We all agree that you have to secure your code. The hard part is knowing where to start. Here I present SAST and SCA implementations for your Golang repositories — open-source tools you can wire up yourself in your CI/CD pipeline or pre-commit hooks.

See also: Security Post-it #6 – Software Security Testing for JavaScript and TypeScript.

What are SAST and SCA?

Static Application Security Testing (SAST) scans the code you write for security vulnerabilities. Software Composition Analysis (SCA) scans your dependencies for known vulnerabilities.

Both are necessary for an effective security approach. SAST covers the code you write; SCA covers the open-source libraries you depend on. These two technologies address security issues early and often during the development cycle.

In my opinion, SAST should run both synchronously (blocking CI/CD so insecure code cannot be merged) and asynchronously (alerting the security team in real time). SCA must also run asynchronously: if it runs only on push, vulnerable dependencies in dormant repositories go unnoticed, and dead repositories are full of them. Run it continuously and consider a tool like Renovate (renovatebot) to auto-create fix PRs.

SAST — gosec

The best SAST tool for Golang is gosec.

Install

$ go install github.com/securego/gosec/v2/cmd/gosec@latest

Or for a temporary install:

$ curl -L https://github.com/securego/gosec/releases/download/v2.14.0/gosec_2.14.0_linux_amd64.tar.gz \
    -o /tmp/gosec.tar.gz
$ tar xvzf /tmp/gosec.tar.gz -C /tmp/ gosec

Audit

Human-readable output

$ gosec \
    -exclude=G301,G302,G303,G304,G305,G306,G307,G401,G402,G403,G404,G501,G502,G503,G504,G505,G601 \
    -severity medium -confidence medium \
    -exclude-dir vendor/ \
    __CODE_DIRECTORY__/...

JSON output

$ gosec \
    -exclude=G301,G302,G303,G304,G305,G306,G307,G401,G402,G403,G404,G501,G502,G503,G504,G505,G601 \
    -severity medium -confidence medium \
    -exclude-dir vendor/ \
    -fmt json \
    -out /tmp/gosec.json \
    __CODE_DIRECTORY__/...
$ cat /tmp/gosec.json | jq .Issues
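The JSON report is what you feed to the two channels described above: the synchronous gate that blocks a merge, and the asynchronous feed that tells the security team about everything else. The following program is an added example and not part of the article or of gosec itself. It decodes the "Issues" array of a gosec JSON report (the severity, confidence, rule_id, file and line fields gosec emits), applies a severity/confidence floor plus a rule allowlist, and exits non-zero only when something remains. The embedded sampleReport is constructed so the program runs without gosec installed; the file paths in it are illustrative, and the path argument to main is an assumed convention.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
)

// Issue mirrors the fields of one entry in gosec's JSON "Issues" array
// (gosec -fmt json). Only the fields the gate needs are decoded.
type Issue struct {
	Severity   string `json:"severity"`
	Confidence string `json:"confidence"`
	RuleID     string `json:"rule_id"`
	Details    string `json:"details"`
	File       string `json:"file"`
	Line       string `json:"line"`
}

// Report is the top-level shape of a gosec JSON report (other keys ignored).
type Report struct {
	Issues []Issue `json:"Issues"`
}

// rank orders gosec's LOW/MEDIUM/HIGH levels so they can be compared.
var rank = map[string]int{"LOW": 1, "MEDIUM": 2, "HIGH": 3}

// Gate returns the issues that should block a merge: those at or above the
// given severity and confidence whose rule is not in the exclude set.
// An issue with an unrecognised level is treated as blocking rather than
// silently passing, so a format change fails closed.
func Gate(report []byte, minSeverity, minConfidence string, exclude map[string]bool) ([]Issue, error) {
	minSev, ok1 := rank[minSeverity]
	minConf, ok2 := rank[minConfidence]
	if !ok1 || !ok2 {
		return nil, fmt.Errorf("unknown threshold %q/%q", minSeverity, minConfidence)
	}
	var r Report
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, fmt.Errorf("parse gosec report: %w", err)
	}
	var blocking []Issue
	for _, is := range r.Issues {
		if exclude[is.RuleID] {
			continue
		}
		sev, sevKnown := rank[is.Severity]
		conf, confKnown := rank[is.Confidence]
		if !sevKnown || !confKnown || (sev >= minSev && conf >= minConf) {
			blocking = append(blocking, is)
		}
	}
	return blocking, nil
}

// sampleReport is a constructed gosec-style report used so the program runs
// offline; the paths and findings are illustrative only.
const sampleReport = `{
  "Issues": [
    {"severity":"MEDIUM","confidence":"MEDIUM","rule_id":"G110","details":"Potential DoS vulnerability via decompression bomb","file":"/tmp/example/internal/serverless.go","line":"203"},
    {"severity":"LOW","confidence":"HIGH","rule_id":"G104","details":"Errors unhandled.","file":"/tmp/example/main.go","line":"12"},
    {"severity":"HIGH","confidence":"HIGH","rule_id":"G401","details":"Use of weak cryptographic primitive","file":"/tmp/example/hash.go","line":"7"}
  ]
}`

func main() {
	data := []byte(sampleReport)
	if len(os.Args) > 1 { // assumed convention: optional path to a real report, e.g. /tmp/gosec.json
		b, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(2)
		}
		data = b
	}
	// G401 is excluded here because the article's -exclude list also drops it.
	exclude := map[string]bool{"G401": true}
	blocking, err := Gate(data, "MEDIUM", "MEDIUM", exclude)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, is := range blocking {
		fmt.Printf("%s:%s %s %s\n", is.File, is.Line, is.RuleID, is.Details)
	}
	if len(blocking) > 0 {
		os.Exit(1) // non-zero exit blocks the pipeline step
	}
}
```

Running the program with no arguments uses the constructed report and exits 1 because the G110 finding survives the filter; the same binary, pointed at /tmp/gosec.json, becomes the blocking step in CI while the full report goes to the asynchronous channel untouched.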

Example

Let's use this random Golang repository as an example:

$ git clone https://github.com/newrelic/go-agent /tmp/go-agent
$ gosec \
    -exclude=G301,G302,G303,G304,G305,G306,G307,G401,G402,G403,G404,G501,G502,G503,G504,G505,G601 \
    -severity medium -confidence medium \
    -exclude-dir vendor/ \
    /tmp/go-agent/...

[/tmp/go-agent/internal/serverless.go:203] - G110 (CWE-409): Potential DoS vulnerability via decompression bomb (Confidence: MEDIUM, Severity: MEDIUM)
    202: var out bytes.Buffer
  > 203: io.Copy(&out, gz)
    204: gz.Close()

Summary:
  Gosec  : 2.14.0
  Files  : 364
  Lines  : 54408
  Nosec  : 0
  Issues : 14
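The G110 finding above is worth understanding rather than just excluding: io.Copy into a bytes.Buffer from a gzip reader lets the archive, not your code, decide how much memory is allocated. The following is an added example, not code from the article or from the scanned repository. It places the flagged pattern next to the fix gosec expects (an io.LimitReader with a hard ceiling) and exercises both on a constructed, highly compressible archive so it runs offline; the 1 MiB limit is an arbitrary value chosen for the demonstration.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

// ErrTooLarge is returned when the decompressed data would exceed the caller's limit.
var ErrTooLarge = errors.New("decompressed data exceeds limit")

// decompressUnbounded is the pattern gosec reports as G110: the amount of
// memory allocated is controlled entirely by the (possibly untrusted) archive.
func decompressUnbounded(compressed []byte) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	var out bytes.Buffer
	if _, err := io.Copy(&out, gz); err != nil {
		return nil, err
	}
	return out.Bytes(), nil
}

// DecompressBounded reads at most maxBytes of decompressed data and returns
// ErrTooLarge if the stream would produce more. Reading maxBytes+1 through the
// LimitReader is what distinguishes "exactly at the limit" from "over it".
func DecompressBounded(compressed []byte, maxBytes int64) ([]byte, error) {
	gz, err := gzip.NewReader(bytes.NewReader(compressed))
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	var out bytes.Buffer
	n, err := io.Copy(&out, io.LimitReader(gz, maxBytes+1))
	if err != nil {
		return nil, err
	}
	if n > maxBytes {
		return nil, ErrTooLarge
	}
	return out.Bytes(), nil
}

// gzipZeros builds a constructed archive of n zero bytes; zeros compress
// extremely well, which is exactly why unbounded decompression is risky.
func gzipZeros(n int) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(make([]byte, n))
	w.Close()
	return buf.Bytes()
}

func main() {
	const limit = 1 << 20 // 1 MiB ceiling for this demonstration
	archive := gzipZeros(8 << 20) // 8 MiB of zeros, a few KiB once compressed
	fmt.Printf("compressed size: %d bytes\n", len(archive))

	out, err := decompressUnbounded(archive)
	fmt.Printf("unbounded: allocated %d bytes, err=%v\n", len(out), err)

	_, err = DecompressBounded(archive, limit)
	fmt.Printf("bounded to %d bytes: err=%v\n", limit, err)

	small, err := DecompressBounded(gzipZeros(512), limit)
	fmt.Printf("small archive: %d bytes, err=%v\n", len(small), err)
}
```

In a real service the limit is whatever the handler can legitimately expect (a request body size, a configuration file size), and rejecting with ErrTooLarge is preferable to letting the process grow until the OOM killer decides for you.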

CI Integration

Official documentation: github.com/securego/gosec#github-action — supports GitHub Actions.

SCA — govulncheck / nancy

govulncheck reports known vulnerabilities affecting Go code. It uses static analysis to narrow down reports to only those that could affect the application.

If govulncheck is blocked (for example by a missing go.mod) or its error handling gets in your way, fall back to nancy: sometimes less accurate, but reliable.

Install

$ go install golang.org/x/vuln/cmd/govulncheck@latest

Or install nancy as a fallback:

$ curl -L https://github.com/sonatype-nexus-community/nancy/releases/download/v1.0.42/nancy-v1.0.42-linux-amd64.tar.gz \
    -o /tmp/nancy.tar.gz
$ tar xvzf /tmp/nancy.tar.gz -C /tmp/ nancy

Audit

Human-readable output

$ cd __CODE_DIRECTORY__
$ govulncheck ./...

JSON output

$ govulncheck -json ./... > /tmp/govulncheck.json

With nancy

$ cd __CODE_DIRECTORY__
$ go list -e -json -deps ./... 2>/dev/null | nancy sleuth

Example

Using this intentionally vulnerable repository:

$ git clone https://github.com/netlify/gotell.git /tmp/gotell
$ cd /tmp/gotell
$ govulncheck ./...

Vulnerability #19: GO-2020-0012
  An attacker can craft an ssh-ed25519 or sk-ssh-ed25519@openssh.com public key, such that the library will panic when trying to verify a signature with it.
  Found in: golang.org/x/crypto/ssh@v0.0.0-20160915071417-81372b2fc2f1
  Fixed in: golang.org/x/crypto/ssh@v0.0.0-20200220183623-bac4c82f6975
  More info: https://pkg.go.dev/vuln/GO-2020-0012

CI Integration

Nancy documentation: github.com/sonatype-nexus-community/nancy — supports GitHub Actions and CircleCI.

Conclusion

You don't need an expensive scanner like Snyk or Checkmarx. With gosec and govulncheck wired into your pre-commit hooks, your CI/CD, and asynchronous jobs, you get a complete view of your application security posture, and developers naturally build security awareness along the way.

At Tandem Technology, we help you improve your development practices during a workshop to harden your code repositories.

If you enjoyed this article, feel free to share it or reach out on LinkedIn.