chore(scripts): add cross-platform security runner and ignore /reports

jdalton · jdalton · commit bb1efbde7063 · 2026-04-19T21:32:20.000-04:00
- Add scripts/security.mts as a cross-platform replacement for the
  inline shell \`security\` script; runs agentshield then zizmor if
  available, with consistent logger output.
- Ignore /reports output directory in git and in the markdown-filename
  validator so generated scan reports don't trip validation.
diff --git a/.gitignore b/.gitignore
@@ -22,6 +22,7 @@ Thumbs.db
 /.tap
 /.type-coverage
 /coverage
+/reports
 *.log
 *.pid
 *.seed
diff --git a/scripts/security.mts b/scripts/security.mts
@@ -0,0 +1,51 @@
+/**
+ * @fileoverview Security scan runner. Runs agentshield on Claude config then
+ * optionally runs zizmor against .github/. Cross-platform replacement for the
+ * previous inline shell script.
+ */
+
+import process from 'node:process'
+
+import { getDefaultLogger } from '@socketsecurity/lib/logger'
+import type { Logger } from '@socketsecurity/lib/logger'
+import { spawnSync } from '@socketsecurity/lib/spawn'
+
+import { runCommand } from './utils/run-command.mts'
+
+const logger: Logger = getDefaultLogger()
+
+function hasCommand(command: string): boolean {
+  const probe = process.platform === 'win32' ? 'where' : 'command'
+  const args = process.platform === 'win32' ? [command] : ['-v', command]
+  const result = spawnSync(probe, args, {
+    stdio: 'ignore',
+    shell: process.platform === 'win32',
+  })
+  return result.status === 0
+}
+
+async function main(): Promise<void> {
+  const agentshieldCode = await runCommand('agentshield', ['scan'])
+  if (agentshieldCode !== 0) {
+    process.exitCode = agentshieldCode
+    return
+  }
+
+  if (hasCommand('zizmor')) {
+    const zizmorCode = await runCommand('zizmor', ['.github/'])
+    if (zizmorCode !== 0) {
+      process.exitCode = zizmorCode
+      return
+    }
+  } else {
+    logger.info('zizmor not installed — run pnpm run setup to install')
+  }
+
+  process.exitCode = 0
+}
+
+void main().catch((e: unknown) => {
+  const message = e instanceof Error ? e.message : String(e)
+  logger.error(`security scan failed: ${message}`)
+  process.exitCode = 1
+})
diff --git a/scripts/validate/markdown-filenames.mts b/scripts/validate/markdown-filenames.mts
@@ -60,6 +60,7 @@ const SKIP_DIRS = new Set([
   '.next',
   '.nuxt',
   '.output',
+  'reports',
 ])
 
 type MarkdownFilenameViolation = {
