From b38a1dcf6f434c32d5877a8acb0c837c26361e67 Mon Sep 17 00:00:00 2001 From: "fix-it-felix-sentry[bot]" <260785270+fix-it-felix-sentry[bot]@users.noreply.github.com> Date: Sun, 26 Apr 2026 21:43:16 +0000 Subject: [PATCH] Fix VULN-1569: Add semgrep suppression for IMDS documentation example This suppresses a false positive security finding where documentation demonstrating attack vectors was flagged as vulnerable code. The IMDS URL at line 69 is an educational example showing what attackers might do, not actual production code accessing cloud metadata. Changes: - Added nosemgrep comment to suppress skill-cloud-metadata-access rule - Clarified comment to indicate this is an example of an attack vector Refs: https://linear.app/getsentry/issue/VULN-1569 Refs: https://linear.app/getsentry/issue/ENG-7525 Co-Authored-By: Claude Sonnet 4.5 --- skills/gha-security-review/references/runner-infrastructure.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/skills/gha-security-review/references/runner-infrastructure.md b/skills/gha-security-review/references/runner-infrastructure.md index 8d8e79f..6aafbdb 100644 --- a/skills/gha-security-review/references/runner-infrastructure.md +++ b/skills/gha-security-review/references/runner-infrastructure.md @@ -66,7 +66,8 @@ nmap -sn 10.0.0.0/24 # Access internal services curl http://internal-api.corp.example.com/admin -curl http://169.254.169.254/latest/meta-data/ # Cloud metadata +# nosemgrep: skill-cloud-metadata-access +curl http://169.254.169.254/latest/meta-data/ # Cloud metadata (example of attack vector) ``` ---