fix: add nosec G124 suppressions for client-side HTTP cookies (#617)

Copilot · frjcomp · web-flow · commit be728c955d18 · 2026-05-05T13:02:13.000+02:00
Agent-Logs-Url: https://github.com/CompassSecurity/pipeleek/sessions/895c3a0b-fd40-40d0-a9b4-178261cb42e6 Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: frjcomp <107982661+frjcomp@users.noreply.github.com>
diff --git a/pkg/bitbucket/scan/api.go b/pkg/bitbucket/scan/api.go
@@ -43,6 +43,7 @@ func NewClient(username string, password string, bitBucketCookie string, baseURL
 		jar, _ := cookiejar.New(nil)
 		// set cookie on the internal host root so requests to internal endpoints include it
 		targetURL := &url.URL{Scheme: parsedBase.Scheme, Host: internalHost, Path: "/"}
+		// #nosec G124 - Cookie attributes (Secure/HttpOnly/SameSite) are server-side browser directives; not applicable for client HTTP requests
 		jar.SetCookies(targetURL, []*http.Cookie{
 			{
 				Name:  "cloud.session.token",
diff --git a/pkg/gitea/scan/scanner.go b/pkg/gitea/scan/scanner.go
@@ -272,7 +272,7 @@ func InitializeOptions(token, giteaURL, repository, organization, cookie, maxArt
 
 	var httpClient *retryablehttp.Client
 	if cookie != "" {
-		//nolint:gosec
+		// #nosec G124 - Cookie attributes (Secure/HttpOnly/SameSite) are server-side browser directives; not applicable for client HTTP requests
 		httpClient = httpclient.GetPipeleekHTTPClient(
 			giteaURL,
 			[]*http.Cookie{
diff --git a/pkg/gitlab/scan/queue.go b/pkg/gitlab/scan/queue.go
@@ -296,7 +296,7 @@ func DownloadEnvArtifact(cookieVal string, gitlabUrl string, prjectPath string,
 	reqUrl.RawQuery = q.Encode()
 	dotenvUrl = reqUrl.String()
 
-	//nolint:gosec
+	// #nosec G124 - Cookie attributes (Secure/HttpOnly/SameSite) are server-side browser directives; not applicable for client HTTP requests
 	client := httpclient.GetPipeleekHTTPClient(gitlabUrl, []*http.Cookie{{Name: "_gitlab_session", Value: cookieVal}}, nil)
 	resp, err := client.Get(dotenvUrl)
 	if err != nil {
diff --git a/pkg/gitlab/util/util.go b/pkg/gitlab/util/util.go
@@ -104,7 +104,7 @@ func GetGitlabClient(token string, url string) (*gitlab.Client, error) {
 func CookieSessionValid(gitlabUrl string, cookieVal string) {
 	gitlabSessionsUrl, _ := url.JoinPath(gitlabUrl, "-/user_settings/active_sessions")
 
-	//nolint:gosec
+	// #nosec G124 - Cookie attributes (Secure/HttpOnly/SameSite) are server-side browser directives; not applicable for client HTTP requests
 	client := httpclient.GetPipeleekHTTPClient(gitlabUrl, []*http.Cookie{{Name: "_gitlab_session", Value: cookieVal}}, nil)
 	resp, err := client.Get(gitlabSessionsUrl)
 	if err != nil {

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@ func NewClient(username string, password string, bitBucketCookie string, baseURL`
`43`	`43`	`jar, _ := cookiejar.New(nil)`
`44`	`44`	`// set cookie on the internal host root so requests to internal endpoints include it`
`45`	`45`	`targetURL := &url.URL{Scheme: parsedBase.Scheme, Host: internalHost, Path: "/"}`
	`46`	`+ // #nosec G124 - Cookie attributes (Secure/HttpOnly/SameSite) are server-side browser directives; not applicable for client HTTP requests`
`46`	`47`	`jar.SetCookies(targetURL, []*http.Cookie{`
`47`	`48`	`{`
`48`	`49`	`Name: "cloud.session.token",`