feat: engine v0.1.4 support (line ranges + vuln-scan) — release v0.3.0#4

Merged

jhumel-code merged 1 commit into main from feat/engine-v0.1.4-support on Jun 8, 2026
Conversation

@jhumel-code (Collaborator)

… v0.3.0

- Findings: read the engine's start_line/end_line range (v0.1.4 renamed the
  single `line` field) with a legacy `line` fallback, so inline annotations
  point at the right lines across engine versions and span multi-line ranges.
- Add the `vuln-scan` input -> `--vuln-scan`: OSV CVE matches surface as
  findings (readiness/gate/annotations/SARIF) plus a dependency headline in
  every report (console panel, Step Summary, PR comment).
- Add the `skill` scope to the typed Scope / surface-kind unions.
- Set MIN_ENGINE_VERSION to v0.1.3 (first release with single-scan dual output,
  Code-Scanning-valid SARIF, and projected_scores).
- Selftest: unpin from v0.1.2/pre-mcp to v0.1.4 + default rules (v0.1.4 supports
  the mcp category natively and loads newer rules leniently).
- Branding: gray-dark marketplace badge; add the Trustabl banner to the README.
- Release v0.3.0 (package.json, lockfile, CHANGELOG).
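The range-normalisation step from the first bullet, written out as an added example rather than the trustabl-action source: the field names `start_line`, `end_line` and `line` are the ones the description names, while the `EngineFinding` shape, the severity-to-level mapping and the GitHub Actions workflow-command output (`::warning file=...,line=...,endLine=...::message`) are this example's own assumptions about how such an action would surface inline annotations.

```typescript
// Added example (not the trustabl-action source): normalise a finding's line
// range across engine versions. Engine >= v0.1.4 emits start_line/end_line;
// older engines emitted a single `line`. The Finding shape, severity mapping
// and annotation output format are assumptions of this example.

interface EngineFinding {
  file: string;
  message: string;
  severity: "critical" | "high" | "medium" | "low" | "info";
  start_line?: number; // v0.1.4+ range fields
  end_line?: number;
  line?: number;       // pre-v0.1.4 single-line field
}

interface LineRange {
  startLine: number;
  endLine: number;
}

function isPositiveInt(v: unknown): v is number {
  return typeof v === "number" && Number.isInteger(v) && v > 0;
}

// Resolve the range a finding covers. Returns undefined when the finding has
// no usable location, so callers emit a file-level note instead of pointing
// at line 0. An inverted or missing end_line collapses to a single line.
function resolveLineRange(f: EngineFinding): LineRange | undefined {
  if (isPositiveInt(f.start_line)) {
    const endLine =
      isPositiveInt(f.end_line) && f.end_line >= f.start_line
        ? f.end_line
        : f.start_line;
    return { startLine: f.start_line, endLine };
  }
  if (isPositiveInt(f.line)) {
    return { startLine: f.line, endLine: f.line }; // legacy payload
  }
  return undefined;
}

// Assumed mapping of engine severities onto the three annotation levels
// GitHub Actions supports.
function annotationLevel(sev: EngineFinding["severity"]): "error" | "warning" | "notice" {
  if (sev === "critical" || sev === "high") return "error";
  if (sev === "medium" || sev === "low") return "warning";
  return "notice";
}

// '%', '\r' and '\n' must be percent-escaped in workflow-command data.
function escapeData(s: string): string {
  return s.replace(/%/g, "%25").replace(/\r/g, "%0D").replace(/\n/g, "%0A");
}

// Property values additionally escape ':' and ',' (the property delimiters).
function escapeProperty(s: string): string {
  return escapeData(s).replace(/:/g, "%3A").replace(/,/g, "%2C");
}

// Build the workflow-command line that yields an inline PR annotation.
// endLine is omitted when it equals startLine (single-line annotation).
function toAnnotationCommand(f: EngineFinding): string {
  const range = resolveLineRange(f);
  const level = annotationLevel(f.severity);
  const msg = escapeData(f.message);
  if (range === undefined) {
    return `::${level} file=${escapeProperty(f.file)}::${msg}`;
  }
  const props = [`file=${escapeProperty(f.file)}`, `line=${range.startLine}`];
  if (range.endLine !== range.startLine) props.push(`endLine=${range.endLine}`);
  return `::${level} ${props.join(",")}::${msg}`;
}

// Constructed sample payloads: a v0.1.4-style range, a legacy single line,
// and a finding with no location at all.
const sampleFindings: EngineFinding[] = [
  { file: "agent.py", message: "tool call passes raw user input", severity: "high", start_line: 12, end_line: 18 },
  { file: "mcp.json", message: "server allows all hosts", severity: "medium", line: 4 },
  { file: "README.md", message: "no location", severity: "info" },
];

for (const f of sampleFindings) console.log(toAnnotationCommand(f));
```

The fallback order matters: a payload from a newer engine may carry both shapes during a transition, so the range fields are consulted first and `line` only when they are absent or invalid, which keeps multi-line findings spanning their full range instead of collapsing to the legacy single line.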
@github-actions github-actions Bot commented Jun 8, 2026

Trustabl scan

trustabl/trustabl-action · feat/engine-v0.1.4-support · 0 findings

Readiness goes from 100 → 100 (+0)

Readiness now   🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩   100 / 100

Projected if all findings resolved   🟩🟩🟩🟩🟩🟩🟩🟩🟩🟩   100 / 100   +0

Findings by severity

| Severity | Count | |
|---|---|---|
| critical | 0 | ▱▱▱▱▱▱▱▱ |
| high | 0 | ▱▱▱▱▱▱▱▱ |
| medium | 0 | ▱▱▱▱▱▱▱▱ |
| low | 0 | ▱▱▱▱▱▱▱▱ |
| info | 0 | ▱▱▱▱▱▱▱▱ |

Projected headroom — estimate, not a re-scan

| Fix scope | Readiness | Δ |
|---|---|---|
| Fix critical | 100 → 100 | +0 |
| + high | 100 → 100 | +0 |
| + medium | 100 → 100 | +0 |
| + low | 100 → 100 | +0 |
| + info (all) | 100 → 100 | +0 |

Projected by re-applying trustabl's own scoring with the listed findings resolved (nothing new introduced). Treat as guidance, not a guarantee.

| Metric | Value |
|---|---|
| Repository | trustabl/trustabl-action |
| Branch | feat/engine-v0.1.4-support |
| Readiness score | 100 |
| Risk score | 0 |
| Findings | 0 |
| Max severity | none |
| Native exit | 0 |
| Rules version | d77749c5299d470297ee1040a6c8167a759f7004 |

✅ Passed scanning

@jhumel-code jhumel-code merged commit 43e2066 into main Jun 8, 2026
5 checks passed
@jhumel-code jhumel-code deleted the feat/engine-v0.1.4-support branch June 8, 2026 16:30
jaysonsantos05 added a commit that referenced this pull request Jun 9, 2026
commit 57d4363
Merge: 43e2066 fe74efa
Author: Ian Jhumel Bautista <85332563+jhumel-code@users.noreply.github.com>
Date:   Tue Jun 9 01:11:35 2026 +0800

    Merge pull request #5 from trustabl/build/node24-runtime

    build: adopt the Node.js 24 runtime (v0.3.1)

commit fe74efa
Author: Ian Jhumel Bautista <ianjhumelbautista@gmail.com>
Date:   Tue Jun 9 01:10:04 2026 +0800

    docs: document full SDK coverage, vuln-scan, and detector tokens

    README + capabilities list the full analyzed surface (Claude/OpenAI/Google ADK/
    LangChain/CrewAI/Pydantic AI/Vercel AI/AutoGen SDKs, MCP servers, and Claude
    subagents & skills), add a how-it-works note for the opt-in --vuln-scan, expand
    the detectors token list to the engine's full set, and bump install pins to
    v0.3.1.

commit 685730b
Author: Ian Jhumel Bautista <ianjhumelbautista@gmail.com>
Date:   Tue Jun 9 01:03:53 2026 +0800

    build(action): adopt the Node.js 24 runtime ahead of Node 20 deprecation

    GitHub deprecates the Node 20 Actions runtime — runners default to Node 24 on
    2026-06-16 and Node 20 is removed on 2026-09-16. Move `runs.using` to node24
    now. No behavior change: the bundled `dist/` is byte-identical. Build CI and the
    `engines` field bump to Node 24 to match the runtime.

    Release v0.3.1.

commit 43e2066
Merge: ad69fa2 771683a
Author: Ian Jhumel Bautista <85332563+jhumel-code@users.noreply.github.com>
Date:   Tue Jun 9 00:30:02 2026 +0800

    Merge pull request #4 from trustabl/feat/engine-v0.1.4-support

    feat: engine v0.1.4 support (line ranges + vuln-scan) — release v0.3.0

commit 771683a
Author: Ian Jhumel Bautista <ianjhumelbautista@gmail.com>
Date:   Tue Jun 9 00:27:02 2026 +0800

    feat(action): consume engine v0.1.4 (line ranges, vuln-scan); release v0.3.0

    - Findings: read the engine's start_line/end_line range (v0.1.4 renamed the
      single `line` field) with a legacy `line` fallback, so inline annotations
      point at the right lines across engine versions and span multi-line ranges.
    - Add the `vuln-scan` input -> `--vuln-scan`: OSV CVE matches surface as
      findings (readiness/gate/annotations/SARIF) plus a dependency headline in
      every report (console panel, Step Summary, PR comment).
    - Add the `skill` scope to the typed Scope / surface-kind unions.
    - Set MIN_ENGINE_VERSION to v0.1.3 (first release with single-scan dual output,
      Code-Scanning-valid SARIF, and projected_scores).
    - Selftest: unpin from v0.1.2/pre-mcp to v0.1.4 + default rules (v0.1.4 supports
      the mcp category natively and loads newer rules leniently).
    - Branding: gray-dark marketplace badge; add the Trustabl banner to the README.
    - Release v0.3.0 (package.json, lockfile, CHANGELOG).