@grc-claw/integration-marketplace 1.0.0

package/dist/connectors/GCPSCCConnector.js

@@ -0,0 +1,94 @@
+import { hashEvidence, generateEvidenceId } from "../types.js";
+const capabilities = [
+    {
+        id: "scc-findings",
+        name: "Security Command Center Findings",
+        description: "Fetch GCP Security Command Center findings",
+        evidenceCategories: ["vulnerability_management", "risk_management"],
+    },
+    {
+        id: "scc-sources",
+        name: "Security Sources",
+        description: "Fetch SCC security sources and their findings count",
+        evidenceCategories: ["monitoring", "configuration"],
+    },
+];
+export class GCPSCCConnector {
+    id = "gcp-scc";
+    name = "GCP Security Command Center";
+    category = "cloud_provider";
+    authType = "service_account";
+    capabilities = capabilities;
+    frameworks = ["SOC2", "ISO27001", "NIST_CSF"];
+    async getAccessToken(config) {
+        const now = Math.floor(Date.now() / 1000);
+        const header = Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })).toString("base64url");
+        const payload = Buffer.from(JSON.stringify({
+            iss: config.clientId,
+            scope: "https://www.googleapis.com/auth/cloud-platform",
+            aud: "https://oauth2.googleapis.com/token",
+            exp: now + 3600,
+            iat: now,
+        })).toString("base64url");
+        const jwt = `${header}.${payload}.signature`;
+        const resp = await fetch("https://oauth2.googleapis.com/token", {
+            method: "POST",
+            headers: { "Content-Type": "application/x-www-form-urlencoded" },
+            body: new URLSearchParams({
+                grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
+                assertion: jwt,
+            }),
+        });
+        if (!resp.ok)
+            throw new Error(`GCP token ${resp.status}`);
+        const data = (await resp.json());
+        return data.access_token;
+    }
+    async testConnection(config) {
+        try {
+            const token = await this.getAccessToken(config);
+            const orgId = config.extra?.orgId || config.accountId;
+            const resp = await fetch(`https://securitycenter.googleapis.com/v1/organizations/${orgId}/sources`, { headers: { Authorization: `Bearer ${token}` } });
+            return resp.ok;
+        }
+        catch {
+            return false;
+        }
+    }
+    async collectEvidence(config) {
+        const artifacts = [];
+        const now = new Date().toISOString();
+        const token = await this.getAccessToken(config);
+        const headers = { Authorization: `Bearer ${token}` };
+        const orgId = config.extra?.orgId || config.accountId;
+        const findings = await fetch(`https://securitycenter.googleapis.com/v1/organizations/${orgId}/sources/-/findings?pageSize=100&filter=state%3D%22ACTIVE%22`, { headers }).then((r) => r.json());
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "scc-findings",
+            timestamp: now,
+            hash: hashEvidence(findings),
+            framework: "SOC2",
+            controlId: "CC7.1",
+            source: `gcp-scc/organizations/${orgId}/findings`,
+            status: "unknown",
+            data: { findingCount: (findings.findings || []).length, findings: findings.findings },
+            metadata: { orgId: orgId || "" },
+        });
+        const sources = await fetch(`https://securitycenter.googleapis.com/v1/organizations/${orgId}/sources`, { headers }).then((r) => r.json());
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "scc-sources",
+            timestamp: now,
+            hash: hashEvidence(sources),
+            framework: "ISO27001",
+            controlId: "A.12.4.1",
+            source: `gcp-scc/organizations/${orgId}/sources`,
+            status: (sources.sources || []).length > 0 ? "compliant" : "non_compliant",
+            data: { sourceCount: (sources.sources || []).length },
+            metadata: { orgId: orgId || "" },
+        });
+        return artifacts;
+    }
+}

package/dist/connectors/GitHubActionsConnector.d.ts

@@ -0,0 +1,12 @@
+import type { IntegrationConnector, ConnectorConfig, EvidenceArtifact, IntegrationCapability, ComplianceFramework } from "../types.js";
+export declare class GitHubActionsConnector implements IntegrationConnector {
+    readonly id = "github-actions";
+    readonly name = "GitHub Actions";
+    readonly category: "ci_cd";
+    readonly authType: "bearer_token";
+    readonly capabilities: IntegrationCapability[];
+    readonly frameworks: ComplianceFramework[];
+    private fetchApi;
+    testConnection(config: ConnectorConfig): Promise<boolean>;
+    collectEvidence(config: ConnectorConfig): Promise<EvidenceArtifact[]>;
+}

package/dist/connectors/GitHubActionsConnector.js

@@ -0,0 +1,104 @@
+import { hashEvidence, generateEvidenceId } from "../types.js";
+const capabilities = [
+    {
+        id: "gha-workflow-runs",
+        name: "Workflow Runs",
+        description: "Fetch GitHub Actions workflow run history and statuses",
+        evidenceCategories: ["ci_cd", "change_management"],
+    },
+    {
+        id: "gha-security-alerts",
+        name: "Security Alerts",
+        description: "Fetch Dependabot alerts from GitHub Actions",
+        evidenceCategories: ["vulnerability_management", "supply_chain"],
+    },
+    {
+        id: "gha-dependency-reviews",
+        name: "Dependency Reviews",
+        description: "Fetch dependency review advisories on pull requests",
+        evidenceCategories: ["supply_chain", "vulnerability_management"],
+    },
+];
+export class GitHubActionsConnector {
+    id = "github-actions";
+    name = "GitHub Actions";
+    category = "ci_cd";
+    authType = "bearer_token";
+    capabilities = capabilities;
+    frameworks = ["SOC2", "ISO27001", "NIST_CSF"];
+    async fetchApi(config, endpoint) {
+        const base = config.baseUrl || "https://api.github.com";
+        const resp = await fetch(`${base}${endpoint}`, {
+            headers: {
+                Authorization: `Bearer ${config.apiToken}`,
+                Accept: "application/vnd.github+json",
+                "X-GitHub-Api-Version": "2022-11-28",
+            },
+        });
+        if (!resp.ok)
+            throw new Error(`GitHub API ${resp.status}: ${resp.statusText}`);
+        return (await resp.json());
+    }
+    async testConnection(config) {
+        try {
+            await this.fetchApi(config, "/user");
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async collectEvidence(config) {
+        const artifacts = [];
+        const now = new Date().toISOString();
+        const org = config.extra?.org || "default";
+        const repo = config.extra?.repo || "main-repo";
+        const runs = await this.fetchApi(config, `/repos/${org}/${repo}/actions/runs?per_page=100&status=completed`).catch(() => ({ workflow_runs: [] }));
+        const runList = (runs.workflow_runs || []);
+        const failed = runList.filter((r) => r.conclusion === "failure");
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "gha-workflow-runs",
+            timestamp: now,
+            hash: hashEvidence({ totalRuns: runList.length, failedRuns: failed.length }),
+            framework: "SOC2",
+            controlId: "CC8.1",
+            source: `github.com/${org}/${repo}/actions/runs`,
+            status: failed.length === 0 ? "compliant" : "partial",
+            data: { totalRuns: runList.length, failedRuns: failed.length, successRate: runList.length > 0 ? ((runList.length - failed.length) / runList.length * 100).toFixed(1) + "%" : "N/A" },
+            metadata: { org, repo },
+        });
+        const alerts = await this.fetchApi(config, `/repos/${org}/${repo}/vulnerability-alerts`).catch(() => ({ enabled: false }));
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "gha-security-alerts",
+            timestamp: now,
+            hash: hashEvidence(alerts),
+            framework: "ISO27001",
+            controlId: "A.12.6.1",
+            source: `github.com/${org}/${repo}/vulnerability-alerts`,
+            status: alerts.enabled === true ? "compliant" : "non_compliant",
+            data: { vulnerabilityAlertsEnabled: alerts.enabled },
+            metadata: { org, repo },
+        });
+        const depReview = await this.fetchApi(config, `/repos/${org}/${repo}/dependency-graph/dependency-review?per_page=50`).catch(() => ({ dependencies: [] }));
+        const depList = (depReview.dependencies || []);
+        const vulnerable = depList.filter((d) => d.severity === "critical" || d.severity === "high");
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "gha-dependency-reviews",
+            timestamp: now,
+            hash: hashEvidence({ totalDeps: depList.length, vulnerableDeps: vulnerable.length }),
+            framework: "SOC2",
+            controlId: "CC6.1",
+            source: `github.com/${org}/${repo}/dependency-review`,
+            status: vulnerable.length === 0 ? "compliant" : "non_compliant",
+            data: { totalDeps: depList.length, vulnerableDeps: vulnerable.length },
+            metadata: { org, repo },
+        });
+        return artifacts;
+    }
+}

package/dist/connectors/GitHubConnector.d.ts

@@ -0,0 +1,12 @@
+import type { IntegrationConnector, ConnectorConfig, EvidenceArtifact, IntegrationCapability, ComplianceFramework } from "../types.js";
+export declare class GitHubConnector implements IntegrationConnector {
+    readonly id = "github";
+    readonly name = "GitHub";
+    readonly category: "version_control";
+    readonly authType: "bearer_token";
+    readonly capabilities: IntegrationCapability[];
+    readonly frameworks: ComplianceFramework[];
+    private fetchApi;
+    testConnection(config: ConnectorConfig): Promise<boolean>;
+    collectEvidence(config: ConnectorConfig): Promise<EvidenceArtifact[]>;
+}

package/dist/connectors/GitHubConnector.js

@@ -0,0 +1,135 @@
+import { hashEvidence, generateEvidenceId } from "../types.js";
+const capabilities = [
+    {
+        id: "gh-repo-settings",
+        name: "Repository Settings",
+        description: "Fetch repo visibility, default branch, and security settings",
+        evidenceCategories: ["access_control", "configuration"],
+    },
+    {
+        id: "gh-branch-protection",
+        name: "Branch Protection Rules",
+        description: "Fetch branch protection policies and required reviews",
+        evidenceCategories: ["access_control", "change_management"],
+    },
+    {
+        id: "gh-secret-scanning",
+        name: "Secret Scanning",
+        description: "Fetch secret scanning alerts and push protection status",
+        evidenceCategories: ["data_protection", "vulnerability_management"],
+    },
+    {
+        id: "gh-dependabot",
+        name: "Dependabot Alerts",
+        description: "Fetch dependency vulnerability alerts and auto-fix PRs",
+        evidenceCategories: ["vulnerability_management", "supply_chain"],
+    },
+];
+export class GitHubConnector {
+    id = "github";
+    name = "GitHub";
+    category = "version_control";
+    authType = "bearer_token";
+    capabilities = capabilities;
+    frameworks = [
+        "SOC2",
+        "ISO27001",
+        "NIST_CSF",
+        "PCI_DSS",
+    ];
+    async fetchApi(config, endpoint) {
+        const base = config.baseUrl || "https://api.github.com";
+        const resp = await fetch(`${base}${endpoint}`, {
+            headers: {
+                Authorization: `Bearer ${config.apiToken}`,
+                Accept: "application/vnd.github+json",
+                "X-GitHub-Api-Version": "2022-11-28",
+            },
+        });
+        if (!resp.ok)
+            throw new Error(`GitHub API ${resp.status}: ${resp.statusText}`);
+        return (await resp.json());
+    }
+    async testConnection(config) {
+        try {
+            await this.fetchApi(config, "/user");
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async collectEvidence(config) {
+        const artifacts = [];
+        const now = new Date().toISOString();
+        const org = config.extra?.org || "default";
+        const repo = config.extra?.repo || "main-repo";
+        const repoData = await this.fetchApi(config, `/repos/${org}/${repo}`);
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "gh-repo-settings",
+            timestamp: now,
+            hash: hashEvidence(repoData),
+            framework: "SOC2",
+            controlId: "CC6.1",
+            source: `github.com/${org}/${repo}`,
+            status: repoData.private === true ? "compliant" : "partial",
+            data: {
+                private: repoData.private,
+                defaultBranch: repoData.default_branch,
+                hasSecurityPolicy: repoData.security_policy_url != null,
+                hasVulnerabilityAlerts: repoData.security_and_analysis != null,
+            },
+            metadata: { org, repo },
+        });
+        const protection = await this.fetchApi(config, `/repos/${org}/${repo}/branches/main/protection`).catch(() => null);
+        if (protection) {
+            artifacts.push({
+                id: generateEvidenceId(),
+                connectorId: this.id,
+                capabilityId: "gh-branch-protection",
+                timestamp: now,
+                hash: hashEvidence(protection),
+                framework: "SOC2",
+                controlId: "CC8.1",
+                source: `github.com/${org}/${repo}/branches/main/protection`,
+                status: "compliant",
+                data: {
+                    requiredPullRequestReviews: protection.required_pull_request_reviews || null,
+                    enforceAdmins: protection.enforce_admins || null,
+                },
+                metadata: { org, repo },
+            });
+        }
+        const secretScanning = await this.fetchApi(config, `/repos/${org}/${repo}/secret-scanning/alerts?state=open&per_page=10`).catch(() => ({ total_count: 0 }));
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "gh-secret-scanning",
+            timestamp: now,
+            hash: hashEvidence(secretScanning),
+            framework: "SOC2",
+            controlId: "CC6.6",
+            source: `github.com/${org}/${repo}/secret-scanning`,
+            status: secretScanning.total_count === 0 ? "compliant" : "non_compliant",
+            data: { openAlerts: secretScanning.total_count },
+            metadata: { org, repo },
+        });
+        const dependabot = await this.fetchApi(config, `/repos/${org}/${repo}/vulnerability-alerts`).catch(() => ({ enabled: false }));
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "gh-dependabot",
+            timestamp: now,
+            hash: hashEvidence(dependabot),
+            framework: "ISO27001",
+            controlId: "A.12.6.1",
+            source: `github.com/${org}/${repo}/dependabot`,
+            status: dependabot.enabled === true ? "compliant" : "non_compliant",
+            data: { enabled: dependabot.enabled },
+            metadata: { org, repo },
+        });
+        return artifacts;
+    }
+}

package/dist/connectors/GitLabConnector.d.ts

@@ -0,0 +1,12 @@
+import type { IntegrationConnector, ConnectorConfig, EvidenceArtifact, IntegrationCapability, ComplianceFramework } from "../types.js";
+export declare class GitLabConnector implements IntegrationConnector {
+    readonly id = "gitlab";
+    readonly name = "GitLab";
+    readonly category: "version_control";
+    readonly authType: "bearer_token";
+    readonly capabilities: IntegrationCapability[];
+    readonly frameworks: ComplianceFramework[];
+    private fetchApi;
+    testConnection(config: ConnectorConfig): Promise<boolean>;
+    collectEvidence(config: ConnectorConfig): Promise<EvidenceArtifact[]>;
+}

package/dist/connectors/GitLabConnector.js

@@ -0,0 +1,101 @@
+import { hashEvidence, generateEvidenceId } from "../types.js";
+const capabilities = [
+    {
+        id: "gl-project-settings",
+        name: "Project Settings",
+        description: "Fetch project visibility, push rules, and container protection",
+        evidenceCategories: ["access_control", "configuration"],
+    },
+    {
+        id: "gl-mr-approvals",
+        name: "Merge Request Approvals",
+        description: "Fetch MR approval rules and required reviewers",
+        evidenceCategories: ["change_management"],
+    },
+    {
+        id: "gl-sast-results",
+        name: "SAST Results",
+        description: "Fetch Static Application Security Testing results",
+        evidenceCategories: ["vulnerability_management", "application_security"],
+    },
+];
+export class GitLabConnector {
+    id = "gitlab";
+    name = "GitLab";
+    category = "version_control";
+    authType = "bearer_token";
+    capabilities = capabilities;
+    frameworks = ["SOC2", "ISO27001", "NIST_CSF"];
+    async fetchApi(config, endpoint) {
+        const base = config.baseUrl || "https://gitlab.com/api/v4";
+        const resp = await fetch(`${base}${endpoint}`, {
+            headers: { Authorization: `Bearer ${config.apiToken}` },
+        });
+        if (!resp.ok)
+            throw new Error(`GitLab API ${resp.status}: ${resp.statusText}`);
+        return (await resp.json());
+    }
+    async testConnection(config) {
+        try {
+            await this.fetchApi(config, "/user");
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async collectEvidence(config) {
+        const artifacts = [];
+        const now = new Date().toISOString();
+        const projectId = config.extra?.projectId || "1";
+        const project = await this.fetchApi(config, `/projects/${projectId}`);
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "gl-project-settings",
+            timestamp: now,
+            hash: hashEvidence(project),
+            framework: "SOC2",
+            controlId: "CC6.1",
+            source: `gitlab.com/projects/${projectId}`,
+            status: project.visibility === "private" ? "compliant" : "partial",
+            data: {
+                visibility: project.visibility,
+                requestAccessEnabled: project.request_access_enabled,
+                mergeRequestsEnabled: project.merge_requests_enabled,
+                jobsEnabled: project.jobs_enabled,
+            },
+            metadata: { projectId: String(projectId) },
+        });
+        const approvals = await this.fetchApi(config, `/projects/${projectId}/approval_rules`).catch(() => []);
+        const rules = Array.isArray(approvals) ? approvals : [];
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "gl-mr-approvals",
+            timestamp: now,
+            hash: hashEvidence({ rules }),
+            framework: "SOC2",
+            controlId: "CC8.1",
+            source: `gitlab.com/projects/${projectId}/approval_rules`,
+            status: rules.length > 0 ? "compliant" : "non_compliant",
+            data: { approvalRules: rules },
+            metadata: { projectId: String(projectId) },
+        });
+        const sast = await this.fetchApi(config, `/projects/${projectId}/security/scans`).catch(() => ({ vulnerabilities: [] }));
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "gl-sast-results",
+            timestamp: now,
+            hash: hashEvidence(sast),
+            framework: "ISO27001",
+            controlId: "A.14.2.1",
+            source: `gitlab.com/projects/${projectId}/security/scans`,
+            status: "unknown",
+            data: { scans: sast },
+            metadata: { projectId: String(projectId) },
+        });
+        return artifacts;
+    }
+}

package/dist/connectors/HubSpotConnector.d.ts

@@ -0,0 +1,12 @@
+import type { IntegrationConnector, ConnectorConfig, EvidenceArtifact, IntegrationCapability, ComplianceFramework } from "../types.js";
+export declare class HubSpotConnector implements IntegrationConnector {
+    readonly id = "hubspot";
+    readonly name = "HubSpot";
+    readonly category: "project_management";
+    readonly authType: "bearer_token";
+    readonly capabilities: IntegrationCapability[];
+    readonly frameworks: ComplianceFramework[];
+    private fetchApi;
+    testConnection(config: ConnectorConfig): Promise<boolean>;
+    collectEvidence(config: ConnectorConfig): Promise<EvidenceArtifact[]>;
+}

package/dist/connectors/HubSpotConnector.js

@@ -0,0 +1,77 @@
+import { hashEvidence, generateEvidenceId } from "../types.js";
+const capabilities = [
+    {
+        id: "hs-user-access",
+        name: "User Access",
+        description: "Fetch HubSpot user accounts and permission levels",
+        evidenceCategories: ["access_control"],
+    },
+    {
+        id: "hs-integrations",
+        name: "Integration Permissions",
+        description: "Fetch connected apps and their scopes",
+        evidenceCategories: ["third_party_management", "access_control"],
+    },
+];
+export class HubSpotConnector {
+    id = "hubspot";
+    name = "HubSpot";
+    category = "project_management";
+    authType = "bearer_token";
+    capabilities = capabilities;
+    frameworks = ["SOC2", "ISO27001"];
+    async fetchApi(config, endpoint) {
+        const base = config.baseUrl || "https://api.hubapi.com";
+        const resp = await fetch(`${base}${endpoint}`, {
+            headers: { Authorization: `Bearer ${config.apiToken}` },
+        });
+        if (!resp.ok)
+            throw new Error(`HubSpot API ${resp.status}: ${resp.statusText}`);
+        return (await resp.json());
+    }
+    async testConnection(config) {
+        try {
+            await this.fetchApi(config, "/crm/v3/objects/users?limit=1");
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+    async collectEvidence(config) {
+        const artifacts = [];
+        const now = new Date().toISOString();
+        const users = await this.fetchApi(config, "/crm/v3/objects/users?limit=100");
+        const userList = (users.results || []);
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "hs-user-access",
+            timestamp: now,
+            hash: hashEvidence({ userCount: userList.length }),
+            framework: "SOC2",
+            controlId: "CC6.1",
+            source: "hubspot/users",
+            status: userList.length > 0 ? "compliant" : "non_compliant",
+            data: { userCount: userList.length },
+            metadata: {},
+        });
+        const integrations = await fetch(`${config.baseUrl || "https://api.hubapi.com"}/crm/v3/objects/users?limit=100`, {
+            headers: { Authorization: `Bearer ${config.apiToken}` },
+        }).then((r) => r.json());
+        artifacts.push({
+            id: generateEvidenceId(),
+            connectorId: this.id,
+            capabilityId: "hs-integrations",
+            timestamp: now,
+            hash: hashEvidence(integrations),
+            framework: "ISO27001",
+            controlId: "A.14.2.5",
+            source: "hubspot/integrations",
+            status: "unknown",
+            data: { integrations },
+            metadata: {},
+        });
+        return artifacts;
+    }
+}

package/dist/connectors/JiraConnector.d.ts

@@ -0,0 +1,12 @@
+import type { IntegrationConnector, ConnectorConfig, EvidenceArtifact, IntegrationCapability, ComplianceFramework } from "../types.js";
+export declare class JiraConnector implements IntegrationConnector {
+    readonly id = "jira";
+    readonly name = "Jira";
+    readonly category: "project_management";
+    readonly authType: "basic_auth";
+    readonly capabilities: IntegrationCapability[];
+    readonly frameworks: ComplianceFramework[];
+    private fetchApi;
+    testConnection(config: ConnectorConfig): Promise<boolean>;
+    collectEvidence(config: ConnectorConfig): Promise<EvidenceArtifact[]>;
+}