fix(scanners): exclude indexer-ignored dirs from vulture/radon/ty (drop .venv noise) #168

Merged
theagenticguy merged 1 commit into main from fix/scanner-venv-exclude
May 29, 2026

@theagenticguy
Owner

Summary

vulture, radon, and ty walk the project tree with no exclude, so they descend into .venv/ and report library dead-code/complexity/type findings. On a uv-managed repo this was 127 of 133 findings — 95% library noise drowning the 6 real ones (field-report Issue 2). The indexer already excludes these dirs via pipeline.HARDCODED_IGNORES; the scan runner never threaded that set into the scanner wrappers.

Fix

Thread the indexer's ignore set into the three tree-walking Python scanners, each formatted for its own CLI's exclude semantics (the adversarial review flagged these as not uniform):

  • vulture --exclude matches against absolute paths and treats a wildcard-free pattern as a substring — so a bare .venv would also suppress src/.venv_helpers.py. Each ignore name is anchored to a path segment (*/.venv/*).
  • radon -i matches directory basenames, so bare names are correct.
  • ty --exclude <name>/ plus --force-exclude (CLI-named paths bypass excludes otherwise — silent no-op without it).

DefaultWrapperContext gains vulture/radon/ty; createWrapperFor threads them the same way pip-audit's options flow; scan.ts buildWrapperContext populates all three from pipeline.HARDCODED_IGNORES — one source of truth, no drift. Scanners package stays free of an ingestion dependency (the CLI does the threading).

Test plan

  • End-to-end: codehub scan on ngs-research-agent now reports 6 findings (was 133) — vulture contributes 0 .venv noise; the 6 real findings (2 semgrep, 1 osv, 1 pip-audit, 2 radon) are unchanged.
  • New vulture tests: asserts the anchored */.venv/* form and a negative assertion that the bare name is never passed; plus a no-exclude-when-empty case.
  • @opencodehub/scanners 94/94, @opencodehub/cli 263/263, tsc + biome clean.
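The per-CLI formatting described in the Fix section, as an added example that is not the project's own code. Function names and the sample ignore set are hypothetical; `vultureExcludes` is a simplified model of the matching behaviour the description states (only `*` and `?` are modelled), and the comma-joined and repeated-flag argument shapes are assumptions.

```typescript
// Added example; function names are hypothetical, not OpenCodeHub source.

// Simplified model of vulture's --exclude matching as the PR describes it:
// patterns are matched against the absolute path, and a pattern with no
// wildcard behaves as a substring match.
function vultureExcludes(absPath: string, pattern: string): boolean {
  const glob = /[*?[]/.test(pattern) ? pattern : `*${pattern}*`;
  const escaped = glob.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp("^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$");
  return re.test(absPath);
}

// vulture: anchor each name to a path segment; emit nothing for an empty set.
function toVultureArgs(names: string[]): string[] {
  if (names.length === 0) return [];
  return ["--exclude", names.map((n) => `*/${n}/*`).join(",")];
}

// radon: -i matches directory basenames, so bare names pass through.
function toRadonArgs(names: string[]): string[] {
  if (names.length === 0) return [];
  return ["-i", names.join(",")];
}

// ty: one --exclude <name>/ per directory, plus --force-exclude so paths
// named on the command line do not bypass the excludes.
function toTyArgs(names: string[]): string[] {
  if (names.length === 0) return [];
  const args: string[] = [];
  for (const n of names) args.push("--exclude", `${n}/`);
  args.push("--force-exclude");
  return args;
}

// Constructed sample data (not the real contents of HARDCODED_IGNORES).
const SAMPLE_IGNORES = [".venv", "node_modules"];
const HELPER = "/repo/src/.venv_helpers.py";
const LIBRARY = "/repo/.venv/lib/site-packages/pkg/mod.py";

console.log("bare .venv hides helper:", vultureExcludes(HELPER, ".venv"));
console.log("anchored hides helper:", vultureExcludes(HELPER, "*/.venv/*"));
console.log("anchored hides library:", vultureExcludes(LIBRARY, "*/.venv/*"));
console.log(toVultureArgs(SAMPLE_IGNORES), toRadonArgs(SAMPLE_IGNORES), toTyArgs(SAMPLE_IGNORES));
```

The first check is the case that matters for scan coverage: an over-broad exclude silently drops first-party files from analysis, which is the opposite failure from the `.venv` noise the PR removes.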

…op .venv noise)

vulture/radon/ty walk the project tree directly with no exclude, so they
descend into .venv/ and report library dead-code, complexity, and type
findings. On a uv-managed repo this was 127/133 findings — 95% library
noise drowning the 6 real ones. The indexer already excludes these dirs via
pipeline.HARDCODED_IGNORES; the scan runner never threaded that set into the
wrappers.

- VultureWrapperOptions.excludeGlobs → vulture --exclude, each ignore name
  ANCHORED to a path segment (*/.venv/* not bare .venv, which vulture would
  substring-match and so also suppress src/.venv_helpers.py).
- RadonWrapperOptions.ignoreDirs → radon -i (matches directory basenames, so
  bare names are correct here).
- TyWrapperOptions.excludeGlobs → ty --exclude <name>/ plus --force-exclude
  (CLI-named paths bypass excludes otherwise).
- DefaultWrapperContext gains vulture/radon/ty; createWrapperFor threads them
  the pip-audit-options way; scan.ts buildWrapperContext populates all three
  from pipeline.HARDCODED_IGNORES (single source of truth, no drift).

Verified end-to-end: codehub scan on ngs-research-agent now reports 6
findings (was 133) — vulture contributes 0 .venv noise; the 6 real findings
(2 semgrep, 1 osv, 1 pip-audit, 2 radon) are unchanged. Scanners 94/94, cli
263/263, tsc + biome clean.

Field-report Issue 2.
@theagenticguy theagenticguy enabled auto-merge (squash) May 29, 2026 21:19
@theagenticguy theagenticguy merged commit 848aa34 into main May 29, 2026
32 of 34 checks passed
@theagenticguy theagenticguy deleted the fix/scanner-venv-exclude branch May 29, 2026 21:21
@github-actions github-actions Bot mentioned this pull request May 29, 2026
theagenticguy pushed a commit that referenced this pull request May 29, 2026
🤖 Automated release via release-please
---


<details><summary>analysis: 0.3.3</summary>

##
[0.3.3](analysis-v0.3.2...analysis-v0.3.3)
(2026-05-29)


### Features

* **cli:** expose 9 read-only graph tools as CLI subcommands
([#174](#174))
([be15666](be15666))


### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/storage bumped to 0.2.3
    * @opencodehub/wiki bumped to 0.2.3
</details>

<details><summary>cli: 0.5.6</summary>

##
[0.5.6](cli-v0.5.5...cli-v0.5.6)
(2026-05-29)


### Features

* **cli:** expose 9 read-only graph tools as CLI subcommands
([#174](#174))
([be15666](be15666))
* **cli:** status surfaces retrieval mode (summaries / vectors /
embedder)
([#172](#172))
([611e818](611e818))


### Bug Fixes

* **cli:** doctor verifies the bandit[sarif] formatter, not just the
binary ([#171](#171))
([0d78c92](0d78c92))
* **scanners:** exclude indexer-ignored dirs from vulture/radon/ty (drop
.venv noise)
([#168](#168))
([848aa34](848aa34))


### Documentation

* **repo:** clarify `sql` targets the temporal store, not the node/edge
graph ([#173](#173))
([814774a](814774a))


### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.3
    * @opencodehub/ingestion bumped to 0.4.5
    * @opencodehub/mcp bumped to 0.4.5
    * @opencodehub/pack bumped to 0.2.4
    * @opencodehub/scanners bumped to 0.2.3
    * @opencodehub/search bumped to 0.2.3
    * @opencodehub/storage bumped to 0.2.3
    * @opencodehub/wiki bumped to 0.2.3
</details>

<details><summary>cobol-proleap: 0.1.9</summary>

##
[0.1.9](cobol-proleap-v0.1.8...cobol-proleap-v0.1.9)
(2026-05-29)


### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/ingestion bumped to 0.4.5
</details>

<details><summary>ingestion: 0.4.5</summary>

##
[0.4.5](ingestion-v0.4.4...ingestion-v0.4.5)
(2026-05-29)


### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.3
    * @opencodehub/scip-ingest bumped to 0.2.5
    * @opencodehub/storage bumped to 0.2.3
</details>

<details><summary>mcp: 0.4.5</summary>

##
[0.4.5](mcp-v0.4.4...mcp-v0.4.5)
(2026-05-29)


### Features

* **cli:** expose 9 read-only graph tools as CLI subcommands
([#174](#174))
([be15666](be15666))


### Documentation

* **repo:** clarify `sql` targets the temporal store, not the node/edge
graph ([#173](#173))
([814774a](814774a))


### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.3
    * @opencodehub/pack bumped to 0.2.4
    * @opencodehub/scanners bumped to 0.2.3
    * @opencodehub/search bumped to 0.2.3
    * @opencodehub/storage bumped to 0.2.3
</details>

<details><summary>pack: 0.2.4</summary>

##
[0.2.4](pack-v0.2.3...pack-v0.2.4)
(2026-05-29)


### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.3
    * @opencodehub/ingestion bumped to 0.4.5
    * @opencodehub/storage bumped to 0.2.3
</details>

<details><summary>scanners: 0.2.3</summary>

##
[0.2.3](scanners-v0.2.2...scanners-v0.2.3)
(2026-05-29)


### Bug Fixes

* **scanners:** exclude indexer-ignored dirs from vulture/radon/ty (drop
.venv noise)
([#168](#168))
([848aa34](848aa34))
</details>

<details><summary>scip-ingest: 0.2.5</summary>

##
[0.2.5](scip-ingest-v0.2.4...scip-ingest-v0.2.5)
(2026-05-29)


### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.3
</details>

<details><summary>search: 0.2.3</summary>

##
[0.2.3](search-v0.2.2...search-v0.2.3)
(2026-05-29)


### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/storage bumped to 0.2.3
</details>

<details><summary>storage: 0.2.3</summary>

##
[0.2.3](storage-v0.2.2...storage-v0.2.3)
(2026-05-29)


### Features

* **cli:** status surfaces retrieval mode (summaries / vectors /
embedder)
([#172](#172))
([611e818](611e818))
</details>

<details><summary>wiki: 0.2.3</summary>

##
[0.2.3](wiki-v0.2.2...wiki-v0.2.3)
(2026-05-29)


### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/storage bumped to 0.2.3
</details>

<details><summary>root: 0.6.7</summary>

##
[0.6.7](root-v0.6.6...root-v0.6.7)
(2026-05-29)


### Features

* **cli:** expose 9 read-only graph tools as CLI subcommands
([#174](#174))
([be15666](be15666))
* **cli:** status surfaces retrieval mode (summaries / vectors /
embedder)
([#172](#172))
([611e818](611e818))


### Bug Fixes

* **cli:** doctor verifies the bandit[sarif] formatter, not just the
binary ([#171](#171))
([0d78c92](0d78c92))
* **scanners:** exclude indexer-ignored dirs from vulture/radon/ty (drop
.venv noise)
([#168](#168))
([848aa34](848aa34))


### Documentation

* **repo:** clarify `sql` targets the temporal store, not the node/edge
graph ([#173](#173))
([814774a](814774a))
</details>

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>