Skip to content

fix(sarif): suppress code_scanning_alerts findings from SARIF output (close estate-wide self-echo)#368

Merged
hyperpolymath merged 1 commit into
mainfrom
fix/csa-sarif-self-echo
May 27, 2026
Merged

fix(sarif): suppress code_scanning_alerts findings from SARIF output (close estate-wide self-echo)#368
hyperpolymath merged 1 commit into
mainfrom
fix/csa-sarif-self-echo

Conversation

@hyperpolymath
Copy link
Copy Markdown
Owner

@hyperpolymath hyperpolymath commented May 27, 2026

Summary

  • CSA001/CSA002/CSA003/CSA004 are lens rules that query GitHub for open code-scanning alerts. When their findings are uploaded as SARIF, they become new code-scanning alerts that the next scan re-observes — an infinite self-echo loop.
  • The fetch-time filter at lib/rules/code_scanning_alerts.ex:340 (self_referential_alert?) stops the loop within any single scanner instance, but does not help once the SARIF has been uploaded and a subsequent scan picks it up. This PR closes that gap at SARIF render time.
  • Findings still flow through the Elixir pipeline (PatternAnalyzer, TriangleRouter, FleetDispatcher) — only the public GitHub code-scanning surface is suppressed.

Estate audit (2026-05-27)

A paginated sweep of all 328 active non-fork hyperpolymath repos found:

metric value
Repos with code-scanning 325
Repos with ≥1 CSA self-echo 310
CSA self-echo alerts open 7,724
Real findings open 11,785
Total open alerts 19,509
CSA share of total 39.6%
Average CSA / affected repo ~24.9

Top affected: zotero-tools (71), julia-ecosystem (66), my-lang (61), tentacles-agentic-syllabus (57).

Implementation

Single module attribute @meta_rule_modules ~w(code_scanning_alerts) in lib/hypatia/sarif.ex. from_findings/2 rejects findings whose rule_module matches before result/rule construction. Predicate handles atom, string-key, and binary-value shapes consistently with the rest of the module.

Follow-ups (separate PRs)

  • Bulk-dismiss the existing ~7,724 self-referential alerts as won't fix with documented reason once this merges and a fresh scan confirms no new ones are uploaded.
  • Tactical clean-up of julia-professional-registry to zero open alerts (canary repo for the dismissal sweep).
  • Wire code-scanning alerts as a recipe-matchable scan source into the dispatch pipeline so dispatch-runner produces PRs that resolve real findings (the 11,785 bucket).

Test plan

  • mix test test/sarif_test.exs — 13/13 pass (10 prior + 3 new under meta-rule suppression)
  • CI green
  • On next hypatia-scan run on a clean repo: confirm no hypatia/code_scanning_alerts/CSA00x alerts appear in the uploaded SARIF

🤖 Generated with Claude Code

@hyperpolymath @claude
fix(sarif): suppress code_scanning_alerts (CSA00x) findings from SARI…
b13cd37 
…F output

CSA001/CSA002/CSA003/CSA004 are lens rules that query GitHub for
open code-scanning alerts. Uploading their findings as SARIF turns
each one into a *new* code-scanning alert that the next scan
re-observes -- the boj-server post-mortem in
`code_scanning_alerts.ex` documents alerts 357-386 accumulated this
way.

A 2026-05-27 estate audit found this self-echo pattern is widespread:
7,724 self-referential alerts across 310 of 325 code-scan-enabled
repos (39.6% of all 19,509 open alerts on the estate).

The fetch-time filter in `code_scanning_alerts.ex:340` stops the
loop within any single scanner instance, but does not help when the
SARIF is uploaded by one runner and re-observed by the next.
Filtering at SARIF render time closes the loop for good.

Findings still flow through the Elixir pipeline (PatternAnalyzer,
TriangleRouter, FleetDispatcher) -- only the public GitHub
code-scanning surface is suppressed.

Existing self-referential alerts on already-uploaded SARIFs will
need to be bulk-dismissed as won't-fix in a follow-up sweep.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 27, 2026 17:58
This was referenced May 27, 2026
Merged
Open
hyperpolymath added a commit to hyperpolymath/julia-professional-registry that referenced this pull request May 27, 2026
@hyperpolymath @claude
fix(ci): close 7 real code-scanning alerts (canary for estate sweep) (#…
faab15d 
…17)

Adds the three missing standards reusables, pins the unpinned one,
adds a CodeQL workflow scoped to GitHub Actions (the repo's only
analyzable surface), and removes the stale root-level STATE.a2ml.

Alerts closed:

  #2  workflow_audit/missing_workflow  scorecard.yml
  #4  workflow_audit/missing_workflow  mirror.yml
  #6  workflow_audit/missing_workflow  secret-scanner.yml
  #7  workflow_audit/unpinned_action   governance.yml @main -> @4285741
  #8  cicd_rules/missing_requirement   scorecard.yml (same root as #2)
  #10 scorecard/StaticAnalysis         add codeql.yml language: actions
  #12 structural_drift/SD004           remove root .machine_readable/STATE.a2ml
                                        (canonical at .machine_readable/6a2/STATE.a2ml)

Not addressed here:

  #11 git_state/GS007  non-main branch `feat/register-echotypes-krladapter`
                       is the head of in-flight PR #16; will auto-resolve
                       when that PR merges or closes.

The 17 CSA001/CSA002/CSA003 self-referential alerts on this repo
were dismissed as `won't fix` against hyperpolymath/hypatia#368,
which suppresses the meta-rule lens at the SARIF render layer to
stop the self-echo at source.

All four wrapper workflows are pinned to standards/main HEAD SHA
4285741 (2026-05-27).

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@hyperpolymath hyperpolymath merged commit 22ef9f3 into main May 27, 2026
22 of 31 checks passed
@hyperpolymath hyperpolymath deleted the fix/csa-sarif-self-echo branch May 27, 2026 19:20
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 28, 2026

🔍 Hypatia Security Scan

Findings: 72 issues detected

Severity Count
🔴 Critical 0
🟠 High 1
🟡 Medium 71
View findings 
[
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in ci.yml",
    "type": "unknown",
    "file": "ci.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in clusterfuzzlite.yml",
    "type": "unknown",
    "file": "clusterfuzzlite.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in clusterfuzzlite.yml",
    "type": "unknown",
    "file": "clusterfuzzlite.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hyperpolymath