@datahogo/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (153) hide show
  1. package/LICENSE +661 -0
  2. package/README.md +17 -0
  3. package/dist/engines/config.d.ts +3 -0
  4. package/dist/engines/config.d.ts.map +1 -0
  5. package/dist/engines/config.js +433 -0
  6. package/dist/engines/config.js.map +1 -0
  7. package/dist/engines/dast.d.ts +3 -0
  8. package/dist/engines/dast.d.ts.map +1 -0
  9. package/dist/engines/dast.js +167 -0
  10. package/dist/engines/dast.js.map +1 -0
  11. package/dist/engines/db-rules.d.ts +3 -0
  12. package/dist/engines/db-rules.d.ts.map +1 -0
  13. package/dist/engines/db-rules.js +166 -0
  14. package/dist/engines/db-rules.js.map +1 -0
  15. package/dist/engines/dependencies.d.ts +3 -0
  16. package/dist/engines/dependencies.d.ts.map +1 -0
  17. package/dist/engines/dependencies.js +167 -0
  18. package/dist/engines/dependencies.js.map +1 -0
  19. package/dist/engines/github-actions.d.ts +3 -0
  20. package/dist/engines/github-actions.d.ts.map +1 -0
  21. package/dist/engines/github-actions.js +215 -0
  22. package/dist/engines/github-actions.js.map +1 -0
  23. package/dist/engines/gitleaks.d.ts +3 -0
  24. package/dist/engines/gitleaks.d.ts.map +1 -0
  25. package/dist/engines/gitleaks.js +107 -0
  26. package/dist/engines/gitleaks.js.map +1 -0
  27. package/dist/engines/npm-audit.d.ts +3 -0
  28. package/dist/engines/npm-audit.d.ts.map +1 -0
  29. package/dist/engines/npm-audit.js +113 -0
  30. package/dist/engines/npm-audit.js.map +1 -0
  31. package/dist/engines/patterns.d.ts +3 -0
  32. package/dist/engines/patterns.d.ts.map +1 -0
  33. package/dist/engines/patterns.js +1330 -0
  34. package/dist/engines/patterns.js.map +1 -0
  35. package/dist/engines/secrets.d.ts +4 -0
  36. package/dist/engines/secrets.d.ts.map +1 -0
  37. package/dist/engines/secrets.js +260 -0
  38. package/dist/engines/secrets.js.map +1 -0
  39. package/dist/engines/semgrep.d.ts +3 -0
  40. package/dist/engines/semgrep.d.ts.map +1 -0
  41. package/dist/engines/semgrep.js +173 -0
  42. package/dist/engines/semgrep.js.map +1 -0
  43. package/dist/engines/types.d.ts +30 -0
  44. package/dist/engines/types.d.ts.map +1 -0
  45. package/dist/engines/types.js +3 -0
  46. package/dist/engines/types.js.map +1 -0
  47. package/dist/engines/url-scanner.d.ts +3 -0
  48. package/dist/engines/url-scanner.d.ts.map +1 -0
  49. package/dist/engines/url-scanner.js +469 -0
  50. package/dist/engines/url-scanner.js.map +1 -0
  51. package/dist/index.d.ts +8 -0
  52. package/dist/index.d.ts.map +1 -0
  53. package/dist/index.js +8 -0
  54. package/dist/index.js.map +1 -0
  55. package/dist/orchestrator.d.ts +32 -0
  56. package/dist/orchestrator.d.ts.map +1 -0
  57. package/dist/orchestrator.js +237 -0
  58. package/dist/orchestrator.js.map +1 -0
  59. package/dist/rules/.gitkeep +0 -0
  60. package/dist/rules/ai-llm-security.yaml +199 -0
  61. package/dist/rules/api-security.yaml +489 -0
  62. package/dist/rules/auth-patterns.yaml +406 -0
  63. package/dist/rules/crypto-patterns.yaml +227 -0
  64. package/dist/rules/database-cloud-security.yaml +169 -0
  65. package/dist/rules/general-security.yaml +588 -0
  66. package/dist/rules/injection-patterns.yaml +318 -0
  67. package/dist/rules/nextjs-security.yaml +532 -0
  68. package/dist/rules/node-security.yaml +380 -0
  69. package/dist/rules/rules/.gitkeep +0 -0
  70. package/dist/rules/rules/ai-llm-security.yaml +199 -0
  71. package/dist/rules/rules/api-security.yaml +489 -0
  72. package/dist/rules/rules/auth-patterns.yaml +406 -0
  73. package/dist/rules/rules/crypto-patterns.yaml +227 -0
  74. package/dist/rules/rules/database-cloud-security.yaml +169 -0
  75. package/dist/rules/rules/general-security.yaml +588 -0
  76. package/dist/rules/rules/injection-patterns.yaml +318 -0
  77. package/dist/rules/rules/nextjs-security.yaml +532 -0
  78. package/dist/rules/rules/node-security.yaml +380 -0
  79. package/dist/rules/rules/supabase-security.yaml +387 -0
  80. package/dist/rules/supabase-security.yaml +387 -0
  81. package/dist/scanning/agents/csharp-agent.d.ts +12 -0
  82. package/dist/scanning/agents/csharp-agent.d.ts.map +1 -0
  83. package/dist/scanning/agents/csharp-agent.js +592 -0
  84. package/dist/scanning/agents/csharp-agent.js.map +1 -0
  85. package/dist/scanning/agents/go-agent.d.ts +14 -0
  86. package/dist/scanning/agents/go-agent.d.ts.map +1 -0
  87. package/dist/scanning/agents/go-agent.js +641 -0
  88. package/dist/scanning/agents/go-agent.js.map +1 -0
  89. package/dist/scanning/agents/java-agent.d.ts +8 -0
  90. package/dist/scanning/agents/java-agent.d.ts.map +1 -0
  91. package/dist/scanning/agents/java-agent.js +807 -0
  92. package/dist/scanning/agents/java-agent.js.map +1 -0
  93. package/dist/scanning/agents/javascript-agent.d.ts +8 -0
  94. package/dist/scanning/agents/javascript-agent.d.ts.map +1 -0
  95. package/dist/scanning/agents/javascript-agent.js +77 -0
  96. package/dist/scanning/agents/javascript-agent.js.map +1 -0
  97. package/dist/scanning/agents/mobile-agent.d.ts +8 -0
  98. package/dist/scanning/agents/mobile-agent.d.ts.map +1 -0
  99. package/dist/scanning/agents/mobile-agent.js +916 -0
  100. package/dist/scanning/agents/mobile-agent.js.map +1 -0
  101. package/dist/scanning/agents/php-agent.d.ts +8 -0
  102. package/dist/scanning/agents/php-agent.d.ts.map +1 -0
  103. package/dist/scanning/agents/php-agent.js +679 -0
  104. package/dist/scanning/agents/php-agent.js.map +1 -0
  105. package/dist/scanning/agents/python-agent.d.ts +8 -0
  106. package/dist/scanning/agents/python-agent.d.ts.map +1 -0
  107. package/dist/scanning/agents/python-agent.js +701 -0
  108. package/dist/scanning/agents/python-agent.js.map +1 -0
  109. package/dist/scanning/agents/supabase-agent.d.ts +8 -0
  110. package/dist/scanning/agents/supabase-agent.d.ts.map +1 -0
  111. package/dist/scanning/agents/supabase-agent.js +484 -0
  112. package/dist/scanning/agents/supabase-agent.js.map +1 -0
  113. package/dist/scanning/orchestrator.d.ts +29 -0
  114. package/dist/scanning/orchestrator.d.ts.map +1 -0
  115. package/dist/scanning/orchestrator.js +186 -0
  116. package/dist/scanning/orchestrator.js.map +1 -0
  117. package/dist/scanning/tech-detector.d.ts +12 -0
  118. package/dist/scanning/tech-detector.d.ts.map +1 -0
  119. package/dist/scanning/tech-detector.js +252 -0
  120. package/dist/scanning/tech-detector.js.map +1 -0
  121. package/dist/scanning/types.d.ts +87 -0
  122. package/dist/scanning/types.d.ts.map +1 -0
  123. package/dist/scanning/types.js +5 -0
  124. package/dist/scanning/types.js.map +1 -0
  125. package/dist/utils/child-process.d.ts +2 -0
  126. package/dist/utils/child-process.d.ts.map +1 -0
  127. package/dist/utils/child-process.js +4 -0
  128. package/dist/utils/child-process.js.map +1 -0
  129. package/dist/utils/context-classifier.d.ts +11 -0
  130. package/dist/utils/context-classifier.d.ts.map +1 -0
  131. package/dist/utils/context-classifier.js +79 -0
  132. package/dist/utils/context-classifier.js.map +1 -0
  133. package/dist/utils/exec.d.ts +18 -0
  134. package/dist/utils/exec.d.ts.map +1 -0
  135. package/dist/utils/exec.js +51 -0
  136. package/dist/utils/exec.js.map +1 -0
  137. package/dist/utils/file-filter.d.ts +4 -0
  138. package/dist/utils/file-filter.d.ts.map +1 -0
  139. package/dist/utils/file-filter.js +68 -0
  140. package/dist/utils/file-filter.js.map +1 -0
  141. package/dist/utils/fs.d.ts +2 -0
  142. package/dist/utils/fs.d.ts.map +1 -0
  143. package/dist/utils/fs.js +5 -0
  144. package/dist/utils/fs.js.map +1 -0
  145. package/dist/utils/logger.d.ts +12 -0
  146. package/dist/utils/logger.d.ts.map +1 -0
  147. package/dist/utils/logger.js +27 -0
  148. package/dist/utils/logger.js.map +1 -0
  149. package/dist/utils/post-processor.d.ts +10 -0
  150. package/dist/utils/post-processor.d.ts.map +1 -0
  151. package/dist/utils/post-processor.js +183 -0
  152. package/dist/utils/post-processor.js.map +1 -0
  153. package/package.json +44 -0
@@ -0,0 +1,166 @@
1
+ // Database rules parser engine - analyzes Supabase RLS and Firebase security rules
2
+ // Parses user-provided rule text to detect misconfigurations
3
+ export function analyzeDbRules(rulesInput, rulesType) {
4
+ const detectedType = rulesType === "auto" ? detectRulesType(rulesInput) : rulesType;
5
+ if (detectedType === "supabase") {
6
+ return analyzeSupabaseRules(rulesInput);
7
+ }
8
+ if (detectedType === "firebase") {
9
+ return analyzeFirebaseRules(rulesInput);
10
+ }
11
+ return [];
12
+ }
13
+ function detectRulesType(input) {
14
+ if (input.includes("CREATE POLICY") || input.includes("ENABLE ROW LEVEL SECURITY") || input.includes("CREATE TABLE")) {
15
+ return "supabase";
16
+ }
17
+ if (input.includes("allow read") || input.includes("allow write") || input.includes("match /") || input.includes(".read") || input.includes(".write")) {
18
+ return "firebase";
19
+ }
20
+ return "unknown";
21
+ }
22
+ // === Supabase RLS Analysis ===
23
+ function analyzeSupabaseRules(sql) {
24
+ const findings = [];
25
+ // Find all CREATE TABLE statements
26
+ const tableRegex = /CREATE\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?(\w+)/gi;
27
+ let tableMatch;
28
+ const tables = [];
29
+ while ((tableMatch = tableRegex.exec(sql)) !== null) {
30
+ tables.push(tableMatch[1]);
31
+ }
32
+ // Check if each table has RLS enabled
33
+ for (const table of tables) {
34
+ const rlsPattern = new RegExp(`ALTER\\s+TABLE\\s+${table}\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, "i");
35
+ if (!rlsPattern.test(sql)) {
36
+ findings.push({
37
+ vulnerability_id: 31,
38
+ severity: "critical",
39
+ category: "supabase",
40
+ title: `RLS Not Enabled on Table: ${table}`,
41
+ description_technical: `Table ${table} does not have Row Level Security enabled. All data is accessible without restrictions.`,
42
+ code_snippet: `CREATE TABLE ${table} (...)\n-- Missing: ALTER TABLE ${table} ENABLE ROW LEVEL SECURITY;`,
43
+ fix_code: `ALTER TABLE ${table} ENABLE ROW LEVEL SECURITY;`,
44
+ status: "open",
45
+ });
46
+ }
47
+ }
48
+ // Check for USING(true) policies (allow everything)
49
+ const policyUsingTrue = /CREATE\s+POLICY\s+["']?(\w+)["']?\s+ON\s+(\w+)[\s\S]*?USING\s*\(\s*true\s*\)/gi;
50
+ let policyMatch;
51
+ while ((policyMatch = policyUsingTrue.exec(sql)) !== null) {
52
+ findings.push({
53
+ vulnerability_id: 32,
54
+ severity: "critical",
55
+ category: "supabase",
56
+ title: `RLS Policy Allows Everything: ${policyMatch[1]}`,
57
+ description_technical: `Policy "${policyMatch[1]}" on table "${policyMatch[2]}" uses USING(true), which allows all rows to be accessed by any user.`,
58
+ code_snippet: policyMatch[0],
59
+ status: "open",
60
+ });
61
+ }
62
+ // Check for tables with RLS enabled but no policies
63
+ for (const table of tables) {
64
+ const rlsEnabled = new RegExp(`ALTER\\s+TABLE\\s+${table}\\s+ENABLE\\s+ROW\\s+LEVEL\\s+SECURITY`, "i").test(sql);
65
+ const hasPolicies = new RegExp(`CREATE\\s+POLICY[\\s\\S]*?ON\\s+${table}\\b`, "i").test(sql);
66
+ if (rlsEnabled && !hasPolicies) {
67
+ findings.push({
68
+ vulnerability_id: 33,
69
+ severity: "high",
70
+ category: "supabase",
71
+ title: `RLS Enabled But No Policies on: ${table}`,
72
+ description_technical: `Table "${table}" has RLS enabled but no policies defined. This blocks ALL access, which may be intentional for service-role-only tables, but verify this is expected.`,
73
+ code_snippet: `ALTER TABLE ${table} ENABLE ROW LEVEL SECURITY;\n-- No CREATE POLICY found for this table`,
74
+ status: "open",
75
+ });
76
+ }
77
+ }
78
+ // Check for RPC functions without auth.uid()
79
+ const functionRegex = /CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+(\w+)[\s\S]*?(?:LANGUAGE\s+plpgsql|LANGUAGE\s+sql)/gi;
80
+ let funcMatch;
81
+ while ((funcMatch = functionRegex.exec(sql)) !== null) {
82
+ const funcBody = funcMatch[0];
83
+ const funcName = funcMatch[1];
84
+ // Skip trigger functions (they use SECURITY DEFINER for a reason)
85
+ if (/RETURNS\s+TRIGGER/i.test(funcBody))
86
+ continue;
87
+ if (!funcBody.includes("auth.uid()") && !funcBody.includes("SECURITY DEFINER")) {
88
+ // Only flag functions that could be called via RPC
89
+ if (!funcName.startsWith("handle_") && !funcName.startsWith("update_")) {
90
+ findings.push({
91
+ vulnerability_id: 36,
92
+ severity: "high",
93
+ category: "supabase",
94
+ title: `RPC Function Without Auth Check: ${funcName}`,
95
+ description_technical: `Function "${funcName}" doesn't check auth.uid(). If exposed via RPC, any user can call it.`,
96
+ code_snippet: funcBody.substring(0, 200),
97
+ status: "open",
98
+ });
99
+ }
100
+ }
101
+ }
102
+ return findings;
103
+ }
104
+ // === Firebase Rules Analysis ===
105
+ function analyzeFirebaseRules(rules) {
106
+ const findings = [];
107
+ // Check for "allow read, write: if true" (Firestore)
108
+ const firestoreOpenRegex = /allow\s+(?:read|write|read,\s*write)\s*:\s*if\s+true/gi;
109
+ let firestoreMatch;
110
+ while ((firestoreMatch = firestoreOpenRegex.exec(rules)) !== null) {
111
+ findings.push({
112
+ vulnerability_id: 39,
113
+ severity: "critical",
114
+ category: "firebase",
115
+ title: "Firestore Rules Allow All Access",
116
+ description_technical: "Rule 'allow read, write: if true' makes your database completely open to anyone.",
117
+ code_snippet: getContextAroundMatch(rules, firestoreMatch.index),
118
+ status: "open",
119
+ });
120
+ }
121
+ // Check for ".read": true or ".write": true (Realtime DB)
122
+ const realtimeOpenRegex = /["']\.(?:read|write)["']\s*:\s*(?:true|"true")/gi;
123
+ let realtimeMatch;
124
+ while ((realtimeMatch = realtimeOpenRegex.exec(rules)) !== null) {
125
+ findings.push({
126
+ vulnerability_id: 40,
127
+ severity: "critical",
128
+ category: "firebase",
129
+ title: "Realtime Database Rules Allow All Access",
130
+ description_technical: "Open .read or .write rules make your database accessible to anyone.",
131
+ code_snippet: getContextAroundMatch(rules, realtimeMatch.index),
132
+ status: "open",
133
+ });
134
+ }
135
+ // Check for permissive storage rules
136
+ const storageOpenRegex = /allow\s+(?:read|write|read,\s*write)\s*:\s*if\s+true[\s\S]*?match\s+\/b\/\{bucket\}\/o\/\{allPaths=\*\*\}/gi;
137
+ if (storageOpenRegex.test(rules)) {
138
+ findings.push({
139
+ vulnerability_id: 41,
140
+ severity: "high",
141
+ category: "firebase",
142
+ title: "Storage Rules Are Permissive",
143
+ description_technical: "Storage rules allow unrestricted access to all files.",
144
+ status: "open",
145
+ });
146
+ }
147
+ // Check for missing request.auth in rules
148
+ if (rules.includes("match /") && !rules.includes("request.auth")) {
149
+ findings.push({
150
+ vulnerability_id: 39,
151
+ severity: "high",
152
+ category: "firebase",
153
+ title: "Firestore Rules Missing Authentication Check",
154
+ description_technical: "Rules don't check request.auth, meaning unauthenticated users may have access.",
155
+ code_snippet: rules.substring(0, 300),
156
+ status: "open",
157
+ });
158
+ }
159
+ return findings;
160
+ }
161
+ function getContextAroundMatch(text, index) {
162
+ const start = Math.max(0, text.lastIndexOf("\n", index - 1));
163
+ const end = text.indexOf("\n", index + 50);
164
+ return text.substring(start, end === -1 ? text.length : end).trim();
165
+ }
166
+ //# sourceMappingURL=db-rules.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"db-rules.js","sourceRoot":"","sources":["../../src/engines/db-rules.ts"],"names":[],"mappings":"AAAA,mFAAmF;AACnF,6DAA6D;AAI7D,MAAM,UAAU,cAAc,CAC5B,UAAkB,EAClB,SAA2C;IAE3C,MAAM,YAAY,GAAG,SAAS,KAAK,MAAM,CAAC,CAAC,CAAC,eAAe,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;IAEpF,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,OAAO,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IACD,IAAI,YAAY,KAAK,UAAU,EAAE,CAAC;QAChC,OAAO,oBAAoB,CAAC,UAAU,CAAC,CAAC;IAC1C,CAAC;IAED,OAAO,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,eAAe,CAAC,KAAa;IACpC,IAAI,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,2BAA2B,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACrH,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,aAAa,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACtJ,OAAO,UAAU,CAAC;IACpB,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,gCAAgC;AAEhC,SAAS,oBAAoB,CAAC,GAAW;IACvC,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,mCAAmC;IACnC,MAAM,UAAU,GAAG,mDAAmD,CAAC;IACvE,IAAI,UAAU,CAAC;IACf,MAAM,MAAM,GAAa,EAAE,CAAC;IAE5B,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACpD,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC;IAC7B,CAAC;IAED,sCAAsC;IACtC,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,MAAM,CAC3B,qBAAqB,KAAK,wCAAwC,EAClE,GAAG,CACJ,CAAC;QACF,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,6BAA6B,KAAK,EAAE;gBAC3C,qBAAqB,EAAE,SAAS,KAAK,yFAAyF;gBAC9H,YAAY,EAAE,gBAAgB,KAAK,mCAAmC,KAAK,6BAA6B;gBACxG,QAAQ,EAAE,eAAe,KAAK,6BAA6B;gBAC3D,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,oDAAoD;IACpD,MAAM,eAAe,GAAG,gFAAgF,CAAC;IACzG,IAAI,WAAW,CAAC;IAChB,OAAO,CAAC,WAAW,GAAG,eAAe,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAC1D,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,iCAAiC,WAAW,CAAC,CAAC,CAAC,EAAE;YACxD,qBAAqB,EAAE,WAAW,WAAW,CAAC,CAAC,CAAC,eAAe,WAAW,CAAC,CAAC,CAAC,uEAAuE;YACpJ,YAAY,EAAE,WAAW,CAAC,CAAC,CAAC;YAC5B,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,oDAAoD;IACpD,KAAK,MAAM,KAAK,IAAI,MAAM,EAAE,CAAC;QAC3B,MAAM,UAAU,GAAG,IAAI,MAAM,CAC3B,qBAAqB,KAAK,wCAAwC,EAClE,GAAG,CACJ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,MAAM,WAAW,GAAG,IAAI,MAAM,CAC5B,mCAAmC,KAAK,KAAK,EAC7C,GAAG,CACJ,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,IAAI,UAAU,IAAI,CAAC,WAAW,EAAE,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,mCAAmC,KAAK,EAAE;gBACjD,qBAAqB,EAAE,UAAU,KAAK,wJAAwJ;gBAC9L,YAAY,EAAE,eAAe,KAAK,uEAAuE;gBACzG,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,6CAA6C;IAC7C,MAAM,aAAa,GAAG,8FAA8F,CAAC;IACrH,IAAI,SAAS,CAAC;IACd,OAAO,CAAC,SAAS,GAAG,aAAa,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACtD,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QAC9B,MAAM,QAAQ,GAAG,SAAS,CAAC,CAAC,CAAC,CAAC;QAE9B,kEAAkE;QAClE,IAAI,oBAAoB,CAAC,IAAI,CAAC,QAAQ,CAAC;YAAE,SAAS;QAElD,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC/E,mDAAmD;YACnD,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACvE,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,EAAE;oBACpB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,oCAAoC,QAAQ,EAAE;oBACrD,qBAAqB,EAAE,aAAa,QAAQ,uEAAuE;oBACnH,YAAY,EAAE,QAAQ,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;oBACxC,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,kCAAkC;AAElC,SAAS,oBAAoB,CAAC,KAAa;IACzC,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,qDAAqD;IACrD,MAAM,kBAAkB,GAAG,wDAAwD,CAAC;IACpF,IAAI,cAAc,CAAC;IACnB,OAAO,CAAC,cAAc,GAAG,kBAAkB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAClE,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,kCAAkC;YACzC,qBAAqB,EAAE,kFAAkF;YACzG,YAAY,EAAE,qBAAqB,CAAC,KAAK,EAAE,cAAc,CAAC,KAAK,CAAC;YAChE,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,0DAA0D;IAC1D,MAAM,iBAAiB,GAAG,kDAAkD,CAAC;IAC7E,IAAI,aAAa,CAAC;IAClB,OAAO,CAAC,aAAa,GAAG,iBAAiB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QAChE,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,0CAA0C;YACjD,qBAAqB,EAAE,qEAAqE;YAC5F,YAAY,EAAE,qBAAqB,CAAC,KAAK,EAAE,aAAa,CAAC,KAAK,CAAC;YAC/D,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,qCAAqC;IACrC,MAAM,gBAAgB,GAAG,6GAA6G,CAAC;IACvI,IAAI,gBAAgB,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;QACjC,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,8BAA8B;YACrC,qBAAqB,EAAE,uDAAuD;YAC9E,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,0CAA0C;IAC1C,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACjE,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,UAAU;YACpB,KAAK,EAAE,8CAA8C;YACrD,qBAAqB,EAAE,gFAAgF;YACvG,YAAY,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC;YACrC,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,qBAAqB,CAAC,IAAY,EAAE,KAAa;IACxD,MAAM,KAAK,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,KAAK,GAAG,CAAC,CAAC,CAAC,CAAC;IAC7D,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,EAAE,KAAK,GAAG,EAAE,CAAC,CAAC;IAC3C,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;AACtE,CAAC"}
@@ -0,0 +1,3 @@
1
+ import type { FindingData } from "./types.js";
2
+ export declare function analyzeDependencies(files: Map<string, string>): FindingData[];
3
+ //# sourceMappingURL=dependencies.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dependencies.d.ts","sourceRoot":"","sources":["../../src/engines/dependencies.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAyD9C,wBAAgB,mBAAmB,CACjC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GACzB,WAAW,EAAE,CAuFf"}
@@ -0,0 +1,167 @@
1
+ // Dependencies analysis engine - checks for vulnerable packages
2
+ // In production, this calls npm audit and OSV. For now, checks package.json/lock.
3
+ // Known vulnerable packages (subset - in production, use npm audit + OSV API)
4
+ const KNOWN_VULNERABLE = {
5
+ "node-serialize": {
6
+ severity: "critical",
7
+ description: "Remote code execution via deserialization",
8
+ },
9
+ "serialize-javascript": {
10
+ severity: "high",
11
+ description: "Cross-site scripting via crafted regex",
12
+ fixVersion: "3.1.0",
13
+ },
14
+ "lodash": {
15
+ severity: "high",
16
+ description: "Prototype pollution in older versions",
17
+ fixVersion: "4.17.21",
18
+ },
19
+ "minimist": {
20
+ severity: "high",
21
+ description: "Prototype pollution",
22
+ fixVersion: "1.2.6",
23
+ },
24
+ "axios": {
25
+ severity: "medium",
26
+ description: "SSRF via server-side requests",
27
+ fixVersion: "1.6.0",
28
+ },
29
+ "jsonwebtoken": {
30
+ severity: "high",
31
+ description: "Algorithm confusion vulnerability in older versions",
32
+ fixVersion: "9.0.0",
33
+ },
34
+ "express": {
35
+ severity: "medium",
36
+ description: "Open redirect in older versions",
37
+ fixVersion: "4.19.2",
38
+ },
39
+ "yaml": {
40
+ severity: "critical",
41
+ description: "Code execution via yaml.load unsafe",
42
+ fixVersion: "2.0.0",
43
+ },
44
+ };
45
+ // Packages that are suspicious or commonly typosquatted
46
+ const SUSPICIOUS_PACKAGES = [
47
+ "crossenv", // typosquat of cross-env
48
+ "event-stream", // known supply chain attack
49
+ "flatmap-stream", // part of event-stream attack
50
+ "eslint-scope", // known compromised version
51
+ "electron-native-notify", // known malware
52
+ "discord.js-user", // typosquat
53
+ "colors-js", // typosquat of colors
54
+ "node-ipc-2", // typosquat
55
+ ];
56
+ export function analyzeDependencies(files) {
57
+ const findings = [];
58
+ const packageJsonContent = files.get("package.json");
59
+ if (!packageJsonContent)
60
+ return findings;
61
+ try {
62
+ const pkg = JSON.parse(packageJsonContent);
63
+ const allDeps = {
64
+ ...pkg.dependencies,
65
+ ...pkg.devDependencies,
66
+ };
67
+ // Check for known vulnerable packages
68
+ for (const [name, versionRange] of Object.entries(allDeps)) {
69
+ const version = String(versionRange);
70
+ const known = KNOWN_VULNERABLE[name];
71
+ if (known) {
72
+ // If fixVersion exists, check if current version might be vulnerable
73
+ if (known.fixVersion && isVersionPotentiallyFixed(version, known.fixVersion)) {
74
+ continue;
75
+ }
76
+ findings.push({
77
+ vulnerability_id: 3,
78
+ severity: known.severity,
79
+ category: "supply-chain",
80
+ title: `Vulnerable Package: ${name}`,
81
+ description_technical: known.description,
82
+ file_path: "package.json",
83
