Skip to content

main-branch/security#2

Merged
donny-devops merged 15 commits into
mainfrom
master
Jun 30, 2026
Merged

main-branch/security#2
donny-devops merged 15 commits into
mainfrom
master

Conversation

@donny-devops

Copy link
Copy Markdown
Owner

No description provided.

Copilot AI review requested due to automatic review settings June 30, 2026 06:20
@qodo-code-review

Copy link
Copy Markdown

Qodo reviews are paused for this user.

Troubleshooting steps vary by plan Learn more →

On a Teams plan?
Reviews resume once this user has a paid seat and their Git account is linked in Qodo.
Link Git account →

Using GitHub Enterprise Server, GitLab Self-Managed, or Bitbucket Data Center?
These require an Enterprise plan - Contact us
Contact us →

@ecc-tools

ecc-tools Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Analyzing 200 commits...

@ecc-tools

ecc-tools Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Analysis Complete

Generated ECC bundle from 3 commits | Confidence: 50%

View Pull Request #3

Repository Profile
Attribute Value
Language Python
Framework Not detected
Commit Convention conventional
Test Directory separate
Changed Files (14)
Metric Value
Files changed 14
Additions 249
Deletions 0

Top hotspots

Path Status +/-
tools/vuln-scanner/vuln_scanner.py added +30 / -0
bots/changelog-bot/changelog_bot.py added +28 / -0
tools/secret-scanner/secret_scanner.py added +25 / -0
bots/issue-labeler/issue_labeler.py added +22 / -0
tools/registry-sync/registry_sync.py added +22 / -0

Top directories

Directory Files Total changes
.grok/agents 3 48
.grok/subagents 2 38
tools/vuln-scanner 1 30
bots/changelog-bot 1 28
tools/secret-scanner 1 25
Analysis Depth Readiness (evidence-backed, 36%)

ECC Tools uses this to decide whether recommendations should stay at commit-history/setup guidance or expand into CI, security, harness, reference-set, AI-routing, and team backlog work.

Area Status Evidence / Next Step
Commit history Partial 3 commits sampled
CI/CD signals Ready .github/workflows/secret-scan.yml
Security evidence Ready .github/workflows/secret-scan.yml, .grok/agents/security-auditor.md
Harness configuration Missing Add Claude, Codex, OpenCode, Zed, dmux, MCP, plugin, or cross-harness config evidence for harness-agnostic recommendations.
Reference/eval evidence Missing Add fixtures, golden traces, reference sets, or evaluator benchmarks so deeper recommendations have regression evidence.
AI routing and cost controls Missing Add model-routing, budget, usage, or cost-control files before relying on AI-heavy automation recommendations.
Team handoff and project tracking Missing Add roadmap, runbook, project, Linear, or follow-up tracking docs so generated work can land in a team queue.
Reference Set Readiness (1/7, 14%)
Area Status Evidence / Next Step
Deep analyzer corpus Missing Add analyzer fixture, golden, benchmark, or reference-set files that can catch analyzer regressions.
RAG/evaluator comparison Missing Add retrieval or evaluator reference-set comparison fixtures with expected ranking behavior.
PR salvage/review corpus Missing Add stale-PR, review-thread, reopen-flow, or salvage reference cases for queue cleanup automation.
Discussion triage corpus Missing Add public discussion triage fixtures, golden cases, or reference sets for informational, answered, and no-response classifications.
Harness compatibility Missing Add cross-harness, adapter-compliance, or harness-audit evidence for Claude, Codex, OpenCode, Zed, dmux, and agent surfaces.
Security evidence Present .github/workflows/secret-scan.yml, .grok/agents/security-auditor.md
CI failure-mode evidence Missing Add captured CI failure logs, dry-run fixtures, or troubleshooting docs for common workflow failure modes.
Likely Future Issues (3)
Severity Signal Why it may show up
HIGH Regression coverage may lag behind the diff 8 generic code paths changed; 0 test files changed
MEDIUM CI workflow changes may ship without failure-mode evidence 1 CI/test-runner paths changed; 0 CI failure-mode evidence artifacts changed
MEDIUM Dependency or CI drift could surface after merge CI/workflow files changed; no lockfile changes detected
  • Regression coverage may lag behind the diff: The PR changes multiple code paths but does not touch any obvious test files.
  • CI workflow changes may ship without failure-mode evidence: The PR changes CI workflows or test-runner entrypoints without touching CI failure fixtures, captured logs, troubleshooting notes, or regression evidence.
  • Dependency or CI drift could surface after merge: Package or workflow changes landed without an accompanying lockfile update, which often turns into CI or release noise later.
Suggested Follow-up Work (3)
Type Suggested title Targets
PR test: add regression coverage for bots/changelog-bot/changelog_bot.py + bots/dep-bot/dep_bot.py bots/changelog-bot/changelog_bot.py, bots/dep-bot/dep_bot.py
PR ci: add failure-mode evidence for .github/workflows/secret-scan.yml .github/workflows/secret-scan.yml
PR chore: refresh lockfile and validate CI after dependency updates .github/workflows/secret-scan.yml
  • test: add regression coverage for bots/changelog-bot/changelog_bot.py + bots/dep-bot/dep_bot.py: Backfill regression coverage before another change set lands on the touched code paths.
  • ci: add failure-mode evidence for .github/workflows/secret-scan.yml: Backfill CI failure-mode evidence before another workflow or test-runner change lands on the touched surface.
  • chore: refresh lockfile and validate CI after dependency updates: Package or workflow changes without a lockfile refresh tend to turn into noisy follow-up fixes after merge.

Copy-ready bodies

test: add regression coverage for bots/changelog-bot/changelog_bot.py + bots/dep-bot/dep_bot.py

## Summary
- Add regression coverage for the recently touched code paths before more changes stack on top.

## Why
- Backfill regression coverage before another change set lands on the touched code paths.

## Touched paths
- `bots/changelog-bot/changelog_bot.py`
- `bots/dep-bot/dep_bot.py`

## Validation
- Add or extend focused tests that exercise the touched paths.
- Run the affected test suite and verify the new coverage closes the gap.

ci: add failure-mode evidence for .github/workflows/secret-scan.yml

## Summary
- Add CI failure-mode evidence for the recently changed workflow or test-runner surface.

## Why
- Backfill CI failure-mode evidence before another workflow or test-runner change lands on the touched surface.

## Touched paths
- `.github/workflows/secret-scan.yml`

## Validation
- Add or update a CI failure fixture, captured failing log, troubleshooting note, workflow dry-run evidence, or regression test for the changed CI/test-runner behavior.
- Run the affected workflow or test-runner entrypoint locally or in CI and record pass/fail evidence.

chore: refresh lockfile and validate CI after dependency updates

## Summary
- Refresh the lockfile and rerun CI after the dependency or workflow changes in this PR.

## Why
- Package or workflow changes without a lockfile refresh tend to turn into noisy follow-up fixes after merge.

## Touched paths
- `.github/workflows/secret-scan.yml`

## Validation
- Refresh the lockfile in the same package manager used by the repo.
- Run the repo typecheck / test / CI entrypoints that depend on the updated package graph.
Detected Workflows (1)
Workflow Description
update-secret-scan-workflow Update or trigger the GitHub Actions workflow for secret scanning, typically to fix configuration, update inputs, or trigger a scan.
Generated Instincts (16)
Domain Count
git 4
code-style 9
testing 1
workflow 2

After merging, import with:

/instinct-import .claude/homunculus/instincts/inherited/loop-engineering-instincts.yaml

Files

  • .claude/ecc-tools.json
  • .claude/skills/loop-engineering/SKILL.md
  • .agents/skills/loop-engineering/SKILL.md
  • .agents/skills/loop-engineering/agents/openai.yaml
  • .claude/identity.json
  • .codex/config.toml
  • .codex/AGENTS.md
  • .codex/agents/explorer.toml
  • .codex/agents/reviewer.toml
  • .codex/agents/docs-researcher.toml
  • .claude/homunculus/instincts/inherited/loop-engineering-instincts.yaml
  • .claude/commands/update-secret-scan-workflow.md

ECC Tools | Everything Claude Code

@amazon-q-developer amazon-q-developer Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review Summary

This PR introduces automation agents and security tooling infrastructure. Found 6 blocking issues that must be resolved before merge:

Critical Issues

  • Syntax error in changelog_bot.py causing runtime crash
  • Command injection vulnerability in vuln_scanner.py using shell=True
  • Missing error handling causing crashes in multiple tools when commands fail

Required Actions

  1. Fix syntax error in changelog bot's write_text call
  2. Remove shell=True and refactor subprocess calls to use list arguments
  3. Add try-except blocks for subprocess and YAML parsing operations
  4. Ensure PyYAML is added to project dependencies

All issues have actionable fixes provided. Please address these before merging to prevent runtime failures and security risks.


You can now have the agent implement changes and create commits directly on your pull request's source branch. Simply comment with /q followed by your request in natural language to ask the agent to make changes.

@@ -0,0 +1,22 @@
#!/usr/bin/env python3
"""registry-sync: Sync patterns/registry.yaml with cron schedule truth."""
import json, pathlib, yaml, sys

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Crash Risk: Import statement includes yaml but PyYAML is not in standard library. Add PyYAML to dependencies or catch ImportError to prevent runtime crashes.

import subprocess, pathlib, re, sys

def get_commits(n=20):
out = subprocess.check_output(["git", "log", f"-n", str(n), "--pretty=format:%h %s"] , text=True)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Crash Risk: subprocess.check_output() raises CalledProcessError if git command fails or returns non-zero exit code. Add error handling to prevent crashes when git history is unavailable or command fails.

Suggested change
out = subprocess.check_output(["git", "log", f"-n", str(n), "--pretty=format:%h %s"] , text=True)
out = subprocess.check_output(["git", "log", f"-n", str(n), "--pretty=format:%h %s"], text=True, stderr=subprocess.DEVNULL)


def run(cmd):
try:
out = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT, text=True)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Security Vulnerability: Using shell=True with subprocess enables command injection attacks1. User-controlled input could execute arbitrary shell commands. Replace with shell=False and pass commands as lists.

Suggested change
out = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT, text=True)
out = subprocess.check_output(cmd, stderr=subprocess.STDOUT, text=True)

Footnotes

  1. CWE-78: OS Command Injection - https://cwe.mitre.org/data/definitions/78.html

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Micro-Learning Topic: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE 78)

Matched on "CWE-78"

What is this? (2min video)

The software constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Try a challenge in Secure Code Warrior

Helpful references
  • OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
  • OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: OS command injection (Detected by phrase)

Matched on "command injection"

What is this? (2min video)

In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.

Try a challenge in Secure Code Warrior

Helpful references
  • OWASP Command Injection - OWASP community page with comprehensive information about command injection, and links to various OWASP resources to help detect or prevent it.
  • OWASP testing for Command Injection - This article is focused on providing testing techniques for identifying command injection flaws in your applications

Micro-Learning Topic: Injection attack (Detected by phrase)

Matched on "injection attack"

Injection flaws, such as SQL, NoSQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization. Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Try a challenge in Secure Code Warrior

Helpful references

cat = categorize(msg)
sections.setdefault(cat, []).append(msg)
out = pathlib.Path("CHANGELOG.draft.md")
out.write_text("\n".join(f"## {cat}\n" + "\n".join(f"- {m}" for m in ms)) for cat, ms in sections.items())

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Syntax Error: write_text() receives a generator expression instead of a string, causing a runtime crash. The generator comprehension must be wrapped in "\n".join().

