This is an automated email from the ASF dual-hosted git repository.
sbp pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tooling-trusted-releases.git
The following commit(s) were added to refs/heads/main by this push:
new b7b0b03 Add OS injection related semgrep rules
b7b0b03 is described below
commit b7b0b03f2d08c931b9a1ed211a2df43011f4ad39
Author: Sean B. Palmer <[email protected]>
AuthorDate: Tue Dec 9 16:52:47 2025 +0000
Add OS injection related semgrep rules
---
.pre-commit-heavy.yaml | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/.pre-commit-heavy.yaml b/.pre-commit-heavy.yaml
index f3ca406..cd85020 100644
--- a/.pre-commit-heavy.yaml
+++ b/.pre-commit-heavy.yaml
@@ -15,6 +15,7 @@ repos:
- id: semgrep
args:
- --config=p/ci
+ - --config=p/command-injection
- --config=p/cwe-top-25
- --config=p/docker-compose
- --config=p/jwt
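Review bot: the added "--config=p/command-injection" line has no comment saying what it is expected to catch beyond the p/cwe-top-25 and p/security-audit packs already in this args list, so a later reader cannot tell whether it is deliberate extra coverage or redundant. A one-line YAML comment above it would settle that. Note also that a p/ pack is resolved from the Semgrep registry when the hook runs, and this hook passes --error, so changes to the pack upstream can start failing the hook without any change in this repository. If that is acceptable for the "heavy" profile, it is worth stating in the file.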
@@ -23,13 +24,15 @@ repos:
- --config=p/secrets
- --config=p/security-audit
- --config=p/sql-injection
- - --error
- - --quiet
- - --metrics=off
+ - --config=r/python.lang.security.audit.dangerous-asyncio-shell
- --disable-version-check
- - --exclude=migrations/versions/0027_2025.09.08_69e565eb.py
+ - --error
-
--exclude-rule=generic.html-templates.security.var-in-href.var-in-href
- --exclude-rule=html.security.plaintext-http-link.plaintext-http-link
- - --exclude-rule=python.lang.security.use-defused-xml.use-defused-xml
+ -
--exclude-rule=python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe
-
--exclude-rule=python.lang.security.use-defused-xml-parse.use-defused-xml-parse
+ - --exclude-rule=python.lang.security.use-defused-xml.use-defused-xml
+ - --exclude=migrations/versions/0027_2025.09.08_69e565eb.py
+ - --metrics=off
+ - --quiet
pass_filenames: false
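Review bot: the new "--exclude-rule=python.flask.security.xss.audit.template-unescaped-with-safe.template-unescaped-with-safe" entry turns off an XSS audit rule for the whole repository in a commit whose message only mentions OS injection rules, and nothing in the file explains why. Please add a comment giving the reason, or suppress the reviewed uses individually (for instance with per-site nosemgrep comments) so that new uses of the safe filter are still reported. Separately, "--config=r/python.lang.security.audit.dangerous-asyncio-shell" is written without the repeated rule-name suffix that the --exclude-rule entries use (such as "use-defused-xml.use-defused-xml"). Since the hook runs with --quiet, it is worth confirming once that this path actually loads a rule. The rest of the hunk only reorders existing flags, which makes the two functional changes harder to spot. Splitting the reorder into its own commit would keep the security-relevant change reviewable.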