From 77143be132619aae572ee58273d252afe4fee9eb Mon Sep 17 00:00:00 2001 From: Max Hsu Date: Fri, 29 May 2026 00:01:57 +0800 Subject: [PATCH] fix(cicd): scope semgrep filesystem-deletion rule to exclude src/hooks/ MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The filesystem-deletion rule matches fs::remove_file/remove_dir_all with no paths scoping, so it flags src/hooks/ — yet its own message states deletion is "Expected in hooks/init cleanup". Since CI runs semgrep with --baseline-commit --error, every new agent-uninstall PR that adds a deletion to src/hooks/init.rs trips a false positive and fails the scan. Add paths.exclude: src/hooks/ so the rule reflects its stated intent — flag deletions in filter modules, not in hooks/init cleanup code. Fixes #1954 --- .semgrep.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/.semgrep.yml b/.semgrep.yml index 4e8cc1f22..0587e6d48 100644 --- a/.semgrep.yml +++ b/.semgrep.yml @@ -101,6 +101,9 @@ rules: - pattern: fs::remove_dir_all(...) - pattern: std::fs::remove_file(...) - pattern: std::fs::remove_dir_all(...) + paths: + exclude: + - src/hooks/ message: > File/directory deletion detected. Expected in hooks/init cleanup, surprising in a filter module. Verify intent.
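Review bot: the new `paths.exclude` leaves the rule's own message stale; once `src/hooks/` is excluded the clause "Expected in hooks/init cleanup, surprising in a filter module" describes a location the rule can no longer match, so update the `message:` in this same hunk to something like "File/directory deletion detected outside hooks/init cleanup; surprising in a filter module. Verify intent." so the finding text agrees with the rule's scope. Two checks before merging: semgrep's `paths.exclude` entries are glob patterns, so confirm that the trailing-slash form `src/hooks/` matches the directory in the semgrep version CI pins (a pattern such as `src/hooks/**` is unambiguous), and note that an exclude suppresses the finding entirely rather than downgrading it, so a deletion added under src/hooks/ will no longer appear in any scan output, with or without `--baseline-commit`; if you still want those deletions visible in review, a lower `severity` for that path is the alternative to excluding it.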