Skip to content
Draft
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
148 changes: 148 additions & 0 deletions .coderabbit.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,148 @@
# CodeRabbit AI Configuration for snapm
#
# This configuration ensures CodeRabbit focuses on actionable bug fixes
# and security issues rather than incomplete or theoretical improvements.
#
# Schema: https://coderabbit.ai/integrations/schema.v2.json
# Validate: comment "@coderabbitai configuration" on any PR

language: "en-US"
tone_instructions: "Security-focused. State risk severity and impact."

reviews:
profile: "assertive"
request_changes_workflow: true
high_level_summary: true
collapse_walkthrough: false

path_filters:
- "!vendor/**"
- "!node_modules/**"
- "!dist/**"
- "!build/**"
- "!*.min.js"
- "!.venv/**"

auto_review:
enabled: true
auto_incremental_review: true
drafts: false
base_branches:
- "main"

# Path-specific rules
path_instructions:

# ── Repo-wide review guidance ────────────────────────────────
- path: "**/*"
instructions: |
- Only suggest refactoring or API changes if the suggestion includes
complete implementation (e.g., if suggesting dependency injection,
include the test code that uses it)
- Avoid suggesting changes that add complexity without immediate,
demonstrable value
- Focus on bugs, security issues, and correctness problems in PR reviews
- Do not suggest changes to code marked with '# pragma: no cover'
unless fixing an actual bug
- Avoid premature optimization and theoretical improvements
- When creating issues for potential improvements, ensure they describe
complete solutions, not partial API changes

# ── Python security ──────────────────────────────────────────
- path: "**/*.py"
instructions: |
Python security:
- Prioritize correctness and security over style and architecture
- Flag actual bugs, race conditions, and security vulnerabilities
- Avoid suggesting testability improvements without corresponding test implementations
- SQL: parameterized queries only; no string concatenation
- Command: no shell=True, os.system with user input
- Path traversal: canonicalize paths, reject ../
- Deserialization: no pickle.loads on untrusted data
- Integer overflow: bounds-check user-supplied sizes
- Never ignore error returns

# ── IDE & AI tool configuration (supply chain risk) ─────────
- path: "**/{.claude,.vscode}/**/*"
instructions: |
HIGH RISK — IDE and AI tool configuration:
These directories can be supply chain attack vectors.
Review every change with a security and malware lens.
Flag the following for close scrutiny:
- .claude: hook commands, MCP server definitions, or
permissive tool-use policies in settings.json
- .claude: any scripts or binaries (e.g., .mjs, .sh)
- .vscode: tasks.json or launch.json entries that execute
code on folder open, build, or save
- .vscode: settings.json entries that auto-run formatters,
linters, or extensions with broad permissions
- Any change that grants broad filesystem or network access
- Obfuscated content or suspiciously large files
- Changes without a clear, legitimate purpose

# ── CI/CD & GitHub Actions ───────────────────────────────────
- path: ".github/workflows/**/*"
instructions: |
CI/CD security:
- Pin actions by full SHA, not tag
- No secrets in logs; mask sensitive outputs
- Least privilege: minimize GITHUB_TOKEN permissions
- No pull_request_target with checkout of PR head
- SAST/SCA steps in pipeline

# ── Security scanners ────────────────────────────────────────
tools:
gitleaks:
enabled: true
semgrep:
enabled: true
actionlint:
enabled: true

# ── Pre-merge checks (hard gates) ───────────────────────────
pre_merge_checks:
override_requested_reviewers_only: true
description:
mode: "warning"
custom_checks:
Comment on lines +102 to +107

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

sed -n '80,120p' .coderabbit.yaml
rg -n "override_requested_reviewers_only|request_changes_workflow|pre_merge_checks|hard gates" -S .

Repository: snapshotmanager/snapm

Length of output: 1639


🏁 Script executed:

sed -n '88,150p' .coderabbit.yaml
rg -n "override_requested_reviewers_only|request_changes_workflow" .coderabbit.yaml

Repository: snapshotmanager/snapm

Length of output: 1867


Restrict overrides on hard gates.

request_changes_workflow: true still allows failed checks to be overridden unless override_requested_reviewers_only: true is set under pre_merge_checks. Add it so only requested reviewers can bypass these security gates.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.coderabbit.yaml around lines 96 - 100, The pre-merge hard gate
configuration still allows override bypasses when request_changes_workflow is
enabled. Update the pre_merge_checks section in the .coderabbit.yaml config to
add override_requested_reviewers_only: true alongside the existing
request_changes_workflow setting so only requested reviewers can bypass these
security gates.

- name: "no-hardcoded-secrets"
instructions: |
Flag hardcoded secrets: API keys, tokens, passwords, private
keys, credentials. Also flag base64 strings >32 chars in config,
URLs with embedded credentials, variables named api_key/secret/
token/password assigned string literals.
mode: "error"

- name: "no-weak-crypto"
instructions: |
Flag MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode usage.
Flag custom crypto implementations. Flag non-constant-time
comparison of secrets or tokens.
mode: "error"

- name: "no-injection-vectors"
instructions: |
Flag SQL string concatenation, shell=True with user input,
eval/exec on untrusted data, pickle.loads on untrusted input,
yaml.load without SafeLoader, os.system with variables.
mode: "error"

- name: "no-sensitive-data-in-logs"
instructions: |
Flag logging that may expose passwords, tokens, API keys,
PII (email, SSN, credit card), session IDs, internal
hostnames, or customer data.
mode: "error"

# ── Knowledge base ───────────────────────────────────────────
knowledge_base:
code_guidelines:
enabled: true
filePatterns:
- "**/CONTRIBUTING.md"
- "**/SECURITY.md"

issues:
scope: "auto"
pull_requests:
scope: "auto"
Loading