feat(cli): add --min-severity filtering option #9
Merged
What changed

Added a new `--min-severity <level>` CLI option to filter out findings below a certain severity threshold. Supported levels are `info`, `warning`, and `error`.

Why

When scanning large repositories, users may want to focus only on critical risks (e.g., hardcoded credentials) rather than being distracted by lower-severity warnings (e.g., prompt artifacts or unpinned dependencies). This allows integrating OPK more strictly into CI pipelines where `--min-severity error` would fail the build, but warnings would not clutter the output.

Testing

- `tests/scanner/scanner.test.ts` to verify findings are correctly filtered.
- `opk scan --min-severity error` on the `prompt-artifacts` fixture (which only contains warnings) returns 0 findings.

Risks

None. This strictly reduces the volume of reported findings when the flag is used. The default behavior (no flag provided) remains unchanged (reports all findings with level >= `info`).

Follow-up

Consider adding file/path exclusion patterns next.
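The severity threshold described in this PR, as an added TypeScript example that is not OPK's own code: the `Finding` shape, the function names and the sample findings are assumptions constructed for illustration, including a warnings-only set that mirrors the prompt-artifacts case.

```typescript
// Added example, not OPK's code. Models a --min-severity filter over scanner findings.
type Severity = "info" | "warning" | "error";

// Ordering used for threshold comparisons: info < warning < error.
const SEVERITIES: Severity[] = ["info", "warning", "error"];
const SEVERITY_RANK: Record<Severity, number> = { info: 0, warning: 1, error: 2 };

// Assumed finding shape for illustration.
interface Finding {
  rule: string;
  file: string;
  line: number;
  severity: Severity;
}

// Parse the CLI value. Unknown levels are rejected rather than mapped to a
// default, so a typo cannot silently widen or disable the filter.
// No flag at all means the default threshold, info (everything is reported).
function parseMinSeverity(value: string | undefined): Severity {
  if (value === undefined) return "info";
  const v = value.trim().toLowerCase();
  if ((SEVERITIES as string[]).includes(v)) return v as Severity;
  throw new Error(`invalid --min-severity "${value}"; expected info, warning or error`);
}

// Keep only findings whose severity is at or above the threshold.
function filterBySeverity(findings: Finding[], min: Severity): Finding[] {
  const threshold = SEVERITY_RANK[min];
  return findings.filter((f) => SEVERITY_RANK[f.severity] >= threshold);
}

// Constructed sample findings: two warnings of the kind a prompt-artifacts
// fixture would raise, one hardcoded-credential error, and one info note.
const SAMPLE_FINDINGS: Finding[] = [
  { rule: "prompt-artifact", file: "src/agent.ts", line: 12, severity: "warning" },
  { rule: "unpinned-dependency", file: "package.json", line: 9, severity: "warning" },
  { rule: "hardcoded-credential", file: "src/config.ts", line: 3, severity: "error" },
  { rule: "todo-note", file: "README.md", line: 1, severity: "info" },
];

// Warnings-only subset, standing in for the prompt-artifacts fixture.
const WARNINGS_ONLY: Finding[] = SAMPLE_FINDINGS.filter((f) => f.severity === "warning");

function countAtOrAbove(findings: Finding[], flag: string | undefined): number {
  return filterBySeverity(findings, parseMinSeverity(flag)).length;
}
```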