
multirepo.go: Implicit memory aliasing in for loop #676

@udf2457

I can't take credit for this one, I was just running go-tuf through gosec out of curiosity. 😆

```
[/go-tuf/metadata/multirepo/multirepo.go:281] - G601 (CWE-118): Implicit memory aliasing in for loop. (Confidence: MEDIUM, Severity: MEDIUM)
280: // this is the first target we found matching the necessary threshold so save it
281: result = &target
282: }
```

You have two options to fix it:

  1. Bump go.mod to 1.22 and it will automagically be fixed, as per the 1.22 release notes:

     > In Go 1.22, each iteration of the loop creates new variables, to avoid accidental sharing bugs.

  2. Various "legacy" options as outlined in this SO answer, for example "index the ranged slice/array/map" would look like this:

```go
for tn, target := range matchedTargetGroups { // add tn iterator
/// REMOVED CODE FOR CLARITY
                        result = &matchedTargetGroups[tn] // &matchedTargetGroups[tn] instead of &target
                }
        }
}
```
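Added example, not part of the original issue or the go-tuf code base: a minimal reproduction of what G601 warns about, next to the index-based fix. The `targetMatch` type, its fields, the function names and the sample data are hypothetical, and it assumes a slice and a loop that keeps iterating after the assignment (the issue elides the rest of the loop body). The shared variable is declared explicitly so the pre-1.22 behaviour shows up on any Go toolchain.

```go
package main

import "fmt"

// targetMatch is a hypothetical stand-in for an element of matchedTargetGroups.
type targetMatch struct {
	name  string
	repos int // number of repositories agreeing on this target (assumed field)
}

// firstMatchAliased spells out Go < 1.22 range semantics: a single loop
// variable is reused on every iteration, so &target is always the same address.
func firstMatchAliased(groups []targetMatch, threshold int) *targetMatch {
	var result *targetMatch
	var target targetMatch // one shared variable, as the pre-1.22 compiler did
	for i := range groups {
		target = groups[i]
		if result == nil && target.repos >= threshold {
			result = &target // G601: points at the loop variable, not the element
		}
	}
	return result // sees whatever the final iteration wrote into target
}

// firstMatchIndexed applies the "index the ranged slice" fix: the pointer
// refers to the element's own storage and later iterations cannot change it.
func firstMatchIndexed(groups []targetMatch, threshold int) *targetMatch {
	var result *targetMatch
	for i := range groups {
		if result == nil && groups[i].repos >= threshold {
			result = &groups[i]
		}
	}
	return result
}

func main() {
	// Constructed sample data.
	groups := []targetMatch{{"a.txt", 1}, {"b.txt", 2}, {"c.txt", 3}}
	fmt.Println("aliased:", firstMatchAliased(groups, 2).name)
	fmt.Println("indexed:", firstMatchIndexed(groups, 2).name)
}
```

The indexing fix only compiles for slices and arrays; Go does not allow taking the address of a map element, so a map would need a per-iteration copy (`target := target`) instead.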
