fix(ci): add -nosec flag to gosec for SARIF #nosec annotation support

itcmsgr · claude · itcmsgr · commit 8317ed2ea24f · 2026-04-17T08:28:19.000+03:00
Without -nosec, gosec includes all findings in SARIF output even
when #nosec annotations are present in code. The -nosec flag tells
gosec to honor inline suppressions in SARIF mode.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/secure-go.yml b/.github/workflows/secure-go.yml
@@ -95,7 +95,7 @@ jobs:
         run: go install github.com/securego/gosec/v2/cmd/gosec@v2.22.0
 
       - name: Run gosec (SARIF)
-        run: $(go env GOPATH)/bin/gosec -fmt sarif -out gosec.sarif ./... || true
+        run: $(go env GOPATH)/bin/gosec -nosec -fmt sarif -out gosec.sarif ./... || true
 
       - name: Fix gosec SARIF relationships
         run: |
