ci: enable repo Semgrep rules for issue #338

.codacy.yml

@@ -6,15 +6,14 @@
 #
 # Recommended enabled tools:
 # - markdownlint: documentation linting
+# - opengrep: repository-owned Rust Semgrep rules from semgrep.yaml
 # - ruff: Python utility linting
 # - shellcheck: shell-script linting
 # - duplication: advisory duplicate-code metric
 # - lizard: advisory complexity feedback
 #
 # Recommended disabled tools:
 # - bandit, prospector, pylintpython3: redundant with Ruff/ty for this repo
-# - opengrep: keep broad/default rules disabled until repo-owned rules in
-#   .semgrep.yaml are cleaned up and enabled
 # - trivy: dependency vulnerability scanning is handled by cargo-audit and
 #   Dependabot unless this repository adds containers or IaC
 # - jacksonlinter, spectral: not relevant to the current project surface
@@ -50,6 +49,9 @@ engines:
       - "**/*.md"
     config:
       file: ".markdownlint.json"
+  opengrep:
+    include_paths:
+      - "src/**/*.rs"
   ruff:
     include_paths:
       - "scripts/**/*.py"
@@ -62,3 +64,5 @@ exclude_paths:
   - "node_modules/**"
   - ".git/**"
   - "docs/archive/**"
+  # Semgrep fixtures intentionally contain bad examples for rule tests.
+  - "tests/semgrep/**"

.coderabbit.yml

@@ -106,11 +106,11 @@ reviews:
     yamllint:
       enabled: true
 
-    # Semantic code analysis is intentionally disabled until the staged,
-    # repository-owned rules in .semgrep.yaml are enabled after legacy cleanup.
-    # Default Semgrep packs are noisy here and duplicate CodeQL/cargo-audit.
+    # Semantic code analysis uses only the focused, repository-owned rules in
+    # semgrep.yaml. Default Semgrep packs remain disabled in CodeRabbit.
     semgrep:
-      enabled: false
+      enabled: true
+      config_file: semgrep.yaml
 
     # Python linter (ruff provides comprehensive Python analysis)
     ruff:

.github/workflows/audit.yml

@@ -30,6 +30,8 @@ permissions:
 jobs:
   audit:
     runs-on: ubuntu-latest
+    env:
+      CARGO_AUDIT_VERSION: "0.22.1"
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 
@@ -40,14 +42,14 @@ jobs:
           # toolchain, components, etc. are specified in rust-toolchain.toml
 
       - name: Cache audit database
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.cargo/advisory-db
           key: advisory-db-${{ github.ref_name }}-v1
           restore-keys: advisory-db-
 
       - name: Install cargo-audit
-        run: cargo install --locked cargo-audit
+        run: cargo install --locked cargo-audit --version "${CARGO_AUDIT_VERSION}"
 
       - name: Run cargo audit
         run: |
@@ -71,14 +73,14 @@ jobs:
 
       - name: Upload audit SARIF results
         if: always()
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/upload-sarif@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
         with:
           sarif_file: audit-results.sarif
           category: "cargo-audit"
           wait-for-processing: true
 
       - name: Upload audit results
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: audit-results

.github/workflows/benchmarks.yml

@@ -302,7 +302,7 @@ jobs:
 
       - name: Upload regression test results
         if: env.BASELINE_EXISTS == 'true' && env.SKIP_BENCHMARKS == 'false' && always()
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: performance-regression-results-${{ github.run_number }}
           path: |

.github/workflows/ci.yml

@@ -21,10 +21,15 @@ on:
 env:
   CARGO_TERM_COLOR: always
   RUST_BACKTRACE: 1
-  ACTIONLINT_VERSION: "1.7.10"
-  MARKDOWNLINT_VERSION: "0.47.0"
-  SHFMT_VERSION: "3.12.0"
-  TYPOS_VERSION: "1.43.4"
+  ACTIONLINT_VERSION: "1.7.12"
+  JUST_VERSION: "1.50.0"
+  MARKDOWNLINT_VERSION: "0.48.0"
+  SHFMT_VERSION: "3.13.1"
+  SHFMT_SHA256_DARWIN_AMD64: "6feedafc72915794163114f512348e2437d080d0047ef8b8fa2ec63b575f12af"
+  SHFMT_SHA256_DARWIN_ARM64: "9680526be4a66ea1ffe988ed08af58e1400fe1e4f4aef5bd88b20bb9b3da33f8"
+  SHFMT_SHA256_LINUX_AMD64: "fb096c5d1ac6beabbdbaa2874d025badb03ee07929f0c9ff67563ce8c75398b1"
+  TAPLO_VERSION: "0.10.0"
+  TYPOS_VERSION: "1.45.2"
   UV_VERSION: "0.11.8"
 
 jobs:
@@ -57,9 +62,9 @@ jobs:
 
       - name: Install just
         if: matrix.os != 'windows-latest'
-        uses: taiki-e/install-action@cf525cb33f51aca27cd6fa02034117ab963ff9f1 # v2.75.22
+        uses: taiki-e/install-action@b651345a718c8f44efa2460560b3dbf29cbd7ee1 # v2.75.26
         with:
-          tool: just
+          tool: just@${{ env.JUST_VERSION }}
 
       - name: Install uv (for Python scripts and pytest)
         if: matrix.os != 'windows-latest'
@@ -80,15 +85,15 @@ jobs:
 
       - name: Install typos-cli
         if: matrix.os != 'windows-latest'
-        uses: taiki-e/install-action@cf525cb33f51aca27cd6fa02034117ab963ff9f1 # v2.75.22
+        uses: taiki-e/install-action@b651345a718c8f44efa2460560b3dbf29cbd7ee1 # v2.75.26
         with:
           tool: typos-cli@${{ env.TYPOS_VERSION }}
 
       - name: Install taplo (for TOML formatting and linting)
         if: matrix.os != 'windows-latest'
-        uses: taiki-e/install-action@cf525cb33f51aca27cd6fa02034117ab963ff9f1 # v2.75.22
+        uses: taiki-e/install-action@b651345a718c8f44efa2460560b3dbf29cbd7ee1 # v2.75.26
         with:
-          tool: taplo-cli
+          tool: taplo-cli@${{ env.TAPLO_VERSION }}
 
       - name: Install actionlint (Linux/macOS)
         if: matrix.os != 'windows-latest'
@@ -169,20 +174,18 @@ jobs:
           # Install shfmt (pinned for CI consistency)
           SHFMT_ASSET="shfmt_v${SHFMT_VERSION}_linux_amd64"
           SHFMT_BASE_URL="https://github.com/mvdan/sh/releases/download/v${SHFMT_VERSION}"
+          SHFMT_SHA256="${SHFMT_SHA256_LINUX_AMD64}"
 
           tmpdir="$(mktemp -d)"
           trap 'rm -rf "$tmpdir"' EXIT
 
           curl -fsSL \
             "${SHFMT_BASE_URL}/${SHFMT_ASSET}" \
             -o "$tmpdir/${SHFMT_ASSET}"
-          curl -fsSL \
-            "${SHFMT_BASE_URL}/sha256sums.txt" \
-            -o "$tmpdir/sha256sums.txt"
 
           (
             cd "$tmpdir"
-            grep -F "  ${SHFMT_ASSET}" sha256sums.txt > checksum.txt
+            printf '%s  %s\n' "$SHFMT_SHA256" "$SHFMT_ASSET" > checksum.txt
             sha256sum -c checksum.txt
           )
 
@@ -202,20 +205,25 @@ jobs:
 
           SHFMT_ASSET="shfmt_v${SHFMT_VERSION}_darwin_${SHFMT_ARCH}"
           SHFMT_BASE_URL="https://github.com/mvdan/sh/releases/download/v${SHFMT_VERSION}"
+          case "$SHFMT_ARCH" in
+            amd64) SHFMT_SHA256="${SHFMT_SHA256_DARWIN_AMD64}" ;;
+            arm64) SHFMT_SHA256="${SHFMT_SHA256_DARWIN_ARM64}" ;;
+            *)
+              echo "Unsupported shfmt architecture: $SHFMT_ARCH" >&2
+              exit 1
+              ;;
+          esac
 
           tmpdir="$(mktemp -d)"
           trap 'rm -rf "$tmpdir"' EXIT
 
           curl -fsSL \
             "${SHFMT_BASE_URL}/${SHFMT_ASSET}" \
             -o "$tmpdir/${SHFMT_ASSET}"
-          curl -fsSL \
-            "${SHFMT_BASE_URL}/sha256sums.txt" \
-            -o "$tmpdir/sha256sums.txt"
 
           (
             cd "$tmpdir"
-            grep -F "  ${SHFMT_ASSET}" sha256sums.txt > checksum.txt
+            printf '%s  %s\n' "$SHFMT_SHA256" "$SHFMT_ASSET" > checksum.txt
             shasum -a 256 -c checksum.txt
           )
 

.github/workflows/codacy.yml

@@ -3,14 +3,14 @@
 # separate terms of service, privacy policy, and support
 # documentation.
 
-# This workflow checks out code, runs Codacy's Markdownlint engine only, and
-# integrates the results with GitHub Advanced Security code scanning.
+# This workflow checks out code, runs selected Codacy engines, and integrates
+# the results with GitHub Advanced Security code scanning.
 # For more information on the Codacy analysis action usage and
 # parameters, see https://github.com/codacy/codacy-analysis-cli-action.
 # For more information on Codacy Analysis CLI in general, see
 # https://github.com/codacy/codacy-analysis-cli.
 
-name: Codacy Markdownlint Scan
+name: Codacy Quality Scan
 
 concurrency:
   # This concurrency group ensures that only one Codacy analysis runs at a time
@@ -30,7 +30,7 @@ permissions:
   contents: read
 
 jobs:
-  codacy-markdownlint-scan:
+  codacy-quality-scan:
     permissions:
       # for actions/checkout to fetch code
       contents: read
@@ -39,9 +39,15 @@ jobs:
       # only required for a private repository by
       # github/codeql-action/upload-sarif to get the Action run status
       actions: read
-    name: Codacy Markdownlint Scan
+    name: Codacy ${{ matrix.tool }} Scan
     runs-on: ubuntu-latest
     timeout-minutes: 30
+    strategy:
+      fail-fast: false
+      matrix:
+        tool:
+          - markdownlint
+          - opengrep
     steps:
       # Checkout the repository to the GitHub Actions runner
       - name: Checkout code
@@ -51,17 +57,17 @@ jobs:
         run: |
           set -euo pipefail
           echo "CODACY_WORKDIR=$RUNNER_TEMP/codacy-src" >> "$GITHUB_ENV"
-          echo "CODACY_SARIF=$RUNNER_TEMP/results.sarif" >> "$GITHUB_ENV"
+          echo "CODACY_SARIF=$RUNNER_TEMP/results-${{ matrix.tool }}.sarif" >> "$GITHUB_ENV"
 
       - name: Prepare workspace copy without .git
         run: |
           set -euo pipefail
           mkdir -p "$CODACY_WORKDIR"
           rsync -a --delete --exclude '.git' ./ "$CODACY_WORKDIR/"
 
-      # Execute Codacy Analysis CLI with a single tool. The Codacy GitHub App may
-      # run curated PR-quality tools, but this SARIF workflow stays Markdownlint
-      # only so maintainability checks are not mirrored into GitHub Code Scanning.
+      # Execute Codacy Analysis CLI with one selected tool per matrix entry.
+      # Opengrep reads the repository-owned rules from semgrep.yaml; broad
+      # default Semgrep/Opengrep packs remain disabled.
       - name: Run Codacy Analysis CLI
         # Cap Codacy runtime so a hung analyzer does not consume the full job timeout.
         timeout-minutes: 20
@@ -76,7 +82,7 @@ jobs:
           directory: ${{ env.CODACY_WORKDIR }}
           output: ${{ env.CODACY_SARIF }}
           format: sarif
-          tool: markdownlint
+          tool: ${{ matrix.tool }}
           skip-uncommitted-files-check: true
           # Adjust severity of non-security issues
           gh-code-scanning-compat: true
@@ -148,7 +154,7 @@ jobs:
           PY
 
       - name: Upload split SARIF files
-        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/upload-sarif@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
         with:
           sarif_file: ${{ env.CODACY_SPLIT_SARIF_DIR }}
           wait-for-processing: true

.github/workflows/codecov.yml

@@ -22,6 +22,8 @@ jobs:
     runs-on: ubuntu-latest
     env:
       CARGO_LLVM_COV_VERSION: "0.8.5"
+      JUST_VERSION: "1.50.0"
+      NEXTEST_VERSION: "0.9.133"
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -38,7 +40,7 @@ jobs:
         run: rustup component add llvm-tools-preview
 
       - name: Cache cargo-llvm-cov
-        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
+        uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5.0.5
         with:
           path: ~/.cargo/bin/cargo-llvm-cov
           key: cargo-llvm-cov-${{ runner.os }}-${{ env.CARGO_LLVM_COV_VERSION }}
@@ -58,14 +60,14 @@ jobs:
           fi
 
       - name: Install just
-        uses: taiki-e/install-action@cf525cb33f51aca27cd6fa02034117ab963ff9f1 # v2.75.22
+        uses: taiki-e/install-action@b651345a718c8f44efa2460560b3dbf29cbd7ee1 # v2.75.26
         with:
-          tool: just
+          tool: just@${{ env.JUST_VERSION }}
 
       - name: Install nextest
-        uses: taiki-e/install-action@cf525cb33f51aca27cd6fa02034117ab963ff9f1 # v2.75.22
+        uses: taiki-e/install-action@b651345a718c8f44efa2460560b3dbf29cbd7ee1 # v2.75.26
         with:
-          tool: nextest
+          tool: nextest@${{ env.NEXTEST_VERSION }}
 
       - name: Run tests with nextest (for JUnit XML)
         run: |
@@ -202,14 +204,14 @@ jobs:
         continue-on-error: true
 
       - name: Archive coverage results
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: coverage-report
           path: coverage/
 
       - name: Archive test results
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         if: always()
         with:
           name: test-results

.github/workflows/codeql.yml

@@ -41,20 +41,20 @@ jobs:
 
       - name: Initialize CodeQL
         if: matrix.language != 'rust'
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/init@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
         with:
           languages: ${{ matrix.language }}
           queries: security-extended
 
       - name: Initialize CodeQL (Rust)
         if: matrix.language == 'rust'
-        uses: github/codeql-action/init@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/init@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
         with:
           languages: ${{ matrix.language }}
           build-mode: none
           queries: security-extended
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4
+        uses: github/codeql-action/analyze@b25d0ebf40e5b63ee81e1bd6e5d2a12b7c2aeb61 # v4
         with:
           category: "/language:${{ matrix.language }}"

.github/workflows/generate-baseline.yml

@@ -171,7 +171,7 @@ jobs:
         run: uv run benchmark-utils sanitize-artifact-name --tag "$TAG_NAME"
 
       - name: Upload baseline artifact
-        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
         with:
           name: ${{ steps.safe_name.outputs.artifact_name }}
           path: bench-target/baseline-artifact/