pinata-security-cli 0.4.0 → 0.4.1

package/README.md

@@ -90,7 +90,8 @@ dist/
 --dry-run             # Preview generated tests without running
 --confidence <level>  # high (default), medium, low
 --output <format>     # terminal, json, sarif, junit, markdown
---domain <domain>     # security, data, concurrency, etc.
+--output-file <path>  # Write results to file (for SARIF upload)
+--domains <domains>   # security, data, concurrency, etc.
 --severity <level>    # critical, high, medium, low
 --exclude <dirs>      # Comma-separated directories to skip
 ```
@@ -149,21 +150,50 @@ pinata analyze . --execute --dry-run
 
 ## CI/CD Integration
 
-**GitHub Actions**
+**GitHub Action (recommended)**
+
 ```yaml
 name: Security Scan
 on: [push, pull_request]
 
 jobs:
-  pinata:
+  security:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - uses: actions/checkout@v4
-      - name: Run Pinata
-        run: npx --yes pinata-security-cli@latest analyze . --output sarif > results.sarif
-      - uses: github/codeql-action/upload-sarif@v3
+      - uses: christiancattaneo/pinata-security@v1
         with:
-          sarif_file: results.sarif
+          confidence: high
+          sarif-output: pinata.sarif
+      # Optional: AI verification
+      # with:
+      #   verify: true
+      # env:
+      #   ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+```
+
+**Action inputs:**
+- `path` - Directory to scan (default: `.`)
+- `confidence` - high, medium, low (default: `high`)
+- `domains` - Comma-separated domains to scan
+- `verify` - Enable AI verification (default: `false`)
+- `fail-on-gaps` - Fail if gaps found (default: `true`)
+- `sarif-output` - Path for SARIF file (auto-uploads to GitHub Security)
+
+**Action outputs:**
+- `score` - Pinata score (0-100)
+- `gaps` - Number of gaps found
+- `sarif-file` - Path to SARIF file
+
+**Manual workflow (any CI)**
+```yaml
+- run: npx --yes pinata-security-cli@latest analyze . --output sarif --output-file results.sarif
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
 ```
 
 **GitLab CI**

package/dist/cli/index.js

@@ -2,7 +2,7 @@
 import { z } from 'zod';
 import fs, { mkdir, writeFile, readFile, stat, readdir, mkdtemp, rm } from 'fs/promises';
 import path, { dirname, resolve, join, basename, relative, extname } from 'path';
-import { existsSync, readFileSync, writeFileSync, chmodSync, mkdirSync } from 'fs';
+import { existsSync, writeFileSync, readFileSync, chmodSync, mkdirSync } from 'fs';
 import { homedir, tmpdir } from 'os';
 import { spawn } from 'child_process';
 import { useState } from 'react';
@@ -2553,6 +2553,174 @@ var init_tui = __esm({
     init_App();
   }
 });
+
+// src/feedback/types.ts
+function suggestConfidence(precision) {
+  if (precision >= CONFIDENCE_THRESHOLDS.high) return "high";
+  if (precision >= CONFIDENCE_THRESHOLDS.medium) return "medium";
+  return "low";
+}
+var EMPTY_FEEDBACK_STATE, CONFIDENCE_THRESHOLDS;
+var init_types3 = __esm({
+  "src/feedback/types.ts"() {
+    EMPTY_FEEDBACK_STATE = {
+      version: 1,
+      patterns: {},
+      totalScans: 0,
+      lastScanAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    CONFIDENCE_THRESHOLDS = {
+      /** Precision >= 0.7 → high confidence */
+      high: 0.7,
+      /** Precision >= 0.4 → medium confidence */
+      medium: 0.4,
+      /** Precision < 0.4 → low confidence */
+      low: 0
+    };
+  }
+});
+async function loadFeedback() {
+  try {
+    const content = await readFile(FEEDBACK_FILE, "utf-8");
+    const state = JSON.parse(content);
+    if (state.version !== 1) {
+      console.warn("Feedback version mismatch, resetting...");
+      return { ...EMPTY_FEEDBACK_STATE };
+    }
+    return state;
+  } catch {
+    return { ...EMPTY_FEEDBACK_STATE };
+  }
+}
+async function saveFeedback(state) {
+  try {
+    await mkdir(FEEDBACK_DIR, { recursive: true });
