gsadmin/certctl
1
0
Fork 0
mirror of https://github.com/shankar0123/certctl.git synced 2026-06-07 23:21:30 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
944ce8e7108d7269181c852391cb6ef99a227516
certctl/staticcheck.conf
T
Shankar b566355d6f fix(bundle-7): Verification & Tool Suite Execution — wire mandatory scans + first-run evidence 
Closes Audit-2026-04-25 D-001..D-002 + D-006 (partial) + H-005 (partial).
Opens new tracker IDs H-010, M-028, L-020, L-021 (see closure document
in cowork/comprehensive-audit-2026-04-25/tool-output/_BUNDLE-7-CLOSURE.md).

What changed
- scripts/install-security-tools.sh (NEW) — idempotent installer for the
  Go-based subset (govulncheck, staticcheck, errcheck, ineffassign,
  gosec, osv-scanner). Used locally + by both CI workflows.
- .github/workflows/security-deep-scan.yml (NEW) — daily + workflow_dispatch
  scans for tools that need docker/network: trivy image, syft SBOM,
  ZAP baseline, schemathesis, nuclei, testssl.sh, gosec, osv-scanner,
  full-suite race detector at -count=10. Every step continue-on-error;
  artefacts uploaded for triage.
- .github/workflows/ci.yml — staticcheck added as a soft (continue-on-error)
  gate alongside the existing govulncheck hard gate. Soft until M-028
  closes the 6 remaining SA1019 deprecated-API sites; flip to fail-on-
  non-zero then. Per-package coverage gates extended: pkcs7 hard ≥85%
  (currently 100%), local-issuer soft ≥65% transitional floor (H-010
  raises to 85%).
- staticcheck.conf (NEW) — suppresses 4 style-only rules (ST1005, ST1000,
  ST1003, S1009, S1011, SA9003) with documented justifications. Real
  defects (SA1019) NOT suppressed.
- .govulnignore (NEW) — empty placeholder with the suppression contract
  (one OSV ID + justification + review-by date per line). Bundle-7's
  5 deferred-call advisories don't need entries because govulncheck's
  default exit code already passes.

Local tool-run evidence (cowork/comprehensive-audit-2026-04-25/tool-output/2026-04-26/):
- govulncheck.txt + govulncheck-verbose.txt — clean (0 affected; 5 deferred-call)
- staticcheck.txt + staticcheck-after-suppressions.txt — 6 SA1019 → M-028
- errcheck.txt — 1294 sites, all defer-Close / response-write convention → triaged
- ineffassign.txt — 15 unique sites → L-020
- helm-lint.txt — clean (1 INFO-level icon recommendation)
- go-test-race.txt — clean across scheduler/middleware/mcp at -count=3
  (CI runs -count=10 against the full suite)
- go-test-cover.txt — crypto 86.7% ✓, pkcs7 100% ✓, local-issuer 68.3% ✗ → H-010

Closures in this bundle
- D-001 partial — 4 of 6 Go-based tools ran locally; remainder wired in CI
- D-002 closed — race detector clean
- D-006 partial — helm lint passes; kube-score / kubesec deferred to CI
- D-007 deferred — semgrep p/react-security wired in CI (needs docker)
- D-003 / D-004 / D-005 deferred — wired in security-deep-scan.yml
- H-005 partial — crypto + pkcs7 meet 85%; local-issuer at 68.3% → H-010

New tracker IDs opened (next-bundle scope)
- H-010 — local-issuer coverage gap (68.3% vs 85% target). 2-3 days.
- M-028 — 6 deprecated-API sites (SA1019). Migration coordinated.
- L-020 — ineffassign cleanup sweep, 15 mechanical sites.
- L-021 — 5 transitive Go-module CVEs (deferred-call). Monitor + bump.

NOT addressed in this bundle (deferred to a future Bundle 7-bis)
- M-007 bulk-operation partial-failure tests
- M-008 admin-gated role-gate tests
- L-010 mock.Anything overuse audit
- L-018 defect age analysis on remaining High findings

Verification
- go vet ./...                                → clean
- go build ./...                              → clean
- go test -short -count=1 ./...               → all packages pass
- go test -race -count=3 ./scheduler/middleware/mcp → clean
- go test -cover ./crypto/pkcs7/local-issuer  → see go-test-cover.txt
- govulncheck ./...                           → clean
- staticcheck ./...                           → 6 SA1019 (tracked as M-028)
- helm lint                                   → clean
- yaml lint .github/workflows/*.yml           → clean
- python3 yaml.safe_load(api/openapi.yaml)    → 89 paths

Bundle 7 of the 2026-04-25 comprehensive audit. Tool-output evidence
preserved at cowork/comprehensive-audit-2026-04-25/tool-output/2026-04-26/.
2026-04-26 14:37:28 +00:00

36 lines
1.5 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Bundle-7 / Audit D-001 / staticcheck suppressions.
#
# Bundle-7 first-run dispositions:
#
# ST1005 (90 hits — error strings should not be capitalized)
# Style-only. Would require updating ~90 error strings across
# connectors/discovery for a cosmetic effect. Tracked for a future
# style-sweep bundle, not security-relevant. Suppressed below.
#
# S1009 (15 hits — should omit nil check; len() handles nil)
# Style-only. The redundant nil checks make the intent explicit
# for new-Go-engineer readers. Tracked for the same future sweep.
#
# S1011 (4 hits — could use append spread)
# Style-only.
#
# SA1019 (6 hits — deprecated API)
# Real engineering issue, NOT suppressed. Tracked as new audit
# finding M-028 for explicit migration:
# - cmd/server/main_test.go × 4: middleware.NewAuth → NewAuthWithNamedKeys
# - internal/api/handler/scep.go: csr.Attributes → Extensions
# - one more SA1019 hit elsewhere — see staticcheck.txt receipt.
#
# Configuration format: TOML.
checks = [
"all",
# Bundle-7 first-run dispositions:
"-ST1005", # error string capitalization — style-only (90 hits), future sweep
"-ST1000", # package comment — already-documented packages (126 hits), low value
"-ST1003", # naming convention — pre-existing, future style sweep (10 hits)
"-S1009", # redundant nil check — explicit-intent style (15 hits)
"-S1011", # append-spread — style-only (4 hits)
"-SA9003", # empty branch — guarded sites with `// no-op (...)` comments
]
Reference in New Issue View Git Blame Copy Permalink