semgrep: filesystem-deletion rule lacks paths:exclude for src/hooks/
#1954 opened on 18 May 2026
Description
Problem
The filesystem-deletion rule in .semgrep.yml matches the syntactic pattern fs::remove_file(...) / fs::remove_dir_all(...) with no paths: scoping. Its own message states the intent:
File/directory deletion detected. Expected in hooks/init cleanup, surprising in a filter module. Verify intent.
But because the rule has no path filter, it scans src/hooks/ too. The CI runs semgrep scan --config .semgrep.yml --baseline-commit <base> --error, so any PR that adds a new deletion call to src/hooks/init.rs (uninstall logic for a new agent) produces a fresh finding and fails the scan — even though deletion there is exactly what the rule says it expects.
init.rs already contains ~8 fs::remove_file calls (Claude, Gemini, Cursor, Codex uninstall paths); they only pass CI because they predate the baseline. Every future agent-uninstall PR will hit this false positive (e.g. #1741, Pi support).
Proposed fix
Add a paths: exclude so the rule reflects its stated intent — flag deletions in filter modules, not in the hooks/init cleanup code:
```yaml
- id: filesystem-deletion
  pattern-either:
    - pattern: fs::remove_file(...)
    - pattern: fs::remove_dir_all(...)
    - pattern: std::fs::remove_file(...)
    - pattern: std::fs::remove_dir_all(...)
  paths:
    exclude:
      - src/hooks/
  message: >
    ...
```
Workaround until fixed
New uninstall PRs can add // nosemgrep: filesystem-deletion on the offending line.
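To make the interaction above concrete (an unscoped rule, `--baseline-commit` diffing of findings, the proposed `paths: exclude`, and the `nosemgrep` workaround), here is an added Python model of those mechanisms. It is not part of this issue or of the project's code: the regex stands in for the rule's four `pattern:` clauses, the two file trees are constructed, and the exclude, baseline and suppression semantics are approximations of Semgrep's behaviour, not its engine.

```python
"""Toy model of the Semgrep behaviours this issue depends on.

Added example, not the project's code. Constructed inputs and approximate
semantics throughout; it does not invoke Semgrep itself.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

RULE_ID = "filesystem-deletion"
# Approximates the rule's four `pattern:` clauses (fs::remove_file(...),
# fs::remove_dir_all(...) and their std::fs:: forms).
DELETION = re.compile(r"\b(?:std::)?fs::remove_(?:file|dir_all)\s*\(")


@dataclass(frozen=True)
class Finding:
    rule_id: str
    path: str
    line: int
    snippet: str


def is_excluded(path: str, excludes: list[str]) -> bool:
    """Approximate `paths: exclude:`: an entry ending in '/' excludes every
    file below that directory; anything else is treated as a glob."""
    for pat in excludes:
        if pat.endswith("/") and path.startswith(pat):
            return True
        if fnmatch.fnmatch(path, pat):
            return True
    return False


def scan(tree: dict[str, str], excludes: list[str]) -> set[Finding]:
    """Scan a {path: source} tree, honouring the exclude list and an inline
    `nosemgrep` comment on the matching line (approximation of the real
    suppression comment placement rules)."""
    found: set[Finding] = set()
    for path, source in tree.items():
        if is_excluded(path, excludes):
            continue
        for lineno, line in enumerate(source.splitlines(), 1):
            if "nosemgrep" in line:
                continue
            if DELETION.search(line):
                found.add(Finding(RULE_ID, path, lineno, line.strip()))
    return found


def baseline_diff(base: dict[str, str], head: dict[str, str],
                  excludes: list[str]) -> set[Finding]:
    """Findings in head that are not in base, compared without line numbers
    so that an unrelated edit shifting lines does not count as new (this is
    why the pre-existing init.rs deletions pass CI today)."""
    def key(f: Finding):
        return (f.rule_id, f.path, f.snippet)
    old = {key(f) for f in scan(base, excludes)}
    return {f for f in scan(head, excludes) if key(f) not in old}


# Constructed trees: the base commit already has one uninstall deletion in
# src/hooks/init.rs; the head commit adds a second one (a new agent) and an
# unrelated deletion in a filter module.
BASE_TREE = {
    "src/hooks/init.rs": (
        "pub fn uninstall_claude(dir: &Path) -> io::Result<()> {\n"
        "    fs::remove_file(dir.join(\"claude.json\"))\n"
        "}\n"
    ),
    "src/filters/redact.rs": (
        "pub fn redact(input: &str) -> String {\n"
        "    input.replace(\"secret\", \"[redacted]\")\n"
        "}\n"
    ),
}
HEAD_TREE = {
    "src/hooks/init.rs": BASE_TREE["src/hooks/init.rs"] + (
        "pub fn uninstall_pi(dir: &Path) -> io::Result<()> {\n"
        "    fs::remove_file(dir.join(\"pi.json\"))\n"
        "}\n"
    ),
    "src/filters/redact.rs": BASE_TREE["src/filters/redact.rs"] + (
        "pub fn wipe_cache(dir: &Path) -> io::Result<()> {\n"
        "    std::fs::remove_dir_all(dir)\n"
        "}\n"
    ),
}


def new_findings(excludes: list[str]) -> list[tuple[str, int]]:
    """What `--baseline-commit` would report for the constructed PR."""
    return sorted((f.path, f.line)
                  for f in baseline_diff(BASE_TREE, HEAD_TREE, excludes))


if __name__ == "__main__":
    print("rule as-is:      ", new_findings([]))
    print("with src/hooks/: ", new_findings(["src/hooks/"]))
```

Without the exclude, the new `uninstall_pi` call surfaces as a fresh finding and would fail a `--error` scan; with `src/hooks/` excluded, only the deletion in the filter module remains, which is the case the rule's message says it is meant to catch.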