Add Gosec Github Action (#9332)

* add gosec security scan * add gosec ignores first batch * more nosec for exec * add filepath clean * more nosec * file inclusion nosec * build * herumi Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com>
2026-01-08 21:08:10 -05:00 · 2021-08-15 10:24:13 -05:00
parent 1936f991eb
commit 8122da6c97
37 changed files with 86 additions and 63 deletions
--- a/.github/workflows/go.yml
+++ b/.github/workflows/go.yml
@@ -31,6 +31,10 @@ jobs:
        with:
          goimports-path: ./

+      - name: Gosec security scanner
+        uses: securego/gosec@master
+        with:
+          args: '-exclude-dir=shared/bls/herumi ./...'
  build:
    name: Build
    runs-on: ubuntu-latest
--- a/beacon-chain/node/registration/p2p.go
+++ b/beacon-chain/node/registration/p2p.go
@@ -42,7 +42,7 @@ func P2PPreregistration(cliCtx *cli.Context) (bootstrapNodeAddrs []string, dataD
 }

 func readbootNodes(fileName string) ([]string, error) {
-	fileContent, err := ioutil.ReadFile(fileName)
+	fileContent, err := ioutil.ReadFile(fileName) // #nosec G304
 	if err != nil {
 		return nil, err
 	}
--- a/beacon-chain/p2p/utils.go
+++ b/beacon-chain/p2p/utils.go
@@ -89,7 +89,7 @@ func privKey(cfg *Config) (*ecdsa.PrivateKey, error) {

 // Retrieves a p2p networking private key from a file path.
 func privKeyFromFile(path string) (*ecdsa.PrivateKey, error) {
-	src, err := ioutil.ReadFile(path)
+	src, err := ioutil.ReadFile(path) // #nosec G304
 	if err != nil {
 		log.WithError(err).Error("Error reading private key from file")
 		return nil, err
@@ -135,7 +135,7 @@ func metaDataFromConfig(cfg *Config) (metadata.Metadata, error) {
 	if defaultMetadataExist && metaDataPath == "" {
 		metaDataPath = defaultKeyPath
 	}
-	src, err := ioutil.ReadFile(metaDataPath)
+	src, err := ioutil.ReadFile(metaDataPath) // #nosec G304
 	if err != nil {
 		log.WithError(err).Error("Error reading metadata from file")
 		return nil, err
--- a/endtoend/components/beacon_node.go
+++ b/endtoend/components/beacon_node.go
@@ -129,7 +129,7 @@ func (node *BeaconNode) Start(ctx context.Context) error {
 	args = append(args, featureconfig.E2EBeaconChainFlags...)
 	args = append(args, config.BeaconFlags...)

-	cmd := exec.CommandContext(ctx, binaryPath, args...)
+	cmd := exec.CommandContext(ctx, binaryPath, args...) /* #nosec G204 */
 	// Write stdout and stderr to log files.
 	stdout, err := os.Create(path.Join(e2e.TestParams.LogPath, fmt.Sprintf("beacon_node_%d_stdout.log", index)))
 	if err != nil {
--- a/endtoend/components/boot_node.go
+++ b/endtoend/components/boot_node.go
@@ -55,7 +55,7 @@ func (node *BootNode) Start(ctx context.Context) error {
 		"--debug",
 	}

-	cmd := exec.CommandContext(ctx, binaryPath, args...)
+	cmd := exec.CommandContext(ctx, binaryPath, args...) /* #nosec G204 */
 	cmd.Stdout = stdOutFile
 	cmd.Stderr = stdOutFile
 	log.Infof("Starting boot node with flags: %s", strings.Join(args[1:], " "))
@@ -84,7 +84,7 @@ func (node *BootNode) Started() <-chan struct{} {
 }

