internal/homesick/core/core.go

@@ -299,7 +299,8 @@ func (a *App) Open(castle string) error {
 	}
 
 	castleRoot := filepath.Join(a.ReposDir, castle)
-	cmd := exec.Command(editor, ".") // #nosec G204 — EDITOR environment variable is user-set
+	// #nosec G702,G204 -- EDITOR is user-controlled local configuration and command is executed directly without a shell.
+	cmd := exec.Command(editor, ".")
 	cmd.Dir = castleRoot
 	cmd.Stdout = a.Stdout
 	cmd.Stderr = a.Stderr
@@ -801,6 +802,7 @@ func matchesIgnoredDir(castleHome string, candidate string, subdirs []string) (b
 }
 
 func runGitWithIO(dir string, stdout io.Writer, stderr io.Writer, args ...string) error {
+	// #nosec G204 -- git is fixed binary; args are internal command parameters for expected git operations.
 	cmd := exec.Command("git", args...)
 	cmd.Dir = dir
 	cmd.Stdout = stdout
@@ -834,6 +836,7 @@ func (a *App) sayStatus(action string, message string) {
 }
 
 func gitOutput(dir string, args ...string) (string, error) {
+	// #nosec G204 -- git is fixed binary; args are internal read-only git query parameters.
 	cmd := exec.Command("git", args...)
 	cmd.Dir = dir
 	out, err := cmd.Output()