Add integration tests, security/QAT workflows, and SDK framework README#3
Open
bnreplah wants to merge 3 commits into
- tests/unit/: 55 unit tests for email validation, schedule helpers, CSV parsing
- tests/integration/: 71 integration tests covering DAST request script, blacklist script, bash syntax validation, shellcheck, XML API scripts, and live API connectivity (credential-gated)
- tests/fixtures/: allowlist, blacklist, glblacklist CSV fixtures for test runs
- pytest.ini, requirements-test.txt: test runner configuration
- .github/workflows/integration-tests.yml: unit + integration + shell + API tests, split into jobs with artifact uploads and optional live API job on main
- .github/workflows/security-scan.yml: Bandit, ShellCheck, Gitleaks, pip-audit, Semgrep, and credentials-file checker; scheduled weekly
- .github/workflows/qat.yml: flake8, ShellCheck lint, JSON/YAML validation, PSScriptAnalyzer on Windows, full test suite with result publishing
- README.md: rewritten with badge table, SDK framework overview, API reference, quick-start, test docs, and secrets guide
- .gitignore: excludes __pycache__, credentials, test artifacts, coverage files

https://claude.ai/code/session_015pBhzcxzBhLcAujgXrwsaz
QAT Test Results: 173 tests, 163 ✅, 2s ⏱️. For more details on these failures, see this check. Results for commit 3ea7ca5. ♻️ This comment has been updated with latest results.
templates/workflows/ — copy any file to .github/workflows/ in a target repo:
- pipeline-scan.yml: fast SAST inline scan, every PR
- policy-scan-sast.yml: full policy scan, main/release branches
- sandbox-scan-promote.yml: feature branch sandbox + promote on merge
- sca-agent-scan.yml: SCA dependency scan via srcclr agent
- dast-web-scan.yml: DAST dynamic scan via DASTWebAppRequest-std.py
- container-scan.yml: Docker image scan via Veracode CLI or action
- all-scans-devops.yml: full DevSecOps pipeline (build → all scans → summary)
- by-language/java-maven.yml
- by-language/java-gradle.yml
- by-language/nodejs.yml
- by-language/python.yml
- by-language/dotnet.yml
- by-language/go.yml

.github/workflows/ — reusable/callable workflows (any repo can call these):
- reusable-pipeline-scan.yml: workflow_call with inputs, secrets, outputs
- reusable-policy-scan.yml: workflow_call supporting sandbox or policy mode

All templates include CUSTOMIZE/TODO markers, secrets documentation, packaging notes per language, and inline option comments (e.g. Action vs Java wrapper, binary vs source zip for Go).

https://claude.ai/code/session_015pBhzcxzBhLcAujgXrwsaz
Scripts/AIAnalysis/ — a pipeline that correlates findings across Veracode scan types (SAST/DAST/SCA/container), validates them with a panel of Claude models to reduce false positives, and chains related findings into risk paths.

Prepared for Mythos and future frontier models:
- models.json registry drives all model selection by role (triage/validate/deep-validate/correlate/chain/second-opinion). Enabling Claude Mythos 5 or a later model is a one-line config edit — no code change.
- providers.py shapes each request per model family: adaptive thinking for Opus/Sonnet, thinking omitted for Fable/Mythos (always-on), and server-side refusal fallbacks when a fallback_model is set. A not-yet-served model (404) is disabled for the run so the pipeline degrades gracefully.
- hooks.py exposes 9 operational hook points (pre_ingest ... report) so external tooling or a frontier model running alongside can observe/transform data at each stage without touching pipeline code.

Analysis capabilities:
- Deterministic cross-scan correlation (offline, stdlib-only, CI-safe): cross-layer CWE confirmation (SAST+DAST reachable), common flaw sources, shared CVE (SCA+container), dependency-usage links.
- Multi-model consensus FP validation (adversarial refute framing + quorum).
- Model-assisted risk chaining with combined severity, remediation order, and directed security-training recommendations.
- Structured outputs via output_config.format (json_schema) throughout.

Tests: 47 new tests (config/findings/correlation/hooks unit + pipeline integration with a MockProvider, no API key needed). Full suite 163 passing.

Adds AIAnalysis flake8 job to the QAT workflow and documents the layer in the READMEs.

https://claude.ai/code/session_015pBhzcxzBhLcAujgXrwsaz
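The commit above describes a deterministic, stdlib-only correlation stage: a CWE that SAST reports and DAST also observes is treated as confirmed reachable, and a CVE that appears in both the SCA report and the container image scan is treated as the same exposure seen from two layers. The following is an added illustration of that idea, not code from the PR or from Scripts/AIAnalysis/. It assumes a hypothetical flattened finding schema (`scan`, `cwe`, `cve`, `severity`, `id`) and uses constructed sample findings with placeholder CVE identifiers; the real pipeline's data model and output format are not shown on this page.

```python
"""Deterministic cross-scan correlation over normalized findings (stdlib only).

Added example; the finding schema below is an assumption, not the project's.
"""
from collections import defaultdict

# Constructed sample findings. CVE values are placeholders, not real identifiers.
FINDINGS = [
    {"id": "sast-1", "scan": "sast", "cwe": "CWE-89", "location": "app/db.py:42", "severity": 4},
    {"id": "dast-1", "scan": "dast", "cwe": "CWE-89", "location": "/api/users", "severity": 3},
    {"id": "sast-2", "scan": "sast", "cwe": "CWE-79", "location": "app/views.py:10", "severity": 3},
    {"id": "dast-2", "scan": "dast", "cwe": "CWE-352", "location": "/api/profile", "severity": 2},
    {"id": "sca-1", "scan": "sca", "cve": "CVE-XXXX-0001", "component": "libexample@1.2.3", "severity": 5},
    {"id": "container-1", "scan": "container", "cve": "CVE-XXXX-0001", "component": "libexample@1.2.3", "severity": 5},
    {"id": "container-2", "scan": "container", "cve": "CVE-XXXX-0002", "component": "otherlib@0.1", "severity": 2},
]


def _index(findings, scan_types, key):
    """Index findings from the given scan types by the value of `key` (skipping findings without it)."""
    index = defaultdict(list)
    for finding in findings:
        if finding["scan"] in scan_types and finding.get(key):
            index[finding[key]].append(finding)
    return index


def cross_layer_cwe(findings):
    """CWEs reported by SAST *and* observed by DAST: the static flaw is confirmed reachable at runtime.

    Returns a dict keyed by CWE with the contributing SAST and DAST finding ids.
    """
    sast = _index(findings, {"sast"}, "cwe")
    dast = _index(findings, {"dast"}, "cwe")
    return {
        cwe: {"sast": [f["id"] for f in sast[cwe]], "dast": [f["id"] for f in dast[cwe]]}
        for cwe in sorted(set(sast) & set(dast))
    }


def shared_cves(findings):
    """CVEs present in both the SCA dependency report and the container image scan."""
    sca = _index(findings, {"sca"}, "cve")
    container = _index(findings, {"container"}, "cve")
    return {
        cve: {"sca": [f["id"] for f in sca[cve]], "container": [f["id"] for f in container[cve]]}
        for cve in sorted(set(sca) & set(container))
    }


def corroborated_ids(findings):
    """Ids of every finding that another scan type independently corroborates."""
    ids = set()
    for group in cross_layer_cwe(findings).values():
        ids.update(group["sast"] + group["dast"])
    for group in shared_cves(findings).values():
        ids.update(group["sca"] + group["container"])
    return ids


def remediation_order(findings):
    """Deterministic remediation order: corroborated findings first, then severity (high to low), then id.

    The final id tie-break keeps the output stable across runs, which matters when
    the order is diffed in CI or fed to a later model-assisted stage.
    """
    confirmed = corroborated_ids(findings)
    ranked = sorted(
        findings,
        key=lambda f: (f["id"] not in confirmed, -f["severity"], f["id"]),
    )
    return [f["id"] for f in ranked]


if __name__ == "__main__":
    import json

    report = {
        "cross_layer_cwe": cross_layer_cwe(FINDINGS),
        "shared_cve": shared_cves(FINDINGS),
        "remediation_order": remediation_order(FINDINGS),
    }
    print(json.dumps(report, indent=2))
```

Running the module prints a JSON report in which only CWE-89 is confirmed across layers and only the first placeholder CVE is shared between SCA and container; sast-2, dast-2 and container-2 remain single-source findings and sort after the corroborated ones regardless of severity. Replacing `FINDINGS` with the normalized output of a real ingest step is the only change needed to apply the same logic to live scan data.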