fix: mark no-source skill scans not applicable#3
Conversation
Add a zero-dependency static web demo (examples/demo/index.html + README) that provides a live CLI/SDK/source-command snippet generator and displays security rule badges. Update top-level README to reference the interactive demo. Bump several devDependencies (TypeScript, ts-jest, eslint and TypeScript ESLint packages, @types/node, @types/jest) and add pnpm-lock.yaml. Also add a .comux* entry to .gitignore.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a 'not applicable' status for skill audits when CodeQL detects no analyzable source code, updating the core logic, CLI, and reporters to handle this state. It also adds an interactive web demo for generating audit snippets and updates the project documentation and dependencies. Review feedback highlights that several dependency versions in package.json appear to be incorrect or non-existent (e.g., TypeScript 5.9.3) and suggests refactoring duplicated report-writing logic in src/audit.ts for better maintainability.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Autofix Details
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: Console reporter prints identical not-applicable message twice
- The verdict line for
not_applicablenow prints a distinct message ('Audit skipped — no analyzable source.') instead of duplicating the findings-section text.
- The verdict line for
Or push these changes by commenting:
@cursor push 56cd6bc990
Preview (56cd6bc990)
diff --git a/src/reporters/console-reporter.ts b/src/reporters/console-reporter.ts
--- a/src/reporters/console-reporter.ts
+++ b/src/reporters/console-reporter.ts
@@ -117,7 +117,7 @@
}
if (result.status === 'not_applicable') {
- console.log(chalk.yellow.bold(' ⚪ Audit NOT APPLICABLE — no analyzable source code detected.'));
+ console.log(chalk.yellow.bold(' ⚪ Audit skipped — no analyzable source.'));
} else if (passed) {
console.log(chalk.green.bold(' ✅ Audit PASSED — no critical or high severity issues.'));
} else {You can send follow-ups to the cloud agent here.
|
Resolved all review threads:
Verification rerun locally:
|
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed:
parseSarifFileomits newly introducedstatusfield- Added the same
statusderivation asauditSkill(passedvsfailedfrom critical/high counts) to theparseSarifFilereturn value.
- Added the same
Or push these changes by commenting:
@cursor push 3966e531f0
Preview (3966e531f0)
diff --git a/src/audit.ts b/src/audit.ts
--- a/src/audit.ts
+++ b/src/audit.ts
@@ -309,5 +309,6 @@
findings,
summary,
passed: summary.critical === 0 && summary.high === 0,
+ status: summary.critical === 0 && summary.high === 0 ? 'passed' : 'failed',
};
}You can send follow-ups to the cloud agent here.
Reviewed by Cursor Bugbot for commit 05dd0f8. Configure here.
| writeSarifReport(result, outputFile); | ||
| } | ||
| } | ||
| writeAuditOutput(result, outputFormat, outputFile); |
There was a problem hiding this comment.
parseSarifFile omits newly introduced status field
Medium Severity
auditSkill now always populates result.status ('passed', 'failed', or 'not_applicable'), but parseSarifFile still returns an AuditResult without setting status. Downstream consumers (including the console reporter which branches on result.status) will see undefined for parsed SARIF results instead of the expected 'passed'/'failed' value. This inconsistency means the two code paths that produce AuditResult behave differently for the new field, which can lead to confusing output or silent logic mismatches.
Reviewed by Cursor Bugbot for commit 05dd0f8. Configure here.
1 participant
Summary
status: "not_applicable"audit results when CodeQL reports no analyzable source--fail-on-highfrom failing not-applicable scansCloses #2.
Verification
pnpm exec jest tests/audit.test.ts --runInBand --testPathIgnorePatterns='/.comux/'pnpm buildpnpm lintnode dist/cli.js audit /Users/buns/.openclaw/workspace/skills/linear-issue-management --format json --output /tmp/linear-scan.json --fail-on-high→status: not_applicableNote
Medium Risk
Changes the
auditSkillcontract and CLI exit behavior by introducing a newnot_applicablestatus when CodeQL can’t index any source, which could affect downstream consumers that assume only pass/fail semantics.Overview
Adds first-class handling for skills with no CodeQL-analyzable source:
auditSkillnow detects the CodeQL “no supported languages” error, returnsstatus: 'not_applicable'(withnotApplicableReason), and still writes JSON/SARIF output when requested.Updates CLI and console reporting to clearly distinguish not applicable from a clean pass and prevents
--fail-on-highfrom failing these skipped scans; also refactors output writing into a shared helper and adds a unit test for the new behavior.Documentation is expanded with a static interactive demo (
examples/demo), guidance on markdown-only/no-source scans and CodeQL CLI installation, plus a release checklist; dev tooling deps are bumped and apnpm-lock.yamlis added.Reviewed by Cursor Bugbot for commit 05dd0f8. Bugbot is set up for automated code reviews on this repo. Configure here.