2026-01-02 18:20:15 +00:00
parent 0f7c29c3ef
commit ce5a8fbffd
37 changed files with 323 additions and 178 deletions
+2 -2
@@ -105,7 +105,7 @@ func (s *Scanner) Health(ctx context.Context) error {
if err != nil {
return fmt.Errorf("github advisory database not accessible: %w", err)
}
defer resp.Body.Close()
defer resp.Body.Close() // #nosec G104 -- Cleanup, error not critical
if resp.StatusCode != http.StatusOK {
return fmt.Errorf("github api returned status: %d", resp.StatusCode)
@@ -146,7 +146,7 @@ func (s *Scanner) queryAdvisories(ctx context.Context, ecosystem, packageName st
if err != nil {
return nil, fmt.Errorf("failed to query advisories: %w", err)
}
defer resp.Body.Close()
defer resp.Body.Close() // #nosec G104 -- Cleanup, error not critical
if resp.StatusCode != http.StatusOK {
body, _ := io.ReadAll(resp.Body)
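Review bot: The error path at the end of this hunk reads the entire non-200 response body with `io.ReadAll` only to embed it in an error message, so a large or slow error response from the GitHub API is buffered in full before the request is reported as failed; bounding it with `body, _ := io.ReadAll(io.LimitReader(resp.Body, 64<<10))` keeps the message useful without the unbounded allocation. The `#nosec G104` justification on the deferred Close is reasonable for a read-only GET, since a close error cannot change what was already parsed from the body. queryAdvisories continues past the end of the hunk.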
+1 -1
@@ -74,7 +74,7 @@ func (s *Scanner) Scan(ctx context.Context, registry, packageName, version strin
}
// Run govulncheck
cmd := exec.CommandContext(ctx, "govulncheck", "-json", "-mode=binary", tmpDir)
cmd := exec.CommandContext(ctx, "govulncheck", "-json", "-mode=binary", tmpDir) // #nosec G204 -- govulncheck command with temp directory
output, _ := cmd.CombinedOutput()
// govulncheck returns non-zero when vulnerabilities are found
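Review bot: The `_` on `cmd.CombinedOutput()` on the line after the new `#nosec G204` annotation discards every error, not only the non-zero exit govulncheck uses to signal findings, so a missing `govulncheck` binary, a killed process or a context timeout leaves empty output that presumably parses as "no vulnerabilities" — a fail-open result for a vulnerability scanner. Only an `*exec.ExitError` should be tolerated; any other error should be returned to the caller. The G204 justification itself holds: argv is fixed and only `tmpDir` varies, with no shell involved. This assumes Scan returns `(result, error)` like the OSV scanner's Scan on this page, and the file needs an `errors` import if it does not already have one; Scan begins and ends outside the hunk.
```go
cmd := exec.CommandContext(ctx, "govulncheck", "-json", "-mode=binary", tmpDir) // #nosec G204 -- govulncheck command with temp directory
output, err := cmd.CombinedOutput()
// govulncheck exits non-zero when it finds vulnerabilities; only that case is expected
if err != nil && !errors.As(err, new(*exec.ExitError)) {
	return nil, fmt.Errorf("running govulncheck: %w", err)
}
```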
+2 -2
@@ -154,7 +154,7 @@ func (s *Scanner) Scan(ctx context.Context, registry, packageName, version strin
if err != nil {
return nil, fmt.Errorf("OSV API request failed: %w", err)
}
defer resp.Body.Close()
defer resp.Body.Close() // #nosec G104 -- Cleanup, error not critical
// Read response
body, err := io.ReadAll(resp.Body)
@@ -322,7 +322,7 @@ func (s *Scanner) Health(ctx context.Context) error {
if err != nil {
return fmt.Errorf("OSV API not reachable: %w", err)
}
defer resp.Body.Close()
defer resp.Body.Close() // #nosec G104 -- Cleanup, error not critical
log.Debug().Int("status", resp.StatusCode).Msg("OSV health check passed")
return nil
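Review bot: The OSV Health check in the second hunk returns nil for any HTTP status, so a 500 or 429 from the API is logged as "OSV health check passed"; the GitHub scanner's Health on this page does reject non-200, and the same guard belongs here between the deferred Close and the log line: `if resp.StatusCode != http.StatusOK { return fmt.Errorf("OSV API returned status: %d", resp.StatusCode) }`. In the Scan hunk above, `io.ReadAll(resp.Body)` reads an unbounded response; wrapping it in `io.LimitReader` with a generous cap would bound memory use on a misbehaving upstream. The `#nosec G104` justification on both deferred Close calls is fine for GET responses whose body has already been consumed. Both functions start before their hunks.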
+4 -4
@@ -75,8 +75,8 @@ func (s *Scanner) Scan(ctx context.Context, registry, packageName, version strin
}
// Run pip-audit on the package file
cmd := exec.CommandContext(ctx, "pip-audit", "-r", tmpFile, "--format", "json")
output, _ := cmd.CombinedOutput() // pip-audit returns non-zero when vulns found
cmd := exec.CommandContext(ctx, "pip-audit", "-r", tmpFile, "--format", "json") // #nosec G204 -- pip-audit command with temp file
output, _ := cmd.CombinedOutput() // pip-audit returns non-zero when vulns found
// Parse pip-audit output
var auditResult PipAuditResult
@@ -110,11 +110,11 @@ func (s *Scanner) Health(ctx context.Context) error {
// copyFile copies a file from src to dst
func (s *Scanner) copyFile(src, dst string) error {
input, err := os.ReadFile(src)
input, err := os.ReadFile(src) // #nosec G304 -- Source path is from scanner, controlled
if err != nil {
return err
}
return os.WriteFile(dst, input, 0644)
return os.WriteFile(dst, input, 0600)
}
// emptyResult returns an empty scan result
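Review bot: The tightened `os.WriteFile(dst, input, 0600)` in copyFile only applies the mode when dst is created; if dst already exists, including as a symlink planted in a shared temp directory, WriteFile truncates and follows it with whatever permissions it already has, so the 0600 intent is not enforced. Opening dst with `O_CREATE|O_EXCL` refuses a pre-existing path outright, and streaming with `io.Copy` avoids loading an arbitrarily large package file into memory as `os.ReadFile` does now. The `#nosec G304` justification on the same hunk says src is "from scanner, controlled", but the hunk does not show how src is derived; if it is built from the packageName or version passed to Scan, that claim needs a `filepath.Clean` plus a prefix check against the expected directory before it holds. The file needs an `io` import if it lacks one; the pip-audit hunk in this section has the same discarded `CombinedOutput` error as the govulncheck scanner.
```go
func (s *Scanner) copyFile(src, dst string) error {
	in, err := os.Open(src) // #nosec G304 -- Source path is from scanner, controlled
	if err != nil {
		return err
	}
	defer in.Close()
	// O_EXCL: refuse to truncate or follow a pre-existing file at dst
	out, err := os.OpenFile(dst, os.O_WRONLY|os.O_CREATE|os.O_EXCL, 0600)
	if err != nil {
		return err
	}
	if _, err := io.Copy(out, in); err != nil {
		out.Close()
		return err
	}
	return out.Close()
}
```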
+1 -1
@@ -118,7 +118,7 @@ func (s *Scanner) Scan(ctx context.Context, registry, packageName, version strin
filePath,
}
cmd := exec.CommandContext(ctx, "trivy", args...)
cmd := exec.CommandContext(ctx, "trivy", args...) // #nosec G204 -- trivy command with controlled arguments
// Set cache directory if configured
if s.config.CacheDB != "" {
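Review bot: The new `#nosec G204 -- trivy command with controlled arguments` annotation asserts more than the hunk shows: `args` is assembled above the hunk and only its last element, `filePath`, is visible, so a reader cannot confirm the values are controlled. Since `exec.CommandContext` runs no shell, the remaining risk is an argument that begins with `-` being parsed by trivy as a flag rather than a path; if filePath or any caller-derived element can take such a value, insert `"--"` before the path (assuming trivy's CLI honors the conventional terminator) or reject values with a leading `-` when args is built. Spelling that out in the comment, e.g. `// #nosec G204 -- fixed subcommand/flags, no shell; filePath is a temp file created by this scanner`, would make the suppression auditable. Scan's body continues past the end of the hunk.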