feat: Support archived repo exclusion from GH org scans #4875
hibare wants to merge 1 commit into trufflesecurity:main from
| continue | ||
| } | ||
| numArchived++ | ||
| } |
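Review bot: numArchived++ sits after the inner block that ends in continue, so it runs only for archived repos that fall through and are kept, never for the ones that are skipped. If the counter is meant to tell the operator how many repos were left out of the scan, increment it before the continue or keep a separate skipped counter; in either case add a one-line comment stating which of the two the counter means.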
Archived repo counter incremented only when not excluding
Low Severity
The numArchived counter is placed after the continue statement inside the ExcludeArchived check, so it's only incremented when archived repos are included (not excluded). When ExcludeArchived is true, repos are skipped via continue before numArchived++ runs, making the final log line always report num_archived=0 — exactly when you'd most want to know how many were skipped.
Reviewed by Cursor Bugbot for commit 64137fa.
This behaviour is in line with how numForks is counted.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 6ecbeb6.
| continue | ||
| } | ||
| numArchived++ | ||
| } |
Fork counter overcounts when archived repos excluded
Low Severity
When a repo is both a fork and archived, with IncludeForks=true and ExcludeArchived=true, numForks is incremented at line 268 but then the repo is skipped by the archived continue at line 274 before reaching numRepos++. This makes numForks count repos that were never actually included, so numForks can exceed numRepos in the final log output—an impossible state prior to this change.
Reviewed by Cursor Bugbot for commit 6ecbeb6.


Description:
Adds optional exclusion of archived GitHub repositories from organization scans. Introduces the --exclude-archived flag on the github subcommand, a matching exclude_archived field on the GitHub source protobuf (sourcespb.GitHub), and wiring through GithubConfig, the engine, and org repo enumeration so archived repos are skipped when the option is enabled. Default behavior is unchanged when the flag is not set. Includes unit tests, an integration test case, and README usage.
Checklist:
make test-community)?
make lint this requires golangci-lint)?
Note
Medium Risk
Primarily adds an opt-in filtering path, but it changes GitHub scan enumeration behavior and extends the GitHub source protobuf, which could affect config compatibility and scan coverage when enabled.
Overview
Adds an opt-in --exclude-archived option for GitHub org scans to skip archived repositories during repo enumeration.
Wires the new setting end-to-end (CLI → sources.GithubConfig → engine → sourcespb.GitHub/sources.proto), updates repo-processing logic to filter archived repos and log archived counts, and documents the new usage in README.md.
Includes coverage via new unit tests for org repo listing behavior and an integration test asserting fewer repos are scanned when archived repos exist.
Reviewed by Cursor Bugbot for commit 6ecbeb6. Bugbot is set up for automated code reviews on this repo.
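The counting behaviour raised in the review comments above, as an added Go example that is not TruffleHog's code: both filters run before any counter for kept repos is touched, and skipped repos get their own counters. The repo and counts types, filterRepos, and the sample repositories are hypothetical and constructed for illustration.

```go
package main

import "fmt"

// repo is a constructed stand-in for a GitHub repository record; the field
// names are assumptions for this example, not TruffleHog's types.
type repo struct {
	Name     string
	Fork     bool
	Archived bool
}

// counts keeps "kept for scanning" apart from "filtered out", so no counter
// changes meaning depending on which flags are set.
type counts struct {
	Repos, Forks, Archived        int // kept for scanning
	SkippedForks, SkippedArchived int // filtered out
}

// filterRepos applies both filters before touching any "kept" counter, which
// keeps Forks <= Repos and Archived <= Repos for every flag combination.
func filterRepos(repos []repo, includeForks, excludeArchived bool) ([]string, counts) {
	var kept []string
	var c counts
	for _, r := range repos {
		if r.Fork && !includeForks {
			c.SkippedForks++
			continue
		}
		if r.Archived && excludeArchived {
			c.SkippedArchived++
			continue
		}
		if r.Fork {
			c.Forks++
		}
		if r.Archived {
			c.Archived++
		}
		c.Repos++
		kept = append(kept, r.Name)
	}
	return kept, c
}

func main() {
	repos := []repo{{"live", false, false}, {"old", false, true}, {"old-fork", true, true}, {"fork", true, false}} // constructed sample
	kept, c := filterRepos(repos, true, true)
	fmt.Printf("kept=%v counts=%+v\n", kept, c)
}
```

With forks included and archived repos excluded, the archived fork is reported under SkippedArchived and does not inflate Forks.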