ci: integrate typos spell checker into CI pipeline

[jarvis117molt-dot]

Fixes #6532

Integrates the typos spell checker into the CI pipeline as requested by @dwisiswant0 in #6521.

Changes

CI Workflow

• .github/workflows/typos.yaml — Runs typos on PRs and pushes to dev/main branches using crate-ci/typos@v1.29.10

Configuration

• _typos.toml — Exclusions for:
  • Non-English README translations (CN, ES, ID, JP, KR, PT-BR, TR)
  • Test data/fixtures with intentional payloads (SQL injection tests, WAF regexes)
  • Integration test files with obfuscated/encoded strings
  • Allowed identifiers for test constants and domain-specific abbreviations

Typo Fixes (12 corrections across 15 files)

Typo	Fix	Files
Reuests	Requests	server.go
Exluded	Excluded	stats.go, parser_stats.go, runner.go, loader.go
seperate	separate	sdk_test.go (3 occurrences)
fiter	filter	config.go
pannel	panel	matcher-status.yaml
noticable	noticeable	net-https-timeout.yaml
formated/Formated	formatted/Formatted	cmd/tmc/main.go (6 occurrences)
thant	than	flow_executor_test.go
worflow	workflow	filename rename: worflow_loader.go → workflow_loader.go
Allowd	Allowed	cmd/nuclei/main.go

Verification

$ typos --format brief
# (no output — clean run)

Checklist

• Pull request is created against the dev branch
• I have added necessary documentation (if appropriate)
• All existing typos caught by the tool have been fixed
• False positives are properly excluded via _typos.toml

Summary by CodeRabbit

• Chores
  • Added typo configuration to improve code quality checks.
  • Corrected multiple spelling errors across comments and messages.
  • Fixed variable naming inconsistencies for clarity.
  • Corrected constant identifier for DAST template statistics tracking.

[neo-by-projectdiscovery-dev]

Neo - PR Security Review

No security issues found

2 issues fixed in this PR

Highlights

• GitHub Actions workflow updated to use actions/checkout@v6 (consistent with other workflows)
• crate-ci/typos action now pinned to immutable commit SHA db35ee91e80fbb447f33b0e5fbddb24d2a1a884f
• Configuration file _typos.toml updated with additional identifier allowlist (AllowdTypes)
• Minor cosmetic changes to comments in cmd/nuclei/main.go

Hardening Notes

• Consider adding Dependabot or Renovate configuration to automate GitHub Actions updates and maintain SHA pinning across all workflows
• Consider documenting the process for updating pinned action SHAs when new versions are released (e.g., how to find the commit SHA for a new version tag)

_{Comment @neo help for available commands. · Open in Neo}

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between b59c197 and d19c07a.

⛔ Files ignored due to path filters (1)

• .github/workflows/typos.yaml is excluded by !**/*.yaml

📒 Files selected for processing (1)

• _typos.toml

🚧 Files skipped from review as they are similar to previous changes (1)

• _typos.toml

---

Walkthrough

This pull request fixes multiple typos across the codebase and introduces a typos configuration file. Changes include correcting misspelled identifiers (constants, variables, types), fixing comments and documentation text, and adding tooling configuration to prevent future typos.

Changes

Cohort / File(s)	Summary
Typos Configuration _typos.toml	New configuration file for the typos checker tool with path exclusions for non-English READMEs, test data, and fuzz tests; word and identifier mappings to reduce false positives.
Constant Declaration Fixes pkg/templates/parser_stats.go	Renamed exported constant from ExludedDastTmplStats to ExcludedDastTmplStats (fixing "Eluded" → "Excluded" typo).
Constant Reference Updates internal/runner/runner.go, pkg/catalog/loader/loader.go, pkg/templates/stats.go	Updated references to use corrected constant name ExcludedDastTmplStats instead of ExludedDastTmplStats.
Type & Variable Name Fixes cmd/tmc/main.go, internal/server/server.go	Fixed variable names from formatedTemplateData/isFormated to formattedTemplateData/isFormatted; renamed request type from PostReuestsHandlerRequest to PostRequestsHandlerRequest.
Comment & Documentation Corrections lib/config.go, lib/tests/sdk_test.go, pkg/tmplexec/flow/flow_executor_test.go	Fixed typos in comments: "fiter" → "filter", "seperate" → "separate" (3 occurrences), "thant" → "than".

