Skip to content

Reduce standalone gosec exclusions to restore actionable detection of new findings#44705

Merged
pelikhan merged 2 commits into
mainfrom
copilot/go-fan-go-module-review
Jul 10, 2026
Merged

Reduce standalone gosec exclusions to restore actionable detection of new findings#44705
pelikhan merged 2 commits into
mainfrom
copilot/go-fan-go-module-review

Conversation

Copilot AI commented Jul 10, 2026

Copy link
Copy Markdown
Contributor

The current gosec setup globally excluded several rules that were already suppressed inline with rule-specific, justified #nosec annotations. That made those inline suppressions effectively dead and prevented detection of new unannotated violations in those categories.

  • Scope reduction in standalone gosec invocation

    • Updated both standalone call sites to keep only the globally noisy exclusion:
      • Makefile (security-gosec)
      • .github/workflows/security-scan.yml (Run Gosec)
    • Exclusions changed from:
      • G101,G115,G204,G602,G301,G302,G304,G306
      • to:
      • G602
  • Policy clarification in comments

    • Reworded comments in both call sites to reflect intended model:
      • global excludes only for broadly noisy rules
      • targeted suppressions via inline #nosec Gxxx -- justification
    • Added explicit rationale for retaining G602 as global exclude.
  • Config comment alignment

    • Updated .golangci.yml gosec commentary to remove outdated “source of truth / keep in sync” wording and clarify that this block applies if gosec is re-enabled in golangci-lint.
# before
-exclude=G101,G115,G204,G602,G301,G302,G304,G306

# after
-exclude=G602

Copilot AI linked an issue Jul 10, 2026 that may be closed by this pull request
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Review securego/gosec Go module usage Reduce standalone gosec exclusions to restore actionable detection of new findings Jul 10, 2026
Copilot AI requested a review from pelikhan July 10, 2026 10:59
@github-actions

Copy link
Copy Markdown
Contributor

🤖 PR Triage

Field Value
Category chore
Risk 🟡 Medium
Score 48/100 (impact:18 + urgency:18 + quality:12)
Action batch_review (pr-batch:draft-chores)

Reduces standalone gosec exclusions to restore actionable security findings detection. 3 files, minimal net change. Review with similar security/chore draft PRs.

Generated by 🔧 PR Triage Agent · 206.8 AIC · ⌖ 8.74 AIC · ⊞ 5.4K ·

@pelikhan pelikhan marked this pull request as ready for review July 10, 2026 14:42
Copilot AI review requested due to automatic review settings July 10, 2026 14:42
@pelikhan pelikhan merged commit 866f777 into main Jul 10, 2026
@pelikhan pelikhan deleted the copilot/go-fan-go-module-review branch July 10, 2026 14:43

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This pull request tightens the standalone gosec configuration so that only the broadly noisy G602 rule remains globally excluded, restoring detection for newly introduced findings that should be handled via targeted inline #nosec suppressions.

Changes:

  • Reduced standalone gosec global exclusions from multiple rules down to -exclude=G602 in both local (make security-gosec) and CI scanning.
  • Updated comments in the standalone gosec call sites to clarify the intended policy (global excludes only for noisy rules; inline #nosec Gxxx -- justification for targeted suppressions).
  • Adjusted .golangci.yml commentary to clarify it only applies if gosec is re-enabled under golangci-lint.
Show a summary per file
File Description
Makefile Narrows standalone gosec exclusions to G602 and updates policy comments.
.golangci.yml Clarifies the scope of the gosec exclusion list when/if re-enabled in golangci-lint.
.github/workflows/security-scan.yml Narrows CI gosec exclusions to G602 and updates policy comments.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 2
  • Review effort level: Low

Comment thread Makefile
Comment on lines +212 to +214
@# Keep only globally noisy rules here.
@# G602 (slice bounds check) is excluded globally due persistent false positives.
@# Use inline '#nosec Gxxx -- justification' suppressions for specific findings.
Comment on lines +30 to +32
# Keep only globally noisy rules here.
# G602 (slice bounds check) is excluded globally due persistent false positives.
# Use inline '#nosec Gxxx -- justification' suppressions for specific findings.
@github-actions

Copy link
Copy Markdown
Contributor

🎉 This pull request is included in a new release.

Release: v0.82.8

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[go-fan] Go Module Review: securego/gosec

3 participants