Add portfolio security drift gate#148
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: f16de95e12
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
|
|
||
| @property | ||
| def passed(self) -> bool: | ||
| return self.scanned_count > 0 and self.repos_with_open_high_critical == 0 |
There was a problem hiding this comment.
Treat partial security overlays as unknown
When a snapshot has a partial security overlay—for example, one repo has alerts_available: true and another repo is skipped/unavailable with alerts_available: false—this still returns PASS and the CLI exits 0 as long as the scanned repo is clear. The command is advertised as making missing overlay data unknown/nonzero, and the portfolio truth contract keeps unscanned repos distinct so consumers do not treat them as healthy; this gate should track unscanned projects and report unknown/nonzero when coverage is incomplete.
Useful? React with 👍 / 👎.
What
Adds a first-class
audit security-gatecommand that readsoutput/portfolio-truth-latest.jsonand fails when scanned repos have open high/critical Dependabot alerts.Why
The portfolio is currently clear of high/critical alerts, so the highest-leverage follow-up is a small guardrail that catches regression without adding another broad dashboard or manual review ritual.
Review Of What Was Built
src/portfolio_security_gate.pyfor snapshot-level pass/fail security drift evaluation.audit security-gate --output-dir outputplus--jsonoutput into the CLI.docs/security-model.md.Cleanup Review
Kept the gate narrow: it uses the existing portfolio truth/security overlay and does not create a separate dashboard, scheduler, or write path.
Verification Summary
python3.13 -m ruff check src/portfolio_security_gate.py tests/test_portfolio_security_gate.py src/cli.pypassed.python3.13 -m pytest -q tests/test_portfolio_security_gate.py tests/test_portfolio_decision_queue.py tests/test_security_burndown.py tests/test_cli_subcommands.py tests/test_cli_hardening.pypassed: 141 tests.python3.13 -m src.cli security-gate --output-dir output --jsonpassed against the live snapshot: 135 scanned, 0 open critical, 0 open high.Shipped Summary
The branch now has a reusable security drift tripwire that returns nonzero on high/critical portfolio regression and treats missing security overlay data as unknown, not healthy.
Next Phase
Thread this command into the recurring portfolio review or whichever automation owns security posture checks. Main risk is noisy scheduling: the gate should run only after a fresh GHAS overlay and portfolio-truth refresh.
Remaining Roadmap