@darrenjcoxon/codeguard 1.0.0

package/dist/scanners/semgrep.js

@@ -0,0 +1,175 @@
+/**
+ * Semgrep Scanner
+ *
+ * Provides SAST scanning using Semgrep CLI with fallback to MCP
+ * Covers: security, quality, style categories
+ */
+import { execSync, exec } from 'child_process';
+import { promisify } from 'util';
+import { generateFingerprint } from '../types.js';
+const execAsync = promisify(exec);
+export class SemgrepScanner {
+    name = 'semgrep';
+    categories = ['security', 'quality', 'style'];
+    rulesets;
+    constructor(rulesets = ['auto']) {
+        // Default rulesets for comprehensive scanning
+        this.rulesets = rulesets.length > 0 && rulesets[0] !== 'auto' ? rulesets : [
+            'p/security-audit', // Security vulnerabilities
+            'p/secrets', // Secret detection
+            'p/javascript', // JS best practices
+            'p/nodejs', // Node.js specific
+            'p/typescript', // TypeScript specific
+            'p/owasp-top-ten' // OWASP Top 10
+        ];
+    }
+    async isAvailable() {
+        try {
+            execSync('semgrep --version', { stdio: 'pipe' });
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async scan(target, config) {
+        const startTime = Date.now();
+        if (!await this.isAvailable()) {
+            return {
+                scanner: this.name,
+                success: false,
+                error: 'Semgrep CLI not installed. Install with: pip install semgrep',
+                findings: [],
+                metrics: { duration: Date.now() - startTime }
+            };
+        }
+        try {
+            const findings = await this.runSemgrep(target);
+            return {
+                scanner: this.name,
+                success: true,
+                findings,
+                metrics: {
+                    duration: Date.now() - startTime,
+                    filesScanned: findings.length > 0 ? new Set(findings.map(f => f.file)).size : 0
+                }
+            };
+        }
+        catch (error) {
+            return {
+                scanner: this.name,
+                success: false,
+                error: error instanceof Error ? error.message : String(error),
+                findings: [],
+                metrics: { duration: Date.now() - startTime }
+            };
+        }
+    }
+    async runSemgrep(target) {
+        const configArgs = this.rulesets.map(r => `--config ${r}`).join(' ');
+        // Build exclude patterns
+        const defaultExcludes = [
+            'node_modules',
+            'vendor',
+            '.git',
+            'dist',
+            'build',
+            '__pycache__',
+            '*.min.js',
+            '*.bundle.js'
+        ];
+        const excludes = [...defaultExcludes, ...(target.exclude || [])];
+        const excludeArgs = excludes.map(e => `--exclude '${e}'`).join(' ');
+        const cmd = `semgrep ${configArgs} ${excludeArgs} --json --quiet ${target.path}`;
+        try {
+            const { stdout } = await execAsync(cmd, {
+                timeout: 300000, // 5 minutes
+                maxBuffer: 50 * 1024 * 1024 // 50MB buffer for large outputs
+            });
+            const output = JSON.parse(stdout);
+            return this.transformFindings(output.results);
+        }
+        catch (error) {
+            // Semgrep returns exit code 1 when findings exist
+            if (error.stdout) {
+                try {
+                    const output = JSON.parse(error.stdout);
+                    return this.transformFindings(output.results);
+                }
+                catch {
+                    throw new Error(`Failed to parse Semgrep output: ${error.message}`);
+                }
+            }
+            throw error;
+        }
+    }
+    transformFindings(semgrepFindings) {
+        return semgrepFindings.map(sf => {
+            const severity = this.mapSeverity(sf.extra.severity);
+            const category = this.mapCategory(sf.check_id, sf.extra.metadata);
+            const finding = {
+                id: `semgrep-${sf.check_id}-${sf.path}-${sf.start.line}`,
+                source: this.name,
+                severity,
+                category,
+                file: sf.path,
+                line: sf.start.line,
+                endLine: sf.end.line,
+                column: sf.start.col,
+                endColumn: sf.end.col,
+                title: sf.check_id.split('.').pop() || sf.check_id,
+                description: sf.extra.message,
+                snippet: sf.extra.lines,
+                cwe: sf.extra.metadata?.cwe?.[0],
+                owasp: sf.extra.metadata?.owasp?.[0],
+                suggestion: sf.extra.fix,
+                fixAvailable: !!sf.extra.fix,
+                autoFixable: !!sf.extra.fix,
+                ruleId: sf.check_id,
+                ruleUrl: sf.extra.metadata?.references?.[0],
+                confidence: this.mapConfidence(sf.extra.metadata?.confidence),
+                fingerprint: ''
+            };
+            finding.fingerprint = generateFingerprint(finding);
+            return finding;
+        });
+    }
+    mapSeverity(semgrepSeverity) {
+        const mapping = {
+            'ERROR': 'high',
+            'WARNING': 'medium',
+            'INFO': 'low'
+        };
+        return mapping[semgrepSeverity.toUpperCase()] || 'medium';
+    }
+    mapCategory(ruleId, metadata) {
+        // Check rule ID patterns
+        if (ruleId.includes('secret') || ruleId.includes('password') || ruleId.includes('key')) {
+            return 'secret';
+        }
+        if (ruleId.includes('security') || ruleId.includes('injection') || ruleId.includes('xss')) {
+            return 'security';
+        }
+        // Check metadata category
+        const cat = metadata?.category?.toLowerCase();
+        if (cat?.includes('security'))
+            return 'security';
+        if (cat?.includes('best-practice'))
+            return 'quality';
+        return 'security'; // Default for Semgrep
+    }
+    mapConfidence(confidence) {
+        if (!confidence)
+            return undefined;
+        const c = confidence.toLowerCase();
+        if (c === 'high')
+            return 'high';
+        if (c === 'medium')
+            return 'medium';
+        if (c === 'low')
+            return 'low';
+        return undefined;
+    }
+}
+export default SemgrepScanner;
+//# sourceMappingURL=semgrep.js.map

package/dist/scanners/semgrep.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"semgrep.js","sourceRoot":"","sources":["../../src/scanners/semgrep.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,eAAe,CAAC;AAC/C,OAAO,EAAE,SAAS,EAAE,MAAM,MAAM,CAAC;AAEjC,OAAO,EAQL,mBAAmB,EACpB,MAAM,aAAa,CAAC;AAErB,MAAM,SAAS,GAAG,SAAS,CAAC,IAAI,CAAC,CAAC;AA+BlC,MAAM,OAAO,cAAc;IACzB,IAAI,GAAG,SAAS,CAAC;IACjB,UAAU,GAAsB,CAAC,UAAU,EAAE,SAAS,EAAE,OAAO,CAAC,CAAC;IAEzD,QAAQ,CAAW;IAE3B,YAAY,WAAqB,CAAC,MAAM,CAAC;QACvC,8CAA8C;QAC9C,IAAI,CAAC,QAAQ,GAAG,QAAQ,CAAC,MAAM,GAAG,CAAC,IAAI,QAAQ,CAAC,CAAC,CAAC,KAAK,MAAM,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;YACzE,kBAAkB,EAAO,2BAA2B;YACpD,WAAW,EAAc,mBAAmB;YAC5C,cAAc,EAAW,oBAAoB;YAC7C,UAAU,EAAe,mBAAmB;YAC5C,cAAc,EAAW,sBAAsB;YAC/C,iBAAiB,CAAQ,eAAe;SACzC,CAAC;IACJ,CAAC;IAED,KAAK,CAAC,WAAW;QACf,IAAI,CAAC;YACH,QAAQ,CAAC,mBAAmB,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,CAAC,CAAC;YACjD,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,MAAkB,EAAE,MAAsB;QACnD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,IAAI,CAAC,MAAM,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YAC9B,OAAO;gBACL,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,8DAA8D;gBACrE,QAAQ,EAAE,EAAE;gBACZ,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE;aAC9C,CAAC;QACJ,CAAC;QAED,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC;YAE/C,OAAO;gBACL,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,OAAO,EAAE,IAAI;gBACb,QAAQ;gBACR,OAAO,EAAE;oBACP,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;oBAChC,YAAY,EAAE,QAAQ,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;iBAChF;aACF,CAAC;QACJ,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO;gBACL,OAAO,EAAE,IAAI,CAAC,IAAI;gBAClB,OAAO,EAAE,KAAK;gBACd,KAAK,EAAE,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC;gBAC7D,QAAQ,EAAE,EAAE;gBACZ,OAAO,EAAE,EAAE,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,EAAE;aAC9C,CAAC;QACJ,CAAC;IACH,CAAC;IAEO,KAAK,CAAC,UAAU,CAAC,MAAkB;QACzC,MAAM,UAAU,GAAG,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAErE,yBAAyB;QACzB,MAAM,eAAe,GAAG;YACtB,cAAc;YACd,QAAQ;YACR,MAAM;YACN,MAAM;YACN,OAAO;YACP,aAAa;YACb,UAAU;YACV,aAAa;SACd,CAAC;QACF,MAAM,QAAQ,GAAG,CAAC,GAAG,eAAe,EAAE,GAAG,CAAC,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC,CAAC,CAAC;QACjE,MAAM,WAAW,GAAG,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEpE,MAAM,GAAG,GAAG,WAAW,UAAU,IAAI,WAAW,mBAAmB,MAAM,CAAC,IAAI,EAAE,CAAC;QAEjF,IAAI,CAAC;YACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE;gBACtC,OAAO,EAAE,MAAM,EAAE,YAAY;gBAC7B,SAAS,EAAE,EAAE,GAAG,IAAI,GAAG,IAAI,CAAC,gCAAgC;aAC7D,CAAC,CAAC;YAEH,MAAM,MAAM,GAAkB,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YACjD,OAAO,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAEhD,CAAC;QAAC,OAAO,KAAU,EAAE,CAAC;YACpB,kDAAkD;YAClD,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;gBACjB,IAAI,CAAC;oBACH,MAAM,MAAM,GAAkB,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;oBACvD,OAAO,IAAI,CAAC,iBAAiB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;gBAChD,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,IAAI,KAAK,CAAC,mCAAmC,KAAK,CAAC,OAAO,EAAE,CAAC,CAAC;gBACtE,CAAC;YACH,CAAC;YACD,MAAM,KAAK,CAAC;QACd,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,eAAiC;QACzD,OAAO,eAAe,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE;YAC9B,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC,QAAQ,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC;YAElE,MAAM,OAAO,GAAY;gBACvB,EAAE,EAAE,WAAW,EAAE,CAAC,QAAQ,IAAI,EAAE,CAAC,IAAI,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,EAAE;gBACxD,MAAM,EAAE,IAAI,CAAC,IAAI;gBACjB,QAAQ;gBACR,QAAQ;gBACR,IAAI,EAAE,EAAE,CAAC,IAAI;gBACb,IAAI,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI;gBACnB,OAAO,EAAE,EAAE,CAAC,GAAG,CAAC,IAAI;gBACpB,MAAM,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG;gBACpB,SAAS,EAAE,EAAE,CAAC,GAAG,CAAC,GAAG;gBACrB,KAAK,EAAE,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,QAAQ;gBAClD,WAAW,EAAE,EAAE,CAAC,KAAK,CAAC,OAAO;gBAC7B,OAAO,EAAE,EAAE,CAAC,KAAK,CAAC,KAAK;gBACvB,GAAG,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;gBAChC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC;gBACpC,UAAU,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG;gBACxB,YAAY,EAAE,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG;gBAC5B,WAAW,EAAE,CAAC,CAAC,EAAE,CAAC,KAAK,CAAC,GAAG;gBAC3B,MAAM,EAAE,EAAE,CAAC,QAAQ;gBACnB,OAAO,EAAE,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,UAAU,EAAE,CAAC,CAAC,CAAC;gBAC3C,UAAU,EAAE,IAAI,CAAC,aAAa,CAAC,EAAE,CAAC,KAAK,CAAC,QAAQ,EAAE,UAAU,CAAC;gBAC7D,WAAW,EAAE,EAAE;aAChB,CAAC;YAEF,OAAO,CAAC,WAAW,GAAG,mBAAmB,CAAC,OAAO,CAAC,CAAC;YACnD,OAAO,OAAO,CAAC;QACjB,CAAC,CAAC,CAAC;IACL,CAAC;IAEO,WAAW,CAAC,eAAuB;QACzC,MAAM,OAAO,GAAkC;YAC7C,OAAO,EAAE,MAAM;YACf,SAAS,EAAE,QAAQ;YACnB,MAAM,EAAE,KAAK;SACd,CAAC;QACF,OAAO,OAAO,CAAC,eAAe,CAAC,WAAW,EAAE,CAAC,IAAI,QAAQ,CAAC;IAC5D,CAAC;IAEO,WAAW,CAAC,MAAc,EAAE,QAA8C;QAChF,yBAAyB;QACzB,IAAI,MAAM,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YACvF,OAAO,QAAQ,CAAC;QAClB,CAAC;QACD,IAAI,MAAM,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1F,OAAO,UAAU,CAAC;QACpB,CAAC;QAED,0BAA0B;QAC1B,MAAM,GAAG,GAAG,QAAQ,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;QAC9C,IAAI,GAAG,EAAE,QAAQ,CAAC,UAAU,CAAC;YAAE,OAAO,UAAU,CAAC;QACjD,IAAI,GAAG,EAAE,QAAQ,CAAC,eAAe,CAAC;YAAE,OAAO,SAAS,CAAC;QAErD,OAAO,UAAU,CAAC,CAAC,sBAAsB;IAC3C,CAAC;IAEO,aAAa,CAAC,UAAmB;QACvC,IAAI,CAAC,UAAU;YAAE,OAAO,SAAS,CAAC;QAClC,MAAM,CAAC,GAAG,UAAU,CAAC,WAAW,EAAE,CAAC;QACnC,IAAI,CAAC,KAAK,MAAM;YAAE,OAAO,MAAM,CAAC;QAChC,IAAI,CAAC,KAAK,QAAQ;YAAE,OAAO,QAAQ,CAAC;QACpC,IAAI,CAAC,KAAK,KAAK;YAAE,OAAO,KAAK,CAAC;QAC9B,OAAO,SAAS,CAAC;IACnB,CAAC;CACF;AAED,eAAe,cAAc,CAAC"}