From 90a4544ab2b4ce7d0d286fa8df86aa16136ff74f Mon Sep 17 00:00:00 2001 From: JonKazama-Hellion Date: Sat, 9 May 2026 11:54:24 +0200 Subject: [PATCH] ci: exclude csharp-sqli rule from MessageStore.cs scans Semgrep flags eight CommandText-with-string-interpolation call sites in MessageStore.cs as SQL-injection patterns. All are safe in this context: table names and clause fragments come from internal code constants, the actual values are bound via SqlParameter, and the plugin SQL surface is local-only with no external input vector. CodeQL would not flag these because it does dataflow analysis and sees the constants. Semgrep only matches patterns. Excluding the rule for this repo only via the new semgrep-exclude-rules input keeps the rule active for the other Hellion repos where it might catch real issues (e.g. the web apps). --- .gitea/workflows/security.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml index 839de66..665c049 100644 --- a/.gitea/workflows/security.yml +++ b/.gitea/workflows/security.yml @@ -10,4 +10,12 @@ on: jobs: scan: uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main + with: + # MessageStore.cs uses string-interpolation in CommandText for table + # names and clause-joins that come from internal code constants, not + # user input. Values are bound via SqlParameter, the SQL surface is + # local-only inside a Dalamud plugin. Semgrep matches the pattern + # without dataflow, so it flags those eight call sites; CodeQL + # would not. Suppressed for this repo only. + semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli'
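Review bot: the `semgrep-exclude-rules` input in the new `with:` block disables `csharp.lang.security.sqli.csharp-sqli` for the entire repository, while the justification in the comment and in the commit message covers only the eight call sites in MessageStore.cs; a narrower fix would be a per-line `// nosemgrep: csharp.lang.security.sqli.csharp-sqli` annotation on those eight lines, so a future `CommandText` built from interpolated input in some other file is still caught. Two further points: the commit message describes `semgrep-exclude-rules` as a new input of the reusable workflow, so this change only works once `JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main` actually declares it (an unknown `with:` key will fail the caller workflow), which makes the ordering of the two merges worth stating in the PR; and the comment's safety argument ("come from internal code constants, not user input") is exactly the kind of claim that should be re-checked whenever MessageStore.cs changes, so it would help to add a short note there (or in CONTRIBUTING) saying that the exclusion assumes no new interpolated `CommandText` sites are introduced without review.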