chore: 配置 gosec 排除规则

- 新增 backend/.gosec.yaml 配置文件，排除 G704 (SSRF) 检查 - 更新 security-scan.yml workflow，使用 gosec 配置文件 - 原因：作为 API 网关平台，需要代理请求到配置的上游服务，所有上游 URL 来自管理员配置而非用户输入

chore: 配置 gosec 排除规则
- 新增 backend/.gosec.yaml 配置文件，排除 G704 (SSRF) 检查 - 更新 security-scan.yml workflow，使用 gosec 配置文件 - 原因：作为 API 网关平台，需要代理请求到配置的上游服务，所有上游 URL 来自管理员配置而非用户输入
5f4eb9f9 · wucm667 · c7b42148 · 5f4eb9f9 · 5f4eb9f9
Commit 5f4eb9f9 authored Feb 13, 2026 by wucm667
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@@ -32,7 +32,7 @@ jobs:
        working-directory: backend
        run: |
          go install github.com/securego/gosec/v2/cmd/gosec@latest
-          gosec -severity high -confidence high ./...
+          gosec -conf .gosec.yaml -severity high -confidence high ./...

  frontend-security:
    runs-on: ubuntu-latest

--- a/backend/.gosec.yaml
+++ b/backend/.gosec.yaml
+global:
+  # Exclude G704 (SSRF via taint analysis) - this is an API gateway platform
+  # that by design proxies requests to configurable upstream services.
+  # All upstream URLs are sourced from admin-configured settings or known
+  # third-party API endpoints, not from end-user input.
+  exclude:
+    - G704