GT-521: multi-language enforcers — Python (import-linter) + security-SARIF (Checkov/Trivy)#194
Conversation
…rivy) enforcers (GT-521) Extends the multi-language enforcer base beyond Node/TS + .NET, exercised against REAL corpora: - ImportLinterAdapter (Python): parses lint-imports broken-contract reports → canonical Violations. Live-verified — a real Python package where domain imports infrastructure yields 1 Violation, a clean package 0 (0 FP). - Security-SARIF adapters (Checkov/Trivy + any SARIF scanner): reuse the GT-515 ingestSarif and stamp category='security'. Live-verified — real Checkov SARIF on a Terraform corpus (8 findings) parses to 8 Violations, all category='security'; a clean scan → 0. - Adds the optional Violation.category field (security tools route to the security dimension). - Registers Checkov/Trivy in enforcer-catalog.json + validated-tool-catalog §4.3; wires all five adapters into createEnforcerAdapters. Deptrac (PHP) / ArchUnit (JVM) / jQAssistant (Neo4j) correctly stay adapter-pending — no real repo of those runtimes exists (GT-521 criterion #1's own gate). Verified: core-domain 1024/1024 (incl. updated anti-drift parity tests), core-api tsc clean. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…live-verified (board 530/551) import-linter (Python) + Checkov/Trivy (security SARIF, category='security') landed and exercised against real corpora on this machine (Python domain→infra = 1 Violation / clean 0; Checkov SARIF over Terraform = 8 Violations all category='security' / clean 0). Both ACs met. Deptrac (PHP) / ArchUnit (JVM) / jQAssistant (Neo4j) correctly stay adapter-pending — no real repo of those runtimes exists to exercise them (criterion #1's own gate; the Risk/Evidence this gap warns against). Guard 08: 551 gaps / 512 closure records green. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
📊 Bilingual Coverage ImpactPR Changes
Repository Coverage
✅ Good: All EN changes have ES counterparts. Generated by GitHub Actions |
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 2aaa3e9064
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| createImportLinterAdapter(runner), // Python (GT-521) | ||
| createCheckovAdapter(runner), // IaC/security → category=security (GT-521) | ||
| createTrivyAdapter(runner), // vuln/IaC security → category=security (GT-521) |
There was a problem hiding this comment.
Add the new analyzer commands to the sandbox allowlist
These newly registered adapters are always wrapped by SandboxedProcessRunner in createCompositeEnforcerStrategy, but DEFAULT_SANDBOX_POLICY.binaryAllowlist still lacks the actual executables they invoke: lint-imports, checkov, and trivy (it only has entries such as import-linter/conftest/dotnet). With the default policy, any Python or IaC/security enforcer rule is denied before the process can spawn and is reported as skipped, so the new implemented enforcers never run unless callers override the sandbox policy.
Useful? React with 👍 / 👎.
| | **import-linter** | 2.1.0 | python | Import contracts, grimp-backed (Python) | Implemented (GT-521, live-verified against a real Python corpus) | ADR-0002 | | ||
| | **Conftest** | 0.56.0 | iac | OPA/Rego policy checks for IaC/config manifests | Catalogued; SARIF path covered by the shared security adapter (GT-521) | ADR-0002 | | ||
| | **Checkov** | 3.3.8 | iac | IaC misconfiguration scanning (SARIF, `category=security`) | Implemented (GT-521, live-verified on a real Terraform corpus) | ADR-0002 | | ||
| | **Trivy** | 0.56.2 | iac | Vulnerability + IaC misconfiguration scanning (SARIF, `category=security`) | Implemented (GT-521, shared SARIF security adapter) | ADR-0002 | |
There was a problem hiding this comment.
The English tool catalog now marks import-linter as implemented and adds Checkov/Trivy, but product/infra/validated-tool-catalog.es.md still has the old 16.x/2.x entries, still says import-linter is pending, and has no Checkov/Trivy rows in §4.3. Because this repository's root instructions require bilingual EN/ES documents to stay structurally and semantically in sync, this change leaves the Spanish catalog stale and should be updated alongside these rows.
Useful? React with 👍 / 👎.
GT-521 — Deferred enforcers, landed where a real corpus exists
Extends the multi-language enforcer base (GT-515 Node/TS + GT-524 .NET) to Python and IaC/security, each exercised against a real corpus on this machine — the discipline the gap itself demands.
What landed
ImportLinterAdapter(Python) — parseslint-importsbroken-contract reports → canonicalViolation(file='',line=null, broken import chain in the message).isImportLinterFailurekeys on the always-present "Contracts: N kept, M broken." summary, so a genuine tool failure SKIPs the rule rather than false-passing it.ingestSarifingester wholesale and stampcategory='security'so findings route to the security dimension, not architecture.Violation.categoryoptional field (schema + domain model).enforcer-catalog.json+validated-tool-catalog.md§4.3;createEnforcerAdaptersnow returns all five (dependency-cruiser, NetArchTest, import-linter, Checkov, Trivy).Live verification
category='security'; clean scan → 0.core-domain 1024/1024(incl. new adapter specs + updated anti-drift parity specs);core-api tsc --noEmitclean.Honest scope
Deptrac (PHP) / ArchUnit (JVM) / jQAssistant (Neo4j) stay adapter-pending — no real repo of those runtimes exists to exercise them. That is criterion #1's own gate holding, not a shortcut: building them now is exactly the speculative, untestable code the gap's Risk/Evidence warn against.
Both acceptance criteria met. Board 530/551; guard 08 green (551 gaps / 512 closure records).
🤖 Generated with Claude Code