
fix(security): tighten command injection regex + add ignore rules logging#327

Closed
ajianaz wants to merge 1 commit into develop from fix/reduce-security-scanner-fp

Conversation

@ajianaz (Collaborator) commented Jun 27, 2026

Problem

The injection/exec security scanner regex matches every subprocess.run() call,
including safe ones with controlled literal lists. This causes false positives
in legitimate subprocess calls.

Also, apply_ignore_rules() had no debug logging.

Changes

  1. Tighter injection/exec regex: only flags when dynamic input signals are present
     (f-string, format(), shell=True, string concat with user input)
  2. Debug logging for apply_ignore_rules
  3. 7 new unit tests (3 security_scanner + 4 review)

Closes #326

…ging

- Tighten injection/exec regex: only flag subprocess.run when dynamic
  input signals present (f-string, format(), shell=True, string concat
  with user input). Literal list calls like subprocess.run(cmd) are safe.
- Add debug logging to apply_ignore_rules for better diagnostics
- Add unit tests for ignore_rules (title match, issue_type match, empty,
  case insensitive)
- Add unit tests for security_scanner (no FP on literal list, triggers
  on f-string and shell=True)

Fixes #326
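The heuristic the PR and commit message describe, as an added example rather than code from this repository: a line-local scanner that flags a subprocess.run() call only when one of the four dynamic-input signals appears inside the call's arguments, so a literal list (or a variable holding one) produces no finding. The sample source is constructed here for illustration.

```python
import re

# Signals named in the PR: a call is flagged only if at least one is present.
DYNAMIC_SIGNALS = {
    "f-string": re.compile(r"\bf['\"]"),                 # f"..." / f'...'
    "format()": re.compile(r"\.format\s*\("),            # "...".format(...)
    "shell=True": re.compile(r"\bshell\s*=\s*True\b"),   # shell=True keyword
    "string concat": re.compile(r"['\"]\s*\+\s*\w|\w\s*\+\s*['\"]"),  # "..." + var
}
SUBPROCESS_CALL = re.compile(r"\bsubprocess\.run\s*\(")


def _call_args(line: str, start: int) -> str:
    """Return the text between the parentheses of the call whose '(' is at `start`.
    Depth counting keeps nested calls such as "...".format(x) inside the span."""
    depth = 0
    for i in range(start, len(line)):
        if line[i] == "(":
            depth += 1
        elif line[i] == ")":
            depth -= 1
            if depth == 0:
                return line[start + 1:i]
    return line[start + 1:]  # unterminated call: take the rest of the line


def scan_line(line: str) -> list[str]:
    """Signals found in the subprocess.run() calls on `line`; [] means not flagged."""
    found: list[str] = []
    for m in SUBPROCESS_CALL.finditer(line):
        args = _call_args(line, m.end() - 1)
        for name, pattern in DYNAMIC_SIGNALS.items():
            if pattern.search(args) and name not in found:
                found.append(name)
    return found


def scan_source(source: str) -> list[tuple[int, str, list[str]]]:
    """(lineno, stripped line, signals) for every flagged call in `source`."""
    return [(n, ln.strip(), sig) for n, ln in enumerate(source.splitlines(), 1)
            if (sig := scan_line(ln))]


# Constructed sample: lines 1-3 and 7 must not be flagged, lines 4-6 must.
SAMPLE = '''\
subprocess.run(["ls", "-l"])
cmd = ["git", "status"]
subprocess.run(cmd, check=True)
subprocess.run(f"ls {user_dir}", shell=True)
subprocess.run("ls -l " + user_dir, shell=True)
subprocess.run("echo {}".format(msg), shell=True)
subprocess.run(["echo", user_input])
'''

if __name__ == "__main__":
    for lineno, text, signals in scan_source(SAMPLE):
        print(f"line {lineno}: {', '.join(signals)} -> {text}")
```

Because the check is line-local, a string assembled on an earlier line and passed as a variable is not flagged; that is the false-negative side of the trade-off the PR makes to remove false positives on literal lists.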
@ajianaz ajianaz force-pushed the fix/reduce-security-scanner-fp branch from d4a460b to 7759790 Compare June 27, 2026 07:51
@ajianaz ajianaz closed this Jun 27, 2026
@ajianaz ajianaz deleted the fix/reduce-security-scanner-fp branch June 27, 2026 08:07


Development

Successfully merging this pull request may close these issues.

investigate: ignore.rules does not filter security scanner findings from SARIF output