+    await writeFile(FEEDBACK_FILE, JSON.stringify(state, null, 2));
+  } catch (error) {
+    console.warn(`Failed to save feedback: ${error instanceof Error ? error.message : String(error)}`);
+  }
+}
+function applyUpdates(state, updates) {
+  const newState = { ...state };
+  newState.patterns = { ...state.patterns };
+  for (const update of updates) {
+    const existing = newState.patterns[update.patternId];
+    const pattern = existing ?? {
+      patternId: update.patternId,
+      categoryId: update.categoryId,
+      totalMatches: 0,
+      confirmedCount: 0,
+      unconfirmedCount: 0,
+      aiDismissedCount: 0,
+      aiVerifiedCount: 0,
+      precision: 0,
+      suggestedConfidence: "medium",
+      updatedAt: (/* @__PURE__ */ new Date()).toISOString()
+    };
+    switch (update.outcome) {
+      case "matched":
+        pattern.totalMatches++;
+        break;
+      case "confirmed":
+        pattern.confirmedCount++;
+        break;
+      case "unconfirmed":
+        pattern.unconfirmedCount++;
+        break;
+      case "ai_verified":
+        pattern.aiVerifiedCount++;
+        break;
+      case "ai_dismissed":
+        pattern.aiDismissedCount++;
+        break;
+    }
+    const total = pattern.confirmedCount + pattern.unconfirmedCount;
+    pattern.precision = total > 0 ? pattern.confirmedCount / total : 0.5;
+    pattern.suggestedConfidence = suggestConfidence(pattern.precision);
+    pattern.updatedAt = (/* @__PURE__ */ new Date()).toISOString();
+    newState.patterns[update.patternId] = pattern;
+  }
+  newState.totalScans++;
+  newState.lastScanAt = (/* @__PURE__ */ new Date()).toISOString();
+  return newState;
+}
+function getConfidenceAdjustment(state, patternId) {
+  const pattern = state.patterns[patternId];
+  if (!pattern) return null;
+  const totalExecutions = pattern.confirmedCount + pattern.unconfirmedCount;
+  if (totalExecutions < 5) return null;
+  return pattern.suggestedConfidence;
+}
+function getLowPrecisionPatterns(state, threshold = 0.3) {
+  return Object.values(state.patterns).filter((p) => {
+    const total = p.confirmedCount + p.unconfirmedCount;
+    return total >= 5 && p.precision < threshold;
+  }).sort((a, b) => a.precision - b.precision);
+}
+function getHighPrecisionPatterns(state, threshold = 0.8) {
+  return Object.values(state.patterns).filter((p) => {
+    const total = p.confirmedCount + p.unconfirmedCount;
+    return total >= 5 && p.precision >= threshold;
+  }).sort((a, b) => b.precision - a.precision);
+}
+function generateReport(state) {
+  const lines = [
+    "# Pinata Feedback Report",
+    "",
+    `Total scans: ${state.totalScans}`,
+    `Last scan: ${state.lastScanAt}`,
+    `Patterns tracked: ${Object.keys(state.patterns).length}`,
+    ""
+  ];
+  const lowPrecision = getLowPrecisionPatterns(state);
+  if (lowPrecision.length > 0) {
+    lines.push("## Low Precision Patterns (potential false positive sources)");
+    lines.push("");
+    for (const p of lowPrecision.slice(0, 10)) {
+      lines.push(`- ${p.patternId}: ${(p.precision * 100).toFixed(1)}% precision (${p.confirmedCount}/${p.confirmedCount + p.unconfirmedCount})`);
+    }
+    lines.push("");
+  }
+  const highPrecision = getHighPrecisionPatterns(state);
+  if (highPrecision.length > 0) {
+    lines.push("## High Precision Patterns");
+    lines.push("");
+    for (const p of highPrecision.slice(0, 10)) {
+      lines.push(`- ${p.patternId}: ${(p.precision * 100).toFixed(1)}% precision (${p.confirmedCount}/${p.confirmedCount + p.unconfirmedCount})`);
+    }
+    lines.push("");
+  }
+  return lines.join("\n");
+}
+var FEEDBACK_DIR, FEEDBACK_FILE;
+var init_store = __esm({
+  "src/feedback/store.ts"() {
+    init_types3();
+    FEEDBACK_DIR = join(homedir(), ".pinata");
+    FEEDBACK_FILE = join(FEEDBACK_DIR, "feedback.json");
+  }
+});
+
+// src/feedback/index.ts
+var feedback_exports = {};
+__export(feedback_exports, {
+  CONFIDENCE_THRESHOLDS: () => CONFIDENCE_THRESHOLDS,
+  EMPTY_FEEDBACK_STATE: () => EMPTY_FEEDBACK_STATE,
+  applyUpdates: () => applyUpdates,
+  generateReport: () => generateReport,
+  getConfidenceAdjustment: () => getConfidenceAdjustment,
+  getHighPrecisionPatterns: () => getHighPrecisionPatterns,
+  getLowPrecisionPatterns: () => getLowPrecisionPatterns,
+  loadFeedback: () => loadFeedback,
+  saveFeedback: () => saveFeedback,
+  suggestConfidence: () => suggestConfidence
+});
+var init_feedback = __esm({
+  "src/feedback/index.ts"() {
+    init_types3();
+    init_store();
+  }
+});
 var RiskDomainSchema = z.enum([
   "security",
   "data",
@@ -5492,9 +5660,9 @@ var AIService = class {
   getApiKeyFromConfig(provider) {
     try {
       const { existsSync: existsSync4, readFileSync: readFileSync3 } = __require("fs");
-      const { homedir: homedir2 } = __require("os");
-      const { join: join4 } = __require("path");
-      const configPath = join4(homedir2(), ".pinata", "config.json");
+      const { homedir: homedir3 } = __require("os");
+      const { join: join5 } = __require("path");
+      const configPath = join5(homedir3(), ".pinata", "config.json");
       if (!existsSync4(configPath)) {
         return "";
       }
@@ -6882,7 +7050,7 @@ function getDefinitionsPath() {
 }
 var program = new Command();
 program.name("pinata").description("AI-powered test coverage analysis and generation").version(VERSION);
-program.command("analyze [path]").description("Analyze codebase for test coverage gaps").option("-o, --output <format>", "Output format: terminal, json, markdown, sarif, html, junit-xml", "terminal").option("-d, --domains <domains>", "Filter to specific domains (comma-separated)").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "low").option("-c, --confidence <level>", "Minimum confidence: high, medium, low", "high").option("--fail-on <level>", "Exit non-zero if gaps at level: critical, high, medium").option("--exclude <dirs>", "Directories to exclude (comma-separated)").option("--verify", "Use AI to verify each match (reduces false positives)").option("--execute", "Run dynamic tests in Docker sandbox to confirm vulnerabilities").option("--dry-run", "Preview generated tests without executing (use with --execute)").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (targetPath, options) => {
+program.command("analyze [path]").description("Analyze codebase for test coverage gaps").option("-o, --output <format>", "Output format: terminal, json, markdown, sarif, html, junit-xml", "terminal").option("--output-file <path>", "Write output to file (useful for SARIF upload)").option("-d, --domains <domains>", "Filter to specific domains (comma-separated)").option("-s, --severity <level>", "Minimum severity: critical, high, medium, low", "low").option("-c, --confidence <level>", "Minimum confidence: high, medium, low", "high").option("--fail-on <level>", "Exit non-zero if gaps at level: critical, high, medium").option("--exclude <dirs>", "Directories to exclude (comma-separated)").option("--verify", "Use AI to verify each match (reduces false positives)").option("--execute", "Run dynamic tests in Docker sandbox to confirm vulnerabilities").option("--dry-run", "Preview generated tests without executing (use with --execute)").option("-v, --verbose", "Verbose output").option("-q, --quiet", "Quiet mode (errors only)").action(async (targetPath, options) => {
   const isQuiet = Boolean(options["quiet"]);
   const isVerbose = Boolean(options["verbose"]);
   if (isQuiet) {
@@ -7005,12 +7173,12 @@ program.command("analyze [path]").description("Analyze codebase for test coverag
         const verifySpinner = showSpinner ? ora("Verifying gaps with AI...").start() : null;
         try {
