Enforce MokoStandards compliance with security workflows and documentation #44

Merged
Copilot merged 6 commits from copilot/enforce-mokostandards-requirements into main 2026-01-09 03:29:53 +00:00
3 changed files with 8 additions and 4 deletions
Showing only changes of commit dcaabd0c53

View File

@@ -133,12 +133,15 @@ jobs:
# Check requirements.txt if exists # Check requirements.txt if exists
if [ -f "requirements.txt" ]; then if [ -f "requirements.txt" ]; then
if safety check -r requirements.txt; then if safety check -r requirements.txt 2>&1 | tee safety_output.txt; then
echo "✅ No known vulnerabilities in Python dependencies" >> $GITHUB_STEP_SUMMARY echo "✅ No known vulnerabilities in Python dependencies" >> $GITHUB_STEP_SUMMARY
else else
echo "⚠️ Vulnerabilities detected in Python dependencies" >> $GITHUB_STEP_SUMMARY echo "⚠️ Vulnerabilities detected in Python dependencies" >> $GITHUB_STEP_SUMMARY
safety check -r requirements.txt || true cat safety_output.txt >> $GITHUB_STEP_SUMMARY || true
rm -f safety_output.txt
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:05 +00:00 (Migrated from github.com)
Review

The exit code handling for the safety check is confusing. On line 142, 'exit 0' is used after detecting vulnerabilities, which prevents the workflow from failing even when vulnerabilities are found. If this is intentional (to make the check informational only), it should be documented. If vulnerabilities should cause the job to fail, remove the 'exit 0' statement.

              rm -f safety_output.txt
              # Intentionally exit with success so this safety check remains informational-only
              # and does not cause the workflow to fail when vulnerabilities are detected.
exit 0
fi fi
rm -f safety_output.txt
else else
echo " No requirements.txt found" >> $GITHUB_STEP_SUMMARY echo " No requirements.txt found" >> $GITHUB_STEP_SUMMARY
fi fi
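Review bot: the new test `if safety check -r requirements.txt 2>&1 | tee safety_output.txt; then` takes its exit status from `tee`, the last command in the pipeline, not from `safety`, unless `pipefail` is in effect for the step; with the default `bash -e {0}` shell (no `-o pipefail`) the `else` branch and its "Vulnerabilities detected" summary line would never run, so the check would silently pass. Either add `set -o pipefail` at the top of the run block or test `"${PIPESTATUS[0]}"` after the pipeline, and keep the `exit 0` comment that documents the check as informational-only so the intent stays visible next to the code.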

View File

@@ -384,7 +384,8 @@ jobs:
echo "### Workflow YAML Syntax" >> $GITHUB_STEP_SUMMARY echo "### Workflow YAML Syntax" >> $GITHUB_STEP_SUMMARY
INVALID=0 INVALID=0
for workflow in .github/workflows/*.yml .github/workflows/*.yaml 2>/dev/null; do shopt -s nullglob
for workflow in .github/workflows/*.yml .github/workflows/*.yaml; do
if [ -f "$workflow" ]; then if [ -f "$workflow" ]; then
if python3 -c "import yaml; yaml.safe_load(open('$workflow'))" 2>/dev/null; then if python3 -c "import yaml; yaml.safe_load(open('$workflow'))" 2>/dev/null; then
copilot-pull-request-reviewer[bot] commented 2026-01-09 03:34:07 +00:00 (Migrated from github.com)
Review

The Python script execution on line 390 uses an f-string-like approach with the workflow path directly embedded in the command string. This could be vulnerable to command injection if workflow filenames contain special characters. Consider using subprocess or a safer approach, or at minimum validate the filename before use.

              if python3 - "$workflow" << 'EOF' 2>/dev/null; then
                import sys
                from pathlib import Path
                import yaml

                workflow_path = Path(sys.argv[1])
                with workflow_path.open('r', encoding='utf-8') as f:
                    yaml.safe_load(f)
EOF
echo "✅ $(basename $workflow)" >> $GITHUB_STEP_SUMMARY echo "✅ $(basename $workflow)" >> $GITHUB_STEP_SUMMARY
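Review bot: `shopt -s nullglob` correctly stops the loop from iterating over the literal pattern when no workflow files exist (which is what the removed `2>/dev/null` was papering over), but the path is still spliced into the `python3 -c "... open('$workflow') ..."` string, so a filename containing a quote or backslash breaks the Python source instead of being loaded; pass the path as an argument (`python3 - "$workflow"` with the script on stdin, as suggested above) and quote `"$workflow"` in `$(basename $workflow)` so names with spaces print correctly in the step summary. Also consider capturing the parser's stderr into the summary rather than discarding it with `2>/dev/null`, since the ❌ line alone does not tell a maintainer what was invalid.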

View File

@@ -23,7 +23,7 @@
INGROUP: Moko-Cassiopeia.Documentation INGROUP: Moko-Cassiopeia.Documentation
REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia REPO: https://github.com/mokoconsulting-tech/moko-cassiopeia
FILE: docs/README.md FILE: docs/README.md
VERSION: 03.05.00 VERSION: 01.00.00
BRIEF: Documentation index for Moko-Cassiopeia template BRIEF: Documentation index for Moko-Cassiopeia template
PATH: /docs/README.md PATH: /docs/README.md
--> -->
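Review bot: the header `VERSION:` field moves backwards from `03.05.00` to `01.00.00`, which reads as an accidental revert rather than a deliberate change; if the docs index is meant to restart its own version sequence independently of the template, say so in the commit message or in the header comment, otherwise restore `03.05.00` (or bump it) so the documentation version stays monotonic.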