cli/internal/cmd/security/cmd_scan.go

package security

import (
	"encoding/json"
	"fmt"

	"github.com/host-uk/core/pkg/cli"
	"github.com/host-uk/core/pkg/i18n"
)

var (
	scanTool string
)

func addScanCommand(parent *cli.Command) {
	cmd := &cli.Command{
		Use:   "scan",
		Short: i18n.T("cmd.security.scan.short"),
		Long:  i18n.T("cmd.security.scan.long"),
		RunE: func(c *cli.Command, args []string) error {
			return runScan()
		},
	}

	cmd.Flags().StringVar(&securityRegistryPath, "registry", "", i18n.T("common.flag.registry"))
	cmd.Flags().StringVar(&securityRepo, "repo", "", i18n.T("cmd.security.flag.repo"))
	cmd.Flags().StringVar(&securitySeverity, "severity", "", i18n.T("cmd.security.flag.severity"))
	cmd.Flags().StringVar(&scanTool, "tool", "", i18n.T("cmd.security.scan.flag.tool"))
	cmd.Flags().BoolVar(&securityJSON, "json", false, i18n.T("common.flag.json"))

	parent.AddCommand(cmd)
}

// ScanAlert represents a code scanning alert for output.
type ScanAlert struct {
	Repo        string `json:"repo"`
	Severity    string `json:"severity"`
	RuleID      string `json:"rule_id"`
	Tool        string `json:"tool"`
	Path        string `json:"path"`
	Line        int    `json:"line"`
	Description string `json:"description"`
	Message     string `json:"message"`
}

func runScan() error {
	if err := checkGH(); err != nil {
		return err
	}

	reg, err := loadRegistry(securityRegistryPath)
	if err != nil {
		return err
	}

	repoList := getReposToCheck(reg, securityRepo)
	if len(repoList) == 0 {
		return cli.Err("repo not found: %s", securityRepo)
	}

	var allAlerts []ScanAlert
	summary := &AlertSummary{}

	for _, repo := range repoList {
		repoFullName := fmt.Sprintf("%s/%s", reg.Org, repo.Name)

		alerts, err := fetchCodeScanningAlerts(repoFullName)
		if err != nil {
			continue
		}

		for _, alert := range alerts {
			if alert.State != "open" {
				continue
			}

			// Filter by tool if specified
			if scanTool != "" && alert.Tool.Name != scanTool {
				continue
			}

			severity := alert.Rule.Severity
			if severity == "" {
				severity = "medium" // Default if not specified
			}

			if !filterBySeverity(severity, securitySeverity) {
				continue
			}

			summary.Add(severity)

			scanAlert := ScanAlert{
				Repo:        repo.Name,
				Severity:    severity,
				RuleID:      alert.Rule.ID,
				Tool:        alert.Tool.Name,
				Path:        alert.MostRecentInstance.Location.Path,
				Line:        alert.MostRecentInstance.Location.StartLine,
				Description: alert.Rule.Description,
				Message:     alert.MostRecentInstance.Message.Text,
			}
			allAlerts = append(allAlerts, scanAlert)
		}
	}

	if securityJSON {
		output, err := json.MarshalIndent(allAlerts, "", "  ")
		if err != nil {
			return cli.Wrap(err, "marshal JSON output")
		}
		cli.Text(string(output))
		return nil
	}

	// Print summary
	cli.Blank()
	cli.Print("%s %s\n", cli.DimStyle.Render("Code Scanning:"), summary.String())
	cli.Blank()

	if len(allAlerts) == 0 {
		return nil
	}

	// Print table
	for _, alert := range allAlerts {
		sevStyle := severityStyle(alert.Severity)

		location := fmt.Sprintf("%s:%d", alert.Path, alert.Line)

		cli.Print("%-16s %s  %-20s %-40s %s\n",
			cli.ValueStyle.Render(alert.Repo),
			sevStyle.Render(fmt.Sprintf("%-8s", alert.Severity)),
			alert.RuleID,
			location,
			cli.DimStyle.Render(alert.Tool),
		)
	}
	cli.Blank()

	return nil
}
feat(security): add core security command for vulnerability alerts (#66) * feat(security): add core security command for vulnerability alerts Adds `core security` command area to expose GitHub security data: - `core security alerts` - aggregated view of all security alerts - `core security deps` - Dependabot vulnerability alerts with upgrade paths - `core security scan` - CodeQL and code scanning alerts - `core security secrets` - secret scanning alerts Features: - Filter by --repo, --severity (critical,high,medium,low) - JSON output with --json for AI agent consumption - Aggregated summary with severity breakdown - Shows patched versions for easy upgrades Closes #48 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): address CodeRabbit review feedback - Remove unused flattened fields from DependabotAlert struct - Add Unknown field to AlertSummary for unrecognized severities - Add doc comments for exported Add and String methods - Use cli.Wrap for contextual error wrapping - Fix secret scanning summary counting after filter - Remove unused --vulnerable flag from deps command - Fix JSON output to only include open alerts in secrets command Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(security): handle json.MarshalIndent errors Address CodeRabbit review feedback by properly handling errors from json.MarshalIndent in all security subcommands instead of ignoring them. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com> 2026-02-01 06:04:21 +00:00			`package security`

