From 7d178d00fadc38d8fec646ea2081fba9fda8ca02 Mon Sep 17 00:00:00 2001 From: Kelsi Date: Fri, 20 Mar 2026 12:27:59 -0700 Subject: [PATCH] fix: exclude vendored Lua 5.1.5 from Semgrep security scan The Semgrep security scan was failing because vendored Lua 5.1.5 source uses strcpy/strncpy which are flagged as insecure C functions. These are false positives in frozen third-party code that we don't modify. Added .semgrepignore to exclude all vendored extern/ directories (lua-5.1.5, imgui, stb, vk-bootstrap, FidelityFX SDKs). --- .semgrepignore | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 .semgrepignore diff --git a/.semgrepignore b/.semgrepignore new file mode 100644 index 00000000..eb36847a --- /dev/null +++ b/.semgrepignore @@ -0,0 +1,8 @@ +# Vendored third-party code (frozen releases, not ours to modify) +extern/lua-5.1.5/ +extern/imgui/ +extern/stb_image.h +extern/stb_image_write.h +extern/vk-bootstrap/ +extern/FidelityFX-FSR2/ +extern/FidelityFX-SDK/
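Review bot: The exclusion list in the hunk silently drops all Semgrep findings for the listed directories, not just the strcpy/strncpy matches the commit message cites, so a future rule that catches a real defect in vendored code (for example a known-bad pattern in an unmaintained Lua 5.1.5 tree) will never surface; if the goal is only to quiet the insecure-C-function rules, prefer a narrower suppression (a `// nosemgrep: <rule-id>` annotation is not possible in frozen sources, but a per-rule path exclusion in the Semgrep rule config is) and keep a dependency/SCA-style check that tracks the pinned versions of these vendored releases. Two smaller points: the commit message says "exclude all vendored extern/ directories" while the file lists seven specific entries, so either the message should say "the current vendored entries" or the comment line should note that new extern/ additions must be appended here; and since this is the first `.semgrepignore` in the repository, confirm after the change that Semgrep's built-in default ignore patterns (version-control metadata, build output) are still applied, as creating a custom `.semgrepignore` has in some Semgrep versions replaced rather than extended the defaults.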