fix(compliance-audit): handle boolean false in settings checks#133
Conversation
The jq alternative operator (//) treats boolean false as falsy, causing settings like has_wiki: false to be reported as null instead of false. This means the has_wiki check (and any other boolean-false check) always fires even when the repository setting is correctly set to false. Fix: use '| tostring' with an explicit null guard instead of //. Closes petry-projects/bmad-bgreat-suite#89
|
@don-petry please review and merge — this fixes the false-positive compliance finding for |
|
Warning Rate limit exceeded
Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 3 minutes and 26 seconds. ⌛ How to resolve this issue?After the wait time has elapsed, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout. Please see our FAQ for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Organization UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
There was a problem hiding this comment.
Pull request overview
Fixes false-positive findings in the compliance audit’s repository settings checks by ensuring jq distinguishes between null and boolean false when extracting settings values.
Changes:
- Replace
jq’s// "null"fallback with an explicitnullguard plustostring, sofalseis preserved as"false"instead of being treated like missing data.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
- Merge PR #133 from main (same jq boolean fix) - Apply printf instead of echo for JSON piping (safer) - Use jq --arg for key interpolation (prevents injection) Agent-Logs-Url: https://github.com/petry-projects/.github/sessions/bc09d7ce-9add-488c-a416-223d826cc900 Co-authored-by: don-petry <36422719+don-petry@users.noreply.github.com>
…131) * fix(compliance-audit): use null-safe jq expression for boolean checks jq's // operator treats false as falsy, so false // "null" returns "null" rather than "false". This caused boolean settings checks with expected value of false (e.g. has_wiki) to always report a compliance finding even when the setting was correctly set to false. Replace the // "null" fallback with an explicit null test: if .$key == null then "null" else (.$key | tostring) end This correctly returns "false" for a false value and "null" only when the field is actually absent. Closes petry-projects/ContentTwin#63 * Merge main and apply Copilot review suggestions - Merge PR #133 from main (same jq boolean fix) - Apply printf instead of echo for JSON piping (safer) - Use jq --arg for key interpolation (prevents injection) Agent-Logs-Url: https://github.com/petry-projects/.github/sessions/bc09d7ce-9add-488c-a416-223d826cc900 Co-authored-by: don-petry <36422719+don-petry@users.noreply.github.com> * ci: trigger CI with clean check-suite preferences * fix(apply-repo-settings): use null-safe jq for boolean settings checks Mirror the compliance-audit.sh fix into apply-repo-settings.sh: - Replace `.$key // "null"` with `--arg key / .[$key] | if . == null` pattern to correctly handle boolean false values (jq's `//` treats false as falsy, causing false→null misread and spurious PATCH calls) - Replace `echo` with `printf '%s'` for consistent, safe JSON piping Co-authored-by: Don Petry <don-petry@users.noreply.github.com> --------- Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com>
The jq alternative operator (//) treats boolean false as falsy, causing settings like has_wiki: false to be reported as null instead of false. This means the has_wiki check (and any other boolean-false check) always fires even when the repository setting is correctly set to false. Fix: use '| tostring' with an explicit null guard instead of //. Closes petry-projects/bmad-bgreat-suite#89
The jq alternative operator (//) treats boolean false as falsy, causing settings like has_wiki: false to be reported as null instead of false. This means the has_wiki check (and any other boolean-false check) always fires even when the repository setting is correctly set to false. Fix: use '| tostring' with an explicit null guard instead of //. Closes petry-projects/bmad-bgreat-suite#89
The jq alternative operator (//) treats boolean false as falsy, causing settings like has_wiki: false to be reported as null instead of false. This means the has_wiki check (and any other boolean-false check) always fires even when the repository setting is correctly set to false. Fix: use '| tostring' with an explicit null guard instead of //. Closes petry-projects/bmad-bgreat-suite#89
…131) * fix(compliance-audit): use null-safe jq expression for boolean checks jq's // operator treats false as falsy, so false // "null" returns "null" rather than "false". This caused boolean settings checks with expected value of false (e.g. has_wiki) to always report a compliance finding even when the setting was correctly set to false. Replace the // "null" fallback with an explicit null test: if .$key == null then "null" else (.$key | tostring) end This correctly returns "false" for a false value and "null" only when the field is actually absent. Closes petry-projects/ContentTwin#63 * Merge main and apply Copilot review suggestions - Merge PR #133 from main (same jq boolean fix) - Apply printf instead of echo for JSON piping (safer) - Use jq --arg for key interpolation (prevents injection) Agent-Logs-Url: https://github.com/petry-projects/.github/sessions/bc09d7ce-9add-488c-a416-223d826cc900 Co-authored-by: don-petry <36422719+don-petry@users.noreply.github.com> * ci: trigger CI with clean check-suite preferences * fix(apply-repo-settings): use null-safe jq for boolean settings checks Mirror the compliance-audit.sh fix into apply-repo-settings.sh: - Replace `.$key // "null"` with `--arg key / .[$key] | if . == null` pattern to correctly handle boolean false values (jq's `//` treats false as falsy, causing false→null misread and spurious PATCH calls) - Replace `echo` with `printf '%s'` for consistent, safe JSON piping Co-authored-by: Don Petry <don-petry@users.noreply.github.com> --------- Co-authored-by: anthropic-code-agent[bot] <242468646+Claude@users.noreply.github.com> Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com> Co-authored-by: Don Petry <don-petry@users.noreply.github.com>



Summary
The jq alternative operator (
//) treats booleanfalseas falsy, sojq -r '.$key // "null"'returns"null"when the setting value isfalse. This causes any boolean-false check (e.g.has_wiki: false) to always fire as a finding, even when the repository setting is correctly set.Before:
actual=$(echo "$settings" | jq -r ".$key // \"null\"")After:
actual=$(echo "$settings" | jq -r ".$key | if . == null then \"null\" else tostring end")This uses an explicit null guard and
tostringconversion, so booleanfalse→"false"and booleantrue→"true", whilenullstill maps to"null".Impact
has_wiki: falseno longer generates a false-positive finding for repos that already have wiki disabledexpected: falsechecks will work correctly)Test plan
bmad-bgreat-suiteshould no longer reporthas_wikias a finding since its wiki is already disabledCloses petry-projects/bmad-bgreat-suite#89
Generated with Claude Code