README
¶
lintfix
A structured lint remediation database for Go projects using golangci-lint.
Overview
lintfix provides a data layer that maps lint errors to remediation strategies, including:
- Remediation types: code fix, nolint annotation, or refactor
- Helper package references: links to packages like mogo for actual fixes
- Nolint generators: properly formatted comments with documented reasons
- Pre-written reasons: common scenarios like OAuth responses, shutdown handlers
Installation
go get github.com/grokify/lintfix
Usage
Query the Remediation Database
import "github.com/grokify/lintfix"
db := lintfix.MustLoadRemediations()
// Get remediation for a specific rule
fix := db.GetGosec("G120")
fmt.Println(fix.Name) // "Unbounded request body"
fmt.Println(fix.Remediation.Type) // "code"
fmt.Println(fix.Remediation.Package) // "github.com/grokify/mogo/net/http/httputilmore"
fmt.Println(fix.Remediation.Function) // "LimitRequestBody"
// Check if there's a helper function available
if fix.HasHelper() {
fmt.Printf("Use %s.%s()\n", fix.Remediation.Package, fix.Remediation.Function)
}
Generate Nolint Comments
import "github.com/grokify/lintfix/gosec"
// Using pre-written reasons
comment := gosec.NolintG117(gosec.CommonReasons.OAuthTokenResponse)
// Returns: "//nolint:gosec // G117: OAuth token response per RFC 6749"
// Using custom reasons
comment := gosec.NolintG704("URL from validated internal config")
// Returns: "//nolint:gosec // G704: URL from validated internal config"
// Generic nolint generator
comment := gosec.Nolint("G118", "Shutdown handler runs after context cancelled")
Common Reasons
Pre-written reason strings for common scenarios:
// G117 - Secret in JSON response
gosec.CommonReasons.OAuthTokenResponse // "OAuth token response per RFC 6749"
gosec.CommonReasons.OAuthRegistrationResponse // "OAuth registration response per RFC 7591"
// G118 - context.Background in goroutine
gosec.CommonReasons.ShutdownHandler // "Shutdown handler runs after request context is cancelled"
gosec.CommonReasons.BackgroundJob // "Background job outlives request lifecycle"
// G704 - SSRF
gosec.CommonReasons.HttptestServer // "Test uses httptest server URL"
gosec.CommonReasons.ValidatedAllowlist // "URL from validated allowlist"
// G101 - Hardcoded credentials (false positives)
gosec.CommonReasons.URLPathNotCredential // "URL path, not a credential"
gosec.CommonReasons.TestFixture // "Test fixture with fake credentials"
Supported Linters
| Linter | Rules |
|---|---|
| gosec | G101, G117, G118, G120, G401, G501, G601, G704 |
| staticcheck | SA1019, SA4006 |
| errcheck | unchecked |
Remediation Types
| Type | Description | Example |
|---|---|---|
code |
Add or modify code | LimitRequestBody() for G120 |
nolint |
Add nolint annotation | //nolint:gosec // G117: reason |
refactor |
Broader code changes | Move hardcoded secrets to env vars |
Version-Specific Caveats
Some lint rules have version-specific behaviors. See docs/gosec-caveats.md for details.
G120 (gosec 2.11+)
gosec 2.11+ has stricter G120 detection:
- Only inline
http.MaxBytesReaderis recognized - helper functions are not detected r.FormValue()is flagged even afterParseForm()- user.Form.Get()instead
// Correct pattern for gosec 2.11+
r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
if err := r.ParseForm(); err != nil { ... }
value := r.Form.Get("key") // Not r.FormValue("key")
Keeping Versions in Sync
Keep local golangci-lint version in sync with CI to avoid surprises:
# Check version
golangci-lint --version
# Install specific version
go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.1
Related Packages
- mogo/net/http/httputilmore - Runtime helpers like
LimitRequestBody()
License
MIT License. See LICENSE file.
Documentation
¶
Overview ¶
Package lintfix provides a structured database of lint rule remediations for Go projects using golangci-lint.
This package serves as a "data overlay" that maps lint errors to:
- Remediation strategies (code fix, nolint annotation, refactor)
- Helper packages that provide actual fixes (e.g., github.com/grokify/mogo)
- Pre-written nolint comments with proper documentation
- Example code and explanations
Usage ¶
Load the remediation database and query for specific rules:
db := lintfix.MustLoadRemediations()
fix := db.GetGosec("G120")
fmt.Println(fix.Remediation.Summary)
// "Use http.MaxBytesReader before parsing form data"
Remediation Types ¶
The database categorizes remediations into three types:
- "code": Fix by adding/changing code (e.g., LimitRequestBody for G120)
- "nolint": Fix by adding a nolint annotation with proper documentation
- "refactor": Fix requires broader code changes (e.g., removing hardcoded secrets)
Nolint Generators ¶
For rules that require nolint annotations, use the gosec subpackage:
comment := gosec.NolintG117(gosec.CommonReasons.OAuthTokenResponse) // Returns: "//nolint:gosec // G117: OAuth token response per RFC 6749"
Helper Package References ¶
Code-based remediations reference helper packages:
fix := db.GetGosec("G120")
fmt.Println(fix.Remediation.Package)
// "github.com/grokify/mogo/net/http/httputilmore"
fmt.Println(fix.Remediation.Function)
// "LimitRequestBody"
Supported Linters ¶
Currently supported:
- gosec: Security-focused linter
- staticcheck: Go static analysis
- errcheck: Error handling checks
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type Remediation ¶
type Remediation struct {
Type string `json:"type"` // "code", "nolint", "refactor"
Summary string `json:"summary"`
Pattern string `json:"pattern,omitempty"`
Package string `json:"package,omitempty"`
Function string `json:"function,omitempty"`
Example string `json:"example,omitempty"`
Explanation string `json:"explanation,omitempty"`
When string `json:"when,omitempty"`
Avoid []string `json:"avoid,omitempty"`
}
Remediation contains the actual fix information.
type RemediationDB ¶
type RemediationDB struct {
Version string `json:"version"`
Description string `json:"description"`
Linters map[string]map[string]*RuleFix `json:"linters"`
}
RemediationDB is the top-level structure for the remediation database.
func LoadRemediations ¶
func LoadRemediations() (*RemediationDB, error)
LoadRemediations loads and parses the embedded remediation database.
func MustLoadRemediations ¶
func MustLoadRemediations() *RemediationDB
MustLoadRemediations loads the remediation database or panics.
func (*RemediationDB) Get ¶
func (db *RemediationDB) Get(linter, code string) *RuleFix
Get retrieves a remediation by linter and rule code. Returns nil if not found.
func (*RemediationDB) GetGosec ¶
func (db *RemediationDB) GetGosec(code string) *RuleFix
GetGosec is a convenience method for getting gosec remediations.
func (*RemediationDB) GetStaticcheck ¶
func (db *RemediationDB) GetStaticcheck(code string) *RuleFix
GetStaticcheck is a convenience method for getting staticcheck remediations.
func (*RemediationDB) ListLinters ¶
func (db *RemediationDB) ListLinters() []string
ListLinters returns all linters in the database.
func (*RemediationDB) ListRules ¶
func (db *RemediationDB) ListRules(linter string) []string
ListRules returns all rule codes for a given linter.
type RuleFix ¶
type RuleFix struct {
Name string `json:"name"`
Description string `json:"description"`
Severity string `json:"severity,omitempty"`
Category string `json:"category,omitempty"`
Remediation *Remediation `json:"remediation"`
References []string `json:"references,omitempty"`
}
RuleFix contains remediation information for a specific lint rule.
Source Files
Directories