fix: preflight unavailable security providers#190
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f2a601afec
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| repository = _mapping(data.get(f"repo{index}")) | ||
| full_name = _canonical_repo(repository.get("nameWithOwner")) |
There was a problem hiding this comment.
Fall back when preflight repo evidence is missing
When a prior unavailable candidate has since been renamed/deleted or the token loses visibility and the GraphQL alias is returned as null or without nameWithOwner, _mapping turns it into {} and _canonical_repo(None) raises out of collect_security_coverage. That bypasses the intended malformed-preflight fallback and can leave no fresh receipt at all, instead of recording the preflight as malformed and continuing with bounded provider calls.
Useful? React with 👍 / 👎.
What
Add an incremental GitHub account/repository eligibility preflight to the bounded security-coverage collector. Private user-owned repositories on Free/Pro are marked
feature_unavailablefor code and secret scanning from embedded provenance, and their known-doomed provider calls are skipped.Why
The current collector repeats twelve endpoints that cannot succeed for the six private default-attention repositories, while secret scanning appears as generic
not_found. The receipt should explain the plan/visibility boundary without spending calls or implying clean coverage.Review Of What Was Built
feature_unavailable.Cleanup Review
No repository visibility, GitHub security settings, scheduler configuration, or canonical output was changed. The live candidate remains temporary pending merge.
Verification Summary
uv run --extra dev ruff check .uv run --extra dev mypy src/github_security_coverage.py --ignore-missing-importsfeature_unavailablecode-scanning states and six matching secret-scanning states.Shipped Summary
The branch has a fail-closed, incremental eligibility path that reduces requests without converting unavailable coverage into zero risk.
Next Phase
After merge, pin the canonical runtime to the merge commit, perform one bounded conditional collection, regenerate and independently validate PortfolioTruth, then update the scheduler pin only after those checks pass.
Remaining Roadmap
Track accepted-risk dispositions separately so dismissed alerts remain visible without being counted as open findings.