
feat: scope PR annotations to changed files with --changed-from #1

Merged
mackeh merged 25 commits into main from chore/verify-pr-annotations-v011
Feb 8, 2026

Conversation


@mackeh mackeh (Owner) commented Feb 7, 2026

Implements major Phase 2 progress across PR signal quality and multi-language coverage.

What changed

  • Added aishield scan --changed-from <ref> to scope scans to changed files
  • Wired PR annotation workflow step to use PR base SHA
  • Added optional SAST bridge orchestration: --bridge semgrep,bandit,eslint|all
  • Bridge engines run in parallel and normalize findings into AIShield unified schema
  • Added config support: bridge_engines: []
  • CI now installs bridge tools by default (Semgrep/Bandit/ESLint), toggleable via repo vars
  • Fixed SARIF/annotation line+column clamping for strict SARIF validity
  • Added initial Go/Rust/Java language support in source scanner
  • Added starter Go/Rust/Java rulepacks (auth/crypto/injection)
  • Added vulnerable fixture suites for Go/Rust/Java
  • Updated docs and changelog for all changes

Why

  • Reduce PR annotation noise and improve review relevance.
  • Deliver initial multi-engine orchestration and normalization from the roadmap.
  • Expand language coverage beyond Python/JavaScript with immediate usable detections.

Validation

  • cargo fmt
  • cargo test
  • aishield scan ... --changed-from ... behavior
  • aishield scan ... --bridge all (with graceful warnings locally when tools missing)
  • CI run with bridge installs enabled and SARIF upload success
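To show what `--changed-from <ref>` scoping has to get right, here is an added example (my own code, not AIShield's): it walks the unified diff between the base ref and HEAD, keeps only findings that sit on lines the PR added, and clamps the SARIF region so a column of 0 (common when an engine has no column data) does not fail strict validation. The `Finding` shape, the sample diff, the sample findings and the placeholder rule ID `EXAMPLE-SQL-CONCAT` are constructed for this example; AIShield's real unified schema and CLI internals are not shown on this page.

```rust
use std::collections::{BTreeSet, HashMap};

/// One scanner finding in the shape this example assumes (hypothetical; not
/// AIShield's real unified schema). `line`/`column` are 1-based, but engines
/// sometimes emit 0 when they have no column information.
#[derive(Debug, Clone, PartialEq)]
pub struct Finding {
    pub file: String,
    pub line: u32,
    pub column: u32,
    pub rule_id: String,
}

/// Walk a unified diff (what `git diff <base>...HEAD` prints) and collect, per
/// new-side path, the line numbers that were added or modified. Only `+` lines
/// count: context lines are unchanged code, and annotating them brings back
/// exactly the noise changed-file scoping is meant to remove.
pub fn added_lines(diff: &str) -> HashMap<String, BTreeSet<u32>> {
    let mut out: HashMap<String, BTreeSet<u32>> = HashMap::new();
    let mut file: Option<String> = None;
    let mut new_line: u32 = 0;
    for raw in diff.lines() {
        if raw.starts_with("diff --git") {
            file = None; // new file section: wait for its "+++" header
        } else if let Some(p) = raw.strip_prefix("+++ ") {
            let p = p.strip_prefix("b/").unwrap_or(p);
            file = (p != "/dev/null").then(|| p.to_string()); // deleted files have no new side
        } else if let Some(h) = raw.strip_prefix("@@ ") {
            // "@@ -10,4 +10,7 @@ ..." -> the new side of this hunk starts at line 10
            let plus = h.split_whitespace().nth(1).unwrap_or("+1");
            let start = plus.trim_start_matches('+').split(',').next().unwrap_or("1");
            new_line = start.parse().unwrap_or(1);
        } else if let Some(f) = &file {
            match raw.chars().next() {
                Some('+') => {
                    out.entry(f.clone()).or_default().insert(new_line);
                    new_line += 1;
                }
                Some('-') | Some('\\') => {} // removed line / "\ No newline at end of file"
                _ => new_line += 1,          // context line: advances the new-side counter only
            }
        }
    }
    out
}

/// Keep only findings that sit on a line this PR added or modified.
pub fn scope_to_changed(findings: &[Finding], changed: &HashMap<String, BTreeSet<u32>>) -> Vec<Finding> {
    findings
        .iter()
        .filter(|f| changed.get(&f.file).map_or(false, |lines| lines.contains(&f.line)))
        .cloned()
        .collect()
}

/// SARIF 2.1.0 requires `startLine` and `startColumn` to be >= 1. A 0 from an
/// engine with no column info fails strict validation, so clamp before emitting.
pub fn sarif_region(f: &Finding) -> (u32, u32) {
    (f.line.max(1), f.column.max(1))
}

/// Constructed sample diff (not from the project): one Go file gains a
/// non-constant-time token comparison, one Java file only loses a line.
pub const SAMPLE_DIFF: &str = "\
diff --git a/src/auth.go b/src/auth.go
--- a/src/auth.go
+++ b/src/auth.go
@@ -10,4 +10,7 @@ func check(token, incoming string) bool {
     if len(token) == 0 {
         return false
     }
+    if token == incoming {
+        return true
+    }
     return false
diff --git a/src/Legacy.java b/src/Legacy.java
--- a/src/Legacy.java
+++ b/src/Legacy.java
@@ -40,3 +40,2 @@ class Legacy {
     String id = req.getParameter(\"id\");
-    String query = \"SELECT * FROM users WHERE id = \" + id;
     return id;
";

/// Constructed findings, as an engine might report them over the whole tree.
pub fn sample_findings() -> Vec<Finding> {
    let f = |file: &str, line: u32, column: u32, rule: &str| Finding {
        file: file.to_string(), line, column, rule_id: rule.to_string(),
    };
    vec![
        f("src/auth.go", 13, 0, "AISHIELD-GO-AUTH-001"),        // on an added line: keep (column 0 gets clamped)
        f("src/auth.go", 10, 5, "AISHIELD-GO-AUTH-001"),        // context line: drop
        f("src/Legacy.java", 40, 9, "EXAMPLE-SQL-CONCAT"),      // file in diff, line untouched: drop (placeholder rule ID)
        f("src/Crypto.java", 7, 1, "AISHIELD-JAVA-CRYPTO-002"), // file not in diff at all: drop
    ]
}

fn main() {
    let changed = added_lines(SAMPLE_DIFF);
    for f in scope_to_changed(&sample_findings(), &changed) {
        let (line, col) = sarif_region(&f);
        println!("{}:{}:{} {}", f.file, line, col, f.rule_id);
    }
}
```

In a PR workflow the `<ref>` is the PR base SHA, and the three-dot form `git diff <base>...HEAD` diffs against the merge base, so commits that landed on main after the branch point do not widen the scope. Scoping by added line rather than by changed file is the stricter choice; if the intent is to annotate every finding in any touched file, filter on the map's keys instead of on line membership.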

@mackeh mackeh changed the title from "chore: verify PR annotations workflow" to "feat: scope PR annotations to changed files with --changed-from" on Feb 7, 2026
@mackeh mackeh marked this pull request as ready for review February 7, 2026 21:22
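Added example (my own code, not AIShield's) for the `--bridge semgrep,bandit,eslint|all` orchestration described above: parse the engine spec, run the selected engines in parallel with `std::thread::scope`, and turn a binary that is not on PATH into a warning instead of a scan failure, which is the "graceful warnings locally when tools missing" behaviour the Validation list mentions. The JSON-output flags are real options of the three CLIs but are my choice here, not what AIShield passes; normalizing each tool's JSON into the unified schema is the step that would follow and is not shown.

```rust
use std::io::ErrorKind;
use std::process::{Command, Stdio};
use std::thread;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Engine { Semgrep, Bandit, Eslint }

impl Engine {
    pub const ALL: [Engine; 3] = [Engine::Semgrep, Engine::Bandit, Engine::Eslint];

    pub fn binary(self) -> &'static str {
        match self { Engine::Semgrep => "semgrep", Engine::Bandit => "bandit", Engine::Eslint => "eslint" }
    }

    /// Arguments that make each tool print a JSON report for `target`. These are
    /// real CLI flags, chosen for this example (assumption: not AIShield's own invocation).
    pub fn args(self, target: &str) -> Vec<String> {
        let a: Vec<&str> = match self {
            Engine::Semgrep => vec!["scan", "--json", "--config", "auto", target],
            Engine::Bandit => vec!["-r", "-f", "json", target],
            Engine::Eslint => vec!["-f", "json", target],
        };
        a.into_iter().map(String::from).collect()
    }
}

/// Parse the `--bridge` value: `all`, or a comma-separated list of known engines.
/// Unknown names are an error rather than silently ignored, so a typo cannot
/// quietly drop an engine from the CI run.
pub fn parse_bridge_spec(spec: &str) -> Result<Vec<Engine>, String> {
    if spec.trim() == "all" {
        return Ok(Engine::ALL.to_vec());
    }
    let mut out = Vec::new();
    for name in spec.split(',').map(str::trim).filter(|s| !s.is_empty()) {
        let e = match name {
            "semgrep" => Engine::Semgrep,
            "bandit" => Engine::Bandit,
            "eslint" => Engine::Eslint,
            other => return Err(format!("unknown bridge engine: {other}")),
        };
        if !out.contains(&e) {
            out.push(e);
        }
    }
    if out.is_empty() { Err("no bridge engines given".to_string()) } else { Ok(out) }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    /// Tool ran; stdout carries its JSON report for the normalization step.
    Output(String),
    /// Tool binary not on PATH: a warning for the user, not a failed scan.
    Missing,
    /// Tool ran but produced no output and a non-zero status; stderr kept for the log.
    Failed(String),
}

/// Run one bridge tool to completion and classify the result.
pub fn run_one(binary: &str, args: &[String]) -> Outcome {
    match Command::new(binary).args(args).stdin(Stdio::null()).output() {
        Ok(out) => {
            let stdout = String::from_utf8_lossy(&out.stdout).into_owned();
            // These tools can exit non-zero precisely because they found issues,
            // so a non-zero status with a report on stdout is still a successful run.
            if out.status.success() || !stdout.trim().is_empty() {
                Outcome::Output(stdout)
            } else {
                Outcome::Failed(String::from_utf8_lossy(&out.stderr).into_owned())
            }
        }
        Err(e) if e.kind() == ErrorKind::NotFound => Outcome::Missing,
        Err(e) => Outcome::Failed(e.to_string()),
    }
}

/// Run every selected engine on its own thread and collect the results in order.
pub fn run_bridges(engines: &[Engine], target: &str) -> Vec<(Engine, Outcome)> {
    thread::scope(|s| {
        let handles: Vec<_> = engines
            .iter()
            .map(|&e| s.spawn(move || (e, run_one(e.binary(), &e.args(target)))))
            .collect();
        handles.into_iter().map(|h| h.join().expect("bridge thread panicked")).collect()
    })
}

fn main() {
    let engines = parse_bridge_spec("all").expect("valid spec");
    for (e, outcome) in run_bridges(&engines, ".") {
        match outcome {
            Outcome::Output(json) => println!("{}: {} bytes of JSON to normalize", e.binary(), json.len()),
            Outcome::Missing => eprintln!("warning: {} not installed, skipping bridge", e.binary()),
            Outcome::Failed(err) => eprintln!("error: {} failed: {}", e.binary(), err.trim()),
        }
    }
}
```

One caveat for CI: `Missing` is the right outcome for a developer's laptop, but in a pipeline that installs the bridge tools by default a missing binary usually means the install step broke, so a workflow may want to promote `Missing` to a failure when the repo variable that enables bridge installs is set.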

Inline code scanning annotations from the Files changed tab (the AIShield workflow run on this PR's own diff; the flagged snippets sit inside string literals of the new rulepack source, pattern/replacement pairs keyed by rule ID, and in fixture code):

  • `MessageDigest.getInstance("MD5");` and `String query = "SELECT * FROM users WHERE id = " + userInput;`: Check failure, Code scanning / AIShield, SQL Query Built with String Concatenation (AI confidence 79.0%, risk 76.7)
  • `"AISHIELD-JAVA-CRYPTO-002" => vec![("new Random()", "new java.security.SecureRandom()")],` followed by `"AISHIELD-JAVA-AUTH-001" => vec![("if (token == provided)", "if (token.equals(provided))"), ("if(token == provided)", "if(token.equals(provided))"),`: Check failure, Code scanning / AIShield, Timing-Unsafe Token Comparison (AI confidence 79.0%, risk 75.7), reported twice on adjacent lines
  • `"exec.Command(\"cat\", userInput)",` followed by `"AISHIELD-GO-AUTH-001" => vec![("if token == incoming",`: Check failure, Code scanning / AIShield, Timing-Unsafe Token Comparison (AI confidence 79.0%, risk 75.7)
@github-advanced-security github-advanced-security bot left a comment
AIShield found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

@github-advanced-security

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

@mackeh mackeh merged commit e497f93 into main Feb 8, 2026
2 of 3 checks passed
Labels: None yet
Projects: None yet
1 participant