Add nosec exclusions

hslatman · hslatman · commit af2b67c0c5cd · 2026-05-05T17:43:05.000+02:00
diff --git a/command/oauth/cmd.go b/command/oauth/cmd.go
@@ -526,7 +526,7 @@ func oauthCmd(c *cli.Context) error {
 				fmt.Println(tok.AccessToken)
 			}
 		} else {
-			b, err := json.MarshalIndent(tok, "", "  ")
+			b, err := json.MarshalIndent(tok, "", "  ") // #nosec G117 --  printing the token details intentionally
 			if err != nil {
 				return errors.Wrapf(err, "error marshaling token data")
 			}
@@ -1318,7 +1318,7 @@ func (o *oauth) badRequest(w http.ResponseWriter, msg string) {
 	w.Write([]byte(`</div>`))
 	w.Write([]byte(`<p style='font-size: 20px;'>`))
 	w.Write([]byte(`<strong style='font-size: 28px; color: red;'>Failure</strong><br />`))
-	w.Write([]byte(msg))
+	w.Write([]byte(msg)) // #nosec G705 -- message is either a string literal, or comes from (trusted) IdP
 	w.Write([]byte(`</p></body></html>`))
 	o.errCh <- errors.New(msg)
 }
diff --git a/utils/cautils/tpm.go b/utils/cautils/tpm.go
@@ -649,7 +649,7 @@ func (ac *attestationClient) verifyDecryptedSecret(ctx context.Context, secret [
 		DecryptedSecret: secret,
 	}
 
-	body, err := json.Marshal(sr)
+	body, err := json.Marshal(sr) // #nosec G117 -- the decrypted secret is intentionally sent back to attestation CA (via HTTPS)
 	if err != nil {
 		return nil, fmt.Errorf("failed marshaling secret request: %w", err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -526,7 +526,7 @@ func oauthCmd(c *cli.Context) error {`
`526`	`526`	`fmt.Println(tok.AccessToken)`
`527`	`527`	`}`
`528`	`528`	`} else {`
`529`		`- b, err := json.MarshalIndent(tok, "", " ")`
	`529`	`+ b, err := json.MarshalIndent(tok, "", " ") // #nosec G117 -- printing the token details intentionally`
`530`	`530`	`if err != nil {`
`531`	`531`	`return errors.Wrapf(err, "error marshaling token data")`
`532`	`532`	`}`
`@@ -1318,7 +1318,7 @@ func (o *oauth) badRequest(w http.ResponseWriter, msg string) {`
`1318`	`1318`	w.Write([]byte(`</div>`))
`1319`	`1319`	w.Write([]byte(`<p style='font-size: 20px;'>`))
`1320`	`1320`	w.Write([]byte(`<strong style='font-size: 28px; color: red;'>Failure</strong><br />`))
`1321`		`- w.Write([]byte(msg))`
	`1321`	`+ w.Write([]byte(msg)) // #nosec G705 -- message is either a string literal, or comes from (trusted) IdP`
`1322`	`1322`	w.Write([]byte(`</p></body></html>`))
`1323`	`1323`	`o.errCh <- errors.New(msg)`
`1324`	`1324`	`}`
Original file line number	Diff line number	Diff line change
`@@ -649,7 +649,7 @@ func (ac *attestationClient) verifyDecryptedSecret(ctx context.Context, secret [`
`649`	`649`	`DecryptedSecret: secret,`
`650`	`650`	`}`
`651`	`651`
`652`		`- body, err := json.Marshal(sr)`
	`652`	`+ body, err := json.Marshal(sr) // #nosec G117 -- the decrypted secret is intentionally sent back to attestation CA (via HTTPS)`
`653`	`653`	`if err != nil {`
`654`	`654`	`return nil, fmt.Errorf("failed marshaling secret request: %w", err)`
`655`	`655`	`}`