Products
In-IDE
IDE extension that lets you fix coding issues before they exist!
Discover SonarQube for IDE
SaaS
Setup is effortless and analysis is automatic for most languages
Discover SonarQube Cloud
Self-Hosted
Fast, accurate analysis; enterprise scalability
Discover SonarQube Server

Secrets
ABAP
Ansible
Apex
AzureResourceManager
C
C#
C++
CloudFormation
COBOL
CSS
Dart
Docker
Flex
Go
HTML
Java
JavaScript
JCL
Kotlin
Kubernetes
Objective C
PHP
PL/I
PL/SQL
Python
RPG
Ruby
Rust
Scala
Swift
Terraform
Text
TypeScript
T-SQL
VB.NET
VB6
XML

Go static code analysis

Unique rules to find Bugs, Vulnerabilities, Security Hotspots, and Code Smells in your GO code

Filtered: 38 rules found

cwe

Impact

Clean code attribute

Credentials should not be hard-coded
Vulnerability
Hard-coded secrets are security-sensitive
Security Hotspot
Constructing arguments of system commands from user input is security-sensitive
Security Hotspot
Extracting archives should not lead to zip slip vulnerabilities
Vulnerability
JWT should be signed and verified with strong cipher algorithms
Vulnerability
Cipher algorithms should be robust
Vulnerability
Encryption algorithms should be used with secure mode and padding scheme
Vulnerability
Server hostnames should be verified during SSL/TLS connections
Vulnerability
Insecure temporary file creation methods should not be used
Vulnerability
Using publicly writable directories is security-sensitive
Security Hotspot
Passwords should not be stored in plaintext or with a fast hashing algorithm
Vulnerability
Using clear-text protocols is security-sensitive
Security Hotspot
HTTP request redirections should not be open to forging attacks
Vulnerability
Logging should not be vulnerable to injection attacks
Vulnerability
Server-side requests should not be vulnerable to forging attacks
Vulnerability
Server certificates should be verified during SSL/TLS connections
Vulnerability
Using weak hashing algorithms is security-sensitive
Security Hotspot
Delivering code in production with debug features activated is security-sensitive
Security Hotspot
Cryptographic keys should be robust
Vulnerability
Weak SSL/TLS protocols should not be used
Vulnerability
Searching OS commands in PATH is security-sensitive
Security Hotspot
Database queries should not be vulnerable to injection attacks
Vulnerability
Creating cookies without the "HttpOnly" flag is security-sensitive
Security Hotspot
Cipher Block Chaining IVs should be unpredictable
Vulnerability
Setting loose POSIX file permissions is security-sensitive
Security Hotspot
Using pseudorandom number generators (PRNGs) is security-sensitive
Security Hotspot
Creating cookies without the "secure" flag is security-sensitive
Security Hotspot
XPath expressions should not be vulnerable to injection attacks
Vulnerability
I/O function calls should not be vulnerable to path injection attacks
Vulnerability
Formatting SQL queries is security-sensitive
Security Hotspot
OS commands should not be vulnerable to command injection attacks
Vulnerability
Hard-coded credentials are security-sensitive
Security Hotspot
Password hashing functions should use an unpredictable salt
Vulnerability
All code should be reachable
Bug
"switch" statements should have "default" clauses
Code Smell
Useless "if(true) {...}" and "if(false){...}" blocks should be removed
Bug
Track uses of "TODO" tags
Code Smell
Track uses of "FIXME" tags
Code Smell

Hard-coded secrets are security-sensitive

responsibility - trustworthy

security

Security Hotspot

Because it is easy to extract strings from an application source code or binary, secrets should not be hard-coded. This is particularly true for applications that are distributed or that are open-source.

In the past, it has led to the following vulnerabilities:

CVE-2022-25510
CVE-2021-42635

Secrets should be stored outside of the source code in a configuration file or a management service for secrets.

This rule detects variables/fields having a name matching a list of words (secret, token, credential, auth, api[_.-]?key) being assigned a pseudorandom hard-coded value. The pseudorandomness of the hard-coded value is based on its entropy and the probability to be human-readable. The randomness sensibility can be adjusted if needed. Lower values will detect less random values, raising potentially more false positives.

Ask Yourself Whether

The secret allows access to a sensitive component like a database, a file storage, an API, or a service.
The secret is used in a production environment.
Application re-distribution is required before updating the secret.

There would be a risk if you answered yes to any of those questions.

Recommended Secure Coding Practices

Store the secret in a configuration file that is not pushed to the code repository.
Use your cloud provider’s service for managing secrets.
If a secret has been disclosed through the source code: revoke it and create a new one.

Sensitive Code Example

var secret = "47828a8dd77ee1eb9dde2d5e93cb221ce8c32b37" // Sensitive

func main() {
    callMyService(secret)
}

Compliant Solution

import "os"

var secret = os.Getenv("SECRET")

func main() {
    callMyService(secret)
}

See

OWASP - Top 10 2021 Category A7 - Identification and Authentication Failures
OWASP - Top 10 2017 Category A2 - Broken Authentication
CWE - CWE-798 - Use of Hard-coded Credentials
MSC - MSC03-J - Never hard code sensitive information

Available In:

Catch issues on the fly,
in your IDE

Detect issues in your GitHub, Azure DevOps Services, Bitbucket Cloud, GitLab repositories

Analyze code in your
on-premise CI

In-IDE

SaaS

Self-Hosted