.golangci.yml
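# golangci-lint configuration, v2 schema.
version: "2"

run:
  # Abort the lint run if it takes longer than five minutes.
  timeout: 5m
  # Test files are excluded from analysis, so no enabled linter (gosec and
  # errcheck included) reports on *_test.go code.
  # NOTE(review): while this stays false, the '_test\.go' exclusion rules
  # under linters.exclusions.rules have nothing to match.
  tests: false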
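linters:
  # Opt-in model: nothing runs unless it is listed under `enable`.
  default: none
  enable:
    - errcheck
    - gosec
    - misspell
    - unconvert
    - unparam

  settings:
    errcheck:
      # Calls whose error return may be discarded without a finding.
      # NOTE(review): Close/Rollback/Remove are typical best-effort cleanup,
      # but os.MkdirAll, os.Chdir and os.Setenv are not: if one of them fails
      # silently, later file operations may run against a directory or
      # environment the code did not intend. Consider dropping those entries
      # and handling the error at the call site.
      exclude-functions:
        - (*database/sql.DB).Close
        - (*database/sql.Rows).Close
        - (*database/sql.Tx).Rollback
        - (*database/sql.Stmt).Close
        - (*database/sql.Conn).Close
        - (*os.File).Close
        - (net.Conn).Close
        - os.RemoveAll
        - os.Remove
        - os.Setenv
        - os.Unsetenv
        - os.Chdir
        - os.MkdirAll
        - fmt.Sscanf
        - fmt.Fprintf
        - fmt.Fprintln
    misspell:
      locale: US

  exclusions:
    # NOTE(review): most gosec rules below are switched off for the whole
    # 'internal/' tree. The stated justifications describe the code as it was
    # audited; a path-wide rule also hides every future finding of that class
    # in the same tree. Where the set of audited call sites is small, a
    # `//nolint:gosec // <reason>` at each site keeps new findings visible.
    rules:
      # G304: File inclusion via variable in tests is safe (test data)
      - path: '_test\.go'
        linters:
          - gosec
        text: 'G304'
      # G304: Config/state file loading in internal packages uses constructed
      # paths, not user input
      - path: 'internal/'
        linters:
          - gosec
        text: 'G304'
      # G306: File permissions 0644 in tests are acceptable (test fixtures)
      - path: '_test\.go'
        linters:
          - gosec
        text: 'G306'
      # G302/G306: Non-sensitive operational files (state, config, logs) written
      # by internal packages can use 0644
      # NOTE(review): this also silences the check for any internal/ file that
      # does hold credentials or tokens; confirm none is written with 0644.
      - path: 'internal/'
        linters:
          - gosec
        text: 'G306|G302'
      # G301/G302: Directory/file permissions 0700/0750 are acceptable.
      # No `path` is set, so this rule applies to the whole repository.
      # NOTE(review): gosec's message appears to state the expected maximum
      # rather than the mode found in the code (by default G301 reads
      # "... 0750 or less"), so 'G301.*0750' likely matches every G301 finding,
      # not only 0750 directories. Verify against real lint output.
      - linters:
          - gosec
        text: 'G302.*0700|G301.*0750'
      # G404: math/rand is fine for jitter/backoff calculations, not security
      # NOTE(review): the rule cannot tell jitter from token or key generation;
      # any security-relevant randomness under internal/ must use crypto/rand
      # and will not be flagged here if it does not.
      - path: 'internal/'
        linters:
          - gosec
        text: 'G404'
      # G104: Unhandled errors are already reported by errcheck (enabled above,
      # with its own exclude-functions list), so gosec would only duplicate it
      - path: 'internal/'
        linters:
          - gosec
        text: 'G104'
      # G204: Subprocess launches in internal packages run trusted internal
      # tools with validated arguments
      - path: 'internal/'
        linters:
          - gosec
        text: 'G204'
      # G115: Integer narrowing conversions in internal code are intentional
      - path: 'internal/'
        linters:
          - gosec
        text: 'G115'
      # G117: Password fields in config/DB structs are not hardcoded secrets
      - path: 'internal/'
        linters:
          - gosec
        text: 'G117'
      # G201: SQL string formatting with backtick-quoted identifiers (dbName,
      # table names) taken from internal config, not user input
      # NOTE(review): backtick quoting alone does not neutralise an identifier
      # that itself contains a backtick; confirm identifiers are validated or
      # come from a fixed allow-list.
      - path: 'internal/'
        linters:
          - gosec
        text: 'G201'
      # G702/G703/G704/G705: Taint analysis false positives in internal tooling,
      # which uses trusted inputs (constructed paths, internal APIs, validated
      # args)
      - path: 'internal/'
        linters:
          - gosec
        text: 'G702|G703|G704|G705'
      # errcheck: Ignore unchecked errors in test files for common cleanup
      # patterns
      - path: '_test\.go'
        linters:
          - errcheck
        text: 'Error return value of .*(Close|Rollback|RemoveAll|Setenv|Unsetenv|Chdir|MkdirAll|Remove|Write).* is not checked'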
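issues:
  # Report at most one issue per source line.
  # NOTE(review): a second finding on the same line (for example a gosec issue
  # next to a misspell one) may not be shown until the first is fixed.
  uniq-by-line: true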