@activemind/scd 1.4.0

package/lib/insights-output.js

@@ -0,0 +1,160 @@
+/**
+ * insights-output.js
+ * Terminal-rendering of behavioural analysis from scd insights.
+ */
+
+'use strict';
+const { RESET, BOLD, DIM, RED, GREEN, YELLOW, BLUE, CYAN } = require('./output-constants');
+
+
+function bar(value, max, width = 20, color = CYAN) {
+  const filled = max > 0 ? Math.round((value / max) * width) : 0;
+  return color + '█'.repeat(filled) + DIM + '░'.repeat(width - filled) + RESET;
+}
+
+function pad(str, len) {
+  return String(str).slice(0, len).padEnd(len);
+}
+
+function renderInsights(analysis) {
+  if (analysis.empty) {
+    console.log(`\n${DIM} ℹ️  ${analysis.reason || 'No audit data found. Run scd scan to start collecting data.'}${RESET}\n`);
+    return;
+  }
+
+  const { meta, recurringRules, avoidance, timePatterns,
+          knowledgeGaps, fileHotspots, trend, developers, signals } = analysis;
+
+  // ── Header ──────────────────────────────────────────────────────────────
+  console.log(`\n${CYAN}${BOLD}╔═══════════════════════════════════════════════╗${RESET}`);
+  console.log(`${CYAN}${BOLD}║     Secure Code by Design – Behavior Insights ║${RESET}`);
+  console.log(`${CYAN}${BOLD}╚═══════════════════════════════════════════════╝${RESET}`);
+  console.log(`  ${DIM}Period: ${meta.firstFinding} → ${meta.lastFinding}  ·  ${meta.periodDays} days${RESET}`);
+  console.log(`  ${DIM}Scans: ${meta.totalScans}  ·  Findings: ${meta.totalFindings}  ·  Developers: ${meta.uniqueDevelopers}${RESET}\n`);
+
+  // ── Signals (most important first) ──────────────────────────────────────────
+  if (signals && signals.length > 0) {
+    console.log(`${BOLD}Detected patterns${RESET}`);
+    console.log('─'.repeat(52));
+    for (const s of signals) {
+      console.log(`\n  ${s.level}  ${BOLD}${s.title}${RESET}`);
+      console.log(`     ${DIM}${s.detail}${RESET}`);
+      console.log(`     ${GREEN}→ ${s.action}${RESET}`);
+    }
+    console.log();
+  }
+
+  // ── Trend ────────────────────────────────────────────────────────────────
+  if (trend.signal !== 'INSUFFICIENT_DATA' && trend.weeks?.length > 2) {
+    console.log(`${BOLD}Findings per week (trend)${RESET}`);
+    console.log('─'.repeat(52));
+    const maxVal = Math.max(...trend.weeks.map(w => w.total), 1);
+    for (const w of trend.weeks.slice(-8)) {  // visa max 8 veckor
+      const critStr = w.critical > 0 ? ` ${RED}(${w.critical} CRIT)${RESET}` : '';
+      console.log(`  ${DIM}${w.week}${RESET}  ${bar(w.total, maxVal, 24)}  ${String(w.total).padStart(3)}${critStr}`);
+    }
+    const trendSymbol = trend.signal === 'IMPROVING' ? `${GREEN}↓ Improving${RESET}`
+                      : trend.signal === 'WORSENING' ? `${RED}↑ Worsening${RESET}`
+                      : `${DIM}→ Stable${RESET}`;
+    console.log(`\n  Trend: ${trendSymbol}${trend.trendPct ? ` ${DIM}(${trend.trendPct > 0 ? '+' : ''}${trend.trendPct}%)${RESET}` : ''}\n`);
+  }
+
+  // ── Kunskapsgap ──────────────────────────────────────────────────────────
+  if (knowledgeGaps.gaps.length > 0) {
+    console.log(`${BOLD}Knowledge gaps – OWASP categories${RESET}`);
+    console.log('─'.repeat(52));
+    const maxCat = Math.max(...knowledgeGaps.gaps.map(g => g.count), 1);
+    for (const g of knowledgeGaps.gaps) {
+      const critStr = g.breakdown?.CRITICAL > 0 ? ` ${RED}${g.breakdown.CRITICAL}C${RESET}` : '';
+      const highStr = g.breakdown?.HIGH > 0      ? ` ${YELLOW}${g.breakdown.HIGH}H${RESET}` : '';
+      // Shorten category name for terminal
+      const shortCat = g.category.replace(' (OWASP A0\\d+)', '').replace(/\(OWASP .+?\)/, '').trim();
+      console.log(`  ${pad(shortCat, 38)} ${bar(g.count, maxCat, 12)}  ${String(g.count).padStart(3)} ${DIM}(${g.percent}%)${RESET}${critStr}${highStr}`);
+    }
+    console.log();
+  }
+
+  // ── Recurring rules ───────────────────────────────────────────────────
+  if (recurringRules.length > 0) {
+    console.log(`${BOLD}Recurring rules${RESET}`);
+    console.log('─'.repeat(52));
+    const maxR = Math.max(...recurringRules.map(r => r.count), 1);
+    for (const r of recurringRules.slice(0, 6)) {
+      const sevColor = r.severity === 'CRITICAL' ? RED : r.severity === 'HIGH' ? YELLOW : DIM;
+      const span = r.spanDays > 0 ? ` ${DIM}(${r.spanDays} days)${RESET}` : '';
+      console.log(`  ${sevColor}${pad(r.ruleId, 16)}${RESET}  ${bar(r.count, maxR, 14)}  ${String(r.count).padStart(3)} findings${span}`);
+    }
+    console.log();
+  }
+
+  // ── File hotspots ──────────────────────────────────────────────────────────
+  if (fileHotspots.hotspots.length > 0) {
+    console.log(`${BOLD}File hotspots${RESET}`);
+    console.log('─'.repeat(52));
+    const maxH = Math.max(...fileHotspots.hotspots.map(h => h.count), 1);
+    for (const h of fileHotspots.hotspots) {
+      const critStr = h.critical > 0 ? ` ${RED}${h.critical} CRIT${RESET}` : '';
+      // Show only filename + one level up for readability
+      const parts   = h.file.replace(/\\/g, '/').split('/');
+      const shortFile = parts.length > 2 ? '…/' + parts.slice(-2).join('/') : h.file;
+      console.log(`  ${pad(shortFile, 36)} ${bar(h.count, maxH, 10)}  ${String(h.count).padStart(3)}${critStr}`);
+    }
+    console.log();
+  }
+
+  // ── Time patterns ───────────────────────────────────────────────────────────
+  if (timePatterns.byHour) {
+    console.log(`${BOLD}Time patterns – findings per hour${RESET}`);
+    console.log('─'.repeat(52));
+    const maxHour = Math.max(...timePatterns.byHour, 1);
+    // Show 4-hour buckets for compact output
+    for (let h = 0; h < 24; h += 4) {
+      const bucket  = timePatterns.byHour.slice(h, h + 4).reduce((a, b) => a + b, 0);
+      const isLate  = h >= 20 || h < 4;
+      const label   = `${String(h).padStart(2, '0')}–${String(h + 4).padStart(2, '0')}`;
+      const color   = isLate && bucket > 0 ? YELLOW : DIM;
+      console.log(`  ${color}${label}${RESET}  ${bar(bucket, maxHour * 4, 20)}  ${String(bucket).padStart(3)}`);
+    }
+    if (timePatterns.lateRate > 0) {
+      const lateColor = timePatterns.lateRate >= 20 ? YELLOW : DIM;
+      console.log(`\n  Late-night findings: ${lateColor}${timePatterns.lateRate}%${RESET}  ${DIM}(peak: ${timePatterns.peakHour}:00, ${timePatterns.peakWeekday})${RESET}`);
+    }
+    console.log();
+  }
+
+  // ── Per-developer ─────────────────────────────────────────────────────────
+  if (developers.isTeam) {
+    console.log(`${BOLD}Per developer${RESET}`);
+    console.log('─'.repeat(52));
+    console.log(`  ${DIM}${'Name'.padEnd(20)} ${'Findings'.padEnd(10)} ${'CRITICAL%'.padEnd(11)} Top category${RESET}`);
+    console.log(`  ${'─'.repeat(20)} ${'─'.repeat(9)} ${'─'.repeat(10)} ${'─'.repeat(18)}`);
+    for (const d of developers.developers) {
+      const critColor = d.criticalRate >= 50 ? RED : d.criticalRate >= 25 ? YELLOW : GREEN;
+      const shortCat  = (d.topCategory || '–').replace(/\s*\(OWASP.+?\)/, '').slice(0, 28);
+      console.log(`  ${pad(d.name, 20)} ${String(d.total).padStart(8)}   ${critColor}${String(d.criticalRate).padStart(6)}%${RESET}    ${DIM}${shortCat}${RESET}`);
+    }
+    console.log();
+  }
+
+  // ── Undvikandebeteende ────────────────────────────────────────────────────
+  if (avoidance.totalFindings > 0) {
+    console.log(`${BOLD}Exception handling${RESET}`);
+    console.log('─'.repeat(52));
+    const excColor = avoidance.signal === 'HIGH' ? RED : avoidance.signal === 'MEDIUM' ? YELLOW : GREEN;
+    console.log(`  Excepted:    ${excColor}${avoidance.excepted}${RESET} of ${avoidance.totalFindings} findings ${DIM}(${avoidance.exceptRate}%)${RESET}`);
+    if (avoidance.expiredExceptions > 0) {
+      console.log(`  Expired:      ${RED}${avoidance.expiredExceptions} exceptions have expired – action required${RESET}`);
+    }
+    if (avoidance.topApprovers.length > 0) {
+      const approvers = avoidance.topApprovers.map(a => `${a.key} (${a.count})`).join(', ');
+      console.log(`  Approvers:    ${DIM}${approvers}${RESET}`);
+    }
+    console.log();
+  }
+
+  // ── Footer ────────────────────────────────────────────────────────────────
+  console.log(`${DIM}${'─'.repeat(52)}${RESET}`);
+  console.log(`${DIM}  Run 'scd audit' for event log  ·  'scd report' for full report${RESET}\n`);
+}
+
+module.exports = { renderInsights };

package/lib/installer.js

@@ -0,0 +1,128 @@
+const { RESET, BOLD, DIM, RED, GREEN, YELLOW, CYAN } = require('./output-constants');
+/**
+ * installer.js
+ * Sets up global git hooks that point to the CLI agent.
+ *
+ * After install, ALL repos on this machine are protected automatically.
+ * Uses git config --global core.hooksPath
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+const HOOKS_DIR = path.join(os.homedir(), '.scd', 'hooks');
+const CLI_PATH = path.resolve(__dirname, '../bin/scd.js');
+
+const PRE_COMMIT_HOOK = `#!/bin/sh
+# Secure Code by Design – pre-commit hook
+# Scans for secrets BEFORE they enter git history
+# Installed by: scd install
+
+node "${CLI_PATH}" scan --hook=pre-commit
+exit $?
+`;
+
+const PRE_PUSH_HOOK = `#!/bin/sh
+# Secure Code by Design – pre-push hook
+# Full security scan before code leaves this machine
+# Installed by: scd install
+
+node "${CLI_PATH}" scan --hook=pre-push
+exit $?
+`;
+
+async function install() {
+  console.log('\nCYAN Secure Code by Design – InstallationRESET\n');
+
+  // 1. Create hooks directory
+  fs.mkdirSync(HOOKS_DIR, { recursive: true });
+  console.log(`${GREEN}✅ Hooks directory created:${RESET} ${HOOKS_DIR}`);
+
+  // 2. Write hook files
+  const preCommitPath = path.join(HOOKS_DIR, 'pre-commit');
+  const prePushPath   = path.join(HOOKS_DIR, 'pre-push');
+
+  fs.writeFileSync(preCommitPath, PRE_COMMIT_HOOK, { mode: 0o755 });
+  fs.writeFileSync(prePushPath,   PRE_PUSH_HOOK,   { mode: 0o755 });
+  console.log(`${GREEN}✅ pre-commit hook installed${RESET} (secrets scanning)`);
+  console.log(`${GREEN}✅ pre-push hook installed${RESET} (full OWASP scan)`);
+
+  // 3. Configure git to use our hooks globally
+  try {
+    execSync(`git config --global core.hooksPath "${HOOKS_DIR}"`, { encoding: 'utf8' });
+    console.log(`${GREEN}✅ Git configuredRESET (core.hooksPath → ${HOOKS_DIR})`);
+  } catch (err) {
+    console.error(RED + '❌ Kunde inte konfigurera git:' + RESET, err.message);
+    console.log(YELLOW + '   Run manually:' + RESET + ' git config --global core.hooksPath "' + HOOKS_DIR + '"');
+  }
+
+  console.log('\nGREENBOLD Installation complete!' + RESET);
+  console.log(DIM + ' All git repos on this machine are now protected.' + RESET);
+  console.log('');
+  console.log(DIM + ' By using scd you agree to the disclaimer at:' + RESET);
+  console.log(DIM + ' https://github.com/activemindsolutions/scd/blob/main/DISCLAIMER.md' + RESET);
+  console.log(DIM + ' scd is a static analysis aid — it does not replace penetration testing.' + RESET + '\n');
+}
+
+async function uninstall() {
+
+  console.log(`\n${CYAN} Secure Code by Design – Uninstall${RESET}\n`);
+
+  let anyAction = false;
+
+  // 1. Remove hook files
+  const preCommitPath = path.join(HOOKS_DIR, 'pre-commit');
+  const prePushPath   = path.join(HOOKS_DIR, 'pre-push');
+  let hooksRemoved = false;
+  for (const p of [preCommitPath, prePushPath]) {
+    if (fs.existsSync(p)) {
+      fs.unlinkSync(p);
+      hooksRemoved = true;
+    }
+  }
+  if (hooksRemoved) {
+    console.log(`${GREEN}✅ Hook files removed${RESET}`);
+    anyAction = true;
+  } else {
+    console.log(`${DIM}   No hook files found — skipping${RESET}`);
+  }
+
+  // 2. Remove hooks directory if empty
+  if (fs.existsSync(HOOKS_DIR)) {
+    const remaining = fs.readdirSync(HOOKS_DIR);
+    if (remaining.length === 0) {
+      fs.rmdirSync(HOOKS_DIR);
+      console.log(`${GREEN}✅ Hooks directory removed${RESET} (${HOOKS_DIR})`);
+    } else {
+      console.log(`${DIM}   Hooks directory not empty — left in place${RESET} (${HOOKS_DIR})`);
+    }
+    anyAction = true;
+  }
+
+  // 3. Remove global git core.hooksPath
+  try {
+    const current = execSync('git config --global core.hooksPath', { encoding: 'utf8' }).trim();
+    if (current) {
+      execSync('git config --global --unset core.hooksPath', { encoding: 'utf8' });
+      console.log(`${GREEN}✅ Global git core.hooksPath removed${RESET}`);
+      anyAction = true;
+    }
+  } catch (_) {
+    // Not set — nothing to do
+    console.log(`${DIM}   No global core.hooksPath configured — skipping${RESET}`);
+  }
+
+  // 4. Leave ~/.scd/ store intact — user data (scans, audit log, exceptions)
+  console.log(`${DIM}   ~/.scd/ store preserved — your scan history and exceptions are kept${RESET}`);
+  console.log(`${DIM}   Remove manually with: rm -rf ~/.scd${RESET}`);
+
+  console.log(`\n${GREEN}${BOLD} Uninstall complete!${RESET}`);
+  if (anyAction) {
+    console.log(`${DIM} Git hooks are no longer active on this machine.${RESET}`);
+    console.log(`${DIM} Run ${RESET}scd install${DIM} to re-enable.${RESET}\n`);
+  }
+}
+
+module.exports = { install, uninstall };

package/lib/output-constants.js

@@ -0,0 +1,32 @@
+'use strict';
+/**
+ * output-constants.js
+ * Terminal presentation constants — colours and symbols.
+ *
+ * Single source of truth for all ANSI styling used in scd CLI output.
+ * Import in command and lib files:
+ *   const { CYAN, GREEN, DIM, RESET, OK, WARN, FAIL } = require('../output-constants');
+ *   (from lib/commands/: ../output-constants)
+ *   (from lib/:          ./output-constants)
+ *
+ * DIM uses \x1b[90m (bright black) — more widely supported than \x1b[2m.
+ */
+
+// ── Colours ────────────────────────────────────────────────────────────────
+const RESET  = '\x1b[0m';
+const BOLD   = '\x1b[1m';
+const DIM    = '\x1b[90m';
+const RED    = '\x1b[31m';
+const GREEN  = '\x1b[32m';
+const YELLOW = '\x1b[33m';
+const BLUE   = '\x1b[34m';
+const CYAN   = '\x1b[36m';
+
+// ── Symbols ────────────────────────────────────────────────────────────────
+const OK   = '✓';   // success
+const FAIL = '✗';   // hard failure / error
+const WARN = '⚠';   // warning
+const DASH = '–';   // en dash — used for empty/none values
+const SEP  = '─';   // horizontal separator (repeat as needed: SEP.repeat(52))
+
+module.exports = { RESET, BOLD, DIM, RED, GREEN, YELLOW, BLUE, CYAN, OK, FAIL, WARN, DASH, SEP };