
fix(integration-platform): fail Dependabot check on open high/critical alerts #2643

Merged
tofikwest merged 1 commit into main from fix/dependabot-severity-gating
Apr 23, 2026

Conversation

@tofikwest
Contributor

@tofikwest tofikwest commented Apr 23, 2026

Summary

Fixes a bug where the GitHub Dependabot Security Updates Enabled automation (evidence for the Secure Code task) would return Passed even when the repo had open high- or critical-severity Dependabot alerts. Reported with a screenshot showing 8 open high alerts + 21 medium yet a green checkmark.

  • Adds an `alert_severity_threshold` variable (default `high`) — CX can now configure per connection whether only critical alerts trigger a fail, or all alerts.
  • When alerts at/above the threshold exist for an `enabled` or `paused` repo, the check now calls `ctx.fail()` with a clear title, severity mapped to the highest actual alert severity present, and a remediation link to the repo's `/security/dependabot` page.
  • Preserves the previous fallback when the alert-fetch endpoint returns 403/400 (permission denied / feature off): without an alert signal, the check falls back to the prior "Dependabot enabled = pass" behaviour rather than emitting a false fail.
  • Pulls the severity math (`countAtOrAboveSeverity`, `highestPresentSeverity`, threshold parsing) out of `dependabot.ts` into a small `dependabot-alert-severity.ts` module — keeps the main check single-responsibility and lets the helpers be unit-tested without the NestJS/GitHub fetch surface.

Test plan

  • 15 new tests in `packages/integration-platform/src/manifests/github/checks/tests/dependabot.test.ts` (all passing, including the exact bug case of "8 open high alerts on enabled Dependabot → must fail")
  • Full package test suite green: 98/98 passing
  • `tsc --noEmit` passes for `@trycompai/integration-platform` (and via turbo for downstream consumers of the package). Unrelated pre-existing typecheck failures on main in `apps/api` spec files are not caused by this change — diff touches only `packages/integration-platform`.
  • Before merge: re-run the Dependabot automation in staging against a repo that has open high alerts and confirm the UI now renders a red "failed" result with the expected remediation text.

Behaviour change (customer-visible)

Automations that were passing with the default settings will now fail if the connected repos have open high/critical Dependabot alerts. This is intentional — it was the bug. CX should expect incoming questions from customers who see a previously-passing check flip red. The remediation text in the fail message walks them through merging the auto-generated Dependabot fix PRs or dismissing alerts with justification.

Customers who want the old "pass on enabled" behaviour can set the new variable to `critical` (fails on critical only) or switch to a lower threshold if they want stricter gating.

🤖 Generated with Claude Code


Summary by cubic

Fixes the GitHub Dependabot check to fail when a repo has open alerts at/above a configurable severity threshold. This may flip some green checks to red; set alert_severity_threshold to critical to keep the old behavior.

  • Bug Fixes

    • For enabled or paused repos, fail if open alerts meet the threshold; severity reflects the highest alert, and the remediation links to /security/dependabot.
    • Preserves fallback when alert data can’t be fetched (e.g. 403/400): no alert signal = pass if enabled; still fail when Dependabot is disabled.
  • New Features

    • Adds alert_severity_threshold (default high) to gate on critical, high, medium, or low.

Written for commit b4492d1. Summary will update on new commits.

…l alerts

The GitHub "Dependabot Security Updates Enabled" check previously passed
whenever Dependabot was enabled on a repo, even when open high- or
critical-severity alerts were waiting — hiding a real compliance risk
behind a green checkmark.

It now:
- Accepts an `alert_severity_threshold` variable (default: `high`) so CX
  can configure what counts as a failure per connection.
- Fails the check for the repo when open alerts at or above the threshold
  exist, using the highest actual severity present as the finding
  severity, and pointing the user at the repo's /security/dependabot page
  for remediation.
- Preserves the transparent fallback when alert data cannot be fetched
  (e.g. 403) — no alert signal means no pass/fail regression.

Severity helpers split into `dependabot-alert-severity.ts` for focused
unit testing; the main check stays a single-responsibility orchestrator.
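The gating logic described in the PR body and the commit message above, as an added example rather than the project's own code: the helper names `countAtOrAboveSeverity` and `highestPresentSeverity` mirror the ones the PR mentions, but their bodies, the `evaluateRepo` orchestration, the minimal alert shape and the `acme/app` repo slug are assumptions. It covers the 403/400 fallback and the exact reported bug case (8 open high + 21 medium alerts on an enabled repo).

```typescript
// Added illustration, not the project's code. Severity names follow GitHub's
// Dependabot alert API; the alert shape below is a minimal assumption of it.
type Severity = 'low' | 'medium' | 'high' | 'critical';
const SEVERITY_ORDER: Severity[] = ['low', 'medium', 'high', 'critical'];
const DEFAULT_THRESHOLD: Severity = 'high';

interface Alert { state: string; security_advisory: { severity: string } }

// Unknown or missing `alert_severity_threshold` values fall back to the default (assumption).
function parseThreshold(raw: string | undefined): Severity {
  const v = (raw ?? '').trim().toLowerCase();
  return (SEVERITY_ORDER as string[]).includes(v) ? (v as Severity) : DEFAULT_THRESHOLD;
}

const rank = (s: string): number => SEVERITY_ORDER.indexOf(s.toLowerCase() as Severity);
const openAlerts = (alerts: Alert[]): Alert[] => alerts.filter((a) => a.state === 'open');

// Only open alerts count; dismissed or fixed ones never trigger a fail.
function countAtOrAboveSeverity(alerts: Alert[], threshold: Severity): number {
  return openAlerts(alerts).filter((a) => rank(a.security_advisory.severity) >= rank(threshold)).length;
}

// Highest severity among open alerts, used as the finding severity.
function highestPresentSeverity(alerts: Alert[]): Severity | undefined {
  const best = Math.max(-1, ...openAlerts(alerts).map((a) => rank(a.security_advisory.severity)));
  return best < 0 ? undefined : SEVERITY_ORDER[best];
}

type DependabotStatus = 'enabled' | 'paused' | 'disabled';
type AlertFetch = { ok: true; alerts: Alert[] } | { ok: false; httpStatus: number };
interface Result { status: 'pass' | 'fail'; severity?: Severity; remediation?: string }

function evaluateRepo(repo: string, dependabot: DependabotStatus, fetched: AlertFetch, rawThreshold?: string): Result {
  if (dependabot === 'disabled') {
    return { status: 'fail', remediation: `Enable Dependabot security updates on ${repo}` };
  }
  // 403 (permission denied) / 400 (feature off) carry no alert signal: keep the old "enabled = pass".
  if (!fetched.ok) return { status: 'pass' };
  const threshold = parseThreshold(rawThreshold);
  if (countAtOrAboveSeverity(fetched.alerts, threshold) === 0) return { status: 'pass' };
  const remediation = `https://github.com/${repo}/security/dependabot`;
  return { status: 'fail', severity: highestPresentSeverity(fetched.alerts), remediation };
}

// Constructed sample mirroring the reported bug: 8 open high + 21 open medium, plus one dismissed critical.
const SAMPLE_ALERTS: Alert[] = [
  ...Array.from({ length: 8 }, () => ({ state: 'open', security_advisory: { severity: 'high' } })),
  ...Array.from({ length: 21 }, () => ({ state: 'open', security_advisory: { severity: 'medium' } })),
  { state: 'dismissed', security_advisory: { severity: 'critical' } },
];
```

With the default threshold the sample fails at severity `high` (the dismissed critical is ignored); setting the threshold to `critical` restores a pass, as the PR describes.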
@vercel

vercel Bot commented Apr 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Actions | Updated (UTC)
app | Ready | Preview, Comment | Apr 23, 2026 2:44am
comp-framework-editor | Ready | Preview, Comment | Apr 23, 2026 2:44am

1 Skipped Deployment
Project | Deployment | Actions | Updated (UTC)
portal | Skipped | | Apr 23, 2026 2:44am

Request Review

Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment


No issues found across 4 files

Requires human review: This PR modifies business logic for a security check, resulting in customer-visible behavior changes (flipping check results) and new configuration variables.

@tofikwest tofikwest merged commit d75757c into main Apr 23, 2026
11 checks passed
@tofikwest tofikwest deleted the fix/dependabot-severity-gating branch April 23, 2026 02:44
claudfuen pushed a commit that referenced this pull request Apr 23, 2026
# [3.30.0](v3.29.0...v3.30.0) (2026-04-23)

### Bug Fixes

* **app:** show evidence block for failed automation runs ([975b4c9](975b4c9)), closes [#2643](#2643)
* **integration-platform:** fail Dependabot check on open high/critical alerts ([b4492d1](b4492d1))

### Features

* **device-agent:** relax screen lock threshold to 15 minutes ([b20ced0](b20ced0))

### Performance Improvements

* **onboarding:** replace sequential update loops with bulk SQL in org init ([0c5d332](0c5d332))
@claudfuen
Contributor

🎉 This PR is included in version 3.30.0 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
