8000
Skip to content

feat: add experimental support for updating config files#2534

Open
G-Rath wants to merge 43 commits intogoogle:mainfrom
ackama:support-updating-configs
Open

feat: add experimental support for updating config files#2534
G-Rath wants to merge 43 commits intogoogle:mainfrom
ackama:support-updating-configs

Conversation

@G-Rath
Copy link
Copy Markdown
Collaborator
@G-Rath G-Rath commented Feb 19, 2026

This is an attempt to port the --update-config-ignores feature from osv-detector, which has been useful especially for onboarding new codebases and updating existing ones after patching has been done to prune out old entries.

Currently this does not preserve comments or specific formatting, but I'm hopeful those are things we can improve on future especially if this proves to be a popular flag

@gemini-code-assist

This comment was marked as outdated.

Sign in to view
@G-Rath G-Rath marked this pull request as ready for review February 19, 2026 02:52
@gemini-code-assist

This comment was marked as outdated.

Sign in to view
@G-Rath G-Rath force-pushed the support-updating-configs branch 6 times, most recently from 1b5d45c to bdd81c3 Compare February 23, 2026 03:01
@codecov-commenter
Copy link
Copy Markdown
codecov-commenter commented Feb 23, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 86.33094% with 19 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.14%. Comparing base (3553569) to head (0ba5d86).

Files with missing lines Patch % Lines
pkg/osvscanner/configs.go 85.91% 5 Missing and 5 partials ⚠️
internal/config/config.go 88.88% 3 Missing and 1 partial ⚠️
pkg/osvscanner/osvscanner.go 78.94% 2 Missing and 2 partials ⚠️
cmd/osv-scanner/internal/helper/flags.go 75.00% 1 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #2534      +/-   ##
==========================================
+ Coverage   67.99%   68.14%   +0.15%     
==========================================
  Files         173      174       +1     
  Lines       13387    13511     +124     
==========================================
+ Hits         9102     9207     +105     
- Misses       3576     3589      +13     
- Partials      709      715       +6

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

another-rex
another-rex reviewed Feb 23, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator
@another-rex another-rex left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Being able to automatically remove not found vulnerabilities from the config files seem quite useful.

However I'm not sure how much we want to encourage people to automatically add all their vulns to the ignore file. At least we should separate the two functionalities, maybe by making UpdateConfigIgnores not a boolean flag

internal/config/__snapshots__/config_internal_test.snap Outdated
id = "GHSA-123"

[[IgnoredVulns]]
id = "GHSA-456"
Copy link
Copy Markdown
Collaborator
@another-rex another-rex Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add a comment/reason saying this is automatically added by the new flag?

Copy link
Copy Markdown
Collaborator Author
@G-Rath G-Rath Feb 23, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

at this point I'm leaning to not doing that just for simplicity, and I'd rather add it later to see how we feel - I'll explore this once I'm done with the core implementation

@G-Rath
Copy link
Copy Markdown
Collaborator Author
G-Rath commented Feb 23, 2026

However I'm not sure how much we want to encourage people to automatically add all their vulns to the ignore file

I originally felt against this kind of thing too, similar to also having tools like this exit as an error if there were unused ignores, but I've found in practice at least in an agency company kind of context it can really help reduce the friction - I'm able to tell other developers who are less familiar with this space to just add "xyz flag" rather than needing to try explain how to write ignores (which they can still learn about because they see the diff + it helps keep the actual order and format consistent), and when onboarding apps from other vendors we can get the security pipelines setup faster by initially ignoring all existing vulns and then go back to triage.

With osv-detector prior to this flag I was having to run this jq query:

osv-detector --json . | jq -r  '[.results[].packages | map("- " + .vulnerabilities[].id)] | flatten | unique | sort | .[]'

which has no hope of preserving any other config content including other properties and comments (the latter of which are not being preserved "yet")

At least we should separate the two functionalities, maybe by making UpdateConfigIgnores not a boolean flag

I really like this idea, because then we could also later introduce an "interactive" mode which could let you set reasons and "until" dates.

One side thing to consider with this is if we do the updating before or after our filtering - currently I have it being done before which means the tool always presents "no vulns found" and with a non-zero exit code; currently osv-detector does it the other way around, presenting everything as if it wasn't going to add ignores, and just adds a "ignored vulns" message at the end of its output.

Since this is being added an experimental flag we don't need to decide right now, but something to think about - I can explore this more once we've gotten the rest of the implementation settled, since it should just be a case of moving a function call to see the difference 🤷

@G-Rath G-Rath mentioned this pull request Feb 26, 2026
Merged
G-Rath added a commit that referenced this pull request Feb 26, 2026
@G-Rath
refactor(config): use dedicated files for "config" and "manager" code…
b9f296c 
…, and rename method receiver (#2551)

While doing some deduplication for #2534, I found having these in the
same file when they have the same receiver name to be confusing so I've
moved them to different files and renamed the receiver for `Manager` to
be `m`
@G-Rath G-Rath force-pushed the support-updating-configs branch 3 times, most recently from 0b21ce3 to 4da338d Compare March 3, 2026 21:27
@G-Rath G-Rath mentioned this pull request Mar 4, 2026
Open
20 tasks
@G-Rath G-Rath force-pushed the support-updating-configs branch 3 times, most recently from 495d044 to 880a80c Compare March 6, 2026 21:02
@G-Rath G-Rath requested a review from another-rex March 10, 2026 02:39
@G-Rath

This comment was marked as resolved.

Sign in to view
@G-Rath G-Rath force-pushed the support-updating-configs branch 3 times, most recently from d26adc2 to a99c857 Compare March 10, 2026 22:25
@G-Rath G-Rath force-pushed the support-updating-configs branch from a99c857 to 72b86d8 Compare March 19, 2026 20:23
G-Rath added 26 commits March 20, 2026 10:18
@G-Rath
test: update names
8e1efd8
@G-Rath
test: add case for global config + recursive
15a0411
@G-Rath
test: add more cases for "with no config"
513f9c4
@G-Rath
test: merge groups
c711711
@G-Rath
test: use cassettes and update snapshots
8eb82f0
@G-Rath
feat: switch to using a string flag
c1145a6
@G-Rath
feat: implement support for removing unused ignores
9395e54
@G-Rath
refactor: merge unused-config.toml and custom-config.toml
b1e0899
@G-Rath
test: add a config case with a package override
cbab8c1
@G-Rath
chore: add todos
f93dd00
@G-Rath
refactor(config): split ignoring and saving
c6e840a
@G-Rath
refactor: clean up functions a bit more
28ac7d4
@G-Rath
refactor: stick with saving as config map is not holding pointers
2e2b2c1
@G-Rath
docs: add a page
92791ab
@G-Rath
perf: optimize slice filtering
eda9929
@G-Rath
fix: store configs by reference
2ffb482
@G-Rath
feat: print the number of removed unused ignore entries
2c62f2a
@G-Rath
feat: print the actual ignore entries that were removed
c39c234
@G-Rath
fix: don't record configs that had no ignores removed
1baeada
@G-Rath
feat: print when config ignores have been updated
57749cb
@G-Rath
refactor: deduplicate "reporting on unused ignore action"
2583e91
@G-Rath
refactor: deduplicate the whole "unused ignore entries" section
c23b5be
@G-Rath
refactor: deduplicate for when we're ignoring all entries too
c04b54d
@G-Rath
fix: omit empty fields from package overrides
47496f1
@G-Rath
fix: omit ignored vulns and package overrides entirely if empty
7641656
@G-Rath
fix: reorder top level Config fields
7e4942a
@G-Rath G-Rath force-pushed the support-updating-configs branch 2 times, most recently from 71c87bb to 25dc0aa Compare March 19, 2026 21:56
@G-Rath G-Rath force-pushed the support-updating-configs branch from 25dc0aa to 0ba5d86 Compare March 19, 2026 21:57
733E
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cuixq cuixq Awaiting requested review from cuixq

@Ly-Joey Ly-Joey Awaiting requested review from Ly-Joey

@another-rex another-rex Awaiting requested review from another-rex

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@G-Rath @codecov-commenter @another-rex
0