Skip to content

Add portfolio security drift gate#148

Merged
saagpatel merged 1 commit into
mainfrom
codex/portfolio-security-gate
Jul 4, 2026
Merged

Add portfolio security drift gate#148
saagpatel merged 1 commit into
mainfrom
codex/portfolio-security-gate

Conversation

@saagpatel

Copy link
Copy Markdown
Owner

What

Adds a first-class audit security-gate command that reads output/portfolio-truth-latest.json and fails when scanned repos have open high/critical Dependabot alerts.

Why

The portfolio is currently clear of high/critical alerts, so the highest-leverage follow-up is a small guardrail that catches regression without adding another broad dashboard or manual review ritual.

Review Of What Was Built

  • Added src/portfolio_security_gate.py for snapshot-level pass/fail security drift evaluation.
  • Wired audit security-gate --output-dir output plus --json output into the CLI.
  • Added focused tests for pass, fail, missing-overlay, parser, and CLI behavior.
  • Documented the gate in docs/security-model.md.

Cleanup Review

Kept the gate narrow: it uses the existing portfolio truth/security overlay and does not create a separate dashboard, scheduler, or write path.

Verification Summary

  • python3.13 -m ruff check src/portfolio_security_gate.py tests/test_portfolio_security_gate.py src/cli.py passed.
  • python3.13 -m pytest -q tests/test_portfolio_security_gate.py tests/test_portfolio_decision_queue.py tests/test_security_burndown.py tests/test_cli_subcommands.py tests/test_cli_hardening.py passed: 141 tests.
  • python3.13 -m src.cli security-gate --output-dir output --json passed against the live snapshot: 135 scanned, 0 open critical, 0 open high.

Shipped Summary

The branch now has a reusable security drift tripwire that returns nonzero on high/critical portfolio regression and treats missing security overlay data as unknown, not healthy.

Next Phase

Thread this command into the recurring portfolio review or whichever automation owns security posture checks. Main risk is noisy scheduling: the gate should run only after a fresh GHAS overlay and portfolio-truth refresh.

Remaining Roadmap

  • Add automation wiring after confirming the right scheduled owner.
  • Consider a compact operator note only when the gate fails or reports unknown.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f16de95e12

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".


@property
def passed(self) -> bool:
return self.scanned_count > 0 and self.repos_with_open_high_critical == 0

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Treat partial security overlays as unknown

When a snapshot has a partial security overlay—for example, one repo has alerts_available: true and another repo is skipped/unavailable with alerts_available: false—this still returns PASS and the CLI exits 0 as long as the scanned repo is clear. The command is advertised as making missing overlay data unknown/nonzero, and the portfolio truth contract keeps unscanned repos distinct so consumers do not treat them as healthy; this gate should track unscanned projects and report unknown/nonzero when coverage is incomplete.

Useful? React with 👍 / 👎.

@saagpatel
saagpatel merged commit 87b1cb2 into main Jul 4, 2026
4 checks passed
@saagpatel
saagpatel deleted the codex/portfolio-security-gate branch July 4, 2026 11:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant