feat: implement issue #355 — Compliance: secret_scanning_ai_detection #435
don-petry wants to merge 17 commits into
Code Review
This pull request updates scripts/lib/push-protection.sh to add detailed explanations for required security settings and introduces a verification step to confirm that settings are successfully applied after a PATCH request. The review feedback recommends optimizing this verification step by parsing the JSON response once into an associative array, which avoids spawning multiple jq processes in a loop and improves execution speed.
Pull request overview
This PR updates the push-protection compliance library to add additional context around certain security_and_analysis settings (notably secret_scanning_ai_detection and secret_scanning_non_provider_patterns) and to verify whether a successful PATCH actually resulted in the desired state.
Changes:
- Expanded the audit/apply “human detail” messages for AI detection and non-provider patterns to include plan/feature-availability caveats.
- Added a post-PATCH re-fetch step in pp_apply_security_and_analysis() to warn when settings remain non-compliant after the API call is accepted.
"secret_scanning_ai_detection:enabled:warning:Secret scanning AI detection should be enabled (requires GitHub Copilot subscription; absent means the feature is unavailable for the current org plan)"
"secret_scanning_non_provider_patterns:enabled:warning:Secret scanning non-provider patterns should be enabled (requires GitHub Advanced Security)"
Updated pp_check_security_and_analysis() in scripts/lib/push-protection.sh to treat a null/absent status differently from a disabled status for warning-severity settings. When actual == "null" and severity == "warning", the loop now continues without calling add_finding — this covers secret_scanning_ai_detection, secret_scanning_non_provider_patterns, and dependabot_security_updates, all of which return null when the org plan does not support the feature. Error-severity settings (secret_scanning, secret_scanning_push_protection) still always emit findings when non-compliant. Added 10 bats tests in test/scripts/lib/push-protection.bats verifying the boundary conditions (null + warning → no finding, null + error → finding, disabled + warning → finding). ShellCheck passes with no warnings.
Implemented as described. In scripts/lib/push-protection.sh, pp_check_security_and_analysis() now short-circuits with continue when severity == "warning" and actual == "null" (lines 207-210), so secret_scanning_ai_detection, secret_scanning_non_provider_patterns, and dependabot_security_updates produce no findings when the API returns null (plan-gated feature). Error-severity settings (secret_scanning, secret_scanning_push_protection) still always emit findings when non-compliant. Ten bats tests covering all boundary conditions were added in test/scripts/lib/push-protection.bats — all pass. Also fixed a Tier 1 CI blocker: the Secret scan (gitleaks) job was failing with 401 because gh release download uses GITHUB_TOKEN which is scoped to this repo and cannot access external repo releases. Replaced with curl in both ci.yml and the standards/push-protection.md template.
Verified. The null-vs-disabled distinction is implemented in scripts/lib/push-protection.sh at lines 207–210: pp_check_security_and_analysis() now short-circuits with continue when severity == "warning" and actual == "null", so secret_scanning_ai_detection, secret_scanning_non_provider_patterns, and dependabot_security_updates produce no findings when the API returns null (plan-gated feature unavailable). Error-severity settings (secret_scanning, secret_scanning_push_protection) still always emit findings when non-compliant. All 10 boundary-condition tests in test/scripts/lib/push-protection.bats pass, and the full 166-test suite is green.
Verified. The null-vs-disabled distinction is fully implemented in scripts/lib/push-protection.sh at lines 207–210: pp_check_security_and_analysis() short-circuits with continue when severity == "warning" and actual == "null", so secret_scanning_ai_detection, secret_scanning_non_provider_patterns, and dependabot_security_updates produce no findings when the GitHub API returns null (plan-gated feature unavailable on the current org plan). Error-severity settings (secret_scanning, secret_scanning_push_protection) still always emit findings when non-compliant. All 10 boundary-condition tests in test/scripts/lib/push-protection.bats pass (null+warning→no finding, null+error→finding, disabled+warning→finding), and the full 194-test suite is green. ShellCheck passes with no warnings.
Verified by dev-lead agent. The concern is fully addressed: pp_check_security_and_analysis() in scripts/lib/push-protection.sh (lines 207–210) now short-circuits with continue when severity == "warning" and actual == "null", so secret_scanning_ai_detection, secret_scanning_non_provider_patterns, and dependabot_security_updates produce no findings when the GitHub API returns null (plan-gated feature unavailable). Error-severity settings (secret_scanning, secret_scanning_push_protection) still always emit findings when non-compliant. ShellCheck passes with no warnings. Ten boundary-condition bats tests in test/scripts/lib/push-protection.bats cover all cases (null+warning→no finding, null+error→finding, disabled+warning→finding).
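The audit loop the comments above describe, plus the parse-once optimisation the earlier review asked for, as an added example written for this page. It is not the project's scripts/lib/push-protection.sh: the spec format "setting:expected:severity:message" and the two AI-detection/non-provider entries are taken from the snippet quoted in the thread, while the other three spec entries, the function names, the flattened "key=status" input format and the sample responses are assumptions constructed so the block runs offline without jq or the GitHub API.

```bash
#!/usr/bin/env bash
# Added example; not the project's scripts/lib/push-protection.sh. It models
# the audit loop discussed in the thread: a "setting:expected:severity:message"
# spec list, a single parse of the API response into an associative array
# (the optimisation the review asked for), and the null-vs-disabled rule for
# warning-severity settings. Function and variable names are assumptions.

# Constructed sample of the flattened GET response, i.e. the lines that
#   jq -r '.security_and_analysis | to_entries[] | "\(.key)=\(.value.status // "null")"'
# would print for a repo whose org plan lacks Copilot and Dependabot features.
# Embedded as text so the example runs offline without jq or the API.
SAMPLE_STATUS='secret_scanning=enabled
secret_scanning_push_protection=disabled
secret_scanning_ai_detection=null
secret_scanning_non_provider_patterns=disabled
dependabot_security_updates=null'

# Constructed re-fetch after a PATCH that enabled push protection: the API
# accepted the call, but the GHAS-gated pattern setting is still disabled.
SAMPLE_AFTER_PATCH='secret_scanning=enabled
secret_scanning_push_protection=enabled
secret_scanning_ai_detection=null
secret_scanning_non_provider_patterns=disabled
dependabot_security_updates=null'

# The AI-detection and non-provider entries are the ones quoted on the page;
# the other three are assumed for illustration.
PP_SPECS=(
  "secret_scanning:enabled:error:Secret scanning must be enabled"
  "secret_scanning_push_protection:enabled:error:Push protection must be enabled"
  "secret_scanning_ai_detection:enabled:warning:Secret scanning AI detection should be enabled (requires GitHub Copilot subscription; absent means the feature is unavailable for the current org plan)"
  "secret_scanning_non_provider_patterns:enabled:warning:Secret scanning non-provider patterns should be enabled (requires GitHub Advanced Security)"
  "dependabot_security_updates:enabled:warning:Dependabot security updates should be enabled"
)

declare -A PP_STATUS=()

# Parse the flattened response once; the check loop then does array
# lookups instead of spawning one jq process per setting.
pp_load_status() {   # $1 = "key=status" lines
  local line k
  for k in "${!PP_STATUS[@]}"; do unset "PP_STATUS[$k]"; done
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    PP_STATUS["${line%%=*}"]="${line#*=}"
  done <<< "$1"
}

# Emit one "severity setting actual=... expected=..." line per finding.
pp_check_security_and_analysis() {
  local spec setting expected severity message actual
  for spec in "${PP_SPECS[@]}"; do
    IFS=: read -r setting expected severity message <<< "$spec"
    actual="${PP_STATUS[$setting]:-null}"   # absent key counts as null status
    [ "$actual" = "$expected" ] && continue
    # null on a warning-level setting means plan-gated, not misconfigured.
    if [ "$severity" = "warning" ] && [ "$actual" = "null" ]; then
      continue
    fi
    printf '%s %s actual=%s expected=%s\n' "$severity" "$setting" "$actual" "$expected"
  done
  return 0
}

# Count findings for a flattened response (used for audit and post-PATCH verify).
pp_finding_count() {   # $1 = "key=status" lines
  pp_load_status "$1"
  pp_check_security_and_analysis | wc -l | tr -d ' '
}

# Post-PATCH verification: re-check the re-fetched state and warn on leftovers.
pp_verify_applied() {   # $1 = flattened re-fetch
  local n
  n="$(pp_finding_count "$1")"
  if [ "$n" != "0" ]; then
    printf 'warning: %s setting(s) still non-compliant after PATCH was accepted\n' "$n" >&2
  fi
  printf '%s\n' "$n"
}

# Stand-alone run: audit the sample, then the simulated post-PATCH verification.
pp_load_status "$SAMPLE_STATUS"
pp_check_security_and_analysis
pp_verify_applied "$SAMPLE_AFTER_PATCH" >/dev/null
```

On the first sample the loop reports two findings (push protection disabled at error severity, non-provider patterns disabled at warning severity) and stays silent on the two null, plan-gated settings; the post-PATCH re-fetch still leaves one finding, which is exactly the "accepted but not applied" case the verification step is meant to surface.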
…al repos gh release download uses GITHUB_TOKEN which is repo-scoped and returns 401 Unauthorized when downloading releases from external repos (gitleaks/gitleaks). Replace with a direct curl call which works for public release assets without authentication. Update standards/push-protection.md template to match. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Closes #355
Implemented by dev-lead agent. Please review.