feat(integrations): split GitHub sanitized inputs check into two automations#2683
…mations

Splits the combined "Sanitized Inputs & Code Scanning" GitHub check into two separate IntegrationChecks so each renders as its own card in the integrations UI:

- input_validation - "Input Validation" - scans for validation libraries in package.json / requirements.txt / pyproject.toml / composer.json
- code_scanning - "Code Scanning" - detects CodeQL default setup, custom CodeQL workflows, or third-party SARIF uploaders

Both checks remain mapped to the existing sanitizedInputs task template; the runner aggregates pass/fail across checks per task, so auto-completion behavior is preserved (the task only completes when both pass for every repo).

Detection logic is unchanged - the JS/PY/PHP package catalogs and the CodeQL detection flow (default-setup API + workflow file fallback) move verbatim into the new files. Shared catalogs are extracted to validation-libraries.ts; CodeQL detection helpers are extracted to code-scanning-detector.ts to keep each file under the 300-line limit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2 issues found across 7 files
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="packages/integration-platform/src/manifests/github/checks/code-scanning.ts">
<violation number="1" location="packages/integration-platform/src/manifests/github/checks/code-scanning.ts:60">
P2: A truncated repository tree is treated as a complete scan, which can produce false `not-configured` failures for repos that actually have code-scanning workflows.</violation>
</file>
<file name="packages/integration-platform/src/manifests/github/checks/input-validation.ts">
<violation number="1" location="packages/integration-platform/src/manifests/github/checks/input-validation.ts:219">
P1: Do not silently skip repositories when `/repos/{owner}/{repo}` fetch fails; this can incorrectly mark the check as successful without evaluating all selected repos.</violation>
</file>
…ode-scanning

Reverts the previous split structure to a more conservative approach: keep sanitized-inputs.ts (and its check id 'sanitized_inputs') and just strip the code-scanning logic out of it. Code scanning becomes a single new self-contained file (code-scanning.ts).

This preserves continuity for existing customers:

- IntegrationCheckRun records under 'sanitized_inputs' continue to be the same automation
- IntegrationConnection.metadata.disabledTaskChecks entries that reference 'sanitized_inputs' remain valid

Removes the helper modules (input-validation.ts, validation-libraries.ts, code-scanning-detector.ts) introduced in the previous commit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2 issues found across 6 files (changes from recent commits).
Prompt for AI agents (unresolved issues)
Check if these issues are valid — if so, understand the root cause of each and fix them. If appropriate, use sub-agents to investigate and fix each issue separately.
<file name="packages/integration-platform/src/manifests/github/checks/code-scanning.ts">
<violation number="1" location="packages/integration-platform/src/manifests/github/checks/code-scanning.ts:190">
P1: Private repos can be incorrectly marked as code-scanning enabled when GHAS is not enabled, because workflow detection returns `enabled` before the `ghas-required` branch.</violation>
</file>
<file name="packages/integration-platform/src/manifests/github/checks/sanitized-inputs.ts">
<violation number="1" location="packages/integration-platform/src/manifests/github/checks/sanitized-inputs.ts:79">
P2: The input-validation automation is still using the legacy `sanitized_inputs` ID/name. This prevents a clean split into distinct `input_validation` and `code_scanning` check identities.</violation>
</file>
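The two review rounds above flag three ways a per-repo check can report the wrong task-level result: a truncated repository tree read as a complete scan, a failed `/repos/{owner}/{repo}` fetch silently dropping a repo, and workflow detection returning `enabled` before the `ghas-required` branch. The following is an added example, not code from the integration-platform package, that models the per-repo evaluation and the task-level pass/fail aggregation the commit message describes with all three cases handled fail-closed; every field and function name in it is an assumption, not the project's API.

```typescript
// Added example, not code from the integration-platform package: a model of
// the per-repo check evaluation and task-level aggregation the PR describes,
// with the three review findings handled explicitly. Every field and function
// name here is an assumption, not the project's own API.

type Outcome = 'pass' | 'fail' | 'inconclusive';
type ScanStatus = 'enabled' | 'not-configured' | 'ghas-required';

// Constructed per-repo view of what the GitHub API calls would have returned.
interface RepoScan {
  fetchOk: boolean;            // GET /repos/{owner}/{repo} succeeded
  isPrivate: boolean;
  ghasEnabled: boolean;        // GitHub Advanced Security is on for the repo
  treeTruncated: boolean;      // git tree response carried `truncated: true`
  codeqlWorkflowFound: boolean;
  validationLibFound: boolean;
}

// Finding: private repos without GHAS must resolve to `ghas-required` before
// any workflow-file detection is allowed to report `enabled`.
function codeScanningStatus(r: RepoScan): ScanStatus {
  if (r.isPrivate && !r.ghasEnabled) return 'ghas-required';
  return r.codeqlWorkflowFound ? 'enabled' : 'not-configured';
}

// Finding: a truncated tree cannot prove a workflow is absent, so a missing
// workflow on a truncated tree is inconclusive rather than a failure.
function codeScanningOutcome(r: RepoScan): Outcome {
  const status = codeScanningStatus(r);
  if (status === 'enabled') return 'pass';
  if (status === 'not-configured' && r.treeTruncated) return 'inconclusive';
  return 'fail';
}

function inputValidationOutcome(r: RepoScan): Outcome {
  return r.validationLibFound ? 'pass' : 'fail';
}

// Finding: a repo whose metadata fetch failed is never skipped; it yields
// `inconclusive`, which blocks auto-completion just as a failure would.
// The task passes only when every check passes on every selected repo.
function aggregateTask(repos: RepoScan[]): Outcome {
  const outcomes: Outcome[] = repos.flatMap((r) =>
    r.fetchOk ? [inputValidationOutcome(r), codeScanningOutcome(r)] : ['inconclusive' as Outcome],
  );
  if (outcomes.includes('fail')) return 'fail';
  if (outcomes.includes('inconclusive')) return 'inconclusive';
  return 'pass';
}
```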
| @@ -109,9 +77,9 @@ const getFileName = (path: string): string => { | |||
| export const sanitizedInputsCheck: IntegrationCheck = { | |||
| id: 'sanitized_inputs', | |||
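Review bot: `export const sanitizedInputsCheck` keeps the legacy `id: 'sanitized_inputs',` although the PR title describes a split into two new automations; since the second commit says this is deliberate (continuity for existing `IntegrationCheckRun` records and `disabledTaskChecks` entries), add a short comment above the `id:` line stating that the id is intentionally preserved and that the check now covers only validation-library detection, so a later reader does not "correct" it to `input_validation`. The PR description should also be updated, as it still describes an `input_validation` check and the removal of `sanitized-inputs.ts`.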
P2: The input-validation automation is still using the legacy sanitized_inputs ID/name. This prevents a clean split into distinct input_validation and code_scanning check identities.
Prompt for AI agents
Check if this issue is valid — if so, understand the root cause and fix it. At packages/integration-platform/src/manifests/github/checks/sanitized-inputs.ts, line 79:
<comment>The input-validation automation is still using the legacy `sanitized_inputs` ID/name. This prevents a clean split into distinct `input_validation` and `code_scanning` check identities.</comment>
<file context>
@@ -43,88 +75,9 @@ const getFileName = (path: string): string => {
- id: 'input_validation',
- name: 'Input Validation',
+export const sanitizedInputsCheck: IntegrationCheck = {
+ id: 'sanitized_inputs',
+ name: 'Sanitized Inputs',
description:
</file context>
🎉 This PR is included in version 3.34.0 🎉 The release is available on GitHub release. Your semantic-release bot 📦🚀
Summary

Splits the combined "Sanitized Inputs & Code Scanning" GitHub check (one card with two sub-results) into two separate `IntegrationCheck` automations so each renders as its own card in the integrations UI.

Before:
- `sanitized_inputs` — "Sanitized Inputs & Code Scanning" (1 card, 2 sub-checks per repo)

After:
- `input_validation` — "Input Validation"
- `code_scanning` — "Code Scanning"

What changed

- New: `packages/integration-platform/src/manifests/github/checks/input-validation.ts` — scans `package.json` / `requirements.txt` / `pyproject.toml` / `composer.json` for validation libraries (zod, yup, joi, valibot, pydantic, etc.).
- New: `packages/integration-platform/src/manifests/github/checks/code-scanning.ts` — detects CodeQL default setup, custom CodeQL workflows, and third-party SARIF uploaders.
- New: `validation-libraries.ts` and `code-scanning-detector.ts` — small extracted modules so each check stays under the 300-line limit.
- Removed: `sanitized-inputs.ts` (the original combined file).
- Updated: `github/checks/index.ts` and `github/index.ts` registrations.

Behavior preservation

Both checks keep `taskMapping: TASK_TEMPLATES.sanitizedInputs`. The runner (`run-task-integration-checks.ts`) aggregates pass/fail across all checks per task — so the task auto-completes only when both checks pass for every repo, identical to the previous combined behavior.

Migration notes

- `IntegrationCheckRun` records for `sanitized_inputs` become historical only; new runs use the new check IDs.
- `IntegrationConnection.metadata.disabledTaskChecks` that listed `sanitized_inputs` are no longer applied — users will need to re-disable individual checks if desired (acceptable, since they're now finer-grained).

Test plan

- Both new cards (Input Validation and Code Scanning) appear, each rendering its own pass/fail per selected repo.
- `bun run --filter '@trycompai/integration-platform' typecheck && build` clean (verified locally).

🤖 Generated with Claude Code
Summary by cubic

Split the combined GitHub “Sanitized Inputs & Code Scanning” check into two cards by keeping `sanitized_inputs` for input validation and adding `code_scanning` for CodeQL/SARIF detection. The “Sanitized Inputs” task still completes only when both checks pass across all repos.

New Features

- Added `code_scanning` (detects CodeQL default setup, custom workflows, and third-party SARIF uploaders).
- `sanitized_inputs` now only scans for validation libraries in `package.json`, `requirements.txt`, `pyproject.toml`, and `composer.json`.
- Both checks map to `TASK_TEMPLATES.sanitizedInputs`.

Migration

- Existing `sanitized_inputs` run records and `disabledTaskChecks` entries continue to work.
- `code_scanning`.

Written for commit 07739f8.