npm - @cencori/scan - Versions diffs - 0.2.0 → 0.3.1 - Mend

@cencori/scan 0.2.0 → 0.3.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/cli.js CHANGED Viewed

@@ -27,6 +27,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
 var import_commander = require("commander");
 var import_chalk = __toESM(require("chalk"));
 var import_ora = __toESM(require("ora"));
+var import_prompts = require("@inquirer/prompts");
 // src/scanner/index.ts
 var fs = __toESM(require("fs"));
@@ -714,8 +715,220 @@ async function scan(targetPath) {
   };
 }
+// src/ai/index.ts
+var fs2 = __toESM(require("fs"));
+var path2 = __toESM(require("path"));
+var os = __toESM(require("os"));
+var CENCORI_API_URL = "https://api.cencori.com/v1";
+var CONFIG_FILE = ".cencorirc";
+function getConfigPath() {
+  return path2.join(os.homedir(), CONFIG_FILE);
+}
+function loadApiKeyFromConfig() {
+  try {
+    const configPath = getConfigPath();
+    if (fs2.existsSync(configPath)) {
+      const content = fs2.readFileSync(configPath, "utf-8");
+      const lines = content.split("\n");
+      for (const line of lines) {
+        if (line.startsWith("api_key=")) {
+          return line.slice("api_key=".length).trim();
+        }
+      }
+    }
+  } catch {
+  }
+  return void 0;
+}
+function saveApiKey(apiKey) {
+  const configPath = getConfigPath();
+  fs2.writeFileSync(configPath, `api_key=${apiKey}
+`, { mode: 384 });
+}
+function getApiKey() {
+  return process.env.CENCORI_API_KEY || loadApiKeyFromConfig();
+}
+var sessionApiKey;
+function setSessionApiKey(apiKey) {
+  sessionApiKey = apiKey;
+}
+function getEffectiveApiKey() {
+  return sessionApiKey || getApiKey();
+}
+async function validateApiKey(apiKey) {
+  try {
+    const response = await fetch(`${CENCORI_API_URL}/models`, {
+      method: "GET",
+      headers: {
+        "Authorization": `Bearer ${apiKey}`
+      }
+    });
+    return response.ok;
+  } catch {
+    return false;
+  }
+}
+async function analyzeIssues(issues, fileContents) {
+  const apiKey = getEffectiveApiKey();
+  if (!apiKey) {
+    throw new Error("No API key available");
+  }
+  const results = [];
+  for (const issue of issues) {
+    const content = fileContents.get(issue.file) || "";
+    const lines = content.split("\n");
+    const startLine = Math.max(0, issue.line - 3);
+    const endLine = Math.min(lines.length, issue.line + 3);
+    const context = lines.slice(startLine, endLine).join("\n");
+    try {
+      const response = await fetch(`${CENCORI_API_URL}/chat/completions`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${apiKey}`
+        },
+        body: JSON.stringify({
+          model: "gpt-4o-mini",
+          messages: [
+            {
+              role: "system",
+              content: `You are a security analyst. Analyze code findings and determine if they are real security issues or false positives. Respond in JSON format: {"isFalsePositive": boolean, "confidence": number (0-100), "reason": "brief explanation"}`
+            },
+            {
+              role: "user",
+              content: `Analyze this security finding:
+Type: ${issue.type}
+Name: ${issue.name}
+Match: ${issue.match}
+File: ${issue.file}:${issue.line}
+Context:
+\`\`\`
+${context}
+\`\`\`
+Is this a real security issue or a false positive (e.g., test data, example code, documentation)?`
+            }
+          ],
+          temperature: 0,
+          max_tokens: 150
+        })
+      });
+      if (!response.ok) {
+        throw new Error(`API error: ${response.status}`);
+      }
+      const data = await response.json();
+      const content_response = data.choices[0]?.message?.content || "{}";
+      const parsed = JSON.parse(content_response);
+      results.push({
+        issue,
+        isFalsePositive: parsed.isFalsePositive || false,
+        confidence: parsed.confidence || 50,
+        reason: parsed.reason || "Unable to analyze"
+      });
+    } catch {
+      results.push({
+        issue,
+        isFalsePositive: false,
+        confidence: 50,
+        reason: "Analysis failed - treating as potential issue"
+      });
+    }
+  }
+  return results;
+}
+async function generateFixes(issues, fileContents) {
+  const apiKey = getEffectiveApiKey();
+  if (!apiKey) {
+    throw new Error("No API key available");
+  }
+  const results = [];
+  for (const issue of issues) {
+    const content = fileContents.get(issue.file) || "";
+    const lines = content.split("\n");
+    const startLine = Math.max(0, issue.line - 5);
+    const endLine = Math.min(lines.length, issue.line + 5);
+    const codeSnippet = lines.slice(startLine, endLine).join("\n");
+    try {
+      const response = await fetch(`${CENCORI_API_URL}/chat/completions`, {
+        method: "POST",
+        headers: {
+          "Content-Type": "application/json",
+          "Authorization": `Bearer ${apiKey}`
+        },
+        body: JSON.stringify({
+          model: "gpt-4o-mini",
+          messages: [
+            {
+              role: "system",
+              content: `You are a security engineer. Generate secure code fixes. For secrets, use environment variables. For XSS, use sanitization. Respond in JSON: {"fixedCode": "the fixed code snippet", "explanation": "what was changed"}`
+            },
+            {
+              role: "user",
+              content: `Fix this security issue:
+Type: ${issue.type}
+Name: ${issue.name}
+File: ${issue.file}:${issue.line}
+Code to fix:
+\`\`\`
+${codeSnippet}
+\`\`\`
+Generate a secure fix.`
+            }
+          ],
+          temperature: 0,
+          max_tokens: 500
+        })
+      });
+      if (!response.ok) {
+        throw new Error(`API error: ${response.status}`);
+      }
+      const data = await response.json();
+      const content_response = data.choices[0]?.message?.content || "{}";
+      const parsed = JSON.parse(content_response);
+      results.push({
+        issue,
+        originalCode: codeSnippet,
+        fixedCode: parsed.fixedCode || codeSnippet,
+        explanation: parsed.explanation || "No explanation provided",
+        applied: false
+      });
+    } catch {
+      results.push({
+        issue,
+        originalCode: codeSnippet,
+        fixedCode: codeSnippet,
+        explanation: "Unable to generate fix - manual review required",
+        applied: false
+      });
+    }
+  }
+  return results;
+}
+async function applyFixes(fixes, fileContents) {
+  for (const fix of fixes) {
+    if (fix.fixedCode === fix.originalCode) {
+      continue;
+    }
+    const content = fileContents.get(fix.issue.file);
+    if (!content) {
+      continue;
+    }
+    const newContent = content.replace(fix.originalCode, fix.fixedCode);
+    if (newContent !== content) {
+      const filePath = path2.resolve(fix.issue.file);
+      fs2.writeFileSync(filePath, newContent, "utf-8");
+      fix.applied = true;
+    }
+  }
+  return fixes;
+}
 // src/cli.ts
-var VERSION = "0.2.0";
+var fs3 = __toESM(require("fs"));
+var path3 = __toESM(require("path"));
+var VERSION = "0.3.1";
 var scoreStyles = {
   A: { color: import_chalk.default.green },
   B: { color: import_chalk.default.blue },
@@ -808,17 +1021,15 @@ function printSummary(result) {
   }
   console.log();
 }
-function printFixes(issues) {
+function printRecommendations(issues) {
   if (issues.length === 0) return;
   console.log(`  ${import_chalk.default.bold("Recommendations:")}`);
   const hasSecrets = issues.some((i) => i.type === "secret");
   const hasPII = issues.some((i) => i.type === "pii");
   const hasConfig = issues.some((i) => i.type === "config");
-  const hasVulnerabilities = issues.some((i) => i.type === "vulnerability");
   const hasXSS = issues.some((i) => i.category === "xss");
   const hasInjection = issues.some((i) => i.category === "injection");
   const hasCORS = issues.some((i) => i.category === "cors");
-  const hasDebug = issues.some((i) => i.category === "debug");
   if (hasSecrets) {
     console.log(import_chalk.default.gray("    - Use environment variables for secrets"));
     console.log(import_chalk.default.gray("    - Never commit API keys to version control"));
@@ -831,19 +1042,13 @@ function printFixes(issues) {
   }
   if (hasXSS) {
     console.log(import_chalk.default.gray("    - Sanitize user input before rendering HTML"));
-    console.log(import_chalk.default.gray("    - Use textContent instead of innerHTML"));
   }
   if (hasInjection) {
     console.log(import_chalk.default.gray("    - Use parameterized queries for SQL"));
-    console.log(import_chalk.default.gray("    - Avoid using eval and dynamic code execution"));
   }
   if (hasCORS) {
     console.log(import_chalk.default.gray("    - Configure CORS with specific allowed origins"));
   }
-  if (hasDebug) {
-    console.log(import_chalk.default.gray("    - Remove console.log statements before production"));
-    console.log(import_chalk.default.gray("    - Use environment variables for debug flags"));
-  }
   console.log();
 }
 function printFooter() {
@@ -853,8 +1058,138 @@ function printFooter() {
   console.log(`  Docs:  ${import_chalk.default.cyan("https://cencori.com/docs")}`);
   console.log();
 }
+function loadFileContents(issues, basePath) {
+  const contents = /* @__PURE__ */ new Map();
+  const uniqueFiles = [...new Set(issues.map((i) => i.file))];
+  for (const file of uniqueFiles) {
+    try {
+      const fullPath = path3.resolve(basePath, file);
+      const content = fs3.readFileSync(fullPath, "utf-8");
+      contents.set(file, content);
+    } catch {
+    }
+  }
+  return contents;
+}
+async function promptForApiKey() {
+  console.log();
+  console.log(import_chalk.default.gray("  \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500"));
+  console.log();
+  console.log(`  ${import_chalk.default.cyan.bold("Cencori Pro")}`);
+  console.log(import_chalk.default.gray("  AI-powered auto-fix requires an API key."));
+  console.log();
+  console.log(`  Get your free API key at:`);
+  console.log(`  ${import_chalk.default.cyan("https://cencori.com/dashboard")} \u2192 API Keys`);
+  console.log();
+  try {
+    const apiKey = await (0, import_prompts.password)({
+      message: "Enter your Cencori API key:",
+      mask: "*"
+    });
+    if (!apiKey || apiKey.trim() === "") {
+      console.log(import_chalk.default.yellow("  No API key entered. Skipping auto-fix."));
+      return void 0;
+    }
+    return apiKey.trim();
+  } catch {
+    return void 0;
+  }
+}
+async function handleAutoFix(result, targetPath) {
+  if (result.issues.length === 0) return;
+  console.log();
+  const shouldFix = await (0, import_prompts.confirm)({
+    message: "Would you like Cencori to auto-fix these issues?",
+    default: false
+  });
+  if (!shouldFix) {
+    console.log();
+    console.log(import_chalk.default.gray("  Skipped auto-fix. Run again anytime to fix issues."));
+    console.log();
+    return;
+  }
+  let apiKey = getApiKey();
+  if (!apiKey) {
+    apiKey = await promptForApiKey();
+    if (!apiKey) {
+      console.log();
+      return;
+    }
+    const validatingSpinner = (0, import_ora.default)({
+      text: "Validating API key...",
+      color: "cyan"
+    }).start();
+    const isValid = await validateApiKey(apiKey);
+    if (!isValid) {
+      validatingSpinner.fail("Invalid API key");
+      console.log(import_chalk.default.red("  The API key could not be validated. Please check and try again."));
+      console.log();
+      return;
+    }
+    validatingSpinner.succeed("API key validated");
+    try {
+      saveApiKey(apiKey);
+      console.log(import_chalk.default.green("  \u2714 API key saved to ~/.cencorirc"));
+    } catch {
+    }
+    setSessionApiKey(apiKey);
+  } else {
+    console.log(import_chalk.default.gray("  Using saved API key..."));
+  }
+  const fileContents = loadFileContents(result.issues, targetPath);
+  const analyzeSpinner = (0, import_ora.default)({
+    text: "Analyzing issues with AI...",
+    color: "cyan"
+  }).start();
+  try {
+    const analysis = await analyzeIssues(result.issues, fileContents);
+    const realIssues = analysis.filter((a) => !a.isFalsePositive);
+    const falsePositives = analysis.filter((a) => a.isFalsePositive);
+    if (falsePositives.length > 0) {
+      analyzeSpinner.succeed(`${import_chalk.default.green(falsePositives.length)} false positives filtered`);
+    } else {
+      analyzeSpinner.succeed("Analysis complete");
+    }
+    if (realIssues.length === 0) {
+      console.log(import_chalk.default.green("  All issues were false positives!"));
+      return;
+    }
+    const fixSpinner = (0, import_ora.default)({
+      text: "Generating fixes...",
+      color: "cyan"
+    }).start();
+    const fixes = await generateFixes(
+      realIssues.map((a) => a.issue),
+      fileContents
+    );
+    fixSpinner.succeed(`Generated ${fixes.length} fixes`);
+    const applySpinner = (0, import_ora.default)({
+      text: "Applying fixes...",
+      color: "cyan"
+    }).start();
+    const appliedFixes = await applyFixes(fixes, fileContents);
+    const appliedCount = appliedFixes.filter((f) => f.applied).length;
+    applySpinner.succeed(`Applied ${appliedCount}/${fixes.length} fixes`);
+    console.log();
+    console.log(`  ${import_chalk.default.bold("Applied fixes:")}`);
+    for (const fix of appliedFixes.filter((f) => f.applied)) {
+      console.log(import_chalk.default.green(`    \u2714 ${fix.issue.file}:${fix.issue.line}`));
+      console.log(import_chalk.default.gray(`      ${fix.explanation}`));
+    }
+    const notApplied = appliedFixes.filter((f) => !f.applied);
+    if (notApplied.length > 0) {
+      console.log();
+      console.log(`  ${import_chalk.default.yellow(`${notApplied.length} issues require manual review`)}`);
+    }
+    console.log();
+  } catch (error) {
+    analyzeSpinner.fail("Auto-fix failed");
+    console.error(import_chalk.default.red(`  Error: ${error instanceof Error ? error.message : "Unknown error"}`));
+    console.log();
+  }
+}
 async function main() {
-  import_commander.program.name("cencori-scan").description("Security scanner for AI apps. Detect secrets, PII, and exposed routes.").version(VERSION).argument("[path]", "Path to scan", ".").option("-j, --json", "Output results as JSON").option("-q, --quiet", "Only output the score").option("--no-color", "Disable colored output").action(async (targetPath, options) => {
+  import_commander.program.name("cencori-scan").description("Security scanner for AI apps. Detect secrets, PII, and exposed routes.").version(VERSION).argument("[path]", "Path to scan", ".").option("-j, --json", "Output results as JSON").option("-q, --quiet", "Only output the score").option("--no-prompt", "Skip interactive prompts").option("--no-color", "Disable colored output").action(async (targetPath, options) => {
     if (options.json) {
       const result = await scan(targetPath);
       console.log(JSON.stringify(result, null, 2));
@@ -880,7 +1215,10 @@ async function main() {
       printScore(result);
       printIssues(result.issues);
       printSummary(result);
-      printFixes(result.issues);
+      printRecommendations(result.issues);
+      if (options.prompt !== false && result.issues.length > 0) {
+        await handleAutoFix(result, targetPath);
+      }
       printFooter();
       process.exit(result.score === "A" || result.score === "B" ? 0 : 1);
     } catch (error) {