
chore(gosec): suppress new gosec false positives#2377

Merged
fadymak merged 2 commits into master from fm/fix-go-sec-errors on Feb 16, 2026

Conversation

@fadymak
Contributor

@fadymak fadymak commented Feb 16, 2026

Exclude G117 (secret field names) and G704 (SSRF) globally in Makefile, and add #nosec annotations for G115, G602, G705, G706.

@fadymak fadymak requested a review from a team as a code owner February 16, 2026 17:11
@coderabbitai

coderabbitai bot commented Feb 16, 2026

No actionable comments were generated in the recent review. 🎉

📝 Walkthrough

Summary by CodeRabbit

  • Chores
    • Consolidated and expanded static analysis exclusions in the build configuration.
    • Added targeted static-analysis suppression annotations across internal modules to silence specific warnings; no functional or behavioral changes.

Walkthrough

This pull request adds gosec suppression directives and broadens gosec exclusions without changing runtime behavior. Six `// #nosec` annotations were added: G115 in cmd/serve_cmd.go; G706 in internal/api/provider/provider.go, internal/api/sms_provider/sms_provider.go, and internal/security/captcha.go; G705 in internal/api/saml.go; and G602 in internal/models/one_time_token.go. The Makefile's sec target now expands exclusion flags for gosec scans, adding `-exclude=G117` and `-exclude=G704` to both commands and `-exclude=G104` (plus `-exclude=G101`) for the test scan. No control flow, error handling, or logic changes were made.


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

In `@Makefile`:
- Around line 55-56: Remove the repo-wide exclusions of G117 and G704 from the gosec invocations in the Makefile (the two lines invoking "gosec -quiet ... -exclude=G117,G704 $(CHECK_FILES)"), and instead scope suppressions to the specific false-positive locations by adding inline "#nosec" comments with justifications or using file-specific excludes (or a documented allowlist) for those known files; update the Makefile to run gosec without those global excludes and add a short note in the repo's security/README describing why any remaining scoped suppressions exist and how to verify (e.g., run the provided verification command to confirm only expected G117/G704 instances are suppressed).
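
The scoped suppression style the review comment asks for, shown on a G115 (integer conversion overflow) case. This is an added example, not code from this repository: the function names and the conversion context are assumed, and the point is that the range check makes the conversion safe while the `#nosec G115 -- ...` comment records the justification on the single line gosec would otherwise flag.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// ErrOutOfRange is returned when a value cannot be represented in the target type.
var ErrOutOfRange = errors.New("value out of range for target type")

// Int64ToInt32 converts n to int32 only after proving it fits. The range check is
// what makes the narrowing conversion safe; the trailing #nosec comment then tells
// gosec (and reviewers) why G115 does not apply to this one line. Hypothetical
// helper, not taken from the repository.
func Int64ToInt32(n int64) (int32, error) {
	if n < math.MinInt32 || n > math.MaxInt32 {
		return 0, fmt.Errorf("%w: %d does not fit in int32", ErrOutOfRange, n)
	}
	return int32(n), nil // #nosec G115 -- range checked above
}

// Int64ToUint16 applies the same pattern to a port-sized value, rejecting
// negatives as well as values above 65535.
func Int64ToUint16(n int64) (uint16, error) {
	if n < 0 || n > math.MaxUint16 {
		return 0, fmt.Errorf("%w: %d does not fit in uint16", ErrOutOfRange, n)
	}
	return uint16(n), nil // #nosec G115 -- range checked above
}

func main() {
	// Constructed sample inputs: one valid port, one too large, one negative,
	// and one that would silently wrap if converted unchecked.
	for _, n := range []int64{443, 65536, -1, math.MaxInt32 + 1} {
		p, err := Int64ToUint16(n)
		fmt.Printf("%d -> %d, err=%v\n", n, p, err)
	}
}
```

A suppression written this way keeps the global `-exclude=` list short, and a reviewer can confirm each `#nosec` by reading the guard immediately above it.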

Contributor

@cstockton cstockton left a comment


👍

@fadymak fadymak merged commit 9b47fd9 into master Feb 16, 2026
5 checks passed
@fadymak fadymak deleted the fm/fix-go-sec-errors branch February 16, 2026 17:31