chore(lint): enable gosec with v2 config

aryeko · sisyphus-dev-ai · aryeko · commit 82f3a967645a · 2026-02-13T04:38:26.000+02:00
Ultraworked with Sisyphus https://github.com/code-yeongyu/oh-my-opencode Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
diff --git a/.golangci.yml b/.golangci.yml
@@ -12,6 +12,7 @@ linters:
     - staticcheck
     - govet
     - unused
+    - gosec
     - bodyclose
     - nilerr
     
@@ -36,6 +37,13 @@ formatters:
       local-prefixes: github.com/go-modkit/modkit
 
 linters-settings:
+  gosec:
+    excludes:
+      - G101
+      - G302
+      - G304
+      - G306
+      - G114
   govet:
     enable:
       - nilness
@@ -66,7 +74,7 @@ issues:
 
   exclude-rules:
     # Relax rules for tests
-    - path: ".*_test\\.go$"
+    - path: '.*_test\.go$'
       linters:
         - errcheck
         - dupl
diff --git a/internal/cli/ast/modify_test.go b/internal/cli/ast/modify_test.go
@@ -38,7 +38,7 @@ func (m *Module) Definition() module.ModuleDef {
 		t.Fatalf("AddProvider failed: %v", err)
 	}
 
-	b, err := os.ReadFile(file)
+	b, err := os.ReadFile(file) //nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -178,7 +178,7 @@ func (m *Module) Definition() module.ModuleDef {
 		t.Fatalf("Duplicate AddProvider should succeed idempotently: %v", err)
 	}
 
-	b, err := os.ReadFile(file)
+	b, err := os.ReadFile(file) //nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -220,7 +220,7 @@ func (m *Module) Definition() module.ModuleDef {
 		t.Fatalf("AddController failed: %v", err)
 	}
 
-	b, err := os.ReadFile(file)
+	b, err := os.ReadFile(file) //nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -266,7 +266,7 @@ func (m *Module) Definition() module.ModuleDef {
 		t.Fatalf("Duplicate AddController should succeed idempotently: %v", err)
 	}
 
-	b, err := os.ReadFile(file)
+	b, err := os.ReadFile(file) //nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -555,10 +555,10 @@ func (m *Module) Definition() module.ModuleDef {
 		t.Fatal(err)
 	}
 
-	if err := os.Chmod(moduleDir, 0o500); err != nil {
+	if err := os.Chmod(moduleDir, 0o500); err != nil { //nolint:gosec
 		t.Fatal(err)
 	}
-	t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) })
+	t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) }) //nolint:gosec
 
 	err := AddProvider(file, "users.auth", "buildAuth")
 	if err == nil {
@@ -601,10 +601,10 @@ func (m *Module) Definition() module.ModuleDef {
 		t.Fatal(err)
 	}
 
-	if err := os.Chmod(moduleDir, 0o500); err != nil {
+	if err := os.Chmod(moduleDir, 0o500); err != nil { //nolint:gosec
 		t.Fatal(err)
 	}
-	t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) })
+	t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) }) //nolint:gosec
 
 	err := AddController(file, "UsersController", "NewUsersController")
 	if err == nil {
diff --git a/internal/cli/cmd/new_app_test.go b/internal/cli/cmd/new_app_test.go
@@ -61,7 +61,7 @@ func TestCreateNewApp(t *testing.T) {
 		shim = filepath.Join(binDir, "go.bat")
 		content = "@echo off\r\nexit /b 0\r\n"
 	}
-	if err := os.WriteFile(shim, []byte(content), 0o755); err != nil {
+	if err := os.WriteFile(shim, []byte(content), 0o755); err != nil { //nolint:gosec
 		t.Fatal(err)
 	}
 
@@ -79,7 +79,7 @@ func TestCreateNewApp(t *testing.T) {
 		t.Fatalf("expected go.mod, got %v", err)
 	}
 
