@vyuhlabs/dxkit 2.9.0 → 2.9.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +91 -0
- package/README.md +3 -2
- package/dist/allowlist/cli.d.ts +38 -1
- package/dist/allowlist/cli.d.ts.map +1 -1
- package/dist/allowlist/cli.js +190 -3
- package/dist/allowlist/cli.js.map +1 -1
- package/dist/allowlist/file.d.ts +18 -0
- package/dist/allowlist/file.d.ts.map +1 -1
- package/dist/allowlist/file.js +10 -1
- package/dist/allowlist/file.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +6 -0
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +41 -0
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +8 -1
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +10 -1
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts +12 -0
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +60 -4
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +42 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +83 -2
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js +9 -0
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/types.d.ts +7 -0
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +23 -4
- package/dist/cli.js.map +1 -1
- package/dist/doctor.d.ts.map +1 -1
- package/dist/doctor.js +55 -0
- package/dist/doctor.js.map +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +7 -1
- package/dist/generator.js.map +1 -1
- package/dist/ingest/env-file.d.ts +40 -0
- package/dist/ingest/env-file.d.ts.map +1 -0
- package/dist/ingest/env-file.js +163 -0
- package/dist/ingest/env-file.js.map +1 -0
- package/dist/ingest/sarif.d.ts.map +1 -1
- package/dist/ingest/sarif.js +22 -0
- package/dist/ingest/sarif.js.map +1 -1
- package/dist/ingest/snyk-policy.d.ts +60 -0
- package/dist/ingest/snyk-policy.d.ts.map +1 -0
- package/dist/ingest/snyk-policy.js +104 -0
- package/dist/ingest/snyk-policy.js.map +1 -0
- package/dist/ingest-cli.d.ts +4 -0
- package/dist/ingest-cli.d.ts.map +1 -1
- package/dist/ingest-cli.js +23 -4
- package/dist/ingest-cli.js.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +5 -3
- package/templates/.claude/skills/dxkit-allowlist/SKILL.md +107 -0
- package/templates/.claude/skills/dxkit-config/SKILL.md +4 -4
- package/templates/.claude/skills/dxkit-fix/SKILL.md +1 -1
- package/templates/.claude/skills/dxkit-ingest/SKILL.md +2 -0
|
@@ -0,0 +1,40 @@
|
|
|
1
|
+
/** Prefix that gates which keys may be lifted from the file. Nothing
|
|
2
|
+
* outside this prefix is ever read into the environment. */
|
|
3
|
+
export declare const SNYK_ENV_PREFIX = "SNYK_";
|
|
4
|
+
export interface SnykEnvLoadOptions {
|
|
5
|
+
/** Skip `.env` loading entirely (`--no-env-file`). */
|
|
6
|
+
readonly noEnvFile?: boolean;
|
|
7
|
+
/** Explicit path override (`--env-file <path>`). Relative paths
|
|
8
|
+
* resolve against `cwd`. When set and the file is missing, that's
|
|
9
|
+
* a surfaced warning (the user asked for a specific file). */
|
|
10
|
+
readonly envFile?: string;
|
|
11
|
+
}
|
|
12
|
+
export interface SnykEnvLoadResult {
|
|
13
|
+
/** Absolute path of the file that was read. */
|
|
14
|
+
readonly path: string;
|
|
15
|
+
/** `SNYK_*` keys lifted into `process.env` (only those that weren't
|
|
16
|
+
* already set). Empty when the file had none or they were all
|
|
17
|
+
* already present in the environment. */
|
|
18
|
+
readonly loadedKeys: ReadonlyArray<string>;
|
|
19
|
+
/** Advisory messages for the caller to surface (e.g. the file looks
|
|
20
|
+
* committed to git). Never fatal. */
|
|
21
|
+
readonly warnings: ReadonlyArray<string>;
|
|
22
|
+
}
|
|
23
|
+
/**
|
|
24
|
+
* Parse a `.env`-style file body into key/value pairs, keeping ONLY
|
|
25
|
+
* keys that start with `SNYK_`. Tolerant of the common shapes:
|
|
26
|
+
* blank lines, `#` comments, an optional `export ` prefix, and
|
|
27
|
+
* single/double-quoted values. No variable interpolation — values are
|
|
28
|
+
* taken literally (after unquoting), which is correct for opaque
|
|
29
|
+
* tokens and ids.
|
|
30
|
+
*/
|
|
31
|
+
export declare function parseSnykEnv(body: string): Record<string, string>;
|
|
32
|
+
/**
|
|
33
|
+
* Lift `SNYK_*` keys from the cwd's `.env` (or `--env-file`) into
|
|
34
|
+
* `process.env`, unless `--no-env-file` is set or no file exists.
|
|
35
|
+
* Real environment values are never overwritten. Returns `null` when
|
|
36
|
+
* nothing was attempted (disabled, or no file present and none
|
|
37
|
+
* explicitly requested); otherwise a result describing what happened.
|
|
38
|
+
*/
|
|
39
|
+
export declare function loadSnykEnv(cwd: string, opts?: SnykEnvLoadOptions): SnykEnvLoadResult | null;
|
|
40
|
+
//# sourceMappingURL=env-file.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"env-file.d.ts","sourceRoot":"","sources":["../../src/ingest/env-file.ts"],"names":[],"mappings":"AAyBA;6DAC6D;AAC7D,eAAO,MAAM,eAAe,UAAU,CAAC;AAEvC,MAAM,WAAW,kBAAkB;IACjC,sDAAsD;IACtD,QAAQ,CAAC,SAAS,CAAC,EAAE,OAAO,CAAC;IAC7B;;mEAE+D;IAC/D,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;CAC3B;AAED,MAAM,WAAW,iBAAiB;IAChC,+CAA+C;IAC/C,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB;;8CAE0C;IAC1C,QAAQ,CAAC,UAAU,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;IAC3C;0CACsC;IACtC,QAAQ,CAAC,QAAQ,EAAE,aAAa,CAAC,MAAM,CAAC,CAAC;CAC1C;AAED;;;;;;;GAOG;AACH,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAYjE;AAcD;;;;;;GAMG;AACH,wBAAgB,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,GAAE,kBAAuB,GAAG,iBAAiB,GAAG,IAAI,CA6ChG"}
|
|
@@ -0,0 +1,163 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
36
|
+
exports.SNYK_ENV_PREFIX = void 0;
|
|
37
|
+
exports.parseSnykEnv = parseSnykEnv;
|
|
38
|
+
exports.loadSnykEnv = loadSnykEnv;
|
|
39
|
+
/**
|
|
40
|
+
* Opt-in `.env` loading for Snyk credentials — scoped strictly to the
|
|
41
|
+
* `SNYK_*` prefix.
|
|
42
|
+
*
|
|
43
|
+
* dxkit deliberately does NOT auto-load a whole `.env` into
|
|
44
|
+
* `process.env` (pulling a developer's entire secrets file — GitHub
|
|
45
|
+
* tokens, database URLs, unrelated API keys — into the process is a
|
|
46
|
+
* footgun). But a local developer who keeps their Snyk token in `.env`
|
|
47
|
+
* shouldn't have to re-`export` it before every `ingest --from-snyk`.
|
|
48
|
+
*
|
|
49
|
+
* The compromise: read the cwd's `.env` (or an explicit `--env-file`
|
|
50
|
+
* path), parse it, and lift ONLY keys beginning with `SNYK_` into the
|
|
51
|
+
* environment — and only when they aren't already set, so a real
|
|
52
|
+
* exported env / CI Actions secret always wins. CI, which sets the
|
|
53
|
+
* token via the environment and has no `.env`, is a no-op.
|
|
54
|
+
*
|
|
55
|
+
* This module is pure data-in/data-out: it mutates `process.env` for
|
|
56
|
+
* the lifted keys and returns a structured result (the keys it set +
|
|
57
|
+
* any advisory warnings). The CLI renders the one-line notice + the
|
|
58
|
+
* warnings; the module logs nothing itself, which keeps it testable.
|
|
59
|
+
*/
|
|
60
|
+
const fs = __importStar(require("fs"));
|
|
61
|
+
const path = __importStar(require("path"));
|
|
62
|
+
const child_process_1 = require("child_process");
|
|
63
|
+
/** Prefix that gates which keys may be lifted from the file. Nothing
|
|
64
|
+
* outside this prefix is ever read into the environment. */
|
|
65
|
+
exports.SNYK_ENV_PREFIX = 'SNYK_';
|
|
66
|
+
/**
|
|
67
|
+
* Parse a `.env`-style file body into key/value pairs, keeping ONLY
|
|
68
|
+
* keys that start with `SNYK_`. Tolerant of the common shapes:
|
|
69
|
+
* blank lines, `#` comments, an optional `export ` prefix, and
|
|
70
|
+
* single/double-quoted values. No variable interpolation — values are
|
|
71
|
+
* taken literally (after unquoting), which is correct for opaque
|
|
72
|
+
* tokens and ids.
|
|
73
|
+
*/
|
|
74
|
+
function parseSnykEnv(body) {
|
|
75
|
+
const out = {};
|
|
76
|
+
for (const rawLine of body.split(/\r?\n/)) {
|
|
77
|
+
const line = rawLine.trim();
|
|
78
|
+
if (!line || line.startsWith('#'))
|
|
79
|
+
continue;
|
|
80
|
+
const m = line.match(/^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/);
|
|
81
|
+
if (!m)
|
|
82
|
+
continue;
|
|
83
|
+
const key = m[1];
|
|
84
|
+
if (!key.startsWith(exports.SNYK_ENV_PREFIX))
|
|
85
|
+
continue;
|
|
86
|
+
out[key] = unquote(m[2]);
|
|
87
|
+
}
|
|
88
|
+
return out;
|
|
89
|
+
}
|
|
90
|
+
function unquote(value) {
|
|
91
|
+
const v = value.trim();
|
|
92
|
+
if (v.length >= 2) {
|
|
93
|
+
const first = v[0];
|
|
94
|
+
const last = v[v.length - 1];
|
|
95
|
+
if ((first === '"' && last === '"') || (first === "'" && last === "'")) {
|
|
96
|
+
return v.slice(1, -1);
|
|
97
|
+
}
|
|
98
|
+
}
|
|
99
|
+
return v;
|
|
100
|
+
}
|
|
101
|
+
/**
|
|
102
|
+
* Lift `SNYK_*` keys from the cwd's `.env` (or `--env-file`) into
|
|
103
|
+
* `process.env`, unless `--no-env-file` is set or no file exists.
|
|
104
|
+
* Real environment values are never overwritten. Returns `null` when
|
|
105
|
+
* nothing was attempted (disabled, or no file present and none
|
|
106
|
+
* explicitly requested); otherwise a result describing what happened.
|
|
107
|
+
*/
|
|
108
|
+
function loadSnykEnv(cwd, opts = {}) {
|
|
109
|
+
if (opts.noEnvFile)
|
|
110
|
+
return null;
|
|
111
|
+
const explicit = opts.envFile !== undefined;
|
|
112
|
+
const filePath = explicit ? path.resolve(cwd, opts.envFile) : path.join(cwd, '.env');
|
|
113
|
+
if (!fs.existsSync(filePath)) {
|
|
114
|
+
if (explicit) {
|
|
115
|
+
return { path: filePath, loadedKeys: [], warnings: [`env-file not found: ${filePath}`] };
|
|
116
|
+
}
|
|
117
|
+
return null;
|
|
118
|
+
}
|
|
119
|
+
let body;
|
|
120
|
+
try {
|
|
121
|
+
body = fs.readFileSync(filePath, 'utf8');
|
|
122
|
+
}
|
|
123
|
+
catch (err) {
|
|
124
|
+
return {
|
|
125
|
+
path: filePath,
|
|
126
|
+
loadedKeys: [],
|
|
127
|
+
warnings: [`could not read env-file ${filePath}: ${err.message}`],
|
|
128
|
+
};
|
|
129
|
+
}
|
|
130
|
+
const parsed = parseSnykEnv(body);
|
|
131
|
+
const loadedKeys = [];
|
|
132
|
+
for (const [key, value] of Object.entries(parsed)) {
|
|
133
|
+
// Real exported env / CI secret always wins. Treat an empty string
|
|
134
|
+
// as "unset" so a blank export doesn't shadow a populated .env.
|
|
135
|
+
const current = process.env[key];
|
|
136
|
+
if (current === undefined || current === '') {
|
|
137
|
+
process.env[key] = value;
|
|
138
|
+
loadedKeys.push(key);
|
|
139
|
+
}
|
|
140
|
+
}
|
|
141
|
+
const warnings = [];
|
|
142
|
+
if (isTrackedByGit(cwd, filePath)) {
|
|
143
|
+
warnings.push(`${path.basename(filePath)} appears to be committed to git — a secrets file ` +
|
|
144
|
+
`should be gitignored. Move SNYK_TOKEN out of version control.`);
|
|
145
|
+
}
|
|
146
|
+
return { path: filePath, loadedKeys, warnings };
|
|
147
|
+
}
|
|
148
|
+
/** Whether `filePath` is tracked in the git index at `cwd`. Best-effort
|
|
149
|
+
* — any failure (not a repo, git missing) is treated as "not tracked"
|
|
150
|
+
* so the advisory simply doesn't fire. */
|
|
151
|
+
function isTrackedByGit(cwd, filePath) {
|
|
152
|
+
try {
|
|
153
|
+
(0, child_process_1.execSync)(`git ls-files --error-unmatch ${JSON.stringify(filePath)}`, {
|
|
154
|
+
cwd,
|
|
155
|
+
stdio: ['ignore', 'ignore', 'ignore'],
|
|
156
|
+
});
|
|
157
|
+
return true;
|
|
158
|
+
}
|
|
159
|
+
catch {
|
|
160
|
+
return false;
|
|
161
|
+
}
|
|
162
|
+
}
|
|
163
|
+
//# sourceMappingURL=env-file.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"env-file.js","sourceRoot":"","sources":["../../src/ingest/env-file.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0DA,oCAYC;AAqBD,kCA6CC;AAxID;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,uCAAyB;AACzB,2CAA6B;AAC7B,iDAAyC;AAEzC;6DAC6D;AAChD,QAAA,eAAe,GAAG,OAAO,CAAC;AAuBvC;;;;;;;GAOG;AACH,SAAgB,YAAY,CAAC,IAAY;IACvC,MAAM,GAAG,GAA2B,EAAE,CAAC;IACvC,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1C,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,EAAE,CAAC;QAC5B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;YAAE,SAAS;QAC5C,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,qDAAqD,CAAC,CAAC;QAC5E,IAAI,CAAC,CAAC;YAAE,SAAS;QACjB,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACjB,IAAI,CAAC,GAAG,CAAC,UAAU,CAAC,uBAAe,CAAC;YAAE,SAAS;QAC/C,GAAG,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3B,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC;AAED,SAAS,OAAO,CAAC,KAAa;IAC5B,MAAM,CAAC,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;IACvB,IAAI,CAAC,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;QAClB,MAAM,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QACnB,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC7B,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,IAAI,CAAC,KAAK,KAAK,GAAG,IAAI,IAAI,KAAK,GAAG,CAAC,EAAE,CAAC;YACvE,OAAO,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;IACD,OAAO,CAAC,CAAC;AACX,CAAC;AAED;;;;;;GAMG;AACH,SAAgB,WAAW,CAAC,GAAW,EAAE,OAA2B,EAAE;IACpE,IAAI,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAEhC,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,KAAK,SAAS,CAAC;IAC5C,MAAM,QAAQ,GAAG,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,IAAI,CAAC,OAAiB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,MAAM,CAAC,CAAC;IAE/F,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,QAAQ,CAAC,EAAE,CAAC;QAC7B,IAAI,QAAQ,EAAE,CAAC;YACb,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,EAAE,EAAE,QAAQ,EAAE,CAAC,uBAAuB,QAAQ,EAAE,CAAC,EAAE,CAAC;QAC3F,CAAC;QACD,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,IAAY,CAAC;IACjB,IAAI,CAAC;QACH,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO;YACL,IAAI,EAAE,QAAQ;YACd,UAAU,EAAE,EAAE;YACd,QAAQ,EAAE,CAAC,2BAA2B,QAAQ,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC;SAC7E,CAAC;IACJ,CAAC;IAED,MAAM,MAAM,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC;IAClC,MAAM,UAAU,GAAa,EAAE,CAAC;IAChC,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAClD,mEAAmE;QACnE,gEAAgE;QAChE,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QACjC,IAAI,OAAO,KAAK,SAAS,IAAI,OAAO,KAAK,EAAE,EAAE,CAAC;YAC5C,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC;YACzB,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC;IAED,MAAM,QAAQ,GAAa,EAAE,CAAC;IAC9B,IAAI,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,EAAE,CAAC;QAClC,QAAQ,CAAC,IAAI,CACX,GAAG,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,mDAAmD;YAC3E,+DAA+D,CAClE,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,UAAU,EAAE,QAAQ,EAAE,CAAC;AAClD,CAAC;AAED;;2CAE2C;AAC3C,SAAS,cAAc,CAAC,GAAW,EAAE,QAAgB;IACnD,IAAI,CAAC;QACH,IAAA,wBAAQ,EAAC,gCAAgC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,EAAE,EAAE;YACnE,GAAG;YACH,KAAK,EAAE,CAAC,QAAQ,EAAE,QAAQ,EAAE,QAAQ,CAAC;SACtC,CAAC,CAAC;QACH,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/ingest/sarif.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,KAAK,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;
|
|
1
|
+
{"version":3,"file":"sarif.d.ts","sourceRoot":"","sources":["../../src/ingest/sarif.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,OAAO,KAAK,EAAE,YAAY,EAAE,eAAe,EAAE,MAAM,SAAS,CAAC;AA+H7D;;;;GAIG;AACH,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,CAAC,EAAE,YAAY,GAAG,eAAe,EAAE,CAyDhF"}
|
package/dist/ingest/sarif.js
CHANGED
|
@@ -41,6 +41,24 @@ function cweFromRule(rule) {
|
|
|
41
41
|
}
|
|
42
42
|
return '';
|
|
43
43
|
}
|
|
44
|
+
/**
|
|
45
|
+
* Whether a SARIF result has been dismissed upstream. True when it
|
|
46
|
+
* carries at least one suppression whose status is `accepted` — SARIF
|
|
47
|
+
* treats an absent `status` as `accepted`, while `underReview` and
|
|
48
|
+
* `rejected` mean the suppression is NOT yet (or no longer) in effect.
|
|
49
|
+
*
|
|
50
|
+
* Honoring this keeps dxkit's ingest in sync with the engine's own
|
|
51
|
+
* ignore state: a finding a developer dismissed in Snyk / CodeQL does
|
|
52
|
+
* not re-surface here as a fresh active finding. The decision was
|
|
53
|
+
* already reviewed in the engine that owns it, so dxkit drops it rather
|
|
54
|
+
* than re-litigating it.
|
|
55
|
+
*/
|
|
56
|
+
function isResultSuppressed(res) {
|
|
57
|
+
const s = res.suppressions;
|
|
58
|
+
if (!Array.isArray(s) || s.length === 0)
|
|
59
|
+
return false;
|
|
60
|
+
return s.some((entry) => entry.status === undefined || entry.status === 'accepted');
|
|
61
|
+
}
|
|
44
62
|
/** Resolve four-tier severity. Prefer numeric `security-severity`
|
|
45
63
|
* (CVSS-like 0–10); else the rule's `problem.severity`; else the
|
|
46
64
|
* result `level`. */
|
|
@@ -107,6 +125,10 @@ function parseSarif(raw, engine) {
|
|
|
107
125
|
}
|
|
108
126
|
}
|
|
109
127
|
for (const res of run.results || []) {
|
|
128
|
+
// Honor the engine's own dismissal — a finding suppressed in Snyk
|
|
129
|
+
// / CodeQL / Semgrep Pro must not re-surface in dxkit.
|
|
130
|
+
if (isResultSuppressed(res))
|
|
131
|
+
continue;
|
|
110
132
|
const ruleId = res.ruleId || res.rule?.id;
|
|
111
133
|
// Rule can be referenced by id or by index into the (flattened) list.
|
|
112
134
|
let rule = ruleId ? rulesById.get(ruleId) : undefined;
|
package/dist/ingest/sarif.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/ingest/sarif.ts"],"names":[],"mappings":";;
|
|
1
|
+
{"version":3,"file":"sarif.js","sourceRoot":"","sources":["../../src/ingest/sarif.ts"],"names":[],"mappings":";;AAyJA,gCAyDC;AA7ID;;qDAEqD;AACrD,SAAS,gBAAgB,CAAC,IAAwB;IAChD,MAAM,CAAC,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACrC,IAAI,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC;QAAE,OAAO,QAAQ,CAAC;IAC1C,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC;QAAE,OAAO,WAAW,CAAC;IAC3C,IAAI,CAAC,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,aAAa,CAAC;IAChD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;0CAC0C;AAC1C,SAAS,YAAY,CAAC,CAAqB;IACzC,IAAI,CAAC,CAAC;QAAE,OAAO,EAAE,CAAC;IAClB,MAAM,CAAC,GAAG,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IACpC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED;;gEAEgE;AAChE,SAAS,WAAW,CAAC,IAA2B;IAC9C,MAAM,MAAM,GAAG,IAAI,EAAE,UAAU,EAAE,GAAG,CAAC;IACrC,IAAI,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC;QAC1B,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,CAAC,GAAG,YAAY,CAAC,CAAC,CAAC,CAAC;YAC1B,IAAI,CAAC;gBAAE,OAAO,CAAC,CAAC;QAClB,CAAC;IACH,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,UAAU,EAAE,IAAI,IAAI,EAAE,EAAE,CAAC;QAC/C,MAAM,CAAC,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;QAC5B,IAAI,CAAC;YAAE,OAAO,CAAC,CAAC;IAClB,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED;;;;;;;;;;;GAWG;AACH,SAAS,kBAAkB,CAAC,GAAgB;IAC1C,MAAM,CAAC,GAAG,GAAG,CAAC,YAAY,CAAC;IAC3B,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IACtD,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,MAAM,KAAK,SAAS,IAAI,KAAK,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC;AACtF,CAAC;AAED;;sBAEsB;AACtB,SAAS,eAAe,CAAC,IAA2B,EAAE,KAAyB;IAC7E,MAAM,GAAG,GAAG,IAAI,EAAE,UAAU,EAAE,CAAC,mBAAmB,CAAC,CAAC;IACpD,IAAI,GAAG,KAAK,SAAS,IAAI,GAAG,KAAK,IAAI,IAAI,GAAG,KAAK,EAAE,EAAE,CAAC;QACpD,MAAM,KAAK,GAAG,OAAO,GAAG,KAAK,QAAQ,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC;QACtE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE,CAAC;YACzB,IAAI,KAAK,IAAI,GAAG;gBAAE,OAAO,UAAU,CAAC;YACpC,IAAI,KAAK,IAAI,GAAG;gBAAE,OAAO,MAAM,CAAC;YAChC,IAAI,KAAK,IAAI,GAAG;gBAAE,OAAO,QAAQ,CAAC;YAClC,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IACD,MAAM,EAAE,GAAG,IAAI,EAAE,UAAU,EAAE,CAAC,kBAAkB,CAAC,CAAC;IAClD,IAAI,EAAE,KAAK,OAAO;QAAE,OAAO,MAAM,CAAC;IAClC,IAAI,EAAE,KAAK,SAAS,IAAI,EAAE,KAAK,gBAAgB;QAAE,OAAO,QAAQ,CAAC;IACjE,yCAAyC;IACzC,IAAI,KAAK,KAAK,OAAO;QAAE,OAAO,MAAM,CAAC;IACrC,IAAI,KAAK,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IACnC,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,QAAQ,CAAC;IACzC,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED;;;;GAIG;AACH,SAAgB,UAAU,CAAC,GAAW,EAAE,MAAqB;IAC3D,IAAI,GAAa,CAAC;IAClB,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAa,CAAC;IACpC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;IACD,MAAM,GAAG,GAAsB,EAAE,CAAC;IAClC,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,IAAI,EAAE,EAAE,CAAC;QACjC,MAAM,UAAU,GAAG,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC;QAC1C,MAAM,cAAc,GAAG,MAAM,IAAI,gBAAgB,CAAC,UAAU,CAAC,CAAC;QAE9D,mDAAmD;QACnD,MAAM,SAAS,GAAG,IAAI,GAAG,EAAqB,CAAC;QAC/C,MAAM,SAAS,GAAkB,EAAE,CAAC;QACpC,IAAI,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,KAAK;YAAE,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;QACnE,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,UAAU,IAAI,EAAE,EAAE,CAAC;YAC7C,IAAI,GAAG,CAAC,KAAK;gBAAE,SAAS,CAAC,IAAI,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAC3C,CAAC;QACD,MAAM,SAAS,GAAgB,EAAE,CAAC;QAClC,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;YAC7B,KAAK,MAAM,CAAC,IAAI,IAAI,EAAE,CAAC;gBACrB,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;gBAClB,IAAI,CAAC,CAAC,EAAE;oBAAE,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QAED,KAAK,MAAM,GAAG,IAAI,GAAG,CAAC,OAAO,IAAI,EAAE,EAAE,CAAC;YACpC,kEAAkE;YAClE,uDAAuD;YACvD,IAAI,kBAAkB,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEtC,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,IAAI,GAAG,CAAC,IAAI,EAAE,EAAE,CAAC;YAC1C,sEAAsE;YACtE,IAAI,IAAI,GAA0B,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;YAC7E,IAAI,CAAC,IAAI,IAAI,OAAO,GAAG,CAAC,IAAI,EAAE,KAAK,KAAK,QAAQ;gBAAE,IAAI,GAAG,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAEnF,MAAM,GAAG,GAAG,GAAG,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,gBAAgB,CAAC;YACjD,MAAM,IAAI,GAAG,GAAG,EAAE,gBAAgB,EAAE,GAAG,CAAC;YACxC,MAAM,IAAI,GAAG,GAAG,EAAE,MAAM,EAAE,SAAS,CAAC;YACpC,8DAA8D;YAC9D,qDAAqD;YACrD,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI;gBAAE,SAAS;YAE7B,GAAG,CAAC,IAAI,CAAC;gBACP,MAAM,EAAE,cAAc;gBACtB,QAAQ,EAAE,eAAe,CAAC,IAAI,EAAE,GAAG,CAAC,KAAK,CAAC;gBAC1C,QAAQ,EAAE,MAAM;gBAChB,GAAG,EAAE,WAAW,CAAC,IAAI,CAAC;gBACtB,IAAI,EAAE,MAAM,IAAI,IAAI,EAAE,IAAI,IAAI,SAAS;gBACvC,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,IAAI,IAAI,EAAE,gBAAgB,EAAE,IAAI,IAAI,MAAM,IAAI,cAAc;gBACpF,IAAI;gBACJ,IAAI;aACL,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
|
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Writer for Snyk's `.snyk` policy file — the OUTBOUND half of the
|
|
3
|
+
* Snyk ↔ dxkit suppression sync.
|
|
4
|
+
*
|
|
5
|
+
* 2.9.1 wired the INBOUND direction: dxkit honors SARIF
|
|
6
|
+
* `result.suppressions` so a finding the team dismissed in Snyk is
|
|
7
|
+
* dropped at ingest time (`src/ingest/sarif.ts`). This module is the
|
|
8
|
+
* mirror: when the team allowlists a Snyk-originated finding in dxkit,
|
|
9
|
+
* `allowlist export --snyk` writes a `.snyk` ignore so the decision
|
|
10
|
+
* propagates back to Snyk's own gate (`snyk code test`, the Snyk UI).
|
|
11
|
+
*
|
|
12
|
+
* The `.snyk` file is YAML. dxkit carries no YAML dependency, so this
|
|
13
|
+
* is a small CONTROLLED serializer for exactly the policy shape Snyk's
|
|
14
|
+
* tooling reads — not a general YAML emitter. The structure is fixed:
|
|
15
|
+
*
|
|
16
|
+
* version: v1.25.0
|
|
17
|
+
* ignore:
|
|
18
|
+
* '<rule-id>':
|
|
19
|
+
* - '<path>':
|
|
20
|
+
* reason: "<reason>"
|
|
21
|
+
* expires: <ISO datetime> # omitted for a permanent ignore
|
|
22
|
+
* created: <ISO datetime>
|
|
23
|
+
* patch: {}
|
|
24
|
+
*
|
|
25
|
+
* Caveat surfaced to the user by the CLI: Snyk Code (SAST) honors
|
|
26
|
+
* `.snyk` ignores only when the org has Snyk's "consistent ignores"
|
|
27
|
+
* feature enabled; SCA/dependency ignores are standard. dxkit writes
|
|
28
|
+
* the file either way — the caller documents the prerequisite.
|
|
29
|
+
*/
|
|
30
|
+
/** One ignore directive — a single (rule, path) pair plus metadata. */
|
|
31
|
+
export interface SnykIgnore {
|
|
32
|
+
/** Snyk-native rule / issue id (e.g. `javascript/InsecureTLSConfig`). */
|
|
33
|
+
readonly ruleId: string;
|
|
34
|
+
/** Repo-relative path the ignore applies to. */
|
|
35
|
+
readonly path: string;
|
|
36
|
+
/** Human rationale carried over from the allowlist entry. */
|
|
37
|
+
readonly reason?: string;
|
|
38
|
+
/** ISO 8601 datetime after which the ignore lapses. Omitted →
|
|
39
|
+
* permanent ignore (Snyk treats a missing `expires` as no expiry). */
|
|
40
|
+
readonly expires?: string;
|
|
41
|
+
/** ISO 8601 datetime the ignore was written. */
|
|
42
|
+
readonly created: string;
|
|
43
|
+
}
|
|
44
|
+
/** Snyk policy schema version dxkit emits. Matches the version Snyk's
|
|
45
|
+
* own `snyk ignore` writes for the ignore/patch shape used here. */
|
|
46
|
+
export declare const SNYK_POLICY_VERSION: "v1.25.0";
|
|
47
|
+
/**
|
|
48
|
+
* Convert an allowlist entry's `expiresAt` (`YYYY-MM-DD`) into the ISO
|
|
49
|
+
* datetime Snyk's policy file expects. Returns `undefined` for a
|
|
50
|
+
* missing date so the caller emits a permanent ignore.
|
|
51
|
+
*/
|
|
52
|
+
export declare function expiryToSnykDatetime(expiresAt: string | undefined): string | undefined;
|
|
53
|
+
/**
|
|
54
|
+
* Serialize ignores into `.snyk` policy YAML. Groups by rule id (the
|
|
55
|
+
* file's top-level ignore key), each carrying a list of per-path
|
|
56
|
+
* directives. Deterministic ordering (rules + paths sorted) so the
|
|
57
|
+
* committed file has stable diffs across runs.
|
|
58
|
+
*/
|
|
59
|
+
export declare function buildSnykPolicy(ignores: ReadonlyArray<SnykIgnore>): string;
|
|
60
|
+
//# sourceMappingURL=snyk-policy.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"snyk-policy.d.ts","sourceRoot":"","sources":["../../src/ingest/snyk-policy.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AAEH,uEAAuE;AACvE,MAAM,WAAW,UAAU;IACzB,yEAAyE;IACzE,QAAQ,CAAC,MAAM,EAAE,MAAM,CAAC;IACxB,gDAAgD;IAChD,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC;IACtB,6DAA6D;IAC7D,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB;2EACuE;IACvE,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,gDAAgD;IAChD,QAAQ,CAAC,OAAO,EAAE,MAAM,CAAC;CAC1B;AAED;qEACqE;AACrE,eAAO,MAAM,mBAAmB,EAAG,SAAkB,CAAC;AAEtD;;;;GAIG;AACH,wBAAgB,oBAAoB,CAAC,SAAS,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,CAGtF;AAED;;;;;GAKG;AACH,wBAAgB,eAAe,CAAC,OAAO,EAAE,aAAa,CAAC,UAAU,CAAC,GAAG,MAAM,CAoC1E"}
|
|
@@ -0,0 +1,104 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Writer for Snyk's `.snyk` policy file — the OUTBOUND half of the
|
|
4
|
+
* Snyk ↔ dxkit suppression sync.
|
|
5
|
+
*
|
|
6
|
+
* 2.9.1 wired the INBOUND direction: dxkit honors SARIF
|
|
7
|
+
* `result.suppressions` so a finding the team dismissed in Snyk is
|
|
8
|
+
* dropped at ingest time (`src/ingest/sarif.ts`). This module is the
|
|
9
|
+
* mirror: when the team allowlists a Snyk-originated finding in dxkit,
|
|
10
|
+
* `allowlist export --snyk` writes a `.snyk` ignore so the decision
|
|
11
|
+
* propagates back to Snyk's own gate (`snyk code test`, the Snyk UI).
|
|
12
|
+
*
|
|
13
|
+
* The `.snyk` file is YAML. dxkit carries no YAML dependency, so this
|
|
14
|
+
* is a small CONTROLLED serializer for exactly the policy shape Snyk's
|
|
15
|
+
* tooling reads — not a general YAML emitter. The structure is fixed:
|
|
16
|
+
*
|
|
17
|
+
* version: v1.25.0
|
|
18
|
+
* ignore:
|
|
19
|
+
* '<rule-id>':
|
|
20
|
+
* - '<path>':
|
|
21
|
+
* reason: "<reason>"
|
|
22
|
+
* expires: <ISO datetime> # omitted for a permanent ignore
|
|
23
|
+
* created: <ISO datetime>
|
|
24
|
+
* patch: {}
|
|
25
|
+
*
|
|
26
|
+
* Caveat surfaced to the user by the CLI: Snyk Code (SAST) honors
|
|
27
|
+
* `.snyk` ignores only when the org has Snyk's "consistent ignores"
|
|
28
|
+
* feature enabled; SCA/dependency ignores are standard. dxkit writes
|
|
29
|
+
* the file either way — the caller documents the prerequisite.
|
|
30
|
+
*/
|
|
31
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
32
|
+
exports.SNYK_POLICY_VERSION = void 0;
|
|
33
|
+
exports.expiryToSnykDatetime = expiryToSnykDatetime;
|
|
34
|
+
exports.buildSnykPolicy = buildSnykPolicy;
|
|
35
|
+
/** Snyk policy schema version dxkit emits. Matches the version Snyk's
|
|
36
|
+
* own `snyk ignore` writes for the ignore/patch shape used here. */
|
|
37
|
+
exports.SNYK_POLICY_VERSION = 'v1.25.0';
|
|
38
|
+
/**
|
|
39
|
+
* Convert an allowlist entry's `expiresAt` (`YYYY-MM-DD`) into the ISO
|
|
40
|
+
* datetime Snyk's policy file expects. Returns `undefined` for a
|
|
41
|
+
* missing date so the caller emits a permanent ignore.
|
|
42
|
+
*/
|
|
43
|
+
function expiryToSnykDatetime(expiresAt) {
|
|
44
|
+
if (!expiresAt)
|
|
45
|
+
return undefined;
|
|
46
|
+
return `${expiresAt}T00:00:00.000Z`;
|
|
47
|
+
}
|
|
48
|
+
/**
|
|
49
|
+
* Serialize ignores into `.snyk` policy YAML. Groups by rule id (the
|
|
50
|
+
* file's top-level ignore key), each carrying a list of per-path
|
|
51
|
+
* directives. Deterministic ordering (rules + paths sorted) so the
|
|
52
|
+
* committed file has stable diffs across runs.
|
|
53
|
+
*/
|
|
54
|
+
function buildSnykPolicy(ignores) {
|
|
55
|
+
const byRule = new Map();
|
|
56
|
+
for (const ig of ignores) {
|
|
57
|
+
const list = byRule.get(ig.ruleId) ?? [];
|
|
58
|
+
list.push(ig);
|
|
59
|
+
byRule.set(ig.ruleId, list);
|
|
60
|
+
}
|
|
61
|
+
const lines = [
|
|
62
|
+
'# Snyk (https://snyk.io) policy file, written by dxkit allowlist export.',
|
|
63
|
+
`version: ${exports.SNYK_POLICY_VERSION}`,
|
|
64
|
+
];
|
|
65
|
+
if (byRule.size === 0) {
|
|
66
|
+
lines.push('ignore: {}');
|
|
67
|
+
lines.push('patch: {}');
|
|
68
|
+
return lines.join('\n') + '\n';
|
|
69
|
+
}
|
|
70
|
+
lines.push('ignore:');
|
|
71
|
+
for (const ruleId of [...byRule.keys()].sort()) {
|
|
72
|
+
lines.push(` ${quoteKey(ruleId)}:`);
|
|
73
|
+
const perPath = byRule.get(ruleId);
|
|
74
|
+
// Stable order + one directive per unique path.
|
|
75
|
+
const seen = new Set();
|
|
76
|
+
for (const ig of perPath.slice().sort((a, b) => a.path.localeCompare(b.path))) {
|
|
77
|
+
if (seen.has(ig.path))
|
|
78
|
+
continue;
|
|
79
|
+
seen.add(ig.path);
|
|
80
|
+
lines.push(` - ${quoteKey(ig.path)}:`);
|
|
81
|
+
lines.push(` reason: ${doubleQuote(ig.reason ?? '')}`);
|
|
82
|
+
if (ig.expires)
|
|
83
|
+
lines.push(` expires: ${ig.expires}`);
|
|
84
|
+
lines.push(` created: ${ig.created}`);
|
|
85
|
+
}
|
|
86
|
+
}
|
|
87
|
+
lines.push('patch: {}');
|
|
88
|
+
return lines.join('\n') + '\n';
|
|
89
|
+
}
|
|
90
|
+
// ─── Minimal scalar quoting ───────────────────────────────────────────────
|
|
91
|
+
/** Single-quote a YAML key/scalar, escaping embedded single quotes by
|
|
92
|
+
* doubling (the YAML single-quote rule). Used for rule ids + paths,
|
|
93
|
+
* which never contain newlines. */
|
|
94
|
+
function quoteKey(value) {
|
|
95
|
+
return `'${value.replace(/'/g, "''")}'`;
|
|
96
|
+
}
|
|
97
|
+
/** Double-quote a YAML scalar. JSON's string encoding is a valid YAML
|
|
98
|
+
* double-quoted flow scalar (YAML is a JSON superset), so JSON.stringify
|
|
99
|
+
* gives correct escaping for reasons that may carry quotes, colons, or
|
|
100
|
+
* other special characters. */
|
|
101
|
+
function doubleQuote(value) {
|
|
102
|
+
return JSON.stringify(value);
|
|
103
|
+
}
|
|
104
|
+
//# sourceMappingURL=snyk-policy.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"snyk-policy.js","sourceRoot":"","sources":["../../src/ingest/snyk-policy.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;;;AA0BH,oDAGC;AAQD,0CAoCC;AAxDD;qEACqE;AACxD,QAAA,mBAAmB,GAAG,SAAkB,CAAC;AAEtD;;;;GAIG;AACH,SAAgB,oBAAoB,CAAC,SAA6B;IAChE,IAAI,CAAC,SAAS;QAAE,OAAO,SAAS,CAAC;IACjC,OAAO,GAAG,SAAS,gBAAgB,CAAC;AACtC,CAAC;AAED;;;;;GAKG;AACH,SAAgB,eAAe,CAAC,OAAkC;IAChE,MAAM,MAAM,GAAG,IAAI,GAAG,EAAwB,CAAC;IAC/C,KAAK,MAAM,EAAE,IAAI,OAAO,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;QACzC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACd,MAAM,CAAC,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAC9B,CAAC;IAED,MAAM,KAAK,GAAa;QACtB,0EAA0E;QAC1E,YAAY,2BAAmB,EAAE;KAClC,CAAC;IAEF,IAAI,MAAM,CAAC,IAAI,KAAK,CAAC,EAAE,CAAC;QACtB,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACzB,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QACxB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;IACjC,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;IACtB,KAAK,MAAM,MAAM,IAAI,CAAC,GAAG,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC;QAC/C,KAAK,CAAC,IAAI,CAAC,KAAK,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACrC,MAAM,OAAO,GAAG,MAAM,CAAC,GAAG,CAAC,MAAM,CAAE,CAAC;QACpC,gDAAgD;QAChD,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,KAAK,MAAM,EAAE,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,EAAE,CAAC;YAC9E,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC;gBAAE,SAAS;YAChC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;YAClB,KAAK,CAAC,IAAI,CAAC,SAAS,QAAQ,CAAC,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;YAC1C,KAAK,CAAC,IAAI,CAAC,mBAAmB,WAAW,CAAC,EAAE,CAAC,MAAM,IAAI,EAAE,CAAC,EAAE,CAAC,CAAC;YAC9D,IAAI,EAAE,CAAC,OAAO;gBAAE,KAAK,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;YAC7D,KAAK,CAAC,IAAI,CAAC,oBAAoB,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/C,CAAC;IACH,CAAC;IACD,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;IACxB,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,IAAI,CAAC;AACjC,CAAC;AAED,6EAA6E;AAE7E;;oCAEoC;AACpC,SAAS,QAAQ,CAAC,KAAa;IAC7B,OAAO,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,CAAC,GAAG,CAAC;AAC1C,CAAC;AAED;;;gCAGgC;AAChC,SAAS,WAAW,CAAC,KAAa;IAChC,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,CAAC;AAC/B,CAAC"}
|
package/dist/ingest-cli.d.ts
CHANGED
|
@@ -13,6 +13,10 @@ export interface IngestOptions {
|
|
|
13
13
|
project?: string;
|
|
14
14
|
generatedAt: string;
|
|
15
15
|
commitSha?: string;
|
|
16
|
+
/** Skip opt-in `.env` loading of `SNYK_*` credentials (`--no-env-file`). */
|
|
17
|
+
noEnvFile?: boolean;
|
|
18
|
+
/** Explicit `.env` path for `SNYK_*` credentials (`--env-file <path>`). */
|
|
19
|
+
envFile?: string;
|
|
16
20
|
}
|
|
17
21
|
export declare function runIngest(cwd: string, opts: IngestOptions): Promise<void>;
|
|
18
22
|
/** A REST failure that means "this plan can't read the API" — Enterprise-
|
package/dist/ingest-cli.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ingest-cli.d.ts","sourceRoot":"","sources":["../src/ingest-cli.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"ingest-cli.d.ts","sourceRoot":"","sources":["../src/ingest-cli.ts"],"names":[],"mappings":"AAiCA,MAAM,WAAW,aAAa;IAC5B,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,CAAC,EAAE,OAAO,CAAC;IACnB,MAAM,CAAC,EAAE,OAAO,CAAC;IACjB;;mEAE+D;IAC/D,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,yEAAyE;IACzE,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,0DAA0D;IAC1D,GAAG,CAAC,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,4EAA4E;IAC5E,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,2EAA2E;IAC3E,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAMD,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,aAAa,GAAG,OAAO,CAAC,IAAI,CAAC,CAqB/E;AAmDD;0EAC0E;AAC1E,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAEtD"}
|
package/dist/ingest-cli.js
CHANGED
|
@@ -47,6 +47,9 @@ exports.isNotEntitled = isNotEntitled;
|
|
|
47
47
|
* On plans without REST API access (Enterprise-only)
|
|
48
48
|
* this auto-falls-back to `snyk code test`; pass
|
|
49
49
|
* --snyk-cli to force that path and skip the REST try.
|
|
50
|
+
* SNYK_* credentials are read from the environment and,
|
|
51
|
+
* as a fallback, from a local `.env` (only SNYK_* keys;
|
|
52
|
+
* --no-env-file opts out, --env-file <path> overrides).
|
|
50
53
|
*
|
|
51
54
|
* Either way the result is written to `.dxkit/external/<engine>.json`,
|
|
52
55
|
* a committed snapshot every later scan reads — so the token is needed
|
|
@@ -60,6 +63,7 @@ const snyk_api_1 = require("./ingest/snyk-api");
|
|
|
60
63
|
const snyk_cli_1 = require("./ingest/snyk-cli");
|
|
61
64
|
const codeql_1 = require("./ingest/codeql");
|
|
62
65
|
const config_1 = require("./ingest/config");
|
|
66
|
+
const env_file_1 = require("./ingest/env-file");
|
|
63
67
|
const snapshot_1 = require("./ingest/snapshot");
|
|
64
68
|
const index_1 = require("./languages/index");
|
|
65
69
|
function isSourceEngine(s) {
|
|
@@ -83,6 +87,7 @@ async function runIngest(cwd, opts) {
|
|
|
83
87
|
logger.dim(' vyuh-dxkit ingest --sarif results.sarif');
|
|
84
88
|
logger.dim(' SNYK_TOKEN=… vyuh-dxkit ingest --from-snyk --org <id> --project <id>');
|
|
85
89
|
logger.dim(' SNYK_TOKEN=… vyuh-dxkit ingest --from-snyk --snyk-cli # free/team plans');
|
|
90
|
+
logger.dim(' vyuh-dxkit ingest --from-snyk # SNYK_* read from .env when present');
|
|
86
91
|
logger.dim(' vyuh-dxkit ingest --codeql # OSS / GitHub Advanced Security only');
|
|
87
92
|
process.exitCode = 1;
|
|
88
93
|
}
|
|
@@ -139,18 +144,32 @@ function isNotEntitled(message) {
|
|
|
139
144
|
return /\b403\b/.test(message) || /not entitled/i.test(message) || /api access/i.test(message);
|
|
140
145
|
}
|
|
141
146
|
async function ingestFromSnyk(cwd, opts) {
|
|
147
|
+
// Opt-in: lift ONLY SNYK_* keys from a local `.env` into the
|
|
148
|
+
// environment (real exported env / CI secret always wins). Disabled
|
|
149
|
+
// by --no-env-file; path overridable by --env-file. CI has no .env →
|
|
150
|
+
// no-op, so behavior there is unchanged.
|
|
151
|
+
const envLoad = (0, env_file_1.loadSnykEnv)(cwd, { noEnvFile: opts.noEnvFile, envFile: opts.envFile });
|
|
152
|
+
if (envLoad) {
|
|
153
|
+
for (const w of envLoad.warnings)
|
|
154
|
+
logger.warn(w);
|
|
155
|
+
if (envLoad.loadedKeys.length > 0) {
|
|
156
|
+
logger.dim(` Loaded ${envLoad.loadedKeys.join(', ')} from ${envLoad.path}`);
|
|
157
|
+
}
|
|
158
|
+
}
|
|
142
159
|
const token = process.env.SNYK_TOKEN;
|
|
143
160
|
if (!token) {
|
|
144
161
|
logger.warn('SNYK_TOKEN is not set.');
|
|
145
|
-
logger.dim(' dxkit reads SNYK_TOKEN from the environment
|
|
146
|
-
|
|
162
|
+
logger.dim(' dxkit reads SNYK_TOKEN from the environment. It also auto-loads SNYK_* keys ' +
|
|
163
|
+
'from a local .env (only those keys, never the rest of the file).');
|
|
164
|
+
logger.dim(' Export it (`export SNYK_TOKEN=…`), put it in .env, or add it as a CI secret, then retry. ' +
|
|
165
|
+
'Use --no-env-file to skip .env, or --env-file <path> to point elsewhere.');
|
|
147
166
|
process.exitCode = 1;
|
|
148
167
|
return;
|
|
149
168
|
}
|
|
150
169
|
// Org/project resolve flag → persisted config (`.vyuh-dxkit.json:
|
|
151
170
|
// deepSast.snyk`) → environment, so a sourced shell or configured repo
|
|
152
|
-
// can run `ingest --from-snyk` with no flags.
|
|
153
|
-
//
|
|
171
|
+
// can run `ingest --from-snyk` with no flags. SNYK_ORG_ID / SNYK_PROJECT_ID
|
|
172
|
+
// also come from a local .env via loadSnykEnv above (SNYK_* keys only).
|
|
154
173
|
const cfg = (0, config_1.readDeepSastConfig)(cwd);
|
|
155
174
|
const orgId = opts.org ?? cfg.snyk?.orgId ?? process.env.SNYK_ORG_ID;
|
|
156
175
|
const projectId = opts.project ?? cfg.snyk?.projectId ?? process.env.SNYK_PROJECT_ID;
|
package/dist/ingest-cli.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"ingest-cli.js","sourceRoot":"","sources":["../src/ingest-cli.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"ingest-cli.js","sourceRoot":"","sources":["../src/ingest-cli.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA0DA,8BAqBC;AAqDD,sCAEC;AAtID;;;;;;;;;;;;;;;;;;;;GAoBG;AACH,uCAAyB;AACzB,iDAAmC;AACnC,0CAA4C;AAC5C,gDAA0D;AAC1D,gDAAoD;AACpD,4CAA+D;AAC/D,4CAAqD;AACrD,gDAAgD;AAChD,gDAAkD;AAClD,6CAA0D;AAwB1D,SAAS,cAAc,CAAC,CAAqB;IAC3C,OAAO,CAAC,KAAK,WAAW,IAAI,CAAC,KAAK,QAAQ,IAAI,CAAC,KAAK,aAAa,IAAI,CAAC,KAAK,OAAO,CAAC;AACrF,CAAC;AAEM,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,IAAmB;IAC9D,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;QAClB,MAAM,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAChC,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC;QAChB,MAAM,gBAAgB,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAClC,OAAO;IACT,CAAC;IACD,IAAI,IAAI,CAAC,KAAK,EAAE,CAAC;QACf,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC3B,OAAO;IACT,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC;IACjF,MAAM,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC;IAC1B,MAAM,CAAC,GAAG,CAAC,6CAA6C,CAAC,CAAC;IAC1D,MAAM,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;IACvF,MAAM,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;IAC3F,MAAM,CAAC,GAAG,CAAC,0EAA0E,CAAC,CAAC;IACvF,MAAM,CAAC,GAAG,CAAC,6EAA6E,CAAC,CAAC;IAC1F,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC;AAED,KAAK,UAAU,gBAAgB,CAAC,GAAW,EAAE,IAAmB;IAC9D,qEAAqE;IACrE,iEAAiE;IACjE,mBAAmB;IACnB,MAAM,OAAO,GAAmB,EAAE,CAAC;IACnC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,IAAA,6BAAqB,EAAC,GAAG,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,EAAE,cAAc,CAAC;QAC3C,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,OAAO,CAAC,IAAI,CAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,CAAC,QAAQ,EAAE,gBAAgB,EAAE,CAAC,CAAC;QAChF,CAAC;IACH,CAAC;IACD,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,+DAA+D,CAAC,CAAC;QAC7E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,CAAC,IAAI,CACT,uBAAuB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,gCAAgC,CACjG,CAAC;IACF,IAAI,QAA2B,CAAC;IAChC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,IAAA,kBAAS,EAAC,EAAE,GAAG,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,sBAAuB,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC5D,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,QAAQ,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AAChD,CAAC;AAED,SAAS,eAAe,CAAC,GAAW,EAAE,IAAmB;IACvD,IAAI,GAAW,CAAC;IAChB,IAAI,CAAC;QACH,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC,KAAe,EAAE,OAAO,CAAC,CAAC;IACvD,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,0BAA0B,IAAI,CAAC,KAAK,KAAM,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAC/E,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,cAAc,GAAG,cAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS,CAAC;IAC7E,MAAM,QAAQ,GAAG,IAAA,kBAAU,EAAC,GAAG,EAAE,cAAc,CAAC,CAAC;IACjD,qEAAqE;IACrE,8DAA8D;IAC9D,MAAM,MAAM,GAAiB,cAAc,IAAI,QAAQ,CAAC,CAAC,CAAC,EAAE,MAAM,IAAI,OAAO,CAAC;IAC9E,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AAC9C,CAAC;AAED;0EAC0E;AAC1E,SAAgB,aAAa,CAAC,OAAe;IAC3C,OAAO,SAAS,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,eAAe,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AACjG,CAAC;AAED,KAAK,UAAU,cAAc,CAAC,GAAW,EAAE,IAAmB;IAC5D,6DAA6D;IAC7D,oEAAoE;IACpE,qEAAqE;IACrE,yCAAyC;IACzC,MAAM,OAAO,GAAG,IAAA,sBAAW,EAAC,GAAG,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,OAAO,EAAE,IAAI,CAAC,OAAO,EAAE,CAAC,CAAC;IACvF,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,MAAM,CAAC,IAAI,OAAO,CAAC,QAAQ;YAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjD,IAAI,OAAO,CAAC,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAClC,MAAM,CAAC,GAAG,CAAC,YAAY,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QAC/E,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC;IACrC,IAAI,CAAC,KAAK,EAAE,CAAC;QACX,MAAM,CAAC,IAAI,CAAC,wBAAwB,CAAC,CAAC;QACtC,MAAM,CAAC,GAAG,CACR,gFAAgF;YAC9E,kEAAkE,CACrE,CAAC;QACF,MAAM,CAAC,GAAG,CACR,6FAA6F;YAC3F,0EAA0E,CAC7E,CAAC;QACF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,kEAAkE;IAClE,uEAAuE;IACvE,4EAA4E;IAC5E,wEAAwE;IACxE,MAAM,GAAG,GAAG,IAAA,2BAAkB,EAAC,GAAG,CAAC,CAAC;IACpC,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,IAAI,GAAG,CAAC,IAAI,EAAE,KAAK,IAAI,OAAO,CAAC,GAAG,CAAC,WAAW,CAAC;IACrE,MAAM,SAAS,GAAG,IAAI,CAAC,OAAO,IAAI,GAAG,CAAC,IAAI,EAAE,SAAS,IAAI,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;IAErF,yEAAyE;IACzE,uEAAuE;IACvE,kCAAkC;IAClC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;QACjB,MAAM,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;QACzC,OAAO;IACT,CAAC;IAED,IAAI,CAAC,KAAK,IAAI,CAAC,SAAS,EAAE,CAAC;QACzB,MAAM,CAAC,IAAI,CAAC,oEAAoE,CAAC,CAAC;QAClF,MAAM,CAAC,GAAG,CAAC,sEAAsE,CAAC,CAAC;QACnF,MAAM,CAAC,GAAG,CAAC,oEAAoE,CAAC,CAAC;QACjF,MAAM,CAAC,GAAG,CAAC,gEAAgE,CAAC,CAAC;QAC7E,MAAM,CAAC,GAAG,CACR,oFAAoF,CACrF,CAAC;QACF,MAAM,CAAC,GAAG,CAAC,mFAAmF,CAAC,CAAC;QAChG,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,MAAM,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC;IACrF,IAAI,QAA2B,CAAC;IAChC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,IAAA,gCAAqB,EAAC;YACrC,KAAK;YACL,KAAK;YACL,SAAS;YACT,OAAO,EAAE,OAAO,CAAC,GAAG,CAAC,QAAQ;SAC9B,CAAC,CAAC;IACL,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,OAAO,GAAI,GAAa,CAAC,OAAO,CAAC;QACvC,oEAAoE;QACpE,sEAAsE;QACtE,2DAA2D;QAC3D,IAAI,aAAa,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3B,MAAM,CAAC,IAAI,CAAC,6EAA6E,CAAC,CAAC;YAC3F,MAAM,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;YAC3F,MAAM,gBAAgB,CAAC,GAAG,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC;YACzC,OAAO;QACT,CAAC;QACD,MAAM,CAAC,IAAI,CAAC,qBAAqB,OAAO,EAAE,CAAC,CAAC;QAC5C,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AACnD,CAAC;AAED;4EAC4E;AAC5E,KAAK,UAAU,gBAAgB,CAC7B,GAAW,EACX,IAAmB,EACnB,KAAyB;IAEzB,IAAI,QAA2B,CAAC;IAChC,IAAI,CAAC;QACH,QAAQ,GAAG,MAAM,IAAA,0BAAe,EAAC,EAAE,GAAG,EAAE,GAAG,EAAE,KAAK,EAAE,KAAK,EAAE,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;IAC5F,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,0BAA2B,GAAa,CAAC,OAAO,EAAE,CAAC,CAAC;QAChE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACrB,OAAO;IACT,CAAC;IACD,cAAc,CAAC,GAAG,EAAE,WAAW,EAAE,QAAQ,EAAE,IAAI,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,cAAc,CACrB,GAAW,EACX,MAAoB,EACpB,QAA2B,EAC3B,IAAmB;IAEnB,MAAM,IAAI,GAAG,IAAA,wBAAa,EAAC,GAAG,EAAE;QAC9B,aAAa,EAAE,CAAC;QAChB,MAAM;QACN,WAAW,EAAE,IAAI,CAAC,WAAW;QAC7B,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,IAAI,CAAC,SAAS,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACxD,QAAQ;KACT,CAAC,CAAC;IACH,MAAM,KAAK,GAAG,QAAQ,CAAC,MAAM,CAAyB,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE;QAC/D,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;QAC7C,OAAO,GAAG,CAAC;IACb,CAAC,EAAE,EAAE,CAAC,CAAC;IACP,MAAM,CAAC,OAAO,CAAC,YAAY,QAAQ,CAAC,MAAM,IAAI,MAAM,iBAAiB,IAAI,EAAE,CAAC,CAAC;IAC7E,MAAM,CAAC,GAAG,CACR,cAAc,KAAK,CAAC,QAAQ,IAAI,CAAC,SAAS,KAAK,CAAC,IAAI,IAAI,CAAC,WAAW,KAAK,CAAC,MAAM,IAAI,CAAC,QAAQ,KAAK,CAAC,GAAG,IAAI,CAAC,EAAE,CAC9G,CAAC;IACF,MAAM,CAAC,GAAG,CAAC,8EAA8E,CAAC,CAAC;IAC3F,MAAM,CAAC,GAAG,CAAC,gFAAgF,CAAC,CAAC;AAC/F,CAAC"}
|
package/package.json
CHANGED
|
@@ -202,7 +202,7 @@ npx vyuh-dxkit allowlist audit # expired / soon-to-expire / missing-r
|
|
|
202
202
|
npx vyuh-dxkit allowlist prune # remove expired entries
|
|
203
203
|
```
|
|
204
204
|
|
|
205
|
-
Run `audit` periodically — `accepted-risk` and `deferred` entries that pass their expiry should either be re-justified (renew expiry) or pruned (remove the entry; the underlying finding will re-flag on the next scan).
|
|
205
|
+
Run `audit` periodically — `accepted-risk` and `deferred` entries that pass their expiry should either be re-justified (renew expiry) or pruned (remove the entry; the underlying finding will re-flag on the next scan). For the full lifecycle — auditing orphaned entries after a re-baseline (`audit --against-baseline`), removing a single stale fingerprint (`allowlist remove`), and exporting Snyk-originated suppressions back to a `.snyk` (`allowlist export --snyk`) — hand off to the **dxkit-allowlist** skill.
|
|
206
206
|
|
|
207
207
|
### Stale annotations
|
|
208
208
|
|
|
@@ -235,13 +235,15 @@ Once a finding is processed (fixed, allowlisted, or accepted), the workflow depe
|
|
|
235
235
|
| Real risk neutralized externally (WAF, runtime guard) | `vyuh-dxkit allowlist add` with `category=mitigated-externally` + a reason describing the mitigation. Baseline unchanged. |
|
|
236
236
|
| Real risk, accepted by team, won't fix | `vyuh-dxkit allowlist add` with `category=accepted-risk` + `--expires=YYYY-MM-DD` (defaults 90 days). Acknowledged-severity required for high/critical. |
|
|
237
237
|
| Real risk, will fix later (tracked work) | `vyuh-dxkit allowlist add` with `category=deferred` + `--expires=YYYY-MM-DD`. The expiry forces re-review when the deadline passes. |
|
|
238
|
-
| Fix landed via a config change (e.g., new entry in `.dxkit-ignore`) | Re-baseline
|
|
238
|
+
| Fix landed via a config change (e.g., new entry in `.dxkit-ignore`) | Re-baseline through the `dxkit-baseline-refresh` CI workflow (NOT a local `baseline create --force` — see the note below). Commit the `.dxkit-ignore` change; let CI refresh + commit the baseline. |
|
|
239
239
|
| Brownfield acceptance (the whole CURRENT state is known mess; future regressions must be net-new) | Re-baseline with an explicit reason in the commit message. Reserve this for the deliberate "draw a line here" moment, not per-finding suppression. |
|
|
240
240
|
|
|
241
241
|
**Prefer the allowlist over re-baselining for per-finding decisions.** The allowlist carries a typed category + reason + (when relevant) expiry; the baseline carries only "this finding was here." Future maintainers reading `vyuh-dxkit allowlist show <fingerprint>` see WHY the suppression is in place; reading the baseline file shows only that the finding existed at capture time. Per-finding decisions belong in the allowlist; codebase-wide brownfield acceptance belongs in the baseline.
|
|
242
242
|
|
|
243
243
|
**Never** re-baseline a finding silently — the commit message should explain why the regression is accepted. Future maintainers reading `git log .dxkit/baselines/` should see the rationale.
|
|
244
244
|
|
|
245
|
+
**Refresh the baseline in CI, not locally.** When a re-baseline is the right call, run it through the bundled `dxkit-baseline-refresh` workflow (or a runner pinned to CI's scanner versions) — not a local `npx vyuh-dxkit baseline create --force`. A local refresh records your machine's semgrep / npm-audit / jscpd versions in the committed baseline; when they differ from CI's, the next PR's guardrail surfaces spurious `TOOLING-DRIFT` warnings and phantom "resolved" findings. A local `--force` is fine only for the very first capture or a throwaway experiment.
|
|
246
|
+
|
|
245
247
|
## Workflow guardrail
|
|
246
248
|
|
|
247
249
|
After fixing N findings, run the guardrail check before pushing:
|
|
@@ -270,4 +272,4 @@ In those cases: `vyuh-dxkit allowlist add` is the right tool for per-finding dec
|
|
|
270
272
|
- For hook-related issues during a fix push → `dxkit-hooks` skill
|
|
271
273
|
- For re-running reports between fixes → `dxkit-reports` skill
|
|
272
274
|
- For broken dxkit install (hooks not firing, vyuh-dxkit not on PATH) → `dxkit-fix` skill
|
|
273
|
-
- For allowlist management beyond the per-finding `add` path
|
|
275
|
+
- For allowlist management beyond the per-finding `add` path — auditing existing entries (including orphans after a re-baseline), removing stale fingerprints, pruning expired ones, exporting to a `.snyk`, or reviewing the team's overall suppression posture → **dxkit-allowlist** skill
|