@vulcn/plugin-report 0.2.0 → 0.5.0

package/dist/index.js

@@ -3,6 +3,262 @@ import { z } from "zod";
 import { writeFile, mkdir } from "fs/promises";
 import { resolve } from "path";
 
+// src/report-model.ts
+var CWE_MAP = {
+  xss: {
+    id: 79,
+    name: "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
+  },
+  sqli: {
+    id: 89,
+    name: "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
+  },
+  ssrf: { id: 918, name: "Server-Side Request Forgery (SSRF)" },
+  xxe: {
+    id: 611,
+    name: "Improper Restriction of XML External Entity Reference"
+  },
+  "command-injection": {
+    id: 78,
+    name: "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"
+  },
+  "path-traversal": {
+    id: 22,
+    name: "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"
+  },
+  "open-redirect": {
+    id: 601,
+    name: "URL Redirection to Untrusted Site ('Open Redirect')"
+  },
+  reflection: {
+    id: 200,
+    name: "Exposure of Sensitive Information to an Unauthorized Actor"
+  },
+  "security-misconfiguration": {
+    id: 16,
+    name: "Configuration"
+  },
+  "information-disclosure": {
+    id: 200,
+    name: "Exposure of Sensitive Information to an Unauthorized Actor"
+  },
+  custom: { id: 20, name: "Improper Input Validation" }
+};
+var SEVERITY_WEIGHTS = {
+  critical: 10,
+  high: 7,
+  medium: 4,
+  low: 1,
+  info: 0
+};
+var SECURITY_SEVERITY = {
+  critical: "9.0",
+  high: "7.0",
+  medium: "4.0",
+  low: "2.0",
+  info: "0.0"
+};
+var PASSIVE_CATEGORIES = [
+  {
+    id: "security-headers",
+    label: "Security Headers",
+    icon: "\u{1F512}",
+    color: "#42a5f5",
+    remedy: "Add the recommended security headers to your server configuration. Most web servers and frameworks support these via middleware.",
+    checks: [
+      "Strict-Transport-Security (HSTS)",
+      "Content-Security-Policy (CSP)",
+      "X-Content-Type-Options",
+      "X-Frame-Options",
+      "Referrer-Policy",
+      "Permissions-Policy"
+    ]
+  },
+  {
+    id: "cookie-security",
+    label: "Cookie Security",
+    icon: "\u{1F36A}",
+    color: "#ffab40",
+    remedy: "Set the Secure, HttpOnly, and SameSite attributes on all session cookies. Configure your framework's session middleware accordingly.",
+    checks: ["Secure flag", "HttpOnly flag", "SameSite attribute"]
+  },
+  {
+    id: "information-disclosure",
+    label: "Information Disclosure",
+    icon: "\u{1F50D}",
+    color: "#66bb6a",
+    remedy: "Remove or obfuscate server version headers (Server, X-Powered-By). Disable debug mode in production environments.",
+    checks: ["Server version", "X-Powered-By", "Debug tokens"]
+  },
+  {
+    id: "cors",
+    label: "CORS Configuration",
+    icon: "\u{1F310}",
+    color: "#ce93d8",
+    remedy: "Replace wildcard origins with specific trusted domains. Never combine Access-Control-Allow-Credentials with wildcard origins.",
+    checks: ["Wildcard origin", "Credentials with wildcard"]
+  },
+  {
+    id: "mixed-content",
+    label: "Mixed Content",
+    icon: "\u26A0\uFE0F",
+    color: "#ff8a65",
+    remedy: "Replace all HTTP resource URLs with HTTPS. Use Content-Security-Policy: upgrade-insecure-requests as a fallback.",
+    checks: ["HTTP resources on HTTPS"]
+  }
+];
+function toRuleId(type) {
+  return `VULCN-${type.toUpperCase().replace(/[^A-Z0-9]+/g, "-")}`;
+}
+function fingerprint(f) {
+  return `${f.type}:${f.stepId}:${f.payload.slice(0, 50)}`;
+}
+function detectMethod(f) {
+  return f.metadata?.detectionMethod === "passive" ? "passive" : "active";
+}
+function passiveCat(f) {
+  const method = detectMethod(f);
+  if (method !== "passive") return void 0;
+  return f.metadata?.category || "other";
+}
+function enrichFinding(f) {
+  const cwe = CWE_MAP[f.type] || CWE_MAP.custom;
+  const sev = f.severity;
+  return {
+    // Original fields
+    type: f.type,
+    severity: sev,
+    title: f.title,
+    description: f.description,
+    stepId: f.stepId,
+    payload: f.payload,
+    url: f.url,
+    evidence: f.evidence,
+    metadata: f.metadata,
+    // Enriched
+    ruleId: toRuleId(f.type),
+    cwe,
+    securitySeverity: SECURITY_SEVERITY[sev] || "4.0",
+    fingerprint: fingerprint(f),
+    detectionMethod: detectMethod(f),
+    passiveCategory: passiveCat(f)
+  };
+}
+function buildRules(enriched) {
+  const seen = /* @__PURE__ */ new Map();
+  for (const f of enriched) {
+    if (!seen.has(f.type)) seen.set(f.type, f);
+  }
+  return Array.from(seen.entries()).map(([type, sample]) => ({
+    id: toRuleId(type),
+    type,
+    cwe: sample.cwe,
+    severity: sample.severity,
+    securitySeverity: sample.securitySeverity,
+    description: `Vulcn detected a potential ${type} vulnerability. ${sample.cwe.name}.`
+  }));
+}
+function countSeverities(findings) {
+  const counts = {
+    critical: 0,
+    high: 0,
+    medium: 0,
+    low: 0,
+    info: 0
+  };
+  for (const f of findings) {
+    counts[f.severity] = (counts[f.severity] || 0) + 1;
+  }
+  return counts;
+}
+function assessRisk(counts, total) {
+  const score = counts.critical * SEVERITY_WEIGHTS.critical + counts.high * SEVERITY_WEIGHTS.high + counts.medium * SEVERITY_WEIGHTS.medium + counts.low * SEVERITY_WEIGHTS.low;
+  const maxRisk = total * SEVERITY_WEIGHTS.critical || 1;
+  const percent = Math.min(100, Math.round(score / maxRisk * 100));
+  const label = percent >= 80 ? "Critical" : percent >= 50 ? "High" : percent >= 25 ? "Medium" : percent > 0 ? "Low" : "Clear";
+  return { score, percent, label };
+}
+function buildPassiveAnalysis(passiveFindings) {
+  const grouped = /* @__PURE__ */ new Map();
+  for (const f of passiveFindings) {
+    const cat = f.passiveCategory || "other";
+    if (!grouped.has(cat)) grouped.set(cat, []);
+    grouped.get(cat).push(f);
+  }
+  const categories = PASSIVE_CATEGORIES.map((def) => {
+    const findings = grouped.get(def.id) || [];
+    const issueCount = findings.length;
+    const totalChecks = def.checks.length;
+    const passedChecks = Math.max(0, totalChecks - issueCount);
+    const status = issueCount === 0 ? "pass" : issueCount >= 3 ? "fail" : "warn";
+    return {
+      definition: def,
+      findings,
+      issueCount,
+      passedChecks,
+      totalChecks,
+      status
+    };
+  });
+  return {
+    totalIssues: passiveFindings.length,
+    categories
+  };
+}
+function buildReport(session, result, generatedAt, engineVersion) {
+  const severityOrder = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+    info: 4
+  };
+  const sortedFindings = [...result.findings].sort(
+    (a, b) => (severityOrder[a.severity] ?? 5) - (severityOrder[b.severity] ?? 5)
+  );
+  const findings = sortedFindings.map(enrichFinding);
+  const activeFindings = findings.filter((f) => f.detectionMethod === "active");
+  const passiveFindings = findings.filter(
+    (f) => f.detectionMethod === "passive"
+  );
+  const counts = countSeverities(findings);
+  const risk = assessRisk(counts, findings.length);
+  const rules = buildRules(findings);
+  return {
+    reportVersion: "2.0",
+    engineVersion,
+    generatedAt,
+    session: {
+      name: session.name,
+      driver: session.driver,
+      driverConfig: session.driverConfig,
+      stepsCount: session.steps.length,
+      metadata: session.metadata
+    },
+    stats: {
+      stepsExecuted: result.stepsExecuted,
+      payloadsTested: result.payloadsTested,
+      durationMs: result.duration,
+      errors: result.errors
+    },
+    summary: {
+      totalFindings: findings.length,
+      severityCounts: counts,
+      risk,
+      vulnerabilityTypes: [...new Set(findings.map((f) => f.type))],
+      affectedUrls: [...new Set(findings.map((f) => f.url))]
+    },
+    rules,
+    findings,
+    activeFindings,
+    passiveAnalysis: buildPassiveAnalysis(passiveFindings)
+  };
+}
+function formatDuration(ms) {
+  if (ms < 1e3) return `${ms}ms`;
+  return `${(ms / 1e3).toFixed(1)}s`;
+}
+
 // src/html.ts
 var COLORS = {
   bg: "#0a0a0f",
@@ -39,30 +295,9 @@ function severityColor(severity) {
       return COLORS.textMuted;
   }
 }
-function severityOrder(severity) {
-  switch (severity) {
-    case "critical":
-      return 0;
-    case "high":
-      return 1;
-    case "medium":
-      return 2;
-    case "low":
-      return 3;
-    case "info":
-      return 4;
-    default:
-      return 5;
-  }
-}
 function escapeHtml(str) {
   return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;").replace(/'/g, "&#039;");
 }
-function formatDuration(ms) {
-  if (ms < 1e3) return `${ms}ms`;
-  const seconds = (ms / 1e3).toFixed(1);
-  return `${seconds}s`;
-}
 function formatDate(iso) {
   const d = new Date(iso);
   return d.toLocaleDateString("en-US", {
@@ -89,31 +324,95 @@ var VULCN_LOGO_SVG = `<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 20 20
   <path fill="#dc2626" d="m 13.0058,9.89 c -0.164,1.484 -0.749,2.568 -1.659,3.353 -0.418,0.36 -0.465,0.992 -0.104,1.41 0.36,0.418 0.992,0.465 1.41,0.104 1.266,-1.092 2.112,-2.583 2.341,-4.647 0.061,-0.548 -0.335,-1.043 -0.884,-1.104 -0.548,-0.061 -1.043,0.335 -1.104,0.884 z"/>
   <path fill="url(#lg2)" d="m 14.0058,8.89 c -0.164,1.484 -0.749,2.568 -1.659,3.353 -0.418,0.36 -0.465,0.992 -0.104,1.41 0.36,0.418 0.992,0.465 1.41,0.104 1.266,-1.092 2.112,-2.583 2.341,-4.647 0.061,-0.548 -0.335,-1.043 -0.884,-1.104 -0.548,-0.061 -1.043,0.335 -1.104,0.884 z"/>
 </svg>`;
-function generateHtml(data) {
-  const { session, result, generatedAt, engineVersion } = data;
-  const findings = [...result.findings].sort(
-    (a, b) => severityOrder(a.severity) - severityOrder(b.severity)
-  );
-  const counts = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    info: 0
-  };
-  for (const f of findings) {
-    counts[f.severity] = (counts[f.severity] || 0) + 1;
+function renderPassiveSection(analysis) {
+  if (analysis.totalIssues === 0) {
+    return `
+    <div class="passive-section animate-in-delay-3">
+      <div class="section-header">
+        <h3>\u{1F6E1}\uFE0F Passive Security Analysis</h3>
+        <span class="findings-count">All clear</span>
+      </div>
+      <div class="passive-clear">
+        <div class="icon">\u2705</div>
+        <h4>All Passive Checks Passed</h4>
+        <p>No security header, cookie, CORS, or information disclosure issues detected.</p>
+      </div>
+    </div>`;
   }
-  const totalFindings = findings.length;
+  const categoryCards = analysis.categories.map((cat) => {
+    const statusColor = cat.status === "pass" ? COLORS.success : cat.status === "fail" ? COLORS.high : COLORS.medium;
+    return `
+      <div class="passive-category-card">
+        <div class="passive-cat-header">
+          <div class="passive-cat-icon">${cat.definition.icon}</div>
+          <div class="passive-cat-info">
+            <div class="passive-cat-title">${cat.definition.label}</div>
+            <div class="passive-cat-count" style="color: ${statusColor}">
+              ${cat.issueCount === 0 ? "\u2713 All clear" : `${cat.issueCount} issue${cat.issueCount !== 1 ? "s" : ""}`}
+            </div>
+          </div>
+          <div class="passive-cat-badge" style="background: ${statusColor}20; color: ${statusColor}; border-color: ${statusColor}30">
+            ${cat.status.toUpperCase()}
+          </div>
+        </div>
+        ${cat.findings.length > 0 ? `
+        <div class="passive-cat-findings">
+          ${cat.findings.map(
+      (f) => `
+            <div class="passive-finding-row">
+              <div class="passive-finding-dot" style="background: ${severityColor(f.severity)}"></div>
+              <div class="passive-finding-content">
+                <div class="passive-finding-title">${escapeHtml(f.title)}</div>
+                <div class="passive-finding-desc">${escapeHtml(f.description)}</div>
+                ${f.evidence ? `<div class="passive-finding-evidence">${escapeHtml(f.evidence)}</div>` : ""}
+              </div>
+              <span class="passive-sev-tag" style="color: ${severityColor(f.severity)}">${f.severity.toUpperCase()}</span>
+            </div>
+          `
+    ).join("")}
+        </div>
+        <div class="passive-remedy">
+          <span class="passive-remedy-label">\u{1F4A1} Remediation</span>
+          <span>${cat.definition.remedy}</span>
+        </div>
+        ` : `
+        <div class="passive-checks-passed">
+          ${cat.definition.checks.map(
+      (check) => `
+            <div class="passive-check-item">
+              <span class="passive-check-icon">\u2713</span>
+              <span>${check}</span>
+            </div>
+          `
+    ).join("")}
+        </div>
+        `}
+      </div>`;
+  }).join("");
+  return `
+    <div class="passive-section animate-in-delay-3">
+      <div class="section-header">
+        <h3>\u{1F6E1}\uFE0F Passive Security Analysis</h3>
+        <span class="findings-count">${analysis.totalIssues} issue${analysis.totalIssues !== 1 ? "s" : ""}</span>
+      </div>
+      <div class="passive-grid">
+        ${categoryCards}
+      </div>
+    </div>`;
+}
+function generateHtml(report) {
+  const { summary, stats, session, passiveAnalysis, activeFindings, findings } = report;
+  const {
+    severityCounts: counts,
+    risk,
+    totalFindings,
+    affectedUrls,
+    vulnerabilityTypes: vulnTypes
+  } = summary;
+  const { stepsExecuted, payloadsTested, durationMs, errors } = stats;
   const hasFindings = totalFindings > 0;
-  const riskScore = counts.critical * 10 + counts.high * 7 + counts.medium * 4 + counts.low * 1;
-  const maxRisk = totalFindings * 10 || 1;
-  const riskPercent = Math.min(100, Math.round(riskScore / maxRisk * 100));
-  const riskLabel = riskPercent >= 80 ? "Critical" : riskPercent >= 50 ? "High" : riskPercent >= 25 ? "Medium" : riskPercent > 0 ? "Low" : "Clear";
-  const riskColor = riskPercent >= 80 ? COLORS.critical : riskPercent >= 50 ? COLORS.high : riskPercent >= 25 ? COLORS.medium : riskPercent > 0 ? COLORS.low : COLORS.success;
+  const riskColor = risk.percent >= 80 ? COLORS.critical : risk.percent >= 50 ? COLORS.high : risk.percent >= 25 ? COLORS.medium : risk.percent > 0 ? COLORS.low : COLORS.success;
   const donutSvg = generateDonut(counts, totalFindings);
-  const affectedUrls = [...new Set(findings.map((f) => f.url))];
-  const vulnTypes = [...new Set(findings.map((f) => f.type))];
   return `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -605,6 +904,180 @@ function generateHtml(data) {
     .no-findings h3 { font-size: 20px; font-weight: 700; color: ${COLORS.success}; margin-bottom: 8px; }
     .no-findings p { font-size: 14px; color: var(--text-muted); }
 
+    /* \u2500\u2500 Passive Security Analysis \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 */
+    .passive-section { margin-bottom: 32px; }
+
+    .section-header {
+      display: flex;
+      align-items: center;
+      justify-content: space-between;
+      margin-bottom: 16px;
+    }
+
+    .section-header h3 {
+      font-size: 18px;
+      font-weight: 700;
+      letter-spacing: -0.01em;
+    }
+
+    .passive-grid {
+      display: grid;
+      grid-template-columns: repeat(auto-fit, minmax(320px, 1fr));
+      gap: 12px;
+    }
+
+    .passive-category-card {
+      background: var(--surface);
+      border: 1px solid var(--border);
+      border-radius: var(--radius);
+      overflow: hidden;
+      transition: border-color 0.2s;
+    }
+
+    .passive-category-card:hover { border-color: var(--border-active); }
+
+    .passive-cat-header {
+      display: flex;
+      align-items: center;
+      gap: 12px;
+      padding: 16px 20px;
+      border-bottom: 1px solid var(--border);
+    }
+
+    .passive-cat-icon {
+      font-size: 20px;
+      width: 36px;
+      height: 36px;
+      display: flex;
+      align-items: center;
+      justify-content: center;
+      background: rgba(255,255,255,0.03);
+      border-radius: var(--radius-xs);
+      flex-shrink: 0;
+    }
+
+    .passive-cat-info { flex: 1; min-width: 0; }
+
+    .passive-cat-title {
+      font-size: 14px;
+      font-weight: 600;
+      letter-spacing: -0.01em;
+    }
+
+    .passive-cat-count {
+      font-size: 12px;
+      font-weight: 500;
+    }
+
+    .passive-cat-badge {
+      font-size: 10px;
+      font-weight: 700;
+      letter-spacing: 0.05em;
+      padding: 3px 8px;
+      border-radius: 100px;
+      border: 1px solid;
+      flex-shrink: 0;
+    }
+
+    .passive-cat-findings {
+      padding: 12px 20px;
+    }
+
+    .passive-finding-row {
+      display: flex;
+      align-items: flex-start;
+      gap: 10px;
+      padding: 8px 0;
+      border-bottom: 1px solid rgba(255,255,255,0.03);
+    }
+
+    .passive-finding-row:last-child { border-bottom: none; }
+
+    .passive-finding-dot {
+      width: 6px;
+      height: 6px;
+      border-radius: 50%;
+      flex-shrink: 0;
+      margin-top: 7px;
+    }
+
+    .passive-finding-content { flex: 1; min-width: 0; }
+
+    .passive-finding-title {
+      font-size: 13px;
+      font-weight: 500;
+      margin-bottom: 2px;
+    }
+
+    .passive-finding-desc {
+      font-size: 12px;
+      color: var(--text-muted);
+      line-height: 1.4;
+    }
+
+    .passive-finding-evidence {
+      font-family: 'JetBrains Mono', monospace;
+      font-size: 11px;
+      color: var(--text-dim);
+      margin-top: 4px;
+      padding: 4px 8px;
+      background: rgba(255,255,255,0.02);
+      border-radius: 4px;
+    }
+
+    .passive-sev-tag {
+      font-size: 10px;
+      font-weight: 700;
+      letter-spacing: 0.04em;
+      flex-shrink: 0;
+      margin-top: 2px;
+    }
+
+    .passive-remedy {
+      padding: 12px 20px;
+      background: rgba(66, 165, 245, 0.04);
+      border-top: 1px solid rgba(66, 165, 245, 0.08);
+      font-size: 12px;
+      color: var(--text-muted);
+      line-height: 1.5;
+    }
+
+    .passive-remedy-label {
+      font-weight: 600;
+      margin-right: 6px;
+    }
+
+    .passive-checks-passed {
+      padding: 12px 20px;
+    }
+
+    .passive-check-item {
+      display: flex;
+      align-items: center;
+      gap: 8px;
+      padding: 4px 0;
+      font-size: 12px;
+      color: var(--text-muted);
+    }
+
+    .passive-check-icon {
+      color: ${COLORS.success};
+      font-weight: 700;
+      font-size: 11px;
+    }
+
+    .passive-clear {
+      text-align: center;
+      padding: 40px 24px;
+      background: var(--surface);
+      border: 1px solid var(--border);
+      border-radius: var(--radius);
+    }
+
+    .passive-clear .icon { font-size: 36px; margin-bottom: 12px; }
+    .passive-clear h4 { font-size: 16px; font-weight: 600; color: ${COLORS.success}; margin-bottom: 6px; }
+    .passive-clear p { font-size: 13px; color: var(--text-muted); }
+
     /* Errors section */
     .errors-section {
       margin-bottom: 32px;
@@ -669,6 +1142,7 @@ function generateHtml(data) {
       body::before { display: none; }
       .finding-details { display: block !important; padding-top: 12px !important; }
       .finding-card { page-break-inside: avoid; }
+      .passive-category-card { page-break-inside: avoid; }
     }
   </style>
 </head>
@@ -684,8 +1158,8 @@ function generateHtml(data) {
         </div>
       </div>
       <div class="header-meta">
-        <div>${formatDate(generatedAt)}</div>
-        <div>Engine v${escapeHtml(engineVersion)}</div>
+        <div>${formatDate(report.generatedAt)}</div>
+        <div>Engine v${escapeHtml(report.engineVersion)}</div>
       </div>
     </div>
 
@@ -700,11 +1174,11 @@ function generateHtml(data) {
         ${session.driverConfig?.startUrl ? `<div class="meta-item"><span class="meta-label">Target URL</span><span class="meta-value">${escapeHtml(String(session.driverConfig.startUrl))}</span></div>` : ""}
         <div class="meta-item">
           <span class="meta-label">Duration</span>
-          <span class="meta-value">${formatDuration(result.duration)}</span>
+          <span class="meta-value">${formatDuration(durationMs)}</span>
         </div>
         <div class="meta-item">
           <span class="meta-label">Generated</span>
-          <span class="meta-value">${formatDate(generatedAt)}</span>
+          <span class="meta-value">${formatDate(report.generatedAt)}</span>
         </div>
       </div>
     </div>
@@ -717,13 +1191,13 @@ function generateHtml(data) {
           <svg viewBox="0 0 160 160" width="160" height="160">
             <circle cx="80" cy="80" r="68" fill="none" stroke="rgba(255,255,255,0.04)" stroke-width="10"/>
             <circle cx="80" cy="80" r="68" fill="none" stroke="${riskColor}" stroke-width="10"
-              stroke-dasharray="${riskPercent / 100 * 427} 427"
+              stroke-dasharray="${risk.percent / 100 * 427} 427"
               stroke-linecap="round"
               style="filter: drop-shadow(0 0 6px ${riskColor});"/>
           </svg>
           <div class="risk-gauge-label">
-            <div class="score" style="color: ${riskColor}">${hasFindings ? riskPercent : 0}</div>
-            <div class="label">${riskLabel}</div>
+            <div class="score" style="color: ${riskColor}">${hasFindings ? risk.percent : 0}</div>
+            <div class="label">${risk.label}</div>
           </div>
         </div>
       </div>
@@ -736,11 +1210,11 @@ function generateHtml(data) {
             <div class="stat-label">Findings</div>
           </div>
           <div class="stat-box">
-            <div class="stat-number">${result.payloadsTested}</div>
+            <div class="stat-number">${payloadsTested}</div>
             <div class="stat-label">Payloads Tested</div>
           </div>
           <div class="stat-box">
-            <div class="stat-number">${result.stepsExecuted}</div>
+            <div class="stat-number">${stepsExecuted}</div>
             <div class="stat-label">Steps Executed</div>
           </div>
           <div class="stat-box">
@@ -768,14 +1242,17 @@ function generateHtml(data) {
       </div>
     </div>
 
-    <!-- Findings -->
+    <!-- Passive Security Analysis -->
+    ${renderPassiveSection(passiveAnalysis)}
+
+    <!-- Active Findings -->
     <div class="findings-section animate-in-delay-3">
       <div class="findings-header">
-        <h3>Findings</h3>
-        <span class="findings-count">${totalFindings} total</span>
+        <h3>\u{1F3AF} Active Scan Findings</h3>
+        <span class="findings-count">${activeFindings.length} finding${activeFindings.length !== 1 ? "s" : ""}</span>
       </div>
 
-      ${hasFindings ? findings.map(
+      ${activeFindings.length > 0 ? activeFindings.map(
     (f, i) => `
         <div class="finding-card" onclick="this.classList.toggle('open')">
           <div class="finding-header">
@@ -821,16 +1298,16 @@ function generateHtml(data) {
   ).join("") : `
         <div class="no-findings">
           <div class="icon">\u{1F6E1}\uFE0F</div>
-          <h3>No Vulnerabilities Detected</h3>
-          <p>${result.payloadsTested} payloads were tested across ${result.stepsExecuted} steps with no findings.</p>
+          <h3>No Active Vulnerabilities Detected</h3>
+          <p>${payloadsTested} payloads were tested across ${stepsExecuted} steps with no findings.</p>
         </div>
       `}
     </div>
 
-    ${result.errors.length > 0 ? `
+    ${errors.length > 0 ? `
     <div class="errors-section">
-      <h3>\u26A0\uFE0F Errors During Execution (${result.errors.length})</h3>
-      ${result.errors.map((e) => `<div class="error-item">${escapeHtml(e)}</div>`).join("")}
+      <h3>\u26A0\uFE0F Errors During Execution (${errors.length})</h3>
+      ${errors.map((e) => `<div class="error-item">${escapeHtml(e)}</div>`).join("")}
     </div>
     ` : ""}
 
@@ -865,67 +1342,231 @@ function generateDonut(counts, total) {
 }
 
 // src/json.ts
-function formatDuration2(ms) {
-  if (ms < 1e3) return `${ms}ms`;
-  return `${(ms / 1e3).toFixed(1)}s`;
-}
-function generateJson(session, result, generatedAt, engineVersion) {
-  const counts = {
-    critical: 0,
-    high: 0,
-    medium: 0,
-    low: 0,
-    info: 0
-  };
-  for (const f of result.findings) {
-    counts[f.severity] = (counts[f.severity] || 0) + 1;
-  }
-  const riskScore = counts.critical * 10 + counts.high * 7 + counts.medium * 4 + counts.low * 1;
+function generateJson(report) {
   return {
     vulcn: {
-      version: engineVersion,
-      reportVersion: "1.0",
-      generatedAt
-    },
-    session: {
-      name: session.name,
-      driver: session.driver,
-      driverConfig: session.driverConfig,
-      stepsCount: session.steps.length,
-      metadata: session.metadata
+      version: report.engineVersion,
+      reportVersion: report.reportVersion,
+      generatedAt: report.generatedAt
     },
+    session: report.session,
     execution: {
-      stepsExecuted: result.stepsExecuted,
-      payloadsTested: result.payloadsTested,
-      durationMs: result.duration,
-      durationFormatted: formatDuration2(result.duration),
-      errors: result.errors
+      stepsExecuted: report.stats.stepsExecuted,
+      payloadsTested: report.stats.payloadsTested,
+      durationMs: report.stats.durationMs,
+      durationFormatted: formatDuration(report.stats.durationMs),
+      errors: report.stats.errors
     },
     summary: {
-      totalFindings: result.findings.length,
-      riskScore,
-      severityCounts: counts,
-      vulnerabilityTypes: [...new Set(result.findings.map((f) => f.type))],
-      affectedUrls: [...new Set(result.findings.map((f) => f.url))]
+      totalFindings: report.summary.totalFindings,
+      riskScore: report.summary.risk.score,
+      riskLabel: report.summary.risk.label,
+      severityCounts: report.summary.severityCounts,
+      vulnerabilityTypes: report.summary.vulnerabilityTypes,
+      affectedUrls: report.summary.affectedUrls
     },
-    findings: result.findings
+    findings: report.findings,
+    passiveAnalysis: {
+      totalIssues: report.passiveAnalysis.totalIssues,
+      categories: report.passiveAnalysis.categories.map((c) => ({
+        id: c.definition.id,
+        label: c.definition.label,
+        status: c.status,
+        issueCount: c.issueCount,
+        passedChecks: c.passedChecks,
+        totalChecks: c.totalChecks,
+        remedy: c.definition.remedy
+      }))
+    },
+    rules: report.rules
   };
 }
 
 // src/yaml.ts
 import { stringify } from "yaml";
-function generateYaml(session, result, generatedAt, engineVersion) {
-  const report = generateJson(session, result, generatedAt, engineVersion);
+function generateYaml(report) {
+  const jsonReport = generateJson(report);
   const header = [
     "# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
     "# Vulcn Security Report",
-    `# Generated: ${generatedAt}`,
-    `# Session: ${session.name}`,
-    `# Findings: ${result.findings.length}`,
+    `# Generated: ${report.generatedAt}`,
+    `# Session: ${report.session.name}`,
+    `# Findings: ${report.summary.totalFindings}`,
     "# \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500",
     ""
   ].join("\n");
-  return header + stringify(report, { indent: 2 });
+  return header + stringify(jsonReport, { indent: 2 });
+}
+
+// src/sarif.ts
+function toSarifLevel(severity) {
+  switch (severity) {
+    case "critical":
+    case "high":
+      return "error";
+    case "medium":
+      return "warning";
+    case "low":
+    case "info":
+      return "note";
+    default:
+      return "warning";
+  }
+}
+function toPrecision(severity) {
+  switch (severity) {
+    case "critical":
+      return "very-high";
+    case "high":
+      return "high";
+    case "medium":
+      return "medium";
+    case "low":
+    case "info":
+      return "low";
+    default:
+      return "medium";
+  }
+}
+function toSarifRule(rule) {
+  return {
+    id: rule.id,
+    name: rule.type,
+    shortDescription: {
+      text: `${rule.cwe.name} (CWE-${rule.cwe.id})`
+    },
+    fullDescription: {
+      text: rule.description
+    },
+    helpUri: `https://cwe.mitre.org/data/definitions/${rule.cwe.id}.html`,
+    help: {
+      text: `## ${rule.cwe.name}
+
+CWE-${rule.cwe.id}: ${rule.cwe.name}
+
+This rule detects ${rule.type} vulnerabilities by injecting security payloads into form inputs and analyzing the application's response for signs of exploitation.
+
+### Remediation
+
+See https://cwe.mitre.org/data/definitions/${rule.cwe.id}.html for detailed remediation guidance.`,
+      markdown: `## ${rule.cwe.name}
+
+**CWE-${rule.cwe.id}**: ${rule.cwe.name}
+
+This rule detects \`${rule.type}\` vulnerabilities by injecting security payloads into form inputs and analyzing the application's response for signs of exploitation.
+
+### Remediation
+
+See [CWE-${rule.cwe.id}](https://cwe.mitre.org/data/definitions/${rule.cwe.id}.html) for detailed remediation guidance.`
+    },
+    properties: {
+      tags: [
+        "security",
+        `CWE-${rule.cwe.id}`,
+        `external/cwe/cwe-${rule.cwe.id}`
+      ],
+      precision: toPrecision(rule.severity),
+      "security-severity": rule.securitySeverity
+    },
+    defaultConfiguration: {
+      level: toSarifLevel(rule.severity)
+    }
+  };
+}
+function toSarifResult(finding, sarifRules) {
+  const ruleIndex = sarifRules.findIndex((r) => r.id === finding.ruleId);
+  let messageText = `${finding.title}
+
+${finding.description}`;
+  if (finding.evidence) {
+    messageText += `
+
+Evidence: ${finding.evidence}`;
+  }
+  messageText += `
+
+Payload: ${finding.payload}`;
+  return {
+    ruleId: finding.ruleId,
+    ruleIndex: Math.max(ruleIndex, 0),
+    level: toSarifLevel(finding.severity),
+    message: { text: messageText },
+    locations: [
+      {
+        physicalLocation: {
+          artifactLocation: {
+            uri: finding.url || "unknown"
+          },
+          region: {
+            startLine: 1
+          }
+        },
+        logicalLocations: [
+          {
+            name: finding.stepId,
+            kind: "test-step"
+          }
+        ]
+      }
+    ],
+    fingerprints: {
+      vulcnFindingV1: finding.fingerprint
+    },
+    partialFingerprints: {
+      vulcnType: finding.type,
+      vulcnStepId: finding.stepId
+    },
+    properties: {
+      severity: finding.severity,
+      payload: finding.payload,
+      stepId: finding.stepId,
+      detectionMethod: finding.detectionMethod,
+      ...finding.evidence ? { evidence: finding.evidence } : {},
+      ...finding.passiveCategory ? { passiveCategory: finding.passiveCategory } : {}
+    }
+  };
+}
+function generateSarif(report) {
+  const sarifRules = report.rules.map(toSarifRule);
+  const results = report.findings.map((f) => toSarifResult(f, sarifRules));
+  const artifacts = report.summary.affectedUrls.map((url) => ({
+    location: { uri: url }
+  }));
+  const startDate = new Date(report.generatedAt);
+  const endDate = new Date(startDate.getTime() + report.stats.durationMs);
+  return {
+    $schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json",
+    version: "2.1.0",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "Vulcn",
+            version: report.engineVersion,
+            semanticVersion: report.engineVersion,
+            informationUri: "https://vulcn.dev",
+            rules: sarifRules
+          }
+        },
+        results,
+        invocations: [
+          {
+            executionSuccessful: report.stats.errors.length === 0,
+            startTimeUtc: report.generatedAt,
+            endTimeUtc: endDate.toISOString(),
+            properties: {
+              sessionName: report.session.name,
+              stepsExecuted: report.stats.stepsExecuted,
+              payloadsTested: report.stats.payloadsTested,
+              durationMs: report.stats.durationMs,
+              ...report.stats.errors.length > 0 ? { errors: report.stats.errors } : {}
+            }
+          }
+        ],
+        ...artifacts.length > 0 ? { artifacts } : {}
+      }
+    ]
+  };
 }
 
 // src/index.ts
@@ -935,10 +1576,11 @@ var configSchema = z.object({
    * - "html":  Beautiful dark-themed HTML report
    * - "json":  Machine-readable structured JSON
    * - "yaml":  Human-readable YAML
-   * - "all":   Generate all three formats
+   * - "sarif": SARIF v2.1.0 for GitHub Code Scanning
+   * - "all":   Generate all formats
    * @default "html"
    */
-  format: z.enum(["html", "json", "yaml", "all"]).default("html"),
+  format: z.enum(["html", "json", "yaml", "sarif", "all"]).default("html"),
   /**
    * Output directory for report files
    * @default "."
@@ -956,14 +1598,14 @@ var configSchema = z.object({
   open: z.boolean().default(false)
 });
 function getFormats(format) {
-  if (format === "all") return ["html", "json", "yaml"];
+  if (format === "all") return ["html", "json", "yaml", "sarif"];
   return [format];
 }
 var plugin = {
   name: "@vulcn/plugin-report",
   version: "0.1.0",
   apiVersion: 1,
-  description: "Report generation plugin \u2014 generates beautiful HTML, JSON, and YAML security reports",
+  description: "Report generation plugin \u2014 generates HTML, JSON, YAML, and SARIF security reports",
   configSchema,
   hooks: {
     onInit: async (ctx) => {
@@ -973,13 +1615,20 @@ var plugin = {
       );
     },
     /**
-     * Generate report(s) after run completes
+     * Generate report(s) after run completes.
+     *
+     * Architecture: RunResult + Session → buildReport() → VulcnReport
+     * Each output format is a pure projection of the canonical model.
      */
     onRunEnd: async (result, ctx) => {
       const config = configSchema.parse(ctx.config);
       const formats = getFormats(config.format);
-      const generatedAt = (/* @__PURE__ */ new Date()).toISOString();
-      const engineVersion = ctx.engine.version;
+      const report = buildReport(
+        ctx.session,
+        result,
+        (/* @__PURE__ */ new Date()).toISOString(),
+        ctx.engine.version
+      );
       const outDir = resolve(config.outputDir);
       await mkdir(outDir, { recursive: true });
       const basePath = resolve(outDir, config.filename);
@@ -988,13 +1637,7 @@ var plugin = {
         try {
           switch (fmt) {
             case "html": {
-              const htmlData = {
-                session: ctx.session,
-                result,
-                generatedAt,
-                engineVersion
-              };
-              const html = generateHtml(htmlData);
+              const html = generateHtml(report);
               const htmlPath = `${basePath}.html`;
               await writeFile(htmlPath, html, "utf-8");
               writtenFiles.push(htmlPath);
@@ -1002,12 +1645,7 @@ var plugin = {
               break;
             }
             case "json": {
-              const jsonReport = generateJson(
-                ctx.session,
-                result,
-                generatedAt,
-                engineVersion
-              );
+              const jsonReport = generateJson(report);
               const jsonPath = `${basePath}.json`;
               await writeFile(
                 jsonPath,
@@ -1019,18 +1657,25 @@ var plugin = {
               break;
             }
             case "yaml": {
-              const yamlContent = generateYaml(
-                ctx.session,
-                result,
-                generatedAt,
-                engineVersion
-              );
+              const yamlContent = generateYaml(report);
               const yamlPath = `${basePath}.yml`;
               await writeFile(yamlPath, yamlContent, "utf-8");
               writtenFiles.push(yamlPath);
               ctx.logger.info(`\u{1F4C4} YAML report: ${yamlPath}`);
               break;
             }
+            case "sarif": {
+              const sarifReport = generateSarif(report);
+              const sarifPath = `${basePath}.sarif`;
+              await writeFile(
+                sarifPath,
+                JSON.stringify(sarifReport, null, 2),
+                "utf-8"
+              );
+              writtenFiles.push(sarifPath);
+              ctx.logger.info(`\u{1F4C4} SARIF report: ${sarifPath}`);
+              break;
+            }
           }
         } catch (err) {
           ctx.logger.error(
@@ -1053,10 +1698,12 @@ var plugin = {
 };
 var index_default = plugin;
 export {
+  buildReport,
   configSchema,
   index_default as default,
   generateHtml,
   generateJson,
+  generateSarif,
   generateYaml
 };
 //# sourceMappingURL=index.js.map