@metasession.co/devaudit-cli 0.1.9 → 0.1.10
- package/dist/index.js +1 -1
- package/dist/index.js.map +1 -1
- package/package.json +2 -2
- package/sdlc/files/ci/ci.yml.template +17 -6
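--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@metasession.co/devaudit-cli",
-"version": "0.1.
+"version": "0.1.10",
 "description": "DevAudit CLI — installs, syncs, and operates the Metasession SDLC across consumer projects.",
 "type": "module",
 "bin": {
@@ -33,7 +33,7 @@
 },
 "dependencies": {
 "@clack/prompts": "^0.8.2",
-"@metasession.co/devaudit-plugin-sdk": "^0.1.
+"@metasession.co/devaudit-plugin-sdk": "^0.1.10",
 "commander": "^12.1.0",
 "consola": "^3.2.3",
 "env-paths": "^3.0.0",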
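--- a/package/sdlc/files/ci/ci.yml.template
+++ b/package/sdlc/files/ci/ci.yml.template
@@ -82,9 +82,13 @@ jobs:
 
 - name: SAST Scan
 run: |
+# --output writes the JSON report to the file directly; stderr
+# (progress/metrics/version notices) goes to /dev/null. Using
+# `> file 2>&1` instead merged semgrep's stderr into the JSON and
+# produced an unparseable file (DevAudit #48).
 semgrep scan --config auto {{SOURCE_DIRS}} \
 --severity ERROR --severity WARNING \
---json
+--json --output sast-results.json 2>/dev/null || true
 FINDINGS=$(python3 -c "
 import json
 with open('sast-results.json') as f:
@@ -103,7 +107,8 @@ jobs:
 
 - name: Dependency Audit
 run: |
-
+# stderr → /dev/null so warnings can't corrupt the JSON (DevAudit #48)
+npm audit --json > dependency-audit.json 2>/dev/null || true
 ACCEPTED="{{ACCEPTED_DEP_RISKS}}"
 UNACCEPTED=$(python3 -c "
 import json
@@ -136,9 +141,15 @@ jobs:
 run: npx wait-on http://localhost:3000 --timeout 120000
 
 - name: E2E Tests
-
-
-
+env:
+# PLAYWRIGHT_JSON_OUTPUT_NAME makes the json reporter write straight
+# to the file. Capturing stdout (`> e2e-results.json`) instead mixed
+# the html reporter's "To open report" line in after the JSON blob
+# and produced an unparseable file (DevAudit #48). html report still
+# lands in playwright-report/.
+PLAYWRIGHT_HTML_REPORTER_OPEN: never
+PLAYWRIGHT_JSON_OUTPUT_NAME: e2e-results.json
+run: npx playwright test --project={{E2E_PROJECT}} --reporter=json,html
 
 # ── Gate 5: Build ──
 
@@ -273,7 +284,7 @@ jobs:
 if [ ! -f ci-evidence/sast-results.json ]; then
 VENV="$HOME/.semgrep-venv"
 if [ -x "$VENV/bin/semgrep" ]; then
-"$VENV/bin/semgrep" scan --config auto {{SOURCE_DIRS}} --json
+"$VENV/bin/semgrep" scan --config auto {{SOURCE_DIRS}} --json --output ci-evidence/sast-results.json 2>/dev/null || echo '{"results":[]}' > ci-evidence/sast-results.json
 else
 echo '{"results":[]}' > ci-evidence/sast-results.json
 fi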
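Review bot: In the SAST Scan hunk (new lines 85–91) `--json --output sast-results.json 2>/dev/null || true` makes the gate's outcome unobservable: if semgrep exits nonzero before writing the report (e.g. a failed rule fetch for `--config auto`), no file and no diagnostics remain, and the `python3 -c` parse that follows (the `run: |` block continues past the hunk) then fails on a missing file with nothing in the log to explain why. The same pattern in the fallback hunk (new line 287) is worse for a security gate, because `|| echo '{"results":[]}' > ci-evidence/sast-results.json` replaces whatever semgrep already wrote with an empty result set whenever it exits nonzero, so a scanner failure is recorded as a clean pass. Keep the report and the diagnostics apart instead of discarding the latter, `--json --output sast-results.json 2>semgrep-stderr.log || echo "semgrep exited $?, see semgrep-stderr.log"`, and in the fallback only synthesize the placeholder when no report was produced, `[ -s ci-evidence/sast-results.json ] || echo '{"results":[]}' > ci-evidence/sast-results.json`, letting the parse step fail loudly on a truncated one. The `2>/dev/null` on `npm audit` (new line 111) loses diagnostics the same way, though `|| true` there is needed since npm audit exits nonzero when it finds vulnerabilities.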