Skip to content

Development: Scope Codacy security scanners to production code#13202

Open
krusche wants to merge 2 commits into
developfrom
chore/codacy-scope-security-to-prod
Open

Development: Scope Codacy security scanners to production code#13202
krusche wants to merge 2 commits into
developfrom
chore/codacy-scope-security-to-prod

Conversation

@krusche

@krusche krusche commented Jul 12, 2026

Copy link
Copy Markdown
Member

Summary

Adds a .codacy.yaml that scopes the Codacy security scanners (Semgrep/opengrep and Bandit) to production code, excluding test code. Configuration-only change; no application code is modified.

Checklist

General

  • I chose a title conforming to the naming conventions for pull requests.
  • This is a small change (Codacy configuration only) verified against Codacy Cloud analysis rather than a test server.

Motivation and Context

Codacy previously had Semgrep security scanning disabled entirely. After enabling it, 121 of 310 Codacy Cloud security findings landed in test code (src/test/**, **/*.spec.ts) — intentional fixtures such as hardcoded test credentials, new RegExp(dynamic) and fs calls in test helpers, and test HTTP/socket setup. These are not vulnerabilities and drowned out the 189 production findings.

Description

Adds .codacy.yaml at the repository root with per-engine exclude_paths for opengrep (Semgrep) and bandit, excluding src/test/** and **/*.spec.ts. Codacy Cloud reads .codacy.yaml from the default branch, so this must be on develop to take effect. Other tools (ESLint, Stylelint, PMD) continue to analyze test code via their own configuration files.

Steps for Testing

  1. After merge to develop, open the repository in Codacy Cloud.
  2. Confirm Semgrep/Bandit security findings under src/test/** and **/*.spec.ts no longer appear.
  3. Confirm production security findings (under src/main, docker, .github) are unaffected.

Testserver States

Not applicable — configuration-only change, no deployment needed.

Review Progress

Code Review

  • Code Review 1
  • Code Review 2

Test Coverage

No code changes detected - test coverage not required for this PR.

Last updated: 2026-07-12 14:43:21 UTC

Screenshots

Not applicable — no UI changes.

Add .codacy.yaml excluding test code from the Semgrep (opengrep) and Bandit
security engines. Hardcoded test credentials, non-literal fs/regexp usage in
test helpers, and similar findings in test code are intentional fixtures, not
vulnerabilities — 121 of 310 Codacy Cloud security findings were in test paths.
Other tools (ESLint, Stylelint, PMD) continue to analyze test code via their
own configuration files.

Codacy Cloud reads .codacy.yaml from the default branch, so this must land on
develop to take effect.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 12, 2026 07:13
@github-project-automation github-project-automation Bot moved this to Work In Progress in Artemis Development Jul 12, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

@krusche krusche temporarily deployed to playwright-e2e-tests July 12, 2026 07:21 — with GitHub Actions Inactive
@github-actions

github-actions Bot commented Jul 12, 2026

Copy link
Copy Markdown

End-to-End Test Results

Phase Status Details
Phase 1 (Relevant) ✅ Passed
TestsPassed ✅SkippedFailedTime ⏱
Phase 1: E2E Test Report14 ran14 passed0 skipped0 failed2m 43s
Phase 2 (Remaining) ✅ Passed
TestsPassed ✅Skipped ⚠️FailedTime ⏱
Phase 2: E2E Test Report292 ran287 passed5 skipped0 failed36m 20s

Test Strategy: Two-phase execution

  • Phase 1: e2e/Login.spec.ts e2e/Logout.spec.ts e2e/SystemHealth.spec.ts
  • Phase 2: e2e/Passkey.spec.ts e2e/PasskeyReminderPersistence.spec.ts e2e/admin/ e2e/atlas/ e2e/course/ e2e/exam/ExamAssessment.spec.ts e2e/exam/ExamChecklists.spec.ts e2e/exam/ExamCreationDeletion.spec.ts e2e/exam/ExamDateVerification.spec.ts e2e/exam/ExamManagement.spec.ts e2e/exam/ExamParticipation.spec.ts e2e/exam/ExamResults.spec.ts e2e/exam/ExamTestRun.spec.ts e2e/exam/test-exam/ e2e/exercise/ExerciseImport.spec.ts e2e/exercise/file-upload/ e2e/exercise/modeling/ e2e/exercise/programming/ e2e/exercise/quiz-exercise/ e2e/exercise/text/ e2e/iris/ e2e/lecture/ e2e/shared/

Overall: ✅ E2E tests passed

🔗 Workflow Run · 📊 Test Report Phase 1 · 📊 Test Report Phase 2

@krusche krusche temporarily deployed to playwright-e2e-tests July 12, 2026 07:24 — with GitHub Actions Inactive
@krusche krusche temporarily deployed to playwright-e2e-tests July 12, 2026 14:24 — with GitHub Actions Inactive
@krusche krusche temporarily deployed to playwright-e2e-tests July 12, 2026 14:27 — with GitHub Actions Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Status: Work In Progress

Development

Successfully merging this pull request may close these issues.

2 participants