chore(deps): update dependency macos to v26 [ci-skip] #2791

Open
renovate[bot] wants to merge 1 commit into master from renovate/macos-26.x

Conversation

renovate[bot] (Contributor) commented May 14, 2026

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| macos | github-runner | major | `15` -> `26` |

Release Notes

actions/runner-images (macos)

v26: macos-26 (20260324) Image Update

Announcements
macOS 26 (Tahoe) is now generally available in GitHub Actions
[macOS] The macOS 14 Sonoma based runner images will begin deprecation on July 6th and will be fully unsupported by November 2nd for GitHub Actions and Azure DevOps

🖥️ Actions Runner Image: macOS 26

  • OS Version: macOS 26.3.1 (25D2128)
  • Kernel Version: Darwin 25.3.0
  • Image Version: 20260324.0226.1

📣 What's changed?

Added ➕

| Category | Tool name | Current (20260324.0226.1) |
|---|---|---|
| Language and Runtime | .NET Core SDK | 10.0.201 |

Updated

| Category | Tool name | Previous (20260303.0134.1) | Current (20260324.0226.1) |
|---|---|---|---|
| OS Version | | macOS 26.3 (25D125) | macOS 26.3.1 (25D2128) |
| Language and Runtime | .NET Core SDK | 8.0.418, 9.0.311 | 8.0.419, 9.0.312 |
| | Kotlin | 2.3.10-release-465 | 2.3.20-release-208 |
| | Perl | 5.42.0 | 5.42.1 |
| | PHP | 8.5.3 | 8.5.4 |
| | Ruby | 3.4.8 | 3.4.9 |
| Package Management | Bundler | 4.0.7 | 4.0.8 |
| | Homebrew | 5.0.16 | 5.1.1 |
| | Pipx | 1.8.0 | 1.11.0 |
| | RubyGems | 4.0.7 | 4.0.8 |
| | Vcpkg | 2026 (build from commit 39a6cc0e44) | 2026 (build from commit ed8445dd2a) |
| Project Management | Apache Maven | 3.9.12 | 3.9.14 |
| | Gradle | 9.3.1 | 9.4.1 |
| Utilities | azcopy | 10.32.1 | 10.32.2 |
| | bazel | 9.0.0 | 9.0.1 |
| | Curl | 8.18.0 | 8.19.0 |
| | GitHub CLI | 2.87.3 | 2.88.1 |
| | gpg (GnuPG) | 2.4.9 | 2.5.18 |
| Tools | AWS CLI | 2.34.0 | 2.34.15 |
| | AWS SAM CLI | 1.154.0 | 1.156.0 |
| | AWS Session Manager CLI | 1.2.779.0 | 1.2.792.0 |
| | Cmake | 4.2.3 | 4.3.0 |
| | CodeQL Action Bundle | 2.24.2 | 2.24.3 |
| | SwiftFormat | 0.59.1 | 0.60.1 |
| Browsers | Safari | 26.3 (21623.2.7.11.6) | 26.3.1 (21623.2.7.11.7) |
| | SafariDriver | 26.3 (21623.2.7.11.6) | 26.3.1 (21623.2.7.11.7) |
| | Google Chrome | 145.0.7632.117 | 146.0.7680.165 |
| | Google Chrome for Testing | 145.0.7632.117 | 146.0.7680.165 |
| | ChromeDriver | 145.0.7632.117 | 146.0.7680.165 |
| | Microsoft Edge | 145.0.3800.82 | 146.0.3856.72 |
| | Microsoft Edge WebDriver | 145.0.3800.82 | 146.0.3856.72 |
| | Mozilla Firefox | 148.0 | 149.0 |
| Cached Tools | Ruby | 3.4.8, 4.0.1 | 3.4.9, 4.0.2 |
| | Node.js | 20.20.0, 22.22.0 | 20.20.1, 22.22.1 |
| | Go | 1.25.7 | 1.25.8 |
| Rust Tools | Cargo | 1.93.1 | 1.94.0 |
| | Rust | 1.93.1 | 1.94.0 |
| | Rustdoc | 1.93.1 | 1.94.0 |
| | Rustup | 1.28.2 | 1.29.0 |
| Rust Tools > Packages | Clippy | 0.1.93 | 0.1.94 |
| PowerShell Tools | PowerShell | 7.4.13 | 7.4.14 |
| PowerShell Tools > PowerShell Modules | PSScriptAnalyzer | 1.24.0 | 1.25.0 |

Xcode

| Version | Build | Path | Symlinks |
|---|---|---|---|
| 26.4 (beta) | 17E5170d | /Applications/Xcode_26.4_beta_2.app | /Applications/Xcode_26.4.0.app, /Applications/Xcode_26.4.app |
| 26.4 | 17E192 | /Applications/Xcode_26.4_Release_Candidate.app | /Applications/Xcode_26.4.0.app, /Applications/Xcode_26.4.app |

Android

| Package Name | Version |
|---|---|
| Android Emulator | 36.4.9 |
| Android Emulator | 36.4.10 |

For a comprehensive list of software installed on this image, please click here.


Configuration

📅 Schedule: (in timezone Europe/London)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

henry-pa-bot[bot] (Contributor) commented May 14, 2026

Super-linter summary

| Language | Validation result |
|---|---|
| BIOME_FORMAT | Fail ❌ |
| BIOME_LINT | Fail ❌ |
| CHECKOV | Fail ❌ |
| GITHUB_ACTIONS | Pass ✅ |
| GITHUB_ACTIONS_ZIZMOR | Fail ❌ |
| GITLEAKS | Pass ✅ |
| GIT_MERGE_CONFLICT_MARKERS | Pass ✅ |
| JSCPD | Fail ❌ |
| PRE_COMMIT | Pass ✅ |
| SPELL_CODESPELL | Pass ✅ |
| TRIVY | Fail ❌ |
| YAML | Pass ✅ |
| YAML_PRETTIER | Pass ✅ |

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

BIOME_FORMAT
Checked 5 files in 21ms. No fixes applied.
Found 5 errors.

.vscode/extensions.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

     1  1 │   {
     2    │ - ··"recommendations":·[
     3    │ - ····"mads-hartmann.bash-ide-vscode",
     4    │ - ····"timonwong.shellcheck",
     5    │ - ····"foxundermoon.shell-format",
     6    │ - ····"editorconfig.editorconfig",
     7    │ - ····"ms-kubernetes-tools.vscode-kubernetes-tools",
     8    │ - ····"tim-koehler.helm-intellisense"
     9    │ - ··]
    10    │ - }
        2 │ + → "recommendations":·[
        3 │ + → → "mads-hartmann.bash-ide-vscode",
        4 │ + → → "timonwong.shellcheck",
        5 │ + → → "foxundermoon.shell-format",
        6 │ + → → "editorconfig.editorconfig",
        7 │ + → → "ms-kubernetes-tools.vscode-kubernetes-tools",
        8 │ + → → "tim-koehler.helm-intellisense"
        9 │ + → ]
       10 │ + }
       11 │ +
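
Review bot: the only change in this hunk is indentation (the `-` lines carry two spaces, `··`, the `+` lines a tab, `→`) plus a trailing newline, so Biome is running with its default tab `indentStyle` against a file the repo keeps in two-space style; the same mismatch produces the other four BIOME_FORMAT failures and none of it is related to the macos-26 bump this PR makes. Either commit a `biome.json` with `"formatter": { "indentStyle": "space", "indentWidth": 2 }` so the linter matches the checked-in style, or reformat the tree in its own PR rather than letting a Renovate bump carry style churn.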


.vscode/launch.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

     1  1 │   {
     2    │ - ··"version":·"0.2.0",
     3    │ - ··"configurations":·[
     4    │ - ····{
     5    │ - ······"type":·"bashdb",
     6    │ - ······"request":·"launch",
     7    │ - ······"name":·"Bash-Debug·(simplest·configuration)",
     8    │ - ······"program":·"${file}"
     9    │ - ····}
    10    │ - ··]
    11    │ - }
        2 │ + → "version":·"0.2.0",
        3 │ + → "configurations":·[
        4 │ + → → {
        5 │ + → → → "type":·"bashdb",
        6 │ + → → → "request":·"launch",
        7 │ + → → → "name":·"Bash-Debug·(simplest·configuration)",
        8 │ + → → → "program":·"${file}"
        9 │ + → → }
       10 │ + → ]
       11 │ + }
       12 │ +


.vscode/settings.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

    1   │ - {
    2   │ - }
      1 │ + {}
      2 │ +


home/dot_hyper.js format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

      4   4 │   // See https://hyper.is#cfg for all currently supported options.
      5   5 │   module.exports = {
      6     │ - ····config:·{
      7     │ - ········//·choose·either·`'stable'`·for·receiving·highly·polished,
      8     │ - ········//·or·`'canary'`·for·less·polished·but·more·frequent·updates
      9     │ - ········updateChannel:·'stable',
     10     │ - ········//·default·font·size·in·pixels·for·all·tabs
     11     │ - ········fontSize:·12,
     12     │ - ········//·font·family·with·optional·fallbacks
     13     │ - ········fontFamily:·'FiraMono·Nerd·Font',
     14     │ - ········//·default·font·weight:·'normal'·or·'bold'
     15     │ - ········fontWeight:·'normal',
     16     │ - ········//·font·weight·for·bold·characters:·'normal'·or·'bold'
     17     │ - ········fontWeightBold:·'bold',
     18     │ - ········//·line·height·as·a·relative·unit
     19     │ - ········lineHeight:·1,
     20     │ - ········//·letter·spacing·as·a·relative·unit
     21     │ - ········letterSpacing:·0,
     22     │ - ········//·terminal·cursor·background·color·and·opacity·(hex,·rgb,·hsl,·hsv,·hwb·or·cmyk)
     23     │ - ········cursorColor:·'rgba(248,28,229,0.8)',
     24     │ - ········//·terminal·text·color·under·BLOCK·cursor
     25     │ - ········cursorAccentColor:·'#000',
     26     │ - ········//·`'BEAM'`·for·|,·`'UNDERLINE'`·for·_,·`'BLOCK'`·for·█
     27     │ - ········cursorShape:·'BLOCK',
     28     │ - ········//·set·to·`true`·(without·backticks·and·without·quotes)·for·blinking·cursor
     29     │ - ········cursorBlink:·false,
     30     │ - ········//·color·of·the·text
     31     │ - ········foregroundColor:·'#fff',
     32     │ - ········//·terminal·background·color
     33     │ - ········//·opacity·is·only·supported·on·macOS
     34     │ - ········backgroundColor:·'#000',
     35     │ - ········//·terminal·selection·color
     36     │ - ········selectionColor:·'rgba(248,28,229,0.3)',
     37     │ - ········//·border·color·(window,·tabs)
     38     │ - ········borderColor:·'#333',
     39     │ - ········//·custom·CSS·to·embed·in·the·main·window
     40     │ - ········css:·'',
     41     │ - ········//·custom·CSS·to·embed·in·the·terminal·window
     42     │ - ········termCSS:·'',
     43     │ - ········//·set·custom·startup·directory·(must·be·an·absolute·path)
     44     │ - ········workingDirectory:·'',
     45     │ - ········//·if·you're·using·a·Linux·setup·which·show·native·menus,·set·to·false
     46     │ - ········//·default:·`true`·on·Linux,·`true`·on·Windows,·ignored·on·macOS
     47     │ - ········showHamburgerMenu:·'',
     48     │ - ········//·set·to·`false`·(without·backticks·and·without·quotes)·if·you·want·to·hide·the·minimize,·maximize·and·close·buttons
     49     │ - ········//·additionally,·set·to·`'left'`·if·you·want·them·on·the·left,·like·in·Ubuntu
     50     │ - ········//·default:·`true`·(without·backticks·and·without·quotes)·on·Windows·and·Linux,·ignored·on·macOS
     51     │ - ········showWindowControls:·'',
     52     │ - ········//·custom·padding·(CSS·format,·i.e.:·`top·right·bottom·left`)
     53     │ - ········padding:·'12px·14px',
     54     │ - ········//·the·full·list.·if·you're·going·to·provide·the·full·color·palette,
     55     │ - ········//·including·the·6·x·6·color·cubes·and·the·grayscale·map,·just·provide
     56     │ - ········//·an·array·here·instead·of·a·color·map·object
     57     │ - ········colors:·{
     58     │ - ············black:·'#000000',
     59     │ - ············red:·'#C51E14',
     60     │ - ············green:·'#1DC121',
     61     │ - ············yellow:·'#C7C329',
     62     │ - ············blue:·'#0A2FC4',
     63     │ - ············magenta:·'#C839C5',
     64     │ - ············cyan:·'#20C5C6',
     65     │ - ············white:·'#C7C7C7',
     66     │ - ············lightBlack:·'#686868',
     67     │ - ············lightRed:·'#FD6F6B',
     68     │ - ············lightGreen:·'#67F86F',
     69     │ - ············lightYellow:·'#FFFA72',
     70     │ - ············lightBlue:·'#6A76FB',
     71     │ - ············lightMagenta:·'#FD7CFC',
     72     │ - ············lightCyan:·'#68FDFE',
     73     │ - ············lightWhite:·'#FFFFFF',
     74     │ - ············limeGreen:·'#32CD32',
     75     │ - ············lightCoral:·'#F08080',
     76     │ - ········},
     77     │ - ········//·the·shell·to·run·when·spawning·a·new·session·(i.e.·/usr/local/bin/fish)
     78     │ - ········//·if·left·empty,·your·system's·login·shell·will·be·used·by·default
     79     │ - ········//
     80     │ - ········//·Windows
     81     │ - ········//·-·Make·sure·to·use·a·full·path·if·the·binary·name·doesn't·work
     82     │ - ········//·-·Remove·`--login`·in·shellArgs
     83     │ - ········//
     84     │ - ········//·Windows·Subsystem·for·Linux·(WSL)·-·previously·Bash·on·Windows
     85     │ - ········//·-·Example:·`C:\\Windows\\System32\\wsl.exe`
     86     │ - ········//
     87     │ - ········//·Git-bash·on·Windows
     88     │ - ········//·-·Example:·`C:\\Program·Files\\Git\\bin\\bash.exe`
     89     │ - ········//
     90     │ - ········//·PowerShell·on·Windows
     91     │ - ········//·-·Example:·`C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`
     92     │ - ········//
     93     │ - ········//·Cygwin
     94     │ - ········//·-·Example:·`C:\\cygwin64\\bin\\bash.exe`
     95     │ - ········shell:·'zsh',
     96     │ - ········//·for·setting·shell·arguments·(i.e.·for·using·interactive·shellArgs:·`['-i']`)
     97     │ - ········//·by·default·`['--login']`·will·be·used
     98     │ - ········shellArgs:·['--login'],
     99     │ - ········//·for·environment·variables
    100     │ - ········env:·{},
    101     │ - ········//·Supported·Options:
    102     │ - ········//··1.·'SOUND'·->·Enables·the·bell·as·a·sound
    103     │ - ········//··2.·false:·turns·off·the·bell
    104     │ - ········bell:·'SOUND',
    105     │ - ········//·An·absolute·file·path·to·a·sound·file·on·the·machine.
    106     │ - ········//·bellSoundURL:·'/path/to/sound/file',
    107     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·selected·text·will·automatically·be·copied·to·the·clipboard
    108     │ - ········copyOnSelect:·false,
    109     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·hyper·will·be·set·as·the·default·protocol·client·for·SSH
    110     │ - ········defaultSSHApp:·true,
    111     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·on·right·click·selected·text·will·be·copied·or·pasted·if·no
    112     │ - ········//·selection·is·present·(`true`·by·default·on·Windows·and·disables·the·context·menu·feature)
    113     │ - ········quickEdit:·false,
    114     │ - ········//·choose·either·`'vertical'`,·if·you·want·the·column·mode·when·Option·key·is·hold·during·selection·(Default)
    115     │ - ········//·or·`'force'`,·if·you·want·to·force·selection·regardless·of·whether·the·terminal·is·in·mouse·events·mode
    116     │ - ········//·(inside·tmux·or·vim·with·mouse·mode·enabled·for·example).
    117     │ - ········macOptionSelectionMode:·'vertical',
    118     │ - ········//·Whether·to·use·the·WebGL·renderer.·Set·it·to·false·to·use·canvas-based
    119     │ - ········//·rendering·(slower,·but·supports·transparent·backgrounds)
    120     │ - ········webGLRenderer:·true,
    121     │ - ········//·keypress·required·for·weblink·activation:·[ctrl|alt|meta|shift]
    122     │ - ········//·todo:·does·not·pick·up·config·changes·automatically,·need·to·restart·terminal·:/
    123     │ - ········webLinksActivationKey:·'',
    124     │ - ········//·if·`false`·(without·backticks·and·without·quotes),·Hyper·will·use·ligatures·provided·by·some·fonts
    125     │ - ········disableLigatures:·true,
    126     │ - ········//·set·to·true·to·disable·auto·updates
    127     │ - ········disableAutoUpdates:·false,
    128     │ - ········//·set·to·true·to·enable·screen·reading·apps·(like·NVDA)·to·read·the·contents·of·the·terminal
    129     │ - ········screenReaderMode:·false,
    130     │ - ········//·set·to·true·to·preserve·working·directory·when·creating·splits·or·tabs
    131     │ - ········preserveCWD:·true,
    132     │ - ········//·for·advanced·config·flags·please·refer·to·https://hyper.is/#cfg
    133     │ - ····},
    134     │ - ····//·a·list·of·plugins·to·fetch·and·install·from·npm
    135     │ - ····//·format:·[@org/]project[#version]
    136     │ - ····//·examples:
    137     │ - ····//···`hyperpower`
    138     │ - ····//···`@company/project`
    139     │ - ····//···`project#1.0.1`
    140     │ - ····plugins:·[],
    141     │ - ····//·in·development,·you·can·create·a·directory·under
    142     │ - ····//·`~/.hyper_plugins/local/`·and·include·it·here
    143     │ - ····//·to·load·it·and·avoid·it·being·`npm·install`ed
    144     │ - ····localPlugins:·[],
    145     │ - ····keymaps:·{
    146     │ - ········//·Example
    147     │ - ········//·'window:devtools':·'cmd+alt+o',
    148     │ - ····},
          6 │ + → config:·{
          7 │ + → → //·choose·either·`'stable'`·for·receiving·highly·polished,
          8 │ + → → //·or·`'canary'`·for·less·polished·but·more·frequent·updates
          9 │ + → → updateChannel:·"stable",
         10 │ + → → //·default·font·size·in·pixels·for·all·tabs
  142 more lines truncated
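
Review bot: besides the tab indentation, this hunk switches string literals from single to double quotes (`updateChannel: 'stable'` becomes `updateChannel: "stable"`), so keeping the current style needs `"javascript": { "formatter": { "quoteStyle": "single" } }` in the same `biome.json`. Nothing in the visible part of the diff changes behaviour, but the remaining 142 lines are truncated in the linter output, so that cannot be confirmed for the whole file from this comment alone. The BIOME_LINT warning on line 1 of the same file, the redundant `"use strict"`, is a separate safe auto-fix and can go in with the formatting change.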


tests/renovate-bot/local-config.js format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

    1 1 │   module.exports = {
    2   │ - ··platform:·'github',
    3   │ - ··repositories:·['kitos9112/dotfiles'],
    4   │ - ··includeForks:·true,
    5   │ - ··onboarding:·false,
    6   │ - ··requireConfig:·'optional',
    7   │ - ··gitAuthor:·'henry-pa-bot·<166536+henry-bot[bot]@users.noreply.github.com>',
      2 │ + → platform:·"github",
      3 │ + → repositories:·["kitos9112/dotfiles"],
      4 │ + → includeForks:·true,
      5 │ + → onboarding:·false,
      6 │ + → requireConfig:·"optional",
      7 │ + → gitAuthor:·"henry-pa-bot·<166536+henry-bot[bot]@users.noreply.github.com>",
    8 8 │   };
    9 9 │


format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some errors were emitted while running checks.

BIOME_LINT
Checked 5 files in 29ms. No fixes applied.
Found 1 warning.

home/dot_hyper.js:1:1 lint/suspicious/noRedundantUseStrict  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! Redundant use strict directive.

  > 1 │ "use strict";
      │ ^^^^^^^^^^^^^
    2 │ // Future versions of Hyper may add additional config options,
    3 │ // which will not automatically be merged into this file.

  i The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.

  i Safe fix: Remove the redundant use strict directive.

    1 │ "use·strict";
      │ -------------

lint ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some warnings were emitted while running checks.

CHECKOV
dockerfile scan results:

Passed checks: 250, Failed checks: 6, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/ubuntu-25.10/Dockerfile.
	File: /tests/ubuntu-25.10/Dockerfile:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM ubuntu:25.10
		2  |
		3  | ENV GIT_REPO=https://github.com/kitos9112/dotfiles.git
		4  | ENV DEBIAN_FRONTEND=noninteractive
		5  |
		6  | RUN apt-get update && \
		7  |     DEBIAN_FRONTEND=noninteractive apt-get install -y \
		8  |     curl \
		9  |     file \
		10 |     git \
		11 |     iproute2 \
		12 |     sudo
		13 |
		14 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa  && \
		15 |     echo "docker-qa ALL=NOPASSWD: ALL" >> /etc/sudoers
		16 |
		17 | USER docker-qa
		18 |
		19 | COPY --chown=docker-qa:docker-qa ./ /home/docker-qa/.dotfiles
		20 |
		21 | WORKDIR /home/docker-qa
		22 |
		23 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/ubuntu-24.04/Dockerfile.
	File: /tests/ubuntu-24.04/Dockerfile:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM ubuntu:24.04
		2  |
		3  | ENV GIT_REPO=https://github.com/kitos9112/dotfiles.git
		4  | ENV DEBIAN_FRONTEND=noninteractive
		5  |
		6  | RUN apt-get update && \
		7  |     DEBIAN_FRONTEND=noninteractive apt-get install -y \
		8  |     curl \
		9  |     iproute2 \
		10 |     file \
		11 |     git \
		12 |     sudo
		13 |
		14 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa  && \
		15 |     echo "docker-qa ALL=NOPASSWD: ALL" >> /etc/sudoers
		16 |
		17 | USER docker-qa
		18 |
		19 | COPY --chown=docker-qa:docker-qa ./ /home/docker-qa/.dotfiles
		20 |
		21 | WORKDIR /home/docker-qa
		22 |
		23 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/almalinux-9/Dockerfile.
	File: /tests/almalinux-9/Dockerfile:1-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM almalinux:9
		2  |
		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all
		12 |
		13 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa && \
		14 |     echo "docker-qa ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
		15 |
		16 | USER docker-qa
		17 |
		18 | COPY ./ /home/docker-qa/.dotfiles
		19 |
		20 | WORKDIR /home/docker-qa
		21 |
		22 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/almalinux-10/Dockerfile.
	File: /tests/almalinux-10/Dockerfile:1-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM almalinux:10
		2  |
		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all
		12 |
		13 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa && \
		14 |     echo "docker-qa ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
		15 |
		16 | USER docker-qa
		17 |
		18 | COPY ./ /home/docker-qa/.dotfiles
		19 |
		20 | WORKDIR /home/docker-qa
		21 |
		22 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
	FAILED for resource: /tests/almalinux-9/Dockerfile.RUN
	File: /tests/almalinux-9/Dockerfile:3-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo

		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all

Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
	FAILED for resource: /tests/almalinux-10/Dockerfile.RUN
	File: /tests/almalinux-10/Dockerfile:3-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo

		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all

github_actions scan results:

Passed checks: 95, Failed checks: 5, Skipped checks: 0

Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
	FAILED for resource: on(Schedule/Push - Renovate)
	File: /.github/workflows/renovate.yaml:7-16

		7  |       dryRun:
		8  |         description: "Dry-Run"
		9  |         default: "true"
		10 |         required: false
		11 |       logLevel:
		12 |         description: "Log-Level"
		13 |         default: "debug"
		14 |         required: false
		15 |   schedule:
		16 |     - cron: "*/10 * * * *"

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(lint YAML and Shell)
	File: /.github/workflows/linters.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Create GH issues based on TODO comments)
	File: /.github/workflows/todo2github-issues.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Acceptance Tests)
	File: /.github/workflows/acceptance-tests.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Schedule/Push - Renovate)
	File: /.github/workflows/renovate.yaml:0-1
GITHUB_ACTIONS_ZIZMOR
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:27:9
   |
27 |         - name: Checkout
   |  _________^
28 | |         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
   | |____________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

help[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:62:9
   |
62 |         - name: Checkout
   |  _________^
63 | |         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
   | |____________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:2:1
   |
 2 | / name: Acceptance Tests
 3 | |
 4 | | on:
 5 | |   pull_request:
...  |
80 | |           chezmoi init --apply --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
81 | |           chezmoi verify --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
   | |___________________________________________________________________________________^ default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:14:3
   |
14 | /   linux:
15 | |     name: Linux Smoke (${{ matrix.os }})
16 | |     runs-on: ubuntu-24.04
...  |
53 | |           priority: "-1" # low priority - no sound or vibration generated
54 | |         if: failure() && github.event_name == 'schedule'
   | |                                                        ^
   | |                                                        |
   | |________________________________________________________this job
   |                                                          default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:56:3
   |
56 | /   macos:
57 | |     name: macOS Smoke
58 | |     runs-on: macos-26
59 | |     env:
...  |
80 | |           chezmoi init --apply --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
81 | |           chezmoi verify --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
   | |                                                                                   ^
   | |                                                                                   |
   | |___________________________________________________________________________________this job
   |                                                                                     default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:31:15
   |
31 |         uses: docker/setup-buildx-action@v4
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:34:15
   |
34 |         uses: docker/build-push-action@v7
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:43:15
   |
43 |         uses: umahmood/pushover-actions@main
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:45:31
   |
14 |   linux:
   |   ----- this job
...
45 |           PUSHOVER_TOKEN: ${{ secrets.PUSHOVER_TOKEN }}
   |                               ^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:46:30
   |
14 |   linux:
   |   ----- this job
...
46 |           PUSHOVER_USER: ${{ secrets.PUSHOVER_USER }}
   |                              ^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

12 findings (2 suppressed, 5 fixable): 0 informational, 2 low, 5 medium, 3 high
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/acceptance-tests.yaml
JSCPD
Clone found (markdown):
 - /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [855:1 - 869:10] (14 lines, 71 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [775:1 - 788:5]

Clone found (markdown):
 - /github/workspace/README.md [49:1 - 66:17] (17 lines, 172 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [745:1 - 759:4]

Clone found (markdown):
 - /github/workspace/README.md [116:1 - 140:3] (24 lines, 125 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [767:1 - 788:5]

Clone found (markdown):
 - /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [855:1 - 869:10] (14 lines, 71 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [775:1 - 788:5]

 855 │ 775 │ {tmp_home}/.local/share" \
 856 │ 776 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 857 │ 777 │ XDG_CACHE_HOME="${tmp_home}/.cache" \
 858 │ 778 │ DOTFILES_TEST=true \
 859 │ 779 │ chezmoi init --apply --source "$(pwd)" --exclude scripts --no-tty
 860 │ 780 │
 861 │ 781 │ HOME="${tmp_home}" \
 862 │ 782 │ XDG_CONFIG_HOME="${tmp_home}/.config" \
 863 │ 783 │ XDG_DATA_HOME="${tmp_home}/.local/share" \
 864 │ 784 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 865 │ 785 │ XDG

Clone found (markdown):
 - /github/workspace/README.md [49:1 - 66:17] (17 lines, 172 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [745:1 - 759:4]

 49 │ 745 │  with `chezmoi`
 50 │ 746 │
 51 │ 747 │ Leveraging off-the-shelf `Chezmoi` capabilities
 52 │ 748 │
 53 │ 749 │ ```bash
 54 │ 750 │ chezmoi init --apply --verbose https://github.com/kitos9112/dotfiles.git
 55 │ 751 │ ```
 56 │ 752 │
 57 │ 753 │ ### Installer controls
 58 │ 754 │
 59 │ 755 │ The root `install` script accepts environment variables for test and recovery
 60 │ 756 │ flows:
 61 │ 757 │
 62 │ 758 │ - `DOTFILES_SOURCE` uses a local source checkout instead of the remote repo.
 63 │ 759 │ - `DOTFILES_REPO` overrides the remote chezmoi repository.
 64 │ 760 │ - `DOTFILES_ONE_SHOT=true` passes `--one-shot` instead of `--apply`.
 65 │ 761 │ - `DOTFILES_CHEZMOI_INCLUDE` and `DOTFILES_CHEZMOI_EXCLUDE` pass include and
 66 │ 762 │   exclude filters to chezmoi.
 67 │ 763 │ - `DOTFILES_NO_TTY=true` passes `--no-tty`.
 68 │ 764 │ - `DOTFILES_VERBOSE=true` passes `--verbose`.
 69 │ 765 │ - `DOTFILES_DEBUG=true` passes `--debug`.
 70 │ 766 │ - `DOTFILES_RETRY_COUNT` and `DOTFILES_RETRY_DELAY` contro

Clone found (markdown):
 - /github/workspace/README.md [116:1 - 140:3] (24 lines, 125 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [767:1 - 788:5]

 116 │ 767 │ IG_HOME="${tmp_home}/.config" \
 117 │ 768 │ XDG_DATA_HOME="${tmp_home}/.local/share" \
 118 │ 769 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 119 │ 770 │ XDG_CACHE_HOME="${tmp_home}/.cache" \
 120 │ 771 │ DOTFILES_TEST=true chezmoi init --apply --source "$(pwd)" --exclude scripts --no-tty
 121 │ 772 │ ```
 122 │ 773 │
 123 │ 774 │ To validate hooks locally through `uv`, run:
 124 │ 775 │
 125 │ 776 │ ```bash
 126 │ 777 │ uvx pre-commit run --all-files
 127 │ 778 │ ```
 128 │ 779 │
 129 │ 780 │ To validate the root installer path locally without running mutating scripts:
 130 │ 781 │
 131 │ 782 │ ```bash
 132 │ 783 │ tmp_home="$(mktemp -d)"
 133 │ 784 │ HOME="${tmp_home}" \
 134 │ 785 │ XDG_CONFIG_HOME="${tmp_home}/.config" \
 135 │ 786 │ XDG

Found 3 clones.
Error: ERROR: jscpd found too many duplicates (1.96%) over threshold (0%)
    at ThresholdReporter.report (/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node_modules/jscpd/dist/bin/jscpd.js:9:5
ERROR: jscpd found too many duplicates (1.96%) over threshold (0%)
TRIVY

Report Summary

┌───────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│            Target             │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/almalinux-10/Dockerfile │ dockerfile │        -        │         1         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/almalinux-9/Dockerfile  │ dockerfile │        -        │         1         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/ubuntu-24.04/Dockerfile │ dockerfile │        -        │         2         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/ubuntu-25.10/Dockerfile │ dockerfile │        -        │         2         │    -    │
└───────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


tests/almalinux-10/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



tests/almalinux-9/Dockerfile (dockerfile)
=========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



tests/ubuntu-24.04/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


DS-0029 (HIGH): '--no-install-recommends' flag is missed: 'apt-get update &&     DEBIAN_FRONTEND=noninteractive apt-get install -y     curl     iproute2     file     git     sudo'
════════════════════════════════════════
'apt-get' install should use '--no-install-recommends' to minimize image size.

See https://avd.aquasec.com/misconfig/ds-0029
────────────────────────────────────────
 tests/ubuntu-24.04/Dockerfile:6-12
────────────────────────────────────────
   6 ┌ RUN apt-get update && \
   7 │     DEBIAN_FRONTEND=noninteractive apt-get install -y \
   8 │     curl \
   9 │     iproute2 \
  10 │     file \
  11 │     git \
  12 └     sudo
────────────────────────────────────────



tests/ubuntu-25.10/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


DS-0029 (HIGH): '--no-install-recommends' flag is missed: 'apt-get update &&     DEBIAN_FRONTEND=noninteractive apt-get install -y     curl     file     git     iproute2     sudo'
════════════════════════════════════════
'apt-get' install should use '--no-install-recommends' to minimize image size.

See https://avd.aquasec.com/misconfig/ds-0029
────────────────────────────────────────
 tests/ubuntu-25.10/Dockerfile:6-12
────────────────────────────────────────
   6 ┌ RUN apt-get update && \
   7 │     DEBIAN_FRONTEND=noninteractive apt-get install -y \
   8 │     curl \
   9 │     file \
  10 │     git \
  11 │     iproute2 \
  12 └     sudo
────────────────────────────────────────


@renovate renovate Bot force-pushed the renovate/macos-26.x branch from 25885fc to 32932ee on May 22, 2026 19:54
@henry-pa-bot

henry-pa-bot Bot commented May 22, 2026


Super-linter summary

Language Validation result
BIOME_FORMAT Fail ❌
BIOME_LINT Fail ❌
CHECKOV Fail ❌
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Fail ❌
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Fail ❌
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

BIOME_FORMAT
Checked 5 files in 14ms. No fixes applied.
Found 5 errors.
.vscode/extensions.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

     1  1 │   {
     2    │ - ··"recommendations":·[
     3    │ - ····"mads-hartmann.bash-ide-vscode",
     4    │ - ····"timonwong.shellcheck",
     5    │ - ····"foxundermoon.shell-format",
     6    │ - ····"editorconfig.editorconfig",
     7    │ - ····"ms-kubernetes-tools.vscode-kubernetes-tools",
     8    │ - ····"tim-koehler.helm-intellisense"
     9    │ - ··]
    10    │ - }
        2 │ + → "recommendations":·[
        3 │ + → → "mads-hartmann.bash-ide-vscode",
        4 │ + → → "timonwong.shellcheck",
        5 │ + → → "foxundermoon.shell-format",
        6 │ + → → "editorconfig.editorconfig",
        7 │ + → → "ms-kubernetes-tools.vscode-kubernetes-tools",
        8 │ + → → "tim-koehler.helm-intellisense"
        9 │ + → ]
       10 │ + }
       11 │ +


.vscode/launch.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

     1  1 │   {
     2    │ - ··"version":·"0.2.0",
     3    │ - ··"configurations":·[
     4    │ - ····{
     5    │ - ······"type":·"bashdb",
     6    │ - ······"request":·"launch",
     7    │ - ······"name":·"Bash-Debug·(simplest·configuration)",
     8    │ - ······"program":·"${file}"
     9    │ - ····}
    10    │ - ··]
    11    │ - }
        2 │ + → "version":·"0.2.0",
        3 │ + → "configurations":·[
        4 │ + → → {
        5 │ + → → → "type":·"bashdb",
        6 │ + → → → "request":·"launch",
        7 │ + → → → "name":·"Bash-Debug·(simplest·configuration)",
        8 │ + → → → "program":·"${file}"
        9 │ + → → }
       10 │ + → ]
       11 │ + }
       12 │ +


.vscode/settings.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

    1   │ - {
    2   │ - }
      1 │ + {}
      2 │ +


home/dot_hyper.js format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

      4   4 │   // See https://hyper.is#cfg for all currently supported options.
      5   5 │   module.exports = {
      6     │ - ····config:·{
      7     │ - ········//·choose·either·`'stable'`·for·receiving·highly·polished,
      8     │ - ········//·or·`'canary'`·for·less·polished·but·more·frequent·updates
      9     │ - ········updateChannel:·'stable',
     10     │ - ········//·default·font·size·in·pixels·for·all·tabs
     11     │ - ········fontSize:·12,
     12     │ - ········//·font·family·with·optional·fallbacks
     13     │ - ········fontFamily:·'FiraMono·Nerd·Font',
     14     │ - ········//·default·font·weight:·'normal'·or·'bold'
     15     │ - ········fontWeight:·'normal',
     16     │ - ········//·font·weight·for·bold·characters:·'normal'·or·'bold'
     17     │ - ········fontWeightBold:·'bold',
     18     │ - ········//·line·height·as·a·relative·unit
     19     │ - ········lineHeight:·1,
     20     │ - ········//·letter·spacing·as·a·relative·unit
     21     │ - ········letterSpacing:·0,
     22     │ - ········//·terminal·cursor·background·color·and·opacity·(hex,·rgb,·hsl,·hsv,·hwb·or·cmyk)
     23     │ - ········cursorColor:·'rgba(248,28,229,0.8)',
     24     │ - ········//·terminal·text·color·under·BLOCK·cursor
     25     │ - ········cursorAccentColor:·'#000',
     26     │ - ········//·`'BEAM'`·for·|,·`'UNDERLINE'`·for·_,·`'BLOCK'`·for·█
     27     │ - ········cursorShape:·'BLOCK',
     28     │ - ········//·set·to·`true`·(without·backticks·and·without·quotes)·for·blinking·cursor
     29     │ - ········cursorBlink:·false,
     30     │ - ········//·color·of·the·text
     31     │ - ········foregroundColor:·'#fff',
     32     │ - ········//·terminal·background·color
     33     │ - ········//·opacity·is·only·supported·on·macOS
     34     │ - ········backgroundColor:·'#000',
     35     │ - ········//·terminal·selection·color
     36     │ - ········selectionColor:·'rgba(248,28,229,0.3)',
     37     │ - ········//·border·color·(window,·tabs)
     38     │ - ········borderColor:·'#333',
     39     │ - ········//·custom·CSS·to·embed·in·the·main·window
     40     │ - ········css:·'',
     41     │ - ········//·custom·CSS·to·embed·in·the·terminal·window
     42     │ - ········termCSS:·'',
     43     │ - ········//·set·custom·startup·directory·(must·be·an·absolute·path)
     44     │ - ········workingDirectory:·'',
     45     │ - ········//·if·you're·using·a·Linux·setup·which·show·native·menus,·set·to·false
     46     │ - ········//·default:·`true`·on·Linux,·`true`·on·Windows,·ignored·on·macOS
     47     │ - ········showHamburgerMenu:·'',
     48     │ - ········//·set·to·`false`·(without·backticks·and·without·quotes)·if·you·want·to·hide·the·minimize,·maximize·and·close·buttons
     49     │ - ········//·additionally,·set·to·`'left'`·if·you·want·them·on·the·left,·like·in·Ubuntu
     50     │ - ········//·default:·`true`·(without·backticks·and·without·quotes)·on·Windows·and·Linux,·ignored·on·macOS
     51     │ - ········showWindowControls:·'',
     52     │ - ········//·custom·padding·(CSS·format,·i.e.:·`top·right·bottom·left`)
     53     │ - ········padding:·'12px·14px',
     54     │ - ········//·the·full·list.·if·you're·going·to·provide·the·full·color·palette,
     55     │ - ········//·including·the·6·x·6·color·cubes·and·the·grayscale·map,·just·provide
     56     │ - ········//·an·array·here·instead·of·a·color·map·object
     57     │ - ········colors:·{
     58     │ - ············black:·'#000000',
     59     │ - ············red:·'#C51E14',
     60     │ - ············green:·'#1DC121',
     61     │ - ············yellow:·'#C7C329',
     62     │ - ············blue:·'#0A2FC4',
     63     │ - ············magenta:·'#C839C5',
     64     │ - ············cyan:·'#20C5C6',
     65     │ - ············white:·'#C7C7C7',
     66     │ - ············lightBlack:·'#686868',
     67     │ - ············lightRed:·'#FD6F6B',
     68     │ - ············lightGreen:·'#67F86F',
     69     │ - ············lightYellow:·'#FFFA72',
     70     │ - ············lightBlue:·'#6A76FB',
     71     │ - ············lightMagenta:·'#FD7CFC',
     72     │ - ············lightCyan:·'#68FDFE',
     73     │ - ············lightWhite:·'#FFFFFF',
     74     │ - ············limeGreen:·'#32CD32',
     75     │ - ············lightCoral:·'#F08080',
     76     │ - ········},
     77     │ - ········//·the·shell·to·run·when·spawning·a·new·session·(i.e.·/usr/local/bin/fish)
     78     │ - ········//·if·left·empty,·your·system's·login·shell·will·be·used·by·default
     79     │ - ········//
     80     │ - ········//·Windows
     81     │ - ········//·-·Make·sure·to·use·a·full·path·if·the·binary·name·doesn't·work
     82     │ - ········//·-·Remove·`--login`·in·shellArgs
     83     │ - ········//
     84     │ - ········//·Windows·Subsystem·for·Linux·(WSL)·-·previously·Bash·on·Windows
     85     │ - ········//·-·Example:·`C:\\Windows\\System32\\wsl.exe`
     86     │ - ········//
     87     │ - ········//·Git-bash·on·Windows
     88     │ - ········//·-·Example:·`C:\\Program·Files\\Git\\bin\\bash.exe`
     89     │ - ········//
     90     │ - ········//·PowerShell·on·Windows
     91     │ - ········//·-·Example:·`C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`
     92     │ - ········//
     93     │ - ········//·Cygwin
     94     │ - ········//·-·Example:·`C:\\cygwin64\\bin\\bash.exe`
     95     │ - ········shell:·'zsh',
     96     │ - ········//·for·setting·shell·arguments·(i.e.·for·using·interactive·shellArgs:·`['-i']`)
     97     │ - ········//·by·default·`['--login']`·will·be·used
     98     │ - ········shellArgs:·['--login'],
     99     │ - ········//·for·environment·variables
    100     │ - ········env:·{},
    101     │ - ········//·Supported·Options:
    102     │ - ········//··1.·'SOUND'·->·Enables·the·bell·as·a·sound
    103     │ - ········//··2.·false:·turns·off·the·bell
    104     │ - ········bell:·'SOUND',
    105     │ - ········//·An·absolute·file·path·to·a·sound·file·on·the·machine.
    106     │ - ········//·bellSoundURL:·'/path/to/sound/file',
    107     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·selected·text·will·automatically·be·copied·to·the·clipboard
    108     │ - ········copyOnSelect:·false,
    109     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·hyper·will·be·set·as·the·default·protocol·client·for·SSH
    110     │ - ········defaultSSHApp:·true,
    111     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·on·right·click·selected·text·will·be·copied·or·pasted·if·no
    112     │ - ········//·selection·is·present·(`true`·by·default·on·Windows·and·disables·the·context·menu·feature)
    113     │ - ········quickEdit:·false,
    114     │ - ········//·choose·either·`'vertical'`,·if·you·want·the·column·mode·when·Option·key·is·hold·during·selection·(Default)
    115     │ - ········//·or·`'force'`,·if·you·want·to·force·selection·regardless·of·whether·the·terminal·is·in·mouse·events·mode
    116     │ - ········//·(inside·tmux·or·vim·with·mouse·mode·enabled·for·example).
    117     │ - ········macOptionSelectionMode:·'vertical',
    118     │ - ········//·Whether·to·use·the·WebGL·renderer.·Set·it·to·false·to·use·canvas-based
    119     │ - ········//·rendering·(slower,·but·supports·transparent·backgrounds)
    120     │ - ········webGLRenderer:·true,
    121     │ - ········//·keypress·required·for·weblink·activation:·[ctrl|alt|meta|shift]
    122     │ - ········//·todo:·does·not·pick·up·config·changes·automatically,·need·to·restart·terminal·:/
    123     │ - ········webLinksActivationKey:·'',
    124     │ - ········//·if·`false`·(without·backticks·and·without·quotes),·Hyper·will·use·ligatures·provided·by·some·fonts
    125     │ - ········disableLigatures:·true,
    126     │ - ········//·set·to·true·to·disable·auto·updates
    127     │ - ········disableAutoUpdates:·false,
    128     │ - ········//·set·to·true·to·enable·screen·reading·apps·(like·NVDA)·to·read·the·contents·of·the·terminal
    129     │ - ········screenReaderMode:·false,
    130     │ - ········//·set·to·true·to·preserve·working·directory·when·creating·splits·or·tabs
    131     │ - ········preserveCWD:·true,
    132     │ - ········//·for·advanced·config·flags·please·refer·to·https://hyper.is/#cfg
    133     │ - ····},
    134     │ - ····//·a·list·of·plugins·to·fetch·and·install·from·npm
    135     │ - ····//·format:·[@org/]project[#version]
    136     │ - ····//·examples:
    137     │ - ····//···`hyperpower`
    138     │ - ····//···`@company/project`
    139     │ - ····//···`project#1.0.1`
    140     │ - ····plugins:·[],
    141     │ - ····//·in·development,·you·can·create·a·directory·under
    142     │ - ····//·`~/.hyper_plugins/local/`·and·include·it·here
    143     │ - ····//·to·load·it·and·avoid·it·being·`npm·install`ed
    144     │ - ····localPlugins:·[],
    145     │ - ····keymaps:·{
    146     │ - ········//·Example
    147     │ - ········//·'window:devtools':·'cmd+alt+o',
    148     │ - ····},
          6 │ + → config:·{
          7 │ + → → //·choose·either·`'stable'`·for·receiving·highly·polished,
          8 │ + → → //·or·`'canary'`·for·less·polished·but·more·frequent·updates
          9 │ + → → updateChannel:·"stable",
         10 │ + → → //·default·font·size·in·pixels·for·all·tabs
  142 more lines truncated


tests/renovate-bot/local-config.js format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

    1 1 │   module.exports = {
    2   │ - ··platform:·'github',
    3   │ - ··repositories:·['kitos9112/dotfiles'],
    4   │ - ··includeForks:·true,
    5   │ - ··onboarding:·false,
    6   │ - ··requireConfig:·'optional',
    7   │ - ··gitAuthor:·'henry-pa-bot·<166536+henry-bot[bot]@users.noreply.github.com>',
      2 │ + → platform:·"github",
      3 │ + → repositories:·["kitos9112/dotfiles"],
      4 │ + → includeForks:·true,
      5 │ + → onboarding:·false,
      6 │ + → requireConfig:·"optional",
      7 │ + → gitAuthor:·"henry-pa-bot·<166536+henry-bot[bot]@users.noreply.github.com>",
    8 8 │   };
    9 9 │


format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some errors were emitted while running checks.

BIOME_LINT
Checked 5 files in 21ms. No fixes applied.
Found 1 warning.
home/dot_hyper.js:1:1 lint/suspicious/noRedundantUseStrict  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! Redundant use strict directive.

  > 1 │ "use strict";
      │ ^^^^^^^^^^^^^
    2 │ // Future versions of Hyper may add additional config options,
    3 │ // which will not automatically be merged into this file.

  i The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.

  i Safe fix: Remove the redundant use strict directive.

    1 │ "use·strict";
      │ -------------

lint ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some warnings were emitted while running checks.

CHECKOV
dockerfile scan results:

Passed checks: 250, Failed checks: 6, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/almalinux-9/Dockerfile.
	File: /tests/almalinux-9/Dockerfile:1-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM almalinux:9
		2  |
		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all
		12 |
		13 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa && \
		14 |     echo "docker-qa ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
		15 |
		16 | USER docker-qa
		17 |
		18 | COPY ./ /home/docker-qa/.dotfiles
		19 |
		20 | WORKDIR /home/docker-qa
		21 |
		22 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/ubuntu-24.04/Dockerfile.
	File: /tests/ubuntu-24.04/Dockerfile:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM ubuntu:24.04
		2  |
		3  | ENV GIT_REPO=https://github.com/kitos9112/dotfiles.git
		4  | ENV DEBIAN_FRONTEND=noninteractive
		5  |
		6  | RUN apt-get update && \
		7  |     DEBIAN_FRONTEND=noninteractive apt-get install -y \
		8  |     curl \
		9  |     iproute2 \
		10 |     file \
		11 |     git \
		12 |     sudo
		13 |
		14 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa  && \
		15 |     echo "docker-qa ALL=NOPASSWD: ALL" >> /etc/sudoers
		16 |
		17 | USER docker-qa
		18 |
		19 | COPY --chown=docker-qa:docker-qa ./ /home/docker-qa/.dotfiles
		20 |
		21 | WORKDIR /home/docker-qa
		22 |
		23 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/almalinux-10/Dockerfile.
	File: /tests/almalinux-10/Dockerfile:1-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM almalinux:10
		2  |
		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all
		12 |
		13 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa && \
		14 |     echo "docker-qa ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
		15 |
		16 | USER docker-qa
		17 |
		18 | COPY ./ /home/docker-qa/.dotfiles
		19 |
		20 | WORKDIR /home/docker-qa
		21 |
		22 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/ubuntu-25.10/Dockerfile.
	File: /tests/ubuntu-25.10/Dockerfile:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM ubuntu:25.10
		2  |
		3  | ENV GIT_REPO=https://github.com/kitos9112/dotfiles.git
		4  | ENV DEBIAN_FRONTEND=noninteractive
		5  |
		6  | RUN apt-get update && \
		7  |     DEBIAN_FRONTEND=noninteractive apt-get install -y \
		8  |     curl \
		9  |     file \
		10 |     git \
		11 |     iproute2 \
		12 |     sudo
		13 |
		14 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa  && \
		15 |     echo "docker-qa ALL=NOPASSWD: ALL" >> /etc/sudoers
		16 |
		17 | USER docker-qa
		18 |
		19 | COPY --chown=docker-qa:docker-qa ./ /home/docker-qa/.dotfiles
		20 |
		21 | WORKDIR /home/docker-qa
		22 |
		23 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
	FAILED for resource: /tests/almalinux-9/Dockerfile.RUN
	File: /tests/almalinux-9/Dockerfile:3-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo

		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all

Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
	FAILED for resource: /tests/almalinux-10/Dockerfile.RUN
	File: /tests/almalinux-10/Dockerfile:3-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo

		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all

github_actions scan results:

Passed checks: 95, Failed checks: 5, Skipped checks: 0

Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
	FAILED for resource: on(Schedule/Push - Renovate)
	File: /.github/workflows/renovate.yaml:7-16

		7  |       dryRun:
		8  |         description: "Dry-Run"
		9  |         default: "true"
		10 |         required: false
		11 |       logLevel:
		12 |         description: "Log-Level"
		13 |         default: "debug"
		14 |         required: false
		15 |   schedule:
		16 |     - cron: "*/10 * * * *"

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Schedule/Push - Renovate)
	File: /.github/workflows/renovate.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Create GH issues based on TODO comments)
	File: /.github/workflows/todo2github-issues.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Acceptance Tests)
	File: /.github/workflows/acceptance-tests.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(lint YAML and Shell)
	File: /.github/workflows/linters.yaml:0-1
GITHUB_ACTIONS_ZIZMOR
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:27:9
   |
27 |         - name: Checkout
   |  _________^
28 | |         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
   | |____________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

help[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:62:9
   |
62 |         - name: Checkout
   |  _________^
63 | |         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
   | |____________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:2:1
   |
 2 | / name: Acceptance Tests
 3 | |
 4 | | on:
 5 | |   pull_request:
...  |
80 | |           chezmoi init --apply --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
81 | |           chezmoi verify --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
   | |___________________________________________________________________________________^ default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:14:3
   |
14 | /   linux:
15 | |     name: Linux Smoke (${{ matrix.os }})
16 | |     runs-on: ubuntu-24.04
...  |
53 | |           priority: "-1" # low priority - no sound or vibration generated
54 | |         if: failure() && github.event_name == 'schedule'
   | |                                                        ^
   | |                                                        |
   | |________________________________________________________this job
   |                                                          default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:56:3
   |
56 | /   macos:
57 | |     name: macOS Smoke
58 | |     runs-on: macos-26
59 | |     env:
...  |
80 | |           chezmoi init --apply --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
81 | |           chezmoi verify --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
   | |                                                                                   ^
   | |                                                                                   |
   | |___________________________________________________________________________________this job
   |                                                                                     default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:31:15
   |
31 |         uses: docker/setup-buildx-action@v4
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:34:15
   |
34 |         uses: docker/build-push-action@v7
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:43:15
   |
43 |         uses: umahmood/pushover-actions@main
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:45:31
   |
14 |   linux:
   |   ----- this job
...
45 |           PUSHOVER_TOKEN: ${{ secrets.PUSHOVER_TOKEN }}
   |                               ^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:46:30
   |
14 |   linux:
   |   ----- this job
...
46 |           PUSHOVER_USER: ${{ secrets.PUSHOVER_USER }}
   |                              ^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

12 findings (2 suppressed, 5 fixable): 0 informational, 2 low, 5 medium, 3 high
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/acceptance-tests.yaml
JSCPD
Clone found (markdown):
 - /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [855:1 - 869:10] (14 lines, 71 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [775:1 - 788:5]

Clone found (markdown):
 - /github/workspace/README.md [49:1 - 66:17] (17 lines, 172 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [745:1 - 759:4]

Clone found (markdown):
 - /github/workspace/README.md [116:1 - 140:3] (24 lines, 125 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [767:1 - 788:5]

Clone found (markdown):
 - /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [855:1 - 869:10] (14 lines, 71 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [775:1 - 788:5]

 855 │ 775 │ {tmp_home}/.local/share" \
 856 │ 776 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 857 │ 777 │ XDG_CACHE_HOME="${tmp_home}/.cache" \
 858 │ 778 │ DOTFILES_TEST=true \
 859 │ 779 │ chezmoi init --apply --source "$(pwd)" --exclude scripts --no-tty
 860 │ 780 │
 861 │ 781 │ HOME="${tmp_home}" \
 862 │ 782 │ XDG_CONFIG_HOME="${tmp_home}/.config" \
 863 │ 783 │ XDG_DATA_HOME="${tmp_home}/.local/share" \
 864 │ 784 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 865 │ 785 │ XDG

Clone found (markdown):
 - /github/workspace/README.md [49:1 - 66:17] (17 lines, 172 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [745:1 - 759:4]

 49 │ 745 │  with `chezmoi`
 50 │ 746 │
 51 │ 747 │ Leveraging off-the-shelf `Chezmoi` capabilities
 52 │ 748 │
 53 │ 749 │ ```bash
 54 │ 750 │ chezmoi init --apply --verbose https://github.com/kitos9112/dotfiles.git
 55 │ 751 │ ```
 56 │ 752 │
 57 │ 753 │ ### Installer controls
 58 │ 754 │
 59 │ 755 │ The root `install` script accepts environment variables for test and recovery
 60 │ 756 │ flows:
 61 │ 757 │
 62 │ 758 │ - `DOTFILES_SOURCE` uses a local source checkout instead of the remote repo.
 63 │ 759 │ - `DOTFILES_REPO` overrides the remote chezmoi repository.
 64 │ 760 │ - `DOTFILES_ONE_SHOT=true` passes `--one-shot` instead of `--apply`.
 65 │ 761 │ - `DOTFILES_CHEZMOI_INCLUDE` and `DOTFILES_CHEZMOI_EXCLUDE` pass include and
 66 │ 762 │   exclude filters to chezmoi.
 67 │ 763 │ - `DOTFILES_NO_TTY=true` passes `--no-tty`.
 68 │ 764 │ - `DOTFILES_VERBOSE=true` passes `--verbose`.
 69 │ 765 │ - `DOTFILES_DEBUG=true` passes `--debug`.
 70 │ 766 │ - `DOTFILES_RETRY_COUNT` and `DOTFILES_RETRY_DELAY` contro

Clone found (markdown):
 - /github/workspace/README.md [116:1 - 140:3] (24 lines, 125 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [767:1 - 788:5]

 116 │ 767 │ IG_HOME="${tmp_home}/.config" \
 117 │ 768 │ XDG_DATA_HOME="${tmp_home}/.local/share" \
 118 │ 769 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 119 │ 770 │ XDG_CACHE_HOME="${tmp_home}/.cache" \
 120 │ 771 │ DOTFILES_TEST=true chezmoi init --apply --source "$(pwd)" --exclude scripts --no-tty
 121 │ 772 │ ```
 122 │ 773 │
 123 │ 774 │ To validate hooks locally through `uv`, run:
 124 │ 775 │
 125 │ 776 │ ```bash
 126 │ 777 │ uvx pre-commit run --all-files
 127 │ 778 │ ```
 128 │ 779 │
 129 │ 780 │ To validate the root installer path locally without running mutating scripts:
 130 │ 781 │
 131 │ 782 │ ```bash
 132 │ 783 │ tmp_home="$(mktemp -d)"
 133 │ 784 │ HOME="${tmp_home}" \
 134 │ 785 │ XDG_CONFIG_HOME="${tmp_home}/.config" \
 135 │ 786 │ XDG

Found 3 clones.
Error: ERROR: jscpd found too many duplicates (1.96%) over threshold (0%)
    at ThresholdReporter.report (/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node_modules/jscpd/dist/bin/jscpd.js:9:5
ERROR: jscpd found too many duplicates (1.96%) over threshold (0%)
TRIVY

Report Summary

┌───────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│            Target             │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/almalinux-10/Dockerfile │ dockerfile │        -        │         1         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/almalinux-9/Dockerfile  │ dockerfile │        -        │         1         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/ubuntu-24.04/Dockerfile │ dockerfile │        -        │         2         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/ubuntu-25.10/Dockerfile │ dockerfile │        -        │         2         │    -    │
└───────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


tests/almalinux-10/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



tests/almalinux-9/Dockerfile (dockerfile)
=========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



tests/ubuntu-24.04/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


DS-0029 (HIGH): '--no-install-recommends' flag is missed: 'apt-get update &&     DEBIAN_FRONTEND=noninteractive apt-get install -y     curl     iproute2     file     git     sudo'
════════════════════════════════════════
'apt-get' install should use '--no-install-recommends' to minimize image size.

See https://avd.aquasec.com/misconfig/ds-0029
────────────────────────────────────────
 tests/ubuntu-24.04/Dockerfile:6-12
────────────────────────────────────────
   6 ┌ RUN apt-get update && \
   7 │     DEBIAN_FRONTEND=noninteractive apt-get install -y \
   8 │     curl \
   9 │     iproute2 \
  10 │     file \
  11 │     git \
  12 └     sudo
────────────────────────────────────────



tests/ubuntu-25.10/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


DS-0029 (HIGH): '--no-install-recommends' flag is missed: 'apt-get update &&     DEBIAN_FRONTEND=noninteractive apt-get install -y     curl     file     git     iproute2     sudo'
════════════════════════════════════════
'apt-get' install should use '--no-install-recommends' to minimize image size.

See https://avd.aquasec.com/misconfig/ds-0029
────────────────────────────────────────
 tests/ubuntu-25.10/Dockerfile:6-12
────────────────────────────────────────
   6 ┌ RUN apt-get update && \
   7 │     DEBIAN_FRONTEND=noninteractive apt-get install -y \
   8 │     curl \
   9 │     file \
  10 │     git \
  11 │     iproute2 \
  12 └     sudo
────────────────────────────────────────


@renovate renovate Bot force-pushed the renovate/macos-26.x branch from 32932ee to 03eb27d May 28, 2026 21:09
@henry-pa-bot

henry-pa-bot Bot commented May 28, 2026


Super-linter summary

Language Validation result
BIOME_FORMAT Fail ❌
BIOME_LINT Fail ❌
CHECKOV Fail ❌
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Fail ❌
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Fail ❌
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

BIOME_FORMAT
Checked 5 files in 11ms. No fixes applied.
Found 5 errors.

.vscode/extensions.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

     1  1 │   {
     2    │ - ··"recommendations":·[
     3    │ - ····"mads-hartmann.bash-ide-vscode",
     4    │ - ····"timonwong.shellcheck",
     5    │ - ····"foxundermoon.shell-format",
     6    │ - ····"editorconfig.editorconfig",
     7    │ - ····"ms-kubernetes-tools.vscode-kubernetes-tools",
     8    │ - ····"tim-koehler.helm-intellisense"
     9    │ - ··]
    10    │ - }
        2 │ + → "recommendations":·[
        3 │ + → → "mads-hartmann.bash-ide-vscode",
        4 │ + → → "timonwong.shellcheck",
        5 │ + → → "foxundermoon.shell-format",
        6 │ + → → "editorconfig.editorconfig",
        7 │ + → → "ms-kubernetes-tools.vscode-kubernetes-tools",
        8 │ + → → "tim-koehler.helm-intellisense"
        9 │ + → ]
       10 │ + }
       11 │ +


.vscode/launch.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

     1  1 │   {
     2    │ - ··"version":·"0.2.0",
     3    │ - ··"configurations":·[
     4    │ - ····{
     5    │ - ······"type":·"bashdb",
     6    │ - ······"request":·"launch",
     7    │ - ······"name":·"Bash-Debug·(simplest·configuration)",
     8    │ - ······"program":·"${file}"
     9    │ - ····}
    10    │ - ··]
    11    │ - }
        2 │ + → "version":·"0.2.0",
        3 │ + → "configurations":·[
        4 │ + → → {
        5 │ + → → → "type":·"bashdb",
        6 │ + → → → "request":·"launch",
        7 │ + → → → "name":·"Bash-Debug·(simplest·configuration)",
        8 │ + → → → "program":·"${file}"
        9 │ + → → }
       10 │ + → ]
       11 │ + }
       12 │ +


.vscode/settings.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

    1   │ - {
    2   │ - }
      1 │ + {}
      2 │ +


home/dot_hyper.js format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

      4   4 │   // See https://hyper.is#cfg for all currently supported options.
      5   5 │   module.exports = {
      6     │ - ····config:·{
      7     │ - ········//·choose·either·`'stable'`·for·receiving·highly·polished,
      8     │ - ········//·or·`'canary'`·for·less·polished·but·more·frequent·updates
      9     │ - ········updateChannel:·'stable',
     10     │ - ········//·default·font·size·in·pixels·for·all·tabs
     11     │ - ········fontSize:·12,
     12     │ - ········//·font·family·with·optional·fallbacks
     13     │ - ········fontFamily:·'FiraMono·Nerd·Font',
     14     │ - ········//·default·font·weight:·'normal'·or·'bold'
     15     │ - ········fontWeight:·'normal',
     16     │ - ········//·font·weight·for·bold·characters:·'normal'·or·'bold'
     17     │ - ········fontWeightBold:·'bold',
     18     │ - ········//·line·height·as·a·relative·unit
     19     │ - ········lineHeight:·1,
     20     │ - ········//·letter·spacing·as·a·relative·unit
     21     │ - ········letterSpacing:·0,
     22     │ - ········//·terminal·cursor·background·color·and·opacity·(hex,·rgb,·hsl,·hsv,·hwb·or·cmyk)
     23     │ - ········cursorColor:·'rgba(248,28,229,0.8)',
     24     │ - ········//·terminal·text·color·under·BLOCK·cursor
     25     │ - ········cursorAccentColor:·'#000',
     26     │ - ········//·`'BEAM'`·for·|,·`'UNDERLINE'`·for·_,·`'BLOCK'`·for·█
     27     │ - ········cursorShape:·'BLOCK',
     28     │ - ········//·set·to·`true`·(without·backticks·and·without·quotes)·for·blinking·cursor
     29     │ - ········cursorBlink:·false,
     30     │ - ········//·color·of·the·text
     31     │ - ········foregroundColor:·'#fff',
     32     │ - ········//·terminal·background·color
     33     │ - ········//·opacity·is·only·supported·on·macOS
     34     │ - ········backgroundColor:·'#000',
     35     │ - ········//·terminal·selection·color
     36     │ - ········selectionColor:·'rgba(248,28,229,0.3)',
     37     │ - ········//·border·color·(window,·tabs)
     38     │ - ········borderColor:·'#333',
     39     │ - ········//·custom·CSS·to·embed·in·the·main·window
     40     │ - ········css:·'',
     41     │ - ········//·custom·CSS·to·embed·in·the·terminal·window
     42     │ - ········termCSS:·'',
     43     │ - ········//·set·custom·startup·directory·(must·be·an·absolute·path)
     44     │ - ········workingDirectory:·'',
     45     │ - ········//·if·you're·using·a·Linux·setup·which·show·native·menus,·set·to·false
     46     │ - ········//·default:·`true`·on·Linux,·`true`·on·Windows,·ignored·on·macOS
     47     │ - ········showHamburgerMenu:·'',
     48     │ - ········//·set·to·`false`·(without·backticks·and·without·quotes)·if·you·want·to·hide·the·minimize,·maximize·and·close·buttons
     49     │ - ········//·additionally,·set·to·`'left'`·if·you·want·them·on·the·left,·like·in·Ubuntu
     50     │ - ········//·default:·`true`·(without·backticks·and·without·quotes)·on·Windows·and·Linux,·ignored·on·macOS
     51     │ - ········showWindowControls:·'',
     52     │ - ········//·custom·padding·(CSS·format,·i.e.:·`top·right·bottom·left`)
     53     │ - ········padding:·'12px·14px',
     54     │ - ········//·the·full·list.·if·you're·going·to·provide·the·full·color·palette,
     55     │ - ········//·including·the·6·x·6·color·cubes·and·the·grayscale·map,·just·provide
     56     │ - ········//·an·array·here·instead·of·a·color·map·object
     57     │ - ········colors:·{
     58     │ - ············black:·'#000000',
     59     │ - ············red:·'#C51E14',
     60     │ - ············green:·'#1DC121',
     61     │ - ············yellow:·'#C7C329',
     62     │ - ············blue:·'#0A2FC4',
     63     │ - ············magenta:·'#C839C5',
     64     │ - ············cyan:·'#20C5C6',
     65     │ - ············white:·'#C7C7C7',
     66     │ - ············lightBlack:·'#686868',
     67     │ - ············lightRed:·'#FD6F6B',
     68     │ - ············lightGreen:·'#67F86F',
     69     │ - ············lightYellow:·'#FFFA72',
     70     │ - ············lightBlue:·'#6A76FB',
     71     │ - ············lightMagenta:·'#FD7CFC',
     72     │ - ············lightCyan:·'#68FDFE',
     73     │ - ············lightWhite:·'#FFFFFF',
     74     │ - ············limeGreen:·'#32CD32',
     75     │ - ············lightCoral:·'#F08080',
     76     │ - ········},
     77     │ - ········//·the·shell·to·run·when·spawning·a·new·session·(i.e.·/usr/local/bin/fish)
     78     │ - ········//·if·left·empty,·your·system's·login·shell·will·be·used·by·default
     79     │ - ········//
     80     │ - ········//·Windows
     81     │ - ········//·-·Make·sure·to·use·a·full·path·if·the·binary·name·doesn't·work
     82     │ - ········//·-·Remove·`--login`·in·shellArgs
     83     │ - ········//
     84     │ - ········//·Windows·Subsystem·for·Linux·(WSL)·-·previously·Bash·on·Windows
     85     │ - ········//·-·Example:·`C:\\Windows\\System32\\wsl.exe`
     86     │ - ········//
     87     │ - ········//·Git-bash·on·Windows
     88     │ - ········//·-·Example:·`C:\\Program·Files\\Git\\bin\\bash.exe`
     89     │ - ········//
     90     │ - ········//·PowerShell·on·Windows
     91     │ - ········//·-·Example:·`C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`
     92     │ - ········//
     93     │ - ········//·Cygwin
     94     │ - ········//·-·Example:·`C:\\cygwin64\\bin\\bash.exe`
     95     │ - ········shell:·'zsh',
     96     │ - ········//·for·setting·shell·arguments·(i.e.·for·using·interactive·shellArgs:·`['-i']`)
     97     │ - ········//·by·default·`['--login']`·will·be·used
     98     │ - ········shellArgs:·['--login'],
     99     │ - ········//·for·environment·variables
    100     │ - ········env:·{},
    101     │ - ········//·Supported·Options:
    102     │ - ········//··1.·'SOUND'·->·Enables·the·bell·as·a·sound
    103     │ - ········//··2.·false:·turns·off·the·bell
    104     │ - ········bell:·'SOUND',
    105     │ - ········//·An·absolute·file·path·to·a·sound·file·on·the·machine.
    106     │ - ········//·bellSoundURL:·'/path/to/sound/file',
    107     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·selected·text·will·automatically·be·copied·to·the·clipboard
    108     │ - ········copyOnSelect:·false,
    109     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·hyper·will·be·set·as·the·default·protocol·client·for·SSH
    110     │ - ········defaultSSHApp:·true,
    111     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·on·right·click·selected·text·will·be·copied·or·pasted·if·no
    112     │ - ········//·selection·is·present·(`true`·by·default·on·Windows·and·disables·the·context·menu·feature)
    113     │ - ········quickEdit:·false,
    114     │ - ········//·choose·either·`'vertical'`,·if·you·want·the·column·mode·when·Option·key·is·hold·during·selection·(Default)
    115     │ - ········//·or·`'force'`,·if·you·want·to·force·selection·regardless·of·whether·the·terminal·is·in·mouse·events·mode
    116     │ - ········//·(inside·tmux·or·vim·with·mouse·mode·enabled·for·example).
    117     │ - ········macOptionSelectionMode:·'vertical',
    118     │ - ········//·Whether·to·use·the·WebGL·renderer.·Set·it·to·false·to·use·canvas-based
    119     │ - ········//·rendering·(slower,·but·supports·transparent·backgrounds)
    120     │ - ········webGLRenderer:·true,
    121     │ - ········//·keypress·required·for·weblink·activation:·[ctrl|alt|meta|shift]
    122     │ - ········//·todo:·does·not·pick·up·config·changes·automatically,·need·to·restart·terminal·:/
    123     │ - ········webLinksActivationKey:·'',
    124     │ - ········//·if·`false`·(without·backticks·and·without·quotes),·Hyper·will·use·ligatures·provided·by·some·fonts
    125     │ - ········disableLigatures:·true,
    126     │ - ········//·set·to·true·to·disable·auto·updates
    127     │ - ········disableAutoUpdates:·false,
    128     │ - ········//·set·to·true·to·enable·screen·reading·apps·(like·NVDA)·to·read·the·contents·of·the·terminal
    129     │ - ········screenReaderMode:·false,
    130     │ - ········//·set·to·true·to·preserve·working·directory·when·creating·splits·or·tabs
    131     │ - ········preserveCWD:·true,
    132     │ - ········//·for·advanced·config·flags·please·refer·to·https://hyper.is/#cfg
    133     │ - ····},
    134     │ - ····//·a·list·of·plugins·to·fetch·and·install·from·npm
    135     │ - ····//·format:·[@org/]project[#version]
    136     │ - ····//·examples:
    137     │ - ····//···`hyperpower`
    138     │ - ····//···`@company/project`
    139     │ - ····//···`project#1.0.1`
    140     │ - ····plugins:·[],
    141     │ - ····//·in·development,·you·can·create·a·directory·under
    142     │ - ····//·`~/.hyper_plugins/local/`·and·include·it·here
    143     │ - ····//·to·load·it·and·avoid·it·being·`npm·install`ed
    144     │ - ····localPlugins:·[],
    145     │ - ····keymaps:·{
    146     │ - ········//·Example
    147     │ - ········//·'window:devtools':·'cmd+alt+o',
    148     │ - ····},
          6 │ + → config:·{
          7 │ + → → //·choose·either·`'stable'`·for·receiving·highly·polished,
          8 │ + → → //·or·`'canary'`·for·less·polished·but·more·frequent·updates
          9 │ + → → updateChannel:·"stable",
         10 │ + → → //·default·font·size·in·pixels·for·all·tabs
  142 more lines truncated


tests/renovate-bot/local-config.js format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

    1 1 │   module.exports = {
    2   │ - ··platform:·'github',
    3   │ - ··repositories:·['kitos9112/dotfiles'],
    4   │ - ··includeForks:·true,
    5   │ - ··onboarding:·false,
    6   │ - ··requireConfig:·'optional',
    7   │ - ··gitAuthor:·'henry-pa-bot·<166536+henry-bot[bot]@users.noreply.github.com>',
      2 │ + → platform:·"github",
      3 │ + → repositories:·["kitos9112/dotfiles"],
      4 │ + → includeForks:·true,
      5 │ + → onboarding:·false,
      6 │ + → requireConfig:·"optional",
      7 │ + → gitAuthor:·"henry-pa-bot·<166536+henry-bot[bot]@users.noreply.github.com>",
    8 8 │   };
    9 9 │


format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some errors were emitted while running checks.

BIOME_LINT
Checked 5 files in 24ms. No fixes applied.
Found 1 warning.

home/dot_hyper.js:1:1 lint/suspicious/noRedundantUseStrict  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! Redundant use strict directive.

  > 1 │ "use strict";
      │ ^^^^^^^^^^^^^
    2 │ // Future versions of Hyper may add additional config options,
    3 │ // which will not automatically be merged into this file.

  i The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.

  i Safe fix: Remove the redundant use strict directive.

    1 │ "use·strict";
      │ -------------

lint ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some warnings were emitted while running checks.

CHECKOV
dockerfile scan results:

Passed checks: 250, Failed checks: 6, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/almalinux-10/Dockerfile.
	File: /tests/almalinux-10/Dockerfile:1-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM almalinux:10
		2  |
		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all
		12 |
		13 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa && \
		14 |     echo "docker-qa ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
		15 |
		16 | USER docker-qa
		17 |
		18 | COPY ./ /home/docker-qa/.dotfiles
		19 |
		20 | WORKDIR /home/docker-qa
		21 |
		22 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/ubuntu-25.10/Dockerfile.
	File: /tests/ubuntu-25.10/Dockerfile:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM ubuntu:25.10
		2  |
		3  | ENV GIT_REPO=https://github.com/kitos9112/dotfiles.git
		4  | ENV DEBIAN_FRONTEND=noninteractive
		5  |
		6  | RUN apt-get update && \
		7  |     DEBIAN_FRONTEND=noninteractive apt-get install -y \
		8  |     curl \
		9  |     file \
		10 |     git \
		11 |     iproute2 \
		12 |     sudo
		13 |
		14 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa  && \
		15 |     echo "docker-qa ALL=NOPASSWD: ALL" >> /etc/sudoers
		16 |
		17 | USER docker-qa
		18 |
		19 | COPY --chown=docker-qa:docker-qa ./ /home/docker-qa/.dotfiles
		20 |
		21 | WORKDIR /home/docker-qa
		22 |
		23 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/almalinux-9/Dockerfile.
	File: /tests/almalinux-9/Dockerfile:1-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM almalinux:9
		2  |
		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all
		12 |
		13 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa && \
		14 |     echo "docker-qa ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
		15 |
		16 | USER docker-qa
		17 |
		18 | COPY ./ /home/docker-qa/.dotfiles
		19 |
		20 | WORKDIR /home/docker-qa
		21 |
		22 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/ubuntu-24.04/Dockerfile.
	File: /tests/ubuntu-24.04/Dockerfile:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM ubuntu:24.04
		2  |
		3  | ENV GIT_REPO=https://github.com/kitos9112/dotfiles.git
		4  | ENV DEBIAN_FRONTEND=noninteractive
		5  |
		6  | RUN apt-get update && \
		7  |     DEBIAN_FRONTEND=noninteractive apt-get install -y \
		8  |     curl \
		9  |     iproute2 \
		10 |     file \
		11 |     git \
		12 |     sudo
		13 |
		14 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa  && \
		15 |     echo "docker-qa ALL=NOPASSWD: ALL" >> /etc/sudoers
		16 |
		17 | USER docker-qa
		18 |
		19 | COPY --chown=docker-qa:docker-qa ./ /home/docker-qa/.dotfiles
		20 |
		21 | WORKDIR /home/docker-qa
		22 |
		23 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
	FAILED for resource: /tests/almalinux-10/Dockerfile.RUN
	File: /tests/almalinux-10/Dockerfile:3-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo

		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all

Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
	FAILED for resource: /tests/almalinux-9/Dockerfile.RUN
	File: /tests/almalinux-9/Dockerfile:3-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo

		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all

github_actions scan results:

Passed checks: 95, Failed checks: 5, Skipped checks: 0

Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
	FAILED for resource: on(Schedule/Push - Renovate)
	File: /.github/workflows/renovate.yaml:7-16

		7  |       dryRun:
		8  |         description: "Dry-Run"
		9  |         default: "true"
		10 |         required: false
		11 |       logLevel:
		12 |         description: "Log-Level"
		13 |         default: "debug"
		14 |         required: false
		15 |   schedule:
		16 |     - cron: "*/10 * * * *"

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Acceptance Tests)
	File: /.github/workflows/acceptance-tests.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Create GH issues based on TODO comments)
	File: /.github/workflows/todo2github-issues.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Schedule/Push - Renovate)
	File: /.github/workflows/renovate.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(lint YAML and Shell)
	File: /.github/workflows/linters.yaml:0-1
GITHUB_ACTIONS_ZIZMOR
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:27:9
   |
27 |         - name: Checkout
   |  _________^
28 | |         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
   | |____________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

help[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:62:9
   |
62 |         - name: Checkout
   |  _________^
63 | |         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
   | |____________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:2:1
   |
 2 | / name: Acceptance Tests
 3 | |
 4 | | on:
 5 | |   pull_request:
...  |
80 | |           chezmoi init --apply --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
81 | |           chezmoi verify --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
   | |___________________________________________________________________________________^ default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:14:3
   |
14 | /   linux:
15 | |     name: Linux Smoke (${{ matrix.os }})
16 | |     runs-on: ubuntu-24.04
...  |
53 | |           priority: "-1" # low priority - no sound or vibration generated
54 | |         if: failure() && github.event_name == 'schedule'
   | |                                                        ^
   | |                                                        |
   | |________________________________________________________this job
   |                                                          default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:56:3
   |
56 | /   macos:
57 | |     name: macOS Smoke
58 | |     runs-on: macos-26
59 | |     env:
...  |
80 | |           chezmoi init --apply --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
81 | |           chezmoi verify --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
   | |                                                                                   ^
   | |                                                                                   |
   | |___________________________________________________________________________________this job
   |                                                                                     default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:31:15
   |
31 |         uses: docker/setup-buildx-action@v4
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:34:15
   |
34 |         uses: docker/build-push-action@v7
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:43:15
   |
43 |         uses: umahmood/pushover-actions@main
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:45:31
   |
14 |   linux:
   |   ----- this job
...
45 |           PUSHOVER_TOKEN: ${{ secrets.PUSHOVER_TOKEN }}
   |                               ^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:46:30
   |
14 |   linux:
   |   ----- this job
...
46 |           PUSHOVER_USER: ${{ secrets.PUSHOVER_USER }}
   |                              ^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

12 findings (2 suppressed, 5 fixable): 0 informational, 2 low, 5 medium, 3 high
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/acceptance-tests.yaml
JSCPD
Clone found (markdown):
 - /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [855:1 - 869:10] (14 lines, 71 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [775:1 - 788:5]

Clone found (markdown):
 - /github/workspace/README.md [49:1 - 66:17] (17 lines, 172 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [745:1 - 759:4]

Clone found (markdown):
 - /github/workspace/README.md [116:1 - 140:3] (24 lines, 125 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [767:1 - 788:5]

Clone found (markdown):
 - /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [855:1 - 869:10] (14 lines, 71 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [775:1 - 788:5]

 855 │ 775 │ {tmp_home}/.local/share" \
 856 │ 776 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 857 │ 777 │ XDG_CACHE_HOME="${tmp_home}/.cache" \
 858 │ 778 │ DOTFILES_TEST=true \
 859 │ 779 │ chezmoi init --apply --source "$(pwd)" --exclude scripts --no-tty
 860 │ 780 │
 861 │ 781 │ HOME="${tmp_home}" \
 862 │ 782 │ XDG_CONFIG_HOME="${tmp_home}/.config" \
 863 │ 783 │ XDG_DATA_HOME="${tmp_home}/.local/share" \
 864 │ 784 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 865 │ 785 │ XDG

Clone found (markdown):
 - /github/workspace/README.md [49:1 - 66:17] (17 lines, 172 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [745:1 - 759:4]

 49 │ 745 │  with `chezmoi`
 50 │ 746 │
 51 │ 747 │ Leveraging off-the-shelf `Chezmoi` capabilities
 52 │ 748 │
 53 │ 749 │ ```bash
 54 │ 750 │ chezmoi init --apply --verbose https://github.com/kitos9112/dotfiles.git
 55 │ 751 │ ```
 56 │ 752 │
 57 │ 753 │ ### Installer controls
 58 │ 754 │
 59 │ 755 │ The root `install` script accepts environment variables for test and recovery
 60 │ 756 │ flows:
 61 │ 757 │
 62 │ 758 │ - `DOTFILES_SOURCE` uses a local source checkout instead of the remote repo.
 63 │ 759 │ - `DOTFILES_REPO` overrides the remote chezmoi repository.
 64 │ 760 │ - `DOTFILES_ONE_SHOT=true` passes `--one-shot` instead of `--apply`.
 65 │ 761 │ - `DOTFILES_CHEZMOI_INCLUDE` and `DOTFILES_CHEZMOI_EXCLUDE` pass include and
 66 │ 762 │   exclude filters to chezmoi.
 67 │ 763 │ - `DOTFILES_NO_TTY=true` passes `--no-tty`.
 68 │ 764 │ - `DOTFILES_VERBOSE=true` passes `--verbose`.
 69 │ 765 │ - `DOTFILES_DEBUG=true` passes `--debug`.
 70 │ 766 │ - `DOTFILES_RETRY_COUNT` and `DOTFILES_RETRY_DELAY` contro

Clone found (markdown):
 - /github/workspace/README.md [116:1 - 140:3] (24 lines, 125 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [767:1 - 788:5]

 116 │ 767 │ IG_HOME="${tmp_home}/.config" \
 117 │ 768 │ XDG_DATA_HOME="${tmp_home}/.local/share" \
 118 │ 769 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 119 │ 770 │ XDG_CACHE_HOME="${tmp_home}/.cache" \
 120 │ 771 │ DOTFILES_TEST=true chezmoi init --apply --source "$(pwd)" --exclude scripts --no-tty
 121 │ 772 │ ```
 122 │ 773 │
 123 │ 774 │ To validate hooks locally through `uv`, run:
 124 │ 775 │
 125 │ 776 │ ```bash
 126 │ 777 │ uvx pre-commit run --all-files
 127 │ 778 │ ```
 128 │ 779 │
 129 │ 780 │ To validate the root installer path locally without running mutating scripts:
 130 │ 781 │
 131 │ 782 │ ```bash
 132 │ 783 │ tmp_home="$(mktemp -d)"
 133 │ 784 │ HOME="${tmp_home}" \
 134 │ 785 │ XDG_CONFIG_HOME="${tmp_home}/.config" \
 135 │ 786 │ XDG

Found 3 clones.
Error: ERROR: jscpd found too many duplicates (1.96%) over threshold (0%)
    at ThresholdReporter.report (/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node_modules/jscpd/dist/bin/jscpd.js:9:5
ERROR: jscpd found too many duplicates (1.96%) over threshold (0%)
TRIVY

Report Summary

┌───────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│            Target             │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/almalinux-10/Dockerfile │ dockerfile │        -        │         1         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/almalinux-9/Dockerfile  │ dockerfile │        -        │         1         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/ubuntu-24.04/Dockerfile │ dockerfile │        -        │         2         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/ubuntu-25.10/Dockerfile │ dockerfile │        -        │         2         │    -    │
└───────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


tests/almalinux-10/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



tests/almalinux-9/Dockerfile (dockerfile)
=========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



tests/ubuntu-24.04/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


DS-0029 (HIGH): '--no-install-recommends' flag is missed: 'apt-get update &&     DEBIAN_FRONTEND=noninteractive apt-get install -y     curl     iproute2     file     git     sudo'
════════════════════════════════════════
'apt-get' install should use '--no-install-recommends' to minimize image size.

See https://avd.aquasec.com/misconfig/ds-0029
────────────────────────────────────────
 tests/ubuntu-24.04/Dockerfile:6-12
────────────────────────────────────────
   6 ┌ RUN apt-get update && \
   7 │     DEBIAN_FRONTEND=noninteractive apt-get install -y \
   8 │     curl \
   9 │     iproute2 \
  10 │     file \
  11 │     git \
  12 └     sudo
────────────────────────────────────────



tests/ubuntu-25.10/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


DS-0029 (HIGH): '--no-install-recommends' flag is missed: 'apt-get update &&     DEBIAN_FRONTEND=noninteractive apt-get install -y     curl     file     git     iproute2     sudo'
════════════════════════════════════════
'apt-get' install should use '--no-install-recommends' to minimize image size.

See https://avd.aquasec.com/misconfig/ds-0029
────────────────────────────────────────
 tests/ubuntu-25.10/Dockerfile:6-12
────────────────────────────────────────
   6 ┌ RUN apt-get update && \
   7 │     DEBIAN_FRONTEND=noninteractive apt-get install -y \
   8 │     curl \
   9 │     file \
  10 │     git \
  11 │     iproute2 \
  12 └     sudo
────────────────────────────────────────


@renovate renovate Bot force-pushed the renovate/macos-26.x branch from 03eb27d to 9df7d4a on June 11, 2026 16:35
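The zizmor and Checkov findings in the comment above all point at `.github/workflows/acceptance-tests.yaml` and amount to four changes: a `permissions:` block, `persist-credentials: false` on both checkouts, SHA-pinned third-party actions, and a dedicated environment for the Pushover secrets. The fragment below is an added illustration of those changes written for this review, not the repository's own workflow. It keeps only what the excerpts show (job names, runners, the pinned checkout SHA, the Pushover step, its secrets and the `if:` guard) and elides the rest. Assumptions: the environment name `notifications`, the `<full-commit-sha>` placeholders (resolve each tag with `gh api repos/OWNER/REPO/commits/TAG --jq .sha`, or accept zizmor's auto-fix, before committing), the cron expression, and that the Pushover step passes the two secrets through `env:` rather than `with:`, which the excerpt does not reveal.

```yaml
name: Acceptance Tests

on:
  pull_request:
  schedule:
    - cron: "<cron unchanged from the original>" # placeholder: not visible in the excerpt

# Workflow-level block: the GITHUB_TOKEN starts with no scopes at all and each job
# asks for what it needs. Clears CKV2_GHA_1 and the workflow-level excessive-permissions.
permissions: {}

jobs:
  linux:
    name: Linux Smoke (${{ matrix.os }})
    runs-on: ubuntu-24.04
    # strategy/matrix unchanged from the original (not shown in the excerpt)
    permissions:
      contents: read # enough to clone; a smoke test needs no write scope
    # Assumed environment name. Defining PUSHOVER_TOKEN/PUSHOVER_USER on an environment
    # instead of repository-wide lets protection rules gate which refs may read them
    # (secrets-outside-env).
    environment: notifications
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          # Otherwise the token stays in .git/config for every later step and for
          # anything that archives the workspace as an artifact (artipacked).
          persist-credentials: false

      # Pin third-party actions to a full commit SHA and keep the tag in a trailing
      # comment so Renovate's github-actions manager can still propose bumps
      # (unpinned-uses). <full-commit-sha> values are placeholders to resolve first.
      - uses: docker/setup-buildx-action@<full-commit-sha> # v4
      - uses: docker/build-push-action@<full-commit-sha> # v7
        # build inputs unchanged from the original step (not shown in the excerpt)

      - if: failure() && github.event_name == 'schedule'
        # @main is a mutable branch ref; pin the commit and record the ref it came from.
        uses: umahmood/pushover-actions@<full-commit-sha> # main
        env:
          PUSHOVER_TOKEN: ${{ secrets.PUSHOVER_TOKEN }}
          PUSHOVER_USER: ${{ secrets.PUSHOVER_USER }}
        with:
          priority: "-1" # low priority - no sound or vibration generated

  macos:
    name: macOS Smoke
    runs-on: macos-26
    permissions:
      contents: read
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
        with:
          persist-credentials: false
      # chezmoi init/verify steps unchanged from the original
```

Two practical notes. First, `permissions: {}` at the top plus `contents: read` per job is the least-privilege shape zizmor and Checkov both accept; a single top-level `contents: read` also clears the finding but grants the scope to every job, including any added later. Second, once the Pushover secrets live on the `notifications` environment they must be created there (repository settings, Environments) and removed from the repository-level secrets, otherwise the job still reads the broader copy and the `environment:` line gates nothing.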
henry-pa-bot Bot commented Jun 11, 2026

Contributor

Super-linter summary

Language Validation result
BIOME_FORMAT Fail ❌
BIOME_LINT Fail ❌
CHECKOV Fail ❌
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Fail ❌
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Fail ❌
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Fail ❌
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

BIOME_FORMAT
Checked 5 files in 19ms. No fixes applied.
Found 5 errors.

.vscode/extensions.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

     1  1 │   {
     2    │ - ··"recommendations":·[
     3    │ - ····"mads-hartmann.bash-ide-vscode",
     4    │ - ····"timonwong.shellcheck",
     5    │ - ····"foxundermoon.shell-format",
     6    │ - ····"editorconfig.editorconfig",
     7    │ - ····"ms-kubernetes-tools.vscode-kubernetes-tools",
     8    │ - ····"tim-koehler.helm-intellisense"
     9    │ - ··]
    10    │ - }
        2 │ + → "recommendations":·[
        3 │ + → → "mads-hartmann.bash-ide-vscode",
        4 │ + → → "timonwong.shellcheck",
        5 │ + → → "foxundermoon.shell-format",
        6 │ + → → "editorconfig.editorconfig",
        7 │ + → → "ms-kubernetes-tools.vscode-kubernetes-tools",
        8 │ + → → "tim-koehler.helm-intellisense"
        9 │ + → ]
       10 │ + }
       11 │ +


.vscode/launch.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

     1  1 │   {
     2    │ - ··"version":·"0.2.0",
     3    │ - ··"configurations":·[
     4    │ - ····{
     5    │ - ······"type":·"bashdb",
     6    │ - ······"request":·"launch",
     7    │ - ······"name":·"Bash-Debug·(simplest·configuration)",
     8    │ - ······"program":·"${file}"
     9    │ - ····}
    10    │ - ··]
    11    │ - }
        2 │ + → "version":·"0.2.0",
        3 │ + → "configurations":·[
        4 │ + → → {
        5 │ + → → → "type":·"bashdb",
        6 │ + → → → "request":·"launch",
        7 │ + → → → "name":·"Bash-Debug·(simplest·configuration)",
        8 │ + → → → "program":·"${file}"
        9 │ + → → }
       10 │ + → ]
       11 │ + }
       12 │ +


.vscode/settings.json format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

    1   │ - {
    2   │ - }
      1 │ + {}
      2 │ +


home/dot_hyper.js format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

      4   4 │   // See https://hyper.is#cfg for all currently supported options.
      5   5 │   module.exports = {
      6     │ - ····config:·{
      7     │ - ········//·choose·either·`'stable'`·for·receiving·highly·polished,
      8     │ - ········//·or·`'canary'`·for·less·polished·but·more·frequent·updates
      9     │ - ········updateChannel:·'stable',
     10     │ - ········//·default·font·size·in·pixels·for·all·tabs
     11     │ - ········fontSize:·12,
     12     │ - ········//·font·family·with·optional·fallbacks
     13     │ - ········fontFamily:·'FiraMono·Nerd·Font',
     14     │ - ········//·default·font·weight:·'normal'·or·'bold'
     15     │ - ········fontWeight:·'normal',
     16     │ - ········//·font·weight·for·bold·characters:·'normal'·or·'bold'
     17     │ - ········fontWeightBold:·'bold',
     18     │ - ········//·line·height·as·a·relative·unit
     19     │ - ········lineHeight:·1,
     20     │ - ········//·letter·spacing·as·a·relative·unit
     21     │ - ········letterSpacing:·0,
     22     │ - ········//·terminal·cursor·background·color·and·opacity·(hex,·rgb,·hsl,·hsv,·hwb·or·cmyk)
     23     │ - ········cursorColor:·'rgba(248,28,229,0.8)',
     24     │ - ········//·terminal·text·color·under·BLOCK·cursor
     25     │ - ········cursorAccentColor:·'#000',
     26     │ - ········//·`'BEAM'`·for·|,·`'UNDERLINE'`·for·_,·`'BLOCK'`·for·█
     27     │ - ········cursorShape:·'BLOCK',
     28     │ - ········//·set·to·`true`·(without·backticks·and·without·quotes)·for·blinking·cursor
     29     │ - ········cursorBlink:·false,
     30     │ - ········//·color·of·the·text
     31     │ - ········foregroundColor:·'#fff',
     32     │ - ········//·terminal·background·color
     33     │ - ········//·opacity·is·only·supported·on·macOS
     34     │ - ········backgroundColor:·'#000',
     35     │ - ········//·terminal·selection·color
     36     │ - ········selectionColor:·'rgba(248,28,229,0.3)',
     37     │ - ········//·border·color·(window,·tabs)
     38     │ - ········borderColor:·'#333',
     39     │ - ········//·custom·CSS·to·embed·in·the·main·window
     40     │ - ········css:·'',
     41     │ - ········//·custom·CSS·to·embed·in·the·terminal·window
     42     │ - ········termCSS:·'',
     43     │ - ········//·set·custom·startup·directory·(must·be·an·absolute·path)
     44     │ - ········workingDirectory:·'',
     45     │ - ········//·if·you're·using·a·Linux·setup·which·show·native·menus,·set·to·false
     46     │ - ········//·default:·`true`·on·Linux,·`true`·on·Windows,·ignored·on·macOS
     47     │ - ········showHamburgerMenu:·'',
     48     │ - ········//·set·to·`false`·(without·backticks·and·without·quotes)·if·you·want·to·hide·the·minimize,·maximize·and·close·buttons
     49     │ - ········//·additionally,·set·to·`'left'`·if·you·want·them·on·the·left,·like·in·Ubuntu
     50     │ - ········//·default:·`true`·(without·backticks·and·without·quotes)·on·Windows·and·Linux,·ignored·on·macOS
     51     │ - ········showWindowControls:·'',
     52     │ - ········//·custom·padding·(CSS·format,·i.e.:·`top·right·bottom·left`)
     53     │ - ········padding:·'12px·14px',
     54     │ - ········//·the·full·list.·if·you're·going·to·provide·the·full·color·palette,
     55     │ - ········//·including·the·6·x·6·color·cubes·and·the·grayscale·map,·just·provide
     56     │ - ········//·an·array·here·instead·of·a·color·map·object
     57     │ - ········colors:·{
     58     │ - ············black:·'#000000',
     59     │ - ············red:·'#C51E14',
     60     │ - ············green:·'#1DC121',
     61     │ - ············yellow:·'#C7C329',
     62     │ - ············blue:·'#0A2FC4',
     63     │ - ············magenta:·'#C839C5',
     64     │ - ············cyan:·'#20C5C6',
     65     │ - ············white:·'#C7C7C7',
     66     │ - ············lightBlack:·'#686868',
     67     │ - ············lightRed:·'#FD6F6B',
     68     │ - ············lightGreen:·'#67F86F',
     69     │ - ············lightYellow:·'#FFFA72',
     70     │ - ············lightBlue:·'#6A76FB',
     71     │ - ············lightMagenta:·'#FD7CFC',
     72     │ - ············lightCyan:·'#68FDFE',
     73     │ - ············lightWhite:·'#FFFFFF',
     74     │ - ············limeGreen:·'#32CD32',
     75     │ - ············lightCoral:·'#F08080',
     76     │ - ········},
     77     │ - ········//·the·shell·to·run·when·spawning·a·new·session·(i.e.·/usr/local/bin/fish)
     78     │ - ········//·if·left·empty,·your·system's·login·shell·will·be·used·by·default
     79     │ - ········//
     80     │ - ········//·Windows
     81     │ - ········//·-·Make·sure·to·use·a·full·path·if·the·binary·name·doesn't·work
     82     │ - ········//·-·Remove·`--login`·in·shellArgs
     83     │ - ········//
     84     │ - ········//·Windows·Subsystem·for·Linux·(WSL)·-·previously·Bash·on·Windows
     85     │ - ········//·-·Example:·`C:\\Windows\\System32\\wsl.exe`
     86     │ - ········//
     87     │ - ········//·Git-bash·on·Windows
     88     │ - ········//·-·Example:·`C:\\Program·Files\\Git\\bin\\bash.exe`
     89     │ - ········//
     90     │ - ········//·PowerShell·on·Windows
     91     │ - ········//·-·Example:·`C:\\WINDOWS\\System32\\WindowsPowerShell\\v1.0\\powershell.exe`
     92     │ - ········//
     93     │ - ········//·Cygwin
     94     │ - ········//·-·Example:·`C:\\cygwin64\\bin\\bash.exe`
     95     │ - ········shell:·'zsh',
     96     │ - ········//·for·setting·shell·arguments·(i.e.·for·using·interactive·shellArgs:·`['-i']`)
     97     │ - ········//·by·default·`['--login']`·will·be·used
     98     │ - ········shellArgs:·['--login'],
     99     │ - ········//·for·environment·variables
    100     │ - ········env:·{},
    101     │ - ········//·Supported·Options:
    102     │ - ········//··1.·'SOUND'·->·Enables·the·bell·as·a·sound
    103     │ - ········//··2.·false:·turns·off·the·bell
    104     │ - ········bell:·'SOUND',
    105     │ - ········//·An·absolute·file·path·to·a·sound·file·on·the·machine.
    106     │ - ········//·bellSoundURL:·'/path/to/sound/file',
    107     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·selected·text·will·automatically·be·copied·to·the·clipboard
    108     │ - ········copyOnSelect:·false,
    109     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·hyper·will·be·set·as·the·default·protocol·client·for·SSH
    110     │ - ········defaultSSHApp:·true,
    111     │ - ········//·if·`true`·(without·backticks·and·without·quotes),·on·right·click·selected·text·will·be·copied·or·pasted·if·no
    112     │ - ········//·selection·is·present·(`true`·by·default·on·Windows·and·disables·the·context·menu·feature)
    113     │ - ········quickEdit:·false,
    114     │ - ········//·choose·either·`'vertical'`,·if·you·want·the·column·mode·when·Option·key·is·hold·during·selection·(Default)
    115     │ - ········//·or·`'force'`,·if·you·want·to·force·selection·regardless·of·whether·the·terminal·is·in·mouse·events·mode
    116     │ - ········//·(inside·tmux·or·vim·with·mouse·mode·enabled·for·example).
    117     │ - ········macOptionSelectionMode:·'vertical',
    118     │ - ········//·Whether·to·use·the·WebGL·renderer.·Set·it·to·false·to·use·canvas-based
    119     │ - ········//·rendering·(slower,·but·supports·transparent·backgrounds)
    120     │ - ········webGLRenderer:·true,
    121     │ - ········//·keypress·required·for·weblink·activation:·[ctrl|alt|meta|shift]
    122     │ - ········//·todo:·does·not·pick·up·config·changes·automatically,·need·to·restart·terminal·:/
    123     │ - ········webLinksActivationKey:·'',
    124     │ - ········//·if·`false`·(without·backticks·and·without·quotes),·Hyper·will·use·ligatures·provided·by·some·fonts
    125     │ - ········disableLigatures:·true,
    126     │ - ········//·set·to·true·to·disable·auto·updates
    127     │ - ········disableAutoUpdates:·false,
    128     │ - ········//·set·to·true·to·enable·screen·reading·apps·(like·NVDA)·to·read·the·contents·of·the·terminal
    129     │ - ········screenReaderMode:·false,
    130     │ - ········//·set·to·true·to·preserve·working·directory·when·creating·splits·or·tabs
    131     │ - ········preserveCWD:·true,
    132     │ - ········//·for·advanced·config·flags·please·refer·to·https://hyper.is/#cfg
    133     │ - ····},
    134     │ - ····//·a·list·of·plugins·to·fetch·and·install·from·npm
    135     │ - ····//·format:·[@org/]project[#version]
    136     │ - ····//·examples:
    137     │ - ····//···`hyperpower`
    138     │ - ····//···`@company/project`
    139     │ - ····//···`project#1.0.1`
    140     │ - ····plugins:·[],
    141     │ - ····//·in·development,·you·can·create·a·directory·under
    142     │ - ····//·`~/.hyper_plugins/local/`·and·include·it·here
    143     │ - ····//·to·load·it·and·avoid·it·being·`npm·install`ed
    144     │ - ····localPlugins:·[],
    145     │ - ····keymaps:·{
    146     │ - ········//·Example
    147     │ - ········//·'window:devtools':·'cmd+alt+o',
    148     │ - ····},
          6 │ + → config:·{
          7 │ + → → //·choose·either·`'stable'`·for·receiving·highly·polished,
          8 │ + → → //·or·`'canary'`·for·less·polished·but·more·frequent·updates
          9 │ + → → updateChannel:·"stable",
         10 │ + → → //·default·font·size·in·pixels·for·all·tabs
  142 more lines truncated


tests/renovate-bot/local-config.js format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Formatter would have printed the following content:

    1 1 │   module.exports = {
    2   │ - ··platform:·'github',
    3   │ - ··repositories:·['kitos9112/dotfiles'],
    4   │ - ··includeForks:·true,
    5   │ - ··onboarding:·false,
    6   │ - ··requireConfig:·'optional',
    7   │ - ··gitAuthor:·'henry-pa-bot·<166536+henry-bot[bot]@users.noreply.github.com>',
      2 │ + → platform:·"github",
      3 │ + → repositories:·["kitos9112/dotfiles"],
      4 │ + → includeForks:·true,
      5 │ + → onboarding:·false,
      6 │ + → requireConfig:·"optional",
      7 │ + → gitAuthor:·"henry-pa-bot·<166536+henry-bot[bot]@users.noreply.github.com>",
    8 8 │   };
    9 9 │
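Review bot: the format failure on this file is a style mismatch, not a content problem: biome would only swap single quotes for double quotes and two-space indentation for tabs, leaving `platform`, `repositories`, `gitAuthor` and the other keys with exactly the values they already have. Either commit the formatter's output or align biome.json (`formatter.indentStyle`, `javascript.formatter.quoteStyle`) with the repository's existing style, so this check is green instead of a permanent failure that reviewers learn to ignore.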


format ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some errors were emitted while running checks.

BIOME_LINT
Checked 5 files in 39ms. No fixes applied.
Found 1 warning.
home/dot_hyper.js:1:1 lint/suspicious/noRedundantUseStrict  FIXABLE  ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  ! Redundant use strict directive.

  > 1 │ "use strict";
      │ ^^^^^^^^^^^^^
    2 │ // Future versions of Hyper may add additional config options,
    3 │ // which will not automatically be merged into this file.

  i The entire contents of JavaScript modules are automatically in strict mode, with no statement needed to initiate it.

  i Safe fix: Remove the redundant use strict directive.

    1 │ "use·strict";
      │ -------------

lint ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

  × Some warnings were emitted while running checks.

CHECKOV
dockerfile scan results:

Passed checks: 250, Failed checks: 6, Skipped checks: 0

Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/almalinux-10/Dockerfile.
	File: /tests/almalinux-10/Dockerfile:1-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM almalinux:10
		2  |
		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all
		12 |
		13 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa && \
		14 |     echo "docker-qa ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
		15 |
		16 | USER docker-qa
		17 |
		18 | COPY ./ /home/docker-qa/.dotfiles
		19 |
		20 | WORKDIR /home/docker-qa
		21 |
		22 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/ubuntu-25.10/Dockerfile.
	File: /tests/ubuntu-25.10/Dockerfile:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM ubuntu:25.10
		2  |
		3  | ENV GIT_REPO=https://github.com/kitos9112/dotfiles.git
		4  | ENV DEBIAN_FRONTEND=noninteractive
		5  |
		6  | RUN apt-get update && \
		7  |     DEBIAN_FRONTEND=noninteractive apt-get install -y \
		8  |     curl \
		9  |     file \
		10 |     git \
		11 |     iproute2 \
		12 |     sudo
		13 |
		14 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa  && \
		15 |     echo "docker-qa ALL=NOPASSWD: ALL" >> /etc/sudoers
		16 |
		17 | USER docker-qa
		18 |
		19 | COPY --chown=docker-qa:docker-qa ./ /home/docker-qa/.dotfiles
		20 |
		21 | WORKDIR /home/docker-qa
		22 |
		23 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/ubuntu-24.04/Dockerfile.
	File: /tests/ubuntu-24.04/Dockerfile:1-23
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM ubuntu:24.04
		2  |
		3  | ENV GIT_REPO=https://github.com/kitos9112/dotfiles.git
		4  | ENV DEBIAN_FRONTEND=noninteractive
		5  |
		6  | RUN apt-get update && \
		7  |     DEBIAN_FRONTEND=noninteractive apt-get install -y \
		8  |     curl \
		9  |     iproute2 \
		10 |     file \
		11 |     git \
		12 |     sudo
		13 |
		14 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa  && \
		15 |     echo "docker-qa ALL=NOPASSWD: ALL" >> /etc/sudoers
		16 |
		17 | USER docker-qa
		18 |
		19 | COPY --chown=docker-qa:docker-qa ./ /home/docker-qa/.dotfiles
		20 |
		21 | WORKDIR /home/docker-qa
		22 |
		23 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV_DOCKER_2: "Ensure that HEALTHCHECK instructions have been added to container images"
	FAILED for resource: /tests/almalinux-9/Dockerfile.
	File: /tests/almalinux-9/Dockerfile:1-22
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-healthcheck-instructions-have-been-added-to-container-images

		1  | FROM almalinux:9
		2  |
		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all
		12 |
		13 | RUN useradd -m -s /bin/sh -d /home/docker-qa docker-qa && \
		14 |     echo "docker-qa ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
		15 |
		16 | USER docker-qa
		17 |
		18 | COPY ./ /home/docker-qa/.dotfiles
		19 |
		20 | WORKDIR /home/docker-qa
		21 |
		22 | RUN DOTFILES_TEST=true DOTFILES_VERBOSE=true DOTFILES_NO_TTY=true DOTFILES_CHEZMOI_EXCLUDE=scripts .dotfiles/install
Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
	FAILED for resource: /tests/almalinux-10/Dockerfile.RUN
	File: /tests/almalinux-10/Dockerfile:3-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo

		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all

Check: CKV2_DOCKER_1: "Ensure that sudo isn't used"
	FAILED for resource: /tests/almalinux-9/Dockerfile.RUN
	File: /tests/almalinux-9/Dockerfile:3-11
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-docker-dont-use-sudo

		3  | RUN dnf install -y \
		4  |     curl-minimal \
		5  |     findutils \
		6  |     sed \
		7  |     sudo \
		8  |     util-linux \
		9  |     util-linux-user \
		10 |     which && \
		11 |     dnf clean all

github_actions scan results:

Passed checks: 95, Failed checks: 5, Skipped checks: 0

Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
	FAILED for resource: on(Schedule/Push - Renovate)
	File: /.github/workflows/renovate.yaml:7-16

		7  |       dryRun:
		8  |         description: "Dry-Run"
		9  |         default: "true"
		10 |         required: false
		11 |       logLevel:
		12 |         description: "Log-Level"
		13 |         default: "debug"
		14 |         required: false
		15 |   schedule:
		16 |     - cron: "*/10 * * * *"

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Create GH issues based on TODO comments)
	File: /.github/workflows/todo2github-issues.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Acceptance Tests)
	File: /.github/workflows/acceptance-tests.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(lint YAML and Shell)
	File: /.github/workflows/linters.yaml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Schedule/Push - Renovate)
	File: /.github/workflows/renovate.yaml:0-1
GITHUB_ACTIONS_ZIZMOR
help[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:27:9
   |
27 |         - name: Checkout
   |  _________^
28 | |         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
   | |____________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

help[artipacked]: credential persistence through GitHub Actions artifacts
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:62:9
   |
62 |         - name: Checkout
   |  _________^
63 | |         uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
   | |____________________________________________________________________________^ does not set persist-credentials: false
   |
   = note: audit confidence → Low
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#artipacked

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:2:1
   |
 2 | / name: Acceptance Tests
 3 | |
 4 | | on:
 5 | |   pull_request:
...  |
80 | |           chezmoi init --apply --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
81 | |           chezmoi verify --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
   | |___________________________________________________________________________________^ default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:14:3
   |
14 | /   linux:
15 | |     name: Linux Smoke (${{ matrix.os }})
16 | |     runs-on: ubuntu-24.04
...  |
53 | |           priority: "-1" # low priority - no sound or vibration generated
54 | |         if: failure() && github.event_name == 'schedule'
   | |                                                        ^
   | |                                                        |
   | |________________________________________________________this job
   |                                                          default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

warning[excessive-permissions]: overly broad permissions
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:56:3
   |
56 | /   macos:
57 | |     name: macOS Smoke
58 | |     runs-on: macos-26
59 | |     env:
...  |
80 | |           chezmoi init --apply --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
81 | |           chezmoi verify --source "${GITHUB_WORKSPACE}" --exclude scripts --no-tty
   | |                                                                                   ^
   | |                                                                                   |
   | |___________________________________________________________________________________this job
   |                                                                                     default permissions used due to no permissions: block
   |
   = note: audit confidence → Medium
   = help: audit documentation → https://docs.zizmor.sh/audits/#excessive-permissions

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:31:15
   |
31 |         uses: docker/setup-buildx-action@v4
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:34:15
   |
34 |         uses: docker/build-push-action@v7
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

error[unpinned-uses]: unpinned action reference
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:43:15
   |
43 |         uses: umahmood/pushover-actions@main
   |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ action is not pinned to a hash (required by blanket policy)
   |
   = note: audit confidence → High
   = note: this finding has an auto-fix
   = help: audit documentation → https://docs.zizmor.sh/audits/#unpinned-uses

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:45:31
   |
14 |   linux:
   |   ----- this job
...
45 |           PUSHOVER_TOKEN: ${{ secrets.PUSHOVER_TOKEN }}
   |                               ^^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

warning[secrets-outside-env]: secrets referenced without a dedicated environment
  --> /github/workspace/.github/workflows/acceptance-tests.yaml:46:30
   |
14 |   linux:
   |   ----- this job
...
46 |           PUSHOVER_USER: ${{ secrets.PUSHOVER_USER }}
   |                              ^^^^^^^^^^^^^^^^^^^^^ secret is accessed outside of a dedicated environment
   |
   = note: audit confidence → High
   = help: audit documentation → https://docs.zizmor.sh/audits/#secrets-outside-env

12 findings (2 suppressed, 5 fixable): 0 informational, 2 low, 5 medium, 3 high
🌈 zizmor v1.23.1
 INFO audit: zizmor: 🌈 completed /github/workspace/.github/workflows/acceptance-tests.yaml
JSCPD
Clone found (markdown):
 - /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [855:1 - 869:10] (14 lines, 71 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [775:1 - 788:5]

Clone found (markdown):
 - /github/workspace/README.md [49:1 - 66:17] (17 lines, 172 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [745:1 - 759:4]

Clone found (markdown):
 - /github/workspace/README.md [116:1 - 140:3] (24 lines, 125 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [767:1 - 788:5]

Clone found (markdown):
 - /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [855:1 - 869:10] (14 lines, 71 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [775:1 - 788:5]

 855 │ 775 │ {tmp_home}/.local/share" \
 856 │ 776 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 857 │ 777 │ XDG_CACHE_HOME="${tmp_home}/.cache" \
 858 │ 778 │ DOTFILES_TEST=true \
 859 │ 779 │ chezmoi init --apply --source "$(pwd)" --exclude scripts --no-tty
 860 │ 780 │
 861 │ 781 │ HOME="${tmp_home}" \
 862 │ 782 │ XDG_CONFIG_HOME="${tmp_home}/.config" \
 863 │ 783 │ XDG_DATA_HOME="${tmp_home}/.local/share" \
 864 │ 784 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 865 │ 785 │ XDG

Clone found (markdown):
 - /github/workspace/README.md [49:1 - 66:17] (17 lines, 172 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [745:1 - 759:4]

 49 │ 745 │  with `chezmoi`
 50 │ 746 │
 51 │ 747 │ Leveraging off-the-shelf `Chezmoi` capabilities
 52 │ 748 │
 53 │ 749 │ ```bash
 54 │ 750 │ chezmoi init --apply --verbose https://github.com/kitos9112/dotfiles.git
 55 │ 751 │ ```
 56 │ 752 │
 57 │ 753 │ ### Installer controls
 58 │ 754 │
 59 │ 755 │ The root `install` script accepts environment variables for test and recovery
 60 │ 756 │ flows:
 61 │ 757 │
 62 │ 758 │ - `DOTFILES_SOURCE` uses a local source checkout instead of the remote repo.
 63 │ 759 │ - `DOTFILES_REPO` overrides the remote chezmoi repository.
 64 │ 760 │ - `DOTFILES_ONE_SHOT=true` passes `--one-shot` instead of `--apply`.
 65 │ 761 │ - `DOTFILES_CHEZMOI_INCLUDE` and `DOTFILES_CHEZMOI_EXCLUDE` pass include and
 66 │ 762 │   exclude filters to chezmoi.
 67 │ 763 │ - `DOTFILES_NO_TTY=true` passes `--no-tty`.
 68 │ 764 │ - `DOTFILES_VERBOSE=true` passes `--verbose`.
 69 │ 765 │ - `DOTFILES_DEBUG=true` passes `--debug`.
 70 │ 766 │ - `DOTFILES_RETRY_COUNT` and `DOTFILES_RETRY_DELAY` contro

Clone found (markdown):
 - /github/workspace/README.md [116:1 - 140:3] (24 lines, 125 tokens)
   /github/workspace/docs/superpowers/plans/2026-04-30-dotfiles-maintenance-normalization.md [767:1 - 788:5]

 116 │ 767 │ IG_HOME="${tmp_home}/.config" \
 117 │ 768 │ XDG_DATA_HOME="${tmp_home}/.local/share" \
 118 │ 769 │ XDG_STATE_HOME="${tmp_home}/.local/state" \
 119 │ 770 │ XDG_CACHE_HOME="${tmp_home}/.cache" \
 120 │ 771 │ DOTFILES_TEST=true chezmoi init --apply --source "$(pwd)" --exclude scripts --no-tty
 121 │ 772 │ ```
 122 │ 773 │
 123 │ 774 │ To validate hooks locally through `uv`, run:
 124 │ 775 │
 125 │ 776 │ ```bash
 126 │ 777 │ uvx pre-commit run --all-files
 127 │ 778 │ ```
 128 │ 779 │
 129 │ 780 │ To validate the root installer path locally without running mutating scripts:
 130 │ 781 │
 131 │ 782 │ ```bash
 132 │ 783 │ tmp_home="$(mktemp -d)"
 133 │ 784 │ HOME="${tmp_home}" \
 134 │ 785 │ XDG_CONFIG_HOME="${tmp_home}/.config" \
 135 │ 786 │ XDG

Found 3 clones.
Error: ERROR: jscpd found too many duplicates (1.96%) over threshold (0%)
    at ThresholdReporter.report (/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node_modules/jscpd/dist/bin/jscpd.js:9:5
ERROR: jscpd found too many duplicates (1.96%) over threshold (0%)
TRIVY

Report Summary

┌───────────────────────────────┬────────────┬─────────────────┬───────────────────┬─────────┐
│            Target             │    Type    │ Vulnerabilities │ Misconfigurations │ Secrets │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/almalinux-10/Dockerfile │ dockerfile │        -        │         1         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/almalinux-9/Dockerfile  │ dockerfile │        -        │         1         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/ubuntu-24.04/Dockerfile │ dockerfile │        -        │         2         │    -    │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┼─────────┤
│ tests/ubuntu-25.10/Dockerfile │ dockerfile │        -        │         2         │    -    │
└───────────────────────────────┴────────────┴─────────────────┴───────────────────┴─────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


tests/almalinux-10/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



tests/almalinux-9/Dockerfile (dockerfile)
=========================================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 0, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



tests/ubuntu-24.04/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


DS-0029 (HIGH): '--no-install-recommends' flag is missed: 'apt-get update &&     DEBIAN_FRONTEND=noninteractive apt-get install -y     curl     iproute2     file     git     sudo'
════════════════════════════════════════
'apt-get' install should use '--no-install-recommends' to minimize image size.

See https://avd.aquasec.com/misconfig/ds-0029
────────────────────────────────────────
 tests/ubuntu-24.04/Dockerfile:6-12
────────────────────────────────────────
   6 ┌ RUN apt-get update && \
   7 │     DEBIAN_FRONTEND=noninteractive apt-get install -y \
   8 │     curl \
   9 │     iproute2 \
  10 │     file \
  11 │     git \
  12 └     sudo
────────────────────────────────────────



tests/ubuntu-25.10/Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────


DS-0029 (HIGH): '--no-install-recommends' flag is missed: 'apt-get update &&     DEBIAN_FRONTEND=noninteractive apt-get install -y     curl     file     git     iproute2     sudo'
════════════════════════════════════════
'apt-get' install should use '--no-install-recommends' to minimize image size.

See https://avd.aquasec.com/misconfig/ds-0029
────────────────────────────────────────
 tests/ubuntu-25.10/Dockerfile:6-12
────────────────────────────────────────
   6 ┌ RUN apt-get update && \
   7 │     DEBIAN_FRONTEND=noninteractive apt-get install -y \
   8 │     curl \
   9 │     file \
  10 │     git \
  11 │     iproute2 \
  12 └     sudo
────────────────────────────────────────

