npm - @vulcn/plugin-report - Versions diffs - 0.2.0 → 0.5.0 - Mend

@vulcn/plugin-report 0.2.0 → 0.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.cjs CHANGED Viewed

@@ -30,10 +30,12 @@ var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: tru
 // src/index.ts
 var index_exports = {};
 __export(index_exports, {
+  buildReport: () => buildReport,
   configSchema: () => configSchema,
   default: () => index_default,
   generateHtml: () => generateHtml,
   generateJson: () => generateJson,
+  generateSarif: () => generateSarif,
   generateYaml: () => generateYaml
 });
 module.exports = __toCommonJS(index_exports);
@@ -41,6 +43,262 @@ var import_zod = require("zod");
 var import_promises = require("fs/promises");
 var import_node_path = require("path");
+// src/report-model.ts
+var CWE_MAP = {
+  xss: {
+    id: 79,
+    name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+  },
+  sqli: {
+    id: 89,
+    name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+  },
+  ssrf: { id: 918, name: "Server-Side Request Forgery (SSRF)" },
+  xxe: {
+    id: 611,
+    name: "Improper Restriction of XML External Entity Reference"
+  },
+  "command-injection": {
+    id: 78,
+    name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+  },
+  "path-traversal": {
+    id: 22,
+    name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+  },
+  "open-redirect": {
+    id: 601,
+    name: "URL Redirection to Untrusted Site ('Open Redirect')"
+  },
+  reflection: {
+    id: 200,
+    name: "Exposure of Sensitive Information to an Unauthorized Actor"
+  },
+  "security-misconfiguration": {
+    id: 16,
+    name: "Configuration"
+  },
+  "information-disclosure": {
+    id: 200,
+    name: "Exposure of Sensitive Information to an Unauthorized Actor"
+  },
+  custom: { id: 20, name: "Improper Input Validation" }
+};
+var SEVERITY_WEIGHTS = {
+  critical: 10,
+  high: 7,
+  medium: 4,
+  low: 1,
+  info: 0
+};
+var SECURITY_SEVERITY = {
+  critical: "9.0",
+  high: "7.0",
+  medium: "4.0",
+  low: "2.0",
+  info: "0.0"
+};
+var PASSIVE_CATEGORIES = [
+  {
+    id: "security-headers",
+    label: "Security Headers",
+    icon: "\u{1F512}",
+    color: "#42a5f5",
+    remedy: "Add the recommended security headers to your server configuration. Most web servers and frameworks support these via middleware.",
+    checks: [
+      "Strict-Transport-Security (HSTS)",
+      "Content-Security-Policy (CSP)",
+      "X-Content-Type-Options",
+      "X-Frame-Options",
+      "Referrer-Policy",
+      "Permissions-Policy"
+    ]
+  },
+  {
+    id: "cookie-security",
+    label: "Cookie Security",
+    icon: "\u{1F36A}",
+    color: "#ffab40",
+    remedy: "Set the Secure, HttpOnly, and SameSite attributes on all session cookies. Configure your framework's session middleware accordingly.",
+    checks: ["Secure flag", "HttpOnly flag", "SameSite attribute"]
+  },
+  {
+    id: "information-disclosure",
+    label: "Information Disclosure",
+    icon: "\u{1F50D}",
+    color: "#66bb6a",
+    remedy: "Remove or obfuscate server version headers (Server, X-Powered-By). Disable debug mode in production environments.",
+    checks: ["Server version", "X-Powered-By", "Debug tokens"]
+  },
+  {
+    id: "cors",
+    label: "CORS Configuration",
+    icon: "\u{1F310}",
+    color: "#ce93d8",
+    remedy: "Replace wildcard origins with specific trusted domains. Never combine Access-Control-Allow-Credentials with wildcard origins.",
+    checks: ["Wildcard origin", "Credentials with wildcard"]
+  },
+  {
+    id: "mixed-content",
+    label: "Mixed Content",
+    icon: "\u26A0\uFE0F",
+    color: "#ff8a65",
+    remedy: "Replace all HTTP resource URLs with HTTPS. Use Content-Security-Policy: upgrade-insecure-requests as a fallback.",
+    checks: ["HTTP resources on HTTPS"]
+  }
+];
+function toRuleId(type) {
+  return `VULCN-${type.toUpperCase().replace(/[^A-Z0-9]+/g, "-")}`;
+}
+function fingerprint(f) {
+  return `${f.type}:${f.stepId}:${f.payload.slice(0, 50)}`;
+}
+function detectMethod(f) {
+  return f.metadata?.detectionMethod === "passive" ? "passive" : "active";
+}
+function passiveCat(f) {
+  const method = detectMethod(f);
+  if (method !== "passive") return void 0;
+  return f.metadata?.category || "other";
+}
+function enrichFinding(f) {
+  const cwe = CWE_MAP[f.type] || CWE_MAP.custom;
+  const sev = f.severity;
+  return {
+    // Original fields
+    type: f.type,
+    severity: sev,
+    title: f.title,
+    description: f.description,
+    stepId: f.stepId,
+    payload: f.payload,
+    url: f.url,
+    evidence: f.evidence,
+    metadata: f.metadata,
+    // Enriched
+    ruleId: toRuleId(f.type),
+    cwe,
+    securitySeverity: SECURITY_SEVERITY[sev] || "4.0",
+    fingerprint: fingerprint(f),
+    detectionMethod: detectMethod(f),
+    passiveCategory: passiveCat(f)
+  };
+}
+function buildRules(enriched) {
+  const seen = /* @__PURE__ */ new Map();
+  for (const f of enriched) {
+    if (!seen.has(f.type)) seen.set(f.type, f);
+  }
+  return Array.from(seen.entries()).map(([type, sample]) => ({
+    id: toRuleId(type),
+    type,
+    cwe: sample.cwe,
+    severity: sample.severity,
+    securitySeverity: sample.securitySeverity,
+    description: `Vulcn detected a potential ${type} vulnerability. ${sample.cwe.name}.`
+  }));
+}
+function countSeverities(findings) {
+  const counts = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    info: 0
+  };
+  for (const f of findings) {
+    counts[f.severity] = (counts[f.severity] || 0) + 1;
+  }
+  return counts;
+}
+function assessRisk(counts, total) {
+  const score = counts.critical * SEVERITY_WEIGHTS.critical + counts.high * SEVERITY_WEIGHTS.high + counts.medium * SEVERITY_WEIGHTS.medium + counts.low * SEVERITY_WEIGHTS.low;
+  const maxRisk = total * SEVERITY_WEIGHTS.critical || 1;
+  const percent = Math.min(100, Math.round(score / maxRisk * 100));
+  const label = percent >= 80 ? "Critical" : percent >= 50 ? "High" : percent >= 25 ? "Medium" : percent > 0 ? "Low" : "Clear";
+  return { score, percent, label };
+}
+function buildPassiveAnalysis(passiveFindings) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const f of passiveFindings) {
+    const cat = f.passiveCategory || "other";
+    if (!grouped.has(cat)) grouped.set(cat, []);
+    grouped.get(cat).push(f);
+  }
+  const categories = PASSIVE_CATEGORIES.map((def) => {
+    const findings = grouped.get(def.id) || [];
+    const issueCount = findings.length;
+    const totalChecks = def.checks.length;
+    const passedChecks = Math.max(0, totalChecks - issueCount);
+    const status = issueCount === 0 ? "pass" : issueCount >= 3 ? "fail" : "warn";
+    return {
+      definition: def,
+      findings,
+      issueCount,
+      passedChecks,
+      totalChecks,
+      status
+    };
+  });
+  return {
+    totalIssues: passiveFindings.length,
+    categories
+  };
+}
+function buildReport(session, result, generatedAt, engineVersion) {
+  const severityOrder = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+    info: 4
+  };
+  const sortedFindings = [...result.findings].sort(
+    (a, b) => (severityOrder[a.severity] ?? 5) - (severityOrder[b.severity] ?? 5)
+  );
+  const findings = sortedFindings.map(enrichFinding);
+  const activeFindings = findings.filter((f) => f.detectionMethod === "active");
+  const passiveFindings = findings.filter(
+    (f) => f.detectionMethod === "passive"
+  );
+  const counts = countSeverities(findings);
+  const risk = assessRisk(counts, findings.length);
+  const rules = buildRules(findings);
+  return {
+    reportVersion: "2.0",
+    engineVersion,
+    generatedAt,
+    session: {
+      name: session.name,
+      driver: session.driver,
+      driverConfig: session.driverConfig,
+      stepsCount: session.steps.length,
+      metadata: session.metadata
+    },
+    stats: {
+      stepsExecuted: result.stepsExecuted,
+      payloadsTested: result.payloadsTested,
+      durationMs: result.duration,
+      errors: result.errors
+    },
+    summary: {
+      totalFindings: findings.length,
+      severityCounts: counts,
+      risk,
+      vulnerabilityTypes: [...new Set(findings.map((f) => f.type))],
+      affectedUrls: [...new Set(findings.map((f) => f.url))]
+    },
+    rules,
+    findings,
+    activeFindings,
+    passiveAnalysis: buildPassiveAnalysis(passiveFindings)
+  };
+}
+function formatDuration(ms) {
+  if (ms < 1e3) return `${ms}ms`;
+  return `${(ms / 1e3).toFixed(1)}s`;
+}
 // src/html.ts
 var COLORS = {
   bg: "#0a0a0f",
@@ -77,30 +335,9 @@ function severityColor(severity) {
       return COLORS.textMuted;
   }
 }
-function severityOrder(severity) {
-  switch (severity) {
-    case "critical":
-      return 0;
-    case "high":
-      return 1;
-    case "medium":
-      return 2;
-    case "low":
-      return 3;
-    case "info":
-      return 4;
-    default:
-      return 5;
-  }
-}
 function escapeHtml(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
 }
-function formatDuration(ms) {
-  if (ms < 1e3) return `${ms}ms`;
-  const seconds = (ms / 1e3).toFixed(1);
-  return `${seconds}s`;
-}
 function formatDate(iso) {
   const d = new Date(iso);
   return d.toLocaleDateString("en-US", {
@@ -127,31 +364,95 @@ var VULCN_LOGO_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20
   <path fill="#dc2626" d="m 13.0058,9.89 c -0.164,1.484 -0.749,2.568 -1.659,3.353 -0.418,0.36 -0.465,0.992 -0.104,1.41 0.36,0.418 0.992,0.465 1.41,0.104 1.266,-1.092 2.112,-2.583 2.341,-4.647 0.061,-0.548 -0.335,-1.043 -0.884,-1.104 -0.548,-0.061 -1.043,0.335 -1.104,0.884 z"/>
   <path fill="url(#lg2)" d="m 14.0058,8.89 c -0.164,1.484 -0.749,2.568 -1.659,3.353 -0.418,0.36 -0.465,0.992 -0.104,1.41 0.36,0.418 0.992,0.465 1.41,0.104 1.266,-1.092 2.112,-2.583 2.341,-4.647 0.061,-0.548 -0.335,-1.043 -0.884,-1.104 -0.548,-0.061 -1.043,0.335 -1.104,0.884 z"/>
 </svg>`;
-function generateHtml(data) {
-  const { session, result, generatedAt, engineVersion } = data;
-  const findings = [...result.findings].sort(
-    (a, b) => severityOrder(a.severity) - severityOrder(b.severity)
-  );
-  const counts = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    info: 0
-  };
-  for (const f of findings) {
-    counts[f.severity] = (counts[f.severity] || 0) + 1;
+function renderPassiveSection(analysis) {
+  if (analysis.totalIssues === 0) {
+    return `
+    <div class="passive-section animate-in-delay-3">
+      <div class="section-header">
+        <h3>\u{1F6E1}\uFE0F Passive Security Analysis</h3>
+        <span class="findings-count">All clear</span>
+      </div>
+      <div class="passive-clear">
+        <div class="icon">\u2705</div>
+        <h4>All Passive Checks Passed</h4>
+        <p>No security header, cookie, CORS, or information disclosure issues detected.</p>
+      </div>
+    </div>`;
   }
-  const totalFindings = findings.length;
+  const categoryCards = analysis.categories.map((cat) => {
+    const statusColor = cat.status === "pass" ? COLORS.success : cat.status === "fail" ? COLORS.high : COLORS.medium;
+    return `
+      <div class="passive-category-card">
+        <div class="passive-cat-header">
+          <div class="passive-cat-icon">${cat.definition.icon}</div>
+          <div class="passive-cat-info">
+            <div class="passive-cat-title">${cat.definition.label}</div>
+            <div class="passive-cat-count" style="color: ${statusColor}">
+              ${cat.issueCount === 0 ? "\u2713 All clear" : `${cat.issueCount} issue${cat.issueCount !== 1 ? "s" : ""}`}
+            </div>
+          </div>
+          <div class="passive-cat-badge" style="background: ${statusColor}20; color: ${statusColor}; border-color: ${statusColor}30">
+            ${cat.status.toUpperCase()}
+          </div>
+        </div>
+        ${cat.findings.length > 0 ? `
+        <div class="passive-cat-findings">
+          ${cat.findings.map(
+      (f) => `
+            <div class="passive-finding-row">
+              <div class="passive-finding-dot" style="background: ${severityColor(f.severity)}"></div>
+              <div class="passive-finding-content">
+                <div class="passive-finding-title">${escapeHtml(f.title)}</div>
+                <div class="passive-finding-desc">${escapeHtml(f.description)}</div>
+                ${f.evidence ? `<div class="passive-finding-evidence">${escapeHtml(f.evidence)}</div>` : ""}
+              </div>
+              <span class="passive-sev-tag" style="color: ${severityColor(f.severity)}">${f.severity.toUpperCase()}</span>
+            </div>
+          `
+    ).join("")}
+        </div>
+        <div class="passive-remedy">
+          <span class="passive-remedy-label">\u{1F4A1} Remediation</span>
+          <span>${cat.definition.remedy}</span>
+        </div>
+        ` : `
+        <div class="passive-checks-passed">
+          ${cat.definition.checks.map(
+      (check) => `
+            <div class="passive-check-item">
+              <span class="passive-check-icon">\u2713</span>
+              <span>${check}</span>
+            </div>
+          `
+    ).join("")}
+        </div>
+        `}
+      </div>`;
+  }).join("");
+  return `
+    <div class="passive-section animate-in-delay-3">
+      <div class="section-header">
+        <h3>\u{1F6E1}\uFE0F Passive Security Analysis</h3>
+        <span class="findings-count">${analysis.totalIssues} issue${analysis.totalIssues !== 1 ? "s" : ""}</span>
+      </div>
+      <div class="passive-grid">
+        ${categoryCards}
+      </div>
+    </div>`;
+}
+function generateHtml(report) {
+  const { summary, stats, session, passiveAnalysis, activeFindings, findings } = report;
+  const {
+    severityCounts: counts,
+    risk,
+    totalFindings,
+    affectedUrls,
+    vulnerabilityTypes: vulnTypes
+  } = summary;
+  const { stepsExecuted, payloadsTested, durationMs, errors } = stats;
   const hasFindings = totalFindings > 0;
-  const riskScore = counts.critical * 10 + counts.high * 7 + counts.medium * 4 + counts.low * 1;
-  const maxRisk = totalFindings * 10 || 1;
-  const riskPercent = Math.min(100, Math.round(riskScore / maxRisk * 100));
-  const riskLabel = riskPercent >= 80 ? "Critical" : riskPercent >= 50 ? "High" : riskPercent >= 25 ? "Medium" : riskPercent > 0 ? "Low" : "Clear";
-  const riskColor = riskPercent >= 80 ? COLORS.critical : riskPercent >= 50 ? COLORS.high : riskPercent >= 25 ? COLORS.medium : riskPercent > 0 ? COLORS.low : COLORS.success;
+  const riskColor = risk.percent >= 80 ? COLORS.critical : risk.percent >= 50 ? COLORS.high : risk.percent >= 25 ? COLORS.medium : risk.percent > 0 ? COLORS.low : COLORS.success;
   const donutSvg = generateDonut(counts, totalFindings);
-  const affectedUrls = [...new Set(findings.map((f) => f.url))];
-  const vulnTypes = [...new Set(findings.map((f) => f.type))];
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -643,6 +944,180 @@ function generateHtml(data) {
     .no-findings h3 { font-size: 20px; font-weight: 700; color: ${COLORS.success}; margin-bottom: 8px; }
     .no-findings p { font-size: 14px; color: var(--text-muted); }
+    /* \u2500\u2500 Passive Security Analysis \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .passive-section { margin-bottom: 32px; }
+    .section-header {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      margin-bottom: 16px;
+    }
+    .section-header h3 {
+      font-size: 18px;
+      font-weight: 700;
+      letter-spacing: -0.01em;
+    }
+    .passive-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(320px, 1fr));
+      gap: 12px;
+    }
+    .passive-category-card {
+      background: var(--surface);
+      border: 1px solid var(--border);
+      border-radius: var(--radius);
+      overflow: hidden;
+      transition: border-color 0.2s;
+    }
+    .passive-category-card:hover { border-color: var(--border-active); }
+    .passive-cat-header {
+      display: flex;
+      align-items: center;
+      gap: 12px;
+      padding: 16px 20px;
+      border-bottom: 1px solid var(--border);
+    }
+    .passive-cat-icon {
+      font-size: 20px;
+      width: 36px;
+      height: 36px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      background: rgba(255,255,255,0.03);
+      border-radius: var(--radius-xs);
+      flex-shrink: 0;
+    }
+    .passive-cat-info { flex: 1; min-width: 0; }
+    .passive-cat-title {
+      font-size: 14px;
+      font-weight: 600;
+      letter-spacing: -0.01em;
+    }
+    .passive-cat-count {
+      font-size: 12px;
+      font-weight: 500;
+    }
+    .passive-cat-badge {
+      font-size: 10px;
+      font-weight: 700;
+      letter-spacing: 0.05em;
+      padding: 3px 8px;
+      border-radius: 100px;
+      border: 1px solid;
+      flex-shrink: 0;
+    }
+    .passive-cat-findings {
+      padding: 12px 20px;
+    }
+    .passive-finding-row {
+      display: flex;
+      align-items: flex-start;
+      gap: 10px;
+      padding: 8px 0;
+      border-bottom: 1px solid rgba(255,255,255,0.03);
+    }
+    .passive-finding-row:last-child { border-bottom: none; }
+    .passive-finding-dot {
+      width: 6px;
+      height: 6px;
+      border-radius: 50%;
+      flex-shrink: 0;
+      margin-top: 7px;
+    }
+    .passive-finding-content { flex: 1; min-width: 0; }
+    .passive-finding-title {
+      font-size: 13px;
+      font-weight: 500;
+      margin-bottom: 2px;
+    }
+    .passive-finding-desc {
+      font-size: 12px;
+      color: var(--text-muted);
+      line-height: 1.4;
+    }
+    .passive-finding-evidence {
+      font-family: 'JetBrains Mono', monospace;
+      font-size: 11px;
+      color: var(--text-dim);
+      margin-top: 4px;
+      padding: 4px 8px;
+      background: rgba(255,255,255,0.02);
+      border-radius: 4px;
+    }
+    .passive-sev-tag {
+      font-size: 10px;
+      font-weight: 700;
+      letter-spacing: 0.04em;
+      flex-shrink: 0;
+      margin-top: 2px;
+    }
+    .passive-remedy {
+      padding: 12px 20px;
+      background: rgba(66, 165, 245, 0.04);
+      border-top: 1px solid rgba(66, 165, 245, 0.08);
+      font-size: 12px;
+      color: var(--text-muted);
+      line-height: 1.5;
+    }
+    .passive-remedy-label {
+      font-weight: 600;
+      margin-right: 6px;
+    }
+    .passive-checks-passed {
+      padding: 12px 20px;
+    }
+    .passive-check-item {
+      display: flex;
+      align-items: center;
+      gap: 8px;
+      padding: 4px 0;
+      font-size: 12px;
+      color: var(--text-muted);
+    }
+    .passive-check-icon {
+      color: ${COLORS.success};
+      font-weight: 700;
+      font-size: 11px;
+    }
+    .passive-clear {
+      text-align: center;
+      padding: 40px 24px;
+      background: var(--surface);
+      border: 1px solid var(--border);
+      border-radius: var(--radius);
+    }
+    .passive-clear .icon { font-size: 36px; margin-bottom: 12px; }
+    .passive-clear h4 { font-size: 16px; font-weight: 600; color: ${COLORS.success}; margin-bottom: 6px; }
+    .passive-clear p { font-size: 13px; color: var(--text-muted); }
     /* Errors section */
     .errors-section {
       margin-bottom: 32px;
@@ -707,6 +1182,7 @@ function generateHtml(data) {
       body::before { display: none; }
       .finding-details { display: block !important; padding-top: 12px !important; }
       .finding-card { page-break-inside: avoid; }
+      .passive-category-card { page-break-inside: avoid; }
     }
   </style>
 </head>
@@ -722,8 +1198,8 @@ function generateHtml(data) {
         </div>
       </div>
       <div class="header-meta">
-        <div>${formatDate(generatedAt)}</div>
-        <div>Engine v${escapeHtml(engineVersion)}</div>
+        <div>${formatDate(report.generatedAt)}</div>
+        <div>Engine v${escapeHtml(report.engineVersion)}</div>
       </div>
     </div>
@@ -738,11 +1214,11 @@ function generateHtml(data) {
         ${session.driverConfig?.startUrl ? `<div class="meta-item"><span class="meta-label">Target URL</span><span class="meta-value">${escapeHtml(String(session.driverConfig.startUrl))}</span></div>` : ""}
         <div class="meta-item">
           <span class="meta-label">Duration</span>
-          <span class="meta-value">${formatDuration(result.duration)}</span>
+          <span class="meta-value">${formatDuration(durationMs)}</span>
         </div>
         <div class="meta-item">
           <span class="meta-label">Generated</span>
-          <span class="meta-value">${formatDate(generatedAt)}</span>
+          <span class="meta-value">${formatDate(report.generatedAt)}</span>
         </div>
       </div>
     </div>
@@ -755,13 +1231,13 @@ function generateHtml(data) {
           <svg viewBox="0 0 160 160" width="160" height="160">
             <circle cx="80" cy="80" r="68" fill="none" stroke="rgba(255,255,255,0.04)" stroke-width="10"/>
             <circle cx="80" cy="80" r="68" fill="none" stroke="${riskColor}" stroke-width="10"
-              stroke-dasharray="${riskPercent / 100 * 427} 427"
+              stroke-dasharray="${risk.percent / 100 * 427} 427"
               stroke-linecap="round"
               style="filter: drop-shadow(0 0 6px ${riskColor});"/>
           </svg>
           <div class="risk-gauge-label">
-            <div class="score" style="color: ${riskColor}">${hasFindings ? riskPercent : 0}</div>
-            <div class="label">${riskLabel}</div>
+            <div class="score" style="color: ${riskColor}">${hasFindings ? risk.percent : 0}</div>
+            <div class="label">${risk.label}</div>
           </div>
         </div>
       </div>
@@ -774,11 +1250,11 @@ function generateHtml(data) {
             <div class="stat-label">Findings</div>
           </div>
           <div class="stat-box">
-            <div class="stat-number">${result.payloadsTested}</div>
+            <div class="stat-number">${payloadsTested}</div>
             <div class="stat-label">Payloads Tested</div>
           </div>
           <div class="stat-box">
-            <div class="stat-number">${result.stepsExecuted}</div>
+            <div class="stat-number">${stepsExecuted}</div>
             <div class="stat-label">Steps Executed</div>
           </div>
           <div class="stat-box">
@@ -806,14 +1282,17 @@ function generateHtml(data) {
       </div>
     </div>
-    <!-- Findings -->
+    <!-- Passive Security Analysis -->
+    ${renderPassiveSection(passiveAnalysis)}
+    <!-- Active Findings -->
     <div class="findings-section animate-in-delay-3">
       <div class="findings-header">
-        <h3>Findings</h3>
-        <span class="findings-count">${totalFindings} total</span>
+        <h3>\u{1F3AF} Active Scan Findings</h3>
+        <span class="findings-count">${activeFindings.length} finding${activeFindings.length !== 1 ? "s" : ""}</span>
       </div>
-      ${hasFindings ? findings.map(
+      ${activeFindings.length > 0 ? activeFindings.map(
     (f, i) => `
         <div class="finding-card" onclick="this.classList.toggle('open')">
           <div class="finding-header">
@@ -859,16 +1338,16 @@ function generateHtml(data) {
   ).join("") : `
         <div class="no-findings">
           <div class="icon">\u{1F6E1}\uFE0F</div>
-          <h3>No Vulnerabilities Detected</h3>
-          <p>${result.payloadsTested} payloads were tested across ${result.stepsExecuted} steps with no findings.</p>
+          <h3>No Active Vulnerabilities Detected</h3>
+          <p>${payloadsTested} payloads were tested across ${stepsExecuted} steps with no findings.</p>
         </div>
       `}
     </div>
-    ${result.errors.length > 0 ? `
+    ${errors.length > 0 ? `
     <div class="errors-section">
-      <h3>\u26A0\uFE0F Errors During Execution (${result.errors.length})</h3>
-      ${result.errors.map((e) => `<div class="error-item">${escapeHtml(e)}</div>`).join("")}
+      <h3>\u26A0\uFE0F Errors During Execution (${errors.length})</h3>
+      ${errors.map((e) => `<div class="error-item">${escapeHtml(e)}</div>`).join("")}
     </div>
     ` : ""}
@@ -903,67 +1382,231 @@ function generateDonut(counts, total) {
 }
 // src/json.ts
-function formatDuration2(ms) {
-  if (ms < 1e3) return `${ms}ms`;
-  return `${(ms / 1e3).toFixed(1)}s`;
-}
-function generateJson(session, result, generatedAt, engineVersion) {
-  const counts = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    info: 0
-  };
-  for (const f of result.findings) {
-    counts[f.severity] = (counts[f.severity] || 0) + 1;
-  }
-  const riskScore = counts.critical * 10 + counts.high * 7 + counts.medium * 4 + counts.low * 1;
+function generateJson(report) {
   return {
     vulcn: {
-      version: engineVersion,
-      reportVersion: "1.0",
-      generatedAt
-    },
-    session: {
-      name: session.name,
-      driver: session.driver,
-      driverConfig: session.driverConfig,
-      stepsCount: session.steps.length,
-      metadata: session.metadata
+      version: report.engineVersion,
+      reportVersion: report.reportVersion,
+      generatedAt: report.generatedAt
     },
+    session: report.session,
     execution: {
-      stepsExecuted: result.stepsExecuted,
-      payloadsTested: result.payloadsTested,
-      durationMs: result.duration,
-      durationFormatted: formatDuration2(result.duration),
-      errors: result.errors
+      stepsExecuted: report.stats.stepsExecuted,
+      payloadsTested: report.stats.payloadsTested,
+      durationMs: report.stats.durationMs,
+      durationFormatted: formatDuration(report.stats.durationMs),
+      errors: report.stats.errors
     },
     summary: {
-      totalFindings: result.findings.length,
-      riskScore,
-      severityCounts: counts,
-      vulnerabilityTypes: [...new Set(result.findings.map((f) => f.type))],
-      affectedUrls: [...new Set(result.findings.map((f) => f.url))]
+      totalFindings: report.summary.totalFindings,
+      riskScore: report.summary.risk.score,
+      riskLabel: report.summary.risk.label,
+      severityCounts: report.summary.severityCounts,
+      vulnerabilityTypes: report.summary.vulnerabilityTypes,
+      affectedUrls: report.summary.affectedUrls
     },
-    findings: result.findings
+    findings: report.findings,
+    passiveAnalysis: {
+      totalIssues: report.passiveAnalysis.totalIssues,
+      categories: report.passiveAnalysis.categories.map((c) => ({
+        id: c.definition.id,
+        label: c.definition.label,
+        status: c.status,
+        issueCount: c.issueCount,
+        passedChecks: c.passedChecks,
+        totalChecks: c.totalChecks,
+        remedy: c.definition.remedy
+      }))
+    },
+    rules: report.rules
   };
 }
 // src/yaml.ts
 var import_yaml = require("yaml");
-function generateYaml(session, result, generatedAt, engineVersion) {
-  const report = generateJson(session, result, generatedAt, engineVersion);
+function generateYaml(report) {
+  const jsonReport = generateJson(report);
   const header = [
     "# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
     "# Vulcn Security Report",
-    `# Generated: ${generatedAt}`,
-    `# Session: ${session.name}`,
-    `# Findings: ${result.findings.length}`,
+    `# Generated: ${report.generatedAt}`,
+    `# Session: ${report.session.name}`,
+    `# Findings: ${report.summary.totalFindings}`,
     "# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
     ""
   ].join("\n");
-  return header + (0, import_yaml.stringify)(report, { indent: 2 });
+  return header + (0, import_yaml.stringify)(jsonReport, { indent: 2 });
+}
+// src/sarif.ts
+function toSarifLevel(severity) {
+  switch (severity) {
+    case "critical":
+    case "high":
+      return "error";
+    case "medium":
+      return "warning";
+    case "low":
+    case "info":
+      return "note";
+    default:
+      return "warning";
+  }
+}
+function toPrecision(severity) {
+  switch (severity) {
+    case "critical":
+      return "very-high";
+    case "high":
+      return "high";
+    case "medium":
+      return "medium";
+    case "low":
+    case "info":
+      return "low";
+    default:
+      return "medium";
+  }
+}
+function toSarifRule(rule) {
+  return {
+    id: rule.id,
+    name: rule.type,
+    shortDescription: {
+      text: `${rule.cwe.name} (CWE-${rule.cwe.id})`
+    },
+    fullDescription: {
+      text: rule.description
+    },
+    helpUri: `https://cwe.mitre.org/data/definitions/${rule.cwe.id}.html`,
+    help: {
+      text: `## ${rule.cwe.name}
+CWE-${rule.cwe.id}: ${rule.cwe.name}
+This rule detects ${rule.type} vulnerabilities by injecting security payloads into form inputs and analyzing the application's response for signs of exploitation.
+### Remediation
+See https://cwe.mitre.org/data/definitions/${rule.cwe.id}.html for detailed remediation guidance.`,
+      markdown: `## ${rule.cwe.name}
+**CWE-${rule.cwe.id}**: ${rule.cwe.name}
+This rule detects \`${rule.type}\` vulnerabilities by injecting security payloads into form inputs and analyzing the application's response for signs of exploitation.
+### Remediation
+See [CWE-${rule.cwe.id}](https://cwe.mitre.org/data/definitions/${rule.cwe.id}.html) for detailed remediation guidance.`
+    },
+    properties: {
+      tags: [
+        "security",
+        `CWE-${rule.cwe.id}`,
+        `external/cwe/cwe-${rule.cwe.id}`
+      ],
+      precision: toPrecision(rule.severity),
+      "security-severity": rule.securitySeverity
+    },
+    defaultConfiguration: {
+      level: toSarifLevel(rule.severity)
+    }
+  };
+}
+function toSarifResult(finding, sarifRules) {
+  const ruleIndex = sarifRules.findIndex((r) => r.id === finding.ruleId);
+  let messageText = `${finding.title}
+${finding.description}`;
+  if (finding.evidence) {
+    messageText += `
+Evidence: ${finding.evidence}`;
+  }
+  messageText += `
+Payload: ${finding.payload}`;
+  return {
+    ruleId: finding.ruleId,
+    ruleIndex: Math.max(ruleIndex, 0),
+    level: toSarifLevel(finding.severity),
+    message: { text: messageText },
+    locations: [
+      {
+        physicalLocation: {
+          artifactLocation: {
+            uri: finding.url || "unknown"
+          },
+          region: {
+            startLine: 1
+          }
+        },
+        logicalLocations: [
+          {
+            name: finding.stepId,
+            kind: "test-step"
+          }
+        ]
+      }
+    ],
+    fingerprints: {
+      vulcnFindingV1: finding.fingerprint
+    },
+    partialFingerprints: {
+      vulcnType: finding.type,
+      vulcnStepId: finding.stepId
+    },
+    properties: {
+      severity: finding.severity,
+      payload: finding.payload,
+      stepId: finding.stepId,
+      detectionMethod: finding.detectionMethod,
+      ...finding.evidence ? { evidence: finding.evidence } : {},
+      ...finding.passiveCategory ? { passiveCategory: finding.passiveCategory } : {}
+    }
+  };
+}
+function generateSarif(report) {
+  const sarifRules = report.rules.map(toSarifRule);
+  const results = report.findings.map((f) => toSarifResult(f, sarifRules));
+  const artifacts = report.summary.affectedUrls.map((url) => ({
+    location: { uri: url }
+  }));
+  const startDate = new Date(report.generatedAt);
+  const endDate = new Date(startDate.getTime() + report.stats.durationMs);
+  return {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "Vulcn",
+            version: report.engineVersion,
+            semanticVersion: report.engineVersion,
+            informationUri: "https://vulcn.dev",
+            rules: sarifRules
+          }
+        },
+        results,
+        invocations: [
+          {
+            executionSuccessful: report.stats.errors.length === 0,
+            startTimeUtc: report.generatedAt,
+            endTimeUtc: endDate.toISOString(),
+            properties: {
+              sessionName: report.session.name,
+              stepsExecuted: report.stats.stepsExecuted,
+              payloadsTested: report.stats.payloadsTested,
+              durationMs: report.stats.durationMs,
+              ...report.stats.errors.length > 0 ? { errors: report.stats.errors } : {}
+            }
+          }
+        ],
+        ...artifacts.length > 0 ? { artifacts } : {}
+      }
+    ]
+  };
 }
 // src/index.ts
@@ -973,10 +1616,11 @@ var configSchema = import_zod.z.object({
    * - "html":  Beautiful dark-themed HTML report
    * - "json":  Machine-readable structured JSON
    * - "yaml":  Human-readable YAML
-   * - "all":   Generate all three formats
+   * - "sarif": SARIF v2.1.0 for GitHub Code Scanning
+   * - "all":   Generate all formats
    * @default "html"
    */
-  format: import_zod.z.enum(["html", "json", "yaml", "all"]).default("html"),
+  format: import_zod.z.enum(["html", "json", "yaml", "sarif", "all"]).default("html"),
   /**
    * Output directory for report files
    * @default "."
@@ -994,14 +1638,14 @@ var configSchema = import_zod.z.object({
   open: import_zod.z.boolean().default(false)
 });
 function getFormats(format) {
-  if (format === "all") return ["html", "json", "yaml"];
+  if (format === "all") return ["html", "json", "yaml", "sarif"];
   return [format];
 }
 var plugin = {
   name: "@vulcn/plugin-report",
   version: "0.1.0",
   apiVersion: 1,
-  description: "Report generation plugin \u2014 generates beautiful HTML, JSON, and YAML security reports",
+  description: "Report generation plugin \u2014 generates HTML, JSON, YAML, and SARIF security reports",
   configSchema,
   hooks: {
     onInit: async (ctx) => {
@@ -1011,13 +1655,20 @@ var plugin = {
       );
     },
     /**
-     * Generate report(s) after run completes
+     * Generate report(s) after run completes.
+     *
+     * Architecture: RunResult + Session → buildReport() → VulcnReport
+     * Each output format is a pure projection of the canonical model.
      */
     onRunEnd: async (result, ctx) => {
       const config = configSchema.parse(ctx.config);
       const formats = getFormats(config.format);
-      const generatedAt = (/* @__PURE__ */ new Date()).toISOString();
-      const engineVersion = ctx.engine.version;
+      const report = buildReport(
+        ctx.session,
+        result,
+        (/* @__PURE__ */ new Date()).toISOString(),
+        ctx.engine.version
+      );
       const outDir = (0, import_node_path.resolve)(config.outputDir);
       await (0, import_promises.mkdir)(outDir, { recursive: true });
       const basePath = (0, import_node_path.resolve)(outDir, config.filename);
@@ -1026,13 +1677,7 @@ var plugin = {
         try {
           switch (fmt) {
             case "html": {
-              const htmlData = {
-                session: ctx.session,
-                result,
-                generatedAt,
-                engineVersion
-              };
-              const html = generateHtml(htmlData);
+              const html = generateHtml(report);
               const htmlPath = `${basePath}.html`;
               await (0, import_promises.writeFile)(htmlPath, html, "utf-8");
               writtenFiles.push(htmlPath);
@@ -1040,12 +1685,7 @@ var plugin = {
               break;
             }
             case "json": {
-              const jsonReport = generateJson(
-                ctx.session,
-                result,
-                generatedAt,
-                engineVersion
-              );
+              const jsonReport = generateJson(report);
               const jsonPath = `${basePath}.json`;
               await (0, import_promises.writeFile)(
                 jsonPath,
@@ -1057,18 +1697,25 @@ var plugin = {
               break;
             }
             case "yaml": {
-              const yamlContent = generateYaml(
-                ctx.session,
-                result,
-                generatedAt,
-                engineVersion
-              );
+              const yamlContent = generateYaml(report);
               const yamlPath = `${basePath}.yml`;
               await (0, import_promises.writeFile)(yamlPath, yamlContent, "utf-8");
               writtenFiles.push(yamlPath);
               ctx.logger.info(`\u{1F4C4} YAML report: ${yamlPath}`);
               break;
             }
+            case "sarif": {
+              const sarifReport = generateSarif(report);
+              const sarifPath = `${basePath}.sarif`;
+              await (0, import_promises.writeFile)(
+                sarifPath,
+                JSON.stringify(sarifReport, null, 2),
+                "utf-8"
+              );
+              writtenFiles.push(sarifPath);
+              ctx.logger.info(`\u{1F4C4} SARIF report: ${sarifPath}`);
+              break;
+            }
           }
         } catch (err) {
           ctx.logger.error(
@@ -1092,9 +1739,11 @@ var plugin = {
 var index_default = plugin;
 // Annotate the CommonJS export names for ESM import in node:
 0 && (module.exports = {
+  buildReport,
   configSchema,
   generateHtml,
   generateJson,
+  generateSarif,
   generateYaml
 });
 //# sourceMappingURL=index.cjs.map