Skip to content

add support for ai-prompts in the comments #24

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
homanp merged 1 commit into from
May 25, 2026
Merged

add support for ai-prompts in the comments #24

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
16 changes: 15 additions & 1 deletion src/services/__tests__/prScan.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { beforeEach, describe, expect, it, vi } from "vitest";
import { CHECK_NAMES, DEFAULT_CONFIG } from "../../lib/types.js";
import { CHECK_NAMES, DEFAULT_CONFIG, MARKERS } from "../../lib/types.js";
import { runPrScan } from "../prScan.js";
import { fingerprintPrFindingCommentBody } from "../prFindings.js";

const isPrFindingFingerprintDismissedMock = vi.hoisted(() => vi.fn());

Expand Down Expand Up @@ -97,8 +98,21 @@ describe("runPrScan", () => {
expect(body).toContain("A new postinstall hook executes a remote script.");
expect(body).toContain("Remove the lifecycle hook");
expect(body).toContain("**P1:** Suspicious lifecycle hook");
expect(body).toContain("<summary>AI prompt</summary>");
expect(body).toContain("Check if this security scanner issue is valid.");
expect(body).toContain('<file name="package.json">');
expect(body).toContain('<violation number="1" location="package.json:1">');
expect(body).toContain("<title>Suspicious lifecycle hook</title>");
expect(body).not.toContain("Fix:");
expect(body).not.toContain("Recommended fix");
expect(fingerprintPrFindingCommentBody(body)).toBe(
fingerprintPrFindingCommentBody(`${MARKERS.PR_FINDING}
**P1:** Suspicious lifecycle hook

A new postinstall hook executes a remote script.

Remove the lifecycle hook or replace it with reviewed local setup code.`),
);
});

it("does not recreate comments for previously dismissed findings", async () => {
Expand Down
63 changes: 61 additions & 2 deletions src/services/prScan.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,7 +137,7 @@ function isFindingDismissed(
}

function fingerprintPrFinding(finding: PrFinding): string {
return fingerprintPrFindingCommentBody(renderInlineFindingCommentBody(finding))!;
return fingerprintPrFindingCommentBody(renderInlineFindingFingerprintBody(finding))!;
}

function renderFindingsSummary(findings: PrFinding[]): string {
Expand Down Expand Up @@ -209,10 +209,16 @@ async function deleteInlineFindingComments(

function renderInlineFindingComment(finding: PrFinding): string {
const body = renderInlineFindingCommentBody(finding);
return appendPrFindingFingerprint(body, fingerprintPrFindingCommentBody(body)!);
return appendPrFindingFingerprint(body, fingerprintPrFinding(finding));
}

function renderInlineFindingCommentBody(finding: PrFinding): string {
return `${renderInlineFindingFingerprintBody(finding)}

${renderAiPrompt(finding)}`;
}

function renderInlineFindingFingerprintBody(finding: PrFinding): string {
const evidence = compactSentence(finding.short_evidence ?? finding.evidence, 180);
const recommendation = compactSentence(
finding.short_recommendation ?? finding.recommendation,
Expand All @@ -227,6 +233,59 @@ ${evidence}
${recommendation}`;
}

function renderAiPrompt(finding: PrFinding): string {
return `<details>
<summary>AI prompt</summary>

${markdownCodeFence(renderAiPromptText(finding))}

</details>`;
}

function renderAiPromptText(finding: PrFinding): string {
const file = finding.file ?? "unknown";
const location = finding.file
? `${finding.file}${finding.line ? `:${finding.line}` : ""}`
: finding.line
? `line ${finding.line}`
: "unknown";

return `Check if this security scanner issue is valid. If so, understand the root cause and fix it. If appropriate, update or add tests. Keep the change focused and preserve intended behavior.

<file name="${escapeXmlAttribute(file)}">
<violation number="1" location="${escapeXmlAttribute(location)}">
<priority>${escapeXmlText(formatFindingPriority(finding.severity))}</priority>
<title>${escapeXmlText(finding.title)}</title>
<evidence>${escapeXmlText(finding.evidence)}</evidence>
<recommendation>${escapeXmlText(finding.recommendation)}</recommendation>
</violation>
</file>`;
}

function markdownCodeFence(value: string): string {
const fenceLength = Math.max(
3,
...Array.from(value.matchAll(/`+/g), (match) => match[0].length + 1),
);
const fence = "`".repeat(fenceLength);
return `${fence}text
${value}
${fence}`;
}

function escapeXmlText(value: string): string {
return value
.replace(/&/g, "&amp;")
.replace(/</g, "&lt;")
.replace(/>/g, "&gt;");
}

function escapeXmlAttribute(value: string): string {
return escapeXmlText(value)
.replace(/"/g, "&quot;")
.replace(/'/g, "&apos;");
}

function compactSentence(value: string, maxLength: number): string {
const compact = value.replace(/\s+/g, " ").trim();
if (compact.length <= maxLength) return compact;
Expand Down
Loading