policy: allowlist scanner-safe-bundle example reference outputs#564
Conversation
`cargo xtask check-file-policy` flagged 5 unmatched files under `examples/scanner-safe-bundle/expected/` — the manifest, payload shapes, and receipts that the example README walks through. Add a single entry covering the whole `expected/**/*` tree, classified as `test` with covered_by pointing at the example README and manual review. Verified: 1214/1214 matched, 0 unmatched.
|
You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard. |
|
Warning Rate limit exceeded
You’ve run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Code Review
This pull request adds an allowlist entry for example reference outputs in policy/non-rust-allowlist.toml. Feedback suggests narrowing the file glob from a catch-all to specific extensions like .json and .yaml to adhere to the principle of least privilege and prevent the accidental inclusion of sensitive material. Additionally, it is recommended to remove documentation files from the covered_by field as they do not serve as verification mechanisms.
| [[allow]] | ||
| glob = "examples/scanner-safe-bundle/expected/**/*" | ||
| kind = "scanner_safe_bundle_reference" | ||
| owner = "cli" | ||
| surface = "examples" | ||
| classification = "test" | ||
| reason = "Scanner-safe bundle reference outputs (manifest, payload shapes, receipts) used by examples/scanner-safe-bundle/README.md to demonstrate deterministic generator stability. Shape-only — never real secret material." | ||
| covered_by = ["examples/scanner-safe-bundle/README.md", "manual review"] |
There was a problem hiding this comment.
To maintain the 'least privilege' principle of the file policy and ensure consistency with other entries (e.g., lines 158-182), it is better to narrow the glob to specific extensions (.json, .yaml) rather than using a catch-all **/*. This prevents the accidental inclusion of sensitive files like private keys or certificates in the allowlist.
Additionally, the covered_by field should list verification mechanisms (like automated tests or manual review processes). Since the README is documentation rather than a verifier, it should be removed from covered_by (it is already mentioned in the reason).
| [[allow]] | |
| glob = "examples/scanner-safe-bundle/expected/**/*" | |
| kind = "scanner_safe_bundle_reference" | |
| owner = "cli" | |
| surface = "examples" | |
| classification = "test" | |
| reason = "Scanner-safe bundle reference outputs (manifest, payload shapes, receipts) used by examples/scanner-safe-bundle/README.md to demonstrate deterministic generator stability. Shape-only — never real secret material." | |
| covered_by = ["examples/scanner-safe-bundle/README.md", "manual review"] | |
| [[allow]] | |
| glob = "examples/scanner-safe-bundle/expected/**/*.json" | |
| kind = "scanner_safe_bundle_reference" | |
| owner = "cli" | |
| surface = "examples" | |
| classification = "test" | |
| reason = "Scanner-safe bundle reference outputs (manifest, receipts) used by examples/scanner-safe-bundle/README.md to demonstrate deterministic generator stability. Shape-only — never real secret material." | |
| covered_by = ["manual review"] | |
| [[allow]] | |
| glob = "examples/scanner-safe-bundle/expected/**/*.yaml" | |
| kind = "scanner_safe_bundle_reference" | |
| owner = "cli" | |
| surface = "examples" | |
| classification = "test" | |
| reason = "Scanner-safe bundle reference outputs (payload shapes) used by examples/scanner-safe-bundle/README.md to demonstrate deterministic generator stability. Shape-only — never real secret material." | |
| covered_by = ["manual review"] |
References
- The project's primary goal is to prevent the commitment of sensitive material to version control. Narrowing allowlist globs to specific extensions instead of using a catch-all helps enforce this by preventing accidental inclusion of raw key material. (link)
Summary
cargo xtask check-file-policywas failing with 5 unmatched files, all underexamples/scanner-safe-bundle/expected/:These are reference outputs (manifest, payload shapes, receipts) that the `examples/scanner-safe-bundle/README.md` walkthrough uses to demonstrate the deterministic generator. Per the scanner-safe lesson, all values are shape-only — never real secret material — so committing them is correct, they just needed an explicit allowlist entry.
Add one entry covering `examples/scanner-safe-bundle/expected/**/*` with:
Validation
Test plan