fix(security): resolve CodeQL source code alerts and update GitHub Actions

[sriaradhyula]

Summary

• Clear-text logging (17 alerts): Redact OAuth client_secret, access tokens, IP addresses, kubectl commands, and trusted network config from log output across rbac.py, oauth_setup.py, get_oauth_jwt_token.py, oauth2_middleware.py, aws/tools.py, aigateway/tools.py
• Stack trace exposure (6 alerts): Replace str(e) with generic "An internal error occurred" in SSE error events (chat.py), scan-content responses (router.py), and HTTP error responses (restapi.py)
• URL sanitization (13 alerts): Use urlparse hostname checks instead of substring matching in Jira client, Jira search, and ReadTheDocs parser; use hostname === / endsWith() in TypeScript skill-hubs routes and hub-crawl.ts
• Path injection (2 alerts): Add resolve() + is_relative_to() boundary check in write_single_skill_to_temp_tree; existing regex sanitization already prevents traversal
• YAML escaping (1 alert): Use JSON.stringify instead of manual replace(/"/g, '\\"') in agent config YAML export; extracted toYaml to testable yaml-serializer.ts utility
• GitHub Actions (25 files): Bump harden-runner v2.17.0 → v2.18.0 and super-linter v8.5.0 → v8.6.0
• 3 false positives dismissed via GitHub API: template file write in add-new-agent-helm-chart.py, scanner result passthrough in router.py

Test plan

• New Python unit tests: test_git_tool.py (13 tests, SSH URL + false-positive coverage), test_skill_scanner_runner.py (7 tests, path sanitization), test_url_validation.py (Jira example.com detection), test_sse_error_sanitization.py (SSE error sanitization)
• Extended test_parsers.py with ReadTheDocs hostname validation tests
• New TypeScript tests: yaml-serializer.test.ts (14 tests), url-validation.test.ts (12 tests for skill-hubs and hub-crawl)
• All new tests passing locally

[github-actions]

✅ No proprietary content detected. This PR is clear for review!

[github-actions]

✅ No proprietary content detected. This PR is clear for review!

[github-actions]

🧪 CAIPE UI Test Results

✅ All tests passed

🔴 Overall Coverage: 30%

📊 Detailed Coverage

Metric	Covered	Total	Percentage
Lines	7155	21329	33.54%
Statements	7652	23343	32.78%
Functions	1224	4652	26.31%
Branches	4830	16628	29.04%

✅ Test Suites

• ✅ auth-guard.test.tsx - Route protection & authorization
• ✅ token-expiry-guard.test.tsx - Token expiry handling
• ✅ a2a-sdk-client.test.ts - A2A streaming SDK
• ✅ auth-utils.test.ts - Authentication utilities (100% coverage)
• ✅ auth-config.test.ts - OIDC configuration

📈 Coverage Thresholds

Threshold	Target	Current	Status
Minimum	40%	30%	❌ Fail
Good	60%	30%	⚠️ Below target
Excellent	80%	30%	⚠️ Below target

⚠️ Areas Needing Tests

High Priority:

• hooks/use-a2a-streaming.ts - Core streaming functionality
• store/chat-store.ts - Chat state management
• store/agent-skills-store.ts - Agent skills
• lib/api-client.ts - API communication
• lib/storage-mode.ts - MongoDB/localStorage switching

Medium Priority:

• components/chat/ChatPanel.tsx - Main chat interface
• components/agent-builder/* - Agent builder UI
• lib/mongodb.ts - MongoDB integration

---

💡 Run locally: make caipe-ui-tests
📦 Full report: Check workflow artifacts

[github-actions]

🐳 Prebuild Dynamic Agents Docker Image Published

Repository: ghcr.io/cnoe-io/prebuild/caipe-dynamic-agents
Tag: fix-npm-and-source-security-3

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-dynamic-agents:fix-npm-and-source-security-3

Test in Helm values

dynamic-agents:
  image:
    repository: ghcr.io/cnoe-io/prebuild/caipe-dynamic-agents
    tag: "fix-npm-and-source-security-3"

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Dynamic Agents Docker Image Published

Repository: ghcr.io/cnoe-io/prebuild/caipe-dynamic-agents
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-dynamic-agents:fix-npm-and-source-security-2

Test in Helm values

dynamic-agents:
  image:
    repository: ghcr.io/cnoe-io/prebuild/caipe-dynamic-agents
    tag: "fix-npm-and-source-security-2"

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild CAIPE UI Docker Image Published

Repository: ghcr.io/cnoe-io/prebuild/caipe-ui
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-ui:fix-npm-and-source-security-2

Test in docker-compose

# Update docker-compose.dev.yaml
caipe-ui:
  image: ghcr.io/cnoe-io/prebuild/caipe-ui:fix-npm-and-source-security-2
  # ... rest of config

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: webex
Repository: ghcr.io/cnoe-io/prebuild/agent-webex
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-webex:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Repository: ghcr.io/cnoe-io/prebuild/ai-platform-engineering
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/ai-platform-engineering:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: jira
Repository: ghcr.io/cnoe-io/prebuild/mcp-jira
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/mcp-jira:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild CAIPE UI Docker Image Published

Repository: ghcr.io/cnoe-io/prebuild/caipe-ui
Tag: fix-npm-and-source-security-3

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-ui:fix-npm-and-source-security-3

Test in docker-compose

# Update docker-compose.dev.yaml
caipe-ui:
  image: ghcr.io/cnoe-io/prebuild/caipe-ui:fix-npm-and-source-security-3
  # ... rest of config

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Component: server
Repository: ghcr.io/cnoe-io/prebuild/caipe-rag-server
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-rag-server:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Repository: ghcr.io/cnoe-io/prebuild/ai-platform-engineering
Tag: fix-npm-and-source-security-3

Usage

docker pull ghcr.io/cnoe-io/prebuild/ai-platform-engineering:fix-npm-and-source-security-3

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Component: ingestors
Repository: ghcr.io/cnoe-io/prebuild/caipe-rag-ingestors
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-rag-ingestors:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: gitlab
Repository: ghcr.io/cnoe-io/prebuild/agent-gitlab
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-gitlab:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: github
Repository: ghcr.io/cnoe-io/prebuild/agent-github
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-github:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Component: agent-ontology
Repository: ghcr.io/cnoe-io/prebuild/caipe-rag-agent-ontology
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-rag-agent-ontology:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: jira
Repository: ghcr.io/cnoe-io/prebuild/agent-jira
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-jira:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: jira
Repository: ghcr.io/cnoe-io/prebuild/mcp-jira
Tag: fix-npm-and-source-security-3

Usage

docker pull ghcr.io/cnoe-io/prebuild/mcp-jira:fix-npm-and-source-security-3

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: argocd
Repository: ghcr.io/cnoe-io/prebuild/agent-argocd
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-argocd:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: komodor
Repository: ghcr.io/cnoe-io/prebuild/agent-komodor
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-komodor:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: netutils
Repository: ghcr.io/cnoe-io/prebuild/agent-netutils
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-netutils:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Component: agent-ontology
Repository: ghcr.io/cnoe-io/prebuild/caipe-rag-agent-ontology
Tag: fix-npm-and-source-security-3

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-rag-agent-ontology:fix-npm-and-source-security-3

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: pagerduty
Repository: ghcr.io/cnoe-io/prebuild/agent-pagerduty
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-pagerduty:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Component: server
Repository: ghcr.io/cnoe-io/prebuild/caipe-rag-server
Tag: fix-npm-and-source-security-3

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-rag-server:fix-npm-and-source-security-3

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: victorops
Repository: ghcr.io/cnoe-io/prebuild/agent-victorops
Tag: fix-npm-and-source-security-2

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-victorops:fix-npm-and-source-security-2

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: aws
Repository: ghcr.io/cnoe-io/prebuild/agent-aws
Tag: fix-npm-and-source-security-3

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-aws:fix-npm-and-source-security-3

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: weather
Repository: ghcr.io/cnoe-io/prebuild/agent-weather
Tag: fix-npm-and-source-security-3

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-weather:fix-npm-and-source-security-3

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

✅ No proprietary content detected. This PR is clear for review!

[github-actions]

🐳 Prebuild Docker Image Published

Agent: jira
Repository: ghcr.io/cnoe-io/prebuild/mcp-jira
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/mcp-jira:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild CAIPE UI Docker Image Published

Repository: ghcr.io/cnoe-io/prebuild/caipe-ui
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-ui:fix-npm-and-source-security-4

Test in docker-compose

# Update docker-compose.dev.yaml
caipe-ui:
  image: ghcr.io/cnoe-io/prebuild/caipe-ui:fix-npm-and-source-security-4
  # ... rest of config

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Dynamic Agents Docker Image Published

Repository: ghcr.io/cnoe-io/prebuild/caipe-dynamic-agents
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-dynamic-agents:fix-npm-and-source-security-4

Test in Helm values

dynamic-agents:
  image:
    repository: ghcr.io/cnoe-io/prebuild/caipe-dynamic-agents
    tag: "fix-npm-and-source-security-4"

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Repository: ghcr.io/cnoe-io/prebuild/ai-platform-engineering
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/ai-platform-engineering:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Component: ingestors
Repository: ghcr.io/cnoe-io/prebuild/caipe-rag-ingestors
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-rag-ingestors:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Component: server
Repository: ghcr.io/cnoe-io/prebuild/caipe-rag-server
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-rag-server:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: netutils
Repository: ghcr.io/cnoe-io/prebuild/agent-netutils
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-netutils:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Component: agent-ontology
Repository: ghcr.io/cnoe-io/prebuild/caipe-rag-agent-ontology
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/caipe-rag-agent-ontology:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: confluence
Repository: ghcr.io/cnoe-io/prebuild/agent-confluence
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-confluence:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: gitlab
Repository: ghcr.io/cnoe-io/prebuild/agent-gitlab
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-gitlab:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: victorops
Repository: ghcr.io/cnoe-io/prebuild/agent-victorops
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-victorops:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: jira
Repository: ghcr.io/cnoe-io/prebuild/agent-jira
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-jira:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: github
Repository: ghcr.io/cnoe-io/prebuild/agent-github
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-github:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: splunk
Repository: ghcr.io/cnoe-io/prebuild/agent-splunk
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-splunk:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: template
Repository: ghcr.io/cnoe-io/prebuild/agent-template
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-template:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: aws
Repository: ghcr.io/cnoe-io/prebuild/agent-aws
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-aws:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: argocd
Repository: ghcr.io/cnoe-io/prebuild/agent-argocd
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-argocd:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: backstage
Repository: ghcr.io/cnoe-io/prebuild/agent-backstage
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-backstage:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: pagerduty
Repository: ghcr.io/cnoe-io/prebuild/agent-pagerduty
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-pagerduty:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: weather
Repository: ghcr.io/cnoe-io/prebuild/agent-weather
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-weather:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: slack
Repository: ghcr.io/cnoe-io/prebuild/agent-slack
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-slack:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: komodor
Repository: ghcr.io/cnoe-io/prebuild/agent-komodor
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-komodor:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.

[github-actions]

🐳 Prebuild Docker Image Published

Agent: webex
Repository: ghcr.io/cnoe-io/prebuild/agent-webex
Tag: fix-npm-and-source-security-4

Usage

docker pull ghcr.io/cnoe-io/prebuild/agent-webex:fix-npm-and-source-security-4

Note: This prebuild image will be automatically cleaned up when the PR is closed or merged.