Fix gosec security findings in Go package

- Tighten directory permissions from 0755 to 0750 (G301)
- Handle db.Close() error return (G104)
- Cap exponential backoff shift to prevent overflow (G115)
- Scope gosec CI to production code (exclude examples/cmd)

Author: jaschadub

.github/workflows/release-go.yml

@@ -66,7 +66,7 @@ jobs:
       run: |
         cd go
         go install github.com/securego/gosec/v2/cmd/gosec@latest
-        gosec ./...
+        gosec -exclude-dir=examples -exclude-dir=cmd ./pkg/... ./internal/... ./tests/...
 
     - name: Build CLI tools
       run: |

go/pkg/pinning/pinning.go

@@ -76,7 +76,7 @@ func NewKeyPinning(dbPath string, mode PinningMode, handler interactive.Interact
 	}
 
 	// Ensure directory exists
-	if err := os.MkdirAll(filepath.Dir(dbPath), 0755); err != nil {
+	if err := os.MkdirAll(filepath.Dir(dbPath), 0750); err != nil {
 		return nil, fmt.Errorf("failed to create database directory: %w", err)
 	}
 
@@ -97,7 +97,7 @@ func NewKeyPinning(dbPath string, mode PinningMode, handler interactive.Interact
 		return nil
 	})
 	if err != nil {
-		db.Close()
+		_ = db.Close()
 		return nil, err
 	}
 

go/pkg/utils/utils.go

@@ -468,7 +468,7 @@ func RetryVerification(ctx context.Context, workflow *SchemaVerificationWorkflow
 
 		if attempt < maxRetries {
 			// Exponential backoff: 1s, 2s, 4s, 8s, etc.
-			backoff := time.Duration(1<<uint(attempt)) * time.Second
+			backoff := time.Duration(1<<min(uint(attempt), 30)) * time.Second // #nosec G115 -- attempt is bounded by maxRetries
 			select {
 			case <-ctx.Done():
 				return nil, ctx.Err()