Skip to content

security: Fix 15 CodeQL alerts — URL sanitization and workflow permissions#108

Merged
docdyhr merged 1 commit intomasterfrom
fix/codeql-security-alerts
Mar 2, 2026
Merged

security: Fix 15 CodeQL alerts — URL sanitization and workflow permissions#108
docdyhr merged 1 commit intomasterfrom
fix/codeql-security-alerts

Conversation

@docdyhr
Copy link
Owner

@docdyhr docdyhr commented Mar 2, 2026
edited by sourcery-ai bot
Loading

Summary

  • 3 high-severity (py/incomplete-url-substring-sanitization): Replace incomplete URL substring checks in verify_badges.py with strict scheme+hostname validation via _is_trusted_host() allowlist and startswith() path prefix checks
  • 12 medium-severity (actions/missing-workflow-permissions): Add explicit job-level permissions: blocks to all jobs in ci.yml, lint.yml, performance.yml, release.yml, and security.yml — enforcing principle of least privilege per job

Files changed

File Change
.github/verify_badges.py Add _is_trusted_host() with HTTPS scheme + hostname allowlist
.github/workflows/ci.yml Add permissions: contents: read to test and build jobs
.github/workflows/lint.yml Add permissions: contents: read to lint job
.github/workflows/performance.yml Add permissions to all 4 jobs ({} for no-op, contents: read for checkout)
.github/workflows/release.yml Add permissions to validate-release, pre-release-checks, build-and-test, verify-release
.github/workflows/security.yml Add permissions: contents: read, pull-requests: write to security job

Test plan

  • All CI checks pass (lint, test, security, CodeQL, coverage, performance)
  • CodeQL re-scan shows 0 open alerts after merge

🤖 Generated with Claude Code

Summary by Sourcery

Harden badge URL validation and tighten GitHub Actions workflow permissions.

Bug Fixes:

  • Ensure badge verification only trusts HTTPS URLs from a restricted set of known hosts with specific action path prefixes to avoid incomplete URL sanitization issues.

Enhancements:

  • Centralize trusted badge host handling via a reusable HTTPS + hostname validation helper.
  • Clarify workflow job privileges by explicitly defining minimal permissions for CI, lint, performance, release, and security jobs.

CI:

  • Add explicit least-privilege permissions blocks to all jobs across CI, lint, performance, release, and security workflows.

@docdyhr @claude
security: Fix 15 CodeQL alerts — URL sanitization and workflow permis…
c242207 
…sions

Resolve all open code scanning alerts:

- 3 high-severity: Replace incomplete URL substring checks in
  verify_badges.py with strict scheme+hostname validation via
  _is_trusted_host() allowlist and path prefix checks
- 12 medium-severity: Add explicit job-level permissions blocks to
  all jobs in ci.yml, lint.yml, performance.yml, release.yml, and
  security.yml (principle of least privilege)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@sourcery-ai
Copy link
Contributor

sourcery-ai bot commented Mar 2, 2026
edited
Loading

Reviewer's Guide

Refines badge URL validation to use a strict HTTPS + hostname allowlist and path-prefix checks, and tightens GitHub Actions security by adding explicit least-privilege permissions to all relevant workflow jobs.

Sequence diagram for strict badge URL verification flow

sequenceDiagram
    participant BV as BadgeVerifier
    participant TH as _is_trusted_host
    participant HP as TrustedHostPolicy
    participant HTTP as BadgeHost

    BV->>TH: _is_trusted_host(url, github_com)
    TH->>HP: validate https scheme and hostname in _TRUSTED_HOSTS
    HP-->>TH: validation result (true or false)
    TH-->>BV: is_trusted

    alt trusted_github_actions_badge
        BV->>BV: check path startswith /docdyhr/versiontracker/actions/workflows/
        BV->>HTTP: GET url
        HTTP-->>BV: status (200 or 404)
        BV->>BV: mark success if status in [200, 404]
    else other_trusted_badge_host
        BV->>HTTP: GET url
        HTTP-->>BV: status (expected_status)
        BV->>BV: mark success if status == expected_status
    end

    BV->>BV: store result in results list

    loop print_summary filtering
        BV->>TH: _is_trusted_host(result.url, hostname)
        TH-->>BV: is_trusted
        BV->>BV: group into github_actions, shields_io, codecov based on hostname and path prefix
    end
Loading

Class diagram for updated badge verification URL sanitization

classDiagram
    class verify_badges {
        <<module>>
        _TRUSTED_HOSTS : frozenset
        _is_trusted_host(url: str, hostname: str) bool
    }

    class BadgeVerifier {
        results : list
        check_badge(name: str, url: str, expected_status: int) dict
        print_summary() bool
    }

    verify_badges <.. BadgeVerifier : uses

    class URLParse {
        <<external>>
        urlparse(url: str) ParseResult
    }

    BadgeVerifier ..> URLParse : uses

    class Requests {
        <<external>>
        get(url: str) Response
    }

    BadgeVerifier ..> Requests : uses

    %% Highlight new trust model usage
    class TrustedHostPolicy {
        <<concept>>
        requires_https : bool
        allowed_hostnames : set
        path_prefix_checks : bool
    }

    verify_badges ..> TrustedHostPolicy : enforces
    BadgeVerifier ..> TrustedHostPolicy : validates_badge_urls
Loading

File-Level Changes

Change Details Files
Harden badge URL validation to avoid incomplete substring-based sanitization.
  • Introduce a _TRUSTED_HOSTS frozenset listing allowed HTTPS badge hosts
  • Add _is_trusted_host() helper that enforces https scheme, exact hostname match, and membership in the trusted-hosts allowlist
  • Update GitHub Actions badge checks to require trusted host and a repository-specific workflow path prefix instead of generic substring matching
  • Update badge summary categorization to rely on _is_trusted_host() for GitHub, shields.io, and codecov URLs
 .github/verify_badges.py
Define explicit least-privilege permissions on all CI, lint, performance, release, and security workflow jobs.
  • Grant contents: read to CI test and build jobs to support checkout while keeping read-only repo access
  • Grant contents: read to lint and performance-test jobs and use {} for no-op performance jobs that don’t need token access
  • Add contents: read to release validation, pre-release checks, and build-and-test jobs; set permissions: {} for final verify-release job
  • Grant contents: read and pull-requests: write to the security analysis job so it can comment on PRs without broader scopes
 .github/workflows/ci.yml
.github/workflows/lint.yml
.github/workflows/performance.yml
.github/workflows/release.yml
.github/workflows/security.yml
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@github-actions
Copy link

github-actions bot commented Mar 2, 2026

🔒 Security Analysis Report

Security Analysis Report

Generated: Mon Mar 2 11:48:56 UTC 2026
Repository: docdyhr/versiontracker
Commit: 9fff02b

Bandit Security Scan

�[?25l
�[2KWorking... �[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m �[35m  0%�[0m �[36m-:--:--�[0m
�[2KWorking... �[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m �[35m  0%�[0m �[36m-:--:--�[0m
�[2KWorking... �[91m━━━━━�[0m�[90m╺�[0m�[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m �[35m 13%�[0m �[36m0:00:02�[0m
�[2KWorking... �[91m━━━━━━━━━�[0m�[90m╺�[0m�[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m �[35m 24%�[0m �[36m0:00:01�[0m
�[2KWorking... �[91m━━━━━━━━━━━━━�[0m�[91m╸�[0m�[90m━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m �[35m 35%�[0m �[36m0:00:01�[0m
�[2KWorking... �[91m━━━━━━━━━━━━━━�[0m�[91m╸�[0m�[90m━━━━━━━━━━━━━━━━━━━━━━━━━�[0m �[35m 36%�[0m �[36m0:00:01�[0m
�[2KWorking... �[91m━━━━━━━━━━━━━━━━━━━�[0m�[91m╸�[0m�[90m━━━━━━━━━━━━━━━━━━━━�[0m �[35m 49%�[0m �[36m0:00:01�[0m
�[2KWorking... �[91m━━━━━━━━━━━━━━━━━━━━━━━━�[0m�[91m╸�[0m�[90m━━━━━━━━━━━━━━━�[0m �[35m 62%�[0m �[36m0:00:01�[0m
�[2KWorking... �[91m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m�[90m╺�[0m�[90m━━━━━━━━━━�[0m �[35m 73%�[0m �[36m0:00:01�[0m
�[2KWorking... �[91m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m�[90m╺�[0m�[90m━━━━━━━━�[0m �[35m 78%�[0m �[36m0:00:01�[0m
�[2KWorking... �[91m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m�[90m╺�[0m�[90m━━━━━━�[0m �[35m 84%�[0m �[36m0:00:01�[0m
�[2KWorking... �[91m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m�[90m╺�[0m�[90m━━�[0m �[35m 93%�[0m �[36m0:00:01�[0m
�[2KWorking... �[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m �[35m100%�[0m �[33m0:00:01�[0m
�[2KWorking... �[90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━�[0m �[35m100%�[0m �[33m0:00:01�[0m
�[?25hRun started:2026-03-02 11:48:57.916693+00:00

Test results:
>> Issue: [B608:hardcoded_sql_expressions] Possible SQL injection vector through string-based query construction.
   Severity: Medium   Confidence: Low
   CWE: CWE-89 (https://cwe.mitre.org/data/definitions/89.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b608_hardcoded_sql_expressions.html
   Location: versiontracker/advanced_cache.py:610:24
609	                # Use f-string for better readability
610	                msg = f"Failed to delete from cache {key}: {e}"
611	                raise CacheError(msg) from e

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: versiontracker/config.py:174:16
173	                cmd = f"{path} --version"
174	                import subprocess
175	

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b603_subprocess_without_shell_equals_true.html
   Location: versiontracker/config.py:177:29
176	                try:
177	                    result = subprocess.run(cmd.split(), capture_output=True, timeout=2, check=False)
178	                    returncode = result.returncode

--------------------------------------------------
>> Issue: [B110:try_except_pass] Try, Except, Pass detected.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b110_try_except_pass.html
   Location: versiontracker/experimental/analytics.py:645:16
644	                    self.peak_cpu = max(self.peak_cpu, cpu_percent)
645	                except Exception:
646	                    pass
647	                time.sleep(0.05)

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b101_assert_used.html
   Location: versiontracker/handlers/outdated_handlers.py:494:8
493	        # Type assertion: apps and brews cannot be None here due to exit_code checks above
494	        assert apps is not None
495	        assert brews is not None

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b101_assert_used.html
   Location: versiontracker/handlers/outdated_handlers.py:495:8
494	        assert apps is not None
495	        assert brews is not None
496	        apps = _filter_applications(apps, brews, include_brews)

--------------------------------------------------
>> Issue: [B101:assert_used] Use of assert detected. The enclosed code will be removed when compiling to optimised byte code.
   Severity: Low   Confidence: High
   CWE: CWE-703 (https://cwe.mitre.org/data/definitions/703.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b101_assert_used.html
   Location: versiontracker/handlers/outdated_handlers.py:512:8
511	        # Type assertion: outdated_info cannot be None here due to exit_code check
512	        assert outdated_info is not None
513	        # Type cast: outdated_info cannot be None here due to exit_code check above

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: versiontracker/homebrew.py:12:0
11	import re
12	import subprocess
13	import time

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: versiontracker/macos_integration.py:11:0
10	import os
11	import subprocess
12	from pathlib import Path

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b603_subprocess_without_shell_equals_true.html
   Location: versiontracker/macos_integration.py:245:21
244	            # nosec B603 - osascript with controlled arguments
245	            result = subprocess.run(cmd, capture_output=True, text=True)
246	

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: versiontracker/menubar_app.py:8:0
7	import logging
8	import subprocess
9	import sys

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: versiontracker/plugins/example_plugins.py:322:16
321	            try:
322	                import subprocess
323	

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b607_start_process_with_partial_path.html
   Location: versiontracker/plugins/example_plugins.py:324:25
323	
324	                result = subprocess.run(["brew", "--version"], capture_output=True, text=True, timeout=5)
325	                if result.returncode == 0:

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b603_subprocess_without_shell_equals_true.html
   Location: versiontracker/plugins/example_plugins.py:324:25
323	
324	                result = subprocess.run(["brew", "--version"], capture_output=True, text=True, timeout=5)
325	                if result.returncode == 0:

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: versiontracker/utils.py:15:0
14	import shutil
15	import subprocess
16	import sys

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b607_start_process_with_partial_path.html
   Location: versiontracker/utils.py:784:17
783	    try:
784	        result = subprocess.run(["which", "brew"], capture_output=True, text=True, timeout=5)
785	        return result.returncode == 0

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b603_subprocess_without_shell_equals_true.html
   Location: versiontracker/utils.py:784:17
783	    try:
784	        result = subprocess.run(["which", "brew"], capture_output=True, text=True, timeout=5)
785	        return result.returncode == 0

--------------------------------------------------
>> Issue: [B607:start_process_with_partial_path] Starting a process with a partial executable path
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b607_start_process_with_partial_path.html
   Location: versiontracker/utils.py:800:17
799	    try:
800	        result = subprocess.run(["brew", "--prefix"], capture_output=True, text=True, timeout=5)
801	        if result.returncode == 0:

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b603_subprocess_without_shell_equals_true.html
   Location: versiontracker/utils.py:800:17
799	    try:
800	        result = subprocess.run(["brew", "--prefix"], capture_output=True, text=True, timeout=5)
801	        if result.returncode == 0:

--------------------------------------------------
>> Issue: [B603:subprocess_without_shell_equals_true] subprocess call - check for execution of untrusted input.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/plugins/b603_subprocess_without_shell_equals_true.html
   Location: versiontracker/utils.py:833:15
832	    try:
833	        return subprocess.run(command, capture_output=True, text=True, timeout=timeout, check=check)
834	    except subprocess.TimeoutExpired as e:

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: versiontracker/version/batch.py:11:0
10	import logging
11	import subprocess
12	from concurrent.futures import ThreadPoolExecutor

--------------------------------------------------
>> Issue: [B404:blacklist] Consider possible security implications associated with the subprocess module.
   Severity: Low   Confidence: High
   CWE: CWE-78 (https://cwe.mitre.org/data/definitions/78.html)
   More Info: https://bandit.readthedocs.io/en/1.9.4/blacklists/blacklist_imports.html#b404-import-subprocess
   Location: versiontracker/version/homebrew.py:18:0
17	import logging
18	import subprocess
19	

--------------------------------------------------

Code scanned:
	Total lines of code: 15130
	Total lines skipped (#nosec): 0
	Total potential issues skipped due to specifically being disabled (e.g., #nosec BXXX): 33

Run metrics:
	Total issues (by severity):
		Undefined: 0
		Low: 21
		Medium: 1
		High: 0
	Total issues (by confidence):
		Undefined: 0
		Low: 1
		Medium: 0
		High: 21
Files skipped (0):

Safety Check Results



�[33m�[1m+===========================================================================================================================================================================================+�[0m


�[31m�[1mDEPRECATED: �[0m�[33m�[1mthis command (`check`) has been DEPRECATED, and will be unsupported beyond 01 June 2024.�[0m


�[32mWe highly encourage switching to the new �[0m�[32m�[1m`scan`�[0m�[32m command which is easier to use, more powerful, and can be set up to mimic the deprecated command if required.�[0m


�[33m�[1m+===========================================================================================================================================================================================+�[0m


+==============================================================================+

                               /$$$$$$            /$$
                              /$$__  $$          | $$
           /$$$$$$$  /$$$$$$ | $$  \__//$$$$$$  /$$$$$$   /$$   /$$
          /$$_____/ |____  $$| $$$$   /$$__  $$|_  $$_/  | $$  | $$
         |  $$$$$$   /$$$$$$$| $$_/  | $$$$$$$$  | $$    | $$  | $$
          \____  $$ /$$__  $$| $$    | $$_____/  | $$ /$$| $$  | $$
          /$$$$$$$/|  $$$$$$$| $$    |  $$$$$$$  |  $$$$/|  $$$$$$$
         |_______/  \_______/|__/     \_______/   \___/   \____  $$
                                                          /$$  | $$
                                                         |  $$$$$$/
  by safetycli.com                                        \______/

+==============================================================================+

 �[1mREPORT�[0m 

  Safety �[1mv3.7.0�[0m is scanning for �[1mVulnerabilities�[0m�[1m...�[0m
�[1m  Scanning dependencies�[0m in your �[1menvironment:�[0m

  -> /opt/hostedtoolcache/Python/3.13.12/x64/lib/python3.13/site-packages

  Using �[1mopen-source vulnerability database�[0m
�[1m  Found and scanned 106 packages�[0m
  Timestamp �[1m2026-03-02 11:48:59�[0m
�[1m  0�[0m�[1m vulnerabilities reported�[0m
�[1m  0�[0m�[1m vulnerabilities ignored�[0m
+==============================================================================+

 �[32m�[1mNo known security vulnerabilities reported.�[0m 

+==============================================================================+�[0m


�[33m�[1m+===========================================================================================================================================================================================+�[0m


�[31m�[1mDEPRECATED: �[0m�[33m�[1mthis command (`check`) has been DEPRECATED, and will be unsupported beyond 01 June 2024.�[0m


�[32mWe highly encourage switching to the new �[0m�[32m�[1m`scan`�[0m�[32m command which is easier to use, more powerful, and can be set up to mimic the deprecated command if required.�[0m


�[33m�[1m+===========================================================================================================================================================================================+�[0m

Pip-Audit Results

�[?25l�[32m-�[0m Collecting inputs
�[2K�[32m-�[0m Collecting inputs
�[2K�[32m-�[0m Collecting inputs
�[2K�[32m-�[0m Collecting inputs
�[2K�[32m\�[0m Collecting inputs
�[2K�[32m\�[0m Collecting inputs
�[2K�[32m\�[0m Collecting inputs
�[2K�[32m\�[0m Collecting inputs
�[2K�[32m\�[0m Collecting aiohappyeyeballs (2.6.1)
�[2K�[32m\�[0m Auditing aiohappyeyeballs (2.6.1)
�[2K�[32m\�[0m Collecting aiohttp (3.13.3)
�[2K�[32m\�[0m Auditing aiohttp (3.13.3)
�[2K�[32m\�[0m Collecting aiosignal (1.4.0)
�[2K�[32m\�[0m Auditing aiosignal (1.4.0)
�[2K�[32m\�[0m Collecting annotated-doc (0.0.4)
�[2K�[32m\�[0m Auditing annotated-doc (0.0.4)
�[2K�[32m\�[0m Collecting annotated-types (0.7.0)
�[2K�[32m\�[0m Auditing annotated-types (0.7.0)
�[2K�[32m\�[0m Collecting anyio (4.12.1)
�[2K�[32m\�[0m Auditing anyio (4.12.1)
�[2K�[32m\�[0m Collecting attrs (25.4.0)
�[2K�[32m\�[0m Auditing attrs (25.4.0)
�[2K�[32m\�[0m Collecting Authlib (1.6.9)
�[2K�[32m\�[0m Auditing Authlib (1.6.9)
�[2K�[32m\�[0m Collecting bandit (1.9.4)
�[2K�[32m\�[0m Auditing bandit (1.9.4)
�[2K�[32m\�[0m Collecting black (26.1.0)
�[2K�[32m\�[0m Auditing black (26.1.0)
�[2K�[32m\�[0m Collecting boolean.py (5.0)
�[2K�[32m\�[0m Auditing boolean.py (5.0)
�[2K�[32m\�[0m Collecting build (1.4.0)
�[2K�[32m|�[0m Auditing build (1.4.0)
�[2K�[32m|�[0m Collecting CacheControl (0.14.4)
�[2K�[32m|�[0m Auditing CacheControl (0.14.4)
�[2K�[32m|�[0m Collecting certifi (2026.2.25)
�[2K�[32m|�[0m Auditing certifi (2026.2.25)
�[2K�[32m|�[0m Collecting cffi (2.0.0)
�[2K�[32m|�[0m Auditing cffi (2.0.0)
�[2K�[32m|�[0m Collecting charset-normalizer (3.4.4)
�[2K�[32m|�[0m Auditing charset-normalizer (3.4.4)
�[2K�[32m|�[0m Collecting click (8.3.1)
�[2K�[32m|�[0m Auditing click (8.3.1)
�[2K�[32m|�[0m Collecting coverage (7.13.4)
�[2K�[32m|�[0m Auditing coverage (7.13.4)
�[2K�[32m|�[0m Collecting cryptography (46.0.5)
�[2K�[32m|�[0m Collecting cryptography (46.0.5)
�[2K�[32m|�[0m Auditing cryptography (46.0.5)
�[2K�[32m|�[0m Collecting cyclonedx-python-lib (11.6.0)
�[2K�[32m|�[0m Auditing cyclonedx-python-lib (11.6.0)
�[2K�[32m|�[0m Collecting defusedxml (0.7.1)
�[2K�[32m|�[0m Auditing defusedxml (0.7.1)
�[2K�[32m|�[0m Collecting docutils (0.22.4)
�[2K�[32m|�[0m Auditing docutils (0.22.4)
�[2K�[32m|�[0m Collecting dparse (0.6.4)
�[2K�[32m|�[0m Auditing dparse (0.6.4)
�[2K�[32m|�[0m Collecting filelock (3.25.0)
�[2K�[32m|�[0m Auditing filelock (3.25.0)
�[2K�[32m|�[0m Collecting frozenlist (1.8.0)
�[2K�[32m|�[0m Auditing frozenlist (1.8.0)
�[2K�[32m|�[0m Collecting h11 (0.16.0)
�[2K�[32m|�[0m Auditing h11 (0.16.0)
�[2K�[32m|�[0m Collecting httpcore (1.0.9)
�[2K�[32m|�[0m Auditing httpcore (1.0.9)
�[2K�[32m|�[0m Collecting httpx (0.28.1)
�[2K�[32m|�[0m Auditing httpx (0.28.1)
�[2K�[32m|�[0m Collecting id (1.6.1)
�[2K�[32m|�[0m Auditing id (1.6.1)
�[2K�[32m|�[0m Collecting idna (3.11)
�[2K�[32m|�[0m Auditing idna (3.11)
�[2K�[32m|�[0m Collecting iniconfig (2.3.0)
�[2K�[32m|�[0m Auditing iniconfig (2.3.0)
�[2K�[32m|�[0m Collecting jaraco.classes (3.4.0)
�[2K�[32m|�[0m Auditing jaraco.classes (3.4.0)
�[2K�[32m|�[0m Collecting jaraco.context (6.1.0)
�[2K�[32m|�[0m Auditing jaraco.context (6.1.0)
�[2K�[32m|�[0m Collecting jaraco.functools (4.4.0)
�[2K�[32m|�[0m Auditing jaraco.functools (4.4.0)
