Integrate forbidigo linter for os.Getenv/LookupEnv

Signed-off-by: Marko Mudrinić <mudrinic.mare@gmail.com>

.golangci.yml

@@ -20,6 +20,7 @@ linters:
   - depguard
   - errcheck
   - errorlint
+  - forbidigo
   - gofmt
   - goimports
   - gosec
@@ -33,6 +34,15 @@ linters:
   - unconvert
   - unparam
   - whitespace
+linters-settings:
+  forbidigo:
+    # Forbid using os.Getenv and os.LookupEnv with COSIGN_ variables in favor of
+    # pkg/cosign/env package
+    # Reference: https://github.com/sigstore/cosign/issues/2236
+    forbid:
+      - 'os\.Getenv.*'
+      - 'os\.LookupEnv.*'
+    exclude_godoc_examples: false
 output:
   uniq-by-line: false
 issues:
@@ -41,6 +51,16 @@ issues:
     linters:
     - errcheck
     - gosec
+    - forbidigo
+  - path: pkg/cosign/env
+    linters:
+    - forbidigo
+  - path: pkg/providers/
+    linters:
+    - forbidigo
+  - path: pkg/cosign/git/gitlab
+    linters:
+    - forbidigo
   max-issues-per-linter: 0
   max-same-issues: 0
 run:

cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go

@@ -74,7 +74,7 @@ func ContainsSCT(cert []byte) (bool, error) {
 func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte) error {
 	// fetch SCT verification key
 	pubKeys := make(map[[sha256.Size]byte]logIDMetadata)
-	rootEnv := os.Getenv(altCTLogPublicKeyLocation)
+	rootEnv := os.Getenv(altCTLogPublicKeyLocation) //nolint:forbidigo
 	if rootEnv == "" {
 		tufClient, err := tuf.NewFromEnv(ctx)
 		if err != nil {

internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go

@@ -62,7 +62,7 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) {
 	// intermediatePool should be nil if no intermediates are found
 	var intermediatePool *x509.CertPool
 
-	rootEnv := os.Getenv(altRoot)
+	rootEnv := os.Getenv(altRoot) //nolint:forbidigo
 	if rootEnv != "" {
 		raw, err := os.ReadFile(rootEnv)
 		if err != nil {

pkg/blob/load.go

@@ -53,7 +53,7 @@ func LoadFileOrURL(fileRef string) ([]byte, error) {
 			}
 		case "env://":
 			envVar := parts[1]
-			value, found := os.LookupEnv(envVar)
+			value, found := os.LookupEnv(envVar) //nolint:forbidigo
 			if !found {
 				return nil, fmt.Errorf("loading URL: env var $%s not found", envVar)
 			}

pkg/cosign/git/github/github.go

@@ -44,7 +44,7 @@ func New() *Gh {
 
 func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) error {
 	var httpClient *http.Client
-	if token, ok := os.LookupEnv("GITHUB_TOKEN"); ok {
+	if token, ok := os.LookupEnv("GITHUB_TOKEN"); ok { //nolint:forbidigo
 		ts := oauth2.StaticTokenSource(
 			&oauth2.Token{AccessToken: token},
 		)

pkg/cosign/tlog.go

@@ -110,7 +110,7 @@ func intotoEntry(ctx context.Context, signature, pubKey []byte) (models.Proposed
 // TODO: Rename SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY to be test-only or remove.
 func GetRekorPubs(ctx context.Context, rekorClient *client.Rekor) (map[string]RekorPubKey, error) {
 	publicKeys := make(map[string]RekorPubKey)
-	altRekorPub := os.Getenv(altRekorPublicKey)
+	altRekorPub := os.Getenv(altRekorPublicKey) //nolint:forbidigo
 
 	if altRekorPub != "" {
 		raw, err := os.ReadFile(altRekorPub)
@@ -150,7 +150,7 @@ func GetRekorPubs(ctx context.Context, rekorClient *client.Rekor) (map[string]Re
 
 	// If we have a Rekor client and we've been told to fetch the Public Key from Rekor,
 	// additionally fetch it here.
-	addRekorPublic := os.Getenv(addRekorPublicKeyFromRekor)
+	addRekorPublic := os.Getenv(addRekorPublicKeyFromRekor) //nolint:forbidigo
 	if addRekorPublic != "" && rekorClient != nil {
 		fmt.Fprintf(os.Stderr, "**Warning ('%s' is only for testing)** Fetching public key from Rekor API directly\n", addRekorPublicKeyFromRekor)
 		pubOK, err := rekorClient.Pubkey.GetPublicKey(nil)