Skip to content

Stabilize Sighthound Security Scan by scanning a clean archived repo snapshot#45361

Merged
pelikhan merged 3 commits into
mainfrom
copilot/aw-fix-sighthound-security-scan
Jul 14, 2026
Merged

Stabilize Sighthound Security Scan by scanning a clean archived repo snapshot#45361
pelikhan merged 3 commits into
mainfrom
copilot/aw-fix-sighthound-security-scan

Conversation

Copilot AI commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

The Sighthound Security Scan workflow was failing immediately after launch because Sighthound was scanning the live checkout and tripping on checkout artifacts, producing action_required runs without actionable findings. This change isolates the scan input so the workflow only escalates on real scan output.

  • Root cause

    • Sighthound was run against the live workspace (.), where checkout byproducts and symlink-heavy paths could trigger an internal panic in its path handling.
    • In the failure mode, the scan exited non-zero with no findings, but still flowed through the workflow as if triage might continue.
  • Workflow changes

    • Add a pre-scan step that creates a clean repository snapshot with git archive into /tmp/gh-aw/sighthound/repo.
    • Run Sighthound against that archived tree instead of the mutable checkout.
    • Promote the scan root to a job-level env var so both steps share the same path.
    • Preserve the existing findings artifact flow for downstream triage.
  • Failure semantics

    • If Sighthound exits non-zero and produces no findings, fail the scan job immediately.
    • Keep the existing findings-based gating for the agent path unchanged when valid output exists.
    • Include the scan root in the generated summary for easier diagnosis of future failures.
env:
  SCAN_ROOT: /tmp/gh-aw/sighthound/repo

- name: Prepare clean scan root
  run: |
    rm -rf "$SCAN_ROOT"
    mkdir -p "$SCAN_ROOT"
    git archive --format=tar HEAD | tar -xf - -C "$SCAN_ROOT"

- name: Run Sighthound scan
  run: |
    sighthound --output-format json "$SCAN_ROOT" > "$RESULTS_JSON"
    if [ "$SCAN_EXIT" -ne 0 ] && [ "$FINDINGS_COUNT" -eq 0 ]; then
      exit "$SCAN_EXIT"
    fi

Copilot AI and others added 2 commits July 14, 2026 03:28
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix Sighthound Security Scan issues Stabilize Sighthound Security Scan by scanning a clean archived repo snapshot Jul 14, 2026
Copilot AI requested a review from pelikhan July 14, 2026 03:32
@pelikhan pelikhan marked this pull request as ready for review July 14, 2026 06:59
Copilot AI review requested due to automatic review settings July 14, 2026 06:59
@pelikhan pelikhan merged commit fb10059 into main Jul 14, 2026
@pelikhan pelikhan deleted the copilot/aw-fix-sighthound-security-scan branch July 14, 2026 06:59

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR isolates Sighthound scans from checkout artifacts using an archived repository snapshot.

Changes:

  • Creates and scans a clean git archive snapshot.
  • Fails scans that exit unsuccessfully without findings.
  • Adds scan-root diagnostics and recompiles the workflow.
Show a summary per file
File Description
.github/workflows/sighthound-security-scan.md Updates scan preparation and failure handling.
.github/workflows/sighthound-security-scan.lock.yml Regenerates the compiled workflow.

Review details

Tip

Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

  • Files reviewed: 2/2 changed files
  • Comments generated: 1
  • Review effort level: Medium

Comment on lines +67 to +70
if [ "$SCAN_EXIT" -ne 0 ] && [ "$FINDINGS_COUNT" -eq 0 ]; then
echo "::error::Sighthound failed with exit code $SCAN_EXIT before producing any findings."
exit "$SCAN_EXIT"
fi
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[aw] Sighthound Security Scan: 100% action_required since launch (Jul 13)

3 participants