npm - bardscan - Versions diffs - 0.1.4 - Mend

bardscan 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,21 @@
+#!/usr/bin/env node
+import { mkdir, writeFile } from 'node:fs/promises';
+import * as core from '@bardscan/core';
+export interface CliDeps {
+    mkdir: typeof mkdir;
+    writeFile: typeof writeFile;
+    runScan: typeof core.runScan;
+    updateAdvisoryDb: typeof core.updateAdvisoryDb;
+    buildMarkdownReport: typeof core.buildMarkdownReport;
+    buildSarifReport: (report: Awaited<ReturnType<typeof core.runScan>>) => object;
+    shouldFail: typeof core.shouldFail;
+    redactReportPaths: typeof core.redactReportPaths;
+    stdout: {
+        write: (text: string) => void;
+        isTTY?: boolean;
+    };
+    stderr: {
+        write: (text: string) => void;
+    };
+}
+export declare function runCli(rawArgs: string[], deps?: CliDeps): Promise<number>;

package/dist/index.js ADDED Viewed

@@ -0,0 +1,331 @@
+#!/usr/bin/env node
+import { mkdir, writeFile } from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { pathToFileURL } from 'node:url';
+import yargs from 'yargs';
+import { hideBin } from 'yargs/helpers';
+import * as core from '@bardscan/core';
+const defaultDeps = {
+    mkdir,
+    writeFile,
+    runScan: core.runScan,
+    updateAdvisoryDb: core.updateAdvisoryDb,
+    buildMarkdownReport: core.buildMarkdownReport,
+    buildSarifReport: (report) => typeof core.buildSarifReport === 'function'
+        ? core.buildSarifReport(report)
+        : {
+            version: '2.1.0',
+            runs: []
+        },
+    shouldFail: core.shouldFail,
+    redactReportPaths: core.redactReportPaths,
+    stdout: process.stdout,
+    stderr: process.stderr
+};
+export async function runCli(rawArgs, deps = defaultDeps) {
+    let exitCode = 0;
+    const parser = yargs(rawArgs)
+        .scriptName('bardscan')
+        .command('scan [path]', 'Scan a TypeScript project for vulnerable npm dependencies', (cmd) => cmd
+        .positional('path', {
+        type: 'string',
+        default: '.',
+        describe: 'Project path to scan'
+    })
+        .option('format', {
+        choices: ['json', 'md', 'sarif', 'both'],
+        default: 'both'
+    })
+        .option('out-dir', {
+        type: 'string',
+        default: path.join(os.tmpdir(), 'bardscan')
+    })
+        .option('fail-on', {
+        choices: ['critical', 'high', 'medium', 'low', 'none'],
+        default: 'high'
+    })
+        .option('privacy', {
+        choices: ['strict', 'standard'],
+        default: 'strict',
+        describe: 'Privacy preset that controls network and output defaults'
+    })
+        .option('online', {
+        type: 'boolean',
+        default: false,
+        describe: 'Enable online advisory lookups during scan'
+    })
+        .option('offline', {
+        type: 'boolean',
+        describe: 'Force cache-only scan mode'
+    })
+        .option('unknown-as', {
+        choices: ['critical', 'high', 'medium', 'low', 'unknown'],
+        default: 'unknown'
+    })
+        .option('refresh-cache', {
+        type: 'boolean',
+        default: false
+    })
+        .option('osv-url', {
+        type: 'string',
+        describe: 'Custom OSV API base URL (for mirrors/proxies)'
+    })
+        .option('fallback-calls', {
+        type: 'boolean',
+        describe: 'Allow secondary network fallbacks for unresolved severities'
+    })
+        .option('redact-paths', {
+        type: 'boolean',
+        describe: 'Redact target path and evidence paths in outputs'
+    })
+        .option('evidence', {
+        choices: ['none', 'imports'],
+        describe: 'Evidence collection mode'
+    })
+        .option('telemetry', {
+        choices: ['off', 'on'],
+        describe: 'Reserved telemetry mode (default off)'
+    })
+        .option('list-findings', {
+        choices: ['none', 'critical-high', 'medium-up', 'all'],
+        default: 'none',
+        describe: 'Print finding details in CLI output'
+    })
+        .option('findings-json', {
+        type: 'string',
+        describe: 'Write filtered finding details as JSON'
+    }), async (argv) => {
+        try {
+            const projectPath = path.resolve(String(argv.path));
+            const outDir = path.resolve(String(argv.outDir));
+            const settings = resolveScanSettings({
+                privacy: argv.privacy,
+                online: Boolean(argv.online),
+                offline: argv.offline,
+                fallbackCalls: argv.fallbackCalls,
+                redactPaths: argv.redactPaths,
+                evidence: argv.evidence,
+                telemetry: argv.telemetry
+            });
+            await deps.mkdir(outDir, { recursive: true });
+            const report = await deps.runScan({
+                projectPath,
+                outDir,
+                failOn: argv.failOn,
+                offline: settings.offline,
+                unknownAs: argv.unknownAs,
+                refreshCache: Boolean(argv.refreshCache),
+                osvUrl: argv.osvUrl ? String(argv.osvUrl) : undefined,
+                enableNetworkFallbacks: settings.enableNetworkFallbacks,
+                evidenceMode: settings.evidenceMode
+            });
+            const redact = typeof deps.redactReportPaths === 'function' ? deps.redactReportPaths : (r) => r;
+            const displayReport = settings.redactPaths ? redact(report) : report;
+            const jsonPath = path.join(outDir, 'report.json');
+            const mdPath = path.join(outDir, 'report.md');
+            const sarifPath = path.join(outDir, 'report.sarif');
+            if (argv.format === 'json' || argv.format === 'both') {
+                await deps.writeFile(jsonPath, JSON.stringify(displayReport, null, 2));
+                deps.stdout.write(`${jsonPath}\n`);
+            }
+            if (argv.format === 'md' || argv.format === 'both') {
+                await deps.writeFile(mdPath, deps.buildMarkdownReport(displayReport));
+                deps.stdout.write(`${mdPath}\n`);
+            }
+            if (argv.format === 'sarif') {
+                await deps.writeFile(sarifPath, JSON.stringify(deps.buildSarifReport(displayReport), null, 2));
+                deps.stdout.write(`${sarifPath}\n`);
+            }
+            const thresholdHit = argv.failOn !== 'none' &&
+                report.findings.some((f) => deps.shouldFail(argv.failOn, f.severity));
+            deps.stdout.write(buildCliSummary(displayReport, String(argv.failOn), thresholdHit, useColor(deps.stdout)));
+            deps.stdout.write(buildFindingsList(displayReport, argv.listFindings, useColor(deps.stdout)));
+            if (argv.findingsJson) {
+                const findingsJsonPath = path.resolve(String(argv.findingsJson));
+                const filteredFindings = filterFindings(displayReport, argv.listFindings);
+                await deps.writeFile(findingsJsonPath, JSON.stringify(filteredFindings, null, 2));
+                deps.stdout.write(`${findingsJsonPath}\n`);
+            }
+            if (thresholdHit) {
+                exitCode = 1;
+                return;
+            }
+            exitCode = 0;
+        }
+        catch (error) {
+            deps.stderr.write(`${error.message}\n`);
+            exitCode = 2;
+        }
+    })
+        .command('db update [path]', 'Refresh advisory cache for dependencies in the project lockfile', (cmd) => cmd
+        .positional('path', {
+        type: 'string',
+        default: '.',
+        describe: 'Project path to index dependencies from'
+    })
+        .option('out-dir', {
+        type: 'string',
+        default: path.join(os.tmpdir(), 'bardscan')
+    })
+        .option('refresh-cache', {
+        type: 'boolean',
+        default: false
+    })
+        .option('osv-url', {
+        type: 'string',
+        describe: 'Custom OSV API base URL (for mirrors/proxies)'
+    })
+        .option('fallback-calls', {
+        type: 'boolean',
+        default: true,
+        describe: 'Allow secondary network fallbacks for unresolved severities'
+    }), async (argv) => {
+        try {
+            const projectPath = path.resolve(String(argv.path));
+            const outDir = path.resolve(String(argv.outDir));
+            await deps.mkdir(outDir, { recursive: true });
+            const update = await deps.updateAdvisoryDb({
+                projectPath,
+                outDir,
+                refreshCache: Boolean(argv.refreshCache),
+                osvUrl: argv.osvUrl ? String(argv.osvUrl) : undefined,
+                enableNetworkFallbacks: Boolean(argv.fallbackCalls)
+            });
+            deps.stdout.write(buildDbUpdateSummary(update, useColor(deps.stdout)));
+            exitCode = 0;
+        }
+        catch (error) {
+            deps.stderr.write(`${error.message}\n`);
+            exitCode = 2;
+        }
+    })
+        .demandCommand(1)
+        .strict()
+        .help();
+    await parser.parseAsync();
+    return exitCode;
+}
+if (import.meta.url === pathToFileURL(process.argv[1] ?? '').href) {
+    void runCli(hideBin(process.argv)).then((code) => {
+        process.exitCode = code;
+    });
+}
+function resolveScanSettings(input) {
+    const preset = input.privacy === 'strict'
+        ? {
+            offline: true,
+            enableNetworkFallbacks: false,
+            redactPaths: true,
+            evidenceMode: 'none',
+            telemetry: 'off'
+        }
+        : {
+            offline: true,
+            enableNetworkFallbacks: true,
+            redactPaths: false,
+            evidenceMode: 'imports',
+            telemetry: 'off'
+        };
+    let offline = preset.offline;
+    if (input.online)
+        offline = false;
+    if (typeof input.offline === 'boolean')
+        offline = input.offline;
+    if (input.privacy === 'strict' && !offline) {
+        throw new Error('privacy strict disallows online scanning. Remove --online or use --privacy standard.');
+    }
+    if ((input.telemetry ?? preset.telemetry) === 'on' && input.privacy === 'strict') {
+        throw new Error('privacy strict disallows telemetry.');
+    }
+    return {
+        offline,
+        enableNetworkFallbacks: input.fallbackCalls ?? preset.enableNetworkFallbacks,
+        redactPaths: input.redactPaths ?? preset.redactPaths,
+        evidenceMode: input.evidence ?? preset.evidenceMode
+    };
+}
+function buildCliSummary(report, failOn, thresholdHit, color) {
+    const sev = report.summary.bySeverity;
+    const conf = report.summary.byConfidence;
+    const lines = [
+        '',
+        colorize('bardscan summary', 'cyan', color),
+        `target: ${report.targetPath}`,
+        `dependencies: ${report.summary.dependencyCount}`,
+        `findings: ${report.summary.findingsCount}`,
+        `severity: critical=${colorize(String(sev.critical), 'magenta', color)} high=${colorize(String(sev.high), 'red', color)} medium=${colorize(String(sev.medium), 'yellow', color)} low=${colorize(String(sev.low), 'green', color)} unknown=${colorize(String(sev.unknown), 'gray', color)}`,
+        `confidence: high=${colorize(String(conf.high), 'green', color)} medium=${colorize(String(conf.medium), 'yellow', color)} low=${colorize(String(conf.low), 'red', color)} unknown=${colorize(String(conf.unknown), 'gray', color)}`,
+        `fail-on: ${failOn}`,
+        `threshold hit: ${thresholdHit ? colorize('yes', 'red', color) : colorize('no', 'green', color)}`
+    ];
+    return `${lines.join('\n')}\n`;
+}
+function buildDbUpdateSummary(update, color) {
+    const lines = [
+        '',
+        colorize('bardscan db update', 'cyan', color),
+        `target: ${update.projectPath}`,
+        `dependencies: ${update.dependencyCount}`,
+        `queried: ${update.queriedCount}`,
+        `sources: osv=${colorize(String(update.bySource.osv), 'green', color)} cache=${colorize(String(update.bySource.cache), 'yellow', color)} unknown=${colorize(String(update.bySource.unknown), 'red', color)}`
+    ];
+    return `${lines.join('\n')}\n`;
+}
+function buildFindingsList(report, mode, color) {
+    if (mode === 'none')
+        return '';
+    const filtered = filterFindings(report, mode);
+    if (filtered.length === 0) {
+        return `\n${colorize('finding details', 'cyan', color)}\n(no matching findings)\n`;
+    }
+    const lines = ['', colorize('finding details', 'cyan', color)];
+    for (const finding of filtered) {
+        const vulnIds = finding.vulnerabilities.slice(0, 3).map((v) => v.id).join(', ');
+        const evidenceCount = finding.evidence.length;
+        const unknownReason = finding.unknownReason ? ` unknown-reason=${finding.unknownReason}` : '';
+        lines.push(`- ${colorize(finding.severity, severityColor(finding.severity), color)} ${finding.packageName}@${finding.version}` +
+            ` confidence=${finding.confidence} direct=${finding.direct ? 'yes' : 'no'} evidence=${evidenceCount}` +
+            ` source=${finding.source}${unknownReason} ids=${vulnIds || 'n/a'}`);
+    }
+    return `${lines.join('\n')}\n`;
+}
+function filterFindings(report, mode) {
+    if (mode === 'all')
+        return report.findings;
+    if (mode === 'critical-high') {
+        return report.findings.filter((f) => f.severity === 'critical' || f.severity === 'high');
+    }
+    if (mode === 'medium-up') {
+        return report.findings.filter((f) => f.severity === 'critical' || f.severity === 'high' || f.severity === 'medium');
+    }
+    return [];
+}
+function severityColor(severity) {
+    if (severity === 'critical')
+        return 'magenta';
+    if (severity === 'high')
+        return 'red';
+    if (severity === 'medium')
+        return 'yellow';
+    if (severity === 'low')
+        return 'green';
+    return 'gray';
+}
+function useColor(stdout) {
+    return Boolean(stdout.isTTY && !process.env.NO_COLOR);
+}
+function colorize(text, color, enabled) {
+    if (!enabled)
+        return text;
+    const code = {
+        red: 31,
+        yellow: 33,
+        green: 32,
+        cyan: 36,
+        magenta: 35,
+        gray: 90
+    };
+    return `\u001b[${code[color]}m${text}\u001b[0m`;
+}
+//# sourceMappingURL=index.js.map

package/dist/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AACA,OAAO,EAAE,KAAK,EAAE,SAAS,EAAE,MAAM,kBAAkB,CAAC;AACpD,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,OAAO,EAAE,MAAM,eAAe,CAAC;AACxC,OAAO,KAAK,IAAI,MAAM,gBAAgB,CAAC;AAqBvC,MAAM,WAAW,GAAY;IAC3B,KAAK;IACL,SAAS;IACT,OAAO,EAAE,IAAI,CAAC,OAAO;IACrB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;IACvC,mBAAmB,EAAE,IAAI,CAAC,mBAAmB;IAC7C,gBAAgB,EAAE,CAAC,MAAM,EAAE,EAAE,CAC3B,OAAQ,IAA4D,CAAC,gBAAgB,KAAK,UAAU;QAClG,CAAC,CAAE,IAA2D,CAAC,gBAAgB,CAAC,MAAM,CAAC;QACvF,CAAC,CAAC;YACE,OAAO,EAAE,OAAO;YAChB,IAAI,EAAE,EAAE;SACT;IACP,UAAU,EAAE,IAAI,CAAC,UAAU;IAC3B,iBAAiB,EAAE,IAAI,CAAC,iBAAiB;IACzC,MAAM,EAAE,OAAO,CAAC,MAAM;IACtB,MAAM,EAAE,OAAO,CAAC,MAAM;CACvB,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,MAAM,CAAC,OAAiB,EAAE,OAAgB,WAAW;IACzE,IAAI,QAAQ,GAAG,CAAC,CAAC;IAEjB,MAAM,MAAM,GAAG,KAAK,CAAC,OAAO,CAAC;SAC1B,UAAU,CAAC,UAAU,CAAC;SACtB,OAAO,CACN,aAAa,EACb,2DAA2D,EAC3D,CAAC,GAAG,EAAE,EAAE,CACN,GAAG;SACA,UAAU,CAAC,MAAM,EAAE;QAClB,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,GAAG;QACZ,QAAQ,EAAE,sBAAsB;KACjC,CAAC;SACD,MAAM,CAAC,QAAQ,EAAE;QAChB,OAAO,EAAE,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM,CAAU;QACjD,OAAO,EAAE,MAAM;KAChB,CAAC;SACD,MAAM,CAAC,SAAS,EAAE;QACjB,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC;KAC5C,CAAC;SACD,MAAM,CAAC,SAAS,EAAE;QACjB,OAAO,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAU;QAC/D,OAAO,EAAE,MAAM;KAChB,CAAC;SACD,MAAM,CAAC,SAAS,EAAE;QACjB,OAAO,EAAE,CAAC,QAAQ,EAAE,UAAU,CAAU;QACxC,OAAO,EAAE,QAAQ;QACjB,QAAQ,EAAE,0DAA0D;KACrE,CAAC;SACD,MAAM,CAAC,QAAQ,EAAE;QAChB,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,KAAK;QACd,QAAQ,EAAE,4CAA4C;KACvD,CAAC;SACD,MAAM,CAAC,SAAS,EAAE;QACjB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,4BAA4B;KACvC,CAAC;SACD,MAAM,CAAC,YAAY,EAAE;QACpB,OAAO,EAAE,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,EAAE,SAAS,CAAU;QAClE,OAAO,EAAE,SAAS;KACnB,CAAC;SACD,MAAM,CAAC,eAAe,EAAE;QACvB,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,KAAK;KACf,CAAC;SACD,MAAM,CAAC,SAAS,EAAE;QACjB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,+CAA+C;KAC1D,CAAC;SACD,MAAM,CAAC,gBAAgB,EAAE;QACxB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,6DAA6D;KACxE,CAAC;SACD,MAAM,CAAC,cAAc,EAAE;QACtB,IAAI,EAAE,SAAS;QACf,QAAQ,EAAE,kDAAkD;KAC7D,CAAC;SACD,MAAM,CAAC,UAAU,EAAE;QAClB,OAAO,EAAE,CAAC,MAAM,EAAE,SAAS,CAAU;QACrC,QAAQ,EAAE,0BAA0B;KACrC,CAAC;SACD,MAAM,CAAC,WAAW,EAAE;QACnB,OAAO,EAAE,CAAC,KAAK,EAAE,IAAI,CAAU;QAC/B,QAAQ,EAAE,uCAAuC;KAClD,CAAC;SACD,MAAM,CAAC,eAAe,EAAE;QACvB,OAAO,EAAE,CAAC,MAAM,EAAE,eAAe,EAAE,WAAW,EAAE,KAAK,CAAU;QAC/D,OAAO,EAAE,MAAM;QACf,QAAQ,EAAE,qCAAqC;KAChD,CAAC;SACD,MAAM,CAAC,eAAe,EAAE;QACvB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,wCAAwC;KACnD,CAAC,EACN,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACpD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YACjD,MAAM,QAAQ,GAAG,mBAAmB,CAAC;gBACnC,OAAO,EAAE,IAAI,CAAC,OAAsB;gBACpC,MAAM,EAAE,OAAO,CAAC,IAAI,CAAC,MAAM,CAAC;gBAC5B,OAAO,EAAE,IAAI,CAAC,OAAO;gBACrB,aAAa,EAAE,IAAI,CAAC,aAAa;gBACjC,WAAW,EAAE,IAAI,CAAC,WAAW;gBAC7B,QAAQ,EAAE,IAAI,CAAC,QAAoC;gBACnD,SAAS,EAAE,IAAI,CAAC,SAAqC;aACtD,CAAC,CAAC;YAEH,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAE9C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC;gBAChC,WAAW;gBACX,MAAM;gBACN,MAAM,EAAE,IAAI,CAAC,MAAgB;gBAC7B,OAAO,EAAE,QAAQ,CAAC,OAAO;gBACzB,SAAS,EAAE,IAAI,CAAC,SAAqB;gBACrC,YAAY,EAAE,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC;gBACxC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;gBACrD,sBAAsB,EAAE,QAAQ,CAAC,sBAAsB;gBACvD,YAAY,EAAE,QAAQ,CAAC,YAAY;aACpC,CAAC,CAAC;YAEH,MAAM,MAAM,GAAG,OAAO,IAAI,CAAC,iBAAiB,KAAK,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,CAAC,CAAgB,EAAE,EAAE,CAAC,CAAC,CAAC;YAC/G,MAAM,aAAa,GAAG,QAAQ,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;YACrE,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,aAAa,CAAC,CAAC;YAClD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;YAC9C,MAAM,SAAS,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;YAEpD,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBACrD,MAAM,IAAI,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,SAAS,CAAC,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBACvE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,QAAQ,IAAI,CAAC,CAAC;YACrC,CAAC;YACD,IAAI,IAAI,CAAC,MAAM,KAAK,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;gBACnD,MAAM,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,CAAC,mBAAmB,CAAC,aAAa,CAAC,CAAC,CAAC;gBACtE,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,MAAM,IAAI,CAAC,CAAC;YACnC,CAAC;YACD,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;gBAC5B,MAAM,IAAI,CAAC,SAAS,CAAC,SAAS,EAAE,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,gBAAgB,CAAC,aAAa,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAC/F,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,SAAS,IAAI,CAAC,CAAC;YACtC,CAAC;YAED,MAAM,YAAY,GAChB,IAAI,CAAC,MAAM,KAAK,MAAM;gBACtB,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,MAAgB,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;YAClF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,eAAe,CAAC,aAAa,EAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,YAAY,EAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAC5G,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,iBAAiB,CAAC,aAAa,EAAE,IAAI,CAAC,YAAgC,EAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YAClH,IAAI,IAAI,CAAC,YAAY,EAAE,CAAC;gBACtB,MAAM,gBAAgB,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC;gBACjE,MAAM,gBAAgB,GAAG,cAAc,CAAC,aAAa,EAAE,IAAI,CAAC,YAAgC,CAAC,CAAC;gBAC9F,MAAM,IAAI,CAAC,SAAS,CAAC,gBAAgB,EAAE,IAAI,CAAC,SAAS,CAAC,gBAAgB,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;gBAClF,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAG,gBAAgB,IAAI,CAAC,CAAC;YAC7C,CAAC;YAED,IAAI,YAAY,EAAE,CAAC;gBACjB,QAAQ,GAAG,CAAC,CAAC;gBACb,OAAO;YACT,CAAC;YACD,QAAQ,GAAG,CAAC,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAI,KAAe,CAAC,OAAO,IAAI,CAAC,CAAC;YACnD,QAAQ,GAAG,CAAC,CAAC;QACf,CAAC;IACH,CAAC,CACF;SACA,OAAO,CACN,kBAAkB,EAClB,iEAAiE,EACjE,CAAC,GAAG,EAAE,EAAE,CACN,GAAG;SACA,UAAU,CAAC,MAAM,EAAE;QAClB,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,GAAG;QACZ,QAAQ,EAAE,yCAAyC;KACpD,CAAC;SACD,MAAM,CAAC,SAAS,EAAE;QACjB,IAAI,EAAE,QAAQ;QACd,OAAO,EAAE,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,UAAU,CAAC;KAC5C,CAAC;SACD,MAAM,CAAC,eAAe,EAAE;QACvB,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,KAAK;KACf,CAAC;SACD,MAAM,CAAC,SAAS,EAAE;QACjB,IAAI,EAAE,QAAQ;QACd,QAAQ,EAAE,+CAA+C;KAC1D,CAAC;SACD,MAAM,CAAC,gBAAgB,EAAE;QACxB,IAAI,EAAE,SAAS;QACf,OAAO,EAAE,IAAI;QACb,QAAQ,EAAE,6DAA6D;KACxE,CAAC,EACN,KAAK,EAAE,IAAI,EAAE,EAAE;QACb,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;YACpD,MAAM,MAAM,GAAG,IAAI,CAAC,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YACjD,MAAM,IAAI,CAAC,KAAK,CAAC,MAAM,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,CAAC,CAAC;YAE9C,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,gBAAgB,CAAC;gBACzC,WAAW;gBACX,MAAM;gBACN,YAAY,EAAE,OAAO,CAAC,IAAI,CAAC,YAAY,CAAC;gBACxC,MAAM,EAAE,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,SAAS;gBACrD,sBAAsB,EAAE,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC;aACpD,CAAC,CAAC;YAEH,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,oBAAoB,CAAC,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;YACvE,QAAQ,GAAG,CAAC,CAAC;QACf,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,GAAI,KAAe,CAAC,OAAO,IAAI,CAAC,CAAC;YACnD,QAAQ,GAAG,CAAC,CAAC;QACf,CAAC;IACH,CAAC,CACF;SACA,aAAa,CAAC,CAAC,CAAC;SAChB,MAAM,EAAE;SACR,IAAI,EAAE,CAAC;IAEV,MAAM,MAAM,CAAC,UAAU,EAAE,CAAC;IAC1B,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,IAAI,MAAM,CAAC,IAAI,CAAC,GAAG,KAAK,aAAa,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC;IAClE,KAAK,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE;QAC/C,OAAO,CAAC,QAAQ,GAAG,IAAI,CAAC;IAC1B,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,mBAAmB,CAAC,KAQ5B;IAMC,MAAM,MAAM,GACV,KAAK,CAAC,OAAO,KAAK,QAAQ;QACxB,CAAC,CAAC;YACE,OAAO,EAAE,IAAI;YACb,sBAAsB,EAAE,KAAK;YAC7B,WAAW,EAAE,IAAI;YACjB,YAAY,EAAE,MAAsB;YACpC,SAAS,EAAE,KAAc;SAC1B;QACH,CAAC,CAAC;YACE,OAAO,EAAE,IAAI;YACb,sBAAsB,EAAE,IAAI;YAC5B,WAAW,EAAE,KAAK;YAClB,YAAY,EAAE,SAAyB;YACvC,SAAS,EAAE,KAAc;SAC1B,CAAC;IAER,IAAI,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC;IAC7B,IAAI,KAAK,CAAC,MAAM;QAAE,OAAO,GAAG,KAAK,CAAC;IAClC,IAAI,OAAO,KAAK,CAAC,OAAO,KAAK,SAAS;QAAE,OAAO,GAAG,KAAK,CAAC,OAAO,CAAC;IAEhE,IAAI,KAAK,CAAC,OAAO,KAAK,QAAQ,IAAI,CAAC,OAAO,EAAE,CAAC;QAC3C,MAAM,IAAI,KAAK,CAAC,sFAAsF,CAAC,CAAC;IAC1G,CAAC;IACD,IAAI,CAAC,KAAK,CAAC,SAAS,IAAI,MAAM,CAAC,SAAS,CAAC,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,KAAK,QAAQ,EAAE,CAAC;QACjF,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;IACzD,CAAC;IAED,OAAO;QACL,OAAO;QACP,sBAAsB,EAAE,KAAK,CAAC,aAAa,IAAI,MAAM,CAAC,sBAAsB;QAC5E,WAAW,EAAE,KAAK,CAAC,WAAW,IAAI,MAAM,CAAC,WAAW;QACpD,YAAY,EAAE,KAAK,CAAC,QAAQ,IAAI,MAAM,CAAC,YAAY;KACpD,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CACtB,MAAgD,EAChD,MAAc,EACd,YAAqB,EACrB,KAAc;IAEd,MAAM,GAAG,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC;IACtC,MAAM,IAAI,GAAG,MAAM,CAAC,OAAO,CAAC,YAAY,CAAC;IACzC,MAAM,KAAK,GAAG;QACZ,EAAE;QACF,QAAQ,CAAC,kBAAkB,EAAE,MAAM,EAAE,KAAK,CAAC;QAC3C,WAAW,MAAM,CAAC,UAAU,EAAE;QAC9B,iBAAiB,MAAM,CAAC,OAAO,CAAC,eAAe,EAAE;QACjD,aAAa,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE;QAC3C,sBAAsB,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,QAAQ,CAAC,EAAE,SAAS,EAAE,KAAK,CAAC,SAAS,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,WAAW,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,YAAY,QAAQ,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QAC1R,oBAAoB,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,WAAW,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,QAAQ,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,YAAY,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE;QACnO,YAAY,MAAM,EAAE;QACpB,kBAAkB,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,EAAE,OAAO,EAAE,KAAK,CAAC,EAAE;KAClG,CAAC;IACF,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAyD,EAAE,KAAc;IACrG,MAAM,KAAK,GAAG;QACZ,EAAE;QACF,QAAQ,CAAC,oBAAoB,EAAE,MAAM,EAAE,KAAK,CAAC;QAC7C,WAAW,MAAM,CAAC,WAAW,EAAE;QAC/B,iBAAiB,MAAM,CAAC,eAAe,EAAE;QACzC,YAAY,MAAM,CAAC,YAAY,EAAE;QACjC,gBAAgB,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,OAAO,EAAE,KAAK,CAAC,UAAU,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,QAAQ,EAAE,KAAK,CAAC,YAAY,QAAQ,CAAC,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,KAAK,EAAE,KAAK,CAAC,EAAE;KAC7M,CAAC;IACF,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,SAAS,iBAAiB,CACxB,MAAgD,EAChD,IAAsB,EACtB,KAAc;IAEd,IAAI,IAAI,KAAK,MAAM;QAAE,OAAO,EAAE,CAAC;IAE/B,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC;IAE9C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,KAAK,QAAQ,CAAC,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,4BAA4B,CAAC;IACrF,CAAC;IAED,MAAM,KAAK,GAAG,CAAC,EAAE,EAAE,QAAQ,CAAC,iBAAiB,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;IAC/D,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,OAAO,GAAG,OAAO,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QAChF,MAAM,aAAa,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;QAC9C,MAAM,aAAa,GAAG,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,mBAAmB,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAC9F,KAAK,CAAC,IAAI,CACR,KAAK,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,KAAK,CAAC,IAAI,OAAO,CAAC,WAAW,IAAI,OAAO,CAAC,OAAO,EAAE;YACjH,eAAe,OAAO,CAAC,UAAU,WAAW,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,aAAa,aAAa,EAAE;YACrG,WAAW,OAAO,CAAC,MAAM,GAAG,aAAa,QAAQ,OAAO,IAAI,KAAK,EAAE,CACtE,CAAC;IACJ,CAAC;IACD,OAAO,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;AACjC,CAAC;AAED,SAAS,cAAc,CACrB,MAAgD,EAChD,IAAsB;IAEtB,IAAI,IAAI,KAAK,KAAK;QAAE,OAAO,MAAM,CAAC,QAAQ,CAAC;IAC3C,IAAI,IAAI,KAAK,eAAe,EAAE,CAAC;QAC7B,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC;IAC3F,CAAC;IACD,IAAI,IAAI,KAAK,WAAW,EAAE,CAAC;QACzB,OAAO,MAAM,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,IAAI,CAAC,CAAC,QAAQ,KAAK,MAAM,IAAI,CAAC,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC;IACtH,CAAC;IACD,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,aAAa,CAAC,QAAkB;IACvC,IAAI,QAAQ,KAAK,UAAU;QAAE,OAAO,SAAS,CAAC;IAC9C,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,QAAQ,CAAC;IAC3C,IAAI,QAAQ,KAAK,KAAK;QAAE,OAAO,OAAO,CAAC;IACvC,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,QAAQ,CAAC,MAA2B;IAC3C,OAAO,OAAO,CAAC,MAAM,CAAC,KAAK,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,QAAQ,CAAC,IAAY,EAAE,KAA+D,EAAE,OAAgB;IAC/G,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC;IAC1B,MAAM,IAAI,GAAiC;QACzC,GAAG,EAAE,EAAE;QACP,MAAM,EAAE,EAAE;QACV,KAAK,EAAE,EAAE;QACT,IAAI,EAAE,EAAE;QACR,OAAO,EAAE,EAAE;QACX,IAAI,EAAE,EAAE;KACT,CAAC;IACF,OAAO,UAAU,IAAI,CAAC,KAAK,CAAC,IAAI,IAAI,WAAW,CAAC;AAClD,CAAC"}

package/package.json ADDED Viewed

@@ -0,0 +1,21 @@
+{
+  "version": "0.1.4",
+  "name": "bardscan",
+  "type": "module",
+  "bin": {
+    "bardscan": "dist/index.js"
+  },
+  "scripts": {
+    "build": "tsc -p tsconfig.json",
+    "lint": "eslint src test --ext .ts",
+    "test": "corepack pnpm --filter @bardscan/core build && node --test --import tsx test/*.test.ts"
+  },
+  "dependencies": {
+    "@bardscan/core": "workspace:*",
+    "yargs": "^17.7.2"
+  },
+  "devDependencies": {
+    "@types/yargs": "^17.0.33",
+    "tsx": "^4.19.2"
+  }
+}

package/src/index.ts ADDED Viewed

@@ -0,0 +1,407 @@
+#!/usr/bin/env node
+import { mkdir, writeFile } from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import { pathToFileURL } from 'node:url';
+import yargs from 'yargs';
+import { hideBin } from 'yargs/helpers';
+import * as core from '@bardscan/core';
+import { Severity } from '@bardscan/core';
+export interface CliDeps {
+  mkdir: typeof mkdir;
+  writeFile: typeof writeFile;
+  runScan: typeof core.runScan;
+  updateAdvisoryDb: typeof core.updateAdvisoryDb;
+  buildMarkdownReport: typeof core.buildMarkdownReport;
+  buildSarifReport: (report: Awaited<ReturnType<typeof core.runScan>>) => object;
+  shouldFail: typeof core.shouldFail;
