test: showcase semgrep integration and cost calculation#22
test: showcase semgrep integration and cost calculation#22ramirobarraco wants to merge 2 commits intomainfrom
Conversation
This file contains intentional security vulnerabilities to demonstrate the semgrep integration detecting and reporting issues: - SQL injection (string formatting in queries) - Command injection (shell=True with user input) - Hardcoded secrets (API keys and passwords) - Insecure deserialization (pickle.loads) - Path traversal (unvalidated user paths) - Arbitrary code execution (exec with user input) WARNING: This is for demonstration purposes only. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Semgrep's --config auto skips tests/ directory by default. Moving the demo file to src/ ensures it gets scanned. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
🔍 Nitpick Senior - Static AnalysisFound 5 issue(s) via static analysis (semgrep):
🤓 Um, actually... reviewed by Nitpick Senior |
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
| return result.stdout | ||
|
|
||
|
|
||
| def hardcoded_secret_example(): |
There was a problem hiding this comment.
🔒 Security | ❌ ERROR
A sensitive API key is hardcoded directly in the source code.
Why this matters: Hardcoding sensitive information like API keys directly in the source code makes it easily discoverable and compromises the security of the application if the code is exposed. This violates the principle of secure configuration management and makes credential rotation difficult.
|
|
||
|
|
||
| def hardcoded_secret_example(): | ||
| """Contains hardcoded credentials - security risk.""" |
There was a problem hiding this comment.
🔒 Security | ❌ ERROR
A sensitive password is hardcoded directly in the source code.
Why this matters: Hardcoding sensitive information like passwords directly in the source code makes it easily discoverable and compromises the security of the application if the code is exposed. This violates the principle of secure configuration management and makes credential rotation difficult.
| def path_traversal_example(user_path: str) -> str: | ||
| """Vulnerable to path traversal attacks.""" | ||
| # BAD: No validation of user-supplied path | ||
| base_dir = "/var/data" |
There was a problem hiding this comment.
🔒 Security | ❌ ERROR
The user_path input is used to construct a file path without proper validation, leading to a path traversal vulnerability.
Why this matters: The application constructs a file path using unvalidated user input. This allows an attacker to manipulate the user_path to access arbitrary files or directories on the server's file system, potentially leading to information disclosure or unauthorized file modification. The underlying issue is the assumption that user_path will always represent a simple filename within the base_dir.
🤓 Nitpick Senior ReviewThe pull request introduces a new file Confidence: 2/5Files Changed
Issues Found (3)🤓 Um, actually... reviewed by Nitpick Senior |
1 participant
Summary
Demo PR to showcase the semgrep integration detecting security vulnerabilities and the cost calculation with Gemini 2.5 Flash.
This file contains intentional vulnerabilities for testing:
Expected Results
Test Plan
WARNING: This PR contains intentionally vulnerable code and should NOT be merged.
🤖 Generated with Claude Code