@indicated/vibeguard 1.0.0

package/src/scanner/rules/matcher.ts

@@ -0,0 +1,68 @@
+import { SecurityRule, Finding } from '../../types';
+
+export interface MatchContext {
+  code: string;
+  lines: string[];
+  filePath: string;
+  language: string;
+}
+
+export function matchPatterns(
+  rule: SecurityRule,
+  context: MatchContext
+): Finding[] {
+  const findings: Finding[] = [];
+
+  if (!rule.patterns) return findings;
+
+  for (const pattern of rule.patterns) {
+    let match;
+    const regex = new RegExp(
+      pattern.source,
+      pattern.flags + (pattern.flags.includes('g') ? '' : 'g')
+    );
+
+    while ((match = regex.exec(context.code)) !== null) {
+      const beforeMatch = context.code.substring(0, match.index);
+      const lineNumber = (beforeMatch.match(/\n/g) || []).length + 1;
+      const lineStart = beforeMatch.lastIndexOf('\n') + 1;
+      const column = match.index - lineStart;
+
+      findings.push({
+        rule,
+        file: context.filePath,
+        line: lineNumber,
+        column,
+        code: context.lines[lineNumber - 1] || '',
+        message: rule.description,
+      });
+
+      // Prevent infinite loops on zero-width matches
+      if (match.index === regex.lastIndex) {
+        regex.lastIndex++;
+      }
+    }
+  }
+
+  return findings;
+}
+
+export function deduplicateFindings(findings: Finding[]): Finding[] {
+  const seen = new Set<string>();
+  return findings.filter(finding => {
+    const key = `${finding.rule.id}:${finding.file}:${finding.line}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}
+
+export function sortBySeverity(findings: Finding[]): Finding[] {
+  const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+  return findings.sort((a, b) => {
+    const severityDiff =
+      severityOrder[a.rule.severity] - severityOrder[b.rule.severity];
+    if (severityDiff !== 0) return severityDiff;
+    return a.file.localeCompare(b.file) || a.line - b.line;
+  });
+}

package/src/types.ts

@@ -0,0 +1,36 @@
+export type Severity = 'critical' | 'high' | 'medium' | 'low';
+
+export interface SecurityRule {
+  id: string;
+  name: string;
+  description: string;
+  severity: Severity;
+  languages: ('javascript' | 'typescript' | 'python')[];
+  patterns?: RegExp[];
+  astMatcher?: string;
+  fix?: string;
+}
+
+export interface Finding {
+  rule: SecurityRule;
+  file: string;
+  line: number;
+  column: number;
+  code: string;
+  message: string;
+}
+
+export interface ScanResult {
+  files: number;
+  findings: Finding[];
+  duration: number;
+}
+
+export interface Config {
+  exclude?: string[];
+  severity?: Severity;
+  rules?: {
+    enabled?: string[];
+    disabled?: string[];
+  };
+}

package/test-samples/secure.js

@@ -0,0 +1,52 @@
+// Test file with secure code patterns
+
+// Good: Using environment variables
+const apiKey = process.env.API_KEY;
+const dbPassword = process.env.DB_PASSWORD;
+
+// Good: Parameterized queries
+async function getUser(userId) {
+  return db.query('SELECT * FROM users WHERE id = $1', [userId]);
+}
+
+// Good: Safe JSON parsing
+function processData(userInput) {
+  return JSON.parse(userInput);
+}
+
+// Good: Using textContent instead of innerHTML
+function renderContent(content) {
+  document.getElementById('output').textContent = content;
+}
+
+// Good: httpOnly cookies must be set server-side
+// This is the correct way (in Express/Node.js):
+// res.cookie('token', token, { httpOnly: true, secure: true, sameSite: 'strict' });
+
+// Client-side, we only set non-sensitive cookies:
+function savePreference(theme) {
+  document.cookie = `theme=${theme}; SameSite=Strict`;
+}
+
+// Good: CORS with specific origin
+app.use(cors({ origin: 'https://myapp.com' }));
+
+// Good: HTTPS
+fetch('https://api.example.com/data');
+
+// Good: Strong password validation
+if (password.length >= 12 && /[A-Z]/.test(password) && /[0-9]/.test(password)) {
+  console.log('Password is valid');
+}
+
+// Good: Generic error messages
+app.use((err, req, res, next) => {
+  console.error(err);
+  res.status(500).json({ error: 'An error occurred' });
+});
+
+// Good: Route with authentication
+app.post('/api/users', authMiddleware, (req, res) => {
+  const user = createUser(req.body);
+  res.json(user);
+});

