feat(app): mark evidence check resources out of scope#3438
Merged
tofikwest merged 3 commits intoJul 16, 2026
Merged
Conversation
Customers failing an evidence item because of an intentional finding (e.g. an S3 bucket that must stay public for a static website redirect) had no way to accept it — the task stayed failed with no route to resolve it. The exception mechanism already existed end to end: FindingException rows keyed (connection, check, resource) are honored by both task run paths and the task run display. What was missing was a way to create/revoke them from the evidence item view. - app: failing check results on a task now offer "Mark out of scope" (captures a documented reason via the shared MarkExceptionModal, moved to components/integrations with copy overrides); excepted results show the reason and offer "Move back in scope" (revoke) - app: after a scope change the check re-runs automatically so the task status updates immediately - api: task check runs response now carries exceptionId + exceptionReason on excepted results (ActiveExceptionSet optionally carries metadata) - actions gated by integration:update, matching the endpoints
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
There was a problem hiding this comment.
cubic analysis
All reported issues were addressed across 11 files
Confidence score: 5/5
- Safe to merge after the addressed issues were fixed.
Linked issue analysis
Linked issue: CS-719: [BUG] No way to mark resources out of scope - AWS access restrictions task
| Status | Acceptance criteria | Notes |
|---|---|---|
| ✅ | Provide a “Mark out of scope” action on failing results in the evidence/task run history (latest run only). | UI adds a `Mark out of scope` button on failing rows for the latest run and wires an action target with run/check coordinates. |
| ✅ | Create an exception (finding exception) with reason/reviewer/expiry via the existing endpoint when the user marks a resource out of scope. | MarkExceptionModal posts to the existing exception endpoint, captures reason/reviewer/expiry, and emits success handling for the parent to refresh. |
| ✅ | Show excepted resources as “Out of scope” with the documented reason and offer “Move back in scope” (revoke) using the exception id. | Task run result rows include exception metadata so the UI can display the reason and render a revoke action that passes the exception id to the revoke handler. |
| ✅ | API surfaces exception id and reason on task check run results so the UI can display reason + revoke without extra queries. | Controller populates exception metadata from ActiveExceptionSet and returns exceptionId/exceptionReason on excepted result rows; tests assert these fields. |
| ✅ | After marking or revoking an exception, re-run the affected check so the task status updates immediately (without duplicating runs if one is already in flight). | UI triggers a re-run of the affected check after mark/revoke and avoids duplicate runs when a run is already in flight; parent refresh/mutateRuns is also called. |
| ✅ | Actions are gated to users with integration:update while read-only users still see out-of-scope state and reason. | Permission check is read client-side and the exceptionActions.canManage flag controls whether action buttons render; tests cover hidden actions for non-manage users. |
Reply with feedback, questions, or to request a fix.
Fix all with cubic | Re-trigger cubic
…t-of-scope-aws-access
- re-run guard now only skips when the SAME check is in flight — a run of a different check doesn't recompute this one, so it must not suppress the re-run after a scope change - findings and out-of-scope lists are expandable beyond the first three sampled rows, so every sampled resource is markable/revocable - the reason field label follows the surface copy (out-of-scope wording on evidence items) via a reasonLabel override
Contributor
There was a problem hiding this comment.
cubic analysis
No issues found across 11 files
Confidence score: 5/5
- Automated review surfaced no issues in the provided summaries.
- No files require special attention.
