You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
All repository-scoped commands now resolve provider, organization, and
repository from the origin remote URL when those arguments are omitted.
This lets users run e.g. `codacy issues` or `codacy pull-request 42`
inside a git checkout instead of spelling out the full triple every time.
Adds git-remote and resolve-repo-args utilities, updates all 11 commands
to use optional positional arguments with auto-detection fallback, and
documents the feature in the README.
Co-Authored-By: Claude <noreply@anthropic.com>
The reason will be displayed to describe this comment to others. Learn more.
Code Review
This pull request introduces repository auto-detection from the git remote origin URL, allowing repository-scoped CLI commands to run without explicitly specifying the provider, organization, and repository arguments. It also adds a 'False Positives' section to the issues overview and updates dependencies. The review feedback suggests making the git remote URL parser more robust to support GitLab subgroups and ssh:// prefixes, and safely handling potential undefined values for the new potentialFalsePositives field.
The reason will be displayed to describe this comment to others. Learn more.
The current regular expressions for parsing git remote URLs do not support subgroups (e.g., org/subgroup/repo on GitLab) or SSH URLs prefixed with ssh:// (e.g., ssh://git@github.com/org/repo.git).\n\nWe can simplify and make the parser significantly more robust by finding the supported hostnames directly in the URL and splitting the path after the host. This naturally handles subgroups, custom SSH prefixes, and trailing .git suffixes.
The reason will be displayed to describe this comment to others. Learn more.
Good catch — the regexes now support dots in repo names (changed [^/.]+? to [^/]+?), and HTTPS URLs with credentials are handled by stripping the userinfo prefix from the host before provider lookup.
GitLab subgroups (org/subgroup/repo) are out of scope for this PR — the Codacy API takes organization as a single path segment, so subgroup support needs a separate design pass.
The reason will be displayed to describe this comment to others. Learn more.
The potentialFalsePositives field is part of the IssuesOverviewCounts type returned by the API — if the API doesn't include it, that's a client generation issue. The type check already enforces its presence. No optional chaining needed here.
The reason will be displayed to describe this comment to others. Learn more.
Pull Request Overview
The pull request is currently not up to standards due to a combination of security risks, logic gaps in git remote parsing, and missing implementations. A critical security concern was identified in the use of execSync for shell commands, which is vulnerable to injection. Additionally, the regex patterns for remote parsing do not support GitLab subgroups or repository names containing dots, both of which are common use cases.
While the PR aims to update 11 repository-scoped commands, only 9 are implemented, and the documentation for the repositories command is misleading as the implementation was omitted. There is also undocumented scope creep regarding a 'Potential False Positives' feature and a reference to a non-existent version of lodash (4.18.1). The findings command lacks architectural consistency by not using the new resolveRepoArgs utility, resulting in unnecessarily complex and long code blocks.
About this PR
The PR description mentions updating 11 commands to support auto-detection, but the implementation only covers 9 (findings, issue, issues, pattern, patterns, pull-request, repository, tool, tools). Organization-scoped commands like 'repositories' appear to be missing despite documentation updates.
Test suggestions
Parse GitHub SSH URL (with and without .git suffix)
Parse GitHub HTTPS URL (with and without .git suffix)
Parse GitLab and Bitbucket remote URLs
Detect repository context using 'git remote get-url origin'
Handle errors when git is not available or the host is unknown
Auto-detection for commands with 0 additional arguments (e.g., issues)
Auto-detection for commands with trailing arguments (e.g., issue )
Verification that explicit arguments still take precedence
The reason will be displayed to describe this comment to others. Learn more.
🔴 HIGH RISK
Using execSync with template strings is susceptible to command injection if remoteName is manipulated. Refactor getGitRemoteUrl to use execFileSync from child_process and pass arguments as an array: ['remote', 'get-url', remoteName].
The reason will be displayed to describe this comment to others. Learn more.
🔴 HIGH RISK
Lodash version '4.18.1' was not found in the public registry. This will cause installation failures. Please revert to the latest stable version (4.17.21).
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
The README suggests the repositories command now supports auto-detection, but src/commands/repositories.ts was not modified. Please implement the logic in the command or revert the documentation change.
The reason will be displayed to describe this comment to others. Learn more.
🟡 MEDIUM RISK
The action handler for the 'findings' command (102 lines) exceeds the quality threshold. This is caused by manual argument resolution logic that is inconsistent with the 'resolveRepoArgs' utility used elsewhere. Refactor this to use the shared utility to reduce complexity and ensure maintainability.
The reason will be displayed to describe this comment to others. Learn more.
⚪ LOW RISK
The addition of 'Potential False Positives' to the issues overview is scope creep unrelated to git remote auto-detection. This should be moved to a separate PR or properly documented.
The reason will be displayed to describe this comment to others. Learn more.
Pull request overview
This PR adds automatic detection of provider, organization, and repository from the local git origin remote when repo-scoped command positional args are omitted, reducing required CLI arguments when running inside a cloned repository.
Changes:
Added git-remote parsing + repo-context detection, plus resolve-repo-args to reconcile optional positional args with auto-detection fallback.
Updated multiple repo-scoped commands (and tests) to accept optional positional args and use the new resolver.
Documented the feature in README.md and bumped API fetch version / dependencies.
Reviewed changes
Copilot reviewed 25 out of 26 changed files in this pull request and generated 6 comments.
Show a summary per file
File
Description
src/utils/resolve-repo-args.ts
New utility to resolve positional args with auto-detect fallback.
src/utils/resolve-repo-args.test.ts
Tests for argument resolution behavior and error messages.
src/utils/git-remote.ts
New git remote URL parsing + context detection from origin.
src/utils/git-remote.test.ts
Tests for SSH/HTTPS parsing and detect behavior (mocked execSync).
src/commands/tools.ts
Make repo args optional and auto-detect when omitted.
src/commands/tools.test.ts
Add coverage for tools command auto-detect path.
src/commands/tool.ts
Make repo/tool args optional and auto-detect repo when omitted.
src/commands/tool.test.ts
Add coverage for tool command auto-detect path.
src/commands/repository.ts
Make repo args optional and auto-detect when omitted.
src/commands/repository.test.ts
Add coverage for repository command auto-detect path.
src/commands/pull-request.ts
Make repo/pr args optional and auto-detect repo when omitted.
src/commands/pull-request.test.ts
Add coverage for pull-request command auto-detect path.
src/commands/patterns.ts
Make repo/tool args optional and auto-detect repo when omitted.
src/commands/patterns.test.ts
Add coverage for patterns command auto-detect path.
src/commands/pattern.ts
Make repo/tool/pattern args optional and auto-detect repo when omitted.
src/commands/pattern.test.ts
Add coverage for pattern command auto-detect path.
src/commands/issues.ts
Make repo args optional + extend overview output (false positives) and JSON pick list.
src/commands/issues.test.ts
Update issues tests for new overview field + auto-detect path.
src/commands/issue.ts
Make repo/issue args optional and auto-detect repo when omitted.
src/commands/issue.test.ts
Add coverage for issue command auto-detect path.
src/commands/findings.ts
Add “0 args => auto-detect” behavior for findings (repo filter).
src/commands/findings.test.ts
Add coverage for findings command auto-detect path.
- Replace execSync with execFileSync to eliminate command injection vector
- Support dots in repo names by changing [^/.]+? to [^/]+? in regexes
- Strip userinfo from HTTPS URLs before provider lookup
- Redact credentials in error messages to prevent secret leakage
- Fix README: revert repositories/finding to required args (not updated)
- Add missing potentialFalsePositives to repository.test.ts mocks (CI fix)
Co-Authored-By: Claude <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
![codacy-production[bot]](https://avatars.githubusercontent.com/in/56611?s=60&v=4){kind=small}
Summary
origingit remote URL when those arguments are omittedgit-remoteandresolve-repo-argsutilities that parse SSH and HTTPS remote URLs for GitHub, GitLab, and BitbucketTest plan
npm test— all new and existing tests passnpx ts-node src/index.ts issuesauto-detects provider/org/reponpx ts-node src/index.ts issuesshows a helpful error messagenpx ts-node src/index.ts issues gh my-org my-repo🤖 Generated with Claude Code