issues:
  max-issues-per-linter: 0
  max-same-issues: 0

linters:
  settings:
    depguard:
      rules:
        main:
          list-mode: lax
          deny:
            # Cannot use gomodguard, which examines go.mod, as "golang.org/x/exp/slices" is not a module and doesn't appear in go.mod.
            - pkg: "golang.org/x/exp/slices"
              desc: "Use 'slices' instead"
            - pkg: "golang.org/x/exp/maps"
              desc: "Use 'maps' or 'github.com/samber/lo' instead"
            - pkg: "io/ioutil"
              desc: "io/ioutil is deprecated. Use 'io' or 'os' instead"
    dupl:
      threshold: 100
    errcheck:
      check-type-assertions: true
      check-blank: true
    goconst:
      min-len: 3
      min-occurrences: 3
    gocritic:
      disabled-checks:
        - appendAssign
        - commentedOutCode
        - hugeParam
        - importShadow # FIXME
        - indexAlloc
        - rangeValCopy
        - regexpSimplify
        - sloppyReassign
        - unnamedResult
        - whyNoLint
      enabled-tags:
        - diagnostic
        - style
        - performance
        - experimental
        - opinionated
      settings:
        ruleguard:
          failOn: all
          rules: '${base-path}/misc/lint/rules.go'
    gocyclo:
      min-complexity: 20
    gomodguard:
      blocked:
        modules:
          - github.com/hashicorp/go-version:
              recommendations:
                - github.com/aquasecurity/go-version
              reason: "`aquasecurity/go-version` is designed for our use-cases"
          - github.com/Masterminds/semver:
              recommendations:
                - github.com/aquasecurity/go-version
              reason: "`aquasecurity/go-version` is designed for our use-cases"
          - github.com/liamg/memoryfs:
              recommendations:
                - github.com/aquasecurity/trivy/pkg/mapfs
    gosec:
      excludes:
        - G101
        - G114
        - G115
        - G204
        - G304
        - G402
    govet:
      disable:
        - shadow
    misspell:
      locale: US
      ignore-rules:
        - behaviour
        - licence
        - optimise
        - simmilar
    perfsprint:
      # Optimizes even if it requires an int or uint type cast.
      int-conversion: true
      # Optimizes into `err.Error()` even if it is only equivalent for non-nil errors.
      err-error: true
      # Optimizes `fmt.Errorf`.
      errorf: true
      # Optimizes `fmt.Sprintf` with only one argument.
      sprintf1: false
      # Optimizes into strings concatenation.
      strconcat: false
    revive:
      max-open-files: 2048
      # https://github.com/mgechev/revive/blob/HEAD/RULES_DESCRIPTIONS.md
      rules:
        - name: bool-literal-in-expr
        - name: context-as-argument
          arguments:
            - allowTypesBefore: "*testing.T"
        - name: duplicated-imports
        - name: early-return
          arguments:
            - preserve-scope
        - name: if-return
        - name: increment-decrement
        - name: indent-error-flow
          arguments:
            - preserve-scope
        - name: range
        - name: range-val-address
        - name: superfluous-else
          arguments:
            - preserve-scope
        - name: time-equal
        - name: unnecessary-stmt
        - name: unused-parameter
        - name: use-any

    staticcheck:
      checks:
        - all
        - -QF1008 # Omit embedded fields from selector expression
        - -S1007  # Simplify regular expression by using raw string literal
        - -S1011  # Use a single append to concatenate two slices
        - -S1023  # Omit redundant control flow
        - -SA1019 # Using a deprecated function, variable, constant or field
        - -SA1024 # A string cutset contains duplicate characters
        - -SA4004 # The loop exits unconditionally after one iteration
        - -SA4023 # Impossible comparison of interface value with untyped nil
        - -SA4032 # Comparing runtime.GOOS or runtime.GOARCH against impossible value
        - -SA5011 # Possible nil pointer dereference
        - -ST1003 # Poorly chosen identifier
        - -ST1012 # Poorly chosen name for error variable

    testifylint:
      enable-all: true

  default: none

  enable:
    - bodyclose
    - depguard
    - goconst
    - gocritic
    - gocyclo
    - gomodguard
    - gosec
    - govet
    - ineffassign
    - misspell
    - perfsprint
    - revive
    - staticcheck
    - testifylint
    - unconvert
    - unused
    - usestdlibvars
    - usetesting

  exclusions:
    generated: lax
    paths:
      - "pkg/iac/scanners/terraform/parser/funcs" # copies of Terraform functions
    rules:
      - path: ".*_test.go$"
        linters:
          - goconst
          - gosec
          - unused
      - path: ".*_test.go$"
        linters:
          - govet
        text: "copylocks:"
      - path: ".*_test.go$"
        linters:
          - gocritic
        text: "commentFormatting:"
      - path: ".*_test.go$"
        linters:
          - gocritic
        text: "exitAfterDefer:"
      - path: ".*_test.go$"
        linters:
          - gocritic
        text: "importShadow:"
      - linters:
          - goconst
        text: "string `each` has 3 occurrences, make it a constant"  # FIXME
    presets:
      - comments
      - common-false-positives
      - legacy
      - std-error-handling
    warn-unused: true

run:
  go: '1.25'
  timeout: 30m

formatters:
  enable:
    - gci
    - gofmt

  exclusions:
    generated: lax

  settings:
    gci:
      sections:
        - standard
        - default
        - prefix(github.com/aquasecurity/)
        - blank
        - dot
    gofmt:
      simplify: false

version: "2"