fix(security): suppress false positive G304 alerts in filesystem abstraction

arimxyer · claude · arimxyer · commit 15e2208a45fb · 2025-11-12T23:51:37.000-05:00
Add #nosec G304 to filesystem wrapper functions. These are abstraction layer methods where file paths are validated by callers (vault, config). Closes security alerts #12, #13. Generated with Claude Code Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/internal/storage/filesystem.go b/internal/storage/filesystem.go
@@ -31,10 +31,12 @@ func NewOSFileSystem() FileSystem {
 }
 
 func (f *osFileSystem) OpenFile(name string, flag int, perm os.FileMode) (*os.File, error) {
+	// #nosec G304 -- filesystem abstraction layer, file paths are validated by callers (vault, config, etc.)
 	return os.OpenFile(name, flag, perm)
 }
 
 func (f *osFileSystem) ReadFile(name string) ([]byte, error) {
+	// #nosec G304 -- filesystem abstraction layer, file paths are validated by callers (vault, config, etc.)
 	return os.ReadFile(name)
 }
 

Original file line number	Diff line number	Diff line change
`@@ -31,10 +31,12 @@ func NewOSFileSystem() FileSystem {`
`31`	`31`	`}`
`32`	`32`
`33`	`33`	`func (f osFileSystem) OpenFile(name string, flag int, perm os.FileMode) (os.File, error) {`
	`34`	`+ // #nosec G304 -- filesystem abstraction layer, file paths are validated by callers (vault, config, etc.)`
`34`	`35`	`return os.OpenFile(name, flag, perm)`
`35`	`36`	`}`
`36`	`37`
`37`	`38`	`func (f *osFileSystem) ReadFile(name string) ([]byte, error) {`
	`39`	`+ // #nosec G304 -- filesystem abstraction layer, file paths are validated by callers (vault, config, etc.)`
`38`	`40`	`return os.ReadFile(name)`
`39`	`41`	`}`
`40`	`42`