@activemind/scd 1.4.0

package/LICENSE.md

@@ -0,0 +1,35 @@
+GNU AFFERO GENERAL PUBLIC LICENSE
+                       Version 3, 19 November 2007
+
+Copyright (C) 2026 Activemind Solutions AB
+Contact: info@activemind.se
+https://activemind.se
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+---
+
+COMMERCIAL LICENSE
+
+If you wish to use Secure Code by Design in a proprietary product or
+service, or distribute it as part of a commercial offering without
+complying with the terms of the AGPL-3.0, a commercial license is
+available from Activemind Solutions AB.
+
+Contact: info@activemind.se
+
+---
+
+The full text of the GNU Affero General Public License v3 is available at:
+https://www.gnu.org/licenses/agpl-3.0.txt

package/README.md

@@ -0,0 +1,417 @@
+# Secure Code by Design
+
+> Automated security scanning for development teams using AI coding tools.
+
+Secure Code by Design (`scd`) is a CLI tool that catches security vulnerabilities before they reach production — running quietly in the background via git hooks and on-demand scans. Built for SMB companies using traditional coding and AI coding tools (Claude Code, GitHub Copilot, Cursor) which generates code faster than their security awareness can keep up with.
+
+**Not a replacement for penetration testing.** scd helps you find and fix common vulnerability patterns before they reach production, so that professional security assessments can focus on harder, context-specific problems. It does not replace a penetration test, threat model, or security audit.
+
+---
+
+## Features
+
+- **189 security rules** across JavaScript, TypeScript, Python, PHP, ASP.NET, and more
+- **Taint analysis** — tracks user-controlled variables from HTTP input to dangerous sinks
+- **Pre-scan file classification** — files are classified into source, test, and excluded contexts before any rule runs; test files and vendor code are routed separately
+- **Git hooks** – secrets scanning on pre-commit, full OWASP scan on pre-push
+- **Zero repo footprint** – no files written or modified to your repository
+- **Compact terminal output** – summary + top issues + most affected files (use `--verbose` for full detail)
+- **HTML, Markdown and JSON reports** with fix guidance for each finding
+- **Deep analysis** – optional AI-powered analysis via scd-server; requires the Deep Analysis Pack (Premium)
+- **Per-scan storage** – every scan saved with a unique random ID (`s-a3f9b2c1`), never overwritten; regenerate reports from any historical scan
+- **Finding IDs** – every finding gets a stable ID (`f-a1b2c3d4e5`) shown in scan output, reports and export — use directly with `scd accept` and `scd ignore`
+- **Exception management** – reviewed exceptions tracked in config, never as code comments
+- **Exception sync** – pull team-lead approvals from scd-server, sync rejected back with reason
+- **Audit trail** – append-only scan history per repository
+- **`.gitignore` respected** – files git ignores are excluded from scans by default; use `--include-ignored` to override
+- **Scan scope management** – explicitly exclude files, directories, or rules with documented reasons via `scope.yml`; every exclusion is tracked in scan output and audit log
+- **Pipeline-friendly** – works as a subprocess or in CI/CD without a TTY; use `--log-to` to control logging behaviour in automated contexts
+
+## Team & Premium
+
+scd-server extends the CLI with team collaboration features. When you're ready to move beyond local scanning:
+
+- **Team dashboard** — aggregated findings, trend analysis, and knowledge gap tracking across your whole team
+- **Exception approval flow** — developers request exceptions, team leads approve or reject with a reason
+- **CRA Compliance Report** — ready-made documentation for EU Cyber Resilience Act conformity assessments
+- **Findings history** — every scan from every developer in one place, searchable and filterable
+- **Deep Analysis Pack** — AI-powered analysis of CRITICAL and HIGH findings; confirms real vulnerabilities, identifies false positives, and suggests concrete fixes. Your code never leaves your infrastructure.
+
+scd-server runs in your own infrastructure. No code, no findings, and no scan data ever leaves your network.
+
+See [securecodebydesign.com](https://securecodebydesign.com) for plans and pricing.
+
+---
+
+## Requirements
+
+- Node.js 22 or later
+- Git (required for hook installation)
+- npm (included with Node.js)
+
+**macOS / Linux:** No additional requirements.
+
+**Windows:** Windows 10 (build 1803) or later required. Git for Windows must be installed (not WSL). Windows Terminal or PowerShell recommended — `cmd.exe` has limited ANSI colour support.
+
+> On Windows, the store directory is `%USERPROFILE%\\.scd\\` (e.g. `C:\\Users\\YourName\\.scd\\`). All `~/.scd` references in this documentation refer to this path on Windows.
+
+---
+
+## Installation
+
+```bash
+npm install -g @activemind/scd
+scd --version
+```
+
+See [INSTALL.md](INSTALL.md) for platform-specific Node.js setup, advanced options, and
+[installation troubleshooting](INSTALL.md#troubleshooting).
+
+---
+
+## Quick start
+
+```bash
+# Register a project and install git hooks
+cd /path/to/your/project
+scd init
+
+# Run a full security scan
+scd scan
+
+# Run with verbose output (full file-grouped + rule-grouped detail)
+scd scan --verbose
+
+# Generate an HTML report from the last scan
+scd report
+
+# Open the report in your browser
+scd report open            # macOS / Windows
+scd report serve           # Linux / Firefox (starts local HTTP server)
+```
+
+---
+
+## Commands
+
+### Scanning
+
+| Command | Description |
+|---|---|
+| `scd scan [target]` | Run a full security scan — vendor and `.gitignore`d files excluded by default |
+| `scd scan --verbose` | Full file-grouped + rule-grouped output |
+| `scd scan --deep` | Deep analysis via scd-server *(Premium)* |
+| `scd scan --include-vendor` | Include vendor/dependency code in scan |
+| `scd scan --vendor-only` | Scan only vendor/dependency code (supply chain) |
+| `scd scan --include-ignored` | Scan files excluded by `.gitignore` (default: respect `.gitignore`) |
+| `scd scan --exclude <pattern>` | Exclude a file or directory for this scan only (repeatable, not saved) |
+| `scd scan --exclude-rule <id>` | Exclude a rule for this scan only (repeatable, not saved) |
+| `scd scan --log-to <mode>` | Logging mode for non-interactive use: `none`, `current`, `target` (see below) |
+| `scd scan --no-sync` | Skip pushing this scan to scd-server (audit log kept locally) *(Premium)* |
+| `scd scan --no-audit` | Skip audit logging entirely for this scan |
+
+#### `--exclude` and `--exclude-rule` — one-off scan exclusions
+
+Exclude files or rules for a single scan without modifying `scope.yml`. Useful for quick ad-hoc filtering or testing rule changes.
+
+```bash
+scd scan --exclude "tests/fixtures/" --exclude-rule INFRA-002
+```
+
+One-off exclusions are shown in scan output, stored in the scan JSON, and never written to disk. For permanent exclusions, use `scd repo scope`.
+
+#### `--log-to` — non-interactive and pipeline use
+
+When `scd scan` is used as a subprocess or in a CI/CD pipeline without a TTY, it automatically detects the missing terminal and scans without logging — no prompt, no hanging. A single informational line is written to stderr.
+
+Use `--log-to` when you need explicit control over logging in non-interactive contexts:
+
+| Value | Behaviour |
+|---|---|
+| `none` | Scan without logging, no prompt (same as auto-detect default) |
+| `current` | Log results to the current working directory's repo, no prompt |
+| `target` | Log results to the target repository's repo, no prompt |
+
+```bash
+# Automated pipeline — no TTY, no prompt, output file always written
+scd scan ./repo --format json --output results.json
+
+# Cron job — scan and log results to current repo
+scd scan . --log-to current
+
+# Explicit no-logging
+scd scan . --log-to none
+```
+
+Normal interactive behaviour (with a TTY and no `--log-to`) is completely unchanged.
+
+### Reports
+
+| Command | Description |
+|---|---|
+| `scd report` | Generate report from last scan (HTML default) |
+| `scd report open` | Generate report and open in browser |
+| `scd report serve` | Serve report via local HTTP server |
+| `scd report serve --index` | Always show report index page |
+| `scd report --scan <id>` | Generate report from a specific saved scan |
+| `scd export-findings` | Export all findings from a scan to JSON |
+| `scd export-findings --deep-only` | Export only findings that have a deep analysis result |
+| `scd export-findings --severity critical` | Filter exported findings by severity |
+| `scd export-findings --scan <id>` | Export from a specific saved scan |
+
+### Findings
+
+| Command | Description |
+|---|---|
+| `scd findings` | List open (unhandled) findings from last scan |
+| `scd findings <finding-id>` | Show a specific finding with full detail (problem, scenario, fix) |
+| `scd findings --verbose` | Show all open findings with problem description, scenario, and fix |
+| `scd findings --all` | All findings including excepted and resolved |
+| `scd findings --excepted` | Only excepted findings |
+| `scd findings --show-suppressed` | Show findings suppressed by file context classification |
+| `scd findings --severity critical` | Filter by severity |
+| `scd findings --rule <id>` | Filter by rule ID |
+| `scd findings --scan <id>` | Load a specific historic scan |
+
+### Exception and scope management
+
+| Command | Description |
+|---|---|
+| `scd accept <finding-id> --reason "<text>"` | Accept a risk — requires team-lead approval via scd-server |
+| `scd ignore <finding-id> --reason "<text>"` | Ignore a finding (false positive, out of scope) |
+| `scd resolve` | Mark an EXPOSURE finding as handled, or remove a rejected exception |
+| `scd sync` | Pull approvals/rejections from scd-server |
+| `scd exceptions` | List all exceptions and their status |
+| `scd scope --show` | Show current scope exclusions |
+| `scd scope --add-file <pattern>` | Permanently exclude a file or directory |
+| `scd scope --add-rule <id>` | Permanently exclude a rule |
+| `scd scope --remove-file <pattern>` | Remove a file exclusion |
+| `scd scope --remove-rule <id>` | Remove a rule exclusion |
+
+### Repository management
+
+| Command | Description |
+|---|---|
+| `scd init` | Register current directory and install git hooks |
+| `scd repo` | Show repo info and scan statistics |
+| `scd repo configure` | Show or update per-repo configuration |
+| `scd repo hooks --disable --reason "<text>"` | Disable git hooks for this repo (reason required) |
+| `scd repo hooks --enable` | Re-enable git hooks |
+| `scd repo scope` | Manage per-repo scope exclusions |
+| `scd list` | List all registered repos |
+| `scd hooks` | Show hook status across all repos |
+| `scd remove` | Remove repo from scd |
+
+### Rules and insights
+
+| Command | Description |
+|---|---|
+| `scd rules` | List all rules |
+| `scd rules --search <term>` | Search rules by name or ID |
+| `scd rules --stats` | Show rule counts by severity |
+| `scd insights` | Behavioural analysis across scan history |
+| `scd audit` | Show audit log |
+
+### Diagnostics
+
+| Command | Description |
+|---|---|
+| `scd doctor` | Verify installation, hook status, and server connectivity |
+| `scd version` | Show version and rule counts |
+| `scd configure --show` | Show server configuration and global defaults |
+
+---
+
+## Privacy and data handling
+
+scd is designed for teams where code privacy is non-negotiable.
+
+**Local scanning.** Standard `scd scan` runs entirely on your machine. No code, no findings, no metadata leaves your network. Nothing is sent anywhere unless you explicitly connect scd-server.
+
+**scd-server.** When configured, scd pushes scan metadata and findings to your own scd-server instance — running in your own infrastructure. Findings never reach Activemind's servers.
+
+**Deep analysis.** `scd scan --deep` sends the triggering code line and 8 lines of surrounding context to your scd-server for AI analysis. The filename, rule ID, and severity are included. Whole files are never sent. Deep analysis requires scd-server with the Deep Analysis Pack. See [securecodebydesign.com](https://securecodebydesign.com) for subscription options.
+
+Set `trust_level: maximum_privacy` with `scd repo configure --trust-level maximum_privacy` to disable all external API calls entirely.
+
+### Exception management
+
+Exceptions are managed by finding ID — shown in scan output, reports, and `scd findings`. Never edit source code comments.
+
+```bash
+# View open findings with their IDs
+scd findings
+
+# Accept a risk (requires team-lead approval via scd-server)
+scd accept f-a1b2c3d4e5 --reason "Parameterized internally, validated input only"
+
+# Ignore a finding (false positive, out of scope etc.)
+scd ignore f-a1b2c3d4e5 --reason "Source maps intentionally included in staging" \
+  --tag false_positive
+
+# Pull approvals/rejections from team server
+scd sync
+
+# List exceptions and their status
+scd exceptions --list all
+
+# Remove a rejected exception after fixing the issue
+scd resolve --rejected exc-mn7k96ml
+```
+
+Exceptions include a hash of the relevant code line. If the code changes, the exception requires re-approval automatically.
+
+After `scd sync`, the next scan shows pending status inline:
+
+```
+ℹ  2 exception(s) pending approval – synced recently – run scd sync
+⚠  1 rejected exception(s) — fix required:
+   PHP-INJ-002  WS_addUser.php:10  [exc-mn7k96ml]
+```
+
+### Project configuration
+
+Per-repository configuration lives in `~/.scd/repos/{repoId}/config.yml` — outside your repository, alongside scan history and exceptions. This keeps your repository clean and avoids committing security configuration to source control.
+
+```yaml
+trust_level: balanced        # maximum_privacy | balanced | maximum_analysis
+scan_mode: full              # full (with taint analysis) | fast (regex only)
+block_on_critical: true
+block_on_high: true
+```
+
+Edit with `scd repo configure --<option> <value>` or directly in the file.
+
+`trust_level` controls which external connections are permitted:
+
+| Value | Behaviour |
+|---|---|
+| `maximum_privacy` | No external API calls. Local model only. Strongest privacy guarantee. |
+| `balanced` | Default. Local model preferred; cloud available as explicit opt-in. |
+| `maximum_analysis` | Cloud provider (Claude API). Maximum analysis depth. |
+
+---
+
+## Exporting findings
+
+`scd export-findings` produces a self-contained JSON snapshot useful for sharing with an external reviewer:
+
+```bash
+scd export-findings                          # all findings
+scd export-findings --deep-only              # only findings with deep analysis
+scd export-findings --severity critical      # filter by severity
+scd export-findings --rule PHP-INJ-001       # filter by rule
+scd export-findings --scan s-a3f9b2c1        # from specific scan
+scd export-findings --output /tmp/review.json
+```
+
+---
+
+## Multi-machine setup
+
+See [INSTALL.md](INSTALL.md) for full platform-specific instructions including Node.js setup for macOS, Linux, and Windows.
+
+---
+
+## Project structure
+
+```
+bin/
+  scd.js                  ← CLI entry point (all scd commands)
+lib/
+  commands/               ← One file per scd command (scan, findings, report, …)
+  scanner-full.js         ← OWASP scanner with taint analysis
+  scanner-secrets.js      ← Fast secrets scanner (pre-commit)
+  file-manifest.js        ← Pre-scan file classification (source/test/excluded)
+  file-context.js         ← Per-file classification with two-layer detection
+  context-modifiers.js    ← Severity adjustment based on file context + _trace
+  comment-map.js          ← Per-file line classifier (CODE/COMMENT/MIXED)
+  taint-register.js       ← Single-file taint tracking engine
+  store.js                ← Global store path management
+  store-verify.js         ← Store health checks and cleanup
+  scan-cache.js           ← Per-scan storage (scans/ directory)
+  scan-context.js         ← Repo-logging context resolution
+  rule-registry.js        ← Normalised catalogue of all rules
+  config.js               ← Config loading, isExcepted(), getRuleAction()
+  exception-manager.js    ← Exception/ignore create, sync, resolve
+  deep-analyzer.js        ← Deep analysis via scd-server
+  cli-helpers.js          ← Shared CLI utilities (warnIfOutdated, openInBrowser, tryFlush)
+  output-terminal.js      ← Compact + verbose terminal output
+  report-html.js          ← HTML report generator
+  report-markdown.js      ← Markdown report generator
+  report-json.js          ← JSON report generator
+  export-findings.js      ← Export findings to JSON
+  rules/                  ← Rule definitions per language
+    rule-loader.js        ← JSON→runtime compiler (pattern, antipatterns, extensions)
+    rules-js.json         ← JavaScript/TypeScript rules incl. JS-ERR-002/B/C
+    rules-infra-leakage.json ← Infrastructure rules incl. INFRA-001/B/C, 002/B/C
+    rules-sensitive-files.json ← Sensitive file rules incl. LOG-004, EXPOSURE-001
+    rules-secrets.json    ← Secrets detection
+    rules-python.json     ← Python rules
+    rules-php.json        ← PHP rules
+    rules-aspx.json       ← ASP.NET markup rules
+    rules-aspx-cs.json    ← ASP.NET C# rules
+    rules-ts.json         ← TypeScript-specific rules
+```
+
+---
+
+## Dependencies
+
+scd is intentionally lightweight. Keeping the dependency surface small is a deliberate design principle — fewer dependencies means fewer supply chain risks, faster installs, and easier security auditing.
