shield_ast 1.0.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: baa8585d940103a2ffa3e2b7ccd47166dd75d3caebd58b16031d814c1f9a9af1
+  data.tar.gz: 794fb75bf613ea453cc5628cddb7d37d43751f43d215619053958bec757069bf
+SHA512:
+  metadata.gz: b9ca658a73fc85de6ef32f09a4525e8945e558ea52a00362b714ce26dc22162f81ecabd5684bf6e9aea92a51b70f6a0b1bcbad035d977d0eb467940a7339f7b8
+  data.tar.gz: fa30e723c35d87b199e79d7fad982dcb47ac868b04133e85216d6eb3023e902f9a6c2648cef2653118b58ff7b94ff84c55b05692030907a90b92ca58c1e1ae98

data/.idea/.gitignore

@@ -0,0 +1,8 @@
+# Default ignored files
+/shelf/
+/workspace.xml
+# Editor-based HTTP Client requests
+/httpRequests/
+# Datasource local storage ignored files
+/dataSources/
+/dataSources.local.xml

data/.idea/dictionaries/project.xml

@@ -0,0 +1,7 @@
+<component name="ProjectDictionaryState">
+  <dictionary name="project">
+    <words>
+      <w>sast</w>
+    </words>
+  </dictionary>
+</component>

data/.idea/misc.xml

@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectRootManager" version="2" project-jdk-name="rbenv: 3.4.5" project-jdk-type="RUBY_SDK" />
+</project>

data/.idea/modules.xml

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="ProjectModuleManager">
+    <modules>
+      <module fileurl="file://$PROJECT_DIR$/.idea/shield_ast.iml" filepath="$PROJECT_DIR$/.idea/shield_ast.iml" />
+    </modules>
+  </component>
+</project>

data/.idea/shield_ast.iml

@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<module type="RUBY_MODULE" version="4">
+  <component name="ModuleRunConfigurationManager">
+    <shared />
+  </component>
+  <component name="NewModuleRootManager">
+    <content url="file://$MODULE_DIR$">
+      <sourceFolder url="file://$MODULE_DIR$/features" isTestSource="true" />
+      <sourceFolder url="file://$MODULE_DIR$/spec" isTestSource="true" />
+      <sourceFolder url="file://$MODULE_DIR$/test" isTestSource="true" />
+    </content>
+    <orderEntry type="inheritedJdk" />
+    <orderEntry type="sourceFolder" forTests="false" />
+    <orderEntry type="library" scope="PROVIDED" name="ast (v2.4.3, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="bundler (v2.7.1, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="date (v3.4.1, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="diff-lcs (v1.6.2, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="erb (v5.0.2, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="io-console (v0.8.1, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="irb (v1.15.2, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="json (v2.13.2, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="language_server-protocol (v3.17.0.5, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="lint_roller (v1.1.0, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="parallel (v1.27.0, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="parser (v3.3.9.0, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="pp (v0.6.2, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="prettyprint (v0.2.0, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="prism (v1.4.0, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="psych (v5.2.6, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="racc (v1.8.1, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rainbow (v3.1.1, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rake (v13.3.0, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rdoc (v6.14.2, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="regexp_parser (v2.11.0, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="reline (v0.6.2, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rspec (v3.13.1, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rspec-core (v3.13.5, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rspec-expectations (v3.13.5, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rspec-mocks (v3.13.5, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rspec-support (v3.13.4, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rubocop (v1.79.1, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="rubocop-ast (v1.46.0, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="ruby-progressbar (v1.13.0, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="stringio (v3.1.7, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="unicode-display_width (v3.1.4, rbenv: 3.4.5) [gem]" level="application" />
+    <orderEntry type="library" scope="PROVIDED" name="unicode-emoji (v4.0.4, rbenv: 3.4.5) [gem]" level="application" />
+  </component>
+</module>

data/.idea/vcs.xml

@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project version="4">
+  <component name="VcsDirectoryMappings">
+    <mapping directory="" vcs="Git" />
+  </component>
+</project>

