Move Codacy suppressions inline so Semgrep/ESLint/Bandit honour them

Author: JE-Chen

.github/workflows/docker.yml

@@ -28,10 +28,12 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3  # NOSONAR githubactions:S7637 — project convention pins to vendored major version tags (matches dev.yml / stable.yml / quality.yml)
+        # nosemgrep: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
+        uses: docker/setup-buildx-action@v3  # NOSONAR githubactions:S7637
 
       - name: Build image (no push)
-        uses: docker/build-push-action@v5  # NOSONAR githubactions:S7637 — project convention pins to vendored major version tags
+        # nosemgrep: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
+        uses: docker/build-push-action@v5  # NOSONAR githubactions:S7637
         with:
           context: .
           file: docker/Dockerfile
@@ -52,10 +54,12 @@ jobs:
       - uses: actions/checkout@v4
 
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3  # NOSONAR githubactions:S7637 — project convention pins to vendored major version tags (matches dev.yml / stable.yml / quality.yml)
+        # nosemgrep: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
+        uses: docker/setup-buildx-action@v3  # NOSONAR githubactions:S7637
 
       - name: Rebuild image (cached)
-        uses: docker/build-push-action@v5  # NOSONAR githubactions:S7637 — project convention pins to vendored major version tags
+        # nosemgrep: yaml.github-actions.security.third-party-action-not-pinned-to-commit-sha.third-party-action-not-pinned-to-commit-sha
+        uses: docker/build-push-action@v5  # NOSONAR githubactions:S7637
         with:
           context: .
           file: docker/Dockerfile

browser-extension/background.js

@@ -5,8 +5,7 @@
 // unit-tested by importing this module from a Node test runner.
 
 // nosemgrep: codacy.javascript.security.hard-coded-password
-// reason: this is a chrome.storage key, not a credential.
-const STATE_KEY = "autocontrol.recorder.state";
+const STATE_KEY = "autocontrol.recorder.state";  // nosemgrep: codacy.javascript.security.hard-coded-password
 
 /**
  * @typedef {Object} RecorderState
@@ -27,6 +26,7 @@ async function loadState() {
     // fires on the spread of an unsanitised storage value. ``stored``
     // is whatever chrome.storage round-trips for us; we only ever
     // copy own enumerable properties onto a fresh default.
+    // eslint-disable-next-line security/detect-object-injection
     const saved = Object.prototype.hasOwnProperty.call(stored, STATE_KEY)
         ? stored[STATE_KEY] : null;
     if (saved == null || typeof saved !== "object") {
@@ -81,6 +81,7 @@ export function actionFor(event) {
     }
 }
 
+// eslint-disable-next-line security-node/detect-unhandled-async-errors
 async function handleMessage(message, _sender, sendResponse) {
     const state = await loadState();
     switch (message?.command) {

browser-extension/popup.js

@@ -10,6 +10,7 @@ function send(command, extra = {}) {
     });
 }
 
+// eslint-disable-next-line security-node/detect-unhandled-async-errors
 async function refresh() {
     const reply = await send("status");
     const state = reply.state || {};

examples/18_slack_daily_report.py

@@ -86,12 +86,10 @@ def fetch_slack_messages(channel_id: str, *,
         f"https://slack.com/api/conversations.history?{params}",
         headers={"Authorization": f"Bearer {token}"},
     )
+    # URL is built from the literal ``https://slack.com/api/...`` above
+    # so file:// / custom schemes can't reach urlopen here.
     try:
-        # nosec B310  # reason: URL is built from the literal
-        # ``https://slack.com/api/...`` above — scheme is fixed,
-        # never user-supplied, so file:// / custom schemes can't
-        # reach urlopen here.
-        with urllib.request.urlopen(  # noqa: S310
+        with urllib.request.urlopen(  # nosec B310  # noqa: S310
                 request, timeout=30.0) as resp:
             body = json.loads(resp.read().decode("utf-8"))
     except urllib.error.URLError as error:

je_auto_control/linux_wayland/keyboard.py

@@ -42,11 +42,11 @@ def _require(name: str, hint: str) -> str:
 
 
 def _run(argv: list, *, timeout: float = 5.0) -> None:
-    # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-    # reason: argv comes from a private allow-list (wtype / ydotool
-    # absolute paths via shutil.which), never user input; no shell=True.
+    # argv comes from a private allow-list (wtype / ydotool absolute
+    # paths via shutil.which), never user input; no shell=True.
     try:
-        subprocess.run(  # nosec B603  # reason: argv-list, validated binary
+        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
+        subprocess.run(  # nosec B603
             argv, check=True, timeout=timeout,
             stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
         )

je_auto_control/linux_wayland/mouse.py

@@ -40,11 +40,11 @@ def _require_ydotool() -> str:
 
 
 def _run(argv: list, *, timeout: float = 5.0) -> None:
-    # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-    # reason: argv comes from a private allow-list (ydotool absolute
-    # path via shutil.which), never user input; no shell=True.
+    # argv comes from a private allow-list (ydotool absolute path via
+    # shutil.which), never user input; no shell=True.
     try:
-        subprocess.run(  # nosec B603  # reason: argv-list, validated binary
+        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
+        subprocess.run(  # nosec B603
             argv, check=True, timeout=timeout,
             stdout=subprocess.DEVNULL, stderr=subprocess.PIPE,
         )

je_auto_control/linux_wayland/screen.py

@@ -37,11 +37,11 @@ def _require_grim() -> str:
 
 
 def _run(argv: list, *, timeout: float = 10.0) -> bytes:
-    # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-    # reason: argv comes from a private allow-list (grim / wlr-randr
-    # absolute paths via shutil.which), never user input; no shell=True.
+    # argv comes from a private allow-list (grim / wlr-randr absolute
+    # paths via shutil.which), never user input; no shell=True.
     try:
-        completed = subprocess.run(  # nosec B603  # reason: argv-list, validated binary
+        # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
+        completed = subprocess.run(  # nosec B603
             argv, check=True, timeout=timeout,
             stdout=subprocess.PIPE, stderr=subprocess.PIPE,
         )

test/unit_test/headless/test_self_healing.py

@@ -230,10 +230,10 @@ def test_package_facade_stays_qt_free():
         "qt = [m for m in sys.modules if 'PySide6' in m]\n"
         "import json; print(json.dumps(qt))\n"
     )
+    # subprocess spawned with [sys.executable, ...] — known interpreter,
+    # fixed argv list, no shell=True, no user input.
     # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-    # reason: subprocess spawned with [sys.executable, ...] — known
-    # interpreter, fixed argv list, no shell=True, no user input.
-    result = subprocess.run(
+    result = subprocess.run(  # nosec B603
         [sys.executable, "-c", script],
         capture_output=True, text=True, check=True, timeout=60,
     )

test/unit_test/headless/test_wayland_backend.py

@@ -94,9 +94,9 @@ def test_keymap_function_keys_present():
 def _fake_run(captured):
     def runner(argv, **_kwargs):
         captured.append(list(argv))
+        # CompletedProcess is a *constructor* (not a process spawn);
+        # used here to mock subprocess.run's return value.
         # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-        # reason: CompletedProcess is a *constructor* (not a call to
-        # spawn a process); used here to mock subprocess.run's return.
         result = subprocess.CompletedProcess(argv, 0, b"", b"")
         return result
     return runner
@@ -230,11 +230,11 @@ def test_mouse_raises_when_ydotool_missing():
 
 def test_screenshot_calls_grim_with_path():
     captured: list = []
-    # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
-    # reason: CompletedProcess constructor used to mock subprocess.run.
+    # CompletedProcess constructor used to mock subprocess.run.
     with patch.object(wayland_screen, "binary_path",
                       return_value="/usr/bin/grim"), \
          patch.object(wayland_screen.subprocess, "run",
+                      # nosemgrep: python.lang.security.audit.dangerous-subprocess-use-audit
                       side_effect=lambda argv, **kw: (captured.append(argv)
                        or subprocess.CompletedProcess(argv, 0, b"", b""))):
         wayland_screen.screenshot("out.png")