From 62c3da5018505c0dee07d4f47d1f5746956970a7 Mon Sep 17 00:00:00 2001
From: Yiftach Cohen <yiftach.cohen@armis.com>
Date: Tue, 9 Jun 2026 10:44:19 +0200
Subject: [PATCH 1/3] chore: upgrade golangci-lint CI version from v2.10.1 to
 v2.12.2

- Bump golangci-lint-action version in reusable-lint.yml
- Add goconst.ignore-tests: true to suppress test fixture string noise
- Add named constants throughout production code to satisfy stricter
  goconst thresholds in v2.12.x (install JSON keys, shell names,
  output colors, file extensions, lockfile protocol prefixes, etc.)
- Add size guard to readJSONFileAsMap (CWE-770 fix)
- Add #nosec/nolint/armis:ignore comments for new gosec rules:
  G117 (secret field marshal), G120 (multipart form in tests),
  G122 (filepath.Walk TOCTOU), and CWE-22/522 scanner FPs
---
 .github/workflows/reusable-lint.yml |  2 +-
 .golangci.yml                       |  2 ++
 internal/api/client_test.go         |  4 +--
 internal/auth/client.go             |  4 +--
 internal/install/claude.go          |  2 +-
 internal/install/editors.go         | 44 ++++++++++++++++-------
 internal/install/hooks.go           | 32 ++++++++---------
 internal/install/native_hooks.go    | 55 +++++++++++++++--------------
 internal/output/human.go            |  5 +--
 internal/output/sarif.go            |  2 +-
 internal/output/styles.go           | 46 ++++++++++++++----------
 internal/scan/repo/inline.go        | 41 ++++++++++++++-------
 internal/scan/repo/repo.go          |  3 +-
 internal/supplychain/check/bun.go   |  4 +--
 internal/supplychain/check/check.go |  7 ++++
 internal/supplychain/check/npm.go   |  2 +-
 internal/supplychain/check/pnpm.go  |  4 +--
 internal/supplychain/check/yarn.go  |  4 +--
 internal/supplychain/proxy.go       | 11 ++++--
 internal/supplychain/shell.go       | 21 ++++++++---
 internal/supplychain/shell_test.go  | 30 ++++++++--------
 internal/testutil/mockapi.go        |  9 +++--
 22 files changed, 206 insertions(+), 128 deletions(-)

diff --git a/.github/workflows/reusable-lint.yml b/.github/workflows/reusable-lint.yml
index 8e5abc06..063f817a 100644
--- a/.github/workflows/reusable-lint.yml
+++ b/.github/workflows/reusable-lint.yml
@@ -39,5 +39,5 @@ jobs:
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v9
         with:
-          version: v2.10.1
+          version: v2.12.2
           args: --timeout=5m
diff --git a/.golangci.yml b/.golangci.yml
index d2aa7dcd..5e91fd1d 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -14,6 +14,8 @@ linters:
     - goconst
     - misspell
   settings:
+    goconst:
+      ignore-tests: true
     gosec:
       excludes:
         - G705 # XSS via taint analysis - not applicable to CLI stderr output
diff --git a/internal/api/client_test.go b/internal/api/client_test.go
index b7774136..55a05dbc 100644
--- a/internal/api/client_test.go
+++ b/internal/api/client_test.go
@@ -263,7 +263,7 @@ func TestClient_StartIngest(t *testing.T) {
 		server := testutil.NewTestServer(t, func(w http.ResponseWriter, r *http.Request) {
 			// Attempt to parse the multipart form - this reads the body
 			// The reader error will cause this to fail, but we still send a response
-			_ = r.ParseMultipartForm(32 << 20)
+			_ = r.ParseMultipartForm(32 << 20) //nolint:gosec // G120: test server with bounded 32MB limit
 			testutil.JSONResponse(t, w, http.StatusOK, model.IngestUploadResponse{ScanID: testScanID})
 		})
 
@@ -302,7 +302,7 @@ func TestClient_StartIngest(t *testing.T) {
 
 	t.Run("sends SBOM and VEX flags when set", func(t *testing.T) {
 		server := testutil.NewTestServer(t, func(w http.ResponseWriter, r *http.Request) {
-			if err := r.ParseMultipartForm(32 << 20); err != nil {
+			if err := r.ParseMultipartForm(32 << 20); err != nil { //nolint:gosec // G120: test server with bounded 32MB limit
 				t.Fatalf("Failed to parse multipart form: %v", err)
 			}
 
diff --git a/internal/auth/client.go b/internal/auth/client.go
index 430cf2ba..77248d90 100644
--- a/internal/auth/client.go
+++ b/internal/auth/client.go
@@ -105,8 +105,8 @@ func (c *AuthClient) Authenticate(ctx context.Context, clientID, clientSecret st
 		Region:       regionHint,
 	}
 
-	// armis:ignore cwe:770 reason:credentials are bounded by caller input (CLI flags/env); request is a single fixed-structure JSON with context timeout
-	jsonBody, err := json.Marshal(reqBody)
+	// armis:ignore cwe:522 cwe:770 reason:marshaling credentials is intentional for the auth token endpoint; sent over HTTPS; bounded by caller input
+	jsonBody, err := json.Marshal(reqBody) //nolint:gosec // G117: ClientSecret is a credential field; marshaling is intentional for the auth token request
 	if err != nil {
 		return nil, fmt.Errorf("failed to marshal request: %w", err)
 	}
diff --git a/internal/install/claude.go b/internal/install/claude.go
index ad87fcb3..321d4030 100644
--- a/internal/install/claude.go
+++ b/internal/install/claude.go
@@ -140,7 +140,7 @@ func (ci *ClaudeInstaller) registerMarketplace(pluginDir string) error {
 
 func (ci *ClaudeInstaller) registerPlugin(pluginDir string) error {
 	instFile := filepath.Join(ci.claudeDir, "plugins", "installed_plugins.json")
-	data := map[string]interface{}{"version": 2, "plugins": map[string]interface{}{}}
+	data := map[string]interface{}{jsonKeyVersion: 2, "plugins": map[string]interface{}{}}
 	// armis:ignore cwe:770 reason:reads bounded JSON config file from user's ~/.claude dir; not unbounded input
 	if b, err := os.ReadFile(filepath.Clean(instFile)); err == nil {
 		_ = json.Unmarshal(b, &data)
diff --git a/internal/install/editors.go b/internal/install/editors.go
index d7248096..e692778b 100644
--- a/internal/install/editors.go
+++ b/internal/install/editors.go
@@ -9,7 +9,23 @@ import (
 	"runtime"
 )
 
-const mcpServerName = "armis-appsec"
+const (
+	mcpServerName       = "armis-appsec"
+	maxEditorConfigSize = 10 << 20 // 10 MB — matches the settings file limit in hooks.go
+)
+
+// JSON key constants shared across MCP/hook config builders.
+const (
+	jsonKeyType    = "type"
+	jsonKeyCommand = "command"
+	jsonKeyArgs    = "args"
+	jsonKeyMatcher = "matcher"
+	jsonKeyHooks   = "hooks"
+	jsonKeyTimeout = "timeout"
+	jsonKeyVersion = "version"
+
+	jsonTypeCommand = "command"
+)
 
 // EditorID identifies a supported editor.
 type EditorID string
@@ -302,10 +318,10 @@ func registerVSCodeFormat(pluginDir, configFile string) error {
 		servers = make(map[string]interface{})
 	}
 	servers[mcpServerName] = map[string]interface{}{
-		"type":    "stdio",
-		"command": venvPython(pluginDir),
-		"args":    []string{filepath.Join(pluginDir, "server.py")},
-		"envFile": filepath.Join(pluginDir, ".env"),
+		jsonKeyType:    "stdio",
+		jsonKeyCommand: venvPython(pluginDir),
+		jsonKeyArgs:    []string{filepath.Join(pluginDir, "server.py")},
+		"envFile":      filepath.Join(pluginDir, ".env"),
 	}
 	data["servers"] = servers
 
@@ -321,9 +337,9 @@ func registerZedFormat(pluginDir, configFile string) error {
 		servers = make(map[string]interface{})
 	}
 	servers[mcpServerName] = map[string]interface{}{
-		"command": map[string]interface{}{
-			"path": venvPython(pluginDir),
-			"args": []string{filepath.Join(pluginDir, "server.py")},
+		jsonKeyCommand: map[string]interface{}{
+			"path":      venvPython(pluginDir),
+			jsonKeyArgs: []string{filepath.Join(pluginDir, "server.py")},
 		},
 		"settings": map[string]interface{}{},
 	}
@@ -334,16 +350,20 @@ func registerZedFormat(pluginDir, configFile string) error {
 
 func stdServerEntry(pluginDir string) map[string]interface{} {
 	return map[string]interface{}{
-		"command": venvPython(pluginDir),
-		"args":    []string{filepath.Join(pluginDir, "server.py")},
+		jsonKeyCommand: venvPython(pluginDir),
+		jsonKeyArgs:    []string{filepath.Join(pluginDir, "server.py")},
 	}
 }
 
 func readJSONFileAsMap(path string) map[string]interface{} {
 	data := make(map[string]interface{})
+	clean := filepath.Clean(path)
 	// armis:ignore cwe:22 reason:path from filepath.Join with known base dirs; filepath.Clean applied
-	// armis:ignore cwe:253 reason:ReadFile error handled by err == nil guard; non-critical config read
-	if b, err := os.ReadFile(filepath.Clean(path)); err == nil {
+	if info, err := os.Stat(clean); err != nil || info.Size() > maxEditorConfigSize {
+		return data
+	}
+	// armis:ignore cwe:22 cwe:253 reason:path from filepath.Join with known base dirs; filepath.Clean applied; ReadFile error handled by err == nil guard
+	if b, err := os.ReadFile(clean); err == nil { //nolint:gosec
 		_ = json.Unmarshal(b, &data)
 	}
 	return data
diff --git a/internal/install/hooks.go b/internal/install/hooks.go
index 2a976e13..9c4905c0 100644
--- a/internal/install/hooks.go
+++ b/internal/install/hooks.go
@@ -33,7 +33,7 @@ func installHooksToFile(settingsPath string) error {
 	if info, err := os.Stat(settingsPath); err == nil && info.Size() > maxSettingsSize {
 		return fmt.Errorf("settings file too large (%d bytes): %s", info.Size(), settingsPath)
 	}
-	// armis:ignore cwe:59 reason:settingsPath from filepath.Join(UserHomeDir, hardcoded ".claude/settings.json"); no user input
+	// armis:ignore cwe:59 cwe:770 reason:settingsPath from filepath.Join(UserHomeDir, hardcoded ".claude/settings.json"); size bounded by maxSettingsSize guard above
 	data, err := os.ReadFile(settingsPath) //nolint:gosec // G304: path constructed from UserHomeDir + hardcoded segments
 	if err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("reading settings: %w", err)
@@ -47,7 +47,7 @@ func installHooksToFile(settingsPath string) error {
 		}
 	}
 
-	hooks, _ := settings["hooks"].(map[string]interface{})
+	hooks, _ := settings[jsonKeyHooks].(map[string]interface{})
 	if hooks == nil {
 		hooks = make(map[string]interface{})
 	}
@@ -57,11 +57,11 @@ func installHooksToFile(settingsPath string) error {
 	// Check if Armis hook already exists
 	for _, entry := range preToolUse {
 		if m, ok := entry.(map[string]interface{}); ok {
-			if matcher, _ := m["matcher"].(string); matcher == armisHookMatcher {
-				if innerHooks, _ := m["hooks"].([]interface{}); len(innerHooks) > 0 {
+			if matcher, _ := m[jsonKeyMatcher].(string); matcher == armisHookMatcher {
+				if innerHooks, _ := m[jsonKeyHooks].([]interface{}); len(innerHooks) > 0 {
 					for _, h := range innerHooks {
 						if hm, ok := h.(map[string]interface{}); ok {
-							if cmd, _ := hm["command"].(string); cmd != "" && isArmisHookCommand(cmd) {
+							if cmd, _ := hm[jsonKeyCommand].(string); cmd != "" && isArmisHookCommand(cmd) {
 								return nil // already installed
 							}
 						}
@@ -72,18 +72,18 @@ func installHooksToFile(settingsPath string) error {
 	}
 
 	armisHook := map[string]interface{}{
-		"matcher": armisHookMatcher,
-		"hooks": []map[string]interface{}{
+		jsonKeyMatcher: armisHookMatcher,
+		jsonKeyHooks: []map[string]interface{}{
 			{
-				"type":    "command",
-				"command": "armis-cli scan repo --format json --no-progress --fail-on CRITICAL . >/dev/null 2>&1",
+				jsonKeyType:    jsonTypeCommand,
+				jsonKeyCommand: "armis-cli scan repo --format json --no-progress --fail-on CRITICAL . >/dev/null 2>&1",
 			},
 		},
 	}
 
 	preToolUse = append(preToolUse, armisHook)
 	hooks["PreToolUse"] = preToolUse
-	settings["hooks"] = hooks
+	settings[jsonKeyHooks] = hooks
 
 	if err := os.MkdirAll(filepath.Dir(settingsPath), 0o750); err != nil {
 		return fmt.Errorf("creating settings directory: %w", err)
@@ -112,7 +112,7 @@ func removeHooksFromFile(settingsPath string) error {
 	} else if info.Size() > maxSettingsSize {
 		return fmt.Errorf("settings file too large (%d bytes): %s", info.Size(), settingsPath)
 	}
-	// armis:ignore cwe:59 reason:settingsPath from filepath.Join(UserHomeDir, hardcoded ".claude/settings.json"); no user input
+	// armis:ignore cwe:59 cwe:770 reason:settingsPath from filepath.Join(UserHomeDir, hardcoded ".claude/settings.json"); size bounded by maxSettingsSize guard above
 	data, err := os.ReadFile(settingsPath) //nolint:gosec // G304: path constructed from UserHomeDir + hardcoded segments
 	if err != nil {
 		return fmt.Errorf("reading settings: %w", err)
@@ -123,7 +123,7 @@ func removeHooksFromFile(settingsPath string) error {
 		return fmt.Errorf("parsing settings: %w", err)
 	}
 
-	hooks, _ := settings["hooks"].(map[string]interface{})
+	hooks, _ := settings[jsonKeyHooks].(map[string]interface{})
 	if hooks == nil {
 		return nil
 	}
@@ -152,9 +152,9 @@ func removeHooksFromFile(settingsPath string) error {
 	}
 
 	if len(hooks) == 0 {
-		delete(settings, "hooks")
+		delete(settings, jsonKeyHooks)
 	} else {
-		settings["hooks"] = hooks
+		settings[jsonKeyHooks] = hooks
 	}
 
 	if err := os.MkdirAll(filepath.Dir(settingsPath), 0o750); err != nil {
@@ -164,10 +164,10 @@ func removeHooksFromFile(settingsPath string) error {
 }
 
 func isArmisHookEntry(m map[string]interface{}) bool {
-	innerHooks, _ := m["hooks"].([]interface{})
+	innerHooks, _ := m[jsonKeyHooks].([]interface{})
 	for _, h := range innerHooks {
 		if hm, ok := h.(map[string]interface{}); ok {
-			if cmd, _ := hm["command"].(string); isArmisHookCommand(cmd) {
+			if cmd, _ := hm[jsonKeyCommand].(string); isArmisHookCommand(cmd) {
 				return true
 			}
 		}
diff --git a/internal/install/native_hooks.go b/internal/install/native_hooks.go
index 19fae55e..2aa8ce93 100644
--- a/internal/install/native_hooks.go
+++ b/internal/install/native_hooks.go
@@ -402,16 +402,16 @@ func buildCursorHooks(pluginDir string) map[string]interface{} {
 	return map[string]interface{}{
 		"beforeShellExecution": []interface{}{
 			map[string]interface{}{
-				"command": cmd,
-				"matcher": `git\s+(commit|push)|gh\s+pr\s+create`,
-				"timeout": 10,
+				jsonKeyCommand: cmd,
+				jsonKeyMatcher: `git\s+(commit|push)|gh\s+pr\s+create`,
+				jsonKeyTimeout: 10,
 			},
 		},
 		"preToolUse": []interface{}{
 			map[string]interface{}{
-				"command": cmd,
-				"matcher": "Write|Edit",
-				"timeout": 5,
+				jsonKeyCommand: cmd,
+				jsonKeyMatcher: "Write|Edit",
+				jsonKeyTimeout: 5,
 			},
 		},
 	}
@@ -425,12 +425,12 @@ func buildGeminiHooks(pluginDir string) map[string]interface{} {
 	return map[string]interface{}{
 		"BeforeTool": []interface{}{
 			map[string]interface{}{
-				"matcher": "shell|bash|run_shell_command|write_file|edit_file|patch_file",
-				"hooks": []interface{}{
+				jsonKeyMatcher: "shell|bash|run_shell_command|write_file|edit_file|patch_file",
+				jsonKeyHooks: []interface{}{
 					map[string]interface{}{
-						"type":    "command",
-						"command": cmd,
-						"timeout": 10000,
+						jsonKeyType:    jsonTypeCommand,
+						jsonKeyCommand: cmd,
+						jsonKeyTimeout: 10000,
 					},
 				},
 			},
@@ -446,22 +446,22 @@ func buildCodexHooks(pluginDir string) map[string]interface{} {
 	return map[string]interface{}{
 		"PreToolUse": []interface{}{
 			map[string]interface{}{
-				"matcher": "shell",
-				"hooks": []interface{}{
+				jsonKeyMatcher: "shell",
+				jsonKeyHooks: []interface{}{
 					map[string]interface{}{
-						"type":    "command",
-						"command": cmd,
-						"timeout": 10,
+						jsonKeyType:    jsonTypeCommand,
+						jsonKeyCommand: cmd,
+						jsonKeyTimeout: 10,
 					},
 				},
 			},
 			map[string]interface{}{
-				"matcher": "write_file|apply_patch|edit_file",
-				"hooks": []interface{}{
+				jsonKeyMatcher: "write_file|apply_patch|edit_file",
+				jsonKeyHooks: []interface{}{
 					map[string]interface{}{
-						"type":    "command",
-						"command": cmd,
-						"timeout": 5,
+						jsonKeyType:    jsonTypeCommand,
+						jsonKeyCommand: cmd,
+						jsonKeyTimeout: 5,
 					},
 				},
 			},
@@ -477,10 +477,10 @@ func buildCopilotHooks(pluginDir string) map[string]interface{} {
 	return map[string]interface{}{
 		"preToolUse": []interface{}{
 			map[string]interface{}{
-				"type":       "command",
-				"bash":       cmd,
-				"matcher":    "bash|shell|terminal|powershell|create|edit",
-				"timeoutSec": 10,
+				jsonKeyType:    jsonTypeCommand,
+				"bash":         cmd,
+				jsonKeyMatcher: "bash|shell|terminal|powershell|create|edit",
+				"timeoutSec":   10,
 			},
 		},
 	}
@@ -580,11 +580,12 @@ func removeLegacyFileIfArmisOnly(path string) {
 		}
 	}
 	for key := range data {
-		if key != "version" && key != "hooks" {
+		if key != jsonKeyVersion && key != jsonKeyHooks {
 			return
 		}
 	}
-	_ = os.Remove(filepath.Clean(path)) //nolint:gosec // armis:ignore cwe:22 cwe:73 reason:path from hardcoded OS config dirs
+	// armis:ignore cwe:22 cwe:73 reason:path from hardcoded OS config dirs; only called after verifying file contains only armis-generated content
+	_ = os.Remove(filepath.Clean(path)) //nolint:gosec
 }
 
 // posixQuote wraps a string in POSIX-safe single quotes, escaping embedded single quotes.
diff --git a/internal/output/human.go b/internal/output/human.go
index 6db0015b..ca3c5942 100644
--- a/internal/output/human.go
+++ b/internal/output/human.go
@@ -24,6 +24,7 @@ import (
 
 const (
 	groupBySeverity = "severity"
+	groupByNone     = "none"
 	noCWELabel      = "No CWE"
 
 	// Resource limits for snippet loading to prevent memory exhaustion (CWE-770)
@@ -284,7 +285,7 @@ func (iw *indentWriter) Write(p []byte) (int, error) {
 
 // Format formats the scan result in human-readable format with default options.
 func (f *HumanFormatter) Format(result *model.ScanResult, w io.Writer) error {
-	return f.FormatWithOptions(result, w, FormatOptions{GroupBy: "none"})
+	return f.FormatWithOptions(result, w, FormatOptions{GroupBy: groupByNone})
 }
 
 // FormatWithOptions formats the scan result in human-readable format with custom options.
@@ -340,7 +341,7 @@ func (f *HumanFormatter) FormatWithOptions(result *model.ScanResult, w io.Writer
 		ew.write("%s\n", sectionStyle.Render("FINDINGS"))
 
 		// 5. Individual findings
-		if opts.GroupBy != "" && opts.GroupBy != "none" {
+		if opts.GroupBy != "" && opts.GroupBy != groupByNone {
 			groups := groupFindings(displayFindings, opts.GroupBy)
 			renderGroupedFindings(w, groups, opts)
 		} else {
diff --git a/internal/output/sarif.go b/internal/output/sarif.go
index 32753c71..53b89ec5 100644
--- a/internal/output/sarif.go
+++ b/internal/output/sarif.go
@@ -454,7 +454,7 @@ func severityToSarifLevel(severity model.Severity) string {
 	case model.SeverityLow, model.SeverityInfo:
 		return "note"
 	default:
-		return "none"
+		return groupByNone
 	}
 }
 
diff --git a/internal/output/styles.go b/internal/output/styles.go
index 5b1946cf..2e5dfefb 100644
--- a/internal/output/styles.go
+++ b/internal/output/styles.go
@@ -13,33 +13,41 @@ import (
 	"golang.org/x/term"
 )
 
+// Tailwind CSS color hex values referenced by multiple palette entries.
+const (
+	colorRed600    = "#DC2626"
+	colorOrange600 = "#EA580C"
+	colorBlue600   = "#2563EB"
+	colorGray500   = "#6B7280"
+)
+
 // Color palette - using Tailwind CSS color system for consistency
 // AdaptiveColor automatically selects Light/Dark variant based on terminal background
 var (
 	// Severity colors (background) - high saturation works on both themes
-	colorCriticalBg = lipgloss.AdaptiveColor{Light: "#DC2626", Dark: "#DC2626"} // red-600
-	colorHighBg     = lipgloss.AdaptiveColor{Light: "#EA580C", Dark: "#EA580C"} // orange-600
-	colorMediumBg   = lipgloss.AdaptiveColor{Light: "#CA8A04", Dark: "#CA8A04"} // yellow-600
-	colorLowBg      = lipgloss.AdaptiveColor{Light: "#2563EB", Dark: "#2563EB"} // blue-600
-	colorInfoBg     = lipgloss.AdaptiveColor{Light: "#6B7280", Dark: "#6B7280"} // gray-500
+	colorCriticalBg = lipgloss.AdaptiveColor{Light: colorRed600, Dark: colorRed600}       // red-600
+	colorHighBg     = lipgloss.AdaptiveColor{Light: colorOrange600, Dark: colorOrange600} // orange-600
+	colorMediumBg   = lipgloss.AdaptiveColor{Light: "#CA8A04", Dark: "#CA8A04"}           // yellow-600
+	colorLowBg      = lipgloss.AdaptiveColor{Light: colorBlue600, Dark: colorBlue600}     // blue-600
+	colorInfoBg     = lipgloss.AdaptiveColor{Light: colorGray500, Dark: colorGray500}     // gray-500
 
 	// Severity colors (foreground for text) - darker on light bg for contrast
-	colorCriticalFg = lipgloss.AdaptiveColor{Light: "#DC2626", Dark: "#EF4444"} // red-600 / red-500
-	colorHighFg     = lipgloss.AdaptiveColor{Light: "#EA580C", Dark: "#F97316"} // orange-600 / orange-500
-	colorMediumFg   = lipgloss.AdaptiveColor{Light: "#A16207", Dark: "#EAB308"} // yellow-700 / yellow-500
-	colorLowFg      = lipgloss.AdaptiveColor{Light: "#2563EB", Dark: "#3B82F6"} // blue-600 / blue-500
-	colorInfoFg     = lipgloss.AdaptiveColor{Light: "#6B7280", Dark: "#9CA3AF"} // gray-500 / gray-400
+	colorCriticalFg = lipgloss.AdaptiveColor{Light: colorRed600, Dark: "#EF4444"}    // red-600 / red-500
+	colorHighFg     = lipgloss.AdaptiveColor{Light: colorOrange600, Dark: "#F97316"} // orange-600 / orange-500
+	colorMediumFg   = lipgloss.AdaptiveColor{Light: "#A16207", Dark: "#EAB308"}      // yellow-700 / yellow-500
+	colorLowFg      = lipgloss.AdaptiveColor{Light: colorBlue600, Dark: "#3B82F6"}   // blue-600 / blue-500
+	colorInfoFg     = lipgloss.AdaptiveColor{Light: colorGray500, Dark: "#9CA3AF"}   // gray-500 / gray-400
 
 	// Semantic colors - darker on light bg for contrast
-	colorSuccess = lipgloss.AdaptiveColor{Light: "#16A34A", Dark: "#22C55E"} // green-600 / green-500
-	colorWarning = lipgloss.AdaptiveColor{Light: "#D97706", Dark: "#F59E0B"} // amber-600 / amber-500
-	colorMuted   = lipgloss.AdaptiveColor{Light: "#4B5563", Dark: "#6B7280"} // gray-600 / gray-500
-	colorAccent  = lipgloss.AdaptiveColor{Light: "#7c3aed", Dark: "#7c3aed"} // purple-600 (Armis brand)
+	colorSuccess = lipgloss.AdaptiveColor{Light: "#16A34A", Dark: "#22C55E"}    // green-600 / green-500
+	colorWarning = lipgloss.AdaptiveColor{Light: "#D97706", Dark: "#F59E0B"}    // amber-600 / amber-500
+	colorMuted   = lipgloss.AdaptiveColor{Light: "#4B5563", Dark: colorGray500} // gray-600 / gray-500
+	colorAccent  = lipgloss.AdaptiveColor{Light: "#7c3aed", Dark: "#7c3aed"}    // purple-600 (Armis brand)
 
 	// Diff colors - darker on light bg for contrast
-	colorDiffAdd    = lipgloss.AdaptiveColor{Light: "#16A34A", Dark: "#22C55E"} // green-600 / green-500
-	colorDiffRemove = lipgloss.AdaptiveColor{Light: "#DC2626", Dark: "#EF4444"} // red-600 / red-500
-	colorDiffHunk   = lipgloss.AdaptiveColor{Light: "#6B7280", Dark: "#6B7280"} // gray-500
+	colorDiffAdd    = lipgloss.AdaptiveColor{Light: "#16A34A", Dark: "#22C55E"}       // green-600 / green-500
+	colorDiffRemove = lipgloss.AdaptiveColor{Light: colorRed600, Dark: "#EF4444"}     // red-600 / red-500
+	colorDiffHunk   = lipgloss.AdaptiveColor{Light: colorGray500, Dark: colorGray500} // gray-500
 
 	// Diff background colors - light tints on light bg, dark tints on dark bg
 	colorDiffAddBg    = lipgloss.AdaptiveColor{Light: "#dcfce7", Dark: "#0f2918"} // green-50 / dark green
@@ -49,8 +57,8 @@ var (
 	colorVulnBg = lipgloss.AdaptiveColor{Light: "#fef3c7", Dark: "#422006"} // amber-100 / amber-950
 
 	// UI colors - inverted for light/dark themes
-	colorBorder = lipgloss.AdaptiveColor{Light: "#D1D5DB", Dark: "#374151"} // gray-300 / gray-700
-	colorDim    = lipgloss.AdaptiveColor{Light: "#4B5563", Dark: "#6B7280"} // gray-600 / gray-500
+	colorBorder = lipgloss.AdaptiveColor{Light: "#D1D5DB", Dark: "#374151"}    // gray-300 / gray-700
+	colorDim    = lipgloss.AdaptiveColor{Light: "#4B5563", Dark: colorGray500} // gray-600 / gray-500
 
 	// Bright text color - dark on light bg, white on dark bg
 	colorBright = lipgloss.AdaptiveColor{Light: "#1F2937", Dark: "#FFFFFF"} // gray-800 / white
diff --git a/internal/scan/repo/inline.go b/internal/scan/repo/inline.go
index 1bb150fe..6433bb72 100644
--- a/internal/scan/repo/inline.go
+++ b/internal/scan/repo/inline.go
@@ -20,30 +20,47 @@ const (
 	suppressionTypeRule = "rule"
 )
 
+// File extension constants referenced in multiple maps below.
+const (
+	extPy    = ".py"
+	extRb    = ".rb"
+	extJs    = ".js"
+	extTS    = ".ts"
+	extJsx   = ".jsx"
+	extTsx   = ".tsx"
+	extKt    = ".kt"
+	extScala = ".scala"
+
+	commentHTML = "<!--"
+
+	kwDef      = "def "
+	kwFunction = "function "
+)
+
 // funcSigByExt maps file extensions to the function/method signature prefixes
 // valid for that language. Only unambiguous declaration keywords are included;
 // prefixes like "public "/"private " are excluded because they also match
 // field/property declarations and would cause false transparency.
 var funcSigByExt = map[string][]string{
 	".go":    {"func "},
-	".py":    {"def "},
-	".rb":    {"def "},
-	".js":    {"function "},
-	".ts":    {"function "},
-	".jsx":   {"function "},
-	".tsx":   {"function "},
-	".php":   {"function "},
+	extPy:    {kwDef},
+	extRb:    {kwDef},
+	extJs:    {kwFunction},
+	extTS:    {kwFunction},
+	extJsx:   {kwFunction},
+	extTsx:   {kwFunction},
+	".php":   {kwFunction},
 	".rs":    {"fn ", "pub fn "},
-	".kt":    {"fun "},
-	".scala": {"def "},
+	extKt:    {"fun "},
+	extScala: {kwDef},
 	".swift": {"func "},
 }
 
 // classKeywordExts are extensions where `class` is a language keyword for
 // type declarations (not a valid identifier prefix).
 var classKeywordExts = map[string]bool{
-	".py": true, ".rb": true, ".js": true, ".ts": true, ".jsx": true, ".tsx": true,
-	".java": true, ".kt": true, ".scala": true, ".cs": true, ".dart": true,
+	extPy: true, extRb: true, extJs: true, extTS: true, extJsx: true, extTsx: true,
+	".java": true, extKt: true, extScala: true, ".cs": true, ".dart": true,
 }
 
 // InlineDirective represents a parsed armis:ignore comment.
@@ -73,7 +90,7 @@ var commentPrefixes = map[string][]string{
 
 	".ini": {";"}, ".cfg": {";"},
 
-	".html": {"<!--"}, ".xml": {"<!--"}, ".svg": {"<!--"},
+	".html": {commentHTML}, ".xml": {commentHTML}, ".svg": {commentHTML},
 
 	".css": {"/*"}, ".scss": {"/*", "//"}, ".less": {"/*", "//"},
 }
diff --git a/internal/scan/repo/repo.go b/internal/scan/repo/repo.go
index 03898a67..c143e55a 100644
--- a/internal/scan/repo/repo.go
+++ b/internal/scan/repo/repo.go
@@ -352,7 +352,8 @@ func (s *Scanner) tarGzDirectory(sourcePath string, writer io.Writer, ignoreMatc
 		}
 
 		if !info.IsDir() {
-			file, err := os.Open(path) // #nosec G304 - path is from filepath.Walk within repo
+			// armis:ignore cwe:22 reason:path is yielded by filepath.Walk(sourcePath,...) which only produces descendants of sourcePath; symlinks are skipped above preventing escape
+			file, err := os.Open(path) // #nosec G304 G122 - path is from filepath.Walk within repo; os.Root API not available in Go 1.25
 			if err != nil {
 				return err
 			}
diff --git a/internal/supplychain/check/bun.go b/internal/supplychain/check/bun.go
index d2cdd3a5..416f12be 100644
--- a/internal/supplychain/check/bun.go
+++ b/internal/supplychain/check/bun.go
@@ -79,8 +79,8 @@ func shouldSkipBunPackage(tuple []interface{}) bool {
 	}
 	if resolved, ok := tuple[1].(string); ok {
 		if strings.HasPrefix(resolved, "git+") ||
-			strings.HasPrefix(resolved, "file:") ||
-			strings.HasPrefix(resolved, "link:") ||
+			strings.HasPrefix(resolved, protocolFile) ||
+			strings.HasPrefix(resolved, protocolLink) ||
 			strings.HasPrefix(resolved, "workspace:") {
 			return true
 		}
diff --git a/internal/supplychain/check/check.go b/internal/supplychain/check/check.go
index 4d0b0e43..ad15614c 100644
--- a/internal/supplychain/check/check.go
+++ b/internal/supplychain/check/check.go
@@ -12,6 +12,13 @@ import (
 	"github.com/ArmisSecurity/armis-cli/internal/supplychain/registry"
 )
 
+// protocolFile and protocolLink are URL schemes used in lockfiles to denote
+// local path and symlink dependencies. Shared across npm, pnpm, yarn, and bun parsers.
+const (
+	protocolFile = "file:"
+	protocolLink = "link:"
+)
+
 type Result struct {
 	Violations []supplychain.Violation
 	Warnings   []string
diff --git a/internal/supplychain/check/npm.go b/internal/supplychain/check/npm.go
index ecbe7b74..a8f42bab 100644
--- a/internal/supplychain/check/npm.go
+++ b/internal/supplychain/check/npm.go
@@ -85,7 +85,7 @@ func shouldSkipResolved(resolved string) bool {
 	if resolved == "" {
 		return false
 	}
-	for _, prefix := range []string{"git+", "git://", "git@", "file:", "link:"} {
+	for _, prefix := range []string{"git+", "git://", "git@", protocolFile, protocolLink} {
 		if strings.HasPrefix(resolved, prefix) {
 			return true
 		}
diff --git a/internal/supplychain/check/pnpm.go b/internal/supplychain/check/pnpm.go
index 0e1b1630..a515b0c6 100644
--- a/internal/supplychain/check/pnpm.go
+++ b/internal/supplychain/check/pnpm.go
@@ -145,14 +145,14 @@ func stripPeerFromKey(key string) string {
 }
 
 func shouldSkipPnpmPackage(key string, info pnpmPackageInfo) bool {
-	if strings.HasPrefix(key, "file:") || strings.HasPrefix(key, "link:") {
+	if strings.HasPrefix(key, protocolFile) || strings.HasPrefix(key, protocolLink) {
 		return true
 	}
 	if info.Resolution.Type == "directory" || info.Resolution.Type == "git" {
 		return true
 	}
 	tarball := info.Resolution.Tarball
-	if strings.HasPrefix(tarball, "file:") || strings.Contains(tarball, ".git") {
+	if strings.HasPrefix(tarball, protocolFile) || strings.Contains(tarball, ".git") {
 		return true
 	}
 	return false
diff --git a/internal/supplychain/check/yarn.go b/internal/supplychain/check/yarn.go
index b1b6b9d5..ee92a26a 100644
--- a/internal/supplychain/check/yarn.go
+++ b/internal/supplychain/check/yarn.go
@@ -117,7 +117,7 @@ func extractBerryPackageName(key string) string {
 }
 
 func shouldSkipYarnResolution(resolution string) bool {
-	for _, proto := range []string{"workspace:", "link:", "file:", "portal:", "patch:", "exec:"} {
+	for _, proto := range []string{"workspace:", protocolLink, protocolFile, "portal:", "patch:", "exec:"} {
 		if strings.Contains(resolution, proto) {
 			return true
 		}
@@ -197,7 +197,7 @@ func extractClassicPackageName(line string) string {
 }
 
 func shouldSkipClassicProtocol(line string) bool {
-	for _, proto := range []string{"workspace:", "link:", "file:", "portal:", "https://", "http://", "git+", "git://", "git@"} {
+	for _, proto := range []string{"workspace:", protocolLink, protocolFile, "portal:", "https://", "http://", "git+", "git://", "git@"} {
 		if strings.Contains(line, proto) {
 			return true
 		}
diff --git a/internal/supplychain/proxy.go b/internal/supplychain/proxy.go
index a15f3ba1..979f2e9d 100644
--- a/internal/supplychain/proxy.go
+++ b/internal/supplychain/proxy.go
@@ -21,6 +21,13 @@ const (
 	maxProxyResponseSize    = 20 * 1024 * 1024
 	distTagLatest           = "latest"
 
+	// npmTimeKeyCreated and npmTimeKeyModified are metadata-only keys in the npm
+	// registry's "time" object that record when the package was first published
+	// and last modified. They are not version strings and must be skipped when
+	// iterating over the version→timestamp map.
+	npmTimeKeyCreated  = "created"
+	npmTimeKeyModified = "modified"
+
 	// pypiSimpleJSONAccept is the PEP 691 content type for the PyPI Simple API
 	// JSON representation. The default Simple API response is HTML (PEP 503),
 	// which carries no upload timestamps; only the JSON form exposes the PEP 700
@@ -391,7 +398,7 @@ func (p *Proxy) filterMetadata(body []byte, pkgName string) ([]byte, []BlockedPa
 	versionsToRemove := make(map[string]bool)
 
 	for version, timeStr := range timeMap {
-		if version == "created" || version == "modified" {
+		if version == npmTimeKeyCreated || version == npmTimeKeyModified {
 			continue
 		}
 		publishTime, err := time.Parse(time.RFC3339, timeStr)
@@ -432,7 +439,7 @@ func (p *Proxy) filterMetadata(body []byte, pkgName string) ([]byte, []BlockedPa
 	if latestVersion == "" {
 		var latestTime time.Time
 		for version, timeStr := range timeMap {
-			if version == "created" || version == "modified" {
+			if version == npmTimeKeyCreated || version == npmTimeKeyModified {
 				continue
 			}
 			if isPrerelease(version) {
diff --git a/internal/supplychain/shell.go b/internal/supplychain/shell.go
index 8dbe1200..4b88d490 100644
--- a/internal/supplychain/shell.go
+++ b/internal/supplychain/shell.go
@@ -28,6 +28,17 @@ const cliBinaryName = "armis-cli"
 // platform guards across this package (and its tests) share one literal.
 const goosWindows = "windows"
 
+// Shell name constants used by DetectShells and GenerateWrapper.
+const (
+	shellBash = "bash"
+	shellZsh  = "zsh"
+	shellFish = "fish"
+)
+
+// pipExeBase is the bare pip executable name. DetectPipVariants falls back to
+// this when no pip binary is found on $PATH.
+const pipExeBase = "pip"
+
 // validPMName bounds package-manager names to a safe shell identifier: a
 // lowercase letter followed by lowercase letters, digits, or hyphens, with an
 // optional trailing `.<digits>` version suffix so versioned pip variants
@@ -83,11 +94,11 @@ func DetectShells() []Shell {
 	// of `supply-chain init`, and $HOME is not a trust boundary for a local CLI.
 	candidates := []Shell{
 		// armis:ignore cwe:22 cwe:73 reason:home is the current user's own $HOME joined with a hardcoded filename; configuring the user's own shell RC is the purpose of `supply-chain init`
-		{Name: "bash", RCFile: filepath.Join(home, ".bashrc")},
+		{Name: shellBash, RCFile: filepath.Join(home, ".bashrc")},
 		// armis:ignore cwe:22 cwe:73 reason:home is the current user's own $HOME joined with a hardcoded filename; configuring the user's own shell RC is the purpose of `supply-chain init`
-		{Name: "zsh", RCFile: filepath.Join(home, ".zshrc")},
+		{Name: shellZsh, RCFile: filepath.Join(home, ".zshrc")},
 		// armis:ignore cwe:22 cwe:73 reason:home is the current user's own $HOME joined with hardcoded path segments; configuring the user's own shell RC is the purpose of `supply-chain init`
-		{Name: "fish", RCFile: filepath.Join(home, ".config", "fish", "config.fish")},
+		{Name: shellFish, RCFile: filepath.Join(home, ".config", "fish", "config.fish")},
 	}
 
 	currentShell := filepath.Base(os.Getenv("SHELL"))
@@ -106,7 +117,7 @@ func DetectShells() []Shell {
 func GenerateWrapper(shell string, pms []string) string {
 	cli := resolveCliPath()
 	switch shell {
-	case "fish":
+	case shellFish:
 		return generateFishWrapper(pms, cli)
 	default:
 		return generatePosixWrapper(pms, cli)
@@ -519,7 +530,7 @@ func scanPathExecutables(match func(name string) bool) []string {
 func DetectPipVariants() []string {
 	variants := scanPathExecutables(pipExecutable.MatchString)
 	if len(variants) == 0 {
-		return []string{"pip"}
+		return []string{pipExeBase}
 	}
 	return variants
 }
diff --git a/internal/supplychain/shell_test.go b/internal/supplychain/shell_test.go
index 0e662539..17f7df00 100644
--- a/internal/supplychain/shell_test.go
+++ b/internal/supplychain/shell_test.go
@@ -15,7 +15,7 @@ import (
 const pipExe = "pip"
 
 func TestGenerateWrapper_Posix(t *testing.T) {
-	wrapper := GenerateWrapper("bash", []string{"npm"})
+	wrapper := GenerateWrapper(shellBash, []string{"npm"})
 
 	if !strings.Contains(wrapper, markerStart) {
 		t.Error("missing start marker")
@@ -29,7 +29,7 @@ func TestGenerateWrapper_Posix(t *testing.T) {
 }
 
 func TestGenerateWrapper_Fish(t *testing.T) {
-	wrapper := GenerateWrapper("fish", []string{"npm"})
+	wrapper := GenerateWrapper(shellFish, []string{"npm"})
 
 	if !strings.Contains(wrapper, "function npm") {
 		t.Error("missing fish function declaration")
@@ -40,7 +40,7 @@ func TestGenerateWrapper_Fish(t *testing.T) {
 }
 
 func TestGenerateWrapper_MultiplePMs(t *testing.T) {
-	wrapper := GenerateWrapper("zsh", []string{"npm", "npx"})
+	wrapper := GenerateWrapper(shellZsh, []string{"npm", "npx"})
 
 	if !strings.Contains(wrapper, "npm()") {
 		t.Error("missing npm function")
@@ -67,7 +67,7 @@ func TestGenerateWrapper_RejectsUnsafeNames(t *testing.T) {
 		"npm'quote", // embedded quote
 	}
 
-	for _, shell := range []string{"bash", "zsh", "fish"} {
+	for _, shell := range []string{shellBash, shellZsh, shellFish} {
 		for _, name := range malicious {
 			wrapper := GenerateWrapper(shell, []string{name})
 			// The only content should be the marker block; the unsafe name must
@@ -83,7 +83,7 @@ func TestGenerateWrapper_RejectsUnsafeNames(t *testing.T) {
 // per-entry: a valid PM name is still wrapped even when an unsafe one is present
 // in the same list.
 func TestGenerateWrapper_KeepsValidAlongsideInvalid(t *testing.T) {
-	wrapper := GenerateWrapper("bash", []string{"npm", "evil; rm -rf ~", "pnpm"})
+	wrapper := GenerateWrapper(shellBash, []string{"npm", "evil; rm -rf ~", "pnpm"})
 
 	if !strings.Contains(wrapper, "npm()") {
 		t.Error("valid npm wrapper should be present")
@@ -112,7 +112,7 @@ func TestGenerateWrapper_CapsNameCount(t *testing.T) {
 
 	// The cap must hold through the public wrapper generator too: count the
 	// emitted function definitions rather than trusting the helper alone.
-	wrapper := GenerateWrapper("bash", many)
+	wrapper := GenerateWrapper(shellBash, many)
 	if n := strings.Count(wrapper, "npm()"); n != maxPMNames {
 		t.Errorf("expected %d wrapped functions, got %d", maxPMNames, n)
 	}
@@ -125,7 +125,7 @@ func TestInjectAndRemoveFunctions(t *testing.T) {
 	existing := "# existing config\nexport PATH=$PATH:/usr/local/bin\n"
 	os.WriteFile(rcFile, []byte(existing), 0o644) //nolint:errcheck,gosec
 
-	shells := []Shell{{Name: "bash", RCFile: rcFile}}
+	shells := []Shell{{Name: shellBash, RCFile: rcFile}}
 	pms := []string{"npm"}
 
 	modified, err := InjectFunctions(shells, pms)
@@ -196,7 +196,7 @@ func TestRemoveFunctions_PreservesPermissions(t *testing.T) {
 		t.Fatalf("write rc: %v", err)
 	}
 
-	shells := []Shell{{Name: "bash", RCFile: rcFile}}
+	shells := []Shell{{Name: shellBash, RCFile: rcFile}}
 	if _, err := InjectFunctions(shells, []string{"npm"}); err != nil {
 		t.Fatalf("InjectFunctions: %v", err)
 	}
@@ -218,7 +218,7 @@ func TestRemoveFunctions_NoBlock(t *testing.T) {
 	rcFile := filepath.Join(tmpDir, ".zshrc")
 	os.WriteFile(rcFile, []byte("# clean file\n"), 0o644) //nolint:errcheck,gosec
 
