zwischen 0.1.0

data/lib/zwischen/reporter/terminal.rb

@@ -0,0 +1,190 @@
+# frozen_string_literal: true
+
+require "colorize"
+require_relative "../finding/finding"
+
+module Zwischen
+  module Reporter
+    class Terminal
+      SEVERITY_COLORS = {
+        "critical" => :red,
+        "high" => :red,
+        "medium" => :yellow,
+        "low" => :blue,
+        "info" => :cyan
+      }.freeze
+
+      SEVERITY_BADGES = {
+        "critical" => "🔴 CRITICAL",
+        "high" => "🔴 HIGH",
+        "medium" => "🟡 MEDIUM",
+        "low" => "🔵 LOW",
+        "info" => "ℹ️  INFO"
+      }.freeze
+
+      def self.report(aggregated_results, ai_enabled: false)
+        new(aggregated_results, ai_enabled: ai_enabled).report
+      end
+
+      def self.report_compact(aggregated_results, config:, ai_enabled: false)
+        new(aggregated_results, ai_enabled: ai_enabled, config: config).report_compact
+      end
+
+      def initialize(aggregated_results, ai_enabled: false, config: nil)
+        @results = aggregated_results
+        @ai_enabled = ai_enabled
+        @config = config
+      end
+
+      # Show paths relative to the working directory when they live under it.
+      # Scanners may emit symlink-resolved absolute paths (/tmp vs /private/tmp
+      # on macOS), so compare against the resolved cwd too.
+      def display_path(path)
+        expanded = File.expand_path(path.to_s)
+        [Dir.pwd, (File.realpath(Dir.pwd) rescue Dir.pwd)].uniq.each do |root|
+          return expanded.delete_prefix("#{root}/") if expanded.start_with?("#{root}/")
+        end
+        path.to_s
+      end
+
+      def report
+        print_summary
+        print_findings
+        exit_code
+      end
+
+      def report_compact
+        blocking_severity = @config&.blocking_severity || "high"
+        findings = @results[:findings]
+
+        # Filter to only blocking findings
+        blocking_findings = findings.select { |f| should_block?(f, blocking_severity) }
+
+        # If no blocking findings, exit silently (exit code 0)
+        return 0 if blocking_findings.empty?
+
+        # Show compact output for blocking findings
+        puts "🛡️  Zwischen: #{blocking_findings.length} issue#{blocking_findings.length == 1 ? '' : 's'} found\n\n"
+
+        blocking_findings.each do |finding|
+          severity_color = SEVERITY_COLORS[finding.severity] || :white
+          severity_label = finding.severity.upcase
+
+          puts "  #{severity_label}".colorize(severity_color) + "  #{display_path(finding.file)}:#{finding.line || '?'}"
+          puts "            #{finding.message}"
+
+          # Show fix suggestion if available
+          if @ai_enabled && finding.raw_data["ai_fix_suggestion"]
+            puts "            → #{finding.raw_data['ai_fix_suggestion']}"
+          end
+
+          puts ""
+        end
+
+        puts "Push blocked. Fix issues above or:"
+        puts "  • Run 'zwischen scan' for full report"
+        puts "  • Run 'git push --no-verify' to skip (not recommended)"
+
+        1 # Exit code 1 = push blocked
+      end
+
+      private
+
+      def print_summary
+        summary = @results[:summary]
+        puts "\n" + "=" * 60
+        puts "Zwischen Security Scan Results".colorize(:bold)
+        puts "=" * 60
+        puts "\nTotal Findings: #{summary[:total]}".colorize(:bold)
+
+        if summary[:by_severity].any?
+          puts "\nBy Severity:"
+          summary[:by_severity].each do |severity, count|
+            color = SEVERITY_COLORS[severity] || :white
+            puts "  #{severity.capitalize}: #{count}".colorize(color)
+          end
+        end
+
+        puts "\n" + "-" * 60
+      end
+
+      def print_findings
+        findings = @results[:findings]
+        return if findings.empty?
+
+        puts "\nFindings:\n\n"
+
+        @results[:grouped].each do |file, file_findings|
+          puts "📄 #{display_path(file)}".colorize(:bold)
+          puts "-" * 60
+
+          file_findings.each do |finding|
+            print_finding(finding)
+          end
+
+          puts "\n"
+        end
+      end
+
+      def print_finding(finding)
+        # Skip false positives if AI analysis marked them
+        if @ai_enabled && finding.raw_data["ai_false_positive"]
+          puts "  ⚠️  [FALSE POSITIVE] #{finding.message}".colorize(:light_black)
+          return
+        end
+
+        severity_color = SEVERITY_COLORS[finding.severity] || :white
+        badge = SEVERITY_BADGES[finding.severity] || finding.severity.upcase
+
+        puts "  #{badge}".colorize(severity_color) + " #{display_path(finding.file)}:#{finding.line || '?'}"
+        puts "    #{finding.message}"
+
+        if finding.rule_id
+          puts "    Rule: #{finding.rule_id}".colorize(:light_black)
+        end
+
+        if finding.code_snippet
+          snippet = finding.code_snippet.split("\n").first(3).join("\n")
+          puts "    Code:".colorize(:light_black)
+          puts "    #{snippet}".colorize(:light_black)
+        end
+
+        # AI recommendations
+        if @ai_enabled && finding.raw_data["ai_fix_suggestion"]
+          puts "    💡 Fix: #{finding.raw_data['ai_fix_suggestion']}".colorize(:green)
+        end
+
+        if @ai_enabled && finding.raw_data["ai_risk_explanation"]
+          puts "    ⚠️  Risk: #{finding.raw_data['ai_risk_explanation']}".colorize(:yellow)
+        end
+
+        puts ""
+      end
+
+      def should_block?(finding, blocking_severity)
+        return false if @ai_enabled && finding.raw_data["ai_false_positive"]
+
+        case blocking_severity
+        when "critical"
+          finding.critical?
+        when "high"
+          finding.critical? || finding.high?
+        when "none"
+          false
+        else
+          # Default: block on high or critical
+          finding.critical? || finding.high?
+        end
+      end
+
+      def exit_code
+        findings = @results[:findings]
+        blocking_severity = @config&.blocking_severity || "high"
+        
+        blocking = findings.any? { |f| should_block?(f, blocking_severity) }
+
+        blocking ? 1 : 0
+      end
+    end
+  end
+end

data/lib/zwischen/scanner/base.rb

@@ -0,0 +1,89 @@
+# frozen_string_literal: true
+
+require "open3"
+require_relative "../installer"
+
+module Zwischen
+  module Scanner
+    class Base
+      attr_reader :name, :command
+
+      ZWISCHEN_BIN_DIR = File.expand_path("~/.zwischen/bin")
+
+      def initialize(name:, command:)
+        @name = name
+        @command = command
+        @executable_path = nil
+      end
+
+      def available?
+        !executable_path.nil?
+      end
+
+      # Find executable in ~/.zwischen/bin or system PATH
+      def executable_path
+        @executable_path ||= find_executable(@command)
+      end
+
+      def find_executable(name)
+        # Check ~/.zwischen/bin first
+        local = File.join(ZWISCHEN_BIN_DIR, name)
+        return local if File.executable?(local)
+
+        # Fall back to system PATH
+        system("which", name, out: File::NULL, err: File::NULL) ? name : nil
+      end
+
+      def scan(project_root = Dir.pwd, files: nil)
+        return [] unless available?
+
+        if files && !files.empty?
+          return scan_files(files, project_root) if respond_to?(:scan_files, true)
+          command = build_command_for_files(files, project_root)
+        else
+          command = build_command(project_root)
+        end
+
+        stdout, stderr, status = Open3.capture3(*command, chdir: project_root)
+
+        # Most security scanners use exit code 0 = clean, 1 = findings found, 2+ = error
+        # We treat both 0 and 1 as success since findings are valid results
+        if status.exitstatus <= 1
+          parse_output(stdout)
+        else
+          warn "Warning: #{@name} scan failed (exit #{status.exitstatus}): #{stderr}" unless stderr.empty?
+          []
+        end
+      rescue StandardError => e
+        warn "Error running #{@name}: #{e.message}"
+        []
+      end
+
+      def parse_output(_output)
+        raise NotImplementedError, "Subclasses must implement parse_output"
+      end
+
+      protected
+
+      def build_command(_project_root)
+        raise NotImplementedError, "Subclasses must implement build_command"
+      end
+
+      def build_command_for_files(_files, _project_root)
+        raise NotImplementedError, "Subclasses must implement build_command_for_files"
+      end
+
+      def read_file_snippet(file_path, line_number, context_lines = 3)
+        return nil unless File.exist?(file_path)
+
+        lines = File.readlines(file_path)
+        start_line = [0, line_number - context_lines - 1].max
+        end_line = [lines.length - 1, line_number + context_lines - 1].min
+
+        lines[start_line..end_line].join
+      rescue StandardError
+        nil
+      end
+    end
+  end
+end

