From ee7b66bc12606c755b96f12c053e91d68251dd8c Mon Sep 17 00:00:00 2001
From: Michael Lu Chen <Michael.Chen1@ibm.com>
Date: Fri, 27 Jun 2025 15:32:03 -0400
Subject: [PATCH 1/2] run terraform formatting

---
 .../is_instance_test/is_instance_test.tf      | 24 +++++++++----------
 1 file changed, 12 insertions(+), 12 deletions(-)

diff --git a/internal/providers/terraform/ibm/testdata/is_instance_test/is_instance_test.tf b/internal/providers/terraform/ibm/testdata/is_instance_test/is_instance_test.tf
index 2ca1f88c1e2..d65d00b864f 100644
--- a/internal/providers/terraform/ibm/testdata/is_instance_test/is_instance_test.tf
+++ b/internal/providers/terraform/ibm/testdata/is_instance_test/is_instance_test.tf
@@ -62,10 +62,10 @@ resource "ibm_is_ssh_key" "ssh_key" {
 }
 
 resource "ibm_is_instance" "vsi" {
-  for_each = toset(local.profiles)
-  name     = "vsi-instance-${random_string.unique_identifier.result}-${each.key}"
-  image = data.ibm_is_image.redhat.id
-  keys  = [ibm_is_ssh_key.ssh_key.id]
+  for_each       = toset(local.profiles)
+  name           = "vsi-instance-${random_string.unique_identifier.result}-${each.key}"
+  image          = data.ibm_is_image.redhat.id
+  keys           = [ibm_is_ssh_key.ssh_key.id]
   profile        = each.key
   resource_group = ibm_resource_group.resource_group.id
   vpc            = ibm_is_vpc.vpc.id
@@ -80,10 +80,10 @@ resource "ibm_is_instance" "vsi" {
 }
 
 resource "ibm_is_instance" "vsi_boot_volume" {
-  for_each = toset(local.profiles)
-  name     = "vsi-instance-boot-volume-${random_string.unique_identifier.result}-${each.key}"
-  image = data.ibm_is_image.windowssql.id
-  keys  = [ibm_is_ssh_key.ssh_key.id]
+  for_each       = toset(local.profiles)
+  name           = "vsi-instance-boot-volume-${random_string.unique_identifier.result}-${each.key}"
+  image          = data.ibm_is_image.windowssql.id
+  keys           = [ibm_is_ssh_key.ssh_key.id]
   profile        = each.key
   resource_group = ibm_resource_group.resource_group.id
   vpc            = ibm_is_vpc.vpc.id
@@ -102,10 +102,10 @@ resource "ibm_is_instance" "vsi_boot_volume" {
 }
 
 resource "ibm_is_instance" "vsi_dedicated_host" {
-  for_each = toset(local.profiles)
-  name     = "vsi-instance-dedicated-host-${random_string.unique_identifier.result}-${each.key}"
-  image = data.ibm_is_image.sles.id
-  keys  = [ibm_is_ssh_key.ssh_key.id]
+  for_each       = toset(local.profiles)
+  name           = "vsi-instance-dedicated-host-${random_string.unique_identifier.result}-${each.key}"
+  image          = data.ibm_is_image.sles.id
+  keys           = [ibm_is_ssh_key.ssh_key.id]
   profile        = each.key
   resource_group = ibm_resource_group.resource_group.id
   vpc            = ibm_is_vpc.vpc.id

From 2d0b1a157d1817fc715888f509415b43af3ae738 Mon Sep 17 00:00:00 2001
From: Michael Lu Chen <Michael.Chen1@ibm.com>
Date: Wed, 2 Jul 2025 10:15:42 -0400
Subject: [PATCH 2/2] ignore specific gosec errors

---
 internal/apiclient/auth.go        | 2 +-
 internal/apiclient/usage.go       | 2 +-
 internal/comment/github.go        | 4 ++--
 internal/config/config_test.go    | 2 +-
 internal/hcl/funcs/crypto_test.go | 1 +
 internal/hcl/parser_test.go       | 4 ++--
 internal/output/format.go         | 2 +-
 7 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/internal/apiclient/auth.go b/internal/apiclient/auth.go
index 5035d5a3aeb..65580467cc9 100644
--- a/internal/apiclient/auth.go
+++ b/internal/apiclient/auth.go
@@ -76,7 +76,7 @@ func (a AuthClient) startCallbackServer(listener net.Listener, generatedState st
 	}()
 
 	go func() {
-		_ = http.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		_ = http.Serve(listener, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { // nolint: gosec
 			if r.Method == http.MethodOptions {
 				return
 			}
diff --git a/internal/apiclient/usage.go b/internal/apiclient/usage.go
index 496a5a0003d..428e76398f6 100644
--- a/internal/apiclient/usage.go
+++ b/internal/apiclient/usage.go
@@ -74,7 +74,7 @@ func NewUsageAPIClient(ctx *config.RunContext) *UsageAPIClient {
 	}
 
