// Package analyzers defines the static-analysis surface. Each // analyzer is a function that takes the scanner's view of the repo // and returns []Finding. The Finding shape is locked by // docs/REPORT_SCHEMA.md — fields here are the canonical names // that flow into reports + memory + LLM-finding cross-checks. package analyzers // Severity ladder from REPORT_SCHEMA.md. Stored as a string so the // JSON shape is exactly what operators expect to grep for. type Severity string const ( SeverityLow Severity = "low" SeverityMedium Severity = "medium" SeverityHigh Severity = "high" SeverityCritical Severity = "critical" ) // Status reflects the validation state. Static-analysis findings // default to "suspected" — they're regex hits without context. // Validation (Phase D) promotes to "confirmed" or rejects with reason. type Status string const ( StatusConfirmed Status = "confirmed" StatusSuspected Status = "suspected" StatusRejected Status = "rejected" StatusBlocked Status = "blocked" ) // Source tracks who produced a finding. Useful in the JSON for // downstream consumers that want to sort/filter. type Source string const ( SourceStatic Source = "static" SourceLLM Source = "llm" SourceValidator Source = "validator" ) // Finding is the canonical shape per docs/REPORT_SCHEMA.md. // IDs are deterministic-from-content (file + line + check) so the // same finding across runs produces the same ID — useful for memory // dedup later. type Finding struct { ID string `json:"id"` Title string `json:"title"` Severity Severity `json:"severity"` Status Status `json:"status"` File string `json:"file"` LineHint string `json:"line_hint,omitempty"` Evidence string `json:"evidence"` Reason string `json:"reason"` SuggestedFix string `json:"suggested_fix,omitempty"` Source Source `json:"source"` Confidence float64 `json:"confidence"` CheckID string `json:"check_id,omitempty"` // e.g. "static.hardcoded_paths" }