ci(security): drop gosec from golden golangci config #18

Merged: felixgeelhaar merged 1 commit into main from ci/drop-gosec on Jun 9, 2026

@felixgeelhaar

Contributor

nox now owns all code-level security org-wide. nox/taint-analysis (cosign-verified, community trust, enforced in go-ci.yml) covers gosec's taint rules (G703/G704/G706); nox core covers credential/crypto/file-perm. The "keep gosec until taint verified" deferral is satisfied — taint is live across all 11 repos. Removes gosec from the reference enable, settings.gosec and exclusions.rules. golangci-lint config verify passes.

nox now owns all code-level security. Its cosign-verified taint-analysis
plugin (community trust, enforced in go-ci.yml) covers the taint rules
gosec provided (G703/G704/G706 — SSRF, path traversal, injection), and
nox's core ruleset covers gosec's credential/crypto/file-perm checks. The
deferral note ("keep gosec until nox/taint-analysis is verified") is now
satisfied across the org, so gosec is removed from the reference linter
set, settings and exclusions. Routes any code-security gap through nox.
Copilot AI review requested due to automatic review settings June 9, 2026 08:41

Copilot AI left a comment

Pull request overview

Removes gosec from the organization’s reference golangci-lint configuration now that code-level security/taint scanning is handled by nox (via the enforced nox/taint-analysis plugin in the shared Go CI workflow).

Changes:

  • Dropped gosec from the reference linter enable list.
  • Removed gosec-specific configuration (settings.gosec) and its related exclusion rule.
  • Updated the header/security note and linter rationale comments to reflect nox as the sole code-level security scanner.

@felixgeelhaar felixgeelhaar merged commit 3f2f25f into main Jun 9, 2026
1 check passed
@felixgeelhaar felixgeelhaar deleted the ci/drop-gosec branch June 9, 2026 09:09