
v0.3.0 — engine v0.1.4 support (line ranges + vuln-scan)


jhumel-code released this 08 Jun 16:30 · 24 commits to main since this release · commit 43e2066

First Marketplace release of the node20 TypeScript action — the listing previously served the bash v0.1.x. @v0 now points here.

Engine v0.1.4 support

  • Line-range annotations. Inline annotations consume the engine's start_line/end_line (with a legacy line fallback so older pinned engines still work) and span multi-line findings. Fixes annotations collapsing to the top of the file against the latest engine.
  • vuln-scan input (default false). Matches declared dependencies against a pinned OSV snapshot and reports known CVEs as findings. They flow through the readiness score, gating, inline annotations and the Security tab, and a dependency headline (scanned / known-vulnerable) appears in the console panel, Step Summary and PR comment. Because the snapshot is pinned, advisories published after it are not reported until the snapshot is refreshed.
  • Support for the engine's skill scope; MIN_ENGINE_VERSION pinned to v0.1.3, so engines below that version are not accepted.
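As an added illustration of the two engine-facing checks above, and not code from this action or its engine: a TypeScript sketch of refusing engines below MIN_ENGINE_VERSION and of matching declared dependencies against an OSV snapshot, the way the vuln-scan input is described as doing. The OSV field names (affected, package, ranges, events, introduced, fixed) follow the public OSV schema; the dependency record shape, the snapshot entries, package names and advisory identifiers are constructed for the example and are not real advisories.

```typescript
// Added example, not the action's own code. OSV field names follow the public
// OSV schema; Dependency, VulnFinding, and all sample data are constructed here.
interface Dependency { ecosystem: string; name: string; version: string; }

interface OsvEvent { introduced?: string; fixed?: string; }
interface OsvRange { type: "SEMVER" | "ECOSYSTEM" | "GIT"; events: OsvEvent[]; }
interface OsvAffected {
  package: { ecosystem: string; name: string };
  ranges?: OsvRange[];
  versions?: string[]; // explicit affected versions, when the entry lists them
}
interface OsvEntry { id: string; aliases?: string[]; summary?: string; affected: OsvAffected[]; }

interface VulnFinding { dependency: Dependency; advisory: string; cves: string[]; summary: string; }

// Version floor taken from the release notes; anything older is refused outright.
const MIN_ENGINE_VERSION = "v0.1.3";

// Accepts "v0.1.4", "0.1.4", "2.0" (missing components read as 0); rejects junk.
function parseVersion(v: string): number[] {
  const m = /^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${JSON.stringify(v)}`);
  return [Number(m[1]), Number(m[2] ?? 0), Number(m[3] ?? 0)];
}

// Negative when a < b, zero when equal, positive when a > b; numeric per component,
// so "0.1.10" correctly sorts after "0.1.9" (a string compare would not).
function compareVersions(a: string, b: string): number {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Refuse engines older than the pin rather than guessing at their output format.
function engineIsSupported(version: string, min: string = MIN_ENGINE_VERSION): boolean {
  return compareVersions(version, min) >= 0;
}

// OSV uses "0" for "affected since the very first version".
function introducedLE(introduced: string, version: string): boolean {
  return introduced === "0" || compareVersions(introduced, version) <= 0;
}

// An OSV SEMVER range is an ordered event list: each `introduced` opens an interval
// that the next `fixed` closes (exclusive). A trailing `introduced` with no `fixed`
// means every later version is still affected.
function inSemverRange(version: string, range: OsvRange): boolean {
  let open: string | null = null;
  for (const ev of range.events) {
    if (ev.introduced !== undefined) open = ev.introduced;
    if (ev.fixed !== undefined) {
      if (open !== null && introducedLE(open, version) && compareVersions(version, ev.fixed) < 0) return true;
      open = null;
    }
  }
  return open !== null && introducedLE(open, version);
}

function affectsDependency(entry: OsvEntry, dep: Dependency): boolean {
  return entry.affected.some(a => {
    if (a.package.ecosystem !== dep.ecosystem || a.package.name !== dep.name) return false;
    if (a.versions && a.versions.indexOf(dep.version) !== -1) return true;
    return (a.ranges || []).some(r => r.type === "SEMVER" && inSemverRange(dep.version, r));
  });
}

// One finding per (dependency, advisory) pair; CVE aliases are pulled out for reporting.
function scanDependencies(deps: Dependency[], snapshot: OsvEntry[]): VulnFinding[] {
  const out: VulnFinding[] = [];
  for (const dep of deps) {
    for (const entry of snapshot) {
      if (!affectsDependency(entry, dep)) continue;
      out.push({
        dependency: dep,
        advisory: entry.id,
        cves: (entry.aliases || []).filter(a => a.indexOf("CVE-") === 0),
        summary: entry.summary || "",
      });
    }
  }
  return out;
}

// Constructed snapshot and lockfile: ids, aliases, package names and versions are made up.
const SAMPLE_SNAPSHOT: OsvEntry[] = [
  { id: "EXAMPLE-0001", aliases: ["CVE-0000-0001"], summary: "prototype pollution in merge()",
    affected: [{ package: { ecosystem: "npm", name: "example-merge" },
                 ranges: [{ type: "SEMVER", events: [{ introduced: "0" }, { fixed: "1.4.2" }] }] }] },
  { id: "EXAMPLE-0002", aliases: ["CVE-0000-0002"], summary: "ReDoS in parser",
    affected: [{ package: { ecosystem: "npm", name: "example-parse" },
                 ranges: [{ type: "SEMVER",
                            events: [{ introduced: "2.0.0" }, { fixed: "2.3.1" }, { introduced: "3.0.0" }] }] }] },
];
const SAMPLE_DEPENDENCIES: Dependency[] = [
  { ecosystem: "npm", name: "example-merge", version: "1.3.0" }, // affected: below the 1.4.2 fix
  { ecosystem: "npm", name: "example-parse", version: "2.3.1" }, // exactly the fixed version: clean
  { ecosystem: "npm", name: "example-parse", version: "3.1.0" }, // affected: open interval from 3.0.0
  { ecosystem: "npm", name: "example-other", version: "0.1.0" }, // not in the snapshot
];
```

The range walk treats `fixed` as exclusive and a trailing `introduced` as still open, which is how OSV defines SEMVER ranges; an explicit `versions` list is honoured as well. A pinned snapshot is only as current as its pin: refreshing the snapshot, not the action, is what surfaces new advisories.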

In this listing (TypeScript rewrite, since the bash v0.1.x)

  • Inline PR annotations + GitHub Security tab (SARIF upload), a sticky PR comment, and a readiness panel in the run log + Step Summary.
  • Single scan (JSON + SARIF from one pass), sha256-verified binary install, and honest gating: a failed or empty scan errors out instead of scoring a clean 100.
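The three properties listed above (verified install, line-range annotations, fail-closed gating), shown together in one added TypeScript example that is not the action's own code: a pinned sha256 is compared in constant time against the bytes actually written to disk before the binary is made executable; findings take start_line/end_line and fall back to the legacy line field rather than defaulting to line 1; and empty or malformed engine output is an error, not a clean score. The finding shape, the severity-to-level mapping, the PINNED_SHA256 value (the digest of the three-byte string abc, so the example runs offline) and the sample engine output are all assumptions made here.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";
import { chmodSync, readFileSync, renameSync, rmSync, writeFileSync } from "node:fs";

// Added example, not the action's code. start_line/end_line and the legacy `line`
// field are the names given in the release notes; every other field is assumed.
interface EngineFinding {
  path: string; rule: string; message: string;
  severity: "low" | "medium" | "high" | "critical";
  start_line?: number; end_line?: number; // engine v0.1.4+, inclusive range
  line?: number;                          // single-line field from older engines
}
interface Annotation {
  path: string; startLine: number; endLine: number;
  level: "notice" | "warning" | "error"; // GitHub annotation levels
  title: string; message: string;
}
const LEVEL: Record<EngineFinding["severity"], Annotation["level"]> = {
  low: "notice", medium: "warning", high: "error", critical: "error",
};

// 1. Verified install. Hypothetical pin: this is sha256("abc"). In a real action the
//    pin is a constant shipped with the action, never fetched beside the binary.
const PINNED_SHA256 = "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad";

// Constant-time compare; a pin of the wrong length is rejected before timingSafeEqual,
// which would otherwise throw on mismatched buffer lengths.
function digestMatches(bytes: Uint8Array, pinnedHex: string): boolean {
  const actual = createHash("sha256").update(bytes).digest();
  const expected = Buffer.from(pinnedHex.toLowerCase(), "hex");
  return expected.length === 32 && timingSafeEqual(actual, expected);
}

// Write with mode 0600, hash what is on disk, and only then chmod +x and rename into
// place. On a mismatch the partial file is removed and nothing executable remains.
function installVerified(downloaded: Uint8Array, pinnedHex: string, dest: string): string {
  const partial = `${dest}.partial`;
  writeFileSync(partial, downloaded, { mode: 0o600 });
  try {
    if (!digestMatches(readFileSync(partial), pinnedHex)) {
      throw new Error(`engine binary does not match pinned sha256 ${pinnedHex}`);
    }
    chmodSync(partial, 0o755);
    renameSync(partial, dest);
    return dest;
  } finally {
    rmSync(partial, { force: true }); // no-op after a successful rename
  }
}

// 2. Line ranges: prefer start_line/end_line, fall back to legacy `line`, and never
//    default silently to line 1 (the collapse-to-top-of-file symptom).
function isLine(n: unknown): n is number {
  return typeof n === "number" && n >= 1 && Math.floor(n) === n;
}

function toRange(f: EngineFinding): { startLine: number; endLine: number } {
  if (isLine(f.start_line)) {
    const end = isLine(f.end_line) ? f.end_line : f.start_line;
    return { startLine: f.start_line, endLine: Math.max(f.start_line, end) };
  }
  if (isLine(f.line)) return { startLine: f.line, endLine: f.line };
  throw new Error(`finding ${f.rule} in ${f.path} carries no line information`);
}

function toAnnotation(f: EngineFinding): Annotation {
  const { startLine, endLine } = toRange(f);
  return { path: f.path, startLine, endLine, level: LEVEL[f.severity], title: f.rule, message: f.message };
}

// 3. Honest gating: a non-zero exit, empty output, or malformed output is an error.
//    Only a well-formed report whose findings array is empty yields zero annotations.
function annotationsFromEngineOutput(raw: string, exitCode: number): Annotation[] {
  if (exitCode !== 0) throw new Error(`engine exited with status ${exitCode}`);
  if (raw.trim() === "") throw new Error("engine produced no output; refusing to score it as clean");
  let doc: unknown;
  try { doc = JSON.parse(raw); } catch (e) { throw new Error(`engine output is not JSON: ${(e as Error).message}`); }
  const findings = (doc as { findings?: unknown }).findings;
  if (!Array.isArray(findings)) throw new Error("engine output has no findings array");
  return (findings as EngineFinding[]).map(toAnnotation);
}

// Constructed sample output: one v0.1.4 multi-line finding and one legacy single-line finding.
const SAMPLE_ENGINE_OUTPUT = JSON.stringify({
  findings: [
    { path: "src/db.ts", rule: "sql-injection", message: "query built by string concatenation",
      severity: "high", start_line: 40, end_line: 44 },
    { path: "src/auth.ts", rule: "weak-hash", message: "MD5 used for password digest",
      severity: "medium", line: 12 },
  ],
});
```

The pin has to come from a source independent of the download, such as a constant checked into the action and bumped with the engine version; a digest served next to the binary can be swapped by whoever swaps the binary. Hashing the file after it is written, rather than the in-memory buffer, verifies the bytes that will actually be executed.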

Migration

  • Grant permissions as needed: security-events: write (Security tab) and pull-requests: write (sticky comment). Without them the action degrades gracefully and never fails solely because a surface was unavailable.
  • Pin @v0.3.0, or track the v0 release line with @v0. For an immutable reference, pin the release commit by its full SHA instead of a tag.

Full notes: CHANGELOG.md