Problem
The CodeRabbit review gate (#1315) blocks gh pr create when any finding has severity=error. There's currently no way to override or dismiss a specific finding — the agent must either fix it or the developer is stuck.
This causes false positives in legitimate scenarios:
- Simulators with hardcoded test keys: A test server emulating the Anthropic API uses a hardcoded API key (e.g., sk-ant-test-...). CodeRabbit flags it as a critical secret exposure, but it's intentional — it's a simulator, not production code.
- Intentional pattern violations: Code that deliberately deviates from a convention for a documented reason (e.g., using panic() in a CLI entrypoint, raw SQL in a migration).
- False positive detection: Security scanners flagging base64-encoded test fixtures, example URLs, or mock credentials in test files.
In all these cases, the developer has reviewed the finding, understands the context, and wants to proceed. Today they have no mechanism to do so — the gate is all-or-nothing.
Proposed Solution
Add a way to annotate specific CodeRabbit findings as "acknowledged/skipped" so the review gate allows them through. Options to consider:
- Inline code comments: A comment like // coderabbit:ignore <finding-id> or // coderabbit:skip reason="test simulator key" next to the flagged line. The gate script parses these before deciding to block.
- Configuration file: A .coderabbit-ignore or entry in .coderabbit.yaml listing file paths or patterns to exclude from specific rules (similar to .eslintignore or # nosec in bandit).
- Per-PR override: A flag like --skip-findings=<id1>,<id2> passed to the gate script, or an env var CODERABBIT_SKIP_FINDINGS that the agent can set after confirming with the user.
The key requirement: the skip must be explicit and traceable — it should be visible in the PR diff or commit history so reviewers can see what was deliberately bypassed and why.
Context
scripts/hooks/coderabbit-review-gate.sh