 	if ctx.Config.TLSInsecureSkipVerify != nil {
-		tlsConfig.InsecureSkipVerify = *ctx.Config.TLSInsecureSkipVerify
+		tlsConfig.InsecureSkipVerify = *ctx.Config.TLSInsecureSkipVerify // nolint: gosec
 	}
 
 	return &UsageAPIClient{
diff --git a/internal/comment/github.go b/internal/comment/github.go
index ae310f17f8c..16766b84dfb 100644
--- a/internal/comment/github.go
+++ b/internal/comment/github.go
@@ -188,8 +188,8 @@ func (h *githubPRHandler) CallFindMatchingComments(ctx context.Context, tag stri
 	variables := map[string]interface{}{
 		"owner":    githubv4.String(h.owner),
 		"repo":     githubv4.String(h.repo),
-		"prNumber": githubv4.Int(h.prNumber),
-		"after":    (*githubv4.String)(nil), // Null after argument to get first page.
+		"prNumber": githubv4.Int(h.prNumber), // nolint:gosec // ignore G115: integer overflow conversion int -> int32
+		"after":    (*githubv4.String)(nil),  // Null after argument to get first page.
 	}
 
 	// Get comments from all pages.
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index b96b59594eb..2ff4555ec12 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -106,7 +106,7 @@ projects:
 		t.Run(tt.name, func(t *testing.T) {
 			c := Config{}
 			path := filepath.Join(tmp, fmt.Sprintf("conf-%d.yaml", i))
-			err := os.WriteFile(path, tt.contents, os.ModePerm)
+			err := os.WriteFile(path, tt.contents, os.ModePerm) // nolint: gosec
 			require.NoError(t, err)
 
 			// we need to remove INFRACOST_TERRAFORM_CLOUD_TOKEN value for these tests.
diff --git a/internal/hcl/funcs/crypto_test.go b/internal/hcl/funcs/crypto_test.go
index 27977774388..ad7590bb6bc 100644
--- a/internal/hcl/funcs/crypto_test.go
+++ b/internal/hcl/funcs/crypto_test.go
@@ -678,6 +678,7 @@ func TestFileSHA512(t *testing.T) {
 	}
 }
 
+// nolint:gosec
 const (
 	CipherBase64 = "eczGaDhXDbOFRZGhjx2etVzWbRqWDlmq0bvNt284JHVbwCgObiuyX9uV0LSAMY707IEgMkExJqXmsB4OWKxvB7epRB9G/3+F+pcrQpODlDuL9oDUAsa65zEpYF0Wbn7Oh7nrMQncyUPpyr9WUlALl0gRWytOA23S+y5joa4M34KFpawFgoqTu/2EEH4Xl1zo+0fy73fEto+nfkUY+meuyGZ1nUx/+DljP7ZqxHBFSlLODmtuTMdswUbHbXbWneW51D7Jm7xB8nSdiA2JQNK5+Sg5x8aNfgvFTt/m2w2+qpsyFa5Wjeu6fZmXSl840CA07aXbk9vN4I81WmJyblD/ZA=="
 	PrivateKey   = `
diff --git a/internal/hcl/parser_test.go b/internal/hcl/parser_test.go
index c4f4e139782..45e3b88ec9c 100644
--- a/internal/hcl/parser_test.go
+++ b/internal/hcl/parser_test.go
@@ -736,7 +736,7 @@ func createTestFile(filename, contents string) string {
 		panic(err)
 	}
 	path := filepath.Join(dir, filename)
-	if err := os.WriteFile(path, []byte(contents), os.ModePerm); err != nil {
+	if err := os.WriteFile(path, []byte(contents), os.ModePerm); err != nil { // nolint: gosec
 		panic(err)
 	}
 	return path
@@ -764,7 +764,7 @@ func createTestFileWithModule(contents string, moduleContents string, moduleName
 		}
 	}
 
-	if err := os.WriteFile(filepath.Join(rootPath, "main.tf"), []byte(contents), os.ModePerm); err != nil {
+	if err := os.WriteFile(filepath.Join(rootPath, "main.tf"), []byte(contents), os.ModePerm); err != nil { // nolint: gosec
 		panic(err)
 	}
 
diff --git a/internal/output/format.go b/internal/output/format.go
index 415d79ca7e2..f61a6a18674 100644
--- a/internal/output/format.go
+++ b/internal/output/format.go
@@ -78,7 +78,7 @@ type scaledInt64 struct {
 // length of the fraction.
 func decimalToScaledInt(d decimal.Decimal, minFracLen, maxFracLen int) *scaledInt64 {
 	// round excess fraction part
-	d = d.Round(int32(maxFracLen))
+	d = d.Round(int32(maxFracLen)) // nolint:gosec
 
 	co := d.Coefficient().Int64()
 	ex := int(d.Exponent())