Address gosec security warnings (bd-102)

- Enable gosec linter in .golangci.yml
- Tighten file permissions: 0755→0750 for directories, 0644→0600 for configs
- Git hooks remain 0700 (executable, user-only access)
- Add #nosec comments for safe cases with justifications:
  - G204: Safe subprocess launches (git show, bd daemon)
  - G304: File inclusions with controlled paths
  - G201: SQL formatting with controlled column names
  - G115: Integer conversions with controlled values

All gosec warnings resolved (20→0). All tests passing.

Amp-Thread-ID: https://ampcode.com/threads/T-d7166b9e-cbbe-4c7b-9e48-3df36b20f0d0
Co-authored-by: Amp <amp@ampcode.com>
Steve Yegge
2025-10-26 22:48:19 -07:00
parent 4ea347e08a
commit 648ecfafe7
21 changed files with 67 additions and 31 deletions


@@ -257,6 +257,7 @@ Supports tail mode (last N lines) and follow mode (like tail -f).`,
if jsonOutput {
// JSON mode: read entire file
// #nosec G304 - controlled path from daemon discovery
content, err := os.ReadFile(logPath)
if err != nil {
outputJSON(map[string]string{"error": err.Error()})
@@ -283,6 +284,7 @@ Supports tail mode (last N lines) and follow mode (like tail -f).`,
}
func tailLines(filePath string, n int) error {
// #nosec G304 - controlled path from daemon discovery
file, err := os.Open(filePath)
if err != nil {
return err
@@ -312,6 +314,7 @@ func tailLines(filePath string, n int) error {
}
func tailFollow(filePath string) {
// #nosec G304 - controlled path from daemon discovery
file, err := os.Open(filePath)
if err != nil {
fmt.Fprintf(os.Stderr, "Error opening log file: %v\n", err)
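Review bot: The `#nosec G304` suppressions in `tailLines` and `tailFollow` rest on a caller-side guarantee ("controlled path from daemon discovery") that the functions neither check nor document, so a later caller passing a user-influenced `filePath` would inherit the exemption without gosec flagging it. The origin of `logPath` in the first hunk is not visible here, so it is worth confirming that daemon discovery cannot return a path derived from data another local user can write. I would state the contract on each function, e.g. `// tailLines reads filePath, which must come from daemon discovery and never from user input.` Consider also using gosec's documented justification separator, `// #nosec G304 -- path comes from daemon discovery`, so the reason is recorded when suppressions are tracked. Both function bodies continue outside the hunks.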