
fix: MCP Server, config validation and cli#339

Merged

rafaelpereyra merged 6 commits into main from fix/mcp-actionable-only-severity-filtering on May 12, 2026

Conversation

@rafaelpereyra
Contributor

Issue #, if available:
N/A

Description of changes:

fix(config): Validate ignore_paths/suppression paths for directory-without-glob patterns
fix(scan): Resolve scan set returning 0 files and --exclude arg being silently dropped
fix(cli): Default output-dir relative to source-dir instead of CWD
fix(mcp): Return flat findings list when actionable_only is requested

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

…y-without-glob patterns

Add validation to both `ash config validate` and `ash config lint` that
warns when an ignore_path or suppression path points to an existing directory
but lacks a `**` glob suffix. Without `**`, the pattern silently fails to
match any files inside the directory.

Only warns when the path actually exists as a directory in the repo, avoiding
false positives for virtual environments that haven't been initialized.

Adds IGNORE_PATH_ISSUE lint category and comprehensive test coverage.
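
As an added illustration of the check this commit describes (not ASH's own implementation), a minimal directory-without-glob validation: it warns only for patterns that resolve to an existing directory and carry no glob, so an uninitialised virtual environment or a plain file produces nothing. The helper names and the warning wording are assumptions.

```python
import tempfile
from pathlib import Path

_GLOB_CHARS = set("*?[")

def lint_ignore_paths(repo_root, patterns):
    """Warn for each pattern naming an existing directory without a '**' suffix.

    Hypothetical helper: patterns that already contain glob characters are left
    alone, and a path that is not an existing directory (an uninitialised .venv,
    a regular file) produces no warning, so only real silent-no-match cases show up.
    """
    warnings = []
    for pattern in patterns:
        if _GLOB_CHARS & set(pattern):
            continue
        clean = pattern.rstrip("/")
        if (Path(repo_root) / clean).is_dir():
            warnings.append(
                f"IGNORE_PATH_ISSUE: '{pattern}' is a directory and will match no files; "
                f"use '{clean}/**'"
            )
    return warnings

def demo_repo():
    # constructed layout: .venv/ and tests/ exist, build/ does not, README.md is a file
    root = tempfile.mkdtemp()
    (Path(root) / ".venv" / "lib").mkdir(parents=True)
    (Path(root) / "tests").mkdir()
    (Path(root) / "README.md").write_text("# sample\n")
    return root
```
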
… silently dropped

Two related bugs fixed:

1. Nested .gitignore scope pollution: .gitignore files inside ignored
   directories (e.g., .venv/.gitignore containing '*') were being collected
   and their rules applied globally, causing the entire project to have 0
   scannable files. Fixed by:
   - Pruning ignored directories during os.walk (skips .venv/, etc.)
   - Scoping rules in get_ash_ignorespec to their parent directory via
     base_path instead of applying all rules at root level

2. --exclude key validation too strict: The _VALID_FLAG_KEY_PATTERN regex
   rejected --key=value syntax used by bandit (--exclude="...") and
   checkov (--skip-path="..."), silently dropping exclude paths. Fixed by
   allowing optional =value suffix in the regex.
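
An added example (not the project's code) that reproduces bug 1 on a constructed tree and shows both fixes: pruning ignored directories during os.walk so a nested .gitignore is never read, and scoping each rule to the directory it came from. The gitignore matching is a simplified fnmatch-based stand-in for igittigitt, and every helper name is an assumption.

```python
import fnmatch, os, tempfile
from pathlib import Path

def _rel(path, root):
    r = os.path.relpath(path, root).replace(os.sep, "/")
    return "" if r == "." else r

def is_ignored(rel, rules):
    for base, pat in rules:  # a rule applies only below the directory (base) it came from
        if base and not rel.startswith(base + "/"):
            continue
        target = rel[len(base) + 1:] if base else rel
        if pat.endswith("/"):  # directory rule such as ".venv/"
            if target == pat[:-1] or target.startswith(pat):
                return True
        elif fnmatch.fnmatch(target, pat) or fnmatch.fnmatch(target.rsplit("/", 1)[-1], pat):
            return True
    return False

def collect_rules(root, scoped):
    # scoped=False reproduces the old behaviour: every .gitignore in the tree, all rules at root
    rules = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = _rel(dirpath, root)
        if ".gitignore" in filenames:
            for line in (Path(dirpath) / ".gitignore").read_text().splitlines():
                if line.strip() and not line.startswith("#"):
                    rules.append((rel if scoped else "", line.strip()))
        if scoped:  # prune ignored dirs during the walk so their .gitignore is never read
            dirnames[:] = [d for d in dirnames if not is_ignored(f"{rel}/{d}" if rel else d, rules)]
    return rules

def scan_set(root, scoped=True):
    rules, found = collect_rules(root, scoped), []
    for dirpath, dirnames, filenames in os.walk(root):
        rel = _rel(dirpath, root)
        dirnames[:] = [d for d in dirnames if not is_ignored(f"{rel}/{d}" if rel else d, rules)]
        found += [p for p in (f"{rel}/{f}" if rel else f for f in filenames) if not is_ignored(p, rules)]
    return sorted(found)

def make_repo():
    # constructed sample tree: .venv/.gitignore contains "*", the case that produced 0 files
    root = tempfile.mkdtemp()
    files = {".gitignore": ".venv/\n*.pyc\n", "app/main.py": "x = 1\n", "app/.gitignore": "*.log\n",
             "app/debug.log": "", "app/cache.pyc": "", "debug.log": "", ".venv/.gitignore": "*\n",
             ".venv/lib/site.py": ""}
    for rel, text in files.items():
        (Path(root) / rel).parent.mkdir(parents=True, exist_ok=True)
        (Path(root) / rel).write_text(text)
    return root
```

With the old behaviour `scan_set(make_repo(), scoped=False)` returns an empty list, because the `*` from `.venv/.gitignore` is applied at the root; the scoped walk keeps the project files and still honours `app/.gitignore` only inside `app/`.
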

When --source-dir points to a different project and --output-dir is not
specified, the output directory now defaults to source_dir/.ash/ash_output
instead of CWD/.ash/ash_output. This ensures the correct config file is
discovered and output is written to the expected location.

When using get_scan_results with actionable_only=true, the response now
includes a flat findings list with severity, file path, and message for
each actionable finding, instead of only returning scanner metadata
without finding details.
@rafaelpereyra rafaelpereyra requested a review from a team as a code owner May 12, 2026 02:13
@github-actions
Contributor

github-actions Bot commented May 12, 2026

ASH Security Scan Report

  • Report generated: 2026-05-12T12:58:34+00:00
  • Time since scan: 2 minutes

Scan Metadata

  • Project: ASH
  • Scan executed: 2026-05-12T12:56:32+00:00
  • ASH version: 3.5.1

Summary

Scanner Results

The table below shows findings by scanner, with status based on severity thresholds and dependencies:

  • Severity levels:
    • Suppressed (S): Findings that have been explicitly suppressed and don't affect scanner status
    • Critical (C): Highest severity findings that require immediate attention
    • High (H): Serious findings that should be addressed soon
    • Medium (M): Moderate risk findings
    • Low (L): Lower risk findings
    • Info (I): Informational findings with minimal risk
  • Duration (Time): Time taken by the scanner to complete its execution
  • Actionable: Number of findings at or above the threshold severity level that require attention
  • Result:
    • PASSED = No findings at or above threshold
    • FAILED = Findings at or above threshold
    • MISSING = Required dependencies not available
    • SKIPPED = Scanner explicitly disabled
    • ERROR = Scanner execution error
  • Threshold: The minimum severity level that will cause a scanner to fail
    • Thresholds: ALL, LOW, MEDIUM, HIGH, CRITICAL
    • Source: Values in parentheses indicate where the threshold is set:
      • global (global_settings section in the ASH_CONFIG used)
      • config (scanner config section in the ASH_CONFIG used)
      • scanner (default configuration in the plugin, if explicitly set)
  • Statistics calculation:
    • All statistics are calculated from the final aggregated SARIF report
    • Suppressed findings are counted separately and do not contribute to actionable findings
    • Scanner status is determined by comparing actionable findings to the threshold

| Scanner | Suppressed | Critical | High | Medium | Low | Info | Actionable | Result | Threshold |
|---|---|---|---|---|---|---|---|---|---|
| bandit | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| cdk-nag | 0 | 0 | 0 | 0 | 0 | 0 | 0 | MISSING | MEDIUM (global) |
| cfn-nag | 0 | 0 | 0 | 0 | 0 | 0 | 0 | MISSING | MEDIUM (global) |
| checkov | 3 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | LOW (config) |
| detect-secrets | 17 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| grype | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| npm-audit | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| opengrep | 7 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| semgrep | 7 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |
| syft | 0 | 0 | 0 | 0 | 0 | 0 | 0 | PASSED | MEDIUM (global) |

Report generated by Automated Security Helper (ASH) at 2026-05-12T12:58:34+00:00

@rafaelpereyra rafaelpereyra enabled auto-merge May 12, 2026 02:45
@rafaelpereyra rafaelpereyra requested a review from awsmadi May 12, 2026 02:46
…data level

GitLab's CycloneDX parser resolves the report-level source exclusively
from metadata.properties. Per-component gitlab:dependency_scanning:*
properties alone are insufficient — the parser returns nil for the source
and fires 'Required GitLab CycloneDX properties are missing'.

Fix: derive the dominant ecosystem from component PURLs/syft types and
inject gitlab:dependency_scanning:{category,package_manager:name,
language:name,input_file:path} at the metadata.properties level in
addition to per-component enrichment.

Adds _resolve_dominant_type, _dominant_input_file helper methods and
_DEFAULT_LOCKFILES fallback mapping.
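
An added example of the report-level enrichment this commit describes, not the project's own code: it derives the dominant ecosystem from component PURLs only (the syft-type fallback is omitted) and injects the four gitlab:dependency_scanning properties into metadata.properties without duplicating ones already present. The ecosystem table, the "development" category value, the helper names and the sample BOM are assumptions.

```python
from collections import Counter

# Assumed mapping, not the project's table: PURL type -> (package manager, language, default lockfile)
_ECOSYSTEMS = {
    "pypi": ("pip", "Python", "requirements.txt"),
    "npm": ("npm", "JavaScript", "package-lock.json"),
}
_PREFIX = "gitlab:dependency_scanning:"

def _purl_type(purl):
    # "pkg:pypi/requests@2.31.0" -> "pypi"; anything that is not a PURL -> None
    return purl.split(":", 1)[1].split("/", 1)[0] if purl.startswith("pkg:") else None

def resolve_dominant_type(components):
    counts = Counter(t for c in components if (t := _purl_type(c.get("purl", ""))))
    return counts.most_common(1)[0][0] if counts else None

def dominant_input_file(components, ptype):
    # prefer an input_file:path already recorded on a component of the dominant type
    for c in components:
        if _purl_type(c.get("purl", "")) == ptype:
            for p in c.get("properties", []):
                if p.get("name") == _PREFIX + "input_file:path":
                    return p["value"]
    return _ECOSYSTEMS[ptype][2]  # fall back to the ecosystem's conventional lockfile

def inject_report_level_source(bom):  # idempotent: existing property names are kept
    components = bom.get("components", [])
    ptype = resolve_dominant_type(components)
    if ptype not in _ECOSYSTEMS:
        return bom  # no ecosystem we can name with confidence; leave the BOM untouched
    manager, language, _ = _ECOSYSTEMS[ptype]
    props = bom.setdefault("metadata", {}).setdefault("properties", [])
    present = {p.get("name") for p in props}
    wanted = {_PREFIX + "category": "development",  # assumed category value
              _PREFIX + "package_manager:name": manager, _PREFIX + "language:name": language,
              _PREFIX + "input_file:path": dominant_input_file(components, ptype)}
    props.extend({"name": n, "value": v} for n, v in wanted.items() if n not in present)
    return bom

SAMPLE_BOM = {  # constructed: two pypi components (one with an input file) and one npm component
    "bomFormat": "CycloneDX", "specVersion": "1.5", "metadata": {},
    "components": [
        {"name": "requests", "purl": "pkg:pypi/requests@2.31.0",
         "properties": [{"name": _PREFIX + "input_file:path", "value": "src/requirements.txt"}]},
        {"name": "boto3", "purl": "pkg:pypi/boto3@1.34.0"},
        {"name": "lodash", "purl": "pkg:npm/lodash@4.17.21"},
    ],
}
```
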

Replace bare 'except Exception: pass' with specific exception types
(OSError, ValueError, TypeError, IndexError, re.error) that igittigitt
can reasonably throw. Adds debug logging when the root .gitignore
cannot be parsed. Resolves GHAS code scanning alert.
@rafaelpereyra rafaelpereyra disabled auto-merge May 12, 2026 13:10
@rafaelpereyra rafaelpereyra merged commit 5646f0b into main May 12, 2026
235 checks passed
@rafaelpereyra rafaelpereyra deleted the fix/mcp-actionable-only-severity-filtering branch May 12, 2026 13:11