fix: address additional Copilot review feedback

dlevy-msft-sql · dlevy-msft-sql · commit af11705dcbc1 · 2026-02-02T00:05:02.000-06:00
Security improvements:
- Add SHA256 checksum verification for golangci-lint v1.64.8
  (b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e)

Password handling:
- Consolidate to single env var (MSSQL_SA_PASSWORD only)
- Use MSSQL_SA_PASSWORD in healthcheck for consistency
- Set savePassword: false in mssql.connections (prompts on first use)

Tool management:
- Disable go.toolsManagement.autoUpdate to preserve pinned versions

Documentation:
- Clarify CI comparison (same env var names, not identical config)
- Update password change instructions to be clearer
diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile
@@ -15,9 +15,11 @@ RUN curl -fsSL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor
 ENV PATH="/opt/mssql-tools18/bin:${PATH}"
 
 # Install golangci-lint for code quality
-# Download pre-built binary directly instead of running install script (supply chain security)
+# Download pre-built binary with SHA256 checksum verification (supply chain security)
 ARG GOLANGCI_LINT_VERSION=1.64.8
+ARG GOLANGCI_LINT_SHA256=b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e
 RUN curl -fsSLO "https://github.com/golangci/golangci-lint/releases/download/v${GOLANGCI_LINT_VERSION}/golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" \
+    && echo "${GOLANGCI_LINT_SHA256}  golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" | sha256sum -c - \
     && tar -xzf "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" \
     && mv "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64/golangci-lint" /usr/local/bin/ \
     && rm -rf "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64" "golangci-lint-${GOLANGCI_LINT_VERSION}-linux-amd64.tar.gz" \
diff --git a/.devcontainer/README.md b/.devcontainer/README.md
@@ -143,7 +143,7 @@ The following environment variables are set automatically:
 | `SQLCMDDATABASE` | `master` |
 | `SQLCMDDBNAME` | `master` |
 
-These are the same variables used by the CI pipeline, so tests run identically.
+These use the same environment variable names as the CI pipeline to ensure local tests behave similarly, although the actual password and SQL Server version in CI may differ.
 
 ## Working with sqlcmd
 
@@ -184,7 +184,7 @@ The `setup.sql` script in `.devcontainer/mssql/` is executed automatically when
 To change the SQL Server password:
 
 1. Update `MSSQL_SA_PASSWORD` in `docker-compose.yml`
-2. Update `SQLCMDPASSWORD` in `devcontainer.json` (remoteEnv section)
+2. Update `SQLCMDPASSWORD` in `devcontainer.json` (both `remoteEnv` and `go.testEnvVars` sections)
 3. Update the password in the `mssql.connections` settings in `devcontainer.json`
 
 ### Using a Different SQL Server Version
diff --git a/.devcontainer/devcontainer.json b/.devcontainer/devcontainer.json
@@ -19,7 +19,7 @@
                 "streetsidesoftware.code-spell-checker"
             ],
             "settings": {
-                "go.toolsManagement.autoUpdate": true,
+                "go.toolsManagement.autoUpdate": false,
                 "go.useLanguageServer": true,
                 "go.lintTool": "golangci-lint",
                 "go.lintFlags": ["--fast"],
@@ -36,7 +36,7 @@
                         "authenticationType": "SqlLogin",
                         "user": "sa",
                         "password": "SqlCmd@2025!",
-                        "savePassword": true,
+                        "savePassword": false,
                         "profileName": "sqlcmd-container",
                         "encrypt": "Optional",
                         "trustServerCertificate": true
diff --git a/.devcontainer/docker-compose.yml b/.devcontainer/docker-compose.yml
@@ -20,13 +20,12 @@ services:
     restart: unless-stopped
     environment:
       ACCEPT_EULA: "Y"
-      SA_PASSWORD: "SqlCmd@2025!"
       MSSQL_SA_PASSWORD: "SqlCmd@2025!"
       MSSQL_PID: "Developer"
     volumes:
       - mssql-data:/var/opt/mssql
     healthcheck:
-      test: ["CMD-SHELL", "/opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P \"$$SA_PASSWORD\" -C -Q \"SELECT 1\" || exit 1"]
+      test: ["CMD-SHELL", "/opt/mssql-tools18/bin/sqlcmd -S localhost -U sa -P \"$$MSSQL_SA_PASSWORD\" -C -Q \"SELECT 1\" || exit 1"]
       interval: 10s
       timeout: 5s
       retries: 15
