
fixed migrate_via_ssm.sh script#49

Merged
NickSavino merged 1 commit into main from hotfix/cloud-migrations-script-fail
Feb 4, 2026

Conversation

@NickSavino
Contributor

@NickSavino NickSavino commented Feb 4, 2026

PR Type

Bug fix


Description

  • Fixed shell variable escaping in docker run command

  • Corrected double backslash to single backslash before $DBURL variable

  • Ensures proper variable substitution in SSM migration script


Diagram Walkthrough

flowchart LR
  A["Incorrect escaping<br/>\\\\$DBURL"] -- "Fix to" --> B["Correct escaping<br/>\\$DBURL"]
  B -- "Enables" --> C["Proper variable<br/>substitution"]

File Walkthrough

Relevant files
Bug fix
migrate_via_ssm.sh
Fix DBURL variable escaping in docker command                       

scripts/ci/migrate_via_ssm.sh

  • Fixed shell variable escaping in the docker run command
  • Changed "\\$DBURL" to "\$DBURL" to ensure proper variable substitution
  • Corrects the GOOSE_DBSTRING environment variable assignment for
    database migrations
+1/-1     

@coderabbitai

coderabbitai bot commented Feb 4, 2026

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Note

🎁 Summarized by CodeRabbit Free

Your organization is on the Free plan. CodeRabbit will generate a high-level summary and a walkthrough for each pull request. For a comprehensive line-by-line review, please upgrade your subscription to CodeRabbit Pro by visiting https://app.coderabbit.ai/login.

Comment @coderabbitai help to get the list of available commands and usage tips.

@qodo-code-review

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Secret exposure risk

Description: The decrypted database URL fetched from SSM (DBURL) is passed into docker run as an
environment variable (GOOSE_DBSTRING), which can be exposed to other privileged
users/processes on the host via Docker inspection/metadata and logs, so secret-handling
controls should be verified.
migrate_via_ssm.sh [20-22]

Referred Code
"DBURL=\$(aws ssm get-parameter --region $AWS_REGION --with-decryption --name /cgc-2026-prod/api/database_url --query Parameter.Value --output text)",
"sudo docker pull $MIGRATOR_IMAGE_URI",
"sudo docker run --rm -e GOOSE_DRIVER=postgres -e GOOSE_DBSTRING=\"\$DBURL\" $MIGRATOR_IMAGE_URI -dir ./db/migrations up"
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined

Follow the guide to enable codebase context checks.

Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status:
Secret exposure risk: The new docker run command expands "$DBURL" into the command line, which may be
captured in SSM command output/logs or visible via process listings, potentially exposing
the database URL.

Referred Code
    "sudo docker run --rm -e GOOSE_DRIVER=postgres -e GOOSE_DBSTRING=\"\$DBURL\" $MIGRATOR_IMAGE_URI -dir ./db/migrations up"
]


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Sensitive data handling: The change causes the decrypted SSM parameter value (DBURL) to be interpolated into a
command argument, so confirm the execution environment prevents leakage of sensitive
values (e.g., SSM logging redaction, restricted process visibility).

Referred Code
    "sudo docker run --rm -e GOOSE_DRIVER=postgres -e GOOSE_DBSTRING=\"\$DBURL\" $MIGRATOR_IMAGE_URI -dir ./db/migrations up"
]


Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@qodo-code-review

PR Code Suggestions ✨

Explore these optional code suggestions:

Category | Suggestion | Impact
Possible issue
Validate DBURL before migration

Add a check to ensure the DBURL variable is not empty after fetching it from AWS
SSM, and exit with an error if the retrieval failed.

scripts/ci/migrate_via_ssm.sh [20-22]

 "DBURL=$(aws ssm get-parameter --region $AWS_REGION --with-decryption --name /cgc-2026-prod/api/database_url --query Parameter.Value --output text)",
+"if [ -z \"\$DBURL\" ]; then echo 'ERROR: DBURL retrieval failed'; exit 1; fi",
 "sudo docker run --rm -e GOOSE_DRIVER=postgres -e GOOSE_DBSTRING=\"\$DBURL\" $MIGRATOR_IMAGE_URI -dir ./db/migrations up"
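Review bot: the context line of this hunk shows `DBURL=$(aws ssm get-parameter ...)` with an unescaped `$(`, whereas the referred code elsewhere in this PR reads `DBURL=\$(aws ssm get-parameter ...)`; with the unescaped form the CI runner would perform the SSM lookup itself and embed the decrypted value into the command string sent to the instance, so the guard should be applied against the `\$(` form. The emptiness check itself is sound; writing the message to stderr (`echo 'ERROR: DBURL retrieval failed' >&2`) would keep it apart from normal output in the SSM command log.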
Suggestion importance[1-10]: 7


Why: The suggestion correctly identifies a potential failure point and proposes a robust check to ensure the DBURL is successfully retrieved, which improves the script's reliability.

Medium
General
Quote image URI

Quote the $MIGRATOR_IMAGE_URI variable in the docker run command to prevent
issues if the URI contains whitespace or special characters.

scripts/ci/migrate_via_ssm.sh [22]

-"sudo docker run --rm -e GOOSE_DRIVER=postgres -e GOOSE_DBSTRING=\"\$DBURL\" $MIGRATOR_IMAGE_URI -dir ./db/migrations up"
+"sudo docker run --rm -e GOOSE_DRIVER=postgres -e GOOSE_DBSTRING=\"\$DBURL\" \"$MIGRATOR_IMAGE_URI\" -dir ./db/migrations up"
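Review bot: the quotes added around `$MIGRATOR_IMAGE_URI` take effect on the instance, not in CI, because the variable has no backslash and is expanded by the CI shell before the string is sent; the remote shell then re-parses the already-expanded URI, and the quotes stop it from word-splitting that value. Double quotes still leave `$`, backtick and `"` live in the remote shell, so this protects against whitespace rather than making an untrusted URI safe; since the URI comes from CI configuration that is acceptable, and the "Low" rating is reasonable, but the rationale should say so.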
Suggestion importance[1-10]: 4


Why: The suggestion is a good practice for shell scripting, but an ECR image URI is unlikely to contain spaces or special characters, making the impact of this change minor.

Low
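Worked example, added here; it is not the project's migrate_via_ssm.sh and not either bot's suggestion. It covers the escaping fix from the description, the argv exposure the compliance guide raises, and the empty-DBURL guard suggested above, by modelling the two shells involved: the CI shell that builds the command string, and the shell on the instance where SSM runs it. The image URI and the DSN are constructed values, a stub stands in for `sudo docker run` so nothing needs Docker or AWS, and the hardened variant assumes docker's `-e NAME` environment passthrough and a sudoers policy that allows `--preserve-env=GOOSE_DBSTRING`.

```shell
#!/bin/sh
# Added example, not the project's script. Two shells are involved in the real
# script: the CI shell BUILDS the command string, the remote shell on the
# instance RUNS it via SSM. Whatever the local shell expands is fixed at build
# time; "\$" survives as "$" so the remote shell expands it against its own
# DBURL. The image URI and DSN below are constructed, non-secret values.

MIGRATOR_IMAGE_URI="123456789012.dkr.ecr.us-east-1.amazonaws.com/migrator:example"  # constructed

# Pre-fix rendering: "\\" becomes one literal backslash and then $DBURL is
# expanded LOCALLY (unset in CI), so the remote receives GOOSE_DBSTRING="\" ...
# with an unterminated quote.
buggy_remote_cmd() {
  printf '%s' "sudo docker run --rm -e GOOSE_DRIVER=postgres -e GOOSE_DBSTRING=\"\\$DBURL\" $MIGRATOR_IMAGE_URI -dir ./db/migrations up"
}

# Post-fix rendering (what this PR ships): "\$" keeps the dollar sign, so the
# remote shell expands "$DBURL" inside double quotes, safe from word splitting.
fixed_remote_cmd() {
  printf '%s' "sudo docker run --rm -e GOOSE_DRIVER=postgres -e GOOSE_DBSTRING=\"\$DBURL\" $MIGRATOR_IMAGE_URI -dir ./db/migrations up"
}

# Variant that keeps the DSN out of argv: docker's "-e NAME" with no value
# copies NAME from the client's environment, so the value is not in "ps" or in
# the stored SSM command. Assumes sudoers permits preserving that variable.
# (docker inspect on the host still shows the container env either way.)
hardened_remote_cmd() {
  printf '%s' "GOOSE_DBSTRING=\"\$DBURL\" sudo --preserve-env=GOOSE_DBSTRING docker run --rm -e GOOSE_DRIVER=postgres -e GOOSE_DBSTRING $MIGRATOR_IMAGE_URI -dir ./db/migrations up"
}

# Guard from the review suggestion, rendered for the remote shell.
guard_remote_cmd() {
  printf '%s' "if [ -z \"\$DBURL\" ]; then echo 'ERROR: DBURL retrieval failed' >&2; exit 1; fi"
}

# Runs the guard in a fresh shell with DBURL set to $1; returns its exit status.
remote_guard_passes() {
  sh -c "DBURL='$1'; $(guard_remote_cmd)" 2>/dev/null
}

# Local check: does the rendered string still carry a literal "$DBURL" for the
# remote shell to expand? Returns 0 if so.
keeps_dburl_for_remote() {
  case "$1" in *'GOOSE_DBSTRING="$DBURL"'*) return 0 ;; *) return 1 ;; esac
}

# Stub standing in for "docker run" on the instance: prints the value that
# would reach the container as GOOSE_DBSTRING, from "-e NAME=VALUE" or from
# the environment-passthrough form "-e NAME".
stub_docker_run() {
  while [ $# -gt 0 ]; do
    case "$1" in
      -e)
        case "$2" in
          GOOSE_DBSTRING=*) printf '%s' "${2#GOOSE_DBSTRING=}" ;;
          GOOSE_DBSTRING)   printf '%s' "$GOOSE_DBSTRING" ;;
        esac
        shift 2 ;;
      *) shift ;;
    esac
  done
}

# Simulated remote side: $1 is the DBURL the instance fetched from SSM, $2 the
# rendered command. Only the fixed/hardened strings are valid shell; the buggy
# one is never eval'd because its quoting is unterminated.
simulate_remote() {
  DBURL="$1"
  cmd="$(printf '%s' "$2" | sed 's/sudo.*docker run --rm/stub_docker_run/')"
  eval "$cmd"
}

demo() {
  dsn='postgres://app:example-password@db.internal:5432/app?sslmode=require'  # constructed
  echo "buggy : $(buggy_remote_cmd)"
  echo "fixed : $(fixed_remote_cmd)"
  echo "remote container sees: $(simulate_remote "$dsn" "$(fixed_remote_cmd)")"
}
demo
```

Run it with `sh`; the demo prints the buggy and fixed renderings and what the container would receive. The buggy rendering ends up as `GOOSE_DBSTRING="\"` because the CI shell consumed the double backslash and expanded an unset `$DBURL` locally, which is exactly the failure the hotfix removes.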

@NickSavino NickSavino merged commit fc80a74 into main Feb 4, 2026
1 check passed
@NickSavino NickSavino deleted the hotfix/cloud-migrations-script-fail branch February 4, 2026 04:08