omamori 0.1.2 → 0.1.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2c6e52c517c84f78c559299c80b6d0c3817ea6b1cc7cdb9e0bc041bb2c6ccad1
-  data.tar.gz: c654919d2b1db48f3bb286e55ccd8909a82b9c69d4c3fd88d67fadfe03a621e7
+  metadata.gz: bafa258377208d15c678d88752804be6963159d28b83c13958de28bdd8bf8fa7
+  data.tar.gz: 9739ae26075e9e5c0f2f87eafd68f2ed6cce0baee719a4c31c1042e8b1c8abf9
 SHA512:
-  metadata.gz: ded5134ca28c5835ba121b637c7105a5cbe6930777275562fbc49b45fcfc021ddb7d57f5c26c1bbb5958a56f52d1f7e9df6175de1274de19fee2683081db3bfa
-  data.tar.gz: c495125630ff1467816c47c21888d4e984c08a5e074cc8f904a10045860c11e17212432ef146bd5a37324601589dca67c4ffe1546b2196518d9b3faa216e79cf
+  metadata.gz: 373c41e264bc7548b3b4f37a526ed98fcefdd6a51fc6eaa8571b18d7688e131b4852c7e4ce839c7cdd43e540c3bf83b7466a1a66c29cea7c5d6e03dcd59f5cac
+  data.tar.gz: 102078caed02ab830885759ddf21bc8430b15c6a829a5f4ed7c1fcca99360ac707bb938ab19a8f2f9a5ed8ad2ccd86427acfaecc1da6d55a48c27338ae753454

data/Gemfile.lock

@@ -1,7 +1,9 @@
 PATH
   remote: .
   specs:
-    omamori (0.1.2)
+    omamori (0.1.4)
+      brakeman (~> 7.0)
+      bundler-audit (~> 0.9.2)
       colorize (~> 0.8)
       dotenv (~> 2.0)
       ruby-gemini-api (~> 0.1.1)
@@ -10,8 +12,13 @@ GEM
   remote: https://rubygems.org/
   specs:
     ast (2.4.3)
+    brakeman (7.0.2)
+      racc
+    bundler-audit (0.9.2)
+      bundler (>= 1.2.0, < 3)
+      thor (~> 1.0)
     colorize (0.8.1)
-    diff-lcs (1.6.1)
+    diff-lcs (1.6.2)
     dotenv (2.8.1)
     faraday (2.13.1)
       faraday-net_http (>= 2.0, < 3.5)
@@ -21,8 +28,8 @@ GEM
       multipart-post (~> 2.0)
     faraday-net_http (3.4.0)
       net-http (>= 0.5.0)
-    json (2.11.3)
-    language_server-protocol (3.17.0.4)
+    json (2.12.0)
+    language_server-protocol (3.17.0.5)
     lint_roller (1.1.0)
     logger (1.7.0)
     multipart-post (2.4.1)
@@ -43,14 +50,14 @@ GEM
       rspec-mocks (~> 3.13.0)
     rspec-core (3.13.3)
       rspec-support (~> 3.13.0)
-    rspec-expectations (3.13.3)
+    rspec-expectations (3.13.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-mocks (3.13.2)
+    rspec-mocks (3.13.4)
       diff-lcs (>= 1.2.0, < 2.0)
       rspec-support (~> 3.13.0)
-    rspec-support (3.13.2)
-    rubocop (1.75.3)
+    rspec-support (3.13.3)
+    rubocop (1.75.6)
       json (~> 2.3)
       language_server-protocol (~> 3.17.0.2)
       lint_roller (~> 1.1.0)
@@ -69,6 +76,7 @@ GEM
       faraday-multipart (~> 1.0)
       json (~> 2.0)
     ruby-progressbar (1.13.0)
+    thor (1.3.2)
     unicode-display_width (3.1.4)
       unicode-emoji (~> 4.0, >= 4.0.4)
     unicode-emoji (4.0.4)

data/README.md

@@ -15,11 +15,12 @@ Running the analysis multiple times may help reduce false negatives.
 
 ## Features
 
-- Scan staged changes (`git diff --staged`) or the entire codebase for security risks.
+- Scan staged changes (`git diff --staged`), the entire codebase, or specified files and directories for security risks.
 - Integrates with static analysis tools like Brakeman and Bundler-Audit.
 - Utilizes the Gemini API for advanced code analysis to detect vulnerabilities.
 - Supports multiple report formats (console, HTML, JSON).
 - Configurable via a `.omamorirc` file.
+- Exclusion of files and directories via a `.omamoriignore` file (except in `diff` mode).
 
 ## Installation
 
@@ -51,7 +52,7 @@ To generate an initial configuration file (`.omamorirc`), run:
 omamori init
 ```
 
-Edit the generated `.omamorirc` file to configure your Gemini API key, preferred model, checks to perform, and other settings.
+Edit the generated `.omamorirc` and `.omamoriignore` files to configure your Gemini API key, preferred model, checks to perform, and files/directories to exclude from scanning, and other settings.
 
 ### Scanning
 
@@ -66,6 +67,7 @@ Scan the entire codebase:
 ```bash
 omamori scan --all
 ```
+This mode respects the `.omamoriignore` file.
 
 Specify output format (console, html, json):
 
@@ -74,6 +76,22 @@ bundle exec omamori scan --format html
 bundle exec omamori scan --all --format json
 ```
 
+### Scan Specific Files/Directories
+
+You can specify particular files or directories to scan:
+
+```bash
+omamori scan <file_path1> <file_path2> ... <directory_path1> ...
+```
+
+Example:
+
+```bash
+omamori scan app/controllers/users_controller.rb app/models/user.rb config/routes.rb lib/
+```
+
+This mode respects the `.omamoriignore` file.
+
 ### AI Analysis Only
 
 To perform only AI analysis without running static analysis tools, use the `--ai` option:
@@ -96,7 +114,7 @@ Here's a detailed breakdown of the configuration options:
 # You can also set this via the GEMINI_API_KEY environment variable
 api_key: YOUR_GEMINI_API_KEY # Replace with your actual API key
 
-# Gemini Model to use (optional, default: gemini-1.5-pro-latest)
+# Gemini Model to use (optional, default: gemini-2.5-flash-preview-04-17)
 model: gemini-2.5-flash-preview-04-17
 
 # Security checks to enable (optional, default: all implemented checks)
@@ -128,7 +146,7 @@ model: gemini-2.5-flash-preview-04-17
 ```
 
 *   `api_key`: Your API key for accessing the Gemini API. Can also be set via the `GEMINI_API_KEY` environment variable.
-*   `model`: The Gemini model to use for AI analysis. Defaults to `gemini-1.5-pro-latest`.
+*   `model`: The Gemini model to use for AI analysis. Defaults to `gemini-2.5-flash-preview-04-17`.
 *   `checks`: Configure which types of security checks to enable. By default, all implemented checks are enabled. You can selectively enable/disable checks here (e.g., `xss: true`, `csrf: false`).
 *   `prompt_templates`: Define custom prompt templates for AI analysis.
 *   `report`: Configure report output settings.
@@ -139,6 +157,16 @@ model: gemini-2.5-flash-preview-04-17
     *   `bundler_audit`: Additional command-line options for Bundler-Audit.
 *   `language`: Language setting for the details provided in AI analysis reports. Defaults to English (`en`).
 
+## .omamoriignore File
+
+The `.omamoriignore` file allows you to exclude specific files and directories from the scan target. Its behavior is similar to a `.gitignore` file, but with the following considerations:
+
+*   **Effective Modes:** It is only effective in `--all` mode or when scanning specified files/directories.
+*   **Ineffective Mode:** In `diff` mode (i.e., `omamori scan` without arguments), the `.omamoriignore` file is ignored. This is because `diff` mode only targets changes retrieved by `git diff`.
+*   **Format:** Each line specifies one pattern. Lines starting with `#` are treated as comments. It is recommended to append a `/` to directory patterns (e.g., `vendor/`). Patterns are evaluated using simple prefix matching (e.g., `config/initializers` matches `config/initializers/devise.rb`). Wildcards (`*`) are not currently supported.
+
+When you run the `omamori init` command, a `.omamoriignore` file pre-filled with patterns for common files and directories to ignore in a Rails project will be generated. You can edit this file as needed.
+
 ## Demo Files
 
 The `demo` directory contains example files with known vulnerabilities that can be used to demonstrate Omamori's capabilities.

data/README_ja.md

@@ -13,11 +13,12 @@ AI解析は静的解析で診断できない脆弱性を発見することがで
 
 ## 特徴
 
-- ステージされた変更（`git diff --staged`）またはコードベース全体をスキャンしてセキュリティリスクを検出
+- ステージされた変更（`git diff --staged`）、コードベース全体、または指定されたファイルやディレクトリをスキャンしてセキュリティリスクを検出
 - BrakemanやBundler-Auditなどの静的解析ツールと連携
 - Gemini APIを活用し、AIによる高度なコード脆弱性検出
 - 複数のレポート形式に対応（コンソール、HTML、JSON）
 - `.omamorirc`ファイルによる柔軟な設定が可能
+- `.omamoriignore`ファイルによるスキャン対象からの除外機能（`diff`モードを除く）
 
 ## インストール
 
@@ -49,7 +50,7 @@ gem install omamori
 omamori init
 ```
 
-生成された`.omamorirc`ファイルを編集して、Gemini APIキー、使用するモデル、実行するチェック項目などを設定します。
+生成された`.omamorirc`ファイルと`.omamoriignore`ファイルを編集して、Gemini APIキー、使用するモデル、実行するチェック項目、スキャン対象から除外するファイル/ディレクトリなどを設定します。
 
 ### スキャン
 
@@ -64,6 +65,7 @@ omamori scan
 ```bash
 omamori scan --all
 ```
+このモードでは`.omamoriignore`ファイルが有効になります。
 
 出力形式を指定（コンソール、HTML、JSON）：
 
@@ -72,6 +74,22 @@ bundle exec omamori scan --format html
 bundle exec omamori scan --all --format json
 ```
 
+### ファイル/ディレクトリ指定スキャン
+
+特定のファイルやディレクトリを指定してスキャンを実行します。
+
+```bash
+omamori scan <ファイルパス1> <ファイルパス2> ... <ディレクトリパス1> ...
+```
+
+例:
+
+```bash
+omamori scan app/controllers/users_controller.rb app/models/user.rb config/routes.rb lib/
+```
+
+このモードでは`.omamoriignore`ファイルが有効になります。
+
 ### AI解析のみ実施
 
 静的解析ツールを使わず、AI解析のみを実行するには、`--ai`オプションを使用します：
@@ -94,7 +112,7 @@ omamori scan --ai
 # 環境変数GEMINI_API_KEYで設定することも可能
 api_key: YOUR_GEMINI_API_KEY # 実際のAPIキーに置き換えてください
 
-# 使用するGeminiモデル（任意、デフォルト: gemini-1.5-pro-latest）
+# 使用するGeminiモデル（任意、デフォルト: gemini-2.5-flash-preview-04-17）
 model: gemini-2.5-flash-preview-04-17
 
 # 有効化するセキュリティチェック（任意、デフォルトは全チェック）
@@ -126,7 +144,7 @@ model: gemini-2.5-flash-preview-04-17
 ```
 
 - `api_key`: Gemini APIへのアクセスキー。環境変数`GEMINI_API_KEY`でも設定可能。
-- `model`: AI解析に使用するGeminiモデル。デフォルトは`gemini-1.5-pro-latest`。
+- `model`: AI解析に使用するGeminiモデル。デフォルトは`gemini-2.5-flash-preview-04-17`。
 - `checks`: 実行するセキュリティチェックの設定。特定のチェックを有効/無効にできます（例：`xss: true`, `csrf: false`）。
 - `prompt_templates`: AI解析用のカスタムプロンプトテンプレートを設定。
 - `report`: レポート出力に関する設定。
@@ -135,6 +153,16 @@ model: gemini-2.5-flash-preview-04-17
 - `static_analysers`: 静的解析ツール（Brakeman、Bundler-Auditなど）の追加オプション設定。
 - `language`: AI解析結果の詳細説明文の言語設定。デフォルトは英語（`en`）。
 
+## .omamoriignore ファイル
+
+`.omamoriignore`ファイルを使用すると、特定のファイルやディレクトリをスキャン対象から除外できます。これは`.gitignore`ファイルと似たような働きをしますが、以下の点に注意してください。
+
+*   **有効なモード:** `--all` モード、またはファイル/ディレクトリを指定してスキャンする場合にのみ有効です。
+*   **無効なモード:** `diff` モード（引数なしの `omamori scan`）では、`.omamoriignore` ファイルは無視されます。これは、`git diff` で取得された変更点のみを対象とするためです。
+*   **書式:** 1行に1つのパターンを記述します。`#` で始まる行はコメントとして扱われます。ディレクトリを指定する場合は、末尾に `/` を付けることを推奨します (例: `vendor/`)。単純な前方一致で評価されます。 (例: `config/initializers` は `config/initializers/devise.rb` にマッチします)ワイルドカード (`*`) は現時点ではサポートされていません。
+
+`omamori init` コマンドを実行すると、一般的なRailsプロジェクトで無視すべきファイルやディレクトリのパターンが記述された`.omamoriignore`ファイルが生成されます。必要に応じてこのファイルを編集してください。
+
 ## デモファイル
 
 `demo`ディレクトリには、Omamoriの機能をデモンストレーションするための既知の脆弱性を含むサンプルファイルが置かれています。

data/lib/omamori/ai_analysis_engine/diff_splitter.rb

@@ -1,12 +1,8 @@
-# frozen_string_literal: true
+# lib/omamori/ai_analysis_engine/diff_splitter.rb
 
 module Omamori
   module AIAnalysisEngine
     class DiffSplitter
-      # TODO: Determine appropriate chunk size based on token limits
-      # Gemini 1.5 Pro has a large context window (1 million tokens),
-      # but splitting might still be necessary for very large inputs
-      # or to manage cost/latency.
       DEFAULT_CHUNK_SIZE = 8000 # Characters as a proxy for tokens
 
       def initialize(chunk_size: DEFAULT_CHUNK_SIZE)
@@ -17,8 +13,8 @@ module Omamori
         chunks = []
         current_chunk = ""
         content.each_line do |line|
-          if (current_chunk.length + line.length) > @chunk_size
-            chunks << current_chunk unless current_chunk.empty?
+          if (current_chunk.length + line.length) > @chunk_size && !current_chunk.empty?
+            chunks << current_chunk
             current_chunk = line
           else
             current_chunk += line
@@ -28,30 +24,29 @@ module Omamori
         chunks
       end
 
-      def process_in_chunks(content, gemini_client, json_schema, prompt_manager, risks_to_check, model: "gemini-1.5-pro-latest")
+      # Updated to accept file_path keyword argument
+      def process_in_chunks(content, gemini_client, json_schema, prompt_manager, risks_to_check, model: "gemini-2.5-flash-preview-04-17", file_path: nil)
         all_results = []
         chunks = split(content)
 
-        puts "Splitting content into #{chunks.size} chunks..."
+        puts "[DEBUG Omamori DiffSplitter] Splitting content into #{chunks.size} chunks for file: #{file_path || 'N/A'}"
 
         chunks.each_with_index do |chunk, index|
-          puts "Processing chunk #{index + 1}/#{chunks.size}..."
-          prompt = prompt_manager.build_prompt(chunk, risks_to_check, json_schema)
-          result = gemini_client.analyze(prompt, json_schema, model: model)
+          puts "[DEBUG Omamori DiffSplitter] Processing chunk #{index + 1}/#{chunks.size} for file: #{file_path || 'N/A'}"
+          # Pass file_path (potentially modified for chunks) to build_prompt
+          chunk_file_path_info = if file_path
+                                   chunks.size > 1 ? "#{file_path} (chunk #{index + 1}/#{chunks.size})" : file_path
+                                 end
+          prompt = prompt_manager.build_prompt(chunk, risks_to_check, json_schema, file_path: chunk_file_path_info)
+          result = gemini_client.analyze(prompt, json_schema, model: model) # This call to analyze is correct
           all_results << result
-          # TODO: Handle potential rate limits or errors between chunks
         end
-
-        # TODO: Combine results from all chunks
         combine_results(all_results)
       end
 
       private
 
       def combine_results(results)
-        # This is a placeholder. Combining results from multiple AI responses
-        # requires careful consideration of overlapping findings, context, etc.
-        # For now, just flatten the list of security risks.
         combined_risks = results.flat_map do |result|
           result && result["security_risks"] ? result["security_risks"] : []
         end
@@ -59,4 +54,4 @@ module Omamori
       end
     end
   end
-end
+end

data/lib/omamori/ai_analysis_engine/gemini_client.rb

@@ -10,12 +10,12 @@ module Omamori
         @client = nil # Initialize client later
       end
 
-      def analyze(prompt, json_schema, model: "gemini-1.5-pro-latest")
+      def analyze(prompt, json_schema, model: "gemini-2.5-flash-preview-04-17")
         # Ensure the client is initialized
         client
 
         begin
-          response = @client.generate_content(
+          response = client.generate_content(
             prompt,
             model: model,
             response_schema: json_schema, # Use response_schema for Structured Output

data/lib/omamori/ai_analysis_engine/prompt_manager.rb

@@ -1,5 +1,3 @@
-# frozen_string_literal: true
-
 module Omamori
   module AIAnalysisEngine
     class PromptManager
@@ -11,6 +9,7 @@ module Omamori
       %{json_schema}
       If no risks are found, output an empty list for the "security_risks" array.
       Please provide your response in %{language}.
+      #{"File context (if available): %{file_path}" if ENV['OMAMORI_DEBUG_PROMPT']}
 
       【Code to Analyze】:
       %{code_content}
@@ -48,9 +47,9 @@ dangerous_eval_prompt = <<~PROMPT
   Search for methods enabling dynamic code execution in Ruby code (e.g., eval, instance_eval, class_eval, send, public_send, system, exec, backticks `).
   Check if arguments passed to these methods originate from or are directly influenced by external untrusted input (e.g., HTTP request parameters params, data from files, network responses). Look for patterns similar to the vulnerable Ruby examples shown above.
   Verify if user input is rigorously sanitized or validated specifically to prevent code injection vectors before being used in these methods. Standard escaping for HTML (like XSS prevention) is not sufficient here. Check if execution is restricted only to a predefined, absolutely safe allowlist of commands or methods if dynamic execution cannot be avoided.
-  Assess if safer alternatives exist that can achieve the same functionality without dynamic code execution. Examples include using Hash lookups for dispatching actions, case statements based on input values, leveraging safe templating engines, or using specific library functions designed for the task instead of generic execution methods. 
+  Assess if safer alternatives exist that can achieve the same functionality without dynamic code execution. Examples include using Hash lookups for dispatching actions, case statements based on input values, leveraging safe templating engines, or using specific library functions designed for the task instead of generic execution methods.
   PROMPT
-    
+
       RISK_PROMPTS = {
         xss: "Cross-Site Scripting (XSS): A vulnerability where user input is not properly escaped and is embedded into HTML or JavaScript, leading to arbitrary script execution in the victim's browser. Detection steps: 1) Identify where user input is output to HTML/JS context. 2) Check if proper encoding/escaping is applied (e.g., html_safe, raw, sanitize, escape_javascript). 3) Look for unsafe methods that bypass default Rails escaping (html_safe, raw, <%==). 4) Examine JavaScript that incorporates user input via template interpolation. 5) Check for improper content-type headers that might enable XSS. 6) Verify if user input is passed to eval(), setTimeout(), document.write() or DOM manipulation functions. 7) Look for attribute injection possibilities where user input sets HTML attributes.",
         csrf: "Cross-Site Request Forgery (CSRF): An attack that forces an authenticated user to perform unwanted actions via forged requests. Detection steps: 1) Check if CSRF protection is disabled globally or for specific controllers/actions (skip_before_action :verify_authenticity_token). 2) Look for APIs or endpoints that handle state-changing operations (POST, PUT, DELETE methods). 3) Verify if authenticity tokens are properly validated for forms and AJAX requests. 4) Check if the application relies solely on cookies for authentication without additional CSRF protection. 5) Look for custom CSRF protection implementations that might be incomplete. 6) Verify if SameSite cookie attributes are properly set. 7) Check if the application validates the Origin or Referer header for cross-origin requests.",
@@ -88,7 +87,7 @@ dangerous_eval_prompt = <<~PROMPT
         audit_log_missing: "Missing Audit Logging: Lack of logging for critical actions or authorization checks prevents accountability. Detection steps: 1) Identify code performing critical actions (login, permission change, sensitive data access/modification, config change). 2) Verify these actions generate logs including who (user), when (timestamp), what (action/resource), result (success/fail), and where (IP address). 3) Check if authentication successes/failures and authorization failures are logged. 4) Assess if logs are stored securely and retained appropriately. 5) Ensure log format is consistent and useful for monitoring.",
         time_based_side_channel: "Time-Based Side Channel: Execution time differences can leak secrets (e.g., timing attacks in string comparison). Detection steps: 1) Locate code comparing secret values (passwords, tokens, API keys). 2) Check if standard comparison operators (`==`) are used for secrets. 3) Verify use of constant-time comparison functions (e.g., `ActiveSupport::SecurityUtils.secure_compare`, `Rack::Utils.secure_compare`). 4) Analyze cryptographic operations for potential timing leaks (may depend on library implementation). 5) Consider if database query times varying based on input could leak information."
       }.freeze
-      
+
 
       def initialize(config = {})
         # Load custom templates and language from config, merge with default
@@ -98,12 +97,30 @@ dangerous_eval_prompt = <<~PROMPT
         @language = config.get("language", "en") # Get language from config, default to 'en'
       end
 
-      def build_prompt(code_content, risks_to_check, json_schema, template_key: :default)
-        # Use the template from @prompt_templates, defaulting to :default if template_key is not found
+      # Updated to accept file_path keyword argument
+      def build_prompt(code_content, risks_to_check, json_schema, template_key: :default, file_path: nil)
         template = @prompt_templates.fetch(template_key, @prompt_templates[:default])
         risk_list = risks_to_check.map { |risk_key| @risk_prompts[risk_key] }.compact.join(", ")
 
-        template % { risk_list: risk_list, code_content: code_content, json_schema: json_schema.to_json, language: @language}
+        prompt_variables = {
+          risk_list: risk_list,
+          code_content: code_content,
+          json_schema: json_schema.to_json,
+          language: @language
+        }
+        # Add file_path to variables if provided and template expects it
+        # Ensure your template string (DEFAULT_PROMPT_TEMPLATE or custom ones)
+        # actually uses %{file_path} if you want to include it.
+        prompt_variables[:file_path] = file_path if file_path && template.include?("%{file_path}")
+
+        # Handle cases where a key in prompt_variables might not be in the template string
+        # by selecting only keys present in the template.
+        final_variables = {}
+        template.scan(/%\{(\w+)\}/).flatten.uniq.each do |key_in_template|
+          final_variables[key_in_template.to_sym] = prompt_variables[key_in_template.to_sym]
+        end
+        
+        template % final_variables
       end
     end
   end

data/lib/omamori/config.rb

@@ -5,10 +5,14 @@ require 'yaml'
 module Omamori
   class Config
     DEFAULT_CONFIG_PATH = ".omamorirc"
+    DEFAULT_IGNORE_PATH = ".omamoriignore"
+
+    attr_reader :ignore_patterns
 
     def initialize(config_path = DEFAULT_CONFIG_PATH)
       @config_path = config_path
       @config = load_config
+      @ignore_patterns = load_ignore_patterns # Load ignore patterns
       validate_config # Add validation after loading
     end
 
@@ -128,6 +132,23 @@ module Omamori
       end
     end
 
+    # Load .omamoriignore file and return an array of ignore patterns
+    def load_ignore_patterns
+      ignore_path = DEFAULT_IGNORE_PATH
+      if File.exist?(ignore_path)
+        begin
+          File.readlines(ignore_path, chomp: true).reject do |line|
+            line.strip.empty? || line.strip.start_with?('#')
+          end
+        rescue => e
+          puts "Warning: Error reading .omamoriignore file #{ignore_path}: #{e.message}"
+          [] # Return empty array if reading fails
+        end
+      else
+        [] # Return empty array if file does not exist
+      end
+    end
+
     def load_config
       if File.exist?(@config_path)
         begin

data/lib/omamori/core_runner.rb

@@ -1,16 +1,18 @@
 # frozen_string_literal: true
 
 require 'optparse'
+require 'fileutils' # FileUtils を require する
+require 'pathname'  # Pathname を require する
 require_relative 'ai_analysis_engine/gemini_client'
-require_relative 'ai_analysis_engine/prompt_manager' # Require PromptManager
-require_relative 'ai_analysis_engine/diff_splitter' # Require DiffSplitter
-require_relative 'report_generator/console_formatter' # Require ConsoleFormatter
-require_relative 'report_generator/html_formatter' # Require HTMLFormatter
-require_relative 'report_generator/json_formatter' # Require JSONFormatter
-require_relative 'static_analysers/brakeman_runner' # Require BrakemanRunner
-require_relative 'static_analysers/bundler_audit_runner' # Require BundlerAuditRunner
-require 'json' # Required for JSON Schema
-require_relative 'config' # Require Config class
+require_relative 'ai_analysis_engine/prompt_manager'
+require_relative 'ai_analysis_engine/diff_splitter'
+require_relative 'report_generator/console_formatter'
+require_relative 'report_generator/html_formatter'
+require_relative 'report_generator/json_formatter'
+require_relative 'static_analysers/brakeman_runner'
+require_relative 'static_analysers/bundler_audit_runner'
+require 'json'
+require_relative 'config'
 
 module Omamori
   class CoreRunner
@@ -53,41 +55,44 @@ module Omamori
       "required": ["security_risks"]
     }.freeze # Freeze the hash to make it immutable
 
-    # TODO: Get risks to check from config file
-    RISKS_TO_CHECK = [
+    # Default risks to check, can be overridden by config
+    DEFAULT_RISKS_TO_CHECK = [
       :xss, :csrf, :idor, :open_redirect, :ssrf, :session_fixation
-      # TODO: Add other risks from requirements
+      # TODO: Add other risks from requirements based on PromptManager::RISK_PROMPTS.keys
     ].freeze
 
-    # TODO: Determine threshold for splitting based on token limits
-    SPLIT_THRESHOLD = 7000 # Characters as a proxy for tokens
+    # Threshold for splitting large content (characters as a proxy for tokens)
+    # Can be overridden by config
+    DEFAULT_SPLIT_THRESHOLD = 8000 # Characters
 
     def initialize(args)
       @args = args
-      @options = { command: :scan, format: :console } # Default command is scan, default format is console
-      @config = Omamori::Config.new # Initialize Config
+      @options = { command: :scan, format: :console } # Default command and format
+      @target_paths = []
+      @config = Omamori::Config.new
 
-      # Initialize components with config
-      api_key = @config.get("api_key", ENV["GEMINI_API_KEY"]) # Get API key from config or environment variable
-      gemini_model = @config.get("model", "gemini-1.5-pro-latest") # Get Gemini model from config
+      # Initialize components with configuration
+      api_key = @config.get("api_key", ENV["GEMINI_API_KEY"])
+      gemini_model = @config.get("model", "gemini-2.5-flash-preview-04-17")
       @gemini_client = AIAnalysisEngine::GeminiClient.new(api_key)
-      @prompt_manager = AIAnalysisEngine::PromptManager.new(@config) # Pass the entire config object
-      # Get chunk size from config, default to 7000 characters if not specified
-      chunk_size = @config.get("chunk_size", SPLIT_THRESHOLD)
-      @diff_splitter = AIAnalysisEngine::DiffSplitter.new(chunk_size: chunk_size) # Pass chunk size to DiffSplitter
-      # Get report output path and html template path from config
+      @prompt_manager = AIAnalysisEngine::PromptManager.new(@config)
+
+      chunk_size = @config.get("chunk_size", DEFAULT_SPLIT_THRESHOLD)
+      @diff_splitter = AIAnalysisEngine::DiffSplitter.new(chunk_size: chunk_size)
+
       report_config = @config.get("report", {})
       report_output_path = report_config.fetch("output_path", "./omamori_report")
-      html_template_path = report_config.fetch("html_template", nil) # Default to nil, formatter will use default template
-      @console_formatter = ReportGenerator::ConsoleFormatter.new # TODO: Pass config for colors/options
-      @html_formatter = ReportGenerator::HTMLFormatter.new(report_output_path, html_template_path) # Pass output path and template path
-      @json_formatter = ReportGenerator::JSONFormatter.new(report_output_path) # Pass output path
-      # Get static analyser options from config
+      html_template_path = report_config.fetch("html_template", nil)
+
+      @console_formatter = ReportGenerator::ConsoleFormatter.new
+      @html_formatter = ReportGenerator::HTMLFormatter.new(report_output_path, html_template_path)
+      @json_formatter = ReportGenerator::JSONFormatter.new(report_output_path)
+
       static_analyser_config = @config.get("static_analysers", {})
-      brakeman_options = static_analyser_config.fetch("brakeman", {}).fetch("options", {}) # Default to empty hash
-      bundler_audit_options = static_analyser_config.fetch("bundler_audit", {}).fetch("options", {}) # Default to empty hash
-      @brakeman_runner = StaticAnalysers::BrakemanRunner.new(brakeman_options) # Pass options
-      @bundler_audit_runner = StaticAnalysers::BundlerAuditRunner.new(bundler_audit_options) # Pass options
+      brakeman_options = static_analyser_config.fetch("brakeman", {}).fetch("options", {})
+      bundler_audit_options = static_analyser_config.fetch("bundler_audit", {}).fetch("options", {})
+      @brakeman_runner = StaticAnalysers::BrakemanRunner.new(brakeman_options)
+      @bundler_audit_runner = StaticAnalysers::BundlerAuditRunner.new(bundler_audit_options)
     end
 
     def run
@@ -95,49 +100,99 @@ module Omamori
 
       case @options[:command]
       when :scan
-        # Run static analysers first unless --ai option is specified
+        # Initialize results
+        ai_analysis_result = { "security_risks" => [] }
         brakeman_result = nil
         bundler_audit_result = nil
+
+        # Run static analysers first unless --ai option is specified
         unless @options[:only_ai]
+          puts "Running static analysers..."
           brakeman_result = @brakeman_runner.run
           bundler_audit_result = @bundler_audit_runner.run
         end
 
-        # Perform AI analysis
-        analysis_result = nil
+        # Perform AI analysis based on scan mode
         case @options[:scan_mode]
+        when :paths
+          # Scan specified files/directories
+          if @target_paths.empty?
+            puts "No paths specified for scan. Use --diff, --all, or provide paths."
+          else
+            puts "Scanning specified paths with AI..."
+            ignore_patterns = @config.ignore_patterns
+            force_scan_ignored = @options.fetch(:force_scan_ignored, false)
+            files_to_scan = collect_files_from_paths(@target_paths, ignore_patterns, force_scan_ignored)
+
+            if files_to_scan.empty?
+              puts "No Ruby files found in the specified paths."
+            else
+              files_to_scan.each do |file_path|
+                begin
+                  file_content = File.read(file_path)
+                  puts "Analyzing file: #{file_path}..." # スキャン中のファイルパスを表示
+                  current_risks_to_check = get_risks_to_check
+                  # @diff_splitterのインスタンス変数 @chunk_size を参照して比較
+                  if file_content.length > @diff_splitter.instance_variable_get(:@chunk_size)
+                     puts "File content exceeds threshold (#{@diff_splitter.instance_variable_get(:@chunk_size)} chars), splitting..."
+                     file_ai_result = @diff_splitter.process_in_chunks(file_content, @gemini_client, JSON_SCHEMA, @prompt_manager, current_risks_to_check, file_path: file_path, model: @config.get("model", "gemini-2.5-flash-preview-04-17"))
+                  else
+                     prompt = @prompt_manager.build_prompt(file_content, current_risks_to_check, JSON_SCHEMA, file_path: file_path)
+                     file_ai_result = @gemini_client.analyze(prompt, JSON_SCHEMA, model: @config.get("model", "gemini-2.5-flash-preview-04-17"))
+                  end
+                  # Merge results
+                  if file_ai_result && file_ai_result["security_risks"]
+                    ai_analysis_result["security_risks"].concat(file_ai_result["security_risks"])
+                  end
+                rescue => e
+                  puts "Error analyzing file #{file_path}: #{e.message}"
+                end
+              end
+            end
+          end
         when :diff
+          # Scan staged differences
           diff_content = get_staged_diff
           if diff_content.empty?
             puts "No staged changes to scan."
-            return
-          end
-          puts "Scanning staged differences with AI..."
-          if diff_content.length > SPLIT_THRESHOLD # TODO: Use token count
-            puts "Diff content exceeds threshold, splitting..."
-            analysis_result = @diff_splitter.process_in_chunks(diff_content, @gemini_client, JSON_SCHEMA, @prompt_manager, get_risks_to_check, model: @config.get("model", "gemini-1.5-pro-latest"))
           else
-            prompt = @prompt_manager.build_prompt(diff_content, get_risks_to_check, JSON_SCHEMA)
-            analysis_result = @gemini_client.analyze(prompt, JSON_SCHEMA, model: @config.get("model", "gemini-1.5-pro-latest"))
+            puts "Scanning staged differences with AI..."
+            current_risks_to_check = get_risks_to_check
+            # @diff_splitterのインスタンス変数 @chunk_size を参照して比較
+            if diff_content.length > @diff_splitter.instance_variable_get(:@chunk_size)
+              puts "Diff content exceeds threshold (#{@diff_splitter.instance_variable_get(:@chunk_size)} chars), splitting..."
+              ai_analysis_result = @diff_splitter.process_in_chunks(diff_content, @gemini_client, JSON_SCHEMA, @prompt_manager, current_risks_to_check, model: @config.get("model", "gemini-2.5-flash-preview-04-17"))
+            else
+              prompt = @prompt_manager.build_prompt(diff_content, current_risks_to_check, JSON_SCHEMA)
+              ai_analysis_result = @gemini_client.analyze(prompt, JSON_SCHEMA, model: @config.get("model", "gemini-2.5-flash-preview-04-17"))
+            end
           end
         when :all
+          # Scan entire codebase
           full_code_content = get_full_codebase
           if full_code_content.strip.empty?
             puts "No code found to scan."
-            return
-          end
-          puts "Scanning entire codebase with AI..."
-          if full_code_content.length > SPLIT_THRESHOLD # TODO: Use token count
-            puts "Full code content exceeds threshold, splitting..."
-            analysis_result = @diff_splitter.process_in_chunks(full_code_content, @gemini_client, JSON_SCHEMA, @prompt_manager, get_risks_to_check, model: @config.get("model", "gemini-1.5-pro-latest"))
           else
-            prompt = @prompt_manager.build_prompt(full_code_content, get_risks_to_check, JSON_SCHEMA)
-            analysis_result = @gemini_client.analyze(prompt, JSON_SCHEMA, model: @config.get("model", "gemini-1.5-pro-latest"))
+            puts "Scanning entire codebase with AI..."
+            current_risks_to_check = get_risks_to_check
+            # @diff_splitterのインスタンス変数 @chunk_size を参照して比較
+            if full_code_content.length > @diff_splitter.instance_variable_get(:@chunk_size)
+              puts "Full code content exceeds threshold (#{@diff_splitter.instance_variable_get(:@chunk_size)} chars), splitting..."
+              ai_analysis_result = @diff_splitter.process_in_chunks(full_code_content, @gemini_client, JSON_SCHEMA, @prompt_manager, current_risks_to_check, model: @config.get("model", "gemini-2.5-flash-preview-04-17"))
+            else
+              prompt = @prompt_manager.build_prompt(full_code_content, current_risks_to_check, JSON_SCHEMA)
+              ai_analysis_result = @gemini_client.analyze(prompt, JSON_SCHEMA, model: @config.get("model", "gemini-2.5-flash-preview-04-17"))
+            end
           end
+        else
+          puts "Unknown scan mode: #{@options[:scan_mode]}"
+          puts @opt_parser
+          return # Exit if scan mode is invalid
         end
 
         # Combine results and display report
-        combined_results = combine_results(analysis_result, brakeman_result, bundler_audit_result)
+        ai_analysis_result ||= { "security_risks" => [] } # Ensure it's not nil
+        combined_results = combine_results(ai_analysis_result, brakeman_result, bundler_audit_result)
         display_report(combined_results)
 
         puts "Scan complete."
@@ -146,81 +201,69 @@ module Omamori
         generate_ci_setup(@options[:ci_service])
 
       when :init
-        generate_config_file # Generate initial config file
+        generate_initial_files
 
       else
         puts "Unknown command: #{@options[:command]}"
-        puts @opt_parser # Display help for unknown command
+        puts @opt_parser
       end
     end
 
     private
 
-    # Combine AI analysis results and static analyser results
     def combine_results(ai_result, brakeman_result, bundler_audit_result)
-      # Transform bundler_audit_result to match the expected structure in tests/formatters
       formatted_bundler_audit_result = if bundler_audit_result && bundler_audit_result["results"]
                                          { "scan" => { "results" => bundler_audit_result["results"] } }
                                        else
-                                         # Return a structure that formatters can handle gracefully
-                                         { "scan" => { "results" => [] } } # Or nil, depending on desired behavior when no results
+                                         { "scan" => { "results" => [] } }
                                        end
-
       combined = {
         "ai_security_risks" => ai_result && ai_result["security_risks"] ? ai_result["security_risks"] : [],
         "static_analysis_results" => {
           "brakeman" => brakeman_result,
-          "bundler_audit" => formatted_bundler_audit_result # Use the transformed result
+          "bundler_audit" => formatted_bundler_audit_result
         }
       }
       combined
     end
 
-    # Default risks to check if not specified in config
-    DEFAULT_RISKS_TO_CHECK = [
-      :xss, :csrf, :idor, :open_redirect, :ssrf, :session_fixation
-      # TODO: Add other risks from requirements
-    ].freeze
-
     def get_risks_to_check
-      # Get risks to check from config, default to hardcoded list if not specified
-      @config.get("checks", DEFAULT_RISKS_TO_CHECK)
+      # 設定ファイルからチェック対象のリスクを取得し、シンボルの配列に変換する
+      # 設定がない場合は DEFAULT_RISKS_TO_CHECK を使用する
+      configured_checks = @config.get("checks", DEFAULT_RISKS_TO_CHECK)
+      configured_checks.map(&:to_sym)
     end
 
     def parse_options
       @opt_parser = OptionParser.new do |opts|
-        opts.banner = "Usage: omamori [command] [options]"
-
+        opts.banner = "Usage: omamori [command] [PATH...] [options]"
         opts.separator ""
         opts.separator "Commands:"
-        opts.separator "  scan [options]  : Scan code or diff for security vulnerabilities"
-        opts.separator "  ci-setup [options] : Generate CI/CD setup files"
-        opts.separator "  init          : Generate initial config file (.omamorirc)"
-
+        opts.separator "  scan [PATH...] [options] : Scan specified files/directories or staged changes"
+        opts.separator "  ci-setup [options]       : Generate CI/CD setup files"
+        opts.separator "  init                     : Generate initial config file (.omamorirc) and .omamoriignore"
         opts.separator ""
         opts.separator "Scan Options:"
-        opts.on("--diff", "Scan only the staged differences (default)") do
-          @options[:scan_mode] = :diff
+        opts.on("--diff", "Scan only the staged differences (default if no PATH is specified)") do
+          @options[:scan_mode_explicit] = :diff
         end
-
         opts.on("--all", "Scan the entire codebase") do
-          @options[:scan_mode] = :all
+          @options[:scan_mode_explicit] = :all
         end
-
         opts.on("--format FORMAT", [:console, :html, :json], "Output format (console, html, json)") do |format|
           @options[:format] = format
         end
-
         opts.on("--ai", "Run only AI analysis, skipping static analysers") do
           @options[:only_ai] = true
         end
-
+        opts.on("--force-scan-ignored", "Force scan files and directories listed in .omamoriignore") do
+          @options[:force_scan_ignored] = true
+        end
         opts.separator ""
         opts.separator "CI Setup Options:"
         opts.on("--ci SERVICE", [:github_actions, :gitlab_ci], "Generate setup for specified CI service (github_actions, gitlab_ci)") do |service|
           @options[:ci_service] = service
         end
-
         opts.separator ""
         opts.separator "General Options:"
         opts.on("-h", "--help", "Prints this help") do
@@ -229,39 +272,127 @@ module Omamori
         end
       end
 
-      # Determine command before parsing options
-      # Use @args instead of ARGV
-      command = @args.first.to_s.downcase.to_sym rescue nil
-      if [:scan, :ci_setup, :init].include?(command)
-        @options[:command] = @args.shift.to_sym # Consume the command argument from @args
+      command_candidate = @args.first.to_s.downcase.to_sym
+      if [:scan, :ci_setup, :init].include?(command_candidate)
+        @options[:command] = @args.shift.to_sym
       else
-        @options[:command] = :scan # Default command is scan if not specified
+        @options[:command] = :scan # Default command
+      end
+
+      begin
+        @opt_parser.parse!(@args) # Parse remaining arguments for options
+      rescue OptionParser::InvalidOption => e
+        puts "Error: #{e.message}"
+        puts @opt_parser
+        exit 1
+      rescue OptionParser::MissingArgument => e
+        puts "Error: #{e.message}"
+        puts @opt_parser
+        exit 1
       end
 
-      @opt_parser.parse!(@args)
 
-      # Default scan mode to diff if command is scan and mode is not specified
-      @options[:scan_mode] ||= :diff if @options[:command] == :scan
+      @target_paths = @args.dup
 
-      # Display help if command is not recognized after parsing
-      unless [:scan, :ci_setup, :init].include?(@options[:command])
-        puts @opt_parser
-        exit
+      # scan コマンドの場合の scan_mode の決定ロジック
+      if @options[:command] == :scan
+        if @options[:scan_mode_explicit]
+          # --diff または --all が明示的に指定された場合
+          @options[:scan_mode] = @options[:scan_mode_explicit]
+          # パス指定があり、かつ --all や --diff もある場合、パス指定を優先する
+          if !@target_paths.empty? && (@options[:scan_mode] == :all || @options[:scan_mode] == :diff)
+            puts "Warning: Paths provided with --#{@options[:scan_mode]}. Scanning specified paths instead of full codebase/diff."
+            @options[:scan_mode] = :paths
+          end
+        elsif !@target_paths.empty?
+          # パス指定があり、--diff や --all がない場合
+          @options[:scan_mode] = :paths
+        else
+          # パス指定がなく、--diff や --all もない場合 (例: omamori scan, omamori scan --ai)
+          @options[:scan_mode] = :diff # デフォルトは diff
+        end
       end
     end
 
