feat(ci): fail on critical vulnerabilities#3

Merged
davidapp merged 1 commit into develop from feat/add_ai_audit
Apr 9, 2026

Conversation

Owner

@davidapp davidapp commented Apr 9, 2026

Update workflow to fail when CRITICAL issues found

The AI security audit now exits with failure if any CRITICAL severity
issues are detected, preventing PRs with critical vulnerabilities
from showing a green check.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@davidapp davidapp merged commit 635e1f2 into develop Apr 9, 2026
1 check failed

github-actions bot commented Apr 9, 2026

AI Security Audit Report

Summary

The diff introduces a CI step that fails the workflow when critical security issues are detected in an AI-generated audit report. The change is minimal, well-scoped, and follows standard GitHub Actions patterns. Risk level: CLEAN — no security vulnerabilities are introduced by this change.

Findings

No security issues were identified. The following were checked:

  • Command injection: The grep commands operate only on a local file (audit_result.md) generated earlier in the workflow. No user-controlled input is interpolated into the shell commands.
  • Variable injection: CRITICAL_COUNT is populated from grep -c output, which produces a plain integer — not attacker-controllable in a meaningful way.
  • Logic bypass: The if: steps.check.outputs.skip != 'true' guard is consistent with the existing workflow pattern, preventing the step from being silently bypassed by misconfiguration.
  • Regex reliability: grep -qi '\[CRITICAL\]' matches the literal string [CRITICAL]. The brackets are treated as a character class by grep (matching C, R, I, T, A, L), not as a literal string. This is a minor correctness issue, not a security issue — it could produce false positives but not false negatives that would suppress a real finding.
  • Workflow permissions: No new permissions are requested. The step uses gh (already authenticated via GITHUB_TOKEN in prior steps) only for reading, not writing.
  • Exit code handling: exit 1 correctly fails the job, and the condition gates it on the skip flag appropriately.

One Minor Note (Not a Security Issue)

The grep pattern '\[CRITICAL\]' uses unescaped brackets in basic regex mode. In BRE/ERE, [CRITICAL] is a character class. To match the literal string [CRITICAL], use:

grep -qi '\[CRITICAL\]'   # works in most implementations due to backslash escaping
# or more explicitly:
grep -qiF '[CRITICAL]'    # -F = fixed string, most reliable

Using -F (fixed string) is the safest and most portable approach.

Statistics

  • Files analyzed: 1 (.github/workflows/ai-security-audit.yml)
  • Issues found: 0 (critical: 0, high: 0, medium: 0, low: 0)

This report was generated by AI security audit. Please verify findings manually.
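As an added example (not the PR's workflow code or the bot's own output), the shell below reproduces the gate the report discusses: count `[CRITICAL]` markers in an audit file and fail when any are present, with the fixed-string pattern beside the character-class pattern so the difference is visible on a constructed `audit_result.md`. The file contents, function names and the `gate_on_critical` wrapper are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample audit report, not the real audit_result.md from the PR.
REPORT=$(mktemp)
cat > "$REPORT" <<'EOF'
# AI Security Audit Report
No critical issues found in module A.
[CRITICAL] Hard-coded credential in config loader
[HIGH] Missing input validation
[critical] SQL query built by string concatenation
EOF
# A second constructed report with no findings at all.
CLEAN=$(mktemp)
printf 'All good\n' > "$CLEAN"

# Count lines containing the literal marker "[CRITICAL]" (case-insensitive).
# -F makes grep treat the pattern as a fixed string, so the brackets are
# not a character class. grep -c still exits 1 when the count is zero, so
# "|| true" keeps the step alive under the -e/-o pipefail shell that
# GitHub Actions uses for run: steps.
count_critical() {
  grep -ciF '[CRITICAL]' "$1" || true
}

# For comparison: without -F (or backslash escapes) the same pattern is a
# character class matching any one of C R I T A L, so nearly every line hits.
count_critical_charclass() {
  grep -ci '[CRITICAL]' "$1" || true
}

# The gate itself: non-zero return (fails the job) when any marker is found.
gate_on_critical() {
  local n
  n=$(count_critical "$1")
  if [ "$n" -gt 0 ]; then
    echo "Found $n CRITICAL finding(s); failing the job" >&2
    return 1
  fi
  echo "No CRITICAL findings"
  return 0
}

# Demonstration: clean report passes, report with findings fails.
gate_on_critical "$CLEAN"
gate_on_critical "$REPORT" || echo "gate returned exit status $?"
```

On the sample above the fixed-string count is 2 (only the bracketed markers) while the character-class count is 5 (every line), which is the false-positive behaviour the report describes.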
