fix: update existing PR comments to add all-clear message

lelia · lelia · commit 34b732f96a87 · 2026-04-01T14:55:30.000-04:00
Signed-off-by: lelia &lt;2418071+lelia@users.noreply.github.com&gt;
diff --git a/socket_basics/core/notification/github_pr_notifier.py b/socket_basics/core/notification/github_pr_notifier.py
@@ -59,6 +59,7 @@ def notify(self, facts: Dict[str, Any]) -> None:
                 pr_number = self._get_pr_number()
                 if pr_number:
                     self._reconcile_pr_labels(pr_number, [])
+                    self._replace_existing_sections_with_all_clear(pr_number)
                 else:
                     logger.warning('GithubPRNotifier: unable to determine PR number for label reconciliation')
             logger.info('GithubPRNotifier: no notifications present; skipping comments')
@@ -288,6 +289,25 @@ def _extract_section_markers(self, content: str) -> Optional[Dict[str, str]]:
         
         return None
 
+    def _extract_all_section_types(self, comment_body: str) -> List[str]:
+        """Extract all managed section markers from a comment body."""
+        import re
+
+        pattern = r'<!-- ([a-zA-Z0-9\-_]+) start -->'
+        return re.findall(pattern, comment_body or '')
+
+    def _extract_section_title(self, section_content: str) -> str:
+        """Extract the display title from a wrapped PR comment section."""
+        import re
+
+        for line in (section_content or '').splitlines():
+            stripped = line.strip()
+            if stripped.startswith('## '):
+                title = stripped[3:].strip()
+                title = re.sub(r'<img[^>]+>\s*', '', title).strip()
+                return title or 'Socket Security'
+        return 'Socket Security'
+
     def _find_comment_with_section(self, comments: List[Dict[str, Any]], section_type: str) -> Optional[Dict[str, Any]]:
         """Find an existing comment that contains the given section type."""
         import re
@@ -313,6 +333,49 @@ def _update_section_in_comment(self, comment_body: str, section_type: str, new_s
         
         return updated_body
 
+    def _build_all_clear_section(self, section_type: str, existing_section_content: str) -> str:
+        """Build an all-clear replacement for an existing managed section."""
+        from socket_basics.core.notification import github_pr_helpers as helpers
+
+        title = self._extract_section_title(existing_section_content)
+        body = "✅ Socket Basics found no active findings in the latest run."
+        return helpers.wrap_pr_comment_section(section_type, title, body, self.full_scan_url)
+
+    def _replace_existing_sections_with_all_clear(self, pr_number: int) -> None:
+        """Rewrite existing managed PR comment sections to an all-clear state."""
+        existing_comments = self._get_pr_comments(pr_number)
+        for comment in existing_comments:
+            original_body = comment.get('body', '')
+            if not original_body:
+                continue
+
+            updated_body = original_body
+            changed = False
+            for section_type in self._extract_all_section_types(original_body):
+                section_match = self._extract_section_markers(updated_body)
+                if not section_match or section_match.get('type') != section_type:
+                    import re
+                    pattern = rf'<!-- {re.escape(section_type)} start -->.*?<!-- {re.escape(section_type)} end -->'
+                    match = re.search(pattern, updated_body, re.DOTALL)
+                    if not match:
+                        continue
+                    section_content = match.group(0)
+                else:
+                    section_content = section_match['content']
+
+                all_clear_section = self._build_all_clear_section(section_type, section_content)
+                next_body = self._update_section_in_comment(updated_body, section_type, all_clear_section)
+                if next_body != updated_body:
+                    updated_body = next_body
+                    changed = True
+
+            if changed:
+                success = self._update_comment(pr_number, comment['id'], updated_body)
+                if success:
+                    logger.info('GithubPRNotifier: updated existing comment %s to all-clear state', comment['id'])
+                else:
+                    logger.error('GithubPRNotifier: failed to update comment %s to all-clear state', comment['id'])
+
     def _truncate_comment_if_needed(self, comment_body: str, full_scan_url: Optional[str] = None) -> str:
         """Truncate comment if it exceeds GitHub's character limit.
         
diff --git a/tests/test_github_pr_notifier.py b/tests/test_github_pr_notifier.py
@@ -104,3 +104,35 @@ def test_notify_reconciles_labels_even_when_notifications_are_empty(monkeypatch)
     notifier.notify({'notifications': []})
 
     assert reconciled == [(123, [])]
+
+
+def test_notify_rewrites_existing_section_to_all_clear_when_notifications_are_empty(monkeypatch):
+    notifier = GithubPRNotifier(
+        {
+            'repository': 'SocketDev/socket-basics',
+            'pr_labels_enabled': True,
+        }
+    )
+
+    comment_body = """<!-- sast-javascript start -->
+## <img src="https://example.test/logo.png" width="24" height="24"> Socket SAST JavaScript
+
+### Summary
+🟡 Medium: 1
+<!-- sast-javascript end -->"""
+    updated_bodies: list[str] = []
+
+    monkeypatch.setattr(notifier, '_get_pr_number', lambda: 123)
+    monkeypatch.setattr(notifier, '_reconcile_pr_labels', lambda pr_number, labels: True)
+    monkeypatch.setattr(notifier, '_get_pr_comments', lambda pr_number: [{'id': 99, 'body': comment_body}])
+    monkeypatch.setattr(
+        notifier,
+        '_update_comment',
+        lambda pr_number, comment_id, body: updated_bodies.append(body) or True,
+    )
+
+    notifier.notify({'notifications': []})
+
+    assert len(updated_bodies) == 1
+    assert 'No active findings remain for this scanner in the latest run.' in updated_bodies[0]
+    assert '<!-- sast-javascript start -->' in updated_bodies[0]
