johno/beads
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Address gosec security warnings (bd-102)

Browse Source 
- Enable gosec linter in .golangci.yml
- Tighten file permissions: 0755→0750 for directories, 0644→0600 for configs
- Git hooks remain 0700 (executable, user-only access)
- Add #nosec comments for safe cases with justifications:
  - G204: Safe subprocess launches (git show, bd daemon)
  - G304: File inclusions with controlled paths
  - G201: SQL formatting with controlled column names
  - G115: Integer conversions with controlled values

All gosec warnings resolved (20→0). All tests passing.

Amp-Thread-ID: https://ampcode.com/threads/T-d7166b9e-cbbe-4c7b-9e48-3df36b20f0d0
Co-authored-by: Amp <amp@ampcode.com>
This commit is contained in:
Steve Yegge
2025-10-26 22:48:19 -07:00
parent 4ea347e08a
commit 648ecfafe7
21 changed files with 67 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
.golangci.yml
View File

@@ -8,10 +8,10 @@ linters:
disable:
- dupl
- goconst
- gosec
- revive
enable:
- errcheck
- gosec
# - gocyclo # Disabled: high complexity acceptable for large functions (see LINTING.md)
- misspell
- unconvert
@@ -52,19 +52,25 @@ issues:
exclude:
- "var-naming: avoid meaningless package names"
- "exported.*SQLiteStorage.*stutters"
- "G201: SQL string formatting" # Safe: SQL is constructed from constants
- "G204: Subprocess launched" # Safe: git/bd commands from trusted sources
- "G115: integer overflow conversion" # Safe: controlled conversions
exclude-rules:
# G304: File inclusion via variable in tests is safe (test data)
- path: _test\.go
linters:
- gosec
text: "G304.*file inclusion via variable"
# G302/G306: Directory permissions 0700/0750 are acceptable
# G302/G306: Directory/file permissions 0700/0750 are acceptable
- linters:
- gosec
text: "G302.*0700|G301.*0750"
# G306: Git hooks must be executable (0700)
- path: cmd/bd/init\.go
linters:
- gosec
text: "G306.*0700"
# G204: Safe subprocess launches (git show, bd daemon)
- linters:
- gosec
text: 'G204.*git.*show|G204.*daemon'
# errcheck: Ignore unchecked errors in test files for common cleanup patterns
- path: _test\.go
linters: