* feat: Add support for filter v2
* Add filter v2 support
* Add test for filter v2 evaluator
* fix: CEL v2 query engine
* chore: Add sample policy-v2
* chore: Remove deprecated API use
* fix: Remove deprecated API
* fix: Misc linter fixes
* fix: Linter fixes
* fix: Policy v2 sample
* refactor: Extract filter match rendering into common concern
* test: Update test case
* fix: JSON round trip problem by using PB messages for filter eval
* Improve DX by declaring enum constants in CEL env
* fix: Code generator for enum type names
* docs: Add policy dev enumgen docs
* chore: Add example policy
* test: Add test for CEL filter suite v2 analyser
* Code review fixes
* fix: Code review comments
* chore: Add CI check to ensure generated code is updated
* fix: Add nil guards during init
* introduce config for lockfile reader
* add exclusion support
* add test cases for exclusion patterns
* refactor: introduce common exclusion matcher and update lockfile reader to use it
* chore: rm print statements
* refactor: use better naming for tests
* use doublestar lib for supporting dir reader exclusion patterns
* fix: path handling in exclusion matcher to support relative & absolute paths
* Add initial UI for agent mode
* fix: Cleanup and define agent contract
* Add react agent
* Add interactions memory
* Add support for stdio based MCP integration
* Add basic sqlite3 report generator
* fix: Persist vulnerabilities with package relation
* fix: Persist license information
* refactor: Agents into its own command package
* feat: Add support for tool calling introspection
* refactor: UI to hide implementation detail
* sqlite3 reporter persist dependency graph
* fix: Support multiple LLM provider for agent
* docs: Update agents doc
* docs: Remove deprecated query docs
* fix: UI tests
* fix: Linter issue
* Add support for prompt mode
* Improve UI with animation
* Fix UI tests after update
* Add OpenSSF scorecard persistence
* Add slsa provenances in sqlite3 reporter
* Add test cases for sqlite3 reporter
* Fix agent doc
* fix: Sqlite3 reporter use safe accessors
* feat: Add support for fast model
* feat: Simplify and streamline agent UI for better user experience
- Remove decorative borders and excessive styling to maximize output area
- Implement clean minimal design similar to modern TUI interfaces
- Add bordered input area for clear visual separation
- Move thinking indicator above input area for better visibility
- Enhance input field reset logic for proper line alignment
- Remove verbose help text and status messages
- Optimize layout calculations for full width utilization
- Add smooth animations for agent thinking state with spinner
- Clean up code structure and remove unused progress bar functionality
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
* fix: Improve agent status line
* test: Update UI tests
* fix: Use terminal safe rendering
* fix: Fix nil deref without storing empty strings in DB
* fix: Support overwriting sqlite3 database
* fix: Data model to use m2m between manifest and package
* style: Fix linter issue with unused variables
* Misc fixes
* Add test for agent memory
---------
Co-authored-by: Claude <noreply@anthropic.com>
* refactor: convert current image resolution into workflow pattern
* feat: image from local tarball folder
* feat: image from local docker catalog
* refactor: decompose docker image catalog resolver into multiple functions
* refactor: using utility function for logging and return error
* feat: remove temp tar dir after image obj is created
* refactor: handle empty nil error in log and error function
* removed local image not supported test
* fix: error fmt.Errorf with non-constant values
* go mod tidy
* fix: linter unreachable code
* refactor: removed unwanted parameter
* test: added scenario for different image scan operations
* fix: added scenario into all.sh
* fix: missed .sh extension for one entry
* fix: test bad file path for local tar scan
* removed logger and error combined function
* refactor: using context from top of tree
* feat: using custom error for image resolution unsupported
* refactor: returning unsupported workflow error for each docker api fail
* feat: added no-remote flag for disable remote fetch
* feat: --image-no-remote
* fix: test, creating temp files with \/ causing issue
* chore: Misc cleanup for Container Image Resolver (#499)
* chore: Misc cleanup
* fix: Bug with docker image resolver
* fix: Error msg
* chore: Improve debug logging for docker enumeration
* chore: Improve debug logging for docker enumeration
---------
Co-authored-by: Abhisek Datta <abhisek.datta@gmail.com>
* feat: container scanning
* fix: tests
* refactor: added comments and set running-system for remote image to false
* using standalone extractors with all scope
* feat: handle manifests
* using set for duplicate purl
* feat: added initial tests
* refactor: creating manifest from local and modified tests
* refactor: decouple parser and reader for container scanning
* refactor: separated image and reader config
* refactor: using application name to purl
* refactor: removed technical osv-scalibr names from error message
* refactor: misc
* added analytics
* moved container image reader test to e2e test
* refactor: getting image in constructor
* refactor: composite grouping of ecosystem and file
* feat: cache to reduce duplicate packages
