feat(cli): env-gate scan-all verifier auto-triage (#3)#40
Enable periodic verifier auto-triage via env, independent of how scan-all is scheduled. The scan-all runtime already runs the verifier + writes terminal dispositions under --verify-artifacts; the only gap was that it could not be turned on without an explicit CLI flag.

- scan.py: --verify-artifacts is now a BooleanOptionalAction defaulting from SECURITY_SCANNER_VERIFY_ARTIFACTS (truthy=on, unset/0/false=off); --no-verify-artifacts overrides env-on. host/model/timeout/min-confidence already env-fallback via resolve_verifier_config. DEFAULT-OFF preserved.
- deploy/systemd/README.md: trigger-agnostic enablement section (env table, fail-closed=needs_review semantics, exit 2 alerting). No .service edits — systemd is just one scheduler; verification rides any scan-all invocation.

Scope correction (user feedback): the repo is poll-based (discover-updates → scan-worker), not PR/webhook-triggered; systemd is not essential. Per-change verification in the incremental scan-worker path is deferred as a separate follow-up.

Spec under docs/workbench/specs/verifier-periodic-wiring/.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Code Review
This pull request implements environment-gated automatic triage using the Ollama verifier for periodic scans. It introduces the SECURITY_SCANNER_VERIFY_ARTIFACTS environment variable to control verification, updates the CLI argument parser to support this default, and adds comprehensive documentation and unit tests. The review feedback suggests documenting the missing SECURITY_SCANNER_OLLAMA_API_KEY_ENV variable in the README, aligning the design specification with the actual implementation signature of the _env_truthy helper, and simplifying the helper's implementation to be more idiomatic.
- README: document SECURITY_SCANNER_OLLAMA_API_KEY_ENV in the verifier env table.
- scan.py: simplify _env_truthy (early `if not value` instead of `(value or "")`).
- design.md: correct _env_truthy signature (value: str | None, caller passes os.environ.get) and the BooleanOptionalAction default to match the impl.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
**What**

Make `scan-all` verifier auto-triage enable-able via environment, independent of how the scan is scheduled (trigger-agnostic). DEFAULT-OFF, public-safe, fail-closed.

**Why (scope correction)**

The runtime already runs the verifier and writes terminal dispositions under `--verify-artifacts`; the gap was only that periodic runs had no way to turn it on without editing the CLI invocation. The repo is poll-based (`discover-updates` polls refs → `scan-worker`), not PR/webhook-triggered, so systemd is just one scheduler — not the essence. The fix is a trigger-agnostic env gate, not systemd template edits.

**Changes**

- `scan.py`: `--verify-artifacts` → `BooleanOptionalAction` defaulting from `SECURITY_SCANNER_VERIFY_ARTIFACTS` (1/true/yes/on = on; unset/0/false = off). `--no-verify-artifacts` overrides env-on. Other verifier inputs already env-fallback.
- `deploy/systemd/README.md`: env-table enablement section (fail-closed semantics, exit-2 alerting). No `.service` edits.
- `docs/workbench/specs/verifier-periodic-wiring/` (research-grounded self-Q&A).

**Test**

`uv run pytest` — 678 passed (new: env-gate default on/off, `--no-` override, helper). `governance.public_safety` clean.

**Deferred**

`scan-worker` path (heavier; `scan-all` full-sweep already verifies newly detected findings on the next run).

Related to #23 follow-on residual work.
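The env-gate pattern the PR describes (a `BooleanOptionalAction` flag whose default comes from `SECURITY_SCANNER_VERIFY_ARTIFACTS`, with `--no-verify-artifacts` overriding an env-on value and anything unrecognised failing closed to off), shown as an added stand-alone example. This is not the project's `scan.py`; the helper and parser names `env_truthy`, `build_parser` and `resolve_verify` are assumed for illustration, and the `environ` mapping is passed in explicitly so the behaviour can be checked without touching the real process environment.

```python
import argparse
import os
from typing import Mapping, Optional, Sequence

# Values that switch the gate on. Everything else (unset, "", "0", "false",
# "no", "off", or a typo) reads as off, so the gate fails closed to DEFAULT-OFF.
TRUTHY = {"1", "true", "yes", "on"}


def env_truthy(value: Optional[str]) -> bool:
    """Interpret a raw environment-variable value as a boolean gate.

    Caller passes os.environ.get(NAME); None or "" means the gate is off.
    """
    if not value:
        return False
    return value.strip().lower() in TRUTHY


def build_parser(environ: Optional[Mapping[str, str]] = None) -> argparse.ArgumentParser:
    """Build a parser whose --verify-artifacts default is taken from the env.

    BooleanOptionalAction registers both --verify-artifacts and
    --no-verify-artifacts; an explicit flag always wins over the env default.
    """
    env = os.environ if environ is None else environ
    parser = argparse.ArgumentParser(prog="scan-all-example")
    parser.add_argument(
        "--verify-artifacts",
        action=argparse.BooleanOptionalAction,
        default=env_truthy(env.get("SECURITY_SCANNER_VERIFY_ARTIFACTS")),
        help="run the verifier and write terminal dispositions "
             "(default from SECURITY_SCANNER_VERIFY_ARTIFACTS)",
    )
    return parser


def resolve_verify(argv: Sequence[str], environ: Mapping[str, str]) -> bool:
    """Return the effective verify-artifacts decision for argv + environment."""
    return bool(build_parser(environ).parse_args(list(argv)).verify_artifacts)


if __name__ == "__main__":
    # Constructed environments for a quick demonstration (not real settings).
    cases = [
        ([], {}),
        ([], {"SECURITY_SCANNER_VERIFY_ARTIFACTS": "1"}),
        ([], {"SECURITY_SCANNER_VERIFY_ARTIFACTS": "maybe"}),
        (["--no-verify-artifacts"], {"SECURITY_SCANNER_VERIFY_ARTIFACTS": "true"}),
        (["--verify-artifacts"], {"SECURITY_SCANNER_VERIFY_ARTIFACTS": "0"}),
    ]
    for argv, env in cases:
        print(argv, env, "->", resolve_verify(argv, env))
```

Because the default is computed once from `environ` at parser-build time, a scheduler (systemd timer, cron, or a manual run) only needs to export the variable; the CLI invocation itself stays unchanged, which is the trigger-agnostic property the PR is after.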