feat(view): bulk triage → OpenVEX + ignore files (Phase 7) #269
lazygit-style triage at scale for findings, with a durable audit trail instead of a spreadsheet. Multi-select (or focus a finding), press `S`, pick a status (false-positive / not-exploitable / accept-risk / under-investigation) and type a reason; Argus records the decision to two places so it sticks:

- argus-results.openvex.json — an OpenVEX v0.2.0 document (the audit trail: per-CVE status + justification + reason + author + timestamp). Re-triaging a finding updates its statement and bumps the version; an existing VEX file is merged, never clobbered.
- .trivyignore / .gitleaksignore — so the next scan honours the decision. CVE findings → .trivyignore (reason as a comment); secret findings → .gitleaksignore (fingerprint). under-investigation records VEX only.

argus/core/suppressions.py (UI-free) does the work — decision_for, to_vex_statement, build_vex_document, merge_vex_documents, the ignore-entry formatters, and write_suppressions — all unit-tested (20 tests), reusing the same OpenVEX vocabulary as the signed-attestation reporter so a TUI decision and a CI-generated VEX speak the same language. This answers the "where do not_affected/fixed decisions come from?" question the OpenVEX reporter (#229) deliberately left open.

Viewer: `S` opens a status+reason modal (SuppressScreen); a command-palette entry mirrors it. The "hide suppressed" filter view is a noted follow-on.
🔒 Argus Container Security Scan
Branch:

📊 Combined Findings Summary
Scanned: 5 containers | Build Failures: 0

📦 Container Breakdown

🔍 Detailed Findings by Container

🚨 cli - 108 vulnerabilities (45 unique)
Image: Combined (Deduplicated)
🔷 Trivy Scanner (108 findings, 43 unique)
...and 58 more
⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype

✅ scanner-bandit - 0 vulnerabilities (0 unique)
Image: Combined (Deduplicated)
🔷 Trivy Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Trivy
⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype

✅ scanner-mumps - 0 vulnerabilities (0 unique)
Image: Combined (Deduplicated)
🔷 Trivy Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Trivy
⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype

🚨 scanner-opengrep - 106 vulnerabilities (49 unique)
Image: Combined (Deduplicated)
🔷 Trivy Scanner (106 findings, 48 unique)
...and 56 more
⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype
| 🚨 Critical | High | 🟡 Medium | 🔵 Low | Total | Unique |
|---|---|---|---|---|---|
| 0 | 12 | 6 | 0 | 18 | 18 |

🔷 Trivy Scanner (18 findings, 18 unique)

| CVE | Severity | Package | Version | Fixed |
|---|---|---|---|---|
| CVE-2026-32280 | HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32281 | HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32283 | HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-33810 | HIGH | stdlib | v1.26.1 | 1.26.2 |
| CVE-2026-33811 | HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-33814 | HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39820 | HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39823 | HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39825 | HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39836 | HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-42499 | HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-42504 | HIGH | stdlib | v1.26.1 | 1.25.11, 1.26.4 |
| CVE-2026-27145 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.11, 1.26.4 |
| CVE-2026-32282 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32288 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32289 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-39826 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-42507 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.11, 1.26.4 |

⚓ Grype Scanner (0 findings, 0 unique)
✅ No vulnerabilities detected by Grype
Generated by Argus
3f0a05d into feat/tui-explorer-and-scan-runner
Description

Phase 7 — bulk triage at scale with a durable audit trail. Multi-select findings (or focus one), press S, pick a status + reason, and Argus records the decision to OpenVEX + scanner ignore files. Targets the integration branch (feat/tui-explorer-and-scan-runner, PR #261).

This answers the "where do not_affected/fixed triage decisions come from?" question the OpenVEX reporter (argus/reporters/openvex.py, #229) deliberately left open.

Changes Made

- argus/core/suppressions.py

Details

- argus/core/suppressions.py (UI-free): decision_for(action, …) maps a triage action → TriageDecision; to_vex_statement / build_vex_document / merge_vex_documents emit + merge an OpenVEX v0.2.0 doc (audit trail = status + justification + reason + author + timestamp, keyed by CVE+product, idempotent content @id); trivyignore_entries / gitleaksignore_entries + write_suppressions append to .trivyignore / .gitleaksignore (never clobber, merges existing VEX). Reuses the OpenVEX vocabulary of the signed-attestation reporter — a TUI decision and a CI VEX speak the same language.
- not_affected/vulnerable_code_not_present; not-exploitable → not_affected/vulnerable_code_not_in_execute_path; accept-risk → affected + action_statement; under-investigation → under_investigation (VEX only, no ignore entry).
- app.py: S opens a status+reason modal (SuppressScreen) over the focused finding or the multi-select set; writes to the repo root; toasts the artifacts written. Command-palette entry mirrors it.

Testing

- test_suppressions.py (20 tests): action mapping, VEX statement/document shape, deterministic @id, merge dedup + version bump, CVE-less skip, ignore-entry formatting, and write_suppressions (VEX + trivy + gitleaks, merge-existing, append-without-clobber, under-investigation writes no ignore).
- Pilot: a Log4Shell CVE → VEX not_affected + .trivyignore; a gitleaks finding (no CVE) → .gitleaksignore fingerprint, correctly excluded from VEX.
- viewers/browser failures are pre-existing + green in CI.

Security Considerations

AI Context Updates (.ai/)

- .ai/architecture.yaml updated (core/suppressions.py + viewer S action, both mirror blocks)

Checklist

- docs/view-terminal.md — keybind + "Triage & suppression" section

Related Issues

Console epic — docs/developer/CONSOLE-ROADMAP.md, Phase 7. Builds on the OpenVEX reporter (#229).
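The PR summary above and the "Details" list both describe the same pipeline: a triage action maps to an OpenVEX status/justification, statements are keyed by CVE+product with a content-derived @id, re-triage merges into the existing document and bumps its version, and the ignore files are only ever appended to. The following is an added worked example of that pipeline, written for this page; it is not Argus's argus/core/suppressions.py. The function names echo the PR description, but their signatures, the ACTIONS table, the `https://openvex.dev/docs/example/...` @id pattern, the choice to store an under_investigation reason in impact_statement, and the Log4Shell / gitleaks sample findings (including the made-up fingerprint) are all assumptions of the example.

```python
"""Triage -> OpenVEX + ignore files. Added example, not Argus's argus/core/suppressions.py; names, signatures and sample data are assumptions."""
from __future__ import annotations
import hashlib, json, tempfile
from dataclasses import dataclass
from pathlib import Path
OPENVEX_CONTEXT = "https://openvex.dev/ns/v0.2.0"
# triage action -> (OpenVEX status, justification); accept-risk is "affected" + action_statement
ACTIONS = {
    "false-positive": ("not_affected", "vulnerable_code_not_present"),
    "not-exploitable": ("not_affected", "vulnerable_code_not_in_execute_path"),
    "accept-risk": ("affected", None),
    "under-investigation": ("under_investigation", None),
}

@dataclass(frozen=True)
class Finding:
    product: str                    # purl or image ref the scanner reported
    cve: str | None = None          # None for secret findings (no VEX statement)
    fingerprint: str | None = None  # gitleaks fingerprint, secret findings only

Decision = tuple[Finding, str, str]  # (finding, triage action, reason typed by the triager)

def to_vex_statement(d: Decision, ts: str) -> dict | None:
    finding, action, reason = d
    if finding.cve is None:  # secret findings have no CVE and therefore no VEX statement
        return None
    status, justification = ACTIONS[action]
    stmt = {"vulnerability": {"name": finding.cve}, "products": [{"@id": finding.product}],
            "status": status, "timestamp": ts}
    if justification:
        stmt["justification"] = justification
    # affected -> action_statement; otherwise the reason goes in impact_statement (the spec's
    # not_affected field, reused for under_investigation by convention in this example)
    stmt["action_statement" if status == "affected" else "impact_statement"] = reason
    return stmt

def build_vex_document(statements: list[dict], author: str, ts: str) -> dict:
    # content-derived @id: the same decisions always produce the same document id
    digest = hashlib.sha256(json.dumps(statements, sort_keys=True).encode()).hexdigest()[:16]
    return {"@context": OPENVEX_CONTEXT, "@id": f"https://openvex.dev/docs/example/vex-{digest}",
            "author": author, "timestamp": ts, "version": 1, "statements": statements}

def merge_vex_documents(existing: dict, new: dict) -> dict:
    """Re-triage replaces the CVE+product statement and bumps version; identical decisions (timestamp aside) dedup."""
    key = lambda s: (s["vulnerability"]["name"], s["products"][0]["@id"])
    strip_ts = lambda s: {k: v for k, v in s.items() if k != "timestamp"}
    by_key, changed = {key(s): s for s in existing["statements"]}, False
    for stmt in new["statements"]:
        if strip_ts(by_key.get(key(stmt), {})) != strip_ts(stmt):
            by_key[key(stmt)], changed = stmt, True
    merged = {**existing, "statements": list(by_key.values())}
    if changed:  # same document (@id kept), new version and timestamp
        merged.update(version=existing["version"] + 1, timestamp=new["timestamp"])
    return merged

def trivyignore_entries(decisions: list[Decision]) -> list[tuple[str, list[str]]]:
    # (dedup key, lines): the CVE id preceded by the reason as a '#' comment
    return [(f.cve, [f"# {a}: {r}", f.cve])
            for f, a, r in decisions if f.cve and a != "under-investigation"]

def gitleaksignore_entries(decisions: list[Decision]) -> list[tuple[str, list[str]]]:
    return [(f.fingerprint, [f.fingerprint])
            for f, a, _ in decisions if f.fingerprint and a != "under-investigation"]

def _append_without_clobber(path: Path, entries: list[tuple[str, list[str]]]) -> int:
    # append only entries whose key is not already a line of the file; never rewrite it
    present = set(path.read_text().splitlines()) if path.exists() else set()
    fresh = [lines for key, lines in entries if key not in present]
    if fresh:
        with path.open("a") as fh:
            fh.write("\n".join(line for lines in fresh for line in lines) + "\n")
    return len(fresh)

def write_suppressions(root: Path, decisions: list[Decision], author: str, ts: str) -> dict:
    vex_version, statements = None, [s for d in decisions if (s := to_vex_statement(d, ts))]
    if statements:
        vex_path = root / "argus-results.openvex.json"
        doc = build_vex_document(statements, author, ts)
        if vex_path.exists():  # merge into the existing audit trail, never clobber it
            doc = merge_vex_documents(json.loads(vex_path.read_text()), doc)
        vex_path.write_text(json.dumps(doc, indent=2) + "\n")
        vex_version = doc["version"]
    return {"vex_version": vex_version,
            "trivy": _append_without_clobber(root / ".trivyignore", trivyignore_entries(decisions)),
            "gitleaks": _append_without_clobber(root / ".gitleaksignore", gitleaksignore_entries(decisions))}

def demo() -> dict:
    # constructed sample: Log4Shell triaged, re-recorded unchanged, then re-triaged; plus one secret
    log4j = Finding("pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1", cve="CVE-2021-44228")
    secret = Finding("repo", fingerprint="0123abcd:config/settings.py:generic-api-key:12")
    first = [(log4j, "not-exploitable", "JNDI lookups disabled"), (secret, "false-positive", "test fixture key")]
    who, t1, t2 = "triage@example.invalid", "2026-01-01T00:00:00Z", "2026-02-01T00:00:00Z"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        out = {"first": write_suppressions(root, first, who, t1),
               "rerun": write_suppressions(root, first, who, t1),  # idempotent: nothing changes
               "retriage": write_suppressions(root, [(log4j, "accept-risk", "patch scheduled")], who, t2)}
        out["trivy_lines"] = (root / ".trivyignore").read_text().splitlines()
        out["vex"] = json.loads((root / "argus-results.openvex.json").read_text())
    return out
```

Two caveats that follow from the design and are worth carrying into a real implementation. First, the ignore files are deduplicated on the CVE id or fingerprint alone, so re-triaging Log4Shell from not-exploitable to accept-risk updates the VEX statement (and bumps the version to 2) but leaves the original `# not-exploitable: ...` comment in .trivyignore untouched; the VEX document, not the ignore file, is the authoritative record of the current decision. Second, a bare CVE line in .trivyignore hides the finding indefinitely, so an accept-risk entry should normally be paired with a re-review date (Trivy's `exp:YYYY-MM-DD` suffix, or the VEX action_statement) rather than silenced forever.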