feat: hosted scanning, env/config/OAS management, and developer tooling#14
Merged
Implements full hosted scanning CLI coverage as defined in the plan:

Sprint 1 - Scanner Execution (`run` command):
- `run start` - Start hosted scans with --app, --env, --config, --watch
- `run stop` - Stop running scans with confirmation
- `run status` - Check scan status with watch mode and refresh interval

Sprint 2 - Configuration Management:
- `config list` - List org-scoped scan configurations
- `config get` - Download configuration content
- `config set` - Create/update from YAML file with validation
- `config delete` - Delete with confirmation
- `config rename` - Rename configurations
- `config validate` - Validate local files or stored configs

Sprint 3 - Environment Management:
- `env list` - List application environments
- `env config` - Get default YAML config for environment
- `env create` - Create new environment
- `env delete` - Delete with confirmation (warns about scan data loss)

Sprint 4 - Extended OAS Support:
- `oas get` - Download OpenAPI spec content
- `oas mappings` - List specs mapped to an application

Also includes:
- 29 new functional tests for all hosted scanning commands
- Fix for API string-to-number deserialization in environment models
- New API traits: PerchApi, ConfigApi, EnvironmentApi, OASApi
- Display models for run status and environment data

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Inventories all 60 StackHawk public API endpoints, maps current implementation status (36/60 = 60%), and defines 4 prioritized phases: App CRUD, Policy Management, Env/OAS, and Repo/Misc.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Complete taxonomy of all 54 command paths (32 implemented, 22 planned), every flag/argument with types and defaults, shared argument groups, aliases, API endpoint mappings, and a functional test coverage map that identifies gaps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Two-layer quality gate for contributors:
- Layer 1 (universal): .githooks/ with pre-commit (fmt+clippy+test) and pre-push (+ functional tests), plus make setup-hooks and make check-test-coverage targets
- Layer 2 (Claude Code): /pre-commit command with 5-step checklist including doc currency and CLI design review

Also updates CHANGELOG.md with all unreleased features on this branch and expands CONTRIBUTING.md PR checklist.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Adds 30 new functional tests covering all previously untested commands:
- Profile management: list, show, create (with --from), delete, use (both happy paths and error conditions)
- Cache clear command
- Org set with roundtrip verification
- Team set-users (dry-run with real user, nonexistent user error)
- Team set-apps (help verification, nonexistent app error)
- Scan get happy paths (latest, JSON format, --app filter)
- Config CRUD roundtrip (set/get/delete with temp file)
- Config validate (valid file, invalid YAML)
- Env list with real app (feature-flag aware)
- Audit list with type and date range filters

Coverage: 132 functional tests, 50/50 commands tested, 0 gaps.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The StackHawk API returns hosted assets (configs, OAS specs) via a two-step process: first a JSON envelope with a presigned S3 URL, then the actual content. However, the API also sends a 308 redirect header pointing to S3, which reqwest follows automatically — causing the client to receive raw YAML/JSON content and fail to parse it as the JSON envelope.

This adds a fetch_hosted_asset() method that detects when reqwest followed a redirect (by comparing the final URL host) and returns the content directly instead of trying to parse the envelope. Also properly maps 401/403/404 status codes to appropriate error types.

Fixes config get and oas get commands on test/preprod environments.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
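The redirect-detection fallback this commit describes (and that the Bug Fixes entry in the PR summary repeats), modelled as an added Rust example: this is not the project's fetch_hosted_asset() and uses no reqwest or serde, so URL and envelope parsing are deliberately simplified and all type names, function names and sample URLs are hypothetical.

```rust
// Added example, not the project's code: models the redirect-detection fallback
// described for fetch_hosted_asset(). No reqwest/serde, so all names are hypothetical.
#[derive(Debug, PartialEq)]
pub enum HostedAssetError {
    Unauthorized,      // 401
    Forbidden,         // 403
    NotFound,          // 404
    Unexpected(u16),   // any other non-2xx status
    MalformedEnvelope, // same-host body that is not a JSON envelope
}

#[derive(Debug, PartialEq)]
pub enum Fetched {
    Envelope { presigned_url: String }, // JSON envelope; content lives at this URL
    Content(String),                    // client already followed the 308; body is the asset
}

/// Host of an http(s) URL (scheme://[user@]host[:port]/...). Simplified parser.
pub fn host_of(url: &str) -> Option<&str> {
    let authority = url.split_once("://")?.1.split('/').next()?;
    authority.rsplit('@').next()?.split(':').next()
}

/// Interpret a response given the URL requested, the URL the client ended up
/// at after automatic redirects, the status code and the body text.
pub fn classify_response(requested: &str, final_url: &str, status: u16, body: &str)
    -> Result<Fetched, HostedAssetError> {
    match status {
        401 => return Err(HostedAssetError::Unauthorized),
        403 => return Err(HostedAssetError::Forbidden),
        404 => return Err(HostedAssetError::NotFound),
        200..=299 => {}
        other => return Err(HostedAssetError::Unexpected(other)),
    }
    // Redirect detection: a different final host means the client was bounced
    // to S3, so the body is the raw YAML/JSON asset rather than the envelope.
    if host_of(requested) != host_of(final_url) {
        return Ok(Fetched::Content(body.to_string()));
    }
    // Same host: parse the envelope. A minimal `"url": "..."` extraction stands
    // in for serde_json here; presigned URLs contain no quote characters.
    let bad = || HostedAssetError::MalformedEnvelope;
    let after = &body[body.find("\"url\"").ok_or_else(bad)? + 5..];
    let value = after.trim_start().strip_prefix(':').ok_or_else(bad)?
        .trim_start().strip_prefix('"').ok_or_else(bad)?;
    let end = value.find('"').ok_or_else(bad)?;
    Ok(Fetched::Envelope { presigned_url: value[..end].to_string() })
}
```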
/pre-commit now accepts an optional 'full' argument:
- /pre-commit — fast checks (fmt, clippy, unit tests, coverage, docs)
- /pre-commit full — adds functional tests against real API

Also suggests specific test functions when coverage gaps are found.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- bytes 1.10.1 → 1.11.1 (RUSTSEC-2026-0007: integer overflow in BytesMut::reserve)
- quinn-proto 0.11.13 → 0.11.14 (RUSTSEC-2026-0037: DoS in Quinn endpoints, severity 8.7)

Both are transitive dependencies via reqwest.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Major feature release adding hosted scan control, environment management, config CRUD, OAS extensions, and comprehensive developer tooling.
New CLI Commands
- `hawkop run start|stop|status` — Start, stop, and monitor hosted scans with `--watch` auto-refresh
- `hawkop env list|create|delete|config` — Full environment management per application
- `hawkop config get|set|delete|rename|validate` — Scan configuration CRUD with YAML file support
- `hawkop oas get|mappings` — Download OAS content and view app-to-spec mappings

Bug Fixes

- `config get` and `oas get` — API returns 308 redirect to S3 presigned URLs; reqwest followed the redirect silently, causing JSON parse failures on the raw YAML/JSON content. Added `fetch_hosted_asset()` with redirect detection.

Developer Tooling

- `docs/ROADMAP.md` — Tracks 60% → 100% StackHawk API coverage in 4 phases
- `docs/CLI_REFERENCE.md` — Complete taxonomy of 54 command paths with test coverage map
- `.githooks/` — Pre-commit (fmt + clippy + test) and pre-push (+ functional tests)
- `/pre-commit` command — Intelligent 6-step checklist with `full` option for functional tests
- `make setup-hooks` — One-command hook installation for contributors
- `make check-test-coverage` — Detects commands missing functional tests

Test Coverage

- `local_tests.rs` (profile/cache), enhanced `hosted_tests.rs`, `mutation_tests.rs`, `read_tests.rs`
- `api.test.stackhawk.com` with zero feature flag skips

Test plan

- `cargo fmt && cargo clippy -- -D warnings` — passes
- `cargo test` — 215 passed, 0 failed
- `make check-test-coverage` — 50/50 commands, 0 gaps
- `GEN_OPEN_API_SPEC` feature flag

🤖 Generated with Claude Code