feat(security): surface Dependabot posture in portfolio render surfaces #28
Merged
The radar's truth-layer security dimension (RiskFields.security_risk, SecurityFields Dependabot counts, the active-high-severity-alerts factor) was wired into the risk model and weekly digest in #27, but the two human-facing render surfaces — PORTFOLIO-AUDIT-REPORT.md and project-registry.md — did not surface it. This adds that, mirroring the digest's Security Posture treatment:
- Portfolio report: a Coverage Summary line + a dedicated '## Security Posture' section (TOC entry included) with the same three states as the digest — per-repo open high/critical (critical-first, capped at 5), 'all N scanned clear', or 'overlay not run'.
- Registry: a pipe-free per-repo security flag in the Notes column (fires only for scanned repos with open high/critical) plus four aggregate rows in the Portfolio Summary table.

Shared _security_overview / _security_attention_items helpers mirror the digest's aggregation on the in-memory snapshot. The Notes flag is pipe-free and the summary rows are digit-valued, so the registry still round-trips through parse_registry unchanged; both markdown validators stay green. 5 new tests cover all three report states, the registry flag + round-trip, and the unscanned case.
…egistry clean path

Addresses code-review findings on the render surfaces:
- validate_portfolio_report_markdown now requires the '## Security Posture' header, so the section can't silently vanish in a future refactor (every other section header is already guarded).
- New unit test pins _security_attention_items' cap-at-5 and critical-desc / high-desc / name-asc sort — the one behavior unique to the attention list.
- Extends the scanned-clear test to assert the registry's per-repo flag is absent for a medium-only repo while it still counts as scanned.
What

Surfaces the radar's truth-layer security dimension (RiskFields.security_risk, SecurityFields Dependabot counts, the active-high-severity-alerts factor) in the two human-facing render surfaces. The radar was wired into the risk model + weekly digest in #27, but PORTFOLIO-AUDIT-REPORT.md and project-registry.md didn't yet reflect it. This closes that gap, mirroring the digest's Security Posture treatment.

Changes

Portfolio report (render_portfolio_report_markdown)
- ## Security Posture section (+ TOC entry) with the same three states as the digest: per-repo open high/critical alerts (critical-first, capped at 5), "all N scanned clear", or "overlay not run".

Registry (render_registry_markdown)

Shared helpers — _security_overview and _security_attention_items mirror the digest's _build_security_summary / _build_security_attention_items, operating on the in-memory snapshot instead of JSON.

Safety
- parse_registry with an unchanged project-row count (proven by test).
- (validate_registry_markdown, validate_portfolio_report_markdown) stay green — no required section removed.

Tests
- ruff check . clean.
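An added, stand-alone illustration (not the PR's own code) of the behaviour the description and the follow-up commit pin down: the three-state Security Posture text, the attention list's critical-desc / high-desc / name-asc sort with a cap of 5, and the pipe-free registry flag that stays empty for unscanned or medium-only repos. The RepoSecurity dataclass, the flag wording and the sample snapshot are assumptions made for the example.

```python
from dataclasses import dataclass

ATTENTION_CAP = 5  # the "capped at 5" rule from the PR description

@dataclass(frozen=True)
class RepoSecurity:
    """Constructed stand-in for one repo's Dependabot counts in the snapshot (assumed shape)."""
    name: str
    scanned: bool            # False when the Dependabot overlay did not run for this repo
    open_critical: int = 0
    open_high: int = 0
    open_medium: int = 0     # medium-only repos count as scanned but raise no flag

def security_attention_items(repos):
    """Scanned repos with open high/critical, sorted critical-desc / high-desc / name-asc, capped."""
    hot = [r for r in repos if r.scanned and (r.open_critical or r.open_high)]
    hot.sort(key=lambda r: (-r.open_critical, -r.open_high, r.name))
    return hot[:ATTENTION_CAP]

def security_overview(repos):
    """Render one of the three states: overlay not run, all N scanned clear, or per-repo lines."""
    scanned = [r for r in repos if r.scanned]
    if not scanned:
        return "Security overlay not run."
    items = security_attention_items(scanned)
    if not items:
        return f"All {len(scanned)} scanned clear of open high/critical alerts."
    return "\n".join(f"- {r.name}: {r.open_critical} critical, {r.open_high} high open" for r in items)

def registry_notes_flag(repo):
    """Pipe-free Notes-column flag; empty for unscanned or medium-only repos."""
    if not repo.scanned or not (repo.open_critical or repo.open_high):
        return ""
    flag = f"SEC {repo.open_critical}C/{repo.open_high}H open"  # wording is an assumption
    assert "|" not in flag  # a pipe would add a column and break the markdown table round-trip
    return flag

# Constructed sample snapshot; names and counts are made up for the example.
SAMPLE = [
    RepoSecurity("api-gateway", True, open_critical=2, open_high=1),
    RepoSecurity("billing", True, open_high=4),
    RepoSecurity("web", True, open_critical=2, open_high=3),
    RepoSecurity("docs", True, open_medium=2),   # scanned, medium-only: no flag
    RepoSecurity("legacy", False),               # overlay did not run
    RepoSecurity("auth", True, open_high=4),
    RepoSecurity("cli", True, open_high=1),      # sixth hot repo, cut by the cap
    RepoSecurity("infra", True, open_critical=1),
]
```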