How to fix the "G101: Potential hardcoded credentials (gosec)"
Crash course in fixing a "gosec" Golang linter issue
SecureGo
SecureGo is the project behind gosec, the great Go security checker. Their web page is basically dead and full of TODOs, but their GitHub profile is alive and full of releases. Definitely worth visiting and leaving them a ⭐.
False Positives
The issue is that some older versions of gosec had a tendency toward false positives. They officially stated that certain keywords will trigger the warning:
[1] Variables are considered to look like a password if they match any one of:
“password”
“pass”
“passwd”
“pwd”
“secret”
“token”
Note: this can be noisy and may generate false positives.
It would be great if only those keywords or real passwords would trigger the warning.
Problem
Your Go file might look as follows:
package linter
const Location = "var_host_locale_location"
And guess what?
➜ tools git:(main) ✗ docker run --rm -v ./:/app -w /app custom-golangci-lint:v1.54.2 | grep linter
linter/credentials.go:3:7: G101: Potential hardcoded credentials (gosec)
The combination of string literals causing this warning can be unpredictable.
Solution
There are a few solutions to this problem.
Gosec Upgrade
If you can afford to upgrade gosec or golangci-lint, this is the recommended solution. The error above was triggered on a specific version; after upgrading it was no longer a problem.
Fine Tuning
[2] You can also configure the hard-coded credentials rule G101 with additional patterns, or adjust the entropy threshold:
{
"G101": {
"pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
"ignore_entropy": false,
"entropy_threshold": "80.0",
"per_char_threshold": "3.0",
"truncate": "32"
}
}
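To make the three kinds of knob above concrete, here is a small Go model of the G101 decision, added here as an illustration and not taken from gosec: pattern gates on the identifier name, and only then is the value, cut to truncate characters, scored against the entropy thresholds. Assumptions: it uses plain Shannon entropy where gosec uses a zxcvbn strength estimate, so its numbers differ from the linter's, and the way the two thresholds combine is my reading of the option names, not gosec's source.

```go
package main

import (
	"math"
	"regexp"
)

// G101Config mirrors the knobs from the gosec config above.
type G101Config struct {
	Pattern          *regexp.Regexp // identifier names that look like credentials
	EntropyThreshold float64        // total bits that report a value outright
	PerCharThreshold float64        // bits per char required at half that total
	Truncate         int            // only this many leading chars are scored
}

// PageConfig holds the values from the article's configuration.
var PageConfig = G101Config{
	Pattern:          regexp.MustCompile(`(?i)passwd|pass|password|pwd|secret|private_key|token`),
	EntropyThreshold: 80.0,
	PerCharThreshold: 3.0,
	Truncate:         32,
}

// ShannonBits is the total Shannon entropy of s in bits (gosec uses a zxcvbn estimate instead).
func ShannonBits(s string) float64 {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	n, perChar := float64(len([]rune(s))), 0.0
	for _, c := range counts {
		p := float64(c) / n
		perChar -= p * math.Log2(p)
	}
	return perChar * n
}

// Suspect reports whether a constant `name = value` would trip the rule; how the
// two thresholds combine here is an assumption, not copied from gosec.
func (c G101Config) Suspect(name, value string) bool {
	if !c.Pattern.MatchString(name) {
		return false // name does not look like a credential: the value is never scored
	}
	r := []rune(value)
	if len(r) > c.Truncate {
		r = r[:c.Truncate]
	}
	bits := ShannonBits(string(r))
	return bits >= c.EntropyThreshold ||
		(bits >= c.EntropyThreshold/2 && bits/float64(len(r)) >= c.PerCharThreshold)
}
```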
Ignoring
You can easily ignore the line causing the false positive with the #nosec annotation:
package linter
const Location = "var_host_locale_location" // #nosec G101
And we're good:
➜ tools git:(main) ✗ docker run --rm -v ./:/app -w /app custom-golangci-lint:v1.54.2 | grep linter
➜
More on #nosec annotations can be found on the project's page.