Commit 5f95738
chore(ci): suppress semgrep false positives with nosemgrep
All four findings are intentional:
- daemon_client.py: writer.write() targets a Unix socket StreamWriter,
  not a file; Django injection rule does not apply
- local_auth.py: 0o750 on /var/lib/arbor is deliberate (arbor group
  needs directory traverse; world access intentionally denied)
- daemon/main.py: 0o750 on socket dir and 0o660 on Unix socket are
  deliberate (SO_PEERCRED enforces uid allowlist on top)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

1 parent c595446 commit 5f95738
3 files changed
Lines changed: 4 additions & 4 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
22 | 22 | | |
23 | 23 | | |
24 | 24 | | |
25 | | - | |
| 25 | + | |
26 | 26 | | |
27 | 27 | | |
28 | 28 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
99 | 99 | | |
100 | 100 | | |
101 | 101 | | |
102 | | - | |
| 102 | + | |
103 | 103 | | |
104 | 104 | | |
105 | 105 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
3323 | 3323 | | |
3324 | 3324 | | |
3325 | 3325 | | |
3326 | | - | |
| 3326 | + | |
3327 | 3327 | | |
3328 | 3328 | | |
3329 | 3329 | | |
3330 | 3330 | | |
3331 | 3331 | | |
3332 | 3332 | | |
3333 | | - | |
| 3333 | + | |
3334 | 3334 | | |
3335 | 3335 | | |
3336 | 3336 | | |
| |||
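The layering the commit message describes (0o750 socket directory, 0o660 Unix socket, SO_PEERCRED uid allowlist on top), as an added example that is not code from this commit or the project. The function names, the `daemon.sock` file name, the temporary directory and the allowlist contents are assumptions, and the code is Linux-only.

```python
import os
import socket
import struct
import tempfile

ALLOWED_UIDS = {os.getuid()}  # assumption: allowlist holds only the daemon's own uid


def peer_credentials(conn):
    """Return (pid, uid, gid) of the connected peer as recorded by the kernel."""
    fmt = "iII"  # struct ucred { pid_t pid; uid_t uid; gid_t gid; }
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize(fmt))
    return struct.unpack(fmt, raw)


def is_allowed(conn, allowed_uids=ALLOWED_UIDS):
    """File modes only gate who can connect; this decides who is served."""
    return peer_credentials(conn)[1] in allowed_uids


def bind_restricted(sock_dir, name="daemon.sock"):  # hypothetical socket name
    os.makedirs(sock_dir, mode=0o750, exist_ok=True)
    os.chmod(sock_dir, 0o750)      # makedirs() mode is filtered by the umask
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o117)    # socket inode is created 0o660 directly,
    try:                           # so there is no chmod race after bind()
        srv.bind(os.path.join(sock_dir, name))
    finally:
        os.umask(old_umask)
    srv.listen(8)
    return srv


def demo():
    """Bind, connect as the current user, and report modes and the allowlist result."""
    with tempfile.TemporaryDirectory() as tmp:
        sock_dir = os.path.join(tmp, "run")
        srv = bind_restricted(sock_dir)
        path = srv.getsockname()
        cli = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        cli.connect(path)
        conn, _ = srv.accept()
        try:
            return {
                "dir_mode": os.stat(sock_dir).st_mode & 0o777,
                "sock_mode": os.stat(path).st_mode & 0o777,
                "peer_uid": peer_credentials(conn)[1],
                "allowed": is_allowed(conn),
                "denied_when_not_listed": is_allowed(conn, allowed_uids=set()),
            }
        finally:
            for s in (conn, cli, srv):
                s.close()
```

The last key shows why the suppressed mode findings are only half of the control: a peer that passes the 0o660 check is still refused when its uid is not on the allowlist.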