semgrep: filesystem-deletion rule lacks paths:exclude for src/hooks/
#1,954 opened on May 18, 2026
Description
Problem
The filesystem-deletion rule in .semgrep.yml matches the syntactic pattern fs::remove_file(...) / fs::remove_dir_all(...) with no paths: scoping. Its own message states the intent:
File/directory deletion detected. Expected in hooks/init cleanup, surprising in a filter module. Verify intent.
But because the rule has no path filter, it scans src/hooks/ too. The CI runs semgrep scan --config .semgrep.yml --baseline-commit <base> --error, so any PR that adds a new deletion call to src/hooks/init.rs (uninstall logic for a new agent) produces a fresh finding and fails the scan — even though deletion there is exactly what the rule says it expects.
init.rs already contains ~8 fs::remove_file calls (Claude, Gemini, Cursor, Codex uninstall paths); they only pass CI because they predate the baseline. Every future agent-uninstall PR will hit this false positive (e.g. #1741, Pi support).
Proposed fix
Add a paths: exclude so the rule reflects its stated intent — flag deletions in filter modules, not in the hooks/init cleanup code:
- id: filesystem-deletion
  pattern-either:
    - pattern: fs::remove_file(...)
    - pattern: fs::remove_dir_all(...)
    - pattern: std::fs::remove_file(...)
    - pattern: std::fs::remove_dir_all(...)
  paths:
    exclude:
      - src/hooks/
  message: >
    ...
Workaround until fixed
New uninstall PRs can add // nosemgrep: filesystem-deletion on the offending line.