package/test-samples/vulnerable.js

@@ -0,0 +1,56 @@
+// Test file with intentional vulnerabilities for scanner testing
+
+// CRITICAL: Hardcoded API key
+const OPENAI_KEY = "sk-1234567890abcdefghijklmnopqrstuvwxyz";
+const apiKey = "ghp_abcdefghijklmnopqrstuvwxyz1234567890";
+
+// CRITICAL: SQL injection
+async function getUser(userId) {
+  const query = `SELECT * FROM users WHERE id = ${userId}`;
+  return db.query(query);
+}
+
+// CRITICAL: eval with user input
+function processData(userInput) {
+  return eval(userInput);
+}
+
+// HIGH: XSS via innerHTML
+function renderContent(content) {
+  document.getElementById('output').innerHTML = content;
+}
+
+// HIGH: Storing tokens in localStorage
+function saveToken(token) {
+  localStorage.setItem('auth_token', token);
+  sessionStorage.setItem('jwt', token);
+}
+
+// HIGH: Supabase without RLS consideration
+async function getData() {
+  const { data } = await supabase.from('users').select('*');
+  return data;
+}
+
+// MEDIUM: Permissive CORS
+app.use(cors());
+const headers = { 'Access-Control-Allow-Origin': '*' };
+
+// MEDIUM: HTTP instead of HTTPS
+fetch('http://api.example.com/data');
+
+// MEDIUM: Weak password
+if (password.length >= 4) {
+  console.log('Password is valid');
+}
+
+// LOW: Verbose errors
+app.use((err, req, res, next) => {
+  res.status(500).json(err.message);
+});
+
+// HIGH: API route without auth
+app.post('/api/users', (req, res) => {
+  const user = createUser(req.body);
+  res.json(user);
+});

package/test-samples/vulnerable.py

@@ -0,0 +1,39 @@
+# Test file with intentional Python vulnerabilities
+
+import sqlite3
+from flask import Flask, request
+from flask_cors import CORS
+
+app = Flask(__name__)
+CORS(app)
+
+# CRITICAL: Hardcoded secret
+api_key = "sk-1234567890abcdefghijklmnopqrstuvwxyz"
+password = "supersecret123"
+
+# CRITICAL: SQL injection with f-string
+def get_user(user_id):
+    cursor.execute(f"SELECT * FROM users WHERE id = {user_id}")
+    return cursor.fetchone()
+
+# CRITICAL: SQL injection with string formatting
+def search_users(name):
+    cursor.execute("SELECT * FROM users WHERE name = '%s'" % name)
+    return cursor.fetchall()
+
+# CRITICAL: eval with user input
+def process_input(data):
+    return eval(request.form['expression'])
+
+# MEDIUM: Debug mode in production
+if __name__ == '__main__':
+    app.run(debug=True)
+
+# MEDIUM: Weak password validation
+def validate_password(password):
+    if len(password) >= 4:
+        return True
+    return False
+
+# MEDIUM: HTTP URL
+response = requests.get('http://api.example.com/data')

package/tests/helpers.ts

@@ -0,0 +1,43 @@
+import { securityRules } from '../src/scanner/rules/definitions';
+import { SecurityRule } from '../src/types';
+
+/**
+ * Test if a code snippet triggers a specific rule
+ */
+export function testRule(ruleId: string, code: string): boolean {
+  const rule = securityRules.find(r => r.id === ruleId);
+  if (!rule) {
+    throw new Error(`Rule not found: ${ruleId}`);
+  }
+
+  if (!rule.patterns || rule.patterns.length === 0) {
+    // Rule uses AST matcher only, skip pattern test
+    return false;
+  }
+
+  for (const pattern of rule.patterns) {
+    // Reset lastIndex for global patterns
+    if (pattern.global) {
+      pattern.lastIndex = 0;
+    }
+    if (pattern.test(code)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Get a rule by ID
+ */
+export function getRule(ruleId: string): SecurityRule | undefined {
+  return securityRules.find(r => r.id === ruleId);
+}
+
+/**
+ * Get all rule IDs
+ */
+export function getAllRuleIds(): string[] {
+  return securityRules.map(r => r.id);
+}

