
fix: pass in folderConfig to scans, instead of deriving it. Ensures correct org is used for file scans [IDE-1671] #1119

Merged: andrewrobinsonhodges-snyk merged 36 commits into main from fix/IDE-1671_file_scans_use_wrong_folder_org, Feb 17, 2026

Conversation

andrewrobinsonhodges-snyk (Contributor) commented Jan 13, 2026

Before we had per-folder config, we used to pass in a file path and a folder path to OSS, Code and IaC scanners. The original intention was that the file path represented the file or folder to be scanned, and the folder path was used for context (i.e. which workspace are we using).

Over time this became inconsistent between the scanners, with some using the folder path for the scan target. Now that we have FolderConfigs for LDX-Sync, we can simplify this.

The path parameter is the thing to be scanned; either a single file or a folder, which may or may not be the top level of the Workspace.

The FolderConfig contains the workspace for which we should use the scan configuration (e.g. which org to use, etc.).

This means that scanning files and folders should now always use the correct org, and be consistent across IaC, OSS and Code.

Description

Provide description of this PR and changes, if linked Jira ticket doesn't cover it in full.

Checklist

  • Tests added and all succeed
  • Regenerated mocks, etc. (make generate)
  • Linted (make lint-fix)
  • README.md updated, if user-facing
  • License file updated, if new 3rd-party dependency is introduced

snyk-io Bot commented Jan 13, 2026

Snyk checks have passed. No issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| passed | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |
| passed | Licenses | 0 | 0 | 0 | 0 | 0 issues |
| passed | Code Security | 0 | 0 | 0 | 0 | 0 issues |


gemini-code-assist Bot commented:

Summary of Changes

Hello @andrewrobinsonhodges-snyk, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant refactoring to standardize how scan configurations, particularly organizational settings, are passed to and utilized by Snyk's various product scanners (Code, IaC, and Open Source). By modifying the Scan method signatures to directly accept a *types.FolderConfig object, the changes ensure that all scan operations consistently receive the necessary context. This approach eliminates the previous pattern of deriving or separately passing folder paths, leading to more robust and accurate application of organizational settings during file and folder scans.

Highlights

  • Standardized Scan Parameter Passing: The Scan method across various scanner interfaces (Scanner, ProductScanner) and their implementations (Code, IaC, OSS) now consistently accepts a *types.FolderConfig object, removing the need for separate folderPath arguments.
  • Improved Organizational Context for Scans: By directly passing folderConfig, the system ensures that file-level scans correctly inherit and utilize the appropriate organizational settings, preventing potential misconfigurations or incorrect context derivation.
  • Refactored Internal Scan Logic: Internal methods like internalScan and scanBaseBranch have been updated to align with the new Scan method signatures, simplifying parameter handling and reducing redundancy.
  • Enhanced Test Coverage: New test cases have been added to verify that the folderConfig is correctly passed and utilized by product scanners, especially for file-level scans and when different folders have distinct organizational configurations.


gemini-code-assist Bot left a comment


Code Review

This pull request refactors the scanning mechanism to pass a folderConfig object to scan functions instead of deriving it from a folder path. This is a good change that makes dependencies more explicit and aims to fix an issue with organization resolution for file scans. The changes are applied consistently across interfaces, implementations, and tests.

I've found a critical issue in domain/snyk/scanner/base_scan.go where the refactoring breaks base branch scanning for Snyk Code by causing it to scan the wrong directory. I've provided a detailed comment and a code suggestion to fix this. Other than that, the changes look solid.

Comment thread domain/snyk/scanner/base_scan.go Outdated
…narios [IDE-1671]

Add unit tests for base_scan.go delta scan logic:
- Test all products receive correct path and folderConfig
- Test Code scanner receives empty path for folder scans
- Test OSS/IaC scanners receive baseFolderPath as path
- Test original folderConfig is preserved (not modified)
- Test nil folderConfig returns error
- Test scan is skipped when snapshot exists
- Test all products use correct org from folderConfig

Add file, subfolder, and workspace scan tests for OSS:
- Test file scan uses folderConfig organization
- Test subfolder scan uses folderConfig organization
- Test workspace folder scan uses folderConfig organization
- Test delta scan base branch uses correct folderConfig

Add file, subfolder, and workspace scan tests for IaC:
- Test file scan uses folderConfig organization
- Test subfolder scan uses folderConfig organization
- Test workspace folder scan uses folderConfig organization
- Test delta scan base branch uses correct folderConfig
@andrewrobinsonhodges-snyk andrewrobinsonhodges-snyk changed the title fix: pass in folderConfig to scans, instead of deriving it. Ensures c… fix: pass in folderConfig to scans, instead of deriving it. Ensures correct org is used for file scans [IDE-1671] Jan 15, 2026
@bastiandoetsch (Collaborator) commented:

still in draft - is this intentional?

@bastiandoetsch (Collaborator) commented:

also out of date with base branch :)

Comment thread domain/snyk/scanner/base_scan_test.go Outdated

snyk-pr-review-bot commented:

PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Logic Error 🟠 [major]

The URL host construction logic in getCodeApiUrlFromFolderConfig will double the api. prefix if it is already present in the host. The regex deeproxyRegex (^(deeproxy\.)?) matches the empty string at the beginning of any string. When used with ReplaceAllString(u.Host, "api."), it always prepends api. to the host even when deeproxy. is not found. This results in invalid hosts like api.api.snyk.io for standard Snyk environments or FedRAMP, breaking connectivity. Additionally, the subsequent strings.HasPrefix check is redundant as the previous line already ensures the prefix exists (or is doubled).

u.Host = deeproxyRegex.ReplaceAllString(u.Host, "api.")
if !strings.HasPrefix(u.Host, "api.") {
	u.Host = "api." + u.Host
}
Shallow Copy 🟡 [minor]

In scanBaseBranch, the folderConfig is copied using a shallow assignment (baseScanConfig := *folderConfig). Since FolderConfig contains reference types like maps (FeatureFlags, ScanCommandConfig), any mutations performed by scanners during the base branch scan could affect the original configuration. Given that a Clone() method is available and established as a pattern in this file (visible in the removed code hunk at line 145), it should be used here to ensure proper isolation.

baseScanConfig := *folderConfig
baseScanConfig.FolderPath = baseFolderPath
// Pass baseFolderPath as pathToScan as we want to perform a full workspace scan
results, err = s.Scan(ctx, baseFolderPath, &baseScanConfig)
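The host rewrite flagged in the Logic Error finding above, reproduced as an added Go example that is not code from the project under review: hostAsReviewed mirrors the two quoted lines, and hostNormalized is an assumed corrected form that rewrites only a deeproxy. host and never doubles an existing api. prefix. The helper names, the sample hosts and the URL shape in codeAPIURL are assumptions.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// deeproxyRegex is the pattern quoted in the review; the optional group also matches the empty string at offset 0.
var deeproxyRegex = regexp.MustCompile(`^(deeproxy\.)?`)

// hostAsReviewed mirrors the two flagged lines: ReplaceAllString substitutes
// "api." for that empty match, so an "api." host becomes "api.api.".
func hostAsReviewed(host string) string {
	host = deeproxyRegex.ReplaceAllString(host, "api.")
	if !strings.HasPrefix(host, "api.") { // never true after the line above
		host = "api." + host
	}
	return host
}

// hostNormalized is an assumed corrected form: swap "deeproxy." for "api.",
// keep a host that already starts with "api.", and prefix only otherwise.
func hostNormalized(host string) string {
	switch {
	case strings.HasPrefix(host, "deeproxy."):
		return "api." + strings.TrimPrefix(host, "deeproxy.")
	case strings.HasPrefix(host, "api."):
		return host
	default:
		return "api." + host
	}
}

// codeAPIURL applies hostNormalized to a full endpoint URL (assumed shape).
func codeAPIURL(endpoint string) (string, error) {
	u, err := url.Parse(endpoint)
	if err != nil {
		return "", err
	}
	u.Host = hostNormalized(u.Host)
	return u.String(), nil
}

func main() {
	for _, h := range []string{"deeproxy.snyk.io", "api.snyk.io", "snyk.io"} { // constructed sample hosts
		fmt.Printf("%-18s reviewed=%-18s normalized=%s\n", h, hostAsReviewed(h), hostNormalized(h))
	}
}
```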
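The Shallow Copy finding above, as an added Go example (not the project's own types): a stand-in FolderConfig with the two map fields named in the review, the shallow struct copy beside a Clone-based copy, and a check showing which one lets a map write on the base-branch config leak back into the original. The field names, Clone's body and the sample values are assumptions.

```go
package main

import "fmt"

// FolderConfig stands in for types.FolderConfig; the field names are assumed from the review comment.
type FolderConfig struct {
	FolderPath        string
	FeatureFlags      map[string]bool
	ScanCommandConfig map[string]string
}

// Clone returns a deep copy: both maps are re-created so the copy owns them.
func (fc *FolderConfig) Clone() *FolderConfig {
	c := *fc
	c.FeatureFlags = make(map[string]bool, len(fc.FeatureFlags))
	for k, v := range fc.FeatureFlags {
		c.FeatureFlags[k] = v
	}
	c.ScanCommandConfig = make(map[string]string, len(fc.ScanCommandConfig))
	for k, v := range fc.ScanCommandConfig {
		c.ScanCommandConfig[k] = v
	}
	return &c
}

// baseScanConfigShallow mirrors the flagged pattern: the struct is copied, but
// both copies still point at the same underlying maps.
func baseScanConfigShallow(fc *FolderConfig, basePath string) *FolderConfig {
	base := *fc
	base.FolderPath = basePath
	return &base
}

// baseScanConfigCloned is the suggested form: Clone first, then override the path.
func baseScanConfigCloned(fc *FolderConfig, basePath string) *FolderConfig {
	base := fc.Clone()
	base.FolderPath = basePath
	return base
}

// leaksMutation reports whether a map write on the derived config is visible on the original.
func leaksMutation(derive func(*FolderConfig, string) *FolderConfig) bool {
	orig := &FolderConfig{FolderPath: "/ws", FeatureFlags: map[string]bool{}, ScanCommandConfig: map[string]string{}}
	derive(orig, "/tmp/base").FeatureFlags["mutated"] = true // constructed sample write
	return orig.FeatureFlags["mutated"]
}

func main() {
	fmt.Println("shallow leaks:", leaksMutation(baseScanConfigShallow), "| clone leaks:", leaksMutation(baseScanConfigCloned))
}
```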

@andrewrobinsonhodges-snyk andrewrobinsonhodges-snyk merged commit 35b3ed1 into main Feb 17, 2026
27 of 28 checks passed
@andrewrobinsonhodges-snyk andrewrobinsonhodges-snyk deleted the fix/IDE-1671_file_scans_use_wrong_folder_org branch February 17, 2026 19:10