fix: annotate jwt placeholder secret

kmendell · kmendell · commit 315d3e9ad0d3 · 2026-06-04T12:14:50.000-05:00
diff --git a/backend/pkg/utils/jwtclaims/jwt.go b/backend/pkg/utils/jwtclaims/jwt.go
@@ -87,7 +87,7 @@ const (
 	// KnownInsecureJWTSecret is the placeholder shipped in config.go's struct
 	// tag; it must never sign real tokens. Keep in sync with the `default:` tag
 	// on Config.JWTSecret.
-	KnownInsecureJWTSecret = "default-jwt-secret-change-me" //nolint:gosec // public placeholder config default, intentionally rejected for production signing
+	KnownInsecureJWTSecret = "default-jwt-secret-change-me" // #nosec G101: public placeholder config default, intentionally rejected for production signing
 	// MinJWTSecretLength matches the 32-byte floor enforced for ENCRYPTION_KEY.
 	MinJWTSecretLength = 32
 )

Original file line number	Diff line number	Diff line change
`@@ -87,7 +87,7 @@ const (`
`87`	`87`	`// KnownInsecureJWTSecret is the placeholder shipped in config.go's struct`
`88`	`88`	// tag; it must never sign real tokens. Keep in sync with the `default:` tag
`89`	`89`	`// on Config.JWTSecret.`
`90`		`- KnownInsecureJWTSecret = "default-jwt-secret-change-me" //nolint:gosec // public placeholder config default, intentionally rejected for production signing`
	`90`	`+ KnownInsecureJWTSecret = "default-jwt-secret-change-me" // #nosec G101: public placeholder config default, intentionally rejected for production signing`
`91`	`91`	`// MinJWTSecretLength matches the 32-byte floor enforced for ENCRYPTION_KEY.`
`92`	`92`	`MinJWTSecretLength = 32`
`93`	`93`	`)`