 func enrFromLogFile(name string) (string, error) {
-	byteContent, err := ioutil.ReadFile(name)
+	byteContent, err := ioutil.ReadFile(name) // #nosec G304
 	if err != nil {
 		return "", err
 	}
--- a/endtoend/components/eth1.go
+++ b/endtoend/components/eth1.go
@@ -81,7 +81,7 @@ func (node *Eth1Node) Start(ctx context.Context) error {
 		"--dev.period=2",
 		"--ipcdisable",
 	}
-	cmd := exec.CommandContext(ctx, binaryPath, args...)
+	cmd := exec.CommandContext(ctx, binaryPath, args...) /* #nosec G204 */
 	file, err := helpers.DeleteAndCreateFile(e2e.TestParams.LogPath, "eth1.log")
 	if err != nil {
 		return err
@@ -104,12 +104,12 @@ func (node *Eth1Node) Start(ctx context.Context) error {
 	web3 := ethclient.NewClient(client)

 	// Access the dev account keystore to deploy the contract.
-	fileName, err := exec.Command("ls", path.Join(eth1Path, "keystore")).Output()
+	fileName, err := exec.Command("ls", path.Join(eth1Path, "keystore")).Output() /* #nosec G204 */
 	if err != nil {
 		return err
 	}
 	keystorePath := path.Join(eth1Path, fmt.Sprintf("keystore/%s", strings.TrimSpace(string(fileName))))
-	jsonBytes, err := ioutil.ReadFile(keystorePath)
+	jsonBytes, err := ioutil.ReadFile(keystorePath) // #nosec G304
 	if err != nil {
 		return err
 	}
--- a/endtoend/components/slasher.go
+++ b/endtoend/components/slasher.go
@@ -92,7 +92,7 @@ func (node *SlasherNode) Start(ctx context.Context) error {
 	}

 	log.Infof("Starting slasher %d with flags: %s", node.index, strings.Join(args[2:], " "))
-	cmd := exec.CommandContext(ctx, binaryPath, args...)
+	cmd := exec.CommandContext(ctx, binaryPath, args...) /* #nosec G204 */
 	if err = cmd.Start(); err != nil {
 		return fmt.Errorf("failed to start slasher client: %w", err)
 	}
--- a/endtoend/components/validator.go
+++ b/endtoend/components/validator.go
@@ -155,7 +155,7 @@ func (v *ValidatorNode) Start(ctx context.Context) error {
 		log.Warning("Using latest release validator via prysm.sh")
 	}

-	cmd := exec.CommandContext(ctx, binaryPath, args...)
+	cmd := exec.CommandContext(ctx, binaryPath, args...) /* #nosec G204 */

 	// Write stdout and stderr to log files.
 	stdout, err := os.Create(path.Join(e2e.TestParams.LogPath, fmt.Sprintf("validator_%d_stdout.log", index)))
@@ -202,7 +202,7 @@ func SendAndMineDeposits(keystorePath string, validatorNum, offset int, partial
 	defer client.Close()
 	web3 := ethclient.NewClient(client)

-	keystoreBytes, err := ioutil.ReadFile(keystorePath)
+	keystoreBytes, err := ioutil.ReadFile(keystorePath) // #nosec G304
 	if err != nil {
 		return err
 	}
--- a/endtoend/helpers/helpers.go
+++ b/endtoend/helpers/helpers.go
@@ -168,7 +168,7 @@ func WritePprofFiles(testDir string, index int) error {
 }

 func writeURLRespAtPath(url, filePath string) error {
-	resp, err := http.Get(url)
+	resp, err := http.Get(url) /* #nosec G107 */
 	if err != nil {
 		return err
 	}
--- a/shared/benchutil/pregen.go
+++ b/shared/benchutil/pregen.go
@@ -45,7 +45,7 @@ func PreGenState1Epoch() (state.BeaconState, error) {
 	if err != nil {
 		return nil, err
 	}
-	beaconBytes, err := ioutil.ReadFile(path)
+	beaconBytes, err := ioutil.ReadFile(path) // #nosec G304
 	if err != nil {
 		return nil, err
 	}
@@ -62,7 +62,7 @@ func PreGenstateFullEpochs() (state.BeaconState, error) {
 	if err != nil {
 		return nil, err
 	}
-	beaconBytes, err := ioutil.ReadFile(path)
+	beaconBytes, err := ioutil.ReadFile(path) // #nosec G304
 	if err != nil {
 		return nil, err
 	}
@@ -79,7 +79,7 @@ func PreGenFullBlock() (*ethpb.SignedBeaconBlock, error) {
 	if err != nil {
 		return nil, err
 	}
-	blockBytes, err := ioutil.ReadFile(path)
+	blockBytes, err := ioutil.ReadFile(path) // #nosec G304
 	if err != nil {
 		return nil, err
 	}
--- a/shared/bls/blst/signature.go
+++ b/shared/bls/blst/signature.go
@@ -227,7 +227,7 @@ func VerifyMultipleSignatures(sigs [][]byte, msgs [][32]byte, pubKeys []common.P
 		var rbytes [scalarBytes]byte
 		randLock.Lock()
 		// Ignore error as the error will always be nil in `read` in math/rand.
-		randGen.Read(rbytes[:])
+		randGen.Read(rbytes[:]) /* #nosec G104 */
 		randLock.Unlock()
 		// Protect against the generator returning 0. Since the scalar value is
 		// derived from a big endian byte slice, we take the last byte.
--- a/shared/debug/debug.go
+++ b/shared/debug/debug.go
@@ -22,7 +22,10 @@ import (
 	"fmt"
 	"io"
 	"net/http"
-	_ "net/http/pprof" // required to serve pprof http endpoints.
+
+	// We are safe to expose this import as we are using a custom
+	// handler only enabled if the pprof flag is on.
+	_ "net/http/pprof" // #nosec G108
 	"os"
 	"os/user"
 	"path/filepath"
--- a/shared/fileutil/fileutil.go
+++ b/shared/fileutil/fileutil.go
@@ -197,7 +197,7 @@ func ReadFileAsBytes(filename string) ([]byte, error) {
 	if err != nil {
 		return nil, errors.Wrap(err, "could not determine absolute path of password file")
 	}
-	return ioutil.ReadFile(filePath)
+	return ioutil.ReadFile(filePath) // #nosec G304
 }

 // CopyFile copy a file from source to destination path.
@@ -205,11 +205,11 @@ func CopyFile(src, dst string) error {
 	if !FileExists(src) {
 		return errors.New("source file does not exist at provided path")
 	}
-	f, err := os.Open(src)
+	f, err := os.Open(src) // #nosec G304
 	if err != nil {
 		return err
 	}
-	dstFile, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, params.BeaconIoConfig().ReadWritePermissions)
+	dstFile, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, params.BeaconIoConfig().ReadWritePermissions) // #nosec G304
 	if err != nil {
 		return err
 	}
@@ -277,7 +277,7 @@ func HashDir(dir string) (string, error) {
 	files = append([]string(nil), files...)
 	sort.Strings(files)
 	for _, file := range files {
-		fd, err := os.Open(filepath.Join(dir, file))
+		fd, err := os.Open(filepath.Join(dir, file)) // #nosec G304
 		if err != nil {
 			return "", err
 		}
--- a/shared/logutil/logutil.go
+++ b/shared/logutil/logutil.go
@@ -20,7 +20,7 @@ func addLogWriter(w io.Writer) {
 // ConfigurePersistentLogging adds a log-to-file writer. File content is identical to stdout.
 func ConfigurePersistentLogging(logFileName string) error {
 	logrus.WithField("logFileName", logFileName).Info("Logs will be made persistent")
-	f, err := os.OpenFile(logFileName, os.O_CREATE|os.O_WRONLY|os.O_APPEND, params.BeaconIoConfig().ReadWritePermissions)
+	f, err := os.OpenFile(logFileName, os.O_CREATE|os.O_WRONLY|os.O_APPEND, params.BeaconIoConfig().ReadWritePermissions) // #nosec G304
 	if err != nil {
 		return err
 	}
--- a/shared/params/loader.go
+++ b/shared/params/loader.go
@@ -12,7 +12,7 @@ import (
 // LoadChainConfigFile load, convert hex values into valid param yaml format,
 // unmarshal , and apply beacon chain config file.
 func LoadChainConfigFile(chainConfigFileName string) {
-	yamlFile, err := ioutil.ReadFile(chainConfigFileName)
+	yamlFile, err := ioutil.ReadFile(chainConfigFileName) // #nosec G304
 	if err != nil {
 		log.WithError(err).Fatal("Failed to read chain config file.")
 	}
--- a/shared/prereq/prereq.go
+++ b/shared/prereq/prereq.go
@@ -27,7 +27,7 @@ var (

