Skip to content

Releases: Synvoya/codeinspectus

v0.3.0

Choose a tag to compare

@Synvoya Synvoya released this 12 Jul 13:25

Rescan now reports "resolved" only when it can prove it, plus honesty fixes to install docs and stored-scan handling.

Changed

  • Rescan no longer over-claims "resolved." A prior finding is reported resolved only when CodeInspectus can prove it was re-checked and is gone — the producing engine actually ran, results weren't truncated, and the original scan's scope was reproduced. When it can't confirm (an engine didn't run, results hit a limit, or the prior scan predates captured scope), the finding is reported as not_rechecked — an honest "couldn't confirm," never a false all-clear. A genuine fix still shows as resolved.
  • Severity threshold on rescan is now display-only. It affects what's shown, not what's compared — so filtering to "medium and up" can no longer make a still-present lower-severity finding look resolved.

Fixed

  • Rescans could report a still-present finding as "resolved" when the re-scan used a narrower filter, an engine quietly didn't run, or a co-located secret's identity shifted between runs. All three paths are closed; rescan now matches findings on stable identity, not just a run-specific fingerprint.

Docs

  • Install prerequisites now stated up front: Node.js 18+ and cosign on your PATH (cosign verifies the Opengrep and Trivy downloads; the install fails closed without it — Gitleaks needs none).
  • Refined the write-scope wording from 0.2.0: CodeInspectus never edits or deletes your source code or repository; scan history and engines live under ~/.codeinspectus, and an SBOM is written to a managed directory by default, or a path you choose.

Internal

  • Hardened stored-scan handling against path traversal and added validation of loaded scan files. Added continuous integration (build, tests, engine-verified evals) with dependency-pinned workflows. No change to what gets detected — the 35-rule detection set is unchanged.

Known limitations (stated plainly)

  • A rescan run with a smaller max_findings than the original may report some findings as not_rechecked rather than resolved — by design, so a truncated re-scan never produces a false all-clear.

v0.2.1

Choose a tag to compare

@Synvoya Synvoya released this 05 Jul 16:01

Fixed

  • Release provenance: 0.2.1 is published from the public repository, so the npm package's gitHead and the v0.2.1 git tag both resolve to a public commit. (0.1.0 and 0.2.0 were published from a private build repo; their gitHead values point at commits not reachable from this repository and cannot be retroactively corrected.)

Added

  • MCP Registry metadata: mcpName in package.json and a root server.json, making CodeInspectus installable/listable via the official Model Context Protocol registry.

No detection or scanner behavior changes in this release.

v0.2.0

Choose a tag to compare

@Synvoya Synvoya released this 05 Jul 13:33

CodeInspectus v0.2.0 focuses on making the project easier to evaluate, list, and contribute to.

Highlights:

  • Added a public demo GIF to the README.
  • Added example demo reports for Next.js + Supabase, AI chatbot/RAG, and Node/React apps.
  • Added listing copy for MCP registries and awesome-lists.
  • Added clearer README positioning for local-first MCP security scanning of AI-generated apps.
  • Added good-first contribution ideas for rules, fixtures, and mapping verification.

Validation:

  • npm run build: PASS
  • npm test: PASS, 115 tests passed

CodeInspectus remains local-first, MIT licensed, MCP-ready, and designed to help developers and coding agents catch common AI-app security mistakes before shipping.