@cencori/scan 0.1.1 → 0.3.0

package/dist/cli.js

@@ -27,6 +27,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var import_commander = require("commander");
 var import_chalk = __toESM(require("chalk"));
 var import_ora = __toESM(require("ora"));
+var import_prompts = require("@inquirer/prompts");
 
 // src/scanner/index.ts
 var fs = __toESM(require("fs"));
@@ -88,6 +89,12 @@ var SECRET_PATTERNS = [
     pattern: /sk_test_[0-9a-zA-Z]{24,}/g,
     severity: "medium"
   },
+  {
+    name: "Stripe Webhook Secret",
+    provider: "Stripe",
+    pattern: /whsec_[a-zA-Z0-9]{24,}/g,
+    severity: "critical"
+  },
   // AWS
   {
     name: "AWS Access Key ID",
@@ -114,6 +121,12 @@ var SECRET_PATTERNS = [
     pattern: /gho_[a-zA-Z0-9]{36}/g,
     severity: "critical"
   },
+  {
+    name: "GitHub Webhook Secret",
+    provider: "GitHub",
+    pattern: /sha256=[a-fA-F0-9]{64}/g,
+    severity: "high"
+  },
   // Telegram
   {
     name: "Telegram Bot Token",
@@ -196,13 +209,56 @@ var SECRET_PATTERNS = [
     pattern: /hf_[a-zA-Z0-9]{34}/g,
     severity: "critical"
   },
-  // Cohere
+  // JWT Secrets
   {
-    name: "Cohere API Key",
-    provider: "Cohere",
-    pattern: /[a-zA-Z0-9]{40}/g,
-    // Less specific, check context
-    severity: "medium"
+    name: "JWT Secret Assignment",
+    provider: "Generic",
+    pattern: /JWT_SECRET\s*[:=]\s*["'][^"']{16,}["']/gi,
+    severity: "critical"
+  },
+  {
+    name: "Hardcoded JWT Sign",
+    provider: "Generic",
+    pattern: /jwt\.(sign|verify)\s*\([^,]+,\s*["'][^"']{10,}["']/gi,
+    severity: "critical"
+  },
+  // OAuth Secrets
+  {
+    name: "OAuth Client Secret",
+    provider: "Generic",
+    pattern: /client_secret\s*[:=]\s*["'][a-zA-Z0-9_-]{20,}["']/gi,
+    severity: "critical"
+  },
+  {
+    name: "Google Client Secret",
+    provider: "Google",
+    pattern: /GOOGLE_CLIENT_SECRET\s*[:=]\s*["'][^"']+["']/gi,
+    severity: "critical"
+  },
+  // Database Connection Strings
+  {
+    name: "MongoDB Connection String",
+    provider: "MongoDB",
+    pattern: /mongodb(\+srv)?:\/\/[^@\s]+@[^\s"']+/g,
+    severity: "critical"
+  },
+  {
+    name: "PostgreSQL Connection String",
+    provider: "PostgreSQL",
+    pattern: /postgres(ql)?:\/\/[^\s"']+/g,
+    severity: "critical"
+  },
+  {
+    name: "MySQL Connection String",
+    provider: "MySQL",
+    pattern: /mysql:\/\/[^\s"']+/g,
+    severity: "critical"
+  },
+  {
+    name: "Redis Connection String",
+    provider: "Redis",
+    pattern: /redis:\/\/[^\s"']+/g,
+    severity: "high"
   }
 ];
 var PII_PATTERNS = [
@@ -238,7 +294,7 @@ var PII_PATTERNS = [
   }
 ];
 var ROUTE_PATTERNS = [
-  // Next.js API routes without auth
+  // Next.js API routes
   {
     name: "Next.js API Route (check for auth)",
     framework: "Next.js",
@@ -253,6 +309,120 @@ var ROUTE_PATTERNS = [
     pattern: /app\.(get|post|put|delete|patch)\s*\(\s*["'`][^"'`]+["'`]\s*,\s*(?!.*auth)/gi,
     severity: "medium",
     description: "Express route - check if auth middleware is applied"
+  },
+  // Admin routes
+  {
+    name: "Admin Route Exposed",
+    framework: "Generic",
+    pattern: /["'`](\/admin|\/dashboard|\/internal|\/private)[^"'`]*["'`]/gi,
+    severity: "high",
+    description: "Sensitive route - ensure proper authentication"
+  }
+];
+var VULNERABILITY_PATTERNS = [
+  // Hardcoded URLs
+  {
+    name: "Localhost URL in Code",
+    category: "hardcoded-url",
+    pattern: /https?:\/\/localhost[:\d]*/gi,
+    severity: "medium",
+    description: "Development URL - should use environment variables"
+  },
+  {
+    name: "Staging/Dev URL in Code",
+    category: "hardcoded-url",
+    pattern: /https?:\/\/(staging\.|dev\.|test\.)[^\s"']+/gi,
+    severity: "medium",
+    description: "Non-production URL in code"
+  },
+  // Debug artifacts (skip console.log - too many false positives for CLI tools)
+  {
+    name: "Debug Flag Enabled",
+    category: "debug",
+    pattern: /DEBUG\s*[:=]\s*(true|1|["']true["'])/gi,
+    severity: "medium",
+    description: "Debug mode enabled - disable in production"
+  },
+  {
+    name: "Hardcoded Development Mode",
+    category: "debug",
+    pattern: /NODE_ENV\s*[:=]\s*["']development["']/gi,
+    severity: "medium",
+    description: "Hardcoded development mode"
+  },
+  // CORS issues
+  {
+    name: "CORS Wildcard Origin",
+    category: "cors",
+    pattern: /Access-Control-Allow-Origin['":\s]+\*/g,
+    severity: "high",
+    description: "Allows requests from any origin - security risk"
+  },
+  {
+    name: "Permissive CORS Config",
+    category: "cors",
+    pattern: /cors\s*\(\s*\)/g,
+    severity: "medium",
+    description: "CORS with default (permissive) settings"
+  },
+  // SQL Injection
+  {
+    name: "SQL String Concatenation",
+    category: "injection",
+    pattern: /query\s*\(\s*[`'"].*\$\{.*\}/g,
+    severity: "critical",
+    description: "Potential SQL injection - use parameterized queries"
+  },
+  {
+    name: "SQL String Addition",
+    category: "injection",
+    pattern: /(SELECT|INSERT|UPDATE|DELETE).*["']\s*\+\s*\w+/gi,
+    severity: "critical",
+    description: "SQL built with string concatenation"
+  },
+  // XSS Vulnerabilities
+  {
+    name: "React dangerouslySetInnerHTML",
+    category: "xss",
+    pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html/g,
+    severity: "high",
+    description: "Renders raw HTML - ensure input is sanitized"
+  },
+  {
+    name: "Direct innerHTML Assignment",
+    category: "xss",
+    pattern: /\.innerHTML\s*=/g,
+    severity: "high",
+    description: "Direct HTML injection - use textContent instead"
+  },
+  {
+    name: "Vue v-html Directive",
+    category: "xss",
+    pattern: /v-html\s*=\s*["'][^"']+["']/g,
+    severity: "high",
+    description: "Vue raw HTML binding - ensure input is sanitized"
+  },
+  {
+    name: "Document Write",
+    category: "xss",
+    pattern: /document\.write\s*\(/g,
+    severity: "high",
+    description: "Deprecated and potentially dangerous"
+  },
+  // Eval and code execution
+  {
+    name: "Eval Usage",
+    category: "injection",
+    pattern: /\beval\s*\(/g,
+    severity: "critical",
+    description: "Code execution - major security risk"
+  },
+  {
+    name: "Function Constructor",
+    category: "injection",
+    pattern: /new\s+Function\s*\(/g,
+    severity: "high",
+    description: "Dynamic code execution risk"
   }
 ];
 var IGNORE_PATTERNS = [
@@ -293,7 +463,9 @@ var SCANNABLE_EXTENSIONS = [
   ".sql",
   ".sh",
   ".bash",
-  ".zsh"
+  ".zsh",
+  ".vue",
+  ".svelte"
 ];
 
 // src/scanner/index.ts
@@ -323,9 +495,14 @@ function isScannable(filePath) {
   const ext = path.extname(filePath).toLowerCase();
   return SCANNABLE_EXTENSIONS.includes(ext);
 }
+function isDocOrTestFile(filePath) {
+  const lower = filePath.toLowerCase();
+  return lower.includes(".test.") || lower.includes(".spec.") || lower.includes("__tests__") || lower.includes("/test/") || lower.includes("/tests/") || lower.endsWith(".md") || lower.includes("/docs/");
+}
 function scanFile(filePath, content) {
   const issues = [];
   const relativePath = filePath;
+  const isDocFile = isDocOrTestFile(filePath);
   for (const pattern of SECRET_PATTERNS) {
     pattern.pattern.lastIndex = 0;
     let match;
@@ -343,47 +520,73 @@ function scanFile(filePath, content) {
       });
     }
   }
-  for (const pattern of PII_PATTERNS) {
+  if (!isDocFile) {
+    for (const pattern of PII_PATTERNS) {
+      pattern.pattern.lastIndex = 0;
+      let match;
+      while ((match = pattern.pattern.exec(content)) !== null) {
+        const matchStr = match[0];
+        if (isLikelyFalsePositive(matchStr, pattern.name, filePath)) {
+          continue;
+        }
+        const pos = getPosition(content, match.index);
+        issues.push({
+          type: "pii",
+          severity: pattern.severity,
+          name: pattern.name,
+          file: relativePath,
+          line: pos.line,
+          column: pos.column,
+          match: redact(matchStr, 3)
+        });
+      }
+    }
+  }
+  for (const pattern of ROUTE_PATTERNS) {
     pattern.pattern.lastIndex = 0;
     let match;
     while ((match = pattern.pattern.exec(content)) !== null) {
-      const matchStr = match[0];
-      if (isLikelyFalsePositive(matchStr, pattern.name)) {
-        continue;
-      }
       const pos = getPosition(content, match.index);
       issues.push({
-        type: "pii",
+        type: "route",
         severity: pattern.severity,
         name: pattern.name,
         file: relativePath,
         line: pos.line,
         column: pos.column,
-        match: redact(matchStr, 3)
+        match: match[0],
+        description: pattern.description
       });
     }
   }
-  for (const pattern of ROUTE_PATTERNS) {
+  for (const pattern of VULNERABILITY_PATTERNS) {
+    if (pattern.category === "debug" && isDocFile) {
+      continue;
+    }
     pattern.pattern.lastIndex = 0;
     let match;
     while ((match = pattern.pattern.exec(content)) !== null) {
+      if (pattern.category === "debug" && pattern.name === "Console Log Statement") {
+        if (match[0].includes("error") || match[0].includes("warn")) {
+          continue;
+        }
+      }
       const pos = getPosition(content, match.index);
       issues.push({
-        type: "route",
+        type: "vulnerability",
+        category: pattern.category,
         severity: pattern.severity,
         name: pattern.name,
         file: relativePath,
         line: pos.line,
         column: pos.column,
-        match: match[0],
+        match: match[0].length > 50 ? match[0].slice(0, 50) + "..." : match[0],
         description: pattern.description
       });
     }
   }
   const fileName = path.basename(filePath);
   if (fileName.startsWith(".env") && !fileName.includes(".example")) {
-    const gitignorePath = path.join(path.dirname(filePath), ".gitignore");
-    const gitignoreExists = fs.existsSync(gitignorePath);
     issues.push({
       type: "config",
       severity: "high",
@@ -392,20 +595,14 @@ function scanFile(filePath, content) {
       line: 1,
       column: 1,
       match: fileName,
-      description: gitignoreExists ? "Verify this file is in .gitignore" : "Add .env* to .gitignore"
+      description: "Add .env* to .gitignore"
     });
   }
   return issues;
 }
-function isLikelyFalsePositive(match, patternName) {
+function isLikelyFalsePositive(match, patternName, filePath) {
   if (patternName === "Email Address") {
-    const falseDomains = [
-      "example.com",
-      "example.org",
-      "test.com",
-      "localhost",
-      "placeholder.com"
-    ];
+    const falseDomains = ["example.com", "example.org", "test.com", "localhost", "placeholder.com"];
     if (falseDomains.some((d) => match.includes(d))) {
       return true;
     }
@@ -447,13 +644,12 @@ function calculateScore(issues) {
   const critical = issues.filter((i) => i.severity === "critical").length;
   const high = issues.filter((i) => i.severity === "high").length;
   const medium = issues.filter((i) => i.severity === "medium").length;
-  const total = issues.length;
   if (critical > 0) return "F";
   if (high >= 3) return "F";
   if (high >= 2) return "D";
   if (high >= 1 || medium >= 5) return "C";
   if (medium >= 2) return "B";
-  if (total === 0) return "A";
+  if (issues.length === 0) return "A";
   return "B";
 }
 function getTierDescription(score) {
@@ -467,7 +663,7 @@ function getTierDescription(score) {
     case "D":
       return "Poor. Significant security issues detected.";
     case "F":
-      return "Critical! Your app is leaking secrets.";
+      return "Critical! Major security vulnerabilities found.";
     default:
       return "";
   }
@@ -510,6 +706,7 @@ async function scan(targetPath) {
       pii: issues.filter((i) => i.type === "pii").length,
       routes: issues.filter((i) => i.type === "route").length,
       config: issues.filter((i) => i.type === "config").length,
+      vulnerabilities: issues.filter((i) => i.type === "vulnerability").length,
       critical: issues.filter((i) => i.severity === "critical").length,
       high: issues.filter((i) => i.severity === "high").length,
       medium: issues.filter((i) => i.severity === "medium").length,
@@ -518,8 +715,177 @@ async function scan(targetPath) {
   };
 }
 
+// src/ai/index.ts
+var CENCORI_API_URL = "https://api.cencori.com/v1";
+function getApiKey() {
+  return process.env.CENCORI_API_KEY;
+}
+function isAIAvailable() {
+  return !!getApiKey();
+}
+async function analyzeIssues(issues, fileContents) {
+  const apiKey = getApiKey();
+  if (!apiKey) {
+    throw new Error("CENCORI_API_KEY not set");
+  }
+  const results = [];
+  for (const issue of issues) {
+    const content = fileContents.get(issue.file) || "";
+    const lines = content.split("\n");
+    const startLine = Math.max(0, issue.line - 3);
+    const endLine = Math.min(lines.length, issue.line + 3);
+    const context = lines.slice(startLine, endLine).join("\n");
+    try {
+      const response = await fetch(`${CENCORI_API_URL}/chat/completions`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${apiKey}`
+        },
+        body: JSON.stringify({
+          model: "gpt-4o-mini",
+          messages: [
+            {
+              role: "system",
+              content: `You are a security analyst. Analyze code findings and determine if they are real security issues or false positives. Respond in JSON format: {"isFalsePositive": boolean, "confidence": number (0-100), "reason": "brief explanation"}`
+            },
+            {
+              role: "user",
+              content: `Analyze this security finding:
+Type: ${issue.type}
+Name: ${issue.name}
+Match: ${issue.match}
+File: ${issue.file}:${issue.line}
+Context:
+\`\`\`
+${context}
+\`\`\`
+
+Is this a real security issue or a false positive (e.g., test data, example code, documentation)?`
+            }
+          ],
+          temperature: 0,
+          max_tokens: 150
+        })
+      });
+      if (!response.ok) {
+        throw new Error(`API error: ${response.status}`);
+      }
+      const data = await response.json();
+      const content_response = data.choices[0]?.message?.content || "{}";
+      const parsed = JSON.parse(content_response);
+      results.push({
+        issue,
+        isFalsePositive: parsed.isFalsePositive || false,
+        confidence: parsed.confidence || 50,
+        reason: parsed.reason || "Unable to analyze"
+      });
+    } catch {
+      results.push({
+        issue,
+        isFalsePositive: false,
+        confidence: 50,
+        reason: "Analysis failed - treating as potential issue"
+      });
+    }
+  }
+  return results;
+}
+async function generateFixes(issues, fileContents) {
+  const apiKey = getApiKey();
+  if (!apiKey) {
+    throw new Error("CENCORI_API_KEY not set");
+  }
+  const results = [];
+  for (const issue of issues) {
+    const content = fileContents.get(issue.file) || "";
+    const lines = content.split("\n");
+    const startLine = Math.max(0, issue.line - 5);
+    const endLine = Math.min(lines.length, issue.line + 5);
+    const codeSnippet = lines.slice(startLine, endLine).join("\n");
+    try {
+      const response = await fetch(`${CENCORI_API_URL}/chat/completions`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${apiKey}`
+        },
+        body: JSON.stringify({
+          model: "gpt-4o-mini",
+          messages: [
+            {
+              role: "system",
+              content: `You are a security engineer. Generate secure code fixes. For secrets, use environment variables. For XSS, use sanitization. Respond in JSON: {"fixedCode": "the fixed code snippet", "explanation": "what was changed"}`
+            },
+            {
+              role: "user",
+              content: `Fix this security issue:
+Type: ${issue.type}
+Name: ${issue.name}
+File: ${issue.file}:${issue.line}
+
+Code to fix:
+\`\`\`
+${codeSnippet}
+\`\`\`
+
+Generate a secure fix.`
+            }
+          ],
+          temperature: 0,
+          max_tokens: 500
+        })
+      });
+      if (!response.ok) {
+        throw new Error(`API error: ${response.status}`);
+      }
+      const data = await response.json();
+      const content_response = data.choices[0]?.message?.content || "{}";
+      const parsed = JSON.parse(content_response);
+      results.push({
+        issue,
+        originalCode: codeSnippet,
+        fixedCode: parsed.fixedCode || codeSnippet,
+        explanation: parsed.explanation || "No explanation provided",
+        applied: false
+      });
+    } catch {
+      results.push({
+        issue,
+        originalCode: codeSnippet,
+        fixedCode: codeSnippet,
+        explanation: "Unable to generate fix - manual review required",
+        applied: false
+      });
+    }
+  }
+  return results;
+}
+async function applyFixes(fixes, fileContents) {
+  const fs3 = await import("fs");
+  const path3 = await import("path");
+  for (const fix of fixes) {
+    if (fix.fixedCode === fix.originalCode) {
+      continue;
+    }
+    const content = fileContents.get(fix.issue.file);
+    if (!content) {
+      continue;
+    }
+    const newContent = content.replace(fix.originalCode, fix.fixedCode);
+    if (newContent !== content) {
+      const filePath = path3.resolve(fix.issue.file);
+      fs3.writeFileSync(filePath, newContent, "utf-8");
+      fix.applied = true;
+    }
+  }
+  return fixes;
+}
+
 // src/cli.ts
-var VERSION = "0.1.0";
+var fs2 = __toESM(require("fs"));
+var path2 = __toESM(require("path"));
+var VERSION = "0.3.0";
 var scoreStyles = {
   A: { color: import_chalk.default.green },
   B: { color: import_chalk.default.blue },
@@ -537,7 +903,8 @@ var typeLabels = {
   secret: "SECRETS",
   pii: "PII",
   route: "ROUTES",
-  config: "CONFIG"
+  config: "CONFIG",
+  vulnerability: "VULNERABILITIES"
 };
 function printBanner() {
   console.log();
@@ -611,12 +978,15 @@ function printSummary(result) {
   }
   console.log();
 }
-function printFixes(issues) {
+function printRecommendations(issues) {
   if (issues.length === 0) return;
   console.log(`  ${import_chalk.default.bold("Recommendations:")}`);
   const hasSecrets = issues.some((i) => i.type === "secret");
   const hasPII = issues.some((i) => i.type === "pii");
   const hasConfig = issues.some((i) => i.type === "config");
+  const hasXSS = issues.some((i) => i.category === "xss");
+  const hasInjection = issues.some((i) => i.category === "injection");
+  const hasCORS = issues.some((i) => i.category === "cors");
   if (hasSecrets) {
     console.log(import_chalk.default.gray("    - Use environment variables for secrets"));
     console.log(import_chalk.default.gray("    - Never commit API keys to version control"));
@@ -627,6 +997,26 @@ function printFixes(issues) {
   if (hasPII) {
     console.log(import_chalk.default.gray("    - Remove personal data from source code"));
   }
+  if (hasXSS) {
+    console.log(import_chalk.default.gray("    - Sanitize user input before rendering HTML"));
+  }
+  if (hasInjection) {
+    console.log(import_chalk.default.gray("    - Use parameterized queries for SQL"));
+  }
+  if (hasCORS) {
+    console.log(import_chalk.default.gray("    - Configure CORS with specific allowed origins"));
+  }
+  console.log();
+}
+function printAIUpsell() {
+  console.log(import_chalk.default.gray("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log();
+  console.log(`  ${import_chalk.default.cyan.bold("Upgrade to Cencori Pro")}`);
+  console.log(import_chalk.default.gray("  Get AI-powered auto-fix for all issues:"));
+  console.log();
+  console.log(`  1. Get your API key at ${import_chalk.default.cyan("https://cencori.com/dashboard")}`);
+  console.log(`  2. Run: ${import_chalk.default.cyan("export CENCORI_API_KEY=your_key")}`);
+  console.log(`  3. Scan again to unlock AI auto-fix`);
   console.log();
 }
 function printFooter() {
@@ -636,8 +1026,90 @@ function printFooter() {
   console.log(`  Docs:  ${import_chalk.default.cyan("https://cencori.com/docs")}`);
   console.log();
 }
+function loadFileContents(issues, basePath) {
+  const contents = /* @__PURE__ */ new Map();
+  const uniqueFiles = [...new Set(issues.map((i) => i.file))];
+  for (const file of uniqueFiles) {
+    try {
+      const fullPath = path2.resolve(basePath, file);
+      const content = fs2.readFileSync(fullPath, "utf-8");
+      contents.set(file, content);
+    } catch {
+    }
+  }
+  return contents;
+}
