When running a scan via the ASH MCP server (run_ash_scan), the get_scan_progress API reports scanners that were skipped due to missing dependencies as "completed" with 0 findings. This is misleading — the consumer has no way to distinguish between "scanned and found nothing" vs "never ran because dependencies weren't available."
Steps to Reproduce
- Run a scan via the MCP server on a system where some scanner dependencies are missing (e.g., grype, opengrep, semgrep, syft not installed):
result = run_ash_scan(source_dir="/path/to/project")
scan_id = result['scan_id']
# Poll until complete
progress = get_scan_progress(scan_id=scan_id)
- Observe that
get_scan_progress reports all scanners (including those with missing deps) as:
{
"scanner_name": "opengrep",
"status": "completed",
"finding_count": 0,
"severity_counts": { "critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0, "suppressed": 0 }
}
- Meanwhile, the ASH log (
ash.log) shows:
Scanner semgrep dependencies are not satisfied, marking as MISSING
Scanner syft dependencies are not satisfied, marking as MISSING
Expected Behavior
Scanners that were skipped due to missing dependencies should be reported with a distinct status, e.g.:
{
"scanner_name": "opengrep",
"status": "skipped",
"skip_reason": "missing_dependencies",
"finding_count": 0
}
Or at minimum, the progress response should include a skipped_scanners field listing which scanners didn't actually run.
Impact
- Users relying on the MCP server for CI/CD integration may believe they have full scanner coverage when they don't.
- No signal that security coverage is degraded.
- The
completed_scanners count (9 in this case) doesn't match the actual number of scanners that ran (4).
Environment
- ASH version: v3 (installed via
uvx)
- OS: Linux (Amazon Linux)
- MCP server: ASH MCP server
- Missing scanners: grype, opengrep, semgrep, syft (dependencies not installed)
- Scanners that actually ran: bandit, checkov, detect-secrets, npm-audit
When running a scan via the ASH MCP server (
run_ash_scan), theget_scan_progressAPI reports scanners that were skipped due to missing dependencies as "completed" with 0 findings. This is misleading — the consumer has no way to distinguish between "scanned and found nothing" vs "never ran because dependencies weren't available."Steps to Reproduce
get_scan_progressreports all scanners (including those with missing deps) as:{ "scanner_name": "opengrep", "status": "completed", "finding_count": 0, "severity_counts": { "critical": 0, "high": 0, "medium": 0, "low": 0, "info": 0, "suppressed": 0 } }ash.log) shows:Expected Behavior
Scanners that were skipped due to missing dependencies should be reported with a distinct status, e.g.:
{ "scanner_name": "opengrep", "status": "skipped", "skip_reason": "missing_dependencies", "finding_count": 0 }Or at minimum, the progress response should include a
skipped_scannersfield listing which scanners didn't actually run.Impact
completed_scannerscount (9 in this case) doesn't match the actual number of scanners that ran (4).Environment
uvx)