v0.4.0 — noise reduction: dedup, path triage, malware category
Makes the grade reflect real risk, not scanner overlap. Inspired by Aikido's AutoTriage.
Cross-scanner dedup — the same file:line flagged by two tools is now counted once. Fixes a latent double-counting bug (demo project moves 55/E -> correct 69/D). Re-scan your projects — grades may improve.
Path-aware triage — findings under tests/fixtures/examples/mocks are downgraded one severity step. A hardcoded credential in a test fixture is not a production leak. Malware is never downgraded.
Malware category — OSV MAL-* advisories (actively malicious packages) surface as malicious_packages, separate from CVEs, and hard-cap the score at 20/F.
Fix suggestions — the skill proposes a concrete patch for the top findings — suggested for review, never applied. Still fully read-only.
score.py refactored to operate on individual findings; expanded selfcheck. Backward compatible.