
Refactor formatCompilerError and unify security findings formatting #16598

Merged
pelikhan merged 4 commits into main from copilot/refactor-security-findings-formatting
Feb 18, 2026

Copilot AI commented Feb 18, 2026

Security findings used ad-hoc formatting inconsistent with compiler errors. This made output harder to parse and prevented IDE integration (clickable file:line:column links).

Changes

  • Extract error formatter: Moved formatCompilerError from compiler.go to dedicated compiler_error_formatter.go for reuse
  • Add position variant: Created formatCompilerErrorWithPosition(filePath, line, column, ...) for precise error locations
  • Unify security output: Refactored FormatSecurityFindings() to use compiler error formatter with file context

Before/After

Before:

Security scan found 2 issue(s) in workflow markdown:
  1. [unicode-abuse] line 5: contains invisible character
  2. [html-abuse] line 10: <script> tag detected

After:

Security scan found 2 issue(s) in workflow markdown:

malicious-workflow.md:5:1: error: [unicode-abuse] contains invisible character
malicious-workflow.md:10:1: error: [html-abuse] <script> tag detected

IDE-parseable format enables click-to-navigate in VS Code, JetBrains IDEs, etc.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:


If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

This section details on the original issue you should resolve

<issue_title>security findings</issue_title>
<issue_description>Use formatCompilerError to format security findings in markdown HTML comment validation. Refactor formatCompilerError into reusable functions (own file) first.</issue_description>

Comments on the Issue (you are @copilot in this section)

Custom agent used: custom-engine-implementation
Comprehensive guide for implementing custom agentic engines in gh-aw
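
The unified `file:line:column: error: [category] message` layout shown in the PR description, as an added Go example that is not the project's code: `Finding`, `sanitize`, `atLeastOne` and `formatFindings` are hypothetical names. Escaping control and invisible characters in the message is an assumption that goes beyond the description; it keeps text taken from the scanned file from splitting one finding into several diagnostic lines.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// Finding is a hypothetical result type; the project's own type is not shown on the page.
type Finding struct {
	Category     string
	Line, Column int // 1-based; 0 means the scanner did not report a position
	Message      string
}

// sanitize escapes control and invisible format runes so one finding stays on one line.
func sanitize(s string) string {
	var b strings.Builder
	for _, r := range s {
		if unicode.IsControl(r) || unicode.Is(unicode.Cf, r) {
			fmt.Fprintf(&b, "\\u%04X", r)
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

func atLeastOne(n int) int { // unknown (0) positions become 1
	if n < 1 {
		return 1
	}
	return n
}

// formatFindings renders each finding as "file:line:column: error: [category] message".
func formatFindings(file string, findings []Finding) string {
	var b strings.Builder
	fmt.Fprintf(&b, "Security scan found %d issue(s) in workflow markdown:\n\n", len(findings))
	for _, f := range findings {
		fmt.Fprintf(&b, "%s:%d:%d: error: [%s] %s\n", file, atLeastOne(f.Line), atLeastOne(f.Column), f.Category, sanitize(f.Message))
	}
	return b.String()
}

func main() {
	// Constructed sample input mirroring the findings in the PR description.
	sample := []Finding{{"unicode-abuse", 5, 0, "contains invisible character"}, {"html-abuse", 10, 0, "<script> tag detected"}}
	fmt.Print(formatFindings("malicious-workflow.md", sample))
}
```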



…ate FormatSecurityFindings

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
@pelikhan pelikhan marked this pull request as ready for review February 18, 2026 16:37
Copilot AI review requested due to automatic review settings February 18, 2026 16:37

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.



Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Refactor formatCompilerError for reusable security findings formatting" to "Refactor formatCompilerError and unify security findings formatting" on Feb 18, 2026
Copilot AI requested a review from pelikhan February 18, 2026 16:46
@pelikhan pelikhan merged commit f866b87 into main Feb 18, 2026
52 checks passed
@pelikhan pelikhan deleted the copilot/refactor-security-findings-formatting branch February 18, 2026 16:52

Development

Successfully merging this pull request may close these issues.

security findings

3 participants