Feat: GH Issue generation based on severity#74
Conversation
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (6)
✅ Files skipped from review due to trivial changes (1)
🚧 Files skipped from review as they are similar to previous changes (4)
WalkthroughThis PR implements severity-based filtering for AquaSec security alerts in the organizational workflows. It adds a configurable minimum severity threshold ( ChangesSecurity Alert Severity Filtering
Sequence DiagramsequenceDiagram
participant Workflow as GitHub Workflow
participant CLI as security/main.py
participant Config as SecurityConfig
participant IssueSyncer as IssueSyncer
participant SyncLogic as sync_alerts_and_issues
participant FilterCheck as _meets_min_severity
Workflow->>CLI: parse args with --min-severity
CLI->>Config: load(args, env)
Config->>Config: normalize to lowercase
Config->>Config: validate against VALID_SEVERITIES
IssueSyncer->>SyncLogic: sync_alerts_and_issues(alerts, min_severity)
SyncLogic->>SyncLogic: iterate over alerts
SyncLogic->>FilterCheck: check alert.metadata.severity
FilterCheck->>FilterCheck: compare rank via SEVERITY_ORDER
alt Alert meets threshold
SyncLogic->>SyncLogic: ensure_issue(alert)
else Alert below threshold
SyncLogic->>SyncLogic: skip (continue)
end
SyncLogic->>SyncLogic: apply adept-to-close logic (all alerts)
🎯 3 (Moderate) | ⏱️ ~20 minutes Possibly related PRs
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 2
🧹 Nitpick comments (2)
src/security/README.md (2)
196-196: 💤 Low valueConsider mentioning "unknown" severity behavior in the feature description.
The implementation (context snippet 3, sync.py) includes special handling for findings with "unknown" severity: they pass when
min-severity=low(the default) but are filtered at higher thresholds. Documenting this edge case could help users understand the complete filtering behavior.📝 Optional addition to clarify edge case
-- **Severity filtering**: Configurable minimum severity threshold to limit issue creation to findings at or above the chosen level. +- **Severity filtering**: Configurable minimum severity threshold to limit issue creation to findings at or above the chosen level. Findings with unknown severity pass at the default threshold (`low`) but are filtered at higher thresholds.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/security/README.md` at line 196, Update the "Severity filtering" line to explicitly describe how findings with "unknown" severity are treated by the filter: note that with the default min-severity=low unknown findings are allowed through, but they are excluded when the configured min-severity is raised above low; reference the config key "min-severity" and the "unknown" severity behavior implemented in sync.py so users understand this edge case.
155-174: ⚡ Quick winConsider documenting the MIN_SEVERITY environment variable.
The local running examples document environment variables for AquaSec credentials, but the
MIN_SEVERITYenvironment variable (supported per context snippet 1, config.py) is not mentioned. Users running locally might prefer to set this via environment variable rather than the--min-severityCLI flag.📝 Example showing MIN_SEVERITY env var
Consider adding an example that shows the MIN_SEVERITY environment variable:
**With minimum severity threshold:** ```bash AQUA_KEY=... AQUA_SECRET=... AQUA_GROUP_ID=... AQUA_REPOSITORY_ID=... \ MIN_SEVERITY=high \ PYTHONPATH=src python3 src/security/main.py --repo <owner/repo></details> <details> <summary>🤖 Prompt for AI Agents</summary>Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.In
@src/security/README.mdaround lines 155 - 174, Add documentation for the
MIN_SEVERITY environment variable to the local run examples in README.md (the
same section that shows AQUA_KEY/AQUA_SECRET/AQUA_GROUP_ID/AQUA_REPOSITORY_ID
for dry-run/live/verbose). Show a short example that sets MIN_SEVERITY (e.g.,
MIN_SEVERITY=high) in the environment before invoking python3
src/security/main.py so users can see the env-var alternative to the
--min-severity CLI flag; reference the existing config.py behavior
(MIN_SEVERITY) in the text so readers know this env var is supported.</details> <!-- cr-comment:v1:7003ae75b0a69179e4b110ff --> </blockquote></details> </blockquote></details> <details> <summary>🤖 Prompt for all review comments with AI agents</summary>Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.Inline comments:
In@src/security/config.py:
- Around line 102-103: The validation error message for self.min_severity is
missing the f-string prefix so the allowed values aren't interpolated; update
the error append call (the block that checks "if self.min_severity not in
VALID_SEVERITIES") to use an f-string (e.g., f"...{',
'.join(sorted(VALID_SEVERITIES))}...") so VALID_SEVERITIES is formatted into the
message, keeping the same wording and reference to VALID_SEVERITIES and errors.In
@src/security/README.md:
- Line 188: Update the CLI flags table entry for
--min-severityto match the
workflow input docs: state the default value is'low'and note that the flag
is case-insensitive (accepts low/medium/high/critical in any letter case).
Locate the--min-severityrow in the CLI flags table (the entry currently only
lists allowed severities) and extend its description to include the default
'low'and the case-insensitivity behavior so both tables are consistent.
Nitpick comments:
In@src/security/README.md:
- Line 196: Update the "Severity filtering" line to explicitly describe how
findings with "unknown" severity are treated by the filter: note that with the
default min-severity=low unknown findings are allowed through, but they are
excluded when the configured min-severity is raised above low; reference the
config key "min-severity" and the "unknown" severity behavior implemented in
sync.py so users understand this edge case.- Around line 155-174: Add documentation for the MIN_SEVERITY environment
variable to the local run examples in README.md (the same section that shows
AQUA_KEY/AQUA_SECRET/AQUA_GROUP_ID/AQUA_REPOSITORY_ID for dry-run/live/verbose).
Show a short example that sets MIN_SEVERITY (e.g., MIN_SEVERITY=high) in the
environment before invoking python3 src/security/main.py so users can see the
env-var alternative to the --min-severity CLI flag; reference the existing
config.py behavior (MIN_SEVERITY) in the text so readers know this env var is
supported.</details> <details> <summary>🪄 Autofix (Beta)</summary> Fix all unresolved CodeRabbit comments on this PR: - [ ] <!-- {"checkboxId": "4b0d0e0a-96d7-4f10-b296-3a18ea78f0b9"} --> Push a commit to this branch (recommended) - [ ] <!-- {"checkboxId": "ff5b1114-7d8c-49e6-8ac1-43f82af23a33"} --> Create a new PR with the fixes </details> --- <details> <summary>ℹ️ Review info</summary> <details> <summary>⚙️ Run configuration</summary> **Configuration used**: Organization UI **Review profile**: CHILL **Plan**: Pro **Run ID**: `2bccaff2-4da2-4c88-acc7-b1ce5d44814b` </details> <details> <summary>📥 Commits</summary> Reviewing files that changed from the base of the PR and between 8737f561167222e0ef72bc18487017dac4533a31 and 3ad778071294df46a00b941abfa5a63029d1837c. </details> <details> <summary>📒 Files selected for processing (10)</summary> * `.github/workflows/aquasec-scan.yml` * `src/core/github/issues.py` * `src/security/README.md` * `src/security/config.py` * `src/security/constants.py` * `src/security/issues/sync.py` * `src/security/main.py` * `src/security/services/issue_syncer.py` * `tests/security/issues/test_sync.py` * `tests/security/test_config.py` </details> </details> <!-- This is an auto-generated comment by CodeRabbit for review status -->
miroslavpojer
left a comment
There was a problem hiding this comment.
See comments, pls.
Overview
This pull request introduces a configurable minimum severity threshold for security issue creation, allowing users to control which findings result in new or reopened GitHub issues. The changes span workflow configuration, backend logic, and documentation, and include comprehensive tests to ensure correct behavior.
Release Notes
Related
Closes #73
Summary by CodeRabbit
min-severity(default:low) to filter which security findings are promoted to issues, supportinglow,medium,high, andcritical.min-severityand the matching CLI flag.