diff --git a/.coderabbit.yaml b/.coderabbit.yaml new file mode 100644 index 00000000..86367ec3 --- /dev/null +++ b/.coderabbit.yaml @@ -0,0 +1,148 @@ +# CodeRabbit AI Configuration for snapm +# +# This configuration ensures CodeRabbit focuses on actionable bug fixes +# and security issues rather than incomplete or theoretical improvements. +# +# Schema: https://coderabbit.ai/integrations/schema.v2.json +# Validate: comment "@coderabbitai configuration" on any PR + +language: "en-US" +tone_instructions: "Security-focused. State risk severity and impact." + +reviews: + profile: "assertive" + request_changes_workflow: true + high_level_summary: true + collapse_walkthrough: false + + path_filters: + - "!vendor/**" + - "!node_modules/**" + - "!dist/**" + - "!build/**" + - "!*.min.js" + - "!.venv/**" + + auto_review: + enabled: true + auto_incremental_review: true + drafts: false + base_branches: + - "main" + + # Path-specific rules + path_instructions: + + # ── Repo-wide review guidance ──────────────────────────────── + - path: "**/*" + instructions: | + - Only suggest refactoring or API changes if the suggestion includes + complete implementation (e.g., if suggesting dependency injection, + include the test code that uses it) + - Avoid suggesting changes that add complexity without immediate, + demonstrable value + - Focus on bugs, security issues, and correctness problems in PR reviews + - Do not suggest changes to code marked with '# pragma: no cover' + unless fixing an actual bug + - Avoid premature optimization and theoretical improvements + - When creating issues for potential improvements, ensure they describe + complete solutions, not partial API changes + + # ── Python security ────────────────────────────────────────── + - path: "**/*.py" + instructions: | + Python security: + - Prioritize correctness and security over style and architecture + - Flag actual bugs, race conditions, and security vulnerabilities + - Avoid suggesting testability improvements without corresponding test implementations + - SQL: parameterized queries only; no string concatenation + - Command: no shell=True, os.system with user input + - Path traversal: canonicalize paths, reject ../ + - Deserialization: no pickle.loads on untrusted data + - Integer overflow: bounds-check user-supplied sizes + - Never ignore error returns + + # ── IDE & AI tool configuration (supply chain risk) ───────── + - path: "**/{.claude,.vscode}/**/*" + instructions: | + HIGH RISK — IDE and AI tool configuration: + These directories can be supply chain attack vectors. + Review every change with a security and malware lens. + Flag the following for close scrutiny: + - .claude: hook commands, MCP server definitions, or + permissive tool-use policies in settings.json + - .claude: any scripts or binaries (e.g., .mjs, .sh) + - .vscode: tasks.json or launch.json entries that execute + code on folder open, build, or save + - .vscode: settings.json entries that auto-run formatters, + linters, or extensions with broad permissions + - Any change that grants broad filesystem or network access + - Obfuscated content or suspiciously large files + - Changes without a clear, legitimate purpose + + # ── CI/CD & GitHub Actions ─────────────────────────────────── + - path: ".github/workflows/**/*" + instructions: | + CI/CD security: + - Pin actions by full SHA, not tag + - No secrets in logs; mask sensitive outputs + - Least privilege: minimize GITHUB_TOKEN permissions + - No pull_request_target with checkout of PR head + - SAST/SCA steps in pipeline + + # ── Security scanners ──────────────────────────────────────── + tools: + gitleaks: + enabled: true + semgrep: + enabled: true + actionlint: + enabled: true + + # ── Pre-merge checks (hard gates) ─────────────────────────── + pre_merge_checks: + override_requested_reviewers_only: true + description: + mode: "warning" + custom_checks: + - name: "no-hardcoded-secrets" + instructions: | + Flag hardcoded secrets: API keys, tokens, passwords, private + keys, credentials. Also flag base64 strings >32 chars in config, + URLs with embedded credentials, variables named api_key/secret/ + token/password assigned string literals. + mode: "error" + + - name: "no-weak-crypto" + instructions: | + Flag MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode usage. + Flag custom crypto implementations. Flag non-constant-time + comparison of secrets or tokens. + mode: "error" + + - name: "no-injection-vectors" + instructions: | + Flag SQL string concatenation, shell=True with user input, + eval/exec on untrusted data, pickle.loads on untrusted input, + yaml.load without SafeLoader, os.system with variables. + mode: "error" + + - name: "no-sensitive-data-in-logs" + instructions: | + Flag logging that may expose passwords, tokens, API keys, + PII (email, SSN, credit card), session IDs, internal + hostnames, or customer data. + mode: "error" + +# ── Knowledge base ─────────────────────────────────────────── +knowledge_base: + code_guidelines: + enabled: true + filePatterns: + - "**/CONTRIBUTING.md" + - "**/SECURITY.md" + + issues: + scope: "auto" + pull_requests: + scope: "auto"