
XS✔ ◾ Add Agentic CI Dependency Workflow #787

Merged
muiriswoulfe merged 17 commits into main from muiriswoulfe/agentic-workflow on Apr 27, 2026

Conversation

@muiriswoulfe
Member

Summary

Introduces an agentic workflow that refreshes pinned CI/CD dependencies for this repository. Triggered when the Release – Initiate workflow completes – or by manual dispatch while a release is in flight – the agent identifies the open release pull request and pushes dependency updates directly onto its branch.

Scope

  • SHA-pinned GitHub Actions, with synchronised version comments.
  • Azure DevOps task versions and 1ES template refs.
  • Node.js runtime pin alignment across CI definitions and the package manifest.

Impact

Release preparation no longer requires a manual dependency-refresh sweep. Each release pull request arrives with pins already updated, and an automatic retrigger commit causes the existing Build loop to run against the updates. Out-of-release invocations are no-ops, so the workflow is safe to re-dispatch.
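The Scope section above asks the agent to keep GitHub Actions SHA-pinned with a matching version comment. As an added example that is not part of this PR or of gh-aw, the following stdlib-only check verifies that invariant over a workflow file: every `uses: owner/repo@ref` must carry a 40-hex commit SHA (tags and branches are mutable) and a trailing `# vX.Y.Z` comment so the tracked release is readable without resolving the SHA. The sample workflow and its SHAs (`"a" * 40`, `"b" * 40`) are constructed placeholders, not real commits; local `./` actions and `docker://` images are out of scope for this check.

```python
"""Stdlib-only check that GitHub Actions `uses:` references are SHA-pinned
and carry a version comment (constructed example, not the project's tooling)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches `- uses: owner/repo@<ref>  # v1.2.3`; the dash and the comment are optional.
USES_RE = re.compile(
    r"^\s*(?:-\s+)?uses:\s*(?P<action>[^\s#@]+)@(?P<ref>[^\s#]+)"
    r"\s*(?:#\s*(?P<comment>.*?))?\s*$"
)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")              # full commit SHA: the only immutable ref
VERSION_RE = re.compile(r"^v?\d+(?:\.\d+){0,2}\b")  # v4, v4.2, v4.2.1 or 4.2.1


@dataclass(frozen=True)
class Finding:
    line: int
    action: str
    problem: str


def check_uses_pins(workflow_text: str) -> list[Finding]:
    """Return one Finding per `uses:` line that is not a SHA pin with a version comment.

    Local actions (./path) never carry an @ref and docker:// images are pinned
    by digest rather than by commit, so both are left to other checks.
    """
    findings: list[Finding] = []
    for no, raw in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(raw)
        if not m or m.group("action").startswith("docker://"):
            continue
        action, ref, comment = m.group("action"), m.group("ref"), m.group("comment")
        if not SHA_RE.fullmatch(ref):
            findings.append(Finding(no, action,
                f"ref {ref!r} is a mutable tag or branch, not a 40-hex commit SHA"))
        elif comment is None or not VERSION_RE.match(comment.strip()):
            findings.append(Finding(no, action,
                "SHA pin lacks a version comment; the tracked release is not readable from the file"))
    return findings


# Constructed sample workflow: the SHAs are placeholders ("a" * 40, "b" * 40), not real commits.
SAMPLE_WORKFLOW = f"""\
name: Build
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@{'a' * 40} # v5.0.0
      - uses: actions/setup-node@v4
      - uses: actions/upload-artifact@{'b' * 40}
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.20
"""

if __name__ == "__main__":
    for f in check_uses_pins(SAMPLE_WORKFLOW):
        print(f"line {f.line}: {f.action}: {f.problem}")
```

Run against the sample, the check flags `actions/setup-node@v4` (mutable tag) and the `actions/upload-artifact` pin that has no version comment, and accepts the fully pinned `actions/checkout` line. It does not verify that the comment's version really corresponds to the SHA; that needs a lookup against the action repository, which is the part the agentic workflow automates.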

Implements the update-ci-dependencies skill via gh-aw. Triggered on Release – Initiate completion (and workflow_dispatch) so refreshed CI pins land on the release pull request automatically.
- Remove quotes around workflow name for consistency.
- Simplify tool command syntax by removing quotes.
- Enhance documentation for clarity and structure.
- Ensure Node.js version consistency across workflows and pipelines.
@muiriswoulfe
Member Author

muiriswoulfe commented Apr 20, 2026

PR Metrics

Thanks for keeping your pull request small.
Thanks for adding tests.

Lines
Product Code -
Test Code -
Subtotal -
Ignored Code 1,713
Total 1,713

Metrics computed by PR Metrics. Add it to your Azure DevOps and GitHub PRs!

@muiriswoulfe muiriswoulfe changed the title Add Agentic CI Dependency Workflow XS✔ ◾ Add Agentic CI Dependency Workflow Apr 20, 2026
@muiriswoulfe
Member Author

Super-linter summary

Language Validation result
BIOME_LINT Pass ✅
CHECKOV Pass ✅
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON_PRETTIER Pass ✅
MARKDOWN Pass ✅
MARKDOWN_PRETTIER Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
TYPESCRIPT_PRETTIER Pass ✅
XML Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

Contributor

Copilot AI left a comment


Pull request overview

Adds an “agentic” dependency-refresh workflow intended to keep CI/CD pins (GitHub Actions SHAs + version comments, Azure DevOps task majors/template refs) and Node.js runtime pins consistent, primarily during release PRs.

Changes:

  • Introduces a new Copilot-driven dependency refresh workflow definition/instructions.
  • Defines trigger intent (workflow_run after “Release – Initiate” and workflow_dispatch) and a “push onto release PR branch” output target with file edit constraints.

Bare `*` values in `checkout.fetch` and `safe-outputs.push-to-pull-request-branch.target` were being parsed as YAML alias references, which made the frontmatter fail to load. Quoting them as `"*"` makes them valid string scalars.
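The commit message above describes a YAML footgun worth catching before the workflow compiler does: in YAML, `*` introduces an alias, so a bare `*` value is an alias with no name and the document fails to parse. As an added example that is not part of gh-aw or this PR, the following stdlib-only pre-flight check scans a Markdown file's `---` frontmatter for alias-shaped values and offers the fix the commit applied, quoting the value as `"*"`. It also generalises one step beyond the commit: a named alias such as `*base` with no `&base` anchor in the frontmatter is reported too. The `checkout.fetch` and `safe-outputs.push-to-pull-request-branch.target` keys are taken from the commit message; the rest of the sample frontmatter is constructed and omits whatever other keys the real workflow file carries.

```python
"""Pre-flight check for Markdown frontmatter: a bare `*` value is a YAML alias,
not a string. Constructed example; not part of gh-aw or this repository."""
from __future__ import annotations

import re
from dataclasses import dataclass

# `key: *name` or `- *name`; `name` is empty for the bare `*` case.
ALIAS_RE = re.compile(
    r"^(?P<lead>\s*(?:-\s+)?(?:[^\s#][^#]*?:\s+)?)\*(?P<name>[\w-]*)(?P<tail>\s*(?:#.*)?)$"
)
ANCHOR_RE = re.compile(r"&(?P<name>[\w-]+)")  # `&name` anchors; `&` inside URLs may add false anchors


@dataclass(frozen=True)
class Hazard:
    line: int      # 1-based line number in the whole file
    alias: str     # alias name, "" for a bare `*`
    problem: str


def extract_frontmatter(doc: str) -> list[tuple[int, str]]:
    """(line_no, text) for each line between the opening and closing `---`."""
    lines = doc.splitlines()
    if not lines or lines[0].strip() != "---":
        return []
    body: list[tuple[int, str]] = []
    for no, line in enumerate(lines[1:], start=2):
        if line.strip() == "---":
            return body
        body.append((no, line))
    return []  # unterminated frontmatter: nothing to check


def find_alias_hazards(doc: str) -> list[Hazard]:
    """Report bare `*` values and named aliases with no matching anchor."""
    fm = extract_frontmatter(doc)
    anchors = {m.group("name") for _, line in fm for m in ANCHOR_RE.finditer(line)}
    hazards: list[Hazard] = []
    for no, line in fm:
        m = ALIAS_RE.match(line)
        if not m:
            continue
        name = m.group("name")
        if name == "":
            hazards.append(Hazard(no, name,
                'bare "*" is an alias with no name; quote it as "*" to make it a string scalar'))
        elif name not in anchors:
            hazards.append(Hazard(no, name, f"alias *{name} has no &{name} anchor in the frontmatter"))
    return hazards


def quote_bare_asterisks(doc: str) -> str:
    """Rewrite bare `*` frontmatter values as the string scalar "*"; named aliases are left alone."""
    out = doc.splitlines(keepends=True)
    for no, line in extract_frontmatter(doc):
        m = ALIAS_RE.match(line)
        if m and m.group("name") == "":
            ending = out[no - 1][len(line):]  # preserve the original line ending
            out[no - 1] = f'{m.group("lead")}"*"{m.group("tail")}{ending}'
    return "".join(out)


# Constructed sample: the two keys come from the commit message, everything else is made up.
SAMPLE_FRONTMATTER = """\
---
checkout:
  fetch: *
safe-outputs:
  push-to-pull-request-branch:
    target: *
---
# Update CI dependencies

The Markdown body is *not* scanned, so emphasis markers here are ignored.
"""

if __name__ == "__main__":
    for h in find_alias_hazards(SAMPLE_FRONTMATTER):
        print(f"line {h.line}: {h.problem}")
    print(quote_bare_asterisks(SAMPLE_FRONTMATTER))
```

On the sample this reports lines 3 and 6 (`fetch: *` and `target: *`), and the rewritten text passes the check. The scan is deliberately limited to the frontmatter so that Markdown bullets and emphasis in the prompt body are never mistaken for aliases.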
Copilot AI review requested due to automatic review settings April 20, 2026 16:10
@muiriswoulfe
Member Author

Super-linter summary

Language Validation result
BIOME_LINT Pass ✅
CHECKOV Fail ❌
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON_PRETTIER Pass ✅
MARKDOWN Pass ✅
MARKDOWN_PRETTIER Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
TYPESCRIPT_PRETTIER Pass ✅
XML Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

CHECKOV


       _               _
   ___| |__   ___  ___| | _______   __
  / __| '_ \ / _ \/ __| |/ / _ \ \ / /
 | (__| | | |  __/ (__|   < (_) \ V /
  \___|_| |_|\___|\___|_|\_\___/ \_/

By Prisma Cloud | version: 3.2.513
Update available 3.2.513 -> 3.2.524
Run pip3 install -U checkov to update


github_actions scan results:

Passed checks: 591, Failed checks: 1, Skipped checks: 0

Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
	PASSED for resource: on(Release – Initiate)
	File: /.github/workflows/release-initiate.yml:8-11
Check: CKV_GHA_5: "Found artifact build without evidence of cosign sign execution in pipeline"
	PASSED for resource: jobs
	File: /.github/workflows/release-initiate.yml:23-114
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release)
	File: /.github/workflows/release-initiate.yml:24-114
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release)
	File: /.github/workflows/release-initiate.yml:24-114
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release)
	File: /.github/workflows/release-initiate.yml:24-114
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release)
	File: /.github/workflows/release-initiate.yml:24-114
Check: CKV_GHA_6: "Found artifact build without evidence of cosign sbom attestation in pipeline"
	PASSED for resource: jobs
	File: /.github/workflows/release-initiate.yml:23-114
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[1](Checkout)
	File: /.github/workflows/release-initiate.yml:29-36
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[2](gh – Log Version)
	File: /.github/workflows/release-initiate.yml:35-39
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[3](Version Number – Validate)
	File: /.github/workflows/release-initiate.yml:38-45
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[4](Version Number – Set Environment Variable)
	File: /.github/workflows/release-initiate.yml:44-50
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[5](Version Number – Update)
	File: /.github/workflows/release-initiate.yml:49-57
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[6](Version Number – release-publish-trigger.txt)
	File: /.github/workflows/release-initiate.yml:56-60
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[7](Git – Create Branch)
	File: /.github/workflows/release-initiate.yml:59-63
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[8](Git – Add Changed Files)
	File: /.github/workflows/release-initiate.yml:62-66
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[9](Git – Commit & Push (Signed))
	File: /.github/workflows/release-initiate.yml:65-74
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[10](Git – Sync Local with Remote)
	File: /.github/workflows/release-initiate.yml:73-79
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[11](PR – Create)
	File: /.github/workflows/release-initiate.yml:78-88
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[12](Install Node.js)
	File: /.github/workflows/release-initiate.yml:87-93
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[13](npm – Install Dependencies)
	File: /.github/workflows/release-initiate.yml:92-96
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[14](npm – Update Package Versions)
	File: /.github/workflows/release-initiate.yml:95-99
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[15](npm – Update Transitive Dependencies)
	File: /.github/workflows/release-initiate.yml:98-102
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[16](Git – Commit & Push (Signed))
	File: /.github/workflows/release-initiate.yml:101-110
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(release).steps[17](Git – Sync Local with Remote)
	File: /.github/workflows/release-initiate.yml:109-114
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[1](Checkout)
	File: /.github/workflows/release-initiate.yml:29-36
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[2](gh – Log Version)
	File: /.github/workflows/release-initiate.yml:35-39
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[3](Version Number – Validate)
	File: /.github/workflows/release-initiate.yml:38-45
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[4](Version Number – Set Environment Variable)
	File: /.github/workflows/release-initiate.yml:44-50
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[5](Version Number – Update)
	File: /.github/workflows/release-initiate.yml:49-57
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[6](Version Number – release-publish-trigger.txt)
	File: /.github/workflows/release-initiate.yml:56-60
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[7](Git – Create Branch)
	File: /.github/workflows/release-initiate.yml:59-63
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[8](Git – Add Changed Files)
	File: /.github/workflows/release-initiate.yml:62-66
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[9](Git – Commit & Push (Signed))
	File: /.github/workflows/release-initiate.yml:65-74
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[10](Git – Sync Local with Remote)
	File: /.github/workflows/release-initiate.yml:73-79
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[11](PR – Create)
	File: /.github/workflows/release-initiate.yml:78-88
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[12](Install Node.js)
	File: /.github/workflows/release-initiate.yml:87-93
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[13](npm – Install Dependencies)
	File: /.github/workflows/release-initiate.yml:92-96
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[14](npm – Update Package Versions)
	File: /.github/workflows/release-initiate.yml:95-99
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[15](npm – Update Transitive Dependencies)
	File: /.github/workflows/release-initiate.yml:98-102
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[16](Git – Commit & Push (Signed))
	File: /.github/workflows/release-initiate.yml:101-110
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(release).steps[17](Git – Sync Local with Remote)
	File: /.github/workflows/release-initiate.yml:109-114
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[1](Checkout)
	File: /.github/workflows/release-initiate.yml:29-36
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[2](gh – Log Version)
	File: /.github/workflows/release-initiate.yml:35-39
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[3](Version Number – Validate)
	File: /.github/workflows/release-initiate.yml:38-45
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[4](Version Number – Set Environment Variable)
	File: /.github/workflows/release-initiate.yml:44-50
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[5](Version Number – Update)
	File: /.github/workflows/release-initiate.yml:49-57
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[6](Version Number – release-publish-trigger.txt)
	File: /.github/workflows/release-initiate.yml:56-60
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[7](Git – Create Branch)
	File: /.github/workflows/release-initiate.yml:59-63
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[8](Git – Add Changed Files)
	File: /.github/workflows/release-initiate.yml:62-66
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[9](Git – Commit & Push (Signed))
	File: /.github/workflows/release-initiate.yml:65-74
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[10](Git – Sync Local with Remote)
	File: /.github/workflows/release-initiate.yml:73-79
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[11](PR – Create)
	File: /.github/workflows/release-initiate.yml:78-88
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[12](Install Node.js)
	File: /.github/workflows/release-initiate.yml:87-93
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[13](npm – Install Dependencies)
	File: /.github/workflows/release-initiate.yml:92-96
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[14](npm – Update Package Versions)
	File: /.github/workflows/release-initiate.yml:95-99
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[15](npm – Update Transitive Dependencies)
	File: /.github/workflows/release-initiate.yml:98-102
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[16](Git – Commit & Push (Signed))
	File: /.github/workflows/release-initiate.yml:101-110
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(release).steps[17](Git – Sync Local with Remote)
	File: /.github/workflows/release-initiate.yml:109-114
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[1](Checkout)
	File: /.github/workflows/release-initiate.yml:29-36
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[2](gh – Log Version)
	File: /.github/workflows/release-initiate.yml:35-39
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[3](Version Number – Validate)
	File: /.github/workflows/release-initiate.yml:38-45
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[4](Version Number – Set Environment Variable)
	File: /.github/workflows/release-initiate.yml:44-50
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[5](Version Number – Update)
	File: /.github/workflows/release-initiate.yml:49-57
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[6](Version Number – release-publish-trigger.txt)
	File: /.github/workflows/release-initiate.yml:56-60
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[7](Git – Create Branch)
	File: /.github/workflows/release-initiate.yml:59-63
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[8](Git – Add Changed Files)
	File: /.github/workflows/release-initiate.yml:62-66
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[9](Git – Commit & Push (Signed))
	File: /.github/workflows/release-initiate.yml:65-74
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[10](Git – Sync Local with Remote)
	File: /.github/workflows/release-initiate.yml:73-79
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[11](PR – Create)
	File: /.github/workflows/release-initiate.yml:78-88
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[12](Install Node.js)
	File: /.github/workflows/release-initiate.yml:87-93
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[13](npm – Install Dependencies)
	File: /.github/workflows/release-initiate.yml:92-96
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[14](npm – Update Package Versions)
	File: /.github/workflows/release-initiate.yml:95-99
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[15](npm – Update Transitive Dependencies)
	File: /.github/workflows/release-initiate.yml:98-102
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[16](Git – Commit & Push (Signed))
	File: /.github/workflows/release-initiate.yml:101-110
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(release).steps[17](Git – Sync Local with Remote)
	File: /.github/workflows/release-initiate.yml:109-114
Check: CKV_GHA_5: "Found artifact build without evidence of cosign sign execution in pipeline"
	PASSED for resource: jobs
	File: /.github/workflows/update-ci-dependencies.lock.yml:75-1289
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation)
	File: /.github/workflows/update-ci-dependencies.lock.yml:76-299
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent)
	File: /.github/workflows/update-ci-dependencies.lock.yml:299-854
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(conclusion)
	File: /.github/workflows/update-ci-dependencies.lock.yml:854-990
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:990-1147
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(pre_activation)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1147-1173
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(safe_outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1173-1289
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation)
	File: /.github/workflows/update-ci-dependencies.lock.yml:76-299
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent)
	File: /.github/workflows/update-ci-dependencies.lock.yml:299-854
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(conclusion)
	File: /.github/workflows/update-ci-dependencies.lock.yml:854-990
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:990-1147
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(pre_activation)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1147-1173
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(safe_outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1173-1289
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation)
	File: /.github/workflows/update-ci-dependencies.lock.yml:76-299
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent)
	File: /.github/workflows/update-ci-dependencies.lock.yml:299-854
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(conclusion)
	File: /.github/workflows/update-ci-dependencies.lock.yml:854-990
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:990-1147
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(pre_activation)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1147-1173
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(safe_outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1173-1289
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation)
	File: /.github/workflows/update-ci-dependencies.lock.yml:76-299
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent)
	File: /.github/workflows/update-ci-dependencies.lock.yml:299-854
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(conclusion)
	File: /.github/workflows/update-ci-dependencies.lock.yml:854-990
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:990-1147
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(pre_activation)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1147-1173
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(safe_outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1173-1289
Check: CKV_GHA_6: "Found artifact build without evidence of cosign sbom attestation in pipeline"
	PASSED for resource: jobs
	File: /.github/workflows/update-ci-dependencies.lock.yml:75-1289
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:94-102
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[2](Generate agentic run info)
	File: /.github/workflows/update-ci-dependencies.lock.yml:101-128
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[3](Validate COPILOT_GITHUB_TOKEN secret)
	File: /.github/workflows/update-ci-dependencies.lock.yml:127-133
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[4](Checkout .github and .agents folders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:132-142
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[5](Check workflow lock file)
	File: /.github/workflows/update-ci-dependencies.lock.yml:141-154
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[6](Check compile-agentic version)
	File: /.github/workflows/update-ci-dependencies.lock.yml:153-164
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[7](Create prompt with built-in context)
	File: /.github/workflows/update-ci-dependencies.lock.yml:163-232
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[8](Interpolate variables and render templates)
	File: /.github/workflows/update-ci-dependencies.lock.yml:231-242
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[9](Substitute placeholders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:241-277
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[10](Validate prompt placeholders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:276-282
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[11](Print prompt)
	File: /.github/workflows/update-ci-dependencies.lock.yml:281-287
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(activation).steps[12](Upload activation artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:286-299
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:327-335
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[2](Set runtime paths)
	File: /.github/workflows/update-ci-dependencies.lock.yml:334-343
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[3](Checkout repository)
	File: /.github/workflows/update-ci-dependencies.lock.yml:342-348
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[4](Fetch additional refs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:347-354
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[5](Create gh-aw temp directory)
	File: /.github/workflows/update-ci-dependencies.lock.yml:353-356
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[6](Configure gh CLI for GitHub Enterprise)
	File: /.github/workflows/update-ci-dependencies.lock.yml:355-360
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[7](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:359-373
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[8](Checkout PR branch)
	File: /.github/workflows/update-ci-dependencies.lock.yml:372-387
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[9](Install GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:386-391
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[10](Install AWF binary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:390-393
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[11](Determine automatic lockdown mode for GitHub MCP Server)
	File: /.github/workflows/update-ci-dependencies.lock.yml:392-403
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[12](Download container images)
	File: /.github/workflows/update-ci-dependencies.lock.yml:402-405
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[13](Write Safe Outputs Config)
	File: /.github/workflows/update-ci-dependencies.lock.yml:404-415
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[14](Write Safe Outputs Tools)
	File: /.github/workflows/update-ci-dependencies.lock.yml:414-528
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[15](Generate Safe Outputs MCP Server Config)
	File: /.github/workflows/update-ci-dependencies.lock.yml:527-546
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[16](Start Safe Outputs MCP HTTP Server)
	File: /.github/workflows/update-ci-dependencies.lock.yml:545-568
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[17](Start MCP Gateway)
	File: /.github/workflows/update-ci-dependencies.lock.yml:567-638
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[18](Download activation artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:637-643
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[19](Clean git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:642-646
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[20](Execute GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:645-707
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[21](Detect Copilot errors)
	File: /.github/workflows/update-ci-dependencies.lock.yml:706-712
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[22](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:711-725
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[23](Copy Copilot session state files to logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:724-729
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[24](Stop MCP Gateway)
	File: /.github/workflows/update-ci-dependencies.lock.yml:728-738
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[25](Redact secrets in logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:737-754
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[26](Append agent step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:753-757
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[27](Copy Safe Outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:756-764
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[28](Ingest agent output)
	File: /.github/workflows/update-ci-dependencies.lock.yml:763-779
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[29](Parse agent logs for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:778-790
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[30](Parse MCP Gateway logs for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:789-800
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[31](Print firewall logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:799-815
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[32](Parse token usage for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:814-825
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[33](Write agent output placeholder if missing)
	File: /.github/workflows/update-ci-dependencies.lock.yml:824-831
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(agent).steps[34](Upload agent artifacts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:830-854
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(conclusion).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:875-883
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(conclusion).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:882-890
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(conclusion).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:889-897
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(conclusion).steps[4](Process no-op messages)
	File: /.github/workflows/update-ci-dependencies.lock.yml:896-914
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(conclusion).steps[5](Log detection run)
	File: /.github/workflows/update-ci-dependencies.lock.yml:913-930
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(conclusion).steps[6](Record missing tool)
	File: /.github/workflows/update-ci-dependencies.lock.yml:929-944
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(conclusion).steps[7](Record incomplete)
	File: /.github/workflows/update-ci-dependencies.lock.yml:943-958
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(conclusion).steps[8](Handle agent failure)
	File: /.github/workflows/update-ci-dependencies.lock.yml:957-990
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1003-1011
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1010-1018
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1017-1025
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[4](Checkout repository for patch context)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1024-1031
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[5](Clean stale firewall files from agent artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1030-1035
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[6](Download container images)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1034-1037
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[7](Check if detection needed)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1036-1051
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[8](Clear MCP configuration for detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1050-1057
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[9](Prepare threat detection files)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1056-1071
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[10](Setup threat detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1070-1084
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[11](Ensure threat-detection directory and log)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1083-1089
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[12](Install GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1088-1093
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[13](Install AWF binary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1092-1095
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[14](Execute GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1094-1126
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[15](Upload threat detection log)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1125-1133
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(detection).steps[16](Parse and conclude threat detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1132-1147
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(pre_activation).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1153-1160
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(pre_activation).steps[2](Check team membership for workflow)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1159-1173
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(safe_outputs).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1202-1210
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(safe_outputs).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1209-1217
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(safe_outputs).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1216-1224
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(safe_outputs).steps[4](Download patch artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1223-1230
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(safe_outputs).steps[5](Checkout repository)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1229-1238
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(safe_outputs).steps[6](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1237-1252
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(safe_outputs).steps[7](Configure GH_HOST for enterprise compatibility)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1251-1261
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(safe_outputs).steps[8](Process Safe Outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1260-1279
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(safe_outputs).steps[9](Upload Safe Outputs Items)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1278-1289
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:94-102
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[2](Generate agentic run info)
	File: /.github/workflows/update-ci-dependencies.lock.yml:101-128
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[3](Validate COPILOT_GITHUB_TOKEN secret)
	File: /.github/workflows/update-ci-dependencies.lock.yml:127-133
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[4](Checkout .github and .agents folders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:132-142
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[5](Check workflow lock file)
	File: /.github/workflows/update-ci-dependencies.lock.yml:141-154
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[6](Check compile-agentic version)
	File: /.github/workflows/update-ci-dependencies.lock.yml:153-164
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[7](Create prompt with built-in context)
	File: /.github/workflows/update-ci-dependencies.lock.yml:163-232
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[8](Interpolate variables and render templates)
	File: /.github/workflows/update-ci-dependencies.lock.yml:231-242
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[9](Substitute placeholders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:241-277
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[10](Validate prompt placeholders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:276-282
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[11](Print prompt)
	File: /.github/workflows/update-ci-dependencies.lock.yml:281-287
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(activation).steps[12](Upload activation artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:286-299
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:327-335
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[2](Set runtime paths)
	File: /.github/workflows/update-ci-dependencies.lock.yml:334-343
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[3](Checkout repository)
	File: /.github/workflows/update-ci-dependencies.lock.yml:342-348
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[4](Fetch additional refs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:347-354
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[5](Create gh-aw temp directory)
	File: /.github/workflows/update-ci-dependencies.lock.yml:353-356
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[6](Configure gh CLI for GitHub Enterprise)
	File: /.github/workflows/update-ci-dependencies.lock.yml:355-360
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[7](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:359-373
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[8](Checkout PR branch)
	File: /.github/workflows/update-ci-dependencies.lock.yml:372-387
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[9](Install GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:386-391
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[10](Install AWF binary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:390-393
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[11](Determine automatic lockdown mode for GitHub MCP Server)
	File: /.github/workflows/update-ci-dependencies.lock.yml:392-403
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[12](Download container images)
	File: /.github/workflows/update-ci-dependencies.lock.yml:402-405
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[13](Write Safe Outputs Config)
	File: /.github/workflows/update-ci-dependencies.lock.yml:404-415
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[14](Write Safe Outputs Tools)
	File: /.github/workflows/update-ci-dependencies.lock.yml:414-528
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[15](Generate Safe Outputs MCP Server Config)
	File: /.github/workflows/update-ci-dependencies.lock.yml:527-546
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[16](Start Safe Outputs MCP HTTP Server)
	File: /.github/workflows/update-ci-dependencies.lock.yml:545-568
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[17](Start MCP Gateway)
	File: /.github/workflows/update-ci-dependencies.lock.yml:567-638
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[18](Download activation artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:637-643
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[19](Clean git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:642-646
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[20](Execute GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:645-707
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[21](Detect Copilot errors)
	File: /.github/workflows/update-ci-dependencies.lock.yml:706-712
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[22](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:711-725
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[23](Copy Copilot session state files to logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:724-729
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[24](Stop MCP Gateway)
	File: /.github/workflows/update-ci-dependencies.lock.yml:728-738
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[25](Redact secrets in logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:737-754
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[26](Append agent step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:753-757
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[27](Copy Safe Outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:756-764
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[28](Ingest agent output)
	File: /.github/workflows/update-ci-dependencies.lock.yml:763-779
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[29](Parse agent logs for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:778-790
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[30](Parse MCP Gateway logs for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:789-800
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[31](Print firewall logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:799-815
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[32](Parse token usage for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:814-825
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[33](Write agent output placeholder if missing)
	File: /.github/workflows/update-ci-dependencies.lock.yml:824-831
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(agent).steps[34](Upload agent artifacts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:830-854
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(conclusion).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:875-883
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(conclusion).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:882-890
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(conclusion).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:889-897
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(conclusion).steps[4](Process no-op messages)
	File: /.github/workflows/update-ci-dependencies.lock.yml:896-914
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(conclusion).steps[5](Log detection run)
	File: /.github/workflows/update-ci-dependencies.lock.yml:913-930
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(conclusion).steps[6](Record missing tool)
	File: /.github/workflows/update-ci-dependencies.lock.yml:929-944
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(conclusion).steps[7](Record incomplete)
	File: /.github/workflows/update-ci-dependencies.lock.yml:943-958
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(conclusion).steps[8](Handle agent failure)
	File: /.github/workflows/update-ci-dependencies.lock.yml:957-990
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1003-1011
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1010-1018
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1017-1025
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[4](Checkout repository for patch context)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1024-1031
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[5](Clean stale firewall files from agent artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1030-1035
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[6](Download container images)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1034-1037
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[7](Check if detection needed)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1036-1051
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[8](Clear MCP configuration for detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1050-1057
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[9](Prepare threat detection files)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1056-1071
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[10](Setup threat detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1070-1084
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[11](Ensure threat-detection directory and log)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1083-1089
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[12](Install GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1088-1093
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[13](Install AWF binary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1092-1095
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[14](Execute GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1094-1126
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[15](Upload threat detection log)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1125-1133
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(detection).steps[16](Parse and conclude threat detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1132-1147
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(pre_activation).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1153-1160
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(pre_activation).steps[2](Check team membership for workflow)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1159-1173
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(safe_outputs).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1202-1210
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(safe_outputs).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1209-1217
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(safe_outputs).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1216-1224
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(safe_outputs).steps[4](Download patch artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1223-1230
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(safe_outputs).steps[5](Checkout repository)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1229-1238
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(safe_outputs).steps[6](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1237-1252
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(safe_outputs).steps[7](Configure GH_HOST for enterprise compatibility)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1251-1261
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(safe_outputs).steps[8](Process Safe Outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1260-1279
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(safe_outputs).steps[9](Upload Safe Outputs Items)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1278-1289
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:94-102
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[2](Generate agentic run info)
	File: /.github/workflows/update-ci-dependencies.lock.yml:101-128
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[3](Validate COPILOT_GITHUB_TOKEN secret)
	File: /.github/workflows/update-ci-dependencies.lock.yml:127-133
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[4](Checkout .github and .agents folders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:132-142
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[5](Check workflow lock file)
	File: /.github/workflows/update-ci-dependencies.lock.yml:141-154
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[6](Check compile-agentic version)
	File: /.github/workflows/update-ci-dependencies.lock.yml:153-164
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[7](Create prompt with built-in context)
	File: /.github/workflows/update-ci-dependencies.lock.yml:163-232
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[8](Interpolate variables and render templates)
	File: /.github/workflows/update-ci-dependencies.lock.yml:231-242
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[9](Substitute placeholders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:241-277
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[10](Validate prompt placeholders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:276-282
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[11](Print prompt)
	File: /.github/workflows/update-ci-dependencies.lock.yml:281-287
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(activation).steps[12](Upload activation artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:286-299
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:327-335
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[2](Set runtime paths)
	File: /.github/workflows/update-ci-dependencies.lock.yml:334-343
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[3](Checkout repository)
	File: /.github/workflows/update-ci-dependencies.lock.yml:342-348
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[4](Fetch additional refs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:347-354
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[5](Create gh-aw temp directory)
	File: /.github/workflows/update-ci-dependencies.lock.yml:353-356
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[6](Configure gh CLI for GitHub Enterprise)
	File: /.github/workflows/update-ci-dependencies.lock.yml:355-360
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[7](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:359-373
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[8](Checkout PR branch)
	File: /.github/workflows/update-ci-dependencies.lock.yml:372-387
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[9](Install GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:386-391
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[10](Install AWF binary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:390-393
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[11](Determine automatic lockdown mode for GitHub MCP Server)
	File: /.github/workflows/update-ci-dependencies.lock.yml:392-403
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[12](Download container images)
	File: /.github/workflows/update-ci-dependencies.lock.yml:402-405
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[13](Write Safe Outputs Config)
	File: /.github/workflows/update-ci-dependencies.lock.yml:404-415
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[14](Write Safe Outputs Tools)
	File: /.github/workflows/update-ci-dependencies.lock.yml:414-528
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[15](Generate Safe Outputs MCP Server Config)
	File: /.github/workflows/update-ci-dependencies.lock.yml:527-546
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[16](Start Safe Outputs MCP HTTP Server)
	File: /.github/workflows/update-ci-dependencies.lock.yml:545-568
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[17](Start MCP Gateway)
	File: /.github/workflows/update-ci-dependencies.lock.yml:567-638
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[18](Download activation artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:637-643
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[19](Clean git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:642-646
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[20](Execute GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:645-707
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[21](Detect Copilot errors)
	File: /.github/workflows/update-ci-dependencies.lock.yml:706-712
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[22](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:711-725
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[23](Copy Copilot session state files to logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:724-729
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[24](Stop MCP Gateway)
	File: /.github/workflows/update-ci-dependencies.lock.yml:728-738
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[25](Redact secrets in logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:737-754
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[26](Append agent step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:753-757
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[27](Copy Safe Outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:756-764
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[28](Ingest agent output)
	File: /.github/workflows/update-ci-dependencies.lock.yml:763-779
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[29](Parse agent logs for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:778-790
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[30](Parse MCP Gateway logs for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:789-800
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[31](Print firewall logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:799-815
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[32](Parse token usage for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:814-825
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[33](Write agent output placeholder if missing)
	File: /.github/workflows/update-ci-dependencies.lock.yml:824-831
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(agent).steps[34](Upload agent artifacts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:830-854
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(conclusion).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:875-883
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(conclusion).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:882-890
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(conclusion).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:889-897
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(conclusion).steps[4](Process no-op messages)
	File: /.github/workflows/update-ci-dependencies.lock.yml:896-914
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(conclusion).steps[5](Log detection run)
	File: /.github/workflows/update-ci-dependencies.lock.yml:913-930
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(conclusion).steps[6](Record missing tool)
	File: /.github/workflows/update-ci-dependencies.lock.yml:929-944
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(conclusion).steps[7](Record incomplete)
	File: /.github/workflows/update-ci-dependencies.lock.yml:943-958
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(conclusion).steps[8](Handle agent failure)
	File: /.github/workflows/update-ci-dependencies.lock.yml:957-990
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1003-1011
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1010-1018
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1017-1025
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[4](Checkout repository for patch context)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1024-1031
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[5](Clean stale firewall files from agent artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1030-1035
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[6](Download container images)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1034-1037
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[7](Check if detection needed)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1036-1051
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[8](Clear MCP configuration for detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1050-1057
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[9](Prepare threat detection files)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1056-1071
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[10](Setup threat detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1070-1084
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[11](Ensure threat-detection directory and log)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1083-1089
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[12](Install GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1088-1093
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[13](Install AWF binary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1092-1095
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[14](Execute GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1094-1126
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[15](Upload threat detection log)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1125-1133
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(detection).steps[16](Parse and conclude threat detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1132-1147
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(pre_activation).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1153-1160
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(pre_activation).steps[2](Check team membership for workflow)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1159-1173
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(safe_outputs).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1202-1210
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(safe_outputs).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1209-1217
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(safe_outputs).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1216-1224
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(safe_outputs).steps[4](Download patch artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1223-1230
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(safe_outputs).steps[5](Checkout repository)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1229-1238
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(safe_outputs).steps[6](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1237-1252
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(safe_outputs).steps[7](Configure GH_HOST for enterprise compatibility)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1251-1261
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(safe_outputs).steps[8](Process Safe Outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1260-1279
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(safe_outputs).steps[9](Upload Safe Outputs Items)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1278-1289
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:94-102
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[2](Generate agentic run info)
	File: /.github/workflows/update-ci-dependencies.lock.yml:101-128
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[3](Validate COPILOT_GITHUB_TOKEN secret)
	File: /.github/workflows/update-ci-dependencies.lock.yml:127-133
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[4](Checkout .github and .agents folders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:132-142
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[5](Check workflow lock file)
	File: /.github/workflows/update-ci-dependencies.lock.yml:141-154
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[6](Check compile-agentic version)
	File: /.github/workflows/update-ci-dependencies.lock.yml:153-164
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[7](Create prompt with built-in context)
	File: /.github/workflows/update-ci-dependencies.lock.yml:163-232
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[8](Interpolate variables and render templates)
	File: /.github/workflows/update-ci-dependencies.lock.yml:231-242
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[9](Substitute placeholders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:241-277
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[10](Validate prompt placeholders)
	File: /.github/workflows/update-ci-dependencies.lock.yml:276-282
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[11](Print prompt)
	File: /.github/workflows/update-ci-dependencies.lock.yml:281-287
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(activation).steps[12](Upload activation artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:286-299
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:327-335
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[2](Set runtime paths)
	File: /.github/workflows/update-ci-dependencies.lock.yml:334-343
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[3](Checkout repository)
	File: /.github/workflows/update-ci-dependencies.lock.yml:342-348
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[4](Fetch additional refs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:347-354
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[5](Create gh-aw temp directory)
	File: /.github/workflows/update-ci-dependencies.lock.yml:353-356
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[6](Configure gh CLI for GitHub Enterprise)
	File: /.github/workflows/update-ci-dependencies.lock.yml:355-360
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[7](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:359-373
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[8](Checkout PR branch)
	File: /.github/workflows/update-ci-dependencies.lock.yml:372-387
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[9](Install GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:386-391
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[10](Install AWF binary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:390-393
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[11](Determine automatic lockdown mode for GitHub MCP Server)
	File: /.github/workflows/update-ci-dependencies.lock.yml:392-403
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[12](Download container images)
	File: /.github/workflows/update-ci-dependencies.lock.yml:402-405
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[13](Write Safe Outputs Config)
	File: /.github/workflows/update-ci-dependencies.lock.yml:404-415
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[14](Write Safe Outputs Tools)
	File: /.github/workflows/update-ci-dependencies.lock.yml:414-528
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[15](Generate Safe Outputs MCP Server Config)
	File: /.github/workflows/update-ci-dependencies.lock.yml:527-546
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[16](Start Safe Outputs MCP HTTP Server)
	File: /.github/workflows/update-ci-dependencies.lock.yml:545-568
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[17](Start MCP Gateway)
	File: /.github/workflows/update-ci-dependencies.lock.yml:567-638
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[18](Download activation artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:637-643
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[19](Clean git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:642-646
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[20](Execute GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:645-707
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[21](Detect Copilot errors)
	File: /.github/workflows/update-ci-dependencies.lock.yml:706-712
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[22](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:711-725
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[23](Copy Copilot session state files to logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:724-729
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[24](Stop MCP Gateway)
	File: /.github/workflows/update-ci-dependencies.lock.yml:728-738
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[25](Redact secrets in logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:737-754
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[26](Append agent step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:753-757
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[27](Copy Safe Outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:756-764
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[28](Ingest agent output)
	File: /.github/workflows/update-ci-dependencies.lock.yml:763-779
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[29](Parse agent logs for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:778-790
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[30](Parse MCP Gateway logs for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:789-800
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[31](Print firewall logs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:799-815
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[32](Parse token usage for step summary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:814-825
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[33](Write agent output placeholder if missing)
	File: /.github/workflows/update-ci-dependencies.lock.yml:824-831
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(agent).steps[34](Upload agent artifacts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:830-854
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(conclusion).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:875-883
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(conclusion).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:882-890
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(conclusion).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:889-897
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(conclusion).steps[4](Process no-op messages)
	File: /.github/workflows/update-ci-dependencies.lock.yml:896-914
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(conclusion).steps[5](Log detection run)
	File: /.github/workflows/update-ci-dependencies.lock.yml:913-930
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(conclusion).steps[6](Record missing tool)
	File: /.github/workflows/update-ci-dependencies.lock.yml:929-944
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(conclusion).steps[7](Record incomplete)
	File: /.github/workflows/update-ci-dependencies.lock.yml:943-958
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(conclusion).steps[8](Handle agent failure)
	File: /.github/workflows/update-ci-dependencies.lock.yml:957-990
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1003-1011
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1010-1018
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1017-1025
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[4](Checkout repository for patch context)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1024-1031
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[5](Clean stale firewall files from agent artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1030-1035
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[6](Download container images)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1034-1037
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[7](Check if detection needed)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1036-1051
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[8](Clear MCP configuration for detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1050-1057
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[9](Prepare threat detection files)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1056-1071
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[10](Setup threat detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1070-1084
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[11](Ensure threat-detection directory and log)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1083-1089
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[12](Install GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1088-1093
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[13](Install AWF binary)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1092-1095
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[14](Execute GitHub Copilot CLI)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1094-1126
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[15](Upload threat detection log)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1125-1133
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(detection).steps[16](Parse and conclude threat detection)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1132-1147
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(pre_activation).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1153-1160
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(pre_activation).steps[2](Check team membership for workflow)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1159-1173
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(safe_outputs).steps[1](Setup Scripts)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1202-1210
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(safe_outputs).steps[2](Download agent output artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1209-1217
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(safe_outputs).steps[3](Setup agent output environment variable)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1216-1224
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(safe_outputs).steps[4](Download patch artifact)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1223-1230
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(safe_outputs).steps[5](Checkout repository)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1229-1238
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(safe_outputs).steps[6](Configure Git credentials)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1237-1252
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(safe_outputs).steps[7](Configure GH_HOST for enterprise compatibility)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1251-1261
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(safe_outputs).steps[8](Process Safe Outputs)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1260-1279
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(safe_outputs).steps[9](Upload Safe Outputs Items)
	File: /.github/workflows/update-ci-dependencies.lock.yml:1278-1289
Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
	PASSED for resource: on(Build)
	File: /.github/workflows/build.yml:8-19
Check: CKV_GHA_5: "Found artifact build without evidence of cosign sign execution in pipeline"
	PASSED for resource: jobs
	File: /.github/workflows/build.yml:25-247
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code)
	File: /.github/workflows/build.yml:26-80
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(build)
	File: /.github/workflows/build.yml:80-117
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(test-github-action)
	File: /.github/workflows/build.yml:117-139
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate)
	File: /.github/workflows/build.yml:139-163
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate-linter)
	File: /.github/workflows/build.yml:163-232
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(dependabot)
	File: /.github/workflows/build.yml:232-247
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code)
	File: /.github/workflows/build.yml:26-80
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(build)
	File: /.github/workflows/build.yml:80-117
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(test-github-action)
	File: /.github/workflows/build.yml:117-139
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate)
	File: /.github/workflows/build.yml:139-163
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate-linter)
	File: /.github/workflows/build.yml:163-232
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(dependabot)
	File: /.github/workflows/build.yml:232-247
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code)
	File: /.github/workflows/build.yml:26-80
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(build)
	File: /.github/workflows/build.yml:80-117
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(test-github-action)
	File: /.github/workflows/build.yml:117-139
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate)
	File: /.github/workflows/build.yml:139-163
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate-linter)
	File: /.github/workflows/build.yml:163-232
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(dependabot)
	File: /.github/workflows/build.yml:232-247
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code)
	File: /.github/workflows/build.yml:26-80
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(build)
	File: /.github/workflows/build.yml:80-117
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(test-github-action)
	File: /.github/workflows/build.yml:117-139
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate)
	File: /.github/workflows/build.yml:139-163
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate-linter)
	File: /.github/workflows/build.yml:163-232
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(dependabot)
	File: /.github/workflows/build.yml:232-247
Check: CKV_GHA_6: "Found artifact build without evidence of cosign sbom attestation in pipeline"
	PASSED for resource: jobs
	File: /.github/workflows/build.yml:25-247
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[1](Checkout)
	File: /.github/workflows/build.yml:31-39
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[2](Install Node.js)
	File: /.github/workflows/build.yml:38-44
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[3](npm – Install Dependencies)
	File: /.github/workflows/build.yml:43-47
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[4](License – Truncate)
	File: /.github/workflows/build.yml:46-50
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[5](License – Generate Third-Party Licenses)
	File: /.github/workflows/build.yml:49-53
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[6](License – Update LICENSE.txt)
	File: /.github/workflows/build.yml:52-56
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[7](npm – Lint)
	File: /.github/workflows/build.yml:55-59
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[8](npm – Build Package)
	File: /.github/workflows/build.yml:58-62
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[9](Git – Add Changed Files)
	File: /.github/workflows/build.yml:61-66
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[10](Git – Test for Changes)
	File: /.github/workflows/build.yml:65-71
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(update-code).steps[11](Git – Commit & Push (Signed))
	File: /.github/workflows/build.yml:70-80
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(build).steps[1](Checkout)
	File: /.github/workflows/build.yml:84-90
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(build).steps[2](Install Node.js)
	File: /.github/workflows/build.yml:89-95
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(build).steps[3](npm – Install Dependencies)
	File: /.github/workflows/build.yml:94-98
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(build).steps[4](npm – Clean)
	File: /.github/workflows/build.yml:97-101
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(build).steps[5](npm – Build)
	File: /.github/workflows/build.yml:100-104
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(build).steps[6](npm – Test)
	File: /.github/workflows/build.yml:103-107
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(build).steps[7](Release – Create)
	File: /.github/workflows/build.yml:106-111
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(build).steps[8](Release – Upload)
	File: /.github/workflows/build.yml:110-117
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(test-github-action).steps[1](Checkout)
	File: /.github/workflows/build.yml:122-129
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(test-github-action).steps[2](PR Metrics)
	File: /.github/workflows/build.yml:128-139
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate).steps[1](Checkout)
	File: /.github/workflows/build.yml:144-150
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate).steps[2](CodeQL – Initialize)
	File: /.github/workflows/build.yml:149-158
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate).steps[3](CodeQL – Analyze)
	File: /.github/workflows/build.yml:157-163
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate-linter).steps[1](Checkout)
	File: /.github/workflows/build.yml:168-175
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate-linter).steps[2](Super-Linter)
	File: /.github/workflows/build.yml:174-195
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate-linter).steps[3](Git – Test for Changes)
	File: /.github/workflows/build.yml:194-203
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate-linter).steps[4](Git – Stash Changes)
	File: /.github/workflows/build.yml:202-207
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate-linter).steps[5](Git – Checkout PR Branch)
	File: /.github/workflows/build.yml:206-215
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate-linter).steps[6](Git – Apply Stashed Changes)
	File: /.github/workflows/build.yml:214-219
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate-linter).steps[7](Git – Add Changed Files)
	File: /.github/workflows/build.yml:218-223
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(validate-linter).steps[8](Git – Commit & Push (Signed))
	File: /.github/workflows/build.yml:222-232
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(dependabot).steps[1](gh – Log Version)
	File: /.github/workflows/build.yml:237-241
Check: CKV_GHA_3: "Suspicious use of curl with secrets"
	PASSED for resource: jobs(dependabot).steps[2](Enable Auto-Merge)
	File: /.github/workflows/build.yml:240-247
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[1](Checkout)
	File: /.github/workflows/build.yml:31-39
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[2](Install Node.js)
	File: /.github/workflows/build.yml:38-44
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[3](npm – Install Dependencies)
	File: /.github/workflows/build.yml:43-47
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[4](License – Truncate)
	File: /.github/workflows/build.yml:46-50
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[5](License – Generate Third-Party Licenses)
	File: /.github/workflows/build.yml:49-53
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[6](License – Update LICENSE.txt)
	File: /.github/workflows/build.yml:52-56
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[7](npm – Lint)
	File: /.github/workflows/build.yml:55-59
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[8](npm – Build Package)
	File: /.github/workflows/build.yml:58-62
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[9](Git – Add Changed Files)
	File: /.github/workflows/build.yml:61-66
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[10](Git – Test for Changes)
	File: /.github/workflows/build.yml:65-71
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(update-code).steps[11](Git – Commit & Push (Signed))
	File: /.github/workflows/build.yml:70-80
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(build).steps[1](Checkout)
	File: /.github/workflows/build.yml:84-90
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(build).steps[2](Install Node.js)
	File: /.github/workflows/build.yml:89-95
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(build).steps[3](npm – Install Dependencies)
	File: /.github/workflows/build.yml:94-98
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(build).steps[4](npm – Clean)
	File: /.github/workflows/build.yml:97-101
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(build).steps[5](npm – Build)
	File: /.github/workflows/build.yml:100-104
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(build).steps[6](npm – Test)
	File: /.github/workflows/build.yml:103-107
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(build).steps[7](Release – Create)
	File: /.github/workflows/build.yml:106-111
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(build).steps[8](Release – Upload)
	File: /.github/workflows/build.yml:110-117
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(test-github-action).steps[1](Checkout)
	File: /.github/workflows/build.yml:122-129
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(test-github-action).steps[2](PR Metrics)
	File: /.github/workflows/build.yml:128-139
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate).steps[1](Checkout)
	File: /.github/workflows/build.yml:144-150
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate).steps[2](CodeQL – Initialize)
	File: /.github/workflows/build.yml:149-158
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate).steps[3](CodeQL – Analyze)
	File: /.github/workflows/build.yml:157-163
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate-linter).steps[1](Checkout)
	File: /.github/workflows/build.yml:168-175
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate-linter).steps[2](Super-Linter)
	File: /.github/workflows/build.yml:174-195
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate-linter).steps[3](Git – Test for Changes)
	File: /.github/workflows/build.yml:194-203
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate-linter).steps[4](Git – Stash Changes)
	File: /.github/workflows/build.yml:202-207
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate-linter).steps[5](Git – Checkout PR Branch)
	File: /.github/workflows/build.yml:206-215
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate-linter).steps[6](Git – Apply Stashed Changes)
	File: /.github/workflows/build.yml:214-219
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate-linter).steps[7](Git – Add Changed Files)
	File: /.github/workflows/build.yml:218-223
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(validate-linter).steps[8](Git – Commit & Push (Signed))
	File: /.github/workflows/build.yml:222-232
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(dependabot).steps[1](gh – Log Version)
	File: /.github/workflows/build.yml:237-241
Check: CKV_GHA_4: "Suspicious use of netcat with IP address"
	PASSED for resource: jobs(dependabot).steps[2](Enable Auto-Merge)
	File: /.github/workflows/build.yml:240-247
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[1](Checkout)
	File: /.github/workflows/build.yml:31-39
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[2](Install Node.js)
	File: /.github/workflows/build.yml:38-44
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[3](npm – Install Dependencies)
	File: /.github/workflows/build.yml:43-47
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[4](License – Truncate)
	File: /.github/workflows/build.yml:46-50
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[5](License – Generate Third-Party Licenses)
	File: /.github/workflows/build.yml:49-53
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[6](License – Update LICENSE.txt)
	File: /.github/workflows/build.yml:52-56
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[7](npm – Lint)
	File: /.github/workflows/build.yml:55-59
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[8](npm – Build Package)
	File: /.github/workflows/build.yml:58-62
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[9](Git – Add Changed Files)
	File: /.github/workflows/build.yml:61-66
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[10](Git – Test for Changes)
	File: /.github/workflows/build.yml:65-71
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(update-code).steps[11](Git – Commit & Push (Signed))
	File: /.github/workflows/build.yml:70-80
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(build).steps[1](Checkout)
	File: /.github/workflows/build.yml:84-90
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(build).steps[2](Install Node.js)
	File: /.github/workflows/build.yml:89-95
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(build).steps[3](npm – Install Dependencies)
	File: /.github/workflows/build.yml:94-98
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(build).steps[4](npm – Clean)
	File: /.github/workflows/build.yml:97-101
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(build).steps[5](npm – Build)
	File: /.github/workflows/build.yml:100-104
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(build).steps[6](npm – Test)
	File: /.github/workflows/build.yml:103-107
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(build).steps[7](Release – Create)
	File: /.github/workflows/build.yml:106-111
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(build).steps[8](Release – Upload)
	File: /.github/workflows/build.yml:110-117
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(test-github-action).steps[1](Checkout)
	File: /.github/workflows/build.yml:122-129
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(test-github-action).steps[2](PR Metrics)
	File: /.github/workflows/build.yml:128-139
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate).steps[1](Checkout)
	File: /.github/workflows/build.yml:144-150
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate).steps[2](CodeQL – Initialize)
	File: /.github/workflows/build.yml:149-158
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate).steps[3](CodeQL – Analyze)
	File: /.github/workflows/build.yml:157-163
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate-linter).steps[1](Checkout)
	File: /.github/workflows/build.yml:168-175
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate-linter).steps[2](Super-Linter)
	File: /.github/workflows/build.yml:174-195
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate-linter).steps[3](Git – Test for Changes)
	File: /.github/workflows/build.yml:194-203
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate-linter).steps[4](Git – Stash Changes)
	File: /.github/workflows/build.yml:202-207
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate-linter).steps[5](Git – Checkout PR Branch)
	File: /.github/workflows/build.yml:206-215
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate-linter).steps[6](Git – Apply Stashed Changes)
	File: /.github/workflows/build.yml:214-219
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate-linter).steps[7](Git – Add Changed Files)
	File: /.github/workflows/build.yml:218-223
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(validate-linter).steps[8](Git – Commit & Push (Signed))
	File: /.github/workflows/build.yml:222-232
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(dependabot).steps[1](gh – Log Version)
	File: /.github/workflows/build.yml:237-241
Check: CKV_GHA_2: "Ensure run commands are not vulnerable to shell injection"
	PASSED for resource: jobs(dependabot).steps[2](Enable Auto-Merge)
	File: /.github/workflows/build.yml:240-247
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[1](Checkout)
	File: /.github/workflows/build.yml:31-39
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[2](Install Node.js)
	File: /.github/workflows/build.yml:38-44
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[3](npm – Install Dependencies)
	File: /.github/workflows/build.yml:43-47
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[4](License – Truncate)
	File: /.github/workflows/build.yml:46-50
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[5](License – Generate Third-Party Licenses)
	File: /.github/workflows/build.yml:49-53
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[6](License – Update LICENSE.txt)
	File: /.github/workflows/build.yml:52-56
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[7](npm – Lint)
	File: /.github/workflows/build.yml:55-59
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[8](npm – Build Package)
	File: /.github/workflows/build.yml:58-62
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[9](Git – Add Changed Files)
	File: /.github/workflows/build.yml:61-66
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[10](Git – Test for Changes)
	File: /.github/workflows/build.yml:65-71
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(update-code).steps[11](Git – Commit & Push (Signed))
	File: /.github/workflows/build.yml:70-80
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(build).steps[1](Checkout)
	File: /.github/workflows/build.yml:84-90
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(build).steps[2](Install Node.js)
	File: /.github/workflows/build.yml:89-95
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(build).steps[3](npm – Install Dependencies)
	File: /.github/workflows/build.yml:94-98
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(build).steps[4](npm – Clean)
	File: /.github/workflows/build.yml:97-101
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(build).steps[5](npm – Build)
	File: /.github/workflows/build.yml:100-104
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(build).steps[6](npm – Test)
	File: /.github/workflows/build.yml:103-107
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(build).steps[7](Release – Create)
	File: /.github/workflows/build.yml:106-111
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(build).steps[8](Release – Upload)
	File: /.github/workflows/build.yml:110-117
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(test-github-action).steps[1](Checkout)
	File: /.github/workflows/build.yml:122-129
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(test-github-action).steps[2](PR Metrics)
	File: /.github/workflows/build.yml:128-139
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate).steps[1](Checkout)
	File: /.github/workflows/build.yml:144-150
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate).steps[2](CodeQL – Initialize)
	File: /.github/workflows/build.yml:149-158
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate).steps[3](CodeQL – Analyze)
	File: /.github/workflows/build.yml:157-163
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate-linter).steps[1](Checkout)
	File: /.github/workflows/build.yml:168-175
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate-linter).steps[2](Super-Linter)
	File: /.github/workflows/build.yml:174-195
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate-linter).steps[3](Git – Test for Changes)
	File: /.github/workflows/build.yml:194-203
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate-linter).steps[4](Git – Stash Changes)
	File: /.github/workflows/build.yml:202-207
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate-linter).steps[5](Git – Checkout PR Branch)
	File: /.github/workflows/build.yml:206-215
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate-linter).steps[6](Git – Apply Stashed Changes)
	File: /.github/workflows/build.yml:214-219
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate-linter).steps[7](Git – Add Changed Files)
	File: /.github/workflows/build.yml:218-223
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(validate-linter).steps[8](Git – Commit & Push (Signed))
	File: /.github/workflows/build.yml:222-232
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(dependabot).steps[1](gh – Log Version)
	File: /.github/workflows/build.yml:237-241
Check: CKV_GHA_1: "Ensure ACTIONS_ALLOW_UNSECURE_COMMANDS isn't true on environment variables"
	PASSED for resource: jobs(dependabot).steps[2](Enable Auto-Merge)
	File: /.github/workflows/build.yml:240-247
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	PASSED for resource: on(Release – Initiate)
	File: /.github/workflows/release-initiate.yml:10-11
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	PASSED for resource: on(Build)
	File: /.github/workflows/build.yml:18-19
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	PASSED for resource: on(Update CI Dependencies)
	File: /.github/workflows/update-ci-dependencies.lock.yml:67-68
Check: CKV_GHA_7: "The build output cannot be affected by user parameters other than the build entry point and the top-level source location. GitHub Actions workflow_dispatch inputs MUST be empty. "
	FAILED for resource: on(Update CI Dependencies)
	File: /.github/workflows/update-ci-dependencies.lock.yml:53-59

		53 |       aw_context:
		54 |         default: ""
		55 |         description: Agent caller context (used internally by Agentic Workflows).
		56 |         required: false
		57 |         type: string
		58 |   workflow_run:
		59 |     # zizmor: ignore[dangerous-triggers] - workflow_run trigger is secured with role and fork validation

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 8 out of 9 changed files in this pull request and generated 1 comment.

Comment thread .github/workflows/update-ci-dependencies.md Outdated
- Add Microsoft copyright headers to Checkov, commitlint, and Trivy
  configs to match the repo convention.
- Ignore WTFPL (truncate-utf8-bytes transitive dep) in Trivy.
- Fix natural-language hyphenation ("client-side") in the
  update-ci-dependencies workflow description.
@muiriswoulfe
Member Author

Super-linter summary

Language Validation result
BIOME_LINT Pass ✅
CHECKOV Pass ✅
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON_PRETTIER Pass ✅
MARKDOWN Pass ✅
MARKDOWN_PRETTIER Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
TYPESCRIPT_PRETTIER Pass ✅
XML Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

- Move .commitlintrc.yml to the repo root so Super-Linter's commitlint
  search picks it up.
- Enable SAVE_SUPER_LINTER_SUMMARY since PR summary comments are on
  by default.
- Disable Biome lint (ESLint/Stylelint own JS and CSS) and Python Black
  (Ruff covers Python; this repo has none anyway).
@muiriswoulfe
Member Author

Super-linter summary

Language Validation result
CHECKOV Pass ✅
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_COMMITLINT Fail ❌
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON_PRETTIER Pass ✅
MARKDOWN Pass ✅
MARKDOWN_PRETTIER Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
TYPESCRIPT_PRETTIER Pass ✅
XML Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

Super-linter detected linting errors

For more information, see the GitHub Actions workflow run

Powered by Super-linter

GIT_COMMITLINT
⧗   input: chore(ci): clear remaining Super-Linter warnings

- Move .commitlintrc.yml to the repo root so Super-Linter's commitlint
  search picks it up.
- Enable SAVE_SUPER_LINTER_SUMMARY since PR summary comments are on
  by default.
- Disable Biome lint (ESLint/Stylelint own JS and CSS) and Python Black
  (Ruff covers Python; this repo has none anyway).
✔   found 0 problems, 0 warnings
⧗   input: chore(ci): add copyright headers and align linter configs

- Add Microsoft copyright headers to Checkov, commitlint, and Trivy
  configs to match the repo convention.
- Ignore WTFPL (truncate-utf8-bytes transitive dep) in Trivy.
- Fix natural-language hyphenation ("client-side") in the
  update-ci-dependencies workflow description.�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m
�[90m⧗�[39m   input: �[1mchore(ci): clear Super-Linter warnings

Add a conventional-commits commitlint config so Super-Linter can run
Git commit message validation instead of silently disabling it, and
remove the deprecated VALIDATE_TYPESCRIPT_STANDARD env var.�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m
�[90m⧗�[39m   input: �[1mchore(ci): use bare .checkov.yaml filename for Super-Linter lookup

Super-Linter resolves CHECKOV_FILE_NAME against LINTER_RULES_PATH
(default .github/linters/), so the value must be a filename rather
than a path. Mirrors the existing GITLEAKS_CONFIG_FILE convention.�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m
�[90m⧗�[39m   input: �[1mchore(ci): use correct CHECKOV_FILE_NAME env for Super-Linter

Super-Linter v8.6.0 resolves the Checkov config via CHECKOV_FILE_NAME
relative to GITHUB_WORKSPACE, not CHECKOV_CONFIG_FILE. Point it at
.github/linters/.checkov.yaml so the skip-path rule for *.lock.yml
actually takes effect.�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m
�[90m⧗�[39m   input: �[1mchore(ci): skip autogenerated lock files from Checkov scan

Super-Linter's FILTER_REGEX_EXCLUDE does not propagate to Checkov,
which scans .github/workflows as a directory. Add a dedicated
.checkov.yaml skip-path pattern so *.lock.yml files produced by
gh aw compile are left to gh-aw's own policy guarantees.�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m
�[90m⧗�[39m   input: �[1mchore(ci): exclude gh-aw generated files from Super-Linter

Add .github/agents/ and .github/workflows/*.lock.yml to
FILTER_REGEX_EXCLUDE so Super-Linter skips files produced by
gh aw compile, and give .gitattributes a trailing newline.�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m
�[90m⧗�[39m   input: �[1mfeat: compile update-ci-dependencies agentic workflow�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m
�[90m⧗�[39m   input: �[1mMatch release PR title prefix in agentic workflow context

`Release – Initiate` creates PRs with titles like `[Autogenerated] Release
v<version> with Package Updates`, not plain `[Autogenerated] Release
v<version>`. The `Process` section already filters on the `[Autogenerated]
Release v` prefix, so align the `Invocation Context` description with that
behaviour.�[22m
�[31m✖�[39m   subject may not be empty �[90m[subject-empty]�[39m
�[31m✖�[39m   type may not be empty �[90m[type-empty]�[39m

�[1m�[31m✖�[39m   found 2 problems, 0 warnings�[22m
ⓘ   Get help: https://github.com/conventional-changelog/commitlint/#what-is-commitlint

�[90m⧗�[39m   input: �[1mQuote wildcard values in agentic workflow frontmatter

Bare `*` values in `checkout.fetch` and
`safe-outputs.push-to-pull-request-branch.target` were being parsed as YAML
alias references, which made the frontmatter fail to load. Quoting them as
`"*"` makes them valid string scalars.�[22m
�[31m✖�[39m   subject may not be empty �[90m[subject-empty]�[39m
�[31m✖�[39m   type may not be empty �[90m[type-empty]�[39m

�[1m�[31m✖�[39m   found 2 problems, 0 warnings�[22m
ⓘ   Get help: https://github.com/conventional-changelog/commitlint/#what-is-commitlint

�[90m⧗�[39m   input: �[1mchore: add copyright header to CI dependencies workflow�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m
�[90m⧗�[39m   input: �[1mchore: fix linting�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m
�[90m⧗�[39m   input: �[1mchore(ci): update CI dependencies workflow formatting

- Remove quotes around workflow name for consistency.
- Simplify tool command syntax by removing quotes.
- Enhance documentation for clarity and structure.
- Ensure Node.js version consistency across workflows and pipelines.�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m
�[90m⧗�[39m   input: �[1mfeat: add agentic workflow for CI dependency refresh

Implements the update-ci-dependencies skill via gh-aw. Triggered on Release
– Initiate completion (and workflow_dispatch) so refreshed CI pins land on
the release pull request automatically.�[22m
�[1m�[32m✔�[39m   found 0 problems, 0 warnings�[22m

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated 1 comment.

Comment thread .github/linters/.checkov.yaml
@muiriswoulfe force-pushed the muiriswoulfe/agentic-workflow branch from 64f4347 to 9336be2 on April 21, 2026 at 17:55
@muiriswoulfe
Member Author

Super-linter summary

Language Validation result
CHECKOV Pass ✅
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_COMMITLINT Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON_PRETTIER Pass ✅
MARKDOWN Pass ✅
MARKDOWN_PRETTIER Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
TYPESCRIPT_PRETTIER Pass ✅
XML Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

- Replace the .github/workflows/*.yml glob with an explicit list
  (build.yml, release-initiate.yml, release-publish.yml) so the agent
  cannot patch the gh-aw-generated update-ci-dependencies.lock.yml.
- Remove the az authentication fallback from the template-ref step
  because az is not in the workflow's bash allowlist; tell the agent
  to leave the current ref in place and report the miss instead.
@muiriswoulfe
Member Author

Super-linter summary

Language Validation result
CHECKOV Pass ✅
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_COMMITLINT Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON_PRETTIER Pass ✅
MARKDOWN Pass ✅
MARKDOWN_PRETTIER Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
TYPESCRIPT_PRETTIER Pass ✅
XML Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated no new comments.

@muiriswoulfe
Member Author

Super-linter summary

Language Validation result
CHECKOV Pass ✅
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_COMMITLINT Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON_PRETTIER Pass ✅
MARKDOWN Pass ✅
MARKDOWN_PRETTIER Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
TYPESCRIPT_PRETTIER Pass ✅
XML Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

Contributor

Copilot AI left a comment


Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated 3 comments.

Comment thread .gitattributes
Comment thread .github/workflows/update-ci-dependencies.lock.yml
Comment thread .github/workflows/build.yml
@muiriswoulfe
Member Author

Super-linter summary

Language Validation result
CHECKOV Pass ✅
EDITORCONFIG Pass ✅
GITHUB_ACTIONS Pass ✅
GITHUB_ACTIONS_ZIZMOR Pass ✅
GITLEAKS Pass ✅
GIT_COMMITLINT Pass ✅
GIT_MERGE_CONFLICT_MARKERS Pass ✅
JSCPD Pass ✅
JSON_PRETTIER Pass ✅
MARKDOWN Pass ✅
MARKDOWN_PRETTIER Pass ✅
NATURAL_LANGUAGE Pass ✅
POWERSHELL Pass ✅
PRE_COMMIT Pass ✅
SPELL_CODESPELL Pass ✅
TRIVY Pass ✅
TYPESCRIPT_PRETTIER Pass ✅
XML Pass ✅
YAML Pass ✅
YAML_PRETTIER Pass ✅

All files and directories linted successfully

For more information, see the GitHub Actions workflow run

Powered by Super-linter

Labels

enhancement New feature or request

3 participants