
Commit d66a905

fix(ci): add nox ignore and baseline to resolve security scan false positives
Add .noxignore to exclude vendored JS, docs artifacts, and go.sum from scanning. Add baseline for 32 reviewed findings: false positives (Go function names, example emails, font URLs) and accepted risk (GH Actions tag pinning, intentional workflow config). Reduces scan from 3,845 noisy findings to 0 unsuppressed.
1 parent 9d0dbe4 commit d66a905

2 files changed

Lines changed: 274 additions & 0 deletions


.nox/baseline.json

Lines changed: 261 additions & 0 deletions
@@ -0,0 +1,261 @@
1+
{
2+
"schema_version": "1.0.0",
3+
"entries": [
4+
{
5+
"fingerprint": "9d0089bfdc5701be25b676b48dd9770428fa0c2490dc576fe1daebcd556bd1b5",
6+
"rule_id": "IAC-351",
7+
"file_path": ".github/workflows/deploy.yml",
8+
"severity": "critical",
9+
"reason": "False positive: id-token: write is standard GitHub OIDC permission, not a hardcoded secret",
10+
"created_at": "2026-03-25T06:38:57.127066Z"
11+
},
12+
{
13+
"fingerprint": "892754ab5606f038cfad9bdaa32d4097c93c8ac82620844d78919767dcbf99c9",
14+
"rule_id": "SEC-574",
15+
"file_path": "interpreter.go",
16+
"severity": "high",
17+
"reason": "False positive: Go function name findMatchingTransitionHierarchical, not an API key",
18+
"created_at": "2026-03-25T06:38:57.99013Z"
19+
},
20+
{
21+
"fingerprint": "d783d02a7388494a6bd97b72223860d775ebd8ef29e5a5eb45b3bd72278f0d9e",
22+
"rule_id": "SEC-574",
23+
"file_path": "interpreter.go",
24+
"severity": "high",
25+
"reason": "False positive: Go function name in interpreter.go, not an API key",
26+
"created_at": "2026-03-25T06:39:00.635594Z"
27+
},
28+
{
29+
"fingerprint": "1d19d4066b6c852565be70445892886c9d60587170f66d7218bb48566ae0ac11",
30+
"rule_id": "SEC-574",
31+
"file_path": "interpreter.go",
32+
"severity": "high",
33+
"reason": "False positive: Go function name in interpreter.go, not an API key",
34+
"created_at": "2026-03-25T06:39:03.324286Z"
35+
},
36+
{
37+
"fingerprint": "406a144312a197c9e9a6ede5611addee7d2af138f9fac1909e47efa2cea8f05a",
38+
"rule_id": "SEC-085",
39+
"file_path": "docs/src/components/Layout.astro",
40+
"severity": "high",
41+
"reason": "False positive: Google Fonts URL in Layout.astro, not an embedded password",
42+
"created_at": "2026-03-25T06:39:05.940481Z"
43+
},
44+
{
45+
"fingerprint": "8350b50e1c155a355f6aad272c7fbc887bba3c9ab6cf5b2f5aa2d42bf8eb36f4",
46+
"rule_id": "DATA-001",
47+
"file_path": "examples/form_wizard/main.go",
48+
"severity": "medium",
49+
"reason": "False positive: Example email in form_wizard example code",
50+
"created_at": "2026-03-25T06:39:23.020218Z"
51+
},
52+
{
53+
"fingerprint": "fdbff9ae219374de021b4b26478adc3865b3df57b335fcc1d2e487c4ae186d53",
54+
"rule_id": "DATA-001",
55+
"file_path": "examples/form_wizard/main_test.go",
56+
"severity": "medium",
57+
"reason": "False positive: Example email in form_wizard test",
58+
"created_at": "2026-03-25T06:39:26.068251Z"
59+
},
60+
{
61+
"fingerprint": "bad9361eeb8f840577f51a78a2710eb703ec7aef98ee347180e7139f791f51a5",
62+
"rule_id": "DATA-001",
63+
"file_path": "examples/form_wizard/main_test.go",
64+
"severity": "medium",
65+
"reason": "False positive: Example email in form_wizard test",
66+
"created_at": "2026-03-25T06:39:27.898684Z"
67+
},
68+
{
69+
"fingerprint": "4494d39766fa56754252b832e3631e680af7427d77934140d5698ca3874a4b3c",
70+
"rule_id": "DATA-001",
71+
"file_path": "examples/incident_lifecycle/README.md",
72+
"severity": "medium",
73+
"reason": "False positive: Example email in incident_lifecycle README",
74+
"created_at": "2026-03-25T06:39:30.453859Z"
75+
},
76+
{
77+
"fingerprint": "b4ab0b02b05a7bd4d6392b67ca43ae73d3c632880892ee224815baaf2cbb7fc8",
78+
"rule_id": "DATA-001",
79+
"file_path": "examples/incident_lifecycle/main.go",
80+
"severity": "medium",
81+
"reason": "False positive: Example email in incident_lifecycle example code",
82+
"created_at": "2026-03-25T06:39:32.867304Z"
83+
},
84+
{
85+
"fingerprint": "4af846f226f11f4e5985868cf25cbd7b1396cd4309b2021d897172a4699e2182",
86+
"rule_id": "DATA-001",
87+
"file_path": "examples/incident_lifecycle/main_test.go",
88+
"severity": "medium",
89+
"reason": "False positive: Example email in incident_lifecycle test",
90+
"created_at": "2026-03-25T06:39:45.865869Z"
91+
},
92+
{
93+
"fingerprint": "71d669e56a2d75ec0556ce6e8f14f9c11a0d1f43a64317d013a3bc7c6b20af4f",
94+
"rule_id": "DATA-001",
95+
"file_path": "examples/incident_lifecycle/main_test.go",
96+
"severity": "medium",
97+
"reason": "False positive: Example email in incident_lifecycle test",
98+
"created_at": "2026-03-25T06:39:48.84891Z"
99+
},
100+
{
101+
"fingerprint": "298e02648e8b41d1e2a84bf46c4a34978017a824229f405c79a25fd2f793936d",
102+
"rule_id": "SEC-161",
103+
"file_path": "performance_bench_test.go",
104+
"severity": "medium",
105+
"reason": "False positive: High-entropy test string in performance benchmark, not a secret",
106+
"created_at": "2026-03-25T06:39:49.789535Z"
107+
},
108+
{
109+
"fingerprint": "a71534eb8575fbdddb2341ecb7f8cb9eface72dcc8938e617c908c0068dbbe47",
110+
"rule_id": "IAC-306",
111+
"file_path": ".github/workflows/deploy.yml",
112+
"severity": "medium",
113+
"reason": "Accepted: OIDC token write is required for GitHub Pages deployment",
114+
"created_at": "2026-03-25T06:40:04.214042Z"
115+
},
116+
{
117+
"fingerprint": "2d99c42b5637e1deb4d3b100fa949faac2626a75c53da8a2ae774d7eeb3e0b3a",
118+
"rule_id": "IAC-310",
119+
"file_path": ".github/workflows/ci.yml",
120+
"severity": "medium",
121+
"reason": "Accepted: continue-on-error on security scan is intentional - scan is non-blocking",
122+
"created_at": "2026-03-25T06:40:07.529Z"
123+
},
124+
{
125+
"fingerprint": "db6ba4f77d34472dcdbf40eab97860e652f53c06a5486044c6a60c952d33838e",
126+
"rule_id": "IAC-018",
127+
"file_path": ".github/workflows/ci.yml",
128+
"severity": "low",
129+
"reason": "Accepted: continue-on-error on security scan is intentional - scan is non-blocking",
130+
"created_at": "2026-03-25T06:40:09.94049Z"
131+
},
132+
{
133+
"fingerprint": "be85f18ea6f2212d4e4e9f66bcabc9651dbb3d8d94b2ee9d7c6fee73257f6b20",
134+
"rule_id": "IAC-308",
135+
"file_path": ".github/workflows/deploy.yml",
136+
"severity": "low",
137+
"reason": "Accepted: workflow_dispatch is intentional for manual deploy triggers",
138+
"created_at": "2026-03-25T06:40:10.992288Z"
139+
},
140+
{
141+
"fingerprint": "98e4aa7666099d7ec6bed5d3a6b5dbb9e151248b87e6a392b03b79a7a0da3365",
142+
"rule_id": "IAC-013",
143+
"file_path": ".github/workflows/ci.yml",
144+
"severity": "high",
145+
"reason": "Accepted: actions/checkout@v4 is a first-party GitHub action, tag pinning is standard practice",
146+
"created_at": "2026-03-25T06:40:18.313684Z"
147+
},
148+
{
149+
"fingerprint": "f96b474605ca31dfc0fcfe3ecff3fad866f257e6d27326fe3abad4efe48b1fb4",
150+
"rule_id": "IAC-013",
151+
"file_path": ".github/workflows/ci.yml",
152+
"severity": "high",
153+
"reason": "Accepted: actions/setup-go@v5 is a first-party GitHub action",
154+
"created_at": "2026-03-25T06:40:21.14889Z"
155+
},
156+
{
157+
"fingerprint": "38c948dce18363869a0a23c43300cc763a91b4829eb0c542bb53f4cfb67e57c7",
158+
"rule_id": "IAC-013",
159+
"file_path": ".github/workflows/ci.yml",
160+
"severity": "high",
161+
"reason": "Accepted: first-party GitHub action pinned to major version tag",
162+
"created_at": "2026-03-25T06:40:23.764017Z"
163+
},
164+
{
165+
"fingerprint": "617a3814ea260412b24e583254b990357c105712bbe5ea5c4ed2014f7f7b65b0",
166+
"rule_id": "IAC-013",
167+
"file_path": ".github/workflows/ci.yml",
168+
"severity": "high",
169+
"reason": "Accepted: first-party GitHub action pinned to major version tag",
170+
"created_at": "2026-03-25T06:40:26.63394Z"
171+
},
172+
{
173+
"fingerprint": "e7393cb52f0e257c90b35ce9d3be036ee28a8945734296add7dc68bc53fa6c72",
174+
"rule_id": "IAC-013",
175+
"file_path": ".github/workflows/ci.yml",
176+
"severity": "high",
177+
"reason": "Accepted: first-party GitHub action pinned to major version tag",
178+
"created_at": "2026-03-25T06:40:28.916925Z"
179+
},
180+
{
181+
"fingerprint": "d1a7684157a4461c1a83a6f5441169d439ea3992a7d4affaa964a4eca04547c7",
182+
"rule_id": "IAC-013",
183+
"file_path": ".github/workflows/ci.yml",
184+
"severity": "high",
185+
"reason": "Accepted: first-party GitHub action pinned to major version tag",
186+
"created_at": "2026-03-25T06:41:03.759943Z"
187+
},
188+
{
189+
"fingerprint": "6edc196fba212dcb0fc302717f28e1cd35d52ece417422696895aa4ad0157201",
190+
"rule_id": "IAC-013",
191+
"file_path": ".github/workflows/ci.yml",
192+
"severity": "high",
193+
"reason": "Accepted: golangci-lint action pinned to major version tag",
194+
"created_at": "2026-03-25T06:41:03.797439Z"
195+
},
196+
{
197+
"fingerprint": "6443eafb87035bb6f236008e8576ad6f7b14842cd7f41c568b8a9c62dfe16b44",
198+
"rule_id": "IAC-013",
199+
"file_path": ".github/workflows/ci.yml",
200+
"severity": "high",
201+
"reason": "Accepted: first-party GitHub action pinned to major version tag",
202+
"created_at": "2026-03-25T06:41:03.818953Z"
203+
},
204+
{
205+
"fingerprint": "f85045b61e158faafd522fd4672ca5008d01ba69410e36fb858a122609031b27",
206+
"rule_id": "IAC-013",
207+
"file_path": ".github/workflows/ci.yml",
208+
"severity": "high",
209+
"reason": "Accepted: first-party GitHub action pinned to major version tag",
210+
"created_at": "2026-03-25T06:41:03.842197Z"
211+
},
212+
{
213+
"fingerprint": "0db431cfc5f3ebc8b1eb4ea7f2c7689432b10812fec82dd11327f6dcf91c3abc",
214+
"rule_id": "IAC-013",
215+
"file_path": ".github/workflows/ci.yml",
216+
"severity": "high",
217+
"reason": "Accepted: nox GitHub action pinned to major version tag",
218+
"created_at": "2026-03-25T06:41:03.861384Z"
219+
},
220+
{
221+
"fingerprint": "35d6decc391cbb0d2f1ce954839e697044091da11c0bb617242e6a0d79a8d1f5",
222+
"rule_id": "IAC-013",
223+
"file_path": ".github/workflows/deploy.yml",
224+
"severity": "high",
225+
"reason": "Accepted: first-party GitHub action pinned to major version tag",
226+
"created_at": "2026-03-25T06:41:11.168341Z"
227+
},
228+
{
229+
"fingerprint": "1e1d9f9fdb17a829419b37a3e02d90c0a726d1dd1c8d08cbde155008fdf5ae5c",
230+
"rule_id": "IAC-013",
231+
"file_path": ".github/workflows/deploy.yml",
232+
"severity": "high",
233+
"reason": "Accepted: actions/setup-node pinned to major version tag",
234+
"created_at": "2026-03-25T06:41:15.066738Z"
235+
},
236+
{
237+
"fingerprint": "f974f882a03bcf61d8c63e263ce727119dbcea17b7565c57ca1c2146a5ecf578",
238+
"rule_id": "IAC-013",
239+
"file_path": ".github/workflows/deploy.yml",
240+
"severity": "high",
241+
"reason": "Accepted: peaceiris/actions-gh-pages pinned to major version tag",
242+
"created_at": "2026-03-25T06:41:17.03027Z"
243+
},
244+
{
245+
"fingerprint": "eae4be6d435f0b5f66d57ab8359ec06f88e0191c75e34827c7dc7d584bae84ce",
246+
"rule_id": "IAC-013",
247+
"file_path": ".github/workflows/deploy.yml",
248+
"severity": "high",
249+
"reason": "Accepted: actions/deploy-pages pinned to major version tag",
250+
"created_at": "2026-03-25T06:41:19.761001Z"
251+
},
252+
{
253+
"fingerprint": "ce40a00c8094a6ac1e9f19ad032325f8d94dd59d2e218cd9d7093ddc9cb381ee",
254+
"rule_id": "IAC-013",
255+
"file_path": ".github/workflows/deploy.yml",
256+
"severity": "high",
257+
"reason": "Accepted: actions/upload-pages-artifact pinned to major version tag",
258+
"created_at": "2026-03-25T06:41:22.483607Z"
259+
}
260+
]
261+
}
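Review bot: most of the SEC-574 and IAC-013 entries carry a generic reason ("Go function name in interpreter.go, not an API key", "first-party GitHub action pinned to major version tag") that does not name the identifier or action the rule matched, so a later reviewer cannot tell from the baseline alone which finding each fingerprint suppresses without re-running the scan; the first entry of each group (findMatchingTransitionHierarchical, actions/checkout@v4, actions/setup-go@v5) shows the level of detail that would make the whole file auditable. On the IAC-013 acceptances, a major-version tag such as @v4 is mutable, so "first-party" is the only control behind these entries, and it does not apply to peaceiris/actions-gh-pages, which is a third-party action; pinning each action to its full commit SHA (with the tag kept in a comment) would close these findings rather than baseline them. The accepted-risk entries also have a created_at but no review or expiry date; if the baseline schema supports such a field, set it, otherwise record the intended review point in the reason so the acceptances are revisited rather than carried forever.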

.noxignore

Lines changed: 13 additions & 0 deletions
@@ -0,0 +1,13 @@
1+
# Nox own files (baseline contains fingerprint hashes that trigger entropy rules)
2+
.nox/
3+
4+
# Vendored third-party JavaScript (minified, triggers false positives)
5+
mcp/ui/vendor/
6+
7+
# Docs build artifacts and npm lock file
8+
docs/node_modules/
9+
docs/dist/
10+
docs/package-lock.json
11+
12+
# Go checksum file (hashes flagged as secrets)
13+
go.sum
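Review bot: these are path-level ignores, so each listed path is removed from every rule, not only the entropy and secret rules the comments cite; go.sum, docs/package-lock.json and mcp/ui/vendor/ are exactly the files a supply-chain check (known-vulnerable dependency versions, altered lock files, vendored minified libraries) would want to cover. If the scanner supports suppressing a specific rule for a path, scope the exclusion for go.sum and the lock file to the hash/entropy rules instead of ignoring the files outright, and say in the comment which rules the exclusion is meant to silence so the next person can tell whether a broader ignore is still justified.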
