Skip to content

fix(scanner): downgrade clean risk score to degraded on incomplete coverage (MCP-2401)#669

Merged
Dumbris merged 1 commit into
mainfrom
fix/mcp-2401-scan-coverage-degraded
Jun 14, 2026
Merged

fix(scanner): downgrade clean risk score to degraded on incomplete coverage (MCP-2401)#669
Dumbris merged 1 commit into
mainfrom
fix/mcp-2401-scan-coverage-degraded

Conversation

@Dumbris

@Dumbris Dumbris commented Jun 14, 2026

Copy link
Copy Markdown
Member

Problem

The security scan summary reported a 0/100 "clean" verdict even when part of the scanner fleet failed — a user saw an all-clear while up to 40% (2/5) of scanners never ran. Coverage was surfaced only as a separate WARNING block; the risk/score signal itself was never degraded, so a glance at the number was misleading.

Fix

Tie risk-score confidence to scanner coverage and surface a degraded state:

  • SecurityScanSummary (contracts) / ScanSummary (scanner) now carry scanners_run / scanners_failed / scanners_total.
  • GetScanSummary computes coverage over the primary (security) pass. A would-be clean verdict is downgraded to a new degraded status when scanners_failed > 0. dangerous / warnings / failed verdicts are left intact — they already signal risk, and missing coverage can only have hidden more, never less.
  • If no scanner completed, the scan remains a flat failed (unchanged).
  • CLI printReportTable annotates the Risk Score line: Risk Score: 0/100 (degraded — 2 of 5 scanners did not run).
  • Swagger + CLI docs regenerated/updated.

Tests (TDD)

  • Flipped the bug-encoding scanner test (was asserting clean; now asserts degraded).
  • Added scanner tests: degraded on partial failure, failed when all fail, no downgrade for findings-driven verdicts.
  • Added CLI tests: degraded marker present on partial coverage, absent on full coverage.
  • go build ./..., go vet ./internal/server/, scanner/contracts/cmd suites, and golangci-lint v2 (CI config) — all green.

Scope

Backend (score calc + contract) only. The FrontendEngineer UI badge for the new degraded status is a separate lane per the issue.

Related #MCP-2401

@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 14, 2026

Copy link
Copy Markdown

Deploying mcpproxy-docs with  Cloudflare Pages  Cloudflare Pages

Latest commit: ccfa3dc
Status: ✅  Deploy successful!
Preview URL: https://f598d1de.mcpproxy-docs.pages.dev
Branch Preview URL: https://fix-mcp-2401-scan-coverage-d.mcpproxy-docs.pages.dev

View logs

@codecov-commenter

Copy link
Copy Markdown

⚠️ Please install the 'codecov app svg image' to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

❌ Patch coverage is 72.00000% with 7 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
internal/server/server.go 0.00% 6 Missing ⚠️
internal/security/scanner/service.go 91.66% 0 Missing and 1 partial ⚠️

📢 Thoughts on this report? Let us know!

@mcpproxy-gatekeeper mcpproxy-gatekeeper Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved via Claude Code review (Codex out): risk-score degraded on incomplete coverage (MCP-2401). Reviewer verified fix + tests + CI green; VERDICT ACCEPT.

@Dumbris Dumbris enabled auto-merge (squash) June 14, 2026 14:57
@github-actions

Copy link
Copy Markdown

📦 Build Artifacts

Workflow Run: View Run
Branch: fix/mcp-2401-scan-coverage-degraded

Available Artifacts

  • archive-darwin-amd64 (28 MB)
  • archive-darwin-arm64 (25 MB)
  • archive-linux-amd64 (16 MB)
  • archive-linux-arm64 (14 MB)
  • archive-windows-amd64 (28 MB)
  • archive-windows-arm64 (25 MB)
  • frontend-dist-pr (0 MB)
  • installer-dmg-darwin-amd64 (21 MB)
  • installer-dmg-darwin-arm64 (19 MB)

How to Download

Option 1: GitHub Web UI (easiest)

  1. Go to the workflow run page linked above
  2. Scroll to the bottom "Artifacts" section
  3. Click on the artifact you want to download

Option 2: GitHub CLI

gh run download 27501983628 --repo smart-mcp-proxy/mcpproxy-go

Note: Artifacts expire in 14 days.

…verage

The scan summary reported a 0/100 "clean" verdict even when part of the
scanner fleet failed, so a user saw an all-clear while 40% of scanners
never ran. Coverage was only surfaced as a separate WARNING block.

Tie risk-score confidence to scanner coverage:
- SecurityScanSummary / ScanSummary carry scanners_run/failed/total.
- GetScanSummary computes coverage on the primary pass and downgrades a
  would-be "clean" verdict to a new "degraded" status when any scanner
  failed. "dangerous"/"warnings"/"failed" verdicts are left intact.
- CLI report annotates the Risk Score line with
  "(degraded — N of M scanners did not run)".
- Swagger + CLI docs updated.

Related #MCP-2401
@Dumbris Dumbris force-pushed the fix/mcp-2401-scan-coverage-degraded branch from 16d80ad to ccfa3dc Compare June 14, 2026 15:17

@mcpproxy-gatekeeper mcpproxy-gatekeeper Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Claude review ACCEPT — rebased onto main (ccfa3dc), behavior unchanged (only additive test-func conflict resolved keeping both); scanner+contracts+cmd tests green.

@Dumbris Dumbris merged commit dbaabc3 into main Jun 14, 2026
36 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants