Fix lint and CodeQL findings

Signed-off-by: Moritz Johner <beller.moritz@googlemail.com>

pkg/executil/executil.go

@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
+// Package executil provides small helpers for constructing subprocess commands.
 package executil
 
 import (
@@ -30,5 +31,6 @@ func Command(name string, args ...string) (*exec.Cmd, error) {
 		return nil, fmt.Errorf("find executable %q: %w", name, err)
 	}
 
+	//nolint:gosec // Callers intentionally choose the executable and arguments; LookPath resolves the binary first.
 	return execabs.Command(path, args...), nil
 }

providers/v2/aws/config_test.go

@@ -46,9 +46,9 @@ func TestGetSpecMapperMapsParameterStore(t *testing.T) {
 			Namespace: "provider-ns",
 		},
 		Spec: awsv2alpha1.ParameterStoreSpec{
-			Region: "eu-central-1",
-			Role:   "arn:aws:iam::123456789012:role/eso-ssm",
-			Prefix: "/team-a/",
+			Region:     "eu-central-1",
+			Role:       "arn:aws:iam::123456789012:role/eso-ssm",
+			Prefix:     "/team-a/",
 			ExternalID: "ext-id",
 		},
 	}).Build()

providers/v2/hack/generate-provider-main.go

@@ -27,6 +27,7 @@ import (
 	"log"
 	"os"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"text/template"
 
@@ -163,8 +164,10 @@ func main() {
 			log.Fatalf("Failed to load/validate config %s: %v", configPath, err)
 		}
 
+		providerName := logSafeValue(config.Provider.Name)
+		providerDisplayName := logSafeValue(config.Provider.DisplayName)
 		if *verbose {
-			log.Printf("  Provider: %s (%s)", config.Provider.Name, config.Provider.DisplayName)
+			log.Printf("  Provider: %s (%s)", providerName, providerDisplayName)
 			log.Printf("  Stores: %d, Generators: %d", len(config.Stores), len(config.Generators))
 		}
 
@@ -174,13 +177,13 @@ func main() {
 		// Generate main.go
 		mainContent, err := executeTemplate(mainTemplate, templateData)
 		if err != nil {
-			log.Fatalf("Failed to generate main.go for %s: %v", config.Provider.Name, err)
+			log.Fatalf("Failed to generate main.go for %s: %v", providerName, err)
 		}
 
 		// Format with goimports/gofmt
 		formattedMain, err := formatGoCode(mainContent)
 		if err != nil {
-			log.Printf("Warning: Failed to format main.go for %s: %v", config.Provider.Name, err)
+			log.Printf("Warning: Failed to format main.go for %s: %v", providerName, err)
 			formattedMain = mainContent // Use unformatted if formatting fails
 		}
 
@@ -197,7 +200,7 @@ func main() {
 		// Generate Dockerfile
 		dockerContent, err := executeTemplate(dockerfileTemplate, templateData)
 		if err != nil {
-			log.Fatalf("Failed to generate Dockerfile for %s: %v", config.Provider.Name, err)
+			log.Fatalf("Failed to generate Dockerfile for %s: %v", providerName, err)
 		}
 
 		dockerPath := filepath.Join(providerDir, "Dockerfile")
@@ -232,6 +235,10 @@ func findProviderConfigs(baseDir string) ([]string, error) {
 	return configs, err
 }
 
+func logSafeValue(value string) string {
+	return strconv.QuoteToASCII(strings.ToValidUTF8(value, "?"))
+}
+
 func loadAndValidateConfig(configPath string, schemaLoader gojsonschema.JSONLoader) (*ProviderConfig, error) {
 	// Read YAML file
 	//nolint:gosec // configPath comes from controlled provider config discovery under providers-dir.