From 9e1e054f056b23860f0604412114742035b32e4f Mon Sep 17 00:00:00 2001
From: alpha-nerd
Date: Sun, 24 May 2026 11:53:00 +0200
Subject: [PATCH] feat: add base_rules
---
 nyx-scan/action.yml | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/nyx-scan/action.yml b/nyx-scan/action.yml
index 03995ce..84626bb 100644
--- a/nyx-scan/action.yml
+++ b/nyx-scan/action.yml
@@ -44,7 +44,7 @@ runs:
 id: nyx
 shell: bash
 run: |
- .nyx-src/target/release/nyx scan --format json > nyx-results-raw.json 2>&1
+ .nyx-src/target/release/nyx scan --format json --quiet > nyx-results-raw.json 2>nyx-scan.stderr
 python3 -c "
 import json, os
@@ -68,8 +68,16 @@ runs:
 p = p.replace(workspace, '').lstrip('/')
 return p
+ # Taint rule ids carry a source-location suffix, e.g.
+ # 'taint-unsanitised-flow (source 401:5)'. Strip it so 'rule' and
+ # 'rule_in_file' suppressions match on the base rule id (and so the
+ # colon inside the suffix does not break the 'rule_in_file' split).
+ def base_rule(rid):
+ i = rid.find(' (source ')
+ return rid[:i] if i != -1 else rid
+
 def is_suppressed(f):
- rule_id = f.get('id', '')
+ rule_id = base_rule(f.get('id', ''))
 path = rel_path(f.get('path', ''))
 for r in rules:
 by = r.get('by', '')
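Review bot: With stderr now redirected to `nyx-scan.stderr` in the first hunk, nothing visible here prints that file, so scanner errors no longer reach the job log. GitHub runs `shell: bash` steps with `-e`, so a non-zero exit from `nyx scan` would stop the step before the Python post-processing and leave the diagnostics only in a file on the runner. If nyx instead exits 0 after a partial failure, an empty or truncated `nyx-results-raw.json` could be read as a clean scan unless the code below the hunk checks for that. Consider surfacing the file on failure, e.g. `... 2>nyx-scan.stderr || { rc=$?; cat nyx-scan.stderr >&2; exit $rc; }`, with a comment stating which nyx exit codes mean "findings" and which mean "error". The `run:` block starts and continues outside the hunk.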
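Review bot: In the second hunk `base_rule()` normalises only the finding's id inside `is_suppressed`, which changes what a suppression entry covers. An entry written with the base id now hides every taint flow of that rule (within the file, for `rule_in_file`), including flows introduced later from a different source. An entry written with the full `(source ...)` suffix will stop matching if the comparison further down, outside this hunk, uses the configured value as-is. I would pass the configured rule value through `base_rule()` as well and add a comment above `is_suppressed` such as `# NOTE: suppressions match the base rule id and are not tied to one source location`. Separately, `f.get('id', '')` returns None when the key is present with a null value, so `base_rule(f.get('id') or '')` avoids an AttributeError on `rid.find`.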