From ea2acd51b60cef67bd931e49159f99482eeaa419 Mon Sep 17 00:00:00 2001
From: Felix Geelhaar
Date: Mon, 8 Jun 2026 16:36:39 +0200
Subject: [PATCH 1/2] =?UTF-8?q?ci(lint):=20drop=20gosec=20=E2=80=94=20secu?= =?UTF-8?q?rity=20owned=20by=20nox?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 .golangci.yml | 11 ++---------
 1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/.golangci.yml b/.golangci.yml
index 18b2ff6..830ac11 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -7,8 +7,8 @@ run:
 timeout: 5m
 linters:
- # Mandatory org bar. gocritic is non-negotiable; gosec covers code-level
- # security alongside the nox scan. gocyclo/dupl are intentionally NOT here
+ # Mandatory org bar. gocritic is non-negotiable; code-level security is
+ # owned by nox, not gosec. gocyclo/dupl are intentionally NOT here
 # — they are noisy and repo-specific; opt in per repo if a codebase wants
 # them, but they are not part of the shared gate.
 default: standard
@@ -22,13 +22,6 @@ linters:
 - unconvert
 - unparam
 - gocritic # org engineering bar — do not drop
- - gosec
- exclusions:
- rules:
- # Tests legitimately use math/rand (deterministic fixtures, fuzz
- # seeds). G404 weak-RNG does not apply to test code.
- - path: _test\.go
- linters: [gosec]
 formatters:
 enable:
From 41d4c0e3038fc6ee2981fe799a8723e701cea253 Mon Sep 17 00:00:00 2001
From: Felix Geelhaar
Date: Mon, 8 Jun 2026 16:36:39 +0200
Subject: [PATCH 2/2] refactor: remove now-unused gosec suppressions
---
 viz/html/renderer.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/viz/html/renderer.go b/viz/html/renderer.go
index 04bdfb5..828b932 100644
--- a/viz/html/renderer.go
+++ b/viz/html/renderer.go
@@ -30,7 +30,6 @@ func (r *Renderer) Render(machine *viz.VizMachine) (string, error) {
 }{
 // json.Marshal escapes HTML characters by default, so casting to template.JS is safe here.
 // We need raw JSON for the script tag.
- // #nosec G203
 MachineJSON: template.JS(jsonData),
 }
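Review bot: The rewritten comment in `.golangci.yml` says code-level security is owned by nox, but nothing in this file shows where that scan runs or that it is a required gate, so once `- gosec` is removed in the next hunk the lint config no longer enforces any security rule on its own. I would extend the comment to name the gate, for example `# owned by the nox scan (<nox job or workflow name — placeholder>), which must stay a required check; gosec is not run here.` The follow-up patch also drops `// #nosec G203` beside `MachineJSON: template.JS(jsonData)` in viz/html/renderer.go, so it is worth confirming that nox covers that unescaped-template pattern. The remaining comment's safety argument holds only while jsonData comes from `json.Marshal` with its default HTML escaping.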