@clear-capabilities/agentic-security-scanner 0.74.0

package/src/report/mascot.js

@@ -0,0 +1,42 @@
+// Patch — terminal mascot expressions for the ship-verdict renderer.
+//
+// Mirrors the ALERT (02) and APPROVE (05) expressions from
+// docs/brand/patch-mascot.html, scaled down to a four-line monospace face.
+// The caller passes `color` (the same flag toShipVerdict already gates on);
+// NO_COLOR additionally forces a plain render.
+//
+// Kept self-contained so the bundled scanner has no extra import surface.
+
+const ON = {
+  FROG:  '\x1b[38;2;255;107;44m',
+  DEEP:  '\x1b[38;2;201;52;20m',
+  BOLD:  '\x1b[1m',
+  RESET: '\x1b[0m',
+};
+const OFF = { FROG: '', DEEP: '', BOLD: '', RESET: '' };
+
+function paint(enabled) {
+  return (enabled === false || process.env.NO_COLOR) ? OFF : ON;
+}
+
+// Dilated wide pupils + small "O" mouth: scanner caught something.
+export function alertFace({ color } = {}) {
+  const { FROG, DEEP, BOLD, RESET } = paint(color);
+  return [
+    `   ${FROG}╭───╮ ╭───╮${RESET}`,
+    `   ${FROG}│ ${BOLD}⊙${RESET}${FROG} │ │ ${BOLD}⊙${RESET}${FROG} │${RESET}`,
+    `   ${FROG}╰───╯ ╰───╯${RESET}`,
+    `       ${DEEP}${BOLD}◯${RESET}`,
+  ].join('\n');
+}
+
+// Happy closed eyes + smile: safe to deploy.
+export function approveFace({ color } = {}) {
+  const { FROG, BOLD, RESET } = paint(color);
+  return [
+    `   ${FROG}╭───╮ ╭───╮${RESET}`,
+    `   ${FROG}│ ${BOLD}‿${RESET}${FROG} │ │ ${BOLD}‿${RESET}${FROG} │${RESET}`,
+    `   ${FROG}╰───╯ ╰───╯${RESET}`,
+    `      ${BOLD}‿‿${RESET}`,
+  ].join('\n');
+}

package/src/runScan.js

@@ -0,0 +1,141 @@
+// Filesystem driver: reads a directory, builds the fileContents/depFileContents
+// maps the engine expects, and invokes runFullScan.
+import * as fs from 'node:fs/promises';
+import * as path from 'node:path';
+import * as cp from 'node:child_process';
+import fg from 'fast-glob';
+import { runFullScan, shouldScan } from './engine.js';
+import { appendScanSnapshot } from './posture/security-trend.js';
+import { recover as recoverFixHistory } from './posture/fix-history.js';
+import { stampScan } from './posture/ruleset-version.js';
+
+const DEP_FILE_NAMES = new Set([
+  'package.json','package-lock.json','yarn.lock','pnpm-lock.yaml',
+  'requirements.txt','pyproject.toml','poetry.lock','Pipfile.lock',
+  'composer.json','composer.lock','Gemfile','Gemfile.lock',
+  'go.mod','Cargo.toml','Cargo.lock',
+  'pom.xml','build.gradle','build.gradle.kts',
+  'pubspec.yaml','pubspec.lock',
+]);
+
+const DEFAULT_IGNORE = [
+  '**/node_modules/**','**/.git/**','**/__pycache__/**','**/vendor/**',
+  '**/dist/**','**/build/**','**/.next/**','**/venv/**','**/env/**','**/.venv/**',
+  '**/target/**','**/bin/**','**/obj/**','**/.cache/**','**/coverage/**',
+  '**/bower_components/**','**/tests/**','**/test/**','**/__tests__/**','**/spec/**','**/mocks/**',
+];
+
+export async function readTree(root, { ignore = [] } = {}) {
+  const entries = await fg('**/*', {
+    cwd: root, dot: true, onlyFiles: true,
+    ignore: [...DEFAULT_IGNORE, ...ignore], followSymbolicLinks: false,
+    suppressErrors: true,
+  });
+  const fileContents = {};
+  const depFileContents = {};
+  for (const rel of entries) {
+    const abs = path.join(root, rel);
+    let stat;
+    try { stat = await fs.stat(abs); } catch { continue; }
+    if (stat.size > 500_000) continue;
+    let content;
+    try { content = await fs.readFile(abs, 'utf8'); } catch { continue; }
+    const base = path.basename(rel);
+    if (DEP_FILE_NAMES.has(base)) depFileContents[rel] = content;
+    // Cross-language taint module needs to see openapi/swagger specs even
+    // though they aren't "code" per se. Stash them in depFileContents so
+    // they ride through to runFullScan without polluting the SAST loop.
+    if (/(?:openapi|swagger)\.(?:ya?ml|json)$/i.test(base)) depFileContents[rel] = content;
+    else if (/\.proto$/i.test(base)) depFileContents[rel] = content;
+    else if (/\.(?:graphql|gql)$/i.test(base)) depFileContents[rel] = content;
+    else if (/\.tf$/i.test(base)) depFileContents[rel] = content;
+    if (shouldScan(rel)) fileContents[rel] = content;
+    // Auxiliary files: .properties files are referenced by Java rules
+    // (e.g. OWASP Benchmark's benchmark.properties resolves algorithm
+    // aliases). They are not scannable for vulns themselves, but the
+    // project index parses key=value lines for cross-file lookup.
+    else if (/\.properties$/i.test(rel)) fileContents[rel] = content;
+  }
+  return { fileContents, depFileContents };
+}
+
+// Feat-10: incremental scan via `--changed-since <git-ref>`. Returns the set of
+// repo-relative paths modified since the ref, or null if git is unavailable.
+export function changedSince(root, gitRef) {
+  if (!gitRef) return null;
+  try {
+    const out = cp.execFileSync('git', ['diff', '--name-only', `${gitRef}...HEAD`], {
+      cwd: root, encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'],
+    });
+    const set = new Set(out.split('\n').filter(Boolean));
+    // Also include uncommitted changes
+    try {
+      const dirty = cp.execFileSync('git', ['status', '--porcelain'], {
+        cwd: root, encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'],
+      });
+      for (const line of dirty.split('\n')) {
+        const f = line.slice(3).trim();
+        if (f) set.add(f);
+      }
+    } catch {}
+    return set;
+  } catch {
+    return null;
+  }
+}
+
+export async function runScan(rootDir, opts = {}) {
+  const root = path.resolve(rootDir);
+  const startedAt = new Date().toISOString();
+  const t0 = Date.now();
+  // Premortem 2R4.1: reconcile any pending entries from a crash mid-apply_fix
+  // before we do anything else. Idempotent + best-effort; logs to stderr.
+  try {
+    const recovered = await recoverFixHistory(root);
+    if (Array.isArray(recovered) && recovered.length) {
+      for (const r of recovered) {
+        process.stderr.write(`agentic-security: recovered fix-history entry ${r.id} → status=${r.status}${r.error ? ' (' + r.error + ')' : ''}\n`);
+      }
+    }
+  } catch (_) { /* best-effort */ }
+  // Caller may pre-build fileContents (used by the MCP server's scan_diff to
+  // scope a scan to a specific file list without walking the whole tree).
+  let fileContents, depFileContents;
+  if (opts.fileContents) {
+    fileContents = opts.fileContents;
+    depFileContents = opts.depFileContents || {};
+  } else {
+    ({ fileContents, depFileContents } = await readTree(root, opts));
+  }
+
+  // Feat-10: incremental mode — restrict the scan to files changed since a git ref
+  if (opts.changedSince) {
+    const changed = changedSince(root, opts.changedSince);
+    if (changed) {
+      const filtered = {};
+      for (const f of Object.keys(fileContents)) {
+        if (changed.has(f)) filtered[f] = fileContents[f];
+      }
+      fileContents = filtered;
+    } else if (opts.onProgress) {
+      opts.onProgress({ phase: 'warning', file: 'changedSince ignored: not a git repo or invalid ref', current: 0, total: 0 });
+    }
+  }
+
+  const scan = await runFullScan({ fileContents, depFileContents, scanRoot: root }, opts.onProgress || (()=>{}));
+  // Premortem 2R4.2: stamp ruleset version + source on the scan result, and
+  // notify if the operator pinned a different version than what's installed.
+  try { stampScan(root, scan); } catch {}
+  // Append snapshot to history for /security-trend (non-blocking, never throws)
+  try { appendScanSnapshot(scan, root); } catch {}
+  return {
+    scan,
+    meta: { scanId: cryptoUUID(), startedAt, durationMs: Date.now() - t0, root, mode: opts.changedSince ? 'incremental' : 'full' },
+  };
+}
+
+export const scanPath = runScan;
+
+function cryptoUUID(){
+  return globalThis.crypto?.randomUUID?.() || `scan-${Date.now().toString(36)}`;
+}