feat: detector precision, monorepo discovery, CI gate + honest docs restructure #22
Merged
… CI gate
- XML_XXE now fires only on explicitly insecure entity configuration (the old lazy-dot lookahead matched every XML parser mention, including the entity-free browser DOMParser); precision corpus extended with safe/insecure XXE pairs
- scanner discovers config/dep/BaaS files recursively (monorepo-aware), runs one parallel glob walk per category, /-normalizes paths, and detects frameworks from ALL workspace manifests
- CLI: strict parseArgs (mistyped flags abort instead of silently changing the audit), --version, and a --fail-on <severity> CI gate
- tools: --tool-timeout and --semgrep-config (local rules, metrics off); timeouts are reported as timeouts, not generic unavailability
- consolidation: single sanitizeAgentName module (was 3 copies), shared extension/language maps (fixes *.pyw missing Python rules), single content split per file in the detector
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
*_security.sarif, *_local-dast-report*.html, *_local-dast-findings*.md, and *_db-dump-guide.html now match the existing stray-copy patterns. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
SKILL.md drops from 1948 to ~250 lines: engine-first execution workflow (run the CLI; never handcraft reports), consolidated core rules, and an explicit no-fabricated-metrics rule (the engine computes no ASVS percentages, SLSA levels, or per-article compliance verdicts). DAST-CONFIRMED is documented as a reserved label the built-in probe never emits, and dotnet build is no longer listed as a scanner. Checklists, compliance tables, tooling commands, the subagent protocol, and report anatomy move to csreview/reference/*.md (shipped in the npm package, loaded on demand). README is rebuilt as an honest landing page (orchestration + corroboration + evidence layer, with an explicit limits section) and keeps the verbatim SKILL.md mirror. The doc-honesty contracts in analysis.test.js now assert across README + SKILL.md + reference/*. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
The exact-version pin broke CI on every release bump (this PR's bump to 0.1.4 included) without protecting anything; the semver-shape assertion keeps the metadata contract. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Runs CSReview against its own repository on every PR (Semgrep installed, update check skipped) and fails the build when HIGH/CRITICAL findings remain — exercising the new CI gate end to end. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Summary
Engine/CLI hardening and a documentation restructure so the project presents itself as what it is: an orchestration, corroboration, and evidence layer for local security review — complementing Semgrep and the other scanners, never replacing them.
Engine & CLI
- .*?(?!...) lookahead was always satisfiable, so ANY mention of an XML parser (including the entity-free browser DOMParser) produced a CRITICAL false positive — empirically proven, then rewritten to fire only on explicitly insecure entity configuration (noent: true, resolve_entities=True, LIBXML_NOENT, DtdProcessing.Parse, ...). Audited all 9 lookahead patterns; the other 8 are positionally correct. Precision corpus extended with safe/insecure XXE pairs.
- **/), so apps/*/.env, services/*/Dockerfile, nested package.json/firestore.rules are scanned; one parallel glob walk per category (was ~87 sequential walks); /-normalized paths; frameworks detected from ALL workspace manifests.
- node:util parseArgs — a mistyped flag (--basline) now aborts instead of silently running without the baseline. New --version and --fail-on <severity> (exit 1 when findings at/above the level remain → CI gate to pair with the SARIF output).
- --tool-timeout <s> (timeouts reported as timeouts, with the knob named, instead of generic "unavailable") and --semgrep-config <ref> for local/air-gapped rules (adds --metrics=off).
- sanitizeAgentName module (was 3 drifting copies), shared extension/language maps (fixes *.pyw never getting Python rules), single content split per file in the detector.
CI
Documentation honesty
- ASVS Coverage %, SLSA Level, and per-article compliance PASS/FAIL that the engine does not compute. DAST-CONFIRMED is documented as a reserved label the built-in probe never emits; dotnet build is no longer listed as a security scanner.
- csreview/reference/*.md (shipped in the package, loaded on demand — agents stop paying ~2k lines of context per invocation).
- analysis.test.js now assert across README + SKILL.md + reference/*.
Test plan
- npm run lint + npm run typecheck clean
- --fail-on high → exit 0; --fail-on low → exit 1 (gate verified in both directions)
🤖 Generated with Claude Code
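The lookahead defect described under Engine & CLI above, shown as an added example that is not part of this PR or of CSReview's code. Both regexes are hypothetical reconstructions of the two rule shapes (lazy dot plus negative lookahead, versus explicit insecure settings), and the corpus lines are constructed.

```javascript
// Added example: both patterns are hypothetical reconstructions for illustration,
// not CSReview's actual XML_XXE rule. All sample lines are constructed.

// Flawed shape: parser mention, lazy dot, negative lookahead for a "safe" marker.
// `.*?` may consume zero characters, so the lookahead is tried right after the
// parser name; if a marker did start there, `.*?` would simply advance one
// character and retry. The veto can practically never fire.
const FLAWED_XXE =
  /\b(?:DOMParser|XMLParser|parseXml|loadXML|XmlReaderSettings)\b.*?(?!noent\s*:\s*false|resolve_entities\s*=\s*False)/;

// Precise shape: match only explicitly insecure entity configuration
// (the settings named in the PR description).
const PRECISE_XXE =
  /\bnoent\s*:\s*true\b|\bresolve_entities\s*=\s*True\b|\bLIBXML_NOENT\b|\bDtdProcessing\.Parse\b/;

// Constructed precision corpus: safe and insecure lines, labelled by hand.
const CORPUS = [
  { insecure: false, line: 'const doc = new DOMParser().parseFromString(xml, "text/xml");' },
  { insecure: false, line: 'const doc = libxmljs.parseXml(xml, { noent: false });' },
  { insecure: true,  line: 'const doc = libxmljs.parseXml(xml, { noent: true });' },
  { insecure: false, line: 'parser = etree.XMLParser(resolve_entities=False)' },
  { insecure: true,  line: 'parser = etree.XMLParser(resolve_entities=True)' },
  { insecure: true,  line: '$doc->loadXML($xml, LIBXML_NOENT);' },
  { insecure: true,  line: 'var s = new XmlReaderSettings { DtdProcessing = DtdProcessing.Parse };' },
];

// Score a detector pattern against the labelled corpus.
function evaluate(pattern, corpus = CORPUS) {
  const falsePositives = [];
  const falseNegatives = [];
  for (const { insecure, line } of corpus) {
    const hit = pattern.test(line); // no /g flag, so test() keeps no state
    if (hit && !insecure) falsePositives.push(line);
    if (!hit && insecure) falseNegatives.push(line);
  }
  return { falsePositives, falseNegatives };
}

console.log('flawed :', evaluate(FLAWED_XXE));
console.log('precise:', evaluate(PRECISE_XXE));
```

The flawed shape flags every safe line in the corpus, including the one that sets the safe marker explicitly, which is why a labelled safe/insecure corpus catches this class of rule defect where a positive-only test suite does not.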