fix(cli): apply repository triage file during scans

2026-06-15 20:05:13 +02:00 · 2026-06-05 10:50:25 -05:00 · 2026-06-05 10:50:25 -05:00 · 1148e65f36
commit 1148e65f36
parent 991c84a1eb
42 changed files with 571 additions and 20 deletions
--- a/tests/cli_validation_tests.rs
+++ b/tests/cli_validation_tests.rs
@ -14,8 +14,9 @@
 //! reproducible.

 use assert_cmd::Command;
+use nyx_scanner::commands::scan::Diag;
 use predicates::prelude::*;
-use serde_json::Value;
+use serde_json::{Value, json};
 use std::path::PathBuf;

 /// Build a scan command with a fresh config dir and a writable tempdir as
@ -197,6 +198,91 @@ fn scan_json_stdout_is_machine_clean_when_tracing_warns() {
    );
 }

+#[test]
+fn scan_respects_committed_triage_file_for_cli_output_and_fail_on() {
+    let home = tempfile::tempdir().unwrap();
+    let target = tempfile::tempdir().unwrap();
+    std::fs::write(
+        target.path().join("app.js"),
+        b"const q = req.query.x;\neval(q);\n",
+    )
+    .unwrap();
+    let canonical_target = target.path().canonicalize().unwrap();
+
+    let scan_args = [
+        "--format",
+        "json",
+        "--quiet",
+        "--index",
+        "off",
+        "--no-verify",
+        "--all",
+        "--include-quality",
+        "--parse-timeout-ms",
+        "0",
+    ];
+    let (mut first_cmd, _) = scan_cmd(home.path(), target.path());
+    first_cmd.args(scan_args);
+    let first = first_cmd.assert().success();
+    let first_json = assert_stdout_is_json_from_byte_zero(
+        &first.get_output().stdout,
+        "initial nyx scan --format json",
+    );
+    let findings = first_json["findings"]
+        .as_array()
+        .expect("scan JSON must include findings");
+    assert!(
+        !findings.is_empty(),
+        "fixture should emit at least one finding"
+    );
+
+    let decisions: Vec<Value> = findings
+        .iter()
+        .map(|finding| {
+            let diag: Diag = serde_json::from_value(finding.clone()).unwrap();
+            json!({
+                "fingerprint": nyx_scanner::server::models::compute_portable_fingerprint(
+                    &diag,
+                    &canonical_target,
+                ),
+                "state": "false_positive",
+                "note": "fixture triaged by committed file",
+                "rule_id": diag.id,
+                "path": diag.path.strip_prefix(canonical_target.to_string_lossy().as_ref())
+                    .unwrap_or(&diag.path)
+                    .trim_start_matches('/')
+            })
+        })
+        .collect();
+
+    let nyx_dir = target.path().join(".nyx");
+    std::fs::create_dir(&nyx_dir).unwrap();
+    std::fs::write(
+        nyx_dir.join("triage.json"),
+        serde_json::to_vec_pretty(&json!({
+            "version": 1,
+            "decisions": decisions,
+            "suppression_rules": []
+        }))
+        .unwrap(),
+    )
+    .unwrap();
+
+    let (mut second_cmd, _) = scan_cmd(home.path(), target.path());
+    second_cmd.args(scan_args).args(["--fail-on", "HIGH"]);
+    let second = second_cmd.assert().success();
+    let second_json = assert_stdout_is_json_from_byte_zero(
+        &second.get_output().stdout,
+        "triaged nyx scan --format json",
+    );
+
+    assert_eq!(
+        second_json["findings"].as_array().unwrap().len(),
+        0,
+        "terminal triage decisions from .nyx/triage.json should be hidden by default"
+    );
+}
+
 #[test]
 fn scan_sarif_stdout_is_machine_clean_when_tracing_warns() {
    let home = tempfile::tempdir().unwrap();