�[2K�[32m|�[0m Collecting jeepney (0.9.0)
�[2K�[32m|�[0m Auditing jeepney (0.9.0)
�[2K�[32m|�[0m Collecting Jinja2 (3.1.6)
�[2K�[32m|�[0m Auditing Jinja2 (3.1.6)
�[2K�[32m|�[0m Collecting joblib (1.5.3)
�[2K�[32m|�[0m Auditing joblib (1.5.3)
�[2K�[32m|�[0m Collecting keyring (25.7.0)
�[2K�[32m|�[0m Auditing keyring (25.7.0)
�[2K�[32m|�[0m Collecting librt (0.8.1)
�[2K�[32m|�[0m Auditing librt (0.8.1)
�[2K�[32m|�[0m Collecting license-expression (30.4.4)
�[2K�[32m|�[0m Auditing license-expression (30.4.4)
�[2K�[32m|�[0m Collecting macversiontracker (0.9.0)
�[2K�[32m|�[0m Auditing macversiontracker (0.9.0)
�[2K�[32m|�[0m Collecting markdown-it-py (4.0.0)
�[2K�[32m|�[0m Auditing markdown-it-py (4.0.0)
�[2K�[32m|�[0m Collecting MarkupSafe (3.0.3)
�[2K�[32m|�[0m Auditing MarkupSafe (3.0.3)
�[2K�[32m|�[0m Collecting marshmallow (4.2.2)
�[2K�[32m|�[0m Auditing marshmallow (4.2.2)
�[2K�[32m|�[0m Collecting mdurl (0.1.2)
�[2K�[32m|�[0m Auditing mdurl (0.1.2)
�[2K�[32m|�[0m Collecting more-itertools (10.8.0)
�[2K�[32m|�[0m Collecting more-itertools (10.8.0)
�[2K�[32m|�[0m Auditing more-itertools (10.8.0)
�[2K�[32m|�[0m Collecting msgpack (1.1.2)
�[2K�[32m|�[0m Auditing msgpack (1.1.2)
�[2K�[32m|�[0m Collecting multidict (6.7.1)
�[2K�[32m|�[0m Auditing multidict (6.7.1)
�[2K�[32m|�[0m Collecting mypy (1.19.1)
�[2K�[32m|�[0m Auditing mypy (1.19.1)
�[2K�[32m|�[0m Collecting mypy_extensions (1.1.0)
�[2K�[32m|�[0m Auditing mypy_extensions (1.1.0)
�[2K�[32m|�[0m Collecting nh3 (0.3.3)
�[2K�[32m|�[0m Auditing nh3 (0.3.3)
�[2K�[32m|�[0m Collecting nltk (3.9.3)
�[2K�[32m|�[0m Auditing nltk (3.9.3)
�[2K�[32m|�[0m Collecting packageurl-python (0.17.6)
�[2K�[32m|�[0m Auditing packageurl-python (0.17.6)
�[2K�[32m|�[0m Collecting packaging (26.0)
�[2K�[32m|�[0m Auditing packaging (26.0)
�[2K�[32m|�[0m Collecting pathspec (1.0.4)
�[2K�[32m|�[0m Auditing pathspec (1.0.4)
�[2K�[32m|�[0m Collecting pip (26.0.1)
�[2K�[32m|�[0m Auditing pip (26.0.1)
�[2K�[32m|�[0m Collecting pip-api (0.0.34)
�[2K�[32m|�[0m Auditing pip-api (0.0.34)
�[2K�[32m|�[0m Collecting pip_audit (2.10.0)
�[2K�[32m|�[0m Auditing pip_audit (2.10.0)
�[2K�[32m|�[0m Collecting pip-requirements-parser (32.0.1)
�[2K�[32m|�[0m Auditing pip-requirements-parser (32.0.1)
�[2K�[32m|�[0m Collecting platformdirs (4.9.2)
�[2K�[32m|�[0m Auditing platformdirs (4.9.2)
�[2K�[32m|�[0m Collecting pluggy (1.6.0)
�[2K�[32m|�[0m Auditing pluggy (1.6.0)
�[2K�[32m|�[0m Collecting propcache (0.4.1)
�[2K�[32m|�[0m Auditing propcache (0.4.1)
�[2K�[32m|�[0m Collecting psutil (7.2.2)
�[2K�[32m|�[0m Auditing psutil (7.2.2)
�[2K�[32m|�[0m Collecting py-serializable (2.1.0)
�[2K�[32m|�[0m Auditing py-serializable (2.1.0)
�[2K�[32m|�[0m Collecting pycparser (3.0)
�[2K�[32m|�[0m Auditing pycparser (3.0)
�[2K�[32m|�[0m Collecting pydantic (2.12.5)
�[2K�[32m|�[0m Auditing pydantic (2.12.5)
�[2K�[32m|�[0m Collecting pydantic_core (2.41.5)
�[2K�[32m|�[0m Auditing pydantic_core (2.41.5)
�[2K�[32m|�[0m Collecting Pygments (2.19.2)
�[2K�[32m|�[0m Auditing Pygments (2.19.2)
�[2K�[32m|�[0m Collecting pyparsing (3.3.2)
�[2K�[32m|�[0m Auditing pyparsing (3.3.2)
�[2K�[32m|�[0m Collecting pyproject_hooks (1.2.0)
�[2K�[32m|�[0m Auditing pyproject_hooks (1.2.0)
�[2K�[32m|�[0m Collecting pytest (9.0.2)
�[2K�[32m|�[0m Collecting pytest (9.0.2)
�[2K�[32m|�[0m Auditing pytest (9.0.2)
�[2K�[32m|�[0m Collecting pytest-asyncio (1.3.0)
�[2K�[32m|�[0m Auditing pytest-asyncio (1.3.0)
�[2K�[32m|�[0m Collecting pytest-cov (7.0.0)
�[2K�[32m|�[0m Auditing pytest-cov (7.0.0)
�[2K�[32m|�[0m Collecting pytest-mock (3.15.1)
�[2K�[32m|�[0m Auditing pytest-mock (3.15.1)
�[2K�[32m|�[0m Collecting pytest-timeout (2.4.0)
�[2K�[32m|�[0m Auditing pytest-timeout (2.4.0)
�[2K�[32m|�[0m Collecting pytokens (0.4.1)
�[2K�[32m|�[0m Auditing pytokens (0.4.1)
�[2K�[32m|�[0m Collecting PyYAML (6.0.3)
�[2K�[32m|�[0m Auditing PyYAML (6.0.3)
�[2K�[32m|�[0m Collecting readme_renderer (44.0)
�[2K�[32m|�[0m Auditing readme_renderer (44.0)
�[2K�[32m|�[0m Collecting regex (2026.2.28)
�[2K�[32m|�[0m Auditing regex (2026.2.28)
�[2K�[32m|�[0m Collecting requests (2.32.5)
�[2K�[32m|�[0m Auditing requests (2.32.5)
�[2K�[32m|�[0m Collecting requests-toolbelt (1.0.0)
�[2K�[32m|�[0m Auditing requests-toolbelt (1.0.0)
�[2K�[32m|�[0m Collecting rfc3986 (2.0.0)
�[2K�[32m|�[0m Auditing rfc3986 (2.0.0)
�[2K�[32m|�[0m Collecting rich (14.3.3)
�[2K�[32m|�[0m Auditing rich (14.3.3)
�[2K�[32m|�[0m Collecting ruamel.yaml (0.19.1)
�[2K�[32m|�[0m Auditing ruamel.yaml (0.19.1)
�[2K�[32m|�[0m Collecting ruff (0.15.4)
�[2K�[32m|�[0m Auditing ruff (0.15.4)
�[2K�[32m|�[0m Collecting safety (3.7.0)
�[2K�[32m|�[0m Auditing safety (3.7.0)
�[2K�[32m|�[0m Collecting safety-schemas (0.0.16)
�[2K�[32m|�[0m Auditing safety-schemas (0.0.16)
�[2K�[32m|�[0m Collecting SecretStorage (3.5.0)
�[2K�[32m|�[0m Auditing SecretStorage (3.5.0)
�[2K�[32m|�[0m Collecting setuptools (82.0.0)
�[2K�[32m|�[0m Auditing setuptools (82.0.0)
�[2K�[32m|�[0m Collecting shellingham (1.5.4)
�[2K�[32m|�[0m Auditing shellingham (1.5.4)
�[2K�[32m|�[0m Collecting sortedcontainers (2.4.0)
�[2K�[32m|�[0m Auditing sortedcontainers (2.4.0)
�[2K�[32m|�[0m Collecting stevedore (5.7.0)
�[2K�[32m|�[0m Auditing stevedore (5.7.0)
�[2K�[32m|�[0m Collecting tabulate (0.9.0)
�[2K�[32m|�[0m Auditing tabulate (0.9.0)
�[2K�[32m|�[0m Collecting tenacity (9.1.4)
�[2K�[32m|�[0m Auditing tenacity (9.1.4)
�[2K�[32m|�[0m Collecting tomli (2.4.0)
�[2K�[32m|�[0m Auditing tomli (2.4.0)
�[2K�[32m|�[0m Collecting tomli_w (1.2.0)
�[2K�[32m|�[0m Auditing tomli_w (1.2.0)
�[2K�[32m|�[0m Collecting tomlkit (0.14.0)
�[2K�[32m|�[0m Auditing tomlkit (0.14.0)
�[2K�[32m|�[0m Collecting tqdm (4.67.3)
�[2K�[32m|�[0m Collecting tqdm (4.67.3)
�[2K�[32m|�[0m Auditing tqdm (4.67.3)
�[2K�[32m|�[0m Collecting twine (6.2.0)
�[2K�[32m|�[0m Auditing twine (6.2.0)
�[2K�[32m|�[0m Collecting typer (0.24.1)
�[2K�[32m|�[0m Auditing typer (0.24.1)
�[2K�[32m|�[0m Collecting types-PyYAML (6.0.12.20250915)
�[2K�[32m|�[0m Auditing types-PyYAML (6.0.12.20250915)
�[2K�[32m|�[0m Collecting typing_extensions (4.15.0)
�[2K�[32m|�[0m Auditing typing_extensions (4.15.0)
�[2K�[32m|�[0m Collecting typing-inspection (0.4.2)
�[2K�[32m|�[0m Auditing typing-inspection (0.4.2)
�[2K�[32m|�[0m Collecting urllib3 (2.6.3)
�[2K�[32m|�[0m Auditing urllib3 (2.6.3)
�[2K�[32m|�[0m Collecting wheel (0.46.3)
�[2K�[32m|�[0m Auditing wheel (0.46.3)
�[2K�[32m|�[0m Collecting yarl (1.23.0)
�[2K�[32m|�[0m Auditing yarl (1.23.0)
�[2K�[32m|�[0m Auditing yarl (1.23.0)
�[?25h
�[1A�[2K```

sourcery-ai[bot]
sourcery-ai bot reviewed Mar 2, 2026
View reviewed changes
Copy link
Contributor

@sourcery-ai sourcery-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey - I've left some high level feedback:

  • In verify_badges.py, you’re calling urlparse() multiple times on the same URL within the same logical block (e.g., check_badge and print_summary); consider parsing once and reusing the result to avoid redundant work and make the code easier to read.
  • The _is_trusted_host(url, hostname) helper both takes an explicit hostname and checks membership in _TRUSTED_HOSTS; you could simplify the API by deriving the hostname from the URL inside the helper and validating it directly against _TRUSTED_HOSTS, which would also reduce the risk of mismatches between the passed hostname and the parsed one.
Prompt for AI Agents 
Please address the comments from this code review:

## Overall Comments
- In `verify_badges.py`, you’re calling `urlparse()` multiple times on the same URL within the same logical block (e.g., `check_badge` and `print_summary`); consider parsing once and reusing the result to avoid redundant work and make the code easier to read.
- The `_is_trusted_host(url, hostname)` helper both takes an explicit hostname and checks membership in `_TRUSTED_HOSTS`; you could simplify the API by deriving the hostname from the URL inside the helper and validating it directly against `_TRUSTED_HOSTS`, which would also reduce the risk of mismatches between the passed hostname and the parsed one.
Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.

@codecov
Copy link

codecov bot commented Mar 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@docdyhr docdyhr merged commit 355fe70 into master Mar 2, 2026
48 checks passed
@docdyhr docdyhr deleted the fix/codeql-security-alerts branch March 2, 2026 23:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sourcery-ai sourcery-ai[bot] sourcery-ai[bot] left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@docdyhr