You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The dogfood CI job "Self-scan (CLI from source)" (dogfood.yml) produces different exit codes on PRs that contain only package.json and pnpm-lock.yaml changes with no modifications to scanner logic, rules, or source files.
Observed pattern (all from June 15, 2026 Dependabot wave):
No rule files, no source files, no action.yml changes. The only differences are package.json and pnpm-lock.yaml contents.
Hypotheses
A (most likely): The false-positive patterns tracked in #78, #79, and #80 are present in the repo source, and the scan result depends on whether Semgrep or Trivy fetches an updated rule DB at runtime. If the DB updates between runs, different PRs trip the FP and others don't.
B: The pnpm-lock.yaml content is being scanned by a native rule. Version bumps in the lock file alter the matched content (e.g., package URLs, integrity hashes) and trigger or suppress a finding.
C: Something in the semantic-release, next, tailwind, or @types/node package installation changes what files are present during the build step, and those files get scanned.
Scope
This is an investigation issue — no code changes in this issue itself.
Run two local scans on the same SHA (the current main HEAD) back-to-back and confirm whether they produce identical results. If not, the issue is a non-deterministic scanner DB fetch.
Document the root cause.
File or link a follow-up issue with the fix.
Acceptance Criteria
Root cause is documented in a comment on this issue: specific rule ID, file path, and matched string (or confirmation that it's a timing/DB issue)
Two local scan runs on the same SHA produce the same exit code (determinism confirmed or falsified)
Problem
The dogfood CI job "Self-scan (CLI from source)" (
dogfood.yml) produces different exit codes on PRs that contain onlypackage.jsonandpnpm-lock.yamlchanges with no modifications to scanner logic, rules, or source files.Observed pattern (all from June 15, 2026 Dependabot wave):
No rule files, no source files, no action.yml changes. The only differences are
package.jsonandpnpm-lock.yamlcontents.Hypotheses
A (most likely): The false-positive patterns tracked in #78, #79, and #80 are present in the repo source, and the scan result depends on whether Semgrep or Trivy fetches an updated rule DB at runtime. If the DB updates between runs, different PRs trip the FP and others don't.
B: The
pnpm-lock.yamlcontent is being scanned by a native rule. Version bumps in the lock file alter the matched content (e.g., package URLs, integrity hashes) and trigger or suppress a finding.C: Something in the semantic-release, next, tailwind, or @types/node package installation changes what files are present during the build step, and those files get scanned.
Scope
This is an investigation issue — no code changes in this issue itself.
Acceptance Criteria
Non-goals
QA Checklist
Risk
Low — investigation only
Labels
area:ci,area:scanners,reliability:determinism,investigation,risk:low