fix(self): clear 113 dogfood findings — exempt fixtures + harden 9 prod unwraps#324
Merged
Merged
Conversation
…od unwraps
CI Hypatia scan reports 113 self-findings. Triage broke down:
5 high — CSA001 on test/soundness/fixtures/code_safety/getexn_on_external.res
(a test fixture *designed* to trigger the rule — by design)
1 medium — CSA002 meta-alert ("94 open code-scanning alerts" — separate triage)
109 low — 89× CSA001 false positives on Rust/.gitignore files (rule is ReScript-only);
14× unwrap/expect on real Rust sites (8 fixed here, 6 exempted);
3× SD013 on .gitignore (false positives);
1× GS001;
1× ncl_docker_not_podman on the Nickel config that *bans* Docker
(recursive self-flag).
Two-part fix:
(1) `.hypatia-ignore` exemptions (one reason per entry):
- CSA001 on the test soundness fixture + the Rust files where the
ReScript-only rule false-positives (ffi.rs / .gitignore)
- SD013 on .gitignore (false positive — not structural drift)
- CSA002 self-meta-finding
- unwrap_without_check + expect_in_hot_path on
integration/src/ci_simulation/{scenarios,assertions}.rs (test
simulation infrastructure — panics here surface broken fixtures,
not runtime DoS)
- expect_in_hot_path on fixer/src/scanner.rs (compile-time-regex
pattern with already-meaningful expect messages)
- ncl_docker_not_podman on the Nickel policy file that itself
declares Dockerfiles banned
(2) Real production unwrap/expect hardening:
- cli/build.rs (×2): cargo env vars with explicit
`expect("cargo invariant: ...")` so the panic message names the
invariant
- cli/src/commands/batch.rs (×3): two Semaphore acquire() unwraps
→ `expect("invariant: semaphore not closed")`; one parse_findings_count
`unwrap_or(0)` → match-and-log so silent JSON parse failures show in
stderr
- cli/src/commands/scan.rs (×2): one ProgressStyle template + one
severity-map `unwrap_or(0)` with comment that 0 is the absent-key state
- cli/src/commands/fleet.rs (×2): ProgressStyle templates
- cli/src/output.rs (×2): ProgressStyle templates
- fixer/src/main.rs (×3): tracing directive + serde_json serialise +
repo_path file_name (now falls back to display path instead of panic)
- integration/src/lib.rs (×1): tracing directive
- scripts/ci-tools/check-k9iser-paths.rs (×1): replaced unwrap_or(0)
with map_or pattern + explanatory comment
- tools/cii-registrar/main.rs (×2): badge percentages now render "n/a"
when absent (0% was misleading)
Workspace builds clean: `cargo build --workspace` → finished dev profile.
Closes findings reported on commit 051d685 by the 2026-05-26T01:14:28Z
hypatia-scan run.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
🔍 Hypatia Security ScanFindings: 102 issues detected
View findings[
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/batch.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/scan.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/scan.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/fleet.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/output.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/build.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/fixer/src/main.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/integration/src/lib.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "1 untracked file(s) -- review and add or .gitignore",
"type": "GS001",
"file": ".",
"action": "review",
"rule_module": "git_state",
"severity": "low"
},
{
"reason": "Repository has 4 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
🔍 Hypatia Security ScanFindings: 102 issues detected
View findings[
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/batch.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/scan.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/scan.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/fleet.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/output.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/build.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/fixer/src/main.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/integration/src/lib.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "1 untracked file(s) -- review and add or .gitignore",
"type": "GS001",
"file": ".",
"action": "review",
"rule_module": "git_state",
"severity": "low"
},
{
"reason": "Repository has 4 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
🔍 Hypatia Security ScanFindings: 102 issues detected
View findings[
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/batch.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "unwrap_or(0) with dangerous default (1 occurrences, CWE-754)",
"type": "unwrap_dangerous_default",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/scan.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/scan.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/commands/fleet.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/src/output.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/cli/build.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (2 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/fixer/src/main.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "expect() in hot path (1 occurrences, CWE-754)",
"type": "expect_in_hot_path",
"file": "/home/runner/work/hypatia/hypatia/integration/src/lib.rs",
"action": "flag",
"rule_module": "code_safety",
"severity": "low"
},
{
"reason": "1 untracked file(s) -- review and add or .gitignore",
"type": "GS001",
"file": ".",
"action": "review",
"rule_module": "git_state",
"severity": "low"
},
{
"reason": "Repository has 4 non-main remote branch(es). Policy: single main branch only.",
"type": "GS007",
"file": ".",
"action": "delete_remote_branches",
"rule_module": "git_state",
"severity": "medium"
}
]Powered by Hypatia Neurosymbolic CI/CD Intelligence |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CI Hypatia scan on commit
051d685produced 113 self-findings. Triaged into two buckets:.hypatia-ignore(~104 findings): false positives + test fixtures + recursive self-flaggingTriage
test/soundness/fixtures/code_safety/getexn_on_external.res) — by design, exemptedReal production fixes (9 sites)
cli/build.rs×2expect("cargo invariant: …")cli/src/commands/batch.rs×3parse_findings_count→ match-and-log on JSON failurecli/src/commands/scan.rs×2cli/src/commands/fleet.rs×2cli/src/output.rs×2fixer/src/main.rs×3integration/src/lib.rs×1scripts/ci-tools/check-k9iser-paths.rs×1unwrap_or(0)→map_orwith commenttools/cii-registrar/main.rs×2n/anot0%Exemptions (with reasons in the file)
code_safety/CSA001on the soundness fixture (by design)code_safety/CSA001onclients/rust/hypatia-client/src/ffi.rs(Rust, not ReScript)code_safety/CSA001+structural_drift/SD013on.gitignore(not ReScript, not structural drift)code_scanning_alerts/CSA002self-meta (recursive self-flag)code_safety/unwrap_without_check+expect_in_hot_pathonintegration/src/ci_simulation/{scenarios,assertions}.rs(test simulation — panic on broken fixture is the contract)code_safety/expect_in_hot_pathonfixer/src/scanner.rs(compile-time regex with already-meaningful expect messages)code_safety/ncl_docker_not_podmanon the Nickel config that itself BANS Dockerfiles (recursive self-flag)Verification
cargo build --workspace→ finished dev profile051d685by the 2026-05-26T01:14:28Z hypatia-scan runTest plan
.hypatia-ignoreentry🤖 Generated with Claude Code