chore: update pvtr plugin to ossf repo and v0.23.2 IN-986#4126
gaspergrom wants to merge 3 commits into
Conversation
3c25713 to 81f9624
Pull request overview
Updates the security best practices worker to use the canonical OSSF PVTR GitHub repo scanner and the newer OSPS baseline catalog ID.
Changes:
- Bumps the PVTR plugin source repository and pinned commit to v0.23.2.
- Updates the Privateer example config catalog from OSPS_B to osps-baseline-2026-02.
- Updates the worker's saved evaluation-suite lookup catalog ID accordingly.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| services/apps/security_best_practices_worker/src/activities/index.ts | Updates the catalog ID used when selecting the evaluation suite to persist. |
| services/apps/security_best_practices_worker/example-config.yml | Updates the configured catalog passed to Privateer/PVTR. |
| scripts/services/docker/Dockerfile.security_best_practices_worker | Switches plugin clone/build source to the OSSF scanner repo and pinned commit. |
81f9624 to 35a0e22
Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
35a0e22 to 02ba949
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 02ba949.
…tibility (IN-986) Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
… row error (IN-986) Signed-off-by: Gašper Grom <gasper.grom@gmail.com>
Addressed the duplicate row issue flagged by cursor[bot]. When a repo was previously scanned with the old Fix: added an optional
epipav
left a comment
Looks good. One thing we can do to prevent duplicate evaluations and assessments is to update the existing catalogId to the new value in a migration
```sql
UPDATE "securityInsightsEvaluationSuites"
SET "catalogId" = 'osps-baseline-2026-02'
WHERE "catalogId" = 'OSPS_B';
```
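The bare UPDATE above will itself collide wherever a repo has already been rescanned under the new catalog ID (the duplicate-row case raised earlier in this thread): two suites for one repo would end up with the same catalogId. The migration below is an added example, not code from this PR or from the project, and it assumes Postgres plus a hypothetical "repoId" column that scopes a suite to a repository and an "id" primary key; adjust both names to the real schema. It renames only the rows that have no new-catalog counterpart and surfaces the rest for manual reconciliation instead of silently producing duplicates.

```sql
BEGIN;

-- Step 1: record how many rows still carry the deprecated catalog ID
-- (hypothetical "repoId"/"id" column names; confirm against the real schema).
SELECT count(*) AS old_catalog_rows
FROM "securityInsightsEvaluationSuites"
WHERE "catalogId" = 'OSPS_B';

-- Step 2: rename old-catalog suites only where the same repo does NOT already
-- have a suite under the new catalog, so no two suites end up identical.
UPDATE "securityInsightsEvaluationSuites" AS s
SET "catalogId" = 'osps-baseline-2026-02'
WHERE s."catalogId" = 'OSPS_B'
  AND NOT EXISTS (
    SELECT 1
    FROM "securityInsightsEvaluationSuites" AS n
    WHERE n."repoId" = s."repoId"
      AND n."catalogId" = 'osps-baseline-2026-02'
  );

-- Step 3: anything left under OSPS_B belongs to a repo that already has a
-- new-catalog suite. Those pairs need a deliberate decision (keep the newer
-- suite, delete the older one, or merge evaluations) before this is considered
-- migrated; listing them here keeps that decision explicit.
SELECT "id", "repoId"
FROM "securityInsightsEvaluationSuites"
WHERE "catalogId" = 'OSPS_B'
ORDER BY "repoId";

-- Roll back instead of COMMIT if step 3 returns rows you were not expecting.
COMMIT;
```

Run the three steps inside one transaction so a surprising count in step 1 or leftover rows in step 3 can be answered with ROLLBACK rather than a second migration.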

Summary
Updates the pvtr GitHub repo scanner plugin from the old revanite-io/pvtr-github-repo repo to the new canonical location at ossf/pvtr-github-repo-scanner, and bumps the version to v0.23.2. Also updates the catalog ID and CATALOG_ID constant from the deprecated OSPS_B to osps-baseline-2026-02.

Changes
- Dockerfile.security_best_practices_worker: updated clone URL to ossf/pvtr-github-repo-scanner, updated commit hash to v0.23.2 (c7bd9538)
- example-config.yml: catalog OSPS_B → osps-baseline-2026-02
- activities/index.ts: CATALOG_ID constant 'OSPS_B' → 'osps-baseline-2026-02'

Type of change
JIRA ticket
https://linuxfoundation.atlassian.net/browse/IN-986
Note
Medium Risk
Moderate risk: changes the container build inputs (Go/Alpine base and external plugin repo/commit) and tightens DB lookup scoping for control evaluations, which could affect ingestion if catalog IDs or suite associations don’t match existing data.
Overview
Updates the security_best_practices_worker container to build the pvtr GitHub repo scanner from the canonical ossf/pvtr-github-repo-scanner repo at v0.23.2, and bumps the plugin build image to golang:1.26.3-alpine3.23. Migrates the OSPS baseline catalog identifier from OSPS_B to osps-baseline-2026-02 in both the worker config and DB ingestion, and updates findSuiteControlEvaluation to optionally filter by securityInsightsEvaluationSuiteId (now passed from the worker) to avoid cross-suite collisions.

Reviewed by Cursor Bugbot for commit f5e33c8.
OSPS_Btoosps-baseline-2026-02in both the worker config and DB ingestion, and updatesfindSuiteControlEvaluationto optionally filter bysecurityInsightsEvaluationSuiteId(now passed from the worker) to avoid cross-suite collisions.Reviewed by Cursor Bugbot for commit f5e33c8. Bugbot is set up for automated code reviews on this repo. Configure here.