Skip to content

Add Shell BEC: no-set-x-left-in#76

Merged
DataDave-Dev merged 1 commit into
DataDave-Dev:mainfrom
PedroVBAmorim:add-no-set-x-left-in-bec
Jul 2, 2026
Merged

Add Shell BEC: no-set-x-left-in#76
DataDave-Dev merged 1 commit into
DataDave-Dev:mainfrom
PedroVBAmorim:add-no-set-x-left-in-bec

Conversation

@PedroVBAmorim

@PedroVBAmorim PedroVBAmorim commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

What

Adds a new catalog BEC, no-set-x-left-in, that forbids set -x shell tracing from being left enabled in **/*.sh scripts. Added src/becwright/becs/no-set-x-left-in.bec.yaml (schema copied from no-debug-go.bec.yaml) and a corresponding entry in src/becwright/becs/README.md, plus updated the paths-convention note to mention Shell.

Why

Closes #69. set -x echoes every executed command — including expanded variables — to stdout/stderr before it runs. Left enabled in a shipped script, that means secrets and tokens passed as arguments get printed in plaintext wherever the script's output lands (CI logs, captured terminal output, etc.). This is a common accidental leak vector since set -x is normally added for local debugging and forgotten before commit.

Checklist

  • Tests pass (pytest) — 253 passed
  • New behavior is covered by tests — covered by the existing test_catalog_bundles_are_valid bundle-parsing test, which validates all catalog YAML files including this one
  • Commits are atomic (one logical change each) — single commit, one logical addition
  • Docs updated if needed — README.md catalog table + paths-convention note updated

Summary by CodeRabbit

  • New Features
    • Added a new check for shell scripts that prevents set -x tracing from being left enabled.
    • The new rule applies to .sh files and flags scripts that may expose expanded command arguments, including sensitive values.
    • Marked as a blocking issue to help catch risky scripts before release.

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Adds a new becwright rule, no-set-x-left-in, that forbids set -x in shell scripts via a builtin forbid module targeting **/*.sh files, and registers this rule in the BEC catalog README with blocking severity.

Changes

New BEC Rule

Layer / File(s) Summary
Rule definition and catalog registration
src/becwright/becs/no-set-x-left-in.bec.yaml, src/becwright/becs/README.md
Adds a forbid-based rule blocking set -x in **/*.sh files with intent/why-it-matters messaging, and adds a matching catalog row in the README with blocking severity.

Estimated code review effort: 1 (Trivial) | ~3 minutes

Possibly related issues

Possibly related PRs

  • DataDave-Dev/becwright#15: Both PRs add new forbid-based, blocking severity BEC rules and corresponding README catalog entries.
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and accurately summarizes the main change: adding the Shell BEC rule no-set-x-left-in.
Description check ✅ Passed The description matches the template with What, Why, and Checklist sections and includes the required implementation details.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/becwright/becs/no-set-x-left-in.bec.yaml`:
- Around line 13-19: The forbid rule in the xtrace check is too narrow because
the current pattern only catches the literal set -x. Update the builtin forbid
configuration in the no-set-x-left-in.bec.yaml rule to use a broader pattern
that also matches set -o xtrace and combined shell option flags like set -eux,
while keeping the rule anchored to the existing check metadata and paths.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d734652a-cb11-4bcb-a003-6183c9bef78f

📥 Commits

Reviewing files that changed from the base of the PR and between fbf9e85 and a867d0a.

📒 Files selected for processing (2)
  • src/becwright/becs/README.md
  • src/becwright/becs/no-set-x-left-in.bec.yaml

Comment on lines +13 to +19
paths:
- "**/*.sh"
severity: blocking
check:
kind: builtin
module: forbid
args: "--pattern 'set\\s+-x'"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Inspect sibling BECs and matcher syntax before finalizing this rule.
sed -n '1,120p' src/becwright/becs/no-debug-go.bec.yaml
rg -n 'set -x|xtrace|forbid|pattern' src/becwright/becs

Repository: DataDave-Dev/becwright

Length of output: 1703


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## Rule file\n'
cat -n src/becwright/becs/no-set-x-left-in.bec.yaml

printf '\n## README entry\n'
sed -n '1,80p' src/becwright/becs/README.md

printf '\n## Search matcher implementation and docs\n'
rg -n --hidden --glob '!**/node_modules/**' --glob '!**/dist/**' --glob '!**/build/**' \
  'kind:\s*builtin|module:\s*forbid|forbid\b|xtrace|set -o xtrace|set \+x|set -x' \
  src .github README.md .

Repository: DataDave-Dev/becwright

Length of output: 22283


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## forbid implementation\n'
cat -n src/becwright/checks/forbid.py

printf '\n## regex probe\n'
python3 - <<'PY'
import re

pattern = r"set\s+-x"
rx = re.compile(pattern)

samples = [
    "set -x",
    "set -o xtrace",
    "set -eux",
    "set -xe",
    "set +x",
    "set -o xtrace; echo hi",
    "set -x; set +x",
]

for s in samples:
    print(f"{s!r:24} -> {bool(rx.search(s))}")
PY

Repository: DataDave-Dev/becwright

Length of output: 2627


Broaden the xtrace pattern --pattern 'set\\s+-x' only matches the literal set -x; it misses common xtrace forms like set -o xtrace and combined flags such as set -eux.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/becwright/becs/no-set-x-left-in.bec.yaml` around lines 13 - 19, The
forbid rule in the xtrace check is too narrow because the current pattern only
catches the literal set -x. Update the builtin forbid configuration in the
no-set-x-left-in.bec.yaml rule to use a broader pattern that also matches set -o
xtrace and combined shell option flags like set -eux, while keeping the rule
anchored to the existing check metadata and paths.

@DataDave-Dev DataDave-Dev merged commit 4717f41 into DataDave-Dev:main Jul 2, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Catalog: Shell BECs (no-set-x-left-in)

2 participants