
chore(security): triage code scanning backlog by risk/reward #3654

@cv

Summary

Tracking issue for the current code-scanning backlog in NVIDIA/NemoClaw/security/code-scanning.

Note: this is a prioritization tracker for maintainers. It intentionally avoids exploit/reproducer detail; alert links require code-scanning access.

Refresh status — June 6, 2026

Last checked against:

  • origin/main @ 7e0772448a388104d4ba2e01436e5f49980b8f65
  • Latest completed Security / Code Scanning run on main: 27052564135, success, created 2026-06-06 04:28 UTC
    • CodeQL (javascript-typescript): success
    • CodeQL (python): success
    • ShellCheck SARIF: success
  • Live code-scanning API inventory: GET /repos/NVIDIA/NemoClaw/code-scanning/alerts?state=open, paginated, with code-scanning access

Current open inventory:

| Tool | Open alerts | Notes |
| --- | --- | --- |
| CodeQL | 120 | 42 unused-local-variable notes; 78 other security/correctness/static-quality findings |
| ShellCheck SARIF | 0 | #4880 and #4884 removed or narrowly suppressed the previously open 15 ShellCheck findings; latest ShellCheck SARIF upload has no open alerts |
| Total | 120 | Down from 153 on the June 5 snapshot (138 CodeQL + 15 ShellCheck) |

What changed since the June 5 tracker refresh

  • fix(security): close P1 code scanning findings #4880 merged the P1 cleanup for the old production logging/runtime correctness bucket and production-ish ShellCheck findings.
  • fix(security): clean P2 tooling scan findings #4884 merged low-risk P2 cleanup for release-tooling docs URL regexes, test URL/host regex assertions, and remaining E2E ShellCheck findings.
  • fix(security): harden P0 code scanning boundaries #4878 merged the P0 production hardening pass for runner/uninstall process boundaries, HTTP/file probes, and atomic/state/credential IO paths.
  • refactor(security): extract curl probe policy #4885 merged a follow-up curl probe policy refactor and is included in the latest completed main scan above.
  • The live inventory is now 120 open CodeQL alerts and 0 open ShellCheck alerts. This is a net reduction of 33 total alerts from the June 5 active inventory.
  • The P0/P1/P2 merge train closed the previous ShellCheck backlog, the js/regex/missing-regexp-anchor bucket, the js/call-to-non-callable bucket, and most production process/file-system race findings.
  • The latest inventory also surfaced 9 new js/clear-text-logging findings in production inference/onboarding paths (alert IDs 765-773). Treat these as the highest-signal next cleanup before broad test/docs quality work.
  • Remaining production/runtime boundary stragglers are small: src/lib/inference/ollama/proxy.ts (js/file-access-to-http, alert 601) and src/lib/actions/uninstall/run-plan.ts (js/indirect-command-line-injection, alert 180). The rest of the command/env/temp-file/URL/TLS findings are test/tooling scoped.

Active CodeQL inventory by rule

120 open CodeQL findings
| Rule | Count | Severity | First..last seen | Primary locations | Alert IDs |
| --- | --- | --- | --- | --- | --- |
| js/unused-local-variable | 42 | note | 2026-05-11..2026-06-05 | src/lib/onboard.ts (26), test/tooling cleanup | 225-226, 294, 300, 564-566, 591-592, 636-638, 641-647, 653-654, ... |
| js/property-access-on-non-object | 20 | error | 2026-05-11..2026-05-11 | test/policy-tiers.test.ts | 397-406, 408-410, 412-413, 415-417, 419-420 |
| js/clear-text-logging | 9 | high | 2026-06-06..2026-06-06 | src/lib/onboard/inference-selection-validation.ts (4), src/lib/onboard/web-search-flow.ts (2), src/lib/inference/model-prompts.ts (2), src/lib/inference/onboard-probes.ts | 765-773 |
| py/unsafe-cyclic-import | 9 | error | 2026-05-11..2026-05-11 | docs/_ext/json_output/core/* | 107-115 |
| js/insecure-temporary-file | 7 | high | 2026-05-11..2026-05-11 | test-only temporary directory helpers | 168-169, 174, 177-178, 446-447 |
| js/shell-command-injection-from-environment | 5 | medium | 2026-05-11..2026-05-27 | E2E/framework and credential tests | 130, 463-464, 699-700 |
| js/indirect-command-line-injection | 4 | medium | 2026-05-11..2026-05-11 | src/lib/actions/uninstall/run-plan.ts (1), Brev E2E tests (3) | 180, 185-186, 188 |
| js/incomplete-url-substring-sanitization | 4 | high | 2026-05-11..2026-05-11 | test/policies.test.ts | 134-137 |
| js/trivial-conditional | 4 | warning | 2026-05-11..2026-05-11 | blueprint helper scripts | 308-311 |
| js/disabling-certificate-validation | 2 | high | 2026-05-11..2026-05-11 | HTTP proxy tests | 156-157 |
| js/file-access-to-http | 2 | medium | 2026-05-19..2026-05-19 | src/lib/inference/ollama/proxy.ts, tools/advisors/github.mts | 596, 601 |
| js/file-system-race | 2 | high | 2026-05-11..2026-05-11 | test-only paths (npm-link-or-shim.test.ts, nemoclaw-start.test.ts) | 205, 216 |
| js/http-to-file-access | 2 | medium | 2026-05-19..2026-05-19 | advisor tooling (tools/advisors/io.mts, tools/e2e-advisor/dispatch.mts) | 594-595 |
| js/useless-assignment-to-local | 2 | warning | 2026-05-20..2026-05-20 | onboard machine handlers | 612-613 |
| js/useless-regexp-character-escape | 2 | high | 2026-05-11..2026-05-11 | test/seccomp-guard.test.ts | 140-141 |
| js/bad-code-sanitization | 1 | medium | 2026-05-11..2026-05-11 | test/repro-2010.test.ts | 155 |
| js/duplicate-property | 1 | warning | 2026-05-11..2026-05-11 | plugin migration-state test | 312 |
| js/tainted-format-string | 1 | high | 2026-05-11..2026-05-11 | generated docs search asset | 154 |
| py/empty-except | 1 | note | 2026-05-26..2026-05-26 | scripts/docs-to-skills.py | 685 |

Active ShellCheck inventory

0 open ShellCheck SARIF findings

The latest ShellCheck SARIF job in 27052564135 succeeded and the live code-scanning API currently reports no open ShellCheck alerts.

Previously tracked ShellCheck items were handled by:

Updated risk/reward plan

| Priority | Bucket | Current count | Next action |
| --- | --- | --- | --- |
| P0 | Production credential/logging regression | 9 CodeQL | Fix js/clear-text-logging in src/lib/inference/model-prompts.ts, src/lib/inference/onboard-probes.ts, src/lib/onboard/inference-selection-validation.ts, and src/lib/onboard/web-search-flow.ts. Add redaction/regression coverage and avoid printing API-key-derived values. |
| P0 | Remaining production/runtime boundary stragglers | 2 CodeQL | Resolve or explicitly dismiss with rationale: src/lib/inference/ollama/proxy.ts alert 601 and src/lib/actions/uninstall/run-plan.ts alert 180. Keep scope small so the next scan delta is clear. |
| P1 | Tools/advisors boundary cleanup | 3 CodeQL | Revisit advisor http-to-file/file-to-http alerts 594-596. Prior suppressions/comments did not close them; either refactor the data boundaries or dismiss with explicit maintainer rationale. |
| P2 | Test/E2E security-pattern alerts | 26 mixed CodeQL | Batch test-only command/env, temp-file, URL substring, TLS, regex-character, bad-sanitization, and file-race patterns. Prefer behavior-preserving test helpers or narrow suppressions with rationale. |
| P3 | Docs/generated and static-quality debt | 80 CodeQL | Batch docs cyclic imports/search asset and quality-only JS/Python findings (unused-local-variable, property access, trivial conditionals, useless assignments, duplicate property, empty except). Avoid distracting from remaining production alerts. |

Proposed next PR sequence

  1. Credential/logging cleanup PR: close new js/clear-text-logging alerts 765-773 in production inference/onboarding paths with redaction tests.
  2. Boundary straggler PR: close or explicitly dismiss the two remaining production/runtime boundary alerts (src/lib/inference/ollama/proxy.ts and src/lib/actions/uninstall/run-plan.ts).
  3. Advisor tooling boundary PR: close/dismiss tools/advisors/* and tools/e2e-advisor/* network/file artifact findings 594-596.
  4. Test/E2E pattern cleanup PR(s): batch remaining test-only command/env, temp-file, URL/TLS, regex-character, and file-race alerts.
  5. Static-quality cleanup train: docs extension cyclic imports/search asset plus JS/Python quality-only findings.

After each merge, wait for the next main Security / Code Scanning run, update this issue with the new total and rule deltas, and remove closed alert IDs from the active inventory.

Definition of done

  • Live CodeQL alert inventory has been refreshed with authenticated current counts.
  • P0 production CodeQL buckets are fixed or dismissed with explicit rationale.
  • All 15 ShellCheck findings are fixed or suppressed with rationale and confirmed closed by the latest main scan.
  • Remaining test/docs/tooling CodeQL findings are fixed, dismissed with rationale, or split into targeted follow-up issues.
  • Security-sensitive production fixes have regression coverage.
  • A final main code-scanning run confirms the remaining expected alert closures.
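
An added example, not part of the original issue or the project's own tooling: one way to reproduce the P0-P3 risk/reward bucketing above from a code-scanning alerts API response. The path-prefix rules, the quality-rule set, and the sample alerts (including ID-to-file pairings the issue does not state, and alert 900) are assumptions constructed for illustration.

```javascript
// Added example: bucket open code-scanning alerts into the tracker's P0-P3 plan.
// Field names follow the GitHub code-scanning alerts API response
// (number, state, rule.id, most_recent_instance.location.path).

// Assumption: rules the tracker lists as quality-only debt are P3 wherever they occur.
const QUALITY_RULES = new Set([
  "js/unused-local-variable", "js/property-access-on-non-object",
  "js/trivial-conditional", "js/useless-assignment-to-local",
  "js/duplicate-property", "py/empty-except", "py/unsafe-cyclic-import",
]);

// Assumption: path prefixes stand in for the tracker's production/tooling/test split.
function bucketFor(alert) {
  const path = alert.most_recent_instance.location.path;
  if (QUALITY_RULES.has(alert.rule.id) || path.startsWith("docs/")) return "P3";
  if (path.startsWith("src/")) return "P0";   // production runtime code
  if (path.startsWith("tools/")) return "P1"; // advisor tooling boundaries
  return "P2";                                // test/E2E security patterns
}

// Returns { P0: [ids], P1: [ids], P2: [ids], P3: [ids] } for open alerts only.
function triage(alerts) {
  const buckets = { P0: [], P1: [], P2: [], P3: [] };
  for (const a of alerts) {
    if (a.state !== "open") continue; // fixed/dismissed alerts leave the inventory
    buckets[bucketFor(a)].push(a.number);
  }
  for (const ids of Object.values(buckets)) ids.sort((x, y) => x - y);
  return buckets;
}

// Constructed sample input (not real API output).
const mk = (number, id, path, state = "open") =>
  ({ number, state, rule: { id }, most_recent_instance: { location: { path } } });
const SAMPLE_ALERTS = [
  mk(765, "js/clear-text-logging", "src/lib/inference/model-prompts.ts"),
  mk(601, "js/file-access-to-http", "src/lib/inference/ollama/proxy.ts"),
  mk(180, "js/indirect-command-line-injection", "src/lib/actions/uninstall/run-plan.ts"),
  mk(596, "js/file-access-to-http", "tools/advisors/github.mts"),
  mk(594, "js/http-to-file-access", "tools/advisors/io.mts"),
  mk(134, "js/incomplete-url-substring-sanitization", "test/policies.test.ts"),
  mk(397, "js/property-access-on-non-object", "test/policy-tiers.test.ts"),
  mk(225, "js/unused-local-variable", "src/lib/onboard.ts"),
  mk(685, "py/empty-except", "scripts/docs-to-skills.py"),
  mk(900, "js/clear-text-logging", "src/lib/example.ts", "fixed"), // hypothetical closed alert
];
console.log(triage(SAMPLE_ALERTS));
```

Checking the quality-rule set before the path keeps unused-variable notes in production files out of P0, which matches how the tracker counts them under P3.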

Labels: area: project-management (Taxonomy, triage, workflow, roadmap, or project process); security (Potential vulnerability, unsafe behavior, or access risk)