chore: update pvtr plugin to ossf repo and v0.23.2 IN-986#4126
Pull request overview
Updates the security best practices worker to use the canonical OSSF PVTR GitHub repo scanner and the newer OSPS baseline catalog ID.
Changes:
- Bumps the PVTR plugin source repository and pinned commit to v0.23.2.
- Updates the Privateer example config catalog from OSPS_B to osps-baseline-2026-02.
- Updates the worker's saved evaluation-suite lookup catalog ID accordingly.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| services/apps/security_best_practices_worker/src/activities/index.ts | Updates the catalog ID used when selecting the evaluation suite to persist. |
| services/apps/security_best_practices_worker/example-config.yml | Updates the configured catalog passed to Privateer/PVTR. |
| scripts/services/docker/Dockerfile.security_best_practices_worker | Switches plugin clone/build source to the OSSF scanner repo and pinned commit. |
Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
…tibility (IN-986) Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
… row error (IN-986) Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
Addressed the duplicate row issue flagged by cursor[bot]. When a repo was previously scanned with the old Fix: added an optional
epipav
left a comment
Looks good. One thing we can do to prevent duplicate evaluations and assessments is to update the existing catalogId to the new value in a migration
UPDATE "securityInsightsEvaluationSuites"
SET "catalogId" = 'osps-baseline-2026-02'
WHERE "catalogId" = 'OSPS_B';
| @@ -0,0 +1,3 @@ | |||
| UPDATE "securityInsightsEvaluationSuites" | |||
| SET "catalogId" = 'osps-baseline-2026-02' | |||
| WHERE "catalogId" = 'OSPS_B'; | |||
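Review bot: the UPDATE has no guard for a repo that already holds an osps-baseline-2026-02 suite (a rescan on the new worker before this migration runs), so renaming its remaining OSPS_B row produces a second (repo, catalogId) pair and the statement fails on the table's unique constraint, blocking the whole migration. Either remove or consolidate those legacy rows in a preceding statement, or restrict the UPDATE to rows whose repo has no osps-baseline-2026-02 suite yet, and follow it with a check that fails the migration if any OSPS_B row survives rather than leaving mixed catalog ids behind.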
Migration hits unique constraint
High Severity
The catalog rename UPDATE can fail when a repo already has a securityInsightsEvaluationSuites row with osps-baseline-2026-02 from a rescan on the new worker, while an older row still has OSPS_B. Renaming the legacy row duplicates (repo, catalogId) and violates the table unique constraint, blocking the migration.
Reviewed by Cursor Bugbot for commit 125d6c7.
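A constraint-aware version of the rename suggested in the comment above, written to avoid the unique-constraint failure Bugbot describes. This is an added example, not the PR's own migration; it assumes PostgreSQL, that Flyway runs the script in a single transaction, and that the repo half of the unique constraint is a column named "repoId" (a hypothetical name, since the PR does not show it).

```sql
-- Constraint-aware catalog rename (added example, not the PR's migration).
-- Assumptions: PostgreSQL; a unique constraint on ("repoId", "catalogId"),
-- where "repoId" is a hypothetical column name; Flyway runs this script in
-- one transaction, so a raised exception rolls every step back.

-- Step 1: drop legacy rows whose repo already holds a suite under the new
-- catalog id (a rescan on the new worker ran before the migration). Renaming
-- them would duplicate ("repoId", "catalogId"); the newer suite already holds
-- the current results. Rows elsewhere that reference these suites through
-- securityInsightsEvaluationSuiteId must be removed or reattached first
-- unless the foreign key cascades; that table is not shown in the PR.
DELETE FROM "securityInsightsEvaluationSuites" AS legacy
WHERE legacy."catalogId" = 'OSPS_B'
  AND EXISTS (
    SELECT 1
    FROM "securityInsightsEvaluationSuites" AS newer
    WHERE newer."repoId" = legacy."repoId"
      AND newer."catalogId" = 'osps-baseline-2026-02'
  );

-- Step 2: the remaining legacy rows have no counterpart, so the plain
-- rename can no longer collide with the unique constraint.
UPDATE "securityInsightsEvaluationSuites"
SET "catalogId" = 'osps-baseline-2026-02'
WHERE "catalogId" = 'OSPS_B';

-- Step 3: post-conditions. A failure raises, the transaction rolls back,
-- and the migration fails loudly instead of leaving mixed catalog ids.
DO $$
BEGIN
  IF EXISTS (SELECT 1 FROM "securityInsightsEvaluationSuites"
             WHERE "catalogId" = 'OSPS_B') THEN
    RAISE EXCEPTION 'catalog rename incomplete: OSPS_B rows remain';
  END IF;
  IF EXISTS (SELECT 1 FROM "securityInsightsEvaluationSuites"
             WHERE "catalogId" = 'osps-baseline-2026-02'
             GROUP BY "repoId" HAVING COUNT(*) > 1) THEN
    RAISE EXCEPTION 'repo has more than one osps-baseline-2026-02 suite';
  END IF;
END $$;
```

Running the script twice is safe: the second run finds no OSPS_B rows, changes nothing, and both checks pass.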
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit c84ee25.
| repo: ISecurityInsightsObsoleteRepo, | ||
| ): Promise<void> { | ||
| const CATALOG_ID = 'OSPS_B' | ||
| const CATALOG_ID = 'osps-baseline-2026-02' |
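Review bot: with the constant swapped outright, a Redis payload that still carries the legacy OSPS_B catalog id (scans queued before the deploy) matches no evaluation suite, so evaluationSuite comes back undefined and the next property access throws at runtime. Either accept both ids during the transition, for example by matching against a list containing 'osps-baseline-2026-02' and 'OSPS_B', or fail early with an explicit error that names the unexpected catalog id, and ship the catalog rename migration together with the worker image update so the window with mixed ids stays short.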
Save ignores legacy catalog scans
Medium Severity
saveOSPSBaselineInsightsToDB only selects the evaluation suite matching osps-baseline-2026-02. Redis payloads from scans still using OSPS_B leave evaluationSuite undefined, and the next property access throws at runtime.
Reviewed by Cursor Bugbot for commit c84ee25.


Summary
Updates the pvtr GitHub repo scanner plugin from the old revanite-io/pvtr-github-repo repo to the new canonical location at ossf/pvtr-github-repo-scanner, and bumps the version to v0.23.2. Also updates the catalog ID and CATALOG_ID constant from the deprecated OSPS_B to osps-baseline-2026-02.
Changes
- Dockerfile.security_best_practices_worker: updated clone URL to ossf/pvtr-github-repo-scanner, updated commit hash to v0.23.2 (c7bd9538)
- example-config.yml: catalog OSPS_B → osps-baseline-2026-02
- activities/index.ts: CATALOG_ID constant 'OSPS_B' → 'osps-baseline-2026-02'
Type of change
JIRA ticket
https://linuxfoundation.atlassian.net/browse/IN-986
Note
Medium Risk
Catalog ID migration and scanner swap affect how OSPS baseline results are stored and matched; suite-scoped lookups reduce wrong-row joins but deploy must run the migration with the worker image update.
Overview
Moves the security best practices worker to the OSSF pvtr-github-repo-scanner plugin at v0.23.2 (new commit, Go 1.26.3 image) and aligns Privateer policy with catalog osps-baseline-2026-02 instead of OSPS_B. A Flyway migration rewrites existing securityInsightsEvaluationSuites.catalogId values; the worker's CATALOG_ID and example config match the new id. findSuiteControlEvaluation can filter by securityInsightsEvaluationSuiteId, and persistence now passes suite.id so assessments attach to the correct suite after the catalog rename.
Reviewed by Cursor Bugbot for commit c84ee25.