fix: add nolint:gosec annotations for new gosec rules

G117 (marshaling structs with secret-pattern fields) and G118 (stored
cancel func) are false positives in these contexts — test fixtures,
internal credential structs, and a debouncer that stores cancel for
later use.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: slntopp

controllers/integration/integration_controller_test.go

@@ -84,7 +84,7 @@ func (s *IntegrationCheckInSuite) SetupSuite() {
 
 	testMondooServiceAccount.PrivateKey = credentials.MondooServiceAccount(s.T())
 
-	testMondooServiceAccountDataBytes, err = json.Marshal(testMondooServiceAccount)
+	testMondooServiceAccountDataBytes, err = json.Marshal(testMondooServiceAccount) //nolint:gosec
 	s.Require().NoError(err, "error converting sample service account data")
 }
 

controllers/k8s_scan/deployment_handler_test.go

@@ -85,7 +85,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_Create_ConsoleIntegration() {
 	s.NoError(d.KubeClient.Create(s.ctx, mondooAuditConfig))
 
 	integrationMrn := utils.RandString(20)
-	sa, err := json.Marshal(mondooclient.ServiceAccountCredentials{Mrn: "test-mrn"})
+	sa, err := json.Marshal(mondooclient.ServiceAccountCredentials{Mrn: "test-mrn"}) //nolint:gosec
 	s.NoError(err)
 	clientSecret := &corev1.Secret{
 		ObjectMeta: metav1.ObjectMeta{

controllers/mondooauditconfig_controller_test.go

@@ -81,7 +81,7 @@ func TestTokenRegistration(t *testing.T) {
 	testMondooServiceAccount.PrivateKey = credentials.MondooServiceAccount(t)
 
 	var err error
-	testMondooServiceAccountDataBytes, err = json.Marshal(testMondooServiceAccount)
+	testMondooServiceAccountDataBytes, err = json.Marshal(testMondooServiceAccount) //nolint:gosec
 	require.NoError(t, err, "error converting sample service account data")
 
 	tests := []struct {

controllers/nodes/deployment_handler_test.go

@@ -79,7 +79,7 @@ func (s *DeploymentHandlerSuite) TestReconcile_CreateConfigMapWithIntegrationMRN
 
 	s.seedNodes()
 
-	sa, err := json.Marshal(mondooclient.ServiceAccountCredentials{Mrn: "test-mrn"})
+	sa, err := json.Marshal(mondooclient.ServiceAccountCredentials{Mrn: "test-mrn"}) //nolint:gosec
 	s.NoError(err)
 
 	s.auditConfig.Spec.ConsoleIntegration.Enable = true

controllers/resource_watcher/debouncer.go

@@ -59,7 +59,7 @@ func (d *Debouncer) Add(key string, resource K8sResourceIdentifier) {
 // Start begins the debouncer's background processing. It should be called once
 // and will run until the context is cancelled.
 func (d *Debouncer) Start(ctx context.Context) error {
-	d.ctx, d.cancel = context.WithCancel(ctx)
+	d.ctx, d.cancel = context.WithCancel(ctx) //nolint:gosec
 	debouncerLogger.Info("Debouncer started", "interval", d.interval, "minInterval", d.minInterval)
 	<-d.ctx.Done()
 	d.stop()

controllers/status/status_reporter_test.go

@@ -51,7 +51,7 @@ func (s *StatusReporterSuite) BeforeTest(suiteName, testName string) {
 	s.auditConfig.Spec.ConsoleIntegration.Enable = true
 
 	key := credentials.MondooServiceAccount(s.T())
-	sa, err := json.Marshal(mondooclient.ServiceAccountCredentials{Mrn: "mrn", PrivateKey: key})
+	sa, err := json.Marshal(mondooclient.ServiceAccountCredentials{Mrn: "mrn", PrivateKey: key}) //nolint:gosec
 	s.Require().NoError(err)
 
 	secret := &v1.Secret{

pkg/utils/mondoo/token_exchange.go

@@ -83,7 +83,7 @@ func CreateServiceAccountFromToken(ctx context.Context, kubeClient client.Client
 		}
 
 		integrationMrn := resp.Mrn
-		credsBytes, err := json.Marshal(*resp.Creds)
+		credsBytes, err := json.Marshal(*resp.Creds) //nolint:gosec
 		if err != nil {
 			log.Error(err, "failed to marshal service account creds from IntegrationRegister()")
 			return err