[Safe Outputs Conformance] Conformance checker script exits prematurely due to bash arithmetic bug with set -euo pipefail #16604

@github-actions

Conformance Check Failure

Check ID: Script Infrastructure Bug
Severity: HIGH
Category: Implementation

Problem Description

The conformance checker script scripts/check-safe-outputs-conformance.sh uses set -euo pipefail at line 6, but also uses bash arithmetic increment expressions like ((MEDIUM_FAILURES++)) inside the logging functions (lines 33-39). In bash, arithmetic expressions that evaluate to zero return exit code 1, which triggers set -e (errexit) to terminate the script immediately.

This means the script exits after the very first [MEDIUM] or [LOW] finding, before completing all subsequent checks (SEC-004 onward). This produces:

  • False positives: Checks like IMP-001, IMP-002, IMP-003, REQ-001, REQ-003 never actually run
  • Incorrect exit code: Script exits with 1 (HIGH priority issues) even when there are only MEDIUM-severity findings
  • Misleading reports: The conformance summary is never printed

Root Cause: The pattern ((MEDIUM_FAILURES++)) when MEDIUM_FAILURES=0 evaluates to 0 (the old value before increment), and bash treats an arithmetic expression evaluating to zero as a failure condition.

Reproduction:

set -e
MEDIUM_FAILURES=0
((MEDIUM_FAILURES++))  # exits here: arithmetic result was 0 (old value)
echo "This never prints"

Affected Components

  • Files: scripts/check-safe-outputs-conformance.sh (lines 22-40, logging functions)
  • Checks never reached: SEC-004, SEC-005, USE-001, USE-002, USE-003, REQ-001, REQ-002, REQ-003, IMP-001, IMP-002, IMP-003

Current Behavior

Script terminates after first MEDIUM/LOW/HIGH/CRITICAL finding due to arithmetic expression evaluating to 0, triggering errexit. The summary section (line 399+) is never printed.

Expected Behavior

Script should complete all checks, print the full summary, and exit with the appropriate code based on the total failure counts.

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

  1. Replace the arithmetic increment expressions in the logging functions to use a form that doesn't return exit code 1 on zero:
    # Replace:
    ((CRITICAL_FAILURES++))
    # With:
    CRITICAL_FAILURES=$((CRITICAL_FAILURES + 1))
  2. Apply this fix to all four logging functions: log_critical, log_high, log_medium, log_low (lines 23-40)
  3. Alternatively, use || true after each arithmetic expression: ((MEDIUM_FAILURES++)) || true
  4. Run the full script to verify all 13 checks complete and the summary is printed

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

The script should now complete all checks (SEC-001 through IMP-003) and print the full summary.

References

  • Conformance Checker: scripts/check-safe-outputs-conformance.sh
  • Run ID: §22149599947
  • Date: 2026-02-18

Generated by Daily Safe Outputs Conformance Checker

  • expires on Feb 19, 2026, 5:15 PM UTC
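
The failure mode and both proposed fixes described in this issue, as an added example (not code from scripts/check-safe-outputs-conformance.sh): each increment form runs in a child bash under set -euo pipefail, starting from a chosen counter value. The helper names run_increment and report and the variable COUNT are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example with constructed inputs; not taken from the conformance checker.

# run_increment FORM START
# Runs one increment FORM in a child bash with errexit enabled, with the
# counter COUNT initialised to START. Prints "survived:<value>" when the line
# after the increment is reached, or "aborted:<status>" when errexit ends the
# child shell before that line.
run_increment() {
  local form=$1 start=$2 out status
  out=$(bash -c '
    set -euo pipefail
    COUNT=$2
    eval "$1"              # the increment under test
    echo "survived:$COUNT" # only reached if errexit did not fire
  ' _ "$form" "$start") && status=0 || status=$?
  if [ "$status" -eq 0 ]; then
    echo "$out"
  else
    echo "aborted:$status"
  fi
}

# Print one result row for a form and a starting value.
report() {
  printf '%-26s start=%s -> %s\n' "$1" "$2" "$(run_increment "$1" "$2")"
}

# Post-increment from 0: the expression yields the old value 0, so (( ))
# returns status 1 and errexit stops the shell (the first finding of a severity).
report '((COUNT++))' 0
# Same form from 1: the expression yields 1, status 0, no abort. This is why
# the bug only bites when a counter is still zero.
report '((COUNT++))' 1
# Remediation step 1: a plain assignment always returns status 0.
report 'COUNT=$((COUNT + 1))' 0
# Remediation step 3: the || list masks the non-zero status from errexit.
report '((COUNT++)) || true' 0
```

The second row shows why the problem is easy to miss in testing: the same line is harmless once the counter is non-zero.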
