peakle/security-rules

security-rules

Ruleguard security rules

What is checked now:

  1. HTTP without SSL (plain http:// URLs)
  2. Old hash functions like MD5
  3. TLS InsecureSkipVerify option usage
  4. Old TLS versions
  5. Old cipher usage, like RC4
  6. Swagger body validation function usage
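To make concrete what source patterns checks 1 to 5 are after, here is an added, stand-alone illustration that is not part of this repository: a small go/ast walk that flags the same constructs in a constructed Go source sample, next to a hardened variant of that sample that comes out clean. It uses only the standard library rather than the ruleguard DSL the real rules are written in, so it is a teaching approximation (it matches by identifier names, not by types, and it does not cover the Swagger check); the ScanSource function, the Finding type and both sample sources are assumptions made here.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// Finding is one flagged location in the scanned source (assumed type, not from the project).
type Finding struct {
	Line int
	Msg  string
}

// ScanSource parses one Go file given as text and reports the kinds of patterns
// the rules on this page target. Name-based matching only: a local variable
// called md5 or tls would also be flagged, which a typed ruleguard rule avoids.
func ScanSource(src string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	add := func(pos token.Pos, msg string) {
		out = append(out, Finding{Line: fset.Position(pos).Line, Msg: msg})
	}
	ast.Inspect(f, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.KeyValueExpr: // tls.Config{InsecureSkipVerify: true}
			if k, ok := x.Key.(*ast.Ident); ok && k.Name == "InsecureSkipVerify" {
				if v, ok := x.Value.(*ast.Ident); ok && v.Name == "true" {
					add(x.Pos(), "InsecureSkipVerify: true disables certificate verification")
				}
			}
		case *ast.SelectorExpr: // md5.Sum, tls.VersionTLS10, tls.TLS_RSA_WITH_RC4_128_SHA
			pkg, ok := x.X.(*ast.Ident)
			if !ok {
				return true
			}
			name := x.Sel.Name
			switch {
			case pkg.Name == "md5":
				add(x.Pos(), "md5 is a broken hash; use sha256")
			case pkg.Name == "tls" && (name == "VersionSSL30" || name == "VersionTLS10" || name == "VersionTLS11"):
				add(x.Pos(), "old TLS version "+name+"; use tls.VersionTLS12 or newer")
			case pkg.Name == "tls" && strings.Contains(name, "RC4"):
				add(x.Pos(), "RC4 cipher suite "+name)
			}
		case *ast.BasicLit: // "http://..." string literals
			if x.Kind == token.STRING && strings.HasPrefix(strings.Trim(x.Value, "`\""), "http://") {
				add(x.Pos(), "plain http:// URL, no TLS")
			}
		}
		return true
	})
	return out, nil
}

// Constructed sample that contains one instance of each flagged pattern.
const sampleSrc = `package demo

import (
	"crypto/md5"
	"crypto/tls"
	"net/http"
)

func connect() {
	_ = http.Get("http://example.internal/health")
	cfg := &tls.Config{
		InsecureSkipVerify: true,
		MinVersion:         tls.VersionTLS10,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA},
	}
	_ = cfg
	_ = md5.Sum([]byte("data"))
}
`

// Constructed hardened variant: https, certificate verification kept, TLS 1.2 floor, sha256.
const hardenedSrc = `package demo

import (
	"crypto/sha256"
	"crypto/tls"
	"net/http"
)

func connect() {
	_ = http.Get("https://example.internal/health")
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	_ = cfg
	_ = sha256.Sum256([]byte("data"))
}
`

func main() {
	for _, src := range []string{sampleSrc, hardenedSrc} {
		findings, err := ScanSource(src)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%d finding(s)\n", len(findings))
		for _, f := range findings {
			fmt.Printf("  line %d: %s\n", f.Line, f.Msg)
		}
	}
}
```

Running it reports five findings for the first sample (lines 10, 12, 13, 14 and 17 of that sample) and none for the hardened one; the real rules do the same matching declaratively and with type information, which is why they live in a rules.go file consumed by ruleguard rather than in a hand-written walker like this.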

How to use:

Full installation example: https://github.com/peakle/dc-rules-example

  1. Install the rules:
    go get -v github.com/peakle/security-rules
  2. Create a rules.go file in your project, as in the example
  3. Add the linter to your pipeline:
    1. As another check in golangci-lint (works with golangci-lint >v1.27.0):

      linters:
        enable:
          - gocritic
      linters-settings:
        gocritic:
          enabled-checks:
            - ruleguard
          settings:
            ruleguard:
              rules: "YourDir/rules.go"
    2. As a File Watcher in the GoLand IDE (works with golangci-lint >v1.27.0):

      1. add golangci-lint as a File Watcher in the IDE (Preferences -> Tools -> File Watchers -> Add)
      2. set the Arguments field, assuming a .golangci.yml file like the example above:
      run $FileDir$ --config=$ProjectFileDir$/.golangci.yml

How to update to a new rules version:

  1. update the rules version in your go.mod file
  2. download the new rules version:
    go get github.com/peakle/security-rules@newVersion
  3. if you are using golangci-lint, clear its cache:
    golangci-lint cache clean

How to add new checks:

  1. Ruleguard tour for newbies: https://go-ruleguard.github.io/by-example
  2. Fork repo && open PR :D