
Harden code-scanning hotspots in process invocation and wildcard expansion#629

Draft
Copilot wants to merge 6 commits into main from copilot/fix-code-scanning-issues

Conversation

Copilot AI (Contributor) commented Mar 18, 2026

Summary

Addresses the code-scanning findings by removing shell-style argument construction from Docker-based test helpers and by rejecting traversal-style roots during code analysis wildcard expansion.

  • Process execution hardening
    • Replaced flattened ProcessStartInfo(..., "arg1 arg2 ...") usage with tokenized ArgumentList construction in Docker-related test fixtures.
    • Preserves argument boundaries for values containing spaces/special characters and removes the command-injection pattern flagged by static analysis.
  • Wildcard expansion hardening
    • Canonicalizes enumeration roots before file discovery.
    • Rejects parent-traversal segments (for example ..) before filesystem enumeration when expanding --code-analysis-results patterns.
  • Regression coverage
    • Added focused tests for safe process argument handling.
    • Added a traversal regression test for WildcardExpander.

```csharp
using System.Diagnostics;

// Tokenized construction: each Add() call becomes exactly one argv entry,
// so imageName and commandArg keep their boundaries even when they contain
// spaces or shell metacharacters.
var psi = new ProcessStartInfo("docker");
psi.ArgumentList.Add("run");
psi.ArgumentList.Add("--rm");
psi.ArgumentList.Add(imageName);
psi.ArgumentList.Add(commandArg);
```

Checklist

  • All checks pass (build, test, lint)
  • Commits follow Conventional Commits
  • PR description uses the standard template (Problem / Change / Verification)

Merge method: Use Rebase and merge to maintain a linear history. The repository enforces rebase-only merges by default.

Create & merge guidance: Use scripts/pr-github.sh create to create PRs, and scripts/pr-github.sh create-and-merge to perform the merge (this script is the authoritative, repo-preferred tool for PR creation and merges). If you need to inspect/check the PR, use GitHub chat tools (github/*) as needed.
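The two hardening patterns in the description, as an added C# example that is not the PR's own code: the class and method names are hypothetical, and the root check assumes patterns are resolved relative to a caller-supplied base directory. It goes one step beyond the description by also confirming the canonical root still lies under that base directory.

```csharp
using System;
using System.Diagnostics;
using System.IO;

// Added illustration of the two patterns the PR describes; not the repository's code.
// Class and method names are hypothetical.
public static class HardeningExample
{
    // Tokenized argument construction: each value becomes one argv entry, so a value
    // such as "sh -c 'echo x; id'" stays a single argument and is never re-parsed
    // by a shell the way a flattened "run --rm img cmd" string could be.
    public static ProcessStartInfo BuildDockerRun(string imageName, string commandArg)
    {
        var psi = new ProcessStartInfo("docker") { UseShellExecute = false };
        psi.ArgumentList.Add("run");
        psi.ArgumentList.Add("--rm");
        psi.ArgumentList.Add(imageName);
        psi.ArgumentList.Add(commandArg);
        return psi;
    }

    // Wildcard-root check: take the literal directory part before the first wildcard,
    // refuse any ".." segment, then canonicalize and confirm it stays under baseDir.
    // Returns false (and no root) when the pattern must not be enumerated.
    public static bool TryGetEnumerationRoot(string pattern, string baseDir, out string root)
    {
        root = string.Empty;
        int wildcardAt = pattern.IndexOfAny(new[] { '*', '?' });
        string head = wildcardAt < 0 ? pattern : pattern.Substring(0, wildcardAt);
        int lastSep = head.LastIndexOfAny(new[] { '/', '\\' });
        string literalDir = lastSep < 0 ? "." : head.Substring(0, lastSep);

        // Reject traversal in the raw input before touching the filesystem, so
        // "results/../../secrets/*.sarif" is refused rather than silently resolved.
        foreach (string segment in literalDir.Split(new[] { '/', '\\' }, StringSplitOptions.RemoveEmptyEntries))
            if (segment == "..") return false;

        string canonicalBase = Path.GetFullPath(baseDir)
            .TrimEnd(Path.DirectorySeparatorChar, Path.AltDirectorySeparatorChar) + Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(baseDir, literalDir));

        // Absolute patterns (e.g. "/etc/*") resolve outside baseDir and are refused too.
        if (!(candidate + Path.DirectorySeparatorChar).StartsWith(canonicalBase, StringComparison.Ordinal))
            return false;

        root = candidate;
        return true;
    }
}
```

With baseDir "/work", the pattern "results/*.sarif" yields the root "/work/results", while "results/../../etc/*" and "/etc/*" both return false before any directory is enumerated.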


🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

Copilot AI changed the title from "[WIP] Fix issues reported in code scanning" to "Harden code-scanning hotspots in process invocation and wildcard expansion" on Mar 18, 2026
Copilot AI requested a review from oocx March 18, 2026 17:09
Copilot finished work on behalf of oocx March 18, 2026 17:09