As README.md mentions, some rules can be configured by adding parameters to the gosec JSON config. Per-rule configs are encoded as top-level objects in the gosec config, with the rule ID (`Gxxx`) as the key.
Currently, the following rules accept parameters. This list is manually maintained; if you notice an omission please add it!
The hard-coded credentials rule `G101` can be configured with additional patterns, and the entropy threshold can be adjusted:

```json
{
  "G101": {
    "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
    "ignore_entropy": false,
    "entropy_threshold": "80.0",
    "per_char_threshold": "3.0",
    "truncate": "32"
  }
}
```
The unchecked error value rule `G104` can be configured with additional functions that are permitted to be called without checking the returned error. Entries are keyed by package name and list the function names in that package:

```json
{
  "G104": {
    "ioutil": ["WriteFile"]
  }
}
```
The HTTP directory serving rule `G111` can be configured with a different regex for detecting potentially overly permissive servers. Note that this replaces the default pattern of `http\.Dir\("\/"\)|http\.Dir\('\/'\)`.

```json
{
  "G111": {
    "pattern": "http\\.Dir\\(\"\\\/\"\\)|http\\.Dir\\('\\\/'\\)"
  }
}
```
The various file and directory permission checking rules can be configured with a different maximum allowable file permission, given as an octal string:

```json
{
  "G301": "0o600",
  "G302": "0o600",
  "G306": "0o750",
  "G307": "0o750"
}
```
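The per-rule blocks above are easy to get subtly wrong: the `G101` and `G111` patterns are regexes that must survive JSON escaping, and the `G301`/`G302`/`G306`/`G307` values are octal strings that would be read as decimal if the `0o` prefix were dropped. The following Go program is an added example, not part of the gosec project or this page; it parses a config built from the snippets above (the combined `sampleConfig` is constructed for this example) and checks those properties before the file is committed. The `Validate`, `RulePattern` and `RulePerm` helpers, and the requirement that a permission string start with `0`, are this example's own choices rather than gosec's parsing rules.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"regexp"
	"strconv"
	"strings"
)

// sampleConfig is a constructed gosec config that combines the per-rule
// settings documented above into a single file.
const sampleConfig = `{
  "G101": {
    "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
    "ignore_entropy": false,
    "entropy_threshold": "80.0",
    "per_char_threshold": "3.0",
    "truncate": "32"
  },
  "G104": { "ioutil": ["WriteFile"] },
  "G111": { "pattern": "http\\.Dir\\(\"\\\/\"\\)|http\\.Dir\\('\\\/'\\)" },
  "G301": "0o600",
  "G302": "0o600",
  "G306": "0o750",
  "G307": "0o750"
}`

// Config is the top level of a gosec JSON config: rule ID -> settings.
// The settings stay raw because their shape differs from rule to rule.
type Config map[string]json.RawMessage

// ParseConfig decodes the file and rejects anything that is not valid JSON.
func ParseConfig(data []byte) (Config, error) {
	var c Config
	if err := json.Unmarshal(data, &c); err != nil {
		return nil, fmt.Errorf("config is not valid JSON: %w", err)
	}
	return c, nil
}

// RulePattern compiles the "pattern" field of a rule whose settings are an
// object (G101 and G111 above). Double escaping inside JSON is the usual
// source of a pattern that no longer compiles, so this is checked explicitly.
func RulePattern(c Config, ruleID string) (*regexp.Regexp, error) {
	raw, ok := c[ruleID]
	if !ok {
		return nil, fmt.Errorf("%s: no settings in config", ruleID)
	}
	var settings struct {
		Pattern string `json:"pattern"`
	}
	if err := json.Unmarshal(raw, &settings); err != nil {
		return nil, fmt.Errorf("%s: settings are not an object: %w", ruleID, err)
	}
	if settings.Pattern == "" {
		return nil, fmt.Errorf("%s: missing \"pattern\"", ruleID)
	}
	re, err := regexp.Compile(settings.Pattern)
	if err != nil {
		return nil, fmt.Errorf("%s: pattern does not compile: %w", ruleID, err)
	}
	return re, nil
}

// RulePerm parses the permission string of a file-mode rule (G301, G302,
// G306, G307). Base 0 makes strconv accept the "0o600" spelling; the prefix
// check is this example's own guard against "644" being read as decimal.
func RulePerm(c Config, ruleID string) (os.FileMode, error) {
	raw, ok := c[ruleID]
	if !ok {
		return 0, fmt.Errorf("%s: no settings in config", ruleID)
	}
	var s string
	if err := json.Unmarshal(raw, &s); err != nil {
		return 0, fmt.Errorf("%s: permission must be a JSON string: %w", ruleID, err)
	}
	if !strings.HasPrefix(s, "0") {
		return 0, fmt.Errorf("%s: permission %q needs a 0 or 0o prefix to be octal", ruleID, s)
	}
	mode, err := strconv.ParseUint(s, 0, 32)
	if err != nil {
		return 0, fmt.Errorf("%s: bad permission %q: %w", ruleID, s, err)
	}
	return os.FileMode(mode), nil
}

// Validate runs the checks above over every documented rule present in the
// config and returns one message per problem; an empty slice means it is sane.
func Validate(c Config) []string {
	var problems []string
	for _, id := range []string{"G101", "G111"} {
		if _, ok := c[id]; ok {
			if _, err := RulePattern(c, id); err != nil {
				problems = append(problems, err.Error())
			}
		}
	}
	for _, id := range []string{"G301", "G302", "G306", "G307"} {
		if _, ok := c[id]; ok {
			if _, err := RulePerm(c, id); err != nil {
				problems = append(problems, err.Error())
			}
		}
	}
	return problems
}

func main() {
	cfg, err := ParseConfig([]byte(sampleConfig))
	if err != nil {
		fmt.Println(err)
		os.Exit(1)
	}
	for _, p := range Validate(cfg) {
		fmt.Println("problem:", p)
	}
	re, _ := RulePattern(cfg, "G111")
	fmt.Printf("G111 matches http.Dir(\"/\"): %v\n", re.MatchString(`http.Dir("/")`))
}
```

Run it against the real config with `ParseConfig(os.ReadFile("gosec.json"))` before passing that file to `gosec -conf gosec.json ./...`; a pattern that compiles here but matches nothing you expect is still worth testing with `RulePattern(...).MatchString` on a representative line, as the G111 check in `main` does.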