data/lib/zwischen/scanner/gitleaks.rb

@@ -0,0 +1,115 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require "json"
+require_relative "../finding/finding"
+
+module Zwischen
+  module Scanner
+    class Gitleaks < Base
+      def initialize
+        super(name: "gitleaks", command: "gitleaks")
+      end
+
+      def build_command(project_root)
+        [
+          executable_path, "detect",
+          "--source", project_root,
+          "--report-format", "json",
+          "--report-path", "-",
+          "--no-git"
+        ]
+      end
+
+      def scan_files(files, project_root)
+        return [] if files.empty?
+
+        # Gitleaks doesn't have native multi-file support, so we scan each file individually
+        # This is acceptable for pre-push since we typically have only a few changed files
+        findings = []
+
+        files.each do |file|
+          file_path = File.join(project_root, file)
+          next unless File.exist?(file_path)
+
+          command = [
+            executable_path, "detect",
+            "--source", file_path,
+            "--report-format", "json",
+            "--report-path", "-",
+            "--no-git"
+          ]
+
+          stdout, stderr, status = Open3.capture3(*command, chdir: project_root)
+
+          # Gitleaks: exit 0 = clean, exit 1 = findings, exit 2+ = error
+          if status.exitstatus <= 1
+            findings.concat(parse_output(stdout)) unless stdout.strip.empty?
+          elsif status.exitstatus > 1
+            warn "Warning: #{@name} scan failed on #{file} (exit #{status.exitstatus}): #{stderr}" if ENV["DEBUG"]
+          end
+        end
+
+        findings
+      rescue StandardError => e
+        warn "Error running #{@name}: #{e.message}"
+        []
+      end
+
+      def parse_output(output)
+        return [] if output.strip.empty?
+
+        findings = []
+        json_data = JSON.parse(output)
+
+        # Gitleaks returns an array of findings
+        Array(json_data).each do |finding|
+          findings << Zwischen::Finding::Finding.new(
+            type: "secret",
+            scanner: "gitleaks",
+            severity: map_severity(finding["RuleID"]),
+            file: finding["File"],
+            line: finding["StartLine"],
+            message: finding["Description"] || finding["RuleID"] || "Secret detected",
+            rule_id: finding["RuleID"],
+            code_snippet: finding["Secret"],
+            raw_data: finding
+          )
+        end
+
+        findings
+      rescue JSON::ParserError => e
+        warn "Failed to parse Gitleaks output: #{e.message}"
+        []
+      end
+
+      private
+
+      def build_command_for_files(files, project_root)
+        files.map do |file|
+          [
+            executable_path, "detect",
+            "--source", File.join(project_root, file),
+            "--report-format", "json",
+            "--report-path", "-",
+            "--no-git"
+          ]
+        end
+      end
+
+      def map_severity(rule_id)
+        # Gitleaks doesn't provide severity, so we map based on rule type
+        case rule_id.to_s.downcase
+        when /aws.*key|api.*key|private.*key|secret.*key/
+          "critical"
+        when /password|token|credential/
+          "high"
+        when /key|secret/
+          "medium"
+        else
+          "medium"
+        end
+      end
+    end
+  end
+end

data/lib/zwischen/scanner/orchestrator.rb

@@ -0,0 +1,99 @@
+# frozen_string_literal: true
+
+require "pathname"
+require_relative "gitleaks"
+require_relative "semgrep"
+
+module Zwischen
+  module Scanner
+    class Orchestrator
+      def initialize(config:)
+        @config = config
+        @scanners = build_scanners
+      end
+
+      def scan(project_root = Dir.pwd, only: nil, pre_push: false, files: nil)
+        enabled_scanners = select_scanners(only)
+        available_scanners = enabled_scanners.select(&:available?)
+
+        if available_scanners.empty?
+          warn "No scanners available. Run 'zwischen doctor' to check installation." unless pre_push
+          return []
+        end
+
+        # Run scanners in parallel using threads
+        threads = available_scanners.map do |scanner|
+          Thread.new do
+            [scanner.name, scanner.scan(project_root, files: files)]
+          end
+        end
+
+        results = {}
+        threads.each do |thread|
+          scanner_name, findings = thread.value
+          results[scanner_name] = findings
+        end
+
+        # Flatten all findings
+        # Note: In pre-push mode, we pass file lists to scanners when available
+        reject_ignored(results.values.flatten, project_root)
+      end
+
+      def available_scanners
+        @scanners.select(&:available?)
+      end
+
+      def missing_scanners
+        @scanners.reject(&:available?)
+      end
+
+      private
+
+      # Drop findings whose file matches an ignore glob from .zwischen.yml.
+      # Scanner output may use absolute or project-relative paths, so match
+      # against the path relative to project_root.
+      def reject_ignored(findings, project_root)
+        globs = @config.ignored_paths
+        return findings if globs.empty?
+
+        findings.reject do |finding|
+          path = finding.file
+          if File.absolute_path?(path)
+            path = Pathname.new(path).relative_path_from(project_root).to_s rescue path
+          end
+
+          flags = File::FNM_PATHNAME | File::FNM_EXTGLOB
+          globs.any? do |glob|
+            # A trailing "**" under FNM_PATHNAME only matches one path segment;
+            # also try "**/*" so "**/dist/**" covers files nested below dist/.
+            File.fnmatch?(glob, path, flags) ||
+              File.fnmatch?(glob.sub(%r{/\*\*\z}, "/**/*"), path, flags)
+          end
+        end
+      end
+
+      def build_scanners
+        scanners = []
+
+        scanners << Gitleaks.new if @config.scanner_enabled?("gitleaks")
+        scanners << Semgrep.new(config: @config.semgrep_config) if @config.scanner_enabled?("semgrep")
+
+        scanners
+      end
+
+      def select_scanners(only)
+        return @scanners if only.nil? || only.empty?
+
+        only_list = only.split(",").map(&:strip)
+        scanner_map = {
+          "secrets" => "gitleaks",
+          "sast" => "semgrep"
+        }
+
+        selected = only_list.map { |name| scanner_map[name.downcase] }.compact
+
+        @scanners.select { |s| selected.include?(s.name) }
+      end
+    end
+  end
+end

data/lib/zwischen/scanner/semgrep.rb

@@ -0,0 +1,78 @@
+# frozen_string_literal: true
+
+require_relative "base"
+require "json"
+require_relative "../finding/finding"
+
+module Zwischen
+  module Scanner
+    class Semgrep < Base
+      # Use open ruleset that works without Semgrep login
+      DEFAULT_CONFIG = "p/security-audit"
+
+      def initialize(config: DEFAULT_CONFIG)
+        super(name: "semgrep", command: "semgrep")
+        @config = config
+      end
+
+      def build_command(project_root)
+        [executable_path, "--json", *config_args, project_root]
+      end
+
+      def build_command_for_files(files, _project_root)
+        [executable_path, "--json", *config_args, *files]
+      end
+
+      def parse_output(output)
+        return [] if output.strip.empty?
+
+        findings = []
+        json_data = JSON.parse(output)
+
+        # Semgrep returns results in a "results" array
+        Array(json_data["results"]).each do |result|
+          severity = map_severity(result["extra"]&.dig("severity"))
+          
+          findings << Zwischen::Finding::Finding.new(
+            type: "sast",
+            scanner: "semgrep",
+            severity: severity,
+            file: result["path"],
+            line: result["start"]&.dig("line"),
+            message: result.dig("extra", "message") || result["message"] || result["check_id"],
+            rule_id: result["check_id"],
+            code_snippet: result["extra"]&.dig("lines"),
+            raw_data: result
+          )
+        end
+
+        findings
+      rescue JSON::ParserError => e
+        warn "Failed to parse Semgrep output: #{e.message}"
+        []
+      end
+
+      private
+
+      # Accept a comma-separated list of rulesets ("p/security-audit,p/expressjs")
+      def config_args
+        @config.to_s.split(",").map(&:strip).reject(&:empty?).flat_map { |c| ["--config", c] }
+      end
+
+      def map_severity(severity)
+        case severity.to_s.downcase
+        when "error", "critical"
+          "critical"
+        when "warning", "high"
+          "high"
+        when "info", "medium"
+          "medium"
+        when "low"
+          "low"
+        else
+          "medium" # Default for unknown
+        end
+      end
+    end
+  end
+end