punimtag/.semgrepignore
Tanya 4b0a495bb0 chore: Add Semgrep ignore file and CI job status documentation
This commit introduces a Semgrep ignore file to suppress false positives and low-risk findings, particularly for controlled inputs in database scripts and development configurations. Additionally, a new CI Job Status Configuration document is added to clarify which CI jobs should fail on errors and which are informational, enhancing the overall CI/CD process documentation.
2026-01-12 12:25:19 -05:00


# Semgrep ignore file - suppress false positives and low-risk findings
# Console.log format string warnings - false positives (JavaScript console.log doesn't use format strings)
javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
# SQL injection warnings in database setup/migration scripts (controlled inputs, admin-only)
# These are legitimate uses of text() for DDL operations that can't use parameterized queries
scripts/db/
scripts/debug/
scripts/db/drop_all_tables.py
scripts/db/grant_auth_db_permissions.py
scripts/db/migrate_sqlite_to_postgresql.py
scripts/debug/check_database_tables.py
# Database setup code in app.py (controlled inputs, admin-only operations)
backend/app.py
# Docker compose security suggestions (acceptable for development)
deploy/docker-compose.yml
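Review bot: the line "javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring" is a rule ID, but .semgrepignore only accepts gitignore-style path patterns, so Semgrep will read it as a path that matches no file and the rule will keep firing on the console.log calls; suppress it instead with "--exclude-rule javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring" on the semgrep command line (or in the CI job), or with an inline "// nosemgrep: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring" comment on the specific console.log lines. Two smaller points: the four explicit paths under scripts/db/ and scripts/debug/ are already covered by the two directory entries above them and can be dropped, and listing backend/app.py and deploy/docker-compose.yml wholesale turns off every Semgrep rule for those files, not only the database-setup and compose findings the comments describe; a "# nosemgrep: <rule-id>" comment on the specific text() calls in app.py keeps the rest of the application file scanned.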