release: v0.5.0 (M.A.R.I.A policy import + risk model, HTML report, security hardening)#11
Conversation
…ecurity hardening) Added - M.A.R.I.A policy import (--maria-import-policy, --maria-policy-url) and maria_riskscore_v1 risk-score model (weights, application context, risk profile). - Optional self-contained HTML report (--html-output / --html-out) and matching GitHub Action inputs. - Console entry point `secscore pr ...`. Changed / Fixed - PR comment renderer now honors the policy `reporting` block (max_findings_in_comment, max_reasons, include_fields) instead of fixed defaults; include_fields is now actually applied to finding lines. Security - SSRF hardening on M.A.R.I.A outbound requests (scheme/credential checks, block private/reserved targets, explicit opt-in for local URLs). - Path-access hardening for CLI and SARIF inputs (confined to workspace/CI roots). - Composite action hardened against injection (env-var interpolation + quoted arg arrays). - PR comment hardened against Markdown injection from untrusted scanner output (escaping + percent-encoded link targets). Repository - Bumped version to 0.5.0 (pyproject + secscore.__version__). - Added .gitattributes (LF) and ignored generated artifacts; stopped tracking tmp-result.json. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
| response = requests.get( | ||
| resolved_policy_url, | ||
| params={"repositoryId": repository_id}, | ||
| headers=headers, | ||
| timeout=timeout, | ||
| ) |
| value = os.getenv(env_name) | ||
| if value: | ||
| try: | ||
| roots.append(Path(value).expanduser().resolve()) |
| raise ValueError(f"{label} path is required") | ||
|
|
||
| base_dir = Path.cwd().resolve() | ||
| raw_path = Path(str(value).strip()).expanduser() |
|
New Issues (3)Checkmarx found the following issues in this Pull Request
Use @Checkmarx to interact with Checkmarx PR Assistant. |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 968910bae7
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| resolved = candidate.resolve(strict=True) | ||
|
|
||
| try: | ||
| resolved.relative_to(base_dir) |
There was a problem hiding this comment.
Allow approved CI roots for SARIF inputs
When a workflow passes a SARIF file produced outside the checkout, such as under $RUNNER_TEMP, this new resolver rejects it because it only compares against Path.cwd(). That regresses CI setups that keep scanner artifacts in the runner temp directory, and it is inconsistent with the CLI's approved-root helper that explicitly includes GITHUB_WORKSPACE/RUNNER_TEMP; use the same allowed-root logic here (and at the CLI SARIF call site) so those absolute SARIF paths can still be scored.
Useful? React with 👍 / 👎.







SecScore v0.5.0
Closes out the in-flight work as a single release: M.A.R.I.A policy import + risk-score model, optional HTML report, three security hardenings, and reporting fixes/repo hygiene.
Added
--maria-import-policy,--maria-policy-url) — sync repository risk policy before scoring.maria_riskscore_v1risk-score model: risk weights, application context, risk profile multipliers (mirrors C#MidpointRounding.AwayFromZero).--html-output true/--html-out) generated from the standard JSON, plus GitHub Action inputshtml_output/html_out.secscore pr ....Changed / Fixed
reportingblock (max_findings_in_comment,max_reasons,include_fields) instead of hardcoded 5/3 defaults.include_fieldsis now actually applied to finding lines (was a dead parameter).Security
SECSCORE_ALLOW_PRIVATE_MARIA_URLS=true) for local URLs.Repository
0.5.0(pyproject.toml+secscore.__version__, previously mismatched)..gitattributesenforcing LF (keeps the composite action's Bash valid on Linux runners).secscore-report.html, runtimepolicy/policy-maria.yml,tmp-*); stopped trackingtmp-result.json.Decision model
Unchanged. All changes are scoring-neutral (M.A.R.I.A model is opt-in via policy) or presentation/hygiene only —
PASS/REVIEW/FAILlogic inengine.pyis untouched.Validation
python -m unittest discover -s tests -p "test_*.py"→ 17/17 OK (11 existing + 6 new reporting tests).Post-merge
v0.5.0on the merge commit.🤖 Generated with Claude Code