
Feat: GH Issue generation based on severity #74

Open

tmikula-dev wants to merge 4 commits into master from feature/create-issues-based-on-severity

Conversation

@tmikula-dev tmikula-dev (Collaborator) commented Jun 10, 2026

Overview

This pull request introduces a configurable minimum severity threshold for security issue creation, allowing users to control which findings result in new or reopened GitHub issues. The changes span workflow configuration, backend logic, and documentation, and include comprehensive tests to ensure correct behavior.

Release Notes

  • Feat: GH Issue generation based on severity

Related

Closes #73

Summary by CodeRabbit

  • New Features

    • Added configurable min-severity parameter to control which security findings trigger issue creation (supports low, medium, high, critical levels; defaults to low).
  • Documentation

    • Updated workflow documentation with new input parameter and CLI flag details.
  • Tests

    • Added comprehensive test coverage for severity filtering behavior and configuration validation.

@tmikula-dev tmikula-dev self-assigned this Jun 10, 2026
@tmikula-dev tmikula-dev added the enhancement New feature or request label Jun 10, 2026
@coderabbitai coderabbitai Bot commented Jun 10, 2026

Warning

Review limit reached

@tmikula-dev, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 17 minutes and 20 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 6c812ae7-334a-48a4-b789-7ee7fe9546cc

📥 Commits

Reviewing files that changed from the base of the PR and between 3ad7780 and 949a531.

📒 Files selected for processing (4)
  • docs/security/aquasec-night-scan-example.yml
  • src/security/README.md
  • src/security/config.py
  • src/security/services/issue_syncer.py

Walkthrough

This PR implements severity-based filtering for AquaSec security alerts in the organizational workflows. It adds a configurable minimum severity threshold (low, medium, high, or critical), allowing teams to generate GitHub issues only for alerts at or above that level while maintaining existing issue lifecycle management for suppressed alerts.

Changes

Security Alert Severity Filtering

| Layer | File(s) | Summary |
| --- | --- | --- |
| Severity Constants and Config Schema | src/security/constants.py, src/security/config.py | Defines MIN_SEVERITY_DEFAULT = "low" and VALID_SEVERITIES frozenset. Adds min_severity field to SecurityConfig dataclass. |
| Configuration Loading and Validation | src/security/config.py, tests/security/test_config.py | Loads min_severity from CLI args or MIN_SEVERITY environment variable with lowercase normalization. Validates against allowed severity set, raising exit on invalid values. Test helper and six new test cases cover defaulting, normalization, env reading, CLI precedence, and validation. |
| Alert Filtering Logic | src/security/issues/sync.py, tests/security/issues/test_sync.py | Introduces _meets_min_severity(severity, min_severity) helper using SEVERITY_ORDER for rank-based comparison. Updates sync_alerts_and_issues signature to accept min_severity parameter. Skips ensure_issue for below-threshold alerts in processing loop while preserving the existing close behavior. Parametrized tests verify threshold logic and unknown severity handling. |
| CLI and Integration Wiring | src/security/main.py, src/security/services/issue_syncer.py, .github/workflows/aquasec-scan.yml | Adds --min-severity CLI flag to argument parser. Passes config.min_severity to sync_alerts_and_issues call in IssueSyncer.sync. Declares optional workflow input min-severity and exports it to MIN_SEVERITY environment variable. |
| Documentation and User-Facing Updates | src/security/README.md | Documents new min-severity input parameter (allowed values and default) in workflow configuration table and CLI flags section. Adds feature description of severity-based issue creation filtering. |
| Python 3 Exception Syntax Fix | src/core/github/issues.py | Updates exception handlers in gh_issue_get_sub_issue_numbers and gh_issue_list_by_label to use Python 3 tuple-based syntax for json.JSONDecodeError, ValueError, and TypeError. |

🎯 3 (Moderate) | ⏱️ ~20 minutes


Suggested labels

documentation


Suggested reviewers

  • miroslavpojer

Poem

🐰 A rabbit hops through severity tiers,
Low and medium, high and critical cheer,
Filter the alerts, keep focus sharp bright,
Only what matters gets issues in sight!
Configuration flows, tests pass with delight,
Issues now sorted—a workflow done right! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 62.50% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The PR title 'Feat: GH Issue generation based on severity' accurately and concisely summarizes the main feature addition - filtering GitHub issue creation by AquaSec alert severity. |
| Description check | ✅ Passed | The PR description follows the template structure with Overview, Release Notes, and Related sections clearly filled out with relevant details about the severity-based issue creation feature. |
| Linked Issues check | ✅ Passed | All acceptance criteria from issue #73 are met: new input parameter added [.github/workflows/aquasec-scan.yml], severity filtering logic implemented [src/security/issues/sync.py], comprehensive tests added [tests/security/issues/test_sync.py, tests/security/test_config.py], and documentation updated [src/security/README.md]. |
| Out of Scope Changes check | ✅ Passed | All changes directly support the severity-based issue creation feature: config/constants updates, workflow/CLI additions, sync logic implementation, and supporting test cases. Minor Python 2/3 syntax updates in issues.py align with modernization standards. |

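The threshold logic the walkthrough above describes, as an added Python illustration that is not the project's code. The names MIN_SEVERITY_DEFAULT, VALID_SEVERITIES, SEVERITY_ORDER, _meets_min_severity, sync_alerts_and_issues and ensure_issue are taken from the walkthrough; their bodies, resolve_min_severity, the Alert dataclass, the FakeIssueTracker stand-in for the GitHub client, the finding keys and demo are assumptions made for the example. It also goes past the walkthrough in one respect: the sync returns the keys it skipped, so unranked ("unknown") findings dropped by a strict threshold can be logged rather than vanish.

```python
"""Severity-threshold issue creation, as a stand-alone illustration (example
code, not the project's own). Names from the walkthrough: MIN_SEVERITY_DEFAULT,
VALID_SEVERITIES, SEVERITY_ORDER, _meets_min_severity, sync_alerts_and_issues,
ensure_issue. Everything else is assumed for the example."""
from __future__ import annotations

import os
from dataclasses import dataclass, field
from typing import Mapping

MIN_SEVERITY_DEFAULT = "low"
VALID_SEVERITIES = frozenset({"low", "medium", "high", "critical"})
# Rank for "at or above threshold" comparisons; "unknown" is deliberately not ranked.
SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def resolve_min_severity(cli_value: str | None, env: Mapping[str, str] | None = None) -> str:
    """--min-severity beats MIN_SEVERITY, which beats the default (assumed helper).

    Input is lowercased before validation, so 'HIGH' and 'high' are the same setting.
    The message is an f-string so the allowed values really are interpolated (the
    review comment on config.py above flags a missing 'f' prefix)."""
    env = os.environ if env is None else env
    raw = cli_value if cli_value is not None else env.get("MIN_SEVERITY", MIN_SEVERITY_DEFAULT)
    value = raw.strip().lower()
    if value not in VALID_SEVERITIES:
        raise ValueError(
            f"min-severity {raw!r} is not valid; allowed: {', '.join(sorted(VALID_SEVERITIES))}"
        )
    return value


def _meets_min_severity(severity: str, min_severity: str) -> bool:
    """True when an alert of this severity should get an issue.

    Severities outside SEVERITY_ORDER (e.g. 'unknown') pass only at the default
    threshold 'low'; any stricter threshold drops them."""
    rank = SEVERITY_ORDER.get(severity.strip().lower())
    if rank is None:
        return min_severity == MIN_SEVERITY_DEFAULT
    return rank >= SEVERITY_ORDER[min_severity]


@dataclass
class Alert:
    key: str                 # stable finding identifier, e.g. "<id>:<package>" (assumed shape)
    severity: str            # as reported by the scanner, any letter case
    resolved: bool = False   # True once the scanner stops reporting it


@dataclass
class FakeIssueTracker:
    """Stand-in for the GitHub issue client: one open issue per alert key."""
    open_issues: set[str] = field(default_factory=set)
    created: list[str] = field(default_factory=list)
    closed: list[str] = field(default_factory=list)

    def ensure_issue(self, key: str) -> None:
        if key not in self.open_issues:
            self.open_issues.add(key)
            self.created.append(key)

    def close_issue(self, key: str) -> None:
        if key in self.open_issues:
            self.open_issues.remove(key)
            self.closed.append(key)


def sync_alerts_and_issues(alerts, tracker: FakeIssueTracker,
                           min_severity: str = MIN_SEVERITY_DEFAULT) -> list[str]:
    """Open issues only at or above the threshold; close issues for resolved alerts
    whatever their severity, so filtering never leaves stale issues open.
    Returns the skipped keys so the caller can log them instead of losing them."""
    skipped: list[str] = []
    for alert in alerts:
        if alert.resolved:
            tracker.close_issue(alert.key)
            continue
        if not _meets_min_severity(alert.severity, min_severity):
            skipped.append(alert.key)   # any existing issue for this key is left untouched
            continue
        tracker.ensure_issue(alert.key)
    return skipped


def demo() -> tuple[str, list[str], list[str], list[str]]:
    """Constructed sample run: MIN_SEVERITY=HIGH from the environment, mixed alerts."""
    alerts = [
        Alert("finding-1:libfoo", "critical"),
        Alert("finding-2:libbar", "Medium"),               # below threshold; its open issue stays
        Alert("finding-3:libbaz", "unknown"),              # unranked: dropped above 'low'
        Alert("finding-4:libqux", "high", resolved=True),  # fixed: its issue gets closed
    ]
    tracker = FakeIssueTracker(open_issues={"finding-2:libbar", "finding-4:libqux"})
    threshold = resolve_min_severity(None, {"MIN_SEVERITY": "HIGH"})
    skipped = sync_alerts_and_issues(alerts, tracker, threshold)
    return threshold, tracker.created, tracker.closed, skipped


if __name__ == "__main__":
    print(demo())
```

Two practitioner points the example makes concrete: a below-threshold alert that already has an open issue is neither re-touched nor closed, so raising the threshold does not churn existing issues, and unranked severities are only let through at the default threshold, which is a silent drop unless the caller logs the returned keys.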

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
src/security/README.md (2)

196-196: 💤 Low value

Consider mentioning "unknown" severity behavior in the feature description.

The implementation (context snippet 3, sync.py) includes special handling for findings with "unknown" severity: they pass when min-severity=low (the default) but are filtered at higher thresholds. Documenting this edge case could help users understand the complete filtering behavior.

📝 Optional addition to clarify edge case
-- **Severity filtering**: Configurable minimum severity threshold to limit issue creation to findings at or above the chosen level.
+- **Severity filtering**: Configurable minimum severity threshold to limit issue creation to findings at or above the chosen level. Findings with unknown severity pass at the default threshold (`low`) but are filtered at higher thresholds.
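Review bot: the added sentence is accurate but documents a silent drop: once min-severity is raised above low, findings whose severity the scanner reports as unknown no longer produce issues and nothing else surfaces them. The README line should say what a user is expected to do about those (review the scan output by hand, or watch for a log line), or the filter should state explicitly that dropping unclassified findings at stricter thresholds is intentional rather than leaving it implied by the rank comparison.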
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/security/README.md` at line 196, Update the "Severity filtering" line to
explicitly describe how findings with "unknown" severity are treated by the
filter: note that with the default min-severity=low unknown findings are allowed
through, but they are excluded when the configured min-severity is raised above
low; reference the config key "min-severity" and the "unknown" severity behavior
implemented in sync.py so users understand this edge case.

155-174: ⚡ Quick win

Consider documenting the MIN_SEVERITY environment variable.

The local running examples document environment variables for AquaSec credentials, but the MIN_SEVERITY environment variable (supported per context snippet 1, config.py) is not mentioned. Users running locally might prefer to set this via environment variable rather than the --min-severity CLI flag.

📝 Example showing MIN_SEVERITY env var

Consider adding an example that shows the MIN_SEVERITY environment variable:

**With minimum severity threshold:**

```bash
AQUA_KEY=... AQUA_SECRET=... AQUA_GROUP_ID=... AQUA_REPOSITORY_ID=... \
MIN_SEVERITY=high \
PYTHONPATH=src python3 src/security/main.py --repo <owner/repo>
```

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/security/README.md` around lines 155 - 174, Add documentation for the
MIN_SEVERITY environment variable to the local run examples in README.md (the
same section that shows AQUA_KEY/AQUA_SECRET/AQUA_GROUP_ID/AQUA_REPOSITORY_ID
for dry-run/live/verbose). Show a short example that sets MIN_SEVERITY (e.g.,
MIN_SEVERITY=high) in the environment before invoking python3
src/security/main.py so users can see the env-var alternative to the
--min-severity CLI flag; reference the existing config.py behavior
(MIN_SEVERITY) in the text so readers know this env var is supported.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/security/config.py`:

  • Around line 102-103: The validation error message for self.min_severity is
    missing the f-string prefix so the allowed values aren't interpolated; update
    the error append call (the block that checks "if self.min_severity not in
    VALID_SEVERITIES") to use an f-string (e.g., f"...{',
    '.join(sorted(VALID_SEVERITIES))}...") so VALID_SEVERITIES is formatted into the
    message, keeping the same wording and reference to VALID_SEVERITIES and errors.

In `@src/security/README.md`:

  • Line 188: Update the CLI flags table entry for --min-severity to match the
    workflow input docs: state the default value is 'low' and note that the flag
    is case-insensitive (accepts low/medium/high/critical in any letter case).
    Locate the --min-severity row in the CLI flags table (the entry currently only
    lists allowed severities) and extend its description to include the default
    'low' and the case-insensitivity behavior so both tables are consistent.

Nitpick comments:
In `@src/security/README.md`:

  • Line 196: Update the "Severity filtering" line to explicitly describe how
    findings with "unknown" severity are treated by the filter: note that with the
    default min-severity=low unknown findings are allowed through, but they are
    excluded when the configured min-severity is raised above low; reference the
    config key "min-severity" and the "unknown" severity behavior implemented in
    sync.py so users understand this edge case.
  • Around line 155-174: Add documentation for the MIN_SEVERITY environment
    variable to the local run examples in README.md (the same section that shows
    AQUA_KEY/AQUA_SECRET/AQUA_GROUP_ID/AQUA_REPOSITORY_ID for dry-run/live/verbose).
    Show a short example that sets MIN_SEVERITY (e.g., MIN_SEVERITY=high) in the
    environment before invoking python3 src/security/main.py so users can see the
    env-var alternative to the --min-severity CLI flag; reference the existing
    config.py behavior (MIN_SEVERITY) in the text so readers know this env var is
    supported.


ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2bccaff2-4da2-4c88-acc7-b1ce5d44814b

📥 Commits

Reviewing files that changed from the base of the PR and between 8737f561167222e0ef72bc18487017dac4533a31 and 3ad778071294df46a00b941abfa5a63029d1837c.

📒 Files selected for processing (10)
  • .github/workflows/aquasec-scan.yml
  • src/core/github/issues.py
  • src/security/README.md
  • src/security/config.py
  • src/security/constants.py
  • src/security/issues/sync.py
  • src/security/main.py
  • src/security/services/issue_syncer.py
  • tests/security/issues/test_sync.py
  • tests/security/test_config.py


Comment thread src/security/config.py Outdated
Comment thread src/security/README.md Outdated

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Feat: Issue Creation Based on Alert Severity

1 participant