From 465ca3c0b3f2de401afcaa0d5d617248f82914bf Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 5 Jun 2026 11:29:51 +0000
Subject: [PATCH 1/2] Initial plan
From a8c53b322ed4f67645d51e83c69a19342291f273 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Fri, 5 Jun 2026 11:36:50 +0000
Subject: [PATCH 2/2] fix: align gosec to v2.27.1, add nosec justifications, enforce nosec policy flags
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Bump gosec from v2.23.0 → v2.27.1 in Makefile (security-gosec and tools targets)
- Bump gosec from v2.22.11 → v2.27.1 in .github/workflows/security-scan.yml
- Add -nosec-require-rules and -nosec-require-justification flags in Makefile and CI
- Add missing justifications to 2 bare #nosec G304 annotations in run_workflow_validation.go
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/security-scan.yml | 3 ++-
 Makefile | 5 +++--
 pkg/cli/run_workflow_validation.go | 4 ++--
 3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 54a26c7e5c0..bda8986b975 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -26,10 +26,11 @@ jobs:
 - name: Run Gosec
 run: |
- go install github.com/securego/gosec/v2/cmd/gosec@v2.22.11
+ go install github.com/securego/gosec/v2/cmd/gosec@v2.27.1
 # Exclusions configured in .golangci.yml (linters-settings.gosec.exclude)
 # Keep this list in sync with .golangci.yml for consistency
 gosec -fmt sarif -out gosec-results.sarif -stdout -exclude-generated -track-suppressions \
+ -nosec-require-rules -nosec-require-justification \
 -exclude=G101,G115,G204,G602,G301,G302,G304,G306 \
 ./...
diff --git a/Makefile b/Makefile
index 9ff10114372..941b5d39fc8 100644
--- a/Makefile
+++ b/Makefile
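Review bot: G304 stays in the `-exclude=` list on the line immediately after the new `-nosec-require-rules -nosec-require-justification` flags, so this gosec run never evaluates the `#nosec G304` annotations that the same commit justifies in pkg/cli/run_workflow_validation.go; the justification policy is being enforced on a rule the scanner is told to ignore. If per-site justified suppressions are meant to be the control for file reads, drop G304 from the exclusion here (and in the Makefile target) so every os.ReadFile site must carry its own justification. The context comment says the exclusion list is kept in sync with .golangci.yml, and the nosec policy flags presumably have no counterpart there, so a golangci-lint gosec pass would not enforce them — worth confirming. The job definition continues outside the hunk.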
@@ -195,11 +195,12 @@ security-scan: security-gosec security-govulncheck
 .PHONY: security-gosec
 security-gosec:
 @echo "Running gosec security scanner..."
- @command -v gosec >/dev/null || go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0
+ @command -v gosec >/dev/null || go install github.com/securego/gosec/v2/cmd/gosec@v2.27.1
 @# Exclusions configured in .golangci.yml (linters-settings.gosec.exclude)
 @# Keep this list in sync with .golangci.yml for consistency
 @GOPATH=$$(go env GOPATH); \
 PATH="$$GOPATH/bin:$$PATH" gosec -fmt=json -out=gosec-report.json -stdout -exclude-generated -track-suppressions \
+ -nosec-require-rules -nosec-require-justification \
 -exclude=G101,G115,G204,G602,G301,G302,G304,G306 \
 ./...
 @echo "✓ Gosec scan complete (results in gosec-report.json)"
@@ -390,7 +391,7 @@ check-node-version:
 tools: ## Install build-time tools from tools.go
 @echo "Installing build tools..."
 @go install github.com/rhysd/actionlint/cmd/actionlint@v1.7.11
- @go install github.com/securego/gosec/v2/cmd/gosec@v2.23.0
+ @go install github.com/securego/gosec/v2/cmd/gosec@v2.27.1
 @go install golang.org/x/tools/gopls@v0.21.1
 @go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
 @echo "✓ Tools installed successfully"
diff --git a/pkg/cli/run_workflow_validation.go b/pkg/cli/run_workflow_validation.go
index 7ce884b17fa..34dd61a43df 100644
--- a/pkg/cli/run_workflow_validation.go
+++ b/pkg/cli/run_workflow_validation.go
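Review bot: The `command -v gosec >/dev/null || go install ...@v2.27.1` guard on the changed line only installs when no gosec is on PATH, so a developer who already has an older binary (for example the previously pinned v2.23.0) keeps using it, and the new `-nosec-require-rules -nosec-require-justification` arguments are handed to a version that may not accept them; the version bump is enforced in CI, where `go install` always runs, but not locally. Consider running the pinned version unconditionally, e.g. `go run github.com/securego/gosec/v2/cmd/gosec@v2.27.1 -fmt=json -out=gosec-report.json ...`, or gating on the output of `gosec -version` rather than on mere presence. The `-exclude=` list two lines below still contains G304, so the `#nosec G304` justifications added elsewhere in this commit are not evaluated by this target either. The second hunk (the tools target) is a plain version bump and needs nothing.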
@@ -45,7 +45,7 @@ func IsRunnable(markdownPath string) (bool, error) {
 // Read the lock file - path is sanitized using filepath.Clean() to prevent path traversal attacks.
 // The lockPath is derived from markdownPath which comes from trusted sources (CLI arguments, validated workflow paths).
- contentBytes, err := os.ReadFile(cleanLockPath) // #nosec G304
+ contentBytes, err := os.ReadFile(cleanLockPath) // #nosec G304 -- path is sanitized with filepath.Clean() and derived from trusted CLI argument
 if err != nil {
 return false, fmt.Errorf("failed to read lock file: %w", err)
 }
@@ -98,7 +98,7 @@ func getWorkflowInputs(markdownPath string) (map[string]*workflow.InputDefinitio
 // Read the lock file - path is sanitized using filepath.Clean() to prevent path traversal attacks.
 // The lockPath is derived from markdownPath which comes from trusted sources (CLI arguments, validated workflow paths).
- contentBytes, err := os.ReadFile(cleanLockPath) // #nosec G304
+ contentBytes, err := os.ReadFile(cleanLockPath) // #nosec G304 -- path is sanitized with filepath.Clean() and derived from trusted CLI argument
 if err != nil {
 return nil, fmt.Errorf("failed to read lock file: %w", err)
 }
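Review bot: The justification added to the `#nosec G304` comment in IsRunnable (and identically in getWorkflowInputs in the second hunk) says the path is "sanitized with filepath.Clean()", but filepath.Clean only normalizes separators and `.`/`..` segments; a cleaned path can still be absolute or begin with `..` and resolve anywhere on the filesystem, so it does not prevent traversal as the preceding context comment also claims. The actual basis for the suppression is the trust placed in the CLI-supplied markdownPath, and the comment should state exactly that so a later reader does not assume a containment check exists: `// #nosec G304 -- cleanLockPath is derived from an operator-supplied CLI path; filepath.Clean normalizes it but does not confine it to a directory`. While the scan invocations keep G304 in their -exclude list, this annotation is documentation only and the rule is never evaluated at these sites. Both enclosing functions start and end outside their hunks.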