-	modBytes, err := os.ReadFile(filepath.Join(tmp, "demo", "go.mod"))
+	modBytes, err := os.ReadFile(filepath.Join(tmp, "demo", "go.mod")) //nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -194,7 +194,7 @@ func TestCreateNewAppExistingEmptyDirectory(t *testing.T) {
 		shim = filepath.Join(binDir, "go.bat")
 		content = "@echo off\r\nexit /b 0\r\n"
 	}
-	if err := os.WriteFile(shim, []byte(content), 0o755); err != nil {
+	if err := os.WriteFile(shim, []byte(content), 0o755); err != nil { //nolint:gosec
 		t.Fatal(err)
 	}
 	oldPath := os.Getenv("PATH")
@@ -262,7 +262,7 @@ func TestCreateNewAppRunE(t *testing.T) {
 		shim = filepath.Join(binDir, "go.bat")
 		content = "@echo off\r\nexit /b 0\r\n"
 	}
-	if err := os.WriteFile(shim, []byte(content), 0o755); err != nil {
+	if err := os.WriteFile(shim, []byte(content), 0o755); err != nil { //nolint:gosec
 		t.Fatal(err)
 	}
 	oldPath := os.Getenv("PATH")
diff --git a/internal/cli/cmd/new_controller_test.go b/internal/cli/cmd/new_controller_test.go
@@ -43,7 +43,7 @@ func (m *UserServiceModule) Definition() module.ModuleDef {
 		t.Fatalf("createNewController failed: %v", err)
 	}
 
-	b, err := os.ReadFile(filepath.Join(moduleDir, "auth_controller.go"))
+	b, err := os.ReadFile(filepath.Join(moduleDir, "auth_controller.go")) //nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -252,10 +252,10 @@ func TestCreateNewControllerCreateFileFailure(t *testing.T) {
 	if err := os.WriteFile(filepath.Join(moduleDir, "module.go"), []byte("package users\n"), 0o600); err != nil {
 		t.Fatal(err)
 	}
-	if err := os.Chmod(moduleDir, 0o500); err != nil {
+	if err := os.Chmod(moduleDir, 0o500); err != nil { //nolint:gosec
 		t.Fatal(err)
 	}
-	t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) })
+	t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) }) //nolint:gosec
 
 	if err := createNewController("auth", "users"); err == nil {
 		t.Fatal("expected error when controller file cannot be created")
diff --git a/internal/cli/cmd/new_module_test.go b/internal/cli/cmd/new_module_test.go
@@ -22,7 +22,7 @@ func TestCreateNewModule(t *testing.T) {
 		t.Fatalf("createNewModule failed: %v", err)
 	}
 
-	b, err := os.ReadFile(filepath.Join(tmp, "internal", "modules", "user-service", "module.go"))
+	b, err := os.ReadFile(filepath.Join(tmp, "internal", "modules", "user-service", "module.go")) //nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}
diff --git a/internal/cli/cmd/new_provider_test.go b/internal/cli/cmd/new_provider_test.go
@@ -84,7 +84,7 @@ func (m *UserServiceModule) Definition() module.ModuleDef {
 		t.Fatalf("createNewProvider failed: %v", err)
 	}
 
-	b, err := os.ReadFile(filepath.Join(moduleDir, "auth.go"))
+	b, err := os.ReadFile(filepath.Join(moduleDir, "auth.go")) //nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -312,7 +312,7 @@ func (m *UsersModule) Definition() module.ModuleDef {
 		t.Fatalf("createNewProvider failed: %v", err)
 	}
 
