TEST: Aikido integration #6281

Open
robdiciuccio wants to merge 7 commits into main from rd/aikido

Conversation

@robdiciuccio
Contributor

DO NOT MERGE

Link to pivotal/JIRA issue

Is PM acceptance required? (delete one)

  • Yes - don't merge until JIRA issue is accepted!
  • No - merge after code review approval

Reminder: merge main into this branch and get green tests before merging to main

What was done?

  • Explain the implementation goals being solved or the feature with the reviewer in mind
  • Mention any relevant issues or insights to be shared with the reviewer.
  • Alternatives considered

How to test?

  • Describe the testing approach taken to verify the changes, including:
    • Unit/integration/manual tests
    • Test data used
  • Specify any relevant testing environments used (e.g., development, staging, demo, Heroku).
  • Risk Assessment
    • Risks or side effects associated with the changes and how they were mitigated.
    • Highlight areas that may need extra attention during code review or testing.
    • Paste SQL queries or output where relevant

Screenshots (for visual changes)

  • Before
  • After

Comment thread

```ruby
# Substring check: passes as soon as any allowed column name appears anywhere in
# `cleaned`, and `cleaned` itself (not the matched column) is what reaches the database.
mentioned_column = ALLOWED_SORT_COLUMNS.find { |c| cleaned.include?(c) }
return scope unless mentioned_column

scope.reorder(Arel.sql(cleaned))
```

Potential SQL injection via string-based query concatenation - critical severity
SQL injection might be possible in these locations, especially if the strings being concatenated are controlled via user input.

Remediation: If possible, rebuild the query to use prepared statements or an ORM. If that is not possible, make sure the user input is allowlisted or sanitized. As an added layer of protection, we also recommend installing a WAF that blocks SQL injection attacks.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

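Why the substring check in the snippet above is not an allowlist, as an added example that is not part of this PR or the vita-min code base: `ALLOWED_SORT_COLUMNS` and the parameter format ("column [asc|desc]") are assumed, and the page does not show how `cleaned` is derived. The first function mirrors the flagged logic; the second accepts only exact column and direction tokens and rebuilds the clause from those tokens, so nothing from the request is ever passed to `Arel.sql`. With the two validated tokens in hand, Rails' hash form `scope.reorder(column => direction.to_sym)` needs no raw SQL at all.

```ruby
# Added example (not from the PR): a substring allowlist vs. an exact-token allowlist
# for a user-controlled ORDER BY clause. Column list and parameter format are assumed.
ALLOWED_SORT_COLUMNS = %w[created_at updated_at status].freeze
ALLOWED_DIRECTIONS   = %w[asc desc].freeze

# Mirrors the flagged check: it passes as soon as any allowed column name occurs
# anywhere in the input, so the *whole* input would still be handed to Arel.sql.
def substring_check_passes?(sort_param)
  cleaned = sort_param.to_s.strip
  !ALLOWED_SORT_COLUMNS.find { |c| cleaned.include?(c) }.nil?
end

# Strict version: parse "column [asc|desc]", require exact matches against the
# allowlists, and build the clause only from the matched tokens. Returns nil for
# anything else, so the caller can fall back to the default order.
def safe_order_clause(sort_param)
  column, direction = sort_param.to_s.strip.split(/\s+/, 2)
  return nil unless ALLOWED_SORT_COLUMNS.include?(column)
  direction = (direction || "asc").downcase
  return nil unless ALLOWED_DIRECTIONS.include?(direction)
  "#{column} #{direction.upcase}"
end

if __FILE__ == $PROGRAM_NAME
  ["created_at desc", "status", "password", "created_at, (SELECT 1)"].each do |p|
    puts "%-26s substring:%-5s strict:%s" % [p.inspect, substring_check_passes?(p), safe_order_clause(p).inspect]
  end
end
```

The last sample input passes the substring check because it contains `created_at`, yet it is not a column name; the strict parser rejects it because `created_at,` is not an exact allowlist entry.
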
Comment thread

```ruby
# (`//evil.com`) URL that could spoof our host.
destination = "https://#{destination}" if destination.start_with?("//")

# allow_other_host: true turns off Rails' same-host check, so an absolute URL
# to any host is followed.
redirect_to(destination, allow_other_host: true)
```

Open redirect can be used in social engineering attacks - critical severity
An open redirect allows an attacker to use your app to perform social engineering attacks by redirecting users to other top-level domains (e.g. evilsite.com). It can usually also be used to combine with other exploits that could result in stolen credentials and user account takeover.

Remediation: Never set the allow_other_host parameter from the redirect function to true.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

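A destination check that lets the controller keep `redirect_to`'s default `allow_other_host: false`, as an added example that is not the PR's code: the allowed host list and the `/` fallback are assumed. It parses the value with `URI`, so a protocol-relative input such as `//evil.com` is seen as a host rather than a path, rejects any scheme other than http(s) and any host not on the list, and returns a same-origin path. Note that the `https://` prefix in the snippet turns `//evil.com` into `https://evil.com`; whether that is then rejected depends on code not shown here, since `allow_other_host: true` by itself does not restrict the host.

```ruby
require "uri"

# Added example (not from the PR): validate a user-supplied redirect target so the
# controller can keep redirect_to's default allow_other_host: false.
# The host list and fallback path are assumed for the example.
ALLOWED_REDIRECT_HOSTS = %w[app.example.org].freeze

# Returns a same-origin path (with query) for destinations that point at this app,
# and `fallback` for everything else: other hosts, other schemes, protocol-relative
# URLs, unparseable input, and paths that are not absolute.
def safe_redirect_target(destination, fallback: "/")
  return fallback if destination.nil? || destination.strip.empty?

  uri = begin
    URI.parse(destination.strip)
  rescue URI::InvalidURIError
    return fallback # e.g. "/\evil.com", which some browsers treat like "//evil.com"
  end

  # Only http(s) or scheme-less input; this rejects javascript:, data:, etc.
  return fallback unless uri.scheme.nil? || %w[http https].include?(uri.scheme.downcase)

  # "//evil.com" and "https://evil.com/x" both parse with a host; it must be ours.
  return fallback unless uri.host.nil? || ALLOWED_REDIRECT_HOSTS.include?(uri.host.downcase)

  path = uri.path.to_s
  path = "/" if path.empty?
  # Rails prefixes protocol+host to strings that start with "/"; anything else would
  # be glued onto the host name, and "//" would again be protocol-relative.
  return fallback unless path.start_with?("/") && !path.start_with?("//")

  uri.query ? "#{path}?#{uri.query}" : path
end

if __FILE__ == $PROGRAM_NAME
  ["//evil.com", "https://evil.com/login", "https://app.example.org@evil.com/",
   "javascript:alert(1)", "/dashboard?tab=1", "https://app.example.org/dashboard"].each do |d|
    puts "%-36s -> %s" % [d, safe_redirect_target(d)]
  end
end
```

Because the function returns a relative path even for an absolute URL on the allowed host, the value can be passed to `redirect_to` unchanged and the same-host check stays in force.
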
Comment thread package.json

10 Open source vulnerabilities detected - critical severity
Aikido detected 10 vulnerabilities across 2 packages, it includes 1 critical, 5 high, 3 medium and 1 low vulnerabilities.

Remediation Aikido suggests bumping the vulnerable packages to a safe version.

Reply @AikidoSec ignore: [REASON] to ignore this issue.

@github-actions

❌ SAST Scan (Semgrep) Failed

Resolve all findings before proceeding.

🛡️ SARIF Security Report

Semgrep OSS

📊 Summary

| Severity | Count |
| --- | --- |
| 🟠 - Warning | 11 |
| Total | 11 |

🐛 Detailed Results

🟠 - Warning [yaml.github-actions.security.run-shell-injection.run-shell-injection] (4 findings)

**Message:**
> Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to double-quote the environment variable, like this: "$ENVVAR".

**Tags:** `CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')`, `HIGH CONFIDENCE`, `OWASP-A01:2017 - Injection`, `OWASP-A03:2021 - Injection`, `OWASP-A05:2025 - Injection`, `security`

**Documentation:** [View details](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection)

**Locations:**
- .github/workflows/heroku-pull-request.yml:103:9
- .github/workflows/tag-and-release.yml:68:9
- .github/workflows/tag-and-release.yml:90:9
- .github/workflows/tag-and-release.yml:103:9

🟠 - Warning [dockerfile.security.missing-user.missing-user] (1 finding)

**Message:**
> By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.

**Tags:** `CWE-250: Execution with Unnecessary Privileges`, `MEDIUM CONFIDENCE`, `OWASP-A04:2021 - Insecure Design`, `OWASP-A06:2025 - Insecure Design`, `security`

**Documentation:** [View details](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)

**Locations:**
- Dockerfile:65:1

🟠 - Warning [ruby.lang.security.missing-csrf-protection.missing-csrf-protection] (4 findings)

**Message:**
> Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.

**Tags:** `CWE-352: Cross-Site Request Forgery (CSRF)`, `LOW CONFIDENCE`, `OWASP-A01:2021 - Broken Access Control`, `OWASP-A01:2025 - Broken Access Control`, `security`

**Documentation:** [View details](https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection)

**Locations:**
- app/controllers/application_controller.rb:1:1
- app/controllers/aws_ip_ranges_webhooks_controller.rb:1:1
- app/controllers/mailgun_webhooks_controller.rb:1:1
- app/controllers/twilio_webhooks_controller.rb:1:1

🟠 - Warning [ruby.rails.security.brakeman.check-validation-regex.check-validation-regex] (1 finding)

**Message:**
> /(\.)/ Found an incorrectly-bounded regex passed to `validates_format_of` or `validate ... format => ...`. Ruby regex behavior is multiline by default and lines should be terminated by `\A` for beginning of line and `\Z` for end of line, respectively.

**Tags:** `CWE-185: Incorrect Regular Expression`, `MEDIUM CONFIDENCE`, `OWASP-A01:2021 - Broken Access Control`, `OWASP-A01:2025 - Broken Access Control`, `OWASP-A05:2017 - Broken Access Control`, `security`

**Documentation:** [View details](https://semgrep.dev/r/ruby.rails.security.brakeman.check-validation-regex.check-validation-regex)

**Locations:**
- app/models/fraud/indicators/domain.rb:29:7

🟠 - Warning [dockerfile.security.missing-user-entrypoint.missing-user-entrypoint] (1 finding)

**Message:**
> By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.

**Tags:** `CWE-269: Improper Privilege Management`, `MEDIUM CONFIDENCE`, `OWASP-A04:2021 - Insecure Design`, `OWASP-A06:2025 - Insecure Design`, `security`

**Documentation:** [View details](https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint)

**Locations:**
- jmeter_test/Dockerfile:29:1

---

<sub>*Report generated on 2026-04-21 18:05:00 UTC*</sub>

[View Semgrep job output](https://github.com/codeforamerica/vita-min/actions/runs/24738349544)
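
What the four `run-shell-injection` findings ask for, as an illustrative workflow step added here rather than taken from the repository's `heroku-pull-request.yml` or `tag-and-release.yml` (the page does not show the flagged lines; the `github.event.pull_request.title` expression and the step names are assumed). GitHub substitutes `${{ }}` expressions into the script text before the shell starts, so a PR title, branch name or commit message containing a backtick or `$( )` becomes shell code. An `env:` entry hands the same value to the step as data, and the double quotes keep the shell from splitting or globbing it.

```yaml
# Added example, not the repository's workflow. Both steps echo the PR title.

# Flagged pattern: the expression is expanded into the script source itself,
# so the title is parsed by the shell as code.
- name: Announce (unsafe)
  run: |
    echo "Deploying: ${{ github.event.pull_request.title }}"

# Fix: pass the value to the step as an environment variable and quote it.
# The shell now sees a variable reference, never the title's characters.
- name: Announce (safe)
  env:
    PR_TITLE: ${{ github.event.pull_request.title }}
  run: |
    echo "Deploying: $PR_TITLE"
```

The same pattern applies to any `github.event.*` field that a contributor controls (head ref, issue body, commit message, author name); the rule fires on interpolation into `run:`, not on the field itself.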

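What the `check-validation-regex` finding is about, as an added example that is not from the PR or the repository. The flagged pattern, `/(\.)/`, is a contains-a-dot check where anchoring is not what the regex is trying to express, so for that line the finding is likely noise; the block shows the problem the rule exists for. Ruby's `^` and `$` match at line boundaries, so a value with an embedded newline passes a `^...$` validation on its first line alone. `\A` and `\z` anchor the whole string. `\Z`, which the finding's message suggests, still accepts one trailing newline. The hostname character class is assumed.

```ruby
# Added example (not from the PR): line anchors vs. string anchors in a Rails-style
# format validation. The hostname character class is assumed for the example.
HOST_CHARS = /[a-z0-9.-]+/

# ^ and $ are line anchors in Ruby: only the first line has to look like a host.
def line_anchored_host?(value)
  value.match?(/^#{HOST_CHARS}$/)
end

# \A...\Z anchors the string but \Z also matches just before a final "\n".
def big_z_anchored_host?(value)
  value.match?(/\A#{HOST_CHARS}\Z/)
end

# \A...\z is the strict form: the match has to end at the true end of the string.
def small_z_anchored_host?(value)
  value.match?(/\A#{HOST_CHARS}\z/)
end

# Which of the three validations accept `value`, for a side-by-side comparison.
def accepted_by(value)
  {
    "^...$"     => line_anchored_host?(value),
    "\\A...\\Z" => big_z_anchored_host?(value),
    "\\A...\\z" => small_z_anchored_host?(value),
  }
end

if __FILE__ == $PROGRAM_NAME
  ["example.com", "example.com\n<script>", "example.com\n"].each do |v|
    puts "#{v.inspect.ljust(26)} #{accepted_by(v)}"
  end
end
```

Use `\A` and `\z` in `validates_format_of`; the trailing-newline case matters wherever the validated value is later written into a header, a shell command, or a line-oriented log.
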
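For the three `*_webhooks_controller.rb` findings a CSRF token is not the applicable control: the requests come from Mailgun, Twilio and AWS rather than from a browser session with this app, so the controller has to authenticate the sender instead, and a controller that does so is the one place where `skip_forgery_protection` is legitimate. The page does not show how those controllers do this. Below is an added example, not the repository's code, of the check that takes the place of the token: HMAC signature verification in the shape Mailgun documents (hex HMAC-SHA256 over `timestamp` + `token`, keyed with the webhook signing key), with a freshness window and a constant-time comparison; the key, timestamps and payload are constructed here. The `application_controller.rb` finding, by contrast, only reports a missing explicit call: Rails apps with `load_defaults` 5.2 or later enable `protect_from_forgery with: :exception` on `ActionController::Base` by default, which this LOW CONFIDENCE rule does not see.

```ruby
require "openssl"

# Added example (not from the PR): signature verification for a webhook endpoint,
# the check that replaces a CSRF token when the caller is a third-party service.
# Format follows Mailgun's documented scheme: signature = hex HMAC-SHA256 over
# timestamp + token, keyed with the webhook signing key. Key and payload below
# are constructed for this example.

MAX_CLOCK_SKEW = 300 # seconds; bounds replay of a captured request

# Constant-time comparison: the loop does not stop at the first differing byte,
# so timing does not reveal how much of a guessed signature was right.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

def expected_signature(signing_key, timestamp, token)
  OpenSSL::HMAC.hexdigest("SHA256", signing_key, "#{timestamp}#{token}")
end

# `signature_fields` is the {"timestamp", "token", "signature"} part of the request.
# `now` is injectable so the freshness window can be tested deterministically.
def valid_webhook_signature?(signature_fields, signing_key, now: Time.now.to_i)
  ts, token, sig = signature_fields.values_at("timestamp", "token", "signature").map(&:to_s)
  return false if ts.empty? || token.empty? || sig.empty?
  return false if (now - ts.to_i).abs > MAX_CLOCK_SKEW
  secure_equal?(expected_signature(signing_key, ts, token), sig.downcase)
end

if __FILE__ == $PROGRAM_NAME
  key = "constructed-signing-key"
  fields = { "timestamp" => "1700000000", "token" => "0123456789abcdef" }
  fields["signature"] = expected_signature(key, fields["timestamp"], fields["token"])
  puts "fresh, correct key: #{valid_webhook_signature?(fields, key, now: 1_700_000_010)}"
  puts "stale by 1 hour:    #{valid_webhook_signature?(fields, key, now: 1_700_003_600)}"
  puts "wrong key:          #{valid_webhook_signature?(fields, 'other-key', now: 1_700_000_010)}"
end
```

In a Rails controller this sits in a `before_action` that responds `head :forbidden` on failure, next to `skip_forgery_protection`. Twilio's `X-Twilio-Signature` is computed differently (base64 HMAC-SHA1 over the full request URL plus the sorted POST parameters), but the structure of the check, including the constant-time compare, is the same.
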
@github-actions

❌ Security Scan (Trivy) Failed

Resolve all CRITICAL and HIGH severity findings before proceeding.

🛡️ SARIF Security Report

Trivy v0.69.3

📊 Summary

| Severity | Count |
| --- | --- |
| 🔴 - Error | 11 |
| 🟡 - Note | 13 |
| Total | 24 |

🐛 Detailed Results

**Artifact: Dockerfile** (type: dockerfile)

🔴 - Error [DS-0002] - Misconfiguration, Severity: HIGH
Description: Image user should not be 'root'
Message: Specify at least 1 USER command in Dockerfile with non-root user as argument
Location: Dockerfile:1:1
Link: [DS-0002](https://avd.aquasec.com/misconfig/ds-0002)

🟡 - Note [DS-0005] - Misconfiguration, Severity: LOW (4 findings)
Description: ADD instead of COPY
Link: [DS-0005](https://avd.aquasec.com/misconfig/ds-0005)
Locations:
- Dockerfile:25:1: Consider using 'COPY ./vendor/pdftk /app/vendor/pdftk' command instead of 'ADD ./vendor/pdftk /app/vendor/pdftk'
- Dockerfile:34:1: Consider using 'COPY . /app' command instead of 'ADD . /app'
- Dockerfile:36:1: Consider using 'COPY package.json yarn.lock /app/' command instead of 'ADD package.json yarn.lock /app/'
- Dockerfile:38:1: Consider using 'COPY .ruby-version Gemfile Gemfile.lock /app/' command instead of 'ADD .ruby-version Gemfile Gemfile.lock /app/'

🟡 - Note [DS-0014] - Misconfiguration, Severity: LOW
Description: RUN using 'wget' and 'curl'
Message: Shouldn't use both curl and wget
Location: Dockerfile:29:1
Link: [DS-0014](https://avd.aquasec.com/misconfig/ds-0014)

🔴 - Error [DS-0017] - Misconfiguration, Severity: HIGH
Description: `'RUN <package-manager> update'` instruction alone
Message: The instruction `'RUN <package-manager> update'` should always be followed by `'<package-manager> install'` in the same RUN statement.
Location: Dockerfile:4:1
Link: [DS-0017](https://avd.aquasec.com/misconfig/ds-0017)

🟡 - Note [DS-0026] - Misconfiguration, Severity: LOW
Description: No HEALTHCHECK defined
Message: Add HEALTHCHECK instruction in your Dockerfile
Location: Dockerfile:1:1
Link: [DS-0026](https://avd.aquasec.com/misconfig/ds-0026)

🔴 - Error [DS-0029] - Misconfiguration, Severity: HIGH
Description: 'apt-get' missing '--no-install-recommends'
Message: '--no-install-recommends' flag is missed: 'apt-get update && apt-get -y install ca-certificates libgnutls30 build-essential libpq-dev ghostscript default-jre poppler-utils curl && curl -sL https://deb.nodesource.com/setup_20.x | bash - && curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && apt-get update && apt-get install -y nodejs yarn && rm -rf /var/lib/apt/lists/*'
Location: Dockerfile:7:1
Link: [DS-0029](https://avd.aquasec.com/misconfig/ds-0029)

**Artifact: Dockerfile.local** (type: dockerfile)

🔴 - Error [DS-0002] - Misconfiguration, Severity: HIGH
Description: Image user should not be 'root'
Message: Specify at least 1 USER command in Dockerfile with non-root user as argument
Location: Dockerfile.local:1:1
Link: [DS-0002](https://avd.aquasec.com/misconfig/ds-0002)

🟡 - Note [DS-0005] - Misconfiguration, Severity: LOW (4 findings)
Description: ADD instead of COPY
Link: [DS-0005](https://avd.aquasec.com/misconfig/ds-0005)
Locations:
- Dockerfile.local:27:1: Consider using 'COPY ./vendor/pdftk /app/vendor/pdftk' command instead of 'ADD ./vendor/pdftk /app/vendor/pdftk'
- Dockerfile.local:31:1: Consider using 'COPY package.json yarn.lock /app/' command instead of 'ADD package.json yarn.lock /app/'
- Dockerfile.local:33:1: Consider using 'COPY .ruby-version Gemfile Gemfile.lock /app/' command instead of 'ADD .ruby-version Gemfile Gemfile.lock /app/'
- Dockerfile.local:44:1: Consider using 'COPY . /app' command instead of 'ADD . /app'

🟡 - Note [DS-0014] - Misconfiguration, Severity: LOW
Description: RUN using 'wget' and 'curl'
Message: Shouldn't use both curl and wget
Location: Dockerfile.local:42:1
Link: [DS-0014](https://avd.aquasec.com/misconfig/ds-0014)

🔴 - Error [DS-0017] - Misconfiguration, Severity: HIGH
Description: `'RUN <package-manager> update'` instruction alone
Message: The instruction `'RUN <package-manager> update'` should always be followed by `'<package-manager> install'` in the same RUN statement.
Location: Dockerfile.local:6:1
Link: [DS-0017](https://avd.aquasec.com/misconfig/ds-0017)

🟡 - Note [DS-0026] - Misconfiguration, Severity: LOW
Description: No HEALTHCHECK defined
Message: Add HEALTHCHECK instruction in your Dockerfile
Location: Dockerfile.local:1:1
Link: [DS-0026](https://avd.aquasec.com/misconfig/ds-0026)

🔴 - Error [DS-0029] - Misconfiguration, Severity: HIGH
Description: 'apt-get' missing '--no-install-recommends'
Message: '--no-install-recommends' flag is missed: 'apt-get update && apt-get -y install ca-certificates libgnutls30 build-essential libpq-dev ghostscript default-jre poppler-utils curl && curl -sL https://deb.nodesource.com/setup_20.x | bash - && curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list && apt-get update && apt-get install -y nodejs yarn && rm -rf /var/lib/apt/lists/*'
Location: Dockerfile.local:9:1
Link: [DS-0029](https://avd.aquasec.com/misconfig/ds-0029)

**Artifact: jmeter_test/Dockerfile** (type: dockerfile)

🔴 - Error [DS-0002] - Misconfiguration, Severity: HIGH
Description: Image user should not be 'root'
Message: Specify at least 1 USER command in Dockerfile with non-root user as argument
Location: jmeter_test/Dockerfile:1:1
Link: [DS-0002](https://avd.aquasec.com/misconfig/ds-0002)

🔴 - Error [DS-0017] - Misconfiguration, Severity: HIGH
Description: `'RUN <package-manager> update'` instruction alone
Message: The instruction `'RUN <package-manager> update'` should always be followed by `'<package-manager> install'` in the same RUN statement.
Location: jmeter_test/Dockerfile:12:1
Link: [DS-0017](https://avd.aquasec.com/misconfig/ds-0017)

🔴 - Error [DS-0022] - Misconfiguration, Severity: HIGH
Description: Deprecated MAINTAINER used
Message: MAINTAINER should not be used: 'MAINTAINER tofarr tofarrell@codeforamerica.org'
Location: jmeter_test/Dockerfile:2:1
Link: [DS-0022](https://avd.aquasec.com/misconfig/ds-0022)

🔴 - Error [DS-0025] - Misconfiguration, Severity: HIGH (2 findings)
Description: 'apk add' is missing '--no-cache'
Link: [DS-0025](https://avd.aquasec.com/misconfig/ds-0025)
Locations:
- jmeter_test/Dockerfile:14:1: '--no-cache' is missed: apk add curl
- jmeter_test/Dockerfile:18:1: '--no-cache' is missed: apk add --update openjdk8-jre tzdata curl unzip bash

🟡 - Note [DS-0026] - Misconfiguration, Severity: LOW
Description: No HEALTHCHECK defined
Message: Add HEALTHCHECK instruction in your Dockerfile
Location: jmeter_test/Dockerfile:1:1
Link: [DS-0026](https://avd.aquasec.com/misconfig/ds-0026)

---

<sub>*Report generated on 2026-04-21 18:05:01 UTC*</sub>

[View Trivy job output](https://github.com/codeforamerica/vita-min/actions/runs/24738349544)

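The three HIGH Trivy rules on `Dockerfile` (DS-0002, DS-0017, DS-0029) and the low ones (DS-0005, DS-0014, DS-0026) addressed in one corrected fragment, added here as an illustration rather than taken from the repository: only the flagged `RUN` command and the four `ADD` lines are on the page, so the base image, the `app` user, the port and the health-check path are assumed. Two things in the flagged command that Trivy does not report deserve more attention than the flags it does raise: `curl ... | bash -` executes an unpinned remote script as root at build time, and `apt-key add` is deprecated. The fragment replaces both with keyring files and `signed-by=` sources, using the NodeSource repository URL and key from NodeSource's own installation instructions (verify against the vendor before use) and the Yarn key URL shown in the finding. For `jmeter_test/Dockerfile` the Alpine equivalents are `apk add --no-cache ...` (DS-0025) and a `LABEL` in place of `MAINTAINER` (DS-0022).

```dockerfile
# Added example, not the repository's Dockerfile. Base image, user, port and
# health-check path are assumed; the package list comes from the flagged RUN line.
FROM ruby:3.3-slim-bookworm

# DS-0017 + DS-0029: update and install in one RUN, with --no-install-recommends.
# Vendor keys are fetched once, dearmored to keyring files and pinned with
# signed-by= instead of "curl | bash" and the deprecated apt-key.
RUN apt-get update \
 && apt-get install -y --no-install-recommends \
      ca-certificates curl gnupg build-essential libpq-dev ghostscript \
      default-jre poppler-utils \
 && install -d -m 0755 /etc/apt/keyrings \
 && curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key \
      | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg \
 && echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_20.x nodistro main" \
      > /etc/apt/sources.list.d/nodesource.list \
 && curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg \
      | gpg --dearmor -o /etc/apt/keyrings/yarn.gpg \
 && echo "deb [signed-by=/etc/apt/keyrings/yarn.gpg] https://dl.yarnpkg.com/debian/ stable main" \
      > /etc/apt/sources.list.d/yarn.list \
 && apt-get update \
 && apt-get install -y --no-install-recommends nodejs yarn \
 && rm -rf /var/lib/apt/lists/*

# DS-0002: an unprivileged user that owns the application directory.
RUN groupadd --system app \
 && useradd --system --gid app --create-home --home-dir /app --shell /usr/sbin/nologin app
WORKDIR /app

# DS-0005: COPY instead of ADD (ADD also unpacks archives and fetches URLs).
# Dependency manifests first so the install layers cache independently of the code.
COPY --chown=app:app .ruby-version Gemfile Gemfile.lock /app/
COPY --chown=app:app package.json yarn.lock /app/
COPY --chown=app:app vendor/pdftk /app/vendor/pdftk
RUN bundle install && yarn install --frozen-lockfile
COPY --chown=app:app . /app

# DS-0026: let the orchestrator notice a wedged process (path and port assumed).
HEALTHCHECK --interval=30s --timeout=5s --start-period=30s --retries=3 \
  CMD curl -fsS http://localhost:3000/ || exit 1

# DS-0002: the last USER is not root; DS-0014 is moot because only curl is used.
USER app
EXPOSE 3000
CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]
```

`bundle install` and `yarn install` still run as root here, which is the usual trade-off for writing into system gem and node directories; the application process itself, and anything it spawns, runs as `app`.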
Message: '--no-install-recommends' flag is missed: 'apt-get update   && apt-get -y install ca-certificates libgnutls30 build-essential libpq-dev ghostscript default-jre poppler-utils curl   && curl -sL https://deb.nodesource.com/setup_20.x | bash -   && curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -   && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list   && apt-get update && apt-get install -y nodejs yarn   && rm -rf /var/lib/apt/lists/*'
Link: [DS-0029](https://avd.aquasec.com/misconfig/ds-0029)

**Description:**
> 'apt-get' missing '--no-install-recommends'

**Tags:**
- `misconfiguration`
- `security`
- `HIGH`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0029)

**Locations:**

Dockerfile:7:1

<details>
<summary>
🔴 - Error [DS-0002] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: Dockerfile.local
Type: dockerfile
Vulnerability DS-0002
Severity: HIGH
Message: Specify at least 1 USER command in Dockerfile with non-root user as argument
Link: [DS-0002](https://avd.aquasec.com/misconfig/ds-0002)

**Description:**
> Image user should not be 'root'

**Tags:**
- `misconfiguration`
- `security`
- `HIGH`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0002)

**Locations:**

Dockerfile.local:1:1

<details>
<summary>
🟡 - Note [DS-0005] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: Dockerfile.local
Type: dockerfile
Vulnerability DS-0005
Severity: LOW
Message: Consider using 'COPY . /app' command instead of 'ADD . /app'
Link: [DS-0005](https://avd.aquasec.com/misconfig/ds-0005)

**Description:**
> ADD instead of COPY

**Tags:**
- `misconfiguration`
- `security`
- `LOW`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0005)

**Locations:**

Dockerfile.local:44:1

<details>
<summary>
🟡 - Note [DS-0005] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: Dockerfile.local
Type: dockerfile
Vulnerability DS-0005
Severity: LOW
Message: Consider using 'COPY ./vendor/pdftk /app/vendor/pdftk' command instead of 'ADD ./vendor/pdftk /app/vendor/pdftk'
Link: [DS-0005](https://avd.aquasec.com/misconfig/ds-0005)

**Description:**
> ADD instead of COPY

**Tags:**
- `misconfiguration`
- `security`
- `LOW`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0005)

**Locations:**

Dockerfile.local:27:1

<details>
<summary>
🟡 - Note [DS-0005] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: Dockerfile.local
Type: dockerfile
Vulnerability DS-0005
Severity: LOW
Message: Consider using 'COPY .ruby-version Gemfile Gemfile.lock /app/' command instead of 'ADD .ruby-version Gemfile Gemfile.lock /app/'
Link: [DS-0005](https://avd.aquasec.com/misconfig/ds-0005)

**Description:**
> ADD instead of COPY

**Tags:**
- `misconfiguration`
- `security`
- `LOW`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0005)

**Locations:**

Dockerfile.local:33:1

<details>
<summary>
🟡 - Note [DS-0005] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: Dockerfile.local
Type: dockerfile
Vulnerability DS-0005
Severity: LOW
Message: Consider using 'COPY package.json yarn.lock /app/' command instead of 'ADD package.json yarn.lock /app/'
Link: [DS-0005](https://avd.aquasec.com/misconfig/ds-0005)

**Description:**
> ADD instead of COPY

**Tags:**
- `misconfiguration`
- `security`
- `LOW`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0005)

**Locations:**

Dockerfile.local:31:1

<details>
<summary>
🟡 - Note [DS-0014] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: Dockerfile.local
Type: dockerfile
Vulnerability DS-0014
Severity: LOW
Message: Shouldn't use both curl and wget
Link: [DS-0014](https://avd.aquasec.com/misconfig/ds-0014)

**Description:**
> RUN using 'wget' and 'curl'

**Tags:**
- `misconfiguration`
- `security`
- `LOW`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0014)

**Locations:**

Dockerfile.local:42:1

<details>
<summary>
🔴 - Error [DS-0017] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: Dockerfile.local
Type: dockerfile
Vulnerability DS-0017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS-0017](https://avd.aquasec.com/misconfig/ds-0017)

**Description:**
> 'RUN <package-manager> update' instruction alone

**Tags:**
- `misconfiguration`
- `security`
- `HIGH`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0017)

**Locations:**

Dockerfile.local:6:1

<details>
<summary>
🟡 - Note [DS-0026] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: Dockerfile.local
Type: dockerfile
Vulnerability DS-0026
Severity: LOW
Message: Add HEALTHCHECK instruction in your Dockerfile
Link: [DS-0026](https://avd.aquasec.com/misconfig/ds-0026)

**Description:**
> No HEALTHCHECK defined

**Tags:**
- `misconfiguration`
- `security`
- `LOW`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0026)

**Locations:**

Dockerfile.local:1:1

<details>
<summary>
🔴 - Error [DS-0029] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: Dockerfile.local
Type: dockerfile
Vulnerability DS-0029
Severity: HIGH
Message: '--no-install-recommends' flag is missed: 'apt-get update  && apt-get -y install ca-certificates libgnutls30 build-essential libpq-dev ghostscript default-jre poppler-utils curl  && curl -sL https://deb.nodesource.com/setup_20.x | bash -  && curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add -  && echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list  && apt-get update && apt-get install -y nodejs yarn  && rm -rf /var/lib/apt/lists/*'
Link: [DS-0029](https://avd.aquasec.com/misconfig/ds-0029)

**Description:**
> 'apt-get' missing '--no-install-recommends'

**Tags:**
- `misconfiguration`
- `security`
- `HIGH`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0029)

**Locations:**

Dockerfile.local:9:1

<details>
<summary>
🔴 - Error [DS-0002] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: jmeter_test/Dockerfile
Type: dockerfile
Vulnerability DS-0002
Severity: HIGH
Message: Specify at least 1 USER command in Dockerfile with non-root user as argument
Link: [DS-0002](https://avd.aquasec.com/misconfig/ds-0002)

**Description:**
> Image user should not be 'root'

**Tags:**
- `misconfiguration`
- `security`
- `HIGH`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0002)

**Locations:**

jmeter_test/Dockerfile:1:1

<details>
<summary>
🔴 - Error [DS-0017] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: jmeter_test/Dockerfile
Type: dockerfile
Vulnerability DS-0017
Severity: HIGH
Message: The instruction 'RUN <package-manager> update' should always be followed by '<package-manager> install' in the same RUN statement.
Link: [DS-0017](https://avd.aquasec.com/misconfig/ds-0017)

**Description:**
> 'RUN <package-manager> update' instruction alone

**Tags:**
- `misconfiguration`
- `security`
- `HIGH`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0017)

**Locations:**

jmeter_test/Dockerfile:12:1

<details>
<summary>
🔴 - Error [DS-0022] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: jmeter_test/Dockerfile
Type: dockerfile
Vulnerability DS-0022
Severity: HIGH
Message: MAINTAINER should not be used: 'MAINTAINER tofarr tofarrell@codeforamerica.org'
Link: [DS-0022](https://avd.aquasec.com/misconfig/ds-0022)

**Description:**
> Deprecated MAINTAINER used

**Tags:**
- `misconfiguration`
- `security`
- `HIGH`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0022)

**Locations:**

jmeter_test/Dockerfile:2:1

<details>
<summary>
🔴 - Error [DS-0025] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: jmeter_test/Dockerfile
Type: dockerfile
Vulnerability DS-0025
Severity: HIGH
Message: '--no-cache' is missed: apk add --update openjdk8-jre tzdata curl unzip bash
Link: [DS-0025](https://avd.aquasec.com/misconfig/ds-0025)

**Description:**
> 'apk add' is missing '--no-cache'

**Tags:**
- `misconfiguration`
- `security`
- `HIGH`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0025)

**Locations:**

jmeter_test/Dockerfile:18:1

<details>
<summary>
🔴 - Error [DS-0025] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: jmeter_test/Dockerfile
Type: dockerfile
Vulnerability DS-0025
Severity: HIGH
Message: '--no-cache' is missed: apk add curl
Link: [DS-0025](https://avd.aquasec.com/misconfig/ds-0025)

**Description:**
> 'apk add' is missing '--no-cache'

**Tags:**
- `misconfiguration`
- `security`
- `HIGH`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0025)

**Locations:**

jmeter_test/Dockerfile:14:1

<details>
<summary>
🟡 - Note [DS-0026] - Misconfiguration
</summary>

#### Details

**Message:**
> Artifact: jmeter_test/Dockerfile
Type: dockerfile
Vulnerability DS-0026
Severity: LOW
Message: Add HEALTHCHECK instruction in your Dockerfile
Link: [DS-0026](https://avd.aquasec.com/misconfig/ds-0026)

**Description:**
> No HEALTHCHECK defined

**Tags:**
- `misconfiguration`
- `security`
- `LOW`
**Documentation:** [View details](https://avd.aquasec.com/misconfig/ds-0026)

**Locations:**

jmeter_test/Dockerfile:1:1


---

<sub>*Report generated on 2026-04-21 18:18:40 UTC*</sub>

[View Trivy job output](https://github.com/codeforamerica/vita-min/actions/runs/24738982319)

@github-actions

❌ SAST Scan (Semgrep) Failed

Resolve all findings before proceeding.

🛡️ SARIF Security Report

Semgrep OSS

📊 Summary

| Severity | Count |
|---|---|
| 🟠 - Warning | 11 |
| Total | 11 |

🐛 Detailed Results

<details>
<summary>
🟠 - Warning [yaml.github-actions.security.run-shell-injection.run-shell-injection] - yaml.github-actions.security.run-shell-injection.run-shell-injection
</summary>

#### Details

**Message:**
> Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

**Description:**
> Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection

**Tags:**
- `CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')`
- `HIGH CONFIDENCE`
- `OWASP-A01:2017 - Injection`
- `OWASP-A03:2021 - Injection`
- `OWASP-A05:2025 - Injection`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection)

**Locations:**

.github/workflows/heroku-pull-request.yml:103:9
</details>
<details>
<summary>
🟠 - Warning [yaml.github-actions.security.run-shell-injection.run-shell-injection] - yaml.github-actions.security.run-shell-injection.run-shell-injection
</summary>

#### Details

**Message:**
> Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

**Description:**
> Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection

**Tags:**
- `CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')`
- `HIGH CONFIDENCE`
- `OWASP-A01:2017 - Injection`
- `OWASP-A03:2021 - Injection`
- `OWASP-A05:2025 - Injection`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection)

**Locations:**

.github/workflows/tag-and-release.yml:68:9

<details>
<summary>
🟠 - Warning [yaml.github-actions.security.run-shell-injection.run-shell-injection] - yaml.github-actions.security.run-shell-injection.run-shell-injection
</summary>

#### Details

**Message:**
> Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

**Description:**
> Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection

**Tags:**
- `CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')`
- `HIGH CONFIDENCE`
- `OWASP-A01:2017 - Injection`
- `OWASP-A03:2021 - Injection`
- `OWASP-A05:2025 - Injection`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection)

**Locations:**

.github/workflows/tag-and-release.yml:90:9

<details>
<summary>
🟠 - Warning [yaml.github-actions.security.run-shell-injection.run-shell-injection] - yaml.github-actions.security.run-shell-injection.run-shell-injection
</summary>

#### Details

**Message:**
> Using variable interpolation `${{...}}` with `github` context data in a `run:` step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. `github` context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with `env:` to store the data and use the environment variable in the `run:` script. Be sure to use double-quotes the environment variable, like this: "$ENVVAR".

**Description:**
> Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection

**Tags:**
- `CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')`
- `HIGH CONFIDENCE`
- `OWASP-A01:2017 - Injection`
- `OWASP-A03:2021 - Injection`
- `OWASP-A05:2025 - Injection`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/yaml.github-actions.security.run-shell-injection.run-shell-injection)

**Locations:**

.github/workflows/tag-and-release.yml:103:9

<details>
<summary>
🟠 - Warning [dockerfile.security.missing-user.missing-user] - dockerfile.security.missing-user.missing-user
</summary>

#### Details

**Message:**
> By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.

**Description:**
> Semgrep Finding: dockerfile.security.missing-user.missing-user

**Tags:**
- `CWE-250: Execution with Unnecessary Privileges`
- `MEDIUM CONFIDENCE`
- `OWASP-A04:2021 - Insecure Design`
- `OWASP-A06:2025 - Insecure Design`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/dockerfile.security.missing-user.missing-user)

**Locations:**

Dockerfile:65:1

<details>
<summary>
🟠 - Warning [ruby.lang.security.missing-csrf-protection.missing-csrf-protection] - ruby.lang.security.missing-csrf-protection.missing-csrf-protection
</summary>

#### Details

**Message:**
> Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.

**Description:**
> Semgrep Finding: ruby.lang.security.missing-csrf-protection.missing-csrf-protection

**Tags:**
- `CWE-352: Cross-Site Request Forgery (CSRF)`
- `LOW CONFIDENCE`
- `OWASP-A01:2021 - Broken Access Control`
- `OWASP-A01:2025 - Broken Access Control`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection)

**Locations:**

app/controllers/application_controller.rb:1:1

<details>
<summary>
🟠 - Warning [ruby.lang.security.missing-csrf-protection.missing-csrf-protection] - ruby.lang.security.missing-csrf-protection.missing-csrf-protection
</summary>

#### Details

**Message:**
> Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.

**Description:**
> Semgrep Finding: ruby.lang.security.missing-csrf-protection.missing-csrf-protection

**Tags:**
- `CWE-352: Cross-Site Request Forgery (CSRF)`
- `LOW CONFIDENCE`
- `OWASP-A01:2021 - Broken Access Control`
- `OWASP-A01:2025 - Broken Access Control`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection)

**Locations:**

app/controllers/aws_ip_ranges_webhooks_controller.rb:1:1

<details>
<summary>
🟠 - Warning [ruby.lang.security.missing-csrf-protection.missing-csrf-protection] - ruby.lang.security.missing-csrf-protection.missing-csrf-protection
</summary>

#### Details

**Message:**
> Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.

**Description:**
> Semgrep Finding: ruby.lang.security.missing-csrf-protection.missing-csrf-protection

**Tags:**
- `CWE-352: Cross-Site Request Forgery (CSRF)`
- `LOW CONFIDENCE`
- `OWASP-A01:2021 - Broken Access Control`
- `OWASP-A01:2025 - Broken Access Control`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection)

**Locations:**

app/controllers/mailgun_webhooks_controller.rb:1:1

<details>
<summary>
🟠 - Warning [ruby.lang.security.missing-csrf-protection.missing-csrf-protection] - ruby.lang.security.missing-csrf-protection.missing-csrf-protection
</summary>

#### Details

**Message:**
> Detected controller which does not enable cross-site request forgery protections using 'protect_from_forgery'. Add 'protect_from_forgery :with => :exception' to your controller class.

**Description:**
> Semgrep Finding: ruby.lang.security.missing-csrf-protection.missing-csrf-protection

**Tags:**
- `CWE-352: Cross-Site Request Forgery (CSRF)`
- `LOW CONFIDENCE`
- `OWASP-A01:2021 - Broken Access Control`
- `OWASP-A01:2025 - Broken Access Control`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/ruby.lang.security.missing-csrf-protection.missing-csrf-protection)

**Locations:**

app/controllers/twilio_webhooks_controller.rb:1:1

<details>
<summary>
🟠 - Warning [ruby.rails.security.brakeman.check-validation-regex.check-validation-regex] - ruby.rails.security.brakeman.check-validation-regex.check-validation-regex
</summary>

#### Details

**Message:**
> /(\.)/ Found an incorrectly-bounded regex passed to `validates_format_of` or `validate ... format => ...`. Ruby regex behavior is multiline by default and lines should be terminated by `\A` for beginning of line and `\Z` for end of line, respectively.

**Description:**
> Semgrep Finding: ruby.rails.security.brakeman.check-validation-regex.check-validation-regex

**Tags:**
- `CWE-185: Incorrect Regular Expression`
- `MEDIUM CONFIDENCE`
- `OWASP-A01:2021 - Broken Access Control`
- `OWASP-A01:2025 - Broken Access Control`
- `OWASP-A05:2017 - Broken Access Control`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/ruby.rails.security.brakeman.check-validation-regex.check-validation-regex)

**Locations:**

app/models/fraud/indicators/domain.rb:29:7

<details>
<summary>
🟠 - Warning [dockerfile.security.missing-user-entrypoint.missing-user-entrypoint] - dockerfile.security.missing-user-entrypoint.missing-user-entrypoint
</summary>

#### Details

**Message:**
> By not specifying a USER, a program in the container may run as 'root'. This is a security hazard. If an attacker can control a process running as root, they may have control over the container. Ensure that the last USER in a Dockerfile is a USER other than 'root'.

**Description:**
> Semgrep Finding: dockerfile.security.missing-user-entrypoint.missing-user-entrypoint

**Tags:**
- `CWE-269: Improper Privilege Management`
- `MEDIUM CONFIDENCE`
- `OWASP-A04:2021 - Insecure Design`
- `OWASP-A06:2025 - Insecure Design`
- `security`
**Documentation:** [View details](https://semgrep.dev/r/dockerfile.security.missing-user-entrypoint.missing-user-entrypoint)

**Locations:**

jmeter_test/Dockerfile:29:1


---

<sub>*Report generated on 2026-04-21 18:18:47 UTC*</sub>

[View Semgrep job output](https://github.com/codeforamerica/vita-min/actions/runs/24738982319)

```ruby
# (`//evil.com`) URL that could spoof our host.
destination = "https://#{destination}" if destination.start_with?("//")

redirect_to(destination, allow_other_host: true)
```