fix: resolve golangci lint diagnostics

Author: haasonsaas

.golangci.yml

@@ -3,23 +3,16 @@ run:
   issues-exit-code: 1
   tests: true
   build-tags: []
-  skip-dirs:
-    - vendor
-  skip-files:
-    - ".*\\.pb\\.go$"
-    - ".*_generated\\.go$"
+  modules-download-mode: vendor
 
 linters-settings:
   errcheck:
     check-type-assertions: true
     check-blank: true
-  
   gocyclo:
     min-complexity: 15
-  
   goimports:
     local-prefixes: github.com/EvalOps/keep
-  
   govet:
     enable-all: true
 
@@ -70,11 +63,13 @@ linters-settings:
       - G204 # Command injection - intentional for system commands
 
   staticcheck:
-    go: "1.22"
     checks: ["all"]
 
   gci:
-    local-prefixes: github.com/EvalOps/keep
+    sections:
+      - standard
+      - default
+      - prefix(github.com/EvalOps/keep)
 
   goconst:
     min-len: 2
@@ -108,16 +103,13 @@ linters:
     - goprintffuncname
     - nolintlint
 
-  disable:
-    - deadcode
-    - structcheck
-    - varcheck
-    - golint
-    - maligned
-    - interfacer
-    - scopelint
 
 issues:
+  exclude-dirs:
+    - vendor
+  exclude-files:
+    - ".*\\.pb\\.go$"
+    - ".*_generated\\.go$"
   exclude-rules:
     # Allow long lines in tests for readability
     - path: "_test\\.go"

agent/internal/posture/posture_test.go

@@ -268,7 +268,7 @@ func TestFileExists(t *testing.T) {
 
 	t.Run("returns true for existing file", func(t *testing.T) {
 		testFile := filepath.Join(tmpDir, "exists.txt")
-		if err := os.WriteFile(testFile, []byte("test"), 0644); err != nil {
+		if err := os.WriteFile(testFile, []byte("test"), 0o600); err != nil {
 			t.Fatalf("failed to write test file: %v", err)
 		}
 

agent/internal/service/service.go

@@ -347,10 +347,10 @@ func (s *Service) obtainCertificate() error {
 		if err != nil {
 			return err
 		}
-		if err := os.MkdirAll(filepath.Dir(s.config.CAPath), 0o755); err != nil {
+		if err := os.MkdirAll(filepath.Dir(s.config.CAPath), 0o700); err != nil {
 			return err
 		}
-		if err := os.WriteFile(s.config.CAPath, rawCA, 0o644); err != nil {
+		if err := os.WriteFile(s.config.CAPath, rawCA, 0o600); err != nil {
 			return err
 		}
 	}
@@ -407,7 +407,7 @@ func (s *Service) get(endpoint string) (*http.Response, error) {
 // writePIDFile writes the process ID to a file
 func (s *Service) writePIDFile() error {
 	pid := os.Getpid()
-	return os.WriteFile(s.config.PIDFile, []byte(fmt.Sprintf("%d\n", pid)), 0o644)
+	return os.WriteFile(s.config.PIDFile, []byte(fmt.Sprintf("%d\n", pid)), 0o600)
 }
 
 // removePIDFile removes the PID file

agent/internal/service/service_test.go

@@ -16,6 +16,8 @@ import (
 	"github.com/EvalOps/keep/agent/internal/posture"
 )
 
+const testDeviceID = "test-device"
+
 // mockPostureCollector implements the posture.Collector interface for testing
 type mockPostureCollector struct {
 	postureData *posture.DevicePosture
@@ -41,7 +43,7 @@ func (e *mockError) Error() string {
 func TestService_New(t *testing.T) {
 	t.Run("creates service with valid config", func(t *testing.T) {
 		config := &Config{
-			DeviceID:        "test-device",
+			DeviceID:        testDeviceID,
 			InventoryURL:    "http://localhost:8081",
 			AttestURL:       "http://localhost:8443",
 			KeyPath:         "/tmp/test.key",
@@ -84,7 +86,7 @@ func TestService_initialRegistration(t *testing.T) {
 					return
 				}
 
-				if req.ID != "test-device" {
+				if req.ID != testDeviceID {
 					t.Errorf("Expected device ID 'test-device', got %s", req.ID)
 				}
 
@@ -97,7 +99,9 @@ func TestService_initialRegistration(t *testing.T) {
 				}
 
 				w.WriteHeader(http.StatusOK)
-				json.NewEncoder(w).Encode(map[string]string{"status": "ok"})
+				if err := json.NewEncoder(w).Encode(map[string]string{"status": "ok"}); err != nil {
+					t.Fatalf("Failed to encode response: %v", err)
+				}
 			} else {
 				http.Error(w, "not found", http.StatusNotFound)
 			}
@@ -106,7 +110,7 @@ func TestService_initialRegistration(t *testing.T) {
 
 		// Create test config
 		config := &Config{
-			DeviceID:     "test-device",
+			DeviceID:     testDeviceID,
 			InventoryURL: mockInventory.URL,
 			AttestURL:    "http://localhost:8443",
 			KeyPath:      filepath.Join(tmpDir, "test.key"),
@@ -142,7 +146,7 @@ func TestService_initialRegistration(t *testing.T) {
 
 	t.Run("handles posture collection failure", func(t *testing.T) {
 		config := &Config{
-			DeviceID:     "test-device",
+			DeviceID:     testDeviceID,
 			InventoryURL: "http://localhost:8081",
 			KeyPath:      filepath.Join(tmpDir, "test.key"),
 		}
@@ -180,7 +184,7 @@ func TestService_initialRegistration(t *testing.T) {
 		defer mockInventory.Close()
 
 		config := &Config{
-			DeviceID:     "test-device",
+			DeviceID:     testDeviceID,
 			InventoryURL: mockInventory.URL,
 			KeyPath:      filepath.Join(tmpDir, "test.key"),
 		}
@@ -234,15 +238,17 @@ func TestService_updatePosture(t *testing.T) {
 				}
 
 				w.WriteHeader(http.StatusOK)
-				json.NewEncoder(w).Encode(map[string]string{"status": "updated"})
+				if err := json.NewEncoder(w).Encode(map[string]string{"status": "updated"}); err != nil {
+					t.Fatalf("Failed to encode response: %v", err)
+				}
 			} else {
 				http.Error(w, "not found", http.StatusNotFound)
 			}
 		}))
 		defer mockInventory.Close()
 
 		config := &Config{
-			DeviceID:     "test-device",
+			DeviceID:     testDeviceID,
 			InventoryURL: mockInventory.URL,
 		}
 
@@ -269,7 +275,7 @@ func TestService_updatePosture(t *testing.T) {
 
 	t.Run("handles posture collection failure", func(t *testing.T) {
 		config := &Config{
-			DeviceID:     "test-device",
+			DeviceID:     testDeviceID,
 			InventoryURL: "http://localhost:8081",
 		}
 
@@ -316,11 +322,15 @@ func TestService_obtainCertificate(t *testing.T) {
 				response := certResponse{
 					Certificate: "-----BEGIN CERTIFICATE-----\nMOCK_CERT_DATA\n-----END CERTIFICATE-----",
 				}
-				json.NewEncoder(w).Encode(response)
+				if err := json.NewEncoder(w).Encode(response); err != nil {
+					t.Fatalf("Failed to encode certificate response: %v", err)
+				}
 			} else if r.URL.Path == "/v1/certs/ca" && r.Method == http.MethodGet {
 				// Return mock CA certificate
 				w.Header().Set("Content-Type", "application/x-pem-file")
-				w.Write([]byte("-----BEGIN CERTIFICATE-----\nMOCK_CA_DATA\n-----END CERTIFICATE-----"))
+				if _, err := w.Write([]byte("-----BEGIN CERTIFICATE-----\nMOCK_CA_DATA\n-----END CERTIFICATE-----")); err != nil {
+					t.Fatalf("Failed to write CA certificate: %v", err)
+				}
 			} else {
 				http.Error(w, "not found", http.StatusNotFound)
 			}
@@ -432,7 +442,7 @@ func TestService_removePIDFile(t *testing.T) {
 	pidFile := filepath.Join(tmpDir, "test.pid")
 
 	// Create PID file
-	err := os.WriteFile(pidFile, []byte("12345\n"), 0644)
+	err := os.WriteFile(pidFile, []byte("12345\n"), 0o600)
 	if err != nil {
 		t.Fatalf("Failed to create test PID file: %v", err)
 	}

cmd/inventory/main.go

@@ -11,6 +11,12 @@ import (
 	serverpkg "github.com/EvalOps/keep/services/inventory/server"
 )
 
+const (
+	flagValueTrue      = "true"
+	defaultAppEnv      = "development"
+	defaultRequireMTLS = "false"
+)
+
 func main() {
 	// Initialize secret management
 	secretHelper := secrets.NewHelperFromEnv()
@@ -31,15 +37,15 @@ func main() {
 		ClientCA:    secretHelper.GetOrDefault("INVENTORY_CLIENT_CA", tlsConfig["INVENTORY_CLIENT_CA"]),
 		AuthzJWKS:   envOrDefault("AUTHZ_JWKS_URL", ""),
 		Shutdown:    5 * time.Second,
-		RequireMTLS: envOrDefault("INVENTORY_REQUIRE_MTLS", "false") == "true",
+		RequireMTLS: envOrDefault("INVENTORY_REQUIRE_MTLS", defaultRequireMTLS) == flagValueTrue,
 	}
 
 	ctx := context.Background()
 	if err := telemetry.Init(ctx, telemetry.Config{
 		Endpoint:    os.Getenv("OTEL_EXPORTER_OTLP_ENDPOINT"),
-		Insecure:    os.Getenv("OTEL_EXPORTER_OTLP_INSECURE") == "true",
+		Insecure:    os.Getenv("OTEL_EXPORTER_OTLP_INSECURE") == flagValueTrue,
 		ServiceName: "inventory",
-		Environment: envOrDefault("APP_ENV", "development"),
+		Environment: envOrDefault("APP_ENV", defaultAppEnv),
 	}); err != nil {
 		log.Printf("telemetry init failed: %v", err)
 	}

pkg/pki/ca_test.go

@@ -84,10 +84,10 @@ func TestLoadCA(t *testing.T) {
 		keyPath := filepath.Join(tmpDir, "key.pem")
 
 		// Write invalid certificate
-		if err := os.WriteFile(certPath, []byte("invalid pem"), 0644); err != nil {
+		if err := os.WriteFile(certPath, []byte("invalid pem"), 0o600); err != nil {
 			t.Fatalf("failed to write invalid certificate: %v", err)
 		}
-		if err := os.WriteFile(keyPath, []byte("-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg\n-----END PRIVATE KEY-----"), 0600); err != nil {
+		if err := os.WriteFile(keyPath, []byte("-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg\n-----END PRIVATE KEY-----"), 0o600); err != nil {
 			t.Fatalf("failed to write invalid key: %v", err)
 		}
 
@@ -112,7 +112,7 @@ func TestLoadCA(t *testing.T) {
 		}
 
 		// Now corrupt the key file
-		if err := os.WriteFile(keyPath, []byte("invalid key pem"), 0600); err != nil {
+		if err := os.WriteFile(keyPath, []byte("invalid key pem"), 0o600); err != nil {
 			t.Fatalf("failed to corrupt key file: %v", err)
 		}
 

pkg/pki/device_test.go

@@ -146,7 +146,9 @@ func TestLoadSigningKey(t *testing.T) {
 
 	t.Run("fails with invalid PEM", func(t *testing.T) {
 		invalidPEMPath := filepath.Join(tmpDir, "invalid.key")
-		os.WriteFile(invalidPEMPath, []byte("not a pem file"), 0600)
+		if err := os.WriteFile(invalidPEMPath, []byte("not a pem file"), 0o600); err != nil {
+			t.Fatalf("Failed to write invalid PEM file: %v", err)
+		}
 
 		_, err := LoadSigningKey(invalidPEMPath)
 		if err == nil {
@@ -168,7 +170,9 @@ MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7VJTUt9Us8cKB
 wHVKYdZyLkmMdVNjJqLs2Nx7e62VQqTrqTqhqY+HVhMV7HjfRqNVM6pYsf3VrGQh
 -----END PRIVATE KEY-----`)
 
-		os.WriteFile(rsaKeyPath, keyData, 0600)
+		if err := os.WriteFile(rsaKeyPath, keyData, 0o600); err != nil {
+			t.Fatalf("Failed to write RSA key: %v", err)
+		}
 
 		_, err := LoadSigningKey(rsaKeyPath)
 		if err == nil {
@@ -184,7 +188,9 @@ wHVKYdZyLkmMdVNjJqLs2Nx7e62VQqTrqTqhqY+HVhMV7HjfRqNVM6pYsf3VrGQh
 invalidbase64data!!!
 -----END PRIVATE KEY-----`
 
-		os.WriteFile(corruptPath, []byte(corruptPEM), 0600)
+		if err := os.WriteFile(corruptPath, []byte(corruptPEM), 0o600); err != nil {
+			t.Fatalf("Failed to write corrupt PEM: %v", err)
+		}
 
 		_, err := LoadSigningKey(corruptPath)
 		if err == nil {