Skip to content

GT-521: multi-language enforcers — Python (import-linter) + security-SARIF (Checkov/Trivy)#194

Merged
beyondnetPeru merged 2 commits into
mainfrom
develop
Jul 14, 2026
Merged

GT-521: multi-language enforcers — Python (import-linter) + security-SARIF (Checkov/Trivy)#194
beyondnetPeru merged 2 commits into
mainfrom
develop

Conversation

@beyondnetPeru

Copy link
Copy Markdown
Contributor

GT-521 — Deferred enforcers, landed where a real corpus exists

Extends the multi-language enforcer base (GT-515 Node/TS + GT-524 .NET) to Python and IaC/security, each exercised against a real corpus on this machine — the discipline the gap itself demands.

What landed

  • ImportLinterAdapter (Python) — parses lint-imports broken-contract reports → canonical Violation (file='', line=null, broken import chain in the message). isImportLinterFailure keys on the always-present "Contracts: N kept, M broken." summary, so a genuine tool failure SKIPs the rule rather than false-passing it.
  • Security-SARIF adapters (Checkov / Trivy + any SARIF 2.1.0 emitter) — reuse the GT-515 ingestSarif ingester wholesale and stamp category='security' so findings route to the security dimension, not architecture.
  • Violation.category optional field (schema + domain model).
  • Registered Checkov/Trivy in enforcer-catalog.json + validated-tool-catalog.md §4.3; createEnforcerAdapters now returns all five (dependency-cruiser, NetArchTest, import-linter, Checkov, Trivy).

Live verification

  • Python package where the domain imports infrastructure → 1 Violation carrying the chain; a clean package → 0 (0 FP).
  • Real Checkov SARIF over a Terraform corpus (8 findings) → 8 Violations, all category='security'; clean scan → 0.
  • core-domain 1024/1024 (incl. new adapter specs + updated anti-drift parity specs); core-api tsc --noEmit clean.

Honest scope

Deptrac (PHP) / ArchUnit (JVM) / jQAssistant (Neo4j) stay adapter-pending — no real repo of those runtimes exists to exercise them. That is criterion #1's own gate holding, not a shortcut: building them now is exactly the speculative, untestable code the gap's Risk/Evidence warn against.

Both acceptance criteria met. Board 530/551; guard 08 green (551 gaps / 512 closure records).

🤖 Generated with Claude Code

beyondnetPeru and others added 2 commits July 14, 2026 09:15
…rivy) enforcers (GT-521)

Extends the multi-language enforcer base beyond Node/TS + .NET, exercised against REAL corpora:
- ImportLinterAdapter (Python): parses lint-imports broken-contract reports → canonical
  Violations. Live-verified — a real Python package where domain imports infrastructure
  yields 1 Violation, a clean package 0 (0 FP).
- Security-SARIF adapters (Checkov/Trivy + any SARIF scanner): reuse the GT-515 ingestSarif
  and stamp category='security'. Live-verified — real Checkov SARIF on a Terraform corpus
  (8 findings) parses to 8 Violations, all category='security'; a clean scan → 0.
- Adds the optional Violation.category field (security tools route to the security dimension).
- Registers Checkov/Trivy in enforcer-catalog.json + validated-tool-catalog §4.3; wires all
  five adapters into createEnforcerAdapters.

Deptrac (PHP) / ArchUnit (JVM) / jQAssistant (Neo4j) correctly stay adapter-pending — no real
repo of those runtimes exists (GT-521 criterion #1's own gate).

Verified: core-domain 1024/1024 (incl. updated anti-drift parity tests), core-api tsc clean.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…live-verified (board 530/551)

import-linter (Python) + Checkov/Trivy (security SARIF, category='security') landed and
exercised against real corpora on this machine (Python domain→infra = 1 Violation / clean 0;
Checkov SARIF over Terraform = 8 Violations all category='security' / clean 0). Both ACs met.
Deptrac (PHP) / ArchUnit (JVM) / jQAssistant (Neo4j) correctly stay adapter-pending — no real
repo of those runtimes exists to exercise them (criterion #1's own gate; the Risk/Evidence this
gap warns against). Guard 08: 551 gaps / 512 closure records green.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown

📊 Bilingual Coverage Impact

PR Changes

  • Paired EN/ES files modified: 3
  • New EN files needing ES translation: 0

Repository Coverage

Metric Value
Total EN files 545
Total ES files 508
Paired files 0
Coverage 0%

Good: All EN changes have ES counterparts.


Generated by GitHub Actions

@beyondnetPeru beyondnetPeru merged commit 1ed941a into main Jul 14, 2026
22 checks passed

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 2aaa3e9064

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment on lines +43 to +45
createImportLinterAdapter(runner), // Python (GT-521)
createCheckovAdapter(runner), // IaC/security → category=security (GT-521)
createTrivyAdapter(runner), // vuln/IaC security → category=security (GT-521)

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Badge Add the new analyzer commands to the sandbox allowlist

These newly registered adapters are always wrapped by SandboxedProcessRunner in createCompositeEnforcerStrategy, but DEFAULT_SANDBOX_POLICY.binaryAllowlist still lacks the actual executables they invoke: lint-imports, checkov, and trivy (it only has entries such as import-linter/conftest/dotnet). With the default policy, any Python or IaC/security enforcer rule is denied before the process can spawn and is reported as skipped, so the new implemented enforcers never run unless callers override the sandbox policy.

Useful? React with 👍 / 👎.

Comment on lines +121 to +124
| **import-linter** | 2.1.0 | python | Import contracts, grimp-backed (Python) | Implemented (GT-521, live-verified against a real Python corpus) | ADR-0002 |
| **Conftest** | 0.56.0 | iac | OPA/Rego policy checks for IaC/config manifests | Catalogued; SARIF path covered by the shared security adapter (GT-521) | ADR-0002 |
| **Checkov** | 3.3.8 | iac | IaC misconfiguration scanning (SARIF, `category=security`) | Implemented (GT-521, live-verified on a real Terraform corpus) | ADR-0002 |
| **Trivy** | 0.56.2 | iac | Vulnerability + IaC misconfiguration scanning (SARIF, `category=security`) | Implemented (GT-521, shared SARIF security adapter) | ADR-0002 |

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Sync the Spanish tool catalog

The English tool catalog now marks import-linter as implemented and adds Checkov/Trivy, but product/infra/validated-tool-catalog.es.md still has the old 16.x/2.x entries, still says import-linter is pending, and has no Checkov/Trivy rows in §4.3. Because this repository's root instructions require bilingual EN/ES documents to stay structurally and semantically in sync, this change leaves the Spanish catalog stale and should be updated alongside these rows.

Useful? React with 👍 / 👎.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant