-
Notifications
You must be signed in to change notification settings - Fork 6
coderabbit: add security-focused code review configuration #1000
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Draft
trgill
wants to merge
1
commit into
snapshotmanager:main
Choose a base branch
from
trgill:code_rabbit_changes
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+148
−0
Draft
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,148 @@ | ||
| # CodeRabbit AI Configuration for snapm | ||
| # | ||
| # This configuration ensures CodeRabbit focuses on actionable bug fixes | ||
| # and security issues rather than incomplete or theoretical improvements. | ||
| # | ||
| # Schema: https://coderabbit.ai/integrations/schema.v2.json | ||
| # Validate: comment "@coderabbitai configuration" on any PR | ||
|
|
||
| language: "en-US" | ||
| tone_instructions: "Security-focused. State risk severity and impact." | ||
|
|
||
| reviews: | ||
| profile: "assertive" | ||
| request_changes_workflow: true | ||
| high_level_summary: true | ||
| collapse_walkthrough: false | ||
|
|
||
| path_filters: | ||
| - "!vendor/**" | ||
| - "!node_modules/**" | ||
| - "!dist/**" | ||
| - "!build/**" | ||
| - "!*.min.js" | ||
| - "!.venv/**" | ||
|
|
||
| auto_review: | ||
| enabled: true | ||
| auto_incremental_review: true | ||
| drafts: false | ||
| base_branches: | ||
| - "main" | ||
|
|
||
| # Path-specific rules | ||
| path_instructions: | ||
|
|
||
| # ── Repo-wide review guidance ──────────────────────────────── | ||
| - path: "**/*" | ||
| instructions: | | ||
| - Only suggest refactoring or API changes if the suggestion includes | ||
| complete implementation (e.g., if suggesting dependency injection, | ||
| include the test code that uses it) | ||
| - Avoid suggesting changes that add complexity without immediate, | ||
| demonstrable value | ||
| - Focus on bugs, security issues, and correctness problems in PR reviews | ||
| - Do not suggest changes to code marked with '# pragma: no cover' | ||
| unless fixing an actual bug | ||
| - Avoid premature optimization and theoretical improvements | ||
| - When creating issues for potential improvements, ensure they describe | ||
| complete solutions, not partial API changes | ||
|
|
||
| # ── Python security ────────────────────────────────────────── | ||
| - path: "**/*.py" | ||
| instructions: | | ||
| Python security: | ||
| - Prioritize correctness and security over style and architecture | ||
| - Flag actual bugs, race conditions, and security vulnerabilities | ||
| - Avoid suggesting testability improvements without corresponding test implementations | ||
| - SQL: parameterized queries only; no string concatenation | ||
| - Command: no shell=True, os.system with user input | ||
| - Path traversal: canonicalize paths, reject ../ | ||
| - Deserialization: no pickle.loads on untrusted data | ||
| - Integer overflow: bounds-check user-supplied sizes | ||
| - Never ignore error returns | ||
|
|
||
| # ── IDE & AI tool configuration (supply chain risk) ───────── | ||
| - path: "**/{.claude,.vscode}/**/*" | ||
| instructions: | | ||
| HIGH RISK — IDE and AI tool configuration: | ||
| These directories can be supply chain attack vectors. | ||
| Review every change with a security and malware lens. | ||
| Flag the following for close scrutiny: | ||
| - .claude: hook commands, MCP server definitions, or | ||
| permissive tool-use policies in settings.json | ||
| - .claude: any scripts or binaries (e.g., .mjs, .sh) | ||
| - .vscode: tasks.json or launch.json entries that execute | ||
| code on folder open, build, or save | ||
| - .vscode: settings.json entries that auto-run formatters, | ||
| linters, or extensions with broad permissions | ||
| - Any change that grants broad filesystem or network access | ||
| - Obfuscated content or suspiciously large files | ||
| - Changes without a clear, legitimate purpose | ||
|
|
||
| # ── CI/CD & GitHub Actions ─────────────────────────────────── | ||
| - path: ".github/workflows/**/*" | ||
| instructions: | | ||
| CI/CD security: | ||
| - Pin actions by full SHA, not tag | ||
| - No secrets in logs; mask sensitive outputs | ||
| - Least privilege: minimize GITHUB_TOKEN permissions | ||
| - No pull_request_target with checkout of PR head | ||
| - SAST/SCA steps in pipeline | ||
|
|
||
| # ── Security scanners ──────────────────────────────────────── | ||
| tools: | ||
| gitleaks: | ||
| enabled: true | ||
| semgrep: | ||
| enabled: true | ||
| actionlint: | ||
| enabled: true | ||
|
|
||
| # ── Pre-merge checks (hard gates) ─────────────────────────── | ||
| pre_merge_checks: | ||
| override_requested_reviewers_only: true | ||
| description: | ||
| mode: "warning" | ||
| custom_checks: | ||
| - name: "no-hardcoded-secrets" | ||
| instructions: | | ||
| Flag hardcoded secrets: API keys, tokens, passwords, private | ||
| keys, credentials. Also flag base64 strings >32 chars in config, | ||
| URLs with embedded credentials, variables named api_key/secret/ | ||
| token/password assigned string literals. | ||
| mode: "error" | ||
|
|
||
| - name: "no-weak-crypto" | ||
| instructions: | | ||
| Flag MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB mode usage. | ||
| Flag custom crypto implementations. Flag non-constant-time | ||
| comparison of secrets or tokens. | ||
| mode: "error" | ||
|
|
||
| - name: "no-injection-vectors" | ||
| instructions: | | ||
| Flag SQL string concatenation, shell=True with user input, | ||
| eval/exec on untrusted data, pickle.loads on untrusted input, | ||
| yaml.load without SafeLoader, os.system with variables. | ||
| mode: "error" | ||
|
|
||
| - name: "no-sensitive-data-in-logs" | ||
| instructions: | | ||
| Flag logging that may expose passwords, tokens, API keys, | ||
| PII (email, SSN, credit card), session IDs, internal | ||
| hostnames, or customer data. | ||
| mode: "error" | ||
|
|
||
| # ── Knowledge base ─────────────────────────────────────────── | ||
| knowledge_base: | ||
| code_guidelines: | ||
| enabled: true | ||
| filePatterns: | ||
| - "**/CONTRIBUTING.md" | ||
| - "**/SECURITY.md" | ||
|
|
||
| issues: | ||
| scope: "auto" | ||
| pull_requests: | ||
| scope: "auto" | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🔒 Security & Privacy | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
Repository: snapshotmanager/snapm
Length of output: 1639
🏁 Script executed:
Repository: snapshotmanager/snapm
Length of output: 1867
Restrict overrides on hard gates.
request_changes_workflow: truestill allows failed checks to be overridden unlessoverride_requested_reviewers_only: trueis set underpre_merge_checks. Add it so only requested reviewers can bypass these security gates.🤖 Prompt for AI Agents