What happened
When deepsec scan --matchers includes an unknown matcher slug, deepsec silently ignores the unknown slug and scans with only the known matchers. This makes an invalid scan request look successful.
Reproduction
deepsec scan \
--project-id matcher-repro \
--root fixtures/vulnerable-app \
--matchers xss,does-not-exist
Expected vs actual
Expected: deepsec should fail clearly and name the unknown matcher slug.
Actual: deepsec runs only the xss matcher, completes successfully, and exits 0.
Environment
- deepsec version (
pnpm deepsec --version):
- Node version (
node --version):
- OS: Linux (Ubuntu) through WSL (Win 11)
- Agent backend (
claude-agent-sdk / codex): N/A
- Model: N/A
Logs
xss: 2 match(es)
Scan complete
EXIT_STATUS=0
What happened
When
deepsec scan --matchersincludes an unknown matcher slug, deepsec silently ignores the unknown slug and scans with only the known matchers. This makes an invalid scan request look successful.Reproduction
Expected vs actual
Expected: deepsec should fail clearly and name the unknown matcher slug.
Actual: deepsec runs only the xss matcher, completes successfully, and exits 0.
Environment
pnpm deepsec --version):node --version):claude-agent-sdk/codex): N/ALogs
xss: 2 match(es)
Scan complete
EXIT_STATUS=0