
feat: cast validate, template sync, yamllint CI, TTY fix#9

Merged
shenxianpeng merged 4 commits into main from copilot/review-project-overall
Apr 9, 2026

Conversation

Copilot AI (Contributor) commented Apr 9, 2026

Four gaps identified during project review — one unimplemented "本期实施" feature, one spec deviation, one silent drift risk, and one missing CI gate.

cast validate (new command)

Validates a SARIF 2.1.0 file locally and previews cast-gate blocking behavior — no OPA/conftest dependency. Gate logic mirrors policy/*.rego in pure Python.

```shell
cast validate semgrep.sarif
# ✓ SARIF valid
#   Tool(s):   Semgrep
#   Findings:  12 (3 error, 5 warning, 4 note)
#   Policy:    default
#   Gate:      ❌ 3 finding(s) would be blocked
#   • [CRITICAL] Semgrep — SQL injection (rule: sql-injection)
#   ...

cast validate semgrep.sarif --policy strict       # blocks on HIGH + CRITICAL
cast validate semgrep.sarif --policy permissive   # never blocks
CAST_POLICY=strict cast validate semgrep.sarif    # env var fallback
```

Exit codes: 0 valid + allowed · 1 format error · 2 valid + blocked

Template drift fix + sync guard

  • templates/ (curl-download copies) had diverged from src/cast_cli/templates/ (embedded CLI copies) across all 6 stack templates — Rego policy was injected via env-var+printf in canonical vs heredoc in embedded. Synced canonical to match embedded (heredoc is more reliable).
  • Added scripts/check-template-sync.sh: diffs all devsecops.yml pairs, exits 1 on any mismatch.

yamllint CI job

New template-lint job in devsecops.yml runs yamllint -d relaxed over all template YAML files. Template syntax errors now fail CI instead of reaching users.

TTY detection fix

cast init used sys.stdout.isatty() to gate the interactive type-selection menu. Changed to sys.stdin.isatty() — stdin is the correct signal for "can I prompt the user for input."
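The gate logic described in the comment above, as an added example that is not the project's code: a pure-Python SARIF 2.1.0 check that mirrors the stated policy levels, the CAST_POLICY fallback and the 0/1/2 exit codes. The severity source (result.properties.severity), the level-to-severity fallback and the default policy's blocking set are assumptions made here, and the sample SARIF is constructed.

```python
import json
import os

# Blocking severities per policy. The PR states strict = HIGH + CRITICAL and permissive = never;
# the default set (CRITICAL only) is an assumption made for this example, not the project's policy.
POLICIES = {"default": {"CRITICAL"}, "strict": {"HIGH", "CRITICAL"}, "permissive": set()}
# Assumed fallback from SARIF `level` to a severity label when a result carries no severity property.
LEVEL_TO_SEVERITY = {"error": "HIGH", "warning": "MEDIUM", "note": "LOW", "none": "INFO"}
EXIT_OK, EXIT_FORMAT_ERROR, EXIT_BLOCKED = 0, 1, 2  # exit codes as described for `cast validate`

def parse_sarif(text):
    """Return findings from a SARIF 2.1.0 document; raise ValueError if it is malformed."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError(f"not JSON: {exc}") from None
    if not isinstance(doc, dict) or doc.get("version") != "2.1.0" or not isinstance(doc.get("runs"), list):
        raise ValueError("not a SARIF 2.1.0 document (missing version or runs)")
    findings = []
    for run in doc["runs"]:
        tool = run.get("tool", {}).get("driver", {}).get("name", "unknown")
        for res in run.get("results", []):
            level = res.get("level", "warning")  # SARIF's default level when the field is absent
            # Assumption: severity lives in result.properties.severity; otherwise derive it from level.
            severity = res.get("properties", {}).get("severity") or LEVEL_TO_SEVERITY.get(level, "INFO")
            findings.append({"tool": tool, "rule": res.get("ruleId", "?"), "level": level,
                             "severity": str(severity).upper(), "message": res.get("message", {}).get("text", "")})
    return findings

def gate(findings, policy=None):
    """Pick the policy (argument, then CAST_POLICY env var, then default); return the blocked findings."""
    name = policy or os.environ.get("CAST_POLICY", "default")
    blocking = POLICIES[name]  # KeyError on an unknown policy name
    return [f for f in findings if f["severity"] in blocking]

def validate(text, policy=None):
    """Return (exit_code, blocked): 0 valid + allowed, 1 format error, 2 valid + blocked."""
    try:
        findings = parse_sarif(text)
    except ValueError:
        return EXIT_FORMAT_ERROR, []
    blocked = gate(findings, policy)
    return (EXIT_BLOCKED if blocked else EXIT_OK), blocked

# Constructed sample (not real scanner output): one CRITICAL, one HIGH and one note-level result.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{"tool": {"driver": {"name": "Semgrep"}}, "results": [
    {"ruleId": "sql-injection", "level": "error", "message": {"text": "SQL injection"}, "properties": {"severity": "CRITICAL"}},
    {"ruleId": "weak-hash", "level": "warning", "message": {"text": "Weak hash"}, "properties": {"severity": "HIGH"}},
    {"ruleId": "todo-comment", "level": "note", "message": {"text": "TODO left in code"}}]}]})
```

Running `validate(SAMPLE_SARIF, "strict")` returns exit code 2 with two blocked findings, `"default"` blocks only the CRITICAL one, and `"permissive"` returns 0 with none.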

Copilot AI and others added 2 commits April 9, 2026 15:13
Copilot AI changed the title from "[WIP] Review project for alignment with goals" to "feat: cast validate, template sync, yamllint CI, TTY fix" Apr 9, 2026
Copilot AI requested a review from shenxianpeng April 9, 2026 15:19
shenxianpeng (Member) commented

@copilot fix ci failure

Copilot AI (Contributor, Author) commented Apr 9, 2026

@copilot fix ci failure

Fixed in a5952c5. Two failures:

  1. Ruff F541 (main.py:287): removed the bare f prefix from f"[bold green]✓[/bold green] SARIF valid" since there were no placeholders in that string.

  2. yamllint syntax errors in templates: the devsecops.yml templates embed bash heredocs whose content is intentionally at column 1 (required by bash). GitHub Actions handles this fine, but yamllint's YAML parser rejects them as syntax errors. Fixed by scoping the yamllint step to only .github/workflows/*.yml (pure workflow YAML) rather than the templates that embed shell scripts.

@shenxianpeng shenxianpeng marked this pull request as ready for review April 9, 2026 18:42
@shenxianpeng shenxianpeng added the enhancement New feature or request label Apr 9, 2026
@shenxianpeng shenxianpeng merged commit 632ef97 into main Apr 9, 2026
7 checks passed
@shenxianpeng shenxianpeng deleted the copilot/review-project-overall branch April 9, 2026 18:42