From 9182b5e27fbe73a0f0c7562696049b8782d87437 Mon Sep 17 00:00:00 2001 From: squid-protocol Date: Sun, 12 Jul 2026 08:37:09 -0400 Subject: [PATCH 1/2] fix(sarif): resolve false positive suppression gap in sanitization phase - Updated Phase 10.8 to bridge the naming convention gap between raw metric keys and GG-SAST-* dashboard IDs. - Expanded the sanitization loop to properly mask ai_appsec, ai_guardrails, and is_ml_threat sensors when ignored. - Updated .galaxyscope.yaml with baseline ignored rules and paths to validate the new suppression logic. --- .galaxyscope.yaml | 1 + gitgalaxy/galaxyscope.py | 62 +++++++++++++++++++++++++--------------- 2 files changed, 40 insertions(+), 23 deletions(-) diff --git a/.galaxyscope.yaml b/.galaxyscope.yaml index 6fbd09e0..60797e3e 100644 --- a/.galaxyscope.yaml +++ b/.galaxyscope.yaml @@ -5,6 +5,7 @@ galaxyscope: - "vendor/" - "gitgalaxy/standards/" - "gitgalaxy/security/" + - "gitgalaxy/tools/" SARIF_IGNORED_RULES: - "GH-1022" - "squid-protocol" \ No newline at end of file diff --git a/gitgalaxy/galaxyscope.py b/gitgalaxy/galaxyscope.py index 35c96cd6..a60c8695 100644 --- a/gitgalaxy/galaxyscope.py +++ b/gitgalaxy/galaxyscope.py @@ -918,7 +918,6 @@ def execute_pipeline(self, output_file: str = "galaxy.json"): if "risk_vector" in file_data and isinstance(file_data["risk_vector"], list): file_data["risk_vector"] = [0.0] * len(file_data["risk_vector"]) - # THE NUCLEAR SCRUB: Annihilate all telemetry except what the 3D map requires if "telemetry" in file_data: file_data["telemetry"] = { "popularity": file_data["telemetry"].get("popularity", 0), @@ -940,29 +939,46 @@ def execute_pipeline(self, output_file: str = "galaxy.json"): eqs = file_data.get("equations", {}) if isinstance(ts, dict) and isinstance(eqs, dict): - keys_to_delete_ts = [ - k for k in ts.keys() - if k in mitigs - or f"sec_{k}" in mitigs - or k.replace("sec_", "") in mitigs - or k in ignored_rules - or f"sec_{k}" in ignored_rules - ] - keys_to_delete_eqs = [ - k for k in eqs.keys() - if k in mitigs - or k.replace("sec_", "") in mitigs - or k in ignored_rules - or k.replace("sec_", "") in ignored_rules - ] + keys_to_delete_ts = [ + k for k in ts.keys() + if k in mitigs + or f"sec_{k}" in mitigs + or k.replace("sec_", "") in mitigs + or k in ignored_rules + or f"sec_{k}" in ignored_rules + or f"GG-SAST-{k.upper()}" in ignored_rules + or f"GG-SAST-{k.replace('sec_', '').upper()}" in ignored_rules + ] + keys_to_delete_eqs = [ + k for k in eqs.keys() + if k in mitigs + or k.replace("sec_", "") in mitigs + or k in ignored_rules + or k.replace("sec_", "") in ignored_rules + or f"GG-SAST-{k.upper()}" in ignored_rules + or f"GG-SAST-{k.replace('sec_', '').upper()}" in ignored_rules + ] + + for k in keys_to_delete_ts: + if k in ts: + del ts[k] + + for k in keys_to_delete_eqs: + if k in eqs: + del eqs[k] + + if "GG-AGENT-VULNERABILITY" in ignored_rules or "ai_appsec" in mitigs: + if "ai_appsec" in file_data.get("telemetry", {}): + del file_data["telemetry"]["ai_appsec"] + + if "GG-AGENT-GUARDRAIL" in