SP-4167: Improve settings file loading #209
Walkthrough
Adds a CLI
Changes: Scan Root Feature and Settings/Filtering Refactor
Sequence Diagram(s)
```mermaid
sequenceDiagram
    participant CLI as CLI (scan/wfp)
    participant Validator as validate_scan_root
    participant Settings as ScanossSettings.load_json_file
    participant Scanner as Scanner
    participant FileFilters as FileFilters.get_filtered_files_from_folder
    participant WFP as WFP generator / SBOM lookup
    CLI->>Validator: validate scan_root and resolved target
    Validator->>Settings: derive settings root and load scanoss.json
    CLI->>Scanner: call scan/wfp with filter_path or file_id
    Scanner->>FileFilters: get_filtered_files_from_folder(scan_dir, filter_path)
    FileFilters-->>Scanner: filtered file list
    Scanner->>WFP: generate WFPs (using file_id or derived wfp_id)
    WFP-->>Scanner: WFPs / SBOM context
    Scanner-->>CLI: scan/wfp result
```
SCANOSS SCAN Completed 🚀
View more details on SCANOSS Action Summary |
Actionable comments posted: 3
🧹 Nitpick comments (1)
tests/test_file_filters.py (1)
344-373: ⚡ Quick win: Add a `filter_path='.'` regression test.
This suite should include the root-subtree case (`'.'`) to lock down behavior used by `--scan-root` scans.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@tests/test_file_filters.py` around lines 344 - 373, Add a regression test that calls self.file_filters.get_filtered_files_from_folder(self.test_dir, '.') to ensure filter_path='.' returns files from the repository root subtree; use self._create to set up files (e.g. files at root and in subfolders) and assert the returned list matches the expected sorted set (use same conventions as existing tests like test_filter_path_none_returns_all and test_filter_path_allows_nested_subdir), e.g., create ['a.c', 'sub/b.c'] and assert '.' returns ['a.c', 'sub/b.c'] (or sorted equivalent) to lock down --scan-root behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@src/scanoss/cli.py`:
- Around line 1741-1766: The code forwards args.scan_dir verbatim to
scanner.scan_folder_with_options (filter_path) and
scanner.scan_file_with_options (file_id), which can cause mismatches for inputs
like "./sub/file.c" or "sub/../file.c"; normalize the path before passing it.
Compute a normalized target: if scan_root is provided, derive a relative,
normalized path from scan_root to effective_path (e.g.,
os.path.relpath(effective_path, scan_root) then os.path.normpath), otherwise use
os.path.normpath(args.scan_dir); pass that normalized value as filter_path to
scan_folder_with_options and as file_id to scan_file_with_options instead of the
raw args.scan_dir.
In `@src/scanoss/file_filters.py`:
- Around line 353-355: The filter logic mishandles '.' and path-separator
differences; normalize filter_path with os.path.normpath and os.path.normcase,
treat '.' or empty result as "no filter" (skip filtering), and then filter files
by comparing each file's normalized/normcased path to the normalized filter
using equality or startswith(normalized + os.sep); update the block that sets
normalized and filters files (variables filter_path, normalized, files) to use
os.path.normpath/os.path.normcase and the special-case for '.'/'' so separators
and platforms are handled correctly.
In `@src/scanoss/scanoss_settings.py`:
- Line 27: Remove the unused getcwd import to fix the F401 lint error: edit the
import statement that currently reads "from os import getcwd" and either delete
it or replace it with only the actually used os imports in this module so no
unused symbol (getcwd) remains referenced in scanoss_settings.py.
📒 Files selected for processing (8)
- CHANGELOG.md
- src/scanoss/__init__.py
- src/scanoss/cli.py
- src/scanoss/file_filters.py
- src/scanoss/scanner.py
- src/scanoss/scanoss_settings.py
- tests/test_file_filters.py
- tests/test_scanoss_settings.py
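One way to implement the two normalization points raised in the review above (the relative `--scan-root` target handed to the scanner from cli.py, and the `'.'` and separator handling in file_filters.py), written here as an added example rather than the project's own code: the function names, the `scan_root`/`scan_dir` parameters and the sample file list are assumptions. It also refuses a target that resolves outside the scan root, a check the review does not mention but that any relpath-based normalization should include, since `os.path.relpath` happily returns `../...` for such inputs.

```python
import os


def normalize_filter_path(filter_path):
    """Canonical form of a filter path, or None when it means "no filter".

    Separators and '.'/'..' components are collapsed with os.path.normpath and
    case is folded with os.path.normcase, so './sub/file.c', 'sub/../file.c'
    and (on Windows) 'sub\\file.c' all compare equal. '.' and '' both mean the
    whole scan root and are reported as None so callers skip filtering.
    """
    if filter_path is None:
        return None
    normalized = os.path.normcase(os.path.normpath(filter_path))
    if normalized in ('', os.path.normcase(os.curdir)):
        return None
    return normalized


def derive_target(scan_dir, scan_root=None):
    """Value to pass as filter_path / file_id instead of the raw CLI argument.

    With a scan root the target becomes a normalized path relative to that
    root; without one it is the normalized argument itself. A target that
    escapes the root (resolves to '..' or below it) is refused instead of
    being scanned from outside the configured root.
    """
    if not scan_root:
        return os.path.normpath(scan_dir)
    rel = os.path.normpath(os.path.relpath(scan_dir, scan_root))
    if rel == os.pardir or rel.startswith(os.pardir + os.sep):
        raise ValueError(f'{scan_dir!r} is outside scan root {scan_root!r}')
    return rel


def filter_files(files, filter_path):
    """Keep the files that equal filter_path or sit below it.

    `files` are root-relative paths as a folder walk would produce them.
    Matching uses normalized, case-folded paths with an explicit separator
    appended, so filter 'sub' matches 'sub/b.c' but not 'subdir/d.c'.
    """
    normalized = normalize_filter_path(filter_path)
    if normalized is None:
        return list(files)
    prefix = normalized + os.sep
    kept = []
    for path in files:
        candidate = os.path.normcase(os.path.normpath(path))
        if candidate == normalized or candidate.startswith(prefix):
            kept.append(path)
    return kept


# Constructed sample input: what a walk of a small repository might return.
SAMPLE_FILES = ['a.c', 'sub/b.c', 'sub/deep/c.c', 'subdir/d.c']

if __name__ == '__main__':
    print(derive_target('/repo/sub/file.c', scan_root='/repo'))  # sub/file.c
    print(filter_files(SAMPLE_FILES, 'sub'))  # ['sub/b.c', 'sub/deep/c.c']
    print(filter_files(SAMPLE_FILES, '.'))  # all four entries
```

The `normalize_filter_path` result is what the `'.'` regression test in the nitpick above would pin down: `'.'`, `''` and `'./'` all collapse to "no filter", while `'./sub/'` and `'sub'` collapse to the same prefix.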
…ing to a common function: get_scanoss_settings_from_args
Actionable comments posted: 8
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/container-local-test.yml:
- Line 24: Replace all tag-pinned GitHub Action references (e.g., the literal
string "uses: actions/checkout@v6" and the other "uses: ...@v4" / "...@v7"
entries) with the corresponding action pinned to a full commit SHA; locate each
"uses:" line in the workflow (the ones ending with `@v6`, `@v4`, `@v7`) and update
them to the full immutable commit SHA from the upstream action repository
release you intend to use (copy the commit SHA from the action's GitHub
tags/releases and substitute it in place of the tag).
In @.github/workflows/container-publish-ghcr.yml:
- Line 27: Pin every GitHub Action reference in the workflow to an immutable
commit SHA instead of mutable major tags: replace actions/checkout@v6,
actions/setup-python@v6, docker/setup-qemu-action@v4,
docker/setup-buildx-action@v4, docker/metadata-action@v6,
docker/build-push-action@v7 (and the other listed uses entries) with their
corresponding full commit SHAs retrieved from each action's repo, and ensure the
already-commented pinned SHA for docker/setup-buildx-action is applied; update
each uses: line to the exact "owner/repo@<full-commit-sha>" form so the workflow
is deterministic.
In @.github/workflows/python-local-test.yml:
- Line 23: Replace the mutable tag "actions/checkout@v6" with the corresponding
immutable commit SHA: locate the actions/checkout repository tag v6 on GitHub,
copy the commit SHA for that tag, and update the workflow's uses line to
"actions/checkout@<COMMIT_SHA>" so the workflow references the exact commit
instead of the moving tag; ensure you replace the value in the uses: entry that
currently reads actions/checkout@v6.
In @.github/workflows/python-publish-pypi.yml:
- Line 17: The workflow uses floating action refs (actions/checkout@v6,
actions/setup-python@v6, pypa/gh-action-pypi-publish@release/v1,
softprops/action-gh-release@v3, nick-fields/retry@v4) which must be pinned to
immutable commit SHAs; update each uses: entry to reference the corresponding
full 40-character commit SHA for the specific released tag you want to consume
(replace e.g. actions/checkout@v6 with actions/checkout@<commit-sha>), verifying
the SHA against the action repo release/tag and keeping the tag name in a
comment if helpful.
In @.github/workflows/python-publish-testpypi.yml:
- Line 16: Workflow uses mutable action tags; replace actions/checkout@v6,
actions/setup-python@v6, and pypa/gh-action-pypi-publish@release/v1 with their
corresponding full commit SHAs to pin to immutable revisions: locate the three
usages of actions/checkout@v6, actions/setup-python@v6 (two occurrences), and
pypa/gh-action-pypi-publish@release/v1 in the TestPyPI workflow and replace each
tag with the exact commit SHA from the action repository (ensure you copy the
full 40-character SHA), then verify the workflow file's YAML remains valid and
run the workflow to confirm success.
In @.github/workflows/scanoss.yml:
- Line 23: Replace tag-based action refs with immutable commit SHAs: update the
two uses: entries that reference actions/checkout@v6 and
scanoss/gha-code-scan@v1 to point to their corresponding full commit SHA values
(replace the tag with the specific commit hash) so the workflow pins to exact
revisions; locate the uses lines for "actions/checkout@v6" and
"scanoss/gha-code-scan@v1" in the scanoss.yml and substitute each tag with the
verified commit SHA for that action.
In @.github/workflows/version-tag.yml:
- Around line 19-22: Update the checkout step that uses actions/checkout@v6 to
include persist-credentials: false so the SC_GH_TAG_TOKEN is not stored in the
job git config, and then modify the later git push --tags step to authenticate
explicitly (e.g., use the token from secrets in the push command or configure a
remote with https://<token>`@github.com/`... before pushing) so tag push uses only
the explicit credentials rather than persisted ones; look for the
actions/checkout@v6 step and the job step that runs git push --tags to make
these changes.
- Line 19: The workflow uses floating tags for actions and leaves checkout
credentials implicit: replace uses: actions/checkout@v6 and uses:
actions/setup-python@v6 with their immutable commit SHAs (pin both to specific
commit refs) and explicitly set actions/checkout persist-credentials to false in
the checkout step; then create a dedicated git-auth step that calls
actions/checkout or configures git with token: ${{ secrets.SC_GH_TAG_TOKEN }}
only for the push step (or set persist-credentials true only in that single
push-related checkout), ensuring the token is not written into local git config
for earlier steps.
📒 Files selected for processing (10)
- .github/workflows/container-local-test.yml
- .github/workflows/container-publish-ghcr.yml
- .github/workflows/lint.yml
- .github/workflows/python-local-test.yml
- .github/workflows/python-publish-pypi.yml
- .github/workflows/python-publish-testpypi.yml
- .github/workflows/scanoss.yml
- .github/workflows/version-tag.yml
- src/scanoss/cli.py
- src/scanoss/scanner.py
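The audit-and-pin procedure the eight workflow findings above describe, as an added example that is not part of the page or of the scanoss.py project: it lists `uses:` references that are not full commit SHAs (the condition zizmor's `unpinned-uses` rule reports), lists `actions/checkout` steps that leave `persist-credentials` at its default (zizmor's `artipacked` rule), and rewrites tags to SHAs while keeping the tag as a trailing comment. The workflow fragment and every SHA in the mapping are constructed placeholders; `resolve_tag_sha` is the only function that touches the network and the sample does not call it.

```python
import re
import subprocess

# One 'uses:' line, with or without a leading '- '. Quoted values, docker://
# images and ./local actions are deliberately not matched by this pattern.
USES_RE = re.compile(
    r'^(?P<prefix>\s*(?:-\s+)?uses:\s*)'
    r'(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)'
    r'(?P<rest>.*)$'
)
SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def is_pinned(ref):
    """True only for a full 40-hex commit SHA; tags and branches are mutable."""
    return bool(SHA_RE.match(ref))


def unpinned_uses(text):
    """(line number, 'owner/repo@ref') for every uses: not pinned to a commit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not is_pinned(m.group('ref')):
            findings.append((lineno, f"{m.group('action')}@{m.group('ref')}"))
    return findings


def checkouts_persisting_credentials(text):
    """Line numbers of actions/checkout steps without 'persist-credentials: false'.

    Lines indented at or beyond the 'uses:' key belong to the same step; the
    first non-blank line indented less than that key ends the step.
    """
    lines = text.splitlines()
    hits = []
    for i, line in enumerate(lines):
        m = USES_RE.match(line)
        if not m or m.group('action') != 'actions/checkout':
            continue
        key_col = line.index('uses:')
        explicit_off = False
        for nxt in lines[i + 1:]:
            if nxt.strip() and len(nxt) - len(nxt.lstrip()) < key_col:
                break
            if re.match(r'^\s*persist-credentials:\s*false\b', nxt):
                explicit_off = True
                break
        if not explicit_off:
            hits.append(i + 1)
    return hits


def resolve_tag_sha(action, ref):
    """Commit SHA behind owner/repo@ref via git ls-remote (needs network access).

    An annotated tag is listed twice: the tag object and a peeled '<ref>^{}'
    line. The peeled line is the commit, and that is the value to pin.
    """
    owner_repo = '/'.join(action.split('/')[:2])
    out = subprocess.run(
        ['git', 'ls-remote', f'https://github.com/{owner_repo}', ref],
        check=True, capture_output=True, text=True,
    ).stdout
    found = {}
    for entry in out.splitlines():
        sha, _, name = entry.partition('\t')
        found[name] = sha
    for name in (f'refs/tags/{ref}^{{}}', f'refs/tags/{ref}', f'refs/heads/{ref}'):
        if name in found:
            return found[name]
    raise LookupError(f'{owner_repo} has no ref {ref}')


def pin_workflow(text, resolved):
    """Rewrite unpinned uses: lines using `resolved` ({'owner/repo@tag': sha}).

    The original tag stays as a trailing comment so a reader, and a dependency
    update bot, can still tell which release the SHA stands for.
    """
    out = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if m and not is_pinned(m.group('ref')):
            key = f"{m.group('action')}@{m.group('ref')}"
            if key not in resolved:
                raise LookupError(f'no resolved SHA for {key}')
            if not is_pinned(resolved[key]):
                raise ValueError(f'{key}: {resolved[key]!r} is not a full commit SHA')
            line = f"{m.group('prefix')}{m.group('action')}@{resolved[key]}  # {m.group('ref')}"
        out.append(line)
    return '\n'.join(out) + ('\n' if text.endswith('\n') else '')


# Constructed workflow fragment; the cache SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = (
    'jobs:\n'
    '  build:\n'
    '    steps:\n'
    '      - uses: actions/checkout@v6\n'
    '        with:\n'
    '          fetch-depth: 0\n'
    '      - name: Set up Python\n'
    '        uses: actions/setup-python@v6\n'
    '      - uses: ./.github/actions/local\n'
    '      - uses: actions/cache@' + '0' * 40 + '  # v4\n'
)
# Constructed stand-ins for what resolve_tag_sha() would return.
SAMPLE_RESOLVED = {'actions/checkout@v6': 'a' * 40, 'actions/setup-python@v6': 'b' * 40}

if __name__ == '__main__':
    print(unpinned_uses(SAMPLE_WORKFLOW))                 # lines 4 and 8
    print(checkouts_persisting_credentials(SAMPLE_WORKFLOW))  # [4]
    print(pin_workflow(SAMPLE_WORKFLOW, SAMPLE_RESOLVED))
```

`pin_workflow` refuses to write anything that is not a 40-hex SHA, so an abbreviated hash or a tag that slipped into the mapping cannot be pinned by mistake; `resolve_tag_sha` prefers the peeled `^{}` entry because pinning the tag object's hash rather than the commit is a common error with annotated tags.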
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 |
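Review bot: this hunk swaps one mutable tag for another (`@v4` to `@v6`), so the step is still resolved at run time by whatever the tag points to; when it is pinned, keep the tag as a trailing comment (`uses: actions/checkout@<full_commit_sha> # v6`) so a reviewer can see which release the SHA is meant to be and Dependabot or Renovate can still propose bumps against the pinned form.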
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/container-local-test.yml"
echo "== File = $FILE =="
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi
echo "== Lines 1-120 =="
nl -ba "$FILE" | sed -n '1,140p'
echo "== Extract uses: entries (with line numbers) =="
nl -ba "$FILE" | rg -n "uses:\s" || true
echo "== Specific requested lines (24,28,41,46,57,68) =="
for L in 24 28 41 46 57 68; do
  echo "-- line $L --"
  nl -ba "$FILE" | sed -n "${L}p"
done
```
Repository: scanoss/scanoss.py
Length of output: 198
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/container-local-test.yml"
echo "== ls workspace =="
ls -la .github/workflows || true
echo
echo "== sanity check =="
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi
echo "Found: $FILE"
echo
echo "== show first 120 lines (numbered via awk) =="
awk '{printf "%d:%s\n", NR, $0}' "$FILE" | sed -n '1,140p'
echo
echo "== extract all uses: lines (with line numbers) =="
awk '/uses:/{printf "%d:%s\n", NR, $0}' "$FILE"
echo
echo "== print requested lines =="
for L in 24 28 41 46 57 68; do
  echo "-- line $L --"
  sed -n "${L}p" "$FILE" | cat
done
```
Repository: scanoss/scanoss.py
Length of output: 5234
Pin GitHub Actions uses: references to immutable commit SHAs
These steps are tag-pinned (@v6/@v4/@v7) in .github/workflows/container-local-test.yml (lines 24, 28, 41, 46, 57, 68), which leaves the workflow exposed to upstream tag retargeting. Pin them to full commit SHAs for the same actions.
Suggested hardening pattern
- uses: actions/checkout@v6
+ uses: actions/checkout@<full_commit_sha>
- uses: actions/setup-python@v6
+ uses: actions/setup-python@<full_commit_sha>
- uses: docker/setup-buildx-action@v4
+ uses: docker/setup-buildx-action@<full_commit_sha>
- uses: docker/build-push-action@v7
+ uses: docker/build-push-action@<full_commit_sha>
🧰 Tools
🪛 zizmor (1.25.2)
[error] 24-24: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
| steps: | ||
| - name: Checkout Repository | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 |
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/container-publish-ghcr.yml"
echo "== File = $FILE =="
wc -l "$FILE"
echo
echo "== uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true
echo
echo "== Check referenced line ranges (27,31,45,50,63,70,85,92,107,114) =="
python3 - <<'PY'
import itertools, re, pathlib
p=pathlib.Path(".github/workflows/container-publish-ghcr.yml")
lines=p.read_text().splitlines()
targets=[27,31,45,50,63,70,85,92,107,114]
for t in targets:
    i=t-1
    if 0<=i<len(lines):
        print(f"--- line {t} ---")
        for j in range(max(0,i-2), min(len(lines), i+3)):
            mark=">>" if j==i else "  "
            print(f"{mark}{j+1:4d}: {lines[j]}")
PY
```
Repository: scanoss/scanoss.py
Length of output: 3045
Pin immutable SHA GitHub Actions in this publish workflow.
All uses: refs in .github/workflows/container-publish-ghcr.yml are still on mutable major tags (actions/checkout@v6, actions/setup-python@v6, docker/setup-qemu-action@v4, docker/setup-buildx-action@v4, docker/metadata-action@v6, docker/build-push-action@v7). Pin each to a full commit SHA (the pinned SHA shown for docker/setup-buildx-action is only commented out).
Lines: 27, 31, 45, 50, 63, 70, 85, 92, 107, 114
🧰 Tools
🪛 zizmor (1.25.2)
[error] 27-27: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 |
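Review bot: the zizmor output for this line reports `artipacked` as well as `unpinned-uses`, and the bump to `@v6` addresses neither; a test job never pushes, so add `with: persist-credentials: false` to this checkout step in the same change, otherwise the job token stays in `.git/config` for every later step and anything that archives the workspace.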
Pin actions/checkout to an immutable commit SHA
.github/workflows/python-local-test.yml line 23 still uses the mutable tag actions/checkout@v6. Update the uses: value to the corresponding commit SHA.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 23-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 |
Release workflow actions must be SHA-pinned.
.github/workflows/python-publish-pypi.yml uses non-SHA floating refs in uses: across the publish/release path (not 40-hex commit SHAs): actions/checkout@v6 (17, 82), actions/setup-python@v6 (20, 85), pypa/gh-action-pypi-publish@release/v1 (64), softprops/action-gh-release@v3 (72), nick-fields/retry@v4 (90).
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 17-17: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 17-17: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 |
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/python-publish-testpypi.yml"
echo "== File: $FILE =="
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE"
  exit 1
fi
# Show file with line numbers
nl -ba "$FILE" | sed -n '1,120p'
echo
echo "== All uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true
echo
echo "== uses: lines with actions/checkout@ or actions/* around likely lines =="
nl -ba "$FILE" | awk '($2 ~ /uses:/) {print}'
```
Repository: scanoss/scanoss.py
Length of output: 182
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/python-publish-testpypi.yml"
echo "== File: $FILE =="
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE"
  exit 1
fi
echo "== File first 120 lines (with line numbers via cat -n) =="
cat -n "$FILE" | sed -n '1,120p'
echo
echo "== All uses: lines =="
rg -n "^\s*uses:\s*" "$FILE" || true
echo
echo "== uses: lines with actions/checkout@ or other actions/* (context) =="
rg -n "^\s*uses:\s*actions/" "$FILE" || true
echo
echo "== Exact lines 10-25, 60-75 for the originally referenced locations =="
awk 'NR>=10 && NR<=25 {printf "%6d %s\n", NR, $0} NR>=60 && NR<=75 {printf "%6d %s\n", NR, $0}' "$FILE"
```
Repository: scanoss/scanoss.py
Length of output: 5336
Pin GitHub Actions to immutable commit SHAs in TestPyPI workflow (avoid @v*/tags): update actions/checkout@v6 (lines 16, 66), actions/setup-python@v6 (lines 19, 69), and pypa/gh-action-pypi-publish@release/v1 (line 53) to full commit SHAs.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 16-16: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 16-16: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
| uses: actions/checkout@v6 |
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/scanoss.yml"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi
nl -ba "$FILE" | sed -n '1,120p'
```
Repository: scanoss/scanoss.py
Length of output: 106
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/scanoss.yml"
if [ ! -f "$FILE" ]; then
  echo "Missing file: $FILE" >&2
  exit 1
fi
# Print around the referenced lines (23 and 27)
cat -n "$FILE" | sed -n '15,40p'
```
Repository: scanoss/scanoss.py
Length of output: 594
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
FILE=".github/workflows/scanoss.yml"
rg -n '^\s*uses:\s*' "$FILE" || true
```
Repository: scanoss/scanoss.py
Length of output: 141
Pin checkout and SCANOSS action refs to immutable commit SHAs.
In .github/workflows/scanoss.yml, actions/checkout@v6 (line 23) and scanoss/gha-code-scan@v1 (line 27) are still tag-based; pin both uses: references to full commit SHAs.
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 22-23: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 23-23: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
| runs-on: ubuntu-latest | ||
| steps: | ||
| - uses: actions/checkout@v4 | ||
| - uses: actions/checkout@v6 |
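Review bot: this checkout receives a PAT (`token: ${{ secrets.SC_GH_TAG_TOKEN }}`) and the job later runs `git push --tags`, so the tag bump alone leaves that PAT persisted in `.git/config` for every intervening step; once `persist-credentials: false` is set here, the push step has to supply the credential itself, for example `git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" --tags` with `GH_TOKEN` exposed from the secret only in that step's `env:`.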
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
# Locate the workflow file
ls -la .github/workflows/version-tag.yml
# Print relevant sections around the cited lines
nl -ba .github/workflows/version-tag.yml | sed -n '1,120p'
```
Repository: scanoss/scanoss.py
Length of output: 206
🏁 Script executed:
```bash
#!/bin/bash
set -euo pipefail
echo "=== Workflow file ==="
ls -la .github/workflows/version-tag.yml
echo "=== Lines 1-120 (with numbers via cat -n) ==="
cat -n .github/workflows/version-tag.yml | sed -n '1,120p'
echo "=== Grep for checkout/setup-python and token/persist-credentials ==="
rg -n "uses:\s*(actions/checkout|actions/setup-python)|token:\s*\$\{\{\s*secrets\.|persist-credentials:" .github/workflows/version-tag.yml || true
```
Repository: scanoss/scanoss.py
Length of output: 1774
🌐 Web query:
actions/checkout persist-credentials default value
💡 Result:
The default value for the persist-credentials input in the actions/checkout GitHub Action is true [1][2][3]. When set to true (the default), the action configures the repository's local Git configuration (.git/config) with the credentials (such as the GITHUB_TOKEN or a provided SSH key) used to perform the checkout [1][3][4]. This allows subsequent steps in the workflow to execute authenticated Git commands using those credentials [1][4]. Because this behavior can potentially expose credentials to other steps or if artifacts are improperly handled, it is a common security best practice to set persist-credentials: false in workflows that do not require the ability to push changes or perform authenticated Git operations [5][6][7].
Citations:
- 1: https://github.com/actions/checkout/?tab=readme-ov-file
- 2: https://github.com/actions/checkout/tree/refs/heads/main
- 3: https://spacelift.io/blog/github-actions-checkout
- 4: https://github.com/actions/checkout/tree/v4
- 5: Remove persist-credentials or change the default to false (actions/checkout#485)
- 6: Add persist-credentials: false to GitHub Actions checkout steps (aquasecurity/trivy#10305)
- 7: https://yossarian.net/til/post/actions-checkout-can-leak-github-credentials/
Pin checkout/setup-python to immutable SHAs and explicitly manage checkout credential persistence.
- `actions/checkout@v6` (line 19) and `actions/setup-python@v6` (line 24) use floating major tags; pin both to commit SHAs.
- Checkout passes `token: ${{ secrets.SC_GH_TAG_TOKEN }}` (line 22) while `persist-credentials` is left unset; `actions/checkout` defaults `persist-credentials: true`, so the token is written into local git config. Since the workflow later runs `git push --tags`, set `persist-credentials` explicitly and limit/configure credentials only for the push step.
- uses: actions/checkout@v6
Also applies to: 24-24
🧰 Tools
🪛 zizmor (1.25.2)
[warning] 19-22: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false
(artipacked)
[error] 19-19: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)
(unpinned-uses)
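The shape of a tag-push job hardened the way the comment above asks, given here as an added configuration example rather than the repository's actual version-tag.yml: the job and step names, the `<full_commit_sha>` placeholders, `fetch-depth`, `python-version` and the `permissions` block are assumptions; `actions/checkout@v6`, `actions/setup-python@v6`, `SC_GH_TAG_TOKEN` and the `git push --tags` step are the ones the comment names.

```yaml
# Added example, not the project's workflow. Assumed: job/step names, the
# <full_commit_sha> placeholders, fetch-depth, python-version, permissions.
jobs:
  tag:
    runs-on: ubuntu-latest
    permissions:
      contents: read            # GITHUB_TOKEN stays read-only; the PAT below does the push
    steps:
      - uses: actions/checkout@<full_commit_sha>   # v6
        with:
          fetch-depth: 0
          persist-credentials: false   # no token left in .git/config for later steps
      - uses: actions/setup-python@<full_commit_sha>   # v6
        with:
          python-version: '3.12'
      # steps that compute the version and create the local tag go here
      - name: Push tag
        env:
          GH_TOKEN: ${{ secrets.SC_GH_TAG_TOKEN }}   # exposed to this step only
        run: |
          git push "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPOSITORY}.git" --tags
```

Scoping the PAT to the push step's `env:` means an earlier step (a linter, a test run, an archived workspace) never sees it, while GitHub still masks the value in the job log; if putting the token on the `git` command line is a concern, the same push can be done with `git -c http.extraheader="AUTHORIZATION: basic <base64 of x-access-token:TOKEN>"`, which is how `actions/checkout` itself injects the credential.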
…ersisting credentials in checkout in version-tag workflow.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
src/scanoss/cli.py (1)
1801-1805: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win: Reject `--scan-root` when `--container` is used.
This branch returns before `validate_scan_root(args)` and `get_scanoss_settings_from_args(args)`, so `dependencies --container ... --scan-root ...` accepts the new flag but ignores it entirely. Please fail fast on that combination, or plumb `scan_root`/settings into the container path as well.
Suggested guard
```diff
 # Workaround to return syft scan results converted to our dependency output format
 if args.container:
+    if args.scan_root:
+        print_stderr('ERROR: --scan-root is only supported with a FILE/DIR target.')
+        sys.exit(1)
     args.scan_loc = args.container
     return container_scan(parser, args, only_interim_results=True)
```
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src/scanoss/cli.py` around lines 1801 - 1805, Add a fast-fail guard for the invalid combination of --container and --scan-root: before you set args.scan_loc or call container_scan(parser, args, ...), check if args.container and args.scan_root are both provided and call parser.error(...) (or raise SystemExit with a clear message) to reject the combination. Modify the branch around args.container / container_scan in the CLI so the check runs first; reference the args.container, args.scan_loc assignment, and the container_scan(parser, args, only_interim_results=True) call when making the change.
📒 Files selected for processing (2)
- .github/workflows/version-tag.yml
- src/scanoss/cli.py
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/python-local-test.yml:
- Around line 113-116: The echo in the if block that checks the variable
`hash_names` is missing its closing double-quote and will cause a Bash parse
error; fix the `echo` line used to report "Error: Folder hash failed to generate
HPFM hashes. Failing." by terminating the string with a closing `"` (and keep
`exit 1` on its own line), so the `if [ "$hash_names" = "" ]; then` ... `fi`
block contains a properly quoted echo followed by `exit 1`.
📒 Files selected for processing (3)
- .github/workflows/container-local-test.yml
- .github/workflows/python-local-test.yml
- src/scanoss/cli.py
🚧 Files skipped from review as they are similar to previous changes (1)
- src/scanoss/cli.py