CrunchyData · tjmoore4 · Mar 12, 2026 · Mar 12, 2026
diff --git a/internal/bridge/client.go b/internal/bridge/client.go
@@ -155,10 +155,9 @@ type ClusterRoleApiResource struct {
 	ClusterId    string `json:"cluster_id"`
 	Flavor       string `json:"flavor"`
 	Name         string `json:"name"`
-	//nolint:gosec // G117: JSON serialization field for API response, not a hardcoded credential.
-	Password string `json:"password"`
-	Team     string `json:"team_id"`
-	URI      string `json:"uri"`
+	Password     string `json:"password"`
+	Team         string `json:"team_id"`
+	URI          string `json:"uri"`
 }
 
 // ClusterRoleList holds a slice of ClusterRoleApiResource
@@ -279,8 +278,7 @@ func (c *Client) doWithBackoff(
 
 		if err == nil {
 			request.Header = headers.Clone()
-
-			//nolint:bodyclose,gosec // bodyclose: response returned to caller; G704: URL is from trusted Bridge API configuration.
+			//nolint:bodyclose // response returned to caller.
 			response, err = c.Do(request)
 		}
 

diff --git a/internal/bridge/client_test.go b/internal/bridge/client_test.go
@@ -1229,6 +1229,7 @@ func TestGetClusterRole(t *testing.T) {
 	}
 
 	t.Run("WeSendCorrectData", func(t *testing.T) {
+		//nolint:gosec // G117: Password is part of the API resource struct, not a credential in test context.
 		responsePayloadJson, err := json.Marshal(clusterRoleApiResource)
 		assert.NilError(t, err)
 
@@ -1251,6 +1252,7 @@ func TestGetClusterRole(t *testing.T) {
 	})
 
 	t.Run("OkResponse", func(t *testing.T) {
+		//nolint:gosec // G117: Password is part of the API resource struct, not a credential in test context.
 		responsePayloadJson, err := json.Marshal(clusterRoleApiResource)
 		assert.NilError(t, err)
 
@@ -1269,6 +1271,7 @@ func TestGetClusterRole(t *testing.T) {
 	})
 
 	t.Run("ErrorResponse", func(t *testing.T) {
+		//nolint:gosec // G117: Password is part of the API resource struct, not a credential in test context.
 		responsePayloadJson, err := json.Marshal(clusterRoleApiResource)
 		assert.NilError(t, err)
 

diff --git a/internal/bridge/crunchybridgecluster/mock_bridge_api.go b/internal/bridge/crunchybridgecluster/mock_bridge_api.go
@@ -17,7 +17,6 @@ import (
 )
 
 type TestBridgeClient struct {
-	//nolint:gosec // G117: Test mock struct field, not a hardcoded credential.
 	ApiKey          string                                       `json:"apiKey,omitempty"`
 	TeamId          string                                       `json:"teamId,omitempty"`
 	Clusters        []*bridge.ClusterApiResource                 `json:"clusters,omitempty"`

diff --git a/internal/bridge/installation.go b/internal/bridge/installation.go
@@ -39,8 +39,7 @@ var self = new(struct {
 type AuthObject struct {
 	ID        string    `json:"id"`
 	ExpiresAt time.Time `json:"expires_at"`
-	//nolint:gosec // G117: JSON serialization field for API response, not a hardcoded credential.
-	Secret string `json:"secret"`
+	Secret    string    `json:"secret"`
 }
 
 type Installation struct {

diff --git a/internal/collector/postgres_metrics.go b/internal/collector/postgres_metrics.go
@@ -256,7 +256,7 @@ func EnablePostgresMetrics(ctx context.Context, inCluster *v1beta1.PostgresClust
 // appendToJSONArray appends elements of a json.RawMessage containing an array
 // to another json.RawMessage containing an array.
 func appendToJSONArray(a1, a2 json.RawMessage) (json.RawMessage, error) {
-	var slc1 []json.RawMessage
+	var slc1 []json.RawMessage //nolint:prealloc // Populated by json.Unmarshal, not manual appends.
 	if err := json.Unmarshal(a1, &slc1); err != nil {
 		return nil, err
 	}

diff --git a/internal/controller/standalone_pgadmin/users.go b/internal/controller/standalone_pgadmin/users.go
@@ -35,7 +35,6 @@ type pgAdminUserForJson struct {
 	IsAdmin bool `json:"isAdmin"`
 
 	// The user's password
-	//nolint:gosec // G117: This is a JSON serialization struct, not a hardcoded credential.
 	Password string `json:"password"`
 
 	// The username for User in pgAdmin.
@@ -332,6 +331,8 @@ cd $PGADMIN_DIR
 	// to add a user, that user will not be in intentUsers. If errors occurred when attempting to
 	// update a user, the user will be in intentUsers as it existed before. We now want to marshal the
 	// intentUsers to json and write the users.json file to the secret.
+
+	//nolint:gosec // G117: Password is intentionally stored in a Kubernetes Secret.
 	intentUserSecret.Data["users.json"], _ = json.Marshal(intentUsers)
 
 	err = errors.WithStack(r.setControllerReference(pgadmin, intentUserSecret))

diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/crunchy_bridgecluster_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/crunchy_bridgecluster_types.go
@@ -77,7 +77,6 @@ type CrunchyBridgeClusterSpec struct {
 
 	// The name of the secret containing the API key and team id
 	// +kubebuilder:validation:Required
-	//nolint:gosec // G117: Field holds secret name reference, not actual secret data.
 	Secret string `json:"secret"`
 
 	// The amount of storage available to the cluster in gigabytes.