Releases: give-jd/deep-security-check
Release list
v0.4.1 — reachability-lite SCA + .dsc-ignore suppressions
Two opt-in triage passes, enabled with score.py --project <dir> (without it the score is unchanged).
Reachability-lite — an SCA finding whose package name never appears in your source is downgraded one severity step (declared-but-unused). Conservative by design: it never drops a finding, only downgrades on a confident zero-match — a CVE on a dependency you declare but never import weighs less than one you actually use.
.dsc-ignore — suppress accepted findings with a mandatory justification: <path-glob>:<ruleId-or-*> -- why. Suppressed findings are listed in the report with their reason (visible, never silent); a rule missing its justification is rejected, not applied.
Completes the v0.4.0 noise-reduction roadmap. Backward compatible.
v0.4.0 — noise reduction: dedup, path triage, malware category
Makes the grade reflect real risk, not scanner overlap. Inspired by Aikido's AutoTriage.
Cross-scanner dedup — the same file:line flagged by two tools is now counted once. Fixes a latent double-counting bug (demo project moves 55/E -> correct 69/D). Re-scan your projects — grades may improve.
Path-aware triage — findings under tests/fixtures/examples/mocks are downgraded one severity step. A hardcoded credential in a test fixture is not a production leak. Malware is never downgraded.
Malware category — OSV MAL-* advisories (actively malicious packages) surface as malicious_packages, separate from CVEs, and hard-cap the score at 20/F.
Fix suggestions — the skill proposes a concrete patch for the top findings — suggested for review, never applied. Still fully read-only.
score.py refactored to operate on individual findings; expanded selfcheck. Backward compatible.
v0.3.1 — Opengrep as drop-in SAST engine
Adds Opengrep (https://opengrep.dev), the LGPL community fork of the semgrep engine, as an automatic SAST fallback when semgrep is not on PATH.
- Drop-in compatible with the bundled ruleset and SARIF 2.1.0 output — verified to produce identical findings to semgrep on the test project
- Gives a fully open-source (MIT/LGPL) toolchain independent of Semgrep's relicensed CLI
- Not vendored (42MB binary);
LC_ALL=C.UTF-8forced (opengrep's config reader requires a UTF-8 locale)
Patch release: additive fallback, no breaking changes.
v0.3.0 — history secrets, CI/CD & IaC rules, SCA fallback, baseline diff
Feature release — the full improvement batch.
New checks
- Git-history secret scan: on git repos, gitleaks now also scans the commit history — committed-then-removed secrets are the common case a working-tree sweep misses. Opt out on huge repos with
DSC_SKIP_HISTORY=1. - CI/CD security rules (bundled ruleset): GitHub Actions workflow injection (
github.event.*interpolated intorun:),pull_request_targetusage, third-party actions not pinned to a commit SHA. - IaC rules: K8s
privileged/hostNetwork, Terraform 0.0.0.0/0 ingress and public S3 ACLs, Dockerfile mutable base images. - structure.py: SECURITY.md and dependabot/renovate checks.
New capabilities
score.py --baseline <old.json>→vs_baselinedelta: score delta, improved/worsened verdict, per-severity findings delta. Track posture across re-scans.- trivy as SCA fallback when osv-scanner is absent (
DSC_TRIVY_OFFLINE=1for its offline DB). Not vendored — the binary alone would approach the 200MB plugin limit. - syft SBOM artifact (CycloneDX
sbom.cdx.json) when present. Informational, never scored. - Explicit "SCA not run" warning when dependency CVEs were not checked.
Dogfooding note: the new unpinned-action rule flagged this repo's own CI workflow; fixed in the same release.
v0.2.0 — offline resilience, correct severity mapping, structure report
Severity mapping fix — affects every grade. semgrep and osv-scanner attach severity to the SARIF rule metadata, not to each result; score.py flattened everything to medium and inflated grades (demo app: 85/B wrong → 55/E correct). If you scanned a project with v0.1.x, re-run it: high/critical findings now count as such.
Offline resilience (born from a Claude Cowork sandbox test):
- Bundled MIT fallback ruleset (
rules/offline-basic.yaml, ~20 high-precision rules) used automatically when the Semgrep registry is unreachable — the registry rules themselves are not redistributable (Semgrep Rules License v1.0) - Vendored gitleaks 8.30.1 for Linux x86_64 (sha256-verified against the upstream release; weekly checksum-verified CI bump)
New: structure hygiene report. structure.py validates project shape — README/LICENSE, tests, CI, lockfiles, pinned dependencies, committed .env, Dockerfile root user. Advisory: never changes the grade.
Plus a Cowork section in PRIVACY.md and a regenerated demo GIF with the corrected grade.
v0.1.1 — no more hang on blocked semgrep registry
Bug fix release.
In egress-restricted environments (Cowork sandbox, corporate proxies with allowlists) semgrep retried the blocked registry indefinitely and scan.sh hung forever.
- Reachability pre-check on semgrep.dev for registry (
p/*) configs — graceful skip with guidance when blocked - New env vars:
DSC_SEMGREP_CONFIG(local ruleset, fully offline semgrep) andDSC_SEMGREP_TIMEOUT(default 900s) --disable-version-check
Found during a Claude Cowork sandbox compatibility test. Thanks to the graceful degradation design, the remaining scanners keep running and assessment_confidence reflects the reduced coverage.
v0.1.0 — first public release
First public release. 🎉
deep-security-check is a defensive, read-only security assessment skill for Claude Code: point it at a local project and get a report with a reproducible reliability grade (0–100, A–F) — the number comes from a deterministic rubric (score.py), not model opinion.
What's inside
- SAST — Semgrep (
p/defaultruleset) - SCA — osv-scanner (dependency CVEs via OSV.dev)
- Secrets — gitleaks
- Dynamic-test surface —
surface.py, a static zero-traffic pass that flags where a DAST run would look (permissive CORS, missing security headers, insecure cookies, debug/bind-all config). Advisory only, never changes the grade. - Deterministic scoring with per-severity penalties, caps and ceilings (any critical → ≤69, any high → ≤84) +
assessment_confidencethat tells you how much to trust the score itself. Verify the rubric withscore.py --selfcheck. - Graceful degradation: runs with whatever scanners are on
PATH; missing tools lower confidence, never crash the scan.
Install
/plugin marketplace add give-jd/deep-security-check
/plugin install deep-security-check@give-security
Then ask Claude: "how reliable is this project, security-wise?"
Works standalone too (no Claude required) — see README.
Scope
Static analysis only. Reads the project, never modifies it, never sends traffic to live or remote targets. Defensive use only — it is not a penetration test.