Conversation
Users can now create .agentscan.yaml (in cwd, ~/, or via $AGENTSCAN_CONFIG) to set a default fail-on threshold and extend scans with extra env keys, credential files, and custom tool checks — without repeating flags in every pipeline invocation. CLI flags always take precedence over config values.
- config: Add Source type (SourceNone/Home/EnvOverride/Cwd) with Trusted()
method; Load() now returns LoadResult{Config, Source}
- config: Enable strict YAML parsing (KnownFields=true) — unknown fields error
- config: Add validate() checking fail_on enum and tool check required fields
- cli: Thread LoadResult through ScanRunner; gate extra_tool_checks on
Source.Trusted() to prevent hostile CWD configs executing arbitrary commands
- cli: Restore --fail-on cobra default to 'high'; use Changed() to detect
explicit CLI override so config fail_on is still honoured when flag absent
- scan: Deduplicate within ExtraEnvKeys and ExtraCredentialFiles extras lists
- tests: Update all callers for new API; add Source, validate, and dedup tests
- scan: Remove NewLocalScannerWithConfig — dead code with unsafe semantics (unconditionally copies ExtraToolChecks with no trust gate, bypassing the security invariant enforced in realScanRunner) - scan: Guard ExtraEnvKeys dedup map allocation behind len>0 check - scan: Normalise parseSeverityOrModerate to strings.ToLower, consistent with validate() in the config package - cli: Rename test to LoadedConfigPassedThroughToRunner (was CwdConfig_... but the source is SourceEnvOverride, not SourceCwd)
- cli: Gate fail_on from config on Source.Trusted() — a project-root .agentscan.yaml (SourceCwd) must not be able to weaken agentscan --ci by raising the failure threshold (e.g. fail_on: critical) - cli: Add TestRootCmd_CwdConfigFailOn_Ignored to prove the invariant - config: Correct ToolCheck comment — invalid severity is now rejected by validate(), not silently defaulted to MODERATE - README: Clarify that extra_tool_checks and fail_on are only honoured from trusted sources; add explicit security note explaining the trusted-vs-untrusted distinction and what each restriction prevents
…sts, dedup - models: add ParseSeverity, ParseSeverityOrModerate, Severity.Rank(), UnknownSeverityError as a single canonical severity source; eliminates duplicate validation logic across packages - internal/fsutil: new shared package with Exists() helper; removes duplicate fileExists from config and scan/apikeys - config: drop local validSeverities map; use models.ParseSeverity for fail_on and tool-check severity validation - cli: drop validSeverities slice, parseSeverity, severityRank; use models.ParseSeverity and Severity.Rank() — removes ~25 LOC of duplicated switch/linear-scan logic - scan/apikeys: replace unexported credentialFile with config.CredentialFile; use fsutil.Exists - scan/local: remove parseSeverityOrModerate; use models.ParseSeverityOrModerate; extract runToolCheck helper that deduplicates the rc-switch logic shared by built-in and extra checks - config/config_test: collapse 5 repetitive validation tests into one table-driven test (~40 LOC) - scan/apikeys_test: extract clearHighRiskEnv + newScannerWithHome helpers; collapse 3 duplicate- count tests into one table (TestAPIKeyScanner_NoDuplicateFindings) (~55 LOC) - cli/cli_test: collapse 3 fail_on precedence tests into one table (TestRootCmd_FailOnPrecedence) (~30 LOC); CWD-trust test kept separate as it requires os.Chdir
…ng severity in tests
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
No description provided.