chore: utilize org level coderabbit config #1172

Closed
dbasunag wants to merge 2 commits into opendatahub-io:main from dbasunag:coderabbit

dbasunag (Collaborator) commented Mar 4, 2026

Pull Request

Summary

Related Issues

  • Fixes:
  • JIRA:

How it has been tested

  • Locally
  • Jenkins

Additional Requirements

  • If this PR introduces a new test image, did you create a PR to mirror it in disconnected environment?
  • If this PR introduces new marker(s)/adds a new component, was relevant ticket created to update relevant Jenkins job?

Summary by CodeRabbit

  • Chores
    • Streamlined configuration by removing optional automated analysis tools and third-party service integrations.
    • Enabled unit testing configuration and refined core review controls.

@dbasunag dbasunag requested a review from a team as a code owner March 4, 2026 19:53

github-actions bot commented Mar 4, 2026

The following are automatically added/executed:

  • PR size label.
  • Run pre-commit
  • Run tox
  • Add PR author as the PR assignee
  • Build image based on the PR

Available user actions:

  • To mark a PR as WIP, add /wip in a comment. To remove it from the PR, comment /wip cancel on the PR.
  • To block merging of a PR, add /hold in a comment. To unblock merging of the PR, comment /hold cancel.
  • To mark a PR as approved, add /lgtm in a comment. To remove, add /lgtm cancel.
    The lgtm label is removed on each new commit push.
  • To mark a PR as verified, comment /verified on the PR; to un-verify, comment /verified cancel on the PR.
    The verified label is removed on each new commit push.
  • To cherry-pick a merged PR, comment /cherry-pick <target_branch_name> on the PR. If <target_branch_name> is valid,
    and the current PR is merged, a cherry-picked PR would be created and linked to the current PR.
  • To build and push an image to quay, add /build-push-pr-image in a comment. This would create an image with tag
    pr-<pr_number> in the quay repository. This image tag, however, would be deleted on PR merge or close action.

Supported labels

{'/build-push-pr-image', '/verified', '/cherry-pick', '/lgtm', '/hold', '/wip'}

coderabbitai bot (Contributor) commented Mar 4, 2026

Walkthrough

Configuration file modifications removing reviewer settings, disabling automated analysis tools (golangci-lint, yamllint, gitleaks, checkov, eslint, cppcheck, semgrep, sqlfluff), eliminating integration references (JIRA, Linear), and retaining core review controls with unit_tests configurations.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Reviewer configuration pruning<br>.coderabbit.yaml | Removed profile, request_changes_workflow, high_level_summary, auto_title, auto_title_instructions, commit_status, fail_commit_status, collapse_walkthrough fields. Retained review controls: high_level_summary_placeholder, changed_files_summary, assess_linked_issues, related_issues, related_prs, suggested_labels, suggested_reviewers, auto_assign_reviewers. |
| Automated analysis tools removal<br>.coderabbit.yaml | Disabled or removed: golangci-lint, yamllint, gitleaks, checkov, eslint, cppcheck, semgrep, sqlfluff. Removed explicit level defaults. Collapsed tool sections under finishing_touches. |
| Integration references elimination<br>.coderabbit.yaml | Removed JIRA and Linear integration configuration blocks under chat and knowledge_base sections. Removed opt_out flag under knowledge_base. |
| Unit tests configuration<br>.coderabbit.yaml | Introduced unit_tests under finishing_touches (enabled: true). Preserved docstrings and unit_tests path_instructions under code_generation. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Description check | ⚠️ Warning | The PR description is completely empty except for the template structure; all substantive sections (Summary, Related Issues, testing details) are unfilled placeholder comments. | Fill in the Summary section explaining why the org-level config consolidation is needed, specify any related issues, and confirm testing performed (Locally/Jenkins). |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title 'chore: utilize org level coderabbit config' accurately summarizes the main change—consolidation of configuration into organization-level settings. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.


Comment @coderabbitai help to get the list of available commands and usage tips.

dbasunag (Collaborator, Author) commented Mar 4, 2026

@coderabbitai review

coderabbitai bot (Contributor) commented Mar 4, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.coderabbit.yaml:
- Line 16: The path_filters entry is malformed (an exclude-only pattern) and
currently prevents workflow files from being reviewed; update the path_filters
value to prepend an explicit include-all pattern and then apply the exclude you
want (e.g., include all files then exclude .github metadata), or alternatively
exclude only .github markdown so workflows remain in scope; modify the
path_filters key accordingly to use an include-all prefix followed by the
intended .github exclusion so reviewers see workflow files.
- Line 5: The config currently relies on inheritance and omits key security
scanners; update the .coderabbit.yaml tools block to explicitly add and enable
Gitleaks, TruffleHog, Checkov, Trivy, and Semgrep (so they are not only
inherited) by adding tool entries for each with enabled: true and any minimal
recommended settings (e.g., severity or policy refs if present), ensuring the
tools block that already lists 25+ tools includes these five tool names so they
run regardless of parent org config.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: c5645a77-f68e-45f5-884a-3645f6a487df

📥 Commits

Reviewing files that changed from the base of the PR and between 39d3462 and 4352f7f.

📒 Files selected for processing (1)
  • .coderabbit.yaml

Comment thread .coderabbit.yaml
# Inherits from org-wide config: https://github.com/opendatahub-io/coderabbit
# Only overrides listed below differ from the org baseline.

inheritance: true

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

CodeRabbit v2 inheritance true configuration tools behavior documentation

💡 Result:

CodeRabbit v2: inheritance: true (what it does + where it’s documented)

Enable inheritance (v2 schema)

Add inheritance: true at the root of your repo’s .coderabbit.yaml (v2 schema). When enabled, CodeRabbit merges config from parent levels instead of using only the highest-priority source. Inheritance is off by default. [1]

# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
inheritance: true
reviews:
  profile: chill
  auto_review:
    enabled: true

How merging behaves (important for “behavior”)

With inheritance enabled, CodeRabbit walks up the config hierarchy and merges by type: objects deep-merge, scalars are overridden by the child, and arrays are child-first with unique parent items appended (deduped by common keys like path, name, id, etc.). The chain stops at the first level where inheritance: false (or not set). [1]

“Tools” configuration in v2

Tool integrations live under reviews.tools in .coderabbit.yaml, where each tool typically has an enabled flag (and some have extra options). The auto-generated Tools Reference lists supported tools and per-tool configuration fields. [3]

reviews:
  tools:
    eslint:
      enabled: true
    gitleaks:
      enabled: true

Full configuration reference (all behavior knobs)

For the complete v2 settings catalog (review behavior, auto-review, summaries, etc.), use the auto-generated Configuration reference (noted as last updated 2026-02-26). [2]

Sources: Configuration inheritance [1], Configuration reference [2], Tools Reference [3].


🏁 Script executed:

# First, let's examine the actual .coderabbit.yaml file to understand the full context
fd -e yaml -e yml | grep -E '(coderabbit|\.coderabbit)' | head -20

Repository: opendatahub-io/opendatahub-tests

Length of output: 58


🏁 Script executed:

# Let's read the full .coderabbit.yaml file
cat -n .coderabbit.yaml 2>/dev/null || find . -name '.coderabbit.yaml' -exec cat -n {} \;

Repository: opendatahub-io/opendatahub-tests

Length of output: 3084


🌐 Web query:

CodeRabbit supported tools gitleaks trufflehop checkov trivy semgrep opengrep

💡 Result:

CodeRabbit supports all of the tools you listed (with one typo clarification): Gitleaks, TruffleHog, Checkov, Trivy, Semgrep, and OpenGrep. (docs.coderabbit.ai)

  • “trufflehop” isn’t listed; CodeRabbit lists TruffleHog (likely what you meant). (docs.coderabbit.ai)


🌐 Web query:

CodeRabbit tools reference complete list 2025 2026

💡 Result:

CodeRabbit’s docs list the following supported third‑party tools (as shown in the “List of supported tools” section of their documentation): actionlint, ast-grep, Biome, Blinter, Brakeman, Buf, Checkmake, Checkov, CircleCI, Clippy, Clang-Tidy, Cppcheck, detekt, Dotenv Linter, ESLint, Flake8, Fortitude, Gitleaks, golangci-lint, Hadolint, HTMLHint, LanguageTool, Luacheck, markdownlint, OSV-Scanner, OpenGrep, Oxlint, PHPCS, PHPMD, PHPStan, Pipeline Remediation (Pipeline Failure Remediation), PMD, Prisma Lint, PSScriptAnalyzer, Pylint, Regal, RuboCop, Ruff, Semgrep, ShellCheck, Shopify CLI, smarty-lint, SQLFluff, Stylelint, SwiftLint, TFLint, Trivy, TruffleHog. [1]

Recent additions called out in the 2026 changelog include smarty-lint, PSScriptAnalyzer (Feb 25, 2026) and Trivy, TFLint, Fortitude, Blinter (Feb 4, 2026). [2]

Sources: [1] [2]


Add missing security scanners to explicit tool configuration.

The file already pins 25+ tools explicitly (lines 30-88). However, critical security scanners—Gitleaks, TruffleHog, Checkov, Trivy, Semgrep—are absent. When inheriting, omitted tools merge from parent config; if the parent org-level .coderabbit.yaml doesn't enable these scanners either, security coverage remains incomplete (CWE-693). Explicitly enable them:

Add to tools block
    dotenvLint:
      enabled: true
+   gitleaks:
+     enabled: true
+   trufflehog:
+     enabled: true
+   checkov:
+     enabled: true
+   trivy:
+     enabled: true
+   semgrep:
+     enabled: true
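
Review bot: The five added entries (gitleaks through semgrep) pin enabled: true in the repo file with no comment saying why they deviate from the org baseline, while the file header states that only the overrides listed differ from it. Under the merge rules quoted earlier in this comment, a child scalar overrides the parent, so these pins would keep winning even if the org config later tunes or disables a scanner. Confirm what the org-level file already enables before adding them, and if the pins stay, add a one-line comment above the group saying they are deliberate.
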
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml at line 5, The config currently relies on inheritance and
omits key security scanners; update the .coderabbit.yaml tools block to
explicitly add and enable Gitleaks, TruffleHog, Checkov, Trivy, and Semgrep (so
they are not only inherited) by adding tool entries for each with enabled: true
and any minimal recommended settings (e.g., severity or policy refs if present),
ensuring the tools block that already lists 25+ tools includes these five tool
names so they run regardless of parent org config.
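
The merge rules quoted in the comment above, modelled in Python as an added example (not code from this PR or from CodeRabbit): it resolves an effective config from a repo file and an org baseline, then lists which of the five scanners named in the review end up not enabled. The org baseline values, the helper names and the dedup fallback are constructed assumptions.

```python
# Added example: a model of the merge rules quoted in the comment above,
# not CodeRabbit's implementation. Config values below are constructed.
DEDUP_KEYS = ("path", "name", "id")  # "common keys" named in the quoted docs
SECURITY_TOOLS = ("gitleaks", "trufflehog", "checkov", "trivy", "semgrep")

def _identity(item):
    """Key used to decide whether a parent array item is already present."""
    if isinstance(item, dict):
        for k in DEDUP_KEYS:
            if k in item:
                return (k, item[k])
        return repr(sorted(item.items(), key=str))  # assumed fallback
    return item

def merge(child, parent):
    """Objects deep-merge, child scalars win, arrays are child-first."""
    if isinstance(child, dict) and isinstance(parent, dict):
        out = dict(parent)
        for key, value in child.items():
            out[key] = merge(value, parent[key]) if key in parent else value
        return out
    if isinstance(child, list) and isinstance(parent, list):
        seen = {_identity(i) for i in child}
        return child + [i for i in parent if _identity(i) not in seen]
    return child

def effective_config(levels):
    """levels: most specific first (repo, then each parent level)."""
    result = levels[0]
    for child, parent in zip(levels, levels[1:]):
        if not child.get("inheritance"):
            break  # chain stops where inheritance is false or unset
        result = merge(result, parent)
    return result

def missing_scanners(config):
    """Scanners from SECURITY_TOOLS that are absent or not enabled."""
    tools = config.get("reviews", {}).get("tools", {})
    return [t for t in SECURITY_TOOLS if not tools.get(t, {}).get("enabled")]

# Constructed inputs: a repo file that pins no scanners, and an org baseline.
REPO = {"inheritance": True, "reviews": {
    "path_filters": ["!.github/**"],
    "tools": {"dotenvLint": {"enabled": True}, "semgrep": {"enabled": False}}}}
ORG = {"reviews": {
    "path_filters": ["!dist/**", "!.github/**"],
    "tools": {"gitleaks": {"enabled": True}, "semgrep": {"enabled": True},
              "checkov": {"enabled": True}}}}
```

Calling `missing_scanners(effective_config([REPO, ORG]))` shows that a scanner can be missing either because no level enables it or because the repo file's own scalar overrides the org value.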

Comment thread .coderabbit.yaml
auto_assign_reviewers: false
poem: false
labeling_instructions: []
path_filters: ["!.github/**"]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

CodeRabbit path_filters negation pattern !.github documentation

💡 Result:

In CodeRabbit, reviews.path_filters supports exclude (negation) patterns by prefixing the glob with !. Patterns are relative to the repo root and are passed through to git sparse-checkout. [1][2]

To exclude the entire .github/ directory, add:

reviews:
  path_filters:
    - "!.github/**"

Notes:

  • If you have any include patterns (ones without !), CodeRabbit will include only files matching those includes, then apply your excludes. [1]
  • Excludes can be mixed with includes, e.g. include everything but exclude .github: [1][2]
reviews:
  path_filters:
    - "**"
    - "!.github/**"

Sources: CodeRabbit configuration docs on reviews.path_filters and ! exclude patterns. [1][2]


🏁 Script executed:

# Search the repository for CodeRabbit schema, documentation, or configuration examples
find . -type f \( -name "*.md" -o -name "*.yaml" -o -name "*.json" \) -exec grep -l "path_filters\|coderabbit" {} \; 2>/dev/null | head -20

Repository: opendatahub-io/opendatahub-tests

Length of output: 94


🏁 Script executed:

# Check if there's a coderabbit schema or reference documentation in the repo
git ls-files | grep -i coderabbit | head -20

Repository: opendatahub-io/opendatahub-tests

Length of output: 92


🏁 Script executed:

cat -n .coderabbit.yaml

Repository: opendatahub-io/opendatahub-tests

Length of output: 3084


Fix malformed path_filters and include .github/workflows/** in review scope.

Line 16 has two problems: (1) the exclude-only pattern ["!.github/**"] lacks the necessary include-all prefix, and (2) it still excludes workflows from code review, creating a supply-chain blind spot (CWE-693). CodeRabbit requires explicit include patterns before excludes. Use ["**", "!.github/**"] to include all files except non-critical .github/ metadata, or use ["**", "!.github/**/*.md"] to keep workflows reviewable.

Suggested change
-  path_filters: ["!.github/**"]
+  path_filters: ["**", "!.github/**/*.md"]
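
Review bot: On the added line, narrowing the exclude from .github/** to .github/**/*.md brings every non-markdown file under .github into review scope, not only workflows, which is wider than the stated goal of keeping .github/workflows/** reviewable. The documentation excerpt quoted above also shows "!.github/**" on its own as the form for excluding the directory, so the need for the "**" prefix should be confirmed against that text before the old value is called malformed. Because inheritance is on and arrays have unique parent items appended, check whether the org-level path_filters already carries a .github exclusion that would be merged back in.
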
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml at line 16, The path_filters entry is malformed (an
exclude-only pattern) and currently prevents workflow files from being reviewed;
update the path_filters value to prepend an explicit include-all pattern and
then apply the exclude you want (e.g., include all files then exclude .github
metadata), or alternatively exclude only .github markdown so workflows remain in
scope; modify the path_filters key accordingly to use an include-all prefix
followed by the intended .github exclusion so reviewers see workflow files.

sheltoncyril (Contributor) commented

/lgtm

dbasunag (Collaborator, Author) commented Mar 5, 2026

Closing in favor of #1169. Will create separate patch if I need to bring back any settings.

@dbasunag dbasunag closed this Mar 5, 2026
@dbasunag dbasunag deleted the coderabbit branch March 19, 2026 00:07