Fix Copilot security scanning issues

Vivek Reddy · claude · Vivek Reddy · commit 3f00444d4bfb · 2026-01-20T09:14:29.000-08:00
- Add int32Param function with proper bounds checking using strconv.ParseInt to safely convert string parameters to int32 without potential overflow - Add documentation explaining why InsecureSkipVerify is required for E2E testing (self-signed Splunk certs via port-forward to localhost) - Add #nosec and //nolint:gosec annotations to suppress false positive 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/e2e/framework/runner/topology.go b/e2e/framework/runner/topology.go
@@ -153,8 +153,8 @@ func (r *Runner) runTopologyGroup(ctx context.Context, group topologyGroup) []re
 		LicenseMasterRef:     strings.TrimSpace(group.params["license_master_ref"]),
 		MonitoringConsoleRef: strings.TrimSpace(group.params["monitoring_console_ref"]),
 		ClusterManagerKind:   strings.TrimSpace(group.params["cluster_manager_kind"]),
-		IndexerReplicas:      int32(intParam(group.params, "indexer_replicas", defaultIndexerReplicas(group.kind))),
-		SHCReplicas:          int32(intParam(group.params, "shc_replicas", defaultSHCReplicas(group.kind))),
+		IndexerReplicas:      int32Param(group.params, "indexer_replicas", int32(defaultIndexerReplicas(group.kind))),
+		SHCReplicas:          int32Param(group.params, "shc_replicas", int32(defaultSHCReplicas(group.kind))),
 		WithSHC:              boolParam(group.params, "with_shc", true),
 		SiteCount:            intParam(group.params, "site_count", defaultSiteCount(group.kind)),
 	}
@@ -306,6 +306,20 @@ func intParam(params map[string]string, key string, fallback int) int {
 	return value
 }
 
+// int32Param safely parses a parameter as int32 with bounds checking.
+// Returns fallback if the value is empty, invalid, or out of int32 range.
+func int32Param(params map[string]string, key string, fallback int32) int32 {
+	raw := strings.TrimSpace(params[key])
+	if raw == "" {
+		return fallback
+	}
+	value, err := strconv.ParseInt(raw, 10, 32)
+	if err != nil {
+		return fallback
+	}
+	return int32(value)
+}
+
 func boolParam(params map[string]string, key string, fallback bool) bool {
 	raw := strings.TrimSpace(params[key])
 	if raw == "" {
diff --git a/e2e/framework/splunkd/client.go b/e2e/framework/splunkd/client.go
@@ -265,10 +265,18 @@ func (c *Client) doRequest(ctx context.Context, port int, method, path string, q
 		req.Header.Set(key, value)
 	}
 
+	// Note: InsecureSkipVerify is required for E2E testing because:
+	// 1. Splunk pods use self-signed certificates by default
+	// 2. This client connects via port-forward to localhost (127.0.0.1)
+	// 3. Certificate hostname verification would fail for localhost connections
+	// 4. This is test framework code, not production code
+	// #nosec G402 -- This is intentional for E2E test framework connecting to self-signed Splunk certs
 	client := &http.Client{
 		Timeout: 60 * time.Second,
 		Transport: &http.Transport{
-			TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
+			TLSClientConfig: &tls.Config{
+				InsecureSkipVerify: true, //nolint:gosec // Required for self-signed Splunk certs in E2E tests
+			},
 		},
 	}
 	resp, err := client.Do(req)
