autoremediator 0.4.1 → 0.5.0
- package/README.md +4 -8
- package/dist/{chunk-GBOD3DV6.js → chunk-VLXGEH7U.js} +64 -2
- package/dist/{chunk-GBOD3DV6.js.map → chunk-VLXGEH7U.js.map} +1 -1
- package/dist/cli.js +12 -4
- package/dist/cli.js.map +1 -1
- package/dist/index.d.ts +52 -1
- package/dist/index.js +5 -3
- package/dist/mcp/server.js +1 -1
- package/dist/openapi/server.js +1 -1
- package/package.json +1 -1
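--- a/package/README.md
+++ b/package/README.md
@@ -4,6 +4,8 @@
 [](https://www.npmjs.com/package/autoremediator)
 [](https://github.com/Rawlings/autoremediator/blob/master/LICENSE)
 [](https://www.npmjs.com/package/autoremediator)
+[](https://github.com/Rawlings/autoremediator/pkgs/container/autoremediator)
+[](https://github.com/marketplace/actions/autoremediator)
 
 > [!WARNING]
 > Automated dependency remediation is a controversial practice.
@@ -18,6 +20,8 @@ It exposes stable SDK and CLI surfaces for direct CVE remediation and scanner-dr
 
 It also exposes non-mutating planning and correlation context for agent orchestration workflows.
 
+See the [documentation](https://rawlings.github.io/autoremediator/docs/getting-started) to get started.
+
 ## Why Teams Use It
 
 - Continuous remediation in CI and scheduled GitHub workflows
@@ -100,14 +104,6 @@ Public API naming canon: `runTests`, `policy`, `evidence`, `patchCount`, and `pa
 - Configure policy and branch protection before broad rollout
 - Use CI summaries and evidence outputs for operational governance
 
-## Getting Started Fast
-
-Start from the live guides instead of repo markdown:
-
-- [Quick setup](https://rawlings.github.io/autoremediator/docs/getting-started)
-- [Automation workflows](https://rawlings.github.io/autoremediator/docs/integrations)
-- [Safety controls](https://rawlings.github.io/autoremediator/docs/policy-and-safety)
-
 ## Package
 
 - [npm package](https://www.npmjs.com/package/autoremediator)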
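--- a/package/dist/chunk-GBOD3DV6.js
+++ b/package/dist/chunk-VLXGEH7U.js
@@ -2528,6 +2528,67 @@ function toCiSummary(report) {
 function ciExitCode(summary) {
 return summary.failedCount > 0 ? 1 : 0;
 }
+function severityToSarifLevel(severity) {
+if (severity === "CRITICAL" || severity === "HIGH") return "error";
+if (severity === "MEDIUM") return "warning";
+if (severity === "LOW") return "note";
+return "warning";
+}
+function toSarifOutput(report) {
+const rules = [];
+const results = [];
+const seenRules = /* @__PURE__ */ new Set();
+for (const r of report.reports) {
+const severity = r.cveDetails?.severity ?? "UNKNOWN";
+const level = severityToSarifLevel(severity);
+const summary = r.cveDetails?.summary ?? r.cveId;
+if (!seenRules.has(r.cveId)) {
+seenRules.add(r.cveId);
+rules.push({
+id: r.cveId,
+name: "VulnerableDependency",
+shortDescription: { text: r.cveId },
+fullDescription: { text: summary },
+defaultConfiguration: { level },
+helpUri: `https://osv.dev/vulnerability/${r.cveId}`,
+properties: { severity }
+});
+}
+for (const vp of r.vulnerablePackages) {
+const fixText = vp.affected.firstPatchedVersion ? ` Fix: upgrade to ${vp.affected.firstPatchedVersion}.` : " No fixed version available.";
+results.push({
+ruleId: r.cveId,
+level,
+message: {
+text: `${vp.installed.name}@${vp.installed.version} is vulnerable to ${r.cveId}: ${summary}${fixText}`
+},
+locations: [
+{
+physicalLocation: {
+artifactLocation: { uri: "package.json", uriBaseId: "%SRCROOT%" }
+}
+}
+]
+});
+}
+}
+return {
+version: "2.1.0",
+$schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Documents/CommitteeSpecifications/2.1.0/sarif-schema-2.1.0.json",
+runs: [
+{
+tool: {
+driver: {
+name: "autoremediator",
+informationUri: "https://github.com/Rawlings/autoremediator",
+rules
+}
+},
+results
+}
+]
+};
+}
 
 export {
 runRemediationPipeline,
@@ -2535,6 +2596,7 @@ export {
 planRemediation,
 remediateFromScan,
 toCiSummary,
-ciExitCode
+ciExitCode,
+toSarifOutput
 };
-//# sourceMappingURL=chunk-
+//# sourceMappingURL=chunk-VLXGEH7U.js.map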
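Review bot: Every result emitted by toSarifOutput is pinned to the same `artifactLocation: { uri: "package.json", uriBaseId: "%SRCROOT%" }` with no region, so two results sharing a ruleId (one CVE hitting two installed packages, or one package appearing in several reports) differ only in message text, and SARIF consumers that identify alerts by ruleId plus location are likely to collapse them or churn them between uploads. A stable `partialFingerprints` entry per result, derived from `r.cveId` together with `${vp.installed.name}@${vp.installed.version}`, would keep them distinct, and pointing transitive findings at the lockfile rather than package.json would be more accurate where the pipeline knows that path. The rule entry is built from whichever report mentions a CVE first (the `seenRules` check), so `defaultConfiguration.level` can disagree with later results for the same CVE if their cveDetails differ — probably harmless, but worth a comment. Neither new function has a JSDoc header; a one-liner such as `/** Build a SARIF 2.1.0 log from a remediation report: one rule per CVE, one result per vulnerable installed package. */` on toSarifOutput, and a note on severityToSarifLevel that unrecognised severities (including "UNKNOWN") map to "warning", would make the contract explicit.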