diff --git a/.golangci.yml b/.golangci.yml
index d0643633741..b429b93c3f2 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -20,6 +20,7 @@ linters:
 - depguard
 - errcheck
 - errorlint
+ - forbidigo
 - gofmt
 - goimports
 - gosec
@@ -33,6 +34,15 @@ linters:
 - unconvert
 - unparam
 - whitespace
+linters-settings:
+ forbidigo:
+ # Forbid using os.Getenv and os.LookupEnv with COSIGN_ variables in favor of
+ # pkg/cosign/env package
+ # Reference: https://github.com/sigstore/cosign/issues/2236
+ forbid:
+ - 'os\.Getenv.*'
+ - 'os\.LookupEnv.*'
+ exclude_godoc_examples: false
 output:
 uniq-by-line: false
 issues:
@@ -41,6 +51,16 @@ issues:
 linters:
 - errcheck
 - gosec
+ - forbidigo
+ - path: pkg/cosign/env
+ linters:
+ - forbidigo
+ - path: pkg/providers/
+ linters:
+ - forbidigo
+ - path: pkg/cosign/git/gitlab
+ linters:
+ - forbidigo
 max-issues-per-linter: 0
 max-same-issues: 0
 run:
diff --git a/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go b/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go
index 38287ab3e0d..af867fdeac5 100644
--- a/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go
+++ b/cmd/cosign/cli/fulcio/fulcioverifier/ctl/verify.go
@@ -74,7 +74,7 @@ func ContainsSCT(cert []byte) (bool, error) {
 func VerifySCT(ctx context.Context, certPEM, chainPEM, rawSCT []byte) error {
 // fetch SCT verification key
 pubKeys := make(map[[sha256.Size]byte]logIDMetadata)
- rootEnv := os.Getenv(altCTLogPublicKeyLocation)
+ rootEnv := os.Getenv(altCTLogPublicKeyLocation) //nolint:forbidigo
 if rootEnv == "" {
 tufClient, err := tuf.NewFromEnv(ctx)
 if err != nil {
diff --git a/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go b/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go
index 4403c529a90..da462a294d3 100644
--- a/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go
+++ b/internal/pkg/cosign/fulcio/fulcioroots/fulcioroots.go
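Review bot: The comment added above `forbid:` in the `linters-settings` hunk says the rule is about COSIGN_ variables, but the patterns `'os\.Getenv.*'` and `'os\.LookupEnv.*'` match every call, which is why each call site touched by this commit has to carry a `//nolint:forbidigo`. As far as I know forbidigo matches the call expression text, so it cannot see through a constant such as altRoot to the variable's name, and narrowing the regex would only catch string literals; the comment is what should change. Something like `# Forbid every direct os.Getenv/os.LookupEnv call; COSIGN_* settings must be read through pkg/cosign/env, any other read needs a justified //nolint:forbidigo` states what the rule actually enforces.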
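Review bot: The three exclude rules added in the `issues:` hunk switch forbidigo off for whole package trees, and golangci-lint treats `path:` as an unanchored regular expression, so `pkg/providers/` covers every present and future provider, including one that later reads a COSIGN_ variable directly, which is the case the linter was introduced to catch. If the intent is only to tolerate the reads that exist today, a per-call `//nolint:forbidigo // <reason>` at those sites, as the rest of this commit does, keeps the check active for new code; if the whole tree is meant to be exempt, a short comment above the rules saying why would stop the next reader from re-asking. The rule that gains `- forbidigo` at the top of the hunk starts outside the hunk, so its `path:` pattern is not visible here.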
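Review bot: The `//nolint:forbidigo` added on the `rootEnv :=` line in VerifySCT carries no reason, and the same bare suppression is added in the fulcioroots.go hunk (initRoots) and both tlog.go hunks (GetRekorPubs). Whether these constants name COSIGN_ variables is not visible in the hunks (the TODO in the first tlog.go hunk names a SIGSTORE_-prefixed one), but they are the project's own settings, so these are exactly the reads the linter was added to move into pkg/cosign/env, and the suppression turns an enforced migration into an invisible one. Recording the reason on the line keeps it discoverable and satisfies nolintlint if that linter is enabled, e.g. `rootEnv := os.Getenv(altCTLogPublicKeyLocation) //nolint:forbidigo // TODO: read through pkg/cosign/env (issue 2236)`. VerifySCT's body continues past the end of the hunk.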
@@ -62,7 +62,7 @@ func initRoots() (*x509.CertPool, *x509.CertPool, error) {
 // intermediatePool should be nil if no intermediates are found
 var intermediatePool *x509.CertPool
- rootEnv := os.Getenv(altRoot)
+ rootEnv := os.Getenv(altRoot) //nolint:forbidigo
 if rootEnv != "" {
 raw, err := os.ReadFile(rootEnv)
 if err != nil {
diff --git a/pkg/blob/load.go b/pkg/blob/load.go
index 26db1367848..1d59e705266 100644
--- a/pkg/blob/load.go
+++ b/pkg/blob/load.go
@@ -53,7 +53,7 @@ func LoadFileOrURL(fileRef string) ([]byte, error) {
 }
 case "env://":
 envVar := parts[1]
- value, found := os.LookupEnv(envVar)
+ value, found := os.LookupEnv(envVar) //nolint:forbidigo
 if !found {
 return nil, fmt.Errorf("loading URL: env var $%s not found", envVar)
 }
diff --git a/pkg/cosign/git/github/github.go b/pkg/cosign/git/github/github.go
index 6e41603d543..6894acf0fa8 100644
--- a/pkg/cosign/git/github/github.go
+++ b/pkg/cosign/git/github/github.go
@@ -44,7 +44,7 @@ func New() *Gh {
 func (g *Gh) PutSecret(ctx context.Context, ref string, pf cosign.PassFunc) error {
 var httpClient *http.Client
- if token, ok := os.LookupEnv("GITHUB_TOKEN"); ok {
+ if token, ok := os.LookupEnv("GITHUB_TOKEN"); ok { //nolint:forbidigo
 ts := oauth2.StaticTokenSource(
 &oauth2.Token{AccessToken: token},
 )
diff --git a/pkg/cosign/tlog.go b/pkg/cosign/tlog.go
index 94929d77d32..cea71fae921 100644
--- a/pkg/cosign/tlog.go
+++ b/pkg/cosign/tlog.go
@@ -110,7 +110,7 @@ func intotoEntry(ctx context.Context, signature, pubKey []byte) (models.Proposed
 // TODO: Rename SIGSTORE_TRUST_REKOR_API_PUBLIC_KEY to be test-only or remove.
 func GetRekorPubs(ctx context.Context, rekorClient *client.Rekor) (map[string]RekorPubKey, error) {
 publicKeys := make(map[string]RekorPubKey)
- altRekorPub := os.Getenv(altRekorPublicKey)
+ altRekorPub := os.Getenv(altRekorPublicKey) //nolint:forbidigo
 if altRekorPub != "" {
 raw, err := os.ReadFile(altRekorPub)
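Review bot: The `//nolint:forbidigo` on the `value, found := os.LookupEnv(envVar)` line in the load.go hunk suppresses the linter for a different reason than the other sites in this commit, and that reason should be on the line: `env://` resolves a variable the caller named, so it can never be routed through pkg/cosign/env and the exemption is permanent rather than a pending migration. The `GITHUB_TOKEN` read in the github.go hunk (PutSecret) is the same case, a third-party variable that is not a cosign setting. A trailing reason such as `//nolint:forbidigo // env:// reads a caller-named variable, not a cosign setting` on both lines keeps them from being mistaken for TODOs later. LoadFileOrURL and PutSecret both continue outside their hunks.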
@@ -150,7 +150,7 @@ func GetRekorPubs(ctx context.Context, rekorClient *client.Rekor) (map[string]Re
 // If we have a Rekor client and we've been told to fetch the Public Key from Rekor,
 // additionally fetch it here.
- addRekorPublic := os.Getenv(addRekorPublicKeyFromRekor)
+ addRekorPublic := os.Getenv(addRekorPublicKeyFromRekor) //nolint:forbidigo
 if addRekorPublic != "" && rekorClient != nil {
 fmt.Fprintf(os.Stderr, "**Warning ('%s' is only for testing)** Fetching public key from Rekor API directly\n", addRekorPublicKeyFromRekor)
 pubOK, err := rekorClient.Pubkey.GetPublicKey(nil)