-	b, err := os.ReadFile(modulePath)
+	b, err := os.ReadFile(modulePath) //nolint:gosec
 	if err != nil {
 		t.Fatal(err)
 	}
@@ -340,10 +340,10 @@ func TestCreateNewProviderCreateFileFailure(t *testing.T) {
 	if err := os.WriteFile(filepath.Join(moduleDir, "module.go"), []byte("package users\n"), 0o600); err != nil {
 		t.Fatal(err)
 	}
-	if err := os.Chmod(moduleDir, 0o500); err != nil {
+	if err := os.Chmod(moduleDir, 0o500); err != nil { //nolint:gosec
 		t.Fatal(err)
 	}
-	t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) })
+	t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) }) //nolint:gosec
 
 	if err := createNewProvider("auth", "users"); err == nil {
 		t.Fatal("expected error when provider file cannot be created")
diff --git a/modkit/config/module_test.go b/modkit/config/module_test.go
@@ -42,7 +42,7 @@ func mod(
 }
 
 func TestWithTyped_DefaultAndParse(t *testing.T) {
-	const token module.Token = "config.jwt_ttl"
+	const token module.Token = "config.jwt_ttl" //nolint:gosec
 	def := 1 * time.Hour
 
 	cfgModule := config.NewModule(
@@ -76,7 +76,7 @@ func TestWithTyped_DefaultAndParse(t *testing.T) {
 }
 
 func TestWithTyped_UsesDefaultWhenUnset(t *testing.T) {
-	const token module.Token = "config.http_addr"
+	const token module.Token = "config.http_addr" //nolint:gosec
 	def := ":8080"
 
 	cfgModule := config.NewModule(
@@ -105,7 +105,7 @@ func TestWithTyped_UsesDefaultWhenUnset(t *testing.T) {
 }
 
 func TestWithTyped_OptionalUnsetReturnsZeroWithoutParsing(t *testing.T) {
-	const token module.Token = "config.optional_int"
+	const token module.Token = "config.optional_int" //nolint:gosec
 	called := false
 
 	cfgModule := config.NewModule(
@@ -145,7 +145,7 @@ func TestWithTyped_OptionalUnsetReturnsZeroWithoutParsing(t *testing.T) {
 }
 
 func TestWithTyped_MissingRequired(t *testing.T) {
-	const token module.Token = "config.jwt_secret"
+	const token module.Token = "config.jwt_secret" //nolint:gosec
 
 	cfgModule := config.NewModule(
 		config.WithSource(mapSource{}),
@@ -187,7 +187,7 @@ func TestWithTyped_MissingRequired(t *testing.T) {
 }
 
 func TestWithTyped_ParseError(t *testing.T) {
-	const token module.Token = "config.rate_limit_burst"
+	const token module.Token = "config.rate_limit_burst" //nolint:gosec
 
 	cfgModule := config.NewModule(
 		config.WithSource(mapSource{"RATE_LIMIT_BURST": "NaN"}),
@@ -223,7 +223,7 @@ func TestWithTyped_ParseError(t *testing.T) {
 
 func TestWithTyped_InvalidSpec(t *testing.T) {
 	t.Run("empty key", func(t *testing.T) {
-		const token module.Token = "config.foo"
+		const token module.Token = "config.foo" //nolint:gosec
 		cfgModule := config.NewModule(
 			config.WithSource(mapSource{"X": "1"}),
 			config.WithTyped(token, config.ValueSpec[int]{
@@ -276,7 +276,7 @@ func TestWithTyped_InvalidSpec(t *testing.T) {
 }
 
 func TestWithTyped_SensitiveErrorDoesNotLeakValue(t *testing.T) {
-	const token module.Token = "config.jwt_secret"
+	const token module.Token = "config.jwt_secret" //nolint:gosec
 
 	cfgModule := config.NewModule(
 		config.WithSource(mapSource{"JWT_SECRET": "super-secret-value"}),
@@ -305,7 +305,7 @@ func TestWithTyped_SensitiveErrorDoesNotLeakValue(t *testing.T) {
 }
 
 func TestWithSourceNil(t *testing.T) {
-	const token module.Token = "config.foo"
+	const token module.Token = "config.foo" //nolint:gosec
 
 	cfgModule := config.NewModule(
 		config.WithSource(nil),
@@ -334,7 +334,7 @@ func TestWithSourceNil(t *testing.T) {
 }
 
 func TestNoReflectionMagic_CustomParser(t *testing.T) {
-	const token module.Token = "config.custom"
+	const token module.Token = "config.custom" //nolint:gosec
 
 	parseCustom := func(raw string) (string, error) {
 		if raw != "expected" {
diff --git a/modkit/http/server_test.go b/modkit/http/server_test.go
@@ -33,7 +33,7 @@ func TestServe_ReturnsErrorWhenServerFailsToStart(t *testing.T) {
 	}
 
 	router := NewRouter()
-	err := Serve("127.0.0.1:12345", router)
+	err := Serve("127.0.0.1:12345", router) //nolint:gosec
 
 	if gotAddr != "127.0.0.1:12345" {
 		t.Fatalf("expected addr %q, got %q", "127.0.0.1:12345", gotAddr)
@@ -77,7 +77,7 @@ func TestServe_HandlesSignals_ReturnsNil(t *testing.T) {
 
 			errCh := make(chan error, 1)
 			go func() {
-				errCh <- Serve("127.0.0.1:12345", NewRouter())
+				errCh <- Serve("127.0.0.1:12345", NewRouter()) //nolint:gosec
 			}()
 
 			<-serveStarted
@@ -135,7 +135,7 @@ func TestServe_ShutdownWaitsForInFlightRequest(t *testing.T) {
 
 	serveErrCh := make(chan error, 1)
 	go func() {
-		serveErrCh <- Serve(addr, handler)
+		serveErrCh <- Serve(addr, handler) //nolint:gosec
 	}()
 
 	clientErrCh := make(chan error, 1)

Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ func (m *Module) Definition() module.ModuleDef {`
`38`	`38`	`t.Fatalf("AddProvider failed: %v", err)`
`39`	`39`	`}`
`40`	`40`
`41`		`- b, err := os.ReadFile(file)`
	`41`	`+ b, err := os.ReadFile(file) //nolint:gosec`
`42`	`42`	`if err != nil {`
`43`	`43`	`t.Fatal(err)`
`44`	`44`	`}`
`@@ -178,7 +178,7 @@ func (m *Module) Definition() module.ModuleDef {`
`178`	`178`	`t.Fatalf("Duplicate AddProvider should succeed idempotently: %v", err)`
`179`	`179`	`}`
`180`	`180`
`181`		`- b, err := os.ReadFile(file)`
	`181`	`+ b, err := os.ReadFile(file) //nolint:gosec`
`182`	`182`	`if err != nil {`
`183`	`183`	`t.Fatal(err)`
`184`	`184`	`}`
`@@ -220,7 +220,7 @@ func (m *Module) Definition() module.ModuleDef {`
`220`	`220`	`t.Fatalf("AddController failed: %v", err)`
`221`	`221`	`}`
`222`	`222`
`223`		`- b, err := os.ReadFile(file)`
	`223`	`+ b, err := os.ReadFile(file) //nolint:gosec`
`224`	`224`	`if err != nil {`
`225`	`225`	`t.Fatal(err)`
`226`	`226`	`}`
`@@ -266,7 +266,7 @@ func (m *Module) Definition() module.ModuleDef {`
`266`	`266`	`t.Fatalf("Duplicate AddController should succeed idempotently: %v", err)`
`267`	`267`	`}`
`268`	`268`
`269`		`- b, err := os.ReadFile(file)`
	`269`	`+ b, err := os.ReadFile(file) //nolint:gosec`
`270`	`270`	`if err != nil {`
`271`	`271`	`t.Fatal(err)`
`272`	`272`	`}`
`@@ -555,10 +555,10 @@ func (m *Module) Definition() module.ModuleDef {`
`555`	`555`	`t.Fatal(err)`
`556`	`556`	`}`
`557`	`557`
`558`		`- if err := os.Chmod(moduleDir, 0o500); err != nil {`
	`558`	`+ if err := os.Chmod(moduleDir, 0o500); err != nil { //nolint:gosec`
`559`	`559`	`t.Fatal(err)`
`560`	`560`	`}`
`561`		`- t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) })`
	`561`	`+ t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) }) //nolint:gosec`
`562`	`562`
`563`	`563`	`err := AddProvider(file, "users.auth", "buildAuth")`
`564`	`564`	`if err == nil {`
`@@ -601,10 +601,10 @@ func (m *Module) Definition() module.ModuleDef {`
`601`	`601`	`t.Fatal(err)`
`602`	`602`	`}`
`603`	`603`
`604`		`- if err := os.Chmod(moduleDir, 0o500); err != nil {`
	`604`	`+ if err := os.Chmod(moduleDir, 0o500); err != nil { //nolint:gosec`
`605`	`605`	`t.Fatal(err)`
`606`	`606`	`}`
`607`		`- t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) })`
	`607`	`+ t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) }) //nolint:gosec`
`608`	`608`
`609`	`609`	`err := AddController(file, "UsersController", "NewUsersController")`
`610`	`610`	`if err == nil {`
Original file line number	Diff line number	Diff line change
`@@ -61,7 +61,7 @@ func TestCreateNewApp(t *testing.T) {`
`61`	`61`	`shim = filepath.Join(binDir, "go.bat")`
`62`	`62`	`content = "@echo off\r\nexit /b 0\r\n"`
`63`	`63`	`}`
`64`		`- if err := os.WriteFile(shim, []byte(content), 0o755); err != nil {`
	`64`	`+ if err := os.WriteFile(shim, []byte(content), 0o755); err != nil { //nolint:gosec`
`65`	`65`	`t.Fatal(err)`
`66`	`66`	`}`
`67`	`67`
`@@ -79,7 +79,7 @@ func TestCreateNewApp(t *testing.T) {`
`79`	`79`	`t.Fatalf("expected go.mod, got %v", err)`
`80`	`80`	`}`
`81`	`81`
`82`		`- modBytes, err := os.ReadFile(filepath.Join(tmp, "demo", "go.mod"))`
	`82`	`+ modBytes, err := os.ReadFile(filepath.Join(tmp, "demo", "go.mod")) //nolint:gosec`
`83`	`83`	`if err != nil {`
`84`	`84`	`t.Fatal(err)`
`85`	`85`	`}`
`@@ -194,7 +194,7 @@ func TestCreateNewAppExistingEmptyDirectory(t *testing.T) {`
`194`	`194`	`shim = filepath.Join(binDir, "go.bat")`
`195`	`195`	`content = "@echo off\r\nexit /b 0\r\n"`
`196`	`196`	`}`
`197`		`- if err := os.WriteFile(shim, []byte(content), 0o755); err != nil {`
	`197`	`+ if err := os.WriteFile(shim, []byte(content), 0o755); err != nil { //nolint:gosec`