+async function handleAutoFix(result, targetPath) {
+  if (result.issues.length === 0) return;
+  console.log();
+  if (!isAIAvailable()) {
+    printAIUpsell();
+    return;
+  }
+  const shouldFix = await (0, import_prompts.confirm)({
+    message: "Would you like Cencori to auto-fix these issues?",
+    default: false
+  });
+  if (!shouldFix) {
+    console.log();
+    console.log(import_chalk.default.gray("  Skipped auto-fix. Run again anytime to fix issues."));
+    console.log();
+    return;
+  }
+  const fileContents = loadFileContents(result.issues, targetPath);
+  const analyzeSpinner = (0, import_ora.default)({
+    text: "Analyzing issues with AI...",
+    color: "cyan"
+  }).start();
+  try {
+    const analysis = await analyzeIssues(result.issues, fileContents);
+    const realIssues = analysis.filter((a) => !a.isFalsePositive);
+    const falsePositives = analysis.filter((a) => a.isFalsePositive);
+    if (falsePositives.length > 0) {
+      analyzeSpinner.succeed(`${import_chalk.default.green(falsePositives.length)} false positives filtered`);
+    } else {
+      analyzeSpinner.succeed("Analysis complete");
+    }
+    if (realIssues.length === 0) {
+      console.log(import_chalk.default.green("  All issues were false positives!"));
+      return;
+    }
+    const fixSpinner = (0, import_ora.default)({
+      text: "Generating fixes...",
+      color: "cyan"
+    }).start();
+    const fixes = await generateFixes(
+      realIssues.map((a) => a.issue),
+      fileContents
+    );
+    fixSpinner.succeed(`Generated ${fixes.length} fixes`);
+    const applySpinner = (0, import_ora.default)({
+      text: "Applying fixes...",
+      color: "cyan"
+    }).start();
+    const appliedFixes = await applyFixes(fixes, fileContents);
+    const appliedCount = appliedFixes.filter((f) => f.applied).length;
+    applySpinner.succeed(`Applied ${appliedCount}/${fixes.length} fixes`);
+    console.log();
+    console.log(`  ${import_chalk.default.bold("Applied fixes:")}`);
+    for (const fix of appliedFixes.filter((f) => f.applied)) {
+      console.log(import_chalk.default.green(`    \u2714 ${fix.issue.file}:${fix.issue.line}`));
+      console.log(import_chalk.default.gray(`      ${fix.explanation}`));
+    }
+    const notApplied = appliedFixes.filter((f) => !f.applied);
+    if (notApplied.length > 0) {
+      console.log();
+      console.log(`  ${import_chalk.default.yellow(`${notApplied.length} issues require manual review`)}`);
+    }
+    console.log();
+  } catch (error) {
+    analyzeSpinner.fail("Auto-fix failed");
+    console.error(import_chalk.default.red(`  Error: ${error instanceof Error ? error.message : "Unknown error"}`));
+    console.log();
+  }
+}
 async function main() {
-  import_commander.program.name("cencori-scan").description("Security scanner for AI apps. Detect secrets, PII, and exposed routes.").version(VERSION).argument("[path]", "Path to scan", ".").option("-j, --json", "Output results as JSON").option("-q, --quiet", "Only output the score").option("--no-color", "Disable colored output").action(async (targetPath, options) => {
+  import_commander.program.name("cencori-scan").description("Security scanner for AI apps. Detect secrets, PII, and exposed routes.").version(VERSION).argument("[path]", "Path to scan", ".").option("-j, --json", "Output results as JSON").option("-q, --quiet", "Only output the score").option("--no-prompt", "Skip interactive prompts").option("--no-color", "Disable colored output").action(async (targetPath, options) => {
     if (options.json) {
       const result = await scan(targetPath);
       console.log(JSON.stringify(result, null, 2));
@@ -663,7 +1135,10 @@ async function main() {
       printScore(result);
       printIssues(result.issues);
       printSummary(result);
-      printFixes(result.issues);
+      printRecommendations(result.issues);
+      if (options.prompt !== false && result.issues.length > 0) {
+        await handleAutoFix(result, targetPath);
+      }
       printFooter();
       process.exit(result.score === "A" || result.score === "B" ? 0 : 1);
     } catch (error) {