
fix(security): tighten command injection regex + add ignore rules logging#328

Merged

ajianaz merged 1 commit into develop from fix/reduce-security-scanner-fp2 on Jun 27, 2026

Conversation

ajianaz (Collaborator) commented Jun 27, 2026

Problem

The injection/exec security scanner regex matches every subprocess.run() call,
including safe ones with controlled literal lists. This causes false positives
in legitimate subprocess calls.

Also, apply_ignore_rules() had no debug logging, making it impossible to
diagnose filtering issues.

Changes

1. Tighter injection/exec regex: only flags when dynamic input signals are present
   (f-string, format(), shell=True, string concat with user input)
2. Debug logging for apply_ignore_rules
3. 7 new unit tests (3 security_scanner + 4 review)

Closes #326

…ging

- Tighten injection/exec regex: only flag subprocess.run when dynamic
  input signals are present (f-string, format(), shell=True, string concat
  with user input). Literal list calls like subprocess.run(cmd) are safe.
- Add debug logging to apply_ignore_rules for better diagnostics
- Add unit tests for ignore_rules (title match, issue_type match, empty,
  case insensitive)
- Add unit tests for security_scanner (no FP on literal list, triggers
  on f-string and shell=True)

Fixes #326
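Added example, not the project's own scanner code: a minimal line-based check that implements the rule described in this PR, flagging a subprocess.run() call only when one of the named dynamic-input signals appears in its arguments. The signal names, the regexes and the sample lines below are constructed for illustration.

```python
import re

# Find a single-line subprocess.run(...) call and capture its argument text.
# Assumption: the scanner works line by line, as the page's regex does.
CALL_RE = re.compile(r"subprocess\.run\((?P<args>.*)\)")

# Dynamic-input signals from the PR description; a call with none of these
# (e.g. a literal list or a plain variable) is treated as safe. Constructed regexes.
DYNAMIC_SIGNALS = {
    "f-string": re.compile(r"""\bf["']"""),          # f"..." / f'...'
    "format()": re.compile(r"\.format\("),           # "...".format(...)
    "shell=True": re.compile(r"\bshell\s*=\s*True\b"),
    "string concat": re.compile(r"""["']\s*\+|\+\s*["']"""),  # "..." + x / x + "..."
}


def find_injection_signals(line: str) -> list[str]:
    """Return the dynamic-input signals found in a subprocess.run() call on `line`.

    An empty list means either no call on the line or a call without any signal,
    which is exactly the false-positive case (literal lists, subprocess.run(cmd))
    the tightened regex is meant to stop flagging.
    """
    m = CALL_RE.search(line)
    if not m:
        return []
    args = m.group("args")
    return [name for name, rx in DYNAMIC_SIGNALS.items() if rx.search(args)]


def scan(source: str) -> list[tuple[int, str, list[str]]]:
    """Scan source text line by line; return (lineno, line, signals) for flagged calls only."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        signals = find_injection_signals(line)
        if signals:
            findings.append((lineno, line.strip(), signals))
    return findings


# Constructed sample: lines 1-2 are the safe calls the old regex flagged,
# lines 3-6 each carry one or more dynamic-input signals.
SAMPLE = '''\
subprocess.run(["ls", "-l"])
subprocess.run(cmd)
subprocess.run(f"ls {path}", shell=True)
subprocess.run("ls {}".format(path))
subprocess.run("ls " + user_input)
subprocess.run(cmd, shell=True)
'''

if __name__ == "__main__":
    for lineno, line, signals in scan(SAMPLE):
        print(f"line {lineno}: {line}  <- {', '.join(signals)}")
```

A list built with `+` (for example `["ls"] + extra_args`) carries none of these textual signals and is not flagged, which shows the limit of a line-based regex; an AST walk would be needed to see that the argument is dynamic.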
@ajianaz ajianaz merged commit 7dff4a8 into develop Jun 27, 2026
10 checks passed
@ajianaz ajianaz deleted the fix/reduce-security-scanner-fp2 branch June 27, 2026 08:11
Linked issue (closed by this pull request): investigate: ignore.rules does not filter security scanner findings from SARIF output