Class GitHubAnnotationsEmitter

java.lang.Object
org.egothor.methodatlas.emit.GitHubAnnotationsEmitter
All Implemented Interfaces:
TestMethodSink

public final class GitHubAnnotationsEmitter extends Object implements TestMethodSink
Emits GitHub Actions workflow commands for inline PR annotations.

Only security-relevant methods produce output; every other recorded method is silently skipped. Each emitted method becomes a single ::notice or ::warning line. The GitHub Actions runner intercepts any line on a step's stdout that begins with :: and renders it as an inline annotation on the PR diff:

  • ::warning — when ai_interaction_score >= PLACEBO_THRESHOLD (0.8): the test only verifies that collaborators were called, not what they returned, so it is a potential placebo.
  • ::notice — otherwise: a well-formed security test worth reviewing.

The file path in each annotation is constructed as <filePrefix><fqcn-as-path>.java, where filePrefix is derived from the first configured scan root (e.g. src/test/java/) and the FQCN's dots become path separators. This produces paths like src/test/java/com/acme/AuthTest.java, which GitHub resolves to the correct inline position in the PR diff for standard Maven / Gradle source layouts. If the derived path does not exist in the repository (a non-standard layout, or a class whose source file name differs from its FQCN), GitHub still lists the annotation in the job summary but cannot place it inline on the diff.

This mode does not require a GitHub Advanced Security licence, unlike SARIF upload via the upload-sarif action, which needs code scanning enabled (a paid licence on private repositories). The trade-off is that GitHub caps the number of annotations it renders per step and per job (10 per level per step and 50 per job at the time of writing), so on a noisy repository commands emitted after the cap is reached are dropped without any error.

  • Field Details

    • PLACEBO_THRESHOLD

      public static final double PLACEBO_THRESHOLD
      Interaction score at or above which a security test is flagged as a potential placebo (0.8, per the class description). Compared with the ai_interaction_score of the method's AiMethodSuggestion to choose between ::warning and ::notice.
  • Constructor Details

    • GitHubAnnotationsEmitter

      public GitHubAnnotationsEmitter(PrintWriter out, String filePrefix)
      Parameters:
      out - writer that receives the annotation lines
      filePrefix - prefix prepended to the FQCN-derived file path, including a trailing slash (e.g. "src/test/java/"); empty string when the scan root is already the repo root
  • Method Details

    • record

      public void record(String fqcn, String method, int beginLine, int loc, String contentHash, List<String> tags, String displayName, AiMethodSuggestion suggestion)
      Description copied from interface: TestMethodSink
      Records a single test method.
      Specified by:
      record in interface TestMethodSink
      Parameters:
      fqcn - fully qualified name of the class that declares the method
      method - simple method name
      beginLine - one-based line number of the first line of the method declaration; 0 when the parser cannot determine the location
      loc - inclusive line count of the method declaration
      contentHash - lowercase-hex SHA-256 fingerprint of the enclosing class source, or null when -content-hash is not enabled
      tags - source-level test-framework tag values declared on the method; never null
      displayName - text from an existing display-name annotation on the method; null when no such annotation is present; "" when the annotation is present but has an empty value — which is a malformed annotation and may be treated as a quality finding by implementations
      suggestion - AI-generated security classification for the method, or null when AI enrichment is disabled or unavailable for this class
    • formatCommand

      public static String formatCommand(String level, String filePath, int beginLine, String title, String message)
      Formats a GitHub Actions workflow command line of the form ::level file=<filePath>,line=<beginLine>,title=<title>::<message>. The parameter values and the message are run through escapeParam and escapeMessage respectively, so callers should pass raw text rather than pre-escaped text.
    • escapeParam

      public static String escapeParam(String value)
      Encodes characters that would break a GitHub workflow command parameter value (the file=, line= and title= fields before the second ::). Parameters are delimited by commas and colons, so those, together with the percent sign and line breaks, must be encoded. This matters because titles and file paths are derived from test sources and AI output that the emitter does not control: an unescaped line break would end the command early and let the remainder be interpreted by the runner as a new command of its own.
    • escapeMessage

      public static String escapeMessage(String value)
      Encodes characters that would break a GitHub workflow command message (the free text after the second ::). Only the percent sign and line breaks need encoding here; commas and colons are literal in the message. The same injection concern as for escapeParam applies: display names and AI-generated text flow into the message, and a raw newline would let that text start a fresh ::-prefixed line that the runner would honour.
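The following is an added, stand-alone example and is not code from methodatlas or from the GitHubAnnotationsEmitter class. It re-implements what formatCommand, escapeParam and escapeMessage are documented to do above, plus the path derivation from the class description, and feeds it a constructed display name that tries to smuggle its own workflow command through the message. It assumes the project's escaping is compatible with the percent-encoding used by GitHub's actions/toolkit (% to %25, CR to %0D, LF to %0A, and additionally : to %3A and , to %2C inside parameter values); the class name AnnotationCommandDemo and the helpers sourcePath and levelFor are illustrative names, not part of the project's API.

```java
import java.io.PrintWriter;
import java.io.StringWriter;

/**
 * Added example (not methodatlas code): a minimal stand-in for the emitter's
 * formatting and escaping. Assumption: escaping follows GitHub's
 * actions/toolkit percent-encoding; the project's helpers may differ in detail.
 */
public final class AnnotationCommandDemo {

    /** Score at or above which a test is flagged as a placebo (0.8 per the class description). */
    static final double PLACEBO_THRESHOLD = 0.8;

    /** Escapes a parameter value (file=, line=, title=): '%' first, then CR, LF, ':' and ','. */
    static String escapeParam(String value) {
        return value.replace("%", "%25")
                    .replace("\r", "%0D")
                    .replace("\n", "%0A")
                    .replace(":", "%3A")
                    .replace(",", "%2C");
    }

    /** Escapes the free-text message after the second "::": only '%', CR and LF. */
    static String escapeMessage(String value) {
        return value.replace("%", "%25")
                    .replace("\r", "%0D")
                    .replace("\n", "%0A");
    }

    /** Builds "::level file=...,line=...,title=...::message"; line= is omitted when beginLine is 0. */
    static String formatCommand(String level, String filePath, int beginLine, String title, String message) {
        StringBuilder sb = new StringBuilder("::").append(level)
                .append(" file=").append(escapeParam(filePath));
        if (beginLine > 0) {               // 0 means the parser could not locate the method
            sb.append(",line=").append(beginLine);
        }
        sb.append(",title=").append(escapeParam(title));
        return sb.append("::").append(escapeMessage(message)).toString();
    }

    /** "src/test/java/" + "com.acme.AuthTest" -> "src/test/java/com/acme/AuthTest.java" */
    static String sourcePath(String filePrefix, String fqcn) {
        return filePrefix + fqcn.replace('.', '/') + ".java";
    }

    /** Level selection as described for the class: warning at or above the threshold, notice otherwise. */
    static String levelFor(double aiInteractionScore) {
        return aiInteractionScore >= PLACEBO_THRESHOLD ? "warning" : "notice";
    }

    public static void main(String[] args) {
        // Constructed hostile display name: embeds a line break followed by its own
        // ::warning and ::stop-commands lines, hoping the runner will interpret them.
        String hostile = "verifies token\n::warning title=Injected::look here\n::stop-commands::xyz";

        StringWriter buf = new StringWriter();
        PrintWriter out = new PrintWriter(buf);

        // Placebo-scored test in a standard Maven layout (prefix derived from src/test/java/).
        out.println(formatCommand(levelFor(0.9),
                sourcePath("src/test/java/", "com.acme.AuthTest"),
                42, "Placebo security test: validatesToken", hostile));

        // Well-formed test whose scan root is the repo root (empty prefix) and whose
        // location is unknown (beginLine 0); the title contains ':' and ','.
        out.println(formatCommand(levelFor(0.3),
                sourcePath("", "com.acme.LoginTest"),
                0, "Security test: rejects expired, revoked tokens", "Worth reviewing"));

        out.flush();
        System.out.print(buf);
    }
}
```

Because every CR and LF in the hostile text is encoded as %0D / %0A, the whole display name stays on the one ::warning line that the emitter intended, and the embedded ::warning and ::stop-commands fragments are rendered as literal message text rather than executed by the runner. The colons and comma in the second title are encoded only because they sit in a parameter value; the same characters in a message are left alone.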