@hatem427/code-guard-ci 3.3.0 → 3.4.0

package/scripts/precommit-check.ts

@@ -36,11 +36,6 @@ import { verifyBypassPassword, recordBypass } from './utils/bypass-manager';
 import '../config/angular.config';
 import '../config/react.config';
 import '../config/nextjs.config';
-import '../config/nestjs.config';
-import '../config/node.config';
-import '../config/fastify.config';
-import '../config/hono.config';
-import '../config/python.config';
 
 // ── Constants ───────────────────────────────────────────────────────────────
 
@@ -50,6 +45,28 @@ const LINTABLE_EXTENSIONS = ['ts', 'tsx', 'js', 'jsx', 'html', 'css', 'scss'];
 /** File extensions for code guardian rule checks */
 const CHECKABLE_EXTENSIONS = ['ts', 'tsx', 'js', 'jsx', 'html', 'css', 'scss', 'sass', 'less'];
 
+/**
+ * Returns true when lint-staged is configured in the project.
+ * When lint-staged is active it ALREADY ran ESLint --fix and Prettier --write
+ * and re-staged the modified files before this script is invoked.
+ * Running them again would produce a duplicate git-add and confuse developers.
+ */
+function lintStagedIsActive(): boolean {
+  const fs = require('fs');
+  const lintStagedFiles = [
+    '.lintstagedrc', '.lintstagedrc.json', '.lintstagedrc.js',
+    '.lintstagedrc.cjs', '.lintstagedrc.yaml', '.lintstagedrc.yml',
+    'lint-staged.config.js', 'lint-staged.config.cjs',
+  ];
+  if (lintStagedFiles.some((f: string) => fs.existsSync(f))) return true;
+  try {
+    const pkg = JSON.parse(fs.readFileSync('package.json', 'utf-8'));
+    return !!pkg['lint-staged'];
+  } catch {
+    return false;
+  }
+}
+
 /** Flag in commit message to request bypass */
 const BYPASS_COMMIT_FLAG = '#bypass-rules';
 
@@ -134,7 +151,12 @@ function runEslint(stagedFiles: string[]): boolean {
     return true;
   }
 
-  logger.info(`Running ESLint on ${lintableFiles.length} file(s)...`);
+  const lintStagedActive = lintStagedIsActive();
+  if (lintStagedActive) {
+    logger.info(`ESLint check on ${lintableFiles.length} file(s) (lint-staged already auto-fixed)...`);
+  } else {
+    logger.info(`Running ESLint on ${lintableFiles.length} file(s)...`);
+  }
 
   try {
     // Security: Use array args to prevent command injection
@@ -193,6 +215,14 @@ function runEslint(stagedFiles: string[]): boolean {
  * If formatting issues are found, runs Prettier --write and re-stages the files.
  */
 function runPrettier(stagedFiles: string[]): boolean {
+  // When lint-staged is active it already ran `prettier --write` and
+  // re-staged the formatted files. Running Prettier again would produce a
+  // redundant `git add` and confuse developers.
+  if (lintStagedIsActive()) {
+    logger.success('Prettier: handled by lint-staged (skipping duplicate run).');
+    return true;
+  }
+
   const formattableFiles = stagedFiles.filter((f) => {
     const ext = path.extname(f).replace(/^\./, '');
     return LINTABLE_EXTENSIONS.includes(ext);
@@ -206,48 +236,42 @@ function runPrettier(stagedFiles: string[]): boolean {
   logger.info(`Running Prettier on ${formattableFiles.length} file(s)...`);
 
   try {
-    // Security: Use array args to prevent command injection
     const { spawnSync } = require('child_process');
     const checkResult = spawnSync('npx', ['prettier', '--check', ...formattableFiles], {
       stdio: 'pipe',
       encoding: 'utf-8',
     });
-    
+
     if (checkResult.status === 0) {
       logger.success('Prettier check passed.');
       return true;
     }
-    
-    logger.warn('Prettier found formatting issues — auto-fixing...');
 
-    try {
-      const writeResult = spawnSync('npx', ['prettier', '--write', ...formattableFiles], {
-        stdio: 'inherit',
-        encoding: 'utf-8',
-      });
+    logger.warn('Prettier found formatting issues — auto-fixing...');
 
-      if (writeResult.status !== 0) {
-        logger.error('Prettier auto-fix failed.');
-        return false;
-      }
+    const writeResult = spawnSync('npx', ['prettier', '--write', ...formattableFiles], {
+      stdio: 'inherit',
+      encoding: 'utf-8',
+    });
 
-      // Re-stage the auto-formatted files
-      const gitResult = spawnSync('git', ['add', ...formattableFiles], {
-        stdio: 'inherit',
-        encoding: 'utf-8',
-      });
+    if (writeResult.status !== 0) {
+      logger.error('Prettier auto-fix failed.');
+      return false;
+    }
 
-      if (gitResult.status !== 0) {
-        logger.error('Failed to re-stage auto-formatted files.');
-        return false;
-      }
+    // Re-stage only in standalone mode (lint-staged is NOT active)
+    const gitResult = spawnSync('git', ['add', ...formattableFiles], {
+      stdio: 'inherit',
+      encoding: 'utf-8',
+    });
 
-      logger.success('Prettier auto-fixed and re-staged files.');
-      return true;
-    } catch (error) {
-      logger.error('Prettier auto-fix failed.');
+    if (gitResult.status !== 0) {
+      logger.error('Failed to re-stage auto-formatted files.');
       return false;
     }
+
+    logger.success('Prettier auto-fixed and re-staged files.');
+    return true;
   } catch (error) {
     logger.error('Prettier check failed.');
     return false;
@@ -267,56 +291,28 @@ export interface SecurityScanResult {
 
 /**
  * Layer 1 — npm audit
- * Checks all installed npm dependencies against the GitHub Advisory Database.
- * Blocks on critical/high severity by default.
  */
 function runNpmAudit(): SecurityScanResult {
-  const result: SecurityScanResult = {
-    tool: 'npm audit',
-    passed: true,
-    skipped: false,
-    summary: '',
-    criticalCount: 0,
-    highCount: 0,
-  };
-
-  // Skip if not an npm project
+  const result: SecurityScanResult = { tool: 'npm audit', passed: true, skipped: false, summary: '', criticalCount: 0, highCount: 0 };
   const fs = require('fs');
   if (!fs.existsSync('package.json')) {
-    result.skipped = true;
-    result.summary = 'No package.json found — skipping.';
-    logger.dim('  npm audit: skipped (no package.json)');
-    return result;
+    result.skipped = true; result.summary = 'No package.json found — skipping.';
+    logger.dim('  npm audit: skipped (no package.json)'); return result;
   }
-
   logger.info('Layer 1/3 — Running npm audit...');
-
   try {
     const { spawnSync } = require('child_process');
-    const auditResult = spawnSync(
-      'npm',
-      ['audit', '--json', '--audit-level=high'],
-      { encoding: 'utf-8', cwd: process.cwd() }
-    );
-
+    const auditResult = spawnSync('npm', ['audit', '--json', '--audit-level=high'], { encoding: 'utf-8', cwd: process.cwd() });
     let auditData: any = {};
-    try {
-      auditData = JSON.parse(auditResult.stdout || '{}');
-    } catch {
-      // npm audit output is not valid JSON (e.g. no lock file)
+    try { auditData = JSON.parse(auditResult.stdout || '{}'); } catch {
       if (auditResult.stderr?.includes('ENOLOCK') || auditResult.stdout?.includes('ENOLOCK')) {
-        result.skipped = true;
-        result.summary = 'No lock file found — run `npm install` first.';
-        logger.warn('  npm audit: skipped (no lock file — run npm install first)');
-        return result;
+        result.skipped = true; result.summary = 'No lock file found — run `npm install` first.';
+        logger.warn('  npm audit: skipped (no lock file)'); return result;
       }
     }
-
     const vulns = auditData?.metadata?.vulnerabilities ?? {};
-    result.criticalCount = vulns.critical ?? 0;
-    result.highCount = vulns.high ?? 0;
+    result.criticalCount = vulns.critical ?? 0; result.highCount = vulns.high ?? 0;
     const total = Object.values(vulns).reduce((acc: number, v) => acc + (v as number), 0);
-
     if (result.criticalCount > 0 || result.highCount > 0) {
       result.passed = false;
       result.summary = `Found ${result.criticalCount} critical, ${result.highCount} high severity vulnerabilities (${total} total).`;
@@ -329,116 +325,58 @@ function runNpmAudit(): SecurityScanResult {
       result.summary = 'No known vulnerabilities found.';
       logger.success('  npm audit: ✅ No vulnerabilities found.');
     }
-  } catch {
-    result.skipped = true;
-    result.summary = 'npm not available — skipping.';
-    logger.dim('  npm audit: skipped (npm not available)');
-  }
-
+  } catch { result.skipped = true; result.summary = 'npm not available.'; logger.dim('  npm audit: skipped'); }
   return result;
 }
 
 /**
- * Layer 2 — RetireJS (npx retire)
- * Scans JavaScript files and node_modules for libraries with known CVEs.
- * Complements npm audit by catching bundled/vendored libraries that npm
- * audit cannot see.
+ * Layer 2 — RetireJS
  */
 function runRetireJs(): SecurityScanResult {
-  const result: SecurityScanResult = {
-    tool: 'retire.js',
-    passed: true,
-    skipped: false,
-    summary: '',
-    criticalCount: 0,
-    highCount: 0,
-  };
-
+  const result: SecurityScanResult = { tool: 'retire.js', passed: true, skipped: false, summary: '', criticalCount: 0, highCount: 0 };
   logger.info('Layer 2/3 — Running RetireJS...');
-
   try {
     const { spawnSync } = require('child_process');
-    const retireResult = spawnSync(
-      'npx',
-      ['--yes', 'retire', '--outputformat', 'json', '--exitwith', '0'],
-      { encoding: 'utf-8', cwd: process.cwd(), timeout: 60_000 }
-    );
-
+    const retireResult = spawnSync('npx', ['--yes', 'retire', '--outputformat', 'json', '--exitwith', '0'], { encoding: 'utf-8', cwd: process.cwd(), timeout: 60_000 });
     let findings: any[] = [];
     try {
       const parsed = JSON.parse(retireResult.stdout || '[]');
       findings = Array.isArray(parsed) ? parsed : (parsed.data ?? []);
     } catch {
-      // Non-JSON output means no findings or retire not installed
-      if (retireResult.status === 0) {
-        result.summary = 'No vulnerable libraries detected.';
-        logger.success('  retire.js: ✅ No vulnerable libraries found.');
-        return result;
-      }
-    }
-
-    if (findings.length === 0) {
-      result.summary = 'No vulnerable libraries detected.';
-      logger.success('  retire.js: ✅ No vulnerable libraries found.');
-      return result;
+      if (retireResult.status === 0) { result.summary = 'No vulnerable libraries detected.'; logger.success('  retire.js: ✅ No vulnerable libraries found.'); return result; }
     }
-
-    // Count by severity
+    if (findings.length === 0) { result.summary = 'No vulnerable libraries detected.'; logger.success('  retire.js: ✅ No vulnerable libraries found.'); return result; }
     for (const file of findings) {
-      for (const result_ of (file.results ?? [])) {
-        for (const vuln of (result_.vulnerabilities ?? [])) {
+      for (const r of (file.results ?? [])) {
+        for (const vuln of (r.vulnerabilities ?? [])) {
           const sev = (vuln.severity ?? '').toLowerCase();
-          if (sev === 'critical') result.criticalCount++;
-          else if (sev === 'high') result.highCount++;
+          if (sev === 'critical') result.criticalCount++; else if (sev === 'high') result.highCount++;
         }
       }
     }
-
     if (result.criticalCount > 0 || result.highCount > 0) {
       result.passed = false;
       result.summary = `Found ${result.criticalCount} critical, ${result.highCount} high severity vulnerable libraries (${findings.length} affected files).`;
       logger.error(`  retire.js: ❌ ${result.summary}`);
-      logger.dim('    Fix: Update or replace the flagged libraries.');
     } else {
       result.summary = `${findings.length} affected file(s) with low/moderate severity findings. Review when possible.`;
       logger.warn(`  retire.js: ⚠️  ${result.summary}`);
     }
-  } catch {
-    result.skipped = true;
-    result.summary = 'RetireJS could not be executed — skipping.';
-    logger.dim('  retire.js: skipped (could not execute npx retire)');
-  }
-
+  } catch { result.skipped = true; result.summary = 'RetireJS could not be executed.'; logger.dim('  retire.js: skipped'); }
   return result;
 }
 
 /**
  * Layer 3 — Syft + Grype
- * Syft generates a Software Bill of Materials (SBOM) for the project.
- * Grype scans the SBOM for CVEs across ALL package ecosystems (npm, pip,
- * Go, Maven, etc.), including OS-level packages if running inside a container.
- *
- * Falls back to running `grype dir:.` directly if Syft is not installed.
  */
 function runGrype(): SecurityScanResult {
-  const result: SecurityScanResult = {
-    tool: 'Syft + Grype',
-    passed: true,
-    skipped: false,
-    summary: '',
-    criticalCount: 0,
-    highCount: 0,
-  };
-
+  const result: SecurityScanResult = { tool: 'Syft + Grype', passed: true, skipped: false, summary: '', criticalCount: 0, highCount: 0 };
   logger.info('Layer 3/3 — Running Syft + Grype...');
-
   const { spawnSync } = require('child_process');
-
-  // Check if grype is available
   const grypeCheck = spawnSync('which', ['grype'], { encoding: 'utf-8' });
   if (grypeCheck.status !== 0) {
     result.skipped = true;
-    result.summary = 'grype not installed — install with: curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin';
+    result.summary = 'grype not installed';
     logger.warn('  Syft+Grype: ⚠️  grype not installed — Layer 3 skipped.');
     logger.dim('');
     logger.dim('  To enable full SBOM vulnerability scanning, install Grype once:');
@@ -450,100 +388,42 @@ function runGrype(): SecurityScanResult {
     logger.dim('    macOS (Homebrew):');
     logger.dim('      brew install anchore/grype/grype');
     logger.dim('');
-    logger.dim('  Optionally install Syft for full SBOM generation:');
-    logger.dim('      brew install anchore/syft/syft');
-    logger.dim('      (or see https://github.com/anchore/syft)');
-    logger.dim('');
     return result;
   }
-
   try {
     const fs = require('fs');
     const syftCheck = spawnSync('which', ['syft'], { encoding: 'utf-8' });
-
     if (syftCheck.status === 0) {
-      // Use the most accurate Syft source depending on what's present:
-      //   1. node_modules   → captures every resolved transitive npm dep
-      //   2. package-lock.json → full npm lockfile (catches same set as npm audit)
-      //   3. dir:.          → generic fallback (may miss transitive deps)
-      let syftSource = 'dir:.';
-      let syftMode   = 'generic dir';
-
-      if (fs.existsSync('node_modules')) {
-        syftSource = 'dir:node_modules';
-        syftMode   = 'node_modules (full transitive tree)';
-      } else if (fs.existsSync('package-lock.json')) {
-        syftSource = 'file:package-lock.json';
-        syftMode   = 'package-lock.json';
-      }
-
+      let syftSource = 'dir:.'; let syftMode = 'generic dir';
+      if (fs.existsSync('node_modules')) { syftSource = 'dir:node_modules'; syftMode = 'node_modules (full transitive tree)'; }
+      else if (fs.existsSync('package-lock.json')) { syftSource = 'file:package-lock.json'; syftMode = 'package-lock.json'; }
       logger.dim(`  Generating SBOM with Syft (${syftMode})...`);
-      const syftResult = spawnSync(
-        'syft',
-        [syftSource, '-o', 'cyclonedx-json', '--quiet'],
-        { encoding: 'utf-8', cwd: process.cwd(), timeout: 180_000 }
-      );
-
+      const syftResult = spawnSync('syft', [syftSource, '-o', 'cyclonedx-json', '--quiet'], { encoding: 'utf-8', cwd: process.cwd(), timeout: 180_000 });
       if (syftResult.status === 0 && (syftResult.stdout as string)?.trim()) {
-        const grypeArgs = ['sbom:-', '--output', 'json', '--fail-on', 'high'];
-        const grypeResult = spawnSync('grype', grypeArgs, {
-          input: syftResult.stdout as string,
-          encoding: 'utf-8',
-          cwd: process.cwd(),
-          timeout: 120_000,
-        });
+        const grypeResult = spawnSync('grype', ['sbom:-', '--output', 'json', '--fail-on', 'high'], { input: syftResult.stdout as string, encoding: 'utf-8', cwd: process.cwd(), timeout: 120_000 });
         return _parseGrypeOutput(grypeResult, result, `Syft SBOM (${syftMode})`);
       }
     }
-
-    // Fallback: run grype directly — point at node_modules if it exists so
-    // Grype resolves the full dependency tree rather than just package.json
-    const fs2 = require('fs');
-    const grypeTarget = fs2.existsSync('node_modules') ? 'dir:node_modules' : 'dir:.';
+    const grypeTarget = fs.existsSync('node_modules') ? 'dir:node_modules' : 'dir:.';
     logger.dim(`  Running Grype directly on ${grypeTarget}...`);
-    const grypeArgs = [grypeTarget, '--output', 'json', '--fail-on', 'high'];
-    const grypeResult = spawnSync('grype', grypeArgs, {
-      encoding: 'utf-8',
-      cwd: process.cwd(),
-      timeout: 120_000,
-    });
+    const grypeResult = spawnSync('grype', [grypeTarget, '--output', 'json', '--fail-on', 'high'], { encoding: 'utf-8', cwd: process.cwd(), timeout: 120_000 });
     return _parseGrypeOutput(grypeResult, result, `direct scan (${grypeTarget})`);
-  } catch {
-    result.skipped = true;
-    result.summary = 'Grype scan failed — check your installation.';
-    logger.warn('  Syft+Grype: ⚠️  Scan failed — check grype installation.');
-    return result;
-  }
+  } catch { result.skipped = true; result.summary = 'Grype scan failed.'; logger.warn('  Syft+Grype: ⚠️  Scan failed.'); return result; }
 }
 
-/** Parse grype JSON output and update the SecurityScanResult in-place. */
-function _parseGrypeOutput(
-  spawnResult: ReturnType<typeof import('child_process').spawnSync>,
-  result: SecurityScanResult,
-  mode: string
-): SecurityScanResult {
+function _parseGrypeOutput(spawnResult: any, result: SecurityScanResult, mode: string): SecurityScanResult {
   let matches: any[] = [];
   try {
     const parsed = JSON.parse((spawnResult.stdout as string) || '{}');
     matches = parsed.matches ?? [];
   } catch {
-    if (spawnResult.status === 0) {
-      result.summary = 'No vulnerabilities found.';
-      logger.success(`  Syft+Grype: ✅ No vulnerabilities found (${mode}).`);
-      return result;
-    }
-    result.skipped = true;
-    result.summary = 'Could not parse Grype output.';
-    logger.warn('  Syft+Grype: ⚠️  Could not parse output.');
-    return result;
+    if (spawnResult.status === 0) { result.summary = 'No vulnerabilities found.'; logger.success(`  Syft+Grype: ✅ No vulnerabilities found (${mode}).`); return result; }
+    result.skipped = true; result.summary = 'Could not parse Grype output.'; logger.warn('  Syft+Grype: ⚠️  Could not parse output.'); return result;
   }
-
   for (const match of matches) {
     const sev = (match.vulnerability?.severity ?? '').toLowerCase();
-    if (sev === 'critical') result.criticalCount++;
-    else if (sev === 'high') result.highCount++;
+    if (sev === 'critical') result.criticalCount++; else if (sev === 'high') result.highCount++;
   }
-
   if (result.criticalCount > 0 || result.highCount > 0) {
     result.passed = false;
     result.summary = `Found ${result.criticalCount} critical, ${result.highCount} high severity CVEs (${matches.length} total matches).`;
@@ -556,104 +436,55 @@ function _parseGrypeOutput(
     result.summary = 'No vulnerabilities found.';
     logger.success(`  Syft+Grype: ✅ No vulnerabilities found (${mode}).`);
   }
-
   return result;
 }
 
-/**
- * Run all three security scan layers and return the combined results.
- * When vulnerabilities are found the caller is responsible for prompting
- * the developer — this function only scans and reports.
- */
 function runSecurityScans(): { passed: boolean; results: SecurityScanResult[] } {
   logger.header('🔐 Security Scanning (3 layers)');
-
   const npmResult    = runNpmAudit();
   const retireResult = runRetireJs();
   const grypeResult  = runGrype();
-
   const results = [npmResult, retireResult, grypeResult];
   const passed  = results.every((r) => r.skipped || r.passed);
-
   console.log('');
   if (!passed) {
     const blocking = results.filter((r) => !r.skipped && !r.passed);
     logger.error(`Security scan found vulnerabilities — ${blocking.length} tool(s) reported critical/high issues:`);
-    for (const r of blocking) {
-      logger.error(`  • ${r.tool}: ${r.summary}`);
-    }
-  } else {
-    logger.success('Security scans passed (all layers).');
-  }
-
+    for (const r of blocking) { logger.error(`  • ${r.tool}: ${r.summary}`); }
+  } else { logger.success('Security scans passed (all layers).'); }
   return { passed, results };
 }
 
-/**
- * When security scans find vulnerabilities, prompt the developer to decide
- * whether to proceed or abort the commit.
- * Returns true  → developer chose to continue (risks acknowledged).
- * Returns false → developer chose to abort.
- */
 async function promptSecurityDecision(results: SecurityScanResult[]): Promise<boolean> {
-  const pad = (line: string, width = 63) => {
-    // strip ANSI codes for length calculation
-    const plain = line.replace(/\x1b\[[0-9;]*m/g, '');
-    return line + ' '.repeat(Math.max(0, width - plain.length)) + '│';
-  };
-
   console.log('');
   console.log('┌─────────────────────────────────────────────────────────────┐');
   console.log('│  ⚠️   VULNERABILITY REPORT — all 3 layers                   │');
-  console.log('├──────────────────┬──────────────────────────────────────────┤');
+  console.log('├──────────────────┬───────────────────────────────────────────┤');
   console.log('│  Tool            │  Result                                  │');
-  console.log('├──────────────────┼──────────────────────────────────────────┤');
-
+  console.log('├──────────────────┼───────────────────────────────────────────┤');
   for (const r of results) {
     const toolCol = `│  ${r.tool}`.padEnd(18) + '│';
-    let status: string;
-    if (r.skipped) {
-      status = '  ⬛ skipped';
-    } else if (!r.passed) {
-      status = `  ❌ ${r.criticalCount} critical, ${r.highCount} high`;
-    } else {
-      status = '  ✅ clean';
-    }
-    const statusCol = status.padEnd(42) + '│';
-    console.log(toolCol + statusCol);
+    const status  = r.skipped ? '  ⬛ skipped' : !r.passed ? `  ❌ ${r.criticalCount} critical, ${r.highCount} high` : '  ✅ clean';
+    console.log(toolCol + status.padEnd(42) + '│');
   }
-
-  console.log('├──────────────────┴──────────────────────────────────────────┤');
-
-  // Detail lines for failing tools
+  console.log('├──────────────────┴───────────────────────────────────────────┤');
   const blocking = results.filter((r) => !r.skipped && !r.passed);
   for (const r of blocking) {
     const summary = r.summary.length > 57 ? r.summary.slice(0, 54) + '...' : r.summary;
-    console.log(pad(`│  ↳ ${r.tool}: ${summary}`));
+    const line = `│  ⤵ ${r.tool}: ${summary}`;
+    console.log(line.padEnd(63) + '│');
   }
-
   console.log('├─────────────────────────────────────────────────────────────┤');
   console.log('│  Fix: npm audit fix  |  npm audit (for full details)        │');
   console.log('└─────────────────────────────────────────────────────────────┘');
   console.log('');
-
-  const answer = await promptUser(
-    '  Proceed with commit despite vulnerabilities? [y/N]: '
-  );
-
+  const answer = await promptUser('  Proceed with commit despite vulnerabilities? [y/N]: ');
   const confirmed = answer.toLowerCase() === 'y' || answer.toLowerCase() === 'yes';
-
-  if (confirmed) {
-    logger.warn('⚠️  Proceeding with known vulnerabilities — please fix them as soon as possible.');
-  } else {
-    logger.error('❌ Commit aborted. Fix the vulnerabilities and try again.');
-  }
-
+  if (confirmed) { logger.warn('⚠️  Proceeding with known vulnerabilities — please fix them soon.'); }
+  else { logger.error('❌ Commit aborted. Fix the vulnerabilities and try again.'); }
   return confirmed;
 }
 
-// ── Feature doc detection ───────────────────────────────────────────────────
-
 /**
  * If the commit looks like a new feature (branch name contains "feat/" or
  * "feature/"), remind the user to generate docs.
@@ -738,16 +569,22 @@ async function main(): Promise<void> {
   // Step 5: Run ESLint
   const eslintPassed = runEslint(stagedPaths);
 
-  // Step 6: Run Prettier (auto-fix mode)
+  // Step 6: Run Prettier (skipped when lint-staged is active)
   const prettierPassed = runPrettier(stagedPaths);
 
-  // Step 7: Run 3-layer security scans
-  const { passed: securityPassed, results: securityResults } = runSecurityScans();
+  // Step 7: Security scans — ask developer first
+  let securityConfirmed = true;
+  const runScans = await promptUser('  🔐 Run security scans (npm audit + RetireJS + Grype)? [Y/n]: ');
+  const wantsScans = runScans === '' || runScans.toLowerCase() === 'y' || runScans.toLowerCase() === 'yes';
 
-  // Step 7.5: If vulnerabilities found, ask the developer what to do
-  let securityConfirmed = securityPassed;
-  if (!securityPassed) {
-    securityConfirmed = await promptSecurityDecision(securityResults);
+  if (wantsScans) {
+    const { passed: securityPassed, results: securityResults } = runSecurityScans();
+    securityConfirmed = securityPassed;
+    if (!securityPassed) {
+      securityConfirmed = await promptSecurityDecision(securityResults);
+    }
+  } else {
+    logger.dim('  Security scans skipped.');
   }
 
   // Step 8: Check for feature docs
@@ -773,8 +610,6 @@ async function main(): Promise<void> {
   if (report.errorCount > 0 || !eslintPassed || !securityConfirmed) {
     logger.error('❌ Commit BLOCKED — fix the errors above and try again.');
     logger.dim('  💡 To bypass: BYPASS_RULES=true git commit ... or add #bypass-rules to commit message');
-
-    // Exit immediately with error code
     process.exitCode = 1;
     process.exit(1);
   }