vaspera 2.5.0

package/dist/scanners/trivy.d.ts

@@ -0,0 +1,26 @@
+/**
+ * Trivy Scanner Integration
+ *
+ * Comprehensive vulnerability scanner for containers, filesystems, and IaC.
+ *
+ * @module scanners/trivy
+ */
+import type { ScannerResult, ScannerAvailability } from "./types.js";
+/**
+ * Check if Trivy is available
+ */
+export declare function checkTrivyAvailable(): Promise<ScannerAvailability>;
+/**
+ * Run Trivy filesystem scan
+ */
+export declare function runTrivy(projectPath: string, options?: {
+    timeout?: number;
+    scanType?: "fs" | "config" | "vuln";
+    ignoreUnfixed?: boolean;
+    severity?: string[];
+}): Promise<ScannerResult>;
+/**
+ * Check if a project has Dockerfiles or IaC files
+ */
+export declare function detectIaC(projectPath: string): Promise<boolean>;
+//# sourceMappingURL=trivy.d.ts.map

package/dist/scanners/trivy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivy.d.ts","sourceRoot":"","sources":["../../src/scanners/trivy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAIH,OAAO,KAAK,EAAwB,aAAa,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AA6F3F;;GAEG;AACH,wBAAsB,mBAAmB,IAAI,OAAO,CAAC,mBAAmB,CAAC,CAkBxE;AASD;;GAEG;AACH,wBAAsB,QAAQ,CAC5B,WAAW,EAAE,MAAM,EACnB,OAAO,CAAC,EAAE;IACR,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,IAAI,GAAG,QAAQ,GAAG,MAAM,CAAC;IACpC,aAAa,CAAC,EAAE,OAAO,CAAC;IACxB,QAAQ,CAAC,EAAE,MAAM,EAAE,CAAC;CACrB,GACA,OAAO,CAAC,aAAa,CAAC,CA8IxB;AAED;;GAEG;AACH,wBAAsB,SAAS,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,CAAC,CAUrE"}

package/dist/scanners/trivy.js

@@ -0,0 +1,187 @@
+/**
+ * Trivy Scanner Integration
+ *
+ * Comprehensive vulnerability scanner for containers, filesystems, and IaC.
+ *
+ * @module scanners/trivy
+ */
+import { exec } from "child_process";
+import { promisify } from "util";
+import { SEVERITY_MAPPINGS } from "./types.js";
+const execAsync = promisify(exec);
+/**
+ * Check if Trivy is available
+ */
+export async function checkTrivyAvailable() {
+    try {
+        const { stdout } = await execAsync("trivy --version", { timeout: 5000 });
+        const match = stdout.match(/Version: ([\d.]+)/);
+        const version = match ? match[1] : stdout.trim().split("\n")[0];
+        return {
+            scanner: "trivy",
+            available: true,
+            version,
+        };
+    }
+    catch (error) {
+        return {
+            scanner: "trivy",
+            available: false,
+            error: error instanceof Error ? error.message : "Trivy not found",
+        };
+    }
+}
+/**
+ * Convert Trivy severity to vaspera severity
+ */
+function mapSeverity(severity) {
+    return SEVERITY_MAPPINGS.trivy[severity];
+}
+/**
+ * Run Trivy filesystem scan
+ */
+export async function runTrivy(projectPath, options) {
+    const startTime = Date.now();
+    try {
+        // Check if Trivy is available
+        const availability = await checkTrivyAvailable();
+        if (!availability.available) {
+            return {
+                scanner: "trivy",
+                findings: [],
+                duration: Date.now() - startTime,
+                success: false,
+                error: "Trivy is not installed. Install from: https://aquasecurity.github.io/trivy/",
+            };
+        }
+        // Build command
+        const scanType = options?.scanType || "fs";
+        let command = `trivy ${scanType} --format json`;
+        if (options?.ignoreUnfixed) {
+            command += " --ignore-unfixed";
+        }
+        if (options?.severity && options.severity.length > 0) {
+            command += ` --severity ${options.severity.join(",")}`;
+        }
+        command += ` "${projectPath}"`;
+        // Run Trivy
+        const { stdout, stderr } = await execAsync(command, {
+            timeout: options?.timeout || 300000, // 5 minutes for Trivy
+            maxBuffer: 50 * 1024 * 1024, // 50MB
+        }).catch((error) => {
+            if (error.stdout) {
+                return { stdout: error.stdout, stderr: error.stderr || "" };
+            }
+            throw error;
+        });
+        // Parse JSON output
+        const output = JSON.parse(stdout);
+        // Convert to DeterministicFindings
+        const findings = [];
+        for (const result of output.Results) {
+            // Process vulnerabilities
+            if (result.Vulnerabilities) {
+                for (const vuln of result.Vulnerabilities) {
+                    findings.push({
+                        scanner: "trivy",
+                        ruleId: `trivy:${vuln.VulnerabilityID}`,
+                        file: result.Target,
+                        line: 1,
+                        message: `${vuln.PkgName}@${vuln.InstalledVersion}: ${vuln.Title || vuln.VulnerabilityID}${vuln.FixedVersion ? ` (fixed in ${vuln.FixedVersion})` : ""}`,
+                        severity: mapSeverity(vuln.Severity),
+                        confidence: 100,
+                        cweIds: vuln.CweIDs,
+                        cveIds: [vuln.VulnerabilityID],
+                        fixAvailable: !!vuln.FixedVersion,
+                        fix: vuln.FixedVersion ? `Upgrade to ${vuln.FixedVersion}` : undefined,
+                        metadata: {
+                            pkgName: vuln.PkgName,
+                            installedVersion: vuln.InstalledVersion,
+                            fixedVersion: vuln.FixedVersion,
+                            primaryURL: vuln.PrimaryURL,
+                        },
+                    });
+                }
+            }
+            // Process misconfigurations
+            if (result.Misconfigurations) {
+                for (const misconfig of result.Misconfigurations) {
+                    const startLine = misconfig.CauseMetadata?.StartLine || 1;
+                    findings.push({
+                        scanner: "trivy",
+                        ruleId: `trivy:${misconfig.ID}`,
+                        file: result.Target,
+                        line: startLine,
+                        endLine: misconfig.CauseMetadata?.EndLine,
+                        message: `${misconfig.Title}: ${misconfig.Message}`,
+                        severity: mapSeverity(misconfig.Severity),
+                        confidence: 100,
+                        fix: misconfig.Resolution,
+                        evidence: misconfig.CauseMetadata?.Code?.Lines
+                            ?.map((l) => l.Content)
+                            .join("\n"),
+                        metadata: {
+                            type: misconfig.Type,
+                            namespace: misconfig.Namespace,
+                            resource: misconfig.CauseMetadata?.Resource,
+                            provider: misconfig.CauseMetadata?.Provider,
+                            service: misconfig.CauseMetadata?.Service,
+                            primaryURL: misconfig.PrimaryURL,
+                        },
+                    });
+                }
+            }
+            // Process secrets
+            if (result.Secrets) {
+                for (const secret of result.Secrets) {
+                    findings.push({
+                        scanner: "trivy",
+                        ruleId: `trivy:${secret.RuleID}`,
+                        file: result.Target,
+                        line: secret.StartLine,
+                        endLine: secret.EndLine,
+                        message: `${secret.Title}: ${secret.Category}`,
+                        severity: mapSeverity(secret.Severity),
+                        confidence: 100,
+                        evidence: secret.Code?.Lines
+                            ?.map((l) => l.Content)
+                            .join("\n"),
+                        metadata: {
+                            category: secret.Category,
+                            match: secret.Match,
+                        },
+                    });
+                }
+            }
+        }
+        return {
+            scanner: "trivy",
+            findings,
+            duration: Date.now() - startTime,
+            success: true,
+            version: availability.version,
+        };
+    }
+    catch (error) {
+        return {
+            scanner: "trivy",
+            findings: [],
+            duration: Date.now() - startTime,
+            success: false,
+            error: error instanceof Error ? error.message : "Unknown error",
+        };
+    }
+}
+/**
+ * Check if a project has Dockerfiles or IaC files
+ */
+export async function detectIaC(projectPath) {
+    try {
+        const { stdout } = await execAsync(`find "${projectPath}" -maxdepth 3 \\( -name "Dockerfile*" -o -name "*.tf" -o -name "*.yaml" -name "*compose*.yml" -o -name "kubernetes*.yaml" \\) | head -1`, { timeout: 5000 });
+        return stdout.trim().length > 0;
+    }
+    catch {
+        return false;
+    }
+}
+//# sourceMappingURL=trivy.js.map

package/dist/scanners/trivy.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"trivy.js","sourceRoot":"","sources":["../../src/scanners/trivy.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AACrC,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,OAAO,EAAE,iBAAiB,EAAE,MAAM,YAAY,CAAC;AAE/C,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AA0FlC;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,mBAAmB;IACvC,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,iBAAiB,EAAE,EAAE,OAAO,EAAE,IAAI,EAAE,CAAC,CAAC;QACzE,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAC;QAChD,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC;QAEhE,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,IAAI;YACf,OAAO;SACR,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,SAAS,EAAE,KAAK;YAChB,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,iBAAiB;SAClE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,QAA4D;IAC/E,OAAO,iBAAiB,CAAC,KAAK,CAAC,QAAQ,CAAoD,CAAC;AAC9F,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,QAAQ,CAC5B,WAAmB,EACnB,OAKC;IAED,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,IAAI,CAAC;QACH,8BAA8B;QAC9B,MAAM,YAAY,GAAG,MAAM,mBAAmB,EAAE,CAAC;QACjD,IAAI,CAAC,YAAY,CAAC,SAAS,EAAE,CAAC;YAC5B,OAAO;gBACL,OAAO,EAAE,OAAO;gBAChB,QAAQ,EAAE,EAAE;gBACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;gBAChC,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,6EAA6E;aACrF,CAAC;QACJ,CAAC;QAED,gBAAgB;QAChB,MAAM,QAAQ,GAAG,OAAO,EAAE,QAAQ,IAAI,IAAI,CAAC;QAC3C,IAAI,OAAO,GAAG,SAAS,QAAQ,gBAAgB,CAAC;QAEhD,IAAI,OAAO,EAAE,aAAa,EAAE,CAAC;YAC3B,OAAO,IAAI,mBAAmB,CAAC;QACjC,CAAC;QAED,IAAI,OAAO,EAAE,QAAQ,IAAI,OAAO,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACrD,OAAO,IAAI,eAAe,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;QACzD,CAAC;QAED,OAAO,IAAI,KAAK,WAAW,GAAG,CAAC;QAE/B,YAAY;QACZ,MAAM,EAAE,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,OAAO,EAAE;YAClD,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,MAAM,EAAE,sBAAsB;YAC3D,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,EAAE,OAAO;SACrC,CAAC,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;YACjB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjB,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,EAAE,MAAM,EAAE,KAAK,CAAC,MAAM,IAAI,EAAE,EAAE,CAAC;YAC9D,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC,CAAC,CAAC;QAEH,oBAAoB;QACpB,MAAM,MAAM,GAAgB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;QAE/C,mCAAmC;QACnC,MAAM,QAAQ,GAA2B,EAAE,CAAC;QAE5C,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;YACpC,0BAA0B;YAC1B,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;gBAC3B,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,eAAe,EAAE,CAAC;oBAC1C,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO,EAAE,OAAgB;wBACzB,MAAM,EAAE,SAAS,IAAI,CAAC,eAAe,EAAE;wBACvC,IAAI,EAAE,MAAM,CAAC,MAAM;wBACnB,IAAI,EAAE,CAAC;wBACP,OAAO,EAAE,GAAG,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,gBAAgB,KAAK,IAAI,CAAC,KAAK,IAAI,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,YAAY,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;wBACxJ,QAAQ,EAAE,WAAW,CAAC,IAAI,CAAC,QAAQ,CAAC;wBACpC,UAAU,EAAE,GAAG;wBACf,MAAM,EAAE,IAAI,CAAC,MAAM;wBACnB,MAAM,EAAE,CAAC,IAAI,CAAC,eAAe,CAAC;wBAC9B,YAAY,EAAE,CAAC,CAAC,IAAI,CAAC,YAAY;wBACjC,GAAG,EAAE,IAAI,CAAC,YAAY,CAAC,CAAC,CAAC,cAAc,IAAI,CAAC,YAAY,EAAE,CAAC,CAAC,CAAC,SAAS;wBACtE,QAAQ,EAAE;4BACR,OAAO,EAAE,IAAI,CAAC,OAAO;4BACrB,gBAAgB,EAAE,IAAI,CAAC,gBAAgB;4BACvC,YAAY,EAAE,IAAI,CAAC,YAAY;4BAC/B,UAAU,EAAE,IAAI,CAAC,UAAU;yBAC5B;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,4BAA4B;YAC5B,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;gBAC7B,KAAK,MAAM,SAAS,IAAI,MAAM,CAAC,iBAAiB,EAAE,CAAC;oBACjD,MAAM,SAAS,GAAG,SAAS,CAAC,aAAa,EAAE,SAAS,IAAI,CAAC,CAAC;oBAC1D,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO,EAAE,OAAgB;wBACzB,MAAM,EAAE,SAAS,SAAS,CAAC,EAAE,EAAE;wBAC/B,IAAI,EAAE,MAAM,CAAC,MAAM;wBACnB,IAAI,EAAE,SAAS;wBACf,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,OAAO;wBACzC,OAAO,EAAE,GAAG,SAAS,CAAC,KAAK,KAAK,SAAS,CAAC,OAAO,EAAE;wBACnD,QAAQ,EAAE,WAAW,CAAC,SAAS,CAAC,QAAQ,CAAC;wBACzC,UAAU,EAAE,GAAG;wBACf,GAAG,EAAE,SAAS,CAAC,UAAU;wBACzB,QAAQ,EAAE,SAAS,CAAC,aAAa,EAAE,IAAI,EAAE,KAAK;4BAC5C,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;6BACtB,IAAI,CAAC,IAAI,CAAC;wBACb,QAAQ,EAAE;4BACR,IAAI,EAAE,SAAS,CAAC,IAAI;4BACpB,SAAS,EAAE,SAAS,CAAC,SAAS;4BAC9B,QAAQ,EAAE,SAAS,CAAC,aAAa,EAAE,QAAQ;4BAC3C,QAAQ,EAAE,SAAS,CAAC,aAAa,EAAE,QAAQ;4BAC3C,OAAO,EAAE,SAAS,CAAC,aAAa,EAAE,OAAO;4BACzC,UAAU,EAAE,SAAS,CAAC,UAAU;yBACjC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,kBAAkB;YAClB,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;gBACnB,KAAK,MAAM,MAAM,IAAI,MAAM,CAAC,OAAO,EAAE,CAAC;oBACpC,QAAQ,CAAC,IAAI,CAAC;wBACZ,OAAO,EAAE,OAAgB;wBACzB,MAAM,EAAE,SAAS,MAAM,CAAC,MAAM,EAAE;wBAChC,IAAI,EAAE,MAAM,CAAC,MAAM;wBACnB,IAAI,EAAE,MAAM,CAAC,SAAS;wBACtB,OAAO,EAAE,MAAM,CAAC,OAAO;wBACvB,OAAO,EAAE,GAAG,MAAM,CAAC,KAAK,KAAK,MAAM,CAAC,QAAQ,EAAE;wBAC9C,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC;wBACtC,UAAU,EAAE,GAAG;wBACf,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,KAAK;4BAC1B,EAAE,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC;6BACtB,IAAI,CAAC,IAAI,CAAC;wBACb,QAAQ,EAAE;4BACR,QAAQ,EAAE,MAAM,CAAC,QAAQ;4BACzB,KAAK,EAAE,MAAM,CAAC,KAAK;yBACpB;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ;YACR,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,IAAI;YACb,OAAO,EAAE,YAAY,CAAC,OAAO;SAC9B,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO;YACL,OAAO,EAAE,OAAO;YAChB,QAAQ,EAAE,EAAE;YACZ,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,KAAK;YACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe;SAChE,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,WAAmB;IACjD,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAChC,SAAS,WAAW,yIAAyI,EAC7J,EAAE,OAAO,EAAE,IAAI,EAAE,CAClB,CAAC;QACF,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,MAAM,GAAG,CAAC,CAAC;IAClC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC"}

package/dist/scanners/types.d.ts

@@ -0,0 +1,210 @@
+/**
+ * Deterministic Scanner Types
+ *
+ * Types for the pre-pass scanner layer that runs deterministic tools
+ * (Semgrep, npm audit, gitleaks, tsc) before LLM agents.
+ *
+ * All deterministic findings have confidence: 100 by definition.
+ *
+ * @module scanners/types
+ */
+import type { Severity } from "../certification/types.js";
+export type { Severity };
+/**
+ * Supported scanner types
+ */
+export type ScannerType = "semgrep" | "npm-audit" | "gitleaks" | "tsc" | "eslint" | "bandit" | "gosec" | "brakeman" | "trivy" | "binary-analysis" | "memory-safety" | "race-condition" | "plugin";
+/**
+ * A finding from a deterministic scanner.
+ *
+ * Unlike LLM-generated findings, these have confidence: 100 because
+ * they come from deterministic tools with known rule IDs.
+ */
+export interface DeterministicFinding {
+    /** Which scanner found this issue */
+    scanner: ScannerType;
+    /** The rule/check ID from the scanner (e.g., "semgrep:owasp.sql-injection") */
+    ruleId: string;
+    /** Relative file path where the issue was found */
+    file: string;
+    /** Line number (1-indexed) */
+    line: number;
+    /** Column number (1-indexed, optional) */
+    column?: number;
+    /** End line for multi-line issues */
+    endLine?: number;
+    /** End column for multi-line issues */
+    endColumn?: number;
+    /** Human-readable description of the issue */
+    message: string;
+    /** Severity level */
+    severity: Severity;
+    /** Confidence level (100 for deterministic, lower for pattern-based) */
+    confidence: number;
+    /** Finding category for compliance mapping */
+    category?: string;
+    /** CWE IDs if applicable (e.g., ["CWE-89", "CWE-564"]) */
+    cweIds?: string[];
+    /** CVE IDs for dependency vulnerabilities */
+    cveIds?: string[];
+    /** Whether an automatic fix is available */
+    fixAvailable?: boolean;
+    /** Suggested fix if available */
+    fix?: string;
+    /** Raw evidence/code snippet from the scanner */
+    evidence?: string;
+    /** Additional metadata from the scanner */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Result from running a single scanner
+ */
+export interface ScannerResult {
+    /** Which scanner was run */
+    scanner: ScannerType;
+    /** Findings discovered by this scanner */
+    findings: DeterministicFinding[];
+    /** How long the scan took in milliseconds */
+    duration: number;
+    /** Whether the scan completed successfully */
+    success: boolean;
+    /** Error message if scan failed */
+    error?: string;
+    /** Exit code from the scanner process */
+    exitCode?: number;
+    /** Scanner version used */
+    version?: string;
+    /** Number of files scanned */
+    filesScanned?: number;
+    /** Rules/checks that were run */
+    rulesUsed?: string[];
+    /** Additional metadata from the scanner */
+    metadata?: Record<string, unknown>;
+}
+/**
+ * Aggregated results from running multiple scanners
+ */
+export interface AggregatedScanResult {
+    /** When the scan started */
+    timestamp: string;
+    /** Project path that was scanned */
+    projectPath: string;
+    /** Results from each scanner */
+    scanners: ScannerResult[];
+    /** Total findings across all scanners */
+    totalFindings: number;
+    /** Findings grouped by severity */
+    bySeverity: Record<Severity, number>;
+    /** Findings grouped by scanner */
+    byScanner: Record<ScannerType, number>;
+    /** Total scan duration in milliseconds */
+    totalDuration: number;
+    /** Whether all scanners succeeded */
+    allSucceeded: boolean;
+    /** Scanners that failed */
+    failedScanners: ScannerType[];
+}
+/**
+ * Options for running scanners
+ */
+export interface ScannerOptions {
+    /** Run Semgrep for OWASP/security patterns */
+    semgrep?: boolean;
+    /** Run npm audit / osv-scanner for dependency vulns */
+    dependencies?: boolean;
+    /** Run gitleaks for secrets detection */
+    secrets?: boolean;
+    /** Run TypeScript compiler for type coverage */
+    typescript?: boolean;
+    /** Run ESLint for code quality */
+    eslint?: boolean;
+    /** Run Bandit for Python security */
+    bandit?: boolean;
+    /** Run gosec for Go security */
+    gosec?: boolean;
+    /** Run Brakeman for Ruby security */
+    brakeman?: boolean;
+    /** Run Trivy for container/IaC scanning */
+    trivy?: boolean;
+    /** Run binary analysis for native modules */
+    binaryAnalysis?: boolean;
+    /** Run memory safety analysis for C/C++/Rust */
+    memorySafety?: boolean;
+    /** Run race condition detection */
+    raceCondition?: boolean;
+    /** Custom Semgrep rules directory */
+    semgrepRulesDir?: string;
+    /** Files to include (glob patterns) */
+    include?: string[];
+    /** Files to exclude (glob patterns) */
+    exclude?: string[];
+    /** Timeout per scanner in milliseconds */
+    timeout?: number;
+}
+/**
+ * Default scanner options
+ */
+export declare const DEFAULT_SCANNER_OPTIONS: Required<Omit<ScannerOptions, "semgrepRulesDir" | "include" | "exclude">>;
+/**
+ * Severity mapping from scanner-specific severities to vaspera severities
+ */
+export declare const SEVERITY_MAPPINGS: {
+    npm: {
+        critical: Severity;
+        high: Severity;
+        moderate: Severity;
+        low: Severity;
+        info: Severity;
+    };
+    semgrep: {
+        ERROR: Severity;
+        WARNING: Severity;
+        INFO: Severity;
+    };
+    gitleaks: {
+        default: Severity;
+    };
+    typescript: {
+        error: Severity;
+        warning: Severity;
+        suggestion: Severity;
+        message: Severity;
+    };
+    bandit: {
+        HIGH: Severity;
+        MEDIUM: Severity;
+        LOW: Severity;
+    };
+    gosec: {
+        HIGH: Severity;
+        MEDIUM: Severity;
+        LOW: Severity;
+    };
+    brakeman: {
+        High: Severity;
+        Medium: Severity;
+        Weak: Severity;
+    };
+    trivy: {
+        CRITICAL: Severity;
+        HIGH: Severity;
+        MEDIUM: Severity;
+        LOW: Severity;
+        UNKNOWN: Severity;
+    };
+};
+/**
+ * Check if a scanner is available on the system
+ */
+export interface ScannerAvailability {
+    scanner: ScannerType;
+    available: boolean;
+    version?: string;
+    path?: string;
+    error?: string;
+}
+/**
+ * Convert a DeterministicFinding to a certification Finding
+ */
+export declare function toFindingId(scanner: ScannerType, ruleId: string, index: number): string;
+//# sourceMappingURL=types.d.ts.map

package/dist/scanners/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/scanners/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAEH,OAAO,KAAK,EAAE,QAAQ,EAAE,MAAM,2BAA2B,CAAC;AAG1D,YAAY,EAAE,QAAQ,EAAE,CAAC;AAEzB;;GAEG;AACH,MAAM,MAAM,WAAW,GACnB,SAAS,GACT,WAAW,GACX,UAAU,GACV,KAAK,GACL,QAAQ,GACR,QAAQ,GACR,OAAO,GACP,UAAU,GACV,OAAO,GACP,iBAAiB,GACjB,eAAe,GACf,gBAAgB,GAChB,QAAQ,CAAC;AAEb;;;;;GAKG;AACH,MAAM,WAAW,oBAAoB;IACnC,qCAAqC;IACrC,OAAO,EAAE,WAAW,CAAC;IAErB,+EAA+E;IAC/E,MAAM,EAAE,MAAM,CAAC;IAEf,mDAAmD;IACnD,IAAI,EAAE,MAAM,CAAC;IAEb,8BAA8B;IAC9B,IAAI,EAAE,MAAM,CAAC;IAEb,0CAA0C;IAC1C,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB,qCAAqC;IACrC,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,uCAAuC;IACvC,SAAS,CAAC,EAAE,MAAM,CAAC;IAEnB,8CAA8C;IAC9C,OAAO,EAAE,MAAM,CAAC;IAEhB,qBAAqB;IACrB,QAAQ,EAAE,QAAQ,CAAC;IAEnB,wEAAwE;IACxE,UAAU,EAAE,MAAM,CAAC;IAEnB,8CAA8C;IAC9C,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,0DAA0D;IAC1D,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB,6CAA6C;IAC7C,MAAM,CAAC,EAAE,MAAM,EAAE,CAAC;IAElB,4CAA4C;IAC5C,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,iCAAiC;IACjC,GAAG,CAAC,EAAE,MAAM,CAAC;IAEb,iDAAiD;IACjD,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,4BAA4B;IAC5B,OAAO,EAAE,WAAW,CAAC;IAErB,0CAA0C;IAC1C,QAAQ,EAAE,oBAAoB,EAAE,CAAC;IAEjC,6CAA6C;IAC7C,QAAQ,EAAE,MAAM,CAAC;IAEjB,8CAA8C;IAC9C,OAAO,EAAE,OAAO,CAAC;IAEjB,mCAAmC;IACnC,KAAK,CAAC,EAAE,MAAM,CAAC;IAEf,yCAAyC;IACzC,QAAQ,CAAC,EAAE,MAAM,CAAC;IAElB,2BAA2B;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB,8BAA8B;IAC9B,YAAY,CAAC,EAAE,MAAM,CAAC;IAEtB,iCAAiC;IACjC,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;IAErB,2CAA2C;IAC3C,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;CACpC;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC,4BAA4B;IAC5B,SAAS,EAAE,MAAM,CAAC;IAElB,oCAAoC;IACpC,WAAW,EAAE,MAAM,CAAC;IAEpB,gCAAgC;IAChC,QAAQ,EAAE,aAAa,EAAE,CAAC;IAE1B,yCAAyC;IACzC,aAAa,EAAE,MAAM,CAAC;IAEtB,mCAAmC;IACnC,UAAU,EAAE,MAAM,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAErC,kCAAkC;IAClC,SAAS,EAAE,MAAM,CAAC,WAAW,EAAE,MAAM,CAAC,CAAC;IAEvC,0CAA0C;IAC1C,aAAa,EAAE,MAAM,CAAC;IAEtB,qCAAqC;IACrC,YAAY,EAAE,OAAO,CAAC;IAEtB,2BAA2B;IAC3B,cAAc,EAAE,WAAW,EAAE,CAAC;CAC/B;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,8CAA8C;IAC9C,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB,uDAAuD;IACvD,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,yCAAyC;IACzC,OAAO,CAAC,EAAE,OAAO,CAAC;IAElB,gDAAgD;IAChD,UAAU,CAAC,EAAE,OAAO,CAAC;IAErB,kCAAkC;IAClC,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB,qCAAqC;IACrC,MAAM,CAAC,EAAE,OAAO,CAAC;IAEjB,gCAAgC;IAChC,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB,qCAAqC;IACrC,QAAQ,CAAC,EAAE,OAAO,CAAC;IAEnB,2CAA2C;IAC3C,KAAK,CAAC,EAAE,OAAO,CAAC;IAEhB,6CAA6C;IAC7C,cAAc,CAAC,EAAE,OAAO,CAAC;IAEzB,gDAAgD;IAChD,YAAY,CAAC,EAAE,OAAO,CAAC;IAEvB,mCAAmC;IACnC,aAAa,CAAC,EAAE,OAAO,CAAC;IAExB,qCAAqC;IACrC,eAAe,CAAC,EAAE,MAAM,CAAC;IAEzB,uCAAuC;IACvC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IAEnB,uCAAuC;IACvC,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IAEnB,0CAA0C;IAC1C,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB;AAED;;GAEG;AACH,eAAO,MAAM,uBAAuB,EAAE,QAAQ,CAAC,IAAI,CAAC,cAAc,EAAE,iBAAiB,GAAG,SAAS,GAAG,SAAS,CAAC,CAc7G,CAAC;AAEF;;GAEG;AACH,eAAO,MAAM,iBAAiB;;kBAGF,QAAQ;cAChB,QAAQ;kBACF,QAAQ;aAChB,QAAQ;cACN,QAAQ;;;eAKP,QAAQ;iBACJ,QAAQ;cACd,QAAQ;;;iBAKA,QAAQ;;;eAKd,QAAQ;iBACJ,QAAQ;oBACR,QAAQ;iBACV,QAAQ;;;cAKX,QAAQ;gBACJ,QAAQ;aACd,QAAQ;;;cAKN,QAAQ;gBACJ,QAAQ;aACd,QAAQ;;;cAKN,QAAQ;gBACJ,QAAQ;cACb,QAAQ;;;kBAKC,QAAQ;cAChB,QAAQ;gBACJ,QAAQ;aACd,QAAQ;iBACH,QAAQ;;CAE9B,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,mBAAmB;IAClC,OAAO,EAAE,WAAW,CAAC;IACrB,SAAS,EAAE,OAAO,CAAC;IACnB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED;;GAEG;AACH,wBAAgB,WAAW,CAAC,OAAO,EAAE,WAAW,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAkBvF"}

package/dist/scanners/types.js

@@ -0,0 +1,106 @@
+/**
+ * Deterministic Scanner Types
+ *
+ * Types for the pre-pass scanner layer that runs deterministic tools
+ * (Semgrep, npm audit, gitleaks, tsc) before LLM agents.
+ *
+ * All deterministic findings have confidence: 100 by definition.
+ *
+ * @module scanners/types
+ */
+/**
+ * Default scanner options
+ */
+export const DEFAULT_SCANNER_OPTIONS = {
+    semgrep: true,
+    dependencies: true,
+    secrets: true,
+    typescript: true,
+    eslint: false, // Optional, not enabled by default
+    bandit: false, // Auto-enabled if Python detected
+    gosec: false, // Auto-enabled if Go detected
+    brakeman: false, // Auto-enabled if Ruby detected
+    trivy: false, // Optional container/IaC scanning
+    binaryAnalysis: true, // Enabled by default (checks native modules)
+    memorySafety: false, // Auto-enabled if C/C++/Rust detected
+    raceCondition: true, // Enabled by default
+    timeout: 120000, // 2 minutes per scanner
+};
+/**
+ * Severity mapping from scanner-specific severities to vaspera severities
+ */
+export const SEVERITY_MAPPINGS = {
+    // npm audit / osv-scanner
+    npm: {
+        critical: "critical",
+        high: "high",
+        moderate: "medium",
+        low: "low",
+        info: "info",
+    },
+    // Semgrep
+    semgrep: {
+        ERROR: "high",
+        WARNING: "medium",
+        INFO: "low",
+    },
+    // gitleaks (all secrets are critical)
+    gitleaks: {
+        default: "critical",
+    },
+    // TypeScript compiler
+    typescript: {
+        error: "high",
+        warning: "medium",
+        suggestion: "low",
+        message: "info",
+    },
+    // Bandit (Python)
+    bandit: {
+        HIGH: "high",
+        MEDIUM: "medium",
+        LOW: "low",
+    },
+    // gosec (Go)
+    gosec: {
+        HIGH: "high",
+        MEDIUM: "medium",
+        LOW: "low",
+    },
+    // Brakeman (Ruby)
+    brakeman: {
+        High: "high",
+        Medium: "medium",
+        Weak: "low",
+    },
+    // Trivy
+    trivy: {
+        CRITICAL: "critical",
+        HIGH: "high",
+        MEDIUM: "medium",
+        LOW: "low",
+        UNKNOWN: "info",
+    },
+};
+/**
+ * Convert a DeterministicFinding to a certification Finding
+ */
+export function toFindingId(scanner, ruleId, index) {
+    const prefix = {
+        semgrep: "sem",
+        "npm-audit": "dep",
+        gitleaks: "sec",
+        tsc: "ts",
+        eslint: "lint",
+        bandit: "py",
+        gosec: "go",
+        brakeman: "rb",
+        trivy: "trv",
+        "binary-analysis": "bin",
+        "memory-safety": "mem",
+        "race-condition": "rac",
+        plugin: "plg",
+    };
+    return `${prefix[scanner]}-${String(index + 1).padStart(3, "0")}`;
+}
+//# sourceMappingURL=types.js.map

package/dist/scanners/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/scanners/types.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AA4MH;;GAEG;AACH,MAAM,CAAC,MAAM,uBAAuB,GAA8E;IAChH,OAAO,EAAE,IAAI;IACb,YAAY,EAAE,IAAI;IAClB,OAAO,EAAE,IAAI;IACb,UAAU,EAAE,IAAI;IAChB,MAAM,EAAE,KAAK,EAAU,mCAAmC;IAC1D,MAAM,EAAE,KAAK,EAAU,kCAAkC;IACzD,KAAK,EAAE,KAAK,EAAW,8BAA8B;IACrD,QAAQ,EAAE,KAAK,EAAQ,gCAAgC;IACvD,KAAK,EAAE,KAAK,EAAW,kCAAkC;IACzD,cAAc,EAAE,IAAI,EAAG,6CAA6C;IACpE,YAAY,EAAE,KAAK,EAAI,sCAAsC;IAC7D,aAAa,EAAE,IAAI,EAAI,qBAAqB;IAC5C,OAAO,EAAE,MAAM,EAAQ,wBAAwB;CAChD,CAAC;AAEF;;GAEG;AACH,MAAM,CAAC,MAAM,iBAAiB,GAAG;IAC/B,0BAA0B;IAC1B,GAAG,EAAE;QACH,QAAQ,EAAE,UAAsB;QAChC,IAAI,EAAE,MAAkB;QACxB,QAAQ,EAAE,QAAoB;QAC9B,GAAG,EAAE,KAAiB;QACtB,IAAI,EAAE,MAAkB;KACzB;IAED,UAAU;IACV,OAAO,EAAE;QACP,KAAK,EAAE,MAAkB;QACzB,OAAO,EAAE,QAAoB;QAC7B,IAAI,EAAE,KAAiB;KACxB;IAED,sCAAsC;IACtC,QAAQ,EAAE;QACR,OAAO,EAAE,UAAsB;KAChC;IAED,sBAAsB;IACtB,UAAU,EAAE;QACV,KAAK,EAAE,MAAkB;QACzB,OAAO,EAAE,QAAoB;QAC7B,UAAU,EAAE,KAAiB;QAC7B,OAAO,EAAE,MAAkB;KAC5B;IAED,kBAAkB;IAClB,MAAM,EAAE;QACN,IAAI,EAAE,MAAkB;QACxB,MAAM,EAAE,QAAoB;QAC5B,GAAG,EAAE,KAAiB;KACvB;IAED,aAAa;IACb,KAAK,EAAE;QACL,IAAI,EAAE,MAAkB;QACxB,MAAM,EAAE,QAAoB;QAC5B,GAAG,EAAE,KAAiB;KACvB;IAED,kBAAkB;IAClB,QAAQ,EAAE;QACR,IAAI,EAAE,MAAkB;QACxB,MAAM,EAAE,QAAoB;QAC5B,IAAI,EAAE,KAAiB;KACxB;IAED,QAAQ;IACR,KAAK,EAAE;QACL,QAAQ,EAAE,UAAsB;QAChC,IAAI,EAAE,MAAkB;QACxB,MAAM,EAAE,QAAoB;QAC5B,GAAG,EAAE,KAAiB;QACtB,OAAO,EAAE,MAAkB;KAC5B;CACF,CAAC;AAaF;;GAEG;AACH,MAAM,UAAU,WAAW,CAAC,OAAoB,EAAE,MAAc,EAAE,KAAa;IAC7E,MAAM,MAAM,GAAgC;QAC1C,OAAO,EAAE,KAAK;QACd,WAAW,EAAE,KAAK;QAClB,QAAQ,EAAE,KAAK;QACf,GAAG,EAAE,IAAI;QACT,MAAM,EAAE,MAAM;QACd,MAAM,EAAE,IAAI;QACZ,KAAK,EAAE,IAAI;QACX,QAAQ,EAAE,IAAI;QACd,KAAK,EAAE,KAAK;QACZ,iBAAiB,EAAE,KAAK;QACxB,eAAe,EAAE,KAAK;QACtB,gBAAgB,EAAE,KAAK;QACvB,MAAM,EAAE,KAAK;KACd,CAAC;IAEF,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,IAAI,MAAM,CAAC,KAAK,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,EAAE,GAAG,CAAC,EAAE,CAAC;AACpE,CAAC"}

package/dist/scanners/types.test.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Unit tests for scanner types module
+ */
+export {};
+//# sourceMappingURL=types.test.d.ts.map

package/dist/scanners/types.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.test.d.ts","sourceRoot":"","sources":["../../src/scanners/types.test.ts"],"names":[],"mappings":"AAAA;;GAEG"}

package/dist/scanners/types.test.js

@@ -0,0 +1,103 @@
+/**
+ * Unit tests for scanner types module
+ */
+import { describe, it, expect } from "vitest";
+import { SEVERITY_MAPPINGS, DEFAULT_SCANNER_OPTIONS, toFindingId, } from "./types.js";
+describe("SEVERITY_MAPPINGS", () => {
+    describe("npm severity mapping", () => {
+        it("maps critical to critical", () => {
+            expect(SEVERITY_MAPPINGS.npm.critical).toBe("critical");
+        });
+        it("maps high to high", () => {
+            expect(SEVERITY_MAPPINGS.npm.high).toBe("high");
+        });
+        it("maps moderate to medium", () => {
+            expect(SEVERITY_MAPPINGS.npm.moderate).toBe("medium");
+        });
+        it("maps low to low", () => {
+            expect(SEVERITY_MAPPINGS.npm.low).toBe("low");
+        });
+        it("maps info to info", () => {
+            expect(SEVERITY_MAPPINGS.npm.info).toBe("info");
+        });
+    });
+    describe("semgrep severity mapping", () => {
+        it("maps ERROR to high", () => {
+            expect(SEVERITY_MAPPINGS.semgrep.ERROR).toBe("high");
+        });
+        it("maps WARNING to medium", () => {
+            expect(SEVERITY_MAPPINGS.semgrep.WARNING).toBe("medium");
+        });
+        it("maps INFO to low", () => {
+            expect(SEVERITY_MAPPINGS.semgrep.INFO).toBe("low");
+        });
+    });
+    describe("gitleaks severity mapping", () => {
+        it("maps all secrets to critical", () => {
+            expect(SEVERITY_MAPPINGS.gitleaks.default).toBe("critical");
+        });
+    });
+    describe("typescript severity mapping", () => {
+        it("maps error to high", () => {
+            expect(SEVERITY_MAPPINGS.typescript.error).toBe("high");
+        });
+        it("maps warning to medium", () => {
+            expect(SEVERITY_MAPPINGS.typescript.warning).toBe("medium");
+        });
+        it("maps suggestion to low", () => {
+            expect(SEVERITY_MAPPINGS.typescript.suggestion).toBe("low");
+        });
+        it("maps message to info", () => {
+            expect(SEVERITY_MAPPINGS.typescript.message).toBe("info");
+        });
+    });
+});
+describe("DEFAULT_SCANNER_OPTIONS", () => {
+    it("enables semgrep by default", () => {
+        expect(DEFAULT_SCANNER_OPTIONS.semgrep).toBe(true);
+    });
+    it("enables dependencies by default", () => {
+        expect(DEFAULT_SCANNER_OPTIONS.dependencies).toBe(true);
+    });
+    it("enables secrets by default", () => {
+        expect(DEFAULT_SCANNER_OPTIONS.secrets).toBe(true);
+    });
+    it("enables typescript by default", () => {
+        expect(DEFAULT_SCANNER_OPTIONS.typescript).toBe(true);
+    });
+    it("disables eslint by default", () => {
+        expect(DEFAULT_SCANNER_OPTIONS.eslint).toBe(false);
+    });
+    it("sets timeout to 2 minutes", () => {
+        expect(DEFAULT_SCANNER_OPTIONS.timeout).toBe(120000);
+    });
+});
+describe("toFindingId", () => {
+    it("generates semgrep finding ID with sem prefix", () => {
+        expect(toFindingId("semgrep", "owasp.sql-injection", 0)).toBe("sem-001");
+        expect(toFindingId("semgrep", "owasp.xss", 9)).toBe("sem-010");
+        expect(toFindingId("semgrep", "rule", 99)).toBe("sem-100");
+    });
+    it("generates npm-audit finding ID with dep prefix", () => {
+        expect(toFindingId("npm-audit", "lodash", 0)).toBe("dep-001");
+        expect(toFindingId("npm-audit", "express", 4)).toBe("dep-005");
+    });
+    it("generates gitleaks finding ID with sec prefix", () => {
+        expect(toFindingId("gitleaks", "aws-access-key", 0)).toBe("sec-001");
+        expect(toFindingId("gitleaks", "github-token", 2)).toBe("sec-003");
+    });
+    it("generates tsc finding ID with ts prefix", () => {
+        expect(toFindingId("tsc", "any-usage", 0)).toBe("ts-001");
+        expect(toFindingId("tsc", "ts-ignore", 5)).toBe("ts-006");
+    });
+    it("generates eslint finding ID with lint prefix", () => {
+        expect(toFindingId("eslint", "no-console", 0)).toBe("lint-001");
+        expect(toFindingId("eslint", "prefer-const", 3)).toBe("lint-004");
+    });
+    it("pads index to 3 digits", () => {
+        expect(toFindingId("semgrep", "rule", 0)).toBe("sem-001");
+        expect(toFindingId("semgrep", "rule", 99)).toBe("sem-100");
+        expect(toFindingId("semgrep", "rule", 999)).toBe("sem-1000"); // Overflow, but still works
+    });
+});
+//# sourceMappingURL=types.test.js.map