jaku.sh 1.0.0

package/src/reporting/report-generator.js

@@ -0,0 +1,408 @@
+import fs from 'fs';
+import path from 'path';
+import { sortFindings, filterBySeverity, severitySummary } from '../utils/finding.js';
+import { writeSARIF } from './sarif-generator.js';
+import { DiffReporter } from './diff-reporter.js';
+
+/**
+ * Report Generator — Generates structured output in JSON, Markdown, HTML, and SARIF formats.
+ */
+export class ReportGenerator {
+  constructor(config, logger) {
+    this.config = config;
+    this.logger = logger;
+  }
+
+  /**
+   * Generate all reports from findings and test results.
+   */
+  async generate({ findings, deduplicated, dedupStats, correlations, modules, testSummary, surfaceInventory, outputDir }) {
+    const reportDir = outputDir || path.join(process.cwd(), 'jaku-reports', this._timestamp());
+    if (!fs.existsSync(reportDir)) {
+      fs.mkdirSync(reportDir, { recursive: true });
+    }
+
+    const filteredFindings = filterBySeverity(
+      sortFindings(findings),
+      this.config.severity_threshold || 'low'
+    );
+
+    // Use deduplicated findings for human-readable reports
+    const reportFindings = deduplicated
+      ? filterBySeverity(sortFindings(deduplicated), this.config.severity_threshold || 'low')
+      : filteredFindings;
+
+    const summary = severitySummary(filteredFindings);
+    const dedupSummary = severitySummary(reportFindings);
+
+    const moduleList = modules || ['qa'];
+    const moduleLabel = moduleList.map(m => m.toUpperCase()).join(' + ');
+
+    const reportData = {
+      meta: {
+        agent: 'JAKU',
+        version: '1.0.0',
+        modules: moduleList,
+        moduleLabel,
+        target: this.config.target_url,
+        scannedAt: new Date().toISOString(),
+        duration: testSummary?.duration || null,
+      },
+      summary,
+      dedupSummary,
+      dedupStats: dedupStats || null,
+      correlations: correlations || [],
+      testSummary: testSummary || {},
+      surfaceInventory: {
+        totalPages: surfaceInventory?.totalPages || 0,
+        totalApis: surfaceInventory?.totalApis || 0,
+        totalForms: surfaceInventory?.totalForms || 0,
+      },
+      findings: reportFindings,
+      rawFindings: filteredFindings,
+    };
+
+    // Generate JSON
+    const jsonPath = path.join(reportDir, 'report.json');
+    fs.writeFileSync(jsonPath, JSON.stringify(reportData, null, 2), 'utf-8');
+
+    // Copy to latest-report.json at project root for easy access
+    const latestPath = path.join(process.cwd(), 'latest-report.json');
+    try {
+      fs.copyFileSync(jsonPath, latestPath);
+      this.logger?.info?.(`Latest report copied to ${latestPath}`);
+    } catch {
+      // Non-critical — skip if CWD is read-only (e.g. CI)
+    }
+
+    // Generate Markdown (uses deduped findings)
+    const mdPath = path.join(reportDir, 'report.md');
+    fs.writeFileSync(mdPath, this._generateMarkdown(reportData), 'utf-8');
+
+    // Generate HTML (uses deduped findings)
+    const htmlPath = path.join(reportDir, 'report.html');
+    fs.writeFileSync(htmlPath, this._generateHTML(reportData), 'utf-8');
+
+    // Generate SARIF (uses raw findings for CI/CD accuracy)
+    const sarifPath = writeSARIF(filteredFindings, reportDir, reportData.meta);
+    this.logger?.info?.(`SARIF report generated: ${sarifPath}`);
+
+    // Generate Diff Report (regression detection)
+    const diffReporter = new DiffReporter(this.logger);
+    const diff = diffReporter.generateDiff(filteredFindings, reportDir);
+
+    this.logger?.info?.(`Reports generated at ${reportDir}`);
+    return { reportDir, jsonPath, mdPath, htmlPath, sarifPath, summary, dedupSummary, diff };
+  }
+
+
+  _generateMarkdown(data) {
+    const { meta, dedupSummary: summary, correlations, testSummary, surfaceInventory, findings } = data;
+    let md = '';
+
+    md += `# 呪 JAKU Security & Quality Report\n\n`;
+    md += `**Target:** ${meta.target}  \n`;
+    md += `**Modules:** ${meta.moduleLabel}  \n`;
+    md += `**Scanned:** ${meta.scannedAt}  \n`;
+    md += `**Agent Version:** ${meta.version}  \n\n`;
+
+    md += `---\n\n`;
+    md += `## Executive Summary\n\n`;
+    md += `| Metric | Value |\n`;
+    md += `|--------|-------|\n`;
+    md += `| Total Findings | ${summary.total} |\n`;
+    md += `| Critical | 🔴 ${summary.critical} |\n`;
+    md += `| High | 🟠 ${summary.high} |\n`;
+    md += `| Medium | 🟡 ${summary.medium} |\n`;
+    md += `| Low | 🔵 ${summary.low} |\n`;
+    md += `| Info | ⚪ ${summary.info} |\n\n`;
+
+    if (testSummary.total) {
+      md += `### Test Execution\n\n`;
+      md += `| Metric | Value |\n`;
+      md += `|--------|-------|\n`;
+      md += `| Total Tests | ${testSummary.total} |\n`;
+      md += `| Passed | ✅ ${testSummary.passed} |\n`;
+      md += `| Failed | ❌ ${testSummary.failed} |\n`;
+      md += `| Errors | ⚠️ ${testSummary.errors} |\n\n`;
+    }
+
+    md += `### Coverage\n\n`;
+    md += `| Surface | Count |\n`;
+    md += `|---------|-------|\n`;
+    md += `| Pages Crawled | ${surfaceInventory.totalPages} |\n`;
+    md += `| API Endpoints | ${surfaceInventory.totalApis} |\n`;
+    md += `| Forms Tested | ${surfaceInventory.totalForms} |\n\n`;
+
+    // ── Correlations / Attack Chains ──
+    if (correlations && correlations.length > 0) {
+      md += `---\n\n`;
+      md += `## ⚡ Attack Chain Correlations (${correlations.length})\n\n`;
+      md += `> Correlations show how individual findings combine into exploitable attack chains.\n\n`;
+
+      for (const c of correlations) {
+        const sevIcon = { critical: '🔴', high: '🟠', medium: '🟡', low: '🔵', info: '⚪' }[c.severity] || '⚪';
+        md += `### ${sevIcon} ${c.title}\n\n`;
+        md += `**Type:** ${c.type === 'attack_chain' ? 'Attack Chain' : 'Defense Gap'}  \n`;
+        md += `**Severity:** ${c.severity.toUpperCase()}  \n`;
+        md += `**Exploitation:** ${c.exploitation}  \n\n`;
+        md += `${c.narrative}\n\n`;
+        if (c.findings && c.findings.length > 0) {
+          md += `**Linked Findings:** ${c.findings.join(', ')}\n\n`;
+        }
+        md += `---\n\n`;
+      }
+    }
+
+    md += `---\n\n`;
+    md += `## Findings\n\n`;
+
+    if (findings.length === 0) {
+      md += `✅ No findings at the configured severity threshold.\n\n`;
+    }
+
+    for (const sev of ['critical', 'high', 'medium', 'low', 'info']) {
+      const sevFindings = findings.filter(f => f.severity === sev);
+      if (sevFindings.length === 0) continue;
+
+      const icons = { critical: '🔴', high: '🟠', medium: '🟡', low: '🔵', info: '⚪' };
+      md += `### ${icons[sev]} ${sev.toUpperCase()} (${sevFindings.length})\n\n`;
+
+      for (const f of sevFindings) {
+        md += `#### ${f.id}: ${f.title}\n\n`;
+        md += `**Affected:** ${f.affected_surface}  \n`;
+        md += `**Status:** ${f.status}  \n\n`;
+        md += `${f.description}\n\n`;
+
+        if (f.reproduction.length > 0) {
+          md += `**Reproduction Steps:**\n`;
+          for (const step of f.reproduction) {
+            md += `${step}\n`;
+          }
+          md += `\n`;
+        }
+
+        if (f.remediation) {
+          md += `**Remediation:** ${f.remediation}\n\n`;
+        }
+
+        md += `---\n\n`;
+      }
+    }
+
+    md += `\n*Report generated by JAKU 呪 v${meta.version}*\n`;
+    return md;
+  }
+
+  _generateHTML(data) {
+    const { meta, dedupSummary: summary, correlations, testSummary, surfaceInventory, findings } = data;
+    const sevColors = {
+      critical: '#ff1744',
+      high: '#ff6d00',
+      medium: '#ffd600',
+      low: '#2979ff',
+      info: '#90a4ae',
+    };
+
+    // Build correlations HTML
+    const correlationsHTML = (correlations && correlations.length > 0) ? `
+  <h2>⚡ Attack Chain Correlations (${correlations.length})</h2>
+  <p style="color:var(--text-dim);font-size:0.85rem;margin-bottom:1rem">Correlations show how individual findings combine into exploitable attack chains.</p>
+  ${correlations.map(c => `
+  <div class="finding-card ${c.severity}" style="border-left-width:4px;border-left-style:solid">
+    <div class="finding-header">
+      <span class="finding-title">⚡ ${this._escapeHtml(c.title)}</span>
+      <span class="sev-badge ${c.severity}">${c.severity}</span>
+    </div>
+    <div style="font-size:0.8rem;color:var(--text-dim);margin:0.25rem 0">
+      <strong>Type:</strong> ${c.type === 'attack_chain' ? 'Attack Chain' : 'Defense Gap'}
+      &nbsp;·&nbsp;
+      <strong>Exploitation:</strong> ${this._escapeHtml(c.exploitation)}
+    </div>
+    <div class="finding-desc">${this._escapeHtml(c.narrative)}</div>
+    ${c.findings && c.findings.length > 0 ? `<div style="font-size:0.75rem;color:var(--accent);margin-top:0.5rem"><strong>Linked Findings:</strong> ${c.findings.join(', ')}</div>` : ''}
+  </div>`).join('')}` : '';
+
+    return `<!DOCTYPE html>
+<html lang="en" data-theme="dark">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>JAKU Report — ${meta.target}</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    :root {
+      --bg: #0a0a0f; --surface: #12121a; --surface-2: #1a1a25;
+      --text: #e0e0e8; --text-dim: #8888a0; --accent: #00ff88;
+      --critical: #ff1744; --high: #ff6d00; --medium: #ffd600;
+      --low: #2979ff; --info: #90a4ae; --border: #2a2a3a;
+    }
+    body {
+      font-family: 'SF Mono', 'Fira Code', 'Cascadia Code', monospace;
+      background: var(--bg); color: var(--text); line-height: 1.6;
+      padding: 2rem; max-width: 1200px; margin: 0 auto;
+    }
+    h1 { font-size: 1.8rem; color: var(--accent); margin-bottom: 0.5rem; }
+    h2 { font-size: 1.3rem; color: var(--text); margin: 2rem 0 1rem; border-bottom: 1px solid var(--border); padding-bottom: 0.5rem; }
+    h3 { font-size: 1.1rem; margin: 1.5rem 0 0.5rem; }
+    .meta { color: var(--text-dim); font-size: 0.85rem; margin-bottom: 2rem; }
+    .meta span { margin-right: 2rem; }
+    .summary-grid {
+      display: grid; grid-template-columns: repeat(auto-fit, minmax(120px, 1fr));
+      gap: 1rem; margin: 1rem 0 2rem;
+    }
+    .summary-card {
+      background: var(--surface); border: 1px solid var(--border);
+      border-radius: 8px; padding: 1rem; text-align: center;
+    }
+    .summary-card .count { font-size: 2rem; font-weight: bold; }
+    .summary-card .label { font-size: 0.75rem; color: var(--text-dim); text-transform: uppercase; }
+    .sev-critical .count { color: var(--critical); }
+    .sev-high .count { color: var(--high); }
+    .sev-medium .count { color: var(--medium); }
+    .sev-low .count { color: var(--low); }
+    .sev-info .count { color: var(--info); }
+    .chart-bar {
+      display: flex; height: 8px; border-radius: 4px; overflow: hidden;
+      margin: 1rem 0; background: var(--surface);
+    }
+    .chart-bar div { height: 100%; transition: width 0.3s; }
+    .finding-card {
+      background: var(--surface); border: 1px solid var(--border);
+      border-radius: 8px; padding: 1.25rem; margin: 1rem 0;
+      border-left: 4px solid var(--info);
+    }
+    .finding-card.critical { border-left-color: var(--critical); }
+    .finding-card.high { border-left-color: var(--high); }
+    .finding-card.medium { border-left-color: var(--medium); }
+    .finding-card.low { border-left-color: var(--low); }
+    .finding-header { display: flex; justify-content: space-between; align-items: center; margin-bottom: 0.75rem; }
+    .finding-id { font-size: 0.75rem; color: var(--text-dim); }
+    .finding-title { font-weight: bold; font-size: 0.95rem; }
+    .sev-badge {
+      display: inline-block; padding: 2px 8px; border-radius: 4px;
+      font-size: 0.7rem; font-weight: bold; text-transform: uppercase;
+    }
+    .sev-badge.critical { background: var(--critical); color: #fff; }
+    .sev-badge.high { background: var(--high); color: #000; }
+    .sev-badge.medium { background: var(--medium); color: #000; }
+    .sev-badge.low { background: var(--low); color: #fff; }
+    .sev-badge.info { background: var(--info); color: #000; }
+    .finding-desc { font-size: 0.85rem; color: var(--text-dim); margin: 0.5rem 0; white-space: pre-wrap; }
+    .finding-details { margin-top: 0.75rem; }
+    .finding-details summary { cursor: pointer; font-size: 0.8rem; color: var(--accent); }
+    .finding-details pre { background: var(--surface-2); padding: 0.75rem; border-radius: 4px; margin-top: 0.5rem; font-size: 0.8rem; overflow-x: auto; }
+    .filter-bar { display: flex; gap: 0.5rem; margin: 1rem 0; flex-wrap: wrap; }
+    .filter-btn {
+      background: var(--surface); border: 1px solid var(--border); color: var(--text);
+      padding: 4px 12px; border-radius: 4px; cursor: pointer; font-size: 0.8rem; font-family: inherit;
+    }
+    .filter-btn.active { border-color: var(--accent); color: var(--accent); }
+    .filter-btn:hover { border-color: var(--accent); }
+    footer { margin-top: 3rem; padding-top: 1rem; border-top: 1px solid var(--border); color: var(--text-dim); font-size: 0.75rem; text-align: center; }
+  </style>
+</head>
+<body>
+  <h1>呪 JAKU</h1>
+  <div class="meta">
+    <span>Target: ${meta.target}</span>
+    <span>Modules: ${meta.moduleLabel}</span>
+    <span>Scanned: ${new Date(meta.scannedAt).toLocaleString()}</span>
+  </div>
+
+  <h2>Severity Breakdown</h2>
+  <div class="summary-grid">
+    <div class="summary-card sev-critical"><div class="count">${summary.critical}</div><div class="label">Critical</div></div>
+    <div class="summary-card sev-high"><div class="count">${summary.high}</div><div class="label">High</div></div>
+    <div class="summary-card sev-medium"><div class="count">${summary.medium}</div><div class="label">Medium</div></div>
+    <div class="summary-card sev-low"><div class="count">${summary.low}</div><div class="label">Low</div></div>
+    <div class="summary-card sev-info"><div class="count">${summary.info}</div><div class="label">Info</div></div>
+  </div>
+
+  <div class="chart-bar">
+    ${summary.total > 0 ? `
+    <div style="width:${(summary.critical / summary.total) * 100}%;background:var(--critical)"></div>
+    <div style="width:${(summary.high / summary.total) * 100}%;background:var(--high)"></div>
+    <div style="width:${(summary.medium / summary.total) * 100}%;background:var(--medium)"></div>
+    <div style="width:${(summary.low / summary.total) * 100}%;background:var(--low)"></div>
+    <div style="width:${(summary.info / summary.total) * 100}%;background:var(--info)"></div>
+    ` : '<div style="width:100%;background:var(--accent)"></div>'}
+  </div>
+
+  <h2>Coverage</h2>
+  <div class="summary-grid">
+    <div class="summary-card"><div class="count" style="color:var(--accent)">${surfaceInventory.totalPages}</div><div class="label">Pages</div></div>
+    <div class="summary-card"><div class="count" style="color:var(--accent)">${surfaceInventory.totalApis}</div><div class="label">API Endpoints</div></div>
+    <div class="summary-card"><div class="count" style="color:var(--accent)">${surfaceInventory.totalForms}</div><div class="label">Forms</div></div>
+    ${testSummary?.total ? `
+    <div class="summary-card"><div class="count" style="color:var(--accent)">${testSummary.total}</div><div class="label">Tests Run</div></div>
+    <div class="summary-card"><div class="count" style="color:#00e676">${testSummary.passed}</div><div class="label">Passed</div></div>
+    <div class="summary-card"><div class="count" style="color:var(--critical)">${testSummary.failed + (testSummary.errors || 0)}</div><div class="label">Failed</div></div>
+    ` : ''}
+  </div>
+
+  ${correlationsHTML}
+
+  <h2>Findings (${summary.total})</h2>
+  <div class="filter-bar">
+    <button class="filter-btn active" onclick="filterFindings('all')">All (${summary.total})</button>
+    ${summary.critical > 0 ? `<button class="filter-btn" onclick="filterFindings('critical')">Critical (${summary.critical})</button>` : ''}
+    ${summary.high > 0 ? `<button class="filter-btn" onclick="filterFindings('high')">High (${summary.high})</button>` : ''}
+    ${summary.medium > 0 ? `<button class="filter-btn" onclick="filterFindings('medium')">Medium (${summary.medium})</button>` : ''}
+    ${summary.low > 0 ? `<button class="filter-btn" onclick="filterFindings('low')">Low (${summary.low})</button>` : ''}
+    ${summary.info > 0 ? `<button class="filter-btn" onclick="filterFindings('info')">Info (${summary.info})</button>` : ''}
+  </div>
+
+  <div id="findings-container">
+    ${findings.map(f => `
+    <div class="finding-card ${f.severity}" data-severity="${f.severity}">
+      <div class="finding-header">
+        <span class="finding-id">${f.id}</span>
+        <span class="sev-badge ${f.severity}">${f.severity}</span>
+      </div>
+      <div class="finding-title">${this._escapeHtml(f.title)}</div>
+      <div class="finding-desc">${this._escapeHtml(f.description)}</div>
+      <div style="font-size:0.8rem;color:var(--text-dim);margin-top:0.5rem">
+        <strong>Affected:</strong> ${this._escapeHtml(f.affected_surface)}
+      </div>
+      ${f.remediation ? `<div style="font-size:0.85rem;margin-top:0.5rem;color:var(--accent)"><strong>Fix:</strong> ${this._escapeHtml(f.remediation)}</div>` : ''}
+      <details class="finding-details">
+        <summary>Evidence & Reproduction</summary>
+        <pre>${this._escapeHtml(f.reproduction?.join?.('\\n') || '')}</pre>
+        ${f.evidence ? `<pre>${this._escapeHtml(typeof f.evidence === 'string' ? f.evidence : JSON.stringify(f.evidence, null, 2))}</pre>` : ''}
+      </details>
+    </div>`).join('')}
+  </div>
+
+  <footer>JAKU 呪 v${meta.version} — Autonomous Security & Quality Intelligence</footer>
+
+  <script>
+    function filterFindings(severity) {
+      const cards = document.querySelectorAll('.finding-card');
+      const btns = document.querySelectorAll('.filter-btn');
+      btns.forEach(b => b.classList.remove('active'));
+      event.target.classList.add('active');
+      cards.forEach(card => {
+        card.style.display = severity === 'all' || card.dataset.severity === severity ? 'block' : 'none';
+      });
+    }
+  </script>
+</body>
+</html>`;
+  }
+
+  _escapeHtml(text) {
+    if (!text) return '';
+    return String(text)
+      .replace(/&/g, '&amp;')
+      .replace(/</g, '&lt;')
+      .replace(/>/g, '&gt;')
+      .replace(/"/g, '&quot;');
+  }
+
+  _timestamp() {
+    return new Date().toISOString().replace(/[:.]/g, '-').substring(0, 19);
+  }
+}
+
+export default ReportGenerator;

package/src/reporting/sarif-generator.js

@@ -0,0 +1,190 @@
+import fs from 'fs';
+import path from 'path';
+
+/**
+ * SARIF Generator — Generates Static Analysis Results Interchange Format (SARIF) v2.1.0
+ * for integration with GitHub Security Dashboard, GitLab SAST, and Azure DevOps.
+ */
+
+/** CWE mapping for common finding patterns */
+const CWE_MAP = {
+    xss: { id: 'CWE-79', name: 'Cross-site Scripting (XSS)' },
+    sqli: { id: 'CWE-89', name: 'SQL Injection' },
+    nosqli: { id: 'CWE-943', name: 'NoSQL Injection' },
+    csrf: { id: 'CWE-352', name: 'Cross-Site Request Forgery' },
+    idor: { id: 'CWE-639', name: 'Authorization Bypass Through User-Controlled Key' },
+    ssrf: { id: 'CWE-918', name: 'Server-Side Request Forgery' },
+    'open redirect': { id: 'CWE-601', name: 'URL Redirection to Untrusted Site' },
+    'missing header': { id: 'CWE-693', name: 'Protection Mechanism Failure' },
+    hsts: { id: 'CWE-319', name: 'Cleartext Transmission of Sensitive Information' },
+    csp: { id: 'CWE-1021', name: 'Improper Restriction of Rendered UI Layers' },
+    cors: { id: 'CWE-942', name: 'Overly Permissive Cross-domain Whitelist' },
+    tls: { id: 'CWE-295', name: 'Improper Certificate Validation' },
+    jwt: { id: 'CWE-347', name: 'Improper Verification of Cryptographic Signature' },
+    'api key': { id: 'CWE-312', name: 'Cleartext Storage of Sensitive Information' },
+    secret: { id: 'CWE-798', name: 'Use of Hard-coded Credentials' },
+    'prompt injection': { id: 'CWE-77', name: 'Command Injection' },
+    'race condition': { id: 'CWE-362', name: 'Concurrent Execution Using Shared Resource' },
+    'access control': { id: 'CWE-284', name: 'Improper Access Control' },
+    'file upload': { id: 'CWE-434', name: 'Unrestricted Upload of File with Dangerous Type' },
+    'path traversal': { id: 'CWE-22', name: 'Path Traversal' },
+    graphql: { id: 'CWE-200', name: 'Exposure of Sensitive Information' },
+    'rate limit': { id: 'CWE-307', name: 'Improper Restriction of Excessive Authentication Attempts' },
+    websocket: { id: 'CWE-306', name: 'Missing Authentication for Critical Function' },
+    password: { id: 'CWE-521', name: 'Weak Password Requirements' },
+    mfa: { id: 'CWE-308', name: 'Use of Single-factor Authentication' },
+    session: { id: 'CWE-614', name: 'Sensitive Cookie Without Secure Flag' },
+    oauth: { id: 'CWE-346', name: 'Origin Validation Error' },
+    'pricing': { id: 'CWE-20', name: 'Improper Input Validation' },
+    'workflow': { id: 'CWE-841', name: 'Improper Enforcement of Behavioral Workflow' },
+    'abuse': { id: 'CWE-799', name: 'Improper Control of Interaction Frequency' },
+};
+
+const SEVERITY_TO_SARIF = {
+    critical: 'error',
+    high: 'error',
+    medium: 'warning',
+    low: 'note',
+    info: 'note',
+};
+
+/**
+ * Generate SARIF v2.1.0 report from JAKU findings.
+ */
+export function generateSARIF(findings, meta = {}) {
+    const rules = [];
+    const results = [];
+    const ruleIndex = new Map();
+
+    for (const finding of findings) {
+        // Build rule ID
+        const ruleId = finding.id || `JAKU-${finding.module?.toUpperCase()}-0000`;
+
+        if (!ruleIndex.has(ruleId)) {
+            ruleIndex.set(ruleId, rules.length);
+
+            const cwe = _matchCWE(finding);
+            const rule = {
+                id: ruleId,
+                name: finding.title?.replace(/[^a-zA-Z0-9]/g, '') || 'Unknown',
+                shortDescription: { text: finding.title || 'Unknown finding' },
+                fullDescription: { text: finding.description || finding.title || '' },
+                defaultConfiguration: { level: SEVERITY_TO_SARIF[finding.severity] || 'note' },
+                helpUri: finding.references?.[0] || 'https://owasp.org/www-project-top-ten/',
+                properties: {
+                    tags: [finding.module || 'security', finding.severity],
+                    precision: 'medium',
+                    'security-severity': _cvssFromSeverity(finding.severity),
+                },
+            };
+
+            if (cwe) {
+                rule.properties.tags.push(`external/cwe/${cwe.id.replace('CWE-', '')}`);
+                rule.relationships = [{
+                    target: { id: cwe.id, toolComponent: { name: 'CWE' } },
+                    kinds: ['superset'],
+                }];
+            }
+
+            rules.push(rule);
+        }
+
+        // Build result
+        const result = {
+            ruleId,
+            ruleIndex: ruleIndex.get(ruleId),
+            level: SEVERITY_TO_SARIF[finding.severity] || 'note',
+            message: { text: finding.description || finding.title },
+            locations: [{
+                physicalLocation: {
+                    artifactLocation: {
+                        uri: finding.affected_surface || meta.target || 'unknown',
+                        uriBaseId: '%SRCROOT%',
+                    },
+                },
+            }],
+            properties: {
+                severity: finding.severity,
+                module: finding.module,
+                status: finding.status || 'open',
+                timestamp: finding.timestamp || new Date().toISOString(),
+            },
+        };
+
+        if (finding.remediation) {
+            result.fixes = [{ description: { text: finding.remediation } }];
+        }
+
+        if (finding.evidence) {
+            result.codeFlows = [{
+                message: { text: 'Evidence' },
+                threadFlows: [{
+                    locations: [{
+                        location: {
+                            message: { text: typeof finding.evidence === 'string' ? finding.evidence : JSON.stringify(finding.evidence) },
+                            physicalLocation: {
+                                artifactLocation: { uri: finding.affected_surface || 'unknown' },
+                            },
+                        },
+                    }],
+                }],
+            }];
+        }
+
+        results.push(result);
+    }
+
+    const sarif = {
+        $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/main/sarif-2.1/schema/sarif-schema-2.1.0.json',
+        version: '2.1.0',
+        runs: [{
+            tool: {
+                driver: {
+                    name: 'JAKU',
+                    version: meta.version || '1.0.0',
+                    semanticVersion: meta.version || '1.0.0',
+                    informationUri: 'https://github.com/jaku-security',
+                    rules,
+                },
+            },
+            results,
+            invocations: [{
+                executionSuccessful: true,
+                startTimeUtc: meta.scannedAt || new Date().toISOString(),
+            }],
+        }],
+    };
+
+    return sarif;
+}
+
+/**
+ * Write SARIF to file.
+ */
+export function writeSARIF(findings, outputDir, meta = {}) {
+    const sarif = generateSARIF(findings, meta);
+    const sarifPath = path.join(outputDir, 'report.sarif');
+    fs.writeFileSync(sarifPath, JSON.stringify(sarif, null, 2), 'utf-8');
+    return sarifPath;
+}
+
+/**
+ * Match a finding to a CWE based on title/description patterns.
+ */
+function _matchCWE(finding) {
+    const text = `${finding.title} ${finding.description}`.toLowerCase();
+    for (const [pattern, cwe] of Object.entries(CWE_MAP)) {
+        if (text.includes(pattern)) return cwe;
+    }
+    return null;
+}
+
+/**
+ * Map JAKU severity to CVSS-like numeric score.
+ */
+function _cvssFromSeverity(severity) {
+    const map = { critical: '9.8', high: '7.5', medium: '5.0', low: '2.5', info: '0.0' };
+    return map[severity] || '0.0';
+}
+
+export default { generateSARIF, writeSARIF };

package/src/utils/config.js

@@ -0,0 +1,57 @@
+import fs from 'fs';
+import path from 'path';
+
+const DEFAULTS = {
+    target_url: null,
+    credentials: [],
+    modules_enabled: ['qa'],
+    severity_threshold: 'low',
+    halt_on_critical: false,
+    notify_webhook: null,
+    crawler: {
+        max_depth: 5,
+        max_pages: 50,
+        timeout: 30000,
+        respect_robots_txt: true,
+    },
+    viewports: {
+        mobile: { width: 375, height: 812 },
+        tablet: { width: 768, height: 1024 },
+        desktop: { width: 1440, height: 900 },
+    },
+};
+
+export function loadConfig(cliOptions = {}) {
+    let fileConfig = {};
+
+    // Load from config file if specified or default path exists
+    const configPath = cliOptions.config || path.join(process.cwd(), 'jaku.config.json');
+    if (fs.existsSync(configPath)) {
+        try {
+            const raw = fs.readFileSync(configPath, 'utf-8');
+            fileConfig = JSON.parse(raw);
+        } catch (e) {
+            console.warn(`⚠ Warning: Could not parse config file at ${configPath}`);
+        }
+    }
+
+    // Merge: defaults < file config < CLI options
+    const config = {
+        ...DEFAULTS,
+        ...fileConfig,
+        crawler: { ...DEFAULTS.crawler, ...(fileConfig.crawler || {}) },
+        viewports: { ...DEFAULTS.viewports, ...(fileConfig.viewports || {}) },
+    };
+
+    // CLI overrides
+    if (cliOptions.targetUrl) config.target_url = cliOptions.targetUrl;
+    if (cliOptions.severity) config.severity_threshold = cliOptions.severity;
+    if (cliOptions.output) config.output_dir = cliOptions.output;
+    if (cliOptions.verbose !== undefined) config.verbose = cliOptions.verbose;
+    if (cliOptions.json) config.output_json = true;
+    if (cliOptions.html) config.output_html = true;
+
+    return config;
+}
+
+export default loadConfig;