+  redactReportPaths: typeof core.redactReportPaths;
+  stdout: { write: (text: string) => void; isTTY?: boolean };
+  stderr: { write: (text: string) => void };
+}
+type FailOn = Severity | 'none';
+type ListFindingsMode = 'none' | 'critical-high' | 'medium-up' | 'all';
+type PrivacyMode = 'strict' | 'standard';
+type EvidenceMode = 'none' | 'imports';
+const defaultDeps: CliDeps = {
+  mkdir,
+  writeFile,
+  runScan: core.runScan,
+  updateAdvisoryDb: core.updateAdvisoryDb,
+  buildMarkdownReport: core.buildMarkdownReport,
+  buildSarifReport: (report) =>
+    typeof (core as { buildSarifReport?: (r: typeof report) => object }).buildSarifReport === 'function'
+      ? (core as { buildSarifReport: (r: typeof report) => object }).buildSarifReport(report)
+      : {
+          version: '2.1.0',
+          runs: []
+        },
+  shouldFail: core.shouldFail,
+  redactReportPaths: core.redactReportPaths,
+  stdout: process.stdout,
+  stderr: process.stderr
+};
+export async function runCli(rawArgs: string[], deps: CliDeps = defaultDeps): Promise<number> {
+  let exitCode = 0;
+  const parser = yargs(rawArgs)
+    .scriptName('bardscan')
+    .command(
+      'scan [path]',
+      'Scan a TypeScript project for vulnerable npm dependencies',
+      (cmd) =>
+        cmd
+          .positional('path', {
+            type: 'string',
+            default: '.',
+            describe: 'Project path to scan'
+          })
+          .option('format', {
+            choices: ['json', 'md', 'sarif', 'both'] as const,
+            default: 'both'
+          })
+          .option('out-dir', {
+            type: 'string',
+            default: path.join(os.tmpdir(), 'bardscan')
+          })
+          .option('fail-on', {
+            choices: ['critical', 'high', 'medium', 'low', 'none'] as const,
+            default: 'high'
+          })
+          .option('privacy', {
+            choices: ['strict', 'standard'] as const,
+            default: 'strict',
+            describe: 'Privacy preset that controls network and output defaults'
+          })
+          .option('online', {
+            type: 'boolean',
+            default: false,
+            describe: 'Enable online advisory lookups during scan'
+          })
+          .option('offline', {
+            type: 'boolean',
+            describe: 'Force cache-only scan mode'
+          })
+          .option('unknown-as', {
+            choices: ['critical', 'high', 'medium', 'low', 'unknown'] as const,
+            default: 'unknown'
+          })
+          .option('refresh-cache', {
+            type: 'boolean',
+            default: false
+          })
+          .option('osv-url', {
+            type: 'string',
+            describe: 'Custom OSV API base URL (for mirrors/proxies)'
+          })
+          .option('fallback-calls', {
+            type: 'boolean',
+            describe: 'Allow secondary network fallbacks for unresolved severities'
+          })
+          .option('redact-paths', {
+            type: 'boolean',
+            describe: 'Redact target path and evidence paths in outputs'
+          })
+          .option('evidence', {
+            choices: ['none', 'imports'] as const,
+            describe: 'Evidence collection mode'
+          })
+          .option('telemetry', {
+            choices: ['off', 'on'] as const,
+            describe: 'Reserved telemetry mode (default off)'
+          })
+          .option('list-findings', {
+            choices: ['none', 'critical-high', 'medium-up', 'all'] as const,
+            default: 'none',
+            describe: 'Print finding details in CLI output'
+          })
+          .option('findings-json', {
+            type: 'string',
+            describe: 'Write filtered finding details as JSON'
+          }),
+      async (argv) => {
+        try {
+          const projectPath = path.resolve(String(argv.path));
+          const outDir = path.resolve(String(argv.outDir));
+          const settings = resolveScanSettings({
+            privacy: argv.privacy as PrivacyMode,
+            online: Boolean(argv.online),
+            offline: argv.offline,
+            fallbackCalls: argv.fallbackCalls,
+            redactPaths: argv.redactPaths,
+            evidence: argv.evidence as EvidenceMode | undefined,
+            telemetry: argv.telemetry as 'off' | 'on' | undefined
+          });
+          await deps.mkdir(outDir, { recursive: true });
+          const report = await deps.runScan({
+            projectPath,
+            outDir,
+            failOn: argv.failOn as FailOn,
+            offline: settings.offline,
+            unknownAs: argv.unknownAs as Severity,
+            refreshCache: Boolean(argv.refreshCache),
+            osvUrl: argv.osvUrl ? String(argv.osvUrl) : undefined,
+            enableNetworkFallbacks: settings.enableNetworkFallbacks,
+            evidenceMode: settings.evidenceMode
+          });
+          const redact = typeof deps.redactReportPaths === 'function' ? deps.redactReportPaths : (r: typeof report) => r;
+          const displayReport = settings.redactPaths ? redact(report) : report;
+          const jsonPath = path.join(outDir, 'report.json');
+          const mdPath = path.join(outDir, 'report.md');
+          const sarifPath = path.join(outDir, 'report.sarif');
+          if (argv.format === 'json' || argv.format === 'both') {
+            await deps.writeFile(jsonPath, JSON.stringify(displayReport, null, 2));
+            deps.stdout.write(`${jsonPath}\n`);
+          }
+          if (argv.format === 'md' || argv.format === 'both') {
+            await deps.writeFile(mdPath, deps.buildMarkdownReport(displayReport));
+            deps.stdout.write(`${mdPath}\n`);
+          }
+          if (argv.format === 'sarif') {
+            await deps.writeFile(sarifPath, JSON.stringify(deps.buildSarifReport(displayReport), null, 2));
+            deps.stdout.write(`${sarifPath}\n`);
+          }
+          const thresholdHit =
+            argv.failOn !== 'none' &&
+            report.findings.some((f) => deps.shouldFail(argv.failOn as FailOn, f.severity));
+          deps.stdout.write(buildCliSummary(displayReport, String(argv.failOn), thresholdHit, useColor(deps.stdout)));
+          deps.stdout.write(buildFindingsList(displayReport, argv.listFindings as ListFindingsMode, useColor(deps.stdout)));
+          if (argv.findingsJson) {
+            const findingsJsonPath = path.resolve(String(argv.findingsJson));
+            const filteredFindings = filterFindings(displayReport, argv.listFindings as ListFindingsMode);
+            await deps.writeFile(findingsJsonPath, JSON.stringify(filteredFindings, null, 2));
+            deps.stdout.write(`${findingsJsonPath}\n`);
+          }
+          if (thresholdHit) {
+            exitCode = 1;
+            return;
+          }
+          exitCode = 0;
+        } catch (error) {
+          deps.stderr.write(`${(error as Error).message}\n`);
+          exitCode = 2;
+        }
+      }
+    )
+    .command(
+      'db update [path]',
+      'Refresh advisory cache for dependencies in the project lockfile',
+      (cmd) =>
+        cmd
+          .positional('path', {
+            type: 'string',
+            default: '.',
+            describe: 'Project path to index dependencies from'
+          })
+          .option('out-dir', {
+            type: 'string',
+            default: path.join(os.tmpdir(), 'bardscan')
+          })
+          .option('refresh-cache', {
+            type: 'boolean',
+            default: false
+          })
+          .option('osv-url', {
+            type: 'string',
+            describe: 'Custom OSV API base URL (for mirrors/proxies)'
+          })
+          .option('fallback-calls', {
+            type: 'boolean',
+            default: true,
+            describe: 'Allow secondary network fallbacks for unresolved severities'
+          }),
+      async (argv) => {
+        try {
+          const projectPath = path.resolve(String(argv.path));
+          const outDir = path.resolve(String(argv.outDir));
+          await deps.mkdir(outDir, { recursive: true });
+          const update = await deps.updateAdvisoryDb({
+            projectPath,
+            outDir,
+            refreshCache: Boolean(argv.refreshCache),
+            osvUrl: argv.osvUrl ? String(argv.osvUrl) : undefined,
+            enableNetworkFallbacks: Boolean(argv.fallbackCalls)
+          });
+          deps.stdout.write(buildDbUpdateSummary(update, useColor(deps.stdout)));
+          exitCode = 0;
+        } catch (error) {
+          deps.stderr.write(`${(error as Error).message}\n`);
+          exitCode = 2;
+        }
+      }
+    )
+    .demandCommand(1)
+    .strict()
+    .help();
+  await parser.parseAsync();
+  return exitCode;
+}
+if (import.meta.url === pathToFileURL(process.argv[1] ?? '').href) {
+  void runCli(hideBin(process.argv)).then((code) => {
+    process.exitCode = code;
+  });
+}
+function resolveScanSettings(input: {
+  privacy: PrivacyMode;
+  online: boolean;
+  offline: boolean | undefined;
+  fallbackCalls: boolean | undefined;
+  redactPaths: boolean | undefined;
+  evidence: EvidenceMode | undefined;
+  telemetry: 'off' | 'on' | undefined;
+}): {
+  offline: boolean;
+  enableNetworkFallbacks: boolean;
+  redactPaths: boolean;
+  evidenceMode: EvidenceMode;
+} {
+  const preset =
+    input.privacy === 'strict'
+      ? {
+          offline: true,
+          enableNetworkFallbacks: false,
+          redactPaths: true,
+          evidenceMode: 'none' as EvidenceMode,
+          telemetry: 'off' as const
+        }
+      : {
+          offline: true,
+          enableNetworkFallbacks: true,
+          redactPaths: false,
+          evidenceMode: 'imports' as EvidenceMode,
+          telemetry: 'off' as const
+        };
+  let offline = preset.offline;
+  if (input.online) offline = false;
+  if (typeof input.offline === 'boolean') offline = input.offline;
+  if (input.privacy === 'strict' && !offline) {
+    throw new Error('privacy strict disallows online scanning. Remove --online or use --privacy standard.');
+  }
+  if ((input.telemetry ?? preset.telemetry) === 'on' && input.privacy === 'strict') {
+    throw new Error('privacy strict disallows telemetry.');
+  }
+  return {
+    offline,
+    enableNetworkFallbacks: input.fallbackCalls ?? preset.enableNetworkFallbacks,
+    redactPaths: input.redactPaths ?? preset.redactPaths,
+    evidenceMode: input.evidence ?? preset.evidenceMode
+  };
+}
+function buildCliSummary(
+  report: Awaited<ReturnType<typeof core.runScan>>,
+  failOn: string,
+  thresholdHit: boolean,
+  color: boolean
+): string {
+  const sev = report.summary.bySeverity;
+  const conf = report.summary.byConfidence;
+  const lines = [
+    '',
+    colorize('bardscan summary', 'cyan', color),
+    `target: ${report.targetPath}`,
+    `dependencies: ${report.summary.dependencyCount}`,
+    `findings: ${report.summary.findingsCount}`,
+    `severity: critical=${colorize(String(sev.critical), 'magenta', color)} high=${colorize(String(sev.high), 'red', color)} medium=${colorize(String(sev.medium), 'yellow', color)} low=${colorize(String(sev.low), 'green', color)} unknown=${colorize(String(sev.unknown), 'gray', color)}`,
+    `confidence: high=${colorize(String(conf.high), 'green', color)} medium=${colorize(String(conf.medium), 'yellow', color)} low=${colorize(String(conf.low), 'red', color)} unknown=${colorize(String(conf.unknown), 'gray', color)}`,
+    `fail-on: ${failOn}`,
+    `threshold hit: ${thresholdHit ? colorize('yes', 'red', color) : colorize('no', 'green', color)}`
+  ];
+  return `${lines.join('\n')}\n`;
+}
+function buildDbUpdateSummary(update: Awaited<ReturnType<typeof core.updateAdvisoryDb>>, color: boolean): string {
+  const lines = [
+    '',
+    colorize('bardscan db update', 'cyan', color),
+    `target: ${update.projectPath}`,
+    `dependencies: ${update.dependencyCount}`,
+    `queried: ${update.queriedCount}`,
+    `sources: osv=${colorize(String(update.bySource.osv), 'green', color)} cache=${colorize(String(update.bySource.cache), 'yellow', color)} unknown=${colorize(String(update.bySource.unknown), 'red', color)}`
+  ];
+  return `${lines.join('\n')}\n`;
+}
+function buildFindingsList(
+  report: Awaited<ReturnType<typeof core.runScan>>,
+  mode: ListFindingsMode,
+  color: boolean
+): string {
+  if (mode === 'none') return '';
+  const filtered = filterFindings(report, mode);
+  if (filtered.length === 0) {
+    return `\n${colorize('finding details', 'cyan', color)}\n(no matching findings)\n`;
+  }
+  const lines = ['', colorize('finding details', 'cyan', color)];
+  for (const finding of filtered) {
+    const vulnIds = finding.vulnerabilities.slice(0, 3).map((v) => v.id).join(', ');
+    const evidenceCount = finding.evidence.length;
+    const unknownReason = finding.unknownReason ? ` unknown-reason=${finding.unknownReason}` : '';
+    lines.push(
+      `- ${colorize(finding.severity, severityColor(finding.severity), color)} ${finding.packageName}@${finding.version}` +
+        ` confidence=${finding.confidence} direct=${finding.direct ? 'yes' : 'no'} evidence=${evidenceCount}` +
+        ` source=${finding.source}${unknownReason} ids=${vulnIds || 'n/a'}`
+    );
+  }
+  return `${lines.join('\n')}\n`;
+}
+function filterFindings(
+  report: Awaited<ReturnType<typeof core.runScan>>,
+  mode: ListFindingsMode
+): Awaited<ReturnType<typeof core.runScan>>['findings'] {
+  if (mode === 'all') return report.findings;
+  if (mode === 'critical-high') {
+    return report.findings.filter((f) => f.severity === 'critical' || f.severity === 'high');
+  }
+  if (mode === 'medium-up') {
+    return report.findings.filter((f) => f.severity === 'critical' || f.severity === 'high' || f.severity === 'medium');
+  }
+  return [];
+}
+function severityColor(severity: Severity): 'magenta' | 'red' | 'yellow' | 'green' | 'gray' {
+  if (severity === 'critical') return 'magenta';
+  if (severity === 'high') return 'red';
+  if (severity === 'medium') return 'yellow';
+  if (severity === 'low') return 'green';
+  return 'gray';
+}
+function useColor(stdout: { isTTY?: boolean }): boolean {
+  return Boolean(stdout.isTTY && !process.env.NO_COLOR);
+}
+function colorize(text: string, color: 'red' | 'yellow' | 'green' | 'cyan' | 'magenta' | 'gray', enabled: boolean): string {
+  if (!enabled) return text;
+  const code: Record<typeof color, number> = {
+    red: 31,
+    yellow: 33,
+    green: 32,
+    cyan: 36,
+    magenta: 35,
+    gray: 90
+  };
+  return `\u001b[${code[color]}m${text}\u001b[0m`;
+}

package/test/cli.test.ts ADDED Viewed

@@ -0,0 +1,381 @@
+import assert from 'node:assert/strict';
+import { mkdtemp } from 'node:fs/promises';
+import os from 'node:os';
+import path from 'node:path';
+import test from 'node:test';
+import { CliDeps, runCli } from '../src/index.js';
+function makeReport(severity: 'critical' | 'high' | 'medium' | 'low' | 'unknown') {
+  return {
+    targetPath: '/tmp/project',
+    generatedAt: '2026-02-19T00:00:00.000Z',
+    failOn: 'high',
+    summary: {
+      dependencyCount: 1,
+      scannedFiles: 1,
+      findingsCount: 1,
+      bySeverity: {
+        critical: severity === 'critical' ? 1 : 0,
+        high: severity === 'high' ? 1 : 0,
+        medium: severity === 'medium' ? 1 : 0,
+        low: severity === 'low' ? 1 : 0,
+        unknown: severity === 'unknown' ? 1 : 0
+      },
+      byConfidence: { high: 1, medium: 0, low: 0, unknown: 0 }
+    },
+    findings: [
+      {
+        packageName: 'lodash',
+        version: '4.17.21',
+        direct: true,
+        severity,
+        severitySource: 'osv_label',
+        confidence: 'high',
+        evidence: ['src/index.ts'],
+        vulnerabilities: [{ id: 'OSV-1', severity, severitySource: 'osv_label' }],
+        source: 'osv'
+      }
+    ]
+  };
+}
+test('runCli writes only JSON report and returns exit code 1 on threshold match', async () => {
+  const outDir = await mkdtemp(path.join(os.tmpdir(), 'bardscan-cli-json-'));
+  const writes: string[] = [];
+  const stdout: string[] = [];
+  const stderr: string[] = [];
+  const deps: CliDeps = {
+    mkdir: async () => undefined,
+    writeFile: async (filePath) => {
+      writes.push(String(filePath));
+    },
+    runScan: async () => makeReport('high'),
+    buildMarkdownReport: () => '# report',
+    buildSarifReport: () => ({ version: '2.1.0', runs: [] }),
+    shouldFail: (failOn, findingSeverity) => failOn === findingSeverity,
+    stdout: { write: (text: string) => stdout.push(text) },
+    stderr: { write: (text: string) => stderr.push(text) }
+  };
+  const code = await runCli(['scan', '.', '--format', 'json', '--out-dir', outDir, '--fail-on', 'high'], deps);
+  assert.equal(code, 1);
+  assert.equal(stderr.length, 0);
+  assert.equal(writes.length, 1);
+  assert.equal(writes[0], path.resolve(outDir, 'report.json'));
+  assert.match(stdout.join(''), /report\.json/);
+  assert.doesNotMatch(stdout.join(''), /report\.md/);
+  assert.match(stdout.join(''), /bardscan summary/);
+  assert.match(stdout.join(''), /threshold hit: yes/);
+});
+test('runCli writes only Markdown report and returns exit code 0 for fail-on none', async () => {
+  const outDir = await mkdtemp(path.join(os.tmpdir(), 'bardscan-cli-md-'));
+  const writes: string[] = [];
+  const stdout: string[] = [];
+  const deps: CliDeps = {
+    mkdir: async () => undefined,
+    writeFile: async (filePath) => {
+      writes.push(String(filePath));
+    },
+    runScan: async () => makeReport('critical'),
+    buildMarkdownReport: () => '# markdown-report',
+    buildSarifReport: () => ({ version: '2.1.0', runs: [] }),
+    shouldFail: () => true,
+    stdout: { write: (text: string) => stdout.push(text) },
+    stderr: { write: () => undefined }
+  };
+  const code = await runCli(['scan', '.', '--format', 'md', '--out-dir', outDir, '--fail-on', 'none'], deps);
+  assert.equal(code, 0);
+  assert.equal(writes.length, 1);
+  assert.equal(writes[0], path.resolve(outDir, 'report.md'));
+  assert.match(stdout.join(''), /report\.md/);
+  assert.doesNotMatch(stdout.join(''), /report\.json/);
+  assert.match(stdout.join(''), /bardscan summary/);
+  assert.match(stdout.join(''), /threshold hit: no/);
+});
+test('runCli returns exit code 2 and writes to stderr on tool errors', async () => {
+  const outDir = await mkdtemp(path.join(os.tmpdir(), 'bardscan-cli-err-'));
+  const stderr: string[] = [];
+  const deps: CliDeps = {
+    mkdir: async () => undefined,
+    writeFile: async () => undefined,
+    runScan: async () => {
+      throw new Error('boom');
+    },
+    buildMarkdownReport: () => '# report',
+    buildSarifReport: () => ({ version: '2.1.0', runs: [] }),
+    shouldFail: () => false,
+    stdout: { write: () => undefined },
+    stderr: { write: (text: string) => stderr.push(text) }
+  };
+  const code = await runCli(['scan', '.', '--format', 'both', '--out-dir', outDir], deps);
+  assert.equal(code, 2);
+  assert.match(stderr.join(''), /boom/);
+});
+test('runCli writes SARIF report when format is sarif', async () => {
+  const outDir = await mkdtemp(path.join(os.tmpdir(), 'bardscan-cli-sarif-'));
+  const writes: string[] = [];
+  const deps: CliDeps = {
+    mkdir: async () => undefined,
+    writeFile: async (filePath) => {
+      writes.push(String(filePath));
+    },
+    runScan: async () => makeReport('medium'),
+    buildMarkdownReport: () => '# report',
+    buildSarifReport: () => ({ version: '2.1.0', runs: [{ tool: { driver: { name: 'bardscan' } }, results: [] }] }),
+    shouldFail: () => false,
+    stdout: { write: () => undefined },
+    stderr: { write: () => undefined }
+  };
+  const code = await runCli(['scan', '.', '--format', 'sarif', '--out-dir', outDir, '--fail-on', 'none'], deps);
+  assert.equal(code, 0);
+  assert.equal(writes.length, 1);
+  assert.equal(writes[0], path.resolve(outDir, 'report.sarif'));
+});
+test('runCli colorizes summary output when stdout is a TTY', async () => {
+  const outDir = await mkdtemp(path.join(os.tmpdir(), 'bardscan-cli-color-'));
+  const stdout: string[] = [];
+  const previousNoColor = process.env.NO_COLOR;
+  delete process.env.NO_COLOR;
+  const deps: CliDeps = {
+    mkdir: async () => undefined,
+    writeFile: async () => undefined,
+    runScan: async () => makeReport('high'),
+    buildMarkdownReport: () => '# report',
+    buildSarifReport: () => ({ version: '2.1.0', runs: [] }),
+    shouldFail: (failOn, findingSeverity) => failOn === findingSeverity,
+    stdout: { write: (text: string) => stdout.push(text), isTTY: true },
+    stderr: { write: () => undefined }
+  };
+  try {
+    const code = await runCli(['scan', '.', '--format', 'json', '--out-dir', outDir, '--fail-on', 'high'], deps);
+    assert.equal(code, 1);
+    const output = stdout.join('');
+    assert.equal(output.includes('\u001b[36mbardscan summary\u001b[0m'), true);
+    assert.equal(output.includes('\u001b[31myes\u001b[0m'), true);
+  } finally {
+    if (previousNoColor === undefined) {
+      delete process.env.NO_COLOR;
+    } else {
+      process.env.NO_COLOR = previousNoColor;
+    }
+  }
+});
+test('runCli lists critical/high findings when list mode is critical-high', async () => {
+  const outDir = await mkdtemp(path.join(os.tmpdir(), 'bardscan-cli-list-hi-'));
+  const stdout: string[] = [];
+  const deps: CliDeps = {
+    mkdir: async () => undefined,
+    writeFile: async () => undefined,
+    runScan: async () => ({
+      targetPath: '/tmp/project',
+      generatedAt: '2026-02-19T00:00:00.000Z',
+      failOn: 'none',
+      summary: {
+        dependencyCount: 2,
+        scannedFiles: 1,
+        findingsCount: 2,
+        bySeverity: { critical: 0, high: 1, medium: 0, low: 1, unknown: 0 },
+        byConfidence: { high: 1, medium: 1, low: 0, unknown: 0 }
+      },
+      findings: [
+        {
+          packageName: 'high-pkg',
+          version: '1.0.0',
+          direct: true,
+          severity: 'high',
+          severitySource: 'osv_label',
+          confidence: 'high',
+          evidence: ['src/a.ts'],
+          vulnerabilities: [{ id: 'OSV-HIGH', severity: 'high', severitySource: 'osv_label' }],
+          source: 'osv'
+        },
+        {
+          packageName: 'low-pkg',
+          version: '1.0.0',
+          direct: false,
+          severity: 'low',
+          severitySource: 'osv_label',
+          confidence: 'low',
+          evidence: ['src/b.ts'],
+          vulnerabilities: [{ id: 'OSV-LOW', severity: 'low', severitySource: 'osv_label' }],
+          source: 'osv'
+        }
+      ]
+    }),
+    buildMarkdownReport: () => '# report',
+    buildSarifReport: () => ({ version: '2.1.0', runs: [] }),
+    shouldFail: () => false,
+    stdout: { write: (text: string) => stdout.push(text) },
+    stderr: { write: () => undefined }
+  };
+  const code = await runCli(
+    ['scan', '.', '--format', 'json', '--out-dir', outDir, '--fail-on', 'none', '--list-findings', 'critical-high'],
+    deps
+  );
+  assert.equal(code, 0);
+  const output = stdout.join('');
+  assert.match(output, /finding details/);
+  assert.match(output, /high-pkg@1.0.0/);
+  assert.doesNotMatch(output, /low-pkg@1.0.0/);
+});
+test('runCli lists medium/high/critical findings when list mode is medium-up', async () => {
+  const outDir = await mkdtemp(path.join(os.tmpdir(), 'bardscan-cli-list-med-'));
+  const stdout: string[] = [];
+  const deps: CliDeps = {
+    mkdir: async () => undefined,
+    writeFile: async () => undefined,
+    runScan: async () => ({
+      targetPath: '/tmp/project',
+      generatedAt: '2026-02-19T00:00:00.000Z',
+      failOn: 'none',
+      summary: {
+        dependencyCount: 3,
+        scannedFiles: 1,
+        findingsCount: 3,
+        bySeverity: { critical: 0, high: 1, medium: 1, low: 1, unknown: 0 },
+        byConfidence: { high: 1, medium: 2, low: 0, unknown: 0 }
+      },
+      findings: [
+        {
+          packageName: 'high-pkg',
+          version: '1.0.0',
+          direct: true,
+          severity: 'high',
+          severitySource: 'osv_label',
+          confidence: 'high',
+          evidence: ['src/a.ts'],
+          vulnerabilities: [{ id: 'OSV-HIGH', severity: 'high', severitySource: 'osv_label' }],
+          source: 'osv'
+        },
+        {
+          packageName: 'medium-pkg',
+          version: '1.0.0',
+          direct: true,
+          severity: 'medium',
+          severitySource: 'osv_label',
+          confidence: 'medium',
+          evidence: [],
+          vulnerabilities: [{ id: 'OSV-MED', severity: 'medium', severitySource: 'osv_label' }],
+          source: 'osv'
+        },
+        {
+          packageName: 'low-pkg',
+          version: '1.0.0',
+          direct: false,
+          severity: 'low',
+          severitySource: 'osv_label',
+          confidence: 'low',
+          evidence: ['src/b.ts'],
+          vulnerabilities: [{ id: 'OSV-LOW', severity: 'low', severitySource: 'osv_label' }],
+          source: 'osv'
+        }
+      ]
+    }),
+    buildMarkdownReport: () => '# report',
+    buildSarifReport: () => ({ version: '2.1.0', runs: [] }),
+    shouldFail: () => false,
+    stdout: { write: (text: string) => stdout.push(text) },
+    stderr: { write: () => undefined }
+  };
+  const code = await runCli(
+    ['scan', '.', '--format', 'json', '--out-dir', outDir, '--fail-on', 'none', '--list-findings', 'medium-up'],
+    deps
+  );
+  assert.equal(code, 0);
+  const output = stdout.join('');
+  assert.match(output, /high-pkg@1.0.0/);
+  assert.match(output, /medium-pkg@1.0.0/);
+  assert.doesNotMatch(output, /low-pkg@1.0.0/);
+});
+test('runCli writes filtered findings JSON when findings-json is set', async () => {
+  const outDir = await mkdtemp(path.join(os.tmpdir(), 'bardscan-cli-findings-json-'));
+  const writes: Array<{ filePath: string; content: string }> = [];
+  const deps: CliDeps = {
+    mkdir: async () => undefined,
+    writeFile: async (filePath, content) => {
+      writes.push({ filePath: String(filePath), content: String(content) });
+    },
+    runScan: async () => ({
+      targetPath: '/tmp/project',
+      generatedAt: '2026-02-19T00:00:00.000Z',
+      failOn: 'none',
+      summary: {
+        dependencyCount: 2,
+        scannedFiles: 1,
+        findingsCount: 2,
+        bySeverity: { critical: 0, high: 1, medium: 0, low: 1, unknown: 0 },
+        byConfidence: { high: 1, medium: 1, low: 0, unknown: 0 }
+      },
+      findings: [
+        {
+          packageName: 'high-pkg',
+          version: '1.0.0',
+          direct: true,
+          severity: 'high',
+          severitySource: 'osv_label',
+          confidence: 'high',
+          evidence: ['src/a.ts'],
+          vulnerabilities: [{ id: 'OSV-HIGH', severity: 'high', severitySource: 'osv_label' }],
+          source: 'osv'
+        },
+        {
+          packageName: 'low-pkg',
+          version: '1.0.0',
+          direct: false,
+          severity: 'low',
+          severitySource: 'osv_label',
+          confidence: 'low',
+          evidence: ['src/b.ts'],
+          vulnerabilities: [{ id: 'OSV-LOW', severity: 'low', severitySource: 'osv_label' }],
+          source: 'osv'
+        }
+      ]
+    }),
+    buildMarkdownReport: () => '# report',
+    buildSarifReport: () => ({ version: '2.1.0', runs: [] }),
+    shouldFail: () => false,
+    stdout: { write: () => undefined },
+    stderr: { write: () => undefined }
+  };
+  const findingsJsonPath = path.join(outDir, 'filtered-findings.json');
+  const code = await runCli(
+    [
+      'scan',
+      '.',
+      '--format',
+      'json',
+      '--out-dir',
+      outDir,
+      '--fail-on',
+      'none',
+      '--list-findings',
+      'critical-high',
+      '--findings-json',
+      findingsJsonPath
+    ],
+    deps
+  );
+  assert.equal(code, 0);
+  const findingsWrite = writes.find((w) => w.filePath === path.resolve(findingsJsonPath));
+  assert.ok(findingsWrite);
+  const parsed = JSON.parse(findingsWrite.content) as Array<{ packageName: string }>;
+  assert.equal(parsed.length, 1);
+  assert.equal(parsed[0]?.packageName, 'high-pkg');
+});

package/tsconfig.json ADDED Viewed

@@ -0,0 +1,8 @@
+{
+  "extends": "../../tsconfig.base.json",
+  "compilerOptions": {
+    "outDir": "dist",
+    "rootDir": "src"
+  },
+  "include": ["src"]
+}