feat: dependency check #17

Merged: gusfcarvalho merged 19 commits into master from gc-feat-dependency-check on May 21, 2026

@gusfcarvalho (Contributor) commented May 21, 2026

Introduces the ability to parse a repository's dependencies (for now golang apps only)

Summary by CodeRabbit

  • New Features

    • Optional Go dependency-health collection with per-dependency evidence, policy evaluation, and configurable behavior/limits.
  • Documentation

    • README updated with dependency-health config, permissions, semantics and limits.
    • Added dependency-health design document.
  • Tests

    • Extensive unit and integration tests covering dependency parsing, collection, metrics, caching, and policy evaluation.
  • Chores

    • Bumped a module dependency to v0.7.0.
    • Updated .gitignore to exclude plugin-github-repositories.
  • CI

    • Test workflow now derives Go version from go.mod.

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Copilot AI review requested due to automatic review settings May 21, 2026 15:46
coderabbitai Bot commented May 21, 2026

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Walkthrough

Adds optional dependency-health collection from direct go.mod requires, resolves GitHub module paths, enriches dependency repositories with release/commit/workflow/license/SBOM/PR metrics, refactors evaluation to run per dependency, and adds types, tests, README updates, and a design document.

Changes

Dependency Health Feature

| Layer | File(s) | Summary |
|---|---|---|
| Design document | dependency-health-design.md | Design and policy conventions for dependency health collection, input shapes, resolver rules, collected signals, and test/bootstrap expectations. |
| Dependency Health Data Model | types.go | Exports RepositoryDependency and nested types for policy input, identity, health signals, supply-chain summaries, and collection status/errors. |
| Plugin configuration and Eval refactor | main.go | Adds dependency-health config fields and parsed defaults, moves policy input to request-provided PolicyData, parses settings in Configure, and refactors Eval/EvaluatePolicies to accept explicit dependencies and dependency policy data. |
| Gathering: go.mod parsing and module resolution | dependencies.go | Fetches go.mod, parses direct (non-indirect) require entries, truncates to configured max, resolves github.com/{owner}/{repo} module paths into repository identity, optionally omits unresolved deps, caches repository facts, and deep-clones cached results before emitting each dependency. |
| Health enrichment: releases, commits, workflows, license, SBOM | dependencies.go | Collects latest release (404 → absent), latest commit on default branch, workflow totals and latest default-branch run, license metadata (404 → absent), and optional SBOM via GitHub Dependency Graph (presence vs API errors recorded). |
| Pull request statistics and sampling | dependencies.go | Lists open and recently closed PRs with pagination, computes oldest open PR creation, recent closed PR count over lookback, median days-to-close, and median hours-to-first-interaction by sampling closed PRs and examining earliest comments/reviews after creation. |
| Helpers: cloning, parsing, medians, error recording | dependencies.go | Helpers for fetching go.mod, parsing direct dependencies, deep-cloning dependency snapshots (time/float pointer safety), median calculations, GitHub timestamp conversion, and scoped collection error recording with optional logging. |
| Unit tests | dependencies_test.go | Unit tests for go.mod parsing, GitHub module path resolution, dependency-health config defaults/validation, median helpers, and policy-path classification. |
| Integration tests | dependencies_test.go | httptest-based integration tests validate GatherRepositoryDependencies (enrichment, caching, archived/forbidden SBOM handling, omission of unresolved deps), missing go.mod behavior, and EvaluatePolicies per-dependency evidence production. |
| Docs and CI updates | dependency-health-design.md, README.md, .gitignore, go.mod, .github/workflows/test.yml | Design doc and README additions for dependency health, README permission and config updates, .gitignore addition, go.mod dependency bump, and CI setup reading Go version from go.mod. |

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐰 I nibble go.mod lines with cheer,
Resolve upstreams both far and near.
Fetch releases, commits, and PR cues,
SBOMs, licenses, median views.
Per-dependency policies hop into sight!

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 1.92% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |
| Title check | ❓ Inconclusive | The title 'feat: dependency check' is vague and generic; it does not clearly convey the specific feature being implemented or summarize the main change meaningfully. | Consider using a more descriptive title such as 'feat: add Go dependency health collection and policy evaluation' or 'feat: parse Go module dependencies for supply-chain visibility'. |

✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Copilot AI left a comment

Pull request overview

Adds optional Go (go.mod) direct dependency parsing and per-dependency policy evaluation so the plugin can emit dependency health / supply-chain evidence (repository resolution, activity, workflows, PR signals, license, SBOM summary) when enabled.

Changes:

  • Introduces a dependency data model (RepositoryDependency + health/supply-chain/status structs) and a go.mod parser + GitHub-based dependency health collector.
  • Extends plugin configuration to enable/limit dependency health collection, and updates evaluation to route “dependency behavior” policies per dependency.
  • Updates documentation and bumps compliance-framework/agent plus adds golang.org/x/mod.

Reviewed changes

Copilot reviewed 7 out of 9 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| types.go | Adds dependency-related types used as policy input/output. |
| dependencies.go | Implements go.mod parsing, GitHub repo resolution, and dependency health/supply-chain collection. |
| dependencies_test.go | Adds unit + end-to-end style HTTP-mocked tests for parsing/collection and dependency policy evaluation. |
| main.go | Adds dependency health config parsing and splits policy evaluation into repository vs dependency behavior. |
| README.md | Documents optional dependency collection, required permissions, and new config knobs. |
| dependency-health-design.md | Adds detailed design doc for dependency health evidence and policy model. |
| go.mod / go.sum | Bumps agent version and adds golang.org/x/mod. |
| .gitignore | Ignores built plugin-github-repositories artifact. |

Comment thread main.go
Comment thread main.go
coderabbitai Bot left a comment

Actionable comments posted: 6

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@dependencies_test.go`:
- Around line 391-394: The test populates data.PolicyData on the
SaturatedRepository but still calls EvaluatePolicies with nil (lines around the
EvaluatePolicies call), so the dependency-level policy_data path is never
exercised; update the test to pass the dependency policy data into
EvaluatePolicies (e.g., pass data.PolicyData or the specific dependency map
instead of nil) when invoking EvaluatePolicies in the test that builds
SaturatedRepository, and adjust assertions to verify that dependency-specific
thresholds from PolicyData are applied by the
EvaluatePolicies/ApplyDependencyPolicies code paths (refer to
SaturatedRepository, PolicyData, and EvaluatePolicies).
- Around line 420-453: Replace direct protobuf field accesses with protobuf
getter methods in the assertions: use ev.GetLabels() instead of ev.Labels (e.g.,
ev.GetLabels()["type"]), use foo.GetSubjects() and
foo.GetSubjects()[0].GetIdentifier() instead of foo.Subjects/Identifier and use
foo.GetLinks() when calling evidenceHasHref(foo, ...) (or adjust evidenceHasHref
to accept links), and similarly use bar.GetProps() and
bar.GetProps()[0].GetValue() and bar.GetLinks() instead of bar.Props and
bar.Links; update the length checks to len(foo.GetSubjects()) and any other
places referencing these fields to consistently use Get*() on proto.Evidence
(symbols: byDependency, evidence slice, foo, bar, evidenceHasHref).

In `@dependencies.go`:
- Around line 507-527: The listPullRequestIssues function currently only
requests Page:1 and ignores pagination, undercounting PRs; update it to paginate
by calling l.githubClient.Issues.ListByRepo repeatedly, collecting results
across pages: call ListByRepo with opts (including Since), append returned
issues to a single slice, inspect the returned *github.Response (resp.NextPage)
and loop setting opts.Page = resp.NextPage until NextPage == 0 or no more
results, preserving the same PR filter (issue.IsPullRequest()) and error
handling used in listPullRequestIssues.

In `@dependency-health-design.md`:
- Around line 577-584: The policy title string is inverted for stale-activity
violations; change the title variable (title := "...") to reflect a violation
(e.g., "Direct dependency has no recent upstream activity" or "Direct dependency
shows no recent upstream activity") and ensure the description (description :=
"...") remains the healthy/explanatory text already suggested so evidence
emitted uses the corrected title and matching description.

In `@main.go`:
- Around line 225-229: The code currently logs raw policy_data via
l.Logger.Debug which can leak secrets/PII; change all occurrences (e.g., the
l.Logger.Debug call using "policy_data" with config.policyData and any similar
logs in the evaluation loops at the referenced locations) to avoid dumping
values — log only mapKeys(config.policyData), counts (len), or a redacted
summary instead of the full map; update any places that pass config.policyData
into structured log fields to pass keys/count or a
redactPolicyData(config.policyData) summary and remove direct value exposure.

In `@README.md`:
- Around line 40-45: The README currently documents configuration keys
(dependency_health_enabled, dependency_health_max_dependencies,
dependency_health_closed_pr_lookback_days, dependency_health_include_unresolved,
dependency_health_collect_sbom, dependency_health_pr_interaction_sample_size)
using quoted strings; change these to typed YAML scalars (use unquoted booleans
true/false and unquoted integers for numeric values) so consumers copying the
snippet will have correct types and avoid parser coercion or decoding failures.
📥 Commits

Reviewing files that changed from the base of the PR and between 50ae2e0 and 9e6cf5a.

⛔ Files ignored due to path filters (1)
  • go.sum is excluded by !**/*.sum
📒 Files selected for processing (8)
  • .gitignore
  • README.md
  • dependencies.go
  • dependencies_test.go
  • dependency-health-design.md
  • go.mod
  • main.go
  • types.go

Comment thread dependencies_test.go
Comment thread dependencies_test.go Outdated
Comment thread dependencies.go Outdated
Comment thread dependency-health-design.md Outdated
Comment thread main.go
Comment thread README.md
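
An added example (not code from this PR or from the plugin) of the log redaction the main.go finding above asks for: summarise policy data by key names and value kinds so a debug log never carries the values. `redactPolicyData` is the helper name the review comment suggests; its body, the `PolicyDataSummary` type, the depth limit and the sample data are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// maxShapeDepth bounds recursion into nested policy data (assumed limit).
const maxShapeDepth = 4

// PolicyDataSummary is the log-safe view: key names and value kinds only.
type PolicyDataSummary struct {
	Count int      // number of top-level keys
	Keys  []string // sorted top-level key names
	Shape []string // sorted "path:kind" entries; values are never copied
}

// redactPolicyData is a hypothetical implementation of the helper name the
// review comment suggests. No value from data ends up in the summary.
func redactPolicyData(data map[string]interface{}) PolicyDataSummary {
	s := PolicyDataSummary{Count: len(data), Keys: make([]string, 0, len(data))}
	for k := range data {
		s.Keys = append(s.Keys, k)
	}
	sort.Strings(s.Keys)
	describe("", data, 0, &s.Shape)
	sort.Strings(s.Shape)
	return s
}

// describe records the kind of v under path, descending into nested maps.
func describe(path string, v interface{}, depth int, out *[]string) {
	switch t := v.(type) {
	case map[string]interface{}:
		if depth >= maxShapeDepth {
			*out = append(*out, path+":map(depth limit)")
			return
		}
		if len(t) == 0 && path != "" {
			*out = append(*out, path+":map[0]")
			return
		}
		for k, child := range t {
			p := k
			if path != "" {
				p = path + "." + k
			}
			describe(p, child, depth+1, out)
		}
	case []interface{}:
		// Only the length is reported; elements are not inspected.
		*out = append(*out, fmt.Sprintf("%s:list[%d]", path, len(t)))
	case nil:
		*out = append(*out, path+":null")
	default:
		// %T prints only the Go type name (string, bool, int, float64, ...).
		*out = append(*out, fmt.Sprintf("%s:%T", path, v))
	}
}

func main() {
	// Constructed sample: the token and the addresses are made up.
	policyData := map[string]interface{}{
		"api_token": "tok-constructed-123",
		"strict":    true,
		"thresholds": map[string]interface{}{
			"max_stale_days": 180,
			"owners":         []interface{}{"a@example.test", "b@example.test"},
		},
	}
	summary := redactPolicyData(policyData)
	// This is what a debug log call would receive instead of the raw map.
	fmt.Printf("policy_data count=%d keys=%v shape=%v\n",
		summary.Count, summary.Keys, summary.Shape)
}
```

Key names are still logged, so this only helps when secrets live in values rather than in keys.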
Copilot AI left a comment

Pull request overview

Copilot reviewed 7 out of 9 changed files in this pull request and generated 3 comments.

Comment thread dependencies.go Outdated
Comment thread dependencies.go
Comment thread dependency-health-design.md Outdated
coderabbitai Bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)
dependency-health-design.md (1)

1034-1045: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Align the identifier examples with the implementation in this PR.

The code now emits dependency identifiers as github-repository-dependency/<repo>/<module>@<version>, but this section still documents dependency/go/.... Leaving both formats in the same PR makes the evidence identifier contract ambiguous for policy authors and downstream tooling.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dependency-health-design.md` around lines 1034 - 1045, Update the
documentation examples to match the implementation that emits identifiers as
github-repository-dependency/<repo>/<module>@<version> instead of the old
dependency/go/... format; replace the recommended identifier example and the
future inventory example with the actual contract used by the code (e.g.,
github-repository-dependency/github.com/example/lib@v1.2.3) and add a short note
that these identifiers are stable and can be promoted to first-class inventory
items, ensuring the doc strings exactly match the emitted identifier pattern
used by the PR.
main.go (1)

510-516: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Buffer dependency evidence until the whole repository succeeds.

CreateEvidence happens inside the per-dependency callback. If a later dependency evaluation or write fails, Eval returns FAILURE after earlier dependency findings have already been persisted. That leaves partial assessment state behind and can duplicate findings on retry. Accumulate the dependency evidences for this repository and submit them only after gatherRepositoryDependencies completes without error.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@main.go` around lines 510 - 516, The current code calls
apiHelper.CreateEvidence inside the per-dependency callback passed to
l.gatherRepositoryDependencies (where EvaluatePolicies is invoked), causing
evidence to be persisted incrementally and leaving partial state on later
failure; instead, collect/append each dependency's evidences into a local slice
(e.g., depsEvidences) defined outside the callback in main.go, have the callback
return nil after appending, and after l.gatherRepositoryDependencies returns
successfully call apiHelper.CreateEvidence once with the accumulated slice;
ensure you only call CreateEvidence when gatherRepositoryDependencies returns no
error so evidences are only persisted on complete success.
dependencies.go (1)

400-408: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Use workflows.TotalCount for workflow count

collectDependencyWorkflows calls Actions.ListWorkflows(..., nil) and sets summary.Count = len(workflows.Workflows), which only reflects the number of workflows returned in that response page. Since go-github’s Workflows response includes TotalCount *int, use *workflows.TotalCount (with a nil fallback) to avoid undercounting repositories with more workflows than the returned slice size.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dependencies.go` around lines 400 - 408, The code in
collectDependencyWorkflows uses len(workflows.Workflows) which only reflects the
current page; change assignment of summary.Count to use the TotalCount field
from the go-github response instead: when workflows != nil set summary.Count to
the dereferenced value of workflows.TotalCount with a safe nil fallback (e.g.,
0) so repositories with more workflows than the returned slice are counted
correctly.
📥 Commits

Reviewing files that changed from the base of the PR and between 9e6cf5a and 825fef5.

📒 Files selected for processing (4)
  • dependencies.go
  • dependencies_test.go
  • dependency-health-design.md
  • main.go
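
An added example (not code from this PR) contrasting the two persistence patterns the main.go finding above describes: writing evidence inside the per-dependency callback versus buffering it and writing once after the whole repository succeeded. `Evidence`, `evidenceStore`, `gatherDependencies` and the evaluator are hypothetical stand-ins for the plugin's types and for `gatherRepositoryDependencies`; the module paths are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Evidence is a stand-in for the plugin's evidence records (assumed shape).
type Evidence struct {
	Dependency string
	Title      string
}

// evidenceStore is a hypothetical in-memory stand-in for the API behind
// CreateEvidence; it counts calls so the difference is observable.
type evidenceStore struct {
	stored []Evidence
	calls  int
}

func (s *evidenceStore) CreateEvidence(evs []Evidence) error {
	s.calls++
	s.stored = append(s.stored, evs...)
	return nil
}

// evaluateFn stands in for per-dependency policy evaluation.
type evaluateFn func(dep string) ([]Evidence, error)

// gatherDependencies visits each dependency and stops at the first error,
// the callback style the review comment describes.
func gatherDependencies(deps []string, each func(dep string) error) error {
	for _, d := range deps {
		if err := each(d); err != nil {
			return err
		}
	}
	return nil
}

// evalIncremental persists inside the callback: the flagged pattern.
// A failure on a later dependency leaves earlier evidence behind.
func evalIncremental(deps []string, eval evaluateFn, store *evidenceStore) error {
	return gatherDependencies(deps, func(dep string) error {
		evs, err := eval(dep)
		if err != nil {
			return fmt.Errorf("evaluate %s: %w", dep, err)
		}
		return store.CreateEvidence(evs)
	})
}

// evalBuffered accumulates evidence and persists it once, and only when
// every dependency was evaluated without error.
func evalBuffered(deps []string, eval evaluateFn, store *evidenceStore) error {
	var buffered []Evidence
	err := gatherDependencies(deps, func(dep string) error {
		evs, err := eval(dep)
		if err != nil {
			return fmt.Errorf("evaluate %s: %w", dep, err)
		}
		buffered = append(buffered, evs...)
		return nil
	})
	if err != nil {
		return err // nothing has been written yet, so a retry starts clean
	}
	if len(buffered) == 0 {
		return nil
	}
	return store.CreateEvidence(buffered)
}

var errUpstream = errors.New("upstream API error (constructed)")

// failingOn returns an evaluator that fails for exactly one dependency.
func failingOn(bad string) evaluateFn {
	return func(dep string) ([]Evidence, error) {
		if dep == bad {
			return nil, errUpstream
		}
		return []Evidence{{Dependency: dep, Title: "dependency health evaluated"}}, nil
	}
}

func main() {
	deps := []string{"github.com/example/a", "github.com/example/b", "github.com/example/c"}
	inc, buf := &evidenceStore{}, &evidenceStore{}
	errInc := evalIncremental(deps, failingOn(deps[2]), inc)
	errBuf := evalBuffered(deps, failingOn(deps[2]), buf)
	fmt.Printf("incremental: err=%v stored=%d calls=%d\n", errInc, len(inc.stored), inc.calls)
	fmt.Printf("buffered:    err=%v stored=%d calls=%d\n", errBuf, len(buf.stored), buf.calls)
}
```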

@gusfcarvalho gusfcarvalho requested a review from Copilot May 21, 2026 16:09
@gusfcarvalho (Contributor, Author) commented

lisa: done. no actionable review threads remaining.

Copilot AI left a comment

Pull request overview

Copilot reviewed 7 out of 9 changed files in this pull request and generated 2 comments.

Comment thread dependencies.go Outdated
Comment thread dependencies.go
@gusfcarvalho (Contributor, Author) left a comment

I like submitting reviews. (this is a test)

coderabbitai Bot left a comment

♻️ Duplicate comments (1)
README.md (1)

40-45: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Keep dependency-health config values as quoted strings to match the parser contract.

Line 40-45 now documents typed YAML booleans/integers, but these fields are parsed as strings in plugin config. This makes docs inconsistent with implementation and can break copied configs depending on decoding path.

Suggested README fix
-    dependency_health_enabled: false
-    dependency_health_max_dependencies: 50
-    dependency_health_closed_pr_lookback_days: 180
-    dependency_health_include_unresolved: true
-    dependency_health_collect_sbom: true
-    dependency_health_pr_interaction_sample_size: 20
+    dependency_health_enabled: "false"
+    dependency_health_max_dependencies: "50"
+    dependency_health_closed_pr_lookback_days: "180"
+    dependency_health_include_unresolved: "true"
+    dependency_health_collect_sbom: "true"
+    dependency_health_pr_interaction_sample_size: "20"
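
Review bot: the README should say, next to the six `+` lines, that these keys are strings parsed by the plugin, because quoting them (`dependency_health_enabled: "false"`, `dependency_health_max_dependencies: "50"`) reverses the typed-scalar form an earlier review round on this PR asked for, and without that sentence the next reader is likely to un-quote them again. It would also help to document what the plugin does with a value it cannot parse, since a fallback on `dependency_health_enabled` or `dependency_health_collect_sbom` changes which evidence gets collected.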

Based on learnings: dependency health config fields in PluginConfig are declared as string and manually parsed, so the README example should use quoted string values.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@README.md` around lines 40 - 45, The README shows dependency_health fields as
raw YAML booleans/integers but the PluginConfig expects string-typed values;
update the example lines for dependency_health_enabled,
dependency_health_max_dependencies, dependency_health_closed_pr_lookback_days,
dependency_health_include_unresolved, dependency_health_collect_sbom, and
dependency_health_pr_interaction_sample_size to use quoted string values (e.g.
"false", "50", "180", "true", "true", "20") so the documented config matches the
PluginConfig string contract and manual parsing.
📥 Commits

Reviewing files that changed from the base of the PR and between a7bde8d and 3417f72.

📒 Files selected for processing (6)
  • README.md
  • dependencies.go
  • dependencies_test.go
  • dependency-health-design.md
  • main.go
  • types.go

Copilot AI left a comment

Pull request overview

Copilot reviewed 7 out of 9 changed files in this pull request and generated 4 comments.

Comment thread dependencies.go
Comment thread dependencies.go Outdated
Comment thread dependencies.go Outdated
Comment thread README.md Outdated
coderabbitai Bot left a comment

♻️ Duplicate comments (1)
dependencies.go (1)

18-18: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Increase PR page cap to avoid heavily biased health metrics.

Line 18 sets dependencyPRMaxPages to 1, which truncates PR-derived metrics to at most 100 items per state and can significantly skew OpenCount, RecentClosedCount, and median calculations for active repositories.

Suggested minimal fix
-	dependencyPRMaxPages  = 1
+	dependencyPRMaxPages  = 10
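
Review bot: `dependencyPRMaxPages = 10` still hard-codes the cap and disagrees with the prompt text that accompanies this suggestion, which proposes 5 or a configurable value; settle on one and expose it alongside the other `dependency_health_*` settings. At up to 100 items per page per state, ten pages means up to ten list calls per PR state for every dependency, so the request cost should be weighed together with `dependency_health_max_dependencies`, and the evidence should record when the cap truncated the listing so a policy can tell partial PR metrics from complete ones.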
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@dependencies.go` at line 18, The constant dependencyPRMaxPages is set to 1
which limits PR-derived metrics; update dependencyPRMaxPages to a higher
sensible default (e.g., 5) or wire it to a configurable source (env/config) so
PR pagination fetches more pages; locate the dependencyPRMaxPages definition and
replace the literal 1 with the chosen default or a config lookup (e.g., read
from config.GetInt/ENV) and ensure any callers that rely on this constant
continue to accept an int.
📥 Commits

Reviewing files that changed from the base of the PR and between 3417f72 and 8b55fcc.

📒 Files selected for processing (4)
  • .github/workflows/test.yml
  • README.md
  • dependencies.go
  • dependencies_test.go

Copilot AI left a comment

Pull request overview

Copilot reviewed 8 out of 10 changed files in this pull request and generated 2 comments.

Comments suppressed due to low confidence (1)

main.go:189

  • Renaming policy_input to policy_data in the repository evaluation payload is a breaking change for any existing policies that read input.policy_input. Consider including a backward-compatible alias field (or populating both JSON keys) for at least one release cycle, or clearly documenting the breaking change and required policy updates.
	RepositoryTeams      []*RepositoryTeam                       `json:"repository_teams"`
	Environments         []*RepositoryEnvironment                `json:"environments"`
	EffectiveBranchRules map[string]*BranchRuleEvidence          `json:"effective_branch_rules"`
	PolicyData           map[string]interface{}                  `json:"policy_data"`
}

Comment thread main.go
Comment thread README.md
Copilot AI left a comment

Pull request overview

Copilot reviewed 8 out of 10 changed files in this pull request and generated 3 comments.

Comment thread dependencies.go Outdated
Comment thread dependencies.go Outdated
Comment thread main.go
Copilot AI left a comment

Pull request overview

Copilot reviewed 8 out of 10 changed files in this pull request and generated 2 comments.

Comment thread README.md Outdated
Comment thread main.go
Copilot AI left a comment

Pull request overview

Copilot reviewed 8 out of 10 changed files in this pull request and generated 1 comment.

Comment thread main.go Outdated
Copilot AI left a comment

Pull request overview

Copilot reviewed 8 out of 10 changed files in this pull request and generated 2 comments.

Comment thread dependencies.go Outdated
Comment thread dependencies.go
Copilot AI left a comment

Pull request overview

Copilot reviewed 8 out of 10 changed files in this pull request and generated 1 comment.

Comment thread dependencies.go
Copilot AI left a comment

Pull request overview

Copilot reviewed 8 out of 10 changed files in this pull request and generated no new comments.

@gusfcarvalho (Contributor, Author) commented

lisa: done. all review threads addressed (via reply or fix).

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
@gusfcarvalho gusfcarvalho merged commit 7d50a91 into master May 21, 2026
3 checks passed