ComfyUI_frontend/.agents/checks/semgrep-sast.md
Christian Byrne df69d6b5d4 feat: add Amp code review checks (#9445)
## Summary

Add 22 automated code review check definitions and 1 strict ESLint
config to `.agents/checks/` for Amp-powered code review.

## Changes

- **What**: 23 files in `.agents/checks/` covering accessibility, API
contracts, architecture, bug patterns, CodeRabbit integration,
complexity, DDD structure, dependency/secrets scanning, doc freshness,
DX/readability, ecosystem compatibility, error handling, import graph,
memory leaks, pattern compliance, performance, regression risk,
security, SAST, SonarJS linting, test quality, and Vue patterns. Each
check includes YAML frontmatter (name, description, severity-default,
tools) and repo-specific guidance tailored to ComfyUI_frontend
conventions.

## Review Focus

- Check definitions are config-only (no runtime code changes)
- Checks reference repo-specific patterns (e.g., `useErrorHandling`
composable, `useToastStore`, `es-toolkit`, Tailwind 4, Vue Composition
API)

┆Issue is synchronized with this [Notion
page](https://www.notion.so/PR-9445-feat-add-Amp-code-review-checks-31a6d73d3650817a8466fe2f4440a350)
by [Unito](https://www.unito.io)

---------

Co-authored-by: GitHub Action <action@github.com>
2026-03-05 15:29:30 -08:00


| name | description | severity-default | tools |
| --- | --- | --- | --- |
| semgrep-sast | Runs Semgrep SAST with auto-configured rules for JS/TS/Vue | high | Bash, Read |

Run Semgrep static analysis on changed files to detect security vulnerabilities, dangerous patterns, and framework-specific issues.

## Steps

1. Check if semgrep is installed:

   ```bash
   semgrep --version
   ```

   If not installed, skip this check and report: "Skipped: semgrep not installed. Install with: pip3 install semgrep"

2. Identify changed files (.ts, .js, .vue) from the diff. If none are found, skip and report: "Skipped: no changed JS/TS/Vue files."

3. Run semgrep against changed files:

   ```bash
   semgrep --config=auto --json --quiet <changed_files>
   ```

4. Parse the JSON output (`.results[]` array). For each finding, map severity:

   - Semgrep ERROR → critical
   - Semgrep WARNING → major
   - Semgrep INFO → minor

5. Report each finding with:

   - The semgrep rule ID (`check_id`)
   - File path and line number (`path`, `start.line`)
   - The message from `extra.message`
   - A fix suggestion from `extra.fix` if available, otherwise general remediation advice
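Steps 4 and 5 as a small parser, added here as an illustration and not part of the check definition or the ComfyUI_frontend repo. It reads a constructed sample of `semgrep --json` output (Semgrep places the rule severity under `extra.severity`; `extra.fix` is optional) and applies the severity map and report fields the check prescribes, including the "No issues found." case.

```python
import json

# Semgrep severity -> report severity, exactly as the check definition maps it.
SEVERITY_MAP = {"ERROR": "critical", "WARNING": "major", "INFO": "minor"}

# Constructed sample of `semgrep --json` output; rule IDs and paths are
# placeholders, not real scan results from the repository.
SAMPLE_OUTPUT = json.dumps({
    "results": [
        {
            "check_id": "example.js.unsafe-innerhtml",
            "path": "src/components/Preview.vue",
            "start": {"line": 42, "col": 5},
            "extra": {
                "severity": "ERROR",
                "message": "User-controlled data flows into innerHTML.",
                "fix": "el.textContent = value",
            },
        },
        {
            "check_id": "example.js.insecure-random",
            "path": "src/utils/id.ts",
            "start": {"line": 7, "col": 12},
            # No extra.fix here: the report must fall back to general advice.
            "extra": {"severity": "WARNING",
                      "message": "Math.random() is not cryptographically secure."},
        },
    ],
    "errors": [],
})


def parse_findings(raw_json: str) -> list[dict]:
    """Map each .results[] entry to the fields the check reports."""
    findings = []
    for r in json.loads(raw_json).get("results", []):
        extra = r.get("extra", {})
        findings.append({
            "rule": r["check_id"],
            "location": f"{r['path']}:{r['start']['line']}",
            # Unknown severities are treated as the lowest tier rather than dropped.
            "severity": SEVERITY_MAP.get(extra.get("severity", "INFO"), "minor"),
            "message": extra.get("message", ""),
            "fix": extra.get("fix") or "No autofix available; apply the rule's general remediation.",
        })
    return findings


def format_report(findings: list[dict]) -> str:
    """One line per finding, or the fixed 'no findings' message."""
    if not findings:
        return "No issues found."
    return "\n".join(f"[{f['severity']}] {f['rule']} at {f['location']}: "
                     f"{f['message']} Fix: {f['fix']}" for f in findings)
```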

## What Semgrep Catches

With `--config=auto`, Semgrep loads community-maintained rules for:

- Security vulnerabilities: injection, XSS, SSRF, path traversal, open redirect
- Dangerous patterns: `eval()`, `innerHTML`, `dangerouslySetInnerHTML`, `exec()`
- Crypto issues: weak hashing, hardcoded secrets, insecure random
- Best practices: missing security headers, unsafe deserialization
- Framework-specific: Express, React, Vue security patterns

## Error Handling

- If the semgrep config download fails, skip and report the error.
- If semgrep fails to parse a specific file, skip that file and continue with the others.
- If semgrep produces no findings, report "No issues found."