.semgrepignore
86 lines (78 loc) · 4.52 KB
# Semgrep Ignore File
# Intentional security exemptions with documented justifications
# =============================================================================
# NVIDIA Device Plugin - Requires privileged access for GPU device management
# =============================================================================
# The NVIDIA device plugin DaemonSet needs access to host device paths
# (/var/lib/kubelet/device-plugins) to expose GPU devices to containers.
# This is a fundamental requirement for GPU support in Kubernetes.
# Reference: https://github.com/NVIDIA/k8s-device-plugin
lambda/kubectl-applier-simple/manifests/50-nvidia-device-plugin.yaml
# =============================================================================
# Lambda Container Dockerfiles - No USER directive needed
# =============================================================================
# AWS Lambda containers run as the Lambda runtime user, not as root.
# Adding a USER directive would break Lambda execution.
# Reference: https://docs.aws.amazon.com/lambda/latest/dg/images-create.html
lambda/helm-installer/Dockerfile
lambda/ga-registration/Dockerfile
lambda/secret-rotation/Dockerfile
lambda/api-gateway-proxy/Dockerfile
# =============================================================================
# Example YAML files - Documentation/reference only
# =============================================================================
# Example manifests are for documentation purposes and demonstrate various
# configurations. They are not deployed directly and users customize them.
examples/
# =============================================================================
# CDK NAG Suppressions - Intentional string concatenation for readability
# =============================================================================
# Historical context: earlier scans flagged the long multi-line strings used
# as cdk-nag suppression `reason=` text in these modules. A 2024 rescan
# (`semgrep --config=auto`) found 0 findings on both files, so the blanket
# ignores have been removed.
#
# If a future semgrep rule flags the multi-line strings again, prefer an
# inline `# nosemgrep: <rule-id>` on the offending line over re-adding the
# file-level ignore. Narrowing was attempted and both files are clean; the
# blanket ignore was historical, not current.
# =============================================================================
# Test Files - False positives for test fixtures
# =============================================================================
# `tests/test_auth_middleware.py` defines FastAPI route handlers inside a
# pytest fixture. Semgrep's `useless-inner-function` rule flags those as
# unused because it cannot see that FastAPI's `@app.get(...)` decorator
# registers them. Each handler now carries an inline
# `# nosemgrep: useless-inner-function` comment, so the file-level ignore
# has been removed. Narrowing was attempted and the file is clean.
# =============================================================================
# Build artifacts and generated code
# =============================================================================
lambda/kubectl-applier-simple-build/
lambda/helm-installer-build/
cdk.out/
.venv/
htmlcov/
*.egg-info/
# =============================================================================
# Asciinema recordings - terminal output, not source code
# =============================================================================
# Cast files contain raw terminal output from demo recordings. Semgrep's
# generic secret detector flags CloudFormation resource names that contain
# base64-encoded strings (e.g., SecretRotationFunction/InvokeN0--a2GK...).
# These are CFN logical IDs, not actual secrets.
demo/*.cast
# =============================================================================
# Auto-generated code flowchart HTML
# =============================================================================
# ``diagrams/code_diagrams/**/*.html`` is produced by pyflowchart's
# ``output_html`` helper. The template it renders loads raphael.js,
# flowchart.js, and bootstrap from cdnjs over HTTPS and embeds a
# plaintext-HTTP example link in the "Format Help" section. Those are
# all pyflowchart / flowchart.js upstream template decisions, not ours.
# The files are not served from any GCO endpoint — they're local
# documentation artifacts users open in a checkout — so the
# ``missing-integrity`` (no SRI hash on CDN scripts) and
# ``plaintext-http-link`` findings have no runtime impact here.
# Regenerate with ``python diagrams/code_diagrams/generate.py``.
diagrams/code_diagrams/**/*.html