stackrox · janisz · May 21, 2026 · May 21, 2026 · May 21, 2026 · May 25, 2026
diff --git a/.golangci.yml b/.golangci.yml
@@ -1,7 +1,7 @@
 version: "2"
 run:
   timeout: 240m
-  go: "1.25"
+  go: "1.26"
   build-tags:
     - integration
     - scanner_db_integration
@@ -169,23 +169,6 @@ linters:
         - sensor\.DiagnoseConnectionFailure
         - status\.Error
         - utils\.Should
-    modernize:
-      disable:
-        - any
-        - fmtappendf
-        - mapsloop
-        - minmax
-        - rangeint
-        - reflecttypefor
-        - slicescontains
-        - slicessort
-        - stditerators
-        - stringsbuilder
-        - stringscut
-        - stringscutprefix
-        - stringsseq
-        - testingcontext
-        - waitgroup
   exclusions:
     generated: lax
     rules:

@@ -1,4 +1,4 @@
-FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25@sha256:977bd041377a1367c8b102a460ae8e63f89905f7cf9d8235484ae658c9b47646
+FROM brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.26@sha256:8bca01ace56d684c43f59d9c60c8e9516ee30c46e7d7357c2f9b526369d3fddf
 
 WORKDIR /workspace
 

@@ -354,7 +354,7 @@ spec:
           - use
           - $(params.SOURCE_ARTIFACT)=/var/workdir/source
         - name: build-index-content
-          image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.25@sha256:977bd041377a1367c8b102a460ae8e63f89905f7cf9d8235484ae658c9b47646
+          image: brew.registry.redhat.io/rh-osbs/openshift-golang-builder:rhel_9_golang_1.26@sha256:8bca01ace56d684c43f59d9c60c8e9516ee30c46e7d7357c2f9b526369d3fddf
           imagePullPolicy: IfNotPresent
           workingDir: /var/workdir/source/operator
           securityContext:

@@ -100,7 +100,7 @@ func (suite *UsageDataStoreTestSuite) TestWalk() {
 	const N = page + 2
 	first := time.Now()
 	last := first
-	for i := 0; i < N; i++ {
+	for i := range N {
 		ts, _ := protocompat.ConvertTimeToTimestampOrError(last)
 		err = suite.datastore.Add(suite.hasWriteCtx, &storage.SecuredUnits{
 			Timestamp:   ts,
@@ -134,7 +134,7 @@ func (suite *UsageDataStoreTestSuite) TestGetMax() {
 	const N = page + 2
 	first := time.Now()
 	last := first
-	for i := 0; i < N; i++ {
+	for i := range N {
 		ts, _ := protocompat.ConvertTimeToTimestampOrError(last)
 		err = suite.datastore.Add(suite.hasWriteCtx, &storage.SecuredUnits{
 			Timestamp:   ts,

diff --git a/central/alert/datastore/bench_postgres_test.go b/central/alert/datastore/bench_postgres_test.go
@@ -54,7 +54,7 @@ func BenchmarkAlertDatabaseOps(b *testing.B) {
 
 	// Keep the count low in CI. You can run w/ higher numbers locally.
 	totalAlerts := 1000
-	for i := 0; i < totalAlerts; i++ {
+	for range totalAlerts {
 		id := uuid.NewV4().String()
 		ids = append(ids, id)
 		a := fixtures.GetAlertWithID(id)

diff --git a/central/alert/datastore/internal/store/postgres/bench_test.go b/central/alert/datastore/internal/store/postgres/bench_test.go
@@ -16,7 +16,7 @@ import (
 func BenchmarkMany(b *testing.B) {
 	var alerts []*storage.Alert
 	const alertsNum = 10000
-	for i := 0; i < alertsNum; i++ {
+	for range alertsNum {
 		alert := &storage.Alert{}
 		err := testutils.FullInit(alert, testutils.UniqueInitializer(), testutils.JSONFieldsFilter)
 		if err != nil {

diff --git a/central/audit/audit.go b/central/audit/audit.go
@@ -46,7 +46,7 @@ func New(notifications notifier.Processor) auditPkg.Auditor {
 }
 
 // SendAuditMessage will send an audit message for the specified request.
-func (a *audit) SendAuditMessage(ctx context.Context, req interface{}, grpcMethod string,
+func (a *audit) SendAuditMessage(ctx context.Context, req any, grpcMethod string,
 	authError interceptor.AuthStatus, requestError error) {
 	if !a.notifications.HasEnabledAuditNotifiers() {
 		return
@@ -78,7 +78,7 @@ var (
 	)
 )
 
-func (a *audit) newAuditMessage(ctx context.Context, req interface{}, grpcFullMethod string,
+func (a *audit) newAuditMessage(ctx context.Context, req any, grpcFullMethod string,
 	authError interceptor.AuthStatus, requestError error) *v1.Audit_Message {
 	ri := requestinfo.FromContext(ctx)
 
@@ -148,10 +148,10 @@ func (a *audit) newAuditMessage(ctx context.Context, req interface{}, grpcFullMe
 }
 
 // UnaryServerInterceptor is the interceptor for audit logging
-func (a *audit) UnaryServerInterceptor() func(ctx context.Context, req interface{},
-	info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{}, error) {
-	return func(ctx context.Context, req interface{}, info *grpc.UnaryServerInfo,
-		handler grpc.UnaryHandler) (interface{}, error) {
+func (a *audit) UnaryServerInterceptor() func(ctx context.Context, req any,
+	info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
+	return func(ctx context.Context, req any, info *grpc.UnaryServerInfo,
+		handler grpc.UnaryHandler) (any, error) {
 		resp, err := handler(ctx, req)
 		go a.SendAuditMessage(ctx, req, info.FullMethod, interceptor.GetAuthErrorFromContext(ctx), err)
 		return resp, err

diff --git a/central/audit/audit_test.go b/central/audit/audit_test.go
@@ -235,8 +235,8 @@ func (suite *AuditLogTestSuite) TestUserRequestsContinueToBeAudited() {
 	suite.Equal(v1.Audit_CLI, msg.GetMethod(), "User gRPC requests should have method=CLI")
 }
 
-func handler(err error) func(ctx context.Context, req interface{}) (interface{}, error) {
-	return func(ctx context.Context, req interface{}) (interface{}, error) {
+func handler(err error) func(ctx context.Context, req any) (any, error) {
+	return func(ctx context.Context, req any) (any, error) {
 		return nil, err
 	}
 }
@@ -50,7 +50,7 @@ func getFriendlyName(claims map[string][]string) string {
 }
 
 func (*genericClaimExtractor) ExtractClaims(idToken *IDToken) (map[string][]string, error) {
-	var unstructured map[string]interface{}
+	var unstructured map[string]any
 	if err := idToken.Claims(&unstructured); err != nil {
 		return nil, errors.Wrap(err, "extracting claims")
 	}
@@ -62,7 +62,7 @@ func (*genericClaimExtractor) ExtractClaims(idToken *IDToken) (map[string][]stri
 	return claims, nil
 }
 
-func parse(unstructured map[string]interface{}, claims map[string][]string, pfx string) {
+func parse(unstructured map[string]any, claims map[string][]string, pfx string) {
 	for key, value := range unstructured {
 		key = pfx + key
 		switch value := value.(type) {
@@ -76,7 +76,7 @@ func parse(unstructured map[string]interface{}, claims map[string][]string, pfx
 					claims[key] = append(claims[key], s)
 				}
 			}
-		case map[string]interface{}:
+		case map[string]any:
 			parse(value, claims, key+".")
 		default:
 			log.Debugf("Dropping value %v for claim %s since its a non-supported type %T", value, key, value)

@@ -11,12 +11,12 @@ import (
 func Test_genericClaimExtractor(t *testing.T) {
 	testCases := []struct {
 		subject      string
-		unstructured map[string]interface{}
+		unstructured map[string]any
 		roxClaims    tokens.RoxClaims
 	}{
 		{
 			subject: "test-subject-email",
-			unstructured: map[string]interface{}{
+			unstructured: map[string]any{
 				"email":     "test@something.com",
 				"something": "else",
 				"another":   []string{"value", "of", "things"},
@@ -38,7 +38,7 @@ func Test_genericClaimExtractor(t *testing.T) {
 		},
 		{
 			subject: "test-subject-preferred_username",
-			unstructured: map[string]interface{}{
+			unstructured: map[string]any{
 				"preferred_username": "test-user",
 				"something":          "else",
 				"another":            []string{"value", "of", "things"},
@@ -60,7 +60,7 @@ func Test_genericClaimExtractor(t *testing.T) {
 		},
 		{
 			subject: "test-subject-full_name",
-			unstructured: map[string]interface{}{
+			unstructured: map[string]any{
 				"full_name": "i am the test user",
 				"something": "else",
 				"another":   []string{"value", "of", "things"},
@@ -82,7 +82,7 @@ func Test_genericClaimExtractor(t *testing.T) {
 		},
 		{
 			subject: "test-subject-empty",
-			unstructured: map[string]interface{}{
+			unstructured: map[string]any{
 				"something": "else",
 				"another":   []string{"value", "of", "things"},
 			},
@@ -102,15 +102,15 @@ func Test_genericClaimExtractor(t *testing.T) {
 		},
 		{
 			subject: "test-k8s",
-			unstructured: map[string]interface{}{
+			unstructured: map[string]any{
 				"aud": []string{"https://example.com"},
 				"exp": 1763119831,
 				"iat": 1763116231,
 				"iss": "https://example.com",
 				"jti": "6a5e8681-3b2a-44f2-9462-ecf16f52c779",
-				"kubernetes.io": map[string]interface{}{
+				"kubernetes.io": map[string]any{
 					"namespace": "stackrox",
-					"serviceaccount": map[string]interface{}{
+					"serviceaccount": map[string]any{
 						"name": "config-controller",
 						"uid":  "3cd68f8a-7e72-44e7-af17-b283e7027980",
 					},

@@ -16,7 +16,7 @@ func IssuerFromRawIDToken(rawIDToken string) (string, error) {
 	// This will be handled in a latter part, when the metadata from the provider will be used to verify the signature.
 	// This does not pose a security threat, since this is only used to optimize fetching of the correct TokenExchanger.
 	// The TokenExchanger will do the final validation of the token including it's signature.
-	_, err := jwt.ParseWithClaims(rawIDToken, standardClaims, func(token *jwt.Token) (interface{}, error) {
+	_, err := jwt.ParseWithClaims(rawIDToken, standardClaims, func(token *jwt.Token) (any, error) {
 		return nil, nil
 	}, jwt.WithoutClaimsValidation())
 

@@ -18,15 +18,15 @@ func Test_kubeClaimExtractor(t *testing.T) {
 
 		claims, err := e.ExtractClaims(&IDToken{
 			Claims: func(v any) error {
-				*v.(*map[string]any) = map[string]interface{}{
+				*v.(*map[string]any) = map[string]any{
 					"aud": []string{"https://example.com"},
 					"exp": 1763119831,
 					"iat": 1763116231,
 					"iss": "https://example.com",
 					"jti": "6a5e8681-3b2a-44f2-9462-ecf16f52c779",
-					"kubernetes.io": map[string]interface{}{
+					"kubernetes.io": map[string]any{
 						"namespace": "stackrox",
-						"serviceaccount": map[string]interface{}{
+						"serviceaccount": map[string]any{
 							"name": "config-controller",
 							"uid":  "3cd68f8a-7e72-44e7-af17-b283e7027980",
 						},

@@ -3,6 +3,7 @@ package m2m
 import (
 	"context"
 	"regexp"
+	"slices"
 
 	"github.com/pkg/errors"
 	roleDataStore "github.com/stackrox/rox/central/role/datastore"
@@ -73,10 +74,5 @@ func resolveRolesForClaims(ctx context.Context, claims map[string][]string, role
 }
 
 func valuesMatch(expr *regexp.Regexp, claimValues []string) bool {
-	for _, claimValue := range claimValues {
-		if expr.MatchString(claimValue) {
-			return true
-		}
-	}
-	return false
+	return slices.ContainsFunc(claimValues, expr.MatchString)
 }
@@ -14,7 +14,7 @@ type watchHandler struct {
 	manager *basic.Manager
 }
 
-func (h *watchHandler) OnChange(dir string) (interface{}, error) {
+func (h *watchHandler) OnChange(dir string) (any, error) {
 	htpasswdPath := filepath.Join(dir, htpasswdFile)
 	f, err := os.Open(htpasswdPath)
 	if err != nil {
@@ -25,7 +25,7 @@ func (h *watchHandler) OnChange(dir string) (interface{}, error) {
 	return htpasswd.ReadHashFile(f)
 }
 
-func (h *watchHandler) OnStableUpdate(val interface{}, err error) {
+func (h *watchHandler) OnStableUpdate(val any, err error) {
 	var hashFile *htpasswd.HashFile
 	if err != nil {
 		log.Warnf("Error reading htpasswd file: %v. Basic (username/password) auth will be disabled until the issue is remediated", err)

diff --git a/central/backgroundmigrations/runner/rollout_test.go b/central/backgroundmigrations/runner/rollout_test.go
@@ -15,7 +15,8 @@ const (
 	testNamespace = "stackrox"
 )
 
-func int32Ptr(i int32) *int32 { return &i }
+//go:fix inline
+func int32Ptr(i int32) *int32 { return new(i) }
 
 func newTestRolloutChecker(client *fake.Clientset) *k8sRolloutChecker {
 	return &k8sRolloutChecker{
@@ -32,7 +33,7 @@ func readyDeployment() *appsv1.Deployment {
 			Generation: 1,
 		},
 		Spec: appsv1.DeploymentSpec{
-			Replicas: int32Ptr(1),
+			Replicas: new(int32(1)),
 			Selector: &metav1.LabelSelector{
 				MatchLabels: map[string]string{"app": "central"},
 			},

diff --git a/central/backgroundmigrations/runner/runner.go b/central/backgroundmigrations/runner/runner.go
@@ -293,7 +293,7 @@ func parseSkipMigrations() set.IntSet {
 		return set.NewIntSet()
 	}
 	s := set.NewIntSet()
-	for _, entry := range strings.Split(val, ",") {
+	for entry := range strings.SplitSeq(val, ",") {
 		n, err := strconv.Atoi(strings.TrimSpace(entry))
 		if err != nil {
 			log.Errorf("could not parse %q from %s, not skipping", entry, env.SkipBackgroundMigrations.EnvVar())

diff --git a/central/baseimage/datastore/datastore_impl.go b/central/baseimage/datastore/datastore_impl.go
@@ -60,10 +60,7 @@ func (ds *datastoreImpl) UpsertImages(
 
 	// Process in chunks. This reduces pressure on storage and avoids parameter/time limits.
 	for start := 0; start < len(batch); start += upsertChunkSize {
-		end := start + upsertChunkSize
-		if end > len(batch) {
-			end = len(batch)
-		}
+		end := min(start+upsertChunkSize, len(batch))
 
 		if err := ds.storage.UpsertMany(ctx, batch[start:end]); err != nil {
 			return fmt.Errorf("upsert images chunk [%d:%d]: %w", start, end, err)

diff --git a/central/baseimage/datastore/repository/datastore_impl.go b/central/baseimage/datastore/repository/datastore_impl.go
@@ -6,6 +6,7 @@ import (
 	"encoding/hex"
 	"errors"
 	"fmt"
+	"slices"
 	"time"
 
 	repoStore "github.com/stackrox/rox/central/baseimage/store/repository/postgres"
@@ -215,10 +216,5 @@ func (d *datastoreImpl) DeleteRepository(ctx context.Context, id string) error {
 }
 
 func statusMatches(current storage.BaseImageRepository_Status, allowed []storage.BaseImageRepository_Status) bool {
-	for _, s := range allowed {
-		if current == s {
-			return true
-		}
-	}
-	return false
+	return slices.Contains(allowed, current)
 }
diff --git a/central/baseimage/datastore/repository/datastore_impl_test.go b/central/baseimage/datastore/repository/datastore_impl_test.go
@@ -96,8 +96,9 @@ func newRepository(path, tagPattern string) *storage.BaseImageRepository {
 	}
 }
 
+//go:fix inline
 func ptr(s string) *string {
-	return &s
+	return new(s)
 }
 
 func (s *BaseImageRepositoryDatastoreTestSuite) TestBaseImageRepositoryDatastore() {
@@ -210,7 +211,7 @@ func (s *BaseImageRepositoryDatastoreTestSuite) TestUserCtxOperationsDenied() {
 	_, err = s.datastore.UpdateStatus(s.normalUserCtx, "non-existent-id", StatusUpdate{Status: storage.BaseImageRepository_READY})
 	s.Error(err, "UpdateStatus should fail for user context without permissions")
 
-	_, err = s.datastore.UpdateConfiguration(s.normalUserCtx, "non-existent-id", ConfigUpdate{TagPattern: ptr("v*")})
+	_, err = s.datastore.UpdateConfiguration(s.normalUserCtx, "non-existent-id", ConfigUpdate{TagPattern: new("v*")})
 	s.Error(err, "UpdateConfiguration should fail for user context without permissions")
 }
 
@@ -321,7 +322,7 @@ func (s *BaseImageRepositoryDatastoreTestSuite) TestUpsertRepository_InsertsProv
 }
 
 func (s *BaseImageRepositoryDatastoreTestSuite) TestUpdateConfiguration_NotFound() {
-	updated, err := s.datastore.UpdateConfiguration(s.imgAdminCtx, uuid.NewV4().String(), ConfigUpdate{TagPattern: ptr("v*")})
+	updated, err := s.datastore.UpdateConfiguration(s.imgAdminCtx, uuid.NewV4().String(), ConfigUpdate{TagPattern: new("v*")})
 
 	s.Nil(updated)
 	s.ErrorIs(err, errox.NotFound)
@@ -556,7 +557,7 @@ func (s *BaseImageRepositoryDatastoreTestSuite) TestUpdateStatus_OnlyIfStatus_Co
 	results := make(chan *storage.BaseImageRepository, numGoroutines)
 	errs := make(chan error, numGoroutines)
 
-	for i := 0; i < numGoroutines; i++ {
+	for range numGoroutines {
 		go func() {
 			updated, err := s.datastore.UpdateStatus(ctx, created.GetId(), StatusUpdate{
 				Status: storage.BaseImageRepository_QUEUED,
@@ -573,7 +574,7 @@ func (s *BaseImageRepositoryDatastoreTestSuite) TestUpdateStatus_OnlyIfStatus_Co
 
 	// Collect results.
 	var updatedCount int
-	for i := 0; i < numGoroutines; i++ {
+	for range numGoroutines {
 		updated := <-results
 		err := <-errs
 		s.NoError(err)