@continum/cli 0.1.0

package/src/scanner/local-scan.ts

@@ -0,0 +1,222 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import { ScanResult, Violation, UnknownPattern, Pattern, ContinumConfig } from '../types';
+import { BUILTIN_PATTERNS, isHighEntropyCredential, calculateEntropy } from './patterns';
+
+export class LocalScanner {
+  private patterns: Pattern[] = [];
+  private config: ContinumConfig;
+
+  constructor(config: ContinumConfig, customPatterns: Pattern[] = []) {
+    this.config = config;
+    this.patterns = [...BUILTIN_PATTERNS, ...customPatterns];
+    
+    // Add custom regex patterns from config
+    if (config.patterns?.custom) {
+      config.patterns.custom.forEach((pattern, index) => {
+        this.patterns.push({
+          pattern,
+          patternType: 'CUSTOM',
+          description: `Custom Pattern ${index + 1}`,
+          severity: 'HIGH'
+        });
+      });
+    }
+  }
+
+  async scanFiles(files: string[]): Promise<ScanResult> {
+    const violations: Violation[] = [];
+    const unknownPatterns: UnknownPattern[] = [];
+    let filesScanned = 0;
+
+    for (const file of files) {
+      // Skip ignored files
+      if (this.shouldIgnore(file)) {
+        continue;
+      }
+
+      try {
+        const content = fs.readFileSync(file, 'utf-8');
+        const lines = content.split('\n');
+        
+        filesScanned++;
+
+        // Scan with known patterns
+        const fileViolations = this.scanContent(content, file, lines);
+        violations.push(...fileViolations);
+
+        // Detect high-entropy strings that might be credentials
+        const possibleCredentials = this.detectHighEntropyStrings(content, file, lines);
+        unknownPatterns.push(...possibleCredentials);
+      } catch (error) {
+        // Skip files that can't be read (binary, etc.)
+        continue;
+      }
+    }
+
+    return {
+      violations,
+      unknownPatterns,
+      filesScanned,
+      clean: violations.length === 0 && unknownPatterns.length === 0
+    };
+  }
+
+  private scanContent(content: string, file: string, lines: string[]): Violation[] {
+    const violations: Violation[] = [];
+
+    for (const pattern of this.patterns) {
+      const regex = new RegExp(pattern.pattern, 'gi');
+      let match;
+
+      while ((match = regex.exec(content)) !== null) {
+        const lineNumber = this.getLineNumber(content, match.index);
+        
+        violations.push({
+          file,
+          line: lineNumber,
+          type: pattern.patternType,
+          pattern: pattern.pattern,
+          value: match[0],
+          severity: pattern.severity,
+          message: pattern.description
+        });
+      }
+    }
+
+    return violations;
+  }
+
+  private detectHighEntropyStrings(content: string, file: string, lines: string[]): UnknownPattern[] {
+    const unknownPatterns: UnknownPattern[] = [];
+    
+    // Look for string assignments with high entropy
+    const stringPatterns = [
+      /(\w+)\s*[:=]\s*["']([a-zA-Z0-9_\-+=\/]{16,})["']/g,
+      /const\s+(\w+)\s*=\s*["']([a-zA-Z0-9_\-+=\/]{16,})["']/g,
+      /let\s+(\w+)\s*=\s*["']([a-zA-Z0-9_\-+=\/]{16,})["']/g,
+      /var\s+(\w+)\s*=\s*["']([a-zA-Z0-9_\-+=\/]{16,})["']/g
+    ];
+
+    for (const pattern of stringPatterns) {
+      let match;
+      while ((match = pattern.exec(content)) !== null) {
+        const variableName = match[1];
+        const value = match[2];
+        const lineNumber = this.getLineNumber(content, match.index);
+        
+        // Get surrounding context
+        const contextStart = Math.max(0, lineNumber - 3);
+        const contextEnd = Math.min(lines.length, lineNumber + 2);
+        const surroundingCode = lines.slice(contextStart, contextEnd).join('\n');
+        
+        // Check if this looks like a credential
+        if (isHighEntropyCredential(value, variableName + ' ' + surroundingCode)) {
+          // Check if it matches any known pattern
+          const matchesKnown = this.patterns.some(p => 
+            new RegExp(p.pattern, 'i').test(value)
+          );
+          
+          if (!matchesKnown) {
+            const suggestedPattern = this.extractPattern(value);
+            const confidence = this.calculateConfidence(value, variableName);
+            
+            unknownPatterns.push({
+              value,
+              suggestedPattern,
+              confidence,
+              context: {
+                file,
+                line: lineNumber,
+                variableName,
+                surroundingCode
+              }
+            });
+          }
+        }
+      }
+    }
+
+    return unknownPatterns;
+  }
+
+  private extractPattern(value: string): string {
+    // Try to extract a pattern from the value
+    const hasPrefix = /^[a-z]{2,}_/.test(value);
+    
+    if (hasPrefix) {
+      const prefix = value.match(/^[a-z_]+/)?.[0] || '';
+      const rest = value.slice(prefix.length);
+      
+      // Determine character set
+      const hasUppercase = /[A-Z]/.test(rest);
+      const hasLowercase = /[a-z]/.test(rest);
+      const hasDigits = /[0-9]/.test(rest);
+      const hasSpecial = /[_\-]/.test(rest);
+      
+      let charSet = '';
+      if (hasUppercase) charSet += 'A-Z';
+      if (hasLowercase) charSet += 'a-z';
+      if (hasDigits) charSet += '0-9';
+      if (hasSpecial) charSet += '_\\-';
+      
+      return `${prefix}[${charSet}]{${rest.length}}`;
+    }
+    
+    // No clear prefix, just match character set and length
+    const hasUppercase = /[A-Z]/.test(value);
+    const hasLowercase = /[a-z]/.test(value);
+    const hasDigits = /[0-9]/.test(value);
+    const hasSpecial = /[_\-+=\/]/.test(value);
+    
+    let charSet = '';
+    if (hasUppercase) charSet += 'A-Z';
+    if (hasLowercase) charSet += 'a-z';
+    if (hasDigits) charSet += '0-9';
+    if (hasSpecial) charSet += '_\\-+=\\/';
+    
+    return `[${charSet}]{${value.length}}`;
+  }
+
+  private calculateConfidence(value: string, variableName: string): 'HIGH' | 'MEDIUM' | 'LOW' {
+    const entropy = calculateEntropy(value);
+    const suspiciousNames = ['key', 'token', 'secret', 'password', 'credential', 'auth', 'api'];
+    const hasSuspiciousName = suspiciousNames.some(name => 
+      variableName.toLowerCase().includes(name)
+    );
+    
+    if (entropy > 5.0 && hasSuspiciousName) return 'HIGH';
+    if (entropy > 4.5 && hasSuspiciousName) return 'MEDIUM';
+    if (entropy > 5.5) return 'MEDIUM';
+    return 'LOW';
+  }
+
+  private getLineNumber(content: string, index: number): number {
+    return content.substring(0, index).split('\n').length;
+  }
+
+  private shouldIgnore(file: string): boolean {
+    const normalizedFile = file.replace(/\\/g, '/');
+    
+    return this.config.ignore.some(pattern => {
+      // Convert glob pattern to regex
+      const regexPattern = pattern
+        .replace(/\*\*/g, '.*')
+        .replace(/\*/g, '[^/]*')
+        .replace(/\?/g, '.');
+      
+      const regex = new RegExp(regexPattern);
+      return regex.test(normalizedFile);
+    });
+  }
+
+  redactValue(value: string): string {
+    if (value.length <= 8) {
+      return '•'.repeat(value.length);
+    }
+    const visibleChars = 4;
+    const start = value.substring(0, visibleChars);
+    const redacted = '•'.repeat(Math.min(10, value.length - visibleChars));
+    return start + redacted;
+  }
+}

package/src/scanner/pattern-updater.ts

@@ -0,0 +1,94 @@
+import * as fs from 'fs';
+import { ContinumApiClient } from '../api/client';
+import { Pattern } from '../types';
+import { getCacheFile, getCacheDir } from '../config/loader';
+import { BUILTIN_PATTERNS } from './patterns';
+
+interface PatternCache {
+  builtin: Pattern[];
+  customer: Pattern[];
+  global: Pattern[];
+  lastUpdate: number;
+}
+
+export class PatternUpdater {
+  private client: ContinumApiClient;
+  private cacheFile: string;
+
+  constructor(client: ContinumApiClient) {
+    this.client = client;
+    this.cacheFile = getCacheFile();
+  }
+
+  async updatePatterns(force: boolean = false): Promise<void> {
+    const cache = this.loadCache();
+    
+    // Update every 24 hours, or on force
+    if (!force && Date.now() - cache.lastUpdate < 86400000) {
+      return;
+    }
+
+    try {
+      // Fetch patterns from API
+      const patterns = await this.client.getPatternLibrary();
+      
+      // Separate customer and global patterns
+      const customerPatterns = patterns.filter(p => !('isGlobal' in p) || !(p as any).isGlobal);
+      const globalPatterns = patterns.filter(p => (p as any).isGlobal);
+      
+      // Update cache
+      const newCache: PatternCache = {
+        builtin: BUILTIN_PATTERNS,
+        customer: customerPatterns,
+        global: globalPatterns,
+        lastUpdate: Date.now()
+      };
+      
+      this.saveCache(newCache);
+    } catch (error) {
+      // If update fails, continue with cached patterns
+      console.warn('Failed to update patterns, using cache');
+    }
+  }
+
+  loadPatterns(): Pattern[] {
+    const cache = this.loadCache();
+    return [
+      ...cache.builtin,
+      ...cache.customer,
+      ...cache.global
+    ];
+  }
+
+  private loadCache(): PatternCache {
+    if (!fs.existsSync(this.cacheFile)) {
+      return {
+        builtin: BUILTIN_PATTERNS,
+        customer: [],
+        global: [],
+        lastUpdate: 0
+      };
+    }
+
+    try {
+      const content = fs.readFileSync(this.cacheFile, 'utf-8');
+      return JSON.parse(content);
+    } catch (error) {
+      return {
+        builtin: BUILTIN_PATTERNS,
+        customer: [],
+        global: [],
+        lastUpdate: 0
+      };
+    }
+  }
+
+  private saveCache(cache: PatternCache): void {
+    const cacheDir = getCacheDir();
+    if (!fs.existsSync(cacheDir)) {
+      fs.mkdirSync(cacheDir, { recursive: true });
+    }
+    
+    fs.writeFileSync(this.cacheFile, JSON.stringify(cache, null, 2));
+  }
+}

package/src/scanner/patterns.ts

@@ -0,0 +1,156 @@
+import { Pattern } from '../types';
+
+// Built-in credential patterns
+export const BUILTIN_PATTERNS: Pattern[] = [
+  // AWS
+  {
+    pattern: 'AKIA[0-9A-Z]{16}',
+    patternType: 'AWS_ACCESS_KEY',
+    description: 'AWS Access Key ID',
+    severity: 'CRITICAL'
+  },
+  {
+    pattern: 'aws_secret_access_key\\s*=\\s*["\']?([A-Za-z0-9/+=]{40})["\']?',
+    patternType: 'AWS_SECRET_KEY',
+    description: 'AWS Secret Access Key',
+    severity: 'CRITICAL'
+  },
+  
+  // Stripe
+  {
+    pattern: 'sk_live_[0-9a-zA-Z]{24,}',
+    patternType: 'STRIPE_LIVE_KEY',
+    description: 'Stripe Live Secret Key',
+    severity: 'CRITICAL'
+  },
+  {
+    pattern: 'rk_live_[0-9a-zA-Z]{24,}',
+    patternType: 'STRIPE_RESTRICTED_KEY',
+    description: 'Stripe Restricted Key',
+    severity: 'HIGH'
+  },
+  
+  // GitHub
+  {
+    pattern: 'ghp_[0-9a-zA-Z]{36}',
+    patternType: 'GITHUB_PAT',
+    description: 'GitHub Personal Access Token',
+    severity: 'CRITICAL'
+  },
+  {
+    pattern: 'gho_[0-9a-zA-Z]{36}',
+    patternType: 'GITHUB_OAUTH',
+    description: 'GitHub OAuth Token',
+    severity: 'CRITICAL'
+  },
+  
+  // Anthropic
+  {
+    pattern: 'sk-ant-api03-[0-9a-zA-Z_-]{95}',
+    patternType: 'ANTHROPIC_API_KEY',
+    description: 'Anthropic API Key',
+    severity: 'CRITICAL'
+  },
+  
+  // OpenAI
+  {
+    pattern: 'sk-[a-zA-Z0-9]{48}',
+    patternType: 'OPENAI_API_KEY',
+    description: 'OpenAI API Key',
+    severity: 'CRITICAL'
+  },
+  
+  // Database Connection Strings
+  {
+    pattern: 'postgresql://[^\\s:]+:[^\\s@]+@[^\\s/]+',
+    patternType: 'POSTGRES_CONNECTION',
+    description: 'PostgreSQL Connection String with Password',
+    severity: 'CRITICAL'
+  },
+  {
+    pattern: 'mysql://[^\\s:]+:[^\\s@]+@[^\\s/]+',
+    patternType: 'MYSQL_CONNECTION',
+    description: 'MySQL Connection String with Password',
+    severity: 'CRITICAL'
+  },
+  {
+    pattern: 'mongodb(\\+srv)?://[^\\s:]+:[^\\s@]+@[^\\s/]+',
+    patternType: 'MONGODB_CONNECTION',
+    description: 'MongoDB Connection String with Password',
+    severity: 'CRITICAL'
+  },
+  
+  // Private Keys
+  {
+    pattern: '-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----',
+    patternType: 'PRIVATE_KEY',
+    description: 'Private Key (PEM format)',
+    severity: 'CRITICAL'
+  },
+  
+  // Generic API Keys (high entropy)
+  {
+    pattern: '(api[_-]?key|apikey|api[_-]?secret)\\s*[:=]\\s*["\']([a-zA-Z0-9_\\-]{32,})["\']',
+    patternType: 'GENERIC_API_KEY',
+    description: 'Generic API Key',
+    severity: 'HIGH'
+  },
+  
+  // JWT Tokens
+  {
+    pattern: 'eyJ[a-zA-Z0-9_-]*\\.eyJ[a-zA-Z0-9_-]*\\.[a-zA-Z0-9_-]*',
+    patternType: 'JWT_TOKEN',
+    description: 'JWT Token',
+    severity: 'HIGH'
+  },
+  
+  // UK PII
+  {
+    pattern: '\\b[A-Z]{2}[0-9]{6}[A-Z]?\\b',
+    patternType: 'NHS_NUMBER',
+    description: 'NHS Number',
+    severity: 'HIGH'
+  },
+  {
+    pattern: '\\b[A-Z]{2}\\s?[0-9]{2}\\s?[0-9]{2}\\s?[0-9]{2}\\s?[A-Z]\\b',
+    patternType: 'NI_NUMBER',
+    description: 'National Insurance Number',
+    severity: 'HIGH'
+  }
+];
+
+// Calculate entropy of a string (measure of randomness)
+export function calculateEntropy(str: string): number {
+  const len = str.length;
+  const frequencies: { [key: string]: number } = {};
+  
+  for (const char of str) {
+    frequencies[char] = (frequencies[char] || 0) + 1;
+  }
+  
+  let entropy = 0;
+  for (const char in frequencies) {
+    const p = frequencies[char] / len;
+    entropy -= p * Math.log2(p);
+  }
+  
+  return entropy;
+}
+
+// Check if a string looks like a credential based on entropy and context
+export function isHighEntropyCredential(value: string, context: string): boolean {
+  // Must be long enough
+  if (value.length < 16) return false;
+  
+  // Must have high entropy (randomness)
+  const entropy = calculateEntropy(value);
+  if (entropy < 4.5) return false;
+  
+  // Must be in a suspicious context
+  const suspiciousPatterns = [
+    /\b(key|token|secret|password|credential|auth|api)\b/i,
+    /\b(access|private|bearer|jwt)\b/i
+  ];
+  
+  return suspiciousPatterns.some(pattern => pattern.test(context));
+}

package/src/types.ts

@@ -0,0 +1,64 @@
+export interface ContinumConfig {
+  scanOnCommit: boolean;
+  sandbox: string;
+  apiUrl?: string;
+  apiKey?: string;
+  block: RiskLevel[];
+  warn: RiskLevel[];
+  ignore: string[];
+  patterns?: {
+    custom?: string[];
+  };
+}
+
+export type RiskLevel = 'CRITICAL' | 'HIGH' | 'MEDIUM' | 'LOW';
+
+export interface Violation {
+  file: string;
+  line: number;
+  type: string;
+  pattern: string;
+  value: string;
+  severity: RiskLevel;
+  message?: string;
+}
+
+export interface UnknownPattern {
+  value: string;
+  suggestedPattern: string;
+  confidence: 'HIGH' | 'MEDIUM' | 'LOW';
+  context: {
+    file: string;
+    line: number;
+    variableName?: string;
+    surroundingCode?: string;
+  };
+}
+
+export interface ScanResult {
+  violations: Violation[];
+  unknownPatterns: UnknownPattern[];
+  filesScanned: number;
+  clean: boolean;
+}
+
+export interface Pattern {
+  pattern: string;
+  patternType: string;
+  description: string;
+  severity: RiskLevel;
+}
+
+export interface ApprovePatternDto {
+  pattern: string;
+  patternType: string;
+  description: string;
+  severity: RiskLevel;
+  exampleValue: string;
+  confidence: string;
+  context: {
+    file: string;
+    line: number;
+    variableName?: string;
+  };
+}

package/tsconfig.json

@@ -0,0 +1,19 @@
+{
+  "compilerOptions": {
+    "target": "ES2020",
+    "module": "commonjs",
+    "lib": ["ES2020"],
+    "outDir": "./dist",
+    "rootDir": "./src",
+    "strict": true,
+    "esModuleInterop": true,
+    "skipLibCheck": true,
+    "forceConsistentCasingInFileNames": true,
+    "resolveJsonModule": true,
+    "declaration": true,
+    "declarationMap": true,
+    "sourceMap": true
+  },
+  "include": ["src/**/*"],
+  "exclude": ["node_modules", "dist"]
+}