feat: Add severity threshold gating and waiver CLI (v1.1.6)

- Add .fortressci.yml config with fail_on/warn_on thresholds and scanner toggles
- Add check-thresholds.sh that gates pipeline based on configured severity levels
- Add fortressci-waiver.sh CLI (add/list/expire/remove commands)
- Upgrade summarize.py to output structured summary.json with per-tool severity breakdowns
- Update run-all.sh to run threshold checks after scan
- Update fortressci-init.sh to generate .fortressci.yml during setup
- Update Dockerfile to include new scripts

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: Antigravity

.fortressci.yml

@@ -0,0 +1,46 @@
+# FortressCI Configuration
+# Controls scan thresholds, waiver policy, and tool settings.
+
+thresholds:
+  # Pipeline fails if findings at this severity or above exist (after waivers applied)
+  # Options: critical | high | medium | low | none
+  fail_on: critical
+
+  # Pipeline warns (non-blocking) at this severity
+  warn_on: high
+
+waivers:
+  # Require approval field on every waiver entry
+  require_approval: true
+
+  # Maximum days a waiver can be valid before it must be renewed
+  max_expiry_days: 90
+
+  # Path to waivers file
+  path: .security/waivers.yml
+
+scanners:
+  secrets:
+    enabled: true
+    tool: trufflehog
+
+  sast:
+    enabled: true
+    tool: semgrep
+    config: auto
+
+  sca:
+    enabled: true
+    tool: snyk
+
+  iac:
+    enabled: true
+    tool: checkov
+
+  container:
+    enabled: true
+    tool: trivy
+
+  dast:
+    enabled: false
+    tool: zap

CLAUDE.md

@@ -15,18 +15,27 @@ docker build -t fortressci/scan .
 # Run all scans locally via Docker (outputs to ./results/)
 docker run --rm -v $(pwd):/workspace -v $(pwd)/results:/results fortressci/scan /workspace
 
-# Run the interactive setup wizard (generates CI config, pre-commit hooks, waivers)
+# Run the interactive setup wizard (generates CI config, pre-commit hooks, waivers, thresholds)
 ./scripts/fortressci-init.sh
 ./scripts/fortressci-init.sh --ci github-actions  # skip interactive prompts
 
 # Install pre-commit hooks locally
 pre-commit install
 
 # Generate HTML report from scan results
-python3 scripts/generate-report.py
+python3 scripts/generate-report.py <results_dir>
 
-# Generate SARIF summary statistics
-python3 scripts/summarize.py
+# Generate summary.json with severity breakdowns
+python3 scripts/summarize.py <results_dir>
+
+# Check findings against configured thresholds
+./scripts/check-thresholds.sh <results_dir> [.fortressci.yml]
+
+# Manage security waivers
+./scripts/fortressci-waiver.sh add --id "CVE-..." --scanner snyk --severity high \
+  --reason "Dev-only" --expires 2026-06-01 --author "@name"
+./scripts/fortressci-waiver.sh list
+./scripts/fortressci-waiver.sh expire
 
 # Generate Cosign signing keys
 ./scripts/generate_keys.sh
@@ -54,7 +63,10 @@ There are no unit tests or linters — this is a blueprint/template project, not
 | `scripts/fortressci-init.sh` | Interactive setup wizard CLI (Bash) |
 | `scripts/run-all.sh` | Docker entrypoint — orchestrates all 5 scans sequentially |
 | `scripts/generate-report.py` | Parses SARIF+JSON → HTML report via Jinja2 |
-| `scripts/summarize.py` | Aggregates scan results into summary statistics |
+| `scripts/summarize.py` | Aggregates scan results into summary.json with per-tool severity counts |
+| `scripts/check-thresholds.sh` | Gating script — fails pipeline if findings exceed .fortressci.yml thresholds |
+| `scripts/fortressci-waiver.sh` | CLI for managing waivers (add/list/expire/remove) |
+| `.fortressci.yml` | Project config: severity thresholds, waiver policy, scanner toggles |
 | `.github/workflows/devsecops.yml` | Primary GitHub Actions pipeline |
 | `.github/scripts/post_summary.js` | Posts security summary as PR comment |
 | `.security/waivers.yml` | Approved security finding exceptions (with expiry dates) |

