mobbdev 0.0.62 → 0.0.63

package/dist/index.mjs

@@ -12,8 +12,15 @@ var __publicField = (obj, key, value) => {
 // src/index.ts
 import { hideBin } from "yargs/helpers";
 
+// src/types.ts
+var mobbCliCommand = {
+  scan: "scan",
+  analyze: "analyze",
+  review: "review"
+};
+
 // src/args/yargs.ts
-import chalk8 from "chalk";
+import chalk9 from "chalk";
 import yargs from "yargs/yargs";
 
 // src/args/commands/analyze.ts
@@ -35,6 +42,7 @@ var SCANNERS = {
   Fortify: "fortify",
   Snyk: "snyk"
 };
+var SupportedScannersZ = z.enum([SCANNERS.Checkmarx, SCANNERS.Snyk]);
 var envVariablesSchema = z.object({
   WEB_APP_URL: z.string(),
   API_URL: z.string()
@@ -146,14 +154,16 @@ var CliError = class extends Error {
 };
 
 // src/features/analysis/index.ts
+import { Octokit as Octokit3 } from "@octokit/core";
 import chalk4 from "chalk";
 import Configstore from "configstore";
-import Debug9 from "debug";
+import Debug10 from "debug";
 import extract from "extract-zip";
 import fetch3 from "node-fetch";
 import open2 from "open";
 import semver from "semver";
-import tmp from "tmp";
+import tmp2 from "tmp";
+import { z as z8 } from "zod";
 
 // src/features/analysis/git.ts
 import Debug2 from "debug";
@@ -265,16 +275,22 @@ var SUBMIT_VULNERABILITY_REPORT = gql`
     $projectId: String!
     $sha: String
     $vulnerabilityReportFileName: String
+    $pullRequest: Int
   ) {
     submitVulnerabilityReport(
       fixReportId: $fixReportId
       repoUrl: $repoUrl
       reference: $reference
       sha: $sha
+      pullRequest: $pullRequest
       projectId: $projectId
       vulnerabilityReportFileName: $vulnerabilityReportFileName
     ) {
       __typename
+      ... on VulnerabilityReport {
+        vulnerabilityReportId
+        fixReportId
+      }
     }
   }
 `;
@@ -352,6 +368,136 @@ var GET_VULNERABILITY_REPORT_PATHS = gql2`
     }
   }
 `;
+var SUBSCRIBE_TO_ANALYSIS = gql2`
+  subscription getAnalysis($analysisId: uuid!) {
+    analysis: fixReport_by_pk(id: $analysisId) {
+      id
+      state
+    }
+  }
+`;
+var GET_ANALYSIS = gql2`
+  query getAnalsyis($analysisId: uuid!) {
+    analysis: fixReport_by_pk(id: $analysisId) {
+      id
+      state
+      repo {
+        commitSha
+        pullRequest
+      }
+      fixes {
+        id
+        issueType
+        vulnerabilityReportIssues {
+          issueLanguage
+          state
+          issueType
+          vendorIssueId
+        }
+      }
+      vulnerabilityReport {
+        projectId
+        project {
+          organizationId
+        }
+        file {
+          signedFile {
+            url
+          }
+        }
+      }
+    }
+  }
+`;
+var GET_FIX = gql2`
+  query getFix($fixId: uuid!) {
+    fix_by_pk(id: $fixId) {
+      patchAndQuestions {
+        patch
+      }
+    }
+  }
+`;
+
+// src/features/analysis/graphql/subscirbe.ts
+import { createClient } from "graphql-ws";
+import WebSocket from "ws";
+var SUBSCRIPTION_TIMEOUT_MS = 5 * 60 * 1e3;
+function createWSClient(options) {
+  return createClient({
+    url: options.url,
+    webSocketImpl: options.websocket || WebSocket,
+    connectionParams: () => {
+      return {
+        headers: {
+          [API_KEY_HEADER_NAME]: options.apiKey
+        }
+      };
+    }
+  });
+}
+function subscribe(query, variables, callback, wsClientOptions) {
+  return new Promise((resolve, reject) => {
+    let timer = null;
+    const { timeoutInMs = SUBSCRIPTION_TIMEOUT_MS } = wsClientOptions;
+    const client = createWSClient({
+      ...wsClientOptions,
+      websocket: WebSocket,
+      url: API_URL.replace("http", "ws")
+    });
+    const unsubscribe = client.subscribe(
+      { query, variables },
+      {
+        next: (data) => {
+          function callbackResolve(data2) {
+            unsubscribe();
+            if (timer) {
+              clearTimeout(timer);
+            }
+            resolve(data2);
+          }
+          function callbackReject(data2) {
+            unsubscribe();
+            if (timer) {
+              clearTimeout(timer);
+            }
+            reject(data2);
+          }
+          if (!data.data) {
+            reject(
+              new Error(
+                `Broken data object from graphQL subscribe: ${JSON.stringify(
+                  data
+                )} for query: ${query}`
+              )
+            );
+          } else {
+            callback(callbackResolve, callbackReject, data.data);
+          }
+        },
+        error: (error) => {
+          if (timer) {
+            clearTimeout(timer);
+          }
+          reject(error);
+        },
+        complete: () => {
+          return;
+        }
+      }
+    );
+    if (typeof timeoutInMs === "number") {
+      timer = setTimeout(() => {
+        unsubscribe();
+        reject(
+          new Error(
+            `Timeout expired for graphQL subscribe query: ${query} with timeout: ${timeoutInMs}`
+          )
+        );
+      }, timeoutInMs);
+    }
+  });
+}
 
 // src/features/analysis/graphql/types.ts
 import { z as z2 } from "zod";
@@ -421,9 +567,25 @@ var DigestVulnerabilityReportZ = z2.object({
     vulnerabilityReportId: z2.string()
   })
 });
+var AnalysisStateZ = z2.enum([
+  "Created",
+  "Deleted",
+  "Digested",
+  "Expired",
+  "Failed",
+  "Finished",
+  "Initialized",
+  "Requested"
+]);
 var GetFixReportZ = z2.object({
   fixReport_by_pk: z2.object({
-    state: z2.string()
+    state: AnalysisStateZ
+  })
+});
+var GetFixReportSubscriptionZ = z2.object({
+  analysis: z2.object({
+    id: z2.string(),
+    state: AnalysisStateZ
   })
 });
 var GetVulnerabilityReportPathsZ = z2.object({
@@ -433,6 +595,55 @@ var GetVulnerabilityReportPathsZ = z2.object({
     })
   )
 });
+var CreateUpdateFixReportMutationZ = z2.object({
+  submitVulnerabilityReport: z2.object({
+    __typename: z2.literal("VulnerabilityReport"),
+    vulnerabilityReportId: z2.string(),
+    fixReportId: z2.string()
+  })
+});
+var GetAnalysisQueryZ = z2.object({
+  analysis: z2.object({
+    id: z2.string(),
+    state: z2.string(),
+    repo: z2.object({
+      commitSha: z2.string(),
+      pullRequest: z2.number()
+    }),
+    fixes: z2.array(
+      z2.object({
+        id: z2.string(),
+        issueType: z2.string(),
+        vulnerabilityReportIssues: z2.array(
+          z2.object({
+            issueLanguage: z2.string(),
+            state: z2.string(),
+            issueType: z2.string(),
+            vendorIssueId: z2.string()
+          })
+        )
+      })
+    ),
+    vulnerabilityReport: z2.object({
+      projectId: z2.string(),
+      project: z2.object({
+        organizationId: z2.string()
+      }),
+      file: z2.object({
+        signedFile: z2.object({
+          url: z2.string()
+        })
+      })
+    })
+  })
+});
+var GetFixQueryZ = z2.object({
+  fix_by_pk: z2.object({
+    patchAndQuestions: z2.object({
+      patch: z2.string()
+    })
+  })
+});
 
 // src/features/analysis/graphql/gql.ts
 var debug3 = Debug3("mobbdev:gql");
@@ -441,7 +652,9 @@ var REPORT_STATE_CHECK_DELAY = 5 * 1e3;
 var GQLClient = class {
   constructor(args) {
     __publicField(this, "_client");
+    __publicField(this, "_apiKey");
     const { apiKey } = args;
+    this._apiKey = apiKey;
     debug3(`init with apiKey ${apiKey}`);
     this._client = new GraphQLClient(API_URL, {
       headers: { [API_KEY_HEADER_NAME]: apiKey || "" },
@@ -539,22 +752,26 @@ var GQLClient = class {
     );
     return DigestVulnerabilityReportZ.parse(res).digestVulnerabilityReport;
   }
-  async submitVulnerabilityReport({
-    fixReportId,
-    repoUrl,
-    reference,
-    projectId,
-    sha,
-    vulnerabilityReportFileName
-  }) {
-    await this._client.request(SUBMIT_VULNERABILITY_REPORT, {
+  async submitVulnerabilityReport(params) {
+    const {
+      fixReportId,
+      repoUrl,
+      reference,
+      projectId,
+      sha,
+      vulnerabilityReportFileName,
+      pullRequest
+    } = params;
+    const res = await this._client.request(SUBMIT_VULNERABILITY_REPORT, {
       fixReportId,
       repoUrl,
       reference,
       vulnerabilityReportFileName,
       projectId,
+      pullRequest,
       sha: sha || ""
     });
+    return CreateUpdateFixReportMutationZ.parse(res);
   }
   async getFixReportState(fixReportId) {
     const res = await this._client.request(
@@ -588,957 +805,682 @@ var GQLClient = class {
       res
     ).vulnerability_report_path.map((p) => p.path);
   }
+  async subscribeToAnalysis(params, callback) {
+    return subscribe(
+      SUBSCRIBE_TO_ANALYSIS,
+      params,
+      async (resolve, reject, data) => {
+        if (data.analysis.state === "Failed") {
+          reject(data);
+          throw new Error(`Analysis failed with id: ${data.analysis.id}`);
+        }
+        if (data.analysis?.state === "Finished") {
+          await callback(data.analysis.id);
+          resolve(data);
+        }
+      },
+      {
+        apiKey: this._apiKey
+      }
+    );
+  }
+  async getAnalysis(analysisId) {
+    const res = await this._client.request(GET_ANALYSIS, {
+      analysisId
+    });
+    return GetAnalysisQueryZ.parse(res);
+  }
+  async getFix(fixId) {
+    const res = await this._client.request(GET_FIX, {
+      fixId
+    });
+    return GetFixQueryZ.parse(res);
+  }
 };
 
-// src/features/analysis/pack.ts
-import fs from "node:fs";
-import path3 from "node:path";
-import AdmZip from "adm-zip";
+// src/features/analysis/handle_finished_analysis.ts
 import Debug4 from "debug";
-import { globby } from "globby";
-import { isBinary } from "istextorbinary";
-var debug4 = Debug4("mobbdev:pack");
-var MAX_FILE_SIZE = 1024 * 1024 * 5;
-function endsWithAny(str, suffixes) {
-  return suffixes.some(function(suffix) {
-    return str.endsWith(suffix);
-  });
+import { z as z7 } from "zod";
+
+// src/features/analysis/scm/gitlab.ts
+import querystring from "node:querystring";
+import { Gitlab } from "@gitbeaker/rest";
+import { z as z5 } from "zod";
+
+// src/features/analysis/scm/scm.ts
+import { Octokit as Octokit2 } from "@octokit/core";
+
+// src/features/analysis/scm/github/github.ts
+import { RequestError } from "@octokit/request-error";
+import { Octokit } from "octokit";
+import { z as z3 } from "zod";
+
+// src/features/analysis/scm/urlParser.ts
+var pathnameParsingMap = {
+  "gitlab.com": (pathname) => {
+    if (pathname.length < 2)
+      return null;
+    return {
+      organization: pathname[0],
+      repoName: pathname[pathname.length - 1]
+    };
+  },
+  "github.com": (pathname) => {
+    if (pathname.length !== 2)
+      return null;
+    return {
+      organization: pathname[0],
+      repoName: pathname[1]
+    };
+  }
+};
+var NAME_REGEX = /[a-z0-9\-_.+]+/i;
+var parseScmURL = (scmURL) => {
+  try {
+    const url = new URL(scmURL);
+    const hostname = url.hostname.toLowerCase();
+    if (!(hostname in pathnameParsingMap))
+      return null;
+    const projectPath = url.pathname.substring(1).replace(/.git$/i, "");
+    const repo = pathnameParsingMap[hostname](
+      projectPath.split("/")
+    );
+    if (!repo)
+      return null;
+    const { organization, repoName } = repo;
+    if (!organization || !repoName)
+      return null;
+    if (!organization.match(NAME_REGEX) || !repoName.match(NAME_REGEX))
+      return null;
+    return {
+      hostname: url.hostname,
+      organization,
+      projectPath,
+      repoName
+    };
+  } catch (e) {
+    return null;
+  }
+};
+
+// src/features/analysis/scm/github/github.ts
+function removeTrailingSlash(str) {
+  return str.trim().replace(/\/+$/, "");
 }
-async function pack(srcDirPath, vulnFiles) {
-  debug4("pack folder %s", srcDirPath);
-  const filepaths = await globby("**", {
-    gitignore: true,
-    onlyFiles: true,
-    cwd: srcDirPath,
-    followSymbolicLinks: false
-  });
-  debug4("files found %d", filepaths.length);
-  const zip = new AdmZip();
-  debug4("compressing files");
-  for (const filepath of filepaths) {
-    const absFilepath = path3.join(srcDirPath, filepath.toString());
-    if (!endsWithAny(
-      absFilepath.toString().replaceAll(path3.win32.sep, path3.posix.sep),
-      vulnFiles
-    )) {
-      debug4("ignoring %s because it is not a vulnerability file", filepath);
-      continue;
+var EnvVariablesZod = z3.object({
+  GITHUB_API_TOKEN: z3.string().optional()
+});
+var { GITHUB_API_TOKEN } = EnvVariablesZod.parse(process.env);
+var GetBlameDocument = `
+      query GetBlame(
+        $owner: String!
+        $repo: String!
+        $ref: String!
+        $path: String!
+      ) {
+        repository(name: $repo, owner: $owner) {
+          # branch name
+          object(expression: $ref) {
+            # cast Target to a Commit
+            ... on Commit {
+              # full repo-relative path to blame file
+              blame(path: $path) {
+                ranges {
+                  commit {
+                    author {
+                      user {
+                        name
+                        login
+                      }
+                    }
+                    authoredDate
+                  }
+                  startingLine
+                  endingLine
+                  age
+                }
+              }
+            }
+            
+          }
+        }
+      }
+    `;
+function getOktoKit(options) {
+  const token = options?.githubAuthToken ?? GITHUB_API_TOKEN ?? "";
+  return new Octokit({ auth: token });
+}
+async function githubValidateParams(url, accessToken) {
+  try {
+    const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+    if (accessToken) {
+      await oktoKit.rest.users.getAuthenticated();
     }
-    if (fs.lstatSync(absFilepath).size > MAX_FILE_SIZE) {
-      debug4("ignoring %s because the size is > 5MB", filepath);
-      continue;
+    if (url) {
+      const { owner, repo } = parseOwnerAndRepo(url);
+      await oktoKit.rest.repos.get({ repo, owner });
     }
-    const data = fs.readFileSync(absFilepath);
-    if (isBinary(null, data)) {
-      debug4("ignoring %s because is seems to be a binary file", filepath);
-      continue;
+  } catch (e) {
+    const error = e;
+    const code = error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
+    if (code === 401 || code === 403) {
+      throw new InvalidAccessTokenError(`invalid github access token`);
     }
-    zip.addFile(filepath.toString(), data);
+    if (code === 404) {
+      throw new InvalidRepoUrlError(`invalid github repo Url ${url}`);
+    }
+    throw e;
   }
-  debug4("get zip file buffer");
-  return zip.toBuffer();
 }
-
-// src/features/analysis/prompts.ts
-import inquirer from "inquirer";
-import { createSpinner } from "nanospinner";
-var scannerChoices = [
-  { name: "Snyk", value: SCANNERS.Snyk },
-  { name: "Checkmarx", value: SCANNERS.Checkmarx },
-  { name: "Codeql", value: SCANNERS.Codeql },
-  { name: "Fortify", value: SCANNERS.Fortify }
-];
-async function choseScanner() {
-  const { scanner } = await inquirer.prompt({
-    name: "scanner",
-    message: "Choose a scanner you wish to use to scan your code",
-    type: "list",
-    choices: scannerChoices
-  });
-  return scanner;
-}
-async function tryCheckmarxConfiguarationAgain() {
-  console.log(
-    "\u{1F513} Oops, seems like checkmarx does not accept the current configuration"
-  );
-  const { confirmCheckmarxRetryConfigrations } = await inquirer.prompt({
-    name: "confirmCheckmarxRetryConfigrations",
-    type: "confirm",
-    message: "Would like to try to configure them again? ",
-    default: true
-  });
-  return confirmCheckmarxRetryConfigrations;
+async function getGithubUsername(accessToken) {
+  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+  const res = await oktoKit.rest.users.getAuthenticated();
+  return res.data.login;
 }
-async function startCheckmarxConfigationPrompt() {
-  const checkmarxConfigreSpinner = createSpinner(
-    "\u{1F513} Checkmarx needs to be configured before we start, press any key to continue"
-  ).start();
-  await keypress();
-  checkmarxConfigreSpinner.success();
+async function getGithubIsUserCollaborator(username, accessToken, repoUrl) {
+  try {
+    const { owner, repo } = parseOwnerAndRepo(repoUrl);
+    const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+    const res = await oktoKit.rest.repos.checkCollaborator({
+      owner,
+      repo,
+      username
+    });
+    if (res.status === 204) {
+      return true;
+    }
+  } catch (e) {
+    return false;
+  }
+  return false;
 }
-async function scmIntegrationPrompt(scmName) {
-  const answers = await inquirer.prompt({
-    name: "scmConfirm",
-    type: "confirm",
-    message: `It seems we don't have access to the repo, do you want to grant access to your ${scmName} account?`,
-    default: true
+async function getGithubPullRequestStatus(accessToken, repoUrl, prNumber) {
+  const { owner, repo } = parseOwnerAndRepo(repoUrl);
+  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+  const res = await oktoKit.rest.pulls.get({
+    owner,
+    repo,
+    pull_number: prNumber
   });
-  return answers.scmConfirm;
+  if (res.data.merged) {
+    return "merged";
+  }
+  if (res.data.draft) {
+    return "draft";
+  }
+  return res.data.state;
 }
-async function mobbAnalysisPrompt() {
-  const spinner = createSpinner().start();
-  spinner.update({ text: "Hit any key to view available fixes" });
-  await keypress();
-  return spinner.success();
+async function getGithubIsRemoteBranch(accessToken, repoUrl, branch) {
+  const { owner, repo } = parseOwnerAndRepo(repoUrl);
+  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+  try {
+    const res = await oktoKit.rest.repos.getBranch({
+      owner,
+      repo,
+      branch
+    });
+    return branch === res.data.name;
+  } catch (e) {
+    return false;
+  }
 }
-async function snykArticlePrompt() {
-  const { snykArticleConfirm } = await inquirer.prompt({
-    name: "snykArticleConfirm",
-    type: "confirm",
-    message: "Do you want to be taken to the relevant Snyk's online article?",
-    default: true
-  });
-  return snykArticleConfirm;
+async function getGithubRepoList(accessToken) {
+  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+  try {
+    const githubRepos = await getRepos(oktoKit);
+    return githubRepos.map(
+      (repo) => {
+        const repoLanguages = [];
+        if (repo.language) {
+          repoLanguages.push(repo.language);
+        }
+        return {
+          repoName: repo.name,
+          repoUrl: repo.html_url,
+          repoOwner: repo.owner.login,
+          repoLanguages,
+          repoIsPublic: !repo.private,
+          repoUpdatedAt: repo.updated_at
+        };
+      }
+    );
+  } catch (e) {
+    if (e instanceof RequestError && e.status === 401) {
+      return [];
+    }
+    if (e instanceof RequestError && e.status === 404) {
+      return [];
+    }
+    throw e;
+  }
 }
-
-// src/features/analysis/scanners/checkmarx.ts
-import { createRequire } from "node:module";
-
-// src/post_install/constants.mjs
-var cxOperatingSystemSupportMessage = `Your operating system does not support checkmarx.
-  You can see the list of supported operating systems here: https://github.com/Checkmarx/ast-cli#releases`;
-
-// src/utils/child_process.ts
-import cp from "node:child_process";
-import Debug5 from "debug";
-import * as process2 from "process";
-import supportsColor from "supports-color";
-var { stdout: stdout2 } = supportsColor;
-function createFork({ args, processPath, name }, options) {
-  const child = cp.fork(processPath, args, {
-    stdio: ["inherit", "pipe", "pipe", "ipc"],
-    env: { FORCE_COLOR: stdout2 ? "1" : "0" }
+async function getGithubBranchList(accessToken, repoUrl) {
+  const { owner, repo } = parseOwnerAndRepo(repoUrl);
+  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
+  const res = await oktoKit.rest.repos.listBranches({
+    owner,
+    repo,
+    per_page: 1e3,
+    page: 1
   });
-  return createChildProcess({ childProcess: child, name }, options);
+  return res.data.map((branch) => branch.name);
 }
-function createSpwan({ args, processPath, name }, options) {
-  const child = cp.spawn(processPath, args, {
-    stdio: ["inherit", "pipe", "pipe", "ipc"],
-    env: { FORCE_COLOR: stdout2 ? "1" : "0" }
+async function createPullRequest(options) {
+  const { owner, repo } = parseOwnerAndRepo(options.repoUrl);
+  const oktoKit = getOktoKit({ githubAuthToken: options.accessToken });
+  const res = await oktoKit.rest.pulls.create({
+    owner,
+    repo,
+    title: options.title,
+    body: options.body,
+    head: options.sourceBranchName,
+    base: options.targetBranchName,
+    draft: false,
+    maintainer_can_modify: true
   });
-  return createChildProcess({ childProcess: child, name }, options);
+  return res.data.number;
 }
-function createChildProcess({ childProcess, name }, options) {
-  const debug9 = Debug5(`mobbdev:${name}`);
-  const { display } = options;
-  return new Promise((resolve, reject) => {
-    let out = "";
-    const onData = (chunk) => {
-      debug9(`chunk received from ${name} std ${chunk}`);
-      out += chunk;
-    };
-    if (!childProcess || !childProcess?.stdout || !childProcess?.stderr) {
-      debug9(`unable to fork ${name}`);
-      reject(new Error(`unable to fork ${name}`));
-    }
-    childProcess.stdout?.on("data", onData);
-    childProcess.stderr?.on("data", onData);
-    if (display) {
-      childProcess.stdout?.pipe(process2.stdout);
-      childProcess.stderr?.pipe(process2.stderr);
+async function getRepos(oktoKit) {
+  const res = await oktoKit.request("GET /user/repos?sort=updated", {
+    headers: {
+      "X-GitHub-Api-Version": "2022-11-28",
+      per_page: 100
     }
-    childProcess.on("exit", (code) => {
-      debug9(`${name} exit code ${code}`);
-      resolve({ message: out, code });
-    });
-    childProcess.on("error", (err) => {
-      debug9(`${name} error %o`, err);
-      reject(err);
-    });
   });
+  return res.data;
 }
-
-// src/features/analysis/scanners/checkmarx.ts
-import chalk2 from "chalk";
-import Debug6 from "debug";
-import { existsSync } from "fs";
-import { createSpinner as createSpinner2 } from "nanospinner";
-import { type } from "os";
-import path4 from "path";
-var debug5 = Debug6("mobbdev:checkmarx");
-var require2 = createRequire(import.meta.url);
-var getCheckmarxPath = () => {
-  const os3 = type();
-  const cxFileName = os3 === "Windows_NT" ? "cx.exe" : "cx";
+async function getGithubRepoDefaultBranch(repoUrl, options) {
+  const oktoKit = getOktoKit(options);
+  const { owner, repo } = parseOwnerAndRepo(repoUrl);
+  return (await oktoKit.rest.repos.get({ repo, owner })).data.default_branch;
+}
+async function getGithubReferenceData({ ref, gitHubUrl }, options) {
+  const { owner, repo } = parseOwnerAndRepo(gitHubUrl);
+  let res;
   try {
-    return require2.resolve(`.bin/${cxFileName}`);
+    const oktoKit = getOktoKit(options);
+    res = await Promise.any([
+      getBranch({ owner, repo, branch: ref }, oktoKit).then((result) => ({
+        date: result.data.commit.commit.committer?.date ? new Date(result.data.commit.commit.committer?.date) : void 0,
+        type: "BRANCH" /* BRANCH */,
+        sha: result.data.commit.sha
+      })),
+      getCommit({ commitSha: ref, repo, owner }, oktoKit).then((commit) => ({
+        date: new Date(commit.data.committer.date),
+        type: "COMMIT" /* COMMIT */,
+        sha: commit.data.sha
+      })),
+      getTagDate({ owner, repo, tag: ref }, oktoKit).then((data) => ({
+        date: new Date(data.date),
+        type: "TAG" /* TAG */,
+        sha: data.sha
+      }))
+    ]);
+    return res;
   } catch (e) {
-    throw new CliError(cxOperatingSystemSupportMessage);
+    if (e instanceof AggregateError) {
+      throw new RefNotFoundError(`ref: ${ref} does not exist`);
+    }
+    throw e;
   }
-};
-var getCheckmarxCommandArgs = ({
-  repoPath,
-  branch,
-  fileName,
-  filePath,
-  projectName
-}) => [
-  "--project-name",
-  projectName,
-  "-s",
-  repoPath,
-  "--branch",
-  branch,
-  "--scan-types",
-  "sast",
-  "--output-path",
-  filePath,
-  "--output-name",
-  fileName,
-  "--report-format",
-  "json"
-];
-var VALIDATE_COMMAND = ["auth", "validate"];
-var CONFIGURE_COMMAND = ["configure"];
-var SCAN_COMMAND = ["scan", "create"];
-var CHECKMARX_SUCCESS_CODE = 0;
-function validateCheckmarxInstallation() {
-  existsSync(getCheckmarxPath());
 }
-async function forkCheckmarx(args, { display }) {
-  debug5("fork checkmarx with args %o %s", args.join(" "), display);
-  return createSpwan(
-    { args, processPath: getCheckmarxPath(), name: "checkmarx" },
-    { display }
-  );
+async function getBranch({ branch, owner, repo }, oktoKit) {
+  return oktoKit.rest.repos.getBranch({
+    branch,
+    owner,
+    repo
+  });
 }
-async function getCheckmarxReport({ reportPath, repositoryRoot, branch, projectName }, { skipPrompts = false }) {
-  debug5("get checkmarx report start %s %s", reportPath, repositoryRoot);
-  const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
-    display: false
+async function getTagDate({ tag, owner, repo }, oktoKit) {
+  const refResponse = await oktoKit.rest.git.getRef({
+    ref: `tags/${tag}`,
+    owner,
+    repo
   });
-  if (loginCode !== CHECKMARX_SUCCESS_CODE) {
-    if (skipPrompts) {
-      await throwCheckmarxConfigError();
-    }
-    await startCheckmarxConfigationPrompt();
-    await validateCheckamxCredentials();
+  const tagSha = refResponse.data.object.sha;
+  if (refResponse.data.object.type === "commit") {
+    const res2 = await oktoKit.rest.git.getCommit({
+      commit_sha: tagSha,
+      owner,
+      repo
+    });
+    return {
+      date: res2.data.committer.date,
+      sha: res2.data.sha
+    };
   }
-  const extension = path4.extname(reportPath);
-  const filePath = path4.dirname(reportPath);
-  const fileName = path4.basename(reportPath, extension);
-  const checkmarxCommandArgs = getCheckmarxCommandArgs({
-    repoPath: repositoryRoot,
-    branch,
-    filePath,
-    fileName,
-    projectName
+  const res = await oktoKit.rest.git.getTag({
+    tag_sha: tagSha,
+    owner,
+    repo
   });
-  console.log("\u280B \u{1F50D} Initiating Checkmarx Scan ");
-  const { code: scanCode } = await forkCheckmarx(
-    [...SCAN_COMMAND, ...checkmarxCommandArgs],
-    {
-      display: true
-    }
-  );
-  if (scanCode !== CHECKMARX_SUCCESS_CODE) {
-    createSpinner2("\u{1F50D} Something went wrong with the checkmarx scan").start().error();
-    throw new CliError();
-  }
-  await createSpinner2("\u{1F50D} Checkmarx Scan completed").start().success();
-  return true;
-}
-async function throwCheckmarxConfigError() {
-  await createSpinner2("\u{1F513} Checkmarx is not configued correctly").start().error();
-  throw new CliError(
-    `Checkmarx is not configued correctly
- you can configure it by using the ${chalk2.bold(
-      "cx configure"
-    )} command`
-  );
+  return {
+    date: res.data.tagger.date,
+    sha: res.data.sha
+  };
 }
-async function validateCheckamxCredentials() {
-  console.log(`
-        Here's a suggestion for checkmarx configuation: 
-          ${chalk2.bold("AST Base URI:")} https://ast.checkmarx.net
-          ${chalk2.bold("AST Base Auth URI (IAM):")} https://iam.checkmarx.net
-  `);
-  await forkCheckmarx(CONFIGURE_COMMAND, { display: true });
-  const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
-    display: false
+async function getCommit({
+  commitSha,
+  owner,
+  repo
+}, oktoKit) {
+  return oktoKit.rest.git.getCommit({
+    repo,
+    owner,
+    commit_sha: commitSha
   });
-  if (loginCode !== CHECKMARX_SUCCESS_CODE) {
-    const tryAgain = await tryCheckmarxConfiguarationAgain();
-    if (!tryAgain) {
-      await throwCheckmarxConfigError();
-    }
-    if (await tryCheckmarxConfiguarationAgain()) {
-      validateCheckamxCredentials();
-    }
-  }
-  await createSpinner2("\u{1F513} Checkmarx configured successfully!").start().success();
 }
-
-// src/features/analysis/scanners/snyk.ts
-import { createRequire as createRequire2 } from "node:module";
-import chalk3 from "chalk";
-import Debug7 from "debug";
-import { createSpinner as createSpinner3 } from "nanospinner";
-import open from "open";
-var debug6 = Debug7("mobbdev:snyk");
-var require3 = createRequire2(import.meta.url);
-var SNYK_PATH = require3.resolve("snyk/bin/snyk");
-var SNYK_ARTICLE_URL = "https://docs.snyk.io/scan-application-code/snyk-code/getting-started-with-snyk-code/activating-snyk-code-using-the-web-ui/step-1-enabling-the-snyk-code-option";
-debug6("snyk executable path %s", SNYK_PATH);
-async function forkSnyk(args, { display }) {
-  debug6("fork snyk with args %o %s", args, display);
-  return createFork(
-    { args, processPath: SNYK_PATH, name: "checkmarx" },
-    { display }
-  );
+function parseOwnerAndRepo(gitHubUrl) {
+  gitHubUrl = removeTrailingSlash(gitHubUrl);
+  const parsingResult = parseScmURL(gitHubUrl);
+  if (!parsingResult || parsingResult.hostname !== "github.com") {
+    throw new InvalidUrlPatternError(`invalid github repo Url ${gitHubUrl}`);
+  }
+  const { organization, repoName } = parsingResult;
+  if (!organization || !repoName) {
+    throw new InvalidUrlPatternError(`invalid github repo Url ${gitHubUrl}`);
+  }
+  return { owner: organization, repo: repoName };
 }
-async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
-  debug6("get snyk report start %s %s", reportPath, repoRoot);
-  const config3 = await forkSnyk(["config"], { display: false });
-  const { message: configMessage } = config3;
-  if (!configMessage.includes("api: ")) {
-    const snykLoginSpinner = createSpinner3().start();
-    if (!skipPrompts) {
-      snykLoginSpinner.update({
-        text: "\u{1F513} Login to Snyk is required, press any key to continue"
-      });
-      await keypress();
+async function queryGithubGraphql(query, variables, options) {
+  const token = options?.githubAuthToken ?? GITHUB_API_TOKEN ?? "";
+  const parameters = variables ?? {};
+  const authorizationHeader = {
+    headers: {
+      authorization: `bearer ${token}`
     }
-    snykLoginSpinner.update({
-      text: "\u{1F513} Waiting for Snyk login to complete"
+  };
+  try {
+    const oktoKit = getOktoKit(options);
+    const res = await oktoKit.graphql(query, {
+      ...parameters,
+      ...authorizationHeader
     });
-    debug6("no token in the config %s", config3);
-    await forkSnyk(["auth"], { display: true });
-    snykLoginSpinner.success({ text: "\u{1F513} Login to Snyk Successful" });
+    return res;
+  } catch (e) {
+    if (e instanceof RequestError) {
+      return null;
+    }
+    throw e;
   }
-  const snykSpinner = createSpinner3("\u{1F50D} Scanning your repo with Snyk ").start();
-  const { message: scanOutput } = await forkSnyk(
-    ["code", "test", `--sarif-file-output=${reportPath}`, repoRoot],
-    { display: true }
+}
+async function getGithubBlameRanges({ ref, gitHubUrl, path: path8 }, options) {
+  const { owner, repo } = parseOwnerAndRepo(gitHubUrl);
+  const variables = {
+    owner,
+    repo,
+    path: path8,
+    ref
+  };
+  const res = await queryGithubGraphql(
+    GetBlameDocument,
+    variables,
+    options
   );
-  if (scanOutput.includes(
-    "Snyk Code is not supported for org: enable in Settings > Snyk Code"
-  )) {
-    debug6("snyk code is not enabled %s", scanOutput);
-    snykSpinner.error({ text: "\u{1F50D} Snyk configuration needed" });
-    const answer = await snykArticlePrompt();
-    debug6("answer %s", answer);
-    if (answer) {
-      debug6("opening the browser");
-      await open(SNYK_ARTICLE_URL);
-    }
-    console.log(
-      chalk3.bgBlue(
-        "\nPlease enable Snyk Code in your Snyk account and try again."
-      )
-    );
-    throw Error("snyk is not enbabled");
+  if (!res?.repository?.object?.blame?.ranges) {
+    return [];
   }
-  snykSpinner.success({ text: "\u{1F50D} Snyk code scan completed" });
-  return true;
+  return res.repository.object.blame.ranges.map((range) => ({
+    startingLine: range.startingLine,
+    endingLine: range.endingLine,
+    email: range.commit.author.user.email,
+    name: range.commit.author.user.name,
+    login: range.commit.author.user.login
+  }));
 }
 
-// src/features/analysis/scm/gitlab.ts
-import querystring from "node:querystring";
-import { Gitlab } from "@gitbeaker/rest";
-import { z as z5 } from "zod";
+// src/features/analysis/scm/github/consts.ts
+var POST_COMMENT_PATH = "POST /repos/{owner}/{repo}/pulls/{pull_number}/comments";
+var DELETE_COMMENT_PATH = "DELETE /repos/{owner}/{repo}/pulls/comments/{comment_id}";
+var UPDATE_COMMENT_PATH = "PATCH /repos/{owner}/{repo}/pulls/comments/{comment_id}";
+var GET_PR_COMMENTS_PATH = "GET /repos/{owner}/{repo}/pulls/comments";
 
-// src/features/analysis/scm/github.ts
-import { RequestError } from "@octokit/request-error";
-import { Octokit } from "octokit";
-import { z as z3 } from "zod";
+// src/features/analysis/scm/github/github-v2.ts
+function postPrComment(client, params) {
+  return client.request(POST_COMMENT_PATH, params);
+}
+function updatePrComment(client, params) {
+  return client.request(UPDATE_COMMENT_PATH, params);
+}
+function getPrComments(client, params) {
+  return client.request(GET_PR_COMMENTS_PATH, params);
+}
+function deleteComment(client, params) {
+  return client.request(DELETE_COMMENT_PATH, params);
+}
 
-// src/features/analysis/scm/urlParser.ts
-var pathnameParsingMap = {
-  "gitlab.com": (pathname) => {
-    if (pathname.length < 2)
-      return null;
-    return {
-      organization: pathname[0],
-      repoName: pathname[pathname.length - 1]
-    };
-  },
-  "github.com": (pathname) => {
-    if (pathname.length !== 2)
-      return null;
-    return {
-      organization: pathname[0],
-      repoName: pathname[1]
-    };
+// src/features/analysis/scm/scmSubmit.ts
+import fs from "node:fs/promises";
+import os from "os";
+import path3 from "path";
+import { simpleGit as simpleGit2 } from "simple-git";
+import tmp from "tmp";
+import { z as z4 } from "zod";
+var isValidBranchName = async (branchName) => {
+  const git = simpleGit2();
+  try {
+    const res = await git.raw(["check-ref-format", "--branch", branchName]);
+    if (res) {
+      return true;
+    }
+    return false;
+  } catch (e) {
+    return false;
   }
 };
-var NAME_REGEX = /[a-z0-9\-_.+]+/i;
-var parseScmURL = (scmURL) => {
-  try {
-    const url = new URL(scmURL);
-    const hostname = url.hostname.toLowerCase();
-    if (!(hostname in pathnameParsingMap))
-      return null;
-    const projectPath = url.pathname.substring(1).replace(/.git$/i, "");
-    const repo = pathnameParsingMap[hostname](
-      projectPath.split("/")
-    );
-    if (!repo)
-      return null;
-    const { organization, repoName } = repo;
-    if (!organization || !repoName)
-      return null;
-    if (!organization.match(NAME_REGEX) || !repoName.match(NAME_REGEX))
-      return null;
-    return {
-      hostname: url.hostname,
-      organization,
-      projectPath,
-      repoName
-    };
-  } catch (e) {
-    return null;
-  }
+var BaseSubmitToScmMessageZ = z4.object({
+  submitFixRequestId: z4.string().uuid(),
+  fixes: z4.array(
+    z4.object({
+      fixId: z4.string().uuid(),
+      diff: z4.string()
+    })
+  ),
+  commitHash: z4.string(),
+  repoUrl: z4.string()
+});
+var submitToScmMessageType = {
+  commitToSameBranch: "commitToSameBranch",
+  submitFixesForDifferentBranch: "submitFixesForDifferentBranch"
 };
-
-// src/features/analysis/scm/github.ts
-function removeTrailingSlash(str) {
-  return str.trim().replace(/\/+$/, "");
-}
-var EnvVariablesZod = z3.object({
-  GITHUB_API_TOKEN: z3.string().optional()
+var CommitToSameBranchParamsZ = BaseSubmitToScmMessageZ.merge(
+  z4.object({
+    type: z4.literal(submitToScmMessageType.commitToSameBranch),
+    branch: z4.string()
+  })
+);
+var SubmitFixesToDifferentBranchParamsZ = z4.object({
+  type: z4.literal(submitToScmMessageType.submitFixesForDifferentBranch),
+  submitBranch: z4.string(),
+  baseBranch: z4.string()
+}).merge(BaseSubmitToScmMessageZ);
+var SubmitFixesMessageZ = z4.union([
+  CommitToSameBranchParamsZ,
+  SubmitFixesToDifferentBranchParamsZ
+]);
+var FixResponseArrayZ = z4.array(
+  z4.object({
+    fixId: z4.string().uuid()
+  })
+);
+var SubmitFixesResponseMessageZ = z4.object({
+  type: z4.nativeEnum(submitToScmMessageType),
+  submitFixRequestId: z4.string().uuid(),
+  submitBranches: z4.array(
+    z4.object({
+      branchName: z4.string(),
+      fixes: FixResponseArrayZ
+    })
+  ),
+  error: z4.object({
+    type: z4.enum([
+      "InitialRepoAccessError",
+      "PushBranchError",
+      "UnknownError"
+    ]),
+    info: z4.object({
+      message: z4.string(),
+      pushBranchName: z4.string().optional()
+    })
+  }).optional()
 });
-var { GITHUB_API_TOKEN } = EnvVariablesZod.parse(process.env);
-var GetBlameDocument = `
-      query GetBlame(
-        $owner: String!
-        $repo: String!
-        $ref: String!
-        $path: String!
-      ) {
-        repository(name: $repo, owner: $owner) {
-          # branch name
-          object(expression: $ref) {
-            # cast Target to a Commit
-            ... on Commit {
-              # full repo-relative path to blame file
-              blame(path: $path) {
-                ranges {
-                  commit {
-                    author {
-                      user {
-                        name
-                        login
-                      }
-                    }
-                    authoredDate
-                  }
-                  startingLine
-                  endingLine
-                  age
-                }
-              }
-            }
-            
-          }
-        }
-      }
-    `;
-function getOktoKit(options) {
-  const token = options?.githubAuthToken ?? GITHUB_API_TOKEN ?? "";
-  return new Octokit({ auth: token });
-}
-async function githubValidateParams(url, accessToken) {
-  try {
-    const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-    if (accessToken) {
-      await oktoKit.rest.users.getAuthenticated();
-    }
-    if (url) {
-      const { owner, repo } = parseOwnerAndRepo(url);
-      await oktoKit.rest.repos.get({ repo, owner });
-    }
-  } catch (e) {
-    const error = e;
-    const code = error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
-    if (code === 401 || code === 403) {
-      throw new InvalidAccessTokenError(`invalid github access token`);
-    }
-    if (code === 404) {
-      throw new InvalidRepoUrlError(`invalid github repo Url ${url}`);
-    }
-    throw e;
+var FixesZ = z4.array(z4.object({ fixId: z4.string(), diff: z4.string() })).nonempty();
+
+// src/features/analysis/scm/scm.ts
+function getScmLibTypeFromUrl(url) {
+  if (!url) {
+    return void 0;
   }
+  if (url.toLowerCase().startsWith("https://gitlab.com/")) {
+    return "GITLAB" /* GITLAB */;
+  }
+  if (url.toLowerCase().startsWith("https://github.com/")) {
+    return "GITHUB" /* GITHUB */;
+  }
+  return void 0;
 }
-async function getGithubUsername(accessToken) {
-  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-  const res = await oktoKit.rest.users.getAuthenticated();
-  return res.data.login;
-}
-async function getGithubIsUserCollaborator(username, accessToken, repoUrl) {
+async function scmCanReachRepo({
+  repoUrl,
+  githubToken,
+  gitlabToken
+}) {
   try {
-    const { owner, repo } = parseOwnerAndRepo(repoUrl);
-    const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-    const res = await oktoKit.rest.repos.checkCollaborator({
-      owner,
-      repo,
-      username
+    const scmLibType = getScmLibTypeFromUrl(repoUrl);
+    await SCMLib.init({
+      url: repoUrl,
+      accessToken: scmLibType === "GITHUB" /* GITHUB */ ? githubToken : scmLibType === "GITLAB" /* GITLAB */ ? gitlabToken : "",
+      scmType: scmLibType
     });
-    if (res.status === 204) {
-      return true;
-    }
+    return true;
   } catch (e) {
     return false;
   }
-  return false;
 }
-async function getGithubPullRequestStatus(accessToken, repoUrl, prNumber) {
-  const { owner, repo } = parseOwnerAndRepo(repoUrl);
-  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-  const res = await oktoKit.rest.pulls.get({
-    owner,
-    repo,
-    pull_number: prNumber
-  });
-  if (res.data.merged) {
-    return "merged";
+var InvalidRepoUrlError = class extends Error {
+  constructor(m) {
+    super(m);
   }
-  if (res.data.draft) {
-    return "draft";
+};
+var InvalidAccessTokenError = class extends Error {
+  constructor(m) {
+    super(m);
   }
-  return res.data.state;
-}
-async function getGithubIsRemoteBranch(accessToken, repoUrl, branch) {
-  const { owner, repo } = parseOwnerAndRepo(repoUrl);
-  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-  try {
-    const res = await oktoKit.rest.repos.getBranch({
-      owner,
-      repo,
-      branch
-    });
-    return branch === res.data.name;
-  } catch (e) {
-    return false;
+};
+var InvalidUrlPatternError = class extends Error {
+  constructor(m) {
+    super(m);
   }
-}
-async function getGithubRepoList(accessToken) {
-  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-  try {
-    const githubRepos = await getRepos(oktoKit);
-    return githubRepos.map(
-      (repo) => {
-        const repoLanguages = [];
-        if (repo.language) {
-          repoLanguages.push(repo.language);
-        }
-        return {
-          repoName: repo.name,
-          repoUrl: repo.html_url,
-          repoOwner: repo.owner.login,
-          repoLanguages,
-          repoIsPublic: !repo.private,
-          repoUpdatedAt: repo.updated_at
-        };
-      }
-    );
-  } catch (e) {
-    if (e instanceof RequestError && e.status === 401) {
-      return [];
+};
+var RefNotFoundError = class extends Error {
+  constructor(m) {
+    super(m);
+  }
+};
+var RepoNoTokenAccessError = class extends Error {
+  constructor(m) {
+    super(m);
+  }
+};
+var SCMLib = class {
+  constructor(url, accessToken) {
+    __publicField(this, "url");
+    __publicField(this, "accessToken");
+    this.accessToken = accessToken;
+    this.url = url;
+  }
+  async getUrlWithCredentials() {
+    if (!this.url) {
+      console.error("no url for getUrlWithCredentials()");
+      throw new Error("no url");
     }
-    if (e instanceof RequestError && e.status === 404) {
-      return [];
+    const trimmedUrl = this.url.trim().replace(/\/$/, "");
+    if (!this.accessToken) {
+      return trimmedUrl;
     }
-    throw e;
-  }
-}
-async function getGithubBranchList(accessToken, repoUrl) {
-  const { owner, repo } = parseOwnerAndRepo(repoUrl);
-  const oktoKit = getOktoKit({ githubAuthToken: accessToken });
-  const res = await oktoKit.rest.repos.listBranches({
-    owner,
-    repo,
-    per_page: 1e3,
-    page: 1
-  });
-  return res.data.map((branch) => branch.name);
-}
-async function createPullRequest(options) {
-  const { owner, repo } = parseOwnerAndRepo(options.repoUrl);
-  const oktoKit = getOktoKit({ githubAuthToken: options.accessToken });
-  const res = await oktoKit.rest.pulls.create({
-    owner,
-    repo,
-    title: options.title,
-    body: options.body,
-    head: options.sourceBranchName,
-    base: options.targetBranchName,
-    draft: false,
-    maintainer_can_modify: true
-  });
-  return res.data.number;
-}
-async function getRepos(oktoKit) {
-  const res = await oktoKit.request("GET /user/repos?sort=updated", {
-    headers: {
-      "X-GitHub-Api-Version": "2022-11-28",
-      per_page: 100
-    }
-  });
-  return res.data;
-}
-async function getGithubRepoDefaultBranch(repoUrl, options) {
-  const oktoKit = getOktoKit(options);
-  const { owner, repo } = parseOwnerAndRepo(repoUrl);
-  return (await oktoKit.rest.repos.get({ repo, owner })).data.default_branch;
-}
-async function getGithubReferenceData({ ref, gitHubUrl }, options) {
-  const { owner, repo } = parseOwnerAndRepo(gitHubUrl);
-  let res;
-  try {
-    const oktoKit = getOktoKit(options);
-    res = await Promise.any([
-      getBranch({ owner, repo, branch: ref }, oktoKit).then((result) => ({
-        date: result.data.commit.commit.committer?.date ? new Date(result.data.commit.commit.committer?.date) : void 0,
-        type: "BRANCH" /* BRANCH */,
-        sha: result.data.commit.sha
-      })),
-      getCommit({ commitSha: ref, repo, owner }, oktoKit).then((commit) => ({
-        date: new Date(commit.data.committer.date),
-        type: "COMMIT" /* COMMIT */,
-        sha: commit.data.sha
-      })),
-      getTagDate({ owner, repo, tag: ref }, oktoKit).then((data) => ({
-        date: new Date(data.date),
-        type: "TAG" /* TAG */,
-        sha: data.sha
-      }))
-    ]);
-    return res;
-  } catch (e) {
-    if (e instanceof AggregateError) {
-      throw new RefNotFoundError(`ref: ${ref} does not exist`);
+    const username = await this._getUsernameForAuthUrl();
+    const is_http = trimmedUrl.toLowerCase().startsWith("http://");
+    const is_https = trimmedUrl.toLowerCase().startsWith("https://");
+    if (is_http) {
+      return `http://${username}:${this.accessToken}@${trimmedUrl.toLowerCase().replace("http://", "")}`;
+    } else if (is_https) {
+      return `https://${username}:${this.accessToken}@${trimmedUrl.toLowerCase().replace("https://", "")}`;
+    } else {
+      console.error(`invalid scm url ${trimmedUrl}`);
+      throw new Error(`invalid scm url ${trimmedUrl}`);
     }
-    throw e;
   }
-}
-async function getBranch({ branch, owner, repo }, oktoKit) {
-  return oktoKit.rest.repos.getBranch({
-    branch,
-    owner,
-    repo
-  });
-}
-async function getTagDate({ tag, owner, repo }, oktoKit) {
-  const refResponse = await oktoKit.rest.git.getRef({
-    ref: `tags/${tag}`,
-    owner,
-    repo
-  });
-  const tagSha = refResponse.data.object.sha;
-  if (refResponse.data.object.type === "commit") {
-    const res2 = await oktoKit.rest.git.getCommit({
-      commit_sha: tagSha,
-      owner,
-      repo
-    });
-    return {
-      date: res2.data.committer.date,
-      sha: res2.data.sha
-    };
+  getAccessToken() {
+    return this.accessToken || "";
   }
-  const res = await oktoKit.rest.git.getTag({
-    tag_sha: tagSha,
-    owner,
-    repo
-  });
-  return {
-    date: res.data.tagger.date,
-    sha: res.data.sha
-  };
-}
-async function getCommit({
-  commitSha,
-  owner,
-  repo
-}, oktoKit) {
-  return oktoKit.rest.git.getCommit({
-    repo,
-    owner,
-    commit_sha: commitSha
-  });
-}
-function parseOwnerAndRepo(gitHubUrl) {
-  gitHubUrl = removeTrailingSlash(gitHubUrl);
-  const parsingResult = parseScmURL(gitHubUrl);
-  if (!parsingResult || parsingResult.hostname !== "github.com") {
-    throw new InvalidUrlPatternError(`invalid github repo Url ${gitHubUrl}`);
+  getUrl() {
+    return this.url;
   }
-  const { organization, repoName } = parsingResult;
-  if (!organization || !repoName) {
-    throw new InvalidUrlPatternError(`invalid github repo Url ${gitHubUrl}`);
+  getName() {
+    if (!this.url) {
+      return "";
+    }
+    return this.url.split("/").at(-1) || "";
   }
-  return { owner: organization, repo: repoName };
-}
-async function queryGithubGraphql(query, variables, options) {
-  const token = options?.githubAuthToken ?? GITHUB_API_TOKEN ?? "";
-  const parameters = variables ?? {};
-  const authorizationHeader = {
-    headers: {
-      authorization: `bearer ${token}`
+  static async getIsValidBranchName(branchName) {
+    return isValidBranchName(branchName);
+  }
+  static async init({
+    url,
+    accessToken,
+    scmType
+  }) {
+    let trimmedUrl = void 0;
+    if (url) {
+      trimmedUrl = url.trim().replace(/\/$/, "");
     }
-  };
-  try {
-    const oktoKit = getOktoKit(options);
-    const res = await oktoKit.graphql(query, {
-      ...parameters,
-      ...authorizationHeader
-    });
-    return res;
-  } catch (e) {
-    if (e instanceof RequestError) {
-      return null;
+    try {
+      if ("GITHUB" /* GITHUB */ === scmType) {
+        const scm = new GithubSCMLib(trimmedUrl, accessToken);
+        await scm.validateParams();
+        return scm;
+      }
+      if ("GITLAB" /* GITLAB */ === scmType) {
+        const scm = new GitlabSCMLib(trimmedUrl, accessToken);
+        await scm.validateParams();
+        return scm;
+      }
+    } catch (e) {
+      if (e instanceof InvalidRepoUrlError && url) {
+        throw new RepoNoTokenAccessError("no access to repo");
+      }
     }
-    throw e;
+    return new StubSCMLib(trimmedUrl);
   }
-}
-async function getGithubBlameRanges({ ref, gitHubUrl, path: path8 }, options) {
-  const { owner, repo } = parseOwnerAndRepo(gitHubUrl);
-  const variables = {
-    owner,
-    repo,
-    path: path8,
-    ref
-  };
-  const res = await queryGithubGraphql(
-    GetBlameDocument,
-    variables,
-    options
-  );
-  if (!res?.repository?.object?.blame?.ranges) {
-    return [];
+};
+var GitlabSCMLib = class extends SCMLib {
+  async createSubmitRequest(targetBranchName, sourceBranchName, title, body) {
+    if (!this.accessToken || !this.url) {
+      console.error("no access token or no url");
+      throw new Error("no access token or no url");
+    }
+    return String(
+      await createMergeRequest({
+        title,
+        body,
+        targetBranchName,
+        sourceBranchName,
+        repoUrl: this.url,
+        accessToken: this.accessToken
+      })
+    );
   }
-  return res.repository.object.blame.ranges.map((range) => ({
-    startingLine: range.startingLine,
-    endingLine: range.endingLine,
-    email: range.commit.author.user.email,
-    name: range.commit.author.user.name,
-    login: range.commit.author.user.login
-  }));
-}
-
-// src/features/analysis/scm/scmSubmit.ts
-import fs2 from "node:fs/promises";
-import os from "os";
-import path5 from "path";
-import { simpleGit as simpleGit2 } from "simple-git";
-import { z as z4 } from "zod";
-var isValidBranchName = async (branchName) => {
-  const git = simpleGit2();
-  try {
-    const res = await git.raw(["check-ref-format", "--branch", branchName]);
-    if (res) {
-      return true;
+  async validateParams() {
+    return gitlabValidateParams({
+      url: this.url,
+      accessToken: this.accessToken
+    });
+  }
+  async getRepoList() {
+    if (!this.accessToken) {
+      console.error("no access token");
+      throw new Error("no access token");
     }
-    return false;
-  } catch (e) {
-    return false;
-  }
-};
-var SubmitFixesMessageZ = z4.object({
-  submitFixRequestId: z4.string().uuid(),
-  fixes: z4.array(
-    z4.object({
-      fixId: z4.string().uuid(),
-      diff: z4.string()
-    })
-  ),
-  branchName: z4.string(),
-  commitHash: z4.string(),
-  targetBranch: z4.string(),
-  repoUrl: z4.string()
-});
-var FixResponseArrayZ = z4.array(
-  z4.object({
-    fixId: z4.string().uuid()
-  })
-);
-var SubmitFixesResponseMessageZ = z4.object({
-  submitFixRequestId: z4.string().uuid(),
-  submitBranches: z4.array(
-    z4.object({
-      branchName: z4.string(),
-      fixes: FixResponseArrayZ
-    })
-  ),
-  error: z4.object({
-    type: z4.enum([
-      "InitialRepoAccessError",
-      "PushBranchError",
-      "UnknownError"
-    ]),
-    info: z4.object({
-      message: z4.string(),
-      pushBranchName: z4.string().optional()
-    })
-  }).optional()
-});
-
-// src/features/analysis/scm/scm.ts
-function getScmLibTypeFromUrl(url) {
-  if (!url) {
-    return void 0;
-  }
-  if (url.toLowerCase().startsWith("https://gitlab.com/")) {
-    return "GITLAB" /* GITLAB */;
-  }
-  if (url.toLowerCase().startsWith("https://github.com/")) {
-    return "GITHUB" /* GITHUB */;
-  }
-  return void 0;
-}
-async function scmCanReachRepo({
-  repoUrl,
-  githubToken,
-  gitlabToken
-}) {
-  try {
-    const scmLibType = getScmLibTypeFromUrl(repoUrl);
-    await SCMLib.init({
-      url: repoUrl,
-      accessToken: scmLibType === "GITHUB" /* GITHUB */ ? githubToken : scmLibType === "GITLAB" /* GITLAB */ ? gitlabToken : "",
-      scmType: scmLibType
-    });
-    return true;
-  } catch (e) {
-    return false;
-  }
-}
-var InvalidRepoUrlError = class extends Error {
-  constructor(m) {
-    super(m);
-  }
-};
-var InvalidAccessTokenError = class extends Error {
-  constructor(m) {
-    super(m);
-  }
-};
-var InvalidUrlPatternError = class extends Error {
-  constructor(m) {
-    super(m);
-  }
-};
-var RefNotFoundError = class extends Error {
-  constructor(m) {
-    super(m);
-  }
-};
-var RepoNoTokenAccessError = class extends Error {
-  constructor(m) {
-    super(m);
-  }
-};
-var SCMLib = class {
-  constructor(url, accessToken) {
-    __publicField(this, "url");
-    __publicField(this, "accessToken");
-    this.accessToken = accessToken;
-    this.url = url;
-  }
-  async getUrlWithCredentials() {
-    if (!this.url) {
-      console.error("no url for getUrlWithCredentials()");
-      throw new Error("no url");
-    }
-    const trimmedUrl = this.url.trim().replace(/\/$/, "");
-    if (!this.accessToken) {
-      return trimmedUrl;
-    }
-    const username = await this._getUsernameForAuthUrl();
-    const is_http = trimmedUrl.toLowerCase().startsWith("http://");
-    const is_https = trimmedUrl.toLowerCase().startsWith("https://");
-    if (is_http) {
-      return `http://${username}:${this.accessToken}@${trimmedUrl.toLowerCase().replace("http://", "")}`;
-    } else if (is_https) {
-      return `https://${username}:${this.accessToken}@${trimmedUrl.toLowerCase().replace("https://", "")}`;
-    } else {
-      console.error(`invalid scm url ${trimmedUrl}`);
-      throw new Error(`invalid scm url ${trimmedUrl}`);
-    }
-  }
-  getAccessToken() {
-    return this.accessToken || "";
-  }
-  getUrl() {
-    return this.url;
-  }
-  getName() {
-    if (!this.url) {
-      return "";
-    }
-    return this.url.split("/").at(-1) || "";
-  }
-  static async getIsValidBranchName(branchName) {
-    return isValidBranchName(branchName);
-  }
-  static async init({
-    url,
-    accessToken,
-    scmType
-  }) {
-    let trimmedUrl = void 0;
-    if (url) {
-      trimmedUrl = url.trim().replace(/\/$/, "");
-    }
-    try {
-      if ("GITHUB" /* GITHUB */ === scmType) {
-        const scm = new GithubSCMLib(trimmedUrl, accessToken);
-        await scm.validateParams();
-        return scm;
-      }
-      if ("GITLAB" /* GITLAB */ === scmType) {
-        const scm = new GitlabSCMLib(trimmedUrl, accessToken);
-        await scm.validateParams();
-        return scm;
-      }
-    } catch (e) {
-      if (e instanceof InvalidRepoUrlError && url) {
-        throw new RepoNoTokenAccessError("no access to repo");
-      }
-    }
-    return new StubSCMLib(trimmedUrl);
-  }
-};
-var GitlabSCMLib = class extends SCMLib {
-  async createSubmitRequest(targetBranchName, sourceBranchName, title, body) {
-    if (!this.accessToken || !this.url) {
-      console.error("no access token or no url");
-      throw new Error("no access token or no url");
-    }
-    return String(
-      await createMergeRequest({
-        title,
-        body,
-        targetBranchName,
-        sourceBranchName,
-        repoUrl: this.url,
-        accessToken: this.accessToken
-      })
-    );
-  }
-  async validateParams() {
-    return gitlabValidateParams({
-      url: this.url,
-      accessToken: this.accessToken
-    });
-  }
-  async getRepoList() {
-    if (!this.accessToken) {
-      console.error("no access token");
-      throw new Error("no access token");
-    }
-    return getGitlabRepoList(this.accessToken);
+    return getGitlabRepoList(this.accessToken);
   }
   async getBranchList() {
     if (!this.accessToken || !this.url) {
@@ -1656,6 +1598,11 @@ var GitlabSCMLib = class extends SCMLib {
   }
 };
 var GithubSCMLib = class extends SCMLib {
+  constructor(url, accessToken) {
+    super(url, accessToken);
+    __publicField(this, "oktokit");
+    this.oktokit = new Octokit2({ auth: accessToken });
+  }
   async createSubmitRequest(targetBranchName, sourceBranchName, title, body) {
     if (!this.accessToken || !this.url) {
       console.error("no access token or no url");
@@ -1675,6 +1622,55 @@ var GithubSCMLib = class extends SCMLib {
   async validateParams() {
     return githubValidateParams(this.url, this.accessToken);
   }
+  async postPrComment(params, _oktokit) {
+    if (!_oktokit && !this.accessToken || !this.url) {
+      throw new Error("cannot post on PR without access token or url");
+    }
+    const oktokit = _oktokit || this.oktokit;
+    const { owner, repo } = parseOwnerAndRepo(this.url);
+    return postPrComment(oktokit, {
+      ...params,
+      owner,
+      repo
+    });
+  }
+  async updatePrComment(params, _oktokit) {
+    if (!_oktokit && !this.accessToken || !this.url) {
+      throw new Error("cannot update on PR without access token or url");
+    }
+    const oktokit = _oktokit || this.oktokit;
+    const { owner, repo } = parseOwnerAndRepo(this.url);
+    return updatePrComment(oktokit, {
+      ...params,
+      owner,
+      repo
+    });
+  }
+  async deleteComment(params, _oktokit) {
+    if (!_oktokit && !this.accessToken || !this.url) {
+      throw new Error("cannot delete comment without access token or url");
+    }
+    const oktokit = _oktokit || this.oktokit;
+    const { owner, repo } = parseOwnerAndRepo(this.url);
+    return deleteComment(oktokit, {
+      ...params,
+      owner,
+      repo
+    });
+  }
+  async getPrComments(params, _oktokit) {
+    if (!_oktokit && !this.accessToken || !this.url) {
+      throw new Error("cannot get Pr Comments without access token or url");
+    }
+    const oktokit = _oktokit || this.oktokit;
+    const { owner, repo } = parseOwnerAndRepo(this.url);
+    return getPrComments(oktokit, {
+      per_page: 100,
+      ...params,
+      owner,
+      repo
+    });
+  }
   async getRepoList() {
     if (!this.accessToken) {
       console.error("no access token");
@@ -1840,259 +1836,849 @@ var StubSCMLib = class extends SCMLib {
   }
 };
 
-// src/features/analysis/scm/gitlab.ts
-function removeTrailingSlash2(str) {
-  return str.trim().replace(/\/+$/, "");
+// src/features/analysis/scm/gitlab.ts
+function removeTrailingSlash2(str) {
+  return str.trim().replace(/\/+$/, "");
+}
+var EnvVariablesZod2 = z5.object({
+  GITLAB_API_TOKEN: z5.string().optional()
+});
+var { GITLAB_API_TOKEN } = EnvVariablesZod2.parse(process.env);
+function getGitBeaker(options) {
+  const token = options?.gitlabAuthToken ?? GITLAB_API_TOKEN ?? "";
+  if (token?.startsWith("glpat-") || token === "") {
+    return new Gitlab({ token });
+  }
+  return new Gitlab({ oauthToken: token });
+}
+async function gitlabValidateParams({
+  url,
+  accessToken
+}) {
+  try {
+    const api = getGitBeaker({ gitlabAuthToken: accessToken });
+    if (accessToken) {
+      await api.Users.showCurrentUser();
+    }
+    if (url) {
+      const { projectPath } = parseOwnerAndRepo2(url);
+      await api.Projects.show(projectPath);
+    }
+  } catch (e) {
+    const error = e;
+    const code = error.code || error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
+    const description = error.description || `${e}`;
+    if (code === 401 || code === 403 || description.includes("401") || description.includes("403")) {
+      throw new InvalidAccessTokenError(`invalid gitlab access token`);
+    }
+    if (code === 404 || description.includes("404") || description.includes("Not Found")) {
+      throw new InvalidRepoUrlError(`invalid gitlab repo Url ${url}`);
+    }
+    throw e;
+  }
+}
+async function getGitlabUsername(accessToken) {
+  const api = getGitBeaker({ gitlabAuthToken: accessToken });
+  const res = await api.Users.showCurrentUser();
+  return res.username;
+}
+async function getGitlabIsUserCollaborator({
+  username,
+  accessToken,
+  repoUrl
+}) {
+  try {
+    const { projectPath } = parseOwnerAndRepo2(repoUrl);
+    const api = getGitBeaker({ gitlabAuthToken: accessToken });
+    const res = await api.Projects.show(projectPath);
+    const members = await api.ProjectMembers.all(res.id, {
+      includeInherited: true
+    });
+    return !!members.find((member) => member.username === username);
+  } catch (e) {
+    return false;
+  }
+}
+async function getGitlabMergeRequestStatus({
+  accessToken,
+  repoUrl,
+  mrNumber
+}) {
+  const { projectPath } = parseOwnerAndRepo2(repoUrl);
+  const api = getGitBeaker({ gitlabAuthToken: accessToken });
+  const res = await api.MergeRequests.show(projectPath, mrNumber);
+  switch (res.state) {
+    case "merged" /* merged */:
+    case "opened" /* opened */:
+    case "closed" /* closed */:
+      return res.state;
+    default:
+      throw new Error(`unknown merge request state ${res.state}`);
+  }
+}
+async function getGitlabIsRemoteBranch({
+  accessToken,
+  repoUrl,
+  branch
+}) {
+  const { projectPath } = parseOwnerAndRepo2(repoUrl);
+  const api = getGitBeaker({ gitlabAuthToken: accessToken });
+  try {
+    const res = await api.Branches.show(projectPath, branch);
+    return res.name === branch;
+  } catch (e) {
+    return false;
+  }
+}
+async function getGitlabRepoList(accessToken) {
+  const api = getGitBeaker({ gitlabAuthToken: accessToken });
+  const res = await api.Projects.all({
+    membership: true,
+    //TODO: a bug in the sorting mechanism of this api call
+    //disallows us to sort by updated_at in descending order
+    //so we have to sort by updated_at in ascending order.
+    //We can wait for the bug to be fixed or call the api
+    //directly with fetch()
+    sort: "asc",
+    orderBy: "updated_at",
+    perPage: 100
+  });
+  return Promise.all(
+    res.map(async (project) => {
+      const proj = await api.Projects.show(project.id);
+      const owner = proj.namespace.name;
+      const repoLanguages = await api.Projects.showLanguages(project.id);
+      return {
+        repoName: project.path,
+        repoUrl: project.web_url,
+        repoOwner: owner,
+        repoLanguages: Object.keys(repoLanguages),
+        repoIsPublic: project.visibility === "public",
+        repoUpdatedAt: project.last_activity_at
+      };
+    })
+  );
+}
+async function getGitlabBranchList({
+  accessToken,
+  repoUrl
+}) {
+  const { projectPath } = parseOwnerAndRepo2(repoUrl);
+  const api = getGitBeaker({ gitlabAuthToken: accessToken });
+  try {
+    const res = await api.Branches.all(projectPath, {
+      perPage: 100,
+      pagination: "keyset",
+      orderBy: "updated_at",
+      sort: "dec"
+    });
+    return res.map((branch) => branch.name);
+  } catch (e) {
+    return [];
+  }
+}
+async function createMergeRequest(options) {
+  const { projectPath } = parseOwnerAndRepo2(options.repoUrl);
+  const api = getGitBeaker({ gitlabAuthToken: options.accessToken });
+  const res = await api.MergeRequests.create(
+    projectPath,
+    options.sourceBranchName,
+    options.targetBranchName,
+    options.title,
+    {
+      description: options.body
+    }
+  );
+  return res.iid;
+}
+async function getGitlabRepoDefaultBranch(repoUrl, options) {
+  const api = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
+  const { projectPath } = parseOwnerAndRepo2(repoUrl);
+  const project = await api.Projects.show(projectPath);
+  if (!project.default_branch) {
+    throw new Error("no default branch");
+  }
+  return project.default_branch;
+}
+async function getGitlabReferenceData({ ref, gitlabUrl }, options) {
+  const { projectPath } = parseOwnerAndRepo2(gitlabUrl);
+  const api = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
+  const results = await Promise.allSettled([
+    (async () => {
+      const res = await api.Branches.show(projectPath, ref);
+      return {
+        sha: res.commit.id,
+        type: "BRANCH" /* BRANCH */,
+        date: res.commit.committed_date ? new Date(res.commit.committed_date) : void 0
+      };
+    })(),
+    (async () => {
+      const res = await api.Commits.show(projectPath, ref);
+      return {
+        sha: res.id,
+        type: "COMMIT" /* COMMIT */,
+        date: res.committed_date ? new Date(res.committed_date) : void 0
+      };
+    })(),
+    (async () => {
+      const res = await api.Tags.show(projectPath, ref);
+      return {
+        sha: res.commit.id,
+        type: "TAG" /* TAG */,
+        date: res.commit.committed_date ? new Date(res.commit.committed_date) : void 0
+      };
+    })()
+  ]);
+  const [branchRes, commitRes, tagRes] = results;
+  if (tagRes.status === "fulfilled") {
+    return tagRes.value;
+  }
+  if (branchRes.status === "fulfilled") {
+    return branchRes.value;
+  }
+  if (commitRes.status === "fulfilled") {
+    return commitRes.value;
+  }
+  throw new RefNotFoundError(`ref: ${ref} does not exist`);
+}
+function parseOwnerAndRepo2(gitlabUrl) {
+  gitlabUrl = removeTrailingSlash2(gitlabUrl);
+  const parsingResult = parseScmURL(gitlabUrl);
+  if (!parsingResult || parsingResult.hostname !== "gitlab.com") {
+    throw new InvalidUrlPatternError(`invalid gitlab repo Url ${gitlabUrl}`);
+  }
+  const { organization, repoName, projectPath } = parsingResult;
+  return { owner: organization, repo: repoName, projectPath };
+}
+async function getGitlabBlameRanges({ ref, gitlabUrl, path: path8 }, options) {
+  const { projectPath } = parseOwnerAndRepo2(gitlabUrl);
+  const api = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
+  const resp = await api.RepositoryFiles.allFileBlames(projectPath, path8, ref);
+  let lineNumber = 1;
+  return resp.filter((range) => range.lines).map((range) => {
+    const oldLineNumber = lineNumber;
+    if (!range.lines) {
+      throw new Error("range.lines should not be undefined");
+    }
+    lineNumber += range.lines.length;
+    return {
+      startingLine: oldLineNumber,
+      endingLine: lineNumber - 1,
+      login: range.commit.author_email,
+      email: range.commit.author_email,
+      name: range.commit.author_name
+    };
+  });
+}
+var GitlabAuthResultZ = z5.object({
+  access_token: z5.string(),
+  token_type: z5.string(),
+  refresh_token: z5.string()
+});
+
+// src/features/analysis/types.ts
+import { z as z6 } from "zod";
+var VulReportLocationZ = z6.object({
+  physicalLocation: z6.object({
+    artifactLocation: z6.object({
+      uri: z6.string(),
+      uriBaseId: z6.string(),
+      index: z6.number()
+    }),
+    region: z6.object({
+      startLine: z6.number(),
+      startColumn: z6.number(),
+      endColumn: z6.number()
+    })
+  })
+});
+
+// src/features/analysis/utils/get_issue_type.ts
+var getIssueType = (issueType) => {
+  switch (issueType) {
+    case "SQL_Injection" /* SqlInjection */:
+      return "SQL Injection";
+    case "CMDi_relative_path_command" /* CmDiRelativePathCommand */:
+      return "Relative Path Command Injection";
+    case "CMDi" /* CmDi */:
+      return "Command Injection";
+    case "XXE" /* Xxe */:
+      return "XXE";
+    case "XSS" /* Xss */:
+      return "XSS";
+    case "PT" /* Pt */:
+      return "Path Traversal";
+    case "INSECURE_RANDOMNESS" /* InsecureRandomness */:
+      return "Insecure Randomness";
+    case "SSRF" /* Ssrf */:
+      return "Server Side Request Forgery";
+    case "TYPE_CONFUSION" /* TypeConfusion */:
+      return "Type Confusion";
+    case "REGEX_INJECTION" /* RegexInjection */:
+      return "Regular Expression Injection";
+    case "INCOMPLETE_URL_SANITIZATION" /* IncompleteUrlSanitization */:
+      return "Incomplete URL Sanitization";
+    case "LOG_FORGING" /* LogForging */:
+      return "Log Forging";
+    case "MISSING_CHECK_AGAINST_NULL" /* MissingCheckAgainstNull */:
+      return "Missing Check against Null";
+    case "PASSWORD_IN_COMMENT" /* PasswordInComment */:
+      return "Password in Comment";
+    case "OVERLY_BROAD_CATCH" /* OverlyBroadCatch */:
+      return "Poor Error Handling: Overly Broad Catch";
+    case "USE_OF_SYSTEM_OUTPUT_STREAM" /* UseOfSystemOutputStream */:
+      return "Use of System.out/System.err";
+    case "DANGEROUS_FUNCTION_OVERFLOW" /* DangerousFunctionOverflow */:
+      return "Use of dangerous function";
+    case "DOS_STRING_BUILDER" /* DosStringBuilder */:
+      return "Denial of Service: StringBuilder";
+    case "OPEN_REDIRECT" /* OpenRedirect */:
+      return "Open Redirect";
+    case "WEAK_XML_SCHEMA_UNBOUNDED_OCCURRENCES" /* WeakXmlSchemaUnboundedOccurrences */:
+      return "Weak XML Schema: Unbounded Occurrences";
+    case "SYSTEM_INFORMATION_LEAK" /* SystemInformationLeak */:
+      return "System Information Leak";
+    case "HTTP_RESPONSE_SPLITTING" /* HttpResponseSplitting */:
+      return "HTTP response splitting";
+    case "HTTP_ONLY_COOKIE" /* HttpOnlyCookie */:
+      return "Cookie is not HttpOnly";
+    case "INSECURE_COOKIE" /* InsecureCookie */:
+      return "Insecure Cookie";
+    default: {
+      return issueType ? issueType.replaceAll("_", " ") : "Other";
+    }
+  }
+};
+
+// src/features/analysis/utils/index.ts
+function getFixUrl({
+  fixId,
+  projectId,
+  organizationId,
+  analysisId
+}) {
+  return `${WEB_APP_URL}/organization/${organizationId}/project/${projectId}/report/${analysisId}/fix/${fixId}`;
+}
+function getCommitUrl({
+  fixId,
+  projectId,
+  organizationId,
+  analysisId,
+  redirectUrl
+}) {
+  return `${getFixUrl({
+    fixId,
+    projectId,
+    organizationId,
+    analysisId
+  })}/commit?redirect_url=${encodeURIComponent(redirectUrl)}`;
+}
+
+// src/features/analysis/handle_finished_analysis.ts
+var debug4 = Debug4("mobbdev:handle-finished-analysis");
+var MOBB_ICON_IMG = "![image](https://github.com/yhaggai/GitHub-Fixer-Demo/assets/1255845/30f566df-6544-4612-929e-2ee5e8b9d345)";
+var COMMIT_FIX_SVG = `https://felt-laptop-20190711103614-deployment.s3.us-east-1.amazonaws.com/commit-button.svg`;
+var commitFixButton = (commitUrl) => `<a href="${commitUrl}"><img src=${COMMIT_FIX_SVG}></a>`;
+function scannerToFriendlyString(scanner) {
+  switch (scanner) {
+    case "checkmarx":
+      return "Checkmarx";
+    case "codeql":
+      return "CodeQL";
+    case "fortify":
+      return "Fortify";
+    case "snyk":
+      return "Snyk";
+  }
+}
+async function handleFinishedAnalysis({
+  analysisId,
+  scm: _scm,
+  gqlClient,
+  githubActionOctokit,
+  scanner
+}) {
+  if (_scm instanceof GithubSCMLib === false) {
+    return;
+  }
+  const scm = _scm;
+  const res = await gqlClient.getAnalysis(analysisId);
+  const comments = await scm.getPrComments({}, githubActionOctokit);
+  await Promise.all(
+    comments.data.filter((comment) => {
+      return comment.body.includes("fix by Mobb is ready");
+    }).map((comment) => {
+      try {
+        return scm.deleteComment(
+          { comment_id: comment.id },
+          githubActionOctokit
+        );
+      } catch (e) {
+        debug4("delete comment failed %s", e);
+        return Promise.resolve();
+      }
+    })
+  );
+  const {
+    vulnerabilityReport: {
+      file: {
+        signedFile: { url: vulReportUrl }
+      }
+    },
+    repo: { commitSha, pullRequest }
+  } = res.analysis;
+  const {
+    projectId,
+    project: { organizationId }
+  } = res.analysis.vulnerabilityReport;
+  const vulReportRes = await fetch(vulReportUrl);
+  const vulReport = await vulReportRes.json();
+  return Promise.all(
+    res.analysis.fixes.map((fix) => {
+      const [vulnerabilityReportIssue] = fix.vulnerabilityReportIssues;
+      const issueIndex = parseInt(
+        z7.string().parse(vulnerabilityReportIssue?.vendorIssueId)
+      );
+      const results = vulReport.runs[0]?.results || [];
+      const ruleId = results[issueIndex]?.ruleId;
+      const location = VulReportLocationZ.parse(
+        results[issueIndex]?.locations[0]
+      );
+      const { uri: filePath } = location.physicalLocation.artifactLocation;
+      const { startLine, startColumn, endColumn } = location.physicalLocation.region;
+      const fixLocation = {
+        filePath,
+        startLine,
+        startColumn,
+        endColumn,
+        ruleId
+      };
+      return {
+        fix,
+        fixLocation
+      };
+    }).map(async ({ fix, fixLocation }) => {
+      const { filePath, startLine } = fixLocation;
+      const getFixContent = await gqlClient.getFix(fix.id);
+      const {
+        fix_by_pk: {
+          patchAndQuestions: { patch }
+        }
+      } = getFixContent;
+      const commentRes = await scm.postPrComment(
+        {
+          body: "empty",
+          pull_number: pullRequest,
+          commit_id: commitSha,
+          path: filePath,
+          line: startLine
+        },
+        githubActionOctokit
+      );
+      const commitUrl = getCommitUrl({
+        fixId: fix.id,
+        projectId,
+        analysisId,
+        organizationId,
+        redirectUrl: commentRes.data.html_url
+      });
+      const fixUrl = getFixUrl({
+        fixId: fix.id,
+        projectId,
+        analysisId,
+        organizationId
+      });
+      const scanerString = scannerToFriendlyString(scanner);
+      const issueType = getIssueType(fix.issueType);
+      const title = `# ${MOBB_ICON_IMG} ${issueType} fix by Mobb is ready`;
+      const subTitle = `### Apply the following code change to fix ${issueType} issue detected by ${scanerString}:`;
+      const diff = `\`\`\`diff
+${patch} 
+\`\`\``;
+      const fixPageLink = `[Learn more and fine tune the fix](${fixUrl})`;
+      await scm.updatePrComment(
+        {
+          body: `${title}
+${subTitle}
+${diff}
+${commitFixButton(
+            commitUrl
+          )}
+${fixPageLink}`,
+          comment_id: commentRes.data.id
+        },
+        githubActionOctokit
+      );
+    })
+  );
+}
+
+// src/features/analysis/pack.ts
+import fs2 from "node:fs";
+import path4 from "node:path";
+import AdmZip from "adm-zip";
+import Debug5 from "debug";
+import { globby } from "globby";
+import { isBinary } from "istextorbinary";
+var debug5 = Debug5("mobbdev:pack");
+var MAX_FILE_SIZE = 1024 * 1024 * 5;
+function endsWithAny(str, suffixes) {
+  return suffixes.some(function(suffix) {
+    return str.endsWith(suffix);
+  });
+}
+async function pack(srcDirPath, vulnFiles) {
+  debug5("pack folder %s", srcDirPath);
+  const filepaths = await globby("**", {
+    gitignore: true,
+    onlyFiles: true,
+    cwd: srcDirPath,
+    followSymbolicLinks: false
+  });
+  debug5("files found %d", filepaths.length);
+  const zip = new AdmZip();
+  debug5("compressing files");
+  for (const filepath of filepaths) {
+    const absFilepath = path4.join(srcDirPath, filepath.toString());
+    if (!endsWithAny(
+      absFilepath.toString().replaceAll(path4.win32.sep, path4.posix.sep),
+      vulnFiles
+    )) {
+      debug5("ignoring %s because it is not a vulnerability file", filepath);
+      continue;
+    }
+    if (fs2.lstatSync(absFilepath).size > MAX_FILE_SIZE) {
+      debug5("ignoring %s because the size is > 5MB", filepath);
+      continue;
+    }
+    const data = fs2.readFileSync(absFilepath);
+    if (isBinary(null, data)) {
+      debug5("ignoring %s because is seems to be a binary file", filepath);
+      continue;
+    }
+    zip.addFile(filepath.toString(), data);
+  }
+  debug5("get zip file buffer");
+  return zip.toBuffer();
+}
+
+// src/features/analysis/prompts.ts
+import inquirer from "inquirer";
+import { createSpinner } from "nanospinner";
+var scannerChoices = [
+  { name: "Snyk", value: SCANNERS.Snyk },
+  { name: "Checkmarx", value: SCANNERS.Checkmarx },
+  { name: "Codeql", value: SCANNERS.Codeql },
+  { name: "Fortify", value: SCANNERS.Fortify }
+];
+async function choseScanner() {
+  const { scanner } = await inquirer.prompt({
+    name: "scanner",
+    message: "Choose a scanner you wish to use to scan your code",
+    type: "list",
+    choices: scannerChoices
+  });
+  return scanner;
+}
+async function tryCheckmarxConfiguarationAgain() {
+  console.log(
+    "\u{1F513} Oops, seems like checkmarx does not accept the current configuration"
+  );
+  const { confirmCheckmarxRetryConfigrations } = await inquirer.prompt({
+    name: "confirmCheckmarxRetryConfigrations",
+    type: "confirm",
+    message: "Would like to try to configure them again? ",
+    default: true
+  });
+  return confirmCheckmarxRetryConfigrations;
+}
+async function startCheckmarxConfigationPrompt() {
+  const checkmarxConfigreSpinner = createSpinner(
+    "\u{1F513} Checkmarx needs to be configured before we start, press any key to continue"
+  ).start();
+  await keypress();
+  checkmarxConfigreSpinner.success();
+}
+async function scmIntegrationPrompt(scmName) {
+  const answers = await inquirer.prompt({
+    name: "scmConfirm",
+    type: "confirm",
+    message: `It seems we don't have access to the repo, do you want to grant access to your ${scmName} account?`,
+    default: true
+  });
+  return answers.scmConfirm;
+}
+async function mobbAnalysisPrompt() {
+  const spinner = createSpinner().start();
+  spinner.update({ text: "Hit any key to view available fixes" });
+  await keypress();
+  return spinner.success();
+}
+async function snykArticlePrompt() {
+  const { snykArticleConfirm } = await inquirer.prompt({
+    name: "snykArticleConfirm",
+    type: "confirm",
+    message: "Do you want to be taken to the relevant Snyk's online article?",
+    default: true
+  });
+  return snykArticleConfirm;
+}
+
+// src/features/analysis/scanners/checkmarx.ts
+import { createRequire } from "node:module";
+
+// src/post_install/constants.mjs
+var cxOperatingSystemSupportMessage = `Your operating system does not support checkmarx.
+  You can see the list of supported operating systems here: https://github.com/Checkmarx/ast-cli#releases`;
+
+// src/utils/child_process.ts
+import cp from "node:child_process";
+import Debug6 from "debug";
+import * as process2 from "process";
+import supportsColor from "supports-color";
+var { stdout: stdout2 } = supportsColor;
+function createFork({ args, processPath, name }, options) {
+  const child = cp.fork(processPath, args, {
+    stdio: ["inherit", "pipe", "pipe", "ipc"],
+    env: { FORCE_COLOR: stdout2 ? "1" : "0" }
+  });
+  return createChildProcess({ childProcess: child, name }, options);
 }
-var EnvVariablesZod2 = z5.object({
-  GITLAB_API_TOKEN: z5.string().optional()
-});
-var { GITLAB_API_TOKEN } = EnvVariablesZod2.parse(process.env);
-function getGitBeaker(options) {
-  const token = options?.gitlabAuthToken ?? GITLAB_API_TOKEN ?? "";
-  if (token?.startsWith("glpat-") || token === "") {
-    return new Gitlab({ token });
-  }
-  return new Gitlab({ oauthToken: token });
+function createSpwan({ args, processPath, name }, options) {
+  const child = cp.spawn(processPath, args, {
+    stdio: ["inherit", "pipe", "pipe", "ipc"],
+    env: { FORCE_COLOR: stdout2 ? "1" : "0" }
+  });
+  return createChildProcess({ childProcess: child, name }, options);
 }
-async function gitlabValidateParams({
-  url,
-  accessToken
-}) {
-  try {
-    const api = getGitBeaker({ gitlabAuthToken: accessToken });
-    if (accessToken) {
-      await api.Users.showCurrentUser();
-    }
-    if (url) {
-      const { projectPath } = parseOwnerAndRepo2(url);
-      await api.Projects.show(projectPath);
-    }
-  } catch (e) {
-    const error = e;
-    const code = error.code || error.status || error.statusCode || error.response?.status || error.response?.statusCode || error.response?.code;
-    const description = error.description || `${e}`;
-    if (code === 401 || code === 403 || description.includes("401") || description.includes("403")) {
-      throw new InvalidAccessTokenError(`invalid gitlab access token`);
+function createChildProcess({ childProcess, name }, options) {
+  const debug10 = Debug6(`mobbdev:${name}`);
+  const { display } = options;
+  return new Promise((resolve, reject) => {
+    let out = "";
+    const onData = (chunk) => {
+      debug10(`chunk received from ${name} std ${chunk}`);
+      out += chunk;
+    };
+    if (!childProcess || !childProcess?.stdout || !childProcess?.stderr) {
+      debug10(`unable to fork ${name}`);
+      reject(new Error(`unable to fork ${name}`));
     }
-    if (code === 404 || description.includes("404") || description.includes("Not Found")) {
-      throw new InvalidRepoUrlError(`invalid gitlab repo Url ${url}`);
+    childProcess.stdout?.on("data", onData);
+    childProcess.stderr?.on("data", onData);
+    if (display) {
+      childProcess.stdout?.pipe(process2.stdout);
+      childProcess.stderr?.pipe(process2.stderr);
     }
-    throw e;
-  }
-}
-async function getGitlabUsername(accessToken) {
-  const api = getGitBeaker({ gitlabAuthToken: accessToken });
-  const res = await api.Users.showCurrentUser();
-  return res.username;
-}
-async function getGitlabIsUserCollaborator({
-  username,
-  accessToken,
-  repoUrl
-}) {
-  try {
-    const { projectPath } = parseOwnerAndRepo2(repoUrl);
-    const api = getGitBeaker({ gitlabAuthToken: accessToken });
-    const res = await api.Projects.show(projectPath);
-    const members = await api.ProjectMembers.all(res.id, {
-      includeInherited: true
+    childProcess.on("exit", (code) => {
+      debug10(`${name} exit code ${code}`);
+      resolve({ message: out, code });
     });
-    return !!members.find((member) => member.username === username);
-  } catch (e) {
-    return false;
-  }
-}
-async function getGitlabMergeRequestStatus({
-  accessToken,
-  repoUrl,
-  mrNumber
-}) {
-  const { projectPath } = parseOwnerAndRepo2(repoUrl);
-  const api = getGitBeaker({ gitlabAuthToken: accessToken });
-  const res = await api.MergeRequests.show(projectPath, mrNumber);
-  switch (res.state) {
-    case "merged" /* merged */:
-    case "opened" /* opened */:
-    case "closed" /* closed */:
-      return res.state;
-    default:
-      throw new Error(`unknown merge request state ${res.state}`);
-  }
+    childProcess.on("error", (err) => {
+      debug10(`${name} error %o`, err);
+      reject(err);
+    });
+  });
 }
-async function getGitlabIsRemoteBranch({
-  accessToken,
-  repoUrl,
-  branch
-}) {
-  const { projectPath } = parseOwnerAndRepo2(repoUrl);
-  const api = getGitBeaker({ gitlabAuthToken: accessToken });
+
+// src/features/analysis/scanners/checkmarx.ts
+import chalk2 from "chalk";
+import Debug7 from "debug";
+import { existsSync } from "fs";
+import { createSpinner as createSpinner2 } from "nanospinner";
+import { type } from "os";
+import path5 from "path";
+var debug6 = Debug7("mobbdev:checkmarx");
+var require2 = createRequire(import.meta.url);
+var getCheckmarxPath = () => {
+  const os3 = type();
+  const cxFileName = os3 === "Windows_NT" ? "cx.exe" : "cx";
   try {
-    const res = await api.Branches.show(projectPath, branch);
-    return res.name === branch;
+    return require2.resolve(`.bin/${cxFileName}`);
   } catch (e) {
-    return false;
+    throw new CliError(cxOperatingSystemSupportMessage);
   }
+};
+var getCheckmarxCommandArgs = ({
+  repoPath,
+  branch,
+  fileName,
+  filePath,
+  projectName
+}) => [
+  "--project-name",
+  projectName,
+  "-s",
+  repoPath,
+  "--branch",
+  branch,
+  "--scan-types",
+  "sast",
+  "--output-path",
+  filePath,
+  "--output-name",
+  fileName,
+  "--report-format",
+  "json"
+];
+var VALIDATE_COMMAND = ["auth", "validate"];
+var CONFIGURE_COMMAND = ["configure"];
+var SCAN_COMMAND = ["scan", "create"];
+var CHECKMARX_SUCCESS_CODE = 0;
+function validateCheckmarxInstallation() {
+  existsSync(getCheckmarxPath());
 }
-async function getGitlabRepoList(accessToken) {
-  const api = getGitBeaker({ gitlabAuthToken: accessToken });
-  const res = await api.Projects.all({
-    membership: true,
-    //TODO: a bug in the sorting mechanism of this api call
-    //disallows us to sort by updated_at in descending order
-    //so we have to sort by updated_at in ascending order.
-    //We can wait for the bug to be fixed or call the api
-    //directly with fetch()
-    sort: "asc",
-    orderBy: "updated_at",
-    perPage: 100
-  });
-  return Promise.all(
-    res.map(async (project) => {
-      const proj = await api.Projects.show(project.id);
-      const owner = proj.namespace.name;
-      const repoLanguages = await api.Projects.showLanguages(project.id);
-      return {
-        repoName: project.path,
-        repoUrl: project.web_url,
-        repoOwner: owner,
-        repoLanguages: Object.keys(repoLanguages),
-        repoIsPublic: project.visibility === "public",
-        repoUpdatedAt: project.last_activity_at
-      };
-    })
+async function forkCheckmarx(args, { display }) {
+  debug6("fork checkmarx with args %o %s", args.join(" "), display);
+  return createSpwan(
+    { args, processPath: getCheckmarxPath(), name: "checkmarx" },
+    { display }
   );
 }
-async function getGitlabBranchList({
-  accessToken,
-  repoUrl
-}) {
-  const { projectPath } = parseOwnerAndRepo2(repoUrl);
-  const api = getGitBeaker({ gitlabAuthToken: accessToken });
-  try {
-    const res = await api.Branches.all(projectPath, {
-      perPage: 100,
-      pagination: "keyset",
-      orderBy: "updated_at",
-      sort: "dec"
-    });
-    return res.map((branch) => branch.name);
-  } catch (e) {
-    return [];
+async function getCheckmarxReport({ reportPath, repositoryRoot, branch, projectName }, { skipPrompts = false }) {
+  debug6("get checkmarx report start %s %s", reportPath, repositoryRoot);
+  const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
+    display: false
+  });
+  if (loginCode !== CHECKMARX_SUCCESS_CODE) {
+    if (skipPrompts) {
+      await throwCheckmarxConfigError();
+    }
+    await startCheckmarxConfigationPrompt();
+    await validateCheckamxCredentials();
   }
-}
-async function createMergeRequest(options) {
-  const { projectPath } = parseOwnerAndRepo2(options.repoUrl);
-  const api = getGitBeaker({ gitlabAuthToken: options.accessToken });
-  const res = await api.MergeRequests.create(
-    projectPath,
-    options.sourceBranchName,
-    options.targetBranchName,
-    options.title,
+  const extension = path5.extname(reportPath);
+  const filePath = path5.dirname(reportPath);
+  const fileName = path5.basename(reportPath, extension);
+  const checkmarxCommandArgs = getCheckmarxCommandArgs({
+    repoPath: repositoryRoot,
+    branch,
+    filePath,
+    fileName,
+    projectName
+  });
+  console.log("\u280B \u{1F50D} Initiating Checkmarx Scan ");
+  const { code: scanCode } = await forkCheckmarx(
+    [...SCAN_COMMAND, ...checkmarxCommandArgs],
     {
-      description: options.body
+      display: true
     }
   );
-  return res.iid;
-}
-async function getGitlabRepoDefaultBranch(repoUrl, options) {
-  const api = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
-  const { projectPath } = parseOwnerAndRepo2(repoUrl);
-  const project = await api.Projects.show(projectPath);
-  if (!project.default_branch) {
-    throw new Error("no default branch");
+  if (scanCode !== CHECKMARX_SUCCESS_CODE) {
+    createSpinner2("\u{1F50D} Something went wrong with the checkmarx scan").start().error();
+    throw new CliError();
   }
-  return project.default_branch;
+  await createSpinner2("\u{1F50D} Checkmarx Scan completed").start().success();
+  return true;
 }
-async function getGitlabReferenceData({ ref, gitlabUrl }, options) {
-  const { projectPath } = parseOwnerAndRepo2(gitlabUrl);
-  const api = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
-  const results = await Promise.allSettled([
-    (async () => {
-      const res = await api.Branches.show(projectPath, ref);
-      return {
-        sha: res.commit.id,
-        type: "BRANCH" /* BRANCH */,
-        date: res.commit.committed_date ? new Date(res.commit.committed_date) : void 0
-      };
-    })(),
-    (async () => {
-      const res = await api.Commits.show(projectPath, ref);
-      return {
-        sha: res.id,
-        type: "COMMIT" /* COMMIT */,
-        date: res.committed_date ? new Date(res.committed_date) : void 0
-      };
-    })(),
-    (async () => {
-      const res = await api.Tags.show(projectPath, ref);
-      return {
-        sha: res.commit.id,
-        type: "TAG" /* TAG */,
-        date: res.commit.committed_date ? new Date(res.commit.committed_date) : void 0
-      };
-    })()
-  ]);
-  const [branchRes, commitRes, tagRes] = results;
-  if (tagRes.status === "fulfilled") {
-    return tagRes.value;
-  }
-  if (branchRes.status === "fulfilled") {
-    return branchRes.value;
-  }
-  if (commitRes.status === "fulfilled") {
-    return commitRes.value;
-  }
-  throw new RefNotFoundError(`ref: ${ref} does not exist`);
+async function throwCheckmarxConfigError() {
+  await createSpinner2("\u{1F513} Checkmarx is not configued correctly").start().error();
+  throw new CliError(
+    `Checkmarx is not configued correctly
+ you can configure it by using the ${chalk2.bold(
+      "cx configure"
+    )} command`
+  );
 }
-function parseOwnerAndRepo2(gitlabUrl) {
-  gitlabUrl = removeTrailingSlash2(gitlabUrl);
-  const parsingResult = parseScmURL(gitlabUrl);
-  if (!parsingResult || parsingResult.hostname !== "gitlab.com") {
-    throw new InvalidUrlPatternError(`invalid gitlab repo Url ${gitlabUrl}`);
+async function validateCheckamxCredentials() {
+  console.log(`
+        Here's a suggestion for checkmarx configuation: 
+          ${chalk2.bold("AST Base URI:")} https://ast.checkmarx.net
+          ${chalk2.bold("AST Base Auth URI (IAM):")} https://iam.checkmarx.net
+  `);
+  await forkCheckmarx(CONFIGURE_COMMAND, { display: true });
+  const { code: loginCode } = await forkCheckmarx(VALIDATE_COMMAND, {
+    display: false
+  });
+  if (loginCode !== CHECKMARX_SUCCESS_CODE) {
+    const tryAgain = await tryCheckmarxConfiguarationAgain();
+    if (!tryAgain) {
+      await throwCheckmarxConfigError();
+    }
+    if (await tryCheckmarxConfiguarationAgain()) {
+      validateCheckamxCredentials();
+    }
   }
-  const { organization, repoName, projectPath } = parsingResult;
-  return { owner: organization, repo: repoName, projectPath };
+  await createSpinner2("\u{1F513} Checkmarx configured successfully!").start().success();
 }
-async function getGitlabBlameRanges({ ref, gitlabUrl, path: path8 }, options) {
-  const { projectPath } = parseOwnerAndRepo2(gitlabUrl);
-  const api = getGitBeaker({ gitlabAuthToken: options?.gitlabAuthToken });
-  const resp = await api.RepositoryFiles.allFileBlames(projectPath, path8, ref);
-  let lineNumber = 1;
-  return resp.filter((range) => range.lines).map((range) => {
-    const oldLineNumber = lineNumber;
-    if (!range.lines) {
-      throw new Error("range.lines should not be undefined");
+
+// src/features/analysis/scanners/snyk.ts
+import { createRequire as createRequire2 } from "node:module";
+import chalk3 from "chalk";
+import Debug8 from "debug";
+import { createSpinner as createSpinner3 } from "nanospinner";
+import open from "open";
+var debug7 = Debug8("mobbdev:snyk");
+var require3 = createRequire2(import.meta.url);
+var SNYK_PATH = require3.resolve("snyk/bin/snyk");
+var SNYK_ARTICLE_URL = "https://docs.snyk.io/scan-application-code/snyk-code/getting-started-with-snyk-code/activating-snyk-code-using-the-web-ui/step-1-enabling-the-snyk-code-option";
+debug7("snyk executable path %s", SNYK_PATH);
+async function forkSnyk(args, { display }) {
+  debug7("fork snyk with args %o %s", args, display);
+  return createFork(
+    { args, processPath: SNYK_PATH, name: "checkmarx" },
+    { display }
+  );
+}
+async function getSnykReport(reportPath, repoRoot, { skipPrompts = false }) {
+  debug7("get snyk report start %s %s", reportPath, repoRoot);
+  const config3 = await forkSnyk(["config"], { display: false });
+  const { message: configMessage } = config3;
+  if (!configMessage.includes("api: ")) {
+    const snykLoginSpinner = createSpinner3().start();
+    if (!skipPrompts) {
+      snykLoginSpinner.update({
+        text: "\u{1F513} Login to Snyk is required, press any key to continue"
+      });
+      await keypress();
     }
-    lineNumber += range.lines.length;
-    return {
-      startingLine: oldLineNumber,
-      endingLine: lineNumber - 1,
-      login: range.commit.author_email,
-      email: range.commit.author_email,
-      name: range.commit.author_name
-    };
-  });
+    snykLoginSpinner.update({
+      text: "\u{1F513} Waiting for Snyk login to complete"
+    });
+    debug7("no token in the config %s", config3);
+    await forkSnyk(["auth"], { display: true });
+    snykLoginSpinner.success({ text: "\u{1F513} Login to Snyk Successful" });
+  }
+  const snykSpinner = createSpinner3("\u{1F50D} Scanning your repo with Snyk ").start();
+  const { message: scanOutput } = await forkSnyk(
+    ["code", "test", `--sarif-file-output=${reportPath}`, repoRoot],
+    { display: true }
+  );
+  if (scanOutput.includes(
+    "Snyk Code is not supported for org: enable in Settings > Snyk Code"
+  )) {
+    debug7("snyk code is not enabled %s", scanOutput);
+    snykSpinner.error({ text: "\u{1F50D} Snyk configuration needed" });
+    const answer = await snykArticlePrompt();
+    debug7("answer %s", answer);
+    if (answer) {
+      debug7("opening the browser");
+      await open(SNYK_ARTICLE_URL);
+    }
+    console.log(
+      chalk3.bgBlue(
+        "\nPlease enable Snyk Code in your Snyk account and try again."
+      )
+    );
+    throw Error("snyk is not enbabled");
+  }
+  snykSpinner.success({ text: "\u{1F50D} Snyk code scan completed" });
+  return true;
 }
-var GitlabAuthResultZ = z5.object({
-  access_token: z5.string(),
-  token_type: z5.string(),
-  refresh_token: z5.string()
-});
 
 // src/features/analysis/upload-file.ts
-import Debug8 from "debug";
+import Debug9 from "debug";
 import fetch2, { File, fileFrom, FormData } from "node-fetch";
-var debug7 = Debug8("mobbdev:upload-file");
+var debug8 = Debug9("mobbdev:upload-file");
 async function uploadFile({
   file,
   url,
   uploadKey,
   uploadFields
 }) {
-  debug7("upload file start %s", url);
-  debug7("upload fields %o", uploadFields);
-  debug7("upload key %s", uploadKey);
+  debug8("upload file start %s", url);
+  debug8("upload fields %o", uploadFields);
+  debug8("upload key %s", uploadKey);
   const form = new FormData();
   Object.entries(uploadFields).forEach(([key, value]) => {
     form.append(key, value);
@@ -2101,10 +2687,10 @@ async function uploadFile({
     form.append("key", uploadKey);
   }
   if (typeof file === "string") {
-    debug7("upload file from path %s", file);
+    debug8("upload file from path %s", file);
     form.append("file", await fileFrom(file));
   } else {
-    debug7("upload file from buffer");
+    debug8("upload file from buffer");
     form.append("file", new File([file], "file"));
   }
   const response = await fetch2(url, {
@@ -2112,10 +2698,10 @@ async function uploadFile({
     body: form
   });
   if (!response.ok) {
-    debug7("error from S3 %s %s", response.body, response.status);
+    debug8("error from S3 %s %s", response.body, response.status);
     throw new Error(`Failed to upload the file: ${response.status}`);
   }
-  debug7("upload file done");
+  debug8("upload file done");
 }
 
 // src/features/analysis/index.ts
@@ -2132,7 +2718,7 @@ async function downloadRepo({
 }) {
   const { createSpinner: createSpinner4 } = Spinner2({ ci });
   const repoSpinner = createSpinner4("\u{1F4BE} Downloading Repo").start();
-  debug8("download repo %s %s %s", repoUrl, dirname);
+  debug9("download repo %s %s %s", repoUrl, dirname);
   const zipFilePath = path6.join(dirname, "repo.zip");
   const response = await fetch3(downloadUrl, {
     method: "GET",
@@ -2141,7 +2727,7 @@ async function downloadRepo({
     }
   });
   if (!response.ok) {
-    debug8("SCM zipball request failed %s %s", response.body, response.status);
+    debug9("SCM zipball request failed %s %s", response.body, response.status);
     repoSpinner.error({ text: "\u{1F4BE} Repo download failed" });
     throw new Error(`Can't access ${chalk4.bold(repoUrl)}`);
   }
@@ -2155,7 +2741,7 @@ async function downloadRepo({
   if (!repoRoot) {
     throw new Error("Repo root not found");
   }
-  debug8("repo root %s", repoRoot);
+  debug9("repo root %s", repoRoot);
   repoSpinner.success({ text: "\u{1F4BE} Repo downloaded successfully" });
   return path6.join(dirname, repoRoot);
 }
@@ -2164,7 +2750,7 @@ var LOGIN_CHECK_DELAY = 5 * 1e3;
 var MOBB_LOGIN_REQUIRED_MSG = `\u{1F513} Login to Mobb is Required, you will be redirected to our login page, once the authorization is complete return to this prompt, ${chalk4.bgBlue(
   "press any key to continue"
 )};`;
-var tmpObj = tmp.dirSync({
+var tmpObj = tmp2.dirSync({
   unsafeCleanup: true
 });
 var getReportUrl = ({
@@ -2172,7 +2758,7 @@ var getReportUrl = ({
   projectId,
   fixReportId
 }) => `${WEB_APP_URL}/organization/${organizationId}/project/${projectId}/report/${fixReportId}`;
-var debug8 = Debug9("mobbdev:index");
+var debug9 = Debug10("mobbdev:index");
 var packageJson = JSON.parse(
   fs3.readFileSync(path6.join(getDirName2(), "../package.json"), "utf8")
 );
@@ -2182,7 +2768,7 @@ if (!semver.satisfies(process.version, packageJson.engines.node)) {
   );
 }
 var config2 = new Configstore(packageJson.name, { apiToken: "" });
-debug8("config %o", config2);
+debug9("config %o", config2);
 async function runAnalysis(params, options) {
   try {
     await _scan(
@@ -2196,20 +2782,23 @@ async function runAnalysis(params, options) {
     tmpObj.removeCallback();
   }
 }
-async function _scan({
-  dirname,
-  repo,
-  scanFile,
-  apiKey,
-  ci,
-  srcPath,
-  commitHash,
-  ref,
-  scanner,
-  cxProjectName,
-  mobbProjectName
-}, { skipPrompts = false } = {}) {
-  debug8("start %s %s", dirname, repo);
+async function _scan(params, { skipPrompts = false } = {}) {
+  const {
+    dirname,
+    repo,
+    scanFile,
+    apiKey,
+    ci,
+    srcPath,
+    commitHash,
+    ref,
+    scanner,
+    cxProjectName,
+    mobbProjectName,
+    githubToken: githubActionToken,
+    command
+  } = params;
+  debug9("start %s %s", dirname, repo);
   const { createSpinner: createSpinner4 } = Spinner2({ ci });
   skipPrompts = skipPrompts || ci;
   let gqlClient = new GQLClient({
@@ -2265,9 +2854,9 @@ async function _scan({
   });
   const reference = ref ?? await scm.getRepoDefaultBranch();
   const { sha } = await scm.getReferenceData(reference);
-  debug8("org id %s", organizationId);
-  debug8("project id %s", projectId);
-  debug8("default branch %s", reference);
+  debug9("org id %s", organizationId);
+  debug9("project id %s", projectId);
+  debug9("default branch %s", reference);
   const repositoryRoot = await downloadRepo({
     repoUrl: repo,
     dirname,
@@ -2275,8 +2864,8 @@ async function _scan({
     authHeaders: scm.getAuthHeaders(),
     downloadUrl: scm.getDownloadUrl(sha)
   });
-  if (scanner) {
-    reportPath = await getReport(scanner);
+  if (command === "scan") {
+    reportPath = await getReport(SupportedScannersZ.parse(scanner));
   }
   if (!reportPath) {
     throw new Error("reportPath is null");
@@ -2295,23 +2884,43 @@ async function _scan({
   }
   uploadReportSpinner.success({ text: "\u{1F4C1} Report uploaded successfully" });
   const mobbSpinner = createSpinner4("\u{1F575}\uFE0F\u200D\u2642\uFE0F Initiating Mobb analysis").start();
-  try {
-    await gqlClient.submitVulnerabilityReport({
-      fixReportId: reportUploadInfo.fixReportId,
-      repoUrl: repo,
-      reference,
-      projectId,
-      vulnerabilityReportFileName: "report.json",
-      sha
-    });
-  } catch (e) {
-    mobbSpinner.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
-    throw e;
+  const sendReportRes = await sendReport();
+  if (command === "review") {
+    await gqlClient.subscribeToAnalysis(
+      { analysisId: sendReportRes.submitVulnerabilityReport.fixReportId },
+      (analysisId) => handleFinishedAnalysis({
+        analysisId,
+        gqlClient,
+        scm,
+        githubActionOctokit: new Octokit3({ auth: githubActionToken }),
+        scanner: z8.nativeEnum(SCANNERS).parse(scanner)
+      })
+    );
   }
   mobbSpinner.success({
     text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Generating fixes..."
   });
   await askToOpenAnalysis();
+  async function sendReport() {
+    try {
+      const sumbitRes = await gqlClient.submitVulnerabilityReport({
+        fixReportId: reportUploadInfo.fixReportId,
+        repoUrl: z8.string().parse(repo),
+        reference,
+        projectId,
+        vulnerabilityReportFileName: "report.json",
+        sha,
+        pullRequest: params.pullRequest
+      });
+      if (sumbitRes.submitVulnerabilityReport.__typename !== "VulnerabilityReport") {
+        throw new Error("\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed");
+      }
+      return sumbitRes;
+    } catch (e) {
+      mobbSpinner.error({ text: "\u{1F575}\uFE0F\u200D\u2642\uFE0F Mobb analysis failed" });
+      throw e;
+    }
+  }
   async function getReport(scanner2) {
     const reportPath2 = path6.join(dirname, "report.json");
     switch (scanner2) {
@@ -2342,7 +2951,6 @@ async function _scan({
       fixReportId: reportUploadInfo.fixReportId
     });
     !ci && console.log("You can access the analysis at: \n");
-    console.log(chalk4.bold(reportUrl));
     !skipPrompts && await mobbAnalysisPrompt();
     !ci && open2(reportUrl);
     !ci && console.log(
@@ -2387,9 +2995,9 @@ async function _scan({
       });
       loginSpinner.spin();
       if (encryptedApiToken) {
-        debug8("encrypted API token received %s", encryptedApiToken);
+        debug9("encrypted API token received %s", encryptedApiToken);
         newApiToken = crypto.privateDecrypt(privateKey, Buffer.from(encryptedApiToken, "base64")).toString("utf-8");
-        debug8("API token decrypted");
+        debug9("API token decrypted");
         break;
       }
       await sleep(LOGIN_CHECK_DELAY);
@@ -2402,7 +3010,7 @@ async function _scan({
     }
     gqlClient = new GQLClient({ apiKey: newApiToken });
     if (await gqlClient.verifyToken()) {
-      debug8("set api token %s", newApiToken);
+      debug9("set api token %s", newApiToken);
       config2.set("apiToken", newApiToken);
       loginSpinner.success({ text: "\u{1F513} Login to Mobb successful!" });
     } else {
@@ -2526,6 +3134,35 @@ async function _scan({
 
 // src/commands/index.ts
 import chalkAnimation from "chalk-animation";
+async function review(params, { skipPrompts = true } = {}) {
+  const {
+    repo,
+    f: scanFile,
+    ref,
+    apiKey,
+    commitHash,
+    mobbProjectName,
+    pullRequest,
+    githubToken,
+    scanner
+  } = params;
+  await runAnalysis(
+    {
+      repo,
+      scanFile,
+      ref,
+      apiKey,
+      ci: true,
+      commitHash,
+      mobbProjectName,
+      pullRequest,
+      githubToken,
+      scanner,
+      command: "review"
+    },
+    { skipPrompts }
+  );
+}
 async function analyze({
   repo,
   f: scanFile,
@@ -2546,7 +3183,8 @@ async function analyze({
       ci,
       commitHash,
       mobbProjectName,
-      srcPath
+      srcPath,
+      command: "analyze"
     },
     { skipPrompts }
   );
@@ -2565,7 +3203,7 @@ async function scan(scanOptions, { skipPrompts = false } = {}) {
     throw new CliError(errorMessages.missingCxProjectName);
   }
   await runAnalysis(
-    { ...scanOptions, scanner: selectedScanner },
+    { ...scanOptions, scanner: selectedScanner, command: "scan" },
     { skipPrompts }
   );
 }
@@ -2631,7 +3269,7 @@ var commitHashOption = {
 // src/args/validation.ts
 import chalk6 from "chalk";
 import path7 from "path";
-import { z as z6 } from "zod";
+import { z as z9 } from "zod";
 function throwRepoUrlErrorMessage({
   error,
   repoUrl,
@@ -2648,7 +3286,7 @@ Example:
   )}`;
   throw new CliError(formattedErrorMessage);
 }
-var UrlZ = z6.string({
+var UrlZ = z9.string({
   invalid_type_error: "is not a valid GitHub / GitLab URL"
 }).refine((data) => !!parseScmURL(data), {
   message: "is not a valid GitHub / GitLab URL"
@@ -2728,6 +3366,49 @@ async function analyzeHandler(args) {
   await analyze(args, { skipPrompts: args.yes });
 }
 
+// src/args/commands/review.ts
+import fs5 from "node:fs";
+import chalk8 from "chalk";
+function reviewBuilder(yargs2) {
+  return yargs2.option("f", {
+    alias: "scan-file",
+    demandOption: true,
+    type: "string",
+    describe: chalk8.bold(
+      "Select the vulnerability report to analyze (Checkmarx, Snyk, Fortify, CodeQL)"
+    )
+  }).option("repo", { ...repoOption, demandOption: true }).option("scanner", { ...scannerOptions, demandOption: true }).option("ref", { ...refOption, demandOption: true }).option("ch", {
+    alias: "commit-hash",
+    describe: chalk8.bold("Hash of the commit"),
+    type: "string",
+    demandOption: true
+  }).option("mobb-project-name", mobbProjectNameOption).option("api-key", { ...apiKeyOption, demandOption: true }).option("commit-hash", { ...commitHashOption, demandOption: true }).option("github-token", {
+    describe: chalk8.bold("Github action token"),
+    type: "string",
+    demandOption: true
+  }).option("pull-request", {
+    alias: "pr",
+    describe: chalk8.bold("Number of the pull request"),
+    type: "number",
+    demandOption: true
+  }).example(
+    "$0 review -r https://github.com/WebGoat/WebGoat -f <your_vulirabitliy_report_path>  --ch <pr_last_commit>   --pr <pr_number> --ref <pr_branch_name>  --api-key <api_key>",
+    "add fixes to your pr"
+  ).help();
+}
+function validateReviewOptions(argv) {
+  if (!fs5.existsSync(argv.f)) {
+    throw new CliError(`
+Can't access ${chalk8.bold(argv.f)}`);
+  }
+  validateRepoUrl(argv);
+  validateReportFileFormat(argv.f);
+}
+async function reviewHandler(args) {
+  validateReviewOptions(args);
+  await review(args, { skipPrompts: true });
+}
+
 // src/args/commands/scan.ts
 function scanBuilder(args) {
   return args.coerce("scanner", (arg) => arg.toLowerCase()).option("repo", repoOption).option("ref", refOption).option("scanner", scannerOptions).option("mobb-project-name", mobbProjectNameOption).option("y", yesOption).option("ci", ciOption).option("api-key", apiKeyOption).option("cx-project-name", projectNameOption).example(
@@ -2756,32 +3437,39 @@ async function scanHandler(args) {
 var parseArgs = async (args) => {
   const yargsInstance = yargs(args);
   return yargsInstance.updateStrings({
-    "Commands:": chalk8.yellow.underline.bold("Commands:"),
-    "Options:": chalk8.yellow.underline.bold("Options:"),
-    "Examples:": chalk8.yellow.underline.bold("Examples:"),
-    "Show help": chalk8.bold("Show help")
+    "Commands:": chalk9.yellow.underline.bold("Commands:"),
+    "Options:": chalk9.yellow.underline.bold("Options:"),
+    "Examples:": chalk9.yellow.underline.bold("Examples:"),
+    "Show help": chalk9.bold("Show help")
   }).usage(
-    `${chalk8.bold(
+    `${chalk9.bold(
       "\n Bugsy - Trusted, Automatic Vulnerability Fixer \u{1F575}\uFE0F\u200D\u2642\uFE0F\n\n"
-    )} ${chalk8.yellow.underline.bold("Usage:")} 
-  $0 ${chalk8.green(
+    )} ${chalk9.yellow.underline.bold("Usage:")} 
+  $0 ${chalk9.green(
       "<command>"
-    )} ${chalk8.dim("[options]")}
+    )} ${chalk9.dim("[options]")}
             `
   ).version(false).command(
-    "scan",
-    chalk8.bold(
+    mobbCliCommand.scan,
+    chalk9.bold(
       "Scan your code for vulnerabilities, get automated fixes right away."
     ),
     scanBuilder,
     scanHandler
   ).command(
-    "analyze",
-    chalk8.bold(
+    mobbCliCommand.analyze,
+    chalk9.bold(
       "Provide a vulnerability report and relevant code repository, get automated fixes right away."
     ),
     analyzeBuilder,
     analyzeHandler
+  ).command(
+    mobbCliCommand.review,
+    chalk9.bold(
+      "(beta) Mobb will review your github pull requests and provide comments with fixes "
+    ),
+    reviewBuilder,
+    reviewHandler
   ).example(
     "$0 scan -r https://github.com/WebGoat/WebGoat",
     "Scan an existing repository"
@@ -2790,7 +3478,7 @@ var parseArgs = async (args) => {
     handler() {
       yargsInstance.showHelp();
     }
-  }).strictOptions().help("h").alias("h", "help").epilog(chalk8.bgBlue("Made with \u2764\uFE0F  by Mobb")).showHelpOnFail(true).wrap(Math.min(120, yargsInstance.terminalWidth())).parse();
+  }).strictOptions().help("h").alias("h", "help").epilog(chalk9.bgBlue("Made with \u2764\uFE0F  by Mobb")).showHelpOnFail(true).wrap(Math.min(120, yargsInstance.terminalWidth())).parse();
 };
 
 // src/index.ts