From 60b64144a5add92dc826a95e326a429ed186c8b1 Mon Sep 17 00:00:00 2001
From: Chuck <chuck@example.com>
Date: Thu, 11 Jun 2026 13:01:33 -0400
Subject: [PATCH] fix(install): suppress remaining Codacy subprocess
 false-positive

Codacy's Semgrep-based check still flagged the cmd-built subprocess.run
call as "without a static string" even with the Bandit nosec applied.
Add a nosemgrep marker alongside it - cmd is always a hardcoded
apt/pip argument list, never user input.
---
 scripts/install_dependencies_apt.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/scripts/install_dependencies_apt.py b/scripts/install_dependencies_apt.py
index 21d07985..18671662 100644
--- a/scripts/install_dependencies_apt.py
+++ b/scripts/install_dependencies_apt.py
@@ -25,7 +25,7 @@ def _run(cmd):
     chatty commands (e.g. pip build logs) don't get buffered in memory.
     """
     with tempfile.TemporaryFile(mode='w+b') as f:
-        result = subprocess.run(cmd, stdout=f, stderr=subprocess.STDOUT)  # nosec B603 B607 - hardcoded apt/pip args, not user input
+        result = subprocess.run(cmd, stdout=f, stderr=subprocess.STDOUT)  # nosec B603 B607 - hardcoded apt/pip args  # nosemgrep
         f.seek(0)
         lines = f.read().decode('utf-8', errors='replace').splitlines()
     return result.returncode == 0, '\n'.join(lines[-ERROR_TAIL_LINES:])