conforma · fullsend-ai-coder · Jun 3, 2026
diff --git a/acceptance/git/git.go b/acceptance/git/git.go
@@ -92,15 +92,15 @@ func startStubGitServer(ctx context.Context) (context.Context, error) {
 	}
 
 	nginxConfDir := path.Join(repositories, "conf")
-	if err = os.Mkdir(nginxConfDir, 0755); err != nil {
+	if err = os.Mkdir(nginxConfDir, 0o755); err != nil {
 		return ctx, err
 	}
-	if err = os.WriteFile(path.Join(nginxConfDir, "nginx.conf"), nginxConf, 0400); err != nil {
+	if err = os.WriteFile(path.Join(nginxConfDir, "nginx.conf"), nginxConf, 0o400); err != nil {
 		return ctx, err
 	}
 
 	tlsDir := path.Join(repositories, "tls")
-	if err = os.Mkdir(tlsDir, 0755); err != nil {
+	if err = os.Mkdir(tlsDir, 0o755); err != nil {
 		return ctx, err
 	}
 
@@ -114,7 +114,7 @@ func startStubGitServer(ctx context.Context) (context.Context, error) {
 			Bytes: keyBytes,
 		})
 
-		if err = os.WriteFile(path.Join(tlsDir, "server.key"), keyPem, 0400); err != nil {
+		if err = os.WriteFile(path.Join(tlsDir, "server.key"), keyPem, 0o400); err != nil {
 			return ctx, err
 		}
 
@@ -142,7 +142,7 @@ func startStubGitServer(ctx context.Context) (context.Context, error) {
 				Bytes: cert,
 			})
 
-			if err = os.WriteFile(certificate, certPEM, 0400); err != nil {
+			if err = os.WriteFile(certificate, certPEM, 0o400); err != nil {
 				return ctx, err
 			}
 
@@ -152,7 +152,7 @@ func startStubGitServer(ctx context.Context) (context.Context, error) {
 
 	// Create a minimal health check repository before starting the container
 	healthCheckDir := path.Join(repositories, "health-check.git")
-	if err := os.MkdirAll(healthCheckDir, 0755); err != nil {
+	if err := os.MkdirAll(healthCheckDir, 0o755); err != nil {
 		return ctx, err
 	}
 
@@ -284,7 +284,7 @@ func createGitRepository(ctx context.Context, repositoryName string, files *godo
 			}))
 		}
 
-		err = os.WriteFile(dest, b, 0600)
+		err = os.WriteFile(dest, b, 0o600)
 		if err != nil {
 			return err
 		}

diff --git a/acceptance/image/image.go b/acceptance/image/image.go
@@ -878,7 +878,7 @@ func createAndPushImageWithLayer(ctx context.Context, imageName string, files *g
 			name := r.Cells[0].Value
 			if err := t.WriteHeader(&tar.Header{
 				Name: name,
-				Mode: 0644,
+				Mode: 0o644,
 				Size: int64(len(content)),
 			}); err != nil {
 				return nil, err

diff --git a/acceptance/kubernetes/kind/image.go b/acceptance/kubernetes/kind/image.go
@@ -68,7 +68,7 @@ func (k *kindCluster) buildCliImage(ctx context.Context) error {
 	// Build into a directory not excluded by .dockerignore (which excludes
 	// dist/) and not conflicting with the versioned binary from make build.
 	buildDir := ".acceptance-build"
-	if err := os.MkdirAll(buildDir, 0755); err != nil {
+	if err := os.MkdirAll(buildDir, 0o755); err != nil {
 		return fmt.Errorf("creating build directory: %w", err)
 	}
 	defer os.RemoveAll(buildDir)
@@ -140,7 +140,7 @@ func (k *kindCluster) buildCliImage(ctx context.Context) error {
 
 	// Write cache hash only after a successful build
 	if cacheFile != "" {
-		_ = os.WriteFile(cacheFile, []byte(currentHash), 0644) // #nosec G306
+		_ = os.WriteFile(cacheFile, []byte(currentHash), 0o644) // #nosec G306
 	}
 
 	return nil
@@ -323,7 +323,7 @@ func (k *kindCluster) BuildSnapshotArtifact(ctx context.Context, content string)
 	filePath := "snapshotartifact"
 
 	// #nosec G306 -- reduce-snapshot.sh needs these permissions
-	if err := os.WriteFile(filePath, []byte(content), 0644); err != nil {
+	if err := os.WriteFile(filePath, []byte(content), 0o644); err != nil {
 		return ctx, fmt.Errorf("failed to write JSON to file: %w", err)
 	}
 
@@ -408,7 +408,7 @@ func copyFile(src, dst string) error {
 	}
 	defer in.Close()
 
-	out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0755) // #nosec G302
+	out, err := os.OpenFile(dst, os.O_CREATE|os.O_WRONLY|os.O_TRUNC, 0o755) // #nosec G302
 	if err != nil {
 		return err
 	}

diff --git a/acceptance/pipeline/pipeline_definition.go b/acceptance/pipeline/pipeline_definition.go
@@ -24,7 +24,7 @@ import (
 )
 
 func writePipelineDefinition(ctx context.Context, name string, data string) (context.Context, error) {
-	err := os.WriteFile(name, []byte(data), 0600)
+	err := os.WriteFile(name, []byte(data), 0o600)
 	if err != nil {
 		return ctx, err
 	}

diff --git a/acceptance/registry/registry.go b/acceptance/registry/registry.go
@@ -101,7 +101,7 @@ func startStubRegistry(ctx context.Context) (context.Context, error) {
 			{
 				HostFilePath:      "",
 				ContainerFilePath: "/config/config.json",
-				FileMode:          0644,
+				FileMode:          0o644,
 				Reader:            strings.NewReader(zotConfig),
 			},
 		},

diff --git a/acceptance/tekton/bundles.go b/acceptance/tekton/bundles.go
@@ -49,7 +49,7 @@ func createTektonBundle(ctx context.Context, name string, data *godog.Table) (co
 		writer := tar.NewWriter(&data)
 		if err := writer.WriteHeader(&tar.Header{
 			Name:     name,
-			Mode:     0600,
+			Mode:     0o600,
 			Size:     int64(len(content)),
 			Typeflag: tar.TypeReg,
 		}); err != nil {

diff --git a/acceptance/testenv/testenv.go b/acceptance/testenv/testenv.go
@@ -77,7 +77,7 @@ func Persist(ctx context.Context) (bool, error) {
 		return true, fmt.Errorf("unable to store JSON data in .persisted file: %v", err.Error())
 	}
 
-	err = persister(persistedFile, b, 0644)
+	err = persister(persistedFile, b, 0o644)
 	if err != nil {
 		return true, fmt.Errorf("unable to write to %s file: %v", persistedFile, err.Error())
 	}

diff --git a/benchmark/internal/registry/registry.go b/benchmark/internal/registry/registry.go
@@ -100,20 +100,20 @@ func Launch(data string) (suite.Closer, error) {
 		return nil, err
 	}
 
-	if err := os.Chmod(dir, 0755); err != nil {
+	if err := os.Chmod(dir, 0o755); err != nil {
 		return closer.Close, err
 	}
 
 	certPath := path.Join(dir, "fake_quay.cer")
-	if err := os.WriteFile(certPath, certificate, 0600); err != nil {
+	if err := os.WriteFile(certPath, certificate, 0o600); err != nil {
 		return closer.Close, err
 	}
 
 	if err := os.Setenv("SSL_CERT_FILE", certPath); err != nil {
 		return closer.Close, err
 	}
 
-	if err := os.WriteFile(path.Join(dir, "fake_quay.key"), key, 0600); err != nil {
+	if err := os.WriteFile(path.Join(dir, "fake_quay.key"), key, 0o600); err != nil {
 		return closer.Close, err
 	}
 

diff --git a/benchmark/offliner/offliner.go b/benchmark/offliner/offliner.go
@@ -63,7 +63,7 @@ func main() {
 	}
 
 	if _, err := os.Stat(dir); os.IsNotExist(err) {
-		if err := os.MkdirAll(dir, 0755); err != nil {
+		if err := os.MkdirAll(dir, 0o755); err != nil {
 			fmt.Fprintln(os.Stderr, err)
 			os.Exit(3)
 		}

diff --git a/cmd/initialize/init_policies.go b/cmd/initialize/init_policies.go
@@ -79,7 +79,7 @@ func initPoliciesCmd() *cobra.Command {
 			}
 			fs := utils.FS(ctx)
 			workDir := destDir
-			err := fs.MkdirAll(workDir, 0755)
+			err := fs.MkdirAll(workDir, 0o755)
 			if err != nil {
 				log.Debug("Failed to create policy directory!")
 				return err

diff --git a/cmd/inspect/inspect_policy_test.go b/cmd/inspect/inspect_policy_test.go
@@ -56,10 +56,10 @@ func TestFetchSourcesFromPolicy(t *testing.T) {
 	createDir := func(args mock.Arguments) {
 		dir := args.String(0)
 
-		if err := fs.MkdirAll(dir, 0755); err != nil {
+		if err := fs.MkdirAll(dir, 0o755); err != nil {
 			panic(err)
 		}
-		if err := afero.WriteFile(fs, fmt.Sprintf("%s/foo.rego", args.String(0)), []byte("package foo\n\nbar = 1"), 0644); err != nil {
+		if err := afero.WriteFile(fs, fmt.Sprintf("%s/foo.rego", args.String(0)), []byte("package foo\n\nbar = 1"), 0o644); err != nil {
 			panic(err)
 		}
 	}
@@ -98,10 +98,10 @@ func TestFetchSources(t *testing.T) {
 	createDir := func(args mock.Arguments) {
 		dir := args.String(0)
 
-		if err := fs.MkdirAll(dir, 0755); err != nil {
+		if err := fs.MkdirAll(dir, 0o755); err != nil {
 			panic(err)
 		}
-		if err := afero.WriteFile(fs, fmt.Sprintf("%s/foo.rego", args.String(0)), []byte("package foo\n\nbar = 1"), 0644); err != nil {
+		if err := afero.WriteFile(fs, fmt.Sprintf("%s/foo.rego", args.String(0)), []byte("package foo\n\nbar = 1"), 0o644); err != nil {
 			panic(err)
 		}
 	}
@@ -144,7 +144,7 @@ func TestSourcesAndPolicyCantBeBothProvided(t *testing.T) {
 	createDir := func(args mock.Arguments) {
 		dir := args.String(0)
 
-		if err := fs.MkdirAll(dir, 0755); err != nil {
+		if err := fs.MkdirAll(dir, 0o755); err != nil {
 			panic(err)
 		}
 	}

diff --git a/cmd/test/test.go b/cmd/test/test.go
@@ -200,7 +200,7 @@ func NewTestCommand(ctx context.Context) *cobra.Command {
 
 					if outputFilePath != "" {
 						// Output to a file
-						err := os.WriteFile(outputFilePath, reportOutput, 0600)
+						err := os.WriteFile(outputFilePath, reportOutput, 0o600)
 						if err != nil {
 							return fmt.Errorf("creating output file: %w", err)
 						}

diff --git a/cmd/track/track_bundle.go b/cmd/track/track_bundle.go
@@ -137,7 +137,7 @@ func trackBundleCmd(track trackBundleFn, pullImage pullImageFn, pushImage pushIm
 			case strings.HasPrefix(params.output, "oci:"):
 				err = pushImage(cmd.Context(), strings.TrimPrefix(params.output, "oci:"), out, invocation)
 			default:
-				err = afero.WriteFile(fs, params.output, out, 0666)
+				err = afero.WriteFile(fs, params.output, out, 0o666)
 			}
 
 			if err != nil {

diff --git a/cmd/track/track_bundle_test.go b/cmd/track/track_bundle_test.go
@@ -214,7 +214,7 @@ func Test_TrackBundleCommand(t *testing.T) {
 			inputData := []byte(fmt.Sprintf(`{"file": "%s"}`, c.expectInput))
 
 			if c.expectInput != "" {
-				err := afero.WriteFile(fs, c.expectInput, inputData, 0777)
+				err := afero.WriteFile(fs, c.expectInput, inputData, 0o777)
 				assert.NoError(t, err)
 			}
 			testOutput := `{"test": true}`

diff --git a/cmd/validate/image_test.go b/cmd/validate/image_test.go
@@ -585,7 +585,7 @@ spec:
 
 			cmd.SetContext(ctx)
 
-			err := afero.WriteFile(fs, "/policy.yaml", []byte(c.config), 0644)
+			err := afero.WriteFile(fs, "/policy.yaml", []byte(c.config), 0o644)
 			if err != nil {
 				panic(err)
 			}
@@ -641,7 +641,7 @@ func Test_ValidateImageCommandJSONPolicyFile(t *testing.T) {
         - '@minimal'
       exclude: []
 `
-	err := afero.WriteFile(fs, "/policy.json", []byte(testPolicyJSON), 0644)
+	err := afero.WriteFile(fs, "/policy.json", []byte(testPolicyJSON), 0o644)
 	if err != nil {
 		panic(err)
 	}
@@ -701,7 +701,7 @@ func Test_ValidateImageCommandExtraData(t *testing.T) {
         - '@minimal'
       exclude: []
 `
-	err := afero.WriteFile(fs, "/policy.json", []byte(testPolicyJSON), 0644)
+	err := afero.WriteFile(fs, "/policy.json", []byte(testPolicyJSON), 0o644)
 	if err != nil {
 		panic(err)
 	}
@@ -717,7 +717,7 @@ spec:
           repository: quay.io/some-namespace/msd
 `
 
-	err = afero.WriteFile(fs, "/value.yaml", []byte(testExtraRuleDataYAML), 0644)
+	err = afero.WriteFile(fs, "/value.yaml", []byte(testExtraRuleDataYAML), 0o644)
 	if err != nil {
 		panic(err)
 	}
@@ -784,7 +784,7 @@ func Test_ValidateImageCommandEmptyPolicyFile(t *testing.T) {
 
 	cmd.SetContext(ctx)
 
-	err := afero.WriteFile(fs, "/policy.yaml", []byte(nil), 0644)
+	err := afero.WriteFile(fs, "/policy.yaml", []byte(nil), 0o644)
 	if err != nil {
 		panic(err)
 	}
@@ -875,12 +875,12 @@ func Test_ValidateImageError(t *testing.T) {
         - '@minimal'
       exclude: []
 `
-			err := afero.WriteFile(fs, "/policy.yaml", []byte(testPolicyJSON), 0644)
+			err := afero.WriteFile(fs, "/policy.yaml", []byte(testPolicyJSON), 0o644)
 			if err != nil {
 				panic(err)
 			}
 
-			err = afero.WriteFile(fs, "/value.json", []byte(nil), 0644)
+			err = afero.WriteFile(fs, "/value.json", []byte(nil), 0o644)
 			if err != nil {
 				panic(err)
 			}
@@ -1450,7 +1450,7 @@ func TestValidateImageCommand_VSAUpload_Success(t *testing.T) {
 	ctx := utils.WithFS(context.Background(), fs)
 
 	// Create a test VSA signing key (real ECDSA P-256 key for testing)
-	err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0600)
+	err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0o600)
 	require.NoError(t, err)
 
 	client := fake.FakeClient{}
@@ -1510,7 +1510,7 @@ func TestValidateImageCommand_VSAUpload_NoStorageBackends(t *testing.T) {
 	ctx := utils.WithFS(context.Background(), fs)
 
 	// Create VSA signing key
-	err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0600)
+	err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0o600)
 	require.NoError(t, err)
 
 	client := fake.FakeClient{}
@@ -1654,7 +1654,7 @@ func TestValidateImageCommand_VSAFormat_DSSE(t *testing.T) {
 	ctx := utils.WithFS(context.Background(), fs)
 
 	// Create a test VSA signing key
-	err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0600)
+	err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0o600)
 	require.NoError(t, err)
 
 	client := fake.FakeClient{}
@@ -1923,7 +1923,7 @@ func TestGenerateVSAsDSSE_Errors(t *testing.T) {
 		ctx := utils.WithFS(context.Background(), fs)
 
 		// Create invalid signing key file
-		err := afero.WriteFile(fs, "/tmp/invalid-key.pem", []byte("invalid key content"), 0600)
+		err := afero.WriteFile(fs, "/tmp/invalid-key.pem", []byte("invalid key content"), 0o600)
 		require.NoError(t, err)
 
 		client := fake.FakeClient{}
@@ -2003,7 +2003,7 @@ func TestGenerateVSAsDSSE_Errors(t *testing.T) {
 		ctx := utils.WithFS(context.Background(), fs)
 
 		// Create a test VSA signing key
-		err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0600)
+		err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0o600)
 		require.NoError(t, err)
 
 		client := fake.FakeClient{}
@@ -2152,7 +2152,7 @@ func TestVSAGeneration_WithOutputDir(t *testing.T) {
 
 			// Create test VSA signing key if needed
 			if tt.needsKey {
-				err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0600)
+				err := afero.WriteFile(fs, "/tmp/vsa-key.pem", []byte(testECKey), 0o600)
 				require.NoError(t, err)
 			}