feat: add static analysis for execa() command injection detection

[Copilot]

The codebase uses execa() extensively for shell commands but lacks static analysis to detect unsafe usage patterns that could lead to command injection vulnerabilities.

Changes

• Added eslint-plugin-security - General security linting for Node.js (detect-child-process, detect-non-literal-fs, etc.)
• Created custom ESLint rule no-unsafe-execa - Detects:
  • Template literals with expressions in command/arguments
  • String concatenation in command/arguments
  • Variables as command names
  • shell: true option usage
• Added security review comments to known-safe flagged usages with inline disable + justification

Example Detection

// Flagged as unsafe
execa('docker', [`--filter=name=${userInput}`]);
execa(cmd, ['arg']);
execa('ls', ['-la'], { shell: true });

// Safe patterns (not flagged)
execa('docker', ['ps', '-a']);
execa('docker', ['stop', containerId.toString()]);

Configuration

Rule is set to warn level since it may produce false positives requiring human review. The rule has a comprehensive test suite in eslint-rules/no-unsafe-execa.test.js.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>[Security] Large execa() attack surface without static analysis</issue_title>
<issue_description>## Priority
Low

Description

The codebase uses execa() extensively for running shell commands, which creates a large attack surface for command injection vulnerabilities. Currently, there's no static analysis to detect unsafe usage patterns.

Impact

• Severity: Low (assuming current code is safe)
• Attack Vector: Command injection if user input flows to execa() calls
• Risk: Arbitrary command execution

Proposed Solution

1. Add static analysis tool to detect unsafe execa() usage
2. Consider using ESLint plugin for detecting command injection patterns
3. Add unit tests for all execa() call sites with untrusted input

Tools to Consider

• eslint-plugin-security
• semgrep with custom rules

Effort Estimate

~4 hours

References

• Source: Daily Security Review Discussion [Security Review] Daily Security Review - January 16, 2026 #228</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes [Security] Large execa() attack surface without static analysis #256

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[github-actions]

✅ Coverage Check Passed

Overall Coverage

Metric	Base	PR	Delta
Lines	77.19%	77.19%	➡️ +0.00%
Statements	77.27%	77.27%	➡️ +0.00%
Functions	77.17%	77.17%	➡️ +0.00%
Branches	69.76%	69.76%	➡️ +0.00%

---

Coverage comparison generated by scripts/ci/compare-coverage.ts

In general, unused helper functions should be removed to improve readability and avoid confusion about intended behavior. Since isLiteralOrSafe is not referenced, the safest fix that does not alter existing functionality is simply to delete its definition block.

Concretely, in eslint-rules/no-unsafe-execa.js, inside the create(context) { ... } body, remove the entire isLiteralOrSafe function definition, from its JSDoc comment starting at line 67 through its closing brace and terminating semicolon at line 104–104/105, keeping the surrounding code intact. No additional imports, methods, or variables are needed; we only delete dead code.

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• feat(ci): add coverage regression detection #244: feat(ci): add coverage regression detection
• chore: delete existing firewall tests and migrate smoke tests #229: chore: delete existing firewall tests and migrate smoke tests

Test Results:

• ✅ GitHub MCP: Retrieved 2 merged PRs successfully
• ❌ Playwright: Failed (playwright-akamai.azureedge.net blocked by firewall)
• ✅ File Writing: Created /tmp/gh-aw/agent/smoke-test-copilot-21092095149.txt
• ✅ Bash Tool: Verified file contents successfully

Status: FAIL

cc @Mossaka @copilot

AI generated by Smoke Copilot

[github-actions]

Smoke Test Results (Claude)

Last 2 merged PRs:

• chore: delete existing firewall tests and migrate smoke tests #229: chore: delete existing firewall tests and migrate smoke tests
• feat(ci): add coverage regression detection #244: feat(ci): add coverage regression detection

Test Results:
✅ GitHub MCP - PR retrieval successful
✅ Playwright - Page loaded with title "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
✅ File Writing - Test file created at /tmp/gh-aw/agent/smoke-test-claude-21092095160.txt
✅ Bash Tool - File content verified: Smoke test passed for Claude at Sat Jan 17 09:26:19 UTC 2026

Overall Status: PASS

AI generated by Smoke Claude

[github-actions]

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

[github-actions]

🎬 THE END — Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

[github-actions]

🌑 The shadows whisper... Smoke Codex failed. The oracle requires further meditation...

[github-actions]

Smoke Test Results - Claude Sonnet 4.5

Last 2 Merged PRs:

• chore: remove smoke-codex workflow due to missing key #291: chore: remove smoke-codex workflow due to missing key
• ci: add agentic documentation preview workflow with Playwright #246: ci: add agentic documentation preview workflow with Playwright

Test Results:

• ✅ GitHub MCP - Fetched recent PRs
• ✅ Playwright - Navigated to github.com, title verified "GitHub · Change is constant. GitHub keeps you ahead. · GitHub"
• ✅ File Write - Created test file successfully
• ✅ Bash - Verified file contents

Status: PASS

AI generated by Smoke Claude

[github-actions]

Smoke Test Results

Last 2 Merged PRs:

• feat: port plan workflow from gh-aw repository #230: feat: port plan workflow from gh-aw repository
• ci: pin GitHub Actions to commit SHAs for supply chain security #266: ci: pin GitHub Actions to commit SHAs for supply chain security

Test Results:

• ✅ GitHub MCP: Retrieved PR titles successfully
• ❌ Playwright: Browser download failed in firewall environment
• ✅ File Writing: Created test file at /tmp/gh-aw/agent/smoke-test-copilot-21092322744.txt
• ✅ Bash Tool: Verified file contents successfully

Overall Status: PARTIAL PASS (3/4 tests passed)

Author: @Mossaka | Assignees: @Mossaka, @copilot

AI generated by Smoke Copilot