tc-scanner 0.1.0

package/.env

@@ -0,0 +1 @@
+NPM_TOKEN=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

package/README.md

@@ -0,0 +1,131 @@
+# tc-scanner
+
+CI security scanner for Dockerfiles, dependencies, and secrets. Powered by Trivy.
+
+## Requirements
+
+**Docker is required.** Trivy runs inside a container - no other installation needed. All major CI platforms (Bitbucket, GitHub Actions, GitLab CI, CircleCI) have Docker available.
+
+## One-Line Usage
+
+```bash
+# Scan a Dockerfile
+npx tc-scanner scan ./Dockerfile
+
+# Scan dependencies (requires package-lock.json, yarn.lock, or pnpm-lock.yaml)
+npx tc-scanner deps ./my-project
+
+# Scan for secrets
+npx tc-scanner secrets ./src
+
+# Scan a container image
+npx tc-scanner image nginx:latest
+```
+
+## Send Results to Webhook
+
+```bash
+npx tc-scanner scan ./Dockerfile --webhook https://your-webhook.com/endpoint
+npx tc-scanner deps . --webhook https://hooks.slack.com/services/xxx
+```
+
+Webhook payload:
+```json
+{
+  "scanner": "tc-scanner",
+  "scanType": "dockerfile",
+  "timestamp": "2024-01-15T10:30:00.000Z",
+  "summary": { "total": 2, "critical": 0, "high": 1, "medium": 1, "low": 0 },
+  "issues": [...]
+}
+```
+
+## Bitbucket Pipelines
+
+```yaml
+image: node:20
+
+definitions:
+  services:
+    docker:
+      memory: 2048
+
+pipelines:
+  default:
+    - step:
+        name: Security Scan
+        services:
+          - docker
+        script:
+          - npx tc-scanner scan ./Dockerfile --severity HIGH
+          - npx tc-scanner deps . --severity HIGH
+```
+
+## GitHub Actions
+
+```yaml
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Security Scan
+        run: |
+          npx tc-scanner scan ./Dockerfile --severity HIGH
+          npx tc-scanner deps . --severity HIGH
+```
+
+## GitLab CI
+
+```yaml
+security-scan:
+  image: node:20
+  services:
+    - docker:dind
+  script:
+    - npx tc-scanner scan ./Dockerfile --severity HIGH
+    - npx tc-scanner deps . --severity HIGH
+```
+
+## CLI Options
+
+```
+Usage: tc-scan [command] [options]
+
+Commands:
+  scan [path]      Scan a Dockerfile
+  deps [path]      Scan project dependencies
+  secrets [path]   Scan for secrets in code
+  image <name>     Scan a container image
+
+Options:
+  -s, --severity   Minimum severity: LOW, MEDIUM, HIGH, CRITICAL (default: HIGH)
+  -o, --output     Save report to file (generates .json, .txt, .html)
+  --exit-code      Exit code when issues found (default: 1)
+  --include-dev    Include dev dependencies in scan
+```
+
+## Generate Reports
+
+```bash
+# Generates scan-report.json, scan-report.txt, scan-report.html
+npx tc-scanner scan ./Dockerfile --output ./reports/scan-report
+```
+
+Reports can be:
+- Attached to CI artifacts
+- Sent via email
+- Posted to Slack/webhooks
+
+## What It Detects
+
+| Scan Type | Detects |
+|-----------|---------|
+| `scan` | Dockerfile misconfigurations (missing HEALTHCHECK, running as root, etc.) |
+| `deps` | Known CVEs in npm/yarn/pnpm packages |
+| `secrets` | API keys, tokens, passwords, private keys in code |
+| `image` | OS package vulnerabilities + app dependencies in containers |
+
+## License
+
+MIT

