still_active 1.5.0 → 2.0.0

data/lib/helpers/sarif_helper.rb

@@ -5,6 +5,7 @@ require "digest"
 require "time"
 require_relative "../still_active/sarif/rules"
 require_relative "lockfile_indexer"
+require_relative "activity_helper"
 
 module StillActive
   # Renders a still_active workflow result as a SARIF 2.1.0 document.
@@ -19,7 +20,7 @@ module StillActive
 
     LIBYEAR_THRESHOLD = 1.0
     SCORECARD_LOW_THRESHOLD = 4.0
-    ABANDONED_SECONDS = 2 * 365 * 24 * 60 * 60 # 2 years
+    SECONDS_PER_YEAR = 365 * 24 * 60 * 60 # for the human-readable "in N years"
 
     # result: same hash StillActive::Workflow.call returns (gem_name => gem_data)
     # ruby_info: optional Ruby freshness hash (or nil)
@@ -98,43 +99,68 @@ module StillActive
       location = location_for(name, line_index, lockfile_uri)
 
       if data[:archived]
-        out << result("SA001", name, "#{name} #{version}: upstream repository is archived#{repo_suffix(data)}.", location)
+        out << mark_suppressed(result("SA001", name, "#{name} #{version}: upstream repository is archived#{repo_suffix(data)}#{alternatives_suffix(data)}#{transitive_suffix(data)}.", location), name, :activity)
       end
 
       unless data[:archived]
-        last_commit = parse_time(data[:last_commit_date])
-        if last_commit && last_commit < (Time.now - ABANDONED_SECONDS)
-          years = ((Time.now - last_commit) / (365 * 24 * 60 * 60)).round(1)
-          out << result(
-            "SA002",
+        if ActivityHelper.activity_level(data) == :critical
+          activity = ActivityHelper.last_activity(data)
+          years = ((Time.now - activity[:date]) / SECONDS_PER_YEAR).round(1)
+          noun = activity[:kind] == :release ? "no release" : "no commits"
+          out << mark_suppressed(
+            result(
+              "SA002",
+              name,
+              "#{name} #{version}: #{noun} in #{years} years (last #{activity[:date].utc.strftime("%Y-%m-%d")})#{alternatives_suffix(data)}#{transitive_suffix(data)}.",
+              location,
+            ),
             name,
-            "#{name} #{version}: no commits in #{years} years (last #{last_commit.utc.strftime("%Y-%m-%d")}).",
-            location,
+            :activity,
           )
         end
       end
 
       Array(data[:vulnerabilities]).each do |vuln|
-        out << vulnerability_result(name, version, vuln, location)
+        out << vulnerability_result(name, version, vuln, location, data)
       end
 
       if data[:libyear] && data[:libyear] > LIBYEAR_THRESHOLD
         latest = data[:latest_version] ? " behind #{data[:latest_version]}" : ""
-        out << result("SA004", name, "#{name} #{version}: #{data[:libyear]} libyears#{latest}.", location)
+        out << mark_suppressed(result("SA004", name, "#{name} #{version}: #{data[:libyear]} libyears#{latest}#{transitive_suffix(data)}.", location), name, :libyear)
       end
 
       if data[:scorecard_score] && data[:scorecard_score] < SCORECARD_LOW_THRESHOLD
-        out << result("SA005", name, "#{name} #{version}: OpenSSF Scorecard #{data[:scorecard_score]}/10 (low).", location)
+        out << mark_suppressed(result("SA005", name, "#{name} #{version}: OpenSSF Scorecard #{data[:scorecard_score]}/10 (low).", location), name, :scorecard)
       end
 
       if data[:version_yanked]
-        out << result("SA007", name, "#{name} #{version}: this version has been yanked from RubyGems.", location)
+        out << mark_suppressed(result("SA007", name, "#{name} #{version}: this version has been yanked from RubyGems.", location), name, :yanked)
       end
 
       out
     end
 
-    def vulnerability_result(name, version, vuln, location)
+    # Attaches a SARIF native suppressions[] entry when this finding is covered
+    # by a whole-gem --ignore or a granular .still_active.yml suppression, so a
+    # GitHub code-scanning consumer renders it dismissed rather than open. The
+    # suppression's reason rides along as the justification.
+    def mark_suppressed(result_hash, gem_name, signal, advisory: nil, aliases: [])
+      config = StillActive.config
+      if config.ignored_gems.include?(gem_name)
+        result_hash["suppressions"] = [{ "kind" => "external", "justification" => "ignored via --ignore" }]
+        return result_hash
+      end
+
+      entry = config.suppressions.match(gem: gem_name, signal: signal, advisory: advisory, aliases: aliases)
+      return result_hash unless entry
+
+      suppression = { "kind" => "external" }
+      suppression["justification"] = entry.reason if entry.reason
+      result_hash["suppressions"] = [suppression]
+      result_hash
+    end
+
+    def vulnerability_result(name, version, vuln, location, data = {})
       score = vuln[:cvss3_score] || vuln[:cvss2_score]
       level = Sarif::Rules.cvss_to_level(score)
       severity = Sarif::Rules.cvss_to_security_severity(score)
@@ -146,13 +172,23 @@ module StillActive
       base = result(
         "SA003",
         name,
-        "#{name} #{version}: #{advisory_id}#{title}#{alias_suffix}.",
+        "#{name} #{version}: #{advisory_id}#{title}#{alias_suffix}#{transitive_suffix(data)}.",
         location,
         level: level,
         fp_extra: advisory_id,
       )
       base["properties"] = { "security-severity" => severity } if severity
-      base
+      mark_suppressed(base, name, :vulnerability, advisory: vuln[:id], aliases: Array(vuln[:aliases]))
+    end
+
+    # Names the direct dependency a transitive flagged gem rides in on, so a
+    # code-scanning consumer gets the actionable "replace your direct gem" hop
+    # instead of an un-actionable transitive finding (#60).
+    def transitive_suffix(data)
+      path = data[:dependency_path]
+      return "" unless data[:direct] == false && path && path.length >= 2
+
+      " (transitive, pulled in by #{path.first})"
     end
 
     def ruby_eol_result(ruby_info, ruby_line, lockfile_uri)
@@ -211,22 +247,20 @@ module StillActive
       Sarif::Rules.all.index { |r| r[:id] == rule_id }
     end
 
-    def parse_time(value)
-      return value if value.is_a?(Time)
-      return if value.nil?
-
-      Time.parse(value.to_s)
-    rescue ArgumentError, TypeError, RangeError
-      nil
-    end
-
     def format_date(value)
-      t = parse_time(value)
+      t = ActivityHelper.parse_time(value)
       t ? t.utc.strftime("%Y-%m-%d") : value.to_s
     end
 
     def repo_suffix(data)
       data[:repository_url] ? " (#{data[:repository_url]})" : ""
     end
+
+    def alternatives_suffix(data)
+      leads = data[:alternatives]
+      return "" if leads.nil? || leads.empty?
+
+      " Consider: #{leads.join(", ")}"
+    end
   end
 end

data/lib/helpers/summary_helper.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+require_relative "activity_helper"
+
+module StillActive
+  # Builds the JSON output's summary{} digest: the headline posture of the audit
+  # in one object, so a machine/LLM consumer reads the totals directly instead
+  # of iterating every gem. Counts are derived from the canonical per-gem fields
+  # (activity_level, archived, up_to_date, vulnerability_count) so they never
+  # drift from a separately-thresholded SARIF rule.
+  module SummaryHelper
+    ACTIVITY_LEVELS = [:ok, :stale, :critical, :archived, :unknown].freeze
+
+    extend self
+
+    def summarize(result, ruby_info: nil)
+      activity = ACTIVITY_LEVELS.to_h { |level| [level, 0] }
+      archived = up_to_date = outdated = vulnerable_gems = vulnerabilities = direct = 0
+
+      result.each_value do |data|
+        activity[ActivityHelper.activity_level(data)] += 1
+        direct += 1 if data[:direct]
+        archived += 1 if data[:archived]
+        up_to_date += 1 if data[:up_to_date] == true
+        outdated += 1 if data[:up_to_date] == false
+        count = data[:vulnerability_count].to_i
+        next unless count.positive?
+
+        vulnerable_gems += 1
+        vulnerabilities += count
+      end
+
+      summary = {
+        total_gems: result.size,
+        direct: direct,
+        transitive: result.size - direct,
+        activity: activity,
+        archived: archived,
+        up_to_date: up_to_date,
+        outdated: outdated,
+        vulnerable_gems: vulnerable_gems,
+        vulnerabilities: vulnerabilities,
+      }
+      summary[:ruby_eol] = ruby_info[:eol] == true if ruby_info
+      summary
+    end
+  end
+end

data/lib/helpers/terminal_helper.rb

@@ -2,6 +2,7 @@
 
 require_relative "activity_helper"
 require_relative "ansi_helper"
+require_relative "summary_helper"
 require_relative "libyear_helper"
 require_relative "version_helper"
 require_relative "vulnerability_helper"
@@ -13,13 +14,21 @@ module StillActive
     HEADERS = ["Name", "Version", "Activity", "OpenSSF", "Vulns", "License"].freeze
 
     def render(result, ruby_info: nil)
-      rows = result.keys.sort.map { |name| build_row(name, result[name]) }
+      names = result.keys.sort
+      rows = names.map { |name| build_row(name, result[name]) }
       widths = column_widths(rows)
 
       lines = []
       lines << header_line(widths)
       lines << separator_line(widths)
-      rows.each { |row| lines << row_line(row, widths) }
+      names.each_with_index do |name, i|
+        lines << row_line(rows[i], widths)
+        data = result[name]
+        # Transitive gems can't be swapped directly, so point at the direct
+        # parent instead of suggesting alternatives for them (#60).
+        extra = data[:direct] == false ? dependency_path_line(data) : alternatives_line(data)
+        lines << extra if extra
+      end
       lines << ""
       lines << summary_line(result)
       lines << ruby_summary_line(ruby_info) if ruby_info
@@ -125,6 +134,30 @@ module StillActive
         .join
     end
 
+    def alternatives_line(data)
+      level = ActivityHelper.activity_level(data)
+      return unless [:archived, :critical].include?(level)
+
+      leads = data[:alternatives]
+      if leads && !leads.empty?
+        AnsiHelper.dim("  ↳ leads (Ruby Toolbox): #{leads.join(" · ")} (verify fit)")
+      elsif !StillActive.config.alternatives
+        AnsiHelper.dim("  ↳ run with --alternatives for maintained replacements")
+      end
+    end
+
+    # For a flagged transitive gem, name the direct dependency that pulls it in,
+    # the gem the user can actually act on (#60).
+    def dependency_path_line(data)
+      path = data[:dependency_path]
+      return unless path && path.length >= 2
+
+      level = ActivityHelper.activity_level(data)
+      return unless [:archived, :critical].include?(level) || data[:vulnerability_count].to_i.positive?
+
+      AnsiHelper.dim("  ↳ transitive, pulled in by #{path.first}")
+    end
+
     def ruby_summary_line(ruby_info)
       version = ruby_info[:version]
       latest = ruby_info[:latest_version]
@@ -144,29 +177,23 @@ module StillActive
       end
     end
 
+    # Reuse the same digest the JSON output emits so the human summary line can
+    # never drift from the machine one (the #63 "computed two ways" trap). The
+    # terminal keeps a coarser grouping (critical folds into stale) and adds its
+    # own yanked / total-libyear extras that the JSON digest doesn't carry.
     def summary_line(result)
-      total = result.size
-      level_counts = result.each_value.map { |d| ActivityHelper.activity_level(d) }.tally
-      version_counts = result.each_value
-        .map { |d| VersionHelper.up_to_date(version_used: d[:version_used], latest_version: d[:latest_version]) }
-        .tally
-
-      up_to_date = version_counts.fetch(true, 0)
-      outdated = version_counts.fetch(false, 0)
+      summary = SummaryHelper.summarize(result)
+      active = summary[:activity][:ok]
+      stale = summary[:activity][:stale] + summary[:activity][:critical]
+      archived = summary[:activity][:archived]
       yanked = result.each_value.count { |d| d[:version_yanked] }
-      active = level_counts.fetch(:ok, 0)
-      archived = level_counts.fetch(:archived, 0)
-      stale = level_counts.fetch(:stale, 0) + level_counts.fetch(:critical, 0)
-      vulns = result.each_value.sum { |d| d[:vulnerability_count] || 0 }
 
-      parts = [
-        "#{total} gems: #{up_to_date} up to date, #{outdated} outdated",
-      ]
+      parts = ["#{summary[:total_gems]} gems: #{summary[:up_to_date]} up to date, #{summary[:outdated]} outdated"]
       parts.last << ", #{yanked} yanked" if yanked > 0
       activity = "#{active} active, #{stale} stale"
       activity << ", #{archived} archived" if archived > 0
       parts << activity
-      parts << "#{vulns} vulnerabilities"
+      parts << "#{summary[:vulnerabilities]} vulnerabilities"
       total_libyear = LibyearHelper.total_libyear(result)
       parts << "#{total_libyear.round(1)} libyears behind" if total_libyear > 0
       parts.join(" · ")

data/lib/helpers/version_helper.rb

@@ -12,7 +12,13 @@ module StillActive
       elsif !version_string.nil?
         versions&.find { |v| v["number"] == version_string }
       else
-        versions&.find { |v| v["prerelease"] == pre_release }
+        # The "latest" of a kind: pick the highest by version rather than trust
+        # the source's ordering. RubyGems happens to return newest-first, but
+        # GitHub Packages and other sources don't, and a wrong "latest" cascades
+        # into up_to_date and libyear.
+        versions
+          &.select { |v| v["prerelease"] == pre_release }
+          &.max_by { |v| to_gem_version(v["number"]) || Gem::Version.new("0") }
       end
     end
 

data/lib/still_active/artifactory_client.rb

@@ -0,0 +1,166 @@
+# frozen_string_literal: true
+
+require "bundler"
+require "cgi"
+require "json"
+require "uri"
+require_relative "../helpers/http_helper"
+
+module StillActive
+  module ArtifactoryClient
+    extend self
+
+    def artifactory_uri?(uri)
+      # Hostnames are case-insensitive, so downcase before the suffix check; an
+      # uppercase jfrog host would otherwise be misread as an unqueryable source.
+      uri.is_a?(String) && URI(uri).host&.downcase&.end_with?(".jfrog.io")
+    rescue URI::InvalidURIError
+      false
+    end
+
+    def versions(gem_name:, source_uri:)
+      headers = auth_headers(gem_name: gem_name, source_uri: source_uri)
+      vs = RubygemsClient.versions(gem_name: gem_name, source_uri: source_uri, headers: headers)
+      return vs unless vs.empty?
+
+      AqlClient.versions(gem_name: gem_name, source_uri: source_uri, headers: headers)
+    rescue Errno::ECONNRESET, Errno::ECONNREFUSED, Net::OpenTimeout, Net::ReadTimeout, SocketError
+      []
+    end
+
+    private
+
+    def credentials(gem_name:, source_uri:)
+      host = URI(source_uri).host
+      bundler = Bundler.settings[source_uri] || Bundler.settings[host]
+      return bundler if bundler && !bundler.empty?
+
+      global = StillActive.config.artifactory_token
+      return unless global
+
+      configured_host = StillActive.config.artifactory_host
+      unless configured_host && host&.casecmp?(configured_host)
+        warn_unauthorized_host(gem_name: gem_name, host: host)
+        return
+      end
+
+      global
+    end
+
+    def warn_unauthorized_host(gem_name:, host:)
+      $stderr.puts(
+        "warning: an Artifactory token is set but #{host} (source for #{gem_name}) is not an authorized host, " \
+          "so the token will not be sent. " \
+          "To allow it, set --artifactory-host=#{host} or STILL_ACTIVE_ARTIFACTORY_HOST=#{host}",
+      )
+    end
+
+    def auth_headers(gem_name:, source_uri:)
+      creds = credentials(gem_name: gem_name, source_uri: source_uri)
+      return {} unless creds
+
+      if creds.include?(":")
+        user, pass = creds.split(":", 2).map { |part| CGI.unescape(part) }
+        { "Authorization" => "Basic #{["#{user}:#{pass}"].pack("m0")}" }
+      else
+        { "Authorization" => "Bearer #{creds}" }
+      end
+    end
+
+    # Artifactory's Rubygems-compatible API
+    module RubygemsClient
+      extend self
+
+      def versions(gem_name:, source_uri:, headers: {})
+        base = URI(source_uri.chomp("/"))
+        path = "#{base.path}/api/v1/versions/#{encode(gem_name)}.json"
+        HttpHelper.get_json(base, path, headers: headers) || []
+      end
+
+      private
+
+      def encode(value)
+        CGI.escape(value)
+      end
+    end
+
+    # AQL stands for Artifactory Query Language
+    # https://docs.jfrog.com/artifactory/docs/artifactory-query-language
+    module AqlClient
+      extend self
+
+      SOURCE_URL_PATTERN = %r{\A(https?://[^/]+\.jfrog\.io/[^/]+)/api/gems/([^/]+)/?\z}
+      AQL_PATH = "/api/search/aql"
+
+      def versions(gem_name:, source_uri:, headers: {})
+        artifactory_base, repo_key = parse_source_url(source_uri)
+        return [] if artifactory_base.nil?
+
+        base = URI(artifactory_base)
+        path = "#{base.path}#{AQL_PATH}"
+        query = {
+          "name" => { "$match" => "#{gem_name}-*.gem" },
+          "repo" => repo_key,
+        }
+        body = %(items.find(#{JSON.generate(query)}).include("repo", "path", "name", "created"))
+        response = HttpHelper.post_json(base, path, body: body, headers: headers.merge("Content-Type" => "text/plain"))
+        return [] if response.nil?
+
+        results = response["results"] || []
+        build_version_hashes(results: results, gem_name: gem_name)
+      end
+
+      private
+
+      def parse_source_url(source_uri)
+        match = source_uri.match(SOURCE_URL_PATTERN)
+        unless match
+          $stderr.puts("warning: unrecognized Artifactory source URL for AQL fallback: #{source_uri}")
+          return [nil, nil]
+        end
+
+        [match[1], match[2]]
+      end
+
+      def build_version_hashes(results:, gem_name:)
+        results
+          .filter_map do |item|
+            version = extract_version(item["name"], gem_name)
+            next if version.nil?
+
+            {
+              "number" => version,
+              "created_at" => item["created"],
+              "prerelease" => Gem::Version.new(version).prerelease?,
+            }
+          end
+          .uniq { |h| h["number"] }
+          .sort_by { |h| Gem::Version.new(h["number"]) }
+          .reverse
+      end
+
+      def extract_version(filename, gem_name)
+        prefix = "#{gem_name}-"
+        return unless filename&.end_with?(".gem") && filename.start_with?(prefix)
+
+        version_part = filename[prefix.length..-5]
+        return if version_part.nil? || version_part.empty?
+
+        parse_version_from_filename_tail(version_part)
+      end
+
+      # Given the portion of a `.gem` filename after `name-`, returns the
+      # leading semver (e.g. `7.0.0` from `7.0.0-x86_64-linux`). Ignores
+      # unrelated artifacts that share a prefix (e.g. `datadog-ruby_core_source`
+      # when the gem name is `datadog`).
+      def parse_version_from_filename_tail(version_part)
+        segments = version_part.split("-")
+        segments.length.times do |i|
+          candidate = segments[0, i + 1].join("-")
+          return candidate if Gem::Version.correct?(candidate)
+        end
+        nil
+      end
+    end
+  end
+end

data/lib/still_active/cli.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 
 require_relative "options"
+require_relative "config_file"
 require_relative "diff"
 require_relative "../helpers/activity_helper"
 require_relative "../helpers/bot_context"
@@ -10,6 +11,7 @@ require_relative "../helpers/diff_markdown_helper"
 require_relative "../helpers/emoji_helper"
 require_relative "../helpers/markdown_helper"
 require_relative "../helpers/sarif_helper"
+require_relative "../helpers/summary_helper"
 require_relative "../helpers/terminal_helper"
 require_relative "../helpers/version_helper"
 require_relative "../helpers/vulnerability_helper"
@@ -17,8 +19,20 @@ require_relative "workflow"
 
 module StillActive
   class CLI
+    # The committed JSON Schema for the --json output. Emitted as `$schema` so
+    # the output is self-describing and a consumer can validate it.
+    SCHEMA_URL = "https://raw.githubusercontent.com/SeanLF/still_active/main/docs/still_active.schema.json"
+
     def run(args)
+      # Apply the committed .still_active.yml first so CLI flags (parsed next)
+      # win over it: CLI flag > env var > config file > default.
+      config_data = ConfigFile.load
+      ConfigFile.apply(StillActive.config, config_data).each { |warning| $stderr.puts("warning: #{warning}") }
       options = Options.new.parse!(args)
+      # After CLI flags resolve, nudge (don't auto-inherit) an un-imported
+      # bundler-audit ignore list when the vulnerability gate is on.
+      hint = ConfigFile.import_hint(config_data)
+      $stderr.puts("hint: #{hint}") if hint
       unless options[:provided_gems]
         begin
           StillActive.config.gems = BundlerHelper.gemfile_dependencies
@@ -29,6 +43,7 @@ module StillActive
       end
 
       warn_output_flag_conflicts(options)
+      warn_stale_suppressions
 
       result = if $stderr.tty?
         Workflow.call { |done, total| $stderr.print("\rChecking #{done}/#{total} gems...") }
@@ -50,14 +65,20 @@ module StillActive
         case resolve_format
         when :json
           output = {
+            "$schema": SCHEMA_URL,
             schema_version: 1,
             tool: { name: "still_active", version: StillActive::VERSION },
             generated_at: Time.now.utc.iso8601,
-            gems: result,
+            # A one-object digest of the audit's posture, so a machine/LLM
+            # consumer reads the headline counts without iterating every gem.
+            summary: SummaryHelper.summarize(result, ruby_info: ruby_info),
+            # Surface the derived verdict so a machine/LLM consumer reads it
+            # directly instead of re-deriving it from the raw dates.
+            gems: result.transform_values { |data| data.merge(activity_level: ActivityHelper.activity_level(data)) },
           }
           output[:ruby] = ruby_info if ruby_info
           output[:pr_context] = pr_context if pr_context
-          puts output.to_json
+          puts iso8601_times(output).to_json
         when :terminal
           puts BotContext.summary(pr_context) if pr_context
           puts TerminalHelper.render(result, ruby_info: ruby_info)
@@ -71,6 +92,29 @@ module StillActive
 
     private
 
+    # Dates live in the result as real Time objects (the activity/libyear math
+    # needs them), but the JSON contract is ISO8601 UTC strings, matching
+    # generated_at. Normalize at the serialization boundary only, so the
+    # terminal/markdown/SARIF paths keep their Time objects untouched.
+    def iso8601_times(value)
+      case value
+      when Time then value.utc.iso8601
+      when Hash then value.transform_values { |v| iso8601_times(v) }
+      when Array then value.map { |v| iso8601_times(v) }
+      else value
+      end
+    end
+
+    # A suppression naming a gem that isn't in the resolved dependency set can
+    # never fire, so it's dead config worth surfacing (the presence half of
+    # suppression rot, alongside the expiry half the entries handle themselves).
+    def warn_stale_suppressions
+      present = StillActive.config.gems.map { |gem| gem[:name] }
+      StillActive.config.suppressions.stale_gem_warnings(present).each do |warning|
+        $stderr.puts("warning: #{warning}")
+      end
+    end
+
     # The output destinations are mutually exclusive and resolved by precedence
     # (baseline > sarif > cyclonedx > terminal/markdown/json). Warn rather than
     # silently dropping the loser when more than one is set.
@@ -190,6 +234,10 @@ module StillActive
 
