.golangci.yml
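# golangci-lint v2 configuration.
# Only the linters listed under linters.enable run (default: none). gosec is the
# security linter; every entry under its `excludes` and every path rule that lists
# gosec reduces security coverage, so each one should keep a stated rationale.
version: "2"

run:
  timeout: 5m
  # Lint against the module graph as committed; go.mod is not updated implicitly.
  modules-download-mode: readonly

linters:
  default: none
  enable:
    - govet
    - staticcheck
    - errcheck
    - ineffassign
    - unused
    - gosec

  settings:
    errcheck:
      # Calls whose returned error may be dropped without a finding.
      # NOTE(review): several of these are not purely cosmetic. An ignored error from
      # Close on a written file or gzip writer can hide a failed flush, an ignored
      # Decode/Sscanf error leaves the destination partially filled, and an ignored
      # Wait error hides a failed subprocess. Confirm each call site is best-effort.
      exclude-functions:
        - (io.Closer).Close
        - (*net/http.Response).Body.Close
        - (net/http.ResponseWriter).Write
        - fmt.Fprint
        - fmt.Fprintf
        - fmt.Fprintln
        - fmt.Sscanf
        - (*encoding/json.Encoder).Encode
        - (*encoding/json.Decoder).Decode
        - (github.com/neo4j/neo4j-go-driver/v5/neo4j.DriverWithContext).Close
        - (github.com/neo4j/neo4j-go-driver/v5/neo4j.SessionWithContext).Close
        - (*os.File).Close
        - (*compress/gzip.Writer).Close
        - (*google.golang.org/grpc.ClientConn).Close
        - (*net.UnixListener).Close
        - os.Remove
        - (*os.Process).Kill
        - (*os/exec.Cmd).Wait

    staticcheck:
      checks:
        - "all"
        - "-QF*"  # disable quickfix suggestions (style, not bugs)
        - "-ST*"  # disable style enforcement
        - "-S1*"  # disable simple suggestions

    gosec:
      # These exclusions apply to every file gosec scans, including code added later.
      # NOTE(review): the injection-class rules (G204, G702, G703, G704, G706) are
      # justified below by properties of today's call sites. A per-call-site
      # suppression with a written reason (`#nosec G204 -- reason`) would keep the
      # rule active for new code; consider it for those rules.
      excludes:
        - G104  # unhandled errors — covered by errcheck with exclusions
        - G115  # integer overflow conversion — false positives on safe casts
        - G117  # exported secret fields — config structs intentionally hold secrets
        - G204  # subprocess with variable — intentional exec for docker/git/ingest
        - G702  # command injection via taint — same as G204 with taint tracking; docker/git calls are safe
        - G301  # directory permissions 0755 — standard for runtime directories
        - G304  # file inclusion via variable — expected for file-serving CLIs
        - G306  # WriteFile permissions >0600 — 0644 is standard for logs/ports
        - G404  # weak random for jitter — crypto/rand not needed for delay jitter
        - G703  # path traversal — plugin paths are constructed from validated config
        - G704  # SSRF via taint — HTTP clients call configured, trusted endpoints
        - G706  # log injection — internal log lines use controlled values; log forging is low-risk

    govet:
      enable:
        - nilness
      disable:
        - shadow

  exclusions:
    paths:
      - docs
      - archive
    rules:
      # Exclude all added linters from test files (only govet applies to tests).
      # govet is intentionally not listed here: listing it would switch off the one
      # linter this rule is documented to keep running on tests.
      - path: _test\.go
        linters:
          - errcheck
          - staticcheck
          - ineffassign
          - unused
          - gosec
      # Exclude generated protobuf files
      - path: \.pb\.go
        linters:
          - all
      # Exclude all added linters from CLI tools and plugins (only govet applies).
      # NOTE(review): this turns gosec off for everything under cmd/ and plugins/.
      # The gosec excludes above cite docker/git exec and plugin paths as their
      # rationale; if that code lives in these directories, gosec does not scan it
      # at all — confirm that is intended.
      - path: ^cmd/
        linters:
          - errcheck
          - staticcheck
          - ineffassign
          - unused
          - gosec
      - path: ^plugins/
        linters:
          - errcheck
          - staticcheck
          - ineffassign
          - unused
          - gosec

issues:
  # 0 disables the caps, so every finding is reported instead of a truncated list.
  max-issues-per-linter: 0
  max-same-issues: 0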