Releases: Born14/verify
v1.3.0 — fail-on-findings, in-band suppressions, first calibrated Terraform shape
v1.3 adds three things: a CI-policy lever, an in-band suppression mechanism for declaring intentional exceptions, and Verify's first calibrated Terraform shape.
The Terraform shape is TF-SG-WORLD-OPEN-INGRESS-01: AWS security-group ingress opening sensitive ports to the world, measured under the v1.1 same-module resolver and shipped warning-only via strong-single-corpus calibration.
The CI-policy lever and in-band suppressions come out of real engineering critique on v1.0-1.2: warnings get ignored in 2026 unless they have teeth, and intentional exceptions need a first-class mechanism that doesn't break the audit chain.
Policy-driven blocking
New Action input fail-on-findings (default false). When true, the workflow exits 1 if there are non-suppressed findings.
```yaml
- uses: Born14/verify@v1
  with:
    fail-on-findings: true
```

The receipt's calibrated severity is unchanged. The receipt represents the methodology; the CI failure represents the user's policy. Severity belongs to the discipline; enforcement belongs to the team.
Suppressed findings do not trigger the failure. They are still recorded in the receipt and covered by the digest.
In-band suppressions
New comment syntax for declaring intentional exceptions:
# verify:ignore <SHAPE-ID> reason:"<text>"
Place the comment on the same line as the trigger (trailing form) or the line immediately above it (standalone form). Examples:
```yaml
spec:
  containers:
    # verify:ignore K8S-MISSING-LIMITS-01 reason:"unbounded by design pending sizing review"
    - name: api
      image: ghcr.io/example/api:1.4.2
```

```yaml
      image: ghcr.io/example/api:latest  # verify:ignore K8S-IMAGE-TAG-LATEST-01 reason:"dev-only deploy"
```

Rules:
- The shape ID must be one of the calibrated shapes. Typos are reported as suppression warnings rather than silently treated as no-ops.
- The reason must be non-empty.
- Scope is the trigger line itself or the line immediately above it, nothing wider. File-scoped and resource-scoped variants were rejected as abuse vectors.
Suppressed findings move out of the primary findings block into a new "Manifest Intent / Suppressions" block on the receipt. The file path, shape, comment line, and verbatim reason are recorded. The packet digest covers the suppressions and warnings arrays — a suppression cannot be silently removed without changing the digest.
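As an added worked example (not Verify's code; the Action's matcher is not published on this page), the rules above as a small Python matcher. It assumes detectors emit findings as (path, line, shape) triples, that the calibrated shape set is the eight IDs named on this page, and, my assumption since the page only says the reason must be non-empty, that a comment with an empty reason is a no-op that also produces a warning. The manifest and detector output are constructed for the demo.

```python
import re
from dataclasses import dataclass

# Shape IDs named on this page; the full ledger lives in calibration/shapes.json.
CALIBRATED_SHAPES = {
    "CONTAINER-ROOT-01", "K8S-MISSING-LIMITS-01", "K8S-MISSING-PROBES-01",
    "K8S-MISSING-SECURITY-CONTEXT-01", "K8S-IMAGE-TAG-LATEST-01", "GHA-SHA-PIN-01",
    "DOCKERFILE-BASE-IMAGE-DIGEST-UNPINNED-01", "TF-SG-WORLD-OPEN-INGRESS-01",
}
IGNORE_RE = re.compile(r'#\s*verify:ignore\s+(\S+)\s+reason:"([^"]*)"')

@dataclass(frozen=True)
class Finding:
    path: str
    line: int    # 1-based line of the trigger
    shape: str

def parse_ignores(text):
    """Map line number -> (shape, reason) for every verify:ignore comment in a file."""
    found = {}
    for no, raw in enumerate(text.splitlines(), start=1):
        m = IGNORE_RE.search(raw)
        if m:
            found[no] = (m.group(1), m.group(2).strip())
    return found

def apply_suppressions(findings, files):
    """Split findings into (kept, suppressions, suppression_warnings).

    A comment suppresses a finding of the same shape on its own line (trailing
    form) or on the line directly below it (standalone form), and only then.
    """
    comments = {path: parse_ignores(text) for path, text in files.items()}
    kept, suppressions, warnings, used = [], [], [], set()
    for f in findings:
        hit = None
        for cline in (f.line, f.line - 1):          # trailing first, then standalone
            entry = comments.get(f.path, {}).get(cline)
            if entry and entry[0] == f.shape and entry[1]:
                hit = cline
                break
        if hit is None:
            kept.append(f)
            continue
        used.add((f.path, hit))
        suppressions.append({"path": f.path, "shape": f.shape, "comment_line": hit,
                             "finding_line": f.line, "reason": comments[f.path][hit][1]})
    # Every comment that matched nothing is surfaced rather than silently dropped.
    for path in sorted(comments):
        for cline, (shape, reason) in sorted(comments[path].items()):
            if (path, cline) in used:
                continue
            if shape not in CALIBRATED_SHAPES:
                why = f"unknown shape id {shape}"
            elif not reason:
                why = "empty reason"          # assumption: no-op plus a warning
            else:
                why = "no finding of that shape on this line or the next"
            warnings.append({"path": path, "comment_line": cline, "shape": shape, "why": why})
    return kept, suppressions, warnings

# Constructed manifest and detector output for the demo.
SAMPLE_FILES = {"k8s/api.yaml": """\
spec:
  containers:
    # verify:ignore K8S-MISSING-LIMITS-01 reason:"unbounded by design pending sizing review"
    - name: api
      image: ghcr.io/example/api:latest  # verify:ignore K8S-IMAGE-TAG-LATEST-01 reason:"dev-only deploy"
    - name: worker
      image: ghcr.io/example/worker:latest
      # verify:ignore K8S-IMAGE-TAG-LATEST-1 reason:"typo in the shape id, and below the trigger"
"""}
SAMPLE_FINDINGS = [
    Finding("k8s/api.yaml", 4, "K8S-MISSING-LIMITS-01"),
    Finding("k8s/api.yaml", 5, "K8S-IMAGE-TAG-LATEST-01"),
    Finding("k8s/api.yaml", 6, "K8S-MISSING-LIMITS-01"),
    Finding("k8s/api.yaml", 7, "K8S-IMAGE-TAG-LATEST-01"),
]

if __name__ == "__main__":
    kept, sup, warn = apply_suppressions(SAMPLE_FINDINGS, SAMPLE_FILES)
    print(len(kept), "kept;", len(sup), "suppressed;", len(warn), "warnings")
```

Two things the sample exercises: the worker container's K8S-MISSING-LIMITS-01 finding on line 6 is not suppressed by the trailing comment on line 5 because that comment names a different shape, and the comment on line 8 produces a warning because its ID is misspelled and it sits below its trigger rather than above it.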
Methodology vs. policy
METHODOLOGY.md adds two sections explaining the design:
- "Methodology vs. policy" — why severity (the calibration claim) is separate from enforcement (the team's CI behaviour).
- "Suppressions and intent" — Verify does not infer author intent. It records intent only when operators declare it explicitly via in-band comments.
Receipt schema
verify-receipt/v1 schema extended with two arrays:
- suppressions — findings that fired structurally and were suppressed by an operator-authored comment with a non-empty reason.
- suppression_warnings — # verify:ignore comments that did not match any fired finding (typo'd shape ID or comment placed where no detector fired).
Both are part of the packet digest. Empty arrays in the no-suppression case.
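An added example, not Verify's implementation, of how the digest contract above and the fail-on-findings lever from the "Policy-driven blocking" section fit together. The canonicalization (sorted-key, whitespace-free UTF-8 JSON) and every receipt field name other than the three arrays this page names (findings, suppressions, suppression_warnings) are assumptions; the receipt itself is constructed. The property demonstrated is the one the text states: removing a suppression changes the digest, while the exit status depends only on the policy flag and the non-suppressed findings.

```python
import copy
import hashlib
import json

def canonical_bytes(packet):
    """Assumed canonical form: UTF-8 JSON, keys sorted, no insignificant whitespace.
    Verify's exact byte rules are not on this page; the contract only needs that
    identical content always yields identical bytes."""
    return json.dumps(packet, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

def packet_digest(receipt):
    """SHA-256 over every field except the digest itself."""
    packet = {k: v for k, v in receipt.items() if k != "digest"}
    return "sha256:" + hashlib.sha256(canonical_bytes(packet)).hexdigest()

def verify_digest(receipt):
    """True when the digest carried in the receipt matches its own content."""
    return receipt.get("digest") == packet_digest(receipt)

def exit_code(receipt, fail_on_findings=False):
    """The policy lever. Severity stays in the receipt; the exit status is the
    team's call. Suppressed findings are in the packet but never fail the job."""
    return 1 if fail_on_findings and receipt["findings"] else 0

# Constructed receipt; field names other than findings / suppressions /
# suppression_warnings are assumptions, not the published schema.
SAMPLE_RECEIPT = {
    "schema": "verify-receipt/v1",
    "commit": "0" * 40,
    "findings": [
        {"shape": "K8S-IMAGE-TAG-LATEST-01", "path": "k8s/worker.yaml", "line": 7,
         "severity": "warning"},
    ],
    "suppressions": [
        {"shape": "K8S-MISSING-LIMITS-01", "path": "k8s/api.yaml", "comment_line": 3,
         "reason": "unbounded by design pending sizing review"},
    ],
    "suppression_warnings": [],
    "not_checked": ["CloudFormation", "Helm-templated YAML"],
}
SAMPLE_RECEIPT["digest"] = packet_digest(SAMPLE_RECEIPT)

def tamper_demo():
    """Dropping a suppression invalidates the digest even though the primary
    findings block is untouched; returns (original_ok, tampered_ok)."""
    tampered = copy.deepcopy(SAMPLE_RECEIPT)
    tampered["suppressions"] = []
    return verify_digest(SAMPLE_RECEIPT), verify_digest(tampered)

if __name__ == "__main__":
    print(SAMPLE_RECEIPT["digest"], tamper_demo(), exit_code(SAMPLE_RECEIPT, True))
```

Key order in the JSON does not affect the digest because serialization sorts keys, which is what makes "byte-identical receipt" a claim about content rather than about whichever dict ordering the runtime happened to produce.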
Canonical demo digest
The v1.3 schema produces a new canonical digest on the demo fixture:
sha256:0d7d9d941a672e37f2a31e0d8db8b20ce7ca416d57cf989c89deac7ca958b0e4
(Replaces the v1.2 digest sha256:bceed6d3.... The earlier v1.3 pre-Terraform digest sha256:2040419... is also superseded by this one, which reflects the eighth calibrated check, TF-SG-WORLD-OPEN-INGRESS-01.)
New Terraform shape
TF-SG-WORLD-OPEN-INGRESS-01 — AWS security-group ingress opening sensitive ports to the world. Calibrated/warning under the v1.1 same-module Terraform resolver, promoted via strong-single-corpus on devops-in-the-cloud: 32 TP / 0 FP / 16 AMB on 48 findings, 100% clean precision, 33.33% ambiguity, deterministic.
Narrow but real: this is one Terraform shape, single-corpus, warning-only. Not "Terraform solved" and not blocking-tier. The substrate work that resolves same-module var.X and local.Y defaults before detector evaluation is the unlock that future Terraform shapes will ride.
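An added illustration of the resolve-then-detect order described above; it is not Verify's resolver or detector. The tiny HCL reader handles only what the constructed module below uses (string and number literals, lists, var.X defaults, local.Y), the sensitive-port set is an assumption since the page does not publish Verify's, and an ingress whose CIDR or ports cannot be resolved from same-module defaults is reported as ambiguous rather than as a finding, which is how the 16 AMB cases above are distinguished from the 32 TPs.

```python
import re

WORLD = {"0.0.0.0/0", "::/0"}
# Assumed sensitive-port set for this example; the page does not publish Verify's.
SENSITIVE_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
HEADER_RE = re.compile(r'(\w+)((?:\s+"[^"]*")*)\s*\{')
ATTR_RE = re.compile(r'^\s*(\w+)\s*=\s*(.+?)\s*(?:#.*)?$', re.M)

def _body(text, start):
    """Body of the brace block whose '{' is at text[start], and the index after '}'."""
    depth, in_str = 0, False
    for i, c in enumerate(text[start:], start):
        if in_str:
            in_str = c != '"'
        elif c == '"':
            in_str = True
        elif c in "{}":
            depth += 1 if c == "{" else -1
            if depth == 0:
                return text[start + 1:i], i + 1
    raise ValueError("unbalanced braces")

def blocks(text):
    """Yield (kind, labels, body) for each block at this nesting level."""
    i = 0
    while m := HEADER_RE.search(text, i):
        body, i = _body(text, m.end() - 1)
        yield m.group(1), re.findall(r'"([^"]*)"', m.group(2)), body

def attrs(body):
    """name = value pairs on their own lines, trailing # comments dropped."""
    return {m.group(1): m.group(2) for m in ATTR_RE.finditer(body)}

def resolve(expr, variables, locals_):
    """Literal, var.X with a default, or local.Y; None when the value cannot be
    known from the module alone (the ambiguous case)."""
    expr = expr.strip()
    if expr[:1] == "[" and expr[-1:] == "]":
        vals = [resolve(p, variables, locals_) for p in expr[1:-1].split(",") if p.strip()]
        return None if None in vals else vals
    if len(expr) >= 2 and expr[0] == expr[-1] == '"':
        return expr[1:-1]
    if re.fullmatch(r"-?\d+", expr):
        return int(expr)
    scope, _, name = expr.partition(".")
    source = {"var": variables, "local": locals_}.get(scope, {})
    return resolve(source[name], variables, locals_) if name in source else None

def evaluate(hcl):
    """Resolve same-module defaults first, then run the shape over every ingress."""
    variables, locals_, groups = {}, {}, []
    for kind, labels, body in blocks(hcl):
        if kind == "variable" and "default" in attrs(body):
            variables[labels[0]] = attrs(body)["default"]
        elif kind == "locals":
            locals_.update(attrs(body))
        elif kind == "resource" and labels[:1] == ["aws_security_group"]:
            groups.append((labels[1], body))
    verdicts = []
    for name, body in groups:
        for kind, _, ingress in blocks(body):
            if kind != "ingress":
                continue
            a = attrs(ingress)
            cidrs = resolve(a.get("cidr_blocks", "[]"), variables, locals_)
            lo = resolve(a.get("from_port", ""), variables, locals_)
            hi = resolve(a.get("to_port", ""), variables, locals_)
            if cidrs is None or lo is None or hi is None:
                verdict = "AMB"  # unresolved input: ambiguous, not a finding
            elif set(cidrs) & WORLD and any(lo <= p <= hi for p in SENSITIVE_PORTS):
                verdict = "TF-SG-WORLD-OPEN-INGRESS-01"
            else:
                verdict = "clean"
            verdicts.append((name, lo, hi, verdict))
    return verdicts

# Constructed module for the demo, not from any real repository.
SAMPLE_TF = '''
variable "admin_cidr" { default = "0.0.0.0/0" }
variable "office_cidr" { type = string }
locals { ssh_port = 22 }
resource "aws_security_group" "bastion" {
  ingress {
    from_port   = local.ssh_port
    to_port     = local.ssh_port
    cidr_blocks = [var.admin_cidr]
  }
  ingress {
    from_port   = 443
    to_port     = 443
    cidr_blocks = ["0.0.0.0/0"]
  }
  ingress {
    from_port   = 22
    to_port     = 22
    cidr_blocks = [var.office_cidr]   # no default: ambiguous, not a finding
  }
}
'''

if __name__ == "__main__":
    print(evaluate(SAMPLE_TF))
```

The first ingress only becomes a finding because both local.ssh_port and var.admin_cidr are resolved before the detector looks at it; a detector that matched on literals alone would miss it. The third ingress is the AMB case: var.office_cidr has no default, so nothing in the module says whether it is world-open, and the honest answer is "unknown" rather than a warning or a pass.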
Behaviour unchanged on prior shapes
Same calibrated checks for K8s, Dockerfile, and GitHub Actions. Same detection logic. Same calibration corpora. Same precision numbers in the public ledger. The detectors for the prior verticals did not change; the receipt schema, the runtime, and the new Terraform shape are the additions.
Install (no change)
```yaml
# .github/workflows/verify.yml
name: Verify
on: pull_request
jobs:
  verify:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      - uses: Born14/verify@v1
```

The default GITHUB_TOKEN is sufficient. Set fail-on-findings: true to opt in to hard-stop enforcement.
v1.1.0 — receipt-product cleanup
Cleanup pass on the public repo and the Action bundle. Same product as v1.0.0 — seven calibrated checks across Kubernetes, Dockerfile, and GitHub Actions, posted as a PR change receipt — with the public surfaces aligned end to end.
What changed
- Repo surface: removed migration-era source and docs left over from the prior product (DM-18 SQL safety check). The public repo now contains only the Action bundle, the published calibration ledger, and user-facing docs.
- Receipt wording: the "Not checked" block in every receipt now reads "outside calibrated coverage at v1" instead of using internal phasing language.
- Public ledger: calibration/{shapes.json, attempts.jsonl, corpora.json} now mirrors the data the bundled Action ships, rebuilt cleanly from the engine's source-of-truth.
- README, methodology, docs: rewritten in plain language. Cross-repo links that previously pointed at a private repo now point at the in-repo ledger.
- Action bundle: rebuilt from the receipt entrypoint after the wording change. Same detection logic, same precision numbers, same byte-deterministic digest contract.
What didn't change
- The seven calibrated checks and their precision numbers.
- The receipt format, schema, or digest algorithm.
- The Action's inputs (token, scan-root) or outputs (result, digest).
- The install line: uses: Born14/verify@v1.
Install
```yaml
# .github/workflows/verify.yml
name: Verify
on: pull_request
jobs:
  verify:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      - uses: Born14/verify@v1
```

The default GITHUB_TOKEN is sufficient.
Live demo
Born14/verify-smoke#1 — a real PR with the receipt comment posted by the Action.
v1.0.0 — Gate A receipt-layer Action
The Verify GitHub Action posts a PR change receipt showing what was checked, what was found, and what was not checked. Covers Kubernetes, Dockerfile, and GitHub Actions.
What the receipt names
- which checks ran
- which fired and where
- which ran and were clear
- what was deliberately not checked
- a SHA-256 digest pinning the result to a specific commit
Calibrated checks at v1
- CONTAINER-ROOT-01 — Dockerfile — 85.71% on 23 (iac-grafana-v1)
- K8S-MISSING-LIMITS-01 — Kubernetes — 100.00% on 149 (iac-argo-cd-v1)
- K8S-MISSING-PROBES-01 — Kubernetes — 100.00% on 41 / 52.00% on 25
- K8S-MISSING-SECURITY-CONTEXT-01 — Kubernetes — 100.00% on 14 (iac-argo-cd-v1)
- K8S-IMAGE-TAG-LATEST-01 — Kubernetes — 100.00% on 62 (iac-argo-cd-v1)
- GHA-SHA-PIN-01 — GitHub Actions — 75.00% on 20 / 69.44% on 37
- DOCKERFILE-BASE-IMAGE-DIGEST-UNPINNED-01 — Dockerfile — 100.00% on 30 / 100.00% on 14
Each precision number traces to a row in calibration/attempts.jsonl measured against a third-party corpus pinned at a specific commit in calibration/corpora.json.
Install
```yaml
# .github/workflows/verify.yml
name: Verify
on: pull_request
jobs:
  verify:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      - uses: Born14/verify@v1
```

That is the entire setup. The default GITHUB_TOKEN is sufficient.
Not checked
Terraform, CloudFormation, Helm-templated YAML, Kustomize overlays, runtime cloud state, business logic, intent, recall, uncalibrated detectors. The "Not checked" block ships in the receipt itself on every PR.
Live demo
Born14/verify-smoke#1 — a real PR with the receipt comment posted by the Action.
Deterministic. No LLM in the check path. Identical inputs produce a byte-identical receipt.