New folder structure (design)

[tmikula-dev]

Overview

This pull request makes significant improvements to the organizational workflows repository, focusing on codebase restructuring and renaming the modules and scripts. The main changes include consolidating and renaming core modules, clarifying documentation and example workflows, and streamlining the AquaSec scan workflow and related configuration.

Release Notes

• New project folder structure (design)

Related

Closes #35

Summary by CodeRabbit

• Documentation

  • Clarified Copilot instructions, repository layout, and logging prefix convention
  • Updated security docs and example workflow paths; renamed Aquasec→AquaSec display names

• Bug Fixes

  • Removed obsolete branch-comparison workflow
  • Reduced unnecessary workflow permissions and removed an unused secret from scan callers

• Refactor

  • Reorganized internal packages and consolidated utilities for clearer structure and maintainability

[coderabbitai]

Warning

Rate limit exceeded

@tmikula-dev has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 50 minutes and 23 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 50 minutes and 23 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: fe93fd3c-3964-4c6c-a1b4-4bb3841df1b3

📥 Commits

Reviewing files that changed from the base of the PR and between 449395e and 2485c78.

📒 Files selected for processing (1)

• .github/workflows/aquasec-scan.yml

Walkthrough

Reorganizes the repository into a domain-driven layout under src/core/ and src/security/, moves subprocess/GitHub helpers into core, introduces security issue models under security.issues.models, updates many imports/tests to the new package paths, and adjusts GitHub Actions and docs accordingly. (≤50 words)

Changes

Cohort / File(s)	Summary
Docs & Workflows /.github/copilot-instructions.md, README.md, docs/security/..., .github/workflows/aquasec-scan.yml, .github/workflows/aquasec-branch-comparison.yml	Updated Copilot instructions; renamed “Aquasec” → “AquaSec”; removed aquasec-branch-comparison.yml; removed GH_PROJECT_ONLY_TOKEN usages and repository-projects: write permission; adjusted example workflow paths.
Pyproject / Tooling pyproject.toml	Changed pytest pythonpath to src, added --import-mode=importlib; expanded coverage omit list to include specific src/security helpers.
Core package src/core/__init__.py, src/core/config.py, src/core/helpers.py, src/core/rendering.py?, src/core/github/... (__init__.py, client.py, issues.py, projects.py)	Created/updated src/core domain: added parse_runner_debug() in config.py; moved subprocess/gh wrappers into core/github/client.py (run_cmd, run_gh); removed duplicated helpers from core/helpers.py; adjusted github-related import wiring.
Security package root & subpackages src/security/__init__.py, src/security/main.py, src/security/*.py, src/security/*/* (check_labels, collect_alert, promote_alerts, send_notifications)	Removed sys.path hacks and rewired scripts to import from core.* and security.* modules; shortened some docstrings; updated entrypoint imports to new package layout.
Security — Alerts src/security/alerts/__init__.py, src/security/alerts/models.py, src/security/alerts/parser.py	Removed/changed alerts module docstrings; alerts.models had many dataclasses and helpers removed (moved to security.issues.models); updated imports to core.helpers and security.* locations.
Security — Issues src/security/issues/__init__.py, src/security/issues/models.py, src/security/issues/builder.py, src/security/issues/sync.py, src/security/issues/sec_events.py, src/security/issues/...templates	Added new security.issues.models exporting IssueIndex, NotifiedIssue, SeverityChange, SyncResult, AlertContext, SyncContext, SEVERITY_ORDER, severity_direction; refactored imports from shared/utils to core/security; moved templates/secmeta import paths.
Security — Notifications src/security/notifications/__init__.py, src/security/notifications/teams.py, src/security/send_notifications.py	New notifications package; teams.py now imports models from security.issues.models and invokes send_notifications.py (renamed from send_to_teams.py); adjusted docstrings and existence checks.
Test updates (imports & targets) tests/... (many files under tests/core/ and tests/security/...)	Widespread test updates to new import paths and patch/monkeypatch targets (shared/utils → core/security); added tests/security/alerts/test_models.py; adjusted fixtures referencing aquasec-night-scan-example.yml.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~75 minutes

Poem

🐰 I hopped through folders, new paths in sight,

Core tools snuggled, security's airtight,
Models moved home, imports now align,
Tests chased the rabbit trail—everything fine! 🥕

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 46.62% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title 'New folder structure (design)' directly describes the main change: reorganizing the repository with a new project folder structure.
Description check	✅ Passed	The PR description follows the template structure with Overview, Release Notes, and Related sections, providing adequate context about the restructuring work.
Linked Issues check	✅ Passed	The PR successfully implements the objectives from issue #35: establishes a clear src structure with core and security submodules, mirrors tests to match the src structure, improves separation of responsibilities, and enhances project design visibility.
Out of Scope Changes check	✅ Passed	All changes align with the folder restructuring objective. Minor updates to workflow names (Aquasec→AquaSec), path corrections in documentation, and removal of unused workflow (aquasec-branch-comparison.yml) are all directly related to the structural refactoring.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feature/new-folder-structure

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 15

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (6)

src/core/github/issues.py (1)

145-145: ⚠️ Potential issue | 🔴 Critical

Fix invalid Python exception syntax: use tuple form for multi-exception handling.

Python 3 requires parentheses when catching multiple exceptions. This is a parse-time error:

Occurrences to fix

Line 145:

-    except json.JSONDecodeError, ValueError:
+    except (json.JSONDecodeError, ValueError):

Line 190:

-        except TypeError, ValueError:
+        except (TypeError, ValueError):

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/core/github/issues.py` at line 145, The except clauses using invalid
syntax "except json.JSONDecodeError, ValueError:" must be changed to the tuple
form used in Python 3; update both occurrences to "except (json.JSONDecodeError,
ValueError):" so the parser accepts multi-exception handling—search for these in
src/core/github/issues.py (around the JSON parsing blocks, e.g., inside the
functions handling GitHub issue payload/response parsing) and replace the
malformed except lines accordingly.

tests/security/alerts/test_parser.py (1)

17-17: ⚠️ Potential issue | 🟡 Minor

Stale docstring references old module path.

The docstring still references utils.alert_parser but the module was relocated to security.alerts.parser.

📝 Proposed fix

-"""Unit tests for ``utils.alert_parser``."""
+"""Unit tests for ``security.alerts.parser``."""

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/security/alerts/test_parser.py` at line 17, Update the module docstring
in tests/security/alerts/test_parser.py to reference the relocated module path
security.alerts.parser instead of the stale utils.alert_parser reference; find
the top-level docstring in that file (the one currently reading "Unit tests for
``utils.alert_parser``.") and change the module path name to
"security.alerts.parser" so the docstring accurately reflects the current module
location.

tests/security/notifications/test_teams.py (1)

17-17: ⚠️ Potential issue | 🟡 Minor

Stale docstring references old module path.

The docstring still references utils.teams but the module was relocated to security.notifications.teams.

📝 Proposed fix

-"""Unit tests for ``utils.teams``."""
+"""Unit tests for ``security.notifications.teams``."""

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/security/notifications/test_teams.py` at line 17, Update the stale
module path in the module docstring at the top of the test (the triple-quoted
string in test_teams.py) to reference the current import path
security.notifications.teams instead of utils.teams so the docstring matches the
relocated module.

docs/security/security.md (1)

249-264: ⚠️ Potential issue | 🔴 Critical

Both directory paths are non-existent: docs/security/example_workflows/ and docs/security/example_workflow/ do not exist.

Line 142 references docs/security/example_workflows/ (plural) as containing example caller workflows, but line 249 links to docs/security/example_workflow/ (singular). Additionally, neither directory exists in the repository, and the referenced file remove-resolved-finding-label.yml is not present. Only one example file exists: docs/security/aquasec-night-scan-example.yml. Either these directories and files need to be created, or both references should be corrected to point to the actual location of example workflows.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@docs/security/security.md` around lines 249 - 264, The linked example
workflow path is incorrect and the referenced file doesn't exist; update the
references in docs/security/security.md that point to
docs/security/example_workflow/remove-resolved-finding-label.yml and
docs/security/example_workflows/... to point to the actual example file (e.g.,
docs/security/aquasec-night-scan-example.yml) or create the missing directory
and add the remove-resolved-finding-label.yml example; edit the example caller
snippet and any other references to use the correct path/name consistently
(search for "remove-resolved-finding-label.yml" and "example_workflow(s)" in
security.md and fix to the chosen existing file or add the new example file
under the referenced directory).

src/security/promote_alerts.py (1)

153-153: ⚠️ Potential issue | 🟡 Minor

Log message missing required domain prefix.

As per coding guidelines, all log messages in src/**/*.py must start with a domain prefix (e.g., "Security -").

Proposed fix

-        logging.debug("Teams webhook URL not configured - skipping notification")
+        logging.debug("Security - Teams webhook URL not configured - skipping notification")

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/security/promote_alerts.py` at line 153, Update the log message to
include the required domain prefix "Security -": find the logging.debug call
that currently logs "Teams webhook URL not configured - skipping notification"
and change the message so it begins with "Security -", e.g. "Security - Teams
webhook URL not configured - skipping notification"; ensure the modified string
is used in the logging.debug invocation in promote_alerts.py.

src/security/notifications/teams.py (1)

76-79: ⚠️ Potential issue | 🟡 Minor

Log messages missing required domain prefix.

Multiple logging statements in this file lack the required "Security -" prefix. As per coding guidelines, all log messages in src/**/*.py must start with a domain prefix.

Example fix for a few key lines

-            logging.info(f"DRY-RUN: {label} webhook configured; no delivery will occur")
+            logging.info(f"Security - DRY-RUN: {label} webhook configured; no delivery will occur")

-        logging.info("No new or reopened issues – skipping Teams notification")
+        logging.info("Security - No new or reopened issues - skipping Teams notification")

Apply similar changes to lines 79, 86, 116, 119, 122, and 161.

Also applies to: 86-86, 116-116, 119-119, 122-122, 139-139, 161-161

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/security/notifications/teams.py` around lines 76 - 79, Multiple
logging.info statements in src/security/notifications/teams.py emit messages
without the required "Security - " domain prefix; locate the logging.info calls
that start with f"DRY-RUN: {label} webhook configured..." and the one with
f"DRY-RUN: no Teams Incoming Webhook URL configured..." (and the similar log
statements referenced around the same blocks at the other noted locations) and
prepend "Security - " to each log message string so they all begin with
"Security - DRY-RUN: ..." (preserve the existing f-string formatting and label
interpolation).

🧹 Nitpick comments (5)

tests/security/alerts/test_models.py (1)

36-40: Use expected == actual assertion order for consistency.

Current assertions are reversed against the repository test convention.

As per coding guidelines tests/**/*.py: Use assert pattern assert expected == actual in test assertions.

Also applies to: 45-47, 52-52

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/security/alerts/test_models.py` around lines 36 - 40, The test
assertions use the repository's reversed order (actual == expected); change them
to the canonical assert expected == actual order: replace assertions like assert
md.severity == "unknown" with assert "unknown" == md.severity, assert md.rule_id
== "" with assert "" == md.rule_id, assert md.rule_name == "" with assert "" ==
md.rule_name, assert md.state == "" with assert "" == md.state, and assert
md.tool == "" with assert "" == md.tool; apply the same flipping of
expected/actual for the other assertions in the same file referenced around the
md object (the assertions at the other noted locations).

src/security/main.py (2)

150-153: Log message missing required domain prefix.

As per coding guidelines, log messages should include the "Security -" domain prefix.

📝 Proposed fix

             logger.error(
-                "Output file '%s' exists. Delete it, choose a different --out, or pass --force.",
+                "Security - Output file '%s' exists. Delete it, choose a different --out, or pass --force.",
                 out_file,
             )

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/security/main.py` around lines 150 - 153, The logger.error call that
reports an existing output file (logger.error(..., out_file)) must include the
required "Security - " domain prefix; update the message passed to logger.error
in the block where out_file is logged so it begins with "Security - " (e.g.,
"Security - Output file '%s' exists...") while preserving the out_file format
argument and existing guidance to delete/choose a different --out or use
--force.

---

137-143: Log messages missing required domain prefix.

As per coding guidelines, all log messages must start with a <Domain> - prefix. These security module logs should use the "Security -" prefix.

📝 Proposed fix

         if missing:
             logger.error(
-                "Required labels missing in %s: %s",
+                "Security - Required labels missing in %s: %s",
                 repo,
                 ", ".join(missing),
             )
             return 1
-        logger.info("All required labels present in %s", repo)
+        logger.info("Security - All required labels present in %s", repo)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@src/security/main.py` around lines 137 - 143, Update the log messages emitted
by logger.error and logger.info in the security module to include the required
domain prefix; specifically, prepend "Security - " to the existing messages that
currently read "Required labels missing in %s: %s" and "All required labels
present in %s" (the calls using variables repo and missing), so both logs start
with "Security - " while preserving the same formatting and arguments.

tests/security/test_check_labels.py (1)

54-56: Consider using list unpacking instead of concatenation.

Static analysis suggests using [*list(REQUIRED_LABELS), "extra-label"] for clarity, though this is a minor style preference.

♻️ Optional refactor

 def test_check_labels_all_present(mocker: MockerFixture) -> None:
-    mocker.patch("security.check_labels.fetch_repo_labels", return_value=list(REQUIRED_LABELS) + ["extra-label"])
+    mocker.patch("security.check_labels.fetch_repo_labels", return_value=[*REQUIRED_LABELS, "extra-label"])
     assert check_labels(REPO) == []

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/security/test_check_labels.py` around lines 54 - 56, The test uses list
concatenation when patching fetch_repo_labels; replace
return_value=list(REQUIRED_LABELS) + ["extra-label"] with a list unpacking form
like return_value=[*list(REQUIRED_LABELS), "extra-label"] in the mocker.patch
call inside test_check_labels_all_present so the intent is clearer while keeping
behavior identical (referencing REQUIRED_LABELS and the mocker.patch of
security.check_labels.fetch_repo_labels).

tests/security/issues/test_sync.py (1)

446-447: Consider moving imports to file top.

As per coding guidelines, imports should be placed at the top of test files rather than inside test functions. However, these are used only in specific tests and don't affect test isolation.

Proposed refactor

Move these imports to the top of the file with other imports:

 from security.issues.secmeta import render_secmeta
+from security.issues.builder import build_child_issue_body, build_issue_title
+from security.issues.sec_events import strip_sec_events_from_body

Then remove the local imports from test functions at lines 446-447 and 534.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@tests/security/issues/test_sync.py` around lines 446 - 447, Move the two
local imports for build_child_issue_body and strip_sec_events_from_body out of
the test functions and add them with the module-level imports at the top of the
file; then remove the in-function imports (the local imports currently
referencing build_child_issue_body and strip_sec_events_from_body) so tests
import these symbols from security.issues.builder and security.issues.sec_events
only once at file scope, ensuring no local duplicate imports remain in the test
functions.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/copilot-instructions.md:
- Around line 9-34: The fenced code block in .github/copilot-instructions.md is
missing a language tag which triggers markdownlint MD040; update the opening
fence from ``` to ```text (or another appropriate language) so the block becomes
```text and keep the existing block contents unchanged to satisfy the linter.

In `@README.md`:
- Line 39: The Markdown link in README has mismatched visible text
"docs/security/example_workflows/" and href "docs/security/example_workflow/";
update the href or the link text so both use the correct folder name (e.g.,
change "example_workflow" to "example_workflows" or vice versa) to make the link
target and display consistent; locate the link string in README.md and make the
paths identical.

In `@src/core/config.py`:
- Line 17: The module docstring contains an EN DASH (–) character causing Ruff
RUF002; update the top-level docstring (the string starting with "Runtime
configuration …") to use an ASCII hyphen (-) instead of the en dash so it reads
"Runtime configuration - GitHub Actions environment detection and logging
setup." Ensure only the character is replaced in the module docstring.

In `@src/core/github/__init__.py`:
- Line 17: Replace the EN DASH in the module docstring with a standard hyphen to
satisfy Ruff RUF002: update the string """GitHub API wrappers – CLI subprocess
helpers, Issues CRUD, Projects V2 GraphQL.""" to use a hyphen instead of the en
dash (the module docstring in src/core/github/__init__.py).

In `@src/core/github/client.py`:
- Line 45: Update the logging call that currently reads logging.error("gh CLI
not found. Install and authenticate gh.") to include the required domain prefix
in the message (e.g., "GitHub - gh CLI not found. Install and authenticate
gh."); locate and modify the logging.error invocation in the client module so
all logs start with the "<Domain> -" format.
- Around line 24-31: The run_cmd wrapper can hang indefinitely; add a timeout
parameter (e.g., timeout: float | None = 60) to the run_cmd signature and pass
it through to subprocess.run to prevent stuck CLI calls, and defensively merge
any provided env with os.environ inside run_cmd (use os.environ.copy() then
update with the passed env) so callers don't have to remember merging; ensure
subprocess.run receives the timeout kwarg and update any call sites (e.g.,
callers like projects.py) if they need a different timeout or to pass None for
no timeout.

In `@src/core/helpers.py`:
- Line 17: The module docstring in src/core/helpers.py uses an en dash character
(–) which triggers Ruff RUF002; replace that en dash with a plain ASCII
hyphen-minus (-) in the module docstring (the top-level string "Pure utility
functions – date helpers, hashing, and path normalisation.") so the docstring
reads "Pure utility functions - date helpers, hashing, and path normalisation."
to remove the ambiguous punctuation.

In `@src/security/__init__.py`:
- Line 17: The module docstring in src/security/__init__.py uses an en dash (–)
which triggers Ruff rule RUF002; edit the module docstring (the top-level string
in __init__.py) and replace the en dash with a normal ASCII hyphen (-) so the
docstring reads "Security workflow - alert-to-issue sync pipeline." to satisfy
the linter.

In `@src/security/alerts/__init__.py`:
- Line 17: The module docstring in src/security/alerts/__init__.py uses an EN
DASH (–) which triggers RUF002; edit the module-level docstring (top of the
file) to replace the EN DASH with a plain ASCII hyphen "-" so it reads "Alert
domain - models, parsing, and constants." and save the file to satisfy the
linter.

In `@src/security/issues/__init__.py`:
- Line 17: The module docstring in __init__.py contains an EN DASH character (–)
causing RUF002; replace it with a normal hyphen '-' so the docstring reads
"Issue management domain - builder, sync, metadata, and templates." and re-run
the linter to confirm the RUF002 warning is resolved.

In `@src/security/notifications/__init__.py`:
- Line 17: The module-level docstring contains an en dash character in the text
"Notification domain – Teams webhook integration." which triggers Ruff RUF002;
edit the docstring in src/security/notifications/__init__.py (module docstring
at top of file) and replace the en dash (–) with a standard ASCII hyphen-minus
(-) so it reads "Notification domain - Teams webhook integration." ensuring no
other non-ASCII punctuation remains.

In `@src/security/notifications/teams.py`:
- Around line 83-86: The logging message uses an ambiguous EN DASH character;
update the string in the logging.warning call that mentions
send_notifications.py to replace the EN DASH (–) with a standard hyphen (-),
e.g., in the expression referencing send_script and label (variables send_script
and label) so the warning reads "... not found at {send_script} - skipping
{label.lower()}" with a normal hyphen character.

In `@src/security/send_notifications.py`:
- Around line 46-56: The usage examples at the bottom of send_notifications.py
show running the script as "python3 send_notifications.py", which breaks when
imports use the package layout (e.g., from core.config ...); update all examples
(the ones showing --body-file, --body, stdin pipe, and --dry-run) to the module
invocation form using the package name (e.g., python3 -m
security.send_notifications ...) so they work with package imports without
requiring editable install or PYTHONPATH adjustments; ensure every occurrence in
the docstring/comments is replaced consistently.

In `@tests/security/alerts/test_models.py`:
- Around line 23-24: Replace the EN DASH characters in the comment strings
(e.g., "AlertMetadata – None-safe __post_init__" and the other comment at line
30) with the plain hyphen-minus "-" so the comments become "AlertMetadata -
None-safe __post_init__" (and same replacement for the second comment) to
resolve the RUF003 lint warning; update the comments in
tests/security/alerts/test_models.py accordingly.

In `@tests/security/issues/test_sync.py`:
- Around line 17-18: The module docstring in tests/security/issues/test_sync.py
contains an ambiguous EN DASH character (–) in the phrase describing the tests;
update the top-level docstring to replace the EN DASH with a standard hyphen (-)
so the line reads "Unit tests for ``security.issues.sync`` - pure-logic helpers
and orchestration functions with mocked GitHub CLI calls." and save the file.

---

Outside diff comments:
In `@docs/security/security.md`:
- Around line 249-264: The linked example workflow path is incorrect and the
referenced file doesn't exist; update the references in
docs/security/security.md that point to
docs/security/example_workflow/remove-resolved-finding-label.yml and
docs/security/example_workflows/... to point to the actual example file (e.g.,
docs/security/aquasec-night-scan-example.yml) or create the missing directory
and add the remove-resolved-finding-label.yml example; edit the example caller
snippet and any other references to use the correct path/name consistently
(search for "remove-resolved-finding-label.yml" and "example_workflow(s)" in
security.md and fix to the chosen existing file or add the new example file
under the referenced directory).

In `@src/core/github/issues.py`:
- Line 145: The except clauses using invalid syntax "except
json.JSONDecodeError, ValueError:" must be changed to the tuple form used in
Python 3; update both occurrences to "except (json.JSONDecodeError,
ValueError):" so the parser accepts multi-exception handling—search for these in
src/core/github/issues.py (around the JSON parsing blocks, e.g., inside the
functions handling GitHub issue payload/response parsing) and replace the
malformed except lines accordingly.

In `@src/security/notifications/teams.py`:
- Around line 76-79: Multiple logging.info statements in
src/security/notifications/teams.py emit messages without the required "Security
- " domain prefix; locate the logging.info calls that start with f"DRY-RUN:
{label} webhook configured..." and the one with f"DRY-RUN: no Teams Incoming
Webhook URL configured..." (and the similar log statements referenced around the
same blocks at the other noted locations) and prepend "Security - " to each log
message string so they all begin with "Security - DRY-RUN: ..." (preserve the
existing f-string formatting and label interpolation).

In `@src/security/promote_alerts.py`:
- Line 153: Update the log message to include the required domain prefix
"Security -": find the logging.debug call that currently logs "Teams webhook URL
not configured - skipping notification" and change the message so it begins with
"Security -", e.g. "Security - Teams webhook URL not configured - skipping
notification"; ensure the modified string is used in the logging.debug
invocation in promote_alerts.py.

In `@tests/security/alerts/test_parser.py`:
- Line 17: Update the module docstring in tests/security/alerts/test_parser.py
to reference the relocated module path security.alerts.parser instead of the
stale utils.alert_parser reference; find the top-level docstring in that file
(the one currently reading "Unit tests for ``utils.alert_parser``.") and change
the module path name to "security.alerts.parser" so the docstring accurately
reflects the current module location.

In `@tests/security/notifications/test_teams.py`:
- Line 17: Update the stale module path in the module docstring at the top of
the test (the triple-quoted string in test_teams.py) to reference the current
import path security.notifications.teams instead of utils.teams so the docstring
matches the relocated module.

---

Nitpick comments:
In `@src/security/main.py`:
- Around line 150-153: The logger.error call that reports an existing output
file (logger.error(..., out_file)) must include the required "Security - "
domain prefix; update the message passed to logger.error in the block where
out_file is logged so it begins with "Security - " (e.g., "Security - Output
file '%s' exists...") while preserving the out_file format argument and existing
guidance to delete/choose a different --out or use --force.
- Around line 137-143: Update the log messages emitted by logger.error and
logger.info in the security module to include the required domain prefix;
specifically, prepend "Security - " to the existing messages that currently read
"Required labels missing in %s: %s" and "All required labels present in %s" (the
calls using variables repo and missing), so both logs start with "Security - "
while preserving the same formatting and arguments.

In `@tests/security/alerts/test_models.py`:
- Around line 36-40: The test assertions use the repository's reversed order
(actual == expected); change them to the canonical assert expected == actual
order: replace assertions like assert md.severity == "unknown" with assert
"unknown" == md.severity, assert md.rule_id == "" with assert "" == md.rule_id,
assert md.rule_name == "" with assert "" == md.rule_name, assert md.state == ""
with assert "" == md.state, and assert md.tool == "" with assert "" == md.tool;
apply the same flipping of expected/actual for the other assertions in the same
file referenced around the md object (the assertions at the other noted
locations).

In `@tests/security/issues/test_sync.py`:
- Around line 446-447: Move the two local imports for build_child_issue_body and
strip_sec_events_from_body out of the test functions and add them with the
module-level imports at the top of the file; then remove the in-function imports
(the local imports currently referencing build_child_issue_body and
strip_sec_events_from_body) so tests import these symbols from
security.issues.builder and security.issues.sec_events only once at file scope,
ensuring no local duplicate imports remain in the test functions.

In `@tests/security/test_check_labels.py`:
- Around line 54-56: The test uses list concatenation when patching
fetch_repo_labels; replace return_value=list(REQUIRED_LABELS) + ["extra-label"]
with a list unpacking form like return_value=[*list(REQUIRED_LABELS),
"extra-label"] in the mocker.patch call inside test_check_labels_all_present so
the intent is clearer while keeping behavior identical (referencing
REQUIRED_LABELS and the mocker.patch of
security.check_labels.fetch_repo_labels).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 3a08173c-e335-4225-b8b3-1956f3721c97

📥 Commits

Reviewing files that changed from the base of the PR and between ad165ab and e4aa159.

📒 Files selected for processing (55)

• .coverage
• .github/copilot-instructions.md
• .github/workflows/aquasec-branch-comparison.yml
• .github/workflows/aquasec-scan.yml
• README.md
• docs/security/aquasec-night-scan-example.yml
• docs/security/example_workflows/remove-adept-to-close-on-issue-close.yml
• docs/security/security.md
• pyproject.toml
• src/core/__init__.py
• src/core/config.py
• src/core/github/__init__.py
• src/core/github/client.py
• src/core/github/issues.py
• src/core/github/projects.py
• src/core/helpers.py
• src/core/models.py
• src/core/priority.py
• src/core/rendering.py
• src/security/__init__.py
• src/security/alerts/__init__.py
• src/security/alerts/models.py
• src/security/alerts/parser.py
• src/security/check_labels.py
• src/security/collect_alert.py
• src/security/constants.py
• src/security/issues/__init__.py
• src/security/issues/builder.py
• src/security/issues/models.py
• src/security/issues/sec_events.py
• src/security/issues/secmeta.py
• src/security/issues/sync.py
• src/security/issues/templates.py
• src/security/main.py
• src/security/notifications/__init__.py
• src/security/notifications/teams.py
• src/security/promote_alerts.py
• src/security/send_notifications.py
• tests/core/github/test_issues.py
• tests/security/alerts/test_models.py
• tests/security/alerts/test_parser.py
• tests/security/conftest.py
• tests/security/issues/test_builder.py
• tests/security/issues/test_models.py
• tests/security/issues/test_sec_events.py
• tests/security/issues/test_secmeta.py
• tests/security/issues/test_sync.py
• tests/security/issues/test_templates.py
• tests/security/notifications/test_teams.py
• tests/security/test_check_labels.py
• tests/security/test_collect_alert.py
• tests/security/test_constants.py
• tests/security/test_main.py
• tests/security/test_promote_alerts.py
• tests/security/test_send_notifications.py

💤 Files with no reviewable changes (2)

• docs/security/example_workflows/remove-adept-to-close-on-issue-close.yml
• .github/workflows/aquasec-branch-comparison.yml

[tmikula-dev]

Please look at this PR and see, if a new project structure makes sense to you. The logic should be exact same. The run of this branch solution can be seen in link: https://github.com/AbsaOSS/living-doc-generator-mdoc/actions/runs/24559331689/job/71804204984. The following tasks are about fixing the documentation and removing obsolete parts of the solution like sec:meta, meta scripts like derive and extract team metrics, removing rest of the logic about GH_PROJECT_ONLY_TOKEN etc.

[tmikula-dev]

This whole module will be changed in the following issue: #31

[tmikula-dev]

This section was created to put together github client logic methods. No new logic is added.