Conversation
Co-authored-by: Luisfer Romero Calero <luisfer.romero.calero@gmail.com>
}

    // Set-Cookie missing attributes (with fix edits)
    if (/setHeader\(\s*['"][Ss]et-[Cc]ookie['"],\s*['"][^'"]+['"]\s*\)/.test(line) || /Set-Cookie:/i.test(line)) {
      const cookieStrMatch = line.match(/Set-Cookie:\s*([^;]+(?:;[^;]+)*)/i);

Check warning (Code scanning / ubon), reported on both of the last two lines: Set-Cookie missing HttpOnly/Secure/SameSite
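Review bot: the ubon code-scanning warning on these two lines is a self-match, not a finding: the Set-Cookie rule fires on `/Set-Cookie:/i.test(line)` and on `line.match(/Set-Cookie:\s*...` because the rule's own regex literals contain the text "Set-Cookie:", not because any cookie is being set. The second branch, `/Set-Cookie:/i.test(line)`, matches every source line containing that text, including comments and regex literals, so the check should blank out regex literals and comments (or require the header text to sit inside a string literal) before testing; otherwise the scanner will keep flagging itself and any other code that merely mentions the header. The first branch also only recognises a quoted string literal as the second argument to setHeader, so a cookie value held in a variable, a template literal or an array is not inspected at all, which is worth a comment in the code or a follow-up rule.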
Cursor Bugbot has reviewed your changes and found 1 potential issue.

    switch (policy) {
      case 'startup':
        if (typeof scanOptions.fast === 'undefined') (scanOptions as any).fast = true;
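Review bot: the `typeof scanOptions.fast === 'undefined'` guard in the `case 'startup':` branch can never be true if `fast` has already been filled in with a boolean before the switch runs (the Bugbot finding on this PR states that buildScanOptions does exactly that via `options.fast ?? defaults.fast ?? false`), so the preset silently does nothing. Decide precedence explicitly instead of probing for undefined: either apply the policy preset before defaults are merged, or test the raw CLI flag (whether the user passed --fast) rather than the merged options, and assign unconditionally as the strict-prod and regulated presets already do. The `(scanOptions as any)` cast should also go, since it stops the compiler from checking that `fast` is a declared field of the options type, which is the kind of mismatch this bug is.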
Policy presets never enable fast mode as intended (Medium Severity)
The startup and ai-prototype policy presets check typeof scanOptions.fast === 'undefined' before setting fast = true, but buildScanOptions always produces a boolean for fast via options.fast ?? defaults.fast ?? false. Since fast is never undefined after buildScanOptions, these policies silently fail to enable fast mode. The strict-prod and regulated policies work correctly because they unconditionally assign fast = false.


Implement key security hardening, noise reduction, and credibility improvements.
This PR addresses the top recommendations from a recent repo evaluation, focusing on safer command execution, reducing false positives by excluding test files, and enforcing code quality through linting in CI to improve overall reliability and trustworthiness.
Note (Medium Risk): Touches core scanning, fix application, and git/CI execution paths; while changes are mostly additive and covered by new tests, regressions could affect scan results or CI gating behavior.
Overview
Hardens and expands the CLI scan pipeline by adding --scorecard JSON output (including per-scanner runtime/stats), introducing policy presets via --policy, and tightening fix application controls with --fix-level gating for auto-fixes.
Reduces scan noise and improves accuracy by default-ignoring tests/coverage/tmp artifacts across scanners (unless --detailed), refactoring SecurityScanner checks into dedicated executors, skipping link checks in --skip-build, and improving secret detection/redaction (including avoiding false positives on regex literals).
Improves supply-chain/CI credibility by adding a CLI-docs drift check (docs:cli-sync), running npm audit and eslint in CI/release workflows, adding conditional Jest coverage thresholds in CI, and updating git operations to use spawnSync with safe ref/branch validation to mitigate command-injection risks.
Written by Cursor Bugbot for commit 4adfdbe.