{
"schema_version": 1,
"summary": {
"files_scanned": 3,
"files_skipped": 1,
"commands_extracted": 16,
"findings_total": 11,
"decisions": {
"allow": 0,
"warn": 0,
"deny": 11
},
"severities": {
"info": 0,
"warning": 0,
"error": 11
},
"max_findings_reached": false,
"elapsed_ms": 70
},
"findings": [
{
"file": "tests/fixtures/scan/.github/workflows/test.yml",
"line": 27,
"extractor_id": "github_actions.steps.run",
"extracted_command": "git push --force origin main",
"decision": "deny",
"severity": "error",
"rule_id": "core.git:push-force-long",
"reason": "Force push can destroy remote history. Use --force-with-lease if necessary.",
"suggestion": "Use `git push --force-with-lease` to prevent overwriting others' work"
},
{
"file": "tests/fixtures/scan/.github/workflows/test.yml",
"line": 28,
"extractor_id": "github_actions.steps.run",
"extracted_command": "rm -rf dist/*",
"decision": "deny",
"severity": "error",
"rule_id": "core.filesystem:rm-rf-general",
"reason": "rm -rf is destructive and requires human approval. Explain what you want to delete and why, then ask the user to run the command manually.",
"suggestion": "Use `rm -ri` for interactive confirmation of each file"
},
{
"file": "tests/fixtures/scan/.github/workflows/test.yml",
"line": 43,
"extractor_id": "github_actions.steps.run",
"extracted_command": "git reset --hard HEAD~1",
"decision": "deny",
"severity": "error",
"rule_id": "core.git:reset-hard",
"reason": "git reset --hard destroys uncommitted changes. Use 'git stash' first.",
"suggestion": "Use `git reset --soft` or `--mixed` to preserve changes"
},
{
"file": "tests/fixtures/scan/.github/workflows/test.yml",
"line": 46,
"extractor_id": "github_actions.steps.run",
"extracted_command": "git clean -fdx",
"decision": "deny",
"severity": "error",
"rule_id": "core.git:clean-force",
"reason": "git clean -f/--force removes untracked files permanently. Review with 'git clean -n' first.",
"suggestion": "Use `git clean -i` for interactive mode to select files"
},
{
"file": "tests/fixtures/scan/Dockerfile.test",
"line": 12,
"extractor_id": "dockerfile.run",
"extracted_command": "rm -rf /var/cache/apk/*",
"decision": "deny",
"severity": "error",
"rule_id": "core.filesystem:rm-rf-root-home",
"reason": "rm -rf on root or home paths is EXTREMELY DANGEROUS. This command will NOT be executed. Ask the user to run it manually if truly needed.",
"suggestion": "Use `rm -ri` for interactive confirmation of each file"
},
{
"file": "tests/fixtures/scan/Dockerfile.test",
"line": 13,
"extractor_id": "dockerfile.run",
"extracted_command": "rm -rf node_modules",
"decision": "deny",
"severity": "error",
"rule_id": "core.filesystem:rm-rf-general",
"reason": "rm -rf is destructive and requires human approval. Explain what you want to delete and why, then ask the user to run the command manually.",
"suggestion": "Use `rm -ri` for interactive confirmation of each file"
},
{
"file": "tests/fixtures/scan/shell_commands.sh",
"line": 13,
"extractor_id": "shell.script",
"extracted_command": "git reset --hard",
"decision": "deny",
"severity": "error",
"rule_id": "core.git:reset-hard",
"reason": "git reset --hard destroys uncommitted changes. Use 'git stash' first.",
"suggestion": "Use `git reset --soft` or `--mixed` to preserve changes"
},
{
"file": "tests/fixtures/scan/shell_commands.sh",
"line": 14,
"extractor_id": "shell.script",
"extracted_command": "git push --force origin main",
"decision": "deny",
"severity": "error",
"rule_id": "core.git:push-force-long",
"reason": "Force push can destroy remote history. Use --force-with-lease if necessary.",
"suggestion": "Use `git push --force-with-lease` to prevent overwriting others' work"
},
{
"file": "tests/fixtures/scan/shell_commands.sh",
"line": 15,
"extractor_id": "shell.script",
"extracted_command": "git clean -fd",
"decision": "deny",
"severity": "error",
"rule_id": "core.git:clean-force",
"reason": "git clean -f/--force removes untracked files permanently. Review with 'git clean -n' first.",
"suggestion": "Use `git clean -i` for interactive mode to select files"
},
{
"file": "tests/fixtures/scan/shell_commands.sh",
"line": 22,
"extractor_id": "shell.script",
"extracted_command": "rm -rf ~/projects",
"decision": "deny",
"severity": "error",
"rule_id": "core.filesystem:rm-rf-root-home",
"reason": "rm -rf on root or home paths is EXTREMELY DANGEROUS. This command will NOT be executed. Ask the user to run it manually if truly needed.",
"suggestion": "Use `rm -ri` for interactive confirmation of each file"
},
{
"file": "tests/fixtures/scan/shell_commands.sh",
"line": 23,
"extractor_id": "shell.script",
"extracted_command": "rm -rf /home/*",
"decision": "deny",
"severity": "error",
"rule_id": "core.filesystem:rm-rf-root-home",
"reason": "rm -rf on root or home paths is EXTREMELY DANGEROUS. This command will NOT be executed. Ask the user to run it manually if truly needed.",
"suggestion": "Use `rm -ri` for interactive confirmation of each file"
}
]
}