Skip to content

[duplicate-code] Duplicate Threat-Detection WorkflowData Setup Across Engine Paths #46140

Description

@github-actions

🔍 Duplicate Code Detected: Threat-Detection WorkflowData Setup Across Engine Paths

Analysis of commit 479a220

Assignee: @copilot

Summary

The threat-detection pipeline now repeats the same synthetic WorkflowData setup in three places: the inline detection engine path and both external-detector helper steps. The repeated logic builds a detection-specific workflow context, sets Tools, clones/merges engine config, and inherits APITarget.

Duplication Details

Pattern: Synthetic detection context setup

  • Severity: Medium
  • Occurrences: 3
  • Locations:
    • pkg/workflow/threat_detection_inline_engine.go (lines 55-129)
    • pkg/workflow/threat_detection_external.go (lines 199-213)
    • pkg/workflow/threat_detection_external.go (lines 265-289)
  • Code Sample:
    threatDetectionData := buildThreatDetectionWorkflowData(data, engineID)
    threatDetectionData.Tools = map[string]any{
        "bash": []any{"*"},
    }
    threatDetectionData.EngineConfig = &EngineConfig{ID: engineID}
    if canReuseThreatDetectionEngineConfigForExternalDetector(data, engineID) {
        threatDetectionData.EngineConfig = cloneThreatDetectionEngineConfig(engineID, data.SafeOutputs.ThreatDetection.EngineConfig)
    }
    threatDetectionData.EngineConfig.Env = mergeThreatDetectionEngineEnv(data, threatDetectionData.EngineConfig.Env)
    if threatDetectionData.EngineConfig.APITarget == "" && data.EngineConfig != nil {
        threatDetectionData.EngineConfig.APITarget = data.EngineConfig.APITarget
    }

Impact Analysis

  • Maintainability: Changes to threat-detection config inheritance now need to be updated in multiple places.
  • Bug Risk: It is easy for the inline and external detector paths to diverge on env/APITarget propagation.
  • Code Bloat: The same setup logic is copied into the external detector install and execution helpers instead of being shared.

Refactoring Recommendations

  1. Extract a shared threat-detection context helper

    • Centralize detection WorkflowData construction plus config/env/APITarget inheritance.
    • Suggested location: pkg/workflow/threat_detection_helpers.go
    • Estimated effort: small
  2. Parameterize external-detector-only additions

    • Let the helper accept optional mounts/network permissions so the external execution path can layer those on without copying the shared preamble.

Implementation Checklist

  • Review duplication findings
  • Prioritize refactoring tasks
  • Create refactoring plan
  • Implement changes
  • Update tests
  • Verify no functionality broken

Analysis Metadata

  • Analyzed Files: 6
  • Detection Method: Serena semantic code analysis
  • Commit: 479a220
  • Analysis Date: 2026-07-17T00:00:00Z

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • awmgmcpg

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "awmgmcpg"

See Network Configuration for more information.

Generated by 🔍 Duplicate Code Detector · 2.18 AIC · ⊞ 26.7K ·

  • expires on Jul 18, 2026, 10:09 PM UTC-08:00

Metadata

Metadata

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions