feat: send commit SHA with scan dispatch

README.md

@@ -20,21 +20,25 @@ pensar status <scan-id>
 
 ### Options
 
-| Option              | Description                                           |
-| ------------------- | ----------------------------------------------------- |
-| `-p, --project`     | Project ID (or set `PENSAR_PROJECT_ID`)               |
-| `-b, --branch`      | Branch to pentest                                     |
-| `-l, --level`       | Pentest level: `priority` or `full`                   |
-| `-e, --environment` | Target environment: `dev`, `staging`, or `production` |
-| `--no-wait`         | Don't wait for pentest to complete                    |
+| Option              | Description                                                                 |
+| ------------------- | --------------------------------------------------------------------------- |
+| `-p, --project`     | Project ID (or set `PENSAR_PROJECT_ID`)                                     |
+| `-b, --branch`      | Branch to pentest                                                           |
+| `-l, --level`       | Pentest level: `priority` or `full`                                         |
+| `-e, --environment` | Target environment: `dev`, `staging`, or `production`                       |
+| `-c, --commit`      | Commit SHA (auto-detected from CI env vars, or set `PENSAR_COMMIT_SHA`)     |
+| `-s, --severity`    | Minimum severity threshold to error on (or set `PENSAR_ERROR_SEVERITY_THRESHOLD`) |
+| `--no-wait`         | Don't wait for pentest to complete                                          |
 
 ## Environment Variables
 
-| Variable             | Description                                            |
-| -------------------- | ------------------------------------------------------ |
-| `PENSAR_API_KEY`     | Your Pensar API key                                    |
-| `PENSAR_PROJECT_ID`  | Your Pensar project ID                                 |
-| `PENSAR_ENVIRONMENT` | Target environment (`dev`, `staging`, or `production`) |
+| Variable                         | Description                                            |
+| -------------------------------- | ------------------------------------------------------ |
+| `PENSAR_API_KEY`                 | Your Pensar API key                                    |
+| `PENSAR_PROJECT_ID`              | Your Pensar project ID                                 |
+| `PENSAR_ENVIRONMENT`             | Target environment (`dev`, `staging`, or `production`) |
+| `PENSAR_COMMIT_SHA`              | Commit SHA override (auto-detected from `GITHUB_SHA`, `CI_COMMIT_SHA`, `BITBUCKET_COMMIT`) |
+| `PENSAR_ERROR_SEVERITY_THRESHOLD`| Minimum severity to trigger a non-zero exit (`critical`, `high`, `medium`, `low`, `info`) |
 
 ## CI/CD Integration
 

src/bin/index.ts

@@ -20,6 +20,10 @@ program
   .option("-l, --level <level>", "Pentest level: priority or full", "full")
   .option("--no-wait", "Don't wait for pentest to complete")
   .option("-e, --environment <env>", "Environment: dev, staging, or production")
+  .option(
+    "-c, --commit <sha>",
+    "Commit SHA (auto-detected from GITHUB_SHA, CI_COMMIT_SHA, BITBUCKET_COMMIT, or PENSAR_COMMIT_SHA)"
+  )
   .option(
     "-s, --severity <severity>",
     "Minimum severity threshold to trigger error (critical, high, medium, low, info). Or set PENSAR_ERROR_SEVERITY_THRESHOLD env var.",
@@ -48,6 +52,7 @@ program
         wait: options.wait,
         environment: options.environment as Environment | undefined,
         errorSeverityThreshold: severityThreshold,
+        commitSha: options.commit,
       });
 
       if (result.status === "completed") {

src/lib/ci.ts

@@ -33,6 +33,16 @@ export function getEnvironmentEnvVar(): Environment {
   return (process.env.PENSAR_ENVIRONMENT as Environment) ?? null;
 }
 
+export function getCommitShaEnvVar(): string | undefined {
+  return (
+    process.env.GITHUB_SHA ??
+    process.env.CI_COMMIT_SHA ??
+    process.env.BITBUCKET_COMMIT ??
+    process.env.PENSAR_COMMIT_SHA ??
+    undefined
+  );
+}
+
 export function getErrorSeverityThresholdEnvVar(): SeverityLevel {
   const value = process.env.PENSAR_ERROR_SEVERITY_THRESHOLD;
   if (!value) return 'critical'; // Default to critical
@@ -123,6 +133,7 @@ export interface DispatchScanParams {
   branch?: string;
   scanLevel?: "priority" | "full";
   environment?: Environment;
+  commitSha?: string;
 }
 
 export async function dispatchScan(
@@ -148,6 +159,7 @@ export async function dispatchScan(
         : { repoId: params.repoId }),
       branch: params.branch,
       scanLevel: params.scanLevel,
+      commitSha: params.commitSha,
     }),
   });
 
@@ -249,6 +261,7 @@ export interface RunScanParams {
   wait?: boolean;
   pollIntervalMs?: number;
   errorSeverityThreshold?: SeverityLevel;
+  commitSha?: string;
 }
 
 export async function runScan(params: RunScanParams = {}): Promise<ScanStatus> {
@@ -257,6 +270,7 @@ export async function runScan(params: RunScanParams = {}): Promise<ScanStatus> {
   const repoId = params.repoId ?? getRepoIdEnvVar();
   const environment = params.environment ?? getEnvironmentEnvVar();
   const wait = params.wait ?? true;
+  const commitSha = params.commitSha ?? getCommitShaEnvVar();
 
   if (!projectId && !repoId) {
     throw new Error(
@@ -274,6 +288,7 @@ export async function runScan(params: RunScanParams = {}): Promise<ScanStatus> {
     branch: params.branch,
     scanLevel: params.scanLevel,
     environment,
+    commitSha,
   });
 
   console.log(`Pentest ${label} dispatched (ID: ${scanId})`);

src/lib/gitlab.ts

@@ -13,6 +13,9 @@ function getGitLabEnvVars() {
   // GitLab CI provides the branch name in CI_COMMIT_REF_NAME
   const branch = process.env.CI_COMMIT_REF_NAME ?? undefined;
 
+  // GitLab CI provides the commit SHA in CI_COMMIT_SHA
+  const commitSha = process.env.CI_COMMIT_SHA ?? undefined;
+
   // Check if we should wait for completion
   const wait = process.env.PENSAR_WAIT !== "false";
 
@@ -27,6 +30,7 @@ function getGitLabEnvVars() {
     environment,
     wait,
     scanLevel,
+    commitSha,
   };
 }
 
@@ -35,7 +39,7 @@ function getGitLabEnvVars() {
  */
 export async function runScan(): Promise<void> {
   try {
-    const { apiKey, projectId, branch, environment, wait, scanLevel } =
+    const { apiKey, projectId, branch, environment, wait, scanLevel, commitSha } =
       getGitLabEnvVars();
 
     console.log("Starting Pensar security pentest from GitLab CI...");
@@ -47,6 +51,7 @@ export async function runScan(): Promise<void> {
       scanLevel,
       environment,
       wait,
+      commitSha,
     });
 
     if (result.status === "completed") {