@greenarmor/ges-audit-engine 0.1.0

package/dist/scanners/config-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-scanner.js","sourceRoot":"","sources":["../../src/scanners/config-scanner.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,aAAa;IACxB,IAAI,GAAG,QAAQ,CAAC;IAEhB,IAAI,CAAC,GAAgB;QACnB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC,gBAAgB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACrC,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAClC,IAAI,CAAC,iBAAiB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACnC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACnC,IAAI,CAAC,kBAAkB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAEvC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,gBAAgB,CAAC,GAAgB,EAAE,QAAmB;QAC5D,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACxD,IAAI,CAAC,UAAU;YAAE,OAAO;QAExB,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,UAAU,CAAC,CAAC;YACnC,MAAM,IAAI,GAAG,EAAE,GAAG,GAAG,CAAC,YAAY,EAAE,GAAG,GAAG,CAAC,eAAe,EAAE,CAAC;YAE7D,IAAI,IAAI,CAAC,MAAM,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC5E,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,YAAY;oBACpB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,sCAAsC;oBAC7C,WAAW,EAAE,0HAA0H;oBACvI,IAAI,EAAE,cAAc;oBACpB,QAAQ,EAAE,4BAA4B;oBACtC,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;oBAChD,GAAG,EAAE,yCAAyC;iBAC/C,CAAC,CAAC;YACL,CAAC;YAED,IAAI,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC9D,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,YAAY;oBACpB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,uBAAuB;oBAC9B,WAAW,EAAE,uFAAuF;oBACpG,IAAI,EAAE,cAAc;oBACpB,QAAQ,EAAE,0BAA0B;oBACpC,UAAU,EAAE,CAAC,gBAAgB,CAAC;oBAC9B,GAAG,EAAE,4DAA4D;iBAClE,CAAC,CAAC;YACL,CAAC;YAED,MAAM,SAAS,GAAG,CAAC,SAAS,EAAE,QAAQ,EAAE,OAAO,EAAE,YAAY,CAAC,CAAC;YAC/D,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;gBAC5B,IAAI,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC;oBACd,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,YAAY;wBACpB,QAAQ,EAAE,QAAQ;wBAClB,QAAQ,EAAE,cAAc;wBACxB,KAAK,EAAE,6BAA6B,GAAG,EAAE;wBACzC,WAAW,EAAE,GAAG,GAAG,+GAA+G;wBAClI,IAAI,EAAE,cAAc;wBACpB,QAAQ,EAAE,GAAG,GAAG,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE;wBAChC,UAAU,EAAE,CAAC,SAAS,EAAE,gBAAgB,CAAC;wBACzC,GAAG,EAAE,4FAA4F;qBAClG,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,iBAAiB;QACnB,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,GAAgB,EAAE,QAAmB;QACzD,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACnD,IAAI,QAAQ,KAAK,MAAM,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,OAAO,CAAC;gBAAE,SAAS;YAClG,IAAI,QAAQ,CAAC,QAAQ,CAAC,SAAS,CAAC,IAAI,QAAQ,CAAC,QAAQ,CAAC,UAAU,CAAC;gBAAE,SAAS;YAE5E,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;gBAC7B,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAE5C,IAAI,qDAAqD,CAAC,IAAI,CAAC,IAAI,CAAC;oBAChE,CAAC,IAAI,CAAC,QAAQ,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;oBACnF,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,YAAY;wBACpB,QAAQ,EAAE,UAAU;wBACpB,QAAQ,EAAE,SAAS;wBACnB,KAAK,EAAE,gCAAgC;wBACvC,WAAW,EAAE,qGAAqG;wBAClH,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,CAAC,GAAG,CAAC;wBACX,QAAQ,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,MAAM;wBACrC,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;wBAChD,GAAG,EAAE,iFAAiF;qBACvF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAEO,iBAAiB,CAAC,GAAgB,EAAE,QAAmB;QAC7D,MAAM,UAAU,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACtD,IAAI,UAAU,EAAE,CAAC;YACf,IAAI,cAAc,CAAC,IAAI,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC,UAAU,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,EAAE,CAAC;gBACtE,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,YAAY;oBACpB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,gBAAgB;oBAC1B,KAAK,EAAE,wBAAwB;oBAC/B,WAAW,EAAE,qEAAqE;oBAClF,IAAI,EAAE,YAAY;oBAClB,QAAQ,EAAE,kCAAkC;oBAC5C,UAAU,EAAE,CAAC,SAAS,CAAC;oBACvB,GAAG,EAAE,6DAA6D;iBACnE,CAAC,CAAC;YACL,CAAC;YAED,IAAI,mDAAmD,CAAC,IAAI,CAAC,UAAU,CAAC,EAAE,CAAC;gBACzE,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,YAAY;oBACpB,QAAQ,EAAE,UAAU;oBACpB,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,0BAA0B;oBACjC,WAAW,EAAE,+CAA+C;oBAC5D,IAAI,EAAE,YAAY;oBAClB,QAAQ,EAAE,uBAAuB;oBACjC,UAAU,EAAE,CAAC,gBAAgB,CAAC;oBAC9B,GAAG,EAAE,iEAAiE;iBACvE,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAEO,cAAc,CAAC,GAAgB,EAAE,QAAmB;QAC1D,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACnD,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAEzE,IAAI,mDAAmD,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBACtE,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,YAAY;oBACpB,QAAQ,EAAE,UAAU;oBACpB,QAAQ,EAAE,YAAY;oBACtB,KAAK,EAAE,2BAA2B;oBAClC,WAAW,EAAE,8FAA8F;oBAC3G,IAAI,EAAE,QAAQ;oBACd,QAAQ,EAAE,gCAAgC;oBAC1C,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;oBAChD,GAAG,EAAE,2EAA2E;iBACjF,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAEO,cAAc,CAAC,GAAgB,EAAE,QAAmB;QAC1D,MAAM,SAAS,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,YAAY,CAAC,CAAC;QACrD,IAAI,CAAC,SAAS,EAAE,CAAC;YACf,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,YAAY;gBACpB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,UAAU;gBACpB,KAAK,EAAE,oBAAoB;gBAC3B,WAAW,EAAE,iFAAiF;gBAC9F,IAAI,EAAE,YAAY;gBAClB,QAAQ,EAAE,gBAAgB;gBAC1B,UAAU,EAAE,CAAC,gBAAgB,CAAC;gBAC9B,GAAG,EAAE,gEAAgE;aACtE,CAAC,CAAC;YACH,OAAO;QACT,CAAC;QAED,MAAM,QAAQ,GAAG,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;QAC1C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;YAC/B,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;gBACjC,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,YAAY;oBACpB,QAAQ,EAAE,MAAM;oBAChB,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,sBAAsB,OAAO,EAAE;oBACtC,WAAW,EAAE,GAAG,OAAO,yDAAyD;oBAChF,IAAI,EAAE,YAAY;oBAClB,QAAQ,EAAE,GAAG,OAAO,0BAA0B;oBAC9C,UAAU,EAAE,CAAC,gBAAgB,CAAC;oBAC9B,GAAG,EAAE,OAAO,OAAO,iBAAiB;iBACrC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAEO,kBAAkB,CAAC,GAAgB,EAAE,QAAmB;QAC9D,MAAM,UAAU,GAAG,IAAI,CAAC,aAAa,CAAC,GAAG,EAAE;YACzC,oCAAoC;YACpC,iBAAiB;YACjB,qBAAqB;SACtB,CAAC,CAAC;QAEH,IAAI,CAAC,UAAU,EAAE,CAAC;YAChB,QAAQ,CAAC,IAAI,CAAC;gBACZ,MAAM,EAAE,YAAY;gBACpB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,OAAO;gBACjB,KAAK,EAAE,+BAA+B;gBACtC,WAAW,EAAE,4FAA4F;gBACzG,IAAI,EAAE,SAAS;gBACf,QAAQ,EAAE,gDAAgD;gBAC1D,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;gBAChD,GAAG,EAAE,qFAAqF;aAC3F,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAEO,aAAa,CAAC,GAAgB,EAAE,QAAkB;QACxD,KAAK,MAAM,CAAC,EAAE,OAAO,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YAC3C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;gBAC/B,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;gBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC;oBAAE,OAAO,IAAI,CAAC;YACzC,CAAC;QACH,CAAC;QACD,OAAO,KAAK,CAAC;IACf,CAAC;CACF"}

package/dist/scanners/crypto-scanner.d.ts

@@ -0,0 +1,5 @@
+import type { Scanner, Finding, ScanContext } from "./types.js";
+export declare class CryptoScanner implements Scanner {
+    name: string;
+    scan(ctx: ScanContext): Finding[];
+}

package/dist/scanners/crypto-scanner.js

@@ -0,0 +1,92 @@
+const WEAK_HASH_PATTERNS = [
+    { pattern: /\bmd5\s*\(/gi, algo: "MD5" },
+    { pattern: /\bsha1\s*\(/gi, algo: "SHA1" },
+    { pattern: /\bcreateHash\s*\(\s*['"]md5['"]\s*\)/gi, algo: "MD5 (Node.js crypto)" },
+    { pattern: /\bcreateHash\s*\(\s*['"]sha1['"]\s*\)/gi, algo: "SHA1 (Node.js crypto)" },
+    { pattern: /\.digest\s*\(\s*['"]md5['"]\s*\)/gi, algo: "MD5 digest" },
+    { pattern: /hashlib\.md5\(/gi, algo: "MD5 (Python)" },
+    { pattern: /hashlib\.sha1\(/gi, algo: "SHA1 (Python)" },
+];
+const WEAK_CRYPTO_PATTERNS = [
+    { pattern: /\bDES\b|\b3DES\b|\bBlowfish\b/g, algo: "Weak encryption algorithm" },
+    { pattern: /\bcreateCipheriv\s*\(\s*['"]aes-128/gi, algo: "AES-128 (use AES-256)" },
+    { pattern: /\bcreateCipher\b\s*\(/g, algo: "Deprecated createCipher (use createCipheriv)" },
+    { pattern: /\btc_aes_encrypt\b/gi, algo: "AES-128 (use AES-256)" },
+    { pattern: /\bAES.*ECB\b/gi, algo: "AES ECB mode (use GCM or CBC)" },
+    { pattern: /Cipher\s*\(\s*['"]des/gi, algo: "DES cipher (deprecated)" },
+    { pattern: /\btls\.connect\s*\([^)]*rejectUnauthorized\s*:\s*false/gi, algo: "TLS with certificate verification disabled" },
+    { pattern: /process\.env\.NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]0['"]/gi, algo: "TLS verification globally disabled" },
+];
+const INSECURE_PASSWORD_PATTERNS = [
+    { pattern: /\.compare\s*\(.*,\s*.*\)|bcrypt\.compare|argon2\.verify/gi, check: false, desc: "Secure password comparison" },
+    { pattern: /password\s*===?\s*|password\s*!==?\s*|\.equals\s*\(\s*password/gi, check: true, desc: "Plaintext password comparison (use Argon2id/bcrypt)" },
+];
+const SCAN_EXTENSIONS = new Set([".ts", ".tsx", ".js", ".jsx", ".py", ".rb", ".go", ".java", ".php", ".cs"]);
+export class CryptoScanner {
+    name = "crypto";
+    scan(ctx) {
+        const findings = [];
+        for (const [filePath, content] of ctx.fileContents) {
+            const ext = filePath.substring(filePath.lastIndexOf("."));
+            if (!SCAN_EXTENSIONS.has(ext))
+                continue;
+            const lines = content.split("\n");
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                for (const { pattern, algo } of WEAK_HASH_PATTERNS) {
+                    pattern.lastIndex = 0;
+                    if (pattern.test(line)) {
+                        findings.push({
+                            ruleId: "CRYPTO-001",
+                            severity: "critical",
+                            category: "authentication",
+                            title: `Weak hashing algorithm: ${algo}`,
+                            description: `${algo} is cryptographically broken and must not be used for passwords or security-sensitive operations. Use Argon2id for passwords, SHA-256+ for general hashing.`,
+                            file: filePath,
+                            line: i + 1,
+                            evidence: line.trim(),
+                            controlIds: ["GDPR-ART32-004", "OWASP-ASVS-003"],
+                            fix: `Replace ${algo} with Argon2id (passwords) or SHA-256+ (general hashing).`,
+                        });
+                    }
+                }
+                for (const { pattern, algo } of WEAK_CRYPTO_PATTERNS) {
+                    pattern.lastIndex = 0;
+                    if (pattern.test(line)) {
+                        findings.push({
+                            ruleId: "CRYPTO-002",
+                            severity: "high",
+                            category: "encryption",
+                            title: `Insecure encryption: ${algo}`,
+                            description: `${algo} is not approved for use. Use AES-256-GCM or ChaCha20-Poly1305.`,
+                            file: filePath,
+                            line: i + 1,
+                            evidence: line.trim(),
+                            controlIds: ["GDPR-ART32-002", "GDPR-ART32-003"],
+                            fix: "Replace with AES-256-GCM or ChaCha20-Poly1305 for data at rest, TLS 1.3 for data in transit.",
+                        });
+                    }
+                }
+                for (const { pattern, check, desc } of INSECURE_PASSWORD_PATTERNS) {
+                    pattern.lastIndex = 0;
+                    if (check && pattern.test(line)) {
+                        findings.push({
+                            ruleId: "CRYPTO-003",
+                            severity: "critical",
+                            category: "authentication",
+                            title: desc,
+                            description: "Passwords must be hashed using Argon2id before comparison. Never compare plaintext passwords.",
+                            file: filePath,
+                            line: i + 1,
+                            evidence: line.trim(),
+                            controlIds: ["GDPR-ART32-004", "OWASP-ASVS-003"],
+                            fix: "Use argon2.verify(hashedPassword, inputPassword) for password comparison.",
+                        });
+                    }
+                }
+            }
+        }
+        return findings;
+    }
+}
+//# sourceMappingURL=crypto-scanner.js.map

package/dist/scanners/crypto-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto-scanner.js","sourceRoot":"","sources":["../../src/scanners/crypto-scanner.ts"],"names":[],"mappings":"AAEA,MAAM,kBAAkB,GAAG;IACzB,EAAE,OAAO,EAAE,cAAc,EAAE,IAAI,EAAE,KAAK,EAAE;IACxC,EAAE,OAAO,EAAE,eAAe,EAAE,IAAI,EAAE,MAAM,EAAE;IAC1C,EAAE,OAAO,EAAE,wCAAwC,EAAE,IAAI,EAAE,sBAAsB,EAAE;IACnF,EAAE,OAAO,EAAE,yCAAyC,EAAE,IAAI,EAAE,uBAAuB,EAAE;IACrF,EAAE,OAAO,EAAE,oCAAoC,EAAE,IAAI,EAAE,YAAY,EAAE;IACrE,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,cAAc,EAAE;IACrD,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,eAAe,EAAE;CACxD,CAAC;AAEF,MAAM,oBAAoB,GAAG;IAC3B,EAAE,OAAO,EAAE,gCAAgC,EAAE,IAAI,EAAE,2BAA2B,EAAE;IAChF,EAAE,OAAO,EAAE,uCAAuC,EAAE,IAAI,EAAE,uBAAuB,EAAE;IACnF,EAAE,OAAO,EAAE,wBAAwB,EAAE,IAAI,EAAE,8CAA8C,EAAE;IAC3F,EAAE,OAAO,EAAE,sBAAsB,EAAE,IAAI,EAAE,uBAAuB,EAAE;IAClE,EAAE,OAAO,EAAE,gBAAgB,EAAE,IAAI,EAAE,+BAA+B,EAAE;IACpE,EAAE,OAAO,EAAE,yBAAyB,EAAE,IAAI,EAAE,yBAAyB,EAAE;IACvE,EAAE,OAAO,EAAE,0DAA0D,EAAE,IAAI,EAAE,4CAA4C,EAAE;IAC3H,EAAE,OAAO,EAAE,8DAA8D,EAAE,IAAI,EAAE,oCAAoC,EAAE;CACxH,CAAC;AAEF,MAAM,0BAA0B,GAAG;IACjC,EAAE,OAAO,EAAE,2DAA2D,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,EAAE,4BAA4B,EAAE;IAC1H,EAAE,OAAO,EAAE,kEAAkE,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,qDAAqD,EAAE;CAC1J,CAAC;AAEF,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;AAE7G,MAAM,OAAO,aAAa;IACxB,IAAI,GAAG,QAAQ,CAAC;IAEhB,IAAI,CAAC,GAAgB;QACnB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1D,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YAExC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBAEtB,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,kBAAkB,EAAE,CAAC;oBACnD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;oBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,QAAQ,CAAC,IAAI,CAAC;4BACZ,MAAM,EAAE,YAAY;4BACpB,QAAQ,EAAE,UAAU;4BACpB,QAAQ,EAAE,gBAAgB;4BAC1B,KAAK,EAAE,2BAA2B,IAAI,EAAE;4BACxC,WAAW,EAAE,GAAG,IAAI,6JAA6J;4BACjL,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;4BACrB,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;4BAChD,GAAG,EAAE,WAAW,IAAI,2DAA2D;yBAChF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,oBAAoB,EAAE,CAAC;oBACrD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;oBACtB,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,QAAQ,CAAC,IAAI,CAAC;4BACZ,MAAM,EAAE,YAAY;4BACpB,QAAQ,EAAE,MAAM;4BAChB,QAAQ,EAAE,YAAY;4BACtB,KAAK,EAAE,wBAAwB,IAAI,EAAE;4BACrC,WAAW,EAAE,GAAG,IAAI,iEAAiE;4BACrF,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;4BACrB,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;4BAChD,GAAG,EAAE,8FAA8F;yBACpG,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;gBAED,KAAK,MAAM,EAAE,OAAO,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,0BAA0B,EAAE,CAAC;oBAClE,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;oBACtB,IAAI,KAAK,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBAChC,QAAQ,CAAC,IAAI,CAAC;4BACZ,MAAM,EAAE,YAAY;4BACpB,QAAQ,EAAE,UAAU;4BACpB,QAAQ,EAAE,gBAAgB;4BAC1B,KAAK,EAAE,IAAI;4BACX,WAAW,EAAE,+FAA+F;4BAC5G,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,QAAQ,EAAE,IAAI,CAAC,IAAI,EAAE;4BACrB,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;4BAChD,GAAG,EAAE,2EAA2E;yBACjF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF"}

package/dist/scanners/database-scanner.d.ts

@@ -0,0 +1,7 @@
+import type { Scanner, Finding, ScanContext } from "./types.js";
+export declare class DatabaseScanner implements Scanner {
+    name: string;
+    scan(ctx: ScanContext): Finding[];
+    private checkSchemaPatterns;
+    private checkORMConfig;
+}

package/dist/scanners/database-scanner.js

@@ -0,0 +1,82 @@
+export class DatabaseScanner {
+    name = "database";
+    scan(ctx) {
+        const findings = [];
+        this.checkSchemaPatterns(ctx, findings);
+        this.checkORMConfig(ctx, findings);
+        return findings;
+    }
+    checkSchemaPatterns(ctx, findings) {
+        const requiredAuditColumns = ["created_at", "updated_at"];
+        const recommendedAuditColumns = ["deleted_at", "created_by", "updated_by"];
+        const codeExtensions = new Set([".ts", ".tsx", ".js", ".jsx", ".prisma", ".sql"]);
+        for (const [filePath, content] of ctx.fileContents) {
+            const ext = filePath.substring(filePath.lastIndexOf("."));
+            if (!codeExtensions.has(ext))
+                continue;
+            const hasTimestamps = /\b(?:timestamps|created_at|createdAt)\s*[:\(]/i.test(content);
+            const hasSoftDelete = /\b(?:deleted_at|deletedAt|softDelete|paranoid)\s*[:\(]/i.test(content);
+            const hasUserAudit = /\b(?:created_by|createdBy|updated_by|updatedBy)\s*[:\(]/i.test(content);
+            if (/\b(?:model|schema|entity|table)\b.*\{/i.test(content) || /\bCREATE\s+TABLE\b/i.test(content)) {
+                if (!hasTimestamps) {
+                    findings.push({
+                        ruleId: "DB-001",
+                        severity: "high",
+                        category: "database",
+                        title: "Missing audit timestamps in schema",
+                        description: "Database schema does not include created_at/updated_at timestamps. These are mandatory for audit trails.",
+                        file: filePath,
+                        evidence: "No created_at/updated_at columns detected",
+                        controlIds: ["GDPR-ART32-006"],
+                        fix: "Add created_at and updated_at columns to all tables. In Prisma: @@map, in Sequelize: timestamps: true.",
+                    });
+                }
+                if (!hasSoftDelete) {
+                    findings.push({
+                        ruleId: "DB-002",
+                        severity: "medium",
+                        category: "database",
+                        title: "Missing soft delete pattern",
+                        description: "No deleted_at column or soft delete pattern found. Hard deletes prevent audit trail and data recovery.",
+                        file: filePath,
+                        evidence: "No deleted_at/softDelete pattern detected",
+                        controlIds: ["GDPR-ART32-007"],
+                        fix: "Add deleted_at column. In Prisma: add DeletedAt DateTime?, in Sequelize: paranoid: true.",
+                    });
+                }
+                if (!hasUserAudit) {
+                    findings.push({
+                        ruleId: "DB-003",
+                        severity: "medium",
+                        category: "database",
+                        title: "Missing user audit columns",
+                        description: "No created_by/updated_by columns found. Track who makes changes for accountability.",
+                        file: filePath,
+                        evidence: "No created_by/updated_by columns detected",
+                        controlIds: ["GDPR-ART32-006"],
+                        fix: "Add created_by and updated_by columns to track which user made changes.",
+                    });
+                }
+            }
+        }
+    }
+    checkORMConfig(ctx, findings) {
+        const prismaSchema = ctx.fileContents.get("prisma/schema.prisma");
+        if (prismaSchema) {
+            if (!/@@map/i.test(prismaSchema) && !/model\s+Audit/i.test(prismaSchema)) {
+                findings.push({
+                    ruleId: "DB-004",
+                    severity: "medium",
+                    category: "database",
+                    title: "No Audit model in Prisma schema",
+                    description: "Consider adding an Audit model for immutable audit logging.",
+                    file: "prisma/schema.prisma",
+                    evidence: "No Audit model found",
+                    controlIds: ["GDPR-ART32-006"],
+                    fix: "Add model Audit { id Int @id @default(autoincrement()) userId String action String resource String timestamp DateTime @default(now()) ipAddress String }",
+                });
+            }
+        }
+    }
+}
+//# sourceMappingURL=database-scanner.js.map

package/dist/scanners/database-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"database-scanner.js","sourceRoot":"","sources":["../../src/scanners/database-scanner.ts"],"names":[],"mappings":"AAEA,MAAM,OAAO,eAAe;IAC1B,IAAI,GAAG,UAAU,CAAC;IAElB,IAAI,CAAC,GAAgB;QACnB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,IAAI,CAAC,mBAAmB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACxC,IAAI,CAAC,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAEnC,OAAO,QAAQ,CAAC;IAClB,CAAC;IAEO,mBAAmB,CAAC,GAAgB,EAAE,QAAmB;QAC/D,MAAM,oBAAoB,GAAG,CAAC,YAAY,EAAE,YAAY,CAAC,CAAC;QAC1D,MAAM,uBAAuB,GAAG,CAAC,YAAY,EAAE,YAAY,EAAE,YAAY,CAAC,CAAC;QAC3E,MAAM,cAAc,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;QAElF,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACnD,MAAM,GAAG,GAAG,QAAQ,CAAC,SAAS,CAAC,QAAQ,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC;YAC1D,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,GAAG,CAAC;gBAAE,SAAS;YAEvC,MAAM,aAAa,GAAG,gDAAgD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACrF,MAAM,aAAa,GAAG,yDAAyD,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAC9F,MAAM,YAAY,GAAG,0DAA0D,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YAE9F,IAAI,wCAAwC,CAAC,IAAI,CAAC,OAAO,CAAC,IAAI,qBAAqB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAClG,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,QAAQ;wBAChB,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,UAAU;wBACpB,KAAK,EAAE,oCAAoC;wBAC3C,WAAW,EAAE,0GAA0G;wBACvH,IAAI,EAAE,QAAQ;wBACd,QAAQ,EAAE,2CAA2C;wBACrD,UAAU,EAAE,CAAC,gBAAgB,CAAC;wBAC9B,GAAG,EAAE,wGAAwG;qBAC9G,CAAC,CAAC;gBACL,CAAC;gBAED,IAAI,CAAC,aAAa,EAAE,CAAC;oBACnB,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,QAAQ;wBAChB,QAAQ,EAAE,QAAQ;wBAClB,QAAQ,EAAE,UAAU;wBACpB,KAAK,EAAE,6BAA6B;wBACpC,WAAW,EAAE,wGAAwG;wBACrH,IAAI,EAAE,QAAQ;wBACd,QAAQ,EAAE,2CAA2C;wBACrD,UAAU,EAAE,CAAC,gBAAgB,CAAC;wBAC9B,GAAG,EAAE,0FAA0F;qBAChG,CAAC,CAAC;gBACL,CAAC;gBAED,IAAI,CAAC,YAAY,EAAE,CAAC;oBAClB,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,QAAQ;wBAChB,QAAQ,EAAE,QAAQ;wBAClB,QAAQ,EAAE,UAAU;wBACpB,KAAK,EAAE,4BAA4B;wBACnC,WAAW,EAAE,qFAAqF;wBAClG,IAAI,EAAE,QAAQ;wBACd,QAAQ,EAAE,2CAA2C;wBACrD,UAAU,EAAE,CAAC,gBAAgB,CAAC;wBAC9B,GAAG,EAAE,yEAAyE;qBAC/E,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;QACH,CAAC;IACH,CAAC;IAEO,cAAc,CAAC,GAAgB,EAAE,QAAmB;QAC1D,MAAM,YAAY,GAAG,GAAG,CAAC,YAAY,CAAC,GAAG,CAAC,sBAAsB,CAAC,CAAC;QAClE,IAAI,YAAY,EAAE,CAAC;YACjB,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,YAAY,CAAC,IAAI,CAAC,gBAAgB,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;gBACzE,QAAQ,CAAC,IAAI,CAAC;oBACZ,MAAM,EAAE,QAAQ;oBAChB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,UAAU;oBACpB,KAAK,EAAE,iCAAiC;oBACxC,WAAW,EAAE,6DAA6D;oBAC1E,IAAI,EAAE,sBAAsB;oBAC5B,QAAQ,EAAE,sBAAsB;oBAChC,UAAU,EAAE,CAAC,gBAAgB,CAAC;oBAC9B,GAAG,EAAE,0JAA0J;iBAChK,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;CACF"}

package/dist/scanners/secrets-scanner.d.ts

@@ -0,0 +1,5 @@
+import type { Scanner, Finding, ScanContext } from "./types.js";
+export declare class SecretsScanner implements Scanner {
+    name: string;
+    scan(ctx: ScanContext): Finding[];
+}

package/dist/scanners/secrets-scanner.js

@@ -0,0 +1,69 @@
+const SECRET_PATTERNS = [
+    { pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"][^'"]{4,}/gi, name: "Hardcoded password" },
+    { pattern: /(?:api[_-]?key|apikey)\s*[:=]\s*['"][^'"]{4,}/gi, name: "Hardcoded API key" },
+    { pattern: /(?:secret|token|auth)\s*[:=]\s*['"][^'"]{8,}/gi, name: "Hardcoded secret/token" },
+    { pattern: /(?:mongodb|postgres|mysql|redis):\/\/[^\s'"]{10,}/gi, name: "Database connection string with credentials" },
+    { pattern: /sk-[a-zA-Z0-9]{20,}/g, name: "OpenAI/API key pattern" },
+    { pattern: /AKIA[0-9A-Z]{16}/g, name: "AWS Access Key ID" },
+    { pattern: /-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/g, name: "Private key in source" },
+    { pattern: /ghp_[a-zA-Z0-9]{36}/g, name: "GitHub personal access token" },
+    { pattern: /gho_[a-zA-Z0-9]{36}/g, name: "GitHub OAuth token" },
+    { pattern: /glpat-[a-zA-Z0-9\-]{20,}/g, name: "GitLab personal access token" },
+    { pattern: /xox[bpsa]-[a-zA-Z0-9\-]{10,}/g, name: "Slack token" },
+    { pattern: /eyJ[a-zA-Z0-9_-]{10,}\.[a-zA-Z0-9_-]{10,}/g, name: "JWT token in source" },
+    { pattern: /(?:CONNECTION_STRING|DATABASE_URL|DB_PASSWORD|SECRET_KEY|PRIVATE_KEY)\s*[:=]\s*['"][^'"]{4,}/gi, name: "Sensitive environment variable with value" },
+];
+const IGNORE_DIRS = new Set([
+    "node_modules", ".git", "dist", "build", ".next", ".nuxt", "coverage",
+    ".ges", "vendor", "__pycache__", ".venv", "venv",
+]);
+const IGNORE_FILES = new Set([
+    ".gitignore", "package-lock.json", "pnpm-lock.yaml", "yarn.lock",
+]);
+function shouldScanFile(filePath) {
+    const parts = filePath.split("/");
+    if (parts.some(p => IGNORE_DIRS.has(p)))
+        return false;
+    if (IGNORE_FILES.has(parts[parts.length - 1] || ""))
+        return false;
+    return true;
+}
+export class SecretsScanner {
+    name = "secrets";
+    scan(ctx) {
+        const findings = [];
+        for (const [filePath, content] of ctx.fileContents) {
+            if (!shouldScanFile(filePath))
+                continue;
+            const lines = content.split("\n");
+            for (let i = 0; i < lines.length; i++) {
+                const line = lines[i];
+                for (const { pattern, name } of SECRET_PATTERNS) {
+                    pattern.lastIndex = 0;
+                    const match = pattern.exec(line);
+                    if (match) {
+                        findings.push({
+                            ruleId: "SECRETS-001",
+                            severity: "critical",
+                            category: "secrets",
+                            title: name,
+                            description: "A secret or credential was found in source code. Secrets must never be committed to repositories.",
+                            file: filePath,
+                            line: i + 1,
+                            evidence: maskSecret(match[0]),
+                            controlIds: ["OWASP-ASVS-005", "GDPR-ART32-002"],
+                            fix: "Move this secret to a secure vault (Vault, AWS KMS, etc.) or environment variable. Never commit secrets to source control.",
+                        });
+                    }
+                }
+            }
+        }
+        return findings;
+    }
+}
+function maskSecret(secret) {
+    if (secret.length <= 8)
+        return "***";
+    return secret.slice(0, 4) + "***" + secret.slice(-4);
+}
+//# sourceMappingURL=secrets-scanner.js.map

