cassiodeveloper
diff --git a/‎CHANGELOG.md‎
Lines changed: 43 additions & 1 deletion b/‎CHANGELOG.md‎
Lines changed: 43 additions & 1 deletion
diff --git a/‎LICENSE‎
Lines changed: 127 additions & 8 deletions b/‎LICENSE‎
Lines changed: 127 additions & 8 deletions
@@ -6,6 +6,44 @@ The format is based on semantic versioning and follows a simple chronological re
 
 ---
 
+## v0.3.0 — 2026-03
+
+### Added
+
+* **Multi-SARIF support**: `--sarif` now accepts multiple files as a comma-separated list
+  (`--sarif semgrep.sarif,trivy.sarif`) or multiple flags. GitHub Action updated accordingly.
+  Findings are deduplicated across files by `(ruleId, path, line)`.
+* **Diff-aware filtering enabled by default** in PR mode. SecScore now automatically filters
+  findings to only those touching lines changed in the PR. Use `--no-diff-aware` to opt out.
+  Gracefully degrades (warning, no abort) when not running inside a git repository or when
+  the diff returns no changed files.
+* **Suppressions by fingerprint**: policy `suppressions.deny_fingerprints` list allows
+  suppressing specific known false positives by their finding fingerprint — traceable and
+  reviewable in version control.
+* `action.yml` new inputs: `no_diff_aware`, `base_ref`.
+* `policy_validator.py` now validates `suppressions.deny_fingerprints` entries.
+* Policy version bumped to `1.1` in default policy files.
+
+### Fixed
+
+* `engine.py`: `NoneType` crash when `asset.path` was absent in a finding.
+* `sarif.py`: `critical` severity from `properties.severity` (Semgrep, Snyk) was silently
+  downgraded to `high`. Now correctly propagated.
+* `action.yml`: Python inline block had incorrect indentation causing `SyntaxError` on the
+  GitHub Actions runner.
+* `diff_filter.py`: `base_ref` argument was passed unsanitized to `subprocess`. Now validated
+  against an allowlist regex before use.
+* `checkmarx_provider.py`: `get_results` used a hard-coded `limit=1000` with no pagination,
+  silently dropping findings beyond the first 1000. Replaced with a paginated loop.
+* `policy_validator.py` (new): policy YAML is now validated before reaching the engine.
+  Structural errors, unknown severity names, and misconfigured thresholds produce clear
+  error messages instead of silently incorrect scores.
+* `main.py`: diff-aware with empty `changed_ranges` was silently discarding all findings,
+  causing every run to score 100 and return PASS. Now skips filtering when diff is empty
+  and warns the user.
+
+---
+
 ## v0.2.0 — 2026-03
 
 ### Added
@@ -39,4 +77,8 @@ The format is based on semantic versioning and follows a simple chronological re
 
 ## Notes
 
-SecScore aims to reduce **security scanner noise** and provide **objective merge decisions** in CI/CD pipelines by introducing a policy-driven security score between scanners and Pull Requests.
+SecScore aims to reduce **security scanner noise** and provide **objective merge decisions**
+in CI/CD pipelines by introducing a policy-driven security score between scanners and Pull Requests.
+
+This project is licensed under the [PolyForm Noncommercial License 1.0.0](LICENSE).
+Commercial use requires explicit permission from the author.
@@ -1,14 +1,133 @@
-PolyForm Noncommercial License 1.0.0
+# PolyForm Noncommercial License 1.0.0
 
-Copyright (c) 2026 Cássio
+[Full license text here](https://polyformproject.org/licenses/noncommercial/1.0.0/)
 
-The Software may be used, modified, and redistributed for non-commercial purposes only.
+## Acceptance
 
-Commercial use of this software, including incorporation into a paid product,
-service, or platform, requires explicit permission from the copyright holder.
+In order to get any license under these terms, you must agree
+to them as both strict obligations and conditions to all
+your licenses.
 
-For commercial licensing inquiries, please contact the project author.
+## Copyright License
 
-Full license text:
+The licensor grants you a copyright license for the
+software to do everything you might do with the software
+that would otherwise infringe the licensor's copyright
+in it for any permitted purpose.  However, you may
+only distribute the software according to [Distribution
+License](#distribution-license) and make changes or new works
+based on the software according to [Changes and New Works
+License](#changes-and-new-works-license).
 
-https://polyformproject.org/licenses/noncommercial/1.0.0/
+## Distribution License
+
+The licensor grants you an additional copyright license
+to distribute copies of the software.  Your license
+to distribute covers distributing the software with
+changes and new works permitted by [Changes and New Works
+License](#changes-and-new-works-license).
+
+## Notices
+
+You must ensure that anyone who gets a copy of any part of
+the software from you also gets a copy of these terms or the
+URL for them above, as well as copies of any plain-text lines
+beginning with `Required Notice:` that the licensor provided
+with the software.  For example:
+
+> Required Notice: Copyright Yoyodyne, Inc. (http://example.com)
+
+## Changes and New Works License
+
+The licensor grants you an additional copyright license to
+make changes and new works based on the software for any
+permitted purpose.
+
+## Patent License
+
+The licensor grants you a patent license for the software that
+covers patent claims the licensor can license, or becomes able
+to license, that you would infringe by using the software.
+
+## Noncommercial Purposes
+
+Any noncommercial purpose is a permitted purpose.
+
+## Personal Uses
+
+Personal use for research, experiment, and testing for
+the benefit of public knowledge, personal study, private
+entertainment, hobby projects, amateur pursuits, or religious
+observance, without any anticipated commercial application,
+is use for a permitted purpose.
+
+## Noncommercial Organizations
+
+Use by any charitable organization, educational institution,
+public research organization, public safety or health
+organization, environmental protection organization,
+or government institution is use for a permitted purpose
+regardless of the source of funding or obligations resulting
+from the funding.
+
+## Fair Use
+
+You may have "fair use" rights for the software under the
+law. These terms do not limit them.
+
+## No Other Rights
+
+These terms do not allow you to sublicense or transfer any of
+your licenses to anyone else, or prevent the licensor from
+granting licenses to anyone else.  These terms do not imply
+any other licenses.
+
+## Patent Defense
+
+If you make any written claim that the software infringes or
+contributes to infringement of any patent, your patent license
+for the software granted under these terms ends immediately. If
+your company makes such a claim, your patent license ends
+immediately for work on behalf of your company.
+
+## Violations
+
+The first time you are notified in writing that you have
+violated any of these terms, or done anything with the software
+not covered by your licenses, your licenses can nonetheless
+continue if you come into full compliance with these terms,
+and take practical steps to correct past violations, within
+32 days of receiving notice.  Otherwise, all your licenses
+end immediately.
+
+## No Liability
+
+***As far as the law allows, the software comes as is, without
+any warranty or condition, and the licensor will not be liable
+to you for any damages arising out of these terms or the use
+or nature of the software, under any kind of legal claim.***
+
+## Definitions
+
+The **licensor** is the individual or entity offering these
+terms, and the **software** is the software the licensor makes
+available under these terms.
+
+**You** refers to the individual or entity agreeing to these
+terms.
+
+**Your company** is any legal entity, sole proprietorship,
+or other kind of organization that you work for, plus all
+organizations that have control over, are under the control of,
+or are under common control with that organization.  **Control**
+means ownership of substantially all the assets of an entity,
+or the power to direct its management and policies by vote,
+contract, or otherwise.  Control can be direct or indirect.
+
+**Your licenses** are all the licenses granted to you for the
+software under these terms.
+
+**Use** means anything you do with the software requiring one
+of your licenses.
+
+[Full license text here](https://polyformproject.org/licenses/noncommercial/1.0.0/)