           const { AIVerifier: AIVerifier2 } = await Promise.resolve().then(() => (init_verifier(), verifier_exports));
-          const { readFile: readFile5 } = await import('fs/promises');
+          const { readFile: readFile6 } = await import('fs/promises');
           const apiKey = getApiKey2(provider);
           const verifier = new AIVerifier2({ provider, ...apiKey ? { apiKey } : {} });
           const { verified, dismissed, stats } = await verifier.verifyAll(
             scanResult.data.gaps,
-            async (path2) => readFile5(path2, "utf-8")
+            async (path2) => readFile6(path2, "utf-8")
           );
           scanResult.data.gaps = verified;
           const severityWeights = { critical: 10, high: 5, medium: 2, low: 1 };
@@ -7047,7 +7215,7 @@ program.command("analyze [path]").description("Analyze codebase for test coverag
     const isDryRun = Boolean(options["dryRun"]);
     if (shouldExecute && scanResult.data.gaps.length > 0) {
       const { createRunner: createRunner2, isTestable: isTestable2 } = await Promise.resolve().then(() => (init_execution(), execution_exports));
-      const { readFile: readFile5 } = await import('fs/promises');
+      const { readFile: readFile6 } = await import('fs/promises');
       const testableGaps = scanResult.data.gaps.filter((g) => isTestable2(g.categoryId));
       if (testableGaps.length === 0) {
         console.log(chalk5.yellow("\nNo dynamically testable gaps found."));
@@ -7063,7 +7231,7 @@ Dynamic execution unavailable: ${initResult.error}`));
           for (const gap of testableGaps) {
             if (!fileContents.has(gap.filePath)) {
               try {
-                fileContents.set(gap.filePath, await readFile5(gap.filePath, "utf-8"));
+                fileContents.set(gap.filePath, await readFile6(gap.filePath, "utf-8"));
               } catch {
               }
             }
@@ -7090,7 +7258,14 @@ Dynamic execution unavailable: ${initResult.error}`));
       logger.debug(`Failed to cache results: ${cacheResult.error.message}`);
     }
     const output = formatScanResult(scanResult.data, outputFormat, targetDirectory);
-    console.log(output);
+    const outputFile = options["outputFile"];
+    if (outputFile) {
+      const outputPath = resolve(outputFile);
+      writeFileSync(outputPath, output, "utf-8");
+      logger.info(`Results written to: ${outputPath}`);
+    } else {
+      console.log(output);
+    }
     if (isVerbose && scanResult.data.warnings.length > 0) {
       console.error("\nWarnings:");
       for (const warning of scanResult.data.warnings) {
@@ -7497,8 +7672,8 @@ program.command("suggest-patterns").description("Use AI to suggest new detection
   let vulnerableCode = [...codeSnippets];
   if (filePath) {
     try {
-      const { readFile: readFile5 } = await import('fs/promises');
-      const content = await readFile5(filePath, "utf-8");
+      const { readFile: readFile6 } = await import('fs/promises');
+      const content = await readFile6(filePath, "utf-8");
       vulnerableCode = [...vulnerableCode, ...content.split("\n---\n").filter(Boolean)];
     } catch (error) {
       console.error(formatError(new Error(`Failed to read file: ${filePath}`)));
@@ -7797,16 +7972,16 @@ thresholds:
   high: 5
   medium: 20
 `;
-  const { writeFile: writeFileAsync, mkdir: mkdir3 } = await import('fs/promises');
+  const { writeFile: writeFileAsync, mkdir: mkdir4 } = await import('fs/promises');
   try {
     await writeFileAsync(configPath, defaultConfig, "utf8");
     console.log(chalk5.green("Created .pinata.yml"));
-    await mkdir3(cacheDir, { recursive: true });
+    await mkdir4(cacheDir, { recursive: true });
     console.log(chalk5.green("Created .pinata/ directory"));
     const gitignorePath = resolve(process.cwd(), ".gitignore");
     if (existsSync(gitignorePath)) {
-      const { readFile: readFile5, appendFile } = await import('fs/promises');
-      const gitignore = await readFile5(gitignorePath, "utf8");
+      const { readFile: readFile6, appendFile } = await import('fs/promises');
+      const gitignore = await readFile6(gitignorePath, "utf8");
       if (!gitignore.includes(".pinata/")) {
         await appendFile(gitignorePath, "\n# Pinata cache\n.pinata/\n");
         console.log(chalk5.green("Added .pinata/ to .gitignore"));
@@ -7950,6 +8125,43 @@ Warnings (${warnings.length}):`));
     process.exit(1);
   }
 });
+program.command("feedback").description("View pattern performance feedback (Layer 6)").option("--reset", "Reset all feedback data").option("-o, --output <format>", "Output format: terminal, json, markdown", "terminal").action(async (options) => {
+  const { loadFeedback: loadFeedback2, saveFeedback: saveFeedback2, generateReport: generateReport2, EMPTY_FEEDBACK_STATE: EMPTY_FEEDBACK_STATE2 } = await Promise.resolve().then(() => (init_feedback(), feedback_exports));
+  const outputFormat = String(options["output"] ?? "terminal");
+  const shouldReset = Boolean(options["reset"]);
+  if (shouldReset) {
+    await saveFeedback2({ ...EMPTY_FEEDBACK_STATE2 });
+    console.log(chalk5.green("Feedback data reset."));
+    return;
+  }
+  const state = await loadFeedback2();
+  if (outputFormat === "json") {
+    console.log(JSON.stringify(state, null, 2));
+    return;
+  }
+  if (outputFormat === "markdown") {
+    console.log(generateReport2(state));
+    return;
+  }
+  console.log(chalk5.bold("\nPinata Feedback Report\n"));
+  console.log(`Total scans: ${state.totalScans}`);
+  console.log(`Patterns tracked: ${Object.keys(state.patterns).length}`);
+  if (state.totalScans === 0) {
+    console.log(chalk5.gray("\nNo feedback data yet. Run scans with --execute to collect data.\n"));
+    return;
+  }
+  const patterns = Object.values(state.patterns).filter((p) => p.confirmedCount + p.unconfirmedCount >= 1).sort((a, b) => b.precision - a.precision);
+  if (patterns.length > 0) {
+    console.log(chalk5.bold("\nPattern Performance:"));
+    for (const p of patterns.slice(0, 15)) {
+      const total = p.confirmedCount + p.unconfirmedCount;
+      const precisionPct = (p.precision * 100).toFixed(0);
+      const color = p.precision >= 0.7 ? chalk5.green : p.precision >= 0.4 ? chalk5.yellow : chalk5.red;
+      console.log(`  ${color(`${precisionPct}%`)} ${p.patternId} (${p.confirmedCount}/${total} confirmed)`);
+    }
+  }
+  console.log();
+});
 var config = program.command("config").description("Manage AI provider configuration");
 config.command("set <key> <value>").description("Set a configuration value").addHelpText("after", `
 Available keys:
@@ -8078,9 +8290,9 @@ auth.command("login").description("Set API key for Pinata Cloud").option("-k, --
   }
   const configDir = resolve(process.cwd(), ".pinata");
   const authPath = resolve(configDir, "auth.json");
-  const { mkdir: mkdir3, writeFile: writeFileAsync } = await import('fs/promises');
+  const { mkdir: mkdir4, writeFile: writeFileAsync } = await import('fs/promises');
   try {
-    await mkdir3(configDir, { recursive: true });
+    await mkdir4(configDir, { recursive: true });
     const maskedKey = `****${apiKey.slice(-8)}`;
     const authData = {
       configured: true,
@@ -8133,8 +8345,8 @@ auth.command("status").description("Check authentication status").action(async (
     process.exit(0);
   }
   try {
-    const { readFile: readFile5 } = await import('fs/promises');
-    const authData = JSON.parse(await readFile5(authPath, "utf8"));
+    const { readFile: readFile6 } = await import('fs/promises');
+    const authData = JSON.parse(await readFile6(authPath, "utf8"));
     console.log(chalk5.green("Authenticated"));
     console.log(chalk5.gray(`Key ID: ${authData.keyId ?? "unknown"}`));
     console.log(chalk5.gray(`Configured: ${authData.configuredAt ?? "unknown"}`));