feat(triage-security): add deployment context classification#219
Conversation
Reviewer's GuideAdds deployment-context-aware coordination guidance to triage-security remediation tasks, wiring deployment context extraction from Security Configuration through triage-security’s data flow while keeping behavior backward compatible when the column is absent. Flow diagram for deployment-context-aware triage-security remediation guidanceflowchart TD
A[SecurityConfiguration SourceRepositories table] --> B[Step0 extract SourceRepositories]
B --> C{DeploymentContext column present}
C -->|yes| D[Build mapping: repo -> url, deployment_context]
C -->|no| E[Build mapping: repo -> url, deployment_context=upstream]
D --> F[Step1 deployment context lookup by affected repository]
E --> F
F --> G{Repo found in mapping}
G -->|yes| H[Record deployment_context in CVE metadata]
G -->|no| I[Set deployment_context=upstream]
H --> J[Step8 append Coordination Guidance to remediation tasks]
I --> J
File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
There was a problem hiding this comment.
Hey - I've left some high level feedback:
- The Security Configuration template now defines Source Repositories as a three-column table (Repository, URL, Deployment Context), but the new eval CLAUDE.md uses four columns (Repository, URL, Local Path, Deployment Context); double-check that the parser tolerates extra columns or update one of these so the format is consistent.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- The Security Configuration template now defines Source Repositories as a three-column table (Repository, URL, Deployment Context), but the new eval CLAUDE.md uses four columns (Repository, URL, Local Path, Deployment Context); double-check that the parser tolerates extra columns or update one of these so the format is consistent.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
There was a problem hiding this comment.
Eval Results
Eval Results: triage-security
| Eval | Passed | Failed | Pass Rate |
|---|---|---|---|
| eval-1 | 10/10 | 0 | 100% |
| eval-10 | 5/5 | 0 | 100% |
| eval-11 | 5/5 | 0 | 100% |
| eval-12 | 5/5 | 0 | 100% |
| eval-13 | 5/5 | 0 | 100% |
| eval-14 | 4/5 | 1 | 80% |
| eval-15 | 5/5 | 0 | 100% |
| eval-16 | 7/7 | 0 | 100% |
| eval-17 | 5/5 | 0 | 100% |
| eval-19 | 5/5 | 0 | 100% |
| eval-2 | 5/5 | 0 | 100% |
| eval-20 | 4/4 | 0 | 100% |
| eval-21 | 4/4 | 0 | 100% |
| eval-22 | 4/4 | 0 | 100% |
| eval-23 | 4/4 | 0 | 100% |
| eval-24 | 4/4 | 0 | 100% |
| eval-3 | 5/5 | 0 | 100% |
| eval-4 | 5/5 | 0 | 100% |
| eval-5 | 6/6 | 0 | 100% |
| eval-6 | 5/6 | 1 | 83% |
| eval-7 | 5/5 | 0 | 100% |
| eval-8 | 4/5 | 1 | 80% |
| eval-9 | 5/5 | 0 | 100% |
Failed Assertions
eval-14: 1 failing assertion
- Assertion: "SBOM verification uses cosign download sbom to compare the final container image SBOM against the base image SBOM (Step 2.3.5 sub-steps 2 and 4)"
Evidence: "The sbom-verification.md file references the SBOM comparison result conceptually (e.g. 'SBOM (final image)' vs 'SBOM (base image)' columns in the table) and states that cosign is available at '/usr/bin/cosign', but it never explicitly states or shows the use of 'cosign download sbom' as the command used to obtain the SBOMs. There is no mention of the specific cosign subcommand 'cosign download sbom', nor are the sub-step commands described or reproduced. The assertion requires evidence that cosign download sbom was specifically used — the file omits this."
eval-6: 1 failing assertion
- Assertion: "Each listed issue shows: issue key, status, CVE ID (from labels), summary, and created date"
Evidence: "The 'Excluded from Ready for QA' table in discovery-listing.md (lines 70-74) lists TC-9023 and TC-9026 with columns 'Issue | Status | CVE | Summary | Reason' — the Created date column is absent for these listed issues. All other tables (untriaged, triaged-but-new, and TC-9020 in Ready for QA) include all five required fields, but the excluded issues are still listed and lack the created date."
eval-8: 1 failing assertion
- Assertion: "Triage outcome recommends closing the issue because existing remediation task TC-8009 already bumps axios past the fix threshold — no new remediation task is created"
Evidence: "triage-outcome.md recommends against creating a new remediation task ('Decision: No New Remediation Task Needed') and references TC-8009 covering the fix. However, the recommended actions (lines 20-24) do NOT recommend closing the issue. Instead they say to link TC-8010 to TC-8009, add a comment, add label, and transition to In Progress. Lines 44-49 explicitly state 'This issue should not be closed' and the CVE Jira 'should remain open and linked to TC-8009 until the fix is delivered.' The triage outcome does not recommend closing the issue — it contradicts that assertion."
Pass rate: 98% · Tokens: 54,977 · Duration: 130s
Baseline (1f575ac4): 97% · 49,041 tokens · 111s
Eval Results: setup
| Eval | Passed | Failed | Pass Rate |
|---|---|---|---|
| eval-1 | 9/9 | 0 | 100% |
| eval-2 | 8/8 | 0 | 100% |
| eval-3 | 8/8 | 0 | 100% |
| eval-4 | 7/7 | 0 | 100% |
| eval-5 | 8/8 | 0 | 100% |
| eval-6 | 7/7 | 0 | 100% |
Pass rate: 100% · Tokens: 31,116 · Duration: 71s
Baseline (1f575ac4): 100% · 19,967 tokens · 41s
Generated by sdlc-workflow/run-evals v0.11.0
|
[sdlc-workflow/verify-pr] Re: @sourcery-ai[bot] review — Classified as suggestion — this observes a column count difference between the template (3 columns: Repository, URL, Deployment Context) and the eval fixture (4 columns, including Local Path). The mismatch is cosmetic: triage-security parses columns by header name, not position, so extra columns are tolerated. The eval fixture preserves the pre-existing Local Path column from sibling fixtures for consistency. No project convention governs template-fixture column alignment. No sub-task created. |
Verification Report for TC-4949 (commit e5fa858)
Overall: PASSAll checks pass. The sourcery-ai suggestion about template-vs-fixture column count (3 vs 4 columns for Source Repositories) is cosmetic — the parser uses header names, not positions, and eval 23 confirms it works correctly. No sub-tasks or root-cause investigation required. This comment was AI-generated by sdlc-workflow/verify-pr v0.11.0. |
…iation tasks Add per-repository deployment context (internal, upstream, customer-shipped) to setup skill's Source Repositories table. Triage-security extracts the context in Step 0, looks it up in Step 1, and appends context-appropriate coordination guidance to remediation task descriptions in Step 8. Backward compatible: when the Deployment Context column is absent, all repositories default to upstream and coordination guidance is omitted. Implements TC-4949 Assisted-by: Claude Code
Summary
Implements TC-4949
Test plan
🤖 Generated with Claude Code
Summary by Sourcery
Add deployment context awareness to triage-security so remediation tasks include context-specific coordination guidance while remaining backward compatible when deployment context is not configured.
New Features:
Enhancements:
Tests: