@vyuhlabs/dxkit 2.9.1 → 2.9.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +41 -0
- package/README.md +3 -2
- package/dist/allowlist/cli.d.ts +38 -1
- package/dist/allowlist/cli.d.ts.map +1 -1
- package/dist/allowlist/cli.js +190 -3
- package/dist/allowlist/cli.js.map +1 -1
- package/dist/allowlist/file.d.ts +18 -0
- package/dist/allowlist/file.d.ts.map +1 -1
- package/dist/allowlist/file.js +10 -1
- package/dist/allowlist/file.js.map +1 -1
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +23 -4
- package/dist/cli.js.map +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +7 -1
- package/dist/generator.js.map +1 -1
- package/dist/ingest/env-file.d.ts +40 -0
- package/dist/ingest/env-file.d.ts.map +1 -0
- package/dist/ingest/env-file.js +163 -0
- package/dist/ingest/env-file.js.map +1 -0
- package/dist/ingest/snyk-policy.d.ts +60 -0
- package/dist/ingest/snyk-policy.d.ts.map +1 -0
- package/dist/ingest/snyk-policy.js +104 -0
- package/dist/ingest/snyk-policy.js.map +1 -0
- package/dist/ingest-cli.d.ts +4 -0
- package/dist/ingest-cli.d.ts.map +1 -1
- package/dist/ingest-cli.js +23 -4
- package/dist/ingest-cli.js.map +1 -1
- package/package.json +1 -1
- package/templates/.claude/skills/dxkit-action/SKILL.md +5 -3
- package/templates/.claude/skills/dxkit-allowlist/SKILL.md +107 -0
- package/templates/.claude/skills/dxkit-config/SKILL.md +4 -4
- package/templates/.claude/skills/dxkit-fix/SKILL.md +1 -1
- package/templates/.claude/skills/dxkit-ingest/SKILL.md +2 -0
@@ -91,7 +91,7 @@ If doctor flags a tool (git, dotnet, node, npm, a scanner) as missing but the cu
2. Add that directory to `.dxkit/tools.json` `probePaths` (hand off to **dxkit-config**, which documents the file).
3. Re-run `npx vyuh-dxkit doctor` to confirm it now resolves.
-
This matters: an undetected scanner means `baseline create` silently captured ZERO findings for that tool's category —
+
This matters: an undetected scanner means `baseline create` silently captured ZERO findings for that tool's category — refresh the baseline once detection is fixed. Do that through the `dxkit-baseline-refresh` CI workflow, not a local `baseline create --force`: a local refresh records your machine's scanner versions in the committed baseline, so the next PR's guardrail emits spurious `TOOLING-DRIFT` warnings and phantom "resolved" findings when CI's versions differ.
## Capturing the FIRST baseline — be deliberate
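Review bot: the replacement line 94 repeats, almost word for word, the new blockquote added to the dxkit-ingest skill in this same release (a local `baseline create --force` bakes your machine's scanner versions into the committed baseline, producing spurious `TOOLING-DRIFT` warnings and phantom "resolved" findings); keep that explanation in one place, such as the skill that documents the `dxkit-baseline-refresh` workflow, and have the other file reference it so the two copies cannot drift apart. The line also tells the reader to refresh via CI but not how to confirm the fix worked; a closing sentence saying to check that the refreshed baseline now contains findings for the previously undetected tool's category would complete the instruction.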
@@ -88,6 +88,8 @@ Compiled languages (Java, C#, Kotlin, Go) need a working build for CodeQL extrac
Ingested findings flow through the same aggregate as native findings, so they appear in the vulnerability report (with the engine as the `tool`), get a stable fingerprint, dedupe against any overlapping semgrep finding, and — with `--graph-context` — carry the enclosing symbol + blast radius the agent needs to fix safely. That graph enrichment is the part the source engine's own autofix doesn't have.
+
> **Step [4] belongs in CI, not on your laptop.** Adding ingested findings changes the finding set, so the baseline must be refreshed to pick them up. Do that through the bundled `dxkit-baseline-refresh` workflow (workflow_dispatch / post-merge), NOT a local `baseline create --force`. A local refresh bakes your machine's scanner versions into the committed baseline; when they differ from CI's, the next PR gets spurious `TOOLING-DRIFT` warnings and phantom "resolved" findings. Refresh the snapshot AND the baseline from CI so both are captured with CI's tool versions.
+
## Keeping it fresh (CI)
Add a scheduled refresh (mirrors `dxkit-baseline-refresh`): a CI job with the `SNYK_TOKEN` secret runs `ingest --from-snyk` and commits the updated snapshot. The bundled `--with-deep-sast-refresh` workflow (`workflow_dispatch`) does exactly this; its `method` input picks `api` (Enterprise, quota-free) or `cli` (free/team, one test per run). The ingested findings are a point-in-time snapshot of the engine's last scan — re-ingest after the engine re-scans.
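Review bot: the new blockquote opens with "Step [4] belongs in CI" but nothing in the visible context names that step, so the pointer breaks silently if the list above is renumbered; name the action instead (for example "the baseline refresh step") or quote the command it refers to. The blockquote also overlaps with the "Keeping it fresh (CI)" section directly below it, which already describes the scheduled `dxkit-baseline-refresh`-style job; consider folding the CI-not-laptop warning into that section, or having the blockquote point to it, rather than restating the `TOOLING-DRIFT` and phantom-"resolved" mechanics twice on the same page.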