docs: fix README/launch-post to match actual CLI flag and score semantics#13

Open
dmchaledev wants to merge 1 commit into main from claude/amazing-franklin-kA1VF
Conversation

@dmchaledev
Contributor

Summary

Two user-facing documentation bugs where the docs contradict the code. Both are small, self-contained, and docs-only.

1. Documented SARIF command errors out (--output= vs --format=)

README.md and dev-to/launch-post.md both advertise:

npx @hailbytes/mcp-security-scanner ./config.json --output=sarif --exit-code

But the CLI only accepts --format= (see src/cli.ts). The documented command fails outright:

$ node dist/cli.js --output=sarif examples/vulnerable-config.json
Error: Unknown flag "--output=sarif". Use --help to see available options.   # exit 2

Fixed to --format=sarif, which produces valid SARIF as intended. (This was flagged as out-of-scope in #12; addressing it here.)

2. README inverts the meaning of report.score

The programmatic example described the score as:

console.log(report.score);     // 0–100 risk score (lower = riskier)

This is backwards. The code is unambiguous that higher = riskier:

  • src/scorer.ts: "Higher score = more risk" — score sums severity weights.
  • src/types.ts: "Risk score 0 (safest) – 100 (most risk)".
  • src/scanner.ts: passed = score < 50 && !hasCritical.

A CI gate written from the old comment would invert its pass/fail logic — a meaningful footgun for a security tool. Corrected to higher = riskier; 0 is safest.

Verification

$ node dist/cli.js --format=sarif examples/vulnerable-config.json   # valid SARIF, exit 1
$ node dist/cli.js examples/vulnerable-config.json   ->  score 100, passed false
$ node dist/cli.js examples/secure-config.json       ->  score 0,   passed true

Confirms higher score = riskier and that --format=sarif is the correct flag.

No production code changed.

https://claude.ai/code/session_01WUxsN7GXqccfdLHTb4k86R


Generated by Claude Code

Two user-facing documentation bugs where the docs contradicted the code:

- The SARIF example used `--output=sarif`, but the CLI only accepts
  `--format=`. The documented command errors with `Unknown flag
  "--output=sarif"` and exits 2. Fixed to `--format=sarif` in both
  README.md and dev-to/launch-post.md.

- The README's programmatic example described `report.score` as
  "0–100 risk score (lower = riskier)", which is inverted. The code is
  unambiguous: scorer.ts ("Higher score = more risk"), types.ts ("0
  (safest) – 100 (most risk)"), and scanner.ts (`passed = score < 50`).
  A CI gate built from the old comment would invert pass/fail logic.
  Verified: vulnerable example -> score 100/failed, secure -> 0/passed.

Docs-only; no production code changed.
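An added example (not code from the repository or the PR author) of the CI gate the description warns about, in JavaScript: the gate someone would write from the old "lower = riskier" comment beside one that follows the corrected docs and the scanner's own rule `passed = score < 50 && !hasCritical`. The `score` values and the two sample runs come from the verification above; the `findings` array with a `severity` field is an assumed report shape used only for illustration.

```javascript
// Constructed sample reports mirroring the two verification runs on the page.
// The `findings`/`severity` shape is an assumption, not the scanner's real output.
const vulnerableReport = { score: 100, findings: [{ id: "F1", severity: "critical" }] };
const secureReport = { score: 0, findings: [] };
// Edge case: a low score that still carries a critical finding.
const lowScoreCriticalReport = { score: 30, findings: [{ id: "F2", severity: "critical" }] };

// Gate as written from the OLD README comment ("lower = riskier"):
// it treats a high score as safe, so the riskiest config sails through.
function invertedGate(report) {
  return report.score >= 50; // wrong: passes score 100, blocks score 0
}

// Gate matching the corrected docs and the rule quoted from src/scanner.ts:
// higher = riskier, and any critical finding fails regardless of score.
function correctedGate(report) {
  const hasCritical = report.findings.some((f) => f.severity === "critical");
  return report.score < 50 && !hasCritical;
}

// Map the verdict to a process exit code, the way a --exit-code style
// CI step would consume it (0 = pass, 1 = fail).
function exitCodeFor(report) {
  return correctedGate(report) ? 0 : 1;
}

console.log("inverted gate passes vulnerable config:", invertedGate(vulnerableReport)); // true (bug)
console.log("corrected gate passes vulnerable config:", correctedGate(vulnerableReport)); // false
console.log("corrected gate passes secure config:", correctedGate(secureReport)); // true
console.log("low score but critical finding passes:", correctedGate(lowScoreCriticalReport)); // false
```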