Skip to content

Potential fix for code scanning alert no. 644: Shell command built from environment values #34

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Sep 9, 2025
Merged

Potential fix for code scanning alert no. 644: Shell command built from environment values #34

merged 7 commits into from
Sep 9, 2025

Conversation

@vinod0m
Copy link
Contributor

@vinod0m vinod0m commented Aug 20, 2025

Potential fix for https://github.com/SoftwareDevLabs/SDLC_core/security/code-scanning/644

To fix the problem, we should avoid constructing the shell command as a single string and passing it to execSync, which invokes a shell and is vulnerable to misinterpretation of arguments. Instead, we should use execFileSync, which allows us to pass the command and its arguments as separate elements in an array, ensuring that each argument is interpreted literally and not subject to shell expansion or splitting. Specifically, in build/azure-pipelines/publish-types/update-types.ts, replace the use of cp.execSync on line 19 with cp.execFileSync, passing "curl" as the command and ["dtsUri", "--output", "outPath"] as the arguments array. No additional imports are needed, as child_process is already imported as cp.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

vinod0m and others added 2 commits August 20, 2025 17:17
@vinod0m @github-advanced-security
Potential fix for code scanning alert no. 644: Shell command built fr…
80cbc95 
…om environment values

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@vinod0m @github-advanced-security
Potential fix for code scanning alert no. 678: Workflow does not cont…
2b07928 
…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@vinod0m vinod0m requested a review from Copilot August 20, 2025 15:19
@vinod0m vinod0m added the bug Something isn't working label Aug 20, 2025
@vinod0m vinod0m added this to the 1st MVP milestone Aug 20, 2025
@vinod0m @github-advanced-security
Potential fix for code scanning alert no. 667: Workflow does not cont…
79d2557 
…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@vinod0m @github-advanced-security
Potential fix for code scanning alert no. 655: Workflow does not cont…
7edd90d 
…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@vinod0m vinod0m requested a review from cuietviper August 20, 2025 15:21
vinod0m and others added 3 commits August 20, 2025 17:22
@vinod0m @github-advanced-security
Potential fix for code scanning alert no. 649: Workflow does not cont…
b8f2d18 
…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@vinod0m @github-advanced-security
Potential fix for code scanning alert no. 643: Workflow does not cont…
4687cbd 
…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@vinod0m @github-advanced-security
Potential fix for code scanning alert no. 641: Workflow does not cont…
c6cc1a2 
…ain permissions

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@github-actions
Copy link
Contributor

github-actions bot commented Aug 20, 2025

@check-spelling-bot Report

🔴 Please review

See the 📂 files view, the 📜action log, or 📝 job summary for details.

Unrecognized words (24660)

Truncated, please see the job summary, log, or artifact if available.

These words are not needed and should be removed

Truncated, please see the job summary, log, or artifact if available.

Some files were automatically ignored 🙈

These sample patterns would exclude them:

(?:^|/)RECORD$
(?:^|/)REQUESTED$
(?:^|/)sample\.json$
(?:^|/)zip-safe$
/handlers/[^/]+$
/integration/api/[^/]+$
/integration/llm/[^/]+$
/llm/platforms/[^/]+$
/pipelines/[^/]+$
/prompt_engineering/[^/]+$
/retrieval/[^/]+$
/skills/[^/]+$
/tools/openapi/[^/]+$
/unit/prompts/[^/]+$
/unit/utils/[^/]+$
/vision_audio/[^/]+$
^\.venv_ci\/lib\/python3\.12\/site\-packages\/numpy\.libs/
^\.venv_ci\/lib\/python3\.12\/site\-packages\/numpy\/lib\/tests\/data/
^\.venv_ci\/lib\/python3\.12\/site\-packages\/pbr\/tests\/testpackage\/data_files/
^\.venv_ci\/lib\/python3\.12\/site\-packages\/pbr\/tests\/testpackage\/pbr_testpackage\/package_data/
^\Q.venv_ci/lib/python3.12/site-packages/_pytest/_py/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/_pytest/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/aiohappyeyeballs/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/aiohttp-3.12.15.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/aiosignal-1.4.0.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/aiosignal/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/annotated_types/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/anyio-4.10.0.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/anyio/_backends/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/anyio/_core/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/anyio/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/anyio/streams/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/attr/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/attrs/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/bandit/blacklists/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/bandit/cli/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/bandit/formatters/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/bandit/plugins/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/cachetools-5.5.2.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/certifi-2025.8.3.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/certifi/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/charset_normalizer/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/dataclasses_json/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/frozenlist-1.7.0.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/google/auth/crypt/_helpers.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/google/protobuf/compiler/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/google/protobuf/pyext/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/google/protobuf/testdata/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/google/protobuf/util/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/greenlet/platform/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/httpcore/_backends/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/httpcore/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/httpx/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/httpx_sse-0.4.1.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/httpx_sse/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/idna/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/iniconfig/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/jsonpatch-1.33.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/jsonpointer-3.0.0.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/adapters/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/agent_toolkits/clickup/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/agent_toolkits/conversational_retrieval/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/agent_toolkits/nla/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/chat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/json_chat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/openai_functions_agent/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/openai_functions_multi_agent/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/openai_tools/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/structured_chat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/tool_calling_agent/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/agents/xml/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/chains/api/openapi/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/chains/chat_vector_db/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/chains/graph_qa/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/chains/qa_generation/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/evaluation/exact_match/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/evaluation/parsing/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/evaluation/regex_match/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/retrievers/self_query/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/schema/callbacks/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/schema/callbacks/tracers/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/smith/evaluation/utils.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/tools/ainetwork/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/tools/bearly/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/tools/brave_search/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/tools/clickup/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/tools/e2b_data_analysis/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/tools/nasa/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/tools/openapi/utils/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/tools/reddit_search/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/tools/searx_search/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain/tools/youtube/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/agent_toolkits/amadeus/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/agent_toolkits/clickup/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/agent_toolkits/nla/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/agents/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/chains/openapi/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/chains/pebblo_retrieval/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/memory/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/query_constructors/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/ainetwork/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/bearly/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/brave_search/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/clickup/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/e2b_data_analysis/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/mojeek_search/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/nasa/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/openapi/utils/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/riza/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/searx_search/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_community/tools/youtube/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_core/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_google_genai/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_ollama/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/langchain_text_splitters/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/langsmith/_internal/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/langsmith/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/markdown_it/cli/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/markdown_it/common/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/marshmallow/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/multidict-6.6.4.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy-1.17.1.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/dmypy/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/plugins/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/server/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/test/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/test/meta/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/compression/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/compression/_common/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/concurrent/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/distutils/command/bdist_packager.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/email/mime/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/lib2to3/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/lib2to3/fixes/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/pydoc_data/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/urllib/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/wsgiref/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/xml/etree/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypy/typeshed/stdlib/xmlrpc/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypyc/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypyc/analysis/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypyc/codegen/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypyc/ir/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypyc/irbuild/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypyc/lower/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypyc/primitives/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypyc/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypyc/test/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/mypyc/transform/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/_core/tests/data/astype_copy.pkl\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/_core/tests/data/recarray_from_file.fits\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/_pyinstaller/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/_pyinstaller/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/core/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/core/_dtype.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/core/_dtype_ctypes.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/fft/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/fft/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/lib/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/linalg/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/ma/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/matrixlib/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/polynomial/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/random/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/random/tests/data/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/testing/_private/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/testing/_private/__init__.pyi\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/testing/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/numpy/typing/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/ollama/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/orjson/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/packaging/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pathspec/_meta.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pbr-7.0.0.dist-info/AUTHORS\E$
^\Q.venv_ci/lib/python3.12/site-packages/pbr-7.0.0.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/pbr/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pbr/_compat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pbr/cmd/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pbr/tests/_compat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pbr/tests/functional/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pbr/tests/testpackage/extra-file.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/pbr/tests/testpackage/git-extra-file.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/pbr/tests/testpackage/pbr_testpackage/extra.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_internal/operations/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_internal/operations/build/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_internal/resolution/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_internal/resolution/legacy/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_internal/resolution/resolvelib/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_internal/utils/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/cachecontrol/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/certifi/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/dependency_groups/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/distro/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/idna/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/packaging/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/platformdirs/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/pyproject_hooks/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/resolvelib/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/rich/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/truststore/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/urllib3/contrib/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pip/_vendor/urllib3/contrib/_securetransport/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pkg_resources/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pkg_resources/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pkg_resources/tests/data/my-test-package-source/setup.cfg\E$
^\Q.venv_ci/lib/python3.12/site-packages/pkg_resources/tests/data/my-test-package_unpacked-egg/my_test_package-1.0-py3.7.egg/EGG-INFO/dependency_links.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/pkg_resources/tests/data/my-test-package_unpacked-egg/my_test_package-1.0-py3.7.egg/EGG-INFO/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/pkg_resources/tests/data/my-test-package_zipped-egg/my_test_package-1.0-py3.7.egg\E$
^\Q.venv_ci/lib/python3.12/site-packages/pluggy/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/propcache-0.3.2.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/pyasn1-0.6.1.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/pydantic/_internal/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pydantic/deprecated/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pydantic/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pydantic/v1/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pydantic_core/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pydantic_settings/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/pyflakes/scripts/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pyflakes/test/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pygments/lexers/_cocoa_builtins.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pygments/lexers/_csound_builtins.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pygments/lexers/_lasso_builtins.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pygments/lexers/_scilab_builtins.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pygments/lexers/_stata_builtins.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pygments/lexers/_vim_builtins.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pygments/lexers/apdlexer.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pygments/lexers/freefem.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pygments/lexers/mosel.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/pytest/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/requests_toolbelt/auth/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/requests_toolbelt/cookies/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/requests_toolbelt/downloadutils/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/requests_toolbelt/utils/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/rich/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/ruff/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_distutils/tests/compat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_distutils/tests/test_versionpredicate.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/autocommand-2.2.2.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/backports/tarfile/compat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/importlib_metadata/compat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/importlib_metadata/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/inflect/compat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/inflect/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/jaraco.collections-5.1.0.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/jaraco.context-5.3.0.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/jaraco.functools-4.0.1.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/jaraco.text-3.12.1.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/jaraco/collections/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/jaraco/functools/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/jaraco/text/layouts.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/jaraco/text/Lorem ipsum.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/more_itertools/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/packaging/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/platformdirs/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/typeguard-4.3.0.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/typeguard/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/wheel/vendored/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/wheel/vendored/packaging/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/zipp-3.19.2.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/_vendor/zipp/compat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/compat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/tests/compat/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/tests/config/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/setuptools/tests/integration/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/sniffio-1.3.1.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/sniffio/_tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/sniffio/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/sqlalchemy-2.0.43.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/sqlalchemy/dialects/postgresql/pg_catalog.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/sqlalchemy/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/stevedore-5.4.1.dist-info/AUTHORS\E$
^\Q.venv_ci/lib/python3.12/site-packages/stevedore/example/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/stevedore/example2/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/stevedore/tests/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/stevedore/tests/extension_unimportable.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/tenacity/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/typing_inspection/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/typing_inspection/py.typed\E$
^\Q.venv_ci/lib/python3.12/site-packages/urllib3/contrib/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/wheel/vendored/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/wheel/vendored/packaging/__init__.py\E$
^\Q.venv_ci/lib/python3.12/site-packages/zstandard-0.24.0.dist-info/top_level.txt\E$
^\Q.venv_ci/lib/python3.12/site-packages/zstandard/py.typed\E$
^config/logging_config\.yaml$
^config/model_config\.yaml$
^config/prompt_templates\.yaml$
^Dockerfile$
^examples/basic_completion\.py$
^examples/chain_prompts\.py$
^examples/chat_session\.py$
^setup\.py$
^src/agents/executor\.py$
^src/agents/planner\.py$
^src/fallback/router\.py$
^src/guardrails/pii\.py$
^src/llm/schemas\.py$
^src/llm/utils\.py$
^src/memory/
^src/utils/
^test/e2e/test_full_workflow\.py$
^test/test_results/mypy_after_fix\.txt$
^test/test_results/mypy_strict\.txt$
^test/unit/llm/__init__\.py$

You should consider excluding directory paths (e.g. (?:^|/)vendor/), filenames (e.g. (?:^|/)yarn\.lock$), or file extensions (e.g. \.gz$)

You should consider adding them to:

.github/actions/spelling/excludes.txt

File matching is via Perl regular expressions.

To check these files, more of their words need to be in the dictionary than not. You can use patterns.txt to exclude portions, add items to the dictionary (e.g. by adding them to allow.txt), or fix typos.

Script unavailable

Truncated, please see the job summary, log, or artifact if available.

OR

To have the bot accept them for you, comment in the PR quoting the following line:
@check-spelling-bot apply updates.

Forbidden patterns 🙅 (42)

In order to address this, you could change the content to not match the forbidden patterns (comments before forbidden patterns may help explain why they're forbidden), add patterns for acceptable instances, or adjust the forbidden patterns themselves.

These forbidden patterns matched content:

Should be ; otherwise or . Otherwise

https://study.com/learn/lesson/otherwise-in-a-sentence.html

, [Oo]therwise\b

Should be a

\san (?=(?:[b-df-gj-np-rtv-xz]|h(?!our|sl|tml|ttp)|s(?!sh|vg))[a-z])

Should be self-signed

\bself signed\b

Complete sentences shouldn't be in the middle of another sentence as a parenthetical.

(?<!\.)(?<!\betc)\.\),

Should be cannot (or can't)

See https://www.grammarly.com/blog/cannot-or-can-not/

Don't use can not when you mean cannot. The only time you're likely to see can not written as separate words is when the word can happens to precede some other phrase that happens to start with not.
Can't is a contraction of cannot, and it's best suited for informal writing.
In formal writing and where contractions are frowned upon, use cannot.
It is possible to write can not, but you generally find it only as part of some other construction, such as not only . . . but also.

  • if you encounter such a case, add a pattern for that case to patterns.txt.
\b[Cc]an not\b(?! only\b)

In English, duplicated words are generally mistakes

There are a few exceptions (e.g. "that that").
If the highlighted doubled word pair is in:

  • code, write a pattern to mask it.
  • prose, have someone read the English before you dismiss this error.
\s([A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,})\s\g{-1}\s

Should be case-(in)sensitive

\bcase (?:in|)sensitive\b

Should probably be Otherwise,

(?<=\. )Otherwise\s

Should be macOS or Mac OS X or ...

\bMacOS\b

Should be fall back

(?<!\ba )(?<!\bthe )\bfallback(?= to(?! ask))\b

Should be preexisting

[Pp]re[- ]existing

Should be an

(?<!\b[Ii] )\bam\b

Should be (coarse|fine)-grained

\b(?:coarse|fine) grained\b

Do not use (click) here links

For more information, see:

(?i)(?:>|\[)(?:(?:click |)here|link|(?:read |)more)(?:</|\]\()

Should be GitHub

(?<![&*.]|// |\b(?:from|import|type) )\bGithub\b(?![{()])

Should only be one of a, an, or the

\b(?:(?:an?|the)\s+){2,}\b

Should be JavaScript

\bJavascript\b

Should be for its (possessive) or because it is

\bfor it(?:'s| is)\b

Should be for, for, to or to

\b(?:for to|to for)\b

Should be set up (setup is a noun / set up is a verb)

\b[Ss]etup(?= (?:an?|the)\b)

Should be nonexistent

\b[Nn]o[nt][- ]existent\b

Should be its

\bit's(?= (?:child|only purpose|own(?:er|)|parent|sibling)\b)

Should be workaround

(?:(?:[Aa]|[Tt]he|ugly)\swork[- ]around\b|\swork[- ]around\s+for)

Should be TensorFlow

\bTensorflow\b

Should be without (unless out is a modifier of the next word)

\bwith out\b(?!-)

Should be work around

\b[Ww]orkaround(?= an?\b)

Should be equals to is equal to

\bequals to\b

Should be in-depth if used as an adjective (but in depth when used as an adverb)

\bin depth\s(?!rather\b)\w{6,}

Should be prepopulate

[Pp]re[- ]populate

Should be more than or more, then

\bmore then\b

Should be preemptively

[Pp]re[- ]emptively

Should be reentrant

[Rr]e[- ]entrant

Complete sentences in parentheticals should not have a space before the period.

\s\.\)(?!.*\}\})

Should probably be ABCDEFGHIJKLMNOPQRSTUVWXYZ

(?i)(?!ABCDEFGHIJKLMNOPQRSTUVWXYZ)ABC[A-Z]{21}YZ

Should be GitLab

(?<![&*.]|// |\b(?:from|import|type) )\bGitlab\b(?![{()])

Should be log in

\blogin to the

Should be one of

(?<!-)\bon of\b

Should be rather than

\brather then\b

Should be Red Hat

\bRed[Hh]at\b

Should be regardless, ... or regardless of (whether)

\b[Rr]egardless if you\b

Should be socioeconomic

https://dictionary.cambridge.org/us/dictionary/english/socioeconomic

socio-economic

Should be neither/nor (plus rewording the beginning)

This is probably a double negative...

\bnot\b[^.?!"/(]*\bneither\b[^.?!"/(]*\bnor\b
Pattern suggestions ✂️ (30)

You could add these patterns to .github/actions/spelling/patterns/dc393fddd7c51bdc8ef1b84a4e5ce331ce5a2ea6.txt:

# Automatically suggested patterns

# hit-count: 14081 file-count: 1739
# python
\b(?i)py(?!gments|gmy|lon|ramid|ro|th)(?=[a-z]{2,})

# hit-count: 367 file-count: 320
# imports
^import\s+(?:(?:static|type)\s+|)(?:[\w.]|\{\s*\w*?(?:,\s*(?:\w*|\*))+\s*\})+

# hit-count: 355 file-count: 47
# machine learning (?)
\b(?i)ml(?=[a-z]{2,})

# hit-count: 31 file-count: 2
# numerator
\bnumer\b(?=.*denom)

# hit-count: 28 file-count: 4
# URL escaped characters
%[0-9A-F][A-F](?=[A-Za-z])

# hit-count: 27 file-count: 9
# Lorem
# Update Lorem based on your content (requires `ge` and `w` from https://github.com/jsoref/spelling; and `review` from https://github.com/check-spelling/check-spelling/wiki/Looking-for-items-locally )
# grep '^[^#].*lorem' .github/actions/spelling/patterns.txt|perl -pne 's/.*i..\?://;s/\).*//' |tr '|' "\n"|sort -f |xargs -n1 ge|perl -pne 's/^[^:]*://'|sort -u|w|sed -e 's/ .*//'|w|review -
# Warning, while `(?i)` is very neat and fancy, if you have some binary files that aren't proper unicode, you might run into:
# ... Operation "substitution (s///)" returns its argument for non-Unicode code point 0x1C19AE (the code point will vary).
# ... You could manually change `(?i)X...` to use `[Xx]...`
# ... or you could add the files to your `excludes` file (a version after 0.0.19 should identify the file path)
(?:(?:\w|\s|[,.])*\b(?i)(?:amet|consectetur|cursus|dolor|eros|ipsum|lacus|libero|ligula|lorem|magna|neque|nulla|suscipit|tempus)\b(?:\w|\s|[,.])*)

# hit-count: 23 file-count: 5
# perl qr regex
(?<!\$)\bqr(?:\{.*?\}|<.*?>|\(.*?\)|([|!/@#,;']).*?\g{-1})

# hit-count: 19 file-count: 5
# lower URL escaped characters
%[0-9a-f][a-f](?=[a-z]{2,})

# hit-count: 14 file-count: 3
# container images
image: [-\w./:@]+

# hit-count: 13 file-count: 1
# '/"
\\\([ad]q

# hit-count: 6 file-count: 6
# JavaScript regular expressions
# javascript test regex
/.{3,}/[gim]*\.test\(

# hit-count: 6 file-count: 1
# https://www.gnu.org/software/groff/manual/groff.html
# man troff content
\\f[BCIPR]

# hit-count: 5 file-count: 3
# bearer auth
(['"])[Bb]ear[e][r] .{3,}?\g{-1}

# hit-count: 5 file-count: 1
# GitHub SHAs (markdown)
(?:\[`?[0-9a-f]+`?\]\(https:/|)/(?:www\.|)github\.com(?:/[^/\s"]+){2,}(?:/[^/\s")]+)(?:[0-9a-f]+(?:[-0-9a-zA-Z/#.]*|)\b|)

# hit-count: 4 file-count: 4
# node packages
(["'])@[^/'" ]+/[^/'" ]+\g{-1}

# hit-count: 4 file-count: 3
# data url
\bdata:[-a-zA-Z=;:/0-9+]*,\S*

# hit-count: 3 file-count: 3
# https/http/file urls
(?:\b(?:https?|ftp|file)://)[-A-Za-z0-9+&@#/*%?=~_|!:,.;]+[-A-Za-z0-9+&@#/*%=~_|]

# hit-count: 3 file-count: 2
# data url in quotes
([`'"])data:(?:[^ `'"].*?|)(?:[A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,}).*\g{-1}

# hit-count: 3 file-count: 2
# assign regex
= /[^*].*?(?:[a-z]{3,}|[A-Z]{3,}|[A-Z][a-z]{2,}).*/[gim]*(?=\W|$)

# hit-count: 2 file-count: 2
# configure flags
.* \| --\w{2,}.*?(?=\w+\s\w+)

# hit-count: 2 file-count: 1
# Google APIs
\bgoogleapis\.(?:com|dev)/[a-z]+/(?:v\d+/|)[a-z]+/[-@:./?=\w+|&]+

# hit-count: 1 file-count: 1
\w+\@group\.calendar\.google\.com\b

# hit-count: 1 file-count: 1
# Google Cloud regions
(?:us|(?:north|south)america|europe|asia|australia|me|africa)-(?:north|south|east|west|central){1,2}\d+

# hit-count: 1 file-count: 1
# GHSA
GHSA(?:-[0-9a-z]{4}){3}

# hit-count: 1 file-count: 1
# GitHub actions
\buses:\s+[-\w.]+/[-\w./]+@[-\w.]+

# hit-count: 1 file-count: 1
# c99 hex digits (not the full format, just one I've seen)
0x[0-9a-fA-F](?:\.[0-9a-fA-F]*|)[pP]

# hit-count: 1 file-count: 1
# go install
go install(?:\s+[a-z]+\.[-@\w/.]+)+

# hit-count: 1 file-count: 1
# bearer auth
\b[Bb]ear[e][r]:? [-a-zA-Z=;:/0-9+.]{3,}

# hit-count: 1 file-count: 1
# weak e-tag
W/"[^"]+"

# hit-count: 1 file-count: 1
# set arguments
\b(?:bash|sh|set)(?:\s+[-+][abefimouxE]{1,2})*\s+[-+][abefimouxE]{3,}(?:\s+[-+][abefimouxE]+)*

Alternatively, if a pattern suggestion doesn't make sense for this project, add a #
to the beginning of the line in the candidates file with the pattern to stop suggesting it.

Errors, Warnings, and Notices ❌ (8)

See the 📂 files view, the 📜action log, or 📝 job summary for details.

❌ Errors, Warnings, and Notices Count
⚠️ binary-file 319
ℹ️ candidate-pattern 60
❌ check-file-path 9800
❌ forbidden-pattern 1749
⚠️ large-file 1
⚠️ noisy-file 137
❌ slow-file 1
⚠️ token-is-substring 87

See ❌ Event descriptions for more information.

✏️ Contributor please read this

By default the command suggestion will generate a file named based on your commit. That's generally ok as long as you add the file to your commit. Someone can reorganize it later.

If the listed items are:

  • ... misspelled, then please correct them instead of using the command.
  • ... names, please add them to .github/actions/spelling/allow/names.txt.
  • ... APIs, you can add them to a file in .github/actions/spelling/allow/.
  • ... just things you're using, please add them to an appropriate file in .github/actions/spelling/expect/.
  • ... tokens you only need in one place and shouldn't generally be used, you can add an item in an appropriate file in .github/actions/spelling/patterns/.

See the README.md in each directory for more information.

🔬 You can test your commits without appending to a PR by creating a new branch with that extra change and pushing it to your fork. The check-spelling action will run in response to your push -- it doesn't require an open pull request. By using such a branch, you can limit the number of typos your peers see you make. 😉

If the flagged items are 🤯 false positives

If items relate to a ...

  • binary file (or some other file you wouldn't want to check at all).

    Please add a file path to the excludes.txt file matching the containing file.

    File paths are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your files.

    ^ refers to the file's path from the root of the repository, so ^README\.md$ would exclude README.md (on whichever branch you're using).

  • well-formed pattern.

    If you can write a pattern that would match it,
    try adding it to the patterns.txt file.

    Patterns are Perl 5 Regular Expressions - you can test yours before committing to verify it will match your lines.

    Note that patterns can't match multiline strings.

Copilot AI reviewed Aug 20, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@vinod0m vinod0m marked this pull request as ready for review September 9, 2025 22:35
@vinod0m vinod0m merged commit f5ebc56 into main Sep 9, 2025
23 of 70 checks passed
@vinod0m vinod0m deleted the Security/alert-autofix-644 branch September 9, 2025 22:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@cuietviper cuietviper Awaiting requested review from cuietviper

Assignees

Copilot code review Copilot

Labels

bug Something isn't working

Projects

None yet

Milestone

1st MVP

Development

Successfully merging this pull request may close these issues.

2 participants

@vinod0m