* refactor: removed json-dump-dir output dir
* feat: added ui for better UX
* test: skip when not e2e
* refactor: made scalibr image object reference private
* test: application name testing
* test, different image with invalid cases
* feat: clean up image after use
* refactor: fetching image in enum manifests
* fix: tests, handing error from enum manifests
* tests: added test for local image not supported
* refactor: removed ui reference in container reader
* feat: github repos version resolution
* fix: malware analysis e2e testing
* fix: e2e testing for malware analysis using vet scan
* revert: e2e testing
* fix(test): remove bad e2e tests commands, scan without version has no effect
* fix: test failing 🔥, for scoped packages
* feat(e2e): added inspect malware command
* fix: use of internal code to library
* refactor: Maintain separation of concerns and loose coupling
* fix: PURL reader test
---------
Co-authored-by: abhisek <abhisek.datta@gmail.com>
* feat: new gitlab report
* fix: gitlab-report version missing
Signed-off-by: Kunal Singh <kunalsin9h@gmail.com>
* fix: issues with schema
* added comments
* fix: removed unknown identifiers
* fix: direct dependency using depth == 0
* oops: pushed output file :)
* fix: identifiers were taken only one per type
* fix: nested struct on GitLabReport
* added relevant docs reference
* fix: hardcoded vet version, with correct version from version.go
* added malwares
* refactor: minor
* fix: summary and name
* added tests
* refactor: separate function for severity
* refactor: using enums for severity
Signed-off-by: Kunal Singh <kunalsin9h@gmail.com>
* feat: using all gitlab identifiers
* refactor: removed unwanted package struct exports
* refactor: IsDirect function to check if package is direct dependency
* removed TODO comments
* refactor: using non-standard id for malware analysis
* refactor: removed hardcoded values in gitlab.go
* refactor: gitlab consts
* feat: add gitlab scan fail status const
* refactor: extracted identifiers urls
* fix: github advisory link
* refactor: SOLID principle for identifiers url, and scoped method for gitlab reporter
---------
Signed-off-by: Kunal Singh <kunalsin9h@gmail.com>
* feat: Add support for github actions scanning
* fix: enrich malware test cases
* fix: fail fast for malware inspect if auth not available
* fix: bug with package version
* chore: Update API sdk to add support for vsx scanning
* chore: Add inspect cmd flag to skip waiting for result
* feat: Add support for VS Code extension reader
* fix: Remove unnecessary vsx distribution path
* Implemented code scan command for building sqlite storage with code analysis data
Signed-off-by: Omkar Phansopkar <omkarphansopkar@gmail.com>
* Added E2E test for code scan command
Signed-off-by: Omkar Phansopkar <omkarphansopkar@gmail.com>
* refactor: Migrate pkg/command to internal/command since we use pkg as an independent concern
---------
Signed-off-by: Omkar Phansopkar <omkarphansopkar@gmail.com>
Co-authored-by: abhisek <abhisek.datta@gmail.com>
* feat: Integrate malysis based malware analysis data enricher
* feat: Extend package model to store malware analysis data
* fix: Wait for package enrichers with timeout
* feat: Add malware analyzer plugin
* feat: Add support for malware analyser for classification
* feat: Add support for backoff retry
* fix: Bug with backoff/retry loop
* feat: Update markdown summary reporter for malware analysis stats
* docs: Add docs for malysis enricher config
* docs: Update README.md for malware analysis reference
* feat: Add cli flag to configure trust on tool result
* feat: Add cli flag to customize malware analysis wait time
* test: Add E2E test for malware analysis integration
* fix: Path of malware analysis e2e test
* fix: Show malysis metrics in markdown summary report
* fix: Malware analyser raise filter event for rest of the engine to know about malware
refactor: Parser target resolver to re-use from lockfile and directory reader
feat: Add support for scope based parse target resolution
refactor: Dir reader to use config struct
test: Fix directory reader tests
refactor: Rename parser utils to resolver
doc: Add jar scanning example in README.md
feat: Add npm package-lock.json graph parser
fix: Npm graph parser path to root traversal
fix: File naming convention for npm graph parser
feat: Add reporter for graph visualization in dot format
feat: Add support for showing dependency upgrade path in summary report
fix: Bug in summary reporter related to random ordering of entries with same score
chore: Add support for experimental flag in scanner config
refactor: Test cases for npm package name extractor into utils
feat: Add support for dependency graph data in CSV report generator
fix: LFP npm handle package links
test: Improve test for npm name extraction
feat: Add support for reconstructing dependency graph using insights data
fix: purl reader to use package manifest builder
test: Add E2E for gradle dependency graph reconstruction
fix: Handle root node marking heuristics for enriched dependency graph
feat: Allow query command to generate dependency graph
fix: Scanner dependency graph reconstruction using dependency distance
fix: Test case for maven dependency graph reconstruction
chore: Improve summary report text for dependency path to root
refactor: Code re-use in npm graph to find by semver range