Adopt linters from Kubernetes

[nirs]

Summary

Compare linters used by Kubernetes with this project and adopt useful ones.

Sources

• Kubernetes golangci-lint config: https://github.com/kubernetes/kubernetes/blob/master/hack/golangci.yaml
• This project's config: .golangci.yaml

Current comparison

Linters used by both projects

Linter	Purpose
gocritic	Code style and common mistakes
staticcheck	Static analysis (150+ checks)
misspell	Spelling errors

Linters used only by Kubernetes

Linter	Purpose	Recommendation
govet	Go vet checks	Add - catches real bugs, should always be enabled
ineffassign	Useless assignments	Add - catches dead code
unused	Dead code detection	Add - finds unused code
revive	Modern golint replacement	Add - more comprehensive than gocritic alone
modernize	Modern Go idioms	Consider - helps keep code up to date
depguard	Dependency restrictions	Skip - only useful for large projects with dependency policies
forbidigo	Forbidden API calls	Skip - only useful for banning specific APIs
ginkgolinter	Ginkgo test patterns	Skip - project doesn't use Ginkgo
kubeapilinter	K8s API conventions	Skip - K8s-specific
logcheck	Structured logging	Skip - K8s-specific custom linter
sorted	Sorted imports/declarations	Skip - too opinionated
testifylint	Testify usage	Skip - project doesn't use testify

Linters used only by this project

Linter	Purpose	Recommendation
gosec	Security checks	Remove or reduce - K8s doesn't use it, high false positive rate
goconst	Repeated constants	Keep - low noise
nolintlint	Check nolint directives	Keep - ensures nolint comments are valid
unconvert	Unnecessary type conversions	Keep - low noise

Recommendations

Add these linters

enable:
  - govet       # Go vet checks, catches real bugs
  - ineffassign # Useless assignments
  - unused      # Dead code detection
  - revive      # Modern golint replacement

Consider removing

• gosec - Kubernetes doesn't use it. High false positive rate for CLI tools. Already disabled G602, G703, and G705 for tools/. Consider removing entirely and relying on code review for security.

Keep as-is

• goconst, gocritic, misspell, nolintlint, staticcheck, unconvert

Notes

Kubernetes relies on staticcheck, custom linters for their specific conventions, and code review for security rather than generic security linters like gosec.

[nirs]

/cc @parikshithb

[nirs]

Additional research: Prometheus linters

Source: https://github.com/prometheus/prometheus/blob/main/.golangci.yml

Prometheus enabled linters

depguard, errorlint, exptostd, fatcontext, gocritic, godot, govet,
loggercheck, misspell, modernize, nilnesserr, perfsprint, predeclared,
revive, sloglint, staticcheck, testifylint, unconvert, unused,
usestdlibvars, whitespace

Key observations

1. Prometheus does NOT use gosec - This is another major CNCF project that doesn't use gosec
2. Both Kubernetes and Prometheus use: govet, gocritic, revive, staticcheck, unused, misspell, unconvert, modernize
3. Prometheus adds: errorlint, perfsprint, usestdlibvars, whitespace

Updated recommendations

High priority additions (used by both K8s and Prometheus):

Linter	Purpose
govet	Go vet checks - catches real bugs
revive	Modern golint replacement
unused	Dead code detection
modernize	Modern Go idioms

Consider adding (Prometheus uses):

Linter	Purpose
errorlint	Proper error wrapping with %w
usestdlibvars	Use stdlib constants (http.StatusOK vs 200)
whitespace	Trailing whitespace

Recommend removing:

Linter	Reason
gosec	Neither K8s nor Prometheus use it. High false positive rate.

[nirs]

Additional research: HashiCorp projects

Vault

Source: https://github.com/hashicorp/vault/blob/main/.golangci.yml

enable:
  - depguard  # Only dependency checking - surprisingly minimal

Vault has an extremely minimal linter config, relying on other processes (code review, internal tooling) rather than extensive static analysis.

Consul

Source: https://github.com/hashicorp/consul/blob/main/.golangci.yml

enable:
  - depguard
  - forbidigo
  - gomodguard
  - govet
  - ineffassign
  - staticcheck
  - unconvert
  - unparam

Key observations

1. Neither Vault nor Consul use gosec - This is now the fourth major project we've checked that skips gosec
2. Consul uses the common core: govet, staticcheck, ineffassign - same as K8s/Prometheus
3. Consul adds unparam - detects unused function parameters
4. HashiCorp relies heavily on code review rather than extensive linting

Summary across all projects checked

Linter	Kubernetes	Prometheus	Consul	Vault	This Project
gosec	✗	✗	✗	✗	✓
govet	✓	✓	✓	✗	✗
staticcheck	✓	✓	✓	✗	✓
ineffassign	✓	✗	✓	✗	✗
revive	✓	✓	✗	✗	✗
unused	✓	✓	✗	✗	✗
gocritic	✓	✓	✗	✗	✓
unconvert	✗	✓	✓	✗	✓
modernize	✓	✓	✗	✗	✗

Conclusion: gosec is not used by any of the major Go projects checked. The industry standard core linters are govet, staticcheck, and project-specific tooling.

[nirs]

golangci-lint defaults and systematic research

Existing systematic research

No public research analyzing linting configurations across many Go projects was found. This type of analysis would require:

1. Using GitHub API to find top Go repos (by stars, contributors, or activity)
2. Fetching .golangci.yml / .golangci.yaml from each
3. Parsing and aggregating which linters are enabled
4. Statistical analysis

This could be a useful community contribution.

golangci-lint default linters

The following linters are enabled by default in golangci-lint (what new projects get out of the box):

Linter	Purpose
errcheck	Checks for unchecked errors
gosimple	Code simplification suggestions
govet	Go vet - suspicious constructs
ineffassign	Unused assignments
staticcheck	Static analysis (150+ checks)
unused	Unused code detection

Comparison with major projects and defaults

Linter	K8s	Prometheus	Consul	Vault	Default	This Project
govet	✓	✓	✓	✗	✓	✗
staticcheck	✓	✓	✓	✗	✓	✓
ineffassign	✓	✗	✓	✗	✓	✗
unused	✓	✓	✗	✗	✓	✗
errcheck	✗	✗	✗	✗	✓	✗
gosimple	✗	✗	✗	✗	✓	✗
gosec	✗	✗	✗	✗	✗	✓

Recommendations

Use golangci-lint defaults as baseline - they are well-chosen and validated by:

• The golangci-lint maintainers' expertise
• Major projects enabling the same core linters
• Low false positive rates

Suggested action:

1. Enable the default linters we're missing: govet, ineffassign, unused, errcheck, gosimple
2. Remove gosec (not in defaults, not used by major projects, high false positive rate)
3. Keep project-specific additions: gocritic, goconst, misspell, unconvert, nolintlint