npm - configsentry - Versions diffs - 0.0.24 → 0.0.26 - Mend

configsentry 0.0.24 → 0.0.26

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -15,7 +15,7 @@ npx configsentry ./docker-compose.yml
 ### GitHub Action (minimal)
 ```yml
-- uses: alfredMorgenstern/configsentry@v0.0.23
+- uses: alfredMorgenstern/configsentry@v0.0.25
   with:
     target: .
 ```
@@ -27,7 +27,7 @@ permissions:
   contents: read
   security-events: write
-- uses: alfredMorgenstern/configsentry@v0.0.23
+- uses: alfredMorgenstern/configsentry@v0.0.25
   with:
     target: .
     sarif: true
@@ -72,10 +72,16 @@ node dist/cli.js --target ./docker-compose.yml
 node dist/cli.js --target ./docker-compose.yml --format json
 ```
+Write JSON to a file (no shell redirection needed):
+```bash
+node dist/cli.js --target ./docker-compose.yml --format json --output configsentry.json
+```
 ### SARIF output (GitHub Code Scanning)
 ```bash
-node dist/cli.js --target ./docker-compose.yml --format sarif > configsentry.sarif.json
+node dist/cli.js --target ./docker-compose.yml --format sarif --output configsentry.sarif.json
 ```
 ## Baselines (incremental adoption)
@@ -146,7 +152,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: alfredMorgenstern/configsentry@v0.0.23
+      - uses: alfredMorgenstern/configsentry@v0.0.25
         with:
           target: .
           # optional: baseline: .configsentry-baseline.json
@@ -160,13 +166,23 @@ jobs:
 **Note (consumer repos):** your repo does **not** need a `package-lock.json`. The action installs/builds ConfigSentry from the action package itself.
-> Tip: pin to a tag (like `v0.0.18`) for reproducible builds.
+> Tip: pin to a tag (like `v0.0.25`) for reproducible builds.
 ## Exit codes
 - `0` no findings
 - `2` findings present
 - `1` error
+## CI: fail only on high severity (optional)
+If you want ConfigSentry to block builds only on high severity findings:
+```bash
+npx configsentry ./docker-compose.yml --severity-threshold high
+```
+This also works in GitHub Actions via `args:` (see `docs/action-usage.md`).
 ## Example
 ```bash

package/dist/cli.js CHANGED Viewed

@@ -8,6 +8,9 @@ import { runRules } from './rules.js';
 import { findingsToSarif } from './sarif.js';
 import { resolveTargets } from './scan.js';
 import { applyBaseline, loadBaseline, writeBaseline } from './baseline.js';
+function severityRank(s) {
+    return s === 'low' ? 1 : s === 'medium' ? 2 : 3;
+}
 function parseArgs(argv) {
     const args = argv.slice(2);
     const help = args.includes('-h') || args.includes('--help');
@@ -29,13 +32,17 @@ function parseArgs(argv) {
     const baselinePath = baselineIdx >= 0 ? args[baselineIdx + 1] : undefined;
     const writeBaselineIdx = args.indexOf('--write-baseline');
     const writeBaselinePath = writeBaselineIdx >= 0 ? args[writeBaselineIdx + 1] : undefined;
+    const severityThresholdIdx = args.indexOf('--severity-threshold');
+    const severityThreshold = severityThresholdIdx >= 0 ? args[severityThresholdIdx + 1] : undefined;
+    const outputIdx = args.indexOf('--output');
+    const outputPath = outputIdx >= 0 ? args[outputIdx + 1] : undefined;
     // Prefer explicit flag (matches the GitHub Action input)
     const targetIdx = args.indexOf('--target');
     const targetFromFlag = targetIdx >= 0 ? args[targetIdx + 1] : undefined;
     // Back-compat: first positional arg
     const targetFromPositional = args.find((a) => !a.startsWith('-'));
     const target = targetFromFlag ?? targetFromPositional;
-    return { args, help, version, output, format, baselinePath, writeBaselinePath, target };
+    return { args, help, version, output, format, outputPath, baselinePath, writeBaselinePath, severityThreshold, target };
 }
 function usage() {
     console.log(`ConfigSentry (MVP)
@@ -48,6 +55,9 @@ Output:
   --json                    machine-readable findings (deprecated; use --format json)
   --sarif                   SARIF 2.1.0 (for GitHub code scanning) (deprecated; use --format sarif)
   --format <pretty|json|sarif>
+  --output <file>           write JSON/SARIF output to a file (use with --format)
+  --severity-threshold <low|medium|high>
+                            only report findings at/above this severity (affects exit code)
 Baselines:
   --baseline <file>        suppress findings present in a baseline file
@@ -60,7 +70,7 @@ Exit codes:
 `);
 }
 async function main() {
-    const { args, help, version, output, format, baselinePath, writeBaselinePath, target } = parseArgs(process.argv);
+    const { args, help, version, output, format, outputPath, baselinePath, writeBaselinePath, severityThreshold, target } = parseArgs(process.argv);
     if (version) {
         try {
             const here = path.dirname(fileURLToPath(import.meta.url));
@@ -90,6 +100,14 @@ async function main() {
         console.error('Error: choose only one output mode: --json, --sarif, or --format');
         process.exit(1);
     }
+    if (outputPath && output === 'pretty') {
+        console.error('Error: --output requires machine output (use --format json or --format sarif)');
+        process.exit(1);
+    }
+    if (severityThreshold && severityThreshold !== 'low' && severityThreshold !== 'medium' && severityThreshold !== 'high') {
+        console.error(`Error: invalid --severity-threshold '${severityThreshold}'. Expected: low | medium | high`);
+        process.exit(1);
+    }
     if (!target) {
         usage();
         process.exit(1);
@@ -113,6 +131,14 @@ async function main() {
         findings = res.kept;
         suppressed = res.suppressed;
     }
+    // Severity threshold filtering (affects reporting + exit code)
+    if (severityThreshold) {
+        const min = severityRank(severityThreshold);
+        findings = findings.filter((f) => {
+            const sev = f.severity ?? 'low';
+            return severityRank(sev) >= min;
+        });
+    }
     // Baseline generation mode
     if (writeBaselinePath) {
         await writeBaseline(path.resolve(writeBaselinePath), allFindings);
@@ -120,10 +146,22 @@ async function main() {
         process.exit(0);
     }
     if (output === 'json') {
-        console.log(JSON.stringify({ targetPaths, findings, suppressedCount: suppressed.length }, null, 2));
+        const payload = JSON.stringify({ targetPaths, findings, suppressedCount: suppressed.length }, null, 2);
+        if (outputPath) {
+            await fs.writeFile(path.resolve(outputPath), payload, 'utf8');
+        }
+        else {
+            console.log(payload);
+        }
     }
     else if (output === 'sarif') {
-        console.log(JSON.stringify(findingsToSarif(findings), null, 2));
+        const payload = JSON.stringify(findingsToSarif(findings), null, 2);
+        if (outputPath) {
+            await fs.writeFile(path.resolve(outputPath), payload, 'utf8');
+        }
+        else {
+            console.log(payload);
+        }
     }
     else {
         const scope = targetPaths.length === 1 ? targetPaths[0] : `${targetPaths.length} file(s)`;

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "configsentry",
-  "version": "0.0.24",
+  "version": "0.0.26",
   "description": "Developer-first guardrails for docker-compose.yml (security + ops footguns).",
   "type": "module",
   "license": "MIT",
@@ -31,7 +31,9 @@
     "prepack": "npm run build",
     "start": "node dist/cli.js",
     "dev": "node --loader ts-node/esm src/cli.ts",
-    "lint:example": "node dist/cli.js ./example.docker-compose.yml"
+    "lint:example": "node dist/cli.js ./example.docker-compose.yml",
+    "demo": "node dist/cli.js --target ./docs/demo/docker-compose.demo.yml",
+    "demo:json": "node dist/cli.js --target ./docs/demo/docker-compose.demo.yml --format json --output /tmp/configsentry-demo.json"
   },
   "keywords": [
     "docker",