feat: enhance assessors with multi-language support and security #200

Merged
jeremyeder merged 2 commits into ambient-code:main from jeremyeder:feat/enhance-assessors
Dec 10, 2025
Conversation

@jeremyeder
Contributor

Summary

  • Added DependencySecurityAssessor (Tier 1, 4% weight) - merged dependency_freshness + security_scanning
  • Added ContainerSetupAssessor (Tier 4, 1% weight) - conditional applicability for container projects
  • Enhanced DependencyPinningAssessor (formerly LockFilesAssessor) - version pinning validation, freshness checking
  • Enhanced GitignoreAssessor - language-specific pattern checking from GitHub templates
  • Enhanced CodeSmellsAssessor - multi-language linter support (pylint, ruff, ESLint, RuboCop, golangci-lint, actionlint, markdownlint)

New Assessors

DependencySecurityAssessor (Tier 1, 4% weight)

Merged dependency_freshness and security_scanning into a comprehensive security assessor:

  • Checks Dependabot configuration (30 points)
  • Checks CodeQL/GitHub Security Scanning (25 points)
  • Python dependency scanners: pip-audit, safety, bandit (20 points)
  • JavaScript/TypeScript scanners: npm audit, Snyk (20 points)
  • Secret detection: detect-secrets, gitleaks (20 points)
  • Semgrep SAST (15 points)
  • Security policy bonus (5 points)

ContainerSetupAssessor (Tier 4, 1% weight)

Conditional applicability - only runs if Dockerfile/Containerfile exists:

  • Dockerfile/Containerfile detection (40 points)
  • Multi-stage build bonus (10 points)
  • docker-compose.yml (30 points)
  • .dockerignore (20 points)

Enhanced Assessors

DependencyPinningAssessor (formerly LockFilesAssessor)

  • Version pinning validation (detects unpinned dependencies: >=, ~=, etc.)
  • Lock file freshness checking (warns if >6 months old)
  • Improved scoring with partial credit
  • Backward compatibility alias maintained

GitignoreAssessor

  • Language-specific pattern checking (Python, JavaScript, TypeScript, Java, Go, Ruby, Rust)
  • References GitHub's gitignore templates
  • Pattern matching handles trailing slash variants
  • Evidence shows coverage percentage

CodeSmellsAssessor

Multi-language linter support (7 linters):

  • Python: pylint (20 pts), ruff (20 pts)
  • JavaScript/TypeScript: ESLint (20 pts)
  • Ruby: RuboCop (20 pts)
  • Go: golangci-lint (20 pts)
  • GitHub Actions: actionlint (10 pts)
  • Markdown: markdownlint (10 pts, always checked)

Weight Adjustments

Updated default-weights.yaml:

  • Tier 1: 54% total (was 50%, added dependency_security 4%)
  • Tier 2: 27% total (was 30%, removed dependency_freshness 3%)
  • Tier 4: 3% total (was 5%, removed performance_benchmarks 1%)

Removed Stubs

  • dependency_freshness - merged into DependencySecurityAssessor
  • security_scanning - merged into DependencySecurityAssessor
  • performance_benchmarks - low ROI, removed per user decision

Test Plan

  • 46/46 tests passing (100% pass rate)
  • All linters passing (black, isort, ruff)
  • All pre-commit hooks passing
  • Comprehensive test coverage:
    • test_assessors_security.py - 8 tests for DependencySecurityAssessor
    • test_assessors_containers.py - 9 tests for ContainerSetupAssessor
    • test_assessors_stub.py - 16 tests for enhanced assessors
    • test_assessors_code_quality.py - 13 tests for CodeSmellsAssessor

Files Changed

  • 10 files modified
  • +2,665 insertions, -148 deletions
  • 4 new test files created
  • 2 new assessor files created

Bug Fixes

  • Fixed Citation model calls (added missing title/relevance parameters)
  • Fixed test expectations for evidence format (Unicode symbols ✓/ℹ️)
  • Improved pattern matching logic for .gitignore validation
  • Proper git initialization in all test fixtures

🤖 Generated with Claude Code

Co-Authored-By: Claude Sonnet 4.5 noreply@anthropic.com
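The version-pinning check the description attributes to DependencyPinningAssessor (flagging `>=`, `~=` and similar loose specifiers, with partial-credit scoring) is illustrated below by an added example; it is not the project's own code, and the function names and the sample requirements list are constructed for the illustration.

```python
import re

# Matches "name[extras] <specifier...>" on one requirements.txt line.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*?)$")
# A hard pin is a single "==" or "===" clause naming a concrete version (no wildcard).
_PIN_RE = re.compile(r"===?[\w.!+-]+")


def classify_requirement(line):
    """Return (name, status); status is 'pinned', 'unpinned' or 'skip'."""
    text = re.sub(r"\s+#.*$", "", line).strip()        # drop inline comments
    if not text or text.startswith(("#", "-")):
        return None, "skip"                             # comments, -r, -e, --hash lines
    m = _REQ_RE.match(text)
    if not m:
        return None, "skip"
    name = m.group(1).lower()
    spec = m.group(3).split(";")[0]                     # ignore environment markers
    clauses = [c.strip() for c in spec.split(",") if c.strip()]
    if len(clauses) == 1 and _PIN_RE.fullmatch(clauses[0]):
        return name, "pinned"
    return name, "unpinned"                             # >=, ~=, <, !=, wildcard, or none


def score_pinning(lines):
    """Partial credit: percentage of pinned requirements, plus the offending names."""
    counted = [classify_requirement(l) for l in lines]
    counted = [(n, s) for n, s in counted if s != "skip"]
    if not counted:
        return 0, []
    pinned = sum(1 for _, s in counted if s == "pinned")
    unpinned = [n for n, s in counted if s == "unpinned"]
    return round(100 * pinned / len(counted)), unpinned


# Constructed sample input for the demonstration (not taken from the PR).
SAMPLE = [
    "requests==2.31.0",
    "flask>=2.0  # loose lower bound",
    "numpy~=1.26",
    "-e .",
    "# a comment line",
    "pyyaml===6.0",
    "django==4.*",
    "urllib3==2.0; python_version<'3.12'",
]

if __name__ == "__main__":
    print(score_pinning(SAMPLE))  # → (50, ['flask', 'numpy', 'django'])
```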
