Improve SAST monorepo SARIF coverage gates#1541

Open
bozicovichsantiago20-oss wants to merge 1 commit into
UnitOneAI:mainfrom
bozicovichsantiago20-oss:codex/sast-monorepo-sarif-1527

Conversation

@bozicovichsantiago20-oss

Skill Improvement ($50-150 Bounty)

Skill Modified

Skill name: sast-config
Skill path: skills/devsecops/sast-config/

What Was Wrong

Issue #1527 shows that the skill could report healthy repo-level CWE/ASVS SAST coverage while a polyglot monorepo only scans one package, one language, or one subdirectory. It also did not require SARIF/log evidence for included and excluded paths, generated/vendor LOC inflation, or per-release-component coverage.

What This PR Fixes

  • Adds a workspace and release component inventory step for monorepo boundaries and production deployables.
  • Adds a SARIF completeness gate covering CodeQL language matrices, extractor logs, Semgrep include/exclude/subdir flags, SonarQube module mapping, scan commit SHA, and branch protection context.
  • Requires each production component and language to map to an artifact or approved exclusion.
  • Adds per-component rule coverage guidance and a Workspace Coverage Matrix output.
  • Adds Not Evaluable guidance when scan artifacts cannot be tied back to production components.
  • Adds a common pitfall for one green monorepo scan being treated as complete coverage.

Evidence

Before: A single green CodeQL/Semgrep/Sonar job could be treated as repository-wide SAST maturity even if only the root package, one matrix language, or one --subdir was scanned.

After: The skill requires a component-to-artifact matrix and path/SARIF evidence before marking coverage complete. Missing Go/Python services, generated/vendor LOC inflation, or stale/base-branch scan SHAs are explicitly classified as gaps.

Test Cases Added/Updated

  • Added vulnerable test cases (tests/vulnerable/)
  • Added benign test cases (tests/benign/)
  • Existing markdown structure validated manually

Validation performed:

  • git diff --check
  • Markdown fence balance check: 22 fences, balanced
  • Marker checks for workspace inventory, SARIF completeness, Workspace Coverage Matrix, generated/vendor LOC, Not Evaluable, automationDetails.id, --subdir, and CodeQL language matrix

Bounty Tier

  • Minor ($50) - Doc update, small logic tweak, typo fix
  • Moderate ($100) - New edge case coverage, FP reduction with evidence
  • Substantial ($150) - Rewritten detection logic, major coverage expansion

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: PayPal

Related issue: #1527
Attempt: #1527 (comment)
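The component-to-artifact gate described in this PR can be sketched as a small check over SARIF runs. The following is an added example written for this page, not code from the sast-config skill or the UnitOneAI repository. It reads only standard SARIF 2.1.0 fields (`runs[].tool.driver.name`, `runs[].automationDetails.id`, `runs[].versionControlProvenance[].revisionId`, `runs[].artifacts[].location.uri`); the `Component` inventory shape, the extension-to-language table, the generated/vendor path fragments, and the sample SARIF documents and commit SHA are all constructed assumptions for the example. A component is marked `covered` only when an evaluable run (category id present, scan SHA equal to the release SHA) contains a non-vendor, non-generated artifact of the component's language under its path; a run taken at a stale SHA yields a `gap`, a run that cannot be tied back to a category or commit yields `not_evaluable`, and approved exclusions are reported as such.

```python
"""Workspace Coverage Matrix over SARIF runs (added example, not the skill's own code)."""
from __future__ import annotations

import os
from dataclasses import dataclass

# Assumption for this example: derive a scanned language from the artifact's extension.
EXT_TO_LANG = {".py": "python", ".go": "go", ".js": "javascript", ".ts": "javascript", ".rb": "ruby"}
# Assumption: path fragments treated as generated/vendor code that must not count as coverage.
NOISE_FRAGMENTS = ("vendor/", "node_modules/", "generated/")


@dataclass(frozen=True)
class Component:
    """One production deployable from the workspace inventory (hypothetical shape)."""
    name: str
    path: str       # workspace path prefix, e.g. "services/api/"
    language: str   # language the component must be scanned for


def _classify_run(run: dict, expected_sha: str) -> tuple[str, str]:
    """Return ("ok", "") when the run is usable evidence, otherwise (status, reason)."""
    if not run.get("automationDetails", {}).get("id"):
        return "not_evaluable", "missing automationDetails.id"
    revs = [v.get("revisionId") for v in run.get("versionControlProvenance", []) if v.get("revisionId")]
    if not revs:
        return "not_evaluable", "missing versionControlProvenance.revisionId"
    if expected_sha not in revs:
        return "gap", f"scan SHA {revs[0][:7]} is not the release SHA"
    return "ok", ""


def _scanned_languages_under(run: dict, prefix: str) -> set[str]:
    """Languages of real (non-vendor, non-generated) artifacts the run scanned under prefix."""
    langs: set[str] = set()
    for art in run.get("artifacts", []):
        uri = art.get("location", {}).get("uri", "")
        if not uri.startswith(prefix) or any(f in uri for f in NOISE_FRAGMENTS):
            continue
        lang = EXT_TO_LANG.get(os.path.splitext(uri)[1])
        if lang:
            langs.add(lang)
    return langs


def coverage_matrix(inventory, sarif_docs, expected_sha, approved_exclusions=frozenset()):
    """Return (component, language, status, evidence) rows; status is one of
    covered | gap | not_evaluable | excluded."""
    evidence, problems = [], []
    for doc in sarif_docs:
        for run in doc.get("runs", []):
            status, why = _classify_run(run, expected_sha)
            (evidence if status == "ok" else problems).append((run, status, why))
    rows = []
    for comp in inventory:
        if comp.name in approved_exclusions:
            rows.append((comp.name, comp.language, "excluded", "approved exclusion"))
            continue
        hits = [run for run, _, _ in evidence if comp.language in _scanned_languages_under(run, comp.path)]
        if hits:
            tools = sorted({run["tool"]["driver"]["name"] for run in hits})
            rows.append((comp.name, comp.language, "covered", ", ".join(tools)))
            continue
        # A run touched the component but is not usable evidence: report why, not a silent pass.
        bad = [(s, w) for run, s, w in problems if comp.language in _scanned_languages_under(run, comp.path)]
        if bad:
            rows.append((comp.name, comp.language, bad[0][0], bad[0][1]))
        else:
            rows.append((comp.name, comp.language, "gap", "no SARIF artifact under path"))
    return rows


def gate_passes(rows) -> bool:
    """The coverage gate passes only when every component is covered or explicitly excluded."""
    return all(status in ("covered", "excluded") for _, _, status, _ in rows)


# ---- constructed sample data (not from any real repository) ----
RELEASE_SHA = "0123456789abcdef0123456789abcdef01234567"
STALE_SHA = "fedcba9876543210fedcba9876543210fedcba98"
SAMPLE_INVENTORY = [
    Component("api", "services/api/", "python"),
    Component("worker", "services/worker/", "go"),
    Component("web", "web/", "javascript"),
    Component("legacy-tools", "tools/legacy/", "ruby"),
]


def _run(tool, category, sha, uris):
    """Build a minimal SARIF run with the fields the gate inspects."""
    return {
        "tool": {"driver": {"name": tool}},
        "automationDetails": {"id": category} if category else {},
        "versionControlProvenance": [{"repositoryUri": "https://example.invalid/repo", "revisionId": sha}],
        "artifacts": [{"location": {"uri": u}} for u in uris],
        "results": [],
    }


SAMPLE_SARIF = [
    {"version": "2.1.0", "runs": [_run("CodeQL", "language:python/", RELEASE_SHA,
        ["services/api/app.py", "services/api/vendor/dep.py", "services/worker/vendor/x.go"])]},
    {"version": "2.1.0", "runs": [_run("CodeQL", "language:go/", STALE_SHA, ["services/worker/main.go"])]},
    {"version": "2.1.0", "runs": [_run("Semgrep", None, RELEASE_SHA, ["web/src/index.ts"])]},
]

if __name__ == "__main__":
    rows = coverage_matrix(SAMPLE_INVENTORY, SAMPLE_SARIF, RELEASE_SHA, {"legacy-tools"})
    for row in rows:
        print("{:<14} {:<11} {:<14} {}".format(*row))
    print("gate:", "PASS" if gate_passes(rows) else "FAIL")
```

Run as a script, the sample yields one covered component (api, via the CodeQL python run), a gap for worker (its only Go artifact comes from a run at a stale SHA; the vendored Go file in the python run does not count), a not_evaluable row for web (the Semgrep run has no automationDetails.id to tie it to a category), and an excluded row for legacy-tools, so the gate fails rather than treating the one green CodeQL run as repository-wide coverage.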
