Summary

.golangci.yml excludes gosec rules G204 (command execution) and G304 (tainted file paths) for the whole codebase, which hides real issues around unsafe exec usage or file operations.

Desired outcome

• Remove the global exclusions for G204/G304 in .golangci.yml.
• Audit existing exec.Command/file operations and add //nolint:gosec only where inputs are validated.
• Prefer validation over suppression wherever possible.

Notes

• Most command execution goes through helpers in internal/git; sanitizing inputs there should cover most cases.
• After re-enabling, ensure gosec still passes locally and in CI without broad suppressions.