Conformance Check Failure
Check ID: SEC-004
Severity: MEDIUM
Category: Security (Content Sanitization)
Problem Description
The SEC-004 conformance check (scripts/check-safe-outputs-conformance.sh, lines 137–162) scans every handler in actions/setup/js/*.cjs for the substrings "body" or body:, and if found requires the file to also contain one of sanitize, stripHTML, escapeMarkdown, or cleanContent.
actions/setup/js/generate_safe_outputs_tools.cjs matches the pattern because line 106 contains the comment // Remove fields from inputSchema.required when configured (e.g. allow-body: false) — the substring body: appears inside the literal token allow-body:. The file itself does not process user-supplied body content; it loads safe_outputs_tools.json, filters by config.json, and writes a generated tools.json. There is no body field that flows to a GitHub API call from this handler, so sanitization does not apply.
This is a false positive that nevertheless causes the conformance script to report a MEDIUM failure on every run.
Affected Components
- File: actions/setup/js/generate_safe_outputs_tools.cjs
- Check script: scripts/check-safe-outputs-conformance.sh (SEC-004, lines 135–163)
🔍 Current vs Expected Behavior
Current Behavior
bash scripts/check-safe-outputs-conformance.sh reports:
[MEDIUM] SEC-004: actions/setup/js/generate_safe_outputs_tools.cjs has body field but no sanitization
Expected Behavior
SEC-004 should only flag files that actually handle user-controlled body content destined for a GitHub API call. Schema/tool-generation files that mention body in comments or option names (e.g. allow-body) should be skipped.
Remediation Steps
The SEC-004 check already supports a documented exemption mechanism (see check script line 145: if grep -q "@safe-outputs-exempt[[:space:]]\+SEC-004" "$handler"; then continue; fi). Apply it here:
- Add a single-line annotation comment near the top of actions/setup/js/generate_safe_outputs_tools.cjs explaining why this file is exempt, e.g.:
// @safe-outputs-exempt SEC-004 — schema generator; does not process user body content. The substring "body:" appears only in the comment referencing the "allow-body" config option.
- Re-run bash scripts/check-safe-outputs-conformance.sh and confirm SEC-004 passes cleanly.
- (Optional) If similar false positives appear in future schema/codegen files, prefer narrowing the grep pattern in check-safe-outputs-conformance.sh to match only true body-field assignments (e.g. require quoted JSON keys) rather than adding many exemption comments.
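The heuristic, the exemption marker and the optional narrowed pattern described above, as an added example that is not the project's check script: both functions are reconstructed from this issue's description, and the function names, the narrowed regular expression and the sample files are assumptions. It also shows that the marker is only recognised when whitespace directly follows @safe-outputs-exempt.

```shell
#!/usr/bin/env bash
# Added example: SEC-004 heuristic reconstructed from the issue text; this is
# not the project's check script. Function names and samples are assumptions.
SANITIZERS='sanitize|stripHTML|escapeMarkdown|cleanContent'
EXEMPT='@safe-outputs-exempt[[:space:]]\+SEC-004'  # pattern quoted in the issue

# Check as described: a "body" or body: substring requires a sanitizer name.
sec004_current() {
  grep -q "$EXEMPT" "$1" && { echo exempt; return; }
  grep -qE '"body"|body:' "$1" || { echo pass; return; }
  grep -qE "$SANITIZERS" "$1" && echo pass || echo fail
}

# Narrowed variant (assumption): ignore // comments and require body to be a
# whole key, quoted or bare, not the tail of a longer name such as allow-body.
sec004_narrowed() {
  grep -q "$EXEMPT" "$1" && { echo exempt; return; }
  sed 's|//.*$||' "$1" |
    grep -qE '"body"[[:space:]]*:|(^|[^A-Za-z0-9_$-])body[[:space:]]*:' ||
    { echo pass; return; }
  grep -qE "$SANITIZERS" "$1" && echo pass || echo fail
}

demo_dir=$(mktemp -d)
# Constructed sample: generator whose only "body:" is inside "allow-body:".
cat > "$demo_dir/generator.cjs" <<'EOF'
// Remove fields from inputSchema.required when configured (e.g. allow-body: false)
const tools = JSON.parse(fs.readFileSync("safe_outputs_tools.json", "utf8"));
EOF
# Constructed sample: handler that forwards an unsanitized body field.
cat > "$demo_dir/handler.cjs" <<'EOF'
await github.rest.issues.createComment({ owner, repo, issue_number, body: item.body });
EOF
# Constructed samples: generator with the annotation, plain and backtick-wrapped.
{ echo '// @safe-outputs-exempt SEC-004 - schema generator'
  cat "$demo_dir/generator.cjs"; } > "$demo_dir/exempt.cjs"
{ echo '// `@safe-outputs-exempt` SEC-004 - schema generator'
  cat "$demo_dir/generator.cjs"; } > "$demo_dir/backtick.cjs"

for f in generator handler exempt backtick; do
  printf '%-10s current=%-7s narrowed=%s\n' "$f" \
    "$(sec004_current "$demo_dir/$f.cjs")" "$(sec004_narrowed "$demo_dir/$f.cjs")"
done
```

Stripping // comments with sed is itself a heuristic: it also truncates string literals that contain //, such as URLs.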
Verification
After remediation, verify the fix by running:
bash scripts/check-safe-outputs-conformance.sh
The SEC-004 check should report [PASS] SEC-004: All handlers properly sanitize content with no MEDIUM failure for generate_safe_outputs_tools.cjs.
References
- Safe Outputs Specification: docs/src/content/docs/reference/safe-outputs-specification.md
- Conformance Checker: scripts/check-safe-outputs-conformance.sh (SEC-004 at lines 135–163)
- Workflow Run: §26273181771
- Date: 2026-05-22
Generated by ✅ Daily Safe Outputs Conformance Checker