fix: address code quality and security issues from PR review #139
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
- Add mutex for thread safety in VDB client - Increase token validation buffer from 1 to 3 minutes - Fix AWS SigV4 canonical request format (add query string component) - Handle json.Unmarshal error in api.go - Extract pagination logic into helper function - Fix stdout/stderr for JSON output mode (5 locations) - Scope vdbLimit and vdbOffset variables to commands Co-authored-by: 0x73746F66 <93355168+0x73746F66@users.noreply.github.com>
- Update secret key placeholder in config example - Fix troubleshooting section to not print secrets - Add error handling for command substitution in CI script - Add checksum verification for binary download in GitHub Action - Fix GitHub Actions conditional expression syntax - Add error handling after jq commands Co-authored-by: 0x73746F66 <93355168+0x73746F66@users.noreply.github.com>
Copilot
AI
changed the title
[WIP] Implement VDB subcommand for Vulnerability Database API
fix: address code quality and security issues from PR review
Jan 19, 2026
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Addresses 18 unresolved review comments on PR #136 covering thread safety, output handling, AWS spec compliance, and example security.
Core Code Fixes
Thread safety: Added
sync.RWMutexto VDB client token cache with double-checked locking pattern. Token refresh buffer increased to 3 minutes.AWS SigV4 compliance: Canonical request now includes query string component per AWS spec:
Output separation: Informational messages now write to stderr when
--output jsonis used, keeping stdout clean for piping.Variable scoping: Moved
vdbLimitandvdbOffsetfrom global to per-command locals to prevent flag interference between commands.Error handling: Fixed ignored
json.Unmarshalerror in CVE data parsing. Extracted pagination logic intobuildPaginationQuery()helper.Example & Documentation Security
Secrets handling: Troubleshooting now checks credential existence without printing values. Config example uses
REPLACE_WITH_YOUR_SECRET_KEYplaceholder instead of zeros.CI/CD hardening:
if ! cmd=$(...)pattern)!= '0'instead of> 0)💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.