You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Adds utils/httpclient package: New(opts...) factory that sets http.ProxyFromEnvironment, loads system cert pool + optional SSL_CERT_FILE custom CA bundle, and honours CODACY_CLI_INSECURE=1 (with stderr warning)
Migrates all 7 HTTP callsites (codacy-client, tools/patterns, utils/download, cmd/upload ×4, cmd/upload_sbom) to the new factory
Adds README "Proxy & TLS" section documenting the three env vars
Adds hermetic unit tests (utils/httpclient/httpclient_test.go, 9 tests, no network) and a real-life integration harness (integration-tests/proxy-tls/run.sh) using mitmproxy against app.codacy.com
OD-30 Proxy/TLS — Manual Test Results
Real cli-v2 init → mitmproxy (:8899, MITM) → real app.codacy.com.
A — proxy + custom CA (SSL_CERT_FILE=$CA)
ℹ️ No project token was specified, fetching codacy default configurations
PMD7 configuration created based on Codacy settings
...
✅ Successfully initialized Codacy configuration!
PASS — traffic through proxy, custom CA trusted, success.
B — proxy, no CA
Warning: Failed to get default patterns for : ... tls: failed to verify
certificate: x509: "app.codacy.com" certificate is not trusted
(repeated per tool)
failed to build languages config from API: ... certificate is not trusted
PASS — TLS correctly rejected MITM cert (fails loud, no insecure default).
C — proxy + CODACY_CLI_INSECURE=1
WARNING: TLS certificate verification is DISABLED (CODACY_CLI_INSECURE set)...
(repeated per HTTP call)
Runs the actual cli-v2 binary through a real mitmproxy against app.codacy.com.
Baseline confirms SSL_CERT_FILE is ignored on macOS and CODACY_CLI_INSECURE is
unimplemented; both cases flip green once OD-30 lands.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Coverage variation is the difference between the coverage for the head and common ancestor commits of the pull request branch: <coverage of head commit> - <coverage of common ancestor commit>
Diff coverage is the percentage of lines that are covered by tests out of the coverable lines that the pull request added or modified: <covered lines added or modified>/<coverable lines added or modified> * 100%
The reason will be displayed to describe this comment to others. Learn more.
Code Review
This pull request introduces a centralized HTTP client factory in utils/httpclient that honors standard proxy environment variables, supports custom CA bundles via SSL_CERT_FILE, and allows disabling TLS verification via CODACY_CLI_INSECURE. Multiple callsites across the codebase have been migrated to use this new factory. Feedback on the changes suggests optimizing the TLS configuration by only loading the system cert pool when a custom CA bundle is specified to avoid performance overhead and potential handshake failures. Additionally, it is recommended to clone http.DefaultTransport instead of creating a new transport from scratch to preserve optimized default settings such as connection pooling and HTTP/2 support.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
The reason will be displayed to describe this comment to others. Learn more.
Loading the system cert pool on every client creation even when no custom CA bundle (SSL_CERT_FILE) is specified is inefficient and can be slow on some operating systems. Furthermore, if x509.SystemCertPool() fails and no custom CA is provided, cfg.RootCAs is set to an empty cert pool, which will cause all subsequent TLS handshakes to fail instead of falling back to Go's default system verification behavior. We should only load the system cert pool and set cfg.RootCAs if a custom CA bundle path is actually configured.
Suggested change
pool, err:=x509.SystemCertPool()
iferr!=nil||pool==nil {
pool=x509.NewCertPool()
}
ifpath:=caBundlePath(); path!="" {
pemBytes, err:=os.ReadFile(path)
iferr!=nil {
returnnil, fmt.Errorf("failed to read CA bundle from %s (%s): %w", EnvCABundle, path, err)
}
if!pool.AppendCertsFromPEM(pemBytes) {
returnnil, fmt.Errorf("no valid certificates found in CA bundle %s (%s)", EnvCABundle, path)
}
}
cfg.RootCAs=pool
returncfg, nil
ifpath:=caBundlePath(); path!="" {
pool, err:=x509.SystemCertPool()
iferr!=nil||pool==nil {
pool=x509.NewCertPool()
}
pemBytes, err:=os.ReadFile(path)
iferr!=nil {
returnnil, fmt.Errorf("failed to read CA bundle from %s (%s): %w", EnvCABundle, path, err)
}
if!pool.AppendCertsFromPEM(pemBytes) {
returnnil, fmt.Errorf("no valid certificates found in CA bundle %s (%s)", EnvCABundle, path)
The reason will be displayed to describe this comment to others. Learn more.
Applied — only build the cert pool and set RootCAs when SSL_CERT_FILE is configured; otherwise leave RootCAs nil so Go uses default system verification. Avoids the empty-pool-rejects-everything failure mode.
The reason will be displayed to describe this comment to others. Learn more.
Creating a new http.Transport from scratch without cloning http.DefaultTransport or copying its configuration means you lose important default settings, such as connection pooling limits (MaxIdleConns), idle timeouts (IdleConnTimeout), TLS handshake timeouts (TLSHandshakeTimeout), and HTTP/2 support (ForceAttemptHTTP2). To preserve these optimized defaults, clone http.DefaultTransport and then apply your custom TLSClientConfig.
The reason will be displayed to describe this comment to others. Learn more.
Applied — now clone http.DefaultTransport and override only Proxy + TLSClientConfig, preserving connection pooling, idle/handshake timeouts, and HTTP/2.
…m CA (OD-30)
Address PR #205 review:
- Clone http.DefaultTransport to preserve connection pooling, idle/handshake
timeouts, and HTTP/2 instead of building a bare Transport.
- Only set tls.Config.RootCAs when SSL_CERT_FILE is configured; leave nil
otherwise so Go uses default system verification. Prevents an empty pool
(when SystemCertPool fails) from rejecting all TLS handshakes.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
…ing to file (OD-30)
Proxy/TLS warnings (and all log.Printf/log.Fatalf output) reached only the
terminal, never codacy-cli.log. Initialize now redirects Go's standard logger
to io.MultiWriter(stderr, logfile), and the CODACY_CLI_INSECURE warning is
emitted via log.Println so it lands in the file too.
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Summary
utils/httpclientpackage:New(opts...)factory that setshttp.ProxyFromEnvironment, loads system cert pool + optionalSSL_CERT_FILEcustom CA bundle, and honoursCODACY_CLI_INSECURE=1(with stderr warning)codacy-client,tools/patterns,utils/download,cmd/upload×4,cmd/upload_sbom) to the new factoryutils/httpclient/httpclient_test.go, 9 tests, no network) and a real-life integration harness (integration-tests/proxy-tls/run.sh) using mitmproxy againstapp.codacy.comOD-30 Proxy/TLS — Manual Test Results
Real cli-v2 init → mitmproxy (:8899, MITM) → real app.codacy.com.
A — proxy + custom CA (SSL_CERT_FILE=$CA)
ℹ️ No project token was specified, fetching codacy default configurations
PMD7 configuration created based on Codacy settings
...
✅ Successfully initialized Codacy configuration!
PASS — traffic through proxy, custom CA trusted, success.
B — proxy, no CA
Warning: Failed to get default patterns for : ... tls: failed to verify
certificate: x509: "app.codacy.com" certificate is not trusted
(repeated per tool)
failed to build languages config from API: ... certificate is not trusted
PASS — TLS correctly rejected MITM cert (fails loud, no insecure default).
C — proxy + CODACY_CLI_INSECURE=1
WARNING: TLS certificate verification is DISABLED (CODACY_CLI_INSECURE set)...
(repeated per HTTP call)
✅ Successfully initialized Codacy configuration!
PASS — insecure toggle works, stderr warning shown, success.
D — NO_PROXY=app.codacy.com,api.codacy.com
ℹ️ No project token was specified, fetching codacy default configurations
✅ Successfully initialized Codacy configuration!
PASS — bypassed proxy (no MITM in path), success.
Test plan
go test ./utils/httpclient/ -count=5— all 9 unit tests pass (stable)go build ./...+go vet ./...— cleanintegration-tests/proxy-tls/run.sh— all 4 cases (custom CA, no-CA-fails, insecure, no-proxy bypass) PASS with real mitmproxy → real app.codacy.comx509: certificate is not trusted; after: both PASSCloses OD-30
🤖 Generated with Claude Code