+
+| Package | Version | Purpose |
+|---|---|---|
+| [commander](https://github.com/tj/commander.js) | ^14.0.3 | CLI argument parsing and subcommand structure |
+| [semver](https://github.com/npm/node-semver) | ^7.x | Semantic version comparison for server compatibility checks |
+
+No other runtime dependencies. Node.js built-in modules handle everything else.
+
+Verify at any time:
+
+```bash
+npm list          # full dependency tree
+npm audit         # check for known vulnerabilities
+```
+
+---
+
+## Roadmap
+
+- `scd deps` – Dependency vulnerability scanning against OSV + CISA KEV feeds (designed, in development)
+- Config-context file classification — distinguishes application config, infrastructure config, and schema/documentation files before rules run; improves precision for YAML and configuration-heavy projects
+- `scd uninstall` – clean removal with store data options
+
+---
+
+## Disclaimer
+
+Secure Code by Design is a static analysis tool designed to help development teams identify common security vulnerability patterns in source code. It is provided as a technical aid, not as a guarantee of security.
+
+**scd does not replace professional security testing.** No automated tool can detect all vulnerabilities in a codebase. scd does not perform dynamic analysis, penetration testing, runtime monitoring, or threat modelling. Findings depend on rule coverage, code patterns, and the languages supported — classes of vulnerabilities may exist that scd does not and cannot detect.
+
+**No liability for security incidents.** Activemind Solutions AB and the contributors to this project accept no liability for security breaches, data loss, regulatory penalties, or any other damages arising from the use or non-use of this tool, including cases where a vulnerability present in a scanned codebase was not identified by scd. The presence of a passing scan does not constitute a security certification or assurance of any kind.
+
+**scd is one layer of defence.** Effective application security requires multiple overlapping measures: secure design, code review, dependency management, penetration testing, monitoring, and incident response. scd is designed to make one of those layers — routine code scanning — easier and more consistent. It is not a substitute for any of the others.
+
+If your organisation requires a formal security assessment, contact a qualified security professional or penetration testing firm.
+
+---
+
+## Security & responsible disclosure
+
+Secure Code by Design is a security tool — and like any software, it may contain vulnerabilities. We encourage security testing of this product and welcome responsible disclosure.
+
+**Expected behaviour:** Running `scd scan` on this repository will trigger findings in the rule files themselves — patterns that match injection, hardcoded secrets, and similar issues are present by design as test cases. These are expected false positives when scanning the tool's own source code.
+
+**Reporting a vulnerability:** If you discover a genuine security issue, please report it privately to [security@activemind.se](mailto:security@activemind.se). Do not open a public GitHub issue for security vulnerabilities.
+
+We aim to acknowledge reports within 2 business days and resolve confirmed issues as quickly as possible. Credit is given to researchers who report valid findings responsibly.
+
+---
+
+## About
+
+Built by [Activemind Solutions AB](https://activemind.se) — security consulting and penetration testing.
+
+> Secure Code by Design is a commercial product. See LICENSE for terms.

package/bin/scd.js

@@ -0,0 +1,140 @@
+#!/usr/bin/env node
+/**
+ * scd – CLI entry point
+ * Config-aware with audit logging
+ */
+
+const { Command } = require('commander');
+
+const { warnIfOutdated, openInBrowser, tryFlush } = require('../lib/cli-helpers');
+const { loadConfig, getRepoRoot } = require('../lib/config');
+
+const program = new Command();
+
+const pkg = require('../package.json');
+
+
+program
+  .name('scd')
+  .description('Secure Code by Design – automated security scanning');
+
+// Handle --version / -V before Commander parses — shows scd version output
+// identical to `scd version`, instead of Commander's default single-line format.
+if (process.argv.includes('--version') || process.argv.includes('-V')) {
+  require('../lib/commands/version').showVersion();
+  process.exit(0);
+}
+
+require('../lib/commands/scan').register(program);
+
+
+require('../lib/commands/install').register(program);
+require('../lib/commands/uninstall').register(program);
+
+require('../lib/commands/doctor').register(program);
+
+require('../lib/commands/accept').register(program);
+
+require('../lib/commands/ignore').register(program);
+
+require('../lib/commands/findings').register(program);
+
+
+require('../lib/commands/sync').register(program);
+
+require('../lib/commands/exceptions').register(program);
+
+require('../lib/commands/resolve').register(program);
+
+require('../lib/commands/init').register(program);
+
+require('../lib/commands/remove').register(program);
+
+require('../lib/commands/report').register(program);
+
+require('../lib/commands/audit').register(program);
+require('../lib/commands/insights').register(program);
+
+require('../lib/commands/configure').register(program);
+require('../lib/commands/scope').register(program);
+
+
+require('../lib/commands/repo').register(program);
+
+require('../lib/commands/version').register(program);
+require('../lib/commands/list').register(program);
+require('../lib/commands/rules').register(program);
+
+require('../lib/commands/export-findings').register(program);
+
+
+// ── scd review-rules (Activemind-internal, hidden from scd --help) ───────────
+{
+  const { Command } = require('commander');
+  const reviewCmd = new Command('review-rules');
+  reviewCmd
+    .description('Export findings with rule internals for Activemind rule quality review')
+    .option('--scan <id>',        'Scan ID to export (default: latest scan)')
+    .option('--severity <level>', 'Filter by severity: critical, high, medium, exposure')
+    .option('--rule <id>',        'Filter to a specific rule ID')
+    .option('--deep-only',        'Export only findings that have a deep analysis result')
+    .option('--output <path>',    'Output file path (default: ~/.scd/repos/{id}/exports/scd-review-{scanId}.json)')
+    .action(async (opts) => {
+      const path  = require('path');
+      const store = require('../lib/store');
+      const { exportFindings } = require('../lib/export-findings');
+      const { loadCache } = require('../lib/scan-cache');
+      const repoRoot = getRepoRoot();
+
+      let resolvedScanId = opts.scan || null;
+      if (!resolvedScanId) {
+        const latest = loadCache(repoRoot);
+        if (latest) resolvedScanId = latest.scanId;
+      }
+
+      const defaultName = 'scd-review-' + (resolvedScanId || 'scan') + '.json';
+      const outputPath  = opts.output
+        ? path.resolve(process.cwd(), opts.output)
+        : store.exportPath(repoRoot, defaultName);
+
+      await exportFindings({
+        repoRoot,
+        scanId:               opts.scan     || null,
+        severity:             opts.severity || null,
+        rule:                 opts.rule     || null,
+        deepOnly:             !!opts.deepOnly,
+        outputPath,
+        includeRuleInternals: true,
+        command:              'review-rules',
+      });
+    });
+
+  program.addCommand(reviewCmd, { hidden: true });
+}
+
+
+program.parse(process.argv);
+
+// ── Push worker – trigger after every command ─────────────────────────────
+// Non-blocking: runs after the CLI command completes.
+// Only active when a central URL is configured.
+// Failures are silent – never affect CLI output or exit code.
+setImmediate(() => {
+  try {
+    const { getCentralUrl } = require('../lib/global-config');
+    const centralUrl = getCentralUrl();
+    if (!centralUrl) return;
+
+    const { flush, queueSize } = require('../lib/push-queue');
+    if (queueSize() === 0) return;
+
+    // Pass repoRoot so meta includes repo and installation identity
+    const repoRoot = (() => {
+      try { return require('../lib/config').getRepoRoot(); } catch { return null; }
+    })();
+
+    flush(centralUrl, { repoRoot }).catch(() => {});
+  } catch {
+    // Non-fatal
+  }
+});

package/lib/audit-report.js

@@ -0,0 +1,93 @@
+const { RESET, BOLD, DIM, RED, GREEN, YELLOW, CYAN } = require('./output-constants');
+/**
+ * audit-report.js
+ * Human-readable terminal report of the audit log.
+ * Shows findings history, exceptions, expired exceptions.
