@critiq/cli 0.0.2 → 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +55 -0
- package/main.js +17067 -7931
- package/package.json +9 -4
package/README.md
CHANGED
|
@@ -53,12 +53,60 @@ Run Critiq against a diff:
|
|
|
53
53
|
npx critiq check . --base origin/main --head HEAD
|
|
54
54
|
```
|
|
55
55
|
|
|
56
|
+
## GitHub Actions
|
|
57
|
+
|
|
58
|
+
To run the same checks on **pull requests** in GitHub Actions—with optional **inline PR review comments** and severity-based merge gates—use the official composite action **[critiq-dev/critiq-action](https://github.com/critiq-dev/critiq-action)** ([README](https://github.com/critiq-dev/critiq-action/blob/main/README.md)). The action wraps `critiq check`, honors `.critiq/config.yaml`, and can install published `@critiq/cli` / `@critiq/rules` when they are not already declared on the repository root `package.json`.
|
|
59
|
+
|
|
60
|
+
Example `.github/workflows/critiq.yml`:
|
|
61
|
+
|
|
62
|
+
```yaml
|
|
63
|
+
name: Critiq
|
|
64
|
+
|
|
65
|
+
on:
|
|
66
|
+
pull_request:
|
|
67
|
+
|
|
68
|
+
permissions:
|
|
69
|
+
contents: read
|
|
70
|
+
pull-requests: write
|
|
71
|
+
|
|
72
|
+
jobs:
|
|
73
|
+
critiq:
|
|
74
|
+
runs-on: ubuntu-latest
|
|
75
|
+
steps:
|
|
76
|
+
- name: Checkout
|
|
77
|
+
uses: actions/checkout@v4
|
|
78
|
+
with:
|
|
79
|
+
fetch-depth: 0
|
|
80
|
+
|
|
81
|
+
- name: Run Critiq
|
|
82
|
+
uses: critiq-dev/critiq-action@v1
|
|
83
|
+
with:
|
|
84
|
+
fail-on-severity: off
|
|
85
|
+
```
|
|
86
|
+
|
|
87
|
+
Use a **major tag** (`@v1`) or pin a **commit SHA** for supply-chain control. More options (inputs, outputs, monorepos, reusable workflow) are in the [action README](https://github.com/critiq-dev/critiq-action/blob/main/README.md).
|
|
88
|
+
|
|
56
89
|
## Public Commands
|
|
57
90
|
|
|
91
|
+
`critiq check` also runs an **advisory** built-in secret scan (same scope as the rule engine, plus optional `--staged` for index-only staging review) and prints a short summary before rule results. That scan does **not** change the `critiq check` exit code; use `critiq audit secrets` for full output and for gating in CI.
|
|
92
|
+
|
|
93
|
+
**What "staged review" means**
|
|
94
|
+
|
|
95
|
+
- "Staged" means Git index content (what `git add` has queued), not all local edits.
|
|
96
|
+
- Critiq reads staged content the same way Git does for commit previews (`git diff --cached`).
|
|
97
|
+
- Use this when you want pre-commit checks to match exactly what will be committed.
|
|
98
|
+
|
|
58
99
|
| Command | What it does |
|
|
59
100
|
| --- | --- |
|
|
60
101
|
| `critiq check [target]` | Runs deterministic checks against a codebase, directory, or single file. |
|
|
61
102
|
| `critiq check . --base origin/main --head HEAD` | Limits scanning to changed files and changed ranges in a diff. |
|
|
103
|
+
| `critiq check . --staged` | Rule scan unchanged; the advisory secret scan reads only what is staged in Git index (`git diff --cached`). |
|
|
104
|
+
| `critiq check . --format sarif` | Exports findings as SARIF 2.1.0 for code scanning and security platforms. |
|
|
105
|
+
| `critiq check . --format html` | Exports a shareable HTML report for human review and audit handoff. |
|
|
106
|
+
| `critiq audit secrets [target]` | Runs the dedicated secret-pattern scanner (exit non-zero when matches are found). |
|
|
107
|
+
| `critiq audit secrets . --base origin/main --head HEAD` | Secret scan over changed files only (includes non-code paths such as `.env`). |
|
|
108
|
+
| `critiq audit secrets . --staged` | Secret scan over staged paths/blobs from Git index (`git diff --cached`) (pre-commit friendly). |
|
|
109
|
+
| `critiq audit` / `critiq audit --help` | Lists audit subcommands. |
|
|
62
110
|
| `critiq rules validate <glob>` | Validates rule YAML files and returns diagnostics. |
|
|
63
111
|
| `critiq rules test [glob]` | Runs fixture-backed `RuleSpec` files end to end. |
|
|
64
112
|
| `critiq rules normalize <file>` | Prints the canonical normalized form of one rule. |
|
|
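Review bot: the example workflow contradicts the pinning advice that follows it: both `uses: actions/checkout@v4` and `uses: critiq-dev/critiq-action@v1` are mutable tags, so a reader who copies the block gets none of the "supply-chain control" the text promises. Show the SHA-pinned form in the example (`uses: critiq-dev/critiq-action@<full commit sha> # v1`) or at least say that `@v1` can be moved to new code at any time. In the same region, `fail-on-severity: off` switches off the severity-based merge gate that the paragraph above advertises, so the example never fails a PR; either use a real threshold or add a comment that `off` is advisory-only. `permissions: pull-requests: write` under `on: pull_request` also does not apply to PRs from forks, where `GITHUB_TOKEN` is read-only, so inline review comments will silently not post there; one sentence would save support questions. The sentence about installing `@critiq/cli` / `@critiq/rules` when they are not in the root `package.json` should state which version gets installed, since an unpinned registry install at CI time undercuts any SHA pin. Minor wording in the `critiq check . --staged` table row: "what is staged in Git index" should read "what is staged in the Git index", and the row should say that `--staged` does not change the `check` exit code (the paragraph above does), otherwise the row reads as if the secret scan gates.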
@@ -84,6 +132,12 @@ severityOverrides: {}
|
|
|
84
132
|
|
|
85
133
|
Supported presets are `recommended`, `strict`, `security`, and `experimental`.
|
|
86
134
|
|
|
135
|
+
Optional `secretsScan` in the same file merges extra `ignorePaths` (in addition to top-level `ignorePaths`), disables individual detectors by id (match the `detectorId` field in JSON output; published ids are exported as `SECRETS_SCAN_DETECTOR_IDS` from `@critiq/check-runner`), and drops findings listed under `suppressFingerprints` (64 lowercase hex characters from JSON `fingerprint`).
|
|
136
|
+
|
|
137
|
+
## Git hooks
|
|
138
|
+
|
|
139
|
+
Sample scripts ship under `scripts/hooks/` in this package (for example `pre-commit.sample.sh` runs `critiq audit secrets . --staged`; `pre-push.sample.sh` runs a diff against `origin/main` or `CRITIQ_PRE_PUSH_BASE`). Copy one to `.git/hooks/` and mark it executable, or wire the same commands into Husky.
|
|
140
|
+
|
|
87
141
|
## Default OSS Rule Catalog
|
|
88
142
|
|
|
89
143
|
The default open source catalog in [`@critiq/rules`](https://www.npmjs.com/package/@critiq/rules) currently includes `112` rules across `10` categories.
|
|
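Review bot: the Git hooks paragraph will not work as written: Git only runs hooks named exactly `pre-commit` / `pre-push`, so copying `pre-commit.sample.sh` into `.git/hooks/` leaves it inert until the `.sample.sh` suffix is dropped and the file is made executable; state the rename, and give the path of `scripts/hooks/` inside the installed package, since after `npm install` it lives under `node_modules/@critiq/cli/`, not at the repo root. The pre-push sample diffs against `origin/main`, which is only as fresh as the last `git fetch`; say whether the script fetches first or the user must. Client-side hooks are also skipped by `git commit --no-verify`, so a line noting that `critiq audit secrets` in CI remains the real gate would avoid a false sense of coverage. On the `secretsScan` paragraph: it names `ignorePaths` and `suppressFingerprints` but not the key that disables detectors by id, and three options are packed into one sentence; a short YAML fragment with all three keys would make it usable. Also say what the `fingerprint` is derived from, so a reader knows that a 64-hex value committed to `.critiq/config.yaml` does not itself expose the suppressed secret.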
@@ -123,6 +177,7 @@ The default open source catalog in [`@critiq/rules`](https://www.npmjs.com/packa
|
|
|
123
177
|
- [Getting started](https://github.com/critiq-dev/critiq-core/blob/main/docs/guides/getting-started.md)
|
|
124
178
|
- [CLI reference](https://github.com/critiq-dev/critiq-core/blob/main/docs/reference/cli.md)
|
|
125
179
|
- [`@critiq/rules` package](https://www.npmjs.com/package/@critiq/rules)
|
|
180
|
+
- [Critiq GitHub Action](https://github.com/critiq-dev/critiq-action/blob/main/README.md) (CI and PR comments)
|
|
126
181
|
|
|
127
182
|
## License
|
|
128
183
|
|