- G101 — Look for hardcoded credentials (AST)
- G102 — Bind to all interfaces (AST)
- G103 — Audit the use of unsafe block (AST)
- G104 — Audit errors not checked (AST)
- G106 — Audit the use of
ssh.InsecureIgnoreHostKeyfunction (AST) - G107 — URL provided to HTTP request as taint input (AST)
- G108 — Profiling endpoint is automatically exposed (AST)
- G109 — Converting
strconv.Atoiresult toint32/int16(AST) - G110 — Detect
io.Copyinstead ofio.CopyNwhen decompressing (AST) - G111 — Detect
http.Dir('/')as a potential risk (AST) - G112 — Detect
ReadHeaderTimeoutnot configured as a potential risk (AST) - G113 — HTTP request smuggling via conflicting headers or bare LF in body parsing (SSA)
- G114 — Use of
net/httpserve function that has no support for setting timeouts (AST) - G115 — Type conversion which leads to integer overflow (SSA)
- G116 — Detect Trojan Source attacks using bidirectional Unicode characters (AST)
- G117 — Potential exposure of secrets via JSON/YAML/XML/TOML marshaling (AST)
- G118 — Context propagation failure leading to goroutine/resource leaks (SSA)
- G119 — Unsafe redirect policy may propagate sensitive headers (SSA)
- G120 — Unbounded form parsing in HTTP handlers can cause memory exhaustion (SSA)
- G121 — Unsafe CrossOriginProtection bypass patterns (SSA)
- G122 — Filesystem TOCTOU race risk in
filepath.Walk/WalkDircallbacks (SSA) - G123 — TLS resumption may bypass
VerifyPeerCertificatewhenVerifyConnectionis unset (SSA) - G124 — Insecure HTTP cookie configuration missing Secure, HttpOnly, or SameSite attributes (SSA)
- G201 — SQL query construction using format string (AST)
- G202 — SQL query construction using string concatenation (AST)
- G203 — Use of unescaped data in HTML templates (AST)
- G204 — Audit use of command execution (AST)
- G301 — Poor file permissions used when creating a directory (AST)
- G302 — Poor file permissions used when creating file or using
chmod(AST) - G303 — Creating tempfile using a predictable path (AST)
- G304 — File path provided as taint input (AST)
- G305 — File path traversal when extracting zip archive (AST)
- G306 — Poor file permissions used when writing to a file (AST)
- G307 — Poor file permissions used when creating a file with
os.Create(AST)
- G401 — Detect the usage of MD5 or SHA1 (AST)
- G402 — Look for bad TLS connection settings (AST)
- G403 — Ensure minimum RSA key length of 2048 bits (AST)
- G404 — Insecure random number source (
rand) (AST) - G405 — Detect the usage of DES or RC4 (AST)
- G406 — Detect the usage of deprecated MD4 or RIPEMD160 (AST)
- G407 — Use of hardcoded IV/nonce for encryption (SSA)
- G408 — Stateful misuse of
ssh.PublicKeyCallbackleading to auth bypass (SSA)
- G501 — Import blocklist:
crypto/md5(AST) - G502 — Import blocklist:
crypto/des(AST) - G503 — Import blocklist:
crypto/rc4(AST) - G504 — Import blocklist:
net/http/cgi(AST) - G505 — Import blocklist:
crypto/sha1(AST) - G506 — Import blocklist:
golang.org/x/crypto/md4(AST) - G507 — Import blocklist:
golang.org/x/crypto/ripemd160(AST)
- G601 — Implicit memory aliasing in
RangeStmt(Go 1.21 or lower) (AST) - G602 — Possible slice bounds out of range (SSA)
- G701 — SQL injection via taint analysis (Taint)
- G702 — Command injection via taint analysis (Taint)
- G703 — Path traversal via taint analysis (Taint)
- G704 — SSRF via taint analysis (Taint)
- G705 — XSS via taint analysis (Taint)
- G706 — Log injection via taint analysis (Taint)
- G707 — SMTP command/header injection via taint analysis (Taint)
- G708 — Server-side template injection via
text/template(Taint) - G709 — Unsafe deserialization of untrusted data (Taint)
Note: Implementation types used in this document:
- AST: rule implemented in
rules/and evaluated on AST patterns - SSA: analyzer implemented in
analyzers/using the analyzer framework (SSA-backed execution path) - Taint: taint analysis rule implemented via
taint.NewGosecAnalyzer
- G105 is retired.
