internal/common/common.go:330

• //nolint:gosec on os.Stat(filename) inside PathExists suppresses G304 for all callers of this helper. Since filename can be derived from environment-based host path overrides (HOST_*) and from exported APIs that accept string inputs (e.g. callers building sysfs/procfs paths), this blanket suppression can hide real file-inclusion/path-traversal findings. Prefer keeping PathExists clean and placing a narrowly-scoped suppression at the specific safe call sites, or add validation that the path stays within an expected base directory; also adjust the comment text since “not user input” isn’t guaranteed here.

	if _, err := os.Stat(filename); err == nil {
		return true

internal/common/common.go:338

• Same concern as PathExists: suppressing gosec at the helper level (os.Stat(filename)) makes future unsafe call sites invisible to the linter. Consider moving the suppression to the specific call sites that are known-safe, or validating/sanitizing filename before stat’ing it; the current comment claims it’s not user input, which isn’t universally true for this helper.

	info, err := os.Stat(filename) //nolint:gosec // filename is constructed from system paths, not user input
	if err != nil {

process/process_posix.go:114

• The //nolint:gosec justification here focuses on pid being an int32, but the path being stat’d also depends on common.HostProcWithContext(ctx) (which is derived from env/context overrides). If this is suppressing G304, please update the rationale to reflect the actual trust boundary (HOST_PROC overrides) and consider constraining/validating the constructed path (or scoping the suppression as tightly as possible).

		_, err := os.Stat(common.HostProcWithContext(ctx, strconv.Itoa(int(pid)))) //nolint:gosec // pid is int32, path traversal is not possible

process/process_test.go:289

• This test already has a // #nosec G204 marker above the function, and now also uses per-line //nolint:gosec directives. To reduce confusion and avoid future lint churn, consider using a single suppression style consistently (e.g., keep only the per-line suppression on the specific exec.CommandContext calls that trigger gosec, and remove/relocate the function-level #nosec if it’s not needed).

	err = exec.CommandContext(ctx, "go", "build", "-o", tmpfile.Name()+".exe", tmpfile.Name()).Run() //nolint:gosec // test code
	require.NoErrorf(t, err, "unable to build temp file %v", err)

	cmd := exec.CommandContext(ctx, tmpfile.Name()+".exe") //nolint:gosec // test code

process/process_test.go:329

• Same as above: there are both function-level // #nosec G204 comments and per-line //nolint:gosec directives in this test. Consider consolidating to one mechanism (preferably per-line on the exact exec.CommandContext calls) so it’s clear what is being suppressed and why.

	err = exec.CommandContext(ctx, "go", "build", "-o", tmpfile.Name()+".exe", tmpfile.Name()).Run() //nolint:gosec // test code
	require.NoErrorf(t, err, "unable to build temp file %v", err)

	cmd := exec.CommandContext(ctx, tmpfile.Name()+".exe") //nolint:gosec // test code

process/process_test.go:717

• Same as above: consider consolidating gosec suppression directives (function-level #nosec vs per-line //nolint:gosec) to a single, clearly scoped approach to keep the test’s intent and linting behavior easy to understand.

	err = exec.CommandContext(ctx, "go", "build", "-o", tmpfile.Name()+".exe", tmpfile.Name()).Run() //nolint:gosec // test code
	require.NoErrorf(t, err, "unable to build temp file %v", err)

	cmd := exec.CommandContext(ctx, tmpfile.Name()+".exe") //nolint:gosec // test code