oasilturk/ctguard

GitHub: oasilturk/ctguard

A static analysis tool designed for Go that detects and prevents timing side-channel vulnerabilities.

Stars: 0 | Forks: 0

# CTGuard

[![Go](https://static.pigsec.cn/wp-content/uploads/repos/2026/04/476b7de4b9233535.svg)](https://github.com/oasilturk/ctguard/actions/workflows/ci.yml) [![Go Report Card](https://goreportcard.com/badge/github.com/oasilturk/ctguard)](https://goreportcard.com/report/github.com/oasilturk/ctguard) [![Coverage](https://img.shields.io/endpoint?url=https://oasilturk.github.io/ctguard/.badges/coverage.json)](https://github.com/oasilturk/ctguard/actions/workflows/ci.yml) [![Go Reference](https://pkg.go.dev/badge/github.com/oasilturk/ctguard.svg)](https://pkg.go.dev/github.com/oasilturk/ctguard) [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)

**Catch timing side-channel vulnerabilities in your Go code.**

CTGuard finds code where secret data can leak through execution time, such as comparing passwords with `==` or branching on private keys. Each finding includes a confidence level to help you focus on the most certain issues.

![CTGuard Demo](https://static.pigsec.cn/wp-content/uploads/repos/2026/04/b1cfde3e3b233537.gif)

## What it catches

| Rule | What it detects |
|------|-----------------|
| CT001 | Branches and loops that depend on secret data (`if secretKey == ...`) |
| CT002 | Non-constant-time comparisons (`bytes.Equal` on secrets) |
| CT003 | Array/map indexing with secret indices (cache timing) |
| CT004 | Secrets leaked to logs or error messages |
| CT005 | Variable-time arithmetic operations (`/`, `%`, `<<`, `>>` on secrets) |
| CT006 | Secret-related channel operations (send/receive) |
| CT007 | Secret data flowing into I/O sinks (network, file, syscall) within "isolated" regions |

## Quick example

**Vulnerable code:**

```go
//ctguard:secret key
func Check(key string) {
    normalized := strings.ToLower(key) // taint propagates
    if normalized == "admin" { // CT001: branch depends on secret!
        grantAccess()
    }
}
```

```
auth.go:4:5 CT001: branch depends on secret 'key' (confidence: high)
```

**Fixed:**

```go
//ctguard:secret key
func Check(key string) {
    normalized := strings.ToLower(key)
    if subtle.ConstantTimeCompare([]byte(normalized), []byte("admin")) == 1 {
        grantAccess()
    }
}
```

```
✓ No issues found
```

## Installation

```
go install github.com/oasilturk/ctguard/cmd/ctguard@latest
```

## Usage

Mark your secret parameters:

```go
//ctguard:secret key
func Verify(key []byte, message []byte) bool {
    return bytes.Equal(key, expected) // CTGuard will flag this
}
```

Run it:

```
ctguard ./...
```

**Output formats:**

```
ctguard ./...                # Plain text (default)
ctguard -format=json ./...   # JSON
ctguard -format=sarif ./...  # SARIF (for GitHub Code Scanning)
```

## Configuration

Create `.ctguard.yaml` in your project:

```yaml
rules:
  enable: [all]
  disable: [CT003] # optionally disable rules
exclude:
  - "vendor/**"
  - "**/*_test.go"
```
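The rules table and the quick example above show what gets flagged; the block below is an added example (not code from the CTGuard repository) showing the constant-time replacements a reviewer would expect for the patterns behind CT001 through CT004, written against Go's standard `crypto/subtle`. The function names `EqualConstantTime`, `LookupConstantTime` and `Authenticate` and the sample secret are mine.

```go
package main

import (
	"crypto/subtle"
	"errors"
	"fmt"
)

// EqualConstantTime replaces `secret == candidate` or bytes.Equal on secrets
// (CT001/CT002). subtle.ConstantTimeCompare's running time depends only on the
// lengths, never on the position of the first differing byte.
func EqualConstantTime(secret, candidate []byte) bool {
	return subtle.ConstantTimeCompare(secret, candidate) == 1
}

// LookupConstantTime replaces table[secretIdx] (CT003). Every entry is read on
// every call, so the memory-access pattern (and therefore cache timing) does
// not depend on secretIdx. An out-of-range index yields 0 without branching.
func LookupConstantTime(table []byte, secretIdx int) byte {
	out := 0
	for i, v := range table {
		hit := subtle.ConstantTimeEq(int32(i), int32(secretIdx)) // 1 or 0, branch-free
		out = subtle.ConstantTimeSelect(hit, int(v), out)
	}
	return byte(out)
}

// ErrAuthFailed is the only error Authenticate returns on mismatch (CT004):
// its message never echoes the secret or the value it was compared against.
var ErrAuthFailed = errors.New("authentication failed")

// Authenticate branches only on the public pass/fail result of the comparison,
// not on secret bytes, so the branch leaks nothing beyond that one bit.
func Authenticate(secret, presented []byte) error {
	if !EqualConstantTime(secret, presented) {
		return ErrAuthFailed // not fmt.Errorf("bad key %q", presented)
	}
	return nil
}

func main() {
	secret := []byte("s3cret-api-key") // constructed sample value, not a real credential
	fmt.Println("match:", EqualConstantTime(secret, []byte("s3cret-api-key")))
	fmt.Println("mismatch:", Authenticate(secret, []byte("guess")))
	fmt.Println("lookup:", LookupConstantTime([]byte{10, 20, 30, 40}, 2))
}
```

`ConstantTimeCompare` still returns 0 immediately when the lengths differ, so length is treated as public here; pad or hash inputs first if the length of a secret must not leak either.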
**Advanced configuration:**

```yaml
# Annotate without modifying code. Wildcards supported.
annotations:
  secrets:
    - package: "github.com/vendor/examples"
      function: "NonConstantTimeFunction"
      params: ["secret"]
  ignores:
    - package: "github.com/vendor/examples"
      function: "SafeFunction"

rules: all            # or specific rules like ["CT001", "CT002"]
format: json          # plain, json, or sarif
fail: true            # exit code on findings
summary: true         # show stats
min-confidence: low   # low or high
```

See [.ctguard.yaml.example](.ctguard.yaml.example) for all options.
## CI integration

**GitHub Actions (recommended):**

```yaml
- uses: oasilturk/ctguard@main
```

**With options:**

```yaml
- uses: oasilturk/ctguard@main
  with:
    format: json
    args: "-fail=false ./..."
```

**With GitHub Code Scanning:**

```yaml
- uses: oasilturk/ctguard@main
  with:
    format: sarif
    args: "-fail=false ./..."
    sarif-file: ctguard.sarif
- uses: github/codeql-action/upload-sarif@v4
  with:
    sarif_file: ctguard.sarif
```
**Manual installation:**

```yaml
- run: go install github.com/oasilturk/ctguard/cmd/ctguard@latest
- run: ctguard ./...
```
## Suppressing findings

When you have a legitimate reason to ignore a finding:

```go
//ctguard:secret token
func ParseToken(token string) bool {
    //ctguard:ignore CT002 -- comparing constant prefix for parsing
    return strings.HasPrefix(token, "Bearer ")
}
```

## Learn more

- [Contributing Guide](CONTRIBUTING.md)
- [Security Policy](SECURITY.md)
- [Example Config](.ctguard.yaml.example)

## License

MIT © [oasilturk](https://github.com/oasilturk)
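The `//ctguard:secret` and `//ctguard:ignore` lines used throughout this README are comment directives, and the quick example relies on taint propagating from the annotated parameter through `strings.ToLower` into the branch. The block below is an added illustration of how such a check can be built on `go/ast`; it is not CTGuard's implementation and makes no claim about its internals. It implements only the CT001 idea (an `if` condition that reads a secret or a value derived from one), propagates taint forward through assignments, and treats any `ConstantTimeCompare(...)` call as a sanitizer so the README's fixed code is not reported. The function names and the `sample` input are mine; field selectors are matched by identifier name, a simplification of a real analysis.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"strings"
)

// secretsFor seeds the taint map (identifier -> originating secret) from the
// `//ctguard:secret a b` lines in fn.Doc; the caller guarantees fn.Doc != nil.
func secretsFor(fn *ast.FuncDecl) map[string]string {
	tainted := map[string]string{}
	for _, c := range fn.Doc.List { // directives stay in List even though Doc.Text() hides them
		if strings.HasPrefix(c.Text, "//ctguard:secret ") {
			for _, name := range strings.Fields(c.Text[len("//ctguard:secret "):]) {
				tainted[name] = name
			}
		}
	}
	return tainted
}

// mentions returns the originating secret if e reads a tainted identifier, else "".
// A ConstantTimeCompare(...) call is a sanitizer: its 0/1 result is public, so it is not entered.
func mentions(e ast.Expr, tainted map[string]string) string {
	origin := ""
	ast.Inspect(e, func(n ast.Node) bool {
		switch x := n.(type) {
		case *ast.CallExpr:
			if sel, ok := x.Fun.(*ast.SelectorExpr); ok && sel.Sel.Name == "ConstantTimeCompare" {
				return false
			}
		case *ast.Ident:
			if o, ok := tainted[x.Name]; ok {
				origin = o
			}
		}
		return origin == ""
	})
	return origin
}

// Scan implements the CT001 idea: each if-condition that reads a secret, or a value
// derived from one, is reported as line -> secret. Taint flows forward through
// assignments in source order; no type information is used.
func Scan(src string) (map[int]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "input.go", src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	findings := map[int]string{}
	for _, decl := range file.Decls {
		fn, ok := decl.(*ast.FuncDecl)
		if !ok || fn.Body == nil || fn.Doc == nil {
			continue
		}
		tainted := secretsFor(fn)
		ast.Inspect(fn.Body, func(n ast.Node) bool {
			switch x := n.(type) {
			case *ast.AssignStmt: // v := f(secret) taints v; i%len also covers a, b := g(secret)
				for i, lhs := range x.Lhs {
					if id, ok := lhs.(*ast.Ident); ok {
						if o := mentions(x.Rhs[i%len(x.Rhs)], tainted); o != "" {
							tainted[id.Name] = o
						}
					}
				}
			case *ast.IfStmt:
				if o := mentions(x.Cond, tainted); o != "" {
					findings[fset.Position(x.Pos()).Line] = o
				}
			}
			return true
		})
	}
	return findings, nil
}

// sample is a constructed input for this example, not code from the CTGuard repository.
const sample = `package p
//ctguard:secret key
func Check(key string) bool {
	normalized := strings.ToLower(key)
	if normalized == "admin" { return true } // CT001 expected here (line 5)
	return false
}
//ctguard:secret key
func CheckFixed(key string) bool {
	normalized := strings.ToLower(key)
	if subtle.ConstantTimeCompare([]byte(normalized), []byte("admin")) == 1 { return true } // clean
	return false
}
`

func main() {
	findings, err := Scan(sample)
	fmt.Println(findings, err) // map[5:key] <nil>
}
```

Because the walk never enters a `ConstantTimeCompare` call, `CheckFixed` produces nothing while `Check` is reported at its `if`, which is the same distinction the quick example makes. The analysis is deliberately conservative: `if len(key) > 0` would also be reported, which is the kind of case the `//ctguard:ignore` directive above exists for.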