archive.go big.go bind.go blacklist.go errors.go fileperms.go hardcoded_credentials.go rand.go readfile.go rsa.go rulelist.go sql.go ssh.go ssrf.go subproc.go tempfiles.go templates.go tls.go tls_config.go unsafe.go weakcrypto.go
NewArchive creates a new rule which detects file traversal when extracting zip archives
NewBadTempFile detects direct writes to a predictable path in the temporary directory
NewBindsToAllNetworkInterfaces detects socket connections that are set up to listen on all network interfaces.
NewBlacklistedImportCGI fails if CGI is imported
NewBlacklistedImportDES fails if DES is imported
NewBlacklistedImportMD5 fails if MD5 is imported
NewBlacklistedImportRC4 fails if RC4 is imported
NewBlacklistedImportSHA1 fails if SHA1 is imported
NewBlacklistedImports reports when a blacklisted import is being used. This is typically when a deprecated technology is being used.
NewFilePerms creates a rule to detect file creation with a permission mask more permissive than the configured one.
NewHardcodedCredentials attempts to find high entropy string constants being assigned to variables that appear to be related to credentials.
NewIntermediateTLSCheck creates a check for Intermediate TLS ciphers. DO NOT EDIT - generated by tlsconfig tool
NewMkdirPerms creates a rule to detect directory creation with a permission mask more permissive than the configured one.
NewModernTLSCheck creates a check for Modern TLS ciphers. DO NOT EDIT - generated by tlsconfig tool
NewNoErrorCheck detects if the returned error is unchecked
NewOldTLSCheck creates a check for Old TLS ciphers. DO NOT EDIT - generated by tlsconfig tool
NewReadFile detects cases where we read files
NewSQLStrConcat looks for cases where we are building SQL strings via concatenation
NewSQLStrFormat looks for cases where we're building SQL query strings using format strings
NewSSHHostKey rule detects the use of an insecure SSH HostKeyCallback.
NewSSRFCheck detects cases where HTTP requests are sent
NewSubproc detects cases where we are forking out to an external process
NewTemplateCheck constructs the template check rule. This rule is used to find use of templates where HTML/JS escaping is not being used
NewUsesWeakCryptography detects uses of des.*, md5.* or rc4.*
NewUsingBigExp detects issues with modulus == 0 for Bignum
NewUsingUnsafe rule detects the use of the unsafe package. This is only really useful for auditing purposes.
NewWeakKeyStrength builds a rule that detects RSA keys < 2048 bits
NewWeakRandCheck detects the use of a random number generator that isn't cryptographically secure
RuleDefinition contains the description of a rule and a mechanism to create it.
RuleFilter can be used to include or exclude a rule depending on the return value of the function
NewRuleFilter is a closure that will include/exclude the rule IDs based on the supplied boolean value.
RuleList is a mapping of rule IDs to rule definitions
Generate the list of rules to use
Builders returns all the create methods for a given rule list