guardrail-cli 1.0.6 → 2.0.0

package/dist/commands/scan-secrets.js

@@ -0,0 +1,225 @@
+"use strict";
+/**
+ * scan:secrets command
+ * Enterprise-grade secret detection with SecretsGuardian
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanSecrets = scanSecrets;
+exports.outputSecretsResults = outputSecretsResults;
+exports.registerScanSecretsCommand = registerScanSecretsCommand;
+const path_1 = require("path");
+const security_1 = require("@guardrail/security");
+const exit_codes_1 = require("../runtime/exit-codes");
+const evidence_1 = require("./evidence");
+const sarif_1 = require("../formatters/sarif");
+const fs_1 = require("fs");
+// Color helpers
+const c = {
+    reset: '\x1b[0m',
+    bold: (s) => `\x1b[1m${s}\x1b[0m`,
+    dim: (s) => `\x1b[2m${s}\x1b[0m`,
+    high: (s) => `\x1b[31m${s}\x1b[0m`,
+    medium: (s) => `\x1b[33m${s}\x1b[0m`,
+    low: (s) => `\x1b[36m${s}\x1b[0m`,
+    success: (s) => `\x1b[32m${s}\x1b[0m`,
+    info: (s) => `\x1b[34m${s}\x1b[0m`,
+};
+async function scanSecrets(projectPath, options) {
+    const guardian = new security_1.SecretsGuardian();
+    // Scan git history if requested
+    if (options.history) {
+        try {
+            const historyReport = await (0, security_1.scanGitHistory)(projectPath, 'cli-scan', guardian, {
+                depth: options.historyDepth || 50,
+                excludeTests: options.excludeTests,
+                minConfidence: options.minConfidence,
+                useCustomPatterns: !options.noCustomPatterns,
+                useAllowlist: !options.noAllowlist,
+                useContextualRisk: !options.noContextualRisk,
+            });
+            const findings = historyReport.detections.map(d => ({
+                type: d.secretType,
+                file: `${d.filePath} (commit: ${d.commitHash.substring(0, 7)})`,
+                line: d.location.line,
+                risk: d.risk,
+                confidence: d.confidence,
+                entropy: d.entropy,
+                match: d.maskedValue,
+                isTest: d.isTest,
+                recommendation: d.recommendation,
+            }));
+            return {
+                projectPath,
+                scanType: 'secrets-history',
+                filesScanned: historyReport.commitsScanned,
+                patterns: Array.from(new Set(findings.map(f => f.type))),
+                findings,
+                summary: {
+                    total: findings.length,
+                    highEntropy: findings.filter(f => f.entropy >= 4.0).length,
+                    lowEntropy: findings.filter(f => f.entropy < 4.0).length,
+                    byRisk: historyReport.summary.byType,
+                },
+            };
+        }
+        catch (err) {
+            if (err.message.includes('Not a git repository')) {
+                console.error(`\n  ${c.high('✗')} Not a git repository. Use --history only in git repos.\n`);
+                process.exit(1);
+            }
+            throw err;
+        }
+    }
+    const report = await guardian.scanProject(projectPath, 'cli-scan', {
+        excludeTests: options.excludeTests,
+        minConfidence: options.minConfidence,
+        maxFileSizeBytes: 2 * 1024 * 1024,
+        concurrency: 8,
+        skipBinaryFiles: true,
+        useCustomPatterns: !options.noCustomPatterns,
+        useAllowlist: !options.noAllowlist,
+        useContextualRisk: !options.noContextualRisk,
+    });
+    const findings = report.detections.map(d => ({
+        type: d.secretType,
+        file: d.filePath,
+        line: d.location.line,
+        risk: d.risk,
+        confidence: d.confidence,
+        entropy: d.entropy,
+        match: d.maskedValue,
+        isTest: d.isTest,
+        recommendation: d.recommendation,
+    }));
+    const patternTypes = new Set(findings.map(f => f.type));
+    const highEntropy = findings.filter(f => f.entropy >= 4.0).length;
+    const lowEntropy = findings.filter(f => f.entropy < 4.0).length;
+    // Log performance stats if verbose
+    if (report.performance.customPatternsLoaded > 0) {
+        console.log(`  ${c.info('ℹ')} Loaded ${report.performance.customPatternsLoaded} custom patterns from .guardrail/secrets.yaml`);
+    }
+    if (report.performance.allowlistSuppressed > 0) {
+        console.log(`  ${c.info('ℹ')} Suppressed ${report.performance.allowlistSuppressed} allowlisted detections`);
+    }
+    if (report.performance.skippedLarge > 0 || report.performance.skippedBinary > 0) {
+        console.log(`  ${c.dim(`Skipped: ${report.performance.skippedLarge} large files, ${report.performance.skippedBinary} binary files`)}`);
+    }
+    return {
+        projectPath,
+        scanType: 'secrets',
+        filesScanned: report.scannedFiles,
+        patterns: patternTypes.size > 0 ? Array.from(patternTypes) : ['API Keys', 'AWS Credentials', 'Private Keys', 'JWT Tokens', 'Database URLs'],
+        findings,
+        summary: {
+            total: findings.length,
+            highEntropy,
+            lowEntropy,
+            byRisk: report.summary.byRisk,
+        },
+    };
+}
+function outputSecretsResults(results, options) {
+    if (options.format === 'json') {
+        console.log(JSON.stringify(results, null, 2));
+        return;
+    }
+    if (options.format === 'sarif') {
+        const sarif = (0, sarif_1.toSarif)(results);
+        console.log(JSON.stringify(sarif, null, 2));
+        return;
+    }
+    console.log(`  ${c.info('Patterns checked:')} ${results.patterns.join(', ')}\n`);
+    if (results.findings.length === 0) {
+        console.log(`  ${c.success('✓')} ${c.bold('No secrets detected!')}\n`);
+        return;
+    }
+    const highRisk = results.findings.filter(f => f.risk === 'high').length;
+    const mediumRisk = results.findings.filter(f => f.risk === 'medium').length;
+    const lowRisk = results.findings.filter(f => f.risk === 'low').length;
+    const testFiles = results.findings.filter(f => f.isTest).length;
+    console.log(`  ${c.high('⚠')} ${c.bold(`${results.findings.length} potential secrets found:`)}`);
+    console.log(`     ${c.high('HIGH:')} ${highRisk}  ${c.medium('MEDIUM:')} ${mediumRisk}  ${c.low('LOW:')} ${lowRisk}  ${c.dim(`(${testFiles} in test files)`)}\n`);
+    for (const finding of results.findings) {
+        const riskLabel = finding.risk === 'high' ? c.high('HIGH') :
+            finding.risk === 'medium' ? c.medium('MEDIUM') : c.low('LOW');
+        const testTag = finding.isTest ? c.dim(' [TEST]') : '';
+        console.log(`  ${riskLabel} ${finding.type}${testTag}`);
+        console.log(`  ${c.dim('├─')} ${c.info('File:')} ${finding.file}:${finding.line}`);
+        console.log(`  ${c.dim('├─')} ${c.info('Confidence:')} ${(finding.confidence * 100).toFixed(0)}%  ${c.dim('Entropy:')} ${finding.entropy.toFixed(1)}`);
+        console.log(`  ${c.dim('├─')} ${c.info('Match:')} ${finding.match}`);
+        console.log(`  ${c.dim('└─')} ${c.info('Fix:')} ${finding.recommendation?.remediation || 'Move to environment variables'}\n`);
+    }
+}
+function registerScanSecretsCommand(program, requireAuth, printLogo) {
+    program
+        .command('scan:secrets')
+        .description('Scan for hardcoded secrets and credentials')
+        .option('-p, --path <path>', 'Project path to scan', '.')
+        .option('-f, --format <format>', 'Output format: table, json, sarif', 'table')
+        .option('-o, --output <file>', 'Output file path')
+        .option('--exclude-tests', 'Exclude test files from scan', false)
+        .option('--min-confidence <number>', 'Minimum confidence threshold (0-1)')
+        .option('--fail-on-detection', 'Exit with error if secrets found', false)
+        .option('--evidence', 'Generate signed evidence pack', false)
+        .option('--history', 'Scan git commit history for secrets', false)
+        .option('--history-depth <number>', 'Number of commits to scan (default: 50)', '50')
+        .option('--no-custom-patterns', 'Disable custom patterns from .guardrail/secrets.yaml')
+        .option('--no-allowlist', 'Disable allowlist from .guardrail/secrets.allowlist')
+        .option('--no-contextual-risk', 'Disable contextual risk adjustment')
+        .action(async (opts) => {
+        requireAuth();
+        printLogo();
+        console.log(`\n${c.bold('🔐 SECRET DETECTION SCAN')}\n`);
+        const projectPath = (0, path_1.resolve)(opts.path);
+        const options = {
+            path: projectPath,
+            format: opts.format,
+            output: opts.output,
+            excludeTests: opts.excludeTests,
+            minConfidence: opts.minConfidence ? parseFloat(opts.minConfidence) : undefined,
+            failOnDetection: opts.failOnDetection,
+            evidence: opts.evidence,
+            history: opts.history,
+            historyDepth: opts.historyDepth ? parseInt(opts.historyDepth) : 50,
+            noCustomPatterns: opts.noCustomPatterns,
+            noAllowlist: opts.noAllowlist,
+            noContextualRisk: opts.noContextualRisk,
+        };
+        const startTime = Date.now();
+        let results;
+        try {
+            results = await scanSecrets(projectPath, options);
+        }
+        catch (err) {
+            if (err instanceof security_1.ConfigValidationError) {
+                console.error(`\n  ${c.high('✗')} Custom patterns validation failed:\n`);
+                console.error(`  ${err.message}\n`);
+                if (err.details) {
+                    for (const detail of err.details) {
+                        console.error(`    • ${detail}`);
+                    }
+                }
+                console.error(`\n  Fix .guardrail/secrets.yaml and try again.\n`);
+                process.exit(1);
+            }
+            throw err;
+        }
+        const duration = Date.now() - startTime;
+        console.log(`\n${c.success('✓')} Secret scan complete (${(duration / 1000).toFixed(1)}s)`);
+        outputSecretsResults(results, options);
+        // Save to output file if specified
+        if (options.output) {
+            const outputData = options.format === 'sarif' ? (0, sarif_1.toSarif)(results) : results;
+            (0, fs_1.writeFileSync)(options.output, JSON.stringify(outputData, null, 2));
+            console.log(`\n  ${c.success('✓')} Results saved to ${options.output}`);
+        }
+        if (options.evidence) {
+            await (0, evidence_1.generateEvidence)('secrets', results, projectPath);
+        }
+        if (options.failOnDetection && results.findings.length > 0) {
+            const exitCode = (0, exit_codes_1.getExitCodeForFindings)({ high: results.summary.byRisk?.high || 0, medium: results.summary.byRisk?.medium || 0 }, { failOnHigh: true });
+            (0, exit_codes_1.exitWith)(exitCode, `${results.findings.length} secrets detected`);
+        }
+    });
+}
+//# sourceMappingURL=scan-secrets.js.map

package/dist/commands/scan-secrets.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-secrets.js","sourceRoot":"","sources":["../../src/commands/scan-secrets.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AA+DH,kCAyGC;AAED,oDAsCC;AAED,gEAgFC;AA/RD,+BAA+B;AAC/B,kDAAwG;AACxG,sDAAmF;AACnF,yCAA8C;AAC9C,+CAA8C;AAC9C,2BAAmC;AAEnC,gBAAgB;AAChB,MAAM,CAAC,GAAG;IACR,KAAK,EAAE,SAAS;IAChB,IAAI,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,UAAU,CAAC,SAAS;IACzC,GAAG,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,UAAU,CAAC,SAAS;IACxC,IAAI,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS;IAC1C,MAAM,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS;IAC5C,GAAG,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS;IACzC,OAAO,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS;IAC7C,IAAI,EAAE,CAAC,CAAS,EAAE,EAAE,CAAC,WAAW,CAAC,SAAS;CAC3C,CAAC;AA2CK,KAAK,UAAU,WAAW,CAAC,WAAmB,EAAE,OAA2B;IAChF,MAAM,QAAQ,GAAG,IAAI,0BAAe,EAAE,CAAC;IAEvC,gCAAgC;IAChC,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;QACpB,IAAI,CAAC;YACH,MAAM,aAAa,GAAG,MAAM,IAAA,yBAAc,EACxC,WAAW,EACX,UAAU,EACV,QAAQ,EACR;gBACE,KAAK,EAAE,OAAO,CAAC,YAAY,IAAI,EAAE;gBACjC,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,aAAa,EAAE,OAAO,CAAC,aAAa;gBACpC,iBAAiB,EAAE,CAAC,OAAO,CAAC,gBAAgB;gBAC5C,YAAY,EAAE,CAAC,OAAO,CAAC,WAAW;gBAClC,iBAAiB,EAAE,CAAC,OAAO,CAAC,gBAAgB;aAC7C,CACF,CAAC;YAEF,MAAM,QAAQ,GAAoB,aAAa,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACnE,IAAI,EAAE,CAAC,CAAC,UAAU;gBAClB,IAAI,EAAE,GAAG,CAAC,CAAC,QAAQ,aAAa,CAAC,CAAC,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG;gBAC/D,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI;gBACrB,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,UAAU,EAAE,CAAC,CAAC,UAAU;gBACxB,OAAO,EAAE,CAAC,CAAC,OAAO;gBAClB,KAAK,EAAE,CAAC,CAAC,WAAW;gBACpB,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,cAAc,EAAE,CAAC,CAAC,cAAc;aACjC,CAAC,CAAC,CAAC;YAEJ,OAAO;gBACL,WAAW;gBACX,QAAQ,EAAE,iBAAiB;gBAC3B,YAAY,EAAE,aAAa,CAAC,cAAc;gBAC1C,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;gBACxD,QAAQ;gBACR,OAAO,EAAE;oBACP,KAAK,EAAE,QAAQ,CAAC,MAAM;oBACtB,WAAW,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,GAAG,CAAC,CAAC,MAAM;oBAC1D,UAAU,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,GAAG,GAAG,CAAC,CAAC,MAAM;oBACxD,MAAM,EAAE,aAAa,CAAC,OAAO,CAAC,MAAa;iBAC5C;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAK,GAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBAC5D,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,2DAA2D,CAAC,CAAC;gBAC7F,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,WAAW,CAAC,WAAW,EAAE,UAAU,EAAE;QACjE,YAAY,EAAE,OAAO,CAAC,YAAY;QAClC,aAAa,EAAE,OAAO,CAAC,aAAa;QACpC,gBAAgB,EAAE,CAAC,GAAG,IAAI,GAAG,IAAI;QACjC,WAAW,EAAE,CAAC;QACd,eAAe,EAAE,IAAI;QACrB,iBAAiB,EAAE,CAAC,OAAO,CAAC,gBAAgB;QAC5C,YAAY,EAAE,CAAC,OAAO,CAAC,WAAW;QAClC,iBAAiB,EAAE,CAAC,OAAO,CAAC,gBAAgB;KAC7C,CAAC,CAAC;IAEH,MAAM,QAAQ,GAAoB,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QAC5D,IAAI,EAAE,CAAC,CAAC,UAAU;QAClB,IAAI,EAAE,CAAC,CAAC,QAAQ;QAChB,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,IAAI;QACrB,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,UAAU,EAAE,CAAC,CAAC,UAAU;QACxB,OAAO,EAAE,CAAC,CAAC,OAAO;QAClB,KAAK,EAAE,CAAC,CAAC,WAAW;QACpB,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,cAAc,EAAE,CAAC,CAAC,cAAc;KACjC,CAAC,CAAC,CAAC;IAEJ,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IACxD,MAAM,WAAW,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,IAAI,GAAG,CAAC,CAAC,MAAM,CAAC;IAClE,MAAM,UAAU,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,OAAO,GAAG,GAAG,CAAC,CAAC,MAAM,CAAC;IAEhE,mCAAmC;IACnC,IAAI,MAAM,CAAC,WAAW,CAAC,oBAAoB,GAAG,CAAC,EAAE,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,WAAW,MAAM,CAAC,WAAW,CAAC,oBAAoB,+CAA+C,CAAC,CAAC;IACjI,CAAC;IACD,IAAI,MAAM,CAAC,WAAW,CAAC,mBAAmB,GAAG,CAAC,EAAE,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,WAAW,CAAC,mBAAmB,yBAAyB,CAAC,CAAC;IAC9G,CAAC;IACD,IAAI,MAAM,CAAC,WAAW,CAAC,YAAY,GAAG,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC,aAAa,GAAG,CAAC,EAAE,CAAC;QAChF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,YAAY,MAAM,CAAC,WAAW,CAAC,YAAY,iBAAiB,MAAM,CAAC,WAAW,CAAC,aAAa,eAAe,CAAC,EAAE,CAAC,CAAC;IACzI,CAAC;IAED,OAAO;QACL,WAAW;QACX,QAAQ,EAAE,SAAS;QACnB,YAAY,EAAE,MAAM,CAAC,YAAY;QACjC,QAAQ,EAAE,YAAY,CAAC,IAAI,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,EAAE,iBAAiB,EAAE,cAAc,EAAE,YAAY,EAAE,eAAe,CAAC;QAC3I,QAAQ;QACR,OAAO,EAAE;YACP,KAAK,EAAE,QAAQ,CAAC,MAAM;YACtB,WAAW;YACX,UAAU;YACV,MAAM,EAAE,MAAM,CAAC,OAAO,CAAC,MAAM;SAC9B;KACF,CAAC;AACJ,CAAC;AAED,SAAgB,oBAAoB,CAAC,OAA0B,EAAE,OAA2B;IAC1F,IAAI,OAAO,CAAC,MAAM,KAAK,MAAM,EAAE,CAAC;QAC9B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC9C,OAAO;IACT,CAAC;IAED,IAAI,OAAO,CAAC,MAAM,KAAK,OAAO,EAAE,CAAC;QAC/B,MAAM,KAAK,GAAG,IAAA,eAAO,EAAC,OAAO,CAAC,CAAC;QAC/B,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;QAC5C,OAAO;IACT,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,mBAAmB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAEjF,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAClC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,IAAI,CAAC,CAAC;QACvE,OAAO;IACT,CAAC;IAED,MAAM,QAAQ,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACxE,MAAM,UAAU,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IAC5E,MAAM,OAAO,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,KAAK,CAAC,CAAC,MAAM,CAAC;IACtE,MAAM,SAAS,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,MAAM,CAAC;IAEhE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,2BAA2B,CAAC,EAAE,CAAC,CAAC;IACjG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,QAAQ,KAAK,CAAC,CAAC,MAAM,CAAC,SAAS,CAAC,IAAI,UAAU,KAAK,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,OAAO,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,SAAS,iBAAiB,CAAC,IAAI,CAAC,CAAC;IAElK,KAAK,MAAM,OAAO,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACvC,MAAM,SAAS,GAAG,OAAO,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;YAC1C,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;QAChF,MAAM,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAEvD,OAAO,CAAC,GAAG,CAAC,KAAK,SAAS,IAAI,OAAO,CAAC,IAAI,GAAG,OAAO,EAAE,CAAC,CAAC;QACxD,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,OAAO,CAAC,IAAI,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC,CAAC;QACnF,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,aAAa,CAAC,IAAI,CAAC,OAAO,CAAC,UAAU,GAAG,GAAG,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,OAAO,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACvJ,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;QACrE,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,OAAO,CAAC,cAAc,EAAE,WAAW,IAAI,+BAA+B,IAAI,CAAC,CAAC;IAChI,CAAC;AACH,CAAC;AAED,SAAgB,0BAA0B,CAAC,OAAgB,EAAE,WAAsB,EAAE,SAAqB;IACxG,OAAO;SACJ,OAAO,CAAC,cAAc,CAAC;SACvB,WAAW,CAAC,4CAA4C,CAAC;SACzD,MAAM,CAAC,mBAAmB,EAAE,sBAAsB,EAAE,GAAG,CAAC;SACxD,MAAM,CAAC,uBAAuB,EAAE,mCAAmC,EAAE,OAAO,CAAC;SAC7E,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;SACjD,MAAM,CAAC,iBAAiB,EAAE,8BAA8B,EAAE,KAAK,CAAC;SAChE,MAAM,CAAC,2BAA2B,EAAE,oCAAoC,CAAC;SACzE,MAAM,CAAC,qBAAqB,EAAE,kCAAkC,EAAE,KAAK,CAAC;SACxE,MAAM,CAAC,YAAY,EAAE,+BAA+B,EAAE,KAAK,CAAC;SAC5D,MAAM,CAAC,WAAW,EAAE,qCAAqC,EAAE,KAAK,CAAC;SACjE,MAAM,CAAC,0BAA0B,EAAE,yCAAyC,EAAE,IAAI,CAAC;SACnF,MAAM,CAAC,sBAAsB,EAAE,sDAAsD,CAAC;SACtF,MAAM,CAAC,gBAAgB,EAAE,qDAAqD,CAAC;SAC/E,MAAM,CAAC,sBAAsB,EAAE,oCAAoC,CAAC;SACpE,MAAM,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE;QACrB,WAAW,EAAE,CAAC;QACd,SAAS,EAAE,CAAC;QACZ,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,IAAI,CAAC,0BAA0B,CAAC,IAAI,CAAC,CAAC;QAEzD,MAAM,WAAW,GAAG,IAAA,cAAO,EAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACvC,MAAM,OAAO,GAAuB;YAClC,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,YAAY,EAAE,IAAI,CAAC,YAAY;YAC/B,aAAa,EAAE,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,CAAC,CAAC,SAAS;YAC9E,eAAe,EAAE,IAAI,CAAC,eAAe;YACrC,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,OAAO,EAAE,IAAI,CAAC,OAAO;YACrB,YAAY,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,CAAC,EAAE;YAClE,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;YACvC,WAAW,EAAE,IAAI,CAAC,WAAW;YAC7B,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;SACxC,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAC7B,IAAI,OAA0B,CAAC;QAC/B,IAAI,CAAC;YACH,OAAO,GAAG,MAAM,WAAW,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC;QACpD,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,gCAAqB,EAAE,CAAC;gBACzC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,uCAAuC,CAAC,CAAC;gBACzE,OAAO,CAAC,KAAK,CAAC,KAAK,GAAG,CAAC,OAAO,IAAI,CAAC,CAAC;gBACpC,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;oBAChB,KAAK,MAAM,MAAM,IAAI,GAAG,CAAC,OAAO,EAAE,CAAC;wBACjC,OAAO,CAAC,KAAK,CAAC,SAAS,MAAM,EAAE,CAAC,CAAC;oBACnC,CAAC;gBACH,CAAC;gBACD,OAAO,CAAC,KAAK,CAAC,kDAAkD,CAAC,CAAC;gBAClE,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;YAClB,CAAC;YACD,MAAM,GAAG,CAAC;QACZ,CAAC;QACD,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,0BAA0B,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;QAE3F,oBAAoB,CAAC,OAAO,EAAE,OAAO,CAAC,CAAC;QAEvC,mCAAmC;QACnC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,UAAU,GAAG,OAAO,CAAC,MAAM,KAAK,OAAO,CAAC,CAAC,CAAC,IAAA,eAAO,EAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;YAC3E,IAAA,kBAAa,EAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,SAAS,CAAC,UAAU,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,qBAAqB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1E,CAAC;QAED,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;YACrB,MAAM,IAAA,2BAAgB,EAAC,SAAS,EAAE,OAAO,EAAE,WAAW,CAAC,CAAC;QAC1D,CAAC;QAED,IAAI,OAAO,CAAC,eAAe,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC3D,MAAM,QAAQ,GAAG,IAAA,mCAAsB,EACrC,EAAE,IAAI,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,IAAI,CAAC,EAAE,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,IAAI,CAAC,EAAE,EACxF,EAAE,UAAU,EAAE,IAAI,EAAE,CACrB,CAAC;YACF,IAAA,qBAAQ,EAAC,QAAQ,EAAE,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,mBAAmB,CAAC,CAAC;QACpE,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}

package/dist/commands/scan-vulnerabilities-enhanced.d.ts

@@ -0,0 +1,41 @@
+/**
+ * scan:vulnerabilities command (Enhanced)
+ * Enterprise-grade vulnerability detection using real-time OSV integration
+ *
+ * Features:
+ * - Real-time OSV API queries with 24h caching
+ * - Multi-ecosystem support (npm, PyPI, RubyGems, Go)
+ * - CVSS scoring and vectors
+ * - Remediation path analysis
+ * - Direct vs transitive vulnerability grouping
+ * - SARIF output support
+ */
+import { Command } from 'commander';
+import { Ecosystem, VulnerabilityCheckResult } from '@guardrail/security/supply-chain/vulnerability-db';
+export interface EnhancedVulnResult {
+    projectPath: string;
+    scanType: string;
+    ecosystem: Ecosystem;
+    packagesScanned: number;
+    findings: VulnerabilityCheckResult[];
+    summary: {
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+    };
+    directVulnerabilities: number;
+    transitiveVulnerabilities: number;
+    cacheHitRate: number;
+    scanDuration: number;
+}
+/**
+ * Scan vulnerabilities with OSV integration
+ */
+export declare function scanVulnerabilitiesEnhanced(projectPath: string, options: any): Promise<EnhancedVulnResult>;
+/**
+ * Output enhanced vulnerability results
+ */
+export declare function outputEnhancedVulnResults(results: EnhancedVulnResult, options: any): void;
+export declare function registerScanVulnerabilitiesEnhancedCommand(program: Command, requireAuth: () => any, printLogo: () => void): void;
+//# sourceMappingURL=scan-vulnerabilities-enhanced.d.ts.map

package/dist/commands/scan-vulnerabilities-enhanced.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scan-vulnerabilities-enhanced.d.ts","sourceRoot":"","sources":["../../src/commands/scan-vulnerabilities-enhanced.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAIpC,OAAO,EAAyB,SAAS,EAAE,wBAAwB,EAAE,MAAM,mDAAmD,CAAC;AAe/H,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,SAAS,CAAC;IACrB,eAAe,EAAE,MAAM,CAAC;IACxB,QAAQ,EAAE,wBAAwB,EAAE,CAAC;IACrC,OAAO,EAAE;QACP,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;KACb,CAAC;IACF,qBAAqB,EAAE,MAAM,CAAC;IAC9B,yBAAyB,EAAE,MAAM,CAAC;IAClC,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;CACtB;AAoMD;;GAEG;AACH,wBAAsB,2BAA2B,CAC/C,WAAW,EAAE,MAAM,EACnB,OAAO,EAAE,GAAG,GACX,OAAO,CAAC,kBAAkB,CAAC,CAiF7B;AAED;;GAEG;AACH,wBAAgB,yBAAyB,CAAC,OAAO,EAAE,kBAAkB,EAAE,OAAO,EAAE,GAAG,GAAG,IAAI,CA6CzF;AA6BD,wBAAgB,0CAA0C,CACxD,OAAO,EAAE,OAAO,EAChB,WAAW,EAAE,MAAM,GAAG,EACtB,SAAS,EAAE,MAAM,IAAI,GACpB,IAAI,CAmCN"}

package/dist/commands/scan-vulnerabilities-enhanced.js

@@ -0,0 +1,368 @@
+"use strict";
+/**
+ * scan:vulnerabilities command (Enhanced)
+ * Enterprise-grade vulnerability detection using real-time OSV integration
+ *
+ * Features:
+ * - Real-time OSV API queries with 24h caching
+ * - Multi-ecosystem support (npm, PyPI, RubyGems, Go)
+ * - CVSS scoring and vectors
+ * - Remediation path analysis
+ * - Direct vs transitive vulnerability grouping
+ * - SARIF output support
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanVulnerabilitiesEnhanced = scanVulnerabilitiesEnhanced;
+exports.outputEnhancedVulnResults = outputEnhancedVulnResults;
+exports.registerScanVulnerabilitiesEnhancedCommand = registerScanVulnerabilitiesEnhancedCommand;
+const path_1 = require("path");
+const fs_1 = require("fs");
+const exit_codes_1 = require("../runtime/exit-codes");
+const vulnerability_db_1 = require("@guardrail/security/supply-chain/vulnerability-db");
+const evidence_1 = require("./evidence");
+const sarif_enhanced_1 = require("../formatters/sarif-enhanced");
+const c = {
+    bold: (s) => `\x1b[1m${s}\x1b[0m`,
+    dim: (s) => `\x1b[2m${s}\x1b[0m`,
+    critical: (s) => `\x1b[35m${s}\x1b[0m`,
+    high: (s) => `\x1b[31m${s}\x1b[0m`,
+    medium: (s) => `\x1b[33m${s}\x1b[0m`,
+    low: (s) => `\x1b[36m${s}\x1b[0m`,
+    success: (s) => `\x1b[32m${s}\x1b[0m`,
+    info: (s) => `\x1b[34m${s}\x1b[0m`,
+};
+/**
+ * Detect ecosystem from project files
+ */
+function detectEcosystems(projectPath) {
+    const ecosystems = [];
+    if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, 'package.json')) ||
+        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'package-lock.json')) ||
+        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'pnpm-lock.yaml')) ||
+        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'yarn.lock'))) {
+        ecosystems.push('npm');
+    }
+    if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, 'requirements.txt')) ||
+        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'Pipfile')) ||
+        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'poetry.lock')) ||
+        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'pyproject.toml'))) {
+        ecosystems.push('PyPI');
+    }
+    if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, 'Gemfile')) ||
+        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'Gemfile.lock'))) {
+        ecosystems.push('RubyGems');
+    }
+    if ((0, fs_1.existsSync)((0, path_1.join)(projectPath, 'go.mod')) ||
+        (0, fs_1.existsSync)((0, path_1.join)(projectPath, 'go.sum'))) {
+        ecosystems.push('Go');
+    }
+    return ecosystems;
+}
+/**
+ * Parse npm dependencies
+ */
+function parseNpmDependencies(projectPath) {
+    const packages = [];
+    const packageJsonPath = (0, path_1.join)(projectPath, 'package.json');
+    if (!(0, fs_1.existsSync)(packageJsonPath))
+        return packages;
+    try {
+        const packageJson = JSON.parse((0, fs_1.readFileSync)(packageJsonPath, 'utf-8'));
+        const deps = packageJson.dependencies || {};
+        const devDeps = packageJson.devDependencies || {};
+        for (const [name, version] of Object.entries(deps)) {
+            const cleanVersion = String(version).replace(/^[\^~>=<]+/, '');
+            packages.push({ name, version: cleanVersion, ecosystem: 'npm', isDirect: true });
+        }
+        for (const [name, version] of Object.entries(devDeps)) {
+            const cleanVersion = String(version).replace(/^[\^~>=<]+/, '');
+            packages.push({ name, version: cleanVersion, ecosystem: 'npm', isDirect: true });
+        }
+        // Parse lockfile for transitive dependencies
+        const lockPath = (0, path_1.join)(projectPath, 'package-lock.json');
+        if ((0, fs_1.existsSync)(lockPath)) {
+            try {
+                const lockData = JSON.parse((0, fs_1.readFileSync)(lockPath, 'utf-8'));
+                const lockPackages = lockData.packages || {};
+                for (const [pkgPath, pkgInfo] of Object.entries(lockPackages)) {
+                    if (typeof pkgInfo === 'object' && pkgInfo !== null) {
+                        const info = pkgInfo;
+                        const name = info.name || pkgPath.replace(/^node_modules\//, '');
+                        const version = info.version;
+                        if (name && version && !packages.find(p => p.name === name)) {
+                            packages.push({ name, version, ecosystem: 'npm', isDirect: false });
+                        }
+                    }
+                }
+            }
+            catch {
+                // Lockfile parsing failed
+            }
+        }
+    }
+    catch {
+        // Package.json parsing failed
+    }
+    return packages;
+}
+/**
+ * Parse Python dependencies
+ */
+function parsePythonDependencies(projectPath) {
+    const packages = [];
+    const requirementsPath = (0, path_1.join)(projectPath, 'requirements.txt');
+    if ((0, fs_1.existsSync)(requirementsPath)) {
+        try {
+            const content = (0, fs_1.readFileSync)(requirementsPath, 'utf-8');
+            const lines = content.split('\n');
+            for (const line of lines) {
+                const trimmed = line.trim();
+                if (!trimmed || trimmed.startsWith('#'))
+                    continue;
+                const match = trimmed.match(/^([a-zA-Z0-9_-]+)(?:==|>=|<=|~=|>|<)?([\d.]+)?/);
+                if (match) {
+                    const name = match[1];
+                    const version = match[2] || 'latest';
+                    packages.push({ name, version, ecosystem: 'PyPI', isDirect: true });
+                }
+            }
+        }
+        catch {
+            // Requirements.txt parsing failed
+        }
+    }
+    return packages;
+}
+/**
+ * Parse Ruby dependencies
+ */
+function parseRubyDependencies(projectPath) {
+    const packages = [];
+    const gemfilePath = (0, path_1.join)(projectPath, 'Gemfile');
+    if ((0, fs_1.existsSync)(gemfilePath)) {
+        try {
+            const content = (0, fs_1.readFileSync)(gemfilePath, 'utf-8');
+            const lines = content.split('\n');
+            for (const line of lines) {
+                const trimmed = line.trim();
+                const match = trimmed.match(/gem\s+['"]([^'"]+)['"]\s*,?\s*['"]?([~>=<\d.]+)?['"]?/);
+                if (match) {
+                    const name = match[1];
+                    const version = match[2]?.replace(/[~>=<]/g, '') || 'latest';
+                    packages.push({ name, version, ecosystem: 'RubyGems', isDirect: true });
+                }
+            }
+        }
+        catch {
+            // Gemfile parsing failed
+        }
+    }
+    return packages;
+}
+/**
+ * Parse Go dependencies
+ */
+function parseGoDependencies(projectPath) {
+    const packages = [];
+    const goModPath = (0, path_1.join)(projectPath, 'go.mod');
+    if ((0, fs_1.existsSync)(goModPath)) {
+        try {
+            const content = (0, fs_1.readFileSync)(goModPath, 'utf-8');
+            const lines = content.split('\n');
+            let inRequire = false;
+            for (const line of lines) {
+                const trimmed = line.trim();
+                if (trimmed.startsWith('require (')) {
+                    inRequire = true;
+                    continue;
+                }
+                if (inRequire && trimmed === ')') {
+                    inRequire = false;
+                    continue;
+                }
+                const match = trimmed.match(/^(?:require\s+)?([^\s]+)\s+v?([\d.]+)/);
+                if (match) {
+                    const name = match[1];
+                    const version = match[2];
+                    packages.push({ name, version, ecosystem: 'Go', isDirect: true });
+                }
+            }
+        }
+        catch {
+            // go.mod parsing failed
+        }
+    }
+    return packages;
+}
+/**
+ * Scan vulnerabilities with OSV integration
+ */
+async function scanVulnerabilitiesEnhanced(projectPath, options) {
+    const startTime = Date.now();
+    const ecosystems = detectEcosystems(projectPath);
+    if (ecosystems.length === 0) {
+        return {
+            projectPath,
+            scanType: 'vulnerabilities',
+            ecosystem: 'npm',
+            packagesScanned: 0,
+            findings: [],
+            summary: { critical: 0, high: 0, medium: 0, low: 0 },
+            directVulnerabilities: 0,
+            transitiveVulnerabilities: 0,
+            cacheHitRate: 0,
+            scanDuration: Date.now() - startTime,
+        };
+    }
+    // Parse dependencies from all detected ecosystems
+    let allPackages = [];
+    for (const ecosystem of ecosystems) {
+        switch (ecosystem) {
+            case 'npm':
+                allPackages.push(...parseNpmDependencies(projectPath));
+                break;
+            case 'PyPI':
+                allPackages.push(...parsePythonDependencies(projectPath));
+                break;
+            case 'RubyGems':
+                allPackages.push(...parseRubyDependencies(projectPath));
+                break;
+            case 'Go':
+                allPackages.push(...parseGoDependencies(projectPath));
+                break;
+        }
+    }
+    // Query OSV for vulnerabilities
+    const db = new vulnerability_db_1.VulnerabilityDatabase();
+    const results = await db.checkPackages(allPackages);
+    // Calculate summary
+    const summary = {
+        critical: 0,
+        high: 0,
+        medium: 0,
+        low: 0,
+    };
+    let directVulnerabilities = 0;
+    let transitiveVulnerabilities = 0;
+    for (const result of results) {
+        if (result.isVulnerable) {
+            for (const vuln of result.vulnerabilities) {
+                summary[vuln.severity]++;
+            }
+            if (result.isDirect) {
+                directVulnerabilities += result.vulnerabilities.length;
+            }
+            else {
+                transitiveVulnerabilities += result.vulnerabilities.length;
+            }
+        }
+    }
+    const cacheStats = db.getCacheStats();
+    return {
+        projectPath,
+        scanType: 'vulnerabilities',
+        ecosystem: ecosystems[0],
+        packagesScanned: allPackages.length,
+        findings: results.filter(r => r.isVulnerable),
+        summary,
+        directVulnerabilities,
+        transitiveVulnerabilities,
+        cacheHitRate: cacheStats.hitRate,
+        scanDuration: Date.now() - startTime,
+    };
+}
+/**
+ * Output enhanced vulnerability results
+ */
+function outputEnhancedVulnResults(results, options) {
+    if (options.format === 'json') {
+        console.log(JSON.stringify(results, null, 2));
+        return;
+    }
+    if (options.format === 'sarif') {
+        const sarif = (0, sarif_enhanced_1.toSarifVulnerabilitiesEnhanced)(results);
+        console.log(JSON.stringify(sarif, null, 2));
+        return;
+    }
+    console.log(`\n  ${c.info('Ecosystem:')} ${results.ecosystem}`);
+    console.log(`  ${c.info('Packages scanned:')} ${results.packagesScanned}`);
+    console.log(`  ${c.info('Cache hit rate:')} ${(results.cacheHitRate * 100).toFixed(1)}%`);
+    console.log(`  ${c.info('Scan duration:')} ${(results.scanDuration / 1000).toFixed(2)}s\n`);
+    const { summary } = results;
+    const total = summary.critical + summary.high + summary.medium + summary.low;
+    if (total === 0) {
+        console.log(`  ${c.success('✓')} ${c.bold('No vulnerabilities found!')}\n`);
+        return;
+    }
+    console.log(`  ${c.critical('CRITICAL')}  ${summary.critical}`);
+    console.log(`  ${c.high('HIGH')}      ${summary.high}`);
+    console.log(`  ${c.medium('MEDIUM')}    ${summary.medium}`);
+    console.log(`  ${c.low('LOW')}       ${summary.low}\n`);
+    console.log(`  ${c.info('Direct:')} ${results.directVulnerabilities} | ${c.info('Transitive:')} ${results.transitiveVulnerabilities}\n`);
+    // Group by direct vs transitive
+    const directFindings = results.findings.filter(f => f.isDirect);
+    const transitiveFindings = results.findings.filter(f => !f.isDirect);
+    if (directFindings.length > 0) {
+        console.log(`${c.bold('  DIRECT DEPENDENCIES:')}\n`);
+        outputFindingsList(directFindings);
+    }
+    if (transitiveFindings.length > 0) {
+        console.log(`\n${c.bold('  TRANSITIVE DEPENDENCIES:')}\n`);
+        outputFindingsList(transitiveFindings);
+    }
+}
+function outputFindingsList(findings) {
+    for (const finding of findings) {
+        for (const vuln of finding.vulnerabilities) {
+            const severityLabel = vuln.severity === 'critical' ? c.critical('CRITICAL') :
+                vuln.severity === 'high' ? c.high('HIGH') :
+                    vuln.severity === 'medium' ? c.medium('MEDIUM') :
+                        c.low('LOW');
+            console.log(`  ${severityLabel} ${finding.package}@${finding.version}`);
+            console.log(`  ${c.dim('├─')} ${c.info('ID:')} ${vuln.id}`);
+            console.log(`  ${c.dim('├─')} ${c.info('Title:')} ${vuln.title}`);
+            if (vuln.cvssScore) {
+                console.log(`  ${c.dim('├─')} ${c.info('CVSS:')} ${vuln.cvssScore.toFixed(1)}${vuln.cvssVector ? ` (${vuln.cvssVector})` : ''}`);
+            }
+            if (finding.remediationPath) {
+                const remed = finding.remediationPath;
+                const breakingLabel = remed.breakingChange ? c.medium(' [BREAKING]') : c.success(' [NON-BREAKING]');
+                console.log(`  ${c.dim('└─')} ${c.info('Fix:')} ${remed.description}${breakingLabel}\n`);
+            }
+            else {
+                console.log(`  ${c.dim('└─')} ${c.info('Fix:')} ${finding.recommendedVersion || 'No fix available'}\n`);
+            }
+        }
+    }
+}
+function registerScanVulnerabilitiesEnhancedCommand(program, requireAuth, printLogo) {
+    program
+        .command('scan:vulnerabilities')
+        .description('Scan dependencies for known vulnerabilities (OSV integration)')
+        .option('-p, --path <path>', 'Project path to scan', '.')
+        .option('-f, --format <format>', 'Output format: table, json, sarif', 'table')
+        .option('-o, --output <file>', 'Output file path')
+        .option('--fail-on-critical', 'Exit with error if critical vulnerabilities found', false)
+        .option('--fail-on-high', 'Exit with error if high+ vulnerabilities found', false)
+        .option('--evidence', 'Generate signed evidence pack', false)
+        .option('--ecosystem <ecosystem>', 'Filter by ecosystem: npm, PyPI, RubyGems, Go')
+        .action(async (opts) => {
+        requireAuth();
+        printLogo();
+        console.log(`\n${c.bold('🛡️  VULNERABILITY SCAN (OSV Integration)')}\n`);
+        const projectPath = (0, path_1.resolve)(opts.path);
+        const results = await scanVulnerabilitiesEnhanced(projectPath, opts);
+        console.log(`${c.success('✓')} Vulnerability scan complete`);
+        outputEnhancedVulnResults(results, opts);
+        if (opts.evidence) {
+            await (0, evidence_1.generateEvidence)('vulnerabilities', results, projectPath);
+        }
+        if (opts.failOnCritical && results.summary.critical > 0) {
+            (0, exit_codes_1.exitWith)(exit_codes_1.ExitCode.POLICY_FAIL, `${results.summary.critical} critical vulnerabilities found`);
+        }
+        if (opts.failOnHigh && (results.summary.critical + results.summary.high) > 0) {
+            (0, exit_codes_1.exitWith)(exit_codes_1.ExitCode.POLICY_FAIL, `${results.summary.critical + results.summary.high} high+ vulnerabilities found`);
+        }
+    });
+}
+//# sourceMappingURL=scan-vulnerabilities-enhanced.js.map