v0.1.2 — 2026-06-01
Added
- Readiness score-bar panel. The console box and the Step Summary now lead
  with bar gauges: current readiness vs a projected readiness — what the
  score would be if findings are resolved — computed from the single scan with
  no second run. The projection re-applies trustabl's own scoring
  (per-finding `severityWeight × confidence`, per-tool `max(0, 1 − weighted/3)`,
  overall = `min` across tools), so the number matches what a real re-scan
  would produce.
- Per-severity breakdown. Finding counts for critical / high / medium / low / info,
  each with a bar scaled to the largest bucket and tinted by severity.
- Projected headroom ladder. A cumulative per-severity projection —
  fix critical → +high → +medium → +low → +info — each row showing
  before → after (+Δ), so you can see which severity tier actually unlocks
  the score.
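The projection and ladder described above, re-implemented as an added example (not the action's or trustabl's own code). It assumes constructed severity weights, a 0-100 readiness scale (the page reports risk as 100 - readiness), and that `weighted` is a tool's sum of severityWeight × confidence; the findings are constructed sample input.

```python
from collections import defaultdict

SEVERITIES = ["critical", "high", "medium", "low", "info"]
# Constructed weights: the page names severityWeight but gives no values.
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25, "info": 0.1}

# Constructed sample findings (tool, severity, confidence in 0..1).
SAMPLE_FINDINGS = [
    {"tool": "claude_sdk", "severity": "critical", "confidence": 0.9},
    {"tool": "claude_sdk", "severity": "high", "confidence": 0.8},
    {"tool": "claude_sdk", "severity": "low", "confidence": 0.5},
    {"tool": "openai_sdk", "severity": "high", "confidence": 0.4},
    {"tool": "openai_sdk", "severity": "medium", "confidence": 1.0},
    {"tool": "openai_sdk", "severity": "info", "confidence": 0.6},
]


def readiness(findings):
    """Readiness 0-100: per finding severityWeight × confidence, per tool
    max(0, 1 - weighted/3) with `weighted` assumed to be that tool's sum,
    overall = min across tools (the 0-100 scale is an assumption)."""
    weighted = defaultdict(float)
    for f in findings:
        weighted[f["tool"]] += SEVERITY_WEIGHT[f["severity"]] * f["confidence"]
    if not weighted:  # nothing left: the "projected all" ceiling
        return 100.0
    return round(min(max(0.0, 1.0 - w / 3.0) for w in weighted.values()) * 100, 1)


def severity_breakdown(findings):
    """Finding counts per severity bucket, in panel order."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f["severity"]] += 1
    return counts


def headroom_ladder(findings):
    """Cumulative projection rows (tier, before, after, delta): fix critical,
    then +high, ... +info, each tier assumed removed cleanly with nothing new."""
    rows, remaining = [], list(findings)
    before = readiness(remaining)
    for sev in SEVERITIES:
        remaining = [f for f in remaining if f["severity"] != sev]
        after = readiness(remaining)
        rows.append((sev, before, after, round(after - before, 1)))
        before = after
    return rows
```

With the sample findings the ladder shows that resolving the single critical finding moves the score most, while the remaining tiers each unlock only a few points, which is the "which tier actually unlocks the score" reading the panel is meant to give.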
Changed
- Console box and Step Summary restyled around the score bars and the ladder.
  The raw metric table (repository, branch, readiness, risk, findings,
  max-severity, native exit) is retained below the panel.
- Console box frame is now ASCII (`+ - |`) instead of Unicode box-drawing. Long
  runs of 3-byte box glyphs on the divider lines were being split mid-character
  by log viewers that buffer on byte boundaries, surfacing as U+FFFD (�); ASCII
  is 1 byte/column and immune. Row separators are colored to match the frame.
Fixed
- CRLF in jq output on Windows runners. Projection values read from `jq` are
  stripped of `\r`, so a trailing carriage return can no longer break the
  `$(( ))` arithmetic on Windows.
Notes
- Projected scores are an estimate, not a re-scan: each resolved finding is
assumed removed cleanly with nothing new introduced, and trustabl's confidence
inputs are heuristic — treat the numbers as guidance. "Projected all" is the
ceiling (≈100 whenever any findings exist); the ladder and the severity
breakdown carry the actionable detail.
Capabilities
- Static reliability/safety scan for agent-SDK repos (Claude Agent SDK,
  OpenAI Agents SDK, Google ADK, MCP) — runs the upstream `trustabl` binary over
  your checkout, no daemon or hosted service.
- Composite + cross-platform — `ubuntu-*`, `macos-*`, `windows-*` on
  x64/arm64; binary is tool-cached so reruns are fast.
- Two machine outputs — full JSON `ScanResult` and SARIF 2.1.0, uploaded as
  a downloadable artifact (Code Scanning upload is opt-in via `upload-sarif`).
- CI gates — fail the job on a `risk-score-threshold` and/or a
  `severity-threshold`; both independent, both default-off (zero-config = scan
  only).
- Readiness panel — colored score-bar report in the log and the run's Step
  Summary: current vs projected readiness, per-severity breakdown, and the
  fix-headroom ladder.
- Step outputs for downstream — `readiness-score`, `risk-score`,
  `max-severity`, `findings-count`, `exit-code`, plus file/artifact paths.
- Zero-config — minimum call is `uses: trustabl/actions@v0.1.2` after
  `actions/checkout`; every input has a sensible default.
Usage
Minimal — drop into `.github/workflows/trustabl.yml`:

```yaml
name: Trustabl
on: [push, pull_request]
permissions:
  contents: read
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: trustabl/actions@v0.1.2
```

Pinned + gated:

```yaml
      - uses: trustabl/actions@v0.1.2
        with:
          version: v0.5.0 # pin the trustabl binary for reproducible CI
          detectors: claude_sdk,openai_sdk
          severity-threshold: high # fail on any high or critical finding
          risk-score-threshold: 70 # fail if risk (100 - readiness) >= 70
          upload-sarif: true # also requires: permissions → security-events: write
```