Conversation
…l alerts The GitHub "Dependabot Security Updates Enabled" check previously passed whenever Dependabot was enabled on a repo, even when open high- or critical-severity alerts were waiting — hiding a real compliance risk behind a green checkmark. It now: - Accepts an `alert_severity_threshold` variable (default: `high`) so CX can configure what counts as a failure per connection. - Fails the check for the repo when open alerts at or above the threshold exist, using the highest actual severity present as the finding severity, and pointing the user at the repo's /security/dependabot page for remediation. - Preserves the transparent fallback when alert data cannot be fetched (e.g. 403) — no alert signal means no pass/fail regression. Severity helpers split into `dependabot-alert-severity.ts` for focused unit testing; the main check stays a single-responsibility orchestrator.
fix(integration-platform): fail Dependabot check on open high/critical alerts
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
![cubic-dev-ai[bot]](https://avatars.githubusercontent.com/in/1082092?s=60&v=4){kind=small}
The automation-run detail card in Compliance → Task → Integration Checks rendered a "View Evidence" expandable JSON tree for every *passing* result but never for a *failing* one — even though the backend saves the same `evidence` payload for both and the API returns it identically. After the Dependabot severity-gating change (#2643), failing runs surface useful context in their evidence (open_by_severity breakdown, checked_at, etc.) that users need to understand *why* the check failed. Hiding it behind a UI inconsistency defeats that. Mirror the passing block's `details > EvidenceJsonView` pattern onto the findings map so both states render identically.
fix(app): show evidence block for failed automation runs
Industry baseline (NIST 800-53 AC-11, CIS Benchmarks, common SOC 2 practice) is 15 minutes, not 5. Customers have repeatedly asked for this. Raise both the compliance-check maximum and the auto-fix target from 300s to 900s across macOS, Linux, and Windows. Update all user-facing copy (renderer labels, guided instructions, docs, framework task/seed descriptions, SPEC) to match. Pure relaxation: devices currently passing (≤5 min) still pass; devices failing at 6–15 min now pass. No migration required. Seed template changes affect new orgs only; existing task rows are unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…g init
The org initialization transaction was firing ~100 sequential queries for a
typical SOC 2 onboarding — two loops inside the transaction were the main
contributors:
1. Per-policy `policy.update` to set `currentVersionId` after creating
PolicyVersion rows (one UPDATE per new policy).
2. Per-control `control.update({ policies: { connect }, tasks: { connect } })`
to link policies/tasks to controls (one UPDATE per control).
On Prisma v6 with the native Rust engine this ran in ~5-10s. The v6→v7
migration swapped the Rust engine for `@prisma/adapter-pg` (node-postgres),
which roughly tripled per-query overhead, pushing the same workload to 30+s
and causing onboarding to trip the 30s transaction timeout (which we bumped
to 60s as a stopgap in 8d1764a).
Fix:
- Policy block: pre-generate Policy and PolicyVersion CUIDs in a single
`$queryRaw` call using `generate_prefixed_cuid()`. Create policies, then
versions, then set `currentVersionId` for all rows in a single bulk
`UPDATE ... FROM (VALUES ...)` statement. Handles the FK cycle
(Policy.currentVersionId ↔ PolicyVersion.policyId) by insert ordering
rather than schema changes. Kills N sequential updates.
- Control block: collect control↔policy and control↔task pairs in memory
during the existing requirement-map pass, then bulk-insert into the
implicit M2M join tables `_ControlToPolicy` and `_ControlToTask` with
`ON CONFLICT ("A","B") DO NOTHING`. Preserves idempotency for re-runs
(e.g. adding a framework to an existing org). Kills M sequential updates.
Result: ~100 queries → ~20, flat regardless of framework size. Expected
wall-clock 2-4s. Public API, return shape, console.warn diagnostics, and
org-scoping are all preserved.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
perf(onboarding): replace sequential update loops with bulk SQL
feat(device-agent): relax screen lock threshold to 15 minutes
Contributor
|
@cubic-dev-ai review it |
Contributor
@tofikwest I have started the AI code review. It will take a few minutes to complete. |
Contributor
|
🎉 This PR is included in version 3.30.0 🎉 The release is available on GitHub release Your semantic-release bot 📦🚀 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Dependabot check now fails when a repo has open alerts at/above a configurable severity threshold (default
high), and the Compliance task UI shows evidence for failed runs. Also speeds up org initialization by pre-generating IDs and using bulk SQL, and updates the Device Agent screen lock requirement to 15 minutes across OSes and docs.New Features
alert_severity_threshold(defaulthigh) to control when the check fails.dependabot-alert-severity.ts) and unit tests.Bug Fixes
Written for commit ae34d81. Summary will update on new commits.