Exclude generic var-in-href semgrep rule that nosemgrep cannot suppress

allanhaggett · claude · allanhaggett · commit 8600520ead8d · 2026-02-09T18:35:28.000Z
The generic.html-templates.security.var-in-href.var-in-href rule flags
server-generated moodle_url values in mustache templates. nosemgrep
comments don't work with generic template pattern rules, so exclude
the rule via --exclude-rule in the CI workflow instead.

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/semgrep.yml b/.github/workflows/semgrep.yml
@@ -32,6 +32,7 @@ jobs:
                   --config "p/secrets" \
                   --config "p/insecure-transport" \
                   --config .semgrep.yml \
+                  --exclude-rule "generic.html-templates.security.var-in-href.var-in-href" \
                   --error \
                   --sarif \
                   --output=semgrep-results.sarif \
diff --git a/templates/editor.mustache b/templates/editor.mustache
@@ -32,7 +32,6 @@
 <div id="githubsync-editor" class="githubsync-editor">
     {{! Toolbar }}
     <div class="d-flex align-items-center mb-3">
-        <!-- nosemgrep: generic.html-templates.security.var-in-href.var-in-href -->
         <a href="{{configurl}}" class="btn btn-secondary btn-sm mr-2">
             {{#pix}}i/return, core{{/pix}}
             {{#str}}editor_back, local_githubsync{{/str}}
