feat(security): surface Dependabot posture in portfolio render surfaces
The radar's truth-layer security dimension (RiskFields.security_risk,
SecurityFields Dependabot counts, the active-high-severity-alerts factor)
was wired into the risk model and weekly digest in #27, but the two
human-facing render surfaces — PORTFOLIO-AUDIT-REPORT.md and
project-registry.md — did not surface it. This adds that, mirroring the
digest's Security Posture treatment:
- Portfolio report: a Coverage Summary line + a dedicated '## Security
Posture' section (TOC entry included) with the same three states as the
digest — per-repo open high/critical (critical-first, capped at 5),
'all N scanned clear', or 'overlay not run'.
- Registry: a pipe-free per-repo security flag in the Notes column (fires
only for scanned repos with open high/critical) plus four aggregate rows
in the Portfolio Summary table.
Shared _security_overview / _security_attention_items helpers mirror the
digest's aggregation on the in-memory snapshot. The Notes flag is pipe-free
and the summary rows are digit-valued, so the registry still round-trips
through parse_registry unchanged; both markdown validators stay green.
5 new tests cover all three report states, the registry flag + round-trip,
and the unscanned case.
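The commit message above describes three render states (per-repo open high/critical listed critical-first and capped at 5, "all N scanned clear", "overlay not run") and a registry Notes flag that must stay pipe-free so the table round-trips through the registry parser. The following is an added example, not code from this commit or the project: the snapshot shape, the function names, and the minimal pipe-table parser are all constructed stand-ins for the project's own SecurityFields, `_security_overview`, `_security_attention_items` and `parse_registry`, and the sample repos are invented.

```python
from dataclasses import dataclass


@dataclass
class RepoSecurity:
    """Per-repo Dependabot counts; a constructed stand-in for the project's SecurityFields."""
    name: str
    scanned: bool          # True when the Dependabot overlay covered this repo
    open_critical: int = 0
    open_high: int = 0


@dataclass
class Snapshot:
    """In-memory snapshot with only the fields this example needs (constructed shape)."""
    repos: list
    overlay_ran: bool


def security_overview(snapshot):
    """Aggregate counts over scanned repos only; unscanned repos contribute nothing."""
    scanned = [r for r in snapshot.repos if r.scanned]
    return {
        "scanned_count": len(scanned),
        "repos_with_open_high_critical": sum(1 for r in scanned if r.open_critical or r.open_high),
        "total_open_critical": sum(r.open_critical for r in scanned),
        "total_open_high": sum(r.open_high for r in scanned),
    }


def security_attention_items(snapshot, cap=5):
    """Scanned repos with open high/critical alerts, critical-first, capped at `cap`."""
    flagged = [r for r in snapshot.repos if r.scanned and (r.open_critical or r.open_high)]
    flagged.sort(key=lambda r: (-r.open_critical, -r.open_high, r.name))
    return flagged[:cap]


def render_security_posture(snapshot):
    """The three report states: overlay not run / all scanned clear / per-repo attention list."""
    lines = ["## Security Posture", ""]
    if not snapshot.overlay_ran:
        lines.append("Dependabot overlay not run; no alert data in this snapshot.")
        return lines
    items = security_attention_items(snapshot)
    if not items:
        n = security_overview(snapshot)["scanned_count"]
        lines.append(f"All {n} scanned repos clear of open high/critical Dependabot alerts.")
        return lines
    for r in items:
        lines.append(f"- {r.name}: critical {r.open_critical}, high {r.open_high}")
    return lines


def registry_flag(repo):
    """Notes-column flag: empty for unscanned or clean repos, and never contains '|'."""
    if not repo.scanned or not (repo.open_critical or repo.open_high):
        return ""
    flag = f"security: critical {repo.open_critical} high {repo.open_high}"
    assert "|" not in flag  # a pipe would add a table cell and break the round-trip
    return flag


def render_registry_row(repo):
    return f"| {repo.name} | {registry_flag(repo)} |"


def render_summary_rows(snapshot):
    """Aggregate rows for the summary table; values are plain digits so they parse as ints."""
    ov = security_overview(snapshot)
    labels = [
        ("Repos scanned by Dependabot", "scanned_count"),
        ("Repos with open high/critical", "repos_with_open_high_critical"),
        ("Open critical alerts", "total_open_critical"),
        ("Open high alerts", "total_open_high"),
    ]
    return [f"| {label} | {ov[key]} |" for label, key in labels]


def parse_table_row(line):
    """Minimal pipe-table row parser standing in for the project's parse_registry (hypothetical)."""
    return [cell.strip() for cell in line.strip().strip("|").split("|")]


# Constructed sample snapshot: three scanned repos (one clean) and one unscanned repo.
SAMPLE = Snapshot(
    repos=[
        RepoSecurity("alpha", scanned=True),
        RepoSecurity("beta", scanned=True, open_critical=1, open_high=2),
        RepoSecurity("gamma", scanned=True, open_high=3),
        RepoSecurity("delta", scanned=False),
    ],
    overlay_ran=True,
)

if __name__ == "__main__":
    print("\n".join(render_security_posture(SAMPLE)))
    for repo in SAMPLE.repos:
        print(render_registry_row(repo))
    print("\n".join(render_summary_rows(SAMPLE)))
```

The `assert "|" not in flag` in `registry_flag` is the check that protects the round-trip: a flag such as `a|b` would split into an extra cell when the row is parsed back, which is why the commit keeps the Notes flag pipe-free and the summary rows digit-valued.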
f"- Security posture: scanned `{security_overview['scanned_count']}`, with open high/critical Dependabot alerts `{security_overview['repos_with_open_high_critical']}` (critical `{security_overview['total_open_critical']}`, high `{security_overview['total_open_high']}`)",
f"- Catalog warnings carried into the snapshot: `{len(snapshot.warnings)}`",
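Review bot: the Coverage Summary line (the first visible f-string) interpolates all four `security_overview` counts unconditionally, while the commit message lists "overlay not run" as a third state; from the visible lines it is not clear that this line is guarded for that case. If the overlay did not run, the line would read `scanned 0 ... 0 ... 0 ... 0` and look like a clean scan rather than a missing one, so either emit the "overlay not run" wording here as well or skip the line when the overlay did not run, and add that case to the summary-line test alongside the existing unscanned test.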