feat: Regulatory compliance audit — 20 frameworks, 126 checks, cross-framework mapping#183
Merged
feat: Regulatory compliance audit — 20 frameworks, 126 checks, cross-framework mapping#183
Conversation
- review_test: TestReviewPR_NoSCIPIndex creates 25-file repo without
SCIP index, runs review with 6 concurrent checks. Validates the
tsMu fix in searchWithTreesitter doesn't regress.
- secrets: isDocumentationFile() raises entropy threshold to 4.0 for
generic_secret/generic_api_key patterns in .md/.txt/.rst files.
Prose words ("Token tracking") have ~3.0 entropy vs real secrets
at ~4.5+. TestScanFile_MarkdownProseNotFlagged verifies.
- secrets: TestIsDocumentationFile covers all doc extensions and
common basenames (README, CHANGELOG, etc.)
- errors.go: Log JSON encode failures in WriteError and WriteJSON instead of silently discarding. Headers are already sent so status can't change, but the error is now visible in logs. (PR #144) - handlers_delta.go: Validate Content-Type on delta ingest and validate endpoints. Rejects non-JSON content types with 415 before reading body. (PR #145) - handlers_cicd.go: Cap coupling check to 20 files. Each Analyze call scans git log independently — N files = N git-log calls. Same cap pattern as blast-radius (30) and bug-patterns (20). (PR #143)
fix: Address 3 issues from windup PR analysis
Language detection now searches subdirectories (up to depth 3) for
manifest files like go.mod, package.json, Cargo.toml, etc. This
fixes repos where source code lives in subdirs (e.g., src/cli/go.mod).
- findManifest: walks subdirs to find exact manifest filenames
- FindManifestForLanguage: finds manifest for a specific --lang flag
- Skips example/test/doc/vendor dirs to avoid false detections
- Index command runs indexer from the manifest's directory, not root
- Multiple languages properly detected and reported
Before: ckb index → "Could not detect project language" on ShellAI
After: ckb index → "Multiple languages detected: Go, TypeScript"
ckb index --lang go → runs scip-go from src/cli/
- TestDetectLanguage_SubdirectoryManifest: go.mod in src/cli/, Cargo.toml in packages/core/, package.json in src/web/, root priority - TestDetectAllLanguages_MultiLanguageMonorepo: Go+TS, Go+Python, single language in subdir - TestDetectLanguage_SkipsExampleAndTestDirs: manifests in examples/, testdata/, docs/ not detected - TestFindManifestForLanguage: per-language manifest lookup for --lang - TestFindManifest_DepthAndSkipDirs: depth 2/3/4, root priority, vendor/examples/node_modules skipped
Language detection now searches subdirectories (up to depth 3) for
manifest files like go.mod, package.json, Cargo.toml, etc. This
fixes repos where source code lives in subdirs (e.g., src/cli/go.mod).
- findManifest: walks subdirs to find exact manifest filenames
- FindManifestForLanguage: finds manifest for a specific --lang flag
- Skips example/test/doc/vendor dirs to avoid false detections
- Index command runs indexer from the manifest's directory, not root
- Multiple languages properly detected and reported
Before: ckb index → "Could not detect project language" on ShellAI
After: ckb index → "Multiple languages detected: Go, TypeScript"
ckb index --lang go → runs scip-go from src/cli/
- TestDetectLanguage_SubdirectoryManifest: go.mod in src/cli/, Cargo.toml in packages/core/, package.json in src/web/, root priority - TestDetectAllLanguages_MultiLanguageMonorepo: Go+TS, Go+Python, single language in subdir - TestDetectLanguage_SkipsExampleAndTestDirs: manifests in examples/, testdata/, docs/ not detected - TestFindManifestForLanguage: per-language manifest lookup for --lang - TestFindManifest_DepthAndSkipDirs: depth 2/3/4, root priority, vendor/examples/node_modules skipped
feat: Monorepo language detection + subdir indexing
1. Coupling age filter: skip co-change gaps where the coupled file hasn't been modified in 180+ days. Prevents FPs from test files written once and never changed. Uses git log for last-mod date. 2. Cognitive complexity weighting: swap cyclomatic (0.25→0.15) and cognitive (0.15→0.25) weights in health score. Cognitive is less misleading than cyclomatic for switch statements and similar. 3. Symbol rename detection: filter rename pairs in breaking changes. When a removed + added symbol share the same file and kind, it's likely a rename, not a breaking API change. 4. Split clustering caps: skip coupling analysis for PRs > 200 files (use module clustering only). Merge clusters beyond 20 into one bucket. Prevents O(n²) explosion on large PRs. 5. Generated file markers: add protobuf headers, swagger/openapi, codegen markers (eslint-disable, @generated, protoc-gen, graphql-codegen), minified assets (*.min.js/css).
feat: Address 5 items from external technical review
* fix: reduce false positives in secrets scanner and test gap heuristic
Secrets: add varRefRe pattern to isLikelyFalsePositive() that detects
when the captured "secret" is a variable/attribute reference (e.g.,
self._settings.openai_api_key, config.apiKey, os.environ, process.env,
viper.GetString) rather than a hardcoded literal. Adds 7 test cases.
Test gaps: extend findTestFiles() to check the Python/pytest prefix
convention (test_{name}.ext) in addition to suffix patterns. Also
checks sibling tests/ directory and top-level tests/ directory, which
is the standard Python project layout.
* fix: resolve CI failures — undici vulnerability, review JSON parsing, test coverage
- Override undici to ^6.24.0 in pr-analysis action to fix Trivy security scan
- Suppress logger warnings for all output formats (not just human) so stderr
doesn't corrupt JSON output when CI redirects 2>&1
- Add tests for filterRenamePairs, varRefRe regex, and doc file entropy threshold
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: address 8 code review findings from CKB analysis
- filterRenamePairs: deterministic output via sorted keys, filter both
sides of rename pairs (not just the "removed" half)
- varRefRe: clarify why partial-capture branches exist alongside the
anchored dotted-chain branch
- review_coupling: batch fileLastModified into single shell invocation
instead of O(n) git-log subprocesses
- detect.go: document findManifest lexical ordering behavior
- handlers_delta: clarify Content-Type validation allows missing header
- review_health: fix stale weight comment (15%/25% not 25%/15%), add
weight-sum and ordering assertion test
- Remove eslint-disable from generated markers (too aggressive — flags
hand-written files with lint suppressions)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…ching (#181) Three CKB review infrastructure fixes: 1. Generated file marker detection was defined but never called — detectGeneratedFile now reads the first 10 lines of files and checks for GeneratedMarkers (DO NOT EDIT, @generated, etc.) 2. Add dist/*.js and dist/*.css to default generated patterns so bundled output (webpack, ncc, etc.) is automatically excluded from review. 3. Fix matchGlob ** suffix matching — was only checking filepath.Base(), now tries all path tail segments so patterns like **/dist/*.js work. 4. After HoldTheLine and dismissal filtering, reconcile check summaries with surviving findings. A check that reported "5 new bug patterns" but had all findings dropped (on unchanged lines) is now downgraded to pass with a note. Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…O 27701, IEC 61508) Introduces `ckb audit compliance --framework=<name>` with 41 checks across 5 regulatory frameworks, each mapping findings to specific regulation articles/clauses. Fills a gap no existing SAST tool covers — direct code-to- regulation mapping beyond CWE IDs. Frameworks and checks: - GDPR/DSGVO (11): PII detection, PII in logs/errors, weak crypto, plaintext storage, consent, retention, deletion, data minimization, transport encryption - EU AI Act (8): model I/O logging, audit trail, human override, kill switch, bias testing, data provenance, version tracking, confidence scores - ISO 27001:2022 (10): secrets, PII leakage, weak crypto, insecure random, SQL injection, path traversal, unsafe deserialization, TLS, CORS, config mgmt - ISO 27701 (5): consent mechanism, deletion/access/portability endpoints, purpose logging - IEC 61508/SIL (7): goto, recursion, nesting, function size, global state, unchecked errors, SIL-gated complexity thresholds Key design decisions: - Findings reuse query.ReviewFinding — JSON, SARIF, markdown formatters work - PII scanner with 80+ patterns incl. German terms, configurable via config - Confidence scoring (0.0-1.0) on every finding, filterable via --min-confidence - Parallel check execution via sync.WaitGroup - Non-PII exclusion list prevents false positives on code identifiers Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Rewrites the /ckb-review and /review slash commands for minimal LLM token usage (~3-8k tokens vs ~15-30k previously): - Early exit: score>=80 + verdict=pass → one-line approval, no source read - CLI-first: ckb review --compact instead of MCP tool discovery - Targeted reads: only files with warn/fail findings, not all hotspots - No drill-down phase: CLI compact output has enough signal - Terse output: flat issue list instead of multi-section prose - Anti-patterns list: explicit "don't do this" for token waste Updated in: embedded constant (setup.go), .claude/commands/review.md, ADR-001, and review advantages doc. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…apping Adds 15 new regulatory frameworks (126 total checks across 20 frameworks) and a cross-framework mapping engine that enriches findings with references to every regulation they violate simultaneously. New frameworks: - PCI DSS 4.0 (6 checks): PAN detection, secure coding, auth - HIPAA (5 checks): PHI detection/logging, audit trail, encryption - SOC 2 (6 checks): access control, monitoring, change management - NIST 800-53 Rev 5 (6 checks): access, audit, crypto, input validation - EU Cyber Resilience Act (6 checks): secure defaults, SBOM, vulnerabilities - DORA (6 checks): circuit breakers, timeouts, health endpoints, rollback - NIS2 (5 checks): supply chain, vulnerability handling, crypto - OWASP ASVS 4.0 (8 checks): auth, session, validation, crypto, TLS - CCPA/CPRA (5 checks): do-not-sell, sensitive PI, data subject rights - SBOM/SLSA (5 checks): SBOM generation, lock files, provenance, signing - MISRA C/C++ (6 checks): goto, dead code, switch, memory, type safety - ISO 26262 (5 checks): ASIL-gated complexity, recursion, null checks - DO-178C (5 checks): DAL-gated dead code, complexity, traceability - FDA 21 CFR Part 11 (5 checks): audit trail, authority, e-signatures - IEC 62443 (6 checks): default creds, input validation, message auth Cross-framework mapping (CKB differentiator): A single "weak crypto" finding now shows: "Also violates: NIST SC-13, PCI DSS 4.2.1, ASVS V6.2.1, NIS2 Art.21, GDPR Art.32, HIPAA §164.312, FDA §11.10" — no competing tool provides this structural context. Thread-safety: Added ScanScope.AnalyzeFileComplexity() mutex wrapper to prevent tree-sitter parser crashes under parallel check execution. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
NFR Tests ✅ 39 unchangedComparing PR against main branch (dynamic baseline). Regressions: 0 ✅ Thresholds: WARN ≥ +5% • FAIL ≥ +10% All scenarios
* = new scenario, compared against static baseline |
🟢 Change Impact Analysis
Blast Radius: 0 modules, 0 files, 0 unique callers 📝 Changed Symbols (142)
Recommendations
Generated by CKB |
CKB Analysis
Risk factors: Large PR with 166 files • High churn: 60866 lines changed • Touches 38 hotspot(s) 👥 Suggested: @lisa.welsch1985@gmail.com (4%), @talantyyr@gmail.com (4%), @lisa@tastehub.io (3%)
🎯 Change Impact Analysis · 🟢 LOW · 142 changed → 0 affected
Symbols changed in this PR:
Recommendations:
💣 Blast radius · 0 symbols · 15 tests · 0 consumersTests that may break:
🔥 Hotspots · 38 volatile files
📦 Modules · 5 at risk
📊 Complexity · 12 violations
💡 Quick wins · 10 suggestions
📚 Stale docs · 156 broken references
Generated by CKB · Run details |
Codecov Report❌ Patch coverage is ❌ Your patch status has failed because the patch coverage (8.5%) is below the target coverage (30.0%). You can increase the patch coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## main #183 +/- ##
=======================================
- Coverage 47.8% 43.7% -4.1%
=======================================
Files 395 487 +92
Lines 66916 75450 +8534
=======================================
+ Hits 32046 33045 +999
- Misses 32611 40092 +7481
- Partials 2259 2313 +54
Flags with carried forward coverage won't be shown. Click here to find out more. 📢 Thoughts on this report? Let us know! 🚀 New features to boost your workflow:
|
|
CKB review failed to generate output. |
…tion (#184) Syncs local skill refinements to repo and embedded constant: - Early exit now requires score>=90 + zero warns + <100 lines + no new files (score>=80 was unsafe due to per-check caps hiding warnings) - Added "CKB's blind spots" section listing what the LLM must catch (logic errors, business logic, race conditions, etc.) - Expanded Phase 2 checklist: race conditions, incomplete refactoring, secrets beyond CKB's 26 patterns - Added anti-patterns: trusting score>=80, skipping new files Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- docs/features/compliance-audit/overview.md: Executive summary with market positioning and framework coverage - docs/features/compliance-audit/checks.md: Complete reference of all 126 checks across 20 frameworks - examples/github-actions/compliance-audit.yml: Production-ready GitHub Actions workflow with SARIF upload, PR comments, and quality gates Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
New slash command for CKB-augmented compliance audit with same design principles as /ckb-review: CLI-first, early exit, targeted reads, terse output. Key features: - Auto-detect applicable frameworks from repo context - Deduplicate cross-framework findings (1 code fix ≠ 6 findings) - LLM focuses on contextual triage: applicability, compensating controls, business impact prioritization - installClaudeCodeSkills() now installs both /ckb-review and /ckb-audit Three copies synced: ~/.claude/commands/ckb-audit.md, .claude/commands/audit.md, embedded constant in setup.go. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Three improvements to the bug-patterns review check: 1. checkDiscardedError: Skip calls nested inside argument_list nodes. Previously flagged Register(NewFramework()) as "discarded return from NewFramework" — the return IS consumed as an argument, not discarded. 2. checkDiscardedError: Suppress standalone .Close() calls. Discarding Close() errors on read-only file handles is standard Go convention (os.Open for reading). Write-path Close errors are caught by the missing-defer-close rule instead. 3. checkMissingDeferClose: Recognize inline varName.Close() as valid resource cleanup (not just defer). Also removed NewScanner from openFuncs — bufio.Scanner doesn't implement io.Closer. Also adds compliance.ScanFileLines helper for proper open/defer-close lifecycle in file scanning checks. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
Found via /ckb-review dogfood on PR #183: 1. Fix 59 file handle leaks across 33 compliance check files — manual f.Close() at loop end was skipped on early return via ctx.Err() or break. Wrapped in closures with defer f.Close(). 2. Add concurrency semaphore to compliance engine — 126 goroutines launching simultaneously could exhaust file descriptors. Now capped at GOMAXPROCS*4 (max 32). 3. Fix err shadow in installClaudeCodeSkills — `:=` inside loop shadowed outer err. Renamed to readErr/writeErr. 4. Fix crossmap dedup — strings.Contains on ruleID caused substring collisions (e.g., "nis2" matching "nis"). Now uses exact prefix match on slash-delimited ruleID. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Dogfooded on PR #183 (compliance audit). Changes: - Remove --compact flag reference (doesn't exist on CLI) - Add new file strategy: "read entry point + types first, then follow refs" for large new packages (90 new files was untractable otherwise) - Add "resource leaks" to blind spots list (found the main bug class) - Update check count 15 → 20 - Add anti-pattern: reading every file in a large new package - Add parse instructions for JSON output (pipe through python/jq) - All 3 copies synced: local, repo, embedded constant Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
Dogfooded ckb audit compliance on CKB itself — 281 findings, mostly FPs. PII scanner: - Skip "fingerprint" unless paired with "biometric"/"user_fingerprint" (in code contexts fingerprint = hash, not biometric data) - Skip "display_name" (UI labels, not PII) - Skip test files in CheckPIIInLogs (test assertions reference PII names) SQL injection (iso27001 + owasp-asvs): - Skip test files and testdata/fixtures directories - Skip regex pattern definitions (compliance check code itself) - Skip lines with parameterized query markers (?, $1) Results: 281→159 findings, 189→88 unique locations, 0 test file FPs. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
Daemon API endpoints (7 stubs → real implementations):
- handleScheduleList: returns schedules from scheduler.ListSchedules()
- handleJobsList: returns active jobs from scheduler state
- handleJobsRoute: GET job details, DELETE to cancel/disable
- handleReposList: loads repo registry via repos.LoadRegistry()
- handleReposRoute: GET repo details by name
- handleFederationsList: lists federations via federation.List()
- handleFederationsRoute: GET federation config by name
CLI daemon status: HTTP health query to localhost:{port}/health with
version, uptime, and per-check status display.
Query engine stubs (4 → real implementations):
- Ownership refresh: parses CODEOWNERS + git-blame via ownership module
- Hotspot refresh: queries git adapter for churn data (90-day window)
- Responsibility refresh: extracts module responsibilities via extractor
- Ownership history: queries ownership_history table from storage
TEMP pattern fix: Split todoPattern into case-insensitive (TODO/FIXME/
HACK/XXX) and case-sensitive (TEMP uppercase only) to stop matching
"temp file", "temp directory" in descriptive comments.
Compliance audit: 48/100 → 97/100 | 105 → 1 finding (unsigned-commits)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
…rmup
Four features for ArchReview SRP pipeline optimization:
1. searchSymbols now returns lines, cyclomatic, cognitive per symbol.
The enrichWithBodyRanges step now also extracts complexity via
tree-sitter analyzer, merging body ranges and metrics in one pass.
