sharang/compliance-scanner-agent
1
0
Fork 0
Code Issues 51 Pull Requests 1 Actions Packages Projects Releases 1 Wiki Activity
Files
da4084ee78e354aed87dce6fc22b07d5314cf6b8
compliance-scanner-agent/compliance-agent
History
Sharang Parnerkar da4084ee78
Some checks failed
CI / Check (pull_request) Successful in 10m8s
Details
CI / Detect Changes (pull_request) Has been skipped
Details
CI / Deploy Agent (pull_request) Has been cancelled
Details
CI / Deploy Dashboard (pull_request) Has been cancelled
Details
CI / Deploy Docs (pull_request) Has been cancelled
Details
CI / Deploy MCP (pull_request) Has been cancelled
Details
feat: refine all LLM system prompts for precision and reduced false positives 
Code review prompts (review_prompts.rs):
- Add explicit "Do NOT report" sections listing common false positive patterns
- Add language-specific guidance (Rust short-circuit, shadowing, clone patterns)
- Cap findings per pass (3 for conventions, 2 for complexity) to reduce noise
- Raise complexity thresholds (80 lines, 5+ nesting) to pragmatic levels
- Require concrete bug scenarios, not theoretical concerns
- Separate severity guides per pass with clear definitions

Triage prompt (triage.rs):
- Add explicit dismiss criteria for language idioms, non-security hash usage,
  operational logging, and duplicate findings
- Add confirm-only-when criteria requiring concrete exploit scenarios
- Refined confidence scoring guide with clear thresholds

Finding descriptions (descriptions.rs):
- Rewrite to be developer-facing: lead with what/where, skip filler
- Fix suggestions should show corrected code, not vulnerable code
- Remove generic "could lead to" phrasing in favor of specific scenarios

Code fix suggestions (fixes.rs):
- Require drop-in replacement code preserving original style
- Handle false positives by returning original code with explanation
- Limit inline comments to the changed line only

Pentest orchestrator (prompt_builder.rs):
- Add "Finding Quality Rules" section preventing duplicate findings
- Instruct grouping related findings (e.g. missing headers = one finding)
- Cap missing header severity at medium unless exploit demonstrated
- Mark console.log in vendored/minified JS as informational only

RAG chat (chat.rs):
- Add concise rules for referencing files/lines and security context

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 22:57:37 +02:00
..
src
feat: refine all LLM system prompts for precision and reduced false positives
2026-03-29 22:57:37 +02:00
tests
refactor: modularize codebase and add 404 unit tests (#13)
2026-03-13 08:03:45 +00:00
Cargo.toml
feat: pentest onboarding — streaming, browser automation, reports, user cleanup (#16)
2026-03-17 20:32:20 +00:00