Secure Go

G101: Hardcoded credentials

The use of hard-coded passwords increases the possibility of password guessing tremendously. This plugin test looks at all string literals assigned to variables and checks the following condition:

A variable is considered to look like a password if its name matches any one of:

  • “password”
  • “pass”
  • “passwd”
  • “pwd”
  • “secret”
  • “token”

Note: this can be noisy and may generate false positives.
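To show how such a name-based heuristic behaves, including the noise mentioned above, here is an added example (not gosec's own code) that parses Go source with go/ast and reports identifiers whose names match the list above and are assigned a non-empty string literal. The function name FindHardcodedCredentials, the regexp credPattern and the sample source are assumptions made for this illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"regexp"
)

// credPattern is the identifier list G101 describes, matched case-insensitively (assumed name).
var credPattern = regexp.MustCompile(`(?i)(password|pass|passwd|pwd|secret|token)`)

// FindHardcodedCredentials parses Go source and returns "name:line" for every identifier
// whose name matches credPattern and is assigned a non-empty string literal (:=, = or var/const).
func FindHardcodedCredentials(src string) ([]string, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []string
	check := func(id *ast.Ident, val ast.Expr) {
		lit, ok := val.(*ast.BasicLit)
		// Only quoted string literals longer than "" count; ints, calls, etc. are skipped.
		if ok && lit.Kind == token.STRING && len(lit.Value) > 2 && credPattern.MatchString(id.Name) {
			out = append(out, fmt.Sprintf("%s:%d", id.Name, fset.Position(id.Pos()).Line))
		}
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.AssignStmt: // pwd := "..." or pwd = "..."
			for i := range x.Lhs {
				if id, ok := x.Lhs[i].(*ast.Ident); ok && i < len(x.Rhs) {
					check(id, x.Rhs[i])
				}
			}
		case *ast.ValueSpec: // var password = "..." or const secret = "..."
			for i := range x.Names {
				if i < len(x.Values) {
					check(x.Names[i], x.Values[i])
				}
			}
		}
		return true
	})
	return out, nil
}

func main() { // constructed sample: the page's example plus a noisy name-only match
	src := "package main\nfunc main() {\n\tusername := \"admin\"\n\tvar password = \"f62e5bcda4fae4f82370da0c6f20697b8f8447ef\"\n\ttokenKind := \"bearer\"\n}\n"
	fmt.Println(FindHardcodedCredentials(src)) // [password:4 tokenKind:5] <nil>
}
```

The second finding, tokenKind, is exactly the kind of false positive the note above warns about: the name matches but the value is not a secret.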

Example code:

package main

import "fmt"

func main() {
    username := "admin"
    var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"

    fmt.Println("Doing something with: ", username, password)
}

Gosec command line output

[examples/main.go:7] - G101: Potential hardcoded credentials (Confidence: LOW, Severity: HIGH)
  > password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef"

See also:

  • https://www.owasp.org/index.php/Use_of_hard-coded_password
  • http://gotowebsecurity.com/what-is-hardcoded-password-and-how-to-fix-it/