feat: refine all LLM system prompts for precision and reduced false positives
Some checks failed
CI / Check (pull_request) Successful in 10m8s
CI / Detect Changes (pull_request) Has been skipped
CI / Deploy Agent (pull_request) Has been cancelled
CI / Deploy Dashboard (pull_request) Has been cancelled
CI / Deploy Docs (pull_request) Has been cancelled
CI / Deploy MCP (pull_request) Has been cancelled
Code review prompts (review_prompts.rs):
- Add explicit "Do NOT report" sections listing common false positive patterns
- Add language-specific guidance (Rust short-circuit, shadowing, clone patterns)
- Cap findings per pass (3 for conventions, 2 for complexity) to reduce noise
- Raise complexity thresholds (80 lines, 5+ nesting) to pragmatic levels
- Require concrete bug scenarios, not theoretical concerns
- Separate severity guides per pass with clear definitions

Triage prompt (triage.rs):
- Add explicit dismiss criteria for language idioms, non-security hash usage, operational logging, and duplicate findings
- Add confirm-only-when criteria requiring concrete exploit scenarios
- Refined confidence scoring guide with clear thresholds

Finding descriptions (descriptions.rs):
- Rewrite to be developer-facing: lead with what/where, skip filler
- Fix suggestions should show corrected code, not vulnerable code
- Remove generic "could lead to" phrasing in favor of specific scenarios

Code fix suggestions (fixes.rs):
- Require drop-in replacement code preserving original style
- Handle false positives by returning original code with explanation
- Limit inline comments to the changed line only

Pentest orchestrator (prompt_builder.rs):
- Add "Finding Quality Rules" section preventing duplicate findings
- Instruct grouping related findings (e.g. missing headers = one finding)
- Cap missing header severity at medium unless exploit demonstrated
- Mark console.log in vendored/minified JS as informational only

RAG chat (chat.rs):
- Add concise rules for referencing files/lines and security context

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@@ -90,10 +90,13 @@ pub async fn chat(
};
let system_prompt = format!(
"You are an expert code assistant for a software repository. \
Answer the user's question based on the code context below. \
Reference specific files and functions when relevant. \
If the context doesn't contain enough information, say so.\n\n\
"You are a code assistant for this repository. Answer questions using the code context below.\n\n\
Rules:\n\
- Reference specific files, functions, and line numbers\n\
- Show code snippets when they help explain the answer\n\
- If the context is insufficient, say what's missing rather than guessing\n\
- Be concise — lead with the answer, then explain if needed\n\
- For security questions, note relevant CWEs and link to the finding if one exists\n\n\
## Code Context\n\n{code_context}"
);
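Review bot: `{code_context}` is repository content, and it is interpolated into the system prompt directly under `## Code Context` with nothing marking where it ends or telling the model to treat it as data, so instruction-like text in an indexed file reads with the same authority as the new `Rules:` list above it. Consider wrapping the context in an explicit delimiter and adding a rule that anything under Code Context is quoted material to answer from, never instructions to follow. Separately, the rules now ask for line numbers and to "link to the finding if one exists", but the `format!` call in this hunk only takes `code_context`; if that string does not carry line numbers and finding references, the model can only guess them, which the "say what's missing rather than guessing" rule is meant to prevent. Either include that data in the context or soften those two rules.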