api-tests-coverage 1.0.0

package/dist/src/security/gate/index.js

@@ -0,0 +1,65 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.evaluateSecurityGate = evaluateSecurityGate;
+// ─── Gate evaluation ──────────────────────────────────────────────────────────
+/**
+ * Count findings matching specific criteria.
+ */
+function countFindings(findings, predicate) {
+    return findings.filter(predicate).length;
+}
+/**
+ * Evaluate the security gate against normalized findings.
+ * Returns a SecurityGateResult with pass/fail status and detailed reasons.
+ */
+function evaluateSecurityGate(findings, config) {
+    const reasons = [];
+    const counts = {
+        critical: countFindings(findings, (f) => f.severity === 'CRITICAL'),
+        high: countFindings(findings, (f) => f.severity === 'HIGH'),
+        medium: countFindings(findings, (f) => f.severity === 'MEDIUM'),
+        low: countFindings(findings, (f) => f.severity === 'LOW'),
+        secrets: countFindings(findings, (f) => f.category === 'secret'),
+        misconfigHigh: countFindings(findings, (f) => f.category === 'misconfig' && (f.severity === 'HIGH' || f.severity === 'CRITICAL')),
+        criticalVulns: countFindings(findings, (f) => f.category === 'sca' && f.severity === 'CRITICAL'),
+        highVulns: countFindings(findings, (f) => f.category === 'sca' && f.severity === 'HIGH'),
+    };
+    // ── failOnCritical ────────────────────────────────────────────────────────
+    if (config.failOnCritical && counts.critical > 0) {
+        reasons.push(`${counts.critical} CRITICAL finding(s) found (failOnCritical=true)`);
+    }
+    // ── failOnHigh ────────────────────────────────────────────────────────────
+    if (config.failOnHigh && counts.high > 0) {
+        reasons.push(`${counts.high} HIGH finding(s) found (failOnHigh=true)`);
+    }
+    // ── maxMedium ─────────────────────────────────────────────────────────────
+    if (config.maxMedium !== undefined && counts.medium > config.maxMedium) {
+        reasons.push(`${counts.medium} MEDIUM finding(s) found, exceeds maxMedium=${config.maxMedium}`);
+    }
+    // ── maxLow ────────────────────────────────────────────────────────────────
+    if (config.maxLow !== undefined && counts.low > config.maxLow) {
+        reasons.push(`${counts.low} LOW finding(s) found, exceeds maxLow=${config.maxLow}`);
+    }
+    // ── maxSecrets ────────────────────────────────────────────────────────────
+    if (config.maxSecrets !== undefined && counts.secrets > config.maxSecrets) {
+        reasons.push(`${counts.secrets} secret(s) found, exceeds maxSecrets=${config.maxSecrets}`);
+    }
+    // ── maxMisconfigHigh ─────────────────────────────────────────────────────
+    if (config.maxMisconfigHigh !== undefined && counts.misconfigHigh > config.maxMisconfigHigh) {
+        reasons.push(`${counts.misconfigHigh} HIGH/CRITICAL misconfiguration(s) found, exceeds maxMisconfigHigh=${config.maxMisconfigHigh}`);
+    }
+    // ── maxCriticalVulns ─────────────────────────────────────────────────────
+    if (config.maxCriticalVulns !== undefined && counts.criticalVulns > config.maxCriticalVulns) {
+        reasons.push(`${counts.criticalVulns} CRITICAL vulnerability(ies) found, exceeds maxCriticalVulns=${config.maxCriticalVulns}`);
+    }
+    // ── maxHighVulns ─────────────────────────────────────────────────────────
+    if (config.maxHighVulns !== undefined && counts.highVulns > config.maxHighVulns) {
+        reasons.push(`${counts.highVulns} HIGH vulnerability(ies) found, exceeds maxHighVulns=${config.maxHighVulns}`);
+    }
+    return {
+        passed: reasons.length === 0,
+        reasons,
+        thresholds: config,
+        counts,
+    };
+}

package/dist/src/security/index.d.ts

@@ -0,0 +1,30 @@
+import { SecurityScanConfig, SecurityScanSummary, ScannerResult } from './types';
+export * from './types';
+export { normalizeSemgrepOutput } from './normalizers/semgrep';
+export { normalizeTrivyOutput } from './normalizers/trivy';
+export { normalizeZapOutput } from './normalizers/zap';
+export { evaluateSecurityGate } from './gate/index';
+/**
+ * Run all configured security scanners and collect findings.
+ */
+export declare function runSecurityScanners(config: SecurityScanConfig): Promise<ScannerResult[]>;
+/**
+ * Build a SecurityScanSummary from scanner results.
+ */
+export declare function buildSecurityScanSummary(results: ScannerResult[], config: SecurityScanConfig): SecurityScanSummary;
+/**
+ * Generate all security scan reports in the given directory.
+ */
+export declare function generateSecurityScanReports(summary: SecurityScanSummary, reportsDir: string): void;
+/**
+ * Run the complete security scan workflow:
+ * 1. Execute configured scanners
+ * 2. Normalize findings
+ * 3. Build summary
+ * 4. Evaluate gate
+ * 5. Generate reports
+ *
+ * Returns the SecurityScanSummary for further use.
+ */
+export declare function runSecurityScan(config: SecurityScanConfig, reportsDir?: string): Promise<SecurityScanSummary>;
+//# sourceMappingURL=index.d.ts.map

package/dist/src/security/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/security/index.ts"],"names":[],"mappings":"AAOA,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EAKnB,aAAa,EACd,MAAM,SAAS,CAAC;AAQjB,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAIpD;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,aAAa,EAAE,CAAC,CAkB1B;AAID;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,aAAa,EAAE,EACxB,MAAM,EAAE,kBAAkB,GACzB,mBAAmB,CAoDrB;AAID;;GAEG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,mBAAmB,EAC5B,UAAU,EAAE,MAAM,GACjB,IAAI,CA2EN;AAuKD;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,kBAAkB,EAC1B,UAAU,GAAE,MAAkB,GAC7B,OAAO,CAAC,mBAAmB,CAAC,CAM9B"}

package/dist/src/security/index.js

@@ -0,0 +1,342 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.evaluateSecurityGate = exports.normalizeZapOutput = exports.normalizeTrivyOutput = exports.normalizeSemgrepOutput = void 0;
+exports.runSecurityScanners = runSecurityScanners;
+exports.buildSecurityScanSummary = buildSecurityScanSummary;
+exports.generateSecurityScanReports = generateSecurityScanReports;
+exports.runSecurityScan = runSecurityScan;
+/**
+ * Security scanning orchestrator.
+ * Coordinates scanner execution, normalization, report generation,
+ * and security gate evaluation.
+ */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const semgrep_1 = require("./scanners/semgrep");
+const trivy_1 = require("./scanners/trivy");
+const zap_1 = require("./scanners/zap");
+const index_1 = require("./gate/index");
+// ─── Re-exports ───────────────────────────────────────────────────────────────
+__exportStar(require("./types"), exports);
+var semgrep_2 = require("./normalizers/semgrep");
+Object.defineProperty(exports, "normalizeSemgrepOutput", { enumerable: true, get: function () { return semgrep_2.normalizeSemgrepOutput; } });
+var trivy_2 = require("./normalizers/trivy");
+Object.defineProperty(exports, "normalizeTrivyOutput", { enumerable: true, get: function () { return trivy_2.normalizeTrivyOutput; } });
+var zap_2 = require("./normalizers/zap");
+Object.defineProperty(exports, "normalizeZapOutput", { enumerable: true, get: function () { return zap_2.normalizeZapOutput; } });
+var index_2 = require("./gate/index");
+Object.defineProperty(exports, "evaluateSecurityGate", { enumerable: true, get: function () { return index_2.evaluateSecurityGate; } });
+// ─── Scanner orchestration ────────────────────────────────────────────────────
+/**
+ * Run all configured security scanners and collect findings.
+ */
+async function runSecurityScanners(config) {
+    var _a, _b, _c, _d, _e;
+    const workspace = path.resolve((_a = config.workspace) !== null && _a !== void 0 ? _a : '.');
+    const results = [];
+    const scanners = (_b = config.scanners) !== null && _b !== void 0 ? _b : {};
+    if ((_c = scanners.semgrep) === null || _c === void 0 ? void 0 : _c.enabled) {
+        results.push(await (0, semgrep_1.runSemgrep)(scanners.semgrep, workspace));
+    }
+    if ((_d = scanners.trivy) === null || _d === void 0 ? void 0 : _d.enabled) {
+        results.push(await (0, trivy_1.runTrivy)(scanners.trivy, workspace));
+    }
+    if ((_e = scanners.zap) === null || _e === void 0 ? void 0 : _e.enabled) {
+        results.push(await (0, zap_1.runZap)(scanners.zap));
+    }
+    return results;
+}
+// ─── Summary builder ──────────────────────────────────────────────────────────
+/**
+ * Build a SecurityScanSummary from scanner results.
+ */
+function buildSecurityScanSummary(results, config) {
+    var _a, _b, _c;
+    const allFindings = results.flatMap((r) => r.findings);
+    const scannersRun = results
+        .filter((r) => r.success || r.findings.length > 0)
+        .map((r) => r.scanner);
+    const bySeverity = {
+        LOW: 0,
+        MEDIUM: 0,
+        HIGH: 0,
+        CRITICAL: 0,
+    };
+    const byCategory = {
+        sast: 0,
+        sca: 0,
+        secret: 0,
+        misconfig: 0,
+        dast: 0,
+        auth: 0,
+        injection: 0,
+        'data-exposure': 0,
+        crypto: 0,
+        unknown: 0,
+    };
+    const byScanner = {
+        semgrep: 0,
+        trivy: 0,
+        zap: 0,
+        gitleaks: 0,
+        other: 0,
+    };
+    for (const finding of allFindings) {
+        bySeverity[finding.severity] = ((_a = bySeverity[finding.severity]) !== null && _a !== void 0 ? _a : 0) + 1;
+        byCategory[finding.category] = ((_b = byCategory[finding.category]) !== null && _b !== void 0 ? _b : 0) + 1;
+        byScanner[finding.scanner] = ((_c = byScanner[finding.scanner]) !== null && _c !== void 0 ? _c : 0) + 1;
+    }
+    const gateResult = config.gate
+        ? (0, index_1.evaluateSecurityGate)(allFindings, config.gate)
+        : undefined;
+    return {
+        scannersRun,
+        totalFindings: allFindings.length,
+        bySeverity,
+        byCategory,
+        byScanner,
+        findings: allFindings,
+        gateResult,
+    };
+}
+// ─── Report generation ────────────────────────────────────────────────────────
+/**
+ * Generate all security scan reports in the given directory.
+ */
+function generateSecurityScanReports(summary, reportsDir) {
+    if (!fs.existsSync(reportsDir)) {
+        fs.mkdirSync(reportsDir, { recursive: true });
+    }
+    const { findings } = summary;
+    // ── security-scan-summary.json ────────────────────────────────────────────
+    const summaryJson = {
+        scannersRun: summary.scannersRun,
+        totalFindings: summary.totalFindings,
+        bySeverity: summary.bySeverity,
+        byCategory: summary.byCategory,
+        byScanner: summary.byScanner,
+        gateResult: summary.gateResult,
+    };
+    fs.writeFileSync(path.join(reportsDir, 'security-scan-summary.json'), JSON.stringify(summaryJson, null, 2), 'utf-8');
+    // ── security-sast.json ────────────────────────────────────────────────────
+    const sast = findings.filter((f) => f.scanner === 'semgrep' || f.category === 'sast' || f.category === 'injection');
+    fs.writeFileSync(path.join(reportsDir, 'security-sast.json'), JSON.stringify(sast, null, 2), 'utf-8');
+    // ── security-dependencies.json ────────────────────────────────────────────
+    const deps = findings.filter((f) => f.category === 'sca');
+    fs.writeFileSync(path.join(reportsDir, 'security-dependencies.json'), JSON.stringify(deps, null, 2), 'utf-8');
+    // ── security-secrets.json ─────────────────────────────────────────────────
+    const secrets = findings.filter((f) => f.category === 'secret');
+    fs.writeFileSync(path.join(reportsDir, 'security-secrets.json'), JSON.stringify(secrets, null, 2), 'utf-8');
+    // ── security-misconfig.json ───────────────────────────────────────────────
+    const misconfig = findings.filter((f) => f.category === 'misconfig');
+    fs.writeFileSync(path.join(reportsDir, 'security-misconfig.json'), JSON.stringify(misconfig, null, 2), 'utf-8');
+    // ── security-dast.json ────────────────────────────────────────────────────
+    const dast = findings.filter((f) => f.scanner === 'zap' || f.category === 'dast');
+    fs.writeFileSync(path.join(reportsDir, 'security-dast.json'), JSON.stringify(dast, null, 2), 'utf-8');
+    // ── security-ai-summary.md ────────────────────────────────────────────────
+    const md = buildAiSummaryMarkdown(summary);
+    fs.writeFileSync(path.join(reportsDir, 'security-ai-summary.md'), md, 'utf-8');
+    // ── security-scan-summary.html ────────────────────────────────────────────
+    const html = buildSummaryHtml(summary);
+    fs.writeFileSync(path.join(reportsDir, 'security-scan-summary.html'), html, 'utf-8');
+}
+// ─── AI-friendly Markdown report ──────────────────────────────────────────────
+function buildAiSummaryMarkdown(summary) {
+    const { findings, gateResult } = summary;
+    const gate = gateResult ? (gateResult.passed ? '✅ PASSED' : '❌ FAILED') : 'Not configured';
+    const topSecrets = findings.filter((f) => f.category === 'secret').slice(0, 5);
+    const topCritical = findings
+        .filter((f) => f.severity === 'CRITICAL' || f.severity === 'HIGH')
+        .slice(0, 10);
+    const listFindings = (items) => items.length === 0
+        ? '- None\n'
+        : items
+            .map((f) => { var _a; return `- **[${f.severity}]** ${f.title}${f.filePath ? ` — \`${f.filePath}\`` : ''}${f.packageName ? ` (${f.packageName} ${(_a = f.installedVersion) !== null && _a !== void 0 ? _a : ''})` : ''}`; })
+            .join('\n') + '\n';
+    return `# Security Scan AI Summary
+
+## Scanners Executed
+${summary.scannersRun.length > 0 ? summary.scannersRun.map((s) => `- ${s}`).join('\n') : '- None'}
+
+## Security Gate
+**Status:** ${gate}
+${gateResult && !gateResult.passed ? `\n**Failure reasons:**\n${gateResult.reasons.map((r) => `- ${r}`).join('\n')}` : ''}
+
+## Findings Summary
+
+| Severity | Count |
+|----------|-------|
+| CRITICAL | ${summary.bySeverity.CRITICAL} |
+| HIGH | ${summary.bySeverity.HIGH} |
+| MEDIUM | ${summary.bySeverity.MEDIUM} |
+| LOW | ${summary.bySeverity.LOW} |
+
+| Category | Count |
+|----------|-------|
+${Object.entries(summary.byCategory)
+        .filter(([, v]) => v > 0)
+        .map(([k, v]) => `| ${k} | ${v} |`)
+        .join('\n')}
+
+## Top Risks
+
+### Secrets Found (${findings.filter((f) => f.category === 'secret').length})
+${listFindings(topSecrets)}
+
+### Critical / High Findings (${topCritical.length} shown)
+${listFindings(topCritical)}
+
+## Recommended Remediation Order
+
+1. **Secrets** — revoke and rotate immediately (${findings.filter((f) => f.category === 'secret').length} found)
+2. **Critical Vulnerabilities** — patch or mitigate (${summary.bySeverity.CRITICAL} found)
+3. **Auth Flaws** — fix authentication/authorization issues (${summary.byCategory.auth} found)
+4. **Injection Risks** — fix injection vulnerabilities (${summary.byCategory.injection} found)
+5. **Misconfigurations** — resolve HIGH/CRITICAL misconfigurations (${summary.byCategory.misconfig} found)
+6. **Medium Findings** — address remaining MEDIUM issues (${summary.bySeverity.MEDIUM} found)
+`;
+}
+// ─── HTML summary report ──────────────────────────────────────────────────────
+function buildSummaryHtml(summary) {
+    const gateStatus = summary.gateResult
+        ? summary.gateResult.passed
+            ? '<span style="color:green">✅ PASSED</span>'
+            : `<span style="color:red">❌ FAILED</span>`
+        : '<span style="color:gray">Not configured</span>';
+    const gateReasons = summary.gateResult && !summary.gateResult.passed
+        ? `<ul>${summary.gateResult.reasons.map((r) => `<li>${r}</li>`).join('')}</ul>`
+        : '';
+    const severityRows = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW']
+        .map((s) => {
+        const count = summary.bySeverity[s];
+        const cls = s === 'CRITICAL' ? 'bad' : s === 'HIGH' ? 'bad' : s === 'MEDIUM' ? 'warn' : '';
+        return `<tr class="${cls}"><td>${s}</td><td>${count}</td></tr>`;
+    })
+        .join('\n');
+    const categoryRows = Object.entries(summary.byCategory)
+        .filter(([, v]) => v > 0)
+        .map(([k, v]) => `<tr><td>${k}</td><td>${v}</td></tr>`)
+        .join('\n');
+    const findingRows = summary.findings
+        .slice(0, 200)
+        .map((f) => {
+        var _a;
+        const cls = f.severity === 'CRITICAL' || f.severity === 'HIGH'
+            ? 'bad'
+            : f.severity === 'MEDIUM'
+                ? 'warn'
+                : '';
+        const file = f.filePath ? `<code>${f.filePath}${f.lineStart ? `:${f.lineStart}` : ''}</code>` : '—';
+        const pkg = f.packageName ? `${f.packageName} ${(_a = f.installedVersion) !== null && _a !== void 0 ? _a : ''}` : '—';
+        return `<tr class="${cls}">
+        <td>${f.scanner}</td>
+        <td>${f.severity}</td>
+        <td>${f.category}</td>
+        <td>${f.title}</td>
+        <td>${file}</td>
+        <td>${pkg}</td>
+      </tr>`;
+    })
+        .join('\n');
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <title>Security Scan Summary</title>
+  <style>
+    body { font-family: sans-serif; padding: 2rem; }
+    h1, h2 { margin-bottom: 0.5rem; }
+    .gate { font-size: 1.2rem; margin-bottom: 1rem; }
+    table { border-collapse: collapse; width: 100%; margin-bottom: 2rem; }
+    th, td { border: 1px solid #ccc; padding: 0.5rem 1rem; text-align: left; }
+    th { background: #f0f0f0; }
+    tr.bad { background: #ffe6e6; }
+    tr.warn { background: #fff9e6; }
+  </style>
+</head>
+<body>
+  <h1>Security Scan Summary</h1>
+  <div class="gate">
+    Security Gate: ${gateStatus}
+    ${gateReasons}
+  </div>
+
+  <h2>Scanners Run</h2>
+  <p>${summary.scannersRun.length > 0 ? summary.scannersRun.join(', ') : 'None'}</p>
+
+  <h2>Findings by Severity</h2>
+  <table>
+    <thead><tr><th>Severity</th><th>Count</th></tr></thead>
+    <tbody>${severityRows}</tbody>
+  </table>
+
+  <h2>Findings by Category</h2>
+  <table>
+    <thead><tr><th>Category</th><th>Count</th></tr></thead>
+    <tbody>${categoryRows || '<tr><td colspan="2">No findings</td></tr>'}</tbody>
+  </table>
+
+  <h2>Findings Detail (up to 200)</h2>
+  <table>
+    <thead>
+      <tr><th>Scanner</th><th>Severity</th><th>Category</th><th>Title</th><th>File</th><th>Package</th></tr>
+    </thead>
+    <tbody>${findingRows || '<tr><td colspan="6">No findings</td></tr>'}</tbody>
+  </table>
+</body>
+</html>`;
+}
+// ─── Full security scan workflow ───────────────────────────────────────────────
+/**
+ * Run the complete security scan workflow:
+ * 1. Execute configured scanners
+ * 2. Normalize findings
+ * 3. Build summary
+ * 4. Evaluate gate
+ * 5. Generate reports
+ *
+ * Returns the SecurityScanSummary for further use.
+ */
+async function runSecurityScan(config, reportsDir = 'reports') {
+    const results = await runSecurityScanners(config);
+    const summary = buildSecurityScanSummary(results, config);
+    const resolvedDir = path.resolve(reportsDir);
+    generateSecurityScanReports(summary, resolvedDir);
+    return summary;
+}

package/dist/src/security/normalizers/semgrep.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Semgrep output normalizer.
+ * Converts Semgrep JSON findings to the common SecurityFinding model.
+ */
+import { SecurityFinding } from '../types';
+/**
+ * Parse a Semgrep JSON output buffer and return normalized SecurityFindings.
+ */
+export declare function normalizeSemgrepOutput(raw: unknown): SecurityFinding[];
+//# sourceMappingURL=semgrep.d.ts.map

package/dist/src/security/normalizers/semgrep.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrep.d.ts","sourceRoot":"","sources":["../../../../src/security/normalizers/semgrep.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EACL,eAAe,EAGhB,MAAM,UAAU,CAAC;AAqHlB;;GAEG;AACH,wBAAgB,sBAAsB,CAAC,GAAG,EAAE,OAAO,GAAG,eAAe,EAAE,CAuBtE"}

package/dist/src/security/normalizers/semgrep.js

@@ -0,0 +1,104 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeSemgrepOutput = normalizeSemgrepOutput;
+// ─── Severity mapping ─────────────────────────────────────────────────────────
+function mapSemgrepSeverity(severity) {
+    switch ((severity !== null && severity !== void 0 ? severity : '').toUpperCase()) {
+        case 'CRITICAL':
+            return 'CRITICAL';
+        case 'ERROR':
+            return 'HIGH';
+        case 'WARNING':
+        case 'WARN':
+            return 'MEDIUM';
+        case 'INFO':
+        case 'NOTE':
+            return 'LOW';
+        default:
+            return 'MEDIUM';
+    }
+}
+// ─── Category mapping ─────────────────────────────────────────────────────────
+function mapSemgrepCategory(checkId, metadata) {
+    var _a;
+    const cat = ((_a = metadata === null || metadata === void 0 ? void 0 : metadata.category) !== null && _a !== void 0 ? _a : '').toLowerCase();
+    if (cat === 'security') {
+        // Derive more specific category from the rule ID and CWE/OWASP tags
+        const idLower = checkId.toLowerCase();
+        const cwes = normaliseTags(metadata === null || metadata === void 0 ? void 0 : metadata.cwe);
+        const owasp = normaliseTags(metadata === null || metadata === void 0 ? void 0 : metadata.owasp);
+        if (cwes.some((c) => c.includes('89') || c.includes('943')) ||
+            idLower.includes('injection') ||
+            idLower.includes('sqli') ||
+            idLower.includes('xss')) {
+            return 'injection';
+        }
+        if (cwes.some((c) => c.includes('798') || c.includes('259') || c.includes('321')) ||
+            idLower.includes('hardcoded') ||
+            idLower.includes('secret') ||
+            idLower.includes('password')) {
+            return 'secret';
+        }
+        if (cwes.some((c) => c.includes('287') || c.includes('306') || c.includes('384')) ||
+            idLower.includes('auth')) {
+            return 'auth';
+        }
+        if (cwes.some((c) => c.includes('311') || c.includes('319') || c.includes('327')) ||
+            idLower.includes('crypto') ||
+            idLower.includes('cipher') ||
+            idLower.includes('tls') ||
+            idLower.includes('ssl')) {
+            return 'crypto';
+        }
+        if (owasp.some((o) => o.includes('A3') || o.includes('sensitive'))) {
+            return 'data-exposure';
+        }
+        return 'sast';
+    }
+    if (cat.includes('secret') || cat.includes('credential'))
+        return 'secret';
+    if (cat.includes('inject'))
+        return 'injection';
+    if (cat.includes('auth'))
+        return 'auth';
+    if (cat.includes('crypto') || cat.includes('cipher'))
+        return 'crypto';
+    if (cat.includes('exposure') || cat.includes('disclosure'))
+        return 'data-exposure';
+    if (cat.includes('config') || cat.includes('misconfiguration'))
+        return 'misconfig';
+    return 'sast';
+}
+function normaliseTags(value) {
+    if (!value)
+        return [];
+    return Array.isArray(value) ? value : [value];
+}
+// ─── Normalizer ───────────────────────────────────────────────────────────────
+/**
+ * Parse a Semgrep JSON output buffer and return normalized SecurityFindings.
+ */
+function normalizeSemgrepOutput(raw) {
+    var _a;
+    const data = raw;
+    const results = (_a = data.results) !== null && _a !== void 0 ? _a : [];
+    return results.map((r) => {
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k, _l;
+        const cwe = normaliseTags((_b = (_a = r.extra) === null || _a === void 0 ? void 0 : _a.metadata) === null || _b === void 0 ? void 0 : _b.cwe);
+        const owasp = normaliseTags((_d = (_c = r.extra) === null || _c === void 0 ? void 0 : _c.metadata) === null || _d === void 0 ? void 0 : _d.owasp);
+        return {
+            scanner: 'semgrep',
+            category: mapSemgrepCategory(r.checkId, (_e = r.extra) === null || _e === void 0 ? void 0 : _e.metadata),
+            severity: mapSemgrepSeverity((_f = r.extra) === null || _f === void 0 ? void 0 : _f.severity),
+            title: (_h = (_g = r.extra) === null || _g === void 0 ? void 0 : _g.message) !== null && _h !== void 0 ? _h : r.checkId,
+            description: (_j = r.extra) === null || _j === void 0 ? void 0 : _j.lines,
+            ruleId: r.checkId,
+            cwe: cwe.length > 0 ? cwe : undefined,
+            owasp: owasp.length > 0 ? owasp : undefined,
+            filePath: r.path,
+            lineStart: (_k = r.start) === null || _k === void 0 ? void 0 : _k.line,
+            lineEnd: (_l = r.end) === null || _l === void 0 ? void 0 : _l.line,
+            scannerNativePayload: r,
+        };
+    });
+}

package/dist/src/security/normalizers/trivy.d.ts

@@ -0,0 +1,10 @@
+/**
+ * Trivy output normalizer.
+ * Converts Trivy JSON findings to the common SecurityFinding model.
+ */
+import { SecurityFinding } from '../types';
+/**
+ * Parse Trivy JSON output and return normalized SecurityFindings.
+ */
+export declare function normalizeTrivyOutput(raw: unknown): SecurityFinding[];
+//# sourceMappingURL=trivy.d.ts.map

package/dist/src/security/normalizers/trivy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivy.d.ts","sourceRoot":"","sources":["../../../../src/security/normalizers/trivy.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EACL,eAAe,EAGhB,MAAM,UAAU,CAAC;AAqFlB;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,GAAG,EAAE,OAAO,GAAG,eAAe,EAAE,CAgEpE"}

package/dist/src/security/normalizers/trivy.js

@@ -0,0 +1,78 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeTrivyOutput = normalizeTrivyOutput;
+// ─── Severity mapping ─────────────────────────────────────────────────────────
+function mapTrivySeverity(severity) {
+    switch ((severity !== null && severity !== void 0 ? severity : '').toUpperCase()) {
+        case 'CRITICAL': return 'CRITICAL';
+        case 'HIGH': return 'HIGH';
+        case 'MEDIUM': return 'MEDIUM';
+        case 'LOW':
+        case 'UNKNOWN':
+        default: return 'LOW';
+    }
+}
+// ─── Normalizer ───────────────────────────────────────────────────────────────
+/**
+ * Parse Trivy JSON output and return normalized SecurityFindings.
+ */
+function normalizeTrivyOutput(raw) {
+    var _a, _b, _c, _d, _e, _f, _g;
+    const data = raw;
+    const results = (_a = data.Results) !== null && _a !== void 0 ? _a : [];
+    const findings = [];
+    for (const result of results) {
+        const filePath = result.Target;
+        // ── Vulnerabilities ──────────────────────────────────────────────────────
+        for (const vuln of (_b = result.Vulnerabilities) !== null && _b !== void 0 ? _b : []) {
+            const category = 'sca';
+            findings.push({
+                scanner: 'trivy',
+                category,
+                severity: mapTrivySeverity(vuln.Severity),
+                title: (_c = vuln.Title) !== null && _c !== void 0 ? _c : vuln.VulnerabilityID,
+                description: vuln.Description,
+                ruleId: vuln.VulnerabilityID,
+                cve: [vuln.VulnerabilityID],
+                cwe: vuln.CweIDs,
+                filePath,
+                packageName: vuln.PkgName,
+                installedVersion: vuln.InstalledVersion,
+                fixedVersion: vuln.FixedVersion,
+                scannerNativePayload: vuln,
+            });
+        }
+        // ── Secrets ──────────────────────────────────────────────────────────────
+        for (const secret of (_d = result.Secrets) !== null && _d !== void 0 ? _d : []) {
+            findings.push({
+                scanner: 'trivy',
+                category: 'secret',
+                severity: mapTrivySeverity(secret.Severity),
+                title: secret.Title,
+                description: secret.Match,
+                ruleId: secret.RuleID,
+                filePath,
+                lineStart: secret.StartLine,
+                lineEnd: secret.EndLine,
+                secretType: secret.Category,
+                scannerNativePayload: secret,
+            });
+        }
+        // ── Misconfigurations ────────────────────────────────────────────────────
+        for (const mis of (_e = result.Misconfigurations) !== null && _e !== void 0 ? _e : []) {
+            findings.push({
+                scanner: 'trivy',
+                category: 'misconfig',
+                severity: mapTrivySeverity(mis.Severity),
+                title: mis.Title,
+                description: mis.Description,
+                ruleId: mis.ID,
+                filePath,
+                lineStart: (_f = mis.CauseMetadata) === null || _f === void 0 ? void 0 : _f.StartLine,
+                lineEnd: (_g = mis.CauseMetadata) === null || _g === void 0 ? void 0 : _g.EndLine,
+                scannerNativePayload: mis,
+            });
+        }
+    }
+    return findings;
+}