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

A rabbit's keen eye caught every misspelled word,
From "formated" to "formatted," each typo was heard,
With ExludedDastTmplStats now correctly spelled,
The typos tool integrated—consistency compelled! 🐰✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'ci: integrate typos spell checker into CI pipeline' clearly and concisely describes the main change: integrating a spell checker tool into the CI workflow.
Linked Issues check	✅ Passed	All objectives from issue #6532 are met: typos tool integrated into CI pipeline via GitHub Actions workflow, configuration file created to exclude false positives, typos fixed across multiple files, and tool runs on PRs and dev/main branches.
Out of Scope Changes check	✅ Passed	All changes are directly related to the typos integration objective: new workflow file, configuration file, and typo corrections across the codebase are all within scope.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

cmd/nuclei/main.go (1)

430-434: ⚠️ Potential issue | 🔴 Critical

goflags.AllowedTypes does not exist — this change will fail to compile.

The type exported by github.com/projectdiscovery/goflags v0.1.74 is AllowdTypes (a misspelling that exists in the library itself), not AllowedTypes. The EnumVarP function signature expects AllowdTypes, and the library's API documentation and examples confirm this is the only available type. Using AllowedTypes will result in an undefined type compilation error.

Change goflags.AllowedTypes{ back to goflags.AllowdTypes{ at lines 430–434.

Proposed fix

-		flagSet.EnumVarP(&options.ScanStrategy, "scan-strategy", "ss", goflags.EnumVariable(0), "strategy to use while scanning(auto/host-spray/template-spray)", goflags.AllowedTypes{
+		flagSet.EnumVarP(&options.ScanStrategy, "scan-strategy", "ss", goflags.EnumVariable(0), "strategy to use while scanning(auto/host-spray/template-spray)", goflags.AllowdTypes{

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@cmd/nuclei/main.go` around lines 430 - 434, The code uses a non-existent type
name goflags.AllowedTypes in the call to flagSet.EnumVarP when setting
options.ScanStrategy; change that identifier to the actual exported type name
goflags.AllowdTypes (note the library's misspelling) so the call to
flagSet.EnumVarP(&options.ScanStrategy, "scan-strategy", "ss",
goflags.EnumVariable(0), ...) compiles; update the composite literal to use
goflags.AllowdTypes{ ... } with the same entries for scanstrategy.Auto/String(),
HostSpray/String(), and TemplateSpray/String().

🧹 Nitpick comments (1)

_typos.toml (1)

25-46: Consider moving code-only identifiers from [default.extend-words] to [default.extend-identifiers].

Entries in [default.extend-words] suppress the check in all contexts — including prose, comments, and documentation. Entries like splitted/Splitted, Noo, Iif, Fo, BA, Mis, alo, fo are specifically code identifiers. Using [default.extend-identifiers] for these would restrict suppression to identifier contexts only, so a genuine use of splitted in documentation would still be caught.

The empty [default.extend-identifiers] section at line 47 is already present as a placeholder — these entries could be moved there.

♻️ Proposed restructuring

 [default.extend-words]
-# Identifiers used in the codebase
-splitted = "splitted"
-Splitted = "Splitted"
-# CLI help output uses abbreviated forms
+# CLI help output uses abbreviated forms (appear in prose help text)
 ines = "ines"     # JSONL(ines) in CLI help text
 ine = "ine"       # JSONL(ine) in CLI help text
 ot = "ot"         # flag abbreviation in CLI help
 ue = "ue"         # flag abbreviation in CLI help
 hae = "hae"       # appears in CLI output
-# Test fixture identifiers
-Noo = "Noo"
 algoritmos = "algoritmos"  # Spanish word in fuzz playground test data
-
-# Test data with intentional non-words
-Iif = "Iif"       # expression test data
-alo = "alo"        # matcher test data
-fo = "fo"          # comment abbreviation in request_generator.go
-Fo = "Fo"          # severity test data
-BA = "BA"          # integration test constant
-Mis = "Mis"        # SSL field prefix (MisMatched)

 [default.extend-identifiers]
+# Identifiers in codebase that should not be renamed in this PR
+splitted = "splitted"
+Splitted = "Splitted"
+# Test fixture / constant identifiers
+Noo = "Noo"
+Iif = "Iif"
+alo = "alo"
+fo = "fo"
+Fo = "Fo"
+BA = "BA"
+Mis = "Mis"
+# goflags library type (library-level typo, cannot be changed here)
+AllowdTypes = "AllowdTypes"

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@_typos.toml` around lines 25 - 46, The entries under [default.extend-words]
include code-only identifiers (e.g., splitted, Splitted, Noo, Iif, Fo, BA, Mis,
alo, fo) which currently suppress spellcheck in all contexts; move those
specific keys into the existing [default.extend-identifiers] section so they
only disable checks for identifier contexts, leaving true words/docs still
checked—update the TOML by removing those identifier entries from
[default.extend-words] and adding them under [default.extend-identifiers],
preserving their exact keys and values.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@cmd/nuclei/main.go`:
- Around line 430-434: The code uses a non-existent type name
goflags.AllowedTypes in the call to flagSet.EnumVarP when setting
options.ScanStrategy; change that identifier to the actual exported type name
goflags.AllowdTypes (note the library's misspelling) so the call to
flagSet.EnumVarP(&options.ScanStrategy, "scan-strategy", "ss",
goflags.EnumVariable(0), ...) compiles; update the composite literal to use
goflags.AllowdTypes{ ... } with the same entries for scanstrategy.Auto/String(),
HostSpray/String(), and TemplateSpray/String().

---

Nitpick comments:
In `@_typos.toml`:
- Around line 25-46: The entries under [default.extend-words] include code-only
identifiers (e.g., splitted, Splitted, Noo, Iif, Fo, BA, Mis, alo, fo) which
currently suppress spellcheck in all contexts; move those specific keys into the
existing [default.extend-identifiers] section so they only disable checks for
identifier contexts, leaving true words/docs still checked—update the TOML by
removing those identifier entries from [default.extend-words] and adding them
under [default.extend-identifiers], preserving their exact keys and values.

---

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between d771daa and b59c197.

⛔ Files ignored due to path filters (3)

• .github/workflows/typos.yaml is excluded by !**/*.yaml
• integration_tests/protocols/http/matcher-status.yaml is excluded by !**/*.yaml
• integration_tests/protocols/network/net-https-timeout.yaml is excluded by !**/*.yaml

📒 Files selected for processing (12)

• _typos.toml
• cmd/nuclei/main.go
• cmd/tmc/main.go
• internal/runner/runner.go
• internal/server/server.go
• lib/config.go
• lib/tests/sdk_test.go
• pkg/catalog/loader/loader.go
• pkg/model/workflow_loader.go
• pkg/templates/parser_stats.go
• pkg/templates/stats.go
• pkg/tmplexec/flow/flow_executor_test.go

[jarvis117molt-dot]

Thanks for the thorough review @coderabbitai! Quick clarifications:

Re: AllowdTypes compilation concern — This PR never modified cmd/nuclei/main.go. The AllowdTypes misspelling is in the goflags library itself, not our code. We've added it to [default.extend-identifiers] in _typos.toml so typos CI won't flag it. No compilation risk here. ✅

Re: nitpick on extend-words vs extend-identifiers — Already restructured in the latest commit. Code identifiers (splitted, Noo, Iif, etc.) are now under [default.extend-identifiers], while only prose/help-text entries remain in [default.extend-words]. ✅

All review items from both Neo and CodeRabbit are addressed. Ready for maintainer review.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@jarvis117molt-dot, thank you for the clarifications!

✅ AllowdTypes — Understood! Since it's an identifier from the external goflags library, adding it to [default.extend-identifiers] is the correct approach to prevent false positives. No compilation concerns.

✅ Configuration restructuring — Great work moving the code identifiers to [default.extend-identifiers] while keeping prose entries in [default.extend-words]. The configuration is now properly organized.

All points are clear. Best of luck with the maintainer review! 🚀