bun-ready 0.2.5 → 0.3.0

package/README.md

@@ -23,7 +23,7 @@ bun-ready scan .
 
 ## Usage
 ```bash
-bun-ready scan <path> [--format md|json] [--out <file>] [--no-install] [--no-test] [--verbose] [--detailed]
+bun-ready scan <path> [--format md|json|sarif] [--out <file>] [--no-install] [--no-test] [--verbose] [--detailed] [--scope root|packages|all] [--fail-on green|yellow|red] [--ci] [--output-dir <dir>] [--rule <id>=<action>] [--max-warnings <n>] [--baseline <file>] [--update-baseline] [--changed-only] [--since <ref>]
 ```
 
 ## Examples:
@@ -238,6 +238,119 @@ Add it to the allowlist:
 
 Some packages have optional native modules that can be disabled or work fine with Bun.
 
+## v0.3 New Features
+
+### CI Mode
+
+Run in CI mode for stable, machine-friendly output:
+
+```bash
+bun-ready scan . --ci --output-dir .bun-ready-artifacts
+```
+
+**CI Mode Benefits:**
+- Reduced "human noise" in stdout
+- Stable section ordering in reports
+- CI summary block with top findings and next actions
+- Automatic artifact generation when `--output-dir` is specified
+
+### SARIF Export
+
+Generate SARIF 2.1.0 format for GitHub Code Scanning:
+
+```bash
+bun-ready scan . --format sarif --out bun-ready.sarif.json
+```
+
+### Policy-as-Code
+
+Enforce organization-specific migration policies:
+
+```bash
+# CLI flags
+bun-ready scan . --rule deps.native_addons=fail --max-warnings 5
+
+# Or in config file
+{
+  "rules": [
+    { "id": "deps.native_addons", "action": "fail" },
+    { "id": "scripts.lifecycle", "action": "off" }
+  ],
+  "thresholds": {
+    "maxWarnings": 10,
+    "maxPackagesRed": 2
+  }
+}
+```
+
+**Policy Sources** (priority order):
+1. CLI flags (`--rule`, `--max-warnings`)
+2. `bun-ready.config.json` file
+3. Default rules
+
+**Policy Actions:**
+- `fail` - Mark finding as failure
+- `warn` - Downgrade to warning
+- `off` - Disable this finding
+- `ignore` - Ignore this finding (don't report)
+
+### Baseline / Regression Detection
+
+Prevent regressions by comparing against a baseline:
+
+```bash
+# Create baseline (first time)
+bun-ready scan . --baseline bun-ready-baseline.json --update-baseline
+
+# In CI - compare against baseline
+bun-ready scan . --baseline bun-ready-baseline.json --ci
+```
+
+**Baseline Features:**
+- Detects new findings
+- Detects resolved findings
+- Detects severity changes (upgrades/downgrades)
+- Regression verdict: fails if new red findings or increased failures
+- Update baseline with `--update-baseline`
+
+### Changed-Only Scanning (Monorepos)
+
+Scan only changed packages to speed up large monorepo PRs:
+
+```bash
+bun-ready scan . --changed-only --since main
+```
+
+**Changed-Only Verdict Types:**
+- **Partial verdict** (no baseline): Warning about partial coverage
+- **Regression verdict** (with baseline): OK - comparing only changed packages
+
+### GitHub Action Integration
+
+Use bun-ready as a GitHub Action:
+
+```yaml
+name: bun-ready Check
+on: [pull_request]
+jobs:
+  bun-ready:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: oven-sh/setup-bun@v1
+      - uses: ./  # Uses action.yml from repo
+        with:
+          fail-on: yellow
+          baseline: bun-ready-baseline.json
+```
+
+**Action Features:**
+- Automatic artifact upload
+- GitHub job summary generation
+- PR comment support
+- SARIF export for Code Scanning
+- Policy and baseline support
+
 ## What it checks (MVP)
 - package.json presence & shape
 - lockfiles (npm/yarn/pnpm/bun)

package/dist/cli.js

@@ -86,9 +86,127 @@ var init_bun_check = __esm(() => {
   init_spawn();
 });
 
-// src/cli.ts
+// src/baseline.ts
+var exports_baseline = {};
+__export(exports_baseline, {
+  updateBaseline: () => updateBaseline,
+  saveBaseline: () => saveBaseline,
+  loadBaseline: () => loadBaseline,
+  createFindingFingerprint: () => createFindingFingerprint,
+  compareFindings: () => compareFindings,
+  calculateBaselineMetrics: () => calculateBaselineMetrics
+});
 import { promises as fs4 } from "node:fs";
-import path6 from "node:path";
+import { createHash } from "node:crypto";
+function createFindingFingerprint(finding, packageName) {
+  const normalizedDetails = finding.details.map((d) => d.trim().toLowerCase()).sort().join("|");
+  const detailsHash = createHash("md5").update(normalizedDetails).digest("hex");
+  return {
+    id: finding.id,
+    packageName: packageName || "root",
+    severity: finding.severity,
+    detailsHash
+  };
+}
+function calculateBaselineMetrics(findings, packages) {
+  const greenCount = findings.filter((f) => f.severity === "green").length;
+  const yellowCount = findings.filter((f) => f.severity === "yellow").length;
+  const redCount = findings.filter((f) => f.severity === "red").length;
+  const packagesGreen = packages.filter((p) => p.severity === "green").length;
+  const packagesYellow = packages.filter((p) => p.severity === "yellow").length;
+  const packagesRed = packages.filter((p) => p.severity === "red").length;
+  return {
+    totalFindings: findings.length,
+    greenCount,
+    yellowCount,
+    redCount,
+    packagesGreen,
+    packagesYellow,
+    packagesRed
+  };
+}
+function compareFindings(baseline, current) {
+  const baselineMap = new Map;
+  const currentMap = new Map;
+  for (const fp of baseline) {
+    const key = `${fp.id}:${fp.packageName}:${fp.detailsHash}`;
+    baselineMap.set(key, fp);
+  }
+  for (const fp of current) {
+    const key = `${fp.id}:${fp.packageName}:${fp.detailsHash}`;
+    currentMap.set(key, fp);
+  }
+  const newFindings = [];
+  for (const [key, fp] of currentMap.entries()) {
+    if (!baselineMap.has(key)) {
+      newFindings.push(fp);
+    }
+  }
+  const resolvedFindings = [];
+  for (const [key, fp] of baselineMap.entries()) {
+    if (!currentMap.has(key)) {
+      resolvedFindings.push(fp);
+    }
+  }
+  const severityChanges = [];
+  for (const [key, currentFp] of currentMap.entries()) {
+    const baselineFp = baselineMap.get(key);
+    if (baselineFp && currentFp.severity !== baselineFp.severity) {
+      severityChanges.push({
+        fingerprint: currentFp,
+        oldSeverity: baselineFp.severity,
+        newSeverity: currentFp.severity
+      });
+    }
+  }
+  const regressionReasons = [];
+  let isRegression = false;
+  const newRedFindings = newFindings.filter((f) => f.severity === "red");
+  if (newRedFindings.length > 0) {
+    isRegression = true;
+    regressionReasons.push(`New RED findings detected: ${newRedFindings.map((f) => f.id).join(", ")}`);
+  }
+  const upgradedToRed = severityChanges.filter((c) => c.newSeverity === "red");
+  if (upgradedToRed.length > 0) {
+    isRegression = true;
+    regressionReasons.push(`Severity upgraded to RED: ${upgradedToRed.map((c) => c.fingerprint.id).join(", ")}`);
+  }
+  return {
+    newFindings,
+    resolvedFindings,
+    severityChanges,
+    isRegression,
+    regressionReasons
+  };
+}
+async function saveBaseline(baseline, filePath) {
+  const json = JSON.stringify(baseline, null, 2);
+  await fs4.writeFile(filePath, json, "utf-8");
+}
+async function loadBaseline(filePath) {
+  try {
+    const json = await fs4.readFile(filePath, "utf-8");
+    const data = JSON.parse(json);
+    if (typeof data === "object" && data !== null && typeof data.version === "string" && typeof data.timestamp === "string" && Array.isArray(data.findings)) {
+      return data;
+    }
+    return null;
+  } catch (error) {
+    return null;
+  }
+}
+function updateBaseline(existing, current) {
+  return {
+    ...existing,
+    timestamp: new Date().toISOString(),
+    findings: current
+  };
+}
+var init_baseline = () => {};
+
+// src/cli.ts
+import { promises as fs5 } from "node:fs";
+import path7 from "node:path";
 
 // src/analyze.ts
 init_spawn();
@@ -1272,6 +1390,119 @@ var formatPackageStats = (pkg) => {
   }
   return lines;
 };
+var formatPolicyApplied = (policy) => {
+  const lines = [];
+  lines.push(`## Policy Applied`);
+  lines.push(``);
+  lines.push(`- **Rules applied**: ${policy.rulesApplied}`);
+  lines.push(`- **Findings modified**: ${policy.findingsModified}`);
+  lines.push(`- **Findings disabled**: ${policy.findingsDisabled}`);
+  lines.push(`- **Severity upgraded**: ${policy.severityUpgraded}`);
+  lines.push(`- **Severity downgraded**: ${policy.severityDowngraded}`);
+  lines.push(``);
+  if (policy.rules.length > 0) {
+    lines.push(`### Policy Rules`);
+    for (const rule of policy.rules) {
+      const actionBadge = getPolicyActionBadge(rule.action);
+      lines.push(`- **${rule.findingId}**: ${actionBadge}`);
+      if (rule.originalSeverity && rule.newSeverity && rule.originalSeverity !== rule.newSeverity) {
+        lines.push(`  - ${badge(rule.originalSeverity)} → ${badge(rule.newSeverity)}`);
+      }
+      if (rule.reason) {
+        lines.push(`  - Reason: ${rule.reason}`);
+      }
+    }
+    lines.push(``);
+  } else {
+    lines.push(`No policy rules were applied.`);
+    lines.push(``);
+  }
+  return lines.join(`
+`);
+};
+var getPolicyActionBadge = (action) => {
+  if (action === "fail")
+    return "\uD83D\uDED1 FAIL";
+  if (action === "warn")
+    return "⚠️ WARN";
+  if (action === "off")
+    return "\uD83D\uDD34 OFF";
+  return "\uD83D\uDD35 IGNORE";
+};
+var formatBaselineComparison = (comparison) => {
+  const lines = [];
+  lines.push(`## Baseline Comparison`);
+  lines.push(``);
+  if (comparison.isRegression) {
+    lines.push(`\uD83D\uDD34 **REGRESSION DETECTED**`);
+  } else {
+    lines.push(`✅ No regression detected`);
+  }
+  lines.push(``);
+  if (comparison.newFindings.length > 0) {
+    lines.push(`### New Findings (${comparison.newFindings.length})`);
+    for (const f of comparison.newFindings) {
+      const severityBadge = badge(f.severity);
+      lines.push(`- ${severityBadge} **${f.id}** in package \`${f.packageName}\``);
+    }
+    lines.push(``);
+  }
+  if (comparison.resolvedFindings.length > 0) {
+    lines.push(`### Resolved Findings (${comparison.resolvedFindings.length})`);
+    for (const f of comparison.resolvedFindings) {
+      const severityBadge = badge(f.severity);
+      lines.push(`- ${severityBadge} **${f.id}** in package \`${f.packageName}\``);
+    }
+    lines.push(``);
+  }
+  if (comparison.severityChanges.length > 0) {
+    lines.push(`### Severity Changes (${comparison.severityChanges.length})`);
+    for (const c of comparison.severityChanges) {
+      const oldBadge = badge(c.oldSeverity);
+      const newBadge = badge(c.newSeverity);
+      lines.push(`- **${c.fingerprint.id}** in package \`${c.fingerprint.packageName}\`: ${oldBadge} → ${newBadge}`);
+    }
+    lines.push(``);
+  }
+  if (comparison.regressionReasons.length > 0) {
+    lines.push(`### Regression Reasons`);
+    for (const reason of comparison.regressionReasons) {
+      lines.push(`- ${reason}`);
+    }
+    lines.push(``);
+  }
+  if (comparison.newFindings.length === 0 && comparison.resolvedFindings.length === 0 && comparison.severityChanges.length === 0) {
+    lines.push(`No changes detected from baseline.`);
+    lines.push(``);
+  }
+  return lines.join(`
+`);
+};
+var formatChangedOnly = (changedPackages, baselineFile) => {
+  const lines = [];
+  lines.push(`## Scanned Packages (Changed-only)`);
+  lines.push(``);
+  if (changedPackages.length === 0) {
+    lines.push(`No packages were identified as changed.`);
+  } else {
+    lines.push(`The following packages were scanned (only changed packages):`);
+    lines.push(``);
+    for (const pkgPath of changedPackages) {
+      const normalizedPath = pkgPath.replace(/\\/g, "/");
+      lines.push(`- \`${normalizedPath}\``);
+    }
+  }
+  lines.push(``);
+  if (baselineFile) {
+    lines.push(`**Verdict type:** Regression verdict (comparing changed packages against baseline)`);
+  } else {
+    lines.push(`**Verdict type:** Partial verdict (only changed packages scanned, no baseline)`);
+    lines.push(`⚠️ Note: This is a partial scan. For complete verdict, provide a baseline file.`);
+  }
+  lines.push(``);
+  return lines.join(`
+`);
+};
 function renderMarkdown(r) {
   const lines = [];
   const bunVersion = process.version;
@@ -1323,6 +1554,9 @@ function renderMarkdown(r) {
     }
     lines.push(``);
   }
+  if (r.policyApplied) {
+    lines.push(formatPolicyApplied(r.policyApplied));
+  }
   lines.push(`## Root Package`);
   lines.push(`- Path: \`${r.repo.packageJsonPath.replace(/\\/g, "/")}\``);
   lines.push(`- Workspaces: ${r.repo.hasWorkspaces ? "yes" : "no"}`);
@@ -1393,6 +1627,13 @@ function renderMarkdown(r) {
     }
   }
   lines.push(``);
+  if (r.baselineComparison) {
+    lines.push(formatBaselineComparison(r.baselineComparison));
+  }
+  if (r.changedPackages) {
+    const baselineFile = r.baselineFile;
+    lines.push(formatChangedOnly(r.changedPackages, baselineFile));
+  }
   if (r.packages && r.packages.length > 0) {
     const sortedPackages = stableSort(r.packages, (p) => p.name);
     for (const pkg of sortedPackages) {
@@ -1473,6 +1714,9 @@ var renderDetailedReport = (r) => {
   lines.push(``);
   lines.push(`**Overall:** ${badge(r.severity)}`);
   lines.push(``);
+  if (r.policyApplied) {
+    lines.push(formatPolicyApplied(r.policyApplied));
+  }
   lines.push(`## Detailed Package Usage`);
   lines.push(``);
   let hasUsageInfo = false;
@@ -1535,6 +1779,13 @@ var renderDetailedReport = (r) => {
     }
   }
   lines.push(``);
+  if (r.baselineComparison) {
+    lines.push(formatBaselineComparison(r.baselineComparison));
+  }
+  if (r.changedPackages) {
+    const baselineFile = r.baselineFile;
+    lines.push(formatChangedOnly(r.changedPackages, baselineFile));
+  }
   return lines.join(`
 `);
 };
@@ -1544,16 +1795,512 @@ function renderJson(r) {
   return JSON.stringify(r, null, 2);
 }
 
+// src/sarif.ts
+import path6 from "node:path";
+function severityToSarifLevel(severity) {
+  switch (severity) {
+    case "green":
+      return "note";
+    case "yellow":
+      return "warning";
+    case "red":
+      return "error";
+  }
+}
+function createSarifRule(finding) {
+  const descriptionText = finding.details.length > 0 ? finding.details[0] : finding.title;
+  const fullDesc = { text: descriptionText };
+  const helpParts = [];
+  if (finding.details.length > 0) {
+    helpParts.push("Details:");
+    finding.details.forEach((d) => helpParts.push(`  - ${d}`));
+  }
+  if (finding.hints.length > 0) {
+    helpParts.push("Hints:");
+    finding.hints.forEach((h) => helpParts.push(`  - ${h}`));
+  }
+  const helpText = helpParts.length > 0 ? helpParts.join(`
+`) : "No hints available";
+  return {
+    id: finding.id,
+    shortDescription: {
+      text: finding.title
+    },
+    fullDescription: fullDesc,
+    help: {
+      text: helpText
+    },
+    defaultConfiguration: {
+      level: severityToSarifLevel(finding.severity)
+    }
+  };
+}
+function determineFindingLocation(finding, repoPath, packageName) {
+  if (!packageName) {
+    return {
+      physicalLocation: {
+        artifactLocation: {
+          uri: path6.basename(repoPath)
+        }
+      }
+    };
+  }
+  const relativePath = packageName === "root" ? "package.json" : packageName;
+  return {
+    physicalLocation: {
+      artifactLocation: {
+        uri: relativePath
+      }
+    }
+  };
+}
+function createSarifResult(finding, repoPath, packageName) {
+  const messageParts = [finding.title];
+  if (finding.details.length > 0) {
+    messageParts.push("");
+    messageParts.push("Details:");
+    messageParts.push(...finding.details.map((d) => `- ${d}`));
+  }
+  const messageText = messageParts.join(`
+`);
+  return {
+    ruleId: finding.id,
+    level: severityToSarifLevel(finding.severity),
+    message: {
+      text: messageText
+    },
+    locations: [determineFindingLocation(finding, repoPath, packageName)]
+  };
+}
+function renderSarif(result) {
+  const allFindings = [...result.findings];
+  if (result.packages) {
+    for (const pkg of result.packages) {
+      for (const finding of pkg.findings) {
+        if (!allFindings.some((f) => f.id === finding.id)) {
+          allFindings.push(finding);
+        }
+      }
+    }
+  }
+  const rulesMap = new Map;
+  for (const finding of allFindings) {
+    if (!rulesMap.has(finding.id)) {
+      rulesMap.set(finding.id, createSarifRule(finding));
+    }
+  }
+  const rules = Array.from(rulesMap.values()).sort((a, b) => a.id.localeCompare(b.id));
+  const results = [];
+  for (const finding of result.findings) {
+    results.push(createSarifResult(finding, result.repo.packageJsonPath, "root"));
+  }
+  for (const pkg of result.packages || []) {
+    const packageName = pkg.name;
+    for (const finding of pkg.findings) {
+      results.push(createSarifResult(finding, result.repo.packageJsonPath, packageName));
+    }
+  }
+  const sarifLog = {
+    version: "2.1.0",
+    $schema: "https://json.schemastore.org/sarif-2.1.0.json",
+    runs: [
+      {
+        tool: {
+          driver: {
+            name: "bun-ready",
+            version: result.version || "0.3.0",
+            semanticVersion: "2.1.0",
+            rules
+          }
+        },
+        results
+      }
+    ]
+  };
+  return sarifLog;
+}
+
+// src/ci_summary.ts
+function getTopFindings2(findings, count = 3) {
+  const sorted = [...findings].sort((a, b) => {
+    const severityOrder = { red: 0, yellow: 1, green: 2 };
+    if (severityOrder[a.severity] !== severityOrder[b.severity]) {
+      return severityOrder[a.severity] - severityOrder[b.severity];
+    }
+    return a.id.localeCompare(b.id);
+  });
+  const badge2 = (s) => {
+    switch (s) {
+      case "green":
+        return "\uD83D\uDFE2";
+      case "yellow":
+        return "\uD83D\uDFE1";
+      case "red":
+        return "\uD83D\uDD34";
+    }
+  };
+  return sorted.slice(0, count).map((f) => `${badge2(f.severity)} ${f.title} (${f.id})`);
+}
+function generateNextActions(findings) {
+  const actions = [];
+  const actionSet = new Set;
+  for (const finding of findings) {
+    for (const hint of finding.hints) {
+      const action = hint.trim();
+      if (!actionSet.has(action)) {
+        actions.push(action);
+        actionSet.add(action);
+      }
+    }
+  }
+  return actions.slice(0, 5);
+}
+function calculateExitCode(severity, failOn) {
+  if (!failOn) {
+    if (severity === "green")
+      return 0;
+    if (severity === "yellow")
+      return 2;
+    return 3;
+  }
+  if (failOn === "green") {
+    if (severity === "green")
+      return 0;
+    return 3;
+  }
+  if (failOn === "yellow") {
+    if (severity === "red")
+      return 3;
+    return 0;
+  }
+  if (severity === "green")
+    return 0;
+  if (severity === "yellow")
+    return 2;
+  return 3;
+}
+function generateCISummary(result, failOn) {
+  const topFindings = getTopFindings2(result.findings, 3);
+  const nextActions = generateNextActions(result.findings);
+  const exitCode = calculateExitCode(result.severity, failOn);
+  return {
+    verdict: result.severity,
+    topFindings,
+    nextActions,
+    exitCode
+  };
+}
+function formatCISummaryText(summary) {
+  const badge2 = (s) => {
+    switch (s) {
+      case "green":
+        return "\uD83D\uDFE2 GREEN";
+      case "yellow":
+        return "\uD83D\uDFE1 YELLOW";
+      case "red":
+        return "\uD83D\uDD34 RED";
+    }
+  };
+  const lines = [];
+  lines.push("=== bun-ready CI Summary ===");
+  lines.push("");
+  lines.push(`Verdict: ${badge2(summary.verdict)}`);
+  lines.push("");
+  if (summary.topFindings.length > 0) {
+    lines.push("Top Issues:");
+    for (const finding of summary.topFindings) {
+      lines.push(`  - ${finding}`);
+    }
+    lines.push("");
+  }
+  if (summary.nextActions.length > 0) {
+    lines.push("Next Actions:");
+    for (let i = 0;i < summary.nextActions.length; i++) {
+      lines.push(`  ${i + 1}. ${summary.nextActions[i]}`);
+    }
+    lines.push("");
+  }
+  lines.push(`Exit Code: ${summary.exitCode}`);
+  return lines.join(`
+`);
+}
+function formatGitHubJobSummary(summary) {
+  const badge2 = (s) => {
+    switch (s) {
+      case "green":
+        return "\uD83D\uDFE2 **GREEN**";
+      case "yellow":
+        return "\uD83D\uDFE1 **YELLOW**";
+      case "red":
+        return "\uD83D\uDD34 **RED**";
+    }
+  };
+  const lines = [];
+  lines.push("## bun-ready CI Summary");
+  lines.push("");
+  lines.push(`### Verdict: ${badge2(summary.verdict)}`);
+  lines.push("");
+  if (summary.topFindings.length > 0) {
+    lines.push("### Top Issues");
+    lines.push("");
+    for (const finding of summary.topFindings) {
+      lines.push(`- ${finding}`);
+    }
+    lines.push("");
+  }
+  if (summary.nextActions.length > 0) {
+    lines.push("### Next Actions");
+    lines.push("");
+    for (let i = 0;i < summary.nextActions.length; i++) {
+      lines.push(`${i + 1}. ${summary.nextActions[i]}`);
+    }
+    lines.push("");
+  }
+  lines.push(`**Exit Code:** \`${summary.exitCode}\``);
+  return lines.join(`
+`);
+}
+
+// src/policy.ts
+function applySeverityChange(originalSeverity, change) {
+  if (change === "same")
+    return originalSeverity;
+  if (change === "upgrade") {
+    if (originalSeverity === "green")
+      return "yellow";
+    if (originalSeverity === "yellow")
+      return "red";
+    return "red";
+  }
+  if (originalSeverity === "red")
+    return "yellow";
+  if (originalSeverity === "yellow")
+    return "green";
+  return "green";
+}
+function parseRuleArgs(ruleArgs) {
+  const rules = [];
+  for (const arg of ruleArgs) {
+    const parts = arg.split(/[=:]/, 2);
+    if (parts.length !== 2)
+      continue;
+    const [id, actionOrChange] = parts.map((p) => p.trim());
+    if (!id || !actionOrChange) {
+      continue;
+    }
+    if (["fail", "warn", "off", "ignore"].includes(actionOrChange)) {
+      const actionRule = {
+        id,
+        action: actionOrChange
+      };
+      rules.push(actionRule);
+    } else if (["upgrade", "downgrade", "same"].includes(actionOrChange)) {
+      const severityRule = {
+        id,
+        severityChange: actionOrChange
+      };
+      rules.push(severityRule);
+    }
+  }
+  return rules;
+}
+function mergePolicyConfigs(cliPolicy, configPolicy) {
+  if (!cliPolicy && !configPolicy) {
+    return;
+  }
+  const result = {};
+  if (cliPolicy?.rules && cliPolicy.rules.length > 0) {
+    result.rules = cliPolicy.rules;
+  } else if (configPolicy?.rules && configPolicy.rules.length > 0) {
+    result.rules = configPolicy.rules;
+  }
+  if (cliPolicy?.thresholds && Object.keys(cliPolicy.thresholds).length > 0) {
+    result.thresholds = cliPolicy.thresholds;
+  } else if (configPolicy?.thresholds && Object.keys(configPolicy.thresholds).length > 0) {
+    result.thresholds = configPolicy.thresholds;
+  }
+  if (cliPolicy?.failOn) {
+    result.failOn = cliPolicy.failOn;
+  } else if (configPolicy?.failOn) {
+    result.failOn = configPolicy.failOn;
+  }
+  if (Object.keys(result).length === 0) {
+    return;
+  }
+  return result;
+}
+function findMatchingRule(findingId, rules) {
+  for (const rule of rules) {
+    if (rule.id === findingId) {
+      return rule;
+    }
+  }
+  for (const rule of rules) {
+    if (rule.id === "*") {
+      return rule;
+    }
+  }
+  return null;
+}
+function applyPolicy(findings, policy, metrics) {
+  const rules = policy.rules || [];
+  const thresholds = policy.thresholds;
+  const modifiedFindings = [];
+  const appliedRules = [];
+  let findingsModified = 0;
+  let findingsDisabled = 0;
+  let severityUpgraded = 0;
+  let severityDowngraded = 0;
+  for (const finding of findings) {
+    const rule = findMatchingRule(finding.id, rules);
+    if (!rule) {
+      modifiedFindings.push(finding);
+      continue;
+    }
+    const applied = {
+      findingId: finding.id,
+      action: rule.action || "ignore",
+      originalSeverity: finding.severity
+    };
+    if (rule.action === "off" || rule.action === "ignore") {
+      findingsDisabled++;
+      appliedRules.push(applied);
+      continue;
+    }
+    let newSeverity = finding.severity;
+    let wasModified = false;
+    if (rule.severityChange) {
+      newSeverity = finding.severity;
+      if (rule.action === "fail") {
+        newSeverity = "red";
+      } else if (rule.action === "warn") {
+        newSeverity = "yellow";
+      }
+      newSeverity = applySeverityChange(newSeverity, rule.severityChange);
+      if (rule.severityChange === "upgrade") {
+        severityUpgraded++;
+      } else if (rule.severityChange === "downgrade") {
+        severityDowngraded++;
+      }
+      wasModified = true;
+    } else if (rule.action === "fail" || rule.action === "warn") {
+      if (rule.action === "fail") {
+        newSeverity = "red";
+      } else if (rule.action === "warn") {
+        newSeverity = "yellow";
+      }
+      wasModified = true;
+      if (newSeverity !== finding.severity) {
+        const severityOrder = { green: 0, yellow: 1, red: 2 };
+        if (severityOrder[newSeverity] > severityOrder[finding.severity]) {
+          severityUpgraded++;
+        } else {
+          severityDowngraded++;
+        }
+      }
+    }
+    if (wasModified) {
+      findingsModified++;
+    }
+    applied.newSeverity = newSeverity;
+    applied.reason = rule.reason;
+    modifiedFindings.push({
+      ...finding,
+      severity: newSeverity
+    });
+    appliedRules.push(applied);
+  }
+  let rulesApplied = appliedRules.length;
+  if (thresholds && metrics) {
+    if (thresholds.maxPackagesRed !== undefined && metrics.packagesRed > thresholds.maxPackagesRed) {
+      rulesApplied++;
+    }
+    if (thresholds.maxPackagesYellow !== undefined && metrics.packagesYellow > thresholds.maxPackagesYellow) {
+      rulesApplied++;
+    }
+  }
+  const summary = {
+    rulesApplied,
+    findingsModified,
+    findingsDisabled,
+    severityUpgraded,
+    severityDowngraded,
+    rules: appliedRules
+  };
+  return { modifiedFindings, summary };
+}
+
+// src/cli.ts
+init_baseline();
+
+// src/changed_only.ts
+init_spawn();
+async function getGitDiffPaths(repoPath, sinceRef) {
+  try {
+    const res = await exec("git", ["diff", "--name-only", sinceRef], repoPath);
+    if (!res.stdout) {
+      return [];
+    }
+    const paths = res.stdout.split(`
+`).map((p) => p.trim()).filter((p) => p.length > 0);
+    return paths;
+  } catch (error) {
+    return [];
+  }
+}
+function isWorkspacePackage(path7, workspacePackages) {
+  if (!workspacePackages || workspacePackages.length === 0) {
+    return false;
+  }
+  for (const wp of workspacePackages) {
+    const normalizedPath = path7.replace(/\\/g, "/");
+    const normalizedWpPath = wp.path.replace(/\\/g, "/");
+    if (normalizedPath.startsWith(normalizedWpPath)) {
+      return true;
+    }
+  }
+  return false;
+}
+function mapPathsToPackages(paths, packages) {
+  const packageMap = new Map;
+  for (const pkg of packages) {
+    const normalizedPath = pkg.path.replace(/\\/g, "/");
+    packageMap.set(normalizedPath, pkg.name);
+  }
+  const changedPackages = new Set;
+  for (const path7 of paths) {
+    for (const [pkgPath, pkgName] of packageMap.entries()) {
+      const relativePath = path7.replace(/\\/g, "/");
+      if (relativePath.startsWith(pkgPath)) {
+        changedPackages.add(pkgPath);
+        break;
+      }
+    }
+  }
+  return Array.from(changedPackages).sort();
+}
+async function detectChangedPackages(repoPath, sinceRef, workspacePackages) {
+  const paths = await getGitDiffPaths(repoPath, sinceRef);
+  if (paths.length === 0) {
+    return [];
+  }
+  let filteredPaths = paths;
+  if (workspacePackages && workspacePackages.length > 0) {
+    filteredPaths = paths.filter((p) => isWorkspacePackage(p, workspacePackages));
+  }
+  return filteredPaths;
+}
+
 // src/cli.ts
 var usage = () => {
   return [
     "bun-ready",
     "",
     "Usage:",
-    "  bun-ready scan <path> [--format md|json] [--out <file>] [--no-install] [--no-test] [--verbose] [--detailed] [--scope root|packages|all] [--fail-on green|yellow|red]",
+    "  bun-ready scan <path> [--format md|json|sarif] [--out <file>] [--no-install] [--no-test] [--verbose] [--detailed] [--scope root|packages|all] [--fail-on green|yellow|red] [--ci] [--output-dir <dir>] [--rule <id>=<action>] [--max-warnings <n>] [--baseline <file>] [--update-baseline] [--changed-only] [--since <ref>]",
     "",
     "Options:",
-    "  --format md|json       Output format (default: md)",
+    "  --format md|json|sarif       Output format (default: md)",
     "  --out <file>          Output file path (default: bun-ready.md or bun-ready.json)",
     "  --no-install           Skip bun install --dry-run",
     "  --no-test             Skip bun test",
@@ -1561,6 +2308,14 @@ var usage = () => {
     "  --detailed            Show detailed package usage report with file paths",
     "  --scope root|packages|all  Scan scope for monorepos (default: all)",
     "  --fail-on green|yellow|red  Fail policy (default: red)",
+    "  --ci                  Run in CI mode (stable output, minimal noise)",
+    "  --output-dir <dir>    Output directory for all artifacts (in CI mode)",
+    "  --rule <id>=<action>  Apply policy rule (e.g., --rule deps.native_addons=fail)",
+    "  --max-warnings <n>    Maximum warnings allowed (threshold)",
+    "  --baseline <file>      Baseline file for regression detection",
+    "  --update-baseline      Update baseline file after scan",
+    "  --changed-only         Scan only changed packages (monorepos)",
+    "  --since <ref>         Git ref for changed packages (e.g., main, HEAD~1)",
     "",
     "Exit codes:",
     "  0   green",
@@ -1597,11 +2352,17 @@ var parseArgs = (argv) => {
   let detailed = false;
   let scope = "all";
   let failOn;
+  let ci;
+  let outputDir;
+  let ruleArgs = [];
+  let maxWarnings;
+  let baseline;
+  let changedOnly;
   for (let i = 2;i < args.length; i++) {
     const a = args[i] ?? "";
     if (a === "--format") {
       const v = args[i + 1] ?? "";
-      if (v === "md" || v === "json")
+      if (v === "md" || v === "json" || v === "sarif")
         format = v;
       i++;
       continue;
@@ -1641,6 +2402,59 @@ var parseArgs = (argv) => {
       i++;
       continue;
     }
+    if (a === "--ci") {
+      ci = { mode: true };
+      continue;
+    }
+    if (a === "--output-dir") {
+      outputDir = args[i + 1];
+      i++;
+      continue;
+    }
+    if (a === "--rule") {
+      ruleArgs.push(args[i + 1] ?? "");
+      i++;
+      continue;
+    }
+    if (a === "--max-warnings") {
+      const v = args[i + 1] ?? "";
+      const num = parseInt(v, 10);
+      if (!isNaN(num) && num >= 0) {
+        maxWarnings = num;
+      }
+      i++;
+      continue;
+    }
+    if (a === "--baseline") {
+      baseline = { file: args[i + 1] ?? "" };
+      i++;
+      continue;
+    }
+    if (a === "--update-baseline") {
+      if (!baseline) {
+        baseline = { file: "", update: true };
+      } else {
+        baseline.update = true;
+      }
+      continue;
+    }
+    if (a === "--changed-only") {
+      if (!changedOnly) {
+        changedOnly = { enabled: true };
+      } else {
+        changedOnly.enabled = true;
+      }
+      continue;
+    }
+    if (a === "--since") {
+      if (!changedOnly) {
+        changedOnly = { enabled: true, sinceRef: args[i + 1] ?? "" };
+      } else {
+        changedOnly.sinceRef = args[i + 1] ?? "";
+      }
+      i++;
+      continue;
+    }
   }
   const baseOpts = {
     repoPath,
@@ -1655,35 +2469,36 @@ var parseArgs = (argv) => {
   if (failOn !== undefined) {
     baseOpts.failOn = failOn;
   }
+  if (ci !== undefined) {
+    baseOpts.ci = ci;
+  }
+  if (outputDir !== undefined) {
+    if (!baseOpts.ci) {
+      baseOpts.ci = { mode: true };
+    }
+    baseOpts.ci.outputDir = outputDir;
+  }
+  if (ruleArgs.length > 0 || maxWarnings !== undefined) {
+    const policy = {};
+    if (ruleArgs.length > 0) {
+      policy.rules = parseRuleArgs(ruleArgs);
+    }
+    if (maxWarnings !== undefined) {
+      policy.thresholds = { maxWarnings };
+    }
+    baseOpts.policy = policy;
+  }
+  if (baseline !== undefined && (baseline.file || baseline.update)) {
+    baseOpts.baseline = baseline;
+  }
+  if (changedOnly !== undefined && changedOnly.enabled) {
+    baseOpts.changedOnly = changedOnly;
+  }
   return {
     cmd,
     opts: baseOpts
   };
 };
-var exitCode = (sev, failOn) => {
-  if (!failOn) {
-    if (sev === "green")
-      return 0;
-    if (sev === "yellow")
-      return 2;
-    return 3;
-  }
-  if (failOn === "green") {
-    if (sev === "green")
-      return 0;
-    return 3;
-  }
-  if (failOn === "yellow") {
-    if (sev === "red")
-      return 3;
-    return 0;
-  }
-  if (sev === "green")
-    return 0;
-  if (sev === "yellow")
-    return 2;
-  return 3;
-};
 var main = async () => {
   const { cmd, opts } = parseArgs(process.argv);
   if (cmd !== "scan") {
@@ -1699,6 +2514,7 @@ var main = async () => {
     configOpts.detailed = opts.detailed;
   }
   const config = await mergeConfigWithOpts(null, configOpts);
+  const mergedPolicy = mergePolicyConfigs(opts.policy, config?.rules ? { rules: config.rules } : undefined);
   const scanOpts = {
     repoPath: opts.repoPath,
     format: opts.format,
@@ -1711,14 +2527,78 @@ var main = async () => {
   if (opts.failOn !== undefined) {
     scanOpts.failOn = opts.failOn;
   }
+  if (opts.ci !== undefined) {
+    scanOpts.ci = opts.ci;
+  }
+  if (mergedPolicy !== undefined) {
+    scanOpts.policy = mergedPolicy;
+  }
   const res = await analyzeRepoOverall(scanOpts);
-  if (res.install?.skipReason || res.test?.skipReason) {
+  let changedPackages;
+  if (opts.changedOnly?.enabled && opts.changedOnly?.sinceRef) {
+    try {
+      const detectedPaths = await detectChangedPackages(opts.repoPath, opts.changedOnly.sinceRef, res.packages?.map((p) => ({ path: p.path, packageJsonPath: p.path, name: p.name })));
+      if (res.packages) {
+        changedPackages = mapPathsToPackages(detectedPaths, res.packages);
+      }
+    } catch (error) {
+      process.stderr.write(`Failed to detect changed packages: ${error instanceof Error ? error.message : String(error)}
+`);
+    }
+  }
+  let baselineData = null;
+  if (opts.baseline?.file) {
+    try {
+      baselineData = await loadBaseline(opts.baseline.file);
+    } catch (error) {
+      process.stderr.write(`Failed to load baseline: ${error instanceof Error ? error.message : String(error)}
+`);
+      process.exit(1);
+    }
+  }
+  let finalResult = res;
+  if (mergedPolicy) {
+    const policyResult = applyPolicy(res.findings, mergedPolicy);
+    finalResult = {
+      ...res,
+      findings: policyResult.modifiedFindings,
+      policyApplied: policyResult.summary
+    };
+  }
+  const { createFindingFingerprint: createFindingFingerprint2, calculateBaselineMetrics: calculateBaselineMetrics2 } = await Promise.resolve().then(() => (init_baseline(), exports_baseline));
+  const packages = finalResult.packages || [];
+  const allFindings = [...finalResult.findings];
+  for (const pkg of packages) {
+    for (const finding of pkg.findings) {
+      allFindings.push(finding);
+    }
+  }
+  const currentFingerprints = allFindings.map((f) => createFindingFingerprint2(f));
+  if (baselineData) {
+    const comparison = compareFindings(baselineData.findings, currentFingerprints);
+    finalResult = {
+      ...finalResult,
+      baselineComparison: comparison
+    };
+    if (opts.baseline?.update) {
+      const updatedBaseline = {
+        ...baselineData,
+        timestamp: new Date().toISOString(),
+        findings: currentFingerprints
+      };
+      await saveBaseline(updatedBaseline, opts.baseline.file || "");
+    }
+  }
+  if (changedPackages) {
+    finalResult.changedPackages = changedPackages;
+  }
+  if (finalResult.install?.skipReason || finalResult.test?.skipReason) {
     const skipWarnings = [];
-    if (res.install?.skipReason) {
-      skipWarnings.push(`Install check skipped: ${res.install.skipReason}`);
+    if (finalResult.install?.skipReason) {
+      skipWarnings.push(`Install check skipped: ${finalResult.install.skipReason}`);
     }
-    if (res.test?.skipReason) {
-      skipWarnings.push(`Test run skipped: ${res.test.skipReason}`);
+    if (finalResult.test?.skipReason) {
+      skipWarnings.push(`Test run skipped: ${finalResult.test.skipReason}`);
     }
     if (skipWarnings.length > 0) {
       process.stderr.write(`WARNING:
@@ -1727,13 +2607,48 @@ ${skipWarnings.map((w) => `  - ${w}`).join(`
 `);
     }
   }
-  const out = opts.format === "json" ? renderJson(res) : opts.detailed ? renderDetailedReport(res) : renderMarkdown(res);
-  const target = opts.outFile ?? (opts.format === "json" ? "bun-ready.json" : opts.detailed ? "bun-ready-detailed.md" : "bun-ready.md");
-  const resolved = path6.resolve(process.cwd(), target);
-  await fs4.writeFile(resolved, out, "utf8");
-  process.stdout.write(`Wrote ${opts.format.toUpperCase()} report to ${resolved}
+  let out = "";
+  if (opts.format === "sarif") {
+    out = JSON.stringify(renderSarif(finalResult), null, 2);
+  } else if (opts.format === "json") {
+    out = renderJson(finalResult);
+  } else {
+    out = opts.detailed ? renderDetailedReport(finalResult) : renderMarkdown(finalResult);
+  }
+  let target = opts.outFile;
+  let outputDir = opts.ci?.outputDir;
+  if (!target) {
+    if (opts.format === "sarif") {
+      target = "bun-ready.sarif.json";
+    } else if (opts.format === "json") {
+      target = "bun-ready.json";
+    } else if (opts.detailed) {
+      target = "bun-ready-detailed.md";
+    } else {
+      target = "bun-ready.md";
+    }
+  }
+  const resolved = outputDir ? path7.resolve(process.cwd(), outputDir, target) : path7.resolve(process.cwd(), target);
+  if (outputDir) {
+    await fs5.mkdir(path7.dirname(resolved), { recursive: true });
+  }
+  await fs5.writeFile(resolved, out, "utf8");
+  if (opts.ci?.mode) {
+    const ciSummary = generateCISummary(finalResult, config?.failOn || opts.failOn);
+    const summaryText = formatCISummaryText(ciSummary);
+    process.stdout.write(`
+${summaryText}
 `);
-  process.exit(exitCode(res.severity, config?.failOn || opts.failOn));
+    if (process.env.GITHUB_STEP_SUMMARY) {
+      const githubSummary = formatGitHubJobSummary(ciSummary);
+      await fs5.writeFile(process.env.GITHUB_STEP_SUMMARY, githubSummary, "utf8");
+    }
+  } else {
+    process.stdout.write(`Wrote ${opts.format.toUpperCase()} report to ${resolved}
+`);
+  }
+  const exitCodeValue = calculateExitCode(finalResult.severity, config?.failOn || opts.failOn);
+  process.exit(exitCodeValue);
 };
 main().catch((e) => {
   const msg = e instanceof Error ? e.message : String(e);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "bun-ready",
-  "version": "0.2.5",
+  "version": "0.3.0",
   "description": "CLI that estimates how painful migrating a Node.js repo to Bun might be. Generates a green/yellow/red Markdown report with reasons.",
   "author": "Pas7 Studio",
   "license": "Apache-2.0",