@clear-capabilities/agentic-security-scanner 0.74.0

package/src/.agentic-security/streak.json

@@ -0,0 +1,26 @@
+{
+  "firstScanDate": "2026-05-13T12:55:24.025Z",
+  "lastScanDate": "2026-05-20T21:26:48.636Z",
+  "totalScans": 281,
+  "daysCleanCritical": 0,
+  "lastCleanDate": "2026-05-19",
+  "lastCriticalDate": "2026-05-20",
+  "hasEverHadCritical": true,
+  "bestDaysCleanCritical": 2,
+  "totalFindingsAtFirstScan": 135,
+  "totalFindingsAtLastScan": 408,
+  "totalFixesInferred": 114,
+  "lastGrade": "C",
+  "bestGrade": "B-",
+  "launchCheckPassedAt": null,
+  "achievements": [
+    "clean-sweep",
+    "first-fix",
+    "first-scan",
+    "scan-veteran-100",
+    "scan-veteran-25",
+    "triage-master",
+    "triage-silver"
+  ],
+  "previousGrade": "C"
+}

package/src/badge.js

@@ -0,0 +1,188 @@
+// Live SVG badge generator (v0.72).
+//
+// Every repo can drop a badge in its README pulling from the latest scan:
+//
+//   ![agentic-security](https://agentic-security.dev/badge?repo=<slug>)
+//
+// or self-hosted via the CLI subcommand emitting an inline <img> URL or
+// a static SVG. The badge format borrows from shields.io for visual
+// consistency. Reads from .agentic-security/last-scan.json or accepts a
+// scan object directly.
+//
+// Output formats:
+//   - 'svg'  — inline SVG string (default; the bytes you'd serve)
+//   - 'json' — { label, count, color, severity } for a frontend renderer
+//
+// Style variants:
+//   - 'flat'         — shields.io flat
+//   - 'for-the-badge' — caps + thicker
+//
+// Color is driven by the highest non-zero severity:
+//   critical → red
+//   high     → orange
+//   medium   → yellow
+//   low      → blue
+//   info     → lightgrey
+//   none     → brightgreen
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const COLORS = {
+  critical:    '#e05d44',  // red
+  high:        '#fe7d37',  // orange
+  medium:      '#dfb317',  // yellow
+  low:         '#007ec6',  // blue
+  info:        '#9f9f9f',  // grey
+  none:        '#4c1',     // brightgreen
+  label:       '#555',
+};
+
+const SEVERITIES = ['critical', 'high', 'medium', 'low', 'info'];
+
+function _readLastScan(scanRoot) {
+  if (!scanRoot) return null;
+  const fp = path.join(scanRoot, '.agentic-security', 'last-scan.json');
+  if (!fs.existsSync(fp)) return null;
+  try { return JSON.parse(fs.readFileSync(fp, 'utf8')); }
+  catch { return null; }
+}
+
+function _ageString(ts) {
+  if (!ts) return null;
+  const ageMs = Date.now() - new Date(ts).getTime();
+  if (isNaN(ageMs) || ageMs < 0) return null;
+  const min = Math.floor(ageMs / 60_000);
+  if (min < 60) return `${min}m ago`;
+  const hr = Math.floor(min / 60);
+  if (hr < 24) return `${hr}h ago`;
+  const day = Math.floor(hr / 24);
+  return `${day}d ago`;
+}
+
+/**
+ * Compute the badge value from a scan object.
+ *
+ * Returns:
+ *   {
+ *     label:    'agentic-security',
+ *     summary:  'critical 0 · high 2 · medium 5' | 'passing' | 'no scan',
+ *     color:    '#fe7d37',
+ *     highest:  'high' | 'none' | 'unknown',
+ *     ageStr:   '4h ago' | null,
+ *     counts:   { critical, high, medium, low, info },
+ *     total:    7,
+ *   }
+ */
+export function summarizeForBadge(scan) {
+  if (!scan || !Array.isArray(scan.findings)) {
+    return {
+      label: 'agentic-security',
+      summary: 'no scan',
+      color: COLORS.info,
+      highest: 'unknown',
+      ageStr: null,
+      counts: { critical: 0, high: 0, medium: 0, low: 0, info: 0 },
+      total: 0,
+    };
+  }
+  const counts = { critical: 0, high: 0, medium: 0, low: 0, info: 0 };
+  for (const f of scan.findings) {
+    const s = f.severity || 'info';
+    if (counts[s] !== undefined) counts[s]++;
+  }
+  let highest = 'none';
+  for (const s of SEVERITIES) { if (counts[s] > 0) { highest = s; break; } }
+  const color = COLORS[highest] || COLORS.info;
+  const summary = highest === 'none'
+    ? 'passing'
+    : `crit ${counts.critical} · high ${counts.high} · med ${counts.medium}`;
+  const total = SEVERITIES.reduce((a, s) => a + counts[s], 0);
+  return {
+    label: 'agentic-security',
+    summary,
+    color,
+    highest,
+    ageStr: _ageString(scan.timestamp || scan.when || scan.lastScan),
+    counts,
+    total,
+  };
+}
+
+/**
+ * Compute the badge from .agentic-security/last-scan.json under `scanRoot`.
+ */
+export function badgeFromScanRoot(scanRoot) {
+  return summarizeForBadge(_readLastScan(scanRoot));
+}
+
+function _xmlEscape(s) {
+  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
+}
+
+function _textWidth(s) {
+  // Rough character width — works fine for the small badge label range.
+  return s.length * 7 + 10;
+}
+
+/**
+ * Render an inline SVG matching shields.io's flat style. Self-contained
+ * (no external font references) so the badge works in any README.
+ */
+export function renderSvg(b, opts = {}) {
+  if (!b) b = summarizeForBadge(null);
+  const style = opts.style || 'flat';
+  const labelText = b.label;
+  const valueText = b.ageStr ? `${b.summary} · ${b.ageStr}` : b.summary;
+  const lblW = _textWidth(labelText);
+  const valW = _textWidth(valueText);
+  const totalW = lblW + valW;
+  const h = style === 'for-the-badge' ? 28 : 20;
+  const fontSize = style === 'for-the-badge' ? 12 : 11;
+  return `<svg xmlns="http://www.w3.org/2000/svg" width="${totalW}" height="${h}" role="img" aria-label="${_xmlEscape(labelText)}: ${_xmlEscape(valueText)}">
+  <title>${_xmlEscape(labelText)}: ${_xmlEscape(valueText)}</title>
+  <linearGradient id="s" x2="0" y2="100%">
+    <stop offset="0" stop-color="#bbb" stop-opacity=".1"/>
+    <stop offset="1" stop-opacity=".1"/>
+  </linearGradient>
+  <clipPath id="r"><rect width="${totalW}" height="${h}" rx="3" fill="#fff"/></clipPath>
+  <g clip-path="url(#r)">
+    <rect width="${lblW}" height="${h}" fill="${COLORS.label}"/>
+    <rect x="${lblW}" width="${valW}" height="${h}" fill="${b.color}"/>
+    <rect width="${totalW}" height="${h}" fill="url(#s)"/>
+  </g>
+  <g fill="#fff" text-anchor="middle" font-family="Verdana,Geneva,DejaVu Sans,sans-serif" font-size="${fontSize}">
+    <text aria-hidden="true" x="${lblW / 2}" y="${h - 6}" fill="#010101" fill-opacity=".3">${_xmlEscape(labelText)}</text>
+    <text x="${lblW / 2}" y="${h - 7}">${_xmlEscape(labelText)}</text>
+    <text aria-hidden="true" x="${lblW + valW / 2}" y="${h - 6}" fill="#010101" fill-opacity=".3">${_xmlEscape(valueText)}</text>
+    <text x="${lblW + valW / 2}" y="${h - 7}">${_xmlEscape(valueText)}</text>
+  </g>
+</svg>`;
+}
+
+/**
+ * Public entry: produce the badge in the requested format.
+ *
+ *   format: 'svg' (default) | 'json'
+ *   style:  'flat' (default) | 'for-the-badge'
+ *   scanRoot: directory containing .agentic-security/last-scan.json
+ *   scan: pre-loaded scan object (skips disk read)
+ */
+export function renderBadge({ format = 'svg', style = 'flat', scanRoot, scan } = {}) {
+  const summary = summarizeForBadge(scan || _readLastScan(scanRoot));
+  if (format === 'json') {
+    return JSON.stringify({
+      schemaVersion: 1,
+      label: summary.label,
+      message: summary.summary,
+      color: summary.color,
+      highest: summary.highest,
+      ageStr: summary.ageStr,
+      counts: summary.counts,
+      total: summary.total,
+    });
+  }
+  return renderSvg(summary, { style });
+}
+
+export const _internal = { COLORS, _ageString, _readLastScan };

package/src/compare.js

@@ -0,0 +1,203 @@
+// Side-by-side compare runner framework (v0.74).
+//
+// Generic framework for running a user-supplied scanner alongside
+// agentic-security on the same codebase and producing a comparison
+// card. We DO NOT ship configs for specific competitors — the
+// framework is bring-your-own-tool. The user provides:
+//
+//   - the other tool's invocation (an argv array)
+//   - a JSON path / regex that pulls findings out of its output
+//   - the field names that map to {file, line, severity, vuln, cwe}
+//
+// The framework runs both, normalizes both to a common shape, and
+// renders a Markdown comparison: overlap, agentic-security-only,
+// other-only, severity disagreement.
+//
+// Usage:
+//   agentic-security compare \\
+//     --with "other-cli scan . --json" \\
+//     --field-file "path" --field-line "lineNumber" \\
+//     --field-severity "level" --field-vuln "ruleId" \\
+//     --out compare.md
+//
+// The framework has zero knowledge of which "other tool" is running —
+// users supply config that maps the other tool's output shape to ours.
+
+import { spawnSync } from 'node:child_process';
+import * as fs from 'node:fs';
+import { runFullScan } from './engine.js';
+
+const SEVERITY_NORMALIZE = {
+  critical: 'critical', crit: 'critical', error: 'critical', '5': 'critical',
+  high:     'high',     warning: 'high',  warn: 'high',     '4': 'high',
+  medium:   'medium',   mid: 'medium',                       '3': 'medium',
+  low:      'low',      info: 'low',                         '2': 'low',
+  note:     'info',     none: 'info',                        '1': 'info',
+};
+
+function _normalizeSeverity(s) {
+  if (!s) return 'info';
+  return SEVERITY_NORMALIZE[String(s).toLowerCase()] || 'info';
+}
+
+/**
+ * Run the other tool with the given argv, parse its output as JSON,
+ * extract findings via the field map.
+ *
+ *   argv: ['other-cli', 'scan', '.', '--json']
+ *   fieldMap: { file: 'path', line: 'lineNumber', severity: 'level', vuln: 'ruleId', cwe: 'cwe' }
+ *   rootArrayPath: 'results' (optional — JSONPath-lite into the response)
+ */
+export function runOtherTool(argv, { fieldMap, rootArrayPath, timeoutMs = 120_000 } = {}) {
+  if (!Array.isArray(argv) || argv.length === 0) {
+    return { ok: false, reason: 'no-argv', findings: [] };
+  }
+  const r = spawnSync(argv[0], argv.slice(1), { encoding: 'utf8', timeout: timeoutMs });
+  if (r.error && r.error.code === 'ENOENT') {
+    return { ok: false, reason: 'binary-missing', findings: [] };
+  }
+  if (r.status === null) {
+    return { ok: false, reason: 'timed-out', findings: [] };
+  }
+  let parsed;
+  try { parsed = JSON.parse(r.stdout || '{}'); }
+  catch { return { ok: false, reason: 'json-parse-failed', findings: [] }; }
+  let arr = parsed;
+  if (rootArrayPath) {
+    for (const k of rootArrayPath.split('.')) arr = arr ? arr[k] : null;
+  }
+  if (!Array.isArray(arr)) arr = [];
+  const findings = arr.map(item => ({
+    file: _get(item, fieldMap?.file || 'file'),
+    line: Number(_get(item, fieldMap?.line || 'line')) || 0,
+    severity: _normalizeSeverity(_get(item, fieldMap?.severity || 'severity')),
+    vuln: String(_get(item, fieldMap?.vuln || 'vuln') || ''),
+    cwe: _get(item, fieldMap?.cwe || 'cwe') || null,
+    _other: true,
+  })).filter(f => f.file);
+  return { ok: true, findings, exitCode: r.status };
+}
+
+function _get(obj, path) {
+  if (!obj || !path) return null;
+  let cur = obj;
+  for (const k of String(path).split('.')) {
+    cur = cur ? cur[k] : null;
+    if (cur == null) return null;
+  }
+  return cur;
+}
+
+/**
+ * Compare two finding lists. Overlap is detected by (file, line, ±2)
+ * regardless of CWE — different tools sometimes assign different CWEs
+ * to the same shape.
