Rule documentation updates (#1272)

dannyc-grafana · web-flow · commit e21b4d42cf52 · 2024-12-17T09:40:45.000+01:00
diff --git a/README.md b/README.md
@@ -211,30 +211,9 @@ A number of global settings can be provided in a configuration file as follows:
 $ gosec -conf config.json .
 ```
 
-Also some rules accept configuration. For instance on rule `G104`, it is possible to define packages along with a list
-of functions which will be skipped when auditing the not checked errors:
+#### Rule Configuration
 
-```JSON
-{
-    "G104": {
-        "ioutil": ["WriteFile"]
-    }
-}
-```
-
-You can also configure the hard-coded credentials rule `G101` with additional patterns, or adjust the entropy threshold:
-
-```JSON
-{
-    "G101": {
-        "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
-         "ignore_entropy": false,
-         "entropy_threshold": "80.0",
-         "per_char_threshold": "3.0",
-         "truncate": "32"
-    }
-}
-```
+Some rules accept configuration flags as well; these flags are documented in [RULES.md](https://github.com/securego/gosec/blob/master/RULES.md).
 
 #### Go version
 
diff --git a/RULES.md b/RULES.md
@@ -0,0 +1,61 @@
+# Rule Documentation
+
+## Rules accepting parameters
+
+As [README.md](https://github.com/securego/gosec/blob/master/README.md) mentions, some rules can be configured by adding parameters to the gosec JSON config. Per rule configs are encoded as top level objects in the gosec config, with the rule ID (`Gxxx`) as the key.
+
+Currently, the following rules accept parameters. This list is manually maintained; if you notice an omission please add it!
+
+### G101
+
+The hard-coded credentials rule `G101` can be configured with additional patterns, and the entropy threshold can be adjusted:
+
+```JSON
+{
+    "G101": {
+        "pattern": "(?i)passwd|pass|password|pwd|secret|private_key|token",
+         "ignore_entropy": false,
+         "entropy_threshold": "80.0",
+         "per_char_threshold": "3.0",
+         "truncate": "32"
+    }
+}
+```
+
+### G104
+
+The unchecked error value rule `G104` can be configured with additional functions that should be permitted to be called without checking errors.
+
+```JSON
+{
+    "G104": {
+        "ioutil": ["WriteFile"]
+    }
+}
+```
+
+### G111
+
+The HTTP Directory serving rule `G111` can be configured with a different regex for detecting potentially overly permissive servers. Note that this *replaces* the default pattern of `http\.Dir\("\/"\)|http\.Dir\('\/'\)`.
+
+```JSON
+{
+    "G111": {
+        "pattern": "http\\.Dir\\(\"\\\/\"\\)|http\\.Dir\\('\\\/'\\)"
+    }
+}
+
+```
+
+### G301, G302, G306, G307
+
+The various file and directory permission checking rules can be configured with a different maximum allowable file permission.
+
+```JSON
+{
+    "G301":"0o600",
+    "G302":"0o600",
+    "G306":"0o750",
+    "G307":"0o750"
+}
+```
