v2.0.1: world-class CLI output + accuracy fixes#42
Merged
Conversation
The minimal CLI report printed descriptions, fix hints, and links as single long lines that ran off the terminal and wrapped raggedly. Rework the renderer to:
- wrap description / fix / AI-reasoning / evidence to the terminal width (via terminal.Width(), clamped 60–120) with clean hanging indents
- tighten indentation (file at column 0 with a finding count, details at 4)
- render the fix with a "→" prefix and aligned continuation lines
- truncate over-long offending-code lines instead of overflowing
No change to the json/sarif/yaml/markdown formats.
Rework the CLI renderer into a semgrep-class layout:
- a colored title and per-file headers with finding counts
- each finding shows a severity-colored "❯" marker, the rule, and the line
- a multi-line code snippet with a line-number gutter: context lines are dimmed and the offending line is marked "❱" and highlighted
- description / fix / AI notes wrap to the terminal width with clean hanging indents; over-long code lines are truncated with an ellipsis
- a width-aware summary footer with color-coded counts
json/sarif/yaml/markdown output is unchanged.
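The wrapping and truncation the two commits above describe, as an added Go illustration (not the project's renderer): `clampWidth` bounds a measured terminal width to the 60–120 range, `wrapHanging` word-wraps a description or fix hint with a prefix on the first line and an aligned continuation indent, and `truncateCode` cuts an over-long code line with an ellipsis. The 40-column width and the fix-hint text in `main` are constructed inputs; the function names are this example's own, not identifiers from the project.

```go
package main

import (
	"fmt"
	"strings"
)

// clampWidth bounds a measured terminal width to the 60–120 range the
// renderer wraps to. The range is from the commit message; the code is an
// added illustration, not the project's renderer.
func clampWidth(measured int) int {
	if measured < 60 {
		return 60
	}
	if measured > 120 {
		return 120
	}
	return measured
}

// wrapHanging word-wraps text so no output line exceeds width runes. The
// first line starts with `first` (e.g. "    → " for a fix hint) and every
// continuation line with `cont`, normally spaces of the same width, which
// produces the aligned hanging indent. A single word longer than the width
// is emitted on its own line rather than broken.
func wrapHanging(text string, width int, first, cont string) []string {
	words := strings.Fields(text)
	if len(words) == 0 {
		return []string{strings.TrimRight(first, " ")}
	}
	var lines []string
	cur := first + words[0]
	for _, w := range words[1:] {
		candidate := cur + " " + w
		if len([]rune(candidate)) > width {
			lines = append(lines, cur)
			cur = cont + w
			continue
		}
		cur = candidate
	}
	return append(lines, cur)
}

// truncateCode cuts an offending-code line to width runes, replacing the
// tail with an ellipsis so it never overflows the terminal.
func truncateCode(line string, width int) string {
	r := []rune(line)
	if len(r) <= width {
		return line
	}
	if width < 2 {
		return "…"
	}
	return string(r[:width-1]) + "…"
}

func main() {
	// Constructed input: pretend the terminal measured 40 columns, so the
	// renderer clamps up to the 60-column floor.
	width := clampWidth(40)
	fix := "Pin the action to a full-length commit SHA instead of a mutable tag so a moved tag cannot change the code that runs."
	for _, l := range wrapHanging(fix, width, "    → ", "      ") {
		fmt.Println(l)
	}
	fmt.Println(truncateCode("    uses: some-org/some-action@v1  # "+strings.Repeat("x", 80), width))
}
```

The width check counts runes rather than bytes so that the "→" prefix and non-ASCII text do not cause lines to wrap early.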
- IMPOSTOR_COMMIT: evaluate each line of a run block independently. Previously
a benign `git config user.name "github-actions[bot]"` was escalated to
CRITICAL whenever the block contained any `${...}` elsewhere, and the finding
was mis-located to the first `run:` line. Now the official bot identity is
LOW and a variable-based identity is CRITICAL, each pinpointed to its line.
- GITHUB_ENV_UNTRUSTED_WRITE: locate the exact offending `>> $GITHUB_ENV` line
inside the run block (and use it as evidence) instead of the `run:` block line.
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Summary

A patch release focused on terminal UX and finding accuracy.

CLI output (semgrep-class)

The default report is reworked into a polished layout:
- a colored title and per-file headers with finding counts
- each finding shows a severity-colored ❯ marker, the rule, and the line
- a multi-line code snippet with a line-number gutter: context lines dimmed, the offending line marked ❱ and highlighted
- description / fix: / AI notes wrap to the terminal width with hanging indents
- json/sarif/yaml/markdown output is unchanged.

Accuracy fixes
- IMPOSTOR_COMMIT: a benign `git config user.name "github-actions[bot]"` was reported CRITICAL whenever its run block contained `${...}` anywhere (and mis-located to the first `run:`). Now each run-block line is evaluated independently — official bot identity is LOW, variable-based identity is CRITICAL — each pinpointed to its exact line.
- GITHUB_ENV_UNTRUSTED_WRITE: points at the exact `>> $GITHUB_ENV` line inside the run block instead of the `run:` block-scalar line.

Verification

`go build` / `go vet` / `go test ./...` — 23/23 packages pass. Validated on real scans of `cli/cli` and `git/git`.
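The per-line evaluation the accuracy fixes describe, as an added Go example that is not the project's own rule code: each line of a `run:` block is classified on its own, so a `${...}` on one line no longer escalates the benign bot identity on another, and every finding carries the 1-based line within the block as its location and the line text as evidence. The LOW/CRITICAL levels for IMPOSTOR_COMMIT follow the PR; the HIGH level for GITHUB_ENV_UNTRUSTED_WRITE, the regexes, and the rule that every `>> $GITHUB_ENV` append is flagged (the real rule may also require the written value to be untrusted) are this example's assumptions, and `SampleRun` is a constructed run block.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Severity of a finding. LOW and CRITICAL follow the PR; HIGH for the
// GITHUB_ENV rule is an assumption, the page does not state its level.
type Severity string

const (
	Low      Severity = "LOW"
	High     Severity = "HIGH"
	Critical Severity = "CRITICAL"
)

// Finding is one per-line result. Line is 1-based within the run block; a
// reporter adds the block's offset in the workflow file to point at the
// exact line rather than at the `run:` key.
type Finding struct {
	Rule     string
	Severity Severity
	Line     int
	Evidence string
}

var (
	// `git config [--flags] user.name <value>`; the value is captured as written.
	userNameRe = regexp.MustCompile(`git\s+config\s+(?:--\S+\s+)*user\.name\s+(.+)$`)
	// Append-redirect into the GITHUB_ENV file (quoted or braced forms too).
	githubEnvRe = regexp.MustCompile(`>>\s*"?\$\{?GITHUB_ENV\}?"?`)
)

// EvaluateRunBlock scans each line of a `run:` block on its own, so a
// `${...}` on one line never changes how another line is classified.
func EvaluateRunBlock(run string) []Finding {
	var out []Finding
	for i, raw := range strings.Split(run, "\n") {
		line := strings.TrimSpace(raw)
		n := i + 1
		if m := userNameRe.FindStringSubmatch(line); m != nil {
			value := strings.Trim(m[1], `"'`)
			switch {
			case strings.Contains(value, "${"):
				// Commit identity taken from a variable or expression.
				out = append(out, Finding{"IMPOSTOR_COMMIT", Critical, n, line})
			case value == "github-actions[bot]":
				// The official bot identity: worth noting, not an impersonation.
				out = append(out, Finding{"IMPOSTOR_COMMIT", Low, n, line})
			}
		}
		if githubEnvRe.MatchString(line) {
			// Assumption: every append to GITHUB_ENV is flagged here; the real
			// rule may additionally require the written value to be untrusted.
			out = append(out, Finding{"GITHUB_ENV_UNTRUSTED_WRITE", High, n, line})
		}
	}
	return out
}

// SampleRun is a constructed run block: the benign bot identity on line 1,
// an expression written to GITHUB_ENV on line 3, a variable identity on line 4.
const SampleRun = `git config user.name "github-actions[bot]"
git commit -m "chore: update"
echo "TITLE=${{ github.event.pull_request.title }}" >> $GITHUB_ENV
git config user.name "${{ github.event.pull_request.user.login }}"`

func main() {
	for _, f := range EvaluateRunBlock(SampleRun) {
		fmt.Printf("%-26s %-8s line %d  %s\n", f.Rule, f.Severity, f.Line, f.Evidence)
	}
}
```

Run against `SampleRun`, line 1 is reported LOW even though line 3 and line 4 contain `${{ ... }}`, which is exactly the mis-escalation the PR removes; the GITHUB_ENV finding points at line 3 rather than at the start of the block.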