59 changes: 7 additions & 52 deletions .coderabbit.yaml
@@ -1,42 +1,27 @@
language: en-US
tone_instructions: ''
early_access: false
enable_free_tier: true
# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
# Inherits from org-wide config: https://github.com/opendatahub-io/coderabbit
# Only overrides listed below differ from the org baseline.

inheritance: true

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

CodeRabbit v2 inheritance true configuration tools behavior documentation

💡 Result:

CodeRabbit v2: inheritance: true (what it does + where it’s documented)

Enable inheritance (v2 schema)

Add inheritance: true at the root of your repo’s .coderabbit.yaml (v2 schema). When enabled, CodeRabbit merges config from parent levels instead of using only the highest-priority source. Inheritance is off by default. [1]

# yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json
inheritance: true
reviews:
  profile: chill
  auto_review:
    enabled: true

How merging behaves (important for “behavior”)

With inheritance enabled, CodeRabbit walks up the config hierarchy and merges by type: objects deep-merge, scalars are overridden by the child, and arrays are child-first with unique parent items appended (deduped by common keys like path, name, id, etc.). The chain stops at the first level where inheritance: false (or not set). [1]

“Tools” configuration in v2

Tool integrations live under reviews.tools in .coderabbit.yaml, where each tool typically has an enabled flag (and some have extra options). The auto-generated Tools Reference lists supported tools and per-tool configuration fields. [3]

reviews:
  tools:
    eslint:
      enabled: true
    gitleaks:
      enabled: true

Full configuration reference (all behavior knobs)

For the complete v2 settings catalog (review behavior, auto-review, summaries, etc.), use the auto-generated Configuration reference (noted as last updated 2026-02-26). [2]

Sources: Configuration inheritance [1], Configuration reference [2], Tools Reference [3].


🏁 Script executed:

# First, let's examine the actual .coderabbit.yaml file to understand the full context
fd -e yaml -e yml | grep -E '(coderabbit|\.coderabbit)' | head -20

Repository: opendatahub-io/opendatahub-tests

Length of output: 58


🏁 Script executed:

# Let's read the full .coderabbit.yaml file
cat -n .coderabbit.yaml 2>/dev/null || find . -name '.coderabbit.yaml' -exec cat -n {} \;

Repository: opendatahub-io/opendatahub-tests

Length of output: 3084


🌐 Web query:

CodeRabbit supported tools gitleaks trufflehop checkov trivy semgrep opengrep

💡 Result:

CodeRabbit supports all of the tools you listed (with one typo clarification): Gitleaks, TruffleHog, Checkov, Trivy, Semgrep, and OpenGrep. (docs.coderabbit.ai)

  • “trufflehop” isn’t listed; CodeRabbit lists TruffleHog (likely what you meant). (docs.coderabbit.ai)



🌐 Web query:

CodeRabbit tools reference complete list 2025 2026

💡 Result:

CodeRabbit’s docs list the following supported third‑party tools (as shown in the “List of supported tools” section of their documentation): actionlint, ast-grep, Biome, Blinter, Brakeman, Buf, Checkmake, Checkov, CircleCI, Clippy, Clang-Tidy, Cppcheck, detekt, Dotenv Linter, ESLint, Flake8, Fortitude, Gitleaks, golangci-lint, Hadolint, HTMLHint, LanguageTool, Luacheck, markdownlint, OSV-Scanner, OpenGrep, Oxlint, PHPCS, PHPMD, PHPStan, Pipeline Remediation (Pipeline Failure Remediation), PMD, Prisma Lint, PSScriptAnalyzer, Pylint, Regal, RuboCop, Ruff, Semgrep, ShellCheck, Shopify CLI, smarty-lint, SQLFluff, Stylelint, SwiftLint, TFLint, Trivy, TruffleHog. [1]

Recent additions called out in the 2026 changelog include smarty-lint, PSScriptAnalyzer (Feb 25, 2026) and Trivy, TFLint, Fortitude, Blinter (Feb 4, 2026). [2]

Sources: [1] [2]


Add missing security scanners to explicit tool configuration.

The file already pins 25+ tools explicitly (lines 30-88). However, critical security scanners—Gitleaks, TruffleHog, Checkov, Trivy, Semgrep—are absent. When inheriting, omitted tools merge from parent config; if the parent org-level .coderabbit.yaml doesn't enable these scanners either, security coverage remains incomplete (CWE-693). Explicitly enable them:

Add to tools block
    dotenvLint:
      enabled: true
+   gitleaks:
+     enabled: true
+   trufflehog:
+     enabled: true
+   checkov:
+     enabled: true
+   trivy:
+     enabled: true
+   semgrep:
+     enabled: true
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml at line 5, The config currently relies on inheritance and
omits key security scanners; update the .coderabbit.yaml tools block to
explicitly add and enable Gitleaks, TruffleHog, Checkov, Trivy, and Semgrep (so
they are not only inherited) by adding tool entries for each with enabled: true
and any minimal recommended settings (e.g., severity or policy refs if present),
ensuring the tools block that already lists 25+ tools includes these five tool
names so they run regardless of parent org config.
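
A worked model of the merge rules the comment quotes (objects deep-merge, scalars keep the child's value, arrays are child-first with unique parent items appended, and the chain stops at the first level without inheritance: true), added here as an illustration. It is not CodeRabbit's code: the repo-level dict is the subset of this diff needed to show the effect, the org-level config it merges against is constructed because the real org baseline is not on this page, and the required-scanner list is the one the comment asks for. The check at the end is the one a reviewer wants before trusting inheritance: after resolution, which of the requested scanners are actually enabled.

```python
"""Model of the configuration-inheritance merge rules quoted in the comment above.
Added illustration only: not CodeRabbit's implementation. The org-level config
below is constructed for the example; the real org baseline is not on this page.
"""

DEDUPE_KEYS = ("path", "name", "id")  # identity keys the quoted rule names for array items
# Scanners the review comment above asks to have enabled explicitly.
REQUIRED_SCANNERS = ("gitleaks", "trufflehog", "checkov", "trivy", "semgrep")


def _identity(item):
    """Identity used to dedupe array items: a named key for mappings, the value otherwise."""
    if isinstance(item, dict):
        for key in DEDUPE_KEYS:
            if key in item:
                return (key, item[key])
        return ("mapping", repr(sorted(item.items())))
    return ("value", item)


def merge(child, parent):
    """Merge one parent level into a child: objects deep-merge, scalars keep the
    child's value, arrays are child-first with unique parent items appended."""
    if isinstance(child, dict) and isinstance(parent, dict):
        merged = {}
        for key in list(child) + [k for k in parent if k not in child]:
            if key in child and key in parent:
                merged[key] = merge(child[key], parent[key])
            else:
                merged[key] = child[key] if key in child else parent[key]
        return merged
    if isinstance(child, list) and isinstance(parent, list):
        seen = {_identity(item) for item in child}
        return list(child) + [item for item in parent if _identity(item) not in seen]
    # Scalars (and, as a modelling choice, type mismatches): the child wins.
    return child


def resolve(chain):
    """Resolve a chain [repo, org, ...]: each level is merged with the next one up
    only while the level doing the inheriting has inheritance: true."""
    resolved = chain[0]
    for index in range(1, len(chain)):
        if chain[index - 1].get("inheritance") is not True:
            break  # chain stops at the first level where inheritance is off or unset
        resolved = merge(resolved, chain[index])
    return resolved


def enabled_tools(config):
    """Names under reviews.tools whose enabled flag is true after resolution."""
    tools = config.get("reviews", {}).get("tools", {})
    return sorted(name for name, opts in tools.items()
                  if isinstance(opts, dict) and opts.get("enabled") is True)


def missing_scanners(config, required=REQUIRED_SCANNERS):
    """Required scanners the resolved config does not enable: the gap the comment flags."""
    return sorted(set(required) - set(enabled_tools(config)))


# Repo-level excerpt taken from the diff above (inheritance on, exclude-only path filter).
REPO = {
    "inheritance": True,
    "reviews": {
        "profile": "chill",
        "path_filters": ["!.github/**"],
        "tools": {"phpstan": {"enabled": True, "level": "default"}},
    },
}

# Constructed stand-in for the org baseline (hypothetical values, not the real org config).
ORG = {
    "inheritance": False,
    "language": "en-US",
    "reviews": {
        "profile": "assertive",
        "path_filters": ["**"],
        "tools": {"gitleaks": {"enabled": True}, "phpstan": {"enabled": False}},
    },
}

if __name__ == "__main__":
    effective = resolve([REPO, ORG])
    print("profile:", effective["reviews"]["profile"])            # chill: child scalar wins
    print("path_filters:", effective["reviews"]["path_filters"])  # child first, parent appended
    print("enabled tools:", enabled_tools(effective))             # ['gitleaks', 'phpstan']
    print("missing scanners:", missing_scanners(effective))       # checkov, semgrep, trivy, trufflehog
```

Two things the run makes concrete: the child's `path_filters` entry cannot drop a parent pattern, it only precedes it, and any scanner the org baseline happens not to enable stays disabled here without the file saying so, which is why the comment wants the five entries pinned locally.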


reviews:
profile: chill
request_changes_workflow: false
high_level_summary: true
high_level_summary_placeholder: '@coderabbitai summary'
high_level_summary_in_walkthrough: false
auto_title_placeholder: '@coderabbitai'
auto_title_instructions: ''
review_status: false
commit_status: true
fail_commit_status: false
collapse_walkthrough: true
changed_files_summary: true
sequence_diagrams: false
assess_linked_issues: true
related_issues: true
related_prs: true
suggested_labels: true
auto_apply_labels: false
suggested_reviewers: true
auto_assign_reviewers: false
poem: false
labeling_instructions: []
path_filters: ["!.github/**"]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

CodeRabbit path_filters negation pattern !.github documentation

💡 Result:

In CodeRabbit, reviews.path_filters supports exclude (negation) patterns by prefixing the glob with !. Patterns are relative to the repo root and are passed through to git sparse-checkout. [1][2]

To exclude the entire .github/ directory, add:

reviews:
  path_filters:
    - "!.github/**"

Notes:

  • If you have any include patterns (ones without !), CodeRabbit will include only files matching those includes, then apply your excludes. [1]
  • Excludes can be mixed with includes, e.g. include everything but exclude .github: [1][2]
reviews:
  path_filters:
    - "**"
    - "!.github/**"

Sources: CodeRabbit configuration docs on reviews.path_filters and ! exclude patterns. [1][2]


🏁 Script executed:

# Search the repository for CodeRabbit schema, documentation, or configuration examples
find . -type f \( -name "*.md" -o -name "*.yaml" -o -name "*.json" \) -exec grep -l "path_filters\|coderabbit" {} \; 2>/dev/null | head -20

Repository: opendatahub-io/opendatahub-tests

Length of output: 94


🏁 Script executed:

# Check if there's a coderabbit schema or reference documentation in the repo
git ls-files | grep -i coderabbit | head -20

Repository: opendatahub-io/opendatahub-tests

Length of output: 92


🏁 Script executed:

cat -n .coderabbit.yaml

Repository: opendatahub-io/opendatahub-tests

Length of output: 3084


Fix malformed path_filters and include .github/workflows/** in review scope.

Line 16 has two problems: (1) the exclude-only pattern ["!.github/**"] lacks the necessary include-all prefix, and (2) it still excludes workflows from code review, creating a supply-chain blind spot (CWE-693). CodeRabbit requires explicit include patterns before excludes. Use ["**", "!.github/**"] to include all files except non-critical .github/ metadata, or use ["**", "!.github/**/*.md"] to keep workflows reviewable.

Suggested change
-  path_filters: ["!.github/**"]
+  path_filters: ["**", "!.github/**/*.md"]
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.coderabbit.yaml at line 16, The path_filters entry is malformed (an
exclude-only pattern) and currently prevents workflow files from being reviewed;
update the path_filters value to prepend an explicit include-all pattern and
then apply the exclude you want (e.g., include all files then exclude .github
metadata), or alternatively exclude only .github markdown so workflows remain in
scope; modify the path_filters key accordingly to use an include-all prefix
followed by the intended .github exclusion so reviewers see workflow files.
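
An added model of how an include/exclude path_filters list decides review scope, following the rule quoted in the comment's web-query result (include patterns restrict scope first, exclude patterns then apply). It is not CodeRabbit's code, the list of changed files is constructed, and whether an exclude-only list is accepted at all is exactly what the comment disputes, so the starting point "no include pattern means every file is in scope" is an assumption of this model rather than documented behaviour. Under that assumption it shows the effect the comment is worried about: the submitted filter hides workflow changes, the suggested one keeps them reviewable.

```python
"""Model of reviews.path_filters evaluation: includes (patterns without '!') limit
the scope first, then excludes ('!'-prefixed) are applied. Added illustration only;
the "no includes means everything is in scope" default is an assumption here."""
import re


def glob_to_regex(pattern):
    """Translate a gitignore-style glob anchored at the repo root: '**' spans
    directories, '*' and '?' stay within one path segment."""
    out, i = [], 0
    while i < len(pattern):
        if pattern.startswith("**/", i):
            out.append("(?:.*/)?")  # zero or more directory levels
            i += 3
        elif pattern.startswith("**", i):
            out.append(".*")        # the rest of the path, slashes included
            i += 2
        elif pattern[i] == "*":
            out.append("[^/]*")
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def in_review_scope(path, path_filters):
    """True if a file would be reviewed under the given filter list."""
    includes = [glob_to_regex(p) for p in path_filters if not p.startswith("!")]
    excludes = [glob_to_regex(p[1:]) for p in path_filters if p.startswith("!")]
    if includes and not any(r.match(path) for r in includes):
        return False  # an include list restricts scope to its matches
    return not any(r.match(path) for r in excludes)


def reviewed_files(paths, path_filters):
    return [p for p in paths if in_review_scope(p, path_filters)]


def unreviewed_workflows(paths, path_filters):
    """Workflow files a filter list hides from review: the blind spot the comment flags."""
    return [p for p in paths
            if p.startswith(".github/workflows/") and not in_review_scope(p, path_filters)]


# Constructed sample of files changed in a PR (not from the page).
SAMPLE_PATHS = [
    "tests/test_model.py",
    ".github/workflows/ci.yaml",
    ".github/PULL_REQUEST_TEMPLATE.md",
    ".github/CODEOWNERS",
    "Dockerfile",
]

AS_SUBMITTED = ["!.github/**"]             # the value on line 16 of the diff above
AS_SUGGESTED = ["**", "!.github/**/*.md"]  # the comment's suggested replacement

if __name__ == "__main__":
    for label, filters in (("submitted", AS_SUBMITTED), ("suggested", AS_SUGGESTED)):
        print(label, "reviewed:", reviewed_files(SAMPLE_PATHS, filters))
        print(label, "workflows hidden:", unreviewed_workflows(SAMPLE_PATHS, filters))
```

The useful check is `unreviewed_workflows`: run it over the files touched by a PR and the intended filter list, and an empty result means no `.github/workflows/` change slips past review. Note that the suggested list also keeps `.github/CODEOWNERS` in scope, which is usually wanted for the same reason.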

path_instructions: []
abort_on_close: true
disable_cache: false
auto_review:
enabled: true
auto_incremental_review: true
ignore_title_keywords: ['wip', 'do not merge', 'do not review',
'lock file maintenance', 'pre-commit autoupdate']
labels: []
drafts: false
base_branches: []
finishing_touches:
docstrings:
enabled: true
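Review bot: the new header comment at the top of this hunk says only the listed overrides differ from the org baseline, but the retained `reviews:` block (profile, summary and labelling switches, path_filters, auto_review, finishing_touches) gives no indication of which keys are genuine overrides; a short comment per retained key, or trimming the block to the real deltas, would make the intent of `inheritance: true` verifiable in review. Separately, under the merge rule quoted in the comment above (arrays child-first with unique parent items appended), `path_filters: ["!.github/**"]` cannot remove any parent pattern and, having no include pattern of its own, takes `.github/workflows/**` out of review scope; the suggested `["**", "!.github/**/*.md"]` keeps workflow changes reviewable.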
@@ -73,39 +58,20 @@ reviews:
enabled: true
phpstan:
enabled: true
level: default
golangci-lint:
enabled: true
yamllint:
enabled: true
gitleaks:
enabled: true
checkov:
enabled: true
detekt:
enabled: true
eslint:
enabled: true
rubocop:
enabled: true
buf:
enabled: true
regal:
enabled: true
actionlint:
enabled: true
pmd:
enabled: true
cppcheck:
enabled: true
semgrep:
enabled: true
circleci:
enabled: true
clippy:
enabled: true
sqlfluff:
enabled: true
prismaLint:
enabled: true
pylint:
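Review bot: this hunk shrinks the tools block from 39 lines to 20 but the rendered view does not mark which entries were dropped; if gitleaks, checkov and semgrep are among them (the CodeRabbit finding above reports them absent from the resulting file), either keep those three `enabled: true` entries locally or add a line to the header comment naming the scanners the org baseline is relied on to provide, so a later change to the org config cannot silently turn off secret and IaC scanning for this repository.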
@@ -122,25 +88,14 @@ reviews:
enabled: true
chat:
auto_reply: true
integrations:
jira:
usage: auto
linear:
usage: auto

knowledge_base:
opt_out: false
web_search:
enabled: true
learnings:
scope: auto
issues:
scope: auto
jira:
usage: auto
project_keys: []
linear:
usage: auto
team_keys: []
pull_requests:
scope: auto
code_generation:
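Review bot: `knowledge_base.jira` and `knowledge_base.linear` keep `usage: auto` alongside empty `project_keys: []` and `team_keys: []`; under the array merge rule quoted earlier an empty child list is not a reset, the parent's items are appended, so if the intent is to inherit the org's keys these lists are redundant and if the intent is to have none they do not achieve it. Likewise `web_search: enabled: true` and `opt_out: false` are spelled out here; confirm they are intended overrides of the org baseline rather than duplicates, since the header comment promises only differing keys are listed.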