Description
Is your feature request related to a problem? Please describe.
We want to enforce secure URL usage across our Go codebase. Specifically, we want to forbid using `http://` URLs in string literals to avoid accidental use of insecure connections. This is hard to enforce in code reviews and easy to miss.
Describe the solution you'd like
A new rule `forbid-http-url` that detects string literals starting with `http://` and reports a violation. Ideally, the rule should be configurable with an allowed list or allow disabling in specific cases using suppression comments.
Describe alternatives you've considered
Adding a grep-based pre-commit hook to scan for `http://`:

```sh
#!/bin/sh
if grep -r --exclude-dir=.git 'http://' .; then
    echo "Found http:// URLs. Use https:// instead."
    exit 1
fi
```
Additional context
This rule would help enforce security best practices (sometimes) and catch situations like:
- Use secure links for Go Blog and YouTube ardanlabs/gotour#266
- Use secure links for Go site ardanlabs/gotour#259
- dev: use secure links golangci/golangci-lint#5106
- docs: Use secure URLs in string literals google/go-github#3657
- https://go-review.googlesource.com/c/website/+/602835 (this for *.md, but the idea is the same)
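
A sketch of the check requested above, added here as an illustration and not the project's implementation of the proposed `forbid-http-url` rule: it walks the Go AST so that, unlike the grep hook, comments are ignored and only string literals are reported, and it applies an allow list by parsed host. The names `Finding`, `findHTTPLiterals`, `allowedHosts` and the `sample` source are assumptions made for this example.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"net/url"
	"strconv"
	"strings"
)

// Finding is one reported literal (hypothetical type for this example).
type Finding struct {
	Line  int
	Value string
}

// findHTTPLiterals reports string literals starting with "http://" whose host
// is not in allowedHosts. Comments are not BasicLit nodes, so they are skipped.
func findHTTPLiterals(src string, allowedHosts map[string]bool) ([]Finding, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	var out []Finding
	ast.Inspect(file, func(n ast.Node) bool {
		if lit, ok := n.(*ast.BasicLit); ok && lit.Kind == token.STRING {
			val, err := strconv.Unquote(lit.Value) // handles "..." and `...` forms
			u, perr := url.Parse(val)
			// Exact host match: "localhost.example.com" must not pass as "localhost".
			allowed := perr == nil && allowedHosts[u.Hostname()]
			if err == nil && strings.HasPrefix(val, "http://") && !allowed {
				out = append(out, Finding{fset.Position(lit.Pos()).Line, val})
			}
		}
		return true
	})
	return out, nil
}

// sample is constructed input: one comment, two literals to flag, two to pass.
const sample = "package p\n// docs: http://example.com/docs\n" +
	"var a = \"http://example.com/api\"\nvar b = \"https://example.com/api\"\n" +
	"var c = \"http://localhost:8080/health\"\nvar d = `http://localhost.example.com/x`\n"

func main() {
	fmt.Println(findHTTPLiterals(sample, map[string]bool{"localhost": true}))
}
```

Matching the allow list on the parsed hostname rather than on a string prefix keeps an entry such as `localhost` from also permitting look-alike hosts.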