JSPM

@ruizrica/mako-cli

0.1.5
  • Downloads 20
  • License MIT

Mako Security CLI - scan for vulnerabilities in dependencies, code, and infrastructure

Package Exports

  • @ruizrica/mako-cli

Readme

Mako

Mako Security CLI

Unified command-line tool for security scanning with server sync and AI-powered microtask fixes.

Features

  • SCA (Software Composition Analysis): Scan dependencies for known vulnerabilities
  • SAST (Static Application Security Testing): Detect secrets and code vulnerabilities
  • IaC (Infrastructure as Code): Scan Terraform, Docker, Kubernetes configs
  • Server Sync: Download vuln intel before scanning, upload results after
  • AI Microtask Fixes: Claude generates targeted fixes with exact file, line, and diff
  • Dashboard Commands: Check status, manage findings, view history from the terminal
  • Unified Reporting: JSON, SARIF, and terminal output formats
  • Policy Gates: Fail builds based on severity thresholds

Quick Start

# Initialize config
mako init

# Run a scan (local only)
mako scan

# Run a scan with AI fixes
ANTHROPIC_API_KEY=sk-ant-... mako scan --fix

# Run a scan with server sync + AI fixes
# (configure api.dsn in .mako-security.yml first)
mako scan --fix

The Pipeline

When fully configured, mako scan runs a 6-step pipeline:

1. SYNC DOWN  → Download vuln intel + config from server
2. SCAN       → Run SCA/SAST/IaC against local files
3. AI FIX     → Generate microtask fixes for each finding
4. PRESENT    → Show findings + fixes in terminal
5. SYNC UP    → Upload results back to server

Each step is optional — the CLI works perfectly offline with no keys configured.

Commands

Scanning

mako scan              # Run all enabled scanners
mako scan --fix        # Run with AI microtask fixes
mako scan:sca          # SCA only
mako scan:sast         # SAST only
mako scan:iac          # IaC only

Dashboard (requires API)

mako status            # Project security posture + feed health
mako findings          # List findings from server
mako findings --severity critical,high
mako findings resolve abc123   # Mark finding as resolved
mako findings ignore def456    # Mark finding as ignored
mako history           # Scan run history
mako history --last 10

AI Microtask Fixes

When --fix is passed and ANTHROPIC_API_KEY is set, the CLI uses Claude to generate targeted fixes:

┌─ CRITICAL ──────────────────────────────────────────────────
│ SQL Injection in user query
│
│ 📁 src/routes/users.ts:47-49
│
│ ❌ Vulnerable:
│   const query = `SELECT * FROM users WHERE id = ${id}`;
│   const result = await db.execute(query);
│
│ ✅ Fixed:
│   const query = `SELECT * FROM users WHERE id = ?`;
│   const result = await db.execute(query, [id]);
│
│ 💡 User input is interpolated directly into the SQL string,
│    allowing arbitrary SQL injection. Use parameterized queries.
│ 🧪 Test: Run existing user query tests, verify parameterized queries
└─────────────────────────────────────────────────────────────

Each fix includes: exact file path, line numbers, actual vulnerable code, drop-in replacement, explanation, and what to test.

Configuration

.mako-security.yml:

version: 1

# Server sync (optional)
api:
  endpoint: https://api.mako.security
  dsn: https://<key>@api.mako.security/api/v1/<project-id>
  auto_upload: true

# AI fixes (optional, also needs ANTHROPIC_API_KEY env var)
ai:
  enabled: true
  model: claude-sonnet-4-20250514
  fix_severity: medium   # minimum severity for fixes

# Scanners
scanners:
  sca:
    enabled: true
    fail_on: high
  sast:
    enabled: true
    fail_on: medium
  iac:
    enabled: true
    fail_on: high
  dast:
    enabled: false

# Suppress findings
ignore:
  cves: []
  rules: []
  paths: []

Options

--json                Output as JSON
--sarif               Output in SARIF format
--quiet, -q           Suppress output
--fix                 Generate AI microtask fixes
--fix-severity LEVEL  Minimum severity for AI fixes (default: medium)
--config FILE         Custom config file path
--output FILE, -o     Write results to file
--severity-threshold  Override threshold (critical, high, medium, low, info)

Exit Codes

  • 0: All findings below threshold (pass)
  • 1: Findings at or above threshold (fail)
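As an added example (not code from the mako-cli project), the following TypeScript evaluates the policy gate the exit codes, the per-scanner fail_on settings and the ignore block describe. The Finding and PolicyConfig shapes, the helper names, the directory-prefix matching for ignored paths and the sample data are assumptions.

```typescript
// Added example, not mako-cli source: evaluates the README's policy gate.
// Finding/PolicyConfig shapes and helper names are assumptions modelled on .mako-security.yml.
type Severity = "critical" | "high" | "medium" | "low" | "info";
type Scanner = "sca" | "sast" | "iac";
// Rank used for "at or above threshold" comparisons.
const RANK: Record<Severity, number> = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };

// rule holds the rule id (SAST/IaC) or CVE id (SCA); path is the file the finding was reported in.
interface Finding { scanner: Scanner; severity: Severity; rule: string; path: string; }
interface PolicyConfig {
  scanners: Partial<Record<Scanner, { enabled: boolean; fail_on: Severity }>>;
  ignore: { cves: string[]; rules: string[]; paths: string[] };
  severityThreshold?: Severity;   // --severity-threshold override, if given
}

// Drop findings suppressed by the ignore block (directory-prefix match for paths is assumed).
function applyIgnores(findings: Finding[], ignore: PolicyConfig["ignore"]): Finding[] {
  return findings.filter(f =>
    !ignore.cves.includes(f.rule) && !ignore.rules.includes(f.rule) &&
    !ignore.paths.some(p => f.path === p || f.path.startsWith(p.replace(/\/?$/, "/"))));
}

// Findings that trip the gate: from an enabled scanner and at or above that
// scanner's fail_on (or the global override), after ignores are applied.
function gateViolations(findings: Finding[], cfg: PolicyConfig): Finding[] {
  return applyIgnores(findings, cfg.ignore).filter(f => {
    const sc = cfg.scanners[f.scanner];
    if (!sc || !sc.enabled) return false;
    return RANK[f.severity] >= RANK[cfg.severityThreshold ?? sc.fail_on];
  });
}

// Exit codes as documented: 0 = pass, 1 = findings at or above threshold.
function exitCode(findings: Finding[], cfg: PolicyConfig): 0 | 1 {
  return gateViolations(findings, cfg).length > 0 ? 1 : 0;
}
// Constructed sample config and findings (not real scan output; the CVE id is a placeholder).
const sampleConfig: PolicyConfig = {
  scanners: { sca: { enabled: true, fail_on: "high" }, sast: { enabled: true, fail_on: "medium" },
              iac: { enabled: true, fail_on: "high" } },
  ignore: { cves: ["CVE-0000-00001"], rules: [], paths: ["test/fixtures"] },
};
const sampleFindings: Finding[] = [
  { scanner: "sca", severity: "high", rule: "CVE-0000-00001", path: "package-lock.json" },     // suppressed: cves
  { scanner: "sast", severity: "medium", rule: "hardcoded-secret", path: "test/fixtures/k.ts" }, // suppressed: paths
  { scanner: "iac", severity: "medium", rule: "k8s-privileged", path: "deploy/pod.yaml" },     // below iac fail_on
  { scanner: "sast", severity: "medium", rule: "sql-injection", path: "src/routes/users.ts" },  // trips the gate
];
console.log(`exit code: ${exitCode(sampleFindings, sampleConfig)}`);  // 1
```

Passing `severityThreshold: "high"` to the same findings returns exit code 0, because the only unsuppressed findings are medium; lowering it to `"medium"` makes the IaC finding count as well.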

Server-Side Vulnerability Intelligence

When connected to the Mako API, the server continuously syncs vulnerability data:

Feed      Source                                 Schedule
NVD       NIST National Vulnerability Database   Every 30 min
OSV       Google Open Source Vulnerabilities     Every 30 min
GHSA      GitHub Security Advisories             Every 30 min
EPSS      FIRST.org Exploit Prediction Scores    Daily
CISA KEV  Known Exploited Vulnerabilities        Every 30 min

The CLI syncs this data before scanning, enriching SCA findings with CVSS scores, EPSS probabilities, and CISA KEV flags.

License

MIT