Conversation

Copilot AI commented Jan 28, 2026

Gosec exclusions were duplicated across Makefile and GitHub Actions without clear ownership, making updates error-prone.

Changes

  • .golangci.yml - Established as authoritative source for exclusions list
  • Makefile - Added inline comments referencing .golangci.yml
  • .github/workflows/security-scan.yml - Added missing exclusions (G101, G115, G602, G301, G302, G304, G306) with reference comments
  • specs/gosec.md - Documented the source of truth relationship

Implementation Notes

Gosec cannot parse .golangci.yml directly, so exclusions use command-line -exclude flags in both Makefile and GitHub Actions. Comments in all locations now explicitly reference .golangci.yml to ensure consistency during updates.

```yaml
# .golangci.yml
linters-settings:
  gosec:
    # Source of truth for exclusions applied in Makefile and GitHub Actions.
    # golangci-lint's key for this list is "excludes" (plural).
    excludes:
      - G101  # Hardcoded credentials (false positives)
      - G115  # Integer overflow (validated inputs)
      - G602  # Slice bounds (runtime checked)
      - G301  # Directory permissions 0755
      - G302  # File permissions 0755
      - G304  # File inclusion (validated paths)
      - G306  # WriteFile permissions 0644
```

```yaml
# .github/workflows/security-scan.yml
- name: Run Gosec
  run: |
    # Exclusions configured in .golangci.yml (linters-settings.gosec.excludes)
    gosec -exclude=G101,G115,G602,G301,G302,G304,G306 ./...
```
Original prompt

This section details the original issue you should resolve

<issue_title>[plan] Centralize gosec configuration to .golangci.yml</issue_title>
<issue_description>## Objective

Move hardcoded gosec exclusions from Makefile and GitHub Actions to .golangci.yml for a single source of truth.

Context

From discussion #12003: Currently gosec exclusions are duplicated in multiple files (Makefile line 158, GitHub Actions workflow). This should be centralized in .golangci.yml for better maintainability.

Approach

  1. Extract current gosec exclusions from Makefile and workflow files
  2. Add gosec configuration section to .golangci.yml:
   ```yaml
   linters-settings:
     gosec:
       excludes:
         - G101  # Hardcoded credentials (false positives)
         - G115  # Integer overflow (validated inputs)
         - G602  # Slice bounds (Go runtime checks)
       config:
         G204: "0644"
         G306: "0644"
   ```
  3. Update Makefile to reference .golangci.yml config
  4. Update GitHub Actions to use centralized config
  5. Update specs/gosec.md to reference the new location

Files to Modify

  • Create/Update: .golangci.yml
  • Update: Makefile (remove hardcoded flags)
  • Update: .github/workflows/security.yml
  • Update: specs/gosec.md

Acceptance Criteria

  • All gosec exclusions moved to .golangci.yml
  • Makefile references centralized config
  • GitHub Actions uses centralized config
  • Documentation updated
  • Security scans still pass with same exclusions

Priority

MEDIUM - Best practice alignment

Estimated Effort

1 hour

AI generated by Plan Command for discussion #12003

Comments on the Issue (you are @copilot in this section)



Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Centralize gosec configuration to .golangci.yml" to "Centralize gosec exclusions in .golangci.yml as source of truth" Jan 28, 2026
Copilot AI requested a review from pelikhan January 28, 2026 08:28
@pelikhan pelikhan marked this pull request as ready for review January 28, 2026 13:50
@pelikhan pelikhan merged commit 4850aed into main Jan 28, 2026
@pelikhan pelikhan deleted the copilot/centralize-gosec-configuration branch January 28, 2026 13:51
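The merged change keeps three copies of the exclusion list consistent by comment alone, since gosec never reads .golangci.yml. The script below is an added example, not code from the PR or the repository: it extracts the rule IDs listed under the gosec excludes key in a golangci config (accepting both the `exclude:` spelling used in the PR and golangci-lint's documented `excludes:` key) and the IDs in each `-exclude=` flag, and fails when any flag drifts from the config. The file names, the sample file contents and the functions `golangci_gosec_excludes`, `cli_gosec_excludes`, `gosec_excludes_in_sync` and `write_samples` are all constructed for this demonstration.

```shell
#!/bin/sh
# Added example (not from the PR or the repository): verify that every
# "gosec -exclude=..." flag in the Makefile and workflow lists exactly the
# rule IDs recorded under gosec excludes in .golangci.yml. gosec itself
# never reads .golangci.yml, so without a check like this the copies drift.

# Print the rule IDs listed under gosec -> excludes (golangci-lint's key;
# the singular "exclude:" is accepted too) in a golangci config, sorted.
# A small awk state machine tracks indentation instead of parsing YAML, so
# block-style lists work with both the v1 "linters-settings:" and the
# v2 "linters: settings:" layouts. Flow-style lists ([G101, G115]) are not handled.
golangci_gosec_excludes() {
  awk '
    /^[ \t]*gosec:[ \t]*$/ {                        # enter the gosec map
      ingosec = 1; match($0, /^[ \t]*/); gindent = RLENGTH; next
    }
    ingosec && /^[ \t]*excludes?:[ \t]*$/ {         # enter its excludes list
      inlist = 1; match($0, /^[ \t]*/); lindent = RLENGTH; next
    }
    ingosec {
      if ($0 ~ /^[ \t]*(#.*)?$/) next               # blank or comment-only line
      match($0, /^[ \t]*/)
      if (RLENGTH <= gindent) { ingosec = 0; inlist = 0; next }  # left the gosec map
      if (inlist && RLENGTH <= lindent) inlist = 0  # left the list (e.g. at "config:")
      if (inlist && match($0, /G[0-9]+/)) print substr($0, RSTART, RLENGTH)
    }
  ' "$1" | sort -u
}

# Print the rule IDs passed to gosec via "-exclude=..." (or "-exclude ...")
# in a Makefile or workflow file, sorted. Comments that merely mention
# .golangci.yml or "excludes" are ignored because they lack the leading "-".
cli_gosec_excludes() {
  grep -ohE -- '-exclude[= ][A-Za-z0-9,]+' "$1" \
    | sed -E 's/^-exclude[= ]//' | tr ',' '\n' | grep -E '^G[0-9]+$' | sort -u
}

# Return 0 when every file's -exclude list equals the .golangci.yml list,
# 1 otherwise, reporting each drifted file on stderr.
gosec_excludes_in_sync() {
  config=$1; shift
  want=$(golangci_gosec_excludes "$config")
  rc=0
  for f in "$@"; do
    got=$(cli_gosec_excludes "$f")
    if [ "$want" != "$got" ]; then
      echo "gosec exclusions in $f drifted from $config" >&2
      echo "  $config: $(echo "$want" | tr '\n' ' ')" >&2
      echo "  $f: $(echo "$got" | tr '\n' ' ')" >&2
      rc=1
    fi
  done
  return $rc
}

# Constructed sample files for the demonstration: the Makefile matches the
# config, the workflow is missing G306 (the kind of gap the PR above closed).
write_samples() {
  dir=$1
  cat > "$dir/.golangci.yml" <<'EOF'
linters-settings:
  gosec:
    # Source of truth for exclusions applied in Makefile and GitHub Actions
    excludes:
      - G101  # Hardcoded credentials (false positives)
      - G115  # Integer overflow (validated inputs)
      - G602  # Slice bounds (runtime checked)
      - G301  # Directory permissions 0755
      - G302  # File permissions 0755
      - G304  # File inclusion (validated paths)
      - G306  # WriteFile permissions 0644
    config:
      G306: "0644"
EOF
  printf 'security-scan:\n\t# Exclusions mirror .golangci.yml (linters-settings.gosec.excludes)\n\tgosec -exclude=G101,G115,G602,G301,G302,G304,G306 ./...\n' > "$dir/Makefile"
  cat > "$dir/security-scan.yml" <<'EOF'
- name: Run Gosec
  run: |
    # Exclusions mirror .golangci.yml, but G306 was never added here
    gosec -exclude=G101,G115,G602,G301,G302,G304 ./...
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
if gosec_excludes_in_sync "$tmp/.golangci.yml" "$tmp/Makefile" "$tmp/security-scan.yml"; then
  echo "all -exclude flags match .golangci.yml"
else
  echo "update the drifted -exclude flags to match .golangci.yml"
fi
rm -rf "$tmp"
```

In a real repository the sample-writing step goes away and `gosec_excludes_in_sync .golangci.yml Makefile .github/workflows/security-scan.yml` runs as a Makefile target the scan target depends on, or as a workflow step before "Run Gosec", so a change that edits only one copy of the list fails before the scan rather than silently widening or narrowing it.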
Successfully merging this pull request may close these issues.

[plan] Centralize gosec configuration to .golangci.yml

2 participants