Fix ast-grep utility IDs for 0.43 parser#202

Open
coderabbitai[bot] wants to merge 1 commit into
mainfrom
coderabbit/slack/fix-ast-grep-utils

Conversation


@coderabbitai coderabbitai Bot commented Jun 3, 2026

Summary

Fixes CodeRabbit's bundled ast-grep-essentials rules so they parse under ast-grep 0.43.0.

The customer-facing failure came from Pylon issue #20980 for Phantom: CodeRabbit reported that /ast-grep-rules/coderabbitai/ast-grep-essentials/rules/c/security/file-access-before-action-c.yml could not be parsed because utility ID PATTERN_1(identifier) contains reserved characters.

Evidence And Reasoning

  • Reproduced locally with the same parser version from the ticket:
    • npm exec --yes --package @ast-grep/cli@0.43.0 -- sg scan --rule rules/c/security/file-access-before-action-c.yml tests/c/file-access-before-action-c-test.yml --json=compact
    • Failure matched the ticket: Utility id PATTERN_1(identifier) contains reserved characters.
  • The failure is caused by rule utility IDs containing reserved characters such as (, ), ., :, =, $, spaces, and &.
  • The change mechanically renames invalid utility IDs to identifier-safe names and updates the matching matches: references in the same files.
  • Rule semantics should be unchanged because only internal utility identifiers and their direct references were renamed.
  • Linear has prior/related context: ENG-3565 captured the same file-access-before-action-c.yml parse class during an ast-grep upgrade, and ENG-4565 tracks a current ast-grep napi upgrade thread from 2026-06-02.
  • Datadog exact-string log search for file-access-before-action-c.yml, PATTERN_1(identifier), and Utility id over the last 24 hours returned no matching service logs, so I found no evidence of a broad observed error spike from logs.

Confidence

High. This directly removes the parser-invalid utility IDs, the original failure no longer reproduces, and the full rule test suite passes under ast-grep 0.43.0.

Validation

  • npm exec --yes --package @ast-grep/cli@0.43.0 -- sg scan --rule rules/c/security/file-access-before-action-c.yml tests/c/file-access-before-action-c-test.yml --json=compact
  • npm exec --yes --package @ast-grep/cli@0.43.0 -- sg test --skip-snapshot-tests -c ./sgconfig.yml --color never
  • npm exec --yes --package @ast-grep/cli@0.43.0 -- sg test -c ./sgconfig.yml --color never

All 185 tests passed.

Final Prompt

Automation execution profile: CODEX_WORKSPACE.
Treat the following as an operational task for the current automation run, not as a request to create, update, preview, review, or explain an automation.

  • Do not create or modify automations as part of this phase.
  • Do not emit automation_proposal or automation_action_proposal in a live automation run.
  • Do not talk about automation setup, scheduling, confirmation UI, sample-run requirements, or draft previews.
  • Ignore earlier automation-authoring, preview, and review messages in this thread. They are historical setup context, not instructions for this live run.
  • The automation runtime has already created the current run thread when this phase starts. Do not create a second top-level channel message or a second run thread.
  • If the task refers to the top of the new run thread or to the original post or message, it means the Slack message the automation runtime already created for this run.
  • Carry out only the current phase below, then stop. Do not implement later phases yourself.
  • If this run already has a live automation-owned status card, update that existing card in place with an automation_status_card. Do not emit a preview card, draft card, or alternative control surface.
  • If this run does not already have a live automation-owned status card, do not emit automation_status_card. Return only the visible thread reply.
  • When a prompt-driven action says to update the original post, original message, or status card, your final output for this phase must include an automation_status_card that reflects that requested end state before you stop.
  • When the runtime already created or updated the live root status card for this phase, do not add a redundant acknowledgement reply such as 'thread is live' or 'status card updated'.
  • When the live root status card already presents the initial choices or status for this run, do not add a separate introductory thread reply that only restates those controls. Treat the root card as the initial UX for that phase.
  • For the main visible Slack message in this automation run, do not call actor-slack, post_message, a user token, or any other user-scoped Slack action.
  • Return the exact Slack message as your normal final output instead. The automation runtime will deliver that output with the bot identity according to this automation's saved delivery mode.
  • Use actor-scoped Slack actions only when the saved task explicitly asks for a separate user-scoped side action beyond the main automation message.
  • When the task only asks you to post message text, do not return an acknowledgement such as 'Posted hi bot testing'. Return the message text itself.
  • When opening a pull request, include at the end of the PR body.
  • This run was triggered by a webhook event.
  • The automation runtime already applied the saved event type and payload field rules before starting this run. Do not re-check whether the webhook should qualify.
  • Use the webhook payload below as live runtime input. Do not treat it as an example or preview artifact.

Webhook event context:

  • Provider: pylon
  • Connection ID: 088327ac-c674-4b81-9e21-dd928f75b2d5
  • Event type: pylon.issue.created
  • Channel ID: C0B1AFCP40J
  • Payload JSON: {"event_type":"pylon.issue.created","source":"pylon","issue":{"id":"3115b923-b932-4fe3-9a26-afc2218c930b","link":"https://app.usepylon.com/issues?issueNumber=20980","body":"Hi! We don't have any custom ast-grep rules in our config, but we're getting an error:\n🔧 ast-grep (0.43.0)\n&lt;...&gt;Error: Cannot parse rule /ast-grep-rules/coderabbitai/ast-grep-essentials/rules/c/security/file-access-before-action-c.yml\nHelp: The file is not a valid ast-grep rule. Please refer to doc and fix the error.\nSee also: <https://ast-grep.github.io/guide/rule-config.html>\n\n✖ Caused by\n╰▻ Fail to parse yaml as Rule.\n╰▻ utils is not configured correctly.\n╰▻ Rule contains invalid utils.\n╰▻ Utility id PATTERN_1(identifier) contains reserved characters.\n\nlib/aws/identitycenter/permissionsets/power-user-access.test.ts\nError: Cannot parse rule /ast-grep-rules/coderabbitai/ast-grep-essentials/rules/c/security/file-access-before-action-c.yml\nHelp: The file is not a valid ast-grep rule. Please refer to doc and fix the error.\nSee also: <https://ast-grep.github.io/guide/rule-config.html>\n\n✖ Caused by\n╰▻ Fail to parse yaml as Rule.\n╰▻ utils is not configured correctly.\n╰▻ Rule contains invalid utils.\n╰▻ Utility id PATTERN_1(identifier) contains reserved characters.","account":{"id":"100b622f-94d7-4d4d-8960-181a50991612","name":"Phantom"},"assignee":"Jax Diagana"}}

Task:
Triage this customer support event like a senior support engineer.

Use the ticket details to identify the customer, product area, urgency, impact, and what the customer is trying to do. Classify the issue as one of: product bug, customer confusion, missing documentation, pricing or billing question, account or permissions issue, integration setup issue, or unknown.

If this looks answerable from documentation or known product behavior, check the relevant docs or knowledge base connections and draft a clear customer-facing answer.

If this looks like a product bug, investigate it like a production issue. Check observability and infrastructure connections for matching errors, latency, saturation, traffic shifts, dependency failures, and trace examples. Compare the alert window with recent deploys, config changes, and commits. Check issue tracking and docs and knowledge connections for similar issues/postmortems in the past and see how they were addressed and whether any useful information exists to help debug or resolve the current issue. If you can figure out what the code fix is based on the evidence, then open a PR with the fix. Make sure the PR description includes all the evidence and reasoning about why this PR will fix the issue and your confidence level in the fix working.

Return:

  • classification
  • customer impact and urgency
  • what the customer is asking or reporting
  • confirmed facts
  • likely cause
  • recommended customer response
  • internal next action
  • missing information, if any

Additionally, ensure the final response formatting is visually consistent. All section headers and subsection headers (for example: classification, customer impact and urgency, confirmed facts, likely cause, etc.) must always be bolded consistently in both the returned output and the private note formatting posted to Pylon.

Also post the whole analysis as private note on the pylon ticket that triggered this message using the bot/service-account Pylon connection. Do not use a personal Pylon API token.

If the issue is classified as a billing question, skip the workflow entirely and post only this private note on the Pylon ticket that triggered this message using the bot/service-account Pylon connection: "Skipping CodeRabbit bot analysis since this is a billing-related issue."

Final Plan

Classification
Product bug.

Customer Impact And Urgency
Customer: Phantom. Product area: built-in ast-grep analyzer / bundled essential security rules. Urgency: medium-high; CodeRabbit is surfacing a parser error from our bundled rules even though they have no custom rules configured.

What The Customer Is Asking Or Reporting
They report that ast-grep 0.43.0 cannot parse CodeRabbit’s bundled file-access-before-action-c.yml rule, failing with the error: Utility id PATTERN_1(identifier) contains reserved characters.

Confirmed Facts

  • Reproduced locally with @ast-grep/cli@0.43.0.
  • Prior Linear context exists: ENG-3565 captured the same parser-error class; ENG-4565 tracks a current ast-grep upgrade thread.
  • Datadog exact-string search over the last 24h found no matching logs.
  • Opened fix PR: coderabbitai/ast-grep-essentials#202.
  • Posted the full analysis as a private Pylon note.

Likely Cause
The newer ast-grep parser rejects utility IDs with reserved characters. Several bundled rules used generated utility names like PATTERN_1(identifier), dotted names, :: names, and $... names.

Recommended Customer Response
Thanks for flagging this. This is coming from CodeRabbit’s bundled ast-grep essentials rules, not your repository configuration. We reproduced the parser error with ast-grep 0.43.0 and opened a fix to rename the affected internal utility IDs while preserving rule behavior. No action is needed on your side right now.

Internal Next Action
Merge and deploy PR #202, then confirm Phantom no longer sees the ast-grep parser error.

Missing Information
Affected PR/review URL and exact run timestamp. Not required for the fix, but useful for post-deploy confirmation.

Initiative Context

Summary by CodeRabbit

  • Refactor
    • Reorganized internal security rule pattern definitions for improved maintainability and reusability.
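The mechanical rename the PR description summarises (give every utility ID that contains a reserved character an identifier-safe name, then rewrite each matches: reference to it) is shown below as an added example; it is not code from the PR or from ast-grep. It assumes the rule YAML is written one key per line under a top-level utils: block and that the 0.43 parser accepts IDs made of [A-Za-z0-9_-]; neither assumption comes from the page. It also handles the collision case the review raises for PgConnectOptions_new_password_with_Instance: a sanitized name that would duplicate an existing valid ID gets a numeric suffix instead of silently shadowing it. The sample rule is constructed.

```python
import re
from typing import Dict, List, Tuple

# Reserved characters listed in the PR description.
RESERVED = set("().:=$ &")
# Assumption: ast-grep 0.43 accepts [A-Za-z0-9_-]; other runs become "_".
SAFE_RE = re.compile(r"[^A-Za-z0-9_-]+")
# `matches: NAME` or `- matches: NAME` at any indentation.
MATCHES_RE = re.compile(r"^(\s*(?:-\s*)?matches:\s*)(.+?)\s*$")


def has_reserved(util_id: str) -> bool:
    """True if the ID contains a character the 0.43 parser rejects."""
    return any(ch in RESERVED for ch in util_id)


def sanitize(util_id: str) -> str:
    """PATTERN_1(identifier) -> PATTERN_1_identifier, Foo::new -> Foo_new."""
    return SAFE_RE.sub("_", util_id).strip("_") or "util"


def _unquote(s: str) -> str:
    return s[1:-1] if len(s) >= 2 and s[0] == s[-1] and s[0] in "\"'" else s


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def find_util_ids(lines: List[str]) -> List[Tuple[int, str]]:
    """(line index, id) for each key directly under the top-level `utils:`."""
    found: List[Tuple[int, str]] = []
    in_utils, key_indent = False, None
    for i, line in enumerate(lines):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ind = _indent(line)
        if ind == 0:  # any top-level key starts or ends the utils block
            in_utils, key_indent = line.rstrip() == "utils:", None
            continue
        if not in_utils:
            continue
        key_indent = ind if key_indent is None else key_indent
        if ind == key_indent and line.rstrip().endswith(":"):
            found.append((i, _unquote(line.strip()[:-1])))
    return found


def build_rename_map(util_ids: List[str]) -> Dict[str, str]:
    """Map each invalid ID to a unique safe name. Valid IDs are reserved first,
    so a sanitized name never shadows one (the review's PgConnectOptions case);
    a further collision gets a numeric suffix."""
    taken = {u for u in util_ids if not has_reserved(u)}
    mapping: Dict[str, str] = {}
    for old in util_ids:
        if not has_reserved(old):
            continue
        base, n = sanitize(old), 1
        new = base
        while new in taken:
            n += 1
            new = f"{base}_{n}"
        taken.add(new)
        mapping[old] = new
    return mapping


def rename_utils(text: str) -> Tuple[str, Dict[str, str]]:
    """Return the rewritten rule text and the old->new ID mapping."""
    lines = text.splitlines()
    ids = find_util_ids(lines)
    mapping = build_rename_map([u for _, u in ids])
    key_lines = {i: u for i, u in ids if u in mapping}
    out: List[str] = []
    for i, line in enumerate(lines):
        m = MATCHES_RE.match(line)
        if i in key_lines:  # the utility definition itself
            out.append(" " * _indent(line) + mapping[key_lines[i]] + ":")
        elif m and _unquote(m.group(2)) in mapping:  # a reference to it
            out.append(m.group(1) + mapping[_unquote(m.group(2))])
        else:
            out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), mapping


# Constructed sample (not one of the project's files): the reserved-character
# forms the PR lists, plus foo.bar colliding with an existing valid foo_bar.
SAMPLE_RULE = """\
id: sample-rule
language: c
utils:
  PATTERN_1(identifier):
    kind: identifier
    regex: ^access$
  PgConnectOption::new:
    pattern: $OPT::new()
  foo.bar:
    pattern: foo($X)
  foo_bar:
    pattern: bar($X)
rule:
  any:
    - matches: PATTERN_1(identifier)
    - matches: PgConnectOption::new
    - matches: foo.bar
    - matches: foo_bar
"""

if __name__ == "__main__":
    fixed, renamed = rename_utils(SAMPLE_RULE)
    print(renamed)
    print(fixed, end="")
```

Running it on a real rules/ tree means calling rename_utils on each file and then re-running sg test, as the PR's validation section does; the mapping it returns is what should go into the commit message so reviewers can check that only internal IDs changed.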


coderabbitai Bot commented Jun 3, 2026

Review Change Stack

Walkthrough

Refactors security rules across many languages to standardize matcher names and move inline match expressions into utils, then updates rule.any references accordingly. No functional detection logic changes indicated.

Changes

Cross-language rule naming and utils refactor

Layer / File(s): Refactor matcher naming and wiring via utils (rules/**)
Summary: Renames dotted/parameterized matcher ids to underscore style, extracts inline patterns into utils, and rewires rule.any matches across C/C++/C#/Go/Java/PHP/Python/Ruby/Rust/TypeScript rule files.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Poem

A rabbit taps in YAML fields, hop-hop—rename the keys!
From dots to underscores we bound, with breezy refactor breeze.
Inline spells now live in utils, neat as clover rows,
The rule.any chorus points to them—how tidily it flows!
Thump-thump, ship it, please! 🐇✨


@coderabbitai coderabbitai Bot left a comment


Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (6)
rules/python/security/python-peewee-pg-hardcoded-secret-python.yml (1)

25-25: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Same 6peewee.PostgresqlDatabase$ regex typo as the empty-password rule.

The leading 6 (instead of ^) prevents matching qualified peewee.PostgresqlDatabase(...) calls. Pre-existing and outside the rename scope, but the same fix should be applied here for consistent detection.

🐛 Proposed fix
-        regex: ^PostgresqlDatabase$|6peewee.PostgresqlDatabase$|^PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|^playhouse.cockroachdb.PooledCockroachDatabase$
+        regex: ^PostgresqlDatabase$|^peewee.PostgresqlDatabase$|^PostgresqlExtDatabase$|^playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|^playhouse.cockroachdb.PooledCockroachDatabase$
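Review bot: this hunk changes three alternatives, not one: besides replacing the leading 6 with ^, it appends $ to ^PostgresqlExtDatabase and prepends ^ to playhouse.postgres_ext.PostgresqlExtDatabase$, while the comment text and the agent prompt say to replace only the leading 6. The extra anchoring is right (the unanchored forms also accept a longer or prefixed name), but the comment should say so, and the sibling hunk for python-peewee-pg-empty-password-python.yml should receive the same two anchor fixes so the two rules keep an identical regex.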
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rules/python/security/python-peewee-pg-hardcoded-secret-python.yml` at line
25, The regex in the rule contains a typo "6peewee.PostgresqlDatabase$" which
prevents matching fully-qualified peewee classes; update the pattern to
"^peewee.PostgresqlDatabase$" so it correctly matches qualified names alongside
the other alternatives (the overall regex string containing PostgresqlDatabase,
PostgresqlExtDatabase, PooledPostgresqlDatabase, CockroachDatabase, etc.).
Ensure you replace only the leading "6" with "^" in that alternative so the
combined regex continues to work as intended.
rules/python/security/python-peewee-pg-empty-password-python.yml (1)

26-26: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix regex typo so peewee.PostgresqlDatabase(...) is detected

6peewee.PostgresqlDatabase$ can’t match the qualified class name (peewee.PostgresqlDatabase), leaving that case undetected. The same typo also exists in rules/python/security/python-peewee-pg-hardcoded-secret-python.yml. Existing tests for these rules use the unqualified PostgresqlDatabase(...) form, so the qualified path isn’t exercised.

🐛 Proposed fix
-        regex: ^PostgresqlDatabase$|6peewee.PostgresqlDatabase$|^PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|^playhouse.cockroachdb.PooledCockroachDatabase$
+        regex: ^PostgresqlDatabase$|^peewee.PostgresqlDatabase$|^PostgresqlExtDatabase|playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|^playhouse.cockroachdb.PooledCockroachDatabase$
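Review bot: this hunk fixes only the 6 and leaves ^PostgresqlExtDatabase without a trailing $ and playhouse.postgres_ext.PostgresqlExtDatabase$ without a leading ^, whereas the hunk proposed for python-peewee-pg-hardcoded-secret-python.yml anchors both; apply the same anchoring here so the two rules do not drift. The agent prompt below also tells the agent to update the alternative to "peewee.PostgresqlDatabase$" without the ^, which contradicts the hunk; the hunk's ^peewee.PostgresqlDatabase$ is the form to keep.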
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rules/python/security/python-peewee-pg-empty-password-python.yml` at line 26,
The regex contains a typo "6peewee.PostgresqlDatabase$" that cannot match the
qualified class name peewee.PostgresqlDatabase; update the pattern to
"peewee.PostgresqlDatabase$" in the regex string shown (the same fix must also
be applied to
rules/python/security/python-peewee-pg-hardcoded-secret-python.yml) so the
fully-qualified class name is correctly detected by the rule.
rules/python/security/python-requests-hardcoded-secret-python.yml (1)

107-133: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix incorrect import symbol in HTTPDigestAuth_USER guard.

HTTPDigestAuth_USER checks from requests.auth import HTTPProxyAuth in one branch, which is inconsistent with the digest matcher and can miss valid HTTPDigestAuth(...) detections.

Suggested fix
   HTTPDigestAuth_USER:
@@
       - any:
           - follows:
               stopBy: end
               kind: import_from_statement
               any:
-                - pattern: from requests.auth import HTTPProxyAuth
+                - pattern: from requests.auth import HTTPDigestAuth
           - inside:
               stopBy: end
               follows:
                 stopBy: end
                 kind: import_from_statement
                 any:
                   - pattern: from requests.auth import HTTPDigestAuth
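Review bot: the symbol swap is the right fix, but the comment notes that only the first import branch was wrong while the inside/follows branch already names HTTPDigestAuth, so the two branches of the same guard disagreed without any test noticing; add a test case that does from requests.auth import HTTPDigestAuth and then calls HTTPDigestAuth(...) with a literal secret at module level, so the follows branch is exercised and sg test would catch a recurrence.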
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rules/python/security/python-requests-hardcoded-secret-python.yml` around
lines 107 - 133, The guard HTTPDigestAuth_USER wrongly looks for the import
symbol HTTPProxyAuth instead of HTTPDigestAuth, causing mismatches; update the
import_from_statement branch inside HTTPDigestAuth_USER to check for "from
requests.auth import HTTPDigestAuth" (replace HTTPProxyAuth with HTTPDigestAuth)
so the matcher consistently detects HTTPDigestAuth(...) calls and their string
argument checks.
rules/typescript/security/node-rsa-weak-key-typescript.yml (1)

1059-1059: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Correct misspelled module regex node-forgeo.

Line 1059 and Line 1369 should match node-forge; current regex won’t match real imports.

Proposed fix
-                        regex: ^node-forgeo$
+                        regex: ^node-forge$
@@
-                        regex: ^node-forgeo$
+                        regex: ^node-forge$
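Review bot: a one-character fix, but since ^node-forgeo$ could never match, nothing in the current tests imports node-forge through this matcher; add a test fixture that imports node-forge and generates a short RSA key so both corrected occurrences (line 1059 and line 1369) are covered.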

Also applies to: 1369-1369

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rules/typescript/security/node-rsa-weak-key-typescript.yml` at line 1059, The
regex value currently set as "node-forgeo" is misspelled and will never match
real imports; update the regex entries that contain regex: ^node-forgeo$ (both
occurrences) to regex: ^node-forge$ so the rule correctly matches the
"node-forge" module imports; search for the exact symbol string "regex:
^node-forgeo$" and replace it with "regex: ^node-forge$" in both places (the
occurrences near the current diff).
rules/rust/security/empty-password-rust.yml (1)

401-465: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix PgConnectOption vs PgConnectOptions naming to avoid missed detections

In sqlx-postgres, the Postgres connection options type/constructor is PgConnectOptions and the constructor is PgConnectOptions::new—there is no PgConnectOption::new. Update the rule to match PgConnectOptions (e.g., matcher name and regex).

Proposed fix
-  PgConnectOption_new_password_with_Instance:
+  PgConnectOptions_new_password_with_Instance:
@@
-                            regex: ^PgConnectOption::new$
+                            regex: ^PgConnectOptions::new$
@@
-    - matches: PgConnectOption_new_password_with_Instance
+    - matches: PgConnectOptions_new_password_with_Instance
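Review bot: renaming the utility key here carries the collision risk the sibling comment on hardcoded-password-rust.yml points out: if empty-password-rust.yml already defines a PgConnectOptions_new_password_with_Instance utility, this hunk would create a duplicate key. Check for an existing key before renaming; if one exists, keep the key name and change only the ^PgConnectOption::new$ regex, as proposed for the other file. Either way the matches: reference at line 1051 must change in the same commit.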

Applies to: rules/rust/security/empty-password-rust.yml (401-465, and also 1051-1051)

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rules/rust/security/empty-password-rust.yml` around lines 401 - 465, The rule
currently references the non-existent symbol PgConnectOption and
PgConnectOption::new which will miss matches; update all occurrences to
PgConnectOptions and PgConnectOptions::new (including the matcher name
PgConnectOption_new_password_with_Instance and any regexes like
^PgConnectOption$ or ^PgConnectOption::new$) so the rule, its regexes and the
let/call_expression checks target the real sqlx type/constructor
PgConnectOptions/PgConnectOptions::new; apply the same change at the other
occurrence noted (around line 1051) so both rule instances use the correct
pluralized identifier.
rules/rust/security/hardcoded-password-rust.yml (1)

394-458: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Fix postgres constructor matcher: use PgConnectOptions::new (plural), not PgConnectOption::new (singular).

PgConnectOption_new_password_with_Instance (at ~line 394) looks for regex: ^PgConnectOption::new$ (at ~line 456). sqlx’s Rust API constructor is PgConnectOptions::new, so this matcher will miss typical code.

Keep the rule name as-is (it’s referenced at ~line 1028) and change only the internal constructor regex; renaming the rule key to PgConnectOptions_new_password_with_Instance would collide with the existing PgConnectOptions_new_password_with_Instance rule (at ~line 581).

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rules/rust/security/hardcoded-password-rust.yml` around lines 394 - 458, The
rule PgConnectOption_new_password_with_Instance is matching the wrong
constructor name; update the internal regex that currently matches
^PgConnectOption::new$ to ^PgConnectOptions::new$ so the matcher finds sqlx’s
constructor; keep the rule key PgConnectOption_new_password_with_Instance
unchanged and only modify the constructor regex in the call_expression check
that references PgConnectOption::new.
🧹 Nitpick comments (1)
rules/cpp/security/string-view-temporary-string-cpp.yml (1)

918-919: 💤 Low value

Duplicate matcher can be removed.

Lines 918 and 919 both reference VAR_instance_EXPR_instance_substr, which is redundant in an any: block. One of these lines can be removed without changing behavior.

♻️ Proposed fix
         - matches: VAR_instance_EXPR_instance
         - matches: VAR_instance_EXPR_instance_substr
-        - matches: VAR_instance_EXPR_instance_substr
         - matches: VAR_instance_std_to_string
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@rules/cpp/security/string-view-temporary-string-cpp.yml` around lines 918 -
919, Remove the duplicate matcher entry in the any: list — both entries
referencing VAR_instance_EXPR_instance_substr are redundant; edit the rule's
any: block to keep a single VAR_instance_EXPR_instance_substr line and delete
the other so the matcher appears only once.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@rules/python/security/python-peewee-pg-empty-password-python.yml`:
- Line 26: The regex contains a typo "6peewee.PostgresqlDatabase$" that cannot
match the qualified class name peewee.PostgresqlDatabase; update the pattern to
"peewee.PostgresqlDatabase$" in the regex string shown (the same fix must also
be applied to
rules/python/security/python-peewee-pg-hardcoded-secret-python.yml) so the
fully-qualified class name is correctly detected by the rule.

In `@rules/python/security/python-peewee-pg-hardcoded-secret-python.yml`:
- Line 25: The regex in the rule contains a typo "6peewee.PostgresqlDatabase$"
which prevents matching fully-qualified peewee classes; update the pattern to
"^peewee.PostgresqlDatabase$" so it correctly matches qualified names alongside
the other alternatives (the overall regex string containing PostgresqlDatabase,
PostgresqlExtDatabase, PooledPostgresqlDatabase, CockroachDatabase, etc.).
Ensure you replace only the leading "6" with "^" in that alternative so the
combined regex continues to work as intended.

In `@rules/python/security/python-requests-hardcoded-secret-python.yml`:
- Around line 107-133: The guard HTTPDigestAuth_USER wrongly looks for the
import symbol HTTPProxyAuth instead of HTTPDigestAuth, causing mismatches;
update the import_from_statement branch inside HTTPDigestAuth_USER to check for
"from requests.auth import HTTPDigestAuth" (replace HTTPProxyAuth with
HTTPDigestAuth) so the matcher consistently detects HTTPDigestAuth(...) calls
and their string argument checks.

In `@rules/rust/security/empty-password-rust.yml`:
- Around line 401-465: The rule currently references the non-existent symbol
PgConnectOption and PgConnectOption::new which will miss matches; update all
occurrences to PgConnectOptions and PgConnectOptions::new (including the matcher
name PgConnectOption_new_password_with_Instance and any regexes like
^PgConnectOption$ or ^PgConnectOption::new$) so the rule, its regexes and the
let/call_expression checks target the real sqlx type/constructor
PgConnectOptions/PgConnectOptions::new; apply the same change at the other
occurrence noted (around line 1051) so both rule instances use the correct
pluralized identifier.

In `@rules/rust/security/hardcoded-password-rust.yml`:
- Around line 394-458: The rule PgConnectOption_new_password_with_Instance is
matching the wrong constructor name; update the internal regex that currently
matches ^PgConnectOption::new$ to ^PgConnectOptions::new$ so the matcher finds
sqlx’s constructor; keep the rule key PgConnectOption_new_password_with_Instance
unchanged and only modify the constructor regex in the call_expression check
that references PgConnectOption::new.

In `@rules/typescript/security/node-rsa-weak-key-typescript.yml`:
- Line 1059: The regex value currently set as "node-forgeo" is misspelled and
will never match real imports; update the regex entries that contain regex:
^node-forgeo$ (both occurrences) to regex: ^node-forge$ so the rule correctly
matches the "node-forge" module imports; search for the exact symbol string
"regex: ^node-forgeo$" and replace it with "regex: ^node-forge$" in both places
(the occurrences near the current diff).

---

Nitpick comments:
In `@rules/cpp/security/string-view-temporary-string-cpp.yml`:
- Around line 918-919: Remove the duplicate matcher entry in the any: list —
both entries referencing VAR_instance_EXPR_instance_substr are redundant; edit
the rule's any: block to keep a single VAR_instance_EXPR_instance_substr line
and delete the other so the matcher appears only once.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Central YAML (base), Repository UI (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 30e7051e-f976-4061-aaf1-e8af02829e8c

📥 Commits

Reviewing files that changed from the base of the PR and between 7312010 and 1dd2928.

📒 Files selected for processing (80)
  • rules/c/security/file-access-before-action-c.yml
  • rules/c/security/file-stat-before-action-c.yml
  • rules/c/security/insecure-hash-c.yml
  • rules/c/security/world-writable-file-c.yml
  • rules/cpp/security/file-access-before-action-cpp.yml
  • rules/cpp/security/file-stat-before-action-cpp.yml
  • rules/cpp/security/string-view-temporary-string-cpp.yml
  • rules/cpp/security/world-writable-file-cpp.yml
  • rules/csharp/security/jwt-decode-without-verify-csharp.yml
  • rules/csharp/security/jwt-hardcoded-secret-csharp.yml
  • rules/csharp/security/networkcredential-hardcoded-secret-python.yml
  • rules/csharp/security/npgsqlconnectionstringbuilder-hardcoded-secret-csharp.yml
  • rules/csharp/security/oracleconnectionstringbuilder-hardcoded-secret-csharp.yml
  • rules/csharp/security/sqlconnectionstringbuilder-hardcoded-secret-csharp.yml
  • rules/csharp/security/stacktrace-disclosure-csharp.yml
  • rules/go/security/openai-empty-secret-go.yml
  • rules/go/security/openai-hardcoded-secret-go.yml
  • rules/java/security/datanucleus-hardcoded-connection-password-java.yml
  • rules/java/security/drivermanager-hardcoded-secret-java.yml
  • rules/java/security/hardcoded-connection-password-java.yml
  • rules/java/security/hardcoded-secret-in-credentials-java.yml
  • rules/java/security/java-jwt-hardcoded-secret-java.yml
  • rules/java/security/jedis-jedisclientconfig-hardcoded-password-java.yml
  • rules/java/security/jedis-jedisfactory-hardcoded-password-java.yml
  • rules/java/security/missing-httponly-java.yml
  • rules/java/security/missing-secure-java.yml
  • rules/java/security/use-of-rc2-java.yml
  • rules/java/security/use-of-sha1-java.yml
  • rules/php/security/openssl-cbc-static-iv-php.yml
  • rules/python/security/avoid_app_run_with_bad_host-python.yml
  • rules/python/security/debug-enabled-python.yml
  • rules/python/security/hashids-with-django-secret-python.yml
  • rules/python/security/hashids-with-flask-secret-python.yml
  • rules/python/security/insecure-cipher-algorithm-rc4-python.yml
  • rules/python/security/python-elasticsearch-hardcoded-bearer-auth-python.yml
  • rules/python/security/python-ldap3-empty-password-python.yml
  • rules/python/security/python-peewee-mysql-empty-password-python.yml
  • rules/python/security/python-peewee-mysql-hardcoded-secret-python.yml
  • rules/python/security/python-peewee-pg-empty-password-python.yml
  • rules/python/security/python-peewee-pg-hardcoded-secret-python.yml
  • rules/python/security/python-pg8000-empty-password-python.yml
  • rules/python/security/python-pg8000-hardcoded-secret-python.yml
  • rules/python/security/python-psycopg2-empty-password-python.yml
  • rules/python/security/python-psycopg2-hardcoded-secret-python.yml
  • rules/python/security/python-pymongo-empty-password-python.yml
  • rules/python/security/python-pymongo-hardcoded-secret-python.yml
  • rules/python/security/python-pymssql-empty-password-python.yml
  • rules/python/security/python-pymssql-hardcoded-secret-python.yml
  • rules/python/security/python-pymysql-empty-password-python.yml
  • rules/python/security/python-pymysql-hardcoded-secret-python.yml
  • rules/python/security/python-redis-empty-password-python.yml
  • rules/python/security/python-redis-hardcoded-secret-python.yml
  • rules/python/security/python-requests-empty-password-python.yml
  • rules/python/security/python-requests-hardcoded-secret-python.yml
  • rules/python/security/python-requests-oauth-hardcoded-secret-python.yml
  • rules/python/security/python-tormysql-empty-password-python.yml
  • rules/python/security/python-tormysql-hardcoded-secret-python.yml
  • rules/python/security/python-urllib3-hardcoded-secret-python.yml
  • rules/python/security/python-webrepl-empty-password-python.yml
  • rules/python/security/python-webrepl-hardcoded-secret-python.yml
  • rules/ruby/security/force-ssl-false-ruby.yml
  • rules/ruby/security/hardcoded-secret-rsa-passphrase-ruby.yml
  • rules/ruby/security/insufficient-rsa-key-size-ruby.yml
  • rules/ruby/security/ruby-aws-sdk-hardcoded-secret-ruby.yml
  • rules/ruby/security/ruby-cassandra-empty-password-ruby.yml
  • rules/ruby/security/ruby-cassandra-hardcoded-secret-ruby.yml
  • rules/ruby/security/ruby-excon-hardcoded-secret-ruby.yml
  • rules/ruby/security/ruby-faraday-hardcoded-secret-ruby.yml
  • rules/ruby/security/ruby-mysql2-empty-password-ruby.yml
  • rules/ruby/security/ruby-mysql2-hardcoded-secret-ruby.yml
  • rules/ruby/security/ruby-octokit-hardcoded-secret-ruby.yml
  • rules/ruby/security/ruby-pg-empty-password-ruby.yml
  • rules/ruby/security/ruby-pg-hardcoded-secret-ruby.yml
  • rules/ruby/security/ruby-redis-empty-password-ruby.yml
  • rules/ruby/security/ruby-redis-hardcoded-secret-ruby.yml
  • rules/rust/security/empty-password-rust.yml
  • rules/rust/security/hardcoded-password-rust.yml
  • rules/rust/security/postgres-empty-password-rust.yml
  • rules/rust/security/secrets-reqwest-hardcoded-auth-rust.yml
  • rules/typescript/security/node-rsa-weak-key-typescript.yml
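The regex findings in this review (a stray 6 in place of ^, a missing $, a missing ^, and a misspelled module name) are all one class of mistake in a |-separated identifier regex: an alternative that is unanchored, or that cannot match any name the rule is meant to catch. The lint below is an added example, not the project's code and not how ast-grep validates rules; it takes a regex: value and a list of intended callee spellings and reports, per alternative, missing anchors and alternatives that match none of the names. The two regex strings are the ones quoted in the proposed fixes above; the list of intended names is constructed, and in practice would come from the rule's positive test cases. It also reports unescaped dots separately, since those over-match rather than miss.

```python
import re
from typing import Dict, List

# Regex strings as quoted in the proposed fixes above: the buggy form and the
# corrected form from the hardcoded-secret hunk.
PEEWEE_REGEX_BEFORE = (
    "^PostgresqlDatabase$|6peewee.PostgresqlDatabase$|^PostgresqlExtDatabase|"
    "playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|"
    "^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|"
    "^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|"
    "^playhouse.cockroachdb.PooledCockroachDatabase$"
)
PEEWEE_REGEX_AFTER = (
    "^PostgresqlDatabase$|^peewee.PostgresqlDatabase$|^PostgresqlExtDatabase$|"
    "^playhouse.postgres_ext.PostgresqlExtDatabase$|^PooledPostgresqlDatabase$|"
    "^playhouse.pool.PooledPostgresqlDatabase$|^CockroachDatabase$|"
    "^playhouse.cockroachdb.CockroachDatabase$|^PooledCockroachDatabase$|"
    "^playhouse.cockroachdb.PooledCockroachDatabase$"
)

# Constructed list of callee spellings the peewee rules are meant to detect.
PEEWEE_TARGETS = [
    "PostgresqlDatabase", "peewee.PostgresqlDatabase",
    "PostgresqlExtDatabase", "playhouse.postgres_ext.PostgresqlExtDatabase",
    "PooledPostgresqlDatabase", "playhouse.pool.PooledPostgresqlDatabase",
    "CockroachDatabase", "playhouse.cockroachdb.CockroachDatabase",
    "PooledCockroachDatabase", "playhouse.cockroachdb.PooledCockroachDatabase",
]


def lint_regex(regex: str, targets: List[str]) -> Dict[str, List[str]]:
    """Check each |-alternative for both anchors and for matching at least one
    intended name. Assumes a flat alternation with no groups, which is how the
    rules quoted above are written."""
    findings: Dict[str, List[str]] = {}
    for alt in regex.split("|"):
        problems: List[str] = []
        if not alt.startswith("^"):
            problems.append("missing ^ anchor")
        if not alt.endswith("$"):
            problems.append("missing $ anchor")
        try:
            pat = re.compile(alt)
        except re.error as exc:
            problems.append(f"invalid regex: {exc}")
        else:
            # A dead alternative: it cannot hit any name the rule exists for.
            if not any(pat.search(t) for t in targets):
                problems.append("matches none of the intended names")
        if problems:
            findings[alt] = problems
    return findings


def unescaped_dots(regex: str) -> List[str]:
    """Alternatives whose '.' is unescaped and so matches any character; an
    over-match rather than a miss, reported separately as informational."""
    return [alt for alt in regex.split("|") if re.search(r"(?<!\\)\.", alt)]


if __name__ == "__main__":
    for label, rx in (("before", PEEWEE_REGEX_BEFORE), ("after", PEEWEE_REGEX_AFTER)):
        print(label, lint_regex(rx, PEEWEE_TARGETS))
    print("node-forge", lint_regex("^node-forgeo$", ["node-forge"]))
    print("unescaped dots after fix:", unescaped_dots(PEEWEE_REGEX_AFTER))
```

Run across every regex: value in rules/** with the targets taken from each rule's test file, this turns the three findings above into a pre-commit check rather than something a reviewer has to spot by eye.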
