@cencori/scan 0.1.0

package/dist/cli.mjs

@@ -0,0 +1,656 @@
+#!/usr/bin/env node
+
+// src/cli.ts
+import { program } from "commander";
+import chalk from "chalk";
+import ora from "ora";
+
+// src/scanner/index.ts
+import * as fs from "fs";
+import * as path from "path";
+import { glob } from "glob";
+
+// src/scanner/patterns.ts
+var SECRET_PATTERNS = [
+  // OpenAI
+  {
+    name: "OpenAI API Key",
+    provider: "OpenAI",
+    pattern: /sk-[a-zA-Z0-9]{20}T3BlbkFJ[a-zA-Z0-9]{20}/g,
+    severity: "critical"
+  },
+  {
+    name: "OpenAI Project Key",
+    provider: "OpenAI",
+    pattern: /sk-proj-[a-zA-Z0-9_-]{80,}/g,
+    severity: "critical"
+  },
+  // Anthropic
+  {
+    name: "Anthropic API Key",
+    provider: "Anthropic",
+    pattern: /sk-ant-[a-zA-Z0-9-]{90,}/g,
+    severity: "critical"
+  },
+  // Google
+  {
+    name: "Google API Key",
+    provider: "Google",
+    pattern: /AIza[0-9A-Za-z_-]{35}/g,
+    severity: "critical"
+  },
+  // Supabase
+  {
+    name: "Supabase Service Role Key",
+    provider: "Supabase",
+    pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g,
+    severity: "critical"
+  },
+  {
+    name: "Supabase Anon Key (if hardcoded)",
+    provider: "Supabase",
+    pattern: /SUPABASE_ANON_KEY\s*[:=]\s*["']eyJ[^"']+["']/g,
+    severity: "medium"
+  },
+  // Stripe
+  {
+    name: "Stripe Secret Key",
+    provider: "Stripe",
+    pattern: /sk_live_[0-9a-zA-Z]{24,}/g,
+    severity: "critical"
+  },
+  {
+    name: "Stripe Test Key",
+    provider: "Stripe",
+    pattern: /sk_test_[0-9a-zA-Z]{24,}/g,
+    severity: "medium"
+  },
+  // AWS
+  {
+    name: "AWS Access Key ID",
+    provider: "AWS",
+    pattern: /AKIA[0-9A-Z]{16}/g,
+    severity: "critical"
+  },
+  {
+    name: "AWS Secret Access Key",
+    provider: "AWS",
+    pattern: /aws_secret_access_key\s*[:=]\s*["'][A-Za-z0-9/+=]{40}["']/gi,
+    severity: "critical"
+  },
+  // GitHub
+  {
+    name: "GitHub Personal Access Token",
+    provider: "GitHub",
+    pattern: /ghp_[a-zA-Z0-9]{36}/g,
+    severity: "critical"
+  },
+  {
+    name: "GitHub OAuth Token",
+    provider: "GitHub",
+    pattern: /gho_[a-zA-Z0-9]{36}/g,
+    severity: "critical"
+  },
+  // Telegram
+  {
+    name: "Telegram Bot Token",
+    provider: "Telegram",
+    pattern: /[0-9]{9,10}:[a-zA-Z0-9_-]{35}/g,
+    severity: "high"
+  },
+  // Discord
+  {
+    name: "Discord Bot Token",
+    provider: "Discord",
+    pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27}/g,
+    severity: "high"
+  },
+  // Slack
+  {
+    name: "Slack Bot Token",
+    provider: "Slack",
+    pattern: /xoxb-[0-9]{11}-[0-9]{11}-[a-zA-Z0-9]{24}/g,
+    severity: "high"
+  },
+  // SendGrid
+  {
+    name: "SendGrid API Key",
+    provider: "SendGrid",
+    pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g,
+    severity: "high"
+  },
+  // Twilio
+  {
+    name: "Twilio API Key",
+    provider: "Twilio",
+    pattern: /SK[a-fA-F0-9]{32}/g,
+    severity: "high"
+  },
+  // Mailgun
+  {
+    name: "Mailgun API Key",
+    provider: "Mailgun",
+    pattern: /key-[a-zA-Z0-9]{32}/g,
+    severity: "high"
+  },
+  // Firebase
+  {
+    name: "Firebase Database URL",
+    provider: "Firebase",
+    pattern: /https:\/\/[a-z0-9-]+\.firebaseio\.com/g,
+    severity: "medium"
+  },
+  // Generic patterns
+  {
+    name: "Private Key",
+    provider: "Generic",
+    pattern: /-----BEGIN (RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+    severity: "critical"
+  },
+  {
+    name: "Generic API Key Assignment",
+    provider: "Generic",
+    pattern: /(api_key|apikey|api_secret|secret_key)\s*[:=]\s*["'][a-zA-Z0-9_-]{20,}["']/gi,
+    severity: "high"
+  },
+  {
+    name: "Password Assignment",
+    provider: "Generic",
+    pattern: /(password|passwd|pwd)\s*[:=]\s*["'][^"']{8,}["']/gi,
+    severity: "high"
+  },
+  // Replicate
+  {
+    name: "Replicate API Token",
+    provider: "Replicate",
+    pattern: /r8_[a-zA-Z0-9]{38}/g,
+    severity: "critical"
+  },
+  // Hugging Face
+  {
+    name: "Hugging Face Token",
+    provider: "Hugging Face",
+    pattern: /hf_[a-zA-Z0-9]{34}/g,
+    severity: "critical"
+  },
+  // Cohere
+  {
+    name: "Cohere API Key",
+    provider: "Cohere",
+    pattern: /[a-zA-Z0-9]{40}/g,
+    // Less specific, check context
+    severity: "medium"
+  }
+];
+var PII_PATTERNS = [
+  {
+    name: "Email Address",
+    pattern: /[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}/g,
+    severity: "medium"
+  },
+  {
+    name: "Phone Number (US)",
+    pattern: /(\+1[-.\s]?)?\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}/g,
+    severity: "medium"
+  },
+  {
+    name: "Phone Number (International)",
+    pattern: /\+[1-9]\d{1,14}/g,
+    severity: "medium"
+  },
+  {
+    name: "Social Security Number",
+    pattern: /\b\d{3}-\d{2}-\d{4}\b/g,
+    severity: "high"
+  },
+  {
+    name: "Credit Card Number",
+    pattern: /\b(?:\d{4}[-\s]?){3}\d{4}\b/g,
+    severity: "high"
+  },
+  {
+    name: "IP Address",
+    pattern: /\b(?:\d{1,3}\.){3}\d{1,3}\b/g,
+    severity: "low"
+  }
+];
+var ROUTE_PATTERNS = [
+  // Next.js API routes without auth
+  {
+    name: "Next.js API Route (check for auth)",
+    framework: "Next.js",
+    pattern: /export\s+(async\s+)?function\s+(GET|POST|PUT|DELETE|PATCH)\s*\(/g,
+    severity: "medium",
+    description: "API route handler - verify authentication is implemented"
+  },
+  // Express routes
+  {
+    name: "Express Route without Auth Middleware",
+    framework: "Express",
+    pattern: /app\.(get|post|put|delete|patch)\s*\(\s*["'`][^"'`]+["'`]\s*,\s*(?!.*auth)/gi,
+    severity: "medium",
+    description: "Express route - check if auth middleware is applied"
+  }
+];
+var IGNORE_PATTERNS = [
+  "node_modules",
+  ".git",
+  "dist",
+  "build",
+  ".next",
+  ".venv",
+  "__pycache__",
+  "*.min.js",
+  "*.min.css",
+  "*.map",
+  "package-lock.json",
+  "yarn.lock",
+  "pnpm-lock.yaml"
+];
+var SCANNABLE_EXTENSIONS = [
+  ".js",
+  ".jsx",
+  ".ts",
+  ".tsx",
+  ".mjs",
+  ".cjs",
+  ".py",
+  ".rb",
+  ".go",
+  ".java",
+  ".php",
+  ".env",
+  ".json",
+  ".yaml",
+  ".yml",
+  ".toml",
+  ".xml",
+  ".md",
+  ".txt",
+  ".sql",
+  ".sh",
+  ".bash",
+  ".zsh"
+];
+
+// src/scanner/index.ts
+function redact(match, showChars = 4) {
+  if (match.length <= showChars * 2) {
+    return "*".repeat(match.length);
+  }
+  return match.slice(0, showChars) + "****" + match.slice(-showChars);
+}
+function getPosition(content, index) {
+  const lines = content.slice(0, index).split("\n");
+  return {
+    line: lines.length,
+    column: lines[lines.length - 1].length + 1
+  };
+}
+function shouldIgnore(filePath) {
+  const normalized = filePath.replace(/\\/g, "/");
+  return IGNORE_PATTERNS.some((pattern) => {
+    if (pattern.startsWith("*")) {
+      return normalized.endsWith(pattern.slice(1));
+    }
+    return normalized.includes(pattern);
+  });
+}
+function isScannable(filePath) {
+  const ext = path.extname(filePath).toLowerCase();
+  return SCANNABLE_EXTENSIONS.includes(ext);
+}
+function scanFile(filePath, content) {
+  const issues = [];
+  const relativePath = filePath;
+  for (const pattern of SECRET_PATTERNS) {
+    pattern.pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.pattern.exec(content)) !== null) {
+      const pos = getPosition(content, match.index);
+      issues.push({
+        type: "secret",
+        severity: pattern.severity,
+        name: pattern.name,
+        provider: pattern.provider,
+        file: relativePath,
+        line: pos.line,
+        column: pos.column,
+        match: redact(match[0])
+      });
+    }
+  }
+  for (const pattern of PII_PATTERNS) {
+    pattern.pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.pattern.exec(content)) !== null) {
+      const matchStr = match[0];
+      if (isLikelyFalsePositive(matchStr, pattern.name)) {
+        continue;
+      }
+      const pos = getPosition(content, match.index);
+      issues.push({
+        type: "pii",
+        severity: pattern.severity,
+        name: pattern.name,
+        file: relativePath,
+        line: pos.line,
+        column: pos.column,
+        match: redact(matchStr, 3)
+      });
+    }
+  }
+  for (const pattern of ROUTE_PATTERNS) {
+    pattern.pattern.lastIndex = 0;
+    let match;
+    while ((match = pattern.pattern.exec(content)) !== null) {
+      const pos = getPosition(content, match.index);
+      issues.push({
+        type: "route",
+        severity: pattern.severity,
+        name: pattern.name,
+        file: relativePath,
+        line: pos.line,
+        column: pos.column,
+        match: match[0],
+        description: pattern.description
+      });
+    }
+  }
+  const fileName = path.basename(filePath);
+  if (fileName.startsWith(".env") && !fileName.includes(".example")) {
+    const gitignorePath = path.join(path.dirname(filePath), ".gitignore");
+    const gitignoreExists = fs.existsSync(gitignorePath);
+    issues.push({
+      type: "config",
+      severity: "high",
+      name: "Environment file in repository",
+      file: relativePath,
+      line: 1,
+      column: 1,
+      match: fileName,
+      description: gitignoreExists ? "Verify this file is in .gitignore" : "Add .env* to .gitignore"
+    });
+  }
+  return issues;
+}
+function isLikelyFalsePositive(match, patternName) {
+  if (patternName === "Email Address") {
+    const falseDomains = [
+      "example.com",
+      "example.org",
+      "test.com",
+      "localhost",
+      "placeholder.com"
+    ];
+    if (falseDomains.some((d) => match.includes(d))) {
+      return true;
+    }
+    const publicPrefixes = [
+      "support@",
+      "help@",
+      "info@",
+      "contact@",
+      "sales@",
+      "admin@",
+      "noreply@",
+      "no-reply@",
+      "hello@",
+      "team@",
+      "partners@",
+      "enterprise@",
+      "security@",
+      "privacy@",
+      "legal@"
+    ];
+    if (publicPrefixes.some((p) => match.toLowerCase().startsWith(p))) {
+      return true;
+    }
+  }
+  if (patternName === "IP Address") {
+    const falseIPs = ["0.0.0.0", "127.0.0.1", "192.168.", "10.0.", "172.16."];
+    if (falseIPs.some((ip) => match.startsWith(ip))) {
+      return true;
+    }
+  }
+  if (patternName.includes("Phone Number")) {
+    if (match.includes("555") || match.includes("123-456") || match.includes("000-000")) {
+      return true;
+    }
+  }
+  return false;
+}
+function calculateScore(issues) {
+  const critical = issues.filter((i) => i.severity === "critical").length;
+  const high = issues.filter((i) => i.severity === "high").length;
+  const medium = issues.filter((i) => i.severity === "medium").length;
+  const total = issues.length;
+  if (critical > 0) return "F";
+  if (high >= 3) return "F";
+  if (high >= 2) return "D";
+  if (high >= 1 || medium >= 5) return "C";
+  if (medium >= 2) return "B";
+  if (total === 0) return "A";
+  return "B";
+}
+function getTierDescription(score) {
+  switch (score) {
+    case "A":
+      return "Excellent! No security issues detected.";
+    case "B":
+      return "Good, but minor improvements recommended.";
+    case "C":
+      return "Fair. Some security concerns need attention.";
+    case "D":
+      return "Poor. Significant security issues detected.";
+    case "F":
+      return "Critical! Your app is leaking secrets.";
+    default:
+      return "";
+  }
+}
+async function scan(targetPath) {
+  const startTime = Date.now();
+  const absolutePath = path.resolve(targetPath);
+  const files = await glob("**/*", {
+    cwd: absolutePath,
+    nodir: true,
+    ignore: IGNORE_PATTERNS,
+    absolute: true
+  });
+  const issues = [];
+  let filesScanned = 0;
+  for (const file of files) {
+    if (!isScannable(file) || shouldIgnore(file)) {
+      continue;
+    }
+    try {
+      const content = fs.readFileSync(file, "utf-8");
+      const relativePath = path.relative(absolutePath, file);
+      const fileIssues = scanFile(relativePath, content);
+      issues.push(...fileIssues);
+      filesScanned++;
+    } catch {
+      continue;
+    }
+  }
+  const score = calculateScore(issues);
+  const scanDuration = Date.now() - startTime;
+  return {
+    score,
+    tierDescription: getTierDescription(score),
+    issues,
+    filesScanned,
+    scanDuration,
+    summary: {
+      secrets: issues.filter((i) => i.type === "secret").length,
+      pii: issues.filter((i) => i.type === "pii").length,
+      routes: issues.filter((i) => i.type === "route").length,
+      config: issues.filter((i) => i.type === "config").length,
+      critical: issues.filter((i) => i.severity === "critical").length,
+      high: issues.filter((i) => i.severity === "high").length,
+      medium: issues.filter((i) => i.severity === "medium").length,
+      low: issues.filter((i) => i.severity === "low").length
+    }
+  };
+}
+
+// src/cli.ts
+var VERSION = "0.1.0";
+var scoreStyles = {
+  A: { color: chalk.green },
+  B: { color: chalk.blue },
+  C: { color: chalk.yellow },
+  D: { color: chalk.red },
+  F: { color: chalk.bgRed.white }
+};
+var severityColors = {
+  critical: chalk.bgRed.white,
+  high: chalk.red,
+  medium: chalk.yellow,
+  low: chalk.blue
+};
+var typeLabels = {
+  secret: "SECRETS",
+  pii: "PII",
+  route: "ROUTES",
+  config: "CONFIG"
+};
+function printBanner() {
+  console.log();
+  console.log(chalk.cyan.bold("  Cencori Scan"));
+  console.log(chalk.gray(`  v${VERSION}`));
+  console.log();
+}
+function printScore(result) {
+  const style = scoreStyles[result.score];
+  const scoreText = `${result.score}-Tier`;
+  const content = `   Security Score: ${scoreText}`;
+  console.log();
+  console.log(chalk.gray("  \u250C\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2510"));
+  console.log(chalk.gray("  \u2502") + style.color.bold(content.padEnd(45)) + chalk.gray("\u2502"));
+  console.log(chalk.gray("  \u2514\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2518"));
+  console.log();
+  console.log(chalk.gray(`  ${result.tierDescription}`));
+  console.log();
+}
+function printIssues(issues) {
+  if (issues.length === 0) {
+    console.log(chalk.green("  No security issues found."));
+    console.log();
+    return;
+  }
+  const grouped = {};
+  for (const issue of issues) {
+    if (!grouped[issue.type]) {
+      grouped[issue.type] = [];
+    }
+    grouped[issue.type].push(issue);
+  }
+  for (const [type, typeIssues] of Object.entries(grouped)) {
+    const label = typeLabels[type] || type.toUpperCase();
+    console.log(`  ${chalk.bold(label)} (${typeIssues.length})`);
+    for (let i = 0; i < typeIssues.length; i++) {
+      const issue = typeIssues[i];
+      const isLast = i === typeIssues.length - 1;
+      const prefix = isLast ? "  \u2514\u2500" : "  \u251C\u2500";
+      const severityColor = severityColors[issue.severity];
+      console.log(
+        chalk.gray(prefix) + " " + chalk.gray(`${issue.file}:${issue.line}`) + "  " + severityColor(issue.match)
+      );
+      if (issue.description) {
+        const descPrefix = isLast ? "     " : "  \u2502  ";
+        console.log(chalk.gray(descPrefix) + chalk.dim(issue.description));
+      }
+    }
+    console.log();
+  }
+}
+function printSummary(result) {
+  const { summary } = result;
+  console.log(chalk.gray("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log();
+  console.log(`  ${chalk.bold("Summary")}`);
+  console.log(`    Files scanned: ${chalk.cyan(result.filesScanned)}`);
+  console.log(`    Scan time: ${chalk.cyan(result.scanDuration + "ms")}`);
+  console.log();
+  if (summary.critical > 0) {
+    console.log(`    ${chalk.bgRed.white(" CRITICAL ")} ${summary.critical} issues`);
+  }
+  if (summary.high > 0) {
+    console.log(`    ${chalk.red("   HIGH   ")} ${summary.high} issues`);
+  }
+  if (summary.medium > 0) {
+    console.log(`    ${chalk.yellow(" MEDIUM  ")} ${summary.medium} issues`);
+  }
+  if (summary.low > 0) {
+    console.log(`    ${chalk.blue("   LOW    ")} ${summary.low} issues`);
+  }
+  console.log();
+}
+function printFixes(issues) {
+  if (issues.length === 0) return;
+  console.log(`  ${chalk.bold("Recommendations:")}`);
+  const hasSecrets = issues.some((i) => i.type === "secret");
+  const hasPII = issues.some((i) => i.type === "pii");
+  const hasConfig = issues.some((i) => i.type === "config");
+  if (hasSecrets) {
+    console.log(chalk.gray("    - Use environment variables for secrets"));
+    console.log(chalk.gray("    - Never commit API keys to version control"));
+  }
+  if (hasConfig) {
+    console.log(chalk.gray("    - Add .env* to .gitignore"));
+  }
+  if (hasPII) {
+    console.log(chalk.gray("    - Remove personal data from source code"));
+  }
+  console.log();
+}
+function printFooter() {
+  console.log(chalk.gray("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log();
+  console.log(`  Share: ${chalk.cyan("https://scan.cencori.com")}`);
+  console.log(`  Docs:  ${chalk.cyan("https://cencori.com/docs")}`);
+  console.log();
+}
+async function main() {
+  program.name("cencori-scan").description("Security scanner for AI apps. Detect secrets, PII, and exposed routes.").version(VERSION).argument("[path]", "Path to scan", ".").option("-j, --json", "Output results as JSON").option("-q, --quiet", "Only output the score").option("--no-color", "Disable colored output").action(async (targetPath, options) => {
+    if (options.json) {
+      const result = await scan(targetPath);
+      console.log(JSON.stringify(result, null, 2));
+      process.exit(result.score === "A" || result.score === "B" ? 0 : 1);
+      return;
+    }
+    printBanner();
+    const spinner = ora({
+      text: "Scanning for security issues...",
+      color: "cyan"
+    }).start();
+    try {
+      const result = await scan(targetPath);
+      spinner.succeed(`Scanned ${result.filesScanned} files`);
+      if (options.quiet) {
+        const style = scoreStyles[result.score];
+        console.log(`
+  Score: ${style.color.bold(result.score + "-Tier")}
+`);
+        process.exit(result.score === "A" || result.score === "B" ? 0 : 1);
+        return;
+      }
+      printScore(result);
+      printIssues(result.issues);
+      printSummary(result);
+      printFixes(result.issues);
+      printFooter();
+      process.exit(result.score === "A" || result.score === "B" ? 0 : 1);
+    } catch (error) {
+      spinner.fail("Scan failed");
+      console.error(chalk.red(`
+  Error: ${error instanceof Error ? error.message : "Unknown error"}`));
+      process.exit(1);
+    }
+  });
+  program.parse();
+}
+main();
+//# sourceMappingURL=cli.mjs.map