Calculate context-aware confidence scores for security findings
Project description
Context Confidence Rating (CCR)
CCR generates lightweight repository context for LLM-assisted security review.
It scans a codebase for useful review signals such as frameworks, dependencies, entry points, configuration files, tests, and security controls. The output can be pasted into an LLM prompt or used by reviewers to understand what context is available before triaging scanner findings.
CCR is a context completeness score. It does not prove whether a vulnerability is exploitable, and it does not replace CVSS, SAST, or manual security review.
Built by Secuarden.
Quick Start
pip install context-confidence-rating
# Score the repository's available review context
ccr /path/to/repo
# Generate LLM-ready context
ccr context /path/to/repo
# Generate file-specific context
ccr context /path/to/repo --file src/api/auth.py
What CCR Gives You
- A 0-100 context completeness score
- Repository architecture signals
- Entrypoints and route-like files
- Dependency and lockfile information
- Security controls such as
SECURITY.md,CODEOWNERS, and CI checks - File-specific hints for user input, database operations, auth checks, and validation
- Markdown, JSON, and XML output for LLM workflows
Python API
from ccr import ContextAnalyzer, ContextGenerator
analyzer = ContextAnalyzer("/path/to/repo")
baseline = analyzer.calculate_repo_baseline_ccr()
print(f"Repository context score: {baseline.score}/100")
finding_context = analyzer.calculate_ccr({
"file": "api/payments.py",
"vulnerability": "SQL Injection",
"severity": "HIGH",
})
print(finding_context.to_dict())
generator = ContextGenerator("/path/to/repo")
context = generator.generate_context(target_file="src/api/auth.py")
print(generator.to_markdown(context))
CLI Usage
# Human-readable score
ccr /path/to/repo
# Verbose reasoning
ccr /path/to/repo --verbose
# JSON score output
ccr /path/to/repo --json
# Include a scanner finding for context scoring
ccr /path/to/repo \
--file "src/auth.py" \
--vuln "Hardcoded Credentials" \
--severity "CRITICAL"
LLM Context Generation
# Markdown, default
ccr context /path/to/repo
# JSON
ccr context /path/to/repo --format json
# XML
ccr context /path/to/repo --format xml
# Focus on one file
ccr context /path/to/repo --file src/api/auth.py
Example prompt:
Here is repository context generated by CCR:
<repo_context>
{paste CCR output}
</repo_context>
Here is a scanner finding:
<finding>
SQL Injection in api/users.py line 42
</finding>
Use the context to identify what should be manually checked before triage.
Score Meaning
| Score | Label | Meaning |
|---|---|---|
| 71-100 | High | Strong repository signals are available for review |
| 41-70 | Medium | Some useful context exists, but reviewers should expect gaps |
| 0-40 | Low | Limited context was detected; manual review needs more care |
Signals
| Signal | Weight | What It Means |
|---|---|---|
| Framework Detection | 15 | Framework or platform clues were found |
| Dependency Tracking | 15 | Dependency files or lockfiles were found |
| Dataflow Readiness | 20 | Imports, functions, and classes suggest code is structured enough to inspect |
| Entry Point Mapping | 15 | Route, API, or main entry files were found |
| Config Awareness | 10 | Configuration files were found |
| Security Controls | 15 | Security process files or scanner configs were found |
| Test Coverage | 10 | Test directories or test files were found |
Installation
From PyPI:
pip install context-confidence-rating
From source:
git clone https://github.com/secuardenai/context-confidence-rating.git
cd context-confidence-rating
pip install -e ".[dev]"
pytest
CI Example
name: CCR Context Check
on: [pull_request]
jobs:
ccr:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: actions/setup-python@v5
with:
python-version: "3.12"
- run: pip install context-confidence-rating
- run: ccr . --json > ccr-report.json
- run: ccr context . --format markdown > repo-context.md
Development
pip install -e ".[dev]"
pytest
black ccr/ tests/ examples/
flake8 ccr/ tests/ examples/ --count --select=E9,F63,F7,F82 --show-source --statistics
Project Status
CCR is beta software. The current implementation is intentionally lightweight and heuristic-based. Contributions that improve precision, fixtures, language coverage, and documentation are welcome.
Security
Please report security issues privately. See SECURITY.md.
License
MIT License. See LICENSE.
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file context_confidence_rating-0.1.4.tar.gz.
File metadata
- Download URL: context_confidence_rating-0.1.4.tar.gz
- Upload date:
- Size: 29.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
793e458d387abb4d0dcfe9863eefd2f3768b3531386ba5599f7efd7b9cb4c1f8
|
|
| MD5 |
dc2f9363d2e1e078029a1e4fd65bde03
|
|
| BLAKE2b-256 |
3df79da4223c1fae5ffe1d7dde558ee4ad6cb9a6af6d32e84610ccb14911b587
|
File details
Details for the file context_confidence_rating-0.1.4-py3-none-any.whl.
File metadata
- Download URL: context_confidence_rating-0.1.4-py3-none-any.whl
- Upload date:
- Size: 23.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.3
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f65de93990b0e8c5d2edfcc63030152bae8e235010c4a0141d596ffcdfdd89f4
|
|
| MD5 |
e17af02587f8731dfea3e5387183ab4c
|
|
| BLAKE2b-256 |
99971775a3a3f2b8ffdb58164c5ac65a7697e6485533d3c7a5d2674b9473e088
|