A finding marked as an exception (e.g. a deliberately-public S3 bucket) was suppressed in the Cloud Tests findings view but still failed the corresponding integration TASK check — both the compliance task status and the "N failed" card — because only cloud-security-query applied exceptions.

Centralize the exception logic into one source of truth (ActiveExceptionSet / loadActiveExceptionSet) and apply it everywhere a check result becomes pass/fail:

- Cloud Tests findings view refactored to use it (removes the duplicate; the two systems are now matched by construction).
- Manual run-check + scheduled Trigger task: task status excludes excepted findings (shared decideTaskStatus / countEffectiveFailures helpers), so a task whose only failures are excepted goes done — identical in both paths.
- Task-check display (getTaskCheckRuns): excepted results are flagged and dropped from the run's failed count/status; the UI renders them as "Exception".

Additive + fail-safe: with no exceptions the behavior is byte-for-byte identical, and if the exception lookup errors it suppresses nothing (never hides a real finding). Raw check results/counts are left untouched in the DB; exceptions only affect derived status + display.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Two P1 issues from cubic:

1. getTaskCheckRuns rewrote a failed run to success whenever the effective failed count was 0 — which also matched an execution-error run (status failed, failedCount 0 because the error produced no findings), hiding real runtime failures. Gate the rewrite on exceptedCount > 0 so only genuinely all-excepted runs are downgraded; error runs stay failed.
2. decideTaskStatus returned null (leave unchanged) when all findings were excepted AND there were no passing results, so an all-excepted task could stay stuck in its prior (failed) status. Add the raw totalFindings signal: if the check evaluated any resource and nothing effectively fails, it goes done; only a run that evaluated nothing (e.g. all errored) stays unchanged. Applied in both the manual and scheduled paths.

Added tests: all-excepted/no-passing -> done (helper + manual run), and an execution-error run stays failed in the display.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
fix(cloud-security): honor finding exceptions in integration task checks
🎉 This PR is included in version 3.82.1 🎉
The release is available on GitHub release
Your semantic-release bot 📦🚀
This is an automated pull request to release the candidate branch into production, which will trigger a deployment.
It was created by the [Production PR] action.
Summary by cubic
Centralized finding exception handling and applied it across task checks, Cloud Tests, and the UI for consistent behavior. Tasks no longer fail when the only failing findings are excepted; those items are shown as “Exception” and excluded from failed counts.
Bug Fixes
- loadActiveExceptionSet and shared helpers (countEffectiveFailures, decideTaskStatus). All-excepted runs go done; execution errors don’t flip to success.
- getTaskCheckRuns) flag excepted results and drop them from failed counts/status; failed → success only when exceptedCount > 0. Execution-error runs remain failed.

Refactors
- ActiveExceptionSet and helpers for consistent pass/fail decisions; removed duplicated exception lookup in cloud-security query.

Written for commit e3a1495. Summary will update on new commits.
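
The decision rules described in the commit messages above, as an added TypeScript sketch that is not the project's code. The names `countEffectiveFailures` and `decideTaskStatus` come from the page; their signatures, the `Finding` type, `loadExceptionsFailSafe`, `displayRunStatus` and the sample data are assumptions made for illustration.

```typescript
// Added illustration: signatures, types and bodies are assumptions, not the project's code.
type Finding = { id: string; passed: boolean };
type TaskStatus = "done" | "failed" | null; // null = leave the prior status unchanged

// Fail-safe lookup: if the exception source throws, suppress nothing.
function loadExceptionsFailSafe(lookup: () => string[]): Set<string> {
  try {
    return new Set(lookup());
  } catch {
    return new Set<string>();
  }
}

// Failures that still count once active exceptions are applied.
function countEffectiveFailures(findings: Finding[], excepted: Set<string>): number {
  return findings.filter((f) => !f.passed && !excepted.has(f.id)).length;
}

// Derived task status; the raw findings are never modified.
function decideTaskStatus(findings: Finding[], excepted: Set<string>): TaskStatus {
  if (countEffectiveFailures(findings, excepted) > 0) return "failed";
  // Raw total: something was evaluated and nothing effectively fails.
  if (findings.length > 0) return "done";
  return null; // nothing evaluated (e.g. the run errored): keep the prior status
}

// Display status of one run: downgrade failed -> success only when exceptions
// account for the failures, so a run that errored with no findings stays failed.
function displayRunStatus(
  rawStatus: "success" | "failed",
  findings: Finding[],
  excepted: Set<string>,
): "success" | "failed" {
  const failed = findings.filter((f) => !f.passed);
  const exceptedCount = failed.filter((f) => excepted.has(f.id)).length;
  const effectiveFailed = failed.length - exceptedCount;
  if (rawStatus === "failed" && effectiveFailed === 0 && exceptedCount > 0) return "success";
  return rawStatus;
}

// Constructed sample data: one excepted finding, one that is not excepted.
const publicBucket: Finding = { id: "s3-public-bucket", passed: false };
const openPort: Finding = { id: "sg-open-port", passed: false };
const activeExceptions = loadExceptionsFailSafe(() => ["s3-public-bucket"]);
console.log(decideTaskStatus([publicBucket], activeExceptions));
console.log(decideTaskStatus([publicBucket, openPort], activeExceptions));
console.log(displayRunStatus("failed", [], activeExceptions));
```
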