add support for security insights #45

Open: mstanbCO wants to merge 6 commits into main from mstanbCO/security_insights

Conversation


@mstanbCO mstanbCO commented Feb 3, 2026

Description

  • Bug fix
  • New feature

Summary by CodeRabbit

  • New Features
    • Added CrowdStrike Identity Risk Scores integration with pagination and rate-limit awareness.
    • New "Identity Risk Score" security insight resource type showing risk score, severity, and risk factors.
    • Resources now derive display names and target users by email when available; per-identity conversion errors are continued without halting listing.


coderabbitai bot commented Feb 3, 2026

Walkthrough

Adds CrowdStrike identity protection support: a new OAuth2-backed IdentityProtectionClient (GraphQL queries, pagination, rate-limit parsing), a security insight resource type and builder, connector internal fields for credentials, and a direct OAuth2 dependency in go.mod.

Changes

Cohort / File(s) | Summary
Dependency: go.mod | Promotes golang.org/x/oauth2 v0.33.0 from indirect to direct require.
Connector core: pkg/connector/connector.go | Adds unexported fields (clientId, clientSecret, host) and registers securityInsightBuilder; updates metadata description.
Identity protection client: pkg/connector/identity_protection.go | New client with OAuth2 client-credentials flow, custom transport, GraphQL request/response models, pagination, rate-limit extraction, access validation, and public methods/types (IdentityProtectionClient, IdentityRiskData, RiskFactor).
Resource types: pkg/connector/resource_types.go | Adds resourceTypeSecurityInsight (id: "security_insight", DisplayName "Identity Risk Score", security insight trait, skip entitlements/grants annotation).
Security insight resource: pkg/connector/security_insight.go | Implements Security Insight resource listing, conversion from identity risk data to resources (targets, traits, formatting), pagination handling, rate-limit annotations, and no-op entitlements/grants.

Sequence Diagram

sequenceDiagram
    participant Connector
    participant SecurityInsight as Security Insight
    participant IdentityProtection as Identity Protection Client
    participant OAuth2 as OAuth2 Server
    participant CrowdStrike as CrowdStrike API

    Connector->>SecurityInsight: List(ctx, token)
    SecurityInsight->>IdentityProtection: GetIdentityRiskScores(ctx, pageSize, cursor)
    IdentityProtection->>OAuth2: Request token (client_id, client_secret)
    OAuth2-->>IdentityProtection: Access token
    IdentityProtection->>CrowdStrike: POST GraphQL (Bearer token)
    CrowdStrike-->>IdentityProtection: GraphQL response (entities, pageInfo, headers)
    IdentityProtection->>SecurityInsight: IdentityRiskData[], nextCursor, hasNextPage, RateLimitInfo
    loop per identity
        SecurityInsight->>SecurityInsight: Build SecurityInsight resource
    end
    SecurityInsight-->>Connector: Resources[], Annotations (RateLimitInfo)

Estimated Code Review Effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Poem

🐇 I nibble tokens, hop through the night,

OAuth2 gives wings, GraphQL sheds light,
Scores and factors shimmer in line,
Pages quilt data, rate limits align,
A rabbit cheers: insights now shine!

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.
Title check | ✅ Passed | The title 'add support for security insights' directly summarizes the main change: adding support for a new Security Insight resource type for CrowdStrike identity risk scores.
Docstring Coverage | ✅ Passed | Docstring coverage is 80.00% which is sufficient. The required threshold is 80.00%.

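The walkthrough above describes a client that runs a paginated GraphQL query under a bearer token and reads rate-limit information from the response. The Go program below is an added illustration, not code from this PR or from the connector it modifies. It assumes a token already obtained (the OAuth2 client-credentials exchange is left out), a GraphQL schema and cursor shape invented for the example, and an `X-RateLimit-Remaining` header whose name is an assumption; the CrowdStrike-like endpoint is a constructed in-process fake so everything runs offline. Two details worth seeing in working code: the rate-limit header is read before the status check, because a 429 still carries it, and a GraphQL-level error arrives as HTTP 200 with an `errors` array, which a status-only check would miss.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strconv"
)

type (
	IdentityRiskData struct { // hypothetical, trimmed stand-in for the PR's type of the same name
		ID        string  `json:"id"`
		Email     string  `json:"email"`
		RiskScore float64 `json:"riskScore"` // 0..1 as the API returns it
	}
	RateLimitInfo struct{ Remaining int } // the header name read below is an assumption
	pageInfo      struct {
		EndCursor   string `json:"endCursor"`
		HasNextPage bool   `json:"hasNextPage"`
	}
	entitiesPage struct {
		Nodes    []IdentityRiskData `json:"nodes"`
		PageInfo pageInfo           `json:"pageInfo"`
	}
	gqlResponse struct {
		Data   struct{ Entities entitiesPage `json:"entities"` } `json:"data"`
		Errors []struct{ Message string `json:"message"` }       `json:"errors"`
	}
)

// fetchPage posts one GraphQL query (illustrative schema). The rate-limit header is read before the status
// check because a 429 still carries it; GraphQL-level errors arrive as HTTP 200 plus an errors array.
func fetchPage(c *http.Client, url, token string, pageSize int, cursor string) (entitiesPage, RateLimitInfo, error) {
	body, _ := json.Marshal(map[string]interface{}{"variables": map[string]interface{}{"first": pageSize, "after": cursor},
		"query": "query($first:Int!,$after:String){entities(first:$first,after:$after){nodes{id email riskScore} pageInfo{endCursor hasNextPage}}}"})
	req, err := http.NewRequest(http.MethodPost, url, bytes.NewReader(body))
	if err != nil {
		return entitiesPage{}, RateLimitInfo{}, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Do(req)
	if err != nil {
		return entitiesPage{}, RateLimitInfo{}, err
	}
	defer resp.Body.Close()
	remaining, _ := strconv.Atoi(resp.Header.Get("X-RateLimit-Remaining"))
	rl := RateLimitInfo{Remaining: remaining}
	if resp.StatusCode != http.StatusOK {
		return entitiesPage{}, rl, fmt.Errorf("graphql endpoint returned HTTP %d", resp.StatusCode)
	}
	var out gqlResponse
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return entitiesPage{}, rl, err
	}
	if len(out.Errors) > 0 {
		return entitiesPage{}, rl, fmt.Errorf("graphql error: %s", out.Errors[0].Message)
	}
	return out.Data.Entities, rl, nil
}

// GetAllIdentityRiskScores follows endCursor until hasNextPage is false or the cursor is empty (so a
// misbehaving server cannot loop it forever); on error it returns the partial result and last rate reading.
func GetAllIdentityRiskScores(c *http.Client, url, token string, pageSize int) (all []IdentityRiskData, rl RateLimitInfo, err error) {
	var page entitiesPage
	for cursor := ""; ; cursor = page.PageInfo.EndCursor {
		if page, rl, err = fetchPage(c, url, token, pageSize, cursor); err != nil {
			return all, rl, err
		}
		all = append(all, page.Nodes...)
		if !page.PageInfo.HasNextPage || page.PageInfo.EndCursor == "" {
			return all, rl, nil
		}
	}
}

// NewFakeIdentityAPI is a constructed stand-in for the real endpoint: bearer-token check, two cursor-keyed
// pages of constructed data, a GraphQL error for an unknown cursor, and the assumed rate-limit header.
func NewFakeIdentityAPI(token string) *httptest.Server {
	pages := map[string]string{
		"":         `{"data":{"entities":{"nodes":[{"id":"u1","email":"alice@example.com","riskScore":0.82},{"id":"u2","email":"bob@example.com","riskScore":0.15}],"pageInfo":{"endCursor":"cursor-1","hasNextPage":true}}}}`,
		"cursor-1": `{"data":{"entities":{"nodes":[{"id":"u3","email":"carol@example.com","riskScore":0.55}],"pageInfo":{"endCursor":"","hasNextPage":false}}}}`,
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer "+token {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		var req struct{ Variables map[string]interface{} `json:"variables"` }
		_ = json.NewDecoder(r.Body).Decode(&req) // fake: a malformed body simply reads as page one
		w.Header().Set("X-RateLimit-Remaining", "5998")
		cursor, _ := req.Variables["after"].(string)
		if page, ok := pages[cursor]; ok {
			w.Write([]byte(page))
			return
		}
		w.Write([]byte(`{"errors":[{"message":"unknown cursor"}]}`))
	}))
}
```

`GetAllIdentityRiskScores` returns whatever pages it managed to read together with the last rate-limit reading even when it fails, which is the shape a connector needs to attach a rate-limit annotation to a partial listing; a 401 from the fake surfaces as an HTTP error and an unknown cursor as a GraphQL error, both with the header already parsed.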

@mstanbCO mstanbCO marked this pull request as ready for review February 3, 2026 23:29
@mstanbCO mstanbCO force-pushed the mstanbCO/security_insights branch from 0502d6f to bda5cae Compare February 5, 2026 18:51

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@pkg/connector/security_insight.go`:
- Around line 59-65: The comment says "format as percentage" but
identity.RiskScore is 0–1; update the conversion so the displayed value is a
percent by multiplying identity.RiskScore by 100 before formatting (refer to
identity.RiskScore and the strconv.FormatFloat call) and then pass that string
to rs.WithRiskScore when building traitOpts, or alternatively remove/adjust the
misleading comment if you do not want percentage output (affecting the
riskScoreStr creation and the rs.SecurityInsightTraitOption usage).


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
pkg/connector/connector.go (1)

39-76: ⚠️ Potential issue | 🟡 Minor

Add validation for identity protection endpoint access in Validate().

The Validate method validates access to user and role endpoints but omits the identity protection GraphQL API that securityInsightBuilder uses. If credentials lack permissions for the identity protection API, the connector passes validation but fails during sync.

Call ipClient.ValidateAccess(ctx) in the Validate method to ensure credentials have the necessary permissions for the identity protection endpoint before sync begins.

@mstanbCO mstanbCO requested a review from laurenleach February 6, 2026 00:24

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Fix all issues with AI agents
In `@pkg/connector/security_insight.go`:
- Around line 124-131: The comment above the call to
securityInsightResource(identity) is contradictory and the error is swallowed;
update the block so the comment accurately reflects behavior (either remove
"Skip identities..." and the "We still include them" contradiction if you intend
to process all identities, or implement explicit skip logic when the risk score
equals 0) and replace the silent continue with a proper log call that surfaces
the error (e.g., use the module's logger variable to call Logger.Error/Logf with
context and err before continue). Ensure you reference the
securityInsightResource(identity) call and the identity variable when adding the
log or skip logic so the change is easy to locate.
🧹 Nitpick comments (1)
pkg/connector/security_insight.go (1)

20-24: Remove unused client field.

The client field is assigned in securityInsightBuilder but never accessed by any method on this type. Only ipClient is used. Consider removing both the field and the corresponding parameter from the builder function.

♻️ Proposed fix
 type securityInsightResourceType struct {
 	resourceType *v2.ResourceType
-	client       *fClient.CrowdStrikeAPISpecification
 	ipClient     *IdentityProtectionClient
 }
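Review bot: removing `client` from `securityInsightResourceType` is right given nothing on the type reads it, but this hunk alone will not compile until the constructor stops assigning it (the builder hunk that follows) and the registration in pkg/connector/connector.go stops passing the `*fClient.CrowdStrikeAPISpecification` argument; the walkthrough says connector.go registers securityInsightBuilder, and that call site is not shown in the suggestion.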

And update the builder:

-func securityInsightBuilder(ctx context.Context, client *fClient.CrowdStrikeAPISpecification, clientID, clientSecret, host string) *securityInsightResourceType {
+func securityInsightBuilder(ctx context.Context, clientID, clientSecret, host string) *securityInsightResourceType {
 	return &securityInsightResourceType{
 		resourceType: resourceTypeSecurityInsight,
-		client:       client,
 		ipClient:     NewIdentityProtectionClient(ctx, clientID, clientSecret, host),
 	}
 }
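Review bot: the new signature `securityInsightBuilder(ctx, clientID, clientSecret, host)` needs the matching call in pkg/connector/connector.go updated in the same commit, which this suggestion does not show. Separately, `NewIdentityProtectionClient(ctx, ...)` captures the construction-time ctx inside a long-lived client; if the OAuth2 client-credentials token source is created from that ctx, later token refreshes during List will run under it, so it must be the connector's long-lived context rather than a short-lived request one.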

Comment on lines +124 to +131
// Skip identities without a risk score (value of 0 means no assessment yet)
// We still include them but they will have a risk score of "0"

resource, err := securityInsightResource(identity)
if err != nil {
// Log the error but continue processing other identities
continue
}

⚠️ Potential issue | 🟡 Minor

Fix misleading comments and add actual error logging.

Two issues in this block:

  1. Contradictory comment (lines 124-126): Says "Skip identities without a risk score" but then immediately says "We still include them." There's no skip logic—all identities are processed. Either add actual skip logic or remove the misleading comment.

  2. Silent error swallowing (lines 128-131): Comment says "Log the error" but no logging occurs. Errors are silently discarded, which masks failures and makes debugging difficult.

🐛 Proposed fix
-		// Skip identities without a risk score (value of 0 means no assessment yet)
-		// We still include them but they will have a risk score of "0"
-
 		resource, err := securityInsightResource(identity)
 		if err != nil {
-			// Log the error but continue processing other identities
+			// Log and continue - don't fail the entire sync for one bad identity
+			// Consider using a structured logger if available
+			fmt.Printf("warning: failed to create security insight resource for identity %s: %v\n", identity.PrimaryDisplayName, err)
 			continue
 		}
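Review bot: `fmt.Printf` to stdout is a weak fix for the silent `continue`: it bypasses log levels and structured fields, and the hunk does not show the `fmt` import being added. The `ctxzap` variant that follows is preferable. Whichever is chosen, consider logging a stable identifier alongside `identity.PrimaryDisplayName`: the PR description says display names are derived from email only when available, so a warning keyed on an empty or duplicated display name cannot be traced back to a specific identity.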

Or if a proper logger is available in the codebase:

 		resource, err := securityInsightResource(identity)
 		if err != nil {
-			// Log the error but continue processing other identities
+			l := ctxzap.Extract(ctx)
+			l.Warn("failed to create security insight resource",
+				zap.String("identity", identity.PrimaryDisplayName),
+				zap.Error(err))
 			continue
 		}
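Review bot: this variant is the one to commit, but it relies on `ctxzap` and `zap` imports that the hunk does not add, and on `ctx` being in scope inside the loop (the sequence diagram shows List receiving ctx, so it should be). Also consider counting conversion failures per page and returning an error when every identity on the page failed, so that a systematic problem such as a change in the response shape surfaces as a sync failure rather than a stream of warnings and zero resources.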
