f3ee4722a8
Implements the MVP cutline from the planning artifact: - Phase A: skeleton + CLI dispatch + provider interface + stub model doctor - Phase B: scanner + git probe + 12 static analyzers + reporters + pipeline - Phase B fixtures: clean-repo, insecure-repo, degraded-repo 12 static analyzers per PROMPT.md "Suggested Static Checks For MVP": hardcoded_paths, shell_execution, raw_sql_interpolation, broad_cors, secret_patterns, large_files, todo_comments, missing_tests, env_file_committed, unsafe_file_io, exposed_mutation_endpoint, hardcoded_local_ip. Acceptance gates passing: - B1 (intake produces accurate counts) ✓ - B2 (insecure fixture fires ≥8 distinct check_ids — actually 11/12) ✓ - B3 (clean fixture produces 0 confirmed findings — no false positives) ✓ - B4 (scrum mode produces all 6 required markdown + JSON reports) ✓ - B5 (receipts.json marks degraded phases honestly) ✓ - F (self-review on this repo runs without crashing) ✓ — exit 66 (degraded because Phase C LLM review is hardcoded skipped) Phases C (LLM review), D (validation cross-check), E (memory + diff + rules subcommands) deferred per the cutline. The MVP delivers the evidence-first path; LLM is purely additive. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
54 lines
1.6 KiB
Go
54 lines
1.6 KiB
Go
package scanner
|
|
|
|
import (
|
|
"path/filepath"
|
|
"strings"
|
|
)
|
|
|
|
// isManifest detects dependency / build manifests by basename.
|
|
// Used to populate Result.DependencyManifests for repo-intake.
|
|
func isManifest(name string) bool {
|
|
switch strings.ToLower(name) {
|
|
case "go.mod", "go.sum",
|
|
"package.json", "package-lock.json", "yarn.lock", "pnpm-lock.yaml", "bun.lockb",
|
|
"cargo.toml", "cargo.lock",
|
|
"requirements.txt", "pyproject.toml", "poetry.lock", "pipfile", "pipfile.lock",
|
|
"gemfile", "gemfile.lock",
|
|
"composer.json", "composer.lock",
|
|
"pom.xml", "build.gradle", "build.gradle.kts",
|
|
"makefile", "justfile",
|
|
"dockerfile", "docker-compose.yml", "docker-compose.yaml",
|
|
"helm.yaml", "chart.yaml":
|
|
return true
|
|
}
|
|
return false
|
|
}
|
|
|
|
// isTestPath detects test files / dirs by path. A repo is "has tests"
|
|
// iff at least one returns true. Used both for repo-intake's
|
|
// test_manifests list and the missing-tests analyzer's threshold.
|
|
func isTestPath(rel string) bool {
|
|
low := strings.ToLower(rel)
|
|
// Directory-shaped signals
|
|
parts := strings.Split(filepath.ToSlash(low), "/")
|
|
for _, p := range parts {
|
|
if p == "tests" || p == "test" || p == "__tests__" || p == "spec" || p == "specs" {
|
|
return true
|
|
}
|
|
}
|
|
// File-shape signals
|
|
base := strings.ToLower(filepath.Base(rel))
|
|
if strings.HasSuffix(base, "_test.go") ||
|
|
strings.HasSuffix(base, ".test.ts") ||
|
|
strings.HasSuffix(base, ".test.tsx") ||
|
|
strings.HasSuffix(base, ".test.js") ||
|
|
strings.HasSuffix(base, ".spec.ts") ||
|
|
strings.HasSuffix(base, ".spec.js") {
|
|
return true
|
|
}
|
|
if strings.HasPrefix(base, "test_") && strings.HasSuffix(base, ".py") {
|
|
return true
|
|
}
|
|
return false
|
|
}
|