feat: optimize sighthound-security-scan — binary cache + pre-filter to skip agent on test-only findings#45417
Merged
Conversation
- Add actions/cache for Sighthound binary to avoid recompiling Rust from
source on every run (cache key sighthound-${{ runner.os }}-v1)
- Add pre-filter step that strips testdata/ and _test.go findings and
outputs actionable_findings_detected
- Gate agent job on actionable_findings_detected instead of
findings_detected — saves ~6.5 AIC when all findings are test fixtures
- Trim agent prompt to reference actionable.json and drop now-redundant
'confirm validity' instructions
- Recompile .lock.yml
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot
AI
changed the title
feat: optimize sighthound-security-scan with caching and pre-filtering
feat: optimize sighthound-security-scan — binary cache + pre-filter to skip agent on test-only findings
Jul 14, 2026
Copilot created this pull request from a session on behalf of
pelikhan
July 14, 2026 09:15
View session
Contributor
There was a problem hiding this comment.
Pull request overview
Optimizes Sighthound scanning to reduce build time and avoid unnecessary agent runs.
Changes:
- Caches the Sighthound binary.
- Pre-filters test-only findings and gates agent execution.
- Regenerates the compiled workflow and changes the auto-upgrade schedule.
Show a summary per file
| File | Description |
|---|---|
.github/workflows/sighthound-security-scan.md |
Adds caching, filtering, gating, and prompt updates. |
.github/workflows/sighthound-security-scan.lock.yml |
Regenerates the compiled workflow. |
.github/workflows/agentic-auto-upgrade.yml |
Reschedules weekly auto-upgrades. |
Review details
Tip
Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Files reviewed: 3/3 changed files
- Comments generated: 3
- Review effort level: Medium
| # Remove findings whose file path is under a known test-only directory. | ||
| # Sighthound uses a 'file' field for the path; fall back to 'path' if absent. | ||
| jq '[.[] | select( | ||
| ((.file // .path // "") | test("testdata/|/testdata$|_test\\.go")) | not |
Comment on lines
+160
to
+164
| 1. Read `/tmp/gh-aw/agent/sighthound/actionable.json` and `/tmp/gh-aw/agent/sighthound/summary.md`. | ||
| 2. If this is triggered by a pull request, call `add_comment` (no `item_number`) with: total count, top findings by severity, and remediation guidance. | ||
| 3. If not triggered by a pull request, call `create_issue` with: | ||
| - title: `Sighthound findings in ${{ github.repository }} (run ${{ github.run_id }})` | ||
| - a concise summary | ||
| - key findings and remediation guidance | ||
| - concise summary, key findings, and remediation guidance. |
| on: | ||
| schedule: | ||
| - cron: "11 4 * * 6" # Weekly (auto-upgrade) | ||
| - cron: "21 3 * * 5" # Weekly (auto-upgrade) |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Run #29318429751 spent 6.5 AIC triaging 126 findings that were entirely test fixtures in
testdata/. The agent job also recompiles Sighthound from Rust source on every run.Changes
Binary cache (
actions/cache@v6): caches~/.cargo/bin/sighthoundunder keysighthound-${{ runner.os }}-v1; skips the multi-minute Rust build on hit. Bump-v1to force refresh.Pre-filter step (DataOps): new
prefilterstep strips findings whosefile/pathmatchestestdata/,/testdata$, or_test.go, writingactionable.jsonand emittingactionable_findings_detectedas a job output.Agent gate:
if:condition changed fromfindings_detected→actionable_findings_detected; entire agent job is skipped when all findings are test fixtures, saving the full ~6.5 AIC per PR.Prompt trim: agent reads
actionable.jsondirectly; "confirm whether findings are valid" instruction removed — pre-filtering handles this deterministically.