Add CLAUDE.md for Claude Code onboarding (AST-146794) #1474
cx-anurag-dalke wants to merge 2 commits into main from
Comprehensive guidance file covering project architecture, development setup, testing strategy, deployment process, proxy configuration, debugging steps, and contributing guidelines. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
New Issues (1): Checkmarx found the following issues in this Pull Request
cx-atish-jadhav left a comment
Thanks for putting together this CLAUDE.md — it's well structured and covers all the sections required by the epic. Left a few inline remarks where the content drifts from what's actually in the repo today. Please verify and update before merging.
| 4. **Retrieve results:** `cx results show --scan-id "<id>" --report-format "json"` (supports json, sarif, pdf, sbom) | ||
| 5. **Integrate findings:** PR decoration, IDE feedback, CI/CD pipeline exit codes | ||
| Scans can target local directories (`--file-source`), Git repos (`--repo-url`), or container images (`--container-image`). Multiple engines can run simultaneously via `--scan-types`. |
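Review bot: step 5 ("Integrate findings") is the only step in this list with no command, while steps 1 to 4 each give one; since CI/CD exit codes are what a pipeline actually gates on, state the concrete invocation and the flag that produces a non-zero exit here rather than only naming the concept, otherwise Claude has to guess the syntax.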
The flag name is incorrect. The actual flag defined in internal/params/flags.go is ContainerImagesFlag = "container-images" (plural). Please update --container-image to --container-images.
| - **Auth:** golang-jwt/jwt/v5 v5.2.2, gokrb5/v8 (Kerberos), alexbrainman/sspi (Windows NTLM) | ||
| - **Container Analysis:** containers-resolver, containers-images-extractor, anchore/syft (SBOM) | ||
| - **Testing:** stretchr/testify v1.11.1, gotest.tools | ||
| - **Linting:** golangci-lint v2 with 19 enabled linters |
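Review bot: the pinned versions (`golang-jwt/jwt/v5 v5.2.2`, `stretchr/testify v1.11.1`) will drift from go.mod the first time a dependency bump lands, and a stale version in an onboarding file is worse than none; suggest dropping the version numbers and pointing at go.mod as the source of truth, or at least prefixing the list with the commit it was taken from.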
The linter count is off. Counting the entries in linters.enable in .golangci.yml, there are 20 enabled linters (bodyclose, depguard, dogsled, dupl, errcheck, funlen, gochecknoinits, goconst, gocritic, gocyclo, ineffassign, mnd, nakedret, revive, rowserrcheck, staticcheck, unconvert, unparam, unused, whitespace), not 19. Please update here and at line 168.
| ### Linting & Static Analysis | ||
| ```bash | ||
| # Run full linter suite (19 linters, see .golangci.yml) |
Same issue as line 97 — the comment says 19 linters but there are actually 20 enabled in .golangci.yml.
| | `PR_GITHUB_TOKEN`, `PR_GITLAB_TOKEN`, `AZURE_TOKEN` | PR decoration tests | | ||
| | `PROXY_HOST`, `PROXY_PORT`, `PROXY_USERNAME`, `PROXY_PASSWORD` | Proxy tests | | ||
| No `.env.example` file exists — refer to `.github/workflows/ci-tests.yml` (lines 54-96) for the full list of required secrets. |
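Review bot: this table lists credential-bearing variables (`PR_GITHUB_TOKEN`, `PR_GITLAB_TOKEN`, `AZURE_TOKEN`, `PROXY_PASSWORD`) and then points out that no `.env.example` exists, which reads as an invitation to create a local `.env` holding real tokens; add a sentence that these are CI secrets, that any local `.env` must stay untracked (check it is covered by `.gitignore`), and that local integration runs should use short-lived, least-privilege tokens rather than the CI credentials.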
Minor: the actual env var block in .github/workflows/ci-tests.yml spans lines 55-93, not 54-96. Please either correct the range or phrase it as approximate ("see the env: block under Go Integration test") to avoid it going stale.
| - **Environment variables:** `CX_` prefix in SCREAMING_SNAKE_CASE (e.g., `CX_BASE_URI`, `CX_CLIENT_ID`) | ||
| - **Max function length:** 200 lines / 100 statements (`funlen`) | ||
| - **Max cyclomatic complexity:** 15 (`gocyclo`) | ||
| - **Max line length:** 185 characters (`lll`) |
lll is present under settings in .golangci.yml but it is not enabled in linters.enable, so the 185-char line length is not actually enforced by the linter today. Either remove this bullet or call out that it's a configured-but-not-enabled setting so Claude doesn't treat it as a hard rule.
| ### Coverage Thresholds | ||
| - **Unit tests:** **85%** minimum (CI-enforced) |
This coverage threshold is incorrect. CI (.github/workflows/ci-tests.yml line 25) enforces EXPECTED_CODE_COV=77.7 for unit tests, not 85%. The 75% integration threshold on the next line is correct (line 109 of the workflow). Please update 85% → 77.7%.
| ### Integration Test Patterns | ||
| Integration tests use real HTTP wrappers (not mocks) and hit the **Canary environment** (`deu.ast.checkmarx.net`). The key setup function is `createASTIntegrationTestCommand(t)` in `test/integration/util_command.go`: |
Consider whether deu.ast.checkmarx.net should be listed verbatim in a public-facing doc. The integration env is controlled through CI secrets (CX_BASE_URI) — referring to it as "the Checkmarx One integration/Canary environment configured via CX_BASE_URI" avoids hardcoding an internal hostname into the repo.
| | `ci-tests.yml` | Unit tests, integration tests, lint, govulncheck, Trivy | | ||
| | `release.yml` | Full build, sign, publish, notify pipeline | | ||
| | `issue_automation.yml` | Auto-label and assign issues | | ||
| | `pr-automation.yml` | Auto-assign reviewers, enforce PR guidelines | |
pr-automation.yml does not exist in .github/workflows/. The actual PR-related workflows are pr-add-reviewers.yml, pr-label.yml, and pr-linter.yml. Please replace this row with the real filenames.
| | `issue_automation.yml` | Auto-label and assign issues | | ||
| | `pr-automation.yml` | Auto-assign reviewers, enforce PR guidelines | | ||
| | `checkmarx-one-scan.yml` | Security scan on PRs | | ||
| | `update-trivy.yml` | Keep Trivy vulnerability definitions current | |
update-trivy.yml does not exist. The actual file is trivy-cache.yml. Also, this table is missing several workflows that do exist: ai-code-review.yml, dependabot-auto-merge.yml, and nightly-parallel.yml. Please correct the filename and add the missing entries so the table reflects the full set under .github/workflows/.
Generated with Claude Code