refactor: Fetch GitHub PAT from Key Vault instead of ADO pipeline variable

- Added Key Vault token fetching to GitHubClient.__init__()
- Token now fetched from mariner-pipelines-kv/cblmarghGithubPRPat using Managed Identity
- Removed GITHUB_TOKEN pipeline variable dependency from YAML
- Added azure-keyvault-secrets>=4.7.0 to requirements.txt
- Single source of truth for PAT (Key Vault only)
- Falls back to environment variables for local testing

Author: abadawi591

.pipelines/prchecks/CveSpecFilePRCheck/CveSpecFilePRCheck.yml

@@ -116,22 +116,14 @@ steps:
       AZURE_CLIENT_ID: "7bf2e2c3-009a-460e-90d4-eff987a8d71d"
       # GitHub integration environment variables
       SYSTEM_ACCESSTOKEN: $(System.AccessToken)
-      # GITHUB_TOKEN: $(cblmarghGithubPRPat)
-      GITHUB_TOKEN: $(githubPrPat)
+      # GITHUB_TOKEN removed - now fetched from Key Vault in Python code
       GITHUB_REPOSITORY: $(Build.Repository.Name)
       GITHUB_PR_NUMBER: $(System.PullRequest.PullRequestNumber)
     inputs:
       targetType: inline
       script: |
         echo "🔍 Running analysis of spec files with integrated GitHub posting"
-        
-        # Debug: Check if GITHUB_TOKEN is set
-        if [ -n "$GITHUB_TOKEN" ]; then
-          TOKEN_PREFIX="${GITHUB_TOKEN:0:10}"
-          echo "✅ GITHUB_TOKEN is set (prefix: ${TOKEN_PREFIX}...)"
-        else
-          echo "❌ GITHUB_TOKEN is NOT set or empty - will fall back to SYSTEM_ACCESSTOKEN"
-        fi
+        echo "🔐 GitHub PAT will be fetched from Key Vault: mariner-pipelines-kv/cblmarghGithubPRPat"
         
         cd .pipelines/prchecks/CveSpecFilePRCheck
         chmod +x run-pr-check.sh

.pipelines/prchecks/CveSpecFilePRCheck/GENERATE_BOT_PAT.md

@@ -0,0 +1,222 @@
+# Generate New GitHub PAT for CBL-Mariner-Bot
+
+## Background
+The current GitHub Personal Access Token (PAT) for the CBL-Mariner-Bot account has expired. This token is used by:
+1. **Azure DevOps Pipeline** - To post initial antipattern detection comments on PRs
+2. **Azure Function** - To add labels and post challenge-related updates
+
+## Impact of Expired Token
+- PR checks fail with `401 Bad credentials` errors
+- No automated comments on PRs for antipattern detection
+- RADAR system cannot post detection reports or labels
+
+## Steps to Generate New PAT
+
+### 1. Log into CBL-Mariner-Bot Account
+- Go to https://github.com/login
+- Sign in with CBL-Mariner-Bot credentials
+- **Contact:** Team admin or whoever manages the bot account credentials
+
+### 2. Navigate to PAT Settings
+- Click on your profile picture (top-right corner)
+- Go to **Settings** → **Developer settings** (bottom of left sidebar)
+- Click **Personal access tokens** → **Tokens (classic)**
+  - URL: https://github.com/settings/tokens
+
+### 3. Generate New Token
+Click **"Generate new token"** → **"Generate new token (classic)"**
+
+### 4. Configure Token Settings
+
+**Token Name:** (Recommended)
+```
+Azure DevOps Pipeline - PR Checks & RADAR
+```
+
+**Expiration:** (Choose one)
+- ✅ **Recommended:** `No expiration` (for production stability)
+- Alternative: `1 year` (requires annual renewal)
+
+**Scopes:** (Select these checkboxes)
+- ✅ **repo** (Full control of private repositories)
+  - This includes:
+    - `repo:status` - Commit status
+    - `repo_deployment` - Deployment status
+    - `public_repo` - Public repositories
+    - `repo:invite` - Repository invitations
+- ✅ **workflow** (Update GitHub Action workflows)
+
+**Other scopes:** Leave unchecked
+
+### 5. Generate and Copy Token
+- Scroll to bottom and click **"Generate token"**
+- ⚠️ **CRITICAL:** Copy the token immediately - you won't see it again!
+- Token format: `ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx` (40 characters)
+
+### 6. Verify Token (Optional but Recommended)
+Test the token works:
+```bash
+curl -H "Authorization: token YOUR_NEW_TOKEN_HERE" https://api.github.com/user
+```
+
+Expected output:
+```json
+{
+  "login": "CBL-Mariner-Bot",
+  "type": "User",
+  ...
+}
+```
+
+If you see `"message": "Bad credentials"`, the token is invalid.
+
+---
+
+## Updating the Token in Azure
+
+After generating the new token, it must be updated in **TWO** locations:
+
+### Location 1: Azure Key Vault (for Azure Function)
+**Key Vault Name:** `mariner-pipelines-kv`  
+**Secret Name:** `cblmarghGithubPRPat`
+
+**Update via Azure CLI:**
+```bash
+az keyvault secret set \
+  --vault-name mariner-pipelines-kv \
+  --name cblmarghGithubPRPat \
+  --value "ghp_YOUR_NEW_TOKEN_HERE"
+```
+
+**Update via Azure Portal:**
+1. Go to https://portal.azure.com
+2. Search for `mariner-pipelines-kv`
+3. Go to **Secrets** (left sidebar)
+4. Click on `cblmarghGithubPRPat`
+5. Click **"+ New Version"**
+6. Paste new token value
+7. Click **"Create"**
+
+### Location 2: Azure DevOps Pipeline Variables (for PR Check Pipeline)
+
+You need to update **BOTH** of these variables (they should have the same value):
+- `cblmarghGithubPRPat`
+- `githubPrPat`
+
+**Update via Azure DevOps UI:**
+1. Go to your Azure DevOps project
+2. Navigate to **Pipelines** → **Library**
+3. Find the variable group OR go to the specific pipeline settings
+4. Update both variable values with the new token
+5. ✅ Check "Keep this value secret" (lock icon)
+6. Click **Save**
+
+**Alternative: Update via Pipeline YAML (Not Recommended for Secrets)**
+- Better to use UI to keep tokens encrypted
+
+---
+
+## Verification Steps
+
+### 1. Verify Key Vault Update
+```bash
+az keyvault secret show \
+  --vault-name mariner-pipelines-kv \
+  --name cblmarghGithubPRPat \
+  --query "value" -o tsv | head -c 10
+```
+Expected: `ghp_XXXXXX` (first 10 chars of new token)
+
+### 2. Verify Azure Function
+- Go to Azure Portal → Function App `radarfunc`
+- The function will automatically pick up the new token from Key Vault
+- No restart needed (uses DefaultAzureCredential)
+
+### 3. Verify Pipeline
+- Trigger a test PR check pipeline run
+- Check logs for: `✅ GITHUB_TOKEN is set (prefix: ghp_XXXXXX...)`
+- Verify the prefix matches your NEW token (not `ghp_4qL6t6...`)
+
+### 4. End-to-End Test
+- Create a test PR with an antipattern (e.g., far-future CVE year)
+- Verify bot posts initial comment ✅
+- Verify labels are added ✅
+- Verify no 401 errors ❌
+
+---
+
+## Troubleshooting
+
+### Issue: "Bad credentials" Error
+**Cause:** Token may not be authorized for Microsoft organization
+
+**Solution:**
+1. Go to https://github.com/settings/tokens
+2. Find your new token in the list
+3. Click **"Configure SSO"** next to it
+4. Click **"Authorize"** next to `microsoft` organization
+5. Confirm authorization
+
+### Issue: "Resource not found" Error
+**Cause:** Missing required scopes
+
+**Solution:**
+- Regenerate token with `repo` and `workflow` scopes
+- Delete old token to avoid confusion
+
+### Issue: Pipeline still uses old token
+**Cause:** Variable not updated in correct location
+
+**Solution:**
+- Check BOTH pipeline variables: `cblmarghGithubPRPat` AND `githubPrPat`
+- Verify both have the NEW token value
+- Check pipeline YAML uses correct variable name (line 120)
+
+---
+
+## Security Best Practices
+
+✅ **DO:**
+- Use "No expiration" for production stability
+- Enable SSO authorization for Microsoft org
+- Store in Key Vault (encrypted at rest)
+- Mark as secret in Azure DevOps
+- Document token purpose and location
+- Test token before deploying
+
+❌ **DON'T:**
+- Commit token to git repository
+- Share token in chat/email
+- Use personal account token for bot operations
+- Store in plain text files
+- Reuse tokens across multiple systems
+
+---
+
+## Contact Information
+
+**If you need help:**
+- Primary contact: [Your team lead or admin name]
+- Bot account owner: [Whoever manages CBL-Mariner-Bot credentials]
+- Azure subscription owner: [Person with Key Vault access]
+
+**Current Status (as of October 24, 2025):**
+- ❌ Old token: `ghp_4qL6t6...` - EXPIRED
+- ⏳ New token: Waiting for generation
+- 🔄 Temporary workaround: Using personal token (not recommended for production)
+
+---
+
+## After Token Update
+
+Once the new token is generated and deployed:
+
+1. ✅ Test with a PR check run
+2. ✅ Update this document with generation date
+3. ✅ Set calendar reminder for renewal (if not "no expiration")
+4. ✅ Delete old token from GitHub settings
+5. ✅ Notify team that system is operational
+
+**Generated by:** [Your name]  
+**Date:** October 24, 2025  
+**Last Updated:** October 24, 2025

.pipelines/prchecks/CveSpecFilePRCheck/GitHubClient.py

@@ -19,10 +19,59 @@
 from typing import Dict, List, Any, Optional
 from AntiPatternDetector import Severity
 
