Add nolint comments for false positives for bridgecluster

Author: tjmoore4

internal/bridge/client.go

@@ -155,9 +155,10 @@ type ClusterRoleApiResource struct {
 	ClusterId    string `json:"cluster_id"`
 	Flavor       string `json:"flavor"`
 	Name         string `json:"name"`
-	Password     string `json:"password"`
-	Team         string `json:"team_id"`
-	URI          string `json:"uri"`
+	//nolint:gosec // G117: JSON serialization field for API response, not a hardcoded credential.
+	Password string `json:"password"`
+	Team     string `json:"team_id"`
+	URI      string `json:"uri"`
 }
 
 // ClusterRoleList holds a slice of ClusterRoleApiResource
@@ -279,7 +280,7 @@ func (c *Client) doWithBackoff(
 		if err == nil {
 			request.Header = headers.Clone()
 
-			//nolint:bodyclose // This response is returned to the caller.
+			//nolint:bodyclose,gosec // bodyclose: response returned to caller; G704: URL is from trusted Bridge API configuration.
 			response, err = c.Do(request)
 		}
 

internal/bridge/crunchybridgecluster/mock_bridge_api.go

@@ -17,6 +17,7 @@ import (
 )
 
 type TestBridgeClient struct {
+	//nolint:gosec // G117: Test mock struct field, not a hardcoded credential.
 	ApiKey          string                                       `json:"apiKey,omitempty"`
 	TeamId          string                                       `json:"teamId,omitempty"`
 	Clusters        []*bridge.ClusterApiResource                 `json:"clusters,omitempty"`

internal/bridge/crunchybridgecluster/postgres_test.go

@@ -35,6 +35,7 @@ func TestGeneratePostgresRoleSecret(t *testing.T) {
 		Name:       "application",
 		SecretName: "application-role-secret",
 	}
+	//nolint:gosec // G101: Test data with fake credentials for unit testing.
 	role := &bridge.ClusterRoleApiResource{
 		Name:     "application",
 		Password: "password",
@@ -148,6 +149,7 @@ func TestReconcilePostgresRoleSecrets(t *testing.T) {
 			Name:       "application",
 			SecretName: "application-role-secret",
 		}
+		//nolint:gosec // G101: "postgres" is a role name, not a credential.
 		postgresSpec := &v1beta1.CrunchyBridgeClusterRoleSpec{
 			Name:       "postgres",
 			SecretName: "postgres-role-secret",

internal/bridge/installation.go

@@ -39,7 +39,8 @@ var self = new(struct {
 type AuthObject struct {
 	ID        string    `json:"id"`
 	ExpiresAt time.Time `json:"expires_at"`
-	Secret    string    `json:"secret"`
+	//nolint:gosec // G117: JSON serialization field for API response, not a hardcoded credential.
+	Secret string `json:"secret"`
 }
 
 type Installation struct {

pkg/apis/postgres-operator.crunchydata.com/v1beta1/crunchy_bridgecluster_types.go

@@ -77,6 +77,7 @@ type CrunchyBridgeClusterSpec struct {
 
 	// The name of the secret containing the API key and team id
 	// +kubebuilder:validation:Required
+	//nolint:gosec // G117: Field holds secret name reference, not actual secret data.
 	Secret string `json:"secret"`
 
 	// The amount of storage available to the cluster in gigabytes.