Rule | Description | Example | KPI

Rule: G101-LookForHardCodedCredentials
Description: Do not use hardcoded passwords anywhere in the source code. Hard-coded passwords greatly increase the likelihood of password guessing and credential exposure. A hardcoded password is a plaintext password embedded in the application source code; it is one of the easiest ways to supply a password for authentication when connecting to and communicating with a database or other systems, which is why the practice is so common.

A variable is considered to look like a password if its name matches any one of:

1) "password"
2) "pass"
3) "passwd"
4) "pwd"
5) "secret"
6) "token"
Example:

//non-compliant code

package main

import "fmt"

func main() {
	username := "admin"
	var password = "f62e5bcda4fae4f82370da0c6f20697b8f8447ef" //non-compliant code (Consider storing passwords in a configuration file and restrict access to that file.)

	fmt.Println("Doing something with: ", username, password)
}



//compliant code

package main

import (
	"fmt"
	"os"
)

// getEncryptedPass obtains the credential at run time (here from the environment; an access-restricted configuration file is the other option the page mentions). Helper added here; the original listing left it undefined.
func getEncryptedPass() string { return os.Getenv("DB_PASSWORD") }

func main() {
	username := "admin"
	password := getEncryptedPass()
	fmt.Println("Never use hardcoded passwords.", username, len(password) > 0)
}

KPI: Security
Rule: G402-LookForBadTLSConnectionSettings
Description: Look for bad TLS connection settings. When a certificate is invalid or malicious, it might allow an attacker to spoof a trusted entity by interfering in the communication path between the host and client. The software might connect to a malicious host while believing it is a trusted host, or it might be deceived into accepting spoofed data that appears to originate from a trusted host.
Example:

//non-compliant code

package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
)

func main() {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, //non-compliant code (disables server certificate verification)
	}
	client := &http.Client{Transport: tr}
	fmt.Println("HTTP client created with certificate verification disabled:", client.Transport != nil)
}
KPI: Security