mobbdev 0.0.130 → 0.0.134

package/dist/index.mjs

@@ -520,456 +520,21 @@ var CliError = class extends Error {
 // src/features/analysis/index.ts
 import chalk4 from "chalk";
 import Configstore from "configstore";
-import Debug11 from "debug";
-import extract from "extract-zip";
-import fetch3 from "node-fetch";
-import open2 from "open";
-import semver from "semver";
-import tmp2 from "tmp";
-import { z as z12 } from "zod";
-
-// src/features/analysis/git.ts
-import Debug2 from "debug";
-import { simpleGit } from "simple-git";
-var debug2 = Debug2("mobbdev:git");
-var GIT_NOT_INITIALIZED_ERROR_MESSAGE = "not a git repository";
-async function getGitInfo(srcDirPath) {
-  debug2("getting git info for %s", srcDirPath);
-  const git = simpleGit({
-    baseDir: srcDirPath,
-    maxConcurrentProcesses: 1,
-    trimmed: true
-  });
-  let repoUrl = "";
-  let hash = "";
-  let reference = "";
-  try {
-    repoUrl = (await git.getConfig("remote.origin.url")).value || "";
-    hash = await git.revparse(["HEAD"]) || "";
-    reference = await git.revparse(["--abbrev-ref", "HEAD"]) || "";
-  } catch (e) {
-    if (e instanceof Error) {
-      debug2("failed to run git %o", e);
-      if (e.message.includes(" spawn ")) {
-        debug2("git cli not installed");
-      } else if (e.message.includes(GIT_NOT_INITIALIZED_ERROR_MESSAGE)) {
-        debug2("folder is not a git repo");
-        return {
-          success: false,
-          hash: void 0,
-          reference: void 0,
-          repoUrl: void 0
-        };
-      } else {
-        throw e;
-      }
-    }
-    throw e;
-  }
-  if (repoUrl.endsWith(".git")) {
-    repoUrl = repoUrl.slice(0, -".git".length);
-  }
-  if (repoUrl.startsWith("git@github.com:")) {
-    repoUrl = repoUrl.replace("git@github.com:", "https://github.com/");
-  }
-  return {
-    success: true,
-    repoUrl,
-    hash,
-    reference
-  };
-}
-
-// src/features/analysis/graphql/gql.ts
-import Debug3 from "debug";
-import { GraphQLClient } from "graphql-request";
-import { v4 as uuidv4 } from "uuid";
-
-// src/features/analysis/graphql/subscribe.ts
-import { createClient } from "graphql-ws";
-import WebSocket from "ws";
-var SUBSCRIPTION_TIMEOUT_MS = 10 * 60 * 1e3;
-function createWSClient(options) {
-  return createClient({
-    url: options.url,
-    webSocketImpl: options.websocket || WebSocket,
-    connectionParams: () => {
-      return {
-        headers: options.type === "apiKey" ? {
-          [API_KEY_HEADER_NAME]: options.apiKey
-        } : { authorization: `Bearer ${options.token}` }
-      };
-    }
-  });
-}
-function subscribe(query, variables, callback, wsClientOptions) {
-  return new Promise((resolve, reject) => {
-    let timer = null;
-    const { timeoutInMs = SUBSCRIPTION_TIMEOUT_MS } = wsClientOptions;
-    const client = createWSClient({
-      ...wsClientOptions,
-      websocket: WebSocket,
-      url: API_URL.replace("http", "ws")
-    });
-    const unsubscribe = client.subscribe(
-      { query, variables },
-      {
-        next: (data) => {
-          function callbackResolve(data2) {
-            unsubscribe();
-            if (timer) {
-              clearTimeout(timer);
-            }
-            resolve(data2);
-          }
-          function callbackReject(data2) {
-            unsubscribe();
-            if (timer) {
-              clearTimeout(timer);
-            }
-            reject(data2);
-          }
-          if (!data.data) {
-            reject(
-              new Error(
-                `Broken data object from graphQL subscribe: ${JSON.stringify(
-                  data
-                )} for query: ${query}`
-              )
-            );
-          } else {
-            callback(callbackResolve, callbackReject, data.data);
-          }
-        },
-        error: (error) => {
-          if (timer) {
-            clearTimeout(timer);
-          }
-          reject(error);
-        },
-        complete: () => {
-          return;
-        }
-      }
-    );
-    if (typeof timeoutInMs === "number") {
-      timer = setTimeout(() => {
-        unsubscribe();
-        reject(
-          new Error(
-            `Timeout expired for graphQL subscribe query: ${query} with timeout: ${timeoutInMs}`
-          )
-        );
-      }, timeoutInMs);
-    }
-  });
-}
-
-// src/features/analysis/graphql/types.ts
-import { z as z2 } from "zod";
-var VulnerabilityReportIssueCodeNodeZ = z2.object({
-  vulnerabilityReportIssueId: z2.string(),
-  path: z2.string(),
-  startLine: z2.number(),
-  vulnerabilityReportIssue: z2.object({
-    fixId: z2.string()
-  })
-});
-var GetVulByNodesMetadataZ = z2.object({
-  vulnerabilityReportIssueCodeNodes: z2.array(VulnerabilityReportIssueCodeNodeZ),
-  nonFixablePrVuls: z2.object({
-    aggregate: z2.object({
-      count: z2.number()
-    })
-  }),
-  fixablePrVuls: z2.object({
-    aggregate: z2.object({
-      count: z2.number()
-    })
-  }),
-  totalScanVulnerabilities: z2.object({
-    aggregate: z2.object({
-      count: z2.number()
-    })
-  })
-});
-
-// src/features/analysis/graphql/gql.ts
-var debug3 = Debug3("mobbdev:gql");
-var API_KEY_HEADER_NAME = "x-mobb-key";
-var REPORT_STATE_CHECK_DELAY = 5 * 1e3;
-var GQLClient = class {
-  constructor(args) {
-    __publicField(this, "_client");
-    __publicField(this, "_clientSdk");
-    __publicField(this, "_auth");
-    debug3(`init with  ${args}`);
-    this._auth = args;
-    this._client = new GraphQLClient(API_URL, {
-      headers: args.type === "apiKey" ? { [API_KEY_HEADER_NAME]: args.apiKey || "" } : {
-        Authorization: `Bearer ${args.token}`
-      },
-      requestMiddleware: (request) => {
-        const requestId = uuidv4();
-        debug3(
-          `sending API request with id: ${requestId} and with request: ${request.body}`
-        );
-        return {
-          ...request,
-          headers: {
-            ...request.headers,
-            "x-hasura-request-id": requestId
-          }
-        };
-      }
-    });
-    this._clientSdk = getSdk(this._client);
-  }
-  async getUserInfo() {
-    const { me } = await this._clientSdk.Me();
-    return me;
-  }
-  async createCliLogin(variables) {
-    const res = await this._clientSdk.CreateCliLogin(variables, {
-      // We may have outdated API key in the config storage. Avoid using it for the login request.
-      [API_KEY_HEADER_NAME]: ""
-    });
-    return res.insert_cli_login_one?.id || "";
-  }
-  async verifyToken() {
-    await this.createCommunityUser();
-    try {
-      await this.getUserInfo();
-    } catch (e) {
-      debug3("verify token failed %o", e);
-      return false;
-    }
-    return true;
-  }
-  async getOrgAndProjectId(projectName) {
-    const getOrgAndProjectIdResult = await this._clientSdk.getOrgAndProjectId();
-    const org = getOrgAndProjectIdResult?.users?.at(0)?.userOrganizationsAndUserOrganizationRoles?.at(0)?.organization;
-    if (!org?.id) {
-      throw new Error("Organization not found");
-    }
-    const project = projectName ? org?.projects.find((project2) => project2.name === projectName) ?? null : org?.projects[0];
-    if (!project?.id) {
-      throw new Error("Project not found");
-    }
-    let projectId = project?.id;
-    if (!projectId) {
-      const createdProject = await this._clientSdk.CreateProject({
-        organizationId: org.id,
-        projectName: projectName || "My project"
-      });
-      projectId = createdProject.createProject.projectId;
-    }
-    return {
-      organizationId: org.id,
-      projectId
-    };
-  }
-  async getEncryptedApiToken(variables) {
-    const res = await this._clientSdk.GetEncryptedApiToken(variables, {
-      // We may have outdated API key in the config storage. Avoid using it for the login request.
-      [API_KEY_HEADER_NAME]: ""
-    });
-    return res?.cli_login_by_pk?.encryptedApiToken || null;
-  }
-  async createCommunityUser() {
-    try {
-      await this._clientSdk.CreateCommunityUser();
-    } catch (e) {
-      debug3("create community user failed %o", e);
-    }
-  }
-  async updateScmToken(args) {
-    const { scmType, url, token, org, username, refreshToken } = args;
-    const updateScmTokenResult = await this._clientSdk.updateScmToken({
-      scmType,
-      url,
-      token,
-      org,
-      username,
-      refreshToken
-    });
-    return updateScmTokenResult;
-  }
-  async uploadS3BucketInfo() {
-    const uploadS3BucketInfoResult = await this._clientSdk.uploadS3BucketInfo({
-      fileName: "report.json"
-    });
-    return uploadS3BucketInfoResult;
-  }
-  async getVulByNodesMetadata({
-    hunks,
-    vulnerabilityReportId
-  }) {
-    const filters = hunks.map((hunk) => {
-      const filter = {
-        path: { _eq: hunk.path },
-        _or: hunk.ranges.flatMap(({ endLine, startLine }) => {
-          return [
-            { startLine: { _gte: startLine, _lte: endLine } },
-            { endLine: { _gte: startLine, _lte: endLine } }
-          ];
-        })
-      };
-      return filter;
-    });
-    const getVulByNodesMetadataRes = await this._clientSdk.getVulByNodesMetadata({
-      filters: { _or: filters },
-      vulnerabilityReportId
-    });
-    const parsedGetVulByNodesMetadataRes = GetVulByNodesMetadataZ.parse(
-      getVulByNodesMetadataRes
-    );
-    const uniqueVulByNodesMetadata = parsedGetVulByNodesMetadataRes.vulnerabilityReportIssueCodeNodes.reduce((acc, vulnerabilityReportIssueCodeNode) => {
-      if (acc[vulnerabilityReportIssueCodeNode.vulnerabilityReportIssueId]) {
-        return acc;
-      }
-      return {
-        ...acc,
-        [vulnerabilityReportIssueCodeNode.vulnerabilityReportIssueId]: vulnerabilityReportIssueCodeNode
-      };
-    }, {});
-    const nonFixablePrVuls = parsedGetVulByNodesMetadataRes.nonFixablePrVuls.aggregate.count;
-    const fixablePrVuls = parsedGetVulByNodesMetadataRes.fixablePrVuls.aggregate.count;
-    const totalScanVulnerabilities = parsedGetVulByNodesMetadataRes.totalScanVulnerabilities.aggregate.count;
-    const vulnerabilitiesOutsidePr = totalScanVulnerabilities - nonFixablePrVuls - fixablePrVuls;
-    const totalPrVulnerabilities = nonFixablePrVuls + fixablePrVuls;
-    return {
-      vulnerabilityReportIssueCodeNodes: Object.values(
-        uniqueVulByNodesMetadata
-      ),
-      nonFixablePrVuls,
-      fixablePrVuls,
-      totalScanVulnerabilities,
-      vulnerabilitiesOutsidePr,
-      totalPrVulnerabilities
-    };
-  }
-  async digestVulnerabilityReport({
-    fixReportId,
-    projectId,
-    scanSource
-  }) {
-    const res = await this._clientSdk.DigestVulnerabilityReport({
-      fixReportId,
-      vulnerabilityReportFileName: "report.json",
-      projectId,
-      scanSource
-    });
-    if (res.digestVulnerabilityReport.__typename !== "VulnerabilityReport") {
-      throw new Error("Digesting vulnerability report failed");
-    }
-    return res.digestVulnerabilityReport;
-  }
-  async submitVulnerabilityReport(params) {
-    const {
-      fixReportId,
-      repoUrl,
-      reference,
-      projectId,
-      sha,
-      experimentalEnabled,
-      vulnerabilityReportFileName,
-      pullRequest
-    } = params;
-    return await this._clientSdk.SubmitVulnerabilityReport({
-      fixReportId,
-      repoUrl,
-      reference,
-      vulnerabilityReportFileName,
-      projectId,
-      pullRequest,
-      sha: sha || "",
-      experimentalEnabled,
-      scanSource: params.scanSource
-    });
-  }
-  async getFixReportState(fixReportId) {
-    const res = await this._clientSdk.FixReportState({ id: fixReportId });
-    return res?.fixReport_by_pk?.state || "Created" /* Created */;
-  }
-  async waitFixReportInit(fixReportId, includeDigested = false) {
-    const FINAL_STATES = [
-      "Finished" /* Finished */,
-      "Failed" /* Failed */
-    ];
-    let lastState = "Created" /* Created */;
-    let attempts = 100;
-    if (includeDigested) {
-      FINAL_STATES.push("Digested" /* Digested */);
-    }
-    do {
-      await sleep(REPORT_STATE_CHECK_DELAY);
-      lastState = await this.getFixReportState(fixReportId);
-    } while (!FINAL_STATES.includes(
-      lastState
-      // wait for final the state of the fix report
-    ) && attempts-- > 0);
-    return lastState;
-  }
-  async getVulnerabilityReportPaths(vulnerabilityReportId) {
-    const res = await this._clientSdk.GetVulnerabilityReportPaths({
-      vulnerabilityReportId
-    });
-    return res.vulnerability_report_path.map((p) => p.path);
-  }
-  async subscribeToAnalysis(params) {
-    const { callbackStates } = params;
-    return subscribe(
-      GetAnalysisDocument,
-      params.subscribeToAnalysisParams,
-      async (resolve, reject, data) => {
-        if (!data.analysis?.state || data.analysis?.state === "Failed" /* Failed */) {
-          reject(data);
-          throw new Error(`Analysis failed with id: ${data.analysis?.id}`);
-        }
-        if (callbackStates.includes(data.analysis?.state)) {
-          await params.callback(data.analysis.id);
-          resolve(data);
-        }
-      },
-      this._auth.type === "apiKey" ? {
-        apiKey: this._auth.apiKey,
-        type: "apiKey",
-        timeoutInMs: params.timeoutInMs
-      } : {
-        token: this._auth.token,
-        type: "token",
-        timeoutInMs: params.timeoutInMs
-      }
-    );
-  }
-  async getAnalysis(analysisId) {
-    const res = await this._clientSdk.getAnalsyis({
-      analysisId
-    });
-    if (!res.analysis) {
-      throw new Error(`Analysis not found: ${analysisId}`);
-    }
-    return res.analysis;
-  }
-  async getFixes(fixIds) {
-    const res = await this._clientSdk.getFixes({
-      filters: { id: { _in: fixIds } }
-    });
-    return res;
-  }
-};
+import Debug12 from "debug";
+import extract from "extract-zip";
+import fetch3 from "node-fetch";
+import open2 from "open";
+import semver from "semver";
+import tmp2 from "tmp";
+import { z as z12 } from "zod";
 
-// src/features/analysis/handle_finished_analysis.ts
-import { Octokit as Octokit3 } from "@octokit/core";
-import Debug5 from "debug";
-import parseDiff2 from "parse-diff";
-import { z as z11 } from "zod";
+// src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
+import Debug4 from "debug";
 
 // src/features/analysis/scm/ado.ts
 import querystring from "node:querystring";
 import * as api from "azure-devops-node-api";
-import { z as z3 } from "zod";
+import { z as z2 } from "zod";
 
 // src/features/analysis/scm/types.ts
 var ReferenceType = /* @__PURE__ */ ((ReferenceType2) => {
@@ -1148,22 +713,22 @@ function removeTrailingSlash(str) {
   return str.trim().replace(/\/+$/, "");
 }
 async function _getOrgsForOauthToken({ oauthToken }) {
-  const profileZ = z3.object({
-    displayName: z3.string(),
-    publicAlias: z3.string().min(1),
-    emailAddress: z3.string(),
-    coreRevision: z3.number(),
-    timeStamp: z3.string(),
-    id: z3.string(),
-    revision: z3.number()
+  const profileZ = z2.object({
+    displayName: z2.string(),
+    publicAlias: z2.string().min(1),
+    emailAddress: z2.string(),
+    coreRevision: z2.number(),
+    timeStamp: z2.string(),
+    id: z2.string(),
+    revision: z2.number()
   });
-  const accountsZ = z3.object({
-    count: z3.number(),
-    value: z3.array(
-      z3.object({
-        accountId: z3.string(),
-        accountUri: z3.string(),
-        accountName: z3.string()
+  const accountsZ = z2.object({
+    count: z2.number(),
+    value: z2.array(
+      z2.object({
+        accountId: z2.string(),
+        accountUri: z2.string(),
+        accountName: z2.string()
       })
     )
   });
@@ -1594,10 +1159,10 @@ async function getAdoBlameRanges() {
   return [];
 }
 var ADO_ACCESS_TOKEN_URL = "https://app.vssps.visualstudio.com/oauth2/token";
-var AdoAuthResultZ = z3.object({
-  access_token: z3.string().min(1),
-  token_type: z3.string().min(1),
-  refresh_token: z3.string().min(1)
+var AdoAuthResultZ = z2.object({
+  access_token: z2.string().min(1),
+  token_type: z2.string().min(1),
+  refresh_token: z2.string().min(1)
 });
 async function getAdoToken({
   token,
@@ -1643,11 +1208,11 @@ var AdoSdk = {
 // src/features/analysis/scm/bitbucket/bitbucket.ts
 import querystring3 from "node:querystring";
 import * as bitbucketPkg from "bitbucket";
-import { z as z10 } from "zod";
+import { z as z9 } from "zod";
 
 // src/features/analysis/scm/scm.ts
 import { Octokit as Octokit2 } from "@octokit/core";
-import { z as z9 } from "zod";
+import { z as z8 } from "zod";
 
 // src/features/analysis/scm/github/encryptSecret.ts
 import sodium from "libsodium-wrappers";
@@ -1662,7 +1227,7 @@ async function encryptSecret(secret, key) {
 // src/features/analysis/scm/github/github.ts
 import { RequestError } from "@octokit/request-error";
 import { Octokit } from "octokit";
-import { z as z4 } from "zod";
+import { z as z3 } from "zod";
 
 // src/features/analysis/scm/utils/get_issue_type.ts
 var getIssueType = (issueType) => {
@@ -1866,8 +1431,8 @@ function normalizeUrl(repoUrl) {
 }
 
 // src/features/analysis/scm/github/github.ts
-var EnvVariablesZod = z4.object({
-  GITHUB_API_TOKEN: z4.string().optional()
+var EnvVariablesZod = z3.object({
+  GITHUB_API_TOKEN: z3.string().optional()
 });
 var { GITHUB_API_TOKEN } = EnvVariablesZod.parse(process.env);
 var GetBlameDocument = `
@@ -1909,17 +1474,25 @@ function getOktoKit(options) {
   const token = options?.githubAuthToken ?? GITHUB_API_TOKEN ?? "";
   return new Octokit({ auth: token });
 }
+function isGithbActionActionToken(token) {
+  return token.startsWith("ghs_");
+}
 async function githubValidateParams(url, accessToken) {
   try {
     const oktoKit = getOktoKit({ githubAuthToken: accessToken });
     if (accessToken) {
-      await oktoKit.rest.users.getAuthenticated();
+      isGithbActionActionToken(accessToken) ? null : await oktoKit.rest.users.getAuthenticated();
     }
     if (url) {
       const { owner, repo } = parseGithubOwnerAndRepo(url);
-      await oktoKit.rest.repos.get({ repo, owner });
+      await oktoKit.request("GET /repos/{owner}/{repo}/branches", {
+        owner,
+        repo,
+        per_page: 1
+      });
     }
   } catch (e) {
+    console.log("could not init github scm", e);
     const error = e;
     const code = error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
     if (code === 401 || code === 403) {
@@ -2349,20 +1922,20 @@ import {
   Gitlab
 } from "@gitbeaker/rest";
 import { ProxyAgent } from "undici";
-import { z as z6 } from "zod";
+import { z as z5 } from "zod";
 
 // src/features/analysis/scm/gitlab/types.ts
-import { z as z5 } from "zod";
-var GitlabAuthResultZ = z5.object({
-  access_token: z5.string(),
-  token_type: z5.string(),
-  refresh_token: z5.string()
+import { z as z4 } from "zod";
+var GitlabAuthResultZ = z4.object({
+  access_token: z4.string(),
+  token_type: z4.string(),
+  refresh_token: z4.string()
 });
 
 // src/features/analysis/scm/gitlab/gitlab.ts
-var EnvVariablesZod2 = z6.object({
-  GITLAB_API_TOKEN: z6.string().optional(),
-  BROKERED_HOSTS: z6.string().toLowerCase().transform(
+var EnvVariablesZod2 = z5.object({
+  GITLAB_API_TOKEN: z5.string().optional(),
+  BROKERED_HOSTS: z5.string().toLowerCase().transform(
     (x) => x.split(",").map((url) => url.trim(), []).filter(Boolean)
   ).default("")
 });
@@ -2659,92 +2232,92 @@ initGitlabFetchMock();
 import fs from "node:fs/promises";
 import parseDiff from "parse-diff";
 import path3 from "path";
-import { simpleGit as simpleGit2 } from "simple-git";
+import { simpleGit } from "simple-git";
 import tmp from "tmp";
-import { z as z8 } from "zod";
+import { z as z7 } from "zod";
 
 // src/features/analysis/scm/scmSubmit/types.ts
-import { z as z7 } from "zod";
-var BaseSubmitToScmMessageZ = z7.object({
-  submitFixRequestId: z7.string().uuid(),
-  fixes: z7.array(
-    z7.object({
-      fixId: z7.string().uuid(),
-      patches: z7.array(z7.string())
+import { z as z6 } from "zod";
+var BaseSubmitToScmMessageZ = z6.object({
+  submitFixRequestId: z6.string().uuid(),
+  fixes: z6.array(
+    z6.object({
+      fixId: z6.string().uuid(),
+      patches: z6.array(z6.string())
     })
   ),
-  commitHash: z7.string(),
-  repoUrl: z7.string()
+  commitHash: z6.string(),
+  repoUrl: z6.string()
 });
 var submitToScmMessageType = {
   commitToSameBranch: "commitToSameBranch",
   submitFixesForDifferentBranch: "submitFixesForDifferentBranch"
 };
 var CommitToSameBranchParamsZ = BaseSubmitToScmMessageZ.merge(
-  z7.object({
-    type: z7.literal(submitToScmMessageType.commitToSameBranch),
-    branch: z7.string(),
-    commitMessage: z7.string(),
-    commitDescription: z7.string().nullish(),
-    githubCommentId: z7.number().nullish()
+  z6.object({
+    type: z6.literal(submitToScmMessageType.commitToSameBranch),
+    branch: z6.string(),
+    commitMessage: z6.string(),
+    commitDescription: z6.string().nullish(),
+    githubCommentId: z6.number().nullish()
   })
 );
-var SubmitFixesToDifferentBranchParamsZ = z7.object({
-  type: z7.literal(submitToScmMessageType.submitFixesForDifferentBranch),
-  submitBranch: z7.string(),
-  baseBranch: z7.string()
+var SubmitFixesToDifferentBranchParamsZ = z6.object({
+  type: z6.literal(submitToScmMessageType.submitFixesForDifferentBranch),
+  submitBranch: z6.string(),
+  baseBranch: z6.string()
 }).merge(BaseSubmitToScmMessageZ);
-var SubmitFixesMessageZ = z7.union([
+var SubmitFixesMessageZ = z6.union([
   CommitToSameBranchParamsZ,
   SubmitFixesToDifferentBranchParamsZ
 ]);
-var FixResponseArrayZ = z7.array(
-  z7.object({
-    fixId: z7.string().uuid()
+var FixResponseArrayZ = z6.array(
+  z6.object({
+    fixId: z6.string().uuid()
   })
 );
-var SubmitFixesBaseResponseMessageZ = z7.object({
-  submitFixRequestId: z7.string().uuid(),
-  submitBranches: z7.array(
-    z7.object({
-      branchName: z7.string(),
+var SubmitFixesBaseResponseMessageZ = z6.object({
+  submitFixRequestId: z6.string().uuid(),
+  submitBranches: z6.array(
+    z6.object({
+      branchName: z6.string(),
       fixes: FixResponseArrayZ
     })
   ),
-  error: z7.object({
-    type: z7.enum([
+  error: z6.object({
+    type: z6.enum([
       "InitialRepoAccessError",
       "PushBranchError",
       "UnknownError"
     ]),
-    info: z7.object({
-      message: z7.string(),
-      pushBranchName: z7.string().optional()
+    info: z6.object({
+      message: z6.string(),
+      pushBranchName: z6.string().optional()
     })
   }).optional()
 });
-var SubmitFixesToSameBranchResponseMessageZ = z7.object({
-  type: z7.literal(submitToScmMessageType.commitToSameBranch),
-  githubCommentId: z7.number().nullish()
+var SubmitFixesToSameBranchResponseMessageZ = z6.object({
+  type: z6.literal(submitToScmMessageType.commitToSameBranch),
+  githubCommentId: z6.number().nullish()
 }).merge(SubmitFixesBaseResponseMessageZ);
-var SubmitFixesToDifferentBranchResponseMessageZ = z7.object({
-  type: z7.literal(submitToScmMessageType.submitFixesForDifferentBranch),
-  githubCommentId: z7.number().optional()
+var SubmitFixesToDifferentBranchResponseMessageZ = z6.object({
+  type: z6.literal(submitToScmMessageType.submitFixesForDifferentBranch),
+  githubCommentId: z6.number().optional()
 }).merge(SubmitFixesBaseResponseMessageZ);
-var SubmitFixesResponseMessageZ = z7.discriminatedUnion("type", [
+var SubmitFixesResponseMessageZ = z6.discriminatedUnion("type", [
   SubmitFixesToSameBranchResponseMessageZ,
   SubmitFixesToDifferentBranchResponseMessageZ
 ]);
 
 // src/features/analysis/scm/scmSubmit/index.ts
-var EnvVariablesZod3 = z8.object({
-  BROKERED_HOSTS: z8.string().toLowerCase().transform(
+var EnvVariablesZod3 = z7.object({
+  BROKERED_HOSTS: z7.string().toLowerCase().transform(
     (x) => x.split(",").map((url) => url.trim(), []).filter(Boolean)
   ).default("")
 });
 var { BROKERED_HOSTS: BROKERED_HOSTS2 } = EnvVariablesZod3.parse(process.env);
 var isValidBranchName = async (branchName) => {
-  const git = simpleGit2();
+  const git = simpleGit();
   try {
     const res = await git.raw(["check-ref-format", "--branch", branchName]);
     if (res) {
@@ -2755,18 +2328,18 @@ var isValidBranchName = async (branchName) => {
     return false;
   }
 };
-var FixesZ = z8.array(
-  z8.object({
-    fixId: z8.string(),
-    patches: z8.array(z8.string())
+var FixesZ = z7.array(
+  z7.object({
+    fixId: z7.string(),
+    patches: z7.array(z7.string())
   })
 ).nonempty();
 
 // src/features/analysis/scm/scm.ts
-var GetRefererenceResultZ = z9.object({
-  date: z9.date().optional(),
-  sha: z9.string(),
-  type: z9.nativeEnum(ReferenceType)
+var GetRefererenceResultZ = z8.object({
+  date: z8.date().optional(),
+  sha: z8.string(),
+  type: z8.nativeEnum(ReferenceType)
 });
 function getCloudScmLibTypeFromUrl(url) {
   if (!url) {
@@ -2807,11 +2380,11 @@ var scmTypeToScmLibScmType = {
   ["Bitbucket" /* Bitbucket */]: "BITBUCKET" /* BITBUCKET */
 };
 function getScmTypeFromScmLibType(scmLibType) {
-  const parsedScmLibType = z9.nativeEnum(ScmLibScmType).parse(scmLibType);
+  const parsedScmLibType = z8.nativeEnum(ScmLibScmType).parse(scmLibType);
   return scmLibScmTypeToScmType[parsedScmLibType];
 }
 function getScmLibTypeFromScmType(scmType) {
-  const parsedScmType = z9.nativeEnum(ScmType).parse(scmType);
+  const parsedScmType = z8.nativeEnum(ScmType).parse(scmType);
   return scmTypeToScmLibScmType[parsedScmType];
 }
 function getScmConfig({
@@ -2904,8 +2477,9 @@ var RefNotFoundError = class extends Error {
   }
 };
 var RepoNoTokenAccessError = class extends Error {
-  constructor(m) {
+  constructor(m, scmType) {
     super(m);
+    this.scmType = scmType;
   }
 };
 function buildAuthrizedRepoUrl(args) {
@@ -3034,7 +2608,10 @@ var SCMLib = class {
       }
     } catch (e) {
       if (e instanceof InvalidRepoUrlError && url) {
-        throw new RepoNoTokenAccessError("no access to repo");
+        throw new RepoNoTokenAccessError(
+          "no access to repo",
+          scmLibScmTypeToScmType[z8.nativeEnum(ScmLibScmType).parse(scmType)]
+        );
       }
     }
     return new StubSCMLib(trimmedUrl, void 0, void 0);
@@ -3452,7 +3029,7 @@ var GithubSCMLib = class extends SCMLib {
       owner,
       repo
     });
-    return z9.string().parse(prRes.data);
+    return z8.string().parse(prRes.data);
   }
   async getRepoList(_scmOrg) {
     if (!this.accessToken) {
@@ -3566,12 +3143,11 @@ var GithubSCMLib = class extends SCMLib {
     });
     return getPrRes.data.html_url;
   }
-  async postGeneralPrComment(params, auth) {
+  async postGeneralPrComment(params) {
     const { prNumber, body } = params;
     this._validateUrl();
-    const oktoKit = auth ? new Octokit2({ auth: auth.authToken }) : this.oktokit;
     const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    return await postGeneralPrComment(oktoKit, {
+    return await postGeneralPrComment(this.oktokit, {
       issue_number: prNumber,
       owner,
       repo,
@@ -3589,11 +3165,12 @@ var GithubSCMLib = class extends SCMLib {
       repo
     });
   }
-  async deleteGeneralPrComment({ commentId }, auth) {
+  async deleteGeneralPrComment({
+    commentId
+  }) {
     this._validateUrl();
-    const oktoKit = auth ? new Octokit2({ auth: auth.authToken }) : this.oktokit;
     const { owner, repo } = parseGithubOwnerAndRepo(this.url);
-    return deleteGeneralPrComment(oktoKit, {
+    return deleteGeneralPrComment(this.oktokit, {
       owner,
       repo,
       comment_id: commentId
@@ -3667,7 +3244,7 @@ var StubSCMLib = class extends SCMLib {
 };
 function getUserAndPassword(token) {
   const [username, password] = token.split(":");
-  const safePasswordAndUsername = z9.object({ username: z9.string(), password: z9.string() }).parse({ username, password });
+  const safePasswordAndUsername = z8.object({ username: z8.string(), password: z8.string() }).parse({ username, password });
   return {
     username: safePasswordAndUsername.username,
     password: safePasswordAndUsername.password
@@ -3703,7 +3280,7 @@ var BitbucketSCMLib = class extends SCMLib {
         return { username, password, authType };
       }
       case "token": {
-        return { authType, token: z9.string().parse(this.accessToken) };
+        return { authType, token: z8.string().parse(this.accessToken) };
       }
       case "public":
         return { authType };
@@ -3715,7 +3292,7 @@ var BitbucketSCMLib = class extends SCMLib {
       ...params,
       repoUrl: this.url
     });
-    return String(z9.number().parse(pullRequestRes.id));
+    return String(z8.number().parse(pullRequestRes.id));
   }
   async validateParams() {
     return validateBitbucketParams({
@@ -3787,7 +3364,7 @@ var BitbucketSCMLib = class extends SCMLib {
   async getUsername() {
     this._validateToken();
     const res = await this.bitbucketSdk.getUser();
-    return z9.string().parse(res.username);
+    return z8.string().parse(res.username);
   }
   async getSubmitRequestStatus(_scmSubmitRequestId) {
     this._validateAccessTokenAndUrl();
@@ -3816,7 +3393,7 @@ var BitbucketSCMLib = class extends SCMLib {
   async getRepoDefaultBranch() {
     this._validateUrl();
     const repoRes = await this.bitbucketSdk.getRepo({ repoUrl: this.url });
-    return z9.string().parse(repoRes.mainbranch?.name);
+    return z8.string().parse(repoRes.mainbranch?.name);
   }
   getPrUrl(prNumber) {
     this._validateUrl();
@@ -3840,25 +3417,25 @@ var BitbucketSCMLib = class extends SCMLib {
 // src/features/analysis/scm/bitbucket/bitbucket.ts
 var { Bitbucket } = bitbucketPkg;
 var BITBUCKET_HOSTNAME = "bitbucket.org";
-var TokenExpiredErrorZ = z10.object({
-  status: z10.number(),
-  error: z10.object({
-    type: z10.string(),
-    error: z10.object({
-      message: z10.string()
+var TokenExpiredErrorZ = z9.object({
+  status: z9.number(),
+  error: z9.object({
+    type: z9.string(),
+    error: z9.object({
+      message: z9.string()
     })
   })
 });
 var BITBUCKET_ACCESS_TOKEN_URL = `https://${BITBUCKET_HOSTNAME}/site/oauth2/access_token`;
-var BitbucketAuthResultZ = z10.object({
-  access_token: z10.string(),
-  token_type: z10.string(),
-  refresh_token: z10.string()
+var BitbucketAuthResultZ = z9.object({
+  access_token: z9.string(),
+  token_type: z9.string(),
+  refresh_token: z9.string()
 });
-var BitbucketParseResultZ = z10.object({
-  organization: z10.string(),
-  repoName: z10.string(),
-  hostname: z10.literal(BITBUCKET_HOSTNAME)
+var BitbucketParseResultZ = z9.object({
+  organization: z9.string(),
+  repoName: z9.string(),
+  hostname: z9.literal(BITBUCKET_HOSTNAME)
 });
 function parseBitbucketOrganizationAndRepo(bitbucketUrl) {
   const parsedGitHubUrl = normalizeUrl(bitbucketUrl);
@@ -3936,7 +3513,7 @@ function getBitbucketSdk(params) {
       if (!res.data.values) {
         return [];
       }
-      return res.data.values.filter((branch) => !!branch.name).map((branch) => z10.string().parse(branch.name));
+      return res.data.values.filter((branch) => !!branch.name).map((branch) => z9.string().parse(branch.name));
     },
     async getIsUserCollaborator(params2) {
       const { repoUrl } = params2;
@@ -4051,7 +3628,7 @@ function getBitbucketSdk(params) {
       return GetRefererenceResultZ.parse({
         sha: tagRes.data.target?.hash,
         type: "TAG" /* TAG */,
-        date: new Date(z10.string().parse(tagRes.data.target?.date))
+        date: new Date(z9.string().parse(tagRes.data.target?.date))
       });
     },
     async getBranchRef(params2) {
@@ -4059,7 +3636,7 @@ function getBitbucketSdk(params) {
       return GetRefererenceResultZ.parse({
         sha: getBranchRes.target?.hash,
         type: "BRANCH" /* BRANCH */,
-        date: new Date(z10.string().parse(getBranchRes.target?.date))
+        date: new Date(z9.string().parse(getBranchRes.target?.date))
       });
     },
     async getCommitRef(params2) {
@@ -4067,13 +3644,13 @@ function getBitbucketSdk(params) {
       return GetRefererenceResultZ.parse({
         sha: getCommitRes.hash,
         type: "COMMIT" /* COMMIT */,
-        date: new Date(z10.string().parse(getCommitRes.date))
+        date: new Date(z9.string().parse(getCommitRes.date))
       });
     },
     async getDownloadUrl({ url, sha }) {
       this.getReferenceData({ ref: sha, url });
       const repoRes = await this.getRepo({ repoUrl: url });
-      const parsedRepoUrl = z10.string().url().parse(repoRes.links?.html?.href);
+      const parsedRepoUrl = z9.string().url().parse(repoRes.links?.html?.href);
       return `${parsedRepoUrl}/get/${sha}.zip`;
     },
     async getPullRequest(params2) {
@@ -4116,7 +3693,7 @@ async function validateBitbucketParams(params) {
 }
 async function getUsersworkspacesSlugs(bitbucketClient) {
   const res = await bitbucketClient.workspaces.getWorkspaces({});
-  return res.data.values?.map((v) => z10.string().parse(v.slug));
+  return res.data.values?.map((v) => z9.string().parse(v.slug));
 }
 async function getllUsersrepositories(bitbucketClient) {
   const userWorspacesSlugs = await getUsersworkspacesSlugs(bitbucketClient);
@@ -4144,7 +3721,11 @@ async function getRepositoriesByWorkspace(bitbucketClient, { workspaceSlug }) {
 
 // src/features/analysis/scm/constants.ts
 var MOBB_ICON_IMG = "https://app.mobb.ai/gh-action/Logo_Rounded_Icon.svg";
-var COMMIT_FIX_SVG = `https://app.mobb.ai/gh-action/commit-button.svg`;
+
+// src/features/analysis/add_fix_comments_for_pr/utils.ts
+import Debug3 from "debug";
+import parseDiff2 from "parse-diff";
+import { z as z10 } from "zod";
 
 // src/features/analysis/utils/by_key.ts
 function keyBy(array, keyBy2) {
@@ -4153,34 +3734,9 @@ function keyBy(array, keyBy2) {
   }, {});
 }
 
-// src/features/analysis/utils/calculate_ranges.ts
-function calculateRanges(integers) {
-  if (integers.length === 0) {
-    return [];
-  }
-  integers.sort((a, b) => a - b);
-  const ranges = integers.reduce(
-    (result, current, index) => {
-      if (index === 0) {
-        return [...result, [current, current]];
-      }
-      const currentRange = result[result.length - 1];
-      const [_start, end] = currentRange;
-      if (current === end + 1) {
-        currentRange[1] = current;
-      } else {
-        result.push([current, current]);
-      }
-      return result;
-    },
-    []
-  );
-  return ranges;
-}
-
 // src/features/analysis/utils/send_report.ts
-import Debug4 from "debug";
-var debug4 = Debug4("mobbdev:index");
+import Debug2 from "debug";
+var debug2 = Debug2("mobbdev:index");
 async function sendReport({
   spinner,
   submitVulnerabilityReportVariables,
@@ -4191,7 +3747,7 @@ async function sendReport({
       submitVulnerabilityReportVariables
     );
     if (submitRes.submitVulnerabilityReport.__typename !== "VulnerabilityReport") {
-      debug4("error submit vul report %s", submitRes);
+      debug2("error submit vul report %s", submitRes);
       throw new Error("\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed");
     }
     spinner.update({ text: progressMassages.processingVulnerabilityReport });
@@ -4225,51 +3781,143 @@ function getFromArraySafe(array) {
   }, []);
 }
 
-// src/features/analysis/handle_finished_analysis.ts
-var debug5 = Debug5("mobbdev:handle-finished-analysis");
+// src/features/analysis/add_fix_comments_for_pr/constants.ts
 var contactUsMarkdown = `For specific requests [contact us](https://mobb.ai/contact) and we'll do the most to answer your need quickly.`;
-var commitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
 var MobbIconMarkdown = `![image](${MOBB_ICON_IMG})`;
 var noVulnerabilitiesFoundTitle = `# ${MobbIconMarkdown} No security issues were found \u2705`;
-function scannerToFriendlyString(scanner) {
-  switch (scanner) {
-    case "checkmarx":
-      return "Checkmarx";
-    case "codeql":
-      return "CodeQL";
-    case "fortify":
-      return "Fortify";
-    case "snyk":
-      return "Snyk";
+var COMMIT_FIX_SVG = `https://app.mobb.ai/gh-action/commit-button.svg`;
+var scannerToFriendlyString = {
+  checkmarx: "Checkmarx",
+  codeql: "CodeQL",
+  fortify: "Fortify",
+  snyk: "Snyk"
+};
+
+// src/features/analysis/add_fix_comments_for_pr/utils.ts
+var debug3 = Debug3("mobbdev:handle-finished-analysis");
+var getCommitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
+function calculateRanges(integers) {
+  if (integers.length === 0) {
+    return [];
   }
+  integers.sort((a, b) => a - b);
+  const ranges = integers.reduce(
+    (result, current, index) => {
+      if (index === 0) {
+        return [...result, [current, current]];
+      }
+      const currentRange = result[result.length - 1];
+      const [_start, end] = currentRange;
+      if (current === end + 1) {
+        currentRange[1] = current;
+      } else {
+        result.push([current, current]);
+      }
+      return result;
+    },
+    []
+  );
+  return ranges;
 }
-async function getRelevantVulenrabilitiesFromDiff(params) {
-  const { gqlClient, diff, vulnerabilityReportId } = params;
-  const parsedDiff = parseDiff2(diff);
-  const fileHunks = parsedDiff.map((file) => {
-    const fileNumbers = file.chunks.flatMap((chunk) => chunk.changes).filter((change) => change.type === "add").map((_change) => {
-      const change = _change;
-      return change.ln;
-    });
-    const lineAddedRanges = calculateRanges(fileNumbers);
-    const fileFilter = {
-      path: z11.string().parse(file.to),
-      ranges: lineAddedRanges.map(([startLine, endLine]) => ({
-        endLine,
-        startLine
-      }))
-    };
-    return fileFilter;
+function deleteAllPreviousComments({
+  comments,
+  scm
+}) {
+  return comments.data.filter((comment) => {
+    return comment.body.includes(MOBB_ICON_IMG);
+  }).map((comment) => {
+    try {
+      return scm.deleteComment({ comment_id: comment.id });
+    } catch (e) {
+      debug3("delete comment failed %s", e);
+      return Promise.resolve();
+    }
   });
-  return gqlClient.getVulByNodesMetadata({
-    hunks: fileHunks,
-    vulnerabilityReportId
+}
+function deleteAllPreviousGeneralPrComments(params) {
+  const { generalPrComments, scm } = params;
+  return generalPrComments.data.filter((comment) => {
+    if (!comment.body) {
+      return false;
+    }
+    return comment.body.includes(MOBB_ICON_IMG);
+  }).map((comment) => {
+    try {
+      return scm.deleteGeneralPrComment({ commentId: comment.id });
+    } catch (e) {
+      debug3("delete comment failed %s", e);
+      return Promise.resolve();
+    }
   });
 }
-async function getFixesData(params) {
-  const { gqlClient, fixesId } = params;
-  const { fixes } = await gqlClient.getFixes(fixesId);
-  return keyBy(fixes, "id");
+async function postFixComment(params) {
+  const {
+    vulnerabilityReportIssueCodeNode,
+    projectId,
+    analysisId,
+    organizationId,
+    fixesById,
+    scm,
+    commitSha,
+    pullRequest,
+    scanner
+  } = params;
+  const {
+    path: path9,
+    startLine,
+    vulnerabilityReportIssue: { fixId }
+  } = vulnerabilityReportIssueCodeNode;
+  const fix = fixesById[fixId];
+  if (!fix || fix.patchAndQuestions.__typename !== "FixData") {
+    throw new Error(`fix ${fixId} not found`);
+  }
+  const {
+    patchAndQuestions: { patch }
+  } = fix;
+  const commentRes = await scm.postPrComment({
+    body: "empty",
+    pull_number: pullRequest,
+    commit_id: commitSha,
+    path: path9,
+    line: startLine
+  });
+  const commentId = commentRes.data.id;
+  const commitUrl = getCommitUrl({
+    appBaseUrl: WEB_APP_URL,
+    fixId,
+    projectId,
+    analysisId,
+    organizationId,
+    redirectUrl: commentRes.data.html_url,
+    commentId
+  });
+  const fixUrl = getFixUrlWithRedirect({
+    appBaseUrl: WEB_APP_URL,
+    fixId,
+    projectId,
+    analysisId,
+    organizationId,
+    redirectUrl: commentRes.data.html_url,
+    commentId
+  });
+  const scanerString = scannerToFriendlyString[scanner];
+  const issueType = getIssueType(fix.issueType ?? null);
+  const title = `# ${MobbIconMarkdown} ${issueType} fix is ready`;
+  const subTitle = `### Apply the following code change to fix ${issueType} issue detected by **${scanerString}**:`;
+  const diff = `\`\`\`diff
+${patch} 
+\`\`\``;
+  const fixPageLink = `[Learn more and fine tune the fix](${fixUrl})`;
+  return await scm.updatePrComment({
+    body: `${title}
+${subTitle}
+${diff}
+${getCommitFixButton(
+      commitUrl
+    )}
+${fixPageLink}`,
+    comment_id: commentId
+  });
 }
 function buildAnalysisSummaryComment(params) {
   const { prVulenrabilities: fixesFromDiff, fixesById } = params;
@@ -4297,34 +3945,140 @@ function buildAnalysisSummaryComment(params) {
   return `${title}
 ${summary.join("\n")}`;
 }
-async function handleFinishedAnalysis({
+async function getRelevantVulenrabilitiesFromDiff(params) {
+  const { gqlClient, diff, vulnerabilityReportId } = params;
+  const parsedDiff = parseDiff2(diff);
+  const fileHunks = parsedDiff.map((file) => {
+    const fileNumbers = file.chunks.flatMap((chunk) => chunk.changes).filter((change) => change.type === "add").map((_change) => {
+      const change = _change;
+      return change.ln;
+    });
+    const lineAddedRanges = calculateRanges(fileNumbers);
+    const fileFilter = {
+      path: z10.string().parse(file.to),
+      ranges: lineAddedRanges.map(([startLine, endLine]) => ({
+        endLine,
+        startLine
+      }))
+    };
+    return fileFilter;
+  });
+  return gqlClient.getVulByNodesMetadata({
+    hunks: fileHunks,
+    vulnerabilityReportId
+  });
+}
+async function getFixesData(params) {
+  const { gqlClient, fixesId } = params;
+  const { fixes } = await gqlClient.getFixes(fixesId);
+  return keyBy(fixes, "id");
+}
+async function postAnalysisSummary(params) {
+  const { prVulenrabilities, fixesById, pullRequest, scm } = params;
+  if (Object.values(fixesById).length === 0) {
+    return;
+  }
+  const analysisSummaryComment = buildAnalysisSummaryComment({
+    fixesById,
+    prVulenrabilities
+  });
+  await scm.postGeneralPrComment({
+    body: analysisSummaryComment,
+    prNumber: pullRequest
+  });
+}
+async function postAnalysisInsightComment(params) {
+  const { prVulenrabilities, pullRequest, scanner, scm } = params;
+  const scanerString = scannerToFriendlyString[scanner];
+  const {
+    totalPrVulnerabilities,
+    vulnerabilitiesOutsidePr,
+    fixablePrVuls,
+    nonFixablePrVuls
+  } = prVulenrabilities;
+  debug3({
+    fixablePrVuls,
+    nonFixablePrVuls,
+    vulnerabilitiesOutsidePr,
+    totalPrVulnerabilities
+  });
+  if (totalPrVulnerabilities === 0 && vulnerabilitiesOutsidePr === 0) {
+    const body = `Awesome! No vulnerabilities were found  by **${scanerString}**`;
+    const noVulsFoundComment = `${noVulnerabilitiesFoundTitle}
+${body}`;
+    await scm.postGeneralPrComment({
+      body: noVulsFoundComment,
+      prNumber: pullRequest
+    });
+    return;
+  }
+  if (totalPrVulnerabilities === 0 && vulnerabilitiesOutsidePr > 0) {
+    const body = `Awesome! No vulnerabilities were found by **${scanerString}** in the changes made as part of this PR.`;
+    const body2 = `Please notice there are issues in this repo that are unrelated to this PR.`;
+    const noVulsFoundComment = `${noVulnerabilitiesFoundTitle}
+${body}
+${body2}`;
+    await scm.postGeneralPrComment({
+      body: noVulsFoundComment,
+      prNumber: pullRequest
+    });
+    return;
+  }
+  if (fixablePrVuls === 0 && nonFixablePrVuls > 0) {
+    const title = `# ${MobbIconMarkdown} We couldn't fix the issues detected by **${scanerString}**`;
+    const body = `Mobb Fixer gets better and better every day, but unfortunately your current issues aren't supported yet.`;
+    const noFixableVulsComment = `${title}
+${body}
+${contactUsMarkdown}`;
+    await scm.postGeneralPrComment({
+      body: noFixableVulsComment,
+      prNumber: pullRequest
+    });
+    return;
+  }
+  if (fixablePrVuls < nonFixablePrVuls && fixablePrVuls > 0) {
+    const title = `# ${MobbIconMarkdown} We couldn't fix some of the issues detected by **${scanerString}**`;
+    const body = "Mobb Fixer gets better and better every day, but unfortunately your current issues aren't supported yet.";
+    const fixableVulsComment = `${title}
+${body}
+${contactUsMarkdown}`;
+    await scm.postGeneralPrComment({
+      body: fixableVulsComment,
+      prNumber: pullRequest
+    });
+    return;
+  }
+}
+
+// src/features/analysis/add_fix_comments_for_pr/add_fix_comments_for_pr.ts
+var debug4 = Debug4("mobbdev:handle-finished-analysis");
+async function addFixCommentsForPr({
   analysisId,
   scm: _scm,
   gqlClient,
-  githubActionToken,
   scanner
 }) {
-  const githubActionOctokit = new Octokit3({ auth: githubActionToken });
   if (_scm instanceof GithubSCMLib === false) {
     return;
   }
   const scm = _scm;
-  const getAnalysis = await gqlClient.getAnalysis(analysisId);
+  const getAnalysisRes = await gqlClient.getAnalysis(analysisId);
+  debug4("getAnalysis %o", getAnalysisRes);
   const {
     vulnerabilityReport: {
       projectId,
       project: { organizationId }
     }
-  } = getAnalysis;
-  if (!getAnalysis.repo || !getAnalysis.repo.commitSha || !getAnalysis.repo.pullRequest) {
+  } = getAnalysisRes;
+  if (!getAnalysisRes.repo || !getAnalysisRes.repo.commitSha || !getAnalysisRes.repo.pullRequest) {
     throw new Error("repo not found");
   }
-  const { commitSha, pullRequest } = getAnalysis.repo;
+  const { commitSha, pullRequest } = getAnalysisRes.repo;
   const diff = await scm.getPrDiff({ pull_number: pullRequest });
   const prVulenrabilities = await getRelevantVulenrabilitiesFromDiff({
     diff,
     gqlClient,
-    vulnerabilityReportId: getAnalysis.vulnerabilityReportId
+    vulnerabilityReportId: getAnalysisRes.vulnerabilityReportId
   });
   const { vulnerabilityReportIssueCodeNodes } = prVulenrabilities;
   const fixesId = vulnerabilityReportIssueCodeNodes.map(
@@ -4332,217 +4086,484 @@ async function handleFinishedAnalysis({
   );
   const fixesById = await getFixesData({ fixesId, gqlClient });
   const [comments, generalPrComments] = await Promise.all([
-    scm.getPrComments({ pull_number: pullRequest }, githubActionOctokit),
-    scm.getGeneralPrComments(
-      { prNumber: pullRequest },
-      { authToken: githubActionToken }
-    )
+    scm.getPrComments({ pull_number: pullRequest }),
+    scm.getGeneralPrComments({ prNumber: pullRequest })
   ]);
-  async function postAnalysisSummary() {
-    if (Object.values(fixesById).length === 0) {
-      return;
+  await Promise.all([
+    ...deleteAllPreviousComments({ comments, scm }),
+    ...deleteAllPreviousGeneralPrComments({ generalPrComments, scm })
+  ]);
+  await Promise.all([
+    ...prVulenrabilities.vulnerabilityReportIssueCodeNodes.map(
+      (vulnerabilityReportIssueCodeNode) => {
+        return postFixComment({
+          vulnerabilityReportIssueCodeNode,
+          projectId,
+          analysisId,
+          organizationId,
+          fixesById,
+          scm,
+          pullRequest,
+          scanner,
+          commitSha
+        });
+      }
+    ),
+    postAnalysisInsightComment({
+      prVulenrabilities,
+      pullRequest,
+      scanner,
+      scm
+    }),
+    postAnalysisSummary({
+      fixesById,
+      prVulenrabilities,
+      pullRequest,
+      scm
+    })
+  ]);
+}
+
+// src/features/analysis/git.ts
+import Debug5 from "debug";
+import { simpleGit as simpleGit2 } from "simple-git";
+var debug5 = Debug5("mobbdev:git");
+var GIT_NOT_INITIALIZED_ERROR_MESSAGE = "not a git repository";
+async function getGitInfo(srcDirPath) {
+  debug5("getting git info for %s", srcDirPath);
+  const git = simpleGit2({
+    baseDir: srcDirPath,
+    maxConcurrentProcesses: 1,
+    trimmed: true
+  });
+  let repoUrl = "";
+  let hash = "";
+  let reference = "";
+  try {
+    repoUrl = (await git.getConfig("remote.origin.url")).value || "";
+    hash = await git.revparse(["HEAD"]) || "";
+    reference = await git.revparse(["--abbrev-ref", "HEAD"]) || "";
+  } catch (e) {
+    if (e instanceof Error) {
+      debug5("failed to run git %o", e);
+      if (e.message.includes(" spawn ")) {
+        debug5("git cli not installed");
+      } else if (e.message.includes(GIT_NOT_INITIALIZED_ERROR_MESSAGE)) {
+        debug5("folder is not a git repo");
+        return {
+          success: false,
+          hash: void 0,
+          reference: void 0,
+          repoUrl: void 0
+        };
+      } else {
+        throw e;
+      }
+    }
+    throw e;
+  }
+  if (repoUrl.endsWith(".git")) {
+    repoUrl = repoUrl.slice(0, -".git".length);
+  }
+  if (repoUrl.startsWith("git@github.com:")) {
+    repoUrl = repoUrl.replace("git@github.com:", "https://github.com/");
+  }
+  return {
+    success: true,
+    repoUrl,
+    hash,
+    reference
+  };
+}
+
+// src/features/analysis/graphql/gql.ts
+import Debug6 from "debug";
+import { GraphQLClient } from "graphql-request";
+import { v4 as uuidv4 } from "uuid";
+
+// src/features/analysis/graphql/subscribe.ts
+import { createClient } from "graphql-ws";
+import WebSocket from "ws";
+var SUBSCRIPTION_TIMEOUT_MS = 10 * 60 * 1e3;
+function createWSClient(options) {
+  return createClient({
+    url: options.url,
+    webSocketImpl: options.websocket || WebSocket,
+    connectionParams: () => {
+      return {
+        headers: options.type === "apiKey" ? {
+          [API_KEY_HEADER_NAME]: options.apiKey
+        } : { authorization: `Bearer ${options.token}` }
+      };
+    }
+  });
+}
+function subscribe(query, variables, callback, wsClientOptions) {
+  return new Promise((resolve, reject) => {
+    let timer = null;
+    const { timeoutInMs = SUBSCRIPTION_TIMEOUT_MS } = wsClientOptions;
+    const client = createWSClient({
+      ...wsClientOptions,
+      websocket: WebSocket,
+      url: API_URL.replace("http", "ws")
+    });
+    const unsubscribe = client.subscribe(
+      { query, variables },
+      {
+        next: (data) => {
+          function callbackResolve(data2) {
+            unsubscribe();
+            if (timer) {
+              clearTimeout(timer);
+            }
+            resolve(data2);
+          }
+          function callbackReject(data2) {
+            unsubscribe();
+            if (timer) {
+              clearTimeout(timer);
+            }
+            reject(data2);
+          }
+          if (!data.data) {
+            reject(
+              new Error(
+                `Broken data object from graphQL subscribe: ${JSON.stringify(
+                  data
+                )} for query: ${query}`
+              )
+            );
+          } else {
+            callback(callbackResolve, callbackReject, data.data);
+          }
+        },
+        error: (error) => {
+          if (timer) {
+            clearTimeout(timer);
+          }
+          reject(error);
+        },
+        complete: () => {
+          return;
+        }
+      }
+    );
+    if (typeof timeoutInMs === "number") {
+      timer = setTimeout(() => {
+        unsubscribe();
+        reject(
+          new Error(
+            `Timeout expired for graphQL subscribe query: ${query} with timeout: ${timeoutInMs}`
+          )
+        );
+      }, timeoutInMs);
+    }
+  });
+}
+
+// src/features/analysis/graphql/types.ts
+import { z as z11 } from "zod";
+var VulnerabilityReportIssueCodeNodeZ = z11.object({
+  vulnerabilityReportIssueId: z11.string(),
+  path: z11.string(),
+  startLine: z11.number(),
+  vulnerabilityReportIssue: z11.object({
+    fixId: z11.string()
+  })
+});
+var GetVulByNodesMetadataZ = z11.object({
+  vulnerabilityReportIssueCodeNodes: z11.array(VulnerabilityReportIssueCodeNodeZ),
+  nonFixablePrVuls: z11.object({
+    aggregate: z11.object({
+      count: z11.number()
+    })
+  }),
+  fixablePrVuls: z11.object({
+    aggregate: z11.object({
+      count: z11.number()
+    })
+  }),
+  totalScanVulnerabilities: z11.object({
+    aggregate: z11.object({
+      count: z11.number()
+    })
+  })
+});
+
+// src/features/analysis/graphql/gql.ts
+var debug6 = Debug6("mobbdev:gql");
+var API_KEY_HEADER_NAME = "x-mobb-key";
+var REPORT_STATE_CHECK_DELAY = 5 * 1e3;
+var GQLClient = class {
+  constructor(args) {
+    __publicField(this, "_client");
+    __publicField(this, "_clientSdk");
+    __publicField(this, "_auth");
+    debug6(`init with  ${args}`);
+    this._auth = args;
+    this._client = new GraphQLClient(API_URL, {
+      headers: args.type === "apiKey" ? { [API_KEY_HEADER_NAME]: args.apiKey || "" } : {
+        Authorization: `Bearer ${args.token}`
+      },
+      requestMiddleware: (request) => {
+        const requestId = uuidv4();
+        debug6(
+          `sending API request with id: ${requestId} and with request: ${request.body}`
+        );
+        return {
+          ...request,
+          headers: {
+            ...request.headers,
+            "x-hasura-request-id": requestId
+          }
+        };
+      }
+    });
+    this._clientSdk = getSdk(this._client);
+  }
+  async getUserInfo() {
+    const { me } = await this._clientSdk.Me();
+    return me;
+  }
+  async createCliLogin(variables) {
+    const res = await this._clientSdk.CreateCliLogin(variables, {
+      // We may have outdated API key in the config storage. Avoid using it for the login request.
+      [API_KEY_HEADER_NAME]: ""
+    });
+    return res.insert_cli_login_one?.id || "";
+  }
+  async verifyToken() {
+    await this.createCommunityUser();
+    try {
+      await this.getUserInfo();
+    } catch (e) {
+      debug6("verify token failed %o", e);
+      return false;
+    }
+    return true;
+  }
+  async getOrgAndProjectId(projectName) {
+    const getOrgAndProjectIdResult = await this._clientSdk.getOrgAndProjectId();
+    const org = getOrgAndProjectIdResult?.users?.at(0)?.userOrganizationsAndUserOrganizationRoles?.at(0)?.organization;
+    if (!org?.id) {
+      throw new Error("Organization not found");
+    }
+    const project = projectName ? org?.projects.find((project2) => project2.name === projectName) ?? null : org?.projects[0];
+    if (!project?.id) {
+      throw new Error("Project not found");
+    }
+    let projectId = project?.id;
+    if (!projectId) {
+      const createdProject = await this._clientSdk.CreateProject({
+        organizationId: org.id,
+        projectName: projectName || "My project"
+      });
+      projectId = createdProject.createProject.projectId;
+    }
+    return {
+      organizationId: org.id,
+      projectId
+    };
+  }
+  async getEncryptedApiToken(variables) {
+    const res = await this._clientSdk.GetEncryptedApiToken(variables, {
+      // We may have outdated API key in the config storage. Avoid using it for the login request.
+      [API_KEY_HEADER_NAME]: ""
+    });
+    return res?.cli_login_by_pk?.encryptedApiToken || null;
+  }
+  async createCommunityUser() {
+    try {
+      await this._clientSdk.CreateCommunityUser();
+    } catch (e) {
+      debug6("create community user failed %o", e);
     }
-    const analysisSummaryComment = buildAnalysisSummaryComment({
-      fixesById,
-      prVulenrabilities
+  }
+  async updateScmToken(args) {
+    const { scmType, url, token, org, username, refreshToken } = args;
+    const updateScmTokenResult = await this._clientSdk.updateScmToken({
+      scmType,
+      url,
+      token,
+      org,
+      username,
+      refreshToken
     });
-    await scm.postGeneralPrComment(
-      {
-        body: analysisSummaryComment,
-        prNumber: pullRequest
-      },
-      { authToken: githubActionToken }
-    );
+    return updateScmTokenResult;
   }
-  function deleteAllPreviousGeneralPrComments() {
-    return generalPrComments.data.filter((comment) => {
-      if (!comment.body) {
-        return false;
-      }
-      return comment.body.includes(MOBB_ICON_IMG);
-    }).map((comment) => {
-      try {
-        return scm.deleteGeneralPrComment(
-          { commentId: comment.id },
-          { authToken: githubActionToken }
-        );
-      } catch (e) {
-        debug5("delete comment failed %s", e);
-        return Promise.resolve();
-      }
+  async uploadS3BucketInfo() {
+    const uploadS3BucketInfoResult = await this._clientSdk.uploadS3BucketInfo({
+      fileName: "report.json"
     });
+    return uploadS3BucketInfoResult;
   }
-  function deleteAllPreviousComments() {
-    return comments.data.filter((comment) => {
-      return comment.body.includes(MOBB_ICON_IMG);
-    }).map((comment) => {
-      try {
-        return scm.deleteComment(
-          { comment_id: comment.id },
-          githubActionOctokit
-        );
-      } catch (e) {
-        debug5("delete comment failed %s", e);
-        return Promise.resolve();
-      }
+  async getVulByNodesMetadata({
+    hunks,
+    vulnerabilityReportId
+  }) {
+    const filters = hunks.map((hunk) => {
+      const filter = {
+        path: { _eq: hunk.path },
+        _or: hunk.ranges.flatMap(({ endLine, startLine }) => {
+          return [
+            { startLine: { _gte: startLine, _lte: endLine } },
+            { endLine: { _gte: startLine, _lte: endLine } }
+          ];
+        })
+      };
+      return filter;
+    });
+    const getVulByNodesMetadataRes = await this._clientSdk.getVulByNodesMetadata({
+      filters: { _or: filters },
+      vulnerabilityReportId
     });
+    const parsedGetVulByNodesMetadataRes = GetVulByNodesMetadataZ.parse(
+      getVulByNodesMetadataRes
+    );
+    const uniqueVulByNodesMetadata = parsedGetVulByNodesMetadataRes.vulnerabilityReportIssueCodeNodes.reduce((acc, vulnerabilityReportIssueCodeNode) => {
+      if (acc[vulnerabilityReportIssueCodeNode.vulnerabilityReportIssueId]) {
+        return acc;
+      }
+      return {
+        ...acc,
+        [vulnerabilityReportIssueCodeNode.vulnerabilityReportIssueId]: vulnerabilityReportIssueCodeNode
+      };
+    }, {});
+    const nonFixablePrVuls = parsedGetVulByNodesMetadataRes.nonFixablePrVuls.aggregate.count;
+    const fixablePrVuls = parsedGetVulByNodesMetadataRes.fixablePrVuls.aggregate.count;
+    const totalScanVulnerabilities = parsedGetVulByNodesMetadataRes.totalScanVulnerabilities.aggregate.count;
+    const vulnerabilitiesOutsidePr = totalScanVulnerabilities - nonFixablePrVuls - fixablePrVuls;
+    const totalPrVulnerabilities = nonFixablePrVuls + fixablePrVuls;
+    return {
+      vulnerabilityReportIssueCodeNodes: Object.values(
+        uniqueVulByNodesMetadata
+      ),
+      nonFixablePrVuls,
+      fixablePrVuls,
+      totalScanVulnerabilities,
+      vulnerabilitiesOutsidePr,
+      totalPrVulnerabilities
+    };
   }
-  await Promise.all([
-    ...deleteAllPreviousComments(),
-    ...deleteAllPreviousGeneralPrComments()
-  ]);
-  async function postFixComment(vulnerabilityReportIssueCodeNode) {
-    const {
-      path: path9,
-      startLine,
-      vulnerabilityReportIssue: { fixId }
-    } = vulnerabilityReportIssueCodeNode;
-    const fix = fixesById[fixId];
-    if (!fix || fix.patchAndQuestions.__typename !== "FixData") {
-      throw new Error(`fix ${fixId} not found`);
+  async digestVulnerabilityReport({
+    fixReportId,
+    projectId,
+    scanSource
+  }) {
+    const res = await this._clientSdk.DigestVulnerabilityReport({
+      fixReportId,
+      vulnerabilityReportFileName: "report.json",
+      projectId,
+      scanSource
+    });
+    if (res.digestVulnerabilityReport.__typename !== "VulnerabilityReport") {
+      throw new Error("Digesting vulnerability report failed");
     }
+    return res.digestVulnerabilityReport;
+  }
+  async submitVulnerabilityReport(params) {
     const {
-      patchAndQuestions: { patch }
-    } = fix;
-    const commentRes = await scm.postPrComment(
-      {
-        body: "empty",
-        pull_number: pullRequest,
-        commit_id: commitSha,
-        path: path9,
-        line: startLine
-      },
-      githubActionOctokit
-    );
-    const commentId = commentRes.data.id;
-    const commitUrl = getCommitUrl({
-      appBaseUrl: WEB_APP_URL,
-      fixId,
+      fixReportId,
+      repoUrl,
+      reference,
       projectId,
-      analysisId,
-      organizationId,
-      redirectUrl: commentRes.data.html_url,
-      commentId
-    });
-    const fixUrl = getFixUrlWithRedirect({
-      appBaseUrl: WEB_APP_URL,
-      fixId,
+      sha,
+      experimentalEnabled,
+      vulnerabilityReportFileName,
+      pullRequest
+    } = params;
+    return await this._clientSdk.SubmitVulnerabilityReport({
+      fixReportId,
+      repoUrl,
+      reference,
+      vulnerabilityReportFileName,
       projectId,
-      analysisId,
-      organizationId,
-      redirectUrl: commentRes.data.html_url,
-      commentId
+      pullRequest,
+      sha: sha || "",
+      experimentalEnabled,
+      scanSource: params.scanSource
     });
-    const scanerString = scannerToFriendlyString(scanner);
-    const issueType = getIssueType(fix.issueType ?? null);
-    const title = `# ${MobbIconMarkdown} ${issueType} fix is ready`;
-    const subTitle = `### Apply the following code change to fix ${issueType} issue detected by **${scanerString}**:`;
-    const diff2 = `\`\`\`diff
-${patch} 
-\`\`\``;
-    const fixPageLink = `[Learn more and fine tune the fix](${fixUrl})`;
-    return await scm.updatePrComment(
-      {
-        body: `${title}
-${subTitle}
-${diff2}
-${commitFixButton(
-          commitUrl
-        )}
-${fixPageLink}`,
-        comment_id: commentId
+  }
+  async getFixReportState(fixReportId) {
+    const res = await this._clientSdk.FixReportState({ id: fixReportId });
+    return res?.fixReport_by_pk?.state || "Created" /* Created */;
+  }
+  async waitFixReportInit(fixReportId, includeDigested = false) {
+    const FINAL_STATES = [
+      "Finished" /* Finished */,
+      "Failed" /* Failed */
+    ];
+    let lastState = "Created" /* Created */;
+    let attempts = 100;
+    if (includeDigested) {
+      FINAL_STATES.push("Digested" /* Digested */);
+    }
+    do {
+      await sleep(REPORT_STATE_CHECK_DELAY);
+      lastState = await this.getFixReportState(fixReportId);
+    } while (!FINAL_STATES.includes(
+      lastState
+      // wait for final the state of the fix report
+    ) && attempts-- > 0);
+    return lastState;
+  }
+  async getVulnerabilityReportPaths(vulnerabilityReportId) {
+    const res = await this._clientSdk.GetVulnerabilityReportPaths({
+      vulnerabilityReportId
+    });
+    return res.vulnerability_report_path.map((p) => p.path);
+  }
+  async subscribeToAnalysis(params) {
+    const { callbackStates } = params;
+    return subscribe(
+      GetAnalysisDocument,
+      params.subscribeToAnalysisParams,
+      async (resolve, reject, data) => {
+        if (!data.analysis?.state || data.analysis?.state === "Failed" /* Failed */) {
+          reject(data);
+          throw new Error(`Analysis failed with id: ${data.analysis?.id}`);
+        }
+        if (callbackStates.includes(data.analysis?.state)) {
+          await params.callback(data.analysis.id);
+          resolve(data);
+        }
       },
-      githubActionOctokit
+      this._auth.type === "apiKey" ? {
+        apiKey: this._auth.apiKey,
+        type: "apiKey",
+        timeoutInMs: params.timeoutInMs
+      } : {
+        token: this._auth.token,
+        type: "token",
+        timeoutInMs: params.timeoutInMs
+      }
     );
   }
-  async function postAnalysisInsightComment() {
-    const scanerString = scannerToFriendlyString(scanner);
-    const {
-      totalPrVulnerabilities,
-      vulnerabilitiesOutsidePr,
-      fixablePrVuls,
-      nonFixablePrVuls
-    } = prVulenrabilities;
-    debug5({
-      fixablePrVuls,
-      nonFixablePrVuls,
-      vulnerabilitiesOutsidePr,
-      totalPrVulnerabilities
+  async getAnalysis(analysisId) {
+    const res = await this._clientSdk.getAnalsyis({
+      analysisId
     });
-    if (totalPrVulnerabilities === 0 && vulnerabilitiesOutsidePr === 0) {
-      const body = `Awesome! No vulnerabilities were found  by **${scanerString}**`;
-      const noVulsFoundComment = `${noVulnerabilitiesFoundTitle}
-${body}`;
-      await scm.postGeneralPrComment(
-        {
-          body: noVulsFoundComment,
-          prNumber: pullRequest
-        },
-        { authToken: githubActionToken }
-      );
-      return;
-    }
-    if (totalPrVulnerabilities === 0 && vulnerabilitiesOutsidePr > 0) {
-      const body = `Awesome! No vulnerabilities were found by **${scanerString}** in the changes made as part of this PR.`;
-      const body2 = `Please notice there are issues in this repo that are unrelated to this PR.`;
-      const noVulsFoundComment = `${noVulnerabilitiesFoundTitle}
-${body}
-${body2}`;
-      await scm.postGeneralPrComment(
-        {
-          body: noVulsFoundComment,
-          prNumber: pullRequest
-        },
-        { authToken: githubActionToken }
-      );
-      return;
-    }
-    if (fixablePrVuls === 0 && nonFixablePrVuls > 0) {
-      const title = `# ${MobbIconMarkdown} We couldn't fix the issues detected by **${scanerString}**`;
-      const body = `Mobb Fixer gets better and better every day, but unfortunately your current issues aren't supported yet.`;
-      const noFixableVulsComment = `${title}
-${body}
-${contactUsMarkdown}`;
-      await scm.postGeneralPrComment(
-        {
-          body: noFixableVulsComment,
-          prNumber: pullRequest
-        },
-        { authToken: githubActionToken }
-      );
-      return;
-    }
-    if (fixablePrVuls < nonFixablePrVuls && fixablePrVuls > 0) {
-      const title = `# ${MobbIconMarkdown} We couldn't fix some of the issues detected by **${scanerString}**`;
-      const body = "Mobb Fixer gets better and better every day, but unfortunately your current issues aren't supported yet.";
-      const fixableVulsComment = `${title}
-${body}
-${contactUsMarkdown}`;
-      await scm.postGeneralPrComment(
-        {
-          body: fixableVulsComment,
-          prNumber: pullRequest
-        },
-        { authToken: githubActionToken }
-      );
-      return;
+    if (!res.analysis) {
+      throw new Error(`Analysis not found: ${analysisId}`);
     }
+    return res.analysis;
   }
-  await Promise.all([
-    ...prVulenrabilities.vulnerabilityReportIssueCodeNodes.map(postFixComment),
-    postAnalysisInsightComment(),
-    postAnalysisSummary()
-  ]);
-}
+  async getFixes(fixIds) {
+    const res = await this._clientSdk.getFixes({
+      filters: { id: { _in: fixIds } }
+    });
+    return res;
+  }
+};
 
 // src/features/analysis/pack.ts
 import fs2 from "node:fs";
 import path4 from "node:path";
 import AdmZip from "adm-zip";
-import Debug6 from "debug";
+import Debug7 from "debug";
 import { globby } from "globby";
 import { isBinary } from "istextorbinary";
-var debug6 = Debug6("mobbdev:pack");
+var debug7 = Debug7("mobbdev:pack");
 var MAX_FILE_SIZE = 1024 * 1024 * 5;
 function endsWithAny(str, suffixes) {
   return suffixes.some(function(suffix) {
@@ -4553,16 +4574,17 @@ function _get_manifest_files_suffixes() {
   return ["package.json"];
 }
 async function pack(srcDirPath, vulnFiles) {
-  debug6("pack folder %s", srcDirPath);
+  debug7("pack folder %s", srcDirPath);
   const filepaths = await globby("**", {
     gitignore: true,
     onlyFiles: true,
     cwd: srcDirPath,
-    followSymbolicLinks: false
+    followSymbolicLinks: false,
+    dot: true
   });
-  debug6("files found %d", filepaths.length);
+  debug7("files found %d", filepaths.length);
   const zip = new AdmZip();
-  debug6("compressing files");
+  debug7("compressing files");
   for (const filepath of filepaths) {
     const absFilepath = path4.join(srcDirPath, filepath.toString());
     vulnFiles = vulnFiles.concat(_get_manifest_files_suffixes());
@@ -4570,21 +4592,21 @@ async function pack(srcDirPath, vulnFiles) {
       absFilepath.toString().replaceAll(path4.win32.sep, path4.posix.sep),
       vulnFiles
     )) {
-      debug6("ignoring %s because it is not a vulnerability file", filepath);
+      debug7("ignoring %s because it is not a vulnerability file", filepath);
       continue;
     }
     if (fs2.lstatSync(absFilepath).size > MAX_FILE_SIZE) {
-      debug6("ignoring %s because the size is > 5MB", filepath);
+      debug7("ignoring %s because the size is > 5MB", filepath);
       continue;
     }
     const data = fs2.readFileSync(absFilepath);
     if (isBinary(null, data)) {
-      debug6("ignoring %s because is seems to be a binary file", filepath);
+      debug7("ignoring %s because is seems to be a binary file", filepath);
       continue;
     }
     zip.addFile(filepath.toString(), data);
   }
-  debug6("get zip file buffer");
+  debug7("get zip file buffer");
   return zip.toBuffer();
 }
 
@@ -4659,7 +4681,7 @@ var cxOperatingSystemSupportMessage = `Your operating system does not support ch
 
 // src/utils/child_process.ts
 import cp from "node:child_process";
-import Debug7 from "debug";
+import Debug8 from "debug";
 import * as process2 from "process";
 import supportsColor from "supports-color";
 var { stdout: stdout2 } = supportsColor;
@@ -4678,16 +4700,16 @@ function createSpwan({ args, processPath, name }, options) {
   return createChildProcess({ childProcess: child, name }, options);
 }
 function createChildProcess({ childProcess, name }, options) {
-  const debug11 = Debug7(`mobbdev:${name}`);
+  const debug12 = Debug8(`mobbdev:${name}`);
   const { display } = options;
   return new Promise((resolve, reject) => {
     let out = "";
     const onData = (chunk) => {
-      debug11(`chunk received from ${name} std ${chunk}`);
+      debug12(`chunk received from ${name} std ${chunk}`);
       out += chunk;
     };
     if (!childProcess || !childProcess?.stdout || !childProcess?.stderr) {
-      debug11(`unable to fork ${name}`);
+      debug12(`unable to fork ${name}`);
       reject(new Error(`unable to fork ${name}`));
     }
     childProcess.stdout?.on("data", onData);
@@ -4697,11 +4719,11 @@ function createChildProcess({ childProcess, name }, options) {
       childProcess.stderr?.pipe(process2.stderr);
     }
     childProcess.on("exit", (code) => {
-      debug11(`${name} exit code ${code}`);
+      debug12(`${name} exit code ${code}`);
       resolve({ message: out, code });
     });
     childProcess.on("error", (err) => {
-      debug11(`${name} error %o`, err);
+      debug12(`${name} error %o`, err);
       reject(err);
     });
   });
@@ -4709,12 +4731,12 @@ function createChildProcess({ childProcess, name }, options) {
 
 // src/features/analysis/scanners/checkmarx.ts
 import chalk2 from "chalk";
-import Debug8 from "debug";
+import Debug9 from "debug";
 import { existsSync } from "fs";
 import { createSpinner as createSpinner2 } from "nanospinner";
 import { type } from "os";
 import path5 from "path";
-var debug7 = Debug8("mobbdev:checkmarx");
+var debug8 = Debug9("mobbdev:checkmarx");
 var require2 = createRequire(import.meta.url);
 var getCheckmarxPath = () => {
   const os2 = type();
@@ -4755,14 +4777,14 @@ function validateCheckmarxInstallation() {
   existsSync(getCheckmarxPath());
 }
 async function forkCheckmarx(args, { display }) {
-  debug7("fork checkmarx with args %o %s", args.join(" "), display);
+  debug8("fork checkmarx with args %o %s", args.join(" "), display);
   return createSpwan(
     { args, processPath: getCheckmarxPath(), name: "checkmarx" },
     { display }
   );
 }
 async function getCheckmarxReport({ reportPath, repositoryRoot, branch, projectName }, { skipPrompts = false }) {
-  debug7("get checkmarx report start %s %s", reportPath, repositoryRoot);
+  debug8("get checkmarx report start %s %s", reportPath, repositoryRoot);
   const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
     display: false
   });
@@ -4830,23 +4852,23 @@ async function validateCheckamxCredentials() {
 // src/features/analysis/scanners/snyk.ts
 import { createRequire as createRequire2 } from "node:module";
 import chalk3 from "chalk";
-import Debug9 from "debug";
+import Debug10 from "debug";
 import { createSpinner as createSpinner3 } from "nanospinner";
 import open from "open";
-var debug8 = Debug9("mobbdev:snyk");
+var debug9 = Debug10("mobbdev:snyk");
 var require3 = createRequire2(import.meta.url);
 var SNYK_PATH = require3.resolve("snyk/bin/snyk");
 var SNYK_ARTICLE_URL = "https://docs.snyk.io/scan-application-code/snyk-code/getting-started-with-snyk-code/activating-snyk-code-using-the-web-ui/step-1-enabling-the-snyk-code-option";
-debug8("snyk executable path %s", SNYK_PATH);
+debug9("snyk executable path %s", SNYK_PATH);
 async function forkSnyk(args, { display }) {
-  debug8("fork snyk with args %o %s", args, display);
+  debug9("fork snyk with args %o %s", args, display);
   return createFork(
     { args, processPath: SNYK_PATH, name: "checkmarx" },
     { display }
   );
 }
 async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
-  debug8("get snyk report start %s %s", reportPath, repoRoot);
+  debug9("get snyk report start %s %s", reportPath, repoRoot);
   const config4 = await forkSnyk(["config"], { display: false });
   const { message: configMessage } = config4;
   if (!configMessage.includes("api: ")) {
@@ -4860,7 +4882,7 @@ async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
     snykLoginSpinner.update({
       text: "\u{1F513} Waiting for Snyk login to complete"
     });
-    debug8("no token in the config %s", config4);
+    debug9("no token in the config %s", config4);
     await forkSnyk(["auth"], { display: true });
     snykLoginSpinner.success({ text: "\u{1F513} Login to Snyk Successful" });
   }
@@ -4872,12 +4894,12 @@ async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
   if (scanOutput.includes(
     "Snyk Code is not supported for org: enable in Settings > Snyk Code"
   )) {
-    debug8("snyk code is not enabled %s", scanOutput);
+    debug9("snyk code is not enabled %s", scanOutput);
     snykSpinner.error({ text: "\u{1F50D} Snyk configuration needed" });
     const answer = await snykArticlePrompt();
-    debug8("answer %s", answer);
+    debug9("answer %s", answer);
     if (answer) {
-      debug8("opening the browser");
+      debug9("opening the browser");
       await open(SNYK_ARTICLE_URL);
     }
     console.log(
@@ -4892,18 +4914,18 @@ async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
 }
 
 // src/features/analysis/upload-file.ts
-import Debug10 from "debug";
+import Debug11 from "debug";
 import fetch2, { File, fileFrom, FormData } from "node-fetch";
-var debug9 = Debug10("mobbdev:upload-file");
+var debug10 = Debug11("mobbdev:upload-file");
 async function uploadFile({
   file,
   url,
   uploadKey,
   uploadFields
 }) {
-  debug9("upload file start %s", url);
-  debug9("upload fields %o", uploadFields);
-  debug9("upload key %s", uploadKey);
+  debug10("upload file start %s", url);
+  debug10("upload fields %o", uploadFields);
+  debug10("upload key %s", uploadKey);
   const form = new FormData();
   Object.entries(uploadFields).forEach(([key, value]) => {
     form.append(key, value);
@@ -4912,10 +4934,10 @@ async function uploadFile({
     form.append("key", uploadKey);
   }
   if (typeof file === "string") {
-    debug9("upload file from path %s", file);
+    debug10("upload file from path %s", file);
     form.append("file", await fileFrom(file));
   } else {
-    debug9("upload file from buffer");
+    debug10("upload file from buffer");
     form.append("file", new File([file], "file"));
   }
   const response = await fetch2(url, {
@@ -4923,10 +4945,10 @@ async function uploadFile({
     body: form
   });
   if (!response.ok) {
-    debug9("error from S3 %s %s", response.body, response.status);
+    debug10("error from S3 %s %s", response.body, response.status);
     throw new Error(`Failed to upload the file: ${response.status}`);
   }
-  debug9("upload file done");
+  debug10("upload file done");
 }
 
 // src/features/analysis/index.ts
@@ -4946,9 +4968,9 @@ async function downloadRepo({
 }) {
   const { createSpinner: createSpinner4 } = Spinner2({ ci });
   const repoSpinner = createSpinner4("\u{1F4BE} Downloading Repo").start();
-  debug10("download repo %s %s %s", repoUrl, dirname);
+  debug11("download repo %s %s %s", repoUrl, dirname);
   const zipFilePath = path6.join(dirname, "repo.zip");
-  debug10("download URL: %s auth headers: %o", downloadUrl, authHeaders);
+  debug11("download URL: %s auth headers: %o", downloadUrl, authHeaders);
   const response = await fetch3(downloadUrl, {
     method: "GET",
     headers: {
@@ -4956,7 +4978,7 @@ async function downloadRepo({
     }
   });
   if (!response.ok) {
-    debug10("SCM zipball request failed %s %s", response.body, response.status);
+    debug11("SCM zipball request failed %s %s", response.body, response.status);
     repoSpinner.error({ text: "\u{1F4BE} Repo download failed" });
     throw new Error(`Can't access ${chalk4.bold(repoUrl)}`);
   }
@@ -4970,7 +4992,7 @@ async function downloadRepo({
   if (!repoRoot) {
     throw new Error("Repo root not found");
   }
-  debug10("repo root %s", repoRoot);
+  debug11("repo root %s", repoRoot);
   repoSpinner.success({ text: "\u{1F4BE} Repo downloaded successfully" });
   return path6.join(dirname, repoRoot);
 }
@@ -4984,7 +5006,7 @@ var getReportUrl = ({
   projectId,
   fixReportId
 }) => `${WEB_APP_URL}/organization/${organizationId}/project/${projectId}/report/${fixReportId}`;
-var debug10 = Debug11("mobbdev:index");
+var debug11 = Debug12("mobbdev:index");
 var packageJson = JSON.parse(
   fs3.readFileSync(path6.join(getDirName(), "../package.json"), "utf8")
 );
@@ -4994,7 +5016,7 @@ if (!semver.satisfies(process.version, packageJson.engines.node)) {
   );
 }
 var config2 = new Configstore(packageJson.name, { apiToken: "" });
-debug10("config %o", config2);
+debug11("config %o", config2);
 async function runAnalysis(params, options) {
   const tmpObj = tmp2.dirSync({
     unsafeCleanup: true
@@ -5053,7 +5075,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     githubToken: githubActionToken,
     command
   } = params;
-  debug10("start %s %s", dirname, repo);
+  debug11("start %s %s", dirname, repo);
   const { createSpinner: createSpinner4 } = Spinner2({ ci });
   skipPrompts = skipPrompts || ci;
   let gqlClient = new GQLClient({
@@ -5125,9 +5147,9 @@ async function _scan(params, { skipPrompts = false } = {}) {
   const reference = ref ?? await scm.getRepoDefaultBranch();
   const { sha } = await scm.getReferenceData(reference);
   const downloadUrl = await scm.getDownloadUrl(sha);
-  debug10("org id %s", organizationId);
-  debug10("project id %s", projectId);
-  debug10("default branch %s", reference);
+  debug11("org id %s", organizationId);
+  debug11("project id %s", projectId);
+  debug11("default branch %s", reference);
   const repositoryRoot = await downloadRepo({
     repoUrl: repo,
     dirname,
@@ -5174,21 +5196,6 @@ async function _scan(params, { skipPrompts = false } = {}) {
     mobbSpinner.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
     throw new Error("\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed");
   }
-  if (command === "review") {
-    await gqlClient.subscribeToAnalysis({
-      subscribeToAnalysisParams: {
-        analysisId: sendReportRes.submitVulnerabilityReport.fixReportId
-      },
-      callback: (analysisId) => handleFinishedAnalysis({
-        analysisId,
-        gqlClient,
-        scm,
-        githubActionToken: z12.string().parse(githubActionToken),
-        scanner: z12.nativeEnum(SCANNERS).parse(scanner)
-      }),
-      callbackStates: ["Finished" /* Finished */]
-    });
-  }
   mobbSpinner.success({
     text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Generating fixes..."
   });
@@ -5272,9 +5279,9 @@ async function _scan(params, { skipPrompts = false } = {}) {
       });
       loginSpinner.spin();
       if (encryptedApiToken) {
-        debug10("encrypted API token received %s", encryptedApiToken);
+        debug11("encrypted API token received %s", encryptedApiToken);
         newApiToken = crypto.privateDecrypt(privateKey, Buffer.from(encryptedApiToken, "base64")).toString("utf-8");
-        debug10("API token decrypted");
+        debug11("API token decrypted");
         break;
       }
       await sleep(LOGIN_CHECK_DELAY);
@@ -5287,7 +5294,7 @@ async function _scan(params, { skipPrompts = false } = {}) {
     }
     gqlClient = new GQLClient({ apiKey: newApiToken, type: "apiKey" });
     if (await gqlClient.verifyToken()) {
-      debug10("set api token %s", newApiToken);
+      debug11("set api token %s", newApiToken);
       config2.set("apiToken", newApiToken);
       loginSpinner.success({ text: "\u{1F513} Login to Mobb successful!" });
     } else {
@@ -5420,11 +5427,38 @@ async function _scan(params, { skipPrompts = false } = {}) {
           fixReportId: reportUploadInfo.fixReportId,
           projectId,
           repoUrl: repo || gitInfo.repoUrl || getTopLevelDirName(srcPath),
-          reference: gitInfo.reference || "no-branch",
+          reference: ref || gitInfo.reference || "no-branch",
           sha: commitHash || gitInfo.hash || "0123456789abcdef",
-          scanSource: _getScanSource(command)
+          scanSource: _getScanSource(command),
+          pullRequest: params.pullRequest
         }
       });
+      if (command === "review") {
+        const params2 = z12.object({
+          repo: z12.string().url(),
+          githubActionToken: z12.string()
+        }).parse({ repo, githubActionToken });
+        const scm2 = await SCMLib.init({
+          url: params2.repo,
+          accessToken: params2.githubActionToken,
+          scmOrg: "",
+          scmType: "GITHUB" /* GITHUB */
+        });
+        await gqlClient.subscribeToAnalysis({
+          subscribeToAnalysisParams: {
+            analysisId: reportUploadInfo.fixReportId
+          },
+          callback: (analysisId) => {
+            return addFixCommentsForPr({
+              analysisId,
+              gqlClient,
+              scm: scm2,
+              scanner: z12.nativeEnum(SCANNERS).parse(scanner)
+            });
+          },
+          callbackStates: ["Finished" /* Finished */]
+        });
+      }
     } catch (e) {
       mobbSpinner2.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
       throw e;
@@ -5450,7 +5484,8 @@ async function review(params, { skipPrompts = true } = {}) {
     mobbProjectName,
     pullRequest,
     githubToken,
-    scanner
+    scanner,
+    srcPath
   } = params;
   await runAnalysis(
     {
@@ -5465,7 +5500,8 @@ async function review(params, { skipPrompts = true } = {}) {
       pullRequest,
       githubToken,
       scanner,
-      command: "review"
+      command: "review",
+      srcPath
     },
     { skipPrompts }
   );
@@ -5749,8 +5785,15 @@ function reviewBuilder(yargs2) {
     describe: chalk8.bold("Number of the pull request"),
     type: "number",
     demandOption: true
+  }).option("p", {
+    alias: "src-path",
+    describe: chalk8.bold(
+      "Path to the repository folder with the source code"
+    ),
+    type: "string",
+    demandOption: true
   }).example(
-    "$0 review -r https://github.com/WebGoat/WebGoat -f <your_vulirabitliy_report_path>  --ch <pr_last_commit>   --pr <pr_number> --ref <pr_branch_name>  --api-key <api_key>",
+    "$0 review -r https://github.com/WebGoat/WebGoat -f <your_vulirabitliy_report_path>  --ch <pr_last_commit>   --pr <pr_number> --ref <pr_branch_name>  --api-key <api_key> --src-path <your_repo_path>",
     "add fixes to your pr"
   ).help();
 }