
Docs: static analysis policy roadmap #168

Merged
PrzemyslawKlys merged 2 commits into master from codex/static-policy-roadmap-plan
Feb 9, 2026

Conversation

@PrzemyslawKlys (Member)

Adds a concise end-to-end roadmap for IntelligenceX static analysis policy (packs, gates, hotspots, AI assist/codefix) and points to the existing deep-dive doc.

PrzemyslawKlys force-pushed the codex/static-policy-roadmap-plan branch from 2d3e470 to 454ac1e on February 9, 2026 10:38
PrzemyslawKlys merged commit 085a573 into master on Feb 9, 2026
6 of 7 checks passed
PrzemyslawKlys deleted the codex/static-policy-roadmap-plan branch on February 9, 2026 10:38
@intelligencex-review bot commented Feb 9, 2026

IntelligenceX Review

Reviewing PR #168: Docs: static analysis policy roadmap
Reviewed commit: 454ac1e

Merge blockers: items in Todo List ✅ and Critical Issues ⚠️ sections (if present). Other Issues 🧯 are suggestions.

Summary 📝

Clearer, more actionable roadmap with a better “current state” snapshot and phased plan. The restructure is mostly solid, but a few correctness/security details in the GitHub permissions section and a potentially confusing workflow statement should be tightened to avoid misleading implementers.

Todo List ✅

  • Fix GitHub App permissions to use correct names/scopes (e.g., security_events is fine, but pull_requests:write / issues:write isn’t a GitHub App permission format) because incorrect permissions guidance will cause failed integrations and confusion.
  • Clarify/validate the “Self-hosted by default while private” claim against current workflows because docs should not assert a default that the repo doesn’t enforce.

Critical Issues ⚠️

  • GitHub App permissions section lists invalid/ambiguous permission strings (e.g., pull_requests:write) rather than GitHub App permission names and access levels, which will lead to misconfigured apps and broken automation.

Other Issues 🧯

  • The “workflows:read” permission callout for auto-PR/codefix looks unnecessary/misleading; GitHub App permissions typically needed for creating PRs are contents:write and often pull_requests:write (as a GitHub API capability), but the docs should stick to actual GitHub App permission categories/levels to avoid conflating concepts.
  • “Self-hosted by default while private” is a policy statement; consider rephrasing to “recommended” unless the workflow enforces runs-on self-hosted labels, because mismatches erode trust in the doc.
  • The CodeQL hygiene note is helpful, but it’s a bit context-heavy; consider referencing the exact repo setting names (“Code security and analysis”) consistently to reduce ambiguity.

Tests / Coverage 🧪

N/A (docs-only change).

Next Steps 🚀

  • Update the GitHub App permissions section to use GitHub’s permission category names + access levels (what appears in the App settings UI).
  • Reword (or confirm and align workflows) around the self-hosted runner guidance so the doc reflects actual behavior/defaults.

Static Analysis Policy 🧭

  • Config mode: respect
  • Packs: All Essentials (50)
  • Rules: 67 enabled
  • Rule list display: up to 10 items per section
  • Enabled rules preview: CA2000 (Dispose objects before losing scope), CA1062 (Validate arguments of public methods), SA1600 (Elements should be documented), CA1016 (Mark assemblies with assembly version), CA1018 (Mark attributes with AttributeUsageAttribute), CA1041 (Provide ObsoleteAttribute message), CA1047 (Do not declare protected member in sealed type), CA1050 (Declare types in namespaces), CA1061 (Do not hide base class methods), CA1067 (Override Object.Equals(object) when implementing IEquatable<T>) (truncated)
  • Result files: 2 input patterns, 1 matched, 1 parsed, 0 failed
  • Status: pass
  • Rule outcomes: 0 with findings, 67 clean
  • Failing rules: none
  • Clean rules: CA2000 (Dispose objects before losing scope), CA1062 (Validate arguments of public methods), SA1600 (Elements should be documented), CA1016 (Mark assemblies with assembly version), CA1018 (Mark attributes with AttributeUsageAttribute), CA1041 (Provide ObsoleteAttribute message), CA1047 (Do not declare protected member in sealed type), CA1050 (Declare types in namespaces), CA1061 (Do not hide base class methods), CA1067 (Override Object.Equals(object) when implementing IEquatable<T>) (truncated)
  • Outside-pack rules: none

Static Analysis 🔎

  • Findings: 0 (no issues at or above configured severity)

Model & Usage 🤖

  • Model: gpt-5.3-codex
  • Length: medium
  • Mode: inline
  • Reasoning: not configured
  • Usage: 5h limit: 88% remaining | weekly limit: 53% remaining | code review weekly limit: 100% remaining | credits: 0
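As an added illustration (not part of this PR or of the IntelligenceX repository), the workflow below shows the two points the review raises in the notation GitHub Actions actually uses. The job-level `permissions:` block scopes the job's GITHUB_TOKEN and uses hyphenated keys (`security-events: write`), which is a third notation, distinct from both the doc's `security_events:write` and the GitHub App settings label "Security events: Read & write"; and a "self-hosted by default while private" policy holds only if every job's `runs-on` says so, because there is no repository-wide default runner in Actions. The workflow name, job ids, the analyzer command and the SARIF output path are assumptions; `actions/checkout@v4` and `github/codeql-action/upload-sarif@v3` with its `sarif_file` input are the real actions.

```yaml
# Added example workflow, not from the PR. Assumed: job ids, the analyzer
# command (./scripts/analyze.sh) and the SARIF path (out/results.sarif).
name: static-analysis

on:
  pull_request:
  push:
    branches: [master]

# Workflow-wide default for GITHUB_TOKEN: least privilege. Jobs that need
# more must opt in with their own permissions block.
permissions:
  contents: read

jobs:
  # Weak form (kept commented out as the contrast): a hosted runner, and the
  # SARIF upload fails as unauthorized because the job token never received
  # security-events write access.
  # analyze-weak:
  #   runs-on: ubuntu-latest
  #   steps:
  #     - uses: actions/checkout@v4
  #     - run: ./scripts/analyze.sh --sarif out/results.sarif
  #     - uses: github/codeql-action/upload-sarif@v3
  #       with:
  #         sarif_file: out/results.sarif

  # Corrected form: the self-hosted policy is enforced per job through
  # runs-on labels, and only this job gets the write grant Code Scanning
  # uploads need.
  analyze:
    runs-on: [self-hosted, linux]
    permissions:
      contents: read
      security-events: write   # workflow key; the App UI label is "Security events: Read & write"
    steps:
      - uses: actions/checkout@v4
      - name: Run analyzer (assumed command)
        run: ./scripts/analyze.sh --sarif out/results.sarif
      - name: Upload SARIF to Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: out/results.sarif

  # Posting a PR summary needs pull-requests write and nothing else. Keeping
  # it in its own job means the SARIF job never holds that grant.
  comment:
    needs: analyze
    runs-on: [self-hosted, linux]
    permissions:
      pull-requests: write
    steps:
      - name: Post review summary (assumed step)
        run: echo "post the review summary here"
```

To check the doc's "self-hosted by default" claim against the repository rather than assert it, list every `runs-on:` value across `.github/workflows/*.yml`; any job whose value is a hosted label such as `ubuntu-latest` is the evidence that the statement should read "recommended" instead.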

Inline review comments from intelligencex-review bot on the roadmap doc:

Context (doc excerpt):

- “new issues only” mode vs “pay down the debt” mode.

## GitHub App Permissions (Recommended)
- Read-only baseline:
- `contents:read`, `pull_requests:write`, `issues:write`

Comment: These aren’t valid GitHub App permission names/levels as written; document the actual GitHub App permission categories (e.g., “Contents: Read-only”) to prevent misconfigured apps.

Suggested change:

- Read-only baseline (GitHub App permissions):
  - Contents: Read-only
  - Pull requests: Read & write
  - Issues: Read & write

Context (doc excerpt):

- Read-only baseline:
- `contents:read`, `pull_requests:write`, `issues:write`
- Needed for SARIF upload:
- `security_events:write` (GitHub Code Scanning)

Comment: Use the GitHub App permission label GitHub shows (“Security events: Read & write”) rather than API-ish notation to avoid confusion.

Suggested change:

- Needed for SARIF upload:
  - Security events: Read & write (GitHub Code Scanning)
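Review bot: the label "Read-only baseline" contradicts its contents in both the quoted doc lines and the suggested replacement, since Pull requests: Read & write and Issues: Read & write are write grants; either rename the bullet (e.g. "Minimal baseline") or keep a genuinely read-only set (Contents: Read-only, plus the Metadata: Read-only every GitHub App is granted) and list the write grants needed for PR comments and issues under their own heading. Since the section is titled "Recommended", each grant should also name the feature that needs it, so an installer who does not enable SARIF upload can leave out Security events: Read & write.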