+ *
+ * Returns:
+ *   {
+ *     overlap:        [{ ours, theirs }],          # both flagged same site
+ *     oursOnly:       Finding[],                   # we found, they missed
+ *     theirsOnly:     Finding[],                   # they found, we missed
+ *     severityShift:  [{ ours, theirs, oursSev, theirsSev }],
+ *   }
+ */
+export function compareFindings(ours, theirs) {
+  const oursByLoc = new Map();
+  for (const f of (ours || [])) {
+    if (!f.file) continue;
+    const key = `${f.file}:${f.line}`;
+    if (!oursByLoc.has(key)) oursByLoc.set(key, []);
+    oursByLoc.get(key).push(f);
+  }
+  const overlap = [];
+  const severityShift = [];
+  const theirsOnly = [];
+  const matchedOurs = new Set();
+  for (const t of (theirs || [])) {
+    let matched = null;
+    for (let d = -2; d <= 2; d++) {
+      const key = `${t.file}:${t.line + d}`;
+      const candidates = oursByLoc.get(key);
+      if (candidates && candidates.length) { matched = candidates[0]; break; }
+    }
+    if (matched) {
+      overlap.push({ ours: matched, theirs: t });
+      matchedOurs.add(matched);
+      if (matched.severity !== t.severity) {
+        severityShift.push({ ours: matched, theirs: t, oursSev: matched.severity, theirsSev: t.severity });
+      }
+    } else {
+      theirsOnly.push(t);
+    }
+  }
+  const oursOnly = (ours || []).filter(f => !matchedOurs.has(f));
+  return { overlap, oursOnly, theirsOnly, severityShift };
+}
+
+/**
+ * Render the comparison as a Markdown card. Tool names are user-supplied
+ * (per the no-competitor-names policy — the framework doesn't ship any
+ * built-in adapter for specific competitors).
+ */
+export function renderComparison(comparison, { ourName = 'agentic-security', otherName = 'other-tool' } = {}) {
+  const c = comparison || { overlap: [], oursOnly: [], theirsOnly: [], severityShift: [] };
+  const lines = [];
+  lines.push(`# Comparison: ${ourName} vs. ${otherName}`);
+  lines.push('');
+  lines.push(`| Metric | ${ourName} | ${otherName} |`);
+  lines.push('|--------|------:|------:|');
+  lines.push(`| Findings | ${c.overlap.length + c.oursOnly.length} | ${c.overlap.length + c.theirsOnly.length} |`);
+  lines.push(`| Overlap  | ${c.overlap.length} | ${c.overlap.length} |`);
+  lines.push(`| Unique   | ${c.oursOnly.length} | ${c.theirsOnly.length} |`);
+  lines.push(`| Severity disagreement | ${c.severityShift.length} | — |`);
+  lines.push('');
+  if (c.oursOnly.length) {
+    lines.push(`### ${c.oursOnly.length} findings only ${ourName} caught`);
+    lines.push('');
+    for (const f of c.oursOnly.slice(0, 10)) {
+      lines.push(`- **${f.severity}** \`${f.file}:${f.line}\` — ${f.vuln} ${f.cwe ? `(${f.cwe})` : ''}`);
+    }
+    if (c.oursOnly.length > 10) lines.push(`- … +${c.oursOnly.length - 10} more`);
+    lines.push('');
+  }
+  if (c.theirsOnly.length) {
+    lines.push(`### ${c.theirsOnly.length} findings only ${otherName} caught`);
+    lines.push('');
+    for (const f of c.theirsOnly.slice(0, 10)) {
+      lines.push(`- **${f.severity}** \`${f.file}:${f.line}\` — ${f.vuln} ${f.cwe ? `(${f.cwe})` : ''}`);
+    }
+    if (c.theirsOnly.length > 10) lines.push(`- … +${c.theirsOnly.length - 10} more`);
+    lines.push('');
+  }
+  if (c.severityShift.length) {
+    lines.push(`### ${c.severityShift.length} severity disagreements`);
+    lines.push('');
+    for (const s of c.severityShift.slice(0, 10)) {
+      lines.push(`- \`${s.ours.file}:${s.ours.line}\` — ${ourName}: **${s.oursSev}**, ${otherName}: **${s.theirsSev}**`);
+    }
+    lines.push('');
+  }
+  if (c.overlap.length && !c.oursOnly.length && !c.theirsOnly.length) {
+    lines.push('Perfect overlap — both tools agree on every finding.');
+  }
+  return lines.join('\n');
+}
+
+/**
+ * Full pipeline: run agentic-security in-memory + run the other tool +
+ * compare + render.
+ */
+export async function runComparison({ scanRoot, fileContents, otherArgv, otherFieldMap, otherRootArrayPath, ourName, otherName }) {
+  const ourScan = await runFullScan({ fileContents, scanRoot }, () => {});
+  const ours = (ourScan.findings || []).map(f => ({
+    file: f.file, line: f.line || 0,
+    severity: _normalizeSeverity(f.severity),
+    vuln: f.vuln, cwe: f.cwe || null,
+  }));
+  const other = runOtherTool(otherArgv, { fieldMap: otherFieldMap, rootArrayPath: otherRootArrayPath });
+  const comparison = compareFindings(ours, other.findings);
+  const md = renderComparison(comparison, { ourName, otherName });
+  return { ours, theirs: other.findings, comparison, markdown: md, otherStatus: other };
+}
+
+export const _internal = { _normalizeSeverity, _get };