JonKazama-Hellion
03da6d58a4
Security / scan (push) Successful in 14s
Semgrep rule IDs follow the pattern <pack>.<rule>. The pack name is csharp.lang.security.sqli.csharp-sqli and the rule inside it is also called csharp-sqli, so the full ID needs the trailing .csharp-sqli again. Without it the exclude flag silently filters a different subset of rules and the actual rule still runs.
22 lines
738 B
YAML
22 lines
738 B
YAML
name: Security
|
|
on:
|
|
push:
|
|
branches: [main, master]
|
|
pull_request:
|
|
schedule:
|
|
- cron: '0 6 * * 1'
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
scan:
|
|
uses: JonKazama-Hellion/security-workflows/.gitea/workflows/security-scan.yml@main
|
|
with:
|
|
# MessageStore.cs uses string-interpolation in CommandText for table
|
|
# names and clause-joins that come from internal code constants, not
|
|
# user input. Values are bound via SqlParameter, the SQL surface is
|
|
# local-only inside a Dalamud plugin. Semgrep matches the pattern
|
|
# without dataflow, so it flags those eight call sites; CodeQL
|
|
# would not. Suppressed for this repo only.
|
|
semgrep-exclude-rules: 'csharp.lang.security.sqli.csharp-sqli.csharp-sqli'
|
|
|