feat(cli): focus flags and severity triage; fix(SEC018): context-aware, pattern-first; chore: runtime minConfidence for human runs; docs: CLI and CHANGELOG 1.0.4; tests: SEC018 cases

Author: luisfer

CHANGELOG.md

@@ -61,3 +61,19 @@ Initial stable release.
 ### Notes
 - External link checks are timeout-guarded; internal crawling remains opt-in.
 - Heuristics aim to minimize noise; tune with confidence thresholding, rule enable/disable, and baselines.
+
+## 1.0.4 — 2025-08-24
+
+### Added
+- Human output triage header with severity-first summary (non-breaking; JSON/SARIF unchanged)
+- Focus filters for human output: `--focus-critical`, `--focus-security`, `--focus-new`, and `--detailed`
+
+### Changed (non-disruptive)
+- SEC018 noise reduction: context/file-aware ignores (CSS/Tailwind/globs/data URIs/UUID), pattern-first detection for `sk-`/JWT/DB URLs/etc., higher entropy threshold
+- Runtime default minConfidence=0.8 for human runs (non-JSON) when not provided (does not change config or JSON/SARIF)
+
+### Tests & Docs
+- Added tests covering SEC018 false positives and true positives
+- Updated CLI docs with new flags and examples
+
+This patch focuses on triage-first UX and noise reduction without changing schema or defaults that would break existing workflows.

docs/CLI.md

@@ -35,6 +35,10 @@ Options:
   --crawl-start-url <url>     Starting URL for internal crawl
   --crawl-depth <n>           Max crawl depth (default: 2)
   --crawl-timeout <ms>        Per-page timeout in ms (default: 10000)
+  --detailed                  Show all findings including lower-confidence/noisy ones
+  --focus-critical            Only show critical (high severity) issues
+  --focus-security            Only show security issues (hide a11y/links/etc)
+  --focus-new                 Only show issues not in baseline
 ```
 
 Examples:
@@ -51,6 +55,12 @@ ubon scan --update-baseline
 
 # SARIF report for GitHub code scanning
 ubon scan --sarif ubon.sarif
+
+# Show only critical security issues (progressive disclosure)
+ubon scan --focus-critical --focus-security
+
+# Show everything, including lower-confidence
+ubon scan --detailed
 ```
 
 #### ubon check

docs/ROADMAP.md

@@ -0,0 +1,137 @@
+### Ubon Roadmap
+
+This document tracks planned improvements for the next minor release.
+
+## Next version: v1.1.0 (proposed)
+
+### Output and UX
+- **Colorized, branded output**: Chalk theme with lotus (🪷), toggle via `--color auto|always|never` and `--format human|table|json`.
+- **Grouping/deduping**: `--group-by file|rule`, collapse repeated findings, `--min-severity warning|error`, `--max-issues N`.
+- **Actionable snippets**: 3–5 lines of code context and a short “why it matters”.
+
+### Auto-fix and repair
+- **Expand safe fixes**:
+  - Add `alt` attributes and input labels/aria-labels.
+  - Add cookie flags: `HttpOnly; Secure; SameSite=Lax`.
+  - Remove hardcoded env fallbacks and secret-logging statements.
+  - Wrap `fetch` with AbortController timeout and basic retry/backoff.
+- **PR generator**: `--apply-fixes --create-pr` to branch, commit, and open a reviewable PR with a summary.
+- **Per-rule codemods**: Fixers shipped per `ruleId` so teams can opt in/out.
+
+### Rule coverage (security + Next.js)
+- **JWT/cookies**: Detect tokens returned in JSON, weak/inline secrets, missing cookie flags.
+- **Next.js App Router**: Client/server boundary leaks, `NEXT_PUBLIC_*` misuse, `dangerouslySetInnerHTML`, open redirects, CORS in `middleware.ts`.
+- **Data exfil/logging**: Secrets/PII in logs, `JSON.stringify(req)` dumps, verbose prod errors.
+- **Network**: SSRF sinks (`fetch(userInput)`), unbounded axios/fetch, missing `signal`.
+- **Config**: Insecure `next.config.js` (e.g., permissive `images.domains`, `eslint.ignoreDuringBuilds`), risky webpack overrides.
+- **Backend**: String‑built SQL, `new Function`, shell exec, Prisma `.env` leaks.
+
+### Signal/noise controls
+- **Inline suppressions**: `// ubon-disable-next-line RULEID` (optional reason), surfaced in JSON/SARIF.
+- **Tuning**: Per‑rule confidence thresholds in config; first‑class ignore globs for fixtures/mocks/stories.
+- **Taxonomy**: Add CWE/OWASP tags per rule and include in outputs.
+
+### Performance and scale
+- **Caching**: Local OSV cache with TTL; memoize results by file hash for fast re‑runs.
+- **Parallelism**: Bounded concurrency and rate‑limited external link checks.
+- **Watch mode**: `ubon check --watch --fast` incremental scanning on file changes.
+
+### CI and PR integration
+- **Review bot**: Optional GitHub reviewer that posts inline comments for new/changed issues.
+- **Gates**: “New issues only” gate using base SHA; budget mode (cap warnings/errors).
+- **SARIF polish**: Rich `helpUri` links to rule docs and remediation examples.
+
+### IDE and developer ergonomics
+- **VS Code extension**: In‑editor diagnostics and quick‑fixes for autofixable rules.
+- **Init recipes**: `ubon init` can generate `.env.example` and a minimal security checklist tailored to the profile.
+
+### Programmatic API and schema
+- **Stable JSON schema**: Publish `@ubon/schema` for typed consumers (versioned).
+- **Result fingerprints**: Stability across reformatting; document derivation.
+
+### Scanner safety and privacy
+- **Default redaction**: Mask secret‑like strings in human output; keep stable fingerprints.
+- **Sandboxing**: Never execute user code; mock dynamic imports; document network usage and opt‑outs.
+
+### Explore expansion to Rails?
+
+Rails would be very doable with ubon's current architecture.
+
+  Here's why I think it would work well:
+
+  What's already there ✅
+
+  - Multi-language framework - ubon already handles JS, Python with profiles
+  - Pattern-based detection - Ruby syntax is very scannable with regex patterns
+  - CVE database integration - Should already include Ruby gems vulnerabilities
+  - Environment scanning - Would work for Rails config/ files, database.yml, etc.
+  - File structure awareness - Could easily learn Rails conventions
+
+  Rails-specific rules to add 🔨
+
+  High-impact vulnerabilities:
+  # SQL injection patterns
+  User.where("name = '#{params[:name]}'")  # Should flag
+  User.find_by_sql("SELECT * FROM users WHERE id = #{id}")
+
+  # Mass assignment 
+  User.create(params[:user])  # Without strong params
+
+  # Command injection
+  system("ls #{params[:dir]}")  # Shell injection
+  `git log #{branch}`  # Backtick injection
+
+  # Deserialization
+  YAML.load(user_input)  # vs YAML.safe_load
+  Marshal.load(data)
+
+  # Template injection in ERB
+  <%= params[:content].html_safe %>  # XSS risk
+
+  Rails-specific files to scan:
+  - Gemfile.lock - Gem vulnerabilities (like requirements.txt)
+  - config/database.yml - Database credentials
+  - config/secrets.yml - Hardcoded secrets
+  - app/controllers/ - Strong params, authentication
+  - app/views/ - XSS, template injection
+
+  Implementation approach 🛠️
+
+  Phase 1 (Easy wins):
+  - Add --profile rails
+  - Ruby syntax patterns for eval, system, YAML.load
+  - Gemfile.lock vulnerability scanning (similar to requirements.txt)
+  - Config file secret detection
+
+  Phase 2 (Rails-aware):
+  - ActiveRecord query pattern analysis
+  - Strong parameters validation
+  - ERB template scanning
+  - Rails security best practices
+
+  Phase 3 (Advanced):
+  - Semantic analysis of Rails patterns
+  - Route/controller flow analysis
+  - Authentication/authorization checks
+
+  The beauty is ubon's pattern-based + profile system would translate perfectly to
+  Rails. Most Ruby vulnerabilities follow predictable patterns that regex can catch
+  effectively.
+
+  Biggest win: Rails has very established security patterns, so the rules would be
+  highly accurate with fewer false positives than general-purpose scanners.
+
+## v1.1.0 milestone priorities
+- **P1**: Output/UX polish (color/theme, grouping, context snippets); inline suppressions; OSV caching; cookie/JWT rules.
+- **P2**: Expanded autofixes and `--create-pr`; “new issues only” CI gate; watch mode.
+- **P3**: VS Code extension (MVP); SARIF help links; schema package draft.
+- **P4**: New profile 'Rails'. And include it in the relevant documentation, README, etc. (anywhere where it's mentioned that is for Next/React, Python and Vue)
+
+## Success criteria
+- Human output: grouped by file/rule, colorized, with context snippets and < 120 ms added overhead in `--fast` mode on medium repos.
+- JSON/SARIF: include CWE/OWASP tags, suppressions, stable fingerprints; validated by sample CI run.
+- Autofixes: at least A11Y001/A11Y002, cookie flags, secret‑logging removal proven on sample repos.
+
+## Notes
+- Maintain redaction by default in human output; never print full secrets.
+- Add docs for reducing false positives and enabling baselines.

