oauthlint 0.4.0 → 0.6.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/README.md CHANGED
@@ -2,15 +2,16 @@
2
2
 
3
3
  # oauthlint
4
4
 
5
- **Catch the OAuth / OIDC / JWT anti-patterns AI coding tools systematically produce.**
5
+ **Catch the OAuth / OIDC / JWT / session / CORS anti-patterns AI coding tools systematically produce.**
6
6
 
7
- A curated, multi-language Semgrep rule pack · JS/TS · Python · Go · Java · Rust (and growing) · CLI + GitHub Action + VS Code · free & MIT
7
+ A curated, multi-language Semgrep rule pack · JS/TS · Python · Go · Java · Rust · CLI + GitHub Action + VS Code · free & MIT
8
8
 
9
9
  [![npm](https://img.shields.io/npm/v/oauthlint.svg)](https://www.npmjs.com/package/oauthlint)
10
10
  [![npm downloads](https://img.shields.io/npm/dm/oauthlint.svg)](https://www.npmjs.com/package/oauthlint)
11
11
  [![CI](https://github.com/Auspeo/oauthlint/actions/workflows/ci.yml/badge.svg)](https://github.com/Auspeo/oauthlint/actions/workflows/ci.yml)
12
12
  [![license](https://img.shields.io/badge/license-MIT-blue.svg)](https://opensource.org/licenses/MIT)
13
13
  [![docs](https://img.shields.io/badge/docs-oauthlint.dev-2f6feb.svg)](https://oauthlint.dev)
14
+ [![powered by Semgrep](https://img.shields.io/badge/powered%20by-Semgrep-0a7d6b.svg)](https://semgrep.dev)
14
15
 
15
16
  </div>
16
17
 
@@ -20,59 +21,10 @@ npx oauthlint scan ./src
20
21
 
21
22
  > Requires [Semgrep](https://semgrep.dev/docs/getting-started/) on the machine running the scan (`pipx install semgrep` or `brew install semgrep`). The CLI invokes it under the hood and normalises the output for humans and CI.
22
23
 
23
- 📖 **Full documentation & rule catalogue → [oauthlint.dev](https://oauthlint.dev)**
24
+ 📖 **Full docs & rule catalogue → [oauthlint.dev/docs](https://oauthlint.dev/docs)** · 🔬 **the research behind it → [oauthlint.dev/research](https://oauthlint.dev/research)**
24
25
 
25
26
  ---
26
27
 
27
- ## The problem
28
-
29
- LLM coding assistants — Cursor, Claude, GitHub Copilot, Gemini — ship the *same*
30
- OAuth/JWT mistakes across every project they touch:
31
-
32
- - a JWT verified with `alg: none` accepted
33
- - `client_secret` hard-coded in source
34
- - an OAuth flow with no `state` and no PKCE
35
- - a token written to `localStorage`, readable by any XSS
36
- - `redirect_uri` allow-listed with a `*` wildcard
37
- - a `/login` POST with no rate limiting
38
- - a password persisted in plaintext
39
- - `Math.random()` used for a CSRF token
40
-
41
- oauthlint is the layer between generic SAST and an enterprise IAM program:
42
- **free, focused, developer-first.** Every finding names the rule, the exact
43
- `file:line`, *why* it's dangerous, and *how* to fix it — with CWE/OWASP mappings.
44
-
45
- <div align="center">
46
-
47
- ![oauthlint scanning a project and flagging JWT auth issues](https://raw.githubusercontent.com/Auspeo/oauthlint/main/docs/public/demo.gif)
48
-
49
- </div>
50
-
51
- ## Why oauthlint, and not just Semgrep?
52
-
53
- Honest answer: nothing stops you from writing these rules yourself. Semgrep is
54
- open source — it's the engine we run — and a capable engineer could reproduce a
55
- lot of this. There's no technical moat and we won't pretend otherwise. What
56
- oauthlint gives you is the work most people never do:
57
-
58
- - **Low false positives, validated against real auth libraries.** The rules are
59
- run against `jose`, NextAuth, PyJWT, Authlib, `golang/oauth2`, `oauth2-rs`,
60
- Spring Security and more. Anything that fires on mature library source goes to
61
- a triage queue, not to you — validated across thousands of files of real
62
- auth-library source, with **zero false positives** on the clean libraries
63
- ([validation report](https://oauthlint.dev/VALIDATION)).
64
- - **One coherent product across every language it covers.** Same concepts, same ID scheme,
65
- same docs — not a patchwork of community rules with mismatched styles.
66
- - **Every finding teaches.** The 100+ rules — across JS/TS · Python · Go · Java
67
- · Rust — each link to a fix page with CWE and OWASP mappings. It's a lesson,
68
- not a grep hit.
69
- - **The angle the registry doesn't have:** oauthlint specifically targets the
70
- auth bugs AI coding tools ship on repeat, encoded in each rule's
71
- `llm-prevalence` metadata and measured by a [reproducible benchmark](https://github.com/Auspeo/oauthlint/tree/main/benchmark).
72
-
73
- Use oauthlint when you'd rather not write and maintain an auth rule pack
74
- yourself. That's the whole pitch.
75
-
76
28
  ## Quick start
77
29
 
78
30
  ```bash
@@ -82,236 +34,56 @@ npx oauthlint scan ./src
82
34
  # fail CI on HIGH severity and above
83
35
  npx oauthlint scan ./src --fail-on HIGH
84
36
 
85
- # machine-readable output
86
- npx oauthlint scan ./src --json
87
-
88
- # GitHub Code Scanning
37
+ # GitHub Code Scanning (SARIF) or a shareable HTML audit report
89
38
  npx oauthlint scan ./src --format sarif > oauthlint.sarif
39
+ npx oauthlint scan ./src --format html > report.html
90
40
 
91
- # auto-apply safe fixes (e.g. cookie flags)
92
- npx oauthlint scan ./src --fix
93
-
94
- # scan several explicit paths (e.g. a list of changed files)
95
- npx oauthlint scan src/auth.ts src/session.ts
96
-
97
- # scan only what changed vs the default branch (fast, incremental)
98
- npx oauthlint scan --diff
99
-
100
- # scan only git-staged files (ideal in a pre-commit hook)
101
- npx oauthlint scan --staged
102
-
103
- # adopt on a large existing codebase: snapshot today's findings…
104
- npx oauthlint baseline ./src
105
- # …then only get alerted on NEW findings from here on
106
- npx oauthlint scan ./src --baseline --fail-on HIGH
41
+ # learn a rule in the terminal: the why, the fix, and vulnerable/safe examples
42
+ npx oauthlint explain auth.jwt.alg-none
107
43
  ```
108
44
 
109
- ## Adopting on an existing codebase (baseline)
110
-
111
- Turning a linter on for the first time on a large repo usually drowns you in
112
- pre-existing findings. A **baseline** snapshots the findings that exist *today*
113
- so `scan` only alerts on **new** ones — letting you adopt OAuthLint without
114
- fixing everything up front.
45
+ Scan only what changed for fast pre-commit hooks and editors with `--diff` / `--staged`, or adopt on a large repo with a [baseline](https://oauthlint.dev/docs/baseline) (`oauthlint baseline ./src` then `scan --baseline`) so you're alerted on **new** findings only. Other commands: `list`, `explain`, `init`, `doctor`. Run `oauthlint --help` or see the [full CLI reference](https://oauthlint.dev/docs/cli).
115
46
 
116
- ```bash
117
- # 1. capture the current findings into .oauthlint-baseline.json (commit this file)
118
- oauthlint baseline ./src
119
-
120
- # 2. from now on, scan reports only findings NOT in the baseline
121
- oauthlint scan ./src --baseline --fail-on HIGH
122
- ```
47
+ ### Every finding teaches
123
48
 
124
- - **`oauthlint baseline [paths...]`** scans and writes
125
- `.oauthlint-baseline.json` (override with `-o, --output <file>`). It prints how
126
- many findings were baselined. Commit the file so the whole team shares it.
127
- - **`oauthlint scan --baseline [file]`** runs a normal scan, then suppresses any
128
- finding already in the baseline and reports only the rest. `--fail-on` and the
129
- exit code consider **only the new findings**. With no value it defaults to
130
- `.oauthlint-baseline.json`; a missing baseline file is a **clear error**
131
- (exit `2`), never silently treated as empty.
132
-
133
- **How a finding is fingerprinted.** Each finding gets a stable fingerprint —
134
- `sha256(oauthlintRuleId + repo-relative path + a whitespace-normalised snapshot
135
- of the matched code)`. Crucially the **raw line number is not part of the hash**,
136
- so moving a finding up or down (adding imports, reformatting) keeps it
137
- baselined, while **changing the flagged code** surfaces it as new. The same
138
- fingerprint occurring multiple times in one file is disambiguated by a
139
- deterministic occurrence index. Paths are normalised to repo/cwd-relative
140
- (POSIX separators) so a baseline is portable across machines, and unreadable
141
- files (deleted/binary) degrade gracefully instead of crashing. The baseline
142
- JSON is small, sorted and human-diffable (a `version`, a `generatedAt`, and the
143
- fingerprint list).
144
-
145
- ## Incremental scanning
146
-
147
- For pre-commit hooks and editor integrations, scanning the whole tree on every
148
- keystroke is wasteful. OAuthLint can scan **only the files that changed**:
49
+ Each finding ends with a hint, `↳ run \`oauthlint explain <rule-id>\` for details + the fix`. `oauthlint explain` brings the rule docs into your terminal, offline, from the bundled pack: severity, CWE/OWASP with canonical links, `llm-prevalence`, the why + how-to-fix, and side-by-side **vulnerable** vs **safe** code. It resolves a rule by id (`auth.jwt.alg-none`), slug (`jwt-alg-none`), or oauthlint-rule-id (`AUTH-JWT-001`); add `--json` for the structured rule object.
149
50
 
150
- ```bash
151
- # files changed vs the merge-base with the repo's default branch
152
- oauthlint scan --diff
51
+ ## What it catches
153
52
 
154
- # files changed vs an explicit ref (branch, tag, or commit)
155
- oauthlint scan --diff origin/main
156
- oauthlint scan --diff HEAD~5
53
+ LLM coding assistants (Cursor, Claude, Copilot, Gemini) ship the *same* auth bugs across every project: a JWT accepted with `alg: none`, a hard-coded `client_secret`, an OAuth flow with no `state`/PKCE, a token in `localStorage`, a `*` wildcard `redirect_uri`, an unrate-limited `/login`, a plaintext password, `Math.random()` for a CSRF token.
157
54
 
158
- # only git-staged files drop this in a pre-commit hook
159
- oauthlint scan --staged --fail-on HIGH
160
- ```
55
+ - **100+ rules** across **JS/TS · Python · Go · Java · Rust**, each mapped to CWE/OWASP with a fix page (a lesson, not a grep hit).
56
+ - **Dataflow (taint) analysis.** Beyond pattern-matching, the pack traces untrusted input through to dangerous sinks to catch **open-redirect** and **SSRF**.
57
+ - **HTML report.** `scan --format html` renders a self-contained, offline, no-JavaScript audit you can email or attach to a PR.
58
+ - Plus **SARIF** for Code Scanning, `--fix` for safe auto-fixes, incremental `--diff`/`--staged`, and a [baseline](https://oauthlint.dev/docs/baseline) for existing codebases.
161
59
 
