Skip to content

feat: Removing adept to close label logic#84

Merged
tmikula-dev merged 8 commits into
masterfrom
feature/82-remove-adept-to-close-label-need
Jul 14, 2026
Merged

feat: Removing adept to close label logic#84
tmikula-dev merged 8 commits into
masterfrom
feature/82-remove-adept-to-close-label-need

Conversation

@tmikula-dev

@tmikula-dev tmikula-dev commented Jul 13, 2026

Copy link
Copy Markdown
Collaborator

Overview

This pull request makes significant changes to how resolved security findings are handled in the AquaSec GitHub integration. The main update is that child issues for resolved findings are now automatically closed instead of being labeled for manual closure. All code, documentation, and tests have been updated to reflect this new behavior. Additionally, the obsolete sec:adept-to-close label and its handling have been removed, and new documentation has been added for manual waiver labels.

Release Notes

  • GitHub issues now close automatically, after they disappear from AquaSec platform.
  • New standard labels recommended sec:suppression and sec:false-positive for full security ticket lifecycle.

Related

Closes #82

Summary by CodeRabbit

  • New Features
    • Resolved security findings are now automatically closed when no longer detected (including orphaned/resolved child issues).
    • Added label-based guidance for suppression vs false-positive waivers, and reopening no longer affects human-managed waiver labels.
  • Documentation
    • Updated security automation docs and prerequisites to match the new required label set and the closure lifecycle behavior.
  • Bug Fixes
    • Resolved closure continues to run even when triggering alerts are below the configured severity threshold.
    • Parent issues can close automatically after all resolved child issues are closed.
  • Tests
    • Updated/expanded sync and label-check coverage for the new closure flow.
  • Chores
    • Minor CI/workflow adjustments to reflect updated AquaSec workflow references and pylint output formatting.

…s automatically once they disappear from AquaSec platform.
@tmikula-dev tmikula-dev self-assigned this Jul 13, 2026
@tmikula-dev tmikula-dev added the enhancement New feature or request label Jul 13, 2026
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@tmikula-dev, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 18 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 65603acf-36c3-492a-a940-27924950de11

📥 Commits

Reviewing files that changed from the base of the PR and between ebd29f5 and f1b9102.

📒 Files selected for processing (4)
  • .github/workflows/aquasec-night-scan.yml
  • .github/workflows/aquasec-scan.yml
  • .github/workflows/check_python.yml
  • src/security/README.md

Walkthrough

The security workflow replaces deferred sec:adept-to-close labeling with automatic closure of resolved child issues, adds waiver-label documentation, updates synchronization statistics, removes a GitHub label-removal helper, and revises related tests.

Changes

Security issue lifecycle

Layer / File(s) Summary
Lifecycle labels and contracts
.github/workflows/aquasec-scan.yml, docs/security/security.md, src/security/README.md, src/security/constants.py, src/security/issues/models.py
Workflow documentation, required labels, waiver guidance, and SyncStats now reflect automatic closure and sec:suppression/sec:false-positive tracking.
Resolved issue synchronization
src/security/issues/sync.py, src/core/github/issues.py
Unmatched open child issues are closed directly, waiver labels remain untouched during reopening, and closure statistics are logged.
Closure and helper validation
tests/security/issues/test_sync.py, tests/security/services/test_label_checker.py, tests/core/github/test_issues.py
Tests cover resolved-child closure, dry runs, parent cascading, severity filtering, waiver preservation, required labels, and issue creation behavior.
Workflow references and shell output
.github/workflows/aquasec-night-scan.yml, .github/workflows/aquasec-scan.yml, .github/workflows/check_python.yml
Reusable workflow references and Pylint score output handling are updated.

Estimated code review effort: 3 (Moderate) | ~20 minutes

Possibly related issues

  • AbsaOSS/aquasec-scan-results#128 — Covers automatic closure, removal of sec:adept-to-close, and suppression/false-positive labels.

Possibly related PRs

Suggested labels: bug

Suggested reviewers: miroslavpojer

Poem

I’m a bunny closing issues with care,
No stale labels floating in air.
Waivers stay tagged, histories bright,
Resolved findings hop out of sight.
Sync runs clean beneath moonlight.

🚥 Pre-merge checks | ✅ 2 | ❌ 3

❌ Failed checks (3 warnings)

Check name Status Explanation Resolution
Linked Issues check ⚠️ Warning The PR automates closure and removes sec:adept-to-close, but it doesn't implement the required sec:suppression/sec:false-positive labeling or Jira comments for [#82]. Add the suppression and false-positive handling so the issue gets the right label and a Jira comment when those review flows are created.
Out of Scope Changes check ⚠️ Warning The check_python.yml Pylint formatting/env update is unrelated to the AquaSec issue workflow changes and appears outside the linked issue scope. Move the Pylint workflow tweak to a separate PR unless it is required for this security workflow change.
Docstring Coverage ⚠️ Warning Docstring coverage is 76.47% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise and matches the main change: removing the adept-to-close label workflow and moving to automatic closure.
Description check ✅ Passed The description follows the template with Overview, Release Notes, and Related, and it clearly summarizes the PR's behavior changes.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch feature/82-remove-adept-to-close-label-need

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/security/issues/sync.py (1)

743-785: 📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

Replace en dash with hyphen-minus in debug message.

Ruff RUF001 flags the (U+2013 EN DASH) at line 761 as ambiguous. Use a standard - (HYPHEN-MINUS) to avoid confusion and silence the linter warning.

🔧 Proposed fix
-        logging.debug("No unmatched child issues – skipping resolved-alert closure")
+        logging.debug("No unmatched child issues - skipping resolved-alert closure")
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/security/issues/sync.py` around lines 743 - 785, In
_close_resolved_child_issues, replace the en dash in the “No unmatched child
issues” debug message with a standard hyphen-minus, leaving the message and
surrounding logic unchanged.

Source: Linters/SAST tools

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/security/README.md`:
- Around line 41-42: Update the stale ready-to-close wording in the README
Overview section to state that findings are automatically closed when they
disappear, aligning the documentation with the current
_close_resolved_child_issues behavior and removing the obsolete
sec:adept-to-close workflow reference.

---

Outside diff comments:
In `@src/security/issues/sync.py`:
- Around line 743-785: In _close_resolved_child_issues, replace the en dash in
the “No unmatched child issues” debug message with a standard hyphen-minus,
leaving the message and surrounding logic unchanged.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 7ca33c1b-0fdf-4400-9096-c8a82d31f645

📥 Commits

Reviewing files that changed from the base of the PR and between 7fce4b9 and 6cdaed2.

📒 Files selected for processing (10)
  • .github/workflows/aquasec-scan.yml
  • docs/security/security.md
  • src/core/github/issues.py
  • src/security/README.md
  • src/security/constants.py
  • src/security/issues/models.py
  • src/security/issues/sync.py
  • tests/core/github/test_issues.py
  • tests/security/issues/test_sync.py
  • tests/security/services/test_label_checker.py
💤 Files with no reviewable changes (2)
  • src/security/constants.py
  • src/core/github/issues.py

Comment thread src/security/README.md

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/aquasec-scan.yml:
- Line 103: Update the checkout reference in the workflow to use the valid
reusable-workflow SHA context, replacing github.job_workflow_sha with
job.workflow_sha while preserving the existing pinning behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a2b270b1-1ad1-4440-96fb-34669725ebed

📥 Commits

Reviewing files that changed from the base of the PR and between 6cdaed2 and ebd29f5.

📒 Files selected for processing (3)
  • .github/workflows/aquasec-night-scan.yml
  • .github/workflows/aquasec-scan.yml
  • .github/workflows/check_python.yml

Comment thread .github/workflows/aquasec-scan.yml Outdated
miroslavpojer
miroslavpojer previously approved these changes Jul 14, 2026

@miroslavpojer miroslavpojer left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks ok.
I saw some not mentioned changes - side changes - all planeed?
See Rabbit comment.

@tmikula-dev tmikula-dev merged commit 3b6a6b0 into master Jul 14, 2026
8 checks passed
@tmikula-dev tmikula-dev deleted the feature/82-remove-adept-to-close-label-need branch July 14, 2026 09:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Update aquasec workflow behavior - remove sec:adept-to-close label

2 participants