feat: harden cross-repo analyzer and add risk hotspot docs

Author: Antigravity

.gitignore

@@ -1,4 +1,5 @@
 # Generated scan results
+results/
 results-*/
 report.html
 
@@ -23,3 +24,6 @@ node_modules/
 __pycache__/
 *.pyc
 .venv/
+
+# Local agent guidance
+AGENTS.md

CHANGELOG.md

@@ -0,0 +1,20 @@
+# Changelog
+
+All notable changes to this project are documented in this file.
+
+The format is based on Keep a Changelog, and the project follows Semantic Versioning.
+
+## [2.1.5] - 2026-02-13
+
+### Fixed
+- Fixed a syntax error in `scripts/cross-repo-analyzer.py` that prevented execution.
+
+### Changed
+- Rebuilt cross-repo analysis logic with stronger error handling and deterministic output.
+- Added optional Snyk correlation (`sca.json`) to identify vulnerable shared dependencies.
+- Added ranked `top_shared_risk_hotspots` to prioritize high-impact remediation work.
+
+### Documentation
+- Added cross-repo analyzer usage docs in `README.md`.
+- Updated `ROADMAP.md` and `fortressci-roadmap.md` to reflect current delivery status.
+

README.md

@@ -3,6 +3,7 @@
 FortressCI is a secure-by-default DevSecOps platform blueprint designed to implement "Shift Left" security, automated pipelines, and infrastructure protection. It integrates best-in-class open-source security tools to ensure your code and infrastructure are secure from day one.
 
 > **[View our Roadmap](ROADMAP.md)** for upcoming features and long-term vision.
+> **[Read the Changelog](CHANGELOG.md)** for release-by-release updates.
 > **[Try the Interactive Playground](playground/index.html)** to see FortressCI in action.
 
 ## Features
@@ -33,6 +34,7 @@ Automated checks on every push and pull request across **6 CI platforms**.
 
 - **AI Triage**: Automated findings analysis and prioritisation via LLMs.
 - **Auto-Remediation**: Self-healing pipelines that open PRs to fix vulnerabilities.
+- **Cross-Repo Analyzer**: Shared dependency and vulnerability hotspot analysis across many repositories.
 - **Security Dashboard**: Real-time visualisations of security posture and trends.
 - **MCP Server**: Native integration for AI assistants to query security data.
 
@@ -132,6 +134,21 @@ python3 scripts/ai-triage.py --results-dir results/ --config .fortressci.yml
 
 ---
 
+## Cross-Repo Dependency Risk Analysis
+
+Use SBOM and SCA outputs from multiple repositories to find shared dependency
+hotspots that are likely to create systemic risk.
+
+```bash
+# Analyze all subdirectories under ./org-results that contain sbom-source.cdx.json
+# If sibling sca.json files exist, known vulnerable dependencies are correlated too.
+python3 scripts/cross-repo-analyzer.py --dir ./org-results --top 25
+```
+
+Output: `./org-results/cross-repo-analysis.json`
+
+---
+
 ## Repository Structure
 
 ```
@@ -154,6 +171,7 @@ python3 scripts/ai-triage.py --results-dir results/ --config .fortressci.yml
 │   ├── run-all.sh                 # Docker scan orchestrator
 │   ├── ai-triage.py               # AI findings analysis
 │   ├── auto-fix.sh                # Automated remediation
+│   ├── cross-repo-analyzer.py     # Shared dependency risk analysis
 │   ├── generate-badge.py          # Security scoring & badges
 │   ├── generate-sbom.sh           # SBOM generator
 │   ├── fortressci-policy-check.sh # Policy enforcement

ROADMAP.md

@@ -233,14 +233,16 @@
 - Managed scanning infrastructure
 - **Effort:** 3–6 months
 
-### Cross-Repo Dependency Graph [IN PROGRESS 🏗️]
+### Cross-Repo Dependency Graph [COMPLETED ✅]
 
 **Goal:** Visualise how vulnerabilities propagate across shared libraries.
 
 **Achievements:**
 - Implemented `scripts/cross-repo-analyzer.py` to aggregate SBOM data across multiple projects.
 - Enabled identification of shared dependencies and their usage across the organisation.
 - Automated generation of cross-repo dependency reports in JSON format.
+- Added optional Snyk correlation from sibling `sca.json` files to highlight shared vulnerable dependencies.
+- Added prioritized `top_shared_risk_hotspots` output to support CISO-level remediation planning.
 
 ### Zero-Trust CI Pipeline
 - Every step runs in isolated, attested environment

fortressci-roadmap.md

@@ -33,6 +33,11 @@
 - Branch protection recommendations and operational guidance
 - `scripts/generate_keys.sh` for Cosign key generation
 
+### ✅ v2.1.x — Ecosystem Insights (Delivered)
+- Cross-repo dependency analysis via `scripts/cross-repo-analyzer.py`
+- Shared dependency hotspot prioritisation (`top_shared_risk_hotspots`)
+- Optional Snyk correlation from per-repo `sca.json` to identify vulnerable shared packages
+
 ---
 
 ## Upcoming Phases
@@ -124,7 +129,7 @@
 
 - **FortressCI Cloud**: Hosted SaaS with org management, centralised dashboards, SSO, and managed scan infrastructure — no self-hosting required
 - **Runtime protection agent**: Lightweight sidecar that enforces security policies at runtime (network egress, file access, process execution) based on CI-time analysis — extends "shift left" to "shift everywhere"
-- **Cross-repo dependency graph**: Visualise how vulnerabilities in shared libraries propagate across all repos in an organisation — *"Upgrading `lodash` in `shared-utils` fixes findings in 14 downstream repos"*
+- **Cross-repo dependency graph UI and service layer**: Extend current JSON analyzer into an interactive org-wide graph experience — *"Upgrading `lodash` in `shared-utils` fixes findings in 14 downstream repos"*
 - **Security debt tracking**: Treat security findings like tech debt — estimate remediation cost, track velocity, forecast when the backlog will be clear at current fix rate
 - **Regulatory auto-mapping**: Automatically map findings and controls to evolving regulatory frameworks as they change (new NIST revisions, EU CRA updates, PCI DSS v4)
 - **Zero-trust CI pipeline**: Every step in the pipeline runs in an isolated, attested environment with minimal permissions — no shared runners, no persistent state, cryptographic verification at every handoff