Annotate gosec-safe file accesses

2025-11-17 10:12:46 -07:00
parent 7b63b5a30b
commit bf9b2c83fb
14 changed files with 182 additions and 158 deletions
--- a/cmd/bd/hooks.go
+++ b/cmd/bd/hooks.go
@@ -74,6 +74,7 @@ func CheckGitHooks() []HookStatus {

 // getHookVersion extracts the version from a hook file
 func getHookVersion(path string) (string, error) {
+	// #nosec G304 -- hook path constrained to .git/hooks directory
 	file, err := os.Open(path)
 	if err != nil {
 		return "", err
@@ -293,6 +294,7 @@ func installHooks(embeddedHooks map[string]string, force bool) error {
 		}

 		// Write hook file
+		// #nosec G306 -- git hooks must be executable for Git to run them
 		if err := os.WriteFile(hookPath, []byte(hookContent), 0755); err != nil {
 			return fmt.Errorf("failed to write %s: %w", hookName, err)
 		}