npm - @clear-capabilities/agentic-security-scanner - Versions diffs - 0.84.1 → 0.86.0 - Mend

@clear-capabilities/agentic-security-scanner 0.84.1 → 0.86.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (16) hide show

package/src/posture/.agentic-security/threat-model.md ADDED Viewed

@@ -0,0 +1,73 @@
+# Threat Model (auto-generated)
+Generated by agentic-security on 2026-05-30.
+This threat model is derived from static analysis of the current codebase and is regenerated on every scan. It is intended as a working artifact, not a finished compliance document.
+## Entities + boundaries
+```mermaid
+flowchart TB
+  subgraph External
+    route_GET__api_users_2["http-route: GET /api/users/2"]
+    route_GET__api_admin_users["http-route: GET /api/admin/users"]
+    route_GET__api_health["http-route: GET /api/health"]
+  end
+  subgraph Application
+  end
+  External --> route_GET__api_users_2
+  External --> route_GET__api_admin_users
+  External --> route_GET__api_health
+```
+## Assets
+## STRIDE threats
+### Tampering (148)
+- [medium] **dos-sync-io** (CWE-400) at `deploy-platform.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **mass-assignment** (CWE-915) at `integrity.js:undefined` — Mass Assignment (req.body Direct to Model)
+- [low] **dos-sync-io** (CWE-400) at `agents-memory.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `api-contract.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `auditor-walkthrough.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `auth-posture-import.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `blast-radius.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `calibration-drift.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `calibration.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `compliance-policy.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `cross-repo-memory.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `custom-rules.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `cve-alert-daemon.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `cve-lookup.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `dep-add-guard.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `deterministic.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `epss.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `exploitability-probability.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `feature-flags.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `federated-learning.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `findings-memory.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `fix-history.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `fix-plan.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `fix-style-mirror.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- [low] **dos-sync-io** (CWE-400) at `fix-verify-loop.js:undefined` — Synchronous Blocking I/O (DoS Risk in Server Context)
+- … and 123 more
+### Information Disclosure (5)
+- [low] **ssrf** (CWE-918) at `attack-playbooks.js:72` — SSRF: explicit reference to cloud instance-metadata endpoint
+- [low] **ssrf** (CWE-918) at `defender-agent.js:41` — SSRF: explicit reference to cloud instance-metadata endpoint
+- [low] **ssrf** (CWE-918) at `flow-narration.js:24` — SSRF: explicit reference to cloud instance-metadata endpoint
+- [low] **pqc-migration** (CWE-327) at `rule-pack-signing.js:187` — Pre-quantum ED25519 (ed25519) — replace with ML-DSA-65 before CRQC arrives
+- [low] **ssrf** (CWE-918) at `verifier.js:55` — SSRF: explicit reference to cloud instance-metadata endpoint
+### Elevation of Privilege (5)
+- [low] **ssrf** (CWE-918) at `attack-playbooks.js:72` — SSRF: explicit reference to cloud instance-metadata endpoint
+- [low] **prototype-pollution** (CWE-1321) at `adversarial-self-test.js:60` — Prototype Pollution: Direct write to __proto__ / constructor.prototype
+- [low] **ssrf** (CWE-918) at `defender-agent.js:41` — SSRF: explicit reference to cloud instance-metadata endpoint
+- [low] **ssrf** (CWE-918) at `flow-narration.js:24` — SSRF: explicit reference to cloud instance-metadata endpoint
+- [low] **ssrf** (CWE-918) at `verifier.js:55` — SSRF: explicit reference to cloud instance-metadata endpoint
+## Attack trees

package/src/posture/auditor-walkthrough.js CHANGED Viewed

@@ -230,7 +230,7 @@ export function renderWalkthrough(fw, evaluation, opts = {}) {
       lines.push('');
     }
     if (ev.status === 'absent' || ev.status === 'partial') {
-      lines.push(`**Remediation:** address the bullet(s) above, then re-run \`/auditor-walkthrough ${fw.id}\` to update this report.`);
+      lines.push(`**Remediation:** address the bullet(s) above, then re-run \`/compliance --walkthrough ${fw.id}\` to update this report.`);
       lines.push('');
     }
   }

