trufflesecurity · amanfcp · Apr 27, 2026 · May 4, 2026 · May 4, 2026 · May 6, 2026
@@ -24,7 +24,7 @@ jobs:
         with:
           # NOTE: Version and args must match scripts/lint.sh
           version: v2.11.4
-          args: --disable errcheck,staticcheck --enable bodyclose,copyloopvar,misspell --timeout 10m
+          args: --enable bodyclose,copyloopvar,misspell --timeout 10m
   man-page-staleness:
     name: man-page-staleness
     runs-on: ubuntu-latest

@@ -33,9 +33,9 @@ func main() {
 	flag.BoolVar(&failOnFindings, "fail", false, "exit 1 if any findings are reported (default: warning-only)")
 	flag.BoolVar(&quiet, "quiet", false, "suppress the summary line when no findings are reported")
 	flag.Usage = func() {
-		fmt.Fprintf(flag.CommandLine.Output(), "Usage: %s [flags] [dir ...]\n", os.Args[0])
-		fmt.Fprintln(flag.CommandLine.Output(), "\nFinds detector packages that construct detectors.Result without setting SecretParts.")
-		fmt.Fprintln(flag.CommandLine.Output(), "\nFlags:")
+		_, _ = fmt.Fprintf(flag.CommandLine.Output(), "Usage: %s [flags] [dir ...]\n", os.Args[0])
+		_, _ = fmt.Fprintln(flag.CommandLine.Output(), "\nFinds detector packages that construct detectors.Result without setting SecretParts.")
+		_, _ = fmt.Fprintln(flag.CommandLine.Output(), "\nFlags:")
 		flag.PrintDefaults()
 	}
 	flag.Parse()

@@ -219,7 +219,7 @@ func main() {
 					logFatal(err, "error scanning repo")
 				}
 				logger.Info("scanned repo", "repo", r)
-				defer os.RemoveAll(path)
+				defer func() { _ = os.RemoveAll(path) }()
 			}(repo)
 		}
 

@@ -465,7 +465,7 @@ func run(state overseer.State, logSync func() error) {
 	if *githubScanToken != "" {
 		// NOTE: this kludge is here to do an authenticated shallow commit
 		// TODO: refactor to better pass credentials
-		os.Setenv("GITHUB_TOKEN", *githubScanToken)
+		_ = os.Setenv("GITHUB_TOKEN", *githubScanToken)
 	}
 
 	if *concurrency <= 0 {
@@ -725,7 +725,7 @@ func runSingleScan(ctx context.Context, cmd string, cfg engine.Config) (metrics,
 	handleFinishedMetrics := func(ctx context.Context, finishedMetrics <-chan sources.UnitMetrics, jobReportWriter io.WriteCloser) {
 		go func() {
 			defer func() {
-				jobReportWriter.Close()
+				_ = jobReportWriter.Close()
 				if namer, ok := jobReportWriter.(interface{ Name() string }); ok {
 					ctx.Logger().Info("report written", "path", namer.Name())
 				} else {

@@ -25,8 +25,7 @@ func (Analyzer) Type() analyzers.AnalyzerType { return analyzers.AnalyzerTypeAir
 func (a Analyzer) Analyze(_ context.Context, credInfo map[string]string) (*analyzers.AnalyzerResult, error) {
 	info, err := AnalyzePermissions(a.Cfg, credInfo["key"])
 	if err != nil {
-		return nil, analyzers.NewAnalysisError(a.Type().String(), analyzers.OperationAnalyzePermissions, analyzers.ServiceAPI, "", err,
-		)
+		return nil, analyzers.NewAnalysisError(a.Type().String(), analyzers.OperationAnalyzePermissions, analyzers.ServiceAPI, "", err)
 	}
 	return secretInfoToAnalyzerResult(info), nil
 }
@@ -109,7 +108,7 @@ func validateKey(cfg *config.Config, key string) (bool, []Project, error) {
 	}
 
 	// read response
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	// if status code is 200, decode response
 	if resp.StatusCode == 200 {
@@ -150,7 +149,7 @@ func AnalyzePermissions(cfg *config.Config, key string) (*SecretInfo, error) {
 		return nil, err
 	}
 	if !valid {
-		return nil, fmt.Errorf("Invalid Airbrake User API Key")
+		return nil, fmt.Errorf("invalid Airbrake User API Key")
 	}
 
 	info := &SecretInfo{

@@ -119,7 +119,7 @@ func determineScope(token string, perm common.Permission, requiredIDs map[string
 	if requiredIDs != nil {
 		for _, key := range endpoint.RequiredIDs {
 			if value, ok := requiredIDs[key]; ok {
-				url = strings.Replace(url, fmt.Sprintf("{%s}", key), value, -1)
+				url = strings.ReplaceAll(url, fmt.Sprintf("{%s}", key), value)
 			}
 		}
 	}
@@ -128,7 +128,7 @@ func determineScope(token string, perm common.Permission, requiredIDs map[string
 	if err != nil {
 		return false, err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	if resp.StatusCode == endpoint.ExpectedSuccessStatus {
 		scopeStatusMap[scopeString] = true

@@ -18,12 +18,12 @@ func fetchAirtableRecords(token string, baseID string, tableID string) ([]common
 	if !exists {
 		return nil, fmt.Errorf("endpoint for ListRecordsEndpoint does not exist")
 	}
-	url := strings.Replace(strings.Replace(endpoint.URL, "{baseID}", baseID, -1), "{tableID}", tableID, -1)
+	url := strings.ReplaceAll(strings.ReplaceAll(endpoint.URL, "{baseID}", baseID), "{tableID}", tableID)
 	resp, err := common.CallAirtableAPI(token, "GET", url)
 	if err != nil {
 		return nil, err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("failed to fetch Airtable records, status: %d", resp.StatusCode)

@@ -39,7 +39,7 @@ func FetchAirtableUserInfo(token string) (*AirtableUserInfo, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("failed to fetch Airtable user info, status: %d", resp.StatusCode)
@@ -62,7 +62,7 @@ func FetchAirtableBases(token string) (*AirtableBases, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("failed to fetch Airtable bases, status: %d", resp.StatusCode)
@@ -96,7 +96,7 @@ func fetchBaseSchema(token string, baseID string) (*Schema, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	if resp.StatusCode != http.StatusOK {
 		return nil, fmt.Errorf("failed to fetch schema for base %s, status: %d", baseID, resp.StatusCode)

@@ -227,7 +227,7 @@ func (h *HttpStatusTest) RunTest(headers map[string]string) error {
 	if err != nil {
 		return err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	// Check response status code
 	switch {

@@ -116,18 +116,18 @@ func AnalyzePermissions(cfg *config.Config, key string) (*SecretInfo, error) {
 	}
 
 	if resp.StatusCode != 200 {
-		return nil, fmt.Errorf("Invalid Asana API Key")
+		return nil, fmt.Errorf("invalid Asana API Key")
 	}
 
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	err = json.NewDecoder(resp.Body).Decode(&me)
 	if err != nil {
 		return nil, err
 	}
 
 	if me.Data.Email == "" {
-		return nil, fmt.Errorf("Invalid Asana API Key")
+		return nil, fmt.Errorf("invalid Asana API Key")
 	}
 	return &me, nil
 }

@@ -146,7 +146,7 @@ func getScopesAndType(cfg *config.Config, key string) (string, []string, error)
 	if err != nil {
 		return "", nil, err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	// parse response headers
 	credentialType := resp.Header.Get("x-credential-type")
@@ -198,7 +198,7 @@ func getRepositories(cfg *config.Config, key string, role string) (RepoJSON, err
 	if err != nil {
 		return repos, err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	// parse response body
 	err = json.NewDecoder(resp.Body).Decode(&repos)

@@ -107,7 +107,7 @@ func (r LoggingRoundTripper) RoundTrip(req *http.Request) (*http.Response, error
 	if err != nil {
 		return resp, fmt.Errorf("failed to open log file: %w", err)
 	}
-	defer file.Close()
+	defer func() { _ = file.Close() }()
 
 	// Write log entry to file.
 	if _, err := file.WriteString(logEntry); err != nil {

@@ -216,7 +216,7 @@ func ValidateApiKey(client *http.Client, baseURL, apiKey string) (bool, error) {
 	case http.StatusForbidden:
 		return false, nil
 	default:
-		return false, fmt.Errorf("Unable to validate api key with status code: %d", resp.StatusCode)
+		return false, fmt.Errorf("unable to validate api key with status code: %d", resp.StatusCode)
 	}
 }
 

@@ -34,13 +34,11 @@ func (Analyzer) Type() analyzers.AnalyzerType { return analyzers.AnalyzerTypeDig
 func (a Analyzer) Analyze(_ context.Context, credInfo map[string]string) (*analyzers.AnalyzerResult, error) {
 	key, ok := credInfo["key"]
 	if !ok {
-		return nil, analyzers.NewAnalysisError(a.Type().String(), analyzers.OperationValidateCredentials, analyzers.ServiceConfig, "", errors.New("missing key in credInfo"),
-		)
+		return nil, analyzers.NewAnalysisError(a.Type().String(), analyzers.OperationValidateCredentials, analyzers.ServiceConfig, "", errors.New("missing key in credInfo"))
 	}
 	info, err := AnalyzePermissions(a.Cfg, key)
 	if err != nil {
-		return nil, analyzers.NewAnalysisError(a.Type().String(), analyzers.OperationAnalyzePermissions, analyzers.ServiceAPI, "", err,
-		)
+		return nil, analyzers.NewAnalysisError(a.Type().String(), analyzers.OperationAnalyzePermissions, analyzers.ServiceAPI, "", err)
 	}
 	return secretInfoToAnalyzerResult(info), nil
 }
@@ -125,7 +123,7 @@ func (h *HttpStatusTest) RunTest(cfg *config.Config, headers map[string]string)
 	if err != nil {
 		return false, err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	// Check response status code
 	switch {
@@ -232,7 +230,7 @@ func getUser(cfg *config.Config, token string) (*user, error) {
 	if err != nil {
 		return nil, err
 	}
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	switch resp.StatusCode {
 	case http.StatusOK:

@@ -86,14 +86,12 @@ func (a Analyzer) Analyze(_ context.Context, credInfo map[string]string) (*analy
 	// check if the `key` exist in the credentials info
 	key, exist := credInfo["key"]
 	if !exist {
-		return nil, analyzers.NewAnalysisError(a.Type().String(), analyzers.OperationValidateCredentials, analyzers.ServiceConfig, "", errors.New("key not found in credentials info"),
-		)
+		return nil, analyzers.NewAnalysisError(a.Type().String(), analyzers.OperationValidateCredentials, analyzers.ServiceConfig, "", errors.New("key not found in credentials info"))
 	}
 
 	info, err := AnalyzePermissions(a.Cfg, key)
 	if err != nil {
-		return nil, analyzers.NewAnalysisError(a.Type().String(), analyzers.OperationAnalyzePermissions, analyzers.ServiceAPI, "", err,
-		)
+		return nil, analyzers.NewAnalysisError(a.Type().String(), analyzers.OperationAnalyzePermissions, analyzers.ServiceAPI, "", err)
 	}
 
 	return secretInfoToAnalyzerResult(info), nil
@@ -242,9 +240,10 @@ func fetchUser(client *http.Client, key string) (*User, error) {
 			return nil, err
 		}
 
-		if errorResp.Detail.Status == InvalidAPIKey || errorResp.Detail.Status == NotVerifiable {
+		switch errorResp.Detail.Status {
+		case InvalidAPIKey, NotVerifiable:
 			return nil, errors.New("invalid api key")
-		} else if errorResp.Detail.Status == MissingPermissions {
+		case MissingPermissions:
 			// key is missing user read permissions but is valid
 			return nil, nil
 		}

@@ -83,7 +83,7 @@ func AnalyzePermissions(cfg *config.Config, token string) (*secretInfo, error) {
 		if err != nil {
 			return nil, err
 		}
-		defer resp.Body.Close()
+		defer func() { _ = resp.Body.Close() }()
 		body, err := io.ReadAll(resp.Body)
 		if err != nil {
 			return nil, err

@@ -78,7 +78,7 @@ func permissionFormatter(key, val any) (string, string) {
 	if perm, ok := val.(Permission); ok {
 		permStr, err := perm.ToString()
 		if err != nil {
-			log.Fatal(fmt.Errorf("Error converting permission to string: %v", err))
+			log.Fatal(fmt.Errorf("error converting permission to string: %v", err))
 		}
 		var permissionStr string
 		switch {
@@ -217,7 +217,7 @@ func getCodeScanningAlertsPermission(client *gh.Client, repo *gh.Repository, cur
 	// Risk: Extremely Low
 	// -> GET request to /repos/{owner}/{repo}/code-scanning/alerts
 	_, resp, err := client.CodeScanning.ListAlertsForRepo(context.Background(), *repo.Owner.Login, *repo.Name, nil)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	switch {
 	case resp.StatusCode == 403:
@@ -427,7 +427,7 @@ func getDependabotAlertsPermission(client *gh.Client, repo *gh.Repository, curre
 	// Risk: Extremely Low
 	// GET /repos/{owner}/{repo}/dependabot/alerts
 	_, resp, err := client.Dependabot.ListRepoAlerts(context.Background(), *repo.Owner.Login, *repo.Name, &gh.ListAlertsOptions{})
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	switch resp.StatusCode {
 	case 403:

@@ -155,7 +155,7 @@ func getPersonalAccessToken(cfg *config.Config, key, host string) (AccessTokenJS
 		return tokens, resp.StatusCode, err
 	}
 
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 	if err := json.NewDecoder(resp.Body).Decode(&tokens); err != nil {
 		return tokens, resp.StatusCode, err
 	}
@@ -183,7 +183,7 @@ func getAccessibleProjects(cfg *config.Config, key, host string) ([]ProjectsJSON
 		return projects, err
 	}
 
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	bodyBytes, err := io.ReadAll(resp.Body)
 	if err != nil {
@@ -197,7 +197,7 @@ func getAccessibleProjects(cfg *config.Config, key, host string) ([]ProjectsJSON
 	if err := json.NewDecoder(newBody()).Decode(&projects); err != nil {
 		var e ErrorJSON
 		if err := json.NewDecoder(newBody()).Decode(&e); err == nil {
-			return projects, fmt.Errorf("Insufficient Scope to query for projects. We need api or read_api permissions.")
+			return projects, errors.New("insufficient scope to query for projects: we need api or read_api permissions")
 		}
 		return projects, err
 	}
@@ -219,7 +219,7 @@ func getMetadata(cfg *config.Config, key, host string) (MetadataJSON, error) {
 		return metadata, err
 	}
 
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()
 
 	bodyBytes, err := io.ReadAll(resp.Body)
 	if err != nil {
@@ -239,7 +239,7 @@ func getMetadata(cfg *config.Config, key, host string) (MetadataJSON, error) {
 		if err := json.NewDecoder(newBody()).Decode(&e); err != nil {
 			return metadata, err
 		}
-		return metadata, fmt.Errorf("Insufficient Scope to query for metadata. We need read_user, ai_features, api or read_api permissions.")
+		return metadata, errors.New("insufficient scope to query for metadata: we need read_user, ai_features, api or read_api permissions")
 	}
 
 	return metadata, nil
@@ -258,7 +258,7 @@ func AnalyzePermissions(cfg *config.Config, key string, host string) (*SecretInf
 		return nil, err
 	}
 	if statusCode != http.StatusOK {
-		return nil, fmt.Errorf("Invalid GitLab Access Token")
+		return nil, errors.New("invalid GitLab access token")
 	}
 
 	meta, err := getMetadata(cfg, key, host)