Semgrep rule IDs follow the pattern <pack>.<rule>. The pack name is
csharp.lang.security.sqli.csharp-sqli and the rule inside it is also
called csharp-sqli, so the full ID needs the trailing .csharp-sqli
again. Without it the exclude flag silently filters a different
subset of rules and the actual rule still runs.
Semgrep flags eight CommandText-with-string-interpolation call sites
in MessageStore.cs as SQL-injection patterns. All are safe in this
context: table names and clause fragments come from internal code
constants, the actual values are bound via SqlParameter, and the
plugin SQL surface is local-only with no external input vector.
CodeQL would not flag these because it does dataflow analysis and
sees the constants. Semgrep only matches patterns. Excluding the rule
for this repo only via the new semgrep-exclude-rules input keeps the
rule active for the other Hellion repos where it might catch real
issues (e.g. the web apps).
Calls JonKazama-Hellion/security-workflows for Semgrep SAST + Trivy
filesystem vulnerability scan. Runs on push to main/master, on every
PR, and weekly Monday 06:00 UTC.
JonKazama-Hellion