Skip to content

release: v0.5.0 (M.A.R.I.A policy import + risk model, HTML report, security hardening)#11

Merged
cassiodeveloper merged 1 commit into
mainfrom
release/v0.5.0
Jul 7, 2026
Merged

release: v0.5.0 (M.A.R.I.A policy import + risk model, HTML report, security hardening)#11
cassiodeveloper merged 1 commit into
mainfrom
release/v0.5.0

Conversation

@cassiodeveloper

Copy link
Copy Markdown
Owner

SecScore v0.5.0

Closes out the in-flight work as a single release: M.A.R.I.A policy import + risk-score model, optional HTML report, three security hardenings, and reporting fixes/repo hygiene.

Added

  • M.A.R.I.A policy import (--maria-import-policy, --maria-policy-url) — sync repository risk policy before scoring.
  • maria_riskscore_v1 risk-score model: risk weights, application context, risk profile multipliers (mirrors C# MidpointRounding.AwayFromZero).
  • HTML report (--html-output true / --html-out) generated from the standard JSON, plus GitHub Action inputs html_output / html_out.
  • Console entry point: secscore pr ....

Changed / Fixed

  • PR comment renderer now honors the policy reporting block (max_findings_in_comment, max_reasons, include_fields) instead of hardcoded 5/3 defaults.
  • include_fields is now actually applied to finding lines (was a dead parameter).

Security

  • SSRF hardening on M.A.R.I.A requests: scheme/credential validation, block private/loopback/reserved targets, explicit opt-in (SECSCORE_ALLOW_PRIVATE_MARIA_URLS=true) for local URLs.
  • Path traversal hardening: CLI and SARIF inputs confined to the workspace / approved CI roots.
  • Action injection hardening: input interpolation moved to env vars + quoted Bash arg arrays.
  • Markdown injection hardening in the PR comment: escape untrusted titles/paths/metadata, percent-encode link targets.

Repository

  • Version bumped to 0.5.0 (pyproject.toml + secscore.__version__, previously mismatched).
  • .gitattributes enforcing LF (keeps the composite action's Bash valid on Linux runners).
  • Ignored generated artifacts (secscore-report.html, runtime policy/policy-maria.yml, tmp-*); stopped tracking tmp-result.json.

Decision model

Unchanged. All changes are scoring-neutral (M.A.R.I.A model is opt-in via policy) or presentation/hygiene only — PASS/REVIEW/FAIL logic in engine.py is untouched.

Validation

  • python -m unittest discover -s tests -p "test_*.py"17/17 OK (11 existing + 6 new reporting tests).
  • End-to-end CLI run verified against fixtures.

Post-merge

  • Tag v0.5.0 on the merge commit.

🤖 Generated with Claude Code

…ecurity hardening)

Added
- M.A.R.I.A policy import (--maria-import-policy, --maria-policy-url) and
  maria_riskscore_v1 risk-score model (weights, application context, risk profile).
- Optional self-contained HTML report (--html-output / --html-out) and matching
  GitHub Action inputs.
- Console entry point `secscore pr ...`.

Changed / Fixed
- PR comment renderer now honors the policy `reporting` block
  (max_findings_in_comment, max_reasons, include_fields) instead of fixed defaults;
  include_fields is now actually applied to finding lines.

Security
- SSRF hardening on M.A.R.I.A outbound requests (scheme/credential checks, block
  private/reserved targets, explicit opt-in for local URLs).
- Path-access hardening for CLI and SARIF inputs (confined to workspace/CI roots).
- Composite action hardened against injection (env-var interpolation + quoted arg arrays).
- PR comment hardened against Markdown injection from untrusted scanner output
  (escaping + percent-encoded link targets).

Repository
- Bumped version to 0.5.0 (pyproject + secscore.__version__).
- Added .gitattributes (LF) and ignored generated artifacts; stopped tracking tmp-result.json.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@sonarqubecloud

sonarqubecloud Bot commented Jul 7, 2026

Copy link
Copy Markdown

Quality Gate Failed Quality Gate failed

Failed conditions
C Security Rating on New Code (required ≥ A)

See analysis details on SonarQube Cloud

Catch issues before they fail your Quality Gate with our IDE extension SonarQube for IDE

Comment on lines +36 to +41
response = requests.get(
resolved_policy_url,
params={"repositoryId": repository_id},
headers=headers,
timeout=timeout,
)
Comment thread secscore/cli/main.py
value = os.getenv(env_name)
if value:
try:
roots.append(Path(value).expanduser().resolve())
Comment thread secscore/cli/main.py
raise ValueError(f"{label} path is required")

base_dir = Path.cwd().resolve()
raw_path = Path(str(value).strip()).expanduser()
@cassiodeveloper

Copy link
Copy Markdown
Owner Author

Logo
Checkmarx One – Scan Summary & Details9a9f56c8-4395-47b0-b5c2-1357078333c4


New Issues (3) Checkmarx found the following issues in this Pull Request
# Severity Issue Source File / Package Checkmarx Insight
1 MEDIUM Hardcoded_Password_in_Connection_String secscore/core/engine.py: 306
detailsThe application contains hardcoded connection details, "PASS", at line 306 of /secscore/core/engine.py. This connection string contains a hardcod...
Attack Vector
2 LOW Client_Dangerous_File_Inclusion docs/index.html: 37
detailsThe application loads an external library or source code file using "https://www\.googletagmanager\.com/gtag/js?id=G\-3GSHG2W8EE", at line 37 of /d...
Attack Vector
3 LOW Potential_Clickjacking_on_Legacy_Browsers docs/index.html: 1
detailsThe application does not protect the web page /docs/index.html from clickjacking attacks in legacy browsers, by using framebusting scripts.
Attack Vector

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

@cassiodeveloper cassiodeveloper merged commit d692069 into main Jul 7, 2026
5 of 7 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 968910bae7

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

resolved = candidate.resolve(strict=True)

try:
resolved.relative_to(base_dir)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Allow approved CI roots for SARIF inputs

When a workflow passes a SARIF file produced outside the checkout, such as under $RUNNER_TEMP, this new resolver rejects it because it only compares against Path.cwd(). That regresses CI setups that keep scanner artifacts in the runner temp directory, and it is inconsistent with the CLI's approved-root helper that explicitly includes GITHUB_WORKSPACE/RUNNER_TEMP; use the same allowed-root logic here (and at the CLI SARIF call site) so those absolute SARIF paths can still be scored.

Useful? React with 👍 / 👎.

@cassiodeveloper cassiodeveloper deleted the release/v0.5.0 branch July 7, 2026 11:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants