abapify
adt-cli
Latest CI Pipeline Executions
Succeeded
fix/main-health
d414b35f review: harden detectGithubRepo (SCP vs URL, dotted repos, shell-safe owner/repo)

Addresses two bot review findings on PR #115:

* Devin Review — the SCP-style regex `^[^@\s]+@([^:]+):(.+)$` falsely matched URL-form remotes that contain both `user@` and a `:port` segment, e.g. `ssh://git@github.com:22/abapify/adt-cli.git`. The port was captured as part of the path and then rejected by parseOwnerRepo, silently disabling trusted-publisher auto-detection. The SCP branch is now skipped whenever the input contains `://`, so URL-form remotes fall through to `new URL()`.

* CodeRabbit — the previous shape regex `[^/]+/[^/.]+?` rejected valid GitHub repos with dots in the name (e.g. `owner/repo.name`) and accepted shell metacharacters in the owner segment. The value flows unquoted into a shell command at `plugin.ts` line ~126 (`--trust-repo=${trustRepo}`), so a strict allow-list is enforced before return: `^[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+$`. This accepts dotted repos and rejects anything that could be interpreted by a shell.
by Petr Plenkov
Succeeded
fix/main-health
25e4846e quality: simplify detectGithubRepo to cut regex complexity

Split host extraction into two small paths: `new URL()` for proper URL schemes and a trivial SCP-style regex for `user@host:path`. The combined regex in the previous commit had cyclomatic complexity 31 (> 20 allowed by SonarCloud `typescript:S5843`).

Behaviour and the `js/incomplete-url-substring-sanitization` fix are preserved — host match is now anchored via `URL.hostname` or an explicit SCP host capture, so substrings like `github.com.attacker.com` still cannot match.

Resolves SonarCloud issue typescript:S5843 on fix/main-health.
by Petr Plenkov
Succeeded
fix/main-health
ca1cc788 security: rename report.checks.mfa to mfaPolicy to reflect semantics

The field stores the configured npm publish MFA *policy* (e.g. `none`, `automatic`), not a user authentication factor or secret. Logging it in the structured JSON report is safe, but the CodeQL heuristic `js/clear-text-logging` fired on the field name `mfa`. Rename clarifies intent and removes the false-positive signal.

Resolves code-scanning alert #42 (js/clear-text-logging).
by Petr Plenkov