fix(cli): doctor verifies the bandit[sarif] formatter, not just the binary#171
Merged
…inary doctor reported "bandit OK" from `bandit --version` exit 0, while `codehub scan` was silently broken: without the [sarif] extra, `bandit -f sarif` is argparse-rejected (exit 2 + usage banner) and the scan contributes 0 findings. The check was a false positive (field-report Issue 6).

- banditSarifCheck replaces the bandit binaryOnPathCheck. It probes `bandit --version` (missing → warn), then `bandit -f sarif --quiet -r <empty tmp dir>`. argparse validates the --format choice BEFORE walking any target, so a missing formatter fails fast (~0.1s) without scanning the repo. The fail branch gates on the STRUCTURAL signature (exit 2 + a `usage: bandit` banner) so it can't silently regress if the message is reworded. Row name stays "bandit binary" (preserves --strict accounting).
- Adds a runCommand DI seam to DoctorOptions so doctor tests are hermetic. Threaded into the spawning checks (pnpm, scip indexers, binaryOnPathCheck, banditSarifCheck). This also de-flakes the pre-existing strict-exit test, which previously depended on whatever scanner binaries the host had.

Verified on this host: doctor reports FAIL for the PATH bandit lacking the extra, OK for the uv-tool bandit[sarif].

Tests: formatter-missing→fail, formatter-present→ok, binary-absent→warn. cli 266/266, tsc + biome clean.

Field-report Issue 6.
theagenticguy pushed a commit that referenced this pull request on May 29, 2026:
🤖 Automated release via release-please

---

<details><summary>analysis: 0.3.3</summary>

## [0.3.3](analysis-v0.3.2...analysis-v0.3.3) (2026-05-29)

### Features

* **cli:** expose 9 read-only graph tools as CLI subcommands ([#174](#174)) ([be15666](be15666))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/storage bumped to 0.2.3
    * @opencodehub/wiki bumped to 0.2.3
</details>

<details><summary>cli: 0.5.6</summary>

## [0.5.6](cli-v0.5.5...cli-v0.5.6) (2026-05-29)

### Features

* **cli:** expose 9 read-only graph tools as CLI subcommands ([#174](#174)) ([be15666](be15666))
* **cli:** status surfaces retrieval mode (summaries / vectors / embedder) ([#172](#172)) ([611e818](611e818))

### Bug Fixes

* **cli:** doctor verifies the bandit[sarif] formatter, not just the binary ([#171](#171)) ([0d78c92](0d78c92))
* **scanners:** exclude indexer-ignored dirs from vulture/radon/ty (drop .venv noise) ([#168](#168)) ([848aa34](848aa34))

### Documentation

* **repo:** clarify `sql` targets the temporal store, not the node/edge graph ([#173](#173)) ([814774a](814774a))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.3
    * @opencodehub/ingestion bumped to 0.4.5
    * @opencodehub/mcp bumped to 0.4.5
    * @opencodehub/pack bumped to 0.2.4
    * @opencodehub/scanners bumped to 0.2.3
    * @opencodehub/search bumped to 0.2.3
    * @opencodehub/storage bumped to 0.2.3
    * @opencodehub/wiki bumped to 0.2.3
</details>

<details><summary>cobol-proleap: 0.1.9</summary>

## [0.1.9](cobol-proleap-v0.1.8...cobol-proleap-v0.1.9) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/ingestion bumped to 0.4.5
</details>

<details><summary>ingestion: 0.4.5</summary>

## [0.4.5](ingestion-v0.4.4...ingestion-v0.4.5) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.3
    * @opencodehub/scip-ingest bumped to 0.2.5
    * @opencodehub/storage bumped to 0.2.3
</details>

<details><summary>mcp: 0.4.5</summary>

## [0.4.5](mcp-v0.4.4...mcp-v0.4.5) (2026-05-29)

### Features

* **cli:** expose 9 read-only graph tools as CLI subcommands ([#174](#174)) ([be15666](be15666))

### Documentation

* **repo:** clarify `sql` targets the temporal store, not the node/edge graph ([#173](#173)) ([814774a](814774a))

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.3
    * @opencodehub/pack bumped to 0.2.4
    * @opencodehub/scanners bumped to 0.2.3
    * @opencodehub/search bumped to 0.2.3
    * @opencodehub/storage bumped to 0.2.3
</details>

<details><summary>pack: 0.2.4</summary>

## [0.2.4](pack-v0.2.3...pack-v0.2.4) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.3
    * @opencodehub/ingestion bumped to 0.4.5
    * @opencodehub/storage bumped to 0.2.3
</details>

<details><summary>scanners: 0.2.3</summary>

## [0.2.3](scanners-v0.2.2...scanners-v0.2.3) (2026-05-29)

### Bug Fixes

* **scanners:** exclude indexer-ignored dirs from vulture/radon/ty (drop .venv noise) ([#168](#168)) ([848aa34](848aa34))
</details>

<details><summary>scip-ingest: 0.2.5</summary>

## [0.2.5](scip-ingest-v0.2.4...scip-ingest-v0.2.5) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/analysis bumped to 0.3.3
</details>

<details><summary>search: 0.2.3</summary>

## [0.2.3](search-v0.2.2...search-v0.2.3) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/storage bumped to 0.2.3
</details>

<details><summary>storage: 0.2.3</summary>

## [0.2.3](storage-v0.2.2...storage-v0.2.3) (2026-05-29)

### Features

* **cli:** status surfaces retrieval mode (summaries / vectors / embedder) ([#172](#172)) ([611e818](611e818))
</details>

<details><summary>wiki: 0.2.3</summary>

## [0.2.3](wiki-v0.2.2...wiki-v0.2.3) (2026-05-29)

### Dependencies

* The following workspace dependencies were updated
  * dependencies
    * @opencodehub/storage bumped to 0.2.3
</details>

<details><summary>root: 0.6.7</summary>

## [0.6.7](root-v0.6.6...root-v0.6.7) (2026-05-29)

### Features

* **cli:** expose 9 read-only graph tools as CLI subcommands ([#174](#174)) ([be15666](be15666))
* **cli:** status surfaces retrieval mode (summaries / vectors / embedder) ([#172](#172)) ([611e818](611e818))

### Bug Fixes

* **cli:** doctor verifies the bandit[sarif] formatter, not just the binary ([#171](#171)) ([0d78c92](0d78c92))
* **scanners:** exclude indexer-ignored dirs from vulture/radon/ty (drop .venv noise) ([#168](#168)) ([848aa34](848aa34))

### Documentation

* **repo:** clarify `sql` targets the temporal store, not the node/edge graph ([#173](#173)) ([814774a](814774a))
</details>

---

This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Summary
`doctor` reported bandit OK from `bandit --version` exit 0 — while `codehub scan` was silently broken. Without the `[sarif]` extra (`bandit-sarif-formatter`), `bandit -f sarif` is argparse-rejected (exit 2 + a `usage: bandit` banner) and the scan contributes 0 findings. The check was a false positive (field-report Issue 6).

Fix
`banditSarifCheck` replaces the bandit `binaryOnPathCheck`. It probes `bandit --version` (missing → `warn`), then runs `bandit -f sarif --quiet -r <empty tmp dir>`. argparse validates the `--format` choice before walking any target, so a missing formatter fails fast (~0.1s) without scanning the repo. The fail branch gates on the structural signature (exit 2 + `usage: bandit` banner) — not advisory prose — so it can't silently regress if the message is reworded. Row name stays `"bandit binary"` (preserves `--strict` exit accounting and table order). `runCommand` DI seam added to `DoctorOptions`, threaded into the spawning checks (pnpm, scip indexers, `binaryOnPathCheck`, `banditSarifCheck`). This makes doctor tests hermetic and de-flakes the pre-existing strict-exit test, which previously depended on whatever scanner binaries the host happened to have installed.

Test plan
mise pipx-bandit), and OK for the uv-tool `bandit[sarif]`. `fail` with a `bandit[sarif]` hint; formatter-present → `ok`; binary-absent → `warn`. `@opencodehub/cli` 266/266; `tsc` + `biome` clean.

Companion to #166 (which fixed the `installCmd` the hint points at).
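The check as described above, written out as an added example that is not the project's own code: a `banditSarifCheck` taking a `runCommand` seam, gating the fail branch on exit 2 plus a `usage: bandit` banner, with constructed fake runners standing in for the three host states (formatter missing, formatter present, binary absent). The `CommandResult`, `RunCommand` and `DoctorRow` shapes are assumptions modelled on the PR text, and the bandit version string in the fakes is constructed.

```typescript
import { mkdtempSync, rmSync } from "node:fs";
import { tmpdir } from "node:os";
import { join } from "node:path";

// Hypothetical types modelled on the PR description; not the project's real declarations.
export interface CommandResult { code: number; stdout: string; stderr: string }
export type RunCommand = (cmd: string, args: string[]) => CommandResult; // DI seam
export interface DoctorRow { name: string; status: "ok" | "warn" | "fail"; detail: string }

export function banditSarifCheck(runCommand: RunCommand): DoctorRow {
  const name = "bandit binary"; // row name unchanged so --strict accounting is stable
  let version: CommandResult;
  try {
    version = runCommand("bandit", ["--version"]);
  } catch {
    return { name, status: "warn", detail: "bandit not found on PATH" };
  }
  if (version.code !== 0) return { name, status: "warn", detail: "bandit --version failed" };
  // Probe the formatter against an empty temp dir: argparse rejects an unknown
  // --format choice before walking any target, so nothing in the repo is scanned.
  const dir = mkdtempSync(join(tmpdir(), "doctor-bandit-"));
  try {
    const probe = runCommand("bandit", ["-f", "sarif", "--quiet", "-r", dir]);
    // Gate on the structural signature (exit 2 + usage banner), not on the error wording.
    if (probe.code === 2 && /^usage: bandit/m.test(probe.stderr + probe.stdout)) {
      return { name, status: "fail", detail: "sarif formatter missing; install bandit[sarif]" };
    }
    return { name, status: "ok", detail: version.stdout.trim() };
  } finally {
    rmSync(dir, { recursive: true, force: true });
  }
}

// Constructed fakes for the runCommand seam, so the check runs without bandit installed.
const ok = (out: string): CommandResult => ({ code: 0, stdout: out, stderr: "" });
export const fakeNoBinary: RunCommand = () => { throw new Error("spawn bandit ENOENT"); };
export const fakeFormatterPresent: RunCommand = (_c, a) => ok(a[0] === "--version" ? "bandit 1.7.9\n" : "");
export const fakeFormatterMissing: RunCommand = (_c, a) =>
  a[0] === "--version"
    ? ok("bandit 1.7.9\n")
    : { code: 2, stdout: "", stderr: "usage: bandit [-h] [-r] ...\nbandit: error: argument -f/--format: invalid choice: 'sarif'\n" };
```

Rewording the argparse error message in a future bandit release leaves the fail branch intact, since only the exit code and the banner prefix are inspected.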