 // execShellOutputFunc passes a command and args to exec.CommandContext and returns the result as a string
 func execShellOutputFunc(ctx context.Context, command string, args ...string) (string, error) {
-	result, err := exec.CommandContext(ctx, command, args...).Output()
+	result, err := exec.CommandContext(ctx, command, args...).Output() /* #nosec G204 */
 	if err != nil {
 		return "", errors.Wrap(err, "error in command execution")
 	}
--- a/shared/promptutil/prompt.go
+++ b/shared/promptutil/prompt.go
@@ -132,7 +132,7 @@ func InputPassword(
 		if err != nil {
 			return "", errors.Wrap(err, "could not determine absolute path of password file")
 		}
-		data, err := ioutil.ReadFile(passwordFilePath)
+		data, err := ioutil.ReadFile(passwordFilePath) // #nosec G304
 		if err != nil {
 			return "", errors.Wrap(err, "could not read password file")
 		}
--- a/shared/rand/rand.go
+++ b/shared/rand/rand.go
@@ -39,7 +39,7 @@ import (
 type source struct{}

 var lock sync.RWMutex
-var _ mrand.Source64 = (*source)(nil)
+var _ mrand.Source64 = (*source)(nil) /* #nosec G404 */

 // Seed does nothing when crypto/rand is used as source.
 func (s *source) Seed(_ int64) {}
@@ -62,7 +62,7 @@ func (s *source) Uint64() (val uint64) {
 }

 // Rand is alias for underlying random generator.
-type Rand = mrand.Rand
+type Rand = mrand.Rand /* #nosec G404 */

 // NewGenerator returns a new generator that uses random values from crypto/rand as a source
 // (cryptographically secure random number generator).
@@ -70,7 +70,7 @@ type Rand = mrand.Rand
 // Use it for everything where crypto secure non-deterministic randomness is required. Performance
 // takes a hit, so use sparingly.
 func NewGenerator() *Rand {
-	return mrand.New(&source{})
+	return mrand.New(&source{}) /* #nosec G404 */
 }

 // NewDeterministicGenerator returns a random generator which is only seeded with crypto/rand,
@@ -80,5 +80,5 @@ func NewGenerator() *Rand {
 // Otherwise, rely on NewGenerator().
 func NewDeterministicGenerator() *Rand {
 	randGen := NewGenerator()
-	return mrand.New(mrand.NewSource(randGen.Int63()))
+	return mrand.New(mrand.NewSource(randGen.Int63())) /* #nosec G404 */
 }
--- a/shared/sszutil/deep_equal.go
+++ b/shared/sszutil/deep_equal.go
@@ -13,8 +13,8 @@ import (
 // checks in progress are true when it reencounters them.
 // Visited comparisons are stored in a map indexed by visit.
 type visit struct {
-	a1  unsafe.Pointer
-	a2  unsafe.Pointer
+	a1  unsafe.Pointer /* #nosec G103 */
+	a2  unsafe.Pointer /* #nosec G103 */
 	typ reflect.Type
 }

