coverme-scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (46) hide show
  1. package/README.md +227 -0
  2. package/commands/scan.md +317 -0
  3. package/dist/cli/index.d.ts +3 -0
  4. package/dist/cli/index.d.ts.map +1 -0
  5. package/dist/cli/index.js +39 -0
  6. package/dist/cli/index.js.map +1 -0
  7. package/dist/cli/init.d.ts +6 -0
  8. package/dist/cli/init.d.ts.map +1 -0
  9. package/dist/cli/init.js +636 -0
  10. package/dist/cli/init.js.map +1 -0
  11. package/dist/cli/scan.d.ts +11 -0
  12. package/dist/cli/scan.d.ts.map +1 -0
  13. package/dist/cli/scan.js +498 -0
  14. package/dist/cli/scan.js.map +1 -0
  15. package/dist/report/generator.d.ts +48 -0
  16. package/dist/report/generator.d.ts.map +1 -0
  17. package/dist/report/generator.js +368 -0
  18. package/dist/report/generator.js.map +1 -0
  19. package/dist/report/index.d.ts +35 -0
  20. package/dist/report/index.d.ts.map +1 -0
  21. package/dist/report/index.js +463 -0
  22. package/dist/report/index.js.map +1 -0
  23. package/dist/templates/report.html +796 -0
  24. package/dist/types.d.ts +94 -0
  25. package/dist/types.d.ts.map +1 -0
  26. package/dist/types.js +3 -0
  27. package/dist/types.js.map +1 -0
  28. package/package.json +48 -0
  29. package/src/cli/index.ts +43 -0
  30. package/src/cli/init.ts +611 -0
  31. package/src/cli/scan.ts +483 -0
  32. package/src/prompts/architecture-reviewer.md +171 -0
  33. package/src/prompts/consensus-builder.md +247 -0
  34. package/src/prompts/context-discovery.md +174 -0
  35. package/src/prompts/cross-validator.md +224 -0
  36. package/src/prompts/deep-dive-expert.md +224 -0
  37. package/src/prompts/dependency-auditor.md +190 -0
  38. package/src/prompts/performance-hunter.md +200 -0
  39. package/src/prompts/quality-analyzer.md +150 -0
  40. package/src/prompts/report-generator.md +285 -0
  41. package/src/prompts/security-scanner.md +180 -0
  42. package/src/report/generator.ts +382 -0
  43. package/src/report/index.ts +483 -0
  44. package/src/templates/report.html +796 -0
  45. package/src/types.ts +107 -0
  46. package/tsconfig.json +20 -0
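--- a/package/dist/cli/scan.js
+++ b/package/dist/cli/scan.js
@@ -0,0 +1,498 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+var desc = Object.getOwnPropertyDescriptor(m, k);
+if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+desc = { enumerable: true, get: function() { return m[k]; } };
+}
+Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+if (k2 === undefined) k2 = k;
+o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+var ownKeys = function(o) {
+ownKeys = Object.getOwnPropertyNames || function (o) {
+var ar = [];
+for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+return ar;
+};
+return ownKeys(o);
+};
+return function (mod) {
+if (mod && mod.__esModule) return mod;
+var result = {};
+if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+__setModuleDefault(result, mod);
+return result;
+};
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scan = scan;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+async function scan(scanPath, options) {
+const resolvedPath = path.resolve(scanPath);
+if (!fs.existsSync(resolvedPath)) {
+console.error(`Error: Path does not exist: ${resolvedPath}`);
+process.exit(1);
+}
+const categories = options.categories === 'all'
+? ['security', 'quality', 'architecture', 'dependencies', 'performance']
+: options.categories.split(',');
+const scanOptions = {
+path: resolvedPath,
+output: options.output,
+outputPath: options.outputPath,
+categories,
+minSeverity: options.severity,
+verbose: options.verbose,
+parallel: parseInt(options.parallel, 10),
+};
+console.log(`
+================================================================================
+COVERME SECURITY SCANNER
+10-Agent Deep Analysis System
+================================================================================
+
+Scan Target: ${resolvedPath}
+Categories: ${categories.join(', ')}
+Output: ${scanOptions.output}
+Agents: 10 scanners + 3 validators
+
+================================================================================
+
+This scan runs FROM WITHIN Claude Code.
+Run: /coverme
+
+================================================================================
+`);
+// Output the orchestration prompt for Claude Code
+console.log(generateOrchestrationPrompt(scanOptions));
+}
+function generateOrchestrationPrompt(options) {
+const projectPath = options.path;
+const dateStr = new Date().toISOString().split('T')[0];
+return `
+## CoverMe Multi-Agent Scan Orchestration
+
+Execute this 10-agent security scan with cross-validation.
+
+**CRITICAL OUTPUT FORMAT:**
+Every finding MUST include ALL these fields for the report to work:
+\`\`\`json
+{
+"id": "PREFIX-XXX",
+"title": "Short descriptive title",
+"severity": "critical|high|medium|low|info",
+"category": "Category name",
+"file": "exact/path/to/file.ts",
+"line": 123,
+"code": "the vulnerable/problematic code snippet",
+"description": "What is wrong - the specific problem found",
+"why": "Why this matters - security impact, what an attacker could do, business risk",
+"context": "Code context - what this code is trying to do, surrounding logic, dependencies",
+"checkBefore": "What to verify before fixing - tests to run, dependencies to check, potential breaking changes",
+"recommendation": "Exact steps to fix this issue with code example if applicable",
+"cwe": "CWE-XXX (if applicable)",
+"confidence": 85
+}
+\`\`\`
+
+**FIELD GUIDELINES:**
+- **why**: Explain the real-world impact. Example: "An attacker could steal session tokens and impersonate any user"
+- **context**: Reference specific code. Example: "This function handles user uploads and is called from the /api/upload endpoint"
+- **checkBefore**: CRITICAL - Always check for existing solutions first! Include:
+
+EXISTING SOLUTIONS TO CHECK:
+- Search for: sanitize, validate, escape functions in utils/
+- Check if library already imported (e.g., DOMPurify, validator.js)
+- Look at how other files handle this pattern
+
+BEFORE IMPLEMENTING:
+1. Run existing tests
+2. Check for duplicate fixes needed elsewhere
+3. Verify no breaking changes
+
+---
+
+### PHASE 1: PARALLEL DISCOVERY (Launch ALL 10 agents simultaneously)
+
+---
+
+**AGENT 1: Security Core Scanner** (ID prefix: SEC)
+\`\`\`
+Scan ${projectPath} for OWASP Top 10 and core security vulnerabilities.
+
+CHECK FOR:
+- SQL/NoSQL Injection (parameterized queries missing)
+- XSS (reflected, stored, DOM-based)
+- Command Injection (shell commands with user input)
+- Path Traversal (../ in file operations)
+- SSRF (user-controlled URLs in fetch/axios)
+- XXE (XML parsing without disabling entities)
+- Insecure Deserialization (JSON.parse on untrusted data)
+- Hardcoded Secrets (API keys, passwords, tokens in code)
+- Weak Cryptography (MD5, SHA1 for passwords, ECB mode)
+- Insecure Random (Math.random for security purposes)
+
+For EACH finding, output the FULL JSON format above.
+\`\`\`
+
+---
+
+**AGENT 2: Auth & Session Scanner** (ID prefix: AUTH)
+\`\`\`
+Scan ${projectPath} for authentication and session vulnerabilities.
+
+CHECK FOR:
+- SSO/OAuth Open Redirect (return_url, redirect_uri without validation)
+- PKCE missing in OAuth flows
+- JWT issues (alg:none, weak secrets, missing expiry)
+- Session fixation (session not regenerated after login)
+- Cookie security (missing HttpOnly, Secure, SameSite)
+- Password reset flaws (predictable tokens, no expiry)
+- MFA bypass paths
+- Remember-me token weaknesses
+- Account enumeration (different responses for valid/invalid users)
+- Brute force protection missing
+
+For EACH finding, output the FULL JSON format.
+\`\`\`
+
+---
+
+**AGENT 3: API Security Scanner** (ID prefix: API)
+\`\`\`
+Scan ${projectPath} for API security issues.
+
+CHECK FOR:
+- Missing authentication on endpoints
+- Broken authorization (IDOR, privilege escalation)
+- Input validation missing (Zod/Joi schemas)
+- Rate limiting issues (non-atomic INCR+EXPIRE in Redis)
+- CORS misconfiguration (Access-Control-Allow-Origin: *)
+- Mass assignment (spreading req.body into DB)
+- Webhook signature verification missing (HMAC)
+- GraphQL introspection enabled in production
+- API versioning issues
+- Excessive data exposure in responses
+
+For EACH finding, output the FULL JSON format.
+\`\`\`
+
+---
+
+**AGENT 4: Infrastructure Scanner** (ID prefix: INFRA)
+\`\`\`
+Scan ${projectPath} for infrastructure and DevOps issues.
+
+CHECK FOR:
+- Secrets in git-tracked files (Helm values, K8s manifests, .env committed)
+- Real IPs/hostnames committed to repo
+- Docker issues (running as root, secrets in layers)
+- K8s pod security context missing
+- CI/CD pipeline security (missing quality gates)
+- Missing security headers in server config
+- TLS/SSL configuration issues
+- Debug mode enabled in production configs
+- Exposed internal ports
+- Missing resource limits
+
+For EACH finding, output the FULL JSON format.
+\`\`\`
+
+---
+
+**AGENT 5: Data & Privacy Scanner** (ID prefix: DATA)
+\`\`\`
+Scan ${projectPath} for data protection and privacy issues.
+
+CHECK FOR:
+- PII logging (emails, IPs, names in logs)
+- GDPR deletion bugs (incomplete data removal)
+- Encryption at rest missing for sensitive fields
+- Data residency violations
+- Backup encryption missing
+- Sensitive data in URLs/query params
+- Missing data classification
+- Retention policy not enforced
+- Export functionality exposing too much data
+- Cross-tenant data leakage
+
+For EACH finding, output the FULL JSON format.
+\`\`\`
+
+---
+
+**AGENT 6: AI/LLM Security Scanner** (ID prefix: AI)
+\`\`\`
+Scan ${projectPath} for AI/LLM specific vulnerabilities.
+
+CHECK FOR:
+- Prompt injection (user input directly in prompts)
+- Content filter fail-open (errors bypass safety)
+- CDN imports without SRI (integrity hashes missing)
+- Model output not sanitized before use
+- Sensitive data sent to external AI APIs
+- AI decision logging insufficient for audit
+- Rate limiting on AI endpoints
+- Cost controls missing
+- Jailbreak prevention missing
+- PII in training data/prompts
+
+For EACH finding, output the FULL JSON format.
+\`\`\`
+
+---
+
+**AGENT 7: Performance & DoS Scanner** (ID prefix: PERF)
+\`\`\`
+Scan ${projectPath} for performance and denial-of-service issues.
+
+CHECK FOR:
+- N+1 query patterns
+- ReDoS (regex denial of service)
+- Memory leaks (event listeners not removed, growing caches)
+- Unbounded data structures
+- Missing pagination
+- SSE/WebSocket buffering entire streams
+- Heavy computation blocking event loop
+- Missing connection pooling
+- Resource exhaustion (no limits on uploads, requests)
+- Synchronous operations that should be async
+
+For EACH finding, output the FULL JSON format.
+\`\`\`
+
+---
+
+**AGENT 8: Business Logic Scanner** (ID prefix: BIZ)
+\`\`\`
+Scan ${projectPath} for business logic vulnerabilities.
+
+CHECK FOR:
+- Race conditions (TOCTOU, double-spend)
+- Workflow bypass (skipping required steps)
+- Price/quantity manipulation
+- Negative value attacks
+- State machine violations
+- Time-based attacks (timing side channels)
+- Non-constant-time comparisons for secrets
+- Duplicate request handling (missing idempotency)
+- Business rule bypass
+- Inconsistent validation between client/server
+
+For EACH finding, output the FULL JSON format.
+\`\`\`
+
+---
+
+**AGENT 9: Code Quality Scanner** (ID prefix: QUAL)
+\`\`\`
+Scan ${projectPath} for code quality issues that affect security/reliability.
+
+CHECK FOR:
+- Error handling swallowing exceptions silently
+- Missing error boundaries
+- Inconsistent error responses
+- Dead code with security implications
+- DRY violations in security code
+- Complex functions (high cyclomatic complexity)
+- Any/unknown types masking issues
+- Missing null checks
+- Callback hell making auditing hard
+- Anti-patterns (god objects, tight coupling)
+
+For EACH finding, output the FULL JSON format.
+\`\`\`
+
+---
+
+**AGENT 10: Testing & Reliability Scanner** (ID prefix: TEST)
+\`\`\`
+Scan ${projectPath} for testing and reliability gaps.
+
+CHECK FOR:
+- Missing tests for security-critical paths
+- No CI quality gates
+- Missing health checks
+- No graceful shutdown handling
+- Circuit breakers missing
+- Retry logic without exponential backoff
+- Missing observability (logging, metrics, tracing)
+- Feature flags without cleanup
+- Database migrations without rollback
+- No chaos/failure testing evidence
+
+For EACH finding, output the FULL JSON format.
+\`\`\`
+
+---
+
+### PHASE 2: DUPLICATE & EXISTING SOLUTIONS CHECK
+
+**AGENT 11: Duplicate & Existing Solutions Scanner** (ID prefix: DUP)
+\`\`\`
+CRITICAL: Before recommending ANY fix, check if a solution ALREADY EXISTS in the codebase.
+
+For EVERY finding from Phase 1, search the codebase for:
+
+1. **Existing utilities/helpers that solve this**:
+- Search for similar function names (sanitize, validate, escape, hash, encrypt)
+- Check utils/, helpers/, lib/, common/ folders
+- Look for imported libraries that handle this
+
+2. **Existing patterns in the codebase**:
+- How do OTHER files handle the same issue?
+- Is there a project-wide convention?
+- Are there shared middleware/decorators?
+
+3. **Configuration that already exists**:
+- Check if there's a config for this (CSP headers, CORS, rate limits)
+- Look in config/, .env files, infrastructure code
+
+4. **Duplicate findings**:
+- Is this the same issue reported multiple times?
+- Are multiple findings actually ONE root cause?
+
+For EACH finding, add to the checkBefore field:
+- "EXISTING: Found sanitizeHtml() in src/utils/security.ts - use this instead of creating new"
+- "PATTERN: Other files use zod.string().email() for validation - follow same pattern"
+- "DUPLICATE: This is same root cause as SEC-003, fix once in middleware"
+- "CONFIG: Rate limiting already configured in src/middleware/rateLimit.ts line 15"
+
+If NO existing solution found, state: "VERIFIED: No existing solution found, new implementation needed"
+
+Output for each finding:
+{
+"findingId": "SEC-001",
+"existingSolution": "Found: src/utils/sanitize.ts exports sanitizeUserInput()",
+"duplicateOf": null | "SEC-003",
+"suggestedApproach": "Import and use existing sanitizeUserInput() instead of creating new function",
+"checkBefore": "1. Verify sanitizeUserInput() handles this case 2. Check if it's already imported"
+}
+\`\`\`
+
+---
+
+### PHASE 3: CROSS-VALIDATION (After Phase 2 completes)
+
+Launch 3 validators IN PARALLEL:
+
+**Validator A: False Positive & Duplicate Hunter**
+\`\`\`
+Review ALL findings from Phase 1 + Phase 2 duplicate analysis.
+For each finding determine if it's FALSE POSITIVE or DUPLICATE:
+- Is the code actually reachable?
+- Are there mitigating controls elsewhere?
+- Is the context misunderstood?
+- Is it already handled by a framework?
+- Is this a DUPLICATE of another finding? (same root cause)
+- Does an EXISTING SOLUTION already exist in the codebase?
+
+If existing solution found, mark as "use_existing" not "fix_new".
+
+Output:
+{
+"confirmed": ["SEC-001", "AUTH-002", ...],
+"useExisting": [
+{"id": "SEC-005", "existingSolution": "src/utils/sanitize.ts", "reason": "sanitizeHtml() already exists"}
+],
+"duplicates": [
+{"id": "SEC-007", "duplicateOf": "SEC-003", "reason": "Same XSS issue, fix once in shared component"}
+],
+"falsePositives": [
+{"id": "API-003", "reason": "Input is validated by Zod schema at line 45"}
+]
+}
+\`\`\`
+
+**Validator B: Evidence Challenger**
+\`\`\`
+For every HIGH and CRITICAL finding:
+- Read the actual code files
+- Trace complete data flow
+- Verify exploit scenario is realistic
+- Check if exploitable in production context
+
+Output same format as Validator A.
+\`\`\`
+
+**Validator C: Missing Issues Hunter**
+\`\`\`
+Look for issues Phase 1 agents MISSED:
+- Edge cases
+- Combination attacks
+- Business logic flaws specific to this codebase
+- Configuration issues
+- Integration points
+
+Output:
+{
+"missedIssues": [{full finding object}]
+}
+\`\`\`
+
+---
+
+### PHASE 3: POSITIVE OBSERVATIONS
+
+Scan for good practices to include in the report:
+- Security controls that work well
+- Good patterns (input validation, parameterized queries)
+- Proper error handling
+- Good test coverage areas
+- Well-implemented auth flows
+
+Output as list of strings.
+
+---
+
+### PHASE 4: BUILD CONSENSUS & GENERATE OUTPUT
+
+1. Calculate confidence: (confirmations / total_validators) * 100
+2. Remove findings with confidence < 50%
+3. Add missed issues from Validator C
+4. Sort: severity DESC, confidence DESC
+
+**SAVE OUTPUT AS JSON:**
+\`\`\`json
+{
+"projectName": "project-name",
+"scanDate": "${new Date().toISOString()}",
+"summary": {
+"total": X,
+"critical": X,
+"high": X,
+"medium": X,
+"low": X,
+"info": X
+},
+"findings": [
+{all findings with full fields}
+],
+"positiveObservations": [
+"Good pattern 1",
+"Good pattern 2"
+],
+"falsePositives": [
+{"id": "...", "reason": "..."}
+],
+"agentsUsed": ["Security Core", "Auth & Session", ...],
+"scanDuration": X
+}
+\`\`\`
+
+Save as: coverme-scan.json
+
+Then generate HTML report:
+\`coverme report coverme-scan.json -f html -o coverme-report.html\`
+`;
+}
+//# sourceMappingURL=scan.js.map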
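Review bot: `generateOrchestrationPrompt` reads only `options.path`, so the `categories`, `minSeverity`, `verbose` and `parallel` values that `scan` assembles into `scanOptions` and echoes in the banner have no effect on the emitted prompt — a caller passing a single category still receives all ten Phase 1 agents plus the DUP agent, and `parallel: parseInt(options.parallel, 10)` is stored without a `Number.isNaN` check, so a non-numeric flag silently becomes `NaN`. `projectPath` is interpolated verbatim into the fenced `Scan ${projectPath} ...` blocks; a path containing backticks or newlines changes the structure of the generated prompt, so validate it (or reject such paths) before interpolation, and `dateStr` is assigned but never used, the JSON template calling `new Date().toISOString()` a second time instead. The banner text "10 scanners + 3 validators" and the heading "PHASE 3" appearing twice (cross-validation and positive observations) are minor inconsistencies in the emitted text. Exporting `scan` while calling `process.exit(1)` on a missing path makes it unusable as a library function; `throw new Error(\`Path does not exist: ${resolvedPath}\`)` and let the CLI entry point decide the exit code. This file is compiled output of package/src/cli/scan.ts, which is not in view; the fix belongs there.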
@@ -0,0 +1 @@
1
+ {"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/cli/scan.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA,oBA+CC;AA5DD,uCAAyB;AACzB,2CAA6B;AAYtB,KAAK,UAAU,IAAI,CACxB,QAAgB,EAChB,OAA2B;IAE3B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE5C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,+BAA+B,YAAY,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,UAAU,GACd,OAAO,CAAC,UAAU,KAAK,KAAK;QAC1B,CAAC,CAAC,CAAC,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,CAAC;QACxE,CAAC,CAAE,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;IAEpD,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,OAAO,CAAC,MAAwC;QACxD,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,UAAU;QACV,WAAW,EAAE,OAAO,CAAC,QAAoB;QACzC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;KACzC,CAAC;IAEF,OAAO,CAAC,GAAG,CAAC;;;;;;gBAME,YAAY;gBACZ,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;gBACrB,WAAW,CAAC,MAAM;;;;;;;;;CASjC,CAAC,CAAC;IAED,kDAAkD;IAClD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,WAAW,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,2BAA2B,CAAC,OAAoB;IACvD,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IACjC,MAAM,OAAO,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEvD,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAiDF,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAqJD,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4BxC,CAAC;AACF,CAAC"}
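--- a/package/dist/report/generator.d.ts
+++ b/package/dist/report/generator.d.ts
@@ -0,0 +1,48 @@
+import type { ScanResult, ConsensusFinding } from '../types.js';
+interface ReportData {
+projectName: string;
+scanDate: string;
+scoreGrade: string;
+scoreValue: number;
+criticalCount: number;
+highCount: number;
+mediumCount: number;
+lowCount: number;
+infoCount: number;
+executiveSummary: string;
+criticalFindings: ConsensusFinding[];
+highFindings: ConsensusFinding[];
+mediumFindings: ConsensusFinding[];
+lowFindings: ConsensusFinding[];
+falsePositives: Array<{
+id: string;
+title: string;
+file?: string;
+rejectionReason: string;
+}>;
+falsePositiveCount: number;
+lowInfoCount: number;
+positiveObservations: string[];
+scanDuration: string;
+agentCount: number;
+}
+export declare function calculateScore(result: ScanResult): {
+grade: string;
+value: number;
+};
+export declare function generateExecutiveSummary(result: ScanResult): string;
+export declare function renderTemplate(templateHtml: string, data: ReportData): string;
+export declare function generatePdfReport(result: ScanResult, outputPath: string, falsePositives?: Array<{
+id: string;
+title: string;
+file?: string;
+rejectionReason: string;
+}>): Promise<void>;
+export declare function generateHtmlReport(result: ScanResult, outputPath: string, falsePositives?: Array<{
+id: string;
+title: string;
+file?: string;
+rejectionReason: string;
+}>): Promise<void>;
+export {};
+//# sourceMappingURL=generator.d.ts.map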
@@ -0,0 +1 @@
1
+ {"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/report/generator.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAY,MAAM,aAAa,CAAC;AAE1E,UAAU,UAAU;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,EAAE,CAAC;IACrC,YAAY,EAAE,gBAAgB,EAAE,CAAC;IACjC,cAAc,EAAE,gBAAgB,EAAE,CAAC;IACnC,WAAW,EAAE,gBAAgB,EAAE,CAAC;IAChC,cAAc,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC7F,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAwBnF;AAED,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAkBnE;AAqDD,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,MAAM,CA8I7E;AAED,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,cAAc,GAAE,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,CAAM,GAChG,OAAO,CAAC,IAAI,CAAC,CA4Df;AAED,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,cAAc,GAAE,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,CAAM,GAChG,OAAO,CAAC,IAAI,CAAC,CA0Cf"}