Problem
.cora.yaml ignore.rules with pattern "Command injection via exec/system with dynamic input" does not filter out findings from the built-in security_scanner (injection/exec rule). SARIF output still contains the finding even though:
- apply_ignore_rules() in review.rs:341 runs after merge_rule_findings() at line 311
- The RuleFinding title matches the ignore pattern via contains()
- .cora.yaml is correctly detected and loaded in CI log
Evidence
- SARIF output: 3201 bytes, 1 finding despite ignore rule
- CI log: No blocking issues (severity filter works, but SARIF still has the finding)
- Cora CLI version: v0.6.2
Suspected Cause
Possibly a config merge ordering issue where ignore rules are applied but the SARIF formatter receives the pre-filtered response rather than the filtered one. Or the security_scanner findings are re-added after ignore rules are applied.
Files to Investigate
- src/engine/review.rs:302-341 (merge + filter ordering)
- src/engine/security_scanner.rs (finding generation)
- src/engine/rules/mod.rs:109-145 (merge_rule_findings, sets issue_type: rule)
- src/commands/review.rs:263 (filtered_response = response.clone)
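As an added illustration (not Cora's own code), a minimal Rust model of the suspected cause: the SARIF formatter is handed a clone taken before apply_ignore_rules() runs, shown beside the ordering that fixes it. Struct and function names, and the sample findings, are assumed for the example.

```rust
#[derive(Clone, Debug)]
pub struct Finding {
    pub title: String,
    pub issue_type: String,
}

#[derive(Clone, Debug)]
pub struct ReviewResponse {
    pub findings: Vec<Finding>,
}

/// Drop every finding whose title contains an ignore pattern (contains(), as the report says).
pub fn apply_ignore_rules(resp: &mut ReviewResponse, patterns: &[&str]) {
    resp.findings
        .retain(|f| !patterns.iter().any(|p| f.title.contains(p)));
}

/// Stand-in for the SARIF formatter: only the number of results matters here.
pub fn sarif_result_count(resp: &ReviewResponse) -> usize {
    resp.findings.len()
}

/// Constructed sample: one finding from the built-in scanner rule named in the
/// report, plus an unrelated one that no ignore rule should touch.
fn sample_response() -> ReviewResponse {
    let mk = |t: &str| Finding { title: t.to_string(), issue_type: "rule".to_string() };
    ReviewResponse {
        findings: vec![
            mk("Command injection via exec/system with dynamic input"),
            mk("Hardcoded credential in source"),
        ],
    }
}

/// Suspected flow: the formatter gets a clone taken before filtering, so the ignored finding survives.
pub fn sarif_count_clone_before_filter(patterns: &[&str]) -> usize {
    let mut response = sample_response();
    let filtered_response = response.clone(); // stale copy of the unfiltered data
    apply_ignore_rules(&mut response, patterns);
    sarif_result_count(&filtered_response)
}

/// Corrected flow: filter first, then clone (or borrow) for the formatter.
pub fn sarif_count_filter_then_clone(patterns: &[&str]) -> usize {
    let mut response = sample_response();
    apply_ignore_rules(&mut response, patterns);
    let filtered_response = response.clone();
    sarif_result_count(&filtered_response)
}
```

The same two functions double as a regression check: the count fed to the formatter must already reflect the ignore rules.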