
Rule to detect secrets serialization

Open · alexandear opened this issue 1 month ago · 1 comment

Add a rule to warn about exported struct fields with JSON serialization that have a high chance of containing secrets.

Many enterprise environments using structured logging simply rely on JSON serialization and then inadvertently log secrets such as passwords, tokens, or other sensitive information, including PII. It would be good to have a rule that does static code analysis to warn about potential security vulnerabilities in this context. By offering a rule argument to set the list of fields to consider, the rule could be customized to apply to a broad range of application- or business-specific use cases.

Idea: @boriwo

Copied from https://github.com/mgechev/revive/issues/1488

alexandear, Nov 06 '25 16:11

There is a rule for hardcoded credentials; maybe it can be extended to also scan the serialization tag text. Have a look at https://github.com/securego/gosec/blob/c34cbbf56507211a7bfd749654ba2e76c5851f71/rules/hardcoded_credentials.go#L224.

ccojocar, Nov 07 '25 09:11
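To make the proposal in the issue concrete, and the follow-up suggestion that the check could look at the serialization tag text, here is an added stand-alone sketch of such a check written against `go/ast`. It is example code written for this page, not gosec's own rule and not the hardcoded-credentials rule linked above; the keyword list `DefaultSensitiveWords`, the `Finding` type and the `sample` source are all assumptions chosen for illustration. The check mirrors what `encoding/json` actually does: unexported fields and fields tagged `json:"-"` are never serialized and so produce no finding, the tag name (before any `,omitempty`) takes precedence over the Go field name, and a missing tag falls back to the field name.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"reflect"
	"strconv"
	"strings"
)

// Finding is one exported struct field that encoding/json would emit under a
// name that suggests a secret. (Hypothetical type, not part of gosec.)
type Finding struct {
	Struct   string // enclosing named struct type
	Field    string // Go field name
	JSONName string // name encoding/json would emit
	Line     int
}

// DefaultSensitiveWords is an assumed default; in a real rule this would come
// from a rule argument so projects can tune it to their own field names.
var DefaultSensitiveWords = []string{
	"password", "passwd", "secret", "token", "apikey", "api_key",
	"privatekey", "private_key", "ssn",
}

// normalize lowercases and strips separators so "API_Key", "apiKey" and
// "api-key" all compare equal.
func normalize(s string) string {
	return strings.NewReplacer("_", "", "-", "", ".", "").Replace(strings.ToLower(s))
}

// isSensitive reports whether name contains any of the configured keywords.
func isSensitive(name string, words []string) bool {
	n := normalize(name)
	for _, w := range words {
		if strings.Contains(n, normalize(w)) {
			return true
		}
	}
	return false
}

// jsonName returns the name encoding/json would use for the field and whether
// the field is serialized at all (json:"-" and unexported fields are not).
func jsonName(field *ast.Field, goName string) (string, bool) {
	if field.Tag == nil {
		return goName, true
	}
	raw, err := strconv.Unquote(field.Tag.Value) // tag literal is a backtick string
	if err != nil {
		return goName, true
	}
	tag, ok := reflect.StructTag(raw).Lookup("json")
	if !ok {
		return goName, true
	}
	if tag == "-" {
		return "", false // explicitly excluded from serialization
	}
	if name := strings.Split(tag, ",")[0]; name != "" { // drop ",omitempty" etc.
		return name, true
	}
	return goName, true
}

// ScanSource parses one Go file and reports exported fields of named struct
// types that would be serialized under a sensitive name. Anonymous struct
// literals are not covered by this sketch.
func ScanSource(filename, src string, words []string) ([]Finding, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, 0)
	if err != nil {
		return nil, err
	}
	var findings []Finding
	ast.Inspect(f, func(n ast.Node) bool {
		ts, ok := n.(*ast.TypeSpec)
		if !ok {
			return true
		}
		st, ok := ts.Type.(*ast.StructType)
		if !ok {
			return true
		}
		for _, field := range st.Fields.List {
			for _, ident := range field.Names { // embedded fields have no Names and are skipped
				if !ident.IsExported() {
					continue // encoding/json never emits unexported fields
				}
				jname, emitted := jsonName(field, ident.Name)
				if !emitted {
					continue
				}
				if isSensitive(jname, words) || isSensitive(ident.Name, words) {
					findings = append(findings, Finding{
						Struct: ts.Name.Name, Field: ident.Name, JSONName: jname,
						Line: fset.Position(ident.Pos()).Line,
					})
				}
			}
		}
		return true
	})
	return findings, nil
}

// sample is a constructed input file; line numbers start at "package demo".
const sample = "package demo\n\n" +
	"type Login struct {\n" +
	"\tUser      string `json:\"user\"`\n" + // line 4: benign
	"\tPassword  string `json:\"password\"`\n" + // line 5: finding
	"\tAPIKey    string `json:\"api_key,omitempty\"`\n" + // line 6: finding, option stripped
	"\tToken     string `json:\"-\"`\n" + // line 7: never serialized, no finding
	"\tsecret    string `json:\"secret\"`\n" + // line 8: unexported, no finding
	"\tSessionID string `json:\"session_id\"`\n" + // line 9: not in the list
	"\tAuth      string `json:\"bearer_token\"`\n" + // line 10: finding via tag name
	"}\n"

func main() {
	findings, err := ScanSource("sample.go", sample, DefaultSensitiveWords)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("sample.go:%d: exported field %s.%s is serialized as JSON %q and may contain a secret\n",
			f.Line, f.Struct, f.Field, f.JSONName)
	}
}
```

Run against the constructed sample it reports `Password`, `APIKey` and `Auth` and stays quiet on `Token` (`json:"-"`), the unexported `secret`, and `SessionID`; the last case shows why the keyword list has to be configurable, since whether a session identifier counts as sensitive is a per-project decision.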