a4971fe0df
* feat(monitor): add security findings aggregation command Implements `core monitor` to aggregate security findings from GitHub: - Code scanning alerts (Semgrep, Trivy, Gitleaks, CodeQL, etc.) - Dependabot vulnerability alerts - Secret scanning alerts Features: - Scan current repo, specific repo, or all repos via registry - Filter by severity (--severity critical,high) - JSON output for piping to other tools (--json) - Grouped output by repo with severity highlighting Closes #49 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(monitor): address CodeRabbit review feedback - Fix DependabotAlert JSON parsing with proper nested struct for dependency.manifest_path field - Remove unnecessary --jq flag from code scanning API call - Fix truncate() to use runes for proper UTF-8 handling - Sort repo names for deterministic output ordering - Document hardcoded org fallback behavior Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * fix(monitor): improve error handling per CodeRabbit review - Use errors.E() consistently instead of errors.Wrap() - Pass underlying errors to errors.E() for better context - Return errors from fetch functions instead of swallowing - Distinguish expected conditions (feature not enabled) from real errors - Display fetch warnings in non-JSON mode - Continue scanning other repos even if one fails Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
47 lines
1.4 KiB
Go
47 lines
1.4 KiB
Go
// Package monitor provides security monitoring commands.
|
|
//
|
|
// Commands:
|
|
// - monitor: Aggregate security findings from GitHub Security Tab, workflow artifacts, and PR comments
|
|
//
|
|
// Data sources (all free tier):
|
|
// - Code scanning: Semgrep, Trivy, Gitleaks, OSV-Scanner, Checkov, CodeQL
|
|
// - Dependabot: Dependency vulnerability alerts
|
|
// - Secret scanning: Exposed secrets/credentials
|
|
package monitor
|
|
|
|
import (
|
|
"github.com/host-uk/core/pkg/cli"
|
|
"github.com/host-uk/core/pkg/i18n"
|
|
)
|
|
|
|
func init() {
|
|
cli.RegisterCommands(AddMonitorCommands)
|
|
}
|
|
|
|
// Style aliases from shared package
|
|
var (
|
|
successStyle = cli.SuccessStyle
|
|
errorStyle = cli.ErrorStyle
|
|
warningStyle = cli.WarningStyle
|
|
dimStyle = cli.DimStyle
|
|
)
|
|
|
|
// AddMonitorCommands registers the 'monitor' command.
|
|
func AddMonitorCommands(root *cli.Command) {
|
|
monitorCmd := &cli.Command{
|
|
Use: "monitor",
|
|
Short: i18n.T("cmd.monitor.short"),
|
|
Long: i18n.T("cmd.monitor.long"),
|
|
RunE: func(cmd *cli.Command, args []string) error {
|
|
return runMonitor()
|
|
},
|
|
}
|
|
|
|
// Flags
|
|
monitorCmd.Flags().StringVarP(&monitorRepo, "repo", "r", "", i18n.T("cmd.monitor.flag.repo"))
|
|
monitorCmd.Flags().StringSliceVarP(&monitorSeverity, "severity", "s", []string{}, i18n.T("cmd.monitor.flag.severity"))
|
|
monitorCmd.Flags().BoolVar(&monitorJSON, "json", false, i18n.T("cmd.monitor.flag.json"))
|
|
monitorCmd.Flags().BoolVar(&monitorAll, "all", false, i18n.T("cmd.monitor.flag.all"))
|
|
|
|
root.AddCommand(monitorCmd)
|
|
}
|