+ */
+
+const { readAuditLog, EVENTS } = require('./audit');
+
+async function showAuditReport(repoRoot, limit = 50) {
+  const events = readAuditLog(repoRoot, 500);
+
+  if (events.length === 0) {
+    console.log(DIM + '\n No audit log found yet.' + RESET + '\n');
+    return;
+  }
+
+  console.log(`\n${CYAN}${BOLD}╔══════════════════════════════════════════╗${RESET}`);
+  console.log(`${CYAN}${BOLD}║     Secure Code by Design – Audit Report  ║${RESET}`);
+  console.log(`${CYAN}${BOLD}╚══════════════════════════════════════════╝${RESET}\n`);
+
+  // ── Stats ────────────────────────────────────────────────────────────────
+  const scans     = events.filter(e => e.event === EVENTS.SCAN_STARTED);
+  const blocked   = events.filter(e => e.event === EVENTS.FINDING_BLOCKED);
+  const warned    = events.filter(e => e.event === EVENTS.FINDING_WARNED);
+  const excepted  = events.filter(e => e.event === EVENTS.FINDING_EXCEPTED);
+  const expired   = events.filter(e => e.event === EVENTS.FINDING_EXCEPTION_EXPIRED);
+  const scanBlocked = events.filter(e => e.event === EVENTS.SCAN_BLOCKED);
+
+  console.log(`${BOLD}Summary${RESET}`);
+  console.log(`  Total scans:              ${scans.length}`);
+  console.log(`  Blocked scans:            ${RED}${scanBlocked.length}${RESET}`);
+  console.log(`  Blocked findings:         ${RED}${blocked.length}${RESET}`);
+  console.log(`  Warned findings:          ${YELLOW}${warned.length}${RESET}`);
+  console.log(`  Excepted findings:        ${DIM}${excepted.length}${RESET}`);
+
+  if (expired.length > 0) {
+    console.log(`  ${RED}${BOLD}Expired exceptions:        ${expired.length} – action required!${RESET}`);
+  }
+
+  // ── Expired exceptions – these need immediate attention ──────────────────
+  if (expired.length > 0) {
+    console.log(`\n${RED}${BOLD}⚠️  Expired exceptions – immediate action required${RESET}`);
+    console.log(`${RED}${'─'.repeat(50)}${RESET}`);
+    for (const e of expired.slice(-10)) {
+      console.log(`  ${e.timestamp.slice(0, 10)}  ${e.rule_id}  ${e.file}:${e.line}`);
+      console.log(`  ${DIM}Exception approved by: ${e.exception_by || 'unknown'}${RESET}`);
+    }
+  }
+
+  // ── Recent blocked findings ───────────────────────────────────────────────
+  if (blocked.length > 0) {
+    console.log(`\n${BOLD}Recent blocked findings${RESET}`);
+    console.log(`${'─'.repeat(50)}`);
+    for (const e of blocked.slice(-10)) {
+      const date = e.timestamp.slice(0, 16).replace('T', ' ');
+      console.log(`  ${DIM}${date}${RESET}  ${RED}${e.severity}${RESET}  ${e.rule_id}`);
+      console.log(`  ${DIM}${e.file}:${e.line}  [${e.git_user}]${RESET}`);
+    }
+  }
+
+  // ── Active exceptions ─────────────────────────────────────────────────────
+  if (excepted.length > 0) {
+    console.log(`\n${BOLD}Active exceptions (recent runs)${RESET}`);
+    console.log(`${'─'.repeat(50)}`);
+
+    // Deduplicate by rule+file
+    const seen = new Set();
+    for (const e of excepted.slice(-20)) {
+      const key = `${e.rule_id}:${e.file}`;
+      if (seen.has(key)) continue;
+      seen.add(key);
+      const date = e.timestamp.slice(0, 10);
+      console.log(`  ${DIM}${date}${RESET}  ${YELLOW}${e.rule_id}${RESET}  ${e.file}`);
+      console.log(`  ${DIM}Approved by: ${e.exception_by || 'not specified'}${RESET}`);
+    }
+    console.log(`\n  ${DIM}Run 'scd approve --list' for full list${RESET}`);
+  }
+
+  // ── Recent scan history ───────────────────────────────────────────────────
+  console.log(`\n${BOLD}Recent scans${RESET}`);
+  console.log(`${'─'.repeat(50)}`);
+  for (const e of scans.slice(-5)) {
+    const date = e.timestamp.slice(0, 16).replace('T', ' ');
+    const outcome = scanBlocked.find(b => b.session_id === e.session_id);
+    const icon = outcome ? `${RED}🚫${RESET}` : `${GREEN}✅${RESET}`;
+    console.log(`  ${icon}  ${DIM}${date}${RESET}  ${e.hook}  ${e.files_count} file(s)  [${e.git_user}]`);
+  }
+
+  console.log('');
+}
+
+module.exports = { showAuditReport };