style: reformat renovate.json with standard 2-space indent

renovat update
Signed-off-by: Jon Kazama <kontakt@hellion-media.de>
2026-05-09 12:34:47 +02:00 · 2026-05-09 10:18:20 +00:00 · 2026-05-09 10:17:33 +00:00 · 2026-05-09 10:17:33 +00:00 · 2026-05-09 12:08:08 +02:00 · 2026-05-09 11:54:24 +02:00
2 changed files with 104 additions and 0 deletions
@@ -0,0 +1,21 @@
+name: Security
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+  schedule:
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+jobs:
+  scan:
+    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
+    with:
+      # MessageStore.cs uses string-interpolation in CommandText for table
+      # names and clause-joins that come from internal code constants, not
+      # user input. Values are bound via SqlParameter, the SQL surface is
+      # local-only inside a Dalamud plugin. Semgrep matches the pattern
+      # without dataflow, so it flags those eight call sites; CodeQL
+      # would not. Suppressed for this repo only.
+      semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli.csharp-sqli'
+
@@ -0,0 +1,83 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended",
+    ":dependencyDashboard",
+    ":semanticCommits",
+    ":timezone(Europe/Berlin)",
+    "schedule:weekly"
+  ],
+  "labels": [
+    "dependencies",
+    "renovate"
+  ],
+  "assignees": [
+    "JonKazama-Hellion"
+  ],
+  "prHourlyLimit": 10,
+  "prConcurrentLimit": 20,
+  "rebaseWhen": "behind-base-branch",
+  "packageRules": [
+    {
+      "description": "Group all minor and patch updates per ecosystem in one PR",
+      "matchUpdateTypes": [
+        "minor",
+        "patch"
+      ],
+      "groupName": "minor and patch updates ({{manager}})"
+    },
+    {
+      "description": "Major updates always get their own PR with breaking-change label",
+      "matchUpdateTypes": [
+        "major"
+      ],
+      "labels": [
+        "dependencies",
+        "major-update",
+        "breaking-change"
+      ],
+      "addLabels": [
+        "needs-review"
+      ]
+    },
+    {
+      "description": "TypeScript type definitions stay grouped with each other",
+      "matchPackagePrefixes": [
+        "@types/"
+      ],
+      "groupName": "type definitions"
+    },
+    {
+      "description": "Dev dependencies in their own group",
+      "matchDepTypes": [
+        "devDependencies"
+      ],
+      "groupName": "dev dependencies"
+    },
+    {
+      "description": "Pin GitHub Action versions by SHA for supply-chain hygiene",
+      "matchManagers": [
+        "github-actions"
+      ],
+      "pinDigests": true
+    }
+  ],
+  "vulnerabilityAlerts": {
+    "labels": [
+      "security",
+      "vulnerability"
+    ],
+    "schedule": [
+      "at any time"
+    ],
+    "prPriority": 10
+  },
+  "lockFileMaintenance": {
+    "enabled": true,
+    "schedule": [
+      "before 6am on monday"
+    ],
+    "commitMessageAction": "Refresh"
+  },
+  "osvVulnerabilityAlerts": true
+}
Author	SHA1	Message	Date
JonKazama-Hellion	cd01fa63a1	style: reformat renovate.json with standard 2-space indent Security / scan (push) Successful in 13s Details	2026-05-09 12:34:47 +02:00
JonKazama-Hellion	b81c50b433	renovat update Security / scan (push) Successful in 11s Details Signed-off-by: Jon Kazama <kontakt@hellion-media.de>	2026-05-09 10:18:20 +00:00
JonKazama-Hellion	355a57089b	Merge pull request 'Configure Renovate' (#8 ) from renovate/configure into main Security / scan (push) Successful in 11s Details Reviewed-on: #8	2026-05-09 10:17:33 +00:00
renovate-bot	cf7ab6226c	Add renovate.json	2026-05-09 10:17:33 +00:00
JonKazama-Hellion	03da6d58a4	ci: fix semgrep rule ID for csharp-sqli exclusion Security / scan (push) Successful in 14s Details Semgrep rule IDs follow the pattern <pack>.<rule>. The pack name is csharp.lang.security.sqli.csharp-sqli and the rule inside it is also called csharp-sqli, so the full ID needs the trailing .csharp-sqli again. Without it the exclude flag silently filters a different subset of rules and the actual rule still runs.	2026-05-09 12:08:08 +02:00
JonKazama-Hellion	90a4544ab2	ci: exclude csharp-sqli rule from MessageStore.cs scans Security / scan (push) Failing after 33s Details Semgrep flags eight CommandText-with-string-interpolation call sites in MessageStore.cs as SQL-injection patterns. All are safe in this context: table names and clause fragments come from internal code constants, the actual values are bound via SqlParameter, and the plugin SQL surface is local-only with no external input vector. CodeQL would not flag these because it does dataflow analysis and sees the constants. Semgrep only matches patterns. Excluding the rule for this repo only via the new semgrep-exclude-rules input keeps the rule active for the other Hellion repos where it might catch real issues (e.g. the web apps).	2026-05-09 11:54:24 +02:00
JonKazama-Hellion	9b4557f197	chore: add reusable security scan workflow Security / scan (push) Failing after 6m33s Details Calls JonKazama-Hellion/security-workflows for Semgrep SAST + Trivy filesystem vulnerability scan. Runs on push to main/master, on every PR, and weekly Monday 06:00 UTC.	2026-05-09 11:28:09 +02:00