Skip to content

fix: correct advsec_get_alerts secret alert filtering and confidenceLevels default (#1395)#1420

Open
David-Mavrodiev wants to merge 2 commits into
microsoft:mainfrom
David-Mavrodiev:fix/1395-advsec-get-alerts-secret-filters
Open

fix: correct advsec_get_alerts secret alert filtering and confidenceLevels default (#1395)#1420
David-Mavrodiev wants to merge 2 commits into
microsoft:mainfrom
David-Mavrodiev:fix/1395-advsec-get-alerts-secret-filters

Conversation

@David-Mavrodiev

Copy link
Copy Markdown

Fixes #1395

Summary

advsec_get_alerts diverged from the Azure DevOps Alerts REST API when querying secret alerts, and carried a latent Zod validation crash. This corrects the request construction for secret alerts, removes/documents the forced defaults, fixes the crash, and adds schema-driven tests.

Changes

  • Secret branch filters: onlyDefaultBranch and ref are "Not applicable for secret alerts" per the REST API. For an explicit alertType: "Secret" query the tool no longer sends them, so it matches the REST API / Advanced Security UI instead of returning an empty set.
  • Forced default removed: dropped the hidden onlyDefaultBranch = true Zod default (the service already defaults to true when omitted). Documented the remaining defaults (confidenceLevels, top, orderBy) and the secret-only caveats in the schema.
  • confidenceLevels default crash (found while fixing this): the default was lowercase ["high","other"] while the schema enum keys are PascalCase ["High","Other"], so Zod threw invalid_enum_value on any call that omitted confidenceLevels. Changed the default to getEnumKeys(Confidence) so it stays valid and in sync.
  • Mixed-query caveat documented: with no alertType and onlyDefaultBranch=false (or ref), secrets may still be excluded because branch filters cannot be applied per-type in a single request; the descriptions now direct callers to query alertType: "Secret" to retrieve all secrets.

Reported symptoms -> resolution

  • False empty on onlyDefaultBranch=false for secrets -> fixed for explicit secret queries.
  • Undocumented default filter -> forced onlyDefaultBranch default removed; remaining defaults documented.
  • Wrong-repo / "cached" responses -> no cache exists in the tool (repository is a URL path param); the identical responses were empty results from the above, which now return real data.

Tests

  • Added Zod schema-driven tests that parse through the real schema (exercising defaults); these would have caught the confidenceLevels crash.
  • npx jest: 1000 passed / 18 suites. tsc --noEmit: clean. node scripts/build-validate-tools.js: clean.

Note

Not yet verified end-to-end against a live org; all verification is at the request-construction / unit level.

…evels default (microsoft#1395)

- Do not send onlyDefaultBranch/ref for secret-only queries; they are not applicable to secret alerts and caused false-empty results.
- Remove forced onlyDefaultBranch=true default; document remaining defaults and the secret-only caveats.
- Fix confidenceLevels default casing (lowercase vs PascalCase enum) that threw a Zod validation error whenever confidenceLevels was omitted.
- Document mixed-query caveat: unspecified alertType with onlyDefaultBranch=false can exclude secrets.
- Add Zod schema-driven tests covering schema defaults and the omitted-confidenceLevels regression.
@David-Mavrodiev David-Mavrodiev requested a review from a team as a code owner July 14, 2026 09:17
@codecov-commenter

codecov-commenter commented Jul 14, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (main@0a08dc6). Learn more about missing BASE report.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1420   +/-   ##
=======================================
  Coverage        ?   92.37%           
=======================================
  Files           ?       19           
  Lines           ?     2189           
  Branches        ?      532           
=======================================
  Hits            ?     2022           
  Misses          ?       80           
  Partials        ?       87           
Flag Coverage Δ
unittests 92.37% <100.00%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@David-Mavrodiev

Copy link
Copy Markdown
Author

@microsoft-github-policy-service agree company="Microsoft"

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

3 participants