ignored_rules or "ai_guardrails" in mitigs: + if "ai_guardrails" in file_data.get("telemetry", {}): + del file_data["telemetry"]["ai_guardrails"] - for k in keys_to_delete_ts: - if k in ts: - del ts[k] - - for k in keys_to_delete_eqs: - if k in eqs: - del eqs[k] + if file_data.get("is_ml_threat"): + ai_class = file_data.get("telemetry", {}).get("domain_context", {}).get("AI Threat Class", "Unknown") + if f"GG-ML-{ai_class.upper().replace(' ', '_').replace('/', '')}" in ignored_rules or "ml_threat" in mitigs: + file_data["is_ml_threat"] = False # ========================================================== # PHASE 11: GLOBAL TELEMETRY & METADATA LOCKING From fcba5885dfa634ef5d572bb852ce06efd0f4ccee Mon Sep 17 00:00:00 2001 From: squid-protocol Date: Sun, 12 Jul 2026 08:51:51 -0400 Subject: [PATCH 2/2] fix(core): resolve IndentationError in SARIF sanitization loop - Fixed a strict indentation alignment issue (E999) inside the Phase 10.8 telemetry sanitization block that was causing the GitHub Action pipeline to crash during Python compilation. --- gitgalaxy/galaxyscope.py | 54 ++++++++++++++++++++-------------------- 1 file changed, 27 insertions(+), 27 deletions(-) diff --git a/gitgalaxy/galaxyscope.py b/gitgalaxy/galaxyscope.py index a60c8695..39a30f84 100644 --- a/gitgalaxy/galaxyscope.py +++ b/gitgalaxy/galaxyscope.py @@ -939,33 +939,33 @@ def execute_pipeline(self, output_file: str = "galaxy.json"): eqs = file_data.get("equations", {}) if isinstance(ts, dict) and isinstance(eqs, dict): - keys_to_delete_ts = [ - k for k in ts.keys() - if k in mitigs - or f"sec_{k}" in mitigs - or k.replace("sec_", "") in mitigs - or k in ignored_rules - or f"sec_{k}" in ignored_rules - or f"GG-SAST-{k.upper()}" in ignored_rules - or f"GG-SAST-{k.replace('sec_', '').upper()}" in ignored_rules - ] - keys_to_delete_eqs = [ - k for k in eqs.keys() - if k in mitigs - or k.replace("sec_", "") in mitigs - or k in ignored_rules - or k.replace("sec_", "") in ignored_rules - or f"GG-SAST-{k.upper()}" in ignored_rules - or f"GG-SAST-{k.replace('sec_', '').upper()}" in ignored_rules - ] - - for k in keys_to_delete_ts: - if k in ts: - del ts[k] - - for k in keys_to_delete_eqs: - if k in eqs: - del eqs[k] + keys_to_delete_ts = [ + k for k in ts.keys() + if k in mitigs + or f"sec_{k}" in mitigs + or k.replace("sec_", "") in mitigs + or k in ignored_rules + or f"sec_{k}" in ignored_rules + or f"GG-SAST-{k.upper()}" in ignored_rules + or f"GG-SAST-{k.replace('sec_', '').upper()}" in ignored_rules + ] + keys_to_delete_eqs = [ + k for k in eqs.keys() + if k in mitigs + or k.replace("sec_", "") in mitigs + or k in ignored_rules + or k.replace("sec_", "") in ignored_rules + or f"GG-SAST-{k.upper()}" in ignored_rules + or f"GG-SAST-{k.replace('sec_', '').upper()}" in ignored_rules + ] + + for k in keys_to_delete_ts: + if k in ts: + del ts[k] + + for k in keys_to_delete_eqs: + if k in eqs: + del eqs[k] if "GG-AGENT-VULNERABILITY" in ignored_rules or "ai_appsec" in mitigs: if "ai_appsec" in file_data.get("telemetry", {}):