Gosec Scanner


The BoostSecurity Gosec scanner supports the rules listed below:

| Name | Id | Description |
| --- | --- | --- |
| G101: Look for hard coded credentials | look-for-hard-coded-credentials | The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data. |
| G102: Bind to all interfaces | bind-to-all-interfaces | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| G103: Audit the use of unsafe block | audit-use-of-unsafe-block | The program calls a function that can never be guaranteed to work safely. |
| G104: Audit errors not checked | audit-errors-not-checked | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. |
| G106: Audit the use of ssh.InsecureIgnoreHostKey | audit-use-of-ssh.insecureignorehostkey | The software performs a key exchange with an actor without verifying the identity of that actor. |
| G107: Url provided to HTTP request as taint input | url-provided-to-http-request-as-taint-input | The software does not properly delimit the intended arguments, options, or switches within that command string. |
| G108: Profiling endpoint automatically exposed on /debug/pprof | profiling-endpoint-exposed-on-debug | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
| G109: Potential Integer overflow made by strconv.Atoi result conversion to int16/32 | potential-integer-overflow | The software performs a calculation that can produce an integer overflow or wraparound. |
| G110: Potential DoS vulnerability via decompression bomb | potential-dos-vulnerabiility-via-decompression-bomb | The software does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output. |
| G111: Potential directory traversal | potential-directory-traversal | The software does not properly neutralize special elements within the pathname. |
| G112: Potential slowloris attack | potential-slowloris-attack | The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources. |
| G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772) | G113 | The software performs a calculation that can produce an integer overflow or wraparound. |
| G114: Use of net/http serve function that has no support for setting timeouts | G114 | The program invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely. |
| G201: SQL query construction using format string | sql-query-construction-using-format-string | The software does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command. |
| G202: SQL query construction using string concatenation | sql-query-construction-using-string-concatenation | The software does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command. |
| G203: Use of unescaped data in HTML templates | use-of-unescaped-data-in-html-templates | The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output. |
| G204: Audit use of command execution | audit-use-of-command-execution | The software does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command. |
| G301: Poor file permissions used when creating a directory | poor-file-permissions-used-when-creating-a-directory | During installation, installed file permissions are set to allow anyone to modify those files. |
| G302: Poor file permissions used with chmod | poor-file-permissions-used-with-chmod | During installation, installed file permissions are set to allow anyone to modify those files. |
| G303: Creating tempfile using a predictable path | creating-tempfile-using-predictable-path | Creating and using insecure temporary files can leave application and system data vulnerable to attack. |
| G304: File path provided as taint input | file-path-provided-as-taint-input | The software does not properly neutralize special elements within the pathname. |
| G305: File traversal when extracting zip/tar archive | G305 | The software does not properly neutralize special elements within the pathname. |
| G306: Poor file permissions used when writing to a new file | poor-file-permissions | During installation, installed file permissions are set to allow anyone to modify those files. |
| G307: Deferring a method which returns an error | G307 | The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software. |
| G401: Detect the usage of DES, RC4, MD5 or SHA1 | G401 | The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. |
| G402: Look for bad TLS connection settings | G402 | The software does not validate, or incorrectly validates, a certificate. |
| G403: Ensure minimum RSA key length of 2048 bits | ensure-minimum-rsa-key-length | The code contains a weakness related to the design and implementation of data confidentiality and integrity. |
| G404: Insecure random number source (rand) | insecure-random-number-source | The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong. |
| G501: Import blocklist: crypto/md5 | crypto-md5 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
| G502: Import blocklist: crypto/des | crypto-des | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
| G503: Import blocklist: crypto/rc4 | G503 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
| G504: Import blocklist: net/http/cgi | G504 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
| G505: Import blocklist: crypto/sha1 | G505 | The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information. |
| G601: Implicit memory aliasing of items from a range statement | G601 | The software does not restrict or incorrectly restricts operations within the boundaries of a resource. |