Releases: cassiodeveloper/SecScore
Release list
SecScore v0.5.0
SecScore v0.5.0 closes out the in-flight work as a single release: M.A.R.I.A policy import + risk-score model, an optional HTML report, three security hardenings, and reporting fixes / repo hygiene. The PASS / REVIEW / FAIL decision model is unchanged.
Added
- Console entry point for installed environments:
secscore pr ...can now be used instead ofpython -m secscore.cli.main pr .... - Optional HTML report output generated from the standard JSON result:
--html-output trueand--html-out secscore-report.html. - GitHub Action inputs
html_outputandhtml_outfor publishing the visual report as a workflow artifact. - HTML report polish: dark/light toggle, risk summary, linked findings and artifacts, copy JSON path action, collapsible execution parameters, and report footer metadata.
- Optional M.A.R.I.A policy import with
--maria-import-policyand--maria-policy-url, allowing SecScore to sync repository risk policy before scoring. - M.A.R.I.A risk score model support (
maria_riskscore_v1) including risk weights, application context, and risk profile multipliers.
Changed
- Package version bumped to
0.5.0. - GitHub Action now documents the workflow permissions needed for checks, PR comments, and labels.
- CI workflow now declares explicit least-privilege read access with
permissions: contents: read. - PR comment renderer now honors the policy
reportingblock (max_findings_in_comment,max_reasons,include_fields) instead of always falling back to fixed defaults.
Fixed
include_fieldsin the policyreportingblock is now actually applied when rendering finding lines (location and metadata fields), instead of being ignored.
Security
- Hardened M.A.R.I.A outbound requests against server-side request forgery by validating URL schemes, rejecting embedded credentials, and blocking local/private/reserved network targets by default. Private/local URLs require explicit trusted opt-in with
SECSCORE_ALLOW_PRIVATE_MARIA_URLS=true. - Hardened CLI and SARIF file handling against uncontrolled path access by resolving paths and requiring them to stay inside the current workspace or approved CI roots.
- Hardened the GitHub composite action against code injection by moving input interpolation into environment variables and passing CLI arguments through quoted Bash arrays.
- Hardened the PR comment against Markdown injection from untrusted scanner output by escaping finding titles, paths and metadata, and percent-encoding link targets.
Repository
- Added
.gitattributesenforcing LF line endings so the composite action's Bash steps stay valid on Linux runners regardless of contributor OS. - Ignored generated artifacts (
secscore-report.html, runtimepolicy/policy-maria.yml,tmp-*) and stopped trackingtmp-result.json.
Full changelog: https://github.com/cassiodeveloper/SecScore/blob/main/CHANGELOG.md
v0.4.0
Added
- M.A.R.I.A submissions integration for CI/CD results publishing:
- New CLI flags:
--maria-url,--maria-token,--maria-repository-id,--maria-strict - Submission metadata flags:
--maria-submission-key,--maria-commit-sha,--maria-branch-name,
--maria-pipeline-name,--maria-pipeline-run-id,--maria-pull-request-id,
--maria-started-at-utc,--maria-tool-name,--maria-cli-version - Automatic metadata fallback from CI environment and git when values are not provided.
- New CLI flags:
- GitHub Action support for M.A.R.I.A submission fields via new action inputs:
token,maria-url,maria-token,maria-repository-id,maria-pull-request-id. - New adapter module
secscore.adapters.maria_providerto isolate outbound submission logic. - Automated tests for M.A.R.I.A payload mapping and strict-mode failure behavior.
Changed
- M.A.R.I.A payload now sends explicit
ScoreandDecisionplus severitySummary
(Critical,High,Medium,Low) for submission endpoints. - Package metadata now declares all runtime dependencies used by the CLI (
pyyaml,requests,rich).
Fixed
- Package runtime metadata mismatch where
richwas used by CLI but not declared inpyproject.toml.
v0.3.0 — Multi-SARIF, diff-aware by default, fingerprint supressions
v0.3.0 — 2026-03
Added
- Multi-SARIF support:
--sarifnow accepts multiple files as a comma-separated list
(--sarif semgrep.sarif,trivy.sarif) or multiple flags. GitHub Action updated accordingly.
Findings are deduplicated across files by(ruleId, path, line). - Diff-aware filtering enabled by default in PR mode. SecScore now automatically filters
findings to only those touching lines changed in the PR. Use--no-diff-awareto opt out.
Gracefully degrades (warning, no abort) when not running inside a git repository or when
the diff returns no changed files. - Suppressions by fingerprint: policy
suppressions.deny_fingerprintslist allows
suppressing specific known false positives by their finding fingerprint — traceable and
reviewable in version control. action.ymlnew inputs:no_diff_aware,base_ref.policy_validator.pynow validatessuppressions.deny_fingerprintsentries.- Policy version bumped to
1.1in default policy files.
Fixed
engine.py:NoneTypecrash whenasset.pathwas absent in a finding.sarif.py:criticalseverity fromproperties.severity(Semgrep, Snyk) was silently
downgraded tohigh. Now correctly propagated.action.yml: Python inline block had incorrect indentation causingSyntaxErroron the
GitHub Actions runner.diff_filter.py:base_refargument was passed unsanitized tosubprocess. Now validated
against an allowlist regex before use.checkmarx_provider.py:get_resultsused a hard-codedlimit=1000with no pagination,
silently dropping findings beyond the first 1000. Replaced with a paginated loop.policy_validator.py(new): policy YAML is now validated before reaching the engine.
Structural errors, unknown severity names, and misconfigured thresholds produce clear
error messages instead of silently incorrect scores.main.py: diff-aware with emptychanged_rangeswas silently discarding all findings,
causing every run to score 100 and return PASS. Now skips filtering when diff is empty
and warns the user.
SecScore v0.2.0
SecScore v0.2.0 introduces diff-aware security scoring and improved PR feedback.
Highlights
• Diff-aware filtering to focus only on findings introduced in a Pull Request
• Security Diff section showing vulnerability changes by severity
• Improved PR comment UX with clearer decision explanation
• CLI output rendering using Rich for better terminal readability
• SARIF fixtures and CI validation workflow
SecScore reduces security scanner noise and enables objective PASS / REVIEW / FAIL decisions in CI/CD pipelines.
SecScore v0.1.0
Initial public release of SecScore.
Features:
- Security scoring engine
- SARIF support
- GitHub Action integration
- Policy driven security decisions