1.55.0 stops ignoring inline nosec #4156

Closed
5 tasks done
Integralist opened this issue Oct 24, 2023 · 2 comments
Labels
bug Something isn't working dependencies Relates to an upstream dependency

Comments

@Integralist

Welcome

Description of the problem

Using 1.54.2 the following line of code is ignored, but with 1.55.0 it is not...

Screenshot 2023-10-24 at 13 06 46

Version of golangci-lint

$ golangci-lint --version
golangci-lint has version 1.55.0 built with go1.21.3 from de1c3919 on 2023-10-20T11:28:00Z

Configuration

# https://golangci-lint.run/usage/configuration/

issues:
  max-per-linter: 0
  max-same-issues: 0
run:
  allow-parallel-runners: true
linters:
  disable-all: true
  enable:
    - bodyclose
    - durationcheck
    - errcheck
    - exhaustive
    - exportloopref
    - forcetypeassert
    - gocritic
    - godot
    - gofumpt
    - goimports
    - gosec
    - gosimple
    - govet
    - ineffassign
    - makezero
    - misspell
    - nilerr
    - predeclared
    - revive
    - staticcheck
    - tenv
    - typecheck
    - unconvert
    - unparam
    - unused
    - vet
linters-settings:
  revive:
    enableAllRules: true
    rules:
      - name: "add-constant"
        severity: "warning"
        arguments:
          - maxLitCount: "10"
            allowInts: "0,1,2,3,4,5"
        disabled: true # most of the time it's fine, and the performance isn't a concern
      - name: "argument-limit"
        severity: "warning"
        arguments: [6]
      - name: "atomic"
        severity: "warning"
      - name: "bare-return"
        severity: "warning"
      - name: "bool-literal-in-expr"
        severity: "warning"
      - name: "confusing-naming"
        severity: "warning"
      - name: "confusing-results"
        severity: "warning"
      - name: "constant-logical-expr"
        severity: "error"
      - name: "context-as-argument"
        severity: "error"
      - name: "context-keys-type"
        severity: "error"
      - name: "deep-exit"
        severity: "warning"
      - name: "defer"
        severity: "warning"
      - name: "early-return"
        severity: "warning"
      - name: "empty-block"
        severity: "error"
      - name: "empty-lines"
        severity: "warning"
      - name: "error-naming"
        severity: "error"
      - name: "error-return"
        severity: "error"
      - name: "error-strings"
        severity: "error"
      - name: "errorf"
        severity: "warning"
      - name: "exported"
        severity: "error"
      - name: "flag-parameter"
        severity: "warning"
      - name: "function-result-limit"
        severity: "warning"
        arguments: [4]
      - name: "function-length"
        severity: "warning"
        arguments: [50, 0]
      - name: "get-return"
        severity: "error"
      - name: "identical-branches"
        severity: "error"
      - name: "if-return"
        severity: "warning"
      - name: "increment-decrement"
        severity: "error"
      - name: "indent-error-flow"
        severity: "warning"
      - name: "import-shadowing"
        severity: "warning"
      - name: "modifies-parameter"
        severity: "warning"
      - name: "modifies-value-receiver"
        severity: "warning"
      - name: "nested-structs"
        severity: "warning"
      - name: "optimize-operands-order"
        severity: "warning"
      - name: "package-comments"
        severity: "warning"
      - name: "range"
        severity: "warning"
      - name: "range-val-in-closure"
        severity: "warning"
      - name: "range-val-address"
        severity: "warning"
      - name: "receiver-naming"
        severity: "warning"
      - name: "redefines-builtin-id"
        severity: "error"
      - name: "string-of-int"
        severity: "warning"
      - name: "struct-tag"
        severity: "warning"
      - name: "superfluous-else"
        severity: "warning"
      - name: "time-equal"
        severity: "warning"
      - name: "time-naming"
        severity: "warning"
      - name: "var-declaration"
        severity: "warning"
      - name: "var-naming"
        severity: "warning"
      - name: "unconditional-recursion"
        severity: "error"
      - name: "unexported-naming"
        severity: "warning"
      - name: "unexported-return"
        severity: "error"
      - name: "unhandled-error"
        severity: "warning"
        arguments:
          - "fmt.Print"
          - "fmt.Printf"
          - "fmt.Println"
          - "fmt.Fprint"
          - "fmt.Fprintf"
          - "fmt.Fprintln"
      - name: "unnecessary-stmt"
        severity: "warning"
      - name: "unreachable-code"
        severity: "warning"
      - name: "unused-parameter"
        severity: "warning"
      - name: "unused-receiver"
        severity: "warning"
        disabled: true
      - name: "use-any"
        severity: "warning"
      - name: "useless-break"
        severity: "warning"
      - name: "waitgroup-by-value"
        severity: "warning"

Go environment

$ go version && go env
go version go1.21.3 darwin/arm64

GO111MODULE=''
GOARCH='arm64'
GOBIN=''
GOCACHE='/Users/integralist/Library/Caches/go-build'
GOENV='/Users/integralist/Library/Application Support/go/env'
GOEXE=''
GOEXPERIMENT=''
GOFLAGS=''
GOHOSTARCH='arm64'
GOHOSTOS='darwin'
GOINSECURE=''
GOMODCACHE='/Users/integralist/go/pkg/mod'
GONOPROXY='github.com/fastly'
GONOSUMDB='github.com/fastly'
GOOS='darwin'
GOPATH='/Users/integralist/go'
GOPRIVATE='github.com/fastly'
GOPROXY='https://proxy.golang.org,direct'
GOROOT='/Users/integralist/.go'
GOSUMDB='sum.golang.org'
GOTMPDIR=''
GOTOOLCHAIN='auto'
GOTOOLDIR='/Users/integralist/.go/pkg/tool/darwin_arm64'
GOVCS=''
GOVERSION='go1.21.3'
GCCGO='gccgo'
AR='ar'
CC='clang'
CXX='clang++'
CGO_ENABLED='1'
GOMOD='/Users/integralist/Code/terraform/terraform-provider-fastly-framework/go.mod'
GOWORK=''
CGO_CFLAGS='-O2 -g'
CGO_CPPFLAGS=''
CGO_CXXFLAGS='-O2 -g'
CGO_FFLAGS='-O2 -g'
CGO_LDFLAGS='-O2 -g'
PKG_CONFIG='pkg-config'
GOGCCFLAGS='-fPIC -arch arm64 -pthread -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -ffile-prefix-map=/var/folders/lj/y1tlk7nd5tgcz5z00fycytjr0000gp/T/go-build1283743495=/tmp/go-build -gno-record-gcc-switches -fno-common'

Verbose output of running

$ golangci-lint cache clean
$ golangci-lint run -v
INFO [config_reader] Config search paths: [./ /Users/integralist/Code/terraform/terraform-provider-fastly-framework /Users/integralist/Code/terraform /Users/integralist/Code /Users/integralist /Users /]
INFO [config_reader] Used config file .golangci.yml
INFO [lintersdb] Active 24 linters: [bodyclose durationcheck errcheck exhaustive exportloopref forcetypeassert gocritic godot gofumpt goimports gosec gosimple govet ineffassign makezero misspell nilerr predeclared revive staticcheck tenv unconvert unparam unused]
INFO [loader] Go packages loading at mode 575 (compiled_files|deps|name|types_sizes|exports_file|files|imports) took 522.543208ms
INFO [runner/filename_unadjuster] Pre-built 0 adjustments in 2.569333ms
INFO [linters_context/goanalysis] analyzers took 23.732965901s with top 10 stages: buildir: 13.565756215s, exhaustive: 1.6804395s, fact_deprecated: 1.136443986s, the_only_name: 1.102046503s, buildssa: 1.065012706s, inspect: 986.243172ms, ctrlflow: 908.693328ms, printf: 737.338118ms, fact_purity: 636.398706ms, nilness: 535.077208ms
INFO [runner] Issues before processing: 40, after processing: 1
INFO [runner] Processors filtering stat (out/in): diff: 1/1, max_from_linter: 1/1, source_code: 1/1, path_shortener: 1/1, filename_unadjuster: 40/40, path_prettifier: 40/40, exclude: 40/40, exclude-rules: 1/40, severity-rules: 1/1, autogenerated_exclude: 40/40, identifier_marker: 40/40, skip_dirs: 40/40, sort_results: 1/1, nolint: 1/1, uniq_by_line: 1/1, max_per_file_from_linter: 1/1, max_same_issues: 1/1, fixer: 1/1, path_prefixer: 1/1, cgo: 40/40, skip_files: 40/40
INFO [runner] processing took 2.439834ms with stages: path_prettifier: 875.417µs, autogenerated_exclude: 522.126µs, identifier_marker: 423.958µs, exclude-rules: 381.709µs, skip_dirs: 124.083µs, nolint: 68.833µs, source_code: 34.291µs, cgo: 3.958µs, uniq_by_line: 1.375µs, filename_unadjuster: 1.042µs, max_from_linter: 666ns, max_same_issues: 417ns, path_shortener: 333ns, max_per_file_from_linter: 292ns, fixer: 292ns, skip_files: 250ns, exclude: 250ns, sort_results: 250ns, severity-rules: 167ns, path_prefixer: 83ns, diff: 42ns
INFO [runner] linters took 5.743615042s with stages: goanalysis_metalinter: 5.741093333s
internal/helpers/client.go:16:7: G101: Potential hardcoded credentials (gosec)
const APIKeyEnv = "FASTLY_API_TOKEN" // #nosec G101
      ^
INFO File cache stats: 23 entries of total size 69.9KiB
INFO Memory: 64 samples, avg is 727.3MB, max is 1402.0MB
INFO Execution took 6.279629083s

A minimal reproducible example or link to a public repository

This PR introduced the change that shows the issue:
Integralist/terraform-provider-fastly-framework#59

I've since moved from using 'latest' to pinning to 1.54.2 to side-step the error for now until this reported issue can be reviewed/addressed.

Validation

  • Yes, I've included all information above (version, config, etc.).
@Integralist Integralist added the bug Something isn't working label Oct 24, 2023
@ldez ldez added the dependencies Relates to an upstream dependency label Oct 24, 2023
@ldez
Member

ldez commented Oct 24, 2023

Hello,

It's a gosec issue: securego/gosec#1046

The problem has been fixed by gosec, and the update has been done inside golangci-lint #4153

The fix will be available in the next release of golangci-lint.

@ldez ldez closed this as completed Oct 24, 2023
@Integralist
Author

Thanks @ldez

Apologies for opening this issue unnecessarily. I had run gosec locally and it didn't report any issue but clearly I must have not run it properly 🤦🏻
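
An inventory of `#nosec` annotations shows which suppressions a linter upgrade could affect, such as the inline G101 suppression in this report, and which ones name no rule at all. The Go program below is an added example, not code from gosec, golangci-lint or the reporter's repository; `FindNosec`, `Suppression` and the sample source are hypothetical names and constructed input, and the matching is a simplified approximation of the annotation syntax, not gosec's own parser.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"strings"
)

// Suppression is one #nosec annotation found in a source file.
type Suppression struct {
	Line  int
	Rules []string // empty means a blanket "#nosec" that names no rule
}

var nosecRe = regexp.MustCompile(`#nosec\b([^\n]*)`)
var ruleRe = regexp.MustCompile(`\bG\d{3}\b`)

// FindNosec parses src and returns every #nosec annotation with its rule IDs.
func FindNosec(filename, src string) ([]Suppression, error) {
	fset := token.NewFileSet()
	f, err := parser.ParseFile(fset, filename, src, parser.ParseComments)
	if err != nil {
		return nil, err
	}
	var out []Suppression
	for _, group := range f.Comments {
		for _, c := range group.List {
			if m := nosecRe.FindStringSubmatch(c.Text); m != nil {
				// Text after "--" is treated as a justification, not a rule list.
				args, _, _ := strings.Cut(m[1], "--")
				out = append(out, Suppression{fset.Position(c.Pos()).Line, ruleRe.FindAllString(args, -1)})
			}
		}
	}
	return out, nil
}

// sample is constructed input; its constant is the line quoted in the issue.
const sample = `package helpers
const APIKeyEnv = "FASTLY_API_TOKEN" // #nosec G101
var legacy = "x" // #nosec
`

func main() {
	found, err := FindNosec("client.go", sample)
	fmt.Println(found, err)
}
```

Diffing this inventory against the findings reported before and after a linter upgrade separates newly surfaced issues from suppressions that stopped being honored.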
