Kyle Isom
a60e5cb86a
- Fix 314 errcheck violations (blank identifier for unrecoverable errors) - Fix errorlint violation (errors.Is for io.EOF) - Remove unused serveL7Route test helper - Simplify Duration.Seconds() selectors in tests - Remove unnecessary fmt.Sprintf in test - Migrate exclusion rules from issues.exclusions to linters.exclusions (v2 schema) - Add gosec test exclusions (G115, G304, G402, G705) - Disable fieldalignment govet analyzer (optimization, not correctness) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
130 lines
4.6 KiB
YAML
130 lines
4.6 KiB
YAML
# golangci-lint v2 configuration for mc-proxy.
|
|
# Principle: fail loudly. Security and correctness issues are errors, not warnings.
|
|
|
|
version: "2"
|
|
|
|
run:
|
|
timeout: 5m
|
|
# Include test files so security rules apply to test helpers too.
|
|
tests: true
|
|
|
|
linters:
|
|
exclusions:
|
|
paths:
|
|
- vendor
|
|
rules:
|
|
# In test files, suppress gosec rules that are false positives in test code:
|
|
# G101: hardcoded test credentials (intentional fixtures)
|
|
# G115: integer overflow in type conversions (test TLS packet builders)
|
|
# G304: file paths from variables (t.TempDir paths)
|
|
# G402: InsecureSkipVerify (required for test TLS clients)
|
|
# G705: XSS via taint analysis (test HTTP handlers, not real servers)
|
|
- path: "_test\\.go"
|
|
linters:
|
|
- gosec
|
|
text: "G101|G115|G304|G402|G705"
|
|
default: none
|
|
enable:
|
|
# --- Correctness ---
|
|
# Unhandled errors are silent failures; in auth code they become vulnerabilities.
|
|
- errcheck
|
|
# go vet: catches printf-verb mismatches, unreachable code, suspicious constructs.
|
|
- govet
|
|
# Detects assignments whose result is never used; dead writes hide logic bugs.
|
|
- ineffassign
|
|
# Detects variables and functions that are never used.
|
|
- unused
|
|
|
|
# --- Error handling ---
|
|
# Enforces proper error wrapping (errors.Is/As instead of == comparisons) and
|
|
# prevents accidental discard of wrapped sentinel errors.
|
|
- errorlint
|
|
|
|
# --- Security ---
|
|
# Primary security scanner: hardcoded secrets, weak RNG, insecure crypto
|
|
# (MD5/SHA1/DES/RC4), SQL injection, insecure TLS, file permission issues, etc.
|
|
- gosec
|
|
# Deep static analysis: deprecated APIs, incorrect mutex use, unreachable code,
|
|
# incorrect string conversions, simplification suggestions, and hundreds of other checks.
|
|
# (gosimple was merged into staticcheck in golangci-lint v2)
|
|
- staticcheck
|
|
|
|
# --- Style / conventions (per CLAUDE.md) ---
|
|
# Enforces Go naming conventions and selected style rules.
|
|
- revive
|
|
|
|
settings:
|
|
errcheck:
|
|
# Do NOT flag blank-identifier assignments: `_ = rows.Close()` in defers,
|
|
# `_ = tx.Rollback()` after errors, and `_ = fs.Parse(args)` with ExitOnError
|
|
# are all legitimate patterns where the error is genuinely unrecoverable or
|
|
# irrelevant. The default errcheck (without check-blank) still catches
|
|
# unchecked returns that have no assignment at all.
|
|
check-blank: false
|
|
# Flag discarded ok-value in type assertions: `c, _ := x.(*T)` — the ok
|
|
# value should be checked so a failed assertion is not silently treated as nil.
|
|
check-type-assertions: true
|
|
|
|
govet:
|
|
# Enable all analyzers except shadow and fieldalignment. The shadow analyzer
|
|
# flags the idiomatic `if err := f(); err != nil { ... }` pattern as shadowing
|
|
# an outer `err`, which is ubiquitous in Go. The fieldalignment analyzer
|
|
# suggests struct field reordering for memory efficiency — useful as a one-off
|
|
# audit but too noisy for CI (every struct change triggers it).
|
|
enable-all: true
|
|
disable:
|
|
- shadow
|
|
- fieldalignment
|
|
|
|
gosec:
|
|
# Treat all gosec findings as errors, not warnings.
|
|
severity: medium
|
|
confidence: medium
|
|
excludes:
|
|
# G104 (errors unhandled) overlaps with errcheck; let errcheck own this.
|
|
- G104
|
|
|
|
errorlint:
|
|
errorf: true
|
|
asserts: true
|
|
comparison: true
|
|
|
|
revive:
|
|
rules:
|
|
# error-return and unexported-return are correctness/API-safety rules.
|
|
- name: error-return
|
|
severity: error
|
|
- name: unexported-return
|
|
severity: error
|
|
# Style rules.
|
|
- name: error-strings
|
|
severity: warning
|
|
- name: if-return
|
|
severity: warning
|
|
- name: increment-decrement
|
|
severity: warning
|
|
- name: var-naming
|
|
severity: warning
|
|
- name: range
|
|
severity: warning
|
|
- name: time-naming
|
|
severity: warning
|
|
- name: indent-error-flow
|
|
severity: warning
|
|
- name: early-return
|
|
severity: warning
|
|
# exported and package-comments are omitted: this is a personal project,
|
|
# not a public library; godoc completeness is not a CI requirement.
|
|
|
|
formatters:
|
|
enable:
|
|
# Enforces gofmt formatting. Non-formatted code is a CI failure.
|
|
- gofmt
|
|
# Manages import grouping and formatting; catches stray debug imports.
|
|
- goimports
|
|
|
|
issues:
|
|
# Do not cap the number of reported issues; in security code every finding matters.
|
|
max-issues-per-linter: 0
|
|
max-same-issues: 0
|