rancher · thardeck · Mar 13, 2026 · Mar 13, 2026
@@ -153,5 +153,5 @@ sidebar_label: "%s"
 }
 
 func usage() {
-	fmt.Fprintln(os.Stdout, "Usage: ", os.Args[0], " <directory>") //nolint:gosec // G705 false positive: output goes to stdout, not an HTTP response writer
+	fmt.Fprintln(os.Stdout, "Usage: ", os.Args[0], " <directory>")
 }
@@ -15,7 +15,7 @@ import (
 
 type Auth struct {
 	Username           string `json:"username,omitempty"`
-	Password           string `json:"password,omitempty"` //nolint:gosec // G117 false positive: Password is an intentional field in the Helm chart auth config
+	Password           string `json:"password,omitempty"`
 	CABundle           []byte `json:"caBundle,omitempty"`
 	SSHPrivateKey      []byte `json:"sshPrivateKey,omitempty"`
 	InsecureSkipVerify bool   `json:"insecureSkipVerify,omitempty"`

@@ -162,7 +162,7 @@ func getHelmRepoIndex(ctx context.Context, repoURL string, auth Auth) (helmRepoI
 
 	client := getHTTPClient(auth)
 
-	resp, err := client.Do(request) //nolint:gosec // G704 false positive: URL is the user-configured Helm chart repository
+	resp, err := client.Do(request)
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch %q: %w", indexURL, err)
 	}

@@ -319,7 +319,7 @@ func GetContent(ctx context.Context, base, source, version string, auth Auth, di
 			return nil
 		}
 
-		content, err := os.ReadFile(path)
+		content, err := os.ReadFile(path) //nolint:gosec // G122: path is from WalkDir over a go-getter controlled temp directory
 		if err != nil {
 			return err
 		}
@@ -432,7 +432,7 @@ func get(ctx context.Context, client Getter, req *getter.Request, auth Auth) err
 		}
 		defer func() {
 			file.Close()
-			os.Remove(file.Name()) //nolint:gosec // G703 false positive: path comes from os.CreateTemp, not user-controlled data
+			os.Remove(file.Name())
 		}()
 
 		if _, err := file.Write(auth.CABundle); err != nil {

@@ -301,7 +301,7 @@ func createClientConfigFromSecret(ctx context.Context, secret *corev1.Secret, tr
 		// NOTE(manno): client-go will use the system trust store even if a CA is configured. So, why do this?
 		req, err := http.NewRequestWithContext(ctx, http.MethodGet, apiServerURL, nil)
 		if err == nil {
-			if resp, err := http.DefaultClient.Do(req); err == nil { //nolint:gosec // G704 false positive: URL is the Kubernetes API server from admin-configured kubeconfig
+			if resp, err := http.DefaultClient.Do(req); err == nil {
 				resp.Body.Close()
 				apiServerCA = nil
 			}

@@ -206,8 +206,8 @@ func (a *Analyze) compareFiles(cmd *cobra.Command, file1, file2 string) error {
 	}
 
 	troubleshooting.PrintHeader(w, "COMPARING SNAPSHOTS")
-	fmt.Fprintf(w, "Before: %s (%s)\n", file1, before.Timestamp) //nolint:gosec // G705 false positive: w is a CLI stdout writer, not an HTTP ResponseWriter
-	fmt.Fprintf(w, "After:  %s (%s)\n", file2, after.Timestamp)  //nolint:gosec // G705 false positive: w is a CLI stdout writer, not an HTTP ResponseWriter
+	fmt.Fprintf(w, "Before: %s (%s)\n", file1, before.Timestamp)
+	fmt.Fprintf(w, "After:  %s (%s)\n", file2, after.Timestamp)
 
 	troubleshooting.PrintSnapshotDiff(w, before, after)
 

@@ -270,7 +270,7 @@ func writeTmpKnownHosts() (string, error) {
 
 	knownHostsPath := f.Name()
 
-	if err := os.WriteFile(knownHostsPath, []byte(knownHosts), 0600); err != nil { //nolint:gosec // G703 false positive: path is generated by os.CreateTemp, not user-controlled
+	if err := os.WriteFile(knownHostsPath, []byte(knownHosts), 0600); err != nil {
 		return "", fmt.Errorf(
 			"failed to write value of %q env var to known_hosts file %s: %w",
 			ssh.KnownHostsEnvVar,

@@ -63,7 +63,7 @@ type Getter interface {
 type OCIRegistrySpec struct {
 	Reference       string
 	Username        string
-	Password        string //nolint:gosec // G117 false positive: Password is an intentional field in the apply options
+	Password        string
 	BasicHTTP       bool
 	InsecureSkipTLS bool
 }

@@ -531,7 +531,7 @@ func addMetricsToArchive(ctx context.Context, c client.Client, logger logr.Logge
 			return fmt.Errorf("failed to create request to metrics service: %w", err)
 		}
 
-		resp, err := httpCli.Do(req) //nolint:gosec // G704 false positive: URL always targets localhost via kubectl port-forward, not an arbitrary server
+		resp, err := httpCli.Do(req)
 		if err != nil {
 			return fmt.Errorf("failed to get response from metrics service: %w", err)
 		}

@@ -549,7 +549,7 @@ func (i *importHandler) restConfigFromKubeConfig(data []byte, agentTLSMode strin
 		if raw.Clusters[cluster] != nil {
 			req, err := http.NewRequestWithContext(context.Background(), http.MethodGet, raw.Clusters[cluster].Server, nil)
 			if err == nil {
-				if resp, err := http.DefaultClient.Do(req); err == nil { //nolint:gosec // G704 false positive: URL is the Kubernetes API server from admin-configured kubeconfig
+				if resp, err := http.DefaultClient.Do(req); err == nil {
 					resp.Body.Close()
 					raw.Clusters[cluster].CertificateAuthorityData = nil
 				}

@@ -91,7 +91,7 @@ func (r *ScreeningLocalReader) Read() ([]*yaml.RNode, error) {
 
 		// To check for the token, I need the file contents. This
 		// assumes the file is encoded as UTF8.
-		filebytes, err := os.ReadFile(p)
+		filebytes, err := os.ReadFile(p) //nolint:gosec // G122: path is from WalkDir over an admin-configured directory
 		if err != nil {
 			return fmt.Errorf("reading YAML file: %w", err)
 		}

@@ -166,7 +166,7 @@ type Bootstrap struct {
 	// in one shot.
 	Repo string `json:"repo,omitempty"`
 	// Secret is the gitrepo.ClientSecretName for agent from repo
-	Secret string `json:"secret,omitempty"` //nolint:gosec // G117 false positive: Secret is a Kubernetes resource name, not a credential value
+	Secret string `json:"secret,omitempty"`
 	Paths  string `json:"paths,omitempty"`
 	Branch string `json:"branch,omitempty"`
 }

@@ -34,7 +34,7 @@ const (
 type OCIOpts struct {
 	Reference       string
 	Username        string
-	Password        string //nolint:gosec // G117 false positive: Password is an intentional field in the OCI registry config
+	Password        string
 	AgentUsername   string
 	AgentPassword   string
 	BasicHTTP       bool

@@ -75,7 +75,7 @@ func latestCommitFromCommitsURL(ctx context.Context, commitsUrl string, opts *op
 
 	req.Header.Set("Accept", "application/vnd.github.v3.sha")
 
-	resp, err := client.Do(req) //nolint:gosec // G704 false positive: URL is derived from the user-configured Git repository
+	resp, err := client.Do(req)
 	if err != nil {
 		return "", err
 	}

@@ -199,8 +199,7 @@ func HandleHooks(ctx context.Context, namespace string, client client.Client, cl
 
 func (w *Webhook) logAndReturn(rw http.ResponseWriter, err error) {
 	w.log.Error(err, "Webhook processing failed")
-	rw.WriteHeader(getErrorCodeFromErr(err))
-	_, _ = rw.Write([]byte(err.Error()))
+	http.Error(rw, "Webhook processing failed", getErrorCodeFromErr(err))
 }
 
 func (w *Webhook) getSecret(ctx context.Context, gitrepo fleet.GitRepo) (*corev1.Secret, error) {

@@ -874,7 +874,7 @@ func TestErrorReadingRequest(t *testing.T) {
 		client:    mockClient,
 		namespace: "default",
 	}
-	testRequest := httptest.NewRequest(http.MethodPost, "/something", errReader(0))
+	testRequest := httptest.NewRequestWithContext(context.Background(), http.MethodPost, "/something", errReader(0))
 	rr := httptest.NewRecorder()
 	w.ServeHTTP(rr, testRequest)