Can we use `shell=False`?

[jsf9k]

Can we use the default of shell=False here?

cyhy-reports/extras/create_snapshots_reports_scorecard.py

Lines 815 to 820 in 57e67d7

	subprocess.call(
	"docker run --rm --volume /etc/cyhy:/etc/cyhy --volume {}:/home/cyhy {}/cyhy-reports:stable cyhy-report -h".format(
	WEEKLY_REPORT_BASE_DIR, NCATS_DHUB_URL
	),
	shell=True,
	)

shell=True means that the subprocess Python module spawns the command using the shell process, which makes it much easier for a malicious actor to execute commands.

Originally posted by @dv4harr10 in #101 (comment)

[jsf9k]

In this case it is probably possible to use the default of shell=False. See here for the documentation on the Python subprocess module.