@@ -48,8 +48,9 @@ func deepValueEqual(v1, v2 reflect.Value, visited map[visit]bool, depth int) boo
 	}

 	if v1.CanAddr() && v2.CanAddr() && hard(v1.Kind()) {
-		addr1 := unsafe.Pointer(v1.UnsafeAddr())
-		addr2 := unsafe.Pointer(v2.UnsafeAddr())
+		addr1 := unsafe.Pointer(v1.UnsafeAddr()) /* #nosec G103 */
+		addr2 := unsafe.Pointer(v2.UnsafeAddr()) /* #nosec G103 */
+
 		if uintptr(addr1) > uintptr(addr2) {
 			// Canonicalize order to reduce number of entries in visited.
 			// Assumes non-moving garbage collector.
@@ -138,8 +139,8 @@ func deepValueEqualExportedOnly(v1, v2 reflect.Value, visited map[visit]bool, de
 	}

 	if v1.CanAddr() && v2.CanAddr() && hard(v1.Kind()) {
-		addr1 := unsafe.Pointer(v1.UnsafeAddr())
-		addr2 := unsafe.Pointer(v2.UnsafeAddr())
+		addr1 := unsafe.Pointer(v1.UnsafeAddr()) /* #nosec G103 */
+		addr2 := unsafe.Pointer(v2.UnsafeAddr()) /* #nosec G103 */
 		if uintptr(addr1) > uintptr(addr2) {
 			// Canonicalize order to reduce number of entries in visited.
 			// Assumes non-moving garbage collector.
--- a/shared/testutil/bazel.go
+++ b/shared/testutil/bazel.go
@@ -26,7 +26,7 @@ func BazelFileBytes(filePaths ...string) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	fileBytes, err := ioutil.ReadFile(filepath)
+	fileBytes, err := ioutil.ReadFile(filepath) // #nosec G304
 	if err != nil {
 		return nil, err
 	}
--- a/spectest/shared/phase0/epoch_processing/helpers.go
+++ b/spectest/shared/phase0/epoch_processing/helpers.go
@@ -50,7 +50,7 @@ func RunEpochOperationTest(
 	if postSSZExists {
 		require.NoError(t, err)

-		postBeaconStateFile, err := ioutil.ReadFile(postSSZFilepath)
+		postBeaconStateFile, err := ioutil.ReadFile(postSSZFilepath) // #nosec G304
 		require.NoError(t, err)
 		postBeaconStateSSZ, err := snappy.Decode(nil /* dst */, postBeaconStateFile)
 		require.NoError(t, err, "Failed to decompress")
--- a/spectest/shared/phase0/operations/block_header.go
+++ b/spectest/shared/phase0/operations/block_header.go
@@ -56,7 +56,7 @@ func RunBlockHeaderTest(t *testing.T, config string) {
 			if postSSZExists {
 				require.NoError(t, err)

-				postBeaconStateFile, err := ioutil.ReadFile(postSSZFilepath)
+				postBeaconStateFile, err := ioutil.ReadFile(postSSZFilepath) // #nosec G304
 				require.NoError(t, err)
 				postBeaconStateSSZ, err := snappy.Decode(nil /* dst */, postBeaconStateFile)
 				require.NoError(t, err, "Failed to decompress")
--- a/spectest/shared/phase0/operations/helpers.go
+++ b/spectest/shared/phase0/operations/helpers.go
@@ -58,7 +58,7 @@ func RunBlockOperationTest(
 	if postSSZExists {
 		require.NoError(t, err)

