Skip to content

🔒 Security Auto-Fix: CodeQL Alerts #37

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
xaostech merged 1 commit into from
Feb 21, 2026
Merged

🔒 Security Auto-Fix: CodeQL Alerts #37

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 15 additions & 15 deletions .github/workflows/anglicise.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -309,8 +309,8 @@ jobs:
! -path "./license-templates/*" \
2>/dev/null | sort)

echo "## British English Spelling Check" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "## British English Spelling Check" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "🔍 Checking $(echo "$FILES" | wc -l) files for American spellings..." | tee -a $GITHUB_STEP_SUMMARY
echo ""

Expand Down Expand Up @@ -358,21 +358,21 @@ jobs:
echo ""
if [[ $ISSUES_FOUND -gt 0 ]]; then
echo "❌ Found $ISSUES_FOUND American spelling(s) in ${#FILES_TO_FIX[@]} file(s)"
echo "" >> $GITHUB_STEP_SUMMARY
echo "❌ **Found $ISSUES_FOUND American spelling(s) to convert**" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Location | American 🇺🇸 | British 🇬🇧 | Pattern |" >> $GITHUB_STEP_SUMMARY
echo "|----------|-------------|------------|---------|" >> $GITHUB_STEP_SUMMARY
echo "$ISSUE_OUTPUT" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "🔧 **A pull request will be created with automatic fixes.**" >> $GITHUB_STEP_SUMMARY
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "❌ **Found $ISSUES_FOUND American spelling(s) to convert**" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "| Location | American 🇺🇸 | British 🇬🇧 | Pattern |" >> "$GITHUB_STEP_SUMMARY"
echo "|----------|-------------|------------|---------|" >> "$GITHUB_STEP_SUMMARY"
echo "$ISSUE_OUTPUT" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "🔧 **A pull request will be created with automatic fixes.**" >> "$GITHUB_STEP_SUMMARY"

echo "needs_fix=true" >> $GITHUB_OUTPUT
echo "needs_fix=true" >> "$GITHUB_OUTPUT"
else
echo "✅ All spellings conform to British English standards."
echo "" >> $GITHUB_STEP_SUMMARY
echo "✅ **All spellings conform to British English standards.**" >> $GITHUB_STEP_SUMMARY
echo "needs_fix=false" >> $GITHUB_OUTPUT
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "✅ **All spellings conform to British English standards.**" >> "$GITHUB_STEP_SUMMARY"
echo "needs_fix=false" >> "$GITHUB_OUTPUT"
fi

- name: Apply British English fixes
Expand Down Expand Up @@ -538,4 +538,4 @@ jobs:
--head "$BRANCH_NAME" \
--label "automerge"

echo "✅ Pull request created successfully"
echo "✅ Pull request created successfully"
21 changes: 10 additions & 11 deletions .github/workflows/automerge.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,7 +73,7 @@ jobs:
id: extract
run: |
if [ ! -f pr-validation.zip ]; then
echo "should_merge=false" >> $GITHUB_OUTPUT
echo "should_merge=false" >> "$GITHUB_OUTPUT"
exit 0
fi

Expand All @@ -83,29 +83,29 @@ jobs:
# Verify artifact contains numeric PR number
if [ ! -f pr-validation/NUMBER ]; then
echo "❌ Missing PR number in validation artifact"
echo "should_merge=false" >> $GITHUB_OUTPUT
echo "should_merge=false" >> "$GITHUB_OUTPUT"
exit 0
fi

PR_NUMBER=$(cat pr-validation/NUMBER)
if ! [[ "$PR_NUMBER" =~ ^[0-9]+$ ]]; then
echo "❌ Invalid PR number: $PR_NUMBER"
echo "should_merge=false" >> $GITHUB_OUTPUT
echo "should_merge=false" >> "$GITHUB_OUTPUT"
exit 0
fi

echo "pr_number=$PR_NUMBER" >> $GITHUB_OUTPUT
echo "should_merge=true" >> $GITHUB_OUTPUT
echo "head_sha=$(cat pr-validation/HEAD_SHA)" >> $GITHUB_OUTPUT
echo "base_ref=$(cat pr-validation/BASE_REF)" >> $GITHUB_OUTPUT
echo "head_label=$(cat pr-validation/HEAD_LABEL)" >> $GITHUB_OUTPUT
echo "pr_number=$PR_NUMBER" >> "$GITHUB_OUTPUT"
echo "should_merge=true" >> "$GITHUB_OUTPUT"
echo "head_sha=$(cat pr-validation/HEAD_SHA)" >> "$GITHUB_OUTPUT"
echo "base_ref=$(cat pr-validation/BASE_REF)" >> "$GITHUB_OUTPUT"
echo "head_label=$(cat pr-validation/HEAD_LABEL)" >> "$GITHUB_OUTPUT"

# Handle multi-line PR title
{
echo 'pr_title<<EOF'
cat pr-validation/TITLE
echo EOF
} >> $GITHUB_OUTPUT
} >> "$GITHUB_OUTPUT"

echo "✅ Validated PR #$PR_NUMBER from artifact"
echo " Reason: $(cat pr-validation/REASON)"
Expand Down Expand Up @@ -333,5 +333,4 @@ jobs:
} catch (error) {
core.setFailed(`❌ Failed to merge PR #${prNumber}: ${error.message}`);
}
}

}
42 changes: 21 additions & 21 deletions .github/workflows/bash-lint-advanced.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
with:
fetch-depth: 0

Expand All @@ -61,8 +61,8 @@ jobs:
ERRORS=$(jq '[.[] | select(.level=="error")] | length' /tmp/lint/results.json 2>/dev/null || echo "0")
WARNINGS=$(jq '[.[] | select(.level=="warning")] | length' /tmp/lint/results.json 2>/dev/null || echo "0")

echo "errors=$ERRORS" >> $GITHUB_OUTPUT
echo "warnings=$WARNINGS" >> $GITHUB_OUTPUT
echo "errors=$ERRORS" >> "$GITHUB_OUTPUT"
echo "warnings=$WARNINGS" >> "$GITHUB_OUTPUT"

cat /tmp/lint/results.json

Expand Down Expand Up @@ -102,7 +102,7 @@ jobs:

- name: Suggest fixes on PR
if: github.event_name == 'pull_request' && (steps.shellcheck.outputs.errors > 0 || steps.shellcheck.outputs.warnings > 0)
uses: actions/github-script@v7
uses: actions/github-script@f28e40c7f34bde8b3046d885e986cb6290c5673b
with:
script: |
const fs = require('fs');
Expand Down Expand Up @@ -152,7 +152,7 @@ jobs:

steps:
- name: Checkout code
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
with:
fetch-depth: 0

Expand All @@ -163,7 +163,7 @@ jobs:

- name: Generate security app token
id: app_token
uses: actions/create-github-app-token@v1
uses: actions/create-github-app-token@d72941d797fd3113feb6b93fd0dec494b13a2547
with:
app-id: ${{ secrets.XSS_AI }}
private-key: ${{ secrets.XSS_PK }}
Expand All @@ -185,8 +185,8 @@ jobs:
-exec shellcheck -f json {} + > /tmp/lint/results.json 2>&1 || true

ERRORS=$(jq '[.[] | select(.level=="error")] | length' /tmp/lint/results.json 2>/dev/null || echo "0")
echo "errors=$ERRORS" >> $GITHUB_OUTPUT
[[ "$ERRORS" -gt 0 ]] && echo "has_fixes=true" >> $GITHUB_OUTPUT || echo "has_fixes=false" >> $GITHUB_OUTPUT
echo "errors=$ERRORS" >> "$GITHUB_OUTPUT"
[[ "$ERRORS" -gt 0 ]] && echo "has_fixes=true" >> "$GITHUB_OUTPUT" || echo "has_fixes=false" >> "$GITHUB_OUTPUT"

- name: Apply style fixes with shfmt
if: steps.check.outputs.has_fixes == 'true'
Expand Down Expand Up @@ -253,20 +253,20 @@ jobs:
run: |
ERRORS="${{ needs.shellcheck-analysis.outputs.errors }}"
WARNINGS="${{ needs.shellcheck-analysis.outputs.warnings }}"
echo "## 📊 Bash Linting Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Errors**: ${ERRORS:-0}" >> $GITHUB_STEP_SUMMARY
echo "**Warnings**: ${WARNINGS:-0}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Next Steps:" >> $GITHUB_STEP_SUMMARY
echo "1. Review issues in workflow annotations" >> $GITHUB_STEP_SUMMARY
echo "2. Check PR comments for detailed suggestions" >> $GITHUB_STEP_SUMMARY
echo "3. Follow linked wiki pages for explanations" >> $GITHUB_STEP_SUMMARY
echo "4. Create PR with fixes" >> $GITHUB_STEP_SUMMARY
echo "## 📊 Bash Linting Summary" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "**Errors**: ${ERRORS:-0}" >> "$GITHUB_STEP_SUMMARY"
echo "**Warnings**: ${WARNINGS:-0}" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "### Next Steps:" >> "$GITHUB_STEP_SUMMARY"
echo "1. Review issues in workflow annotations" >> "$GITHUB_STEP_SUMMARY"
echo "2. Check PR comments for detailed suggestions" >> "$GITHUB_STEP_SUMMARY"
echo "3. Follow linked wiki pages for explanations" >> "$GITHUB_STEP_SUMMARY"
echo "4. Create PR with fixes" >> "$GITHUB_STEP_SUMMARY"

# Fail if there are errors
if [[ "${ERRORS:-0}" -gt 0 ]]; then
echo "" >> $GITHUB_STEP_SUMMARY
echo "❌ **Errors found - please fix**" >> $GITHUB_STEP_SUMMARY
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "❌ **Errors found - please fix**" >> "$GITHUB_STEP_SUMMARY"
exit 1
fi
fi
30 changes: 15 additions & 15 deletions .github/workflows/bash-lint.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -44,9 +44,9 @@ jobs:
id: find_scripts
run: |
SCRIPTS=$(find . -type f -name "*.sh" ! -path "./.git/*" ! -path "./node_modules/*" ! -path "./vendor/*")
echo "scripts<<EOF" >> $GITHUB_OUTPUT
echo "$SCRIPTS" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
echo "scripts<<EOF" >> "$GITHUB_OUTPUT"
echo "$SCRIPTS" >> "$GITHUB_OUTPUT"
echo "EOF" >> "$GITHUB_OUTPUT"
echo "Script count: $(echo "$SCRIPTS" | wc -l)"

- name: Run ShellCheck on all shell scripts
Expand Down Expand Up @@ -74,17 +74,17 @@ jobs:
- name: Summary report
if: always()
run: |
echo "## Bash Linting Report" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "**Tool**: ShellCheck" >> $GITHUB_STEP_SUMMARY
echo "**Status**: ${{ job.status }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Best Practices Applied" >> $GITHUB_STEP_SUMMARY
echo "- ✓ Use \`set -e\` for error handling" >> $GITHUB_STEP_SUMMARY
echo "- ✓ Quote variables to prevent word splitting" >> $GITHUB_STEP_SUMMARY
echo "- ✓ Use \`[[ ]]\` for conditionals" >> $GITHUB_STEP_SUMMARY
echo "- ✓ Add meaningful comments" >> $GITHUB_STEP_SUMMARY
echo "- ✓ Break scripts into functions" >> $GITHUB_STEP_SUMMARY
echo "## Bash Linting Report" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "**Tool**: ShellCheck" >> "$GITHUB_STEP_SUMMARY"
echo "**Status**: ${{ job.status }}" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "### Best Practices Applied" >> "$GITHUB_STEP_SUMMARY"
echo "- ✓ Use \`set -e\` for error handling" >> "$GITHUB_STEP_SUMMARY"
echo "- ✓ Quote variables to prevent word splitting" >> "$GITHUB_STEP_SUMMARY"
echo "- ✓ Use \`[[ ]]\` for conditionals" >> "$GITHUB_STEP_SUMMARY"
echo "- ✓ Add meaningful comments" >> "$GITHUB_STEP_SUMMARY"
echo "- ✓ Break scripts into functions" >> "$GITHUB_STEP_SUMMARY"

bash-formatting:
name: Bash Code Quality
Expand Down Expand Up @@ -161,4 +161,4 @@ jobs:
echo "❌ ShellCheck failed - please fix linting errors"
exit 1
fi
echo "✅ All checks passed!"
echo "✅ All checks passed!"
6 changes: 3 additions & 3 deletions .github/workflows/central-loader.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -79,12 +79,12 @@ jobs:

steps:
- name: Checkout calling repository
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
with:
fetch-depth: 0

- name: Checkout Dev-Control templates
uses: actions/checkout@v4
uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5
with:
repository: xaoscience/dev-control
path: .dev-control-templates
Expand Down Expand Up @@ -327,4 +327,4 @@ jobs:
else
git commit -m "docs: initialise repository templates via Dev-Control"
git push
fi
fi
36 changes: 18 additions & 18 deletions .github/workflows/codeql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -70,21 +70,21 @@ jobs:

- name: Generate security summary
run: |
echo "## 🔒 CodeQL Security Analysis Complete" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Analysis Coverage:" >> $GITHUB_STEP_SUMMARY
echo "- **Auto-detected languages**: JavaScript, Python, Go, Java, C++, C#, Ruby, Swift" >> $GITHUB_STEP_SUMMARY
echo "- **Query suite**: Extended (security-and-quality)" >> $GITHUB_STEP_SUMMARY
echo "- **Schedule**: Push, PR, daily at 2 AM UTC" >> $GITHUB_STEP_SUMMARY
echo "- **Concurrency**: Cancels older scans on new push" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Complementary Security:" >> $GITHUB_STEP_SUMMARY
echo "- Shell scripts: bash-lint-advanced workflow (ShellCheck)" >> $GITHUB_STEP_SUMMARY
echo "- Dockerfile: GitHub Advanced Security scanning" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### Next Steps:" >> $GITHUB_STEP_SUMMARY
echo "1. Check the [Security tab](../../security/code-scanning?tab=alert) for results" >> $GITHUB_STEP_SUMMARY
echo "2. Review any alerts in detail" >> $GITHUB_STEP_SUMMARY
echo "3. Address discovered vulnerabilities" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "[View CodeQL Documentation](https://codeql.github.com/docs/)" >> $GITHUB_STEP_SUMMARY
echo "## 🔒 CodeQL Security Analysis Complete" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "### Analysis Coverage:" >> "$GITHUB_STEP_SUMMARY"
echo "- **Auto-detected languages**: JavaScript, Python, Go, Java, C++, C#, Ruby, Swift" >> "$GITHUB_STEP_SUMMARY"
echo "- **Query suite**: Extended (security-and-quality)" >> "$GITHUB_STEP_SUMMARY"
echo "- **Schedule**: Push, PR, daily at 2 AM UTC" >> "$GITHUB_STEP_SUMMARY"
echo "- **Concurrency**: Cancels older scans on new push" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "### Complementary Security:" >> "$GITHUB_STEP_SUMMARY"
echo "- Shell scripts: bash-lint-advanced workflow (ShellCheck)" >> "$GITHUB_STEP_SUMMARY"
echo "- Dockerfile: GitHub Advanced Security scanning" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "### Next Steps:" >> "$GITHUB_STEP_SUMMARY"
echo "1. Check the [Security tab](../../security/code-scanning?tab=alert) for results" >> "$GITHUB_STEP_SUMMARY"
echo "2. Review any alerts in detail" >> "$GITHUB_STEP_SUMMARY"
echo "3. Address discovered vulnerabilities" >> "$GITHUB_STEP_SUMMARY"
echo "" >> "$GITHUB_STEP_SUMMARY"
echo "[View CodeQL Documentation](https://codeql.github.com/docs/)" >> "$GITHUB_STEP_SUMMARY"
Loading