claude-crap 0.1.2

package/src/sarif/sarif-validator.ts

@@ -0,0 +1,145 @@
+/**
+ * AJV-backed minimal SARIF 2.1.0 document validator.
+ *
+ * F-A05-01: the `ingest_sarif` MCP tool accepts a caller-supplied
+ * `sarifDocument` object and, before this module existed, only
+ * checked `version === "2.1.0"`. That was enough for tool-call
+ * dispatch but not for the payload itself — a SARIF with a missing
+ * `runs[]`, a `results` array of wrong-type entries, or a result
+ * without a `ruleId` would still be accepted by the MCP tool and
+ * flow through to the store, the dashboard, and any downstream
+ * consumer that uploads claude-crap's SARIF to GitHub code-scanning
+ * or an IDE viewer.
+ *
+ * This module uses the `ajv` dependency (already in package.json) to
+ * compile a minimal JSON Schema that covers exactly the fields
+ * claude-crap reads: `version`, `runs`, `runs[].tool.driver.name`,
+ * and the per-result shape. Everything else (tool metadata, rule
+ * definitions, snippets, etc.) is passthrough — we do not enforce
+ * the full SARIF 2.1.0 spec because claude-crap does not consume
+ * those fields.
+ *
+ * The compiled validator is cached so the ~5 ms AJV compile cost is
+ * paid once per MCP server process, not once per ingestion.
+ *
+ * @module sarif/sarif-validator
+ */
+
+import { Ajv, type ValidateFunction } from "ajv";
+
+/**
+ * Minimal JSON Schema covering every field claude-crap reads from a
+ * SARIF 2.1.0 document. Passthrough fields are allowed because
+ * `additionalProperties` is left at the default (`true`).
+ *
+ * Keep this schema in sync with `hydrateFindingFromResult` in
+ * `src/sarif/sarif-store.ts` — anything the store reads MUST be
+ * covered here, and nothing else should be enforced.
+ */
+const SARIF_MINIMAL_SCHEMA = {
+  type: "object",
+  properties: {
+    version: { type: "string", enum: ["2.1.0"] },
+    $schema: { type: "string" },
+    runs: {
+      type: "array",
+      items: {
+        type: "object",
+        properties: {
+          tool: {
+            type: "object",
+            properties: {
+              driver: {
+                type: "object",
+                properties: {
+                  name: { type: "string", minLength: 1 },
+                  version: { type: "string" },
+                },
+                required: ["name"],
+              },
+            },
+            required: ["driver"],
+          },
+          results: {
+            type: "array",
+            items: {
+              type: "object",
+              properties: {
+                ruleId: { type: "string", minLength: 1 },
+                level: { type: "string", enum: ["none", "note", "warning", "error"] },
+                message: {
+                  type: "object",
+                  properties: { text: { type: "string", minLength: 1 } },
+                  required: ["text"],
+                },
+                locations: { type: "array" },
+                properties: { type: "object" },
+              },
+              required: ["ruleId", "message"],
+            },
+          },
+        },
+        required: ["tool", "results"],
+      },
+    },
+  },
+  required: ["version", "runs"],
+} as const;
+
+/**
+ * Lazily-compiled validator instance. `null` until the first call to
+ * {@link validateSarifDocument}, then reused for the lifetime of the
+ * process.
+ */
+let cachedValidator: ValidateFunction | null = null;
+
+/**
+ * Returned by {@link validateSarifDocument} when the document fails
+ * schema validation. Includes the full AJV error array for callers
+ * that want to surface structured diagnostics.
+ */
+export class SarifValidationError extends Error {
+  public readonly errors: unknown;
+
+  constructor(message: string, errors: unknown) {
+    super(message);
+    this.name = "SarifValidationError";
+    this.errors = errors;
+  }
+}
+
+/**
+ * Obtain the compiled AJV validator, compiling on first use.
+ *
+ * The schema above intentionally allows passthrough fields on every
+ * object (AJV's default `additionalProperties: true`). We disable
+ * `strict` so AJV does not warn about benign constructs like the
+ * `format`/`enum` combination.
+ */
+function getValidator(): ValidateFunction {
+  if (cachedValidator) return cachedValidator;
+  const ajv = new Ajv({ allErrors: false, strict: false });
+  const validator = ajv.compile(SARIF_MINIMAL_SCHEMA);
+  cachedValidator = validator;
+  return validator;
+}
+
+/**
+ * Validate a SARIF 2.1.0 document against the minimal schema. Throws
+ * {@link SarifValidationError} when the document does not match.
+ *
+ * @param doc Document to validate. May be any value — the validator
+ *            treats non-object inputs as a schema violation.
+ * @throws    {@link SarifValidationError} on any validation failure.
+ */
+export function validateSarifDocument(doc: unknown): void {
+  const validator = getValidator();
+  if (validator(doc)) return;
+  const first = validator.errors?.[0];
+  const path = first?.instancePath?.length ? first.instancePath : "<root>";
+  const message = first?.message ?? "unknown validation error";
+  throw new SarifValidationError(
+    `[sarif-validator] SARIF document is not valid 2.1.0: ${path} ${message}`,
+    validator.errors ?? null,
+  );
+}

package/src/schemas/tool-schemas.ts

@@ -0,0 +1,225 @@
+/**
+ * JSON Schema (Draft-07) definitions for every tool exposed by the MCP server.
+ *
+ * Each schema uses `enum`, `pattern`, `minimum`, `maximum`, `oneOf` and
+ * `additionalProperties: false` to eliminate schema hallucinations from the
+ * LLM. The MCP SDK automatically validates tool-call inputs against these
+ * schemas before invoking the handler — any drift produces a deterministic
+ * error that the agent can consume and correct.
+ *
+ * These `description` fields are read by the LLM at tool-listing time and
+ * become part of the agent's context, so they must be precise, imperative,
+ * and never speculative. Keep them short but actionable.
+ *
+ * @module schemas/tool-schemas
+ */
+
+// The MCP SDK consumes these as the `inputSchema` field of a Tool. We type
+// them with `as const` so TypeScript infers literal types and the MCP SDK
+// accepts them without runtime casting.
+
+/**
+ * Schema for the `compute_crap` tool. Returns a CRAP score for a single
+ * function and a block decision against the configured threshold.
+ */
+export const computeCrapSchema = {
+  type: "object",
+  description:
+    "Compute the CRAP (Change Risk Anti-Patterns) index for a single function. Returns the score and whether it exceeds the configured threshold. A blocked result means the function must be decomposed or covered by more tests before the Stop quality gate will pass.",
+  properties: {
+    cyclomaticComplexity: {
+      type: "integer",
+      minimum: 1,
+      maximum: 1000,
+      description: "Cyclomatic complexity of the function (number of linearly independent paths).",
+    },
+    coveragePercent: {
+      type: "number",
+      minimum: 0,
+      maximum: 100,
+      description: "Test coverage percentage for the function, in the range [0, 100].",
+    },
+    functionName: {
+      type: "string",
+      pattern: "^[A-Za-z_$][A-Za-z0-9_$.:<>]*$",
+      minLength: 1,
+      maxLength: 256,
+      description: "Fully qualified name of the function under analysis, used for SARIF traceability.",
+    },
+    filePath: {
+      type: "string",
+      minLength: 1,
+      maxLength: 4096,
+      description: "Absolute or workspace-relative path to the source file that contains the function.",
+    },
+  },
+  required: ["cyclomaticComplexity", "coveragePercent", "functionName", "filePath"],
+  additionalProperties: false,
+} as const;
+
+/**
+ * Schema for the `compute_tdr` tool. Returns a Technical Debt Ratio and a
+ * maintainability letter rating for a scope (project, module, or file).
+ */
+export const computeTdrSchema = {
+  type: "object",
+  description:
+    "Compute the Technical Debt Ratio (TDR) for a scope and return the maintainability letter rating (A..E). Rating E always halts the workflow regardless of the configured tolerance. Use this after aggregating remediation estimates from SARIF findings.",
+  properties: {
+    remediationMinutes: {
+      type: "number",
+      minimum: 0,
+      maximum: 10_000_000,
+      description: "Total estimated remediation effort in minutes, summed across every finding in the scope.",
+    },
+    totalLinesOfCode: {
+      type: "integer",
+      minimum: 1,
+      maximum: 100_000_000,
+      description: "Physical lines of code in the scope (project, module, or file).",
+    },
+    scope: {
+      type: "string",
+      enum: ["project", "module", "file"],
+      description: "Aggregation scope for the TDR computation.",
+    },
+  },
+  required: ["remediationMinutes", "totalLinesOfCode", "scope"],
+  additionalProperties: false,
+} as const;
+
+/**
+ * Schema for the `analyze_file_ast` tool. Returns deterministic AST
+ * metrics (LOC, cyclomatic complexity, node counts) for a source file.
+ */
+export const analyzeFileAstSchema = {
+  type: "object",
+  description:
+    "Parse a source file with tree-sitter and return deterministic metrics (lines of code, cyclomatic complexity per function, top-level node counts). Prefer this tool over reading the file directly — it is faster and will not bloat the agent context.",
+  properties: {
+    filePath: {
+      type: "string",
+      minLength: 1,
+      maxLength: 4096,
+      // The lookahead pattern rejects any path traversal (`../`) to prevent
+      // the LLM from reading files outside the workspace. Any absolute path
+      // that does not contain `../` is still allowed.
+      pattern: "^(?!.*\\.\\./).*$",
+      description: "Path to the file to analyze. Paths containing `../` are rejected to prevent workspace escape.",
+    },
+    language: {
+      type: "string",
+      enum: ["csharp", "javascript", "typescript", "python", "java"],
+      description: "Source language of the file. Determines which tree-sitter grammar to load.",
+    },
+  },
+  required: ["filePath", "language"],
+  additionalProperties: false,
+} as const;
+
+/**
+ * Schema for the `score_project` tool. Aggregates the latest SARIF
+ * report and the workspace size into a single project score with
+ * Maintainability / Reliability / Security letter grades, an overall
+ * grade, the dashboard URL (when running), and the SARIF report path.
+ */
+export const scoreProjectSchema = {
+  type: "object",
+  description:
+    "Compute the aggregate project score (Maintainability / Reliability / Security / Overall A..E), and return both a chat-friendly Markdown summary and a structured JSON snapshot. Includes the local dashboard URL and the consolidated SARIF report path so the user can drill in without opening any extra tooling.",
+  properties: {
+    format: {
+      type: "string",
+      enum: ["markdown", "json", "both"],
+      description:
+        "Output format. `markdown` returns only the chat summary, `json` returns only the structured snapshot, `both` (default) returns both as separate content blocks.",
+    },
+  },
+  required: [],
+  additionalProperties: false,
+} as const;
+
+/**
+ * Schema for the `require_test_harness` tool. Checks whether a production
+ * source file has an accompanying test file in any of the conventional
+ * locations the resolver supports (sibling `.test.`, `__tests__/`, mirror
+ * tree, Python `test_` prefix).
+ */
+export const requireTestHarnessSchema = {
+  type: "object",
+  description:
+    "Check whether a production source file has a matching test file. Returns the first existing test path, or the full list of paths the resolver probed when none exists. Use this BEFORE writing any functional code — the CLAUDE.md Golden Rule requires a test harness to exist first.",
+  properties: {
+    filePath: {
+      type: "string",
+      minLength: 1,
+      maxLength: 4096,
+      pattern: "^(?!.*\\.\\./).*$",
+      description:
+        "Path to the production file. Paths containing `../` are rejected to prevent workspace escape.",
+    },
+  },
+  required: ["filePath"],
+  additionalProperties: false,
+} as const;
+
+/**
+ * Schema for the `ingest_scanner_output` tool. Accepts a scanner
+ * identifier (Semgrep, ESLint, Bandit, Stryker) plus that scanner's
+ * native output (SARIF or JSON), routes the input through the
+ * matching adapter in `src/adapters/`, and persists the normalized
+ * SARIF 2.1.0 document in the store.
+ *
+ * This tool is the preferred path for ingesting scanner output that
+ * is not already SARIF — `ingest_sarif` remains the right choice
+ * when you already have a SARIF document and just need deduplication.
+ */
+export const ingestScannerOutputSchema = {
+  type: "object",
+  description:
+    "Ingest a scanner's native output (Semgrep SARIF, ESLint JSON, Bandit JSON, or Stryker JSON), route it through the matching adapter, enrich every finding with an effort estimate, and persist the normalized SARIF 2.1.0 document. Prefer this tool over `ingest_sarif` whenever the scanner does not emit SARIF natively.",
+  properties: {
+    scanner: {
+      type: "string",
+      enum: ["semgrep", "eslint", "bandit", "stryker"],
+      description: "Identifier of the producing scanner.",
+    },
+    rawOutput: {
+      description:
+        "The scanner's native output. Accepts either a JSON string (as produced by the scanner's CLI) or a pre-parsed JSON object / array.",
+      oneOf: [{ type: "string" }, { type: "object" }, { type: "array" }],
+    },
+  },
+  required: ["scanner", "rawOutput"],
+  additionalProperties: false,
+} as const;
+
+/**
+ * Schema for the `ingest_sarif` tool. Accepts a raw SARIF 2.1.0 document
+ * from an external scanner, deduplicates against the internal store, and
+ * normalizes the output into claude-crap's canonical format.
+ */
+export const ingestSarifSchema = {
+  type: "object",
+  description:
+    "Ingest a raw SARIF 2.1.0 report produced by an external scanner (Semgrep, ESLint, Bandit, Stryker, etc.), deduplicate it against the internal store, and return the normalized document. The agent should call this once per scanner invocation, not once per finding.",
+  properties: {
+    sarifDocument: {
+      type: "object",
+      description: "A full SARIF 2.1.0 document with `version` and `runs` keys.",
+      properties: {
+        version: { type: "string", enum: ["2.1.0"] },
+        $schema: { type: "string" },
+        runs: { type: "array", minItems: 1 },
+      },
+      required: ["version", "runs"],
+    },
+    sourceTool: {
+      type: "string",
+      pattern: "^[a-zA-Z0-9._-]{1,64}$",
+      description: "Stable identifier of the tool that produced the report (`semgrep`, `eslint`, `bandit`, ...).",
+    },
+  },
+  required: ["sarifDocument", "sourceTool"],
+  additionalProperties: false,
+} as const;

package/src/sdk.ts

@@ -0,0 +1,110 @@
+/**
+ * Root public SDK for `claude-crap`.
+ *
+ * This is the module you get when you do
+ * `import ... from "claude-crap"`. It is intentionally
+ * **side-effect-free**: importing this file does NOT start the MCP
+ * server, does NOT open the dashboard, does NOT touch the filesystem.
+ * Only the executable entrypoint in `dist/index.js` boots the
+ * server — that file is invoked by the `.mcp.json` command and the
+ * CLI bin, never as a library.
+ *
+ * Structure:
+ *
+ *   - `./metrics` — CRAP, TDR, project score, workspace walker
+ *   - `./sarif`   — SARIF 2.1.0 builder and on-disk store
+ *   - `./ast`     — tree-sitter engine, cyclomatic complexity, language config
+ *   - `./tools`   — test-harness resolver used by `require_test_harness`
+ *
+ * Prefer deep imports
+ * (`import { computeCrap } from "claude-crap/metrics"`) over
+ * pulling everything through the root — they give TypeScript more
+ * precise type information and help tree-shakers drop unused modules.
+ *
+ * The symbols re-exported here are the ones most code paths need:
+ *
+ *   - `computeCrap`, `computeTdr`, `computeProjectScore`
+ *   - `renderProjectScoreMarkdown`
+ *   - `classifyTdr`, `ratingIsWorseThan`
+ *   - `SarifStore`, `buildSarifDocument`
+ *   - `TreeSitterEngine`
+ *
+ * @module claude-crap
+ */
+
+// --- metrics ---------------------------------------------------------------
+export {
+  computeCrap,
+  computeTdr,
+  classifyTdr,
+  ratingIsWorseThan,
+  ratingToRank,
+  computeProjectScore,
+  renderProjectScoreMarkdown,
+  estimateWorkspaceLoc,
+} from "./metrics/index.js";
+export type {
+  CrapInput,
+  CrapResult,
+  TdrInput,
+  TdrResult,
+  ComputeProjectScoreInput,
+  DimensionScore,
+  FindingsSummary,
+  MaintainabilityScore,
+  ProjectScore,
+  ScoreLocation,
+  SeverityRating,
+  WorkspaceStats,
+  WorkspaceWalkResult,
+} from "./metrics/index.js";
+
+// --- sarif -----------------------------------------------------------------
+export { SarifStore, buildSarifDocument } from "./sarif/index.js";
+export type {
+  IngestedFinding,
+  PersistedSarif,
+  SarifFinding,
+  SarifLevel,
+  SarifLocation,
+  SarifStoreOptions,
+  SarifToolInfo,
+} from "./sarif/index.js";
+
+// --- ast -------------------------------------------------------------------
+export {
+  TreeSitterEngine,
+  computeCyclomaticComplexity,
+  detectLanguageFromPath,
+  LANGUAGE_TABLE,
+} from "./ast/index.js";
+export type {
+  AnalyzeFileRequest,
+  AstNode,
+  FileMetrics,
+  FunctionMetrics,
+  LanguageConfig,
+  SupportedLanguage,
+  TreeSitterEngineOptions,
+} from "./ast/index.js";
+
+// --- tools -----------------------------------------------------------------
+export { findTestFile, isTestFile, candidatePaths } from "./tools/index.js";
+export type { TestFileResolution } from "./tools/index.js";
+
+// --- adapters --------------------------------------------------------------
+export {
+  adaptScannerOutput,
+  adaptSemgrep,
+  adaptEslint,
+  adaptBandit,
+  adaptStryker,
+  KNOWN_SCANNERS,
+} from "./adapters/index.js";
+export type { AdapterResult, KnownScanner } from "./adapters/index.js";
+
+// --- configuration types ---------------------------------------------------
+// We re-export the config type (not `loadConfig`) so consumers can type
+// their own configs without importing the loader, which would read
+// `process.env` eagerly.
+export type { MaintainabilityRating, CrapConfig } from "./config.js";

package/src/tests/adapters/bandit.test.ts

@@ -0,0 +1,111 @@
+/**
+ * Unit tests for the Bandit adapter.
+ *
+ * Bandit's `-f json` output has a `results[]` array of findings with
+ * `issue_severity` strings HIGH / MEDIUM / LOW that map to SARIF
+ * error / warning / note.
+ *
+ * @module tests/adapters/bandit.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+import { adaptBandit } from "../../adapters/bandit.js";
+
+describe("adaptBandit", () => {
+  it("maps HIGH severity to error", () => {
+    const raw = {
+      results: [
+        {
+          filename: "app.py",
+          line_number: 12,
+          col_offset: 4,
+          test_id: "B608",
+          test_name: "hardcoded_sql_expressions",
+          issue_severity: "HIGH",
+          issue_confidence: "HIGH",
+          issue_text: "Possible SQL injection",
+          issue_cwe: { id: 89 },
+        },
+      ],
+    };
+    const result = adaptBandit(raw);
+    assert.equal(result.sourceTool, "bandit");
+    const finding = result.document.runs[0]?.results?.[0] as {
+      level?: string;
+      ruleId?: string;
+      properties?: { cwe?: number; confidence?: string };
+    };
+    assert.equal(finding?.level, "error");
+    assert.equal(finding?.ruleId, "bandit.B608");
+    assert.equal(finding?.properties?.cwe, 89);
+    assert.equal(finding?.properties?.confidence, "HIGH");
+  });
+
+  it("maps MEDIUM severity to warning and LOW severity to note", () => {
+    const raw = {
+      results: [
+        {
+          filename: "a.py",
+          line_number: 1,
+          col_offset: 0,
+          test_id: "B101",
+          issue_severity: "MEDIUM",
+        },
+        {
+          filename: "b.py",
+          line_number: 2,
+          col_offset: 0,
+          test_id: "B102",
+          issue_severity: "LOW",
+        },
+      ],
+    };
+    const result = adaptBandit(raw);
+    const levels = (result.document.runs[0]?.results ?? [])
+      .map((r) => (r as { level?: string }).level)
+      .sort();
+    assert.deepEqual(levels, ["note", "warning"]);
+  });
+
+  it("converts 0-based col_offset to 1-based SARIF startColumn", () => {
+    const raw = {
+      results: [
+        { filename: "a.py", line_number: 5, col_offset: 0, test_id: "B101", issue_severity: "LOW" },
+      ],
+    };
+    const result = adaptBandit(raw);
+    const finding = result.document.runs[0]?.results?.[0] as {
+      locations?: Array<{ physicalLocation?: { region?: { startColumn?: number } } }>;
+    };
+    assert.equal(finding?.locations?.[0]?.physicalLocation?.region?.startColumn, 1);
+  });
+
+  it("assigns a high effort budget to HIGH severity findings", () => {
+    const high = adaptBandit({
+      results: [
+        { filename: "a.py", line_number: 1, col_offset: 0, test_id: "B1", issue_severity: "HIGH" },
+      ],
+    });
+    const low = adaptBandit({
+      results: [
+        { filename: "a.py", line_number: 1, col_offset: 0, test_id: "B1", issue_severity: "LOW" },
+      ],
+    });
+    assert.ok(high.totalEffortMinutes > low.totalEffortMinutes * 2);
+  });
+
+  it("accepts a JSON string", () => {
+    const raw = JSON.stringify({
+      results: [
+        { filename: "x.py", line_number: 1, col_offset: 0, test_id: "B101", issue_severity: "LOW" },
+      ],
+    });
+    assert.equal(adaptBandit(raw).findingCount, 1);
+  });
+
+  it("throws on inputs missing the results[] array", () => {
+    assert.throws(() => adaptBandit({ not: "a bandit report" }));
+  });
+});

package/src/tests/adapters/dispatch.test.ts

@@ -0,0 +1,100 @@
+/**
+ * Unit tests for the `adaptScannerOutput` dispatcher.
+ *
+ * The dispatcher is a thin switch that picks the right adapter based
+ * on the `scanner` argument. These tests pin the happy path per
+ * scanner and the error path for unknown names.
+ *
+ * @module tests/adapters/dispatch.test
+ */
+
+import { describe, it } from "node:test";
+import assert from "node:assert/strict";
+
+import { adaptScannerOutput, KNOWN_SCANNERS } from "../../adapters/index.js";
+
+describe("adaptScannerOutput", () => {
+  it("routes semgrep input through the semgrep adapter", () => {
+    const result = adaptScannerOutput("semgrep", {
+      version: "2.1.0",
+      runs: [
+        {
+          tool: { driver: { name: "semgrep", version: "1" } },
+          results: [
+            {
+              ruleId: "r1",
+              level: "error",
+              message: { text: "m" },
+              locations: [
+                {
+                  physicalLocation: {
+                    artifactLocation: { uri: "a.py" },
+                    region: { startLine: 1, startColumn: 1 },
+                  },
+                },
+              ],
+            },
+          ],
+        },
+      ],
+    });
+    assert.equal(result.sourceTool, "semgrep");
+    assert.equal(result.findingCount, 1);
+  });
+
+  it("routes eslint input through the eslint adapter", () => {
+    const result = adaptScannerOutput("eslint", [
+      {
+        filePath: "/a.js",
+        messages: [{ ruleId: "no-undef", severity: 2, message: "m", line: 1, column: 1 }],
+      },
+    ]);
+    assert.equal(result.sourceTool, "eslint");
+    assert.equal(result.findingCount, 1);
+  });
+
+  it("routes bandit input through the bandit adapter", () => {
+    const result = adaptScannerOutput("bandit", {
+      results: [
+        { filename: "a.py", line_number: 1, col_offset: 0, test_id: "B101", issue_severity: "LOW" },
+      ],
+    });
+    assert.equal(result.sourceTool, "bandit");
+    assert.equal(result.findingCount, 1);
+  });
+
+  it("routes stryker input through the stryker adapter", () => {
+    const result = adaptScannerOutput("stryker", {
+      schemaVersion: "1.0",
+      files: {
+        "src/a.ts": {
+          mutants: [
+            {
+              id: "1",
+              mutatorName: "Cond",
+              replacement: "!",
+              location: {
+                start: { line: 1, column: 1 },
+                end: { line: 1, column: 5 },
+              },
+              status: "Survived",
+            },
+          ],
+        },
+      },
+    });
+    assert.equal(result.sourceTool, "stryker");
+    assert.equal(result.findingCount, 1);
+  });
+
+  it("throws on unknown scanner names", () => {
+    // Cast through unknown → string to keep the test compile-time safe
+    // while we exercise the runtime exhaustiveness guard.
+    const scanner = "does-not-exist" as unknown as "semgrep";
+    assert.throws(() => adaptScannerOutput(scanner, {}));
+  });
+
+  it("KNOWN_SCANNERS is frozen and contains exactly the four supported names", () => {
+    assert.deepEqual([...KNOWN_SCANNERS].sort(), ["bandit", "eslint", "semgrep", "stryker"]);
+  });
+});