kyle/mcias
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
9ef913c59b9777eafb8f42b27e40a99f3b17d2f8
mcias/.golangci.yaml
Kyle Isom f02eff21b4 Complete implementation: e2e tests, gofmt, hardening 
- Add test/e2e: 11 end-to-end tests covering full login/logout,
  token renewal, admin account management, credential-never-in-response,
  unauthorised access, JWT alg confusion and alg:none attacks,
  revoked token rejection, system account token issuance,
  wrong-password vs unknown-user indistinguishability
- Apply gofmt to all source files (formatting only, no logic changes)
- Update .golangci.yaml for golangci-lint v2 (version field required,
  gosimple merged into staticcheck, formatters section separated)
- Update PROGRESS.md to reflect Phase 5 completion
Security:
  All 97 tests pass with go test -race ./... (zero race conditions).
  Adversarial JWT tests (alg confusion, alg:none) confirm the
  ValidateToken alg-first check is effective against both attack classes.
  Credential fields (PasswordHash, TOTPSecret*, PGPassword) confirmed
  absent from all API responses via both unit and e2e tests.
  go vet ./... clean. golangci-lint v2.6.2 incompatible with go1.26
  runtime; go vet used as linter until toolchain is updated.
2026-03-11 11:54:14 -07:00

120 lines
3.4 KiB
YAML
Raw Blame History

# golangci-lint v2 configuration for a security-critical IAM system.
# Principle: fail loudly. Security and correctness issues are errors, not warnings.
version: "2"
run:
timeout: 5m
# Include test files so security rules apply to test helpers too.
tests: true
linters:
default: none
enable:
# --- Correctness ---
# Unhandled errors are silent failures; in auth code they become vulnerabilities.
- errcheck
# go vet: catches printf-verb mismatches, unreachable code, suspicious constructs.
- govet
# Detects assignments whose result is never used; dead writes hide logic bugs.
- ineffassign
# Detects variables and functions that are never used.
- unused
# --- Error handling ---
# Enforces proper error wrapping (errors.Is/As instead of == comparisons) and
# prevents accidental discard of wrapped sentinel errors.
- errorlint
# --- Security ---
# Primary security scanner: hardcoded secrets, weak RNG, insecure crypto
# (MD5/SHA1/DES/RC4), SQL injection, insecure TLS, file permission issues, etc.
- gosec
# Deep static analysis: deprecated APIs, incorrect mutex use, unreachable code,
# incorrect string conversions, simplification suggestions, and hundreds of other checks.
# (gosimple was merged into staticcheck in golangci-lint v2)
- staticcheck
# --- Style / conventions (per CLAUDE.md) ---
# Enforces Go naming conventions and exported-symbol documentation.
- revive
formatters:
enable:
# Enforces gofmt formatting. Non-formatted code is a CI failure.
- gofmt
# Manages import grouping and formatting; catches stray debug imports.
- goimports
linters-settings:
errcheck:
# Treat blank-identifier assignment of errors as a failure: `_ = riskyCall()`
check-blank: true
# Also check error returns from type assertions.
check-type-assertions: true
govet:
# Enable all analyzers, including shadow (variable shadowing is dangerous in
# auth code where an outer `err` may be silently clobbered).
enable-all: true
gosec:
# Treat all gosec findings as errors, not warnings.
severity: medium
confidence: medium
excludes:
# G104 (errors unhandled) overlaps with errcheck; let errcheck own this.
- G104
errorlint:
errorf: true
asserts: true
comparison: true
revive:
rules:
- name: exported
severity: warning
- name: error-return
severity: error
- name: error-strings
severity: warning
- name: if-return
severity: warning
- name: increment-decrement
severity: warning
- name: var-naming
severity: warning
- name: package-comments
severity: warning
- name: range
severity: warning
- name: time-naming
severity: warning
- name: unexported-return
severity: error
- name: indent-error-flow
severity: warning
- name: early-return
severity: warning
issues:
# Do not cap the number of reported issues; in security code every finding matters.
max-issues-per-linter: 0
max-same-issues: 0
# Exclude vendor and generated code only.
exclude-dirs:
- vendor
exclude-files:
- ".*\\.pb\\.go$"
- ".*_gen\\.go$"
exclude-rules:
# In test files, allow hardcoded test credentials (gosec G101) since they are
# intentional fixtures, not production secrets.
- path: "_test\\.go"
linters:
- gosec
text: "G101"
Reference in New Issue View Git Blame Copy Permalink