diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 17885b71602..1a7ae7d52ef 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml @@ -27,11 +27,12 @@ jobs: - name: Run Gosec run: | go install github.com/securego/gosec/v2/cmd/gosec@v2.27.1 - # Exclusions configured in .golangci.yml (linters-settings.gosec.exclude) - # Keep this list in sync with .golangci.yml for consistency + # Keep only globally noisy rules here. + # G602 (slice bounds check) is excluded globally due persistent false positives. + # Use inline '#nosec Gxxx -- justification' suppressions for specific findings. gosec -fmt sarif -out gosec-results.sarif -stdout -exclude-generated -track-suppressions \ -nosec-require-rules -nosec-require-justification \ - -exclude=G101,G115,G204,G602,G301,G302,G304,G306 \ + -exclude=G602 \ ./... - name: Upload Gosec SARIF @@ -63,4 +64,3 @@ jobs: with: sarif_file: govulncheck-results.sarif category: govulncheck - diff --git a/.golangci.yml b/.golangci.yml index 04db1c5f58c..070bd3e3e4f 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -70,10 +70,8 @@ linters-settings: - badCall # filepath.Join with 1 arg is acceptable gosec: # NOTE: gosec is disabled in golangci-lint due to configuration bugs in v2. - # The following exclusions are the source of truth and are applied when running - # gosec directly via 'make security-gosec' and in GitHub Actions. - # Update the -exclude flags in Makefile and .github/workflows/security-scan.yml - # when changing these exclusions to maintain consistency. + # These exclusions apply only if gosec is re-enabled in golangci-lint. + # Standalone gosec execution uses Makefile/.github/workflows/security-scan.yml. # - G101: Potential hardcoded credentials (often false positives) # - G115: Integer overflow conversion (acceptable in most cases) # - G204: Subprocess with variable args - all exec.Command calls use separate args diff --git a/Makefile b/Makefile index 54b2bffd273..39295d35f3d 100644 --- a/Makefile +++ b/Makefile @@ -209,12 +209,13 @@ security-scan: security-gosec security-govulncheck security-gosec: @echo "Running gosec security scanner..." @command -v gosec >/dev/null || go install github.com/securego/gosec/v2/cmd/gosec@v2.27.1 - @# Exclusions configured in .golangci.yml (linters-settings.gosec.exclude) - @# Keep this list in sync with .golangci.yml for consistency + @# Keep only globally noisy rules here. + @# G602 (slice bounds check) is excluded globally due persistent false positives. + @# Use inline '#nosec Gxxx -- justification' suppressions for specific findings. @GOPATH=$$(go env GOPATH); \ PATH="$$GOPATH/bin:$$PATH" gosec -fmt=json -out=gosec-report.json -stdout -exclude-generated -track-suppressions \ -nosec-require-rules -nosec-require-justification \ - -exclude=G101,G115,G204,G602,G301,G302,G304,G306 \ + -exclude=G602 \ ./... @echo "✓ Gosec scan complete (results in gosec-report.json)"