gosec
envchain
| gosec | envchain | |
|---|---|---|
| 20 | 3 | |
| 7,527 | 1,150 | |
| 1.0% | - | |
| 8.7 | 3.6 | |
| 7 days ago | about 1 month ago | |
| Go | C | |
| Apache License 2.0 | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
gosec
-
Secure Randomness in Go 1.22
For those unaware, gosec (and by extension golangci-lint) will warn about uses of `math/rand`
https://github.com/securego/gosec/blob/d3b2359ae29fe344f4df5...
-
Top 10 Snyk Alternatives for Code Security
6. Gosec
-
Safety in Go
You can (and definitely should!) also use gosec.
-
We have getrandom at home
The crypto source in Go is great, no complaints there. Lints like gosec even recommend using it when generating crypto entropy. Go did a good job here, and I expect Rust will do the same sometime after getrandom reaches 1.0 so the API questions are settled, plus whatever makes sense for the future-proofing the standard library needs.
-
any open source that checks security vulnerabilities in code?
i think there's https://github.com/securego/gosec linter
-
Goast: Generic static analysis for Go Abstract Syntax Tree by OPA/Rego
Various static analysis tools are available for the Go language, and existing static analysis tools can check general best practices. For example, gosec is a tool to check secure Go coding, and I use it myself. However, coding rules in software development are not only based on best practices, but can also be software- or team-specific. For example
-
Vulnerability Management for Go
What's the difference between this a https://github.com/securego/gosec?
-
Github template for Golang services
A github actions workflow is provided to run go fmt, vet, test and gosec. An initial configuration for dependabot is also provided.
- gosec
-
What tools exists, or you recommend, for code review, quality and/or security review
Besides what was mentioned, we use : staticcheck.io and https://github.com/securego/gosec
envchain
-
How do you protect your secret keys in your local computer?
I use https://github.com/sorah/envchain. It stores your secrets in Keychain (macOS) or gnome-keyring.
-
Secretlint 6: masking API tokens in .bash_history and .zsh_history
Credentials are often stored as raw text in .config/ or ~/.aws. These can be found in 1Password Shell Plugins, op run, zenv, envchain, etc. to avoid storing raw tokens in files.
-
How to Handle Secrets on the Command Line
You have envchain to store secrets as ENV variables in your keyring and execute commands:
https://github.com/sorah/envchain
Not really something you would use for production web apps, I think envconsul covers that usecase:
https://github.com/hashicorp/envconsul
What are some alternatives?
golangci-lint - Fast linters runner for Go
Mosh - Mobile Shell
gokart - A static analysis tool for securing Go code
platform-compat - Roslyn analyzer that finds usages of APIs that will throw PlatformNotSupportedException on certain platforms.
go-tools - Staticcheck - The advanced Go linter
envconsul - Launch a subprocess with environment variables using data from @HashiCorp Consul and Vault.
pre-commit-golang - Pre-commit hooks for Golang with support for monorepos, the ability to pass arguments and environment variables to all hooks, and the ability to invoke custom go tools.
dotfiles - Home directory with an absurd amount of tweaks
docker-bench-security - The Docker Bench for Security is a script that checks for dozens of common best-practices around deploying Docker containers in production.
secretlint - Pluggable linting tool to prevent committing credential.
rustsec - RustSec API & Tooling
ShellCheck - ShellCheck, a static analysis tool for shell scripts