Add scan_ai_sast support

.licenses/npm/@nodable/entities.dep.yml

@@ -0,0 +1,11 @@
+---
+name: "@nodable/entities"
+version: 2.1.0
+type: npm
+summary: Entity parser for XML, HTML, External entites with security and NCR control
+homepage:
+license: mit
+licenses:
+- sources: README.md
+  text: MIT
+notices: []

.licenses/npm/brace-expansion.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: brace-expansion
-version: 5.0.2
+version: 5.0.6
 type: npm
 summary: Brace expansion as known from sh/bash
 homepage:

.licenses/npm/fast-xml-builder.dep.yml

@@ -1,9 +1,9 @@
 ---
 name: fast-xml-builder
-version: 1.1.4
+version: 1.2.0
 type: npm
 summary: Build XML from JSON without C/C++ based libraries
-homepage: 
+homepage:
 license: mit
 licenses:
 - sources: LICENSE

.licenses/npm/fast-xml-parser.dep.yml

@@ -1,9 +1,9 @@
 ---
 name: fast-xml-parser
-version: 5.5.9
+version: 5.8.0
 type: npm
 summary: Validate XML, Parse XML, Build XML without C/C++ based libraries
-homepage: 
+homepage:
 license: mit
 licenses:
 - sources: LICENSE

.licenses/npm/lodash.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: lodash
-version: 4.17.23
+version: 4.18.1
 type: npm
 summary: Lodash modular utilities.
 homepage: https://lodash.com/

.licenses/npm/path-expression-matcher.dep.yml

@@ -1,6 +1,6 @@
 ---
 name: path-expression-matcher
-version: 1.2.0
+version: 1.5.0
 type: npm
 summary: Efficient path tracking and pattern matching for XML/JSON parsers
 homepage: https://github.com/NaturalIntelligence/path-expression-matcher#readme

.licenses/npm/strnum.dep.yml

@@ -1,9 +1,9 @@
 ---
 name: strnum
-version: 2.2.2
+version: 2.3.0
 type: npm
 summary: Parse String to Number based on configuration
-homepage: 
+homepage:
 license: mit
 licenses:
 - sources: LICENSE

.licenses/npm/xml-naming.dep.yml

@@ -0,0 +1,12 @@
+---
+name: xml-naming
+version: 0.1.0
+type: npm
+summary: Validates XML name productions — Name, NCName, QName, NMToken, NMTokens —
+  for XML 1.0 and 1.1
+homepage:
+license: mit
+licenses:
+- sources: README.md
+  text: MIT
+notices: []

action.yml

@@ -182,6 +182,11 @@ inputs:
     description: >-
       "Scan source code repository and generate findings for SAST."
     default: false
+  # Scan source code for AI SAST.
+  scan_ai_sast:
+    description: >-
+      "Scan source code repository and generate findings for AI SAST."
+    default: false
   # Scan source code for AI models.
   scan_ai_models:
     description: >-

package.json

@@ -59,8 +59,9 @@
     "@octokit/plugin-paginate-rest": "^9.2.2",
     "@octokit/request": "^8.4.1",
     "undici": ">=7.24.0",
-    "lodash": ">=4.17.23",
-    "fast-xml-parser": ">=5.5.6",
+    "lodash": ">=4.18.0",
+    "fast-xml-parser": ">=5.7.0",
+    "brace-expansion": ">=5.0.5",
     "minimatch": ">=10.2.3",
     "test-exclude": "^7.0.1"
   }