-	shells := []Shell{{Name: "zsh", RCFile: rcFile}}
+	shells := []Shell{{Name: shellZsh, RCFile: rcFile}}
 	removed, err := RemoveFunctions(shells)
 	if err != nil {
 		t.Fatalf("RemoveFunctions: %v", err)
@@ -229,7 +229,7 @@ func TestRemoveFunctions_NoBlock(t *testing.T) {
 }
 
 func TestRemoveFunctions_MissingFile(t *testing.T) {
-	shells := []Shell{{Name: "bash", RCFile: "/tmp/nonexistent-rc-file-test"}}
+	shells := []Shell{{Name: shellBash, RCFile: "/tmp/nonexistent-rc-file-test"}}
 	removed, err := RemoveFunctions(shells)
 	if err != nil {
 		t.Fatalf("unexpected error: %v", err)
@@ -243,7 +243,7 @@ func TestInjectFunctions_CreatesFile(t *testing.T) {
 	tmpDir := t.TempDir()
 	rcFile := filepath.Join(tmpDir, "subdir", ".bashrc")
 
-	shells := []Shell{{Name: "bash", RCFile: rcFile}}
+	shells := []Shell{{Name: shellBash, RCFile: rcFile}}
 	modified, err := InjectFunctions(shells, []string{"npm"})
 	if err != nil {
 		t.Fatalf("InjectFunctions: %v", err)
@@ -267,7 +267,7 @@ func TestHasInjection(t *testing.T) {
 		t.Error("should return false for clean file")
 	}
 
-	shells := []Shell{{Name: "bash", RCFile: rcFile}}
+	shells := []Shell{{Name: shellBash, RCFile: rcFile}}
 	InjectFunctions(shells, []string{"npm"}) //nolint:errcheck,gosec
 
 	if !HasInjection(rcFile) {
@@ -340,7 +340,7 @@ func TestIsPipVariant(t *testing.T) {
 // validPMName fix, the dot in "pip3.12" caused sanitizePMNames to drop it, so
 // `pip3.12 install` silently bypassed enforcement.
 func TestGenerateWrapper_WrapsVersionedPip(t *testing.T) {
-	wrapper := GenerateWrapper("bash", []string{"pip3.12"})
+	wrapper := GenerateWrapper(shellBash, []string{"pip3.12"})
 	if !strings.Contains(wrapper, "pip3.12()") {
 		t.Errorf("versioned pip variant should be wrapped, got:\n%s", wrapper)
 	}
@@ -473,14 +473,14 @@ func TestDetectShells(t *testing.T) {
 		if len(shells) == 0 {
 			t.Fatal("expected at least one detected shell")
 		}
-		if shells[0].Name != "zsh" {
+		if shells[0].Name != shellZsh {
 			t.Errorf("first shell = %q, want zsh (the current $SHELL)", shells[0].Name)
 		}
 		names := make([]string, len(shells))
 		for i, s := range shells {
 			names[i] = s.Name
 		}
-		if !slices.Contains(names, "bash") {
+		if !slices.Contains(names, shellBash) {
 			t.Errorf("expected bash among detected shells (its .bashrc exists), got %v", names)
 		}
 	})
diff --git a/internal/testutil/mockapi.go b/internal/testutil/mockapi.go
index 6d05395b..4ed4ba09 100644
--- a/internal/testutil/mockapi.go
+++ b/internal/testutil/mockapi.go
@@ -10,6 +10,9 @@ import (
 	"github.com/ArmisSecurity/armis-cli/internal/model"
 )
 
+// mockTenantID is the tenant identifier returned by the mock API server.
+const mockTenantID = "test-tenant"
+
 // MockAPIConfig configures the mock API server behavior.
 type MockAPIConfig struct {
 	// Findings to return in normalized-results endpoint
@@ -77,7 +80,7 @@ func createMockHandler(t *testing.T, config MockAPIConfig) http.HandlerFunc {
 			JSONResponse(t, w, http.StatusOK, model.IngestUploadResponse{
 				ScanID:       config.ScanID,
 				ArtifactType: "tar",
-				TenantID:     "test-tenant",
+				TenantID:     mockTenantID,
 				Filename:     "upload.tar.gz",
 				Message:      "Upload successful",
 			})
@@ -102,7 +105,7 @@ func createMockHandler(t *testing.T, config MockAPIConfig) http.HandlerFunc {
 					{
 						ScanID:       config.ScanID,
 						ScanStatus:   status,
-						TenantID:     "test-tenant",
+						TenantID:     mockTenantID,
 						ArtifactType: "tar",
 						ScanType:     "repository",
 						LastError:    lastError,
@@ -116,7 +119,7 @@ func createMockHandler(t *testing.T, config MockAPIConfig) http.HandlerFunc {
 		if strings.Contains(r.URL.Path, "/api/v1/ingest/normalized-results") && r.Method == http.MethodGet {
 			JSONResponse(t, w, http.StatusOK, model.NormalizedResultsResponse{
 				Data: model.NormalizedResultsData{
-					TenantID: "test-tenant",
+					TenantID: mockTenantID,
 					ScanResults: []model.ScanResultData{
 						{
 							ScanID:   config.ScanID,

From c0592bf5fea81d085e7ef4d3d6d8683ad7e6806d Mon Sep 17 00:00:00 2001
From: Yiftach Cohen <yiftach.cohen@armis.com>
Date: Tue, 9 Jun 2026 11:13:40 +0200
Subject: [PATCH 2/3] chore: exclude test/ directory from goconst linter

---
 .golangci.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.golangci.yml b/.golangci.yml
index 5e91fd1d..bab02bc8 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -13,6 +13,15 @@ linters:
     - gosec
     - goconst
     - misspell
+  exclusions:
+    rules:
+      # The test/ directory holds standalone integration-test scaffolding
+      # (e.g. mock-server.go, package main). goconst's ignore-tests only
+      # matches *_test.go files, so exempt the whole test/ tree explicitly —
+      # constant-extraction adds no value to throwaway test harnesses.
+      - path: ^test/
+        linters:
+          - goconst
   settings:
     goconst:
       ignore-tests: true

From 41ce4246833b89b0b6b5b9e79ca718ab77de2b33 Mon Sep 17 00:00:00 2001
From: Yiftach Cohen <yiftach.cohen@armis.com>
Date: Tue, 9 Jun 2026 15:03:32 +0200
Subject: [PATCH 3/3] fix(security): reject non-regular files in config
 readers; address PR review

Resolve Copilot review comments on PR #218:

- editors.go / hooks.go: size guards before os.ReadFile now reject
  non-regular files (devices, FIFOs). A special file can report size 0
  and still stream unbounded data into ReadFile, defeating the size cap
  (CWE-770). Add info.Mode().IsRegular() checks.
- editors_test.go: add TestRegisterSkipsOversizedConfig covering the
  oversized-config skip path (registration still writes a valid config).
- output: introduce neutral noneValue = "none" so severityToSarifLevel
  references a SARIF-level name instead of borrowing groupByNone's
  grouping semantics.
- editors.go: add armis:ignore cwe:502 at the json.Unmarshal sink (Go
  encoding/json into map has no gadget deserialization; local config input).
---
 internal/install/editors.go      |  5 +++-
 internal/install/editors_test.go | 51 ++++++++++++++++++++++++++++++++
 internal/install/hooks.go        | 15 +++++++---
 internal/output/human.go         |  8 ++++-
 internal/output/sarif.go         |  3 +-
 5 files changed, 75 insertions(+), 7 deletions(-)

diff --git a/internal/install/editors.go b/internal/install/editors.go
index e692778b..4f85d046 100644
--- a/internal/install/editors.go
+++ b/internal/install/editors.go
@@ -359,11 +359,14 @@ func readJSONFileAsMap(path string) map[string]interface{} {
 	data := make(map[string]interface{})
 	clean := filepath.Clean(path)
 	// armis:ignore cwe:22 reason:path from filepath.Join with known base dirs; filepath.Clean applied
-	if info, err := os.Stat(clean); err != nil || info.Size() > maxEditorConfigSize {
+	// Reject non-regular files (devices, FIFOs): they can report Size()==0 yet
+	// stream unbounded data into os.ReadFile, defeating the size cap (CWE-770).
+	if info, err := os.Stat(clean); err != nil || !info.Mode().IsRegular() || info.Size() > maxEditorConfigSize {
 		return data
 	}
 	// armis:ignore cwe:22 cwe:253 reason:path from filepath.Join with known base dirs; filepath.Clean applied; ReadFile error handled by err == nil guard
 	if b, err := os.ReadFile(clean); err == nil { //nolint:gosec
+		// armis:ignore cwe:502 cwe:770 reason:Go encoding/json into map[string]interface{} has no gadget/polymorphic deserialization; input is the user's own local editor config, size-bounded by the maxEditorConfigSize guard above
 		_ = json.Unmarshal(b, &data)
 	}
 	return data
diff --git a/internal/install/editors_test.go b/internal/install/editors_test.go
index c3ce1fb2..f3dc990a 100644
--- a/internal/install/editors_test.go
+++ b/internal/install/editors_test.go
@@ -5,6 +5,7 @@ import (
 	"os"
 	"path/filepath"
 	"runtime"
+	"strings"
 	"testing"
 )
 
@@ -287,6 +288,56 @@ func TestRegisterPreservesExistingConfig(t *testing.T) {
 	}
 }
 
+func TestRegisterSkipsOversizedConfig(t *testing.T) {
+	dir := t.TempDir()
+	configFile := filepath.Join(dir, "mcp.json")
+	pluginDir := filepath.Join(dir, "plugin")
+
+	// Write a valid-but-oversized config: a real mcpServers entry plus padding
+	// that pushes the file past maxEditorConfigSize. readJSONFileAsMap must skip
+	// reading it, so registration starts fresh and the padded entry is dropped.
+	padding := strings.Repeat("a", maxEditorConfigSize+1)
+	existing := map[string]interface{}{
+		"mcpServers": map[string]interface{}{
+			"other-server": map[string]interface{}{
+				"command": "node",
+				"args":    []string{"server.js"},
+			},
+		},
+		"_pad": padding,
+	}
+	b, _ := json.Marshal(existing)
+	if err := os.WriteFile(configFile, b, 0o600); err != nil {
+		t.Fatalf("seeding config: %v", err)
+	}
+
+	configPathOverrides = map[EditorID]string{EditorCursor: configFile}
+	defer func() { configPathOverrides = nil }()
+
+	e, _ := EditorByID(EditorCursor)
+	if err := e.Register(pluginDir); err != nil {
+		t.Fatalf("Register() error: %v", err)
+	}
+
+	// The rewritten config must be valid JSON with armis-appsec registered.
+	var data map[string]interface{}
+	out, _ := os.ReadFile(filepath.Clean(configFile))
+	if err := json.Unmarshal(out, &data); err != nil {
+		t.Fatalf("rewritten config is not valid JSON: %v", err)
+	}
+	servers, ok := data["mcpServers"].(map[string]interface{})
+	if !ok {
+		t.Fatal("mcpServers key missing after register")
+	}
+	if _, ok := servers[mcpServerName]; !ok {
+		t.Error("armis-appsec not registered")
+	}
+	// The oversized file was skipped, so its prior contents were not merged in.
+	if _, ok := servers["other-server"]; ok {
+		t.Error("oversized config was read instead of skipped (other-server survived)")
+	}
+}
+
 func TestRegisterJetBrains(t *testing.T) {
 	dir := t.TempDir()
 	configFile := filepath.Join(dir, ".jb-mcp.json")
diff --git a/internal/install/hooks.go b/internal/install/hooks.go
index 9c4905c0..940086ff 100644
--- a/internal/install/hooks.go
+++ b/internal/install/hooks.go
@@ -30,10 +30,15 @@ func InstallHooks() error {
 func installHooksToFile(settingsPath string) error {
 	settings := make(map[string]interface{})
 
-	if info, err := os.Stat(settingsPath); err == nil && info.Size() > maxSettingsSize {
-		return fmt.Errorf("settings file too large (%d bytes): %s", info.Size(), settingsPath)
+	if info, err := os.Stat(settingsPath); err == nil {
+		if !info.Mode().IsRegular() {
+			return fmt.Errorf("settings file is not a regular file: %s", settingsPath)
+		}
+		if info.Size() > maxSettingsSize {
+			return fmt.Errorf("settings file too large (%d bytes): %s", info.Size(), settingsPath)
+		}
 	}
-	// armis:ignore cwe:59 cwe:770 reason:settingsPath from filepath.Join(UserHomeDir, hardcoded ".claude/settings.json"); size bounded by maxSettingsSize guard above
+	// armis:ignore cwe:59 cwe:770 reason:settingsPath from filepath.Join(UserHomeDir, hardcoded ".claude/settings.json"); regular-file + size bounded by guards above
 	data, err := os.ReadFile(settingsPath) //nolint:gosec // G304: path constructed from UserHomeDir + hardcoded segments
 	if err != nil && !os.IsNotExist(err) {
 		return fmt.Errorf("reading settings: %w", err)
@@ -109,10 +114,12 @@ func removeHooksFromFile(settingsPath string) error {
 			return nil
 		}
 		return fmt.Errorf("reading settings: %w", err)
+	} else if !info.Mode().IsRegular() {
+		return fmt.Errorf("settings file is not a regular file: %s", settingsPath)
 	} else if info.Size() > maxSettingsSize {
 		return fmt.Errorf("settings file too large (%d bytes): %s", info.Size(), settingsPath)
 	}
-	// armis:ignore cwe:59 cwe:770 reason:settingsPath from filepath.Join(UserHomeDir, hardcoded ".claude/settings.json"); size bounded by maxSettingsSize guard above
+	// armis:ignore cwe:59 cwe:770 reason:settingsPath from filepath.Join(UserHomeDir, hardcoded ".claude/settings.json"); regular-file + size bounded by guards above
 	data, err := os.ReadFile(settingsPath) //nolint:gosec // G304: path constructed from UserHomeDir + hardcoded segments
 	if err != nil {
 		return fmt.Errorf("reading settings: %w", err)
diff --git a/internal/output/human.go b/internal/output/human.go
index ca3c5942..0dc62ef7 100644
--- a/internal/output/human.go
+++ b/internal/output/human.go
@@ -23,8 +23,14 @@ import (
 )
 
 const (
+	// noneValue is the neutral "none" literal shared across unrelated domains
+	// (the group-by option and the SARIF "none" level). Domain-specific
+	// constants derive from it so call sites reference the name that matches
+	// their own semantics rather than borrowing another domain's.
+	noneValue = "none"
+
 	groupBySeverity = "severity"
-	groupByNone     = "none"
+	groupByNone     = noneValue
 	noCWELabel      = "No CWE"
 
 	// Resource limits for snippet loading to prevent memory exhaustion (CWE-770)
diff --git a/internal/output/sarif.go b/internal/output/sarif.go
index 53b89ec5..9f604a47 100644
--- a/internal/output/sarif.go
+++ b/internal/output/sarif.go
@@ -454,7 +454,8 @@ func severityToSarifLevel(severity model.Severity) string {
 	case model.SeverityLow, model.SeverityInfo:
 		return "note"
 	default:
-		return groupByNone
+		// SARIF "none" level — neutral literal, not a group-by option.
+		return noneValue
 	}
 }