Add receipt-backed GitHub security coverage#188
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fcf6806a0b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if status == 404: | ||
| return "not_found", "github_not_found" |
There was a problem hiding this comment.
Classify disabled secret scanning before generic 404s
For the repository secret-scanning endpoint, GitHub documents 404 as the disabled/public-repository case (https://docs.github.com/en/rest/secret-scanning/secret-scanning#http-response-status-codes-for-list-secret-scanning-alerts-for-a-repository), but this generic branch records every 404 as not_found. When secret scanning is simply unavailable for a cohort repo, the receipt will look like the repository/resource is missing instead of preserving the provider feature state, which makes the new provenance misleading and can send operators down the wrong follow-up path; handle provider == "secret_scanning" 404s before this fallback.
Useful? React with 👍 / 👎.
| if isinstance(value, str): | ||
| return any(pattern.search(value) for pattern in _SENSITIVE_VALUE_PATTERNS) |
There was a problem hiding this comment.
Apply scalar secret checks to cached URLs
The new scalar detector catches token-shaped strings in params and response, but ResponseCache.put still only checks URL query names via _url_has_sensitive_query(url) and then persists the raw url field. If a fully composed URL contains a credential-shaped value under a benign key, such as a copied search or next-page URL with ?q=ghp_..., it bypasses this new pattern block and is written to output/.cache; run the same scalar check over the URL string or parsed query values before writing.
Useful? React with 👍 / 👎.
What
Add versioned, provenance-bearing GitHub security coverage receipts for the bounded default-attention cohort, integrate partial and UNKNOWN semantics into PortfolioTruth, and harden cache/control-center artifact persistence against credential-shaped values.
Why
PortfolioTruth previously reported zero scanned repositories without distinguishing unavailable evidence from clean results. The new contract preserves provider-level provenance, freshness, request bounds, and fail-closed security-gate behavior. The storage follow-up closes the remaining benign-key credential persistence gap before cached or operator artifacts are written.
Review Of What Was Built
Cleanup Review
No portfolio-wide scan, raw alert persistence, credential handling, scheduler expansion, or unrelated refactor was added. Existing compatibility fields remain while combined coverage no longer inherits Dependabot availability.
Verification Summary
Shipped Summary
The branch can consume a bounded 16-repository security receipt, preserve unavailable providers as UNKNOWN, fail closed on incomplete required evidence, and prevent recognized credential material from reaching local persistence sinks.
Next Phase
After merge, run one bounded collection for the current 16-repository cohort, validate the receipt independently, regenerate PortfolioTruth from that receipt, and confirm the scheduler consumes it without initiating a broader scan.
Remaining Roadmap
Expand coverage only in explicit, budgeted tranches after the default-attention cohort is stable; keep unavailable private-repository secret-scanning evidence UNKNOWN until permissions or feature state are proven.