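version: "2"

linters:
  enable:
    - gosec

  exclusions:
    rules:
      # Each rule below suppresses specific gosec findings (rule IDs in `text`,
      # alternatives joined with `|`) for files matching the `path` regexp.
      # Keep `text` as narrow as possible: a rule with only `path` + `linters`
      # silences every gosec finding under that path, and a directory pattern
      # (trailing `/`) also covers files added to that directory later.

      # math/rand is intentional in the router — used for Thompson sampling and
      # retry jitter, not for security-sensitive operations (those use crypto/rand).
      - path: internal/router/
        linters: [gosec]
        text: "G404"

      # tokenhubctl explicitly shells out to `docker exec` by design; the
      # container name comes from the user's own config, not untrusted input.
      - path: cmd/tokenhubctl/
        linters: [gosec]
        text: "G204"

      # Health-check URL is constructed from the server's own listen address,
      # not from external input. (G107 = legacy rule ID, G704 = new taint-aware ID)
      - path: cmd/tokenhub/main\.go
        linters: [gosec]
        text: "G107|G704"

      # File paths in admin_token.go are rooted at os.UserHomeDir() or a
      # server-configured data directory, not at user-supplied input.
      # (G304 = legacy rule ID, G703 = new taint-aware ID)
      - path: internal/httpapi/admin_token\.go
        linters: [gosec]
        text: "G304|G703"

      # Same for tokenhubctl reading ~/.tokenhub/* files.
      - path: cmd/tokenhubctl/main\.go
        linters: [gosec]
        text: "G304|G703|G704|G705"

      # Credentials file path comes from os.UserHomeDir() or TOKENHUB_CREDENTIALS_FILE
      # env var, not user-supplied input. Provider HTTP calls use operator-configured
      # URLs. credProvider struct deserializes a config file, not a hardcoded secret.
      - path: internal/app/server\.go
        linters: [gosec]
        text: "G304|G703|G704|G117|G101"

      # All outbound HTTP calls in the provider layer use operator-configured
      # base URLs registered via the admin API, not user-supplied input.
      - path: internal/providers/http\.go
        linters: [gosec]
        text: "G704"

      # Health prober calls operator-configured provider endpoints.
      - path: internal/health/prober\.go
        linters: [gosec]
        text: "G704"

      # Handler HTTP calls proxy to operator-configured provider endpoints.
      # slog structured logging uses internal metadata (request_id, model, op),
      # not user-supplied strings. ProviderUpsertRequest.APIKey is a DTO field.
      # Idempotency middleware replays a previously captured HTTP response.
      # NOTE(review): this rule is directory-wide, so any handler added to
      # internal/httpapi/ later inherits the suppression without review;
      # consider listing the specific files instead, as admin_token.go is above.
      - path: internal/httpapi/
        linters: [gosec]
        text: "G704|G706|G117|G705"

      # slog's structured key=value format prevents log-injection newline attacks;
      # IP and path are logged only for audit visibility, not user-facing output.
      - path: internal/apikey/middleware\.go
        linters: [gosec]
        text: "G706"

      # Idempotency middleware replays a cached HTTP response — not user-injected HTML.
      - path: internal/idempotency/middleware\.go
        linters: [gosec]
        text: "G705"

      # apiKeyCols is a SQL column list constant; the name contains "key" but
      # there are no hardcoded credentials here.
      - path: internal/store/sqlite\.go
        linters: [gosec]
        text: "G101"

      # Test files are not production attack surface.
      # NOTE(review): no `text` filter is visible here, so as written this
      # disables every gosec rule in *_test.go files; confirm that is intended.
      - path: _test\.go
        linters: [gosec]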