Provide detailed documentation for each rule

[mmlb]

It'd be great to have a shellcheck like wiki with some more info on each check, why its bad and what the possible fixes are. If this sounds like a good idea, I can start it off with the minimal info.

[gcmurphy]

+1 Thanks for the suggestion. Will add this to the backlog.

[ryboe]

Can this be given a higher priority? We currently have no idea if the issues reported by gas are real or worth fixing.

See staticcheck.io for inspiration, although a GitHub wiki would be more than enough.

[gcmurphy]

Just as an update I've created the repository github.com/securego/securego.github.io and registered the securego.io domain for this purpose. I'm hoping to get some spare time to work on this soon.

[alukyan]

Yes, this is needed. It looks like some rules are too broad to flag.
Example is G304 - gosec flags all lines where we read a file pointed by a variable, like contents, err := ioutil.ReadFile(cacheFile)
What is supposed fix? Hardcode the names?

[MVrachev]

Indeed that's something I think would be great.
The way Bandit (open source security linter for Python) does it is great.
It gives you a field in the json generated output with more info:

It would be sooo useful if we have similar thing in Gosec.

[fawkesley]

What's the status of this issue? Is there any (draft?) content written anywhere? Thanks!

[MVrachev]

I am helping with the documentation. We have documentation for a small subset of the rules you can read more here:
https://securego.io/

[ping035627]

@MVrachev, excuse me, about "G304: Potential file inclusion via variable ", "ioutil.ReadFile(filename)", what is the right way? I don't find it in https://securego.io/, thanks very much.

[MVrachev]

Yes, we need to work more on the documentation.
I was really busy this last month but I will continue to work on the documentation.

[haroldHT]

@MVrachev @ping035627 HI, what is the right way to solve 'G304: Potential file inclusion via variable'?

[ccojocar]

@MVrachev @gcmurphy What's the current status of the documentation? Some rules seem to have some guidelines https://securego.io/docs/rules/rule-intro.html. Are you actively working on adding more docs?

[MVrachev]

I am slowly working on this when I have time.

[Jacalz]

I would like this fixed too. I am having troubles figuring out how to actually fix G304 🙁

[dpritchett]

Googling G304 led me here. The answer is now added at https://securego.io/docs/rules/g304.html

The fix appears to be "wrap your file path string in a call to filepath.Clean(), e.g.

-                       loadResult.loadCachedJSON(cacheFilePath)
+                       loadResult.loadCachedJSON(filepath.Clean(cacheFilePath))

Thanks for gosec by the way, great tool!

[gliptak]

G110 is missing at https://securego.io/docs/rules/g110.html