+ code_snippet: `"${name}": "${version}"`,
84
+ fix_description: known.fixVersion
85
+ ? `Update to version ${known.fixVersion} or later`
86
+ : "Remove this package and find a secure alternative",
87
+ owasp_ref: "A06:2021",
88
+ status: "open",
89
+ confidence: known.fixVersion ? "medium" : "high",
90
+ });
91
+ }
92
+ // Check for suspicious packages
93
+ if (SUSPICIOUS_PACKAGES.includes(name)) {
94
+ findings.push({
95
+ vulnerability_id: 137,
96
+ severity: "high",
97
+ category: "supply-chain",
98
+ title: `Suspicious Package: ${name}`,
99
+ description_technical: "This package is known to be malicious or a typosquat of a popular package",
100
+ file_path: "package.json",
101
+ code_snippet: `"${name}": "${version}"`,
102
+ fix_description: "Remove this package immediately and scan for compromises",
103
+ status: "open",
104
+ confidence: "high",
105
+ });
106
+ }
107
+ }
108
+ // Check for unpinned dependencies (using ^ or ~)
109
+ const deps = pkg.dependencies || {};
110
+ let unpinnedCount = 0;
111
+ for (const [, versionRange] of Object.entries(deps)) {
112
+ const version = String(versionRange);
113
+ if (version.startsWith("^") || version.startsWith("~") || version === "*" || version === "latest") {
114
+ unpinnedCount++;
115
+ }
116
+ }
117
+ // Only flag if most deps are unpinned (common enough to not be noise)
118
+ if (unpinnedCount > 5 && unpinnedCount === Object.keys(deps).length) {
119
+ findings.push({
120
+ vulnerability_id: 60,
121
+ severity: "medium",
122
+ category: "supply-chain",
123
+ title: "All Dependencies Use Ranges Instead of Exact Versions",
124
+ file_path: "package.json",
125
+ code_snippet: `${unpinnedCount} dependencies use ^ or ~ version ranges`,
126
+ fix_description: "Pin exact versions in package.json for reproducible builds",
127
+ status: "open",
128
+ confidence: "low",
129
+ });
130
+ }
131
+ }
132
+ catch {
133
+ // Invalid JSON - skip
134
+ }
135
+ return findings;
136
+ }
137
+ function isVersionPotentiallyFixed(currentRange, fixVersion) {
138
+ // Simple heuristic: extract version numbers and compare
139
+ const current = extractVersion(currentRange);
140
+ if (!current)
141
+ return false;
142
+ const fix = fixVersion.split(".").map(Number);
143
+ const cur = current.split(".").map(Number);
144
+ for (let i = 0; i < 3; i++) {
145
+ if ((cur[i] || 0) > (fix[i] || 0))
146
+ return true;
147
+ if ((cur[i] || 0) < (fix[i] || 0))
148
+ return false;
149
+ }
150
+ return true; // equal versions = fixed
151
+ }
152
+ function extractVersion(versionRange) {
153
+ // Handle full semver: ^4.17.21, ~4.17.21, >=4.17.21, 4.17.21
154
+ const fullMatch = versionRange.match(/(\d+\.\d+\.\d+)/);
155
+ if (fullMatch)
156
+ return fullMatch[1];
157
+ // Handle partial: ^4.17, ~4.17 → treat as 4.17.0
158
+ const partialMatch = versionRange.match(/(\d+\.\d+)/);
159
+ if (partialMatch)
160
+ return `${partialMatch[1]}.0`;
161
+ // Handle major only: ^4 → treat as 4.0.0
162
+ const majorMatch = versionRange.match(/(\d+)/);
163
+ if (majorMatch)
164
+ return `${majorMatch[1]}.0.0`;
165
+ return null;
166
+ }
167
+ //# sourceMappingURL=dependencies.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"dependencies.js","sourceRoot":"","sources":["../../src/engines/dependencies.ts"],"names":[],"mappings":"AAAA,gEAAgE;AAChE,kFAAkF;AAIlF,8EAA8E;AAC9E,MAAM,gBAAgB,GAA2G;IAC/H,gBAAgB,EAAE;QAChB,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,2CAA2C;KACzD;IACD,sBAAsB,EAAE;QACtB,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,wCAAwC;QACrD,UAAU,EAAE,OAAO;KACpB;IACD,QAAQ,EAAE;QACR,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,uCAAuC;QACpD,UAAU,EAAE,SAAS;KACtB;IACD,UAAU,EAAE;QACV,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qBAAqB;QAClC,UAAU,EAAE,OAAO;KACpB;IACD,OAAO,EAAE;QACP,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,+BAA+B;QAC5C,UAAU,EAAE,OAAO;KACpB;IACD,cAAc,EAAE;QACd,QAAQ,EAAE,MAAM;QAChB,WAAW,EAAE,qDAAqD;QAClE,UAAU,EAAE,OAAO;KACpB;IACD,SAAS,EAAE;QACT,QAAQ,EAAE,QAAQ;QAClB,WAAW,EAAE,iCAAiC;QAC9C,UAAU,EAAE,QAAQ;KACrB;IACD,MAAM,EAAE;QACN,QAAQ,EAAE,UAAU;QACpB,WAAW,EAAE,qCAAqC;QAClD,UAAU,EAAE,OAAO;KACpB;CACF,CAAC;AAEF,wDAAwD;AACxD,MAAM,mBAAmB,GAAG;IAC1B,UAAU,EAAE,yBAAyB;IACrC,cAAc,EAAE,4BAA4B;IAC5C,gBAAgB,EAAE,8BAA8B;IAChD,cAAc,EAAE,4BAA4B;IAC5C,wBAAwB,EAAE,gBAAgB;IAC1C,iBAAiB,EAAE,YAAY;IAC/B,WAAW,EAAE,sBAAsB;IACnC,YAAY,EAAE,YAAY;CAC3B,CAAC;AAEF,MAAM,UAAU,mBAAmB,CACjC,KAA0B;IAE1B,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,MAAM,kBAAkB,GAAG,KAAK,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;IACrD,IAAI,CAAC,kBAAkB;QAAE,OAAO,QAAQ,CAAC;IAEzC,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,kBAAkB,CAAC,CAAC;QAC3C,MAAM,OAAO,GAAG;YACd,GAAG,GAAG,CAAC,YAAY;YACnB,GAAG,GAAG,CAAC,eAAe;SACvB,CAAC;QAEF,sCAAsC;QACtC,KAAK,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;YAC3D,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;YACrC,MAAM,KAAK,GAAG,gBAAgB,CAAC,IAAI,CAAC,CAAC;YAErC,IAAI,KAAK,EAAE,CAAC;gBACV,qEAAqE;gBACrE,IAAI,KAAK,CAAC,UAAU,IAAI,yBAAyB,CAAC,OAAO,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;oBAC7E,SAAS;gBACX,CAAC;gBAED,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,CAAC;oBACnB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,uBAAuB,IAAI,EAAE;oBACpC,qBAAqB,EAAE,KAAK,CAAC,WAAW;oBACxC,SAAS,EAAE,cAAc;oBACzB,YAAY,EAAE,IAAI,IAAI,OAAO,OAAO,GAAG;oBACvC,eAAe,EAAE,KAAK,CAAC,UAAU;wBAC/B,CAAC,CAAC,qBAAqB,KAAK,CAAC,UAAU,WAAW;wBAClD,CAAC,CAAC,mDAAmD;oBACvD,SAAS,EAAE,UAAU;oBACrB,MAAM,EAAE,MAAM;oBACd,UAAU,EAAE,KAAK,CAAC,UAAU,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM;iBACjD,CAAC,CAAC;YACL,CAAC;YAED,gCAAgC;YAChC,IAAI,mBAAmB,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;gBACvC,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,GAAG;oBACrB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,uBAAuB,IAAI,EAAE;oBACpC,qBAAqB,EAAE,2EAA2E;oBAClG,SAAS,EAAE,cAAc;oBACzB,YAAY,EAAE,IAAI,IAAI,OAAO,OAAO,GAAG;oBACvC,eAAe,EAAE,0DAA0D;oBAC3E,MAAM,EAAE,MAAM;oBACd,UAAU,EAAE,MAAM;iBACnB,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,iDAAiD;QACjD,MAAM,IAAI,GAAG,GAAG,CAAC,YAAY,IAAI,EAAE,CAAC;QACpC,IAAI,aAAa,GAAG,CAAC,CAAC;QACtB,KAAK,MAAM,CAAC,EAAE,YAAY,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;YACpD,MAAM,OAAO,GAAG,MAAM,CAAC,YAAY,CAAC,CAAC;YACrC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;gBAClG,aAAa,EAAE,CAAC;YAClB,CAAC;QACH,CAAC;QACD,sEAAsE;QACtE,IAAI,aAAa,GAAG,CAAC,IAAI,aAAa,KAAK,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,CAAC;YACpE,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,cAAc;gBACxB,KAAK,EAAE,uDAAuD;gBAC9D,SAAS,EAAE,cAAc;gBACzB,YAAY,EAAE,GAAG,aAAa,yCAAyC;gBACvE,eAAe,EAAE,4DAA4D;gBAC7E,MAAM,EAAE,MAAM;gBACd,UAAU,EAAE,KAAK;aAClB,CAAC,CAAC;QACL,CAAC;IAEH,CAAC;IAAC,MAAM,CAAC;QACP,sBAAsB;IACxB,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,yBAAyB,CAChC,YAAoB,EACpB,UAAkB;IAElB,wDAAwD;IACxD,MAAM,OAAO,GAAG,cAAc,CAAC,YAAY,CAAC,CAAC;IAC7C,IAAI,CAAC,OAAO;QAAE,OAAO,KAAK,CAAC;IAE3B,MAAM,GAAG,GAAG,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAC9C,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC;IAE3C,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC;QAC3B,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC/C,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC;YAAE,OAAO,KAAK,CAAC;IAClD,CAAC;IACD,OAAO,IAAI,CAAC,CAAC,yBAAyB;AACxC,CAAC;AAED,SAAS,cAAc,CAAC,YAAoB;IAC1C,6DAA6D;IAC7D,MAAM,SAAS,GAAG,YAAY,CAAC,KAAK,CAAC,iBAAiB,CAAC,CAAC;IACxD,IAAI,SAAS;QAAE,OAAO,SAAS,CAAC,CAAC,CAAC,CAAC;IAEnC,iDAAiD;IACjD,MAAM,YAAY,GAAG,YAAY,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;IACtD,IAAI,YAAY;QAAE,OAAO,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC;IAEhD,yCAAyC;IACzC,MAAM,UAAU,GAAG,YAAY,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;IAC/C,IAAI,UAAU;QAAE,OAAO,GAAG,UAAU,CAAC,CAAC,CAAC,MAAM,CAAC;IAE9C,OAAO,IAAI,CAAC;AACd,CAAC"}
@@ -0,0 +1,3 @@
1
+ import type { FindingData } from "./types.js";
2
+ export declare function analyzeGitHubActions(files: Map<string, string>): FindingData[];
3
+ //# sourceMappingURL=github-actions.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"github-actions.d.ts","sourceRoot":"","sources":["../../src/engines/github-actions.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,YAAY,CAAC;AAE9C,wBAAgB,oBAAoB,CAAC,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,WAAW,EAAE,CAe9E"}
@@ -0,0 +1,215 @@
1
+ // GitHub Actions security engine - scans workflow files for common CI/CD vulnerabilities.
2
+ // Operates on the files Map (no filesystem access needed).
3
+ export function analyzeGitHubActions(files) {
4
+ const findings = [];
5
+ for (const [filePath, content] of files) {
6
+ if (!filePath.match(/\.github\/workflows\/.*\.ya?ml$/))
7
+ continue;
8
+ findings.push(...checkUnpinnedActions(content, filePath));
9
+ findings.push(...checkScriptInjection(content, filePath));
10
+ findings.push(...checkSecretsExposure(content, filePath));
11
+ findings.push(...checkExcessivePermissions(content, filePath));
12
+ findings.push(...checkSelfHostedRunners(content, filePath));
13
+ findings.push(...checkPullRequestTarget(content, filePath));
14
+ }
15
+ return findings;
16
+ }
17
+ function checkUnpinnedActions(content, filePath) {
18
+ const findings = [];
19
+ const lines = content.split("\n");
20
+ for (let i = 0; i < lines.length; i++) {
21
+ const line = lines[i];
22
+ const match = line.match(/uses:\s*["']?([^"'\s]+)@([^"'\s]+)/);
23
+ if (!match)
24
+ continue;
25
+ const [, action, ref] = match;
26
+ // Skip Docker and local actions
27
+ if (action.startsWith("docker://") || action.startsWith("./"))
28
+ continue;
29
+ // Flag if using branch ref instead of SHA or version tag
30
+ if (ref === "main" || ref === "master" || ref === "latest" || ref === "dev") {
31
+ findings.push({
32
+ vulnerability_id: 140,
33
+ severity: "medium",
34
+ category: "supply-chain",
35
+ title: `Unpinned Action: ${action}@${ref}`,
36
+ description_technical: `Action ${action} is pinned to branch '${ref}' instead of a SHA or version tag. This is vulnerable to supply chain attacks if the action is compromised.`,
37
+ file_path: filePath,
38
+ line_number: i + 1,
39
+ code_snippet: line.trim(),
40
+ fix_description: `Pin to a specific version tag (e.g., @v4) or full SHA (e.g., @abc123...)`,
41
+ status: "open",
42
+ });
43
+ }
44
+ }
45
+ return findings;
46
+ }
47
+ function checkScriptInjection(content, filePath) {
48
+ const findings = [];
49
+ const lines = content.split("\n");
50
+ // Dangerous GitHub context expressions in run: blocks
51
+ const dangerousContexts = [
52
+ "github.event.issue.title",
53
+ "github.event.issue.body",
54
+ "github.event.pull_request.title",
55
+ "github.event.pull_request.body",
56
+ "github.event.comment.body",
57
+ "github.event.review.body",
58
+ "github.event.discussion.title",
59
+ "github.event.discussion.body",
60
+ "github.head_ref",
61
+ "github.event.pages.page_name",
62
+ ];
63
+ let inRunBlock = false;
64
+ for (let i = 0; i < lines.length; i++) {
65
+ const line = lines[i];
66
+ if (line.match(/^\s*run:\s*[|>]?\s*$/)) {
67
+ inRunBlock = true;
68
+ continue;
69
+ }
70
+ if (line.match(/^\s*run:\s*\S/)) {
71
+ // Single-line run
72
+ inRunBlock = false;
73
+ checkLineForInjection(line, i, filePath, dangerousContexts, findings);
74
+ continue;
75
+ }
76
+ if (inRunBlock && line.match(/^\s*\w+:/)) {
77
+ inRunBlock = false;
78
+ continue;
79
+ }
80
+ if (inRunBlock || line.match(/^\s*run:/)) {
81
+ checkLineForInjection(line, i, filePath, dangerousContexts, findings);
82
+ }
83
+ }
84
+ return findings;
85
+ }
86
+ function checkLineForInjection(line, lineIndex, filePath, dangerousContexts, findings) {
87
+ for (const context of dangerousContexts) {
88
+ if (line.includes(`\${{ ${context}`) || line.includes(`\${{${context}`)) {
89
+ findings.push({
90
+ vulnerability_id: 76,
91
+ severity: "high",
92
+ category: "injection",
93
+ title: `Script Injection via ${context}`,
94
+ description_technical: `Untrusted input from '${context}' is used in a run: block. An attacker can inject arbitrary commands by crafting a malicious title/body.`,
95
+ file_path: filePath,
96
+ line_number: lineIndex + 1,
97
+ code_snippet: line.trim(),
98
+ fix_description: "Use an environment variable instead: env: TITLE: ${{ github.event.issue.title }} and reference $TITLE in the script",
99
+ owasp_ref: "A03:2021",
100
+ status: "open",
101
+ });
102
+ break; // One finding per line
103
+ }
104
+ }
105
+ }
106
+ function checkSecretsExposure(content, filePath) {
107
+ const findings = [];
108
+ const lines = content.split("\n");
109
+ for (let i = 0; i < lines.length; i++) {
110
+ const line = lines[i];
111
+ // Check for hardcoded secret-like values in env or with blocks
112
+ if (line.match(/(?:env|with):\s*$/))
113
+ continue; // Block header, skip
114
+ if (line.match(/^\s+\w+:\s*["'][A-Za-z0-9_\-./+=]{20,}["']/)) {
115
+ // Skip if it references secrets context
116
+ if (line.includes("${{ secrets.") || line.includes("${{ github."))
117
+ continue;
118
+ findings.push({
119
+ vulnerability_id: 53,
120
+ severity: "critical",
121
+ category: "vibecoding",
122
+ title: "Hardcoded Secret in Workflow",
123
+ description_technical: "A long string value in the workflow file may be a hardcoded secret. Use GitHub Secrets instead.",
124
+ file_path: filePath,
125
+ line_number: i + 1,
126
+ code_snippet: line.trim().replace(/["'][A-Za-z0-9_\-./+=]{20,}["']/, '"***REDACTED***"'),
127
+ fix_description: "Store the value as a GitHub Secret and reference it via ${{ secrets.SECRET_NAME }}",
128
+ owasp_ref: "A07:2021",
129
+ status: "open",
130
+ });
131
+ }
132
+ }
133
+ return findings;
134
+ }
135
+ function checkExcessivePermissions(content, filePath) {
136
+ const findings = [];
137
+ const lines = content.split("\n");
138
+ for (let i = 0; i < lines.length; i++) {
139
+ const line = lines[i];
140
+ // Check for write-all permissions
141
+ if (line.match(/^\s*permissions:\s*write-all/)) {
142
+ findings.push({
143
+ vulnerability_id: 133,
144
+ severity: "medium",
145
+ category: "serverless",
146
+ title: "Workflow Has write-all Permissions",
147
+ description_technical: "The workflow grants write permissions to all scopes. Follow the principle of least privilege.",
148
+ file_path: filePath,
149
+ line_number: i + 1,
150
+ code_snippet: line.trim(),
151
+ fix_description: "Specify only the permissions needed, e.g., permissions: { contents: read, pull-requests: write }",
152
+ status: "open",
153
+ });
154
+ }
155
+ // Check for no permissions block at top level
156
+ if (i === 0 && !content.includes("permissions:")) {
157
+ findings.push({
158
+ vulnerability_id: 133,
159
+ severity: "low",
160
+ category: "serverless",
161
+ title: "Workflow Missing Permissions Block",
162
+ description_technical: "No permissions block defined. The workflow inherits default permissions which may be broader than needed.",
163
+ file_path: filePath,
164
+ line_number: 1,
165
+ code_snippet: lines.slice(0, 3).join("\n"),
166
+ fix_description: "Add a top-level permissions block to restrict token scope",
167
+ status: "open",
168
+ });
169
+ }
170
+ }
171
+ return findings;
172
+ }
173
+ function checkSelfHostedRunners(content, filePath) {
174
+ const findings = [];
175
+ const lines = content.split("\n");
176
+ for (let i = 0; i < lines.length; i++) {
177
+ const line = lines[i];
178
+ if (line.match(/runs-on:\s*["']?self-hosted/)) {
179
+ findings.push({
180
+ vulnerability_id: 136,
181
+ severity: "info",
182
+ category: "serverless",
183
+ title: "Self-Hosted Runner Used",
184
+ description_technical: "Self-hosted runners can persist state between jobs. Ensure runners are ephemeral or properly hardened.",
185
+ file_path: filePath,
186
+ line_number: i + 1,
187
+ code_snippet: line.trim(),
188
+ status: "open",
189
+ });
190
+ }
191
+ }
192
+ return findings;
193
+ }
194
+ function checkPullRequestTarget(content, filePath) {
195
+ const findings = [];
196
+ if (content.includes("pull_request_target") && content.includes("actions/checkout")) {
197
+ // This is a dangerous pattern: pull_request_target + checkout = code execution from fork
198
+ const lineNum = content.split("\n").findIndex((l) => l.includes("pull_request_target")) + 1;
199
+ findings.push({
200
+ vulnerability_id: 76,
201
+ severity: "critical",
202
+ category: "injection",
203
+ title: "Dangerous pull_request_target + Checkout Pattern",
204
+ description_technical: "Using pull_request_target with actions/checkout can execute untrusted code from forks with write permissions and secrets access.",
205
+ file_path: filePath,
206
+ line_number: lineNum,
207
+ code_snippet: "on: pull_request_target\n...\nuses: actions/checkout@...",
208
+ fix_description: "Use pull_request instead, or avoid checking out PR code in pull_request_target workflows",
209
+ owasp_ref: "A03:2021",
210
+ status: "open",
211
+ });
212
+ }
213
+ return findings;
214
+ }
215
+ //# sourceMappingURL=github-actions.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"github-actions.js","sourceRoot":"","sources":["../../src/engines/github-actions.ts"],"names":[],"mappings":"AAAA,0FAA0F;AAC1F,2DAA2D;AAI3D,MAAM,UAAU,oBAAoB,CAAC,KAA0B;IAC7D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,KAAK,EAAE,CAAC;QACxC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,iCAAiC,CAAC;YAAE,SAAS;QAEjE,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,oBAAoB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC1D,QAAQ,CAAC,IAAI,CAAC,GAAG,yBAAyB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC/D,QAAQ,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;QAC5D,QAAQ,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC;IAC9D,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe,EAAE,QAAgB;IAC7D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QACtB,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,oCAAoC,CAAC,CAAC;QAC/D,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,MAAM,CAAC,EAAE,MAAM,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC;QAE9B,gCAAgC;QAChC,IAAI,MAAM,CAAC,UAAU,CAAC,WAAW,CAAC,IAAI,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC;YAAE,SAAS;QAExE,yDAAyD;QACzD,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,QAAQ,IAAI,GAAG,KAAK,KAAK,EAAE,CAAC;YAC5E,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,GAAG;gBACrB,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,cAAc;gBACxB,KAAK,EAAE,oBAAoB,MAAM,IAAI,GAAG,EAAE;gBAC1C,qBAAqB,EAAE,UAAU,MAAM,yBAAyB,GAAG,6GAA6G;gBAChL,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,CAAC,GAAG,CAAC;gBAClB,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE;gBACzB,eAAe,EAAE,0EAA0E;gBAC3F,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe,EAAE,QAAgB;IAC7D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,sDAAsD;IACtD,MAAM,iBAAiB,GAAG;QACxB,0BAA0B;QAC1B,yBAAyB;QACzB,iCAAiC;QACjC,gCAAgC;QAChC,2BAA2B;QAC3B,0BAA0B;QAC1B,+BAA+B;QAC/B,8BAA8B;QAC9B,iBAAiB;QACjB,8BAA8B;KAC/B,CAAC;IAEF,IAAI,UAAU,GAAG,KAAK,CAAC;IACvB,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,IAAI,IAAI,CAAC,KAAK,CAAC,sBAAsB,CAAC,EAAE,CAAC;YACvC,UAAU,GAAG,IAAI,CAAC;YAClB,SAAS;QACX,CAAC;QACD,IAAI,IAAI,CAAC,KAAK,CAAC,eAAe,CAAC,EAAE,CAAC;YAChC,kBAAkB;YAClB,UAAU,GAAG,KAAK,CAAC;YACnB,qBAAqB,CAAC,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,iBAAiB,EAAE,QAAQ,CAAC,CAAC;YACtE,SAAS;QACX,CAAC;QACD,IAAI,UAAU,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YACzC,UAAU,GAAG,KAAK,CAAC;YACnB,SAAS;QACX,CAAC;QAED,IAAI,UAAU,IAAI,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,EAAE,CAAC;YACzC,qBAAqB,CAAC,IAAI,EAAE,CAAC,EAAE,QAAQ,EAAE,iBAAiB,EAAE,QAAQ,CAAC,CAAC;QACxE,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,qBAAqB,CAC5B,IAAY,EACZ,SAAiB,EACjB,QAAgB,EAChB,iBAA2B,EAC3B,QAAuB;IAEvB,KAAK,MAAM,OAAO,IAAI,iBAAiB,EAAE,CAAC;QACxC,IAAI,IAAI,CAAC,QAAQ,CAAC,QAAQ,OAAO,EAAE,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,OAAO,OAAO,EAAE,CAAC,EAAE,CAAC;YACxE,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,WAAW;gBACrB,KAAK,EAAE,wBAAwB,OAAO,EAAE;gBACxC,qBAAqB,EAAE,yBAAyB,OAAO,0GAA0G;gBACjK,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,SAAS,GAAG,CAAC;gBAC1B,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE;gBACzB,eAAe,EAAE,qHAAqH;gBACtI,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;YACH,MAAM,CAAC,uBAAuB;QAChC,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAe,EAAE,QAAgB;IAC7D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,+DAA+D;QAC/D,IAAI,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC;YAAE,SAAS,CAAC,qBAAqB;QACpE,IAAI,IAAI,CAAC,KAAK,CAAC,4CAA4C,CAAC,EAAE,CAAC;YAC7D,wCAAwC;YACxC,IAAI,IAAI,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,IAAI,CAAC,QAAQ,CAAC,aAAa,CAAC;gBAAE,SAAS;YAE5E,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,UAAU;gBACpB,QAAQ,EAAE,YAAY;gBACtB,KAAK,EAAE,8BAA8B;gBACrC,qBAAqB,EAAE,iGAAiG;gBACxH,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,CAAC,GAAG,CAAC;gBAClB,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,iCAAiC,EAAE,kBAAkB,CAAC;gBACxF,eAAe,EAAE,oFAAoF;gBACrG,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,yBAAyB,CAAC,OAAe,EAAE,QAAgB;IAClE,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,kCAAkC;QAClC,IAAI,IAAI,CAAC,KAAK,CAAC,8BAA8B,CAAC,EAAE,CAAC;YAC/C,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,GAAG;gBACrB,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,YAAY;gBACtB,KAAK,EAAE,oCAAoC;gBAC3C,qBAAqB,EAAE,+FAA+F;gBACtH,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,CAAC,GAAG,CAAC;gBAClB,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE;gBACzB,eAAe,EAAE,kGAAkG;gBACnH,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;QAED,8CAA8C;QAC9C,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACjD,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,GAAG;gBACrB,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,YAAY;gBACtB,KAAK,EAAE,oCAAoC;gBAC3C,qBAAqB,EAAE,2GAA2G;gBAClI,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,CAAC;gBACd,YAAY,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC1C,eAAe,EAAE,2DAA2D;gBAC5E,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAe,EAAE,QAAgB;IAC/D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IACnC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAElC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;QAEtB,IAAI,IAAI,CAAC,KAAK,CAAC,6BAA6B,CAAC,EAAE,CAAC;YAC9C,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,GAAG;gBACrB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,YAAY;gBACtB,KAAK,EAAE,yBAAyB;gBAChC,qBAAqB,EAAE,wGAAwG;gBAC/H,SAAS,EAAE,QAAQ;gBACnB,WAAW,EAAE,CAAC,GAAG,CAAC;gBAClB,YAAY,EAAE,IAAI,CAAC,IAAI,EAAE;gBACzB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,SAAS,sBAAsB,CAAC,OAAe,EAAE,QAAgB;IAC/D,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,IAAI,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;QACpF,yFAAyF;QACzF,MAAM,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAC,GAAG,CAAC,CAAC;QAC5F,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,UAAU;YACpB,QAAQ,EAAE,WAAW;YACrB,KAAK,EAAE,kDAAkD;YACzD,qBAAqB,EAAE,kIAAkI;YACzJ,SAAS,EAAE,QAAQ;YACnB,WAAW,EAAE,OAAO;YACpB,YAAY,EAAE,0DAA0D;YACxE,eAAe,EAAE,0FAA0F;YAC3G,SAAS,EAAE,UAAU;YACrB,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC"}
@@ -0,0 +1,3 @@
1
+ import type { FindingData } from "./types.js";
2
+ export declare function runGitleaks(repoDir: string): Promise<FindingData[]>;
3
+ //# sourceMappingURL=gitleaks.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"gitleaks.d.ts","sourceRoot":"","sources":["../../src/engines/gitleaks.ts"],"names":[],"mappings":"AAOA,OAAO,KAAK,EAAE,WAAW,EAAY,MAAM,YAAY,CAAC;AA0DxD,wBAAsB,WAAW,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC,CA4CzE"}