         puts MarkdownHelper.markdown_table_body_line(gem_name: name, data: gem_data)
       end
+      alternatives = MarkdownHelper.alternatives_section(result)
+      puts alternatives unless alternatives.empty?
+      transitive = MarkdownHelper.transitive_section(result)
+      puts transitive unless transitive.empty?
       if ruby_info
         puts ""
         puts MarkdownHelper.ruby_line(ruby_info)
@@ -200,27 +248,50 @@ module StillActive
       config = StillActive.config
       return unless config.fail_if_critical || config.fail_if_warning || config.fail_if_vulnerable || config.fail_if_outdated
 
-      ignored = config.ignored_gems
-      checked = result.reject { |name, _| ignored.include?(name) }
+      exit(1) if result.any? { |name, data| gate_failed?(name, data, config) }
+    end
 
-      if config.fail_if_critical || config.fail_if_warning
-        levels = checked.each_value.map { |gem_data| ActivityHelper.activity_level(gem_data) }
-        exit(1) if config.fail_if_warning && levels.intersect?([:stale, :critical, :archived])
-        exit(1) if config.fail_if_critical && levels.intersect?([:critical, :archived])
-      end
+    # A gem fails the run when it trips an enabled gate that is neither
+    # whole-gem --ignore'd nor covered by a granular .still_active.yml
+    # suppression. Each signal is checked independently so accepting one finding
+    # (e.g. a single advisory) never blinds the others.
+    def gate_failed?(name, data, config)
+      return false if config.ignored_gems.include?(name)
 
-      if (vuln_setting = config.fail_if_vulnerable)
-        checked.each_value do |d|
-          next unless d[:vulnerability_count]&.positive?
+      suppressions = config.suppressions
+      failed_activity?(name, data, config, suppressions) ||
+        failed_vulnerability?(name, data, config, suppressions) ||
+        failed_outdated?(name, data, config, suppressions)
+    end
 
-          exit(1) if vuln_setting == true
-          exit(1) if VulnerabilityHelper.severity_at_or_above?(d[:vulnerabilities], vuln_setting)
-        end
-      end
+    def failed_activity?(name, data, config, suppressions)
+      return false unless config.fail_if_warning || config.fail_if_critical
+      return false if suppressions.suppressed?(gem: name, signal: :activity)
+
+      level = ActivityHelper.activity_level(data)
+      (config.fail_if_warning && [:stale, :critical, :archived].include?(level)) ||
+        (config.fail_if_critical && [:critical, :archived].include?(level))
+    end
+
+    def failed_vulnerability?(name, data, config, suppressions)
+      setting = config.fail_if_vulnerable
+      return false unless setting
+      return false unless data[:vulnerability_count]&.positive?
 
-      if (threshold = config.fail_if_outdated)
-        exit(1) if checked.each_value.any? { |d| d[:libyear] && d[:libyear] > threshold }
+      live = Array(data[:vulnerabilities]).reject do |vuln|
+        suppressions.suppressed?(gem: name, signal: :vulnerability, advisory: vuln[:id], aliases: Array(vuln[:aliases]))
       end
+      return false if live.empty?
+
+      setting == true || VulnerabilityHelper.severity_at_or_above?(live, setting)
+    end
+
+    def failed_outdated?(name, data, config, suppressions)
+      threshold = config.fail_if_outdated
+      return false unless threshold
+      return false if suppressions.suppressed?(gem: name, signal: :libyear)
+
+      data[:libyear] && data[:libyear] > threshold
     end
   end
 end