diff --git a/agent/agentcontainers/containers_dockercli.go b/agent/agentcontainers/containers_dockercli.go
index da42c813c5138..b29f1e974bf3b 100644
--- a/agent/agentcontainers/containers_dockercli.go
+++ b/agent/agentcontainers/containers_dockercli.go
@@ -491,21 +491,15 @@ func convertDockerInspect(raw []byte) ([]codersdk.WorkspaceAgentContainer, []str
 // "8080" -> 8080, "tcp"
 func convertDockerPort(in string) (uint16, string, error) {
 parts := strings.Split(in, "/")
+ p, err := strconv.ParseUint(parts[0], 10, 16)
+ if err != nil {
+ return 0, "", xerrors.Errorf("invalid port format: %s", in)
+ }
 switch len(parts) {
 case 1:
 // assume it's a TCP port
- p, err := strconv.Atoi(parts[0])
- if err != nil {
- return 0, "", xerrors.Errorf("invalid port format: %s", in)
- }
- // #nosec G115 - Safe conversion since Docker TCP ports are limited to uint16 range
 return uint16(p), "tcp", nil
 case 2:
- p, err := strconv.Atoi(parts[0])
- if err != nil {
- return 0, "", xerrors.Errorf("invalid port format: %s", in)
- }
- // #nosec G115 - Safe conversion since Docker ports are limited to uint16 range
 return uint16(p), parts[1], nil
 default:
 return 0, "", xerrors.Errorf("invalid port format: %s", in)
diff --git a/agent/ls.go b/agent/ls.go
index 1d8adea12e0b4..9e65e26fdd4b0 100644
--- a/agent/ls.go
+++ b/agent/ls.go
@@ -76,6 +76,7 @@ func listFiles(query LSRequest) (LSResponse, error) {
 return LSResponse{}, xerrors.Errorf("failed to get absolute path of %q: %w", fullPathRelative, err)
 }
+ // codeql[go/path-injection] - The intent is to allow the user to navigate to any directory in their workspace.
 f, err := os.Open(absolutePathString)
 if err != nil {
 return LSResponse{}, xerrors.Errorf("failed to open directory %q: %w", absolutePathString, err)
diff --git a/coderd/userauth.go b/coderd/userauth.go
index f08e126208d3c..abbe2b4a9f2eb 100644
--- a/coderd/userauth.go
+++ b/coderd/userauth.go
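Review bot: The error returned by `strconv.ParseUint` in the hoisted check of `convertDockerPort` is discarded, so an out-of-range value (a constructed example: `70000/tcp`) is reported with the same "invalid port format" text as non-numeric input. Wrapping the cause keeps the two apart for whoever reads the log: `return 0, "", xerrors.Errorf("invalid port format %q: %w", in, err)`; `%q` also makes empty or whitespace-only input visible. In the `case 2` branch `parts[1]` is still returned unchecked, so an input such as `8080/` yields an empty protocol string; whether callers tolerate that is not visible here. The function's closing lines fall outside the hunk.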
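Review bot: The suppression added above `os.Open(absolutePathString)` in `listFiles` records an intent but not the trust assumption that makes it acceptable, and nothing in the visible lines confines the path to the workspace; the directory is opened with whatever privileges the agent process has. The comment should name who can reach this function and why unconfined access is fine, for example `// codeql[go/path-injection] - Path is intentionally unconfined: callers are authorised for this workspace and already have equivalent filesystem access through the agent.` That wording is presumably the rationale and should be confirmed against the handler's authorisation check, which is outside this hunk. Without it, the suppression would keep hiding the finding if the endpoint were later exposed to a less-privileged role.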
@@ -1100,6 +1100,7 @@ func (api *API) userOAuth2Github(rw http.ResponseWriter, r *http.Request) {
 // We use AuthCodeURL from the OAuth2Config field instead of the one on
 // GithubOAuth2Config because when device flow is configured, AuthCodeURL
 // is overridden and returns a value that doesn't pass the URL check.
+ // codeql[go/constant-oauth2-state] -- We are solely using the AuthCodeURL from the OAuth2Config field in order to validate the hostname of the external auth provider.
 if externalauth.IsGithubDotComURL(api.GithubOAuth2Config.OAuth2Config.AuthCodeURL("")) && user.GithubComUserID.Int64 != ghUser.GetID() {
 err = api.Database.UpdateUserGithubComUserID(ctx, database.UpdateUserGithubComUserIDParams{
 ID: user.ID,
pFad - Phonifier reborn
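Review bot: The justification added for the `AuthCodeURL("")` call holds only while the returned URL is handed to `IsGithubDotComURL` and then dropped, and the comment should say so explicitly so that the empty-state URL is not later reused for a redirect. Suggested wording: `// codeql[go/constant-oauth2-state] -- The URL is only inspected for its hostname and is never sent to a client, so the empty state value takes no part in an authorization flow.` The two suppressions in this commit also use different separators (` - ` in agent/ls.go, ` -- ` here); settling on one makes them easier to find when suppressions are audited. The enclosing function begins and ends outside the hunk.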
