feat: implement environment-aware vulnerability scanning with offline mode for local development

Author: snowdream

.unirtm.toml

@@ -60,14 +60,28 @@ fi
 [tasks."audit:osv"]
 description = 'Generic vulnerability scan across lockfiles'
 run = '''
-for i in 1 2 3; do
-    if unirtm exec -- osv-scanner scan . --config .osv-scanner.toml; then
-        exit 0
-    fi
-    echo "⚠️  osv-scanner failed (likely network timeout). Retrying ($i/3)..."
-    sleep 2
-done
-exit 1
+# Strategy 1: Environment-based routing (Local: Offline, CI: Online)
+if [ "$CI" = "true" ] || [ "$GITHUB_ACTIONS" = "true" ]; then
+    # CI Environment: Call API directly (fast, avoids large DB downloads)
+    for i in 1 2 3; do
+        if unirtm exec -- osv-scanner scan . --config .osv-scanner.toml; then
+            exit 0
+        fi
+        echo "⚠️  osv-scanner (Online) failed. Retrying ($i/3)..."
+        sleep 2
+    done
+    exit 1
+else
+    # Local Environment: Use offline DB to prevent network timeouts
+    for i in 1 2 3; do
+        if unirtm exec -- osv-scanner scan . --config .osv-scanner.toml --offline-vulnerabilities --download-offline-databases; then
+            exit 0
+        fi
+        echo "⚠️  osv-scanner (Offline) failed. Retrying ($i/3)..."
+        sleep 2
+    done
+    exit 1
+fi
 '''
 
 [tasks."audit:npm"]