Eliminates the enrichment phase — consumers get full symbol data
in a single searchSymbols call.
2. listSymbols — dedicated bulk listing without search query. Params:
scope (path prefix), kinds, minLines, minComplexity, sortBy
(complexity/lines/name), limit (max 200). Returns complete symbol
inventory with body ranges and complexity. One call replaces
exploring 40 files one-by-one.
3. getSymbolGraph — batch call graph for multiple symbols. Params:
symbolIds (max 30), depth (1-3), direction. Returns deduplicated
nodes and edges across all requested symbols. One call replaces
30 serial getCallGraph calls.
4. Warm searchSymbols on connect — MCP server fires a background
searchSymbols("", limit=1) on engine initialization to pre-warm
the FTS index and cache. First real search call hits warm cache
instead of cold start.
Both new tools added to refactor preset (now 37 tools).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
searchSymbols: Add minLines, minComplexity, excludePatterns params.
Filtering happens after tree-sitter enrichment so it operates on real
body sizes and complexity values. Eliminates client-side filtering of
80% of results (struct fields, tiny getters, anonymous symbols).
Example: searchSymbols(query:'Review', minLines:30, excludePatterns:['#'])
returns only substantial functions — no Class#member properties.
batchGet: Add includeCounts param. When true, populates referenceCount,
callerCount, calleeCount per symbol via SCIP lookups. Consumers get
fan-in/fan-out metrics without transferring full caller/callee lists.
Example: batchGet(symbolIds:[...], includeCounts:true) returns
{referenceCount:8, callerCount:2, calleeCount:0} per symbol.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
1. FTS empty query bug: FTS Search() returned [] for query="" (line 237:
"if query == '' return empty"). Added listAll() method that queries
the symbols_fts_content table directly when query is empty. This is
the path listSymbols and searchSymbols("") take.
2. Warmup caching bug: MCP server warmup fired SearchSymbols("", limit=1)
before SCIP index was fully loaded. The empty result got cached, and
all subsequent empty-query searches returned the cached 0 results.
Fix: warmup now calls RefreshFTS() instead of SearchSymbols() — this
populates the FTS table from SCIP data without caching search results.
Before: listSymbols → {symbols:null, totalCount:0} even with fresh SCIP
After: listSymbols → {symbols:[...], totalCount:15} with complexity data
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
…mous listSymbols now passes excludePatterns: ["#"] to SearchSymbols, removing Container#Field properties that SCIP labels as kind=class. These have no body ranges or complexity data and are noise for behavioral analysis. Also skips anonymous/unknown/empty symbol names. Before: 10 symbols, all Class#member with 0 lines/complexity After: 22 symbols, all functions with real complexity data For searchSymbols with kinds:['class'], consumers can pass excludePatterns:['#'] to get only the class itself (e.g., ReviewEngine 220 lines), not its fields (ReviewEngine#ckb 1 line). Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
listSymbols/searchSymbols class body ranges: Increased FTS query
multiplier from 2x to 10x when filters (excludePatterns/minLines/
minComplexity) are set. SCIP indexes struct fields as kind=class,
so searching "Daemon" with excludePatterns:["#"] needs 10x headroom
to find the type definition past all the Daemon#field entries.
Before: searchSymbols("Daemon", excludePatterns:["#"]) → 0 results
After: → Daemon class, lines=22, L28-49
getSymbolGraph with complexity: Each node now includes lines, endLine
(from CallGraphNode location), and cyclomatic/cognitive (from tree-
sitter complexity analysis per file). One getSymbolGraph call now
returns call graph + metrics, replacing getSymbolGraph + batchGet.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
Add .arb (Flutter/ICU localization resource) and .g.dart (Dart generated) to isCouplingNoiseFile suffixes. Add l10n/ and generated/ to directory exclusion prefixes. Flutter's gen-l10n workflow generates app_localizations_*.dart from .arb source files. These always co-change by definition — flagging them as "missing co-change partners" when one side is staged produces false positives, especially with MM git status (staged + further unstaged). Closes #185 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
Coupling noise filter — added 20+ generated file patterns from research: - Protobuf/gRPC: .pb.go, .pb.h, .pb.cc, .pb.ts, _grpc.pb.go, _pb2.py - Go generators: _string.go (stringer), _enumer.go, wire_gen.go, _mock.go - Dart/Flutter: .freezed.dart, .mocks.dart (in addition to .g.dart/.arb) - JS/TS bundled: .bundle.js, .chunk.js, .d.ts - Directories: __generated__/ (GraphQL/Relay), .dart_tool/, __pycache__/ Generated file detection (review) — added matching patterns: - All protobuf/gRPC extensions across Go, C++, TS, Python - Go code generators (stringer, mockgen, Wire, enumer) - Dart/Flutter (freezed, mocks, build_runner) - GraphQL (__generated__) - Additional markers: "generated by stringer/mockgen/Wire" Sources: GitHub Linguist overrides, Dart code generation guide, Protobuf documentation, Go generate patterns, Swagger/OpenAPI codegen. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
Changelog: comprehensive entry for all v8.3 features — compliance audit (20 frameworks, --recommend, MCP tool), listSymbols, getSymbolGraph, searchSymbols enrichment, 42→0 bug-pattern FPs, coupling noise filter, compliance FP reduction, FTS empty query fix, daemon API implementations. Fix review issue #1: batchGet IncludeCounts now runs FindReferences + GetCallGraph in parallel with 10-concurrent semaphore (was sequential). Fix review issue #3: getSymbolGraph complexity enrichment documents single-instance analyzer reuse per call. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
gofmt: Reformatted 93 files across internal/compliance/ and 2 other files. ineffassign (3): - format_audit_compliance.go: remove dead loc assignment - do178c/dead_code.go: remove redundant afterTerminator reset - misra/control_flow.go: same pattern nilerr (1): - engine.go:393: return err instead of nil when filepath.Rel fails unused (4): - ccpa/sensitive_pi.go: remove useLimitationPatterns - iec61508/defensive.go: remove uncheckedErrorPatterns + unused regexp import - iso27001/config_mgmt.go: remove httpPatterns - sbom/sbom.go: remove sbomCIFiles (replaced by findCIFiles) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
recommend_test.go (4 tests): - Go project with HTTP+PII → recommends gdpr, nist, owasp - Empty directory → universal frameworks only - Deduplication works - All recommendation fields populated crossmap_test.go (7 tests): - Cross-references enrichment for weak-crypto - Unknown rules leave hint unchanged - Existing hints preserved with separator - CWE appended to detail - GetCrossReferences returns multi-framework refs - Unknown category returns nil - ListMappedCategories coverage engine_test.go (7 tests): - findSourceFiles with scope, directory exclusion, empty dirs - isSourceExt for all 18 extensions - Severity ordering, check filter matching fts_list_test.go (4 tests): - listAll returns all symbols for empty query - Limit respected - Normal search still works for non-empty query - Empty database returns empty, not error Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…hints expandToolset description now lists each preset's key tools and use cases so the LLM can pick the right one: - review: PR review, compliance, secrets, test gaps - refactor: coupling, cycles, dead code, suggestions - federation: multi-repo, contracts - docs: documentation, ADRs - ops: diagnostics, daemon, webhooks getStatus hints now include preset-awareness: when on core preset, explicitly suggests expanding to review/refactor/docs with arrows pointing to the workflows each unlocks. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
server_test.go (15 tests): HTTP handler tests via httptest for health, schedule list, jobs list/route, repos list/route, federations list/route. Covers nil-scheduler fallback, missing ID validation, method-not-allowed. symbols_enrich_test.go (6 tests): Post-enrichment filter validation for excludePatterns (#), minLines, minComplexity, combined filters, no-op. compound_batch_test.go (3 tests): BatchGetOptions.IncludeCounts field existence, symbol ID limit, default count behavior. Total new tests this session: 46 (22 + 24) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
…workflow - expandToolset: reorder review preset description to lead with analyzeTestGaps + getAffectedTests, add 'test coverage analysis' to use-case summary - getStatus hints: explicitly name analyzeTestGaps and getAffectedTests in the review preset arrow so LLM connects 'write tests' → review Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
CKB review failed to generate output. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds
ckb audit compliance --framework=<name>— a regulatory compliance auditing engine that maps static code analysis findings to specific regulation articles/clauses across 20 frameworks. No competing SAST tool provides this direct code-to-regulation mapping with cross-framework enrichment.20 Frameworks, 126 Checks
Cross-Framework Mapping (Key Differentiator)
A single finding gets enriched with every regulation it violates:
Features
--min-confidence--ci --fail-on=errorUsage
Test plan
go build -o ckb ./cmd/ckb— clean buildgo test ./internal/compliance/...— scanner tests passgo test ./cmd/ckb/... ./internal/config/...— no regressionsckb audit compliance --framework=all— all 20 frameworks produce findings🤖 Generated with Claude Code