agent-security-scanner-mcp 3.20.0 → 4.0.0

package/code-review-agent/src/llm/router.ts

@@ -0,0 +1,86 @@
+import type { AnalysisOptions } from '../types/config.js';
+import { AnthropicProvider } from './anthropic.js';
+import { ClaudeCliProvider } from './claude-cli.js';
+import { OpenAIProvider } from './openai.js';
+import type { LLMProvider } from './provider.js';
+
+const TRIAGE_MODELS: Record<string, string> = {
+  anthropic: 'claude-haiku-4-5-20251001',
+  openai: 'gpt-4o-mini',
+  'claude-cli': 'haiku',
+};
+
+const ANALYSIS_MODELS: Record<string, string> = {
+  anthropic: 'claude-sonnet-4-20250514',
+  openai: 'gpt-4o',
+  'claude-cli': 'sonnet',
+};
+
+// Approximate USD per million tokens (input + output averaged)
+const COST_PER_MILLION: Record<string, number> = {
+  'claude-sonnet-4-20250514': 9,
+  'claude-haiku-4-5-20251001': 1.25,
+  'gpt-4o': 7.5,
+  'gpt-4o-mini': 0.3,
+};
+
+export class ModelRouter {
+  private triageProvider: LLMProvider | null = null;
+  private analysisProvider: LLMProvider | null = null;
+  private options: AnalysisOptions;
+
+  constructor(options: AnalysisOptions) {
+    this.options = options;
+  }
+
+  getTriageProvider(): LLMProvider {
+    if (!this.triageProvider) {
+      const model =
+        this.options.triageModel ?? TRIAGE_MODELS[this.options.provider];
+      this.triageProvider = this.createProvider(model);
+    }
+    return this.triageProvider;
+  }
+
+  getAnalysisProvider(): LLMProvider {
+    if (!this.analysisProvider) {
+      const model =
+        this.options.model ?? ANALYSIS_MODELS[this.options.provider];
+      this.analysisProvider = this.createProvider(model);
+    }
+    return this.analysisProvider;
+  }
+
+  estimateCost(tokens: number, model?: string): number {
+    const modelId =
+      model ?? this.options.model ?? ANALYSIS_MODELS[this.options.provider];
+    const rate = COST_PER_MILLION[modelId] ?? 5;
+    return (tokens / 1_000_000) * rate;
+  }
+
+  private createProvider(model: string): LLMProvider {
+    const provider = this.options.provider;
+
+    if (provider === 'claude-cli') {
+      return new ClaudeCliProvider(model);
+    }
+
+    const apiKey = this.getApiKey(provider);
+    if (provider === 'anthropic') {
+      return new AnthropicProvider(apiKey, model);
+    }
+    return new OpenAIProvider(apiKey, model);
+  }
+
+  private getApiKey(provider: string): string {
+    const envVar =
+      provider === 'anthropic' ? 'ANTHROPIC_API_KEY' : 'OPENAI_API_KEY';
+    const key = process.env[envVar];
+    if (!key) {
+      throw new Error(
+        `Missing API key. Set ${envVar} environment variable or pass it in options.`,
+      );
+    }
+    return key;
+  }
+}

package/code-review-agent/src/llm/schemas.ts

@@ -0,0 +1,125 @@
+import { z } from 'zod';
+
+type JsonSchema = Record<string, unknown>;
+
+export function zodToJsonSchema(schema: z.ZodTypeAny): JsonSchema {
+  return convertType(schema);
+}
+
+function convertType(schema: z.ZodTypeAny): JsonSchema {
+  const def = schema._def;
+  const typeName = def.typeName as string;
+
+  switch (typeName) {
+    case 'ZodString':
+      return { type: 'string' };
+
+    case 'ZodNumber': {
+      const result: JsonSchema = { type: 'number' };
+      for (const check of def.checks ?? []) {
+        if (check.kind === 'min') result.minimum = check.value;
+        if (check.kind === 'max') result.maximum = check.value;
+      }
+      return result;
+    }
+
+    case 'ZodBoolean':
+      return { type: 'boolean' };
+
+    case 'ZodLiteral':
+      return { type: typeof def.value, const: def.value };
+
+    case 'ZodEnum':
+      return { type: 'string', enum: def.values };
+
+    case 'ZodArray':
+      return { type: 'array', items: convertType(def.type) };
+
+    case 'ZodObject': {
+      const shape = def.shape();
+      const properties: Record<string, JsonSchema> = {};
+      const required: string[] = [];
+
+      for (const [key, value] of Object.entries(shape)) {
+        const fieldSchema = value as z.ZodTypeAny;
+        const isOptional = fieldSchema.isOptional();
+        properties[key] = convertType(fieldSchema);
+        if (!isOptional) {
+          required.push(key);
+        }
+      }
+
+      const result: JsonSchema = {
+        type: 'object',
+        properties,
+        additionalProperties: false,
+      };
+      if (required.length > 0) {
+        result.required = required;
+      }
+      return result;
+    }
+
+    case 'ZodOptional':
+      return convertType(def.innerType);
+
+    case 'ZodNullable': {
+      const inner = convertType(def.innerType);
+      return { anyOf: [inner, { type: 'null' }] };
+    }
+
+    case 'ZodDefault':
+      return convertType(def.innerType);
+
+    case 'ZodEffects':
+      return convertType(def.schema);
+
+    case 'ZodUnion': {
+      const options = (def.options as z.ZodTypeAny[]).map(convertType);
+      return { anyOf: options };
+    }
+
+    case 'ZodRecord':
+      return {
+        type: 'object',
+        additionalProperties: convertType(def.valueType),
+      };
+
+    default:
+      // Fail loud instead of silently producing invalid schema
+      throw new Error(`zodToJsonSchema: unsupported Zod type "${typeName}". Add explicit handling for this type.`);
+  }
+}
+
+export function zodToAnthropicTool(
+  schema: z.ZodTypeAny,
+  name: string,
+  description: string,
+): {
+  name: string;
+  description: string;
+  input_schema: JsonSchema;
+} {
+  return {
+    name,
+    description,
+    input_schema: zodToJsonSchema(schema),
+  };
+}
+
+export function zodToOpenAIResponseFormat(
+  schema: z.ZodTypeAny,
+  name: string,
+): {
+  type: 'json_schema';
+  json_schema: { name: string; strict: boolean; schema: JsonSchema };
+} {
+  return {
+    type: 'json_schema',
+    json_schema: {
+      name,
+      strict: true,
+      schema: zodToJsonSchema(schema),
+    },
+  };
+}

package/code-review-agent/src/types/analysis.ts

@@ -0,0 +1,62 @@
+import type { Finding, IntentProfile, TriageDecision } from './findings.js';
+
+export interface AnalysisResult {
+  findings: Finding[];
+  intentProfile: IntentProfile | null;
+  fileResults: FileAnalysisResult[];
+  stats: AnalysisStats;
+}
+
+export interface FileAnalysisResult {
+  file: string;
+  findings: Finding[];
+  triageDecision: TriageDecision | null;
+  tokensUsed: number;
+  skipped: boolean;
+  truncated: boolean;
+}
+
+export interface AnalysisStats {
+  filesAnalyzed: number;
+  filesSkipped: number;
+  totalFindings: number;
+  findingsBySeverity: Record<string, number>;
+  totalTokensUsed: number;
+  estimatedCost: number;
+  durationMs: number;
+}
+
+export interface ProjectContext {
+  readme: string;
+  packageMeta: Record<string, unknown> | null;
+  directoryTree: string;
+  envVars: string[];
+  hasDockerfile: boolean;
+  hasCI: boolean;
+  language: string;
+  framework: string;
+}
+
+export interface FileContext {
+  filePath: string;
+  content: string;
+  language: string;
+  lineCount: number;
+  imports: string[];
+  importedBy: string[];
+  siblingFiles: string[];
+  isTestFile: boolean;
+  isConfigFile: boolean;
+  isGenerated: boolean;
+}
+
+export interface DependencyNode {
+  file: string;
+  imports: string[];
+  importedBy: string[];
+}
+
+export interface DependencyGraph {
+  nodes: Map<string, DependencyNode>;
+  entryPoints: string[];
+}

package/code-review-agent/src/types/config.ts

@@ -0,0 +1,72 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+export interface AnalysisOptions {
+  provider: 'anthropic' | 'openai' | 'claude-cli';
+  model?: string;
+  triageModel?: string;
+  confidenceThreshold: number;
+  format: 'text' | 'json' | 'sarif';
+  verbose: boolean;
+  projectRoot: string;
+  exclude: string[];
+  concurrencyLimit: number;
+  maxFileSize: number;
+}
+
+export interface CRAgentConfig {
+  provider?: 'anthropic' | 'openai' | 'claude-cli';
+  model?: string;
+  triageModel?: string;
+  confidenceThreshold?: number;
+  exclude?: string[];
+  concurrencyLimit?: number;
+  maxFileSize?: number;
+}
+
+const DEFAULTS: AnalysisOptions = {
+  provider: 'anthropic',
+  confidenceThreshold: 0.7,
+  format: 'text',
+  verbose: false,
+  projectRoot: process.cwd(),
+  exclude: ['node_modules', 'dist', 'build', '.git', 'vendor', '__pycache__', '.venv', 'venv', 'env', '.env', 'site-packages', '.tox', '.mypy_cache', '.pytest_cache', 'coverage', '.nyc_output', '.next', 'target'],
+  concurrencyLimit: 5,
+  maxFileSize: 512 * 1024,
+};
+
+export function loadConfig(projectRoot: string): CRAgentConfig | null {
+  const configPath = path.join(projectRoot, '.cr-agent.json');
+  try {
+    const raw = fs.readFileSync(configPath, 'utf-8');
+    return JSON.parse(raw) as CRAgentConfig;
+  } catch {
+    return null;
+  }
+}
+
+export function resolveOptions(
+  cliFlags: Partial<AnalysisOptions>,
+  config: CRAgentConfig | null,
+  env: Record<string, string | undefined> = process.env,
+): AnalysisOptions {
+  return {
+    provider:
+      cliFlags.provider ??
+      config?.provider ??
+      (env.CR_AGENT_PROVIDER as AnalysisOptions['provider'] | undefined) ??
+      DEFAULTS.provider,
+    model: cliFlags.model ?? config?.model ?? env.CR_AGENT_MODEL ?? undefined,
+    triageModel: cliFlags.triageModel ?? config?.triageModel ?? undefined,
+    confidenceThreshold:
+      cliFlags.confidenceThreshold ??
+      config?.confidenceThreshold ??
+      (env.CR_AGENT_CONFIDENCE ? parseFloat(env.CR_AGENT_CONFIDENCE) : DEFAULTS.confidenceThreshold),
+    format: cliFlags.format ?? DEFAULTS.format,
+    verbose: cliFlags.verbose ?? DEFAULTS.verbose,
+    projectRoot: cliFlags.projectRoot ?? DEFAULTS.projectRoot,
+    exclude: cliFlags.exclude ?? config?.exclude ?? DEFAULTS.exclude,
+    concurrencyLimit: Math.max(1, cliFlags.concurrencyLimit ?? config?.concurrencyLimit ?? DEFAULTS.concurrencyLimit),
+    maxFileSize: cliFlags.maxFileSize ?? config?.maxFileSize ?? DEFAULTS.maxFileSize,
+  };
+}

package/code-review-agent/src/types/findings.ts

@@ -0,0 +1,81 @@
+import { z } from 'zod';
+
+export const SeveritySchema = z.enum(['critical', 'high', 'medium', 'low', 'info']);
+export type Severity = z.infer<typeof SeveritySchema>;
+
+export const CategorySchema = z.enum([
+  'logic-bug',
+  'security',
+  'race-condition',
+  'null-ref',
+  'boundary',
+  'type-error',
+  'unhandled-exception',
+  'other',
+]);
+export type Category = z.infer<typeof CategorySchema>;
+
+export const IntentAlignmentSchema = z.enum([
+  'violates-intent',
+  'matches-intent',
+  'unclear',
+]);
+export type IntentAlignment = z.infer<typeof IntentAlignmentSchema>;
+
+export const RiskDomainSchema = z.enum([
+  'web-api',
+  'cli-tool',
+  'library',
+  'build-tool',
+  'data-pipeline',
+  'desktop-app',
+  'unknown',
+]);
+export type RiskDomain = z.infer<typeof RiskDomainSchema>;
+
+export const LocationSchema = z.object({
+  file: z.string(),
+  startLine: z.number().int().min(1),
+  endLine: z.number().int().min(1),
+});
+
+export const FindingSchema = z.object({
+  title: z.string(),
+  severity: SeveritySchema,
+  category: CategorySchema,
+  location: LocationSchema,
+  reasoning: z.string(),
+  intentAlignment: IntentAlignmentSchema,
+  confidence: z.number().min(0).max(1),
+  suggestedAction: z.string(),
+  cwe: z.string().optional(),
+  owasp: z.string().optional(),
+});
+export type Finding = z.infer<typeof FindingSchema>;
+
+export const FileAnalysisResponseSchema = z.object({
+  findings: z.array(FindingSchema),
+});
+export type FileAnalysisResponse = z.infer<typeof FileAnalysisResponseSchema>;
+
+export const IntentProfileSchema = z.object({
+  purpose: z.string(),
+  expectedBehaviors: z.array(z.string()),
+  unexpectedBehaviors: z.array(z.string()),
+  framework: z.string(),
+  riskDomain: RiskDomainSchema,
+});
+export type IntentProfile = z.infer<typeof IntentProfileSchema>;
+
+export const AreaOfInterestSchema = z.object({
+  startLine: z.number(),
+  endLine: z.number(),
+  reason: z.string(),
+});
+
+export const TriageDecisionSchema = z.object({
+  action: z.enum(['analyze', 'skip']),
+  reason: z.string(),
+  areasOfInterest: z.array(AreaOfInterestSchema),
+});
+export type TriageDecision = z.infer<typeof TriageDecisionSchema>;

package/code-review-agent/tests/analyzer/engine.test.ts

@@ -0,0 +1,194 @@
+import { describe, it, expect, vi, beforeEach } from 'vitest';
+import * as path from 'node:path';
+import { AnalysisEngine } from '../../src/analyzer/engine.js';
+import type { AnalysisOptions } from '../../src/types/config.js';
+
+// We need to mock the ModelRouter to return our MockLLMProvider
+// Since the engine creates its own router, we mock at the module level
+const mockAnalysisResponse = {
+  findings: [
+    {
+      title: 'SQL Injection via string concatenation',
+      severity: 'critical' as const,
+      category: 'security' as const,
+      location: { file: 'server.js', startLine: 15, endLine: 15 },
+      reasoning: 'User input directly concatenated into SQL query',
+      intentAlignment: 'violates-intent' as const,
+      confidence: 0.95,
+      suggestedAction: 'Use parameterized queries',
+      cwe: 'CWE-89',
+    },
+    {
+      title: 'eval() on user input',
+      severity: 'critical' as const,
+      category: 'security' as const,
+      location: { file: 'server.js', startLine: 23, endLine: 23 },
+      reasoning: 'eval() with user-controlled input',
+      intentAlignment: 'violates-intent' as const,
+      confidence: 0.92,
+      suggestedAction: 'Remove eval, use a safe parser',
+      cwe: 'CWE-94',
+    },
+  ],
+};
+
+const mockIntentResponse = {
+  purpose: 'REST API server for user management',
+  expectedBehaviors: ['Handle HTTP requests', 'Query database'],
+  unexpectedBehaviors: ['Execute eval on user input', 'Write arbitrary files'],
+  framework: 'express',
+  riskDomain: 'web-api' as const,
+};
+
+const mockTriageAnalyze = {
+  action: 'analyze' as const,
+  reason: 'Contains HTTP handlers with database queries',
+  areasOfInterest: [{ startLine: 1, endLine: 50, reason: 'HTTP handler code' }],
+};
+
+// Mock the LLM modules to avoid needing real API keys
+vi.mock('../../src/llm/anthropic.js', () => ({
+  AnthropicProvider: class {
+    modelId = 'mock-model';
+    providerName = 'anthropic';
+    async chat() { return 'mock'; }
+    async chatStructured(_msgs: unknown, schema: { safeParse: (data: unknown) => { success: boolean; data: unknown } }, schemaName: string) {
+      const responses: Record<string, unknown> = {
+        intent_profile: mockIntentResponse,
+        file_analysis: mockAnalysisResponse,
+        triage_decision: mockTriageAnalyze,
+      };
+      const response = responses[schemaName];
+      const result = schema.safeParse(response);
+      if (!result.success) throw new Error('Schema validation failed');
+      return result.data;
+    }
+    countTokens(text: string) { return Math.ceil(text.length / 4); }
+  },
+}));
+
+vi.mock('../../src/llm/openai.js', () => ({
+  OpenAIProvider: class {
+    modelId = 'mock-model';
+    providerName = 'openai';
+    async chat() { return 'mock'; }
+    async chatStructured() { return {}; }
+    countTokens(text: string) { return Math.ceil(text.length / 4); }
+  },
+}));
+
+const FIXTURES_DIR = path.resolve(__dirname, '../fixtures');
+
+describe('AnalysisEngine', () => {
+  beforeEach(() => {
+    vi.stubEnv('ANTHROPIC_API_KEY', 'test-key');
+  });
+
+  it('analyzes vuln-api-server and finds vulnerabilities', async () => {
+    const options: AnalysisOptions = {
+      provider: 'anthropic',
+      confidenceThreshold: 0.7,
+      format: 'text',
+      verbose: false,
+      projectRoot: path.join(FIXTURES_DIR, 'vuln-api-server'),
+      exclude: ['node_modules', 'dist', '.git'],
+      concurrencyLimit: 5,
+      maxFileSize: 512 * 1024,
+    };
+
+    const engine = new AnalysisEngine(options);
+    const result = await engine.analyze('.');
+
+    expect(result.intentProfile).toBeTruthy();
+    expect(result.intentProfile?.riskDomain).toBe('web-api');
+    expect(result.findings.length).toBeGreaterThan(0);
+    expect(result.stats.filesAnalyzed).toBeGreaterThan(0);
+    expect(result.stats.durationMs).toBeGreaterThan(0);
+  });
+
+  it('returns sorted findings (critical first)', async () => {
+    const options: AnalysisOptions = {
+      provider: 'anthropic',
+      confidenceThreshold: 0.5,
+      format: 'text',
+      verbose: false,
+      projectRoot: path.join(FIXTURES_DIR, 'vuln-api-server'),
+      exclude: ['node_modules', 'dist', '.git'],
+      concurrencyLimit: 5,
+      maxFileSize: 512 * 1024,
+    };
+
+    const engine = new AnalysisEngine(options);
+    const result = await engine.analyze('.');
+
+    if (result.findings.length >= 2) {
+      const severityOrder = ['critical', 'high', 'medium', 'low', 'info'];
+      for (let i = 1; i < result.findings.length; i++) {
+        const prevIdx = severityOrder.indexOf(result.findings[i - 1].severity);
+        const currIdx = severityOrder.indexOf(result.findings[i].severity);
+        expect(currIdx).toBeGreaterThanOrEqual(prevIdx);
+      }
+    }
+  });
+
+  it('filters findings below confidence threshold', async () => {
+    const options: AnalysisOptions = {
+      provider: 'anthropic',
+      confidenceThreshold: 0.99,
+      format: 'text',
+      verbose: false,
+      projectRoot: path.join(FIXTURES_DIR, 'vuln-api-server'),
+      exclude: ['node_modules', 'dist', '.git'],
+      concurrencyLimit: 5,
+      maxFileSize: 512 * 1024,
+    };
+
+    const engine = new AnalysisEngine(options);
+    const result = await engine.analyze('.');
+
+    // All remaining findings should be above threshold
+    for (const f of result.findings) {
+      expect(f.confidence).toBeGreaterThanOrEqual(0.99);
+    }
+  });
+
+  it('computes stats correctly', async () => {
+    const options: AnalysisOptions = {
+      provider: 'anthropic',
+      confidenceThreshold: 0.7,
+      format: 'text',
+      verbose: false,
+      projectRoot: path.join(FIXTURES_DIR, 'vuln-api-server'),
+      exclude: ['node_modules', 'dist', '.git'],
+      concurrencyLimit: 5,
+      maxFileSize: 512 * 1024,
+    };
+
+    const engine = new AnalysisEngine(options);
+    const result = await engine.analyze('.');
+
+    expect(result.stats.filesAnalyzed + result.stats.filesSkipped).toBeGreaterThan(0);
+    expect(result.stats.totalFindings).toBe(result.findings.length);
+    expect(typeof result.stats.estimatedCost).toBe('number');
+  });
+
+  it('clamps private worker count when concurrency is zero', async () => {
+    const options: AnalysisOptions = {
+      provider: 'anthropic',
+      confidenceThreshold: 0.7,
+      format: 'text',
+      verbose: false,
+      projectRoot: path.join(FIXTURES_DIR, 'vuln-api-server'),
+      exclude: ['node_modules', 'dist', '.git'],
+      concurrencyLimit: 0,
+      maxFileSize: 512 * 1024,
+    };
+
+    const engine = new AnalysisEngine(options);
+    const results = await (engine as unknown as {
+      runParallel<T, R>(items: T[], fn: (item: T) => Promise<R>, limit: number): Promise<R[]>;
+    }).runParallel([1, 2, 3], async (value) => value * 2, 0);
+
+    expect(results).toEqual([2, 4, 6]);
+  });
+});

package/code-review-agent/tests/analyzer/intent.test.ts

@@ -0,0 +1,76 @@
+import { describe, it, expect } from 'vitest';
+import { IntentProfiler } from '../../src/analyzer/intent.js';
+import { MockLLMProvider } from '../helpers/mock-provider.js';
+import type { ProjectContext } from '../../src/types/analysis.js';
+
+const mockProjectContext: ProjectContext = {
+  readme: '# Test Project\nA REST API for user management.',
+  packageMeta: { name: 'test-api', dependencies: { express: '^4.18.0' } },
+  directoryTree: 'src/\n  server.js\n  routes/\n    users.js',
+  envVars: ['DATABASE_URL', 'JWT_SECRET'],
+  hasDockerfile: true,
+  hasCI: true,
+  language: 'javascript/typescript',
+  framework: 'express',
+};
+
+const mockIntentResponse = {
+  purpose: 'REST API for user management with authentication',
+  expectedBehaviors: [
+    'Handle HTTP requests',
+    'Read/write to database',
+    'Validate user input',
+    'Generate JWT tokens',
+  ],
+  unexpectedBehaviors: [
+    'Execute system commands',
+    'Write arbitrary files to disk',
+    'Eval user-controlled strings',
+  ],
+  framework: 'express',
+  riskDomain: 'web-api' as const,
+};
+
+describe('IntentProfiler', () => {
+  it('profiles a project and returns intent', async () => {
+    const provider = new MockLLMProvider({
+      intent_profile: mockIntentResponse,
+    });
+    const profiler = new IntentProfiler(provider);
+    const result = await profiler.profile(mockProjectContext);
+
+    expect(result.purpose).toBe(mockIntentResponse.purpose);
+    expect(result.riskDomain).toBe('web-api');
+    expect(result.expectedBehaviors).toHaveLength(4);
+    expect(result.unexpectedBehaviors).toHaveLength(3);
+    expect(result.framework).toBe('express');
+  });
+
+  it('caches intent profile for same project', async () => {
+    const provider = new MockLLMProvider({
+      intent_profile: mockIntentResponse,
+    });
+    const profiler = new IntentProfiler(provider);
+
+    await profiler.profile(mockProjectContext);
+    await profiler.profile(mockProjectContext);
+
+    expect(provider.structuredCalls).toHaveLength(1);
+  });
+
+  it('passes project context in the prompt', async () => {
+    const provider = new MockLLMProvider({
+      intent_profile: mockIntentResponse,
+    });
+    const profiler = new IntentProfiler(provider);
+
+    await profiler.profile(mockProjectContext);
+
+    const call = provider.structuredCalls[0];
+    expect(call.schemaName).toBe('intent_profile');
+
+    const userMessage = call.messages.find((m) => m.role === 'user');
+    expect(userMessage?.content).toContain('Test Project');
+    expect(userMessage?.content).toContain('express');
+  });
+});