Skip to content

Add receipt-backed GitHub security coverage#188

Merged
saagpatel merged 6 commits into
mainfrom
codex/github-security-coverage
Jul 17, 2026
Merged

Add receipt-backed GitHub security coverage#188
saagpatel merged 6 commits into
mainfrom
codex/github-security-coverage

Conversation

@saagpatel

Copy link
Copy Markdown
Owner

What

Add versioned, provenance-bearing GitHub security coverage receipts for the bounded default-attention cohort, integrate partial and UNKNOWN semantics into PortfolioTruth, and harden cache/control-center artifact persistence against credential-shaped values.

Why

PortfolioTruth previously reported zero scanned repositories without distinguishing unavailable evidence from clean results. The new contract preserves provider-level provenance, freshness, request bounds, and fail-closed security-gate behavior. The storage follow-up closes the remaining benign-key credential persistence gap before cached or operator artifacts are written.

Review Of What Was Built

  • Versioned GitHubSecurityCoverageReceipt with canonical owner/repo identities.
  • Serial count-only collector with request ceilings, quota reserve, conditional reuse, and immediate rate-limit stop.
  • Dependabot, code-scanning, and secret-scanning provider states with explicit UNKNOWN and partial coverage.
  • PortfolioTruth coverage denominators and fail-closed security gate.
  • Credential-shaped scalar detection and pre-write validation for cache, weekly, JSON, and Markdown artifacts.

Cleanup Review

No portfolio-wide scan, raw alert persistence, credential handling, scheduler expansion, or unrelated refactor was added. Existing compatibility fields remain while combined coverage no longer inherits Dependabot availability.

Verification Summary

  • Focused storage regressions: 14 passed.
  • Cache and artifact integration slice: 111 passed.
  • Full repository suite: 2,922 passed, 2 skipped.
  • Full Ruff check: passed.
  • Diff and whitespace checks: passed.

Shipped Summary

The branch can consume a bounded 16-repository security receipt, preserve unavailable providers as UNKNOWN, fail closed on incomplete required evidence, and prevent recognized credential material from reaching local persistence sinks.

Next Phase

After merge, run one bounded collection for the current 16-repository cohort, validate the receipt independently, regenerate PortfolioTruth from that receipt, and confirm the scheduler consumes it without initiating a broader scan.

Remaining Roadmap

Expand coverage only in explicit, budgeted tranches after the default-attention cohort is stable; keep unavailable private-repository secret-scanning evidence UNKNOWN until permissions or feature state are proven.

Comment thread src/github_security_coverage.py Fixed
Comment thread src/app/security_modes.py Fixed
Comment thread src/app/security_modes.py Fixed
Comment thread src/app/security_modes.py Fixed
Comment thread src/app/security_modes.py Fixed
@saagpatel
saagpatel marked this pull request as ready for review July 17, 2026 04:32
@saagpatel
saagpatel merged commit 7aa3c52 into main Jul 17, 2026
4 checks passed
@saagpatel
saagpatel deleted the codex/github-security-coverage branch July 17, 2026 04:33

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: fcf6806a0b

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +243 to +244
if status == 404:
return "not_found", "github_not_found"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Classify disabled secret scanning before generic 404s

For the repository secret-scanning endpoint, GitHub documents 404 as the disabled/public-repository case (https://docs.github.com/en/rest/secret-scanning/secret-scanning#http-response-status-codes-for-list-secret-scanning-alerts-for-a-repository), but this generic branch records every 404 as not_found. When secret scanning is simply unavailable for a cohort repo, the receipt will look like the repository/resource is missing instead of preserving the provider feature state, which makes the new provenance misleading and can send operators down the wrong follow-up path; handle provider == "secret_scanning" 404s before this fallback.

Useful? React with 👍 / 👎.

Comment thread src/cache.py
Comment on lines +48 to +49
if isinstance(value, str):
return any(pattern.search(value) for pattern in _SENSITIVE_VALUE_PATTERNS)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Apply scalar secret checks to cached URLs

The new scalar detector catches token-shaped strings in params and response, but ResponseCache.put still only checks URL query names via _url_has_sensitive_query(url) and then persists the raw url field. If a fully composed URL contains a credential-shaped value under a benign key, such as a copied search or next-page URL with ?q=ghp_..., it bypasses this new pattern block and is written to output/.cache; run the same scalar check over the URL string or parsed query values before writing.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants