@ship-safe/cli 1.1.16 → 1.1.17

package/dist/index.js

@@ -7,9 +7,9 @@ var __export = (target, all) => {
 
 // src/index.ts
 import { Command, InvalidArgumentError, Option } from "commander";
-import { readFileSync as readFileSync6 } from "fs";
+import { readFileSync as readFileSync7 } from "fs";
 import { fileURLToPath } from "url";
-import { dirname, join as join5 } from "path";
+import { dirname, join as join6 } from "path";
 
 // src/commands/scan.ts
 import { resolve as resolve2, join as join4 } from "path";
@@ -4178,6 +4178,12 @@ var FIX_PROMPT_LIMITS = {
 var LIFETIME_TIERS = new Set(
   Object.values(TIERS).filter((t) => t.aiScansAreLifetime).map((t) => t.id)
 );
+function isPaidTier(tier) {
+  if (!tier) return false;
+  if (tier === "badge") return true;
+  const def = TIERS[tier];
+  return def ? def.priceCents > 0 : false;
+}
 var LANGUAGE_EXTENSIONS = {
   ".js": "javascript",
   ".jsx": "javascript",
@@ -5125,6 +5131,35 @@ var SECRET_RULES = [
     languages: ["*"],
     patterns: [{ regex: `(?:OVSX_PAT|OVSX_TOKEN|OPEN_VSX_TOKEN)\\s*[:=]\\s*["']?[A-Za-z0-9-]{30,}`, type: "match" }],
     fix: { description: "Rotate at https://open-vsx.org/user-settings/tokens. Re-publish the latest known-good version of your extension after confirming the source hasn't been tampered with.", suggestion: "process.env.OVSX_PAT" }
+  },
+  {
+    id: "secrets/public-env-secret-exposed",
+    title: "Secret Exposed to the Browser via a Public Variable",
+    description: "A secret is tied to a public, client-bundled variable (VITE_, REACT_APP_, EXPO_PUBLIC_). These are inlined into the JavaScript shipped to every visitor, so anyone can read the key by viewing your site's source. (NEXT_PUBLIC_ is covered by a separate Next.js rule.)",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-200",
+    owasp: "A01:2021",
+    languages: ["*"],
+    patterns: [
+      // A public-prefixed variable whose NAME is unambiguously a server secret.
+      // Scoped to non-Next prefixes (framework/nextjs-public-env-secret owns
+      // NEXT_PUBLIC_) and to names that value-based rules can't catch from a bare
+      // `process.env.X` reference — so this is purely additive, no double-counting
+      // with llm/api-key-client-env. API_KEY/TOKEN are deliberately excluded (those
+      // overlap with value-based detection and legitimate publishable keys).
+      {
+        regex: "(?:VITE_|REACT_APP_|EXPO_PUBLIC_)[A-Z0-9_]*(?:SECRET|SERVICE_ROLE|PRIVATE|PASSWORD)(?!.*(?:anon|public))",
+        type: "match"
+      }
+    ],
+    excludePatterns: [
+      { regex: "ANON_KEY|PUBLISHABLE|PUBLIC_KEY|_URL\\b|_ID\\b", type: "context_line" }
+    ],
+    fix: {
+      description: "Never put a secret in a public variable. Use a server-only variable (drop the VITE_/EXPO_PUBLIC_ prefix) and read it from server code, or proxy the request through your backend so the key never reaches the browser.",
+      suggestion: "// server only \u2014 no public prefix:\nconst key = process.env.STRIPE_SECRET_KEY;"
+    }
   }
 ];
 var INJECTION_RULES = [
@@ -5203,6 +5238,56 @@ var INJECTION_RULES = [
     ],
     excludePatterns: [{ regex: "(?:__proto__|hasOwnProperty|prototype|constructor|sanitize|safeMerge|lodash\\.merge|deepmerge)", type: "context_line" }],
     fix: { description: "Validate that user-provided keys don't include __proto__, constructor, or prototype. Use Object.create(null) for key-value maps from user input.", suggestion: "if (['__proto__', 'constructor', 'prototype'].includes(key)) throw new Error('Invalid key')" }
+  },
+  {
+    id: "injection/python-sql-formatting",
+    title: "SQL Query Built with String Formatting (Python)",
+    description: "A SQL query passed to .execute() is built with % formatting or + concatenation. If any part comes from user input, this is SQL injection. Pass values as parameters instead. (f-string queries are caught separately.)",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-89",
+    owasp: "A03:2021",
+    languages: ["python"],
+    patterns: [
+      // f-strings are owned by framework/django-raw-sql; only the %/+ forms here,
+      // to stay purely additive and avoid double-counting one query.
+      { regex: `\\.execute(?:many)?\\s*\\(\\s*["'][^"']*["']\\s*%`, type: "match" },
+      { regex: `\\.execute(?:many)?\\s*\\(\\s*["'][^"']*["']\\s*\\+`, type: "match" }
+    ],
+    fix: {
+      description: "Use parameterized queries \u2014 pass values as the second argument to execute(), never format them into the SQL string.",
+      suggestion: 'cursor.execute("SELECT * FROM users WHERE id = %s", (user_id,))'
+    }
+  },
+  {
+    id: "injection/python-unsafe-yaml-load",
+    title: "Unsafe YAML Deserialization (Python)",
+    description: "yaml.load() without SafeLoader can construct arbitrary Python objects, so untrusted YAML can execute code on your server. Use yaml.safe_load() instead.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-502",
+    owasp: "A08:2021",
+    languages: ["python"],
+    patterns: [{ regex: "yaml\\.load\\s*\\((?![^)]{0,200}SafeLoader)", type: "match" }],
+    fix: {
+      description: "Use yaml.safe_load() for any input you don't fully control.",
+      suggestion: "data = yaml.safe_load(user_input)"
+    }
+  },
+  {
+    id: "config/flask-debug-enabled",
+    title: "Flask Debug Mode Enabled",
+    description: "Flask runs with debug=True. The Werkzeug interactive debugger lets anyone who triggers an error run arbitrary code on your server. Never enable debug mode in production.",
+    severity: "critical",
+    confidence: "high",
+    cwe: "CWE-489",
+    owasp: "A05:2021",
+    languages: ["python"],
+    patterns: [{ regex: "\\.run\\s*\\([^)]*debug\\s*=\\s*True", type: "match" }],
+    fix: {
+      description: "Never run Flask with debug=True in production. Drive it from an environment variable that defaults to off.",
+      suggestion: 'app.run(debug=os.environ.get("FLASK_DEBUG") == "1")'
+    }
   }
 ];
 var XSS_RULES = [
@@ -5290,6 +5375,10 @@ var AUTH_RULES = [
     languages: ["javascript", "typescript"],
     patterns: [
       { regex: `(?:Access-Control-Allow-Origin|origin)\\s*[:=]\\s*["']\\*["']`, type: "match" },
+      // Two-argument header form: res.header("Access-Control-Allow-Origin", "*")
+      // / res.setHeader(...) — very common in AI-generated Express code, missed by
+      // the colon/equals pattern above.
+      { regex: `["']Access-Control-Allow-Origin["']\\s*,\\s*["']\\*["']`, type: "match" },
       { regex: "cors\\(\\s*\\)", type: "match" },
       { regex: `cors\\(\\s*\\{\\s*origin\\s*:\\s*(?:true|\\*|["']\\*["'])`, type: "match" }
     ],
@@ -7002,6 +7091,10 @@ function dedupeEntries(entries) {
     return true;
   });
 }
+var OSV_QUERYBATCH_URL = "https://api.osv.dev/v1/querybatch";
+var OSV_VULN_URL = "https://api.osv.dev/v1/vulns";
+var MAX_ENRICH = 200;
+var ENRICH_CONCURRENCY = 8;
 async function queryOsv(packages) {
   const queries = packages.map((p) => ({
     package: { name: p.name, ecosystem: p.ecosystem },
@@ -7009,7 +7102,7 @@ async function queryOsv(packages) {
   }));
   let response;
   try {
-    response = await fetch("https://api.osv.dev/v1/querybatch", {
+    response = await fetch(OSV_QUERYBATCH_URL, {
       method: "POST",
       headers: { "Content-Type": "application/json" },
       body: JSON.stringify({ queries })
@@ -7025,38 +7118,84 @@ async function queryOsv(packages) {
     );
   }
   const data = await response.json();
-  const findings = [];
+  const matches = [];
+  const ids = /* @__PURE__ */ new Set();
   for (let i = 0; i < data.results.length; i++) {
     const result = data.results[i];
     const pkg = packages[i];
     if (!result?.vulns || result.vulns.length === 0 || !pkg) continue;
     for (const vuln of result.vulns) {
-      const cveAlias = vuln.aliases?.find((a) => a.startsWith("CVE-"));
-      const severity = mapOsvSeverity(vuln);
-      const fixedVersion = getFixedVersion(vuln, pkg.name);
-      const summaryText = vuln.summary ? vuln.summary.replace(/\n/g, " ").trim() : `Known vulnerability in ${pkg.name}`;
-      const humanTitle = summaryText.length > 120 ? summaryText.slice(0, 117) + "..." : summaryText;
-      findings.push({
-        id: `dep-${vuln.id}`,
-        ruleId: vuln.id,
-        title: humanTitle,
-        description: `${pkg.name}@${pkg.version} \u2014 ${vuln.id}${cveAlias ? ` (${cveAlias})` : ""}. ${summaryText}`,
-        plainEnglish: `Your dependency "${pkg.name}" version ${pkg.version} has a known vulnerability (${vuln.id}). ${summaryText}`,
-        severity,
-        confidence: "high",
-        source: "dependency",
-        file: pkg.lockfile,
-        line: 1,
-        snippet: `${pkg.name}@${pkg.version}`,
-        fix: {
-          description: fixedVersion ? `Upgrade ${pkg.name} to version ${fixedVersion} or later.` : `Check ${vuln.id} for remediation steps. Consider upgrading or replacing this dependency.`,
-          suggestion: fixedVersion ? `npm install ${pkg.name}@${fixedVersion}` : void 0
-        },
-        cwe: cveAlias
-      });
+      if (!vuln.id) continue;
+      matches.push({ pkg, id: vuln.id });
+      ids.add(vuln.id);
     }
   }
-  return findings;
+  if (matches.length === 0) return [];
+  const details = await fetchVulnDetails([...ids].slice(0, MAX_ENRICH));
+  return matches.map(
+    ({ pkg, id }) => buildDependencyFinding(pkg, id, details.get(id))
+  );
+}
+async function fetchVulnDetails(ids) {
+  const out = /* @__PURE__ */ new Map();
+  let cursor = 0;
+  async function worker() {
+    while (cursor < ids.length) {
+      const id = ids[cursor++];
+      if (!id) continue;
+      try {
+        const res = await fetch(`${OSV_VULN_URL}/${encodeURIComponent(id)}`);
+        if (res.ok) out.set(id, await res.json());
+      } catch {
+      }
+    }
+  }
+  const workers = Array.from(
+    { length: Math.min(ENRICH_CONCURRENCY, ids.length) },
+    () => worker()
+  );
+  await Promise.all(workers);
+  return out;
+}
+function upgradeCommand(pkg, version) {
+  switch (pkg.ecosystem) {
+    case "npm":
+      return `npm install ${pkg.name}@${version}`;
+    case "PyPI":
+      return `pip install --upgrade "${pkg.name}==${version}"`;
+    case "Go":
+      return `go get ${pkg.name}@v${version}`;
+    case "RubyGems":
+      return `bundle update ${pkg.name}`;
+    default:
+      return `Upgrade ${pkg.name} to ${version}`;
+  }
+}
+function buildDependencyFinding(pkg, id, vuln) {
+  const cveAlias = vuln?.aliases?.find((a) => a.startsWith("CVE-"));
+  const severity = vuln ? mapOsvSeverity(vuln) : "medium";
+  const fixedVersion = vuln ? getFixedVersion(vuln, pkg.name) : void 0;
+  const ref = cveAlias ?? id;
+  const summaryText = vuln?.summary ? vuln.summary.replace(/\n/g, " ").trim() : `Known vulnerability in ${pkg.name}`;
+  const humanTitle = summaryText.length > 120 ? summaryText.slice(0, 117) + "..." : summaryText;
+  return {
+    id: `dep-${id}`,
+    ruleId: id,
+    title: humanTitle,
+    description: `${pkg.name}@${pkg.version} \u2014 ${id}${cveAlias ? ` (${cveAlias})` : ""}. ${summaryText}`,
+    plainEnglish: `Your dependency "${pkg.name}" version ${pkg.version} has a known vulnerability (${ref}). ${summaryText}`,
+    severity,
+    confidence: "high",
+    source: "dependency",
+    file: pkg.lockfile,
+    line: 1,
+    snippet: `${pkg.name}@${pkg.version}`,
+    fix: {
+      description: fixedVersion ? `Upgrade ${pkg.name} to version ${fixedVersion} or later.` : `Check ${ref} for remediation steps. Consider upgrading or replacing this dependency.`,
+      suggestion: fixedVersion ? upgradeCommand(pkg, fixedVersion) : void 0
+    },
+    cwe: cveAlias
+  };
 }
 function mapOsvSeverity(vuln) {
   if (vuln.severity) {
@@ -7092,13 +7231,13 @@ function getFixedVersion(vuln, packageName) {
 }
 function deduplicateFindings(findings) {
   const seen = /* @__PURE__ */ new Map();
-  for (const finding of findings) {
-    const key = `${finding.file}:${finding.line}:${finding.ruleId}`;
+  for (const finding2 of findings) {
+    const key = `${finding2.file}:${finding2.line}:${finding2.ruleId}`;
     const existing = seen.get(key);
     if (!existing) {
-      seen.set(key, finding);
-    } else if (SEVERITY_ORDER[finding.severity] < SEVERITY_ORDER[existing.severity]) {
-      seen.set(key, finding);
+      seen.set(key, finding2);
+    } else if (SEVERITY_ORDER[finding2.severity] < SEVERITY_ORDER[existing.severity]) {
+      seen.set(key, finding2);
     }
   }
   return Array.from(seen.values()).sort(
@@ -7584,15 +7723,15 @@ async function translateFindings(findings, apiKey, platform) {
   for (const { start, translations } of batchResults) {
     const translationMap = new Map(translations.map((t) => [t.id, t]));
     for (let j = start; j < Math.min(start + batchSize, translated.length); j++) {
-      const finding = translated[j];
-      if (!finding) continue;
-      const t = translationMap.get(finding.id);
+      const finding2 = translated[j];
+      if (!finding2) continue;
+      const t = translationMap.get(finding2.id);
       if (t) {
         translated[j] = {
-          ...finding,
+          ...finding2,
           plainEnglish: t.plainEnglish,
           fix: {
-            ...finding.fix,
+            ...finding2.fix,
             description: t.fixDescription
           }
         };
@@ -7655,45 +7794,21 @@ function detectPlatform(files) {
     if (lower.endsWith("package.json") && content.includes("lovable-tagger")) {
       signals.lovable.push("lovable-tagger in package.json");
     }
-    if (content.includes("lovable") && /\/\*.*lovable.*\*\//i.test(content)) {
-      signals.lovable.push("lovable comment in source");
-    }
     if (lower.includes(".lovable") || lower.includes("lovable.config")) {
       signals.lovable.push("lovable config file");
     }
     if (lower.includes(".bolt/") || lower.includes(".bolt\\")) {
       signals.bolt.push(".bolt/ directory detected");
     }
-    if (lower.endsWith("package.json") && (content.includes("@bolt") || content.includes("bolt-"))) {
-      signals.bolt.push("bolt dependency in package.json");
-    }
-    if (/\/[/*].*bolt\.new/i.test(content)) {
-      signals.bolt.push("bolt.new reference in source");
-    }
     if (lower.endsWith(".cursorrules") || lower.endsWith(".cursorignore")) {
       signals.cursor.push(".cursorrules file detected");
     }
-    if (/\/[/*].*cursor/i.test(content) && lower.endsWith(".ts")) {
-      signals.cursor.push("cursor reference in source");
-    }
     if (lower.includes(".v0/") || lower.includes(".v0\\")) {
       signals.v0.push(".v0/ directory detected");
     }
-    if (content.includes("v0.dev") || content.includes("@v0/")) {
-      signals.v0.push("v0.dev reference in source");
-    }
-    if (lower.endsWith("package.json") && content.includes('"v0"')) {
-      signals.v0.push("v0 dependency in package.json");
-    }
     if (lower.includes("base44.config") || lower.includes(".base44")) {
       signals.base44.push("base44 config file");
     }
-    if (/from\s+['"]@?base44\b/i.test(content) || /require\s*\(\s*['"]@?base44\b/i.test(content)) {
-      signals.base44.push("base44 SDK import in source");
-    }
-    if (/https?:\/\/[^"'\s]*base44\.app/i.test(content)) {
-      signals.base44.push("base44.app URL in source");
-    }
   }
   const scores = Object.entries(signals).filter(([key]) => key !== "manual").map(([platform, sigs]) => ({
     platform,
@@ -7726,9 +7841,9 @@ function computeSummary(findings, files) {
     llm: 0,
     dependency: 0
   };
-  for (const finding of findings) {
-    bySeverity[finding.severity]++;
-    bySource[finding.source]++;
+  for (const finding2 of findings) {
+    bySeverity[finding2.severity]++;
+    bySource[finding2.source]++;
   }
   return {
     total: findings.length,
@@ -7838,6 +7953,95 @@ async function scan(config, onProgress) {
     ...warnings.length > 0 ? { warnings } : {}
   };
 }
+async function fetchStatus(fetchImpl, url, init, timeoutMs) {
+  const controller = new AbortController();
+  const timer = setTimeout(() => controller.abort(), timeoutMs);
+  try {
+    const res = await fetchImpl(url, { ...init, signal: controller.signal });
+    return res.status;
+  } catch {
+    return null;
+  } finally {
+    clearTimeout(timer);
+  }
+}
+function classify(status) {
+  if (status === null) return "unverifiable";
+  if (status === 200) return "live";
+  if (status === 401 || status === 403) return "revoked";
+  return "unverifiable";
+}
+var PROVIDER_VALIDATORS = [
+  {
+    id: "openai",
+    name: "OpenAI",
+    extract: (t) => t.match(/sk-(?:proj-)?[A-Za-z0-9_-]{20,}/)?.[0] ?? null,
+    check: async (value, f, ms) => classify(
+      await fetchStatus(f, "https://api.openai.com/v1/models", { headers: { Authorization: `Bearer ${value}` } }, ms)
+    )
+  },
+  {
+    id: "stripe",
+    name: "Stripe",
+    extract: (t) => t.match(/(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{16,}/)?.[0] ?? null,
+    check: async (value, f, ms) => classify(
+      await fetchStatus(f, "https://api.stripe.com/v1/balance", { headers: { Authorization: `Bearer ${value}` } }, ms)
+    )
+  },
+  {
+    id: "github",
+    name: "GitHub",
+    extract: (t) => t.match(/gh[posru]_[A-Za-z0-9]{36,}|github_pat_[A-Za-z0-9_]{22,}/)?.[0] ?? null,
+    check: async (value, f, ms) => classify(
+      await fetchStatus(
+        f,
+        "https://api.github.com/user",
+        { headers: { Authorization: `Bearer ${value}`, "User-Agent": "ShipSafe-Validator" } },
+        ms
+      )
+    )
+  },
+  {
+    id: "sendgrid",
+    name: "SendGrid",
+    extract: (t) => t.match(/SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}/)?.[0] ?? null,
+    check: async (value, f, ms) => classify(
+      await fetchStatus(f, "https://api.sendgrid.com/v3/scopes", { headers: { Authorization: `Bearer ${value}` } }, ms)
+    )
+  },
+  {
+    id: "gitlab",
+    name: "GitLab",
+    extract: (t) => t.match(/glpat-[A-Za-z0-9_-]{20}/)?.[0] ?? null,
+    check: async (value, f, ms) => classify(await fetchStatus(f, "https://gitlab.com/api/v4/user", { headers: { "PRIVATE-TOKEN": value } }, ms))
+  },
+  {
+    id: "slack",
+    name: "Slack",
+    extract: (t) => t.match(/xox[baprs]-[A-Za-z0-9-]{10,}/)?.[0] ?? null,
+    // auth.test is read-only; Slack returns {ok:true|false} regardless of HTTP 200.
+    check: async (value, f, ms) => {
+      const controller = new AbortController();
+      const timer = setTimeout(() => controller.abort(), ms);
+      try {
+        const res = await f("https://slack.com/api/auth.test", {
+          method: "POST",
+          headers: { Authorization: `Bearer ${value}` },
+          signal: controller.signal
+        });
+        const body = await res.json().catch(() => null);
+        if (body?.ok === true) return "live";
+        if (body?.ok === false) return "revoked";
+        return "unverifiable";
+      } catch {
+        return "unverifiable";
+      } finally {
+        clearTimeout(timer);
+      }
+    }
+  }
+];
+var VALIDATOR_BY_ID = new Map(PROVIDER_VALIDATORS.map((v) => [v.id, v]));
 
 // src/lib/file-collector.ts
 import { readdirSync, readFileSync, statSync, existsSync } from "fs";
@@ -8600,7 +8804,7 @@ async function scanCommand(targetPath, options) {
   spinner.succeed(
     chalk5.green(`Scan complete \u2014 ${result.findings.length} findings in ${result.durationMs}ms`)
   );
-  if (tokenData?.tier === "growth" || tokenData?.tier === "badge" || tokenData?.tier === "shield") {
+  if (tokenData && isPaidTier(tokenData.tier)) {
     const aiSpinner = ora2({
       text: chalk5.dim("Running AI-powered deep analysis... (this may take 1-3 minutes)"),
       color: "yellow",
@@ -8968,13 +9172,59 @@ function initCommand() {
   console.log(chalk6.green("Created .shipsafe.yml configuration file."));
 }
 
+// src/commands/false-positive.ts
+import { readFileSync as readFileSync6, existsSync as existsSync7 } from "fs";
+import { homedir as homedir4 } from "os";
+import { join as join5 } from "path";
+import chalk7 from "chalk";
+var TOKEN_FILE2 = join5(homedir4(), ".shipsafe", "token.json");
+async function falsePositiveCommand(ruleId, options) {
+  if (!existsSync7(TOKEN_FILE2)) {
+    console.error(chalk7.red("Not logged in. Run `shipsafe login` first."));
+    process.exitCode = 1;
+    return;
+  }
+  let token;
+  try {
+    token = JSON.parse(readFileSync6(TOKEN_FILE2, "utf-8")).token;
+    if (!token) throw new Error("no token");
+  } catch {
+    console.error(chalk7.red("Couldn't read your login token. Run `shipsafe login` again."));
+    process.exitCode = 1;
+    return;
+  }
+  try {
+    const res = await fetch(`${options.apiUrl}/api/cli/false-positive`, {
+      method: "POST",
+      headers: { "Content-Type": "application/json", Authorization: `Bearer ${token}` },
+      body: JSON.stringify({
+        ruleId,
+        filePath: options.file,
+        lineNumber: options.line ? parseInt(options.line, 10) : void 0,
+        reason: options.reason,
+        surface: "cli"
+      })
+    });
+    if (!res.ok) {
+      const msg = await res.json().then((b) => b?.error).catch(() => null);
+      console.error(chalk7.red(`Couldn't report: ${msg || `HTTP ${res.status}`}`));
+      process.exitCode = 1;
+      return;
+    }
+    console.log(chalk7.green(`\u2713 Reported ${ruleId} as a false positive. Thanks \u2014 this helps ShipSafe tune the rule.`));
+  } catch (e) {
+    console.error(chalk7.red(`Couldn't reach ShipSafe: ${e instanceof Error ? e.message : "network error"}`));
+    process.exitCode = 1;
+  }
+}
+
 // src/index.ts
 function getVersion() {
   try {
     let dir = dirname(fileURLToPath(import.meta.url));
     for (let i = 0; i < 5; i++) {
       try {
-        const pkg = JSON.parse(readFileSync6(join5(dir, "package.json"), "utf-8"));
+        const pkg = JSON.parse(readFileSync7(join6(dir, "package.json"), "utf-8"));
         if (pkg.version) return pkg.version;
       } catch {
       }
@@ -9024,4 +9274,10 @@ program.command("whoami").description("Show current login status and plan info")
 ).action(whoamiCommand);
 program.command("ignore").description("Suppress a rule in future scans").argument("<rule-id>", "Rule ID to ignore (e.g. secrets/generic-api-key)").option("-r, --reason <reason>", "Why this rule is being suppressed").action(ignoreCommand);
 program.command("unignore").description("Re-enable a previously suppressed rule").argument("<rule-id>", "Rule ID to unignore").action(unignoreCommand);
+program.command("false-positive").description("Report a finding as a false positive to ShipSafe (helps tune the rule)").argument("<rule-id>", "Rule ID to report (e.g. secrets/generic-api-key)").option("-f, --file <path>", "File the finding was reported on").option("-l, --line <number>", "Line number of the finding").option("-r, --reason <reason>", "Why it's a false positive").option(
+  "--api-url <url>",
+  "API URL for ShipSafe server",
+  validateApiUrl,
+  "https://ship-safe.co"
+).action(falsePositiveCommand);
 program.parse();

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@ship-safe/cli",
-  "version": "1.1.16",
+  "version": "1.1.17",
   "description": "Security scanner for AI-generated code — find vulnerabilities before you ship",
   "type": "module",
   "license": "MIT",