
gosec - Go security scanner and gosec integration with SonarCloud

3 min read · Neeraj Sidhaye

In this post, we will scan Go application code for security issues using gosec and then feed the gosec results into SonarCloud.

We will cover the following topics:

What is gosec?

Installing gosec

Running security checks on a Go project

Analyzing gosec reports

SonarCloud Integration with gosec

Companies using gosec

What is gosec?

gosec is a static code analyzer that inspects Go application source code for security problems.
Static analysis means the code is analyzed without running the application, so gosec can run in CI before anything is built or deployed.

gosec currently has a set of 30 rules that map to the Common Weakness Enumeration (CWE) framework. Those rules help to secure your code by covering 8 of the 2019 CWE Top 25 Most Dangerous Software Errors. Like any pattern-based scanner it can produce false positives, so its findings need triage rather than blind fixing.

gosec github repo

Installing gosec

gosec can be installed with go get (if you already have a Go toolchain) or with the project's install script.

If you already have Go installed, run the command below to install gosec.

go get github.com/securego/gosec/cmd/gosec

After running this command, the gosec executable is available at $GOPATH/bin/gosec; make sure that directory is on your PATH. Note that since Go 1.17 go get no longer installs binaries, so on a current toolchain use go install with the module path github.com/securego/gosec/v2/cmd/gosec@latest instead.

If you don't have Go installed, you can install gosec with the install script.

Please have a look at the gosec CLI installation options.

Running security checks on a Go project

I will be using my existing Go project (github repo) to run the gosec security checks.
You can create a simple Go project of your own and run gosec against it.

Running gosec from project root folder

gosec ./...

This scans every Go file in every package and sub-package under the current directory (./... is Go's recursive package pattern). Each finding is printed with its rule ID, CWE, severity, confidence and file:line, followed by summary counts. gosec exits with a non-zero status when it finds issues, which is what makes it usable as a CI gate.
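To make the kind of finding gosec reports concrete, here is an added example (not code from the original post or from the gosec project): a file-reading helper in the shape gosec flags as G304 (CWE-22, file path provided as taint input), next to a hardened version that confines the requested name to a base directory. The function and directory names are made up for the example; the #nosec annotation on the hardened call is gosec's documented suppression mechanism.

```go
// Added example (not from the original post): the vulnerable shape gosec reports
// as G304 (CWE-22, file path provided as taint input) next to a hardened version.
// Function and directory names below are made up for the example.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a requested name would escape the base directory.
var ErrOutsideBase = errors.New("requested path escapes the base directory")

// readUnsafe is the shape gosec flags: the name comes straight from the caller
// (for example an HTTP query parameter), so "../../etc/passwd" walks out of dir.
func readUnsafe(dir, name string) ([]byte, error) {
	return os.ReadFile(filepath.Join(dir, name)) // gosec: G304 potential file inclusion via variable
}

// resolveUnderBase cleans the path and checks that it still lies inside base
// before anything touches the filesystem. It does no I/O, so it is easy to test.
// Note: it does not follow symlinks; if base may contain symlinks that point
// outside it, resolve both sides with filepath.EvalSymlinks first.
func resolveUnderBase(base, name string) (string, error) {
	absBase, err := filepath.Abs(base)
	if err != nil {
		return "", err
	}
	// Join runs Clean, so ".." segments are collapsed here; an absolute name
	// is re-rooted under base rather than used as-is.
	full := filepath.Join(absBase, name)
	rel, err := filepath.Rel(absBase, full)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return full, nil
}

// readSafe is the hardened version. gosec's G304 check is syntactic (a variable
// reaches os.ReadFile), so it still fires here; the #nosec annotation with the
// rule ID and a justification records the triage decision in the code.
func readSafe(dir, name string) ([]byte, error) {
	full, err := resolveUnderBase(dir, name)
	if err != nil {
		return nil, err
	}
	return os.ReadFile(full) // #nosec G304 -- path confined to dir by resolveUnderBase
}

func main() {
	dir, err := os.MkdirTemp("", "gosec-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	if err := os.WriteFile(filepath.Join(dir, "hello.txt"), []byte("hi\n"), 0o600); err != nil {
		panic(err)
	}

	// A benign name and a traversal attempt, run through both helpers.
	for _, name := range []string{"hello.txt", "../../../../etc/hostname"} {
		_, unsafeErr := readUnsafe(dir, name)
		_, safeErr := readSafe(dir, name)
		fmt.Printf("%-26s readUnsafe err=%v | readSafe err=%v\n", name, unsafeErr, safeErr)
	}
}
```

Running gosec ./... over this file reports the os.ReadFile call in readUnsafe; the call in readSafe is suppressed by the annotation, and the suppression is counted in the Nosec column of the summary so it stays visible to reviewers.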


Analyzing reports

You can also have gosec write the results in a specific format to a file.

json example

gosec -fmt=json -out=gosecResult.json ./...

This writes the scan results to the named JSON file, which is the easiest form to post-process in a pipeline.

All the supported formats are listed in the gosec README (json, yaml, csv, junit-xml, html, sonarqube, golint, sarif and plain text). SARIF and JUnit XML suit most CI systems; the sonarqube format is the one used for the SonarCloud integration below.
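Once the results are in a file, the natural next step is to gate a CI job on them. The following is an added example (not code from the original post or from gosec): a small Go program that parses a gosec JSON report and fails when findings at or above a chosen severity and confidence are present. The struct tags follow the field names gosec writes in its JSON output (Issues, Stats, severity, confidence, rule_id, cwe, details, file, line); the report embedded in sampleReport is constructed for this example rather than taken from a real scan, and the Gate function and thresholds are this example's own design.

```go
// Added example (not from the original post): a CI gate over gosec's -fmt=json
// output. The embedded sampleReport is constructed for the example, not a real scan.
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

type CWE struct {
	ID  string `json:"id"`
	URL string `json:"url"`
}

type Issue struct {
	Severity   string `json:"severity"`
	Confidence string `json:"confidence"`
	CWE        CWE    `json:"cwe"`
	RuleID     string `json:"rule_id"`
	Details    string `json:"details"`
	File       string `json:"file"`
	Line       string `json:"line"`
}

type Report struct {
	Issues []Issue `json:"Issues"`
	Stats  struct {
		Files int `json:"files"`
		Lines int `json:"lines"`
		Nosec int `json:"nosec"`
		Found int `json:"found"`
	} `json:"Stats"`
}

// Summary is what the gate hands back to the caller.
type Summary struct {
	BySeverity map[string]int // every finding, keyed by LOW/MEDIUM/HIGH
	Blocking   []Issue        // findings at or above both thresholds, in report order
}

var rank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3}

// Gate parses a gosec JSON report and returns the findings that should fail the
// build: severity >= minSeverity and confidence >= minConfidence. Thresholding on
// confidence as well as severity keeps low-confidence heuristics from blocking
// merges while still counting them in BySeverity for reporting.
func Gate(raw []byte, minSeverity, minConfidence string) (Summary, error) {
	sum := Summary{BySeverity: map[string]int{}}
	sevMin, ok := rank[minSeverity]
	if !ok {
		return sum, fmt.Errorf("unknown severity threshold %q", minSeverity)
	}
	confMin, ok := rank[minConfidence]
	if !ok {
		return sum, fmt.Errorf("unknown confidence threshold %q", minConfidence)
	}
	var rep Report
	if err := json.Unmarshal(raw, &rep); err != nil {
		return sum, fmt.Errorf("parsing gosec report: %w", err)
	}
	for _, is := range rep.Issues {
		sev, okS := rank[is.Severity]
		conf, okC := rank[is.Confidence]
		if !okS || !okC {
			return sum, fmt.Errorf("issue %s has unknown severity/confidence %q/%q", is.RuleID, is.Severity, is.Confidence)
		}
		sum.BySeverity[is.Severity]++
		if sev >= sevMin && conf >= confMin {
			sum.Blocking = append(sum.Blocking, is)
		}
	}
	return sum, nil
}

// Constructed sample in the shape of gosec's JSON output (four findings).
const sampleReport = `{
  "Golang errors": {},
  "Issues": [
    {"severity":"HIGH","confidence":"LOW","cwe":{"id":"798","url":"https://cwe.mitre.org/data/definitions/798.html"},"rule_id":"G101","details":"Potential hardcoded credentials","file":"/src/app/config.go","line":"9"},
    {"severity":"MEDIUM","confidence":"HIGH","cwe":{"id":"22","url":"https://cwe.mitre.org/data/definitions/22.html"},"rule_id":"G304","details":"Potential file inclusion via variable","file":"/src/app/files.go","line":"41"},
    {"severity":"MEDIUM","confidence":"HIGH","cwe":{"id":"326","url":"https://cwe.mitre.org/data/definitions/326.html"},"rule_id":"G401","details":"Use of weak cryptographic primitive","file":"/src/app/hash.go","line":"17"},
    {"severity":"LOW","confidence":"HIGH","cwe":{"id":"338","url":"https://cwe.mitre.org/data/definitions/338.html"},"rule_id":"G404","details":"Use of weak random number generator (math/rand instead of crypto/rand)","file":"/src/app/token.go","line":"23"}
  ],
  "Stats": {"files": 6, "lines": 412, "nosec": 0, "found": 4}
}`

func main() {
	raw := []byte(sampleReport)
	if len(os.Args) > 1 { // pass a real gosecResult.json to gate an actual scan
		b, err := os.ReadFile(os.Args[1]) // #nosec G304 -- path is a CLI argument given by the operator
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		raw = b
	}
	sum, err := Gate(raw, "MEDIUM", "HIGH")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	fmt.Printf("findings by severity: %v\n", sum.BySeverity)
	for _, is := range sum.Blocking {
		fmt.Printf("%s:%s %s (CWE-%s, %s/%s): %s\n", is.File, is.Line, is.RuleID, is.CWE.ID, is.Severity, is.Confidence, is.Details)
	}
	if len(sum.Blocking) > 0 {
		os.Exit(1)
	}
}
```

With the sample report and a MEDIUM/HIGH threshold the gate blocks on G304 and G401, counts but does not block on the low-confidence G101 and the low-severity G404, and exits 1 so the pipeline fails.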

SonarCloud Integration

gosec results can be imported into SonarCloud as external issues and then analysed there alongside SonarCloud's own findings for the project.

Configuring project in SonarCloud

We need to configure the GitHub repo in SonarCloud: create a new project in SonarCloud and link it to the GitHub repo and branch.

Adding sonar-project.properties to the project

A few important properties:

sonar.projectKey: the project key of the project we just created on SonarCloud.

sonar.externalIssuesReportPaths: the path of the gosec report. We generate this report in Sonar's external-issues format with the gosec command below.

sonar.projectKey=gosec_go-rest-api
sonar.organization=bethecodewithyou-github
sonar.host.url=https://sonarcloud.io

sonar.sources=.
sonar.exclusions=**/*_test.go
 
sonar.externalIssuesReportPaths=gosecReport.json

Generate gosec report for SonarCloud

gosec -fmt=sonarqube -out=gosecReport.json ./...  

Note that we use the sonarqube format here. It is one of gosec's supported output formats and produces the external-issues JSON that SonarCloud imports through sonar.externalIssuesReportPaths. The file name must match the one in sonar-project.properties.

Running the Sonar Scanner

sonar-scanner.bat \
  -D"sonar.organization=bethecodewithyou-github" \
  -D"sonar.projectKey=gosec_go-rest-api" \
  -D"sonar.sources=." \
  -D"sonar.host.url=https://sonarcloud.io"

After running this command, the results should be available in your SonarCloud project shortly. The -D properties on the command line repeat what is in sonar-project.properties (command-line values take precedence), so the file alone would suffice. sonar-scanner.bat is the Windows launcher; on Linux and macOS the command is sonar-scanner. The scanner also needs an authentication token for SonarCloud (the sonar.login property): pass it on the command line or from an environment variable in CI, and keep it out of sonar-project.properties, which is committed to the repo.

See here for downloading and configuring Sonar Scanner.

Analyzing gosec report on SonarCloud

The gosec findings now appear as issues in the SonarCloud project, where they can be triaged together with SonarCloud's own findings.

Companies using gosec

A list of companies using gosec, sourced from the gosec README (see here).

  • Gitlab
  • CloudBees
  • VMware
  • Codacy
  • Coinbase
  • RedHat/OpenShift
  • Guardalis
  • 1Password
  • PingCAP/tidb