fix(engine): exclude build outputs (.output) from detector + Semgrep; tighten DEFAULT_CREDENTIALS #20
Merged
Driven by a real monorepo comparison (DeckMidia, Nuxt): the engine report had 218
findings / score 49 dominated by FALSE POSITIVES from build artifacts under
.output/ (prototype pollution in _nitro.mjs, JWTs in bundles) — ~47 critical FPs.
Root causes:
- .output (Nuxt/Nitro build output) was missing from DEFAULT_IGNORE_DIRS (only
.next/.nuxt were covered), so the heuristic detector scanned it.
- runSemgrep passed only --exclude node_modules --exclude csreview-reports, so
Semgrep scanned .output/dist/build/.nuxt and reported FPs from compiled bundles.
- DEFAULT_CREDENTIALS matched a bare admin|root|default|test key, flagging UI
role-label maps like { admin: 'Admin' } as CRITICAL default credentials.
Fixes:
- Add JS/TS build outputs to DEFAULT_IGNORE_DIRS: .output, out, .vercel, .netlify,
.svelte-kit, .angular, .turbo, .parcel-cache. Flows to BOTH the scanner
discovery globs and the external-tool finding suppression.
- New semgrepExcludeArgs(): Semgrep now excludes the SAME dirs as the detector
(single source of truth = DEFAULT_IGNORE_DIRS), not just node_modules.
- DEFAULT_CREDENTIALS now requires a credential-context key (password/pwd/secret/
credential) set to a weak value; keeps real default creds, drops the label FP.
Tests: +2 + extended ignore/credential guards. 183/183 - lint clean - typecheck 0.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Exclude build outputs (.output) from the engine; tighten DEFAULT_CREDENTIALS
Driven by a real, detailed monorepo comparison (a Nuxt monorepo, DeckMidia). The engine's report had 218 findings / score 49, dominated by false positives from build artifacts under `.output/`: prototype pollution in `_nitro.mjs`, JWTs in compiled bundles, session-fixation in route chunks (~47 critical FPs). The reviewers' verdict: "Codex report not reliable for direct prioritization without heavy manual triage... inflated by analysis of build artifacts (.output/)."

Root causes

- `.output` (Nuxt/Nitro build output) was missing from `DEFAULT_IGNORE_DIRS`; only `.next`/`.nuxt` were covered, so the heuristic detector scanned `.output/`.
- `runSemgrep` only excluded `node_modules` + `csreview-reports`, so Semgrep scanned `.output`, `dist`, `build`, `.nuxt`, etc. and reported FPs from compiled code.
- `DEFAULT_CREDENTIALS` matched a bare `admin|root|default|test` key, so it flagged UI role-label maps like `{ admin: 'Admin' }` as CRITICAL default credentials.

Fixes

- `DEFAULT_IGNORE_DIRS`: `.output`, `out`, `.vercel`, `.netlify`, `.svelte-kit`, `.angular`, `.turbo`, `.parcel-cache`. One change flows to both the scanner's discovery globs and the external-tool finding suppression.
- `semgrepExcludeArgs()`: Semgrep now excludes the same dirs as the detector (single source of truth = `DEFAULT_IGNORE_DIRS`), instead of just `node_modules`.
- `DEFAULT_CREDENTIALS` now requires a credential-context key (password/pwd/secret/credential) set to a weak value; keeps real default creds, drops the role-label FP.

Not changed (out of scope / not ours)

- … `N8N_BASE_URL`/`PAGARME_API_URL`, SQLi in a pure-data file) are Semgrep's own rules, surfaced as `TOOL-ONLY` confidence; the findings-by-origin breakdown (#19, "feat(reports): findings-by-origin breakdown (trust corroborated first)") helps triage these.
- `.env` secrets: still reported (a real risk if committed); the user can `.csreview-ignore` them.

Tests: +2 + extended ignore/credential guards (`.output` discovery + suppression, `semgrepExcludeArgs`, `DEFAULT_CREDENTIALS` FP/TP). 183/183 · lint clean · typecheck 0.

🤖 Generated with Claude Code
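The two mechanisms the commit message and PR body describe (one ignore list feeding detector discovery, external-tool suppression and the Semgrep `--exclude` args; and the credential pattern tightened from "bare admin/root/default/test key" to "credential-context key set to a weak value"), as an added example that is not csreview's own source. The directory list, the shape of the old and new `DEFAULT_CREDENTIALS` regexes, the weak-value list, the constructed sample lines and the helpers `isIgnoredPath`, `suppressIgnored`, `scanFile` and `demo` are assumptions modelled on the PR text.

```typescript
// Added example (not csreview's own source): the two mechanisms this PR
// describes, in simplified form. The directory list, regex shapes, weak-value
// list and all helper names except semgrepExcludeArgs / DEFAULT_IGNORE_DIRS /
// DEFAULT_CREDENTIALS are assumptions modelled on the PR text.

// Single source of truth for "never scan this": detector discovery, external-tool
// finding suppression and the Semgrep CLI args all read from this one list.
export const DEFAULT_IGNORE_DIRS: readonly string[] = [
  "node_modules", "csreview-reports", // what runSemgrep excluded before the PR
  ".next", ".nuxt",                   // already in the detector's list before the PR
  // JS/TS build outputs added by the PR:
  ".output", "out", ".vercel", ".netlify",
  ".svelte-kit", ".angular", ".turbo", ".parcel-cache",
];

// Semgrep gets one --exclude per ignored dir, so it skips exactly what the
// heuristic detector skips (no second, hand-maintained list to drift).
export function semgrepExcludeArgs(dirs: readonly string[] = DEFAULT_IGNORE_DIRS): string[] {
  const args: string[] = [];
  for (const d of dirs) args.push("--exclude", d);
  return args;
}

// Detector side: a path is ignored if any segment is an ignored dir, so a nested
// apps/web/.output/... in a monorepo is skipped just like a top-level .output/.
export function isIgnoredPath(filePath: string, dirs: readonly string[] = DEFAULT_IGNORE_DIRS): boolean {
  return filePath.split(/[\\/]+/).some((seg) => dirs.includes(seg));
}

export interface Finding { file: string; line: number; rule: string; severity: "CRITICAL" }

// External-tool suppression: drop findings (e.g. from Semgrep) that point into
// ignored dirs, in case a tool was run without the exclude args.
export function suppressIgnored<T extends { file: string }>(findings: readonly T[]): T[] {
  return findings.filter((f) => !isIgnoredPath(f.file));
}

// Stand-in for the pre-fix pattern (assumption): a bare admin/root/default/test
// KEY, whatever it is assigned. This is what flagged { admin: 'Admin' }.
export const OLD_DEFAULT_CREDENTIALS = /\b(admin|root|default|test)\b\s*[:=]/i;

// Tightened pattern: a credential-context key (password/pwd/secret/credential)
// assigned one of the weak values. The weak-value list is an assumption; the
// trailing \b keeps "admin123" from matching as "admin".
export const DEFAULT_CREDENTIALS =
  /(password|passwd|pwd|secret|credentials?)\b\s*[:=]\s*['"]?(admin|root|default|test|password|changeme|123456)\b/i;

// Heuristic detector over one file's lines; ignored paths are never scanned,
// mirroring the discovery-glob exclusion.
export function scanFile(filePath: string, lines: readonly string[]): Finding[] {
  if (isIgnoredPath(filePath)) return [];
  const findings: Finding[] = [];
  lines.forEach((text, i) => {
    if (DEFAULT_CREDENTIALS.test(text)) {
      findings.push({ file: filePath, line: i + 1, rule: "DEFAULT_CREDENTIALS", severity: "CRITICAL" });
    }
  });
  return findings;
}

// Constructed sample lines (not taken from DeckMidia or any real repository).
export const ROLE_LABELS_LINE = "export const ROLE_LABELS = { admin: 'Admin', editor: 'Editor' };";
export const DEFAULT_LOGIN_LINE = "const DEFAULT_LOGIN = { username: 'admin', password: 'admin' };";

export interface DemoResult {
  oldFlagsLabel: boolean; newFlagsLabel: boolean; newFlagsCreds: boolean;
  sourceFindings: number; buildFindings: number;
}

// Before/after comparison, returned as values so the outcome can be checked.
export function demo(): DemoResult {
  return {
    oldFlagsLabel: OLD_DEFAULT_CREDENTIALS.test(ROLE_LABELS_LINE), // true: the role-label FP
    newFlagsLabel: DEFAULT_CREDENTIALS.test(ROLE_LABELS_LINE),     // false: FP gone
    newFlagsCreds: DEFAULT_CREDENTIALS.test(DEFAULT_LOGIN_LINE),   // true: real default cred kept
    sourceFindings: scanFile("apps/web/server/api/login.ts", [ROLE_LABELS_LINE, DEFAULT_LOGIN_LINE]).length, // 1
    buildFindings: scanFile("apps/web/.output/server/chunks/_nitro.mjs", [DEFAULT_LOGIN_LINE]).length,       // 0
  };
}

console.log(semgrepExcludeArgs().join(" "));
console.log(demo());
```

Adding a directory to `DEFAULT_IGNORE_DIRS` is the only change needed to hide it from all three consumers, which is the "single source of truth" property the PR is after; the cost is that a bare segment match also hides a genuine source directory that happens to be named `out`, so anything added to the list should be a name that is only ever a build output.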