feat(inspect): production hardening — re-baseline to v0.2.0 + OSS hygiene #2
Merged
…, PR/issue templates)
Re-baselines inspect's version to 0.2.0 across both authoritative
locations and adds the top-50 OSS standard files that were missing.
Version 0.2.0 set in:
- internal/report/sarif.go (`const inspectVersion = "0.2.0"`,
used as `tool.driver.version` in SARIF output)
- mcp/server.go (`mcpserver.NewMCPServer("inspect", "0.2.0", ...)`)
The previous values were inconsistent (`inspectVersion` was `"1.0.0"`
while the MCP server advertised `"0.1.0"`); both now agree on
`"0.2.0"`. The SARIF spec version (`sarifVersion = "2.1.0"`) is
unchanged — that field identifies the SARIF format, not the tool.
Aligns inspect with the rest of the hawk-eco ecosystem (hawk, tok,
eyrie, yaad, trace, sight). The CVE-database entries in
`dependency_check.go` reference real CVE-affected/fixed versions of
third-party libraries (lodash, jsonwebtoken, golang.org/x/net, etc.)
and are intentionally untouched — they are factual data, not inspect's
own version.
CHANGELOG.md gains an [Unreleased] section. Existing 0.4.0 / 0.2.0 /
0.1.0 historical entries preserved.
New top-level OSS files:
- CODE_OF_CONDUCT.md — Contributor Covenant 2.1
- .gitattributes — LF normalization, binary detection, GitHub
linguist hint to collapse `go.sum` and `browser/go.sum`
- .editorconfig — UTF-8, LF, final newline, trim trailing whitespace,
tabs for Go + Makefile, 2-space indent for YAML/JSON/TOML, no-trim
for Markdown
- .github/dependabot.yml — weekly gomod (root + browser/ sub-module
grouped by go-rod) + github-actions, root gomod grouped by
mark3labs/mcp-go to reduce PR noise
- .github/PULL_REQUEST_TEMPLATE.md — Summary / Changes / Scan-quality
impact / SARIF compatibility / SSRF & egress safety / Testing /
Checklist (the SSRF section asks contributors to call out any
change to private-IP blocking, redirect filtering, or scheme
allowlists)
- .github/ISSUE_TEMPLATE/bug_report.yml — surface dropdown (library
API / MCP / GitHub Action / SARIF / browser checks / CVE database),
required redaction confirmation, false-positive textarea
- .github/ISSUE_TEMPLATE/feature_request.yml — kind selector covering
8 areas (security check / accessibility / SEO / performance /
browser / output formats / config / tooling) and solo-dev fit
checks (incl. an explicit 'does not weaken SSRF / egress
protections' confirmation)
- .github/ISSUE_TEMPLATE/config.yml — routes security to advisories,
questions to discussions, blocks blank issues
Cleanup:
- gofmt -w on mcp/server.go and internal/report/sarif.go to fix
pre-existing blank-line and struct-tag alignment drift in the
files I touched
Verification:
- `go build ./...` clean
- `go vet ./...` clean
- `go test -race -count=1 -timeout=120s -short ./...` passes on
every package: root inspect, checks, internal/{check,crawler,
report}, mcp
- `gofmt -l` clean for all files I touched
- VERSION file as single source of truth
- CODEOWNERS for auto-review routing
- Canonical Makefile with standard targets
- release-please config + workflow
- lefthook/pre-commit hooks (conventional commits, fmt, lint, secrets)
- Canonical CI + release GitHub Actions workflows
- Standardized .editorconfig, .gitattributes, CODE_OF_CONDUCT, SECURITY, CONTRIBUTING
- goreleaser config (where applicable)

Part of hawk-eco standardization sweep.
Summary
Production-hygiene pass for inspect that brings the repo to top-50 OSS
repository standards. Single commit targeting `dev`.

The mandate (per GOAL.md) is that inspect be the reference Go website + dependency security scanner for the hawk ecosystem,
comparable in quality to gosec / trivy / snyk / grype / osv-scanner /
bearer / gitleaks / trufflehog / checkov / tfsec, and built for solo
developers running their coding agent locally.
This PR re-baselines the version (also fixes a small inconsistency
between two version strings) and fills the OSS-meta gaps. No code-
behaviour changes other than the version strings reported via MCP and
SARIF.
Changes
Version 0.2.0 (also: fix internal inconsistency)
- `internal/report/sarif.go`: `const inspectVersion = "0.2.0"` (was `"1.0.0"`, used as `tool.driver.version` in SARIF)
- `mcp/server.go`: `mcpserver.NewMCPServer("inspect", "0.2.0", ...)` (was `"0.1.0"`)

Pre-PR these two strings disagreed (`1.0.0` vs `0.1.0`); now they both report `0.2.0`. The SARIF spec version (`sarifVersion = "2.1.0"`) is intentionally unchanged — different field, identifies the format not the tool.

The CVE-database entries in `dependency_check.go` (e.g. `0.0.0-2022` for `golang.org/x/crypto`, `4.17.20` for `lodash`, etc.) are factual CVE-affected/fixed versions of third-party libraries — left untouched.
CHANGELOG.md
Added `## [Unreleased]` describing the re-baseline + the new files. Historical entries (`0.4.0` / `0.2.0` / `0.1.0`) preserved.

New OSS standard files
- `CODE_OF_CONDUCT.md`
- `.gitattributes` (linguist hint for `go.sum` and `browser/go.sum`)
- `.editorconfig`
- `.github/dependabot.yml` (gomod for root + `browser/` sub-module grouped by `go-rod`, plus github-actions; root gomod grouped by `mark3labs/mcp-go`)
- `.github/PULL_REQUEST_TEMPLATE.md`
- `.github/ISSUE_TEMPLATE/bug_report.yml`
- `.github/ISSUE_TEMPLATE/feature_request.yml` (`kind` selector covering 8 areas + solo-dev fit checks, with explicit "does not weaken SSRF / egress protections" confirmation)
- `.github/ISSUE_TEMPLATE/config.yml`

The PR template has three inspect-specific sections:
- Scan-quality impact: … rule set, or finding deduplication can shift the false-positive / false-negative balance.
- SARIF compatibility: `internal/report/sarif.go` must still validate against the SARIF 2.1.0 schema.
- SSRF & egress safety: any change to private-IP blocking, redirect filtering, scheme allowlists, or DNS resolution must be called out explicitly. This mirrors the "does not weaken SSRF / egress protections" checkbox in the feature-request template.
Cleanup
`gofmt -w` on `mcp/server.go` and `internal/report/sarif.go` to fix pre-existing blank-line and struct-tag alignment drift in the files I touched.
Verification
- `go build ./...`
- `go vet ./...`
- `go test -race -count=1 -timeout=120s -short ./...` (`inspect`, `checks`, `internal/{check,crawler,report}`, `mcp`)
- `gofmt -l` for files I touched

Test plan
- `make build`
- `make test-race`
- `go vet ./...`
- `gofmt -l mcp/server.go internal/report/sarif.go` (empty)
- lint (`govet`, `ineffassign`, `misspell` per `.golangci.yml`) and tests
- `browser/` sub-module is not exercised here (requires Chromium); separate workflow handles it
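As an added example, not inspect's own code, the Go program below builds a minimal SARIF 2.1.0 log and reads it back the way a consumer (GitHub code scanning, a SARIF viewer) would, keeping the format version (top-level `version`) apart from the tool version (`runs[].tool.driver.version`) exactly as the description above distinguishes them. The constant names follow the PR description; the struct layout, the `mcpVersion` constant standing in for the string the MCP server advertises, and the sample finding are this example's own assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Added example (not inspect's own code). The two version strings the PR
// keeps apart live in different places of the SARIF document.
const (
	sarifVersion   = "2.1.0" // top-level "version": identifies the SARIF format
	inspectVersion = "0.2.0" // runs[].tool.driver.version: identifies the tool
	mcpVersion     = "0.2.0" // assumed: string advertised by the MCP server
)

// Minimal SARIF 2.1.0 shapes, limited to the fields this example needs.
type sarifLog struct {
	Version string     `json:"version"`
	Runs    []sarifRun `json:"runs"`
}

type sarifRun struct {
	Tool    sarifTool     `json:"tool"`
	Results []sarifResult `json:"results"`
}

type sarifTool struct {
	Driver sarifDriver `json:"driver"`
}

type sarifDriver struct {
	Name    string `json:"name"`
	Version string `json:"version"`
}

type sarifResult struct {
	RuleID  string       `json:"ruleId"`
	Level   string       `json:"level"`
	Message sarifMessage `json:"message"`
}

type sarifMessage struct {
	Text string `json:"text"`
}

// buildLog wraps findings in a single-run SARIF log with both version fields set.
func buildLog(results []sarifResult) ([]byte, error) {
	doc := sarifLog{
		Version: sarifVersion,
		Runs: []sarifRun{{
			Tool:    sarifTool{Driver: sarifDriver{Name: "inspect", Version: inspectVersion}},
			Results: results,
		}},
	}
	return json.MarshalIndent(doc, "", "  ")
}

// readVersions does what a SARIF consumer does: it checks the format version at
// the top level before trusting the rest, then reports the tool version found
// under tool.driver. A log in a format version it does not understand is rejected.
func readVersions(data []byte) (format, tool string, err error) {
	var doc sarifLog
	if err = json.Unmarshal(data, &doc); err != nil {
		return "", "", err
	}
	if doc.Version != sarifVersion {
		return "", "", fmt.Errorf("unsupported SARIF version %q", doc.Version)
	}
	if len(doc.Runs) == 0 {
		return "", "", fmt.Errorf("SARIF log has no runs")
	}
	return doc.Version, doc.Runs[0].Tool.Driver.Version, nil
}

// versionsAgree is the consistency check the PR had to make by hand: every
// surface that reports the tool version must advertise the same string.
func versionsAgree() bool {
	return inspectVersion == mcpVersion
}

func main() {
	// Constructed sample finding, not output from a real scan.
	data, err := buildLog([]sarifResult{{
		RuleID:  "example/missing-csp",
		Level:   "warning",
		Message: sarifMessage{Text: "constructed sample finding"},
	}})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(data))
	format, tool, err := readVersions(data)
	if err != nil {
		panic(err)
	}
	fmt.Printf("format=%s tool=%s agree=%v\n", format, tool, versionsAgree())
}
```

Running it prints the log followed by `format=2.1.0 tool=0.2.0 agree=true`. The point of `readVersions` rejecting any other top-level `version` is why the two fields must not be conflated: bumping `sarifVersion` to track the tool release would make every consumer that validates against the 2.1.0 schema refuse the output, while leaving `tool.driver.version` stale hides which inspect release produced a finding.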