npm - @clear-capabilities/agentic-security-scanner - Versions diffs - 0.76.1 → 0.78.0 - Mend

@clear-capabilities/agentic-security-scanner 0.76.1 → 0.78.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (108) hide show

package/bin/.agentic-security/findings.json +320 -9
package/bin/.agentic-security/last-scan.json +320 -9
package/bin/.agentic-security/last-scan.json.sig +1 -1
package/bin/.agentic-security/scan-history.json +17 -377
package/bin/.agentic-security/streak.json +11 -16
package/bin/agentic-security.js +33 -2
package/dist/178.index.js +1 -1
package/dist/384.index.js +1 -1
package/dist/637.index.js +1 -1
package/dist/718.index.js +106 -0
package/dist/824.index.js +126 -0
package/dist/838.index.js +1 -1
package/dist/agentic-security.mjs +32 -32
package/dist/agentic-security.mjs.sha256 +1 -1
package/package.json +7 -7
package/src/.agentic-security/findings.json +5731 -3933
package/src/.agentic-security/last-scan.json +5731 -3933
package/src/.agentic-security/last-scan.json.sig +1 -1
package/src/.agentic-security/scan-history.json +2533 -887
package/src/.agentic-security/streak.json +11 -16
package/src/dataflow/.agentic-security/findings.json +52 -24
package/src/dataflow/.agentic-security/last-scan.json +52 -24
package/src/dataflow/.agentic-security/last-scan.json.sig +1 -1
package/src/dataflow/.agentic-security/scan-history.json +101 -134
package/src/dataflow/.agentic-security/streak.json +8 -10
package/src/dataflow/async-sequencing.js +16 -7
package/src/dataflow/builtin-summaries.js +131 -0
package/src/dataflow/catalog.js +107 -0
package/src/dataflow/cross-repo.js +75 -1
package/src/dataflow/engine.js +129 -0
package/src/dataflow/implicit-flow.js +24 -6
package/src/dataflow/stub-aware-filter.js +69 -11
package/src/dataflow/summaries.js +28 -3
package/src/engine-parallel.js +70 -0
package/src/engine.js +165 -15
package/src/ir/.agentic-security/findings.json +757 -16
package/src/ir/.agentic-security/last-scan.json +757 -16
package/src/ir/.agentic-security/last-scan.json.sig +1 -1
package/src/ir/.agentic-security/scan-history.json +545 -138
package/src/ir/.agentic-security/streak.json +11 -13
package/src/ir/index.js +22 -1
package/src/ir/parser-go.js +403 -0
package/src/ir/parser-js.js +2 -0
package/src/ir/parser-php.js +330 -0
package/src/ir/parser-py.helper.py +137 -11
package/src/ir/parser-rb.js +309 -0
package/src/posture/.agentic-security/findings.json +407 -84
package/src/posture/.agentic-security/last-scan.json +407 -84
package/src/posture/.agentic-security/last-scan.json.sig +1 -1
package/src/posture/.agentic-security/scan-history.json +16 -4923
package/src/posture/.agentic-security/streak.json +10 -14
package/src/posture/calibration.js +14 -0
package/src/posture/triage.js +13 -0
package/src/report/.agentic-security/findings.json +6 -5
package/src/report/.agentic-security/last-scan.json +6 -5
package/src/report/.agentic-security/last-scan.json.sig +1 -1
package/src/report/.agentic-security/scan-history.json +3 -300
package/src/report/.agentic-security/streak.json +7 -8
package/src/report/index.js +23 -2
package/src/sast/.agentic-security/findings.json +195 -56
package/src/sast/.agentic-security/last-scan.json +195 -56
package/src/sast/.agentic-security/last-scan.json.sig +1 -1
package/src/sast/.agentic-security/scan-history.json +14 -394
package/src/sast/.agentic-security/streak.json +10 -13
package/src/sast/cache-poisoning.js +77 -0
package/src/sast/comparison-safety.js +73 -0
package/src/sast/db-taint.js +54 -0
package/src/sast/graphql.js +127 -0
package/src/sast/llm-stored-prompt.js +57 -0
package/src/sast/mutation-xss.js +43 -0
package/src/sast/nosql-injection.js +5 -0
package/src/sast/null-byte-injection.js +76 -0
package/src/sast/redos-nfa.js +338 -0
package/src/sast/sensitive-data-logging.js +73 -0
package/src/sast/weak-password-hash.js +77 -0
package/src/sast/weak-randomness.js +100 -0
package/src/sca/.agentic-security/findings.json +502 -11
package/src/sca/.agentic-security/last-scan.json +502 -11
package/src/sca/.agentic-security/last-scan.json.sig +1 -1
package/src/sca/.agentic-security/scan-history.json +19 -1
package/src/sca/.agentic-security/streak.json +6 -6
package/src/sca/llm-function-extract.js +107 -0
package/src/sca/vendor-detect.js +91 -0
package/dist/218.index.js +0 -793
package/dist/601.index.js +0 -1038
package/dist/634.index.js +0 -1892
package/src/integrations/.agentic-security/findings.json +0 -1504
package/src/integrations/.agentic-security/last-scan.json +0 -1504
package/src/integrations/.agentic-security/scan-history.json +0 -40
package/src/integrations/.agentic-security/streak.json +0 -21
package/src/llm-validator/.agentic-security/findings.json +0 -1891
package/src/llm-validator/.agentic-security/last-scan.json +0 -1891
package/src/llm-validator/.agentic-security/last-scan.json.sig +0 -1
package/src/llm-validator/.agentic-security/scan-history.json +0 -168
package/src/llm-validator/.agentic-security/streak.json +0 -20
package/src/lsp/.agentic-security/findings.json +0 -28
package/src/lsp/.agentic-security/last-scan.json +0 -28
package/src/lsp/.agentic-security/scan-history.json +0 -79
package/src/lsp/.agentic-security/streak.json +0 -22
package/src/mcp/.agentic-security/findings.json +0 -8403
package/src/mcp/.agentic-security/last-scan.json +0 -8403
package/src/mcp/.agentic-security/last-scan.json.sig +0 -1
package/src/mcp/.agentic-security/scan-history.json +0 -1182
package/src/mcp/.agentic-security/streak.json +0 -22
package/src/sast/bench-shape/.agentic-security/findings.json +0 -28
package/src/sast/bench-shape/.agentic-security/last-scan.json +0 -28
package/src/sast/bench-shape/.agentic-security/scan-history.json +0 -24
package/src/sast/bench-shape/.agentic-security/streak.json +0 -22

package/src/posture/.agentic-security/streak.json CHANGED Viewed

@@ -1,24 +1,20 @@
 {
-  "firstScanDate": "2026-05-13T19:07:35.663Z",
-  "lastScanDate": "2026-05-20T15:34:20.296Z",
-  "totalScans": 223,
+  "firstScanDate": "2026-05-27T11:16:44.741Z",
+  "lastScanDate": "2026-05-27T11:19:53.871Z",
+  "totalScans": 3,
   "daysCleanCritical": 0,
-  "lastCleanDate": "2026-05-19",
-  "lastCriticalDate": "2026-05-20",
+  "lastCleanDate": null,
+  "lastCriticalDate": "2026-05-27",
   "hasEverHadCritical": true,
-  "bestDaysCleanCritical": 2,
-  "totalFindingsAtFirstScan": 28,
+  "bestDaysCleanCritical": 0,
+  "totalFindingsAtFirstScan": 257,
   "totalFindingsAtLastScan": 257,
-  "totalFixesInferred": 1,
+  "totalFixesInferred": 0,
   "lastGrade": "C",
-  "bestGrade": "A",
+  "bestGrade": "C",
   "launchCheckPassedAt": null,
   "achievements": [
-    "first-fix",
-    "first-scan",
-    "grade-a",
-    "scan-veteran-100",
-    "scan-veteran-25"
+    "first-scan"
   ],
   "previousGrade": "C"
 }

package/src/posture/calibration.js CHANGED Viewed

@@ -120,6 +120,20 @@ export function loadCalibrationHistory(scanRoot) {
   };
   if (seed) merge(seed);
   if (customer) merge(customer);
+  // Merge triage-derived TP/FP counts (auto-feedback loop)
+  try {
+    const triage = _readJsonMaybe(path.join(scanRoot || process.cwd(), '.agentic-security', 'triage.json'));
+    if (triage && triage.findings) {
+      const triageFams = {};
+      for (const f of Object.values(triage.findings)) {
+        const fam = f.family || 'unknown';
+        if (!triageFams[fam]) triageFams[fam] = { tp: 0, fp: 0 };
+        if (f.state === 'fixed' || f.state === 'open' || f.state === 'in-progress') triageFams[fam].tp++;
+        else if (f.state === 'false-positive') triageFams[fam].fp++;
+      }
+      merge({ families: triageFams });
+    }
+  } catch { /* triage file optional */ }
   return { families };
 }

package/src/posture/triage.js CHANGED Viewed

@@ -144,3 +144,16 @@ export function trend(scanRoot, sinceDays = 30) {
     totalOpen: findings.filter(f => f.state === 'open' || f.state === 'in-progress').length,
   };
 }
+export function exportTriageMetrics(scanRoot) {
+  const triage = loadTriage(scanRoot);
+  const findings = Object.values(triage.findings || {});
+  const families = {};
+  for (const f of findings) {
+    const fam = f.family || 'unknown';
+    if (!families[fam]) families[fam] = { tp: 0, fp: 0 };
+    if (f.state === 'fixed' || f.state === 'open' || f.state === 'in-progress') families[fam].tp++;
+    else if (f.state === 'false-positive') families[fam].fp++;
+  }
+  return { families };
+}

package/src/report/.agentic-security/findings.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
-  "scanId": "c3ef4632-79ae-4ffb-8f06-3ff4f6f0fef2",
-  "startedAt": "2026-05-19T21:49:07.932Z",
-  "durationMs": 196,
+  "scanId": "db8e3115-87e6-4e90-8041-31f9921c7b54",
+  "startedAt": "2026-05-27T11:09:28.873Z",
+  "durationMs": 183,
   "scanned": {
     "files": 2,
     "lines": 0
@@ -28,7 +28,7 @@
   "_v3": {
     "counterfactual": {
       "spofControls": [],
-      "controlsDetected": 167
+      "controlsDetected": 174
     },
     "threatModel": {
       "summary": {
@@ -75,5 +75,6 @@
       "alarms": [],
       "note": "no-feedback-data"
     }
-  }
+  },
+  "annotatorErrors": []
 }

package/src/report/.agentic-security/last-scan.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
-  "scanId": "c3ef4632-79ae-4ffb-8f06-3ff4f6f0fef2",
-  "startedAt": "2026-05-19T21:49:07.932Z",
-  "durationMs": 196,
+  "scanId": "db8e3115-87e6-4e90-8041-31f9921c7b54",
+  "startedAt": "2026-05-27T11:09:28.873Z",
+  "durationMs": 183,
   "scanned": {
     "files": 2,
     "lines": 0
@@ -28,7 +28,7 @@
   "_v3": {
     "counterfactual": {
       "spofControls": [],
-      "controlsDetected": 167
+      "controlsDetected": 174
     },
     "threatModel": {
       "summary": {
@@ -75,5 +75,6 @@
       "alarms": [],
       "note": "no-feedback-data"
     }
-  }
+  },
+  "annotatorErrors": []
 }

package/src/report/.agentic-security/last-scan.json.sig CHANGED Viewed

	@@ -1 +1 @@
1	- ~~3cd9d9783f17e2685c9bac77499113866f2092dfbc7fd24dc665e09107d1c6f7~~
1	+ e3726a5fd5c2a4b763554484c083d9136dbb026f1f913a0c9b35e3455711b303

package/src/report/.agentic-security/scan-history.json CHANGED Viewed

@@ -1,6 +1,6 @@
 [
   {
-    "timestamp": "2026-05-16T12:14:36.442Z",
+    "timestamp": "2026-05-27T11:06:13.261Z",
     "label": "scan",
     "total": 0,
     "critical": 0,
@@ -11,7 +11,7 @@
     "ids": []
   },
   {
-    "timestamp": "2026-05-16T23:36:58.645Z",
+    "timestamp": "2026-05-27T11:07:38.301Z",
     "label": "scan",
     "total": 0,
     "critical": 0,
@@ -22,304 +22,7 @@
     "ids": []
   },
   {
-    "timestamp": "2026-05-18T17:48:29.014Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-18T17:56:28.844Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-18T22:34:47.507Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-18T22:59:24.059Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-18T22:59:40.564Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-18T23:08:03.888Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-18T23:08:22.652Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-18T23:10:59.592Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T00:09:08.611Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T00:09:16.891Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T00:10:01.720Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T00:10:15.908Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T02:01:28.011Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T02:09:03.968Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T02:17:39.336Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T03:11:59.398Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T03:13:30.141Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T03:21:16.211Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T04:45:00.044Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T04:45:15.057Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T04:54:36.921Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T13:24:54.931Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T13:25:09.569Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T20:25:04.198Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T20:26:03.116Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T20:26:12.780Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T21:46:43.850Z",
-    "label": "scan",
-    "total": 0,
-    "critical": 0,
-    "high": 0,
-    "medium": 0,
-    "low": 0,
-    "kev": 0,
-    "ids": []
-  },
-  {
-    "timestamp": "2026-05-19T21:49:08.128Z",
+    "timestamp": "2026-05-27T11:09:29.055Z",
     "label": "scan",
     "total": 0,
     "critical": 0,

package/src/report/.agentic-security/streak.json CHANGED Viewed

@@ -1,12 +1,12 @@
 {
-  "firstScanDate": "2026-05-15T12:33:46.108Z",
-  "lastScanDate": "2026-05-19T21:49:08.136Z",
-  "totalScans": 35,
-  "daysCleanCritical": 2,
-  "lastCleanDate": "2026-05-19",
+  "firstScanDate": "2026-05-27T11:06:13.266Z",
+  "lastScanDate": "2026-05-27T11:09:29.061Z",
+  "totalScans": 3,
+  "daysCleanCritical": 1,
+  "lastCleanDate": "2026-05-27",
   "lastCriticalDate": null,
   "hasEverHadCritical": false,
-  "bestDaysCleanCritical": 2,
+  "bestDaysCleanCritical": 1,
   "totalFindingsAtFirstScan": 0,
   "totalFindingsAtLastScan": 0,
   "totalFixesInferred": 0,
@@ -16,8 +16,7 @@
   "achievements": [
     "first-scan",
     "grade-a",
-    "grade-a-plus",
-    "scan-veteran-25"
+    "grade-a-plus"
   ],
   "previousGrade": "A+"
 }

package/src/report/index.js CHANGED Viewed

@@ -322,6 +322,7 @@ export function toJSON(scan, meta={}, opts={}){
     // threw and were skipped. The findings still ship; downstream consumers
     // see the gap.
     annotatorErrors: Array.isArray(scan.annotatorErrors) ? scan.annotatorErrors : [],
+    _scanMeta: scan._scanMeta || null,
   };
   if (opts.includeSuppressed) out.suppressed = scan.suppressions||[];
   return out;
@@ -560,11 +561,31 @@ export function toSARIF(scan, meta={}){
           ...(scan && scan._rulesetVersionMismatch ? { rulesetVersionMismatch: scan._rulesetVersionMismatch } : {}),
         },
       }],
-      results: findings.map(f => ({
+      results: findings.map(f => {
+        const chain = Array.isArray(f.chain) ? f.chain : [];
+        const codeFlows = chain.length >= 2 ? [{
+          threadFlows: [{
+            locations: chain.map((hop, idx) => ({
+              location: {
+                physicalLocation: {
+                  artifactLocation: { uri: hop.file || f.file },
+                  region: { startLine: Math.max(1, hop.line || 1) },
+                },
+                message: { text: hop.label || (idx === 0 ? 'source' : idx === chain.length - 1 ? 'sink' : 'propagation') },
+              },
+            })),
+          }],
+        }] : undefined;
+        const fixes = f.remediation ? [{
+          description: { text: f.remediation.slice(0, 500) },
+        }] : undefined;
+        return {
         ruleId: f.vuln ? f.vuln.replace(/[^a-zA-Z0-9]/g, '_') : 'unknown',
         level: SEV_TO_SARIF[f.severity] || 'warning',
         message: { text: f.fix?.description || f.vuln || 'Security finding' },
         locations: [{ physicalLocation: { artifactLocation: { uri: f.file }, region: { startLine: Math.max(1, f.line||1) } } }],
+        ...(codeFlows ? { codeFlows } : {}),
+        ...(fixes ? { fixes } : {}),
         // Phase-1 (Sentinel-parity) fingerprint: stableId persists across
         // refactors. Keep partialFingerprints intact for tools that key on
         // the line-hash; add a 'stableId' fingerprint for tools that respect
@@ -595,7 +616,7 @@ export function toSARIF(scan, meta={}){
           ...(f._unsigned ? { unsigned: true } : {}),
           ...(f._passThroughSigning ? { passThroughSigning: true } : {}),
         },
-      })),
+      };}),
     }],
   };
 }