mobbdev 0.0.23 → 0.0.28

package/README.md

@@ -1,26 +1,34 @@
 # Bugsy
 
-Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of [Mobb](https://www.mobb.dev), the first vendor-agnostic automatic security vulnerability remediation tool. Bugsy is designed to help developers easily identify and fix security vulnerabilities in their code.
+Bugsy is a command-line interface (CLI) tool that provides automatic security vulnerability remediation for your code. It is the community edition version of [Mobb](https://www.mobb.dev), the first vendor-agnostic automated security vulnerability remediation tool. Bugsy is designed to help developers quickly identify and fix security vulnerabilities in their code.
 
-<img width="750" alt="Screenshot 2023-03-27 at 5 23 19 PM" src="https://user-images.githubusercontent.com/96389636/228070025-2a1c3aae-6b40-427f-a1e9-2b10ef97b5ea.png">
+<img width="1888" alt="Bugsy" src="./img/bugsy.png">
 
 ## What is [Mobb](https://www.mobb.dev)?
 
-[Mobb](https://www.mobb.dev) is the first vendor-agnostic automatic security vulnerability remediation tool. It ingests SAST results from Checkmarx, GitHub Advanced Security, and Snyk and produces code fixes for developers to review and commit to their code.
+[Mobb](https://www.mobb.dev) is the first vendor-agnostic automatic security vulnerability remediation tool. It ingests SAST results from Checkmarx, CodeQL (GitHub Advanced Security), OpenText Fortify, and Snyk and produces code fixes for developers to review and commit to their code.
 
 ## What does Bugsy do?
 
+Bugsy has two modes - Analyze (the user has a pre-generated SAST report from one of the supported SAST tools) and Scan (no SAST report needed).
+
+Scan
+
 -   Uses Snyk CLI tool to run a SAST analysis on a given open-source GitHub repo
 -   Analyzes the vulnerability report to identify issues that can be remediated automatically
 -   Produces the code fixes and redirects the user to the fix report page on the Mobb platform
 
+Analyze
+
+-   Analyzes the vulnerability report to identify issues that can be remediated automatically
+-   Produces the code fixes and redirects the user to the fix report page on the Mobb platform
+
 ## Disclaimer
 
-This is a community edition version that only analyzes public GitHub repositories.
+This is a community edition version that only analyzes public GitHub repositories. Analyzing private repositories is allowed for a limited amount of time.
 Snyk CLI is used to produce a SAST vulnerability report.
 
--   Only Java projects are supported at the moment.
--   Only SQLi, CMDi, XSS, XXE, and Path Traversal are currently supported.
+-   Only Java and Node.js projects are supported at the moment.
 
 ## Usage
 
@@ -34,4 +42,4 @@ Bugsy will automatically generate a fix for each supported vulnerability identif
 
 ## Getting support
 
-If you need support using Bugsy or just want to share your thoughts and learn more, you are more than welcome to join our [discord server](https://discord.gg/Jmpb5QUa)
+If you need support using Bugsy or just want to share your thoughts and learn more, you are more than welcome to join our [discord server](https://bit.ly/Mobb-discord)

package/index.mjs

@@ -1,4 +1,4 @@
-import { analyze, scan } from './src/commands/index.mjs';
+import { analyze, scan, CliError } from './src/commands/index.mjs';
 import { parseArgs } from './src/yargs.mjs';
 import { hideBin } from 'yargs/helpers';
 
@@ -20,6 +20,11 @@ async function run() {
         await run();
         process.exit(0);
     } catch (err) {
+        if (err instanceof CliError) {
+            console.error(err.message);
+            process.exit(1);
+        }
+        // unexpected error - print stack trace
         console.error(
             'Something went wrong, please try again or contact support if issue persists.'
         );

package/package.json

@@ -1,7 +1,8 @@
 {
     "name": "mobbdev",
-    "version": "0.0.23",
+    "version": "0.0.28",
     "description": "Automated secure code remediation tool",
+    "repository": "https://github.com/mobb-dev/bugsy",
     "main": "index.mjs",
     "scripts": {
         "lint": "prettier --check . && eslint **/*.mjs",
@@ -15,6 +16,7 @@
     "author": "",
     "license": "MIT",
     "dependencies": {
+        "adm-zip": "0.5.10",
         "chalk": "5.3.0",
         "chalk-animation": "2.0.3",
         "colors": "1.4.0",
@@ -23,11 +25,13 @@
         "dotenv": "16.0.3",
         "extract-zip": "2.0.1",
         "inquirer": "9.2.7",
+        "globby": "13.2.2",
         "nanospinner": "1.1.0",
         "node-fetch": "3.3.1",
         "open": "8.4.2",
         "semver": "7.5.0",
         "snyk": "1.1118.0",
+        "simple-git": "3.19.1",
         "tmp": "0.2.1",
         "yargs": "17.7.2",
         "zod": "3.21.4"

package/src/commands/index.mjs

@@ -11,6 +11,7 @@ import path from 'path';
 const GITHUB_REPO_URL_PATTERN = new RegExp(
     'https://github.com/[\\w-]+/[\\w-]+'
 );
+export class CliError extends Error {}
 
 const UrlZ = z
     .string({
@@ -20,45 +21,53 @@ const UrlZ = z
         message: 'is not a valid github URL',
     });
 
-function printRepoUrlErrorMessage({ error, repoUrl, command }) {
+function throwRepoUrlErrorMessage({ error, repoUrl, command }) {
     const errorMessage = error.issues[error.issues.length - 1].message;
-    console.error(`\nError: ${chalk.bold(repoUrl)} is ${errorMessage}`);
-    console.error(
-        `Example: \n\tmobbdev ${command} -r ${chalk.bold(
-            'https://github.com/WebGoat/WebGoat'
-        )}`
-    );
+    const formattedErrorMessage = `\nError: ${chalk.bold(
+        repoUrl
+    )} is ${errorMessage}
+Example: \n\tmobbdev ${command} -r ${chalk.bold(
+        'https://github.com/WebGoat/WebGoat'
+    )}`;
+    throw new CliError(formattedErrorMessage);
 }
 
 export async function analyze(
-    { repo, scanFile, branch, apiKey, ci },
+    { repo, scanFile, ref, apiKey, ci, commitHash, srcPath },
     { skipPrompts = false } = {}
 ) {
     const { success, error } = UrlZ.safeParse(repo);
-    if (!success) {
-        printRepoUrlErrorMessage({
+
+    if (!success && !srcPath) {
+        throwRepoUrlErrorMessage({
             error,
             repoUrl: repo,
             command: 'analyze',
         });
-        process.exit(1);
-    }
-    if (ci && !apiKey) {
-        console.error(
-            '\nError: --ci flag requires --api-key to be provided as well'
-        );
-        process.exit(1);
     }
+
     if (!fs.existsSync(scanFile)) {
-        console.error(`\nCan't access ${chalk.bold(scanFile)}`);
-        process.exit(1);
+        throw new CliError(`\nCan't access ${chalk.bold(scanFile)}`);
     }
+
     if (path.extname(scanFile) !== '.json') {
-        console.error(`\n${chalk.bold(scanFile)} is not a json file`);
-        process.exit(1);
+        throw new CliError(`\n${chalk.bold(scanFile)} is not a json file`);
     }
+
     !ci && (await showWelcomeMessage(skipPrompts));
-    await runAnalysis({ repo, scanFile, branch, apiKey, ci }, { skipPrompts });
+
+    await runAnalysis(
+        {
+            repo,
+            scanFile,
+            ref,
+            apiKey,
+            ci,
+            commitHash,
+            srcPath,
+        },
+        { skipPrompts }
+    );
 }
 
 export async function scan(
@@ -67,23 +76,20 @@ export async function scan(
 ) {
     const { success, error } = UrlZ.safeParse(repo);
     if (ci && !apiKey) {
-        console.error(
+        throw new CliError(
             '\nError: --ci flag requires --api-key to be provided as well'
         );
-        process.exit(1);
     }
 
     if (!success) {
-        printRepoUrlErrorMessage({ error, repoUrl: repo, command: 'scan' });
-        process.exit(1);
+        throwRepoUrlErrorMessage({ error, repoUrl: repo, command: 'scan' });
     }
     !ci && (await showWelcomeMessage(skipPrompts));
     scanner ??= scanner || (await choseScanner());
     if (scanner !== SCANNERS.Snyk) {
-        console.error(
+        throw new CliError(
             'Vulnerability scanning via Bugsy is available only with Snyk at the moment. Additional scanners will follow soon.'
         );
-        process.exit(1);
     }
     await runAnalysis({ repo, scanner, branch, apiKey }, { skipPrompts });
 }

package/src/constants.mjs

@@ -20,7 +20,6 @@ const envVariablesSchema = z
         WEB_LOGIN_URL: z.string(),
         WEB_APP_URL: z.string(),
         API_URL: z.string(),
-        GITHUB_CLIENT_ID: z.string(),
     })
     .required();
 
@@ -59,4 +58,3 @@ export const mobbAscii = `
 export const WEB_LOGIN_URL = envVariables.WEB_LOGIN_URL;
 export const WEB_APP_URL = envVariables.WEB_APP_URL;
 export const API_URL = envVariables.API_URL;
-export const GITHUB_CLIENT_ID = envVariables.GITHUB_CLIENT_ID;

package/src/features/analysis/git.mjs

@@ -0,0 +1,50 @@
+import { simpleGit } from 'simple-git';
+import Debug from 'debug';
+
+const debug = Debug('mobbdev:git');
+
+export async function getGitInfo(srcDirPath) {
+    debug('getting git info for %s', srcDirPath);
+
+    const git = simpleGit({
+        baseDir: srcDirPath,
+        // binary: 'git123',
+        maxConcurrentProcesses: 1,
+        trimmed: true,
+    });
+
+    let repoUrl = '';
+    let hash = '';
+    let reference = '';
+
+    try {
+        repoUrl = (await git.getConfig('remote.origin.url')).value || '';
+        hash = (await git.revparse(['HEAD'])) || '';
+        reference = (await git.revparse(['--abbrev-ref', 'HEAD'])) || '';
+    } catch (e) {
+        debug('failed to run git %o', e);
+        if (e.message && e.message.includes(' spawn ')) {
+            debug('git cli not installed');
+        } else if (e.message && e.message.includes(' not a git repository ')) {
+            debug('folder is not a git repo');
+        } else {
+            throw e;
+        }
+    }
+
+    // Normalize git URL. We may need more generic code here, but it's not very
+    // important at the moment.
+    if (repoUrl.endsWith('.git')) {
+        repoUrl = repoUrl.slice(0, -'.git'.length);
+    }
+
+    if (repoUrl.startsWith('git@github.com:')) {
+        repoUrl = repoUrl.replace('git@github.com:', 'https://github.com/');
+    }
+
+    return {
+        repoUrl,
+        hash,
+        reference,
+    };
+}

package/src/features/analysis/github.mjs

@@ -7,14 +7,9 @@ import fetch from 'node-fetch';
 import extract from 'extract-zip';
 import Debug from 'debug';
 import { Spinner } from '../../utils.mjs';
-import { GITHUB_CLIENT_ID, WEB_APP_URL } from '../../constants.mjs';
 const pipeline = promisify(stream.pipeline);
 const debug = Debug('mobbdev:github');
 
-const githubTokenUrl = `${WEB_APP_URL}/gh-callback`;
-
-export const GITHUB_OAUTH_URL = `https://github.com/login/oauth/authorize?client_id=${GITHUB_CLIENT_ID}&scope=repo&redirect_uri=${githubTokenUrl}`;
-
 async function getRepo(slug, { token } = {}) {
     try {
         return fetch(`https://api.github.com/repos/${slug}`, {

package/src/features/analysis/gql.mjs

@@ -49,16 +49,23 @@ mutation uploadS3BucketInfo($fileName: String!) {
       uploadFieldsJSON
       uploadKey
     }
+    repoUploadInfo {
+      url
+      fixReportId
+      uploadFieldsJSON
+      uploadKey
+    }
   }
 }
 `;
 
