Merge pull request 'Configure Renovate' (#8 ) from renovate/configure into main

Reviewed-on: #8
Add renovate.json
2026-05-09 10:17:33 +00:00 · 2026-05-09 10:17:33 +00:00 · 2026-05-09 12:08:08 +02:00 · 2026-05-09 11:54:24 +02:00 · 2026-05-09 11:28:09 +02:00
2 changed files with 27 additions and 0 deletions
@@ -0,0 +1,21 @@
 name: Security
 on:
  push:
    branches: [main, master]
  pull_request:
  schedule:
    - cron: '0 6 * * 1'
  workflow_dispatch:
 jobs:
  scan:
    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
    with:
      # MessageStore.cs uses string-interpolation in CommandText for table
      # names and clause-joins that come from internal code constants, not
      # user input. Values are bound via SqlParameter, the SQL surface is
      # local-only inside a Dalamud plugin. Semgrep matches the pattern
      # without dataflow, so it flags those eight call sites; CodeQL
      # would not. Suppressed for this repo only.
      semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli.csharp-sqli'
@@ -0,0 +1,6 @@
 {
  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
  "extends": [
    "config:recommended"
  ]
 }
Author	SHA1	Message	Date
JonKazama-Hellion	355a57089b	Merge pull request 'Configure Renovate' (#8 ) from renovate/configure into main Security / scan (push) Successful in 11s Details Reviewed-on: #8	2026-05-09 10:17:33 +00:00
renovate-bot	cf7ab6226c	Add renovate.json	2026-05-09 10:17:33 +00:00
JonKazama-Hellion	03da6d58a4	ci: fix semgrep rule ID for csharp-sqli exclusion Security / scan (push) Successful in 14s Details Semgrep rule IDs follow the pattern <pack>.<rule>. The pack name is csharp.lang.security.sqli.csharp-sqli and the rule inside it is also called csharp-sqli, so the full ID needs the trailing .csharp-sqli again. Without it the exclude flag silently filters a different subset of rules and the actual rule still runs.	2026-05-09 12:08:08 +02:00
JonKazama-Hellion	90a4544ab2	ci: exclude csharp-sqli rule from MessageStore.cs scans Security / scan (push) Failing after 33s Details Semgrep flags eight CommandText-with-string-interpolation call sites in MessageStore.cs as SQL-injection patterns. All are safe in this context: table names and clause fragments come from internal code constants, the actual values are bound via SqlParameter, and the plugin SQL surface is local-only with no external input vector. CodeQL would not flag these because it does dataflow analysis and sees the constants. Semgrep only matches patterns. Excluding the rule for this repo only via the new semgrep-exclude-rules input keeps the rule active for the other Hellion repos where it might catch real issues (e.g. the web apps).	2026-05-09 11:54:24 +02:00
JonKazama-Hellion	9b4557f197	chore: add reusable security scan workflow Security / scan (push) Failing after 6m33s Details Calls JonKazama-Hellion/security-workflows for Semgrep SAST + Trivy filesystem vulnerability scan. Runs on push to main/master, on every PR, and weekly Monday 06:00 UTC.	2026-05-09 11:28:09 +02:00