Show 95 actionable findings
Finding 1: B310
- Severity: HIGH
- Scanner: bandit
- Rule ID: B310
- Location: samples/llm-council/infra-cdk/lambdas/zip-packager/index.py:62-64
Description:
Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
Code Snippet:
)
urllib.request.urlopen(req)
Finding 2: CKV_DOCKER_3
- Severity: HIGH
- Scanner: checkov
- Rule ID: CKV_DOCKER_3
- Location: samples/copilotkit-generative-ui/docker/Dockerfile.bridge.dev:1-7
Description:
Ensure that a user for the container has been created
Code Snippet:
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
CMD ["node", "dist/server.js"]
Finding 3: CKV_DOCKER_2
- Severity: HIGH
- Scanner: checkov
- Rule ID: CKV_DOCKER_2
- Location: samples/copilotkit-generative-ui/docker/Dockerfile.bridge.dev:1-7
Description:
Ensure that HEALTHCHECK instructions have been added to container images
Code Snippet:
FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
CMD ["node", "dist/server.js"]
Finding 4: CKV_DOCKER_3
- Severity: HIGH
- Scanner: checkov
- Rule ID: CKV_DOCKER_3
- Location: samples/copilotkit-generative-ui/docker/Dockerfile.frontend.dev:1-21
Description:
Ensure that a user for the container has been created
Code Snippet:
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
FROM node:20-alpine
WORKDIR /app
# Copy package files
COPY package*.json ./
# Install dependencies
RUN npm install
# Copy source code
COPY . .
# Expose port
EXPOSE 3000
# Start development server (--host exposes to Docker network)
CMD ["npm", "run", "dev", "--", "--host"]
Finding 5: CKV_DOCKER_2
- Severity: HIGH
- Scanner: checkov
- Rule ID: CKV_DOCKER_2
- Location: samples/copilotkit-generative-ui/docker/Dockerfile.frontend.dev:1-21
Description:
Ensure that HEALTHCHECK instructions have been added to container images
Code Snippet:
# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0
FROM node:20-alpine
WORKDIR /app
# Copy package files
COPY package*.json ./
# Install dependencies
RUN npm install
# Copy source code
COPY . .
# Expose port
EXPOSE 3000
# Start development server (--host exposes to Docker network)
CMD ["npm", "run", "dev", "--", "--host"]
Finding 6: CKV_DOCKER_2
- Severity: HIGH
- Scanner: checkov
- Rule ID: CKV_DOCKER_2
- Location: samples/llm-council/patterns/llm-council-agent/Dockerfile:1-22
Description:
Ensure that HEALTHCHECK instructions have been added to container images
Code Snippet:
FROM public.ecr.aws/docker/library/python:3.13-slim
WORKDIR /app
# Copy and install agent-specific requirements
COPY patterns/llm-council-agent/requirements.txt requirements.txt
RUN pip install --no-cache-dir -r requirements.txt
# Copy shared utilities
COPY gateway/ gateway/
COPY tools/ tools/
# Copy the agent code as a package
COPY patterns/llm-council-agent/ llm_council_agent/
# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore
EXPOSE 8080
CMD ["python", "-m", "llm_council_agent.council_agent"]
Finding 7: SECRET-HEX-HIGH-ENTROPY-STRING
- Severity: HIGH
- Scanner: detect-secrets
- Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
- Location: ash-output.log:2022
Description:
Secret of type 'Hex High Entropy String' detected in file 'ash-output.log' at line 2022
Code Snippet:
Secret of type Hex High Entropy String detected
Finding 8: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/ash-full-repository-scan.yml:20
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/checkout@v4
Finding 9: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/ash-full-repository-scan.yml:25
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/setup-python@v5
Finding 10: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/ash-full-repository-scan.yml:115
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/upload-artifact@v4
Finding 11: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/ash-full-repository-scan.yml:126
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/github-script@v7
Finding 12: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/ash-security-comment.yml:51
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/github-script@v7
Finding 13: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/ash-security-scan.yml:16
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
- uses: actions/checkout@v4
Finding 14: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/ash-security-scan.yml:52
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/setup-python@v5
Finding 15: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/ash-security-scan.yml:219
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/upload-artifact@v4
Finding 16: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/dependabot.yml:18
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: dependabot/fetch-metadata@v2
Finding 17: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/js-lint.yml:17
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/checkout@v4
Finding 18: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/js-lint.yml:34
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/setup-node@v4
Finding 19: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/label.yml:16
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
- uses: actions/labeler@v5
Finding 20: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/python-lint.yml:17
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/checkout@v4
Finding 21: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/python-lint.yml:28
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: actions/setup-python@v5
Finding 22: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/python-lint.yml:34
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: astral-sh/setup-uv@v3
Finding 23: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Severity: HIGH
- Scanner: opengrep
- Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
- Location: .github/workflows/repo-stats.yml:18
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.
Code Snippet:
uses: jgehrcke/github-repo-stats@RELEASE
Finding 24: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode
- Severity: HIGH
- Scanner: opengrep
- Rule ID: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode
- Location: samples/copilotkit-generative-ui/agents/utils/auth.py:62
Description:
Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.
Code Snippet:
options={"verify_signature": False},
Finding 25: javascript.lang.security.detect-child-process.detect-child-process
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.detect-child-process.detect-child-process
- Location: samples/copilotkit-generative-ui/infra-cdk/lib/backend-stack.ts:396
Description:
Detected calls to child_process from a function argument outputDir. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.
Code Snippet:
`cp -R dist node_modules package.json package-lock.json ${outputDir}/`,
Finding 26: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Location: samples/copilotkit-generative-ui/infra-cdk/lib/utils/config-manager.ts:50
Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Code Snippet:
const configPath = path.join(__dirname, "..", "..", "..", configFile);
Finding 27: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
- Location: samples/copilotkit-generative-ui/infra-cdk/lib/utils/config-manager.ts:135
Description:
Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
Code Snippet:
Finding 28: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
- Location: samples/dual-monitoring-system/frontend/src/components/evaluations/DashboardView.tsx:116
Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.
Code Snippet:
console.log(`Metrics response for ${configName}:`, {
Finding 29: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
- Location: samples/dual-monitoring-system/frontend/src/components/evaluations/DashboardView.tsx:137
Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.
Code Snippet:
console.log(`Failed to load metrics for config ${configId}:`, metricsError)
Finding 30: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
- Severity: HIGH
- Scanner: opengrep
- Rule ID: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
- Location: samples/llm-council/infra-cdk/lambdas/zip-packager/index.py:63
Description:
Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.
Code Snippet:
urllib.request.urlopen(req)
Finding 31: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:124
Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Code Snippet:
const patternDir = path.join(repoRoot, "patterns", pattern)
Finding 32: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:152
Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Code Snippet:
const content = fs.readFileSync(path.join(patternDir, file))
Finding 33: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:152
Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Code Snippet:
const content = fs.readFileSync(path.join(patternDir, file))
Finding 34: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:166
Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Code Snippet:
const requirementsPath = path.join(patternDir, "requirements.txt")
Finding 35: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:796
Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Code Snippet:
const fullPath = path.join(dirPath, entry.name)
Finding 36: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:796
Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Code Snippet:
const fullPath = path.join(dirPath, entry.name)
Finding 37: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:797
Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Code Snippet:
const relativePath = path.join(prefix, entry.name)
Finding 38: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:797
Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Code Snippet:
const relativePath = path.join(prefix, entry.name)
Finding 39: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
- Location: samples/llm-council/infra-cdk/lib/utils/config-manager.ts:32
Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.
Code Snippet:
const configPath = path.join(__dirname, "..", "..", configFile)
Finding 40: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
- Severity: HIGH
- Scanner: opengrep
- Rule ID: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
- Location: samples/llm-council/infra-cdk/lib/utils/config-manager.ts:82
Description:
Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
Code Snippet:
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files
- Location: .github/workflows/js-lint.yml:1
Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/js-lint.yml
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files
- Location: .github/workflows/python-lint.yml:1
Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/python-lint.yml
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-mcph-m25j-8j63-tj-actions/changed-files
- Location: .github/workflows/js-lint.yml:1
Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/js-lint.yml
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-mcph-m25j-8j63-tj-actions/changed-files
- Location: .github/workflows/python-lint.yml:1
Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/python-lint.yml
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-r5fr-rjxr-66jc-lodash
- Location: samples/llm-council/frontend/package-lock.json:1
Description:
A high vulnerability in npm package: lodash, version 4.17.23 was found at: /samples/llm-council/frontend/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-999r-qq7v-r334-aws-cdk-lib
- Location: samples/copilotkit-generative-ui/infra-cdk/package-lock.json:1
Description:
A high vulnerability in npm package: aws-cdk-lib, version 2.245.0 was found at: /samples/copilotkit-generative-ui/infra-cdk/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-jmr7-xgp7-cmfj-fast-xml-parser
- Location: samples/llm-council/infra-cdk/package-lock.json:1
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-jmr7-xgp7-cmfj-fast-xml-parser
- Location: samples/llm-council/frontend/package-lock.json:1
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.4 was found at: /samples/llm-council/frontend/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-jmr7-xgp7-cmfj-fast-xml-parser
- Location: samples/llm-council/frontend/package-lock.json:1
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.5 was found at: /samples/llm-council/frontend/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-8gc5-j5rx-235r-fast-xml-parser
- Location: samples/llm-council/infra-cdk/package-lock.json:1
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-8gc5-j5rx-235r-fast-xml-parser
- Location: samples/llm-council/frontend/package-lock.json:1
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.4 was found at: /samples/llm-council/frontend/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-8gc5-j5rx-235r-fast-xml-parser
- Location: samples/llm-council/frontend/package-lock.json:1
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.5 was found at: /samples/llm-council/frontend/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-37qj-frw5-hhjh-fast-xml-parser
- Location: samples/llm-council/infra-cdk/package-lock.json:1
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-m7jm-9gc2-mpf2-fast-xml-parser
- Location: samples/llm-council/infra-cdk/package-lock.json:1
Description:
A critical vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-m7jm-9gc2-mpf2-fast-xml-parser
- Location: samples/llm-council/frontend/package-lock.json:1
Description:
A critical vulnerability in npm package: fast-xml-parser, version 5.3.4 was found at: /samples/llm-council/frontend/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-96hv-2xvq-fx4p-ws
- Location: samples/copilotkit-generative-ui/infra-cdk/lambdas/copilotkit-runtime/package-lock.json:1
Description:
A high vulnerability in npm package: ws, version 8.20.1 was found at: /samples/copilotkit-generative-ui/infra-cdk/lambdas/copilotkit-runtime/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-q3j6-qgpj-74h6-fast-uri
- Location: samples/llm-council/infra-cdk/package-lock.json:1
Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/llm-council/infra-cdk/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-q3j6-qgpj-74h6-fast-uri
- Location: samples/dual-monitoring-system/infra-cdk/package-lock.json:1
Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/dual-monitoring-system/infra-cdk/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-q3j6-qgpj-74h6-fast-uri
- Location: samples/copilotkit-generative-ui/infra-cdk/package-lock.json:1
Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/copilotkit-generative-ui/infra-cdk/package-lock.json
- Severity: HIGH
- Scanner: grype
- Rule ID: GHSA-q3j6-qgpj-74h6-fast-uri
- Location: samples/restaurant-assistant/infra-cdk/package-lock.json:1
Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/restaurant-assistant/infra-cdk/package-lock.json
This issue was automatically created by the monthly security scan workflow.
ASH Security Scan - Full Repository Report
Scan Date: 2026-07-01T03:19:43+00:00
Trigger: schedule
Type: Monthly scheduled scan
Scanner Results Summary
Status:⚠️ Security findings detected
Detailed Findings
Detailed Findings
Show 95 actionable findings
Finding 1: B310
Description:
Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.
Code Snippet:
Finding 2: CKV_DOCKER_3
Description:
Ensure that a user for the container has been created
Code Snippet:
Finding 3: CKV_DOCKER_2
Description:
Ensure that HEALTHCHECK instructions have been added to container images
Code Snippet:
Finding 4: CKV_DOCKER_3
Description:
Ensure that a user for the container has been created
Code Snippet:
Finding 5: CKV_DOCKER_2
Description:
Ensure that HEALTHCHECK instructions have been added to container images
Code Snippet:
Finding 6: CKV_DOCKER_2
Description:
Ensure that HEALTHCHECK instructions have been added to container images
Code Snippet:
Finding 7: SECRET-HEX-HIGH-ENTROPY-STRING
Description:
Secret of type 'Hex High Entropy String' detected in file 'ash-output.log' at line 2022
Code Snippet:
Finding 8: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 9: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 10: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 11: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 12: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 13: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 14: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 15: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 16: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 17: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 18: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 19: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 20: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 21: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 22: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 23: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g.
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.Code Snippet:
Finding 24: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode
Description:
Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.
Code Snippet:
Finding 25: javascript.lang.security.detect-child-process.detect-child-process
Description:
Detected calls to child_process from a function argument
outputDir. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.Code Snippet:
Finding 26: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Description:
Detected possible user input going into a
path.joinorpath.resolvefunction. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.Code Snippet:
Finding 27: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
Description:
Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
Code Snippet:
Finding 28: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.
Code Snippet:
Finding 29: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.
Code Snippet:
Finding 30: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
Description:
Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.
Code Snippet:
Finding 31: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Description:
Detected possible user input going into a
path.joinorpath.resolvefunction. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.Code Snippet:
Finding 32: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Description:
Detected possible user input going into a
path.joinorpath.resolvefunction. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.Code Snippet:
Finding 33: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Description:
Detected possible user input going into a
path.joinorpath.resolvefunction. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.Code Snippet:
Finding 34: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Description:
Detected possible user input going into a
path.joinorpath.resolvefunction. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.Code Snippet:
Finding 35: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Description:
Detected possible user input going into a
path.joinorpath.resolvefunction. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.Code Snippet:
Finding 36: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Description:
Detected possible user input going into a
path.joinorpath.resolvefunction. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.Code Snippet:
Finding 37: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Description:
Detected possible user input going into a
path.joinorpath.resolvefunction. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.Code Snippet:
Finding 38: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Description:
Detected possible user input going into a
path.joinorpath.resolvefunction. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.Code Snippet:
Finding 39: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
Description:
Detected possible user input going into a
path.joinorpath.resolvefunction. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.Code Snippet:
Finding 40: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
Description:
Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.
Code Snippet:
Finding 41: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files
Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/js-lint.yml
Finding 42: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files
Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/python-lint.yml
Finding 43: GHSA-mcph-m25j-8j63-tj-actions/changed-files
Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/js-lint.yml
Finding 44: GHSA-mcph-m25j-8j63-tj-actions/changed-files
Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/python-lint.yml
Finding 45: GHSA-r5fr-rjxr-66jc-lodash
Description:
A high vulnerability in npm package: lodash, version 4.17.23 was found at: /samples/llm-council/frontend/package-lock.json
Finding 46: GHSA-999r-qq7v-r334-aws-cdk-lib
Description:
A high vulnerability in npm package: aws-cdk-lib, version 2.245.0 was found at: /samples/copilotkit-generative-ui/infra-cdk/package-lock.json
Finding 47: GHSA-jmr7-xgp7-cmfj-fast-xml-parser
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json
Finding 48: GHSA-jmr7-xgp7-cmfj-fast-xml-parser
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.4 was found at: /samples/llm-council/frontend/package-lock.json
Finding 49: GHSA-jmr7-xgp7-cmfj-fast-xml-parser
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.5 was found at: /samples/llm-council/frontend/package-lock.json
Finding 50: GHSA-8gc5-j5rx-235r-fast-xml-parser
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json
Finding 51: GHSA-8gc5-j5rx-235r-fast-xml-parser
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.4 was found at: /samples/llm-council/frontend/package-lock.json
Finding 52: GHSA-8gc5-j5rx-235r-fast-xml-parser
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.5 was found at: /samples/llm-council/frontend/package-lock.json
Finding 53: GHSA-37qj-frw5-hhjh-fast-xml-parser
Description:
A high vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json
Finding 54: GHSA-m7jm-9gc2-mpf2-fast-xml-parser
Description:
A critical vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json
Finding 55: GHSA-m7jm-9gc2-mpf2-fast-xml-parser
Description:
A critical vulnerability in npm package: fast-xml-parser, version 5.3.4 was found at: /samples/llm-council/frontend/package-lock.json
Finding 56: GHSA-96hv-2xvq-fx4p-ws
Description:
A high vulnerability in npm package: ws, version 8.20.1 was found at: /samples/copilotkit-generative-ui/infra-cdk/lambdas/copilotkit-runtime/package-lock.json
Finding 57: GHSA-q3j6-qgpj-74h6-fast-uri
Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/llm-council/infra-cdk/package-lock.json
Finding 58: GHSA-q3j6-qgpj-74h6-fast-uri
Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/dual-monitoring-system/infra-cdk/package-lock.json
Finding 59: GHSA-q3j6-qgpj-74h6-fast-uri
Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/copilotkit-generative-ui/infra-cdk/package-lock.json
Finding 60: GHSA-q3j6-qgpj-74h6-fast-uri
Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/restaurant-assistant/infra-cdk/package-lock.json
Finding 61: GHSA-f886-m6hf-6m8v-brace-expansion
This issue was automatically created by the monthly security scan workflow.