From 0d2e16dfa3ecf8f95c79be87706d848a41eab956 Mon Sep 17 00:00:00 2001 From: John Martinez Date: Tue, 31 Jul 2018 16:22:19 -0400 Subject: [PATCH] Document #nosec use with a list of rules Extend the readme to document the ability to prevent some, but not all, rules from being enforced within an AST node. --- README.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 95ecc28af2..afb51dbb4d 100644 --- a/README.md +++ b/README.md @@ -77,8 +77,8 @@ that are not considered build artifacts by the compiler (so test files). As with all automated detection tools there will be cases of false positives. In cases where gosec reports a failure that has been manually verified as being safe it is possible to annotate the code with a '#nosec' comment. -The annotation causes gosec to stop processing any further nodes within the -AST so can apply to a whole block or more granularly to a single expression. +The annotation causes gosec to stop processing any further nodes within the +AST so can apply to a whole block or more granularly to a single expression. ```go @@ -96,6 +96,8 @@ func main(){ ``` +When a specific false positive has been identified and verified as safe, you may wish to suppress only that single rule (or a specific set of rules) within a section of code, while continuing to scan for other problems. To do this, you can list the rule(s) to be suppressed within the `#nosec` annotation, e.g: `/* #nosec G401 */` or `// #nosec G201 G202 G203 ` + In some cases you may also want to revisit places where #nosec annotations have been used. To run the scanner and ignore any #nosec annotations you can do the following:
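Review bot: The first hunk (README.md @@ -77,8 +77,8 @@) is unrelated to the stated subject: the removed and added lines for "The annotation causes gosec to stop processing any further nodes within the / AST so can apply to a whole block or more granularly to a single expression." read as identical, so this is a whitespace-only change (most likely trailing spaces) that the commit message does not mention. Either drop it so the patch stays a pure documentation addition, or say in the message that it strips trailing whitespace, so reviewers are not left hunting for a textual difference that is not there.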
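Review bot: In the second hunk (README.md @@ -96,6 +96,8 @@) the second inline example carries a trailing space inside the backticks, `// #nosec G201 G202 G203 `, which will render as a stray space in the code span and invites copy-paste of an odd-looking annotation; drop it. The same sentence should also end "e.g.:" rather than "e.g:", and, since the paragraph above it says a bare `#nosec` stops processing of the whole AST node, it would help to state explicitly that listing rule IDs narrows the suppression to exactly those rules (any other rule still reports on that node, which the sentence implies but does not say) and that the IDs are separated by spaces, as the example shows. A short fenced `go` snippet matching the existing example block would make the behaviour clearer than two inline comment strings.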