johno/beads
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Address gosec security warnings (bd-102)

Browse Source 
- Enable gosec linter in .golangci.yml
- Tighten file permissions: 0755→0750 for directories, 0644→0600 for configs
- Git hooks remain 0700 (executable, user-only access)
- Add #nosec comments for safe cases with justifications:
  - G204: Safe subprocess launches (git show, bd daemon)
  - G304: File inclusions with controlled paths
  - G201: SQL formatting with controlled column names
  - G115: Integer conversions with controlled values

All gosec warnings resolved (20→0). All tests passing.

Amp-Thread-ID: https://ampcode.com/threads/T-d7166b9e-cbbe-4c7b-9e48-3df36b20f0d0
Co-authored-by: Amp <amp@ampcode.com>
This commit is contained in:
Steve Yegge
2025-10-26 22:48:19 -07:00
parent 4ea347e08a
commit 648ecfafe7
21 changed files with 67 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
internal/types/lock_check.go
View File

@@ -20,7 +20,7 @@ func ShouldSkipDatabase(beadsDir string) (skip bool, holder string, err error) {
lockPath := filepath.Join(beadsDir, ".exclusive-lock")
// Check if lock file exists
data, err := os.ReadFile(lockPath)
data, err := os.ReadFile(lockPath) // #nosec G304 - controlled path from config
if err != nil {
if os.IsNotExist(err) {
// No lock file, proceed with database