
CLI-563 SCA hook: add integrate git option #357

Open

georgii-borovinskikh-sonarsource wants to merge 7 commits into master from gb/sca-integrate

Conversation

georgii-borovinskikh-sonarsource (Contributor) commented Jun 2, 2026

Part of CLI-541


Summary by Gitar

  • CLI enhancements:
    • Added --with-dependency-risks and -p, --project options to integrate git command.
    • Restricted --with-dependency-risks to pre-push hooks and enforced project key validation.
  • Feature integration:
    • Implemented SCA scanner binary installation for pre-push hooks.
    • Added mandatory server-side validation for project existence and SCA capability during pre-push setup.
  • Resource management:
    • Updated textSnippet to support legacyStartMarkers, enabling smooth migration of existing hook markers.
  • New utilities:
    • Added project-key.ts for standardized validation of project keys.


sonarqubecloud Bot commented Jun 2, 2026

Agentic Analysis: Early Results

Agentic Analysis and Context Augmentation are available on your project. Here are some issues that could have been prevented. Follow the links to learn how to put them into action.

3 issue(s) found across 2 file(s):

Rule             File                                                          Line  Message
typescript:S109  tests/unit/cli/commands/integrate/git/integrate-git.test.ts    99   No magic number: 401.
typescript:S109  tests/unit/lib/project-key.test.ts                             31   No magic number: 400.
typescript:S109  tests/unit/lib/project-key.test.ts                             39   No magic number: 401.

Analyzed by SonarQube Agentic Analysis in 6.6 s

hashicorp-vault-sonar-prod Bot changed the title "SCA hook: add integrate git option" to "CLI-563 SCA hook: add integrate git option" Jun 2, 2026

hashicorp-vault-sonar-prod Bot commented Jun 2, 2026

CLI-563

Comment thread src/cli/commands/integrate/git/index.ts
gitar-bot Bot commented Jun 3, 2026

Code Review ✅ Approved (1 resolved / 1 findings)

Integrates SCA functionality into the git command with new project key validation and marker support. Adds user feedback for skipped dependency risks, resolving the previous silent failure issue.

✅ 1 resolved
Quality: No user feedback when dependency-risks is silently skipped

📄 src/cli/commands/integrate/git/index.ts:343-346
When resolveProjectKey returns null (user cancels the prompt), installDepRisks becomes false and the integration proceeds without dependency-risks scanning but prints no message explaining why. The user explicitly opted into dep-risks via the confirm prompt but then cancelled the project-key prompt — they may be confused about what was actually installed.

Consider adding a brief info/warn message when depRisksEnabled && projectKey == null, e.g.:

if (depRisksEnabled && projectKey == null) {
  warn('Skipping dependency-risks scanning (no project key provided).');
  blank();
}
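The rules the PR summary and the Gitar finding describe (the option is accepted only for pre-push hooks, it needs a project key from -p/--project or a prompt, and a cancelled prompt must not silently drop SCA) can be modelled as one pure decision function. The TypeScript below is an added illustration, not code from this PR or from the sonar CLI repository; the names decideDepRisks, DepRisksInput, HookType and promptForProjectKey are assumptions, and the key-format check is a local stand-in for whatever validation the PR's project-key.ts performs against the server.

```typescript
// Added example, not the PR's code. Models the documented behaviour of
// `integrate git --with-dependency-risks`:
//   1. the option is only accepted when installing a pre-push hook;
//   2. it requires a project key, taken from -p/--project or from a prompt;
//   3. if the user cancels the prompt, SCA is skipped and the user is told why
//      (the Gitar finding above).
// All type and function names here are assumptions for illustration.

export type HookType = 'pre-commit' | 'pre-push';

export interface DepRisksInput {
  hook: HookType;
  withDependencyRisks: boolean;      // user passed --with-dependency-risks
  projectKey: string | null;         // -p/--project value, or null when absent
  // Stands in for the interactive prompt; returns null when the user cancels.
  promptForProjectKey: () => string | null;
}

export interface DepRisksDecision {
  installDepRisks: boolean;
  projectKey: string | null;
  warnings: string[];                // messages the CLI should print before continuing
}

// Local format check only (assumption): letters, digits, '-', '_', '.', ':'
// and at least one non-digit. The PR's own project-key.ts additionally
// validates the key against the server, which this example does not do.
const PROJECT_KEY_CHARS = /^[A-Za-z0-9\-_.:]+$/;
const HAS_NON_DIGIT = /[^0-9]/;

export function isValidProjectKey(key: string): boolean {
  return PROJECT_KEY_CHARS.test(key) && HAS_NON_DIGIT.test(key);
}

export function decideDepRisks(input: DepRisksInput): DepRisksDecision {
  const warnings: string[] = [];

  // Option not requested: nothing to decide, pass the key through untouched.
  if (!input.withDependencyRisks) {
    return { installDepRisks: false, projectKey: input.projectKey, warnings };
  }

  // Rule 1: dependency-risk scanning is wired into the pre-push hook only.
  if (input.hook !== 'pre-push') {
    throw new Error('--with-dependency-risks is only supported for pre-push hooks');
  }

  // Rule 2: an explicitly supplied key must be well-formed.
  let key = input.projectKey;
  if (key !== null && !isValidProjectKey(key)) {
    throw new Error(`Invalid project key: ${key}`);
  }

  // No key on the command line: ask for one.
  if (key === null) {
    key = input.promptForProjectKey();
    // Rule 3: a cancelled prompt disables SCA, but never silently.
    if (key === null) {
      warnings.push('Skipping dependency-risks scanning (no project key provided).');
      return { installDepRisks: false, projectKey: null, warnings };
    }
    if (!isValidProjectKey(key)) {
      throw new Error(`Invalid project key: ${key}`);
    }
  }

  return { installDepRisks: true, projectKey: key, warnings };
}
```

Keeping the decision separate from the prompt and from the printing makes the cancelled-prompt branch directly testable, which is the case the Gitar finding says was missing feedback.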

sonarqubecloud Bot commented Jun 3, 2026

georgii-borovinskikh-sonarsource marked this pull request as ready for review June 3, 2026 09:46
georgii-borovinskikh-sonarsource force-pushed the gb/sca-hook branch 4 times, most recently from 8383537 to 491e3a6 June 4, 2026 07:30
Base automatically changed from gb/sca-hook to master June 4, 2026 10:44