verimu 0.0.21 → 0.0.22

package/dist/cli.mjs

@@ -18745,10 +18745,12 @@ async function uploadToVerimu(report, config) {
     throw new Error("API key required for upload");
   }
   const client = new VerimuApiClient(config.apiKey, config.apiBaseUrl);
-  const projectName = basename(config.projectPath);
+  const projectName = config.uploadProjectName ?? basename(config.projectPath);
   const upsertRes = await client.upsertProject({
     name: projectName,
     ecosystem: report.project.ecosystem,
+    repositoryUrl: config.repositoryUrl,
+    platform: config.platform,
     groupName: config.groupName
   });
   const projectId = upsertRes.project.id;
@@ -19270,6 +19272,1428 @@ Discovering projects in ${config.projectPath}...`);
   }
 };
 
+// src/gitlab/client.ts
+import { execSync as execSync2 } from "child_process";
+import { mkdtempSync, rmSync, existsSync as existsSync15 } from "fs";
+import { join as join4 } from "path";
+import { tmpdir } from "os";
+var GitLabClient = class {
+  baseUrl;
+  token;
+  apiUrl;
+  constructor(baseUrl, token) {
+    this.baseUrl = baseUrl.replace(/\/+$/, "");
+    this.token = token;
+    this.apiUrl = `${this.baseUrl}/api/v4`;
+  }
+  // ─── Project Listing ────────────────────────────────────────
+  /**
+   * Lists all accessible projects, paginated.
+   * Returns all pages concatenated.
+   */
+  async listAllProjects(options) {
+    const perPage = options?.perPage ?? 100;
+    const maxPages = options?.maxPages ?? 100;
+    const allProjects = [];
+    let page = 1;
+    while (page <= maxPages) {
+      const params = new URLSearchParams({
+        per_page: String(perPage),
+        page: String(page),
+        order_by: "last_activity_at",
+        sort: "desc",
+        simple: "false"
+      });
+      if (options?.archived !== void 0) {
+        params.set("archived", String(options.archived));
+      }
+      const url = `${this.apiUrl}/projects?${params.toString()}`;
+      const projects = await this.fetch(url);
+      if (projects.length === 0) break;
+      allProjects.push(...projects);
+      page++;
+      if (projects.length < perPage) break;
+    }
+    return allProjects;
+  }
+  /**
+   * Lists projects within a specific group (and its subgroups).
+   */
+  async listGroupProjects(groupPath, options) {
+    const perPage = options?.perPage ?? 100;
+    const includeSubgroups = options?.includeSubgroups ?? true;
+    const allProjects = [];
+    let page = 1;
+    while (true) {
+      const params = new URLSearchParams({
+        per_page: String(perPage),
+        page: String(page),
+        include_subgroups: String(includeSubgroups),
+        order_by: "last_activity_at",
+        sort: "desc"
+      });
+      const encoded = encodeURIComponent(groupPath);
+      const url = `${this.apiUrl}/groups/${encoded}/projects?${params.toString()}`;
+      const projects = await this.fetch(url);
+      if (projects.length === 0) break;
+      allProjects.push(...projects);
+      page++;
+      if (projects.length < perPage) break;
+    }
+    return allProjects;
+  }
+  /**
+   * Lists all groups accessible to the token.
+   */
+  async listGroups() {
+    const allGroups = [];
+    let page = 1;
+    while (true) {
+      const params = new URLSearchParams({
+        per_page: "100",
+        page: String(page)
+      });
+      const url = `${this.apiUrl}/groups?${params.toString()}`;
+      const groups = await this.fetch(url);
+      if (groups.length === 0) break;
+      allGroups.push(...groups);
+      page++;
+      if (groups.length < 100) break;
+    }
+    return allGroups;
+  }
+  // ─── Cloning ────────────────────────────────────────────────
+  /**
+   * Shallow-clones a repo into a temporary directory.
+   * Returns the path to the cloned repo.
+   *
+   * Uses HTTPS with token auth embedded in the URL
+   * (works for self-hosted GitLab with private-token).
+   */
+  cloneToTemp(project, branch) {
+    const tempDir = mkdtempSync(join4(tmpdir(), `verimu-gl-${project.id}-`));
+    const cloneUrl = this.buildAuthUrl(project.http_url_to_repo);
+    const targetBranch = branch ?? project.default_branch;
+    try {
+      execSync2(
+        `git clone --depth 1 --branch "${targetBranch}" --single-branch "${cloneUrl}" "${tempDir}"`,
+        {
+          stdio: "pipe",
+          timeout: 12e4,
+          // 2 minute timeout per clone
+          env: {
+            ...process.env,
+            GIT_TERMINAL_PROMPT: "0"
+            // Never prompt for auth
+          }
+        }
+      );
+    } catch (err) {
+      this.cleanupTemp(tempDir);
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(`Clone failed for ${project.path_with_namespace}: ${msg}`);
+    }
+    return tempDir;
+  }
+  /**
+   * Removes a temporary clone directory.
+   */
+  cleanupTemp(tempDir) {
+    if (existsSync15(tempDir)) {
+      rmSync(tempDir, { recursive: true, force: true });
+    }
+  }
+  // ─── Helpers ────────────────────────────────────────────────
+  /**
+   * Builds an authenticated HTTPS URL for git clone.
+   * Embeds the token as oauth2 password.
+   */
+  buildAuthUrl(httpUrl) {
+    const url = new URL(httpUrl);
+    url.username = "oauth2";
+    url.password = this.token;
+    return url.toString();
+  }
+  /**
+   * Makes an authenticated GET request to the GitLab API.
+   */
+  async fetch(url) {
+    const response = await globalThis.fetch(url, {
+      headers: {
+        "PRIVATE-TOKEN": this.token,
+        "Accept": "application/json"
+      }
+    });
+    if (!response.ok) {
+      const body = await response.text().catch(() => "no body");
+      throw new Error(
+        `GitLab API error: ${response.status} ${response.statusText} \u2014 ${url}
+${body}`
+      );
+    }
+    return response.json();
+  }
+};
+
+// src/gitlab/orchestrator.ts
+var GitLabOrchestrator = class {
+  discovery = new LockfileDiscovery();
+  /**
+   * Scans all accessible repos on a GitLab instance.
+   */
+  async scanInstance(config) {
+    const startTime = Date.now();
+    const client = new GitLabClient(config.url, config.token);
+    console.log(`
+  Connecting to ${config.url}...`);
+    let projects;
+    if (config.groups && config.groups.length > 0) {
+      const grouped = [];
+      for (const group of config.groups) {
+        console.log(`  Listing projects in group: ${group}`);
+        const groupProjects = await client.listGroupProjects(group);
+        grouped.push(...groupProjects);
+      }
+      const seen = /* @__PURE__ */ new Set();
+      projects = grouped.filter((p) => {
+        if (seen.has(p.id)) return false;
+        seen.add(p.id);
+        return true;
+      });
+    } else {
+      console.log("  Listing all accessible projects...");
+      projects = await client.listAllProjects({
+        archived: config.excludeArchived !== false ? false : void 0
+      });
+    }
+    console.log(`  Found ${projects.length} projects
+`);
+    const { toScan, skipped } = this.filterProjects(projects, config);
+    console.log(`  Scanning ${toScan.length} repos (${skipped.length} skipped)
+`);
+    const scannedRepos = [];
+    const failedRepos = [];
+    for (let i = 0; i < toScan.length; i++) {
+      const project = toScan[i];
+      const label = `[${i + 1}/${toScan.length}]`;
+      console.log(`  ${label} ${project.path_with_namespace}`);
+      const repoStart = Date.now();
+      let tempDir = null;
+      try {
+        process.stdout.write("    Cloning... ");
+        tempDir = client.cloneToTemp(project, config.branch);
+        console.log("done");
+        const discovered = await this.discovery.discover({
+          rootPath: tempDir
+        });
+        if (discovered.length === 0) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            project,
+            reports: [],
+            hasLockfile: false,
+            durationMs: Date.now() - repoStart
+          });
+          continue;
+        }
+        console.log(`    Found ${discovered.length} project(s)`);
+        const reports = [];
+        for (const disc of discovered) {
+          const subLabel = discovered.length > 1 ? ` (${disc.relativePath})` : "";
+          const uploadProjectName = discovered.length > 1 && disc.relativePath !== "." ? `${project.path_with_namespace}/${disc.relativePath}` : project.path_with_namespace;
+          const safeArtifactSuffix = uploadProjectName.replace(/[\\/:*?"<>|]/g, "-").replace(/\s+/g, "-").toLowerCase();
+          const sbomOutput = `${tempDir}/sbom.${safeArtifactSuffix}.cdx.json`;
+          process.stdout.write(`    Scanning${subLabel}... `);
+          try {
+            const report = await scan({
+              projectPath: disc.projectPath,
+              sbomOutput,
+              skipCveCheck: config.skipCveCheck ?? false,
+              apiKey: config.apiKey,
+              apiBaseUrl: config.apiBaseUrl,
+              groupName: config.groupName,
+              uploadProjectName,
+              repositoryUrl: project.web_url,
+              platform: "gitlab"
+            });
+            const vulnCount = report.summary.totalVulnerabilities;
+            const depCount = report.summary.totalDependencies;
+            if (vulnCount > 0) {
+              console.log(
+                `${depCount} deps, ${vulnCount} vulns (C:${report.summary.critical} H:${report.summary.high} M:${report.summary.medium} L:${report.summary.low})`
+              );
+            } else {
+              console.log(`${depCount} deps, clean`);
+            }
+            reports.push(report);
+          } catch (scanErr) {
+            const msg = scanErr instanceof Error ? scanErr.message : String(scanErr);
+            console.log(`FAILED: ${msg.slice(0, 80)}`);
+          }
+        }
+        const durationMs = Date.now() - repoStart;
+        scannedRepos.push({
+          project,
+          reports,
+          hasLockfile: true,
+          durationMs
+        });
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const durationMs = Date.now() - repoStart;
+        if (msg.includes("No supported lockfile") || msg.includes("NoLockfileError")) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            project,
+            reports: [],
+            hasLockfile: false,
+            durationMs
+          });
+        } else {
+          console.log(`    FAILED: ${msg.slice(0, 100)}`);
+          failedRepos.push({ project, error: msg });
+        }
+      } finally {
+        if (tempDir) {
+          client.cleanupTemp(tempDir);
+        }
+      }
+      console.log("");
+    }
+    const result = this.aggregate(
+      config.url,
+      projects.length,
+      scannedRepos,
+      skipped,
+      failedRepos,
+      Date.now() - startTime
+    );
+    this.printSummary(result);
+    return result;
+  }
+  // ─── Filtering ──────────────────────────────────────────────
+  filterProjects(projects, config) {
+    const toScan = [];
+    const skipped = [];
+    for (const project of projects) {
+      if (config.excludeArchived !== false && project.archived) {
+        skipped.push({ project, reason: "archived" });
+        continue;
+      }
+      if (config.excludeEmpty !== false && project.empty_repo) {
+        skipped.push({ project, reason: "empty repository" });
+        continue;
+      }
+      if (config.excludePatterns?.length) {
+        const matched = config.excludePatterns.some(
+          (pattern) => this.matchGlob(project.path_with_namespace, pattern)
+        );
+        if (matched) {
+          skipped.push({ project, reason: "matched exclude pattern" });
+          continue;
+        }
+      }
+      toScan.push(project);
+    }
+    if (config.maxRepos && toScan.length > config.maxRepos) {
+      const trimmed = toScan.splice(config.maxRepos);
+      for (const p of trimmed) {
+        skipped.push({ project: p, reason: "exceeded --max-repos limit" });
+      }
+    }
+    return { toScan, skipped };
+  }
+  matchGlob(str, pattern) {
+    const regex = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*\*/g, "{{GLOBSTAR}}").replace(/\*/g, "[^/]*").replace(/{{GLOBSTAR}}/g, ".*").replace(/\?/g, ".");
+    return new RegExp(`^${regex}$`).test(str);
+  }
+  // ─── Aggregation ────────────────────────────────────────────
+  aggregate(instanceUrl, totalDiscovered, scannedRepos, skippedRepos, failedRepos, durationMs) {
+    const reposWithData = scannedRepos.filter((r) => r.reports.length > 0);
+    const ecosystemBreakdown = {};
+    let totalDeps = 0;
+    let totalVulns = 0;
+    let critical = 0;
+    let high = 0;
+    let medium = 0;
+    let low = 0;
+    let exploitedInWild = 0;
+    let reposWithVulns = 0;
+    for (const { reports } of reposWithData) {
+      let repoHasVulns = false;
+      for (const report of reports) {
+        totalDeps += report.summary.totalDependencies;
+        totalVulns += report.summary.totalVulnerabilities;
+        critical += report.summary.critical;
+        high += report.summary.high;
+        medium += report.summary.medium;
+        low += report.summary.low;
+        exploitedInWild += report.summary.exploitedInWild;
+        if (report.summary.totalVulnerabilities > 0) {
+          repoHasVulns = true;
+        }
+        const eco = report.project.ecosystem;
+        ecosystemBreakdown[eco] = (ecosystemBreakdown[eco] ?? 0) + 1;
+      }
+      if (repoHasVulns) reposWithVulns++;
+    }
+    const vulnMap = /* @__PURE__ */ new Map();
+    for (const { project, reports } of reposWithData) {
+      for (const report of reports) {
+        for (const vuln of report.cveCheck.vulnerabilities) {
+          const existing = vulnMap.get(vuln.id);
+          if (existing) {
+            if (!existing.affectedRepos.includes(project.path_with_namespace)) {
+              existing.affectedRepos.push(project.path_with_namespace);
+            }
+          } else {
+            vulnMap.set(vuln.id, {
+              id: vuln.id,
+              severity: vuln.severity,
+              summary: vuln.summary,
+              affectedRepos: [project.path_with_namespace],
+              fixedVersion: vuln.fixedVersion,
+              exploitedInWild: vuln.exploitedInWild
+            });
+          }
+        }
+      }
+    }
+    const severityOrder3 = {
+      CRITICAL: 0,
+      HIGH: 1,
+      MEDIUM: 2,
+      LOW: 3,
+      UNKNOWN: 4
+    };
+    const topVulnerabilities = Array.from(vulnMap.values()).sort((a, b) => {
+      const sevDiff = severityOrder3[a.severity] - severityOrder3[b.severity];
+      if (sevDiff !== 0) return sevDiff;
+      return b.affectedRepos.length - a.affectedRepos.length;
+    });
+    return {
+      instanceUrl,
+      totalReposDiscovered: totalDiscovered,
+      scannedRepos,
+      skippedRepos,
+      failedRepos,
+      summary: {
+        totalRepos: reposWithData.length,
+        reposWithVulnerabilities: reposWithVulns,
+        totalDependencies: totalDeps,
+        totalVulnerabilities: totalVulns,
+        critical,
+        high,
+        medium,
+        low,
+        exploitedInWild,
+        ecosystemBreakdown
+      },
+      topVulnerabilities,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      durationMs
+    };
+  }
+  // ─── Summary Printing ───────────────────────────────────────
+  printSummary(result) {
+    console.log("\n" + "\u2550".repeat(60));
+    console.log("  VERIMU GITLAB INSTANCE SCAN \u2014 COMPLETE");
+    console.log("\u2550".repeat(60));
+    console.log(`
+  Instance:     ${result.instanceUrl}`);
+    console.log(`  Repos found:  ${result.totalReposDiscovered}`);
+    console.log(`  Repos scanned: ${result.summary.totalRepos}`);
+    console.log(`  Repos with vulns: ${result.summary.reposWithVulnerabilities}`);
+    console.log(`  Skipped:      ${result.skippedRepos.length}`);
+    console.log(`  Failed:       ${result.failedRepos.length}`);
+    console.log("");
+    console.log(`  Total dependencies:     ${result.summary.totalDependencies}`);
+    console.log(`  Total vulnerabilities:  ${result.summary.totalVulnerabilities}`);
+    console.log(`    Critical: ${result.summary.critical}`);
+    console.log(`    High:     ${result.summary.high}`);
+    console.log(`    Medium:   ${result.summary.medium}`);
+    console.log(`    Low:      ${result.summary.low}`);
+    if (result.summary.exploitedInWild > 0) {
+      console.log(`
+  \u{1F534} ${result.summary.exploitedInWild} actively exploited \u2014 CRA 24h reporting required`);
+    }
+    if (Object.keys(result.summary.ecosystemBreakdown).length > 0) {
+      console.log("\n  Ecosystems:");
+      for (const [eco, count] of Object.entries(result.summary.ecosystemBreakdown)) {
+        console.log(`    ${eco}: ${count} project(s)`);
+      }
+    }
+    console.log(`
+  Completed in ${(result.durationMs / 1e3).toFixed(1)}s`);
+    console.log("");
+  }
+};
+
+// src/github/client.ts
+import { execSync as execSync3 } from "child_process";
+import { mkdtempSync as mkdtempSync2, rmSync as rmSync2, existsSync as existsSync16 } from "fs";
+import { join as join5 } from "path";
+import { tmpdir as tmpdir2 } from "os";
+function parseProfile(input, baseUrl) {
+  const trimmed = input.trim();
+  try {
+    const url = new URL(trimmed);
+    const pathSegments = url.pathname.split("/").filter(Boolean);
+    if (pathSegments.length >= 1) {
+      return { login: pathSegments[0] };
+    }
+  } catch {
+  }
+  if (trimmed.includes("/") && !trimmed.startsWith("http")) {
+    try {
+      const url = new URL(`https://${trimmed}`);
+      const pathSegments = url.pathname.split("/").filter(Boolean);
+      if (pathSegments.length >= 1) {
+        return { login: pathSegments[0] };
+      }
+    } catch {
+    }
+  }
+  if (!trimmed || trimmed.includes(" ")) {
+    throw new Error(`Invalid GitHub profile: "${input}". Provide an org/user handle or URL.`);
+  }
+  return { login: trimmed };
+}
+var GitHubClient = class {
+  baseUrl;
+  apiUrl;
+  token;
+  lastRateLimit;
+  constructor(baseUrl, token) {
+    this.baseUrl = baseUrl.replace(/\/+$/, "");
+    this.token = token;
+    if (this.baseUrl === "https://github.com" || this.baseUrl === "http://github.com") {
+      this.apiUrl = "https://api.github.com";
+    } else {
+      this.apiUrl = `${this.baseUrl}/api/v3`;
+    }
+  }
+  // ─── Owner Type Detection ──────────────────────────────────
+  /**
+   * Determines whether a login is a User or Organization by
+   * calling GET /users/{username} and reading the `type` field.
+   */
+  async detectOwnerType(login) {
+    const data = await this.fetch(`${this.apiUrl}/users/${encodeURIComponent(login)}`);
+    if (data.type === "Organization") return "org";
+    return "user";
+  }
+  // ─── Repo Listing ──────────────────────────────────────────
+  /**
+   * Lists repositories for an organization.
+   * Uses GET /orgs/{org}/repos with pagination.
+   */
+  async listOrgRepos(org) {
+    return this.paginate(
+      `${this.apiUrl}/orgs/${encodeURIComponent(org)}/repos`,
+      { type: "all", sort: "pushed", direction: "desc" }
+    );
+  }
+  /**
+   * Lists repositories for a user.
+   *
+    * - Without token: GET /users/{username}/repos
+    *   - default: type=all
+    *   - ownerOnly: type=owner
+   * - With token for own user: GET /user/repos filtered by owner login
+   *   (includes private repos the token can see)
+    * - With token for other user: GET /users/{username}/repos
+   *   (only public repos visible)
+   */
+  async listUserRepos(login, ownerOnly = false) {
+    if (this.token) {
+      try {
+        const authedUser = await this.fetch(`${this.apiUrl}/user`);
+        if (authedUser.login.toLowerCase() === login.toLowerCase()) {
+          const allRepos = await this.paginate(
+            `${this.apiUrl}/user/repos`,
+            { sort: "pushed", direction: "desc", affiliation: "owner" }
+          );
+          return allRepos;
+        }
+      } catch {
+      }
+    }
+    return this.paginate(
+      `${this.apiUrl}/users/${encodeURIComponent(login)}/repos`,
+      { type: ownerOnly ? "owner" : "all", sort: "pushed", direction: "desc" }
+    );
+  }
+  /**
+   * Lists repos based on resolved owner type.
+   */
+  async listRepos(login, ownerType, options) {
+    if (ownerType === "org") {
+      return this.listOrgRepos(login);
+    }
+    return this.listUserRepos(login, options?.ownerOnly ?? false);
+  }
+  // ─── Cloning ───────────────────────────────────────────────
+  /**
+   * Shallow-clones a repo into a temporary directory.
+   * Returns the path to the cloned repo.
+   *
+   * Uses HTTPS with token auth embedded in the URL (when token is available).
+   */
+  cloneToTemp(repo, branch) {
+    const tempDir = mkdtempSync2(join5(tmpdir2(), `verimu-gh-${repo.id}-`));
+    const cloneUrl = this.token ? this.buildAuthUrl(repo.clone_url) : repo.clone_url;
+    const targetBranch = branch ?? repo.default_branch;
+    try {
+      execSync3(
+        `git clone --depth 1 --branch "${targetBranch}" --single-branch "${cloneUrl}" "${tempDir}"`,
+        {
+          stdio: "pipe",
+          timeout: 12e4,
+          // 2 minute timeout per clone
+          env: {
+            ...process.env,
+            GIT_TERMINAL_PROMPT: "0"
+            // Never prompt for auth
+          }
+        }
+      );
+    } catch (err) {
+      this.cleanupTemp(tempDir);
+      const msg = err instanceof Error ? err.message : String(err);
+      throw new Error(`Clone failed for ${repo.full_name}: ${msg}`);
+    }
+    return tempDir;
+  }
+  /**
+   * Removes a temporary clone directory.
+   */
+  cleanupTemp(tempDir) {
+    if (existsSync16(tempDir)) {
+      rmSync2(tempDir, { recursive: true, force: true });
+    }
+  }
+  // ─── Rate Limit Accessors ──────────────────────────────────
+  /** Returns the last observed rate limit info, if any. */
+  getRateLimit() {
+    return this.lastRateLimit;
+  }
+  /**
+   * Returns the hourly rate limit for this client configuration.
+   * - Unauthenticated: 60 requests/hour
+   * - Authenticated (PAT/OAuth): 5,000 requests/hour
+   */
+  getExpectedRateLimit() {
+    return this.token ? 5e3 : 60;
+  }
+  // ─── Internals ─────────────────────────────────────────────
+  /**
+   * Paginated GET — fetches all pages of a list endpoint.
+   * GitHub uses `per_page` (max 100) and `page` parameters.
+   */
+  async paginate(url, params = {}) {
+    const all = [];
+    let page = 1;
+    const perPage = 100;
+    while (true) {
+      const searchParams = new URLSearchParams({
+        ...params,
+        per_page: String(perPage),
+        page: String(page)
+      });
+      const fullUrl = `${url}?${searchParams.toString()}`;
+      const items = await this.fetch(fullUrl);
+      if (items.length === 0) break;
+      all.push(...items);
+      page++;
+      if (items.length < perPage) break;
+    }
+    return all;
+  }
+  /**
+   * Builds an authenticated HTTPS URL for git clone.
+   * Embeds the token as a password with "x-access-token" user.
+   */
+  buildAuthUrl(httpUrl) {
+    const url = new URL(httpUrl);
+    url.username = "x-access-token";
+    url.password = this.token;
+    return url.toString();
+  }
+  /**
+   * Makes an authenticated GET request to the GitHub API.
+   *
+   * Rate limit handling:
+   * - Reads X-RateLimit-Remaining and X-RateLimit-Reset headers
+   * - If remaining is 0, waits until the reset time or throws with actionable message
+   * - Retries on transient 502/503/504 with exponential backoff (up to 3 retries)
+   * - Returns 403/429 rate limit errors with reset time information
+   */
+  async fetch(url) {
+    const maxRetries = 3;
+    let lastError = null;
+    for (let attempt = 0; attempt <= maxRetries; attempt++) {
+      if (this.lastRateLimit && this.lastRateLimit.remaining === 0) {
+        const now = Date.now();
+        const resetMs = this.lastRateLimit.resetAt.getTime();
+        if (now < resetMs) {
+          const waitSec = Math.ceil((resetMs - now) / 1e3);
+          if (waitSec <= 60) {
+            console.log(`    Rate limit reached. Waiting ${waitSec}s for reset...`);
+            await this.sleep(waitSec * 1e3);
+          } else {
+            throw new Error(
+              `GitHub API rate limit exceeded. Limit: ${this.lastRateLimit.limit} requests/hour${this.token ? "" : " (unauthenticated \u2014 use --token for 5,000/hour)"}. Resets at ${this.lastRateLimit.resetAt.toLocaleTimeString()} (${waitSec}s from now).`
+            );
+          }
+        }
+      }
+      const headers = {
+        "Accept": "application/vnd.github+json",
+        "X-GitHub-Api-Version": "2022-11-28"
+      };
+      if (this.token) {
+        headers["Authorization"] = `Bearer ${this.token}`;
+      }
+      let response;
+      try {
+        response = await globalThis.fetch(url, { headers });
+      } catch (err) {
+        lastError = err instanceof Error ? err : new Error(String(err));
+        if (attempt < maxRetries) {
+          await this.sleep(1e3 * 2 ** attempt);
+          continue;
+        }
+        throw lastError;
+      }
+      this.updateRateLimit(response);
+      if (response.ok) {
+        return response.json();
+      }
+      if (response.status === 403 || response.status === 429) {
+        const body2 = await response.text().catch(() => "no body");
+        if (body2.includes("rate limit") || body2.includes("API rate limit") || response.status === 429) {
+          const resetHeader = response.headers.get("X-RateLimit-Reset");
+          const resetAt = resetHeader ? new Date(Number(resetHeader) * 1e3) : new Date(Date.now() + 6e4);
+          const waitSec = Math.ceil((resetAt.getTime() - Date.now()) / 1e3);
+          const retryAfter = response.headers.get("Retry-After");
+          if (retryAfter && attempt < maxRetries) {
+            const waitMs = Number(retryAfter) * 1e3;
+            console.log(`    Rate limited (secondary). Waiting ${retryAfter}s...`);
+            await this.sleep(Math.min(waitMs, 6e4));
+            continue;
+          }
+          throw new Error(
+            `GitHub API rate limit exceeded (${response.status}). ${this.token ? "" : "Unauthenticated requests are limited to 60/hour \u2014 use --token for 5,000/hour. "}Resets at ${resetAt.toLocaleTimeString()} (${Math.max(0, waitSec)}s from now).`
+          );
+        }
+        throw new Error(
+          `GitHub API error: ${response.status} ${response.statusText} \u2014 ${url}
+${body2}`
+        );
+      }
+      if ([502, 503, 504].includes(response.status) && attempt < maxRetries) {
+        lastError = new Error(`GitHub API error: ${response.status} ${response.statusText}`);
+        await this.sleep(1e3 * 2 ** attempt);
+        continue;
+      }
+      const body = await response.text().catch(() => "no body");
+      throw new Error(
+        `GitHub API error: ${response.status} ${response.statusText} \u2014 ${url}
+${body}`
+      );
+    }
+    throw lastError ?? new Error(`GitHub API request failed after ${maxRetries} retries`);
+  }
+  /**
+   * Updates internal rate limit tracker from response headers.
+   */
+  updateRateLimit(response) {
+    const limit = response.headers.get("X-RateLimit-Limit");
+    const remaining = response.headers.get("X-RateLimit-Remaining");
+    const reset = response.headers.get("X-RateLimit-Reset");
+    const used = response.headers.get("X-RateLimit-Used");
+    if (limit && remaining && reset) {
+      this.lastRateLimit = {
+        limit: Number(limit),
+        remaining: Number(remaining),
+        resetAt: new Date(Number(reset) * 1e3),
+        used: used ? Number(used) : 0
+      };
+    }
+  }
+  sleep(ms) {
+    return new Promise((resolve2) => setTimeout(resolve2, ms));
+  }
+};
+
+// src/github/orchestrator.ts
+var GitHubOrchestrator = class {
+  discovery = new LockfileDiscovery();
+  /**
+   * Scans all repos for a GitHub profile (org or user).
+   */
+  async scanProfile(config) {
+    const startTime = Date.now();
+    const client = new GitHubClient(config.baseUrl, config.token);
+    const { login } = parseProfile(config.profile, config.baseUrl);
+    console.log(`
+  GitHub profile: ${login}`);
+    console.log(`  Base URL: ${config.baseUrl}`);
+    console.log(`  Auth: ${config.token ? "token provided (5,000 req/h)" : "unauthenticated (60 req/h)"}`);
+    process.stdout.write("  Detecting profile type... ");
+    const ownerType = await client.detectOwnerType(login);
+    console.log(ownerType);
+    console.log("  Listing repositories...");
+    const repos = await client.listRepos(login, ownerType, {
+      ownerOnly: config.ownerOnly ?? false
+    });
+    console.log(`  Found ${repos.length} repositories
+`);
+    const { toScan, skipped } = this.filterRepos(repos, config);
+    console.log(`  Scanning ${toScan.length} repos (${skipped.length} skipped)
+`);
+    const scannedRepos = [];
+    const failedRepos = [];
+    for (let i = 0; i < toScan.length; i++) {
+      const repo = toScan[i];
+      const label = `[${i + 1}/${toScan.length}]`;
+      console.log(`  ${label} ${repo.full_name}`);
+      const repoStart = Date.now();
+      let tempDir = null;
+      try {
+        process.stdout.write("    Cloning... ");
+        tempDir = client.cloneToTemp(repo, config.branch);
+        console.log("done");
+        const discovered = await this.discovery.discover({
+          rootPath: tempDir
+        });
+        if (discovered.length === 0) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            repo,
+            reports: [],
+            hasLockfile: false,
+            durationMs: Date.now() - repoStart
+          });
+          continue;
+        }
+        console.log(`    Found ${discovered.length} project(s)`);
+        const reports = [];
+        const autoGroupName = this.getAutoGroupName(repo, discovered.length, config.groupName);
+        for (const disc of discovered) {
+          const subLabel = discovered.length > 1 ? ` (${disc.relativePath})` : "";
+          const uploadProjectName = this.getUploadProjectName(repo, disc.relativePath, discovered.length);
+          const safeArtifactSuffix = uploadProjectName.replace(/[\\/:*?"<>|]/g, "-").replace(/\s+/g, "-").toLowerCase();
+          const sbomOutput = `${tempDir}/sbom.${safeArtifactSuffix}.cdx.json`;
+          process.stdout.write(`    Scanning${subLabel}... `);
+          try {
+            const report = await scan({
+              projectPath: disc.projectPath,
+              sbomOutput,
+              skipCveCheck: config.skipCveCheck ?? false,
+              apiKey: config.apiKey,
+              apiBaseUrl: config.apiBaseUrl,
+              groupName: autoGroupName,
+              uploadProjectName,
+              repositoryUrl: repo.html_url,
+              platform: "github"
+            });
+            const vulnCount = report.summary.totalVulnerabilities;
+            const depCount = report.summary.totalDependencies;
+            if (vulnCount > 0) {
+              console.log(
+                `${depCount} deps, ${vulnCount} vulns (C:${report.summary.critical} H:${report.summary.high} M:${report.summary.medium} L:${report.summary.low})`
+              );
+            } else {
+              console.log(`${depCount} deps, clean`);
+            }
+            reports.push(report);
+          } catch (scanErr) {
+            const msg = scanErr instanceof Error ? scanErr.message : String(scanErr);
+            console.log(`FAILED: ${msg.slice(0, 80)}`);
+          }
+        }
+        const durationMs = Date.now() - repoStart;
+        scannedRepos.push({
+          repo,
+          reports,
+          hasLockfile: true,
+          durationMs
+        });
+      } catch (err) {
+        const msg = err instanceof Error ? err.message : String(err);
+        const durationMs = Date.now() - repoStart;
+        if (msg.includes("No supported lockfile") || msg.includes("NoLockfileError")) {
+          console.log("    no lockfile found");
+          scannedRepos.push({
+            repo,
+            reports: [],
+            hasLockfile: false,
+            durationMs
+          });
+        } else {
+          console.log(`    FAILED: ${msg.slice(0, 100)}`);
+          failedRepos.push({ repo, error: msg });
+        }
+      } finally {
+        if (tempDir) {
+          client.cleanupTemp(tempDir);
+        }
+      }
+      console.log("");
+    }
+    const result = this.aggregate(
+      config.baseUrl,
+      login,
+      ownerType,
+      repos.length,
+      scannedRepos,
+      skipped,
+      failedRepos,
+      Date.now() - startTime
+    );
+    this.printSummary(result);
+    return result;
+  }
+  // ─── Filtering ──────────────────────────────────────────────
+  filterRepos(repos, config) {
+    const toScan = [];
+    const skipped = [];
+    for (const repo of repos) {
+      if (config.excludeArchived !== false && repo.archived) {
+        skipped.push({ repo, reason: "archived" });
+        continue;
+      }
+      if (config.excludeForks && repo.fork) {
+        skipped.push({ repo, reason: "fork" });
+        continue;
+      }
+      toScan.push(repo);
+    }
+    if (config.maxRepos && toScan.length > config.maxRepos) {
+      const trimmed = toScan.splice(config.maxRepos);
+      for (const r of trimmed) {
+        skipped.push({ repo: r, reason: "exceeded --max-repos limit" });
+      }
+    }
+    return { toScan, skipped };
+  }
+  getUploadProjectName(repo, relativePath, totalProjectsInRepo) {
+    if (totalProjectsInRepo > 1) {
+      return relativePath === "." ? repo.name : relativePath;
+    }
+    return repo.full_name;
+  }
+  getAutoGroupName(repo, totalProjectsInRepo, configuredGroupName) {
+    if (configuredGroupName) {
+      return configuredGroupName;
+    }
+    return totalProjectsInRepo > 1 ? repo.full_name : void 0;
+  }
+  // ─── Aggregation ────────────────────────────────────────────
+  aggregate(instanceUrl, profile, profileType, totalDiscovered, scannedRepos, skippedRepos, failedRepos, durationMs) {
+    const reposWithData = scannedRepos.filter((r) => r.reports.length > 0);
+    const ecosystemBreakdown = {};
+    let totalDeps = 0;
+    let totalVulns = 0;
+    let critical = 0;
+    let high = 0;
+    let medium = 0;
+    let low = 0;
+    let exploitedInWild = 0;
+    let reposWithVulns = 0;
+    for (const { reports } of reposWithData) {
+      let repoHasVulns = false;
+      for (const report of reports) {
+        totalDeps += report.summary.totalDependencies;
+        totalVulns += report.summary.totalVulnerabilities;
+        critical += report.summary.critical;
+        high += report.summary.high;
+        medium += report.summary.medium;
+        low += report.summary.low;
+        exploitedInWild += report.summary.exploitedInWild;
+        if (report.summary.totalVulnerabilities > 0) {
+          repoHasVulns = true;
+        }
+        const eco = report.project.ecosystem;
+        ecosystemBreakdown[eco] = (ecosystemBreakdown[eco] ?? 0) + 1;
+      }
+      if (repoHasVulns) reposWithVulns++;
+    }
+    const vulnMap = /* @__PURE__ */ new Map();
+    for (const { repo, reports } of reposWithData) {
+      for (const report of reports) {
+        for (const vuln of report.cveCheck.vulnerabilities) {
+          const existing = vulnMap.get(vuln.id);
+          if (existing) {
+            if (!existing.affectedRepos.includes(repo.full_name)) {
+              existing.affectedRepos.push(repo.full_name);
+            }
+          } else {
+            vulnMap.set(vuln.id, {
+              id: vuln.id,
+              severity: vuln.severity,
+              summary: vuln.summary,
+              affectedRepos: [repo.full_name],
+              fixedVersion: vuln.fixedVersion,
+              exploitedInWild: vuln.exploitedInWild
+            });
+          }
+        }
+      }
+    }
+    const severityOrder3 = {
+      CRITICAL: 0,
+      HIGH: 1,
+      MEDIUM: 2,
+      LOW: 3,
+      UNKNOWN: 4
+    };
+    const topVulnerabilities = Array.from(vulnMap.values()).sort((a, b) => {
+      const sevDiff = severityOrder3[a.severity] - severityOrder3[b.severity];
+      if (sevDiff !== 0) return sevDiff;
+      return b.affectedRepos.length - a.affectedRepos.length;
+    });
+    return {
+      instanceUrl,
+      profile,
+      profileType,
+      totalReposDiscovered: totalDiscovered,
+      scannedRepos,
+      skippedRepos,
+      failedRepos,
+      summary: {
+        totalRepos: reposWithData.length,
+        reposWithVulnerabilities: reposWithVulns,
+        totalDependencies: totalDeps,
+        totalVulnerabilities: totalVulns,
+        critical,
+        high,
+        medium,
+        low,
+        exploitedInWild,
+        ecosystemBreakdown
+      },
+      topVulnerabilities,
+      scannedAt: (/* @__PURE__ */ new Date()).toISOString(),
+      durationMs
+    };
+  }
+  // ─── Summary Printing ───────────────────────────────────────
+  printSummary(result) {
+    const noLockfile = result.scannedRepos.filter((r) => !r.hasLockfile).length;
+    const withLockfile = result.scannedRepos.filter((r) => r.hasLockfile).length;
+    console.log("\n" + "\u2550".repeat(60));
+    console.log("  VERIMU GITHUB SCAN \u2014 COMPLETE");
+    console.log("\u2550".repeat(60));
+    console.log(`
+  Profile:      ${result.profile} (${result.profileType})`);
+    console.log(`  Instance:     ${result.instanceUrl}`);
+    console.log("");
+    console.log(`  Repos found:      ${result.totalReposDiscovered}`);
+    console.log(`    With lockfile:  ${withLockfile}`);
+    console.log(`    No lockfile:    ${noLockfile}`);
+    console.log(`    Skipped:        ${result.skippedRepos.length}  (archived/fork/limit)`);
+    console.log(`    Failed:         ${result.failedRepos.length}  (clone/scan error)`);
+    console.log("");
+    console.log(`  Repos with vulns: ${result.summary.reposWithVulnerabilities} / ${withLockfile}`);
+    console.log("");
+    console.log(`  Total dependencies:     ${result.summary.totalDependencies}`);
+    console.log(`  Total vulnerabilities:  ${result.summary.totalVulnerabilities}`);
+    console.log(`    Critical: ${result.summary.critical}`);
+    console.log(`    High:     ${result.summary.high}`);
+    console.log(`    Medium:   ${result.summary.medium}`);
+    console.log(`    Low:      ${result.summary.low}`);
+    if (result.summary.exploitedInWild > 0) {
+      console.log(`
+  \u{1F534} ${result.summary.exploitedInWild} actively exploited \u2014 CRA 24h reporting required`);
+    }
+    if (Object.keys(result.summary.ecosystemBreakdown).length > 0) {
+      console.log("\n  Ecosystems:");
+      for (const [eco, count] of Object.entries(result.summary.ecosystemBreakdown)) {
+        console.log(`    ${eco}: ${count} project(s)`);
+      }
+    }
+    console.log(`
+  Completed in ${(result.durationMs / 1e3).toFixed(1)}s`);
+    console.log("");
+  }
+};
+
+// src/reporters/html.ts
+var HtmlReporter = class {
+  name = "html";
+  generate(result) {
+    return `<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Verimu Security Report \u2014 ${this.escapeHtml(result.instanceUrl)}</title>
+${this.styles()}
+</head>
+<body>
+<div class="container">
+  ${this.header(result)}
+  ${this.summaryCards(result)}
+  ${this.severityChart(result)}
+  ${this.topVulnerabilities(result)}
+  ${this.repoBreakdown(result)}
+  ${this.ecosystemBreakdown(result)}
+  ${this.craTimeline(result)}
+  ${this.footer(result)}
+</div>
+</body>
+</html>`;
+  }
+  // ─── Sections ─────────────────────────────────────────────
+  header(result) {
+    const date = new Date(result.scannedAt).toLocaleDateString("en-US", {
+      year: "numeric",
+      month: "long",
+      day: "numeric"
+    });
+    return `
+  <header>
+    <div class="brand">
+      <div class="logo">V</div>
+      <div>
+        <h1>Security posture report</h1>
+        <p class="subtitle">${this.escapeHtml(result.instanceUrl)} \u2014 ${date}</p>
+      </div>
+    </div>
+    <p class="intro">
+      This report summarizes the current vulnerability landscape across
+      <strong>${result.summary.totalRepos} repositories</strong> containing
+      <strong>${result.summary.totalDependencies.toLocaleString()} dependencies</strong>.
+      Generated by <a href="https://verimu.com">Verimu</a> CRA Compliance Scanner.
+    </p>
+  </header>`;
+  }
+  summaryCards(result) {
+    const s = result.summary;
+    const vulnRepoPercent = s.totalRepos > 0 ? Math.round(s.reposWithVulnerabilities / s.totalRepos * 100) : 0;
+    return `
+  <section class="cards">
+    <div class="card">
+      <div class="card-value">${s.totalRepos}</div>
+      <div class="card-label">Repos scanned</div>
+    </div>
+    <div class="card">
+      <div class="card-value">${s.totalDependencies.toLocaleString()}</div>
+      <div class="card-label">Total dependencies</div>
+    </div>
+    <div class="card card-danger">
+      <div class="card-value">${s.totalVulnerabilities}</div>
+      <div class="card-label">Vulnerabilities found</div>
+    </div>
+    <div class="card ${vulnRepoPercent > 50 ? "card-danger" : vulnRepoPercent > 25 ? "card-warn" : ""}">
+      <div class="card-value">${vulnRepoPercent}%</div>
+      <div class="card-label">Repos with vulns</div>
+    </div>
+  </section>`;
+  }
+  severityChart(result) {
+    const s = result.summary;
+    const total = s.totalVulnerabilities || 1;
+    const bars = [
+      { label: "Critical", count: s.critical, cls: "sev-critical" },
+      { label: "High", count: s.high, cls: "sev-high" },
+      { label: "Medium", count: s.medium, cls: "sev-medium" },
+      { label: "Low", count: s.low, cls: "sev-low" }
+    ];
+    const barHtml = bars.map((b) => {
+      const width = Math.max(2, b.count / total * 100);
+      return `
+      <div class="bar-row">
+        <span class="bar-label">${b.label}</span>
+        <div class="bar-track">
+          <div class="bar-fill ${b.cls}" style="width: ${width}%"></div>
+        </div>
+        <span class="bar-count">${b.count}</span>
+      </div>`;
+    }).join("");
+    return `
+  <section>
+    <h2>Severity breakdown</h2>
+    <div class="chart">${barHtml}</div>
+    ${s.exploitedInWild > 0 ? `
+    <div class="alert alert-critical">
+      <strong>\u26A0 ${s.exploitedInWild} vulnerabilit${s.exploitedInWild === 1 ? "y" : "ies"} actively exploited in the wild.</strong>
+      Under the EU Cyber Resilience Act, actively exploited vulnerabilities require
+      notification to ENISA within 24 hours of awareness.
+    </div>` : ""}
+  </section>`;
+  }
+  topVulnerabilities(result) {
+    if (result.topVulnerabilities.length === 0) {
+      return `
+  <section>
+    <h2>Vulnerabilities</h2>
+    <p class="empty">No known vulnerabilities detected. Nice work.</p>
+  </section>`;
+    }
+    const top = result.topVulnerabilities.slice(0, 30);
+    const rows = top.map(
+      (vuln) => `
+      <tr>
+        <td><span class="sev-badge ${this.sevClass(vuln.severity)}">${vuln.severity}</span></td>
+        <td class="vuln-id">${this.escapeHtml(vuln.id)}</td>
+        <td>${this.escapeHtml(vuln.summary.slice(0, 120))}</td>
+        <td>${vuln.fixedVersion ? this.escapeHtml(vuln.fixedVersion) : '<span class="no-fix">none</span>'}</td>
+        <td>${vuln.affectedRepos.length}</td>
+        <td>${vuln.exploitedInWild ? '<span class="exploited">YES</span>' : ""}</td>
+      </tr>`
+    ).join("");
+    return `
+  <section>
+    <h2>Top vulnerabilities</h2>
+    <p class="section-desc">Sorted by severity, then by number of affected repositories.</p>
+    <div class="table-wrap">
+      <table>
+        <thead>
+          <tr>
+            <th>Severity</th>
+            <th>ID</th>
+            <th>Summary</th>
+            <th>Fix</th>
+            <th>Repos</th>
+            <th>Exploited</th>
+          </tr>
+        </thead>
+        <tbody>${rows}</tbody>
+      </table>
+    </div>
+  </section>`;
+  }
+  repoBreakdown(result) {
+    const repos = result.scannedRepos.filter((r) => r.reports.length > 0).sort((a, b) => {
+      const aVulns = a.reports.reduce((s, r) => s + r.summary.totalVulnerabilities, 0);
+      const bVulns = b.reports.reduce((s, r) => s + r.summary.totalVulnerabilities, 0);
+      return bVulns - aVulns;
+    });
+    const rows = repos.map((r) => {
+      const s = r.reports.reduce((acc, rpt) => ({ totalVulnerabilities: acc.totalVulnerabilities + rpt.summary.totalVulnerabilities, critical: acc.critical + rpt.summary.critical, high: acc.high + rpt.summary.high, medium: acc.medium + rpt.summary.medium, low: acc.low + rpt.summary.low, totalDependencies: acc.totalDependencies + rpt.summary.totalDependencies }), { totalVulnerabilities: 0, critical: 0, high: 0, medium: 0, low: 0, totalDependencies: 0 });
+      const vulnBadge = s.totalVulnerabilities > 0 ? `<span class="sev-badge ${s.critical > 0 ? "sev-critical" : s.high > 0 ? "sev-high" : s.medium > 0 ? "sev-medium" : "sev-low"}">${s.totalVulnerabilities}</span>` : '<span class="clean">clean</span>';
+      return `
+      <tr>
+        <td class="repo-name">${this.escapeHtml(r.project.path_with_namespace)}</td>
+        <td>${r.reports.map((rpt) => rpt.project.ecosystem).filter((v, i, a) => a.indexOf(v) === i).join(", ")}</td>
+        <td>${s.totalDependencies}</td>
+        <td>${vulnBadge}</td>
+        <td>${s.critical}</td>
+        <td>${s.high}</td>
+        <td>${s.medium}</td>
+        <td>${s.low}</td>
+      </tr>`;
+    }).join("");
+    return `
+  <section>
+    <h2>Repository breakdown</h2>
+    <p class="section-desc">${repos.length} repositories with dependency lockfiles.</p>
+    <div class="table-wrap">
+      <table>
+        <thead>
+          <tr>
+            <th>Repository</th>
+            <th>Ecosystem</th>
+            <th>Deps</th>
+            <th>Vulns</th>
+            <th>Crit</th>
+            <th>High</th>
+            <th>Med</th>
+            <th>Low</th>
+          </tr>
+        </thead>
+        <tbody>${rows}</tbody>
+      </table>
+    </div>
+  </section>`;
+  }
+  ecosystemBreakdown(result) {
+    const eco = result.summary.ecosystemBreakdown;
+    if (Object.keys(eco).length === 0) return "";
+    const items = Object.entries(eco).sort((a, b) => b[1] - a[1]).map(([name, count]) => `
+        <div class="eco-item">
+          <span class="eco-name">${name}</span>
+          <span class="eco-count">${count} repo${count !== 1 ? "s" : ""}</span>
+        </div>`).join("");
+    return `
+  <section>
+    <h2>Ecosystem distribution</h2>
+    <div class="eco-grid">${items}</div>
+  </section>`;
+  }
+  craTimeline(result) {
+    const s = result.summary;
+    if (s.totalVulnerabilities === 0) return "";
+    return `
+  <section>
+    <h2>CRA compliance implications</h2>
+    <div class="cra-box">
+      <p>The <strong>EU Cyber Resilience Act</strong> (Regulation 2024/2847) establishes
+      mandatory cybersecurity requirements for products with digital elements.
+      Key obligations relevant to this scan:</p>
+      <ul>
+        <li><strong>Article 14(2):</strong> Manufacturers must identify and document
+        vulnerabilities, including in third-party components (your dependencies).</li>
+        <li><strong>Article 14(4):</strong> Actively exploited vulnerabilities must be
+        reported to ENISA within 24 hours of awareness${s.exploitedInWild > 0 ? ` \u2014 <strong class="text-danger">${s.exploitedInWild} found in this scan</strong>` : ""}.</li>
+        <li><strong>Article 14(3):</strong> Security updates must be provided free of charge
+        for the support period.</li>
+        <li><strong>Annex I, Part II(1):</strong> An SBOM documenting all components must
+        be maintained \u2014 Verimu generates these in CycloneDX, SPDX, and SWID formats.</li>
+      </ul>
+      <p class="cra-note">Full enforcement begins <strong>11 December 2027</strong>.
+      Vulnerability reporting obligations apply from <strong>11 September 2026</strong>.</p>
+    </div>
+  </section>`;
+  }
+  footer(result) {
+    const duration = (result.durationMs / 1e3).toFixed(1);
+    return `
+  <footer>
+    <p>Generated by <a href="https://verimu.com">Verimu</a> CRA Compliance Scanner
+    in ${duration}s on ${new Date(result.scannedAt).toISOString()}</p>
+    <p class="footer-cta">
+      Continuous monitoring, SBOM management, and CRA compliance dashboards available at
+      <a href="https://app.verimu.com">app.verimu.com</a>
+    </p>
+  </footer>`;
+  }
+  // ─── Styling ──────────────────────────────────────────────
+  styles() {
+    return `<style>
+  :root {
+    --bg: #ffffff; --bg2: #f7f8fa; --text: #1a1a2e; --text2: #555770;
+    --border: #e2e4ea; --accent: #4f46e5; --accent-light: #eef2ff;
+    --crit: #dc2626; --crit-bg: #fef2f2;
+    --high: #ea580c; --high-bg: #fff7ed;
+    --med: #d97706; --med-bg: #fffbeb;
+    --low: #2563eb; --low-bg: #eff6ff;
+    --green: #16a34a; --green-bg: #f0fdf4;
+    --radius: 8px; --radius-lg: 12px;
+  }
+  @media (prefers-color-scheme: dark) {
+    :root {
+      --bg: #0f0f1a; --bg2: #1a1a2e; --text: #e4e4f0; --text2: #9595ad;
+      --border: #2a2a40; --accent: #818cf8; --accent-light: #1e1b4b;
+      --crit-bg: #2a0a0a; --high-bg: #2a1a0a; --med-bg: #2a2200; --low-bg: #0a1a2e;
+      --green-bg: #0a2a1a;
+    }
+  }
+  * { box-sizing: border-box; margin: 0; padding: 0; }
+  body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', system-ui, sans-serif;
+    background: var(--bg); color: var(--text); line-height: 1.6; }
+  .container { max-width: 960px; margin: 0 auto; padding: 2rem 1.5rem; }
+  a { color: var(--accent); text-decoration: none; }
+  a:hover { text-decoration: underline; }
+
+  /* Header */
+  header { margin-bottom: 2rem; }
+  .brand { display: flex; align-items: center; gap: 1rem; margin-bottom: 1rem; }
+  .logo { width: 48px; height: 48px; background: var(--accent); color: #fff;
+    border-radius: var(--radius); display: flex; align-items: center; justify-content: center;
+    font-size: 24px; font-weight: 700; }
+  h1 { font-size: 22px; font-weight: 600; }
+  .subtitle { color: var(--text2); font-size: 14px; }
+  .intro { color: var(--text2); font-size: 15px; max-width: 700px; }
+
+  /* Cards */
+  .cards { display: grid; grid-template-columns: repeat(auto-fit, minmax(140px, 1fr));
+    gap: 12px; margin-bottom: 2rem; }
+  .card { background: var(--bg2); border-radius: var(--radius-lg); padding: 1.25rem;
+    border: 1px solid var(--border); }
+  .card-value { font-size: 28px; font-weight: 700; }
+  .card-label { font-size: 13px; color: var(--text2); margin-top: 4px; }
+  .card-danger .card-value { color: var(--crit); }
+  .card-warn .card-value { color: var(--med); }
+
+  /* Sections */
+  section { margin-bottom: 2.5rem; }
+  h2 { font-size: 18px; font-weight: 600; margin-bottom: 0.75rem; }
+  .section-desc { color: var(--text2); font-size: 14px; margin-bottom: 1rem; }
+  .empty { color: var(--green); font-weight: 500; }
+
+  /* Bar chart */
+  .chart { max-width: 500px; }
+  .bar-row { display: flex; align-items: center; gap: 8px; margin-bottom: 8px; }
+  .bar-label { width: 60px; font-size: 13px; color: var(--text2); text-align: right; }
+  .bar-track { flex: 1; height: 24px; background: var(--bg2); border-radius: 4px;
+    overflow: hidden; border: 1px solid var(--border); }
+  .bar-fill { height: 100%; border-radius: 3px; transition: width 0.3s; }
+  .bar-count { width: 36px; font-size: 14px; font-weight: 600; }
+  .sev-critical, .bar-fill.sev-critical { background: var(--crit); color: #fff; }
+  .sev-high, .bar-fill.sev-high { background: var(--high); color: #fff; }
+  .sev-medium, .bar-fill.sev-medium { background: var(--med); color: #fff; }
+  .sev-low, .bar-fill.sev-low { background: var(--low); color: #fff; }
+
+  /* Tables */
+  .table-wrap { overflow-x: auto; border: 1px solid var(--border); border-radius: var(--radius-lg); }
+  table { width: 100%; border-collapse: collapse; font-size: 13px; }
+  th { background: var(--bg2); font-weight: 600; font-size: 12px; text-transform: uppercase;
+    letter-spacing: 0.5px; color: var(--text2); padding: 10px 12px; text-align: left;
+    border-bottom: 1px solid var(--border); }
+  td { padding: 10px 12px; border-bottom: 1px solid var(--border); vertical-align: middle; }
+  tr:last-child td { border-bottom: none; }
+  tr:hover td { background: var(--bg2); }
+  .repo-name { font-weight: 500; font-size: 13px; }
+  .vuln-id { font-family: monospace; font-size: 12px; white-space: nowrap; }
+
+  /* Badges */
+  .sev-badge { display: inline-block; padding: 2px 8px; border-radius: 4px;
+    font-size: 11px; font-weight: 700; text-transform: uppercase; }
+  .clean { color: var(--green); font-size: 12px; font-weight: 500; }
+  .no-fix { color: var(--text2); font-size: 12px; }
+  .exploited { color: var(--crit); font-weight: 700; font-size: 12px; }
+
+  /* Alert */
+  .alert { padding: 1rem 1.25rem; border-radius: var(--radius); margin-top: 1rem; font-size: 14px; }
+  .alert-critical { background: var(--crit-bg); border: 1px solid var(--crit); color: var(--crit); }
+
+  /* Ecosystem grid */
+  .eco-grid { display: flex; flex-wrap: wrap; gap: 8px; }
+  .eco-item { background: var(--bg2); border: 1px solid var(--border); border-radius: var(--radius);
+    padding: 8px 16px; display: flex; align-items: center; gap: 8px; }
+  .eco-name { font-weight: 600; font-size: 14px; }
+  .eco-count { color: var(--text2); font-size: 13px; }
+
+  /* CRA */
+  .cra-box { background: var(--accent-light); border: 1px solid var(--accent);
+    border-radius: var(--radius-lg); padding: 1.5rem; font-size: 14px; }
+  .cra-box ul { margin: 0.75rem 0; padding-left: 1.5rem; }
+  .cra-box li { margin-bottom: 0.5rem; }
+  .cra-note { margin-top: 1rem; font-weight: 600; }
+  .text-danger { color: var(--crit); }
+
+  /* Footer */
+  footer { border-top: 1px solid var(--border); padding-top: 1.5rem; margin-top: 2rem;
+    color: var(--text2); font-size: 13px; }
+  .footer-cta { margin-top: 0.5rem; }
+
+  @media print {
+    .container { max-width: 100%; }
+    .card { break-inside: avoid; }
+  }
+</style>`;
+  }
+  // ─── Helpers ──────────────────────────────────────────────
+  escapeHtml(str) {
+    return str.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
+  }
+  sevClass(severity) {
+    const map = {
+      CRITICAL: "sev-critical",
+      HIGH: "sev-high",
+      MEDIUM: "sev-medium",
+      LOW: "sev-low",
+      UNKNOWN: "sev-low"
+    };
+    return map[severity] ?? "sev-low";
+  }
+};
+
 // src/cli.ts
 var require2 = createRequire(import.meta.url);
 var pkg = require2("../package.json");
@@ -19306,6 +20730,14 @@ function parseArgs(argv) {
     groupName: void 0,
     recursive: true,
     // Recursive by default
+    gitlabUrl: void 0,
+    gitlabToken: void 0,
+    gitlabGroups: void 0,
+    excludeArchived: true,
+    excludeForks: true,
+    maxRepos: void 0,
+    htmlOutput: void 0,
+    jsonOutput: void 0,
     exclude: void 0
   };
   let i = 0;
@@ -19316,6 +20748,37 @@ function parseArgs(argv) {
     } else if (arg === "generate-sbom" || arg === "sbom") {
       result.command = "generate-sbom";
       result.skipCveCheck = true;
+    } else if (arg === "gitlab") {
+      result.command = "gitlab";
+    } else if (arg === "github") {
+      result.command = "github";
+    } else if (arg === "--url") {
+      const urlVal = args[++i] ?? "";
+      result.gitlabUrl = urlVal;
+      result.githubUrl = urlVal;
+    } else if (arg === "--token") {
+      const tokenVal = args[++i] ?? "";
+      result.gitlabToken = tokenVal;
+      result.githubToken = tokenVal;
+    } else if (arg === "--profile") {
+      result.githubProfile = args[++i] ?? "";
+    } else if (arg === "--owner-only") {
+      result.githubOwnerOnly = true;
+    } else if (arg === "--groups") {
+      const val = args[++i] ?? "";
+      result.gitlabGroups = val.split(",").map((g) => g.trim());
+    } else if (arg === "--no-archived") {
+      result.excludeArchived = true;
+    } else if (arg === "--include-archived") {
+      result.excludeArchived = false;
+    } else if (arg === "--include-forks") {
+      result.excludeForks = false;
+    } else if (arg === "--max-repos") {
+      result.maxRepos = Number.parseInt(args[++i] ?? "0", 10);
+    } else if (arg === "--html-output" || arg === "--html") {
+      result.htmlOutput = args[++i] ?? "./verimu-report.html";
+    } else if (arg === "--json-output") {
+      result.jsonOutput = args[++i] ?? "./verimu-report.json";
     } else if (arg === "help" || arg === "--help" || arg === "-h") {
       result.command = "help";
     } else if (arg === "version" || arg === "--version" || arg === "-v") {
@@ -19389,6 +20852,16 @@ async function main() {
     printHelp();
     return;
   }
+  if (args.command === "gitlab") {
+    console.log(BRAND);
+    await runGitLabScan(args);
+    return;
+  }
+  if (args.command === "github") {
+    console.log(BRAND);
+    await runGitHubScan(args);
+    return;
+  }
   console.log(BRAND);
   const apiKey = process.env.VERIMU_API_KEY;
   const apiBaseUrl = process.env.VERIMU_API_URL;
@@ -19474,6 +20947,146 @@ async function main() {
     process.exit(1);
   }
 }
+async function runGitLabScan(args) {
+  const url = args.gitlabUrl || process.env.GITLAB_URL || process.env.VERIMU_GITLAB_URL;
+  const token = args.gitlabToken || process.env.GITLAB_TOKEN || process.env.VERIMU_GITLAB_TOKEN;
+  if (!url) {
+    logError("GitLab URL required. Use --url or set GITLAB_URL / VERIMU_GITLAB_URL");
+    process.exit(2);
+  }
+  if (!token) {
+    logError("GitLab token required. Use --token or set GITLAB_TOKEN / VERIMU_GITLAB_TOKEN");
+    process.exit(2);
+  }
+  const config = {
+    url,
+    token,
+    groups: args.gitlabGroups,
+    excludeArchived: args.excludeArchived ?? true,
+    excludeForks: args.excludeForks ?? true,
+    maxRepos: args.maxRepos,
+    htmlOutput: args.htmlOutput,
+    jsonOutput: args.jsonOutput,
+    skipCveCheck: args.skipCveCheck,
+    apiKey: process.env.VERIMU_API_KEY,
+    apiBaseUrl: process.env.VERIMU_API_URL,
+    groupName: args.groupName
+  };
+  const orchestrator = new GitLabOrchestrator();
+  const result = await orchestrator.scanInstance(config);
+  if (args.htmlOutput) {
+    const reporter = new HtmlReporter();
+    const html = reporter.generate(result);
+    const { writeFile: wf } = await import("fs/promises");
+    await wf(args.htmlOutput, html, "utf-8");
+    logSuccess("HTML report: " + args.htmlOutput);
+  }
+  if (args.jsonOutput) {
+    const { writeFile: wf } = await import("fs/promises");
+    await wf(args.jsonOutput, JSON.stringify(result, null, 2), "utf-8");
+    logSuccess("JSON report: " + args.jsonOutput);
+  }
+  if (result.summary.totalVulnerabilities > 0 && args.failOnSeverity) {
+    process.exit(1);
+  }
+}
+async function runGitHubScan(args) {
+  const baseUrl = args.githubUrl || process.env.GITHUB_URL || "https://github.com";
+  const token = args.githubToken || process.env.GITHUB_TOKEN;
+  const profile = args.githubProfile || process.env.GITHUB_PROFILE;
+  if (!profile) {
+    logError("GitHub profile required. Use --profile <org-or-user> or set GITHUB_PROFILE");
+    log("  Example: npx verimu github --profile octokit");
+    log("  Example: npx verimu github --profile https://github.com/my-org");
+    process.exit(2);
+  }
+  if (!token) {
+    logWarn("No GitHub token provided. Only public repos will be scanned (60 API requests/hour).");
+    log("  Use --token or set GITHUB_TOKEN for private repo access (5,000 requests/hour).");
+    console.log("");
+  }
+  const config = {
+    baseUrl,
+    profile,
+    token: token || void 0,
+    ownerOnly: args.githubOwnerOnly ?? false,
+    excludeArchived: args.excludeArchived ?? true,
+    excludeForks: args.excludeForks ?? true,
+    maxRepos: args.maxRepos,
+    htmlOutput: args.htmlOutput,
+    jsonOutput: args.jsonOutput,
+    skipCveCheck: args.skipCveCheck,
+    apiKey: process.env.VERIMU_API_KEY,
+    apiBaseUrl: process.env.VERIMU_API_URL,
+    groupName: args.groupName
+  };
+  const orchestrator = new GitHubOrchestrator();
+  const result = await orchestrator.scanProfile(config);
+  if (args.htmlOutput) {
+    const reporter = new HtmlReporter();
+    const adapted = adaptGitHubResultForHtml(result);
+    const html = reporter.generate(adapted);
+    const { writeFile: wf } = await import("fs/promises");
+    await wf(args.htmlOutput, html, "utf-8");
+    logSuccess("HTML report: " + args.htmlOutput);
+  }
+  if (args.jsonOutput) {
+    const { writeFile: wf } = await import("fs/promises");
+    await wf(args.jsonOutput, JSON.stringify(result, null, 2), "utf-8");
+    logSuccess("JSON report: " + args.jsonOutput);
+  }
+  if (result.summary.totalVulnerabilities > 0 && args.failOnSeverity) {
+    process.exit(1);
+  }
+}
+function adaptGitHubResultForHtml(result) {
+  const toGitLabProject = (repo) => ({
+    id: repo.id,
+    name: repo.name,
+    name_with_namespace: repo.full_name,
+    path: repo.name,
+    path_with_namespace: repo.full_name,
+    description: null,
+    http_url_to_repo: repo.clone_url,
+    ssh_url_to_repo: "",
+    web_url: repo.html_url,
+    default_branch: repo.default_branch,
+    archived: repo.archived,
+    empty_repo: false,
+    visibility: repo.private ? "private" : "public",
+    last_activity_at: "",
+    namespace: {
+      id: 0,
+      name: repo.owner.login,
+      path: repo.owner.login,
+      kind: repo.owner.type === "Organization" ? "group" : "user",
+      full_path: repo.owner.login
+    }
+  });
+  return {
+    instanceUrl: `${result.instanceUrl}/${result.profile}`,
+    totalReposDiscovered: result.totalReposDiscovered,
+    scannedRepos: result.scannedRepos.map((r) => ({
+      project: toGitLabProject(r.repo),
+      reports: r.reports,
+      hasLockfile: r.hasLockfile,
+      error: r.error,
+      durationMs: r.durationMs
+    })),
+    skippedRepos: result.skippedRepos.map((s) => ({
+      project: toGitLabProject(s.repo),
+      reason: s.reason
+    })),
+    failedRepos: result.failedRepos.map((f) => ({
+      project: toGitLabProject(f.repo),
+      error: f.error
+    })),
+    summary: result.summary,
+    topVulnerabilities: result.topVulnerabilities,
+    scannedAt: result.scannedAt,
+    durationMs: result.durationMs
+  };
+}
 function printMultiProjectSummary(result) {
   console.log("\n" + "\u2500".repeat(60));
   console.log("Multi-Project Scan Summary");
@@ -19523,6 +21136,37 @@ function printHelp() {
     verimu help                     Show this help
     verimu version                  Show version
 
+  GitLab scanning:
+    verimu gitlab [options]       Scan all repos on a GitLab instance
+
+  GitLab options:
+    --url <url>            GitLab instance URL (or GITLAB_URL env)
+    --token <token>        Personal access token (or GITLAB_TOKEN env)
+    --groups <g1,g2>       Only scan repos in these groups
+    --include-archived     Include archived repos (excluded by default)
+    --include-forks        Include forked repos (excluded by default)
+    --max-repos <n>        Limit number of repos to scan
+    --html-output <file>   Write HTML report (e.g., ./report.html)
+    --json-output <file>   Write JSON aggregate report
+
+  GitHub scanning:
+    verimu github [options]       Scan repos for a GitHub org or user
+
+  GitHub options:
+    --profile <handle|url> GitHub org/user to scan (required)
+    --url <url>            GitHub base URL (default: https://github.com, for GHES)
+    --token <token>        GitHub PAT (or GITHUB_TOKEN env). Without token: public
+                           repos only, 60 API requests/hour. With token: private +
+                           public repos, 5,000 requests/hour.
+    --owner-only           For user profiles, list only owner repos (default: all)
+    --include-archived     Include archived repos (excluded by default)
+    --include-forks        Include forked repos (excluded by default)
+    --max-repos <n>        Limit number of repos to scan
+    --html-output <file>   Write HTML report
+    --json-output <file>   Write JSON aggregate report
+    --skip-cve             Skip CVE vulnerability checking
+    --group-name <name>    Group name for Verimu platform
+
   Options:
     --path, -p <dir>       Project directory to scan (default: .)
     --output, -o <file>    CycloneDX output path (SPDX/SWID are written alongside it)
@@ -19544,6 +21188,8 @@ function printHelp() {
   Environment:
     VERIMU_API_KEY         API key for Verimu platform (from app.verimu.com)
     VERIMU_API_URL         Custom API URL (default: https://api.verimu.com)
+    GITHUB_TOKEN           GitHub personal access token
+    GITHUB_URL             GitHub base URL for GHES (default: https://github.com)
 
   Examples:
     npx verimu                                    # Scan all projects recursively
@@ -19556,6 +21202,18 @@ function printHelp() {
     npx verimu scan --no-recursive                # Scan only root directory
     npx verimu scan --exclude "legacy/*"          # Exclude legacy projects
 
+  GitLab examples:
+    GITLAB_TOKEN=xxx npx verimu gitlab --url https://git.example.com --html report.html
+    npx verimu gitlab --url https://git.example.com --token xxx --groups myteam
+    npx verimu gitlab --url https://git.example.com --token xxx --max-repos 5
+
+  GitHub examples:
+    npx verimu github --profile octokit --max-repos 5 --json-output report.json
+    npx verimu github --profile Saksham0170 --owner-only
+    GITHUB_TOKEN=ghp_xxx npx verimu github --profile my-org --html-output report.html
+    npx verimu github --profile https://github.com/my-org --token ghp_xxx
+    npx verimu github --url https://github.company.com --profile team --token xxx
+
   Supported ecosystems:
     npm (package-lock.json)         pip (requirements.txt)
     Maven (pom.xml)                 NuGet (packages.lock.json)