npm - secure-review-extension - Versions diffs - 1.0.6 → 1.0.9 - Mend

secure-review-extension 1.0.6 → 1.0.9

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/README.md +364 -203
package/extension.js +92 -11
package/package.json +2 -2
package/src/scanners/static-scan.js +23 -7

package/README.md CHANGED Viewed

@@ -1,76 +1,123 @@
-# Secure Review VS Code Extension
+# Secure Review
-Secure Review is a VS Code extension for internal engineering teams that runs deep static secure code reviews and Docker-based dynamic web security scans directly from VS Code.
+Secure Review is a VS Code extension and local CLI for static secure code review, dependency review, and Docker-based dynamic web security testing.
-It can also run as a local terminal agent through the `secure-review` CLI.
+It is designed to help developers and security teams scan local repositories or Bitbucket-hosted repositories without needing to manually stitch together multiple tools.
-## Features
+## What You Can Do With It
-- Static workspace scan with built-in review packs
-- Current-file scan command
-- Docker-based OWASP ZAP dynamic scan for local/test applications
-- Optional local external tool enrichment when available
-- Findings tree view in the VS Code activity bar
-- Inline diagnostics in the editor
-- Report webview with summary, findings, and evidence
-- DOCX security report export with project metadata prompts
-- Ignore findings for the current workspace session
-- Optional scan-on-save behavior
+- Run static workspace scans inside VS Code
+- Scan the currently open file
+- Review findings in a dedicated activity bar view
+- See inline diagnostics in the editor
+- Open a report webview with summaries, evidence, and remediation guidance
+- Export findings as DOCX from the extension
+- Run the same engine from the terminal with the `secure-review` CLI
+- Scan Bitbucket repositories directly by URL
+- Enrich results with local tools such as `semgrep`, `eslint`, `bandit`, `pip-audit`, `gosec`, `cppcheck`, and others when available
+- Run OWASP ZAP dynamic scans against developer-controlled local or test web applications
+## Key Capabilities
+### Static review
+Secure Review combines built-in rule packs, repository heuristics, optional external tools, and stack-aware checks.
+It covers areas such as:
+- hard-coded secrets and credentials
+- weak cryptography usage
+- command execution risks
+- injection-style patterns
+- auth and authorization issues
+- dependency and supply-chain risks
+- configuration and infrastructure risks
+- testing gaps
+- reliability, maintainability, and performance smells
+### Dynamic review
+Secure Review can launch OWASP ZAP through Docker and run:
+- baseline scans for passive checks
+- full scans for active testing
+- API-focused scans using an API definition URL when available
+Dynamic findings are grouped and normalized into the same reporting model used by static scans.
+### CLI agent
+The `secure-review` CLI supports:
+- local repository inspection
+- bootstrap planning for scanner tools
+- local path scans
+- Bitbucket repository scans by HTTPS or SSH URL
+- optional report export
+- optional dynamic scan integration
 ## Installation
-### Visual Studio Marketplace
+### Option 1: Install From Visual Studio Marketplace
-1. Publish the extension with your real publisher identity.
-2. Search for `Secure Review` in VS Code Extensions.
-3. Click `Install`.
+1. Open VS Code.
+2. Open the Extensions view.
+3. Search for `Secure Review`.
+4. Click `Install`.
-### VSIX
+### Option 2: Install From VSIX
-1. Package the extension:
+If you have a packaged `.vsix` file:
+1. Open VS Code.
+2. Open the Extensions view.
+3. Choose `Extensions: Install from VSIX...`
+4. Select the `.vsix` file.
+If you are packaging the extension from source:
 ```bash
+npm install
+npm run verify
 npm run package
 ```
-2. In VS Code, run `Extensions: Install from VSIX...`
-3. Select the generated `.vsix` file.
+This creates a `.vsix` package in the repository root.
-### CLI Agent
+### Option 3: Install The CLI
-To use Secure Review as a terminal agent from this repo:
+From npm:
 ```bash
-npm link
+npm install -g secure-review-extension
 ```
-Then the `secure-review` command will be available on your machine:
+Then run:
 ```bash
 secure-review help
 ```
-To prepare the CLI package for distribution:
+If you are using the source repository locally:
 ```bash
-npm run verify
-npm run pack:cli:dry-run
-```
-To build the tarball you would share or publish:
-```bash
-npm run pack:cli
+npm install
+npm link
+secure-review help
 ```
-To publish to npm after setting the final package name and metadata:
+## Quick Start In VS Code
-```bash
-npm run publish:npm
-```
+1. Open a project folder in VS Code.
+2. Open the Command Palette.
+3. Run `Secure Review: Scan Workspace`.
+4. Open the `Secure Review` activity bar view to inspect findings.
+5. Run `Secure Review: Open Review Report` to see the in-editor report.
+6. Run `Secure Review: Export Findings Report` to create a DOCX report.
-## Commands
+Available extension commands:
+- `Secure Review: Check Workspace Requirements`
 - `Secure Review: Scan Workspace`
 - `Secure Review: Scan Current File`
 - `Secure Review: Dynamic Scan Local App`
@@ -79,183 +126,192 @@ npm run publish:npm
 - `Secure Review: Clear Findings`
 - `Secure Review: Ignore Finding`
-## CLI Usage
+## Quick Start In The CLI
-The terminal agent supports:
+Inspect a local repository:
 ```bash
 secure-review inspect /path/to/repo
-secure-review inspect https://bitbucket.org/acme/payments-service
-secure-review inspect https://bitbucket.org/acme/payments-service/src/main/
-secure-review bootstrap /path/to/repo
-secure-review bootstrap /path/to/repo --run
-secure-review bootstrap git@bitbucket.org:acme/payments-service.git
-secure-review scan /path/to/repo --severity medium
-secure-review scan https://bitbucket.org/acme/payments-service/src/release-1.2/ --severity high
-secure-review scan /path/to/repo --format html --out report.html
-secure-review scan /path/to/repo --format docx --out report.docx
-secure-review scan /path/to/repo --dynamic-url http://127.0.0.1:3001 --dynamic-mode baseline
 ```
-Command summary:
-- `inspect`
-  Shows detected languages, frameworks, and recommended scanner tools for a workspace or Bitbucket repository URL.
-- `bootstrap`
-  Prints the install plan for the workspace, or runs the supported install commands with `--run`.
-- `scan`
-  Runs static review, optionally adds a Docker-based ZAP dynamic scan, and can export text, JSON, HTML, Markdown, or DOCX output.
-Bitbucket remote scan support:
-- pass a normal Bitbucket repo URL such as `https://bitbucket.org/workspace/repo`
-- pass a Bitbucket browser URL such as `https://bitbucket.org/workspace/repo/src/main/`
-- pass an SSH clone URL such as `git@bitbucket.org:workspace/repo.git`
-- Secure Review clones the repo to a temporary workspace, scans it, then cleans up automatically
-- use `--branch <name>` to override the branch when the URL does not already specify one
-- default scan exclusions skip noisy dependency and build folders such as `.venv`, `venv`, `node_modules`, `dist`, `build`, `target`, `coverage`, and `__pycache__`
-## npm Publishing Notes
-Before publishing the CLI package for other users:
-- replace the placeholder npm package name in [package.json](/home/ankit.singh/CODE_REVIEW_TOOL/package.json) if needed
-- replace placeholder homepage, repository, and bugs URLs
-- make sure the package name is actually available on npm
-- run `npm run verify`
-- run `npm run pack:cli:dry-run`
-- run `npm run pack:cli`
-- test the generated tarball locally with `npm install -g ./<tarball>.tgz`
-- publish with `npm run publish:npm`
-## What The Extension Checks
-### Static checks
+Inspect a Bitbucket repository:
-- hard-coded secrets and credentials
-- weak crypto algorithms like `md5` and `sha1`
-- SQL injection style string concatenation
-- command execution sinks
-- dangerous HTML injection patterns
-- debug and verbose logging smells
-- unsafe eval-like execution
-### Review domains
-- security and vulnerability checks
-- dependency and supply-chain checks
-- code quality and maintainability
-- reliability and error handling
-- performance smells
-- outdated practices
-- testing gaps
+```bash
+secure-review inspect https://bitbucket.org/workspace/repository
+```
-### Dynamic checks
+See which optional scanner tools are recommended:
-- ZAP baseline scan for passive web checks
-- ZAP full scan for active testing against local/test apps
-- missing headers
-- cookie issues
-- information disclosure
-- XSS and injection candidates surfaced by ZAP
-Dynamic scans are intended only for developer-controlled local or test URLs. Full scan mode is intrusive and requires explicit confirmation.
+```bash
+secure-review bootstrap /path/to/repo
+```
-## Report Export
+Run a scan:
-- Exported reports are generated as `.docx`
-- The export flow prompts for:
-  - project name
-  - report date
-  - scan type
-  - optional notes
-- Reports include:
-  - executive summary
-  - severity summary
-  - findings by category
-  - findings by review domain
-  - overview grouped by severity
-  - detailed findings with evidence, why-it-matters, remediation, and suggestions
-  - recommendations summary
-  - methodology, limitations, and scan configuration
+```bash
+secure-review scan /path/to/repo --severity medium
+```
-## Test In This Workspace
+Export HTML output:
-1. Open this folder in VS Code.
-2. Press `Fn + F5` or use `Run and Debug` to launch the Extension Development Host.
-3. In the new VS Code window, open any code project.
-4. Run `Secure Review: Scan Workspace` from the Command Palette.
-5. Open the `Secure Review` activity bar icon to inspect findings.
-6. Run `Secure Review: Open Review Report` to see the webview report.
-7. Run `Secure Review: Export Findings Report` to create the Word report.
+```bash
+secure-review scan /path/to/repo --format html --out review.html
+```
-This repo already includes a vulnerable sample in [sample-workspace/demo-app.js](/home/ankit.singh/CODE_REVIEW_TOOL/sample-workspace/demo-app.js), so scanning this workspace should immediately produce findings.
+Export DOCX output:
-## Test The CLI Agent
+```bash
+secure-review scan /path/to/repo --format docx --out review.docx
+```
-1. From this repo, run:
+Run a scan against a Bitbucket repository without cloning it manually:
 ```bash
-npm link
+secure-review scan git@bitbucket.org:workspace/repository.git --severity medium
 ```
-2. Inspect a target workspace:
+## CLI Commands
+### `inspect`
+Displays detected languages, frameworks, and recommended scanner tools for:
+- a local workspace path
+- a Bitbucket repository URL
+- a Bitbucket browser URL with `/src/<branch>/`
+- a Bitbucket SSH clone URL
+Examples:
 ```bash
-secure-review inspect /home/ankit.singh/netbox-history-platform
+secure-review inspect /path/to/repo
+secure-review inspect https://bitbucket.org/acme/payments-service
+secure-review inspect https://bitbucket.org/acme/payments-service/src/main/
+secure-review inspect git@bitbucket.org:acme/payments-service.git
 ```
-You can also inspect a Bitbucket repo directly:
+### `bootstrap`
+Prints the install plan for matching scanner tools. With `--run`, Secure Review executes the supported install commands when possible.
+Examples:
 ```bash
-secure-review inspect https://bitbucket.org/macehand/secure-review-extension/src/main/
+secure-review bootstrap /path/to/repo
+secure-review bootstrap /path/to/repo --run
+secure-review bootstrap git@bitbucket.org:acme/payments-service.git
 ```
-3. See which scanners should be installed:
+### `scan`
+Runs static review, optional dynamic review, and optional report export.
+Examples:
 ```bash
-secure-review bootstrap /home/ankit.singh/netbox-history-platform
+secure-review scan /path/to/repo --severity low
+secure-review scan /path/to/repo --severity high --format json --out findings.json
+secure-review scan /path/to/repo --format html --out review.html
+secure-review scan /path/to/repo --format docx --out review.docx
+secure-review scan https://bitbucket.org/acme/payments-service/src/release-1.2/ --severity medium
+secure-review scan git@bitbucket.org:acme/payments-service.git --branch main --severity medium
 ```
-4. Run the code review:
+## Bitbucket Repository Support
+Secure Review can scan repositories that are not already present on the local machine.
+Supported inputs:
+- `https://bitbucket.org/workspace/repo`
+- `https://bitbucket.org/workspace/repo/src/main/`
+- `git@bitbucket.org:workspace/repo.git`
+Behavior:
+- the repository is cloned to a temporary directory
+- the requested branch is resolved automatically when possible
+- the scan runs against that temporary workspace
+- the temporary clone is cleaned up after the scan
+Tips:
+- use SSH URLs for private repositories if SSH access is already configured
+- use `--branch <name>` to override the branch when the URL does not specify one
+## Dynamic Scan Usage
+Dynamic scanning is intended only for applications and endpoints you control.
+Requirements:
+- Docker installed and running
+- a reachable local or test web application
+- a configured target URL
+Example local app:
 ```bash
-secure-review scan /home/ankit.singh/netbox-history-platform --severity low
+PORT=3001 node sample-workspace/dev-server.js
 ```
-Or scan a Bitbucket repo without cloning it manually:
+CLI example:
 ```bash
-secure-review scan https://bitbucket.org/macehand/secure-review-extension/src/main/ --severity low
+secure-review scan /path/to/repo \
+  --dynamic-url http://127.0.0.1:3001 \
+  --dynamic-mode baseline
 ```
-5. Export a report if needed:
+API scan mode example:
 ```bash
-secure-review scan /home/ankit.singh/netbox-history-platform --format docx --out /home/ankit.singh/netbox-history-platform/review.docx
+secure-review scan /path/to/repo \
+  --dynamic-url http://127.0.0.1:3001 \
+  --dynamic-mode api \
+  --dynamic-api-url http://127.0.0.1:3001/openapi.json
 ```
-## Dynamic Scan Setup
+Dynamic scan modes:
-1. Install Docker and ensure it is running.
-2. Start a local test app or the included sample:
+- `baseline`: passive checks and safer first pass
+- `full`: active testing for controlled targets only
+- `api`: API-oriented scan using a provided definition URL
-```bash
-PORT=3001 node sample-workspace/dev-server.js
-```
+Typical dynamic findings include:
-3. Set `Secure Review > Dynamic Base Url` to match the port you used, for example `http://127.0.0.1:3001`.
-4. Run `Secure Review: Dynamic Scan Local App`.
-5. Use `baseline` mode first; switch to `full` mode only for applications you control.
+- missing security headers
+- cookie security issues
+- information disclosure
+- reflected or stored attack candidates surfaced by ZAP
+- transport and response hardening issues
-## Bootstrap Scanner Tools
+## What Secure Review Checks
-If you want the workspace to prepare the matching external static-analysis tools before scanning, run:
+Secure Review blends several scan styles into one findings model.
-```bash
-npm run bootstrap:tools
-```
+### Built-in static rules
+- secrets and credentials
+- dangerous sinks such as shell execution, HTML injection, and weak crypto
+- auth and authorization patterns
+- framework-aware checks
+- code quality and maintainability warnings
+### Repository heuristics
+- dependency hygiene and supply-chain risks
+- runtime and environment configuration concerns
+- Docker, Kubernetes, Terraform, and compose issues
+- package-manager and deployment misconfiguration
+### External tool integrations
+When the relevant tools are installed locally, Secure Review can enrich results using:
-That command inspects the current workspace and prints the install plan for tools such as:
 - `semgrep`
 - `eslint`
+- `npm audit`
 - `bandit`
 - `pip-audit`
 - `spotbugs`
@@ -264,65 +320,170 @@ That command inspects the current workspace and prints the install plan for tool
 - `cargo-audit`
 - `clippy`
 - `cppcheck`
+- `brakeman`
+- `phpstan`
+- `.NET` package vulnerability checks
-To actually execute the supported install commands:
+### Finding quality metadata
-```bash
-npm run bootstrap:tools:run
-```
+Findings include richer classification so the output is more honest and easier to review manually. Depending on the engine and evidence, findings may be classified as:
+- likely vulnerabilities
+- runtime vulnerabilities
+- dependency risks
+- contextual warnings
+- recommendations
+They may also include evidence strength, origin, and a manual-review recommendation flag.
+## Default Scan Exclusions
+To reduce noise and improve performance, Secure Review skips common dependency and build folders by default, including:
+- `.git`
+- `node_modules`
+- `.venv`
+- `venv`
+- `env`
+- `vendor`
+- `dist`
+- `build`
+- `target`
+- `coverage`
+- `__pycache__`
+This helps the scanner stay focused on project code rather than vendored packages and generated artifacts.
+## Report Output
+### In VS Code
+The extension can export findings as a DOCX report.
+The export flow prompts for:
+- project name
+- report date
+- scan type
+- optional notes
+The report includes:
+- executive summary
+- severity summary
+- findings by category
+- findings by review domain
+- severity-grouped overview
+- detailed findings with evidence and remediation guidance
+- recommendations summary
+- methodology, limitations, and scan configuration
-The bootstrap is best-effort:
-- it detects the languages and frameworks present in the workspace
-- it chooses the matching scanner tools
-- it only auto-runs commands when there is a reasonable local install path
-- some tools, such as `SpotBugs`, may still need a manual install depending on your OS and package manager setup
+### In The CLI
-## Packaging And Release
+The CLI supports:
-### Precheck
+- plain terminal output
+- `json`
+- `html`
+- `md`
+- `docx`
+Examples:
 ```bash
-npm run verify
+secure-review scan /path/to/repo --format json --out findings.json
+secure-review scan /path/to/repo --format html --out review.html
+secure-review scan /path/to/repo --format md --out review.md
+secure-review scan /path/to/repo --format docx --out review.docx
 ```
-### Package
+## Preparing Optional Scanner Tools
+If you want deeper language-specific coverage, you can inspect or bootstrap recommended local tools before running a scan.
+From the repository source:
 ```bash
-npm run package
+npm run bootstrap:tools
 ```
-### Marketplace publish
+To execute supported install commands:
 ```bash
-npm run publish:marketplace
+npm run bootstrap:tools:run
 ```
-Before publishing:
-- replace `your-publisher-id` in [package.json](/home/ankit.singh/CODE_REVIEW_TOOL/package.json)
-- replace placeholder repository, homepage, and bugs URLs
-- sign in to `vsce` with the publisher PAT for your Azure DevOps publisher
+The bootstrap flow is best-effort:
+- it detects the languages and frameworks present in the target workspace
+- it recommends matching external tools
+- it runs only supported install paths
+- some tools may still require manual installation depending on the operating system and package manager
 ## Security And Privacy Notes
-- This extension is self-contained and does not require external scanner binaries.
-- If local tools like `semgrep`, `npm audit`, or `pip-audit` are available, the extension can enrich static review results with them.
-- Static scans operate only on files in the open workspace.
-- Dynamic scans use OWASP ZAP via Docker and should only target developer-controlled local or test applications.
-- The extension does not send findings to remote services.
-- The rule engine is intentionally local and portable so it can be tested immediately in this workspace.
+- Static scans operate on the repository or workspace you explicitly choose.
+- Dynamic scans use OWASP ZAP through Docker and should only target developer-controlled local or test applications.
+- Secure Review is designed to work locally and does not require a remote analysis service.
+- External tool integrations run only when the corresponding tools are available on the machine.
 ## Troubleshooting
-- `F5 changes brightness`
-  - Use `Fn + F5` or `Run and Debug`.
-- `No findings appear`
-  - Lower `Secure Review > Minimum Severity` and confirm excluded globs are not hiding your files.
-  - Check whether built-in rules or external-tool integrations are disabled in settings.
-- `Dynamic scan failed`
-  - Confirm Docker is installed and running.
-  - Confirm the target host is listed in `Secure Review > Dynamic Allow Hosts`.
-  - For localhost targets, confirm the app is reachable from Docker.
-- `DOCX export opens incorrectly`
-  - Re-export after a fresh scan and test in Word or LibreOffice.
-- `Marketplace package fails`
-  - Confirm your publisher ID, PAT, and repository metadata are set correctly.
+### No findings appear
+- Lower the minimum severity threshold.
+- Confirm excluded globs are not hiding the relevant files.
+- Check whether built-in rules or external tool integrations are disabled.
+### Dynamic scan fails
+- Confirm Docker is installed and running.
+- Confirm the target app is reachable from Docker.
+- Start with `baseline` mode before trying `full`.
+### A Bitbucket scan fails on a private repository
+- Prefer an SSH URL such as `git@bitbucket.org:workspace/repo.git`
+- or configure HTTPS access with the appropriate Bitbucket credentials
+### The editor shows too many problem decorations
+- Run `Secure Review: Clear Findings`
+- or disable VS Code problem decorations if you only want to hide the visual markers
+### A CLI scan seems stuck
+- use the progress output to see which tool is running
+- increase or lower `--tool-timeout-ms` depending on the workspace size and installed tools
+- verify that optional tools such as `semgrep` or `bandit` are installed and working independently
+## Developing From Source
+If you want to test the extension from source:
+1. Clone the repository.
+2. Run `npm install`.
+3. Press `Fn + F5` in VS Code, or launch `Run Secure Review Extension` from `Run and Debug`.
+4. In the Extension Development Host, open a target project and run `Secure Review: Scan Workspace`.
+This repository includes a deliberately vulnerable sample in `sample-workspace`, which is useful for smoke testing.
+## For Maintainers
+Common maintenance commands:
+```bash
+npm run verify
+npm run package
+npm run pack:cli:dry-run
+npm run pack:cli
+npm run publish:npm
+npm run publish:marketplace
+```
+Before releasing:
+- verify package metadata in `package.json`
+- confirm the publisher ID is correct
+- validate the packaged VSIX locally
+- validate the npm tarball locally if you are shipping the CLI

package/extension.js CHANGED Viewed

@@ -1,7 +1,7 @@
 const vscode = require("vscode");
 const { FindingsStore } = require("./src/store");
 const { FindingsProvider } = require("./src/findings-provider");
-const { scanWorkspace, scanCurrentFile } = require("./src/scanners/static-scan");
+const { scanWorkspace, scanFileAtPath } = require("./src/scanners/static-scan");
 const { runDockerZapScan } = require("./src/scanners/dynamic-scan");
 const { detectWorkspace, buildInstallPlan, formatInstallPlan } = require("./src/scanners/bootstrap-tools");
 const { applyDiagnostics } = require("./src/diagnostics");
@@ -11,6 +11,7 @@ const { severityOrder } = require("./src/constants");
 let reportPanel;
 let lastReportMetadata;
+const saveScanTimers = new Map();
 function activate(context) {
   const store = new FindingsStore();
@@ -82,13 +83,7 @@ function activate(context) {
         cancellable: false
       },
       async () => {
-        const currentFileFindings = await scanCurrentFile();
-        const otherStaticFindings = store.findings.filter(
-          (item) => item.source === "static" && item.filePath !== editor.document.uri.fsPath
-        );
-        const dynamicFindings = store.findings.filter((item) => item.source === "dynamic");
-        store.setFindings(sortFindings([...otherStaticFindings, ...currentFileFindings, ...dynamicFindings]));
+        await rescanFile(editor.document.uri.fsPath);
         vscode.window.showInformationMessage(`Secure Review updated findings for ${editor.document.fileName}.`);
       }
     );
@@ -263,11 +258,97 @@ function activate(context) {
     vscode.commands.registerCommand("secureReview.ignoreFinding", ignoreFinding)
   );
+  async function rescanFile(filePath) {
+    const currentFileFindings = await scanFileAtPath(filePath, {
+      workspaceRoot: vscode.workspace.workspaceFolders?.[0]?.uri.fsPath,
+      excludeGlobs: configAccessor().get("excludeGlobs", []),
+      maxFiles: configAccessor().get("maxFiles", 400)
+    });
+    const otherStaticFindings = store.findings.filter(
+      (item) => item.source === "static" && item.filePath !== filePath
+    );
+    const dynamicFindings = store.findings.filter((item) => item.source === "dynamic");
+    store.setFindings(sortFindings([...otherStaticFindings, ...currentFileFindings, ...dynamicFindings]));
+    return currentFileFindings;
+  }
+  async function handleRunOnSave(document) {
+    if (!document || document.uri.scheme !== "file") {
+      return;
+    }
+    const workspaceFolder = vscode.workspace.getWorkspaceFolder(document.uri);
+    if (!workspaceFolder) {
+      return;
+    }
+    const filePath = document.uri.fsPath;
+    const existingFindings = store.findings.filter(
+      (item) => item.source === "static" && item.filePath === filePath
+    );
+    const previousIds = new Set(existingFindings.map((item) => item.id));
+    const updatedFindings = await rescanFile(filePath);
+    const nextIds = new Set(updatedFindings.map((item) => item.id));
+    const newCount = updatedFindings.filter((item) => !previousIds.has(item.id)).length;
+    const resolvedCount = existingFindings.filter((item) => !nextIds.has(item.id)).length;
+    if (!updatedFindings.length && !resolvedCount) {
+      return;
+    }
+    const message = updatedFindings.length
+      ? `Secure Review found ${updatedFindings.length} finding${updatedFindings.length === 1 ? "" : "s"} in ${document.fileName}${newCount || resolvedCount ? ` (${newCount} new, ${resolvedCount} resolved)` : ""}.`
+      : `Secure Review resolved all findings in ${document.fileName}.`;
+    const action = await vscode.window.showInformationMessage(
+      message,
+      "Open Findings",
+      "Open Report",
+      "Export DOCX"
+    );
+    if (action === "Open Findings") {
+      await vscode.commands.executeCommand("secureReview.findingsView.focus");
+      return;
+    }
+    if (action === "Open Report") {
+      openReport();
+      return;
+    }
+    if (action === "Export DOCX") {
+      await exportFindingsReport();
+    }
+  }
   context.subscriptions.push(
-    vscode.workspace.onDidSaveTextDocument(async () => {
-      if (configAccessor().get("runOnSave", false)) {
-        await runCurrentFileScan();
+    vscode.workspace.onDidSaveTextDocument(async (document) => {
+      if (!configAccessor().get("runOnSave", false)) {
+        return;
       }
+      const filePath = document?.uri?.fsPath;
+      if (!filePath) {
+        return;
+      }
+      const existingTimer = saveScanTimers.get(filePath);
+      if (existingTimer) {
+        clearTimeout(existingTimer);
+      }
+      const timer = setTimeout(async () => {
+        saveScanTimers.delete(filePath);
+        try {
+          await handleRunOnSave(document);
+        } catch (error) {
+          vscode.window.showErrorMessage(`Secure Review run-on-save scan failed: ${error.message}`);
+        }
+      }, 250);
+      saveScanTimers.set(filePath, timer);
     })
   );

package/package.json CHANGED Viewed

@@ -2,8 +2,8 @@
   "name": "secure-review-extension",
   "displayName": "Secure Review",
   "description": "Run deep static and Docker-based dynamic secure code reviews directly inside VS Code.",
-  "version": "1.0.6",
-  "publisher": "your-publisher-id",
+  "version": "1.0.9",
+  "publisher": "Ankit-QI",
   "icon": "media/shield.png",
   "license": "MIT",
   "homepage": "https://bitbucket.org/macehand/secure-review-extension",

package/src/scanners/static-scan.js CHANGED Viewed

@@ -135,16 +135,31 @@ async function scanCurrentFile() {
     return [];
   }
-  const content = await readText(editor.document.uri.fsPath);
+  return scanFileAtPath(editor.document.uri.fsPath);
+}
+async function scanFileAtPath(filePath, options = {}) {
+  const content = await readText(filePath);
   if (content === null) {
     return [];
   }
-  const workspaceRoot = vscode?.workspace?.workspaceFolders?.[0]?.uri.fsPath || path.dirname(editor.document.uri.fsPath);
-  return dedupeFindings(scanContent(editor.document.uri.fsPath, content, workspaceRoot, {
-    languages: [],
-    frameworks: [],
-    isSecureReviewWorkspace: false
+  const workspaceRoot = options.workspaceRoot
+    || vscode?.workspace?.workspaceFolders?.[0]?.uri.fsPath
+    || path.dirname(filePath);
+  const workspaceProfile = await buildWorkspaceProfileForRoot(workspaceRoot, {
+    excludeGlobs: options.excludeGlobs || [],
+    maxFiles: options.maxFiles || 400
+  });
+  if (!shouldAnalyzeFile(filePath)) {
+    return [];
+  }
+  return dedupeFindings(scanContent(filePath, content, workspaceRoot, {
+    languages: workspaceProfile.languages,
+    frameworks: workspaceProfile.frameworks,
+    isSecureReviewWorkspace: workspaceProfile.isSecureReviewWorkspace
   }));
 }
@@ -654,7 +669,8 @@ async function readText(filePath) {
 module.exports = {
   scanWorkspace,
   scanWorkspaceAtPath,
-  scanCurrentFile
+  scanCurrentFile,
+  scanFileAtPath
 };
 function analyzeRepository(files, workspaceRoot) {