
CM-67391: Use S3 presigned upload for secret CLI scans #476

Open

ilia-cy wants to merge 3 commits into main from CM-67391-secret-presigned-upload

Conversation

ilia-cy (Contributor) commented Jun 22, 2026

Summary

  • Add secret to PRESIGNED_UPLOAD_SCAN_TYPES and give it the 5GB presigned zip-size limit, so async secret scans upload as a single file directly to object storage (BYOS-aware) — mirroring SAST's existing v4 flow instead of batching multipart through the API gateway.
  • Gate the presigned single-file path on non-sync flow, so a --sync secret scan keeps its bounded batched inline upload. This is the only net-new logic: secret is the first scan type that is both presigned-eligible and --sync-capable, a combination SAST never exercised.
  • Add a parametrized routing test (SAST regression + async-secret → presigned + --sync-secret → batched).

Merge ordering / dependency

Requires the secret-detector memory refactor (CM-67389) to deploy first — a single multi-GB zip would otherwise exceed the detector memory limit. Do not release a CLI build with this change ahead of CM-67389.

Jira

CM-67391

Add secret to PRESIGNED_UPLOAD_SCAN_TYPES and give it the 5GB presigned zip-size limit so async secret scans upload as a single file directly to object storage (BYOS-aware), mirroring SAST. Gate the presigned single-file path on non-sync flow so a --sync secret scan keeps its bounded batched inline upload.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@ilia-cy ilia-cy self-assigned this Jun 22, 2026
@ilia-cy ilia-cy added the do not merge Used when a PR has been approved but we don't want to merge just yet label Jun 22, 2026
ilia-cy and others added 2 commits July 2, 2026 15:40
Switching secret scans to the presigned upload path routed them through
get_upload_link -> S3 -> scan_repository_from_upload_id, none of which
were registered by mock_scan_async_responses. The scan hit an unmocked
endpoint, returned 0 violations, and failed test_passing_output_option.

- Extend mock_scan_async_responses to register the presigned endpoints
  (upload-link, S3 POST, repository) for presigned scan types, branching
  on should_use_presigned_upload.
- Widen the presigned-upload fallback in _perform_scan to also catch the
  client's wrapped RequestError/SlowUploadConnectionError, not just raw
  requests.RequestException. A connection/timeout error from get_upload_link
  or the scan trigger otherwise never fell back to the Cycode-API upload.
- Add a regression test covering the wrapped-exception fallback.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
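The routing rule from the PR summary (presigned single-file upload only for eligible, non-sync scans) and the widened exception fallback from the second commit message, as an added example modelled on that description rather than the Cycode CLI's own code. `PRESIGNED_UPLOAD_SCAN_TYPES`, `should_use_presigned_upload`, `RequestError` and `SlowUploadConnectionError` are names taken from the page, but their signatures, the `"sast"`/`"secret"` values, the subclass relationship between the two errors, and the handling of oversize zips are assumptions.

```python
# Added example modelled on the routing this PR describes; not the Cycode CLI's code.
try:
    from requests import RequestException
except ImportError:  # keep the example runnable without the requests package
    class RequestException(IOError):
        pass

PRESIGNED_UPLOAD_SCAN_TYPES = {"sast", "secret"}  # secret added by this PR (assumed values)
PRESIGNED_ZIP_SIZE_LIMIT_BYTES = 5 * 1024 ** 3  # the 5GB presigned zip-size limit


class RequestError(Exception):
    """Stand-in for the client's wrapped request error named in the commit message."""


class SlowUploadConnectionError(RequestError):
    """Stand-in for the client's slow-upload error (assumed to be a RequestError)."""


def should_use_presigned_upload(scan_type, sync, zip_size_bytes):
    """Presigned single-file upload only for eligible, non-sync scans within the cap."""
    if scan_type not in PRESIGNED_UPLOAD_SCAN_TYPES:
        return False
    if sync:
        return False  # --sync keeps the bounded batched inline upload
    return zip_size_bytes <= PRESIGNED_ZIP_SIZE_LIMIT_BYTES  # assumed: oversize goes batched


def perform_scan(scan_type, sync, zip_size_bytes, presigned_upload, batched_upload):
    """Route the upload; on any presigned-path error, fall back to the batched API upload."""
    if not should_use_presigned_upload(scan_type, sync, zip_size_bytes):
        return batched_upload()
    try:
        return presigned_upload()
    except (RequestException, RequestError):
        # Widened fallback: the client's wrapped errors (incl. SlowUploadConnectionError)
        # now fall back too, not only the raw requests exception.
        return batched_upload()


def routing_cases():
    """The routing cases from the PR's parametrized test, plus the wrapped-error fallback."""
    def failing_presigned():
        raise SlowUploadConnectionError("constructed: upload link timed out")
    return {
        "sast_async": perform_scan("sast", False, 1, lambda: "presigned", lambda: "batched"),
        "secret_async": perform_scan("secret", False, 1, lambda: "presigned", lambda: "batched"),
        "secret_sync": perform_scan("secret", True, 1, lambda: "presigned", lambda: "batched"),
        "secret_async_fallback": perform_scan("secret", False, 1, failing_presigned, lambda: "batched"),
    }
```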