feat: add Cisco skill scanning and security ops reporting#1
feat: add Cisco skill scanning and security ops reporting#1internet-dot merged 2 commits intomainfrom
Conversation
Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the Codex Plugin Scanner to version 1.1.0, introducing Cisco-backed skill scanning and a security-ops focus. Key features include new report formats (SARIF, Markdown), severity-based CI gating, and a normalized scoring system that handles non-applicable checks. The review feedback highlights a scoring logic error when the Cisco scanner is unavailable, an inefficiency in the GitHub Action documentation, and a missing data extraction for skipped skills in the Cisco integration.
| return CheckResult( | ||
| name="Cisco skill scan completed", | ||
| passed=True, | ||
| points=3, | ||
| max_points=3, | ||
| message=summary.message, | ||
| ) |
There was a problem hiding this comment.
When the Cisco skill scanner is unavailable in 'auto' mode, this check incorrectly awards full points (3/3). This rewards projects for not having the optional cisco dependencies installed. Instead, the check should be marked as not applicable (0/0 points) to ensure scores are normalized correctly, as described in the README.
| return CheckResult( | |
| name="Cisco skill scan completed", | |
| passed=True, | |
| points=3, | |
| max_points=3, | |
| message=summary.message, | |
| ) | |
| return CheckResult( | |
| name="Cisco skill scan completed", | |
| passed=True, | |
| points=0, | |
| max_points=0, | |
| message=summary.message, | |
| applicable=False, | |
| ) |
README.md
Outdated
| - name: Scan plugin | ||
| run: codex-plugin-scanner ./my-plugin | ||
| run: codex-plugin-scanner ./my-plugin --fail-on-severity high | ||
| - name: Upload SARIF | ||
| run: codex-plugin-scanner ./my-plugin --format sarif --output codex-plugin-scanner.sarif |
There was a problem hiding this comment.
The GitHub Action example runs the scanner twice, which is inefficient. You can combine these two steps into a single run to both check for failures and generate the SARIF report. This will make the CI pipeline faster.
| - name: Scan plugin | |
| run: codex-plugin-scanner ./my-plugin | |
| run: codex-plugin-scanner ./my-plugin --fail-on-severity high | |
| - name: Upload SARIF | |
| run: codex-plugin-scanner ./my-plugin --format sarif --output codex-plugin-scanner.sarif | |
| - name: Scan plugin | |
| run: codex-plugin-scanner ./my-plugin --fail-on-severity high --format sarif --output codex-plugin-scanner.sarif |
| message=f"Cisco skill scanner completed using the {policy_name} policy preset.", | ||
| findings=tuple(findings), | ||
| skills_scanned=int(summary.get("total_skills_scanned", 0)), | ||
| skills_skipped=skills_skipped, |
There was a problem hiding this comment.
The skills_skipped field is always an empty tuple. The _analyzability_check relies on this field to report on skipped skills. If the cisco-ai-skill-scanner payload contains information on skipped skills, it should be extracted and populated here. For example, it might be in the summary dictionary from the payload.
![kilo-code-bot[bot]](https://avatars.githubusercontent.com/in/2193792?s=60&v=4){kind=small}
|
|
||
|
|
||
| def _availability_check(summary: CiscoSkillScanSummary, mode: str) -> CheckResult: | ||
| if summary.status in {CiscoIntegrationStatus.ENABLED, CiscoIntegrationStatus.SKIPPED}: |
There was a problem hiding this comment.
WARNING: Logic issue: when status is UNAVAILABLE or FAILED and mode is not "on", this falls through to the else branch at line 86 which returns passed=True with 3 points.
When cisco_skill_scan="auto" and the Cisco scanner is installed but the scan itself fails (status=FAILED), or when it's unavailable in auto mode, the check silently passes and awards points. The else branch should not unconditionally grant points — it should check whether the scanner was expected to be available.
| CategoryResult(name="Best Practices", checks=run_best_practice_checks(resolved)), | ||
| CategoryResult(name="Marketplace", checks=run_marketplace_checks(resolved)), | ||
| CategoryResult(name="Skill Security", checks=run_skill_security_checks(resolved, scan_options)), | ||
| CategoryResult(name="Code Quality", checks=run_code_quality_checks(resolved)), |
There was a problem hiding this comment.
WARNING: run_cisco_skill_scan is called redundantly. run_skill_security_checks on this line calls run_cisco_skill_scan internally, and then _build_integration_results on line 91 calls it again with the same arguments. This means the Cisco skill scanner executes twice per scan. Consider caching the result or having _build_integration_results reuse the summary already produced by the skill security checks.
|
|
||
|
|
||
| def _is_safe_source(plugin_dir: Path, source: str) -> bool: | ||
| if source.startswith(("http://", "https://", "git+", "github://")): |
There was a problem hiding this comment.
SUGGESTION: Allowing http:// sources is a security risk. Marketplace sources fetched over plain HTTP are vulnerable to MITM attacks. Consider requiring https:// or git+ schemes only.
Code Review SummaryStatus: No New Issues Found | Recommendation: Merge All 3 issues from the previous review have been resolved in commit Previous Issues — Resolved
Changes in This Commit
Files Reviewed (7 files)
Reviewed by mimo-v2-pro-20260318 · 344,844 tokens |
Signed-off-by: Michael Kantor <6068672+kantorcodes@users.noreply.github.com>
internet-dot
left a comment
internet-dot
left a comment
There was a problem hiding this comment.
LGTM. All checks passing, clean feature addition.
2 participants
Summary
Verification
./.venv/bin/python -m pytest./.venv/bin/ruff check src tests./.venv/bin/python -m buildNotes
ciscoextra and can be required per run with--cisco-skill-scan on..claude/were intentionally not included in this PR.