Releases: RHEcosystemAppEng/sast-ai-workflow
Releases Β· RHEcosystemAppEng/sast-ai-workflow
v0.0.2
What's Changed
- introduce TRIGGERING_WORKFLOWS documentation by @operetz-rh in #157
- adding confidence to filter node by @GuyZivRH in #158
- Update nvidia nat to 1.3.1 by @Yael-F in #152
- Fix sonarqube issues by @nemerna in #166
- Fix sonar vulns by @nemerna in #167
- fix: resolve SonarCloud reliability issues by @nemerna in #168
- fix: Pin GitHub Actions to full commit SHAs and add NOSONAR annotations by @nemerna in #169
- fix: Revert to floating UBI base image tag and suppress SonarQube rule by @nemerna in #170
- Revert "fix: remove pinned package versions in base Containerfile" by @GuyZivRH in #173
- upgrade NAT version (1.4.0) by @operetz-rh in #172
- Fix/pre existing test failures by @GuyZivRH in #175
- feat: scaffold investigation package structure and dependencies by @GuyZivRH in #176
- feat: migrate investigation constants, exceptions, and schemas by @GuyZivRH in #177
- feat: add Langfuse observability integration for investigation workflow by @Yael-F in #179
- feat: migrate investigation tools from research_agent branch by @GuyZivRH in #178
- feat: migrate investigation prompt templates and CWE checklists by @Yael-F in #180
- Fix-llm model override tekton duplicate by @operetz-rh in #174
- feat: add investigation subgraph nodes (research, analysis, evaluatio⦠by @Yael-F in #181
- feat: add investigation subgraph builder and orchestrator node by @Yael-F in #182
- Wire investigate node into main workflow, replacing 3-node anaysis loop by @Yael-F in #183
- Add missing TEKTON_RESULTS_DIR env var to write-evaluation-results-mlops step by @Yael-F in #186
- Track investigation evidence quality metrics (reanalysis count, tool calls, stop reason) by @Yael-F in #185
- Feature/weighted confidence formula by @operetz-rh in #184
- investigation tools int and unit tests by @operetz-rh in #187
- Feature/externalize confidence weights by @operetz-rh in #188
- Add extended LLM providers with HttpClientMixin and truncate embeddings input to token limit by @Yael-F in #193
- docs: Update architecture docs and add Langfuse, operations, and tool s reference guides by @Yael-F in #192
- refactor: Replace the analysis node's string confidence with a float score by @Yael-F in #189
- update investigation confidence weights by @operetz-rh in #190
- Truncate embedding input known issue retriever by @Yael-F in #194
- Fix tool result error detection by @Yael-F in #195
- read gathered_code attribute from the tracker object by @JudeNiroshan in #196
Full Changelog: v1.0.0...v0.0.2
Contributors
JudeNiroshan, Yael-F, and 3 other contributors
Assets 2
v0.0.1
SAST-AI-Workflow v0.0.1 - Initial Release
Overview
We're excited to announce the first official release of SAST-AI-Workflow - an LLM-powered tool designed to intelligently analyze and validate static application security testing (SAST) findings. This release represents the culmination of extensive development focused on reducing false positives in vulnerability detection and providing AI-assisted security insights.
β¨ Major Features
π€ AI-Powered Vulnerability Analysis
- Multi-stage LLM Analysis Pipeline: Comprehensive evaluation workflow with Judge LLM and Critique Agent stages for accurate false positive detection
- NVIDIA AIQ Agent Toolkit Integration: Adopted NVIDIA's Agent Intelligence Toolkit (AIQ) with LangGraph-based workflow orchestration (#88, #72)
- Independent Critique Agent: Secondary analysis for enhanced decision validation (#11)
- Structured JSON Output: Strict JSON schema mode ensuring reliable, parseable LLM responses (#138)
π Enhanced Context & Reasoning
- Call Hierarchy Analysis: Extracts relevant source code by error trace for comprehensive context (#12)
- CWE Data Enrichment: Integrates Common Weakness Enumeration data for vulnerability classification (#14)
- Known False Positive Matching: Learns from verified false positives to improve detection accuracy (#10, #13, #67)
- Line-numbered Source Code: Provides precise code references for improved reasoning (#26)
- Automatic Macro Detection: Identifies and handles C preprocessor macros (#20)
π Flexible Input/Output Support
- SAST Report Readers: Supports HTML and SARIF report formats (#87, #122)
- SARIF Output: Generates standardized SARIF reports for integration with security tooling (#122)
- Google Sheets Integration: Read input and write results directly to Google Sheets (#23, #27)
- Excel Report Generation: Detailed Excel reports with confusion matrix and analysis results (#7)
π Evaluation & Metrics
- Confusion Matrix Calculation: Automated metrics for model performance evaluation (#3, #35)
- MLflow Dashboard Integration: Modular evaluation dashboard with node-specific converters (#121)
- Stratified Dataset Splitting: Ensures balanced evaluation across vulnerability types (#85)
- Timing & Token Metrics: Performance monitoring for LLM operations (#144)
π Enterprise Deployment
- Tekton CI/CD Pipeline: Complete pipeline for OpenShift deployment (#25, #53, #114)
- ArgoCD GitOps: Declarative deployment with ArgoCD application management (#70, #116)
- Container Images: Production-ready containers published to Quay.io (#22, #47)
- Dev/Prod Environment Separation: Distinct deployment configurations (#124)
- S3/MinIO Storage: MLOps storage integration for artifacts and datasets (#131, #134)
- DVC Data Management: Version control for datasets with PostgreSQL metadata (#115)
π§ Modular Architecture
- Refactored LLM Services: Single-responsibility services for maintainability (#68, #89)
- Configurable Pipeline: YAML-based configuration management (#8)
- HTTP Connection Pooling: Optimized embedding requests for performance (#113)
- Externalized Prompts: Template-based prompt management (#66)
ποΈ Architecture Highlights
- LangGraph Workflow: State machine-based agent orchestration
- Vector Store (FAISS): In-memory similarity search for known issues
- Sentence Transformers: HuggingFace embeddings (all-mpnet-base-v2)
- OpenAI-Compatible API: Supports various LLM backends including NVIDIA NIMs
π¦ What's Included
- Complete Python package with all dependencies
- Tekton pipeline definitions for OpenShift
- ArgoCD application manifests
- Docker/Podman container configurations
- Comprehensive documentation and setup guides
- Unit and integration test suite
π Contributors
Thanks to all contributors who made this release possible:
π Documentation
β οΈ Requirements
- Python 3.11+
- Access to OpenAI-compatible LLM API or NVIDIA NIM
- OpenShift cluster (for Tekton deployment)
- Optional: Google Cloud credentials for Sheets/Drive integration
Full Changelog: https://github.com/RHEcosystemAppEng/sast-ai-workflow/commits/v1.0.0
π¦ Container Images
This release includes the following container image published to Quay.io:
quay.io/ecosystem-appeng/sast-ai-workflow:1.0.0
π³ Usage
# Pull specific version for production
podman pull quay.io/ecosystem-appeng/sast-ai-workflow:1.0.0π Registry
View all versions: Quay.io Repository
Note: Production deployments should use this specific version tag.
π¦ Container Images
This release includes the following container image published to Quay.io:
quay.io/ecosystem-appeng/sast-ai-workflow:1.0.0
π³ Usage
# Pull specific version for production
podman pull quay.io/ecosystem-appeng/sast-ai-workflow:1.0.0π Registry
View all versions: Quay.io Repository
Note: Production deployments should use this specific version tag.
π¦ Container Images
This release includes the following container image published to Quay.io:
quay.io/ecosystem-appeng/sast-ai-workflow:1.0.0
π³ Usage
# Pull specific version for production
podman pull quay.io/ecosystem-appeng/sast-ai-workflow:1.0.0π Registry
View all versions: Quay.io Repository
Note: Production deployments should use this specific version tag.
Contributors
JudeNiroshan, Yael-F, and 5 other contributors