From ca08f33c1eb27cd65cfbbb5498adddd478327c33 Mon Sep 17 00:00:00 2001 From: squid-protocol Date: Sun, 12 Jul 2026 06:53:08 -0400 Subject: [PATCH 1/2] fix(security): zero out hit_vector array for ignored SARIF paths to prevent ghost alerts --- gitgalaxy/galaxyscope.py | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/gitgalaxy/galaxyscope.py b/gitgalaxy/galaxyscope.py index c3ac3d19..56f82547 100644 --- a/gitgalaxy/galaxyscope.py +++ b/gitgalaxy/galaxyscope.py @@ -912,14 +912,27 @@ def execute_pipeline(self, output_file: str = "galaxy.json"): # COMPLETE PATH EXCLUSION: Wipe all threat indicators so SARIF ignores this file file_data["equations"] = {} file_data["is_ml_threat"] = False + + # 1. NEW: Wipe the numeric hit vector (The SARIF Recorder's primary data source) + if "hit_vector" in file_data and isinstance(file_data["hit_vector"], list): + file_data["hit_vector"] = [0] * len(file_data["hit_vector"]) + + # 2. Zero out the risk vector + if "risk_vector" in file_data and isinstance(file_data["risk_vector"], list): + file_data["risk_vector"] = [0.0] * len(file_data["risk_vector"]) + + # 3. Wipe all telemetry strings and contexts if "telemetry" in file_data: file_data["telemetry"]["threat_snippets"] = {} if "domain_context" in file_data["telemetry"]: file_data["telemetry"]["domain_context"].pop("warning", None) + file_data["telemetry"]["domain_context"].pop("alert", None) file_data["telemetry"]["domain_context"].pop("AI Threat Class", None) - if "risk_vector" in file_data and isinstance(file_data["risk_vector"], list): - # Zero out the risk vector so thresholds aren't breached - file_data["risk_vector"] = [0.0] * len(file_data["risk_vector"]) + + if "metadata" in file_data: + file_data["metadata"].pop("warning", None) + file_data["metadata"].pop("alert", None) + continue mitigs = file_data.get("mitigations", []) From 066b7c5dce27951ba38c03c005b436eef0525df3 Mon Sep 17 00:00:00 2001 From: squid-protocol Date: Sun, 12 Jul 2026 07:21:33 -0400 Subject: [PATCH 2/2] fix(security): obliterate network metrics and domain context for ignored SARIF paths --- gitgalaxy/galaxyscope.py | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/gitgalaxy/galaxyscope.py b/gitgalaxy/galaxyscope.py index 56f82547..47934f4a 100644 --- a/gitgalaxy/galaxyscope.py +++ b/gitgalaxy/galaxyscope.py @@ -909,30 +909,19 @@ def execute_pipeline(self, output_file: str = "galaxy.json"): path_excluded = any(p in file_path for p in ignored_paths) if path_excluded: - # COMPLETE PATH EXCLUSION: Wipe all threat indicators so SARIF ignores this file file_data["equations"] = {} file_data["is_ml_threat"] = False - # 1. NEW: Wipe the numeric hit vector (The SARIF Recorder's primary data source) if "hit_vector" in file_data and isinstance(file_data["hit_vector"], list): file_data["hit_vector"] = [0] * len(file_data["hit_vector"]) - # 2. Zero out the risk vector if "risk_vector" in file_data and isinstance(file_data["risk_vector"], list): file_data["risk_vector"] = [0.0] * len(file_data["risk_vector"]) - # 3. Wipe all telemetry strings and contexts if "telemetry" in file_data: file_data["telemetry"]["threat_snippets"] = {} - if "domain_context" in file_data["telemetry"]: - file_data["telemetry"]["domain_context"].pop("warning", None) - file_data["telemetry"]["domain_context"].pop("alert", None) - file_data["telemetry"]["domain_context"].pop("AI Threat Class", None) - - if "metadata" in file_data: - file_data["metadata"].pop("warning", None) - file_data["metadata"].pop("alert", None) - + file_data["telemetry"]["network_metrics"] = {} + file_data["telemetry"]["domain_context"] = {} continue mitigs = file_data.get("mitigations", [])