ci: fix semgrep rule ID for csharp-sqli exclusion

Semgrep rule IDs follow the pattern <pack>.<rule>. The pack name is csharp.lang.security.sqli.csharp-sqli and the rule inside it is also called csharp-sqli, so the full ID needs the trailing .csharp-sqli again. Without it the exclude flag silently filters a different subset of rules and the actual rule still runs.
ci: exclude csharp-sqli rule from MessageStore.cs scans
2026-05-09 12:08:08 +02:00 · 2026-05-09 11:54:24 +02:00 · 2026-05-09 11:28:09 +02:00
1 changed files with 21 additions and 0 deletions
@@ -0,0 +1,21 @@
+name: Security
+on:
+  push:
+    branches: [main, master]
+  pull_request:
+  schedule:
+    - cron: '0 6 * * 1'
+  workflow_dispatch:
+
+jobs:
+  scan:
+    uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
+    with:
+      # MessageStore.cs uses string-interpolation in CommandText for table
+      # names and clause-joins that come from internal code constants, not
+      # user input. Values are bound via SqlParameter, the SQL surface is
+      # local-only inside a Dalamud plugin. Semgrep matches the pattern
+      # without dataflow, so it flags those eight call sites; CodeQL
+      # would not. Suppressed for this repo only.
+      semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli.csharp-sqli'
+