@stefanoginella/code-guardian 0.0.16 → 0.0.17
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +16 -1
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -30,7 +30,7 @@ Auto-detects your project's tech stack and runs appropriate open-source CLI tool
|
|
|
30
30
|
|
|
31
31
|
| Option | Values | Default | Description |
|
|
32
32
|
|--------|--------|---------|-------------|
|
|
33
|
-
| `--scope` | `codebase`, `uncommitted`, `unpushed` | `codebase` | What files to scan. `codebase` = all tracked files. `uncommitted` = staged + unstaged + untracked changes. `unpushed` = commits not yet pushed to remote. |
|
|
33
|
+
| `--scope` | `codebase`, `uncommitted`, `unpushed` | `codebase` | What files to scan. `codebase` = all tracked files. `uncommitted` = staged + unstaged + untracked changes. `unpushed` = commits not yet pushed to remote. When scoped, dependency scanners (npm-audit, pip-audit, etc.) are skipped unless their lockfile/manifest is in the changed files. |
|
|
34
34
|
| `--tools` | comma-separated tool names | all available | Only run these specific tools (e.g. `--tools semgrep,gitleaks`). Others are skipped. |
|
|
35
35
|
| `--autofix` | — | off | Run tools with auto-fix flags and let the security-fixer agent handle the rest. |
|
|
36
36
|
| `--refresh` | — | off | Force re-detection of stack and tools, ignoring the 24-hour cache. |
|
|
@@ -180,6 +180,7 @@ code-guardian/
|
|
|
180
180
|
│ ├── detect-stack.sh # Detects languages, frameworks, Docker, CI, IaC
|
|
181
181
|
│ ├── check-tools.sh # Checks tool availability (local + Docker)
|
|
182
182
|
│ ├── scan.sh # Main scan orchestrator
|
|
183
|
+
│ ├── generate-report.sh # Persistent markdown report generator
|
|
183
184
|
│ ├── ci-recommend.sh # CI config generator
|
|
184
185
|
│ ├── read-config.sh # Reads project config (.claude/code-guardian.config.json)
|
|
185
186
|
│ └── cache-state.sh # Cache I/O for stack + tools detection results
|
|
@@ -219,6 +220,20 @@ The plugin caches stack detection and tool availability results in `.claude/code
|
|
|
219
220
|
- Cache is invalidated automatically if it's older than 24 hours or the project path changes
|
|
220
221
|
- Use `--refresh` on the scan command to bypass the cache and force re-detection
|
|
221
222
|
|
|
223
|
+
## 📝 Scan Reports
|
|
224
|
+
|
|
225
|
+
Each scan automatically saves a detailed markdown report to `.code-guardian/scan-reports/scan-report-YYYYMMDD-HHMMSS.md`. Reports are timestamped so multiple scans never overwrite each other.
|
|
226
|
+
|
|
227
|
+
**Report contents:**
|
|
228
|
+
- Header with date, scope, and scanners run
|
|
229
|
+
- Summary table with finding counts by severity
|
|
230
|
+
- Per-tool breakdown table
|
|
231
|
+
- Every finding as a `- [ ]` checkbox item, grouped by severity (high first), with tool, rule ID, message, file location, and auto-fixable flag
|
|
232
|
+
- Skipped tools (with install commands) and failed tools
|
|
233
|
+
- Scope-skipped dependency scanners (when using `--scope uncommitted` or `--scope unpushed`)
|
|
234
|
+
|
|
235
|
+
**Remediation tracking:** Open the report in any markdown editor and check off items (`- [x]`) as you fix them. The reports persist in your project directory — add `.code-guardian/` to `.gitignore` if you don't want them committed, or commit them to track remediation progress across the team.
|
|
236
|
+
|
|
222
237
|
## 🔐 Permissions
|
|
223
238
|
|
|
224
239
|
The scan command runs bash scripts that invoke Docker or local CLI tools. Claude Code will prompt you to approve these if they aren't already in your allow list. For smoother runs, consider adding these patterns to your project's `.claude/settings.json` under `permissions.allow`:
|