diff --git a/.golangci.yml b/.golangci.yml
index 28f46f670..53021526b 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -152,6 +152,20 @@ linters:
 - err113
 path: magefile.go
 text: 'do not define dynamic errors, use wrapped static errors instead:'
+ - linters:
+ - gosec
+ text: 'G117:' # Struct fields named Password/Secret/AccessToken are intentional data model fields
+ - linters:
+ - gosec
+ text: 'G101:'
+ path: (pkg/webtests/|pkg/e2etests/|_test\.go) # Test fixtures with bcrypt hashes, not real credentials
+ - linters:
+ - gosec
+ text: 'G70[24]:'
+ path: magefile.go # Build tooling, not user-facing code
+ - linters:
+ - goheader
+ path: plugins/
 paths:
 - third_party$
 - builtin$
diff --git a/pkg/models/export.go b/pkg/models/export.go
index 5c953e134..4772fa2d5 100644
--- a/pkg/models/export.go
+++ b/pkg/models/export.go
@@ -81,7 +81,7 @@ func ExportUserData(s *xorm.Session, u *user.User) (err error) {
 dumpWriter.Close()
 dumpFile.Close()
- exported, err := os.Open(tmpFilename)
+ exported, err := os.Open(tmpFilename) // #nosec G703 -- tmpFilename is generated internally, not from user input
 if err != nil {
 return err
 }
@@ -107,7 +107,7 @@ func ExportUserData(s *xorm.Session, u *user.User) (err error) {
 }
 // Remove the old file
- err = os.Remove(exported.Name())
+ err = os.Remove(exported.Name()) // #nosec G703 -- path from internally created temp file
 if err != nil {
 return err
 }
diff --git a/pkg/modules/dump/restore.go b/pkg/modules/dump/restore.go
index 5c9062cfc..953951e00 100644
--- a/pkg/modules/dump/restore.go
+++ b/pkg/modules/dump/restore.go
@@ -247,7 +247,7 @@ func restoreFile(id int64, zipFile *zip.File) error {
 }
 defer func() {
 _ = tmpFile.Close()
- _ = os.Remove(tmpFile.Name())
+ _ = os.Remove(tmpFile.Name()) // #nosec G703 -- path from os.CreateTemp, not user input
 }()
 // Limit copy size to prevent decompression bombs
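Review bot: The G117 exclusion has no `path`, so it silences that gosec finding for every package rather than only the data-model structs its comment describes; a new field with one of those names in, say, an API response or log struct would no longer be reported anywhere. Scoping it with a `path:` that matches the model packages (the hunk does not show where those live) keeps the suppression as narrow as the other three entries, which are all path-bounded. The G101 regex `(pkg/webtests/|pkg/e2etests/|_test\.go)` is unanchored, which is presumably intended since it must match anywhere inside the path, but it also matches a file such as `pkg/foo/not_test.go_helper.go` — anchoring the last alternative as `_test\.go$` avoids that.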
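Review bot: The `#nosec G703` reason on the os.Open line states that tmpFilename is generated internally, but the hunk does not show where it is built; if any component of it is derived from u (a username or e-mail embedded in the file name, for instance) the reason no longer holds, so the comment should name the producing call, e.g. `// #nosec G703 -- tmpFilename comes from the temp-file call above (os.CreateTemp or equivalent), not from request data`. The same justification, worded differently, is repeated on the os.Remove line in the next hunk of this file; one wording in both places makes a later audit easier. Separately, the two Close calls just above discard their errors, and if dumpWriter finalizes its output on Close a failed flush would let a truncated export be reopened on the very next line — `if err := dumpWriter.Close(); err != nil { return err }` closes that gap. ExportUserData's body extends outside the hunk.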
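Review bot: The hunk removes `exported` but no Close of it is visible; if no Close sits between this hunk and the previous one, the handle stays open until function exit and the os.Remove fails on Windows, turning an otherwise successful export into a returned error. Either a `defer exported.Close()` right after the os.Open in the earlier hunk, or an explicit `if err := exported.Close(); err != nil { return err }` immediately before the Remove, settles the order. ExportUserData's body continues outside the hunk.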
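Review bot: The deferred `_ = os.Remove(tmpFile.Name())` discards the removal error, so a restore that cannot delete its scratch copy leaves extracted dump content on disk with no trace in the logs; since the file comes from os.CreateTemp, as the new comment says, reporting the failure is the only way an operator learns the temp directory needs attention. Replacing the blank assignment with `if err := os.Remove(tmpFile.Name()); err != nil { /* report via the package's logger */ }` keeps the cleanup best-effort while making it visible. restoreFile's body continues outside the hunk.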
diff --git a/pkg/modules/migration/microsoft-todo/microsoft_todo.go b/pkg/modules/migration/microsoft-todo/microsoft_todo.go
index edc1115de..aa31cf3c8 100644
--- a/pkg/modules/migration/microsoft-todo/microsoft_todo.go
+++ b/pkg/modules/migration/microsoft-todo/microsoft_todo.go
@@ -187,7 +187,7 @@ func makeAuthenticatedGetRequest(token, urlPart string, v interface{}) error {
 }
 req.Header.Set("Authorization", "Bearer "+token)
- resp, err := (&http.Client{}).Do(req)
+ resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is constructed from a hardcoded API prefix
 if err != nil {
 return err
 }
diff --git a/pkg/utils/avatar.go b/pkg/utils/avatar.go
index 1ccd7b911..b5c7ad296 100644
--- a/pkg/utils/avatar.go
+++ b/pkg/utils/avatar.go
@@ -101,7 +101,7 @@ func DownloadImage(url string) ([]byte, error) {
 return nil, fmt.Errorf("failed to create HTTP request: %w", err)
 }
- resp, err := (&http.Client{}).Do(req)
+ resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL is constructed from a hardcoded API prefix
+ resp, err := (&http.Client{}).Do(req) // #nosec G704 -- URL comes from OIDC provider picture claim
 if err != nil {
 return nil, fmt.Errorf("failed to download image: %w", err)
 }
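Review bot: `(&http.Client{})` on the changed line has no Timeout, so a stalled upstream response blocks the migration indefinitely; the new suppression comment addresses only where the URL comes from, not this. A package-level `var httpClient = &http.Client{Timeout: 30 * time.Second}` reused here (and in the avatar downloader touched by this same commit) fixes the missing timeout and the per-call client allocation at once — 30 s is a placeholder to tune, and `time` must be imported. The G704 reason holds only while urlPart is a literal path fragment, which the hunk does not show; if it ever carries a value taken from an upstream response, such as a pagination link, the suppression should be re-examined rather than inherited. The signature still uses `interface{}` where `any` is the idiom now; makeAuthenticatedGetRequest's body extends outside the hunk.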
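Review bot: The `#nosec G704` reason on the Do line — that the URL comes from the OIDC picture claim — describes external input rather than a trusted constant: the claim is supplied by the identity provider and, depending on the provider, by the end user editing their own profile, so the request target is attacker-influenceable, which is the case the check exists for. Rather than rely on the comment alone, back the suppression with a check: accept only http/https on req.URL before the call, give the client a Timeout, and read the response through io.LimitReader so an oversized or slow image cannot exhaust memory or stall the login flow; if the server sits beside internal services, rejecting destinations that resolve to internal address ranges is a further step. The sketch below shows only the changed lines and needs `time` (and `io` for the limit) imported; DownloadImage's request construction and response handling lie outside the hunk, so `defer resp.Body.Close()` is only needed if it is not already there.
```go
	if req.URL.Scheme != "https" && req.URL.Scheme != "http" {
		return nil, fmt.Errorf("unsupported avatar URL scheme %q", req.URL.Scheme)
	}
	client := &http.Client{Timeout: 10 * time.Second} // placeholder value; tune for the deployment
	resp, err := client.Do(req) // #nosec G704 -- scheme restricted above; URL comes from OIDC provider picture claim
	if err != nil {
		return nil, fmt.Errorf("failed to download image: %w", err)
	}
	// … unchanged: status check and body read, with resp.Body wrapped in io.LimitReader(resp.Body, MAX_AVATAR_BYTES_PLACEHOLDER) …
```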