feat: send commit SHA with scan dispatch #3
- Add getCommitShaEnvVar() to auto-detect from GITHUB_SHA, CI_COMMIT_SHA, BITBUCKET_COMMIT, or PENSAR_COMMIT_SHA
- Add commitSha to DispatchScanParams and RunScanParams interfaces
- Include commitSha in /ci/dispatch POST body
- Auto-resolve commitSha in runScan() from env when not explicitly provided
- Add -c/--commit <sha> CLI option to pentest command
- Read CI_COMMIT_SHA in GitLab integration and forward to runScan()
- Document --commit option and new env vars in README

Co-authored-by: Josh Kotrous <joshkotrous@users.noreply.github.com>
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix prepared a fix for the issue found in the latest run.
- ✅ Fixed: PENSAR_COMMIT_SHA override has lowest priority instead of highest. Moved PENSAR_COMMIT_SHA to the first position in the nullish coalescing chain so it can properly override CI-specific environment variables as documented.
```ts
    process.env.PENSAR_COMMIT_SHA ??
    undefined
  );
}
```
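Review bot: `??` treats only null and undefined as missing, so a CI variable that is set but empty (common when a pipeline template exports every variable) short-circuits this chain and blocks every later fallback; normalize empty values before coalescing, e.g. `process.env.GITHUB_SHA || undefined`. The trailing `?? undefined` is also a no-op, since `process.env` values are already `string | undefined`.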
PENSAR_COMMIT_SHA override has lowest priority instead of highest
High Severity
PENSAR_COMMIT_SHA is documented as a "Commit SHA override" in the README, but in getCommitShaEnvVar() it's checked last in the ?? chain — after GITHUB_SHA, CI_COMMIT_SHA, and BITBUCKET_COMMIT. Since those CI-specific env vars are always set automatically in their respective CI platforms, PENSAR_COMMIT_SHA can never take effect, making it impossible for users to override the commit SHA via env var.
```ts
const branch = process.env.CI_COMMIT_REF_NAME ?? undefined;

// GitLab CI provides the commit SHA in CI_COMMIT_SHA
const commitSha = process.env.CI_COMMIT_SHA ?? undefined;
```
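Review bot: `?? undefined` is a no-op on both lines because `process.env.CI_COMMIT_REF_NAME` and `process.env.CI_COMMIT_SHA` are already `string | undefined`; read them directly, or use `|| undefined` if an empty value should also count as unset.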
GitLab bypasses centralized commit SHA resolution
Medium Severity
The GitLab integration reads CI_COMMIT_SHA directly and passes it explicitly as commitSha to CI.runScan(). Since runScan() uses params.commitSha ?? getCommitShaEnvVar(), the explicitly-passed value always takes precedence and getCommitShaEnvVar() is never called. This means the documented PENSAR_COMMIT_SHA override can never work for GitLab users, even after fixing the priority order in getCommitShaEnvVar(). The reading is also redundant since getCommitShaEnvVar() already checks CI_COMMIT_SHA.
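One way to implement the centralized resolution both findings point to, as an added example in JavaScript that is not the project's own code: the override is checked first, set-but-empty variables are treated as unset, an explicit CLI value still wins, and the result is format-checked before it would be sent. The function name getCommitShaEnvVar matches the PR; nonEmpty, resolveCommitSha, the env parameter, SHA_RE and the sample env snapshots are assumptions.

```javascript
// Added example, not the project's code. `env` is a parameter so the
// precedence logic can be exercised without mutating process.env.

// Accepts abbreviated through full-length hex SHAs (SHA-1 or SHA-256 repos).
const SHA_RE = /^[0-9a-f]{7,64}$/i;

// `??` passes "" through, so a set-but-empty variable would block every
// later fallback; normalize empty/whitespace-only values to undefined.
function nonEmpty(value) {
  const v = typeof value === "string" ? value.trim() : undefined;
  return v ? v : undefined;
}

// Precedence: PENSAR_COMMIT_SHA override FIRST (the Bugbot fix), then the
// providers' own variables (GitHub, GitLab, Bitbucket).
function getCommitShaEnvVar(env = process.env) {
  return (
    nonEmpty(env.PENSAR_COMMIT_SHA) ??
    nonEmpty(env.GITHUB_SHA) ??
    nonEmpty(env.CI_COMMIT_SHA) ??
    nonEmpty(env.BITBUCKET_COMMIT)
  );
}

// Mirrors runScan(): an explicit value wins, otherwise env resolution.
// Integrations (e.g. GitLab) should leave `explicit` undefined so the
// override stays effective; the value is validated before use.
function resolveCommitSha(explicit, env = process.env) {
  const sha = nonEmpty(explicit) ?? getCommitShaEnvVar(env);
  if (sha !== undefined && !SHA_RE.test(sha)) {
    throw new Error(`commitSha is not a hex SHA: ${JSON.stringify(sha)}`);
  }
  return sha;
}

// Constructed env snapshots with placeholder SHAs (not real commits).
const GITHUB_ENV = { GITHUB_SHA: "a".repeat(40) };
const GITLAB_WITH_OVERRIDE = {
  CI_COMMIT_SHA: "b".repeat(40),
  PENSAR_COMMIT_SHA: "c".repeat(40),
};
const EMPTY_OVERRIDE = { PENSAR_COMMIT_SHA: "", BITBUCKET_COMMIT: "d".repeat(40) };

console.log(resolveCommitSha(undefined, GITLAB_WITH_OVERRIDE)); // override wins
```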


Note

Low Risk

Small, additive change that only extends request payloads and parameter plumbing; main risk is compatibility if the backend rejects/ignores the new commitSha field.

Overview

Pentest dispatches now include an optional commitSha field, plumbed through RunScanParams/DispatchScanParams and sent in the /ci/dispatch POST body. The CLI gains -c/--commit and the CI helpers auto-detect the SHA from common provider env vars (GitHub/GitLab/Bitbucket) with a PENSAR_COMMIT_SHA override; the GitLab integration forwards CI_COMMIT_SHA. Documentation is updated to reflect the new option and env vars.

Written by Cursor Bugbot for commit cf0893d. This will update automatically on new commits.