Skip to content

feat: optimize sighthound-security-scan — binary cache + pre-filter to skip agent on test-only findings#45417

Merged
pelikhan merged 1 commit into
mainfrom
copilot/optimize-caching-and-token-usage
Jul 14, 2026
Merged

feat: optimize sighthound-security-scan — binary cache + pre-filter to skip agent on test-only findings#45417
pelikhan merged 1 commit into
mainfrom
copilot/optimize-caching-and-token-usage

Conversation

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Run #29318429751 spent 6.5 AIC triaging 126 findings that were entirely test fixtures in testdata/. The agent job also recompiles Sighthound from Rust source on every run.

Changes

  • Binary cache (actions/cache@v6): caches ~/.cargo/bin/sighthound under key sighthound-${{ runner.os }}-v1; skips the multi-minute Rust build on hit. Bump -v1 to force refresh.

  • Pre-filter step (DataOps): new prefilter step strips findings whose file/path matches testdata/, /testdata$, or _test.go, writing actionable.json and emitting actionable_findings_detected as a job output.

  • Agent gate: if: condition changed from findings_detectedactionable_findings_detected; entire agent job is skipped when all findings are test fixtures, saving the full ~6.5 AIC per PR.

  • Prompt trim: agent reads actionable.json directly; "confirm whether findings are valid" instruction removed — pre-filtering handles this deterministically.

- Add actions/cache for Sighthound binary to avoid recompiling Rust from
  source on every run (cache key sighthound-${{ runner.os }}-v1)
- Add pre-filter step that strips testdata/ and _test.go findings and
  outputs actionable_findings_detected
- Gate agent job on actionable_findings_detected instead of
  findings_detected — saves ~6.5 AIC when all findings are test fixtures
- Trim agent prompt to reference actionable.json and drop now-redundant
  'confirm validity' instructions
- Recompile .lock.yml

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title feat: optimize sighthound-security-scan with caching and pre-filtering feat: optimize sighthound-security-scan — binary cache + pre-filter to skip agent on test-only findings Jul 14, 2026
Copilot AI requested a review from pelikhan July 14, 2026 09:15
@pelikhan pelikhan marked this pull request as ready for review July 14, 2026 11:01
Copilot AI review requested due to automatic review settings July 14, 2026 11:01
@pelikhan pelikhan merged commit 6b48a3b into main Jul 14, 2026
1 check passed
@pelikhan pelikhan deleted the copilot/optimize-caching-and-token-usage branch July 14, 2026 11:02

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Optimizes Sighthound scanning to reduce build time and avoid unnecessary agent runs.

Changes:

  • Caches the Sighthound binary.
  • Pre-filters test-only findings and gates agent execution.
  • Regenerates the compiled workflow and changes the auto-upgrade schedule.
Show a summary per file
File Description
.github/workflows/sighthound-security-scan.md Adds caching, filtering, gating, and prompt updates.
.github/workflows/sighthound-security-scan.lock.yml Regenerates the compiled workflow.
.github/workflows/agentic-auto-upgrade.yml Reschedules weekly auto-upgrades.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 3/3 changed files
  • Comments generated: 3
  • Review effort level: Medium

# Remove findings whose file path is under a known test-only directory.
# Sighthound uses a 'file' field for the path; fall back to 'path' if absent.
jq '[.[] | select(
((.file // .path // "") | test("testdata/|/testdata$|_test\\.go")) | not
Comment on lines +160 to +164
1. Read `/tmp/gh-aw/agent/sighthound/actionable.json` and `/tmp/gh-aw/agent/sighthound/summary.md`.
2. If this is triggered by a pull request, call `add_comment` (no `item_number`) with: total count, top findings by severity, and remediation guidance.
3. If not triggered by a pull request, call `create_issue` with:
- title: `Sighthound findings in ${{ github.repository }} (run ${{ github.run_id }})`
- a concise summary
- key findings and remediation guidance
- concise summary, key findings, and remediation guidance.
on:
schedule:
- cron: "11 4 * * 6" # Weekly (auto-upgrade)
- cron: "21 3 * * 5" # Weekly (auto-upgrade)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants