Skip to content

coderabbit: add security-focused code review configuration#1000

Draft
trgill wants to merge 1 commit into
snapshotmanager:mainfrom
trgill:code_rabbit_changes
Draft

coderabbit: add security-focused code review configuration#1000
trgill wants to merge 1 commit into
snapshotmanager:mainfrom
trgill:code_rabbit_changes

Conversation

@trgill

@trgill trgill commented Jul 7, 2026

Copy link
Copy Markdown
Collaborator

Add CodeRabbit configuration to enforce Red Hat Product Security standards and prevent incomplete code review suggestions.

Key features:

  • Security scanners: gitleaks, semgrep, actionlint
  • Path-based rules for Python files, tests, workflows, configs
  • Supply chain security checks for .claude/ and .vscode/ directories
  • Pre-merge hard gates for secrets, weak crypto, injection vectors
  • Completeness requirements for refactoring suggestions

Security standards:

  • Flag hardcoded credentials (CRITICAL)
  • Flag weak cryptography: MD5, SHA-1, DES, RC4 (HIGH)
  • Flag injection risks: SQL, command, eval/exec, pickle (CRITICAL)
  • Flag sensitive data in logs (HIGH)
  • Require SHA-pinned GitHub Actions (supply chain security)

References: snapshotmanager/boom-boot#405
Resolves similar issues to boom-boot#351

Summary by CodeRabbit

  • Chores
    • Added a repository security and automated review configuration with stricter PR checks.
    • Enabled stronger detection for hardcoded secrets and risky patterns, including injection and unsafe deserialisation/crypto usage.
    • Added targeted review guidance for high-risk directories and workflow security, with pre-merge hard-gate enforcement and expanded exclusion of common build/cache/minified files.

@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0794c3a7-002a-4d09-a02b-b4166052dd1a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review

Walkthrough

This PR adds a new .coderabbit.yaml configuration for snapm. It sets review behaviour, path-specific security guidance, security scanners, pre-merge checks, and knowledge base scoping.

Changes

CodeRabbit Configuration

Layer / File(s) Summary
Review profile and scope setup
.coderabbit.yaml
Adds configuration metadata, assertive review settings, request-changes workflow, auto-review on main, path exclusions, and knowledge base scoping.
Path-based review instructions
.coderabbit.yaml
Adds Python security rules, high-risk .claude/ and .vscode/ review criteria, and GitHub workflow rules for SHA-pinned actions, least-privilege tokens, and pull_request_target handling.
Security scanners and pre-merge checks
.coderabbit.yaml
Enables gitleaks, semgrep, and actionlint, then defines blocking checks for hardcoded secrets, weak cryptography, injection vectors, and sensitive log content.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Poem

I’m a rabbit, quick and keen,
Hopping through YAML, crisp and clean.
Secrets hidden? Not in sight,
Workflows pinned up nice and tight.
One config burrow, safe and sound —
Security carrots all around. 🐇

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: adding a security-focused CodeRabbit review configuration.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@packit-as-a-service

Copy link
Copy Markdown

Congratulations! One of the builds has completed. 🍾

You can install the built RPMs by following these steps:

  • sudo dnf install -y 'dnf*-command(copr)'
  • dnf copr enable packit/snapshotmanager-snapm-1000
  • And now you can install the packages.

Please note that the RPMs should be used only in a testing environment.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

🧹 Nitpick comments (1)
.coderabbit.yaml (1)

5-6: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Language and tone are only comments, so they aren't actually configured.

Lines 5-6 document intent but set nothing. If you want en-US and a security-focused tone applied, set the real keys, e.g. language: "en-US" and tone_instructions: "..." at the top level.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.coderabbit.yaml around lines 5 - 6, The .coderabbit.yaml entries for
language and tone are only comments and do not configure anything. Update the
top-level config to use the actual settings keys, such as language and
tone_instructions, so the intended en-US language and security-focused tone are
applied. Keep the intent currently described in the comment but move it into
real configuration fields rather than commented text.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.coderabbit.yaml:
- Around line 102-116: The path filter config is using a nested excluded map
under path_filters instead of the flat glob list expected by
reviews.path_filters. Update the .coderabbit.yaml path_filters block to use
quoted !-prefixed glob patterns directly in the list, and remove the excluded
key so the exclusions are applied correctly. Keep the existing exclusion set,
just change the structure of the configuration.
- Around line 200-232: The repository-wide guidance is currently defined under a
top-level instructions key, which is ignored by the review system. Move this
content into reviews.instructions so it applies globally, and use
reviews.path_instructions only for file-specific rules; if you need tone
changes, place them in reviews.profile or keep them in reviews.instructions.
- Around line 118-193: The scanner configuration is currently placed under an
unsupported top-level security block, so it will not be applied. Move the
gitleaks, semgrep, and actionlint settings under reviews.tools, keep
reviews.tools.gitleaks.enabled and reviews.tools.actionlint.enabled there, and
replace the inline Semgrep rules with a reviews.tools.semgrep.config_file
reference. Ensure the Semgrep rule definitions are moved into the referenced
config file rather than remaining inline in .coderabbit.yaml.
- Around line 24-30: The knowledge_base configuration is currently shaped as a
list, but it needs to be a mapping so the AI context settings are read
correctly. Update the .coderabbit.yaml knowledge_base section to use the
top-level knowledge_base key as an object, and move the existing file glob
entries under knowledge_base.code_guidelines.filePatterns while keeping the
existing patterns intact.

---

Nitpick comments:
In @.coderabbit.yaml:
- Around line 5-6: The .coderabbit.yaml entries for language and tone are only
comments and do not configure anything. Update the top-level config to use the
actual settings keys, such as language and tone_instructions, so the intended
en-US language and security-focused tone are applied. Keep the intent currently
described in the comment but move it into real configuration fields rather than
commented text.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: e62d3ebc-b016-4c03-a05a-dbb7a07bbff8

📥 Commits

Reviewing files that changed from the base of the PR and between e247b1c and a9505a0.

📒 Files selected for processing (1)
  • .coderabbit.yaml

Comment thread .coderabbit.yaml Outdated
Comment thread .coderabbit.yaml Outdated
Comment thread .coderabbit.yaml Outdated
Comment on lines +118 to +193
# Security scanners - pre-merge hard gates
security:
# Secret detection
gitleaks:
enabled: true
severity: "CRITICAL"
patterns:
- "(?i)(api[_-]?key|apikey)\\s*[:=]\\s*['\"]?[a-z0-9]{20,}['\"]?"
- "(?i)(secret[_-]?key|secretkey)\\s*[:=]\\s*['\"]?[a-z0-9]{20,}['\"]?"
- "(?i)(access[_-]?token|accesstoken)\\s*[:=]\\s*['\"]?[a-z0-9]{20,}['\"]?"
- "(?i)(password|passwd|pwd)\\s*[:=]\\s*['\"]?[^'\"\\s]{8,}['\"]?"
- "(?i)(private[_-]?key|privatekey)\\s*[:=]"
- "-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----"
- "(?i)(aws|amazon)[_-]?(access|secret)[_-]?key"
- "(?i)github[_-]?token"

# Static analysis security testing
semgrep:
enabled: true
rules:
# Weak cryptography
- id: "weak-crypto-md5"
pattern: "hashlib.md5"
message: "MD5 is cryptographically broken. Use SHA-256 or better."
severity: "HIGH"

- id: "weak-crypto-sha1"
pattern: "hashlib.sha1"
message: "SHA-1 is deprecated for security. Use SHA-256 or better."
severity: "MEDIUM"

- id: "weak-crypto-des"
pattern-regex: "(DES|DES3|TripleDES|RC4)"
message: "Weak encryption algorithm detected. Use AES-256-GCM."
severity: "HIGH"

# Injection vulnerabilities
- id: "sql-injection-risk"
pattern-regex: "cursor\\.execute\\([^?%]*%[^s]"
message: "Potential SQL injection. Use parameterized queries."
severity: "CRITICAL"

- id: "command-injection-shell-true"
pattern: "subprocess.*shell=True"
message: "Command injection risk. Never use shell=True with user input."
severity: "CRITICAL"

- id: "eval-exec-usage"
pattern-regex: "(eval|exec)\\("
message: "Arbitrary code execution via eval/exec is prohibited."
severity: "CRITICAL"

- id: "pickle-loads-untrusted"
pattern: "pickle.loads"
message: "Deserialization attack risk. Don't unpickle untrusted data."
severity: "HIGH"

# Sensitive data exposure
- id: "password-in-logs"
pattern-regex: "(log|print).*password"
message: "Password potentially logged. Never log credentials."
severity: "HIGH"

- id: "token-in-logs"
pattern-regex: "(log|print).*(token|api[_-]?key)"
message: "Token/API key potentially logged. Never log credentials."
severity: "HIGH"

# GitHub Actions security
actionlint:
enabled: true
rules:
- "Verify actions are SHA-pinned, not version tags"
- "Check GITHUB_TOKEN has minimal required permissions"
- "Verify secrets are masked in logs"
- "Check for injection in workflow expressions"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🔴 Critical | 🏗️ Heavy lift

🧩 Analysis chain

🌐 Web query:

CodeRabbit reviews tools gitleaks semgrep actionlint configuration options

💡 Result:

CodeRabbit supports integrated security and linting tools including Gitleaks (specifically referenced as Betterleaks, an improved version of Gitleaks), Semgrep, and actionlint, among many others [1][2]. These tools are part of a broader suite of over 50 supported static analysis and security scanners [1][3]. Configuration Options You can manage these tools through the following methods: 1. Repository Configuration File (.coderabbit.yaml): You can enable or disable specific tools and manage their settings within your repository's.coderabbit.yaml file [2][4]. For most tools, basic enabling is handled under the tools section: reviews: tools: semgrep: enabled: true betterleaks: # Used in place of Gitleaks enabled: true actionlint: enabled: true 2. Web Interface: You can also manage tool integrations directly from the CodeRabbit organization or repository settings page under Reviews > Tools [4]. 3. Tool-Specific References: While many tools default to standard behavior when enabled, CodeRabbit provides dedicated reference documentation for each tool, which you can browse in their Tool Catalog [5][3]. For example, actionlint is specifically configured to scan GitHub Actions workflow files [1][6], and Semgrep is used for broader security and quality analysis [1][7]. Note that for secret scanning, CodeRabbit provides Betterleaks, which is explicitly identified as their improved version of Gitleaks [2]. You can verify the latest specific configuration keys and available parameters for each tool by visiting the official CodeRabbit Tools reference pages [1][3].

Citations:


🏁 Script executed:

git ls-files | rg '(^|/)(coderabbit|review|security|semgrep|actionlint|gitleaks|schema|config)\b|\.coderabbit\.yaml$|\.github/workflows/'

Repository: snapshotmanager/snapm

Length of output: 237


🏁 Script executed:

sed -n '1,260p' .coderabbit.yaml

Repository: snapshotmanager/snapm

Length of output: 9370


🌐 Web query:

CodeRabbit configuration reviews.tools gitleaks semgrep actionlint security key supported schema

💡 Result:

CodeRabbit supports configuration through a YAML file located at the root of your repository named.coderabbit.yaml [1]. You can manage third-party tools, including Gitleaks (or its successor Betterleaks), Semgrep, and actionlint, within the reviews.tools section of this file [2][3]. Key Configuration Details: 1. Enabling Tools: You can enable or disable specific tools using the enabled boolean flag under the tool's name [2][3]. Example: reviews: tools: gitleaks: enabled: true actionlint: enabled: true semgrep: enabled: true config_file: ".semgrep.yml" 2. Configuration Files: For tools that require specific rules or settings, you can provide an optional config_file path relative to the repository root in your.coderabbit.yaml [2][3]. If no file is specified, many tools fall back to profile-based defaults or look for standard configuration files in the root directory (e.g., semgrep.yml) [2][4]. 3. Schema: CodeRabbit provides a JSON schema to validate your.coderabbit.yaml configuration, which is available at https://coderabbit.ai/integrations/schema.v2.json [5][1]. You can use this schema in your IDE (e.g., via the yaml-language-server) by adding the following header to your YAML file [1]: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json 4. Tool Specifics: - Gitleaks/Betterleaks: CodeRabbit integrates with Betterleaks (an improved version of Gitleaks) for secret scanning [5][3]. - Semgrep: Requires a valid configuration file to run [4]. It will automatically detect files like semgrep.yml or semgrep.config.yml if they exist in the root [4]. - Actionlint: Used for checking GitHub Actions workflow files [6][3]. For a complete reference of all available tools and configuration options, you can consult the official CodeRabbit Tools Reference documentation [7][2].

Citations:


Move these scanners under reviews.tools

The top-level security: block is not part of the supported schema, so these gates will not run from this file. Use reviews.tools.gitleaks.enabled, reviews.tools.semgrep.config_file, and reviews.tools.actionlint.enabled; Semgrep rules need to live in the referenced config file, not inline here.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.coderabbit.yaml around lines 118 - 193, The scanner configuration is
currently placed under an unsupported top-level security block, so it will not
be applied. Move the gitleaks, semgrep, and actionlint settings under
reviews.tools, keep reviews.tools.gitleaks.enabled and
reviews.tools.actionlint.enabled there, and replace the inline Semgrep rules
with a reviews.tools.semgrep.config_file reference. Ensure the Semgrep rule
definitions are moved into the referenced config file rather than remaining
inline in .coderabbit.yaml.

Comment thread .coderabbit.yaml Outdated
@trgill trgill marked this pull request as draft July 7, 2026 21:44
@trgill trgill self-assigned this Jul 7, 2026
@trgill trgill force-pushed the code_rabbit_changes branch 2 times, most recently from 3eef959 to bb14a06 Compare July 9, 2026 18:56
@trgill

trgill commented Jul 9, 2026

Copy link
Copy Markdown
Collaborator Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.coderabbit.yaml:
- Around line 96-100: The pre-merge hard gate configuration still allows
override bypasses when request_changes_workflow is enabled. Update the
pre_merge_checks section in the .coderabbit.yaml config to add
override_requested_reviewers_only: true alongside the existing
request_changes_workflow setting so only requested reviewers can bypass these
security gates.
- Around line 33-44: The repo-wide review bullets are currently placed under an
unsupported key, so they will be ignored by the reviewer. Move the existing
guidance from the current instructions block into a valid catch-all review rule
using reviews.path_instructions with path set to "**/*", or relocate it into a
guideline file matched by knowledge_base.code_guidelines.filePatterns. Keep the
same bullet content and ensure the supported key is the one used by the schema.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0f5bc502-69e9-48a0-9792-f4da3c7646e6

📥 Commits

Reviewing files that changed from the base of the PR and between a9505a0 and bb14a06.

📒 Files selected for processing (1)
  • .coderabbit.yaml

Comment thread .coderabbit.yaml Outdated
Comment on lines +33 to +44
# Custom instructions to guide CodeRabbit's review behavior
instructions:
- "Only suggest refactoring or API changes if the suggestion includes complete implementation (e.g., if suggesting dependency injection, include the test code that uses it)"
- "Avoid suggesting changes that add complexity without immediate, demonstrable value"
- "Focus on bugs, security issues, and correctness problems in PR reviews"
- "Do not suggest changes to code marked with '# pragma: no cover' unless fixing an actual bug"
- "Avoid premature optimization and theoretical improvements"
- "When creating issues for potential improvements, ensure they describe complete solutions, not partial API changes"

# Path-specific rules
path_instructions:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail
curl -fsSL https://www.coderabbit.ai/integrations/schema.v2.json \
  | jq -e '.properties.reviews.properties.instructions'

Repository: snapshotmanager/snapm

Length of output: 164


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '--- .coderabbit.yaml ---\n'
cat -n .coderabbit.yaml

printf '\n--- schema: reviews keys ---\n'
python3 - <<'PY'
import json, urllib.request
schema = json.load(urllib.request.urlopen('https://www.coderabbit.ai/integrations/schema.v2.json'))
reviews = schema.get('properties', {}).get('reviews', {})
print('reviews keys:', sorted(reviews.get('properties', {}).keys()))
print('reviews.instructions:', reviews.get('properties', {}).get('instructions'))
print('reviews.path_instructions:', reviews.get('properties', {}).get('path_instructions'))
PY

Repository: snapshotmanager/snapm

Length of output: 250


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- .coderabbit.yaml ---'
cat -n .coderabbit.yaml

echo
echo '--- schema: reviews keys ---'
python3 - <<'PY'
import json, urllib.request
schema = json.load(urllib.request.urlopen('https://www.coderabbit.ai/integrations/schema.v2.json'))
reviews = schema.get('properties', {}).get('reviews', {})
print('reviews keys:', sorted(reviews.get('properties', {}).keys()))
print('reviews.instructions:', reviews.get('properties', {}).get('instructions'))
print('reviews.path_instructions:', reviews.get('properties', {}).get('path_instructions'))
PY

Repository: snapshotmanager/snapm

Length of output: 9142


🏁 Script executed:

#!/bin/bash
set -euo pipefail

tmp=$(mktemp)
curl -ksSL https://www.coderabbit.ai/integrations/schema.v2.json > "$tmp"

python3 - <<'PY' "$tmp"
import json, sys
with open(sys.argv[1]) as f:
    schema = json.load(f)

reviews = schema.get('properties', {}).get('reviews', {})
print('reviews.properties keys:', sorted(reviews.get('properties', {}).keys()))
print('has reviews.instructions:', 'instructions' in reviews.get('properties', {}))
print('has reviews.path_instructions:', 'path_instructions' in reviews.get('properties', {}))

kb = schema.get('properties', {}).get('knowledge_base', {})
cg = kb.get('properties', {}).get('code_guidelines', {})
print('knowledge_base.code_guidelines.properties keys:', sorted(cg.get('properties', {}).keys()))
print('has knowledge_base.code_guidelines.filePatterns:', 'filePatterns' in cg.get('properties', {}))

pi = reviews.get('properties', {}).get('path_instructions', {})
print('path_instructions schema type:', pi.get('type'))
print('path_instructions items keys:', sorted(pi.get('items', {}).get('properties', {}).keys()) if isinstance(pi.get('items'), dict) else None)
PY

Repository: snapshotmanager/snapm

Length of output: 1345


Move the repo-wide guidance under a supported review key. reviews.instructions is not in the schema, so these bullets won’t be applied. Put them in a catch-all reviews.path_instructions entry (path: "**/*") or move them into a guideline file referenced by knowledge_base.code_guidelines.filePatterns.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.coderabbit.yaml around lines 33 - 44, The repo-wide review bullets are
currently placed under an unsupported key, so they will be ignored by the
reviewer. Move the existing guidance from the current instructions block into a
valid catch-all review rule using reviews.path_instructions with path set to
"**/*", or relocate it into a guideline file matched by
knowledge_base.code_guidelines.filePatterns. Keep the same bullet content and
ensure the supported key is the one used by the schema.

Comment thread .coderabbit.yaml
Comment on lines +96 to +100
# ── Pre-merge checks (hard gates) ───────────────────────────
pre_merge_checks:
description:
mode: "warning"
custom_checks:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

sed -n '80,120p' .coderabbit.yaml
rg -n "override_requested_reviewers_only|request_changes_workflow|pre_merge_checks|hard gates" -S .

Repository: snapshotmanager/snapm

Length of output: 1639


🏁 Script executed:

sed -n '88,150p' .coderabbit.yaml
rg -n "override_requested_reviewers_only|request_changes_workflow" .coderabbit.yaml

Repository: snapshotmanager/snapm

Length of output: 1867


Restrict overrides on hard gates.

request_changes_workflow: true still allows failed checks to be overridden unless override_requested_reviewers_only: true is set under pre_merge_checks. Add it so only requested reviewers can bypass these security gates.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.coderabbit.yaml around lines 96 - 100, The pre-merge hard gate
configuration still allows override bypasses when request_changes_workflow is
enabled. Update the pre_merge_checks section in the .coderabbit.yaml config to
add override_requested_reviewers_only: true alongside the existing
request_changes_workflow setting so only requested reviewers can bypass these
security gates.

Add comprehensive CodeRabbit configuration to enforce Red Hat Product
Security standards and prevent incomplete code review suggestions.

Key features:
- Security scanners: gitleaks, semgrep, actionlint
- Path-based rules for Python files, tests, workflows, configs
- Supply chain security checks for .claude/ and .vscode/ directories
- Pre-merge hard gates for secrets, weak crypto, injection vectors
- Completeness requirements for refactoring suggestions

Security standards:
- Flag hardcoded credentials (CRITICAL)
- Flag weak cryptography: MD5, SHA-1, DES, RC4 (HIGH)
- Flag injection risks: SQL, command, eval/exec, pickle (CRITICAL)
- Flag sensitive data in logs (HIGH)
- Require SHA-pinned GitHub Actions (supply chain security)

References: snapshotmanager/boom-boot#405
Resolves similar issues to boom-boot#351

Signed-off-by: Todd Gill <tgill@redhat.com>
Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
@trgill trgill force-pushed the code_rabbit_changes branch from bb14a06 to ab2d0e3 Compare July 10, 2026 14:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant