@vibgrate/cli 1.0.26 → 1.0.27

package/DOCS.md CHANGED
@@ -40,6 +40,7 @@ For a quick overview, see the [README](./README.md). This document covers everyt
40
40
  - [Breaking Change Exposure](#breaking-change-exposure)
41
41
  - [File Hotspots](#file-hotspots)
42
42
  - [Security Posture](#security-posture)
43
+ - [Security Scanners](#security-scanners)
43
44
  - [Service Dependencies](#service-dependencies)
44
45
  - [CI Integration](#ci-integration)
45
46
  - [GitHub Actions](#github-actions)
@@ -65,7 +66,7 @@ Vibgrate recursively scans your repository for `package.json` (Node/TypeScript)
65
66
  4. **Generates** a deterministic Upgrade Drift Score (0–100)
66
67
  5. **Produces** findings, a full JSON artifact, and optional SARIF output
67
68
 
68
- No source code is read. No secrets are scanned. The CLI works entirely offline dashboard upload is optional.
69
+ Core drift analysis does not execute source code. Optional security scanners can run lightweight secret heuristics and local toolchain checks. Dashboard upload remains optional.
69
70
 
70
71
  ---
71
72
 
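Review bot: the replacement line silently weakens the privacy guarantee. "Core drift analysis does not execute source code" is a different claim from the removed "No source code is read"; nobody would expect a drift scanner to execute code, and readers relying on the old statement will not learn from this sentence whether files are now opened. State explicitly which scanners read source files (the README hunk in this same release says OWASP mapping inspects source via Semgrep) and which only read manifests. The new line also says optional scanners run "lightweight secret heuristics", so the unchanged "No secrets are scanned" claims elsewhere in the docs need to be revisited in the same change.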
@@ -274,6 +275,7 @@ const config: VibgrateConfig = {
274
275
  breakingChangeExposure: { enabled: true },
275
276
  fileHotspots: { enabled: true },
276
277
  securityPosture: { enabled: true },
278
+ securityScanners: { enabled: true },
277
279
  serviceDependencies: { enabled: true },
278
280
  },
279
281
  };
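Review bot: the config example now enables `securityScanners`, but the README in this same release advertises Code Quality and OWASP Category Mapping as scanners too, and neither appears here. If they have config keys, add them so the example matches the 13 scanners listed; if they are not individually configurable, say so next to the example so users do not go looking for a key that does not exist.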
@@ -398,6 +400,19 @@ Structural security hygiene indicators (not a secret scanner):
398
400
  - `.env` files tracked outside `.gitignore`
399
401
  - Audit severity counts (via `npm audit --json`)
400
402
 
403
+
404
+ ### Security Scanners
405
+
406
+ Security scanner orchestration and readiness analysis focused on modern SAST and secrets tooling:
407
+
408
+ - Semgrep support for SAST (version detection + freshness checks)
409
+ - Gitleaks and TruffleHog support for secret scanning readiness
410
+ - Recommended minimum version checks to highlight stale engines/signatures
411
+ - Config discovery (`.semgrep.yml`, `.gitleaks.toml`, `.trufflehog.yml`)
412
+ - Cache-backed heuristic secret signals to add value even when binaries are unavailable
413
+
414
+ > This scanner does not guarantee full secret detection or rule coverage by itself; it reports toolchain status and lightweight in-repo indicators so teams can decide how to harden CI enforcement.
415
+
401
416
  ### Service Dependencies
402
417
 
403
418
  Maps external service and platform dependencies by detecting SDK packages:
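Review bot: the "Cache-backed heuristic secret signals" bullet needs to say what the heuristics inspect (file names, patterns, cached tool output) and that matched values are never stored or emitted; as written it is unclear whether file contents are read, which matters for a section that opens with "not a secret scanner". "Recommended minimum version checks" should also name the minimum versions for Semgrep, Gitleaks and TruffleHog, or point to where they are defined, so users can verify the freshness threshold rather than trust an opaque "stale" verdict.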
package/README.md CHANGED
@@ -162,7 +162,7 @@ Works across **Node.js/TypeScript** and **.NET** projects in the same scan. Dete
162
162
 
163
163
  Designed to live in your build pipeline. Returns meaningful exit codes, produces SARIF output for GitHub Code Scanning and Azure DevOps, and requires zero configuration to get started.
164
164
 
165
- ### Ten Extended Scanners
165
+ ### 13 Extended Scanners
166
166
 
167
167
  Beyond the core drift score, Vibgrate runs a suite of extended scanners — all optional, all privacy-safe:
168
168
 
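Review bot: the heading changes number style, from the spelled-out "Ten" to the numeral "13"; pick one convention for headings. A hard-coded count in a heading also goes stale every time a scanner is added (this release alone adds three), so consider "Extended Scanners" with the count stated once in the table or body text.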
@@ -177,7 +177,10 @@ Beyond the core drift score, Vibgrate runs a suite of extended scanners — all
177
177
  | **Breaking Change Exposure** | Packages known to cause upgrade pain, legacy polyfills |
178
178
  | **File Hotspots** | Codebase shape — file counts, sizes, depth, shared packages |
179
179
  | **Security Posture** | Lockfile hygiene, `.gitignore` coverage, audit severity counts |
180
+ | **Security Scanners** | Semgrep (SAST) + Gitleaks/TruffleHog readiness, version risk checks, heuristic secret signals |
180
181
  | **Service Dependencies** | External SDK detection — payment, auth, cloud, databases, messaging |
182
+ | **Code Quality** | Cyclomatic complexity, function length, nesting depth, god files, dead-code estimate, circular imports |
183
+ | **OWASP Category Mapping** | Semgrep OSS findings mapped to OWASP Top 10 categories (fast or cache-input mode) |
181
184
 
182
185
  ### Baseline & Delta Tracking
183
186
 
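Review bot: the Code Quality and OWASP Category Mapping rows are new, but DOCS.md in this same diff adds only a Security Scanners section and TOC entry; add matching DOCS.md sections for the two new scanners, or readers following the table will find nothing to configure. The OWASP row's "fast or cache-input mode" is not explained anywhere in the diff and should be documented where the mode is selected.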
@@ -284,7 +287,8 @@ export default config;
284
287
 
285
288
  Vibgrate is designed to be safe to run on any codebase:
286
289
 
287
- - **No source code is read** — only `package.json`, `tsconfig.json`, lockfiles, and project manifests
290
+ - **No source code content is exfiltrated** — code-quality metrics are computed locally and only aggregated numbers are emitted
291
+ - **Source code is only read when explicitly needed** — core drift scanners use manifests/configs; OWASP mapping can inspect source files via Semgrep
288
292
  - **No secrets are scanned** — ever
289
293
  - **No git history, authors, or commit messages** — only HEAD SHA and branch name for traceability
290
294
  - **No data leaves your machine** unless you explicitly run `vibgrate push` or `vibgrate scan --push`
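Review bot: the two new bullets leave the next context bullet, "No secrets are scanned — ever", in place, which now contradicts the DOCS.md change in this same release stating that optional security scanners run lightweight secret heuristics. Reword or remove that bullet. The second new bullet's "only read when explicitly needed" should also list which scanners read source (OWASP mapping via Semgrep, Code Quality metrics, and whether the secret heuristics do), since the first bullet's "only aggregated numbers are emitted" covers Code Quality but not the others.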
@@ -1,8 +1,8 @@
1
1
  import {
2
2
  baselineCommand,
3
3
  runBaseline
4
- } from "./chunk-7EEUYKZI.js";
5
- import "./chunk-27LB7QTA.js";
4
+ } from "./chunk-K4ZGFGP2.js";
5
+ import "./chunk-PROF25OR.js";
6
6
  export {
7
7
  baselineCommand,
8
8
  runBaseline
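Review bot: these are generated bundle chunk renames (`chunk-7EEUYKZI` to `chunk-K4ZGFGP2`, `chunk-27LB7QTA` to `chunk-PROF25OR`) with no behavioural change visible here; the new scanner code that the docs describe lives inside the renamed chunks, whose contents are not shown in this diff, so the implementation of the secret heuristics and toolchain checks cannot be reviewed from this page.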
@@ -1,7 +1,7 @@
1
1
  import {
2
2
  runScan,
3
3
  writeJsonFile
4
- } from "./chunk-27LB7QTA.js";
4
+ } from "./chunk-PROF25OR.js";
5
5
 
6
6
  // src/commands/baseline.ts
7
7
  import * as path from "path";