162
- How the change set is resolved:
60
+ 👉 **Browse the always-current catalogue at [oauthlint.dev/rules](https://oauthlint.dev/rules/).**
163
61
 
164
- - **`--diff [ref]`** when no `ref` is given, the base is the merge-base with the
165
- repo's default branch (`origin/HEAD` → `origin/main` → `origin/master`, falling
166
- back to `HEAD` when there's no remote). The change set is everything Added /
167
- Copied / Modified / Renamed since that base, plus uncommitted work-tree and
168
- staged changes, plus new untracked files. Deleted files are skipped.
169
- - **`--staged`** — only the staged set (`git diff --cached`), the same files a
170
- commit is about to capture.
171
- - Explicit path args (`oauthlint scan a.ts b.ts`) scan exactly those paths.
62
+ ## Use directly with Semgrep, no install
172
63
 
173
- In every mode, files in a language the rule pack doesn't cover (Markdown,
174
- lockfiles, images, …) are filtered out automatically, and an **empty change set
175
- exits `0`** with a `No changed files to scan.` note — it never fails your commit.
176
- Outside a git repository, `--diff` / `--staged` print a clear error and exit `2`
177
- instead of crashing. Git is always invoked with arguments passed as an array
178
- (never a shell string), so a ref name can't inject a shell command.
179
-
180
- Example pre-commit hook (`.git/hooks/pre-commit`):
64
+ Already have [Semgrep](https://semgrep.dev)? Run the full pack with one command, no config file:
181
65
 
182
66
  ```bash
183
- #!/bin/sh
184
- npx oauthlint scan --staged --fail-on HIGH
185
- ```
186
-
187
- ## Commands
188
-
189
- ```
190
- oauthlint scan [paths...] Scan files/directories (default: current dir)
191
- oauthlint scan a.ts b.ts Scan an explicit list of paths
192
- oauthlint scan --diff [ref] Scan only files changed vs a git ref
193
- oauthlint scan --staged Scan only git-staged files (pre-commit)
194
- oauthlint scan --json Emit machine-readable JSON
195
- oauthlint scan --format sarif Emit SARIF for GitHub Code Scanning
196
- oauthlint scan --severity HIGH Only show findings ≥ HIGH
197
- oauthlint scan --fail-on off Never fail the build (CI dry-run)
198
- oauthlint scan --fix Auto-apply safe fixes
199
- oauthlint scan --baseline Report only findings NOT in the baseline
200
- oauthlint baseline [paths...] Snapshot current findings to a baseline file
201
- oauthlint baseline -o <file> Write the baseline to a custom path
202
- oauthlint list List every shipped rule
203
- oauthlint list --json Same, as JSON
204
- oauthlint init Generate .oauthlintrc.yml at cwd
205
- oauthlint init --force Overwrite an existing config
206
- oauthlint doctor Check your setup (Semgrep, config, …)
207
- oauthlint --no-update-check Skip the "update available" check (any command)
208
- ```
209
-
210
- ## Use it in CI
211
-
212
- Run the CLI in a workflow and upload SARIF to **GitHub Code Scanning** so
213
- findings appear inline on the PR:
214
-
215
- ```yaml
216
- # .github/workflows/oauthlint.yml
217
- jobs:
218
- oauthlint:
219
- runs-on: ubuntu-latest
220
- steps:
221
- - uses: actions/checkout@v4
222
- - run: pipx install semgrep # the engine oauthlint runs
223
- - run: npx oauthlint scan ./src --format sarif > oauthlint.sarif
224
- - uses: github/codeql-action/upload-sarif@v3
225
- with:
226
- sarif_file: oauthlint.sarif
227
- ```
228
-
229
- Or just fail the build on HIGH findings: `npx oauthlint scan ./src --fail-on HIGH`.
230
-
231
- ### GitHub Action
232
-
233
- Prefer not to wire up the CLI by hand? The **[GitHub Action](https://github.com/Auspeo/oauthlint/tree/main/action)** wraps it for you — it's Docker-based, so it runs in any repo regardless of language:
234
-
235
- ```yaml
236
- - uses: Auspeo/oauthlint/action@v1
237
- with:
238
- severity: HIGH
239
- fail-on: HIGH
67
+ semgrep --config https://oauthlint.dev/r/oauthlint.yaml ./src
240
68
  ```
241
69
 
242
- ### VS Code extension
70
+ Per-language bundles exist too (`oauthlint-python.yaml`, `oauthlint-go.yaml`, …). That URL is always the latest pack; for a pinned ruleset in CI, use this CLI (`npx oauthlint@<version> scan`) or vendor [`oauthlint-rules`](https://www.npmjs.com/package/oauthlint-rules). See [the Semgrep docs](https://oauthlint.dev/docs/semgrep).
243
71
 
244
- Catch findings as you type. Install **[oauthlint](https://marketplace.visualstudio.com/items?itemName=auspeo.oauthlint-vscode)** (`auspeo.oauthlint-vscode`) from the VS Code Marketplace for inline diagnostics on save, plus Quick Fix suppressions.
245
-
246
- ## What it catches
247
-
248
- Rules across OAuth 2.0, OIDC, JWT, cookies, CORS, secrets and session hygiene —
249
- each mapped to CWE & OWASP, each with a documentation page. Languages covered
250
- today (more on the way):
251
-
252
- | Language | Libraries |
253
- |----------|-----------|
254
- | JavaScript / TypeScript | jose, jsonwebtoken, NextAuth, express, … |
255
- | Python | PyJWT, Authlib, requests, Flask, Django |
256
- | Java | Spring Security, jjwt, nimbus-jose-jwt |
257
- | Go | golang-jwt, crypto/tls, net/http |
258
- | Rust | jsonwebtoken, reqwest, actix/tower |
259
-
260
- 👉 **Browse the full, always-current catalogue at [oauthlint.dev/rules](https://oauthlint.dev/rules/).**
261
-
262
- ## Configuration
263
-
264
- Generate a `.oauthlintrc.yml` at your repo root with `oauthlint init`:
265
-
266
- ```yaml
267
- version: 1
268
- include:
269
- - "src/**/*.{ts,tsx,js,jsx}"
270
- exclude:
271
- - "**/*.test.ts"
272
- rules:
273
- auth.cookie.no-samesite: warn
274
- auth.session.id-in-url: off
275
- failOn: HIGH
276
- ```
277
-
278
- ### Inline suppression
279
-
280
- ```ts
281
- // oauthlint-disable-next-line auth.jwt.alg-none -- legacy code, replaced in Q2
282
- return jwt.verify(token, key, { algorithms: ['RS256', 'none'] });
283
- ```
284
-
285
- Wholesale silencing (`oauthlint-disable-file *`) is intentionally unsupported —
286
- the next reviewer needs to see exactly which lines opted out, and why.
287
-
288
- ## Exit codes
289
-
290
- | Code | When |
291
- |:----:|------|
292
- | `0` | No finding at or above the `--fail-on` threshold |
293
- | `1` | At least one **HIGH** finding |
294
- | `2` | At least one **CRITICAL** finding, a scan whose output could not be parsed (it never silently exits clean), or a missing/malformed `--baseline` file |
295
- | `127` | Semgrep is not installed |
72
+ ## Why oauthlint, and not just Semgrep?
296
73
 
297
- > With `--baseline`, the `--fail-on` gate and these exit codes consider only the
298
- > **new** (non-baselined) findings.
74
+ Honest answer: nothing stops you writing these rules yourself. Semgrep is open source and it's the engine we run, so there's no technical moat. What oauthlint gives you is the work most people never do:
299
75
 
300
- ## Stay up to date
76
+ - **Low false positives, validated against real auth libraries.** `jose`, NextAuth, PyJWT, Authlib, `golang/oauth2`, `oauth2-rs`, Spring Security and more. Anything that fires on mature library source goes to a triage queue, not to you ([validation report](https://oauthlint.dev/VALIDATION)).
77
+ - **One coherent product across every language.** Same concepts, same ID scheme, same docs, not a patchwork of community rules.
78
+ - **The angle the registry doesn't have.** It targets the auth bugs AI tools ship on repeat, encoded in each rule's `llm-prevalence` metadata and measured by a reproducible benchmark ([the research](https://oauthlint.dev/research)).
301
79
 
302
- oauthlint occasionally prints a short *"Update available"* notice to **stderr**
303
- when a newer version is on npm. It's designed to stay out of your way:
80
+ Use oauthlint when you'd rather not write and maintain an auth rule pack yourself. That's the whole pitch.
304
81
 
305
- - It's **non-blocking** and checks npm at most **once a day** (the result is
306
- cached), so it never slows a scan down.
307
- - It writes to **stderr only** and is **silent** under `--json` / `--format
308
- sarif`, when output is piped, in CI, and offline — so it can never corrupt a
309
- machine-readable report or nag automated runs.
82
+ ## Also available
310
83
 
311
- To turn it off entirely, pass `--no-update-check` or set the standard
312
- `NO_UPDATE_NOTIFIER=1` environment variable.
84
+ - **GitHub Action.** `Auspeo/oauthlint/action@v1`, Docker-based (any language), with inline PR annotations and a job summary. [Docs](https://github.com/Auspeo/oauthlint/tree/main/action).
85
+ - **VS Code / Cursor / Windsurf.** [oauthlint](https://marketplace.visualstudio.com/items?itemName=auspeo.oauthlint-vscode) on the VS Code Marketplace and [OpenVSX](https://open-vsx.org/extension/auspeo/oauthlint-vscode): inline diagnostics on save, a status-bar finding count, and Quick Fix suppressions.
313
86
 
314
87
  ## License
315
88
 
316
- MIT see [LICENSE](https://github.com/Auspeo/oauthlint/blob/main/LICENSE).
317
- Built and maintained by [Auspeo](https://github.com/Auspeo).
89
+ MIT. See [LICENSE](https://github.com/Auspeo/oauthlint/blob/main/LICENSE). Built and maintained by [Auspeo](https://github.com/Auspeo).
package/dist/cli.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAyEpC,wBAAsB,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC,CAwHrD"}
1
+ {"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAGA,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AA0EpC,wBAAsB,YAAY,IAAI,OAAO,CAAC,OAAO,CAAC,CAyIrD"}
package/dist/cli.js CHANGED
@@ -5,6 +5,7 @@ import { Command } from 'commander';
5
5
  import pc from 'picocolors';
6
6
  import { runBaseline } from './commands/baseline.js';
7
7
  import { runDoctor } from './commands/doctor.js';
8
+ import { runExplain } from './commands/explain.js';
8
9
  import { runInit } from './commands/init.js';
9
10
  import { runList } from './commands/list.js';
10
11
  import { runScan } from './commands/scan.js';
@@ -80,7 +81,7 @@ export async function buildProgram() {
80
81
  .argument('[paths...]', 'One or more files/directories to scan', ['.'])
81
82
  .description('Scan files or directories for auth misconfigurations')
82
83
  .option('--json', 'Emit JSON (shortcut for --format json)')
83
- .option('--format <fmt>', 'Output format: pretty | json | sarif', parseFormat)
84
+ .option('--format <fmt>', 'Output format: pretty | json | sarif | html', parseFormat)
84
85
  .option('--severity <level>', 'Only emit findings ≥ this severity', parseSeverity)
85
86
  .option('--fail-on <level>', 'Process exits non-zero if any finding ≥ this severity', parseFailOn)
86
87
  .option('--diff [ref]', 'Scan only files changed vs a git ref (default: merge-base with the default branch)')
@@ -101,7 +102,10 @@ export async function buildProgram() {
101
102
  fix: opts.fix,
102
103
  baseline: opts.baseline,
103
104
  });
104
- const machineReadable = opts.json === true || opts.format === 'json' || opts.format === 'sarif';
105
+ const machineReadable = opts.json === true ||
106
+ opts.format === 'json' ||
107
+ opts.format === 'sarif' ||
108
+ opts.format === 'html';
105
109
  await finishWithNotice(code, { version, machineReadable, updateCheck: updateCheckEnabled() });
106
110
  });
107
111
  program
@@ -147,6 +151,19 @@ export async function buildProgram() {
147
151
  updateCheck: updateCheckEnabled(),
148
152
  });
149
153
  });
154
+ program
155
+ .command('explain')
156
+ .argument('<rule>', 'A rule id (auth.jwt.alg-none), slug (jwt-alg-none), or AUTH-JWT-001')
157
+ .description('Explain one rule — why it matters, the fix, and vulnerable/safe examples')
158
+ .option('--json', 'Emit the structured rule object instead of pretty output')
159
+ .action(async (rule, opts) => {
160
+ const code = await runExplain({ rule, json: opts.json });
161
+ await finishWithNotice(code, {
162
+ version,
163
+ machineReadable: opts.json === true,
164
+ updateCheck: updateCheckEnabled(),
165
+ });
166
+ });
150
167
  program
151
168
  .command('doctor')
152
169
  .description('Diagnose your OAuthLint install (Node, Semgrep, rule pack)')
@@ -174,7 +191,7 @@ function parseFailOn(v) {
174
191
  return 'off';
175
192
  return parseSeverity(v);
176
193
  }
177
- const FORMATS = ['pretty', 'json', 'sarif'];
194
+ const FORMATS = ['pretty', 'json', 'sarif', 'html'];
178
195
  function parseFormat(v) {
179
196
  const lower = v.toLowerCase();
180
197
  if (!FORMATS.includes(lower)) {
package/dist/cli.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAmB,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAqB,MAAM,YAAY,CAAC;AAM3D;;;;;;;;GAQG;AACH,KAAK,UAAU,cAAc,CAAC,IAAY;IACxC,MAAM,KAAK,GAAG,CAAC,CAAqB,EAAiB,EAAE,CACrD,IAAI,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QAClB,IAAI,CAAC,CAAC,cAAc,KAAK,CAAC,EAAE,CAAC;YAC3B,GAAG,EAAE,CAAC;YACN,OAAO;QACT,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IACL,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAClE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,GAAwE;IAExE,MAAM,iBAAiB,CAAC;QACtB,cAAc,EAAE,GAAG,CAAC,OAAO;QAC3B,eAAe,EAAE,GAAG,CAAC,eAAe;QACpC,QAAQ,EAAE,CAAC,GAAG,CAAC,WAAW;KAC3B,CAAC,CAAC;IACH,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,iDAAiD;IACjD,8DAA8D;IAC9D,KAAK,MAAM,SAAS,IAAI;QACtB,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;QACnC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;KAC1C,EAAE,CAAC;QACF,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAY,CAAC;YACrE,IAAI,GAAG,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,OAAO,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,cAAc;QAChB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,MAAM,kBAAkB,EAAE,CAAC;IAE3C,OAAO;SACJ,IAAI,CAAC,WAAW,CAAC;SACjB,WAAW,CACV,4FAA4F,CAC7F;SACA,OAAO,CAAC,OAAO,EAAE,eAAe,CAAC;SACjC,MAAM,CAAC,mBAAmB,EAAE,gDAAgD,CAAC,CAAC;IAEjF,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,kBAAkB,GAAG,GAAY,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,WAAW,KAAK,KAAK,CAAC;IAE/E,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,QAAQ,CAAC,YAAY,EAAE,uCAAuC,EAAE,CAAC,GAAG,CAAC,CAAC;SACtE,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,QAAQ,EAAE,wCAAwC,CAAC;SAC1D,MAAM,CAAC,gBAAgB,EAAE,sCAAsC,EAAE,WAAW,CAAC;SAC7E,MAAM,CAAC,oBAAoB,EAAE,oCAAoC,EAAE,aAAa,CAAC;SACjF,MAAM,CACL,mBAAmB,EACnB,uDAAuD,EACvD,WAAW,CACZ;SACA,MAAM,CACL,cAAc,EACd,oFAAoF,CACrF;SACA,MAAM,CAAC,UAAU,EAAE,0DAA0D,CAAC;SAC9E,MAAM,CAAC,oBAAoB,EAAE,sCAAsC,CAAC;SACpE,MAAM,CAAC,OAAO,EAAE,4DAA4D,CAAC;SAC7E,MAAM,CACL,mBAAmB,EACnB,4GAA4G,CAC7G;SACA,MAAM,CAAC,KAAK,EAAE,KAAe,EAAE,IAAoB,EAAE,EAAE;QACtD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC;YACzB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC,CAAC;QACH,MAAM,eAAe,GACnB,IAAI,CAAC,IAAI,KAAK,IAAI,IAAI,IAAI,CAAC,MAAM,KAAK,MAAM,IAAI,IAAI,CAAC,MAAM,KAAK,OAAO,CAAC;QAC1E,MAAM,gBAAgB,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;IAChG,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,QAAQ,CAAC,YAAY,EAAE,uCAAuC,EAAE,CAAC,GAAG,CAAC,CAAC;SACtE,WAAW,CACV,sFAAsF,CACvF;SACA,MAAM,CAAC,qBAAqB,EAAE,kCAAkC,EAAE,0BAA0B,CAAC;SAC7F,MAAM,CAAC,oBAAoB,EAAE,sCAAsC,CAAC;SACpE,MAAM,CAAC,KAAK,EAAE,KAAe,EAAE,IAAwB,EAAE,EAAE;QAC1D,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC;YAC7B,KAAK;YACL,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC,CAAC;QACH,iEAAiE;QACjE,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,KAAK;YACtB,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,gDAAgD,CAAC;SAC7D,MAAM,CAAC,QAAQ,EAAE,oCAAoC,CAAC;SACtD,MAAM,CAAC,KAAK,EAAE,IAAwB,EAAE,EAAE;QACzC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,IAAI,CAAC,IAAI,KAAK,IAAI;YACnC,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,aAAa,EAAE,mCAAmC,CAAC;SAC1D,MAAM,CAAC,KAAK,EAAE,IAAyB,EAAE,EAAE;QAC1C,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACtE,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,KAAK;YACtB,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,4DAA4D,CAAC;SACzE,MAAM,CAAC,QAAQ,EAAE,oCAAoC,CAAC;SACtD,MAAM,CAAC,KAAK,EAAE,IAAwB,EAAE,EAAE;QACzC,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAClD,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,IAAI,CAAC,IAAI,KAAK,IAAI;YACnC,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC,CAAC;IACtF,OAAO,OAAO,CAAC;AACjB,CAAC;AAsBD,SAAS,aAAa,CAAC,CAAS;IAC9B,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,EAAkB,CAAC;IAC9C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,uBAAuB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,OAAO,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,CAAU,CAAC;AACrD,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,EAAgB,CAAC;IAC5C,IAAI,CAAE,OAA6B,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,uBAAuB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}
1
+ {"version":3,"file":"cli.js","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,QAAQ,EAAE,MAAM,kBAAkB,CAAC;AAC5C,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AAC7C,OAAO,EAAE,aAAa,EAAE,MAAM,UAAU,CAAC;AACzC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,EAAE,MAAM,YAAY,CAAC;AAC5B,OAAO,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrD,OAAO,EAAE,SAAS,EAAE,MAAM,sBAAsB,CAAC;AACjD,OAAO,EAAE,UAAU,EAAE,MAAM,uBAAuB,CAAC;AACnD,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC7C,OAAO,EAAmB,OAAO,EAAE,MAAM,oBAAoB,CAAC;AAC9D,OAAO,EAAE,iBAAiB,EAAE,MAAM,2BAA2B,CAAC;AAC9D,OAAO,EAAE,UAAU,EAAqB,MAAM,YAAY,CAAC;AAM3D;;;;;;;;GAQG;AACH,KAAK,UAAU,cAAc,CAAC,IAAY;IACxC,MAAM,KAAK,GAAG,CAAC,CAAqB,EAAiB,EAAE,CACrD,IAAI,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE;QAClB,IAAI,CAAC,CAAC,cAAc,KAAK,CAAC,EAAE,CAAC;YAC3B,GAAG,EAAE,CAAC;YACN,OAAO;QACT,CAAC;QACD,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,GAAG,EAAE,CAAC,GAAG,EAAE,CAAC,CAAC;IAC/B,CAAC,CAAC,CAAC;IACL,MAAM,OAAO,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC;IAClE,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACrB,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,gBAAgB,CAC7B,IAAY,EACZ,GAAwE;IAExE,MAAM,iBAAiB,CAAC;QACtB,cAAc,EAAE,GAAG,CAAC,OAAO;QAC3B,eAAe,EAAE,GAAG,CAAC,eAAe;QACpC,QAAQ,EAAE,CAAC,GAAG,CAAC,WAAW;KAC3B,CAAC,CAAC;IACH,OAAO,cAAc,CAAC,IAAI,CAAC,CAAC;AAC9B,CAAC;AAED,KAAK,UAAU,kBAAkB;IAC/B,MAAM,IAAI,GAAG,OAAO,CAAC,aAAa,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IACrD,iDAAiD;IACjD,8DAA8D;IAC9D,KAAK,MAAM,SAAS,IAAI;QACtB,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;QACnC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC;KAC1C,EAAE,CAAC;QACF,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,QAAQ,CAAC,SAAS,EAAE,MAAM,CAAC,CAAY,CAAC;YACrE,IAAI,GAAG,CAAC,OAAO;gBAAE,OAAO,GAAG,CAAC,OAAO,CAAC;QACtC,CAAC;QAAC,MAAM,CAAC;YACP,cAAc;QAChB,CAAC;IACH,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,YAAY;IAChC,MAAM,OAAO,GAAG,IAAI,OAAO,EAAE,CAAC;IAC9B,MAAM,OAAO,GAAG,MAAM,kBAAkB,EAAE,CAAC;IAE3C,OAAO;SACJ,IAAI,CAAC,WAAW,CAAC;SACjB,WAAW,CACV,4FAA4F,CAC7F;SACA,OAAO,CAAC,OAAO,EAAE,eAAe,CAAC;SACjC,MAAM,CAAC,mBAAmB,EAAE,gDAAgD,CAAC,CAAC;IAEjF,+EAA+E;IAC/E,yEAAyE;IACzE,MAAM,kBAAkB,GAAG,GAAY,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,CAAC,WAAW,KAAK,KAAK,CAAC;IAE/E,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,QAAQ,CAAC,YAAY,EAAE,uCAAuC,EAAE,CAAC,GAAG,CAAC,CAAC;SACtE,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,QAAQ,EAAE,wCAAwC,CAAC;SAC1D,MAAM,CAAC,gBAAgB,EAAE,6CAA6C,EAAE,WAAW,CAAC;SACpF,MAAM,CAAC,oBAAoB,EAAE,oCAAoC,EAAE,aAAa,CAAC;SACjF,MAAM,CACL,mBAAmB,EACnB,uDAAuD,EACvD,WAAW,CACZ;SACA,MAAM,CACL,cAAc,EACd,oFAAoF,CACrF;SACA,MAAM,CAAC,UAAU,EAAE,0DAA0D,CAAC;SAC9E,MAAM,CAAC,oBAAoB,EAAE,sCAAsC,CAAC;SACpE,MAAM,CAAC,OAAO,EAAE,4DAA4D,CAAC;SAC7E,MAAM,CACL,mBAAmB,EACnB,4GAA4G,CAC7G;SACA,MAAM,CAAC,KAAK,EAAE,KAAe,EAAE,IAAoB,EAAE,EAAE;QACtD,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC;YACzB,KAAK;YACL,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,IAAI,EAAE,IAAI,CAAC,IAAI;YACf,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;YACvB,GAAG,EAAE,IAAI,CAAC,GAAG;YACb,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC,CAAC;QACH,MAAM,eAAe,GACnB,IAAI,CAAC,IAAI,KAAK,IAAI;YAClB,IAAI,CAAC,MAAM,KAAK,MAAM;YACtB,IAAI,CAAC,MAAM,KAAK,OAAO;YACvB,IAAI,CAAC,MAAM,KAAK,MAAM,CAAC;QACzB,MAAM,gBAAgB,CAAC,IAAI,EAAE,EAAE,OAAO,EAAE,eAAe,EAAE,WAAW,EAAE,kBAAkB,EAAE,EAAE,CAAC,CAAC;IAChG,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,QAAQ,CAAC,YAAY,EAAE,uCAAuC,EAAE,CAAC,GAAG,CAAC,CAAC;SACtE,WAAW,CACV,sFAAsF,CACvF;SACA,MAAM,CAAC,qBAAqB,EAAE,kCAAkC,EAAE,0BAA0B,CAAC;SAC7F,MAAM,CAAC,oBAAoB,EAAE,sCAAsC,CAAC;SACpE,MAAM,CAAC,KAAK,EAAE,KAAe,EAAE,IAAwB,EAAE,EAAE;QAC1D,MAAM,IAAI,GAAG,MAAM,WAAW,CAAC;YAC7B,KAAK;YACL,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,QAAQ,EAAE,IAAI,CAAC,QAAQ;SACxB,CAAC,CAAC;QACH,iEAAiE;QACjE,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,KAAK;YACtB,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,gDAAgD,CAAC;SAC7D,MAAM,CAAC,QAAQ,EAAE,oCAAoC,CAAC;SACtD,MAAM,CAAC,KAAK,EAAE,IAAwB,EAAE,EAAE;QACzC,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAChD,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,IAAI,CAAC,IAAI,KAAK,IAAI;YACnC,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,aAAa,EAAE,mCAAmC,CAAC;SAC1D,MAAM,CAAC,KAAK,EAAE,IAAyB,EAAE,EAAE;QAC1C,MAAM,IAAI,GAAG,MAAM,OAAO,CAAC,EAAE,GAAG,EAAE,OAAO,CAAC,GAAG,EAAE,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC,CAAC;QACtE,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,KAAK;YACtB,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,SAAS,CAAC;SAClB,QAAQ,CAAC,QAAQ,EAAE,qEAAqE,CAAC;SACzF,WAAW,CAAC,0EAA0E,CAAC;SACvF,MAAM,CAAC,QAAQ,EAAE,0DAA0D,CAAC;SAC5E,MAAM,CAAC,KAAK,EAAE,IAAY,EAAE,IAAwB,EAAE,EAAE;QACvD,MAAM,IAAI,GAAG,MAAM,UAAU,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACzD,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,IAAI,CAAC,IAAI,KAAK,IAAI;YACnC,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,4DAA4D,CAAC;SACzE,MAAM,CAAC,QAAQ,EAAE,oCAAoC,CAAC;SACtD,MAAM,CAAC,KAAK,EAAE,IAAwB,EAAE,EAAE;QACzC,MAAM,IAAI,GAAG,MAAM,SAAS,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QAClD,MAAM,gBAAgB,CAAC,IAAI,EAAE;YAC3B,OAAO;YACP,eAAe,EAAE,IAAI,CAAC,IAAI,KAAK,IAAI;YACnC,WAAW,EAAE,kBAAkB,EAAE;SAClC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEL,OAAO,CAAC,kBAAkB,CAAC,EAAE,CAAC,GAAG,CAAC,iDAAiD,CAAC,CAAC,CAAC;IACtF,OAAO,OAAO,CAAC;AACjB,CAAC;AAsBD,SAAS,aAAa,CAAC,CAAS;IAC9B,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,EAAkB,CAAC;IAC9C,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,qBAAqB,CAAC,uBAAuB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACxF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,WAAW,CAAC,CAAS;IAC5B,IAAI,CAAC,KAAK,KAAK;QAAE,OAAO,KAAK,CAAC;IAC9B,OAAO,aAAa,CAAC,CAAC,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,OAAO,GAAG,CAAC,QAAQ,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,CAAU,CAAC;AAC7D,SAAS,WAAW,CAAC,CAAS;IAC5B,MAAM,KAAK,GAAG,CAAC,CAAC,WAAW,EAAgB,CAAC;IAC5C,IAAI,CAAE,OAA6B,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACpD,MAAM,IAAI,KAAK,CAAC,mBAAmB,CAAC,uBAAuB,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACnF,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC"}
@@ -0,0 +1,58 @@
1
+ import { type SeverityName } from '../types.js';
2
+ export interface ExplainOptions {
3
+ /** The rule to explain — a rule id, slug, or oauthlint-rule-id. */
4
+ rule: string;
5
+ /** When true, emit the structured rule object as JSON instead of pretty output. */
6
+ json?: boolean;
7
+ /** Stream to write the explanation to (defaults to process.stdout). */
8
+ stream?: NodeJS.WritableStream;
9
+ /** Stream for errors / chrome (defaults to process.stderr). */
10
+ errStream?: NodeJS.WritableStream;
11
+ /** Override the bundled rules root (used by tests). */
12
+ rulesRoot?: string;
13
+ }
14
+ interface CodeExample {
15
+ /** Absolute path to the fixture file the example was read from. */
16
+ file: string;
17
+ /** The fixture source, with Semgrep test annotations stripped. */
18
+ code: string;
19
+ }
20
+ /** The structured object emitted by `--json` and rendered by the pretty path. */
21
+ export interface ExplainedRule {
22
+ id: string;
23
+ oauthlintRuleId: string;
24
+ slug: string;
25
+ /** Rule-declared Semgrep severity (INFO | WARNING | ERROR). */
26
+ severity: string;
27
+ /** The 5-level severity a scan finding would carry (mapped from `severity`). */
28
+ findingSeverity: SeverityName;
29
+ /** Rule family taken from the id, e.g. `jwt`, `oauth`, `cookie`. */
30
+ category: string;
31
+ /** Language segment of the id for language packs (e.g. `py`, `go`), else null. */
32
+ language: string | null;
33
+ languages: string[];
34
+ cwe: string | null;
35
+ cweUrl: string | null;
36
+ owasp: string | null;
37
+ owaspUrl: string | null;
38
+ llmPrevalence: 'HIGH' | 'MEDIUM' | 'LOW';
39
+ message: string;
40
+ docUrl: string;
41
+ references: string[];
42
+ technology: string[];
43
+ examples: {
44
+ vulnerable: CodeExample | null;
45
+ safe: CodeExample | null;
46
+ };
47
+ }
48
+ /**
49
+ * `oauthlint explain <rule>` — bring the rule docs into the terminal.
50
+ *
51
+ * Resolves `<rule>` offline from the bundled pack by rule id
52
+ * (`auth.jwt.alg-none`), slug (`jwt-alg-none`), or oauthlint-rule-id
53
+ * (`AUTH-JWT-001`), then prints the why/how-to-fix plus the vulnerable & safe
54
+ * code examples. `--json` emits the structured rule object instead.
55
+ */
56
+ export declare function runExplain(opts: ExplainOptions): Promise<number>;
57
+ export {};
58
+ //# sourceMappingURL=explain.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"explain.d.ts","sourceRoot":"","sources":["../../src/commands/explain.ts"],"names":[],"mappings":"AAIA,OAAO,EAAwB,KAAK,YAAY,EAAE,MAAM,aAAa,CAAC;AAEtE,MAAM,WAAW,cAAc;IAC7B,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,mFAAmF;IACnF,IAAI,CAAC,EAAE,OAAO,CAAC;IACf,uEAAuE;IACvE,MAAM,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IAC/B,+DAA+D;IAC/D,SAAS,CAAC,EAAE,MAAM,CAAC,cAAc,CAAC;IAClC,uDAAuD;IACvD,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,UAAU,WAAW;IACnB,mEAAmE;IACnE,IAAI,EAAE,MAAM,CAAC;IACb,kEAAkE;IAClE,IAAI,EAAE,MAAM,CAAC;CACd;AAED,iFAAiF;AACjF,MAAM,WAAW,aAAa;IAC5B,EAAE,EAAE,MAAM,CAAC;IACX,eAAe,EAAE,MAAM,CAAC;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,+DAA+D;IAC/D,QAAQ,EAAE,MAAM,CAAC;IACjB,gFAAgF;IAChF,eAAe,EAAE,YAAY,CAAC;IAC9B,oEAAoE;IACpE,QAAQ,EAAE,MAAM,CAAC;IACjB,kFAAkF;IAClF,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,GAAG,EAAE,MAAM,GAAG,IAAI,CAAC;IACnB,MAAM,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,KAAK,EAAE,MAAM,GAAG,IAAI,CAAC;IACrB,QAAQ,EAAE,MAAM,GAAG,IAAI,CAAC;IACxB,aAAa,EAAE,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IACzC,OAAO,EAAE,MAAM,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,UAAU,EAAE,MAAM,EAAE,CAAC;IACrB,QAAQ,EAAE;QACR,UAAU,EAAE,WAAW,GAAG,IAAI,CAAC;QAC/B,IAAI,EAAE,WAAW,GAAG,IAAI,CAAC;KAC1B,CAAC;CACH;AAED;;;;;;;GAOG;AACH,wBAAsB,UAAU,CAAC,IAAI,EAAE,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC,CAqBtE"}