Skip to content

Releases: give-jd/deep-security-check

v0.4.1 — reachability-lite SCA + .dsc-ignore suppressions

Choose a tag to compare

@give-jd give-jd released this 10 Jul 19:14
d0d9fc2

Two opt-in triage passes, enabled with score.py --project <dir> (without it the score is unchanged).

Reachability-lite — an SCA finding whose package name never appears in your source is downgraded one severity step (declared-but-unused). Conservative by design: it never drops a finding, only downgrades on a confident zero-match — a CVE on a dependency you declare but never import weighs less than one you actually use.

.dsc-ignore — suppress accepted findings with a mandatory justification: <path-glob>:<ruleId-or-*> -- why. Suppressed findings are listed in the report with their reason (visible, never silent); a rule missing its justification is rejected, not applied.

Completes the v0.4.0 noise-reduction roadmap. Backward compatible.

v0.4.0 — noise reduction: dedup, path triage, malware category

Choose a tag to compare

@give-jd give-jd released this 10 Jul 18:52
5a9cbb8

Makes the grade reflect real risk, not scanner overlap. Inspired by Aikido's AutoTriage.

Cross-scanner dedup — the same file:line flagged by two tools is now counted once. Fixes a latent double-counting bug (demo project moves 55/E -> correct 69/D). Re-scan your projects — grades may improve.

Path-aware triage — findings under tests/fixtures/examples/mocks are downgraded one severity step. A hardcoded credential in a test fixture is not a production leak. Malware is never downgraded.

Malware category — OSV MAL-* advisories (actively malicious packages) surface as malicious_packages, separate from CVEs, and hard-cap the score at 20/F.

Fix suggestions — the skill proposes a concrete patch for the top findings — suggested for review, never applied. Still fully read-only.

score.py refactored to operate on individual findings; expanded selfcheck. Backward compatible.

v0.3.1 — Opengrep as drop-in SAST engine

Choose a tag to compare

@give-jd give-jd released this 10 Jul 18:00
90b525c

Adds Opengrep (https://opengrep.dev), the LGPL community fork of the semgrep engine, as an automatic SAST fallback when semgrep is not on PATH.

  • Drop-in compatible with the bundled ruleset and SARIF 2.1.0 output — verified to produce identical findings to semgrep on the test project
  • Gives a fully open-source (MIT/LGPL) toolchain independent of Semgrep's relicensed CLI
  • Not vendored (42MB binary); LC_ALL=C.UTF-8 forced (opengrep's config reader requires a UTF-8 locale)

Patch release: additive fallback, no breaking changes.

v0.3.0 — history secrets, CI/CD & IaC rules, SCA fallback, baseline diff

Choose a tag to compare

@give-jd give-jd released this 10 Jul 13:46
afce297

Feature release — the full improvement batch.

New checks

  • Git-history secret scan: on git repos, gitleaks now also scans the commit history — committed-then-removed secrets are the common case a working-tree sweep misses. Opt out on huge repos with DSC_SKIP_HISTORY=1.
  • CI/CD security rules (bundled ruleset): GitHub Actions workflow injection (github.event.* interpolated into run:), pull_request_target usage, third-party actions not pinned to a commit SHA.
  • IaC rules: K8s privileged/hostNetwork, Terraform 0.0.0.0/0 ingress and public S3 ACLs, Dockerfile mutable base images.
  • structure.py: SECURITY.md and dependabot/renovate checks.

New capabilities

  • score.py --baseline <old.json>vs_baseline delta: score delta, improved/worsened verdict, per-severity findings delta. Track posture across re-scans.
  • trivy as SCA fallback when osv-scanner is absent (DSC_TRIVY_OFFLINE=1 for its offline DB). Not vendored — the binary alone would approach the 200MB plugin limit.
  • syft SBOM artifact (CycloneDX sbom.cdx.json) when present. Informational, never scored.
  • Explicit "SCA not run" warning when dependency CVEs were not checked.

Dogfooding note: the new unpinned-action rule flagged this repo's own CI workflow; fixed in the same release.

v0.2.0 — offline resilience, correct severity mapping, structure report

Choose a tag to compare

@give-jd give-jd released this 10 Jul 10:43
10bf006

Severity mapping fix — affects every grade. semgrep and osv-scanner attach severity to the SARIF rule metadata, not to each result; score.py flattened everything to medium and inflated grades (demo app: 85/B wrong → 55/E correct). If you scanned a project with v0.1.x, re-run it: high/critical findings now count as such.

Offline resilience (born from a Claude Cowork sandbox test):

  • Bundled MIT fallback ruleset (rules/offline-basic.yaml, ~20 high-precision rules) used automatically when the Semgrep registry is unreachable — the registry rules themselves are not redistributable (Semgrep Rules License v1.0)
  • Vendored gitleaks 8.30.1 for Linux x86_64 (sha256-verified against the upstream release; weekly checksum-verified CI bump)

New: structure hygiene report. structure.py validates project shape — README/LICENSE, tests, CI, lockfiles, pinned dependencies, committed .env, Dockerfile root user. Advisory: never changes the grade.

Plus a Cowork section in PRIVACY.md and a regenerated demo GIF with the corrected grade.

v0.1.1 — no more hang on blocked semgrep registry

Choose a tag to compare

@give-jd give-jd released this 10 Jul 09:41
f4de3b6

Bug fix release.

In egress-restricted environments (Cowork sandbox, corporate proxies with allowlists) semgrep retried the blocked registry indefinitely and scan.sh hung forever.

  • Reachability pre-check on semgrep.dev for registry (p/*) configs — graceful skip with guidance when blocked
  • New env vars: DSC_SEMGREP_CONFIG (local ruleset, fully offline semgrep) and DSC_SEMGREP_TIMEOUT (default 900s)
  • --disable-version-check

Found during a Claude Cowork sandbox compatibility test. Thanks to the graceful degradation design, the remaining scanners keep running and assessment_confidence reflects the reduced coverage.

v0.1.0 — first public release

Choose a tag to compare

@give-jd give-jd released this 09 Jul 21:26
64bad2c

First public release. 🎉

deep-security-check is a defensive, read-only security assessment skill for Claude Code: point it at a local project and get a report with a reproducible reliability grade (0–100, A–F) — the number comes from a deterministic rubric (score.py), not model opinion.

What's inside

  • SAST — Semgrep (p/default ruleset)
  • SCA — osv-scanner (dependency CVEs via OSV.dev)
  • Secrets — gitleaks
  • Dynamic-test surfacesurface.py, a static zero-traffic pass that flags where a DAST run would look (permissive CORS, missing security headers, insecure cookies, debug/bind-all config). Advisory only, never changes the grade.
  • Deterministic scoring with per-severity penalties, caps and ceilings (any critical → ≤69, any high → ≤84) + assessment_confidence that tells you how much to trust the score itself. Verify the rubric with score.py --selfcheck.
  • Graceful degradation: runs with whatever scanners are on PATH; missing tools lower confidence, never crash the scan.

Install

/plugin marketplace add give-jd/deep-security-check
/plugin install deep-security-check@give-security

Then ask Claude: "how reliable is this project, security-wise?"

Works standalone too (no Claude required) — see README.

Scope

Static analysis only. Reads the project, never modifies it, never sends traffic to live or remote targets. Defensive use only — it is not a penetration test.