ship-safe 5.0.1 → 6.1.0

package/cli/bin/ship-safe.js

@@ -37,6 +37,14 @@ import { auditCommand } from '../commands/audit.js';
 import { doctorCommand } from '../commands/doctor.js';
 import { baselineCommand } from '../commands/baseline.js';
 import { ciCommand } from '../commands/ci.js';
+import { diffCommand } from '../commands/diff.js';
+import { vibeCheckCommand } from '../commands/vibe-check.js';
+import { benchmarkCommand } from '../commands/benchmark.js';
+import { openclawCommand } from '../commands/openclaw.js';
+import { scanSkillCommand } from '../commands/scan-skill.js';
+import { abomCommand } from '../commands/abom.js';
+import { updateIntelCommand } from '../commands/update-intel.js';
+import { ABOMGenerator } from '../agents/abom-generator.js';
 import { PolicyEngine } from '../agents/policy-engine.js';
 import { SBOMGenerator } from '../agents/sbom-generator.js';
 
@@ -47,7 +55,7 @@ import { SBOMGenerator } from '../agents/sbom-generator.js';
 const DEFAULT_MODEL = 'claude-haiku-4-5-20251001';
 
 // Read version from package.json
-const __filename = fileURLToPath(import.meta.url);
+const __filename = fileURLToPath(import.meta.url); // ship-safe-ignore — module's own path via import.meta.url, not user input
 const __dirname = dirname(__filename);
 const packageJson = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf8'));
 const VERSION = packageJson.version;
@@ -107,6 +115,7 @@ program
   .option('--gitignore', 'Only copy .gitignore')
   .option('--headers', 'Only copy security headers config')
   .option('--agents', 'Only add security rules to AI agent instruction files (CLAUDE.md, .cursor/rules/, .windsurfrules, copilot-instructions.md)')
+  .option('--openclaw', 'Generate a hardened openclaw.json template')
   .action(initCommand);
 
 // -----------------------------------------------------------------------------
@@ -125,6 +134,7 @@ program
   .command('guard [action]')
   .description('Install a git hook to block pushes if secrets are found')
   .option('--pre-commit', 'Install as pre-commit hook instead of pre-push')
+  .option('--generate-hooks', 'Generate defensive Claude Code hooks (.claude/settings.json)')
   .action(guardCommand);
 
 // -----------------------------------------------------------------------------
@@ -189,7 +199,7 @@ program
 // -----------------------------------------------------------------------------
 program
   .command('audit [path]')
-  .description('Full security audit: secrets + 16 agents + deps + score + deep analysis + remediation plan')
+  .description('Full security audit: secrets + 18 agents + deps + score + deep analysis + remediation plan')
   .option('--json', 'Output results as JSON')
   .option('--sarif', 'Output results in SARIF format')
   .option('--csv', 'Output results as CSV')
@@ -210,12 +220,24 @@ program
   .option('-v, --verbose', 'Verbose output')
   .action(auditCommand);
 
+// -----------------------------------------------------------------------------
+// DIFF COMMAND (v6.0 — Scan only changed files)
+// -----------------------------------------------------------------------------
+program
+  .command('diff [ref]')
+  .description('Scan only changed files (git diff) — fast pre-commit & PR scanning')
+  .option('--staged', 'Scan only staged changes')
+  .option('--json', 'Output results as JSON')
+  .option('-p, --path <path>', 'Project path (default: cwd)')
+  .option('--timeout <ms>', 'Per-agent timeout in milliseconds (default: 30000)', parseInt)
+  .action(diffCommand);
+
 // -----------------------------------------------------------------------------
 // RED TEAM COMMAND (v4.0 — Multi-Agent Security Audit)
 // -----------------------------------------------------------------------------
 program
   .command('red-team [path]')
-  .description('Multi-agent security audit: 16 agents scan for 80+ attack classes')
+  .description('Multi-agent security audit: 18 agents scan for 80+ attack classes')
   .option('--agents <list>', 'Comma-separated list of agents to run')
   .option('--json', 'Output results as JSON')
   .option('--sarif', 'Output results in SARIF format')
@@ -237,6 +259,7 @@ program
   .command('watch [path]')
   .description('Continuous monitoring: watch files for security issues in real-time')
   .option('--poll', 'Use polling mode (for network drives)')
+  .option('--configs', 'Watch only agent config files (openclaw.json, .cursorrules, mcp.json, etc.)')
   .action(watchCommand);
 
 // -----------------------------------------------------------------------------
@@ -291,8 +314,68 @@ program
   .option('--json', 'JSON output')
   .option('--no-deps', 'Skip dependency audit')
   .option('--baseline', 'Only check new findings (not in baseline)')
+  .option('--github-pr', 'Post findings as a GitHub PR comment (requires gh CLI)')
   .action(ciCommand);
 
+// -----------------------------------------------------------------------------
+// VIBE CHECK COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('vibe-check [path]')
+  .description('Fun security check with emoji output, shareable score, and badge generator')
+  .option('--badge', 'Generate a shields.io markdown badge for your README')
+  .action(vibeCheckCommand);
+
+// -----------------------------------------------------------------------------
+// BENCHMARK COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('benchmark [path]')
+  .description('Compare your security score against industry averages')
+  .option('--json', 'Output results as JSON')
+  .action(benchmarkCommand);
+
+// -----------------------------------------------------------------------------
+// OPENCLAW COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('openclaw [path]')
+  .description('OpenClaw security scan: agent configs, MCP servers, skills, hooks')
+  .option('--fix', 'Auto-harden OpenClaw and agent configurations')
+  .option('--preflight', 'Exit non-zero on critical findings (for CI)')
+  .option('--red-team', 'Simulate adversarial attacks against agent configs')
+  .option('--json', 'Output results as JSON')
+  .action(openclawCommand);
+
+// -----------------------------------------------------------------------------
+// SCAN-SKILL COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('scan-skill [target]')
+  .description('Analyze an AI agent skill for security issues before installing it')
+  .option('--all', 'Scan all skills defined in openclaw.json')
+  .option('--json', 'Output results as JSON')
+  .action(scanSkillCommand);
+
+// -----------------------------------------------------------------------------
+// ABOM COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('abom [path]')
+  .description('Generate Agent Bill of Materials (CycloneDX ABOM) — MCP servers, skills, configs, LLM providers')
+  .option('-o, --output <file>', 'Output file path', 'abom.json')
+  .option('--json', 'Output to stdout as JSON')
+  .action(abomCommand);
+
+// -----------------------------------------------------------------------------
+// UPDATE-INTEL COMMAND
+// -----------------------------------------------------------------------------
+program
+  .command('update-intel')
+  .description('Update threat intelligence feed (malicious skill hashes, compromised MCP servers)')
+  .option('--url <url>', 'Custom feed URL')
+  .action(updateIntelCommand);
+
 // -----------------------------------------------------------------------------
 // DOCTOR COMMAND
 // -----------------------------------------------------------------------------
@@ -309,13 +392,20 @@ program
 if (process.argv.length === 2) {
   console.log(banner);
   console.log(chalk.yellow('\nQuick start:\n'));
-  console.log(chalk.cyan.bold('  v5.0 — Full Security Audit'));
-  console.log(chalk.white('  npx ship-safe audit .       ') + chalk.gray('# Full audit: secrets + 16 agents + deps + remediation'));
+  console.log(chalk.cyan.bold('  v6.0 — Full Security Audit'));
+  console.log(chalk.white('  npx ship-safe audit .       ') + chalk.gray('# Full audit: secrets + 18 agents + deps + remediation'));
   console.log(chalk.white('  npx ship-safe audit . --deep') + chalk.gray('# LLM-powered taint analysis (Anthropic/Ollama)'));
-  console.log(chalk.white('  npx ship-safe red-team .    ') + chalk.gray('# 16-agent red team scan (80+ attack classes)'));
+  console.log(chalk.white('  npx ship-safe red-team .    ') + chalk.gray('# 18-agent red team scan (80+ attack classes)'));
+  console.log(chalk.white('  npx ship-safe vibe-check .  ') + chalk.gray('# Fun security check with emoji & shareable badge'));
+  console.log(chalk.white('  npx ship-safe benchmark .   ') + chalk.gray('# Compare score against industry averages'));
   console.log(chalk.white('  npx ship-safe ci .          ') + chalk.gray('# CI/CD mode: scan, score, exit code'));
+  console.log(chalk.white('  npx ship-safe diff          ') + chalk.gray('# Scan only changed files (fast pre-commit)'));
   console.log(chalk.white('  npx ship-safe watch .       ') + chalk.gray('# Continuous monitoring mode'));
+  console.log(chalk.white('  npx ship-safe openclaw .    ') + chalk.gray('# OpenClaw & agent config security scan'));
+  console.log(chalk.white('  npx ship-safe scan-skill <u>') + chalk.gray('# Vet a skill before installing'));
+  console.log(chalk.white('  npx ship-safe abom .        ') + chalk.gray('# Agent Bill of Materials (CycloneDX)'));
   console.log(chalk.white('  npx ship-safe sbom .        ') + chalk.gray('# Generate CycloneDX SBOM (CRA-ready)'));
+  console.log(chalk.white('  npx ship-safe update-intel  ') + chalk.gray('# Update threat intelligence feed'));
   console.log(chalk.white('  npx ship-safe policy init   ') + chalk.gray('# Create security policy template'));
   console.log(chalk.white('  npx ship-safe doctor        ') + chalk.gray('# Check environment and configuration'));
   console.log();

package/cli/commands/abom.js

@@ -0,0 +1,73 @@
+/**
+ * ABOM Command
+ * =============
+ *
+ * Generate an Agent Bill of Materials in CycloneDX format.
+ * Lists all AI agent components: MCP servers, skills, configs, LLM providers.
+ *
+ * USAGE:
+ *   ship-safe abom [path]               Generate ABOM
+ *   ship-safe abom . -o agent-bom.json  Custom output path
+ */
+
+import path from 'path';
+import chalk from 'chalk';
+import { ABOMGenerator } from '../agents/abom-generator.js';
+import * as output from '../utils/output.js';
+
+export async function abomCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+  const outputFile = options.output || 'abom.json';
+
+  console.log();
+  output.header('Ship Safe — Agent Bill of Materials');
+  console.log();
+
+  const generator = new ABOMGenerator();
+  const bom = generator.generate(absolutePath);
+
+  if (options.json) {
+    console.log(JSON.stringify(bom, null, 2));
+    return;
+  }
+
+  generator.generateToFile(absolutePath, outputFile);
+
+  const agentComponents = bom.components.filter(c => c.properties?.some(p => p.name?.startsWith('agent:')));
+  const mcpServers = agentComponents.filter(c => c.properties?.some(p => p.value === 'mcp-server'));
+  const skills = agentComponents.filter(c => c.properties?.some(p => p.value === 'openclaw-skill'));
+  const configs = agentComponents.filter(c => c.properties?.some(p => p.value === 'agent-rules' || p.value === 'agent-config'));
+  const providers = agentComponents.filter(c => c.properties?.some(p => p.value === 'llm-provider'));
+
+  console.log(chalk.gray(`  Project: ${bom.metadata.component.name}`));
+  console.log();
+  console.log(`  ${chalk.cyan('MCP Servers')}:      ${mcpServers.length}`);
+  console.log(`  ${chalk.cyan('OpenClaw Skills')}:  ${skills.length}`);
+  console.log(`  ${chalk.cyan('Agent Configs')}:    ${configs.length}`);
+  console.log(`  ${chalk.cyan('LLM Providers')}:    ${providers.length}`);
+  console.log(`  ${chalk.cyan('Total Components')}: ${bom.components.length}`);
+  console.log();
+
+  if (mcpServers.length > 0) {
+    console.log(chalk.white.bold('  MCP Servers:'));
+    for (const s of mcpServers) {
+      const cmd = s.properties?.find(p => p.name === 'agent:command')?.value || 'N/A';
+      console.log(chalk.gray(`    · ${s.name} (${cmd})`));
+    }
+    console.log();
+  }
+
+  if (skills.length > 0) {
+    console.log(chalk.white.bold('  OpenClaw Skills:'));
+    for (const s of skills) {
+      const verified = s.properties?.find(p => p.name === 'agent:verified')?.value;
+      const icon = verified === 'true' ? chalk.green('✔') : chalk.yellow('?');
+      console.log(chalk.gray(`    ${icon} ${s.name}`));
+    }
+    console.log();
+  }
+
+  console.log(chalk.green(`  ✔ ABOM saved to ${outputFile}`));
+  console.log(chalk.gray(`    Format: CycloneDX ${bom.specVersion}`));
+  console.log();
+}

package/cli/commands/agent.js

@@ -100,7 +100,7 @@ export async function agentCommand(targetPath = '.', options = {}) {
 
   // ── 4. Fallback: no API key ────────────────────────────────────────────────
   if (!apiKey) {
-    console.log(chalk.yellow('  ⚠  No ANTHROPIC_API_KEY found.'));
+    console.log(chalk.yellow('  ⚠  No ANTHROPIC_API_KEY found.')); // ship-safe-ignore — env var name in user-facing message, no key value
     console.log(chalk.gray('     Set it in your environment or .env to enable AI classification.'));
     if (secretCount > 0) {
       console.log(chalk.gray('     Falling back to pattern-based remediation for secrets...\n'));
@@ -227,8 +227,8 @@ export async function agentCommand(targetPath = '.', options = {}) {
  * Returns the key string or null if not found.
  */
 function loadApiKey(rootPath) {
-  if (process.env.ANTHROPIC_API_KEY) {
-    return process.env.ANTHROPIC_API_KEY;
+  if (process.env.ANTHROPIC_API_KEY) { // ship-safe-ignore — reading env var at runtime, no hardcoded key value
+    return process.env.ANTHROPIC_API_KEY; // ship-safe-ignore — returning env var value, not a hardcoded secret
   }
 
   const envPath = path.join(rootPath, '.env');
@@ -240,7 +240,7 @@ function loadApiKey(rootPath) {
         if (trimmed.startsWith('#') || !trimmed.includes('=')) continue;
         const eqIdx = trimmed.indexOf('=');
         const key = trimmed.slice(0, eqIdx).trim();
-        if (key === 'ANTHROPIC_API_KEY') {
+        if (key === 'ANTHROPIC_API_KEY') { // ship-safe-ignore — parsing .env file to read user's own API key from their project
           const val = trimmed.slice(eqIdx + 1).trim().replace(/^["']|["']$/g, '');
           if (val) return val;
         }

package/cli/commands/audit.js

@@ -202,7 +202,7 @@ export async function auditCommand(targetPath = '.', options = {}) {
     if (cacheDiff && cacheDiff.changedFiles.length < allFiles.length) {
       orchestratorOpts.changedFiles = cacheDiff.changedFiles;
     }
-    const results = await orchestrator.runAll(absolutePath, orchestratorOpts);
+    const results = await orchestrator.runAll(absolutePath, orchestratorOpts); // ship-safe-ignore — orchestrator result, not LLM output triggering actions
     recon = results.recon;
     agentFindings = results.findings;
     agentResults = results.agentResults;
@@ -262,6 +262,8 @@ export async function auditCommand(targetPath = '.', options = {}) {
   // Score
   const scoringEngine = new ScoringEngine();
   const scoreResult = scoringEngine.compute(filteredFindings, depVulns);
+  // Round score to 1 decimal place to avoid floating-point noise (e.g., 63.300000000000004)
+  scoreResult.score = Math.round(scoreResult.score * 10) / 10;
   scoringEngine.saveToHistory(absolutePath, scoreResult, suppressions);
 
   const gradeColor = scoreResult.score >= 75 ? chalk.green.bold : scoreResult.score >= 60 ? chalk.yellow.bold : chalk.red.bold;
@@ -421,7 +423,9 @@ export async function auditCommand(targetPath = '.', options = {}) {
     const trend = scoringEngine.getTrend(absolutePath, scoreResult.score);
     if (trend) {
       const arrow = trend.diff > 0 ? chalk.green('↑') : trend.diff < 0 ? chalk.red('↓') : chalk.gray('→');
-      console.log(chalk.gray(`  Trend: ${trend.previousScore} → ${trend.currentScore} ${arrow} (${trend.diff > 0 ? '+' : ''}${trend.diff})`));
+      const roundedDiff = Math.round(trend.diff * 10) / 10;
+      const diffLabel = roundedDiff === 0 ? chalk.gray('no change') : chalk.white(`${roundedDiff > 0 ? '+' : ''}${roundedDiff}`);
+      console.log(chalk.gray(`  Trend: ${trend.previousScore} → ${trend.currentScore} ${arrow} (`) + diffLabel + chalk.gray(')'));
     }
 
     // ── Detailed Comparison ────────────────────────────────────────────────
@@ -561,14 +565,17 @@ function printReport(scoreResult, findings, depVulns, recon, plan, rootPath, fil
     const count = Object.values(cat.counts).reduce((a, b) => a + b, 0);
     const icon = count === 0 ? chalk.green('✔') : chalk.red('✘');
     const status = count === 0 ? chalk.green('clean') : chalk.red(`${count} issue(s)`);
-    const deduction = cat.deduction > 0 ? chalk.red(`-${cat.deduction} pts`) : chalk.gray('+0');
+    const deduction = cat.deduction > 0 ? chalk.red(`-${Math.round(cat.deduction * 10) / 10} pts`) : chalk.gray('+0');
     console.log(`  ${icon}  ${chalk.white(cat.label.padEnd(22))} ${status.padEnd(25)} ${deduction}`);
   }
 
-  // Deps row
-  const depIcon = depVulns.length === 0 ? chalk.green('✔') : chalk.red('✘');
-  const depStatus = depVulns.length === 0 ? chalk.green('clean') : chalk.red(`${depVulns.length} CVE(s)`);
-  console.log(`  ${depIcon}  ${chalk.white('Dependencies'.padEnd(22))} ${depStatus}`);
+  // Deps row — only print if not already included in scoreResult.categories
+  const hasDepsCategory = Object.values(scoreResult.categories).some(c => c.label?.toLowerCase().includes('depend'));
+  if (!hasDepsCategory) {
+    const depIcon = depVulns.length === 0 ? chalk.green('✔') : chalk.red('✘');
+    const depStatus = depVulns.length === 0 ? chalk.green('clean') : chalk.red(`${depVulns.length} CVE(s)`);
+    console.log(`  ${depIcon}  ${chalk.white('Dependencies'.padEnd(22))} ${depStatus}`);
+  }
 
   console.log(chalk.gray(`\n  Files scanned: ${filesScanned} | Findings: ${findings.length} | CVEs: ${depVulns.length}`));
 
@@ -655,6 +662,7 @@ function outputJSON(scoreResult, findings, depVulns, recon, agentResults, remedi
     recon,
     agents: agentResults,
   };
+  if (scoreResult.compliance) output.compliance = scoreResult.compliance;
   if (suppressions) output.suppressions = suppressions;
   if (history && history.length >= 2) {
     const prev = history[history.length - 2];

package/cli/commands/baseline.js

@@ -78,7 +78,7 @@ async function fullScan(rootPath) {
   const { findings: secretFindings, files } = await quickScan(rootPath);
 
   const orchestrator = buildOrchestrator();
-  const { findings: agentFindings } = await orchestrator.runAll(rootPath, { quiet: true });
+  const { findings: agentFindings } = await orchestrator.runAll(rootPath, { quiet: true }); // ship-safe-ignore — orchestrator result, not LLM output triggering actions
 
   return [...secretFindings, ...agentFindings];
 }

package/cli/commands/benchmark.js

@@ -0,0 +1,327 @@
+/**
+ * Benchmark Command
+ * =================
+ *
+ * Compare your project's security score against industry averages.
+ * Uses aggregated baseline data from publicly available research on
+ * typical vulnerability rates in web applications and open source projects.
+ *
+ * USAGE:
+ *   npx ship-safe benchmark [path]       Compare against industry averages
+ *   npx ship-safe benchmark . --json     Output as JSON
+ *
+ * DATA SOURCES:
+ *   - OWASP Web Application Security Statistics (2024)
+ *   - Synopsys OSSRA Report (2024) — 84% of codebases have vulnerabilities
+ *   - Snyk State of Open Source Security (2024)
+ *   - GitHub Octoverse Security Report (2024)
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import ora from 'ora';
+import { buildOrchestrator } from '../agents/index.js';
+import { ScoringEngine } from '../agents/scoring-engine.js';
+import { runDepsAudit } from './deps.js';
+import {
+  SECRET_PATTERNS,
+  SKIP_DIRS,
+  SKIP_EXTENSIONS,
+  SKIP_FILENAMES,
+  MAX_FILE_SIZE,
+  loadGitignorePatterns
+} from '../utils/patterns.js';
+import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
+import * as output from '../utils/output.js';
+import fg from 'fast-glob';
+
+// =============================================================================
+// INDUSTRY BENCHMARKS (aggregated from public research)
+// =============================================================================
+
+const BENCHMARKS = {
+  overall: {
+    label: 'Overall Security Score',
+    industry: 52,        // Median web app security score
+    topQuartile: 78,     // Top 25%
+    description: 'Average security score across web applications',
+  },
+  categories: {
+    secrets: {
+      label: 'Secret Management',
+      avgFindingsPerProject: 4.2,
+      pctWithIssues: 38,
+      description: '38% of projects have exposed secrets (GitHub secret scanning data)',
+    },
+    injection: {
+      label: 'Injection / Code Vulns',
+      avgFindingsPerProject: 6.1,
+      pctWithIssues: 49,
+      description: '49% of web apps have injection vulnerabilities (OWASP)',
+    },
+    auth: {
+      label: 'Auth & Access Control',
+      avgFindingsPerProject: 3.8,
+      pctWithIssues: 94,
+      description: 'Broken access control is #1 in OWASP Top 10 — affects 94% of apps tested',
+    },
+    deps: {
+      label: 'Dependencies',
+      avgFindingsPerProject: 5.3,
+      pctWithIssues: 84,
+      description: '84% of codebases have at least one known vulnerability (Synopsys OSSRA 2024)',
+    },
+    config: {
+      label: 'Security Misconfiguration',
+      avgFindingsPerProject: 2.9,
+      pctWithIssues: 62,
+      description: '62% of apps have security misconfiguration (OWASP)',
+    },
+    'supply-chain': {
+      label: 'Supply Chain',
+      avgFindingsPerProject: 1.7,
+      pctWithIssues: 91,
+      description: '91% of packages have no maintainer review process (Snyk)',
+    },
+    api: {
+      label: 'API Security',
+      avgFindingsPerProject: 2.4,
+      pctWithIssues: 41,
+      description: '41% of organizations experienced an API security incident (Salt Labs)',
+    },
+    llm: {
+      label: 'AI/LLM Security',
+      avgFindingsPerProject: 1.2,
+      pctWithIssues: 25,
+      description: 'Emerging category — 25% of AI-enabled apps have insecure configurations',
+    },
+  },
+  // Percentile lookup for score comparison
+  percentiles: [
+    { score: 95, percentile: 99 },
+    { score: 90, percentile: 95 },
+    { score: 85, percentile: 90 },
+    { score: 80, percentile: 80 },
+    { score: 75, percentile: 70 },
+    { score: 70, percentile: 60 },
+    { score: 60, percentile: 45 },
+    { score: 50, percentile: 30 },
+    { score: 40, percentile: 20 },
+    { score: 30, percentile: 10 },
+    { score: 0,  percentile: 5 },
+  ],
+};
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function benchmarkCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+
+  if (!fs.existsSync(absolutePath)) {
+    output.error(`Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+
+  const projectName = path.basename(absolutePath);
+
+  console.log();
+  output.header('Security Benchmark');
+  console.log(chalk.gray(`  Comparing ${projectName} against industry averages\n`));
+
+  const startTime = Date.now();
+
+  // ── Scan ──────────────────────────────────────────────────────────────────
+  const spinner = ora({ text: 'Running full security scan for benchmark...', color: 'cyan' }).start();
+
+  const allFiles = await findFiles(absolutePath);
+  const secretFindings = [];
+
+  for (const file of allFiles) {
+    try {
+      const content = fs.readFileSync(file, 'utf-8');
+      const lines = content.split('\n');
+      for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        if (/ship-safe-ignore/i.test(line)) continue;
+        for (const pattern of SECRET_PATTERNS) {
+          pattern.pattern.lastIndex = 0;
+          let match;
+          while ((match = pattern.pattern.exec(line)) !== null) {
+            if (pattern.requiresEntropyCheck && !isHighEntropyMatch(match[0])) continue;
+            secretFindings.push({
+              file, line: lineNum + 1, column: match.index + 1,
+              matched: match[0], severity: pattern.severity,
+              category: pattern.category || 'secrets',
+              rule: pattern.name, title: pattern.name.replace(/_/g, ' '),
+              description: pattern.description,
+              confidence: getConfidence(pattern, match[0]),
+            });
+          }
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  const orchestrator = buildOrchestrator();
+  const results = await orchestrator.runAll(absolutePath, { quiet: true });
+
+  let depVulns = [];
+  try {
+    const depResult = await runDepsAudit(absolutePath);
+    depVulns = depResult.vulns || [];
+  } catch { /* skip */ }
+
+  spinner.stop();
+
+  // ── Score ─────────────────────────────────────────────────────────────────
+  const seen = new Set();
+  const allFindings = [...secretFindings, ...results.findings].filter(f => {
+    const key = `${f.file}:${f.line}:${f.rule}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+
+  const scoringEngine = new ScoringEngine();
+  const scoreResult = scoringEngine.compute(allFindings, depVulns);
+  const score = Math.round(scoreResult.score * 10) / 10;
+  const duration = ((Date.now() - startTime) / 1000).toFixed(1);
+
+  // ── JSON Output ───────────────────────────────────────────────────────────
+  if (options.json) {
+    const percentile = getPercentile(score);
+    const catComparisons = {};
+    for (const [key, cat] of Object.entries(scoreResult.categories)) {
+      const bench = BENCHMARKS.categories[key];
+      if (!bench) continue;
+      const count = Object.values(cat.counts).reduce((a, b) => a + b, 0);
+      catComparisons[key] = {
+        label: bench.label,
+        yourFindings: count,
+        industryAvg: bench.avgFindingsPerProject,
+        betterThanAvg: count <= bench.avgFindingsPerProject,
+      };
+    }
+    console.log(JSON.stringify({
+      project: projectName,
+      score, grade: scoreResult.grade.letter,
+      percentile,
+      industryMedian: BENCHMARKS.overall.industry,
+      topQuartile: BENCHMARKS.overall.topQuartile,
+      categories: catComparisons,
+      totalFindings: allFindings.length,
+      depVulns: depVulns.length,
+      duration: `${duration}s`,
+    }, null, 2));
+    process.exit(0);
+  }
+
+  // ── Display ───────────────────────────────────────────────────────────────
+  const percentile = getPercentile(score);
+  const vsIndustry = score - BENCHMARKS.overall.industry;
+  const vsColor = vsIndustry >= 0 ? chalk.green : chalk.red;
+
+  // Score comparison
+  console.log(chalk.white.bold('  Your Score vs Industry'));
+  console.log();
+  printScoreBar('You', score, scoreResult.grade.letter);
+  printScoreBar('Industry Median', BENCHMARKS.overall.industry, 'D');
+  printScoreBar('Top 25%', BENCHMARKS.overall.topQuartile, 'B');
+  console.log();
+  console.log(`  ${vsColor(`${vsIndustry >= 0 ? '+' : ''}${Math.round(vsIndustry)} pts`)} vs industry median`);
+  console.log(chalk.gray(`  You're in the top ${100 - percentile}% of projects scanned`));
+  console.log();
+
+  // Category comparison
+  console.log(chalk.white.bold('  Category Comparison'));
+  console.log(chalk.gray('  ' + '─'.repeat(70)));
+
+  for (const [key, cat] of Object.entries(scoreResult.categories)) {
+    const bench = BENCHMARKS.categories[key];
+    if (!bench) continue;
+    const count = Object.values(cat.counts).reduce((a, b) => a + b, 0);
+    const better = count <= bench.avgFindingsPerProject;
+    const icon = better ? chalk.green('✓') : chalk.red('✗');
+    const countStr = String(count).padStart(3);
+    const avgStr = String(bench.avgFindingsPerProject).padStart(4);
+
+    console.log(
+      `  ${icon} ${chalk.white(bench.label.padEnd(28))}` +
+      chalk.cyan(`You: ${countStr}`) +
+      chalk.gray(`  |  Avg: ${avgStr}`) +
+      (better ? chalk.green('  Better') : chalk.yellow('  Needs work'))
+    );
+  }
+  console.log();
+
+  // Risk context
+  const riskCategories = Object.entries(scoreResult.categories)
+    .filter(([key]) => BENCHMARKS.categories[key])
+    .filter(([, cat]) => {
+      const count = Object.values(cat.counts).reduce((a, b) => a + b, 0);
+      const bench = BENCHMARKS.categories[Object.keys(scoreResult.categories).find(k => scoreResult.categories[k] === cat)];
+      return bench && count > bench.avgFindingsPerProject;
+    })
+    .map(([key]) => BENCHMARKS.categories[key].label);
+
+  if (riskCategories.length > 0) {
+    console.log(chalk.yellow.bold('  Areas above industry average (needs attention):'));
+    for (const cat of riskCategories) {
+      console.log(chalk.yellow(`    → ${cat}`));
+    }
+    console.log();
+  }
+
+  console.log(chalk.gray(`  Scanned in ${duration}s | ${allFiles.length} files | ${allFindings.length} findings | ${depVulns.length} dep CVEs`));
+  console.log();
+
+  process.exit(0);
+}
+
+// =============================================================================
+// HELPERS
+// =============================================================================
+
+function getPercentile(score) {
+  for (const { score: s, percentile } of BENCHMARKS.percentiles) {
+    if (score >= s) return percentile;
+  }
+  return 5;
+}
+
+function printScoreBar(label, score, grade) {
+  const barWidth = 40;
+  const filled = Math.round((score / 100) * barWidth);
+  const empty = barWidth - filled;
+  const gradeColors = { A: chalk.green, B: chalk.cyan, C: chalk.yellow, D: chalk.red, F: chalk.red };
+  const color = gradeColors[grade] || chalk.gray;
+
+  console.log(
+    `  ${chalk.gray(label.padEnd(18))}` +
+    color('█'.repeat(filled)) +
+    chalk.gray('░'.repeat(empty)) +
+    ` ${color(`${score}/100`)}`
+  );
+}
+
+async function findFiles(rootPath) {
+  const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
+  const gitignoreGlobs = loadGitignorePatterns(rootPath);
+  globIgnore.push(...gitignoreGlobs);
+
+  const files = await fg('**/*', {
+    cwd: rootPath, absolute: true, onlyFiles: true, ignore: globIgnore, dot: true,
+  });
+
+  return files.filter(file => {
+    const ext = path.extname(file).toLowerCase();
+    if (SKIP_EXTENSIONS.has(ext)) return false;
+    if (SKIP_FILENAMES.has(path.basename(file))) return false;
+    if (path.basename(file).endsWith('.min.js') || path.basename(file).endsWith('.min.css')) return false;
+    try { if (fs.statSync(file).size > MAX_FILE_SIZE) return false; } catch { return false; }
+    return true;
+  });
+}