fix: replace shell=True subprocess with argument list in modal CLI #3487

Open
Hadar01 wants to merge 5 commits into axolotl-ai-cloud:main from Hadar01:fix/subprocess-shell-injection-modal

@Hadar01 (Contributor) commented Mar 11, 2026

Description

Replace shell=True subprocess call with an argument list in the Modal CLI cloud integration.

Motivation and Context

subprocess.check_output() was called with shell=True and a formatted string containing docker_image, which is derived from user config (self.config.docker_tag). Passing user-controlled values to a shell string is a command injection risk (Bandit B602). Using an argument list passes args directly to the process without shell interpretation, eliminating the risk and allowing the # nosec annotation to be removed.

How has this been tested?

  • pre-commit run --all-files — Bandit no longer flags this line

AI Usage Disclaimer

No

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Summary by CodeRabbit

  • Refactor
    • Improved the reliability and safety of docker image hash retrieval operations.

Using shell=True with a formatted string containing docker_image
(a user-controlled value) is a command injection risk (Bandit B602).
Replace with an argument list, which passes args directly to the
process without shell interpretation, removing the nosec annotation.

@coderabbitai (bot, Contributor) commented Mar 11, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: e8e26b1c-584b-4efa-a21f-26ff839e30e7

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Refactors docker image hash retrieval in the modal CLI module by replacing shell-invoked subprocess command with direct argument list, eliminating shell injection risk while preserving error handling behavior.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Docker command refactoring: src/axolotl/cli/cloud/modal_.py | Replaced shell-based docker manifest inspect command invocation with direct subprocess argument list, removing shell=True and decoding stdout for hash extraction. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title clearly and accurately summarizes the main change: replacing a shell=True subprocess call with an argument list in the modal CLI to address a security issue. |

@winglian (Collaborator) commented

@coderabbitai review

@coderabbitai (bot, Contributor) commented Mar 12, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@codecov (bot) commented Mar 12, 2026

Codecov Report

❌ Patch coverage is 0% with 1 line in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| src/axolotl/cli/cloud/modal_.py | 0.00% | 1 Missing ⚠️ |

📢 Thoughts on this report? Let us know!

Hadar01 and others added 3 commits March 12, 2026 11:04
Removing shell=True (B602) surfaces B603 (subprocess without shell)
and B607 (partial executable path for 'docker'). Use bare # nosec
to suppress both, consistent with other nosec usages in the codebase.
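
The difference between the two call styles discussed in this PR, as an added example that is not code from the PR or from axolotl. It assumes a POSIX shell; `FAKE_DOCKER` (a stand-in that echoes its argv so nothing contacts a registry), the `IMAGE_REF` allowlist, the function names and `HOSTILE_TAG` are all constructed for illustration.

```python
import re
import shlex
import subprocess
import sys

# Stand-in for the `docker` binary so the example runs offline: it prints the
# arguments it received as one JSON list instead of contacting a registry.
FAKE_DOCKER = [sys.executable, "-c", "import json,sys; print(json.dumps(sys.argv[1:]))"]

# Conservative allowlist for an image reference (an assumption, not the
# project's rule). It must start with an alphanumeric character, so a value
# beginning with "-" cannot be read by the CLI as an option.
IMAGE_REF = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/:@-]{0,254}")


def inspect_with_shell(docker_image: str) -> str:
    """The 'before' pattern: a formatted string handed to /bin/sh (Bandit B602)."""
    cmd = f"{shlex.join(FAKE_DOCKER)} manifest inspect {docker_image}"
    return subprocess.check_output(cmd, shell=True).decode()  # nosec - flagged pattern, shown on purpose


def argv_without_validation(docker_image: str) -> str:
    """Argument list alone: shell metacharacters stay inside one argv element."""
    return subprocess.check_output([*FAKE_DOCKER, "manifest", "inspect", docker_image]).decode()


def inspect_with_argv(docker_image: str) -> str:
    """The 'after' pattern plus input validation before the process is started."""
    if not IMAGE_REF.fullmatch(docker_image):
        raise ValueError(f"rejected image reference: {docker_image!r}")
    return argv_without_validation(docker_image)


# Constructed config value; the trailing command is a harmless echo.
HOSTILE_TAG = "example/image:tag; echo INJECTED"

if __name__ == "__main__":
    print(inspect_with_shell(HOSTILE_TAG))       # the shell ran two commands
    print(argv_without_validation(HOSTILE_TAG))  # one command, one odd argument
    try:
        inspect_with_argv(HOSTILE_TAG)
    except ValueError as err:
        print(err)                               # rejected before any process starts
```

The argument list removes shell interpretation, but the executable name is still resolved through `PATH` (the B607 finding mentioned in the commit above), and a value beginning with `-` would still reach the CLI as an option unless it is validated first.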