RFE: options to require rules and justfication for inline annotations

[scop]

It would be nice if gosec had options to require specifying

• at least one rule to inline #nosec/gosec:disable annotations (i.e. ban "naked" directives without any rules), in order to avoid inadvertently suppressing other than intended rules that might apply
• a justification present in all #nosec/gosec:disable annotations, for rationale as it is not always obvious, and this is quite probably security sensitive stuff

For example, golangci-lint (nolint) and revive (revive:disable*) already have these (revive only for justification/reasoning at time of writing).

[ccojocar]

I think this is a good feature request but I suspect it will create a lot of friction because a lot of users are just using #nosec to ignore some warning on a line since this was historically the only option. This seems like a good approach from security perspective but I am not sure from usability point of view.

[scop]

I failed to mention it, but I think both options should be opt-in, i.e. default to false (so unless asked for, things would continue to work as they currently do). I don't think that should cause any particular friction as far as gosec is concerned.

[ccojocar]

If this is optional, it should work.