Skip to content

[codex] Harden workflow shell and auth security gates#3336

Closed
elodiejmirza wants to merge 3 commits into
github:mainfrom
SoloSentryOrg:codex/secure-shell-workflow-gate
Closed

[codex] Harden workflow shell and auth security gates#3336
elodiejmirza wants to merge 3 commits into
github:mainfrom
SoloSentryOrg:codex/secure-shell-workflow-gate

Conversation

@elodiejmirza

Copy link
Copy Markdown

Summary

  • Require explicit trust before workflow shell steps execute noninteractively, with interactive approval as the local fallback.
  • Validate outbound authentication URLs and Azure tenant path segments before network requests.
  • Close Bandit low-severity findings by narrowing broad exception handling, replacing assert-based runtime guards, and adding targeted suppressions for deliberate subprocess/best-effort patterns.

Security review

  • Bandit: 0 High, 0 Medium, 0 Low findings after remediation.
  • Gitleaks: no leaks found.
  • pip-audit: no known vulnerabilities found.
  • Ruff and compile checks passed.
  • Full pytest was attempted; shell/git fixture tests were blocked by the local global Git identity hook rejecting test repos that set Test User test@example.com. Targeted regression suites for the touched auth, workflow, integration, and self-upgrade code passed.

Validation

  • PYTHONPATH=src uv run --extra test pytest tests/test_utils.py tests/test_authentication.py tests/test_self_upgrade_detection.py tests/test_self_upgrade_verification.py tests/test_self_upgrade_execution.py -q --tb=short
  • PYTHONPATH=src uv run --extra test pytest tests/integrations/test_integration_subcommand.py tests/test_workflows.py -q --tb=short
  • PYTHONPATH=src uv run ruff check
  • python3 -m compileall -q src
  • uv tool run bandit -q -r src -f json
  • gitleaks detect --no-git --redact --source .
  • pip-audit --desc off --progress-spinner off
  • git diff --check

@elodiejmirza elodiejmirza marked this pull request as ready for review July 4, 2026 17:46
@elodiejmirza elodiejmirza requested a review from mnriem as a code owner July 4, 2026 17:46
@elodiejmirza

Copy link
Copy Markdown
Author

Closing this upstream PR because the change was intended for the SoloSentryOrg fork and has already been merged in SoloSentryOrg#1.

@elodiejmirza elodiejmirza deleted the codex/secure-shell-workflow-gate branch July 5, 2026 07:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant