add gosec (3rd sast tool)

2026-03-09 10:47:20 -04:00 · 2026-03-09 10:47:20 -04:00 · 04969ee6f8
commit 04969ee6f8
parent 0573622056
3 changed files with 33 additions and 0 deletions
--- a/sast_results/gosec.txt
+++ b/sast_results/gosec.txt
@ -0,0 +1,17 @@
+Results:
+
+
+[/home/vovuas/linux-auth/internal/config/config.go:41] - G304 (CWE-22): Potential file inclusion via variable (Confidence: HIGH, Severity: MEDIUM)
+    40: func Load(path string) (*Config, error) {
+  > 41: 	data, err := os.ReadFile(path)
+    42: 	if err != nil {
+
+Autofix: Consider using os.Root to scope file access under a fixed root (Go >=1.24). Prefer root.Open/root.Stat over os.Open/os.Stat to prevent directory traversal.
+
+Summary:
+  Gosec  : 2.24.7
+  Files  : 8
+  Lines  : 545
+  Nosec  : 0
+  Issues : 1
+
--- a/scripts/config_sast.sh
+++ b/scripts/config_sast.sh
@ -15,3 +15,16 @@ curl -sfL https://raw.githubusercontent.com/Bearer/bearer/main/contrib/install.s

 echo "Установка golangci-lint"
 curl -sSfL https://golangci-lint.run/install.sh | sh -s v2.11.2
+
+echo "Установка gosec"
+mkdir -p bin
+cd bin
+curl -L -o gosec.tar.gz https://github.com/securego/gosec/releases/download/v2.24.7/gosec_2.24.7_linux_amd64.tar.gz
+mkdir -p gosec_download
+tar -xzf gosec.tar.gz -C gosec_download
+mv gosec_download/gosec .
+rm -f gosec.tar.gz
+rm -rf gosec_download
+chmod +x ./gosec
+
+echo "Бинарники анализаторов установлены в ./bin"
--- a/scripts/run_sast.sh
+++ b/scripts/run_sast.sh
@ -9,4 +9,7 @@ echo "Запуск bearer"
 echo "Запуск golangci-lint"
 ./bin/golangci-lint run > sast_results/golangci-lint.txt

+echo "Запуск gosec"
+./bin/gosec -out sast_results/gosec.txt ./...
+
 echo "Анализ завершён, результаты в sast_results"