feat: add Lizard, jscpd, and docs/CI file checks to scan pipeline

THIRD-PARTY-NOTICES.md

@@ -717,3 +717,73 @@ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
     of your accepting any such warranty or additional liability.
 
 END OF TERMS AND CONDITIONS
+
+---
+
+## Lizard
+
+- **Version:** v1.9.25
+- **Project URL:** https://github.com/terryyin/lizard
+- **Source code:** https://github.com/terryyin/lizard
+- **License:** MIT
+
+GitAGrip invokes Lizard as a standalone Python package installed via pip in the API container.
+
+### MIT License Text
+
+MIT License
+
+Copyright (c) 2011-2026 Terry Yin
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+
+---
+
+## jscpd
+
+- **Version:** v4.2.5
+- **Project URL:** https://github.com/kucherenko/jscpd
+- **Source code:** https://github.com/kucherenko/jscpd
+- **License:** MIT
+
+GitAGrip invokes jscpd as a standalone npm global package in the API container.
+
+### MIT License Text
+
+MIT License
+
+Copyright (c) 2013-2024 Andrey Kucherenko
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

apps/api/package.json

@@ -19,6 +19,7 @@
     "@gitagrip/shared": "workspace:*",
     "bullmq": "^5.0.0",
     "cookie-parser": "^1.4.7",
+    "csv-parse": "^5.6.0",
     "cors": "^2.8.5",
     "drizzle-orm": "^0.45.1",
     "express": "^5.0.0",

apps/api/src/scanner/applicability.ts

@@ -28,7 +28,7 @@ export function getCategoryApplicability(manifest: FileManifest): CategoryApplic
     // conditional
     dependency_health: manifest.hasLockFiles,
     code_quality: manifest.supportedLanguageFiles > 0,
-    cicd_devops: manifest.hasCIConfig,
+    cicd_devops: manifest.hasCIConfig || manifest.hasHusky || manifest.hasPreCommit,
     workflow_security: manifest.hasWorkflowFiles,
     iac_security: manifest.hasIaCFiles,
     dockerfile_best_practices: manifest.hasDockerfile,

apps/api/src/scanner/detect-files.ts

@@ -10,6 +10,10 @@ export interface FileManifest {
   hasLockFiles: boolean;
   hasCIConfig: boolean;
   hasWorkflowFiles: boolean;
+  hasHusky: boolean;
+  hasPreCommit: boolean;
+  hasCodeowners: boolean;
+  workflowFileCount: number;
   hasReadme: boolean;
   hasLicense: boolean;
   hasContributing: boolean;
@@ -73,6 +77,10 @@ export async function detectFiles(repoDir: string): Promise<FileManifest> {
     hasLockFiles: false,
     hasCIConfig: false,
     hasWorkflowFiles: false,
+    hasHusky: false,
+    hasPreCommit: false,
+    hasCodeowners: false,
+    workflowFileCount: 0,
     hasReadme: false,
     hasLicense: false,
     hasContributing: false,
@@ -104,6 +112,7 @@ export async function detectFiles(repoDir: string): Promise<FileManifest> {
         if (stats.isSymbolicLink()) continue;
 
         if (stats.isDirectory()) {
+          if (entry.name === '.husky') manifest.hasHusky = true;
           await walk(fullPath);
           continue;
         }
@@ -133,14 +142,23 @@ export async function detectFiles(repoDir: string): Promise<FileManifest> {
         ) {
           manifest.hasCIConfig = true;
           manifest.hasWorkflowFiles = true;
+          manifest.workflowFileCount++;
         }
 
         if (CI_FILES.has(fileNameRaw)) manifest.hasCIConfig = true;
         if (CI_DIRS.some((d) => relativePath.startsWith(d + '/'))) manifest.hasCIConfig = true;
 
         const dir = path.dirname(relativePath);
+
+        if (fileName === 'codeowners' && (dir === '.' || dir === '.github')) {
+          manifest.hasCodeowners = true;
+        }
         const isTopLevelOrGithub = dir === '.' || dir === '.github';
 
+        if (dir === '.' && fileNameRaw === '.pre-commit-config.yaml') {
+          manifest.hasPreCommit = true;
+        }
+
         if (isTopLevelOrGithub) {
           if (/^readme(\..+)?$/i.test(fileNameRaw)) manifest.hasReadme = true;
           if (/^(license|copying)(\..+)?$/i.test(fileNameRaw)) manifest.hasLicense = true;

apps/api/src/scanner/scoring/code-quality.ts

@@ -0,0 +1,64 @@
+// combines Lizard + jscpd partial scores into published code_quality category
+
+import {
+  clampScore,
+  notApplicableScore,
+  type CategoryScore,
+  type PartialToolScore,
+} from '../types.js';
+
+export function combineCodeQuality(
+  lizard: PartialToolScore,
+  jscpd: PartialToolScore,
+  applicable: boolean,
+): CategoryScore {
+  if (!applicable) {
+    return notApplicableScore('code_quality', 'No supported source files detected');
+  }
+
+  const lizardOk = !lizard.failed;
+  const jscpdOk = !jscpd.failed;
+
+  if (!lizardOk && !jscpdOk) {
+    const reasons: string[] = [];
+    if (lizard.failed) reasons.push(`lizard ${lizard.failureReason ?? 'failed'}`);
+    if (jscpd.failed) reasons.push(`jscpd ${jscpd.failureReason ?? 'failed'}`);
+    return {
+      category: 'code_quality',
+      score: 0,
+      applicable: true,
+      message: `Tool failed: ${reasons.join('; ')}`,
+      findingCount: 0,
+    };
+  }
+
+  let score: number;
+  const parts: string[] = [];
+  const unavailable: string[] = [];
+
+  if (lizardOk && jscpdOk) {
+    score = clampScore(lizard.score * 0.6 + jscpd.score * 0.4);
+    parts.push(lizard.detail, jscpd.detail);
+  } else if (lizardOk) {
+    score = lizard.score;
+    parts.push(lizard.detail);
+    unavailable.push('duplication unavailable');
+  } else {
+    score = jscpd.score;
+    parts.push(jscpd.detail);
+    unavailable.push('complexity unavailable');
+  }
+
+  let message = parts.filter(Boolean).join(', ');
+  if (unavailable.length > 0) {
+    message = message ? `${message} (${unavailable.join(', ')})` : unavailable.join(', ');
+  }
+
+  return {
+    category: 'code_quality',
+    score,
+    applicable: true,
+    message,
+    findingCount: 0,
+  };
+}

apps/api/src/scanner/tools/cicd-check.ts

@@ -0,0 +1,55 @@
+// pure Node.js CI/CD and DevOps file scorer
+
+import type { CategoryApplicability } from '../applicability.js';
+import type { FileManifest } from '../detect-files.js';
+import {
+  clampScore,
+  notApplicableScore,
+  type CategoryScore,
+  type ToolRunContext,
+} from '../types.js';
+
+export async function runCICDCheck(
+  ctx: ToolRunContext & { manifest: FileManifest; applicability: CategoryApplicability },
+): Promise<CategoryScore[]> {
+  const { manifest, applicability } = ctx;
+
+  if (!applicability.cicd_devops) {
+    return [notApplicableScore('cicd_devops', 'No CI or DevOps tooling detected')];
+  }
+
+  let score = 0;
+  const signals: string[] = [];
+
+  if (manifest.hasCIConfig) {
+    score += 40;
+    signals.push('CI config');
+  }
+  if (manifest.hasWorkflowFiles) {
+    score += 20;
+    signals.push('GitHub Actions');
+  }
+  if (manifest.workflowFileCount >= 2) {
+    score += 10;
+    signals.push(`${manifest.workflowFileCount} workflows`);
+  }
+  if (manifest.hasCodeowners) {
+    score += 15;
+    signals.push('CODEOWNERS');
+  }
+  if (manifest.hasHusky || manifest.hasPreCommit) {
+    score += 15;
+    if (manifest.hasHusky) signals.push('husky');
+    if (manifest.hasPreCommit) signals.push('pre-commit');
+  }
+
+  return [
+    {
+      category: 'cicd_devops',
+      score: clampScore(score),
+      applicable: true,
+      message: signals.length > 0 ? signals.join(', ') : 'No CI/DevOps signals detected',
+      findingCount: signals.length,
+    },
+  ];
+}

apps/api/src/scanner/tools/docs-check.ts

@@ -0,0 +1,100 @@
+// pure Node.js documentation standards scorer
+
+import { readFile, readdir } from 'fs/promises';
+import path from 'path';
+import type { FileManifest } from '../detect-files.js';
+import { clampScore, type CategoryScore, type ToolRunContext } from '../types.js';
+
+async function findRootReadme(repoDir: string): Promise<string | null> {
+  const entries = await readdir(repoDir, { withFileTypes: true });
+  for (const entry of entries) {
+    if (!entry.isFile()) continue;
+    if (/^readme(\..+)?$/i.test(entry.name)) {
+      return path.join(repoDir, entry.name);
+    }
+  }
+  return null;
+}
+
+function scoreReadmeQuality(content: string): { points: number; signals: string[] } {
+  const signals: string[] = [];
+  let points = 0;
+
+  if (content.length > 500) {
+    points += 5;
+    signals.push('substantial length');
+  }
+  if (/^#{1,6}\s/m.test(content)) {
+    points += 5;
+    signals.push('has headings');
+  }
+  if (/```/.test(content)) {
+    points += 5;
+    signals.push('has code blocks');
+  }
+
+  return { points, signals };
+}
+
+export async function runDocsCheck(
+  ctx: ToolRunContext & { manifest: FileManifest },
+): Promise<CategoryScore[]> {
+  const { repoDir, manifest } = ctx;
+
+  let score = 0;
+  const present: string[] = [];
+
+  if (manifest.hasReadme) {
+    score += 25;
+    present.push('README');
+  }
+  if (manifest.hasLicense) {
+    score += 20;
+    present.push('LICENSE');
+  }
+  if (manifest.hasContributing) {
+    score += 10;
+    present.push('CONTRIBUTING');
+  }
+  if (manifest.hasChangelog) {
+    score += 10;
+    present.push('CHANGELOG');
+  }
+  if (manifest.hasCodeOfConduct) {
+    score += 5;
+    present.push('CODE_OF_CONDUCT');
+  }
+  if (manifest.hasSecurityPolicy) {
+    score += 15;
+    present.push('SECURITY');
+  }
+
+  const qualitySignals: string[] = [];
+  if (manifest.hasReadme) {
+    try {
+      const readmePath = await findRootReadme(repoDir);
+      if (readmePath) {
+        const content = await readFile(readmePath, 'utf8');
+        const quality = scoreReadmeQuality(content);
+        score += quality.points;
+        qualitySignals.push(...quality.signals);
+      }
+    } catch {
+      // existence points already awarded from manifest
+    }
+  }
+
+  const parts: string[] = [];
+  if (present.length > 0) parts.push(`Found: ${present.join(', ')}`);
+  if (qualitySignals.length > 0) parts.push(`README quality: ${qualitySignals.join(', ')}`);
+
+  return [
+    {
+      category: 'documentation_standards',
+      score: clampScore(score),
+      applicable: true,
+      message: parts.length > 0 ? parts.join('; ') : 'No documentation files detected',
+      findingCount: present.length,
+    },
+  ];
+}