Skip to content

refactor(#234): extract FormatFinding helper for security findings#268

Open
fullsend-ai-coder[bot] wants to merge 1 commit into
mainfrom
agent/234-extract-format-finding-helper
Open

refactor(#234): extract FormatFinding helper for security findings#268
fullsend-ai-coder[bot] wants to merge 1 commit into
mainfrom
agent/234-extract-format-finding-helper

Conversation

@fullsend-ai-coder

Copy link
Copy Markdown

Add FormatFinding to internal/security/ as the canonical format for printing finding details: [severity] name: detail. This resolves the Scanner vs Name field inconsistency in scan.go (line 125 used f.Scanner while line 258 used f.Name) and gives future callers a single function to use instead of copying a format string.

Changes:

  • Add FormatFinding(f Finding) string to scanner.go
  • Update scan.go input scan to use FormatFinding (fixes Scanner
    to Name)
  • Update scan.go context scan to use FormatFinding
  • Add TestFormatFinding

Closes #234

Post-script verification

  • Branch is not main/master (agent/234-extract-format-finding-helper)
  • Secret scan passed (gitleaks — c776c248ac9a91f10998ca7107e974a6c9d76514..HEAD)
  • Pre-commit hooks passed (authoritative run on runner)
  • Tests ran inside sandbox

Add FormatFinding to internal/security/ as the canonical format
for printing finding details: [severity] name: detail. This
resolves the Scanner vs Name field inconsistency in scan.go
(line 125 used f.Scanner while line 258 used f.Name) and gives
future callers a single function to use instead of copying a
format string.

Changes:
- Add FormatFinding(f Finding) string to scanner.go
- Update scan.go input scan to use FormatFinding (fixes Scanner
  to Name)
- Update scan.go context scan to use FormatFinding
- Add TestFormatFinding

Closes #234
@github-actions

Copy link
Copy Markdown

E2E tests did not run

E2E tests run automatically for org/repo members and collaborators on pull requests.

For other contributors, a maintainer must add the ok-to-test label after the latest push.

See E2E testing guide for details.

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 10, 2026

Copy link
Copy Markdown

🤖 Finished Review · ❌ Failure · Started 12:58 PM UTC · Completed 12:58 PM UTC
Commit: c776c24 · View workflow run →

@guyoron1

Copy link
Copy Markdown
Owner

/fs-review

@fullsend-ai-review

fullsend-ai-review Bot commented Jul 10, 2026

Copy link
Copy Markdown

🤖 Finished Review · ✅ Success · Started 3:57 PM UTC · Completed 4:04 PM UTC
Commit: d8e3df7 · View workflow run →

@fullsend-ai-review

Copy link
Copy Markdown

Review — approve

Clean, well-scoped refactor that extracts a canonical FormatFinding helper, fixes the Scanner vs Name field inconsistency at scan.go:125, and includes a test. The helper is correctly placed alongside the Finding type in internal/security/scanner.go, consistent with the existing HasCriticalFindings pattern.

Findings

[low] behavior-change — internal/cli/scan.go:125
The input scan previously logged f.Scanner (e.g., "secret_redactor") and now logs f.Name (e.g., "github_pat") via FormatFinding. This is an intentional, authorized change per issue #234 and is documented in the godoc. Operators or log consumers keyed on the old format should be aware. No action required — the Name field is more meaningful for end-user output, and the context scan already used it.

[low] style — internal/security/scanner.go
The FormatFinding godoc is multi-line (5 lines), while the comparable HasCriticalFindings helper uses a single-line comment. The extra context explaining the Name-over-Scanner choice is useful for future callers, so this is a reasonable tradeoff. No action required.

Notes

  • bootstrap_scan.go correctly omitted. Issue [RTK+Ponytail] Extract shared helper for formatting security finding details #234 mentions updating this file, but it does not contain per-finding format loops — it only logs aggregate counts. No change needed.
  • run.go:1718 correctly left as-is. Uses an intentionally different format ("Sanitized [%s] in %s: %s") with additional context (file path). Not a candidate for FormatFinding.
  • Test integrity verified. No existing tests modified or weakened; only a new TestFormatFinding added.
  • No security concerns. No injection patterns, secrets, permission changes, or auth code modified.

Labels: PR modifies internal/security/ scanning infrastructure

Comment thread internal/cli/scan.go
// Print findings
for _, f := range allFindings {
printer.StepWarn(fmt.Sprintf("[%s] %s: %s", f.Severity, f.Scanner, f.Detail))
printer.StepWarn(security.FormatFinding(f))

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] behavior-change

The input scan switches from f.Scanner to f.Name via FormatFinding, changing operator-visible output. Authorized by issue #234 and documented in godoc. Log consumers keyed on the old format will stop matching.

)
}

// FormatFinding returns a human-readable summary of a single finding.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[low] style

FormatFinding godoc is multi-line while comparable HasCriticalFindings uses single-line. The extra context explaining Name-over-Scanner is useful, so this is a reasonable tradeoff.

@fullsend-ai-review fullsend-ai-review Bot added ready-for-merge All reviewers approved — ready to merge security labels Jul 10, 2026
@guyoron1

Copy link
Copy Markdown
Owner

/fs-fix

@fullsend-ai-coder

fullsend-ai-coder Bot commented Jul 10, 2026

Copy link
Copy Markdown
Author

🤖 Finished Fix · ✅ Success · Started 5:43 PM UTC · Completed 5:47 PM UTC
Commit: d8e3df7 · View workflow run →

@fullsend-ai-coder

Copy link
Copy Markdown
Author

🔧 Fix agent — iteration 1 (human-triggered)

Review already approved PR with no actionable findings. Both [low] findings were informational ('No action required'). Human /fs-fix had no specific instruction. Verified code matches review assessment — no changes needed.

Disagreed (2):

  1. [low] behavior-change — scan.go:125 Scanner vs Name field switch: Review already marked this 'No action required'. The change from f.Scanner to f.Name is the intentional fix per issue [RTK+Ponytail] Extract shared helper for formatting security finding details #234. The Name field is more meaningful for end-user output, and the context scan already used it. No code change needed.
  2. [low] style — FormatFinding godoc length: Review already marked this 'No action required'. The multi-line godoc explaining the Name-over-Scanner choice is a reasonable tradeoff for guiding future callers. No code change needed.

Tests: passed

Updated by fullsend fix agent

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

ready-for-merge All reviewers approved — ready to merge security

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[RTK+Ponytail] Extract shared helper for formatting security finding details

1 participant