@clear-capabilities/agentic-security-scanner 0.78.0 → 0.80.0

package/src/integrations/index.js

@@ -13,9 +13,10 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as yaml from 'js-yaml';
+import { statePath } from '../posture/state-dir.js';
 
 function _configPath(scanRoot) {
-  return path.join(scanRoot || process.cwd(), '.agentic-security', 'integrations.yml');
+  return statePath(scanRoot, 'integrations.yml');
 }
 
 export function loadIntegrationConfig(scanRoot) {

package/src/ir/.agentic-security/findings.json

@@ -1,9 +1,9 @@
 {
-  "scanId": "1a8e7623-7074-46ec-9fe6-a8a0d25ee3c6",
-  "startedAt": "2026-05-27T02:22:41.834Z",
-  "durationMs": 363,
+  "scanId": "dab30d60-68ee-499a-a5a0-9a73b9fc15de",
+  "startedAt": "2026-05-29T06:24:38.089Z",
+  "durationMs": 435,
   "scanned": {
-    "files": 15,
+    "files": 18,
     "lines": 0
   },
   "findings": [
@@ -1217,6 +1217,235 @@
         "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
       }
     },
+    {
+      "id": "struct:cpp-preprocessor.js:94:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "cpp-preprocessor.js",
+      "line": 94,
+      "snippet": "try { content = fs.readFileSync(abs, 'utf8'); }",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `cpp-preprocessor.js:94` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      },
+      "stableId": "0b0187a7e1476c07",
+      "confidenceTier": "very-low",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "c5704ff81dc82f80",
+      "cloneClusterSize": 1,
+      "provenance": "mixed",
+      "provenanceScore": 0.3,
+      "typeNarrowed": null,
+      "strideCategory": "denialOfService",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "try { content = fs.readFileSync(abs, 'utf8'); }",
+          "sourceSnippet": "try { content = fs.readFileSync(abs, 'utf8'); }",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
     {
       "id": "struct:type-stubs.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
@@ -3631,7 +3860,7 @@
   "_v3": {
     "counterfactual": {
       "spofControls": [],
-      "controlsDetected": 307
+      "controlsDetected": 379
     },
     "threatModel": {
       "summary": {
@@ -3642,7 +3871,7 @@
           "tampering": 1,
           "repudiation": 0,
           "informationDisclosure": 0,
-          "denialOfService": 9,
+          "denialOfService": 10,
           "elevationOfPrivilege": 0
         }
       },
@@ -3674,6 +3903,11 @@
         "repudiation": [],
         "informationDisclosure": [],
         "denialOfService": [
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "cpp-preprocessor.js",
+            "severity": "medium"
+          },
           {
             "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
             "file": "type-stubs.js",

package/src/ir/.agentic-security/last-scan.json

@@ -1,9 +1,9 @@
 {
-  "scanId": "1a8e7623-7074-46ec-9fe6-a8a0d25ee3c6",
-  "startedAt": "2026-05-27T02:22:41.834Z",
-  "durationMs": 363,
+  "scanId": "dab30d60-68ee-499a-a5a0-9a73b9fc15de",
+  "startedAt": "2026-05-29T06:24:38.089Z",
+  "durationMs": 435,
   "scanned": {
-    "files": 15,
+    "files": 18,
     "lines": 0
   },
   "findings": [
@@ -1217,6 +1217,235 @@
         "ethics": "# AUTHORIZED USE ONLY — run only against systems you own or have explicit permission to test."
       }
     },
+    {
+      "id": "struct:cpp-preprocessor.js:94:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
+      "kind": "sast",
+      "severity": "medium",
+      "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+      "cwe": "CWE-400",
+      "owaspLlm": null,
+      "stride": "Denial of Service",
+      "file": "cpp-preprocessor.js",
+      "line": 94,
+      "snippet": "try { content = fs.readFileSync(abs, 'utf8'); }",
+      "fix": null,
+      "reachable": false,
+      "triage": 22,
+      "dataClasses": [],
+      "chain": null,
+      "confidence": 0.212,
+      "toxicity": 28,
+      "toxicityFactors": [
+        "http-facing"
+      ],
+      "toxicityLabel": "Medium",
+      "sources": null,
+      "epssScore": null,
+      "epssPercentile": null,
+      "epssCve": null,
+      "exploitedNow": false,
+      "tags": null,
+      "blastRadius": {
+        "scope": "all-users",
+        "dataAtRisk": [
+          "config"
+        ],
+        "userCount": 50,
+        "industry": "generic",
+        "jurisdictions": [],
+        "controlsApplied": [],
+        "dollarBest": 23250,
+        "dollarLikely": 136250,
+        "dollarWorst": 775000,
+        "dollarLow": 23250,
+        "dollarHigh": 775000,
+        "components": {
+          "incidentResponse": {
+            "low": 8000,
+            "likely": 50000,
+            "high": 250000
+          },
+          "legal": {
+            "low": 10000,
+            "likely": 75000,
+            "high": 500000
+          },
+          "crisisPR": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "notification": {
+            "low": 5000,
+            "likely": 10000,
+            "high": 15000
+          },
+          "creditMonitoring": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "regulatoryFines": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "directDamage": {
+            "low": 250,
+            "likely": 1250,
+            "high": 10000
+          },
+          "classAction": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          },
+          "lostBusiness": {
+            "low": 0,
+            "likely": 0,
+            "high": 0
+          }
+        },
+        "dominantDriver": "legal counsel",
+        "comparable": "Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage",
+        "confidence": "low",
+        "narrative": "Synchronous Blocking I/O (DoS Risk in Server Context) on `cpp-preprocessor.js:94` could expose configuration / internal data. Context: general SaaS / no specific regulatory exposure. Estimated cost: best $23k · likely $136k · worst $775k. Dominant driver: legal counsel. Comparable: Air Canada 2024 LLM chatbot DoS → court-ordered refunds + reputational damage."
+      },
+      "stableId": "0b0187a7e1476c07",
+      "confidenceTier": "very-low",
+      "exploitability": 0.2,
+      "exploitabilityTier": "low",
+      "exploitabilityFactors": [
+        "sev:medium",
+        "unreachable"
+      ],
+      "clusterSize": null,
+      "unreachable": false,
+      "validator_verdict": "unvalidated",
+      "llm_confidence": null,
+      "unvalidated": true,
+      "cross_language": false,
+      "family": "dos-sync-io",
+      "parser": "STRUCTURAL",
+      "_unsigned": false,
+      "_passThroughSigning": false,
+      "signatureStatus": "verified",
+      "regression_test": null,
+      "poc": null,
+      "calibrated_confidence": null,
+      "calibrated_confidence_ci": null,
+      "calibrated_n": 0,
+      "calibration_reason": "no-history",
+      "verifier_verdict": "cannot-verify",
+      "verifier_reason": "no-poc-no-sanitizer-rule",
+      "verifier_runner": null,
+      "narration": null,
+      "mitigationVerdict": "unreachable-in-prod",
+      "mitigationsApplied": [],
+      "mitigatedByWaf": false,
+      "wafRuleId": null,
+      "mitigatedByAuth": false,
+      "authMechanism": null,
+      "mitigatedByNetwork": false,
+      "networkExposure": null,
+      "featureFlag": null,
+      "featureFlagState": null,
+      "featureFlagRollout": null,
+      "exposedInProd": false,
+      "unreachableInProd": true,
+      "coldPath": false,
+      "hotPath": false,
+      "prodRequestCount": null,
+      "crownJewelScore": 0,
+      "crownJewelTier": "unknown",
+      "crownJewelFactors": [],
+      "cloneClusterId": "c5704ff81dc82f80",
+      "cloneClusterSize": 1,
+      "provenance": "mixed",
+      "provenanceScore": 0.3,
+      "typeNarrowed": null,
+      "strideCategory": "denialOfService",
+      "personaScores": {
+        "script-kiddie": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "opportunistic-criminal": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "apt-nation-state": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "supply-chain-attacker": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        },
+        "malicious-insider": {
+          "score": 0.4,
+          "tier": "medium",
+          "factors": [
+            "sev:medium"
+          ]
+        }
+      },
+      "personaTopTwo": [
+        "script-kiddie",
+        "opportunistic-criminal"
+      ],
+      "personaMaxName": "script-kiddie",
+      "personaMaxScore": 0.4,
+      "reverseExposure": null,
+      "specMined": null,
+      "whyFired": {
+        "detector": "sast/dos-sync-io",
+        "ruleId": "CWE-400",
+        "parser": "STRUCTURAL",
+        "evidence": {
+          "sinkSnippet": "try { content = fs.readFileSync(abs, 'utf8'); }",
+          "sourceSnippet": "try { content = fs.readFileSync(abs, 'utf8'); }",
+          "pathSteps": [],
+          "sanitizers": [],
+          "guards": []
+        },
+        "considered": {
+          "suppressionsApplied": [],
+          "suppressionsSkipped": [],
+          "reachabilityFilter": "unaffected",
+          "clusterCollapsed": false,
+          "typeNarrowed": false,
+          "crownJewelTier": "unknown",
+          "mitigationVerdict": "unreachable-in-prod"
+        },
+        "scanner": {
+          "rulesetVersion": null,
+          "packHash": null,
+          "modelId": null
+        }
+      },
+      "adversaryTranscript": null,
+      "predictedBountyUsd": {
+        "low": 10,
+        "likely": 40,
+        "high": 120,
+        "program": "web2"
+      },
+      "bountyConfidence": "high",
+      "attackPlaybook": null
+    },
     {
       "id": "struct:type-stubs.js:48:Synchronous_Blocking_I/O_(DoS_Risk_in_Server_Context)",
       "kind": "sast",
@@ -3631,7 +3860,7 @@
   "_v3": {
     "counterfactual": {
       "spofControls": [],
-      "controlsDetected": 307
+      "controlsDetected": 379
     },
     "threatModel": {
       "summary": {
@@ -3642,7 +3871,7 @@
           "tampering": 1,
           "repudiation": 0,
           "informationDisclosure": 0,
-          "denialOfService": 9,
+          "denialOfService": 10,
           "elevationOfPrivilege": 0
         }
       },
@@ -3674,6 +3903,11 @@
         "repudiation": [],
         "informationDisclosure": [],
         "denialOfService": [
+          {
+            "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
+            "file": "cpp-preprocessor.js",
+            "severity": "medium"
+          },
           {
             "vuln": "Synchronous Blocking I/O (DoS Risk in Server Context)",
             "file": "type-stubs.js",

package/src/ir/.agentic-security/last-scan.json.sig

@@ -1 +1 @@
-2d6b454b1b54b22d2448f5dd18fb90e019441e946757937852bed1278c2c80be
+da76e96762f8d7ee6ac2ee8968d5822c14bee45de513ed9c1d60cf6f6694c261