projscan 0.2.0 → 0.3.1

package/README.md

@@ -60,16 +60,18 @@ npx projscan
 Run inside any repository:
 
 ```bash
-projscan                # Full project analysis
-projscan doctor         # Health check
-projscan hotspots       # Rank files by risk (churn × complexity × issues × ownership)
-projscan file <path>    # Drill into a file — purpose, risk, ownership, issues
-projscan fix            # Auto-fix detected issues
-projscan ci             # CI health gate (exits 1 on low score)
-projscan diff           # Compare health + hotspot trends against a baseline
-projscan diagram        # Architecture visualization
-projscan structure      # Directory tree
-projscan mcp            # Run as an MCP server for AI coding agents
+projscan                            # Full project analysis
+projscan doctor                     # Health check
+projscan hotspots                   # Rank files by risk (churn × complexity × issues × ownership)
+projscan file <path>                # Drill into a file — purpose, risk, ownership, issues
+projscan fix                        # Auto-fix detected issues
+projscan ci                         # CI health gate (exits 1 on low score)
+projscan ci --changed-only          # Gate only on this PR's diff
+projscan ci --format sarif          # SARIF 2.1.0 for GitHub Code Scanning
+projscan diff                       # Compare health + hotspot trends against a baseline
+projscan diagram                    # Architecture visualization
+projscan structure                  # Directory tree
+projscan mcp                        # Run as an MCP server for AI coding agents
 ```
 
 <img src="docs/npx%20projscan%20--help.png" alt="npx projscan --help" width="700">
@@ -85,7 +87,7 @@ For a comprehensive walkthrough, see the **[Full Guide](docs/GUIDE.md)**.
 | `projscan hotspots` | Rank files by risk — churn × complexity × issues × ownership |
 | `projscan file <path>` | Drill into a file — purpose, risk, ownership, related issues |
 | `projscan fix` | Auto-fix issues (ESLint, Prettier, Vitest, .editorconfig) |
-| `projscan ci` | CI pipeline health gate — exits 1 if score below threshold |
+| `projscan ci` | CI health gate — SARIF output, `--changed-only` PR-diff mode, exits 1 if score below threshold |
 | `projscan diff` | Compare current health **and hotspot trends** against a baseline |
 | `projscan explain <file>` | Explain a file's purpose, imports, exports, and issues |
 | `projscan diagram` | ASCII architecture diagram of your project |
@@ -139,15 +141,19 @@ All commands support `--format` for different output targets:
 ```bash
 projscan analyze --format json       # Machine-readable JSON
 projscan doctor --format markdown    # Markdown for docs/PRs
+projscan ci --format sarif           # SARIF 2.1.0 for GitHub Code Scanning
 ```
 
-Formats: `console` (default), `json`, `markdown`
+Formats: `console` (default), `json`, `markdown`, `sarif`
 
 ### Options
 
 | Flag | Description |
 |------|-------------|
-| `--format <type>` | Output format: console, json, markdown |
+| `--format <type>` | Output format: console, json, markdown, sarif |
+| `--config <path>` | Path to a `.projscanrc` config file |
+| `--changed-only` | Scope to files changed vs base ref (ci/analyze/doctor) |
+| `--base-ref <ref>` | Git base ref for `--changed-only` (default: origin/main) |
 | `--verbose` | Enable debug output |
 | `--quiet` | Suppress non-essential output |
 | `-V, --version` | Show version |
@@ -204,21 +210,79 @@ This outputs a [shields.io](https://shields.io) badge URL and markdown snippet y
 Use `projscan ci` to gate your pipelines:
 
 ```bash
-projscan ci --min-score 70          # Exits 1 if score < 70
-projscan ci --min-score 80 --format json  # JSON output for parsing
+projscan ci --min-score 70                     # Exits 1 if score < 70
+projscan ci --min-score 80 --format json       # JSON output for parsing
+projscan ci --changed-only                     # Gate only on this PR's diff
+projscan ci --format sarif > projscan.sarif    # SARIF for Code Scanning
 ```
 
 <img src="docs/npx%20projscan%20ci%20--min-score%2070.png" alt="npx projscan ci --min-score 70" width="700">
 
-### GitHub Actions
+### GitHub Action (recommended)
+
+projscan ships a first-party GitHub Action that installs, runs, and uploads SARIF to **GitHub Code Scanning** in one step:
+
+```yaml
+# .github/workflows/projscan.yml
+name: ProjScan
+on:
+  push: { branches: [main] }
+  pull_request: { branches: [main] }
+
+permissions:
+  contents: read
+  security-events: write   # required for SARIF upload
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with: { fetch-depth: 0 }  # needed for --changed-only
+      - uses: actions/setup-node@v4
+        with: { node-version: 20 }
+      - uses: abhiyoheswaran1/projscan@v0.3.0
+        with:
+          min-score: '70'
+          changed-only: 'true'
+```
 
-Copy the included workflow template to your project:
+Inputs: `min-score`, `changed-only`, `base-ref`, `config`, `sarif-file`, `upload-sarif`, `working-directory`, `version`. Outputs: `score`, `grade`.
 
-```bash
-cp .github/projscan-ci.yml .github/workflows/projscan.yml
+Findings appear in the **Security → Code scanning** tab, annotated on files and lines. PRs get inline annotations on changed lines.
+
+### Plain workflow (no SARIF upload)
+
+If you'd rather not upload SARIF, [`.github/projscan-ci.yml`](.github/projscan-ci.yml) is a drop-in workflow that runs projscan and posts a markdown health report as a PR comment.
+
+## Configuration (`.projscanrc`)
+
+Drop a `.projscanrc.json` at your repo root to set defaults — CLI flags always win over config. A `"projscan"` key in `package.json` and plain `.projscanrc` are also supported.
+
+```json
+{
+  "minScore": 80,
+  "baseRef": "origin/main",
+  "ignore": ["**/fixtures/**", "**/generated/**"],
+  "disableRules": ["missing-editorconfig", "large-*"],
+  "severityOverrides": {
+    "missing-prettier": "info"
+  },
+  "hotspots": {
+    "limit": 20,
+    "since": "6 months ago"
+  }
+}
 ```
 
-This runs health checks on every push/PR and posts a markdown health report as a PR comment. See [`.github/projscan-ci.yml`](.github/projscan-ci.yml) for the full workflow.
+Fields:
+
+- `minScore` — default `ci` threshold (0–100)
+- `baseRef` — default base ref for `--changed-only`
+- `ignore` — extra glob patterns added to the built-in ignore list
+- `disableRules` — silence rules by id; supports wildcard `prefix-*`
+- `severityOverrides` — remap a rule's severity (`info` / `warning` / `error`)
+- `hotspots.limit` / `hotspots.since` — defaults for the `hotspots` command
 
 ## Tracking Health Over Time
 

package/dist/analyzers/architectureCheck.js

@@ -24,6 +24,7 @@ export async function check(rootPath, files) {
                 severity: 'warning',
                 category: 'architecture',
                 fixAvailable: false,
+                locations: [{ file: dir }],
             });
         }
     }

package/dist/analyzers/architectureCheck.js.map

@@ -1 +1 @@
-{"version":3,"file":"architectureCheck.js","sourceRoot":"","sources":["../../src/analyzers/architectureCheck.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,YAAY,GAAG,CAAC,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;AAE3D,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,QAAgB,EAAE,KAAkB;IAC9D,MAAM,MAAM,GAAY,EAAE,CAAC;IAE3B,sCAAsC;IACtC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;IAChD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC3B,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,KAAK,GAAG,mBAAmB,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,SAAS,OAAO,MAAM;gBAC1B,KAAK,EAAE,SAAS,OAAO,gBAAgB,KAAK,SAAS;gBACrD,WAAW,EAAE,OAAO,GAAG,wBAAwB,KAAK,kFAAkF;gBACtI,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,cAAc;gBACxB,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QACpC,MAAM,MAAM,GAAG,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9C,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACpC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CACnF,CAAC;IAEF,IAAI,YAAY,IAAI,CAAC,YAAY,EAAE,CAAC;QAClC,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAChC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,SAAS,KAAK,GAAG,CAAC;YACrC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CACvD,CAAC;QACF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,eAAe;gBACnB,KAAK,EAAE,kCAAkC;gBACzC,WAAW,EACT,+HAA+H;gBACjI,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,cAAc;gBACxB,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,KAAK,eAAe,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,SAAS,KAAK,GAAG,CAAC,CAClG,CAAC;IACF,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,sBAAsB;YAC1B,KAAK,EAAE,uBAAuB;YAC9B,WAAW,EACT,6GAA6G;YAC/G,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,cAAc;YACxB,YAAY,EAAE,IAAI;YAClB,KAAK,EAAE,kBAAkB;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,oCAAoC;IACpC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QACzD,OAAO,CACL,CAAC,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,YAAY,CAAC;YACpE,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,SAAS,KAAK,GAAG,CAAC,CACtC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,gBAAgB;YACpB,KAAK,EAAE,gBAAgB;YACvB,WAAW,EACT,uFAAuF;YACzF,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,cAAc;YACxB,YAAY,EAAE,KAAK;SACpB,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,UAAU,CAAC,SAAS,GAAG,EAAE,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,cAAc;YAClB,KAAK,EAAE,wBAAwB;YAC/B,WAAW,EACT,4HAA4H;YAC9H,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,cAAc;YACxB,YAAY,EAAE,KAAK;SACpB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}
+{"version":3,"file":"architectureCheck.js","sourceRoot":"","sources":["../../src/analyzers/architectureCheck.ts"],"names":[],"mappings":"AAAA,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAC/B,MAAM,YAAY,GAAG,CAAC,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC;AAE3D,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,QAAgB,EAAE,KAAkB;IAC9D,MAAM,MAAM,GAAY,EAAE,CAAC;IAE3B,sCAAsC;IACtC,MAAM,aAAa,GAAG,IAAI,GAAG,EAAkB,CAAC;IAChD,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,KAAK,GAAG,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC7C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;YACzB,IAAI,YAAY,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBAChC,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC;gBAC3B,aAAa,CAAC,GAAG,CAAC,GAAG,EAAE,CAAC,aAAa,CAAC,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;YAC5D,CAAC;QACH,CAAC;IACH,CAAC;IAED,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,aAAa,EAAE,CAAC;QACzC,IAAI,KAAK,GAAG,mBAAmB,EAAE,CAAC;YAChC,MAAM,OAAO,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,SAAS,OAAO,MAAM;gBAC1B,KAAK,EAAE,SAAS,OAAO,gBAAgB,KAAK,SAAS;gBACrD,WAAW,EAAE,OAAO,GAAG,wBAAwB,KAAK,kFAAkF;gBACtI,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,cAAc;gBACxB,YAAY,EAAE,KAAK;gBACnB,SAAS,EAAE,CAAC,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC;aAC3B,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QACpC,MAAM,MAAM,GAAG,CAAC,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;QAC9C,OAAO,CAAC,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,QAAQ,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IACnE,CAAC,CAAC,CAAC;IAEH,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CACpC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CACnF,CAAC;IAEF,IAAI,YAAY,IAAI,CAAC,YAAY,EAAE,CAAC;QAClC,MAAM,aAAa,GAAG,KAAK,CAAC,MAAM,CAChC,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,SAAS,KAAK,GAAG,CAAC;YACrC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS,CAAC,CACvD,CAAC;QACF,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,eAAe;gBACnB,KAAK,EAAE,kCAAkC;gBACzC,WAAW,EACT,+HAA+H;gBACjI,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,cAAc;gBACxB,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,kCAAkC;IAClC,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAChC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,KAAK,eAAe,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,SAAS,KAAK,GAAG,CAAC,CAClG,CAAC;IACF,IAAI,CAAC,eAAe,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,sBAAsB;YAC1B,KAAK,EAAE,uBAAuB;YAC9B,WAAW,EACT,6GAA6G;YAC/G,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,cAAc;YACxB,YAAY,EAAE,IAAI;YAClB,KAAK,EAAE,kBAAkB;SAC1B,CAAC,CAAC;IACL,CAAC;IAED,oCAAoC;IACpC,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE;QAClC,MAAM,IAAI,GAAG,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QACzD,OAAO,CACL,CAAC,IAAI,KAAK,WAAW,IAAI,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,YAAY,CAAC;YACpE,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,CAAC,CAAC,SAAS,KAAK,GAAG,CAAC,CACtC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEH,IAAI,CAAC,UAAU,EAAE,CAAC;QAChB,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,gBAAgB;YACpB,KAAK,EAAE,gBAAgB;YACvB,WAAW,EACT,uFAAuF;YACzF,QAAQ,EAAE,SAAS;YACnB,QAAQ,EAAE,cAAc;YACxB,YAAY,EAAE,KAAK;SACpB,CAAC,CAAC;IACL,CAAC;SAAM,IAAI,UAAU,CAAC,SAAS,GAAG,EAAE,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC;YACV,EAAE,EAAE,cAAc;YAClB,KAAK,EAAE,wBAAwB;YAC/B,WAAW,EACT,4HAA4H;YAC9H,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,cAAc;YACxB,YAAY,EAAE,KAAK;SACpB,CAAC,CAAC;IACL,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC"}

package/dist/analyzers/securityCheck.js

@@ -38,6 +38,7 @@ export async function check(rootPath, files) {
                 severity: 'warning',
                 category: 'security',
                 fixAvailable: false,
+                locations: [{ file: file.relativePath, line: 1 }],
             });
         }
     }
@@ -55,6 +56,7 @@ export async function check(rootPath, files) {
                 severity: 'error',
                 category: 'security',
                 fixAvailable: false,
+                locations: [{ file: file.relativePath, line: 1 }],
             });
         }
     }
@@ -101,7 +103,9 @@ async function scanFileForSecrets(file) {
     try {
         const content = await fs.readFile(file.absolutePath, 'utf-8');
         for (const { name, pattern } of SECRET_PATTERNS) {
-            if (pattern.test(content)) {
+            const match = pattern.exec(content);
+            if (match) {
+                const line = lineNumberFor(content, match.index);
                 return {
                     id: 'hardcoded-secret',
                     title: `Potential ${name} detected in ${file.relativePath}`,
@@ -109,6 +113,7 @@ async function scanFileForSecrets(file) {
                     severity: 'error',
                     category: 'security',
                     fixAvailable: false,
+                    locations: [{ file: file.relativePath, line }],
                 };
             }
         }
@@ -118,4 +123,14 @@ async function scanFileForSecrets(file) {
     }
     return null;
 }
+function lineNumberFor(content, index) {
+    if (index <= 0)
+        return 1;
+    let line = 1;
+    for (let i = 0; i < index && i < content.length; i++) {
+        if (content.charCodeAt(i) === 10)
+            line++;
+    }
+    return line;
+}
 //# sourceMappingURL=securityCheck.js.map

package/dist/analyzers/securityCheck.js.map

@@ -1 +1 @@
-{"version":3,"file":"securityCheck.js","sourceRoot":"","sources":["../../src/analyzers/securityCheck.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;AAC1C,MAAM,iBAAiB,GAAG,CAAC,UAAU,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;AAE/D,MAAM,iBAAiB,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AACzE,MAAM,sBAAsB,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAEhE,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAC5C,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM;IAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM;IACzC,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,OAAO;IAC9C,MAAM,EAAE,MAAM;CACf,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,SAAS;AAE3C,MAAM,eAAe,GAAwC;IAC3D,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,kBAAkB,EAAE;IACvD,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,0BAA0B,EAAE;IAC7D,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,0BAA0B,EAAE;IAC5D,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,+CAA+C,EAAE;IACjF;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,2EAA2E;KACrF;CACF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,QAAgB,EAAE,KAAkB;IAC9D,MAAM,MAAM,GAAY,EAAE,CAAC;IAE3B,oCAAoC;IACpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAClD,IAAI,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,0BAA0B;YAC5D,IAAI,MAAM,IAAI,iBAAiB,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAAE,SAAS;YAE3D,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,oBAAoB;gBACxB,KAAK,EAAE,+BAA+B,IAAI,CAAC,YAAY,EAAE;gBACzD,WAAW,EAAE,aAAa,IAAI,CAAC,YAAY,8CAA8C;gBACzF,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QAChE,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;QAEzC,MAAM,SAAS,GACb,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACpC,sBAAsB,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAEvC,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,uBAAuB;gBAC3B,KAAK,EAAE,+BAA+B,IAAI,CAAC,YAAY,EAAE;gBACzD,WAAW,EAAE,aAAa,IAAI,CAAC,YAAY,iEAAiE;gBAC5G,QAAQ,EAAE,OAAO;gBACjB,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAC9B,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,SAAS,IAAI,aAAa;QAC5B,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;YACpC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CACtD,CAAC;IAEF,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CACnC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAC9C,CAAC;IAEF,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;QACjC,IAAI,MAAM;YAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAED,+CAA+C;IAC/C,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IACxD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,uBAAuB;gBAC3B,KAAK,EAAE,wCAAwC;gBAC/C,WAAW,EAAE,oEAAoE;gBACjF,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uBAAuB;QACvB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,uBAAuB;gBAC3B,KAAK,EAAE,0BAA0B;gBACjC,WAAW,EAAE,yEAAyE;gBACtF,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,IAAe;IAC/C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAE9D,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,eAAe,EAAE,CAAC;YAChD,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1B,OAAO;oBACL,EAAE,EAAE,kBAAkB;oBACtB,KAAK,EAAE,aAAa,IAAI,gBAAgB,IAAI,CAAC,YAAY,EAAE;oBAC3D,WAAW,EAAE,aAAa,IAAI,CAAC,YAAY,4EAA4E;oBACvH,QAAQ,EAAE,OAAO;oBACjB,QAAQ,EAAE,UAAU;oBACpB,YAAY,EAAE,KAAK;iBACpB,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,gCAAgC;IAClC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
+{"version":3,"file":"securityCheck.js","sourceRoot":"","sources":["../../src/analyzers/securityCheck.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,kBAAkB,CAAC;AAClC,OAAO,IAAI,MAAM,WAAW,CAAC;AAG7B,MAAM,gBAAgB,GAAG,gBAAgB,CAAC;AAC1C,MAAM,iBAAiB,GAAG,CAAC,UAAU,EAAE,SAAS,EAAE,WAAW,CAAC,CAAC;AAE/D,MAAM,iBAAiB,GAAG,CAAC,QAAQ,EAAE,YAAY,EAAE,UAAU,EAAE,QAAQ,CAAC,CAAC;AACzE,MAAM,sBAAsB,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,CAAC,CAAC;AAEhE,MAAM,oBAAoB,GAAG,IAAI,GAAG,CAAC;IACnC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAC5C,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,KAAK,EAAE,MAAM;IAC3C,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,MAAM;IACzC,MAAM,EAAE,OAAO,EAAE,aAAa,EAAE,KAAK,EAAE,OAAO;IAC9C,MAAM,EAAE,MAAM;CACf,CAAC,CAAC;AAEH,MAAM,aAAa,GAAG,GAAG,GAAG,IAAI,CAAC,CAAC,SAAS;AAE3C,MAAM,eAAe,GAAwC;IAC3D,EAAE,IAAI,EAAE,gBAAgB,EAAE,OAAO,EAAE,kBAAkB,EAAE;IACvD,EAAE,IAAI,EAAE,cAAc,EAAE,OAAO,EAAE,0BAA0B,EAAE;IAC7D,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,0BAA0B,EAAE;IAC5D,EAAE,IAAI,EAAE,aAAa,EAAE,OAAO,EAAE,+CAA+C,EAAE;IACjF;QACE,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,2EAA2E;KACrF;CACF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,KAAK,CAAC,QAAgB,EAAE,KAAkB;IAC9D,MAAM,MAAM,GAAY,EAAE,CAAC;IAE3B,oCAAoC;IACpC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QAClD,IAAI,gBAAgB,CAAC,IAAI,CAAC,QAAQ,CAAC,EAAE,CAAC;YACpC,MAAM,MAAM,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,0BAA0B;YAC5D,IAAI,MAAM,IAAI,iBAAiB,CAAC,QAAQ,CAAC,MAAM,CAAC;gBAAE,SAAS;YAE3D,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,oBAAoB;gBACxB,KAAK,EAAE,+BAA+B,IAAI,CAAC,YAAY,EAAE;gBACzD,WAAW,EAAE,aAAa,IAAI,CAAC,YAAY,8CAA8C;gBACzF,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,KAAK;gBACnB,SAAS,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;aAClD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,iCAAiC;IACjC,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,QAAQ,GAAG,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC,WAAW,EAAE,CAAC;QAChE,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,WAAW,EAAE,CAAC;QAEzC,MAAM,SAAS,GACb,iBAAiB,CAAC,QAAQ,CAAC,QAAQ,CAAC;YACpC,sBAAsB,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QAEvC,IAAI,SAAS,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,uBAAuB;gBAC3B,KAAK,EAAE,+BAA+B,IAAI,CAAC,YAAY,EAAE;gBACzD,WAAW,EAAE,aAAa,IAAI,CAAC,YAAY,iEAAiE;gBAC5G,QAAQ,EAAE,OAAO;gBACjB,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,KAAK;gBACnB,SAAS,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;aAClD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,kDAAkD;IAClD,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAC9B,CAAC,CAAC,EAAE,EAAE,CACJ,CAAC,CAAC,SAAS,IAAI,aAAa;QAC5B,CAAC,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC;YACpC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CACtD,CAAC;IAEF,MAAM,WAAW,GAAG,MAAM,OAAO,CAAC,GAAG,CACnC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,kBAAkB,CAAC,CAAC,CAAC,CAAC,CAC9C,CAAC;IAEF,KAAK,MAAM,MAAM,IAAI,WAAW,EAAE,CAAC;QACjC,IAAI,MAAM;YAAE,MAAM,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAClC,CAAC;IAED,+CAA+C;IAC/C,MAAM,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,YAAY,CAAC,CAAC;IACxD,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,aAAa,EAAE,OAAO,CAAC,CAAC;QAC1D,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC9B,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,uBAAuB;gBAC3B,KAAK,EAAE,wCAAwC;gBAC/C,WAAW,EAAE,oEAAoE;gBACjF,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,uBAAuB;QACvB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrB,MAAM,CAAC,IAAI,CAAC;gBACV,EAAE,EAAE,uBAAuB;gBAC3B,KAAK,EAAE,0BAA0B;gBACjC,WAAW,EAAE,yEAAyE;gBACtF,QAAQ,EAAE,SAAS;gBACnB,QAAQ,EAAE,UAAU;gBACpB,YAAY,EAAE,KAAK;aACpB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,IAAe;IAC/C,IAAI,CAAC;QACH,MAAM,OAAO,GAAG,MAAM,EAAE,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,EAAE,OAAO,CAAC,CAAC;QAE9D,KAAK,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,eAAe,EAAE,CAAC;YAChD,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACpC,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,IAAI,GAAG,aAAa,CAAC,OAAO,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACjD,OAAO;oBACL,EAAE,EAAE,kBAAkB;oBACtB,KAAK,EAAE,aAAa,IAAI,gBAAgB,IAAI,CAAC,YAAY,EAAE;oBAC3D,WAAW,EAAE,aAAa,IAAI,CAAC,YAAY,4EAA4E;oBACvH,QAAQ,EAAE,OAAO;oBACjB,QAAQ,EAAE,UAAU;oBACpB,YAAY,EAAE,KAAK;oBACnB,SAAS,EAAE,CAAC,EAAE,IAAI,EAAE,IAAI,CAAC,YAAY,EAAE,IAAI,EAAE,CAAC;iBAC/C,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,gCAAgC;IAClC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,aAAa,CAAC,OAAe,EAAE,KAAa;IACnD,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IACzB,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,IAAI,CAAC,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACrD,IAAI,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC,KAAK,EAAE;YAAE,IAAI,EAAE,CAAC;IAC3C,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}

package/dist/cli/index.js

@@ -21,29 +21,67 @@ import { setLogLevel } from '../utils/logger.js';
 import { calculateScore, badgeUrl, badgeMarkdown } from '../utils/scoreCalculator.js';
 import { showBanner, showCompactBanner, showHelp } from '../utils/banner.js';
 import { saveBaseline, loadBaseline, computeDiff } from '../utils/baseline.js';
+import { loadConfig, applyConfigToIssues } from '../utils/config.js';
+import { getChangedFiles } from '../utils/changedFiles.js';
 import { runMcpServer } from '../mcp/server.js';
 import { reportAnalysis, reportHealth, reportCi, reportDiff, reportDetectedIssues, reportExplanation, reportDiagram, reportStructure, reportDependencies, reportHotspots, reportFileInspection, } from '../reporters/consoleReporter.js';
 import { reportAnalysisJson, reportHealthJson, reportCiJson, reportDiffJson, reportExplanationJson, reportDiagramJson, reportStructureJson, reportDependenciesJson, reportHotspotsJson, reportFileJson, } from '../reporters/jsonReporter.js';
 import { reportAnalysisMarkdown, reportHealthMarkdown, reportCiMarkdown, reportDiffMarkdown, reportExplanationMarkdown, reportDiagramMarkdown, reportStructureMarkdown, reportDependenciesMarkdown, reportHotspotsMarkdown, reportFileMarkdown, } from '../reporters/markdownReporter.js';
+import { reportAnalysisSarif, reportHealthSarif, reportCiSarif, } from '../reporters/sarifReporter.js';
 // ── CLI Setup ─────────────────────────────────────────────
 const program = new Command();
 program
     .name('projscan')
     .description('Instant codebase insights — doctor, x-ray, and architecture map for any repository')
     .version(pkg.version)
-    .option('--format <type>', 'output format: console, json, markdown', 'console')
+    .option('--format <type>', 'output format: console, json, markdown, sarif', 'console')
+    .option('--config <path>', 'path to .projscanrc config file')
     .option('--verbose', 'enable verbose output')
     .option('--quiet', 'suppress non-essential output');
 function getFormat() {
     const opts = program.opts();
     const f = opts.format;
-    if (f === 'json' || f === 'markdown')
+    if (f === 'json' || f === 'markdown' || f === 'sarif')
         return f;
     return 'console';
 }
 function getRootPath() {
     return process.cwd();
 }
+async function loadProjectConfig() {
+    const opts = program.opts();
+    const explicit = typeof opts.config === 'string' ? opts.config : undefined;
+    try {
+        const { config, source } = await loadConfig(getRootPath(), explicit);
+        if (source && !opts.quiet && getFormat() === 'console') {
+            console.error(chalk.dim(`  [config: ${path.relative(getRootPath(), source) || source}]`));
+        }
+        return config;
+    }
+    catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        console.error(chalk.red(`  Config error: ${msg}`));
+        process.exit(1);
+    }
+}
+async function filterIssuesByChangedFiles(issues, rootPath, baseRef) {
+    const result = await getChangedFiles(rootPath, baseRef);
+    if (!result.available) {
+        if (getFormat() === 'console' && !program.opts().quiet) {
+            console.error(chalk.yellow(`  [--changed-only: ${result.reason ?? 'unavailable'} — reporting all issues]`));
+        }
+        return issues;
+    }
+    if (getFormat() === 'console' && !program.opts().quiet) {
+        console.error(chalk.dim(`  [--changed-only: base=${result.baseRef}, ${result.files.length} file(s)]`));
+    }
+    const set = new Set(result.files);
+    return issues.filter((issue) => {
+        if (!issue.locations || issue.locations.length === 0)
+            return false;
+        return issue.locations.some((loc) => set.has(loc.file));
+    });
+}
 function setupLogLevel() {
     const opts = program.opts();
     if (opts.verbose)
@@ -77,14 +115,17 @@ function maybeCompactBanner() {
 program
     .command('analyze', { isDefault: true })
     .description('Analyze repository and show project report')
-    .action(async () => {
+    .option('--changed-only', 'only report issues on files changed vs base ref')
+    .option('--base-ref <ref>', 'git base ref for --changed-only (default: origin/main)')
+    .action(async (cmdOpts) => {
     setupLogLevel();
     maybeBanner();
     const rootPath = getRootPath();
     const format = getFormat();
+    const config = await loadProjectConfig();
     const spinner = format === 'console' ? ora('Scanning repository...').start() : null;
     try {
-        const scan = await scanRepository(rootPath);
+        const scan = await scanRepository(rootPath, { ignore: config.ignore });
         if (spinner)
             spinner.text = 'Detecting languages...';
         const languages = detectLanguages(scan.files);
@@ -96,7 +137,11 @@ program
         const dependencies = await analyzeDependencies(rootPath);
         if (spinner)
             spinner.text = 'Checking for issues...';
-        const issues = await collectIssues(rootPath, scan.files);
+        let issues = await collectIssues(rootPath, scan.files);
+        issues = applyConfigToIssues(issues, config);
+        if (cmdOpts.changedOnly) {
+            issues = await filterIssuesByChangedFiles(issues, rootPath, cmdOpts.baseRef ?? config.baseRef);
+        }
         if (spinner)
             spinner.stop();
         const report = {
@@ -116,6 +161,9 @@ program
             case 'markdown':
                 reportAnalysisMarkdown(report);
                 break;
+            case 'sarif':
+                reportAnalysisSarif(issues, pkg.version);
+                break;
             default:
                 reportAnalysis(report);
         }
@@ -131,15 +179,22 @@ program
 program
     .command('doctor')
     .description('Evaluate project health and detect issues')
-    .action(async () => {
+    .option('--changed-only', 'only report issues on files changed vs base ref')
+    .option('--base-ref <ref>', 'git base ref for --changed-only (default: origin/main)')
+    .action(async (cmdOpts) => {
     setupLogLevel();
     maybeCompactBanner();
     const rootPath = getRootPath();
     const format = getFormat();
+    const config = await loadProjectConfig();
     const spinner = format === 'console' ? ora('Running health checks...').start() : null;
     try {
-        const scan = await scanRepository(rootPath);
-        const issues = await collectIssues(rootPath, scan.files);
+        const scan = await scanRepository(rootPath, { ignore: config.ignore });
+        let issues = await collectIssues(rootPath, scan.files);
+        issues = applyConfigToIssues(issues, config);
+        if (cmdOpts.changedOnly) {
+            issues = await filterIssuesByChangedFiles(issues, rootPath, cmdOpts.baseRef ?? config.baseRef);
+        }
         if (spinner)
             spinner.stop();
         switch (format) {
@@ -149,6 +204,9 @@ program
             case 'markdown':
                 reportHealthMarkdown(issues);
                 break;
+            case 'sarif':
+                reportHealthSarif(issues, pkg.version);
+                break;
             default:
                 reportHealth(issues, scan.scanDurationMs);
         }
@@ -164,16 +222,24 @@ program
 program
     .command('ci')
     .description('Run health check for CI pipelines (exits 1 if score below threshold)')
-    .option('--min-score <score>', 'minimum passing score (0-100)', '70')
+    .option('--min-score <score>', 'minimum passing score (0-100)')
+    .option('--changed-only', 'gate only on issues in files changed vs base ref')
+    .option('--base-ref <ref>', 'git base ref for --changed-only (default: origin/main)')
     .action(async (cmdOpts) => {
     setupLogLevel();
     maybeCompactBanner();
     const rootPath = getRootPath();
     const format = getFormat();
+    const config = await loadProjectConfig();
     try {
-        const scan = await scanRepository(rootPath);
-        const issues = await collectIssues(rootPath, scan.files);
-        const threshold = Math.max(0, Math.min(100, parseInt(cmdOpts.minScore, 10) || 70));
+        const scan = await scanRepository(rootPath, { ignore: config.ignore });
+        let issues = await collectIssues(rootPath, scan.files);
+        issues = applyConfigToIssues(issues, config);
+        if (cmdOpts.changedOnly) {
+            issues = await filterIssuesByChangedFiles(issues, rootPath, cmdOpts.baseRef ?? config.baseRef);
+        }
+        const rawThreshold = cmdOpts.minScore ?? config.minScore ?? 70;
+        const threshold = Math.max(0, Math.min(100, typeof rawThreshold === 'string' ? parseInt(rawThreshold, 10) || 70 : rawThreshold));
         const { score } = calculateScore(issues);
         switch (format) {
             case 'json':
@@ -182,6 +248,9 @@ program
             case 'markdown':
                 reportCiMarkdown(issues, threshold);
                 break;
+            case 'sarif':
+                reportCiSarif(issues, pkg.version);
+                break;
             default:
                 reportCi(issues, threshold);
         }
@@ -205,9 +274,11 @@ program
     maybeCompactBanner();
     const rootPath = getRootPath();
     const format = getFormat();
+    const config = await loadProjectConfig();
     try {
-        const scan = await scanRepository(rootPath);
-        const issues = await collectIssues(rootPath, scan.files);
+        const scan = await scanRepository(rootPath, { ignore: config.ignore });
+        let issues = await collectIssues(rootPath, scan.files);
+        issues = applyConfigToIssues(issues, config);
         const hotspotReport = await analyzeHotspots(rootPath, scan.files, issues, { limit: 20 });
         if (cmdOpts.saveBaseline) {
             const filePath = await saveBaseline(rootPath, issues, hotspotReport);
@@ -259,9 +330,11 @@ program
     maybeCompactBanner();
     const rootPath = getRootPath();
     const spinner = ora('Detecting issues...').start();
+    const config = await loadProjectConfig();
     try {
-        const scan = await scanRepository(rootPath);
-        const issues = await collectIssues(rootPath, scan.files);
+        const scan = await scanRepository(rootPath, { ignore: config.ignore });
+        let issues = await collectIssues(rootPath, scan.files);
+        issues = applyConfigToIssues(issues, config);
         const fixes = getAllAvailableFixes(issues);
         spinner.stop();
         if (fixes.length === 0) {
@@ -387,9 +460,10 @@ program
     maybeCompactBanner();
     const rootPath = getRootPath();
     const format = getFormat();
+    const config = await loadProjectConfig();
     const spinner = format === 'console' ? ora('Analyzing architecture...').start() : null;
     try {
-        const scan = await scanRepository(rootPath);
+        const scan = await scanRepository(rootPath, { ignore: config.ignore });
         const frameworks = await detectFrameworks(rootPath, scan.files);
         const layers = buildArchitectureLayers(scan.files, frameworks.frameworks.map((f) => f.name));
         if (spinner)
@@ -421,9 +495,10 @@ program
     maybeCompactBanner();
     const rootPath = getRootPath();
     const format = getFormat();
+    const config = await loadProjectConfig();
     const spinner = format === 'console' ? ora('Scanning...').start() : null;
     try {
-        const scan = await scanRepository(rootPath);
+        const scan = await scanRepository(rootPath, { ignore: config.ignore });
         if (spinner)
             spinner.stop();
         switch (format) {
@@ -484,20 +559,24 @@ program
 program
     .command('hotspots')
     .description('Rank files by risk (git churn × complexity × open issues)')
-    .option('--limit <n>', 'number of hotspots to show', '10')
-    .option('--since <when>', 'git history window (e.g. "6 months ago", "2024-01-01")', '12 months ago')
+    .option('--limit <n>', 'number of hotspots to show')
+    .option('--since <when>', 'git history window (e.g. "6 months ago", "2024-01-01")')
     .action(async (cmdOpts) => {
     setupLogLevel();
     maybeCompactBanner();
     const rootPath = getRootPath();
     const format = getFormat();
+    const config = await loadProjectConfig();
     const spinner = format === 'console' ? ora('Analyzing hotspots...').start() : null;
     try {
-        const scan = await scanRepository(rootPath);
-        const issues = await collectIssues(rootPath, scan.files);
-        const limit = Math.max(1, Math.min(100, parseInt(cmdOpts.limit, 10) || 10));
+        const scan = await scanRepository(rootPath, { ignore: config.ignore });
+        let issues = await collectIssues(rootPath, scan.files);
+        issues = applyConfigToIssues(issues, config);
+        const limitRaw = cmdOpts.limit ?? config.hotspots?.limit ?? 10;
+        const limit = Math.max(1, Math.min(100, typeof limitRaw === 'string' ? parseInt(limitRaw, 10) || 10 : limitRaw));
+        const since = cmdOpts.since ?? config.hotspots?.since ?? '12 months ago';
         const report = await analyzeHotspots(rootPath, scan.files, issues, {
-            since: cmdOpts.since,
+            since,
             limit,
         });
         if (spinner)
@@ -545,9 +624,11 @@ program
     maybeCompactBanner();
     const rootPath = getRootPath();
     const spinner = ora('Calculating health score...').start();
+    const config = await loadProjectConfig();
     try {
-        const scan = await scanRepository(rootPath);
-        const issues = await collectIssues(rootPath, scan.files);
+        const scan = await scanRepository(rootPath, { ignore: config.ignore });
+        let issues = await collectIssues(rootPath, scan.files);
+        issues = applyConfigToIssues(issues, config);
         const { score, grade } = calculateScore(issues);
         spinner.stop();
         const gradeColor = grade === 'A' || grade === 'B' ? chalk.green : grade === 'C' ? chalk.yellow : chalk.red;