Releases: pitimon/devsecops-ai-team

v3.1.0 — Commercial Ready

03 Mar 15:14

🎯 Commercial Ready Release

Transform devsecops-ai-team from developer documentation into a commercial-grade product presentation — professional README, onboarding guides, demo scenarios, and service tiers.

Added

  • Professional README redesign — commercial-grade product presentation (1,071 → 615 lines)
  • Quick Start guide (docs/QUICK-START.md) — install to first scan in 5 minutes
  • First Scan Walkthrough (docs/FIRST-SCAN-WALKTHROUGH.md) — behind-the-scenes technical deep-dive
  • Demo scenarios (demo/) — 3 scripts (5/10/15 min) with bilingual talk tracks
  • Demo vulnerable project (tests/fixtures/demo-project/) — intentional vulnerabilities for demos
  • Architecture reference (docs/ARCHITECTURE.md) — extracted from README
  • Features reference (docs/FEATURES.md) — consolidated feature details
  • Project structure reference (docs/PROJECT-STRUCTURE.md) — extracted from README
  • Service tiers section in README — Starter / Pro / Enterprise consulting packages

Fixed

  • README version reference 3.0.3 → 3.0.4
  • CLAUDE.md formatters list missing Dashboard (7 → 8)
  • INSTALL.md MCP tools incomplete (5 → 10)
  • SECURITY.md missing v3.0.x support

Validation

  • 276/276 plugin structure checks passed
  • All internal doc links verified

Full Changelog: v3.0.4...v3.1.0

v3.0.4 — Multi-Tool Lifecycle + Compliance Coverage Fix

03 Mar 14:07

Fixed

  • Multi-tool lifecycle scoping (#71): scan-db.sh store no longer marks findings from other tools as "fixed" when storing results per-tool. Lifecycle comparison now scoped by source_tool.
  • Compliance coverage double-multiplication (#71): generate_compliance() stored coverage as percentage (7.3) but dashboard template multiplied by 100 again (730%). Changed to store ratio (0.0–1.0).
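The scoping bug is easiest to see in a small reproduction. The following is an added example, not code from scan-db.sh: it models a findings table in SQLite (table layout, fingerprint format and the sample scans are all assumptions) and runs the lifecycle diff once unscoped, as before the fix, and once scoped by source_tool.

```python
import sqlite3
from typing import Dict, List, Optional, Tuple

Finding = Tuple[str, str, int]  # (rule or CVE id, path, line)

# Constructed sample scans (not project data): two tools, two consecutive scans.
SCAN_1: Dict[str, List[Finding]] = {
    "semgrep": [("F-SQLI", "app/db.py", 42), ("F-XSS", "app/views.py", 10)],
    "trivy":   [("CVE-2023-0001", "Dockerfile", 1)],
}
SCAN_2: Dict[str, List[Finding]] = {
    "semgrep": [("F-SQLI", "app/db.py", 42)],         # F-XSS really was fixed
    "trivy":   [("CVE-2023-0001", "Dockerfile", 1)],  # still present
}


def init_db() -> sqlite3.Connection:
    """In-memory findings table; the real scan-db.sh schema is assumed, not copied."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE findings ("
        " scan_id TEXT, source_tool TEXT, fingerprint TEXT, status TEXT,"
        " PRIMARY KEY (scan_id, source_tool, fingerprint))"
    )
    return con


def fingerprint(f: Finding) -> str:
    rule, path, line = f
    return f"{rule}:{path}:{line}"


def store(con: sqlite3.Connection, scan_id: str, prev_scan_id: Optional[str],
          tool: str, findings: List[Finding], scoped: bool) -> List[str]:
    """Store one tool's results for scan_id and run the lifecycle diff against
    prev_scan_id. Returns the fingerprints this call marked 'fixed'.

    scoped=False reproduces the bug: the diff considers every open finding of the
    previous scan, so findings that belong to a *different* tool (which cannot
    appear in this tool's result set) are declared fixed.
    scoped=True is the corrected behaviour: only rows with the same source_tool
    take part in the comparison.
    """
    new_fps = {fingerprint(f) for f in findings}
    con.executemany(
        "INSERT OR REPLACE INTO findings VALUES (?, ?, ?, 'open')",
        [(scan_id, tool, fp) for fp in new_fps],
    )
    if prev_scan_id is None:
        return []
    if scoped:
        rows = con.execute(
            "SELECT fingerprint FROM findings"
            " WHERE scan_id = ? AND source_tool = ? AND status = 'open'",
            (prev_scan_id, tool),
        ).fetchall()
    else:
        rows = con.execute(
            "SELECT fingerprint FROM findings WHERE scan_id = ? AND status = 'open'",
            (prev_scan_id,),
        ).fetchall()
    fixed = sorted(fp for (fp,) in rows if fp not in new_fps)
    con.executemany(
        "UPDATE findings SET status = 'fixed' WHERE scan_id = ? AND fingerprint = ?",
        [(prev_scan_id, fp) for fp in fixed],
    )
    return fixed


def run(scoped: bool) -> Dict[str, List[str]]:
    """Store scan 1, then store scan 2 tool by tool, as a per-tool `store` does."""
    con = init_db()
    for tool, findings in SCAN_1.items():
        store(con, "scan-1", None, tool, findings, scoped)
    return {tool: store(con, "scan-2", "scan-1", tool, findings, scoped)
            for tool, findings in SCAN_2.items()}


if __name__ == "__main__":
    print("unscoped (bug):", run(scoped=False))
    print("scoped (fix):  ", run(scoped=True))
```

In the unscoped pass Trivy's CVE is reported as fixed the moment Semgrep's results are stored, simply because the CVE is absent from Semgrep's result set, and Semgrep's remaining finding is then "fixed" by Trivy's store for the same reason. The scoped pass reports only F-XSS, the finding that actually disappeared.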

Added

  • 6 new tests in test-scan-db.sh (33 → 39): multi-tool isolation (5) + coverage range validation (1)

Test Results

  • 39/39 scan-db tests
  • 26/26 dashboard tests
  • 276/276 plugin validation
  • 1,302+ total checks across 42 suites

Full Changelog: v3.0.3...v3.0.4

v3.0.3 — Dashboard Bugfix + Data Pipeline Enrichment

03 Mar 12:35

Fixed

#69 — Dashboard injection bugs (dashboard-generator.sh)

  • Bug 1: Triple-quote string injection broke on findings with single quotes (e.g., sk_live_...). Fixed with file-based data passing via temp files
  • Bug 2: Multi-line placeholder regex left leftover JavaScript causing SyntaxError. Fixed with re.DOTALL + lambda substitution (Python 3.12+ safe)
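Both bugs come from treating data as source text. The following added example (not the project's dashboard-generator.sh; the template markers, placeholder names and sample findings are assumptions) reproduces each failure next to its fix: embedding a value in a Python triple-quoted literal versus handing it over through a temp file, and splicing JSON into a multi-line placeholder with a plain str replacement versus re.DOTALL plus a callable replacement.

```python
import ast
import json
import os
import re
import tempfile
from typing import List

# Constructed finding (not project data). The matched value contains the
# triple-quote delimiter and a statement separator, the worst case for any
# generator that pastes data straight into source text.
HOSTILE = {"rule": "secret-detected",
           "match": "sk_live_abc'''; import os; os.system('id'); x='''"}
# Constructed finding whose message spans two lines; json.dumps renders the
# newline as backslash + 'n', which a str replacement template unescapes again.
MULTILINE = [{"rule": "hardcoded-secret", "message": "Possible API key\nsee docs"}]


def statements_in_generated_source(value: str) -> int:
    """Bug 1, before the fix: a shell script builds Python source as
    data = '''<value>'''. Returns the number of top-level statements the
    generated source really contains; anything above 1 means the data closed
    the literal and the rest of it became executable code."""
    src = f"data = '''{value}'''\n"
    return len(ast.parse(src).body)


def pass_via_temp_file(findings: List[dict]) -> List[dict]:
    """Bug 1, after the fix: data travels through a JSON file, never through source."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "findings.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(findings, fh)
        with open(path, encoding="utf-8") as fh:   # the generator side
            return json.load(fh)


TEMPLATE = """<script>
const FINDINGS = /*__FINDINGS__*/
  null
/*__END__*/;
</script>"""


def render(findings: List[dict], dotall: bool = True, use_lambda: bool = True) -> str:
    """Bug 2: splice JSON into a placeholder that spans several lines.
    dotall=False:     '.' cannot cross the newline, the placeholder never matches
                      and the stand-in 'null' plus markers stay in the output.
    use_lambda=False: re.sub treats a str replacement as a template, so the
                      backslash-n inside the JSON becomes a real newline inside a
                      JS string literal (SyntaxError in the browser) and a
                      backslash-u escape raises re.error. A callable's return
                      value is inserted verbatim.
    """
    pattern = re.compile(r"/\*__FINDINGS__\*/.*?/\*__END__\*/",
                         re.DOTALL if dotall else 0)
    payload = json.dumps(findings)
    repl = (lambda _m: payload) if use_lambda else payload
    return pattern.sub(repl, TEMPLATE)


def embedded_findings(html: str):
    """Parse back what the browser would see; None when it is not valid JSON."""
    start = html.index("const FINDINGS = ") + len("const FINDINGS = ")
    end = html.index(";\n</script>")
    try:
        return json.loads(html[start:end])
    except json.JSONDecodeError:
        return None


if __name__ == "__main__":
    print("statements in generated source:", statements_in_generated_source(HOSTILE["match"]))
    print("round-trip via file:", pass_via_temp_file([HOSTILE]) == [HOSTILE])
    print("safe render parses:", embedded_findings(render(MULTILINE)) == MULTILINE)
    print("naive render parses:", embedded_findings(render(MULTILINE, use_lambda=False)))
```

The generated-source check counts four statements for the hostile value and one for a benign key, which is the whole point: once data can close the literal, the generator is an arbitrary code execution path for anything that lands in a scan result.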

#70 — Dashboard empty panels (scan-db.sh store)

  • OWASP enrichment: Auto-maps CWE → OWASP dual-version tags (2021+2025) from cwe-to-owasp.json after storing findings
  • Compliance snapshots: Auto-generates coverage for all 7 frameworks (OWASP, NIST, MITRE, NCSA, PDPA, SOC 2, ISO 27001) after storing findings
  • Result: All 6 dashboard panels render without manual enrichment steps

Documentation accuracy sync

  • 25+ stale metrics fixed across README.md, DOMAIN.md, PRD.md, INSTALL.md
  • CWE 405→488, OWASP 120→122, QA 8→13, output formats 7→8
  • 3 missing Docker tools added to INSTALL.md (Nuclei, TruffleHog, kube-bench)

Added

  • 12 new tests: dashboard injection regression (5) + OWASP/compliance enrichment (7)
    • test-dashboard-generator.sh: 21 → 26
    • test-scan-db.sh: 26 → 33
  • Smoke test prompts: v3.0.0 features (K8s, GraphQL, pipeline, dashboard, scan history, SLSA)
  • GitHub Wiki: 6 pages updated/created for v3.0.2+ accuracy (Home, Installation, Architecture, Skills-Reference, Test-Results, Skills redirect)

Test Results

  • validate-plugin.sh: 276/276 ✅
  • test-dashboard-generator.sh: 26/26 ✅
  • test-scan-db.sh: 33/33 ✅
  • QA: 13 rounds, 75/75 latest

Full Changelog: v3.0.2...v3.0.3

v3.0.2 — GraphQL test depth improvement

03 Mar 11:19

Fixed

  • GraphQL test depth (QA #67): Added 11 functional tests to test-graphql-scan.sh (23 → 34 tests)
    • Section 7: Normalizer integration — runs json-normalizer.sh on raw semgrep-format GraphQL data, validates JSON output, finding count, source_tool field
    • Section 8: Fixture field validation — required fields, location sub-fields, severity distribution vs summary, OWASP arrays
    • Section 9: Rules metadata validation — YAML parsing, CWE metadata on all 8 rules, OWASP 2021+2025 dual-tag compliance

Metrics

| Metric            | Value         |
|-------------------|---------------|
| GraphQL tests     | 23 → 34 (+11) |
| Release checklist | 31/31 pass    |

v3.0.0 — Platform Release

03 Mar 10:48
a15c387

v3.0.0 — Platform Release (DAG, SQLite, Dashboard, K8s, GraphQL)

Major platform transformation from tool collection to integrated security platform.

Added

  • SQLite Historical Database — scripts/scan-db.sh with 7 subcommands (init, store, query, trend, lifecycle, export, stats)
  • DAG Pipeline Engine — runner/pipeline-engine.sh with topological sort, cycle detection, 4 built-in pipelines
  • Security Dashboard — Alpine.js 3 + Chart.js 4 self-contained HTML with 6 panels and dark mode
  • K8s Security Scanning — /k8s-scan skill (15th), 8 Semgrep rules, kube-bench Docker integration
  • GraphQL Security Scanning — /graphql-scan skill (16th), 8 Semgrep rules, 4 Nuclei templates
  • MCP Tools — devsecops_history + devsecops_pipeline (10 total)
  • Dashboard Generator — formatters/dashboard-generator.sh (SQLite → HTML)

Metrics

| Metric        | v2.8.0 | v3.0.0 |
|---------------|--------|--------|
| Skills        | 14     | 16     |
| References    | 17     | 19     |
| MCP tools     | 8      | 10     |
| Semgrep rules | 68     | 84     |
| Docker tools  | 9      | 11     |
| Test suites   | 22     | 43     |
| Total tests   | 793    | 1,304  |

Install

claude plugin install devsecops-ai-team@pitimon-devsecops

Full changelog: https://github.com/pitimon/devsecops-ai-team/blob/main/CHANGELOG.md

v2.8.0 — Supply Chain Compliance + OWASP 10/10

03 Mar 09:13
1d1276a

What's New

OWASP 10/10 Custom Rules (#47)

  • 15 new Semgrep rules across 3 categories: A06 Vulnerable Components (5), A07 Authentication Failures (5), A08 Integrity Failures (5)
  • Total: 68 custom rules covering all OWASP Top 10 categories

SOC 2 + ISO 27001 Compliance Mapping (#48)

  • SOC 2 Trust Service Criteria: 40 CWE mappings (CC6.x, CC7.x, CC8.x, CC9.x, C1.x, A1.x, PI1.x)
  • ISO 27001:2022 Annex A: 41 CWE mappings (A.5–A.8 control groups)
  • MCP compliance_status now supports 7 frameworks

SLSA Provenance Assessment (#45)

  • New /slsa-assess skill (14th skill) — SLSA v1.1 Levels 0–3
  • Reference file with EU CRA alignment and tool detection patterns

VEX Output Format (#46)

  • CycloneDX VEX + OpenVEX dual output formatter (7th format)
  • Severity-to-VEX status mapping from triage decisions
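Added example (not the project's VEX formatter) of the triage-decision to VEX-status mapping, emitted in OpenVEX form. The triage vocabulary, the package URLs and the document id are assumptions; the four status names and the justification labels are the ones the OpenVEX specification defines, and the two constraints enforced here (not_affected needs a justification, affected needs an action statement) are the spec's.

```python
import json
from typing import Any, Dict, List

# Assumed triage vocabulary (the project's own triage states are not shown on
# this page) mapped to the four OpenVEX statuses.
STATUS_BY_DECISION = {
    "false_positive": "not_affected",
    "fixed": "fixed",
    "confirmed": "affected",
    "accepted_risk": "affected",
    "needs_review": "under_investigation",
}
# Justification labels defined by the OpenVEX specification.
JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed triage decisions; the product purls are placeholders.
TRIAGE = [
    {"vuln": "CVE-2021-44228", "product": "pkg:maven/org.example/app@2.0.0",
     "decision": "false_positive",
     "justification": "vulnerable_code_not_in_execute_path",
     "note": "JNDI lookup disabled at build time"},
    {"vuln": "CVE-2023-44487", "product": "pkg:npm/example-api@1.4.2",
     "decision": "fixed", "note": "upgraded in 1.4.2"},
    {"vuln": "CVE-2024-3094", "product": "pkg:deb/debian/xz-utils@5.6.1",
     "decision": "confirmed", "action": "downgrade to 5.4.x"},
    {"vuln": "CVE-2024-99999", "product": "pkg:pypi/example-lib@0.9.0",  # constructed id
     "decision": "needs_review"},
]


def statement(t: Dict[str, Any]) -> Dict[str, Any]:
    try:
        status = STATUS_BY_DECISION[t["decision"]]
    except KeyError:
        raise ValueError(f"unknown triage decision {t['decision']!r}") from None
    stmt: Dict[str, Any] = {
        "vulnerability": {"name": t["vuln"]},
        "products": [{"@id": t["product"]}],
        "status": status,
    }
    # OpenVEX: not_affected must carry a justification (or impact_statement);
    # affected must carry an action_statement.
    if status == "not_affected":
        if t.get("justification") not in JUSTIFICATIONS:
            raise ValueError(f"{t['vuln']}: not_affected requires a valid justification")
        stmt["justification"] = t["justification"]
    if status == "affected":
        if not t.get("action"):
            raise ValueError(f"{t['vuln']}: affected requires an action statement")
        stmt["action_statement"] = t["action"]
    if t.get("note"):
        stmt["status_notes"] = t["note"]
    return stmt


def to_openvex(triage: List[Dict[str, Any]], author: str, timestamp: str) -> Dict[str, Any]:
    return {
        "@context": "https://openvex.dev/ns/v0.2.0",
        "@id": "urn:uuid:00000000-0000-4000-8000-000000000001",  # placeholder document id
        "author": author,
        "timestamp": timestamp,
        "version": 1,
        "statements": [statement(t) for t in triage],
    }


if __name__ == "__main__":
    doc = to_openvex(TRIAGE, "appsec@example.test", "2025-01-01T00:00:00Z")
    print(json.dumps(doc, indent=2))
```

Rejecting a not_affected decision that has no justification is deliberate: a downstream consumer that suppresses a CVE on the strength of a VEX statement should be able to see why, and an unjustified not_affected is exactly the shape a lazy or malicious suppression takes.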

TruffleHog Secret Scanning (#49)

  • 9th security tool — Docker service, job dispatcher (3 modes: git/filesystem/s3)
  • JSONL normalizer, secret-scan skill extended with --tool flag

Secret Validity Checking (#50)

  • In-the-Loop verifier with 4 providers (AWS, GitHub, Slack, Generic)
  • Rate limiting, audit trail, redaction — --confirm flag required

Metrics

| Metric                | v2.7.0 | v2.8.0 |
|-----------------------|--------|--------|
| Custom Semgrep rules  | 53     | 68     |
| OWASP coverage        | 8/10   | 10/10  |
| Security tools        | 8      | 9      |
| Compliance frameworks | 5      | 7      |
| Output formats        | 6      | 7      |
| Skills                | 13     | 14     |
| Tests                 | 978    | 1,174  |

Full Changelog

v2.7.0...v2.8.0

v2.7.0 — OWASP 2025 + Nuclei DAST + PDPA Regulatory

03 Mar 04:09
095d005

What's New

OWASP Top 10 2025 Migration (Phase A)

  • Dual-version mapping (2021+2025) across all 114 CWEs in cwe-to-owasp.json
  • All 33 existing custom Semgrep rules dual-tagged with 2025 categories
  • OWASP 2025 framework entry added to frameworks.json (17 frameworks)

20 New Custom Semgrep Rules (Phases B + E)

  • A02 Cryptographic Failures — 6 rules (weak hash, hardcoded keys, insecure random, weak TLS)
  • A04 Insecure Design — 4 rules (missing rate limit, unrestricted upload, trust boundary, no account lockout)
  • A05 Security Misconfiguration — 6 rules (debug mode, default credentials, permissive CORS, verbose errors)
  • A10 Exception Handling — 4 rules (generic catch, empty catch, stack exposure, unhandled promise) — new 2025 category
  • Total custom rules: 53 (was 33)

Nuclei DAST Integration (Phase C)

  • Docker Compose service (projectdiscovery/nuclei:latest)
  • run_nuclei() in job-dispatcher with 3 modes: cve, full, custom
  • JSONL normalizer with severity/confidence mapping
  • DAST skill extended to support Nuclei alongside ZAP
  • 8 security tools in the stack (was 7)
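Added example (not the project's json-normalizer.sh) covering the Nuclei JSONL normalizer with severity/confidence mapping described here, and the normalizer-integration and fixture-field checks the v3.0.2 GraphQL test suite describes (Sections 7 and 8). The normalized schema, the Semgrep severity mapping and the Nuclei confidence heuristic are assumptions; the raw inputs are constructed in the shape the two tools emit.

```python
import json
import re
from collections import Counter
from typing import Any, Dict, List

SEVERITIES = ("critical", "high", "medium", "low", "info")
REQUIRED = ("source_tool", "rule_id", "title", "severity", "confidence", "location")
SEMGREP_SEVERITY = {"ERROR": "high", "WARNING": "medium", "INFO": "low"}  # assumed

# Constructed raw output in Semgrep's JSON layout (results[].check_id/path/start/extra).
SEMGREP_RAW = json.dumps({"results": [
    {"check_id": "graphql.introspection-enabled", "path": "src/schema.js",
     "start": {"line": 12, "col": 3},
     "extra": {"message": "GraphQL introspection is enabled", "severity": "WARNING",
               "metadata": {"cwe": "CWE-200: Exposure of Sensitive Information",
                            "owasp": ["A05:2021 - Security Misconfiguration",
                                      "A02:2025 - Security Misconfiguration"],
                            "confidence": "HIGH"}}},
    {"check_id": "graphql.no-depth-limit", "path": "src/server.js",
     "start": {"line": 40, "col": 1},
     "extra": {"message": "No query depth limit configured", "severity": "ERROR",
               "metadata": {"cwe": ["CWE-400"], "owasp": "A04:2021 - Insecure Design"}}},
], "errors": []})

# Constructed Nuclei JSONL (one object per line) plus the noise a normalizer
# must tolerate: a blank line and a non-JSON log line.
NUCLEI_RAW = "\n".join([
    json.dumps({"template-id": "graphql-introspection", "type": "http",
                "info": {"name": "GraphQL Introspection Enabled", "severity": "medium",
                         "classification": {"cwe-id": ["CWE-200"]}},
                "host": "https://api.example.test",
                "matched-at": "https://api.example.test/graphql",
                "matcher-name": "introspection"}),
    "",
    "[INF] Using Nuclei Engine (constructed noise line)",
    json.dumps({"template-id": "graphql-batching", "type": "http",
                "info": {"name": "GraphQL Batching Allowed", "severity": "unknown"},
                "host": "https://api.example.test",
                "matched-at": "https://api.example.test/graphql"}),
]) + "\n"


def _as_list(v: Any) -> List[str]:
    return [] if v is None else ([v] if isinstance(v, str) else list(v))


def _cwe_ids(values: Any) -> List[str]:
    """'CWE-200: Exposure ...' -> 'CWE-200'; drops anything that is not a CWE id."""
    found = [re.match(r"CWE-\d+", v.strip()) for v in _as_list(values)]
    return [m.group(0) for m in found if m]


def normalize_semgrep(raw: str) -> List[Dict[str, Any]]:
    out = []
    for r in json.loads(raw)["results"]:
        meta = r.get("extra", {}).get("metadata", {})
        out.append({
            "source_tool": "semgrep",
            "rule_id": r["check_id"],
            "title": r["extra"]["message"],
            "severity": SEMGREP_SEVERITY.get(r["extra"].get("severity", ""), "info"),
            "confidence": str(meta.get("confidence", "MEDIUM")).lower(),
            "location": {"path": r["path"], "line": r["start"]["line"]},
            "cwe": _cwe_ids(meta.get("cwe")),
            "owasp": _as_list(meta.get("owasp")),
        })
    return out


def normalize_nuclei(raw_jsonl: str) -> List[Dict[str, Any]]:
    out = []
    for line in raw_jsonl.splitlines():
        line = line.strip()
        if not line.startswith("{"):   # blank lines and engine chatter
            continue
        r = json.loads(line)
        info = r.get("info", {})
        sev = str(info.get("severity", "")).lower()
        out.append({
            "source_tool": "nuclei",
            "rule_id": r["template-id"],
            "title": info.get("name", r["template-id"]),
            "severity": sev if sev in SEVERITIES else "info",   # 'unknown' -> info
            # Assumed heuristic: a named matcher fired -> high, otherwise medium.
            "confidence": "high" if r.get("matcher-name") else "medium",
            "location": {"path": r.get("matched-at") or r.get("host"), "line": None},
            "cwe": _cwe_ids(info.get("classification", {}).get("cwe-id")),
            "owasp": [],
        })
    return out


def validate(findings: List[Dict[str, Any]]) -> List[str]:
    """Field checks a fixture test would run; an empty list means all good."""
    errors = []
    for i, f in enumerate(findings):
        errors += [f"finding {i}: missing {k}" for k in REQUIRED if k not in f]
        if f.get("severity") not in SEVERITIES:
            errors.append(f"finding {i}: bad severity {f.get('severity')!r}")
        if not isinstance(f.get("location"), dict) or not f["location"].get("path"):
            errors.append(f"finding {i}: location.path missing")
    return errors


def summary(findings: List[Dict[str, Any]]) -> Dict[str, int]:
    """Severity distribution, the thing a fixture's summary block must agree with."""
    counts = Counter(f["severity"] for f in findings)
    return {s: counts.get(s, 0) for s in SEVERITIES}
```

The point of validating after normalizing is that the dashboard and the compliance mappers trust these fields blindly; a missing severity or an unrecognised "unknown" that slips through as-is would later show up as an empty panel rather than as an error at the source.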

Thai Regulatory Compliance (Phase D)

  • PDPA mapping — 30 CWE-to-PDPA article mappings (mappings/cwe-to-pdpa.json)
  • MCP compliance_status — now supports 5 frameworks (OWASP, NIST, MITRE, NCSA, PDPA)
  • NCSA 1.0 validator — added Permissions-Policy, COOP, COEP headers + TLS 1.3 preference check

Metrics

| Metric                | v2.6.1  | v2.7.0            |
|-----------------------|---------|-------------------|
| Custom Semgrep rules  | 33      | 53                |
| DAST tools            | 1 (ZAP) | 2 (ZAP + Nuclei)  |
| Compliance frameworks | 4       | 5 (+PDPA)         |
| CWE mappings          | ~360    | 405               |
| Test suites           | 22      | 28                |
| Total tests           | 793     | 978               |
| OWASP coverage        | 4/10    | 8/10              |

Quality

  • ✅ 978 tests across 28 suites — all passing
  • ✅ Release checklist 31/31
  • ✅ validate-plugin.sh 258/258

Regulatory Deadlines Addressed

| Standard                  | Deadline                 | Status                             |
|---------------------------|--------------------------|------------------------------------|
| NCSA Website Security 1.0 | Sep 16, 2026             | ✅ Validator updated to 1.0 spec   |
| Thailand PDPA             | Effective since Jun 2022 | ✅ CWE mapping added               |
| EU CRA                    | Sep 11, 2026             | 🔜 v2.8.0 (supply chain focus)     |

Files Changed

40 files changed, +3,528 / -292 lines across 21 commits.

Full changelog: v2.6.1...v2.7.0

v2.6.1 — GitHub Actions Template Distribution Parity

03 Mar 02:11

What's Changed

Added

  • GitHub Actions copy-paste templates (ci-templates/github/) — 4 workflow files mirroring .github/workflows/templates/ for copy-paste consumption parity with GitLab templates (#57)
  • CI-INTEGRATION.md updated with copy-paste template documentation
  • validate-plugin.sh Section 15 checks for ci-templates/github/ files (+4 checks)
  • test-ci-templates.sh Section 2 with 20 GitHub copy-paste template tests (existence, triggers, inputs, headers, content parity)

Files Added

| File                                              | Purpose                                             |
|---------------------------------------------------|-----------------------------------------------------|
| ci-templates/github/devsecops-sast.yml            | Semgrep SAST (copy-paste)                           |
| ci-templates/github/devsecops-sca.yml             | Grype SCA (copy-paste)                              |
| ci-templates/github/devsecops-container-scan.yml  | Trivy container scan (copy-paste)                   |
| ci-templates/github/devsecops-full-pipeline.yml   | Full pipeline with concurrency groups (copy-paste)  |

Test Results

  • 22 suites, 793 checks, 0 failures
  • validate-plugin.sh: 258/258
  • test-ci-templates.sh: 65/65 (was 45)
  • release-checklist.sh: 27/27

Full Changelog: v2.6.0...v2.6.1

v2.6.0 — CI/CD Integration + Tech Debt

03 Mar 01:12

What's New

CI/CD Integration

  • GitHub Actions — 4 reusable workflows (workflow_call) for SAST, SCA, container scan, and full pipeline with SARIF upload to Security tab (#33)
  • GitLab CI — 4 templates producing native report artifacts (sast, dependency_scanning, container_scanning) with resource_group for heavy tools (#34)
  • CI Adapter — platform-agnostic functions (ci_detect_platform, ci_set_output, ci_group_start, etc.) supporting GitHub Actions, GitLab CI, and local execution (#38)
  • Concurrency Groups — tool classification by resource weight (heavy/medium/light) for parallel scheduling (#38)
  • Pipeline Runner — run-pipeline.sh orchestrates multiple tools with concurrency-aware scheduling (#38)
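Added example (not the project's pipeline-engine.sh or run-pipeline.sh) showing the two pieces together: the topological sort with cycle detection that the v3.0.0 DAG pipeline engine describes, and scheduling of the resulting layers under heavy/medium/light concurrency groups. The pipeline definition and the per-weight capacities are assumptions.

```python
from typing import Dict, List

# Constructed pipeline (not one of the project's built-in pipelines): each tool
# lists what it must wait for and its resource weight.
PIPELINE: Dict[str, Dict] = {
    "semgrep":   {"needs": [],                                    "weight": "medium"},
    "grype":     {"needs": [],                                    "weight": "light"},
    "trivy":     {"needs": [],                                    "weight": "heavy"},
    "nuclei":    {"needs": ["trivy"],                             "weight": "heavy"},
    "zap":       {"needs": ["trivy"],                             "weight": "heavy"},
    "normalize": {"needs": ["semgrep", "grype", "nuclei", "zap"], "weight": "light"},
    "dashboard": {"needs": ["normalize"],                         "weight": "light"},
}
# Assumed concurrency policy: how many tools of each weight may run at once.
CAPACITY = {"heavy": 1, "medium": 2, "light": 4}


class CycleError(ValueError):
    """Raised with the sorted list of nodes left unscheduled because of a cycle."""


def topo_layers(pipeline: Dict[str, Dict]) -> List[List[str]]:
    """Kahn's algorithm. Layer k holds every node whose dependencies all sit in
    layers < k, so the nodes of one layer may run in parallel. If the ready
    queue runs dry before every node has been emitted, the remainder contains
    (or depends on) a cycle."""
    indeg = {n: 0 for n in pipeline}
    children: Dict[str, List[str]] = {n: [] for n in pipeline}
    for n, spec in pipeline.items():
        for dep in spec["needs"]:
            if dep not in pipeline:
                raise KeyError(f"{n} depends on unknown tool {dep!r}")
            indeg[n] += 1
            children[dep].append(n)
    layers: List[List[str]] = []
    ready = sorted(n for n, d in indeg.items() if d == 0)
    emitted = 0
    while ready:
        layers.append(ready)
        emitted += len(ready)
        nxt = []
        for n in ready:
            for c in children[n]:
                indeg[c] -= 1
                if indeg[c] == 0:
                    nxt.append(c)
        ready = sorted(nxt)
    if emitted != len(pipeline):
        raise CycleError(sorted(n for n, d in indeg.items() if d > 0))
    return layers


def schedule(pipeline: Dict[str, Dict], capacity: Dict[str, int]) -> List[List[str]]:
    """Split each dependency layer into execution waves so that no wave exceeds
    the per-weight capacity. A layer finishes before the next starts, which is
    stricter than the DAG requires but keeps the scheduler easy to reason about."""
    waves: List[List[str]] = []
    for layer in topo_layers(pipeline):
        pending = list(layer)
        while pending:
            wave, used = [], {w: 0 for w in capacity}
            for n in list(pending):
                w = pipeline[n]["weight"]
                if used[w] < capacity[w]:
                    wave.append(n)
                    used[w] += 1
                    pending.remove(n)
            if not wave:   # a weight with capacity 0 could never drain
                raise ValueError(f"no capacity for {pending}")
            waves.append(wave)
    return waves


if __name__ == "__main__":
    for i, wave in enumerate(schedule(PIPELINE, CAPACITY), 1):
        print(f"wave {i}: {', '.join(wave)}")
```

With the capacities above the three heavy tools never overlap: trivy runs in the first wave alongside the light and medium scanners, and nuclei and zap, which both wait on trivy, are serialised into two further waves before the light post-processing steps run.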

MCP & Formatters

  • MCP esbuild bundle — mcp/dist/server.js (622KB) committed to repo, zero npm install required after plugin install (#32, resolves #29)
  • SARIF per-tool output — formatter creates one SARIF run per source tool with proper metadata; --combined flag for legacy single-run mode (#35)

Developer Tooling

  • Version bump script — scripts/version-bump.sh <version> automates bumping all 7 version-synced files with --dry-run support (#36)

Tech Debt

  • scan-on-write.sh — replaced fragile grep-based JSON parsing with robust python3 parser (#37)
  • validate-plugin.sh — replaced 6 hardcoded count assertions with dynamic computation (#37)

Quality

  • 22 test suites, 832 checks — all green
  • 12-round local QA validation passed
  • All 7 issues (#32–#38) implemented and closed

New Files (20)

scripts/version-bump.sh, mcp/build.sh, mcp/dist/server.js, runner/ci-adapter.sh, runner/concurrency-groups.json, runner/run-pipeline.sh, 4 GitHub workflow templates, 4 GitLab CI templates, ci-templates/converters/gitlab-sast-converter.sh, docs/CI-INTEGRATION.md, tests/test-version-bump.sh, tests/test-ci-adapter.sh, tests/test-ci-templates.sh, tests/fixtures/sample-mixed-normalized.json

Full Changelog

v2.5.0...v2.6.0

v2.5.0 — Custom OWASP Rules (A01/A03/A10), MCP Expansion & PDF/CSV Formatters

02 Mar 23:16

What's New in v2.5.0

Custom Semgrep Rules — 4 OWASP Categories

  • A01:2021 Broken Access Control — 8 rules (CWE-22, 269, 639, 862, 942)
  • A03:2021 Injection — 11 rules (CWE-78, 79, 89, 90, 1336)
  • A09:2021 Logging Failures — 7 rules (existing from v2.4.0)
  • A10:2021 SSRF — 7 rules (CWE-918)
  • Total: 33 custom Semgrep rules across Python, JavaScript, TypeScript, and Java

MCP Server Expansion — 8 Tools

  • devsecops_compare — Diff two scans → new/fixed/unchanged findings with trend analysis
  • devsecops_compliance_status — Aggregate compliance across OWASP, NIST, MITRE, NCSA
  • devsecops_suggest_fix — AI-assisted remediation from rules + reference knowledge

PDF/CSV Formatters

  • PDF — Markdown → Pandoc conversion (Docker or host) for enterprise reports
  • CSV — Python3 csv module export with proper escaping for spreadsheet import
  • Output formats now: JSON, SARIF, Markdown, HTML, PDF, CSV

Quality

  • 19 test suites, 719+ tests — all passing
  • 4 new test suites: test-a01-rules.sh, test-a03-rules.sh, test-a10-rules.sh, test-mcp-compare.sh
  • 6 new test fixtures for rules and MCP compare

Summary

| Metric                | v2.4.0   | v2.5.0                   | Delta |
|-----------------------|----------|--------------------------|-------|
| Custom Semgrep Rules  | 7 (A09)  | 33 (A01+A03+A09+A10)     | +26   |
| Custom Rule Files     | 1        | 4                        | +3    |
| MCP Tools             | 5        | 8                        | +3    |
| Output Formats        | 4        | 6                        | +2    |
| Test Suites           | 15       | 19                       | +4    |
| Total Tests           | 587      | 719+                     | +132  |
| OWASP Custom Coverage | 1/10     | 4/10                     | +3    |

Install

claude install devsecops-ai-team@pitimon-devsecops

Full Changelog: v2.4.0...v2.5.0