From 34daf8a8d8682dc0d0803159608ab1c43cb96ece Mon Sep 17 00:00:00 2001
From: Robby Cochran
Date: Fri, 27 Mar 2026 10:15:00 -0700
Subject: [PATCH 1/4] X-Smart-Branch-Parent: master
From b74f802158b5626dcb74ec4769defdc6aa277a86 Mon Sep 17 00:00:00 2001
From: Robby Cochran
Date: Fri, 27 Mar 2026 10:22:31 -0700
Subject: [PATCH 2/4] Update CodeRabbit config with language-specific review instructions
Add comprehensive review guidance for the collector repo tech stack: C++/eBPF, Go integration tests, Ansible/GHA YAML, shell scripts, CMake, Dockerfiles, and protobuf. Enable static analysis tools (cppcheck, shellcheck, yamllint, golangci-lint, hadolint, semgrep, gitleaks).
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .coderabbit.yaml | 101 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 101 insertions(+)
 create mode 100644 .coderabbit.yaml
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
new file mode 100644
index 0000000000..ffb1e9cbac
--- /dev/null
+++ b/.coderabbit.yaml
@@ -0,0 +1,101 @@
+
+# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
+inheritance: true
+
+reviews:
+ profile: assertive
+ high_level_summary: true
+ auto_review:
+ enabled: true
+ drafts: false
+ base_branches:
+ - master
+ - main
+ - "release-.*"
+
+ path_instructions:
+ - path: "**/*.{cpp,cc,cxx}"
+ instructions: >
+ C++ systems code. Review for memory safety, RAII compliance, proper
+ error handling, and thread safety. This code runs in a privileged
+ container and interacts with eBPF probes, so pay attention to
+ security, resource cleanup, and signal handling. Prefer modern C++
+ idioms (smart pointers, std::string_view, structured bindings).
+ Flag any raw new/delete.
+ - path: "**/*.{h,hpp}"
+ instructions: >
+ C++ headers. Check include guards, minimal includes, and clean
+ public interfaces. Ensure no implementation details leak into
+ headers unnecessarily.
+ - path: "**/*.proto"
+ instructions: >
+ Protobuf definitions. Verify backward compatibility of field
+ changes (no renumbering, no removing fields in use). Check that
+ field types and names follow protobuf style conventions.
+ - path: "**/*.go"
+ instructions: >
+ Go integration tests that exercise the agent against real container
+ runtimes and kernel configurations. Review for test reliability
+ (no flaky assertions, proper timeouts, cleanup of test resources),
+ clear failure messages, and correct use of the testing package.
+ Tests run in CI VMs, so be mindful of environment assumptions.
+ - path: "**/*.yml"
+ instructions: >
+ YAML files may be Ansible playbooks, CI workflows, or configuration.
+ For Ansible: review for idempotency, proper use of handlers and
+ variables, secure credential handling (no hardcoded secrets), and
+ correct task naming with appropriate error handling (block/rescue).
+ For GitHub Actions: pin action versions to SHA, minimize token
+ permissions, avoid script injection via untrusted inputs, and
+ verify caching efficiency.
+ - path: "**/*.sh"
+ instructions: >
+ Shell scripts used in build and CI. Review for POSIX compliance
+ where appropriate, proper quoting of variables, set -euo pipefail
+ usage, and safe handling of paths with spaces. Check for proper
+ exit code propagation.
+ - path: "**/CMakeLists.txt"
+ instructions: >
+ CMake build configuration. Check for correct target dependencies,
+ proper use of PUBLIC/PRIVATE/INTERFACE keywords, and that compile
+ options are appropriate for the target platform.
+ - path: "**/{Dockerfile,Dockerfile.*,*.Dockerfile}"
+ instructions: >
+ Container image definitions. Review for minimal base images,
+ proper layer ordering for cache efficiency, no secrets in build
+ args, and that the final image has minimal attack surface.
+ - path: "**/Makefile*"
+ instructions: >
+ Build system Makefiles. Check for correct dependency declarations,
+ proper use of variables, and that phony targets are declared.
+
+ tools:
+ cppcheck:
+ enabled: true
+ shellcheck:
+ enabled: true
+ yamllint:
+ enabled: true
+ golangci-lint:
+ enabled: true
+ hadolint:
+ enabled: true
+ semgrep:
+ enabled: true
+ gitleaks:
+ enabled: true
+
+chat:
+ auto_reply: true
+
+knowledge_base:
+ code_guidelines:
+ enabled: true
+ learnings:
+ scope: auto
+ issues:
+ scope: auto
+ pull_requests:
+ scope: auto
+ web_search:
+ enabled: true
From 289f3c4849add15a092c22ea4060662ac42bdc50 Mon Sep 17 00:00:00 2001
From: Robby Cochran
Date: Fri, 27 Mar 2026 10:39:00 -0700
Subject: [PATCH 3/4] Update .coderabbit.yaml
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 .coderabbit.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
index ffb1e9cbac..752ec66b38 100644
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
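Review bot: In the new-file hunk of PATCH 2/4, the GitHub Actions checks in the `**/*.yml` entry (pin actions to SHA, minimal token permissions, script injection via untrusted inputs) are the most security-relevant guidance in the file, but they share one instruction block with the Ansible guidance and apply to every YAML file rather than to workflows specifically. A dedicated entry such as `- path: ".github/workflows/**"` carrying only the Actions sentence would keep those checks focused on the files where they matter; this assumes workflows live in the standard `.github/workflows/` location, which the hunk does not show. The `tools:` block could also enable `actionlint` alongside `yamllint`, since yamllint checks YAML style and not workflow semantics.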
@@ -39,7 +39,7 @@ reviews:
 (no flaky assertions, proper timeouts, cleanup of test resources),
 clear failure messages, and correct use of the testing package.
 Tests run in CI VMs, so be mindful of environment assumptions.
- - path: "**/*.yml"
+ - path: "**/*.{yml,yaml}"
 instructions: >
 YAML files may be Ansible playbooks, CI workflows, or configuration.
 For Ansible: review for idempotency, proper use of handlers and
From e97fd3c1fa21e2b40c1f671532ee07b3b7f799a0 Mon Sep 17 00:00:00 2001
From: Robby Cochran
Date: Fri, 27 Mar 2026 10:39:24 -0700
Subject: [PATCH 4/4] Update .coderabbit.yaml
Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
---
 .coderabbit.yaml | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/.coderabbit.yaml b/.coderabbit.yaml
index 752ec66b38..69adcae34f 100644
--- a/.coderabbit.yaml
+++ b/.coderabbit.yaml
@@ -22,6 +22,11 @@ reviews:
 security, resource cleanup, and signal handling. Prefer modern C++
 idioms (smart pointers, std::string_view, structured bindings).
 Flag any raw new/delete.
+ - path: "**/*.c"
+ instructions: >
+ eBPF C code. Review for verifier constraints (bounded loops,
+ stack/memory safety, helper-call correctness), and stable ABI
+ contracts with userspace (map key/value layout compatibility).
 - path: "**/*.{h,hpp}"
 instructions: >
 C++ headers. Check include guards, minimal includes, and clean
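Review bot: In the `**/*.c` entry added by PATCH 4/4, the ABI guidance (map key/value layout compatibility) reaches only `.c` files, while the `**/*.{h,hpp}` entry that follows still treats every header as C++ and asks only for include guards and clean interfaces. Struct definitions shared between eBPF programs and userspace are commonly declared in headers, so a layout change there would presumably be reviewed without the ABI prompt; confirm where this repo keeps them. Consider appending to the header instructions a sentence like `For headers shared with eBPF programs, check that map key/value struct layouts stay compatible with userspace.` The entry also labels every `.c` file as eBPF code, which is worth narrowing to the probe directory if the repo has other C sources. The header entry's instruction text continues past the end of the hunk.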