+# Azure Key Vault imports
+try:
+    from azure.identity import DefaultAzureCredential
+    from azure.keyvault.secrets import SecretClient
+    KEY_VAULT_AVAILABLE = True
+except ImportError:
+    KEY_VAULT_AVAILABLE = False
+    logging.warning("Azure Key Vault SDK not available - will use environment variables only")
+
 # Configure logging
 logging.basicConfig(level=logging.INFO)
 logger = logging.getLogger("github-client")
 
+def fetch_github_token_from_keyvault() -> Optional[str]:
+    """
+    Fetch GitHub PAT from Azure Key Vault using Managed Identity.
+    
+    Returns:
+        str: GitHub PAT token from Key Vault, or None if unavailable
+    """
+    if not KEY_VAULT_AVAILABLE:
+        logger.warning("⚠️ Azure Key Vault SDK not available - skipping Key Vault token fetch")
+        return None
+    
+    try:
+        # Configuration from security-config-dev.json
+        vault_name = "mariner-pipelines-kv"
+        secret_name = "cblmarghGithubPRPat"
+        vault_url = f"https://{vault_name}.vault.azure.net"
+        
+        logger.info(f"🔐 Fetching GitHub PAT from Key Vault: {vault_name}/{secret_name}")
+        
+        # Use DefaultAzureCredential (will use Managed Identity in pipeline)
+        credential = DefaultAzureCredential()
+        secret_client = SecretClient(vault_url=vault_url, credential=credential)
+        
+        # Fetch the secret
+        secret = secret_client.get_secret(secret_name)
+        token = secret.value
+        
+        if token and token.strip():
+            token_prefix = token[:10] if len(token) >= 10 else token
+            logger.info(f"✅ Successfully fetched GitHub PAT from Key Vault (prefix: {token_prefix}...)")
+            return token
+        else:
+            logger.warning("⚠️ Key Vault secret is empty")
+            return None
+            
+    except Exception as e:
+        logger.warning(f"⚠️ Failed to fetch token from Key Vault: {e}")
+        logger.warning("   Will fall back to environment variables")
+        return None
+
 class CheckStatus(Enum):
     """GitHub Check API status values"""
     SUCCESS = "success"      # All good, everything passes
@@ -37,29 +86,38 @@ class GitHubClient:
     """Client for interacting with GitHub API for PR checks and comments"""
 
     def __init__(self):
-        """Initialize the GitHub client using environment variables for auth"""
-        # Try multiple token environment variables in order of preference
-        token_vars = [
-            "GITHUB_TOKEN",  # Prioritize CBL-Mariner bot PAT from key vault
-            "SYSTEM_ACCESSTOKEN",  # Fall back to Azure DevOps OAuth token
-            "GITHUB_ACCESS_TOKEN",
-            "AZDO_GITHUB_TOKEN"
-        ]
-        
+        """Initialize the GitHub client using Key Vault or environment variables for auth"""
         self.token = None
-        for var in token_vars:
-            token_value = os.environ.get(var, "")
-            # Only use non-empty tokens
-            if token_value and token_value.strip():
-                self.token = token_value
-                token_prefix = token_value[:10] if len(token_value) >= 10 else token_value
-                logger.info(f"✅ Using {var} for GitHub authentication (prefix: {token_prefix}...)")
-                break
-            elif var in os.environ:
-                logger.warning(f"⚠️ {var} is set but empty - skipping")
+        
+        # FIRST: Try to fetch token from Azure Key Vault (single source of truth)
+        logger.info("🔐 Attempting to fetch GitHub PAT from Key Vault...")
+        kv_token = fetch_github_token_from_keyvault()
+        if kv_token:
+            self.token = kv_token
+            logger.info("✅ Using GitHub PAT from Key Vault")
+        else:
+            # FALLBACK: Try environment variables (for local testing or when Key Vault unavailable)
+            logger.info("⚠️ Key Vault token not available, trying environment variables...")
+            token_vars = [
+                "GITHUB_TOKEN",  # Explicit GitHub token
+                "SYSTEM_ACCESSTOKEN",  # Azure DevOps OAuth token
+                "GITHUB_ACCESS_TOKEN",
+                "AZDO_GITHUB_TOKEN"
+            ]
+            
+            for var in token_vars:
+                token_value = os.environ.get(var, "")
+                # Only use non-empty tokens
+                if token_value and token_value.strip():
+                    self.token = token_value
+                    token_prefix = token_value[:10] if len(token_value) >= 10 else token_value
+                    logger.info(f"✅ Using {var} for GitHub authentication (prefix: {token_prefix}...)")
+                    break
+                elif var in os.environ:
+                    logger.warning(f"⚠️ {var} is set but empty - skipping")
 
         if not self.token:
-            logger.error("❌ No valid GitHub token found in environment variables")
+            logger.error("❌ No valid GitHub token found in Key Vault or environment variables")
 
         # Get repository details from environment variables
         self.repo_name = os.environ.get("GITHUB_REPOSITORY", "")  # Format: owner/repo

.pipelines/prchecks/CveSpecFilePRCheck/requirements.txt

@@ -1,4 +1,5 @@
 openai>=1.63.0
 azure-identity>=1.15.0
 azure-storage-blob>=12.19.0
+azure-keyvault-secrets>=4.7.0
 requests>=2.25.0