feat: PR security checks — suspicious paths, committer identity, auto-merge override (#1109)

<h3>PR Summary by Qodo</h3>

Add PR security checks for suspicious paths, committer identity, and
auto-merge override
<code>✨ Enhancement</code> <code>🧪 Tests</code> <code>⚙️ Configuration
changes</code> <code>📝 Documentation</code> <code>🕐 40+ Minutes</code>

<img
src="https://www.qodo.ai/wp-content/uploads/2025/11/light-grey-line.svg"
height="10%" alt="Grey Divider">

<h3>Walkthroughs</h3>

<details open>
<summary>User Description</summary>

<br/>

## Summary

Three configurable security checks to detect and block malicious PR
attack vectors:

### Suspicious Path Detection
- New `security-suspicious-paths` check run
- Configurable path prefixes (default: `.claude/`, `.vscode/`,
`.cursor/`, `.devcontainer/`, `.pi/`, `.github/workflows/`,
`.github/actions/`)
- Fails check when PR modifies files in sensitive locations

### Committer Identity Check
- New `security-committer-identity` check run
- Flags when last committer differs from PR author
- Handles unknown committer identity explicitly

### Auto-Merge Override
- Blocks auto-merge when PR touches suspicious paths
- Posts comment explaining why auto-merge was blocked

### Security Design
- Config only from server-side `config.yaml` (not overridable by in-repo
`.github-webhook-server.yaml`)
- Prevents attackers from weakening security policy via PR

Closes #1106

</details>

<details open>
<summary>AI Description</summary>

<br/>

<pre>
• Add configurable PR security check runs for suspicious paths and
committer identity.
• Block auto-merge and comment when PR touches security-sensitive path
prefixes.
• Document/validate security-checks config and add full test coverage
for new behavior.
</pre>
</details>

<details>
<summary>Diagram</summary>

<br/>

```mermaid
graph TD
  cfg["server config.yaml"] --> wh(["GitHubWebhook"]) --> prh(["PullRequestHandler"]) --> ofh(["OwnersFileHandler"])
  prh --> rh(["RunnerHandler"]) --> crh(["CheckRunHandler"]) --> gh{{"GitHub API"}}
  prh -. "comment / enable automerge" .-> gh

  subgraph Legend
    direction LR
    _file["Config/File"] ~~~ _svc(["Handler/Service"]) ~~~ _ext{{"External"}}
  end
```

</details>




<details>
<summary>High-Level Assessment</summary>

<br/>

The following are alternative approaches to this PR:

<details>
<summary><b>1. Use CODEOWNERS + branch protection for sensitive
paths</b></summary>

- ➕ Native GitHub enforcement; no extra webhook-side logic
- ➕ Can require reviews for .github/workflows/ and similar paths
- ➖ CODEOWNERS lives in-repo; attacker PR may attempt to modify it
(mitigations require additional protections)
- ➖ Doesn’t detect committer mismatch vs PR author
- ➖ Doesn’t provide an explicit auto-merge override message path

</details>

<details>
<summary><b>2. Required GitHub Actions workflow with path
filters</b></summary>

- ➕ Clear CI signal in GitHub UI; can block merges via required checks
- ➕ Easy to extend with additional detectors
- ➖ Workflows are in-repo and are themselves part of the attack surface
- ➖ May not run as expected depending on repo settings/permissions;
weaker central enforcement than server-side config

</details>

<details>
<summary><b>3. Org policy: require verified commits / signature
enforcement</b></summary>

- ➕ Stronger identity assurance than comparing GitHub usernames alone
- ➕ Moves trust decision into cryptographic verification
- ➖ Org-wide operational overhead; may block legitimate contributors
- ➖ Doesn’t address suspicious-path modifications; still needs
path-based review controls

</details>

**Recommendation:** The PR’s approach (server-side, non-overridable
security policy + explicit check-runs + auto-merge override) is a good
fit for defending against repo-config supply-chain attacks. Consider
adding CODEOWNERS/branch protections as defense-in-depth, but keep these
webhook checks as the centrally enforced gate.

</details>

<img
src="https://www.qodo.ai/wp-content/uploads/2025/11/light-grey-line.svg"
height="10%" alt="Grey Divider">

<h3>File Changes</h3>

<details>
<summary><strong>Enhancement</strong> (4)</summary>

<blockquote>
<details>
<summary><strong>github_api.py</strong> <code>Load server-side security
policy and make committer identity explicit</code>
<code>+10/-1</code></summary>

<br/>

>Load server-side security policy and make committer identity explicit
>
><pre>
>• Sets last_committer to &quot;unknown&quot; when no GitHub user is
associated with the last commit committer. Loads security-checks only
from server configuration (no per-repo extra_dict override) and exposes
security_suspicious_paths and security_committer_identity_check on the
webhook context.
></pre>
>
><a
href='https://github.com/myk-org/github-webhook-server/pull/1109/files#diff-7c5f6dfcadb38e75c2d0f1d418ba1a861cc9f6c0efe72905a250e9f43a6cfdcf'>webhook_server/libs/github_api.py</a>
<hr/>

</details>
</blockquote>

<blockquote>
<details>
<summary><strong>pull_request_handler.py</strong> <code>Queue/run
security check-runs and block auto-merge on suspicious paths</code>
<code>+63/-0</code></summary>

<br/>

>Queue/run security check-runs and block auto-merge on suspicious paths
>
><pre>
>• Adds a Security Checks section to the welcome comment, queues and
launches two new security check-runs during PR open/sync, and blocks
auto-merge with an explanatory PR comment when changed_files match
suspicious path prefixes.
></pre>
>
><a
href='https://github.com/myk-org/github-webhook-server/pull/1109/files#diff-8644dc42c86db802123c2ba72847dca72589fe19f330ecc70621af895a72fc8a'>webhook_server/libs/handlers/pull_request_handler.py</a>
<hr/>

</details>
</blockquote>

<blockquote>
<details>
<summary><strong>runner_handler.py</strong> <code>Implement
suspicious-path and committer-identity security check runners</code>
<code>+114/-0</code></summary>

<br/>

>Implement suspicious-path and committer-identity security check runners
>
><pre>
>• Adds runner methods to evaluate changed files against configured
prefixes and to compare PR author vs last committer (including an
explicit &quot;unknown&quot; case). Each runner publishes detailed
check-run outputs and sets success/failure accordingly.
></pre>
>
><a
href='https://github.com/myk-org/github-webhook-server/pull/1109/files#diff-0cb54c95cafda12d8d169c7b03ac484738f4cf925c22f6e6b8b8c5db0730ce42'>webhook_server/libs/handlers/runner_handler.py</a>
<hr/>

</details>
</blockquote>

<blockquote>
<details>
<summary><strong>constants.py</strong> <code>Define security check names
and default suspicious path prefixes</code>
<code>+14/-0</code></summary>

<br/>

>Define security check names and default suspicious path prefixes
>
><pre>
>• Introduces constants for the two new check-run names, registers them
as non-overridable built-in checks, and defines the default suspicious
path prefix list used for detection.
></pre>
>
><a
href='https://github.com/myk-org/github-webhook-server/pull/1109/files#diff-9a2d73fb31266bc568369ee81f15b1ebb12d9703f412a0ab65cf7c5a5b98060f'>webhook_server/utils/constants.py</a>
<hr/>

</details>
</blockquote>

</details>

<details>
<summary><strong>Tests</strong> (2)</summary>

<blockquote>
<details>
<summary><strong>test_pull_request_handler.py</strong> <code>Extend PR
handler tests to account for new security runners</code>
<code>+9/-0</code></summary>

<br/>

>Extend PR handler tests to account for new security runners
>
><pre>
>• Updates the webhook mock with security-related attributes and patches
the new runner methods in existing workflow tests. Ensures PR processing
test scaffolding stays compatible with the new queued/started tasks.
></pre>
>
><a
href='https://github.com/myk-org/github-webhook-server/pull/1109/files#diff-ba922f135da60a85cf895a8d3fb3154c635c21019e6b7b6ab07c92caa9cbc163'>webhook_server/tests/test_pull_request_handler.py</a>
<hr/>

</details>
</blockquote>

<blockquote>
<details>
<summary><strong>test_security_checks.py</strong> <code>Add dedicated
tests for security checks and auto-merge override</code>
<code>+459/-0</code></summary>

<br/>

>Add dedicated tests for security checks and auto-merge override
>
><pre>
>• Adds coverage for suspicious path detection outcomes, committer
identity match/mismatch/unknown, and auto-merge blocking behavior
(including comment posting). Also asserts security constants and default
suspicious path list are wired into BUILTIN_CHECK_NAMES.
></pre>
>
><a
href='https://github.com/myk-org/github-webhook-server/pull/1109/files#diff-d7e0086d532052be0150224126f9b67dd174e7e039409d47316dd027f508a8c8'>webhook_server/tests/test_security_checks.py</a>
<hr/>

</details>
</blockquote>

</details>

<details>
<summary><strong>Other</strong> (2)</summary>

<blockquote>
<details>
<summary><strong>config.yaml</strong> <code>Document security-checks
settings and defaults in example config</code>
<code>+14/-0</code></summary>

<br/>

>Document security-checks settings and defaults in example config
>
><pre>
>• Adds a new security-checks section with default suspicious path
prefixes and a committer identity toggle. Provides inline commentary
describing the intent of these checks.
></pre>
>
><a
href='https://github.com/myk-org/github-webhook-server/pull/1109/files#diff-e3ac27ce128a0ddae53723bc8c3133257530a13c00f97c9edfeef152ebc3b8ce'>examples/config.yaml</a>
<hr/>

</details>
</blockquote>

<blockquote>
<details>
<summary><strong>schema.yaml</strong> <code>Add JSON schema for
security-checks configuration</code> <code>+24/-0</code></summary>

<br/>

>Add JSON schema for security-checks configuration
>
><pre>
>• Introduces a security-checks schema definition (suspicious-paths list
and committer-identity-check boolean) and wires it into the root schema.
Documents behavioral effects (check-run failure and auto-merge
blocking).
></pre>
>
><a
href='https://github.com/myk-org/github-webhook-server/pull/1109/files#diff-0eaf85d7f2a5888c61710a31c06434f63fe254f177f3df114332204780388f67'>webhook_server/config/schema.yaml</a>
<hr/>

</details>
</blockquote>

</details>

<img
src="https://www.qodo.ai/wp-content/uploads/2025/11/light-grey-line.svg"
height="10%" alt="Grey Divider">


<a href="https://www.qodo.ai"><img
src="https://www.qodo.ai/wp-content/uploads/2025/03/qodo-logo.svg"
width="80" alt="Qodo Logo"></a>

Author: myakove

examples/.github-webhook-server.yaml

@@ -171,3 +171,11 @@ test-oracle:
     - "tests/**/*.py"
   triggers:
     - approved
+
+# Security Checks (overrides global config)
+security-checks:
+  mandatory: true
+  suspicious-paths:
+    - ".github/workflows/"
+    - ".github/actions/"
+  committer-identity-check: true

examples/config.yaml

@@ -136,6 +136,21 @@ ai-features:
     enabled: true
     timeout-minutes: 10  # Timeout in minutes for AI CLI (default: 10)
 
+# Security Checks configuration
+# Detects potentially malicious PR patterns like modifications to
+# security-sensitive paths or mismatched committer identities.
+security-checks:
+  mandatory: true  # true (default) = blocks can-be-merged. false = advisory only
+  suspicious-paths:
+    - ".claude/"
+    - ".vscode/"
+    - ".cursor/"
+    - ".devcontainer/"
+    - ".pi/"
+    - ".github/workflows/"
+    - ".github/actions/"
+  committer-identity-check: true
+
 repositories:
   my-repository:
     name: my-org/my-repository
@@ -286,3 +301,10 @@ repositories:
         - "tests/**/*.py"
       triggers:
         - approved
+
+    # Security Checks (overrides global)
+    # security-checks:
+    #   suspicious-paths:
+    #     - ".github/workflows/"
+    #     - ".github/actions/"
+    #   committer-identity-check: true

webhook_server/config/schema.yaml

@@ -68,6 +68,34 @@ $defs:
       - ai-provider
       - ai-model
     additionalProperties: false
+  security-checks:
+    type: object
+    description: |
+      Security checks for pull requests. Detects potentially malicious PR patterns
+      such as modifications to security-sensitive paths or mismatched committer identities.
+    properties:
+      mandatory:
+        type: boolean
+        description: |
+          When true (default), security checks block can-be-merged.
+          When false, security checks are advisory only (run but don't block merge).
+        default: true
+      suspicious-paths:
+        type: array
+        description: |
+          List of path prefixes considered security-sensitive.
+          PRs modifying files under these paths will fail the security-suspicious-paths check run
+          and have auto-merge blocked.
+          Default: [".claude/", ".vscode/", ".cursor/", ".devcontainer/", ".pi/", ".github/workflows/", ".github/actions/"]
+        items:
+          type: string
+      committer-identity-check:
+        type: boolean
+        description: |
+          When enabled, compares the PR author (parent committer) against the last commit's
+          committer. Fails the security-committer-identity check run if they differ.
+        default: true
+    additionalProperties: false
 type: object
 properties:
   log-level:
@@ -213,6 +241,8 @@ properties:
     additionalProperties: false
   ai-features:
     $ref: '#/$defs/ai-features'
+  security-checks:
+    $ref: '#/$defs/security-checks'
   labels:
     type: object
     description: Configure which labels are enabled and their colors
@@ -631,6 +661,8 @@ properties:
           additionalProperties: false
         ai-features:
           $ref: '#/$defs/ai-features'
+        security-checks:
+          $ref: '#/$defs/security-checks'
         custom-check-runs:
           type: array
           description: |

webhook_server/libs/github_api.py

@@ -35,6 +35,7 @@
     CAN_BE_MERGED_STR,
     CONFIGURABLE_LABEL_CATEGORIES,
     CONVENTIONAL_TITLE_STR,
+    DEFAULT_SUSPICIOUS_PATHS,
     OTHER_MAIN_BRANCH,
     PRE_COMMIT_STR,
     PYTHON_MODULE_INSTALL_STR,
@@ -662,7 +663,7 @@ async def process(self) -> Any:
 
             self.last_commit = await self._get_last_commit(pull_request=pull_request)
             self.parent_committer = pull_request.user.login
-            self.last_committer = getattr(self.last_commit.committer, "login", self.parent_committer)
+            self.last_committer = getattr(self.last_commit.committer, "login", "unknown")
 
             # Store PR SHAs: prefer webhook payload (avoids race condition with live API)
             # For pull_request events, base.sha and head.sha are guaranteed by GitHub webhook spec.
@@ -953,6 +954,33 @@ def _repo_data_from_config(self, repository_config: dict[str, Any]) -> None:
         self.ai_features: dict[str, Any] | None = self.config.get_value(
             value="ai-features", return_on_none=None, extra_dict=repository_config
         )
+        _security_checks: dict[str, Any] | None = self.config.get_value(
+            value="security-checks", return_on_none=None, extra_dict=repository_config
+        )
+        _security_config = _security_checks if isinstance(_security_checks, dict) else {}
+        _suspicious_paths = _security_config.get("suspicious-paths", DEFAULT_SUSPICIOUS_PATHS)
+        self.security_suspicious_paths: list[str] = (
+            [str(p).strip() for p in _suspicious_paths if isinstance(p, (str, int, float)) and str(p).strip()]
+            if isinstance(_suspicious_paths, list)
+            else DEFAULT_SUSPICIOUS_PATHS
+        )
+        _committer_check_raw = _security_config.get("committer-identity-check", True)
+        if not isinstance(_committer_check_raw, bool):
+            self.logger.warning(
+                f"{self.log_prefix} security-checks.committer-identity-check must be boolean, "
+                f"got {type(_committer_check_raw).__name__}. Defaulting to true."
+            )
+            _committer_check_raw = True
+        self.security_committer_identity_check: bool = _committer_check_raw
+        _mandatory_raw = _security_config.get("mandatory", True)
+        if not isinstance(_mandatory_raw, bool):
+            self.logger.warning(
+                f"{self.log_prefix} security-checks.mandatory must be boolean, got {type(_mandatory_raw).__name__}. "
+                "Defaulting to true."
+            )
+            _mandatory_raw = True
+        self.security_mandatory: bool = _mandatory_raw
+
         _auto_merge_prs = self.config.get_value(
             value="set-auto-merge-prs", return_on_none=[], extra_dict=repository_config
         )

webhook_server/libs/handlers/check_run_handler.py

@@ -18,6 +18,8 @@
     IN_PROGRESS_STR,
     PYTHON_MODULE_INSTALL_STR,
     QUEUED_STR,
+    SECURITY_COMMITTER_IDENTITY_STR,
+    SECURITY_SUSPICIOUS_PATHS_STR,
     SUCCESS_STR,
     TOX_STR,
     VERIFIED_LABEL_STR,
@@ -427,6 +429,14 @@ async def all_required_status_checks(self, pull_request: PullRequest) -> list[st
                 check_name = custom_check["name"]
                 all_required_status_checks.append(check_name)
 
+        # Add mandatory security checks
+        if self.github_webhook.security_mandatory:
+            if self.github_webhook.security_suspicious_paths:
+                all_required_status_checks.append(SECURITY_SUSPICIOUS_PATHS_STR)
+
+            if self.github_webhook.security_committer_identity_check:
+                all_required_status_checks.append(SECURITY_COMMITTER_IDENTITY_STR)
+
         # Use ordered deduplication to combine branch and config checks without duplicates
         _all_required_status_checks = list(dict.fromkeys(branch_required_status_checks + all_required_status_checks))
         self.logger.debug(f"{self.log_prefix} All required status checks: {_all_required_status_checks}")

webhook_server/libs/handlers/issue_comment_handler.py

@@ -9,7 +9,7 @@
 from github.PullRequest import PullRequest
 from github.Repository import Repository
 
