@shipsafe/cli 0.1.0

package/dist/src/engines/pattern/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../../src/engines/pattern/index.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAE,UAAU,EAAE,SAAS,EAAE,aAAa,EAAE,mBAAmB,EAAE,MAAM,gBAAgB,CAAC;AAOzG,MAAM,WAAW,oBAAoB;IACnC,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,SAAS,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;CACxB;AAED,wBAAgB,YAAY,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,aAAa,CAW/D;AAED,wBAAsB,oBAAoB,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAQzE;AAED,wBAAsB,cAAc,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAgB1E;AAED,wBAAsB,gBAAgB,CAAC,OAAO,EAAE,oBAAoB,GAAG,OAAO,CAAC,UAAU,CAAC,CAgFzF"}

package/dist/src/engines/pattern/index.js

@@ -0,0 +1,111 @@
+import { execFile } from 'node:child_process';
+import { SEVERITY_ORDER } from '../../constants.js';
+import { checkSemgrepInstalled, runSemgrep } from './semgrep.js';
+import { checkGitleaksInstalled, runGitleaks } from './gitleaks.js';
+import { checkTrivyInstalled, runTrivy } from './trivy.js';
+import { runGraphEngine, isGraphEngineAvailable } from '../graph/index.js';
+export function computeScore(findings) {
+    if (findings.length === 0)
+        return 'A';
+    const severities = new Set(findings.map((f) => f.severity));
+    if (severities.has('critical'))
+        return 'F';
+    if (severities.has('high'))
+        return 'D';
+    if (severities.has('medium'))
+        return 'C';
+    // Only info and/or low remain
+    return 'B';
+}
+export async function getAvailableScanners() {
+    const [semgrep, gitleaks, trivy] = await Promise.all([
+        checkSemgrepInstalled(),
+        checkGitleaksInstalled(),
+        checkTrivyInstalled(),
+    ]);
+    return { semgrep, gitleaks, trivy };
+}
+export async function getStagedFiles(projectDir) {
+    return new Promise((resolve) => {
+        execFile('git', ['diff', '--cached', '--name-only'], { cwd: projectDir }, (error, stdout) => {
+            if (error) {
+                resolve([]);
+                return;
+            }
+            const files = (typeof stdout === 'string' ? stdout : '')
+                .split('\n')
+                .map((line) => line.trim())
+                .filter((line) => line.length > 0);
+            resolve(files);
+        });
+    });
+}
+export async function runPatternEngine(options) {
+    const startTime = Date.now();
+    const { targetPath, scope, stagedFiles: providedStagedFiles } = options;
+    // 1. Check which scanners are installed
+    const availability = await getAvailableScanners();
+    // 2. If scope is 'staged', get staged files
+    let stagedFiles = providedStagedFiles;
+    if (scope === 'staged' && !stagedFiles) {
+        stagedFiles = await getStagedFiles(targetPath);
+    }
+    // 3. If scope is 'staged' and no staged files, return clean result immediately
+    if (scope === 'staged' && (!stagedFiles || stagedFiles.length === 0)) {
+        return {
+            status: 'pass',
+            score: 'A',
+            findings: [],
+            scan_duration_ms: Date.now() - startTime,
+        };
+    }
+    // 4. Run all available scanners in parallel with Promise.allSettled()
+    const scannerPromises = [];
+    if (availability.semgrep) {
+        scannerPromises.push(runSemgrep(targetPath, stagedFiles));
+    }
+    if (availability.gitleaks) {
+        scannerPromises.push(runGitleaks(targetPath, stagedFiles));
+    }
+    if (availability.trivy) {
+        scannerPromises.push(runTrivy(targetPath));
+    }
+    const results = await Promise.allSettled(scannerPromises);
+    // 5. Merge all findings into single array
+    const findings = [];
+    for (const result of results) {
+        if (result.status === 'fulfilled') {
+            findings.push(...result.value);
+        }
+        // Rejected promises are silently skipped (scanner failure is non-fatal)
+    }
+    // 5b. Run graph engine (optional — failures are non-fatal)
+    if (isGraphEngineAvailable()) {
+        try {
+            const graphResult = await runGraphEngine({ targetPath, scope });
+            findings.push(...graphResult.findings);
+        }
+        catch {
+            // Graph engine failure is non-fatal — pattern results are still returned
+        }
+    }
+    // 6. Sort findings by severity (critical first)
+    findings.sort((a, b) => {
+        const orderA = SEVERITY_ORDER[a.severity] ?? 999;
+        const orderB = SEVERITY_ORDER[b.severity] ?? 999;
+        return orderA - orderB;
+    });
+    // 7. Compute score
+    const score = computeScore(findings);
+    // 8. Determine status
+    const hasCriticalOrHigh = findings.some((f) => f.severity === 'critical' || f.severity === 'high');
+    const status = hasCriticalOrHigh ? 'fail' : 'pass';
+    // 9. Return ScanResult with timing info
+    return {
+        status,
+        score,
+        findings,
+        scan_duration_ms: Date.now() - startTime,
+    };
+}
+//# sourceMappingURL=index.js.map

package/dist/src/engines/pattern/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../src/engines/pattern/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAE9C,OAAO,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACpD,OAAO,EAAE,qBAAqB,EAAE,UAAU,EAAE,MAAM,cAAc,CAAC;AACjE,OAAO,EAAE,sBAAsB,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AACpE,OAAO,EAAE,mBAAmB,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC;AAC3D,OAAO,EAAE,cAAc,EAAE,sBAAsB,EAAE,MAAM,mBAAmB,CAAC;AAQ3E,MAAM,UAAU,YAAY,CAAC,QAAmB;IAC9C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,GAAG,CAAC;IAEtC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IAE5D,IAAI,UAAU,CAAC,GAAG,CAAC,UAAU,CAAC;QAAE,OAAO,GAAG,CAAC;IAC3C,IAAI,UAAU,CAAC,GAAG,CAAC,MAAM,CAAC;QAAE,OAAO,GAAG,CAAC;IACvC,IAAI,UAAU,CAAC,GAAG,CAAC,QAAQ,CAAC;QAAE,OAAO,GAAG,CAAC;IAEzC,8BAA8B;IAC9B,OAAO,GAAG,CAAC;AACb,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,oBAAoB;IACxC,MAAM,CAAC,OAAO,EAAE,QAAQ,EAAE,KAAK,CAAC,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC;QACnD,qBAAqB,EAAE;QACvB,sBAAsB,EAAE;QACxB,mBAAmB,EAAE;KACtB,CAAC,CAAC;IAEH,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,KAAK,EAAE,CAAC;AACtC,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,UAAkB;IACrD,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,EAAE;QAC7B,QAAQ,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,UAAU,EAAE,aAAa,CAAC,EAAE,EAAE,GAAG,EAAE,UAAU,EAAE,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,EAAE;YAC1F,IAAI,KAAK,EAAE,CAAC;gBACV,OAAO,CAAC,EAAE,CAAC,CAAC;gBACZ,OAAO;YACT,CAAC;YAED,MAAM,KAAK,GAAG,CAAC,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;iBACrD,KAAK,CAAC,IAAI,CAAC;iBACX,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;iBAC1B,MAAM,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;YAErC,OAAO,CAAC,KAAK,CAAC,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAA6B;IAClE,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAC7B,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE,WAAW,EAAE,mBAAmB,EAAE,GAAG,OAAO,CAAC;IAExE,wCAAwC;IACxC,MAAM,YAAY,GAAG,MAAM,oBAAoB,EAAE,CAAC;IAElD,4CAA4C;IAC5C,IAAI,WAAW,GAAyB,mBAAmB,CAAC;IAC5D,IAAI,KAAK,KAAK,QAAQ,IAAI,CAAC,WAAW,EAAE,CAAC;QACvC,WAAW,GAAG,MAAM,cAAc,CAAC,UAAU,CAAC,CAAC;IACjD,CAAC;IAED,+EAA+E;IAC/E,IAAI,KAAK,KAAK,QAAQ,IAAI,CAAC,CAAC,WAAW,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,CAAC,EAAE,CAAC;QACrE,OAAO;YACL,MAAM,EAAE,MAAM;YACd,KAAK,EAAE,GAAG;YACV,QAAQ,EAAE,EAAE;YACZ,gBAAgB,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;SACzC,CAAC;IACJ,CAAC;IAED,sEAAsE;IACtE,MAAM,eAAe,GAAyB,EAAE,CAAC;IAEjD,IAAI,YAAY,CAAC,OAAO,EAAE,CAAC;QACzB,eAAe,CAAC,IAAI,CAAC,UAAU,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC;IAC5D,CAAC;IACD,IAAI,YAAY,CAAC,QAAQ,EAAE,CAAC;QAC1B,eAAe,CAAC,IAAI,CAAC,WAAW,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC,CAAC;IAC7D,CAAC;IACD,IAAI,YAAY,CAAC,KAAK,EAAE,CAAC;QACvB,eAAe,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC;IAC7C,CAAC;IAED,MAAM,OAAO,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,eAAe,CAAC,CAAC;IAE1D,0CAA0C;IAC1C,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,MAAM,CAAC,MAAM,KAAK,WAAW,EAAE,CAAC;YAClC,QAAQ,CAAC,IAAI,CAAC,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC;QACjC,CAAC;QACD,wEAAwE;IAC1E,CAAC;IAED,2DAA2D;IAC3D,IAAI,sBAAsB,EAAE,EAAE,CAAC;QAC7B,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,MAAM,cAAc,CAAC,EAAE,UAAU,EAAE,KAAK,EAAE,CAAC,CAAC;YAChE,QAAQ,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,QAAQ,CAAC,CAAC;QACzC,CAAC;QAAC,MAAM,CAAC;YACP,yEAAyE;QAC3E,CAAC;IACH,CAAC;IAED,gDAAgD;IAChD,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACrB,MAAM,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC;QACjD,MAAM,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,GAAG,CAAC;QACjD,OAAO,MAAM,GAAG,MAAM,CAAC;IACzB,CAAC,CAAC,CAAC;IAEH,mBAAmB;IACnB,MAAM,KAAK,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;IAErC,sBAAsB;IACtB,MAAM,iBAAiB,GAAG,QAAQ,CAAC,IAAI,CACrC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAC1D,CAAC;IACF,MAAM,MAAM,GAAG,iBAAiB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;IAEnD,wCAAwC;IACxC,OAAO;QACL,MAAM;QACN,KAAK;QACL,QAAQ;QACR,gBAAgB,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;KACzC,CAAC;AACJ,CAAC"}

package/dist/src/engines/pattern/semgrep.d.ts

@@ -0,0 +1,4 @@
+import type { Finding } from '../../types.js';
+export declare function checkSemgrepInstalled(): Promise<boolean>;
+export declare function runSemgrep(targetPath: string, stagedFiles?: string[]): Promise<Finding[]>;
+//# sourceMappingURL=semgrep.d.ts.map

package/dist/src/engines/pattern/semgrep.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrep.d.ts","sourceRoot":"","sources":["../../../../src/engines/pattern/semgrep.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAY,MAAM,gBAAgB,CAAC;AAsExD,wBAAsB,qBAAqB,IAAI,OAAO,CAAC,OAAO,CAAC,CAO9D;AAED,wBAAsB,UAAU,CAC9B,UAAU,EAAE,MAAM,EAClB,WAAW,CAAC,EAAE,MAAM,EAAE,GACrB,OAAO,CAAC,OAAO,EAAE,CAAC,CAgCpB"}

package/dist/src/engines/pattern/semgrep.js

@@ -0,0 +1,83 @@
+import { execFile } from 'node:child_process';
+function execFilePromise(cmd, args) {
+    return new Promise((resolve, reject) => {
+        execFile(cmd, args, (error, stdout, stderr) => {
+            if (error) {
+                // Attach stdout/stderr to the error so callers can still read output
+                const enrichedError = error;
+                enrichedError.stdout = typeof stdout === 'string' ? stdout : '';
+                enrichedError.stderr = typeof stderr === 'string' ? stderr : '';
+                reject(enrichedError);
+                return;
+            }
+            resolve({
+                stdout: typeof stdout === 'string' ? stdout : '',
+                stderr: typeof stderr === 'string' ? stderr : '',
+            });
+        });
+    });
+}
+const SEVERITY_MAP = {
+    ERROR: 'critical',
+    WARNING: 'high',
+    INFO: 'medium',
+};
+function mapSeverity(semgrepSeverity) {
+    return SEVERITY_MAP[semgrepSeverity] ?? 'low';
+}
+function parseSemgrepOutput(jsonString) {
+    const output = JSON.parse(jsonString);
+    return output.results.map((result) => ({
+        id: `semgrep_${result.check_id}_${result.start.line}`,
+        engine: 'pattern',
+        severity: mapSeverity(result.extra.severity),
+        type: result.check_id,
+        file: result.path,
+        line: result.start.line,
+        description: result.extra.message,
+        fix_suggestion: result.extra.fix ?? '',
+        auto_fixable: result.extra.fix != null,
+    }));
+}
+export async function checkSemgrepInstalled() {
+    try {
+        await execFilePromise('which', ['semgrep']);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function runSemgrep(targetPath, stagedFiles) {
+    const installed = await checkSemgrepInstalled();
+    if (!installed) {
+        console.warn('ShipSafe: semgrep is not installed, skipping pattern scan');
+        return [];
+    }
+    try {
+        const args = ['scan', '--json', '--quiet'];
+        if (stagedFiles && stagedFiles.length > 0) {
+            args.push(...stagedFiles);
+        }
+        else {
+            args.push(targetPath);
+        }
+        const { stdout } = await execFilePromise('semgrep', args);
+        return parseSemgrepOutput(stdout);
+    }
+    catch (error) {
+        // If semgrep exits non-zero but produced output, still try to parse it
+        const execError = error;
+        if (execError.stdout) {
+            try {
+                return parseSemgrepOutput(execError.stdout);
+            }
+            catch {
+                // JSON parse failed on the output — fall through to warn
+            }
+        }
+        console.warn('ShipSafe: semgrep scan failed', execError.message);
+        return [];
+    }
+}
+//# sourceMappingURL=semgrep.js.map

package/dist/src/engines/pattern/semgrep.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrep.js","sourceRoot":"","sources":["../../../../src/engines/pattern/semgrep.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAoB9C,SAAS,eAAe,CACtB,GAAW,EACX,IAAc;IAEd,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,QAAQ,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YAC5C,IAAI,KAAK,EAAE,CAAC;gBACV,qEAAqE;gBACrE,MAAM,aAAa,GAAG,KAGrB,CAAC;gBACF,aAAa,CAAC,MAAM,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChE,aAAa,CAAC,MAAM,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChE,MAAM,CAAC,aAAa,CAAC,CAAC;gBACtB,OAAO;YACT,CAAC;YACD,OAAO,CAAC;gBACN,MAAM,EAAE,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;gBAChD,MAAM,EAAE,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;aACjD,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,YAAY,GAA6B;IAC7C,KAAK,EAAE,UAAU;IACjB,OAAO,EAAE,MAAM;IACf,IAAI,EAAE,QAAQ;CACf,CAAC;AAEF,SAAS,WAAW,CAAC,eAAuB;IAC1C,OAAO,YAAY,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC;AAChD,CAAC;AAED,SAAS,kBAAkB,CAAC,UAAkB;IAC5C,MAAM,MAAM,GAAkB,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IAErD,OAAO,MAAM,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;QACrC,EAAE,EAAE,WAAW,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE;QACrD,MAAM,EAAE,SAAkB;QAC1B,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC;QAC5C,IAAI,EAAE,MAAM,CAAC,QAAQ;QACrB,IAAI,EAAE,MAAM,CAAC,IAAI;QACjB,IAAI,EAAE,MAAM,CAAC,KAAK,CAAC,IAAI;QACvB,WAAW,EAAE,MAAM,CAAC,KAAK,CAAC,OAAO;QACjC,cAAc,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,EAAE;QACtC,YAAY,EAAE,MAAM,CAAC,KAAK,CAAC,GAAG,IAAI,IAAI;KACvC,CAAC,CAAC,CAAC;AACN,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,qBAAqB;IACzC,IAAI,CAAC;QACH,MAAM,eAAe,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC;QAC5C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,UAAU,CAC9B,UAAkB,EAClB,WAAsB;IAEtB,MAAM,SAAS,GAAG,MAAM,qBAAqB,EAAE,CAAC;IAChD,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,2DAA2D,CAAC,CAAC;QAC1E,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,CAAC,MAAM,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;QAE3C,IAAI,WAAW,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC1C,IAAI,CAAC,IAAI,CAAC,GAAG,WAAW,CAAC,CAAC;QAC5B,CAAC;aAAM,CAAC;YACN,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxB,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,SAAS,EAAE,IAAI,CAAC,CAAC;QAC1D,OAAO,kBAAkB,CAAC,MAAM,CAAC,CAAC;IACpC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,uEAAuE;QACvE,MAAM,SAAS,GAAG,KAAoC,CAAC;QACvD,IAAI,SAAS,CAAC,MAAM,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,OAAO,kBAAkB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAC9C,CAAC;YAAC,MAAM,CAAC;gBACP,yDAAyD;YAC3D,CAAC;QACH,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,+BAA+B,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;QACjE,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/src/engines/pattern/trivy.d.ts

@@ -0,0 +1,4 @@
+import type { Finding } from '../../types.js';
+export declare function checkTrivyInstalled(): Promise<boolean>;
+export declare function runTrivy(targetPath: string): Promise<Finding[]>;
+//# sourceMappingURL=trivy.d.ts.map

package/dist/src/engines/pattern/trivy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivy.d.ts","sourceRoot":"","sources":["../../../../src/engines/pattern/trivy.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,OAAO,EAAY,MAAM,gBAAgB,CAAC;AA2FxD,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,OAAO,CAAC,CAO5D;AAED,wBAAsB,QAAQ,CAAC,UAAU,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CA0BrE"}

package/dist/src/engines/pattern/trivy.js

@@ -0,0 +1,90 @@
+import { execFile } from 'node:child_process';
+function execFilePromise(cmd, args) {
+    return new Promise((resolve, reject) => {
+        execFile(cmd, args, (error, stdout, stderr) => {
+            if (error) {
+                // Attach stdout/stderr to the error so callers can still read output
+                const enrichedError = error;
+                enrichedError.stdout = typeof stdout === 'string' ? stdout : '';
+                enrichedError.stderr = typeof stderr === 'string' ? stderr : '';
+                reject(enrichedError);
+                return;
+            }
+            resolve({
+                stdout: typeof stdout === 'string' ? stdout : '',
+                stderr: typeof stderr === 'string' ? stderr : '',
+            });
+        });
+    });
+}
+const SEVERITY_MAP = {
+    CRITICAL: 'critical',
+    HIGH: 'high',
+    MEDIUM: 'medium',
+    LOW: 'low',
+};
+function mapSeverity(trivySeverity) {
+    return SEVERITY_MAP[trivySeverity] ?? 'low';
+}
+function parseTrivyOutput(jsonString) {
+    const output = JSON.parse(jsonString);
+    const findings = [];
+    for (const result of output.Results) {
+        if (!result.Vulnerabilities) {
+            continue;
+        }
+        for (const vuln of result.Vulnerabilities) {
+            const hasFixedVersion = vuln.FixedVersion !== '' && vuln.FixedVersion != null;
+            findings.push({
+                id: `trivy_${vuln.VulnerabilityID}_${vuln.PkgName}`,
+                engine: 'pattern',
+                severity: mapSeverity(vuln.Severity),
+                type: 'dependency_vulnerability',
+                file: result.Target,
+                line: 0,
+                description: `${vuln.VulnerabilityID}: ${vuln.Title} (${vuln.PkgName}@${vuln.InstalledVersion})`,
+                fix_suggestion: hasFixedVersion
+                    ? `Upgrade ${vuln.PkgName} to ${vuln.FixedVersion}`
+                    : 'No fix available yet',
+                auto_fixable: hasFixedVersion,
+            });
+        }
+    }
+    return findings;
+}
+export async function checkTrivyInstalled() {
+    try {
+        await execFilePromise('which', ['trivy']);
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+export async function runTrivy(targetPath) {
+    const installed = await checkTrivyInstalled();
+    if (!installed) {
+        console.warn('ShipSafe: trivy is not installed, skipping dependency vulnerability scan');
+        return [];
+    }
+    try {
+        const args = ['fs', '--format', 'json', '--quiet', targetPath];
+        const { stdout } = await execFilePromise('trivy', args);
+        return parseTrivyOutput(stdout);
+    }
+    catch (error) {
+        // If trivy exits non-zero but produced output, still try to parse it
+        const execError = error;
+        if (execError.stdout) {
+            try {
+                return parseTrivyOutput(execError.stdout);
+            }
+            catch {
+                // JSON parse failed on the output — fall through to warn
+            }
+        }
+        console.warn('ShipSafe: trivy scan failed', execError.message);
+        return [];
+    }
+}
+//# sourceMappingURL=trivy.js.map

package/dist/src/engines/pattern/trivy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivy.js","sourceRoot":"","sources":["../../../../src/engines/pattern/trivy.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAyB9C,SAAS,eAAe,CACtB,GAAW,EACX,IAAc;IAEd,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,QAAQ,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,EAAE;YAC5C,IAAI,KAAK,EAAE,CAAC;gBACV,qEAAqE;gBACrE,MAAM,aAAa,GAAG,KAGrB,CAAC;gBACF,aAAa,CAAC,MAAM,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChE,aAAa,CAAC,MAAM,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;gBAChE,MAAM,CAAC,aAAa,CAAC,CAAC;gBACtB,OAAO;YACT,CAAC;YACD,OAAO,CAAC;gBACN,MAAM,EAAE,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;gBAChD,MAAM,EAAE,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;aACjD,CAAC,CAAC;QACL,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,YAAY,GAA6B;IAC7C,QAAQ,EAAE,UAAU;IACpB,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,QAAQ;IAChB,GAAG,EAAE,KAAK;CACX,CAAC;AAEF,SAAS,WAAW,CAAC,aAAqB;IACxC,OAAO,YAAY,CAAC,aAAa,CAAC,IAAI,KAAK,CAAC;AAC9C,CAAC;AAED,SAAS,gBAAgB,CAAC,UAAkB;IAC1C,MAAM,MAAM,GAAgB,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;QACpC,IAAI,CAAC,MAAM,CAAC,eAAe,EAAE,CAAC;YAC5B,SAAS;QACX,CAAC;QAED,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;YAC1C,MAAM,eAAe,GAAG,IAAI,CAAC,YAAY,KAAK,EAAE,IAAI,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC;YAE9E,QAAQ,CAAC,IAAI,CAAC;gBACZ,EAAE,EAAE,SAAS,IAAI,CAAC,eAAe,IAAI,IAAI,CAAC,OAAO,EAAE;gBACnD,MAAM,EAAE,SAAkB;gBAC1B,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;gBACpC,IAAI,EAAE,0BAA0B;gBAChC,IAAI,EAAE,MAAM,CAAC,MAAM;gBACnB,IAAI,EAAE,CAAC;gBACP,WAAW,EAAE,GAAG,IAAI,CAAC,eAAe,KAAK,IAAI,CAAC,KAAK,KAAK,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,gBAAgB,GAAG;gBAChG,cAAc,EAAE,eAAe;oBAC7B,CAAC,CAAC,WAAW,IAAI,CAAC,OAAO,OAAO,IAAI,CAAC,YAAY,EAAE;oBACnD,CAAC,CAAC,sBAAsB;gBAC1B,YAAY,EAAE,eAAe;aAC9B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,IAAI,CAAC;QACH,MAAM,eAAe,CAAC,OAAO,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QAC1C,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,UAAkB;IAC/C,MAAM,SAAS,GAAG,MAAM,mBAAmB,EAAE,CAAC;IAC9C,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC;QACzF,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,EAAE,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;QAE/D,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;QACxD,OAAO,gBAAgB,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,qEAAqE;QACrE,MAAM,SAAS,GAAG,KAAoC,CAAC;QACvD,IAAI,SAAS,CAAC,MAAM,EAAE,CAAC;YACrB,IAAI,CAAC;gBACH,OAAO,gBAAgB,CAAC,SAAS,CAAC,MAAM,CAAC,CAAC;YAC5C,CAAC;YAAC,MAAM,CAAC;gBACP,yDAAyD;YAC3D,CAAC;QACH,CAAC;QAED,OAAO,CAAC,IAAI,CAAC,6BAA6B,EAAE,SAAS,CAAC,OAAO,CAAC,CAAC;QAC/D,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC"}

package/dist/src/github/api.d.ts

@@ -0,0 +1,19 @@
+/**
+ * Generate a JWT for GitHub App authentication.
+ * Uses RS256 signing with the App's private key.
+ */
+export declare function generateJwt(appId: string, privateKey: string): string;
+/**
+ * Get an installation access token for GitHub API calls.
+ * Requires SHIPSAFE_GITHUB_APP_ID and SHIPSAFE_GITHUB_PRIVATE_KEY env vars.
+ */
+export declare function getInstallationToken(installationId: number): Promise<string>;
+/**
+ * Make an authenticated GitHub API request.
+ */
+export declare function githubApi(path: string, options: {
+    method?: string;
+    body?: unknown;
+    token: string;
+}): Promise<unknown>;
+//# sourceMappingURL=api.d.ts.map

package/dist/src/github/api.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.d.ts","sourceRoot":"","sources":["../../../src/github/api.ts"],"names":[],"mappings":"AAEA;;;GAGG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,MAAM,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAiBrE;AAED;;;GAGG;AACH,wBAAsB,oBAAoB,CAAC,cAAc,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CA+BlF;AAED;;GAEG;AACH,wBAAsB,SAAS,CAC7B,IAAI,EAAE,MAAM,EACZ,OAAO,EAAE;IACP,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,KAAK,EAAE,MAAM,CAAC;CACf,GACA,OAAO,CAAC,OAAO,CAAC,CAgClB"}

package/dist/src/github/api.js

@@ -0,0 +1,75 @@
+import { createSign } from 'node:crypto';
+/**
+ * Generate a JWT for GitHub App authentication.
+ * Uses RS256 signing with the App's private key.
+ */
+export function generateJwt(appId, privateKey) {
+    const now = Math.floor(Date.now() / 1000);
+    const header = Buffer.from(JSON.stringify({ alg: 'RS256', typ: 'JWT' })).toString('base64url');
+    const payload = Buffer.from(JSON.stringify({
+        iat: now - 60, // issued 60s ago to account for clock drift
+        exp: now + 600, // expires in 10 minutes
+        iss: appId,
+    })).toString('base64url');
+    const unsigned = `${header}.${payload}`;
+    const signer = createSign('RSA-SHA256');
+    signer.update(unsigned);
+    const signature = signer.sign(privateKey, 'base64url');
+    return `${unsigned}.${signature}`;
+}
+/**
+ * Get an installation access token for GitHub API calls.
+ * Requires SHIPSAFE_GITHUB_APP_ID and SHIPSAFE_GITHUB_PRIVATE_KEY env vars.
+ */
+export async function getInstallationToken(installationId) {
+    const appId = process.env.SHIPSAFE_GITHUB_APP_ID;
+    const privateKey = process.env.SHIPSAFE_GITHUB_PRIVATE_KEY;
+    if (!appId || !privateKey) {
+        throw new Error('Missing SHIPSAFE_GITHUB_APP_ID or SHIPSAFE_GITHUB_PRIVATE_KEY environment variables');
+    }
+    const jwt = generateJwt(appId, privateKey);
+    const response = await fetch(`https://api.github.com/app/installations/${installationId}/access_tokens`, {
+        method: 'POST',
+        headers: {
+            Authorization: `Bearer ${jwt}`,
+            Accept: 'application/vnd.github+json',
+            'X-GitHub-Api-Version': '2022-11-28',
+        },
+    });
+    if (!response.ok) {
+        const body = await response.text();
+        throw new Error(`Failed to get installation token: ${response.status} ${body}`);
+    }
+    const data = (await response.json());
+    return data.token;
+}
+/**
+ * Make an authenticated GitHub API request.
+ */
+export async function githubApi(path, options) {
+    const url = path.startsWith('https://') ? path : `https://api.github.com${path}`;
+    const headers = {
+        Authorization: `token ${options.token}`,
+        Accept: 'application/vnd.github+json',
+        'X-GitHub-Api-Version': '2022-11-28',
+    };
+    const fetchOptions = {
+        method: options.method ?? 'GET',
+        headers,
+    };
+    if (options.body !== undefined) {
+        headers['Content-Type'] = 'application/json';
+        fetchOptions.body = JSON.stringify(options.body);
+    }
+    const response = await fetch(url, fetchOptions);
+    if (!response.ok) {
+        const body = await response.text();
+        throw new Error(`GitHub API error: ${response.status} ${body}`);
+    }
+    const contentType = response.headers.get('content-type') ?? '';
+    if (contentType.includes('application/json')) {
+        return response.json();
+    }
+    return response.text();
+}
+//# sourceMappingURL=api.js.map

package/dist/src/github/api.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"api.js","sourceRoot":"","sources":["../../../src/github/api.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,MAAM,aAAa,CAAC;AAEzC;;;GAGG;AACH,MAAM,UAAU,WAAW,CAAC,KAAa,EAAE,UAAkB;IAC3D,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,GAAG,EAAE,OAAO,EAAE,GAAG,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAC/F,MAAM,OAAO,GAAG,MAAM,CAAC,IAAI,CACzB,IAAI,CAAC,SAAS,CAAC;QACb,GAAG,EAAE,GAAG,GAAG,EAAE,EAAE,4CAA4C;QAC3D,GAAG,EAAE,GAAG,GAAG,GAAG,EAAE,wBAAwB;QACxC,GAAG,EAAE,KAAK;KACX,CAAC,CACH,CAAC,QAAQ,CAAC,WAAW,CAAC,CAAC;IAExB,MAAM,QAAQ,GAAG,GAAG,MAAM,IAAI,OAAO,EAAE,CAAC;IACxC,MAAM,MAAM,GAAG,UAAU,CAAC,YAAY,CAAC,CAAC;IACxC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IACxB,MAAM,SAAS,GAAG,MAAM,CAAC,IAAI,CAAC,UAAU,EAAE,WAAW,CAAC,CAAC;IAEvD,OAAO,GAAG,QAAQ,IAAI,SAAS,EAAE,CAAC;AACpC,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,cAAsB;IAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC;IACjD,MAAM,UAAU,GAAG,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC;IAE3D,IAAI,CAAC,KAAK,IAAI,CAAC,UAAU,EAAE,CAAC;QAC1B,MAAM,IAAI,KAAK,CACb,qFAAqF,CACtF,CAAC;IACJ,CAAC;IAED,MAAM,GAAG,GAAG,WAAW,CAAC,KAAK,EAAE,UAAU,CAAC,CAAC;IAE3C,MAAM,QAAQ,GAAG,MAAM,KAAK,CAC1B,4CAA4C,cAAc,gBAAgB,EAC1E;QACE,MAAM,EAAE,MAAM;QACd,OAAO,EAAE;YACP,aAAa,EAAE,UAAU,GAAG,EAAE;YAC9B,MAAM,EAAE,6BAA6B;YACrC,sBAAsB,EAAE,YAAY;SACrC;KACF,CACF,CAAC;IAEF,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,qCAAqC,QAAQ,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;IAClF,CAAC;IAED,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAsB,CAAC;IAC1D,OAAO,IAAI,CAAC,KAAK,CAAC;AACpB,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAC7B,IAAY,EACZ,OAIC;IAED,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,yBAAyB,IAAI,EAAE,CAAC;IAEjF,MAAM,OAAO,GAA2B;QACtC,aAAa,EAAE,SAAS,OAAO,CAAC,KAAK,EAAE;QACvC,MAAM,EAAE,6BAA6B;QACrC,sBAAsB,EAAE,YAAY;KACrC,CAAC;IAEF,MAAM,YAAY,GAAgB;QAChC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;QAC/B,OAAO;KACR,CAAC;IAEF,IAAI,OAAO,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;QAC/B,OAAO,CAAC,cAAc,CAAC,GAAG,kBAAkB,CAAC;QAC7C,YAAY,CAAC,IAAI,GAAG,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;IACnD,CAAC;IAED,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IAEhD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC;QACnC,MAAM,IAAI,KAAK,CAAC,qBAAqB,QAAQ,CAAC,MAAM,IAAI,IAAI,EAAE,CAAC,CAAC;IAClE,CAAC;IAED,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAC;IAC/D,IAAI,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QAC7C,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;IACzB,CAAC;IAED,OAAO,QAAQ,CAAC,IAAI,EAAE,CAAC;AACzB,CAAC"}

package/dist/src/github/app-manifest.d.ts

@@ -0,0 +1,28 @@
+/**
+ * GitHub App manifest for ShipSafe registration.
+ *
+ * This manifest defines the permissions and events the ShipSafe GitHub App
+ * requires. The actual App registration is done manually on GitHub; this
+ * manifest serves as the canonical source of truth for the configuration.
+ *
+ * See: https://docs.github.com/en/apps/sharing-github-apps/registering-a-github-app-from-a-manifest
+ */
+export declare const APP_MANIFEST: {
+    name: string;
+    url: string;
+    hook_attributes: {
+        url: string;
+    };
+    redirect_url: string;
+    setup_url: string;
+    public: boolean;
+    default_permissions: {
+        checks: "write";
+        contents: "read";
+        pull_requests: "write";
+        statuses: "write";
+    };
+    default_events: readonly ["pull_request", "push"];
+};
+export type AppManifest = typeof APP_MANIFEST;
+//# sourceMappingURL=app-manifest.d.ts.map

package/dist/src/github/app-manifest.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"app-manifest.d.ts","sourceRoot":"","sources":["../../../src/github/app-manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;CAgBxB,CAAC;AAEF,MAAM,MAAM,WAAW,GAAG,OAAO,YAAY,CAAC"}

package/dist/src/github/app-manifest.js

@@ -0,0 +1,27 @@
+/**
+ * GitHub App manifest for ShipSafe registration.
+ *
+ * This manifest defines the permissions and events the ShipSafe GitHub App
+ * requires. The actual App registration is done manually on GitHub; this
+ * manifest serves as the canonical source of truth for the configuration.
+ *
+ * See: https://docs.github.com/en/apps/sharing-github-apps/registering-a-github-app-from-a-manifest
+ */
+export const APP_MANIFEST = {
+    name: 'ShipSafe',
+    url: 'https://shipsafe.org',
+    hook_attributes: {
+        url: '', // filled in during setup with the webhook endpoint URL
+    },
+    redirect_url: '',
+    setup_url: '',
+    public: true,
+    default_permissions: {
+        checks: 'write',
+        contents: 'read',
+        pull_requests: 'write',
+        statuses: 'write',
+    },
+    default_events: ['pull_request', 'push'],
+};
+//# sourceMappingURL=app-manifest.js.map

package/dist/src/github/app-manifest.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"app-manifest.js","sourceRoot":"","sources":["../../../src/github/app-manifest.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AACH,MAAM,CAAC,MAAM,YAAY,GAAG;IAC1B,IAAI,EAAE,UAAU;IAChB,GAAG,EAAE,sBAAsB;IAC3B,eAAe,EAAE;QACf,GAAG,EAAE,EAAE,EAAE,uDAAuD;KACjE;IACD,YAAY,EAAE,EAAE;IAChB,SAAS,EAAE,EAAE;IACb,MAAM,EAAE,IAAI;IACZ,mBAAmB,EAAE;QACnB,MAAM,EAAE,OAAgB;QACxB,QAAQ,EAAE,MAAe;QACzB,aAAa,EAAE,OAAgB;QAC/B,QAAQ,EAAE,OAAgB;KAC3B;IACD,cAAc,EAAE,CAAC,cAAc,EAAE,MAAM,CAAU;CAClD,CAAC"}

package/dist/src/github/checks.d.ts

@@ -0,0 +1,36 @@
+import type { Finding } from '../types.js';
+/**
+ * Create a check run in 'in_progress' state.
+ * Returns the check run ID.
+ */
+export declare function createCheckRun(options: {
+    repoFullName: string;
+    headSha: string;
+    installationId: number;
+}): Promise<number>;
+/**
+ * Format findings as GitHub check run annotations.
+ */
+export declare function formatAnnotations(findings: Finding[]): Array<{
+    path: string;
+    start_line: number;
+    end_line: number;
+    annotation_level: 'failure' | 'warning' | 'notice';
+    message: string;
+    title: string;
+}>;
+/**
+ * Build a summary string for the check run output.
+ */
+export declare function buildSummary(findings: Finding[]): string;
+/**
+ * Complete a check run with results.
+ */
+export declare function completeCheckRun(options: {
+    repoFullName: string;
+    checkRunId: number;
+    installationId: number;
+    conclusion: 'success' | 'failure' | 'neutral';
+    findings: Finding[];
+}): Promise<void>;
+//# sourceMappingURL=checks.d.ts.map

package/dist/src/github/checks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"checks.d.ts","sourceRoot":"","sources":["../../../src/github/checks.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,aAAa,CAAC;AAG3C;;;GAGG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE;IAC5C,YAAY,EAAE,MAAM,CAAC;IACrB,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;CACxB,GAAG,OAAO,CAAC,MAAM,CAAC,CAelB;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAC/B,QAAQ,EAAE,OAAO,EAAE,GAClB,KAAK,CAAC;IACP,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,MAAM,CAAC;IACnB,QAAQ,EAAE,MAAM,CAAC;IACjB,gBAAgB,EAAE,SAAS,GAAG,SAAS,GAAG,QAAQ,CAAC;IACnD,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,EAAE,MAAM,CAAC;CACf,CAAC,CASD;AAgBD;;GAEG;AACH,wBAAgB,YAAY,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,CAiBxD;AAED;;GAEG;AACH,wBAAsB,gBAAgB,CAAC,OAAO,EAAE;IAC9C,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,MAAM,CAAC;IACvB,UAAU,EAAE,SAAS,GAAG,SAAS,GAAG,SAAS,CAAC;IAC9C,QAAQ,EAAE,OAAO,EAAE,CAAC;CACrB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuBhB"}

package/dist/src/github/checks.js

@@ -0,0 +1,90 @@
+import { getInstallationToken, githubApi } from './api.js';
+/**
+ * Create a check run in 'in_progress' state.
+ * Returns the check run ID.
+ */
+export async function createCheckRun(options) {
+    const token = await getInstallationToken(options.installationId);
+    const result = (await githubApi(`/repos/${options.repoFullName}/check-runs`, {
+        method: 'POST',
+        token,
+        body: {
+            name: 'ShipSafe Security Scan',
+            head_sha: options.headSha,
+            status: 'in_progress',
+            started_at: new Date().toISOString(),
+        },
+    }));
+    return result.id;
+}
+/**
+ * Format findings as GitHub check run annotations.
+ */
+export function formatAnnotations(findings) {
+    return findings.map((finding) => ({
+        path: finding.file,
+        start_line: finding.line,
+        end_line: finding.line,
+        annotation_level: severityToAnnotationLevel(finding.severity),
+        message: `${finding.description}\n\nFix: ${finding.fix_suggestion}`,
+        title: `[${finding.severity.toUpperCase()}] ${finding.type}`,
+    }));
+}
+function severityToAnnotationLevel(severity) {
+    switch (severity) {
+        case 'critical':
+        case 'high':
+            return 'failure';
+        case 'medium':
+            return 'warning';
+        default:
+            return 'notice';
+    }
+}
+/**
+ * Build a summary string for the check run output.
+ */
+export function buildSummary(findings) {
+    if (findings.length === 0) {
+        return 'ShipSafe found no security issues. Ship it!';
+    }
+    const critical = findings.filter((f) => f.severity === 'critical').length;
+    const high = findings.filter((f) => f.severity === 'high').length;
+    const medium = findings.filter((f) => f.severity === 'medium').length;
+    const low = findings.filter((f) => f.severity === 'low').length;
+    const parts = [];
+    if (critical > 0)
+        parts.push(`${critical} critical`);
+    if (high > 0)
+        parts.push(`${high} high`);
+    if (medium > 0)
+        parts.push(`${medium} medium`);
+    if (low > 0)
+        parts.push(`${low} low`);
+    return `ShipSafe found ${findings.length} issues (${parts.join(', ')})`;
+}
+/**
+ * Complete a check run with results.
+ */
+export async function completeCheckRun(options) {
+    const token = await getInstallationToken(options.installationId);
+    const annotations = formatAnnotations(options.findings);
+    const summary = buildSummary(options.findings);
+    // GitHub API limits annotations to 50 per request
+    const annotationBatch = annotations.slice(0, 50);
+    await githubApi(`/repos/${options.repoFullName}/check-runs/${options.checkRunId}`, {
+        method: 'PATCH',
+        token,
+        body: {
+            status: 'completed',
+            conclusion: options.conclusion,
+            completed_at: new Date().toISOString(),
+            output: {
+                title: 'ShipSafe Security Scan',
+                summary,
+                annotations: annotationBatch,
+            },
+        },
+    });
+}
+//# sourceMappingURL=checks.js.map

package/dist/src/github/checks.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"checks.js","sourceRoot":"","sources":["../../../src/github/checks.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,SAAS,EAAE,MAAM,UAAU,CAAC;AAE3D;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,OAIpC;IACC,MAAM,KAAK,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAEjE,MAAM,MAAM,GAAG,CAAC,MAAM,SAAS,CAAC,UAAU,OAAO,CAAC,YAAY,aAAa,EAAE;QAC3E,MAAM,EAAE,MAAM;QACd,KAAK;QACL,IAAI,EAAE;YACJ,IAAI,EAAE,wBAAwB;YAC9B,QAAQ,EAAE,OAAO,CAAC,OAAO;YACzB,MAAM,EAAE,aAAa;YACrB,UAAU,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;SACrC;KACF,CAAC,CAAmB,CAAC;IAEtB,OAAO,MAAM,CAAC,EAAE,CAAC;AACnB,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAC/B,QAAmB;IASnB,OAAO,QAAQ,CAAC,GAAG,CAAC,CAAC,OAAO,EAAE,EAAE,CAAC,CAAC;QAChC,IAAI,EAAE,OAAO,CAAC,IAAI;QAClB,UAAU,EAAE,OAAO,CAAC,IAAI;QACxB,QAAQ,EAAE,OAAO,CAAC,IAAI;QACtB,gBAAgB,EAAE,yBAAyB,CAAC,OAAO,CAAC,QAAQ,CAAC;QAC7D,OAAO,EAAE,GAAG,OAAO,CAAC,WAAW,YAAY,OAAO,CAAC,cAAc,EAAE;QACnE,KAAK,EAAE,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,IAAI,EAAE;KAC7D,CAAC,CAAC,CAAC;AACN,CAAC;AAED,SAAS,yBAAyB,CAChC,QAAgB;IAEhB,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,UAAU,CAAC;QAChB,KAAK,MAAM;YACT,OAAO,SAAS,CAAC;QACnB,KAAK,QAAQ;YACX,OAAO,SAAS,CAAC;QACnB;YACE,OAAO,QAAQ,CAAC;IACpB,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,YAAY,CAAC,QAAmB;IAC9C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,6CAA6C,CAAC;IACvD,CAAC;IAED,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IAC1E,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAClE,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IACtE,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM,CAAC;IAEhE,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,QAAQ,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,WAAW,CAAC,CAAC;IACrD,IAAI,IAAI,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,IAAI,OAAO,CAAC,CAAC;IACzC,IAAI,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,MAAM,SAAS,CAAC,CAAC;IAC/C,IAAI,GAAG,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,MAAM,CAAC,CAAC;IAEtC,OAAO,kBAAkB,QAAQ,CAAC,MAAM,YAAY,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC;AAC1E,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,gBAAgB,CAAC,OAMtC;IACC,MAAM,KAAK,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IAEjE,MAAM,WAAW,GAAG,iBAAiB,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACxD,MAAM,OAAO,GAAG,YAAY,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE/C,kDAAkD;IAClD,MAAM,eAAe,GAAG,WAAW,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAEjD,MAAM,SAAS,CAAC,UAAU,OAAO,CAAC,YAAY,eAAe,OAAO,CAAC,UAAU,EAAE,EAAE;QACjF,MAAM,EAAE,OAAO;QACf,KAAK;QACL,IAAI,EAAE;YACJ,MAAM,EAAE,WAAW;YACnB,UAAU,EAAE,OAAO,CAAC,UAAU;YAC9B,YAAY,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;YACtC,MAAM,EAAE;gBACN,KAAK,EAAE,wBAAwB;gBAC/B,OAAO;gBACP,WAAW,EAAE,eAAe;aAC7B;SACF;KACF,CAAC,CAAC;AACL,CAAC"}