[GH#441] [Future] Tech Debt: Harden gosec security scanning (PR #437 follow-up) #20

Open
opened 2026-05-19 22:15:37 +02:00 by Max · 0 comments

Migrated from GitHub #441 (https://github.com/Bio1988/strategy-desktop/issues/441)
Originally created by @Bio1988 on 2026-05-07T06:10:37Z


Problem

The security scanning pipeline introduced in PR #437 currently excludes several gosec rules and filters by severity high only. This was necessary to get CI green on pre-existing code, but these should be addressed and re-enabled.

Current Exclusions

gosec rules excluded via CLI -exclude:

  • G101 (Hardcoded Credentials)
    Reason excluded: False positives on variable names containing "password", "secret" etc.
    Action needed: Audit all G101 findings — distinguish real hardcoded secrets from false positives. Add #nosec G101 annotations for legitimate false positives, fix real ones.
  • G115 (Integer Overflow)
    Reason excluded: Pre-existing integer conversion issues
    Action needed: Audit and fix unsafe integer conversions, or add #nosec annotations with justification
  • G304 (Tainted File Path)
    Reason excluded: File paths from config/CLI args
    Action needed: Validate/sanitize file paths before use
  • G305 (Zip/Archive Path Traversal)
    Reason excluded: Archive extraction code
    Action needed: Add path traversal protection if applicable, or #nosec if unreachable

Severity filter:

  • Currently: -severity high — medium and low findings are silently dropped
  • Target: Report all severities, fix or annotate medium findings
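The fixes the table asks for, as an added example written for this issue (not code from the strategy-desktop project): a path check that covers both G304 (file paths from config/CLI) and G305 (archive entry names) by resolving the name against a base directory and rejecting anything that escapes it, a checked narrowing conversion of the kind G115 wants instead of a bare int32(v), and the annotation form for a G101 false positive. The base directory and entry names are constructed sample values, and the function names are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"math"
	"path/filepath"
	"strings"
)

// ErrOutsideBase is returned when a caller-supplied name resolves outside base.
var ErrOutsideBase = errors.New("path escapes base directory")

// passwordEnvKey holds the NAME of an environment variable, not a secret.
// gosec's G101 matches on the identifier; this is the annotation form for a
// reviewed false positive, with the justification kept next to the code.
const passwordEnvKey = "DB_PASSWORD" // #nosec G101 -- env var name, not a credential

// SafeJoin resolves name relative to base and refuses any result that would
// land outside base (absolute names, ".." segments that climb above it).
// The same check serves G304 (config/CLI file paths) and G305 (zip entries).
func SafeJoin(base, name string) (string, error) {
	cleanBase, err := filepath.Abs(filepath.Clean(base))
	if err != nil {
		return "", err
	}
	if filepath.IsAbs(name) {
		return "", ErrOutsideBase
	}
	target := filepath.Join(cleanBase, name) // Join also cleans ".." segments
	rel, err := filepath.Rel(cleanBase, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrOutsideBase
	}
	return target, nil
}

// CheckArchiveEntries validates every entry name before extraction starts, so
// a single traversal entry aborts the whole archive rather than a partial write.
func CheckArchiveEntries(dest string, names []string) error {
	for _, n := range names {
		if _, err := SafeJoin(dest, n); err != nil {
			return fmt.Errorf("entry %q: %w", n, err)
		}
	}
	return nil
}

// Int64ToInt32 is an explicit, range-checked narrowing. G115 flags a plain
// int32(v) because it silently wraps on overflow.
func Int64ToInt32(v int64) (int32, error) {
	if v < math.MinInt32 || v > math.MaxInt32 {
		return 0, fmt.Errorf("value %d overflows int32", v)
	}
	return int32(v), nil
}

func main() {
	// Constructed sample values: a destination directory and zip entry names.
	entries := []string{"docs/readme.txt", "../../etc/passwd"}
	fmt.Println(CheckArchiveEntries("/srv/data", entries))
	fmt.Println(SafeJoin("/srv/data", "docs/../report.txt"))
	fmt.Println(Int64ToInt32(1 << 40))
	fmt.Println(passwordEnvKey)
}
```

The check compares a cleaned relative path rather than string-prefixing the joined result, so a base of /srv/data does not accidentally admit /srv/data-old. For extraction, run CheckArchiveEntries over the whole listing first and only then open any file.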

Proposed Plan

  1. Remove -severity high filter — let all severities through
  2. Re-enable G101 first (highest priority — real secret leaks)
  3. Run gosec ./... locally, triage all findings
  4. For each finding: fix the code, or add #nosec annotation with documented reason
  5. Re-enable remaining rules one by one (G115, G304, G305)
  6. Update .golangci.yml to also run gosec (currently only in CI script)

References

  • PR #437: Security Scanning pipeline
  • gosec docs: https://securego.io/docs/
Reference
Max/strategy-desktop#20