Fix linting issues

Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>

Author: rdimitrov

cmd/thv/main.go

@@ -84,7 +84,7 @@ func setupSignalHandler() context.Context {
 	sigCh := make(chan os.Signal, 1)
 	signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM, syscall.SIGQUIT)
 
-	ctx, cancel := context.WithCancel(context.Background())
+	ctx, cancel := context.WithCancel(context.Background()) //nolint:gosec // G118 - cancel called in signal handler goroutine
 	go func() {
 		<-sigCh
 		slog.Debug("received signal, cleaning up lock files")

pkg/auth/github_provider.go

@@ -127,6 +127,7 @@ func (*GitHubProvider) CanHandle(introspectURL string) bool {
 // IntrospectToken introspects a GitHub OAuth token and returns JWT claims
 // This calls GitHub's token validation API to verify the token and extract user information
 func (g *GitHubProvider) IntrospectToken(ctx context.Context, token string) (jwt.MapClaims, error) {
+	//nolint:gosec // G706 - baseURL is a configured GitHub API endpoint
 	slog.Debug("using GitHub token validation provider", "url", g.baseURL)
 
 	// Apply rate limiting to prevent DoS and respect GitHub API limits
@@ -142,6 +143,7 @@ func (g *GitHubProvider) IntrospectToken(ctx context.Context, token string) (jwt
 	}
 
 	// Create POST request
+	//nolint:gosec // G704 - URL is configured GitHub API endpoint
 	req, err := http.NewRequestWithContext(ctx, "POST", g.baseURL, bytes.NewReader(bodyBytes))
 	if err != nil {
 		return nil, fmt.Errorf("failed to create GitHub validation request: %w", err)

pkg/auth/token.go

@@ -115,6 +115,7 @@ func (g *GoogleProvider) IntrospectToken(ctx context.Context, token string) (jwt
 	u.RawQuery = query.Encode()
 
 	// Create the GET request
+	//nolint:gosec // G704 - URL from trusted OIDC discovery config
 	req, err := http.NewRequestWithContext(ctx, "GET", u.String(), nil)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create Google tokeninfo request: %w", err)
@@ -290,6 +291,7 @@ func (r *RFC7662Provider) IntrospectToken(ctx context.Context, token string) (jw
 	formData.Set("token_type_hint", "access_token")
 
 	// Create POST request with form data
+	//nolint:gosec // G704 - URL is configured introspection endpoint
 	req, err := http.NewRequestWithContext(ctx, "POST", r.url, strings.NewReader(formData.Encode()))
 	if err != nil {
 		return nil, fmt.Errorf("failed to create introspection request: %w", err)

pkg/authserver/server/handlers/callback.go

@@ -209,7 +209,7 @@ func (h *Handler) writeAuthorizationResponse(
 			authorizeRequest.RequestedScope = append(authorizeRequest.RequestedScope, scope)
 			authorizeRequest.GrantedScope = append(authorizeRequest.GrantedScope, scope)
 		} else {
-			slog.Warn("filtered unregistered scope from authorization",
+			slog.Warn("filtered unregistered scope from authorization", //nolint:gosec // G706 - scope from server-side storage
 				"scope", scope,
 				"client_id", pending.ClientID,
 			)
@@ -242,7 +242,7 @@ func (h *Handler) buildAuthorizeRequesterFromPending(
 	// so failure indicates storage corruption
 	redirectURI, err := url.Parse(pending.RedirectURI)
 	if err != nil {
-		slog.Error("stored redirect URI is invalid",
+		slog.Error("stored redirect URI is invalid", //nolint:gosec // G706 - redirect URI from server-side storage
 			"redirect_uri", pending.RedirectURI,
 			"error", err,
 		)

pkg/authserver/storage/redis.go

@@ -240,7 +240,7 @@ func (s *RedisStorage) RegisterClient(ctx context.Context, client fosite.Client)
 		Public:        client.IsPublic(),
 	}
 
-	data, err := json.Marshal(stored)
+	data, err := json.Marshal(stored) //nolint:gosec // G117 - internal Redis storage serialization, not exposed to users
 	if err != nil {
 		return fmt.Errorf("failed to marshal client: %w", err)
 	}
@@ -760,7 +760,7 @@ func marshalUpstreamTokensWithTTL(tokens *UpstreamTokens) ([]byte, time.Duration
 		ClientID:        tokens.ClientID,
 	}
 
-	data, err := json.Marshal(stored)
+	data, err := json.Marshal(stored) //nolint:gosec // G117 - internal Redis storage serialization, not exposed to users
 	if err != nil {
 		return nil, 0, fmt.Errorf("failed to marshal upstream tokens: %w", err)
 	}
@@ -932,7 +932,7 @@ func (s *RedisStorage) StorePendingAuthorization(ctx context.Context, state stri
 		CreatedAt:            pending.CreatedAt.Unix(),
 	}
 
-	data, err := json.Marshal(stored)
+	data, err := json.Marshal(stored) //nolint:gosec // G117 - internal Redis storage serialization, not exposed to users
 	if err != nil {
 		return fmt.Errorf("failed to marshal pending authorization: %w", err)
 	}
@@ -1021,7 +1021,7 @@ func (s *RedisStorage) CreateUser(ctx context.Context, user *User) error {
 		UpdatedAt: user.UpdatedAt.Unix(),
 	}
 
-	data, err := json.Marshal(stored)
+	data, err := json.Marshal(stored) //nolint:gosec // G117 - internal Redis storage serialization, not exposed to users
 	if err != nil {
 		return fmt.Errorf("failed to marshal user: %w", err)
 	}
@@ -1153,7 +1153,7 @@ func (s *RedisStorage) CreateProviderIdentity(ctx context.Context, identity *Pro
 		LastUsedAt:      identity.LastUsedAt.Unix(),
 	}
 
-	data, err := json.Marshal(stored)
+	data, err := json.Marshal(stored) //nolint:gosec // G117 - internal Redis storage serialization, not exposed to users
 	if err != nil {
 		return fmt.Errorf("failed to marshal identity: %w", err)
 	}

pkg/authz/response_filter.go

@@ -61,14 +61,14 @@ func (rfw *ResponseFilteringWriter) FlushAndFilter() error {
 	// If it's not a successful response, just pass it through
 	if rfw.statusCode != http.StatusOK && rfw.statusCode != http.StatusAccepted {
 		rfw.ResponseWriter.WriteHeader(rfw.statusCode)
-		_, err := rfw.ResponseWriter.Write(rfw.buffer.Bytes())
+		_, err := rfw.ResponseWriter.Write(rfw.buffer.Bytes()) //nolint:gosec // G705 - JSON-RPC response, not rendered as HTML
 		return err
 	}
 
 	// Check if this is a list operation that needs filtering
 	if !isListOperation(rfw.method) {
 		rfw.ResponseWriter.WriteHeader(rfw.statusCode)
-		_, err := rfw.ResponseWriter.Write(rfw.buffer.Bytes())
+		_, err := rfw.ResponseWriter.Write(rfw.buffer.Bytes()) //nolint:gosec // G705 - JSON-RPC response, not rendered as HTML
 		return err
 	}
 
@@ -77,7 +77,7 @@ func (rfw *ResponseFilteringWriter) FlushAndFilter() error {
 	// Skip filtering for empty responses (common in SSE scenarios where actual data comes via SSE stream)
 	if len(rawResponse) == 0 {
 		rfw.ResponseWriter.WriteHeader(rfw.statusCode)
-		_, err := rfw.ResponseWriter.Write(rawResponse)
+		_, err := rfw.ResponseWriter.Write(rawResponse) //nolint:gosec // G705 - JSON-RPC response, not rendered as HTML
 		return err
 	}
 

pkg/container/images/registry.go

@@ -247,7 +247,7 @@ func createTarFromDir(srcDir string, writer io.Writer) error {
 		// If it's a regular file, write the contents
 		if !info.IsDir() {
 			// #nosec G304 - This is safe because we're only opening files within the specified context directory
-			file, err := os.Open(path)
+			file, err := os.Open(path) //nolint:gosec // G122 - path from filepath.Walk within validated source directory
 			if err != nil {
 				return fmt.Errorf("failed to open file: %w", err)
 			}

pkg/transport/stdio.go

@@ -220,7 +220,7 @@ func (t *StdioTransport) Start(ctx context.Context) error {
 	}
 
 	// Start a goroutine to handle container exit
-	go t.handleContainerExit(ctx)
+	go t.handleContainerExit(ctx) //nolint:gosec // G118 - background goroutine manages container lifecycle, outlives request
 
 	return nil
 }

pkg/updates/checker.go

@@ -211,6 +211,7 @@ func (d *defaultUpdateChecker) CheckLatestVersion() error {
 	}
 	defer lockfile.ReleaseTrackedLock(lockPath, lockFile)
 
+	//nolint:gosec // G703 - path from trusted app config directory
 	if err := os.WriteFile(d.updateFilePath, updatedData, 0600); err != nil {
 		return fmt.Errorf("failed to write updated file: %w", err)
 	}

pkg/vmcp/health/monitor.go

@@ -241,7 +241,7 @@ func (m *Monitor) Start(ctx context.Context) error {
 	for i := range m.backends {
 		backend := &m.backends[i] // Capture backend pointer for this iteration
 
-		backendCtx, cancel := context.WithCancel(m.ctx)
+		backendCtx, cancel := context.WithCancel(m.ctx) //nolint:gosec // G118 - cancel stored in m.activeChecks, called during Stop
 		m.activeChecks[backend.ID] = cancel
 		m.wg.Add(1)
 		m.initialCheckWg.Add(1)                        // Track initial health check
@@ -331,7 +331,7 @@ func (m *Monitor) UpdateBackends(newBackends []vmcp.Backend) {
 
 			// Circuit breaker will be lazily initialized on first health check
 
-			backendCtx, cancel := context.WithCancel(m.ctx)
+			backendCtx, cancel := context.WithCancel(m.ctx) //nolint:gosec // G118 - cancel stored in m.activeChecks, called during Stop
 			m.activeChecks[id] = cancel
 			m.wg.Add(1)
 			// Clear the "removed" flag if this backend was previously removed