feat(security): wire Dependabot alert posture into portfolio risk model (#27)
* feat(security): wire Dependabot alert posture into portfolio risk model

Schema 0.4.0 -> 0.5.0: new SecurityFields (Dependabot / code-scanning /
secret-scanning counts) on every PortfolioTruthProject. New risk factor
active-high-severity-alerts — open high alerts add one factor toward the
3+ elevation threshold; an open critical alert force-elevates on its own,
so a lone unpatched critical CVE cannot hide in a clean repo.

Opt-in via --portfolio-truth-include-security, overlaying the latest
output/ghas-alerts-<user>-*.json (mirrors the release_count overlay; the
truth pipeline itself stays network-free / offline-testable). Weekly
digest gains a ## Security Posture section distinguishing scanned-clean
from unscanned repos. Fully inert unless fed: defaults keep the factor
dormant and all existing risk tiers unchanged.

27 new tests across risk math, GHAS mapping, opt-in, force-elevate,
deferred short-circuit, digest states, and the CLI loader. 2140 pass.

* feat(security): join GHAS overlay by repo name, not just display name

The security overlay is keyed by GitHub repo name, but local dir display
names often differ ("Signal & Noise" vs "signal-noise"), so 40 repos with
open alerts were silently missed. Extract `_select_security_entry`: match
on the repo name from repo_full_name first, fall back to display_name.

Live impact: overlay match rate 113 -> 153 of 161 local projects; e.g.
Signal & Noise (9 high), Devil's Advocate (6), Interruption Resume Studio
(3) now correctly join. 4 join-precedence tests added.
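The risk-factor rule and the join precedence described in the commit message, as an added illustration that is not the project's own code: the class names, the `select_security_entry` helper, the `scanned` flag, the owner `example-user` and the overlay contents are all assumed here.

```python
# Added illustration of the described behaviour; not the project's code.
from dataclasses import dataclass
from typing import Dict, Optional

ELEVATION_THRESHOLD = 3  # "3+ factors" tier boundary from the commit message


@dataclass
class SecurityFields:
    """Counts overlaid from a GHAS alerts export (assumed field names)."""
    open_critical: int = 0
    open_high: int = 0
    scanned: bool = False  # False means never scanned, not scanned-clean


@dataclass
class Project:
    display_name: str
    repo_full_name: Optional[str] = None  # "owner/repo" when known


def security_risk_factors(sec: Optional[SecurityFields]):
    """Return (extra_factor, force_elevate) for a project's security posture.
    Open high alerts add one factor; any open critical alert force-elevates."""
    if sec is None:  # no overlay fed: factor stays dormant
        return 0, False
    return (1 if sec.open_high > 0 else 0), sec.open_critical > 0


def is_elevated(other_factors: int, sec: Optional[SecurityFields]) -> bool:
    factor, force = security_risk_factors(sec)
    return force or (other_factors + factor) >= ELEVATION_THRESHOLD


def posture_label(sec: Optional[SecurityFields]) -> str:
    """Digest state: unscanned vs scanned-clean vs open alerts."""
    if sec is None or not sec.scanned:
        return "unscanned"
    return "clean" if sec.open_critical == 0 and sec.open_high == 0 else "alerts"


def select_security_entry(project: Project, overlay: Dict[str, SecurityFields]):
    """Join on the repo name taken from repo_full_name first, then display_name."""
    if project.repo_full_name:
        repo = project.repo_full_name.rsplit("/", 1)[-1]
        if repo in overlay:
            return overlay[repo]
    return overlay.get(project.display_name)


# Constructed sample overlay keyed by GitHub repo name, as the export would be.
OVERLAY = {"signal-noise": SecurityFields(open_high=9, scanned=True),
           "tidy-repo": SecurityFields(scanned=True)}
```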