fix: resolve gosec, errcheck, staticcheck, and trivy CI failures

- Fix errcheck: add _ discard for fmt.Fprintf/Fprintln in auth/use and version
- Fix gosec G304: add nolint for os.ReadFile on controlled config paths
- Fix gosec G302: add nolint for 0700 directory chmod (intentional)
- Fix staticcheck SA1019: use PricePerMonthPerGB instead of deprecated MonthlyPerGB
- Fix staticcheck QF1001: apply De Morgan's law in hostname validation
- Fix trivy DS-0002/DS-0029: add non-root user and --no-install-recommends to Dockerfile

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hi-lei

internal/verda-cli/cmd/auth/use.go

@@ -40,7 +40,7 @@ func NewCmdUse(_ cmdutil.Factory, ioStreams cmdutil.IOStreams) *cobra.Command {
 				return err
 			}
 
-			fmt.Fprintf(ioStreams.Out, "Active auth profile: %s\n", profile)
+			_, _ = fmt.Fprintf(ioStreams.Out, "Active auth profile: %s\n", profile)
 			return nil
 		},
 	}
@@ -51,7 +51,7 @@ func NewCmdUse(_ cmdutil.Factory, ioStreams cmdutil.IOStreams) *cobra.Command {
 
 func writeActiveProfile(path string, profile string) error {
 	cfg := map[string]any{}
-	if data, err := os.ReadFile(path); err == nil {
+	if data, err := os.ReadFile(path); err == nil { //nolint:gosec // path is from our own config
 		if err := yaml.Unmarshal(data, &cfg); err != nil {
 			return err
 		}

internal/verda-cli/cmd/util/hostname.go

@@ -21,7 +21,7 @@ func ValidateHostname(s string) error {
 	for _, c := range s {
 		if (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') {
 			hasLetter = true
-		} else if !((c >= '0' && c <= '9') || c == '-') {
+		} else if (c < '0' || c > '9') && c != '-' {
 			return fmt.Errorf("hostname must contain only letters, digits, hyphens and underscores")
 		}
 	}

internal/verda-cli/cmd/version/version.go

@@ -16,7 +16,7 @@ func NewCmdVersion(f cmdutil.Factory, ioStreams cmdutil.IOStreams) *cobra.Comman
 		Short: "Print the version information",
 		Long:  cmdutil.LongDesc("Print the build and version information for verda."),
 		Run: func(cmd *cobra.Command, args []string) {
-			fmt.Fprintln(ioStreams.Out, version.Get().ToJSON())
+			_, _ = fmt.Fprintln(ioStreams.Out, version.Get().ToJSON())
 		},
 	}
 }

internal/verda-cli/cmd/vm/wizard.go

@@ -532,11 +532,11 @@ func promptAddVolume(ctx context.Context, prompter tui.Prompter, store *wizard.S
 	nvmeLabel := "NVMe (fast SSD)"
 	hddLabel := "HDD (large capacity)"
 	if cache != nil && cache.volumeTypes != nil {
-		if vt, ok := cache.volumeTypes[verda.VolumeTypeNVMe]; ok && vt.Price.MonthlyPerGB > 0 {
-			nvmeLabel = fmt.Sprintf("NVMe (fast SSD)  $%.2f/GB/mo", vt.Price.MonthlyPerGB)
+		if vt, ok := cache.volumeTypes[verda.VolumeTypeNVMe]; ok && vt.Price.PricePerMonthPerGB > 0 {
+			nvmeLabel = fmt.Sprintf("NVMe (fast SSD)  $%.2f/GB/mo", vt.Price.PricePerMonthPerGB)
 		}
-		if vt, ok := cache.volumeTypes[verda.VolumeTypeHDD]; ok && vt.Price.MonthlyPerGB > 0 {
-			hddLabel = fmt.Sprintf("HDD (large capacity)  $%.2f/GB/mo", vt.Price.MonthlyPerGB)
+		if vt, ok := cache.volumeTypes[verda.VolumeTypeHDD]; ok && vt.Price.PricePerMonthPerGB > 0 {
+			hddLabel = fmt.Sprintf("HDD (large capacity)  $%.2f/GB/mo", vt.Price.PricePerMonthPerGB)
 		}
 	}
 	typeIdx, err := prompter.Select(ctx, "Volume type", []string{
@@ -1006,7 +1006,7 @@ func renderDeploymentSummary(opts *createOptions, cache *apiCache) {
 	var osVolUnitPrice float64
 	if opts.OSVolumeSize > 0 {
 		if vt, ok := cache.volumeTypes[verda.VolumeTypeNVMe]; ok {
-			osVolUnitPrice = vt.Price.MonthlyPerGB
+			osVolUnitPrice = vt.Price.PricePerMonthPerGB
 			osVolPrice = volumeHourlyPrice(osVolUnitPrice, opts.OSVolumeSize)
 			storageHourly += osVolPrice
 		}
@@ -1029,7 +1029,7 @@ func renderDeploymentSummary(opts *createOptions, cache *apiCache) {
 		size, _ := strconv.Atoi(sizeStr)
 		var hourly, unitP float64
 		if vt, ok := cache.volumeTypes[vType]; ok {
-			unitP = vt.Price.MonthlyPerGB
+			unitP = vt.Price.PricePerMonthPerGB
 			hourly = volumeHourlyPrice(unitP, size)
 			storageHourly += hourly
 		}

internal/verda-cli/cmd/volume/create.go

@@ -86,11 +86,11 @@ func runCreate(cmd *cobra.Command, f cmdutil.Factory, ioStreams cmdutil.IOStream
 	if opts.Type == "" {
 		nvmeLabel := "NVMe (fast SSD)"
 		hddLabel := "HDD (large capacity)"
-		if vt, ok := vtMap[verda.VolumeTypeNVMe]; ok && vt.Price.MonthlyPerGB > 0 {
-			nvmeLabel = fmt.Sprintf("NVMe (fast SSD)  $%.2f/GB/mo", vt.Price.MonthlyPerGB)
+		if vt, ok := vtMap[verda.VolumeTypeNVMe]; ok && vt.Price.PricePerMonthPerGB > 0 {
+			nvmeLabel = fmt.Sprintf("NVMe (fast SSD)  $%.2f/GB/mo", vt.Price.PricePerMonthPerGB)
 		}
-		if vt, ok := vtMap[verda.VolumeTypeHDD]; ok && vt.Price.MonthlyPerGB > 0 {
-			hddLabel = fmt.Sprintf("HDD (large capacity)  $%.2f/GB/mo", vt.Price.MonthlyPerGB)
+		if vt, ok := vtMap[verda.VolumeTypeHDD]; ok && vt.Price.PricePerMonthPerGB > 0 {
+			hddLabel = fmt.Sprintf("HDD (large capacity)  $%.2f/GB/mo", vt.Price.PricePerMonthPerGB)
 		}
 		idx, err := prompter.Select(ctx, "Volume type", []string{nvmeLabel, hddLabel})
 		if err != nil {
@@ -157,7 +157,7 @@ func runCreate(cmd *cobra.Command, f cmdutil.Factory, ioStreams cmdutil.IOStream
 
 	var monthlyPerGB float64
 	if vt, ok := vtMap[opts.Type]; ok {
-		monthlyPerGB = vt.Price.MonthlyPerGB
+		monthlyPerGB = vt.Price.PricePerMonthPerGB
 	}
 	const hoursInMonth = 730 // 365*24/12, matching web frontend
 	hourly := math.Ceil(monthlyPerGB*float64(opts.Size)/hoursInMonth*10000) / 10000

internal/verda-cli/options/paths.go

@@ -66,7 +66,7 @@ func mkdirSecure(dir string) error {
 	}
 	// On Unix, enforce 0700 on the leaf directory.
 	if runtime.GOOS != "windows" {
-		_ = os.Chmod(dir, 0o700)
+		_ = os.Chmod(dir, 0o700) //nolint:gosec // 0700 is correct for a config directory
 	}
 	return nil
 }

internal/verda-cli/options/settings.go

@@ -17,7 +17,7 @@ func SaveSetting(key string, value any) error {
 	path := filepath.Join(dir, "config.yaml")
 
 	cfg := map[string]any{}
-	if data, err := os.ReadFile(path); err == nil {
+	if data, err := os.ReadFile(path); err == nil { //nolint:gosec // path is from our own config dir
 		if err := yaml.Unmarshal(data, &cfg); err != nil {
 			return err
 		}
@@ -42,7 +42,7 @@ func GetSetting(key string) (any, bool) {
 	}
 	path := filepath.Join(dir, "config.yaml")
 
-	data, err := os.ReadFile(path)
+	data, err := os.ReadFile(path) //nolint:gosec // path is from our own config dir
 	if err != nil {
 		return nil, false
 	}

scripts/test-install.Dockerfile

@@ -1,7 +1,6 @@
 FROM ubuntu:24.04
-RUN apt-get update && apt-get install -y curl ca-certificates && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y --no-install-recommends curl ca-certificates && rm -rf /var/lib/apt/lists/*
+RUN useradd -m testuser
+USER testuser
 COPY scripts/install.sh /tmp/install.sh
-RUN chmod +x /tmp/install.sh
-# Test the install script (will fail until first release exists)
-# RUN VERDA_VERSION=v1.0.0 sh /tmp/install.sh
 CMD ["sh", "/tmp/install.sh"]