# How to fix the "G101: Potential hardcoded credentials (gosec)"

# SecureGo

SecureGo is a project that is behind the **gosec** - the great Go security checker tool. Their [page](https://securego.io/) is basically dead and full of TODOs, but their [GitHub profile](https://github.com/securego) is alive and full of releases. Definitely worth visiting and leaving them a ⭐.

# False Positives

The issue is that in some older versions the gosec had a tendency for a false positives. They [officialy stated](https://securego.io/docs/rules/g101) that some keywords will trigger the warning:

> \[1\] Variables are considered to look like a password if they have match any one of:
> 
> * “password”
>     
> * “pass”
>     
> * “passwd”
>     
> * “pwd”
>     
> * “secret”
>     
> * “token”
>     
> 
> Note: this can be noisy and may generate false positives.

It would be great if only those keywords or real passwords would trigger the warning.

# Problem

Your `go` file might looks as follows:

```go
package linter

const Location = "var_host_locale_location"
```

And guess what?

```bash
➜  tools git:(main) ✗ docker run --rm -v ./:/app -w /app custom-golangci-lint:v1.54.2 | grep linter
linter/credentials.go:3:7: G101: Potential hardcoded credentials (gosec)
```

The combination of string literals causing this warning can be unpredictable.

# Solution

We have a few solutions that can help us with this problem.

## Gosec Upgrade

If you can allow to upgrade the `gosec` or the `golangci-lint` then this is a recommended solution. The mentioned error was triggered on a specific version, after upgrading it was no longer a problem.

## Fine Tuning

> \[2\] You can also configure the hard-coded credentials rule `G101` with additional patterns, or adjust the entropy threshold:

```json
{
    "G101": {
        "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
         "ignore_entropy": false,
         "entropy_threshold": "80.0",
         "per_char_threshold": "3.0",
         "truncate": "32"
    }
}
```

## Ignoring

You can easily ignore the line causing the false-positive with the `#nosec` annotation:

```go
package linter

const Location = "var_host_locale_location" // #nosec G101
```

And we're good:

```bash
➜  tools git:(main) ✗ docker run --rm -v ./:/app -w /app custom-golangci-lint:v1.54.2 | grep linter
➜
```

More on annotations with the `#nosec` can be found on the [project's page](https://github.com/securego/gosec?tab=readme-ov-file#annotating-code).

# Sources

## Docs

* [https://securego.io/docs/rules/rule-intro](https://securego.io/docs/rules/rule-intro)
    
* [https://github.com/securego/gosec](https://github.com/securego/gosec)
    

## Quotations

* \[1\] - [https://securego.io/docs/rules/g101](https://securego.io/docs/rules/g101)
    
* \[2\] - [https://github.com/securego/gosec?tab=readme-ov-file#configuration](https://github.com/securego/gosec?tab=readme-ov-file#configuration)
