
ci(semgrep): disable flaky p/ci gha-curl-pipe-shell rule#356

Merged
Cre-eD merged 1 commit into main from fix/semgrep-disable-flaky-gha-curl-pipe-shell on Jul 1, 2026

Conversation

@Cre-eD Cre-eD (Contributor) commented Jun 30, 2026

Problem

The Semgrep check is flaky-red on PRs and went red on main after #355 merged. Root cause is the p/ci registry rule yaml.github-actions.security.gha-curl-pipe-shell.gha-curl-pipe-shell.

That rule re-parses every workflow run: block as Bash via a metavariable-pattern. GitHub Actions ${{ }} expressions are not valid Bash, so the sub-parser throws — emitting PartialParsing + Internal matching error entries into the results JSON (24 on our workflows). The scan action treats a non-empty .errors array as a hard failure, so the build fails even though zero real findings were produced.

It's nondeterministic: the same commit on feat/provision-skip-refresh passed in run 28464481418 and then failed in run 28464579912. After #355 squash-merged, the post-merge main run 28469227229 failed for the same reason.

Fix

Add the rule to the existing disabled-rules input (the documented knob for over-broad registry-pack rules).

Why no coverage is lost

The SC custom ruleset already ships shell-curl-pipe-to-shell (semgrep-scan/rules/shell.yml), an ERROR-severity regex rule that flags curl|wget … | sh supply-chain piping across **/*.sh, **/*.bash, **/*.yml, **/*.yaml — with no Bash sub-parse, so it can't hit this engine bug. The registry rule is redundant with it.

Empirical verification

Pinned image semgrep/semgrep:1.161.0 against .github/workflows:

| Config | .errors |
| --- | --- |
| p/ci (rule active) | 22–24 (engine parse errors, not findings) |
| p/ci + --exclude-rule …gha-curl-pipe-shell | 0 |

All 24 CI errors traced to this single rule (23× PartialParsing + Internal matching error, no other rule implicated).
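A small triage script, added here as an illustration and not part of this PR or the repository, that does what the empirical verification above did by hand: it reads Semgrep's results JSON, separates real findings from engine errors, and attributes the errors to rule ids so the rule worth testing with `--exclude-rule` stands out. The JSON field names (`results`, `errors`, `type`, `rule_id`, `path`) are my understanding of Semgrep's output format, and the embedded sample is constructed, not real scan output.

```python
import json
from collections import Counter

# Constructed Semgrep results JSON (not real scan output), mirroring the PR:
# zero findings, but engine errors attributed to one registry rule. The field
# names are an assumption about Semgrep's JSON schema, not a verified spec.
RULE = "yaml.github-actions.security.gha-curl-pipe-shell.gha-curl-pipe-shell"
SAMPLE_OUTPUT = json.dumps({
    "version": "1.161.0",
    "results": [],
    "errors": [
        {"level": "warn", "rule_id": RULE, "path": ".github/workflows/ci.yml",
         "type": ["PartialParsing", [{"path": ".github/workflows/ci.yml"}]],
         "message": "constructed: syntax error in run: block"},
        {"level": "error", "rule_id": RULE, "path": ".github/workflows/release.yml",
         "type": "Internal matching error", "message": "constructed"},
        {"level": "warn", "rule_id": RULE, "path": ".github/workflows/deploy.yml",
         "type": "Internal matching error", "message": "constructed"},
        # An error carrying no rule_id: the engine timed out on a file, so no
        # single rule can be blamed for it and it must not be "fixed" by exclusion.
        {"level": "warn", "path": "scripts/huge.sh", "type": "Timeout",
         "message": "constructed"},
    ],
})


def error_kind(err: dict) -> str:
    """Some error types serialise as ["Kind", payload]; normalise to the kind name."""
    kind = err.get("type", "unknown")
    return kind[0] if isinstance(kind, list) and kind else str(kind)


def triage(raw_json: str) -> dict:
    """Count findings vs. engine errors and attribute errors to rules and kinds."""
    data = json.loads(raw_json)
    errors = data.get("errors", [])
    by_rule = Counter(err.get("rule_id", "<no rule_id>") for err in errors)
    by_kind = Counter(error_kind(err) for err in errors)
    return {"findings": len(data.get("results", [])), "errors": len(errors),
            "by_rule": dict(by_rule), "by_kind": dict(by_kind)}


def exclusion_candidates(summary: dict, share: float = 0.5) -> list[str]:
    """Rules responsible for at least `share` of all engine errors: the ones whose
    exclusion is worth re-testing before adding them to disabled-rules."""
    total = summary["errors"] or 1
    return [rule for rule, n in summary["by_rule"].items()
            if rule != "<no rule_id>" and n / total >= share]


if __name__ == "__main__":
    s = triage(SAMPLE_OUTPUT)
    print(f"findings={s['findings']} errors={s['errors']} by_kind={s['by_kind']}")
    print("candidates for disabled-rules:", exclusion_candidates(s))
```

Run it against real output with `semgrep scan --json` piped into `triage`; a clean run is one where both `findings` and `errors` are zero, since the scan action treats a non-empty `.errors` array as a failure.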

@github-actions github-actions Bot commented Jun 30, 2026

Semgrep Scan Results

Repository: api | Commit: 6d3fbad

| Check | Status | Details |
| --- | --- | --- |
| ⚠️ Semgrep | Warning | 1 warning(s), 5 total |

Scanned at 2026-07-01 06:38 UTC

@github-actions


📊 Statement coverage

Measured on the documented included set (see docs/TESTING.md → Coverage scope). Observe-only — no regression gate is enforced yet.

| Scope | This PR | main baseline | Δ |
| --- | --- | --- | --- |
| Included set (Gold-tier denominator) | 90.3% | 90.3% | +0.0 pp |
| Full set (whole repo, transparency) | 27.9% | 27.9% | +0.0 pp |

Baseline: main @ 97f2738

@github-actions github-actions Bot commented Jun 30, 2026

Security Scan Results

Repository: api | Commit: 6d3fbad

| Check | Status | Details |
| --- | --- | --- |
| ✅ Secret Scan | Pass | No secrets detected |
| ✅ Dependencies (Trivy) | Pass | 0 total (no critical/high) |
| ✅ Dependencies (Grype) | Pass | 0 total (no critical/high) |
| 📦 SBOM | Generated | 523 components (CycloneDX) |

Scanned at 2026-07-01 06:39 UTC

smecsia previously approved these changes Jun 30, 2026
universe-ops previously approved these changes Jun 30, 2026
The p/ci rule yaml.github-actions.security.gha-curl-pipe-shell re-parses
each workflow run: block as Bash via a metavariable-pattern. GitHub
Actions ${{ }} expressions are not valid Bash, so the sub-parser emits
nondeterministic PartialParsing / Internal matching error engine errors
(24 on our workflows) that the scan action counts in .errors and fails
on - flaky red CI, not real findings. The same commit passed then failed
on consecutive runs (#355), and main went red post-merge for the same
reason.

Suppress it via the disabled-rules input. No coverage lost: the SC
shell-curl-pipe-to-shell rule already flags curl|wget | sh piping in
**/*.yml and **/*.yaml by regex, with no Bash sub-parse.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Cre-eD dismissed stale reviews from universe-ops and smecsia via 2bd9197, July 1, 2026 06:38
Cre-eD force-pushed the fix/semgrep-disable-flaky-gha-curl-pipe-shell branch from 5292ce6 to 2bd9197, July 1, 2026 06:38
Cre-eD merged commit 5e9f06e into main, Jul 1, 2026
22 checks passed