data/CHANGELOG.md

@@ -0,0 +1,5 @@
+## [Unreleased]
+
+## [0.1.0] - 2025-08-04
+
+- Initial release

data/CODE_OF_CONDUCT.md

@@ -0,0 +1,132 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and leaders pledge to make participation in our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, caste, color, religion, or sexual
+identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment for our
+community include:
+
+* Demonstrating empathy and kindness toward other people
+* Being respectful of differing opinions, viewpoints, and experiences
+* Giving and gracefully accepting constructive feedback
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the overall
+  community
+
+Examples of unacceptable behavior include:
+
+* The use of sexualized language or imagery, and sexual attention or advances of
+  any kind
+* Trolling, insulting or derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or email address,
+  without their explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+
+## Enforcement Responsibilities
+
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
+
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
+
+## Scope
+
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official email address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at
+[INSERT CONTACT METHOD].
+All complaints will be reviewed and investigated promptly and fairly.
+
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
+
+## Enforcement Guidelines
+
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
+
+### 1. Correction
+
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
+
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
+
+### 2. Warning
+
+**Community Impact**: A violation through a single incident or series of
+actions.
+
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or permanent
+ban.
+
+### 3. Temporary Ban
+
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
+
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
+
+### 4. Permanent Ban
+
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior, harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
+
+**Consequence**: A permanent ban from any sort of public interaction within the
+community.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.1, available at
+[https://www.contributor-covenant.org/version/2/1/code_of_conduct.html][v2.1].
+
+Community Impact Guidelines were inspired by
+[Mozilla's code of conduct enforcement ladder][Mozilla CoC].
+
+For answers to common questions about this code of conduct, see the FAQ at
+[https://www.contributor-covenant.org/faq][FAQ]. Translations are available at
+[https://www.contributor-covenant.org/translations][translations].
+
+[homepage]: https://www.contributor-covenant.org
+[v2.1]: https://www.contributor-covenant.org/version/2/1/code_of_conduct.html
+[Mozilla CoC]: https://github.com/mozilla/diversity
+[FAQ]: https://www.contributor-covenant.org/faq
+[translations]: https://www.contributor-covenant.org/translations

data/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2025 Jose Augusto
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

data/README.md

@@ -0,0 +1,76 @@
+# Shield AST - Application Security Testing CLI
+
+**Shield AST** is a powerful command-line tool for **Application Security Testing**, combining multiple open-source scanners into a single workflow. With `ast`, you can run **SAST** (Static Application Security Testing), **SCA** (Software Composition Analysis), and **IaC** (Infrastructure as Code) analysis quickly and automatically, helping you identify and fix vulnerabilities early in the development lifecycle.
+
+---
+
+## 📦 Requirements
+
+- **Ruby** (version 3.0 or later) must be installed on your system.  
+  You can check your Ruby version with:
+```bash
+ruby -v
+```
+If you don't have Ruby installed, follow the instructions at: [https://www.ruby-lang.org/en/documentation/installation/](https://www.ruby-lang.org/en/documentation/installation/)
+
+---
+
+## 📦 Installation
+
+```bash
+# Install the gem
+gem install ast
+```
+
+---
+
+## 🚀 Usage
+
+```bash
+ast [command] [options]
+```
+
+### Commands
+- **`scan [path]`** – Scans a directory for vulnerabilities. Defaults to the current directory.
+- **`report`** – Generates a detailed report from the last scan.
+- **`help`** – Displays this help message.
+
+### Options
+- **`-s, --sast`** – Run SAST using [Semgrep](https://semgrep.dev).
+- **`-c, --sca`** – Run SCA using [OSV Scanner](https://osv.dev).
+- **`-i, --iac`** – Run IaC analysis using [Semgrep](https://semgrep.dev) with infrastructure rules.
+- **`-o, --output`** – Specify the output format (`json`, `sarif`, `console`).
+- **`-h, --help`** – Show this help message.
+- **`--version`** – Show the AST version.
+
+---
+
+## 📌 Examples
+
+```bash
+# Scan the current directory for all types of vulnerabilities
+ast scan
+
+# Run only SAST and SCA on a specific project folder
+ast scan /path/to/project --sast --sca
+
+# Generate a report in SARIF format
+ast report --output sarif
+```
+
+---
+
+## 🛠 How It Works
+
+AST integrates well-known open-source scanners into a single CLI tool:
+- **SAST** – [Semgrep](https://semgrep.dev) for static code analysis
+- **SCA** – [OSV Scanner](https://osv.dev) for dependency vulnerability scanning
+- **IaC** – [Semgrep](https://semgrep.dev) rules for Infrastructure as Code
+
+This unified approach streamlines security testing, enabling developers to catch security issues earlier in the development process.
+
+---
+
+## 📄 License
+
+Distributed under the MIT License. See the [LICENSE](LICENSE) file for details.

data/Rakefile

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+require "bundler/gem_tasks"
+require "rspec/core/rake_task"
+
+RSpec::Core::RakeTask.new(:spec)
+
+require "rubocop/rake_task"
+
+RuboCop::RakeTask.new
+
+task default: %i[spec rubocop]

data/exe/ast

@@ -0,0 +1,7 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+
+require "shield_ast"
+
+# Call the main service
+ShieldAst::Main.call(ARGV)

data/lib/shield_ast/iac.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+
+require "English"
+require "json"
+
+module ShieldAst
+  class IaC
+    def self.scan(path)
+      # Execute Semgrep with IaC-specific rulesets
+      cmd = "semgrep --config=r/terraform --config=r/kubernetes --config=r/docker --config=r/yaml --json --quiet #{path}"
+      output = `#{cmd}`
+
+      if $CHILD_STATUS.success? && !output.strip.empty?
+        begin
+          report = JSON.parse(output)
+          return { "results" => report["results"] || [] }
+        rescue JSON::ParserError
+          return { "results" => [] }
+        end
+      end
+
+      # Fallback if semgrep fails
+      { "results" => [] }
+    end
+  end
+end

data/lib/shield_ast/runner.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+require_relative "sast"
+require_relative "sca"
+require_relative "iac"
+
+require "json"
+
+module ShieldAst
+  class Runner
+    def self.run(options, path)
+      reports = {}
+
+      if options[:sast]
+        puts "🔍 Running SAST ..."
+        reports[:sast] = SAST.scan(path)
+      end
+
+      if options[:sca]
+        puts "📦 Running SCA ..."
+        reports[:sca] = SCA.scan(path)
+      end
+
+      if options[:iac]
+        puts "☁️ Running IaC ..."
+        reports[:iac] = IaC.scan(path)
+      end
+
+      reports
+    end
+  end
+end

data/lib/shield_ast/sast.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+# lib/shield_ast/sast.rb
+require "json"
+require "open3"
+
+module ShieldAst
+  # Runs SAST analysis using Semgrep.
+  class SAST
+    def self.scan(path)
+      cmd = ["semgrep", "scan", path, "--json", "--disable-version-check"]
+      stdout, stderr, status = Open3.capture3(*cmd)
+
+      if status.success?
+        JSON.parse(stdout)
+      else
+        warn "Semgrep SAST scan failed! Error: #{stderr}"
+        []
+      end
+    rescue JSON::ParserError => e
+      warn "Failed to parse Semgrep output: #{e.message}"
+      []
+    end
+  end
+end

data/lib/shield_ast/sca.rb

@@ -0,0 +1,220 @@
+# frozen_string_literal: true
+
+require "json"
+
+module ShieldAst
+  class SCA
+    def self.scan(path)
+      puts "Scanning path: #{path}" if ENV["DEBUG"]
+
+      if scanner_available?
+        puts "OSV Scanner is available" if ENV["DEBUG"]
+      else
+        puts "OSV Scanner not found in PATH. Please install it first:"
+        puts "go install github.com/google/osv-scanner/cmd/osv-scanner@v1"
+        return { "results" => [] }
+      end
+
+      begin
+        cmd = "osv-scanner scan --format json #{path}"
+        puts "Executing command: #{cmd}" if ENV["DEBUG"]
+
+        output = `#{cmd} 2>&1`
+        exit_code = $?.exitstatus
+
+        puts "Exit code: #{exit_code}" if ENV["DEBUG"]
+        puts "Output: #{output}" if ENV["DEBUG"]
+
+        # OSV Scanner exit codes:
+        # 0: No vulnerabilities found
+        # 1: Vulnerabilities found
+        # 1-126: Vulnerability result related errors
+        # 127: General error
+        # 128: No packages found
+        # 129-255: Non result related errors
+
+        case exit_code
+        when 0
+          { "results" => [] } # No vulnerabilities
+        when 1
+          { "results" => parse_json_output(output) } # Vulnerabilities found
+        when 1..126
+          # Vulnerability related errors, but try to parse results anyway
+          puts "OSV Scanner vulnerability error (exit code: #{exit_code})" if ENV["DEBUG"]
+          { "results" => parse_json_output(output) }
+        when 127
+          # General error, but if we have JSON output, use it
+          if output.include?('{"results"')
+            puts "OSV Scanner completed with general error but has results" if ENV["DEBUG"]
+            { "results" => parse_json_output(output) }
+          else
+            puts "OSV Scanner general error (exit code: #{exit_code})"
+            { "results" => [] }
+          end
+        when 128
+          puts "OSV Scanner found no packages to scan" if ENV["DEBUG"]
+          { "results" => [] }
+        else
+          puts "OSV Scanner non-result error (exit code: #{exit_code})"
+          { "results" => [] }
+        end
+      rescue => e
+        puts "Error running OSV Scanner: #{e.message}"
+        { "results" => [] }
+      end
+    end
+
+    def self.scanner_available?
+      result = system("osv-scanner scan --help > /dev/null 2>&1")
+      puts "Scanner availability check result: #{result}" if ENV["DEBUG"]
+      result
+    end
+
+    def self.parse_json_output(output)
+      json_start = output.index("{")
+      return [] unless json_start
+
+      json_data = JSON.parse(output[json_start..-1])
+      convert_to_shield_format(json_data)
+    rescue JSON::ParserError
+      []
+    end
+
+    def self.convert_to_shield_format(osv_data)
+      results = []
+      scan_results = osv_data["results"] || []
+
+      scan_results.each do |scan_result|
+        packages = scan_result["packages"] || []
+
+        packages.each do |package_data|
+          vulnerabilities = package_data["vulnerabilities"] || []
+
+          vulnerabilities.each do |vuln|
+            results << build_shield_result(vuln, package_data)
+          end
+        end
+      end
+
+      results
+    end
+
+    def self.build_shield_result(vuln, package_data)
+      package_info = package_data["package"] || {}
+      package_name = package_info["name"] || "unknown"
+      package_version = package_info["version"] || "unknown"
+      ecosystem = package_info["ecosystem"] || "unknown"
+
+      vuln_id = vuln["id"] || "unknown"
+      summary = vuln["summary"] || vuln["details"] || "No description available"
+
+      severity = determine_severity(vuln, package_data)
+      file_path = determine_file_path(ecosystem)
+
+      # Extract fixed version info
+      fixed_version = extract_fixed_version(vuln)
+
+      {
+        "title" => "#{vuln_id}: #{package_name}",
+        "severity" => severity,
+        "file" => file_path,
+        "description" => summary,
+        "vulnerable_version" => package_version,
+        "fixed_version" => fixed_version,
+        "path" => file_path,
+        "start" => { "line" => 1 },
+        "extra" => {
+          "message" => "Vulnerable dependency: #{package_name} (#{package_version}) - #{vuln_id}",
+          "severity" => severity,
+          "metadata" => {
+            "category" => "security",
+            "subcategory" => "vulnerable-dependencies",
+            "vulnerability_id" => vuln_id,
+            "package" => {
+              "name" => package_name,
+              "ecosystem" => ecosystem,
+              "vulnerable_version" => package_version,
+              "fixed_version" => fixed_version
+            }
+          }
+        }
+      }
+    end
+
+    def self.extract_fixed_version(vuln)
+      # Try to find fixed version in affected ranges
+      if vuln["affected"] && vuln["affected"].is_a?(Array)
+        vuln["affected"].each do |affected|
+          if affected["ranges"] && affected["ranges"].is_a?(Array)
+            affected["ranges"].each do |range|
+              if range["events"] && range["events"].is_a?(Array)
+                # Look for "fixed" events
+                fixed_event = range["events"].find { |event| event["fixed"] }
+                return fixed_event["fixed"] if fixed_event
+              end
+            end
+          end
+
+          # Also check database_specific for fixed version
+          if affected["database_specific"] && affected["database_specific"]["last_affected"]
+            return ">" + affected["database_specific"]["last_affected"]
+          end
+        end
+      end
+
+      # Fallback: check database_specific at root level
+      if vuln["database_specific"]
+        return vuln["database_specific"]["fixed_version"] if vuln["database_specific"]["fixed_version"]
+      end
+
+      "Not specified"
+    end
+
+    def self.determine_severity(vuln, package_data)
+      # Check database_specific severity first
+      if vuln.dig("database_specific", "severity")
+        return map_severity(vuln["database_specific"]["severity"])
+      end
+
+      # Check groups max_severity
+      groups = package_data&.dig("groups") || []
+      max_severity = groups.first&.dig("max_severity")
+      return cvss_to_severity(max_severity.to_f) if max_severity
+
+      "WARNING" # Default
+    end
+
+    def self.determine_file_path(ecosystem)
+      case ecosystem&.downcase
+      when "npm", "nodejs" then "package.json"
+      when "pip", "pypi" then "requirements.txt"
+      when "rubygems" then "Gemfile"
+      when "maven" then "pom.xml"
+      when "gradle" then "build.gradle"
+      when "composer" then "composer.json"
+      when "nuget" then "packages.config"
+      when "cargo" then "Cargo.toml"
+      when "go" then "go.mod"
+      else "dependencies"
+      end
+    end
+
+    def self.map_severity(severity)
+      case severity&.to_s&.upcase
+      when "CRITICAL", "HIGH" then "ERROR"
+      when "MEDIUM", "MODERATE" then "WARNING"
+      when "LOW" then "INFO"
+      else "WARNING"
+      end
+    end
+
+    def self.cvss_to_severity(score)
+      case score
+      when 7.0..10.0 then "ERROR"
+      when 4.0..6.9 then "WARNING"
+      when 0.1..3.9 then "INFO"
+      else "WARNING"
+      end
+    end
+  end
+end

data/lib/shield_ast/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module ShieldAst
+  VERSION = "1.0.0"
+end

data/lib/shield_ast.rb

@@ -0,0 +1,237 @@
+# frozen_string_literal: true
+
+require_relative "shield_ast/version"
+require_relative "shield_ast/runner"
+
+require "json"
+
+# Main module for the Shield AST gem.
+module ShieldAst
+  class Error < StandardError; end
+
+  # Main class for the Shield AST command-line tool.
+  # Handles command-line argument parsing and delegates to the Runner.
+  class Main
+    def self.call(args)
+      options = parse_args(args)
+      handle_options(options)
+    end
+
+    private_class_method def self.handle_options(options)
+      if options[:help]
+        show_help
+      elsif options[:version]
+        puts "Shield AST version #{ShieldAst::VERSION}"
+      elsif options[:command] == "scan"
+        run_scan(options)
+      elsif options[:command] == "report"
+        puts "Generating report... (not yet implemented)"
+      else
+        puts "Invalid command. Use 'ast help' for more information."
+        show_help
+      end
+    end
+
+    private_class_method def self.run_scan(options)
+      path = options[:path] || Dir.pwd
+      options = apply_default_scanners(options)
+
+      puts "🚀 Starting scan ..."
+      start_time = Time.now
+
+      reports = Runner.run(options, path) || {}
+
+      end_time = Time.now
+      execution_time = end_time - start_time
+
+      display_reports(reports, execution_time)
+    end
+
+    private_class_method def self.apply_default_scanners(options)
+      options.tap do |o|
+        if !o[:sast] && !o[:sca] && !o[:iac]
+          o[:sast] = true
+          o[:sca] = true
+          o[:iac] = true
+        end
+      end
+    end
+
+    private_class_method def self.display_reports(reports, execution_time)
+      total_issues = 0
+
+      reports.each do |type, report_data|
+        results = report_data["results"] || []
+        total_issues += results.length
+
+        next if results.empty?
+
+        puts "\n#{get_scan_icon(type)} #{type.to_s.upcase} (#{results.length} #{results.length == 1 ? "issue" : "issues"})"
+        puts "-" * 60
+
+        format_report(results, type)
+      end
+
+      puts "\n✅ Scan finished in: #{format_duration(execution_time)}"
+
+      if total_issues.zero?
+        puts "✅ No security issues found! Your code looks clean."
+      else
+        severity_summary = calculate_severity_summary(reports)
+        puts "📊 Total: #{total_issues} findings #{severity_summary}"
+      end
+    end
+
+    private_class_method def self.format_report(results, scan_type)
+      results.each_with_index do |result, index|
+        if scan_type == :sca && has_sca_format?(result)
+          format_sca_result(result)
+        else
+          format_default_result(result)
+        end
+        puts "" if index < results.length - 1 # Add spacing between items, but not after last
+      end
+    end
+
+    # Helper methods for better formatting
+    private_class_method def self.get_severity_icon(severity)
+      case severity&.upcase
+      when "ERROR" then "🔴"
+      when "WARNING" then "🟡"
+      when "INFO" then "🔵"
+      else "⚪"
+      end
+    end
+
+    private_class_method def self.get_scan_icon(scan_type)
+      case scan_type
+      when :sast then "🔍"
+      when :sca then "📦"
+      when :iac then "☁️"
+      else "🛡️"
+      end
+    end
+
+    private_class_method def self.extract_short_description(result)
+      description = result["extra"]["message"].gsub("\n", " ").strip
+      if description.length > 80
+        "#{description[0..80]}..."
+      else
+        description
+      end
+    end
+
+    private_class_method def self.calculate_severity_summary(reports)
+      error_count = 0
+      warning_count = 0
+      info_count = 0
+
+      reports.each_value do |report_data|
+        (report_data["results"] || []).each do |result|
+          severity = result["severity"] || result.dig("extra", "severity")
+          case severity&.upcase
+          when "ERROR" then error_count += 1
+          when "WARNING" then warning_count += 1
+          when "INFO" then info_count += 1
+          end
+        end
+      end
+
+      parts = []
+      parts << "#{error_count} 🔴" if error_count.positive?
+      parts << "#{warning_count} 🟡" if warning_count.positive?
+      parts << "#{info_count} 🔵" if info_count.positive?
+
+      "(#{parts.join(", ")})"
+    end
+
+    private_class_method def self.format_duration(seconds)
+      if seconds < 1
+        "#{(seconds * 1000).round}ms"
+      elsif seconds < 60
+        "#{seconds.round(1)}s"
+      else
+        minutes = (seconds / 60).floor
+        remaining_seconds = (seconds % 60).round
+        "#{minutes}m #{remaining_seconds}s"
+      end
+    end
+
+    private_class_method def self.has_sca_format?(result)
+      result.key?("title") && result.key?("description") &&
+      result.key?("vulnerable_version") && result.key?("fixed_version")
+    end
+
+    private_class_method def self.format_sca_result(result)
+      severity_icon = get_severity_icon(result['severity'])
+      puts "  #{severity_icon} #{result["title"]} (#{result["vulnerable_version"]} → #{result["fixed_version"]})"
+      puts "     📁 #{result["file"]} | #{result["description"][0..80]}#{result["description"].length > 80 ? "..." : ""}"
+    end
+
+    private_class_method def self.format_default_result(result)
+      severity_icon = get_severity_icon(result["extra"]["severity"])
+      title = result["extra"]["message"].split(".")[0].strip
+      file_info = "#{File.basename(result["path"])}:#{result["start"]["line"]}"
+
+      puts "  #{severity_icon} #{title}"
+      puts "     📁 #{file_info} | #{extract_short_description(result)}"
+    end
+
+    # Parses command-line arguments to build an options hash.
+    private_class_method def self.parse_args(args)
+      options = { command: nil, path: nil, sast: false, sca: false, iac: false, help: false, version: false }
+
+      args.each do |arg|
+        case arg
+        when "scan" then options[:command] = "scan"
+        when "report" then options[:command] = "report"
+        when "-s", "--sast" then options[:sast] = true
+        when "-c", "--sca" then options[:sca] = true
+        when "-i", "--iac" then options[:iac] = true
+        when "-h", "--help" then options[:help] = true
+        when "--version" then options[:version] = true
+        when /^[^-]/ then options[:path] = arg if options[:command] == "scan" && options[:path].nil?
+        end
+      end
+      options
+    end
+
+    # Displays the help message for the CLI tool.
+    private_class_method def self.show_help
+      puts <<~HELP
+        ast - A powerful command-line tool for Application Security Testing
+
+        Usage:
+          ast [command] [options]
+
+        Commands:
+          scan [path]    Scans a directory for vulnerabilities. Defaults to the current directory.
+          report         Generates a detailed report from the last scan.
+          help           Shows this help message.
+
+        Options:
+          -s, --sast       Run Static Application Security Testing (SAST) with Semgrep.
+          -c, --sca        Run Software Composition Analysis (SCA) with OSV Scanner.
+          -i, --iac        Run Infrastructure as Code (IaC) analysis with Semgrep.
+          -o, --output     Specify the output format (e.g., json, sarif, console).
+          -h, --help       Show this help message.
+          --version        Show the ast version.
+
+        Examples:
+          # Scan the current directory for all types of vulnerabilities
+          ast scan
+
+          # Run only SAST and SCA on a specific project folder
+          ast scan /path/to/project --sast --sca
+
+          # Generate a report in SARIF format
+          ast report --output sarif
+
+        Description:
+          ast is an all-in-one command-line tool that automates security testing by
+          integrating popular open-source scanners for SAST, SCA, and IaC, helping you
+          find and fix vulnerabilities early in the development lifecycle.
+      HELP
+    end
+  end
+end

