hashicorp-vault-sonar-prodBot changed the title from "Add dependency risk eligibility check for git integrate" to "CLI-724 Add dependency risk eligibility check for git integrate" on Jun 19, 2026
CI failed: The build failed due to a `TypeError` in the unit tests caused by missing `auth` object properties in the new dependency risk eligibility check.
Overview
3 unit tests failed in the git-integration-subfeatures test suite due to a TypeError when accessing auth.serverUrl in the scaSkipReason function. This indicates the new dependency risk eligibility logic does not safely handle scenarios where authentication state is absent.
Failures
TypeError in scaSkipReason (confidence: high)
Type: test
Affected jobs: 82372062652
Related to change: yes
Root cause: The function scaSkipReason assumes an auth object exists and attempts to read auth.serverUrl. However, several test cases for createDepRisksSubfeature invoke this logic without providing an auth object, causing an unhandled exception.
Suggested fix: Update scaSkipReason to include a null check for auth (e.g., if (!auth?.serverUrl) return ...) or ensure all test setups provide a default mock auth object when testing the dependency risk integration.
Summary
Change-related failures: 3 test failures related to the new dependency risk eligibility check.
Infrastructure/flaky failures: None.
Recommended action: Review src/features/git-integration-subfeatures.ts (or relevant file) to implement null-safety for the auth object in scaSkipReason and ensure unit tests cover the non-authenticated integration flow.
Code Review: ✅ Approved (1 resolved / 1 findings)
Implements SCA eligibility checks for git integration, ensuring dependency-risk scanning gracefully skips unsupported connections. The previously missing scaEnabled configuration in interactive tests has been resolved.
✅ 1 resolved
✅ Bug: Interactive dep-risks test missing scaEnabled, will now fail
📄 tests/integration/specs/integrate/git.test.ts:664-678
The new code in createDepRisksSubfeature.shouldInstall now calls assertScaAvailable whenever auth is present and a project key is resolved. When the fake server is started without withScaEnabled(true), the SCA endpoint returns 404, checkScaEnabled resolves to false, and assertScaAvailable throws CommandFailedError, so dep-risks is skipped.
The test 'opts into dependency-risks interactively and auto-discovers project key' (line 664) calls setupAuthenticated(harness, { withSecretsBinary: true }) WITHOUT scaEnabled: true, yet asserts that dep-risks IS installed:
Every other dep-risks-installing test in this PR was updated to pass scaEnabled: true (lines 552, 585, 820, 984, 1316), but this one was missed. With the new SCA gate, the auto-discovered project key triggers the SCA check, dep-risks is skipped, and these assertions will fail. Update this test's setup to setupAuthenticated(harness, { withSecretsBinary: true, scaEnabled: true }).
Tip
Comment Gitar fix CI or enable auto-apply: gitar auto-apply:on
Options
Auto-apply is off → Gitar will not commit updates to this branch. Display: compact → Showing less information.
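The missing-auth failure from the CI analysis above, sketched as an added TypeScript example (not code from this PR or the project). Only the name `scaSkipReason` and the `auth.serverUrl` access come from the page; the `GateInput` shape, the skip message, the sample URL and the choice to apply the gate only when auth and a project key are both present are assumptions.

```typescript
// Added illustration: names follow the PR discussion; shapes and messages are assumptions.
interface AuthContext { serverUrl: string }
interface GateInput {
  auth?: AuthContext;    // absent in the non-authenticated flow
  projectKey?: string;   // absent when no project key was resolved
  scaEnabled?: boolean;  // result of the server-side SCA probe, when one ran
}
type Gate = (input: GateInput) => string | null; // null means "no reason to skip"

// Before: the non-null assertion hides the missing-auth case from the compiler,
// so it surfaces as a runtime TypeError instead.
const scaSkipReasonUnsafe: Gate = (input) => {
  const server = input.auth!.serverUrl;
  return input.scaEnabled === true ? null : `SCA unavailable on ${server}`;
};

// After: the gate applies only when auth and a project key are both present
// (assumption taken from the review text), and anything other than an explicit
// `true` from the probe is treated as "not available".
const scaSkipReason: Gate = (input) => {
  const server = input.auth?.serverUrl;
  if (!server || !input.projectKey) return null;
  return input.scaEnabled === true ? null : `SCA unavailable on ${server}`;
};

// Constructed inputs, one per flow.
const auth: AuthContext = { serverUrl: "https://sonar.example.test" };
const CASES: Record<string, GateInput> = {
  "no auth": { projectKey: "demo" },
  "auth, no project key": { auth, scaEnabled: false },
  "auth, SCA off": { auth, projectKey: "demo", scaEnabled: false },
  "auth, probe failed": { auth, projectKey: "demo" },
  "auth, SCA on": { auth, projectKey: "demo", scaEnabled: true },
};

// Runs a gate over every case and records install / skip / crash.
function runCases(gate: Gate): Record<string, string> {
  const out: Record<string, string> = {};
  for (const name of Object.keys(CASES)) {
    try {
      const reason = gate(CASES[name]);
      out[name] = reason === null ? "install" : `skip: ${reason}`;
    } catch (e) {
      out[name] = `crash: ${e instanceof Error ? e.name : "unknown"}`;
    }
  }
  return out;
}

console.log({ before: runCases(scaSkipReasonUnsafe), after: runCases(scaSkipReason) });
```

Running both gates over the same table is the regression check the analysis asks for: the non-authenticated row must produce a decision, not an exception.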
Part of CLI-505
Summary by Gitar
assertScaAvailable to verify Software Composition Analysis (SCA) eligibility for git integration.
createDepRisksSubfeature to skip dependency-risks scanning if the current connection does not support SCA.
auth context throughout the git integration flow to enable server-side eligibility checks.
This will update automatically on new commits.