fix: suppress gosec false positives (G101 dev DSN, G704 config-only URL)

haasonsaas · claude · haasonsaas · commit 076a4c780452 · 2026-03-30T22:20:17.000-07:00
G101 flags the default DSN which is a dev placeholder overridden by env
vars in production. G704 flags SSRF on a Vouch client that only calls
URLs from validated config, not user input.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/pkg/vouch/client.go b/pkg/vouch/client.go
@@ -215,7 +215,7 @@ func (c *Client) buildRequest(ctx context.Context, deviceID string) (*http.Reque
 func (c *Client) executeWithRetry(ctx context.Context, req *http.Request) (*http.Response, error) {
 	var resp *http.Response
 	retryErr := retry.Do(ctx, c.config.RetryConfig, func() error {
-		r, err := c.httpClient.Do(req)
+		r, err := c.httpClient.Do(req) // #nosec G704 -- URL is from validated config, not user input
 		if err != nil {
 			return err
 		}
diff --git a/services/inventory/main.go b/services/inventory/main.go
@@ -11,7 +11,7 @@ import (
 
 const (
 	defaultBindAddr    = ":8080"
-	defaultDSN         = "postgres://postgres:postgres@postgres:5432/keep?sslmode=disable"
+	defaultDSN         = "postgres://postgres:postgres@postgres:5432/keep?sslmode=disable" // #nosec G101 -- dev-only default, overridden by env var in production
 	defaultTLSCert     = ""
 	defaultTLSKey      = ""
 	defaultAuthzJWKS   = ""

Original file line number	Diff line number	Diff line change
`@@ -215,7 +215,7 @@ func (c Client) buildRequest(ctx context.Context, deviceID string) (http.Reque`
`215`	`215`	`func (c Client) executeWithRetry(ctx context.Context, req http.Request) (*http.Response, error) {`
`216`	`216`	`var resp *http.Response`
`217`	`217`	`retryErr := retry.Do(ctx, c.config.RetryConfig, func() error {`
`218`		`- r, err := c.httpClient.Do(req)`
	`218`	`+ r, err := c.httpClient.Do(req) // #nosec G704 -- URL is from validated config, not user input`
`219`	`219`	`if err != nil {`
`220`	`220`	`return err`
`221`	`221`	`}`