Adding the Integrations Tests #173
Conversation
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
8e7e051 to
c8c5d4d
Compare
![semgrep-app[bot]](https://avatars.githubusercontent.com/in/60555?s=60&v=4){kind=small}
| run: | | ||
| AGENT_NAME="${{ steps.image-name.outputs.agent_name }}" | ||
| VERSION_TAG="${{ inputs.version_tag }}" | ||
| REPOSITORY_NAME="${{ github.repository }}/tutorial-agents/${AGENT_NAME}" | ||
| FULL_IMAGE="${REGISTRY}/${REPOSITORY_NAME}:${VERSION_TAG}" | ||
| agentex agents build \ | ||
| --manifest "${{ inputs.agent_path }}/manifest.yaml" \ | ||
| --registry "${REGISTRY}" \ | ||
| --tag "${VERSION_TAG}" \ | ||
| --platforms "linux/amd64" \ | ||
| --repository-name "${REPOSITORY_NAME}" \ | ||
| --push | ||
| echo "Successfully built and pushed: ${FULL_IMAGE}" | ||
| echo "### Build Complete" >> $GITHUB_STEP_SUMMARY | ||
| echo "- **Image**: \`${FULL_IMAGE}\`" >> $GITHUB_STEP_SUMMARY |
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
| run: | | ||
| # Remove examples/tutorials/ prefix and replace / with - | ||
| AGENT_NAME=$(echo "${{ inputs.agent_path }}" | sed 's|^examples/tutorials/||' | sed 's|/|-|g') | ||
| echo "AGENT_NAME=$AGENT_NAME" >> $GITHUB_ENV | ||
| echo "agent_name=$AGENT_NAME" >> $GITHUB_OUTPUT | ||
| echo "Agent name set to $AGENT_NAME" | ||
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
| run: | | ||
| if [ ! -f "${{ inputs.agent_path }}/manifest.yaml" ]; then | ||
| echo "❌ Error: manifest.yaml not found in '${{ inputs.agent_path }}'" | ||
| exit 1 | ||
| fi | ||
| echo "✅ manifest.yaml found" | ||
| echo "### Validation Summary" >> $GITHUB_STEP_SUMMARY | ||
| echo "- **Agent Path**: ${{ inputs.agent_path }}" >> $GITHUB_STEP_SUMMARY | ||
| echo "- **Version Tag**: ${{ inputs.version_tag }}" >> $GITHUB_STEP_SUMMARY | ||
| echo "- **Status**: ✅ Validation passed" >> $GITHUB_STEP_SUMMARY | ||
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
| run: | | ||
| if [ ! -d "${{ inputs.agent_path }}" ]; then | ||
| echo "❌ Error: Agent path '${{ inputs.agent_path }}' does not exist" | ||
| exit 1 | ||
| fi | ||
| echo "✅ Agent path verified: ${{ inputs.agent_path }}" | ||
There was a problem hiding this comment.
Semgrep identified an issue in your code:
Using variable interpolation ${{...}} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".
To resolve this comment:
🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.
💬 Ignore this finding
Reply with Semgrep commands to ignore this finding.
/fp <comment>for false positive/ar <comment>for acceptable risk/other <comment>for all other reasons
Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by run-shell-injection.
You can view more details about this finding in the Semgrep AppSec Platform.
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
41fdfc5 to
75ac121
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
5 times, most recently
from
0f5077c to
020984e
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
020984e to
54996c2
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
ce263ca to
7023a18
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
7023a18 to
e10ad36
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
6f4b382 to
fcb8313
Compare
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
2 times, most recently
from
65181e4 to
7e9b901
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
22c90b5 to
5b8f23b
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
5b8f23b to
b4d87d7
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
960c3c6 to
6c7de97
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
1d1f77c to
1feda9f
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
1feda9f to
5a13b31
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
6294dbb to
87f0fdf
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
2 times, most recently
from
e4f3636 to
134d3ef
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
5 times, most recently
from
69eb4e4 to
dc04e1a
Compare
RoxyFarhad
force-pushed
the
RF/feat/integration-pipeline
branch
from
dc04e1a to
bfab5aa
Compare
No description provided.