Closed
Description
Summary
I have cmd as a list of constant strings, not an example with input()
as the S603 doc suggests to verify, but it is still flagged as untrusted.
```python
import subprocess

git_diff = subprocess.run(["/usr/bin/git", "diff", "main", "--name-status"], check=True, capture_output=True)
```

```
$ ruff check --select S ~/ruff_bug.py
ruff_bug.py:3:12: S603 `subprocess` call: check for execution of untrusted input
```
Version
0.11.2
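
The distinction this report draws, as an added example that is not part of the original issue and not Ruff's own code: an `ast`-based check that separates `subprocess` calls whose command is a list of string literals from calls whose command contains non-literal values. The names `classify_subprocess_calls` and `is_literal_argv` and the two sample snippets are constructed for illustration; this does not reproduce how Ruff implements S603.

```python
import ast

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}

# Constructed samples: the call from this report, and a variant fed by input().
REPORTED = (
    "import subprocess\n\n"
    'git_diff = subprocess.run(["/usr/bin/git", "diff", "main", "--name-status"],'
    " check=True, capture_output=True)\n"
)
DYNAMIC = (
    "import subprocess\n"
    "branch = input()\n"
    'subprocess.run(["/usr/bin/git", "diff", branch], check=True)\n'
)


def is_literal_argv(node):
    """True if node is a list/tuple whose elements are all string literals."""
    return isinstance(node, (ast.List, ast.Tuple)) and all(
        isinstance(elt, ast.Constant) and isinstance(elt.value, str)
        for elt in node.elts
    )


def classify_subprocess_calls(source):
    """Return sorted (line, column, verdict) for each subprocess.<func>() call.

    Columns are 1-based, like Ruff's output. Only the command argument is
    inspected; shell=True and aliased imports are out of scope here.
    """
    results = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in SUBPROCESS_FUNCS
                and isinstance(func.value, ast.Name) and func.value.id == "subprocess"):
            continue
        # The command is the first positional argument or the args= keyword.
        cmd = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg == "args"), None)
        literal = cmd is not None and is_literal_argv(cmd)
        results.append((node.lineno, node.col_offset + 1,
                        "literal-argv" if literal else "dynamic-argv"))
    return sorted(results)
```

Calling `classify_subprocess_calls(REPORTED)` reports the call at line 3, column 12, the same position as the S603 diagnostic above, with the verdict `literal-argv`; the `DYNAMIC` sample is reported as `dynamic-argv`.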