Skip to content

style: automated autofixes from CodeQL workflow#1040

Open
github-actions[bot] wants to merge 1 commit into
mainfrom
chore/codeql-autofix-29162861564
Open

style: automated autofixes from CodeQL workflow#1040
github-actions[bot] wants to merge 1 commit into
mainfrom
chore/codeql-autofix-29162861564

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Automated cleanup pushed by the CodeQL Advanced workflow.

Tools applied:

  • ruff check --fix + ruff format (unsafe fixes only enabled when allow_unsafe_fixes=true on scheduled/manual runs)
  • prettier --write
  • eslint --fix (if configured in the repository)
  • clang-format -i --style=file (when C/C++ files are present)

Triggered by: push on refs/heads/main (run #29162861564).

@stepsecurity-app

Copy link
Copy Markdown
Contributor

Security Policy Alert: Harden Runner Policy Violation

This workflow run has been blocked by StepSecurity's Harden Runner policy.

This workflow run was blocked because one or more jobs are missing the Harden-Runner action, or it is not properly configured, which can introduce agent-bypass risk.

Jobs not protected by Harden Runner:

  • .github/workflows/dependabot-fetch-metadata.yml::dependabot

Update the affected jobs so Harden Runner is initialized before any other action or command runs.

For more information, see StepSecurity's Harden Runner documentation.

@stepsecurity-app

Copy link
Copy Markdown
Contributor

Security Policy Alert: Harden Runner Policy Violation

This workflow run has been blocked by StepSecurity's Harden Runner policy.

This workflow run was blocked because one or more jobs are missing the Harden-Runner action, or it is not properly configured, which can introduce agent-bypass risk.

Jobs not protected by Harden Runner:

  • .github/workflows/dependabot-auto-merge.yml::dependabot

Update the affected jobs so Harden Runner is initialized before any other action or command runs.

For more information, see StepSecurity's Harden Runner documentation.

"plateau": es_metrics.is_plateau,
"reason": es_metrics.reason
}
"early_stopping": {"plateau": es_metrics.is_plateau, "reason": es_metrics.reason},

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Is "is_plateau" a function or an attribute? If it is a function, you may have meant es_metrics.is_plateau() because es_metrics.is_plateau is always true.

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by is-function-without-parentheses.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment thread shared/early_stopping.py
with open(metrics_file, 'w') as f:

with open(metrics_file, "w") as f:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Missing 'encoding' parameter. 'open()' uses device locale encodings by default, corrupting files with special characters. Specify the encoding to ensure cross-platform support when opening files in text mode (e.g. encoding="utf-8").

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by unspecified-open-encoding.

You can view more details about this finding in the Semgrep AppSec Platform.

with open(output / "training_results.json", 'w') as f:

with open(output / "training_results.json", "w") as f:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
Missing 'encoding' parameter. 'open()' uses device locale encodings by default, corrupting files with special characters. Specify the encoding to ensure cross-platform support when opening files in text mode (e.g. encoding="utf-8").

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by unspecified-open-encoding.

You can view more details about this finding in the Semgrep AppSec Platform.

Comment thread .github/dependabot.yml
Comment on lines +49 to +61
- package-ecosystem: "github-actions"
directory: "/"
<<: *defaults
open-pull-requests-limit: 6
commit-message:
prefix: "deps(actions)"
groups:
actions-minor-patch:
update-types: ["minor", "patch"]
patterns: ["*"]
actions-major:
update-types: ["major"]
patterns: ["*"]

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Semgrep identified an issue in your code:
This Dependabot configuration does not set a cooldown period. Newly published packages can be malicious or unstable. Add a cooldown block with default-days: 7 to each package-ecosystem entry under updates to wait 7 days before proposing updates to newly published package versions. Reference: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#cooldown

To resolve this comment:

🔧 No guidance has been designated for this issue. Fix according to your organization's approved methods.

💬 Ignore this finding

Reply with Semgrep commands to ignore this finding.

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

Alternatively, triage in Semgrep AppSec Platform to ignore the finding created by dependabot-missing-cooldown.

You can view more details about this finding in the Semgrep AppSec Platform.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants