fix: resolve CI lint, type-check, and security gate failures#18

Merged
michaelalber merged 2 commits into main from fix/ci-security-gate-failures
Apr 26, 2026

Conversation

@michaelalber
Owner

Summary

  • __main__.py — Replace assert parser is not None with an explicit RuntimeError guard (assert is stripped with -O; S101/B101). Add # nosec B404 on import subprocess and # noqa: S603 # nosec B603 on subprocess.run — the invocation uses sys.executable with hardcoded flag strings and a validated Path; not a command-injection risk.
  • parser.py — Add # type: ignore[attr-defined] on the lazy AcceleratorOptions import. Docling's pipeline_options module defines no __all__, so mypy strict/no_implicit_reexport cannot verify the export; the attribute exists at runtime (confirmed with dir()).
  • embeddings.py — Add # nosemgrep suppression on the truncation logger.warning. Semgrep's python-logger-credential-disclosure rule fires on chunk_index=%s — a diagnostic field, not a credential. Confirmed false positive.

Gates fixed

| File | Suppression | Tool | Rule |
| --- | --- | --- | --- |
| __main__.py | assert → RuntimeError | Ruff + Bandit | S101 / B101 |
| __main__.py | # nosec B404 | Bandit | B404 |
| __main__.py | # noqa: S603 # nosec B603 | Ruff + Bandit | S603 / B603 |
| parser.py | # type: ignore[attr-defined] | mypy | attr-defined |
| embeddings.py | # nosemgrep | Semgrep | python-logger-credential-disclosure |

Test plan

  • CI passes: Ruff, mypy, Bandit, Semgrep all green
  • 319 unit tests pass (verified locally)
  • No behaviour change to convert command — assert replaced with equivalent guard

🤖 Generated with Claude Code
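The two __main__.py changes described above, as an added example that is not the project's code: an explicit RuntimeError guard next to a child-process check showing that `assert` really is compiled out under `-O`, and a `subprocess.run` argv built only from `sys.executable`, hardcoded flag strings and a validated `Path`. The module name `convert_tool`, the flag strings and the allowed-suffix list are placeholders, not taken from the project.

```python
"""Why `assert` is not a guard, and a subprocess call of the same interpreter
with fixed arguments. Added example; the module/flags are placeholders."""
import subprocess  # nosec B404 - only invoked with sys.executable and fixed flags
import sys
import tempfile
from pathlib import Path

ALLOWED_SUFFIXES = {".pdf", ".docx"}  # constructed list, not the project's

def require_parser(parser):
    """Explicit guard that survives -O, unlike `assert parser is not None`."""
    if parser is None:
        raise RuntimeError("document parser was not initialised")
    return parser

def validate_input_path(path: Path) -> Path:
    """Accept only an existing regular file with an allowed suffix."""
    resolved = path.expanduser().resolve()
    if not resolved.is_file():
        raise FileNotFoundError(f"{resolved} is not a regular file")
    if resolved.suffix.lower() not in ALLOWED_SUFFIXES:
        raise ValueError(f"unsupported input type {resolved.suffix!r}")
    return resolved

def build_convert_argv(input_path: Path) -> list[str]:
    """argv = this interpreter + hardcoded flag strings + a validated path.
    'convert_tool' is a placeholder module name, not the project's."""
    return [sys.executable, "-m", "convert_tool", "--output-format", "markdown",
            str(validate_input_path(input_path))]

def assert_fires(optimised: bool) -> bool:
    """Run `assert False` in a child interpreter; True if it raised.
    With -O the assert statement is compiled out, so the child exits 0."""
    flags = ["-O", "-c"] if optimised else ["-c"]
    # list argv and shell=False (the default): nothing is parsed by a shell
    result = subprocess.run([sys.executable, *flags, "assert False"],  # noqa: S603 # nosec B603
                            capture_output=True, check=False)
    return result.returncode != 0

def demo() -> list[str]:
    """Happy path on a constructed temporary .pdf so it runs offline."""
    with tempfile.NamedTemporaryFile(suffix=".pdf", delete=False) as tmp:
        sample = Path(tmp.name)
    try:
        return build_convert_argv(sample)
    finally:
        sample.unlink()

if __name__ == "__main__":
    print(demo(), assert_fires(False), assert_fires(True))
```

Running the script shows `assert_fires(False)` is True and `assert_fires(True)` is False, which is exactly why the PR replaces the assert with an explicit guard.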

michaelalber and others added 2 commits April 26, 2026 16:00
…rt command

Ruff S101/Bandit B101: replaced `assert parser is not None` with an
explicit RuntimeError guard — assert is stripped with -O and is not a
reliable control-flow mechanism.

Ruff S603/Bandit B603/B404: added inline nosec/noqa suppressions on the
subprocess import and the subprocess.run call. The invocation uses
sys.executable (same interpreter) with hardcoded flag strings and a
validated Path; shell=False is the default — not a command-injection risk.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
… truncation log

parser.py: AcceleratorOptions exists at runtime in docling.datamodel.pipeline_options
but the module defines no __all__, so mypy strict/no_implicit_reexport cannot verify
the export. Added type: ignore[attr-defined] scoped to the lazy import block.

embeddings.py: Semgrep python-logger-credential-disclosure fires on the truncation
warning because the format string contains chunk_index=%s — a diagnostic field, not
a credential. Added nosemgrep suppression with the full rule ID.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@michaelalber michaelalber merged commit 1687e08 into main Apr 26, 2026
9 of 10 checks passed
@michaelalber michaelalber deleted the fix/ci-security-gate-failures branch April 26, 2026 23:02