Skip to content

feat: add Kilo Gastown methodology spec and SAST tooling #942

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
KooshaPari wants to merge 13 commits into from
Closed

feat: add Kilo Gastown methodology spec and SAST tooling #942

Show file tree
Hide file tree
Changes from 3 commits
Commits
Show all changes
13 commits
Select commit Hold shift + click to select a range
0f98bcc
Add Kilo Gastown methodology spec
Mar 31, 2026
3d28883
docs: resolve merge conflict in KILO_GASTOWN_SPEC.md
claude Mar 31, 2026
f44d1fd
ci: add SAST tooling (semgrep, trufflehog)
Apr 1, 2026
fa9c9d5
chore: add governance baselines, rulesets, and update security workflow
Apr 2, 2026
07c09bc
Merge origin/main into feat/kilo-gastown-spec-and-sast
Apr 2, 2026
faafc4f
ci: refresh sast and pr readiness tooling
Apr 2, 2026
52b6035
ci: fix models catalog refresh path
Apr 2, 2026
b460bab
fix: unblock secret scan and codex executor syntax
Apr 2, 2026
576b830
ci: tighten quick sast to pr delta and fix gofmt debt
Apr 2, 2026
eac2d7f
fix(security): clear semgrep findings on pr diff
Apr 2, 2026
d530d80
ci: harden governance and security baselines
Apr 2, 2026
39ba5a3
feat: apply phenotype governance standards
Apr 2, 2026
d9cff8a
feat: apply governance standards
Apr 2, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
86 changes: 86 additions & 0 deletions .github/workflows/sast-full.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
name: SAST Full Analysis

on:
schedule:
- cron: "0 2 * * *"
workflow_dispatch:

permissions:
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

github/codeql-action/* typically requires actions: read permission (the existing codeql.yml includes it). sast-full.yml sets only contents: read and security-events: write, which may cause the CodeQL steps to fail with insufficient permissions in some repo/org settings.

Suggested change
permissions:
permissions:
actions: read

Copilot uses AI. Check for mistakes.
contents: read
security-events: write

jobs:
codeql:
name: CodeQL Analysis
runs-on: ubuntu-latest
timeout-minutes: 30
strategy:
matrix:
language: [python, cpp, javascript]
Copy link
Copy Markdown

@cursor cursor bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CodeQL scans wrong languages, misses Go entirely

High Severity

The CodeQL language matrix is [python, cpp, javascript], but this is a Go repository (the go.mod declares module github.com/kooshapari/CLIProxyAPI/v7). The existing codeql.yml correctly targets [go]. This full SAST analysis will scan three languages that have no source files in the repo while completely missing the actual Go codebase — rendering the CodeQL job useless.

Fix in Cursor Fix in Web

steps:
- uses: actions/checkout@v4
Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: CodeQL matrix missing Go language.

The matrix lists [python, cpp, javascript] but this is primarily a Go codebase (per cargo clippy in sast-quick.yml, the AGENTS.md build instructions, and the codebase structure). Without go in the matrix, CodeQL will not analyze the core Go code, making the full SAST scan incomplete for this repository.

Suggested change
- uses: actions/checkout@v4
language: [go, python, javascript]

Note: also removed cpp since this doesn't appear to be a C++ project. Adjust if there is C++ code present.


- name: Initialize CodeQL
uses: github/codeql-action/init@v3
with:
languages: ${{ matrix.language }}

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v3
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This CodeQL matrix doesn’t include the repo’s primary language (Go) and includes cpp even though there are no C/C++ sources in the repository. Also, the repo already has a dedicated Go CodeQL workflow (.github/workflows/codeql.yml). Consider either extending the existing CodeQL workflow for additional languages present here (Go/Python/JS) or adjusting this job to scan the actual languages in the repo and avoid duplicating CodeQL uploads.

Copilot uses AI. Check for mistakes.

Comment on lines +23 to +30
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This workflow uses CodeQL action v3 (github/codeql-action/*@v3), but the existing .github/workflows/codeql.yml uses v4 (see .github/workflows/codeql.yml:24-36). Aligning on a single major version reduces maintenance overhead and avoids behavioral differences across workflows.

Copilot uses AI. Check for mistakes.
trivy-repo:
name: Trivy Repository Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Using @master branch reference for trivy-action.

Pinning to a mutable branch (@master) introduces supply-chain risk and non-reproducible builds. If the upstream action is compromised or introduces breaking changes, your CI will silently adopt them.

Recommend pinning to a specific version tag or commit SHA:

      - uses: aquasecurity/trivy-action@v0.28.0

- uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: .
format: sarif
output: trivy-results.sarif
continue-on-error: true
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

aquasecurity/trivy-action@master and trufflesecurity/trufflehog@main are floating refs. For a security workflow, these should be pinned to a version tag or (ideally) a commit SHA to reduce supply-chain risk and ensure reproducible scans.

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Trivy action is referenced from the moving @master branch. Pin to a version tag or commit SHA to avoid unexpected behavior changes and reduce supply-chain risk.

Copilot uses AI. Check for mistakes.

- name: Upload Trivy SARIF
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: trivy-results.sarif
category: trivy
Comment thread
coderabbitai[bot] marked this conversation as resolved.

full-semgrep:
name: Full Semgrep Analysis
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@v4

- uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/owasp-top-ten
p/cwe-top-25
.semgrep-rules/
generateSarif: true

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: semgrep.sarif
category: semgrep-full

full-secrets:
name: Full Secret Scan
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- uses: trufflesecurity/trufflehog@main
with:
path: ./
extra_args: --only-verified --fail
continue-on-error: true
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same as in the quick workflow: trufflehog is run with --fail but the step is continue-on-error: true, so verified secret findings won’t fail the scheduled/manual run. Decide whether this should be enforcing (remove continue-on-error) or informational (remove --fail).

Suggested change
continue-on-error: true

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The TruffleHog action is referenced from the moving @main branch. Pin to a release tag or commit SHA for reproducibility and supply-chain safety.

Copilot uses AI. Check for mistakes.
69 changes: 69 additions & 0 deletions .github/workflows/sast-quick.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,69 @@
name: SAST Quick Check

on:
pull_request:
push:
branches: [main]

permissions:
contents: read
security-events: write
pull-requests: write
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Workflow permissions include pull-requests: write, but this workflow doesn’t appear to create/update PR comments or reviews. Consider dropping it to follow least-privilege (keep contents: read and security-events: write).

Suggested change
pull-requests: write

Copilot uses AI. Check for mistakes.

jobs:
semgrep:
name: Semgrep Scan
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- uses: actions/checkout@v4

- uses: returntocorp/semgrep-action@v1
with:
config: >-
p/security-audit
p/owasp-top-ten
Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: returntocorp/semgrep-action@v1 is deprecated.

The returntocorp/semgrep-action has been deprecated in favor of running the Semgrep CLI directly or using the semgrep/semgrep-action container. The @v1 tag may stop receiving updates.

Recommended replacement:

      - uses: semgrep/semgrep-action@v1

Or run semgrep CLI directly:

      - run: semgrep ci --config p/security-audit --config p/owasp-top-ten --config p/cwe-top-25 --config .semgrep-rules/ --sarif --output semgrep.sarif

p/cwe-top-25
.semgrep-rules/
generateSarif: true

- name: Upload SARIF
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: semgrep.sarif
category: semgrep

secrets:
name: Secret Scanning
runs-on: ubuntu-latest
timeout-minutes: 3
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0

- uses: trufflesecurity/trufflehog@main
Copy link
Copy Markdown

@cursor cursor bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Security actions pinned to mutable branch references

Medium Severity

trufflesecurity/trufflehog@main and aquasecurity/trivy-action@master are pinned to mutable branch refs rather than commit SHAs or immutable version tags. A compromised upstream repo could inject malicious code that runs in CI with contents: read and security-events: write permissions. This is especially concerning for security-focused workflows running on every PR.

Additional Locations (2)
Fix in Cursor Fix in Web

with:
path: ./
extra_args: --only-verified --fail
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

trufflehog is invoked with --fail, but the step is marked continue-on-error: true, so verified secrets won’t actually fail the workflow. If the goal is to gate PRs on verified findings, remove continue-on-error; if the goal is reporting-only, drop --fail to avoid implying enforcement.

Suggested change
extra_args: --only-verified --fail
extra_args: --only-verified

Copilot uses AI. Check for mistakes.
continue-on-error: true
Copy link
Copy Markdown

@cursor cursor bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Secret scan continue-on-error defeats --fail flag

Medium Severity

The trufflehog step uses --fail (exit non-zero on verified secrets) but also sets continue-on-error: true, which means the job still reports success. In sast-quick.yml this runs on PRs, so a pull request containing verified leaked secrets will not be blocked by this check — undermining the purpose of secret scanning in CI.

Additional Locations (1)
Fix in Cursor Fix in Web

Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

trufflesecurity/trufflehog@main is a floating ref. For supply-chain safety and reproducible results, pin to a version tag or commit SHA (especially in security workflows).

Copilot uses AI. Check for mistakes.
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This step sets --fail in TruffleHog args, but the action step is marked continue-on-error: true, which prevents failures from ever gating. Decide whether secret findings should block (remove continue-on-error) or be informational (remove --fail).

Suggested change
continue-on-error: true

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WARNING: Using @main branch reference for trufflehog.

Pinning to @main introduces supply-chain risk and non-reproducible builds. Pin to a specific release tag or commit SHA for security:

      - uses: trufflesecurity/trufflehog@v3.82.12

lint-rust:
name: Rust Lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: dtolnay/rust-toolchain@stable
with:
components: clippy
- uses: Swatinem/rust-cache@v2
- run: cargo clippy --all-targets --all-features -- -D warnings
Copy link
Copy Markdown

@cursor cursor bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Rust lint job runs on Go-only repository

Medium Severity

The lint-rust job runs cargo clippy on every PR and push to main, but this repository contains no Rust code — no Cargo.toml, no .rs files. This job will either fail (wasting CI time and creating noise) or require cargo setup for nothing. For a Go repo, this likely intended to be a Go lint step.

Fix in Cursor Fix in Web

Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The lint-rust job runs cargo clippy, but this repo doesn’t contain a Cargo project (no Cargo.toml found). This job will fail on every run. Remove the Rust lint job, or guard it (e.g., only run when Cargo.toml exists / when Rust paths change).

Copilot uses AI. Check for mistakes.

license-check:
name: License Compliance
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: licensefinder/license_finder_action@v2
continue-on-error: true
52 changes: 52 additions & 0 deletions .semgrep-rules/architecture-violations.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
rules:
- id: circular-module-dependency
patterns:
- pattern-either:
- pattern: |
use crate::domain::*;
- pattern: |
use crate::adapters::*;
message: Potential circular dependency. Check module import hierarchy.
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The rule circular-module-dependency is misleadingly named. It currently flags any wildcard import (*) in the domain or adapters modules, which is a style preference rather than a detection of circular dependencies. Consider renaming the rule to no-wildcard-imports or implementing a more robust check for actual dependency cycles.

languages: [rust]
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The repository cliproxyapi++ is a Go project (as evidenced by the Taskfile.yml, AGENTS.md, and .go source files), but these Semgrep rules are configured for Rust (languages: [rust]) and use Rust-specific syntax like crate:: and async fn. These rules will not execute on the Go source code. Please update the rules to use languages: [go] and patterns appropriate for the Go project structure.

severity: MEDIUM

- id: layer-violation-adapter-accessing-domain
patterns:
- pattern: |
mod adapters {
...
use crate::domain::...
...
}
message: Adapter layer should not directly access domain logic. Use ports/traits instead.
languages: [rust]
severity: MEDIUM

- id: mixed-concerns-in-handler
patterns:
- pattern: |
async fn $HANDLER(...) {
...
database.query(...)
...
api.call(...)
...
filesystem.write(...)
...
}
message: Handler mixes database, API, and filesystem concerns. Consider dependency injection.
languages: [rust]
severity: LOW

- id: direct-database-in-tests
patterns:
- pattern: |
#[test]
fn $TEST(...) {
...
Database::connect(...)
...
}
message: Tests should use mocks/fixtures, not direct database connections.
languages: [rust]
severity: MEDIUM
58 changes: 58 additions & 0 deletions .semgrep-rules/secrets-detection.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
rules:
- id: hardcoded-aws-key
patterns:
- pattern-either:
- pattern: |
"AKIA[0-9A-Z]{16}"
- pattern: |
AKIA[0-9A-Z]{16}
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These secret-detection rules are written like regexes, but pattern: matches literal code/text structure, not a regular expression. As written, this will only match the literal string AKIA[0-9A-Z]{16} (and similarly for the token/webhook patterns), so it won’t detect real secrets. Use pattern-regex: (or regex:-based constructs) for token-like detectors, and avoid "..." which currently matches only three dots.

Copilot uses AI. Check for mistakes.
message: Potential AWS Access Key detected. Use environment variables instead.
languages: [generic]
severity: CRITICAL

- id: hardcoded-api-key-env
patterns:
- pattern-either:
- pattern: |
api_key = "..."
- pattern: |
apiKey = "..."
- pattern: |
API_KEY = "..."
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The patterns for hardcoded keys use the = operator, which is common in configuration files but may miss assignments in Go source code where the short variable declaration operator := is frequently used. Consider adding patterns that account for := or using a more flexible regex to catch various assignment styles in the generic language mode.

message: Hardcoded API key detected. Use environment variables or secrets management.
languages: [generic]
severity: HIGH
Comment on lines +8 to +12
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The character class uses \\n which (after YAML parsing) typically excludes a literal backslash and the letter n, not an actual newline. If the goal is to avoid matching across lines, use \n (newline escape) in the regex (and consider \r as well). As written, this can increase false positives by allowing matches that span newlines.

Copilot uses AI. Check for mistakes.

Comment on lines +2 to +18
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These secret-detection rules appear to use regex syntax inside pattern, but Semgrep won’t treat pattern as a regex (so strings like AKIA[0-9A-Z]{16} and "..." will match literally and likely never trigger). Consider switching to pattern-regex (or using metavariables) so the rules actually detect real secrets.

Copilot uses AI. Check for mistakes.
- id: hardcoded-password
patterns:
- pattern-either:
- pattern: |
password = "..."
- pattern: |
passwd = "..."
- pattern: |
pwd = "..."
message: Hardcoded password detected. Use environment variables or secrets management.
Comment thread
coderabbitai[bot] marked this conversation as resolved.
languages: [generic]
severity: CRITICAL
Comment on lines +19 to +23
Copy link

Copilot AI Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same newline-escape issue as the API key rule: \\n inside the negated character class is unlikely to exclude actual newline characters. Using \n (and possibly \r) would better prevent cross-line matches and reduce false positives.

Copilot uses AI. Check for mistakes.

- id: hardcoded-slack-webhook
patterns:
- pattern: |
https://hooks.slack.com/services/[A-Z0-9/]+
message: Slack webhook URL detected. This should be in environment variables.
languages: [generic]
severity: HIGH

- id: hardcoded-github-token
patterns:
- pattern-either:
- pattern: |
ghp_[A-Za-z0-9_]{36,255}
- pattern: |
gho_[A-Za-z0-9_]{36,255}
- pattern: |
ghu_[A-Za-z0-9_]{36,255}
message: GitHub token detected. Never commit tokens to code.
languages: [generic]
severity: CRITICAL
59 changes: 59 additions & 0 deletions .semgrep-rules/unsafe-patterns.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
rules:
- id: unsafe-deserialization
patterns:
- pattern-either:
- pattern: |
serde_json::from_str($X)
- pattern: |
bincode::deserialize($X)
message: Unsafe deserialization without validation. Consider using `serde` with validation attributes.
languages: [rust]
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

These unsafe pattern rules are targeting Rust. For this Go project, consider adding rules for common Go issues such as unhandled errors, fmt.Sprintf in SQL queries (injection), or improper use of the unsafe package.

severity: MEDIUM

- id: unwrap-without-context
patterns:
- pattern: |
$X.unwrap()
- metavariable-comparison:
metavariable: $X
comparison: match_regex
regex: |
(?!(log|debug|info|warn|error)).*
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The regex (?!(log|debug|info|warn|error)).* used in the unwrap-without-context rule is confusing. It appears to exclude variables starting with logging levels from being flagged when .unwrap() is called on them. However, in production code, .unwrap() is generally discouraged regardless of the variable name. It would be clearer to flag all occurrences and exclude test files via the global configuration.

message: Use of unwrap() without error handling context. Prefer `?` operator or explicit error handling.
languages: [rust]
severity: MEDIUM

- id: todo-without-issue
patterns:
- pattern: |
todo!($MSG)
message: Untracked todo!() macro. Please file an issue and reference it in a comment.
languages: [rust]
severity: LOW

- id: unsafe-sql
patterns:
- pattern: |
format!($QUERY, $ARG)
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

format!($QUERY, $ARG) will flag any two-argument format! usage, even when the formatted string isn't SQL, while missing common multi-argument format! calls. This makes the rule's "SQL injection" message inaccurate/noisy. Consider constraining matches to known SQL contexts (e.g., variables/identifiers used in query APIs) or using a regex that checks for SQL keywords in the format string.

Suggested change
format!($QUERY, $ARG)
format!($QUERY, $ARG, ...)
- metavariable-regex:
metavariable: $QUERY
regex: '(?i)\b(SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN)\b'

Copilot uses AI. Check for mistakes.
message: SQL queries built with format!() are vulnerable to injection. Use parameterized queries.
languages: [rust]
severity: CRITICAL

- id: hardcoded-localhost
patterns:
- pattern-either:
- pattern: |
"localhost:$PORT"
- pattern: |
"127.0.0.1:$PORT"
message: Hardcoded localhost in production code. Use environment variables or configuration.
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some patterns here won’t match real code as intended because they use literal identifiers/strings instead of metavariables. For example, return Err(e) only matches when the variable is literally named e, and "localhost:$PORT" will only match that exact string (Semgrep doesn’t treat $PORT as a placeholder inside string literals). Use metavariables (e.g., return Err($E)) and/or pattern-regex for matching within string literal contents.

Copilot uses AI. Check for mistakes.
languages: [rust]
severity: MEDIUM

- id: missing-error-context
patterns:
- pattern: |
return Err(e)
message: Error propagated without context. Consider using `.context()` from `anyhow` or `.map_err()`.
languages: [rust]
severity: LOW
Copy link
Copy Markdown

@cursor cursor bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep custom rules target Rust, not Go

Medium Severity

All custom semgrep rules in unsafe-patterns.yml and architecture-violations.yml specify languages: [rust] with Rust-specific patterns (unwrap(), format!(), use crate::, etc.). This is a Go repository with no Rust code, so none of these rules will ever match anything. The entire custom rule suite is inert.

Additional Locations (1)
Fix in Cursor Fix in Web

Comment on lines +1 to +26
Copy link
Copy Markdown

@coderabbitai coderabbitai bot Apr 2, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

Custom rules not loaded by SAST workflows.

These Go-focused rules are well-designed, but neither sast-quick.yml nor sast-full.yml includes --config .semgrep-rules/ in the Semgrep scan command. The workflows only use the upstream packs (p/security-audit, p/owasp-top-ten, p/cwe-top-25).

To activate these custom rules, add the config flag to both workflow files:

  semgrep scan \
    --config p/security-audit \
    --config p/owasp-top-ten \
    --config p/cwe-top-25 \
+   --config .semgrep-rules/ \
    --error \

Alternatively, if the intent is to gate CI only on upstream packs initially (as mentioned in 04_IMPLEMENTATION_STRATEGY.md), consider documenting this explicitly so future maintainers know these rules exist but are intentionally not enforced yet.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.semgrep-rules/unsafe-patterns.yml around lines 1 - 26, The Semgrep custom
rules defined in .semgrep-rules/unsafe-patterns.yml are not being loaded because
the Semgrep scan steps in the CI workflows do not pass the --config
.semgrep-rules/ flag; update the Semgrep invocation in both sast-quick.yml and
sast-full.yml to include --config .semgrep-rules/ so these rules (ids
shell-command-with-shell, sql-query-built-with-sprintf,
direct-http-get-without-timeout) are applied, or alternatively add a short note
in 04_IMPLEMENTATION_STRATEGY.md indicating the intentional omission if you want
to keep CI gated only on upstream packs.

27 changes: 27 additions & 0 deletions .semgrep.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
rules:
- id: config
include:
Copy link
Copy Markdown

@kilo-code-bot kilo-code-bot bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CRITICAL: Invalid Semgrep configuration structure.

The rules: key with nested id: and include: is not valid Semgrep config syntax. Semgrep expects rules: to be a list of rule definitions OR references to config files using the rules: key with - path/to/rules.yml entries. The current structure will cause Semgrep to fail to parse this file, breaking all CI SAST scans.

Correct format:

rules:
  - .semgrep-rules/architecture-violations.yml
  - .semgrep-rules/secrets-detection.yml
  - .semgrep-rules/unsafe-patterns.yml

Reference: https://semgrep.dev/docs/configuration-reference

- .semgrep-rules/
Copy link

Copilot AI Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This Semgrep config is not valid Semgrep rule syntax: include: is nested under a rule (- id: config), but include is not a rule property. If the intent is to include the rule directory, use Semgrep's supported config composition (e.g., top-level include: / extends: depending on Semgrep version) or run Semgrep with --config .semgrep-rules/ instead.

Suggested change
rules:
- id: config
include:
- .semgrep-rules/
include:
- .semgrep-rules/

Copilot uses AI. Check for mistakes.

exclude:
- tests/
- "**/*_test.rs"
- "**/*_test.go"
- "**/*.test.ts"
- "**/*.test.js"
- "**/__pycache__"
- "**/__tests__"
- node_modules/
- target/
- build/
- dist/

max-lines-per-finding: 10
paths:
exclude:
- ".git/"
- "target/"
- ".archive/"
- "node_modules/"
- "dist/"
- "build/"
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

low

There is redundant exclusion logic in this configuration. The top-level exclude key (lines 6-17) and the paths: exclude: key (lines 20-27) contain overlapping entries (e.g., target/, node_modules/). It is recommended to consolidate all exclusions under paths: exclude: for better maintainability and adherence to standard Semgrep configuration patterns.

Copy link
Copy Markdown

@cursor cursor bot Apr 1, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep config file has invalid rule structure

Medium Severity

The .semgrep.yaml rule entry id: config with include: is missing all required semgrep rule fields: pattern/patterns, message, severity, and languages. The include key is not a recognized rule field. Top-level keys like exclude: and max-lines-per-finding: are CLI flags, not valid YAML config keys. This file will cause parse errors when semgrep auto-discovers it (e.g., semgrep --config .), breaking local development usage.

Fix in Cursor Fix in Web

Loading
Loading