cli/pkg/security/cmd_secrets.go

package security

import (
	"encoding/json"
	"fmt"

	"github.com/host-uk/core/pkg/cli"
	"github.com/host-uk/core/pkg/i18n"
)

func addSecretsCommand(parent *cli.Command) {
	cmd := &cli.Command{
		Use:   "secrets",
		Short: i18n.T("cmd.security.secrets.short"),
		Long:  i18n.T("cmd.security.secrets.long"),
		RunE: func(c *cli.Command, args []string) error {
			return runSecrets()
		},
	}

	cmd.Flags().StringVar(&securityRegistryPath, "registry", "", i18n.T("common.flag.registry"))
	cmd.Flags().StringVar(&securityRepo, "repo", "", i18n.T("cmd.security.flag.repo"))
	cmd.Flags().BoolVar(&securityJSON, "json", false, i18n.T("common.flag.json"))

	parent.AddCommand(cmd)
}

// SecretAlert represents a secret scanning alert for output.
type SecretAlert struct {
	Repo           string `json:"repo"`
	Number         int    `json:"number"`
	SecretType     string `json:"secret_type"`
	State          string `json:"state"`
	Resolution     string `json:"resolution,omitempty"`
	PushProtection bool   `json:"push_protection_bypassed"`
}

func runSecrets() error {
	if err := checkGH(); err != nil {
		return err
	}

	reg, err := loadRegistry(securityRegistryPath)
	if err != nil {
		return err
	}

	repoList := getReposToCheck(reg, securityRepo)
	if len(repoList) == 0 {
		return cli.Err("repo not found: %s", securityRepo)
	}

	var allAlerts []SecretAlert
	openCount := 0

	for _, repo := range repoList {
		repoFullName := fmt.Sprintf("%s/%s", reg.Org, repo.Name)

		alerts, err := fetchSecretScanningAlerts(repoFullName)
		if err != nil {
			continue
		}

		for _, alert := range alerts {
			if alert.State != "open" {
				continue
			}
			openCount++

			secretAlert := SecretAlert{
				Repo:           repo.Name,
				Number:         alert.Number,
				SecretType:     alert.SecretType,
				State:          alert.State,
				Resolution:     alert.Resolution,
				PushProtection: alert.PushProtection,
			}
			allAlerts = append(allAlerts, secretAlert)
		}
	}

	if securityJSON {
		output, err := json.MarshalIndent(allAlerts, "", "  ")
		if err != nil {
			return cli.Wrap(err, "marshal JSON output")
		}
		cli.Text(string(output))
		return nil
	}

	// Print summary
	cli.Blank()
	if openCount > 0 {
		cli.Print("%s %s\n", cli.DimStyle.Render("Secrets:"), cli.ErrorStyle.Render(fmt.Sprintf("%d open", openCount)))
	} else {
		cli.Print("%s %s\n", cli.DimStyle.Render("Secrets:"), cli.SuccessStyle.Render("No exposed secrets"))
	}
	cli.Blank()

	if len(allAlerts) == 0 {
		return nil
	}

	// Print table
	for _, alert := range allAlerts {
		bypassed := ""
		if alert.PushProtection {
			bypassed = cli.WarningStyle.Render(" (push protection bypassed)")
		}

		cli.Print("%-16s %-6d %-30s%s\n",
			cli.ValueStyle.Render(alert.Repo),
			alert.Number,
			cli.ErrorStyle.Render(alert.SecretType),
			bypassed,
		)
	}
	cli.Blank()

	return nil
}
feat(security): add core security command for vulnerability alerts (#66) * feat(security): add core security command for vulnerability alerts Adds `core security` command area to expose GitHub security data: - `core security alerts` - aggregated view of all security alerts - `core security deps` - Dependabot vulnerability alerts with upgrade paths - `core security scan` - CodeQL and code scanning alerts - `core security secrets` - secret scanning alerts Features: - Filter by --repo, --severity (critical,high,medium,low) - JSON output with --json for AI agent consumption - Aggregated summary with severity breakdown - Shows patched versions for easy upgrades Closes #48 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): address CodeRabbit review feedback - Remove unused flattened fields from DependabotAlert struct - Add Unknown field to AlertSummary for unrecognized severities - Add doc comments for exported Add and String methods - Use cli.Wrap for contextual error wrapping - Fix secret scanning summary counting after filter - Remove unused --vulnerable flag from deps command - Fix JSON output to only include open alerts in secrets command Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): handle json.MarshalIndent errors Address CodeRabbit review feedback by properly handling errors from json.MarshalIndent in all security subcommands instead of ignoring them. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-01 06:04:21 +00:00			`package security`

			`import (`
			`"encoding/json"`
			`"fmt"`

			`"github.com/host-uk/core/pkg/cli"`
			`"github.com/host-uk/core/pkg/i18n"`
			`)`

			`func addSecretsCommand(parent *cli.Command) {`
			`cmd := &cli.Command{`
			`Use: "secrets",`
			`Short: i18n.T("cmd.security.secrets.short"),`
			`Long: i18n.T("cmd.security.secrets.long"),`
			`RunE: func(c *cli.Command, args []string) error {`
			`return runSecrets()`
			`},`
			`}`

			`cmd.Flags().StringVar(&securityRegistryPath, "registry", "", i18n.T("common.flag.registry"))`
			`cmd.Flags().StringVar(&securityRepo, "repo", "", i18n.T("cmd.security.flag.repo"))`
			`cmd.Flags().BoolVar(&securityJSON, "json", false, i18n.T("common.flag.json"))`

			`parent.AddCommand(cmd)`
			`}`

			`// SecretAlert represents a secret scanning alert for output.`
			`type SecretAlert struct {`
			Repo string `json:"repo"`
			Number int `json:"number"`
			SecretType string `json:"secret_type"`
			State string `json:"state"`
			Resolution string `json:"resolution,omitempty"`
			PushProtection bool `json:"push_protection_bypassed"`
			`}`

			`func runSecrets() error {`
			`if err := checkGH(); err != nil {`
			`return err`
			`}`

			`reg, err := loadRegistry(securityRegistryPath)`
			`if err != nil {`
			`return err`
			`}`

			`repoList := getReposToCheck(reg, securityRepo)`
			`if len(repoList) == 0 {`
			`return cli.Err("repo not found: %s", securityRepo)`
			`}`

			`var allAlerts []SecretAlert`
			`openCount := 0`

			`for _, repo := range repoList {`
			`repoFullName := fmt.Sprintf("%s/%s", reg.Org, repo.Name)`

			`alerts, err := fetchSecretScanningAlerts(repoFullName)`
			`if err != nil {`
			`continue`
			`}`

			`for _, alert := range alerts {`
			`if alert.State != "open" {`
			`continue`
			`}`
			`openCount++`

			`secretAlert := SecretAlert{`
			`Repo: repo.Name,`
			`Number: alert.Number,`
			`SecretType: alert.SecretType,`
			`State: alert.State,`
			`Resolution: alert.Resolution,`
			`PushProtection: alert.PushProtection,`
			`}`
			`allAlerts = append(allAlerts, secretAlert)`
			`}`
			`}`

			`if securityJSON {`
			`output, err := json.MarshalIndent(allAlerts, "", " ")`
			`if err != nil {`
			`return cli.Wrap(err, "marshal JSON output")`
			`}`
			`cli.Text(string(output))`
			`return nil`
			`}`

			`// Print summary`
			`cli.Blank()`
			`if openCount > 0 {`
			`cli.Print("%s %s\n", cli.DimStyle.Render("Secrets:"), cli.ErrorStyle.Render(fmt.Sprintf("%d open", openCount)))`
			`} else {`
			`cli.Print("%s %s\n", cli.DimStyle.Render("Secrets:"), cli.SuccessStyle.Render("No exposed secrets"))`
			`}`
			`cli.Blank()`

			`if len(allAlerts) == 0 {`
			`return nil`
			`}`

			`// Print table`
			`for _, alert := range allAlerts {`
			`bypassed := ""`
			`if alert.PushProtection {`
			`bypassed = cli.WarningStyle.Render(" (push protection bypassed)")`
			`}`

			`cli.Print("%-16s %-6d %-30s%s\n",`
			`cli.ValueStyle.Render(alert.Repo),`
			`alert.Number,`
			`cli.ErrorStyle.Render(alert.SecretType),`
			`bypassed,`
			`)`
			`}`
			`cli.Blank()`

			`return nil`
			`}`