UpCloudLtd · paketeserrano · Mar 11, 2026 · Mar 10, 2026 · Mar 10, 2026 · Mar 11, 2026
@@ -38,7 +38,7 @@ func TestCreateToken(t *testing.T) {
 				AllowedIPRanges:    nil,
 			},
 			resp: &upcloud.Token{
-				APIToken:           "ucat_01JH5D3ZZJVZS6JC713FA11CB8",
+				APIToken:           "test-token",
 				ID:                 "0cd8eab4-ecb7-445b-a457-6019b0a00496",
 				Name:               "test",
 				Type:               "workspace",

@@ -159,20 +159,20 @@ func formatMatch(address fwRuleAddress) string {
 		if ipStart.Equal(ipStop) {
 			// TODO: ermm, reimplement.. when we figure out if this is really needed + how to do it
 			// sb.WriteString(ui.DefaultAddressColours.Sprint(ipStart))
-			sb.WriteString(fmt.Sprint(ipStart))
+			fmt.Fprint(&sb, ipStart)
 		} else {
 			// sb.WriteString(ui.DefaultAddressColours.Sprintf("%s →\n%s", ipStart, ipStop))
-			sb.WriteString(fmt.Sprintf("%s →\n%s", ipStart, ipStop))
+			fmt.Fprintf(&sb, "%s →\n%s", ipStart, ipStop)
 		}
 	}
 	if address.PortStart != "" {
 		if ipStart != nil {
 			sb.WriteString("\n")
 		}
 		if address.PortStart == address.PortEnd {
-			sb.WriteString(fmt.Sprintf("port: %s", address.PortStart))
+			fmt.Fprintf(&sb, "port: %s", address.PortStart)
 		} else {
-			sb.WriteString(fmt.Sprintf("port: %s → %s", address.PortStart, address.PortEnd))
+			fmt.Fprintf(&sb, "port: %s → %s", address.PortStart, address.PortEnd)
 		}
 	}
 	return sb.String()

@@ -143,7 +143,7 @@ func (s *deployDokkuCommand) deploy(exec commands.Executor, configDir string) er
 		return err
 	}
 	defer func(name string) {
-		errRemove := os.Remove(name)
+		errRemove := os.Remove(name) //gosec:disable G703 -- temp path is created by os.CreateTemp above
 		if errRemove != nil {
 			fmt.Printf("failed to remove temp file %s: %v\n", name, errRemove)
 		}

@@ -327,7 +327,7 @@ func UninstallHelmRelease(releaseName, logDir string) error {
 	}
 
 	if resp != nil {
-		fmt.Fprintf(logFile, "Uninstalled release %q: %s\n", releaseName, resp.Info)
+		fmt.Fprintf(logFile, "Uninstalled release %q: %s\n", releaseName, resp.Info) //gosec:disable G705 -- writes to local log file, not HTML
 	}
 
 	return nil

@@ -139,13 +139,13 @@ func buildSummary(
 	// Kubernetes
 	b.WriteString("KUBERNETES CLUSTER\n")
 	if cluster != nil {
-		b.WriteString(fmt.Sprintf("  Name:        %s\n", cluster.Name))
-		b.WriteString(fmt.Sprintf("  UUID:        %s\n", cluster.UUID))
-		b.WriteString(fmt.Sprintf("  Zone:        %s\n", cluster.Zone))
-		b.WriteString(fmt.Sprintf("  Network:     %s\n", cluster.Network))
+		fmt.Fprintf(&b, "  Name:        %s\n", cluster.Name)
+		fmt.Fprintf(&b, "  UUID:        %s\n", cluster.UUID)
+		fmt.Fprintf(&b, "  Zone:        %s\n", cluster.Zone)
+		fmt.Fprintf(&b, "  Network:     %s\n", cluster.Network)
 		if kubeconfigPath != "" {
-			b.WriteString(fmt.Sprintf("  Kubeconfig:  %s\n", kubeconfigPath))
-			b.WriteString(fmt.Sprintf("  Set env:     export KUBECONFIG=%s\n", kubeconfigPath))
+			fmt.Fprintf(&b, "  Kubeconfig:  %s\n", kubeconfigPath)
+			fmt.Fprintf(&b, "  Set env:     export KUBECONFIG=%s\n", kubeconfigPath)
 			b.WriteString("  Test:        kubectl get nodes\n")
 			b.WriteString("  Ingress LB:  kubectl -n ingress-nginx get svc ingress-nginx-controller -o jsonpath='{.status.loadBalancer.ingress[0].hostname}{\"\\n\"}'\n")
 		}
@@ -155,9 +155,9 @@ func buildSummary(
 	// Network & Router
 	b.WriteString("NETWORKING\n")
 	if network != nil {
-		b.WriteString(fmt.Sprintf("  Network:     %s (UUID: %s)\n", network.Name, network.UUID))
+		fmt.Fprintf(&b, "  Network:     %s (UUID: %s)\n", network.Name, network.UUID)
 		if len(network.IPNetworks) > 0 {
-			b.WriteString(fmt.Sprintf("  CIDR:        %s\n", network.IPNetworks[0].Address))
+			fmt.Fprintf(&b, "  CIDR:        %s\n", network.IPNetworks[0].Address)
 			if network.IPNetworks[0].DHCP == upcloud.True {
 				b.WriteString("  DHCP:        enabled\n")
 			} else {
@@ -166,17 +166,17 @@ func buildSummary(
 		}
 	}
 	if router != nil {
-		b.WriteString(fmt.Sprintf("  Router:      %s (UUID: %s)\n", router.Name, router.UUID))
+		fmt.Fprintf(&b, "  Router:      %s (UUID: %s)\n", router.Name, router.UUID)
 	}
 	b.WriteString("\n")
 
 	// Managed Database
 	b.WriteString("MANAGED DATABASE\n")
 	if db != nil {
-		b.WriteString(fmt.Sprintf("  Name:        %s (UUID: %s)\n", db.Title, db.UUID))
-		b.WriteString(fmt.Sprintf("  Type/Plan:   %s / %s\n", db.Type, db.Plan))
-		b.WriteString(fmt.Sprintf("  State:       %s\n", db.State))
-		b.WriteString(fmt.Sprintf("  ServiceURI:  %s\n", db.ServiceURI))
+		fmt.Fprintf(&b, "  Name:        %s (UUID: %s)\n", db.Title, db.UUID)
+		fmt.Fprintf(&b, "  Type/Plan:   %s / %s\n", db.Type, db.Plan)
+		fmt.Fprintf(&b, "  State:       %s\n", db.State)
+		fmt.Fprintf(&b, "  ServiceURI:  %s\n", db.ServiceURI)
 	} else {
 		b.WriteString("  (not created)\n")
 	}
@@ -185,25 +185,25 @@ func buildSummary(
 	// Managed Object Storage
 	b.WriteString("OBJECT STORAGE\n")
 	if obj != nil {
-		b.WriteString(fmt.Sprintf("  Name:        %s (UUID: %s)\n", obj.Name, obj.UUID))
-		b.WriteString(fmt.Sprintf("  Region:      %s\n", obj.Region))
-		b.WriteString(fmt.Sprintf("  State:       %s\n", obj.OperationalState))
+		fmt.Fprintf(&b, "  Name:        %s (UUID: %s)\n", obj.Name, obj.UUID)
+		fmt.Fprintf(&b, "  Region:      %s\n", obj.Region)
+		fmt.Fprintf(&b, "  State:       %s\n", obj.OperationalState)
 
