@oculum/scanner 1.0.0

package/src/__tests__/validation/fp-deep-analysis.ts

@@ -0,0 +1,327 @@
+#!/usr/bin/env npx tsx
+/**
+ * M7 Deep FP Analysis
+ *
+ * Analyzes the gap between cheap and validated scans to identify
+ * exactly which patterns are causing false positives and where
+ * to focus tuning efforts.
+ */
+
+import * as fs from 'fs'
+import * as path from 'path'
+import type { ScanResult, Vulnerability } from '../../types'
+
+const RESULTS_DIR = path.join(__dirname, '../../../validation-results')
+const OUTPUT_PATH = path.join(__dirname, '../../../docs/FP_DEEP_ANALYSIS.md')
+
+interface RejectedFinding {
+  repo: string
+  file: string
+  line: number
+  category: string
+  title: string
+  severity: string
+  lineContent: string
+}
+
+interface CategoryAnalysis {
+  category: string
+  cheapCount: number
+  validatedCount: number
+  rejectedCount: number
+  fpRate: number
+  byPathType: Record<string, RejectedFinding[]>
+  byTitle: Record<string, number>
+  sampleFindings: RejectedFinding[]
+}
+
+function classifyPath(filePath: string): string {
+  const lower = filePath.toLowerCase()
+  if (lower.includes('/examples/') || lower.includes('/example/')) return 'examples'
+  if (lower.includes('/__tests__/') || lower.includes('/test/') || lower.includes('.test.') || lower.includes('.spec.')) return 'tests'
+  if (lower.includes('/src/') || lower.includes('/lib/') || lower.includes('/libs/')) return 'library'
+  return 'other'
+}
+
+function loadScanResult(fileName: string): ScanResult | null {
+  const filePath = path.join(RESULTS_DIR, fileName)
+  if (!fs.existsSync(filePath)) return null
+  return JSON.parse(fs.readFileSync(filePath, 'utf-8'))
+}
+
+function findRejectedFindings(cheapFile: string, validatedFile: string): RejectedFinding[] {
+  const cheap = loadScanResult(cheapFile)
+  const validated = loadScanResult(validatedFile)
+  if (!cheap || !validated) return []
+
+  // Build set of validated finding keys
+  const validatedKeys = new Set(
+    validated.vulnerabilities.map(v => `${v.filePath}:${v.lineNumber}:${v.category}`)
+  )
+
+  // Find what was rejected (in cheap but not in validated)
+  const rejected: RejectedFinding[] = []
+  for (const v of cheap.vulnerabilities) {
+    if (!['critical', 'high'].includes(v.severity)) continue
+    const key = `${v.filePath}:${v.lineNumber}:${v.category}`
+    if (!validatedKeys.has(key)) {
+      rejected.push({
+        repo: cheap.repoName,
+        file: v.filePath,
+        line: v.lineNumber,
+        category: v.category,
+        title: v.title,
+        severity: v.severity,
+        lineContent: v.lineContent?.slice(0, 100) || '',
+      })
+    }
+  }
+  return rejected
+}
+
+function analyzeCategory(category: string, findings: RejectedFinding[], cheapCount: number, validatedCount: number): CategoryAnalysis {
+  const byPathType: Record<string, RejectedFinding[]> = {}
+  const byTitle: Record<string, number> = {}
+
+  for (const f of findings) {
+    const pathType = classifyPath(f.file)
+    if (!byPathType[pathType]) byPathType[pathType] = []
+    byPathType[pathType].push(f)
+
+    byTitle[f.title] = (byTitle[f.title] || 0) + 1
+  }
+
+  return {
+    category,
+    cheapCount,
+    validatedCount,
+    rejectedCount: findings.length,
+    fpRate: cheapCount > 0 ? Math.round((findings.length / cheapCount) * 100) : 0,
+    byPathType,
+    byTitle,
+    sampleFindings: findings.slice(0, 10),
+  }
+}
+
+function generateMarkdown(analyses: CategoryAnalysis[]): string {
+  const lines: string[] = []
+
+  lines.push('# M7: False Positive Deep Analysis')
+  lines.push('')
+  lines.push('> This document analyzes exactly where the scanner is generating false positives')
+  lines.push('> to guide targeted improvements to the heuristics.')
+  lines.push('')
+  lines.push('## Executive Summary')
+  lines.push('')
+  lines.push('**Problem:** 69% of Critical+High findings in cheap scans are false positives that')
+  lines.push('require expensive AI validation to filter. We need to improve the heuristics to')
+  lines.push('reduce this noise at the source.')
+  lines.push('')
+  lines.push('## Category FP Rates (Critical+High only)')
+  lines.push('')
+  lines.push('| Category | Cheap | Validated | Rejected | FP Rate |')
+  lines.push('|----------|-------|-----------|----------|---------|')
+
+  for (const a of analyses.sort((a, b) => b.rejectedCount - a.rejectedCount)) {
+    lines.push(`| ${a.category} | ${a.cheapCount} | ${a.validatedCount} | ${a.rejectedCount} | **${a.fpRate}%** |`)
+  }
+
+  lines.push('')
+  lines.push('## Detailed Analysis by Category')
+  lines.push('')
+
+  for (const a of analyses.sort((a, b) => b.rejectedCount - a.rejectedCount)) {
+    if (a.rejectedCount === 0) continue
+
+    lines.push(`### ${a.category}`)
+    lines.push('')
+    lines.push(`- **FP Rate:** ${a.fpRate}% (${a.rejectedCount}/${a.cheapCount} rejected)`)
+    lines.push('')
+
+    // Path type breakdown
+    lines.push('**Where FPs occur:**')
+    lines.push('')
+    for (const [pathType, findings] of Object.entries(a.byPathType)) {
+      lines.push(`- ${pathType}: ${findings.length} findings (${Math.round((findings.length / a.rejectedCount) * 100)}%)`)
+    }
+    lines.push('')
+
+    // Title breakdown
+    const sortedTitles = Object.entries(a.byTitle).sort((a, b) => b[1] - a[1])
+    lines.push('**Common patterns:**')
+    lines.push('')
+    for (const [title, count] of sortedTitles.slice(0, 5)) {
+      lines.push(`- "${title}": ${count} occurrences`)
+    }
+    lines.push('')
+
+    // Sample findings
+    lines.push('**Sample rejected findings:**')
+    lines.push('')
+    lines.push('```')
+    for (const f of a.sampleFindings.slice(0, 5)) {
+      lines.push(`${f.file}:${f.line}`)
+      lines.push(`  Title: ${f.title}`)
+      lines.push(`  Code: ${f.lineContent}`)
+      lines.push('')
+    }
+    lines.push('```')
+    lines.push('')
+
+    // Recommendations
+    lines.push('**Tuning recommendations:**')
+    lines.push('')
+
+    // Category-specific recommendations
+    if (a.category === 'ai_endpoint_unprotected') {
+      const examplePct = a.byPathType['examples'] ? Math.round((a.byPathType['examples'].length / a.rejectedCount) * 100) : 0
+      if (examplePct > 50) {
+        lines.push(`- ${examplePct}% of FPs are in /examples/ directories. Add path-based severity downgrade.`)
+      }
+      lines.push('- Check for global middleware patterns more aggressively')
+      lines.push('- Recognize demo/tutorial context from surrounding code')
+    } else if (a.category === 'ai_overpermissive_tool') {
+      lines.push('- Distinguish between library definitions (intentionally flexible) and app usage')
+      lines.push('- Check if tools have sandboxing/restrictions defined elsewhere')
+      lines.push('- Look for permission checks in tool implementation')
+    } else if (a.category === 'ai_rag_exfiltration') {
+      const libPct = a.byPathType['library'] ? Math.round((a.byPathType['library'].length / a.rejectedCount) * 100) : 0
+      if (libPct > 50) {
+        lines.push(`- ${libPct}% of FPs are in library code. Library base classes are intentionally generic.`)
+        lines.push('- Downgrade library code to info severity (consumers add filters)')
+      }
+      lines.push('- Look for filter parameters in method signatures')
+    } else if (a.category === 'ai_unsafe_execution') {
+      const examplePct = a.byPathType['examples'] ? Math.round((a.byPathType['examples'].length / a.rejectedCount) * 100) : 0
+      lines.push('- Check if path comes from trusted source (config, not user input)')
+      if (examplePct > 30) {
+        lines.push(`- ${examplePct}% in examples - consider demo context`)
+      }
+    } else if (a.category === 'hardcoded_secret') {
+      lines.push('- These are likely test/fixture data - check file context')
+      lines.push('- Look for variable names containing "test", "mock", "example"')
+      lines.push('- Check entropy threshold - may be too sensitive')
+    }
+    lines.push('')
+  }
+
+  // Overall recommendations
+  lines.push('## Overall Recommendations')
+  lines.push('')
+  lines.push('### Quick Wins (High Impact, Low Effort)')
+  lines.push('')
+  lines.push('1. **Path-based severity adjustment:** Downgrade findings in `/examples/` directories to info')
+  lines.push('2. **Library code handling:** Flag library base classes as "intentionally generic" with lower severity')
+  lines.push('3. **Test file handling:** Already done, but verify it covers all patterns')
+  lines.push('')
+  lines.push('### Medium-Term Improvements')
+  lines.push('')
+  lines.push('1. **Better context detection:** Look at surrounding code for security indicators')
+  lines.push('2. **Cross-file analysis:** Check if protection exists in middleware/imports')
+  lines.push('3. **Comment analysis:** Look for "// example", "// demo", "// for testing" patterns')
+  lines.push('')
+  lines.push('### Cost Reduction Strategy')
+  lines.push('')
+  lines.push('If we can reduce the FP rate from 69% to 30% through heuristic improvements:')
+  lines.push('- AI validation calls would drop by ~57%')
+  lines.push('- $3 scan cost would become ~$1.30')
+  lines.push('- Better user experience (less noise to review)')
+  lines.push('')
+
+  return lines.join('\n')
+}
+
+async function main() {
+  console.log('Loading scan results...')
+
+  // Find rejected findings from all repos
+  const allRejected: RejectedFinding[] = [
+    ...findRejectedFindings('ai-cheap.json', 'ai-validated.json'),
+    ...findRejectedFindings('langchainjs-cheap.json', 'langchainjs-validated.json'),
+    ...findRejectedFindings('anthropic-cookbook-cheap.json', 'anthropic-cookbook-validated.json'),
+    ...findRejectedFindings('openai-cookbook-cheap.json', 'openai-cookbook-validated.json'),
+  ]
+
+  console.log(`Found ${allRejected.length} rejected findings (FPs)`)
+
+  // Load cheap scan totals by category
+  const cheapTotals: Record<string, number> = {}
+  const validatedTotals: Record<string, number> = {}
+
+  const cheapFiles = ['ai-cheap.json', 'langchainjs-cheap.json', 'anthropic-cookbook-cheap.json', 'openai-cookbook-cheap.json']
+  const validatedFiles = ['ai-validated.json', 'langchainjs-validated.json', 'anthropic-cookbook-validated.json', 'openai-cookbook-validated.json']
+
+  for (const f of cheapFiles) {
+    const result = loadScanResult(f)
+    if (!result) continue
+    for (const v of result.vulnerabilities) {
+      if (!['critical', 'high'].includes(v.severity)) continue
+      cheapTotals[v.category] = (cheapTotals[v.category] || 0) + 1
+    }
+  }
+
+  for (const f of validatedFiles) {
+    const result = loadScanResult(f)
+    if (!result) continue
+    for (const v of result.vulnerabilities) {
+      if (!['critical', 'high'].includes(v.severity)) continue
+      validatedTotals[v.category] = (validatedTotals[v.category] || 0) + 1
+    }
+  }
+
+  // Group rejected by category
+  const byCategory: Record<string, RejectedFinding[]> = {}
+  for (const f of allRejected) {
+    if (!byCategory[f.category]) byCategory[f.category] = []
+    byCategory[f.category].push(f)
+  }
+
+  // Analyze each category
+  const analyses: CategoryAnalysis[] = []
+  for (const [category, findings] of Object.entries(byCategory)) {
+    analyses.push(analyzeCategory(
+      category,
+      findings,
+      cheapTotals[category] || 0,
+      validatedTotals[category] || 0
+    ))
+  }
+
+  // Also add categories with 0% FP rate
+  for (const [category, count] of Object.entries(cheapTotals)) {
+    if (!byCategory[category]) {
+      analyses.push({
+        category,
+        cheapCount: count,
+        validatedCount: validatedTotals[category] || 0,
+        rejectedCount: 0,
+        fpRate: 0,
+        byPathType: {},
+        byTitle: {},
+        sampleFindings: [],
+      })
+    }
+  }
+
+  // Generate report
+  const markdown = generateMarkdown(analyses)
+
+  // Ensure output directory exists
+  const outputDir = path.dirname(OUTPUT_PATH)
+  if (!fs.existsSync(outputDir)) {
+    fs.mkdirSync(outputDir, { recursive: true })
+  }
+
+  fs.writeFileSync(OUTPUT_PATH, markdown)
+  console.log(`\nReport saved to: ${OUTPUT_PATH}`)
+
+  // Print summary
+  console.log('\n=== SUMMARY ===')
+  console.log('Categories with highest FP rates:')
+  for (const a of analyses.sort((a, b) => b.fpRate - a.fpRate).slice(0, 5)) {
+    if (a.cheapCount === 0) continue
+    console.log(`  ${a.category}: ${a.fpRate}% FP rate (${a.rejectedCount}/${a.cheapCount})`)
+  }
+}
+
+main().catch(console.error)

package/src/__tests__/validation/run-validation.ts

@@ -0,0 +1,364 @@
+#!/usr/bin/env npx tsx
+/**
+ * M7: Real-Repo Validation Script
+ *
+ * Runs security scans on real-world AI/LLM codebases to validate
+ * scanner effectiveness before beta launch.
+ *
+ * Target repos:
+ * - langchainjs (LangChain.js)
+ * - ai (Vercel AI SDK)
+ * - openai-cookbook
+ * - anthropic-cookbook
+ *
+ * Usage:
+ *   npx tsx packages/scanner/src/__tests__/validation/run-validation.ts
+ *   npx tsx packages/scanner/src/__tests__/validation/run-validation.ts --repo langchainjs
+ *   npx tsx packages/scanner/src/__tests__/validation/run-validation.ts --depth cheap
+ */
+
+import * as fs from 'fs'
+import * as path from 'path'
+import { glob } from 'glob'
+import { runScan, type ScanFile, type ScanResult, type ScanDepth } from '../../index'
+
+// Configuration
+const VALIDATION_DIR = path.join(__dirname, '../../../validation-repos')
+const RESULTS_DIR = path.join(__dirname, '../../../validation-results')
+
+const TARGET_REPOS = ['langchainjs', 'ai', 'openai-cookbook', 'anthropic-cookbook']
+const SCAN_DEPTHS: ScanDepth[] = ['cheap', 'validated']
+
+// File patterns to scan
+const INCLUDE_PATTERNS = [
+  '**/*.ts',
+  '**/*.tsx',
+  '**/*.js',
+  '**/*.jsx',
+  '**/*.py',
+  '**/*.json',
+  '**/*.yaml',
+  '**/*.yml',
+]
+
+// Patterns to exclude
+const EXCLUDE_PATTERNS = [
+  '**/node_modules/**',
+  '**/dist/**',
+  '**/build/**',
+  '**/.git/**',
+  '**/coverage/**',
+  '**/__pycache__/**',
+  '**/venv/**',
+  '**/.venv/**',
+  '**/vendor/**',
+  '**/*.min.js',
+  '**/*.bundle.js',
+  '**/package-lock.json',
+  '**/yarn.lock',
+  '**/pnpm-lock.yaml',
+]
+
+// Max file size (50KB as per scanner spec)
+const MAX_FILE_SIZE = 50 * 1024
+
+interface ValidationConfig {
+  repos: string[]
+  depths: ScanDepth[]
+  maxFilesPerRepo?: number
+  verbose: boolean
+}
+
+/**
+ * Collect scannable files from a repository
+ */
+async function collectFiles(repoPath: string, maxFiles?: number): Promise<ScanFile[]> {
+  const files: ScanFile[] = []
+
+  for (const pattern of INCLUDE_PATTERNS) {
+    const matches = await glob(pattern, {
+      cwd: repoPath,
+      ignore: EXCLUDE_PATTERNS,
+      nodir: true,
+      absolute: false,
+    })
+
+    for (const match of matches) {
+      if (maxFiles && files.length >= maxFiles) break
+
+      const filePath = path.join(repoPath, match)
+
+      try {
+        const stats = fs.statSync(filePath)
+        if (stats.size > MAX_FILE_SIZE) continue
+
+        const content = fs.readFileSync(filePath, 'utf-8')
+        const ext = path.extname(match).slice(1)
+
+        files.push({
+          path: match,
+          content,
+          language: getLanguage(ext),
+          size: stats.size,
+        })
+      } catch (err) {
+        // Skip files that can't be read
+        continue
+      }
+    }
+
+    if (maxFiles && files.length >= maxFiles) break
+  }
+
+  return files
+}
+
+/**
+ * Map file extension to language
+ */
+function getLanguage(ext: string): string {
+  const langMap: Record<string, string> = {
+    ts: 'typescript',
+    tsx: 'typescript',
+    js: 'javascript',
+    jsx: 'javascript',
+    py: 'python',
+    json: 'json',
+    yaml: 'yaml',
+    yml: 'yaml',
+  }
+  return langMap[ext] || ext
+}
+
+/**
+ * Run a scan on a repository
+ */
+async function scanRepo(
+  repoName: string,
+  depth: ScanDepth,
+  verbose: boolean,
+  maxFiles?: number
+): Promise<ScanResult> {
+  const repoPath = path.join(VALIDATION_DIR, repoName)
+
+  if (!fs.existsSync(repoPath)) {
+    throw new Error(`Repository not found: ${repoPath}. Run: git clone --depth 1 https://github.com/<org>/${repoName}.git ${repoPath}`)
+  }
+
+  console.log(`\n${'='.repeat(60)}`)
+  console.log(`Scanning: ${repoName} (depth: ${depth})`)
+  console.log('='.repeat(60))
+
+  // Collect files
+  const startCollect = Date.now()
+  const files = await collectFiles(repoPath, maxFiles)
+  const collectTime = Date.now() - startCollect
+
+  console.log(`Collected ${files.length} files in ${collectTime}ms`)
+
+  if (files.length === 0) {
+    throw new Error(`No scannable files found in ${repoPath}`)
+  }
+
+  // Run scan
+  const result = await runScan(
+    files,
+    {
+      name: repoName,
+      url: `https://github.com/${getRepoOrg(repoName)}/${repoName}`,
+      branch: 'main',
+    },
+    {
+      enableAI: depth !== 'cheap', // Only enable AI for validated/deep
+      scanDepth: depth,
+    },
+    verbose ? (progress) => {
+      console.log(`  [${progress.status}] ${progress.message}`)
+    } : undefined
+  )
+
+  // Print summary
+  console.log(`\nScan complete in ${result.scanDuration}ms`)
+  console.log(`  Files scanned: ${result.filesScanned}`)
+  console.log(`  Total findings: ${result.vulnerabilities.length}`)
+  console.log(`  Severity breakdown:`)
+  console.log(`    Critical: ${result.severityCounts.critical}`)
+  console.log(`    High:     ${result.severityCounts.high}`)
+  console.log(`    Medium:   ${result.severityCounts.medium}`)
+  console.log(`    Low:      ${result.severityCounts.low}`)
+  console.log(`    Info:     ${result.severityCounts.info}`)
+
+  return result
+}
+
+/**
+ * Get GitHub organization for a repo
+ */
+function getRepoOrg(repoName: string): string {
+  const orgs: Record<string, string> = {
+    langchainjs: 'langchain-ai',
+    ai: 'vercel',
+    'openai-cookbook': 'openai',
+    'anthropic-cookbook': 'anthropics',
+  }
+  return orgs[repoName] || 'unknown'
+}
+
+/**
+ * Save scan results to file
+ */
+function saveResults(repoName: string, depth: ScanDepth, result: ScanResult): string {
+  const outputPath = path.join(RESULTS_DIR, `${repoName}-${depth}.json`)
+
+  // Ensure results directory exists
+  if (!fs.existsSync(RESULTS_DIR)) {
+    fs.mkdirSync(RESULTS_DIR, { recursive: true })
+  }
+
+  fs.writeFileSync(outputPath, JSON.stringify(result, null, 2))
+  console.log(`Results saved to: ${outputPath}`)
+
+  return outputPath
+}
+
+/**
+ * Parse command line arguments
+ */
+function parseArgs(): ValidationConfig {
+  const args = process.argv.slice(2)
+  const config: ValidationConfig = {
+    repos: TARGET_REPOS,
+    depths: SCAN_DEPTHS,
+    verbose: false,
+  }
+
+  for (let i = 0; i < args.length; i++) {
+    const arg = args[i]
+
+    if (arg === '--repo' && args[i + 1]) {
+      const repo = args[i + 1]
+      if (!TARGET_REPOS.includes(repo)) {
+        console.error(`Unknown repo: ${repo}. Valid repos: ${TARGET_REPOS.join(', ')}`)
+        process.exit(1)
+      }
+      config.repos = [repo]
+      i++
+    } else if (arg === '--depth' && args[i + 1]) {
+      const depth = args[i + 1] as ScanDepth
+      if (!['cheap', 'validated', 'deep'].includes(depth)) {
+        console.error(`Invalid depth: ${depth}. Valid depths: cheap, validated, deep`)
+        process.exit(1)
+      }
+      config.depths = [depth]
+      i++
+    } else if (arg === '--max-files' && args[i + 1]) {
+      config.maxFilesPerRepo = parseInt(args[i + 1], 10)
+      i++
+    } else if (arg === '--verbose' || arg === '-v') {
+      config.verbose = true
+    } else if (arg === '--help' || arg === '-h') {
+      console.log(`
+M7: Real-Repo Validation Script
+
+Usage:
+  npx tsx run-validation.ts [options]
+
+Options:
+  --repo <name>       Scan only this repo (langchainjs, ai, openai-cookbook, anthropic-cookbook)
+  --depth <depth>     Use only this scan depth (cheap, validated, deep)
+  --max-files <n>     Limit files per repo (for faster testing)
+  --verbose, -v       Show detailed progress
+  --help, -h          Show this help
+
+Examples:
+  npx tsx run-validation.ts                           # Scan all repos at all depths
+  npx tsx run-validation.ts --repo langchainjs        # Scan only LangChain.js
+  npx tsx run-validation.ts --depth cheap             # Only cheap scans
+  npx tsx run-validation.ts --repo ai --max-files 50  # Quick test on Vercel AI SDK
+`)
+      process.exit(0)
+    }
+  }
+
+  return config
+}
+
+/**
+ * Main entry point
+ */
+async function main() {
+  const config = parseArgs()
+  const results: Map<string, ScanResult> = new Map()
+
+  console.log('\n' + '='.repeat(60))
+  console.log('M7: REAL-REPO VALIDATION')
+  console.log('='.repeat(60))
+  console.log(`Repos: ${config.repos.join(', ')}`)
+  console.log(`Depths: ${config.depths.join(', ')}`)
+  if (config.maxFilesPerRepo) {
+    console.log(`Max files per repo: ${config.maxFilesPerRepo}`)
+  }
+
+  // Check repos exist
+  for (const repo of config.repos) {
+    const repoPath = path.join(VALIDATION_DIR, repo)
+    if (!fs.existsSync(repoPath)) {
+      console.error(`\nError: Repository not found: ${repoPath}`)
+      console.error(`Please clone it first:`)
+      console.error(`  cd ${VALIDATION_DIR}`)
+      console.error(`  git clone --depth 1 https://github.com/${getRepoOrg(repo)}/${repo}.git`)
+      process.exit(1)
+    }
+  }
+
+  // Run scans
+  const totalScans = config.repos.length * config.depths.length
+  let scanCount = 0
+
+  for (const repo of config.repos) {
+    for (const depth of config.depths) {
+      scanCount++
+      console.log(`\n[${scanCount}/${totalScans}] Starting scan...`)
+
+      try {
+        const result = await scanRepo(repo, depth, config.verbose, config.maxFilesPerRepo)
+        const key = `${repo}-${depth}`
+        results.set(key, result)
+        saveResults(repo, depth, result)
+      } catch (err) {
+        console.error(`Error scanning ${repo} at ${depth}:`, err)
+      }
+    }
+  }
+
+  // Print summary
+  console.log('\n' + '='.repeat(60))
+  console.log('VALIDATION SUMMARY')
+  console.log('='.repeat(60))
+
+  for (const [key, result] of results) {
+    const [repo, depth] = key.split('-')
+    const mediumPlus = result.severityCounts.critical +
+                       result.severityCounts.high +
+                       result.severityCounts.medium
+
+    console.log(`\n${repo} (${depth}):`)
+    console.log(`  Files: ${result.filesScanned}`)
+    console.log(`  Total findings: ${result.vulnerabilities.length}`)
+    console.log(`  Medium+ findings: ${mediumPlus} (to triage)`)
+    console.log(`  Duration: ${result.scanDuration}ms`)
+  }
+
+  console.log('\n' + '='.repeat(60))
+  console.log('Next steps:')
+  console.log('1. Run analyze-results.ts to generate detailed metrics')
+  console.log('2. Review medium+ findings for FP triage')
+  console.log('3. Update docs/RESULTSCOMPARISON.md with findings')
+  console.log('='.repeat(60))
+}
+
+// Run
+main().catch(err => {
+  console.error('Validation failed:', err)
+  process.exit(1)
+})