secure-review-extension 1.0.5 → 1.0.6

package/bin/secure-review.js

@@ -147,6 +147,7 @@ async function scanWorkspace(workspaceArg, flags) {
         workspaceRoot,
         target: flags["dynamic-url"],
         scanMode: flags["dynamic-mode"] || "baseline",
+        apiDefinitionUrl: flags["dynamic-api-url"] || "",
         allowHosts: splitCsv(flags["dynamic-allow-hosts"]) || ["127.0.0.1", "localhost"],
         spiderMinutes: Number(flags["dynamic-spider-minutes"] || 1),
         useAjaxSpider: Boolean(flags["dynamic-ajax"]),
@@ -187,12 +188,15 @@ function buildStaticConfig(flags) {
     enableNpmAudit: !isFalse(flags["npm-audit"]),
     enableBandit: !isFalse(flags.bandit),
     enablePipAudit: !isFalse(flags["pip-audit"]),
+    enableBrakeman: !isFalse(flags.brakeman),
+    enablePhpStan: !isFalse(flags.phpstan),
     enableSpotBugs: !isFalse(flags.spotbugs),
     enableGosec: !isFalse(flags.gosec),
     enableGovulncheck: !isFalse(flags.govulncheck),
     enableCargoAudit: !isFalse(flags["cargo-audit"]),
     enableClippy: !isFalse(flags.clippy),
-    enableCppcheck: !isFalse(flags.cppcheck)
+    enableCppcheck: !isFalse(flags.cppcheck),
+    enableDotnetVuln: !isFalse(flags["dotnet-vuln"])
   };
 }
 
@@ -238,14 +242,18 @@ function buildScanConfiguration(flags) {
     `Bandit: ${isFalse(flags.bandit) ? "Disabled" : "Enabled"}`,
     `npm audit: ${isFalse(flags["npm-audit"]) ? "Disabled" : "Enabled"}`,
     `pip-audit: ${isFalse(flags["pip-audit"]) ? "Disabled" : "Enabled"}`,
+    `Brakeman: ${isFalse(flags.brakeman) ? "Disabled" : "Enabled"}`,
+    `PHPStan: ${isFalse(flags.phpstan) ? "Disabled" : "Enabled"}`,
     `SpotBugs: ${isFalse(flags.spotbugs) ? "Disabled" : "Enabled"}`,
     `gosec: ${isFalse(flags.gosec) ? "Disabled" : "Enabled"}`,
     `govulncheck: ${isFalse(flags.govulncheck) ? "Disabled" : "Enabled"}`,
     `cargo-audit: ${isFalse(flags["cargo-audit"]) ? "Disabled" : "Enabled"}`,
     `Clippy: ${isFalse(flags.clippy) ? "Disabled" : "Enabled"}`,
     `cppcheck: ${isFalse(flags.cppcheck) ? "Disabled" : "Enabled"}`,
+    `.NET package audit: ${isFalse(flags["dotnet-vuln"]) ? "Disabled" : "Enabled"}`,
     flags["dynamic-url"] ? `Dynamic URL: ${flags["dynamic-url"]}` : null,
-    flags["dynamic-mode"] ? `Dynamic Mode: ${flags["dynamic-mode"]}` : null
+    flags["dynamic-mode"] ? `Dynamic Mode: ${flags["dynamic-mode"]}` : null,
+    flags["dynamic-api-url"] ? `Dynamic API Definition URL: ${flags["dynamic-api-url"]}` : null
   ].filter(Boolean).join("; ");
 }
 
@@ -263,7 +271,7 @@ function printScanSummary(findings, workspaceRoot) {
     const location = finding.relativePath
       ? `${finding.relativePath}:${finding.line || 1}`
       : finding.targetUrl || "unknown-location";
-    console.log(`[${String(finding.severity || "low").toUpperCase()}] ${finding.title} :: ${location}`);
+    console.log(`[${String(finding.severity || "low").toUpperCase()}][${String(finding.findingType || "contextual-warning")}] ${finding.title} :: ${location} (${String(finding.evidenceStrength || "medium")} evidence)`);
   }
 
   if (findings.length > 25) {
@@ -313,21 +321,315 @@ function defaultProjectName(workspaceLabel) {
 function printHelp() {
   console.log(`secure-review
 
-Commands:
+Secure Review is a local security-focused code review CLI for:
+- local workspaces
+- Bitbucket repositories
+- static analysis
+- dependency review
+- runtime/config review
+- optional Docker-based OWASP ZAP dynamic scans
+- exportable reports in text, json, html, md, and docx
+
+General syntax:
+  secure-review <command> [workspace-or-bitbucket-url] [flags]
+
+Workspace input supports:
+- local paths
+- Bitbucket HTTPS repo URLs
+- Bitbucket browser URLs like /src/<branch>/
+- Bitbucket SSH clone URLs
+
+Examples of valid workspace inputs:
+  /home/user/project
+  .
+  https://bitbucket.org/acme/payments-service
+  https://bitbucket.org/acme/payments-service/src/main/
+  git@bitbucket.org:acme/payments-service.git
+
+Commands
+
+1. inspect
+  Purpose:
+  Detect the workspace stack and show which scanner tools are relevant.
+
+  Syntax:
   secure-review inspect [workspace-or-bitbucket-url] [--branch <name>]
-  secure-review bootstrap [workspace-or-bitbucket-url] [--run] [--branch <name>]
-  secure-review scan [workspace-or-bitbucket-url] [--severity low|medium|high|critical] [--tool-timeout-ms 120000] [--format text|json|html|md|docx] [--out <path>] [--branch <name>]
-  secure-review scan [workspace-or-bitbucket-url] --dynamic-url <url> [--dynamic-mode baseline|full]
 
-Examples:
-  secure-review inspect /path/to/repo
+  Typical use cases:
+  - understand what languages/frameworks were detected
+  - see which external scanner tools should be installed
+  - inspect a local repo before first scan
+  - inspect a remote Bitbucket repo without cloning it manually
+
+  Examples:
+  secure-review inspect .
+  secure-review inspect /home/user/my-api
   secure-review inspect https://bitbucket.org/acme/payments-service
-  secure-review inspect https://bitbucket.org/acme/payments-service/src/main/
-  secure-review bootstrap /path/to/repo --run
+  secure-review inspect https://bitbucket.org/acme/payments-service/src/release-1.2/
+  secure-review inspect git@bitbucket.org:acme/payments-service.git --branch develop
+
+2. bootstrap
+  Purpose:
+  Show or execute the recommended scanner-tool installation plan for the target workspace.
+
+  Syntax:
+  secure-review bootstrap [workspace-or-bitbucket-url] [--branch <name>] [--run]
+
+  Behavior:
+  - without --run:
+    dry run only, prints planned installs
+  - with --run:
+    executes supported install commands for detected tools
+
+  Typical use cases:
+  - prepare a machine before scanning a new language stack
+  - check whether Python / Go / Rust / Java / Ruby / PHP / .NET helpers are needed
+  - bootstrap tools for a remote Bitbucket repo you do not have locally
+
+  Examples:
+  secure-review bootstrap .
+  secure-review bootstrap /home/user/service --run
   secure-review bootstrap git@bitbucket.org:acme/payments-service.git
-  secure-review scan /path/to/repo --severity medium
-  secure-review scan https://bitbucket.org/acme/payments-service/src/release-1.2/ --severity high
-  secure-review scan /path/to/repo --format docx --out review.docx
-  secure-review scan /path/to/repo --dynamic-url http://127.0.0.1:3001 --format html --out report.html
+  secure-review bootstrap https://bitbucket.org/acme/payments-service/src/main/ --run
+
+3. scan
+  Purpose:
+  Run static review, optional dynamic review, and optional report export.
+
+  Syntax:
+  secure-review scan [workspace-or-bitbucket-url] [flags]
+
+  Core scan flags:
+  --severity <low|medium|high|critical>
+    Minimum severity shown in the final output. Default: low
+
+  --max-files <number>
+    Maximum number of files scanned from the workspace. Default: 400
+
+  --tool-timeout-ms <milliseconds>
+    Per-tool timeout for external scanners. Default: 120000
+
+  --format <text|json|html|md|docx>
+    Output format. Default: text
+
+  --out <path>
+    Output report path when using json/html/md/docx
+
+  --branch <name>
+    Branch name to use when the target is a Bitbucket repository
+
+  Static scanner toggle flags:
+  --built-in-rules <true|false>
+  --semgrep <true|false>
+  --eslint <true|false>
+  --npm-audit <true|false>
+  --bandit <true|false>
+  --pip-audit <true|false>
+  --brakeman <true|false>
+  --phpstan <true|false>
+  --spotbugs <true|false>
+  --gosec <true|false>
+  --govulncheck <true|false>
+  --cargo-audit <true|false>
+  --clippy <true|false>
+  --cppcheck <true|false>
+  --dotnet-vuln <true|false>
+
+  Dynamic scan flags:
+  --dynamic-url <url>
+    Base URL of the running local/test application to scan with ZAP
+
+  --dynamic-mode <baseline|full|api>
+    baseline:
+      passive-oriented runtime scan
+    full:
+      active/intrusive runtime scan
+    api:
+      API-definition-driven ZAP scan
+
+  --dynamic-api-url <url>
+    API definition URL used when --dynamic-mode api
+    Supported practical inputs include OpenAPI/Swagger, GraphQL, and WSDL definition URLs
+
+  --dynamic-allow-hosts <csv>
+    Comma-separated allowlist of target hosts
+    Example: --dynamic-allow-hosts 127.0.0.1,localhost,dev.internal
+
+  --dynamic-spider-minutes <number>
+    ZAP spider duration in minutes. Default: 1
+
+  --dynamic-ajax
+    Enable the ZAP Ajax spider in addition to the traditional spider
+
+  --zap-image <image>
+    Override the Docker image used for ZAP
+
+  Report metadata flags:
+  --project <name>
+    Override report project name
+
+  --date <value>
+    Override report date
+
+  --notes <text>
+    Extra methodology/limitation notes included in exports
+
+Common scenarios
+
+Local static-only scan:
+  secure-review scan /home/user/project --severity medium
+
+Local static scan with JSON output:
+  secure-review scan /home/user/project --severity low --format json --out findings.json
+
+Local scan with HTML report:
+  secure-review scan /home/user/project --format html --out secure-review-report.html
+
+Local scan with DOCX report:
+  secure-review scan /home/user/project --format docx --out secure-review-report.docx
+
+Remote Bitbucket scan over SSH:
+  secure-review scan git@bitbucket.org:acme/payments-service.git --severity medium
+
+Remote Bitbucket scan for a specific branch:
+  secure-review scan git@bitbucket.org:acme/payments-service.git --branch release-1.2 --severity high
+
+Remote Bitbucket browser URL scan:
+  secure-review scan https://bitbucket.org/acme/payments-service/src/main/ --severity medium
+
+Quick built-in-rules-only scan:
+  secure-review scan /home/user/project --semgrep false --eslint false --bandit false --pip-audit false --npm-audit false
+
+Scan with slower tools given more time:
+  secure-review scan /home/user/project --tool-timeout-ms 600000
+
+Scan with selected tools disabled:
+  secure-review scan /home/user/project --semgrep false --bandit false --gosec false
+
+Baseline dynamic scan against a local app:
+  secure-review scan /home/user/project --dynamic-url http://127.0.0.1:3001 --dynamic-mode baseline
+
+Baseline dynamic scan plus HTML report:
+  secure-review scan /home/user/project --dynamic-url http://127.0.0.1:3001 --dynamic-mode baseline --format html --out report.html
+
+Full dynamic scan against a developer-controlled test app:
+  secure-review scan /home/user/project --dynamic-url http://127.0.0.1:3001 --dynamic-mode full --dynamic-spider-minutes 3
+
+API-definition-driven dynamic scan:
+  secure-review scan /home/user/project --dynamic-url http://127.0.0.1:3001 --dynamic-mode api --dynamic-api-url http://127.0.0.1:3001/openapi.json
+
+Remote repo + dynamic scan together:
+  secure-review scan git@bitbucket.org:acme/payments-service.git --dynamic-url http://127.0.0.1:3001 --dynamic-mode baseline --format docx --out remote-review.docx
+
+Language-specific examples
+
+Python-heavy repo:
+  secure-review bootstrap /home/user/python-service --run
+  secure-review scan /home/user/python-service --bandit true --pip-audit true --severity medium
+
+Node / React repo:
+  secure-review bootstrap /home/user/frontend --run
+  secure-review scan /home/user/frontend --eslint true --npm-audit true --format html --out frontend-review.html
+
+Java repo:
+  secure-review scan /home/user/java-service --spotbugs true --semgrep true
+
+Go repo:
+  secure-review scan /home/user/go-service --gosec true --govulncheck true
+
+Rust repo:
+  secure-review scan /home/user/rust-service --cargo-audit true --clippy true
+
+PHP repo:
+  secure-review bootstrap /home/user/php-app --run
+  secure-review scan /home/user/php-app --phpstan true
+
+Ruby / Rails repo:
+  secure-review bootstrap /home/user/rails-app --run
+  secure-review scan /home/user/rails-app --brakeman true
+
+.NET repo:
+  secure-review scan /home/user/dotnet-api --dotnet-vuln true
+
+How severity filtering works:
+  --severity low
+    show everything
+  --severity medium
+    hide low
+  --severity high
+    show only high and critical
+  --severity critical
+    show only critical
+
+How output formats behave:
+  text
+    prints a summary and first 25 findings to terminal
+  json
+    prints JSON to terminal if --out is omitted
+    writes JSON to file if --out is provided
+  html
+    writes an HTML report
+  md
+    writes a Markdown report
+  docx
+    writes a Word report
+
+Bitbucket notes:
+  - public repos can often be scanned with HTTPS URLs
+  - private repos are best scanned with SSH URLs
+  - example SSH form:
+    git@bitbucket.org:workspace/repository.git
+  - if HTTPS auth is required, use a Bitbucket app password rather than a normal login password
+
+Dynamic scan notes:
+  - dynamic scan requires Docker
+  - scans should only target developer-controlled local/test apps
+  - full mode is intrusive
+  - localhost targets are rewritten for Docker container access
+  - api mode requires both --dynamic-url and --dynamic-api-url
+
+Exit behavior:
+  - prints findings to terminal for text mode
+  - writes files for json/html/md/docx modes
+  - returns non-zero on command failure
+
+Troubleshooting
+
+If a scan looks stuck:
+  - increase --tool-timeout-ms
+  - disable slower tools one by one
+  - use inspect/bootstrap first to confirm relevant tools
+
+If a Bitbucket scan fails:
+  - prefer SSH URLs for private repos
+  - test SSH separately with:
+    ssh -T git@bitbucket.org
+
+If a global npm install fails with EACCES:
+  - use sudo for system-wide install
+  - or configure a user-local npm global directory
+
+If dynamic scan fails:
+  - confirm Docker is running
+  - confirm the app is reachable in a browser or curl
+  - confirm the host is in the allowed host list
+  - confirm the API definition URL is valid when using api mode
+
+Quick start
+  1. secure-review inspect /path/to/repo
+  2. secure-review bootstrap /path/to/repo --run
+  3. secure-review scan /path/to/repo --severity medium
+  4. secure-review scan /path/to/repo --format docx --out review.docx
+
+More examples
+  secure-review inspect .
+  secure-review bootstrap . --run
+  secure-review scan . --severity medium
+  secure-review scan . --format json
+  secure-review scan . --format html --out report.html
+  secure-review scan . --format md --out report.md
+  secure-review scan . --format docx --out report.docx
+  secure-review scan . --dynamic-url http://127.0.0.1:3001 --dynamic-mode baseline
+  secure-review scan . --dynamic-url http://127.0.0.1:3001 --dynamic-mode api --dynamic-api-url http://127.0.0.1:3001/openapi.json
 `);
 }

package/extension.js

@@ -107,6 +107,10 @@ function activate(context) {
         return;
       }
     }
+    if (mode === "api" && !configAccessor().get("dynamicApiDefinitionUrl", "")) {
+      vscode.window.showWarningMessage("Set Secure Review > Dynamic API Definition URL before running api mode scans.");
+      return;
+    }
 
     await vscode.window.withProgress(
       {
@@ -275,7 +279,7 @@ function activate(context) {
       reportDate: lastReportMetadata?.reportDate || (lastRun || new Date()),
       scanType: lastReportMetadata?.scanType || defaultScanType || (store.findings.some((item) => item.source === "dynamic") ? "Static + Dynamic Analysis" : "Static Analysis"),
       notes: lastReportMetadata?.notes || "",
-      scanConfiguration: `Minimum Severity: ${configAccessor().get("minimumSeverity", "low")}; Run On Save: ${configAccessor().get("runOnSave", false) ? "Enabled" : "Disabled"}; Built-In Rules: ${configAccessor().get("enableBuiltInRules", true) ? "Enabled" : "Disabled"}; Semgrep: ${configAccessor().get("enableSemgrep", true) ? "Enabled" : "Disabled"}; ESLint: ${configAccessor().get("enableEslint", true) ? "Enabled" : "Disabled"}; Bandit: ${configAccessor().get("enableBandit", true) ? "Enabled" : "Disabled"}; npm audit: ${configAccessor().get("enableNpmAudit", true) ? "Enabled" : "Disabled"}; pip-audit: ${configAccessor().get("enablePipAudit", true) ? "Enabled" : "Disabled"}; SpotBugs: ${configAccessor().get("enableSpotBugs", true) ? "Enabled" : "Disabled"}; gosec: ${configAccessor().get("enableGosec", true) ? "Enabled" : "Disabled"}; govulncheck: ${configAccessor().get("enableGovulncheck", true) ? "Enabled" : "Disabled"}; cargo-audit: ${configAccessor().get("enableCargoAudit", true) ? "Enabled" : "Disabled"}; Clippy: ${configAccessor().get("enableClippy", true) ? "Enabled" : "Disabled"}; cppcheck: ${configAccessor().get("enableCppcheck", true) ? "Enabled" : "Disabled"}; Dynamic URL: ${configAccessor().get("dynamicBaseUrl", "http://127.0.0.1:3000")}; Dynamic Mode: ${configAccessor().get("dynamicScanMode", "baseline")}; Ajax Spider: ${configAccessor().get("dynamicUseAjaxSpider", false) ? "Enabled" : "Disabled"}`
+      scanConfiguration: `Minimum Severity: ${configAccessor().get("minimumSeverity", "low")}; Run On Save: ${configAccessor().get("runOnSave", false) ? "Enabled" : "Disabled"}; Built-In Rules: ${configAccessor().get("enableBuiltInRules", true) ? "Enabled" : "Disabled"}; Semgrep: ${configAccessor().get("enableSemgrep", true) ? "Enabled" : "Disabled"}; ESLint: ${configAccessor().get("enableEslint", true) ? "Enabled" : "Disabled"}; Bandit: ${configAccessor().get("enableBandit", true) ? "Enabled" : "Disabled"}; npm audit: ${configAccessor().get("enableNpmAudit", true) ? "Enabled" : "Disabled"}; pip-audit: ${configAccessor().get("enablePipAudit", true) ? "Enabled" : "Disabled"}; Brakeman: ${configAccessor().get("enableBrakeman", true) ? "Enabled" : "Disabled"}; PHPStan: ${configAccessor().get("enablePhpStan", true) ? "Enabled" : "Disabled"}; SpotBugs: ${configAccessor().get("enableSpotBugs", true) ? "Enabled" : "Disabled"}; gosec: ${configAccessor().get("enableGosec", true) ? "Enabled" : "Disabled"}; govulncheck: ${configAccessor().get("enableGovulncheck", true) ? "Enabled" : "Disabled"}; cargo-audit: ${configAccessor().get("enableCargoAudit", true) ? "Enabled" : "Disabled"}; Clippy: ${configAccessor().get("enableClippy", true) ? "Enabled" : "Disabled"}; cppcheck: ${configAccessor().get("enableCppcheck", true) ? "Enabled" : "Disabled"}; .NET package audit: ${configAccessor().get("enableDotnetVuln", true) ? "Enabled" : "Disabled"}; Dynamic URL: ${configAccessor().get("dynamicBaseUrl", "http://127.0.0.1:3000")}; Dynamic Mode: ${configAccessor().get("dynamicScanMode", "baseline")}; Dynamic API Definition URL: ${configAccessor().get("dynamicApiDefinitionUrl", "") || "n/a"}; Ajax Spider: ${configAccessor().get("dynamicUseAjaxSpider", false) ? "Enabled" : "Disabled"}`
     };
   }
 }

package/package.json

@@ -2,7 +2,7 @@
   "name": "secure-review-extension",
   "displayName": "Secure Review",
   "description": "Run deep static and Docker-based dynamic secure code reviews directly inside VS Code.",
-  "version": "1.0.5",
+  "version": "1.0.6",
   "publisher": "your-publisher-id",
   "icon": "media/shield.png",
   "license": "MIT",
@@ -232,6 +232,16 @@
           "default": true,
           "description": "If Python dependency files exist and pip-audit is installed locally, include its results."
         },
+        "secureReview.enableBrakeman": {
+          "type": "boolean",
+          "default": true,
+          "description": "If Brakeman is installed locally, include Ruby and Rails security findings."
+        },
+        "secureReview.enablePhpStan": {
+          "type": "boolean",
+          "default": true,
+          "description": "If PHPStan is installed locally, include PHP static analysis findings."
+        },
         "secureReview.enableSpotBugs": {
           "type": "boolean",
           "default": true,
@@ -262,6 +272,11 @@
           "default": true,
           "description": "If cppcheck is installed locally, include C and C++ static analysis findings."
         },
+        "secureReview.enableDotnetVuln": {
+          "type": "boolean",
+          "default": true,
+          "description": "If the .NET SDK is installed locally, include NuGet vulnerability findings from dotnet package audit."
+        },
         "secureReview.dynamicBaseUrl": {
           "type": "string",
           "default": "http://127.0.0.1:3000",
@@ -271,10 +286,16 @@
           "type": "string",
           "enum": [
             "baseline",
-            "full"
+            "full",
+            "api"
           ],
           "default": "baseline",
-          "description": "ZAP Docker scan mode. Baseline is passive-focused; full scan is more intrusive."
+          "description": "ZAP Docker scan mode. Baseline is passive-focused, full scan is more intrusive, and api uses an API definition URL."
+        },
+        "secureReview.dynamicApiDefinitionUrl": {
+          "type": "string",
+          "default": "",
+          "description": "OpenAPI, GraphQL, or WSDL definition URL used when Dynamic Scan Mode is set to api."
         },
         "secureReview.dynamicSpiderMinutes": {
           "type": "number",

package/src/findings-provider.js

@@ -14,9 +14,9 @@ class FindingNode extends vscode.TreeItem {
     this.finding = finding;
     this.contextValue = "finding";
     this.description = finding.source === "dynamic"
-      ? `${finding.category} • ${finding.targetUrl || finding.reviewDomain}`
-      : `${finding.category} • ${finding.reviewDomain}`;
-    this.tooltip = `${finding.title}\nSeverity: ${finding.severity}\nConfidence: ${finding.confidence}\n${finding.message}`;
+      ? `${finding.findingType || finding.category} • ${finding.targetUrl || finding.reviewDomain}`
+      : `${finding.findingType || finding.category} • ${finding.reviewDomain}`;
+    this.tooltip = `${finding.title}\nSeverity: ${finding.severity}\nConfidence: ${finding.confidence}\nEvidence strength: ${finding.evidenceStrength || "medium"}\nType: ${finding.findingType || "contextual-warning"}\n${finding.message}`;
     this.command = {
       command: "secureReview.openFinding",
       title: "Open Finding",

package/src/report.js

@@ -105,14 +105,15 @@ function buildReportModel(findings, metadata = {}) {
 
 function normalizeFinding(finding) {
   const isDynamic = finding.source === "dynamic";
+  const dynamicLocation = formatDynamicLocation(finding);
   const locationDisplay = isDynamic
-    ? (finding.targetUrl || "Unknown URL")
+    ? dynamicLocation
     : finding.relativePath && finding.line
       ? `${finding.relativePath} (line ${finding.line})`
       : finding.relativePath || finding.filePath || "Unknown file";
 
   const overviewLocationDisplay = isDynamic
-    ? (finding.targetUrl || "Unknown URL")
+    ? dynamicLocation
     : finding.relativePath && finding.line
       ? `${finding.relativePath}:${finding.line}`
       : finding.relativePath || finding.filePath || "Unknown file";
@@ -125,6 +126,10 @@ function normalizeFinding(finding) {
     subcategory: finding.subcategory || "General",
     reviewDomain: finding.reviewDomain || "security",
     confidence: finding.confidence || "medium",
+    findingType: finding.findingType || inferReportFindingType(finding),
+    evidenceStrength: finding.evidenceStrength || inferReportEvidenceStrength(finding),
+    flaggedBy: finding.flaggedBy || inferFlaggedBy(finding),
+    manualReviewDisplay: finding.manualReviewRecommended === false ? "No" : "Yes",
     locationDisplay,
     overviewLocationDisplay,
     remediationSummary: shorten(stripHtml(finding.remediation || "No remediation provided."), 100),
@@ -136,6 +141,42 @@ function normalizeFinding(finding) {
   };
 }
 
+function inferReportFindingType(finding) {
+  if (finding.source === "dynamic") {
+    return "runtime-vulnerability";
+  }
+  if (finding.reviewDomain === "dependency-risk") {
+    return "dependency-risk";
+  }
+  if (finding.reviewDomain === "maintainability" || finding.reviewDomain === "code-quality") {
+    return "recommendation";
+  }
+  return "contextual-warning";
+}
+
+function inferReportEvidenceStrength(finding) {
+  if (finding.source === "dynamic") {
+    return "medium";
+  }
+  return "medium";
+}
+
+function inferFlaggedBy(finding) {
+  if (finding.source === "dynamic") {
+    return "owasp-zap";
+  }
+  return "secure-review";
+}
+
+function formatDynamicLocation(finding) {
+  const primary = finding.targetUrl || "Unknown URL";
+  const extraCount = Math.max(0, Number(finding.relatedTargetCount || 0) - 1);
+  if (extraCount === 0) {
+    return primary;
+  }
+  return `${primary} (+${extraCount} more endpoint${extraCount === 1 ? "" : "s"})`;
+}
+
 function buildRecommendations(findings) {
   const grouped = new Map();
   for (const finding of findings) {
@@ -331,6 +372,10 @@ function renderFindingDetail(finding, index) {
         <strong>Subcategory</strong><span>${escapeHtml(finding.subcategory)}</span>
         <strong>Review Domain</strong><span>${escapeHtml(finding.reviewDomain)}</span>
         <strong>Confidence</strong><span>${escapeHtml(finding.confidence)}</span>
+        <strong>Finding Type</strong><span>${escapeHtml(finding.findingType)}</span>
+        <strong>Evidence Strength</strong><span>${escapeHtml(finding.evidenceStrength)}</span>
+        <strong>Flagged By</strong><span>${escapeHtml(finding.flaggedBy)}</span>
+        <strong>Manual Review</strong><span>${escapeHtml(finding.manualReviewDisplay)}</span>
         <strong>Finding ID</strong><span>${escapeHtml(finding.id)}</span>
         <strong>File / Location</strong><span>${escapeHtml(finding.locationDisplay)}</span>
         <strong>Source</strong><span>${escapeHtml(finding.source)}</span>

package/src/scanners/bootstrap-tools.js

@@ -58,6 +58,19 @@ function detectWorkspace(workspaceRoot) {
     languages.add("cpp");
   }
 
+  if (exists("composer.json")) {
+    languages.add("php");
+  }
+
+  if (exists("Gemfile")) {
+    languages.add("ruby");
+    frameworks.add("rails");
+  }
+
+  if (manifestNames.has("global.json") || [...manifestNames].some((file) => file.endsWith(".csproj") || file.endsWith(".sln"))) {
+    languages.add("csharp");
+  }
+
   for (const file of manifestNames) {
     const ext = path.extname(file).toLowerCase();
     if ([".c", ".h"].includes(ext)) languages.add("c");
@@ -66,6 +79,9 @@ function detectWorkspace(workspaceRoot) {
     if (ext === ".py") languages.add("python");
     if (ext === ".go") languages.add("go");
     if (ext === ".rs") languages.add("rust");
+    if (ext === ".php") languages.add("php");
+    if (ext === ".rb") languages.add("ruby");
+    if (ext === ".cs") languages.add("csharp");
     if ([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"].includes(ext)) languages.add("javascript");
   }
 
@@ -120,6 +136,24 @@ function buildInstallPlan(profile) {
     });
   }
 
+  if (hasAny(profile.languages, ["ruby"])) {
+    addTool(plan, seen, {
+      tool: "Brakeman",
+      requiredFor: ["Ruby / Rails"],
+      install: resolveGemInstall("brakeman"),
+      verify: ["brakeman", "--version"]
+    });
+  }
+
+  if (hasAny(profile.languages, ["php"])) {
+    addTool(plan, seen, {
+      tool: "PHPStan",
+      requiredFor: ["PHP"],
+      install: resolveComposerGlobalInstall("phpstan/phpstan"),
+      verify: ["phpstan", "--version"]
+    });
+  }
+
   if (hasAny(profile.languages, ["java"])) {
     addTool(plan, seen, {
       tool: "SpotBugs",
@@ -168,6 +202,15 @@ function buildInstallPlan(profile) {
     });
   }
 
+  if (hasAny(profile.languages, ["csharp"])) {
+    addTool(plan, seen, {
+      tool: ".NET package audit",
+      requiredFor: ["C# / .NET"],
+      install: resolveDotnetInstall(),
+      verify: ["dotnet", "--version"]
+    });
+  }
+
   return plan;
 }
 
@@ -229,6 +272,16 @@ function resolveCargoInstall(crateName) {
   return { kind: "manual", note: `Install ${crateName} with Cargo.` };
 }
 
+function resolveGemInstall(packageName) {
+  if (hasCommand("gem")) return { kind: "command", command: ["gem", "install", packageName] };
+  return { kind: "manual", note: `Install ${packageName} with RubyGems.` };
+}
+
+function resolveComposerGlobalInstall(packageName) {
+  if (hasCommand("composer")) return { kind: "command", command: ["composer", "global", "require", packageName] };
+  return { kind: "manual", note: `Install ${packageName} with Composer globally or add it to the project dev dependencies.` };
+}
+
 function resolveRustupComponent(component) {
   if (hasCommand("rustup")) return { kind: "command", command: ["rustup", "component", "add", component] };
   return { kind: "manual", note: `Install Rustup and add the ${component} component.` };
@@ -247,6 +300,11 @@ function resolveSpotBugsInstall() {
   return { kind: "manual", note: "Install SpotBugs manually and ensure `spotbugs` is on PATH." };
 }
 
+function resolveDotnetInstall() {
+  if (hasCommand("dotnet")) return { kind: "already-installed" };
+  return { kind: "manual", note: "Install the .NET SDK so Secure Review can run dotnet package vulnerability checks." };
+}
+
 function hasAny(values, expected) {
   return expected.some((value) => values.includes(value));
 }