Tags: boostsecurityio/poutine
Reduce MCP server JSON response size to minimize LLM token consumption (#360)

Implement lightweight response structure for MCP server that reduces JSON payload size while preserving all essential security data and adding enhanced SCM context for better repository identification.

Changes:
- Create mcpAnalysisResponse struct with only essential fields: findings, rules, purl, repository, scm_type, git_ref, commit_sha, last_commit
- Remove embedded PackageInsights to eliminate heavy fields like github_actions_workflows, package_dependencies, and repo statistics
- Update all MCP handlers (analyze_repo, analyze_local, analyze_org, analyze_stale_branches) to use lightweight response
- Add comprehensive test suite to verify response structure and size
- Add SCM context fields (purl, scm_type) per reviewer feedback
- Rename 'ref' to 'git_ref' for clarity

Results:
- Lightweight response: ~182 bytes for empty findings vs kilobytes before
- All essential security findings and repository metadata preserved
- Better SCM identification with purl and scm_type fields
- All tests passing with no regressions

Fixes #359

Co-authored-by: François Proulx <francois@boostsecurity.io>
Document skip configuration for acknowledging findings (#364)

* Document skip configuration for acknowledging findings

Add "Acknowledging Findings" section to README.md to improve discoverability of the existing skip configuration feature. This allows users to suppress false positives or accepted risks.

Includes:
- Use case explanations for when to skip findings
- Complete documentation of all filter options (job, level, path, rule, purl, osv_id)
- Practical examples showing how to skip by severity level, workflow path, and rule name

Fixes #40

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Document --skip command-line flag for acknowledging findings

Add documentation for the --skip command-line flag in both the Configuration Options section and the Acknowledging Findings section. Clarify that the command-line flag only supports skipping rules globally by name, while the configuration file supports granular filtering by job, path, level, etc.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: François Proulx <francois@boostsecurity.io>
Co-authored-by: Claude <noreply@anthropic.com>
Optimize skip rule (#287)

* Optimize skip rule

Do not compile rules that are going to be filtered by the config
Move HasOnlyRule to valid place
Add cli

* Update cli message

Signed-off-by: Sébastien Graveline <71460041+Talgarr@users.noreply.github.com>

* Update opa/opa.go

Co-authored-by: Alexis-Maurer Fortin <alexis-maurer.fortin@outlook.com>
Signed-off-by: Sébastien Graveline <71460041+Talgarr@users.noreply.github.com>

---------

Signed-off-by: Sébastien Graveline <71460041+Talgarr@users.noreply.github.com>
Co-authored-by: Alexis-Maurer Fortin <alexis-maurer.fortin@outlook.com>
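The two commits above (#364 and #287) describe the skip feature from two sides: granular filters in the configuration file (job, level, path, rule, purl, osv_id) plus a global --skip flag by rule name, and an optimization that avoids compiling a rule when the config skips it everywhere. The following Go program is an added example written for this page, not poutine's own code: the Finding and SkipEntry field names, the matching semantics (all set fields of an entry must match; any matching entry acknowledges the finding; unset fields impose no constraint), the glob matching on values, and the sample findings and rule names are all assumptions for illustration.

```go
package main

import (
	"fmt"
	"path"
)

// Finding is a minimal stand-in for a scanner finding (field names assumed for this example).
type Finding struct {
	RuleID string
	Level  string // e.g. "error", "warning", "note"
	Path   string // workflow file the finding points at
	Job    string // workflow job, if any
	Purl   string // package URL of the scanned repository
	OsvID  string // OSV advisory id, for dependency findings
}

// SkipEntry models one entry of a skip configuration. Every non-empty field
// must match (AND); a finding is acknowledged if any entry matches (OR).
type SkipEntry struct {
	Job   []string
	Level []string
	Path  []string // glob patterns, e.g. ".github/workflows/*.yml"
	Rule  []string
	Purl  []string
	OsvID []string
}

// matchAny returns true when the filter is unset or any pattern matches the value.
// Patterns are tried as path globs first, then as literal strings.
func matchAny(patterns []string, value string) bool {
	if len(patterns) == 0 {
		return true // unset filter: no constraint
	}
	for _, p := range patterns {
		if ok, err := path.Match(p, value); (err == nil && ok) || p == value {
			return true
		}
	}
	return false
}

// Matches reports whether this entry acknowledges the finding.
func (e SkipEntry) Matches(f Finding) bool {
	return matchAny(e.Job, f.Job) &&
		matchAny(e.Level, f.Level) &&
		matchAny(e.Path, f.Path) &&
		matchAny(e.Rule, f.RuleID) &&
		matchAny(e.Purl, f.Purl) &&
		matchAny(e.OsvID, f.OsvID)
}

// HasOnlyRule reports whether the entry constrains nothing but the rule name.
// Such an entry suppresses the rule everywhere, so its policy never needs
// to be compiled; this mirrors the idea of the #287 optimization.
func (e SkipEntry) HasOnlyRule() bool {
	return len(e.Rule) > 0 && len(e.Job) == 0 && len(e.Level) == 0 &&
		len(e.Path) == 0 && len(e.Purl) == 0 && len(e.OsvID) == 0
}

// GloballySkippedRules collects rule names that can be dropped before
// compilation: names given on the command line plus rule-only config entries.
// Only literal names are collected; glob-style rule entries are still applied
// by Filter below, so this is purely an optimization.
func GloballySkippedRules(cliSkip []string, entries []SkipEntry) map[string]bool {
	out := map[string]bool{}
	for _, r := range cliSkip {
		out[r] = true
	}
	for _, e := range entries {
		if e.HasOnlyRule() {
			for _, r := range e.Rule {
				out[r] = true
			}
		}
	}
	return out
}

// Filter drops acknowledged findings and returns the ones still to report.
func Filter(findings []Finding, cliSkip []string, entries []SkipEntry) []Finding {
	global := GloballySkippedRules(cliSkip, entries)
	var kept []Finding
	for _, f := range findings {
		if global[f.RuleID] {
			continue
		}
		skipped := false
		for _, e := range entries {
			if e.Matches(f) {
				skipped = true
				break
			}
		}
		if !skipped {
			kept = append(kept, f)
		}
	}
	return kept
}

// sampleFindings is constructed input; rule names are illustrative only.
func sampleFindings() []Finding {
	return []Finding{
		{RuleID: "untrusted_checkout_exec", Level: "error", Path: ".github/workflows/pr.yml", Job: "build"},
		{RuleID: "pr_runs_on_self_hosted", Level: "warning", Path: ".github/workflows/release.yml", Job: "publish"},
		{RuleID: "injection", Level: "error", Path: ".github/workflows/release.yml", Job: "publish"},
		{RuleID: "github_action_from_unverified_creator_used", Level: "note", Path: ".github/workflows/ci.yml", Job: "test"},
	}
}

// sampleSkip is a constructed skip configuration: drop informational findings
// everywhere, and accept one rule in one specific workflow.
func sampleSkip() []SkipEntry {
	return []SkipEntry{
		{Level: []string{"note"}},
		{Rule: []string{"pr_runs_on_self_hosted"}, Path: []string{".github/workflows/release.yml"}},
	}
}

func main() {
	// "injection" stands for a rule skipped globally via the --skip flag.
	kept := Filter(sampleFindings(), []string{"injection"}, sampleSkip())
	for _, f := range kept {
		fmt.Printf("%-7s %-30s %s\n", f.Level, f.RuleID, f.Path)
	}
	fmt.Println("rules skipped globally (no need to compile):", GloballySkippedRules([]string{"injection"}, sampleSkip()))
}
```

With the constructed input only the untrusted_checkout_exec finding survives: the note-level finding is acknowledged by a level-only entry, the self-hosted finding by a rule-plus-path entry, and the injection finding by the command-line skip, which is also the only rule the optimization would leave uncompiled.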
feat(findings): include 'event_triggers' in finding metadata (#233)

* feat(findings): include 'event_triggers' in finding metadata

Signed-off-by: Bryce Thuilot <bryce@thuilot.io>

* Rego linting with opa fmt --write .

---------

Signed-off-by: Bryce Thuilot <bryce@thuilot.io>
Co-authored-by: François Proulx <francois@boostsecurity.io>
Git Error Handling Improvements + Git Error Resilient Analyze Local (#222)

* improving parsing of git errors to give more flexibility in error handling
* git not found specific error
* adding interface type for all git errors
* wrapping errors for better context
* making the local git client resilient to git errors so poutine can be used on folders that are not in a git repo
* Made local git client resilient to git failures and to work when no git repos are present. Added handling to format the output data when no git repo exists