How to fix the "G101: Potential hardcoded credentials (gosec)"

Crash course in fixing a "gosec" Golang linter issue

SecureGo

SecureGo is the project behind gosec, the great Go security checker tool. Their website is basically dead and full of TODOs, but their GitHub profile is alive and full of releases. Definitely worth visiting and leaving them a ⭐.

False Positives

The issue is that some older versions of gosec had a tendency to produce false positives. They officially stated that certain keywords will trigger the warning:

[1] Variables are considered to look like a password if they match any one of:

  • “password”

  • “pass”

  • “passwd”

  • “pwd”

  • “secret”

  • “token”

Note: this can be noisy and may generate false positives.

It would be great if only those keywords or real passwords would trigger the warning.

Problem

Your Go file might look as follows:

package linter

const Location = "var_host_locale_location"

And guess what?

➜  tools git:(main) ✗ docker run --rm -v ./:/app -w /app custom-golangci-lint:v1.54.2 | grep linter
linter/credentials.go:3:7: G101: Potential hardcoded credentials (gosec)

Which string literals end up triggering this warning can be unpredictable: the constant name above contains none of the listed keywords.

Solution

We have a few solutions that can help us with this problem.

Gosec Upgrade

If you can afford to upgrade gosec or golangci-lint, this is the recommended solution. The error above was triggered on a specific version; after upgrading it was no longer reported.

Fine Tuning

[2] You can also configure the hard-coded credentials rule G101 with additional patterns, or adjust the entropy threshold:

{
    "G101": {
        "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
        "ignore_entropy": false,
        "entropy_threshold": "80.0",
        "per_char_threshold": "3.0",
        "truncate": "32"
    }
}
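
To see what the "pattern" knob actually controls, here is an added Go example (not from this page, and not gosec's own code) that runs the default G101 name pattern above, and an assumed stricter, anchored alternative, over a constructed set of identifier names. The default is an unanchored substring match, so innocent names such as compass or secretary count as password-like; the anchored pattern only accepts the keyword as a whole identifier segment. Neither pattern matches the page's constant name Location, so the name pattern alone does not account for the warning shown above.

```go
package main

import (
	"fmt"
	"regexp"
)

// DefaultPattern is the G101 "pattern" value from the gosec config above.
// It is an unanchored substring match, so any identifier containing one
// of the keywords is considered password-like.
const DefaultPattern = `(?i)passwd|pass|password|pwd|secret|private_key|token`

// AnchoredPattern is an assumed, stricter replacement (not a gosec default).
// A keyword must start an identifier segment (at the start, after an
// underscore, or as a capitalised camelCase word) and must end one (at the
// end, before an underscore, or before the next capital letter).
// Go's RE2 engine has no lookaround, so the camelCase case is spelled out.
const AnchoredPattern = `^(?:(?:.*_)?(?i:passwd|password|pass|pwd|secret|private_key|token)` +
	`|.*[a-z0-9](?:Passwd|Password|Pass|Pwd|Secret|Private_key|PrivateKey|Token))` +
	`(?:_.*|[A-Z].*)?$`

var (
	defaultRe  = regexp.MustCompile(DefaultPattern)
	anchoredRe = regexp.MustCompile(AnchoredPattern)
)

// LooksLikeCredential reports whether the identifier name matches re.
func LooksLikeCredential(re *regexp.Regexp, name string) bool {
	return re.MatchString(name)
}

// Names is a constructed set of identifiers: the page's constant, genuine
// credential names, and innocent names that merely contain a keyword.
var Names = []string{
	"Location", "Password", "dbPassword", "DB_PASSWORD", "api_token",
	"compass", "Bypass", "tokenizer", "secretary", "passengerCount",
}

func main() {
	fmt.Printf("%-16s %-8s %s\n", "name", "default", "anchored")
	for _, n := range Names {
		fmt.Printf("%-16s %-8v %v\n", n,
			LooksLikeCredential(defaultRe, n), LooksLikeCredential(anchoredRe, n))
	}
}
```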

Ignoring

You can easily ignore the line causing the false positive with the #nosec annotation:

package linter

const Location = "var_host_locale_location" // #nosec G101

And we're good:

➜  tools git:(main) ✗ docker run --rm -v ./:/app -w /app custom-golangci-lint:v1.54.2 | grep linter
➜

More on #nosec annotations can be found on the project's page.

Sources

Docs

Quotations