`198`	`198`	`t.Fatal(err)`
`199`	`199`	`}`
`200`	`200`	`oldPath := os.Getenv("PATH")`
`@@ -262,7 +262,7 @@ func TestCreateNewAppRunE(t *testing.T) {`
`262`	`262`	`shim = filepath.Join(binDir, "go.bat")`
`263`	`263`	`content = "@echo off\r\nexit /b 0\r\n"`
`264`	`264`	`}`
`265`		`- if err := os.WriteFile(shim, []byte(content), 0o755); err != nil {`
	`265`	`+ if err := os.WriteFile(shim, []byte(content), 0o755); err != nil { //nolint:gosec`
`266`	`266`	`t.Fatal(err)`
`267`	`267`	`}`
`268`	`268`	`oldPath := os.Getenv("PATH")`
Original file line number	Diff line number	Diff line change
`@@ -43,7 +43,7 @@ func (m *UserServiceModule) Definition() module.ModuleDef {`
`43`	`43`	`t.Fatalf("createNewController failed: %v", err)`
`44`	`44`	`}`
`45`	`45`
`46`		`- b, err := os.ReadFile(filepath.Join(moduleDir, "auth_controller.go"))`
	`46`	`+ b, err := os.ReadFile(filepath.Join(moduleDir, "auth_controller.go")) //nolint:gosec`
`47`	`47`	`if err != nil {`
`48`	`48`	`t.Fatal(err)`
`49`	`49`	`}`
`@@ -252,10 +252,10 @@ func TestCreateNewControllerCreateFileFailure(t *testing.T) {`
`252`	`252`	`if err := os.WriteFile(filepath.Join(moduleDir, "module.go"), []byte("package users\n"), 0o600); err != nil {`
`253`	`253`	`t.Fatal(err)`
`254`	`254`	`}`
`255`		`- if err := os.Chmod(moduleDir, 0o500); err != nil {`
	`255`	`+ if err := os.Chmod(moduleDir, 0o500); err != nil { //nolint:gosec`
`256`	`256`	`t.Fatal(err)`
`257`	`257`	`}`
`258`		`- t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) })`
	`258`	`+ t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) }) //nolint:gosec`
`259`	`259`
`260`	`260`	`if err := createNewController("auth", "users"); err == nil {`
`261`	`261`	`t.Fatal("expected error when controller file cannot be created")`
Original file line number	Diff line number	Diff line change
`@@ -22,7 +22,7 @@ func TestCreateNewModule(t *testing.T) {`
`22`	`22`	`t.Fatalf("createNewModule failed: %v", err)`
`23`	`23`	`}`
`24`	`24`
`25`		`- b, err := os.ReadFile(filepath.Join(tmp, "internal", "modules", "user-service", "module.go"))`
	`25`	`+ b, err := os.ReadFile(filepath.Join(tmp, "internal", "modules", "user-service", "module.go")) //nolint:gosec`
`26`	`26`	`if err != nil {`
`27`	`27`	`t.Fatal(err)`
`28`	`28`	`}`
Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ func (m *UserServiceModule) Definition() module.ModuleDef {`
`84`	`84`	`t.Fatalf("createNewProvider failed: %v", err)`
`85`	`85`	`}`
`86`	`86`
`87`		`- b, err := os.ReadFile(filepath.Join(moduleDir, "auth.go"))`
	`87`	`+ b, err := os.ReadFile(filepath.Join(moduleDir, "auth.go")) //nolint:gosec`
`88`	`88`	`if err != nil {`
`89`	`89`	`t.Fatal(err)`
`90`	`90`	`}`
`@@ -312,7 +312,7 @@ func (m *UsersModule) Definition() module.ModuleDef {`
`312`	`312`	`t.Fatalf("createNewProvider failed: %v", err)`
`313`	`313`	`}`
`314`	`314`
`315`		`- b, err := os.ReadFile(modulePath)`
	`315`	`+ b, err := os.ReadFile(modulePath) //nolint:gosec`
`316`	`316`	`if err != nil {`
`317`	`317`	`t.Fatal(err)`
`318`	`318`	`}`
`@@ -340,10 +340,10 @@ func TestCreateNewProviderCreateFileFailure(t *testing.T) {`
`340`	`340`	`if err := os.WriteFile(filepath.Join(moduleDir, "module.go"), []byte("package users\n"), 0o600); err != nil {`
`341`	`341`	`t.Fatal(err)`
`342`	`342`	`}`
`343`		`- if err := os.Chmod(moduleDir, 0o500); err != nil {`
	`343`	`+ if err := os.Chmod(moduleDir, 0o500); err != nil { //nolint:gosec`
`344`	`344`	`t.Fatal(err)`
`345`	`345`	`}`
`346`		`- t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) })`
	`346`	`+ t.Cleanup(func() { _ = os.Chmod(moduleDir, 0o750) }) //nolint:gosec`
`347`	`347`
`348`	`348`	`if err := createNewProvider("auth", "users"); err == nil {`
`349`	`349`	`t.Fatal("expected error when provider file cannot be created")`