Add standardized CLAUDE.md documentation (AST-146797)#323
Add standardized CLAUDE.md documentation (AST-146797)#323cx-rahul-pidde wants to merge 2 commits intomainfrom
Conversation
Add comprehensive CLAUDE.md file following the Cloud MD standardization template (epic AST-146798). Includes: - Project Overview (purpose, status, key features) - Architecture (layered design, components, data flow) - Repository Structure (complete folder mapping) - Technology Stack (languages, frameworks, dependencies) - Development Setup (prerequisites, build, debug) - Coding Standards (naming, style, async/threading) - Project Rules (constraints, branch naming, commit format) - Testing Strategy (unit tests, integration tests, manual checklist) - Known Issues (compilation error, limitations, workarounds) - Database Schema (none - stateless) - External Integrations (Checkmarx API, CLI, GitHub) - Deployment Info (release process, VSIX artifacts) - Performance Considerations (scan timing, memory, optimization) - API/Endpoints/Interfaces (DTE automation, VS APIs) - Security & Access (credential storage, code signing, audit) - Logging (framework, levels, destinations, troubleshooting) - Debugging Steps (common issues, solutions, debug mode) Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
|
Policy Management Violations (2)
|
Added details about the extension's compatibility and REST API restrictions.
cx-atish-jadhav
left a comment
cx-atish-jadhav
left a comment
There was a problem hiding this comment.
Review: CLAUDE.md Documentation
Good coverage overall — all 17 sections from the epic are present and the structure is clean. However, several sections reference files, constants, and features that do not exist in the actual codebase. These need to be corrected before merge so the document doesn't mislead contributors or AI assistants using it as a codebase map.
See inline comments for specific line-level issues.
| **Real-time Scanner:** | ||
| - `ASCAService.cs` — Monitors text changes, debounces (2000ms), executes scan | ||
| - `ASCAUIManager.cs` — Updates error list and editor markers with diagnostics | ||
| - Scans: .java, .cs, .go, .py, .js, .jsx files |
There was a problem hiding this comment.
ASCA file extension list is not enforced in code.
ASCAService.cs uses Path.GetExtension() generically — there is no hardcoded allowlist of .java, .cs, .go, .py, .js, .jsx in the file. The actual filtering logic (if any) was not found in the service.
Please verify where this list comes from and cite the actual source (e.g. a constants file or CLI behaviour), or rephrase as "primarily targets" rather than stating it as a fixed list.
|
|
||
| **Settings:** | ||
| - `CxPreferences/` — DialogPage for API key, tenant, environment configuration | ||
| - `SettingsModule.cs` — Validates and loads settings at startup |
There was a problem hiding this comment.
SettingsModule.cs does not exist in this repository.
Searched the entire codebase — no file with this name was found. The settings entry point is CxPreferencesModule.cs in the CxPreferences/ folder, which exposes GetCxConfig() and IsAscaEnabled().
Please replace this line with the correct file reference.
| │ │ │ ├── CxScan.cs | ||
| │ │ │ ├── CxScanDetail.cs | ||
| │ │ │ ├── CxAsca.cs | ||
| │ │ │ └── [other models] |
There was a problem hiding this comment.
Model file names are incorrect — three of them don't match the actual codebase.
The doc references:
CxResults.cs→ actual file isResults.csCxScan.cs→ actual file isScan.csCxScanDetail.cs→ this file does not exist at all
Full actual list in CxWrapper/Models/: Results.cs, Scan.cs, Result.cs, CxAsca.cs, CxConfig.cs, Project.cs, CodeBashing.cs, Node.cs, Predicate.cs, State.cs, etc.
Please update the model names to match the actual files.
| │ │ ├── Exceptions/ # Custom exceptions | ||
| │ │ └── Resources/ # CLI configuration | ||
| │ ├── CxPreferences/ # Settings UI | ||
| │ │ ├── CxOneAssistSettingsModule.cs |
There was a problem hiding this comment.
CxOneAssistSettingsModule.cs does not exist in the repository.
The actual files in CxPreferences/ are:
CxPreferencesModule.cs(this is the correct settings module)CxPreferencesPackage.csCxPreferencesUI.cs+CxPreferencesUI.Designer.cs
Please replace CxOneAssistSettingsModule.cs with CxPreferencesModule.cs.
| - Stop when a wrapper AST-CLI command for functionality is not found. | ||
|
|
||
| 4. **Do not** execute CLI commands without timeout | ||
| - All CLI calls must have 30-second timeout (CxConstants.CLI_TIMEOUT) |
There was a problem hiding this comment.
CxConstants.CLI_TIMEOUT does not exist in the codebase.
Checked CxConstants.cs — there are no timeout-related constants defined anywhere in the file. This reference will mislead anyone looking for this constant.
Either:
- Add the constant to
CxConstants.cs(recommended — it enforces the rule in code), or - Remove the specific reference and just state the 30-second rule without citing a constant that doesn't exist.
| - Code review approval | ||
| - CI/CD pipeline success | ||
|
|
||
| 7. **Do not** modify .resx files via Visual Studio designer |
There was a problem hiding this comment.
Numbering bug: two items are both labeled 7.
Line 339 is also numbered 7. ("Do not deploy to production without..."). This item should be 8.
Please renumber from here to the end of the Don'ts list.
|
|
||
| 3. **Do not** implement any REST API invocation neither in extension or wrapper source code | ||
| - AST-CLI wrapper orchestrates AST-CLI command invocations instead | ||
| - Stop when a wrapper AST-CLI command for functionality is not found. |
There was a problem hiding this comment.
This rule is correct but the wording "Stop when..." is cryptic.
Verified — there are no HttpClient/WebClient calls anywhere in the repo, so the rule itself is accurate.
Suggested clearer wording:
If AST-CLI does not provide a command for required functionality, stop and request an upstream CLI change — do not add direct REST calls as a workaround.
Also note: the API / Endpoints section (line ~557) lists GET /api/projects etc. as endpoints, which contradicts this rule. Those calls happen inside cx.exe, not in this codebase. The section header there should be updated to make that clear (e.g. "Endpoints called internally by cx.exe").
|
|
||
| ### Don'ts | ||
| 1. **Do not** hardcode credentials, API keys, or secrets in code | ||
| - Use VS Settings/DialogPage and Windows Credential Manager |
There was a problem hiding this comment.
Inconsistency with line 575 (Security section).
This line says "Use VS Settings/DialogPage and Windows Credential Manager", but line 575 in the Security section correctly notes storage is "Windows Registry (plaintext
The Credential Manager is the aspirational future state, not the current reality. This bullet in the Don'ts section should reflect what developers should do today — which is the DialogPage/Registry approach — not imply Credential Manager is already in use.
3 participants
Add comprehensive CLAUDE.md file following the Cloud MD standardization template (epic AST-146798).
Includes:
By submitting a PR to this repository, you agree to the terms within the Checkmarx Code of Conduct. Please see the contributing guidelines for how to create and submit a high-quality PR for this repo.
Description
References
Testing
Checklist