codeant-cli 0.1.0 → 0.1.1

package/README.md

@@ -68,6 +68,8 @@ codeant secrets [options]
 | `--uncommitted` | Scan all uncommitted changes |
 | `--last-commit` | Scan files from the last commit |
 | `--fail-on <level>` | Fail only on HIGH, MEDIUM, or all (default: HIGH) |
+| `--include <patterns>` | Comma-separated glob patterns to include files |
+| `--exclude <patterns>` | Comma-separated glob patterns to exclude files |
 
 **Examples:**
 
@@ -89,8 +91,21 @@ codeant secrets --fail-on MEDIUM
 
 # Fail on all secrets (except false positives)
 codeant secrets --fail-on all
+
+# Filter files using glob patterns
+codeant secrets --include '**/*.js'                           # Only JS files
+codeant secrets --exclude 'node_modules/**,*.test.js'         # Exclude patterns
+codeant secrets --include 'src/**' --exclude '*.test.*'       # Combine both
 ```
 
+**File Filtering:**
+
+Use `--include` and `--exclude` with glob patterns to filter files:
+- `*` matches any characters except `/`
+- `**` matches any characters including `/`
+- `*.{js,ts}` matches multiple extensions
+- Comma-separated for multiple patterns: `--exclude 'test/**,dist/**'`
+
 **Exit codes:**
 - `0` - No blocking secrets found (or only false positives)
 - `1` - Secrets detected that match the `--fail-on` threshold

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeant-cli",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "description": "Code review CLI tool",
   "type": "module",
   "bin": {
@@ -9,7 +9,11 @@
   "scripts": {
     "start": "node src/index.js"
   },
-  "keywords": ["cli", "code-review", "secrets"],
+  "keywords": [
+    "cli",
+    "code-review",
+    "secrets"
+  ],
   "author": "",
   "license": "MIT",
   "repository": {
@@ -22,6 +26,7 @@
   "dependencies": {
     "commander": "^12.1.0",
     "ink": "^5.0.1",
+    "minimatch": "^10.1.1",
     "open": "^10.1.0",
     "react": "^18.3.1"
   }

package/src/commands/secrets.js

@@ -4,7 +4,7 @@ import { getConfigValue } from '../utils/config.js';
 import { fetchApi } from '../utils/fetchApi.js';
 import SecretsApiHelper from '../utils/secretsApiHelper.js';
 
-export default function Secrets({ scanType = 'staged-only', failOn = 'HIGH' }) {
+export default function Secrets({ scanType = 'staged-only', failOn = 'HIGH', include = [], exclude = [] }) {
   const { exit } = useApp();
   const [status, setStatus] = useState('initializing');
   const [secrets, setSecrets] = useState([]);
@@ -13,12 +13,16 @@ export default function Secrets({ scanType = 'staged-only', failOn = 'HIGH' }) {
 
   const apiKey = getConfigValue('apiKey');
 
+  // Handle not logged in state
+  useEffect(() => {
+    if (!apiKey) {
+      const id = setTimeout(() => exit(new Error('Not logged in')), 0);
+      return () => clearTimeout(id);
+    }
+  }, [apiKey, exit]);
+
   // Check if logged in
   if (!apiKey) {
-    useEffect(() => {
-      exit(new Error('Not logged in'));
-    }, []);
-
     return React.createElement(
       Box,
       { flexDirection: 'column', padding: 1 },
@@ -37,19 +41,23 @@ export default function Secrets({ scanType = 'staged-only', failOn = 'HIGH' }) {
   };
 
   useEffect(() => {
+    let cancelled = false;
+
     async function scanSecrets() {
       try {
+        if (cancelled) return;
         setStatus('scanning');
 
         // Initialize git helper and get staged files
         const helper = new SecretsApiHelper(process.cwd());
         await helper.init();
 
-        const requestBody = await helper.buildSecretsApiRequest(scanType);
-        setFileCount(requestBody.files.length);
+        if (cancelled) return;
+        const requestBody = await helper.buildSecretsApiRequest(scanType, include, exclude);
+        if (cancelled) return;
 
         if (requestBody.files.length === 0) {
-          setStatus('no_files');
+          if (!cancelled) setStatus('no_files');
           return;
         }
 
@@ -60,6 +68,7 @@ export default function Secrets({ scanType = 'staged-only', failOn = 'HIGH' }) {
           requestBody
         );
 
+        if (cancelled) return;
         const detectedSecrets = response.secretsDetected || [];
 
         // Filter to only include files with actual secrets
@@ -67,16 +76,24 @@ export default function Secrets({ scanType = 'staged-only', failOn = 'HIGH' }) {
           file => file.secrets && file.secrets.length > 0
         );
 
-        setSecrets(filesWithSecrets);
-        setStatus('done');
+        if (!cancelled) {
+          setSecrets(filesWithSecrets);
+          setStatus('done');
+        }
       } catch (err) {
-        setError(err.message);
-        setStatus('error');
+        if (!cancelled) {
+          setError(err.message);
+          setStatus('error');
+        }
       }
     }
 
     scanSecrets();
-  }, []);
+
+    return () => {
+      cancelled = true;
+    };
+  }, [scanType, include, exclude]);
 
   // Handle exit after status changes
   useEffect(() => {

package/src/index.js

@@ -22,13 +22,25 @@ program
   .option('--uncommitted', 'Scan uncommitted changes')
   .option('--last-commit', 'Scan last commit')
   .option('--fail-on <level>', 'Fail only on HIGH, MEDIUM, or all (default: HIGH)', 'HIGH')
+  .option('--include <paths>', 'Comma-separated list of file paths regex to include')
+  .option('--exclude <paths>', 'Comma-separated list of file paths regex to exclude')
   .action((options) => {
     let scanType = 'staged-only';
     if (options.all) scanType = 'branch-diff';
     else if (options.uncommitted) scanType = 'uncommitted';
     else if (options.lastCommit) scanType = 'last-commit';
 
-    render(React.createElement(Secrets, { scanType, failOn: options.failOn }));
+    const include = options.include
+      ? (Array.isArray(options.include) ? options.include : options.include.split(',')).map(s => s.trim()).filter(Boolean)
+      : [];
+
+    const exclude = options.exclude
+      ? (Array.isArray(options.exclude) ? options.exclude : options.exclude.split(',')).map(s => s.trim()).filter(Boolean)
+      : [];
+
+    const failOn = options.failOn?.toUpperCase() || 'HIGH';
+
+    render(React.createElement(Secrets, { scanType, failOn, include, exclude }));
   });
 
 program

package/src/utils/secretsApiHelper.js

@@ -1,4 +1,5 @@
 import GitDiffHelper from './gitDiffHelper.js';
+import { minimatch } from 'minimatch';
 
 /**
  * Transforms git diff data into the format expected by the secrets detection API
@@ -93,10 +94,70 @@ class SecretsApiHelper {
     return Array.from(fileMap.values());
   }
 
+  /**
+   * Filter files based on include and exclude glob patterns
+   * @param {Array} files - Array of file objects with file_path property
+   * @param {Array} includePatterns - Array of glob pattern strings to include
+   * @param {Array} excludePatterns - Array of glob pattern strings to exclude
+   * @returns {Array} Filtered array of files
+   */
+  _filterFiles(files, includePatterns = [], excludePatterns = []) {
+    return files.filter(file => {
+      const filePath = file.file_path;
+
+      // If include patterns are specified, file must match at least one
+      if (includePatterns.length > 0) {
+        const matchesInclude = includePatterns.some(pattern => {
+          try {
+            // If pattern is a RegExp, test it directly against the file path.
+            if (pattern instanceof RegExp) {
+              return pattern.test(filePath);
+            }
+            // Use matchBase option to match basename patterns like '*.js' for glob strings
+            return minimatch(filePath, pattern, { matchBase: true });
+          } catch (e) {
+            console.warn(`Invalid include pattern: ${pattern}`, e.message);
+            return false;
+          }
+        });
+
+        if (!matchesInclude) {
+          return false;
+        }
+      }
+
+      // If exclude patterns are specified, file must not match any
+      if (excludePatterns.length > 0) {
+        const matchesExclude = excludePatterns.some(pattern => {
+          try {
+            // If pattern is a RegExp, test it directly against the file path.
+            if (pattern instanceof RegExp) {
+              return pattern.test(filePath);
+            }
+            // Use matchBase option to match basename patterns like '*.js' for glob strings
+            return minimatch(filePath, pattern, { matchBase: true });
+          } catch (e) {
+            console.warn(`Invalid exclude pattern: ${pattern}`, e.message);
+            return false;
+          }
+        });
+
+        if (matchesExclude) {
+          return false;
+        }
+      }
+
+      return true;
+    });
+  }
+
   /**
    * Build the complete request body for the secrets API
+   * @param {string} type - Type of scan (staged-only, branch-diff, etc.)
+   * @param {Array} includePatterns - Optional array of glob patterns to include files
+   * @param {Array} excludePatterns - Optional array of glob patterns to exclude files
    */
-  async buildSecretsApiRequest(type = 'staged-only') {
+  async buildSecretsApiRequest(type = 'staged-only', includePatterns = [], excludePatterns = []) {
     let files;
 
     switch (type) {
@@ -116,6 +177,9 @@ class SecretsApiHelper {
         files = await this.getStagedFilesForApi();
     }
 
+    // Apply include/exclude filters
+    files = this._filterFiles(files, includePatterns, excludePatterns);
+
     return { files };
   }