
Micheal Wilkinson
a316723cfc docs: update changelog for gosec scanner fix
2026-03-21 20:58:17 +00:00
Micheal Wilkinson
7405044fb5 chore(go): annotate intentional command execution for gosec 2026-03-21 20:58:17 +00:00
2 changed files with 5 additions and 1 deletions


@@ -28,6 +28,7 @@ A `### Breaking` section is used in addition to Keep a Changelog's standard sect
- `golang/govulncheck-action` in push and PR validation now passes explicit `go-package`, cache enablement, and `cache-dependency-path` inputs to match the required workflow pattern.
- CLI/core wiring now injects `stdin` through `core.NewApp`, `main` owns the `GIT_TERMINAL_PROMPT=0` side effect, and `Rc` force handling is passed per call instead of mutating shared app state.
- Core filesystem and git error paths now wrap underlying failures with command-specific context across listing, generation, tracking, linking, rc hook execution, and destroy confirmation flows.
- Gosec compliance updated for intentional command execution paths: `Open()` now documents both `G702` and `G204` suppression rationale, and fixed-`git` helper invocations include explicit `G204` justifications.
- README badge link target updated to `actions/runs/latest?workflow=...` format per workflow standards.
- CI security scanning now uses GitHub Marketplace actions (`securego/gosec` and `golang/govulncheck-action`) instead of manual tool installation, improving reliability and caching.
- CI setup compatibility fix: gosec scanner now references the correct public action source (`securego/gosec`), resolving action clone failures in Gitea runners.


@@ -299,7 +299,8 @@ func (a *App) Open(castle string) error {
}
castleRoot := filepath.Join(a.ReposDir, castle)
cmd := exec.Command(editor, ".") // #nosec G204 EDITOR environment variable is user-set
// #nosec G702,G204 -- EDITOR is user-controlled local configuration and command is executed directly without a shell.
cmd := exec.Command(editor, ".")
cmd.Dir = castleRoot
cmd.Stdout = a.Stdout
cmd.Stderr = a.Stderr
@@ -801,6 +802,7 @@ func matchesIgnoredDir(castleHome string, candidate string, subdirs []string) (b
}
func runGitWithIO(dir string, stdout io.Writer, stderr io.Writer, args ...string) error {
// #nosec G204 -- git is fixed binary; args are internal command parameters for expected git operations.
cmd := exec.Command("git", args...)
cmd.Dir = dir
cmd.Stdout = stdout
@@ -834,6 +836,7 @@ func (a *App) sayStatus(action string, message string) {
}
func gitOutput(dir string, args ...string) (string, error) {
// #nosec G204 -- git is fixed binary; args are internal read-only git query parameters.
cmd := exec.Command("git", args...)
cmd.Dir = dir
out, err := cmd.Output()
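Review bot: The `#nosec G702,G204` line added before `cmd := exec.Command(editor, ".")` in Open() names a rule ID, G702, that I cannot place in gosec's published rule list; if the scanner version run in CI does not recognise that ID, check the gosec output to confirm the annotation is still honoured for G204 rather than ignored, as the page reports the validation check on this commit as failing. The G204 rationale is accurate as written: exec.Command never goes through a shell, so an EDITOR value is passed as a single argv[0] and not interpreted, and the new comment captures that. In runGitWithIO and gitOutput the justification "args are internal command parameters" is a claim about every caller, none of which is visible in these hunks; a one-line contract on each helper such as `// args must be fixed git parameters; callers pass any user-supplied path after a "--" so git cannot read it as an option` would make the suppression checkable at the call sites. Open() begins before the first hunk and all three functions continue past their hunks.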