Commit 588d4e6

fix(hooks): replace hardcoded paths with workspaceFolder variable
1 parent 801477b commit 588d4e6

3 files changed

Lines changed: 3 additions & 3 deletions

.kiro/hooks/container-security-scan.kiro.hook

Lines changed: 1 addition & 1 deletion
@@ -11,7 +11,7 @@
1111
},
1212
"then": {
1313
"type": "askAgent",
14-
"prompt": "A shell command just completed. If it was a `docker build` or `docker compose build` (or `docker-compose build`) command, you MUST run the following security scans against the newly built image before the user proceeds.\n\nFirst, determine the image name/tag that was just built. For this project it is `linkshort` (or `jackseceng/linkshort:latest` if fully tagged). Use the tag from the build command if one was specified.\n\nRun all three of the following scans in sequence:\n\n**1. Grype (only-fixed vulnerabilities, CRITICAL/HIGH/MEDIUM)**\n```\ndocker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\\n anchore/grype:v0.112.0 linkshort --only-fixed\n```\n\n**2. Trivy (CRITICAL, HIGH, MEDIUM)**\n```\ndocker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\\n aquasec/trivy:0.70.0 image \\\n --severity CRITICAL,HIGH,MEDIUM \\\n --ignore-unfixed=true \\\n linkshort\n```\n\n**3. Semgrep SAST (source code)**\n```\ndocker run --rm -v /home/jack/Repos/LinkShort:/src \\\n semgrep/semgrep:1.161.0 semgrep scan --config auto /src\n```\n\nAfter all scans complete:\n- Report a summary of findings grouped by scanner (tool name, severity, description, file/location).\n- If any CRITICAL or HIGH severity vulnerabilities are found, warn the user clearly and recommend they do not commit or push until the issues are resolved or justified.\n- If no issues are found across all scanners, confirm the image is clean.\n\nIf the shell command was NOT a docker build, do nothing."
14+
"prompt": "A shell command just completed. If it was a `docker build` or `docker compose build` (or `docker-compose build`) command, you MUST run the following security scans against the newly built image before the user proceeds.\n\nFirst, determine the image name/tag that was just built. For this project it is `linkshort` (or `jackseceng/linkshort:latest` if fully tagged). Use the tag from the build command if one was specified.\n\nRun all three of the following scans in sequence:\n\n**1. Grype (only-fixed vulnerabilities, CRITICAL/HIGH/MEDIUM)**\n```\ndocker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\\n anchore/grype:v0.112.0 linkshort --only-fixed\n```\n\n**2. Trivy (CRITICAL, HIGH, MEDIUM)**\n```\ndocker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\\n aquasec/trivy:0.70.0 image \\\n --severity CRITICAL,HIGH,MEDIUM \\\n --ignore-unfixed=true \\\n linkshort\n```\n\n**3. Semgrep SAST (source code)**\n```\ndocker run --rm -v ${workspaceFolder}:/src \\\n semgrep/semgrep:1.161.0 semgrep scan --config auto /src\n```\n\nAfter all scans complete:\n- Report a summary of findings grouped by scanner (tool name, severity, description, file/location).\n- If any CRITICAL or HIGH severity vulnerabilities are found, warn the user clearly and recommend they do not commit or push until the issues are resolved or justified.\n- If no issues are found across all scanners, confirm the image is clean.\n\nIf the shell command was NOT a docker build, do nothing."
1515
},
1616
"workspaceFolderName": "LinkShort",
1717
"shortName": "container-security-scan"
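Review bot: the new `${workspaceFolder}` reference in the Semgrep `-v` flag is unquoted, so a workspace path containing a space or shell metacharacter splits the argument; write `-v "${workspaceFolder}:/src"` instead. It is also worth confirming that the hook runtime substitutes `${workspaceFolder}` before the prompt string reaches the agent (the `workspaceFolderName` field in the same file suggests the runtime knows the workspace); if the agent receives the literal text and pastes it into a shell where no such variable is set, the mount degrades to `-v :/src` and Semgrep scans nothing while the hook still reports. Unchanged by this commit but visible in the hunk: the `/var/run/docker.sock` bind mounts on the Grype and Trivy commands hand each scanner container full control of the host Docker daemon; scanning an exported image archive instead would keep the scanners unprivileged.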

.kiro/hooks/manual-security-scan.kiro.hook

Lines changed: 1 addition & 1 deletion
@@ -8,6 +8,6 @@
88
},
99
"then": {
1010
"type": "askAgent",
11-
"prompt": "The user has manually triggered a full security scan.\n\n## Step 1: Sync scanner versions from security.yml\n\nRead `/home/jack/Repos/LinkShort/.github/workflows/security.yml` and extract the following:\n- The Semgrep image tag from the `container: image:` field in the `semgrep` job (e.g. `semgrep/semgrep:1.161.0`)\n- The Trivy version from the `version` default in `trivy-action` — look up the raw action.yaml at `https://raw.githubusercontent.com/aquasecurity/trivy-action/<COMMIT_SHA>/action.yaml` using the pinned commit SHA from the `trivy-action` step, and read the `default:` value under the `version:` input\n- The Grype version: `anchore/scan-action` is pinned by commit SHA in security.yml, but the `grype-version` input is not passed, so the action resolves the latest Grype release dynamically at CI runtime. Mirror this by running `docker run --rm anchore/grype:latest version 2>&1 | grep '^Version:'` to get the current latest version string\n\nNow compare those three versions against the versions currently hardcoded in this hook file at `/home/jack/Repos/LinkShort/.kiro/hooks/manual-security-scan.kiro.hook` and in `/home/jack/Repos/LinkShort/.kiro/hooks/container-security-scan.kiro.hook`.\n\nIf any version has changed, update BOTH hook files with the new versions (edit the image tags in the docker run commands in the prompt strings), then report which versions were updated. If nothing changed, note that versions are already in sync.\n\n## Step 2: Run the scans\n\nRun all three of the following scans against the local `linkshort` image in sequence, using the versions confirmed/updated in Step 1:\n\n**1. Grype (only-fixed vulnerabilities, fail on medium+)**\n```\ndocker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\\n anchore/grype:v0.112.0 linkshort --only-fixed \\\n --fail-on medium\n```\n\n**2. 
Trivy (CRITICAL, HIGH, MEDIUM — including unfixed)**\n```\ndocker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\\n aquasec/trivy:0.70.0 image \\\n --severity CRITICAL,HIGH,MEDIUM \\\n --ignore-unfixed=false \\\n linkshort\n```\n\n**3. Semgrep SAST (source code)**\n```\ndocker run --rm -v /home/jack/Repos/LinkShort:/src \\\n semgrep/semgrep:1.161.0 semgrep scan --config auto /src\n```\n\nAfter all scans complete, produce a summary table of all findings grouped by scanner with columns: File/Location, Description, Severity, Tool. If any CRITICAL or HIGH findings exist, highlight them prominently and recommend they are resolved before committing or pushing. If everything is clean, confirm that clearly."
11+
"prompt": "The user has manually triggered a full security scan.\n\n## Step 1: Sync scanner versions from security.yml\n\nRead `${workspaceFolder}/.github/workflows/security.yml` and extract the following:\n- The Semgrep image tag from the `container: image:` field in the `semgrep` job (e.g. `semgrep/semgrep:1.161.0`)\n- The Trivy version from the `version` default in `trivy-action` — look up the raw action.yaml at `https://raw.githubusercontent.com/aquasecurity/trivy-action/<COMMIT_SHA>/action.yaml` using the pinned commit SHA from the `trivy-action` step, and read the `default:` value under the `version:` input\n- The Grype version: `anchore/scan-action` is pinned by commit SHA in security.yml, but the `grype-version` input is not passed, so the action resolves the latest Grype release dynamically at CI runtime. Mirror this by running `docker run --rm anchore/grype:latest version 2>&1 | grep '^Version:'` to get the current latest version string\n\nNow compare those three versions against the versions currently hardcoded in this hook file at `${workspaceFolder}/.kiro/hooks/manual-security-scan.kiro.hook` and in `${workspaceFolder}/.kiro/hooks/container-security-scan.kiro.hook`.\n\nIf any version has changed, update BOTH hook files with the new versions (edit the image tags in the docker run commands in the prompt strings), then report which versions were updated. If nothing changed, note that versions are already in sync.\n\n## Step 2: Run the scans\n\nRun all three of the following scans against the local `linkshort` image in sequence, using the versions confirmed/updated in Step 1:\n\n**1. Grype (only-fixed vulnerabilities, fail on medium+)**\n```\ndocker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\\n anchore/grype:v0.112.0 linkshort --only-fixed \\\n --fail-on medium\n```\n\n**2. 
Trivy (CRITICAL, HIGH, MEDIUM — including unfixed)**\n```\ndocker run --rm -v /var/run/docker.sock:/var/run/docker.sock \\\n aquasec/trivy:0.70.0 image \\\n --severity CRITICAL,HIGH,MEDIUM \\\n --ignore-unfixed=false \\\n linkshort\n```\n\n**3. Semgrep SAST (source code)**\n```\ndocker run --rm -v ${workspaceFolder}:/src \\\n semgrep/semgrep:1.161.0 semgrep scan --config auto /src\n```\n\nAfter all scans complete, produce a summary table of all findings grouped by scanner with columns: File/Location, Description, Severity, Tool. If any CRITICAL or HIGH findings exist, highlight them prominently and recommend they are resolved before committing or pushing. If everything is clean, confirm that clearly."
1212
}
1313
}
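Review bot: same quoting issue as in container-security-scan.kiro.hook: `-v ${workspaceFolder}:/src` should be `-v "${workspaceFolder}:/src"`. The Step 1 file paths (`${workspaceFolder}/.github/workflows/security.yml` and the two hook files) now depend entirely on the runtime expanding the variable; if it does not, the read fails, the version comparison silently produces nothing, and Step 2 still runs with whatever tags are hardcoded. Consider adding to the prompt that the agent must stop before Step 2 when Step 1 cannot read the workflow file. Also visible in the hunk though not touched here: the Grype check queries `anchore/grype:latest`, so the version resolved locally can differ from the one CI resolved at its own run time, and the hook instructs the agent to rewrite its own prompt string, so those self-edits deserve the same review as any other change to a hook that runs with Docker socket access.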

.kiro/hooks/super-linter-pre-commit.kiro.hook

Lines changed: 1 addition & 1 deletion
@@ -11,6 +11,6 @@
1111
},
1212
"then": {
1313
"type": "askAgent",
14-
"prompt": "A shell command is about to be executed. If it is a `git commit` command, you MUST first run Super Linter using this exact Docker command from the repo root before allowing the commit to proceed:\n\n```\ndocker run --rm -e DEFAULT_BRANCH=origin/main -e VALIDATE_ALL_CODEBASE=true -e VALIDATE_CSS=true -e VALIDATE_DOCKERFILE_HADOLINT=true -e VALIDATE_GITLEAKS=true -e VALIDATE_GITHUB_ACTIONS=true -e VALIDATE_HTML=true -e VALIDATE_MARKDOWN=true -e VALIDATE_PYTHON_BLACK=true -e VALIDATE_PYTHON_ISORT=true -e VALIDATE_YAML=true -e VALIDATE_JAVASCRIPT_PRETTIER=true -e FILTER_REGEX_EXCLUDE='.app/static/qrcode.min.js' -e RUN_LOCAL=true -v /home/jack/Repos/LinkShort:/tmp/lint ghcr.io/super-linter/super-linter:slim-v8.6.0\n```\n\nIf Super Linter reports any ERRORS (not warnings), you MUST fix all errors in the relevant files before allowing the commit. Do not proceed with the commit until Super Linter reports \"All files and directories linted successfully\". If the command is not a git commit, allow it to proceed immediately without running Super Linter."
14+
"prompt": "A shell command is about to be executed. If it is a `git commit` command, you MUST first run Super Linter using this exact Docker command from the repo root before allowing the commit to proceed:\n\n```\ndocker run --rm -e DEFAULT_BRANCH=origin/main -e VALIDATE_ALL_CODEBASE=true -e VALIDATE_CSS=true -e VALIDATE_DOCKERFILE_HADOLINT=true -e VALIDATE_GITLEAKS=true -e VALIDATE_GITHUB_ACTIONS=true -e VALIDATE_HTML=true -e VALIDATE_MARKDOWN=true -e VALIDATE_PYTHON_BLACK=true -e VALIDATE_PYTHON_ISORT=true -e VALIDATE_YAML=true -e VALIDATE_JAVASCRIPT_PRETTIER=true -e FILTER_REGEX_EXCLUDE='.app/static/qrcode.min.js' -e RUN_LOCAL=true -v ${workspaceFolder}:/tmp/lint ghcr.io/super-linter/super-linter:slim-v8.6.0\n```\n\nIf Super Linter reports any ERRORS (not warnings), you MUST fix all errors in the relevant files before allowing the commit. Do not proceed with the commit until Super Linter reports \"All files and directories linted successfully\". If the command is not a git commit, allow it to proceed immediately without running Super Linter."
1515
}
1616
}
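Review bot: quote the mount here as well, `-v "${workspaceFolder}:/tmp/lint"`; with the variable in place the phrase "from the repo root" earlier in the same prompt no longer describes a requirement and could be dropped so the agent does not treat the command as cwd-dependent. A style point visible in the hunk: `FILTER_REGEX_EXCLUDE='.app/static/qrcode.min.js'` is a regex, so the leading `.` and the dots in `qrcode.min.js` match any character rather than a literal dot; `app/static/qrcode\.min\.js` states the intended exclusion precisely.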
