fix(security): fix nosemgrep suppression format for subprocess calls

harmjeff · claude · harmjeff · commit c0922ea1c828 · 2026-05-05T16:52:37.000-04:00
Change inline full-rule-ID nosemgrep comments to preceding-line
short-name format (# nosemgrep: dangerous-subprocess-use-audit),
matching the pattern used throughout the rest of the codebase that
the Semgrep OSS GitHub App correctly honours.

Co-Authored-By: Claude Sonnet 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/scripts/aidlc-evaluator/packages/cli-harness/src/cli_harness/adapters/claude_code_sdk.py b/scripts/aidlc-evaluator/packages/cli-harness/src/cli_harness/adapters/claude_code_sdk.py
@@ -299,7 +299,8 @@ def _exec_tool(name: str, tool_input: dict, run_folder: Path, rules_dir: Path) -
                 if (val := os.environ.get(var)):
                     env[var] = val
             try:
-                result = subprocess.run(  # nosec B603 nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
+                # nosemgrep: dangerous-subprocess-use-audit
+                result = subprocess.run(  # nosec B603
                     shlex.split(command),
                     shell=False,
                     cwd=str(cwd),
diff --git a/scripts/aidlc-evaluator/packages/cli-harness/src/cli_harness/adapters/kiro_cli.py b/scripts/aidlc-evaluator/packages/cli-harness/src/cli_harness/adapters/kiro_cli.py
@@ -171,7 +171,8 @@ def _run_kiro_stage(stage_prompt: str, stage_name: str, is_first: bool) -> tuple
 
                 _log(f"{stage_name}: launching kiro ({len(stage_prompt)} chars)")
 
-                proc = subprocess.Popen(  # nosec B603 nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
+                # nosemgrep: dangerous-subprocess-use-audit
+                proc = subprocess.Popen(  # nosec B603
                     cmd,
                     cwd=str(workspace),
                     stdout=subprocess.PIPE,
diff --git a/scripts/aidlc-evaluator/run.py b/scripts/aidlc-evaluator/run.py
@@ -93,7 +93,8 @@ def check_docker_sandbox() -> bool:
     if cli is None:
         return False
     try:
-        result = subprocess.run(  # nosec B603 nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
+        # nosemgrep: dangerous-subprocess-use-audit
+        result = subprocess.run(  # nosec B603
             [cli, "info"],
             stdout=subprocess.DEVNULL,
             stderr=subprocess.DEVNULL,
@@ -102,7 +103,8 @@ def check_docker_sandbox() -> bool:
         if result.returncode != 0:
             return False
 
-        result = subprocess.run(  # nosec B603 nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
+        # nosemgrep: dangerous-subprocess-use-audit
+        result = subprocess.run(  # nosec B603
             [cli, "images", "-q", "aidlc-sandbox:latest"],
             capture_output=True,
             text=True,
diff --git a/scripts/aidlc-evaluator/scripts/run_git_compare.py b/scripts/aidlc-evaluator/scripts/run_git_compare.py
@@ -367,7 +367,8 @@ def run_single_evaluation(
         log_file.write(f"{'=' * 70}\n\n")
         log_file.flush()
 
-        result = subprocess.run(cmd, stdout=log_file, stderr=subprocess.STDOUT)  # nosec B603 nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit.dangerous-subprocess-use-audit
+        # nosemgrep: dangerous-subprocess-use-audit
+        result = subprocess.run(cmd, stdout=log_file, stderr=subprocess.STDOUT)  # nosec B603
 
     elapsed_s = time.monotonic() - start_monotonic
     status = "success" if result.returncode == 0 else "failed"
