feat: add trusted-committers allowlist for security-committer-identity check

rnetser · rnetser · commit f488f9f38a78 · 2026-06-16T13:34:48.000+03:00
Adds a `trusted-committers` config option under `security-checks` that allowlists committer logins for the identity check. When the last committer is in the list, the check passes regardless of PR author. Handles case-insensitive comparison and element sanitization. Useful for bots (pre-commit-ci[bot]) and org identities. Closes #1116 Signed-off-by: rnetser <rnetser@redhat.com> Assisted-by: Claude <noreply@anthropic.com>
diff --git a/examples/config.yaml b/examples/config.yaml
@@ -150,6 +150,8 @@ security-checks:
     - ".github/workflows/"
     - ".github/actions/"
   committer-identity-check: true
+  trusted-committers: # Committers always trusted for identity check
+    - "pre-commit-ci[bot]"
 
 repositories:
   my-repository:
diff --git a/webhook_server/config/schema.yaml b/webhook_server/config/schema.yaml
@@ -95,6 +95,14 @@ $defs:
           When enabled, compares the PR author (parent committer) against the last commit's
           committer. Fails the security-committer-identity check run if they differ.
         default: true
+      trusted-committers:
+        type: array
+        description: |
+          List of committer logins that are always trusted for the committer-identity check.
+          When the last committer matches an entry in this list, the check passes regardless
+          of the PR author. Useful for bots (e.g., pre-commit-ci[bot]) and org identities.
+        items:
+          type: string
     additionalProperties: false
 type: object
 properties:
diff --git a/webhook_server/libs/github_api.py b/webhook_server/libs/github_api.py
@@ -992,6 +992,19 @@ def _repo_data_from_config(self, repository_config: dict[str, Any]) -> None:
             _mandatory_raw = True
         self.security_mandatory: bool = _mandatory_raw
 
+        _trusted_committers = _security_config.get("trusted-committers", [])
+        if not isinstance(_trusted_committers, list):
+            self.logger.warning(
+                f"{self.log_prefix} security-checks.trusted-committers must be array, "
+                f"got {type(_trusted_committers).__name__}. Defaulting to empty list."
+            )
+            _trusted_committers = []
+        self.security_trusted_committers: list[str] = [
+            str(entry).strip().lower()
+            for entry in _trusted_committers
+            if isinstance(entry, (str, int, float)) and str(entry).strip()
+        ]
+
         _auto_merge_prs = self.config.get_value(
             value="set-auto-merge-prs", return_on_none=[], extra_dict=repository_config
         )
diff --git a/webhook_server/libs/handlers/runner_handler.py b/webhook_server/libs/handlers/runner_handler.py
@@ -384,6 +384,9 @@ async def run_security_committer_identity(self) -> None:
             parent_committer = self.github_webhook.parent_committer
             last_committer = self.github_webhook.last_committer
 
