CodeClarity v0.0.22-alpha introduces significant enhancements to our open-source security analysis platform, focusing on intelligent vulnerability assessment, automated scheduling, and improved developer experience. This release strengthens our position as a comprehensive alternative to Snyk, Checkmarx, and Black Duck.
Enhanced Testing Infrastructure
Added comprehensive test coverage across both API (NestJS) and Frontend (Vue.js + TypeScript) components. This improves reliability, prevents regressions, and enables more confident deployments with tests running automatically in our CI/CD pipeline.
AI-Powered Vulnerability Intelligence
Vulnerability Lookup AI (VLAI) Integration
VLAI automatically analyzes vulnerability descriptions to predict severity levels using natural language processing. This provides intelligent estimates when official CVSS scores are unavailable and offers context-aware analysis beyond traditional CVE scores.
The VLAI response includes predicted severity levels (LOW, MEDIUM, HIGH, CRITICAL) and confidence scores for the assessment.
EPSS Score Integration
Integrates Exploit Prediction Scoring System (EPSS) scores to assess exploitation probability. This combines CVSS severity with real-world exploitation likelihood, helping teams focus on the vulnerabilities most likely to be exploited. The result is more accurate risk assessment, better resource allocation, and reduced false positives.
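The prioritization described in the two sections above (VLAI as a fallback when no CVSS score exists, EPSS as an exploitation weight), as an added example written for these notes rather than CodeClarity's own code. The finding shape, the confidence discount and the weighting formula are assumptions.

```typescript
// Added example, not CodeClarity's implementation. Field names are assumptions.
type Severity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";

interface Finding {
  cve: string;
  cvss?: number;                                     // CVSS base score 0-10, absent when unpublished
  vlai?: { severity: Severity; confidence: number }; // VLAI prediction, confidence in 0-1
  epss: number;                                      // EPSS exploitation probability in 0-1
}

const SEVERITY_RANK: Record<Severity, number> = { LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

// Map a CVSS v3 base score onto the qualitative rating scale.
function cvssToSeverity(score: number): Severity {
  if (score >= 9.0) return "CRITICAL";
  if (score >= 7.0) return "HIGH";
  if (score >= 4.0) return "MEDIUM";
  return "LOW";
}

// Prefer the official CVSS score; fall back to the VLAI prediction, and record
// which source was used so the UI can flag severities that are only estimates.
function effectiveSeverity(f: Finding): { severity: Severity; source: "cvss" | "vlai" | "unknown" } {
  if (f.cvss !== undefined) return { severity: cvssToSeverity(f.cvss), source: "cvss" };
  if (f.vlai) return { severity: f.vlai.severity, source: "vlai" };
  return { severity: "MEDIUM", source: "unknown" }; // conservative default (assumption)
}

// Priority = severity rank, weighted by exploitation likelihood. A VLAI estimate is
// discounted by its confidence so a weak guess cannot outrank a confirmed score.
// The 0.1 floor keeps a CRITICAL finding with a tiny EPSS from dropping to zero.
function priorityScore(f: Finding): number {
  const { severity, source } = effectiveSeverity(f);
  const confidence = source === "vlai" ? f.vlai!.confidence : 1;
  return SEVERITY_RANK[severity] * confidence * (0.1 + 0.9 * f.epss);
}

function prioritize(findings: Finding[]): Finding[] {
  return [...findings].sort((a, b) => priorityScore(b) - priorityScore(a));
}

// Constructed sample input; the CVE ids are placeholders, not real records.
const SAMPLE: Finding[] = [
  { cve: "CVE-0000-0001", cvss: 9.8, epss: 0.02 },
  { cve: "CVE-0000-0002", cvss: 7.5, epss: 0.9 },
  { cve: "CVE-0000-0003", vlai: { severity: "CRITICAL", confidence: 0.6 }, epss: 0.5 },
  { cve: "CVE-0000-0004", cvss: 3.1, epss: 0.01 },
];
```

With this weighting the actively exploited HIGH outranks the rarely exploited CRITICAL, which is exactly the reordering EPSS is meant to produce.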
Automated Analysis Scheduling
Configure automatic security scans with daily or weekly schedules. Scheduling options are flexible enough to suit different project needs, and scans can be timed to run during low-traffic periods to optimize resource usage.
Schedule configuration allows setting frequency (daily or weekly), specific time, and target projects. Use cases include continuous compliance monitoring, regular dependency update checks, and automated SBOM generation.
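How a schedule of the kind described above resolves to a concrete next run, as an added example that is not CodeClarity's scheduler. The config shape (frequency, "HH:MM" time, weekday, target projects) and the UTC interpretation are assumptions.

```typescript
// Added example, not CodeClarity's own code. Times are interpreted in UTC.
type Frequency = "daily" | "weekly";

interface ScheduleConfig {
  frequency: Frequency;
  time: string;        // "HH:MM" (24h)
  weekday?: number;    // 0 = Sunday ... 6 = Saturday; required for weekly
  projects: string[];  // target project identifiers
}

// Parse "HH:MM" strictly; reject anything that is not a valid 24h time.
function parseTime(time: string): { hour: number; minute: number } {
  const m = /^(\d{2}):(\d{2})$/.exec(time);
  if (!m) throw new Error(`invalid time: ${time}`);
  const hour = Number(m[1]);
  const minute = Number(m[2]);
  if (hour > 23 || minute > 59) throw new Error(`invalid time: ${time}`);
  return { hour, minute };
}

// Return the first run strictly after `now` that matches the schedule.
function nextRun(cfg: ScheduleConfig, now: Date): Date {
  const { hour, minute } = parseTime(cfg.time);
  const candidate = new Date(Date.UTC(now.getUTCFullYear(), now.getUTCMonth(), now.getUTCDate(), hour, minute));
  if (cfg.frequency === "daily") {
    // Today's slot has passed (or is exactly now): roll to tomorrow.
    if (candidate.getTime() <= now.getTime()) candidate.setUTCDate(candidate.getUTCDate() + 1);
    return candidate;
  }
  if (cfg.weekday === undefined || cfg.weekday < 0 || cfg.weekday > 6) {
    throw new Error("weekly schedule requires weekday 0-6");
  }
  // Advance to the configured weekday; if that is today but the time has passed, go a week ahead.
  let delta = (cfg.weekday - candidate.getUTCDay() + 7) % 7;
  if (delta === 0 && candidate.getTime() <= now.getTime()) delta = 7;
  candidate.setUTCDate(candidate.getUTCDate() + delta);
  return candidate;
}

// Expand one schedule into a (project, runAt) pair per target project.
function plan(cfg: ScheduleConfig, now: Date): { project: string; runAt: string }[] {
  const runAt = nextRun(cfg, now).toISOString();
  return cfg.projects.map((project) => ({ project, runAt }));
}
```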
Enhanced Notification System
Intelligent alert management provides real-time notifications for vulnerability discoveries and proactive alerts for dependency updates. Critical findings trigger immediate notifications while non-critical findings use digest options for summary reports.
Currently, notifications are displayed in the web UI. Planned notification channels include in-platform notifications, email alerts, webhook integrations (Slack, Teams, Discord), and API endpoints for custom integrations.
CI/CD Integration Enhancements
GitHub Actions Integration
Pre-built GitHub Action enables seamless CI/CD integration with configurable triggers (PR, push, scheduled events) and security gates that can fail builds based on vulnerability thresholds.
The GitHub Action accepts parameters for API URL, authentication token, project path, and failure conditions based on vulnerability severity levels.
Bash Script Automation
Lightweight integration scripts with customizable parameters provide universal compatibility with any CI/CD platform (Jenkins, GitLab CI, Azure DevOps).
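The decision logic behind a severity gate like the one the GitHub Action and the CI scripts above expose, as an added example rather than the action's actual source. The input name `failOn` and its free-form string format are assumptions.

```typescript
// Added example, not the CodeClarity GitHub Action's own code.
type Severity = "LOW" | "MEDIUM" | "HIGH" | "CRITICAL";
const RANK: Record<Severity, number> = { LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

interface GateResult {
  fail: boolean;
  blocking: number;                 // findings at or above the threshold
  counts: Record<Severity, number>; // findings per severity, for the job summary
  summary: string;
}

// Parse the threshold as a CI job receives it (free-form string, any case).
// Unrecognised input is rejected rather than silently treated as "never fail",
// so a typo in the workflow cannot disable the gate.
function parseThreshold(input: string): Severity {
  const v = input.trim().toUpperCase();
  if (v === "LOW" || v === "MEDIUM" || v === "HIGH" || v === "CRITICAL") return v;
  throw new Error(`unknown severity threshold: ${input}`);
}

// Fail when any finding is at or above the configured severity.
function evaluateGate(severities: Severity[], failOn: string): GateResult {
  const threshold = parseThreshold(failOn);
  const counts: Record<Severity, number> = { LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0 };
  for (const s of severities) counts[s] += 1;
  const blocking = severities.filter((s) => RANK[s] >= RANK[threshold]).length;
  const summary = blocking > 0
    ? `${blocking} finding(s) at or above ${threshold}: build fails`
    : `no findings at or above ${threshold}: build passes`;
  return { fail: blocking > 0, blocking, counts, summary };
}

// Constructed sample: a scan result reduced to its per-finding severities.
const SAMPLE_SEVERITIES: Severity[] = ["LOW", "MEDIUM", "HIGH", "LOW"];
```

A CI wrapper would map `fail` to a non-zero exit status and print `summary`; the counts give the reviewer the full picture even when the gate passes.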
UI/UX Improvements
Analysis Pipeline Visualization
The graph interface now offers an improved visual representation of analysis pipelines, better user interaction with pipeline stages, and real-time progress and performance indicators.
Brand Refresh: Black & Green Theme
The updated color scheme reflects our security-focused brand, with WCAG 2.1 AA compliant color contrast and a unified visual experience across components.
Technical Architecture Updates
API Layer (NestJS)
The API gains additional REST endpoints for scheduling and notifications, improved request validation and error handling, and updated Swagger documentation for the new features.
Frontend Modernization (Vue.js)
Components are more reusable and maintainable, and stronger TypeScript type safety improves the developer experience.
Impact Metrics
Developer experience improvements include simplified CI/CD setup, where the GitHub Action reduces integration time from hours to minutes; automated workflows that eliminate manual scan triggers; and better visibility through enhanced notifications.
The VLAI and EPSS integration helps users achieve better prioritization to focus on real threats.
Migration Guide
In the deployment folder, run "git pull" to get the latest versions of the docker compose files. Then run "make pull" to fetch the latest docker images. Finally, run "make up" to start the containers. The API container applies the migration files automatically on startup; check its logs to verify that they ran correctly.
What's Next
Upcoming in v0.0.23: a vulnerability finder policy to blacklist specific CVEs that we don't want to see in future analyses; a small ticketing system to plan and track patching progress; and notifications when fixes are discovered.
Community & Support
Quick Setup: Use the one-liner command "curl -O https://raw.githubusercontent.com/CodeClarityCE/codeclarity-dev/main/setup.sh && sh setup.sh"
Documentation: doc.codeclarity.io
GitHub: github.com/CodeClarityCE/codeclarity-dev
We welcome contributions! Check our CONTRIBUTING.md for guidelines.
License: AGPL-3.0-or-later - Open source with commercial use allowed under AGPL terms.
CodeClarity v0.0.22-alpha represents a significant step forward in open-source security analysis. We're committed to providing enterprise-grade security tools that remain transparent, customizable, and community-driven.
Install CodeClarity with just one simple command – and begin securing your software today.
curl -O https://raw.githubusercontent.com/CodeClarityCE/deployment/main/setup.sh && bash setup.sh