			`import (`
			`"encoding/json"`
			`"fmt"`

			`"github.com/host-uk/core/pkg/cli"`
			`"github.com/host-uk/core/pkg/i18n"`
			`)`

			`var (`
			`scanTool string`
			`)`

			`func addScanCommand(parent *cli.Command) {`
			`cmd := &cli.Command{`
			`Use: "scan",`
			`Short: i18n.T("cmd.security.scan.short"),`
			`Long: i18n.T("cmd.security.scan.long"),`
			`RunE: func(c *cli.Command, args []string) error {`
			`return runScan()`
			`},`
			`}`

			`cmd.Flags().StringVar(&securityRegistryPath, "registry", "", i18n.T("common.flag.registry"))`
			`cmd.Flags().StringVar(&securityRepo, "repo", "", i18n.T("cmd.security.flag.repo"))`
			`cmd.Flags().StringVar(&securitySeverity, "severity", "", i18n.T("cmd.security.flag.severity"))`
			`cmd.Flags().StringVar(&scanTool, "tool", "", i18n.T("cmd.security.scan.flag.tool"))`
			`cmd.Flags().BoolVar(&securityJSON, "json", false, i18n.T("common.flag.json"))`

			`parent.AddCommand(cmd)`
			`}`

			`// ScanAlert represents a code scanning alert for output.`
			`type ScanAlert struct {`
			Repo string `json:"repo"`
			Severity string `json:"severity"`
			RuleID string `json:"rule_id"`
			Tool string `json:"tool"`
			Path string `json:"path"`
			Line int `json:"line"`
			Description string `json:"description"`
			Message string `json:"message"`
			`}`

			`func runScan() error {`
			`if err := checkGH(); err != nil {`
			`return err`
			`}`

			`reg, err := loadRegistry(securityRegistryPath)`
			`if err != nil {`
			`return err`
			`}`

			`repoList := getReposToCheck(reg, securityRepo)`
			`if len(repoList) == 0 {`
			`return cli.Err("repo not found: %s", securityRepo)`
			`}`

			`var allAlerts []ScanAlert`
			`summary := &AlertSummary{}`

			`for _, repo := range repoList {`
			`repoFullName := fmt.Sprintf("%s/%s", reg.Org, repo.Name)`

			`alerts, err := fetchCodeScanningAlerts(repoFullName)`
			`if err != nil {`
			`continue`
			`}`

			`for _, alert := range alerts {`
			`if alert.State != "open" {`
			`continue`
			`}`

			`// Filter by tool if specified`
			`if scanTool != "" && alert.Tool.Name != scanTool {`
			`continue`
			`}`

			`severity := alert.Rule.Severity`
			`if severity == "" {`
			`severity = "medium" // Default if not specified`
			`}`

			`if !filterBySeverity(severity, securitySeverity) {`
			`continue`
			`}`

			`summary.Add(severity)`

			`scanAlert := ScanAlert{`
			`Repo: repo.Name,`
			`Severity: severity,`
			`RuleID: alert.Rule.ID,`
			`Tool: alert.Tool.Name,`
			`Path: alert.MostRecentInstance.Location.Path,`
			`Line: alert.MostRecentInstance.Location.StartLine,`
			`Description: alert.Rule.Description,`
			`Message: alert.MostRecentInstance.Message.Text,`
			`}`
			`allAlerts = append(allAlerts, scanAlert)`
			`}`
			`}`

			`if securityJSON {`
			`output, err := json.MarshalIndent(allAlerts, "", " ")`
			`if err != nil {`
			`return cli.Wrap(err, "marshal JSON output")`
			`}`
			`cli.Text(string(output))`
			`return nil`
			`}`

			`// Print summary`
			`cli.Blank()`
			`cli.Print("%s %s\n", cli.DimStyle.Render("Code Scanning:"), summary.String())`
			`cli.Blank()`

			`if len(allAlerts) == 0 {`
			`return nil`
			`}`

			`// Print table`
			`for _, alert := range allAlerts {`
			`sevStyle := severityStyle(alert.Severity)`

			`location := fmt.Sprintf("%s:%d", alert.Path, alert.Line)`

			`cli.Print("%-16s %s %-20s %-40s %s\n",`
			`cli.ValueStyle.Render(alert.Repo),`
			`sevStyle.Render(fmt.Sprintf("%-8s", alert.Severity)),`
			`alert.RuleID,`
			`location,`
			`cli.DimStyle.Render(alert.Tool),`
			`)`
			`}`
			`cli.Blank()`

			`return nil`
			`}`