From 09014c0c5ca7d24bbad09e821efe6c676702f12f Mon Sep 17 00:00:00 2001
From: Ben Kochie <superq@gmail.com>
Date: Fri, 16 Feb 2024 09:41:06 +0100
Subject: [PATCH] Enforce no subprocess policy (#2926)

Add depguard to golangci-lint to enforce the no-os/exec policy.

Signed-off-by: Ben Kochie <superq@gmail.com>
---
 .golangci.yml | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/.golangci.yml b/.golangci.yml
index 3f7e4589..472b3a5e 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,5 +1,6 @@
 linters:
   enable:
+    - depguard
     - misspell
     - revive
   disable:
@@ -19,6 +20,14 @@ issues:
         - errcheck
 
 linters-settings:
+  depguard:
+    rules:
+      no_exec_policy:
+        files:
+          - "!$test"
+        deny:
+          - pkg: "os/exec"
+            desc: "Using os/exec to run sub processes it not allowed by policy"
   errcheck:
     exclude-functions:
       # Used in HTTP handlers, any error is handled by the server itself.