
chore: add blank osv scanner config #105

Merged
dermorz merged 1 commit into main from chore/update-go-mods on Jun 29, 2026

Conversation

@dermorz dermorz commented Jun 29, 2026

Contributor

What

Add a .osv-scanner.toml so the local make scan / pre-commit hook stops erroring.

Why

make scan (and the osv-scanner pre-commit hook) passes --config ./.osv-scanner.toml, but the file was never committed — so the hook fails with config file not found for anyone touching go.mod/go.sum. The dependency vulns that were also flagged have since been resolved by Renovate's now-merged PRs, so this PR is just the config file.

Testing

make scan → No issues found.

Notes for reviewers

The config is an empty allowlist (commented [[IgnoredVulns]] template), matching the solar repo convention. Note this only affects the local/pre-commit scan — the GitHub OSV-Scanner workflow doesn't use this config.

Checklist

  • Tests added/updated n/a
  • No breaking changes (or upgrade path documented above)
  • Readable commit history (squashed and cleaned up as desired)
  • AI code review considered and comments resolved
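For reference, a filled-in version of the allowlist the description mentions, added here as an illustration and not the file committed in this PR; the advisory id, date and reason are placeholders. osv-scanner's [[IgnoredVulns]] entries take an id, an optional ignoreUntil expiry and a reason, and giving each exception an expiry keeps a triaged finding from staying suppressed indefinitely:

```toml
# .osv-scanner.toml (illustrative, not the file from this PR)
# Read by the local scan via: osv-scanner --config ./.osv-scanner.toml ...
#
# Shipped state: an empty allowlist, so every finding is reported.
# [[IgnoredVulns]]
# id = "..."
# reason = "..."

# Weak form: suppresses the id with no expiry and no rationale,
# so nobody is prompted to revisit it.
# [[IgnoredVulns]]
# id = "GO-0000-0000"

# Preferred form: one entry per triaged finding, bounded in time.
[[IgnoredVulns]]
id = "GO-0000-0000"        # placeholder advisory id, not a real finding
ignoreUntil = 2026-07-31   # placeholder date; the finding is reported again after it
reason = "PLACEHOLDER: vulnerable function is not reachable from this code base"
```

Because the GitHub OSV-Scanner workflow does not read this file, an entry here silences only the local and pre-commit scan.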

coderabbitai Bot commented Jun 29, 2026


Warning

Review limit reached

@dermorz, you've reached your PR review limit, so we couldn't start this review.



Commits

Reviewing files that changed from the base of the PR and between cff173a and 9f60ec5.

Files selected for processing (1)
  • .osv-scanner.toml

Walkthrough

Bumps several golang.org/x/* indirect module versions (x/crypto, x/mod, x/net, x/term, x/text, x/tools) in go.mod, and adds a new .osv-scanner.toml file containing a commented-out IgnoredVulns scaffold with placeholder id and reason fields.

Dependency and security config updates

Layer / File(s): golang.org/x/* version bumps and OSV config (go.mod, .osv-scanner.toml)
Summary: Bumps six golang.org/x/* indirect dependencies to newer versions; adds commented IgnoredVulns block scaffold to the OSV scanner config.

Estimated code review effort: 1 (Trivial), ~3 minutes

Poem

🐇 Hop hop, the modules rise,
New versions gleam before my eyes.
A scanner config, blank but ready,
Keeping vulnerability watch steady.
The warren stays secure today! 🌿

Pre-merge checks: 5 passed

  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
  • Title check: Passed. The title clearly describes the added blank osv-scanner config, which is a primary change in the PR.
  • Description check: Passed. The PR follows the template with What, Why, Testing, Notes, and Checklist sections; only the optional issue reference is absent.

@coveralls


Coverage Report for CI Build 28353649263

Warning

No base build found for commit 70f187a on main.
Coverage changes can't be calculated without a base build.
If a base build is processing, this comment will update automatically when it completes.

Coverage: 27.101%

Details

  • Patch coverage: No coverable lines changed in this PR.

Uncovered Changes

No uncovered changes found.

Coverage Regressions

Requires a base build to compare against.

Coverage Stats

Coverage Status
Relevant Lines: 476
Covered Lines: 129
Line Coverage: 27.1%
Coverage Strength: 0.72 hits per line

💛 - Coveralls

@dermorz dermorz marked this pull request as draft June 29, 2026 07:03
@dermorz dermorz force-pushed the chore/update-go-mods branch from cff173a to 9f60ec5 June 29, 2026 07:21
@dermorz dermorz changed the title from "chore: update go mods" to "chore: add blank osv scanner config" Jun 29, 2026
@dermorz dermorz marked this pull request as ready for review June 29, 2026 07:36
@dermorz dermorz merged commit 3618887 into main Jun 29, 2026
14 checks passed
@dermorz dermorz deleted the chore/update-go-mods branch June 29, 2026 07:36