Isaac Evans
It's definitely a bug that we don't support `--severity=CRITICAL` and will fix. However, we don't expect that critical would be included when specifying `--severity=ERROR`. From `semgrep scan --help`: --severity=VAL Report...
Related:
* https://github.com/returntocorp/semgrep/issues/4175
* https://github.com/returntocorp/semgrep/issues/4309
As far as I understand the use case, I suspect it's semi-related to https://github.com/returntocorp/semgrep/issues/3147 E.g., if we bundled `p/semgrep-rule-lints` with release, `--validate` would be robust to network requirements. @khanhldt is...
Also, duplicate of https://github.com/returntocorp/semgrep/issues/4454
I think the alternative we'd recommend is to match a metavariable + regex: https://semgrep.dev/docs/writing-rules/rule-syntax#metavariable-regex Would that work for you? Then you can still get all the semgrep matching power +...
Just to be clear, you expect two additional matches? e.g. this annotated example: https://semgrep.dev/playground/s/bwGEZ
This is really about the rule rather than the engine, but I've flagged it to the secrets team!
@dbarlett I've moved this to the correct repo -- we would welcome a PR to fix the rule here!
(https://github.com/semgrep/semgrep-rules/blob/release/generic/secrets/security/detected-slack-webhook.yaml)
yes https://cla-assistant.io/semgrep/semgrep-rules