From 2bd919710803d75877f2720b24c8c65165d78415 Mon Sep 17 00:00:00 2001
From: Dmitrii Creed
Date: Tue, 30 Jun 2026 23:47:00 +0400
Subject: [PATCH] ci(semgrep): disable flaky p/ci gha-curl-pipe-shell rule

The p/ci rule yaml.github-actions.security.gha-curl-pipe-shell re-parses each workflow run: block as Bash via a metavariable-pattern. GitHub Actions ${{ }} expressions are not valid Bash, so the sub-parser emits nondeterministic PartialParsing / Internal matching error engine errors (24 on our workflows) that the scan action counts in .errors and fails on - flaky red CI, not real findings. The same commit passed then failed on consecutive runs (#355), and main went red post-merge for the same reason. Suppress it via the disabled-rules input. No coverage lost: the SC shell-curl-pipe-to-shell rule already flags curl|wget | sh piping in **/*.yml and **/*.yaml by regex, with no Bash sub-parse.

Signed-off-by: Dmitrii Creed
---
 .github/workflows/semgrep.yml | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
index f2c7c292..2cfaa395 100644
--- a/.github/workflows/semgrep.yml
+++ b/.github/workflows/semgrep.yml
@@ -52,4 +52,16 @@ jobs:
 # secure_file_reader.go). The SC team explicitly dropped its
 # own equivalent rule in round-6 triage for the same reason
 # (see go-canon.yml comment in actions repo).
- disabled-rules: 'go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5,go.lang.security.deserialization.unsafe-deserialization-interface.go-unsafe-deserialization-interface'
+ #
+ # `gha-curl-pipe-shell` — this p/ci rule re-parses each workflow
+ # `run:` block as Bash via a metavariable-pattern. GHA `${{ }}`
+ # expressions are not valid Bash, so the sub-parser emits
+ # nondeterministic PartialParsing / "Internal matching error"
+ # engine errors (24 on our workflows), which scan.sh counts as
+ # `.errors` and fails the build — flaky red CI, not real findings
+ # (the same commit passed and then failed on consecutive runs).
+ # Replacement coverage: the SC `shell-curl-pipe-to-shell` rule
+ # (shell.yml) flags curl/wget output piped into a shell across
+ # `**/*.yml`/`**/*.yaml` by regex, with no Bash sub-parse — so no
+ # coverage is lost by suppressing the registry rule.
+ disabled-rules: 'go.lang.security.audit.crypto.use_of_weak_crypto.use-of-md5,go.lang.security.deserialization.unsafe-deserialization-interface.go-unsafe-deserialization-interface,yaml.github-actions.security.gha-curl-pipe-shell.gha-curl-pipe-shell'
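Review bot: The rule id appended to `disabled-rules` on the last line of the hunk (`…gha-curl-pipe-shell.gha-curl-pipe-shell`, suffix repeated) differs from the form the commit message gives (`yaml.github-actions.security.gha-curl-pipe-shell`); if the scan matches on the exact id, a mismatch would silently leave the rule active and the flaky errors would persist, so confirm on the next run that the suppression takes effect and state in the comment which form is canonical. The added comment's "no coverage is lost" claim rests on the SC `shell-curl-pipe-to-shell` regex, which as described matches curl/wget output piped into a shell; if the registry rule also catches download-and-execute shapes that are not a literal pipe, the comment overstates the equivalence — hedge it or cite the regex so the claim is checkable. Since this suppresses a security rule with no end condition, add a revisit trigger, e.g. `# Revisit: re-enable once the upstream rule stops sub-parsing run: blocks as Bash.`. The value is now three ids in one very long single-quoted line; if the consuming action tolerates whitespace around commas (not established here), a folded `>-` scalar with one id per line would keep future additions diffable — confirm before changing.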