Add Shell BEC: no-set-x-left-in (#76)
📝 Walkthrough: Adds a new becwright rule.
Changes: New BEC Rule.
Estimated code review effort: 1 (Trivial) | ~3 minutes
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/becwright/becs/no-set-x-left-in.bec.yaml`:
- Around line 13-19: The forbid rule in the xtrace check is too narrow because
the current pattern only catches the literal set -x. Update the builtin forbid
configuration in the no-set-x-left-in.bec.yaml rule to use a broader pattern
that also matches set -o xtrace and combined shell option flags like set -eux,
while keeping the rule anchored to the existing check metadata and paths.
📒 Files selected for processing (2):
- src/becwright/becs/README.md
- src/becwright/becs/no-set-x-left-in.bec.yaml
| paths: | ||
| - "**/*.sh" | ||
| severity: blocking | ||
| check: | ||
| kind: builtin | ||
| module: forbid | ||
| args: "--pattern 'set\\s+-x'" |
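Review bot: the `args` pattern `set\\s+-x` requires `-x` to be the first flag directly after `set`, so `set -eux` and `set -o xtrace`, which enable the same tracing, pass this check, while `set -xe` and a commented-out `# set -x` both match unless the `forbid` module skips comment lines. Consider `set\s+(-[a-zA-Z]*x|-o\s+xtrace)` (backslashes doubled inside the YAML double-quoted string, as on the current line), and since `severity: blocking` turns every match into a blocked merge, confirm how `forbid` treats comments before widening it.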
🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# Inspect sibling BECs and matcher syntax before finalizing this rule.
sed -n '1,120p' src/becwright/becs/no-debug-go.bec.yaml
rg -n 'set -x|xtrace|forbid|pattern' src/becwright/becs
```
Repository: DataDave-Dev/becwright
Length of output: 1703
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
printf '\n## Rule file\n'
cat -n src/becwright/becs/no-set-x-left-in.bec.yaml
printf '\n## README entry\n'
sed -n '1,80p' src/becwright/becs/README.md
printf '\n## Search matcher implementation and docs\n'
rg -n --hidden --glob '!**/node_modules/**' --glob '!**/dist/**' --glob '!**/build/**' \
  'kind:\s*builtin|module:\s*forbid|forbid\b|xtrace|set -o xtrace|set \+x|set -x' \
  src .github README.md .
```
Repository: DataDave-Dev/becwright
Length of output: 22283
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
printf '\n## forbid implementation\n'
cat -n src/becwright/checks/forbid.py
printf '\n## regex probe\n'
python3 - <<'PY'
import re
pattern = r"set\s+-x"
rx = re.compile(pattern)
samples = [
    "set -x",
    "set -o xtrace",
    "set -eux",
    "set -xe",
    "set +x",
    "set -o xtrace; echo hi",
    "set -x; set +x",
]
for s in samples:
    print(f"{s!r:24} -> {bool(rx.search(s))}")
PY
```
Repository: DataDave-Dev/becwright
Length of output: 2627
**Broaden the xtrace pattern**
`--pattern 'set\\s+-x'` only matches the literal `set -x`; it misses common xtrace forms like `set -o xtrace` and combined flags such as `set -eux`.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@src/becwright/becs/no-set-x-left-in.bec.yaml` around lines 13-19: The
forbid rule in the xtrace check is too narrow because the current pattern only
catches the literal set -x. Update the builtin forbid configuration in the
no-set-x-left-in.bec.yaml rule to use a broader pattern that also matches set -o
xtrace and combined shell option flags like set -eux, while keeping the rule
anchored to the existing check metadata and paths.
What
Adds a new catalog BEC, `no-set-x-left-in`, that forbids `set -x` shell tracing from being left enabled in `**/*.sh` scripts. Added `src/becwright/becs/no-set-x-left-in.bec.yaml` (schema copied from `no-debug-go.bec.yaml`) and a corresponding entry in `src/becwright/becs/README.md`, plus updated the paths-convention note to mention Shell.
Why
Closes #69.
`set -x` echoes every executed command — including expanded variables — to stdout/stderr before it runs. Left enabled in a shipped script, that means secrets and tokens passed as arguments get printed in plaintext wherever the script's output lands (CI logs, captured terminal output, etc.). This is a common accidental leak vector since `set -x` is normally added for local debugging and forgotten before commit.
Checklist
- `pytest` — 253 passed
- `test_catalog_bundles_are_valid` bundle-parsing test, which validates all catalog YAML files including this one
- `README.md` catalog table + paths-convention note updated
Summary by CodeRabbit
- Forbids `set -x` tracing from being left enabled in `.sh` files and flags scripts that may expose expanded command arguments, including sensitive values.
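A scan that covers the xtrace forms the review comment lists (`set -x`, `set -eux`, `set -o xtrace`) and, going beyond the rule's plain forbid, also tracks `set +x` / `set +o xtrace` so it can say whether tracing is still on at the end of the file, which is the "left in" leak described under Why. This is an added example in Python (the language of the review's regex probe), not becwright's `forbid` module; the sample script is constructed.

```python
import re

# A `set` command at line start or after a separator/keyword; group 1 holds its option
# list up to the next separator or comment.  Quoted ';' or '#' are not handled (a lint, not a shell parser).
_SET_CMD = re.compile(r"(?:^|[;&|(]|\b(?:then|do|else)\s)\s*set\s+([^;&|#]*)")


def xtrace_toggle(opts: str):
    """True if this option list enables xtrace, False if it disables it, else None."""
    tokens = opts.split()
    state, i = None, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok[0] in "-+" and len(tok) > 1:
            enables = tok[0] == "-"                       # `-` turns on, `+` turns off
            if tok[1:] == "o" and i + 1 < len(tokens):    # `set -o xtrace` / `set +o xtrace`
                if tokens[i + 1] == "xtrace":
                    state = enables
                i += 2
                continue
            if "x" in tok[1:]:                            # `set -x`, `set -eux`, `set +x`
                state = enables
        i += 1
    return state


def scan_xtrace(script: str) -> dict:
    """Report every line that enables xtrace and whether it is still on at EOF."""
    enables, on = [], False
    for lineno, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith("#"):                 # whole-line comment: skip
            continue
        for m in _SET_CMD.finditer(line):
            toggle = xtrace_toggle(m.group(1))
            if toggle is True:
                enables.append((lineno, line.strip()))
                on = True
            elif toggle is False:
                on = False
    return {"enables": enables, "left_on": on}

# Constructed sample: one scoped trace that is switched off again, one left on at EOF.
SAMPLE = """# set -x   (commented out, must not count)
set -euo pipefail
deploy() {
    set -o xtrace
    curl -H "Authorization: Bearer $TOKEN" "$API"
    set +o xtrace
}
set -eux
deploy
"""
```

`scan_xtrace(SAMPLE)` reports enables on lines 4 and 8 and `left_on` true, because the `set -eux` on line 8 is never switched off.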