Releases: trustabl/trustabl-action

v0.4.0 — Enrich: AI explanations, auto-fix, and fix PRs

10 Jun 02:05
973f666

Changelog entry:

[0.4.0] - 2026-06-10

Added

  • Enrich surface — runs trustabl enrich after the scan to generate AI
    explanations and exact code fixes for each finding (BYOK via llm-key)
  • auto-enrich — applies AI-generated fixes directly to source files
  • create-fix-pr — commits patches on a new branch and opens a PR for
    human review; fix PR URL appears in the Step Summary and sticky PR comment
  • enriched.json included in the artifact when enrich runs
  • llm-provider input for future multi-provider support (default: anthropic)
  • enrich-model input to override the Claude model (default: claude-haiku-4-5)
  • enrich-rules input to filter enrichment to specific rule IDs
  • New outputs: enrich-json-file, fix-pr-url

v0.3.1 — Node.js 24 runtime + docs refresh

08 Jun 17:11
57d4363

A maintenance release. @v0 now points here.

Changed

  • Node.js 24 runtime (runs.using: node24), ahead of GitHub's Node 20 deprecation — runners default to Node 24 on 2026-06-16 and remove Node 20 on 2026-09-16. No behavior change — the bundled dist/ is identical to v0.3.0; build CI and engines bump to Node 24 to match. (GitHub-hosted runners already support Node 24; self-hosted runners need Node 24 available.)

Docs

  • Corrected the coverage claim to the analyzer's real surface: Claude / OpenAI / Google ADK / LangChain / CrewAI / Pydantic AI / Vercel AI / AutoGen SDKs, MCP servers, and Claude subagents & skills.
  • Expanded the detectors token list to the full set; added a how-it-works note for the opt-in vuln-scan; bumped install pins to v0.3.1.

Full notes: CHANGELOG.md

v0.3.0 — engine v0.1.4 support (line ranges + vuln-scan)

08 Jun 16:30
43e2066

First Marketplace release of the node20 TypeScript action — the listing previously served the bash v0.1.x. @v0 now points here.

Engine v0.1.4 support

  • Line-range annotations. Inline annotations consume the engine's start_line/end_line (with a legacy line fallback so older pinned engines still work) and span multi-line findings. Fixes annotations collapsing to the top of the file against the latest engine.
  • vuln-scan input (default false). Matches declared dependencies against a pinned OSV snapshot and reports known CVEs as findings — they flow through the readiness score, gating, inline annotations, and the Security tab, plus a dependency headline (scanned / known-vulnerable) in the console panel, Step Summary, and PR comment.
  • skill scope support; MIN_ENGINE_VERSION pinned to v0.1.3.
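An added illustration of the start_line/end_line handling with the legacy line fallback described above. This is example code written for this page, not the action's or the engine's own implementation: the finding shape (start_line/end_line on current engines, a single line field on older pinned ones), the severity-to-annotation-level mapping and the sample findings are assumptions. The escaping rules are those of GitHub workflow commands as implemented by @actions/core, reproduced inline so the block runs without that dependency.

```typescript
// Added example, not trustabl's code. Finding shape and level mapping are assumptions.
type Severity = "critical" | "high" | "medium" | "low" | "info";

interface EngineFinding {
  rule_id: string;
  file: string;
  severity: Severity;
  message: string;
  start_line?: number; // emitted by engine v0.1.4+
  end_line?: number;   // emitted by engine v0.1.4+
  line?: number;       // legacy single-line field from older pinned engines
}

interface Annotation {
  level: "error" | "warning" | "notice";
  file: string;
  title: string;
  message: string;
  startLine?: number;
  endLine?: number;
}

// Prefer the range, fall back to the legacy field, and otherwise leave the range
// unset (file-level annotation) instead of inventing line 1 for an unknown location.
function resolveRange(f: EngineFinding): { startLine?: number; endLine?: number } {
  const start = f.start_line ?? f.line;
  if (start === undefined || start < 1) return {};
  const end = f.end_line ?? start;
  return { startLine: start, endLine: Math.max(start, end) }; // clamp inverted ranges
}

// ASSUMPTION: how severities map onto GitHub's three annotation levels.
function levelFor(sev: Severity): Annotation["level"] {
  if (sev === "critical" || sev === "high") return "error";
  if (sev === "medium") return "warning";
  return "notice";
}

function toAnnotation(f: EngineFinding): Annotation {
  return { level: levelFor(f.severity), file: f.file, title: f.rule_id, message: f.message, ...resolveRange(f) };
}

// Workflow-command escaping (as in @actions/core): message data escapes %, CR, LF;
// property values additionally escape ':' and ','.
function escapeData(s: string): string {
  return s.replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
}
function escapeProperty(s: string): string {
  return escapeData(s).replace(/:/g, "%3A").replace(/,/g, "%2C");
}

// Render the "::error file=...,line=...,endLine=...,title=...::message" form that
// the runner turns into an inline PR annotation spanning the whole finding.
function toWorkflowCommand(a: Annotation): string {
  const props: string[] = [`file=${escapeProperty(a.file)}`];
  if (a.startLine !== undefined) props.push(`line=${a.startLine}`);
  if (a.endLine !== undefined) props.push(`endLine=${a.endLine}`);
  props.push(`title=${escapeProperty(a.title)}`);
  return `::${a.level} ${props.join(",")}::${escapeData(a.message)}`;
}

// Constructed sample findings (not real scanner output): a ranged finding, a legacy
// single-line one, a start without an end, and one with no location at all.
const SAMPLE_FINDINGS: EngineFinding[] = [
  { rule_id: "EXAMPLE-RULE-1", file: "src/agent.py", severity: "high", message: "Agent loop has no turn limit", start_line: 12, end_line: 18 },
  { rule_id: "EXAMPLE-RULE-2", file: "src/tools.py", severity: "medium", message: "Tool schema missing description", line: 7 },
  { rule_id: "EXAMPLE-RULE-3", file: "mcp.json", severity: "low", message: "Server entry has no version pin", start_line: 4 },
  { rule_id: "EXAMPLE-RULE-4", file: "README.md", severity: "info", message: "No file location\nreported, see: docs" },
];

function renderAll(findings: EngineFinding[]): string[] {
  return findings.map(f => toWorkflowCommand(toAnnotation(f)));
}

for (const line of renderAll(SAMPLE_FINDINGS)) console.log(line);
```

Run with npx tsx or ts-node. The case worth checking on an older pinned engine is the second finding: with only line present the annotation still lands on line 7 rather than at the top of the file, and a finding with no location becomes a file-level annotation.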

In this listing (TypeScript rewrite, since the bash v0.1.x)

  • Inline PR annotations + GitHub Security tab (SARIF upload), a sticky PR comment, and a readiness panel in the run log + Step Summary.
  • Single scan (JSON + SARIF from one pass), sha256-verified binary install, and honest gating (a failed/empty scan errors instead of scoring a clean 100).

Migration

  • Grant permissions as needed: security-events: write (Security tab) and pull-requests: write (sticky comment). Without them the action degrades gracefully and never fails solely because a surface was unavailable.
  • Pin @v0.3.0, or track the line with @v0.

Full notes: CHANGELOG.md

v0.1.2

01 Jun 03:50

v0.1.2 — 2026-06-01

Added

  • Readiness score-bar panel. The console box and the Step Summary now lead
    with bar gauges: current readiness vs a projected readiness — what the
    score would be if findings are resolved — computed from the single scan with
    no second run. The projection re-applies trustabl's own scoring
    (per-finding severityWeight × confidence, per-tool max(0, 1 − weighted/3),
    overall = min across tools), so the number matches what a real re-scan
    would produce.
  • Per-severity breakdown. Finding counts for critical / high / medium / low / info, each with a bar scaled to the largest bucket and tinted by
    severity.
  • Projected headroom ladder. A cumulative per-severity projection —
    fix critical → +high → +medium → +low → +info — each row showing
    before → after (+Δ), so you can see which severity tier actually unlocks
    the score.

Changed

  • Console box and Step Summary restyled around the score bars and the ladder.
    The raw metric table (repository, branch, readiness, risk, findings,
    max-severity, native exit) is retained below the panel.
  • Console box frame is now ASCII (+ - |) instead of Unicode box-drawing. Long
    runs of 3-byte box glyphs on the divider lines were being split mid-character
    by log viewers that buffer on byte boundaries, surfacing as U+FFFD (�); ASCII
    is 1 byte/column and immune. Row separators are colored to match the frame.

Fixed

  • CRLF in jq output on Windows runners. Projection values read from jq are
    stripped of \r, so a trailing carriage return can no longer break the
    $(( )) arithmetic on Windows.

Notes

  • Projected scores are an estimate, not a re-scan: each resolved finding is
    assumed removed cleanly with nothing new introduced, and trustabl's confidence
    inputs are heuristic — treat the numbers as guidance. "Projected all" is the
    ceiling (≈100 whenever any findings exist); the ladder and the severity
    breakdown carry the actionable detail.

Capabilities

  • Static reliability/safety scan for agent-SDK repos (Claude Agent SDK,
    OpenAI Agents SDK, Google ADK, MCP) — runs the upstream trustabl binary over
    your checkout, no daemon or hosted service.
  • Composite + cross-platform: ubuntu-*, macos-*, windows-* on
    x64/arm64; binary is tool-cached so reruns are fast.
  • Two machine outputs — full JSON ScanResult and SARIF 2.1.0, uploaded as
    a downloadable artifact (Code Scanning upload is opt-in via upload-sarif).
  • CI gates — fail the job on a risk-score-threshold and/or a
    severity-threshold; both independent, both default-off (zero-config = scan
    only).
  • Readiness panel — colored score-bar report in the log and the run's Step
    Summary: current vs projected readiness, per-severity breakdown, and the
    fix-headroom ladder.
  • Step outputs for downstream steps: readiness-score, risk-score,
    max-severity, findings-count, exit-code, plus file/artifact paths.
  • Zero-config — minimum call is uses: trustabl/actions@v0.1.2 after
    actions/checkout; every input has a sensible default.
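As a worked example of the scoring and projection described under Added above, and of the risk-score-threshold and severity-threshold gates listed under Capabilities, here is a small TypeScript model written for this page. It is not the action's or the trustabl engine's code: the severity weights, the ScanResult shape (a list of detectors that ran plus findings carrying tool, severity and confidence) and the sample findings are assumptions. The arithmetic follows the notes as stated: per-finding severityWeight × confidence, per-tool max(0, 1 − weighted/3) on a 0..100 scale, overall = min across tools, with the ladder re-applying the same scoring to the remaining findings rather than re-scanning.

```typescript
// Added example, not trustabl's own code. Weights, ScanResult shape and the
// sample findings are assumptions; the formula follows the release notes.
type Severity = "critical" | "high" | "medium" | "low" | "info";
const SEVERITY_ORDER: Severity[] = ["critical", "high", "medium", "low", "info"];

// ASSUMPTION: the notes only say "severityWeight × confidence"; these weights are illustrative.
const SEVERITY_WEIGHT: Record<Severity, number> = { critical: 1.0, high: 0.6, medium: 0.3, low: 0.1, info: 0.02 };

interface Finding { tool: string; severity: Severity; confidence: number; } // confidence in [0, 1]
interface ScanResult { tools: string[]; findings: Finding[]; }           // tools = detectors that ran

const round1 = (x: number): number => Math.round(x * 10) / 10; // keep printed scores stable

// Per-tool readiness on 0..100: max(0, 1 - weighted/3), weighted = sum(severityWeight * confidence).
function toolReadiness(findings: Finding[]): number {
  const weighted = findings.reduce((acc, f) => acc + SEVERITY_WEIGHT[f.severity] * f.confidence, 0);
  return round1(Math.max(0, 1 - weighted / 3) * 100);
}

// Overall readiness = min across tools. An empty scan (no detector ran) is an
// error, not a clean 100: a scan that produced nothing must not pass the gate.
function readiness(scan: ScanResult): number {
  if (scan.tools.length === 0) throw new Error("empty scan: no detector ran, refusing to score 100");
  return Math.min(...scan.tools.map(t => toolReadiness(scan.findings.filter(f => f.tool === t))));
}

interface LadderRow { fixThrough: Severity; before: number; after: number; delta: number; }

// Cumulative projection: drop critical, then also high, ... and re-apply the same
// scoring to what remains (no second scan), reporting before -> after (+delta).
function headroomLadder(scan: ScanResult): LadderRow[] {
  const rows: LadderRow[] = [];
  let remaining = scan.findings;
  let before = readiness(scan);
  for (const sev of SEVERITY_ORDER) {
    remaining = remaining.filter(f => f.severity !== sev);
    const after = readiness({ ...scan, findings: remaining });
    rows.push({ fixThrough: sev, before, after, delta: round1(after - before) });
    before = after;
  }
  return rows;
}

interface Gates { severityThreshold?: Severity; riskScoreThreshold?: number; }

// Both gates are independent and default-off; risk = 100 - readiness.
function gateFailures(scan: ScanResult, gates: Gates): string[] {
  const reasons: string[] = [];
  const risk = round1(100 - readiness(scan));
  if (gates.riskScoreThreshold !== undefined && risk >= gates.riskScoreThreshold) {
    reasons.push(`risk score ${risk} >= threshold ${gates.riskScoreThreshold}`);
  }
  if (gates.severityThreshold !== undefined) {
    const cutoff = SEVERITY_ORDER.indexOf(gates.severityThreshold);
    const hits = scan.findings.filter(f => SEVERITY_ORDER.indexOf(f.severity) <= cutoff);
    if (hits.length > 0) reasons.push(`${hits.length} finding(s) at or above ${gates.severityThreshold}`);
  }
  return reasons;
}

// Constructed sample scan (not real scanner output).
const SAMPLE_SCAN: ScanResult = {
  tools: ["claude_sdk", "openai_sdk"],
  findings: [
    { tool: "claude_sdk", severity: "critical", confidence: 0.9 },
    { tool: "claude_sdk", severity: "high", confidence: 0.8 },
    { tool: "claude_sdk", severity: "medium", confidence: 0.5 },
    { tool: "openai_sdk", severity: "low", confidence: 1.0 },
  ],
};

console.log("readiness", readiness(SAMPLE_SCAN));
for (const r of headroomLadder(SAMPLE_SCAN)) {
  console.log(`fix ${r.fixThrough.padEnd(8)} ${r.before} -> ${r.after} (+${r.delta})`);
}
console.log("gate failures", gateFailures(SAMPLE_SCAN, { severityThreshold: "high", riskScoreThreshold: 70 }));
```

Run with npx tsx or ts-node. With the sample above the ladder shows the point the notes make: clearing critical moves the score the most, clearing medium barely moves it because the minimum across tools shifts to the other detector, and the severity gate trips while the risk gate at 70 does not.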

Usage

Minimal — drop into .github/workflows/trustabl.yml:

name: Trustabl
on: [push, pull_request]

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: trustabl/actions@v0.1.2

Pinned + gated:

- uses: trustabl/actions@v0.1.2
  with:
    version: v0.5.0                 # pin the trustabl binary for reproducible CI
    detectors: claude_sdk,openai_sdk
    severity-threshold: high        # fail on any high or critical finding
    risk-score-threshold: 70        # fail if risk (100 - readiness) >= 70
    upload-sarif: true              # also requires: permissions → security-events: write

v0.1.1

27 May 00:32

Patch release. Single bug fix for branch resolution on remote URL targets.

v0.1.1

Fixed

  • Branch row showed unknown for https://github.com/OWNER/NAME targets. The resolver only inspected local checkouts, so URL-based scans had no signal to read. v0.1.1 calls gh api repos/OWNER/NAME --jq .default_branch using the runner's ${{ github.token }} and shows the remote's default branch — the same one trustabl actually clones and scans.

Local-path targets still prefer main → master → HEAD. unknown remains the documented last resort.

Usage

name: Trustabl
on: [push, pull_request]

permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: trustabl/actions@v0.1.1

v0.1.0

26 May 14:10

First Marketplace release. Reusable composite Action that runs trustabl — the static reliability/safety analyzer for agent-SDK repos (Claude Agent SDK, OpenAI Agents SDK, Google ADK, MCP) — against any repository and gates the pipeline on readiness, risk, or severity thresholds.

⚠️ 0.x pre-stable. Pin to @v0.1.0 (not a sliding @v0). Minor bumps may carry breaking changes until 1.0.0.

Quick start

name: Trustabl
on: [push, pull_request]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: trustabl/actions@v0.1.0

**Full Changelog**: https://github.com/trustabl/actions/commits/v0.1.0