From fbfbb26fd2a714d0e6ea2e86c7f46db7b6a3b305 Mon Sep 17 00:00:00 2001
From: shaw
Date: Sat, 28 Feb 2026 23:08:41 +0800
Subject: [PATCH] =?UTF-8?q?fix(ci):=20=E5=B0=86=20gosec=20=E9=9B=86?= =?UTF-8?q?=E6=88=90=E5=88=B0=20golangci-lint=20=E8=A7=A3=E5=86=B3?= =?UTF-8?q?=E5=AE=89=E5=85=A8=E6=89=AB=E6=8F=8F=E8=B6=85=E6=97=B6?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

standalone gosec 扫描 24 万行 Go 代码在 CI 中持续超时, 将其作为 golangci-lint 的内置 linter 运行,复用 AST 解析和缓存大幅提速。

- 在 .golangci.yml 中启用 gosec 并迁移原有排除规则
- golangci-lint timeout 从 5m 提升到 30m
- 从 security-scan.yml 移除 standalone gosec 步骤
- 删除不再需要的 .gosec.json 配置文件
---
 .github/workflows/backend-ci.yml | 2 +-
 .github/workflows/security-scan.yml | 6 ------
 backend/.golangci.yml | 17 +++++++++++++++++
 backend/.gosec.json | 5 -----
 4 files changed, 18 insertions(+), 12 deletions(-)
 delete mode 100644 backend/.gosec.json

diff --git a/.github/workflows/backend-ci.yml b/.github/workflows/backend-ci.yml
index 4fd22aff..ff991154 100644
--- a/.github/workflows/backend-ci.yml
+++ b/.github/workflows/backend-ci.yml
@@ -43,5 +43,5 @@ jobs:
 uses: golangci/golangci-lint-action@v9
 with:
 version: v2.7
- args: --timeout=5m
+ args: --timeout=30m
 working-directory: backend
\ No newline at end of file
diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml
index 7c59b074..cc2631ec 100644
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -29,12 +29,6 @@ jobs:
 run: |
 go install golang.org/x/vuln/cmd/govulncheck@latest
 govulncheck ./...
- - name: Run gosec
- working-directory: backend
- run: |
- go install github.com/securego/gosec/v2/cmd/gosec@latest
- # exclude ent/ — auto-generated ORM code, not subject to manual security review
- gosec -conf .gosec.json -severity high -confidence high -exclude-generated -exclude-dir=ent ./...
 frontend-security:
 runs-on: ubuntu-latest
diff --git a/backend/.golangci.yml b/backend/.golangci.yml
index 3ec692a8..68b76751 100644
--- a/backend/.golangci.yml
+++ b/backend/.golangci.yml
@@ -5,6 +5,7 @@ linters:
 enable:
 - depguard
 - errcheck
+ - gosec
 - govet
 - ineffassign
 - staticcheck
@@ -42,6 +43,22 @@ linters:
 desc: "handler must not import gorm"
 - pkg: github.com/redis/go-redis/v9
 desc: "handler must not import redis"
+ gosec:
+ excludes:
+ - G101
+ - G103
+ - G104
+ - G109
+ - G115
+ - G201
+ - G202
+ - G301
+ - G302
+ - G304
+ - G306
+ - G404
+ severity: high
+ confidence: high
 errcheck:
 # Report about not checking of errors in type assertions: `a := b.(MyStruct)`.
 # Such cases aren't reported by default.
diff --git a/backend/.gosec.json b/backend/.gosec.json
deleted file mode 100644
index 7a8ccb6a..00000000
--- a/backend/.gosec.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "global": {
- "exclude": "G704,G101,G103,G104,G109,G115,G201,G202,G301,G302,G304,G306,G404"
- }
-}
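Review bot: The migrated `excludes` list in the second .golangci.yml hunk no longer contains `G704`, which the deleted `.gosec.json` excluded alongside the same twelve IDs, so gosec will now report that rule where the standalone run did not; either add `- G704` back or say in the commit message that re-enabling it is intended, since the description claims the existing exclusions were migrated as-is. The removed security-scan.yml step also ran with `-exclude-generated -exclude-dir=ent` and carried a comment explaining why ent/ is skipped, and the new gosec settings show no counterpart; unless generated-file handling and a path exclusion for ent/ are already configured elsewhere in this file (not visible in the hunk), the generated ORM code will be scanned and its findings will surface as new failures. Each of the twelve excluded rules silences a whole finding class (hard-coded credentials, SQL string construction, file paths from variables and weak RNG among them) with no recorded reason, and the old comment about ent/ was the only justification in the pipeline. A trailing comment per entry such as `- G404 # excluded because: <reason — TODO fill in>` keeps the suppressions reviewable when the list is revisited.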