
v1.5.1 — Provenance Chain Display in Dashboard Fix Cards


@greenarmor greenarmor released this 20 Jun 04:02
· 23 commits to master since this release

Release v1.5.1 (Patch)

Patch release. Enhances the Fix Assignment feature (v1.5.0) with full provenance chain visibility directly inside dashboard fix cards. Every pending fix now displays the complete governance approval chain — approval, risk assessment, policy, evidence, and review cycle — inline, without navigating to the Governance tab. Includes a bug fix for escapeHtml() crashing on undefined governance fields.

Previous release: v1.5.0
Release date: 2026-06-19


Highlights

Provenance Chain Now Visible Inside Every Pending Fix

In v1.5.0, assigning a fix to a governance record only showed the linked record name and assignee. Users had to navigate to the Governance tab to see the full approval chain.

Now, every fix card includes a "Governance Provenance Chain" section that renders the complete chain inline — exactly where you're triaging the fix.

┌─────────────────────────────────────────────────────┐
│ GDPR-ART32-006 — Audit Logging              HIGH ⚠️  │
├─────────────────────────────────────────────────────┤
│ Description: ...                                    │
│ Fix Guidance: ...                                   │
├─────────────────────────────────────────────────────┤
│ GOVERNANCE PROVENANCE CHAIN                         │
│                                                     │
│ ┌─────────────────────────────────────────────┐    │
│ │ ASSIGNED  Assignee: Bob Smith (Security Eng) │    │
│ │           Assigned by Tech Lead on 6/19/2026 │    │
│ │           Notes: Must implement audit logging│    │
│ │           [Mark Fixed] [Unassign]            │    │
│ └─────────────────────────────────────────────┘    │
│                                                     │
│ ┌─────────────────────────────────────────────┐    │
│ │ Payment Processing System   APPROVED  HIGH   │    │
│ ├─────────────────────────────────────────────┤    │
│ │ Approval     APPROVED by Jane Smith (CISO)   │    │
│ │              valid until 2027-01-01           │    │
│ │ Risk Assess  Score: 7.5/10 — Residual: medium│    │
│ │ Policy Basis InfoSec Policy v2.1 (ISO 27001) │    │
│ │ Evidence     DPIA Report Q4 (jira: DPIA-001) │    │
│ │ Review Cycle annual — next: 2027-01-01        │    │
│ │ Chain        ✓→✓→✓→✓→✓                       │    │
│ └─────────────────────────────────────────────┘    │
├─────────────────────────────────────────────────────┤
│ Traceability: ...                                   │
└─────────────────────────────────────────────────────┘

Control-Level Assignment

Controls without specific code findings (e.g., not-implemented status) can now be assigned directly. Previously, the "+ Assign to Governance Record" button only appeared inside individual audit findings. Now every non-passing control shows an assign button regardless of whether it has audit evidence.


What's New

1. Inline Provenance Table

When a fix is assigned to a governance record, the fix card renders a compact table showing all six dimensions of the provenance chain:

| Dimension | What's Shown |
|---|---|
| Approval | Decision (APPROVED/REJECTED/CONDITIONAL), approver name + role, validity period |
| Risk Assessment | Risk score, residual risk, methodology |
| Policy Basis | Policy name, version, standard reference |
| Evidence Chain | All evidence references with source system (Jira, Confluence, etc.) |
| Review Cycle | Frequency, next review date |
| Chain Summary | Approval → Risk → Policy → Evidence → Review (✓/✗ indicators) |

Each dimension shows ✓ (recorded) or ✗ (not documented), making gaps immediately visible.

2. Assignment Details Box

The assignment section now displays:

  • Status badge — assigned / in-progress / fixed / verified (color-coded)
  • Assignee — name + role
  • Assigned by — who made the assignment
  • Date — when assigned
  • Notes — assignment context
  • Resolution (if resolved) — resolver, method (auto-fix/manual/not-applicable), date, notes
  • Action buttons — Mark Fixed (if not resolved), Unassign

3. Unassigned State

Controls without an assignment show:

  • A dashed-border prompt: "This control is not linked to any governance record"
  • A prominent "+ Assign to Governance Record" button
  • Works at the control level — no audit findings needed

4. Bug Fix: escapeHtml() Undefined Crash

Pre-existing bug: The escapeHtml() function crashed when called with undefined or null values. This affected governance records where enrichment functions left optional fields unset (rationale, conditions, assessment_date, last_review, review_history).

Fix: escapeHtml() now accepts unknown input, returns empty string for null/undefined, and converts everything else to string. All .map() calls on optional arrays are guarded with || [].
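
The crash and the guarded behaviour described above, as an added example that is not the project's own code. The `GovernanceRecord` shape, `escapeHtmlBefore()`, `renderRecord()` and `crashesBefore()` are hypothetical; only the optional field names and the described behaviour of `escapeHtml()` come from these release notes.

```typescript
// Added example; not code from the project. The record shape is an assumption.
interface GovernanceRecord {
  name: string;
  rationale?: string;
  conditions?: string[];
  review_history?: { date: string; reviewer: string }[];
}

const HTML_ENTITIES: Record<string, string> = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
};

// Assumed pre-fix shape: typed for strings only, so an unset optional field
// that reaches it at runtime throws a TypeError on .replace().
function escapeHtmlBefore(value: string): string {
  return value.replace(/[&<>"']/g, (c) => HTML_ENTITIES[c] ?? c);
}

// Behaviour described in the notes: accept unknown, return "" for
// null/undefined, convert everything else to a string, then escape it.
function escapeHtml(value: unknown): string {
  if (value === null || value === undefined) return "";
  return String(value).replace(/[&<>"']/g, (c) => HTML_ENTITIES[c] ?? c);
}

// Optional arrays are guarded with `|| []` before .map(), as the notes describe.
function renderRecord(rec: GovernanceRecord): string {
  const conditions = (rec.conditions || [])
    .map((c) => `<li>${escapeHtml(c)}</li>`)
    .join("");
  const reviews = (rec.review_history || [])
    .map((r) => `<li>${escapeHtml(r.date)} ${escapeHtml(r.reviewer)}</li>`)
    .join("");
  return `<h4>${escapeHtml(rec.name)}</h4><p>${escapeHtml(rec.rationale)}</p>` +
    `<ul class="conditions">${conditions}</ul><ul class="reviews">${reviews}</ul>`;
}

// True when the pre-fix helper throws on the record's unset rationale.
function crashesBefore(rec: GovernanceRecord): boolean {
  try {
    escapeHtmlBefore(rec.rationale as string);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed sample: enrichment left every optional field unset.
const sparse: GovernanceRecord = { name: 'Payment "Processing" <System>' };
```

Returning an empty string keeps the card rendering while still escaping every value that is present, including non-string values such as a numeric risk score.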


Files Changed

| File | Change |
|---|---|
| packages/web-dashboard/src/template.ts | +166/-9 — New renderGovernanceProvenanceSection() and renderProvenanceChainInline() functions, control-level assign buttons, escapeHtml() fix, array guards |

Validation

pnpm -r run build   → 16 packages, all clean
pnpm -r run test    → 465 tests, all passing

E2E smoke test      → 16/16 checks passed:
  - Provenance chain table renders with all 6 dimensions ✓
  - Approver name, role, decision displayed ✓
  - Risk score, policy, evidence, review cycle displayed ✓
  - Assignee, notes, status badge displayed ✓
  - Mark Fixed + Unassign buttons present ✓
  - Control-level Assign button for unassigned controls ✓

Upgrade Guide

This is a patch release. No migration required.

npm install -g @greenarmor/ges@latest

The dashboard updates automatically — no configuration needed. Open the Fixes Detail tab and expand any pending fix to see the new provenance chain section.