-		postBeaconStateFile, err := ioutil.ReadFile(postSSZFilepath)
+		postBeaconStateFile, err := ioutil.ReadFile(postSSZFilepath) // #nosec G304
 		require.NoError(t, err)
 		postBeaconStateSSZ, err := snappy.Decode(nil /* dst */, postBeaconStateFile)
 		require.NoError(t, err, "Failed to decompress")
--- a/spectest/shared/phase0/sanity/block_processing.go
+++ b/spectest/shared/phase0/sanity/block_processing.go
@@ -83,7 +83,7 @@ func RunBlockProcessingTest(t *testing.T, config string) {
 					t.Errorf("Unexpected error: %v", transitionError)
 				}

-				postBeaconStateFile, err := ioutil.ReadFile(postSSZFilepath)
+				postBeaconStateFile, err := ioutil.ReadFile(postSSZFilepath) // #nosec G304
 				require.NoError(t, err)
 				postBeaconStateSSZ, err := snappy.Decode(nil /* dst */, postBeaconStateFile)
 				require.NoError(t, err, "Failed to decompress")
--- a/tools/analyzers/cryptorand/testdata/custom_import.go
+++ b/tools/analyzers/cryptorand/testdata/custom_import.go
@@ -8,19 +8,25 @@ import (

 // UseRandNewCustomImport --
 func UseRandNewCustomImport() {
+	// #nosec G404
 	source := mathRand.NewSource(time.Now().UnixNano()) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
-	randGenerator := mathRand.New(source)               // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
+	// #nosec G404
+	randGenerator := mathRand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
 	start := uint64(randGenerator.Intn(32))
 	_ = start

+	// #nosec G404
 	source = mathRand.NewSource(time.Now().UnixNano()) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
-	randGenerator = mathRand.New(source)               // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
+	// #nosec G404
+	randGenerator = mathRand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
 }

 // UseWithoutSeeCustomImport --
 func UseWithoutSeeCustomImport() {
+	// #nosec G404
 	assignedIndex := mathRand.Intn(128) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
 	_ = assignedIndex
+	// #nosec G404
 	foobar.Shuffle(10, func(i, j int) { // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"

 	})
--- a/tools/analyzers/cryptorand/testdata/rand_new.go
+++ b/tools/analyzers/cryptorand/testdata/rand_new.go
@@ -8,17 +8,22 @@ import (

 // UseRandNew --
 func UseRandNew() {
+	// #nosec G404
 	source := rand.NewSource(time.Now().UnixNano()) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
-	randGenerator := mathRand.New(source)           // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
+	// #nosec G404
+	randGenerator := mathRand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
 	start := uint64(randGenerator.Intn(32))
 	_ = start

+	// #nosec G404
 	source = rand.NewSource(time.Now().UnixNano()) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
-	randGenerator = rand.New(source)               // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
+	// #nosec G404
+	randGenerator = rand.New(source) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
 }

 // UseWithoutSeed --
 func UseWithoutSeed() {
+	// #nosec G404
 	assignedIndex := rand.Intn(128) // want "crypto-secure RNGs are required, use CSPRNG or PRNG defined in github.com/prysmaticlabs/prysm/shared/rand"
 	_ = assignedIndex
 }
--- a/tools/beacon-fuzz/main.go
+++ b/tools/beacon-fuzz/main.go
@@ -48,7 +48,7 @@ func main() {
 		if err != nil {
 			panic(fmt.Sprintf("%s does not end in an integer for the filename.", p))
 		}
-		b, err := ioutil.ReadFile(p)
+		b, err := ioutil.ReadFile(p) // #nosec G304
 		if err != nil {
 			panic(err)
 		}
--- a/tools/eth1exporter/main.go
+++ b/tools/eth1exporter/main.go
@@ -155,7 +155,7 @@ func ReloadHTTP(w http.ResponseWriter, _ *http.Request) {

 // OpenAddresses from text file (name:address)
 func OpenAddresses(filename string) error {
-	file, err := os.Open(filename)
+	file, err := os.Open(filename) // #nosec G304
 	if err != nil {
 		return err
 	}
--- a/tools/genesis-state-gen/main.go
+++ b/tools/genesis-state-gen/main.go
@@ -63,7 +63,7 @@ func main() {
 			log.Printf("Could not expand file path %s: %v", inputFile, err)
 			return
 		}
-		inputJSON, err := os.Open(expanded)
+		inputJSON, err := os.Open(expanded) // #nosec G304
 		if err != nil {
 			log.Printf("Could not open JSON file for reading: %v", err)
 			return
--- a/tools/interop/convert-keys/main.go
+++ b/tools/interop/convert-keys/main.go
@@ -31,7 +31,7 @@ func main() {
 	}
 	inFile := os.Args[1]

-	in, err := ioutil.ReadFile(inFile)
+	in, err := ioutil.ReadFile(inFile) // #nosec G304
 	if err != nil {
 		log.Fatalf("Failed to read file %s: %v", inFile, err)
 	}
--- a/tools/keystores/main.go
+++ b/tools/keystores/main.go
@@ -224,7 +224,7 @@ func encrypt(cliCtx *cli.Context) error {
 // Reads the keystore file at the provided path and attempts
 // to decrypt it with the specified passwords.
 func readAndDecryptKeystore(fullPath, password string) error {
-	file, err := ioutil.ReadFile(fullPath)
+	file, err := ioutil.ReadFile(fullPath) // #nosec G304
 	if err != nil {
 		return errors.Wrapf(err, "could not read file at path: %s", fullPath)
 	}
--- a/tools/pcli/main.go
+++ b/tools/pcli/main.go
@@ -208,7 +208,7 @@ func main() {

 // dataFetcher fetches and unmarshals data from file to provided data structure.
 func dataFetcher(fPath string, data fssz.Unmarshaler) error {
-	rawFile, err := ioutil.ReadFile(fPath)
+	rawFile, err := ioutil.ReadFile(fPath) // #nosec G304
 	if err != nil {
 		return err
 	}
--- a/tools/specs-checker/download.go
+++ b/tools/specs-checker/download.go
@@ -50,7 +50,7 @@ func getAndSaveFile(specDocUrl, outFilePath string) error {
 	}()

 	// Download spec doc.
-	resp, err := http.Get(specDocUrl)
+	resp, err := http.Get(specDocUrl) /* #nosec G107 */
 	if err != nil {
 		return err
 	}
--- a/validator/accounts/accounts_import.go
+++ b/validator/accounts/accounts_import.go
@@ -199,7 +199,7 @@ func ImportAccountsCli(cliCtx *cli.Context) error {
 	var accountsPassword string
 	if cliCtx.IsSet(flags.AccountPasswordFileFlag.Name) {
 		passwordFilePath := cliCtx.String(flags.AccountPasswordFileFlag.Name)
-		data, err := ioutil.ReadFile(passwordFilePath)
+		data, err := ioutil.ReadFile(passwordFilePath) // #nosec G304
 		if err != nil {
 			return err
 		}
@@ -248,7 +248,7 @@ func importPrivateKeyAsAccount(cliCtx *cli.Context, wallet *wallet.Wallet, km *i
 	if !fileutil.FileExists(fullPath) {
 		return fmt.Errorf("file %s does not exist", fullPath)
 	}
-	privKeyHex, err := ioutil.ReadFile(fullPath)
+	privKeyHex, err := ioutil.ReadFile(fullPath) // #nosec G304
 	if err != nil {
 		return errors.Wrapf(err, "could not read private key file at path %s", fullPath)
 	}
@@ -288,7 +288,7 @@ func importPrivateKeyAsAccount(cliCtx *cli.Context, wallet *wallet.Wallet, km *i
 }

 func readKeystoreFile(_ context.Context, keystoreFilePath string) (*keymanager.Keystore, error) {
-	keystoreBytes, err := ioutil.ReadFile(keystoreFilePath)
+	keystoreBytes, err := ioutil.ReadFile(keystoreFilePath) // #nosec G304
 	if err != nil {
 		return nil, errors.Wrap(err, "could not read keystore file")
 	}
--- a/validator/accounts/wallet/wallet.go
+++ b/validator/accounts/wallet/wallet.go
@@ -117,7 +117,7 @@ func IsValid(walletDir string) (bool, error) {
 	if err != nil {
 		return false, err
 	}
-	f, err := os.Open(expanded)
+	f, err := os.Open(expanded) // #nosec G304
 	if err != nil {
 		if strings.Contains(err.Error(), "no such file") ||
 			strings.Contains(err.Error(), "cannot find the file") ||
@@ -373,7 +373,7 @@ func (w *Wallet) ReadKeymanagerConfigFromDisk(_ context.Context) (io.ReadCloser,
 		return nil, fmt.Errorf("no keymanager config file found at path: %s", w.accountsPath)
 	}
 	w.configFilePath = configFilePath
-	return os.Open(configFilePath)
+	return os.Open(configFilePath) // #nosec G304

 }

@@ -390,7 +390,7 @@ func (w *Wallet) WriteKeymanagerConfigToDisk(_ context.Context, encoded []byte)
 }

 func readKeymanagerKindFromWalletPath(walletPath string) (keymanager.Kind, error) {
-	walletItem, err := os.Open(walletPath)
+	walletItem, err := os.Open(walletPath) // #nosec G304
 	if err != nil {
 		return 0, err
 	}
--- a/validator/accounts/wallet_recover.go
+++ b/validator/accounts/wallet_recover.go
@@ -22,11 +22,15 @@ import (
 )

 const (
-	phraseWordCount                 = 24
-	newMnemonicPassphraseYesNoText  = "(Advanced) Do you want to setup a '25th word' passphrase for your mnemonic? [y/n]"
+	phraseWordCount = 24
+	/* #nosec G101 */
+	newMnemonicPassphraseYesNoText = "(Advanced) Do you want to setup a '25th word' passphrase for your mnemonic? [y/n]"
+	/* #nosec G101 */
 	newMnemonicPassphrasePromptText = "(Advanced) Setup a passphrase '25th word' for your mnemonic " +
 		"(WARNING: You cannot recover your keys from your mnemonic if you forget this passphrase!)"
-	mnemonicPassphraseYesNoText  = "(Advanced) Do you have an optional '25th word' passphrase for your mnemonic? [y/n]"
+	/* #nosec G101 */
+	mnemonicPassphraseYesNoText = "(Advanced) Do you have an optional '25th word' passphrase for your mnemonic? [y/n]"
+	/* #nosec G101 */
 	mnemonicPassphrasePromptText = "(Advanced) Enter the '25th word' passphrase for your mnemonic"
 )

@@ -148,7 +152,7 @@ func RecoverWallet(ctx context.Context, cfg *RecoverWalletConfig) (*wallet.Walle
 func inputMnemonic(cliCtx *cli.Context) (mnemonicPhrase string, err error) {
 	if cliCtx.IsSet(flags.MnemonicFileFlag.Name) {
 		mnemonicFilePath := cliCtx.String(flags.MnemonicFileFlag.Name)
-		data, err := ioutil.ReadFile(mnemonicFilePath)
+		data, err := ioutil.ReadFile(mnemonicFilePath) // #nosec G304
 		if err != nil {
 			return "", err
 		}
--- a/validator/graffiti/parse_graffiti.go
+++ b/validator/graffiti/parse_graffiti.go
@@ -26,7 +26,7 @@ type Graffiti struct {

 // ParseGraffitiFile parses the graffiti file and returns the graffiti struct.
 func ParseGraffitiFile(f string) (*Graffiti, error) {
-	yamlFile, err := ioutil.ReadFile(f)
+	yamlFile, err := ioutil.ReadFile(f) // #nosec G304
 	if err != nil {
 		return nil, err
 	}