Skip to content

feat: Production-grade Polaris scan reliability#4

Merged
Param-10 merged 1 commit into
mainfrom
codex/polaris-scan-reliability
Jun 23, 2026
Merged

feat: Production-grade Polaris scan reliability#4
Param-10 merged 1 commit into
mainfrom
codex/polaris-scan-reliability

Conversation

@Param-10

Copy link
Copy Markdown
Owner

Summary

Production-grade reliability overhaul for the Polaris scanner pipeline. Makes the system deterministic-first, evidence-driven, and resilient to AI failures.

Key Changes

Gemini Integration Hardening

  • Pinned google-genai==1.72.0, JSON Schema output, 30s per-call timeout
  • 90-second total AI budget with gemini-2.5-flash fallback
  • Sanitized error codes (AI_RATE_LIMIT, AI_TIMEOUT, AI_INVALID_OUTPUT)

Graceful Degradation

  • Gemini failure completes the deterministic scan with a warning
  • Only GitHub/DB/scanner failures produce error status

Strict AI Evidence Gate

  • AI findings require existing file, changed line, exact redacted evidence
  • Verification agent must approve; invented files/version claims are discarded

Content Protection

  • Secrets redacted before sending to Gemini
  • AI receives changed hunks + bounded context, not full files

Trustworthy Fixes

  • Require exact unified diff, clean application, syntax parsing
  • Finding removal verification; no fuzzy replacement fallback

Improved Reporting

  • Proper pending → success/failure/error lifecycle
  • Summaries show coverage, AI mode, accepted findings count

Retry Support

  • POST /scans/{scan_id}/retry with auth
  • Dashboard exposes Retry for failed/degraded scans

Tests

  • 42/42 existing tests pass
  • 21/21 new reliability tests pass
  • Golden clean/vulnerable fixtures for all 4 formats (Terraform, K8s, Dockerfile, GHA)

- Harden Gemini integration: pinned SDK, JSON Schema output, 30s timeout,
  90s total AI budget, gemini-2.5-flash fallback, sanitized error codes
- Graceful degradation: Gemini failure completes deterministic scan with
  warning instead of failing the entire scan
- Strict AI evidence: AI findings require existing file, changed line,
  exact redacted evidence, and verification agent approval
- Content protection: secrets redacted before Gemini, changed hunks only
- Trustworthy fixes: require exact unified diff, clean application,
  syntax parsing, finding removal verification
- Secure apply: stale scan 409, concurrent apply idempotent
- Improved reporting: pending/success/failure/error lifecycle, coverage
  and AI mode in summaries
- Retry support: POST /scans/{scan_id}/retry with auth
- Changed-line filtering and diff parsing
- Rule metadata with remediation guidance
- 21 new reliability tests, golden fixtures for all 4 formats
- CI workflow for backend tests, frontend checks, dep pinning
@vercel

vercel Bot commented Jun 23, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
polaris Ready Ready Preview, Comment Jun 23, 2026 5:47pm

@Param-10 Param-10 merged commit c203353 into main Jun 23, 2026
2 checks passed
@Param-10 Param-10 deleted the codex/polaris-scan-reliability branch June 23, 2026 17:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant