90a4544ab2
Security / scan (push) Failing after 33s
Semgrep flags eight CommandText-with-string-interpolation call sites in MessageStore.cs as SQL-injection patterns. All are safe in this context: table names and clause fragments come from internal code constants, the actual values are bound via SqlParameter, and the plugin SQL surface is local-only with no external input vector. CodeQL would not flag these because it does dataflow analysis and sees the constants. Semgrep only matches patterns. Excluding the rule for this repo only via the new semgrep-exclude-rules input keeps the rule active for the other Hellion repos where it might catch real issues (e.g. the web apps).
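An added example, not code from this commit or from MessageStore.cs, of the call-site shape the message describes: the table name is interpolated from a code constant, the value is bound as a parameter, and an allow-list check makes the constants-only assumption enforceable at runtime. The class, table and column names are hypothetical, the provider-neutral System.Data.Common types stand in for SqlParameter, and the connection is assumed to be open already.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

// Hypothetical store; names are illustrative, not taken from MessageStore.cs.
public sealed class ExampleStore
{
    // Identifiers cannot be bound as parameters, so they are fixed in code.
    private const string MessagesTable = "messages";
    private const string ArchiveTable = "messages_archive";

    private static readonly HashSet<string> AllowedTables =
        new HashSet<string>(StringComparer.Ordinal) { MessagesTable, ArchiveTable };

    private readonly DbConnection _connection;

    public ExampleStore(DbConnection connection) => _connection = connection;

    public int DeleteBySender(string table, string sender)
    {
        // Fails closed if a future caller passes anything but a known constant.
        if (!AllowedTables.Contains(table))
            throw new ArgumentException("Unknown table name.", nameof(table));

        using DbCommand cmd = _connection.CreateCommand();

        // A pattern-based rule matches this line: CommandText is built with
        // string interpolation. Only the allow-listed identifier is interpolated.
        cmd.CommandText = $"DELETE FROM {table} WHERE sender = @sender";

        // The value never enters the SQL text; it is bound as a parameter.
        DbParameter p = cmd.CreateParameter();
        p.ParameterName = "@sender";
        p.Value = sender;
        cmd.Parameters.Add(p);

        return cmd.ExecuteNonQuery();
    }
}
```

With the allow-list in place, the suppression stays justified even if a later change routes a non-constant string into the `table` argument, because the call throws before any SQL text is built.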