From 22f5726d495284bec8c6f7b8c9c92b3f79766f74 Mon Sep 17 00:00:00 2001
From: Oliver Baer <75138893+mrwind-up-bird@users.noreply.github.com>
Date: Tue, 10 Mar 2026 02:54:46 +0100
Subject: [PATCH] fix(autofix): Unbounded jq processing without validation

---
 examples/github-actions/risk-audit.yml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/examples/github-actions/risk-audit.yml b/examples/github-actions/risk-audit.yml
index 5657ff9f..77c45499 100644
--- a/examples/github-actions/risk-audit.yml
+++ b/examples/github-actions/risk-audit.yml
@@ -95,10 +95,10 @@ jobs:
 echo "| Staleness | 10% | Time since last modification |" >> audit-report.md
 echo "| Error Rate | 10% | Runtime errors from telemetry |" >> audit-report.md
 echo "| Coupling | 5% | Tightly coupled files |" >> audit-report.md
- echo "| Churn | 5% | Frequency of changes |" >> audit-report.md
- echo "" >> audit-report.md
- echo "## Critical Risk Files" >> audit-report.md
+ CRITICAL=$(jq -r 'if type == "object" and has("summary") then .summary.critical // 0 else 0 end' audit.json)
+ HIGH=$(jq -r 'if type == "object" and has("summary") then .summary.high // 0 else 0 end' audit.json)
+ MEDIUM=$(jq -r 'if type == "object" and has("summary") then .summary.medium // 0 else 0 end' audit.json)
 echo "" >> audit-report.md
 if [ "$CRITICAL" -gt 0 ]; then
@@ -125,7 +125,7 @@ jobs:
 echo "## Quick Wins" >> audit-report.md
 echo "" >> audit-report.md
- QUICK_WINS=$(jq -r '.quickWins | length // 0' audit.json)
+ jq -r 'if type == "object" and has("items") then .items[] | select(.riskLevel == "critical") | "| `\(.file)` | \(.riskScore) | \(.factors[:2] | map(.factor) | join(\", \")) |" else empty end' audit.json >> audit-report.md
 if [ "$QUICK_WINS" -gt 0 ]; then
 echo "Low-effort, high-impact improvements:" >> audit-report.md
 echo "" >> audit-report.md
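Review bot: The three `CRITICAL=`/`HIGH=`/`MEDIUM=` assignments replace the `| Churn | 5% | Frequency of changes |` table row, the blank line and the `## Critical Risk Files` heading rather than being added next to them, so the generated report loses its last factor row and the heading that the following `if [ "$CRITICAL" -gt 0 ]` block presumably writes under; the three removed `echo` lines should stay and the assignments go after them. The `-gt 0` comparison also aborts rather than evaluating false when jq fails or `.summary.critical` is not an integer (empty or non-numeric `$CRITICAL` is a test error, "integer expression expected"), so default the value before comparing, e.g. `case "$CRITICAL" in ''|*[!0-9]*) CRITICAL=0;; esac`, and do the same for `HIGH` and `MEDIUM`. The `run:` block these lines belong to starts before the hunk.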
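Review bot: `QUICK_WINS` is no longer assigned anywhere once this hunk removes `QUICK_WINS=$(jq -r '.quickWins | length // 0' audit.json)`, yet the unchanged `if [ "$QUICK_WINS" -gt 0 ]; then` two lines later still tests it, so the test now sees an empty string, errors with "integer expression expected", and the quick-wins section is never written. The replacement jq line also emits the critical-risk table rows directly under the `## Quick Wins` heading, where the quick-wins list used to be. Keep the count, guarded like the other counters, `QUICK_WINS=$(jq -r 'if type == "object" and has("quickWins") then (.quickWins | length) else 0 end' audit.json)`, and move the critical-rows jq line to the `## Critical Risk Files` section (the heading the `@@ -95` hunk deletes). The enclosing `run:` block continues past the hunk.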
@@ -137,7 +137,7 @@ jobs:
 echo "" >> audit-report.md
 echo "---" >> audit-report.md
 echo "*Generated by CKB risk audit*" >> audit-report.md
-
+ jq -r 'if type == "object" and has("items") then .items[] | select(.riskLevel == "high") | "| `\(.file)` | \(.riskScore) | \(.factors[:2] | map(.factor) | join(\", \")) |" else empty end' audit.json | head -20 >> audit-report.md
 - name: Upload Report
 uses: actions/upload-artifact@v4
 with:
@@ -150,7 +150,7 @@ jobs:
 - name: Create/Update Issue
 if: steps.audit.outputs.critical > 0 || steps.audit.outputs.high > 5
 uses: actions/github-script@v7
- with:
+ jq -r 'if type == "object" and has("quickWins") then .quickWins[] | "- **\(.action)**: `\(.target)` (effort: \(.effort), impact: \(.impact))" else empty end' audit.json >> audit-report.md
 script: |
 const fs = require('fs');
 const report = fs.readFileSync('audit-report.md', 'utf8');
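Review bot: The added high-risk `jq ... | head -20` line is written after `*Generated by CKB risk audit*`, i.e. as the last output to audit-report.md, so the rows land below the report footer and outside any table header; it belongs in the high-risk section above the `---` separator, together with its header row. The `head -20` cap is also silent: with more than 20 high-risk files the report truncates without saying so, so a line such as `echo "_Showing at most 20 high-risk files_" >> audit-report.md` after it would make the cut visible. The `.file` and `.factor` values from audit.json are interpolated into Markdown table cells unescaped, so a `|` or newline in a path breaks the row; escaping the cell with something like `gsub("\\|"; "\\|")` inside the filter avoids that. Whether this line sits inside the report `run:` block or at step level cannot be confirmed here because the hunk's indentation is not preserved.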
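Review bot: The `+` line replaces the `with:` key of the `actions/github-script@v7` step with a shell command, so `script: |` no longer has a parent key and the line itself becomes a bare `jq ... >> audit-report.md` scalar inside a step mapping — the workflow YAML will not parse, which takes the whole job down rather than just this step. `with:` must be restored, and the quick-wins jq line belongs in the report `run:` block under `## Quick Wins` (where the `@@ -125` hunk currently writes the critical rows instead). Separately, `.action` and `.target` from audit.json go straight into Markdown that the script below reads from audit-report.md and, judging by the step name, posts to an issue; a comment such as `# audit.json values are taken as produced by the audit step and are not escaped for Markdown` would at least record that assumption. The `script: |` body continues past the end of the hunk.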