package.json

@@ -1,6 +1,6 @@
 {
   "name": "ubon",
-  "version": "1.0.3",
+  "version": "1.0.4",
   "description": "Security scanner for AI-generated React/Next.js and Python apps. Catches hardcoded secrets, accessibility issues, and vulnerabilities that traditional linters miss.",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

src/__tests__/rules-misc.test.ts

@@ -23,6 +23,24 @@ describe('Misc rules', () => {
     const res = await iac.scan({ directory: tmp });
     expect(res.some(r => r.ruleId === 'DOCKER004')).toBe(true);
   });
+
+  it('does not flag CSS/Tailwind noise for SEC018', async () => {
+    const fp = join(tmp, 'styles.css');
+    writeFileSync(fp, `.btn{color:#3b82f6} .bg{background:linear-gradient(#fff,#000)}`);
+    const tw = join(tmp, 'tailwind.config.js');
+    writeFileSync(tw, `module.exports={ theme:{ colors:{ primary:'#3b82f6' }}}`);
+    const s = new SecurityScanner();
+    const res = await s.scan({ directory: tmp });
+    expect(res.some(r => r.ruleId === 'SEC018')).toBe(false);
+  });
+
+  it('flags obvious secret patterns for SEC018', async () => {
+    const fp = join(tmp, 'app.ts');
+    writeFileSync(fp, `const k = 'sk-1234567890abcdefZZZZ'; const jwt = 'eyJhbGciOiJIUzI1NiIs.eyJzdWIiOiIx'.repeat(1);`);
+    const s = new SecurityScanner();
+    const res = await s.scan({ directory: tmp });
+    expect(res.some(r => r.ruleId === 'SEC018')).toBe(true);
+  });
 });
 
 

src/cli.ts

@@ -83,6 +83,10 @@ program
   .option('--crawl-start-url <url>', 'Starting URL for internal crawl')
   .option('--crawl-depth <n>', 'Max crawl depth', '2')
   .option('--crawl-timeout <ms>', 'Per-page timeout in ms', '10000')
+  .option('--detailed', 'Show all findings including lower-confidence/noisy ones')
+  .option('--focus-critical', 'Only show critical (high severity) issues')
+  .option('--focus-security', 'Only show security issues (hide a11y/links/etc)')
+  .option('--focus-new', 'Only show issues not in baseline')
   .action(async (options) => {
     const scanner = new UbonScan(options.verbose, options.json);
 
@@ -106,7 +110,11 @@ program
       crawlInternal: !!options.crawlInternal,
       crawlStartUrl: options.crawlStartUrl,
       crawlDepth: options.crawlDepth ? parseInt(options.crawlDepth) : undefined,
-      crawlTimeoutMs: options.crawlTimeout ? parseInt(options.crawlTimeout) : undefined
+      crawlTimeoutMs: options.crawlTimeout ? parseInt(options.crawlTimeout) : undefined,
+      detailed: !!options.detailed,
+      focusCritical: !!options.focusCritical,
+      focusSecurity: !!options.focusSecurity,
+      focusNew: !!options.focusNew
     };
     const scanOptions = mergeOptions(config, cliOptions);
 
@@ -202,6 +210,10 @@ program
   .option('--crawl-start-url <url>', 'Starting URL for internal crawl')
   .option('--crawl-depth <n>', 'Max crawl depth', '2')
   .option('--crawl-timeout <ms>', 'Per-page timeout in ms', '10000')
+  .option('--detailed', 'Show all findings including lower-confidence/noisy ones')
+  .option('--focus-critical', 'Only show critical (high severity) issues')
+  .option('--focus-security', 'Only show security issues (hide a11y/links/etc)')
+  .option('--focus-new', 'Only show issues not in baseline')
   .action(async (options) => {
     const scanner = new UbonScan(options.verbose, options.json);
 
@@ -224,7 +236,11 @@ program
       crawlInternal: !!options.crawlInternal,
       crawlStartUrl: options.crawlStartUrl,
       crawlDepth: options.crawlDepth ? parseInt(options.crawlDepth) : undefined,
-      crawlTimeoutMs: options.crawlTimeout ? parseInt(options.crawlTimeout) : undefined
+      crawlTimeoutMs: options.crawlTimeout ? parseInt(options.crawlTimeout) : undefined,
+      detailed: !!options.detailed,
+      focusCritical: !!options.focusCritical,
+      focusSecurity: !!options.focusSecurity,
+      focusNew: !!options.focusNew
     };
     const scanOptions = mergeOptions(config, cliOptions);
 

src/index.ts

@@ -37,6 +37,14 @@ export class UbonScan {
     }
     // Select scanners based on profile
     this.scanners = this.resolveScanners(profile as any, options.fast);
+
+    // Runtime, non-persistent defaults for human-friendly noise reduction
+    if (!options.json && options.profile !== 'python') {
+      // If user didn't set minConfidence, prefer a gentle default
+      if (typeof options.minConfidence !== 'number') {
+        (options as any).minConfidence = 0.8;
+      }
+    }
     const allResults: ScanResult[] = [];
 
     // Run static file scanners
@@ -93,7 +101,8 @@ export class UbonScan {
 
     const filtered = this.filterResults(allResults, options);
     const withFingerprints = filtered.map(r => ({ ...r, fingerprint: this.computeFingerprint(r) }));
-    const finalResults = await this.applyBaseline(withFingerprints, options);
+    const afterBaseline = await this.applyBaseline(withFingerprints, options);
+    const finalResults = this.applyFocusFilters(afterBaseline, options);
     return this.sortResults(finalResults);
   }
 
@@ -117,6 +126,13 @@ export class UbonScan {
       return;
     }
 
+    // Severity-first header
+    const errorCount = results.filter(r => r.type === 'error').length;
+    const warnCount = results.filter(r => r.type === 'warning').length;
+    const criticalCount = results.filter(r => r.severity === 'high').length;
+    const highText = criticalCount > 0 ? chalk.bgRed.white(` ${criticalCount} CRITICAL `) : '';
+    console.log(`\n${chalk.hex('#c99cb3')('🪷')} ${chalk.bold('Triage')}: ${highText} ${chalk.red(errorCount + ' errors')}, ${chalk.yellow(warnCount + ' warnings')}`);
+
     this.logger.separator();
     this.logger.title(`Found ${results.length} issues:`);
 
@@ -205,6 +221,24 @@ export class UbonScan {
     return filtered;
   }
 
+  private applyFocusFilters(results: ScanResult[], options: ScanOptions): ScanResult[] {
+    let out = results;
+    if (options.focusNew) {
+      // already applied baseline; no-op here since baseline removed old issues
+    }
+    if (options.focusSecurity) {
+      out = out.filter(r => r.category === 'security');
+    }
+    if (options.focusCritical) {
+      out = out.filter(r => r.severity === 'high');
+    }
+    if (!options.detailed && typeof options.minConfidence !== 'number') {
+      // gentle noise reduction when not detailed: default minConfidence 0.8 for human runs
+      out = out.filter(r => (r.confidence ?? 1) >= 0.8);
+    }
+    return out;
+  }
+
   private computeFingerprint(result: ScanResult): string {
     const hash = createHash('sha256');
     const normalizedPath = (result.file || '').replace(/\\/g, '/');

src/scanners/security-scanner.ts

@@ -299,27 +299,45 @@ export class SecurityScanner implements Scanner {
             }
           }
         });
-        // Entropy-based secret detection
+        // Entropy-based secret detection (context-aware, reduced noise)
         lines.forEach((line, index) => {
           const toks = extractQuotedLiterals(line).filter(s => s.length >= 16);
           for (const tok of toks) {
             const ent = shannonEntropy(tok);
-            if (ent >= 3.5 && /[A-Za-z0-9]/.test(tok)) {
-              const meta = RULES.SEC018;
-              results.push({
-                type: meta.severity === 'high' ? 'error' : 'warning',
-                category: meta.category,
-                message: meta.message,
-                file,
-                line: index + 1,
-                range: { startLine: index + 1, startColumn: 1, endLine: index + 1, endColumn: Math.max(1, line.length) },
-                severity: meta.severity,
-                ruleId: meta.id,
-                match: tok.slice(0, 200),
-                confidence: 0.8,
-                fix: meta.fix
-              });
-            }
+            if (ent < 3.8 || !/[A-Za-z0-9]/.test(tok)) continue;
+
+            // File/context-based ignores: CSS/Tailwind, configs, globs
+            const lowerFile = file.toLowerCase();
+            const isCssContext = lowerFile.endsWith('.css') || lowerFile.endsWith('.scss') || lowerFile.endsWith('.sass') || lowerFile.endsWith('.less') || lowerFile.includes('tailwind.config');
+            if (isCssContext) continue;
+
+            // Token-based ignores: hex colors, tailwind classes, data URIs, globs, UUIDs
+            const isHexColor = /^#([0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/.test(tok);
+            const isTailwind = /(bg|text|border|from|to|via)-[a-zA-Z]+-\d{2,3}/.test(tok);
+            const isDataUri = /^data:image\//.test(tok);
+            const isGlobLike = /\*\*?|\{.*\}|\*\.[a-zA-Z0-9]+/.test(tok);
+            const isUuid = /[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12}/.test(tok);
+            if (isHexColor || isTailwind || isDataUri || isGlobLike || isUuid) continue;
+
+            // Suspicious indicators increase confidence
+            const looksLikeSecret = /\b(sk-|pk_live_|rk_(live|test)_|eyJ[A-Za-z0-9._-]{10,}|AKIA[0-9A-Z]{16}|password=|secret=|api_key=|token=|postgres(ql)?:\/\/|mongodb:\/\/)/.test(tok);
+            const isDotEnvFile = /(^|\/)\.env(\.|$)/.test(lowerFile);
+            if (!looksLikeSecret && !isDotEnvFile) continue;
+
+            const meta = RULES.SEC018;
+            results.push({
+              type: meta.severity === 'high' ? 'error' : 'warning',
+              category: meta.category,
+              message: meta.message,
+              file,
+              line: index + 1,
+              range: { startLine: index + 1, startColumn: 1, endLine: index + 1, endColumn: Math.max(1, line.length) },
+              severity: meta.severity,
+              ruleId: meta.id,
+              match: tok.slice(0, 200),
+              confidence: looksLikeSecret ? 0.9 : 0.8,
+              fix: meta.fix
+            });
           }
         });