Linked issue analysis
Linked issue: CS-719: [BUG] No way to mark resources out of scope - AWS access restrictions task
| Status | Acceptance criteria | Notes |
|---|---|---|
| ✅ | Provide a UI action on the evidence item to mark a failing resource 'out of scope' (creates an exception) — available on the latest run only. | The run history rows render a 'Mark out of scope' button for failing results on the latest run, opening the shared reason modal and creating the exception. |
| ✅ | Show excepted results with an 'Out of scope' badge, display the documented reason, and offer 'Move back in scope' (revoke) with the exception id. | Excepted rows display an out-of-scope badge and the exception reason; a 'Move back in scope' action is offered and includes the exception id so revoke can be performed without extra queries. |
| ✅ | Backend surfaces exception id and reason on task-run result rows so the UI can display reason and revoke without extra queries. | ActiveExceptionSet now carries per-exception metadata and loadActiveExceptionSet populates it; task runs controller attaches exceptionId and exceptionReason on excepted result rows. |
| ✅ | After marking or revoking an exception, the affected check re-runs (unless an in-flight run of the same check exists) so task status updates immediately. | UI logic triggers mutate + a targeted runCheck rerunAfterScopeChange, skipping if the same check is already running, to refresh the evidence and recompute status immediately. |
| ✅ | Actions are permission-gated (integration:update) while read-only users still see out-of-scope state and reason; actions are hidden on non-latest runs. | Permission check (usePermissions) gates rendering of action buttons; tests verify actions hidden without permission and hidden on stale runs while the out-of-scope state remains visible. |
tofikwest
deleted the
tofik/cs-719-bug-no-way-to-mark-resources-out-of-scope-aws-access
branch
July 16, 2026 20:51
Contributor
|
🎉 This PR is included in version 3.104.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Closes CS-719
Problem
A customer failing an evidence item because of an intentional finding — e.g. an S3 bucket that must stay public because it only hosts a static website redirect — had no way to accept it. The "Access Restrictions" evidence item stayed failed with no route to resolve it, blocking their audit.
What already existed
The exception mechanism was already built end to end on the backend:
FindingExceptionrows keyed(connectionId, checkId, resourceId)are honored by both task run paths (manual run-check and the scheduled Trigger task, via the sharedActiveExceptionSet+countEffectiveFailures) and by the task runs display (exceptedflag, adjusted failed count/status). The mark/revoke endpoints (POST /v1/cloud-security/findings/:id/exception,DELETE /v1/cloud-security/exceptions/:id, bothintegration:update) also already resolve evidence-task check result rows correctly —resolveCheckKeyfalls back to the run's manifest check id, which is exactly the namespace the task paths match on.What was missing was purely the surface: no way to create or revoke an exception from the evidence item view, and the runs response didn't carry the exception's id/reason.
Changes
API
ActiveExceptionSetoptionally carries per-exception metadata (id,reason);loadActiveExceptionSetpopulates it. Constructor stays backward-compatible for evaluation-only callers.getTaskCheckRunsnow returnsexceptionId+exceptionReasonon excepted result rows so the UI can show the documented reason and offer revoke.App
integration:update(matching the endpoints); read-only users still see the out-of-scope state and reason.MarkExceptionModalmoved fromcloud-tests/componentstocomponents/integrationswith copy-override props — Cloud Tests keeps its exact previous copy via the defaults, the tasks surface brands the same flow "out of scope".No schema changes. No new endpoints. Exceptions created here are the same rows Cloud Tests uses, recorded in the audit trail (
exception_marked/exception_revoked).Tests
finding-exceptions.spec7/7 (newinfoForcoverage incl. bare-key sets);task-integrations.controller.specexception tests extended to assertexceptionId/exceptionReason.check-run-history.test.tsx(5 tests: mark payload, revoke payload incl. exception id, hidden without permission, hidden on non-latest runs, hidden when no actions provided);MarkExceptionModal.test.tsxextended for copy overrides (10/10 across both files).origin/main(23 and 15 pre-existing spec-drift errors respectively, verified by baseline comparison with the same command).src/integration-platform(4 suites/25 tests) and the app tasks+cloud-tests suites (5 suites/23 tests) are identical on unmodified origin/main — pre-existing order-dependent/env issues, not introduced here.Summary by cubic
Adds out‑of‑scope controls to evidence task check results so customers can accept intentional resources and unblock audits. Addresses CS‑719 with mark/revoke actions in task run history, expanded lists for actions, and immediate status updates.
New Features
integration:update.components/integrationswith copy overrides; the reason label uses out‑of‑scope wording.API
ActiveExceptionSetoptionally carries per‑exception metadata (id,reason);infoForexposes it andloadActiveExceptionSetpopulates it.getTaskCheckRunsreturnsexceptionIdandexceptionReasonon excepted results for display and revoke.POST /v1/cloud-security/findings/:id/exceptionandDELETE /v1/cloud-security/exceptions/:id.Written for commit 5113276. Summary will update on new commits.