package/tests/rules/critical.test.ts

@@ -0,0 +1,186 @@
+import { describe, it, expect } from 'vitest';
+import { testRule, getRule } from '../helpers';
+
+describe('Critical Security Rules', () => {
+  describe('hardcoded-secret', () => {
+    const ruleId = 'hardcoded-secret';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect OpenAI API keys', () => {
+      expect(testRule(ruleId, `const key = "sk-abc123def456ghi789jkl012mno345pqr678"`)).toBe(true);
+    });
+
+    it('should detect GitHub tokens', () => {
+      expect(testRule(ruleId, `const token = "ghp_1234567890abcdefghijklmnopqrstuvwxyz"`)).toBe(true);
+    });
+
+    it('should detect AWS access keys', () => {
+      expect(testRule(ruleId, `const aws = "AKIAIOSFODNN7EXAMPLE"`)).toBe(true);
+    });
+
+    it('should detect Slack tokens', () => {
+      expect(testRule(ruleId, `const slack = "xoxb-123456789012-1234567890123-abcdefghij"`)).toBe(true);
+    });
+
+    it('should detect JWT tokens', () => {
+      expect(testRule(ruleId, `const jwt = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.abc123"`)).toBe(true);
+    });
+
+    it('should NOT detect environment variable usage', () => {
+      expect(testRule(ruleId, `const key = process.env.API_KEY`)).toBe(false);
+    });
+
+    it('should NOT detect placeholder values', () => {
+      expect(testRule(ruleId, `const key = "your-api-key-here"`)).toBe(false);
+    });
+  });
+
+  describe('sql-injection', () => {
+    const ruleId = 'sql-injection';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    // Note: sql-injection uses AST matcher, pattern tests may not apply
+    it('should have AST matcher configured', () => {
+      const rule = getRule(ruleId);
+      expect(rule?.astMatcher).toBe('sql-injection');
+    });
+  });
+
+  describe('eval-usage', () => {
+    const ruleId = 'eval-usage';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    // Note: eval-usage uses AST matcher
+    it('should have AST matcher configured', () => {
+      const rule = getRule(ruleId);
+      expect(rule?.astMatcher).toBe('eval-usage');
+    });
+  });
+
+  describe('command-injection', () => {
+    const ruleId = 'command-injection';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect exec with template literal', () => {
+      expect(testRule(ruleId, 'exec(`ls ${userInput}`)'));
+    });
+
+    it('should detect execSync with template literal', () => {
+      expect(testRule(ruleId, 'execSync(`cat ${filename}`)'));
+    });
+
+    it('should detect Python subprocess with shell=True', () => {
+      expect(testRule(ruleId, 'subprocess.call(cmd, shell=True)')).toBe(true);
+    });
+
+    it('should detect Python os.system with f-string', () => {
+      expect(testRule(ruleId, 'os.system(f"rm {file}")')).toBe(true);
+    });
+
+    it('should NOT detect exec with static string', () => {
+      expect(testRule(ruleId, 'exec("ls -la")')).toBe(false);
+    });
+  });
+
+  describe('insecure-deserialization', () => {
+    const ruleId = 'insecure-deserialization';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect pickle.loads', () => {
+      expect(testRule(ruleId, 'data = pickle.loads(user_input)')).toBe(true);
+    });
+
+    it('should detect pickle.load', () => {
+      expect(testRule(ruleId, 'data = pickle.load(file)')).toBe(true);
+    });
+
+    it('should detect yaml.load without Loader', () => {
+      expect(testRule(ruleId, 'config = yaml.load(data)')).toBe(true);
+    });
+
+    it('should detect node-serialize', () => {
+      expect(testRule(ruleId, 'const obj = node-serialize.unserialize(data)')).toBe(true);
+    });
+
+    it('should NOT detect yaml.safe_load', () => {
+      expect(testRule(ruleId, 'config = yaml.safe_load(data)')).toBe(false);
+    });
+  });
+
+  describe('django-debug-true', () => {
+    const ruleId = 'django-debug-true';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect DEBUG = True', () => {
+      expect(testRule(ruleId, 'DEBUG = True')).toBe(true);
+    });
+
+    it('should NOT detect DEBUG = False', () => {
+      expect(testRule(ruleId, 'DEBUG = False')).toBe(false);
+    });
+
+    it('should NOT detect DEBUG from env', () => {
+      expect(testRule(ruleId, 'DEBUG = os.environ.get("DEBUG", False)')).toBe(false);
+    });
+  });
+
+  describe('django-secret-key-exposed', () => {
+    const ruleId = 'django-secret-key-exposed';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect hardcoded SECRET_KEY', () => {
+      expect(testRule(ruleId, `SECRET_KEY = "django-insecure-abc123def456ghi789"`)).toBe(true);
+    });
+
+    it('should NOT detect SECRET_KEY from env', () => {
+      expect(testRule(ruleId, `SECRET_KEY = os.environ.get("SECRET_KEY")`)).toBe(false);
+    });
+  });
+
+  describe('django-raw-sql', () => {
+    const ruleId = 'django-raw-sql';
+
+    it('should exist', () => {
+      expect(getRule(ruleId)).toBeDefined();
+    });
+
+    it('should detect .raw() with f-string', () => {
+      expect(testRule(ruleId, 'User.objects.raw(f"SELECT * FROM users WHERE id = {user_id}")')).toBe(true);
+    });
+
+    it('should detect cursor.execute with f-string', () => {
+      expect(testRule(ruleId, 'cursor.execute(f"DELETE FROM {table}")')).toBe(true);
+    });
+
+    it('should detect .extra() with where clause', () => {
+      expect(testRule(ruleId, '.extra(where=["id = %s"])')).toBe(true);
+    });
+
+    it('should detect .raw() even with params (requires manual review)', () => {
+      // Pattern flags all .raw() calls for manual review since parameterized
+      // queries can still be vulnerable if params come from user input
+      expect(testRule(ruleId, 'User.objects.raw("SELECT * FROM users WHERE id = %s", [user_id])')).toBe(true);
+    });
+  });
+});

