fix(checkers): load custom YAML checkers from disk, not embedded FS

[sanket-deepsource]

Problem

LoadCustomYamlCheckers(dir) in checkers/checker.go walks
os.DirFS(dir) with fs.WalkDir to discover YAML files on the local
disk, but the closure it shared with the builtin loader
(findYamlCheckers) read file content via
builtinCheckers.ReadFile(path) — i.e. always the embedded FS, never
the local filesystem.

For every custom YAML file, ReadFile returned fs.ErrNotExist, the
error was silently swallowed by the top-level error check in the walk
callback (if err != nil { return nil }), and the checker was never
loaded. Net result: globstar check --checkers=local in a repo with a
.globstar/*.yml found zero issues regardless of the YAML's content.

Reproduction (against v0.7.0)

mkdir -p /tmp/repro/.globstar
# copy any working built-in YAML (e.g. checkers/go/md5_weak_hash.yml)
# into /tmp/repro/.globstar/
cat > /tmp/repro/test.go <<'GO'
package main
import "crypto/md5"
func main() { _ = md5.New() }
GO
cd /tmp/repro && globstar check --checkers=local
# -> 0 issues (should have fired, same YAML fires via --checkers=builtin)

Fix

Thread a per-backend readFile func(string) ([]byte, error) through
findYamlCheckers:

• LoadBuiltinYamlCheckers passes builtinCheckers.ReadFile
• LoadCustomYamlCheckers passes a closure that reads from disk via
  os.ReadFile(filepath.Join(dir, p))

No public API changes — only the unexported helper signature changes.

Tests

• Added checkers/checker_test.go with TestLoadCustomYamlCheckers_ReadsFromDisk,
  which writes a YAML checker to a t.TempDir() and asserts the
  checker is returned in the language map. Verified the test fails on
  the pre-fix code and passes after.
• go test ./checkers/... ./analysis/... ./pkg/... all pass.
• make generate-registry && go build ./cmd/globstar builds cleanly.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
globstar	Ignored		Apr 19, 2026 6:10am