Add governance artifact validation suite, schemas, Rego policies and CI #63
Review these changes at https://app.gitnotebooks.com/OneFineStarstuff/OneFineStarstuff.github.io/pull/63
Reviewer's Guide
Adds a governance artifact validation pipeline (Make targets, Python tooling, Rego policies, schemas, tests, and GitHub Actions CI) for the 2026–2030 AGI/ASI governance blueprint, plus a deterministically generated evidence manifest and validation run report used for regulator-ready audit artifacts.
Sequence diagram for governance validation run report generation
sequenceDiagram
actor Dev
participant GHA as GitHubActions
participant Make as Makefile
participant RunChecks as run_governance_checks.py
participant Cmds as Make_governance_targets
participant Report as validation_run_report.json
Dev->>GHA: Push or open PR touching governance files
GHA->>Make: Invoke target governance-report
Make->>RunChecks: python docs/schemas/run_governance_checks.py
RunChecks->>RunChecks: Load default command list
RunChecks->>Cmds: Execute make governance-validate
Cmds-->>RunChecks: Status, stdout, stderr
RunChecks->>RunChecks: Sanitize and tail output
RunChecks->>Cmds: Execute make governance-artifact-inventory
Cmds-->>RunChecks: Status, stdout, stderr
RunChecks->>RunChecks: Append check result
RunChecks->>Cmds: Execute remaining governance-* commands
Cmds-->>RunChecks: Status, stdout, stderr per command
RunChecks->>RunChecks: Compute passed_checks / failed_checks
RunChecks->>Report: Write JSON report with checks, overall_status
RunChecks-->>Make: Exit code based on overall_status
Make-->>GHA: Target governance-report completed
GHA->>GHA: Later validate report and upload artifact
Class diagram for governance validation Python tooling
classDiagram
class governance_artifacts_validation_py {
+DEFAULT_YAML
+DEFAULT_JSON
+DEFAULT_YAML_SCHEMA
+DEFAULT_JSON_SCHEMA
+EXPECTED_FRAMEWORK_KEYS
+EXPECTED_CANONICAL_DOMAINS
+fail(msg)
+load_json(path)
+load_yaml(path)
+validate_schema(instance, schema, label)
+semantic_checks(yaml_doc, json_doc)
+parse_args()
+main()
}
class run_governance_checks_py {
+REPO_ROOT
+DEFAULT_COMMANDS
+parse_args()
+sanitize_output(text, repo_root)
+normalize_nondeterministic_text(text)
+tail_with_marker(text, max_chars)
+main()
}
class generate_evidence_bundle_py {
+DEFAULT_ARTIFACTS
+sha256_file(path)
+parse_args()
+main()
}
class verify_evidence_bundle_py {
+sha256_file(path)
+parse_args()
+main()
}
class validate_evidence_manifest_py {
+parse_args()
+load_json(path)
+fail(msg)
+main()
}
class validate_run_report_py {
+fail(msg)
+parse_args()
+load_json(path)
+validate_summary_counts(report)
+main()
}
class validate_artifact_inventory_py {
+DEFAULT_REPORT
+DEFAULT_REPO_ROOT
+INVENTORY_HEADING_PATTERNS
+PATH_PATTERN
+parse_args()
+extract_inventory_section(report_text)
+collect_inventory_paths(inventory_text)
+find_duplicate_paths(paths)
+validate_inventory_paths(paths, repo_root)
+main()
}
class check_dependencies_py {
+DEFAULT_MODULES
+REPO_ROOT
+DEFAULT_REQUIREMENTS
+parse_args()
+main()
}
class check_generated_artifacts_py {
+sha256_file(path)
+run(cmd, cwd)
+main()
}
class validation_deps_py {
+INSTALL_HINT
+require_jsonschema()
}
governance_artifacts_validation_py --> validation_deps_py : uses
validate_evidence_manifest_py --> validation_deps_py : uses
validate_run_report_py --> validation_deps_py : uses
run_governance_checks_py --> check_dependencies_py : indirect via Make
run_governance_checks_py --> governance_artifacts_validation_py : via make governance-validate
run_governance_checks_py --> validate_artifact_inventory_py : via make governance-artifact-inventory
run_governance_checks_py --> generate_evidence_bundle_py : via make governance-evidence-manifest
run_governance_checks_py --> verify_evidence_bundle_py : via make governance-evidence-verify
run_governance_checks_py --> validate_evidence_manifest_py : via make governance-evidence-schema
run_governance_checks_py --> validate_run_report_py : via make governance-report-schema
run_governance_checks_py --> check_generated_artifacts_py : via make governance-check-generated
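An added example (not the PR's code) of the run-report flow in the sequence diagram above, with each command string split into an argv list and run without a shell. The function names `sanitize_output` and `tail_with_marker` and the fields `checks`, `passed_checks`, `failed_checks` and `overall_status` come from the guide; the per-check field names, the redaction token, the truncation marker and POSIX quoting rules are assumptions.

```python
import json
import shlex
import subprocess
import sys
from pathlib import Path

REDACTED_ROOT = "<repo-root>"            # assumed redaction token
TRUNCATION_MARKER = "[...truncated...]"  # assumed marker text


def sanitize_output(text, repo_root):
    """Replace the absolute checkout path so reports match across machines."""
    return text.replace(str(repo_root), REDACTED_ROOT)


def tail_with_marker(text, max_chars):
    """Keep only the last max_chars characters and flag the cut explicitly."""
    if len(text) <= max_chars:
        return text
    return TRUNCATION_MARKER + text[-max_chars:]


def run_check(command, repo_root, timeout_seconds=60, max_tail_chars=2000):
    """Run one command string as an argv list; no shell ever parses it."""
    # Per-check field names below are assumed, not taken from the PR's schema.
    result = {"command": command, "status": "failed", "returncode": None,
              "stdout_tail": "", "stderr_tail": ""}
    try:
        argv = shlex.split(command)  # word splitting only: ';', '&&', '$()' stay literal
        if not argv:
            raise ValueError("empty command")
        proc = subprocess.run(argv, shell=False, capture_output=True, text=True,
                              check=False, cwd=repo_root, timeout=timeout_seconds)
    except subprocess.TimeoutExpired:
        result["status"] = "timeout"
        result["stderr_tail"] = f"timed out after {timeout_seconds}s"
        return result
    except (ValueError, OSError) as exc:
        # Unbalanced quotes, an empty command, or an executable that does not exist.
        result["stderr_tail"] = sanitize_output(str(exc), repo_root)
        return result
    result["returncode"] = proc.returncode
    result["status"] = "passed" if proc.returncode == 0 else "failed"
    for key, stream in (("stdout_tail", proc.stdout), ("stderr_tail", proc.stderr)):
        result[key] = tail_with_marker(sanitize_output(stream, repo_root), max_tail_chars)
    return result


def build_report(commands, repo_root, continue_on_failure=False, **run_kwargs):
    """Run the commands in order and summarise them; stop at the first failure by default."""
    commands = list(commands)
    repo_root = Path(repo_root).resolve()
    checks = []
    for command in commands:
        check = run_check(command, repo_root, **run_kwargs)
        checks.append(check)
        if check["status"] != "passed" and not continue_on_failure:
            break
    passed = sum(1 for c in checks if c["status"] == "passed")
    # Fail closed: an empty command list or a skipped command is never "passed".
    all_passed = bool(commands) and passed == len(commands)
    return {"checks": checks, "passed_checks": passed,
            "failed_checks": len(checks) - passed,
            "overall_status": "passed" if all_passed else "failed"}


def render_report(report):
    """Serialise with sorted keys and no timestamp so reruns are byte-identical."""
    return json.dumps(report, indent=2, sort_keys=True) + "\n"


if __name__ == "__main__":
    py = shlex.quote(sys.executable)
    # Constructed sample command; the trailing '; echo' is passed to Python as
    # plain arguments instead of being interpreted by a shell.
    demo = [f"{py} -c \"print('ok')\" ; echo SHELL_RAN"]
    print(render_report(build_report(demo, Path.cwd())))
```

Simply switching an existing call to `shell=False` while still passing a single command string does not work on POSIX, because the whole string is then treated as the executable name; the string has to be split into an argv list first, as `run_check` does.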
Caution: Review failed
The pull request is closed.
Recent review info: Configuration used: defaults. Review profile: CHILL. Plan: Pro. Files selected for processing (122)
Walkthrough
Adds a governance validation toolchain: CI workflow, pre-commit hooks, Make targets, JSON/YAML schemas, Rego policies, Python validators/generators/verifiers, evidence manifest tooling, and comprehensive unit/integration tests with documentation and sample run reports.
Sequence Diagram(s)
sequenceDiagram
participant GH as GitHub Actions
participant Make as Make (targets)
participant Py as Python Validators/Generators
participant OPA as OPA (rego)
participant Art as Artifact Storage / Actions Upload
GH->>Make: checkout & setup (python3.12, deps)
GH->>OPA: install OPA v1.15.2
Make->>Py: run schema linting & validation scripts
Py->>OPA: run policy tests / evaluate rego
Py->>Art: produce validation_run_report.json & evidence manifest
OPA->>Make: return policy test results
Make->>GH: return job status
GH->>Art: upload reports & artifacts
Estimated code review effort: 🎯 4 (Complex) | ⏱️ ~45 minutes
Failed to generate code suggestions for PR
Not up to standards ⛔
🔴 Issues

| Category | Results |
|---|---|
| Compatibility | 9 medium |
| Documentation | 12 minor |
| ErrorProne | 1 medium 12 high |
| Security | 24 high |
| CodeStyle | 32 minor |
| Complexity | 3 minor 2 critical 5 medium |
🟢 Metrics: 192 complexity · 59 duplication

| Metric | Results |
|---|---|
| Complexity | 192 |
| Duplication | 59 |
Hey - I've found 25 security issues, 3 other issues, and left some high level feedback:
Security issues:
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Found 'subprocess' function 'run' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
- Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'. (link)
General comments:
- The governance-related scripts (e.g., generate_evidence_bundle.py, verify_evidence_bundle.py, validate_evidence_manifest.py, validate_run_report.py, check_generated_artifacts.py) each reimplement small utilities like sha256_file, JSON loading, and failure handling; consider extracting these into a shared helper module to reduce duplication and keep behavior consistent.
- check_generated_artifacts.py currently only verifies evidence_bundle_manifest.json; if validation_run_report.json is expected to be committed and deterministic, it would be helpful to include it in the stale-generated check as well so drift in either artifact is consistently caught.
- Several CLIs take both --repo-root and relative paths (e.g., validate_evidence_manifest.py, validate_run_report.py, validate_artifact_inventory.py); aligning their path resolution semantics (e.g., always resolving arguments relative to repo-root) and documenting this behavior would make them easier to reason about and less error-prone when used in other pipelines.
Prompt for AI Agents
Please address the comments from this code review:
## Individual Comments
### Comment 1
<location path="docs/schemas/test_run_governance_checks.py" line_range="17" />
<code_context>
+SPEC.loader.exec_module(MODULE)
+
+
+class RunGovernanceChecksTests(unittest.TestCase):
+ def test_default_commands_include_post_generation_checks(self):
+ self.assertIn("make --no-print-directory governance-artifact-inventory", MODULE.DEFAULT_COMMANDS)
</code_context>
<issue_to_address>
**suggestion (testing):** Add a test that exercises the --include-timestamp flag and asserts the timestamp field is present.
The `run_governance_checks.py` script already supports an `--include-timestamp` flag that adds a `generated_at_utc` field, but no tests cover this path. Please add a test that runs the script with `--include-timestamp`, loads the JSON output, and asserts that `generated_at_utc` is present and non-empty while the rest of the report structure (e.g., checks, overall_status) remains unchanged. This helps catch regressions where the flag stops working or the field name changes.
Suggested implementation:
```python
class RunGovernanceChecksTests(unittest.TestCase):
    def test_default_commands_include_post_generation_checks(self):
        self.assertIn("make --no-print-directory governance-artifact-inventory", MODULE.DEFAULT_COMMANDS)
        self.assertIn("make --no-print-directory governance-report-schema", MODULE.DEFAULT_COMMANDS)
        self.assertIn("make --no-print-directory governance-check-generated", MODULE.DEFAULT_COMMANDS)

    def test_include_timestamp_adds_generated_at_utc_field(self):
        with tempfile.TemporaryDirectory() as td:
            out = Path(td) / "report.json"
            proc = subprocess.run(
                [
                    sys.executable,
                    str(RUN),
                    "--include-timestamp",
                    "--output",
                    str(out),
                ],
                check=True,
            )
            with out.open() as fh:
                report = json.load(fh)
            # Ensure generated_at_utc is present and non-empty
            self.assertIn("generated_at_utc", report)
            self.assertTrue(report["generated_at_utc"])
            # Ensure core structure is unchanged compared to a run without the flag
            out_no_ts = Path(td) / "report_no_ts.json"
            proc_no_ts = subprocess.run(
                [
                    sys.executable,
                    str(RUN),
                    "--output",
                    str(out_no_ts),
                ],
                check=True,
            )
            with out_no_ts.open() as fh:
                report_no_ts = json.load(fh)
            for key in ("checks", "overall_status"):
                self.assertIn(key, report)
                self.assertIn(key, report_no_ts)
                self.assertEqual(report[key], report_no_ts[key])

    def test_report_redacts_absolute_repo_root(self):
        ...  # existing test body continues unchanged
```
1. Ensure the module imports `json`, `subprocess`, `sys`, and `tempfile` at the top of `docs/schemas/test_run_governance_checks.py` if they are not already imported.
2. The arguments passed to `run_governance_checks.py` in this new test (`--output`, `--include-timestamp`) should match the existing tests’ invocation style; if the script uses different flags (e.g. a positional output path or a different flag name), update the subprocess argument lists accordingly to stay consistent with the rest of the file.
</issue_to_address>
### Comment 2
<location path="docs/schemas/test_generate_evidence_bundle.py" line_range="12" />
<code_context>
+SCRIPT = ROOT / "generate_evidence_bundle.py"
+
+
+class EvidenceBundleTests(unittest.TestCase):
+ def run_generator(self, output_path: Path, include_timestamp: bool = False):
+ cmd = [sys.executable, str(SCRIPT), "--repo-root", str(ROOT.parent.parent), "--output", str(output_path)]
</code_context>
<issue_to_address>
**suggestion (testing):** Add a determinism test that compares two manifests generated without timestamps to ensure identical content.
Current tests cover structure and timestamp handling but not determinism of the default manifest. Please add a test that runs the generator twice without `--include-timestamp`, loads both JSON outputs, and asserts they are identical to catch any non-deterministic behavior in `DEFAULT_ARTIFACTS` or future changes.
Suggested implementation:
```python
import json
import subprocess
import sys
import tempfile
import unittest
from pathlib import Path
```
```python
    def test_manifest_generation_deterministic_default(self):
        with tempfile.TemporaryDirectory() as td:
            out1 = Path(td) / "manifest1.json"
            out2 = Path(td) / "manifest2.json"
            result1 = self.run_generator(out1)
            self.assertEqual(result1.returncode, 0, msg=result1.stderr)
            self.assertTrue(out1.exists())
            result2 = self.run_generator(out2)
            self.assertEqual(result2.returncode, 0, msg=result2.stderr)
            self.assertTrue(out2.exists())
            with out1.open() as f1, out2.open() as f2:
                manifest1 = json.load(f1)
                manifest2 = json.load(f2)
            self.assertEqual(manifest1, manifest2)
```
</issue_to_address>
### Comment 3
<location path="docs/schemas/test_verify_evidence_bundle.py" line_range="13" />
<code_context>
+VERIFY = ROOT / "verify_evidence_bundle.py"
+
+
+class VerifyEvidenceBundleTests(unittest.TestCase):
+ def test_verify_manifest_success(self):
+ with tempfile.TemporaryDirectory() as td:
</code_context>
<issue_to_address>
**suggestion (testing):** Add a test case that covers missing or removed artifact files in the evidence bundle verification.
Current tests cover only the happy path and hash mismatches, but not the case where a manifest entry points to a missing artifact (`Missing artifact: ...`). Please extend `test_verify_manifest_detects_tamper` or add a new test that removes a file (or uses a non-existent path), runs `verify_evidence_bundle.py`, and asserts a non-zero exit code and a `Missing artifact:` message so this scenario is covered.
Suggested implementation:
```python
import sys
import tempfile
import unittest
import subprocess
from pathlib import Path
```
To implement the missing-artifact test case, you should add a new test method inside `VerifyEvidenceBundleTests`, e.g.:
```python
    def test_verify_manifest_missing_artifact(self):
        with tempfile.TemporaryDirectory() as td:
            manifest = Path(td) / "manifest.json"
            gen = subprocess.run(
                [sys.executable, str(GEN), "--repo-root", str(ROOT.parent.parent), "--output", str(manifest)],
                capture_output=True,
                text=True,
                check=False,
            )
            self.assertEqual(gen.returncode, 0, msg=gen.stderr)
            data = json.loads(manifest.read_text())
            # Assume manifest["artifacts"] is a list of objects with a "path" field
            missing_path = Path(td) / data["artifacts"][0]["path"]
            if missing_path.exists():
                missing_path.unlink()
            verify = subprocess.run(
                [sys.executable, str(VERIFY), "--manifest", str(manifest)],
                capture_output=True,
                text=True,
                check=False,
            )
            self.assertNotEqual(verify.returncode, 0)
            self.assertIn("Missing artifact:", verify.stderr)
```
You may need to:
1. Import `json` at the top of the file if not already imported.
2. Adjust the structure of `data` to match the actual manifest schema (e.g. `data["artifacts"][0]["artifact"]["path"]` or similar).
3. Ensure that `verify_evidence_bundle.py` prints `Missing artifact:` to stderr (or adjust the assertion to match the actual output stream and message).
4. If you prefer, you can fold this logic into an existing `test_verify_manifest_detects_tamper` by adding a sub-case or a separate removal/verification step, but a dedicated `test_verify_manifest_missing_artifact` keeps the scenarios clearer.
</issue_to_address>
### Comment 4
<location path="docs/schemas/check_generated_artifacts.py" line_range="21" />
<code_context>
proc = subprocess.run(cmd, capture_output=True, text=True, check=False, cwd=cwd)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 5
<location path="docs/schemas/run_governance_checks.py" line_range="81-89" />
<code_context>
proc = subprocess.run(
cmd,
shell=True,
capture_output=True,
text=True,
check=False,
cwd=REPO_ROOT,
timeout=args.timeout_seconds,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 6
<location path="docs/schemas/run_governance_checks.py" line_range="83" />
<code_context>
shell=True,
</code_context>
<issue_to_address>
**security (python.lang.security.audit.subprocess-shell-true):** Found 'subprocess' function 'run' with 'shell=True'. This is dangerous because this call will spawn the command using a shell process. Doing so propagates current shell settings and variables, which makes it much easier for a malicious actor to execute commands. Use 'shell=False' instead.
```suggestion
shell=False,
```
*Source: opengrep*
</issue_to_address>
### Comment 7
<location path="docs/schemas/test_check_dependencies.py" line_range="13" />
<code_context>
return subprocess.run([sys.executable, str(SCRIPT), *args], capture_output=True, text=True, check=False)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 8
<location path="docs/schemas/test_check_generated_artifacts.py" line_range="30-36" />
<code_context>
proc = subprocess.run(
[sys.executable, str(Path(module.__file__))],
cwd=td,
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 9
<location path="docs/schemas/test_generate_evidence_bundle.py" line_range="17" />
<code_context>
return subprocess.run(cmd, capture_output=True, text=True, check=False)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 10
<location path="docs/schemas/test_governance_artifacts_validation.py" line_range="23-39" />
<code_context>
return subprocess.run(
[
sys.executable,
str(SCRIPT),
"--yaml",
str(yaml_path),
"--json",
str(json_path),
"--yaml-schema",
str(YAML_SCHEMA_PATH),
"--json-schema",
str(JSON_SCHEMA_PATH),
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 11
<location path="docs/schemas/test_governance_artifacts_validation.py" line_range="42" />
<code_context>
result = subprocess.run([sys.executable, str(SCRIPT), "--help"], capture_output=True, text=True, check=False)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 12
<location path="docs/schemas/test_run_governance_checks.py" line_range="26-39" />
<code_context>
proc = subprocess.run(
[
sys.executable,
str(RUN),
"--output",
str(out),
"--command",
"python -c \"import pathlib; print(pathlib.Path.cwd())\"",
],
capture_output=True,
text=True,
check=False,
cwd=td,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 13
<location path="docs/schemas/test_run_governance_checks.py" line_range="49-61" />
<code_context>
proc = subprocess.run(
[
sys.executable,
str(RUN),
"--output",
str(out),
"--command",
"python -c \"import sys; sys.stderr.write(\'Ran 2 tests in 0.123s\\n\')\"",
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 14
<location path="docs/schemas/test_run_governance_checks.py" line_range="70-84" />
<code_context>
proc = subprocess.run(
[
sys.executable,
str(RUN),
"--output",
str(out),
"--max-tail-chars",
"20",
"--command",
"python -c \"import sys; sys.stdout.write('x' * 120)\"",
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 15
<location path="docs/schemas/test_run_governance_checks.py" line_range="94-110" />
<code_context>
proc = subprocess.run(
[
sys.executable,
str(RUN),
"--output",
str(out),
"--command",
"echo ok",
"--command",
"python -c \"print('done')\"",
"--max-tail-chars",
"20",
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 16
<location path="docs/schemas/test_run_governance_checks.py" line_range="123-137" />
<code_context>
proc = subprocess.run(
[
sys.executable,
str(RUN),
"--output",
str(out),
"--timeout-seconds",
"1",
"--command",
"python -c \"import time; time.sleep(2)\"",
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 17
<location path="docs/schemas/test_run_governance_checks.py" line_range="149-164" />
<code_context>
proc = subprocess.run(
[
sys.executable,
str(RUN),
"--output",
str(out),
"--continue-on-failure",
"--command",
"python -c \"import sys; sys.exit(1)\"",
"--command",
"echo should_run",
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 18
<location path="docs/schemas/test_run_governance_checks.py" line_range="177-191" />
<code_context>
proc = subprocess.run(
[
sys.executable,
str(RUN),
"--output",
str(out),
"--command",
"python -c \"import sys; sys.exit(1)\"",
"--command",
"echo should_not_run",
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 19
<location path="docs/schemas/test_validate_evidence_manifest.py" line_range="21-26" />
<code_context>
gen = subprocess.run(
[sys.executable, str(GEN), "--repo-root", str(ROOT.parent.parent), "--output", str(manifest)],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 20
<location path="docs/schemas/test_validate_evidence_manifest.py" line_range="29-43" />
<code_context>
val = subprocess.run(
[
sys.executable,
str(VALIDATE),
"--repo-root",
str(ROOT.parent.parent),
"--manifest",
str(manifest),
"--schema",
str(SCHEMA),
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 21
<location path="docs/schemas/test_validate_evidence_manifest.py" line_range="52-66" />
<code_context>
val = subprocess.run(
[
sys.executable,
str(VALIDATE),
"--repo-root",
str(ROOT.parent.parent),
"--manifest",
str(manifest),
"--schema",
str(SCHEMA),
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 22
<location path="docs/schemas/test_validate_evidence_manifest.py" line_range="71-85" />
<code_context>
val = subprocess.run(
[
sys.executable,
str(VALIDATE),
"--repo-root",
str(ROOT.parent.parent),
"--manifest",
"docs/schemas/does_not_exist.json",
"--schema",
str(SCHEMA),
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 23
<location path="docs/schemas/test_validate_evidence_manifest.py" line_range="94-108" />
<code_context>
val = subprocess.run(
[
sys.executable,
str(VALIDATE),
"--repo-root",
str(ROOT.parent.parent),
"--manifest",
str(manifest),
"--schema",
str(SCHEMA),
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 24
<location path="docs/schemas/test_validate_run_report.py" line_range="37-51" />
<code_context>
val = subprocess.run(
[
sys.executable,
str(VALIDATE),
"--repo-root",
str(ROOT.parent.parent),
"--report",
str(report),
"--schema",
str(SCHEMA),
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 25
<location path="docs/schemas/test_validate_run_report.py" line_range="72-86" />
<code_context>
val = subprocess.run(
[
sys.executable,
str(VALIDATE),
"--repo-root",
str(ROOT.parent.parent),
"--report",
str(report),
"--schema",
str(SCHEMA),
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 26
<location path="docs/schemas/test_validate_run_report.py" line_range="109-123" />
<code_context>
val = subprocess.run(
[
sys.executable,
str(VALIDATE),
"--repo-root",
str(ROOT.parent.parent),
"--report",
str(report),
"--schema",
str(SCHEMA),
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 27
<location path="docs/schemas/test_validate_run_report.py" line_range="147-161" />
<code_context>
val = subprocess.run(
[
sys.executable,
str(VALIDATE),
"--repo-root",
str(ROOT.parent.parent),
"--report",
str(report),
"--schema",
str(SCHEMA),
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
### Comment 28
<location path="docs/schemas/test_validate_run_report.py" line_range="185-199" />
<code_context>
val = subprocess.run(
[
sys.executable,
str(VALIDATE),
"--repo-root",
str(ROOT.parent.parent),
"--report",
str(report),
"--schema",
str(SCHEMA),
],
capture_output=True,
text=True,
check=False,
)
</code_context>
<issue_to_address>
**security (python.lang.security.audit.dangerous-subprocess-use-audit):** Detected subprocess function 'run' without a static string. If this data can be controlled by a malicious actor, it may be an instance of command injection. Audit the use of this call to ensure it is not controllable by an external resource. You may consider using 'shlex.escape()'.
*Source: opengrep*
</issue_to_address>
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4ec0ec28ff
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
Micro-Learning Topic: OS command injection (Detected by phrase)
Matched on "command injection"
In many situations, applications will rely on OS provided functions, scripts, macros and utilities instead of reimplementing them in code. While functions would typically be accessed through a native interface library, the remaining three OS provided features will normally be invoked via the command line or launched as a process. If unsafe inputs are used to construct commands or arguments, it may allow arbitrary OS operations to be performed that can compromise the server.
Try a challenge in Secure Code Warrior
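Added example, not part of this pull request or of any bot's review output: a triage aid for the `dangerous-subprocess-use-audit` findings above. It contrasts the list-argv call shape used in the flagged tests with the same value passed through a shell. The child program, the `HOSTILE` value and the function names are constructed for illustration, and the shell case assumes a POSIX `/bin/sh`.

```python
import shlex
import subprocess
import sys

# Constructed child program: reports the arguments it actually received.
CHILD = "import sys, json; print(json.dumps(sys.argv[1:]))"

# Constructed hostile value: an output path carrying a shell metacharacter.
HOSTILE = "report.json; echo INJECTED"


def run_argv(value):
    """List argv with no shell, the call shape used in the flagged tests.

    Each list element reaches the child as exactly one argument, so
    metacharacters inside `value` are never interpreted.
    """
    proc = subprocess.run(
        [sys.executable, "-c", CHILD, "--output", value],
        capture_output=True,
        text=True,
        check=False,
    )
    return proc.stdout.splitlines()


def run_shell(value, quote=False):
    """Same command as a single string handed to the shell.

    Without quoting, `value` is parsed by the shell and can append commands.
    shlex.quote() turns it back into one literal argument.
    """
    arg = shlex.quote(value) if quote else value
    cmd = f"{shlex.quote(sys.executable)} -c {shlex.quote(CHILD)} --output {arg}"
    proc = subprocess.run(
        cmd, shell=True, capture_output=True, text=True, check=False
    )
    return proc.stdout.splitlines()


if __name__ == "__main__":
    print("argv list      :", run_argv(HOSTILE))
    print("shell, unquoted:", run_shell(HOSTILE))
    print("shell, quoted  :", run_shell(HOSTILE, quote=True))
```

When auditing a finding of this kind, the questions that matter are whether `shell=True` (or an equivalent shell wrapper) is in play and whether any argv element comes from outside the repository.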
|
❌ Deploy Preview for onefinestarstuff failed.
|
…26-2030 Signed-off-by: 𝐎𝐧𝐞 𝐅𝐢𝐧𝐞 𝐒𝐭𝐚𝐫𝐬𝐭𝐮𝐟𝐟 <onefinestarstuff@gmail.com>
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
View changes in DiffLens |
for more information, see https://pre-commit.ci
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
Micro-Learning Topic: Cross-site scripting (Detected by phrase)
Matched on "xSs"
Cross-site scripting vulnerabilities occur when unescaped input is rendered into a page displayed to the user. When HTML or script is included in the input, it will be processed by a user's browser as HTML or script and can alter the appearance of the page or execute malicious scripts in their user context.
Try a challenge in Secure Code Warrior
|
Motivation
Description
- governance-artifacts-ci.yml that installs dependencies, runs schema/semantic validators, OPA/Rego formatting and tests, evidence manifest generation/verification, run report generation/validation, and uploads the validation report.
- Makefile with targets for governance setup and checks such as governance-validate, governance-policy-test, governance-validator-test, governance-evidence-manifest, governance-evidence-verify, governance-evidence-schema, governance-report, governance-report-schema, and governance-check-generated.
- docs/schemas/: JSON schemas, YAML profile (agi_asi_governance_profile_2026_2030.yaml), compliance mapping JSON, evidence manifest generator/verifier, run-report runner and validators, inventory validator, helper _validation_deps.py, determinism helpers, and README.md/CONTRIBUTING.md.
- ai_governance.rego) and unit tests (ai_governance_test.rego), plus a comprehensive set of Python unit tests (test_*.py) and pre-commit configuration (.pre-commit-config.yaml) and yamllint settings (.yamllint).
Testing
- docs/schemas/validation_run_report.json showing all checks passed (overall_status: pass, passed_checks: 9, failed_checks: 0).
- opa test and reported PASS: 4/4.
- docs/schemas/ (the test_*.py suite invoked by make governance-validator-test) were executed as part of the run and completed successfully according to the generated run report.
Codex Task
Summary by Sourcery
Introduce a governance artifact validation framework with machine-readable schemas, Rego policies, evidence manifests, and CI automation for the AGI/ASI governance blueprint.
New Features:
Enhancements:
CI:
Summary by CodeRabbit
New Features
Documentation
Chores