-from webhook_server.libs.handlers.check_run_handler import CheckRunHandler
+from webhook_server.libs.handlers.check_run_handler import CheckRunHandler, CheckRunOutput
 from webhook_server.libs.handlers.labels_handler import LabelsHandler
 from webhook_server.libs.handlers.owners_files_handler import OwnersFileHandler
 from webhook_server.libs.handlers.pull_request_handler import PullRequestHandler
@@ -30,9 +30,12 @@
     COMMAND_REGENERATE_WELCOME_STR,
     COMMAND_REPROCESS_STR,
     COMMAND_RETEST_STR,
+    COMMAND_SECURITY_OVERRIDE_STR,
     COMMAND_TEST_ORACLE_STR,
     HOLD_LABEL_STR,
     REACTIONS,
+    SECURITY_COMMITTER_IDENTITY_STR,
+    SECURITY_SUSPICIOUS_PATHS_STR,
     USER_LABELS_DICT,
     VERIFIED_LABEL_STR,
     WIP_STR,
@@ -171,6 +174,7 @@ async def user_commands(
             COMMAND_ADD_ALLOWED_USER_STR,
             COMMAND_REGENERATE_WELCOME_STR,
             COMMAND_TEST_ORACLE_STR,
+            COMMAND_SECURITY_OVERRIDE_STR,
         ]
 
         command_and_args: list[str] = command.split(" ", 1)
@@ -362,6 +366,64 @@ async def user_commands(
                     pull_request.create_issue_comment, msg, logger=self.logger, log_prefix=self.log_prefix
                 )
 
+        elif _command == COMMAND_SECURITY_OVERRIDE_STR:
+            maintainers = await self.owners_file_handler.get_all_repository_maintainers()
+            if reviewed_user not in maintainers:
+                msg = "Only maintainers can use `/security-override`"
+                self.logger.debug(f"{self.log_prefix} {msg}")
+                await github_api_call(
+                    pull_request.create_issue_comment, body=msg, logger=self.logger, log_prefix=self.log_prefix
+                )
+                return
+
+            if remove:
+                # Re-run security checks to re-evaluate
+                await self.runner_handler.run_security_suspicious_paths()
+                await self.runner_handler.run_security_committer_identity()
+                self.logger.info(f"{self.log_prefix} Security checks re-run by {reviewed_user}")
+                await github_api_call(
+                    pull_request.create_issue_comment,
+                    body=f"Security override removed by @{reviewed_user}. Security checks re-run.",
+                    logger=self.logger,
+                    log_prefix=self.log_prefix,
+                )
+            else:
+                # Set security check runs to success (override)
+                if (
+                    not self.github_webhook.security_suspicious_paths
+                    and not self.github_webhook.security_committer_identity_check
+                ):
+                    msg = "No security checks are enabled — nothing to override."
+                    self.logger.debug(f"{self.log_prefix} {msg}")
+                    await github_api_call(
+                        pull_request.create_issue_comment, body=msg, logger=self.logger, log_prefix=self.log_prefix
+                    )
+                    return
+
+                override_output: CheckRunOutput = {
+                    "title": f"Overridden by maintainer @{reviewed_user}",
+                    "summary": "Security check overridden by maintainer",
+                    "text": (
+                        f"This security check was overridden by maintainer @{reviewed_user}.\n\n"
+                        "Use `/security-override cancel` to re-run security checks."
+                    ),
+                }
+                if self.github_webhook.security_suspicious_paths:
+                    await self.check_run_handler.set_check_success(
+                        name=SECURITY_SUSPICIOUS_PATHS_STR, output=override_output
+                    )
+                if self.github_webhook.security_committer_identity_check:
+                    await self.check_run_handler.set_check_success(
+                        name=SECURITY_COMMITTER_IDENTITY_STR, output=override_output
+                    )
+                self.logger.info(f"{self.log_prefix} Security override applied by {reviewed_user}")
+                await github_api_call(
+                    pull_request.create_issue_comment,
+                    body=f"Security checks overridden by @{reviewed_user}. Security check runs set to pass.",
+                    logger=self.logger,
+                    log_prefix=self.log_prefix,
+                )
+
         elif _command == WIP_STR:
             if not await self.owners_file_handler.is_user_valid_to_run_commands(
                 pull_request=pull_request, reviewed_user=reviewed_user