package/dist/scanners/secrets-scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-scanner.js","sourceRoot":"","sources":["../../src/scanners/secrets-scanner.ts"],"names":[],"mappings":"AAEA,MAAM,eAAe,GAAG;IACtB,EAAE,OAAO,EAAE,kDAAkD,EAAE,IAAI,EAAE,oBAAoB,EAAE;IAC3F,EAAE,OAAO,EAAE,iDAAiD,EAAE,IAAI,EAAE,mBAAmB,EAAE;IACzF,EAAE,OAAO,EAAE,gDAAgD,EAAE,IAAI,EAAE,wBAAwB,EAAE;IAC7F,EAAE,OAAO,EAAE,qDAAqD,EAAE,IAAI,EAAE,6CAA6C,EAAE;IACvH,EAAE,OAAO,EAAE,sBAAsB,EAAE,IAAI,EAAE,wBAAwB,EAAE;IACnE,EAAE,OAAO,EAAE,mBAAmB,EAAE,IAAI,EAAE,mBAAmB,EAAE;IAC3D,EAAE,OAAO,EAAE,2CAA2C,EAAE,IAAI,EAAE,uBAAuB,EAAE;IACvF,EAAE,OAAO,EAAE,sBAAsB,EAAE,IAAI,EAAE,8BAA8B,EAAE;IACzE,EAAE,OAAO,EAAE,sBAAsB,EAAE,IAAI,EAAE,oBAAoB,EAAE;IAC/D,EAAE,OAAO,EAAE,2BAA2B,EAAE,IAAI,EAAE,8BAA8B,EAAE;IAC9E,EAAE,OAAO,EAAE,+BAA+B,EAAE,IAAI,EAAE,aAAa,EAAE;IACjE,EAAE,OAAO,EAAE,4CAA4C,EAAE,IAAI,EAAE,qBAAqB,EAAE;IACtF,EAAE,OAAO,EAAE,gGAAgG,EAAE,IAAI,EAAE,2CAA2C,EAAE;CACjK,CAAC;AAEF,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC;IAC1B,cAAc,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,UAAU;IACrE,MAAM,EAAE,QAAQ,EAAE,aAAa,EAAE,OAAO,EAAE,MAAM;CACjD,CAAC,CAAC;AAEH,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC;IAC3B,YAAY,EAAE,mBAAmB,EAAE,gBAAgB,EAAE,WAAW;CACjE,CAAC,CAAC;AAEH,SAAS,cAAc,CAAC,QAAgB;IACtC,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;IAClC,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACtD,IAAI,YAAY,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC;QAAE,OAAO,KAAK,CAAC;IAClE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,OAAO,cAAc;IACzB,IAAI,GAAG,SAAS,CAAC;IAEjB,IAAI,CAAC,GAAgB;QACnB,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,CAAC,QAAQ,EAAE,OAAO,CAAC,IAAI,GAAG,CAAC,YAAY,EAAE,CAAC;YACnD,IAAI,CAAC,cAAc,CAAC,QAAQ,CAAC;gBAAE,SAAS;YAExC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;YAClC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;gBACtC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;gBACtB,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,eAAe,EAAE,CAAC;oBAChD,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;oBACtB,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;oBACjC,IAAI,KAAK,EAAE,CAAC;wBACV,QAAQ,CAAC,IAAI,CAAC;4BACZ,MAAM,EAAE,aAAa;4BACrB,QAAQ,EAAE,UAAU;4BACpB,QAAQ,EAAE,SAAS;4BACnB,KAAK,EAAE,IAAI;4BACX,WAAW,EAAE,mGAAmG;4BAChH,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,CAAC,GAAG,CAAC;4BACX,QAAQ,EAAE,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;4BAC9B,UAAU,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,CAAC;4BAChD,GAAG,EAAE,4HAA4H;yBAClI,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,QAAQ,CAAC;IAClB,CAAC;CACF;AAED,SAAS,UAAU,CAAC,MAAc;IAChC,IAAI,MAAM,CAAC,MAAM,IAAI,CAAC;QAAE,OAAO,KAAK,CAAC;IACrC,OAAO,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AACvD,CAAC"}

package/dist/scanners/types.d.ts

@@ -0,0 +1,22 @@
+export interface Finding {
+    ruleId: string;
+    severity: "critical" | "high" | "medium" | "low";
+    category: string;
+    title: string;
+    description: string;
+    file: string;
+    line?: number;
+    evidence: string;
+    controlIds: string[];
+    fix: string;
+}
+export interface ScanContext {
+    root: string;
+    files: string[];
+    fileContents: Map<string, string>;
+    config?: Record<string, unknown>;
+}
+export interface Scanner {
+    name: string;
+    scan(ctx: ScanContext): Finding[];
+}

package/dist/scanners/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/dist/scanners/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/scanners/types.ts"],"names":[],"mappings":""}

package/package.json

@@ -0,0 +1,26 @@
+{
+  "name": "@greenarmor/ges-audit-engine",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "GESF Audit Engine - Audit trails and compliance evaluation",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "default": "./dist/index.js"
+    }
+  },
+  "dependencies": {
+    "@greenarmor/ges-core": "0.1.0"
+  },
+  "devDependencies": {
+    "typescript": "^6.0.0",
+    "@types/node": "^22.0.0"
+  },
+  "scripts": {
+    "build": "tsc",
+    "clean": "rm -rf dist tsconfig.tsbuildinfo",
+    "test": "echo \"no tests yet\""
+  }
+}

package/src/index.ts

@@ -0,0 +1,97 @@
+import * as fs from "node:fs";
+import * as path from "node:path";
+import type { Finding, ScanContext } from "./scanners/types.js";
+import { SecretsScanner } from "./scanners/secrets-scanner.js";
+import { CryptoScanner } from "./scanners/crypto-scanner.js";
+import { CodeSecurityScanner } from "./scanners/code-security-scanner.js";
+import { AuthScanner } from "./scanners/auth-scanner.js";
+import { ConfigScanner } from "./scanners/config-scanner.js";
+import { DatabaseScanner } from "./scanners/database-scanner.js";
+
+export type { Finding } from "./scanners/types.js";
+
+const IGNORE_DIRS = new Set([
+  "node_modules", ".git", "dist", "build", ".next", ".nuxt", "coverage",
+  ".ges", "vendor", "__pycache__", ".venv", "venv", ".turbo", ".cache",
+  "reports", "compliance", "security", "controls", "policies", "checklists", "docs",
+]);
+
+const IGNORE_EXTENSIONS = new Set([
+  ".png", ".jpg", ".jpeg", ".gif", ".webp", ".svg", ".ico", ".woff",
+  ".woff2", ".ttf", ".eot", ".mp4", ".mp3", ".zip", ".gz", ".tar",
+  ".lock", ".map", ".wasm",
+]);
+
+function collectFiles(root: string): string[] {
+  const files: string[] = [];
+
+  function walk(dir: string) {
+    const entries = fs.readdirSync(dir, { withFileTypes: true });
+    for (const entry of entries) {
+      if (IGNORE_DIRS.has(entry.name)) continue;
+      const fullPath = path.join(dir, entry.name);
+      if (entry.isDirectory()) {
+        walk(fullPath);
+      } else if (entry.isFile()) {
+        const ext = path.extname(entry.name);
+        if (!IGNORE_EXTENSIONS.has(ext)) {
+          files.push(path.relative(root, fullPath));
+        }
+      }
+    }
+  }
+
+  walk(root);
+  return files;
+}
+
+function readFiles(root: string, files: string[]): Map<string, string> {
+  const contents = new Map<string, string>();
+  const MAX_FILE_SIZE = 1024 * 1024;
+
+  for (const file of files) {
+    try {
+      const fullPath = path.join(root, file);
+      const stat = fs.statSync(fullPath);
+      if (stat.size > MAX_FILE_SIZE) continue;
+      const content = fs.readFileSync(fullPath, "utf-8");
+      contents.set(file, content);
+    } catch {
+      // skip unreadable files
+    }
+  }
+
+  return contents;
+}
+
+export function runAudit(root: string): { findings: Finding[]; scannedFiles: number } {
+  const files = collectFiles(root);
+  const fileContents = readFiles(root, files);
+  const ctx: ScanContext = { root, files, fileContents };
+
+  const scanners = [
+    new SecretsScanner(),
+    new CryptoScanner(),
+    new CodeSecurityScanner(),
+    new AuthScanner(),
+    new ConfigScanner(),
+    new DatabaseScanner(),
+  ];
+
+  const allFindings: Finding[] = [];
+  for (const scanner of scanners) {
+    allFindings.push(...scanner.scan(ctx));
+  }
+
+  return { findings: allFindings, scannedFiles: files.length };
+}
+
+export function deduplicateFindings(findings: Finding[]): Finding[] {
+  const seen = new Set<string>();
+  return findings.filter(f => {
+    const key = `${f.ruleId}:${f.file}:${f.line || ""}:${f.evidence}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}