Releases: Synvoya/codeinspectus
Releases · Synvoya/codeinspectus
Release list
v0.3.0
Rescan now reports "resolved" only when it can prove it, plus honesty fixes to install docs and stored-scan handling.
Changed
- Rescan no longer over-claims "resolved." A prior finding is reported resolved only when CodeInspectus can prove it was re-checked and is gone — the producing engine actually ran, results weren't truncated, and the original scan's scope was reproduced. When it can't confirm (an engine didn't run, results hit a limit, or the prior scan predates captured scope), the finding is reported as
not_rechecked— an honest "couldn't confirm," never a false all-clear. A genuine fix still shows as resolved. - Severity threshold on rescan is now display-only. It affects what's shown, not what's compared — so filtering to "medium and up" can no longer make a still-present lower-severity finding look resolved.
Fixed
- Rescans could report a still-present finding as "resolved" when the re-scan used a narrower filter, an engine quietly didn't run, or a co-located secret's identity shifted between runs. All three paths are closed; rescan now matches findings on stable identity, not just a run-specific fingerprint.
Docs
- Install prerequisites now stated up front: Node.js 18+ and cosign on your PATH (cosign verifies the Opengrep and Trivy downloads; the install fails closed without it — Gitleaks needs none).
- Refined the write-scope wording from 0.2.0: CodeInspectus never edits or deletes your source code or repository; scan history and engines live under
~/.codeinspectus, and an SBOM is written to a managed directory by default, or a path you choose.
Internal
- Hardened stored-scan handling against path traversal and added validation of loaded scan files. Added continuous integration (build, tests, engine-verified evals) with dependency-pinned workflows. No change to what gets detected — the 35-rule detection set is unchanged.
Known limitations (stated plainly)
- A rescan run with a smaller
max_findingsthan the original may report some findings asnot_recheckedrather than resolved — by design, so a truncated re-scan never produces a false all-clear.
v0.2.1
Fixed
- Release provenance: 0.2.1 is published from the public repository, so the npm package's gitHead and the v0.2.1 git tag both resolve to a public commit. (0.1.0 and 0.2.0 were published from a private build repo; their gitHead values point at commits not reachable from this repository and cannot be retroactively corrected.)
Added
- MCP Registry metadata:
mcpNamein package.json and a rootserver.json, making CodeInspectus installable/listable via the official Model Context Protocol registry.
No detection or scanner behavior changes in this release.
v0.2.0
CodeInspectus v0.2.0 focuses on making the project easier to evaluate, list, and contribute to.
Highlights:
- Added a public demo GIF to the README.
- Added example demo reports for Next.js + Supabase, AI chatbot/RAG, and Node/React apps.
- Added listing copy for MCP registries and awesome-lists.
- Added clearer README positioning for local-first MCP security scanning of AI-generated apps.
- Added good-first contribution ideas for rules, fixtures, and mapping verification.
Validation:
- npm run build: PASS
- npm test: PASS, 115 tests passed
CodeInspectus remains local-first, MIT licensed, MCP-ready, and designed to help developers and coding agents catch common AI-app security mistakes before shipping.