@prodcycle/prodcycle 0.6.1 → 0.6.2

package/dist/index.d.ts

@@ -4,13 +4,10 @@ export * from './formatters/table';
 export * from './formatters/prompt';
 export * from './formatters/sarif';
 /**
- * Set when the server-side scanner threw and the API was configured to
+ * Set when the upstream scanner threw and the service was configured to
  * fail closed (the default). When this is present, callers MUST treat
  * `passed: false` as "scanner unavailable — cannot certify compliance"
- * rather than "code is dirty." Mirrors the API's `ScannerErrorInfo`
- * shape; see `packages/compliance-code-scanner/api/src/domain/services/
- * compliance-scan.service.ts` (`ScannerErrorInfo`) for the field
- * contract.
+ * rather than "code is dirty."
  *
  * Without this surfaced to the CLI's --output JSON, a benchmark or CI
  * report shows `passed: false, findings: []` and the user can't tell

package/dist/utils/fs.js

@@ -58,21 +58,18 @@ const MAX_TOTAL_FILES = (() => {
     return Number.isFinite(parsed) && parsed > 0 ? parsed : 50_000;
 })();
 /**
- * Extensions and exact filenames the server-side `isScannable` filter
- * accepts. Pre-filtering client-side avoids:
+ * Extensions and exact filenames the upstream scanner accepts. Pre-
+ * filtering client-side avoids:
  *   - bloating the wire payload with images / fonts / docs / archives
- *     that the API just drops on receipt
+ *     that the service just drops on receipt
  *   - hitting MAX_TOTAL_FILES on repos like hapi-fhir or the Linux
  *     kernel where most files are not scannable
  *
- * Keep in lock-step with `api/src/domain/services/compliance-scan.service.ts`:
- *   - APPLICATION_CODE_EXTENSIONS (the source-code allowlist)
- *   - INFRASTRUCTURE_EXTENSIONS (.tf, .yaml, .yml, .json, .sql)
- *   - INFRASTRUCTURE_FILENAMES (dockerfile, .env)
- *
- * Files outside this set are skipped during walk. Source-of-truth is
- * the server filter; this is just an optimization so we don't pay the
- * wire cost for files the server will reject anyway.
+ * The upstream allowlist is the source of truth — this set is an
+ * optimization, not a security boundary. Drift between the two sets
+ * is benign (extra entries here just send files the service will
+ * drop; missing entries here just send extra non-scannable files).
+ * The lockstep contract is enforced by `lockstep-fs.test.mjs`.
  */
 const SCANNABLE_EXTENSIONS = new Set([
     // Application code (must mirror APPLICATION_CODE_EXTENSIONS in the API)
@@ -106,8 +103,9 @@ const SCANNABLE_FILENAMES = new Set([
     '.env',
 ]);
 /**
- * Directories skipped unconditionally. Kept in parity with
- * `packages/compliance-code-scanner/src/ignore-utils.ts`.
+ * Directories skipped unconditionally. Kept in parity with the upstream
+ * scanner's directory blocklist; the lockstep contract is enforced by
+ * `lockstep-fs.test.mjs`.
  */
 const SKIP_DIRS = new Set([
     'node_modules',
@@ -162,11 +160,37 @@ const SKIP_FILE_NAMES = new Set([
  * (see server-side fix in ignore-utils.ts).
  */
 function loadGitignore(repoPath) {
+    return readIgnoreFile(path.join(repoPath, '.gitignore'));
+}
+/**
+ * Load .prodcycleignore patterns from the repo root. Same gitignore-style
+ * syntax as `.gitignore`, applied additively on top of it.
+ *
+ * Use case: opt-in suppression for files that should be skipped at scan
+ * time but kept in version control. Concrete motivating cases from the
+ * OSS-bench sweep:
+ *
+ *   - `gitleaks/cmd/generate/config/rules/aws.go` (and siblings) — scanner
+ *     rule definitions embed example credentials inside Go struct literals
+ *     (e.g. `AKIA[0-9A-Z]{16}` as a regex pattern); the SOC2/HIPAA
+ *     hardcoded-credential rule has no way to distinguish those from real
+ *     creds.
+ *   - `bandit/.../extension_loader.py` (and siblings) — same FP class:
+ *     scanner source ships representative credential-shape patterns as
+ *     Python string literals.
+ *
+ * Patterns in `.prodcycleignore` are also dropped if they start with `!`
+ * (same negation-handling limitation as `.gitignore` here — the simple
+ * minimatch path doesn't have gitignore's re-include semantics).
+ */
+function loadProdcycleIgnore(repoPath) {
+    return readIgnoreFile(path.join(repoPath, '.prodcycleignore'));
+}
+function readIgnoreFile(filePath) {
     try {
-        const gitignorePath = path.join(repoPath, '.gitignore');
-        if (!fs.existsSync(gitignorePath))
+        if (!fs.existsSync(filePath))
             return [];
-        const content = fs.readFileSync(gitignorePath, 'utf-8');
+        const content = fs.readFileSync(filePath, 'utf-8');
         return content
             .split('\n')
             .map((line) => line.trim())
@@ -184,8 +208,23 @@ function matchesAny(filePath, patterns) {
  * Decide whether a directory or file entry should be excluded from collection.
  * Mirrors server `shouldIgnore` so scanner results stay consistent between
  * client-collected (CLI) and server-collected paths.
+ *
+ * Precedence (highest → lowest):
+ *   1. `SKIP_DIRS` / hidden-dir / suffix rules — unconditional.
+ *   2. `userExcludes` (CLI `--exclude`) — explicit user intent on this
+ *      invocation.
+ *   3. `prodcycleIgnores` (`.prodcycleignore`) — explicit user intent
+ *      written into the repo. Overrides the `.env*` carve-out below
+ *      because the user is opting out at scan time on purpose (e.g.
+ *      `.env.example` containing placeholder credentials in a
+ *      scanner-source repo). `.gitignore` is NOT promoted to this
+ *      precedence because gitignored `.env*` files are routinely
+ *      committed-but-ignored real-credential locations and we want
+ *      the secret-detection rule to fire.
+ *   4. `.env*` carve-out — always-scan, overrides `.gitignore` only.
+ *   5. `gitignores` (`.gitignore`) — incidental git-tracking config.
  */
-function shouldIgnore(name, relPath, ignores, userExcludes) {
+function shouldIgnore(name, relPath, gitignores, prodcycleIgnores, userExcludes) {
     if (SKIP_DIRS.has(name) ||
         SKIP_DIR_SUFFIXES.some((s) => name.endsWith(s)) ||
         (name.startsWith('.') &&
@@ -206,6 +245,25 @@ function shouldIgnore(name, relPath, ignores, userExcludes) {
         if (matchesAny(relPath, userExcludes))
             return true;
     }
+    // `.prodcycleignore` patterns are user-explicit scan-time intent —
+    // higher precedence than the `.env*` carve-out below. Without this
+    // ordering, a user trying to suppress a `.env.example` containing
+    // placeholder credentials in a scanner-source repo would find their
+    // pattern silently ignored. `.gitignore` patterns intentionally stay
+    // below the carve-out because gitignored `.env*` files are commonly
+    // real credentials we want to surface.
+    if (prodcycleIgnores.length > 0) {
+        for (const pattern of prodcycleIgnores) {
+            if (name === pattern ||
+                name + '/' === pattern ||
+                relPath === pattern ||
+                relPath + '/' === pattern) {
+                return true;
+            }
+        }
+        if (matchesAny(relPath, prodcycleIgnores))
+            return true;
+    }
     // .env-family files are always scanned even if .gitignored — the
     // common case for `.env`, `.env.local`, `.env.production`, `.envrc`,
     // etc., where the whole point of scanning is to catch hardcoded
@@ -216,7 +274,7 @@ function shouldIgnore(name, relPath, ignores, userExcludes) {
     // `compliance-code-scanner/src/ignore-utils.ts`.
     if (name.startsWith('.env'))
         return false;
-    for (const pattern of ignores) {
+    for (const pattern of gitignores) {
         if (name === pattern ||
             name + '/' === pattern ||
             relPath === pattern ||
@@ -224,7 +282,7 @@ function shouldIgnore(name, relPath, ignores, userExcludes) {
             return true;
         }
     }
-    if (matchesAny(relPath, ignores))
+    if (matchesAny(relPath, gitignores))
         return true;
     return false;
 }
@@ -266,13 +324,14 @@ function isScannableFilename(name) {
 }
 async function collectFiles(baseDir, includePatterns, excludePatterns) {
     const repoRoot = path.resolve(baseDir);
-    const ignores = loadGitignore(repoRoot);
+    const gitignores = loadGitignore(repoRoot);
+    const prodcycleIgnores = loadProdcycleIgnore(repoRoot);
     const files = {};
     const state = { count: 0, limitReached: false };
-    walk(repoRoot, repoRoot, ignores, includePatterns, excludePatterns, files, state);
+    walk(repoRoot, repoRoot, gitignores, prodcycleIgnores, includePatterns, excludePatterns, files, state);
     return files;
 }
-function walk(dir, repoRoot, ignores, includePatterns, userExcludes, files, state) {
+function walk(dir, repoRoot, gitignores, prodcycleIgnores, includePatterns, userExcludes, files, state) {
     if (state.limitReached)
         return;
     let entries;
@@ -289,14 +348,14 @@ function walk(dir, repoRoot, ignores, includePatterns, userExcludes, files, stat
         const fullPath = path.join(dir, name);
         const relPath = path.relative(repoRoot, fullPath);
         if (entry.isDirectory()) {
-            if (shouldIgnore(name, relPath, ignores, userExcludes))
+            if (shouldIgnore(name, relPath, gitignores, prodcycleIgnores, userExcludes))
                 continue;
-            walk(fullPath, repoRoot, ignores, includePatterns, userExcludes, files, state);
+            walk(fullPath, repoRoot, gitignores, prodcycleIgnores, includePatterns, userExcludes, files, state);
             continue;
         }
         if (!entry.isFile())
             continue;
-        if (shouldIgnore(name, relPath, ignores, userExcludes))
+        if (shouldIgnore(name, relPath, gitignores, prodcycleIgnores, userExcludes))
             continue;
         if (shouldSkipFileByName(name))
             continue;
@@ -323,6 +382,10 @@ function walk(dir, repoRoot, ignores, includePatterns, userExcludes, files, stat
         catch {
             continue;
         }
+        // Cheap pre-read filter: skip files obviously above the limit by disk
+        // size so we don't read multi-MB files into the heap only to reject
+        // them. Files that pass this check get a second post-decode check
+        // below.
         if (stats.size > MAX_FILE_SIZE)
             continue;
         let buffer;
@@ -334,7 +397,21 @@ function walk(dir, repoRoot, ignores, includePatterns, userExcludes, files, stat
         }
         if (isBinary(buffer))
             continue;
-        files[relPath] = buffer.toString('utf8');
+        const content = buffer.toString('utf8');
+        // Post-decode filter: the service enforces the 256 KB per-file limit
+        // on the UTF-8 byte length of the decoded string content, which can
+        // differ from the file's on-disk byte count. `buffer.toString('utf8')`
+        // silently replaces invalid UTF-8 byte sequences with U+FFFD (3 UTF-8
+        // bytes each), so a file with invalid bytes that's under 256 KB on
+        // disk can balloon over the limit after the round trip. The cheap
+        // `stats.size` check above would let it through; the service then
+        // rejects the entire chunk with 413 and torpedoes the scan.
+        // Re-measuring here keeps the CLI's filter aligned with the service
+        // enforcement. Concrete case from the GA-validation sweep:
+        // `web/pnpm-lock.yaml` with stray non-UTF-8 bytes.
+        if (Buffer.byteLength(content, 'utf8') > MAX_FILE_SIZE)
+            continue;
+        files[relPath] = content;
         state.count++;
     }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@prodcycle/prodcycle",
-  "version": "0.6.1",
+  "version": "0.6.2",
   "description": "Multi-framework policy-as-code compliance scanner for infrastructure and application code.",
   "homepage": "https://docs.prodcycle.com",
   "repository": {