
Fix Bandit B602: remove shell=True from subprocess call in bootstrap.py#11

Merged
fivepanelhat merged 3 commits into main from copilot/fix-bandit-sast-scan on Jun 28, 2026

Conversation

Copilot AI commented Jun 28, 2026

Contributor

The Bandit SAST scan was failing with a High severity / High confidence finding (B602 / CWE-78) due to subprocess.run(..., shell=True) in bootstrap.py.

Changes

  • bootstrap.py: Replace shell=True string-based invocation with a list-based one using shlex.split(). run_cmd now accepts either a str (split via shlex.split) or a pre-built list, removing the shell injection surface.
```python
# Before
subprocess.run(cmd, shell=True, check=True, capture_output=True, text=True)

# After
args = cmd if isinstance(cmd, list) else shlex.split(cmd)
subprocess.run(args, check=True, capture_output=True, text=True)
```

All existing callers pass formatted strings (e.g. f'"{pip_exe}" install -r {req_file}'); shlex.split handles the quoted executable path correctly across platforms.
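The following is an added example, not code from the PR or from the bootstrap.py it patches. It reproduces the shape of the fix (a `run_cmd` that accepts a `str` or a list and never passes `shell=True`) and then checks what a child process actually receives when the formatted string's interpolated value contains shell metacharacters. `ECHO_ARGV`, `to_argv`, `argv_seen_by_child` and `demo_argument_handling` are names invented here; the stand-in for pip is the current Python interpreter printing its own `sys.argv`, and the `req_file` value is constructed for the demonstration.

```python
import json
import shlex
import subprocess
import sys
from typing import List, Union


def to_argv(cmd: Union[str, List[str]]) -> List[str]:
    """Normalise a command to an argv list, the shape subprocess.run needs
    once shell=True is gone: lists pass through untouched, strings are
    tokenised with shlex.split, which applies POSIX quoting rules (quotes
    group words, unquoted backslashes are consumed) and never runs a shell."""
    return list(cmd) if isinstance(cmd, list) else shlex.split(cmd)


def run_cmd(cmd: Union[str, List[str]], check: bool = True) -> subprocess.CompletedProcess:
    """Shell-free equivalent of the patched call. Each argv element reaches
    the child verbatim; ';', '|', '&&' and '$(...)' are never interpreted."""
    return subprocess.run(to_argv(cmd), check=check, capture_output=True, text=True)


# Hypothetical stand-in for an executable such as pip: the running interpreter,
# told to print the arguments it received as JSON. Quoting the interpreter path
# mirrors how the PR's callers quote pip_exe, which is what keeps a Windows path
# with backslashes intact under shlex.split.
ECHO_ARGV = f'"{sys.executable}" -c "import sys,json;print(json.dumps(sys.argv[1:]))"'


def argv_seen_by_child(cmd: Union[str, List[str]]) -> List[str]:
    """Run cmd through run_cmd and return the argv the child actually saw."""
    return json.loads(run_cmd(cmd).stdout)


def demo_argument_handling(req_file: str = "reqs.txt; echo injected") -> dict:
    """Compare three ways of building the PR-style 'install -r {req_file}'
    command when req_file (a constructed value) carries shell metacharacters.

    None of the three executes 'echo': there is no shell in the picture.
    But plain string interpolation still lets the value split into several
    arguments, while shlex.quote or a pre-built list keeps it as the single
    argument the caller meant to pass."""
    unquoted = argv_seen_by_child(f"{ECHO_ARGV} install -r {req_file}")
    quoted = argv_seen_by_child(f"{ECHO_ARGV} install -r {shlex.quote(req_file)}")
    as_list = argv_seen_by_child(to_argv(ECHO_ARGV) + ["install", "-r", req_file])
    return {"unquoted": unquoted, "quoted": quoted, "list": as_list}


if __name__ == "__main__":
    for name, argv in demo_argument_handling().items():
        print(f"{name:>8}: {argv}")
```

Two things the example makes visible beyond the B602 finding itself. First, dropping `shell=True` removes command injection (the `echo` is never executed) but not argument injection: with plain interpolation the child still receives `reqs.txt;`, `echo` and `injected` as separate arguments, so wrapping interpolated values in `shlex.quote`, or building the list directly, is the stronger form. Second, `shlex.split` is POSIX-only in its quoting rules, so an unquoted `C:\venv\Scripts\pip.exe` would lose its backslashes; the PR's callers avoid this by quoting `pip_exe`, and that quoting is load-bearing.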

Copilot AI changed the title from "[WIP] Fix the failing GitHub Actions job Bandit SAST Scan" to "Fix Bandit B602: remove shell=True from subprocess call in bootstrap.py" Jun 28, 2026
Copilot AI requested a review from fivepanelhat June 28, 2026 23:29
@fivepanelhat fivepanelhat marked this pull request as ready for review June 28, 2026 23:39
@fivepanelhat fivepanelhat merged commit 57cbb48 into main Jun 28, 2026