coderabbit: add security-focused code review configuration#1000
Conversation
Add comprehensive CodeRabbit configuration to enforce Red Hat Product Security standards and prevent incomplete code review suggestions. Key features: - Security scanners: gitleaks, semgrep, actionlint - Path-based rules for Python files, tests, workflows, configs - Supply chain security checks for .claude/ and .vscode/ directories - Pre-merge hard gates for secrets, weak crypto, injection vectors - Completeness requirements for refactoring suggestions Security standards: - Flag hardcoded credentials (CRITICAL) - Flag weak cryptography: MD5, SHA-1, DES, RC4 (HIGH) - Flag injection risks: SQL, command, eval/exec, pickle (CRITICAL) - Flag sensitive data in logs (HIGH) - Require SHA-pinned GitHub Actions (supply chain security) References: snapshotmanager/boom-boot#405 Resolves similar issues to boom-boot#351 Signed-off-by: Todd Gill <tgill@redhat.com> Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
|
Warning Ignoring CodeRabbit configuration file changes. For security, only the configuration from the base branch is applied for open source repositories. WalkthroughThis pull request adds a new ChangesCodeRabbit Configuration
Estimated code review effort: 3 (Moderate) | ~20 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
Congratulations! One of the builds has completed. 🍾 You can install the built RPMs by following these steps:
Please note that the RPMs should be used only in a testing environment. |
There was a problem hiding this comment.
Actionable comments posted: 4
🧹 Nitpick comments (1)
.coderabbit.yaml (1)
5-6: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueLanguage and tone are only comments, so they aren't actually configured.
Lines 5-6 document intent but set nothing. If you want
en-USand a security-focused tone applied, set the real keys, e.g.language: "en-US"andtone_instructions: "..."at the top level.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.coderabbit.yaml around lines 5 - 6, The .coderabbit.yaml entries for language and tone are only comments and do not configure anything. Update the top-level config to use the actual settings keys, such as language and tone_instructions, so the intended en-US language and security-focused tone are applied. Keep the intent currently described in the comment but move it into real configuration fields rather than commented text.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.coderabbit.yaml:
- Around line 102-116: The path filter config is using a nested excluded map
under path_filters instead of the flat glob list expected by
reviews.path_filters. Update the .coderabbit.yaml path_filters block to use
quoted !-prefixed glob patterns directly in the list, and remove the excluded
key so the exclusions are applied correctly. Keep the existing exclusion set,
just change the structure of the configuration.
- Around line 200-232: The repository-wide guidance is currently defined under a
top-level instructions key, which is ignored by the review system. Move this
content into reviews.instructions so it applies globally, and use
reviews.path_instructions only for file-specific rules; if you need tone
changes, place them in reviews.profile or keep them in reviews.instructions.
- Around line 118-193: The scanner configuration is currently placed under an
unsupported top-level security block, so it will not be applied. Move the
gitleaks, semgrep, and actionlint settings under reviews.tools, keep
reviews.tools.gitleaks.enabled and reviews.tools.actionlint.enabled there, and
replace the inline Semgrep rules with a reviews.tools.semgrep.config_file
reference. Ensure the Semgrep rule definitions are moved into the referenced
config file rather than remaining inline in .coderabbit.yaml.
- Around line 24-30: The knowledge_base configuration is currently shaped as a
list, but it needs to be a mapping so the AI context settings are read
correctly. Update the .coderabbit.yaml knowledge_base section to use the
top-level knowledge_base key as an object, and move the existing file glob
entries under knowledge_base.code_guidelines.filePatterns while keeping the
existing patterns intact.
---
Nitpick comments:
In @.coderabbit.yaml:
- Around line 5-6: The .coderabbit.yaml entries for language and tone are only
comments and do not configure anything. Update the top-level config to use the
actual settings keys, such as language and tone_instructions, so the intended
en-US language and security-focused tone are applied. Keep the intent currently
described in the comment but move it into real configuration fields rather than
commented text.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
| # Knowledge base files for AI context | ||
| knowledge_base: | ||
| - CONTRIBUTING.md | ||
| - SECURITY.md | ||
| - README.md | ||
| - doc/**/*.md | ||
| - doc/**/*.rst |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
CodeRabbit .coderabbit.yaml knowledge_base configuration schema options
💡 Result:
The CodeRabbit.coderabbit.yaml configuration for the knowledge base allows you to manage how the AI gathers context for code reviews. You can configure these settings under the knowledge_base key in your configuration file [1]. Available configuration options include: Code Guidelines: - knowledge_base.code_guidelines.enabled (boolean, default: true): Whether to automatically detect and apply coding guideline files (like.cursorrules, CLAUDE.md) [2]. - knowledge_base.code_guidelines.filePatterns (array of strings): Defines additional custom glob patterns for your project's coding standard files [2]. Integrations and Context Sources: - knowledge_base.issues (local, global, or auto; default: auto): Scope for gathering context from GitHub and GitLab issues [1]. - knowledge_base.pull_requests (local, global, or auto; default: auto): Scope for gathering context from past pull requests [1]. - knowledge_base.jira: Configures Jira as a knowledge source (auto, enabled, or disabled; default: auto). Supports project_keys to filter specific projects [1]. - knowledge_base.linear: Configures Linear as a knowledge source (auto, enabled, or disabled; default: auto). Supports team_keys to filter specific teams [1]. - knowledge_base.mcp.usage (auto, enabled, or disabled): Controls usage of configured Model Context Protocol (MCP) servers [3]. - knowledge_base.mcp.disabled_servers (array of strings): Allows you to selectively disable specific MCP servers by name [3]. Web Search: - knowledge_base.web_search.enabled (boolean, default: true): Enables or disables the AI's ability to perform web searches for additional context [4]. Data Privacy: - knowledge_base.opt_out (boolean): When set to true, this disables data retention features (such as learnings and context storage). This action is immediate and removes all stored knowledge base data [1]. For the most comprehensive list and specific schema details, refer to the official CodeRabbit configuration reference [1][5].
Citations:
- 1: https://docs.coderabbit.ai/knowledge-base
- 2: https://docs.coderabbit.ai/knowledge-base/code-guidelines
- 3: https://docs.coderabbit.ai/knowledge-base/mcp-context
- 4: https://docs.coderabbit.ai/knowledge-base/web-search
- 5: https://docs.coderabbit.ai/reference/configuration
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '%s\n' '--- .coderabbit.yaml (relevant lines) ---'
nl -ba .coderabbit.yaml | sed -n '1,120p'
printf '\n%s\n' '--- repo files that may define CodeRabbit config/docs ---'
git ls-files | rg '(^|/)(\.coderabbit\.yaml|coderabbit|knowledge-base|knowledge_base|README\.md|CONTRIBUTING\.md|SECURITY\.md)$'
printf '\n%s\n' '--- search for knowledge_base usage in repo ---'
rg -n --hidden --glob '!.git' '\bknowledge_base\b' .
printf '\n%s\n' '--- search for reviews key near knowledge_base in config/docs ---'
rg -n --hidden --glob '!.git' '(^\s*reviews:|^\s*knowledge_base:|knowledge_base\.)' .coderabbit.yaml . 2>/dev/null | sed -n '1,200p'Repository: snapshotmanager/snapm
Length of output: 241
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '%s\n' '--- .coderabbit.yaml (relevant lines) ---'
sed -n '1,120p' .coderabbit.yaml | cat -n
printf '\n%s\n' '--- files that may mention CodeRabbit config ---'
git ls-files | rg '(^|/)(\.coderabbit\.yaml|README\.md|CONTRIBUTING\.md|SECURITY\.md|.*coderabbit.*)$'
printf '\n%s\n' '--- knowledge_base references in repo ---'
rg -n --hidden --glob '!.git' '\bknowledge_base\b|code_guidelines|web_search|linear|jira|pull_requests|issues' . 2>/dev/null | sed -n '1,240p'Repository: snapshotmanager/snapm
Length of output: 8257
🌐 Web query:
site:docs.coderabbit.ai CodeRabbit configuration reference knowledge_base reviews .coderabbit.yaml top level filePatterns markdown globs
💡 Result:
To configure CodeRabbit, you use a YAML file named.coderabbit.yaml located in the root of your repository [1][2]. This file allows you to customize various aspects of the review process, including knowledge base guidelines and file filtering. Knowledge Base and Code Guidelines CodeRabbit uses a knowledge base to enhance reviews with context beyond simple diff analysis [3]. You can extend the default coding standard files that CodeRabbit scans by using the knowledge_base.code_guidelines.filePatterns setting in your.coderabbit.yaml file [4]. Example configuration for additional guideline files: knowledge_base: code_guidelines: enabled: true filePatterns: - "/CODING_STANDARDS.md" - "/docs/style-guide.md" - "/.teamrules" The filePatterns option accepts an array of glob strings that supplement (rather than replace) the built-in defaults [4]. Glob patterns in CodeRabbit follow standard minimatch syntax, where matches any number of path segments [4][5]. Path Filtering and Glob Patterns For general file filtering and path-specific instructions, CodeRabbit uses path patterns (also utilizing minimatch syntax) [6][5]. These are typically configured under reviews.path_filters or path_instructions [6]. Patterns prefixed with! exclude paths (e.g.,!dist/), while others explicitly include them [6]. Configuration Resolution CodeRabbit resolves its configuration by merging settings from multiple levels, such as the repository-level.coderabbit.yaml, central organization configurations, and UI-based settings [2][7]. You can verify your final, merged configuration at any time by commenting @coderabbitai configuration on a pull request [1][7]. This command provides the resolved YAML, annotated with comments indicating the source of each setting [1][7].
Citations:
- 1: https://docs.coderabbit.ai/getting-started/yaml-configuration
- 2: https://docs.coderabbit.ai/guides/configuration-overview
- 3: https://docs.coderabbit.ai/knowledge-base
- 4: https://docs.coderabbit.ai/knowledge-base/code-guidelines
- 5: https://docs.coderabbit.ai/finishing-touches/docstrings
- 6: https://docs.coderabbit.ai/configuration/path-instructions
- 7: https://docs.coderabbit.ai/configuration/configuration-inheritance
Move this block to the top-level knowledge_base key.
knowledge_base should be a mapping, not a list, and the extra file globs belong under knowledge_base.code_guidelines.filePatterns. As written here, this section will not be read as intended.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.coderabbit.yaml around lines 24 - 30, The knowledge_base configuration is
currently shaped as a list, but it needs to be a mapping so the AI context
settings are read correctly. Update the .coderabbit.yaml knowledge_base section
to use the top-level knowledge_base key as an object, and move the existing file
glob entries under knowledge_base.code_guidelines.filePatterns while keeping the
existing patterns intact.
| # Path exclusions - don't review these | ||
| path_filters: | ||
| excluded: | ||
| - "**/*.pyc" | ||
| - "**/__pycache__/**" | ||
| - "**/venv/**" | ||
| - "**/.venv/**" | ||
| - "**/dist/**" | ||
| - "**/build/**" | ||
| - "**/.eggs/**" | ||
| - "**/*.egg-info/**" | ||
| - "**/node_modules/**" | ||
| - "**/.pytest_cache/**" | ||
| - "**/.mypy_cache/**" | ||
| - "**/.tox/**" |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
CodeRabbit path_filters exclude syntax coderabbit.yaml
💡 Result:
In a CodeRabbit configuration file (.coderabbit.yaml), you use the reviews.path_filters key to control which files are included or excluded from reviews [1]. To exclude files, you must use a pattern prefixed with an exclamation mark (!) [1]. Because the exclamation mark (!) is a special character in YAML (used to denote tags), these patterns must be enclosed in quotes [2]. Here is an example of the correct syntax: reviews: path_filters: - "!dist/" - "!node_modules/" - "!/generated/" Patterns without the! prefix are treated as inclusions, which can be used to override default exclusions or explicitly include specific files [1]. CodeRabbit applies these filters to determine the scope of its review; files matching an exclusion pattern are ignored by the AI review process [1].
Citations:
- 1: https://coderabbit.mintlify.app/configuration/path-instructions
- 2: https://github.com/asmyshlyaev177/test-proxy-recorder/blob/master/.coderabbit.yaml
🌐 Web query:
CodeRabbit configuration reviews.path_filters list of glob strings exclude patterns with ! schema
💡 Result:
In CodeRabbit, the reviews.path_filters configuration uses standard glob patterns to determine which files are included in or excluded from AI code reviews [1][2]. Key rules for the path_filters schema: - Exclude patterns: Any glob pattern prefixed with an exclamation mark (!) will exclude the matching files or directories from review [1][2]. For example,!dist/ skips the entire dist directory [1]. - Include patterns: Patterns without the! prefix are treated as inclusions [1]. This is useful for explicitly overriding default exclusions or narrowing the scope of reviews [1]. - Implementation: You define these filters within the.coderabbit.yaml configuration file under the reviews section [1][2]. Example configuration: reviews: path_filters: - "!dist/" # Exclude build output - "!node_modules/" # Exclude dependencies - "!/*.lock" # Exclude lock files - "src/" # Explicitly include source files CodeRabbit maintains sensible defaults for common non-source files (such as binaries, lock files, and generated code), which you can supplement or override using this configuration [1][3]. Changes to these filters take effect on the next pull request [2].
Citations:
- 1: https://coderabbit.mintlify.app/configuration/path-instructions
- 2: https://aicodereview.cc/blog/coderabbit-configuration/
- 3: https://docs.coderabbit.ai/configuration/auto-review
Use !-prefixed globs under reviews.path_filters
path_filters should be a flat list of glob strings. Replace the nested excluded: map with quoted ! patterns so these files are actually excluded.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.coderabbit.yaml around lines 102 - 116, The path filter config is using a
nested excluded map under path_filters instead of the flat glob list expected by
reviews.path_filters. Update the .coderabbit.yaml path_filters block to use
quoted !-prefixed glob patterns directly in the list, and remove the excluded
key so the exclusions are applied correctly. Keep the existing exclusion set,
just change the structure of the configuration.
| # Security scanners - pre-merge hard gates | ||
| security: | ||
| # Secret detection | ||
| gitleaks: | ||
| enabled: true | ||
| severity: "CRITICAL" | ||
| patterns: | ||
| - "(?i)(api[_-]?key|apikey)\\s*[:=]\\s*['\"]?[a-z0-9]{20,}['\"]?" | ||
| - "(?i)(secret[_-]?key|secretkey)\\s*[:=]\\s*['\"]?[a-z0-9]{20,}['\"]?" | ||
| - "(?i)(access[_-]?token|accesstoken)\\s*[:=]\\s*['\"]?[a-z0-9]{20,}['\"]?" | ||
| - "(?i)(password|passwd|pwd)\\s*[:=]\\s*['\"]?[^'\"\\s]{8,}['\"]?" | ||
| - "(?i)(private[_-]?key|privatekey)\\s*[:=]" | ||
| - "-----BEGIN (RSA |DSA |EC )?PRIVATE KEY-----" | ||
| - "(?i)(aws|amazon)[_-]?(access|secret)[_-]?key" | ||
| - "(?i)github[_-]?token" | ||
|
|
||
| # Static analysis security testing | ||
| semgrep: | ||
| enabled: true | ||
| rules: | ||
| # Weak cryptography | ||
| - id: "weak-crypto-md5" | ||
| pattern: "hashlib.md5" | ||
| message: "MD5 is cryptographically broken. Use SHA-256 or better." | ||
| severity: "HIGH" | ||
|
|
||
| - id: "weak-crypto-sha1" | ||
| pattern: "hashlib.sha1" | ||
| message: "SHA-1 is deprecated for security. Use SHA-256 or better." | ||
| severity: "MEDIUM" | ||
|
|
||
| - id: "weak-crypto-des" | ||
| pattern-regex: "(DES|DES3|TripleDES|RC4)" | ||
| message: "Weak encryption algorithm detected. Use AES-256-GCM." | ||
| severity: "HIGH" | ||
|
|
||
| # Injection vulnerabilities | ||
| - id: "sql-injection-risk" | ||
| pattern-regex: "cursor\\.execute\\([^?%]*%[^s]" | ||
| message: "Potential SQL injection. Use parameterized queries." | ||
| severity: "CRITICAL" | ||
|
|
||
| - id: "command-injection-shell-true" | ||
| pattern: "subprocess.*shell=True" | ||
| message: "Command injection risk. Never use shell=True with user input." | ||
| severity: "CRITICAL" | ||
|
|
||
| - id: "eval-exec-usage" | ||
| pattern-regex: "(eval|exec)\\(" | ||
| message: "Arbitrary code execution via eval/exec is prohibited." | ||
| severity: "CRITICAL" | ||
|
|
||
| - id: "pickle-loads-untrusted" | ||
| pattern: "pickle.loads" | ||
| message: "Deserialization attack risk. Don't unpickle untrusted data." | ||
| severity: "HIGH" | ||
|
|
||
| # Sensitive data exposure | ||
| - id: "password-in-logs" | ||
| pattern-regex: "(log|print).*password" | ||
| message: "Password potentially logged. Never log credentials." | ||
| severity: "HIGH" | ||
|
|
||
| - id: "token-in-logs" | ||
| pattern-regex: "(log|print).*(token|api[_-]?key)" | ||
| message: "Token/API key potentially logged. Never log credentials." | ||
| severity: "HIGH" | ||
|
|
||
| # GitHub Actions security | ||
| actionlint: | ||
| enabled: true | ||
| rules: | ||
| - "Verify actions are SHA-pinned, not version tags" | ||
| - "Check GITHUB_TOKEN has minimal required permissions" | ||
| - "Verify secrets are masked in logs" | ||
| - "Check for injection in workflow expressions" |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🔴 Critical | 🏗️ Heavy lift
🧩 Analysis chain
🌐 Web query:
CodeRabbit reviews tools gitleaks semgrep actionlint configuration options
💡 Result:
CodeRabbit supports integrated security and linting tools including Gitleaks (specifically referenced as Betterleaks, an improved version of Gitleaks), Semgrep, and actionlint, among many others [1][2]. These tools are part of a broader suite of over 50 supported static analysis and security scanners [1][3]. Configuration Options You can manage these tools through the following methods: 1. Repository Configuration File (.coderabbit.yaml): You can enable or disable specific tools and manage their settings within your repository's.coderabbit.yaml file [2][4]. For most tools, basic enabling is handled under the tools section: reviews: tools: semgrep: enabled: true betterleaks: # Used in place of Gitleaks enabled: true actionlint: enabled: true 2. Web Interface: You can also manage tool integrations directly from the CodeRabbit organization or repository settings page under Reviews > Tools [4]. 3. Tool-Specific References: While many tools default to standard behavior when enabled, CodeRabbit provides dedicated reference documentation for each tool, which you can browse in their Tool Catalog [5][3]. For example, actionlint is specifically configured to scan GitHub Actions workflow files [1][6], and Semgrep is used for broader security and quality analysis [1][7]. Note that for secret scanning, CodeRabbit provides Betterleaks, which is explicitly identified as their improved version of Gitleaks [2]. You can verify the latest specific configuration keys and available parameters for each tool by visiting the official CodeRabbit Tools reference pages [1][3].
Citations:
- 1: https://docs.coderabbit.ai/reference/tools-reference
- 2: https://docs.coderabbit.ai/reference/configuration
- 3: https://docs.coderabbit.ai/tools/reference
- 4: https://docs.coderabbit.ai/tools/skillspector
- 5: https://docs.coderabbit.ai/tools/list
- 6: https://docs.coderabbit.ai/tools/actionlint
- 7: https://docs.coderabbit.ai/tools/semgrep
🏁 Script executed:
git ls-files | rg '(^|/)(coderabbit|review|security|semgrep|actionlint|gitleaks|schema|config)\b|\.coderabbit\.yaml$|\.github/workflows/'Repository: snapshotmanager/snapm
Length of output: 237
🏁 Script executed:
sed -n '1,260p' .coderabbit.yamlRepository: snapshotmanager/snapm
Length of output: 9370
🌐 Web query:
CodeRabbit configuration reviews.tools gitleaks semgrep actionlint security key supported schema
💡 Result:
CodeRabbit supports configuration through a YAML file located at the root of your repository named.coderabbit.yaml [1]. You can manage third-party tools, including Gitleaks (or its successor Betterleaks), Semgrep, and actionlint, within the reviews.tools section of this file [2][3]. Key Configuration Details: 1. Enabling Tools: You can enable or disable specific tools using the enabled boolean flag under the tool's name [2][3]. Example: reviews: tools: gitleaks: enabled: true actionlint: enabled: true semgrep: enabled: true config_file: ".semgrep.yml" 2. Configuration Files: For tools that require specific rules or settings, you can provide an optional config_file path relative to the repository root in your.coderabbit.yaml [2][3]. If no file is specified, many tools fall back to profile-based defaults or look for standard configuration files in the root directory (e.g., semgrep.yml) [2][4]. 3. Schema: CodeRabbit provides a JSON schema to validate your.coderabbit.yaml configuration, which is available at https://coderabbit.ai/integrations/schema.v2.json [5][1]. You can use this schema in your IDE (e.g., via the yaml-language-server) by adding the following header to your YAML file [1]: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json 4. Tool Specifics: - Gitleaks/Betterleaks: CodeRabbit integrates with Betterleaks (an improved version of Gitleaks) for secret scanning [5][3]. - Semgrep: Requires a valid configuration file to run [4]. It will automatically detect files like semgrep.yml or semgrep.config.yml if they exist in the root [4]. - Actionlint: Used for checking GitHub Actions workflow files [6][3]. For a complete reference of all available tools and configuration options, you can consult the official CodeRabbit Tools Reference documentation [7][2].
Citations:
- 1: https://coderabbit.mintlify.app/getting-started/yaml-configuration
- 2: https://docs.coderabbit.ai/tools
- 3: https://coderabbit.mintlify.app/tools/reference
- 4: https://docs.coderabbit.ai/tools/semgrep
- 5: https://catalog.lintel.tools/schemas/schemastore/coderabbit/
- 6: https://docs.coderabbit.ai/reference/tools-reference
- 7: https://docs.coderabbit.ai/tools/reference
Move these scanners under reviews.tools
The top-level security: block is not part of the supported schema, so these gates will not run from this file. Use reviews.tools.gitleaks.enabled, reviews.tools.semgrep.config_file, and reviews.tools.actionlint.enabled; Semgrep rules need to live in the referenced config file, not inline here.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.coderabbit.yaml around lines 118 - 193, The scanner configuration is
currently placed under an unsupported top-level security block, so it will not
be applied. Move the gitleaks, semgrep, and actionlint settings under
reviews.tools, keep reviews.tools.gitleaks.enabled and
reviews.tools.actionlint.enabled there, and replace the inline Semgrep rules
with a reviews.tools.semgrep.config_file reference. Ensure the Semgrep rule
definitions are moved into the referenced config file rather than remaining
inline in .coderabbit.yaml.
| instructions: | | ||
| You are reviewing code for snapm, a Red Hat system snapshot management tool. | ||
|
|
||
| **Completeness Requirements:** | ||
| - Only suggest refactoring or API changes if you provide a COMPLETE implementation | ||
| - Don't suggest theoretical improvements without concrete, working code | ||
| - Don't suggest changes to `# pragma: no cover` code unless fixing actual bugs | ||
| - Require complete solutions in issue descriptions, not placeholders | ||
|
|
||
| **Security Standards (Red Hat Product Security):** | ||
| - Flag ANY hardcoded secrets, API keys, passwords, or tokens as CRITICAL | ||
| - Flag weak cryptography (MD5, SHA-1, DES, RC4, 3DES) as HIGH severity | ||
| - Flag injection vectors (SQL, command, eval/exec, pickle) as CRITICAL | ||
| - Flag sensitive data in logs (passwords, tokens, PII) as HIGH severity | ||
| - Verify GitHub Actions pin dependencies by SHA, not version tags | ||
| - Treat .claude/ and .vscode/ directories as HIGH RISK supply chain vectors | ||
|
|
||
| **Code Quality:** | ||
| - Check for proper error handling (no bare except) | ||
| - Verify input validation for external data | ||
| - Require docstrings for public APIs | ||
| - Check for proper resource cleanup (context managers) | ||
| - Verify tests cover error paths, not just happy paths | ||
|
|
||
| **Python Best Practices:** | ||
| - Use secrets module for cryptographic random numbers, not random module | ||
| - Use parameterized SQL queries, never string formatting | ||
| - Never use shell=True with subprocess unless absolutely necessary | ||
| - Avoid pickle for untrusted data (use JSON or safer serialization) | ||
| - Use pathlib for path operations, validate paths to prevent traversal | ||
|
|
||
| When flagging security issues, state the severity (CRITICAL/HIGH/MEDIUM/LOW) and | ||
| potential impact clearly. Security issues block merge until resolved. |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🌐 Web query:
CodeRabbit coderabbit.yaml tone_instructions global instructions path_instructions
💡 Result:
CodeRabbit uses a.coderabbit.yaml file located in the root directory of a repository to customize its review behavior [1][2]. Within this configuration file, specific fields are used to manage review guidance, tone, and file-specific behavior [3][2]. Global Instructions The reviews.instructions field (often referred to as tone instructions or global instructions) allows you to provide natural language guidance that applies to every file in every pull request [3][2]. This is the primary method for defining project-wide conventions, setting the review tone (e.g., professional, chill, strict), and instructing CodeRabbit on what types of issues to ignore—such as style preferences already covered by linters like ESLint or Prettier [3]. Path-Specific Instructions The reviews.path_instructions field provides the ability to attach targeted, natural language review guidance to specific directories or file patterns using glob patterns [3]. When a pull request includes changes to files that match these patterns, CodeRabbit adjusts its analysis focus to follow these specific instructions [3]. This is ideal for domain-specific requirements, such as enforcing specialized security checks on API routes or prioritizing performance analysis for database queries [3]. Relationship Global instructions and path-specific instructions can be used together [3]. Global instructions establish the baseline behavior and tone for the entire repository, while path-specific instructions act as supplements or overrides for specific code areas [3]. Using both effectively helps maintain consistent standards while ensuring the AI reviewer remains relevant and helpful across different parts of the codebase [3]. To generate a starting point for your.coderabbit.yaml file, you can use the @coderabbitai configuration command on any pull request; this will return the current configuration in the correct YAML format [4].
Citations:
- 1: https://docs.coderabbit.ai/reference/configuration
- 2: https://dev.to/rahulxsingh/coderabbit-configuration-coderabbityaml-reference-5493
- 3: https://aicodereview.cc/blog/coderabbit-configuration/
- 4: https://coderabbit.mintlify.app/getting-started/yaml-configuration
🌐 Web query:
CodeRabbit configuration reviews.instructions reviews.path_instructions tone_instructions root instructions schema
💡 Result:
CodeRabbit is configured using a YAML file named.coderabbit.yaml, which must be placed in the root of your repository [1]. This file allows for advanced customization of review behavior, with global and path-specific settings [2][3]. Key configuration elements include: Schema Validation The configuration file should include a YAML schema reference at the top to enable auto-completion and validation in many IDEs [1]: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json Reviews Configuration The reviews section within the YAML file handles specific review behavior, including: reviews.instructions: This field accepts natural language guidance that applies to every file in every pull request [3]. It is used to define project-wide conventions, set the overall tone (e.g., tone_instructions), and specify what CodeRabbit should focus on or avoid [3]. reviews.path_instructions: This is a powerful feature for providing domain-specific review guidance [3]. It is an array of objects where you define a pattern (to match directories or files) and the specific instructions to apply when those files are modified [4][3]. This allows you to tailor analysis focus—such as security checks for API routes or performance guidelines for database queries—only when relevant files change [3]. Tone Instructions While there is no dedicated "tone_instructions" field in the schema, tone is effectively managed via the reviews.profile setting (e.g., "chill", "informative") and the reviews.instructions field, where you can explicitly describe the desired tone for the AI's feedback [1][3]. Repository Settings You can generate the current configuration in YAML format by using the @coderabbitai configuration command on any pull request [1]. Additionally, the CodeRabbit web interface provides a YAML editor mode that matches this format and includes real-time schema validation [5].
Citations:
- 1: https://coderabbit.mintlify.app/getting-started/yaml-configuration
- 2: https://docs.coderabbit.ai/getting-started/yaml-configuration
- 3: https://dev.to/rahulxsingh/coderabbit-configuration-coderabbityaml-reference-5493
- 4: https://docs.coderabbit.ai/configuration/path-instructions
- 5: https://docs.coderabbit.ai/guides/repository-settings
Move the shared guidance into reviews.instructions — a top-level instructions key is ignored; repo-wide guidance belongs in reviews.instructions, and file-scoped rules go in reviews.path_instructions. If you want tone changes, use reviews.profile or describe them in reviews.instructions.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In @.coderabbit.yaml around lines 200 - 232, The repository-wide guidance is
currently defined under a top-level instructions key, which is ignored by the
review system. Move this content into reviews.instructions so it applies
globally, and use reviews.path_instructions only for file-specific rules; if you
need tone changes, place them in reviews.profile or keep them in
reviews.instructions.
Add CodeRabbit configuration to enforce Red Hat Product Security standards and prevent incomplete code review suggestions.
Key features:
Security standards:
References: snapshotmanager/boom-boot#405
Resolves similar issues to boom-boot#351
Summary by CodeRabbit