@vyuhlabs/dxkit 2.9.4 → 2.11.0
- package/CHANGELOG.md +236 -0
- package/dist/allowlist/annotate.d.ts +71 -0
- package/dist/allowlist/annotate.d.ts.map +1 -0
- package/dist/allowlist/annotate.js +105 -0
- package/dist/allowlist/annotate.js.map +1 -0
- package/dist/allowlist/cli.d.ts +29 -23
- package/dist/allowlist/cli.d.ts.map +1 -1
- package/dist/allowlist/cli.js +141 -70
- package/dist/allowlist/cli.js.map +1 -1
- package/dist/allowlist/file.d.ts +7 -1
- package/dist/allowlist/file.d.ts.map +1 -1
- package/dist/allowlist/file.js +7 -1
- package/dist/allowlist/file.js.map +1 -1
- package/dist/analysis-result.d.ts +10 -0
- package/dist/analysis-result.d.ts.map +1 -1
- package/dist/analyzers/cache.d.ts +1 -0
- package/dist/analyzers/cache.d.ts.map +1 -1
- package/dist/analyzers/cache.js +69 -0
- package/dist/analyzers/cache.js.map +1 -1
- package/dist/analyzers/dashboard/index.d.ts.map +1 -1
- package/dist/analyzers/dashboard/index.js +6 -1
- package/dist/analyzers/dashboard/index.js.map +1 -1
- package/dist/analyzers/health.d.ts.map +1 -1
- package/dist/analyzers/health.js +17 -2
- package/dist/analyzers/health.js.map +1 -1
- package/dist/analyzers/security/actions.d.ts.map +1 -1
- package/dist/analyzers/security/actions.js +13 -0
- package/dist/analyzers/security/actions.js.map +1 -1
- package/dist/analyzers/security/aggregator.d.ts +97 -79
- package/dist/analyzers/security/aggregator.d.ts.map +1 -1
- package/dist/analyzers/security/aggregator.js +168 -56
- package/dist/analyzers/security/aggregator.js.map +1 -1
- package/dist/analyzers/security/gather.d.ts +2 -0
- package/dist/analyzers/security/gather.d.ts.map +1 -1
- package/dist/analyzers/security/gather.js +36 -4
- package/dist/analyzers/security/gather.js.map +1 -1
- package/dist/analyzers/security/index.d.ts.map +1 -1
- package/dist/analyzers/security/index.js +81 -2
- package/dist/analyzers/security/index.js.map +1 -1
- package/dist/analyzers/security/scanner-drift.d.ts +21 -0
- package/dist/analyzers/security/scanner-drift.d.ts.map +1 -0
- package/dist/analyzers/security/scanner-drift.js +113 -0
- package/dist/analyzers/security/scanner-drift.js.map +1 -0
- package/dist/analyzers/security/shallow.d.ts.map +1 -1
- package/dist/analyzers/security/shallow.js +24 -2
- package/dist/analyzers/security/shallow.js.map +1 -1
- package/dist/analyzers/security/types.d.ts +64 -4
- package/dist/analyzers/security/types.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.d.ts +133 -20
- package/dist/analyzers/tools/fingerprint.d.ts.map +1 -1
- package/dist/analyzers/tools/fingerprint.js +194 -20
- package/dist/analyzers/tools/fingerprint.js.map +1 -1
- package/dist/analyzers/tools/gitleaks.d.ts +2 -2
- package/dist/analyzers/tools/gitleaks.d.ts.map +1 -1
- package/dist/analyzers/tools/gitleaks.js +7 -1
- package/dist/analyzers/tools/gitleaks.js.map +1 -1
- package/dist/analyzers/tools/graphify.d.ts +11 -0
- package/dist/analyzers/tools/graphify.d.ts.map +1 -1
- package/dist/analyzers/tools/graphify.js +457 -413
- package/dist/analyzers/tools/graphify.js.map +1 -1
- package/dist/analyzers/tools/grep-secrets.d.ts.map +1 -1
- package/dist/analyzers/tools/grep-secrets.js +31 -12
- package/dist/analyzers/tools/grep-secrets.js.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.d.ts.map +1 -1
- package/dist/analyzers/tools/osv-scanner-fix.js +12 -1
- package/dist/analyzers/tools/osv-scanner-fix.js.map +1 -1
- package/dist/analyzers/tools/salt.d.ts +68 -0
- package/dist/analyzers/tools/salt.d.ts.map +1 -0
- package/dist/{baseline → analyzers/tools}/salt.js +59 -18
- package/dist/analyzers/tools/salt.js.map +1 -0
- package/dist/analyzers/tools/semgrep.d.ts +7 -7
- package/dist/analyzers/tools/semgrep.d.ts.map +1 -1
- package/dist/analyzers/tools/semgrep.js +14 -7
- package/dist/analyzers/tools/semgrep.js.map +1 -1
- package/dist/analyzers/tools/tool-registry.d.ts.map +1 -1
- package/dist/analyzers/tools/tool-registry.js +78 -43
- package/dist/analyzers/tools/tool-registry.js.map +1 -1
- package/dist/analyzers/tools/walk-source-files.d.ts +10 -0
- package/dist/analyzers/tools/walk-source-files.d.ts.map +1 -1
- package/dist/analyzers/tools/walk-source-files.js +14 -0
- package/dist/analyzers/tools/walk-source-files.js.map +1 -1
- package/dist/analyzers/types.d.ts +9 -0
- package/dist/analyzers/types.d.ts.map +1 -1
- package/dist/baseline/baseline-file.d.ts +9 -2
- package/dist/baseline/baseline-file.d.ts.map +1 -1
- package/dist/baseline/baseline-file.js.map +1 -1
- package/dist/baseline/check-renderers.d.ts.map +1 -1
- package/dist/baseline/check-renderers.js +14 -0
- package/dist/baseline/check-renderers.js.map +1 -1
- package/dist/baseline/check.d.ts +33 -0
- package/dist/baseline/check.d.ts.map +1 -1
- package/dist/baseline/check.js +78 -2
- package/dist/baseline/check.js.map +1 -1
- package/dist/baseline/create.d.ts +1 -1
- package/dist/baseline/create.d.ts.map +1 -1
- package/dist/baseline/create.js +3 -1
- package/dist/baseline/create.js.map +1 -1
- package/dist/baseline/entry-to-located.d.ts +12 -5
- package/dist/baseline/entry-to-located.d.ts.map +1 -1
- package/dist/baseline/entry-to-located.js +21 -7
- package/dist/baseline/entry-to-located.js.map +1 -1
- package/dist/baseline/finding-identity.d.ts +20 -13
- package/dist/baseline/finding-identity.d.ts.map +1 -1
- package/dist/baseline/finding-identity.js +51 -20
- package/dist/baseline/finding-identity.js.map +1 -1
- package/dist/baseline/git-aware-match.d.ts +7 -5
- package/dist/baseline/git-aware-match.d.ts.map +1 -1
- package/dist/baseline/git-aware-match.js +78 -5
- package/dist/baseline/git-aware-match.js.map +1 -1
- package/dist/baseline/migrate.d.ts +94 -0
- package/dist/baseline/migrate.d.ts.map +1 -0
- package/dist/baseline/migrate.js +238 -0
- package/dist/baseline/migrate.js.map +1 -0
- package/dist/baseline/producers/security.d.ts +9 -9
- package/dist/baseline/producers/security.d.ts.map +1 -1
- package/dist/baseline/producers/security.js +16 -4
- package/dist/baseline/producers/security.js.map +1 -1
- package/dist/baseline/types.d.ts +145 -95
- package/dist/baseline/types.d.ts.map +1 -1
- package/dist/baseline/types.js +30 -26
- package/dist/baseline/types.js.map +1 -1
- package/dist/explore/context-hook.d.ts +49 -29
- package/dist/explore/context-hook.d.ts.map +1 -1
- package/dist/explore/context-hook.js +304 -29
- package/dist/explore/context-hook.js.map +1 -1
- package/dist/explore/finding-context.d.ts +17 -0
- package/dist/explore/finding-context.d.ts.map +1 -1
- package/dist/explore/finding-context.js +34 -0
- package/dist/explore/finding-context.js.map +1 -1
- package/dist/explore/queries.d.ts +32 -15
- package/dist/explore/queries.d.ts.map +1 -1
- package/dist/explore/queries.js +36 -6
- package/dist/explore/queries.js.map +1 -1
- package/dist/generator.d.ts.map +1 -1
- package/dist/generator.js +13 -7
- package/dist/generator.js.map +1 -1
- package/dist/ingest/normalize.d.ts +1 -1
- package/dist/ingest/normalize.d.ts.map +1 -1
- package/dist/ingest/normalize.js +5 -1
- package/dist/ingest/normalize.js.map +1 -1
- package/dist/ingest/sarif.d.ts.map +1 -1
- package/dist/ingest/sarif.js +16 -7
- package/dist/ingest/sarif.js.map +1 -1
- package/dist/ingest/snyk-policy.d.ts +22 -1
- package/dist/ingest/snyk-policy.d.ts.map +1 -1
- package/dist/ingest/snyk-policy.js +75 -18
- package/dist/ingest/snyk-policy.js.map +1 -1
- package/dist/ingest/types.d.ts +23 -12
- package/dist/ingest/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.d.ts +64 -53
- package/dist/languages/capabilities/types.d.ts.map +1 -1
- package/dist/languages/capabilities/types.js +4 -4
- package/dist/languages/index.d.ts +28 -5
- package/dist/languages/index.d.ts.map +1 -1
- package/dist/languages/index.js +38 -7
- package/dist/languages/index.js.map +1 -1
- package/dist/languages/typescript.d.ts.map +1 -1
- package/dist/languages/typescript.js +19 -0
- package/dist/languages/typescript.js.map +1 -1
- package/dist/scoring/dimensions/security.d.ts +17 -0
- package/dist/scoring/dimensions/security.d.ts.map +1 -1
- package/dist/scoring/dimensions/security.js +12 -0
- package/dist/scoring/dimensions/security.js.map +1 -1
- package/dist/update.d.ts.map +1 -1
- package/dist/update.js +49 -0
- package/dist/update.js.map +1 -1
- package/dist/upgrade.d.ts.map +1 -1
- package/dist/upgrade.js +2 -1
- package/dist/upgrade.js.map +1 -1
- package/package.json +6 -3
- package/templates/.claude/skills/dxkit-action/SKILL.md +11 -2
- package/templates/.claude/skills/dxkit-allowlist/SKILL.md +9 -0
- package/templates/.claude/skills/dxkit-onboard/SKILL.md +2 -2
- package/templates/.claude/skills/dxkit-update/SKILL.md +45 -4
- package/dist/baseline/salt.d.ts +0 -45
- package/dist/baseline/salt.d.ts.map +0 -1
- package/dist/baseline/salt.js.map +0 -1
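--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -7,6 +7,242 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [2.11.0] - 2026-06-16
+
+### Code-graph quality, guardrail reliability on JS/TS, and a dogfooding pass
+
+dxkit was run on its own repo and on real public targets, the way a user would.
+That surfaced a cluster of graph-quality and guardrail-identity defects — several
+HIGH — that the unit suite couldn't catch because they only appear on the default
+configuration, end-to-end. This release closes them.
+
+#### Code graph
+
+- **JS/TS method extraction (via `graphifyy` 0.8.40).** Function symbols defined as
+`this.x = () => {}` (constructor-assigned methods), `exports.x` / `module.exports.x`,
+prototype methods, class arrow fields, and function expressions are now captured.
+Previously only top-level declarations, `const` arrows, and class-method shorthand
+were, so on expression-style JS and CommonJS the bulk of callable symbols — and any
+call edges to them — were invisible. On a constructor-style DAO, a file goes from 1
+captured symbol to all of its methods. (Fixed upstream in
+[safishamsi/graphify#1323](https://github.com/safishamsi/graphify/pull/1323).)
+- **The code graph is restricted to source files.** graphify also parses `.md`
+(headings → nodes) and `.json` (config + lockfile keys → nodes); on a JS repo that
+made the graph ~92% non-code (a `package-lock.json` alone outweighed all application
+code). A source-extension allowlist, sourced from the language registry, keeps the
+graph to actual code — node counts, communities, hot-files, api-surface, and the
+context-hook's file summaries all stop being diluted by docs/config.
+
+#### Guardrail + finding identity
+
+- **Dependency-vulnerability identity is now environment-independent.** The
+fingerprint hashed `(package, installedVersion, id)`; the installed version is only
+resolvable when the dependency tree is installed (`npm-audit` reads `node_modules`),
+so a lockfile-only scanner — or any scan in an environment without `node_modules` —
+omitted it, and the **same advisory forked into two identities by scan environment.**
+Identity is now `(package, canonicalAdvisoryId)`: the version is display metadata, not
+identity, and the advisory id is canonicalized across namespaces (GHSA → CVE → raw) so
+different scanners agree on the same vulnerability.
+**Migration:** dep-vuln fingerprints change. `ref-based` baselines: nothing to do.
+`committed-full` baselines: run `vyuh-dxkit baseline create --force` once; the
+transition run shows dep-vulns as resolved+added (non-blocking) until re-baselined.
+Fingerprint-allowlisted dep-vulns (rare) need re-adding.
+- **Secret + code-pattern finding identity is anchored to content, not line position.**
+A finding's durable fingerprint hashed its file plus a 3-line window, so any edit that
+shifted a finding more than three lines re-minted its identity — which silently
+stranded the allowlist entry pinned to it (the suppression stopped matching) and
+churned the baseline on edits that never touched the finding. Identity now derives from
+*what the finding is*, computed only from inputs dxkit derives itself — never a scanner's
+captured text or an environment-derived salt: a secret from a tool-independent constant
+plus its file plus an in-file ordinal (no captured value, no salt — so the same leak gets
+one identity whether gitleaks or the grep fallback found it, and identically across a
+developer's machine and CI); a code-pattern finding from its enclosing symbol (resolved
+from the code graph, or the file when no symbol resolves) plus a hash of the matched span
+plus an in-symbol ordinal; a config finding (`.env`-in-git) from `(rule, file)`. The line
+number becomes display metadata. A finding keeps its identity when it moves and re-mints
+only when the matched construct — or its enclosing function — actually changes, so
+allowlist entries and baselines survive refactors and unrelated edits. Ingested SARIF
+findings (Snyk Code / CodeQL) earn the same code anchor from the engine's reported
+snippet. When no anchor is resolvable (e.g. a scanner that surfaces no matched snippet)
+identity falls back to the previous line-window hash, so every finding still has a stable
+id.
+**Migration — one command:** secret/code/config and dep-vuln fingerprints change once.
+Every artifact now records the identity scheme it was written under, and the upgrade is
+automatic:
+
+```
+npm i -D @vyuhlabs/dxkit@latest
+vyuh-dxkit update # detects the scheme change → migrates baseline + allowlist
+git add .dxkit && git commit -m "chore(dxkit): adopt this release"
+```
+
+`update` rewrites the allowlist's fingerprints onto the new scheme (preserving every
+reviewed suppression — no re-reviewing, no copying fingerprints from reports) and
+regenerates the baseline, reporting what it re-anchored and flagging any entry whose
+finding is gone. Inline `dxkit-allow:` source annotations need nothing (they match by
+location). If you skip `update` and run the guardrail directly, it stops with an
+explicit "run `vyuh-dxkit update`" message instead of reporting every pre-existing
+finding as net-new. `ref-based` repos (no committed baseline) need nothing. Manual
+fallback if you'd rather not use `update`: `vyuh-dxkit baseline create --force` plus
+re-adding fingerprint-based allowlist entries by hand. Refresh committed SARIF
+snapshots (`vyuh-dxkit ingest …`) so ingested findings pick up content anchors; until
+refreshed they ride the line-window fallback.
+- **`ref-based` guardrail is reliable on JS/TS repos.** ref-based gathers the prior side
+from a detached `git worktree` that has no `node_modules` or coverage report, so the
+build-artifact-dependent kinds (`duplication` via jscpd, `test-gap` via coverage)
+under-produced on the prior side and the current side's full set read as net-new. They
+are now excluded from both sides of a ref-based diff (symmetric), with a disclosure in
+the console + PR-comment output; `committed-full` remains the mode that gates them.
+- **The analysis cache invalidates on `.dxkit/` input changes.** Editing
+`.dxkit/allowlist.json` had no effect until the commit changed, because the cache
+key tracked `.dxkit-ignore` but not the allowlist / policy / ingested-snapshot inputs
+that live under the same `.dxkit/` prefix the dirty-check excludes. The cache key now
+folds in a content digest of those inputs, so an allowlist edit re-scores immediately.
+
+#### Toolchain
+
+- **vitest 4.** Bumps vitest + `@vitest/coverage-v8` to v4 and clears the critical +
+high dev-tooling advisories in the vitest → vite → esbuild chain (plus `tmp`). All
+dev-only — none ship in `dist/`. No published-`engines` change.
+
+## [2.10.0] - 2026-06-13
+
+### Honest scoring under changing scanners, passive graph delivery, tool-robustness
+
+Closes a set of brownfield-install and guardrail-matcher defects (the original
+2.9.5 hardening), a class of scoring-honesty bugs (a Security score that could get
+worse on an unchanged commit, with nothing explaining why), a defensive
+tool-version-pin sweep, and the agentic-delivery redesign that finally routes the
+code graph to the agent in a real fix workflow.
+
+#### Scoring honesty
+
+A Security score could drop on an **unchanged commit** — e.g. after an upgrade
+enabled more scanners, or because a repo's own reviewed-and-accepted findings kept
+holding it at a cap. The measurement was getting more honest, but the output
+didn't explain it, and a properly-triaged repo couldn't recover its score. These
+close that gap.
+
+- **Symmetric unavailable-scanner caps.** A missing dependency-audit
+already capped the Security score at the uncertainty tier, but missing
+secret/code-pattern scanners silently scored as "0 findings" — so enabling
+those scanners later read as a phantom regression. The secret and code-pattern
+axes now get the same uncertainty cap when their scan didn't run, surfaced in
+`metrics.toolsUnavailable` and the standalone vuln-scan report.
+- **The score respects the allowlist.** Findings reviewed-and-accepted as
+`false-positive` / `test-fixture` are now lifted from the Security penalties and
+caps (not just the guardrail), so a triaged repo scores honestly instead of
+staying capped on noise it has already accepted. `accepted-risk` / `deferred` /
+`mitigated-externally` still count — accepting a real risk can't earn an A. The
+vulnerability report and dashboard also annotate allowlisted findings and render
+`Subtotal N (M allowlisted)` so the raw counts are explained, not alarming.
+- **Scanner-coverage drift is disclosed.** When the active scanner set grew
+since the last run, the vuln-scan report leads with a note: findings the new
+scanners surface are newly **visible**, not newly **introduced**. This is the
+root-cause explanation for a score that moved on unchanged code.
+- **Secret severity is never lowered by file path.** A hardcoded credential keeps
+its natural severity whether it sits in production code or a test — the generic
+matcher can't tell a throwaway fixture from a real secret leaked into a test, so
+lowering severity by path would silently hide genuine leaks. Test-file noise is
+managed by the allowlist score-lift above (review fixtures once with
+`--category test-fixture`), not by hiding. The vulnerability report now flags how
+many secret findings sit in test files and points fixtures at the allowlist; the
+`dxkit-action` and `dxkit-allowlist` skills gain an explicit triage step
+(confirm fixture vs. real, allowlist fakes, rotate reals) so an agent handles
+this judgment per finding rather than blanket-ignoring the test directory.
+- **Systematic test-file detection.** Tests organized under Jest's `__tests__/`
+directory — or named with the widespread `.unit.` / `.e2e.` / `.cy.` suffixes —
+were classified as source, corrupting the test ratio, coverage, and test-gap
+analysis. The cross-ecosystem test directories (`__tests__/`, `test/`, `tests/`,
+`spec/`, `e2e/`) are now recognized in any language; the TS pack gains the
+co-located suffix conventions.
+- **Dependency-audit cleanup on Windows (EPERM).** The osv-scanner-fix temp-dir
+cleanup now retries with backoff and never throws out of its `finally`, so a
+Windows handle race (npm-install grandchildren / antivirus) can no longer
+discard the already-parsed fix plans — which had let dependency vulnerabilities
+go silently unreported.
+
+#### Passive graph delivery (agentic value)
+
+- **Context-hook fires on the tools agents actually use.** Pre-2.10 the graph
+context-hook fired only on the native `Grep`/`Glob` tools and only when the
+search pattern substring-matched a symbol name — so in a real fix workflow
+(agents search via `Bash grep` for a symptom, and read files directly) it
+almost never engaged. It now fires on **Read/Edit** (keyed on the file touched
+→ that file's structural summary: symbols, callers, callees, module group),
+**Bash** (parses grep/rg commands; a named source file delivers its summary,
+else a symbol match on the pattern), and the original **Grep/Glob** path.
+Per-session, per-file dedup keeps it cheap; the FAIL-OPEN + ADDITIVE contract is
+preserved (any problem is a silent no-op). **Existing repos must re-run
+`vyuh-dxkit init`** (or update `.claude/settings.json`) to pick up the broadened
+`Read|Edit|Bash|Grep|Glob` matcher.
+
+#### Snyk sync
+
+- **`.dxkit-ignore` → `.snyk` exclude sync.** `allowlist export --snyk` now also
+emits the paths dxkit's analyzers skip (`.dxkit-ignore`) into the `.snyk`
+`exclude.global` block, so Snyk and dxkit agree on what's out of scope —
+mirroring the existing allowlist → `.snyk` ignore sync. An export carrying only
+exclusions still writes.
+
+#### Tool-robustness + matcher rename fixes
+
+Hardening pass closing a set of brownfield-install and guardrail-matcher
+defects surfaced while benchmarking on Python 3.14 and large real-world repos.
+
+#### Fixed
+
+- **graphify on Python 3.14.** Python 3.14 made `forkserver` the default
+multiprocessing start method on Linux. graphify parallelises extraction with a
+`ProcessPoolExecutor`, and under spawn/forkserver each worker re-imports the
+generated script — re-running top-level extraction and crashing the run (no
+`.dxkit/reports/graph.json` written; every graph-dependent feature silently
+degraded). The generated script now wraps its execution body in
+`if __name__ == '__main__'` — graphify's own documented requirement for
+parallel extraction — so it is correct on every platform and start method
+(Linux fork/forkserver, macOS/Windows spawn) while keeping multi-core
+extraction. The previous forced `set_start_method('fork')` workaround is
+removed.
+- **graphify cache redirect.** The on-disk cache is now redirected via
+graphify's public `extract(cache_root=...)` parameter instead of
+monkeypatching the internal `graphify.cache.cache_dir`, whose signature
+changed in graphifyy 0.8 (`cache_dir(root)` → `cache_dir(root, kind)`) and
+crashed the run. This also stops graphify's `atexit` stat-index flush from
+writing a stray `graphify-out/` into the scanned repo. The temp cache lives
+under the caller-owned script dir and is reclaimed after the process (and its
+atexit handlers) exit. `graphifyy` is pinned to `0.8.36`.
+- **jscpd version pin.** jscpd is pinned to `4.2.5`. jscpd 5.x is a Rust
+rewrite that dropped the `--gitignore` flag (dxkit passed it → exit 2) and
+changed the report JSON schema dxkit parses.
+- **Guardrail matcher — whole-file rename relocation.** Renaming a source
+file no longer reports its whole-file findings (test-gap, coverage-gap,
+test-file-degradation, god-file, stale-file, large-file) as removed + added,
+which falsely blocked the guardrail on a pure rename. The git-aware matcher
+now relocates these line-less, file-anchored findings through git's rename
+detection, keyed on `(renamed-path, kind)` so two different whole-file kinds
+on the same renamed file never cross-pair.
+
+#### Tool-version pins
+
+- **Defensive pin sweep.** Nine more dxkit-owned, deterministic-output scanners
+are pinned to their current releases (semgrep `1.165.0`, ruff `0.15.17`,
+pip-audit `2.10.1`, pip-licenses `5.5.5`, coverage `7.14.1`,
+license-checker-rseidelsohn `5.0.1`, golangci-lint `v1.64.8` — the v1 line,
+since v2 is a breaking rewrite on a separate module path — govulncheck `v1.3.0`,
+go-licenses `v1.6.0`), so a future breaking major can't silently change parsed
+output or exit codes the way jscpd 5.x and graphifyy 0.8 did. Five tools stay
+unpinned by design and are now documented as such: `eslint` + `vitest-coverage`
+(project-local — the consumer owns the version), `snyk` (a SaaS client that
+self-manages backend compatibility), `codeql` (a GitHub-managed bundle paired
+with query packs), and `cloc` (non-semver npm tag, lowest-risk schema). Proper
+schema-adaptive multi-version handling is planned for a later release.
+
+#### Internal
+
+- The version-pin guard test partitions every registry tool into pinned /
+unpinned-by-design / package-manager-tracked, so a tool can't be added or
+un-pinned without a deliberate decision.
+
 ## [2.9.4] - 2026-06-09
 
 ### Connecting findings + PRs to the people who know the code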
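--- a/package/dist/allowlist/annotate.d.ts
+++ b/package/dist/allowlist/annotate.d.ts
@@ -0,0 +1,71 @@
+/**
+* Annotate security findings with their active-allowlist status
+* for REPORTING (not gating).
+*
+* The guardrail already consults the allowlist to decide whether a
+* net-new finding blocks a push (`src/baseline/check.ts`). But the
+* vulnerability-scan report and dashboard rendered raw counts with no
+* indication that some findings are reviewed-and-accepted — a repo that
+* has correctly allowlisted, say, its unit-test fixtures still showed
+* them as headline criticals with no visual distinction, which reads as
+* "the score is lying."
+*
+* This module marks each finding whose fingerprint matches an ACTIVE
+* (unexpired) allowlist entry so renderers can show "(N allowlisted)"
+* beside the subtotal. It does NOT change raw counts and does NOT change
+* the score — dxkit's raw-truth model is preserved; only the
+* presentation gains an honesty annotation.
+*
+* Identity contract (CLAUDE.md Rule 9): this module never computes a
+* fingerprint. It matches against the fingerprint the aggregator
+* already stamped on each code/secret/config finding (plus the
+* `absorbedFingerprints` recorded when cross-tool dedup collapsed
+* contributors — same robust-match set the guardrail uses). Dependency
+* findings are keyed by `(package, version, id)` through a producer and
+* carry no inline fingerprint, so they are out of scope here.
+*/
+import { type AllowlistFile } from './file';
+import type { AllowlistCategory } from './categories';
+import type { FindingCategory } from '../analyzers/security/types';
+/**
+* The minimal finding shape this module reads + writes. The runtime
+* objects are richer (`CodeFinding` carries `fingerprint` +
+* `absorbedFingerprints`); we accept the structural subset so callers
+* pass their findings directly without a cast.
+*/
+export interface AnnotatableFinding {
+readonly category: FindingCategory;
+readonly fingerprint?: string;
+readonly absorbedFingerprints?: readonly string[];
+allowlisted?: boolean;
+allowlistCategory?: AllowlistCategory;
+}
+/**
+* Whether an active allowlist entry of this category should LIFT the
+* finding from the dimension score (penalties + caps), not just from
+* the guardrail.
+*
+* `false-positive` and `test-fixture` declare the finding is "not a real
+* finding" — a misfire or throwaway test data — so a properly-triaged
+* repo shouldn't carry a score penalty for it (the failure mode where a
+* repo stays capped at the trust-broken tier despite having reviewed and
+* accepted every flagged secret). `accepted-risk` and `deferred`, by
+* contrast, accept a REAL risk: the guardrail stops blocking on them,
+* but the score must still reflect the residual exposure — you can't
+* `accepted-risk` your way to an A. `mitigated-externally` counts too:
+* the risk is real, just handled outside dxkit.
+*/
+export declare function allowlistLiftsScore(category: AllowlistCategory | undefined): boolean;
+/**
+* Mutate `findings` in place, setting `allowlisted` + `allowlistCategory`
+* on each finding matched by an active allowlist entry. Returns the count
+* of findings annotated, so callers can short-circuit rendering when zero.
+*
+* A finding matches when ANY of its candidate fingerprints (its own
+* `fingerprint`, then any `absorbedFingerprints`) resolves to an
+* allowlist entry whose `kind` equals the finding's kind and which is
+* active at `now`. The kind guard rules out a cross-kind hash collision
+* waiving the wrong finding — mirrors `allowlistSuppressionFor`.
+*/
+export declare function annotateFindingsWithAllowlist(findings: AnnotatableFinding[], allowlist: AllowlistFile | null, now?: Date): number;
+//# sourceMappingURL=annotate.d.ts.map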
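--- a/package/dist/allowlist/annotate.d.ts.map
+++ b/package/dist/allowlist/annotate.d.ts.map
@@ -0,0 +1 @@
+{"version":3,"file":"annotate.d.ts","sourceRoot":"","sources":["../../src/allowlist/annotate.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,OAAO,EAAE,KAAK,aAAa,EAA4B,MAAM,QAAQ,CAAC;AACtE,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAC;AACtD,OAAO,KAAK,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAGnE;;;;;GAKG;AACH,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,QAAQ,EAAE,eAAe,CAAC;IACnC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,SAAS,MAAM,EAAE,CAAC;IAClD,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,iBAAiB,CAAC,EAAE,iBAAiB,CAAC;CACvC;AAoBD;;;;;;;;;;;;;;GAcG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,SAAS,GAAG,OAAO,CAEpF;AAED;;;;;;;;;;GAUG;AACH,wBAAgB,6BAA6B,CAC3C,QAAQ,EAAE,kBAAkB,EAAE,EAC9B,SAAS,EAAE,aAAa,GAAG,IAAI,EAC/B,GAAG,GAAE,IAAiB,GACrB,MAAM,CAuBR"}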
@@ -0,0 +1,105 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
3
|
+
exports.allowlistLiftsScore = allowlistLiftsScore;
|
|
4
|
+
exports.annotateFindingsWithAllowlist = annotateFindingsWithAllowlist;
|
|
5
|
+
/**
|
|
6
|
+
* Annotate security findings with their active-allowlist status
|
|
7
|
+
* for REPORTING (not gating).
|
|
8
|
+
*
|
|
9
|
+
* The guardrail already consults the allowlist to decide whether a
|
|
10
|
+
* net-new finding blocks a push (`src/baseline/check.ts`). But the
|
|
11
|
+
* vulnerability-scan report and dashboard rendered raw counts with no
|
|
12
|
+
* indication that some findings are reviewed-and-accepted — a repo that
|
|
13
|
+
* has correctly allowlisted, say, its unit-test fixtures still showed
|
|
14
|
+
* them as headline criticals with no visual distinction, which reads as
|
|
15
|
+
* "the score is lying."
|
|
16
|
+
*
|
|
17
|
+
* This module marks each finding whose fingerprint matches an ACTIVE
|
|
18
|
+
* (unexpired) allowlist entry so renderers can show "(N allowlisted)"
|
|
19
|
+
* beside the subtotal. It does NOT change raw counts and does NOT change
|
|
20
|
+
* the score — dxkit's raw-truth model is preserved; only the
|
|
21
|
+
* presentation gains an honesty annotation.
|
|
22
|
+
*
|
|
23
|
+
* Identity contract (CLAUDE.md Rule 9): this module never computes a
|
|
24
|
+
* fingerprint. It matches against the fingerprint the aggregator
|
|
25
|
+
* already stamped on each code/secret/config finding (plus the
|
|
26
|
+
* `absorbedFingerprints` recorded when cross-tool dedup collapsed
|
|
27
|
+
* contributors — same robust-match set the guardrail uses). Dependency
|
|
28
|
+
* findings are keyed by `(package, version, id)` through a producer and
|
|
29
|
+
* carry no inline fingerprint, so they are out of scope here.
|
|
30
|
+
*/
|
|
31
|
+
const file_1 = require("./file");
|
|
32
|
+
/**
|
|
33
|
+
* Map a report `FindingCategory` to the canonical `IdentityKind` used
|
|
34
|
+
* by allowlist entries. Only the three fingerprint-bearing categories
|
|
35
|
+
* resolve; `dependency` returns null (out of scope — see module doc).
|
|
36
|
+
*/
|
|
37
|
+
function kindForCategory(category) {
|
|
38
|
+
switch (category) {
|
|
39
|
+
case 'secret':
|
|
40
|
+
return 'secret';
|
|
41
|
+
case 'code':
|
|
42
|
+
return 'code';
|
|
43
|
+
case 'config':
|
|
44
|
+
return 'config';
|
|
45
|
+
case 'dependency':
|
|
46
|
+
return null;
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
/**
|
|
50
|
+
* Whether an active allowlist entry of this category should LIFT the
|
|
51
|
+
* finding from the dimension score (penalties + caps), not just from
|
|
52
|
+
* the guardrail.
|
|
53
|
+
*
|
|
54
|
+
* `false-positive` and `test-fixture` declare the finding is "not a real
|
|
55
|
+
* finding" — a misfire or throwaway test data — so a properly-triaged
|
|
56
|
+
* repo shouldn't carry a score penalty for it (the failure mode where a
|
|
57
|
+
* repo stays capped at the trust-broken tier despite having reviewed and
|
|
58
|
+
* accepted every flagged secret). `accepted-risk` and `deferred`, by
|
|
59
|
+
* contrast, accept a REAL risk: the guardrail stops blocking on them,
|
|
60
|
+
* but the score must still reflect the residual exposure — you can't
|
|
61
|
+
* `accepted-risk` your way to an A. `mitigated-externally` counts too:
|
|
62
|
+
* the risk is real, just handled outside dxkit.
|
|
63
|
+
*/
|
|
64
|
+
function allowlistLiftsScore(category) {
|
|
65
|
+
return category === 'false-positive' || category === 'test-fixture';
|
|
66
|
+
}
|
|
67
|
+
/**
|
|
68
|
+
* Mutate `findings` in place, setting `allowlisted` + `allowlistCategory`
|
|
69
|
+
* on each finding matched by an active allowlist entry. Returns the count
|
|
70
|
+
* of findings annotated, so callers can short-circuit rendering when zero.
|
|
71
|
+
*
|
|
72
|
+
* A finding matches when ANY of its candidate fingerprints (its own
|
|
73
|
+
* `fingerprint`, then any `absorbedFingerprints`) resolves to an
|
|
74
|
+
* allowlist entry whose `kind` equals the finding's kind and which is
|
|
75
|
+
* active at `now`. The kind guard rules out a cross-kind hash collision
|
|
76
|
+
* waiving the wrong finding — mirrors `allowlistSuppressionFor`.
|
|
77
|
+
*/
|
|
78
|
+
function annotateFindingsWithAllowlist(findings, allowlist, now = new Date()) {
|
|
79
|
+
if (!allowlist || allowlist.entries.length === 0)
|
|
80
|
+
return 0;
|
|
81
|
+
let annotated = 0;
|
|
82
|
+
for (const f of findings) {
|
|
83
|
+
const kind = kindForCategory(f.category);
|
|
84
|
+
if (!kind)
|
|
85
|
+
continue;
|
|
86
|
+
const candidates = [];
|
|
87
|
+
if (f.fingerprint)
|
|
88
|
+
candidates.push(f.fingerprint);
|
|
89
|
+
if (f.absorbedFingerprints)
|
|
90
|
+
candidates.push(...f.absorbedFingerprints);
|
|
91
|
+
for (const fp of candidates) {
|
|
92
|
+
const entry = (0, file_1.findEntry)(allowlist, fp);
|
|
93
|
+
if (!entry || entry.kind !== kind)
|
|
94
|
+
continue;
|
|
95
|
+
if (!(0, file_1.isEntryActive)(entry, now))
|
|
96
|
+
continue;
|
|
97
|
+
f.allowlisted = true;
|
|
98
|
+
f.allowlistCategory = entry.category;
|
|
99
|
+
annotated++;
|
|
100
|
+
break;
|
|
101
|
+
}
|
|
102
|
+
}
|
|
103
|
+
return annotated;
|
|
104
|
+
}
|
|
105
|
+
//# sourceMappingURL=annotate.js.map
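Review bot: A finding that is not matched in this run keeps whatever `allowlisted` / `allowlistCategory` values it already carried, because the loop in `annotateFindingsWithAllowlist` only ever sets the two fields and the early `return 0` for a missing or empty allowlist skips the loop entirely. If finding objects are ever reused across runs (the same release touches `analyzers/cache.js`, so this may be the case), an entry that has since expired or been removed would still render as allowlisted — the opposite of the "honesty annotation" the module header describes. A reset pass ahead of the early return, `for (const f of findings) { f.allowlisted = false; f.allowlistCategory = undefined; }`, makes the annotation idempotent without touching the matching logic. A smaller point: `kindForCategory` yields `undefined` rather than `null` for a category outside the four cases; the `if (!kind)` guard covers it, but the header comment promising `null` could state that the fall-through is intentional.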
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"annotate.js","sourceRoot":"","sources":["../../src/allowlist/annotate.ts"],"names":[],"mappings":";;AA8EA,kDAEC;AAaD,sEA2BC;AAxHD;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,iCAAsE;AAmBtE;;;;GAIG;AACH,SAAS,eAAe,CAAC,QAAyB;IAChD,QAAQ,QAAQ,EAAE,CAAC;QACjB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,MAAM;YACT,OAAO,MAAM,CAAC;QAChB,KAAK,QAAQ;YACX,OAAO,QAAQ,CAAC;QAClB,KAAK,YAAY;YACf,OAAO,IAAI,CAAC;IAChB,CAAC;AACH,CAAC;AAED;;;;;;;;;;;;;;GAcG;AACH,SAAgB,mBAAmB,CAAC,QAAuC;IACzE,OAAO,QAAQ,KAAK,gBAAgB,IAAI,QAAQ,KAAK,cAAc,CAAC;AACtE,CAAC;AAED;;;;;;;;;;GAUG;AACH,SAAgB,6BAA6B,CAC3C,QAA8B,EAC9B,SAA+B,EAC/B,MAAY,IAAI,IAAI,EAAE;IAEtB,IAAI,CAAC,SAAS,IAAI,SAAS,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,CAAC,CAAC;IAE3D,IAAI,SAAS,GAAG,CAAC,CAAC;IAClB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,eAAe,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;QACzC,IAAI,CAAC,IAAI;YAAE,SAAS;QAEpB,MAAM,UAAU,GAAa,EAAE,CAAC;QAChC,IAAI,CAAC,CAAC,WAAW;YAAE,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC;QAClD,IAAI,CAAC,CAAC,oBAAoB;YAAE,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,oBAAoB,CAAC,CAAC;QAEvE,KAAK,MAAM,EAAE,IAAI,UAAU,EAAE,CAAC;YAC5B,MAAM,KAAK,GAAG,IAAA,gBAAS,EAAC,SAAS,EAAE,EAAE,CAAC,CAAC;YACvC,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,IAAI,KAAK,IAAI;gBAAE,SAAS;YAC5C,IAAI,CAAC,IAAA,oBAAa,EAAC,KAAK,EAAE,GAAG,CAAC;gBAAE,SAAS;YACzC,CAAC,CAAC,WAAW,GAAG,IAAI,CAAC;YACrB,CAAC,CAAC,iBAAiB,GAAG,KAAK,CAAC,QAAQ,CAAC;YACrC,SAAS,EAAE,CAAC;YACZ,MAAM;QACR,CAAC;IACH,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC"}
|
package/dist/allowlist/cli.d.ts
CHANGED
|
@@ -4,22 +4,22 @@
|
|
|
4
4
|
*
|
|
5
5
|
* Subcommands (Sprint 1 chunk):
|
|
6
6
|
*
|
|
7
|
-
*
|
|
8
|
-
*
|
|
9
|
-
*
|
|
7
|
+
* - `add <file>:<line>` — inline annotation insertion. Kind-agnostic;
|
|
8
|
+
* the annotation grammar carries category + reason only. Refuses
|
|
9
|
+
* non-inline-compatible categories (accepted-risk / deferred).
|
|
10
10
|
*
|
|
11
|
-
*
|
|
12
|
-
*
|
|
13
|
-
*
|
|
14
|
-
*
|
|
15
|
-
*
|
|
11
|
+
* - `add --fingerprint=<id> --kind=<kind>` — file-level allowlist
|
|
12
|
+
* entry. Persists to `.dxkit/allowlist.json` (or its sanitized
|
|
13
|
+
* mode + gitignored reasons sidecar). Required for any
|
|
14
|
+
* accepted-risk / deferred suppression OR any kind that lacks a
|
|
15
|
+
* stable single-line attachment point.
|
|
16
16
|
*
|
|
17
|
-
*
|
|
18
|
-
*
|
|
17
|
+
* - `list` — print every entry across the file-level allowlist.
|
|
18
|
+
* Reads only; no mutation. Honors `--json` for structured output.
|
|
19
19
|
*
|
|
20
|
-
*
|
|
21
|
-
*
|
|
22
|
-
*
|
|
20
|
+
* - `show <fingerprint>` — print one entry's full detail. Falls
|
|
21
|
+
* back to a "no entry found" message when the fingerprint isn't
|
|
22
|
+
* present.
|
|
23
23
|
*
|
|
24
24
|
* Subcommands `audit` and `prune` land in a follow-up commit.
|
|
25
25
|
*
|
|
@@ -39,8 +39,8 @@ export declare const ALLOWLIST_SUBCOMMANDS: readonly ["add", "list", "show", "au
|
|
|
39
39
|
export type AllowlistSubcommand = (typeof ALLOWLIST_SUBCOMMANDS)[number];
|
|
40
40
|
export interface AllowlistAddOpts {
|
|
41
41
|
/** Positional target. `<file>:<line>` for inline form; absent or a
|
|
42
|
-
*
|
|
43
|
-
*
|
|
42
|
+
* bare file path for file-level form (requires `--fingerprint`
|
|
43
|
+
* + `--kind`). */
|
|
44
44
|
readonly target?: string;
|
|
45
45
|
readonly category?: string;
|
|
46
46
|
readonly reason?: string;
|
|
@@ -50,8 +50,8 @@ export interface AllowlistAddOpts {
|
|
|
50
50
|
readonly acknowledgedSeverity?: string;
|
|
51
51
|
readonly addedBy?: string;
|
|
52
52
|
/** Override the configured mode for this write only. Default
|
|
53
|
-
*
|
|
54
|
-
*
|
|
53
|
+
* reads from `.dxkit/policy.json` (out of scope here; this
|
|
54
|
+
* module accepts a flag to choose). */
|
|
55
55
|
readonly mode?: AllowlistMode;
|
|
56
56
|
}
|
|
57
57
|
export interface AllowlistShowOpts {
|
|
@@ -66,9 +66,9 @@ export interface AllowlistAuditOpts {
|
|
|
66
66
|
/** Soon-to-expire horizon in days (default 14). */
|
|
67
67
|
readonly soonToExpireDays?: number;
|
|
68
68
|
/** Cross-check fingerprints against the committed baseline so the
|
|
69
|
-
*
|
|
70
|
-
*
|
|
71
|
-
*
|
|
69
|
+
* audit can flag orphaned entries (suppress nothing in the current
|
|
70
|
+
* finding set). Off by default — keeps `audit` a pure read of the
|
|
71
|
+
* allowlist file unless the user opts in. */
|
|
72
72
|
readonly againstBaseline?: boolean;
|
|
73
73
|
/** Named baseline to diff against (default `main`). */
|
|
74
74
|
readonly baselineName?: string;
|
|
@@ -84,7 +84,7 @@ export interface AllowlistExportOpts {
|
|
|
84
84
|
readonly out?: string;
|
|
85
85
|
readonly json?: boolean;
|
|
86
86
|
/** ISO datetime stamped as each ignore's `created`. Defaults to now;
|
|
87
|
-
*
|
|
87
|
+
* injectable for deterministic tests. */
|
|
88
88
|
readonly now?: string;
|
|
89
89
|
}
|
|
90
90
|
export interface AllowlistPruneOpts {
|
|
@@ -92,8 +92,8 @@ export interface AllowlistPruneOpts {
|
|
|
92
92
|
/** Don't write; just print what would be removed. */
|
|
93
93
|
readonly dryRun?: boolean;
|
|
94
94
|
/** Skip confirmation prompt + write directly. Default behavior
|
|
95
|
-
*
|
|
96
|
-
*
|
|
95
|
+
* in Sprint 1 (no interactive prompts in dxkit yet) — the flag
|
|
96
|
+
* is accepted for future-proofing. */
|
|
97
97
|
readonly yes?: boolean;
|
|
98
98
|
}
|
|
99
99
|
/**
|
|
@@ -125,6 +125,12 @@ export declare function runAllowlistRemove(cwd: string, opts: AllowlistRemoveOpt
|
|
|
125
125
|
* reason + expiry. Expired entries are skipped (they no longer
|
|
126
126
|
* suppress). Only `snyk-code` findings export — native semgrep /
|
|
127
127
|
* gitleaks findings have no Snyk equivalent.
|
|
128
|
+
*
|
|
129
|
+
* 2.10 also syncs the PATH-EXCLUSION half: `.dxkit-ignore` patterns
|
|
130
|
+
* (the paths dxkit's own analyzers skip) are emitted into the `.snyk`
|
|
131
|
+
* `exclude.global` block, so Snyk and dxkit agree on what's out of
|
|
132
|
+
* scope. The two halves compose into one `.snyk`; an export carrying
|
|
133
|
+
* only exclusions (no allowlisted Snyk findings yet) still writes.
|
|
128
134
|
*/
|
|
129
135
|
export declare function runAllowlistExport(cwd: string, opts: AllowlistExportOpts): Promise<void>;
|
|
130
136
|
export { DEFAULT_EXPIRY_DAYS };
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/allowlist/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../src/allowlist/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AA6BH,OAAO,EAEL,mBAAmB,EAMpB,MAAM,cAAc,CAAC;AACtB,OAAO,EACL,kBAAkB,EAelB,KAAK,aAAa,EAEnB,MAAM,QAAQ,CAAC;AAGhB,2DAA2D;AAC3D,eAAO,MAAM,qBAAqB,wEAQxB,CAAC;AACX,MAAM,MAAM,mBAAmB,GAAG,CAAC,OAAO,qBAAqB,CAAC,CAAC,MAAM,CAAC,CAAC;AAEzE,MAAM,WAAW,gBAAgB;IAC/B;;sBAEkB;IAClB,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAC3B,QAAQ,CAAC,MAAM,CAAC,EAAE,MAAM,CAAC;IACzB,QAAQ,CAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IACvB,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B,QAAQ,CAAC,oBAAoB,CAAC,EAAE,MAAM,CAAC;IACvC,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,CAAC;IAC1B;;2CAEuC;IACvC,QAAQ,CAAC,IAAI,CAAC,EAAE,aAAa,CAAC;CAC/B;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,iBAAiB;IAChC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,mDAAmD;IACnD,QAAQ,CAAC,gBAAgB,CAAC,EAAE,MAAM,CAAC;IACnC;;;iDAG6C;IAC7C,QAAQ,CAAC,eAAe,CAAC,EAAE,OAAO,CAAC;IACnC,uDAAuD;IACvD,QAAQ,CAAC,YAAY,CAAC,EAAE,MAAM,CAAC;CAChC;AAED,MAAM,WAAW,mBAAmB;IAClC,QAAQ,CAAC,WAAW,CAAC,EAAE,MAAM,CAAC;IAC9B,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;CACzB;AAED,MAAM,WAAW,mBAAmB;IAClC,uDAAuD;IACvD,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,4CAA4C;IAC5C,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;IACtB,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB;6CACyC;IACzC,QAAQ,CAAC,GAAG,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,CAAC,IAAI,CAAC,EAAE,OAAO,CAAC;IACxB,qDAAqD;IACrD,QAAQ,CAAC,MAAM,CAAC,EAAE,OAAO,CAAC;IAC1B;;0CAEsC;IACtC,QAAQ,CAAC,GAAG,CAAC,EAAE,OAAO,CAAC;CACxB;AAED;;;;;GAKG;AACH,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,EACX,UAAU,EAAE,MAAM,GAAG,SAAS,EAC9B,IAAI,EAAE;IACJ,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACjC,GACA,OAAO,CAAC,IAAI,CAAC,CAyDf;AAID,wBAAsB,eAAe,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,E
AAE,gBAAgB,GAAG,OAAO,CAAC,IAAI,CAAC,CAqBxF;AAyHD,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuB1F;AAID,wBAAsB,gBAAgB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,iBAAiB,GAAG,OAAO,CAAC,IAAI,CAAC,CA8B1F;AAID,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAuG5F;AAID,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,kBAAkB,GAAG,OAAO,CAAC,IAAI,CAAC,CAmC5F;AAID,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CA4B9F;AAID;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAsB,kBAAkB,CAAC,GAAG,EAAE,MAAM,EAAE,IAAI,EAAE,mBAAmB,GAAG,OAAO,CAAC,IAAI,CAAC,CAmI9F;AAmJD,OAAO,EAAE,mBAAmB,EAAE,CAAC;AAG/B,OAAO,EAAE,kBAAkB,EAAE,CAAC"}
|