ci(lint): drop gosec — security owned by nox #64
Pull request overview
Aligns this repository’s GolangCI-Lint configuration with the org’s standard security scanning approach by removing the legacy gosec linter and its now-dead suppressions, delegating code-level security scanning to nox as described.
Changes:
- Removed `gosec` from `.golangci.yml` (enable list) and deleted the gosec-only exclusion rule block.
- Removed a now-dead `#nosec G203` directive from the HTML renderer now that gosec is no longer part of linting.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| viz/html/renderer.go | Removes a gosec-specific suppression comment that becomes dead after dropping gosec. |
| .golangci.yml | Drops gosec from enabled linters and removes the gosec-only exclusions to match org-standard nox ownership. |
Heads-up: the

Deferred — keeping gosec until nox/taint-analysis is published at community trust (the plugin is currently unverified; -allow-unverified declined org-wide). Will re-do the gosec removal once nox owns the taint layer. See klarlabs-studio/.github.
Drop gosec — security is owned by nox
The org has standardized on nox for security scanning (secrets + IaC + dependency + AI + taint-analysis SAST), replacing gosec at the code-lint layer. The golden config in klarlabs-studio/.github (golangci.reference.yml) already dropped gosec; this PR brings statekit in line.

Changes

- `.golangci.yml`: removed `gosec` from `linters.enable`, removed the `linters.settings.gosec` block (where present), and pruned gosec from `exclusions.rules` (dropping gosec-only rules entirely, removing the `gosec` token from mixed rules). Everything else — gocritic, the standard set, formatters, repo-specific config — is preserved unchanged.
- Removed suppression directives (`//nolint:gosec` / `// #nosec Gxxx`) that become dead once gosec is gone. For mixed `//nolint:errcheck,gosec` directives, only the `gosec` token was removed; the rest is kept.

Verification

- `.golangci.yml` parses; no residual gosec references.
- `golangci-lint run ./...` (v2.12.2, the CI-pinned version) and `go build ./...` run locally.

No merge intended — opening for the Lint CI gate to confirm green.
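One way to script the suppression cleanup and the "no residual gosec references" check described in the PR body, as an added example rather than code from this PR or the statekit repository; the function names and the Go snippet are constructed for illustration:

```shell
#!/bin/sh
# Added example (not from the PR): strip gosec-only suppressions from Go
# source once gosec leaves the lint config, keep other linters in mixed
# //nolint directives, then confirm nothing gosec-specific is left behind.
set -eu

# Filter: reads Go source on stdin, writes the cleaned source to stdout.
# Order matters: whole-line directives are deleted first, then trailing
# #nosec comments, then gosec is pruned from mixed lists, then gosec-only
# trailing directives are dropped (a reason comment after them survives).
strip_gosec_directives() {
  sed -E \
    -e '/^[[:space:]]*\/\/[[:space:]]*#nosec[[:space:]G0-9,]*$/d' \
    -e '/^[[:space:]]*\/\/nolint:gosec[[:space:]]*$/d' \
    -e 's|[[:space:]]*//[[:space:]]*#nosec[[:space:]G0-9,]*$||' \
    -e 's#(//nolint:[A-Za-z0-9_]+(,[A-Za-z0-9_]+)*),gosec(,|[[:space:]]|$)#\1\3#' \
    -e 's#//nolint:gosec,#//nolint:#' \
    -e 's#[[:space:]]*//nolint:gosec([[:space:]]|$)#\1#'
}

# CI guard: lists remaining gosec-specific directives in the given files
# (or stdin); exit status follows grep, so 1 means "clean".
residual_gosec_refs() {
  grep -nE 'nolint:[A-Za-z0-9_,]*gosec|#nosec' "$@"
}

# Constructed input resembling the renderer cleanup this PR describes.
sample_go_source() {
  cat <<'EOF'
func render(raw string) template.HTML {
    // #nosec G203
    return template.HTML(raw)
}
func run(name string) error {
    cmd := exec.Command(name) //nolint:gosec // G204: name is validated upstream
    defer f.Close() //nolint:errcheck,gosec
    _ = os.Chmod(p, 0o600) //nolint:gosec,errcheck
    return cmd.Run() //nolint:errcheck
}
EOF
}

sample_go_source | strip_gosec_directives
if sample_go_source | strip_gosec_directives | residual_gosec_refs; then
  echo "residual gosec directives found" >&2
  exit 1
fi
```

Run over a real tree with something like `for f in $(git ls-files '*.go'); do strip_gosec_directives < "$f" > "$f.tmp" && mv "$f.tmp" "$f"; done` and then `residual_gosec_refs .golangci.yml $(git ls-files '*.go')` as the verification gate.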