Skip to content

🔒 ASH Security Scan - Monthly Report (2026-07-01) #100

Description

@github-actions

ASH Security Scan - Full Repository Report

Scan Date: 2026-07-01T03:19:43+00:00
Trigger: schedule
Type: Monthly scheduled scan

Scanner Results Summary

Scanner S C H M L I Time Action Result Thresh
bandit 0 1 0 0 120 0 2.1s 1 FAILED MED (g)
cdk-nag 0 0 0 0 0 0 31.6s 0 PASSED MED (g)
cfn-nag 0 0 0 0 0 0 23.7s 0 PASSED MED (g)
checkov 0 5 0 0 0 0 15.5s 5 FAILED MED (g)
detect-se… 0 1 0 0 0 0 20.7s 1 FAILED MED (g)
grype 0 25 0 30 4 0 1m 1s 55 FAILED MED (g)
npm-audit 0 0 0 0 0 0 6.7s 0 PASSED MED (g)
opengrep 25 33 0 0 0 0 38.8s 33 FAILED MED (g)
semgrep 0 0 0 0 0 0 <1ms 0 MISSING MED (g)
syft 0 0 0 0 0 0 2.8s 0 PASSED MED (g)

Status: ⚠️ Security findings detected

Detailed Findings

Detailed Findings

Show 95 actionable findings

Finding 1: B310

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B310
  • Location: samples/llm-council/infra-cdk/lambdas/zip-packager/index.py:62-64

Description:
Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.

Code Snippet:

)
    urllib.request.urlopen(req)

Finding 2: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: samples/copilotkit-generative-ui/docker/Dockerfile.bridge.dev:1-7

Description:
Ensure that a user for the container has been created

Code Snippet:

FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
CMD ["node", "dist/server.js"]

Finding 3: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: samples/copilotkit-generative-ui/docker/Dockerfile.bridge.dev:1-7

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM node:20-alpine
WORKDIR /app
COPY package*.json ./
RUN npm ci
COPY . .
RUN npm run build
CMD ["node", "dist/server.js"]

Finding 4: CKV_DOCKER_3

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_3
  • Location: samples/copilotkit-generative-ui/docker/Dockerfile.frontend.dev:1-21

Description:
Ensure that a user for the container has been created

Code Snippet:

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

FROM node:20-alpine

WORKDIR /app

# Copy package files
COPY package*.json ./

# Install dependencies
RUN npm install

# Copy source code
COPY . .

# Expose port
EXPOSE 3000

# Start development server (--host exposes to Docker network)
CMD ["npm", "run", "dev", "--", "--host"]

Finding 5: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: samples/copilotkit-generative-ui/docker/Dockerfile.frontend.dev:1-21

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

# Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
# SPDX-License-Identifier: Apache-2.0

FROM node:20-alpine

WORKDIR /app

# Copy package files
COPY package*.json ./

# Install dependencies
RUN npm install

# Copy source code
COPY . .

# Expose port
EXPOSE 3000

# Start development server (--host exposes to Docker network)
CMD ["npm", "run", "dev", "--", "--host"]

Finding 6: CKV_DOCKER_2

  • Severity: HIGH
  • Scanner: checkov
  • Rule ID: CKV_DOCKER_2
  • Location: samples/llm-council/patterns/llm-council-agent/Dockerfile:1-22

Description:
Ensure that HEALTHCHECK instructions have been added to container images

Code Snippet:

FROM public.ecr.aws/docker/library/python:3.13-slim

WORKDIR /app

# Copy and install agent-specific requirements
COPY patterns/llm-council-agent/requirements.txt requirements.txt
RUN pip install --no-cache-dir -r requirements.txt

# Copy shared utilities
COPY gateway/ gateway/
COPY tools/ tools/

# Copy the agent code as a package
COPY patterns/llm-council-agent/ llm_council_agent/

# Create non-root user
RUN useradd -m -u 1000 bedrock_agentcore
USER bedrock_agentcore

EXPOSE 8080

CMD ["python", "-m", "llm_council_agent.council_agent"]

Finding 7: SECRET-HEX-HIGH-ENTROPY-STRING

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-HEX-HIGH-ENTROPY-STRING
  • Location: ash-output.log:2022

Description:
Secret of type 'Hex High Entropy String' detected in file 'ash-output.log' at line 2022

Code Snippet:

Secret of type Hex High Entropy String detected

Finding 8: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/ash-full-repository-scan.yml:20

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/checkout@v4

Finding 9: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/ash-full-repository-scan.yml:25

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/setup-python@v5

Finding 10: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/ash-full-repository-scan.yml:115

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/upload-artifact@v4

Finding 11: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/ash-full-repository-scan.yml:126

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/github-script@v7

Finding 12: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/ash-security-comment.yml:51

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/github-script@v7

Finding 13: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/ash-security-scan.yml:16

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

- uses: actions/checkout@v4

Finding 14: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/ash-security-scan.yml:52

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/setup-python@v5

Finding 15: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/ash-security-scan.yml:219

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/upload-artifact@v4

Finding 16: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/dependabot.yml:18

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: dependabot/fetch-metadata@v2

Finding 17: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/js-lint.yml:17

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/checkout@v4

Finding 18: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/js-lint.yml:34

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/setup-node@v4

Finding 19: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/label.yml:16

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

- uses: actions/labeler@v5

Finding 20: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/python-lint.yml:17

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/checkout@v4

Finding 21: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/python-lint.yml:28

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: actions/setup-python@v5

Finding 22: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/python-lint.yml:34

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: astral-sh/setup-uv@v3

Finding 23: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: yaml.github-actions.security.github-actions-mutable-action-tag.github-actions-mutable-action-tag
  • Location: .github/workflows/repo-stats.yml:18

Description:
GitHub Actions step uses a mutable tag or branch reference. Tags and branch names can be silently repointed by the action owner, enabling supply-chain attacks — as seen in the trivy-action and kics-github-action compromises. Pin the reference to a full 40-character commit SHA instead, e.g. uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608.

Code Snippet:

uses: jgehrcke/github-repo-stats@RELEASE

Finding 24: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: python.jwt.security.unverified-jwt-decode.unverified-jwt-decode
  • Location: samples/copilotkit-generative-ui/agents/utils/auth.py:62

Description:
Detected JWT token decoded with 'verify=False'. This bypasses any integrity checks for the token which means the token could be tampered with by malicious actors. Ensure that the JWT token is verified.

Code Snippet:

options={"verify_signature": False},

Finding 25: javascript.lang.security.detect-child-process.detect-child-process

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.detect-child-process.detect-child-process
  • Location: samples/copilotkit-generative-ui/infra-cdk/lib/backend-stack.ts:396

Description:
Detected calls to child_process from a function argument outputDir. This could lead to a command injection if the input is user controllable. Try to avoid calls to child_process, and if it is needed ensure user input is correctly sanitized or sandboxed.

Code Snippet:

`cp -R dist node_modules package.json package-lock.json ${outputDir}/`,

Finding 26: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
  • Location: samples/copilotkit-generative-ui/infra-cdk/lib/utils/config-manager.ts:50

Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Code Snippet:

const configPath = path.join(__dirname, "..", "..", "..", configFile);

Finding 27: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
  • Location: samples/copilotkit-generative-ui/infra-cdk/lib/utils/config-manager.ts:135

Description:
Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.

Code Snippet:

value = value[k];

Finding 28: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: samples/dual-monitoring-system/frontend/src/components/evaluations/DashboardView.tsx:116

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.log(`Metrics response for ${configName}:`, {

Finding 29: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.unsafe-formatstring.unsafe-formatstring
  • Location: samples/dual-monitoring-system/frontend/src/components/evaluations/DashboardView.tsx:137

Description:
Detected string concatenation with a non-literal variable in a util.format / console.log function. If an attacker injects a format specifier in the string, it will forge the log message. Try to use constant values for the format string.

Code Snippet:

console.log(`Failed to load metrics for config ${configId}:`, metricsError)

Finding 30: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: python.lang.security.audit.dynamic-urllib-use-detected.dynamic-urllib-use-detected
  • Location: samples/llm-council/infra-cdk/lambdas/zip-packager/index.py:63

Description:
Detected a dynamic value being used with urllib. urllib supports 'file://' schemes, so a dynamic value controlled by a malicious actor may allow them to read arbitrary files. Audit uses of urllib calls to ensure user data cannot control the URLs, or consider using the 'requests' library instead.

Code Snippet:

urllib.request.urlopen(req)

Finding 31: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
  • Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:124

Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Code Snippet:

const patternDir = path.join(repoRoot, "patterns", pattern)

Finding 32: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
  • Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:152

Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Code Snippet:

const content = fs.readFileSync(path.join(patternDir, file))

Finding 33: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
  • Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:152

Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Code Snippet:

const content = fs.readFileSync(path.join(patternDir, file))

Finding 34: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
  • Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:166

Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Code Snippet:

const requirementsPath = path.join(patternDir, "requirements.txt")

Finding 35: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
  • Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:796

Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Code Snippet:

const fullPath = path.join(dirPath, entry.name)

Finding 36: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
  • Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:796

Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Code Snippet:

const fullPath = path.join(dirPath, entry.name)

Finding 37: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
  • Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:797

Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Code Snippet:

const relativePath = path.join(prefix, entry.name)

Finding 38: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
  • Location: samples/llm-council/infra-cdk/lib/backend-stack.ts:797

Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Code Snippet:

const relativePath = path.join(prefix, entry.name)

Finding 39: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.path-traversal.path-join-resolve-traversal.path-join-resolve-traversal
  • Location: samples/llm-council/infra-cdk/lib/utils/config-manager.ts:32

Description:
Detected possible user input going into a path.join or path.resolve function. This could possibly lead to a path traversal vulnerability, where the attacker can access arbitrary files stored in the file system. Instead, be sure to sanitize or validate user input first.

Code Snippet:

const configPath = path.join(__dirname, "..", "..", configFile)

Finding 40: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop

  • Severity: HIGH
  • Scanner: opengrep
  • Rule ID: javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
  • Location: samples/llm-council/infra-cdk/lib/utils/config-manager.ts:82

Description:
Possibility of prototype polluting function detected. By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations might be: freezing the object prototype, using an object without prototypes (via Object.create(null) ), blocking modifications of attributes that resolve to object prototype, using Map instead of object.

Code Snippet:

value = value[k]

Finding 41: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files
  • Location: .github/workflows/js-lint.yml:1

Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/js-lint.yml


Finding 42: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-mrrh-fwg8-r2c3-tj-actions/changed-files
  • Location: .github/workflows/python-lint.yml:1

Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/python-lint.yml


Finding 43: GHSA-mcph-m25j-8j63-tj-actions/changed-files

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-mcph-m25j-8j63-tj-actions/changed-files
  • Location: .github/workflows/js-lint.yml:1

Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/js-lint.yml


Finding 44: GHSA-mcph-m25j-8j63-tj-actions/changed-files

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-mcph-m25j-8j63-tj-actions/changed-files
  • Location: .github/workflows/python-lint.yml:1

Description:
A high vulnerability in github-action package: tj-actions/changed-files, version ed68ef82c095e0d48ec87eccea555d944a631a4c was found at: /.github/workflows/python-lint.yml


Finding 45: GHSA-r5fr-rjxr-66jc-lodash

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-r5fr-rjxr-66jc-lodash
  • Location: samples/llm-council/frontend/package-lock.json:1

Description:
A high vulnerability in npm package: lodash, version 4.17.23 was found at: /samples/llm-council/frontend/package-lock.json


Finding 46: GHSA-999r-qq7v-r334-aws-cdk-lib

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-999r-qq7v-r334-aws-cdk-lib
  • Location: samples/copilotkit-generative-ui/infra-cdk/package-lock.json:1

Description:
A high vulnerability in npm package: aws-cdk-lib, version 2.245.0 was found at: /samples/copilotkit-generative-ui/infra-cdk/package-lock.json


Finding 47: GHSA-jmr7-xgp7-cmfj-fast-xml-parser

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-jmr7-xgp7-cmfj-fast-xml-parser
  • Location: samples/llm-council/infra-cdk/package-lock.json:1

Description:
A high vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json


Finding 48: GHSA-jmr7-xgp7-cmfj-fast-xml-parser

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-jmr7-xgp7-cmfj-fast-xml-parser
  • Location: samples/llm-council/frontend/package-lock.json:1

Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.4 was found at: /samples/llm-council/frontend/package-lock.json


Finding 49: GHSA-jmr7-xgp7-cmfj-fast-xml-parser

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-jmr7-xgp7-cmfj-fast-xml-parser
  • Location: samples/llm-council/frontend/package-lock.json:1

Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.5 was found at: /samples/llm-council/frontend/package-lock.json


Finding 50: GHSA-8gc5-j5rx-235r-fast-xml-parser

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-8gc5-j5rx-235r-fast-xml-parser
  • Location: samples/llm-council/infra-cdk/package-lock.json:1

Description:
A high vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json


Finding 51: GHSA-8gc5-j5rx-235r-fast-xml-parser

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-8gc5-j5rx-235r-fast-xml-parser
  • Location: samples/llm-council/frontend/package-lock.json:1

Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.4 was found at: /samples/llm-council/frontend/package-lock.json


Finding 52: GHSA-8gc5-j5rx-235r-fast-xml-parser

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-8gc5-j5rx-235r-fast-xml-parser
  • Location: samples/llm-council/frontend/package-lock.json:1

Description:
A high vulnerability in npm package: fast-xml-parser, version 5.3.5 was found at: /samples/llm-council/frontend/package-lock.json


Finding 53: GHSA-37qj-frw5-hhjh-fast-xml-parser

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-37qj-frw5-hhjh-fast-xml-parser
  • Location: samples/llm-council/infra-cdk/package-lock.json:1

Description:
A high vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json


Finding 54: GHSA-m7jm-9gc2-mpf2-fast-xml-parser

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-m7jm-9gc2-mpf2-fast-xml-parser
  • Location: samples/llm-council/infra-cdk/package-lock.json:1

Description:
A critical vulnerability in npm package: fast-xml-parser, version 5.2.5 was found at: /samples/llm-council/infra-cdk/package-lock.json


Finding 55: GHSA-m7jm-9gc2-mpf2-fast-xml-parser

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-m7jm-9gc2-mpf2-fast-xml-parser
  • Location: samples/llm-council/frontend/package-lock.json:1

Description:
A critical vulnerability in npm package: fast-xml-parser, version 5.3.4 was found at: /samples/llm-council/frontend/package-lock.json


Finding 56: GHSA-96hv-2xvq-fx4p-ws

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-96hv-2xvq-fx4p-ws
  • Location: samples/copilotkit-generative-ui/infra-cdk/lambdas/copilotkit-runtime/package-lock.json:1

Description:
A high vulnerability in npm package: ws, version 8.20.1 was found at: /samples/copilotkit-generative-ui/infra-cdk/lambdas/copilotkit-runtime/package-lock.json


Finding 57: GHSA-q3j6-qgpj-74h6-fast-uri

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-q3j6-qgpj-74h6-fast-uri
  • Location: samples/llm-council/infra-cdk/package-lock.json:1

Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/llm-council/infra-cdk/package-lock.json


Finding 58: GHSA-q3j6-qgpj-74h6-fast-uri

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-q3j6-qgpj-74h6-fast-uri
  • Location: samples/dual-monitoring-system/infra-cdk/package-lock.json:1

Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/dual-monitoring-system/infra-cdk/package-lock.json


Finding 59: GHSA-q3j6-qgpj-74h6-fast-uri

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-q3j6-qgpj-74h6-fast-uri
  • Location: samples/copilotkit-generative-ui/infra-cdk/package-lock.json:1

Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/copilotkit-generative-ui/infra-cdk/package-lock.json


Finding 60: GHSA-q3j6-qgpj-74h6-fast-uri

  • Severity: HIGH
  • Scanner: grype
  • Rule ID: GHSA-q3j6-qgpj-74h6-fast-uri
  • Location: samples/restaurant-assistant/infra-cdk/package-lock.json:1

Description:
A high vulnerability in npm package: fast-uri, version 3.1.0 was found at: /samples/restaurant-assistant/infra-cdk/package-lock.json


Finding 61: GHSA-f886-m6hf-6m8v-brace-expansion


This issue was automatically created by the monthly security scan workflow.

Metadata

Metadata

Assignees

No one assigned

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions