@catladder/cli 1.135.0 → 1.136.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/catci +3 -0
- package/bin/catci-dev +3 -0
- package/dist/apps/catci/catci.d.ts +1 -0
- package/dist/apps/catci/catci.js +71 -0
- package/dist/apps/catci/catci.js.map +1 -0
- package/dist/apps/catci/commands/security/auditDocument.d.ts +19 -0
- package/dist/apps/catci/commands/security/auditDocument.js +90 -0
- package/dist/apps/catci/commands/security/auditDocument.js.map +1 -0
- package/dist/apps/catci/commands/security/commands.d.ts +2 -0
- package/dist/apps/catci/commands/security/commands.js +175 -0
- package/dist/apps/catci/commands/security/commands.js.map +1 -0
- package/dist/apps/catci/commands/security/createSecurityAuditMergeRequest.d.ts +9 -0
- package/dist/apps/catci/commands/security/createSecurityAuditMergeRequest.js +112 -0
- package/dist/apps/catci/commands/security/createSecurityAuditMergeRequest.js.map +1 -0
- package/dist/apps/catci/commands/security/evaluateSecurityAudit.d.ts +5 -0
- package/dist/apps/catci/commands/security/evaluateSecurityAudit.js +76 -0
- package/dist/apps/catci/commands/security/evaluateSecurityAudit.js.map +1 -0
- package/dist/apps/catci/commands/security/topics.json +112 -0
- package/dist/apps/cli/commands/project/commandSecurityEvaluate.d.ts +3 -0
- package/dist/apps/cli/commands/project/commandSecurityEvaluate.js +70 -0
- package/dist/apps/cli/commands/project/commandSecurityEvaluate.js.map +1 -0
- package/dist/apps/cli/commands/project/index.js +2 -0
- package/dist/apps/cli/commands/project/index.js.map +1 -1
- package/dist/bundles/catci/index.js +41 -0
- package/dist/bundles/catenv/index.js +1 -1
- package/dist/bundles/cli/index.js +3 -3
- package/dist/catci.d.ts +1 -0
- package/dist/catci.js +5 -0
- package/dist/catci.js.map +1 -0
- package/dist/tsconfig.tsbuildinfo +1 -1
- package/package.json +6 -5
- package/scripts/bundle +2 -0
- package/src/apps/catci/catci.ts +20 -0
- package/src/apps/catci/commands/security/auditDocument.ts +150 -0
- package/src/apps/catci/commands/security/commands.ts +146 -0
- package/src/apps/catci/commands/security/createSecurityAuditMergeRequest.ts +98 -0
- package/src/apps/catci/commands/security/evaluateSecurityAudit.ts +30 -0
- package/src/apps/catci/commands/security/topics.json +120 -0
- package/src/apps/cli/commands/project/commandSecurityEvaluate.ts +26 -0
- package/src/apps/cli/commands/project/index.ts +2 -0
- package/src/catci.ts +3 -0
|
@@ -0,0 +1,112 @@
|
|
|
1
|
+
[
|
|
2
|
+
{
|
|
3
|
+
"description": "No API keys or secrets are stored in repository",
|
|
4
|
+
"responsibles": 1,
|
|
5
|
+
"more": ""
|
|
6
|
+
},
|
|
7
|
+
{
|
|
8
|
+
"description": "The app does not provide password login",
|
|
9
|
+
"responsibles": 1,
|
|
10
|
+
"more": ""
|
|
11
|
+
},
|
|
12
|
+
{
|
|
13
|
+
"description": "Passwords are not stored",
|
|
14
|
+
"responsibles": 1,
|
|
15
|
+
"more": ""
|
|
16
|
+
},
|
|
17
|
+
{
|
|
18
|
+
"description": "Passwords are stored hashed with salt and salt is not stored in the repository",
|
|
19
|
+
"responsibles": 1,
|
|
20
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/hash.md)"
|
|
21
|
+
},
|
|
22
|
+
{
|
|
23
|
+
"description": "Input that ends up in DOM is properly sanitized",
|
|
24
|
+
"responsibles": 1,
|
|
25
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/xss.md)"
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
"description": "All user inputs have reasonable validations",
|
|
29
|
+
"responsibles": 1,
|
|
30
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/validation.md)"
|
|
31
|
+
},
|
|
32
|
+
{
|
|
33
|
+
"description": "The app is not using cookies",
|
|
34
|
+
"responsibles": 1,
|
|
35
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cookies.md)"
|
|
36
|
+
},
|
|
37
|
+
{
|
|
38
|
+
"description": "The app is using cookies and cookies are properly configured",
|
|
39
|
+
"responsibles": 1,
|
|
40
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cookies.md)"
|
|
41
|
+
},
|
|
42
|
+
{
|
|
43
|
+
"description": "The app uses JWT with a secret and the secret is not stored in the repository",
|
|
44
|
+
"responsibles": 1,
|
|
45
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cookies.md)"
|
|
46
|
+
},
|
|
47
|
+
{
|
|
48
|
+
"description": "Authorization and user roles (RBAC) were reviewed thoroughly",
|
|
49
|
+
"responsibles": 2,
|
|
50
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/authorization.md)"
|
|
51
|
+
},
|
|
52
|
+
{
|
|
53
|
+
"description": "CORS headers do not use `*`",
|
|
54
|
+
"responsibles": 1,
|
|
55
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/cors.md)"
|
|
56
|
+
},
|
|
57
|
+
{
|
|
58
|
+
"description": "CSP headers are properly configured (no `unsafe-inline` or `unsafe-eval`)",
|
|
59
|
+
"responsibles": 1,
|
|
60
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/csp.md)"
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
"description": "DoS defense mechanism is implemented",
|
|
64
|
+
"responsibles": 1,
|
|
65
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/dos.md)"
|
|
66
|
+
},
|
|
67
|
+
{
|
|
68
|
+
"description": "YAML/XML parsing is not used or used YAML/XML parsers have disabled DTD",
|
|
69
|
+
"responsibles": 1,
|
|
70
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/dos.md)"
|
|
71
|
+
},
|
|
72
|
+
{
|
|
73
|
+
"description": "The app implements CSRF prevention",
|
|
74
|
+
"responsibles": 1,
|
|
75
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/csrf.md)"
|
|
76
|
+
},
|
|
77
|
+
{
|
|
78
|
+
"description": "The app has a rate limitter",
|
|
79
|
+
"responsibles": 1,
|
|
80
|
+
"more": ""
|
|
81
|
+
},
|
|
82
|
+
{
|
|
83
|
+
"description": "The app has disabled GraphQL introspection and schema registry",
|
|
84
|
+
"responsibles": 1,
|
|
85
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/graphql.md)"
|
|
86
|
+
},
|
|
87
|
+
{
|
|
88
|
+
"description": "The app has set GraphQL complexity query limits",
|
|
89
|
+
"responsibles": 1,
|
|
90
|
+
"more": "[guide](https://git.panter.ch/panter/security-guide/-/blob/main/docs/audit/graphql.md)"
|
|
91
|
+
},
|
|
92
|
+
{
|
|
93
|
+
"description": "`sitemap.xml` does not leak any routes with sensitive data",
|
|
94
|
+
"responsibles": 1,
|
|
95
|
+
"more": ""
|
|
96
|
+
},
|
|
97
|
+
{
|
|
98
|
+
"description": "Cloud storage is (private) configured to not leak any sensitive data publicly",
|
|
99
|
+
"responsibles": 1,
|
|
100
|
+
"more": ""
|
|
101
|
+
},
|
|
102
|
+
{
|
|
103
|
+
"description": "Security Dashboard checks weekly vulnerable dependencies https://dep.panter.swiss/",
|
|
104
|
+
"responsibles": 1,
|
|
105
|
+
"more": ""
|
|
106
|
+
},
|
|
107
|
+
{
|
|
108
|
+
"description": "The app has `.well-known/security.txt` https://securitytxt.org/",
|
|
109
|
+
"responsibles": 1,
|
|
110
|
+
"more": ""
|
|
111
|
+
}
|
|
112
|
+
]
|
|
@@ -0,0 +1,70 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
|
|
3
|
+
function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
|
|
4
|
+
return new (P || (P = Promise))(function (resolve, reject) {
|
|
5
|
+
function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
|
|
6
|
+
function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
|
|
7
|
+
function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
|
|
8
|
+
step((generator = generator.apply(thisArg, _arguments || [])).next());
|
|
9
|
+
});
|
|
10
|
+
};
|
|
11
|
+
var __generator = (this && this.__generator) || function (thisArg, body) {
|
|
12
|
+
var _ = { label: 0, sent: function() { if (t[0] & 1) throw t[1]; return t[1]; }, trys: [], ops: [] }, f, y, t, g;
|
|
13
|
+
return g = { next: verb(0), "throw": verb(1), "return": verb(2) }, typeof Symbol === "function" && (g[Symbol.iterator] = function() { return this; }), g;
|
|
14
|
+
function verb(n) { return function (v) { return step([n, v]); }; }
|
|
15
|
+
function step(op) {
|
|
16
|
+
if (f) throw new TypeError("Generator is already executing.");
|
|
17
|
+
while (_) try {
|
|
18
|
+
if (f = 1, y && (t = op[0] & 2 ? y["return"] : op[0] ? y["throw"] || ((t = y["return"]) && t.call(y), 0) : y.next) && !(t = t.call(y, op[1])).done) return t;
|
|
19
|
+
if (y = 0, t) op = [op[0] & 2, t.value];
|
|
20
|
+
switch (op[0]) {
|
|
21
|
+
case 0: case 1: t = op; break;
|
|
22
|
+
case 4: _.label++; return { value: op[1], done: false };
|
|
23
|
+
case 5: _.label++; y = op[1]; op = [0]; continue;
|
|
24
|
+
case 7: op = _.ops.pop(); _.trys.pop(); continue;
|
|
25
|
+
default:
|
|
26
|
+
if (!(t = _.trys, t = t.length > 0 && t[t.length - 1]) && (op[0] === 6 || op[0] === 2)) { _ = 0; continue; }
|
|
27
|
+
if (op[0] === 3 && (!t || (op[1] > t[0] && op[1] < t[3]))) { _.label = op[1]; break; }
|
|
28
|
+
if (op[0] === 6 && _.label < t[1]) { _.label = t[1]; t = op; break; }
|
|
29
|
+
if (t && _.label < t[2]) { _.label = t[2]; _.ops.push(op); break; }
|
|
30
|
+
if (t[2]) _.ops.pop();
|
|
31
|
+
_.trys.pop(); continue;
|
|
32
|
+
}
|
|
33
|
+
op = body.call(thisArg, _);
|
|
34
|
+
} catch (e) { op = [6, e]; y = 0; } finally { f = t = 0; }
|
|
35
|
+
if (op[0] & 5) throw op[1]; return { value: op[0] ? op[1] : void 0, done: true };
|
|
36
|
+
}
|
|
37
|
+
};
|
|
38
|
+
exports.__esModule = true;
|
|
39
|
+
var evaluateSecurityAudit_1 = require("../../../catci/commands/security/evaluateSecurityAudit");
|
|
40
|
+
var projects_1 = require("../../../../utils/projects");
|
|
41
|
+
exports["default"] = (function (vorpal) { return __awaiter(void 0, void 0, void 0, function () {
|
|
42
|
+
return __generator(this, function (_a) {
|
|
43
|
+
vorpal
|
|
44
|
+
.command("project-security-evaluate", "evaluate project's security audit document")
|
|
45
|
+
.action(function () {
|
|
46
|
+
return __awaiter(this, void 0, void 0, function () {
|
|
47
|
+
var gitRoot, result;
|
|
48
|
+
return __generator(this, function (_a) {
|
|
49
|
+
switch (_a.label) {
|
|
50
|
+
case 0: return [4 /*yield*/, (0, projects_1.getGitRoot)()];
|
|
51
|
+
case 1:
|
|
52
|
+
gitRoot = _a.sent();
|
|
53
|
+
return [4 /*yield*/, (0, evaluateSecurityAudit_1.evaluateSecurityAudit)({ path: gitRoot })];
|
|
54
|
+
case 2:
|
|
55
|
+
result = _a.sent();
|
|
56
|
+
if (result.isErr()) {
|
|
57
|
+
console.error("Could not evaluate security audit document:", result.error);
|
|
58
|
+
}
|
|
59
|
+
else {
|
|
60
|
+
console.log((0, evaluateSecurityAudit_1.makeSecurityAuditOverview)(result.value));
|
|
61
|
+
}
|
|
62
|
+
return [2 /*return*/];
|
|
63
|
+
}
|
|
64
|
+
});
|
|
65
|
+
});
|
|
66
|
+
});
|
|
67
|
+
return [2 /*return*/];
|
|
68
|
+
});
|
|
69
|
+
}); });
|
|
70
|
+
//# sourceMappingURL=commandSecurityEvaluate.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"commandSecurityEvaluate.js","sourceRoot":"","sources":["../../../../../src/apps/cli/commands/project/commandSecurityEvaluate.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,gGAGgE;AAChE,uDAAwD;AAExD,sBAAe,UAAO,MAAc;;QAClC,MAAM;aACH,OAAO,CACN,2BAA2B,EAC3B,4CAA4C,CAC7C;aACA,MAAM,CAAC;;;;;gCACU,qBAAM,IAAA,qBAAU,GAAE,EAAA;;4BAA5B,OAAO,GAAG,SAAkB;4BACnB,qBAAM,IAAA,6CAAqB,EAAC,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAA;;4BAAvD,MAAM,GAAG,SAA8C;4BAC7D,IAAI,MAAM,CAAC,KAAK,EAAE,EAAE;gCAClB,OAAO,CAAC,KAAK,CACX,6CAA6C,EAC7C,MAAM,CAAC,KAAK,CACb,CAAC;6BACH;iCAAM;gCACL,OAAO,CAAC,GAAG,CAAC,IAAA,iDAAyB,EAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC;6BACtD;;;;;SACF,CAAC,CAAC;;;KACN,EAAC"}
|
|
@@ -64,6 +64,7 @@ var commandTriggerCronjob_1 = __importDefault(require("./commandTriggerCronjob")
|
|
|
64
64
|
var commandOpenGrafanaPod_1 = __importDefault(require("./commandOpenGrafanaPod"));
|
|
65
65
|
var commandSecretsClearBackups_1 = __importDefault(require("./commandSecretsClearBackups"));
|
|
66
66
|
var commandProjectRestoreDb_1 = __importDefault(require("./cloudSql/commandProjectRestoreDb"));
|
|
67
|
+
var commandSecurityEvaluate_1 = __importDefault(require("./commandSecurityEvaluate"));
|
|
67
68
|
exports["default"] = (function (vorpal) { return __awaiter(void 0, void 0, void 0, function () {
|
|
68
69
|
return __generator(this, function (_a) {
|
|
69
70
|
(0, commandSetup_1["default"])(vorpal);
|
|
@@ -90,6 +91,7 @@ exports["default"] = (function (vorpal) { return __awaiter(void 0, void 0, void
|
|
|
90
91
|
(0, commandGitlabCi_1["default"])(vorpal);
|
|
91
92
|
(0, commandGetMyTotalWorktime_1["default"])(vorpal);
|
|
92
93
|
(0, commandMigrateHelm3_1["default"])(vorpal);
|
|
94
|
+
(0, commandSecurityEvaluate_1["default"])(vorpal);
|
|
93
95
|
return [2 /*return*/];
|
|
94
96
|
});
|
|
95
97
|
}); });
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/apps/cli/commands/project/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,gFAA0D;AAC1D,gFAA0D;AAE1D,0EAAoD;AACpD,gFAA0D;AAC1D,oEAA8C;AAC9C,0FAAoE;AACpE,sEAAgD;AAChD,sEAAgD;AAChD,gEAA0C;AAC1C,4DAA4D;AAC5D,sEAAgD;AAChD,8EAAwD;AACxD,wEAAkD;AAClD,wFAAkE;AAClE,gFAA0D;AAC1D,oEAA8C;AAC9C,oEAA8C;AAC9C,sEAAgD;AAChD,8EAAwD;AACxD,4EAAsD;AACtD,4EAAsD;AACtD,kFAA4D;AAE5D,kFAA4D;AAC5D,4FAAsE;AACtE,+FAAyE;
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../../../src/apps/cli/commands/project/index.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACA,gFAA0D;AAC1D,gFAA0D;AAE1D,0EAAoD;AACpD,gFAA0D;AAC1D,oEAA8C;AAC9C,0FAAoE;AACpE,sEAAgD;AAChD,sEAAgD;AAChD,gEAA0C;AAC1C,4DAA4D;AAC5D,sEAAgD;AAChD,8EAAwD;AACxD,wEAAkD;AAClD,wFAAkE;AAClE,gFAA0D;AAC1D,oEAA8C;AAC9C,oEAA8C;AAC9C,sEAAgD;AAChD,8EAAwD;AACxD,4EAAsD;AACtD,4EAAsD;AACtD,kFAA4D;AAE5D,kFAA4D;AAC5D,4FAAsE;AACtE,+FAAyE;AACzE,sFAAgE;AAEhE,sBAAe,UAAO,MAAc;;QAClC,IAAA,yBAAY,EAAC,MAAM,CAAC,CAAC;QAErB,IAAA,2BAAc,EAAC,MAAM,CAAC,CAAC;QAEvB,IAAA,6BAAgB,EAAC,MAAM,CAAC,CAAC;QACzB,IAAA,4BAAe,EAAC,MAAM,CAAC,CAAC;QACxB,IAAA,gCAAmB,EAAC,MAAM,CAAC,CAAC;QAC5B,IAAA,iCAAoB,EAAC,MAAM,CAAC,CAAC;QAE7B,IAAA,iCAAoB,EAAC,MAAM,CAAC,CAAC;QAE7B,IAAA,4BAAe,EAAC,MAAM,CAAC,CAAC;QAExB,IAAA,qCAAwB,EAAC,MAAM,CAAC,CAAC;QAEjC,IAAA,+BAAkB,EAAC,MAAM,CAAC,CAAC;QAC3B,IAAA,kCAAqB,EAAC,MAAM,CAAC,CAAC;QAC9B,IAAA,iCAAoB,EAAC,MAAM,CAAC,CAAC;QAC7B,IAAA,oCAAuB,EAAC,MAAM,CAAC,CAAC;QAChC,IAAA,2BAAc,EAAC,MAAM,CAAC,CAAC;QACvB,IAAA,2BAAc,EAAC,MAAM,CAAC,CAAC;QACvB,IAAA,kCAAqB,EAAC,MAAM,CAAC,CAAC;QAC9B,IAAA,iCAAoB,EAAC,MAAM,CAAC,CAAC;QAC7B,IAAA,uCAA0B,EAAC,MAAM,CAAC,CAAC;QACnC,IAAA,8BAAiB,EAAC,MAAM,CAAC,CAAC;QAE1B,IAAA,4BAAe,EAAC,MAAM,CAAC,CAAC;QACxB,IAAA,+BAAkB,EAAC,MAAM,CAAC,CAAC;QAE3B,IAAA,4BAAe,EAAC,MAAM,CAAC,CAAC;QAExB,IAAA,sCAAyB,EAAC,MAAM,CAAC,CAAC;QAClC,IAAA,gCAAmB,EAAC,MAAM,CAAC,CAAC;QAC5B,IAAA,oCAAuB,EAAC,MAAM,CAAC,CAAC;;;KACjC,EAAC"}
|