+            # SECURITY: "unknown" check MUST precede the trusted-committers allowlist check.
+            # An unverifiable committer identity should always fail, even if "unknown" is
+            # accidentally added to the trusted-committers list.
             if last_committer == "unknown":
                 output: CheckRunOutput = {
                     "title": "\u274c Security: Committer Identity Unknown",
@@ -467,26 +470,45 @@ async def run_security_committer_identity(self) -> None:
                     }
                     await self.check_run_handler.set_check_failure(name=SECURITY_COMMITTER_IDENTITY_STR, output=output)
             elif last_committer != parent_committer:
-                output = {
-                    "title": "\u274c Security: Committer Identity Mismatch",
-                    "summary": f"Last committer '{last_committer}' differs from PR author '{parent_committer}'",
-                    "text": (
-                        f"## Committer Identity Check\n\n"
-                        f"**PR author:** `{parent_committer}`\n"
-                        f"**Last commit committer:** `{last_committer}`\n\n"
-                        f"The last commit in this PR was made by a different user than the PR author. "
-                        f"This may indicate:\n"
-                        f"- An unauthorized commit was pushed to the PR branch\n"
-                        f"- A bot or automation tool committed with unexpected credentials\n"
-                        f"- A legitimate co-author contribution (review carefully)\n\n"
-                        f"Please verify this is expected before merging."
-                    ),
-                }
-                self.logger.warning(
-                    f"{self.log_prefix} Committer identity mismatch: "
-                    f"PR author={parent_committer}, last committer={last_committer}"
-                )
-                await self.check_run_handler.set_check_failure(name=SECURITY_COMMITTER_IDENTITY_STR, output=output)
+                # Check if last_committer is in trusted-committers allowlist
+                if last_committer.lower() in self.github_webhook.security_trusted_committers:
+                    output = {
+                        "title": "Security: Committer Identity",
+                        "summary": f"Committer '{last_committer}' is in the trusted-committers allowlist",
+                        "text": (
+                            f"## Committer Identity Check\n\n"
+                            f"**PR author:** `{parent_committer}`\n"
+                            f"**Last commit committer:** `{last_committer}`\n\n"
+                            f"The committer differs from the PR author but is in the `trusted-committers` allowlist.\n"
+                            f"This is expected for automated workflows (bots, CI tools, org identities)."
+                        ),
+                    }
+                    self.logger.info(
+                        f"{self.log_prefix} Committer identity mismatch allowed: "
+                        f"'{last_committer}' is in trusted-committers list"
+                    )
+                    await self.check_run_handler.set_check_success(name=SECURITY_COMMITTER_IDENTITY_STR, output=output)
+                else:
+                    output = {
+                        "title": "\u274c Security: Committer Identity Mismatch",
+                        "summary": f"Last committer '{last_committer}' differs from PR author '{parent_committer}'",
+                        "text": (
+                            f"## Committer Identity Check\n\n"
+                            f"**PR author:** `{parent_committer}`\n"
+                            f"**Last commit committer:** `{last_committer}`\n\n"
+                            f"The last commit in this PR was made by a different user than the PR author. "
+                            f"This may indicate:\n"
+                            f"- An unauthorized commit was pushed to the PR branch\n"
+                            f"- A bot or automation tool committed with unexpected credentials\n"
+                            f"- A legitimate co-author contribution (review carefully)\n\n"
+                            f"Please verify this is expected before merging."
+                        ),
+                    }
+                    self.logger.warning(
+                        f"{self.log_prefix} Committer identity mismatch: "
+                        f"PR author={parent_committer}, last committer={last_committer}"
+                    )
+                    await self.check_run_handler.set_check_failure(name=SECURITY_COMMITTER_IDENTITY_STR, output=output)
             else:
                 output = {
                     "title": "Security: Committer Identity",
diff --git a/webhook_server/tests/test_security_checks.py b/webhook_server/tests/test_security_checks.py
@@ -55,6 +55,7 @@ def mock_github_webhook(self) -> Mock:
         mock_webhook.config.get_value = Mock(return_value=None)
         mock_webhook.security_suspicious_paths = DEFAULT_SUSPICIOUS_PATHS
         mock_webhook.security_committer_identity_check = True
+        mock_webhook.security_trusted_committers = []
         mock_webhook.parent_committer = "test-user"
         mock_webhook.last_committer = "test-user"
         return mock_webhook
@@ -214,6 +215,7 @@ def mock_github_webhook(self) -> Mock:
         mock_webhook.config.get_value = Mock(return_value=None)
         mock_webhook.security_suspicious_paths = DEFAULT_SUSPICIOUS_PATHS
         mock_webhook.security_committer_identity_check = True
+        mock_webhook.security_trusted_committers = []
         mock_webhook.parent_committer = "test-user"
         mock_webhook.last_committer = "test-user"
         return mock_webhook
@@ -349,6 +351,37 @@ async def test_committer_identity_check_disabled(self, runner_handler: RunnerHan
             await runner_handler.run_security_committer_identity()
             mock_progress.assert_not_called()
 
+    @pytest.mark.asyncio
+    async def test_committer_identity_mismatch_trusted(self, runner_handler: RunnerHandler) -> None:
+        """Check passes when last committer is in trusted-committers list."""
+        runner_handler.github_webhook.parent_committer = "legit-user"
+        runner_handler.github_webhook.last_committer = "pre-commit-ci[bot]"
+        runner_handler.github_webhook.security_trusted_committers = ["pre-commit-ci[bot]", "myorg"]
+
+        with patch.object(runner_handler.check_run_handler, "set_check_in_progress", new=AsyncMock()):
+            with patch.object(runner_handler.check_run_handler, "set_check_success", new=AsyncMock()) as mock_success:
+                await runner_handler.run_security_committer_identity()
+
+                mock_success.assert_called_once()
+                call_args = mock_success.call_args
+                assert call_args.kwargs["name"] == SECURITY_COMMITTER_IDENTITY_STR
+                assert "trusted-committers" in call_args.kwargs["output"]["summary"]
+
+    @pytest.mark.asyncio
+    async def test_committer_identity_mismatch_not_trusted(self, runner_handler: RunnerHandler) -> None:
+        """Check fails when last committer is NOT in trusted-committers list."""
+        runner_handler.github_webhook.parent_committer = "legit-user"
+        runner_handler.github_webhook.last_committer = "suspicious-user"
+        runner_handler.github_webhook.security_trusted_committers = ["pre-commit-ci[bot]"]
+
+        with patch.object(runner_handler.check_run_handler, "set_check_in_progress", new=AsyncMock()):
+            with patch.object(runner_handler.check_run_handler, "set_check_failure", new=AsyncMock()) as mock_failure:
+                await runner_handler.run_security_committer_identity()
+
+                mock_failure.assert_called_once()
+                call_args = mock_failure.call_args
+                assert "suspicious-user" in call_args.kwargs["output"]["summary"]
+
 
 class TestAutoMergeSecurityOverride:
     """Test auto-merge is blocked when PR modifies suspicious paths."""
@@ -367,6 +400,7 @@ def mock_github_webhook(self) -> Mock:
         mock_webhook.set_auto_merge_prs = []
         mock_webhook.security_suspicious_paths = DEFAULT_SUSPICIOUS_PATHS
         mock_webhook.security_committer_identity_check = True
+        mock_webhook.security_trusted_committers = []
         mock_webhook.security_mandatory = True
         mock_webhook.last_commit = Mock()
         mock_webhook.ctx = None
@@ -616,6 +650,7 @@ def mock_github_webhook(self) -> Mock:
         mock_webhook.custom_check_runs = []
         mock_webhook.security_suspicious_paths = DEFAULT_SUSPICIOUS_PATHS
         mock_webhook.security_committer_identity_check = True
+        mock_webhook.security_trusted_committers = []
         mock_webhook.security_mandatory = True
         mock_webhook.last_commit = Mock()
         mock_webhook.last_commit.sha = "abc123"
@@ -686,6 +721,7 @@ async def test_security_checks_partial_config(
         """Only configured security checks are added to required list."""
         check_run_handler.github_webhook.security_suspicious_paths = []
         check_run_handler.github_webhook.security_committer_identity_check = True
+        check_run_handler.github_webhook.security_trusted_committers = []
 
         with patch.object(
             check_run_handler,
@@ -712,6 +748,7 @@ def mock_github_webhook(self) -> Mock:
         mock_webhook.security_mandatory = True
         mock_webhook.security_suspicious_paths = DEFAULT_SUSPICIOUS_PATHS
         mock_webhook.security_committer_identity_check = True
+        mock_webhook.security_trusted_committers = []
         mock_webhook.ctx = None
         mock_webhook.config = Mock()
         mock_webhook.config.get_value = Mock(return_value=None)
