fix(security): address CodeQL scanning alerts by Jaganpro · Pull Request #48 · salesforce/sf-pi

Jaganpro · 2026-05-04T15:43:36Z

Summary

Exclude the generated Agent Script SDK bundle from CodeQL analysis instead of hand-editing vendored output
Replace shell-string process execution with argv-based execution in maintenance scripts
Harden URL/header handling and remove file existence pre-check patterns flagged by CodeQL
Add narrow CodeQL suppressions for intentional temp-file spillover/download flows with inline justification
Add regression coverage for Salesforce org URL parsing and unsafe cached ETag handling

Local CodeQL CLI is not installed, so this PR relies on the GitHub CodeQL workflow for final scanner verification.

Jaganpro force-pushed the fix/code-scanning-alerts branch from c981604 to 42d394d Compare May 4, 2026 15:47

fix(security): address CodeQL scanning alerts

9b4cb98

Jaganpro force-pushed the fix/code-scanning-alerts branch from 42d394d to 9b4cb98 Compare May 4, 2026 15:50

Jaganpro merged commit 308800c into main May 4, 2026
15 checks passed

Jaganpro deleted the fix/code-scanning-alerts branch May 4, 2026 16:17

github-actions Bot mentioned this pull request May 4, 2026

chore(main): release v0.37.2 #49

Merged