+    def matches_ignore_pattern?(file_path, ignore_patterns, force_scan_ignored)
+      return false if force_scan_ignored # 強制スキャンが有効な場合は無視しない
+
+      # file_path をプロジェクトルートからの相対パスに正規化する
+      # Pathname を使用して堅牢なパス操作を行う
+      project_root = Pathname.pwd
+      absolute_file_path = Pathname.new(file_path).expand_path
+      relative_file_path = absolute_file_path.relative_path_from(project_root).to_s
+
+      ignore_patterns.each do |pattern|
+        negated = pattern.start_with?('!')
+        current_pattern = negated ? pattern[1..] : pattern
+
+        # パターンが '/' で終わる場合、ディレクトリ全体を対象とする
+        if current_pattern.end_with?('/')
+          # "dir/" のようなパターンは "dir/file.rb" や "dir/subdir/file.rb" にマッチする
+          # relative_file_path が current_pattern (末尾の '/' を除いたもの) で始まるか確認
+          if relative_file_path.start_with?(current_pattern.chomp('/')) &&
+             (relative_file_path.length == current_pattern.chomp('/').length || # ディレクトリ自体にマッチ (例: "dir" vs "dir/")
+              relative_file_path[current_pattern.chomp('/').length] == '/')     # ディレクトリ内のファイルにマッチ
+            return !negated # マッチし、かつ否定パターンでなければ無視する
+          end
+        else
+          # ファイル名またはglobパターンにマッチするか確認
+          # File.fnmatch はシェルのglobのように動作する
+          # File::FNM_PATHNAME は '*' が '/' にマッチしないようにする
+          if File.fnmatch(current_pattern, relative_file_path, File::FNM_PATHNAME | File::FNM_DOTMATCH) || # FNM_DOTMATCH で隠しファイルも考慮
+             File.fnmatch(current_pattern, File.basename(relative_file_path), File::FNM_PATHNAME | File::FNM_DOTMATCH) # ファイル名のみでのマッチも考慮
+            return !negated # マッチし、かつ否定パターンでなければ無視する
+          end
+        end
+      end
+      false # どのパターンにもマッチしなければ無視しない
+    end
+
+    def collect_files_from_paths(target_paths, ignore_patterns, force_scan_ignored)
+      collected_files = []
+      target_paths.each do |path|
+        expanded_path = File.expand_path(path) # パスを絶対パスに展開
+        if File.file?(expanded_path)
+          # ファイルの場合、Rubyファイルであり、かつ無視パターンにマッチしないか確認
+          if File.extname(expanded_path) == '.rb' && !matches_ignore_pattern?(expanded_path, ignore_patterns, force_scan_ignored)
+            collected_files << expanded_path
+          end
+        elsif File.directory?(expanded_path)
+          # ディレクトリの場合、再帰的にRubyファイルを取得し、無視パターンを適用
+          Dir.glob(File.join(expanded_path, "**", "*.rb")).each do |file_path|
+            abs_file_path = File.expand_path(file_path) # globで見つかったパスも絶対パスに
+            if !matches_ignore_pattern?(abs_file_path, ignore_patterns, force_scan_ignored)
+              collected_files << abs_file_path
+            end
+          end
+        else
+          puts "Warning: Path not found or is not a file/directory: #{path}"
+        end
+      end
+      collected_files.uniq # 重複を除いて返す
+    end
+
     def get_staged_diff
       `git diff --staged`
     end
 
     def get_full_codebase
       code_content = ""
-      # TODO: Get target directories/files from config
-      Dir.glob("**/*.rb").each do |file_path|
-        next if file_path.include?("vendor/") || file_path.include?(".git/") || file_path.include?(".cline/") # Exclude vendor, .git, and .cline directories
+      ignore_patterns = @config.ignore_patterns
+      force_scan_ignored = @options.fetch(:force_scan_ignored, false)
+      # カレントディレクトリ ('.') 内のRubyファイルを収集
+      files_to_scan = collect_files_from_paths(['.'], ignore_patterns, force_scan_ignored)
 
+      files_to_scan.each do |file_path|
         begin
-          code_content += "# File: #{file_path}\n"
+          # 表示用に相対パスを試みるが、エラーなら絶対パスを使用
+          relative_display_path = begin
+                                    Pathname.new(file_path).relative_path_from(Pathname.pwd).to_s
+                                  rescue ArgumentError
+                                    file_path # fallback to absolute path
+                                  end
+          code_content += "# File: #{relative_display_path}\n"
           code_content += File.read(file_path)
           code_content += "\n\n"
         rescue => e
@@ -276,14 +407,12 @@ module Omamori
       when :console
         puts @console_formatter.format(combined_results)
       when :html
-        # Get output file path from config/options
         report_config = @config.get("report", {})
         output_path_prefix = report_config.fetch("output_path", "./omamori_report")
         output_path = "#{output_path_prefix}.html"
         File.write(output_path, @html_formatter.format(combined_results))
         puts "HTML report generated: #{output_path}"
       when :json
-        # Get output file path from config/options
         report_config = @config.get("report", {})
         output_path_prefix = report_config.fetch("output_path", "./omamori_report")
         output_path = "#{output_path_prefix}.json"
@@ -299,7 +428,8 @@ module Omamori
       when :gitlab_ci
         generate_gitlab_ci_workflow
       else
-        puts "Unsupported CI service: #{ci_service}"
+        puts "Unsupported CI service: #{ci_service}. Supported: github_actions, gitlab_ci"
+        puts @opt_parser # ヘルプメッセージを表示
       end
     end
 
@@ -316,31 +446,46 @@ module Omamori
 
             steps:
             - name: Checkout code
-              uses: actions/checkout@v4
+              uses: actions/checkout@v4 # Recommended to use specific version
 
             - name: Set up Ruby
-              uses: ruby/setup-ruby@v1
+              uses: ruby/setup-ruby@v1 # Recommended to use specific version
               with:
-                ruby-version: 2.7 # Or your project's Ruby version
+                ruby-version: '3.0' # Specify your project's Ruby version
 
             - name: Install dependencies
               run: bundle install
 
+            # Optional: Cache gems to speed up future builds
+            # - name: Cache gems
+            #   uses: actions/cache@v3
+            #   with:
+            #     path: vendor/bundle
+            #     key: ${{ runner.os }}-gems-${{ hashFiles('**/Gemfile.lock') }}
+            #     restore-keys: |
+            #       ${{ runner.os }}-gems-
+
             - name: Install Brakeman (if not in Gemfile)
-              run: gem install brakeman || true # Install if not already present
+              run: gem install brakeman --no-document || true
 
             - name: Install Bundler-Audit (if not in Gemfile)
-              run: gem install bundler-audit || true # Install if not already present
+              run: gem install bundler-audit --no-document || true
 
             - name: Run Omamori Scan
               env:
-                GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} # Ensure you add GEMINI_API_KEY to GitHub Secrets
-              run: bundle exec omamori scan --all --format console # Or --diff for diff scan
-
+                GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} # Ensure GEMINI_API_KEY is set in GitHub Secrets
+              # Example: Scan all files on push to main, diff on PRs
+              # This logic might need adjustment based on your workflow preference
+              run: |
+                if [ "$GITHUB_EVENT_NAME" == "pull_request" ]; then
+                  bundle exec omamori scan --diff --format console
+                else
+                  bundle exec omamori scan --all --format console
+                fi
       YAML
-      # Get output file path from config/options, default to .github/workflows/omamori_scan.yml
       ci_config = @config.get("ci_setup", {})
       output_path = ci_config.fetch("github_actions_path", ".github/workflows/omamori_scan.yml")
+      FileUtils.mkdir_p(File.dirname(output_path)) # Ensure directory exists
       File.write(output_path, workflow_content)
       puts "GitHub Actions workflow generated: #{output_path}"
     end
@@ -353,79 +498,160 @@ module Omamori
 
         omamori_security_scan:
           stage: security_scan
-          image: ruby:latest # Use a Ruby image
+          image: ruby:3.0 # Specify your project's Ruby version
+          # Cache gems
+          cache:
+            key:
+              files:
+                - Gemfile.lock
+            paths:
+              - vendor/bundle
           before_script:
-            - apt-get update -qq && apt-get install -y nodejs # Install nodejs if needed for some tools
-            - gem install bundler # Ensure bundler is installed
-            - bundle install --jobs $(nproc) --retry 3 # Install dependencies
-            - gem install brakeman || true # Install Brakeman if not in Gemfile
-            - gem install bundler-audit || true # Install Bundler-Audit if not in Gemfile
+            - apt-get update -qq && apt-get install -y --no-install-recommends nodejs # If needed for JS runtime
+            - gem install bundler --no-document
+            - bundle install --jobs $(nproc) --retry 3 --path vendor/bundle
+            - gem install brakeman --no-document || true
+            - gem install bundler-audit --no-document || true
           script:
-            - bundle exec omamori scan --all --format console # Or --diff for diff scan
+            # Example: Scan all files on pipelines for the default branch, diff on merge requests
+            - |
+              if [ "$CI_PIPELINE_SOURCE" == "merge_request_event" ]; then
+                bundle exec omamori scan --diff --format console
+              else
+                bundle exec omamori scan --all --format console
+              fi
           variables:
-            GEMINI_API_KEY: $GEMINI_API_KEY # Ensure you set GEMINI_API_KEY as a CI/CD variable in GitLab
-          # Optional: Define rules for when to run this job
-          # rules:
-          #   - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
-          #   - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
-
+            GEMINI_API_KEY: $GEMINI_API_KEY # Set GEMINI_API_KEY as a CI/CD variable in GitLab
+          rules:
+            - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+            - if: '$CI_PIPELINE_SOURCE == "merge_request_event"'
       YAML
-      # Get output file path from config/options, default to .gitlab-ci.yml
       ci_config = @config.get("ci_setup", {})
       output_path = ci_config.fetch("gitlab_ci_path", ".gitlab-ci.yml")
       File.write(output_path, workflow_content)
       puts "GitLab CI workflow generated: #{output_path}"
     end
 
-    def generate_config_file
+    DEFAULT_OMAMORIIGNORE_CONTENT = <<~IGNORE
+      # Omamori ignore file
+      # Add files and directories to ignore during Omamori scans.
+      # Lines starting with # are comments.
+      # Globs are supported (e.g., *.tmp, spec/fixtures/)
+      # Negation with ! (e.g., !important.log) - not fully implemented in current basic matcher
+
+      # Log files
+      log/
+      *.log
+
+      # Temporary files
+      tmp/
+      *.tmp
+      *.swp
+      *.swo
+
+      # OS-specific files
+      .DS_Store
+      Thumbs.db
+
+      # Vendor directory (often contains third-party code)
+      vendor/bundle/
+
+      # Coverage reports
+      coverage/
+
+      # Node.js dependencies
+      node_modules/
+
+      # Build artifacts
+      pkg/
+
+      # Test files and fixtures (optional, consider if they contain sensitive examples)
+      # spec/
+      # test/
+      # features/
+
+      # Database schema and migrations (usually not directly exploitable via code injection)
+      # db/schema.rb
+      # db/migrate/
+
+      # Assets (compiled or static, less likely to have Ruby vulnerabilities)
+      # app/assets/builds/
+      # public/assets/
+    IGNORE
+
+    def generate_initial_files
       config_content = <<~YAML
         # .omamorirc
         # Configuration file for omamori gem
 
         # Gemini API Key (required for AI analysis)
-        # You can also set this via the GEMINI_API_KEY environment variable
-        api_key: YOUR_GEMINI_API_KEY # Replace with your actual API key
+        # You can also set this via the GEMINI_API_KEY environment variable.
+        # Example: api_key: "YOUR_GEMINI_API_KEY_HERE"
+        api_key: YOUR_GEMINI_API_KEY
 
-        # Gemini Model to use (optional, default: gemini-1.5-pro-latest)
-        # model: gemini-1.5-flash-latest
+        # Gemini Model to use (optional, default: g emini-2.5-flash-preview-04-17)
+        # Example: model: "gemini-2.5-pro-preview-05-06"
+        # model: "gemini-2.5-flash-preview-04-17"
 
-        # Security checks to enable (optional, default: all implemented checks)
+        # Security checks to enable (optional, default: all implemented checks).
+        # Provide a list of symbols. Example:
         # checks:
-        #   xss: true
-        #   csrf: true
-        #   idor: true
-        #   ...
+        #   - xss
+        #   - csrf
+        #   - idor
+        #   - open_redirect
+        #   # Add other risk symbols from Omamori::AIAnalysisEngine::PromptManager::RISK_PROMPTS.keys
 
-        # Custom prompt templates (optional)
+        # Custom prompt templates (optional).
         # prompt_templates:
         #   default: |
-        #     Your custom prompt template here...
+        #     Analyze the following Ruby code for security vulnerabilities.
+        #     Focus on: %{risk_list}.
+        #     Report in JSON format: %{json_schema}.
+        #     Code:
+        #     %{code_content}
 
-        # Report output settings (optional)
+        # Report output settings (optional).
         # report:
-        #   output_path: ./omamori_report # Output directory/prefix for html/json reports
-        #   html_template: path/to/custom/template.erb # Custom HTML template
+        #   output_path: "./omamori_scan_results" # Prefix for html/json reports
+        #   html_template: "custom_report_template.erb" # Path to custom ERB template
 
-        # Static analyser options (optional)
+        # Static analyser options (optional).
+        # Provide options as a hash.
         # static_analysers:
         #   brakeman:
-        #     options: "--force" # Additional Brakeman options
+        #     options: {"--skip-checks": "BasicAuth", "--no-progress": true}
         #   bundler_audit:
-        #     options: "--quiet" # Additional Bundler-Audit options
-        
-        # Language setting for AI analysis details (optional, default: en)
-        # language: ja
-        
-              YAML
-      # TODO: Specify output file path from options
-      output_path = Omamori::Config::DEFAULT_CONFIG_PATH
-      if File.exist?(output_path)
-        puts "Config file already exists at #{output_path}. Aborting init."
+        #     options: {quiet: true}
+
+        # Language for AI analysis details (optional, default: "en").
+        # Supported languages depend on the AI model.
+        # language: "ja"
+
+        # Chunk size for splitting large code content for AI analysis (optional, default: 8000 characters).
+        # chunk_size: 10000
+
+        # CI setup file paths (optional).
+        # ci_setup:
+        #   github_actions_path: ".github/workflows/custom_omamori_scan.yml"
+        #   gitlab_ci_path: ".custom-gitlab-ci.yml"
+      YAML
+      config_output_path = Omamori::Config::DEFAULT_CONFIG_PATH
+      if File.exist?(config_output_path)
+        puts "Config file already exists at #{config_output_path}. Aborting .omamorirc generation."
+      else
+        File.write(config_output_path, config_content)
+        puts "Config file generated: #{config_output_path}"
+        puts "IMPORTANT: Please open #{config_output_path} and replace 'YOUR_GEMINI_API_KEY' with your actual Gemini API key."
+      end
+
+      ignore_output_path = Omamori::Config::DEFAULT_IGNORE_PATH
+      if File.exist?(ignore_output_path)
+        puts ".omamoriignore file already exists at #{ignore_output_path}. Aborting .omamoriignore generation."
       else
-        File.write(output_path, config_content)
-        puts "Config file generated: #{output_path}"
-        puts "Please replace 'YOUR_GEMINI_API_KEY' with your actual API key."
+        File.write(ignore_output_path, DEFAULT_OMAMORIIGNORE_CONTENT)
+        puts ".omamoriignore file generated: #{ignore_output_path}"
       end
     end
   end
-end
+end

data/lib/omamori/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Omamori
-  VERSION = "0.1.2"
+  VERSION = "0.1.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: omamori
 version: !ruby/object:Gem::Version
-  version: 0.1.2
+  version: 0.1.4
 platform: ruby
 authors:
 - rira100000000
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2025-05-04 00:00:00.000000000 Z
+date: 2025-05-18 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: colorize
@@ -52,6 +52,34 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: 0.1.1
+- !ruby/object:Gem::Dependency
+  name: brakeman
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '7.0'
+- !ruby/object:Gem::Dependency
+  name: bundler-audit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.2
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.9.2
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement