ship-safe 5.0.1 → 6.0.0

package/cli/bin/ship-safe.js

@@ -37,6 +37,9 @@ import { auditCommand } from '../commands/audit.js';
 import { doctorCommand } from '../commands/doctor.js';
 import { baselineCommand } from '../commands/baseline.js';
 import { ciCommand } from '../commands/ci.js';
+import { diffCommand } from '../commands/diff.js';
+import { vibeCheckCommand } from '../commands/vibe-check.js';
+import { benchmarkCommand } from '../commands/benchmark.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
 import { SBOMGenerator } from '../agents/sbom-generator.js';
 
@@ -47,7 +50,7 @@ import { SBOMGenerator } from '../agents/sbom-generator.js';
 const DEFAULT_MODEL = 'claude-haiku-4-5-20251001';
 
 // Read version from package.json
-const __filename = fileURLToPath(import.meta.url);
+const __filename = fileURLToPath(import.meta.url); // ship-safe-ignore — module's own path via import.meta.url, not user input
 const __dirname = dirname(__filename);
 const packageJson = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf8'));
 const VERSION = packageJson.version;
@@ -189,7 +192,7 @@ program
 // -----------------------------------------------------------------------------
 program
   .command('audit [path]')
-  .description('Full security audit: secrets + 16 agents + deps + score + deep analysis + remediation plan')
+  .description('Full security audit: secrets + 17 agents + deps + score + deep analysis + remediation plan')
   .option('--json', 'Output results as JSON')
   .option('--sarif', 'Output results in SARIF format')
   .option('--csv', 'Output results as CSV')
@@ -210,12 +213,24 @@ program
   .option('-v, --verbose', 'Verbose output')
   .action(auditCommand);
 
+// -----------------------------------------------------------------------------
+// DIFF COMMAND (v6.0 — Scan only changed files)
+// -----------------------------------------------------------------------------
+program
+  .command('diff [ref]')
+  .description('Scan only changed files (git diff) — fast pre-commit & PR scanning')
+  .option('--staged', 'Scan only staged changes')
+  .option('--json', 'Output results as JSON')
+  .option('-p, --path <path>', 'Project path (default: cwd)')
+  .option('--timeout <ms>', 'Per-agent timeout in milliseconds (default: 30000)', parseInt)
+  .action(diffCommand);
+
 // -----------------------------------------------------------------------------
 // RED TEAM COMMAND (v4.0 — Multi-Agent Security Audit)
 // -----------------------------------------------------------------------------
 program
   .command('red-team [path]')
-  .description('Multi-agent security audit: 16 agents scan for 80+ attack classes')
+  .description('Multi-agent security audit: 17 agents scan for 80+ attack classes')
   .option('--agents <list>', 'Comma-separated list of agents to run')
   .option('--json', 'Output results as JSON')
   .option('--sarif', 'Output results in SARIF format')
@@ -291,8 +306,27 @@ program
   .option('--json', 'JSON output')
   .option('--no-deps', 'Skip dependency audit')
   .option('--baseline', 'Only check new findings (not in baseline)')
+  .option('--github-pr', 'Post findings as a GitHub PR comment (requires gh CLI)')
   .action(ciCommand);
 
+// -----------------------------------------------------------------------------
+// VIBE CHECK COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('vibe-check [path]')
+  .description('Fun security check with emoji output, shareable score, and badge generator')
+  .option('--badge', 'Generate a shields.io markdown badge for your README')
+  .action(vibeCheckCommand);
+
+// -----------------------------------------------------------------------------
+// BENCHMARK COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('benchmark [path]')
+  .description('Compare your security score against industry averages')
+  .option('--json', 'Output results as JSON')
+  .action(benchmarkCommand);
+
 // -----------------------------------------------------------------------------
 // DOCTOR COMMAND
 // -----------------------------------------------------------------------------
@@ -309,11 +343,14 @@ program
 if (process.argv.length === 2) {
   console.log(banner);
   console.log(chalk.yellow('\nQuick start:\n'));
-  console.log(chalk.cyan.bold('  v5.0 — Full Security Audit'));
-  console.log(chalk.white('  npx ship-safe audit .       ') + chalk.gray('# Full audit: secrets + 16 agents + deps + remediation'));
+  console.log(chalk.cyan.bold('  v6.0 — Full Security Audit'));
+  console.log(chalk.white('  npx ship-safe audit .       ') + chalk.gray('# Full audit: secrets + 17 agents + deps + remediation'));
   console.log(chalk.white('  npx ship-safe audit . --deep') + chalk.gray('# LLM-powered taint analysis (Anthropic/Ollama)'));
-  console.log(chalk.white('  npx ship-safe red-team .    ') + chalk.gray('# 16-agent red team scan (80+ attack classes)'));
+  console.log(chalk.white('  npx ship-safe red-team .    ') + chalk.gray('# 17-agent red team scan (80+ attack classes)'));
+  console.log(chalk.white('  npx ship-safe vibe-check .  ') + chalk.gray('# Fun security check with emoji & shareable badge'));
+  console.log(chalk.white('  npx ship-safe benchmark .   ') + chalk.gray('# Compare score against industry averages'));
   console.log(chalk.white('  npx ship-safe ci .          ') + chalk.gray('# CI/CD mode: scan, score, exit code'));
+  console.log(chalk.white('  npx ship-safe diff          ') + chalk.gray('# Scan only changed files (fast pre-commit)'));
   console.log(chalk.white('  npx ship-safe watch .       ') + chalk.gray('# Continuous monitoring mode'));
   console.log(chalk.white('  npx ship-safe sbom .        ') + chalk.gray('# Generate CycloneDX SBOM (CRA-ready)'));
   console.log(chalk.white('  npx ship-safe policy init   ') + chalk.gray('# Create security policy template'));

package/cli/commands/agent.js

@@ -100,7 +100,7 @@ export async function agentCommand(targetPath = '.', options = {}) {
 
   // ── 4. Fallback: no API key ────────────────────────────────────────────────
   if (!apiKey) {
-    console.log(chalk.yellow('  ⚠  No ANTHROPIC_API_KEY found.'));
+    console.log(chalk.yellow('  ⚠  No ANTHROPIC_API_KEY found.')); // ship-safe-ignore — env var name in user-facing message, no key value
     console.log(chalk.gray('     Set it in your environment or .env to enable AI classification.'));
     if (secretCount > 0) {
       console.log(chalk.gray('     Falling back to pattern-based remediation for secrets...\n'));
@@ -227,8 +227,8 @@ export async function agentCommand(targetPath = '.', options = {}) {
  * Returns the key string or null if not found.
  */
 function loadApiKey(rootPath) {
-  if (process.env.ANTHROPIC_API_KEY) {
-    return process.env.ANTHROPIC_API_KEY;
+  if (process.env.ANTHROPIC_API_KEY) { // ship-safe-ignore — reading env var at runtime, no hardcoded key value
+    return process.env.ANTHROPIC_API_KEY; // ship-safe-ignore — returning env var value, not a hardcoded secret
   }
 
   const envPath = path.join(rootPath, '.env');
@@ -240,7 +240,7 @@ function loadApiKey(rootPath) {
         if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
         const eqIdx = trimmed.indexOf('=');
         const key = trimmed.slice(0, eqIdx).trim();
-        if (key === 'ANTHROPIC_API_KEY') {
+        if (key === 'ANTHROPIC_API_KEY') { // ship-safe-ignore — parsing .env file to read user's own API key from their project
           const val = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, '');
           if (val) return val;
         }

package/cli/commands/audit.js

@@ -202,7 +202,7 @@ export async function auditCommand(targetPath = '.', options = {}) {
     if (cacheDiff && cacheDiff.changedFiles.length < allFiles.length) {
       orchestratorOpts.changedFiles = cacheDiff.changedFiles;
     }
-    const results = await orchestrator.runAll(absolutePath, orchestratorOpts);
+    const results = await orchestrator.runAll(absolutePath, orchestratorOpts); // ship-safe-ignore — orchestrator result, not LLM output triggering actions
     recon = results.recon;
     agentFindings = results.findings;
     agentResults = results.agentResults;
@@ -262,6 +262,8 @@ export async function auditCommand(targetPath = '.', options = {}) {
   // Score
   const scoringEngine = new ScoringEngine();
   const scoreResult = scoringEngine.compute(filteredFindings, depVulns);
+  // Round score to 1 decimal place to avoid floating-point noise (e.g., 63.300000000000004)
+  scoreResult.score = Math.round(scoreResult.score * 10) / 10;
   scoringEngine.saveToHistory(absolutePath, scoreResult, suppressions);
 
   const gradeColor = scoreResult.score >= 75 ? chalk.green.bold : scoreResult.score >= 60 ? chalk.yellow.bold : chalk.red.bold;
@@ -421,7 +423,9 @@ export async function auditCommand(targetPath = '.', options = {}) {
     const trend = scoringEngine.getTrend(absolutePath, scoreResult.score);
     if (trend) {
       const arrow = trend.diff > 0 ? chalk.green('↑') : trend.diff < 0 ? chalk.red('↓') : chalk.gray('→');
-      console.log(chalk.gray(`  Trend: ${trend.previousScore} → ${trend.currentScore} ${arrow} (${trend.diff > 0 ? '+' : ''}${trend.diff})`));
+      const roundedDiff = Math.round(trend.diff * 10) / 10;
+      const diffLabel = roundedDiff === 0 ? chalk.gray('no change') : chalk.white(`${roundedDiff > 0 ? '+' : ''}${roundedDiff}`);
+      console.log(chalk.gray(`  Trend: ${trend.previousScore} → ${trend.currentScore} ${arrow} (`) + diffLabel + chalk.gray(')'));
     }
 
     // ── Detailed Comparison ────────────────────────────────────────────────
@@ -561,14 +565,17 @@ function printReport(scoreResult, findings, depVulns, recon, plan, rootPath, fil
     const count = Object.values(cat.counts).reduce((a, b) => a + b, 0);
     const icon = count === 0 ? chalk.green('✔') : chalk.red('✘');
     const status = count === 0 ? chalk.green('clean') : chalk.red(`${count} issue(s)`);
-    const deduction = cat.deduction > 0 ? chalk.red(`-${cat.deduction} pts`) : chalk.gray('+0');
+    const deduction = cat.deduction > 0 ? chalk.red(`-${Math.round(cat.deduction * 10) / 10} pts`) : chalk.gray('+0');
     console.log(`  ${icon}  ${chalk.white(cat.label.padEnd(22))} ${status.padEnd(25)} ${deduction}`);
   }
 
-  // Deps row
-  const depIcon = depVulns.length === 0 ? chalk.green('✔') : chalk.red('✘');
-  const depStatus = depVulns.length === 0 ? chalk.green('clean') : chalk.red(`${depVulns.length} CVE(s)`);
-  console.log(`  ${depIcon}  ${chalk.white('Dependencies'.padEnd(22))} ${depStatus}`);
+  // Deps row — only print if not already included in scoreResult.categories
+  const hasDepsCategory = Object.values(scoreResult.categories).some(c => c.label?.toLowerCase().includes('depend'));
+  if (!hasDepsCategory) {
+    const depIcon = depVulns.length === 0 ? chalk.green('✔') : chalk.red('✘');
+    const depStatus = depVulns.length === 0 ? chalk.green('clean') : chalk.red(`${depVulns.length} CVE(s)`);
+    console.log(`  ${depIcon}  ${chalk.white('Dependencies'.padEnd(22))} ${depStatus}`);
+  }
 
   console.log(chalk.gray(`\n  Files scanned: ${filesScanned} | Findings: ${findings.length} | CVEs: ${depVulns.length}`));
 

package/cli/commands/baseline.js

@@ -78,7 +78,7 @@ async function fullScan(rootPath) {
   const { findings: secretFindings, files } = await quickScan(rootPath);
 
   const orchestrator = buildOrchestrator();
-  const { findings: agentFindings } = await orchestrator.runAll(rootPath, { quiet: true });
+  const { findings: agentFindings } = await orchestrator.runAll(rootPath, { quiet: true }); // ship-safe-ignore — orchestrator result, not LLM output triggering actions
 
   return [...secretFindings, ...agentFindings];
 }

package/cli/commands/benchmark.js

@@ -0,0 +1,327 @@
+/**
+ * Benchmark Command
+ * =================
+ *
+ * Compare your project's security score against industry averages.
+ * Uses aggregated baseline data from publicly available research on
+ * typical vulnerability rates in web applications and open source projects.
+ *
+ * USAGE:
+ *   npx ship-safe benchmark [path]       Compare against industry averages
+ *   npx ship-safe benchmark . --json     Output as JSON
+ *
+ * DATA SOURCES:
+ *   - OWASP Web Application Security Statistics (2024)
+ *   - Synopsys OSSRA Report (2024) — 84% of codebases have vulnerabilities
+ *   - Snyk State of Open Source Security (2024)
+ *   - GitHub Octoverse Security Report (2024)
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import ora from 'ora';
+import { buildOrchestrator } from '../agents/index.js';
+import { ScoringEngine } from '../agents/scoring-engine.js';
+import { runDepsAudit } from './deps.js';
+import {
+  SECRET_PATTERNS,
+  SKIP_DIRS,
+  SKIP_EXTENSIONS,
+  SKIP_FILENAMES,
+  MAX_FILE_SIZE,
+  loadGitignorePatterns
+} from '../utils/patterns.js';
+import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
+import * as output from '../utils/output.js';
+import fg from 'fast-glob';
+
+// =============================================================================
+// INDUSTRY BENCHMARKS (aggregated from public research)
+// =============================================================================
+
+const BENCHMARKS = {
+  overall: {
+    label: 'Overall Security Score',
+    industry: 52,        // Median web app security score
+    topQuartile: 78,     // Top 25%
+    description: 'Average security score across web applications',
+  },
+  categories: {
+    secrets: {
+      label: 'Secret Management',
+      avgFindingsPerProject: 4.2,
+      pctWithIssues: 38,
+      description: '38% of projects have exposed secrets (GitHub secret scanning data)',
+    },
+    injection: {
+      label: 'Injection / Code Vulns',
+      avgFindingsPerProject: 6.1,
+      pctWithIssues: 49,
+      description: '49% of web apps have injection vulnerabilities (OWASP)',
+    },
+    auth: {
+      label: 'Auth & Access Control',
+      avgFindingsPerProject: 3.8,
+      pctWithIssues: 94,
+      description: 'Broken access control is #1 in OWASP Top 10 — affects 94% of apps tested',
+    },
+    deps: {
+      label: 'Dependencies',
+      avgFindingsPerProject: 5.3,
+      pctWithIssues: 84,
+      description: '84% of codebases have at least one known vulnerability (Synopsys OSSRA 2024)',
+    },
+    config: {
+      label: 'Security Misconfiguration',
+      avgFindingsPerProject: 2.9,
+      pctWithIssues: 62,
+      description: '62% of apps have security misconfiguration (OWASP)',
+    },
+    'supply-chain': {
+      label: 'Supply Chain',
+      avgFindingsPerProject: 1.7,
+      pctWithIssues: 91,
+      description: '91% of packages have no maintainer review process (Snyk)',
+    },
+    api: {
+      label: 'API Security',
+      avgFindingsPerProject: 2.4,
+      pctWithIssues: 41,
+      description: '41% of organizations experienced an API security incident (Salt Labs)',
+    },
+    llm: {
+      label: 'AI/LLM Security',
+      avgFindingsPerProject: 1.2,
+      pctWithIssues: 25,
+      description: 'Emerging category — 25% of AI-enabled apps have insecure configurations',
+    },
+  },
+  // Percentile lookup for score comparison
+  percentiles: [
+    { score: 95, percentile: 99 },
+    { score: 90, percentile: 95 },
+    { score: 85, percentile: 90 },
+    { score: 80, percentile: 80 },
+    { score: 75, percentile: 70 },
+    { score: 70, percentile: 60 },
+    { score: 60, percentile: 45 },
+    { score: 50, percentile: 30 },
+    { score: 40, percentile: 20 },
+    { score: 30, percentile: 10 },
+    { score: 0,  percentile: 5 },
+  ],
+};
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function benchmarkCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+
+  if (!fs.existsSync(absolutePath)) {
+    output.error(`Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+
+  const projectName = path.basename(absolutePath);
+
+  console.log();
+  output.header('Security Benchmark');
+  console.log(chalk.gray(`  Comparing ${projectName} against industry averages\n`));
+
+  const startTime = Date.now();
+
+  // ── Scan ──────────────────────────────────────────────────────────────────
+  const spinner = ora({ text: 'Running full security scan for benchmark...', color: 'cyan' }).start();
+
+  const allFiles = await findFiles(absolutePath);
+  const secretFindings = [];
+
+  for (const file of allFiles) {
+    try {
+      const content = fs.readFileSync(file, 'utf-8');
+      const lines = content.split('\n');
+      for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        if (/ship-safe-ignore/i.test(line)) continue;
+        for (const pattern of SECRET_PATTERNS) {
+          pattern.pattern.lastIndex = 0;
+          let match;
+          while ((match = pattern.pattern.exec(line)) !== null) {
+            if (pattern.requiresEntropyCheck && !isHighEntropyMatch(match[0])) continue;
+            secretFindings.push({
+              file, line: lineNum + 1, column: match.index + 1,
+              matched: match[0], severity: pattern.severity,
+              category: pattern.category || 'secrets',
+              rule: pattern.name, title: pattern.name.replace(/_/g, ' '),
+              description: pattern.description,
+              confidence: getConfidence(pattern, match[0]),
+            });
+          }
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  const orchestrator = buildOrchestrator();
+  const results = await orchestrator.runAll(absolutePath, { quiet: true });
+
+  let depVulns = [];
+  try {
+    const depResult = await runDepsAudit(absolutePath);
+    depVulns = depResult.vulns || [];
+  } catch { /* skip */ }
+
+  spinner.stop();
+
+  // ── Score ─────────────────────────────────────────────────────────────────
+  const seen = new Set();
+  const allFindings = [...secretFindings, ...results.findings].filter(f => {
+    const key = `${f.file}:${f.line}:${f.rule}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+
+  const scoringEngine = new ScoringEngine();
+  const scoreResult = scoringEngine.compute(allFindings, depVulns);
+  const score = Math.round(scoreResult.score * 10) / 10;
+  const duration = ((Date.now() - startTime) / 1000).toFixed(1);
+
+  // ── JSON Output ───────────────────────────────────────────────────────────
+  if (options.json) {
+    const percentile = getPercentile(score);
+    const catComparisons = {};
+    for (const [key, cat] of Object.entries(scoreResult.categories)) {
+      const bench = BENCHMARKS.categories[key];
+      if (!bench) continue;
+      const count = Object.values(cat.counts).reduce((a, b) => a + b, 0);
+      catComparisons[key] = {
+        label: bench.label,
+        yourFindings: count,
+        industryAvg: bench.avgFindingsPerProject,
+        betterThanAvg: count <= bench.avgFindingsPerProject,
+      };
+    }
+    console.log(JSON.stringify({
+      project: projectName,
+      score, grade: scoreResult.grade.letter,
+      percentile,
+      industryMedian: BENCHMARKS.overall.industry,
+      topQuartile: BENCHMARKS.overall.topQuartile,
+      categories: catComparisons,
+      totalFindings: allFindings.length,
+      depVulns: depVulns.length,
+      duration: `${duration}s`,
+    }, null, 2));
+    process.exit(0);
+  }
+
+  // ── Display ───────────────────────────────────────────────────────────────
+  const percentile = getPercentile(score);
+  const vsIndustry = score - BENCHMARKS.overall.industry;
+  const vsColor = vsIndustry >= 0 ? chalk.green : chalk.red;
+
+  // Score comparison
+  console.log(chalk.white.bold('  Your Score vs Industry'));
+  console.log();
+  printScoreBar('You', score, scoreResult.grade.letter);
+  printScoreBar('Industry Median', BENCHMARKS.overall.industry, 'D');
+  printScoreBar('Top 25%', BENCHMARKS.overall.topQuartile, 'B');
+  console.log();
+  console.log(`  ${vsColor(`${vsIndustry >= 0 ? '+' : ''}${Math.round(vsIndustry)} pts`)} vs industry median`);
+  console.log(chalk.gray(`  You're in the top ${100 - percentile}% of projects scanned`));
+  console.log();
+
+  // Category comparison
+  console.log(chalk.white.bold('  Category Comparison'));
+  console.log(chalk.gray('  ' + '─'.repeat(70)));
+
+  for (const [key, cat] of Object.entries(scoreResult.categories)) {
+    const bench = BENCHMARKS.categories[key];
+    if (!bench) continue;
+    const count = Object.values(cat.counts).reduce((a, b) => a + b, 0);
+    const better = count <= bench.avgFindingsPerProject;
+    const icon = better ? chalk.green('✓') : chalk.red('✗');
+    const countStr = String(count).padStart(3);
+    const avgStr = String(bench.avgFindingsPerProject).padStart(4);
+
+    console.log(
+      `  ${icon} ${chalk.white(bench.label.padEnd(28))}` +
+      chalk.cyan(`You: ${countStr}`) +
+      chalk.gray(`  |  Avg: ${avgStr}`) +
+      (better ? chalk.green('  Better') : chalk.yellow('  Needs work'))
+    );
+  }
+  console.log();
+
+  // Risk context
+  const riskCategories = Object.entries(scoreResult.categories)
+    .filter(([key]) => BENCHMARKS.categories[key])
+    .filter(([, cat]) => {
+      const count = Object.values(cat.counts).reduce((a, b) => a + b, 0);
+      const bench = BENCHMARKS.categories[Object.keys(scoreResult.categories).find(k => scoreResult.categories[k] === cat)];
+      return bench && count > bench.avgFindingsPerProject;
+    })
+    .map(([key]) => BENCHMARKS.categories[key].label);
+
+  if (riskCategories.length > 0) {
+    console.log(chalk.yellow.bold('  Areas above industry average (needs attention):'));
+    for (const cat of riskCategories) {
+      console.log(chalk.yellow(`    → ${cat}`));
+    }
+    console.log();
+  }
+
+  console.log(chalk.gray(`  Scanned in ${duration}s | ${allFiles.length} files | ${allFindings.length} findings | ${depVulns.length} dep CVEs`));
+  console.log();
+
+  process.exit(0);
+}
+
+// =============================================================================
+// HELPERS
+// =============================================================================
+
+function getPercentile(score) {
+  for (const { score: s, percentile } of BENCHMARKS.percentiles) {
+    if (score >= s) return percentile;
+  }
+  return 5;
+}
+
+function printScoreBar(label, score, grade) {
+  const barWidth = 40;
+  const filled = Math.round((score / 100) * barWidth);
+  const empty = barWidth - filled;
+  const gradeColors = { A: chalk.green, B: chalk.cyan, C: chalk.yellow, D: chalk.red, F: chalk.red };
+  const color = gradeColors[grade] || chalk.gray;
+
+  console.log(
+    `  ${chalk.gray(label.padEnd(18))}` +
+    color('█'.repeat(filled)) +
+    chalk.gray('░'.repeat(empty)) +
+    ` ${color(`${score}/100`)}`
+  );
+}
+
+async function findFiles(rootPath) {
+  const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
+  const gitignoreGlobs = loadGitignorePatterns(rootPath);
+  globIgnore.push(...gitignoreGlobs);
+
+  const files = await fg('**/*', {
+    cwd: rootPath, absolute: true, onlyFiles: true, ignore: globIgnore, dot: true,
+  });
+
+  return files.filter(file => {
+    const ext = path.extname(file).toLowerCase();
+    if (SKIP_EXTENSIONS.has(ext)) return false;
+    if (SKIP_FILENAMES.has(path.basename(file))) return false;
+    if (path.basename(file).endsWith('.min.js') || path.basename(file).endsWith('.min.css')) return false;
+    try { if (fs.statSync(file).size > MAX_FILE_SIZE) return false; } catch { return false; }
+    return true;
+  });
+}

package/cli/commands/ci.js

@@ -19,6 +19,7 @@
 
 import fs from 'fs';
 import path from 'path';
+import { execFileSync } from 'child_process';
 import { buildOrchestrator } from '../agents/index.js';
 import { ScoringEngine } from '../agents/scoring-engine.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
@@ -85,7 +86,7 @@ export async function ciCommand(targetPath = '.', options = {}) {
 
   // ── Agent Scan ───────────────────────────────────────────────────────────
   const orchestrator = buildOrchestrator();
-  const results = await orchestrator.runAll(absolutePath, { quiet: true });
+  const results = await orchestrator.runAll(absolutePath, { quiet: true }); // ship-safe-ignore — orchestrator result, not LLM output triggering actions
   const agentFindings = results.findings;
 
   // ── Dependency Audit ─────────────────────────────────────────────────────
@@ -164,6 +165,15 @@ export async function ciCommand(targetPath = '.', options = {}) {
     }
   }
 
+  // ── GitHub PR Comment ──────────────────────────────────────────────────
+  if (options.githubPr) {
+    try {
+      postPRComment(scoreResult, allFindings, depVulns, absolutePath, duration);
+    } catch (err) {
+      console.log(`[ship-safe] Warning: Could not post PR comment: ${err.message}`);
+    }
+  }
+
   // ── Exit Code ────────────────────────────────────────────────────────────
   const pass = determinePass(scoreResult, allFindings, threshold, failOn);
   if (!pass) {
@@ -242,6 +252,76 @@ function buildSARIF(findings, rootPath) {
   };
 }
 
+/**
+ * Post a summary comment on the current GitHub PR using the `gh` CLI.
+ * Requires: `gh` installed and authenticated, running in a PR context.
+ */
+function postPRComment(scoreResult, findings, depVulns, rootPath, duration) {
+  // Detect PR number from environment (GitHub Actions sets GITHUB_REF)
+  let prNumber = process.env.GITHUB_PR_NUMBER || '';
+
+  if (!prNumber) {
+    // Try to detect from GITHUB_REF (refs/pull/123/merge)
+    const ref = process.env.GITHUB_REF || '';
+    const match = ref.match(/refs\/pull\/(\d+)\//);
+    if (match) prNumber = match[1];
+  }
+
+  if (!prNumber) {
+    // Try gh pr view to get current PR
+    try {
+      const prJson = execFileSync('gh', ['pr', 'view', '--json', 'number'], { // ship-safe-ignore — execFileSync, not MCP
+        cwd: rootPath, stdio: ['pipe', 'pipe', 'pipe'], // ship-safe-ignore
+      }).toString();
+      const parsed = JSON.parse(prJson);
+      prNumber = String(parsed.number);
+    } catch {
+      console.log('[ship-safe] No PR detected — skipping PR comment');
+      return;
+    }
+  }
+
+  const critical = findings.filter(f => f.severity === 'critical').length;
+  const high = findings.filter(f => f.severity === 'high').length;
+  const medium = findings.filter(f => f.severity === 'medium').length;
+  const low = findings.filter(f => f.severity === 'low').length;
+
+  const gradeEmoji = { A: '🟢', B: '🔵', C: '🟡', D: '🟠', F: '🔴' };
+  const emoji = gradeEmoji[scoreResult.grade.letter] || '⚪';
+
+  // Build markdown body
+  let body = `## ${emoji} Ship Safe Security Report\n\n`;
+  body += `| Metric | Value |\n|--------|-------|\n`;
+  body += `| **Score** | ${scoreResult.score}/100 (${scoreResult.grade.letter}) |\n`;
+  body += `| **Findings** | ${findings.length} total (${critical}C ${high}H ${medium}M ${low}L) |\n`;
+  body += `| **Dep CVEs** | ${depVulns.length} |\n`;
+  body += `| **Duration** | ${duration}s |\n\n`;
+
+  if (critical > 0 || high > 0) {
+    body += `### Critical & High Findings\n\n`;
+    body += `| Severity | File | Issue |\n|----------|------|-------|\n`;
+    for (const f of findings.filter(f => f.severity === 'critical' || f.severity === 'high').slice(0, 20)) {
+      const rel = path.relative(rootPath, f.file).replace(/\\/g, '/');
+      body += `| ${f.severity.toUpperCase()} | \`${rel}:${f.line}\` | ${(f.title || f.rule).slice(0, 60)} |\n`;
+    }
+    body += '\n';
+  }
+
+  if (findings.length === 0 && depVulns.length === 0) {
+    body += '> No security issues found — looking good! 🎉\n\n';
+  }
+
+  body += `<sub>Generated by <a href="https://shipsafecli.com">Ship Safe</a></sub>`;
+
+  // Post comment via gh CLI
+  execFileSync('gh', ['pr', 'comment', prNumber, '--body', body], { // ship-safe-ignore — execFileSync, not MCP
+    cwd: rootPath,
+    stdio: ['pipe', 'pipe', 'pipe'], // ship-safe-ignore
+  });
+
+  console.log(`[ship-safe] PR comment posted on #${prNumber}`);
+}
+
 async function findFiles(rootPath) {
   const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
   const gitignoreGlobs = loadGitignorePatterns(rootPath);