package/bin/cli.js

@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+
+import { defineCommand, runMain } from 'citty';
+import { scanDockerfile, scanImage, scanFilesystem, sendWebhook } from '../src/scanner.js';
+
+const main = defineCommand({
+  meta: {
+    name: 'tc-scan',
+    version: '0.1.0',
+    description: 'CI security scanner for Dockerfiles, dependencies, and secrets. Requires Docker.',
+  },
+  subCommands: {
+    scan: defineCommand({
+      meta: { description: 'Scan a Dockerfile for misconfigurations' },
+      args: {
+        path: { type: 'positional', description: 'Path to Dockerfile', default: './Dockerfile' },
+        severity: { type: 'string', alias: 's', description: 'Minimum severity (LOW, MEDIUM, HIGH, CRITICAL)', default: 'HIGH' },
+        output: { type: 'string', alias: 'o', description: 'Save report to file (generates .json, .txt, .html)' },
+        webhook: { type: 'string', alias: 'w', description: 'Send results to webhook URL' },
+        'exit-code': { type: 'string', description: 'Exit code when issues found', default: '1' },
+      },
+      async run({ args }) {
+        console.log('━'.repeat(50));
+        console.log('  TC-Secure Scanner');
+        console.log('━'.repeat(50));
+        console.log();
+
+        const result = await scanDockerfile(args.path, {
+          severity: args.severity,
+          output: args.output,
+          exitCode: args['exit-code'],
+        });
+
+        if (args.webhook && result.json) {
+          await sendWebhook(args.webhook, result.json, 'dockerfile');
+        }
+
+        process.exit(result.exitCode);
+      },
+    }),
+
+    image: defineCommand({
+      meta: { description: 'Scan a container image for vulnerabilities' },
+      args: {
+        image: { type: 'positional', description: 'Image name (e.g., nginx:latest)', required: true },
+        severity: { type: 'string', alias: 's', description: 'Minimum severity', default: 'HIGH' },
+        output: { type: 'string', alias: 'o', description: 'Save report to file' },
+        webhook: { type: 'string', alias: 'w', description: 'Send results to webhook URL' },
+        'exit-code': { type: 'string', description: 'Exit code when issues found', default: '1' },
+      },
+      async run({ args }) {
+        console.log('━'.repeat(50));
+        console.log('  TC-Secure Image Scanner');
+        console.log('━'.repeat(50));
+        console.log();
+
+        const result = await scanImage(args.image, {
+          severity: args.severity,
+          output: args.output,
+          exitCode: args['exit-code'],
+        });
+
+        if (args.webhook && result.json) {
+          await sendWebhook(args.webhook, result.json, 'image');
+        }
+
+        process.exit(result.exitCode);
+      },
+    }),
+
+    deps: defineCommand({
+      meta: { description: 'Scan project dependencies (package-lock.json, yarn.lock, etc.)' },
+      args: {
+        path: { type: 'positional', description: 'Path to project directory', default: '.' },
+        severity: { type: 'string', alias: 's', description: 'Minimum severity', default: 'HIGH' },
+        output: { type: 'string', alias: 'o', description: 'Save report to file' },
+        webhook: { type: 'string', alias: 'w', description: 'Send results to webhook URL' },
+        'exit-code': { type: 'string', description: 'Exit code when issues found', default: '1' },
+        'include-dev': { type: 'boolean', description: 'Include dev dependencies', default: false },
+      },
+      async run({ args }) {
+        console.log('━'.repeat(50));
+        console.log('  TC-Secure Dependency Scanner');
+        console.log('━'.repeat(50));
+        console.log();
+
+        const result = await scanFilesystem(args.path, {
+          severity: args.severity,
+          output: args.output,
+          exitCode: args['exit-code'],
+          includeDev: args['include-dev'],
+          scanType: 'vuln',
+        });
+
+        if (args.webhook && result.json) {
+          await sendWebhook(args.webhook, result.json, 'dependencies');
+        }
+
+        process.exit(result.exitCode);
+      },
+    }),
+
+    secrets: defineCommand({
+      meta: { description: 'Scan for secrets and sensitive data in code' },
+      args: {
+        path: { type: 'positional', description: 'Path to project directory', default: '.' },
+        output: { type: 'string', alias: 'o', description: 'Save report to file' },
+        webhook: { type: 'string', alias: 'w', description: 'Send results to webhook URL' },
+        'exit-code': { type: 'string', description: 'Exit code when secrets found', default: '1' },
+      },
+      async run({ args }) {
+        console.log('━'.repeat(50));
+        console.log('  TC-Secure Secrets Scanner');
+        console.log('━'.repeat(50));
+        console.log();
+
+        const result = await scanFilesystem(args.path, {
+          output: args.output,
+          exitCode: args['exit-code'],
+          scanType: 'secret',
+        });
+
+        if (args.webhook && result.json) {
+          await sendWebhook(args.webhook, result.json, 'secrets');
+        }
+
+        process.exit(result.exitCode);
+      },
+    }),
+  },
+});
+
+runMain(main);

package/bitbucket-pipelines.example.yml

@@ -0,0 +1,38 @@
+# Example Bitbucket Pipelines configuration for tc-scan
+# Copy this to your project's bitbucket-pipelines.yml
+
+image: node:20
+
+definitions:
+  services:
+    docker:
+      memory: 2048
+
+pipelines:
+  default:
+    - step:
+        name: Security Scan
+        services:
+          - docker
+        caches:
+          - node
+          - docker
+        script:
+          # Install scanner dependencies
+          - cd ci-scanner && npm install
+          
+          # Scan Dockerfile
+          - npm run scan -- ../pentest/Dockerfile --severity HIGH
+          
+          # Optionally scan the built image
+          # - npm run scan image your-image:latest
+
+  pull-requests:
+    '**':
+      - step:
+          name: PR Security Scan
+          services:
+            - docker
+          script:
+            - cd ci-scanner && npm install
+            - node bin/cli.js scan ../pentest/Dockerfile --severity MEDIUM

package/package.json

@@ -0,0 +1,35 @@
+{
+  "name": "tc-scanner",
+  "version": "0.1.0",
+  "description": "CI security scanner for Dockerfiles, dependencies, and secrets using Trivy",
+  "type": "module",
+  "bin": {
+    "tc-scan": "./bin/cli.js"
+  },
+  "scripts": {
+    "scan": "node bin/cli.js scan",
+    "test": "node bin/cli.js scan ./samples/Dockerfile"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "trivy",
+    "docker",
+    "dockerfile",
+    "vulnerability",
+    "ci",
+    "devops"
+  ],
+  "author": "TC-Secure",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/aspect-software-co/tc-scanner.git"
+  },
+  "engines": {
+    "node": ">=18"
+  },
+  "dependencies": {
+    "citty": "^0.1.6"
+  }
+}

package/reports/scan-report.html

@@ -0,0 +1,61 @@
+
+<!DOCTYPE html>
+<html>
+<head>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 800px; margin: 0 auto; padding: 20px; }
+    .header { background: #1e293b; color: white; padding: 20px; border-radius: 8px 8px 0 0; }
+    .content { border: 1px solid #e2e8f0; border-top: none; padding: 20px; border-radius: 0 0 8px 8px; }
+    .summary-grid { display: grid; grid-template-columns: repeat(4, 1fr); gap: 10px; margin: 20px 0; }
+    .stat { text-align: center; padding: 15px; border-radius: 8px; }
+    .stat-critical { background: #fef2f2; border: 1px solid #fecaca; }
+    .stat-high { background: #fff7ed; border: 1px solid #fed7aa; }
+    .stat-medium { background: #fefce8; border: 1px solid #fef08a; }
+    .stat-low { background: #eff6ff; border: 1px solid #bfdbfe; }
+    .stat-value { font-size: 24px; font-weight: bold; }
+    .issue { border-left: 4px solid; padding: 12px; margin: 10px 0; background: #f8fafc; }
+    .issue-critical { border-color: #dc2626; }
+    .issue-high { border-color: #ea580c; }
+    .issue-medium { border-color: #ca8a04; }
+    .issue-low { border-color: #2563eb; }
+    .badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 12px; font-weight: 600; color: white; }
+    a { color: #2563eb; }
+  </style>
+</head>
+<body>
+  <div class="header">
+    <h1 style="margin: 0;">TC-Secure Scan Report</h1>
+    <p style="margin: 5px 0 0 0; opacity: 0.8;">Target: /Users/themba/Teamcoda/teamcoda/tc-secure/pentest/Dockerfile</p>
+    <p style="margin: 5px 0 0 0; opacity: 0.8;">Scan Time: 2026-02-02T00:06:36.733Z</p>
+  </div>
+  <div class="content">
+    <h2>Summary</h2>
+    <div class="summary-grid">
+      <div class="stat stat-critical">
+        <div class="stat-value" style="color: #dc2626">0</div>
+        <div>Critical</div>
+      </div>
+      <div class="stat stat-high">
+        <div class="stat-value" style="color: #ea580c">0</div>
+        <div>High</div>
+      </div>
+      <div class="stat stat-medium">
+        <div class="stat-value" style="color: #ca8a04">0</div>
+        <div>Medium</div>
+      </div>
+      <div class="stat stat-low">
+        <div class="stat-value" style="color: #2563eb">1</div>
+        <div>Low</div>
+      </div>
+    </div>
+<h2>Issues (1)</h2>
+      <div class="issue issue-low">
+        <span class="badge" style="background: #2563eb">LOW</span>
+        <strong>DS-0026</strong>
+        <p style="margin: 8px 0;">No HEALTHCHECK defined</p>
+        
+        <a href="https://avd.aquasec.com/misconfig/ds-0026" style="font-size: 14px;">View details →</a>
+      </div>
+  </div>
+</body>
+</html>

package/reports/scan-report.json

@@ -0,0 +1,21 @@
+{
+  "target": "/Users/themba/Teamcoda/teamcoda/tc-secure/pentest/Dockerfile",
+  "scanTime": "2026-02-02T00:06:36.733Z",
+  "totalIssues": 1,
+  "bySeverity": {
+    "CRITICAL": 0,
+    "HIGH": 0,
+    "MEDIUM": 0,
+    "LOW": 1
+  },
+  "issues": [
+    {
+      "id": "DS-0026",
+      "severity": "LOW",
+      "title": "No HEALTHCHECK defined",
+      "description": "You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.",
+      "resolution": "Add HEALTHCHECK instruction in Dockerfile",
+      "url": "https://avd.aquasec.com/misconfig/ds-0026"
+    }
+  ]
+}

package/reports/scan-report.txt

@@ -0,0 +1,20 @@
+
+TC-SECURE SCAN REPORT
+=====================
+Target: /Users/themba/Teamcoda/teamcoda/tc-secure/pentest/Dockerfile
+Scan Time: 2026-02-02T00:06:36.733Z
+
+SUMMARY
+-------
+Total Issues: 1
+  CRITICAL: 0
+  HIGH: 0
+  MEDIUM: 0
+  LOW: 1
+
+DETAILS
+-------
+
+[LOW] DS-0026
+  No HEALTHCHECK defined
+  More info: https://avd.aquasec.com/misconfig/ds-0026

package/samples/Dockerfile

@@ -0,0 +1,17 @@
+# Sample Dockerfile for testing the scanner
+FROM node:20-alpine
+
+# Intentional misconfiguration: running as root
+USER root
+
+WORKDIR /app
+
+COPY package*.json ./
+RUN npm install
+
+COPY . .
+
+# Intentional: exposing common port
+EXPOSE 3000
+
+CMD ["node", "server.js"]

package/src/scanner.js

@@ -0,0 +1,525 @@
+import { spawn } from 'child_process';
+import { resolve, dirname } from 'path';
+import { existsSync, writeFileSync, mkdirSync } from 'fs';
+
+/**
+ * Execute a command and return the result
+ */
+function exec(command, args, options = {}) {
+  return new Promise((resolve, reject) => {
+    const silent = options.silent || false;
+    const proc = spawn(command, args, {
+      stdio: ['inherit', 'pipe', 'pipe'],
+    });
+
+    let stdout = '';
+    let stderr = '';
+
+    proc.stdout.on('data', (data) => {
+      stdout += data.toString();
+      if (!silent) {
+        process.stdout.write(data);
+      }
+    });
+
+    proc.stderr.on('data', (data) => {
+      stderr += data.toString();
+      if (!silent) {
+        process.stderr.write(data);
+      }
+    });
+
+    proc.on('close', (code) => {
+      resolve({ code, stdout, stderr });
+    });
+
+    proc.on('error', (err) => {
+      reject(err);
+    });
+  });
+}
+
+/**
+ * Generate a summary from JSON results
+ */
+export function generateSummary(jsonData, targetName) {
+  const results = JSON.parse(jsonData);
+  
+  let summary = {
+    target: targetName,
+    scanTime: new Date().toISOString(),
+    totalIssues: 0,
+    bySeverity: { CRITICAL: 0, HIGH: 0, MEDIUM: 0, LOW: 0 },
+    issues: [],
+  };
+
+  if (results.Results) {
+    for (const result of results.Results) {
+      if (result.Misconfigurations) {
+        for (const issue of result.Misconfigurations) {
+          summary.totalIssues++;
+          summary.bySeverity[issue.Severity] = (summary.bySeverity[issue.Severity] || 0) + 1;
+          summary.issues.push({
+            id: issue.ID,
+            severity: issue.Severity,
+            title: issue.Title,
+            description: issue.Description,
+            resolution: issue.Resolution,
+            url: issue.PrimaryURL,
+          });
+        }
+      }
+      if (result.Vulnerabilities) {
+        for (const vuln of result.Vulnerabilities) {
+          summary.totalIssues++;
+          summary.bySeverity[vuln.Severity] = (summary.bySeverity[vuln.Severity] || 0) + 1;
+          summary.issues.push({
+            id: vuln.VulnerabilityID,
+            severity: vuln.Severity,
+            title: vuln.Title || vuln.VulnerabilityID,
+            package: vuln.PkgName,
+            installedVersion: vuln.InstalledVersion,
+            fixedVersion: vuln.FixedVersion,
+            url: vuln.PrimaryURL,
+          });
+        }
+      }
+    }
+  }
+
+  return summary;
+}
+
+/**
+ * Format summary as plain text
+ */
+export function formatAsText(summary) {
+  let text = `
+TC-SECURE SCAN REPORT
+=====================
+Target: ${summary.target}
+Scan Time: ${summary.scanTime}
+
+SUMMARY
+-------
+Total Issues: ${summary.totalIssues}
+  CRITICAL: ${summary.bySeverity.CRITICAL}
+  HIGH: ${summary.bySeverity.HIGH}
+  MEDIUM: ${summary.bySeverity.MEDIUM}
+  LOW: ${summary.bySeverity.LOW}
+
+`;
+
+  if (summary.issues.length > 0) {
+    text += `DETAILS\n-------\n`;
+    for (const issue of summary.issues) {
+      text += `\n[${issue.severity}] ${issue.id}\n`;
+      text += `  ${issue.title}\n`;
+      if (issue.package) {
+        text += `  Package: ${issue.package} (${issue.installedVersion})\n`;
+        if (issue.fixedVersion) {
+          text += `  Fix: Upgrade to ${issue.fixedVersion}\n`;
+        }
+      }
+      if (issue.url) {
+        text += `  More info: ${issue.url}\n`;
+      }
+    }
+  } else {
+    text += `No issues found.\n`;
+  }
+
+  return text;
+}
+
+/**
+ * Format summary as HTML
+ */
+export function formatAsHtml(summary) {
+  const severityColors = {
+    CRITICAL: '#dc2626',
+    HIGH: '#ea580c',
+    MEDIUM: '#ca8a04',
+    LOW: '#2563eb',
+  };
+
+  let html = `<!DOCTYPE html>
+<html>
+<head>
+  <style>
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, sans-serif; max-width: 800px; margin: 0 auto; padding: 20px; }
+    .header { background: #1e293b; color: white; padding: 20px; border-radius: 8px 8px 0 0; }
+    .content { border: 1px solid #e2e8f0; border-top: none; padding: 20px; border-radius: 0 0 8px 8px; }
+    .summary-grid { display: grid; grid-template-columns: repeat(4, 1fr); gap: 10px; margin: 20px 0; }
+    .stat { text-align: center; padding: 15px; border-radius: 8px; }
+    .stat-critical { background: #fef2f2; border: 1px solid #fecaca; }
+    .stat-high { background: #fff7ed; border: 1px solid #fed7aa; }
+    .stat-medium { background: #fefce8; border: 1px solid #fef08a; }
+    .stat-low { background: #eff6ff; border: 1px solid #bfdbfe; }
+    .stat-value { font-size: 24px; font-weight: bold; }
+    .issue { border-left: 4px solid; padding: 12px; margin: 10px 0; background: #f8fafc; }
+    .issue-critical { border-color: #dc2626; }
+    .issue-high { border-color: #ea580c; }
+    .issue-medium { border-color: #ca8a04; }
+    .issue-low { border-color: #2563eb; }
+    .badge { display: inline-block; padding: 2px 8px; border-radius: 4px; font-size: 12px; font-weight: 600; color: white; }
+    a { color: #2563eb; }
+  </style>
+</head>
+<body>
+  <div class="header">
+    <h1 style="margin: 0;">TC-Secure Scan Report</h1>
+    <p style="margin: 5px 0 0 0; opacity: 0.8;">Target: ${summary.target}</p>
+    <p style="margin: 5px 0 0 0; opacity: 0.8;">Scan Time: ${summary.scanTime}</p>
+  </div>
+  <div class="content">
+    <h2>Summary</h2>
+    <div class="summary-grid">
+      <div class="stat stat-critical">
+        <div class="stat-value" style="color: ${severityColors.CRITICAL}">${summary.bySeverity.CRITICAL}</div>
+        <div>Critical</div>
+      </div>
+      <div class="stat stat-high">
+        <div class="stat-value" style="color: ${severityColors.HIGH}">${summary.bySeverity.HIGH}</div>
+        <div>High</div>
+      </div>
+      <div class="stat stat-medium">
+        <div class="stat-value" style="color: ${severityColors.MEDIUM}">${summary.bySeverity.MEDIUM}</div>
+        <div>Medium</div>
+      </div>
+      <div class="stat stat-low">
+        <div class="stat-value" style="color: ${severityColors.LOW}">${summary.bySeverity.LOW}</div>
+        <div>Low</div>
+      </div>
+    </div>
+`;
+
+  if (summary.issues.length > 0) {
+    html += `<h2>Issues (${summary.totalIssues})</h2>`;
+    for (const issue of summary.issues) {
+      const severityClass = issue.severity.toLowerCase();
+      html += `
+      <div class="issue issue-${severityClass}">
+        <span class="badge" style="background: ${severityColors[issue.severity]}">${issue.severity}</span>
+        <strong>${issue.id}</strong>
+        <p style="margin: 8px 0;">${issue.title}</p>
+        ${issue.package ? `<p style="margin: 4px 0; font-size: 14px; color: #64748b;">Package: ${issue.package} (${issue.installedVersion})${issue.fixedVersion ? ` → ${issue.fixedVersion}` : ''}</p>` : ''}
+        ${issue.url ? `<a href="${issue.url}" style="font-size: 14px;">View details →</a>` : ''}
+      </div>`;
+    }
+  } else {
+    html += `<p style="color: #16a34a; font-weight: 500;">✓ No security issues found.</p>`;
+  }
+
+  html += `
+  </div>
+</body>
+</html>`;
+
+  return html;
+}
+
+/**
+ * Save report to file
+ */
+export function saveReport(content, filePath) {
+  const dir = dirname(filePath);
+  if (!existsSync(dir)) {
+    mkdirSync(dir, { recursive: true });
+  }
+  writeFileSync(filePath, content);
+  return filePath;
+}
+
+/**
+ * Send results to webhook
+ */
+export async function sendWebhook(url, jsonData, scanType) {
+  const summary = generateSummary(jsonData, scanType);
+  
+  const payload = {
+    scanner: 'tc-scanner',
+    scanType,
+    timestamp: summary.scanTime,
+    target: summary.target,
+    summary: {
+      total: summary.totalIssues,
+      critical: summary.bySeverity.CRITICAL,
+      high: summary.bySeverity.HIGH,
+      medium: summary.bySeverity.MEDIUM,
+      low: summary.bySeverity.LOW,
+    },
+    issues: summary.issues,
+  };
+
+  console.log(`\nSending results to webhook: ${url}`);
+
+  try {
+    const response = await fetch(url, {
+      method: 'POST',
+      headers: { 'Content-Type': 'application/json' },
+      body: JSON.stringify(payload),
+    });
+
+    if (response.ok) {
+      console.log(`Webhook sent successfully (${response.status})`);
+    } else {
+      console.error(`Webhook failed: ${response.status} ${response.statusText}`);
+    }
+  } catch (error) {
+    console.error(`Webhook error: ${error.message}`);
+  }
+}
+
+/**
+ * Check if Docker is available
+ */
+async function checkDocker() {
+  try {
+    const result = await exec('docker', ['--version']);
+    return result.code === 0;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Scan a Dockerfile for misconfigurations
+ */
+export async function scanDockerfile(path, options) {
+  const resolvedPath = resolve(process.cwd(), path);
+  
+  if (!existsSync(resolvedPath)) {
+    throw new Error(`File not found: ${resolvedPath}`);
+  }
+
+  const dockerAvailable = await checkDocker();
+  if (!dockerAvailable) {
+    throw new Error('Docker is required. Install Docker to use this scanner.');
+  }
+
+  console.log(`Scanning: ${resolvedPath}`);
+  console.log(`Severity: ${options.severity}+`);
+  console.log();
+
+  const mountPath = dirname(resolvedPath);
+  const fileName = resolvedPath.split('/').pop();
+
+  // Run with JSON format to get structured data
+  const jsonArgs = [
+    'run', '--rm',
+    '-v', `${mountPath}:/src:ro`,
+    'aquasec/trivy',
+    'config',
+    `/src/${fileName}`,
+    '--severity', options.severity,
+    '--format', 'json',
+  ];
+
+  const jsonResult = await exec('docker', jsonArgs, { silent: true });
+
+  // Run with table format for display
+  const tableArgs = [
+    'run', '--rm',
+    '-v', `${mountPath}:/src:ro`,
+    'aquasec/trivy',
+    'config',
+    `/src/${fileName}`,
+    '--severity', options.severity,
+    '--format', 'table',
+  ];
+
+  if (options.exitCode !== '0') {
+    tableArgs.push('--exit-code', options.exitCode);
+  }
+
+  const tableResult = await exec('docker', tableArgs);
+
+  // Generate reports if output option is set
+  let reportPaths = {};
+  if (options.output && jsonResult.stdout) {
+    const summary = generateSummary(jsonResult.stdout, resolvedPath);
+    const basePath = options.output.replace(/\.[^/.]+$/, '');
+    
+    reportPaths.json = saveReport(JSON.stringify(summary, null, 2), `${basePath}.json`);
+    reportPaths.text = saveReport(formatAsText(summary), `${basePath}.txt`);
+    reportPaths.html = saveReport(formatAsHtml(summary), `${basePath}.html`);
+    
+    console.log();
+    console.log('Reports saved:');
+    console.log(`  JSON: ${reportPaths.json}`);
+    console.log(`  Text: ${reportPaths.text}`);
+    console.log(`  HTML: ${reportPaths.html}`);
+  }
+
+  return {
+    exitCode: tableResult.code,
+    output: tableResult.stdout,
+    json: jsonResult.stdout,
+    reportPaths,
+  };
+}
+
+/**
+ * Scan a container image for vulnerabilities
+ */
+export async function scanImage(image, options) {
+  const dockerAvailable = await checkDocker();
+  if (!dockerAvailable) {
+    throw new Error('Docker is required. Install Docker to use this scanner.');
+  }
+
+  console.log(`Scanning image: ${image}`);
+  console.log(`Severity: ${options.severity}+`);
+  console.log();
+
+  // Run with JSON format
+  const jsonArgs = [
+    'run', '--rm',
+    '-v', '/var/run/docker.sock:/var/run/docker.sock',
+    'aquasec/trivy',
+    'image',
+    image,
+    '--severity', options.severity,
+    '--format', 'json',
+  ];
+
+  const jsonResult = await exec('docker', jsonArgs, { silent: true });
+
+  // Run with table format for display
+  const tableArgs = [
+    'run', '--rm',
+    '-v', '/var/run/docker.sock:/var/run/docker.sock',
+    'aquasec/trivy',
+    'image',
+    image,
+    '--severity', options.severity,
+    '--format', 'table',
+  ];
+
+  if (options.exitCode !== '0') {
+    tableArgs.push('--exit-code', options.exitCode);
+  }
+
+  const tableResult = await exec('docker', tableArgs);
+
+  // Generate reports
+  let reportPaths = {};
+  if (options.output && jsonResult.stdout) {
+    const summary = generateSummary(jsonResult.stdout, image);
+    const basePath = options.output.replace(/\.[^/.]+$/, '');
+    
+    reportPaths.json = saveReport(JSON.stringify(summary, null, 2), `${basePath}.json`);
+    reportPaths.text = saveReport(formatAsText(summary), `${basePath}.txt`);
+    reportPaths.html = saveReport(formatAsHtml(summary), `${basePath}.html`);
+    
+    console.log();
+    console.log('Reports saved:');
+    console.log(`  JSON: ${reportPaths.json}`);
+    console.log(`  Text: ${reportPaths.text}`);
+    console.log(`  HTML: ${reportPaths.html}`);
+  }
+
+  return {
+    exitCode: tableResult.code,
+    output: tableResult.stdout,
+    json: jsonResult.stdout,
+    reportPaths,
+  };
+}
+
+/**
+ * Scan a filesystem/project for vulnerabilities or secrets
+ */
+export async function scanFilesystem(path, options) {
+  const resolvedPath = resolve(process.cwd(), path);
+  
+  if (!existsSync(resolvedPath)) {
+    throw new Error(`Directory not found: ${resolvedPath}`);
+  }
+
+  const dockerAvailable = await checkDocker();
+  if (!dockerAvailable) {
+    throw new Error('Docker is required. Install Docker to use this scanner.');
+  }
+
+  const scanType = options.scanType || 'vuln';
+  const scanners = scanType === 'secret' ? 'secret' : 'vuln';
+
+  console.log(`Scanning: ${resolvedPath}`);
+  console.log(`Scan type: ${scanners}`);
+  if (scanType !== 'secret') {
+    console.log(`Severity: ${options.severity}+`);
+  }
+  console.log();
+
+  // Run with JSON format
+  const jsonArgs = [
+    'run', '--rm',
+    '-v', `${resolvedPath}:/src:ro`,
+    'aquasec/trivy',
+    'fs',
+    '/src',
+    '--scanners', scanners,
+    '--format', 'json',
+  ];
+
+  if (scanType !== 'secret' && options.severity) {
+    jsonArgs.push('--severity', options.severity);
+  }
+
+  if (options.includeDev) {
+    jsonArgs.push('--include-dev-deps');
+  }
+
+  const jsonResult = await exec('docker', jsonArgs, { silent: true });
+
+  // Run with table format for display
+  const tableArgs = [
+    'run', '--rm',
+    '-v', `${resolvedPath}:/src:ro`,
+    'aquasec/trivy',
+    'fs',
+    '/src',
+    '--scanners', scanners,
+    '--format', 'table',
+  ];
+
+  if (scanType !== 'secret' && options.severity) {
+    tableArgs.push('--severity', options.severity);
+  }
+
+  if (options.includeDev) {
+    tableArgs.push('--include-dev-deps');
+  }
+
+  if (options.exitCode !== '0') {
+    tableArgs.push('--exit-code', options.exitCode);
+  }
+
+  const tableResult = await exec('docker', tableArgs);
+
+  // Generate reports
+  let reportPaths = {};
+  if (options.output && jsonResult.stdout) {
+    const summary = generateSummary(jsonResult.stdout, resolvedPath);
+    const basePath = options.output.replace(/\.[^/.]+$/, '');
+    
+    reportPaths.json = saveReport(JSON.stringify(summary, null, 2), `${basePath}.json`);
+    reportPaths.text = saveReport(formatAsText(summary), `${basePath}.txt`);
+    reportPaths.html = saveReport(formatAsHtml(summary), `${basePath}.html`);
+    
+    console.log();
+    console.log('Reports saved:');
+    console.log(`  JSON: ${reportPaths.json}`);
+    console.log(`  Text: ${reportPaths.text}`);
+    console.log(`  HTML: ${reportPaths.html}`);
+  }
+
+  return {
+    exitCode: tableResult.code,
+    output: tableResult.stdout,
+    json: jsonResult.stdout,
+    reportPaths,
+  };
+}