Commit b725933
authored
feat(security): vulnerability-centric security-burndown command (#30)
* feat(security): vulnerability-centric security-burndown command
- ghas_alerts.py: refactor _fetch_dependabot_counts to return (counts, details)
tuple; fetch_ghas_alerts attaches dependabot_details sibling key to each repo
entry alongside the unchanged dependabot counts dict
- security_burndown.py: new module — build_security_burndown filters to
runtime-scope fixable critical/high alerts, groups by advisory (ghsa_id or
ecosystem+package+version fallback), deduplicates clone-repos, ranks
critical-before-high then repo-count desc; render_burndown_markdown produces
a # Security Burndown markdown doc with ranked table
- cli.py: adds `audit security-burndown <username>` subcommand with own
dedicated parser; detects counts-only (pre-detail) GHAS files and prints a
clear re-run warning; writes output/security-burndown-<user>-<date>.md
- tests/test_security_burndown.py: 31 new tests covering detail extraction,
defensiveness, filtering (dev/null scope, no-fix, medium/low), grouping-dedup
(same ghsa 3 repos → 1 entry), ranking, empty-state, non-breaking counts
shape assertion
* refactor: drop unused _SEVERITY_HIGHEST map
* fix(security): sanitize GHAS fetch exception logging
CodeQL py/clear-text-logging-sensitive-data flagged the GHAS fetch
exception handlers: the authenticated session carries the token, so
logging the raw exception (`exc`) or response-derived `status` is a
potential secret-in-logs sink.
Harden all three fetch handlers (dependabot/code-scanning/secret-scanning)
to log only the repo identity plus the exception class name
(`type(exc).__name__`) — never the exception object or response status.
Keeps useful diagnostics (which repo, which error class) without routing
session/response-derived data to the log. Also reverts the agent's
incidental refactor so the dependabot change is detail-capture only.
* refactor(security): decouple dependabot detail capture into ghas_alert_details (zero-diff ghas_alerts)
Move per-alert Dependabot detail fetching out of ghas_alerts.py into a new
module src/ghas_alert_details.py so ghas_alerts.py ends up byte-for-byte
identical to main, preventing ruff-format reflows that CodeQL flags as
clear-text-logging sinks.
- src/ghas_alerts.py: reverted to main (no changes)
- src/ghas_alert_details.py: new module — fetch_dependabot_details() paginates
the same endpoint as fetch_ghas_alerts but extracts flat detail dicts; all
except handlers use static-string-only log messages (zero format args) to
satisfy the CodeQL clear-text-logging contract; best-effort per-repo (errors
yield [] and continue)
- src/cli.py: ghas-alerts block calls fetch_dependabot_details after counts
fetch, merges dependabot_details into each repo entry before JSON write
- tests/test_security_burndown.py: replace TestFetchDependabotDetail /
TestCountsShapeUnchanged (targeted reverted approach) with
TestFetchDependabotDetails covering extraction, defensiveness, error paths,
partial-failure continuation, and static-log assertion
1 parent 96279d2 commit b725933
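The filter / group / dedupe / rank / render pipeline the commit message attributes to `build_security_burndown` and `render_burndown_markdown`, reconstructed as an added example: this is not the project's own code, the function names and the per-alert field names (`ghsa_id`, `severity`, `scope`, `fixed_in`, ...) are assumptions, and the sample repos are constructed. It handles the cases the tests list: dev-scope, no-fix and medium/low alerts drop out, one advisory across several repos collapses to one entry, a repo listed twice counts once, and an empty input renders an empty-state document.

```python
"""Added example (not the project's own code): the filter / group / dedupe /
rank / render pipeline the commit message describes for security-burndown.
Function names and the alert-dict field names are assumptions."""
from typing import Any

# Only these severities survive the filter; lower rank sorts first.
SEVERITY_RANK = {"critical": 0, "high": 1}


def _advisory_key(alert: dict[str, Any]) -> str:
    """Group by GHSA id; fall back to ecosystem+package+version when absent."""
    if alert.get("ghsa_id"):
        return alert["ghsa_id"]
    return f"{alert.get('ecosystem')}:{alert.get('package')}@{alert.get('version')}"


def _is_actionable(alert: dict[str, Any]) -> bool:
    """Runtime-scope, fixable, critical/high (dev-scope, no-fix, medium/low drop out)."""
    return (
        alert.get("severity") in SEVERITY_RANK
        and alert.get("scope") == "runtime"
        and bool(alert.get("fixed_in"))
    )


def build_burndown(repos: list[dict[str, Any]]) -> list[dict[str, Any]]:
    """One entry per advisory, repos deduplicated by name (assumed clone-repo
    handling), ranked critical-before-high then by repo count descending."""
    groups: dict[str, dict[str, Any]] = {}
    for repo in repos:
        for alert in repo.get("dependabot_details") or []:
            if not _is_actionable(alert):
                continue
            key = _advisory_key(alert)
            entry = groups.setdefault(key, {
                "advisory": key,
                "severity": alert["severity"],
                "package": alert.get("package"),
                "fixed_in": alert.get("fixed_in"),
                "repos": set(),
            })
            # Keep the highest severity seen for the advisory.
            if SEVERITY_RANK[alert["severity"]] < SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = alert["severity"]
            entry["repos"].add(repo["name"])
    ranked = sorted(
        groups.values(),
        key=lambda e: (SEVERITY_RANK[e["severity"]], -len(e["repos"]), e["advisory"]),
    )
    return [dict(e, repos=sorted(e["repos"])) for e in ranked]


def render_markdown(entries: list[dict[str, Any]]) -> str:
    """Markdown document with a ranked table, or an empty-state line."""
    lines = ["# Security Burndown", ""]
    if not entries:
        lines.append("No fixable critical/high runtime alerts.")
        return "\n".join(lines) + "\n"
    lines += ["| # | Advisory | Severity | Package | Fixed in | Repos |",
              "|---|---|---|---|---|---|"]
    for rank, e in enumerate(entries, start=1):
        repos = ", ".join(e["repos"])
        lines.append(f"| {rank} | {e['advisory']} | {e['severity']} | {e['package']} "
                     f"| {e['fixed_in']} | {len(e['repos'])} ({repos}) |")
    return "\n".join(lines) + "\n"


# Constructed sample input in the shape the commit describes (a
# dependabot_details list per repo entry); all values are made up.
_LODASH = {"ghsa_id": "GHSA-CONSTRUCTED-1", "severity": "high", "scope": "runtime",
           "ecosystem": "npm", "package": "lodash", "version": "4.17.20",
           "fixed_in": "4.17.21"}
SAMPLE_REPOS = [
    {"name": "api", "dependabot_details": [
        _LODASH,
        {"ghsa_id": None, "severity": "critical", "scope": "runtime",
         "ecosystem": "pip", "package": "pyyaml", "version": "5.3", "fixed_in": "5.4"},
        {"ghsa_id": "GHSA-CONSTRUCTED-2", "severity": "critical", "scope": "development",
         "ecosystem": "npm", "package": "devtool", "version": "1.0", "fixed_in": "1.1"},
        {"ghsa_id": "GHSA-CONSTRUCTED-3", "severity": "high", "scope": "runtime",
         "ecosystem": "npm", "package": "nofix", "version": "2.0", "fixed_in": None},
        {"ghsa_id": "GHSA-CONSTRUCTED-4", "severity": "medium", "scope": "runtime",
         "ecosystem": "npm", "package": "meh", "version": "3.0", "fixed_in": "3.1"},
    ]},
    {"name": "web", "dependabot_details": [_LODASH]},
    {"name": "web", "dependabot_details": [_LODASH]},  # clone of "web": counted once
]

if __name__ == "__main__":
    print(render_markdown(build_burndown(SAMPLE_REPOS)))
```

On the constructed sample the critical pyyaml entry (keyed by its ecosystem+package+version fallback because it has no `ghsa_id`) ranks first, the lodash advisory collapses the two "web" entries and "api" into a single row with a repo count of 2, and the three non-actionable alerts never appear.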
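The exception-logging hardening the commit message describes (log the repo identity and `type(exc).__name__` only, never the exception object or response-derived data), shown as an added example that is not the project's code: `FakeSession`, the fetch functions, the URL and the token value are all constructed stand-ins, and `token_reaches_log` is the check a reviewer would run to confirm the flagged pattern leaks the bearer token into the log while the hardened handler does not.

```python
"""Added example (not the project's own code): the logging hardening the
commit message describes, plus a check that the token never reaches the log.
The session/fetch shapes below are constructed stand-ins."""
import logging

# Constructed placeholder, not a real credential.
PLACEHOLDER_TOKEN = "ghp_CONSTRUCTED_PLACEHOLDER_TOKEN"


class FakeSession:
    """Stand-in for an authenticated requests.Session whose failures echo
    the request headers in the exception text (as some client stacks do)."""

    def __init__(self, token: str) -> None:
        self.headers = {"Authorization": f"Bearer {token}"}

    def get(self, url: str):
        raise ConnectionError(f"connect failed for {url}; headers={self.headers}")


def fetch_alerts_unsafe(session, repo: str, log: logging.Logger):
    """The pattern CodeQL flagged: the exception object itself reaches the log."""
    try:
        return session.get(f"https://api.example.invalid/repos/{repo}/dependabot/alerts")
    except Exception as exc:
        log.warning("GHAS fetch failed for %s: %s", repo, exc)
        return None


def fetch_alerts_hardened(session, repo: str, log: logging.Logger):
    """Log only the repo identity (our own input) and the exception class
    name; never the exception object or anything response-derived."""
    try:
        return session.get(f"https://api.example.invalid/repos/{repo}/dependabot/alerts")
    except Exception as exc:
        log.warning("GHAS fetch failed for %s: %s", repo, type(exc).__name__)
        return None


class _CaptureHandler(logging.Handler):
    """Collects formatted log lines so they can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.messages: list[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.messages.append(self.format(record))


def token_reaches_log(fetch, token: str = PLACEHOLDER_TOKEN) -> bool:
    """Run one fetch against a failing session and report whether the token
    text appears in any emitted log line."""
    log = logging.getLogger(f"burndown-example.{fetch.__name__}")
    log.setLevel(logging.WARNING)
    log.propagate = False
    handler = _CaptureHandler()
    log.addHandler(handler)
    try:
        fetch(FakeSession(token), "octo/api", log)
    finally:
        log.removeHandler(handler)
    return any(token in message for message in handler.messages)


if __name__ == "__main__":
    print("unsafe handler leaks token:", token_reaches_log(fetch_alerts_unsafe))
    print("hardened handler leaks token:", token_reaches_log(fetch_alerts_hardened))
```

The hardened handler keeps the diagnostics the commit message cares about (which repo, which error class) and nothing else; the fully static-string variant the new `ghas_alert_details` module uses (a message with zero format arguments) is the same idea taken one step further.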
4 files changed
Lines changed: 1135 additions & 1 deletion