Suggested change
out.write_text("\n".join(f"## {cat}\n" + "\n".join(f"- {m}" for m in ms)) for cat, ms in sections.items())
out.write_text("\n".join("\n".join([f"## {cat}\n" + "\n".join(f"- {m}" for m in ms) for cat, ms in sections.items()])))

Comment on lines +15 to +21
leaks = run("gitleaks detect --source . --report-format json --no-git")
try:
report["secrets"] = json.loads(leaks)
except Exception:
report["secrets"] = []
# npm audit
npm = run("npm audit --json")

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Update function calls to pass commands as lists instead of strings to work with shell=False.

Suggested change
leaks = run("gitleaks detect --source . --report-format json --no-git")
try:
report["secrets"] = json.loads(leaks)
except Exception:
report["secrets"] = []
# npm audit
npm = run("npm audit --json")
leaks = run(["gitleaks", "detect", "--source", ".", "--report-format", "json", "--no-git"])
try:
report["secrets"] = json.loads(leaks)
except Exception:
report["secrets"] = []
# npm audit
npm = run(["npm", "audit", "--json"])

Comment on lines +12 to +14
data = yaml.safe_load(REGISTRY.read_text())
# Simple checker: ensure every active entry has a schedule
missing = [e["id"] for e in data.get("entries", []) if e.get("active") and not e.get("schedule")]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛑 Crash Risk: yaml.safe_load() and dictionary access can raise exceptions if file is malformed or missing expected structure. Wrap in try-except to prevent crashes.

Suggested change
data = yaml.safe_load(REGISTRY.read_text())
# Simple checker: ensure every active entry has a schedule
missing = [e["id"] for e in data.get("entries", []) if e.get("active") and not e.get("schedule")]
try:
data = yaml.safe_load(REGISTRY.read_text())
except Exception as e:
print(f"Failed to parse registry.yaml: {e}", file=sys.stderr)
sys.exit(1)
# Simple checker: ensure every active entry has a schedule
try:
missing = [e["id"] for e in data.get("entries", []) if e.get("active") and not e.get("schedule")]
except (KeyError, TypeError) as e:
print(f"Invalid registry structure: {e}", file=sys.stderr)
sys.exit(1)

@secure-code-warrior-for-github

Copy link
Copy Markdown

Micro-Learning Topic: Missing global error handler (Detected by phrase)

Matched on "Missing error handling"

What is this? (2min video)

ASP.NET applications should not set the 'customError' mode to "off" without providing a global error handler, otherwise they may leak exception information.

Try a challenge in Secure Code Warrior

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces several automation agents, subagents, bots, and tools, including a changelog bot, dependency scanner, issue labeler, document scanner, metric exporter, registry sync, and vulnerability scanners. The review feedback highlights several critical issues: a runtime TypeError in changelog_bot.py due to passing a generator to write_text(), potential JSON corruption in vuln_scanner.py from redirecting stderr to stdout, performance inefficiencies in secret_scanner.py when traversing .git and node_modules, a non-standard CODEOWNERS.md filename check in doc_scanner.py, and the use of the deprecated utcnow() method in export_metrics.py.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

cat = categorize(msg)
sections.setdefault(cat, []).append(msg)
out = pathlib.Path("CHANGELOG.draft.md")
out.write_text("\n".join(f"## {cat}\n" + "\n".join(f"- {m}" for m in ms)) for cat, ms in sections.items())

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

The pathlib.Path.write_text() method expects a string as its argument. Passing a generator expression directly will result in a TypeError: write_text() argument must be str, not generator at runtime.

To fix this, join the generated section strings into a single string using "\n\n".join(...) before writing to the file.

Suggested change
out.write_text("\n".join(f"## {cat}\n" + "\n".join(f"- {m}" for m in ms)) for cat, ms in sections.items())
out.write_text("\n\n".join(f"## {cat}\n" + "\n".join(f"- {m}" for m in ms) for cat, ms in sections.items()))

Comment on lines +5 to +10
def run(cmd):
try:
out = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT, text=True)
return out
except subprocess.CalledProcessError as e:
return e.output

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

high

Using stderr=subprocess.STDOUT redirects standard error to standard output. If gitleaks or npm audit prints any diagnostic logs, warnings, or error messages to stderr, they will be mixed into the returned out string. This will corrupt the output and cause json.loads() to fail with a JSONDecodeError, resulting in empty reports even when vulnerabilities are found.

To prevent this, redirect stderr to subprocess.DEVNULL (or handle it separately) so that only the clean standard output is captured for JSON parsing.

Suggested change
def run(cmd):
try:
out = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT, text=True)
return out
except subprocess.CalledProcessError as e:
return e.output
def run(cmd):
try:
out = subprocess.check_output(cmd, shell=True, stderr=subprocess.DEVNULL, text=True)
return out
except subprocess.CalledProcessError as e:
return e.output

Comment on lines +18 to +22
def main():
root = pathlib.Path(".")
for f in root.rglob("*"):
if f.is_file() and ".git" not in str(f) and "node_modules" not in str(f):
scan_file(f)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

Using root.rglob("*") and then filtering out .git and node_modules in Python is highly inefficient. rglob("*") will still fully traverse the .git and node_modules directories, instantiating Path objects for potentially tens of thousands of internal files, only to discard them in the if condition. This can cause severe performance issues and high CPU/IO usage in standard repositories.

Instead, use os.walk and prune the dirs list in-place to prevent traversing into these directories entirely.

Suggested change
def main():
root = pathlib.Path(".")
for f in root.rglob("*"):
if f.is_file() and ".git" not in str(f) and "node_modules" not in str(f):
scan_file(f)
def main():
import os
for root, dirs, files in os.walk("."):
dirs[:] = [d for d in dirs if d not in (".git", "node_modules")]
for f in files:
scan_file(pathlib.Path(root) / f)

"""doc-scanner: Check required docs and report gaps."""
import pathlib, sys

REQUIRED = ["README.md","SECURITY.md","CHANGELOG.md","CONTRIBUTING.md","CODEOWNERS.md","STATE.md"]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

GitHub's standard code owners file is named CODEOWNERS (without any file extension) and is typically located in the root directory or the .github/ directory. Checking for CODEOWNERS.md is non-standard and will cause the document scanner to fail on standard repositories that use the correct CODEOWNERS filename.

Suggested change
REQUIRED = ["README.md","SECURITY.md","CHANGELOG.md","CONTRIBUTING.md","CODEOWNERS.md","STATE.md"]
REQUIRED = ["README.md","SECURITY.md","CHANGELOG.md","CONTRIBUTING.md","CODEOWNERS","STATE.md"]

"""metric-exporter: Emit loop metrics as JSON."""
import json, pathlib, datetime
report = {
"timestamp": datetime.datetime.utcnow().isoformat() + "Z",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

datetime.datetime.utcnow() is deprecated starting in Python 3.12 and may be removed in a future version. It is recommended to use timezone-aware datetime objects instead.

Use datetime.datetime.now(datetime.timezone.utc) to get the current UTC time in a timezone-aware manner.

Suggested change
"timestamp": datetime.datetime.utcnow().isoformat() + "Z",
"timestamp": datetime.datetime.now(datetime.timezone.utc).isoformat().replace("+00:00", "Z"),

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review


P1 Badge Remove control bytes from secret-scan workflow

When this workflow is loaded, the trailing NUL/control bytes added after the GITHUB_TOKEN line make the file invalid YAML; I checked the modified .github/workflows/secret-scan.yml with a YAML parser and it fails before loading, while the parent version parsed. On push/PR events GitHub Actions will not be able to load the gitleaks workflow until these bytes are removed.

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +18 to +19
except Exception:
report["secrets"] = []

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Report gitleaks failures instead of clearing them

When gitleaks detect is missing or exits before producing valid JSON, run() returns the error text and this handler converts the parse failure into []. That makes vuln-report.json look like a clean secret scan even though gitleaks never completed, so automation relying on this scanner can pass with secrets unchecked; preserve/report the command failure instead of treating non-JSON output as no findings.

Useful? React with 👍 / 👎.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds a set of new repo automation scripts (security/vulnerability scanning, doc checks, metrics export, registry validation) plus new .grok agent/subagent definitions intended to support security and operational workflows in the loop-engineering repository.

Changes:

  • Added Python CLI-style utilities under tools/ for vuln scanning, secret scanning, doc scanning, registry checks, and metrics export.
  • Added automation “bots” under bots/ for issue labeling, dependency scanning, and changelog drafting.
  • Added .grok agent/subagent markdown definitions for triage and scanning workers.

Reviewed changes

Copilot reviewed 13 out of 14 changed files in this pull request and generated 20 comments.

Show a summary per file
File Description
tools/vuln-scanner/vuln_scanner.py Aggregates gitleaks/npm/pip signals into a JSON report.
tools/secret-scanner/secret_scanner.py Heuristic secret keyword scanner across repo files.
tools/registry-sync/registry_sync.py Validates that active registry entries have schedules.
tools/metric-exporter/export_metrics.py Emits metrics JSON output for loop operations.
tools/doc-scanner/doc_scanner.py Checks for presence of required docs files.
bots/issue-labeler/issue_labeler.py Labels issues based on keyword regex matches.
bots/dep-bot/dep_bot.py Writes a dependency update “approval required” report.
bots/changelog-bot/changelog_bot.py Drafts a changelog file based on recent git commits.
.grok/subagents/triage-worker.md Defines a triage subagent configuration.
.grok/subagents/scan-worker.md Defines a scanning subagent configuration.
.grok/agents/security-auditor.md Defines a security auditing agent configuration.
.grok/agents/loop-engineer.md Defines the primary engineering agent configuration.
.grok/agents/devops-automator.md Defines a devops automation agent configuration.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@@ -0,0 +1,30 @@
#!/usr/bin/env python3
Comment on lines +5 to +27
def run(cmd):
try:
out = subprocess.check_output(cmd, shell=True, stderr=subprocess.STDOUT, text=True)
return out
except subprocess.CalledProcessError as e:
return e.output

def main():
report = {"secrets": None, "npm": None, "pip": None}
# gitleaks json report
leaks = run("gitleaks detect --source . --report-format json --no-git")
try:
report["secrets"] = json.loads(leaks)
except Exception:
report["secrets"] = []
# npm audit
npm = run("npm audit --json")
try:
report["npm"] = json.loads(npm)
except Exception:
report["npm"] = {}
pathlib.Path("vuln-report.json").write_text(json.dumps(report, indent=2))
print("Wrote vuln-report.json")
@@ -0,0 +1,25 @@
#!/usr/bin/env python3
Comment on lines +20 to +22
for f in root.rglob("*"):
if f.is_file() and ".git" not in str(f) and "node_modules" not in str(f):
scan_file(f)
@@ -0,0 +1,22 @@
#!/usr/bin/env python3
@@ -0,0 +1,19 @@
---
@@ -0,0 +1,19 @@
---
@@ -0,0 +1,17 @@
---
Comment thread .grok/agents/loop-engineer.md Outdated
@@ -0,0 +1,16 @@
---
Comment thread .grok/agents/devops-automator.md Outdated
@@ -0,0 +1,15 @@
---
@github-advanced-security

Copy link
Copy Markdown

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

@gitguardian

gitguardian Bot commented Jun 30, 2026

Copy link
Copy Markdown

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

🔎 Detected hardcoded secret in your pull request
GitGuardian id GitGuardian status Secret Commit Filename
34396067 Triggered GitHub Fine Grained Personal Access Token 1a094b2 .github/workflows/secret-scan.yml View secret
🛠 Guidelines to remediate hardcoded secrets
  1. Understand the implications of revoking this secret by investigating where it is used in your code.
  2. Replace and store your secret safely. Learn here the best practices.
  3. Revoke and rotate this secret.
  4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider


🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.

@sonarqubecloud

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
E Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

@donny-devops donny-devops merged commit bbdd99e into main Jun 30, 2026
8 of 15 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants