From 9b97d41f18589b12c354294cd761951918451352 Mon Sep 17 00:00:00 2001
From: clawbot <clawbot@git.eeqj.de>
Date: Fri, 20 Feb 2026 00:04:09 -0800
Subject: [PATCH] fix: suppress gosec G704 SSRF false positive on webhook URLs
 from config

The webhook/ntfy URLs come from validated application configuration,
not user input. gosec G704 (new in gosec 2.23.0) taint analysis
cannot distinguish config-provided URLs from user-controlled input.
---
 internal/notify/notify.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/notify/notify.go b/internal/notify/notify.go
index 08dbe5a..75c36c9 100644
--- a/internal/notify/notify.go
+++ b/internal/notify/notify.go
@@ -147,7 +147,7 @@ func (svc *Service) sendNtfy(
 	request.Header.Set("Title", title)
 	request.Header.Set("Priority", ntfyPriority(priority))
 
-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) // #nosec G704 -- URL comes from validated application config
 	if err != nil {
 		return fmt.Errorf("sending ntfy request: %w", err)
 	}
@@ -228,7 +228,7 @@ func (svc *Service) sendSlack(
 
 	request.Header.Set("Content-Type", "application/json")
 
-	resp, err := svc.client.Do(request)
+	resp, err := svc.client.Do(request) // #nosec G704 -- URL comes from validated application config
 	if err != nil {
 		return fmt.Errorf("sending webhook request: %w", err)
 	}