coderabbit: add security-focused code review configuration#1000
Conversation
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
WalkthroughThis PR adds a new ChangesCodeRabbit Configuration
Estimated code review effort: 3 (Moderate) | ~20 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Congratulations! One of the builds has completed. 🍾 You can install the built RPMs by following these steps:
Please note that the RPMs should be used only in a testing environment. |
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (1)
.coderabbit.yaml (1)
5-6: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueLanguage and tone are only comments, so they aren't actually configured.
Lines 5-6 document intent but set nothing. If you want
en-USand a security-focused tone applied, set the real keys, e.g.language: "en-US"andtone_instructions: "..."at the top level.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.coderabbit.yaml around lines 5 - 6, The .coderabbit.yaml entries for language and tone are only comments and do not configure anything. Update the top-level config to use the actual settings keys, such as language and tone_instructions, so the intended en-US language and security-focused tone are applied. Keep the intent currently described in the comment but move it into real configuration fields rather than commented text.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.coderabbit.yaml:
- Around line 102-116: The path filter config is using a nested excluded map
under path_filters instead of the flat glob list expected by
reviews.path_filters. Update the .coderabbit.yaml path_filters block to use
quoted !-prefixed glob patterns directly in the list, and remove the excluded
key so the exclusions are applied correctly. Keep the existing exclusion set,
just change the structure of the configuration.
- Around line 200-232: The repository-wide guidance is currently defined under a
top-level instructions key, which is ignored by the review system. Move this
content into reviews.instructions so it applies globally, and use
reviews.path_instructions only for file-specific rules; if you need tone
changes, place them in reviews.profile or keep them in reviews.instructions.
- Around line 118-193: The scanner configuration is currently placed under an
unsupported top-level security block, so it will not be applied. Move the
gitleaks, semgrep, and actionlint settings under reviews.tools, keep
reviews.tools.gitleaks.enabled and reviews.tools.actionlint.enabled there, and
replace the inline Semgrep rules with a reviews.tools.semgrep.config_file
reference. Ensure the Semgrep rule definitions are moved into the referenced
config file rather than remaining inline in .coderabbit.yaml.
- Around line 24-30: The knowledge_base configuration is currently shaped as a
list, but it needs to be a mapping so the AI context settings are read
correctly. Update the .coderabbit.yaml knowledge_base section to use the
top-level knowledge_base key as an object, and move the existing file glob
entries under knowledge_base.code_guidelines.filePatterns while keeping the
existing patterns intact.
---
Nitpick comments:
In @.coderabbit.yaml:
- Around line 5-6: The .coderabbit.yaml entries for language and tone are only
comments and do not configure anything. Update the top-level config to use the
actual settings keys, such as language and tone_instructions, so the intended
en-US language and security-focused tone are applied. Keep the intent currently
described in the comment but move it into real configuration fields rather than
commented text.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
| # Security scanners - pre-merge hard gates | ||
| security: | ||
| # Secret detection | ||
| gitleaks: | ||
| enabled: true | ||
| severity: "CRITICAL" | ||
| patterns: | ||
| - "(?i)(api[_-]?key|apikey)\\s*[:=]\\s*['\"]?[a-z0-9]{20,}['\"]?" | ||
| - "(?i)(secret[_-]?key|secretkey)\\s*[:=]\\s*['\"]?[a-z0-9]{20,}['\"]?" | ||
| - "(?i)(access[_-]?token|accesstoken)\\s*[:=]\\s*['\"]?[a-z0-9]{20,}['\"]?" | ||
| - "(?i)(password|passwd|pwd)\\s*[:=]\\s*['\"]?[^'\"\\s]{8,}['\"]?" | ||
| - "(?i)(private[_-]?key|privatekey)\\s*[:=]" | ||
| - "-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----" | ||
| - "(?i)(aws|amazon)[_-]?(access|secret)[_-]?key" | ||
| - "(?i)github[_-]?token" | ||
|
|
||
| # Static analysis security testing | ||
| semgrep: | ||
| enabled: true | ||
| rules: | ||
| # Weak cryptography | ||
| - id: "weak-crypto-md5" | ||
| pattern: "hashlib.md5" | ||
| message: "MD5 is cryptographically broken. Use SHA-256 or better." | ||
| severity: "HIGH" | ||
|
|
||
| - id: "weak-crypto-sha1" | ||
| pattern: "hashlib.sha1" | ||
| message: "SHA-1 is deprecated for security. Use SHA-256 or better." | ||
| severity: "MEDIUM" | ||
|
|
||
| - id: "weak-crypto-des" | ||
| pattern-regex: "(DES|DES3|TripleDES|RC4)" | ||
| message: "Weak encryption algorithm detected. Use AES-256-GCM." | ||
| severity: "HIGH" | ||
|
|
||
| # Injection vulnerabilities | ||
| - id: "sql-injection-risk" | ||
| pattern-regex: "cursor\\.execute\\([^?%]*%[^s]" | ||
| message: "Potential SQL injection. Use parameterized queries." | ||
| severity: "CRITICAL" | ||
|
|
||
| - id: "command-injection-shell-true" | ||
| pattern: "subprocess.*shell=True" | ||
| message: "Command injection risk. Never use shell=True with user input." | ||
| severity: "CRITICAL" | ||
|
|
||
| - id: "eval-exec-usage" | ||
| pattern-regex: "(eval|exec)\\(" | ||
| message: "Arbitrary code execution via eval/exec is prohibited." | ||
| severity: "CRITICAL" | ||
|
|
||
| - id: "pickle-loads-untrusted" | ||
| pattern: "pickle.loads" | ||
| message: "Deserialization attack risk. Don't unpickle untrusted data." | ||
| severity: "HIGH" | ||
|
|
||
| # Sensitive data exposure | ||
| - id: "password-in-logs" | ||
| pattern-regex: "(log|print).*password" | ||
| message: "Password potentially logged. Never log credentials." | ||
| severity: "HIGH" | ||
|
|
||
| - id: "token-in-logs" | ||
| pattern-regex: "(log|print).*(token|api[_-]?key)" | ||
| message: "Token/API key potentially logged. Never log credentials." | ||
| severity: "HIGH" | ||
|
|
||
| # GitHub Actions security | ||
| actionlint: | ||
| enabled: true | ||
| rules: | ||
| - "Verify actions are SHA-pinned, not version tags" | ||
| - "Check GITHUB_TOKEN has minimal required permissions" | ||
| - "Verify secrets are masked in logs" | ||
| - "Check for injection in workflow expressions" |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🔴 Critical | 🏗️ Heavy lift
🧩 Analysis chain
🌐 Web query:
CodeRabbit reviews tools gitleaks semgrep actionlint configuration options
💡 Result:
CodeRabbit supports integrated security and linting tools including Gitleaks (specifically referenced as Betterleaks, an improved version of Gitleaks), Semgrep, and actionlint, among many others [1][2]. These tools are part of a broader suite of over 50 supported static analysis and security scanners [1][3]. Configuration Options You can manage these tools through the following methods: 1. Repository Configuration File (.coderabbit.yaml): You can enable or disable specific tools and manage their settings within your repository's.coderabbit.yaml file [2][4]. For most tools, basic enabling is handled under the tools section: reviews: tools: semgrep: enabled: true betterleaks: # Used in place of Gitleaks enabled: true actionlint: enabled: true 2. Web Interface: You can also manage tool integrations directly from the CodeRabbit organization or repository settings page under Reviews > Tools [4]. 3. Tool-Specific References: While many tools default to standard behavior when enabled, CodeRabbit provides dedicated reference documentation for each tool, which you can browse in their Tool Catalog [5][3]. For example, actionlint is specifically configured to scan GitHub Actions workflow files [1][6], and Semgrep is used for broader security and quality analysis [1][7]. Note that for secret scanning, CodeRabbit provides Betterleaks, which is explicitly identified as their improved version of Gitleaks [2]. You can verify the latest specific configuration keys and available parameters for each tool by visiting the official CodeRabbit Tools reference pages [1][3].
Citations:
- 1: https://docs.coderabbit.ai/reference/tools-reference
- 2: https://docs.coderabbit.ai/reference/configuration
- 3: https://docs.coderabbit.ai/tools/reference
- 4: https://docs.coderabbit.ai/tools/skillspector
- 5: https://docs.coderabbit.ai/tools/list
- 6: https://docs.coderabbit.ai/tools/actionlint
- 7: https://docs.coderabbit.ai/tools/semgrep
🏁 Script executed:
git ls-files | rg '(^|/)(coderabbit|review|security|semgrep|actionlint|gitleaks|schema|config)\b|\.coderabbit\.yaml$|\.github/workflows/'Repository: snapshotmanager/snapm
Length of output: 237
🏁 Script executed:
sed -n '1,260p' .coderabbit.yamlRepository: snapshotmanager/snapm
Length of output: 9370
🌐 Web query:
CodeRabbit configuration reviews.tools gitleaks semgrep actionlint security key supported schema
💡 Result:
CodeRabbit supports configuration through a YAML file located at the root of your repository named.coderabbit.yaml [1]. You can manage third-party tools, including Gitleaks (or its successor Betterleaks), Semgrep, and actionlint, within the reviews.tools section of this file [2][3]. Key Configuration Details: 1. Enabling Tools: You can enable or disable specific tools using the enabled boolean flag under the tool's name [2][3]. Example: reviews: tools: gitleaks: enabled: true actionlint: enabled: true semgrep: enabled: true config_file: ".semgrep.yml" 2. Configuration Files: For tools that require specific rules or settings, you can provide an optional config_file path relative to the repository root in your.coderabbit.yaml [2][3]. If no file is specified, many tools fall back to profile-based defaults or look for standard configuration files in the root directory (e.g., semgrep.yml) [2][4]. 3. Schema: CodeRabbit provides a JSON schema to validate your.coderabbit.yaml configuration, which is available at https://coderabbit.ai/integrations/schema.v2.json [5][1]. You can use this schema in your IDE (e.g., via the yaml-language-server) by adding the following header to your YAML file [1]: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json 4. Tool Specifics: - Gitleaks/Betterleaks: CodeRabbit integrates with Betterleaks (an improved version of Gitleaks) for secret scanning [5][3]. - Semgrep: Requires a valid configuration file to run [4]. It will automatically detect files like semgrep.yml or semgrep.config.yml if they exist in the root [4]. - Actionlint: Used for checking GitHub Actions workflow files [6][3]. For a complete reference of all available tools and configuration options, you can consult the official CodeRabbit Tools Reference documentation [7][2].
Citations:
- 1: https://coderabbit.mintlify.app/getting-started/yaml-configuration
- 2: https://docs.coderabbit.ai/tools
- 3: https://coderabbit.mintlify.app/tools/reference
- 4: https://docs.coderabbit.ai/tools/semgrep
- 5: https://catalog.lintel.tools/schemas/schemastore/coderabbit/
- 6: https://docs.coderabbit.ai/reference/tools-reference
- 7: https://docs.coderabbit.ai/tools/reference
Move these scanners under reviews.tools
The top-level security: block is not part of the supported schema, so these gates will not run from this file. Use reviews.tools.gitleaks.enabled, reviews.tools.semgrep.config_file, and reviews.tools.actionlint.enabled; Semgrep rules need to live in the referenced config file, not inline here.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.coderabbit.yaml around lines 118 - 193, The scanner configuration is
currently placed under an unsupported top-level security block, so it will not
be applied. Move the gitleaks, semgrep, and actionlint settings under
reviews.tools, keep reviews.tools.gitleaks.enabled and
reviews.tools.actionlint.enabled there, and replace the inline Semgrep rules
with a reviews.tools.semgrep.config_file reference. Ensure the Semgrep rule
definitions are moved into the referenced config file rather than remaining
inline in .coderabbit.yaml.
3eef959 to
bb14a06
Compare
|
@coderabbitai review |
✅ Action performedReview finished.
|
There was a problem hiding this comment.
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.coderabbit.yaml:
- Around line 96-100: The pre-merge hard gate configuration still allows
override bypasses when request_changes_workflow is enabled. Update the
pre_merge_checks section in the .coderabbit.yaml config to add
override_requested_reviewers_only: true alongside the existing
request_changes_workflow setting so only requested reviewers can bypass these
security gates.
- Around line 33-44: The repo-wide review bullets are currently placed under an
unsupported key, so they will be ignored by the reviewer. Move the existing
guidance from the current instructions block into a valid catch-all review rule
using reviews.path_instructions with path set to "**/*", or relocate it into a
guideline file matched by knowledge_base.code_guidelines.filePatterns. Keep the
same bullet content and ensure the supported key is the one used by the schema.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
| # Custom instructions to guide CodeRabbit's review behavior | ||
| instructions: | ||
| - "Only suggest refactoring or API changes if the suggestion includes complete implementation (e.g., if suggesting dependency injection, include the test code that uses it)" | ||
| - "Avoid suggesting changes that add complexity without immediate, demonstrable value" | ||
| - "Focus on bugs, security issues, and correctness problems in PR reviews" | ||
| - "Do not suggest changes to code marked with '# pragma: no cover' unless fixing an actual bug" | ||
| - "Avoid premature optimization and theoretical improvements" | ||
| - "When creating issues for potential improvements, ensure they describe complete solutions, not partial API changes" | ||
|
|
||
| # Path-specific rules | ||
| path_instructions: | ||
|
|
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
curl -fsSL https://www.coderabbit.ai/integrations/schema.v2.json \
| jq -e '.properties.reviews.properties.instructions'Repository: snapshotmanager/snapm
Length of output: 164
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '--- .coderabbit.yaml ---\n'
cat -n .coderabbit.yaml
printf '\n--- schema: reviews keys ---\n'
python3 - <<'PY'
import json, urllib.request
schema = json.load(urllib.request.urlopen('https://www.coderabbit.ai/integrations/schema.v2.json'))
reviews = schema.get('properties', {}).get('reviews', {})
print('reviews keys:', sorted(reviews.get('properties', {}).keys()))
print('reviews.instructions:', reviews.get('properties', {}).get('instructions'))
print('reviews.path_instructions:', reviews.get('properties', {}).get('path_instructions'))
PYRepository: snapshotmanager/snapm
Length of output: 250
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo '--- .coderabbit.yaml ---'
cat -n .coderabbit.yaml
echo
echo '--- schema: reviews keys ---'
python3 - <<'PY'
import json, urllib.request
schema = json.load(urllib.request.urlopen('https://www.coderabbit.ai/integrations/schema.v2.json'))
reviews = schema.get('properties', {}).get('reviews', {})
print('reviews keys:', sorted(reviews.get('properties', {}).keys()))
print('reviews.instructions:', reviews.get('properties', {}).get('instructions'))
print('reviews.path_instructions:', reviews.get('properties', {}).get('path_instructions'))
PYRepository: snapshotmanager/snapm
Length of output: 9142
🏁 Script executed:
#!/bin/bash
set -euo pipefail
tmp=$(mktemp)
curl -ksSL https://www.coderabbit.ai/integrations/schema.v2.json > "$tmp"
python3 - <<'PY' "$tmp"
import json, sys
with open(sys.argv[1]) as f:
schema = json.load(f)
reviews = schema.get('properties', {}).get('reviews', {})
print('reviews.properties keys:', sorted(reviews.get('properties', {}).keys()))
print('has reviews.instructions:', 'instructions' in reviews.get('properties', {}))
print('has reviews.path_instructions:', 'path_instructions' in reviews.get('properties', {}))
kb = schema.get('properties', {}).get('knowledge_base', {})
cg = kb.get('properties', {}).get('code_guidelines', {})
print('knowledge_base.code_guidelines.properties keys:', sorted(cg.get('properties', {}).keys()))
print('has knowledge_base.code_guidelines.filePatterns:', 'filePatterns' in cg.get('properties', {}))
pi = reviews.get('properties', {}).get('path_instructions', {})
print('path_instructions schema type:', pi.get('type'))
print('path_instructions items keys:', sorted(pi.get('items', {}).get('properties', {}).keys()) if isinstance(pi.get('items'), dict) else None)
PYRepository: snapshotmanager/snapm
Length of output: 1345
Move the repo-wide guidance under a supported review key. reviews.instructions is not in the schema, so these bullets won’t be applied. Put them in a catch-all reviews.path_instructions entry (path: "**/*") or move them into a guideline file referenced by knowledge_base.code_guidelines.filePatterns.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.coderabbit.yaml around lines 33 - 44, The repo-wide review bullets are
currently placed under an unsupported key, so they will be ignored by the
reviewer. Move the existing guidance from the current instructions block into a
valid catch-all review rule using reviews.path_instructions with path set to
"**/*", or relocate it into a guideline file matched by
knowledge_base.code_guidelines.filePatterns. Keep the same bullet content and
ensure the supported key is the one used by the schema.
| # ── Pre-merge checks (hard gates) ─────────────────────────── | ||
| pre_merge_checks: | ||
| description: | ||
| mode: "warning" | ||
| custom_checks: |
There was a problem hiding this comment.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
sed -n '80,120p' .coderabbit.yaml
rg -n "override_requested_reviewers_only|request_changes_workflow|pre_merge_checks|hard gates" -S .Repository: snapshotmanager/snapm
Length of output: 1639
🏁 Script executed:
sed -n '88,150p' .coderabbit.yaml
rg -n "override_requested_reviewers_only|request_changes_workflow" .coderabbit.yamlRepository: snapshotmanager/snapm
Length of output: 1867
Restrict overrides on hard gates.
request_changes_workflow: true still allows failed checks to be overridden unless override_requested_reviewers_only: true is set under pre_merge_checks. Add it so only requested reviewers can bypass these security gates.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.coderabbit.yaml around lines 96 - 100, The pre-merge hard gate
configuration still allows override bypasses when request_changes_workflow is
enabled. Update the pre_merge_checks section in the .coderabbit.yaml config to
add override_requested_reviewers_only: true alongside the existing
request_changes_workflow setting so only requested reviewers can bypass these
security gates.
Add comprehensive CodeRabbit configuration to enforce Red Hat Product Security standards and prevent incomplete code review suggestions. Key features: - Security scanners: gitleaks, semgrep, actionlint - Path-based rules for Python files, tests, workflows, configs - Supply chain security checks for .claude/ and .vscode/ directories - Pre-merge hard gates for secrets, weak crypto, injection vectors - Completeness requirements for refactoring suggestions Security standards: - Flag hardcoded credentials (CRITICAL) - Flag weak cryptography: MD5, SHA-1, DES, RC4 (HIGH) - Flag injection risks: SQL, command, eval/exec, pickle (CRITICAL) - Flag sensitive data in logs (HIGH) - Require SHA-pinned GitHub Actions (supply chain security) References: snapshotmanager/boom-boot#405 Resolves similar issues to boom-boot#351 Signed-off-by: Todd Gill <tgill@redhat.com> Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
bb14a06 to
ab2d0e3
Compare
Add CodeRabbit configuration to enforce Red Hat Product Security standards and prevent incomplete code review suggestions.
Key features:
Security standards:
References: snapshotmanager/boom-boot#405
Resolves similar issues to boom-boot#351
Summary by CodeRabbit