fix the gosec test and a make target for it

Makefile

@@ -75,6 +75,10 @@ image: clean-image ## Build image for a particular arch.
 		--build-arg BUILD_ID="$(BUILD_ID)" \
 		-t $(REGISTRY)/controller:$(TAG) rootfs
 
+.PHONY: gosec
+gosec:
+	docker run --mount type=bind,source="$(pwd)"/,target=/source securego/gosec:2.11.0 -exclude=G109,G601,G104,G204,G304,G306,G307 -tests=false -exclude-dir=test -exclude-dir=images/  -exclude-dir=docs/ /source/...
+
 .PHONY: image-chroot
 image-chroot: clean-chroot-image ## Build image for a particular arch.
 	echo "Building docker image ($(ARCH))..."

cmd/nginx/main.go

@@ -327,8 +327,10 @@ func registerProfiler() {
 	mux.HandleFunc("/debug/pprof/trace", pprof.Trace)
 
 	server := &http.Server{
-		Addr:    fmt.Sprintf("127.0.0.1:%v", nginx.ProfilerPort),
-		Handler: mux,
+		Addr: fmt.Sprintf("127.0.0.1:%v", nginx.ProfilerPort),
+		//G112 (CWE-400): Potential Slowloris Attack
+		ReadHeaderTimeout: 10 * time.Second,
+		Handler:           mux,
 	}
 	klog.Fatal(server.ListenAndServe())
 }

internal/ingress/controller/nginx.go

@@ -110,9 +110,11 @@ func NewNGINXController(config *Configuration, mc metric.Collector) *NGINXContro
 
 	if n.cfg.ValidationWebhook != "" {
 		n.validationWebhookServer = &http.Server{
-			Addr:      config.ValidationWebhook,
-			Handler:   adm_controller.NewAdmissionControllerServer(&adm_controller.IngressAdmission{Checker: n}),
-			TLSConfig: ssl.NewTLSListener(n.cfg.ValidationWebhookCertPath, n.cfg.ValidationWebhookKeyPath).TLSConfig(),
+			Addr: config.ValidationWebhook,
+			//G112 (CWE-400): Potential Slowloris Attack
+			ReadHeaderTimeout: 10 * time.Second,
+			Handler:           adm_controller.NewAdmissionControllerServer(&adm_controller.IngressAdmission{Checker: n}),
+			TLSConfig:         ssl.NewTLSListener(n.cfg.ValidationWebhookCertPath, n.cfg.ValidationWebhookKeyPath).TLSConfig(),
 			// disable http/2
 			// https://github.com/kubernetes/kubernetes/issues/80313
 			// https://github.com/kubernetes/ingress-nginx/issues/6323#issuecomment-737239159