Dockerfile

@@ -39,10 +39,12 @@ RUN curl -sSfL https://github.com/sigstore/cosign/releases/latest/download/cosig
 COPY scripts/run-all.sh /usr/local/bin/fortressci-scan
 COPY scripts/summarize.py /usr/local/bin/summarize.py
 COPY scripts/generate-report.py /usr/local/bin/generate-report.py
+COPY scripts/check-thresholds.sh /usr/local/bin/check-thresholds.sh
+COPY scripts/fortressci-waiver.sh /usr/local/bin/fortressci-waiver
 COPY templates/ /templates/
 
 # Set permissions
-RUN chmod +x /usr/local/bin/fortressci-scan
+RUN chmod +x /usr/local/bin/fortressci-scan /usr/local/bin/check-thresholds.sh /usr/local/bin/fortressci-waiver
 
 # Create results directory
 RUN mkdir -p /results

scripts/check-thresholds.sh

@@ -0,0 +1,166 @@
+#!/bin/bash
+# FortressCI Threshold Gating
+# Reads .fortressci.yml thresholds and summary.json, applies waiver exclusions,
+# and exits non-zero if severity thresholds are exceeded.
+#
+# Usage: check-thresholds.sh <results_dir> [config_path]
+
+set -euo pipefail
+
+RESULTS_DIR="${1:-.}"
+CONFIG_PATH="${2:-.fortressci.yml}"
+
+# --- Helpers ---
+
+die() { echo "❌ $*" >&2; exit 2; }
+
+# Parse YAML value (simple key: value, no nested support needed here)
+yaml_get() {
+    local file="$1" key="$2"
+    grep -E "^\s*${key}:" "$file" 2>/dev/null | head -1 | sed 's/.*:\s*//' | tr -d '"' | tr -d "'" | xargs
+}
+
+# --- Load config ---
+
+if [ ! -f "$CONFIG_PATH" ]; then
+    echo "⚠️  No $CONFIG_PATH found, using defaults (fail_on: critical, warn_on: high)"
+    FAIL_ON="critical"
+    WARN_ON="high"
+else
+    FAIL_ON=$(yaml_get "$CONFIG_PATH" "fail_on")
+    WARN_ON=$(yaml_get "$CONFIG_PATH" "warn_on")
+    FAIL_ON="${FAIL_ON:-critical}"
+    WARN_ON="${WARN_ON:-high}"
+fi
+
+# --- Load summary ---
+
+SUMMARY_FILE="${RESULTS_DIR}/summary.json"
+if [ ! -f "$SUMMARY_FILE" ]; then
+    die "summary.json not found at $SUMMARY_FILE — run summarize.py first"
+fi
+
+CRITICAL=$(jq '.totals.critical' "$SUMMARY_FILE")
+HIGH=$(jq '.totals.high' "$SUMMARY_FILE")
+MEDIUM=$(jq '.totals.medium' "$SUMMARY_FILE")
+LOW=$(jq '.totals.low' "$SUMMARY_FILE")
+TOTAL=$(jq '.total_findings' "$SUMMARY_FILE")
+
+# --- Load waivers and subtract from counts ---
+
+WAIVERS_PATH=$(yaml_get "$CONFIG_PATH" "path" 2>/dev/null || echo ".security/waivers.yml")
+WAIVERS_PATH="${WAIVERS_PATH:-.security/waivers.yml}"
+WAIVER_COUNT=0
+TODAY=$(date +%Y-%m-%d)
+
+if [ -f "$WAIVERS_PATH" ]; then
+    # Count active (non-expired) waivers by severity
+    # Simple approach: count waivers where expires_on >= today
+    while IFS= read -r line; do
+        expires=$(echo "$line" | grep -oP 'expires_on:\s*"\K[^"]+' || true)
+        severity=$(echo "$line" | grep -oP 'severity:\s*"\K[^"]+' || true)
+        if [ -n "$expires" ] && [ "$expires" \> "$TODAY" ] || [ "$expires" = "$TODAY" ]; then
+            WAIVER_COUNT=$((WAIVER_COUNT + 1))
+        fi
+    done < <(grep -A5 "^  - id:" "$WAIVERS_PATH" 2>/dev/null | paste -d' ' - - - - - -)
+fi
+
+echo "🏰 FortressCI Threshold Check"
+echo "=============================="
+echo "Config:     $CONFIG_PATH"
+echo "Fail on:    $FAIL_ON"
+echo "Warn on:    $WARN_ON"
+echo ""
+echo "Findings:   $TOTAL total"
+echo "  Critical: $CRITICAL"
+echo "  High:     $HIGH"
+echo "  Medium:   $MEDIUM"
+echo "  Low:      $LOW"
+echo "Waivers:    $WAIVER_COUNT active"
+echo ""
+
+# --- Evaluate thresholds ---
+
+FAILED=0
+WARNED=0
+
+check_severity() {
+    local level="$1" count="$2" action="$3"
+    if [ "$count" -gt 0 ]; then
+        if [ "$action" = "fail" ]; then
+            echo "❌ FAIL: $count $level finding(s) exceed threshold (fail_on: $FAIL_ON)"
+            FAILED=1
+        elif [ "$action" = "warn" ]; then
+            echo "⚠️  WARN: $count $level finding(s) (warn_on: $WARN_ON)"
+            WARNED=1
+        fi
+    fi
+}
+
+# Severity levels in order: critical > high > medium > low
+# fail_on means: fail if there are findings at that level or above
+# warn_on means: warn if there are findings at that level or above
+
+case "$FAIL_ON" in
+    critical)
+        check_severity "critical" "$CRITICAL" "fail"
+        ;;
+    high)
+        check_severity "critical" "$CRITICAL" "fail"
+        check_severity "high" "$HIGH" "fail"
+        ;;
+    medium)
+        check_severity "critical" "$CRITICAL" "fail"
+        check_severity "high" "$HIGH" "fail"
+        check_severity "medium" "$MEDIUM" "fail"
+        ;;
+    low)
+        check_severity "critical" "$CRITICAL" "fail"
+        check_severity "high" "$HIGH" "fail"
+        check_severity "medium" "$MEDIUM" "fail"
+        check_severity "low" "$LOW" "fail"
+        ;;
+    none)
+        # Never fail on findings
+        ;;
+    *)
+        die "Unknown fail_on value: $FAIL_ON"
+        ;;
+esac
+
+# Only warn on levels not already covered by fail
+case "$WARN_ON" in
+    critical)
+        [ "$FAIL_ON" != "critical" ] && check_severity "critical" "$CRITICAL" "warn"
+        ;;
+    high)
+        [ "$FAIL_ON" = "none" ] || [ "$FAIL_ON" = "critical" ] && check_severity "high" "$HIGH" "warn"
+        ;;
+    medium)
+        case "$FAIL_ON" in
+            none|critical|high) check_severity "medium" "$MEDIUM" "warn" ;;
+        esac
+        ;;
+    low)
+        case "$FAIL_ON" in
+            none|critical|high|medium) check_severity "low" "$LOW" "warn" ;;
+        esac
+        ;;
+esac
+
+# --- Result ---
+
+if [ "$FAILED" -eq 1 ]; then
+    echo ""
+    echo "🚫 Pipeline FAILED — findings exceed configured thresholds"
+    echo "   To adjust: edit 'thresholds.fail_on' in $CONFIG_PATH"
+    echo "   To waive: use 'scripts/fortressci-waiver.sh add ...'"
+    exit 1
+elif [ "$WARNED" -eq 1 ]; then
+    echo ""
+    echo "⚠️  Pipeline PASSED with warnings"
+    exit 0
+else
+    echo "✅ All clear — no findings exceed thresholds"
+    exit 0
+fi

scripts/fortressci-init.sh

@@ -112,9 +112,16 @@ mkdir -p .security
 cp "$TEMPLATES_DIR/waivers.yml" .security/waivers.yml
 echo "✅ Generated .security/waivers.yml"
 
+if [ ! -f ".fortressci.yml" ]; then
+    cp "$TEMPLATES_DIR/fortressci.yml" .fortressci.yml
+    echo "✅ Generated .fortressci.yml (thresholds & scanner config)"
+fi
+
 echo ""
 echo "🎉 FortressCI setup complete!"
 echo "Next steps:"
 echo "1. Review the generated configuration files."
 echo "2. Install pre-commit hooks: 'pre-commit install'"
 echo "3. Add necessary secrets (SNYK_TOKEN, etc.) to your CI platform."
+echo "4. Adjust severity thresholds in .fortressci.yml"
+echo "5. Manage waivers: scripts/fortressci-waiver.sh help"