Rule | Description | Example | KPI |
---|---|---|---|
G101-LookForHardCodedCredentials | Do not use hardcoded passwords anywhere in the source code. The use of hard-coded passwords increases the possibility of password guessing tremendously. A hardcoded password is a plaintext password embedded in the application source code, usually because it is the easiest way to supply a credential when connecting to a database or another system. A variable is treated as a candidate password if its name matches any one of: 1) "password" 2) "pass" 3) "passwd" 4) "pwd" 5) "secret" 6) "token" | Non-compliant code: `package main; import "fmt"; func main() { username := "admin"; var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" /* non-compliant: plaintext credential in source; store it in a configuration file with restricted access instead */; fmt.Println("Doing something with: ", username, password) }` Compliant code: `package main; import ("fmt"; "os"); func getEncryptedPass() string { return os.Getenv("APP_PASSWORD") /* placeholder: load the credential from a protected configuration file or secret store */ }; func main() { username := "admin"; password := getEncryptedPass(); fmt.Println("Doing something with: ", username, password) }` | Security |
G402-LookForBadTLSConnectionSettings | Look for bad TLS connection settings. When a certificate is invalid or malicious, an attacker who can interfere with the communication path between host and client might spoof a trusted entity: the software might connect to a malicious host while believing it is a trusted host, or it might be deceived into accepting spoofed data that appears to originate from a trusted host. | Non-compliant code: `package main; import ("crypto/tls"; "net/http"); func main() { /* non-compliant: InsecureSkipVerify disables certificate verification, so any host can impersonate the server */ tr := &http.Transport{TLSClientConfig: &tls.Config{InsecureSkipVerify: true}}; _ = &http.Client{Transport: tr} }` | Security |