Add a rule to warn about exported struct fields with JSON serialization that have a high chance of containing secrets.
Many enterprise environments using structured logging simply rely on JSON serialization and then inadvertently log secrets such as passwords, tokens or other sensitive information, including PII, etc. It would be good to have a rule that does static code analysis to warn about potential security vulnerabilities in this context. By offering a rule argument to set the list of fields to consider, the rule could be customized to apply to a broad range of application- or business-specific use cases.
Idea: @boriwo
Copied from mgechev/revive#1488
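One way such a rule could work, as an added example rather than code from the revive project or the issue author: it parses Go source with go/ast, treats every exported struct field as JSON-serialized unless it is tagged `json:"-"` (encoding/json falls back to the Go field name when there is no tag), and flags fields whose Go name or JSON key is in a caller-supplied list, which stands in for the proposed rule argument. The function and helper names are assumptions.

```go
package main

import (
	"go/ast"
	"go/parser"
	"go/token"
	"reflect"
	"strconv"
	"strings"
)

// norm lowercases and drops "_" and "-" so "api_key", "APIKey" and "api-key" compare equal.
func norm(s string) string { return strings.NewReplacer("_", "", "-", "").Replace(strings.ToLower(s)) }

// FindSecretFields returns "Struct.Field" for each exported field that encoding/json would serialize whose Go name or JSON key is in secretFields (the proposed rule's configurable list).
func FindSecretFields(src string, secretFields []string) ([]string, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "input.go", src, 0)
	if err != nil {
		return nil, err
	}
	wanted := map[string]bool{}
	for _, s := range secretFields {
		wanted[norm(s)] = true
	}
	var out []string
	ast.Inspect(file, func(n ast.Node) bool {
		ts, ok := n.(*ast.TypeSpec)
		if !ok {
			return true
		}
		if st, ok := ts.Type.(*ast.StructType); ok {
			for _, fld := range st.Fields.List {
				for _, name := range fld.Names { // embedded fields have no Names and are not checked
					key := name.Name // encoding/json uses the Go name unless a json tag renames it
					if fld.Tag != nil {
						raw, _ := strconv.Unquote(fld.Tag.Value) // the literal still carries its backticks
						if tagName := strings.Split(reflect.StructTag(raw).Get("json"), ",")[0]; tagName != "" {
							key = tagName // "-" excludes the field from serialization entirely
						}
					}
					if name.IsExported() && key != "-" && (wanted[norm(name.Name)] || wanted[norm(key)]) {
						out = append(out, ts.Name.Name+"."+name.Name)
					}
				}
			}
		}
		return true
	})
	return out, nil
}
```

A real rule would report the position of each finding through the linter's failure mechanism; here the result is returned so it can be asserted on.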