Skip to content

ci(hypatia-scan): emit + upload SARIF so scans reconcile code-scanning alerts#485

Merged
hyperpolymath merged 1 commit into
mainfrom
ci/hypatia-sarif-reconcile
Jul 11, 2026
Merged

ci(hypatia-scan): emit + upload SARIF so scans reconcile code-scanning alerts#485
hyperpolymath merged 1 commit into
mainfrom
ci/hypatia-sarif-reconcile

Conversation

@hyperpolymath

Copy link
Copy Markdown
Owner

What

The reusable Hypatia scan now emits SARIF and uploads it to code scanning (category: hypatia), and declares security-events: write.

Why

The reusable scan produced hypatia-findings.json as an artifact only and declared security-events: read. So it could neither create nor close code-scanning alerts. Alerts that an earlier SARIF path had uploaded (tool Hypatia, category hypatia) were orphaned: once the underlying code was fixed, nothing propagated the fix to the Security tab, and the alerts lingered as stale "open" findings.

Surfaced on metadatastician/gossamer: of 108 open alerts, ~40 were already fixed in code (timeouts, believe_me, SD007/SD022, all four workflow singletons, scorecard StaticAnalysis/DependencyPinning) but could not auto-close. The rest were inherent FFI-boundary casts + derivative meta-findings.

How

Restores the behaviour that lib/hypatia/sarif.ex already documents ("the workflow can call this format directly"):

  1. Second scan pass with HYPATIA_FORMAT=sarifhypatia.sarif.
  2. github/codeql-action/upload-sarif with category: hypatia (matches the historical analysis_key, so GitHub reconciles — fixed findings auto-close).
  3. permissions: security-events: write.

Safety

  • No self-echo. lib/hypatia/sarif.ex filters the code_scanning_alerts meta-rules (@meta_rule_modules) at render time — the exact loop the render-time filter was added to close (the 7,724-alert incident). Uploading is now safe.
  • No blast radius. Every caller SHA-pins this reusable, so the change is strictly opt-in: it takes effect for a repo only when that repo bumps its pin and grants security-events: write.
  • Read-only callers unaffected. The upload step is continue-on-error: true; a caller still granting only security-events: read skips it gracefully.

Follow-up

metadatastician/gossamer will bump its hypatia-scan.yml pin to this reusable's merged SHA and grant security-events: write, so its scans self-reconcile going forward (the 108 alerts were dismissed manually as an immediate fix).

🤖 Generated with Claude Code

…g alerts

The reusable scan produced hypatia-findings.json as an *artifact* only and
declared `security-events: read`, so it could neither create nor CLOSE
code-scanning alerts. Alerts uploaded by an earlier SARIF path (tool "Hypatia",
category "hypatia") were therefore orphaned: once the underlying code was fixed,
the fix never propagated to the Security tab and the alerts lingered as stale
"open" findings (observed on metadatastician/gossamer — ~40 of 108 open alerts
were already fixed in code but could not auto-close).

This restores the designed behaviour that lib/hypatia/sarif.ex documents:

  - run the scan a second time with HYPATIA_FORMAT=sarif -> hypatia.sarif
  - upload it via github/codeql-action/upload-sarif with category "hypatia"
  - grant security-events: write

SARIF render already filters the code_scanning_alerts meta-rules
(lib/hypatia/sarif.ex @meta_rule_modules), so re-uploading cannot self-echo
(the 7,724-alert loop the render-time filter was added to close). The upload
step is `continue-on-error: true`, so callers that still grant only
security-events: read are unaffected — and because every caller SHA-pins this
reusable, the change is opt-in: it takes effect for a repo only when that repo
bumps its pin AND grants write.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sonarqubecloud

Copy link
Copy Markdown

@hyperpolymath hyperpolymath merged commit f4a1e56 into main Jul 11, 2026
20 checks passed
@hyperpolymath hyperpolymath deleted the ci/hypatia-sarif-reconcile branch July 11, 2026 11:40
hyperpolymath added a commit to metadatastician/gossamer that referenced this pull request Jul 11, 2026
…rite) (#111)

## What

Makes gossamer's Hypatia scan **upload SARIF** to code scanning, so
code-scanning alerts **self-reconcile**.

- reusable pin `d7c2271` → **`2ccc38e`** (standards `main`,
post-[standards#485](hyperpolymath/standards#485))
- `permissions: security-events` **read → write**
- `secrets: inherit` (lets the reusable use `HYPATIA_SCAN_PAT` for
Dependabot reads; falls back to `GITHUB_TOKEN`)

## Why

The scan previously uploaded `hypatia-findings.json` as an **artifact
only**, so it could neither create nor **close** code-scanning alerts.
Findings fixed in code stayed "open" forever — that's how **~40
already-fixed alerts** (timeouts, `believe_me`, SD007/SD022, workflow
singletons, scorecard checks) got stuck among the 108 open alerts.

With this, every scan uploads SARIF (tool `Hypatia`, `category:
hypatia`, matching the historical `analysis_key`), and GitHub
auto-closes anything fixed since the last run. No self-echo — the SARIF
renderer filters the `code_scanning_alerts` meta-rules.

## Note

The one-off backlog of 108 alerts was already **reconciled manually**
(dismissed with per-alert reasons: stale→`won't fix`+remediation note,
inherent-FFI→`won't fix`, `.envrc`→`false positive`). This PR makes the
pipeline **self-healing** so it doesn't recur.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant