# Gosec

The Gosec scanner is a static analysis tool that finds vulnerabilities in Go projects by inspecting the Go AST. Gosec supports Go modules as of Gosec 2.0.0.

# Configuration

In addition to the global scanner configurations, the Gosec scanner has specific configurations available.

The following configuration options are available for the Gosec scanner.


# confidence

This option filters out issues with a lower confidence than the configured level. The valid string options are `low`, `medium` or `high`.

Filter out issues with a confidence lower than medium:

```yaml
scanner_configs:
  Gosec:
    confidence: medium
```

# exclude

List of rule IDs to exclude; deprecated in favor of `exceptions`.

```yaml
scanner_configs:
  Gosec:
    exclude:
      - G102
```

# exclude-dir

Excludes the listed folders and their contents from the scan.

```yaml
scanner_configs:
  Gosec:
    exclude-dir:
      - tests
      - temp
      - vendor
```

# include

List of rule IDs to include.

```yaml
scanner_configs:
  Gosec:
    include:
      - G104
      - G105
```

# no-fail

This option determines whether the scanner should fail if issues were found.

Do not fail the scan, even if issues were found:

```yaml
scanner_configs:
  Gosec:
    no-fail: false
```

# nosec

Ignores `#nosec` comments when set to `true`. This is the default behaviour in Salus.

```yaml
scanner_configs:
  Gosec:
    nosec: false
```

# nosec-tag

Sets an alternative annotation string in place of the default `#nosec`.

```yaml
scanner_configs:
  Gosec:
    nosec-tag: falsepositive
```

# run_from_dirs

Runs gosec only from the specified subdirectories. For now, every other Gosec option applies to all subdirectory runs.

```yaml
scanner_configs:
  Gosec:
    run_from_dirs:
      - subdir1
      - subdir2
```

# severity

This option filters out issues with a lower severity than the configured level. The valid string options are `low`, `medium` or `high`.

Filter out issues with a severity lower than medium:

```yaml
scanner_configs:
  Gosec:
    severity: medium
```
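The `confidence`, `severity`, `include` and `exclude` options above all narrow the same finding list. The following Go program, added here as an illustration and not Salus or gosec code, models how they combine: a finding must meet both thresholds, must not be excluded, and must be included when an include list is set. It assumes `exclude` is applied after `include`; the `Finding` fields mirror the `rule_id`, `severity` and `confidence` fields of a gosec JSON report, and the sample findings are constructed.

```go
package main

import "strings"

// Finding carries the gosec report fields the options above act on
// (rule_id, severity and confidence in gosec's JSON output).
type Finding struct{ RuleID, Severity, Confidence string }

// Config models the Salus Gosec options confidence, severity, include and exclude.
type Config struct {
	Severity, Confidence string   // thresholds: low, medium or high ("" means low)
	Include, Exclude     []string // rule IDs; Exclude is assumed to win over Include
}

// rank orders gosec's LOW/MEDIUM/HIGH levels; unknown strings rank as low.
var rank = map[string]int{"low": 0, "medium": 1, "high": 2}
func level(s string) int { return rank[strings.ToLower(s)] }

func contains(list []string, id string) bool {
	for _, v := range list {
		if v == id {
			return true
		}
	}
	return false
}

// Filter keeps a finding only if it meets both thresholds, its rule is not
// excluded and, when an include list is set, its rule is on that list.
func Filter(findings []Finding, cfg Config) []Finding {
	var kept []Finding
	for _, f := range findings {
		if level(f.Severity) < level(cfg.Severity) || level(f.Confidence) < level(cfg.Confidence) {
			continue
		}
		if contains(cfg.Exclude, f.RuleID) || (len(cfg.Include) > 0 && !contains(cfg.Include, f.RuleID)) {
			continue
		}
		kept = append(kept, f)
	}
	return kept
}

// SampleFindings is a constructed report, not real scanner output.
func SampleFindings() []Finding {
	return []Finding{
		{"G104", "LOW", "HIGH"}, {"G102", "HIGH", "HIGH"},
		{"G101", "HIGH", "LOW"}, {"G105", "MEDIUM", "HIGH"},
	}
}
```

With `severity: medium`, `confidence: medium` and `exclude: [G102]`, only the G105 finding survives: G104 is below the severity threshold, G101 below the confidence threshold, and G102 is excluded.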

# sort

This option determines whether issues should be sorted by severity.

Do not sort issues by severity:

```yaml
scanner_configs:
  Gosec:
    sort: false
```

# tests

This option determines whether test files should be scanned.

```yaml
scanner_configs:
  Gosec:
    tests: false
```

# Sample Configuration

```yaml
scanner_configs:
  Gosec:
    nosec: false
    nosec-tag: falsepositive
    include:
      - G104
    exclude:
      - G102
    sort: true
    severity: low
    confidence: low
    no-fail: false
    tests: false
    exclude-dir:
      - tests
      - temp
      - vendor
    run_from_dirs:
      - subdir1
      - subdir2
    exceptions:
      - advisory_id: G101
        changed_by: security-team
        notes: Currently no patch exists and determined that this vulnerability is not exploitable.
        expiration: "2021-04-27"
```