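# golangci-lint configuration (v2 schema).
# Only the linters listed under linters.enable run (default: none). Several of
# the settings below are security guardrails: FIPS-related import bans, a
# single sanctioned way to build TLS configuration, and SSRF / git-clone rules.
version: '2'

run:
  allow-parallel-runners: true

linters:
  # Start from an empty set so that every active linter is listed explicitly.
  default: none
  enable:
    # Each linter appears once; the repeated entries for errorlint, govet,
    # unused and zerologlint were removed (the effective set is unchanged).
    - gocritic
    - bodyclose
    - copyloopvar
    - depguard
    - errcheck
    - errorlint
    - forbidigo
    - govet
    - ineffassign
    - intrange
    - perfsprint
    - staticcheck
    - unused
    - mirror
    - durationcheck
    - usetesting
    - zerologlint
    - testifylint
    - modernize
    - unconvert
    - exptostd

  settings:
    staticcheck:
      # Run every check except the ones prefixed with '-'.
      # NOTE(review): '-SA1019' turns off staticcheck's deprecated-API report,
      # so use of deprecated identifiers is not flagged by this linter.
      checks:
        - 'all'
        - '-ST1003'
        - '-ST1005'
        - '-ST1016'
        - '-SA1019'
        - '-QF1003'

    depguard:
      rules:
        main:
          # A leading '!' excludes matching files from this rule.
          # NOTE(review): the exclusions apply to the whole deny list below,
          # including the FIPS-related entries, not only to encoding/json.
          # Confirm that *_test.go, base.go and base_tx.go need that breadth.
          files:
            - '!**/*_test.go'
            - '!**/base.go'
            - '!**/base_tx.go'
          # Entries match by import-path prefix; a trailing '$' makes the
          # match exact, which leaves the versioned module path (for example
          # the /v8 or /v3 successor named in desc) importable.
          deny:
            - pkg: encoding/json
              desc: use github.com/segmentio/encoding/json
            - pkg: golang.org/x/exp
              desc: exp is not allowed
            - pkg: github.com/portainer/libcrypto
              desc: use github.com/portainer/portainer/pkg/libcrypto
            - pkg: github.com/portainer/libhttp
              desc: use github.com/portainer/portainer/pkg/libhttp
            # FIPS mode: these packages are banned outright, no replacement
            # is named in desc.
            - pkg: golang.org/x/crypto
              desc: golang.org/x/crypto is not allowed because of FIPS mode
            - pkg: github.com/ProtonMail/go-crypto/openpgp
              desc: github.com/ProtonMail/go-crypto/openpgp is not allowed because of FIPS mode
            - pkg: github.com/cosi-project/runtime
              desc: github.com/cosi-project/runtime is not allowed because of FIPS mode
            # Superseded module paths and versions: keep one implementation of
            # each dependency in the build.
            - pkg: gopkg.in/yaml.v2
              desc: use go.yaml.in/yaml/v3 instead
            - pkg: gopkg.in/yaml.v3
              desc: use go.yaml.in/yaml/v3 instead
            - pkg: github.com/golang-jwt/jwt/v4
              desc: use github.com/golang-jwt/jwt/v5 instead
            - pkg: github.com/mitchellh/mapstructure
              desc: use github.com/go-viper/mapstructure/v2 instead
            - pkg: gopkg.in/alecthomas/kingpin.v2
              desc: use github.com/alecthomas/kingpin/v2 instead
            - pkg: github.com/jcmturner/gokrb5$
              desc: use github.com/jcmturner/gokrb5/v8 instead
            - pkg: github.com/gofrs/uuid
              desc: use github.com/google/uuid
            - pkg: github.com/Masterminds/semver$
              desc: use github.com/Masterminds/semver/v3
            - pkg: github.com/blang/semver
              desc: use github.com/Masterminds/semver/v3
            - pkg: github.com/coreos/go-semver
              desc: use github.com/Masterminds/semver/v3
            - pkg: github.com/hashicorp/go-version
              desc: use github.com/Masterminds/semver/v3

    gocritic:
      # gocritic is used only as a host for the project's ruleguard rules.
      disable-all: true
      enabled-checks:
        - ruleguard
      settings:
        ruleguard:
          # Comma-separated rule files. Presumably the project's SSRF and git
          # checks, judging by the file names; the rule bodies are not
          # visible from this config.
          rules: './analysis/ssrf.go,./analysis/git.go'

    forbidigo:
      forbid:
        # TLS settings must come from the shared helper, so protocol versions
        # and cipher choices are decided in one place.
        - pattern: '^tls\.Config$'
          msg: Use crypto.CreateTLSConfiguration() instead
        - pattern: '^tls\.Config\.(InsecureSkipVerify|MinVersion|MaxVersion|CipherSuites|CurvePreferences)$'
          msg: Do not set this field directly, use crypto.CreateTLSConfiguration() instead
        - pattern: '^object\.(Commit|Tag)\.Verify$'
          msg: 'Not allowed because of FIPS mode'
        # Fields that switch off TLS certificate verification.
        - pattern: '^(types\.SystemContext\.)?(DockerDaemonInsecureSkipTLSVerify|DockerInsecureSkipTLSVerify|OCIInsecureSkipTLSVerify)$'
          msg: 'Not allowed because of FIPS mode'
        - pattern: '^git\.PlainClone(Context|WithOptions)?$'
          msg: Use git.CloneContext with NewNoSymlinkFS to prevent symlink traversal attacks
      # Match on type information rather than literal source text; the
      # field and method patterns above (Type.Field / Type.Method) rely on it.
      analyze-types: true

  exclusions:
    generated: lax
    presets:
      - comments
      - common-false-positives
      - legacy
    rules:
      # NOTE(review): the two entries below exempt the SSRF package from the
      # ruleguard checks and builder.go from every forbidigo pattern above.
      # Code in these paths is not covered by those guardrails, so changes
      # there need manual review.
      - path: pkg/libhttp/ssrf
        linters:
          - gocritic
        text: ruleguard
      - path: pkg/libhttp/ssrf/builder\.go
        linters:
          - forbidigo
    paths:
      - third_party$
      - builtin$
      - examples$

formatters:
  enable:
    - gofmt
  exclusions:
    generated: lax
    paths:
      - third_party$
      - builtin$
      - examples$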