src/scan.ts

@@ -32,6 +32,7 @@ function get_scan_options(options: string[]): void {
   const SCAN_IMAGE_NAME = core.getInput("image");
   const SCAN_IMAGE_TAR = core.getInput("image_tar");
   const SCAN_SAST = core.getBooleanInput("scan_sast");
+  const SCAN_AI_SAST = core.getBooleanInput("scan_ai_sast");
   const SCAN_AI_MODELS = core.getBooleanInput("scan_ai_models");
   const DISABLE_CODE_SNIPPET_STORAGE = core.getBooleanInput(
     "disable_code_snippet_storage"
@@ -54,13 +55,14 @@ function get_scan_options(options: string[]): void {
     !SCAN_DEPENDENCIES &&
     !SCAN_SECRETS &&
     !SCAN_SAST &&
+    !SCAN_AI_SAST &&
     !SCAN_CONTAINER &&
     !SCAN_TOOLS &&
     !SCAN_PACKAGE &&
     !SCAN_GITHUB_ACTIONS
   ) {
     core.error(
-      "At least one of `scan_dependencies`, `scan_secrets`, `scan_tools`, `scan_sast`, `scan_container` or `scan_github_actions` or `scan_package` must be enabled"
+      "At least one of `scan_dependencies`, `scan_secrets`, `scan_tools`, `scan_sast`, `scan_ai_sast`, `scan_container` or `scan_github_actions` or `scan_package` must be enabled"
     );
   }
   if (SCAN_CONTAINER) {
@@ -99,6 +101,11 @@ function get_scan_options(options: string[]): void {
     if (SCAN_SAST) {
       core.error("Package scan and SAST scan cannot be set at the same time");
     }
+    if (SCAN_AI_SAST) {
+      core.error(
+        "Package scan and AI SAST scan cannot be set at the same time"
+      );
+    }
     if (SCAN_AI_MODELS) {
       core.error(
         "Package scan and AI models scan cannot be set at the same time"
@@ -126,6 +133,9 @@ function get_scan_options(options: string[]): void {
   if (SCAN_SAST) {
     options.push(`--sast=true`);
   }
+  if (SCAN_AI_SAST) {
+    options.push(`--ai-sast=true`);
+  }
   if (DISABLE_CODE_SNIPPET_STORAGE) {
     if (!SCAN_SAST) {
       core.error(

yarn.lock

@@ -881,6 +881,11 @@
     "@emnapi/runtime" "^1.4.3"
     "@tybys/wasm-util" "^0.10.0"
 
+"@nodable/entities@^2.1.0":
+  version "2.1.0"
+  resolved "https://registry.yarnpkg.com/@nodable/entities/-/entities-2.1.0.tgz#f543e5c6446720d4cf9e498a83019dd159973bc2"
+  integrity sha512-nyT7T3nbMyBI/lvr6L5TyWbFJAI9FTgVRakNoBqCD+PmID8DzFrrNdLLtHMwMszOtqZa8PAOV24ZqDnQrhQINA==
+
 "@nodelib/fs.scandir@2.1.5":
   version "2.1.5"
   resolved "https://registry.yarnpkg.com/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz#7619c2eb21b25483f6d167548b4cfd5a7488c3d5"
@@ -1795,10 +1800,10 @@ bottleneck@^2.15.3:
   resolved "https://registry.yarnpkg.com/bottleneck/-/bottleneck-2.19.5.tgz#5df0b90f59fd47656ebe63c78a98419205cadd91"
   integrity sha512-VHiNCbI1lKdl44tGrhNfU3lup0Tj/ZBMJB5/2ZbNXRCPuRCO7ed2mgcK4r17y+KB2EfuYuRaVlwNbAeaWGSpbw==
 
-brace-expansion@^5.0.2:
-  version "5.0.2"
-  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-5.0.2.tgz#b6c16d0791087af6c2bc463f52a8142046c06b6f"
-  integrity sha512-Pdk8c9poy+YhOgVWw1JNN22/HcivgKWwpxKq04M/jTmHyCZn12WPJebZxdjSa5TmBqISrUSgNYU3eRORljfCCw==
+brace-expansion@>=5.0.5, brace-expansion@^5.0.2:
+  version "5.0.6"
+  resolved "https://registry.yarnpkg.com/brace-expansion/-/brace-expansion-5.0.6.tgz#ec68fe0a641a29d8711579caf641d05bae1f2285"
+  integrity sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==
   dependencies:
     balanced-match "^4.0.2"
 
@@ -2652,21 +2657,24 @@ fast-levenshtein@^2.0.6:
   resolved "https://registry.yarnpkg.com/fast-levenshtein/-/fast-levenshtein-2.0.6.tgz#3d8a5c66883a16a30ca8643e851f19baa7797917"
   integrity sha512-DCXu6Ifhqcks7TZKY3Hxp3y6qphY5SJZmrWMDrKcERSOXWQdMhU9Ig/PYrzyw/ul9jOIyh0N4M0tbC5hodg8dw==
 
-fast-xml-builder@^1.1.4:
-  version "1.1.4"
-  resolved "https://registry.yarnpkg.com/fast-xml-builder/-/fast-xml-builder-1.1.4.tgz#0c407a1d9d5996336c0cd76f7ff785cac6413017"
-  integrity sha512-f2jhpN4Eccy0/Uz9csxh3Nu6q4ErKxf0XIsasomfOihuSUa3/xw6w8dnOtCDgEItQFJG8KyXPzQXzcODDrrbOg==
+fast-xml-builder@^1.2.0:
+  version "1.2.0"
+  resolved "https://registry.yarnpkg.com/fast-xml-builder/-/fast-xml-builder-1.2.0.tgz#abd2363145a7625d9789ad96da375fabe3cff28c"
+  integrity sha512-00aAWieqff+ZJhsXA4g1g7M8k+7AYoMUUHF+/zFb5U6Uv/P0Vl4QZo84/IcufzYalLuEj9928bXN9PbbFzMF0Q==
   dependencies:
-    path-expression-matcher "^1.1.3"
+    path-expression-matcher "^1.5.0"
+    xml-naming "^0.1.0"
 
-fast-xml-parser@>=5.5.6, fast-xml-parser@^5.0.7:
-  version "5.5.9"
-  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.5.9.tgz#e59637abebec3dbfbb4053b532d787af6ea11527"
-  integrity sha512-jldvxr1MC6rtiZKgrFnDSvT8xuH+eJqxqOBThUVjYrxssYTo1avZLGql5l0a0BAERR01CadYzZ83kVEkbyDg+g==
+fast-xml-parser@>=5.7.0, fast-xml-parser@^5.0.7:
+  version "5.8.0"
+  resolved "https://registry.yarnpkg.com/fast-xml-parser/-/fast-xml-parser-5.8.0.tgz#64d71f0f8d4bf23621dffd762aef7e98c1884fc1"
+  integrity sha512-6bIM7fsJxeo3uXv7OncQYsBAMPJ7V16Slahl/6M98C/i2q+vB1+4a0MtrvYwDFEUrwDSbAmeLDRXsOBwrL7yAg==
   dependencies:
-    fast-xml-builder "^1.1.4"
-    path-expression-matcher "^1.2.0"
-    strnum "^2.2.2"
+    "@nodable/entities" "^2.1.0"
+    fast-xml-builder "^1.2.0"
+    path-expression-matcher "^1.5.0"
+    strnum "^2.3.0"
+    xml-naming "^0.1.0"
 
 fastq@^1.6.0:
   version "1.19.1"
@@ -3887,10 +3895,10 @@ lodash.upperfirst@4.3.1:
   resolved "https://registry.yarnpkg.com/lodash.upperfirst/-/lodash.upperfirst-4.3.1.tgz#1365edf431480481ef0d1c68957a5ed99d49f7ce"
   integrity sha512-sReKOYJIJf74dhJONhU4e0/shzi1trVbSWDOhKYE5XV2O+H7Sb2Dihwuc7xWxVl+DgFPyTqIN3zMfT9cq5iWDg==
 
-lodash@>=4.17.23, lodash@^4.17.15:
-  version "4.17.23"
-  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.17.23.tgz#f113b0378386103be4f6893388c73d0bde7f2c5a"
-  integrity sha512-LgVTMpQtIopCi79SJeDiP0TfWi5CNEc/L/aRdTh3yIvmZXTnheWpKjSZhnvMl8iXbC1tFg9gdHHDMLoV7CnG+w==
+lodash@>=4.18.0, lodash@^4.17.15:
+  version "4.18.1"
+  resolved "https://registry.yarnpkg.com/lodash/-/lodash-4.18.1.tgz#ff2b66c1f6326d59513de2407bf881439812771c"
+  integrity sha512-dMInicTPVE8d1e5otfwmmjlxkZoUpiVLwyeTdUsi/Caj/gfzzblBcCE5sRHV/AsjuCmxWrte2TNGSYuCeCq+0Q==
 
 lru-cache@^10.2.0:
   version "10.4.3"
@@ -4163,10 +4171,10 @@ path-exists@^4.0.0:
   resolved "https://registry.yarnpkg.com/path-exists/-/path-exists-4.0.0.tgz#513bdbe2d3b95d7762e8c1137efa195c6c61b5b3"
   integrity sha512-ak9Qy5Q7jYb2Wwcey5Fpvg2KoAc/ZIhLSLOSBmRmygPsGwkVVt0fZa0qrtMz+m6tJTAHfZQ8FnmB4MG4LWy7/w==
 
-path-expression-matcher@^1.1.3, path-expression-matcher@^1.2.0:
-  version "1.2.0"
-  resolved "https://registry.yarnpkg.com/path-expression-matcher/-/path-expression-matcher-1.2.0.tgz#9bdae3787f43b0857b0269e9caaa586c12c8abee"
-  integrity sha512-DwmPWeFn+tq7TiyJ2CxezCAirXjFxvaiD03npak3cRjlP9+OjTmSy1EpIrEbh+l6JgUundniloMLDQ/6VTdhLQ==
+path-expression-matcher@^1.5.0:
+  version "1.5.0"
+  resolved "https://registry.yarnpkg.com/path-expression-matcher/-/path-expression-matcher-1.5.0.tgz#3b98545dc88ffebb593e2d8458d0929da9275f4a"
+  integrity sha512-cbrerZV+6rvdQrrD+iGMcZFEiiSrbv9Tfdkvnusy6y0x0GKBXREFg/Y65GhIfm0tnLntThhzCnfKwp1WRjeCyQ==
 
 path-is-absolute@^1.0.0:
   version "1.0.1"
@@ -4719,10 +4727,10 @@ strip-json-comments@^3.1.1:
   resolved "https://registry.yarnpkg.com/strip-json-comments/-/strip-json-comments-3.1.1.tgz#31f1281b3832630434831c310c01cccda8cbe006"
   integrity sha512-6fPc+R4ihwqP6N/aIv2f1gMH8lOVtWQHoqC4yK6oSDVVocumAsfCqjkXnqiYMhmMwS/mEHLp7Vehlt3ql6lEig==
 
-strnum@^2.2.2:
-  version "2.2.2"
-  resolved "https://registry.yarnpkg.com/strnum/-/strnum-2.2.2.tgz#f11fd94ab62b536ba2ecc615858f3747c2881b3f"
-  integrity sha512-DnR90I+jtXNSTXWdwrEy9FakW7UX+qUZg28gj5fk2vxxl7uS/3bpI4fjFYVmdK9etptYBPNkpahuQnEwhwECqA==
+strnum@^2.3.0:
+  version "2.3.0"
+  resolved "https://registry.yarnpkg.com/strnum/-/strnum-2.3.0.tgz#81bfbfef53db8c3217ea62a98c026886ec4a2761"
+  integrity sha512-ums3KNd42PGyx5xaoVTO1mjU1bH3NpY4vsrVlnv9PNGqQj8wd7rJ6nEypLrJ7z5vxK5RP0yMLo6J/Gsm62DI5Q==
 
 supports-color@^7.1.0:
   version "7.2.0"
@@ -5157,6 +5165,11 @@ write-file-atomic@^5.0.1:
     imurmurhash "^0.1.4"
     signal-exit "^4.0.1"
 
+xml-naming@^0.1.0:
+  version "0.1.0"
+  resolved "https://registry.yarnpkg.com/xml-naming/-/xml-naming-0.1.0.tgz#8ab7106c5b8d23caa2fabac1cadf17136379fbd8"
+  integrity sha512-k8KO9hrMyNk6tUWqUfkTEZbezRRpONVOzUTnc97VnCvyj6Tf9lyUR9EDAIeiVLv56jsMcoXEwjW8Kv5yPY52lw==
+
 y18n@^5.0.5:
   version "5.0.8"
   resolved "https://registry.yarnpkg.com/y18n/-/y18n-5.0.8.tgz#7f4934d0f7ca8c56f95314939ddcd2dd91ce1d55"