package/src/posture/pr-augment.js CHANGED Viewed

@@ -141,7 +141,7 @@ export function augmentPrBody(scanRoot, opts = {}) {
   lines.push('');
   if (!baseline) {
-    lines.push(`> Baseline against \`${baselineRef}\` not found — showing the full current scan as added. Run \`/pr-augment --persist-baseline ${baselineRef}\` from \`${baselineRef}\` to enable diff mode.`);
+    lines.push(`> Baseline against \`${baselineRef}\` not found — showing the full current scan as added. Run \`/compliance --pr --persist-baseline ${baselineRef}\` from \`${baselineRef}\` to enable diff mode.`);
     lines.push('');
   }

package/src/posture/router.js CHANGED Viewed

@@ -7,8 +7,8 @@
 // Decision tree (cheap, no scan):
 //   - No prior scan?              → run /scan first
 //   - Prior scan, criticals open? → run /fix --all --critical
-//   - Prior scan, highs open?     → /fix --all --high  OR  /show-findings
-//   - Prior scan, only mediums?   → /report-card
+//   - Prior scan, highs open?     → /fix --all --high  OR  /triage --show
+//   - Prior scan, only mediums?   → /posture --report-card
 //   - All clean?                  → /security-badge   (celebrate + share)
 //   - Pre-deploy intent (--launch flag, or no scan in 7 days)? → /launch-check
 //
@@ -71,7 +71,7 @@ export function decide({ scanRoot, intent }) {
   if (sev.high > 0) {
     return {
       action: 'review-high',
-      command: 'claude /show-findings',
+      command: 'claude /triage --show',
       reason: `${sev.high} high finding(s). Review and triage before fixing.`,
     };
   }
@@ -85,7 +85,7 @@ export function decide({ scanRoot, intent }) {
   if (sev.medium > 0) {
     return {
       action: 'report-card',
-      command: 'claude /report-card',
+      command: 'claude /posture --report-card',
       reason: `Only mediums remain. Get a letter-grade snapshot and pick what's worth fixing.`,
     };
   }

package/src/report/.agentic-security/sbom-history/7d45b5e03804aac084b4a2b4dc8c6f10107d2005.json ADDED Viewed

@@ -0,0 +1,6 @@
+{
+  "sha": "7d45b5e03804aac084b4a2b4dc8c6f10107d2005",
+  "ts": "2026-05-30T05:08:01.641Z",
+  "componentCount": 0,
+  "components": []
+}

package/src/report/.agentic-security/threat-model.json ADDED Viewed

@@ -0,0 +1,7 @@
+{
+  "entities": [],
+  "boundaries": [],
+  "assets": [],
+  "threats": [],
+  "attackTrees": []
+}

package/src/report/.agentic-security/threat-model.md ADDED Viewed

@@ -0,0 +1,22 @@
+# Threat Model (auto-generated)
+Generated by agentic-security on 2026-05-30.
+This threat model is derived from static analysis of the current codebase and is regenerated on every scan. It is intended as a working artifact, not a finished compliance document.
+## Entities + boundaries
+```mermaid
+flowchart TB
+  subgraph External
+  end
+  subgraph Application
+  end
+```
+## Assets
+## STRIDE threats
+## Attack trees

package/src/report/index.js CHANGED Viewed

@@ -973,7 +973,7 @@ export function toShipVerdict(scan, options = {}) {
   // CONFIRMED: surface validator-confirmed criticals as a trust signal —
   // distinguishes "tool said so" from "tool built a PoC and it ran."
   if (confirmedCount > 0) {
-    lines.push(c(`  ✓  ${confirmedCount} CONFIRMED (PoC built by /validate-findings)`, '\x1b[1;32m'));
+    lines.push(c(`  ✓  ${confirmedCount} CONFIRMED (PoC built by /triage --validate)`, '\x1b[1;32m'));
   }
   lines.push('');