 const SUBMIT_VULNERABILITY_REPORT = `
-mutation SubmitVulnerabilityReport($vulnerabilityReportFileName: String!, $fixReportId: String!, $repoUrl: String!, $reference: String!, $projectId: String!) {
+mutation SubmitVulnerabilityReport($vulnerabilityReportFileName: String!, $fixReportId: String!, $repoUrl: String!, $reference: String!, $projectId: String!, $sha: String) {
   submitVulnerabilityReport(
     fixReportId: $fixReportId
     repoUrl: $repoUrl
     reference: $reference
+    sha: $sha
     vulnerabilityReportFileName: $vulnerabilityReportFileName
     projectId: $projectId
   ) {
@@ -162,6 +169,13 @@ export class GQLClient {
             uploadFields: JSON.parse(
                 data.uploadS3BucketInfo.uploadInfo.uploadFieldsJSON
             ),
+
+            repoFixReportId: data.uploadS3BucketInfo.repoUploadInfo.fixReportId,
+            repoUploadKey: data.uploadS3BucketInfo.repoUploadInfo.uploadKey,
+            repoUrl: data.uploadS3BucketInfo.repoUploadInfo.url,
+            repoUploadFields: JSON.parse(
+                data.uploadS3BucketInfo.repoUploadInfo.uploadFieldsJSON
+            ),
         };
     }
 
@@ -169,7 +183,8 @@ export class GQLClient {
         fixReportId,
         repoUrl,
         reference,
-        projectId
+        projectId,
+        sha
     ) {
         await this._apiCall(SUBMIT_VULNERABILITY_REPORT, {
             fixReportId,
@@ -177,6 +192,7 @@ export class GQLClient {
             reference,
             vulnerabilityReportFileName: 'report.json',
             projectId,
+            sha: sha || '',
         });
     }
 }

package/src/features/analysis/index.mjs

@@ -8,22 +8,21 @@ import open from 'open';
 import semver from 'semver';
 import { callbackServer } from './callback-server.mjs';
 import tmp from 'tmp';
+import { CliError } from '../../commands/index.mjs';
 
 import { WEB_APP_URL } from '../../constants.mjs';
-import {
-    canReachRepo,
-    downloadRepo,
-    getDefaultBranch,
-    GITHUB_OAUTH_URL,
-} from './github.mjs';
+import { canReachRepo, downloadRepo, getDefaultBranch } from './github.mjs';
 import { GQLClient } from './gql.mjs';
 import { githubIntegrationPrompt, mobbAnalysisPrompt } from './prompts.mjs';
 import { getSnykReport } from './snyk.mjs';
 import { uploadFile } from './upload-file.mjs';
 import { keypress, Spinner } from '../../utils.mjs';
+import { pack } from './pack.mjs';
+import { getGitInfo } from './git.mjs';
 
 const webLoginUrl = `${WEB_APP_URL}/cli-login`;
 const githubSubmitUrl = `${WEB_APP_URL}/gh-callback`;
+const githubAuthUrl = `${WEB_APP_URL}/github-auth`;
 
 const MOBB_LOGIN_REQUIRED_MSG = `🔓 Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk.bgBlue(
     'press any key to continue'
@@ -40,17 +39,16 @@ const packageJson = JSON.parse(
 );
 
 if (!semver.satisfies(process.version, packageJson.engines.node)) {
-    console.error(
+    throw new CliError(
         `${packageJson.name} requires node version ${packageJson.engines.node}, but running ${process.version}.`
     );
-    process.exit(1);
 }
 
 const config = new Configstore(packageJson.name, { token: '' });
 debug('config %o', config);
 
 export async function runAnalysis(
-    { repo, scanner, scanFile, branch, apiKey, ci },
+    { repo, scanner, scanFile, apiKey, ci, commitHash, srcPath, ref },
     options
 ) {
     try {
@@ -60,9 +58,11 @@ export async function runAnalysis(
                 repo,
                 scanner,
                 scanFile,
-                branch,
+                ref,
                 apiKey,
                 ci,
+                srcPath,
+                commitHash,
             },
             options
         );
@@ -72,7 +72,7 @@ export async function runAnalysis(
 }
 
 export async function _scan(
-    { dirname, repo, scanFile, branch, apiKey, ci },
+    { dirname, repo, scanFile, branch, apiKey, ci, srcPath, commitHash, ref },
     { skipPrompts = false } = {}
 ) {
     debug('start %s %s', dirname, repo);
@@ -83,23 +83,34 @@ export async function _scan(
     apiKey ?? debug('token %s', apiKey);
     let gqlClient = new GQLClient(apiKey ? { apiKey } : { token });
     await handleMobbLogin();
+    const { projectId, organizationId } = await gqlClient.getOrgAndProjectId();
+    const uploadData = await gqlClient.uploadS3BucketInfo();
+    let reportPath = scanFile;
+
+    if (srcPath) {
+        return await uploadExistingRepo();
+    }
+
     const userInfo = await gqlClient.getUserInfo();
     let { githubToken } = userInfo;
     const isRepoAvailable = await canReachRepo(repo, {
         token: userInfo.githubToken,
     });
     if (!isRepoAvailable) {
+        if (ci) {
+            throw new Error(
+                `Cannot access repo ${repo} with the provided token, please visit ${githubAuthUrl} to refresh your Github token`
+            );
+        }
         const { token } = await handleGithubIntegration();
         githubToken = token;
     }
 
     const reference =
-        branch ?? (await getDefaultBranch(repo, { token: githubToken }));
-    const { projectId, organizationId } = await gqlClient.getOrgAndProjectId();
+        ref ?? (await getDefaultBranch(repo, { token: githubToken }));
     debug('org id %s', organizationId);
     debug('project id %s', projectId);
     debug('default branch %s', reference);
-    const uploadData = await gqlClient.uploadS3BucketInfo();
 
     const repositoryRoot = await downloadRepo(
         {
@@ -111,7 +122,9 @@ export async function _scan(
         { token: githubToken }
     );
 
-    const reportPath = scanFile || (await getReportFromSnyk());
+    if (!reportPath) {
+        reportPath = await getReportFromSnyk();
+    }
 
     const report = JSON.parse(fs.readFileSync(reportPath, 'utf8'));
     await uploadFile(
@@ -188,7 +201,7 @@ export async function _scan(
             createSpinner().start().error({
                 text: '🔓 Logged in to Mobb failed - check your api-key',
             });
-            process.exit(1);
+            throw new CliError();
         }
         const mobbLoginSpinner = createSpinner().start();
         if (!skipPrompts) {
@@ -212,7 +225,7 @@ export async function _scan(
             mobbLoginSpinner.error({
                 text: 'Something went wrong, API token is invalid.',
             });
-            process.exit(1);
+            throw new CliError();
         }
         debug('set token %s', token);
         config.set('token', token);
@@ -231,10 +244,49 @@ export async function _scan(
             throw Error('Could not reach github repo');
         }
         const result = await callbackServer(
-            GITHUB_OAUTH_URL,
+            githubAuthUrl,
             `${githubSubmitUrl}?done=true`
         );
         githubSpinner.success({ text: '🔗 Github integration successful!' });
         return result;
     }
+    async function uploadExistingRepo() {
+        const gitInfo = await getGitInfo(srcPath);
+        const zipBuffer = await pack(srcPath);
+
+        await uploadFile(
+            reportPath,
+            uploadData.url,
+            uploadData.uploadKey,
+            uploadData.uploadFields
+        );
+        await uploadFile(
+            zipBuffer,
+            uploadData.repoUrl,
+            uploadData.repoUploadKey,
+            uploadData.repoUploadFields
+        );
+
+        const mobbSpinner = createSpinner(
+            '🕵️‍♂️ Initiating Mobb analysis'
+        ).start();
+
+        try {
+            await gqlClient.submitVulnerabilityReport(
+                uploadData.fixReportId,
+                repo || gitInfo.repoUrl,
+                branch || gitInfo.reference,
+                projectId,
+                commitHash || gitInfo.hash
+            );
+        } catch (e) {
+            mobbSpinner.error({ text: '🕵️‍♂️ Mobb analysis failed' });
+            throw e;
+        }
+
+        mobbSpinner.success({
+            text: '🕵️‍♂️ Generating fixes...',
+        });
+        await askToOpenAnalysis();
+    }
 }

package/src/features/analysis/pack.mjs

@@ -0,0 +1,31 @@
+import fs from 'node:fs';
+import path from 'node:path';
+import { globby } from 'globby';
+import AdmZip from 'adm-zip';
+import Debug from 'debug';
+
+const debug = Debug('mobbdev:pack');
+
+export async function pack(srcDirPath) {
+    debug('pack folder %s', srcDirPath);
+    const filepaths = await globby('**', {
+        gitignore: true,
+        onlyFiles: true,
+        cwd: srcDirPath,
+        followSymbolicLinks: false,
+    });
+    debug('files found %d', filepaths.length);
+
+    const zip = new AdmZip();
+
+    debug('compressing files');
+    for (const filepath of filepaths) {
+        zip.addFile(
+            filepath.toString(),
+            fs.readFileSync(path.join(srcDirPath, filepath.toString()))
+        );
+    }
+
+    debug('get zip file buffer');
+    return zip.toBuffer();
+}

package/src/features/analysis/upload-file.mjs

@@ -1,10 +1,11 @@
-import fetch, { FormData, fileFrom } from 'node-fetch';
+import fetch, { FormData, fileFrom, File } from 'node-fetch';
 import Debug from 'debug';
 
 const debug = Debug('mobbdev:upload-file');
 
-export async function uploadFile(reportPath, url, uploadKey, uploadFields) {
-    debug('upload report file start %s %s', reportPath, url);
+// `file` can be string representing absolute path or buffer.
+export async function uploadFile(file, url, uploadKey, uploadFields) {
+    debug('upload file start %s', url);
     debug('upload fields %o', uploadFields);
     debug('upload key %s', uploadKey);
 
@@ -15,7 +16,13 @@ export async function uploadFile(reportPath, url, uploadKey, uploadFields) {
     }
 
     form.append('key', uploadKey);
-    form.append('file', await fileFrom(reportPath));
+    if (typeof file === 'string') {
+        debug('upload file from path %s', file);
+        form.append('file', await fileFrom(file));
+    } else {
+        debug('upload file from buffer');
+        form.append('file', new File([file], 'file'));
+    }
 
     const response = await fetch(url, {
         method: 'POST',
@@ -24,7 +31,7 @@ export async function uploadFile(reportPath, url, uploadKey, uploadFields) {
 
     if (!response.ok) {
         debug('error from S3 %s %s', response.body, response.status);
-        throw new Error(`Failed to upload the report: ${response.status}`);
+        throw new Error(`Failed to upload the file: ${response.status}`);
     }
-    debug('upload report file done');
+    debug('upload file done');
 }

package/src/yargs.mjs

@@ -3,9 +3,20 @@ import chalk from 'chalk';
 
 import { SCANNERS } from './constants.mjs';
 
-const branchOption = {
-    alias: 'branch',
-    describe: chalk.bold('Branch of the repository'),
+const refOption = {
+    describe: chalk.bold('reference of the repository (branch, tag, commit)'),
+    type: 'string',
+};
+
+const srcPathOption = {
+    alias: 'src-path',
+    describe: chalk.bold('Path to the repository folder with the source code'),
+    type: 'string',
+};
+
+const commitHash = {
+    alias: 'commit-hash',
+    describe: chalk.bold('Hash of the commit'),
     type: 'string',
 };
 
@@ -59,7 +70,7 @@ export const parseArgs = (args) => {
             builder: (yargs) => {
                 return yargs.options({
                     r: repoOption,
-                    b: branchOption,
+                    ref: refOption,
                     s: {
                         alias: 'scanner',
                         choices: Object.values(SCANNERS),
@@ -76,20 +87,41 @@ export const parseArgs = (args) => {
                 'Provide a vulnerability report and relevant code repository, get automated fixes right away.'
             ),
             builder: (yargs) => {
-                return yargs.options({
-                    f: {
-                        alias: 'scan-file',
-                        demandOption: true,
-                        describe: chalk.bold(
-                            'Select the vulnerability report to analyze'
-                        ),
-                    },
-                    r: repoOption,
-                    b: branchOption,
-                    y: yesOption,
-                    ['api-key']: apiKeyOption,
-                    ci: ciOption,
-                });
+                return yargs
+                    .options({
+                        f: {
+                            alias: 'scan-file',
+                            demandOption: true,
+                            describe: chalk.bold(
+                                'Select the vulnerability report to analyze'
+                            ),
+                        },
+                        r: {
+                            ...repoOption,
+                            demandOption: false,
+                        },
+                        p: srcPathOption,
+                        ref: refOption,
+                        ch: commitHash,
+                        y: yesOption,
+                        ['api-key']: apiKeyOption,
+                        ci: ciOption,
+                    })
+                    .check((argv) => {
+                        if (!argv.srcPath && !argv.repo) {
+                            throw new Error(
+                                'You must supply either --src-path or --repo'
+                            );
+                        }
+
+                        if (argv.ci && !argv.apiKey) {
+                            throw new Error(
+                                '--ci flag requires --api-key to be provided as well'
+                            );
+                        }
+
+                        return true;
+                    });
             },
         })
         .example('$0 scan -r https://github.com/WebGoat/WebGoat')