feat: add comprehensive static analysis with golangci-lint

Add golangci-lint for static analysis to prevent nil pointer exceptions and other common Go bugs.

Changes:
- Configure golangci-lint with focus on nil safety (errcheck, nilnil, nilerr, staticcheck)
- Add lint job to CircleCI pipeline that runs before tests
- Create Makefile for local development workflow
- Add GitHub Actions workflow as alternative CI
- Update pre-commit hooks to include linting
- Document static analysis setup and best practices

This addresses recent nil pointer issues by catching them at build time before they reach production.

Author: james00012

.circleci/config.yml

@@ -13,6 +13,19 @@ defaults: &defaults
     - image: 087285199408.dkr.ecr.us-east-1.amazonaws.com/circle-ci-test-image-base:go1.22.6-tf1.5-tg58.8-pck1.8-ci56.0
 version: 2.1
 jobs:
+  lint:
+    <<: *defaults
+    steps:
+      - checkout
+      - run:
+          name: Install golangci-lint
+          command: |
+            curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.61.0
+      - run:
+          name: Run golangci-lint
+          command: |
+            golangci-lint run ./...
+  
   test:
     <<: *defaults
     steps:
@@ -259,7 +272,16 @@ workflows:
       not:
         equal: [ scheduled_pipeline, << pipeline.trigger_source >> ]
     jobs:
+      - lint:
+          filters:
+            tags:
+              only: /^v.*/
+          context:
+            - AWS__PHXDEVOPS__circle-ci-test
+            - GITHUB__PAT__gruntwork-ci
       - test:
+          requires:
+            - lint
           filters:
             tags:
               only: /^v.*/

.golangci.yml

@@ -0,0 +1,89 @@
+run:
+  timeout: 10m
+  tests: true
+  modules-download-mode: readonly
+  go: "1.23"
+
+linters:
+  enable:
+    # Default linters (these come with golangci-lint)
+    - errcheck      # Checking for unchecked errors - critical for nil safety
+    - gosimple      # Simplify code  
+    - govet         # Reports suspicious constructs including nil issues
+    - ineffassign   # Detects when assignments to existing variables are not used
+    - staticcheck   # Comprehensive static analysis including nil checks (SA5011)
+    - typecheck     # Like the front-end of a Go compiler, parses and type-checks
+    - unused        # Checks for unused constants, variables, functions and types
+    
+    # Critical nil safety linters
+    - nilnil        # Checks that there is no simultaneous return of nil error and an invalid value
+    - nilerr        # Finds the code that returns nil even if it checks that the error is not nil
+    
+    # Code quality linters
+    - bodyclose     # Checks whether HTTP response body is closed successfully
+    - durationcheck # Check for two common problems with time.Duration
+    - errorlint     # Find code that will cause problems with error handling
+    - copyloopvar   # Checks for pointers to enclosing loop variables (replaces exportloopref)
+    - noctx         # Finds sending http request without context.Context
+    
+    # Style linters
+    - gofmt         # Checks whether code was gofmt-ed
+    - goimports     # Check import statements are formatted
+    - misspell      # Finds commonly misspelled English words in comments
+    - whitespace    # Detection of leading and trailing whitespace
+
+  disable:
+    - depguard      # Too restrictive for dependencies
+    - exhaustive    # Too strict for switch statements
+    - gochecknoglobals # We use some globals
+    - lll           # Line length limit is too strict
+    - wsl           # Whitespace linter is too opinionated
+
+linters-settings:
+  errcheck:
+    check-type-assertions: true
+    check-blank: true
+    
+  govet:
+    enable:
+      - shadow  # Check for shadowed variables
+    
+  staticcheck:
+    checks: ["all", "-ST1000", "-ST1003"]  # Disable some stylistic checks
+    
+  nilnil:
+    checked-types:
+      - ptr
+      - func
+      - iface
+      - map
+      - chan
+
+issues:
+  # Exclude directories from all linters
+  exclude-dirs:
+    - vendor
+    - third_party
+    - generated
+    
+  exclude-rules:
+    # Exclude test files from some linters
+    - path: _test\.go
+      linters:
+        - errcheck
+        - noctx
+        
+    # Exclude generated files
+    - path: "generated"
+      linters:
+        - staticcheck
+        - govet
+        
+  # Maximum issues count per one linter
+  max-issues-per-linter: 0
+  
+  # Maximum count of issues with the same text
+  max-same-issues: 0
+  
+  # Show only new issues for PRs
+  new: false

.pre-commit-config.yaml

@@ -11,3 +11,8 @@ repos:
   hooks:
     - id: shellcheck
     - id: gofmt
+- repo: https://github.com/golangci/golangci-lint
+  rev: v1.55.2
+  hooks:
+    - id: golangci-lint
+      args: ['--config=.golangci.yml']

docs/STATIC_ANALYSIS.md

@@ -0,0 +1,137 @@
+# Static Analysis and Nil Safety
+
+This project uses **golangci-lint** as the primary static analysis tool to prevent common Go bugs, especially nil pointer dereferences.
+
+## Why golangci-lint?
+
+We use golangci-lint as our single static analysis tool because:
+- **Comprehensive**: Runs 20+ linters including staticcheck, errcheck, and nil-specific linters
+- **Fast**: Runs linters in parallel with smart caching
+- **Configurable**: Single `.golangci.yml` file for all configuration
+- **CI-friendly**: Easy integration with CircleCI and GitHub Actions
+
+## Key Linters for Nil Safety
+
+The following linters in our configuration specifically help prevent nil pointer issues:
+
+- **staticcheck**: Comprehensive static analysis including SA5011 (nil pointer checks)
+- **errcheck**: Ensures error values are checked before using returns
+- **nilnil**: Prevents returning nil error with nil value
+- **nilerr**: Finds code that returns nil even when error is not nil
+- **govet**: Reports suspicious constructs including potential nil dereferences
+
+## Local Development
+
+### Pre-commit Hook (Recommended)
+The project uses pre-commit hooks to automatically run linters before each commit:
+
+```bash
+# Install pre-commit
+pip install pre-commit
+
+# Install hooks
+pre-commit install
+
+# Run manually on all files
+pre-commit run --all-files
+
+# Run golangci-lint specifically
+pre-commit run golangci-lint --all-files
+```
+
+### Manual Run
+If you need to run golangci-lint directly:
+
+```bash
+# Install
+curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(go env GOPATH)/bin v1.61.0
+
+# Run
+golangci-lint run ./...
+
+# Auto-fix issues
+golangci-lint run --fix ./...
+
+# Check only new code
+golangci-lint run --new-from-rev=HEAD~1 ./...
+```
+
+## CI/CD Integration
+
+The `lint` job in CircleCI runs before tests on all commits. Tests only run if linting passes, ensuring code quality gates are enforced.
+
+## Common Nil Issues and Fixes
+
+### AWS SDK Responses
+AWS SDK can return nil responses even without errors:
+
+```go
+// ❌ Bad - potential nil panic
+output, err := client.DescribeResourcePolicy(ctx, input)
+if err != nil {
+    return err
+}
+policy := output.Policy // PANIC if output is nil!
+
+// ✅ Good - nil check before access
+output, err := client.DescribeResourcePolicy(ctx, input)
+if err != nil {
+    return err
+}
+if output != nil && output.Policy != nil {
+    policy := output.Policy
+}
+```
+
+### Error Checking
+Always check errors before using returned values:
+
+```go
+// ❌ Bad - ignoring error
+result, _ := someFunction()
+result.Field // PANIC if result is nil!
+
+// ✅ Good - check error first
+result, err := someFunction()
+if err != nil {
+    return err
+}
+// Safe to use result
+```
+
+## Gradual Adoption
+
+For existing codebases with many issues:
+
+1. **Fix critical issues first**: Focus on errcheck and nil-related linters
+2. **Use `make lint-new`**: Only lint new/changed code
+3. **Configure severity**: Set some linters to warning level in `.golangci.yml`
+4. **Exclude old code**: Use `issues.exclude-rules` in config for legacy code
+
+## Suppressing False Positives
+
+When you need to suppress a false positive:
+
+```go
+//nolint:errcheck // We intentionally ignore this error because...
+```
+
+Or for specific linters:
+```go
+//nolint:staticcheck,nilnil // Safe because...
+```
+
+## Configuration
+
+See `.golangci.yml` for full configuration. Key settings:
+
+- **timeout**: 10 minutes for large codebases
+- **skip-dirs**: Excludes vendor, generated code
+- **issues.max-same-issues**: 0 (show all occurrences)
+- **linters-settings**: Specific configuration per linter
+
+## Performance Tips
+
+- Use `--fast` flag for quick checks during development
+- Enable Go module cache: `export GOMODCACHE=$HOME/go/pkg/mod`
+- Use `--parallel` flag to control CPU usage