rusackas commented on PR #39644: URL: https://github.com/apache/superset/pull/39644#issuecomment-4700690893
Picking this back up to wrap it: as discussed in the thread, dropping `shell=True` here just swaps the Bandit `S602` suppression for `S603`/`S607` on the same calls, on a local dev/CI helper (`check-env.py`) that runs hardcoded commands with no untrusted input. Per SECURITY.md that path is inside the operator trust boundary, so there's no boundary violation to fix, and we aren't really removing suppressions, just relabeling them. Closing this one out. Thanks for the pass regardless, and happy to revisit if there's a concrete role/capability angle I'm missing. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
