
fix: enable gosec G402 (TLS MinVersion) linter rule#19588

Open

raajheshkannaa wants to merge 1 commit into stackrox:master from raajheshkannaa:fix/enable-gosec-g402

Conversation

@raajheshkannaa

Part of #3545

Summary

  • Enables gosec G402 in .golangci.yml to enforce TLS minimum version settings
  • Adds MinVersion: tls.VersionTLS12 to 15 tls.Config structs missing it
  • Adds #nosec G402 annotations to 28 intentional InsecureSkipVerify usages with explanatory comments

Categories of nosec annotations

  • User-configurable TLS skip: notifiers (email, syslog, splunk, sumologic), scanners (quay, clair), registries
  • mTLS-authenticated connections: sensor-to-central, compliance indexer
  • Design intent: cosign fetcher, scanner transports
  • Test code: self-signed certs, test utilities

Changes

43 files changed, 59 insertions, 46 deletions

Test plan

  • golangci-lint passes with G402 enabled
  • All existing tests unaffected
  • Every nosec annotation includes a justification comment

Add G402 to the gosec includes list in .golangci.yml and fix all
violations across the codebase:

- Add MinVersion: tls.VersionTLS12 to tls.Config structs that were
  missing it (production code, test helpers, test servers)
- Add #nosec G402 annotations to intentional InsecureSkipVerify usages
  where TLS verification is user-configurable (notifiers, scanners,
  registries) or where mTLS provides authentication (sensor-to-central)
- Add #nosec G402 annotations to test code that uses self-signed certs

Fixes part of stackrox#3545
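The pattern the PR describes, as an added example that is not code from this PR or from StackRox: a `tls.Config` with no `MinVersion` (what G402 reports) next to the corrected form that pins the floor at TLS 1.2 and only disables certificate verification when the user explicitly configured it, carrying the `#nosec G402` annotation with its justification. `IntegrationSettings` and `auditTLSConfig` are assumptions made for this example; the audit helper mirrors the two G402 conditions at runtime so a test or startup self-check can catch a config that regresses.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
)

// IntegrationSettings is a hypothetical stand-in for a user-configurable
// integration (notifier, scanner, registry) setting; it is not a StackRox type.
type IntegrationSettings struct {
	Endpoint      string
	SkipTLSVerify bool // user explicitly opted out of certificate verification
}

// insecureClientTLSConfig is the shape gosec G402 reports: MinVersion is
// unset, so the protocol floor is whatever the Go runtime defaults to, and
// nothing in the code pins it.
func insecureClientTLSConfig() *tls.Config {
	return &tls.Config{} // G402: TLS MinVersion not set
}

// hardenedClientTLSConfig is the corrected form: the floor is pinned to
// TLS 1.2, and InsecureSkipVerify is only ever true when the user asked for
// it, which is the "user-configurable TLS skip" category the PR annotates.
func hardenedClientTLSConfig(s IntegrationSettings) *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: s.SkipTLSVerify, // #nosec G402 -- verification is user-configurable
	}
}

// auditTLSConfig is a constructed helper (not gosec itself) that checks the
// two G402 conditions on a built config: a MinVersion below TLS 1.2 and an
// enabled InsecureSkipVerify. It returns nil when the config is clean.
func auditTLSConfig(c *tls.Config) error {
	var findings []error
	if c.MinVersion < tls.VersionTLS12 {
		findings = append(findings, errors.New("G402: MinVersion unset or below TLS 1.2"))
	}
	if c.InsecureSkipVerify {
		findings = append(findings, errors.New("G402: InsecureSkipVerify enabled"))
	}
	return errors.Join(findings...)
}

func main() {
	fmt.Println("unpinned config:", auditTLSConfig(insecureClientTLSConfig()))
	strict := IntegrationSettings{Endpoint: "https://registry.example.invalid"}
	fmt.Println("hardened, verifying:", auditTLSConfig(hardenedClientTLSConfig(strict)))
	optOut := IntegrationSettings{Endpoint: strict.Endpoint, SkipTLSVerify: true}
	fmt.Println("hardened, user opted out:", auditTLSConfig(hardenedClientTLSConfig(optOut)))
}
```

The audit deliberately still reports the user opt-out case: the `#nosec` annotation silences the linter for a reviewed, user-controlled setting, but an operator reading logs should still be able to see that verification is off for that integration.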
@openshift-ci

openshift-ci bot commented Mar 25, 2026

Hi @raajheshkannaa. Thanks for your PR.

I'm waiting for a stackrox member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
