chore(helm/charts): import erpc from morpho-infra-helm#90
Conversation
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension. |
![aikido-pr-checks[bot]](https://avatars.githubusercontent.com/in/898896?s=60&v=4){kind=small}
| if should_skip_validation "$chart_name"; then | ||
| echo -e "${YELLOW}⊘ Skipping kubeconform for ${chart_name} (database chart)${NC}" >&2 | ||
| rm -f "$result_file" "$result_file.lint" "$result_file.template" | ||
| exit $has_error |
There was a problem hiding this comment.
process_chart uses exit, which ends the whole script when called in the sequential loop, so only the first chart can run. The function should signal status without terminating global execution.
Details
✨ AI Reasoning
The function is intended to process one chart and report success/failure so the caller can continue iterating. However, it terminates the whole script from inside the function. That makes the surrounding loop logic impossible to fulfill in sequential execution, because the loop cannot proceed past the first chart. This is a direct control-flow contradiction between the function’s apparent contract and its actual behavior.
🔧 How do I fix it?
Trace execution paths carefully. Ensure precondition checks happen before using values, validate ranges before checking impossible conditions, and don't check for states that the code has already ruled out.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
| echo "✅ Authentication with proper secret parameter works" | ||
| else | ||
| echo "⚠️ Authentication secret parameter didn't work as expected" | ||
| echo " Response: $auth_response_with_secret" |
There was a problem hiding this comment.
Echoes auth_response_with_secret (response derived from a request containing a secret). Avoid logging or redact sensitive fields.
Details
✨ AI Reasoning
The script logs the full auth_response_with_secret, which was obtained via a URL containing LABELS_SERVICE_API_KEY. Logging that response may reveal authentication behavior and could indirectly expose secrets.
🔧 How do I fix it?
Keep sensitive data such as emails, passwords, and tokens out of logs. When logging values tied to a user, prefer a safe identifier like a user ID over the raw input, and strip line breaks from any user-provided text you do log.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
| process_chart() { | ||
| local chart_path=$1 | ||
| local chart_name=$(basename "$chart_path") | ||
| local result_file=$(mktemp) |
There was a problem hiding this comment.
Creates a base temp file ($result_file) but only uses "$result_file.lint"/"$result_file.template". Create temp files with explicit suffixes or mktemp twice and avoid the unused base file.
Details
✨ AI Reasoning
The code mktemp()s into result_file and then uses "$result_file.lint" and "$result_file.template" but never writes to or reads "$result_file" itself. Creating the base temp file is unnecessary and misleading. Simpler alternatives: create distinct temp files for lint/template or use mktemp with suffixes. This reduces resource usage and clarifies intent without changing behavior.
🔧 How do I fix it?
Rewrite the snippet in the simpler, behavior-equivalent form: return a boolean expression directly instead of if cond return true else return false, avoid using lists when they are guaranteed to contain one element, etc.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
|
|
||
| # Run template validation | ||
| cd "$chart_absolute_path" | ||
| if ! helm template . 2>/dev/null | kubeconform --ignore-missing-schemas --summary --skip "$CUSTOM_RESOURCES" > "$result_file.template" 2>&1; then |
There was a problem hiding this comment.
Complex shell pipeline with helm template piped to kubeconform and multiple redirects; split into named steps or a small helper function to improve readability and error handling.
Show fix
| if ! helm template . 2>/dev/null | kubeconform --ignore-missing-schemas --summary --skip "$CUSTOM_RESOURCES" > "$result_file.template" 2>&1; then | |
| helm template . 2>/dev/null | \ | |
| kubeconform --ignore-missing-schemas --summary --skip "$CUSTOM_RESOURCES" \ | |
| > "$result_file.template" 2>&1 | |
| validation_result=$? | |
| if [ $validation_result -ne 0 ]; then |
Details
✨ AI Reasoning
The code runs helm template, pipes output into kubeconform, and applies multiple redirections and flags on one line. That creates a compact but hard-to-read command with mixed IO and control flow, increasing cognitive load when debugging or modifying behavior.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
rguichard
force-pushed
the
feature/pla-1455-move-app-related-deployment-config-into-application-repos
branch
from
3db6a38 to
631f9ad
Compare
|
|
||
| rm -f "$result_file" "$result_file.lint" "$result_file.template" | ||
| exit $has_error | ||
| } |
There was a problem hiding this comment.
process_chart ends with 'exit $has_error'; change to 'return $has_error' so the caller can continue processing charts and aggregate failures.
Details
✨ AI Reasoning
process_chart's final 'exit $has_error' will always exit the shell when the function runs in the main script (sequential flow). This prevents the caller from iterating over remaining charts or collecting failures, rendering later lines in the main execution unreachable. Returning the status would preserve intended control flow.
🔧 How do I fix it?
Remove code that can never be executed due to control flow. Check for code after return/throw/break statements or in unreachable conditional branches.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
| echo " Block range: 0x1254048f (307,074,191) to 0x12558b2f (307,166,767)" | ||
| echo " Range size: ~92,576 blocks" |
There was a problem hiding this comment.
Printed decimal block numbers and range size contradict fromBlock/toBlock literals. The log reports incorrect numeric equivalents for 0x1254048f/0x12558b2f and an incorrect block-span value.
| echo " Block range: 0x1254048f (307,074,191) to 0x12558b2f (307,166,767)" | |
| echo " Range size: ~92,576 blocks" | |
| echo " Block range: 0x1254048f (307,627,151) to 0x12558b2f (307,695,407)" | |
| echo " Range size: ~68,256 blocks" |
Details
✨ AI Reasoning
The code is reporting a block range using hardcoded hexadecimal values and then describing that same range with hardcoded decimal numbers and a range size. Those descriptions do not match the actual values implied by the literals. Because the mismatch is deterministic and visible directly in the code, the output communicates incorrect results even when execution succeeds.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
rguichard
force-pushed
the
feature/pla-1455-move-app-related-deployment-config-into-application-repos
branch
from
631f9ad to
7cad0d6
Compare
| fi | ||
|
|
||
| rm -f "$result_file" "$result_file.lint" "$result_file.template" | ||
| exit $has_error |
There was a problem hiding this comment.
process_chart uses 'exit' inside the function, terminating the whole script; use 'return ' so callers can handle failures instead.
Details
:sparkles: AI Reasoning
A function (process_chart) ends with an unconditional exit ($has_error) making any code that expects to receive its return status and continue execution unreachable. The use of exit inside a helper intended to be called in-process prevents callers from handling failures and continuing, turning caller-side branches into dead/unreachable code. This is a local, provable control-flow issue introduced by the new function implementation.
:wrench: How do I fix it?
Remove code that can never be executed due to control flow. Check for code after return/throw/break statements or in unreachable conditional branches.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
| @@ -0,0 +1,7 @@ | |||
| # Default ownership | |||
There was a problem hiding this comment.
please add me as a default codeowner for the repo as well
There was a problem hiding this comment.
Should we use individual names?
There was a problem hiding this comment.
You can keep the team, but for now, I'd like to also be a mandatory codeowner in addition to the team
| secretsPath: "secret/data/erpc/secrets" | ||
| jobImage: | ||
| repository: 537124939463.dkr.ecr.eu-west-3.amazonaws.com/docker-hub/morphoorg/erpc-validator | ||
| tag: "0.0.77" |
There was a problem hiding this comment.
make sure to sync versions to latest in infra helm repo
There was a problem hiding this comment.
0.0.77 is the latest one in morpho-org/morpho-infra-helm
There was a problem hiding this comment.
You can take latest prd values which are 0.1.3: https://github.com/morpho-org/morpho-infra-helm/blob/main/environments/prd/erpc/values.yaml#L1333
rguichard
force-pushed
the
feature/pla-1455-move-app-related-deployment-config-into-application-repos
branch
from
7cad0d6 to
7cadc0e
Compare
| fi | ||
|
|
||
| rm -f "$result_file" "$result_file.lint" "$result_file.template" | ||
| exit $has_error |
There was a problem hiding this comment.
process_chart uses exit, which ends the whole script in sequential mode. This prevents validating remaining charts and can skip the summary after the first chart.
Details
✨ AI Reasoning
The function is intended to process one chart and let the caller continue iterating through all charts. However, it terminates with a shell exit status instead of returning to the caller. In the sequential execution path, this makes further loop iterations and the final summary unreachable after the first chart, which contradicts the script’s stated behavior of validating all discovered charts.
🔧 How do I fix it?
Trace execution paths carefully. Ensure precondition checks happen before using values, validate ranges before checking impossible conditions, and don't check for states that the code has already ruled out.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
| # Build dependencies if Chart.yaml exists and has dependencies | ||
| if [ -f "${chart_absolute_path}/Chart.yaml" ]; then | ||
| if grep -q "dependencies:" "${chart_absolute_path}/Chart.yaml"; then | ||
| cd "$chart_absolute_path" |
There was a problem hiding this comment.
Avoid cd into chart directories to run helm commands; call helm dependency update and helm template with the chart path (or helm -C) to remove repeated cd/cd back.
Details
✨ AI Reasoning
The code repeatedly changes the working directory to run helm commands then cd back. This is unnecessarily verbose and fragile: scripts switch into chart_absolute_path twice (for dependency update and template validation) instead of invoking helm with an explicit path or using helm's -C/--directory-like options. Reducing cd usage improves readability and prevents stateful errors when adding more steps. This is a local simplification that preserves behavior and is safe to fix in this PR.
🔧 How do I fix it?
Rewrite the snippet in the simpler, behavior-equivalent form: return a boolean expression directly instead of if cond return true else return false, avoid using lists when they are guaranteed to contain one element, etc.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
|
|
||
| echo "Processing: ${chart_path}" >&2 | ||
|
|
||
| # Run helm lint |
There was a problem hiding this comment.
Run should_skip_validation before helm lint to avoid doing expensive linting for charts that are meant to be skipped; use an early continue/return when skip applies.
Details
✨ AI Reasoning
process_chart runs helm lint before calling should_skip_validation, causing an expensive lint step even when the chart should be skipped. Moving the skip check earlier would guard the expensive work and simplify control flow.
🔧 How do I fix it?
Place parameter validation and guard clauses at the function start. Use early returns to reduce nesting levels and improve readability.
Reply @AikidoSec feedback: [FEEDBACK] to get better review comments in the future.
Reply @AikidoSec ignore: [REASON] to ignore this issue.
More info
2 participants
No description provided.