codegate-ai 0.6.1 → 0.8.0

package/dist/reporter/sarif.js

@@ -49,6 +49,7 @@ function findingToResult(finding) {
         locations: [findingToLocation(finding)],
         properties: {
             finding_id: finding.finding_id,
+            fingerprint: finding.fingerprint ?? null,
             severity: finding.severity,
             category: finding.category,
             layer: finding.layer,
@@ -59,6 +60,7 @@ function findingToResult(finding) {
             evidence: finding.evidence ?? null,
             fixable: finding.fixable,
             suppressed: finding.suppressed,
+            metadata: finding.metadata ?? null,
             source_config: finding.source_config ?? null,
         },
     };

package/dist/reporter/terminal.js

@@ -15,6 +15,27 @@ function appendLabeledText(lines, label, value) {
     }
     lines.push(`  ${label}: ${value}`);
 }
+function appendMetadata(lines, metadata) {
+    if (!metadata) {
+        return;
+    }
+    const hasContent = (metadata.sources?.length ?? 0) > 0 ||
+        (metadata.sinks?.length ?? 0) > 0 ||
+        (metadata.referenced_secrets?.length ?? 0) > 0 ||
+        (metadata.risk_tags?.length ?? 0) > 0 ||
+        typeof metadata.origin === "string";
+    if (!hasContent) {
+        return;
+    }
+    lines.push("  Metadata:");
+    appendLabeledList(lines, "Sources", metadata.sources ?? []);
+    appendLabeledList(lines, "Sinks", metadata.sinks ?? []);
+    appendLabeledList(lines, "Referenced secrets", metadata.referenced_secrets ?? []);
+    appendLabeledList(lines, "Risk tags", metadata.risk_tags ?? []);
+    if (metadata.origin) {
+        appendLabeledText(lines, "Origin", metadata.origin);
+    }
+}
 function appendEvidence(lines, evidence) {
     const evidenceLines = evidence.split("\n");
     if (evidenceLines.length === 1) {
@@ -55,6 +76,9 @@ function appendFinding(lines, report, options, finding) {
     if (verbose) {
         lines.push(`  Rule: ${finding.rule_id}`);
         lines.push(`  Finding ID: ${finding.finding_id}`);
+        if (finding.fingerprint) {
+            lines.push(`  Fingerprint: ${finding.fingerprint}`);
+        }
         lines.push(`  Category: ${finding.category} | Layer: ${finding.layer} | Confidence: ${finding.confidence}`);
         const formattedLocation = formatLocation(finding.location);
         if (formattedLocation) {
@@ -70,6 +94,7 @@ function appendFinding(lines, report, options, finding) {
         if (finding.remediation_actions.length > 0) {
             lines.push(`  Remediation: ${finding.remediation_actions.join(", ")}`);
         }
+        appendMetadata(lines, finding.metadata);
     }
     if (finding.layer === "L3" && finding.source_config) {
         const fieldSuffix = finding.source_config.field ? ` (${finding.source_config.field})` : "";

package/dist/scan-target/fetch-plan.d.ts

@@ -0,0 +1,8 @@
+export interface SparseFetchPlan {
+    sparsePaths: string[];
+}
+export interface BuildSparseFetchPlanInput {
+    preferredSkill?: string;
+    inferredSkill?: string;
+}
+export declare function buildSparseFetchPlan(source: string, input?: BuildSparseFetchPlanInput): SparseFetchPlan | null;

package/dist/scan-target/fetch-plan.js

@@ -0,0 +1,30 @@
+import { isLikelyGitRepoUrl } from "./helpers.js";
+function normalizeSkillName(value) {
+    const trimmed = value?.trim();
+    if (!trimmed) {
+        return null;
+    }
+    return trimmed.replace(/^skills\//iu, "").replace(/^\/+/u, "");
+}
+function selectSkill(input) {
+    return normalizeSkillName(input.preferredSkill) ?? normalizeSkillName(input.inferredSkill);
+}
+export function buildSparseFetchPlan(source, input = {}) {
+    let url;
+    try {
+        url = new URL(source);
+    }
+    catch {
+        return null;
+    }
+    if (!isLikelyGitRepoUrl(url)) {
+        return null;
+    }
+    const selectedSkill = selectSkill(input);
+    if (!selectedSkill) {
+        return null;
+    }
+    return {
+        sparsePaths: ["/*", "!/*/", "/.*/**", "/hooks/**", `/skills/${selectedSkill}/**`],
+    };
+}

package/dist/scan-target/staging.js

@@ -2,16 +2,71 @@ import { copyFileSync, existsSync, mkdirSync, mkdtempSync, readdirSync, statSync
 import { spawnSync } from "node:child_process";
 import { tmpdir } from "node:os";
 import { dirname, join } from "node:path";
+import { buildSparseFetchPlan } from "./fetch-plan.js";
 import { cleanupTempDir, collectExplicitCandidates, copyDirectoryRecursive, extractSkillFromRepoPath, inferRemoteCandidateFormat, inferLocalFileStagePath, inferRemoteFileStagePath, inferToolFromReportPath, parseGitHubFileSource, preserveTailSegments, shouldStageContainingFolder, } from "./helpers.js";
-function cloneRepository(source, destination) {
-    const result = spawnSync("git", ["clone", "--depth", "1", "--filter=blob:none", source, destination], {
+function runGit(args) {
+    const result = spawnSync("git", args, {
+        encoding: "utf8",
+    });
+    if (result.status !== 0) {
+        const stderr = result.stderr?.trim();
+        throw new Error(stderr && stderr.length > 0 ? stderr : `git ${args.join(" ")} failed`);
+    }
+}
+function cloneRepository(source, destination, sparsePaths) {
+    const cloneArgs = ["clone", "--depth", "1", "--filter=blob:none"];
+    if (sparsePaths && sparsePaths.length > 0) {
+        cloneArgs.push("--no-checkout");
+    }
+    cloneArgs.push(source, destination);
+    const result = spawnSync("git", cloneArgs, {
         encoding: "utf8",
     });
     if (result.status !== 0) {
         const stderr = result.stderr?.trim();
         throw new Error(stderr && stderr.length > 0 ? stderr : `git clone failed for ${source}`);
     }
-    cleanupTempDir(join(destination, ".git"));
+    if (!sparsePaths || sparsePaths.length === 0) {
+        cleanupTempDir(join(destination, ".git"));
+        return;
+    }
+    try {
+        runGit(["-C", destination, "sparse-checkout", "init", "--no-cone"]);
+        runGit(["-C", destination, "sparse-checkout", "set", "--no-cone", ...sparsePaths]);
+        runGit(["-C", destination, "checkout", "--force", "HEAD"]);
+        cleanupTempDir(join(destination, ".git"));
+        return;
+    }
+    catch (error) {
+        cleanupTempDir(destination);
+        const fallback = spawnSync("git", ["clone", "--depth", "1", "--filter=blob:none", source, destination], {
+            encoding: "utf8",
+        });
+        if (fallback.status !== 0) {
+            const stderr = fallback.stderr?.trim();
+            throw new Error(stderr && stderr.length > 0 ? stderr : `git clone failed for ${source}`, {
+                cause: error,
+            });
+        }
+        cleanupTempDir(join(destination, ".git"));
+    }
+}
+function cloneSparseRepository(source, destination, sparsePaths) {
+    cloneRepository(source, destination, sparsePaths);
+}
+function cloneFullRepository(source, destination) {
+    cloneRepository(source, destination);
+}
+function stageSparseClone(source, destination, preferredSkill, inferredSkill) {
+    const sparsePlan = buildSparseFetchPlan(source, {
+        preferredSkill,
+        inferredSkill,
+    });
+    if (!sparsePlan) {
+        cloneFullRepository(source, destination);
+        return;
+    }
+    cloneSparseRepository(source, destination, sparsePlan.sparsePaths);
 }
 export function stageLocalFile(absolutePath) {
     const tempRoot = mkdtempSync(join(tmpdir(), "codegate-scan-target-"));
@@ -132,7 +187,7 @@ export async function cloneGitRepo(rawTarget, options = {}) {
     const tempRoot = mkdtempSync(join(tmpdir(), "codegate-scan-repo-"));
     const repoDir = join(tempRoot, "repo");
     try {
-        cloneRepository(rawTarget, repoDir);
+        stageSparseClone(rawTarget, repoDir, options.preferredSkill, options.inferredSkill);
         return await stageSkillAwareRepository(tempRoot, repoDir, options.displayTarget ?? rawTarget, options);
     }
     catch (error) {
@@ -144,7 +199,7 @@ export function stageRepoSubdirectory(repoUrl, filePath, displayTarget) {
     const tempRoot = mkdtempSync(join(tmpdir(), "codegate-scan-repo-file-"));
     const repoDir = join(tempRoot, "repo");
     try {
-        cloneRepository(repoUrl, repoDir);
+        stageSparseClone(repoUrl, repoDir, undefined, extractSkillFromRepoPath(filePath) ?? undefined);
         const inferredSkill = extractSkillFromRepoPath(filePath);
         if (inferredSkill) {
             const stageRoot = join(tempRoot, "staged");

package/dist/scan.js

@@ -571,6 +571,9 @@ export async function runScanEngine(input) {
             trustedApiDomains: input.config.trusted_api_domains,
             unicodeAnalysis: input.config.unicode_analysis,
             checkIdeSettings: input.config.check_ide_settings,
+            rulePackPaths: input.config.rule_pack_paths,
+            allowedRules: input.config.allowed_rules,
+            skipRules: input.config.skip_rules,
         },
     });
     const snapshots = new Map();

package/dist/types/finding.d.ts

@@ -13,6 +13,13 @@ export interface FindingSourceConfig {
     file_path: string;
     field?: string;
 }
+export interface FindingMetadata {
+    sources?: string[];
+    sinks?: string[];
+    referenced_secrets?: string[];
+    risk_tags?: string[];
+    origin?: string;
+}
 export interface AffectedLocation {
     file_path: string;
     location?: FindingLocation;
@@ -20,6 +27,7 @@ export interface AffectedLocation {
 export interface Finding {
     rule_id: string;
     finding_id: string;
+    fingerprint?: string;
     severity: Severity;
     category: FindingCategory;
     layer: FindingLayer;
@@ -34,6 +42,7 @@ export interface Finding {
     confidence: FindingConfidence;
     fixable: boolean;
     remediation_actions: string[];
+    metadata?: FindingMetadata | null;
     evidence?: string | null;
     observed?: string[] | null;
     inference?: string | null;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codegate-ai",
-  "version": "0.6.1",
+  "version": "0.8.0",
   "description": "Pre-flight security scanner for AI coding tool configurations.",
   "license": "MIT",
   "type": "module",
@@ -31,6 +31,7 @@
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
     "test": "vitest run",
+    "test:coverage": "vitest run --coverage",
     "test:perf": "vitest run tests/perf/scan-performance.test.ts",
     "test:reliability": "vitest run tests/reliability/signal-handling.test.ts",
     "typecheck": "tsc --noEmit -p tsconfig.json",
@@ -85,6 +86,7 @@
     "@types/node": "^25.3.5",
     "@types/react": "^19.2.14",
     "@types/which": "^3.0.4",
+    "@vitest/coverage-v8": "^4.1.0",
     "conventional-changelog-conventionalcommits": "^9.3.0",
     "eslint": "^10.0.2",
     "globals": "^17.4.0",