- G307 (old meaning: deferred method error handling) is retired; the ID now refers to file creation permissions.
- G113 was previously used for a retired
math/bigcheck and is now used for HTTP request smuggling.
Some rules accept configuration in the gosec JSON config file.
Per-rule settings are top-level objects keyed by rule ID (Gxxx).
Configurable rules (alphabetical): G101, G104, G111, G117, G301, G302, G306, G307.
G101 (hardcoded credentials) can be configured with custom patterns and entropy thresholds:
{
"G101": {
"pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
"ignore_entropy": false,
"entropy_threshold": "80.0",
"per_char_threshold": "3.0",
"truncate": "32",
"min_entropy_length": "8"
}
}G104 (unchecked errors) can be configured with function allowlists:
{
"G104": {
"ioutil": ["WriteFile"]
}
}G111 (HTTP directory serving) can be configured with a custom detection regex.
This replaces the default pattern.
{
"G111": {
"pattern": "http\\.Dir\\(\"\\/\"\\)|http\\.Dir\\('\\/'\\)"
}
}G117 (secret serialization) can be configured with a custom field-name pattern.
{
"G117": {
"pattern": "(?i)secret|token|password"
}
}G118 detects three classes of context-propagation failure using SSA-level analysis:
1. Lost cancel function (CWE-400)
Reports when a context.WithCancel, context.WithTimeout, or context.WithDeadline call
returns a cancel function that is never called, potentially leaking resources.
// Flagged: cancel never called
func work(ctx context.Context) {
child, _ := context.WithTimeout(ctx, time.Second)
_ = child
}
// Safe: cancel deferred
func work(ctx context.Context) {
child, cancel := context.WithTimeout(ctx, time.Second)
defer cancel()
_ = child
}The following patterns are all recognised as safe (cancel is considered called):
| Pattern | Description |
|---|---|
defer cancel() |
Direct deferred call |
defer func() { cancel() }() |
Cancel in a deferred closure |
cancelCopy := cancel; defer cancelCopy() |
Alias via variable |
return ctx, cancel |
Cancel returned to caller (responsibility transferred) |
s.cancelFn = cancel + method s.cancelFn() |
Stored in struct field, called via receiver method |
s.cancel = cancel; defer s.cancel() |
Stored in struct field, deferred in same function |
s.cancel = cancel; defer func() { s.cancel() }() |
Stored in struct field, called in closure |
| Struct containing field is returned | Caller inherits cancel responsibility |
2. Goroutine uses context.Background/TODO when request context is available (CWE-400)
Reports when a goroutine spawned inside an HTTP handler or a function accepting a
context.Context / *http.Request uses context.Background() or context.TODO()
instead of the request-scoped context.
// Flagged
func handler(w http.ResponseWriter, r *http.Request) {
go func() {
ctx := context.Background() // ignores request context
doWork(ctx)
}()
}3. Long-running loop without ctx.Done() guard (CWE-400)
Reports an infinite loop that performs blocking I/O (e.g. http.Get, db.Query,
time.Sleep, interface methods such as Read/Write) but never checks ctx.Done(),
making the loop impossible to cancel.
// Flagged
func poll(ctx context.Context) {
for {
http.Get("https://example.com") // blocks, no cancellation path
time.Sleep(time.Second)
}
}
// Safe
func poll(ctx context.Context) {
for {
select {
case <-ctx.Done():
return
case <-time.After(time.Second):
http.Get("https://example.com")
}
}
}Loops with an external exit path (e.g. a break or bounded for i < n) are not flagged.
File and directory permission rules can be configured with stricter maximum permissions:
{
"G301": "0o600",
"G302": "0o600",
"G306": "0o750",
"G307": "0o750"
}