Add opencode on agentcore #1421

Open
szymonkochanski wants to merge 3 commits into awslabs:main from szymonkochanski:add-opencode-on-agentcore

@szymonkochanski

Issue number: #1420

Concise description of the PR

Adds end-to-end sample 02-use-cases/opencode-on-agentcore/ demonstrating five AgentCore capabilities (Runtime, Gateway, Identity, Policy, Observability) through an async coding-agent workload with 6 MCP tools, 9 CDK stacks, and 374 tests.

User experience

New sample — no before/after. Users deploy with cdk deploy --all, create a Cognito user, connect an MCP client (Kiro/Claude Desktop/Cursor), and submit coding tasks through the Gateway.

Checklist

  • I have reviewed the contributing guidelines
  • Add your name to CONTRIBUTORS.md
  • Have you checked to ensure there aren't other open Pull Requests for the same update/change?
  • Are you uploading a dataset?
  • Have you documented Introduction, Architecture Diagram, Prerequisites, Usage, Sample Prompts, and Clean Up steps in your example README?
  • I agree to resolve any issues created for this example in the future
  • I have performed a self-review of this change
  • Changes have been tested
  • Changes are documented

Szymon Kochanski added 2 commits April 29, 2026 22:26
Async coding-agent sample demonstrating AgentCore Runtime, Gateway,
Identity, Policy, and Observability. FastMCP server with 6 MCP tools
running in Firecracker microVMs, deployed via CDK (9 stacks).

Tested in us-east-1 and eu-central-1.

github-actions bot added the 02-use-cases label Apr 29, 2026

@szymonkochanski
Author

This PR is ready for review.

role = _find_execution_role(tpl)
trust = role["Properties"]["AssumeRolePolicyDocument"]
principals = _collect_service_principals(trust)
assert "bedrock-agentcore.amazonaws.com" in principals, (
@github-actions

github-actions Bot commented May 4, 2026

Latest scan for commit: b243adc | Updated: 2026-05-04 17:05:30 UTC

Security Scan Results

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-05-04T17:05:17+00:00
  • ASH version: 3.0.0

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

Column Explanations:

Severity Levels (S/C/H/M/L/I):

  • Suppressed (S): Security findings that have been explicitly suppressed/ignored and don't affect the scanner's pass/fail status
  • Critical (C): The most severe security vulnerabilities requiring immediate remediation (e.g., SQL injection, remote code execution)
  • High (H): Serious security vulnerabilities that should be addressed promptly (e.g., authentication bypasses, privilege escalation)
  • Medium (M): Moderate security risks that should be addressed in normal development cycles (e.g., weak encryption, input validation issues)
  • Low (L): Minor security concerns with limited impact (e.g., information disclosure, weak recommendations)
  • Info (I): Informational findings for awareness with minimal security risk (e.g., code quality suggestions, best practice recommendations)

Other Columns:

  • Time: Duration taken by each scanner to complete its analysis
  • Action: Total number of actionable findings at or above the configured severity threshold that require attention

Scanner Results:

  • PASSED: Scanner found no security issues at or above the configured severity threshold - code is clean for this scanner
  • FAILED: Scanner found security vulnerabilities at or above the threshold that require attention and remediation
  • MISSING: Scanner could not run because required dependencies/tools are not installed or available
  • SKIPPED: Scanner was intentionally disabled or excluded from this scan
  • ERROR: Scanner encountered an execution error and could not complete successfully

Severity Thresholds (Thresh Column):

  • CRITICAL: Only Critical severity findings cause scanner to fail
  • HIGH: High and Critical severity findings cause scanner to fail
  • MEDIUM (MED): Medium, High, and Critical severity findings cause scanner to fail
  • LOW: Low, Medium, High, and Critical severity findings cause scanner to fail
  • ALL: Any finding of any severity level causes scanner to fail

Threshold Source: Values in parentheses indicate where the threshold is configured:

  • (g) = global: Set in the global_settings section of ASH configuration
  • (c) = config: Set in the individual scanner configuration section
  • (s) = scanner: Default threshold built into the scanner itself

Statistics calculation:

  • All statistics are calculated from the final aggregated SARIF report
  • Suppressed findings are counted separately and do not contribute to actionable findings
  • Scanner status is determined by comparing actionable findings to the threshold

Scanner       S    C    H    M    L     I    Time     Action   Result    Thresh
bandit        0    76   0    0    1115  0    6.4s     76       FAILED    MED (g)
cdk-nag       0    0    0    0    0     0    31.1s    0        PASSED    MED (g)
cfn-nag       0    0    0    0    0     0    11ms     0        PASSED    MED (g)
checkov       0    0    0    0    0     0    6.8s     0        PASSED    MED (g)
detect-sec…   0    25   0    0    0     0    3.9s     25       FAILED    MED (g)
grype         0    0    0    0    0     0    40.2s    0        PASSED    MED (g)
npm-audit     0    0    0    0    0     0    237ms    0        PASSED    MED (g)
opengrep      0    0    0    0    0     0    <1ms     0        SKIPPED   MED (g)
semgrep       0    0    0    0    0     0    <1ms     0        MISSING   MED (g)
syft          0    0    0    0    0     0    1.6s     0        PASSED    MED (g)

Detailed Findings

Show 101 actionable findings

Finding 1: SECRET-SECRET-KEYWORD

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-SECRET-KEYWORD
  • Location: 02-use-cases/opencode-on-agentcore/scripts/setup-oauth-app.sh:25

Description:
Secret of type 'Secret Keyword' detected in file '02-use-cases/opencode-on-agentcore/scripts/setup-oauth-app.sh' at line 25

Code Snippet:

Secret of type Secret Keyword detected

Finding 2: SECRET-SECRET-KEYWORD

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-SECRET-KEYWORD
  • Location: 02-use-cases/opencode-on-agentcore/stacks/security_stack.py:84

Description:
Secret of type 'Secret Keyword' detected in file '02-use-cases/opencode-on-agentcore/stacks/security_stack.py' at line 84

Code Snippet:

Secret of type Secret Keyword detected

Finding 3: SECRET-PRIVATE-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-PRIVATE-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py:76

Description:
Secret of type 'Private Key' detected in file '02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py' at line 76

Code Snippet:

Secret of type Private Key detected

Finding 4: SECRET-SECRET-KEYWORD

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-SECRET-KEYWORD
  • Location: 02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py:47

Description:
Secret of type 'Secret Keyword' detected in file '02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py' at line 47

Code Snippet:

Secret of type Secret Keyword detected

Finding 5: SECRET-AWS-ACCESS-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-AWS-ACCESS-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py:37

Description:
Secret of type 'AWS Access Key' detected in file '02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py' at line 37

Code Snippet:

Secret of type AWS Access Key detected

Finding 6: SECRET-PRIVATE-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-PRIVATE-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py:57

Description:
Secret of type 'Private Key' detected in file '02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py' at line 57

Code Snippet:

Secret of type Private Key detected

Finding 7: SECRET-SECRET-KEYWORD

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-SECRET-KEYWORD
  • Location: 02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py:108

Description:
Secret of type 'Secret Keyword' detected in file '02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py' at line 108

Code Snippet:

Secret of type Secret Keyword detected

Finding 8: SECRET-BASE64-HIGH-ENTROPY-STRING

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-BASE64-HIGH-ENTROPY-STRING
  • Location: 02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py:47

Description:
Secret of type 'Base64 High Entropy String' detected in file '02-use-cases/opencode-on-agentcore/tests/integration/test_credential_scanner_integration.py' at line 47

Code Snippet:

Secret of type Base64 High Entropy String detected

Finding 9: SECRET-BASE64-HIGH-ENTROPY-STRING

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-BASE64-HIGH-ENTROPY-STRING
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_connect_git_host_no_token_leak.py:38

Description:
Secret of type 'Base64 High Entropy String' detected in file '02-use-cases/opencode-on-agentcore/tests/property/test_connect_git_host_no_token_leak.py' at line 38

Code Snippet:

Secret of type Base64 High Entropy String detected

Finding 10: SECRET-BASE64-HIGH-ENTROPY-STRING

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-BASE64-HIGH-ENTROPY-STRING
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_connect_git_host_no_token_leak.py:39

Description:
Secret of type 'Base64 High Entropy String' detected in file '02-use-cases/opencode-on-agentcore/tests/property/test_connect_git_host_no_token_leak.py' at line 39

Code Snippet:

Secret of type Base64 High Entropy String detected

Finding 11: SECRET-PRIVATE-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-PRIVATE-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_credential_scanner_property.py:43

Description:
Secret of type 'Private Key' detected in file '02-use-cases/opencode-on-agentcore/tests/property/test_credential_scanner_property.py' at line 43

Code Snippet:

Secret of type Private Key detected

Finding 12: SECRET-PRIVATE-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-PRIVATE-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_credential_scanner_property.py:45

Description:
Secret of type 'Private Key' detected in file '02-use-cases/opencode-on-agentcore/tests/property/test_credential_scanner_property.py' at line 45

Code Snippet:

Secret of type Private Key detected

Finding 13: SECRET-PRIVATE-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-PRIVATE-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_credential_scanner_property.py:42

Description:
Secret of type 'Private Key' detected in file '02-use-cases/opencode-on-agentcore/tests/property/test_credential_scanner_property.py' at line 42

Code Snippet:

Secret of type Private Key detected

Finding 14: SECRET-PRIVATE-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-PRIVATE-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_credential_scanner_property.py:44

Description:
Secret of type 'Private Key' detected in file '02-use-cases/opencode-on-agentcore/tests/property/test_credential_scanner_property.py' at line 44

Code Snippet:

Secret of type Private Key detected

Finding 15: SECRET-BASE64-HIGH-ENTROPY-STRING

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-BASE64-HIGH-ENTROPY-STRING
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_git_askpass_properties.py:41

Description:
Secret of type 'Base64 High Entropy String' detected in file '02-use-cases/opencode-on-agentcore/tests/property/test_git_askpass_properties.py' at line 41

Code Snippet:

Secret of type Base64 High Entropy String detected

Finding 16: SECRET-GITHUB-TOKEN

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-GITHUB-TOKEN
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_git_askpass_properties.py:125

Description:
Secret of type 'GitHub Token' detected in file '02-use-cases/opencode-on-agentcore/tests/property/test_git_askpass_properties.py' at line 125

Code Snippet:

Secret of type GitHub Token detected

Finding 17: SECRET-BASE64-HIGH-ENTROPY-STRING

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-BASE64-HIGH-ENTROPY-STRING
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_git_push_retry_property.py:35

Description:
Secret of type 'Base64 High Entropy String' detected in file '02-use-cases/opencode-on-agentcore/tests/property/test_git_push_retry_property.py' at line 35

Code Snippet:

Secret of type Base64 High Entropy String detected

Finding 18: SECRET-BASE64-HIGH-ENTROPY-STRING

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-BASE64-HIGH-ENTROPY-STRING
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pr_creation_token_isolation.py:177

Description:
Secret of type 'Base64 High Entropy String' detected in file '02-use-cases/opencode-on-agentcore/tests/property/test_pr_creation_token_isolation.py' at line 177

Code Snippet:

Secret of type Base64 High Entropy String detected

Finding 19: SECRET-AWS-ACCESS-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-AWS-ACCESS-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py:96

Description:
Secret of type 'AWS Access Key' detected in file '02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py' at line 96

Code Snippet:

Secret of type AWS Access Key detected

Finding 20: SECRET-PRIVATE-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-PRIVATE-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py:55

Description:
Secret of type 'Private Key' detected in file '02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py' at line 55

Code Snippet:

Secret of type Private Key detected

Finding 21: SECRET-AWS-ACCESS-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-AWS-ACCESS-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py:33

Description:
Secret of type 'AWS Access Key' detected in file '02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py' at line 33

Code Snippet:

Secret of type AWS Access Key detected

Finding 22: SECRET-BASE64-HIGH-ENTROPY-STRING

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-BASE64-HIGH-ENTROPY-STRING
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py:41

Description:
Secret of type 'Base64 High Entropy String' detected in file '02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py' at line 41

Code Snippet:

Secret of type Base64 High Entropy String detected

Finding 23: SECRET-PRIVATE-KEY

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-PRIVATE-KEY
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py:48

Description:
Secret of type 'Private Key' detected in file '02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py' at line 48

Code Snippet:

Secret of type Private Key detected

Finding 24: SECRET-SECRET-KEYWORD

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-SECRET-KEYWORD
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py:41

Description:
Secret of type 'Secret Keyword' detected in file '02-use-cases/opencode-on-agentcore/tests/unit/test_scan_and_strip_credentials.py' at line 41

Code Snippet:

Secret of type Secret Keyword detected

Finding 25: SECRET-SECRET-KEYWORD

  • Severity: HIGH
  • Scanner: detect-secrets
  • Rule ID: SECRET-SECRET-KEYWORD
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_run_opencode_acp.py:83

Description:
Secret of type 'Secret Keyword' detected in file '02-use-cases/opencode-on-agentcore/tests/unit/test_run_opencode_acp.py' at line 83

Code Snippet:

Secret of type Secret Keyword detected

Finding 26: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/container/code_mcp_server.py:196-200

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

SESSION_STORAGE_PATH = os.environ.get(
    "SESSION_STORAGE_PATH", "/tmp/opencode-sessions"
)

Finding 27: B104

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B104
  • Location: 02-use-cases/opencode-on-agentcore/container/code_mcp_server.py:640-641

Description:
Possible binding to all interfaces.

Code Snippet:

logger.info("Starting FastMCP on port 8000 (%.1fs since module load)", time.time() - _startup_start)
    mcp.run(transport="streamable-http", host="0.0.0.0", port=8000)

Finding 28: B310

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B310
  • Location: 02-use-cases/opencode-on-agentcore/container/tools/git_push_and_create_pr.py:118-120

Description:
Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.

Code Snippet:

)
        resp = urllib.request.urlopen(req)
        pr = json.loads(resp.read().decode())

Finding 29: B310

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B310
  • Location: 02-use-cases/opencode-on-agentcore/lambda/oauth_callback/index.py:58-60

Description:
Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.

Code Snippet:

with urllib.request.urlopen(req) as resp:
            response_body = resp.read().decode()

Finding 30: B310

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B310
  • Location: 02-use-cases/opencode-on-agentcore/scripts/smoke-test.py:177-179

Description:
Audit url open for permitted schemes. Allowing use of file:/ or custom schemes is often unexpected.

Code Snippet:

resp = urllib.request.urlopen(req, timeout=timeout)
    raw = resp.read().decode()

Finding 31: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_git_clone_askpass.py:109-111

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

"container.tools.git_clone._create_askpass_script",
                return_value="/tmp/fake_askpass.sh",
            ),

Finding 32: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_git_clone_askpass.py:118-120

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

base_branch=branch,
                work_dir="/tmp/work",
                sparse_paths=sparse_paths,

Finding 33: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_git_push_retry_property.py:57-59

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

# Work directory
_work_dir = st.sampled_from(["/tmp/work", "/workspace/code", "/home/user/repo"])

Finding 34: B102

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B102
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_oauth_callback_properties.py:27-29

Description:
Use of exec detected.

Code Snippet:

_authorizer_module = types.ModuleType("authorizer_inline")
exec(AUTHORIZER_LAMBDA_CODE, _authorizer_module.__dict__)  # noqa: S102
authorizer_handler = _authorizer_module.handler

Finding 35: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pipeline_properties.py:583-585

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

"""
    work_dir = f"/tmp/pipeline-property-1/{job_id}"

Finding 36: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pipeline_properties.py:731-733

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

"""
    work_dir = f"/tmp/pipeline-property-2/{job_id}"

Finding 37: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pipeline_properties.py:945-947

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

work_dir = f"/tmp/pipeline-property-3/{job_id}"
    metric_prefix = "async_task"

Finding 38: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pipeline_properties.py:1210-1212

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

work_dir = f"/tmp/pipeline-property-4/{job_id}"
    metric_prefix = "code"

Finding 39: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pipeline_properties.py:1572-1574

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

work_dir = f"/tmp/pipeline-property-5/{job_id}"
    metric_prefix = "code"

Finding 40: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pipeline_properties.py:1787-1789

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

work_dir = f"/tmp/pipeline-property-6/{job_id}"

Finding 41: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pipeline_properties.py:1974-1976

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

work_dir = f"/tmp/pipeline-property-7a/{job_id}"
    metric_prefix = "code"

Finding 42: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pipeline_properties.py:2154-2156

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

work_dir = f"/tmp/pipeline-property-7b/{job_id}"
    metric_prefix = "code"

Finding 43: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pr_creation_token_isolation.py:130-132

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

result = git_push_and_create_pr(
                work_dir="/tmp/work",
                token=token,

Finding 44: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/property/test_pr_creation_token_isolation.py:175-177

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

result = git_push_and_create_pr(
                work_dir="/tmp/work",
                token="ghp_testtoken1234567890abcdef",

Finding 45: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_bugfix_28_preservation.py:395-397

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

"container.tools.git_clone._create_askpass_script",
                return_value="/tmp/fake_askpass.sh",
            ),

Finding 46: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_bugfix_28_preservation.py:405-407

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

base_branch="main",
                work_dir="/tmp/work",
            )

Finding 47: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_bugfix_28_preservation.py:408-410

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

assert "/tmp/fake_askpass.sh" in removed_paths, (
            "git_clone finally block must remove the askpass script; "

Finding 48: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_bugfix_28_preservation.py:426-428

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

"container.tools.git_push_and_create_pr._create_askpass_script",
                return_value="/tmp/fake_askpass.sh",
            ),

Finding 49: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_bugfix_28_preservation.py:442-444

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

git_push_and_create_pr(
                work_dir="/tmp/work",
                token="ghp_test123",

Finding 50: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_bugfix_28_preservation.py:451-453

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

assert "/tmp/fake_askpass.sh" in removed_paths, (
            "git_push_and_create_pr finally block must remove the askpass script; "

Finding 51: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_elicitation_error_handling_bug.py:253-255

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

target_branch="opencode/job-1",
                work_dir="/tmp/pipeline-30-bug/job-1",
                timeout_minutes=10,

Finding 52: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_git_clone.py:84-86

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

base_branch="main",
            work_dir="/tmp/work",
        )

Finding 53: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_git_clone.py:76-78

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

@patch("container.tools.git_clone.subprocess.run")
    @patch("container.tools.git_clone._create_askpass_script", return_value="/tmp/fake_askpass.sh")
    @patch("container.tools.git_clone.os.path.exists", return_value=True)

Finding 54: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_git_clone.py:100-102

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

base_branch="main",
            work_dir="/tmp/work",
        )

Finding 55: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_git_clone.py:92-94

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

@patch("container.tools.git_clone.subprocess.run")
    @patch("container.tools.git_clone._create_askpass_script", return_value="/tmp/fake_askpass.sh")
    @patch("container.tools.git_clone.os.path.exists", return_value=True)

Finding 56: B108

  • Severity: HIGH
  • Scanner: bandit
  • Rule ID: B108
  • Location: 02-use-cases/opencode-on-agentcore/tests/unit/test_git_clone.py:115-117

Description:
Probable insecure usage of temp file/directory.

Code Snippet:

base_branch="main",
            work_dir="/tmp/work",
        )
