Address gosec security warnings (bd-102)

- Enable gosec linter in .golangci.yml - Tighten file permissions: 0755→0750 for directories, 0644→0600 for configs - Git hooks remain 0700 (executable, user-only access) - Add #nosec comments for safe cases with justifications: - G204: Safe subprocess launches (git show, bd daemon) - G304: File inclusions with controlled paths - G201: SQL formatting with controlled column names - G115: Integer conversions with controlled values All gosec warnings resolved (20→0). All tests passing. Amp-Thread-ID: https://ampcode.com/threads/T-d7166b9e-cbbe-4c7b-9e48-3df36b20f0d0 Co-authored-by: Amp <amp@ampcode.com>
2025-10-26 22:48:19 -07:00
parent 4ea347e08a
commit 648ecfafe7
21 changed files with 67 additions and 31 deletions
--- a/cmd/bd/delete.go
+++ b/cmd/bd/delete.go
@@ -310,6 +310,7 @@ func removeIssueFromJSONL(issueID string) error {
 	}

 	// Read all issues except the deleted one
+	// #nosec G304 - controlled path from config
 	f, err := os.Open(path)
 	if err != nil {
 		if os.IsNotExist(err) {
@@ -345,6 +346,7 @@ func removeIssueFromJSONL(issueID string) error {

 	// Write to temp file atomically
 	temp := fmt.Sprintf("%s.tmp.%d", path, os.Getpid())
+	// #nosec G304 - controlled path from config
 	out, err := os.OpenFile(temp, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o600)
 	if err != nil {
 		return fmt.Errorf("failed to create temp file: %w", err)
@@ -602,6 +604,7 @@ func updateTextReferencesInIssues(ctx context.Context, deletedIDs []string, conn

 // readIssueIDsFromFile reads issue IDs from a file (one per line)
 func readIssueIDsFromFile(filename string) ([]string, error) {
+	// #nosec G304 - user-provided file path is intentional
 	f, err := os.Open(filename)
 	if err != nil {
 		return nil, err