feat(gosec): support configuration.

golangci · Apr 24, 2021 · 2394796 · 2394796
1 parent 4c82143
commit 2394796
Show file tree

Hide file tree

Showing 5 changed files with 46 additions and 2 deletions.
diff --git a/.golangci.example.yml b/.golangci.example.yml
@@ -339,12 +339,23 @@ linters-settings:
     # Available rules: https://github.com/securego/gosec#available-rules
     includes:
       - G401
-      - G501
-      - G204
+      - G306
+      - G101
     # To specify a set of rules to explicitly exclude.
     # Available rules: https://github.com/securego/gosec#available-rules
     excludes:
       - G204
+    # To specify configuration: https://github.com/securego/gosec#configuration
+    # The rules configuration is not documented by gosec, it can be only find in the code:
+    # https://github.com/securego/gosec/blob/569328eade2ccbad4ce2d0f21ee158ab5356a5cf/rules/rulelist.go#L60-L102
+    config:
+      G306: "0600"
+      G101:
+        pattern: "(?i)example"
+        ignore_entropy: false
+        entropy_threshold: "80.0"
+        per_char_threshold: "3.0"
+        truncate: "32"
 
   govet:
     # report about shadowed variables

diff --git a/pkg/config/linters_settings.go b/pkg/config/linters_settings.go
@@ -272,6 +272,7 @@ type GoModGuardSettings struct {
 type GoSecSettings struct {
 	Includes []string
 	Excludes []string
+	Config   map[string]interface{} `mapstructure:"config"`
 }
 
 type GovetSettings struct {

diff --git a/pkg/golinters/gosec.go b/pkg/golinters/gosec.go
@@ -6,6 +6,7 @@ import (
 	"io/ioutil"
 	"log"
 	"strconv"
+	"strings"
 	"sync"
 
 	"github.com/securego/gosec/v2"
@@ -30,6 +31,12 @@ func NewGosec(settings *config.GoSecSettings) *goanalysis.Linter {
 	var filters []rules.RuleFilter
 	if settings != nil {
 		filters = gosecRuleFilters(settings.Includes, settings.Excludes)
+
+		for k, v := range settings.Config {
+			// Uses ToUpper because the parsing of the map's key change the key to lowercase.
+			// The value is not impacted by that: the case is respected.
+			gasConfig.Set(strings.ToUpper(k), v)
+		}
 	}
 
 	ruleDefinitions := rules.Generate(filters...)

diff --git a/test/testdata/configs/gosec.yml b/test/testdata/configs/gosec.yml
@@ -0,0 +1,13 @@
+linters-settings:
+  gosec:
+    includes:
+      - G306
+      - G101
+    config:
+      G306: "0666"
+      G101:
+        pattern: "(?i)simple"
+        ignore_entropy: false
+        entropy_threshold: "80.0"
+        per_char_threshold: "3.0"
+        truncate: "32"
diff --git a/test/testdata/gosec_rules_config.go b/test/testdata/gosec_rules_config.go
@@ -0,0 +1,12 @@
+//args: -Egosec
+//config_path: testdata/configs/gosec.yml
+package testdata
+
+import "io/ioutil"
+
+const gosecToken = "62ebc7a03d6ca24dca1258fd4b48462f6fed1545"
+const gosecSimple = "62ebc7a03d6ca24dca1258fd4b48462f6fed1545" // ERROR "G101: Potential hardcoded credentials"
+
+func gosecCustom() {
+	ioutil.WriteFile("filename", []byte("test"), 0755) // ERROR "G306: Expect WriteFile permissions to be 0666 or less"
+}