fix(review): suppress findings inside Markdown fenced code blocks (#329)#343
Merged
Conversation
Markdown files (.md/.mdx/.markdown) frequently contain fenced code blocks that are documentation examples, not executable code. Treating their contents like real source code produced false positives — e.g. a `git push` inside a fenced bash block flagged as SQL injection (#329). New module `engine::markdown` detects fenced code blocks (triple-backtick / triple-tilde) within a diff chunk and exposes which new-file line numbers fall inside them. A new filter `apply_markdown_code_block_filter()` drops findings (from all sources: security/secrets/rules scanners + LLM) whose file:line lands inside a code block of a markdown file. Fence state is tracked across full hunk context (Add + Context lines, skipping Removed lines) so it works even when only the body of a code block was edited — the opening fence does not need to be part of the diff. Findings without a resolvable line number are kept (safe default). 11 new tests (7 unit for fence detection + 4 integration for the filter, including the exact #329 git-push/SQL-injection scenario). All 648 tests pass; clippy + fmt + audit clean. Refs #329
This was referenced Jul 16, 2026
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes the root cause of #329: Markdown fenced code blocks (documentation examples) were treated like executable code, producing false positives — e.g. a
git pushinside a```bashblock flagged as SQL injection.Approach
Issue #329 offered three options (skip code blocks / reduce severity / language-hint matching). Skipping code blocks entirely subsumes language-hint matching for the common case and is the cleanest, so that's what this implements.
New module
engine::markdown:is_markdown(path)— detects.md/.mdx/.markdownlines_inside_code_blocks(chunk)— returns the set of new-file line numbers inside```/~~~fences. Tracks fence state across full hunk context (Add + Context lines, skipping Removed lines), so it works even when only the body of a code block was edited (the opening fence is often pre-existing context).New filter
apply_markdown_code_block_filter()inreview.rs:Vec<ReviewIssue>— right next toapply_ignore_rules, in both the success path and the LLM-failure fallback path.fileis markdown and whoselinefalls inside a code block.Why this design
response.issuesafter the LLM call, so filtering at the unifiedReviewIssuestage catches regex-scanner and LLM false positives in one place.DiffLineType::Contextlines are parsed), so fence tracking is reliable without extra file I/O.Scope
This addresses the systematic markdown code-block root cause (#329 item 1). The issue's other two observations (CHANGELOG future-date timezone; Cargo.lock format) are not regex-scanner artifacts — they come from LLM/rule paths and are noted for separate handling.
Testing
cargo auditclean.Refs #329