
fix: use %q instead of single-quote wrapping for filePath in runtime import warnings#30528

Merged
pelikhan merged 2 commits intomainfrom
copilot/fix-code-scanning-alerts-581
May 6, 2026

Conversation

Contributor

Copilot AI commented May 6, 2026

CodeQL alert #581 (go/unsafe-quoting): user-controlled filePath was embedded verbatim inside single quotes in a format string, meaning a path containing ' would produce malformed output and trip the unsafe-quoting detector.

Change

Replace '%s' with %q for filePath in the sub-agent warning message:

// Before
fmt.Sprintf("runtime-import '%s': %s", filePath, w)

// After
fmt.Sprintf("runtime-import %q: %s", filePath, w)

%q safely double-quotes the path and escapes all special characters, producing well-formed output regardless of path content.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/graphql
    • Triggering command: /usr/bin/gh gh repo view --json owner,name --jq .owner.login + "/" + .name (http block)
    • Triggering command: /usr/bin/gh gh api graphql -f query=query($owner: String!, $name: String!) { repository(owner: $owner, name: $name) { hasDiscussionsEnabled } } -f owner=github -f name=gh-aw (http block)
  • https://api.github.com/orgs/test-owner/actions/secrets
    • Triggering command: /usr/bin/gh gh api /orgs/test-owner/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/actions/ai-inference/git/ref/tags/v1
    • Triggering command: /usr/bin/gh gh api /repos/actions/ai-inference/git/ref/tags/v1 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v5
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v5 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/checkout/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/checkout/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v8
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v8 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/github-script/git/ref/tags/v9.0.0
    • Triggering command: /usr/bin/gh gh api /repos/actions/github-script/git/ref/tags/v9.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-go/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-go/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/setup-node/git/ref/tags/v6
    • Triggering command: /usr/bin/gh gh api /repos/actions/setup-node/git/ref/tags/v6 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/actions/upload-artifact/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/actions/upload-artifact/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/aws-actions/configure-aws-credentials/git/ref/tags/v4
    • Triggering command: /usr/bin/gh gh api /repos/aws-actions/configure-aws-credentials/git/ref/tags/v4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/azure/login/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/azure/login/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/docker/login-action/git/ref/tags/v3
    • Triggering command: /usr/bin/gh gh api /repos/docker/login-action/git/ref/tags/v3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v0.1.2
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v0.1.2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw-actions/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw-actions/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-29 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-04-06 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --limit 100 --created >=2026-02-05 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/1/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 1 --dir test-logs/run-1 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12345/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12345/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 12345 --dir test-logs/run-12345 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/1234567890
    • Triggering command: /usr/bin/gh gh api repos/{owner}/{repo}/actions/runs/1234567890 --jq {databaseId: .id, number: .run_number, url: .html_url, status: .status, conclusion: .conclusion, workflowName: .name, workflowPath: .path, createdAt: .created_at, startedAt: .run_started_at, updatedAt: .updated_at, event: .event, headBranch: .head_branch, … (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/12346/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/12346/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 12346 --dir test-logs/run-12346 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/2/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/2/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 2 --dir test-logs/run-2 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/3/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/3/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 3 --dir test-logs/run-3 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/4/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/4/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 4 --dir test-logs/run-4 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/runs/5/artifacts
    • Triggering command: /usr/bin/gh gh api --paginate repos/{owner}/{repo}/actions/runs/5/artifacts --jq .artifacts[].name (http block)
    • Triggering command: /usr/bin/gh gh run download 5 --dir test-logs/run-5 (http block)
  • https://api.github.com/repos/github/gh-aw/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 100 (http block)
    • Triggering command: /usr/bin/gh gh run list --json databaseId,number,url,status,conclusion,workflowName,createdAt,startedAt,updatedAt,event,headBranch,headSha,displayTitle --workflow nonexistent-workflow-12345 --limit 6 (http block)
  • https://api.github.com/repos/github/gh-aw/contents/.github/workflows/shared/reporting.md
    • Triggering command: /tmp/go-build4112837035/b404/cli.test /tmp/go-build4112837035/b404/cli.test -test.testlogfile=/tmp/go-build4112837035/b404/testlog.txt -test.paniconexit0 -test.v=true -test.parallel=4 -test.timeout=10m0s -test.run=^Test -test.short=true (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v0.47.4
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v0.47.4 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v1.2.3
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v1.2.3 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v2.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v2.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/github/gh-aw/git/ref/tags/v3.0.0
    • Triggering command: /usr/bin/gh gh api /repos/github/gh-aw/git/ref/tags/v3.0.0 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/google-github-actions/auth/git/ref/tags/v2
    • Triggering command: /usr/bin/gh gh api /repos/google-github-actions/auth/git/ref/tags/v2 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/action/git/ref/tags/v999.999.999
    • Triggering command: /usr/bin/gh gh api /repos/nonexistent/action/git/ref/tags/v999.999.999 --jq [.object.sha, .object.type] | @tsv (http block)
  • https://api.github.com/repos/nonexistent/repo/actions/runs/12345
    • Triggering command: /usr/bin/gh gh run view 12345 --repo nonexistent/repo --json status,conclusion (http block)
  • https://api.github.com/repos/owner/repo/actions/workflows
    • Triggering command: /usr/bin/gh gh workflow list --json name,state,path --repo owner/repo (http block)
    • Triggering command: /usr/bin/gh gh workflow list --repo owner/repo --json name,path,state (http block)
  • https://api.github.com/repos/test-owner/test-repo/actions/secrets
    • Triggering command: /usr/bin/gh gh api /repos/test-owner/test-repo/actions/secrets --jq .secrets[].name (http block)
  • https://api.github.com/repos/test/repo
    • Triggering command: /usr/bin/gh gh api /repos/test/repo --jq .default_branch (http block)

If you need me to access, download, or install something from one of these locations, you can either:
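To make the difference between the two format strings concrete, here is an added Go example that is not part of the PR or of the gh-aw code base. It reimplements the before and after `fmt.Sprintf` calls as two small functions (`legacyWarning`, `fixedWarning`, both hypothetical names) and feeds them constructed paths containing a single quote and a newline. It also shows the property a consumer of the warning gains from `%q`: the quoted token is self-delimiting and round-trips through `strconv.Unquote`, and no raw control byte from the path reaches the output line.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// legacyWarning mirrors the pre-fix format: the path is dropped verbatim
// between single quotes, so a quote inside the path breaks the framing.
func legacyWarning(filePath, w string) string {
	return fmt.Sprintf("runtime-import '%s': %s", filePath, w)
}

// fixedWarning mirrors the post-fix format: %q emits a Go-syntax
// double-quoted string with quotes, backslashes and control bytes escaped.
func fixedWarning(filePath, w string) string {
	return fmt.Sprintf("runtime-import %q: %s", filePath, w)
}

// extractPath recovers the original path from a %q-formatted warning by
// locating the first double-quoted token and passing it to strconv.Unquote.
// This works because the %q token is self-delimiting: an escaped quote inside
// it cannot be mistaken for the closing quote.
func extractPath(msg string) (string, error) {
	start := strings.Index(msg, "\"")
	if start < 0 {
		return "", fmt.Errorf("no quoted token in %q", msg)
	}
	for i := start + 1; i < len(msg); i++ {
		switch msg[i] {
		case '\\':
			i++ // skip the escaped byte
		case '"':
			return strconv.Unquote(msg[start : i+1])
		}
	}
	return "", fmt.Errorf("unterminated quoted token in %q", msg)
}

// containsControl reports whether a message still carries raw control bytes
// (newline, carriage return, ESC, ...). A raw newline from a path lets one
// warning masquerade as two log lines; %q turns it into the two characters \n.
func containsControl(msg string) bool {
	for _, r := range msg {
		if r < 0x20 || r == 0x7f {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample paths (not from the project): one with an embedded
	// single quote, one with a newline that would forge a second warning line.
	samples := []string{
		"shared/it's-broken.md",
		"shared/a.md\nruntime-import 'other.md': forged line",
	}
	for _, p := range samples {
		fmt.Println("legacy:", legacyWarning(p, "file not found"))
		fmt.Println("fixed: ", fixedWarning(p, "file not found"))
		got, err := extractPath(fixedWarning(p, "file not found"))
		fmt.Printf("round-trip ok=%v err=%v\n", got == p, err)
	}
}
```

Running it prints the legacy line with its framing broken by the embedded quote and the forged second line on its own line, while the fixed line stays a single well-formed record that parses back to the original path.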

@github-actions
Contributor

github-actions Bot commented May 6, 2026

Hey @copilot-swe-agent 👋 — thanks for picking up code scanning alert #581! The intent here is clear and this is exactly the kind of agentic security fix the project embraces. A few things to address before this is ready for review:

  • Still a WIP with no file changes — the PR currently has 0 additions and 0 deletions. The actual fix for alert #581 needs to land before this can be reviewed.
  • PR description needs updating — once the fix is in, replace the boilerplate WIP body with a concrete summary: what the alert was, what code was changed, and whether the alert was a true positive or false positive.
  • Tests — if the fix touches logic that can be unit-tested, add coverage for the corrected behavior.

If you would like a hand finishing this up, here is a prompt you can assign to your coding agent:

Complete the fix for code scanning alert #581 in github/gh-aw.
1. Retrieve the full details of alert #581 using the GitHub MCP server.
2. Implement the minimal code change required to resolve the alert.
3. If the alert is a false positive, document that explicitly in the PR body instead of changing code.
4. Update the PR description to explain: (a) what the alert flagged, (b) what was changed and why, (c) true positive or false positive verdict.
5. If the changed logic is unit-testable, add a test that covers the corrected behavior.

Generated by Contribution Check

…time_import_validation.go (#581)

Agent-Logs-Url: https://github.com/github/gh-aw/sessions/05f45839-0559-4bd6-afc0-67abdc55c63f

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix code scanning alert #581 in repository fix: use %q instead of single-quote wrapping for filePath in runtime import warnings May 6, 2026
Copilot AI requested a review from pelikhan May 6, 2026 06:11
@github-actions github-actions Bot mentioned this pull request May 6, 2026
@pelikhan pelikhan marked this pull request as ready for review May 6, 2026 11:13
Copilot AI review requested due to automatic review settings May 6, 2026 11:13
@pelikhan pelikhan merged commit d5c42db into main May 6, 2026
1 check passed
@pelikhan pelikhan deleted the copilot/fix-code-scanning-alerts-581 branch May 6, 2026 11:13
Contributor

Copilot AI left a comment


Pull request overview

This PR addresses CodeQL alert go/unsafe-quoting by changing how filePath is rendered in runtime-import sub-agent warning messages so that paths containing quote characters can’t produce malformed output.

Changes:

  • Replaced single-quote-wrapped %s formatting with %q for filePath in runtime-import warning strings.
Summary per file:

  • pkg/workflow/runtime_import_validation.go: uses %q to safely quote/escape the runtime-import filePath in emitted sub-agent warnings.

Copilot's findings


  • Files reviewed: 1/1 changed files
  • Comments generated: 0
