feat: implement issue #252 — Compliance: secret_scanning_non_provider_patterns

[don-petry]

Closes #252

Implemented by dev-lead agent. Please review.

Summary by CodeRabbit

• New Features

  • Compliance script now supports remediating security analysis settings for push protection, enabling detection of non-provider patterns.

• Tests

  • Added comprehensive test suites to validate security analysis remediation behavior across various scenarios including dry-run and failure modes.

[chatgpt-codex-connector]

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.

[coderabbitai]

Warning

Review limit reached

@don-petry, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 34 minutes and 5 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0aa4f67b-47f0-4e21-b111-a9b2a919a5c8

📥 Commits

Reviewing files that changed from the base of the PR and between 672780f and a95b00c.

📒 Files selected for processing (3)

• scripts/compliance-remediate.sh
• test/scripts/compliance-remediate/helpers/setup.bash
• test/scripts/compliance-remediate/stubs/gh

📝 Walkthrough

Walkthrough

This PR extends the compliance-remediate script with a new handler function to remediate repository-level security_and_analysis nested settings via PATCH API calls. Two specific push-protection findings now trigger active remediation instead of being skipped, with full test infrastructure and comprehensive coverage validating the behavior.

Changes

Security Analysis Remediation Handler

Layer / File(s)	Summary
Core remediation function and dispatcher scripts/compliance-remediate.sh	remediate_security_analysis_setting() constructs nested security_and_analysis JSON payloads using jq and PATCHes repository settings via gh api, with direct success reporting and failure handling routed to the skipped report. The remediate_finding dispatcher is updated to route push-protection/non_provider_patterns_enabled and push-protection/secret_scanning_non_provider_patterns findings to invoke this handler with secret_scanning_non_provider_patterns.status set to enabled.
Test infrastructure: stub binary and helpers test/scripts/compliance-remediate/stubs/gh, test/scripts/compliance-remediate/helpers/setup.bash	A configurable gh stub logs argv/stdin and emits stdout/stderr based on environment variables for test isolation. Helper functions export repository paths, manage temp directory lifecycle, inject the stub into PATH via tt_install_gh_stub, and generate test findings.json records via jq.
Comprehensive test coverage test/scripts/compliance-remediate/security-analysis.bats	Test suite validates that canonical and legacy finding names trigger gh api -X PATCH with the correct nested payload, findings are recorded to remediation-report.md on success, DRY_RUN=true suppresses API calls, failed PATCH operations exit non-zero and mark findings as FAILED in skipped.md, and other push-protection/* findings continue to skip without API calls.

Sequence Diagram

sequenceDiagram
  participant Dispatcher as remediate_finding
  participant Handler as remediate_security_analysis_setting
  participant GH as gh api
  participant Report as remediation-report.md / skipped.md
  
  Dispatcher->>Handler: push-protection/non_provider_patterns_enabled
  alt DRY_RUN mode
    Handler->>Report: log to remediation-report.md
  else Normal mode
    Handler->>GH: PATCH repos/$ORG/$repo
    Note over GH: security_and_analysis.secret_scanning_non_provider_patterns.status = enabled
    alt PATCH succeeds
      Handler->>Report: record to remediation-report.md
    else PATCH fails
      Handler->>Report: record FAILED to skipped.md
    end
  end

Loading

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly Related PRs

• petry-projects/.github#220: Extends the compliance-remediate dispatcher by adding remediate_security_analysis_setting() and routing specific push-protection/*non_provider_patterns* findings to concrete gh api PATCH calls instead of skips.
• petry-projects/.github#224: Adjusts auditing and apply logic for repo-level security_and_analysis updates to proceed with idempotent PATCH operations, complementing this PR's remediation handler.
• petry-projects/.github#134: Implements similar security_and_analysis repo-level setting enforcement in audit/apply scripts, operating on the same secret_scanning_non_provider_patterns setting that this PR adds dedicated remediation handling for.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main change: implementing compliance for secret_scanning_non_provider_patterns (issue #252), which matches the code additions in compliance-remediate.sh.
Linked Issues check	✅ Passed	The PR implements the required remediation for issue #252 by adding code to enable secret_scanning_non_provider_patterns via the compliance-remediate.sh script with appropriate test coverage.
Out of Scope Changes check	✅ Passed	All changes are scoped to implementing the compliance remediation for secret_scanning_non_provider_patterns: new remediation handler function, test infrastructure, test suite, and test stub.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dev-lead/issue-252-20260609-0440

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

[gemini-code-assist]

Code Review

This pull request introduces a new function remediate_security_analysis_setting to compliance-remediate.sh to handle nested security_and_analysis settings via the GitHub API, specifically targeting the secret_scanning_non_provider_patterns push-protection finding. It also adds a comprehensive test suite using bats and a mock gh stub. The review feedback correctly identifies that the actual check name produced by the audit script is non_provider_patterns_enabled rather than secret_scanning_non_provider_patterns. It is recommended to update the script to support both names for backward compatibility and to update the test cases to use the canonical check name.

[Copilot]

Pull request overview

Implements automated remediation for compliance finding push-protection/secret_scanning_non_provider_patterns by PATCHing the repo’s nested security_and_analysis settings via the GitHub API, and adds Bats coverage + a gh stub to lock in expected behavior.

Changes:

• Add remediate_security_analysis_setting() to PATCH security_and_analysis.<setting>.status using a nested JSON payload over gh api --input -.
• Route push-protection/secret_scanning_non_provider_patterns findings through the new remediation path (preserving the push-protection/* catch-all skip behavior).
• Add Bats tests + test helpers/stubs for the new remediation path (apply, dry-run, failure, and catch-all cases).

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated no comments.

File	Description
scripts/compliance-remediate.sh	Adds nested security_and_analysis PATCH helper and wires in the new push-protection remediation case.
test/scripts/compliance-remediate/security-analysis.bats	New Bats suite validating apply/dry-run/failure behavior and ensuring other push-protection findings still skip.
test/scripts/compliance-remediate/helpers/setup.bash	Shared Bats helpers for temp dirs, installing the stub gh, and generating a minimal findings JSON file.
test/scripts/compliance-remediate/stubs/gh	Adds a simple env-driven gh stub with argv + stdin logging for deterministic tests.

[don-petry]

Dev-Lead — fix-reviews (applied)

Changes committed and pushed.

[don-petry]

Dev-Lead — waiting on PR blockers (intent: review-changes)

PR: #422
No changes were committed, but the PR still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews). The retry cron will re-attempt automatically. Next attempt after: 2026-06-09T05:24:44Z

[don-petry]

Note

I reviewed this PR and no code changes were needed, but it still has blocking checks or reviews (failing or cancelled checks, or changes-requested reviews), so I cannot mark it done yet. I'll re-check automatically.
Next attempt after: 2026-06-09T05:24:44Z

[coderabbitai]

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@scripts/compliance-remediate.sh`:
- Around line 157-170: In remediate_security_analysis_setting(): replace the
POSIX test with Bash conditional [[ "$DRY_RUN" == "true" ]] for consistency when
checking DRY_RUN, and after constructing payload with payload=$(jq -n --arg key
"$setting" --arg status "$expected_status" '{security_and_analysis: {($key):
{status: $status}}}'), immediately verify jq succeeded and payload is non-empty
(e.g., test the exit status and that payload is not empty) and bail/skip/return
before calling gh api if the check fails; ensure the gh api PATCH invocation
that consumes --input - only runs when payload is valid.

In `@test/scripts/compliance-remediate/helpers/setup.bash`:
- Around line 1-3: Add Bash strict mode to the top of the helper by enabling
"set -euo pipefail" immediately after the existing shebang line so the script
fails fast on errors, treats unset variables as errors, and makes pipelines fail
properly; update the file beginning in
test/scripts/compliance-remediate/helpers/setup.bash (after the "#!/usr/bin/env
bash" line) to include the strict mode invocation and ensure any callers that
rely on relaxed semantics are adjusted accordingly.
- Around line 4-11: The top-level path variables TT_REPO_ROOT, TT_SCRIPT, and
TT_STUBS_DIR should be made immutable: after you assign and export each variable
in setup.bash (the TT_REPO_ROOT, TT_SCRIPT, TT_STUBS_DIR assignments), mark them
readonly (e.g., with readonly or declare -r) so they cannot be modified later;
keep the export calls and simply apply readonly to those three symbols to
satisfy the coding guideline.
- Around line 18-31: The tt_cleanup_tmpdir and tt_install_gh_stub helpers should
fail fast when TT_TMP is unset and use Bash conditionals: update both functions
to reference TT_TMP using the parameter expansion form ${TT_TMP:?"TT_TMP is
required"} (or similar message) so the script exits immediately if TT_TMP is
missing, and replace test brackets [ ... ] with Bash [[ ... ]] in
tt_cleanup_tmpdir (e.g., [[ -n "${TT_TMP}" && -d "${TT_TMP}" ]]) to ensure
Bash-safe conditionals while leaving the existing logic (rm -rf, mkdir -p, cp,
chmod, and PATH export) intact.

In `@test/scripts/compliance-remediate/stubs/gh`:
- Around line 27-30: The current stub swallows failures when writing stdin to
GH_STUB_STDIN_LOG via the line "cat >>\"$GH_STUB_STDIN_LOG\" || true"; change
this so write errors are not suppressed: remove the "|| true", capture the cat
exit status and, on failure, emit a clear stderr message (including
$GH_STUB_STDIN_LOG) and exit non‑zero so test instrumentation failures surface;
update the if block that checks GH_STUB_STDIN_LOG accordingly (refer to the
GH_STUB_STDIN_LOG variable and the cat >>"$GH_STUB_STDIN_LOG" invocation).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1421b4f6-2e31-45c2-baa6-5d5c2360a020

📥 Commits

Reviewing files that changed from the base of the PR and between 9aad093 and 672780f.

📒 Files selected for processing (4)

• scripts/compliance-remediate.sh
• test/scripts/compliance-remediate/helpers/setup.bash
• test/scripts/compliance-remediate/security-analysis.bats
• test/scripts/compliance-remediate/stubs/gh

[don-petry]

Dev-Lead — fix-reviews (applied)

Changes committed and pushed.

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

[donpetry-bot]

Automated review — APPROVED ✓

Risk: MEDIUM
Reviewed commit: 2568860f9fa73fe966af868fce7f7890ec65fae2
Review mode: triage-approved (single reviewer)

Summary

Adds an auto-remediation path for the push-protection secret_scanning_non_provider_patterns finding in scripts/compliance-remediate.sh. A new remediate_security_analysis_setting() helper builds a nested security_and_analysis payload with jq -n --arg and PATCHes it via gh api ... --input - (since gh api -F only sends flat fields). The dispatcher now routes both the canonical non_provider_patterns_enabled and the legacy secret_scanning_non_provider_patterns check names to the new helper, while the rest of the push-protection/* catch-all is preserved. New bats suite covers apply, dry-run, failure (non-zero gh exit), and the preserved catch-all.

Linked issue analysis

Closes #252. The audit reopens the finding weekly because secret_scanning_non_provider_patterns is disabled on this repo and compliance-remediate.sh previously routed every push-protection/* finding to report_skip. This PR adds the missing auto-remediation path, scoped to the single setting the audit reports, consistent with the issue's stated scope. The dev-lead comments correctly flag that the actual setting flip on petry-projects/.github still requires running the script with a repo-admin token (out of scope for this PR).

Findings

• scripts/compliance-remediate.sh:148-184 — remediate_security_analysis_setting() uses jq -n --arg for safe JSON construction, guards a jq failure / empty payload, honors DRY_RUN, and reports a failure on non-zero gh exit. No injection vectors (no eval, no shell interpolation of user data into the payload).
• scripts/compliance-remediate.sh:726-728 — Dispatcher case is placed above the push-protection/* catch-all and matches both the canonical (non_provider_patterns_enabled) and legacy (secret_scanning_non_provider_patterns) names; catch-all preserved for all other push-protection findings.
• test/scripts/compliance-remediate/ — New bats suite (4 cases) pins apply, dry-run, failure, and catch-all behaviours. Helper uses set -euo pipefail, readonly constants, and ${var:?} guards as required by the repo's shell standards. gh stub is env-driven, logs argv and stdin, surfaces log-write failures (no silent swallow).
• Prior bot review threads from gemini-code-assist and coderabbitai (canonical-name fix, jq guard, strict-mode helper, readonly constants, ${var:?} guards, stub stdin-log handling) are all resolved.
• No org/standards violations; no GitHub Actions security smells; no .env* or secret material touched; no migrations.

CI status

All checks green: Lint, ShellCheck, Secret scan (gitleaks), Agent Security Scan, CodeQL (actions), SonarCloud, AgentShield, dev-lead dispatch, pr-auto-review/check-and-dispatch, CodeRabbit. Dependency-audit ecosystem jobs (npm/pnpm/cargo/pip/govuln) correctly SKIPPED — no manifests for those ecosystems. mergeStateStatus: BEHIND (branch is behind main); no merge conflict, just needs an update from main.

---

Reviewed automatically by the PR-review agent (single-reviewer mode: opus 4.7). Reply if you need a human review.

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

[don-petry]

Dev-Lead — review-changes (no-changes)

No changes were needed for this PR.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud