toolip 1.0.7 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (174) hide show
  1. package/README.md +189 -448
  2. package/dist/src/analyzers/ast/ast-security-analyzer.d.ts +6 -0
  3. package/dist/src/analyzers/ast/ast-security-analyzer.js +64 -0
  4. package/dist/src/analyzers/ast/ast-security-analyzer.js.map +1 -0
  5. package/dist/src/analyzers/ast/rules.d.ts +48 -0
  6. package/dist/src/analyzers/ast/rules.js +39 -0
  7. package/dist/src/analyzers/ast/rules.js.map +1 -0
  8. package/dist/src/analyzers/ast/source-analysis.d.ts +2 -0
  9. package/dist/src/analyzers/ast/source-analysis.js +225 -0
  10. package/dist/src/analyzers/ast/source-analysis.js.map +1 -0
  11. package/dist/src/analyzers/dependency-confusion/analyzer.d.ts +9 -0
  12. package/dist/src/analyzers/dependency-confusion/analyzer.js +98 -0
  13. package/dist/src/analyzers/dependency-confusion/analyzer.js.map +1 -0
  14. package/dist/src/analyzers/docker/analyzer.d.ts +6 -0
  15. package/dist/src/analyzers/docker/analyzer.js +103 -0
  16. package/dist/src/analyzers/docker/analyzer.js.map +1 -0
  17. package/dist/src/analyzers/git-history/analyzer.d.ts +8 -0
  18. package/dist/src/analyzers/git-history/analyzer.js +157 -0
  19. package/dist/src/analyzers/git-history/analyzer.js.map +1 -0
  20. package/dist/src/analyzers/git-history/secret-patterns.d.ts +7 -0
  21. package/dist/src/analyzers/git-history/secret-patterns.js +33 -0
  22. package/dist/src/analyzers/git-history/secret-patterns.js.map +1 -0
  23. package/dist/src/analyzers/install-scripts/install-script-analyzer.d.ts +6 -0
  24. package/dist/src/analyzers/install-scripts/install-script-analyzer.js +135 -0
  25. package/dist/src/analyzers/install-scripts/install-script-analyzer.js.map +1 -0
  26. package/dist/src/analyzers/reachability/import-graph.d.ts +9 -0
  27. package/dist/src/analyzers/reachability/import-graph.js +110 -0
  28. package/dist/src/analyzers/reachability/import-graph.js.map +1 -0
  29. package/dist/src/analyzers/reachability/reachability-analyzer.d.ts +16 -0
  30. package/dist/src/analyzers/reachability/reachability-analyzer.js +95 -0
  31. package/dist/src/analyzers/reachability/reachability-analyzer.js.map +1 -0
  32. package/dist/src/analyzers/vulnerability/osv-analyzer.d.ts +9 -0
  33. package/dist/src/analyzers/vulnerability/osv-analyzer.js +94 -0
  34. package/dist/src/analyzers/vulnerability/osv-analyzer.js.map +1 -0
  35. package/dist/src/analyzers/vulnerability/severity.d.ts +3 -0
  36. package/dist/src/analyzers/vulnerability/severity.js +13 -0
  37. package/dist/src/analyzers/vulnerability/severity.js.map +1 -0
  38. package/dist/src/application/analyzer-runner.d.ts +12 -0
  39. package/dist/src/application/analyzer-runner.js +45 -0
  40. package/dist/src/application/analyzer-runner.js.map +1 -0
  41. package/dist/src/commands/announce.d.ts +2 -0
  42. package/dist/src/commands/announce.js +27 -0
  43. package/dist/src/commands/announce.js.map +1 -0
  44. package/dist/src/commands/ast-scan.d.ts +2 -0
  45. package/dist/src/commands/ast-scan.js +86 -0
  46. package/dist/src/commands/ast-scan.js.map +1 -0
  47. package/dist/src/commands/audit-repo.d.ts +2 -0
  48. package/dist/src/commands/audit-repo.js +20 -0
  49. package/dist/src/commands/audit-repo.js.map +1 -0
  50. package/dist/src/commands/config.d.ts +2 -0
  51. package/dist/src/commands/config.js +69 -0
  52. package/dist/src/commands/config.js.map +1 -0
  53. package/dist/src/commands/dependency-confusion.d.ts +2 -0
  54. package/dist/src/commands/dependency-confusion.js +37 -0
  55. package/dist/src/commands/dependency-confusion.js.map +1 -0
  56. package/dist/src/commands/diff.d.ts +2 -0
  57. package/dist/src/commands/diff.js +24 -0
  58. package/dist/src/commands/diff.js.map +1 -0
  59. package/dist/src/commands/docker-scan.d.ts +2 -0
  60. package/dist/src/commands/docker-scan.js +34 -0
  61. package/dist/src/commands/docker-scan.js.map +1 -0
  62. package/dist/src/commands/git-history.d.ts +2 -0
  63. package/dist/src/commands/git-history.js +40 -0
  64. package/dist/src/commands/git-history.js.map +1 -0
  65. package/dist/src/commands/history.d.ts +2 -0
  66. package/dist/src/commands/history.js +69 -0
  67. package/dist/src/commands/history.js.map +1 -0
  68. package/dist/src/commands/install-scripts.d.ts +2 -0
  69. package/dist/src/commands/install-scripts.js +52 -0
  70. package/dist/src/commands/install-scripts.js.map +1 -0
  71. package/dist/src/commands/mcp.d.ts +2 -0
  72. package/dist/src/commands/mcp.js +10 -0
  73. package/dist/src/commands/mcp.js.map +1 -0
  74. package/dist/src/commands/monorepo.d.ts +2 -0
  75. package/dist/src/commands/monorepo.js +21 -0
  76. package/dist/src/commands/monorepo.js.map +1 -0
  77. package/dist/src/commands/package-health.d.ts +2 -0
  78. package/dist/src/commands/package-health.js +50 -0
  79. package/dist/src/commands/package-health.js.map +1 -0
  80. package/dist/src/commands/publish.d.ts +2 -0
  81. package/dist/src/commands/publish.js +25 -0
  82. package/dist/src/commands/publish.js.map +1 -0
  83. package/dist/src/commands/reachability.d.ts +2 -0
  84. package/dist/src/commands/reachability.js +47 -0
  85. package/dist/src/commands/reachability.js.map +1 -0
  86. package/dist/src/commands/sbom.d.ts +2 -0
  87. package/dist/src/commands/sbom.js +33 -0
  88. package/dist/src/commands/sbom.js.map +1 -0
  89. package/dist/src/commands/upgrade-pr.d.ts +2 -0
  90. package/dist/src/commands/upgrade-pr.js +15 -0
  91. package/dist/src/commands/upgrade-pr.js.map +1 -0
  92. package/dist/src/commands/vulnerabilities.d.ts +2 -0
  93. package/dist/src/commands/vulnerabilities.js +42 -0
  94. package/dist/src/commands/vulnerabilities.js.map +1 -0
  95. package/dist/src/commands/watch.d.ts +2 -0
  96. package/dist/src/commands/watch.js +34 -0
  97. package/dist/src/commands/watch.js.map +1 -0
  98. package/dist/src/contracts/analyzer.d.ts +23 -0
  99. package/dist/src/contracts/analyzer.js +2 -0
  100. package/dist/src/contracts/analyzer.js.map +1 -0
  101. package/dist/src/contracts/finding.d.ts +35 -0
  102. package/dist/src/contracts/finding.js +13 -0
  103. package/dist/src/contracts/finding.js.map +1 -0
  104. package/dist/src/contracts/report.d.ts +30 -0
  105. package/dist/src/contracts/report.js +2 -0
  106. package/dist/src/contracts/report.js.map +1 -0
  107. package/dist/src/contracts/rule.d.ts +12 -0
  108. package/dist/src/contracts/rule.js +7 -0
  109. package/dist/src/contracts/rule.js.map +1 -0
  110. package/dist/src/core/announce/generate.d.ts +9 -0
  111. package/dist/src/core/announce/generate.js +19 -0
  112. package/dist/src/core/announce/generate.js.map +1 -0
  113. package/dist/src/core/config/load.d.ts +3 -0
  114. package/dist/src/core/config/load.js +21 -0
  115. package/dist/src/core/config/load.js.map +1 -0
  116. package/dist/src/core/config/policy.d.ts +3 -0
  117. package/dist/src/core/config/policy.js +48 -0
  118. package/dist/src/core/config/policy.js.map +1 -0
  119. package/dist/src/core/config/schema.d.ts +172 -0
  120. package/dist/src/core/config/schema.js +84 -0
  121. package/dist/src/core/config/schema.js.map +1 -0
  122. package/dist/src/core/dependencies/inventory.d.ts +9 -0
  123. package/dist/src/core/dependencies/inventory.js +43 -0
  124. package/dist/src/core/dependencies/inventory.js.map +1 -0
  125. package/dist/src/core/diff/security-diff.d.ts +10 -0
  126. package/dist/src/core/diff/security-diff.js +20 -0
  127. package/dist/src/core/diff/security-diff.js.map +1 -0
  128. package/dist/src/core/github/remote-audit.d.ts +5 -0
  129. package/dist/src/core/github/remote-audit.js +28 -0
  130. package/dist/src/core/github/remote-audit.js.map +1 -0
  131. package/dist/src/core/github/upgrade-pr.d.ts +4 -0
  132. package/dist/src/core/github/upgrade-pr.js +41 -0
  133. package/dist/src/core/github/upgrade-pr.js.map +1 -0
  134. package/dist/src/core/history/git-metadata.d.ts +5 -0
  135. package/dist/src/core/history/git-metadata.js +37 -0
  136. package/dist/src/core/history/git-metadata.js.map +1 -0
  137. package/dist/src/core/history/store.d.ts +5 -0
  138. package/dist/src/core/history/store.js +65 -0
  139. package/dist/src/core/history/store.js.map +1 -0
  140. package/dist/src/core/history/types.d.ts +27 -0
  141. package/dist/src/core/history/types.js +2 -0
  142. package/dist/src/core/history/types.js.map +1 -0
  143. package/dist/src/core/monorepo/discover.d.ts +7 -0
  144. package/dist/src/core/monorepo/discover.js +49 -0
  145. package/dist/src/core/monorepo/discover.js.map +1 -0
  146. package/dist/src/core/publish/html.d.ts +6 -0
  147. package/dist/src/core/publish/html.js +44 -0
  148. package/dist/src/core/publish/html.js.map +1 -0
  149. package/dist/src/core/sbom/generate.d.ts +2 -0
  150. package/dist/src/core/sbom/generate.js +120 -0
  151. package/dist/src/core/sbom/generate.js.map +1 -0
  152. package/dist/src/core/security-doctor.js +19 -5
  153. package/dist/src/core/security-doctor.js.map +1 -1
  154. package/dist/src/core/watch/watch.d.ts +5 -0
  155. package/dist/src/core/watch/watch.js +49 -0
  156. package/dist/src/core/watch/watch.js.map +1 -0
  157. package/dist/src/index.js +38 -0
  158. package/dist/src/index.js.map +1 -1
  159. package/dist/src/mcp/server.d.ts +1 -0
  160. package/dist/src/mcp/server.js +64 -0
  161. package/dist/src/mcp/server.js.map +1 -0
  162. package/dist/src/providers/depsdev/client.d.ts +71 -0
  163. package/dist/src/providers/depsdev/client.js +44 -0
  164. package/dist/src/providers/depsdev/client.js.map +1 -0
  165. package/dist/src/providers/osv/client.d.ts +15 -0
  166. package/dist/src/providers/osv/client.js +51 -0
  167. package/dist/src/providers/osv/client.js.map +1 -0
  168. package/dist/src/providers/osv/types.d.ts +38 -0
  169. package/dist/src/providers/osv/types.js +2 -0
  170. package/dist/src/providers/osv/types.js.map +1 -0
  171. package/dist/src/storage/memory-cache.d.ts +7 -0
  172. package/dist/src/storage/memory-cache.js +25 -0
  173. package/dist/src/storage/memory-cache.js.map +1 -0
  174. package/package.json +5 -3
@@ -0,0 +1,94 @@
1
+ import { performance } from 'node:perf_hooks';
2
+ import { readNpmDependencyInventory } from '../../core/dependencies/inventory.js';
3
+ import { OsvClient } from '../../providers/osv/client.js';
4
+ import { mapOsvSeverity } from './severity.js';
5
+ function fixedVersions(vulnerability) {
6
+ const versions = new Set();
7
+ for (const affected of vulnerability.affected ?? []) {
8
+ for (const range of affected.ranges ?? []) {
9
+ for (const event of range.events ?? [])
10
+ if (event.fixed)
11
+ versions.add(event.fixed);
12
+ }
13
+ }
14
+ return [...versions];
15
+ }
16
+ function toFinding(dependency, vulnerability) {
17
+ const fixes = fixedVersions(vulnerability);
18
+ return {
19
+ id: `TLP-CVE-${dependency.name}-${vulnerability.id}`.toUpperCase().replaceAll(/[^A-Z0-9-]/g, '-'),
20
+ ruleId: 'TLP-CVE-001',
21
+ title: vulnerability.summary ?? `Known vulnerability in ${dependency.name}`,
22
+ category: 'vulnerability',
23
+ severity: mapOsvSeverity(vulnerability),
24
+ confidence: 'high',
25
+ message: `${dependency.name}@${dependency.version} matches ${vulnerability.id} in OSV.`,
26
+ source: 'osv',
27
+ evidence: [{
28
+ summary: `${dependency.name}@${dependency.version} is resolved in package-lock.json.`,
29
+ fingerprint: `npm:${dependency.name}@${dependency.version}:${vulnerability.id}`
30
+ }],
31
+ remediation: {
32
+ summary: fixes.length > 0
33
+ ? `Upgrade ${dependency.name} to a fixed version: ${fixes.join(', ')}.`
34
+ : `Review ${vulnerability.id} and upgrade or replace ${dependency.name} when a fix is available.`,
35
+ fixedVersion: fixes[0],
36
+ references: (vulnerability.references ?? [])
37
+ .map((reference) => reference.url)
38
+ .filter((url) => Boolean(url))
39
+ .slice(0, 10)
40
+ },
41
+ metadata: {
42
+ package: dependency.name,
43
+ installedVersion: dependency.version,
44
+ direct: dependency.direct,
45
+ development: dependency.development,
46
+ vulnerabilityId: vulnerability.id,
47
+ aliases: vulnerability.aliases ?? []
48
+ }
49
+ };
50
+ }
51
+ export class OsvVulnerabilityAnalyzer {
52
+ client;
53
+ id = 'osv-vulnerability';
54
+ version = '1.0.0';
55
+ constructor(client = new OsvClient()) {
56
+ this.client = client;
57
+ }
58
+ async analyze(context) {
59
+ const startedAt = performance.now();
60
+ const dependencies = await readNpmDependencyInventory(context.root);
61
+ const cachedResults = [];
62
+ const uncached = [];
63
+ for (const dependency of dependencies) {
64
+ const key = `osv:v1:npm:${dependency.name}@${dependency.version}`;
65
+ const cached = await context.cache?.get(key);
66
+ if (cached)
67
+ cachedResults.push(cached);
68
+ else
69
+ uncached.push(dependency);
70
+ }
71
+ const freshResults = uncached.length === 0 ? [] : await this.client.queryBatch(uncached.map((dependency) => ({
72
+ package: { ecosystem: 'npm', name: dependency.name },
73
+ version: dependency.version
74
+ })), context.signal);
75
+ for (const result of freshResults) {
76
+ await context.cache?.set(`osv:v1:npm:${result.query.package.name}@${result.query.version}`, result, 6 * 60 * 60 * 1000);
77
+ }
78
+ const queryResults = [...cachedResults, ...freshResults];
79
+ const findings = queryResults.flatMap((result) => {
80
+ const dependency = dependencies.find((item) => item.name === result.query.package.name && item.version === result.query.version);
81
+ return dependency ? result.vulnerabilities.map((vulnerability) => toFinding(dependency, vulnerability)) : [];
82
+ });
83
+ return {
84
+ analyzer: this.id,
85
+ durationMs: Math.round(performance.now() - startedAt),
86
+ findings,
87
+ metadata: {
88
+ dependenciesChecked: dependencies.length,
89
+ vulnerabilities: findings.length
90
+ }
91
+ };
92
+ }
93
+ }
94
+ //# sourceMappingURL=osv-analyzer.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"osv-analyzer.js","sourceRoot":"","sources":["../../../../src/analyzers/vulnerability/osv-analyzer.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAG9C,OAAO,EAAE,0BAA0B,EAA2B,MAAM,sCAAsC,CAAC;AAC3G,OAAO,EAAE,SAAS,EAAuB,MAAM,+BAA+B,CAAC;AAE/E,OAAO,EAAE,cAAc,EAAE,MAAM,eAAe,CAAC;AAE/C,SAAS,aAAa,CAAC,aAA+B;IACpD,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IACnC,KAAK,MAAM,QAAQ,IAAI,aAAa,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;QACpD,KAAK,MAAM,KAAK,IAAI,QAAQ,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC1C,KAAK,MAAM,KAAK,IAAI,KAAK,CAAC,MAAM,IAAI,EAAE;gBAAE,IAAI,KAAK,CAAC,KAAK;oBAAE,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QACrF,CAAC;IACH,CAAC;IACD,OAAO,CAAC,GAAG,QAAQ,CAAC,CAAC;AACvB,CAAC;AAED,SAAS,SAAS,CAAC,UAA8B,EAAE,aAA+B;IAChF,MAAM,KAAK,GAAG,aAAa,CAAC,aAAa,CAAC,CAAC;IAC3C,OAAO;QACL,EAAE,EAAE,WAAW,UAAU,CAAC,IAAI,IAAI,aAAa,CAAC,EAAE,EAAE,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,aAAa,EAAE,GAAG,CAAC;QACjG,MAAM,EAAE,aAAa;QACrB,KAAK,EAAE,aAAa,CAAC,OAAO,IAAI,0BAA0B,UAAU,CAAC,IAAI,EAAE;QAC3E,QAAQ,EAAE,eAAe;QACzB,QAAQ,EAAE,cAAc,CAAC,aAAa,CAAC;QACvC,UAAU,EAAE,MAAM;QAClB,OAAO,EAAE,GAAG,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,YAAY,aAAa,CAAC,EAAE,UAAU;QACvF,MAAM,EAAE,KAAK;QACb,QAAQ,EAAE,CAAC;gBACT,OAAO,EAAE,GAAG,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,oCAAoC;gBACrF,WAAW,EAAE,OAAO,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,IAAI,aAAa,CAAC,EAAE,EAAE;aAChF,CAAC;QACF,WAAW,EAAE;YACX,OAAO,EAAE,KAAK,CAAC,MAAM,GAAG,CAAC;gBACvB,CAAC,CAAC,WAAW,UAAU,CAAC,IAAI,wBAAwB,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG;gBACvE,CAAC,CAAC,UAAU,aAAa,CAAC,EAAE,2BAA2B,UAAU,CAAC,IAAI,2BAA2B;YACnG,YAAY,EAAE,KAAK,CAAC,CAAC,CAAC;YACtB,UAAU,EAAE,CAAC,aAAa,CAAC,UAAU,IAAI,EAAE,CAAC;iBACzC,GAAG,CAAC,CAAC,SAAS,EAAE,EAAE,CAAC,SAAS,CAAC,GAAG,CAAC;iBACjC,MAAM,CAAC,CAAC,GAAG,EAAiB,EAAE,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC;iBAC5C,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC;SAChB;QACD,QAAQ,EAAE;YACR,OAAO,EAAE,UAAU,CAAC,IAAI;YACxB,gBAAgB,EAAE,UAAU,CAAC,OAAO;YACpC,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,WAAW,EAAE,UAAU,CAAC,WAAW;YACnC,eAAe,EAAE,aAAa,CAAC,EAAE;YACjC,OAAO,EAAE,aAAa,CAAC,OAAO,IAAI,EAAE;SACrC;KACF,CAAC;AACJ,CAAC;AAED,MAAM,OAAO,wBAAwB;IAIN;IAHpB,EAAE,GAAG,mBAAmB,CAAC;IACzB,OAAO,GAAG,OAAO,CAAC;IAE3B,YAA6B,SAAS,IAAI,SAAS,EAAE;QAAxB,WAAM,GAAN,MAAM,CAAkB;IAAG,CAAC;IAEzD,KAAK,CAAC,OAAO,CAAC,OAAwB;QACpC,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QACpC,MAAM,YAAY,GAAG,MAAM,0BAA0B,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACpE,MAAM,aAAa,GAAqB,EAAE,CAAC;QAC3C,MAAM,QAAQ,GAAyB,EAAE,CAAC;QAE1C,KAAK,MAAM,UAAU,IAAI,YAAY,EAAE,CAAC;YACtC,MAAM,GAAG,GAAG,cAAc,UAAU,CAAC,IAAI,IAAI,UAAU,CAAC,OAAO,EAAE,CAAC;YAClE,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,KAAK,EAAE,GAAG,CAAiB,GAAG,CAAC,CAAC;YAC7D,IAAI,MAAM;gBAAE,aAAa,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;;gBAClC,QAAQ,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACjC,CAAC;QAED,MAAM,YAAY,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,IAAI,CAAC,MAAM,CAAC,UAAU,CAC5E,QAAQ,CAAC,GAAG,CAAC,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;YAC5B,OAAO,EAAE,EAAE,SAAS,EAAE,KAAc,EAAE,IAAI,EAAE,UAAU,CAAC,IAAI,EAAE;YAC7D,OAAO,EAAE,UAAU,CAAC,OAAO;SAC5B,CAAC,CAAC,EACH,OAAO,CAAC,MAAM,CACf,CAAC;QAEF,KAAK,MAAM,MAAM,IAAI,YAAY,EAAE,CAAC;YAClC,MAAM,OAAO,CAAC,KAAK,EAAE,GAAG,CACtB,cAAc,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,EAAE,EACjE,MAAM,EACN,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CACnB,CAAC;QACJ,CAAC;QAED,MAAM,YAAY,GAAG,CAAC,GAAG,aAAa,EAAE,GAAG,YAAY,CAAC,CAAC;QACzD,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,CAAC,MAAM,EAAE,EAAE;YAC/C,MAAM,UAAU,GAAG,YAAY,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAC5C,IAAI,CAAC,IAAI,KAAK,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,KAAK,MAAM,CAAC,KAAK,CAAC,OAAO,CACjF,CAAC;YACF,OAAO,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC,eAAe,CAAC,GAAG,CAAC,CAAC,aAAa,EAAE,EAAE,CAAC,SAAS,CAAC,UAAU,EAAE,aAAa,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QAC/G,CAAC,CAAC,CAAC;QAEH,OAAO;YACL,QAAQ,EAAE,IAAI,CAAC,EAAE;YACjB,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;YACrD,QAAQ;YACR,QAAQ,EAAE;gBACR,mBAAmB,EAAE,YAAY,CAAC,MAAM;gBACxC,eAAe,EAAE,QAAQ,CAAC,MAAM;aACjC;SACF,CAAC;IACJ,CAAC;CACF"}
@@ -0,0 +1,3 @@
1
+ import type { FindingSeverity } from '../../contracts/finding.js';
2
+ import type { OsvVulnerability } from '../../providers/osv/types.js';
3
+ export declare function mapOsvSeverity(vulnerability: OsvVulnerability): FindingSeverity;
@@ -0,0 +1,13 @@
1
+ export function mapOsvSeverity(vulnerability) {
2
+ const databaseSeverity = vulnerability.database_specific?.severity;
3
+ if (typeof databaseSeverity === 'string') {
4
+ const normalized = databaseSeverity.toLowerCase();
5
+ if (normalized === 'critical' || normalized === 'high' || normalized === 'medium' || normalized === 'low') {
6
+ return normalized;
7
+ }
8
+ if (normalized === 'moderate')
9
+ return 'medium';
10
+ }
11
+ return 'medium';
12
+ }
13
+ //# sourceMappingURL=severity.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"severity.js","sourceRoot":"","sources":["../../../../src/analyzers/vulnerability/severity.ts"],"names":[],"mappings":"AAGA,MAAM,UAAU,cAAc,CAAC,aAA+B;IAC5D,MAAM,gBAAgB,GAAG,aAAa,CAAC,iBAAiB,EAAE,QAAQ,CAAC;IACnE,IAAI,OAAO,gBAAgB,KAAK,QAAQ,EAAE,CAAC;QACzC,MAAM,UAAU,GAAG,gBAAgB,CAAC,WAAW,EAAE,CAAC;QAClD,IAAI,UAAU,KAAK,UAAU,IAAI,UAAU,KAAK,MAAM,IAAI,UAAU,KAAK,QAAQ,IAAI,UAAU,KAAK,KAAK,EAAE,CAAC;YAC1G,OAAO,UAAU,CAAC;QACpB,CAAC;QACD,IAAI,UAAU,KAAK,UAAU;YAAE,OAAO,QAAQ,CAAC;IACjD,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -0,0 +1,12 @@
1
+ import type { Analyzer, AnalyzerContext, AnalyzerResult } from '../contracts/analyzer.js';
2
+ export type AnalyzerRunnerOptions = {
3
+ concurrency?: number;
4
+ timeoutMs?: number;
5
+ };
6
+ export declare class AnalyzerRunner {
7
+ private readonly concurrency;
8
+ private readonly timeoutMs;
9
+ constructor(options?: AnalyzerRunnerOptions);
10
+ run(analyzers: Analyzer[], context: AnalyzerContext): Promise<AnalyzerResult[]>;
11
+ private runOne;
12
+ }
@@ -0,0 +1,45 @@
1
+ import { performance } from 'node:perf_hooks';
2
+ export class AnalyzerRunner {
3
+ concurrency;
4
+ timeoutMs;
5
+ constructor(options = {}) {
6
+ this.concurrency = Math.max(1, options.concurrency ?? 4);
7
+ this.timeoutMs = Math.max(1_000, options.timeoutMs ?? 30_000);
8
+ }
9
+ async run(analyzers, context) {
10
+ const results = [];
11
+ let cursor = 0;
12
+ const worker = async () => {
13
+ while (cursor < analyzers.length) {
14
+ const analyzer = analyzers[cursor];
15
+ cursor += 1;
16
+ if (!analyzer) {
17
+ return;
18
+ }
19
+ results.push(await this.runOne(analyzer, context));
20
+ }
21
+ };
22
+ await Promise.all(Array.from({ length: Math.min(this.concurrency, analyzers.length) }, () => worker()));
23
+ return results;
24
+ }
25
+ async runOne(analyzer, context) {
26
+ const controller = new AbortController();
27
+ const timeout = setTimeout(() => controller.abort(), this.timeoutMs);
28
+ const startedAt = performance.now();
29
+ try {
30
+ const result = await analyzer.analyze({
31
+ ...context,
32
+ signal: controller.signal
33
+ });
34
+ return {
35
+ ...result,
36
+ analyzer: analyzer.id,
37
+ durationMs: Math.round(performance.now() - startedAt)
38
+ };
39
+ }
40
+ finally {
41
+ clearTimeout(timeout);
42
+ }
43
+ }
44
+ }
45
+ //# sourceMappingURL=analyzer-runner.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"analyzer-runner.js","sourceRoot":"","sources":["../../../src/application/analyzer-runner.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,MAAM,iBAAiB,CAAC;AAY9C,MAAM,OAAO,cAAc;IACR,WAAW,CAAS;IACpB,SAAS,CAAS;IAEnC,YAAY,UAAiC,EAAE;QAC7C,IAAI,CAAC,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,OAAO,CAAC,WAAW,IAAI,CAAC,CAAC,CAAC;QACzD,IAAI,CAAC,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,KAAK,EAAE,OAAO,CAAC,SAAS,IAAI,MAAM,CAAC,CAAC;IAChE,CAAC;IAED,KAAK,CAAC,GAAG,CACP,SAAqB,EACrB,OAAwB;QAExB,MAAM,OAAO,GAAqB,EAAE,CAAC;QACrC,IAAI,MAAM,GAAG,CAAC,CAAC;QAEf,MAAM,MAAM,GAAG,KAAK,IAAmB,EAAE;YACvC,OAAO,MAAM,GAAG,SAAS,CAAC,MAAM,EAAE,CAAC;gBACjC,MAAM,QAAQ,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC;gBACnC,MAAM,IAAI,CAAC,CAAC;gBAEZ,IAAI,CAAC,QAAQ,EAAE,CAAC;oBACd,OAAO;gBACT,CAAC;gBAED,OAAO,CAAC,IAAI,CACV,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,CACrC,CAAC;YACJ,CAAC;QACH,CAAC,CAAC;QAEF,MAAM,OAAO,CAAC,GAAG,CACf,KAAK,CAAC,IAAI,CACR,EAAE,MAAM,EAAE,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,SAAS,CAAC,MAAM,CAAC,EAAE,EACxD,GAAG,EAAE,CAAC,MAAM,EAAE,CACf,CACF,CAAC;QAEF,OAAO,OAAO,CAAC;IACjB,CAAC;IAEO,KAAK,CAAC,MAAM,CAClB,QAAkB,EAClB,OAAwB;QAExB,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CACxB,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EACxB,IAAI,CAAC,SAAS,CACf,CAAC;QACF,MAAM,SAAS,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC;QAEpC,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC;gBACpC,GAAG,OAAO;gBACV,MAAM,EAAE,UAAU,CAAC,MAAM;aAC1B,CAAC,CAAC;YAEH,OAAO;gBACL,GAAG,MAAM;gBACT,QAAQ,EAAE,QAAQ,CAAC,EAAE;gBACrB,UAAU,EAAE,IAAI,CAAC,KAAK,CAAC,WAAW,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;aACtD,CAAC;QACJ,CAAC;gBAAS,CAAC;YACT,YAAY,CAAC,OAAO,CAAC,CAAC;QACxB,CAAC;IACH,CAAC;CACF"}
@@ -0,0 +1,2 @@
1
+ import type { Command } from 'commander';
2
+ export declare function registerAnnounceCommand(program: Command): void;
@@ -0,0 +1,27 @@
1
+ import { generateAnnouncement } from '../core/announce/generate.js';
2
+ export function registerAnnounceCommand(program) {
3
+ program
4
+ .command('announce')
5
+ .description('Generate a deterministic plain-language security update.')
6
+ .option('--version <version>', 'Release version.')
7
+ .option('--fixed <number>', 'Fixed findings.', '0')
8
+ .option('--added <number>', 'New findings.', '0')
9
+ .option('--removed <number>', 'Removed findings.', '0')
10
+ .option('--score-before <number>', 'Previous score.')
11
+ .option('--score-after <number>', 'Current score.')
12
+ .action((options) => {
13
+ console.log(generateAnnouncement({
14
+ version: options.version,
15
+ fixed: Number(options.fixed ?? 0),
16
+ added: Number(options.added ?? 0),
17
+ removed: Number(options.removed ?? 0),
18
+ scoreBefore: options.scoreBefore === undefined
19
+ ? undefined
20
+ : Number(options.scoreBefore),
21
+ scoreAfter: options.scoreAfter === undefined
22
+ ? undefined
23
+ : Number(options.scoreAfter)
24
+ }));
25
+ });
26
+ }
27
+ //# sourceMappingURL=announce.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"announce.js","sourceRoot":"","sources":["../../../src/commands/announce.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,oBAAoB,EAAE,MAAM,8BAA8B,CAAC;AAEpE,MAAM,UAAU,uBAAuB,CAAC,OAAgB;IACtD,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,WAAW,CAAC,0DAA0D,CAAC;SACvE,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;SACjD,MAAM,CAAC,kBAAkB,EAAE,iBAAiB,EAAE,GAAG,CAAC;SAClD,MAAM,CAAC,kBAAkB,EAAE,eAAe,EAAE,GAAG,CAAC;SAChD,MAAM,CAAC,oBAAoB,EAAE,mBAAmB,EAAE,GAAG,CAAC;SACtD,MAAM,CAAC,yBAAyB,EAAE,iBAAiB,CAAC;SACpD,MAAM,CAAC,wBAAwB,EAAE,gBAAgB,CAAC;SAClD,MAAM,CAAC,CAAC,OAA2C,EAAE,EAAE;QACtD,OAAO,CAAC,GAAG,CACT,oBAAoB,CAAC;YACnB,OAAO,EAAE,OAAO,CAAC,OAAO;YACxB,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC;YACjC,KAAK,EAAE,MAAM,CAAC,OAAO,CAAC,KAAK,IAAI,CAAC,CAAC;YACjC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,OAAO,IAAI,CAAC,CAAC;YACrC,WAAW,EACT,OAAO,CAAC,WAAW,KAAK,SAAS;gBAC/B,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;YACjC,UAAU,EACR,OAAO,CAAC,UAAU,KAAK,SAAS;gBAC9B,CAAC,CAAC,SAAS;gBACX,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,UAAU,CAAC;SACjC,CAAC,CACH,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC"}
@@ -0,0 +1,2 @@
1
+ import type { Command } from 'commander';
2
+ export declare function registerAstScanCommand(program: Command): void;
@@ -0,0 +1,86 @@
1
+ import { AnalyzerRunner } from '../application/analyzer-runner.js';
2
+ import { AstSecurityAnalyzer } from '../analyzers/ast/ast-security-analyzer.js';
3
+ const severityOrder = {
4
+ critical: 4,
5
+ high: 3,
6
+ medium: 2,
7
+ low: 1,
8
+ info: 0
9
+ };
10
+ function shouldFail(findings, failOn) {
11
+ if (!failOn || failOn === 'none') {
12
+ return false;
13
+ }
14
+ const threshold = severityOrder[failOn];
15
+ return findings.some((finding) => severityOrder[finding.severity] >= threshold);
16
+ }
17
+ function printFinding(finding) {
18
+ console.log(`[${finding.severity.toUpperCase()}] ${finding.ruleId} ${finding.title}`);
19
+ if (finding.location) {
20
+ console.log(`Location: ${finding.location.file}:` +
21
+ `${finding.location.line ?? 1}:` +
22
+ `${finding.location.column ?? 1}`);
23
+ }
24
+ console.log(`Message: ${finding.message}`);
25
+ if (finding.remediation?.summary) {
26
+ console.log(`Fix: ${finding.remediation.summary}`);
27
+ }
28
+ console.log('');
29
+ }
30
+ export function registerAstScanCommand(program) {
31
+ program
32
+ .command('ast-scan')
33
+ .description('Run TypeScript Compiler API security analysis on JavaScript and TypeScript source files.')
34
+ .option('-p, --path <path>', 'Project path to inspect.', process.cwd())
35
+ .option('--json', 'Print structured JSON output.')
36
+ .option('--fail-on <severity>', 'Exit non-zero at or above: critical, high, medium, low, none.', 'high')
37
+ .action(async (options) => {
38
+ const runner = new AnalyzerRunner({
39
+ concurrency: 1,
40
+ timeoutMs: 60_000
41
+ });
42
+ const [result] = await runner.run([new AstSecurityAnalyzer()], {
43
+ root: options.path
44
+ });
45
+ if (!result) {
46
+ throw new Error('The AST security analyzer returned no result.');
47
+ }
48
+ if (options.json) {
49
+ console.log(JSON.stringify({
50
+ analyzer: result.analyzer,
51
+ durationMs: result.durationMs,
52
+ summary: {
53
+ filesAnalyzed: result.metadata?.filesAnalyzed ?? 0,
54
+ findings: result.findings.length,
55
+ warnings: result.warnings?.length ?? 0
56
+ },
57
+ findings: result.findings,
58
+ warnings: result.warnings ?? []
59
+ }, null, 2));
60
+ }
61
+ else {
62
+ console.log('Toolip AST Security Analysis');
63
+ console.log('');
64
+ console.log(`Files analyzed: ${result.metadata?.filesAnalyzed ?? 0}`);
65
+ console.log(`Findings: ${result.findings.length}`);
66
+ console.log('');
67
+ for (const finding of result.findings) {
68
+ printFinding(finding);
69
+ }
70
+ if (result.findings.length === 0) {
71
+ console.log('No supported dangerous-code patterns were resolved through the AST.');
72
+ }
73
+ if ((result.warnings?.length ?? 0) > 0) {
74
+ console.log('');
75
+ console.log('Warnings');
76
+ for (const warning of result.warnings ?? []) {
77
+ console.log(`- ${warning}`);
78
+ }
79
+ }
80
+ }
81
+ if (shouldFail(result.findings, options.failOn)) {
82
+ process.exitCode = 2;
83
+ }
84
+ });
85
+ }
86
+ //# sourceMappingURL=ast-scan.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"ast-scan.js","sourceRoot":"","sources":["../../../src/commands/ast-scan.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EAAE,mBAAmB,EAAE,MAAM,2CAA2C,CAAC;AAShF,MAAM,aAAa,GAAG;IACpB,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACC,CAAC;AAEX,SAAS,UAAU,CACjB,QAAmB,EACnB,MAAgC;IAEhC,IAAI,CAAC,MAAM,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACjC,OAAO,KAAK,CAAC;IACf,CAAC;IAED,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC;IAExC,OAAO,QAAQ,CAAC,IAAI,CAClB,CAAC,OAAO,EAAE,EAAE,CACV,aAAa,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,SAAS,CAC/C,CAAC;AACJ,CAAC;AAED,SAAS,YAAY,CAAC,OAAgB;IACpC,OAAO,CAAC,GAAG,CACT,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,MAAM,IAAI,OAAO,CAAC,KAAK,EAAE,CACzE,CAAC;IAEF,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAC;QACrB,OAAO,CAAC,GAAG,CACT,aAAa,OAAO,CAAC,QAAQ,CAAC,IAAI,GAAG;YACrC,GAAG,OAAO,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,GAAG;YAChC,GAAG,OAAO,CAAC,QAAQ,CAAC,MAAM,IAAI,CAAC,EAAE,CAClC,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,YAAY,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAE3C,IAAI,OAAO,CAAC,WAAW,EAAE,OAAO,EAAE,CAAC;QACjC,OAAO,CAAC,GAAG,CACT,QAAQ,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,CACtC,CAAC;IACJ,CAAC;IAED,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,sBAAsB,CACpC,OAAgB;IAEhB,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,WAAW,CACV,0FAA0F,CAC3F;SACA,MAAM,CACL,mBAAmB,EACnB,0BAA0B,EAC1B,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,QAAQ,EAAE,+BAA+B,CAAC;SACjD,MAAM,CACL,sBAAsB,EACtB,+DAA+D,EAC/D,MAAM,CACP;SACA,MAAM,CAAC,KAAK,EAAE,OAAuB,EAAE,EAAE;QACxC,MAAM,MAAM,GAAG,IAAI,cAAc,CAAC;YAChC,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,MAAM;SAClB,CAAC,CAAC;QAEH,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,MAAM,CAAC,GAAG,CAC/B,CAAC,IAAI,mBAAmB,EAAE,CAAC,EAC3B;YACE,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CACF,CAAC;QAEF,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,+CAA+C,CAChD,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CACZ;gBACE,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,UAAU,EAAE,MAAM,CAAC,UAAU;gBAC7B,OAAO,EAAE;oBACP,aAAa,EACX,MAAM,CAAC,QAAQ,EAAE,aAAa,IAAI,CAAC;oBACrC,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,MAAM;oBAChC,QAAQ,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC;iBACvC;gBACD,QAAQ,EAAE,MAAM,CAAC,QAAQ;gBACzB,QAAQ,EAAE,MAAM,CAAC,QAAQ,IAAI,EAAE;aAChC,EACD,IAAI,EACJ,CAAC,CACF,CACF,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,8BAA8B,CAAC,CAAC;YAC5C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CACT,mBACE,MAAM,CAAC,QAAQ,EAAE,aAAa,IAAI,CACpC,EAAE,CACH,CAAC;YACF,OAAO,CAAC,GAAG,CACT,aAAa,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CACtC,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAEhB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;gBACtC,YAAY,CAAC,OAAO,CAAC,CAAC;YACxB,CAAC;YAED,IAAI,MAAM,CAAC,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBACjC,OAAO,CAAC,GAAG,CACT,qEAAqE,CACtE,CAAC;YACJ,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,QAAQ,EAAE,MAAM,IAAI,CAAC,CAAC,GAAG,CAAC,EAAE,CAAC;gBACvC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;gBAChB,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBAExB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,IAAI,EAAE,EAAE,CAAC;oBAC5C,OAAO,CAAC,GAAG,CAAC,KAAK,OAAO,EAAE,CAAC,CAAC;gBAC9B,CAAC;YACH,CAAC;QACH,CAAC;QAED,IACE,UAAU,CACR,MAAM,CAAC,QAAQ,EACf,OAAO,CAAC,MAAM,CACf,EACD,CAAC;YACD,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QACvB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
@@ -0,0 +1,2 @@
1
+ import type { Command } from 'commander';
2
+ export declare function registerAuditRepoCommand(program: Command): void;
@@ -0,0 +1,20 @@
1
+ import { auditRemoteRepository } from '../core/github/remote-audit.js';
2
+ export function registerAuditRepoCommand(program) {
3
+ program
4
+ .command('audit-repo <url>')
5
+ .description('Audit a public GitHub repository through the authenticated gh CLI.')
6
+ .option('--json', 'Print JSON.')
7
+ .action(async (url, options) => {
8
+ const result = await auditRemoteRepository(url);
9
+ if (options.json) {
10
+ console.log(JSON.stringify(result, null, 2));
11
+ return;
12
+ }
13
+ console.log('Toolip Remote Repository Audit');
14
+ console.log('');
15
+ console.log(`Repository: ${result.repository}`);
16
+ console.log(`Findings: ${result.report.findings.length}`);
17
+ console.log(`Critical: ${result.report.summary.secrets}`);
18
+ });
19
+ }
20
+ //# sourceMappingURL=audit-repo.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"audit-repo.js","sourceRoot":"","sources":["../../../src/commands/audit-repo.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,qBAAqB,EAAE,MAAM,gCAAgC,CAAC;AAEvE,MAAM,UAAU,wBAAwB,CAAC,OAAgB;IACvD,OAAO;SACJ,OAAO,CAAC,kBAAkB,CAAC;SAC3B,WAAW,CAAC,oEAAoE,CAAC;SACjF,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CAAC,KAAK,EAAE,GAAW,EAAE,OAA2B,EAAE,EAAE;QACzD,MAAM,MAAM,GAAG,MAAM,qBAAqB,CAAC,GAAG,CAAC,CAAC;QAEhD,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,gCAAgC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,eAAe,MAAM,CAAC,UAAU,EAAE,CAAC,CAAC;QAChD,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QAC1D,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;IAC5D,CAAC,CAAC,CAAC;AACP,CAAC"}
@@ -0,0 +1,2 @@
1
+ import type { Command } from 'commander';
2
+ export declare function registerConfigCommand(program: Command): void;
@@ -0,0 +1,69 @@
1
+ import { access, writeFile } from 'node:fs/promises';
2
+ import path from 'node:path';
3
+ import { loadToolipConfig, TOOLIP_CONFIG_FILE } from '../core/config/load.js';
4
+ async function exists(filePath) {
5
+ try {
6
+ await access(filePath);
7
+ return true;
8
+ }
9
+ catch {
10
+ return false;
11
+ }
12
+ }
13
+ export function registerConfigCommand(program) {
14
+ const command = program
15
+ .command('config')
16
+ .description('Initialize and validate Toolip project configuration.');
17
+ command
18
+ .command('init')
19
+ .option('-p, --path <path>', 'Project path.', process.cwd())
20
+ .option('--force', 'Replace an existing configuration.')
21
+ .action(async (options) => {
22
+ const filePath = path.join(options.path, TOOLIP_CONFIG_FILE);
23
+ if (!options.force &&
24
+ await exists(filePath)) {
25
+ throw new Error(`${TOOLIP_CONFIG_FILE} already exists.`);
26
+ }
27
+ const config = {
28
+ schemaVersion: '1.0',
29
+ include: [],
30
+ exclude: [
31
+ 'dist/**',
32
+ 'coverage/**'
33
+ ],
34
+ rules: {},
35
+ suppressions: [],
36
+ history: {
37
+ enabled: true,
38
+ maxEntries: 500
39
+ },
40
+ providers: {
41
+ osv: {
42
+ enabled: true,
43
+ timeoutMs: 20000
44
+ },
45
+ depsDev: {
46
+ enabled: true,
47
+ timeoutMs: 20000
48
+ }
49
+ }
50
+ };
51
+ await writeFile(filePath, `${JSON.stringify(config, null, 2)}\n`, 'utf8');
52
+ console.log(`Created ${filePath}`);
53
+ });
54
+ command
55
+ .command('validate')
56
+ .option('-p, --path <path>', 'Project path.', process.cwd())
57
+ .action(async (options) => {
58
+ await loadToolipConfig(options.path);
59
+ console.log('Toolip configuration is valid.');
60
+ });
61
+ command
62
+ .command('show')
63
+ .option('-p, --path <path>', 'Project path.', process.cwd())
64
+ .action(async (options) => {
65
+ const config = await loadToolipConfig(options.path);
66
+ console.log(JSON.stringify(config, null, 2));
67
+ });
68
+ }
69
+ //# sourceMappingURL=config.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"config.js","sourceRoot":"","sources":["../../../src/commands/config.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,MAAM,EACN,SAAS,EACV,MAAM,kBAAkB,CAAC;AAC1B,OAAO,IAAI,MAAM,WAAW,CAAC;AAE7B,OAAO,EACL,gBAAgB,EAChB,kBAAkB,EACnB,MAAM,wBAAwB,CAAC;AAEhC,KAAK,UAAU,MAAM,CACnB,QAAgB;IAEhB,IAAI,CAAC;QACH,MAAM,MAAM,CAAC,QAAQ,CAAC,CAAC;QACvB,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED,MAAM,UAAU,qBAAqB,CACnC,OAAgB;IAEhB,MAAM,OAAO,GAAG,OAAO;SACpB,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CACV,uDAAuD,CACxD,CAAC;IAEJ,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CACL,SAAS,EACT,oCAAoC,CACrC;SACA,MAAM,CACL,KAAK,EACH,OAGC,EACD,EAAE;QACF,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CACxB,OAAO,CAAC,IAAI,EACZ,kBAAkB,CACnB,CAAC;QAEF,IACE,CAAC,OAAO,CAAC,KAAK;YACd,MAAM,MAAM,CAAC,QAAQ,CAAC,EACtB,CAAC;YACD,MAAM,IAAI,KAAK,CACb,GAAG,kBAAkB,kBAAkB,CACxC,CAAC;QACJ,CAAC;QAED,MAAM,MAAM,GAAG;YACb,aAAa,EAAE,KAAK;YACpB,OAAO,EAAE,EAAE;YACX,OAAO,EAAE;gBACP,SAAS;gBACT,aAAa;aACd;YACD,KAAK,EAAE,EAAE;YACT,YAAY,EAAE,EAAE;YAChB,OAAO,EAAE;gBACP,OAAO,EAAE,IAAI;gBACb,UAAU,EAAE,GAAG;aAChB;YACD,SAAS,EAAE;gBACT,GAAG,EAAE;oBACH,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,KAAK;iBACjB;gBACD,OAAO,EAAE;oBACP,OAAO,EAAE,IAAI;oBACb,SAAS,EAAE,KAAK;iBACjB;aACF;SACF,CAAC;QAEF,MAAM,SAAS,CACb,QAAQ,EACR,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EACtC,MAAM,CACP,CAAC;QAEF,OAAO,CAAC,GAAG,CACT,WAAW,QAAQ,EAAE,CACtB,CAAC;IACJ,CAAC,CACF,CAAC;IAEJ,OAAO;SACJ,OAAO,CAAC,UAAU,CAAC;SACnB,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,KAAK,EAAE,OAAyB,EAAE,EAAE;QAC1C,MAAM,gBAAgB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACrC,OAAO,CAAC,GAAG,CACT,gCAAgC,CACjC,CAAC;IACJ,CAAC,CAAC,CAAC;IAEL,OAAO;SACJ,OAAO,CAAC,MAAM,CAAC;SACf,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,KAAK,EAAE,OAAyB,EAAE,EAAE;QAC1C,MAAM,MAAM,GACV,MAAM,gBAAgB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAEvC,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAChC,CAAC;IACJ,CAAC,CAAC,CAAC;AACP,CAAC"}
@@ -0,0 +1,2 @@
1
+ import type { Command } from 'commander';
2
+ export declare function registerDependencyConfusionCommand(program: Command): void;
@@ -0,0 +1,37 @@
1
+ import { AnalyzerRunner } from '../application/analyzer-runner.js';
2
+ import { DependencyConfusionAnalyzer } from '../analyzers/dependency-confusion/analyzer.js';
3
+ export function registerDependencyConfusionCommand(program) {
4
+ program
5
+ .command('dependency-confusion')
6
+ .description('Check internal-looking dependency names against the public npm registry.')
7
+ .option('-p, --path <path>', 'Project path.', process.cwd())
8
+ .option('--json', 'Print JSON.')
9
+ .action(async (options) => {
10
+ const [result] = await new AnalyzerRunner({
11
+ concurrency: 1,
12
+ timeoutMs: 60_000
13
+ }).run([
14
+ new DependencyConfusionAnalyzer()
15
+ ], {
16
+ root: options.path
17
+ });
18
+ if (!result) {
19
+ throw new Error('Dependency-confusion analyzer returned no result.');
20
+ }
21
+ if (options.json) {
22
+ console.log(JSON.stringify(result, null, 2));
23
+ return;
24
+ }
25
+ console.log('Toolip Dependency Confusion Audit');
26
+ console.log('');
27
+ console.log(`Candidates: ${result.metadata?.candidates ?? 0}`);
28
+ console.log(`Public collisions: ${result.findings.length}`);
29
+ console.log('');
30
+ for (const finding of result.findings) {
31
+ console.log(`[${finding.severity.toUpperCase()}] ${finding.title}`);
32
+ console.log(finding.message);
33
+ console.log('');
34
+ }
35
+ });
36
+ }
37
+ //# sourceMappingURL=dependency-confusion.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dependency-confusion.js","sourceRoot":"","sources":["../../../src/commands/dependency-confusion.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EAAE,2BAA2B,EAAE,MAAM,+CAA+C,CAAC;AAE5F,MAAM,UAAU,kCAAkC,CAChD,OAAgB;IAEhB,OAAO;SACJ,OAAO,CAAC,sBAAsB,CAAC;SAC/B,WAAW,CACV,0EAA0E,CAC3E;SACA,MAAM,CACL,mBAAmB,EACnB,eAAe,EACf,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CACL,KAAK,EACH,OAGC,EACD,EAAE;QACF,MAAM,CAAC,MAAM,CAAC,GACZ,MAAM,IAAI,cAAc,CAAC;YACvB,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,MAAM;SAClB,CAAC,CAAC,GAAG,CACJ;YACE,IAAI,2BAA2B,EAAE;SAClC,EACD;YACE,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CACF,CAAC;QAEJ,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,mDAAmD,CACpD,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAChC,CAAC;YACF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CACT,mCAAmC,CACpC,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,eACE,MAAM,CAAC,QAAQ,EAAE,UAAU,IAAI,CACjC,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CACT,sBAAsB,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAC/C,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,CACT,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,KAAK,EAAE,CACvD,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;YAC7B,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CACF,CAAC;AACN,CAAC"}
@@ -0,0 +1,2 @@
1
+ import type { Command } from 'commander';
2
+ export declare function registerDiffCommand(program: Command): void;
@@ -0,0 +1,24 @@
1
+ import { securityDiff } from '../core/diff/security-diff.js';
2
+ export function registerDiffCommand(program) {
3
+ program
4
+ .command('diff <base> [head]')
5
+ .description('Summarize security-relevant changes between Git revisions.')
6
+ .option('-p, --path <path>', 'Repository path.', process.cwd())
7
+ .option('--json', 'Print JSON.')
8
+ .action(async (base, head, options) => {
9
+ const result = await securityDiff(options.path, base, head ?? 'HEAD');
10
+ if (options.json) {
11
+ console.log(JSON.stringify(result, null, 2));
12
+ return;
13
+ }
14
+ console.log('Toolip Security Diff');
15
+ console.log('');
16
+ console.log(`Range: ${result.base}..${result.head}`);
17
+ console.log(`Changed files: ${result.files.length}`);
18
+ console.log(`Manifest changed: ${result.packageManifestChanged}`);
19
+ console.log(`Lockfile changed: ${result.lockfileChanged}`);
20
+ console.log(`Dockerfiles changed: ${result.dockerfilesChanged.length}`);
21
+ console.log(`Source files changed: ${result.sourceFilesChanged.length}`);
22
+ });
23
+ }
24
+ //# sourceMappingURL=diff.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"diff.js","sourceRoot":"","sources":["../../../src/commands/diff.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,YAAY,EAAE,MAAM,+BAA+B,CAAC;AAE7D,MAAM,UAAU,mBAAmB,CAAC,OAAgB;IAClD,OAAO;SACJ,OAAO,CAAC,oBAAoB,CAAC;SAC7B,WAAW,CAAC,4DAA4D,CAAC;SACzE,MAAM,CAAC,mBAAmB,EAAE,kBAAkB,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SAC9D,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CAAC,KAAK,EACX,IAAY,EACZ,IAAwB,EACxB,OAAyC,EACzC,EAAE;QACF,MAAM,MAAM,GAAG,MAAM,YAAY,CAAC,OAAO,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,IAAI,MAAM,CAAC,CAAC;QAEtE,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QACpC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,UAAU,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,kBAAkB,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,CAAC,CAAC;QACrD,OAAO,CAAC,GAAG,CAAC,qBAAqB,MAAM,CAAC,sBAAsB,EAAE,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,qBAAqB,MAAM,CAAC,eAAe,EAAE,CAAC,CAAC;QAC3D,OAAO,CAAC,GAAG,CAAC,wBAAwB,MAAM,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC,CAAC;QACxE,OAAO,CAAC,GAAG,CAAC,yBAAyB,MAAM,CAAC,kBAAkB,CAAC,MAAM,EAAE,CAAC,CAAC;IAC3E,CAAC,CAAC,CAAC;AACP,CAAC"}
@@ -0,0 +1,2 @@
1
+ import type { Command } from 'commander';
2
+ export declare function registerDockerScanCommand(program: Command): void;
@@ -0,0 +1,34 @@
1
+ import { AnalyzerRunner } from '../application/analyzer-runner.js';
2
+ import { DockerfileAnalyzer } from '../analyzers/docker/analyzer.js';
3
+ export function registerDockerScanCommand(program) {
4
+ program
5
+ .command('docker-scan')
6
+ .description('Scan Dockerfiles for risky container build patterns.')
7
+ .option('-p, --path <path>', 'Project path.', process.cwd())
8
+ .option('--json', 'Print JSON.')
9
+ .action(async (options) => {
10
+ const [result] = await new AnalyzerRunner({
11
+ concurrency: 1,
12
+ timeoutMs: 60_000
13
+ }).run([new DockerfileAnalyzer()], {
14
+ root: options.path
15
+ });
16
+ if (!result)
17
+ throw new Error('Docker analyzer returned no result.');
18
+ if (options.json) {
19
+ console.log(JSON.stringify(result, null, 2));
20
+ return;
21
+ }
22
+ console.log('Toolip Dockerfile Security');
23
+ console.log('');
24
+ console.log(`Dockerfiles: ${result.metadata?.dockerfiles ?? 0}`);
25
+ console.log(`Findings: ${result.findings.length}`);
26
+ console.log('');
27
+ for (const finding of result.findings) {
28
+ console.log(`[${finding.severity.toUpperCase()}] ${finding.title}`);
29
+ console.log(`${finding.location?.file}:${finding.location?.line}`);
30
+ console.log('');
31
+ }
32
+ });
33
+ }
34
+ //# sourceMappingURL=docker-scan.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"docker-scan.js","sourceRoot":"","sources":["../../../src/commands/docker-scan.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AAErE,MAAM,UAAU,yBAAyB,CAAC,OAAgB;IACxD,OAAO;SACJ,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CAAC,sDAAsD,CAAC;SACnE,MAAM,CAAC,mBAAmB,EAAE,eAAe,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SAC3D,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CAAC,KAAK,EAAE,OAAyC,EAAE,EAAE;QAC1D,MAAM,CAAC,MAAM,CAAC,GAAG,MAAM,IAAI,cAAc,CAAC;YACxC,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,MAAM;SAClB,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,kBAAkB,EAAE,CAAC,EAAE;YACjC,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CAAC,CAAC;QAEH,IAAI,CAAC,MAAM;YAAE,MAAM,IAAI,KAAK,CAAC,qCAAqC,CAAC,CAAC;QAEpE,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CAAC,4BAA4B,CAAC,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,gBAAgB,MAAM,CAAC,QAAQ,EAAE,WAAW,IAAI,CAAC,EAAE,CAAC,CAAC;QACjE,OAAO,CAAC,GAAG,CAAC,aAAa,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;QACnD,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,KAAK,EAAE,CAAC,CAAC;YACpE,OAAO,CAAC,GAAG,CAAC,GAAG,OAAO,CAAC,QAAQ,EAAE,IAAI,IAAI,OAAO,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
@@ -0,0 +1,2 @@
1
+ import type { Command } from 'commander';
2
+ export declare function registerGitHistoryCommand(program: Command): void;
@@ -0,0 +1,40 @@
1
+ import { AnalyzerRunner } from '../application/analyzer-runner.js';
2
+ import { GitHistorySecretAnalyzer } from '../analyzers/git-history/analyzer.js';
3
+ export function registerGitHistoryCommand(program) {
4
+ program
5
+ .command('git-history')
6
+ .description('Scan added lines across Git commit history for secret-like values.')
7
+ .option('-p, --path <path>', 'Repository path.', process.cwd())
8
+ .option('--max-commits <number>', 'Maximum commits to scan.', '1000')
9
+ .option('--json', 'Print JSON.')
10
+ .action(async (options) => {
11
+ const maxCommits = Math.max(1, Number.parseInt(options.maxCommits, 10) || 1000);
12
+ const [result] = await new AnalyzerRunner({
13
+ concurrency: 1,
14
+ timeoutMs: 120_000
15
+ }).run([
16
+ new GitHistorySecretAnalyzer(maxCommits)
17
+ ], {
18
+ root: options.path
19
+ });
20
+ if (!result) {
21
+ throw new Error('Git-history analyzer returned no result.');
22
+ }
23
+ if (options.json) {
24
+ console.log(JSON.stringify(result, null, 2));
25
+ return;
26
+ }
27
+ console.log('Toolip Git History Secret Audit');
28
+ console.log('');
29
+ console.log(`Commits scanned: ${result.metadata?.commitsScanned ?? 0}`);
30
+ console.log(`Findings: ${result.findings.length}`);
31
+ console.log('');
32
+ for (const finding of result.findings) {
33
+ console.log(`[${finding.severity.toUpperCase()}] ${finding.title}`);
34
+ console.log(`Commit: ${finding.metadata?.commit}`);
35
+ console.log(`Evidence: ${finding.evidence?.[0]?.summary}`);
36
+ console.log('');
37
+ }
38
+ });
39
+ }
40
+ //# sourceMappingURL=git-history.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"git-history.js","sourceRoot":"","sources":["../../../src/commands/git-history.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,cAAc,EAAE,MAAM,mCAAmC,CAAC;AACnE,OAAO,EAAE,wBAAwB,EAAE,MAAM,sCAAsC,CAAC;AAEhF,MAAM,UAAU,yBAAyB,CACvC,OAAgB;IAEhB,OAAO;SACJ,OAAO,CAAC,aAAa,CAAC;SACtB,WAAW,CACV,oEAAoE,CACrE;SACA,MAAM,CACL,mBAAmB,EACnB,kBAAkB,EAClB,OAAO,CAAC,GAAG,EAAE,CACd;SACA,MAAM,CACL,wBAAwB,EACxB,0BAA0B,EAC1B,MAAM,CACP;SACA,MAAM,CAAC,QAAQ,EAAE,aAAa,CAAC;SAC/B,MAAM,CACL,KAAK,EACH,OAIC,EACD,EAAE;QACF,MAAM,UAAU,GAAG,IAAI,CAAC,GAAG,CACzB,CAAC,EACD,MAAM,CAAC,QAAQ,CACb,OAAO,CAAC,UAAU,EAClB,EAAE,CACH,IAAI,IAAI,CACV,CAAC;QAEF,MAAM,CAAC,MAAM,CAAC,GACZ,MAAM,IAAI,cAAc,CAAC;YACvB,WAAW,EAAE,CAAC;YACd,SAAS,EAAE,OAAO;SACnB,CAAC,CAAC,GAAG,CACJ;YACE,IAAI,wBAAwB,CAC1B,UAAU,CACX;SACF,EACD;YACE,IAAI,EAAE,OAAO,CAAC,IAAI;SACnB,CACF,CAAC;QAEJ,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,MAAM,IAAI,KAAK,CACb,0CAA0C,CAC3C,CAAC;QACJ,CAAC;QAED,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;YACjB,OAAO,CAAC,GAAG,CACT,IAAI,CAAC,SAAS,CAAC,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAChC,CAAC;YACF,OAAO;QACT,CAAC;QAED,OAAO,CAAC,GAAG,CACT,iCAAiC,CAClC,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CACT,oBACE,MAAM,CAAC,QAAQ,EAAE,cAAc,IAAI,CACrC,EAAE,CACH,CAAC;QACF,OAAO,CAAC,GAAG,CACT,aAAa,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE,CACtC,CAAC;QACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,QAAQ,EAAE,CAAC;YACtC,OAAO,CAAC,GAAG,CACT,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,OAAO,CAAC,KAAK,EAAE,CACvD,CAAC;YACF,OAAO,CAAC,GAAG,CACT,WACE,OAAO,CAAC,QAAQ,EAAE,MACpB,EAAE,CACH,CAAC;YACF,OAAO,CAAC,GAAG,CACT,aACE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,EAAE,OACzB,EAAE,CACH,CAAC;YACF,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClB,CAAC;IACH,CAAC,CACF,CAAC;AACN,CAAC"}
@@ -0,0 +1,2 @@
1
+ import type { Command } from 'commander';
2
+ export declare function registerHistoryCommand(program: Command): void;