 		// If API provides endpoint(s)
 		if len(obj.Endpoints) > 0 {
-			b.WriteString(fmt.Sprintf("  DomainName:  %s\n", obj.Endpoints[0].DomainName))
-			b.WriteString(fmt.Sprintf("  Type:        %s\n", obj.Endpoints[0].Type))
-			b.WriteString(fmt.Sprintf("  IAMURL:      %s\n", obj.Endpoints[0].IAMURL))
-			b.WriteString(fmt.Sprintf("  STSURL:      %s\n", obj.Endpoints[0].STSURL))
+			fmt.Fprintf(&b, "  DomainName:  %s\n", obj.Endpoints[0].DomainName)
+			fmt.Fprintf(&b, "  Type:        %s\n", obj.Endpoints[0].Type)
+			fmt.Fprintf(&b, "  IAMURL:      %s\n", obj.Endpoints[0].IAMURL)
+			fmt.Fprintf(&b, "  STSURL:      %s\n", obj.Endpoints[0].STSURL)
 		}
 		// If bucket was created
 		if objBucket != "" {
-			b.WriteString(fmt.Sprintf("  Bucket:      %s\n", objBucket))
+			fmt.Fprintf(&b, "  Bucket:      %s\n", objBucket)
 		}
 		// If access key was created
 		if objAcc != nil {
-			b.WriteString(fmt.Sprintf("  AccessKey:   %s\n", objAcc.AccessKeyID))
-			b.WriteString(fmt.Sprintf("  SecretKey:   %s\n", *objAcc.SecretAccessKey))
+			fmt.Fprintf(&b, "  AccessKey:   %s\n", objAcc.AccessKeyID)
+			fmt.Fprintf(&b, "  SecretKey:   %s\n", *objAcc.SecretAccessKey)
 		}
 	} else {
 		b.WriteString("  (not created)\n")
@@ -232,7 +232,7 @@ func buildSummary(
 	// Final tips
 	b.WriteString("NEXT STEPS\n")
 	if kubeconfigPath != "" {
-		b.WriteString(fmt.Sprintf("  export KUBECONFIG=%s\n", kubeconfigPath))
+		fmt.Fprintf(&b, "  export KUBECONFIG=%s\n", kubeconfigPath)
 	}
 	b.WriteString("  Deploy ingress-nginx and your app, then point DNS (CNAME) to the LB hostname shown above.\n")
 

@@ -22,7 +22,7 @@ type SupabaseConfig struct {
 	LbHostname  string
 	ClusterName string
 
-	JWTSecret         string
+	JWTSecret         string //gosec:disable G117 -- field intentionally stores JWT signing secret
 	AnonKey           string
 	ServiceRoleKey    string
 	PostgresPassword  string

@@ -202,7 +202,7 @@ func (s *importCommand) ExecuteWithoutArguments(exec commands.Executor) (output.
 	case upcloud.StorageImportSourceDirectUpload:
 		// import from local file
 		transferType = "upload"
-		sourceFile, err := os.Open(parsedSource.Path)
+		sourceFile, err := os.Open(parsedSource.Path) //gosec:disable G703 -- local source path is explicit CLI input
 		if err != nil {
 			return commands.HandleError(exec, msg, fmt.Errorf("cannot open local file: %w", err))
 		}
@@ -247,7 +247,7 @@ func (s *importCommand) ExecuteWithoutArguments(exec commands.Executor) (output.
 				// we have no knowledge of the remote file size, report bytes uploaded
 				transferred := fmt.Sprintf("%sB", "-1")
 				if statusUpdate.bytesTransferred <= math.MaxUint32 {
-					transferred = ui.AbbrevNumBinaryPrefix(uint(statusUpdate.bytesTransferred)) //nolint:gosec // disable G115: false positive because value is checked
+					transferred = ui.AbbrevNumBinaryPrefix(uint(statusUpdate.bytesTransferred)) //gosec:disable G115 -- guarded by MaxUint32 check above
 				}
 				exec.PushProgressUpdate(messages.Update{
 					Key: msg,
@@ -314,7 +314,7 @@ func createStorage(exec commands.Executor, params *createParams) (upcloud.Storag
 }
 
 func getLocalFileSize(path string) (size int64, err error) {
-	stat, err := os.Stat(path)
+	stat, err := os.Stat(path) //gosec:disable G703 -- local path comes from explicit CLI/file URL input
 	if err != nil {
 		return 0, err
 	}

@@ -16,7 +16,7 @@ func TestConfig_LoadInvalidYAML(t *testing.T) {
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		assert.NoError(t, tmpFile.Close())
-		assert.NoError(t, os.Remove(tmpFile.Name()))
+		assert.NoError(t, os.Remove(tmpFile.Name())) //gosec:disable G703 -- temp path is created by os.CreateTemp
 	})
 	_, err = tmpFile.WriteString("usernamd:sdkfo\npassword: foo")
 	require.NoError(t, err)
@@ -27,12 +27,16 @@ func TestConfig_LoadInvalidYAML(t *testing.T) {
 }
 
 func TestConfig_Load(t *testing.T) {
+	t.Setenv("UPCLOUD_USERNAME", "")
+	t.Setenv("UPCLOUD_PASSWORD", "")
+	t.Setenv("UPCLOUD_TOKEN", "")
+
 	cfg := New()
 	tmpFile, err := os.CreateTemp(os.TempDir(), "")
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		assert.NoError(t, tmpFile.Close())
-		assert.NoError(t, os.Remove(tmpFile.Name()))
+		assert.NoError(t, os.Remove(tmpFile.Name())) //gosec:disable G703 -- temp path is created by os.CreateTemp
 	})
 	_, err = tmpFile.WriteString("username: sdkfo\npassword: foo")
 	require.NoError(t, err)
@@ -74,13 +78,14 @@ func TestConfig_GetVersion(t *testing.T) {
 func TestConfig_LoadKeyring(t *testing.T) {
 	t.Setenv("UPCLOUD_USERNAME", "")
 	t.Setenv("UPCLOUD_PASSWORD", "")
+	t.Setenv("UPCLOUD_TOKEN", "")
 
 	cfg := New()
 	tmpFile, err := os.CreateTemp(os.TempDir(), "")
 	require.NoError(t, err)
 	t.Cleanup(func() {
 		assert.NoError(t, tmpFile.Close())
-		assert.NoError(t, os.Remove(tmpFile.Name()))
+		assert.NoError(t, os.Remove(tmpFile.Name())) //gosec:disable G703 -- temp path is created by os.CreateTemp
 	})
 	_, err = tmpFile.WriteString("username: unittest")
 	require.NoError(t, err)
@@ -91,7 +96,7 @@ func TestConfig_LoadKeyring(t *testing.T) {
 	cfg.GlobalFlags.ConfigFile = tmpFile.Name()
 	err = cfg.Load()
 	require.NoError(t, err)
-	assert.Equal(t, cfg.GetString("username"), "unittest")
+	assert.Equal(t, "unittest", cfg.GetString("username"))
 	assert.Equal(t, "unittest_password", cfg.GetString("password"))
 	t.Cleanup(func() {
 		// remove test user from keyring

@@ -30,7 +30,7 @@ func IsStderrTerminal() bool {
 // GetTerminalWidth tries to figure out the width of the terminal and returns it
 // returns 0 if there are problems in getting the width.
 func GetTerminalWidth() int {
-	w, _, err := term.GetSize(int(os.Stdout.Fd()))
+	w, _, err := term.GetSize(int(os.Stdout.Fd())) //gosec:disable G115 // file descriptors are runtime-provided small integers
 	if err != nil {
 		return 0
 	}

@@ -30,17 +30,17 @@ func formatFlags(fs *pflag.FlagSet) string {
 		}
 		var flagText, flagUsage strings.Builder
 		if flag.Shorthand != "" {
-			flagText.WriteString(fmt.Sprintf("-%s, ", flag.Shorthand))
+			fmt.Fprintf(&flagText, "-%s, ", flag.Shorthand)
 		}
-		flagText.WriteString(fmt.Sprintf("--%s %s", flag.Name, flag.Value.Type()))
+		fmt.Fprintf(&flagText, "--%s %s", flag.Name, flag.Value.Type())
 		flagUsage.WriteString(text.WrapSoft(flag.Usage, wrappingLineLength))
 		def := flag.DefValue
 		if strings.HasSuffix(flag.Value.Type(), "Slice") || strings.HasSuffix(flag.Value.Type(), "Array") {
 			def = strings.TrimPrefix(def, "[")
 			def = strings.TrimSuffix(def, "]")
 		}
 		if def != "" {
-			flagUsage.WriteString(fmt.Sprintf("\nDefault: %s", def))
+			fmt.Fprintf(&flagUsage, "\nDefault: %s", def)
 		}
 		t.Append(table.Row{flagText.String(), flagUsage.String()})
 	})