npm - @oculum/scanner - Versions diffs - 1.0.10 → 1.0.12 - Mend

@oculum/scanner 1.0.10 → 1.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (520) hide show

package/dist/ai-context/index.d.ts +6 -0
package/dist/ai-context/index.d.ts.map +1 -0
package/dist/ai-context/index.js +13 -0
package/dist/ai-context/index.js.map +1 -0
package/dist/ai-context/manager.d.ts +67 -0
package/dist/ai-context/manager.d.ts.map +1 -0
package/dist/ai-context/manager.js +104 -0
package/dist/ai-context/manager.js.map +1 -0
package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/category-filter.d.ts +125 -0
package/dist/category-filter.d.ts.map +1 -0
package/dist/category-filter.js +360 -0
package/dist/category-filter.js.map +1 -0
package/dist/filtering/context-adjustments.d.ts +23 -0
package/dist/filtering/context-adjustments.d.ts.map +1 -0
package/dist/filtering/context-adjustments.js +100 -0
package/dist/filtering/context-adjustments.js.map +1 -0
package/dist/filtering/index.d.ts +3 -0
package/dist/filtering/index.d.ts.map +1 -0
package/dist/filtering/index.js +8 -0
package/dist/filtering/index.js.map +1 -0
package/dist/filtering/pipeline.d.ts +48 -0
package/dist/filtering/pipeline.d.ts.map +1 -0
package/dist/filtering/pipeline.js +76 -0
package/dist/filtering/pipeline.js.map +1 -0
package/dist/formatters/ai-context.d.ts +23 -0
package/dist/formatters/ai-context.d.ts.map +1 -0
package/dist/formatters/ai-context.js +238 -0
package/dist/formatters/ai-context.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +2 -2
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +77 -13
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/ide/claude-code.d.ts +17 -0
package/dist/formatters/ide/claude-code.d.ts.map +1 -0
package/dist/formatters/ide/claude-code.js +94 -0
package/dist/formatters/ide/claude-code.js.map +1 -0
package/dist/formatters/ide/cursor.d.ts +13 -0
package/dist/formatters/ide/cursor.d.ts.map +1 -0
package/dist/formatters/ide/cursor.js +125 -0
package/dist/formatters/ide/cursor.js.map +1 -0
package/dist/formatters/ide/index.d.ts +62 -0
package/dist/formatters/ide/index.d.ts.map +1 -0
package/dist/formatters/ide/index.js +184 -0
package/dist/formatters/ide/index.js.map +1 -0
package/dist/formatters/ide/windsurf.d.ts +13 -0
package/dist/formatters/ide/windsurf.d.ts.map +1 -0
package/dist/formatters/ide/windsurf.js +117 -0
package/dist/formatters/ide/windsurf.js.map +1 -0
package/dist/formatters/index.d.ts +3 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +20 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +11 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +423 -56
package/dist/index.js.map +1 -1
package/dist/layer1/comments.d.ts +4 -1
package/dist/layer1/comments.d.ts.map +1 -1
package/dist/layer1/comments.js +1 -1
package/dist/layer1/comments.js.map +1 -1
package/dist/layer1/config-audit.d.ts +4 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +65 -14
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +23 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +4 -1
package/dist/layer1/entropy.d.ts.map +1 -1
package/dist/layer1/entropy.js +212 -1
package/dist/layer1/entropy.js.map +1 -1
package/dist/layer1/file-flags.d.ts +4 -1
package/dist/layer1/file-flags.d.ts.map +1 -1
package/dist/layer1/file-flags.js +12 -5
package/dist/layer1/file-flags.js.map +1 -1
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +22 -19
package/dist/layer1/index.js.map +1 -1
package/dist/layer1/patterns.d.ts +4 -1
package/dist/layer1/patterns.d.ts.map +1 -1
package/dist/layer1/patterns.js +34 -4
package/dist/layer1/patterns.js.map +1 -1
package/dist/layer1/urls.d.ts +4 -1
package/dist/layer1/urls.d.ts.map +1 -1
package/dist/layer1/urls.js +162 -14
package/dist/layer1/urls.js.map +1 -1
package/dist/layer1/weak-crypto.d.ts +4 -1
package/dist/layer1/weak-crypto.d.ts.map +1 -1
package/dist/layer1/weak-crypto.js +144 -7
package/dist/layer1/weak-crypto.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts +4 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +964 -2
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +18 -4
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts +4 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +688 -29
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts +4 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +28 -32
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +20 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +877 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +22 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +828 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +817 -17
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts +4 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +454 -3
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/ai-schema-validation.d.ts +4 -1
package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
package/dist/layer2/ai-schema-validation.js +2 -2
package/dist/layer2/ai-schema-validation.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts +2 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +209 -20
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts +4 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +5 -2
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +34 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +230 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +16 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +1152 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +111 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +684 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +163 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +24 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +70 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +147 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +102 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +4 -1
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +14 -38
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts +4 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +5 -2
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +12 -1
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +110 -45
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts +4 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +58 -20
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +23 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +444 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +4 -1
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +6 -2
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts +4 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +6 -2
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +199 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/modes/incremental.js +1 -1
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +3 -3
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +34 -7
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +140 -9
package/dist/types.d.ts.map +1 -1
package/dist/types.js +34 -0
package/dist/types.js.map +1 -1
package/dist/utils/code-analysis.d.ts +39 -0
package/dist/utils/code-analysis.d.ts.map +1 -0
package/dist/utils/code-analysis.js +159 -0
package/dist/utils/code-analysis.js.map +1 -0
package/dist/utils/comment-analyzer.d.ts +38 -0
package/dist/utils/comment-analyzer.d.ts.map +1 -0
package/dist/utils/comment-analyzer.js +218 -0
package/dist/utils/comment-analyzer.js.map +1 -0
package/dist/utils/context-helpers.d.ts +112 -1
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +364 -11
package/dist/utils/context-helpers.js.map +1 -1
package/dist/utils/environment-context.d.ts +76 -0
package/dist/utils/environment-context.d.ts.map +1 -0
package/dist/utils/environment-context.js +271 -0
package/dist/utils/environment-context.js.map +1 -0
package/dist/utils/intent-detector.d.ts +66 -0
package/dist/utils/intent-detector.d.ts.map +1 -0
package/dist/utils/intent-detector.js +282 -0
package/dist/utils/intent-detector.js.map +1 -0
package/dist/utils/parsed-file.d.ts +51 -0
package/dist/utils/parsed-file.d.ts.map +1 -0
package/dist/utils/parsed-file.js +95 -0
package/dist/utils/parsed-file.js.map +1 -0
package/dist/utils/route-hierarchy.d.ts +50 -0
package/dist/utils/route-hierarchy.d.ts.map +1 -0
package/dist/utils/route-hierarchy.js +226 -0
package/dist/utils/route-hierarchy.js.map +1 -0
package/dist/utils/schema-semantics.d.ts +45 -0
package/dist/utils/schema-semantics.d.ts.map +1 -0
package/dist/utils/schema-semantics.js +193 -0
package/dist/utils/schema-semantics.js.map +1 -0
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +30 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
package/src/__tests__/benchmark/run-depth-validation.ts +9 -9
package/src/__tests__/category-filter.test.ts +478 -0
package/src/__tests__/regression/known-false-positives.test.ts +490 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +762 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +0 -9
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/__tests__/validation/run-validation.ts +7 -7
package/src/ai-context/__tests__/manager.test.ts +193 -0
package/src/ai-context/index.ts +15 -0
package/src/ai-context/manager.ts +145 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/category-filter.ts +400 -0
package/src/filtering/__tests__/pipeline.test.ts +134 -0
package/src/filtering/context-adjustments.ts +111 -0
package/src/filtering/index.ts +10 -0
package/src/filtering/pipeline.ts +130 -0
package/src/formatters/__tests__/ai-context.test.ts +254 -0
package/src/formatters/ai-context.ts +302 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +82 -14
package/src/formatters/ide/__tests__/ide.test.ts +319 -0
package/src/formatters/ide/claude-code.ts +110 -0
package/src/formatters/ide/cursor.ts +147 -0
package/src/formatters/ide/index.ts +216 -0
package/src/formatters/ide/windsurf.ts +135 -0
package/src/formatters/index.ts +28 -0
package/src/index.ts +506 -45
package/src/layer1/comments.ts +3 -1
package/src/layer1/config-audit.ts +74 -14
package/src/layer1/config-mcp-audit.ts +278 -0
package/src/layer1/entropy.ts +234 -1
package/src/layer1/file-flags.ts +17 -6
package/src/layer1/index.ts +29 -23
package/src/layer1/patterns.ts +42 -4
package/src/layer1/urls.ts +188 -14
package/src/layer1/weak-crypto.ts +168 -16
package/src/layer2/ai-agent-tools.ts +1043 -2
package/src/layer2/ai-endpoint-protection.ts +19 -4
package/src/layer2/ai-execution-sinks.ts +755 -29
package/src/layer2/ai-fingerprinting.ts +33 -33
package/src/layer2/ai-mcp-security.ts +933 -0
package/src/layer2/ai-package-hallucination.ts +940 -0
package/src/layer2/ai-prompt-hygiene.ts +898 -17
package/src/layer2/ai-rag-safety.ts +467 -5
package/src/layer2/ai-schema-validation.ts +4 -2
package/src/layer2/auth-antipatterns.ts +235 -20
package/src/layer2/byok-patterns.ts +9 -3
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +292 -0
package/src/layer2/dangerous-functions/index.ts +1533 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +789 -0
package/src/layer2/dangerous-functions/patterns.ts +176 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +35 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +106 -0
package/src/layer2/data-exposure.ts +18 -39
package/src/layer2/framework-checks.ts +9 -2
package/src/layer2/index.ts +124 -43
package/src/layer2/logic-gates.ts +64 -22
package/src/layer2/model-supply-chain.ts +531 -0
package/src/layer2/risky-imports.ts +9 -2
package/src/layer2/variables.ts +9 -2
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +223 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/modes/incremental.ts +1 -1
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +45 -9
package/src/types.ts +212 -8
package/src/utils/__tests__/code-analysis.test.ts +165 -0
package/src/utils/__tests__/parsed-file.test.ts +124 -0
package/src/utils/code-analysis.ts +179 -0
package/src/utils/comment-analyzer.ts +249 -0
package/src/utils/context-helpers.ts +421 -11
package/src/utils/environment-context.ts +304 -0
package/src/utils/intent-detector.ts +318 -0
package/src/utils/parsed-file.ts +103 -0
package/src/utils/route-hierarchy.ts +250 -0
package/src/utils/schema-semantics.ts +233 -0
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/formatters/cli-terminal.ts CHANGED Viewed

@@ -5,6 +5,7 @@
 import type { ScanResult, Vulnerability, VulnerabilitySeverity } from '../types'
 import { groupByTheme, getBlockingIssues, GroupedFindings, THEME_CONFIG } from './grouping'
+import { computeFindingHash } from '../suppression/hash'
 /**
  * ANSI color codes
@@ -57,28 +58,101 @@ function severityBadge(severity: VulnerabilitySeverity): string {
   return c(style.color, `${style.symbol} ${style.label}`)
 }
+/**
+ * Format options for single finding
+ */
+interface FormatFindingOptions {
+  indent?: string
+  compact?: boolean
+  verbose?: boolean
+}
 /**
  * Format a single finding for terminal
+ * Default: Actionable output with impact, code, and fix steps
+ * Compact: Severity + title + location only
+ * Verbose: All of the above plus references and validation notes
  */
-function formatFinding(finding: Vulnerability, indent: string = '  '): string {
+function formatFinding(finding: Vulnerability, options: FormatFindingOptions = {}): string {
+  const { indent = '  ', compact = false, verbose = false } = options
   const badge = severityBadge(finding.severity)
   const location = c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`)
+  const hash = computeFindingHash(finding)
+  // Compact mode: just severity, title, and location
+  if (compact) {
+    return `${indent}${badge} ${c(colors.bold, finding.title)}  ${location}\n`
+  }
+  // Default actionable output
   let output = `${indent}${badge} ${c(colors.bold, finding.title)}\n`
   output += `${indent}   ${location}\n`
-  output += `${indent}   ${c(colors.dim, finding.description)}\n`
+  output += '\n'
+  // Impact (why this matters) - shown by default
+  if (finding.impact) {
+    output += `${indent}   ${c(colors.yellow + colors.bold, 'Impact:')} ${finding.impact}\n`
+    output += '\n'
+  }
+  // Code snippet
+  if (finding.lineContent && finding.lineContent.trim()) {
+    output += `${indent}   ${c(colors.dim, 'Code:')} ${c(colors.white, finding.lineContent.trim().substring(0, 80))}${finding.lineContent.trim().length > 80 ? '...' : ''}\n`
+    output += '\n'
+  }
-  if (finding.suggestedFix) {
+  // Fix steps - shown by default (numbered list)
+  if (finding.fixSteps && finding.fixSteps.length > 0) {
+    output += `${indent}   ${c(colors.green + colors.bold, 'Fix:')}\n`
+    finding.fixSteps.forEach((step, i) => {
+      output += `${indent}   ${c(colors.green, `${i + 1}. ${step}`)}\n`
+    })
+    output += '\n'
+  } else if (finding.suggestedFix) {
+    // Fallback to legacy suggestedFix field
     output += `${indent}   ${c(colors.green, '💡 ' + finding.suggestedFix)}\n`
+    output += '\n'
   }
+  // Verbose mode: show additional details
+  if (verbose) {
+    // Description
+    output += `${indent}   ${c(colors.dim, finding.description)}\n`
+    // References (OWASP/CWE links)
+    if (finding.references && finding.references.length > 0) {
+      output += `${indent}   ${c(colors.blue, 'References:')}\n`
+      finding.references.forEach(ref => {
+        output += `${indent}   ${c(colors.blue, `  • ${ref}`)}\n`
+      })
+    }
+    // Validation notes (if AI validated)
+    if (finding.validationNotes) {
+      output += `${indent}   ${c(colors.dim, `[AI] ${finding.validationNotes}`)}\n`
+    }
+    // AI enhanced indicator
+    if (finding.aiEnhanced) {
+      output += `${indent}   ${c(colors.magenta, '✨ AI-enhanced fix suggestion')}\n`
+    }
+  }
+  // Suppress command - always shown
+  output += `${indent}   ${c(colors.dim, `Suppress: oculum ignore ${hash} --file "${finding.filePath}:${finding.lineNumber}" --reason "..."`)}\n`
   return output
 }
 /**
  * Format a group of findings
  */
-function formatGroup(group: GroupedFindings, maxFindings: number = 10): string {
+function formatGroup(group: GroupedFindings, options: {
+  maxFindings?: number
+  compact?: boolean
+  verbose?: boolean
+} = {}): string {
+  const { maxFindings = 10, compact = false, verbose = false } = options
   const { theme, themeName, findings, severityCounts } = group
   const config = THEME_CONFIG[theme]
@@ -96,7 +170,7 @@ function formatGroup(group: GroupedFindings, maxFindings: number = 10): string {
   // Show findings
   const shown = findings.slice(0, maxFindings)
   for (const finding of shown) {
-    output += formatFinding(finding) + '\n'
+    output += formatFinding(finding, { compact, verbose }) + '\n'
   }
   // Truncation notice
@@ -107,6 +181,32 @@ function formatGroup(group: GroupedFindings, maxFindings: number = 10): string {
   return output
 }
+/**
+ * Format baseline diff summary
+ */
+function formatDiffSummary(baselineDiff: NonNullable<ScanResult['baselineDiff']>): string {
+  let output = ''
+  output += c(colors.bold, 'Baseline Comparison') + '\n'
+  output += c(colors.dim, '─'.repeat(40)) + '\n'
+  output += `  🆕 ${c(colors.yellow, `${baselineDiff.newCount} new`)} findings\n`
+  output += `  ✅ ${c(colors.green, `${baselineDiff.fixedCount} fixed`)} since baseline\n`
+  output += `  📋 ${c(colors.dim, `${baselineDiff.existingCount} existing`)} (in baseline)\n`
+  output += '\n'
+  // Format baseline date
+  const baselineDate = new Date(baselineDiff.baselineCreatedAt)
+  const dateStr = baselineDate.toLocaleDateString('en-US', {
+    year: 'numeric',
+    month: 'short',
+    day: 'numeric',
+  })
+  const commitStr = baselineDiff.baselineCommit ? ` (${baselineDiff.baselineCommit})` : ''
+  output += c(colors.dim, `Baseline from ${dateStr}${commitStr}`) + '\n\n'
+  return output
+}
 /**
  * Format full scan result for terminal
  */
@@ -114,13 +214,17 @@ export function formatTerminalOutput(result: ScanResult, options: {
   maxFindingsPerGroup?: number
   showAllFindings?: boolean
   noColor?: boolean
+  compact?: boolean
+  verbose?: boolean
 } = {}): string {
   const {
     maxFindingsPerGroup = 10,
     showAllFindings = false,
+    compact = false,
+    verbose = false,
   } = options
-  const { vulnerabilities, severityCounts, hasBlockingIssues, filesScanned, scanDuration } = result
+  const { vulnerabilities, severityCounts, hasBlockingIssues, filesScanned, scanDuration, baselineDiff } = result
   let output = '\n'
@@ -129,6 +233,11 @@ export function formatTerminalOutput(result: ScanResult, options: {
   output += c(colors.bold, '  OCULUM SECURITY SCAN RESULTS') + '\n'
   output += c(colors.bold, '═'.repeat(60)) + '\n\n'
+  // Baseline diff summary (if present)
+  if (baselineDiff) {
+    output += formatDiffSummary(baselineDiff)
+  }
   // Status
   if (hasBlockingIssues) {
     const blocking = severityCounts.critical + severityCounts.high
@@ -157,7 +266,7 @@ export function formatTerminalOutput(result: ScanResult, options: {
     output += c(colors.red, 'These must be fixed before merging:') + '\n\n'
     for (const finding of blockingIssues.slice(0, 10)) {
-      output += formatFinding(finding)
+      output += formatFinding(finding, { compact, verbose })
       output += '\n'
     }
@@ -182,7 +291,47 @@ export function formatTerminalOutput(result: ScanResult, options: {
       if (nonBlocking.length === 0 && blockingIssues.length > 0) continue
     }
-    output += formatGroup(group, maxFindingsPerGroup)
+    output += formatGroup(group, { maxFindings: maxFindingsPerGroup, compact, verbose })
+  }
+  // Suppressed findings section (if any)
+  if (result.suppressedVulnerabilities && result.suppressedVulnerabilities.length > 0) {
+    output += '\n' + c(colors.dim, '─'.repeat(60)) + '\n'
+    output += c(colors.dim + colors.bold, 'SUPPRESSED FINDINGS') + '\n'
+    output += c(colors.dim, `${result.suppressedVulnerabilities.length} findings suppressed`) + '\n\n'
+    for (const suppressed of result.suppressedVulnerabilities.slice(0, 5)) {
+      const typeLabel = suppressed.suppressionType === 'inline' ? 'inline'
+        : suppressed.suppressionType === 'config-finding' ? 'config'
+        : 'rule'
+      output += c(colors.dim, `  ${suppressed.hash.slice(0, 8)} ${suppressed.filePath}:${suppressed.lineNumber}`) + '\n'
+      output += c(colors.dim, `    ${suppressed.title}`) + '\n'
+      output += c(colors.dim, `    [${typeLabel}] ${suppressed.suppressionReason}`) + '\n'
+      if (suppressed.expires) {
+        output += c(colors.dim, `    Expires: ${suppressed.expires}`) + '\n'
+      }
+      output += '\n'
+    }
+    if (result.suppressedVulnerabilities.length > 5) {
+      output += c(colors.dim, `  ... and ${result.suppressedVulnerabilities.length - 5} more suppressed\n`)
+    }
+  }
+  // Suppression stats (if any)
+  if (result.suppressionStats && (result.suppressionStats.inlineSuppressed > 0 ||
+      result.suppressionStats.configFindingSuppressed > 0 ||
+      result.suppressionStats.configRuleSuppressed > 0)) {
+    const stats = result.suppressionStats
+    const parts: string[] = []
+    if (stats.inlineSuppressed > 0) parts.push(`${stats.inlineSuppressed} inline`)
+    if (stats.configFindingSuppressed > 0) parts.push(`${stats.configFindingSuppressed} config`)
+    if (stats.configRuleSuppressed > 0) parts.push(`${stats.configRuleSuppressed} rule`)
+    if (stats.expired > 0) parts.push(`${stats.expired} expired`)
+    if (!result.suppressedVulnerabilities) {
+      output += '\n' + c(colors.dim, `Suppressed: ${parts.join(', ')}`) + '\n'
+    }
   }
   // Footer
@@ -192,6 +341,222 @@ export function formatTerminalOutput(result: ScanResult, options: {
   return output
 }
+/**
+ * Compact summary options
+ */
+export interface CompactSummaryOptions {
+  /** Number findings for reference with show command */
+  showNumbers?: boolean
+  /** Limit shown per severity (default: 5) */
+  maxPerSeverity?: number
+  /** Show "Run oculum show..." hint */
+  showHint?: boolean
+  /** Disable colors */
+  noColor?: boolean
+}
+/**
+ * Format compact summary grouped by severity
+ * Output format:
+ *   HIGH (2)
+ *      1. SQL injection in src/api/users.ts:42
+ *      2. Missing auth in src/api/admin.ts:15
+ */
+export function formatCompactSummary(
+  vulnerabilities: Vulnerability[],
+  options: CompactSummaryOptions = {}
+): string {
+  const {
+    showNumbers = true,
+    maxPerSeverity = 5,
+    showHint = true,
+    noColor = false,
+  } = options
+  if (vulnerabilities.length === 0) {
+    return noColor
+      ? 'No security issues found.'
+      : c(colors.green, '✓ No security issues found.')
+  }
+  // Group by severity
+  const bySeverity: Record<VulnerabilitySeverity, Vulnerability[]> = {
+    critical: [],
+    high: [],
+    medium: [],
+    low: [],
+    info: [],
+  }
+  for (const v of vulnerabilities) {
+    bySeverity[v.severity].push(v)
+  }
+  // Build output
+  let output = ''
+  let globalIndex = 1
+  const severityOrder: VulnerabilitySeverity[] = ['critical', 'high', 'medium', 'low', 'info']
+  const severityColors: Record<VulnerabilitySeverity, string> = {
+    critical: colors.bgRed + colors.white,
+    high: colors.red,
+    medium: colors.yellow,
+    low: colors.blue,
+    info: colors.gray,
+  }
+  for (const severity of severityOrder) {
+    const findings = bySeverity[severity]
+    if (findings.length === 0) continue
+    // Severity header
+    const label = severity.toUpperCase()
+    const header = noColor
+      ? `${label} (${findings.length})`
+      : c(severityColors[severity] + colors.bold, `${label} (${findings.length})`)
+    output += `\n  ${header}\n`
+    // Show findings
+    const shown = findings.slice(0, maxPerSeverity)
+    for (const finding of shown) {
+      const num = showNumbers ? `${globalIndex}. ` : ''
+      const location = noColor
+        ? `${finding.filePath}:${finding.lineNumber}`
+        : c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`)
+      output += noColor
+        ? `     ${num}${finding.title} in ${location}\n`
+        : `     ${c(colors.dim, num)}${finding.title} ${c(colors.dim, 'in')} ${location}\n`
+      globalIndex++
+    }
+    // Show truncation notice
+    if (findings.length > maxPerSeverity) {
+      const more = findings.length - maxPerSeverity
+      const truncated = noColor
+        ? `     ... and ${more} more\n`
+        : c(colors.dim, `     ... and ${more} more\n`)
+      output += truncated
+      globalIndex += more // Increment for hidden findings
+    }
+  }
+  // Hint at bottom
+  if (showHint && vulnerabilities.length > 0) {
+    output += '\n'
+    output += noColor
+      ? "Run 'oculum show 1' for details · 'oculum fix' for suggestions\n"
+      : c(colors.dim, "Run 'oculum show 1' for details · 'oculum fix' for suggestions\n")
+  }
+  return output
+}
+/**
+ * Format a numbered finding list for the show command
+ * Returns findings with their numbers for reference
+ */
+export function getNumberedFindings(vulnerabilities: Vulnerability[]): Array<{ number: number; finding: Vulnerability }> {
+  return vulnerabilities.map((finding, index) => ({
+    number: index + 1,
+    finding,
+  }))
+}
+/**
+ * Format a single finding detail view for the show command
+ */
+export function formatFindingDetail(
+  finding: Vulnerability,
+  number: number,
+  options: { verbose?: boolean; noColor?: boolean } = {}
+): string {
+  const { verbose = false, noColor = false } = options
+  let output = ''
+  // Header
+  const badge = noColor
+    ? `[${finding.severity.toUpperCase()}]`
+    : severityBadge(finding.severity)
+  const title = noColor ? finding.title : c(colors.bold, finding.title)
+  output += `\n#${number} ${badge} ${title}\n`
+  // Location
+  const location = noColor
+    ? finding.filePath + ':' + finding.lineNumber
+    : c(colors.cyan, `${finding.filePath}:${finding.lineNumber}`)
+  output += `   ${location}\n`
+  output += '\n'
+  // Impact
+  if (finding.impact) {
+    const impactLabel = noColor ? 'Impact:' : c(colors.yellow + colors.bold, 'Impact:')
+    output += `   ${impactLabel} ${finding.impact}\n`
+    output += '\n'
+  }
+  // Code snippet
+  if (finding.lineContent && finding.lineContent.trim()) {
+    const codeLabel = noColor ? 'Code:' : c(colors.dim, 'Code:')
+    const code = finding.lineContent.trim().substring(0, 100)
+    const codeText = noColor ? code : c(colors.white, code)
+    output += `   ${codeLabel} ${codeText}${finding.lineContent.trim().length > 100 ? '...' : ''}\n`
+    output += '\n'
+  }
+  // Description
+  output += noColor
+    ? `   ${finding.description}\n`
+    : `   ${c(colors.dim, finding.description)}\n`
+  output += '\n'
+  // Fix steps
+  if (finding.fixSteps && finding.fixSteps.length > 0) {
+    const fixLabel = noColor ? 'How to fix:' : c(colors.green + colors.bold, 'How to fix:')
+    output += `   ${fixLabel}\n`
+    finding.fixSteps.forEach((step, i) => {
+      const stepText = noColor ? `${i + 1}. ${step}` : c(colors.green, `${i + 1}. ${step}`)
+      output += `   ${stepText}\n`
+    })
+    output += '\n'
+  } else if (finding.suggestedFix) {
+    const fixLabel = noColor ? 'Suggested fix:' : c(colors.green + colors.bold, 'Suggested fix:')
+    output += `   ${fixLabel} ${finding.suggestedFix}\n`
+    output += '\n'
+  }
+  // Verbose mode: additional details
+  if (verbose) {
+    // References
+    if (finding.references && finding.references.length > 0) {
+      const refLabel = noColor ? 'References:' : c(colors.blue, 'References:')
+      output += `   ${refLabel}\n`
+      finding.references.forEach(ref => {
+        output += noColor
+          ? `   - ${ref}\n`
+          : `   ${c(colors.blue, `- ${ref}`)}\n`
+      })
+      output += '\n'
+    }
+    // Validation notes
+    if (finding.validationNotes) {
+      const notesLabel = noColor ? '[AI]' : c(colors.magenta, '[AI]')
+      output += `   ${notesLabel} ${finding.validationNotes}\n`
+      output += '\n'
+    }
+    // Category and confidence
+    output += noColor
+      ? `   Category: ${finding.category} · Confidence: ${finding.confidence || 'medium'} · Layer: ${finding.layer}\n`
+      : c(colors.dim, `   Category: ${finding.category} · Confidence: ${finding.confidence || 'medium'} · Layer: ${finding.layer}\n`)
+  }
+  return output
+}
 /**
  * Format as simple list (no grouping, no colors)
  */
@@ -317,6 +682,76 @@ const RULE_METADATA: Record<string, { name: string; description: string; helpUri
  * For integration with GitHub Code Scanning
  */
 export function formatSARIF(result: ScanResult): object {
+  // Build results from active vulnerabilities
+  const activeResults = result.vulnerabilities.map((v, index) => ({
+    ruleId: v.category,
+    ruleIndex: getRuleIndex(result.vulnerabilities, v.category),
+    level: mapSeverityToSARIF(v.severity),
+    message: {
+      text: v.description,
+    },
+    locations: [{
+      physicalLocation: {
+        artifactLocation: {
+          uri: v.filePath,
+          uriBaseId: '%SRCROOT%',
+        },
+        region: {
+          startLine: v.lineNumber,
+          startColumn: 1,
+          snippet: v.lineContent ? { text: v.lineContent } : undefined,
+        },
+      },
+    }],
+    fingerprints: {
+      'oculum/v1': `${v.category}:${v.filePath}:${v.lineNumber}`,
+    },
+    fixes: v.suggestedFix ? [{
+      description: {
+        text: v.suggestedFix,
+      },
+    }] : undefined,
+    properties: {
+      confidence: v.confidence,
+      layer: v.layer,
+    },
+  }))
+  // Build results from suppressed vulnerabilities (with SARIF suppression state)
+  const suppressedResults = (result.suppressedVulnerabilities || []).map((s) => ({
+    ruleId: s.category,
+    ruleIndex: 0, // Will be resolved by GitHub
+    level: mapSeverityToSARIF(s.severity),
+    message: {
+      text: s.title,
+    },
+    locations: [{
+      physicalLocation: {
+        artifactLocation: {
+          uri: s.filePath,
+          uriBaseId: '%SRCROOT%',
+        },
+        region: {
+          startLine: s.lineNumber,
+          startColumn: 1,
+        },
+      },
+    }],
+    fingerprints: {
+      'oculum/v1': `${s.category}:${s.filePath}:${s.lineNumber}`,
+      'oculum/hash': s.hash,
+    },
+    suppressions: [{
+      kind: s.suppressionType === 'inline' ? 'inSource' : 'external',
+      justification: s.suppressionReason,
+      state: 'accepted',
+    }],
+    properties: {
+      suppressionType: s.suppressionType,
+      expires: s.expires,
+    },
+  }))
   return {
     $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
     version: '2.1.0',
@@ -330,39 +765,7 @@ export function formatSARIF(result: ScanResult): object {
           rules: getUniqueRules(result.vulnerabilities),
         },
       },
-      results: result.vulnerabilities.map((v, index) => ({
-        ruleId: v.category,
-        ruleIndex: getRuleIndex(result.vulnerabilities, v.category),
-        level: mapSeverityToSARIF(v.severity),
-        message: {
-          text: v.description,
-        },
-        locations: [{
-          physicalLocation: {
-            artifactLocation: {
-              uri: v.filePath,
-              uriBaseId: '%SRCROOT%',
-            },
-            region: {
-              startLine: v.lineNumber,
-              startColumn: 1,
-              snippet: v.lineContent ? { text: v.lineContent } : undefined,
-            },
-          },
-        }],
-        fingerprints: {
-          'oculum/v1': `${v.category}:${v.filePath}:${v.lineNumber}`,
-        },
-        fixes: v.suggestedFix ? [{
-          description: {
-            text: v.suggestedFix,
-          },
-        }] : undefined,
-        properties: {
-          confidence: v.confidence,
-          layer: v.layer,
-        },
-      })),
+      results: [...activeResults, ...suppressedResults],
       columnKind: 'utf16CodeUnits',
     }],
   }