Update README with details which describe the current behaviour of #nosec

Signed-off-by: Cosmin Cojocar <[email protected]>
ccojocar committed Oct 18, 2023
1 parent d8a6d35 commit e298388
Showing 1 changed file with 19 additions and 17 deletions.
36 changes: 19 additions & 17 deletions README.md
@@ -274,31 +274,33 @@ gosec -exclude-generated ./...

### Annotating code

As with all automated detection tools, there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe,
As with all automated detection tools, there will be cases of false positives.
In cases where gosec reports a failure that has been manually verified as being safe,
it is possible to annotate the code with a comment that starts with `#nosec`.

The `#nosec` comment should have the format `#nosec [RuleList] [-- Justification]`.

The annotation causes gosec to stop processing any further nodes within the
AST so can apply to a whole block or more granularly to a single expression.
The `#nosec` comment needs to be placed on the line where the warning is reported.

```go

import "md5" //#nosec


func main(){

/* #nosec */
if x > y {
h := md5.New() // this will also be ignored
}

func main() {
tr := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: true, // #nosec G402
},
}

client := &http.Client{Transport: tr}
_, err := client.Get("https://golang.org/")
if err != nil {
fmt.Println(err)
}
}

```

When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules)
within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
When a specific false positive has been identified and verified as safe, you may
wish to suppress only that single rule (or a specific set of rules) within a section of code,
while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within
the `#nosec` annotation, e.g: `/* #nosec G401 */` or `//#nosec G201 G202 G203`

You could put the description or justification text for the annotation. The
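Review bot: the new sentence "The `#nosec` comment needs to be placed on the line where the warning is reported." contradicts the paragraph that follows it in this hunk, which still says you can suppress a rule "within a section of code"; now that the sentence about gosec skipping "any further nodes within the AST" (block-level suppression) is removed, the later paragraph should say the annotation is placed on the reported line, otherwise readers will still expect a `/* #nosec */` above an `if` to cover the whole block, which is exactly the example this change deletes. Two smaller points on the remaining example: the stray blank line right after the ```go fence and the one before the closing fence should go, and the snippet now references `http`, `tls` and `fmt` with no import block, so it is not copy-pasteable as written; either add the imports (`crypto/tls`, `fmt`, `net/http`) or trim the example to the `tls.Config` literal carrying `InsecureSkipVerify: true, // #nosec G402`, which is the only line the annotation behaviour is meant to illustrate. Style nit: `e.g:` should read `e.g.:`.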