Scan files for security vulnerabilities and misconfigurations using Symbiotic Security CLI.
The tool automatically installs the scanner binary and returns JSON results with vulnerability findings.

CRITICAL USAGE RULE:
- ALWAYS call this tool AFTER any file create/edit/write operations
- Should be included in todo lists when file operations are planned
- Validates that new/modified code meets security standards

Example todo structure:
1. Load security guardrails (ALWAYS FIRST)
2. Create authentication service
3. Write login endpoint
4. Scan modified files for vulnerabilities (ALWAYS AFTER FILE OPS)

IMPORTANT: You MUST automatically determine the scan type from the file extension. Several extensions appear in more than one list below (.yaml/.yml/.json across IaC formats; .ts/.py/.go/.cs under both Pulumi and application code), so where the extension alone is ambiguous, decide from the file's contents:

Infrastructure Scan - Use when scanning these file types:
- Terraform: .tf, .tfvars, .tf.json
- CloudFormation: .yaml, .yml, .json (AWS CloudFormation templates)
- Kubernetes: .yaml, .yml (K8s manifests, Helm charts)
- Docker: Dockerfile, docker-compose.yml, .dockerignore
- Ansible: .yaml, .yml (playbooks, roles)
- Pulumi: .ts, .py, .go, .cs (only when the file is a Pulumi program, e.g. it imports the Pulumi SDK; otherwise these extensions are application code, see Code Scan below)

Code Scan - Use for application source code files:
- Python: .py
- JavaScript/TypeScript: .js, .ts, .jsx, .tsx
- Java: .java
- Go: .go
- C/C++: .c, .cpp, .h, .hpp
- C#: .cs
- Ruby: .rb
- PHP: .php
- And other application code files

Commands:

1. For Infrastructure as Code files:
   securityscan(args: ["infra", "scan", "/path/to/file/or/directory", "--origin", "symbiotic_code"])

2. For Application Code files:
   securityscan(args: ["code", "scan", "/path/to/file/or/directory", "--origin", "symbiotic_code"])

3. For AI-powered remediation (after a scan reports a finding; fill the placeholders from that finding):
   securityscan(args: ["airemediate", "remediate", "<PROJECT_DIR>", "<RULE_ID>", "<FILE_PATH>", "<START_LINE>", "<END_LINE>", "<START_COL>", "<END_COL>", "<LANGUAGE>"])

4. To explain why a finding might be a false positive:
   securityscan(args: ["airemediate", "fp_reason", "<PROJECT_DIR>", "<RULE_ID>", "<FILE_PATH>", "<START_LINE>", "<END_LINE>", "<START_COL>", "<END_COL>", "<LANGUAGE>"])
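The scan-type rules above leave some extensions ambiguous, so an agent needs a deterministic way to pick "infra" or "code" before building the command-1 or command-2 argument list. The following is an added example (not part of the Symbiotic Security CLI or its documentation) that encodes the page's extension rules and resolves the ties by file content. The tie-breaking markers are assumptions: Pulumi SDK import forms for each language, and the top-level keys of a CloudFormation template. The argument lists it returns are exactly those shown in commands 1 and 2.

```python
import json
import re
from pathlib import Path
from typing import List, Optional

# Extension rules as listed on this page.
TERRAFORM_EXTENSIONS = {".tf", ".tfvars"}          # plus the two-part ".tf.json"
DOCKER_NAMES = {"docker-compose.yml", "docker-compose.yaml", ".dockerignore"}
YAML_EXTENSIONS = {".yaml", ".yml"}                # CloudFormation, Kubernetes, Ansible
CODE_EXTENSIONS = {".py", ".js", ".ts", ".jsx", ".tsx", ".java", ".go",
                   ".c", ".cpp", ".h", ".hpp", ".cs", ".rb", ".php"}
# Extensions the page lists under BOTH Pulumi (infra) and application code.
PULUMI_CANDIDATES = {".ts", ".py", ".go", ".cs"}

# Content markers used to break the ties. These are assumptions, not rules
# from the page: the Pulumi SDK import forms per language, and the top-level
# keys a CloudFormation template carries.
PULUMI_MARKER = re.compile(
    r"@pulumi/|^\s*import pulumi|github\.com/pulumi/|^\s*using Pulumi", re.M
)
CFN_KEYS = {"AWSTemplateFormatVersion", "Resources"}


def classify(path: str, content: str) -> Optional[str]:
    """Return "infra", "code", or None when neither scan type applies."""
    name = Path(path).name
    lower = name.lower()
    ext = Path(path).suffix.lower()

    # Docker and Terraform are decided by file name alone.
    if name.startswith("Dockerfile") or lower in DOCKER_NAMES:
        return "infra"
    if lower.endswith(".tf.json") or ext in TERRAFORM_EXTENSIONS:
        return "infra"

    # YAML is only ever listed as infrastructure on this page.
    if ext in YAML_EXTENSIONS:
        return "infra"

    # JSON is infra only when it is a CloudFormation template; other JSON
    # (package.json, lockfiles, data) is covered by neither scan type.
    if ext == ".json":
        try:
            doc = json.loads(content)
        except ValueError:
            return None
        if isinstance(doc, dict) and CFN_KEYS.intersection(doc):
            return "infra"
        return None

    # Ambiguous source extensions: a Pulumi program is infra, any other
    # file with the same extension is application code.
    if ext in PULUMI_CANDIDATES and PULUMI_MARKER.search(content):
        return "infra"
    if ext in CODE_EXTENSIONS:
        return "code"
    return None


def build_scan_args(path: str, content: str) -> Optional[List[str]]:
    """Assemble the argument list for command 1 or 2 above, or None."""
    scan_type = classify(path, content)
    if scan_type is None:
        return None
    return [scan_type, "scan", path, "--origin", "symbiotic_code"]


if __name__ == "__main__":
    # Constructed sample files; contents are illustrative only.
    samples = {
        "infra/main.tf": 'resource "aws_s3_bucket" "b" {}',
        "k8s/deploy.yaml": "apiVersion: apps/v1\nkind: Deployment\n",
        "cfn/stack.json": '{"AWSTemplateFormatVersion": "2010-09-09", "Resources": {}}',
        "package.json": '{"name": "svc", "version": "1.0.0"}',
        "pulumi/index.ts": 'import * as pulumi from "@pulumi/pulumi";',
        "src/index.ts": "export const handler = () => 1;",
        "src/app.py": "import flask\n",
    }
    for sample_path, body in samples.items():
        print(f"{sample_path:20} -> {build_scan_args(sample_path, body)}")
```

Files that classify as None (Markdown, plain JSON data, unparseable JSON) are skipped rather than forced into a scan type; a scan on a directory, as shown in the commands, still covers everything the scanner itself recognises.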

FLAGGING FALSE POSITIVES:

When you are certain that a scan finding is a false positive, suppress it in future scans by adding a comment on the line directly above the flagged line, in that language's comment syntax, with the pattern (RULE_ID is the finding's rule identifier exactly as the scan reported it):
  nosymbiotic <RULE_ID> -fp -- [reason for false positive]
Always give a reason: the comment is a standing exception that later reviewers will need to judge. If you are not certain, run the fp_reason command (4 above) before suppressing anything.

Examples:
JavaScript:
  // nosymbiotic SYM_JSTS_0102 -fp -- path is application-controlled, not user input
  await fs.rename(extractedBinaryPath, binaryPath);

Python:
  # nosymbiotic SYM_PY_0042 -fp -- input validated by pydantic schema before reaching this point
  user_data = json.loads(request_body)
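Because each suppression comment permanently hides a finding, it is worth being able to list them and spot the ones with no reason or with no code beneath them. The following is an added example (not part of the Symbiotic Security CLI) that parses the nosymbiotic pattern above from source text. The accepted comment leaders, the next-non-blank-line rule for the covered statement, and the sample source with its SYM_EXAMPLE_0001 placeholder rule ID are all assumptions made for the example.

```python
import re
from typing import Dict, List

# Shape of the suppression comment described on this page:
#   nosymbiotic <RULE_ID> -fp -- [reason]
# The comment leader differs per language (// # -- ; /* <!--), so it is
# matched loosely; the marker itself must sit at the start of the comment.
SUPPRESSION_RE = re.compile(
    r"^\s*(?:#|//|--|;|/\*|<!--)?\s*"
    r"nosymbiotic\s+(?P<rule>[A-Za-z][A-Za-z0-9_]*)\s+-fp"
    r"(?:\s+--\s*(?P<reason>.*?))?"
    r"\s*(?:\*/|-->)?\s*$"
)


def audit_suppressions(source: str) -> List[Dict[str, object]]:
    """Return one record per nosymbiotic -fp comment found in source.

    Each record holds the 1-based line number, the rule ID, the reason (None
    when absent or empty), the statement the suppression covers (the next
    non-blank line, since the comment goes on the line above the finding),
    and a list of problems: a missing reason, or nothing left to cover.
    """
    lines = source.splitlines()
    records: List[Dict[str, object]] = []
    for idx, line in enumerate(lines):
        match = SUPPRESSION_RE.match(line)
        if not match:
            continue
        reason = (match.group("reason") or "").strip() or None
        target = next((l.strip() for l in lines[idx + 1:] if l.strip()), None)
        problems = []
        if reason is None:
            problems.append("missing reason")
        if target is None:
            problems.append("no code line follows the suppression")
        records.append({
            "line": idx + 1,
            "rule": match.group("rule"),
            "reason": reason,
            "target": target,
            "problems": problems,
        })
    return records


# Constructed sample: the page's JavaScript example, a suppression with no
# reason (SYM_EXAMPLE_0001 is a made-up placeholder ID), and a dangling one.
SAMPLE_JS = """\
const fs = require("fs/promises");

// nosymbiotic SYM_JSTS_0102 -fp -- path is application-controlled, not user input
await fs.rename(extractedBinaryPath, binaryPath);

// nosymbiotic SYM_EXAMPLE_0001 -fp
const data = JSON.parse(body);

// nosymbiotic SYM_JSTS_0102 -fp -- left behind after the code below was deleted
"""


if __name__ == "__main__":
    for rec in audit_suppressions(SAMPLE_JS):
        status = "OK" if not rec["problems"] else "; ".join(rec["problems"])
        print(f'line {rec["line"]}: {rec["rule"]} covers {rec["target"]!r}: {status}')
```

Run over a changed file before committing, the audit makes every suppression visible to the reviewer, who can then cross-check the rule ID against the finding it was meant to silence.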