[Safe Outputs Conformance] SEC-003 check pattern too narrow, produces false positives and misses valid implementations #16605

@github-actions

Conformance Check Failure

Check ID: SEC-003 (via script bug)
Severity: MEDIUM
Category: Implementation

Problem Description

The SEC-003 check in scripts/check-safe-outputs-conformance.sh (lines 107-124) uses an overly narrow grep pattern to detect max limit enforcement:

grep -q "\.length.*>.*\.max\|enforceMaxLimit\|checkLimit\|max.*exceeded" "$handler"

This pattern has two problems:

Problem 1 – False positives: The check scans ALL .cjs files in actions/setup/js/ (170+ files), including utilities, parsers, MCP server infrastructure, and sanitization helpers that are not "handlers" and have no reason to enforce array limits. This generates hundreds of spurious MEDIUM failures per run.

Problem 2 – False negatives for valid implementations: Some legitimate handler files use the pattern processedCount >= maxCount or config.max which the check pattern doesn't recognize. Specifically:

  • actions/setup/js/close_issue.cjs (lines 82, 112-116): Uses config.max + processedCount >= maxCount
  • actions/setup/js/remove_labels.cjs (lines 23, 49-53): Uses config.max + processedCount >= maxCount

Both files properly implement max count enforcement, but SEC-003 reports them as non-conformant.

Affected Components

  • Files: scripts/check-safe-outputs-conformance.sh (lines 107-124, SEC-003 check)
  • Over-flagged files: All 170+ .cjs utility/infrastructure files
  • Under-checked files: close_issue.cjs, remove_labels.cjs

Current Behavior

The SEC-003 check applies to every .cjs file without filtering to actual output handler files, and uses a pattern that doesn't match the processedCount >= maxCount style of limit enforcement.

Expected Behavior

The check should:

  1. Only scan files that are actual safe-output handlers (e.g., those that call octokit. or are imported by safe_output_handler_manager.cjs)
  2. Use an expanded pattern that also matches maxCount\|processedCount.*max\|config\.max

Remediation Steps

This task can be assigned to a Copilot coding agent with the following steps:

  1. Narrow the SEC-003 file filter to only scan core handler files:
    for handler in actions/setup/js/{create_issue,add_comment,update_issue,close_issue,add_labels,remove_labels,create_discussion,create_pull_request,add_reaction,assign_issue}.cjs; do
    Or alternatively filter by files that import octokit:
    grep -l "octokit\." actions/setup/js/*.cjs
  2. Expand the grep pattern to include the processedCount.*max\|config\.max enforcement style:
    grep -q "\.length.*>.*\.max\|enforceMaxLimit\|checkLimit\|max.*exceeded\|processedCount.*maxCount\|config\.max" "$handler"
  3. Run the updated checker and confirm close_issue.cjs and remove_labels.cjs now pass

Verification

After remediation, verify the fix by running:

bash scripts/check-safe-outputs-conformance.sh

The SEC-003 check should report PASS for all core handler files.

References

  • Conformance Checker: scripts/check-safe-outputs-conformance.sh
  • Limit Enforcement Helpers: actions/setup/js/limit_enforcement_helpers.cjs
  • Run ID: §22149599947
  • Date: 2026-02-18

Generated by Daily Safe Outputs Conformance Checker

  • expires on Feb 19, 2026, 5:15 PM UTC
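
The two grep patterns and the octokit scope filter described above, run side by side as an added example (not part of the original issue or the project's checker script). The four .cjs fixtures and their names are constructed for illustration; the last handler only reads config.max, which shows that the config\.max alternative matches on a mention alone.

```shell
#!/usr/bin/env bash
# Added example: constructed fixtures, not the repository's real handler files.
OLD_PATTERN='\.length.*>.*\.max\|enforceMaxLimit\|checkLimit\|max.*exceeded'
NEW_PATTERN="$OLD_PATTERN"'\|processedCount.*maxCount\|config\.max'

# Print PASS when the file ($2) matches the SEC-003 pattern ($1), else FAIL.
sec003_check() { if grep -q "$1" "$2"; then echo PASS; else echo FAIL; fi; }

# Scope filter from the remediation steps: only files that call octokit.
in_scope() { grep -l 'octokit\.' "$1"/*.cjs | xargs -n1 basename | sort | tr '\n' ' '; }

# Write the constructed fixtures to a temp directory and print its path.
make_fixtures() {
  dir=$(mktemp -d)
  # Handler that enforces the limit in the processedCount >= maxCount style.
  cat > "$dir/counted_handler.cjs" <<'EOF'
const maxCount = config.max || 10;
let processedCount = 0;
async function handle(item) {
  if (processedCount >= maxCount) return { skipped: true };
  processedCount++;
  await octokit.rest.issues.update(item);
}
EOF
  # Handler that calls the API with no limit at all.
  cat > "$dir/unbounded_handler.cjs" <<'EOF'
async function handle(item) { await octokit.rest.issues.update(item); }
EOF
  # Handler that reads config.max but never compares it to a counter.
  cat > "$dir/reads_only_handler.cjs" <<'EOF'
const limit = config.max;
async function handle(item) { await octokit.rest.issues.update(item); }
EOF
  # Utility with no API calls; out of scope for SEC-003.
  cat > "$dir/string_utils.cjs" <<'EOF'
module.exports = { trim: s => s.trim() };
EOF
  echo "$dir"
}

dir=$(make_fixtures)
for f in "$dir"/*.cjs; do
  echo "$(basename "$f"): old=$(sec003_check "$OLD_PATTERN" "$f") new=$(sec003_check "$NEW_PATTERN" "$f")"
done
echo "in scope: $(in_scope "$dir")"
```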