data/sig/shield_ast.rbs

@@ -0,0 +1,4 @@
+module ShieldAst
+  VERSION: String
+  # See the writing guide of rbs: https://github.com/ruby/rbs#guides
+end

metadata

@@ -0,0 +1,67 @@
+--- !ruby/object:Gem::Specification
+name: shield_ast
+version: !ruby/object:Gem::Version
+  version: 1.0.0
+platform: ruby
+authors:
+- Jose Augusto
+bindir: exe
+cert_chain: []
+date: 1980-01-02 00:00:00.000000000 Z
+dependencies: []
+description: |-
+  Shield AST is an all-in-one command-line tool that automates security testing by integrating
+                        popular open-source scanners for SAST, SCA, and IaC, helping you find and fix vulnerabilities
+                        early in the development lifecycle.
+email:
+- joseaugusto.881@outlook.com
+executables:
+- ast
+extensions: []
+extra_rdoc_files: []
+files:
+- ".idea/.gitignore"
+- ".idea/dictionaries/project.xml"
+- ".idea/misc.xml"
+- ".idea/modules.xml"
+- ".idea/shield_ast.iml"
+- ".idea/vcs.xml"
+- CHANGELOG.md
+- CODE_OF_CONDUCT.md
+- LICENSE.txt
+- README.md
+- Rakefile
+- exe/ast
+- lib/shield_ast.rb
+- lib/shield_ast/iac.rb
+- lib/shield_ast/runner.rb
+- lib/shield_ast/sast.rb
+- lib/shield_ast/sca.rb
+- lib/shield_ast/version.rb
+- sig/shield_ast.rbs
+homepage: https://github.com/JAugusto42/shield_ast
+licenses:
+- MIT
+metadata:
+  allowed_push_host: https://rubygems.org
+  homepage_uri: https://github.com/JAugusto42/shield_ast
+  source_code_uri: https://github.com/JAugusto42/shield_ast
+  changelog_uri: https://github.com/JAugusto42/shield_ast/blob/main/CHANGELOG.md
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.2.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.7.1
+specification_version: 4
+summary: A command-line tool for multi-scanner Application Security Testing.
+test_files: []