.github/workflows/ci.yml

@@ -10,7 +10,7 @@ jobs:
   test:
     strategy:
       matrix:
-        version: [{go: '1.23.7', golangci: 'latest'}, {go: '1.24.1', golangci: 'latest'}]
+        version: [{go: '1.23.8', golangci: 'latest'}, {go: '1.24.2', golangci: 'latest'}]
     runs-on: ubuntu-latest
     env:
       GO111MODULE: on
@@ -48,7 +48,7 @@ jobs:
       - name: Setup go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24.1'
+          go-version: '1.24.2'
       - name: Checkout Source
         uses: actions/checkout@v4
       - uses: actions/cache@v4

.github/workflows/release.yml

@@ -17,7 +17,7 @@ jobs:
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
-          go-version: '1.24.1'
+          go-version: '1.24.2'
       - name: Install Cosign
         uses: sigstore/cosign-installer@v3
         with:

README.md

@@ -138,7 +138,6 @@ directory you can supply `./...` as the input argument.
 - G110: Potential DoS vulnerability via decompression bomb
 - G111: Potential directory traversal
 - G112: Potential slowloris attack
-- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772)
 - G114: Use of net/http serve function that has no support for setting timeouts
 - G115: Potential integer overflow when converting between integer types
 - G201: SQL query construction using format string
@@ -172,6 +171,7 @@ directory you can supply `./...` as the input argument.
 ### Retired rules
 
 - G105: Audit the use of math/big.Int.Exp - [CVE is fixed](https://github.com/golang/go/issues/15184)
+- G113: Usage of Rat.SetString in math/big with an overflow (CVE-2022-23772). This affected Go <1.16.14 and Go <1.17.7, which are no longer supported by gosec. 
 - G307: Deferring a method which returns an error - causing more inconvenience than fixing a security issue, despite the details from this [blog post](https://www.joeshaw.org/dont-defer-close-on-writable-files/)
 
 ### Selecting rules
@@ -304,7 +304,13 @@ You could put the description or justification text for the annotation. The
 justification should be after the rule(s) to suppress and start with two or
 more dashes, e.g: `//#nosec G101 G102 -- This is a false positive`
 
-In some cases you may also want to revisit places where `#nosec` annotations
+Alternatively, gosec also supports the `//gosec:disable` directive, which functions similar to `#nosec`:
+
+```go
+//gosec:disable G101 -- This is a false positive
+```
+
+In some cases you may also want to revisit places where `#nosec` or `//gosec:disable` annotations
 have been used. To run the scanner and ignore any `#nosec` annotations you
 can do the following:
 

USERS.md

@@ -16,6 +16,7 @@ This is a list of gosec's users. Please send a pull request with your organisati
 10. [Checkmarx](https://www.checkmarx.com/)
 11. [SeatGeek](https://www.seatgeek.com/)
 12. [reMarkable](https://remarkable.com)
+13. [SSOJet](https://ssojet.com)
 
 ## Projects
 

analyzer.go

@@ -57,6 +57,8 @@ const externalSuppressionJustification = "Globally suppressed."
 
 const aliasOfAllRules = "*"
 
+var directiveRegexp = regexp.MustCompile("^//gosec:disable(?: (.+))?$")
+
 type ignore struct {
 	start        int
 	end          int
@@ -582,53 +584,77 @@ func (gosec *Analyzer) ignore(n ast.Node) map[string]issue.SuppressionInfo {
 	}
 
 	for _, group := range groups {
-		comment := strings.TrimSpace(group.Text())
-		foundDefaultTag := strings.HasPrefix(comment, noSecDefaultTag) || regexp.MustCompile("\n *"+noSecDefaultTag).MatchString(comment)
-		foundAlternativeTag := strings.HasPrefix(comment, noSecAlternativeTag) || regexp.MustCompile("\n *"+noSecAlternativeTag).MatchString(comment)
-
-		if foundDefaultTag || foundAlternativeTag {
-			gosec.stats.NumNosec++
-
-			// Discard what's in front of the nosec tag.
-			if foundDefaultTag {
-				comment = strings.SplitN(comment, noSecDefaultTag, 2)[1]
-			} else {
-				comment = strings.SplitN(comment, noSecAlternativeTag, 2)[1]
-			}
+		found, args := findNoSecDirective(group, noSecDefaultTag, noSecAlternativeTag)
+		if !found {
+			continue
+		}
 
-			// Extract the directive and the justification.
-			justification := ""
-			commentParts := regexp.MustCompile(`-{2,}`).Split(comment, 2)
-			directive := commentParts[0]
-			if len(commentParts) > 1 {
-				justification = strings.TrimSpace(strings.TrimRight(commentParts[1], "\n"))
-			}
+		gosec.stats.NumNosec++
 
-			// Pull out the specific rules that are listed to be ignored.
-			re := regexp.MustCompile(`(G\d{3})`)
-			matches := re.FindAllStringSubmatch(directive, -1)
+		// Extract the directive and the justification.
+		justification := ""
+		commentParts := regexp.MustCompile(`-{2,}`).Split(args, 2)
+		directive := commentParts[0]
+		if len(commentParts) > 1 {
+			justification = strings.TrimSpace(strings.TrimRight(commentParts[1], "\n"))
+		}
 
-			suppression := issue.SuppressionInfo{
-				Kind:          "inSource",
-				Justification: justification,
-			}
+		// Pull out the specific rules that are listed to be ignored.
+		re := regexp.MustCompile(`(G\d{3})`)
+		matches := re.FindAllStringSubmatch(directive, -1)
 
-			// Find the rule IDs to ignore.
-			ignores := make(map[string]issue.SuppressionInfo)
-			for _, v := range matches {
-				ignores[v[1]] = suppression
-			}
+		suppression := issue.SuppressionInfo{
+			Kind:          "inSource",
+			Justification: justification,
+		}
 
-			// If no specific rules were given, ignore everything.
-			if len(matches) == 0 {
-				ignores[aliasOfAllRules] = suppression
-			}
-			return ignores
+		// Find the rule IDs to ignore.
+		ignores := make(map[string]issue.SuppressionInfo)
+		for _, v := range matches {
+			ignores[v[1]] = suppression
 		}
+
+		// If no specific rules were given, ignore everything.
+		if len(matches) == 0 {
+			ignores[aliasOfAllRules] = suppression
+		}
+		return ignores
 	}
 	return nil
 }
 
+// findNoSecDirective checks if the comment group contains `#nosec` or `//gosec:disable` directive.
+// If found, it returns true and the directive's arguments.
+func findNoSecDirective(group *ast.CommentGroup, noSecDefaultTag, noSecAlternativeTag string) (bool, string) {
+	// Check if the comment grounp has a nosec comment.
+	for _, tag := range []string{noSecDefaultTag, noSecAlternativeTag} {
+		if found, args := findNoSecTag(group, tag); found {
+			return true, args
+		}
+	}
+
+	// Check if the comment group has a directive comment.
+	for _, c := range group.List {
+		match := directiveRegexp.FindStringSubmatch(c.Text)
+		if len(match) > 0 {
+			return true, match[0]
+		}
+	}
+
+	return false, ""
+}
+
+func findNoSecTag(group *ast.CommentGroup, tag string) (bool, string) {
+	comment := strings.TrimSpace(group.Text())
+
+	if strings.HasPrefix(comment, tag) || regexp.MustCompile("\n *"+tag).MatchString(comment) {
+		// Discard what's in front of the nosec tag.
+		return true, strings.SplitN(comment, tag, 2)[1]
+	}
+
+	return false, ""
+}
+
 // Visit runs the gosec visitor logic over an AST created by parsing go code.
 // Rule methods added with AddRule will be invoked as necessary.
 func (gosec *Analyzer) Visit(n ast.Node) ast.Visitor {