This is a finding from https://github.com/krokoko/cairn (action item CA-09).
Component
Tooling / CI
Describe the feature
Add custom semgrep rules for silent-success masking — the dangerous AI004 variant that bare-except rules do not catch. Target patterns where a failure is swallowed and a plausible-but-empty default is returned, e.g.:
- `catch (...) { return [] }` / `return null` / `return {}`
- default-substitution-on-failure (returning a fallback value in a catch/except instead of surfacing the error)
Emit SARIF so findings are agent-routable (file / line / rule / fix).
Use case
The current gates catch bare-except (ruff E722/B) and empty catches — the report found 0 empty catches and 0 `except: pass`. But the more dangerous fail-fast violation, silently returning a plausible default on failure, has no detector. This is exactly the kind of error handling that hides failures from the right actor and lets plausible-but-wrong agent code through (AI004). It compounds with AI001: a swallowed failure plus a fabricated happy path produces a green run that proves nothing.
Proposed solution
- Author semgrep rules matching silent-success masking in TS (`catch { return []|null|{} }`) and Python (`except ...: return <empty/default>`).
- Tune with an allowlist for legitimate fallback sites.
- Emit SARIF; wire into the security suite output (pairs with CA-06).
- Start advisory, then make blocking once the baseline is clean.
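A reference detector for the Python side of the proposed rule, added here as an example (it is not semgrep and not code from the cairn project): it uses the stdlib `ast` module to show the exact shape the rule must match (an except handler whose last statement returns `[]`, `()`, `{}`, `None`, `""`, `0` or `False`, so a handler that logs and then returns a default is still flagged), honours a `# fallback-ok` allowlist comment on the `except` line, and emits a minimal SARIF 2.1.0 log with file / line / rule. `RULE_ID`, the `# fallback-ok` marker and the sample source are assumptions constructed for this example.

```python
import ast

RULE_ID = "AI004-silent-success-masking"  # hypothetical rule id, not from the report

def _is_empty_default(node):
    """Bare `return`, or a plausible-but-empty literal: [] () {} None "" 0 False."""
    if isinstance(node, (ast.List, ast.Tuple, ast.Dict)):
        return not (node.keys if isinstance(node, ast.Dict) else node.elts)
    return node is None or (isinstance(node, ast.Constant)
                            and node.value in (None, "", 0, False))

def find_masked_failures(source, path="sample.py"):
    """One finding per except-handler whose last statement returns an empty default."""
    lines, findings = source.splitlines(), []
    for node in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.ExceptHandler)):
        if "# fallback-ok" in lines[node.lineno - 1]:  # allowlist: legitimate fallback site
            continue
        last = node.body[-1]  # a handler that logs and then returns [] still masks
        if isinstance(last, ast.Return) and _is_empty_default(last.value):
            findings.append({"path": path, "line": last.lineno,
                             "text": "failure swallowed; empty default returned"})
    return findings

def to_sarif(findings, tool="masking-check"):
    """Minimal SARIF 2.1.0 log: file / line / rule per finding, for agent routing."""
    results = [{"ruleId": RULE_ID, "level": "warning", "message": {"text": f["text"]},
                "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["path"]},
                                                    "region": {"startLine": f["line"]}}}]}
               for f in findings]
    return {"version": "2.1.0", "runs": [{"tool": {"driver": {"name": tool}}, "results": results}]}

# Constructed sample: a masked failure (`return []` on line 5), an allowlisted
# fallback, and a handler that re-raises and must not be flagged.
SAMPLE = """\
def load_users(path):
    try:
        return open(path).read().splitlines()
    except OSError:
        return []
def parse_port(raw):
    try:
        return int(raw)
    except ValueError:  # fallback-ok
        return None
def load_config(path):
    try:
        return open(path).read()
    except OSError as exc:
        raise RuntimeError("config unreadable: " + path) from exc
"""
```

Running `find_masked_failures(SAMPLE)` yields exactly one finding, at line 5; `to_sarif` wraps it in the structure a SARIF consumer in the security suite would read.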
Acceptance criteria
- `catch { return []|null|{} }` (TS) and equivalent default-substitution-on-failure (Py).
Other information
Source report: `ai-smells-gates-report.md` (AI004 — "No silent-success-masking detection"; Quick wins #2). Effort: S. Per ADR-003 this issue needs the `approved` label before work begins.