
Releases: marshallguillory86/secure-code-agent

v0.2.0 — Tier-2 scanners (Trivy, Checkov, Hadolint, OSV, TruffleHog, Scorecard)

13 May 17:19
6e88af9


What's new

v0.2 ships the six Tier-2 scanners promised in the v0.1 roadmap — full adapters with standards mappings and mocked-subprocess test coverage.

Six new scanner adapters

  • Trivy — containers / filesystem / IaC scanning. SARIF-native; output auto-routed into dependencies / config_iac / secrets by rule-id prefix.
  • Checkov — IaC misconfig across Terraform / CloudFormation / Helm / k8s / Dockerfile.
  • Hadolint — Dockerfile lint with 12 security-relevant rules carrying specific severities (DL3002 USER root → HIGH, DL3025 shell-form CMD → MEDIUM, SC2086 unquoted variable → MEDIUM, etc.).
  • OSV-Scanner — multi-ecosystem SCA via osv.dev. Overlaps pip-audit + npm-audit by design; canonical fingerprint dedupes across all three.
  • TruffleHog — verified secret scanning. Defaults to --only-verified (live-confirmed). Verified → CRITICAL; unverified (opt-in) → HIGH.
  • OpenSSF Scorecard — repo + supply-chain hygiene. Special-cased to operate against a remote GitHub URL (auto-detected via git remote get-url origin). Score → severity mapping built in (<3 → HIGH, <7 → MEDIUM, <10 → LOW, 10 → no finding).
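The OSV-Scanner bullet above relies on a canonical fingerprint so that one advisory reported by pip-audit, npm-audit and osv-scanner under different ids collapses to a single finding. The following is an added illustration of that idea, not the project's own code: the `Finding` shape, the id preference order (CVE over GHSA over PYSEC), the PEP 503 name normalisation and all package names, versions and vulnerability ids are constructed assumptions for the example.

```python
"""Added example: one canonical fingerprint for an advisory reported by several SCA scanners.

Illustrative code, not the secure-code-agent implementation. Package names, versions
and vulnerability ids below are constructed sample data, not real advisories.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field, replace

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1, "INFORMATIONAL": 0}
# Preference order when a finding carries several ids for the same advisory (assumed).
ID_PRIORITY = ("CVE-", "GHSA-", "PYSEC-")


@dataclass
class Finding:
    scanner: str
    ecosystem: str
    package: str
    version: str
    vuln_id: str
    aliases: tuple[str, ...] = ()
    severity: str = "MEDIUM"
    sources: set[str] = field(default_factory=set)


def normalize_package(ecosystem: str, name: str) -> str:
    """Normalise package names so 'Example_Pkg' and 'example-pkg' collide."""
    name = name.strip().lower()
    if ecosystem.lower() == "pypi":
        # PEP 503: runs of '-', '_' and '.' are equivalent in PyPI project names.
        name = re.sub(r"[-_.]+", "-", name)
    return name


def canonical_vuln_id(ids) -> str:
    """Pick one id for an advisory: CVE over GHSA over PYSEC over anything else."""
    cleaned = sorted({i.strip().upper() for i in ids if i and i.strip()})
    for prefix in ID_PRIORITY:
        for candidate in cleaned:
            if candidate.startswith(prefix):
                return candidate
    return cleaned[0]


def fingerprint(f: Finding) -> tuple[str, str, str, str]:
    """Scanner-independent key: ecosystem, normalised package, version, canonical id."""
    return (
        f.ecosystem.lower(),
        normalize_package(f.ecosystem, f.package),
        f.version.strip(),
        canonical_vuln_id((f.vuln_id, *f.aliases)),
    )


def dedupe(findings) -> list[Finding]:
    """Merge findings that share a fingerprint: keep the highest severity and the union of scanners."""
    merged: dict[tuple[str, str, str, str], Finding] = {}
    for f in findings:
        key = fingerprint(f)
        if key not in merged:
            merged[key] = replace(f, vuln_id=key[3], sources=set())
        m = merged[key]
        m.sources.add(f.scanner)
        if SEVERITY_RANK.get(f.severity, 0) > SEVERITY_RANK.get(m.severity, 0):
            m.severity = f.severity
    return list(merged.values())


# Constructed sample: the same PyPI advisory seen by pip-audit and osv-scanner under
# different ids and name spellings, plus one npm advisory seen by npm-audit and osv-scanner.
SAMPLE = [
    Finding("pip-audit", "PyPI", "Example_Pkg", "1.2.0", "PYSEC-2099-0001", ("CVE-2099-0001",), "HIGH"),
    Finding("osv-scanner", "PyPI", "example-pkg", "1.2.0", "GHSA-xxxx-yyyy-zzzz",
            ("CVE-2099-0001", "PYSEC-2099-0001"), "MEDIUM"),
    Finding("npm-audit", "npm", "example-lib", "4.0.1", "GHSA-aaaa-bbbb-cccc", (), "LOW"),
    Finding("osv-scanner", "npm", "example-lib", "4.0.1", "GHSA-aaaa-bbbb-cccc", (), "LOW"),
]

if __name__ == "__main__":
    for f in dedupe(SAMPLE):
        print(f.vuln_id, f.package, f.version, f.severity, sorted(f.sources))
```

The point of keying on the canonical id rather than the scanner's own id is that the merged finding remembers every scanner that saw it (`sources`) while the gate only counts it once; severity is taken as the maximum across scanners so a lower rating from one tool never masks a higher one.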

Standards mappings

New (scanner, rule_id) → CWE/OWASP/ASVS/SSDF entries for all six scanners. Scorecard checks get per-check mappings for Branch-Protection (CWE-732), Signed-Releases (CWE-345), Pinned-Dependencies (CWE-829), Token-Permissions (CWE-272), Security-Policy (CWE-1059), Dangerous-Workflow (CWE-94), plus a wildcard fallback.

Refactors (dogfooding maintainability-agent)

  • scoring.evaluate_gates() extracted into per-gate evaluators — cognitive complexity 17 → 8.
  • sarif.ingest() decomposed into 5 helpers — cognitive complexity 38 → 4 in the top-level function.

Fixes

  • owasp_url(owasp_id) now generates a deep-link to the specific Top-10 bucket (A03_2021-Injection/) instead of always returning the index URL.
  • fail_on_new gate no longer trips on INFORMATIONAL findings (e.g. tool-unavailable notices). Those are awareness signals, not security defects.

Install

pip install --upgrade secure-code-agent

# Run an audit
secure-code-agent --config secure-code-agent.json \
  --fail-on-gate \
  --output secure-code-report.md \
  --sarif-output secure-code.sarif \
  --prompt-output secure-code-remediation-prompt.md

Tests + dogfood

  • 76 tests pass (was 61). 15 new in tests/unit/test_tier2_scanners.py.
  • Self-audit: 5.00 / 5.0 (A+) · gate PASS.

Compatibility

No breaking changes. CLI surface, config schema, and output formats are identical to 0.1.0. New scanners are controlled by scanners.<name>.enabled (default true when the binary is on PATH; otherwise the adapter emits a tool_unavailable informational finding instead of failing the run).
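Two behaviours above interact: a scanner whose binary is missing emits a tool_unavailable INFORMATIONAL finding (Compatibility), and the fail_on_new gate no longer trips on INFORMATIONAL findings (Fixes). The following added example, not the project's own code, shows both sides together; the scanner list and the tool_unavailable rule id follow this release note, while the `binary` config key, the `Finding` shape, the baseline fingerprint and the injectable `which` lookup are assumptions made for the example.

```python
"""Added example: scanner availability notices and a fail_on_new gate that ignores INFORMATIONAL.

Illustrative code, not the secure-code-agent implementation. Config keys other than
scanners.<name>.enabled, and the Finding/baseline shapes, are assumptions.
"""
from __future__ import annotations

import shutil
from dataclasses import dataclass
from typing import Callable, Iterable, Optional

# Tier-2 scanners named in this release; binary names assumed to match the CLI names.
TIER2 = ("trivy", "checkov", "hadolint", "osv-scanner", "trufflehog", "scorecard")


@dataclass(frozen=True)
class Finding:
    scanner: str
    rule_id: str
    severity: str  # CRITICAL / HIGH / MEDIUM / LOW / INFORMATIONAL
    message: str

    def fingerprint(self) -> tuple[str, str, str]:
        """Assumed baseline key used to decide whether a finding is 'new'."""
        return (self.scanner, self.rule_id, self.message)


def resolve_scanner(
    name: str, config: dict, which: Callable[[str], Optional[str]] = shutil.which
) -> tuple[bool, Optional[Finding]]:
    """Return (should_run, notice). 'which' is injectable so the check runs offline in tests."""
    cfg = config.get("scanners", {}).get(name, {})
    binary = cfg.get("binary", name)  # assumed override key
    if not cfg.get("enabled", True):  # explicit opt-out wins, no notice emitted
        return False, None
    if which(binary) is None:
        # Missing tool is an awareness signal, not a security defect: INFORMATIONAL.
        return False, Finding(name, "tool_unavailable", "INFORMATIONAL",
                              f"{binary} not found on PATH; scanner skipped")
    return True, None


def plan_run(config: dict, which: Callable[[str], Optional[str]] = shutil.which):
    """Split the Tier-2 set into scanners to execute and tool_unavailable notices."""
    to_run: list[str] = []
    notices: list[Finding] = []
    for name in TIER2:
        run, notice = resolve_scanner(name, config, which)
        if run:
            to_run.append(name)
        if notice is not None:
            notices.append(notice)
    return to_run, notices


def evaluate_fail_on_new(findings: Iterable[Finding], baseline: set) -> tuple[bool, list[Finding]]:
    """Gate passes unless a finding is both absent from the baseline and above INFORMATIONAL."""
    new = [
        f for f in findings
        if f.severity != "INFORMATIONAL" and f.fingerprint() not in baseline
    ]
    return len(new) == 0, new


if __name__ == "__main__":
    to_run, notices = plan_run({}, shutil.which)
    print("running:", to_run)
    for n in notices:
        print(n.severity, n.scanner, n.rule_id, n.message)
    print("gate:", "PASS" if evaluate_fail_on_new(notices, set())[0] else "FAIL")
```

Keeping the availability notice at INFORMATIONAL and filtering on severity in the gate means a CI runner without, say, scorecard installed still reports the gap in the report while the exit code reflects only real defects; anything HIGH or above that is not in the baseline still fails the gate.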

Full changelog: https://github.com/marshallguillory86/secure-code-agent/blob/main/CHANGELOG.md