package/tests/rules/definitions.test.ts

@@ -0,0 +1,167 @@
+import { describe, it, expect } from 'vitest';
+import { securityRules, getRuleById, getRulesBySeverity } from '../../src/scanner/rules/definitions';
+
+describe('Security Rules Definitions', () => {
+  describe('rule structure', () => {
+    it('should have at least 40 rules', () => {
+      expect(securityRules.length).toBeGreaterThanOrEqual(40);
+    });
+
+    it('all rules should have required fields', () => {
+      for (const rule of securityRules) {
+        expect(rule.id).toBeDefined();
+        expect(rule.id).toMatch(/^[a-zA-Z0-9-]+$/);
+        expect(rule.name).toBeDefined();
+        expect(rule.name.length).toBeGreaterThan(0);
+        expect(rule.description).toBeDefined();
+        expect(rule.description.length).toBeGreaterThan(0);
+        expect(rule.severity).toBeDefined();
+        expect(['critical', 'high', 'medium', 'low']).toContain(rule.severity);
+        expect(rule.languages).toBeDefined();
+        expect(rule.languages.length).toBeGreaterThan(0);
+        expect(rule.fix).toBeDefined();
+        expect(rule.fix.length).toBeGreaterThan(0);
+      }
+    });
+
+    it('all rules should have either patterns or astMatcher', () => {
+      for (const rule of securityRules) {
+        const hasPatterns = rule.patterns && rule.patterns.length > 0;
+        const hasAstMatcher = !!rule.astMatcher;
+        expect(hasPatterns || hasAstMatcher).toBe(true);
+      }
+    });
+
+    it('all rule IDs should be unique', () => {
+      const ids = securityRules.map(r => r.id);
+      const uniqueIds = new Set(ids);
+      expect(uniqueIds.size).toBe(ids.length);
+    });
+
+    it('all patterns should be valid RegExp', () => {
+      for (const rule of securityRules) {
+        if (rule.patterns) {
+          for (const pattern of rule.patterns) {
+            expect(pattern).toBeInstanceOf(RegExp);
+          }
+        }
+      }
+    });
+  });
+
+  describe('severity distribution', () => {
+    it('should have critical rules', () => {
+      const critical = securityRules.filter(r => r.severity === 'critical');
+      expect(critical.length).toBeGreaterThan(0);
+    });
+
+    it('should have high rules', () => {
+      const high = securityRules.filter(r => r.severity === 'high');
+      expect(high.length).toBeGreaterThan(0);
+    });
+
+    it('should have medium rules', () => {
+      const medium = securityRules.filter(r => r.severity === 'medium');
+      expect(medium.length).toBeGreaterThan(0);
+    });
+
+    it('should have low rules', () => {
+      const low = securityRules.filter(r => r.severity === 'low');
+      expect(low.length).toBeGreaterThan(0);
+    });
+  });
+
+  describe('language support', () => {
+    it('should have JavaScript rules', () => {
+      const jsRules = securityRules.filter(r => r.languages.includes('javascript'));
+      expect(jsRules.length).toBeGreaterThan(0);
+    });
+
+    it('should have TypeScript rules', () => {
+      const tsRules = securityRules.filter(r => r.languages.includes('typescript'));
+      expect(tsRules.length).toBeGreaterThan(0);
+    });
+
+    it('should have Python rules', () => {
+      const pyRules = securityRules.filter(r => r.languages.includes('python'));
+      expect(pyRules.length).toBeGreaterThan(0);
+    });
+  });
+
+  describe('getRuleById', () => {
+    it('should return rule by ID', () => {
+      const rule = getRuleById('hardcoded-secret');
+      expect(rule).toBeDefined();
+      expect(rule?.id).toBe('hardcoded-secret');
+    });
+
+    it('should return undefined for non-existent ID', () => {
+      const rule = getRuleById('non-existent-rule');
+      expect(rule).toBeUndefined();
+    });
+  });
+
+  describe('getRulesBySeverity', () => {
+    it('should return critical rules', () => {
+      const rules = getRulesBySeverity('critical');
+      expect(rules.length).toBeGreaterThan(0);
+      expect(rules.every(r => r.severity === 'critical')).toBe(true);
+    });
+
+    it('should return high rules', () => {
+      const rules = getRulesBySeverity('high');
+      expect(rules.length).toBeGreaterThan(0);
+      expect(rules.every(r => r.severity === 'high')).toBe(true);
+    });
+
+    it('should return empty array for invalid severity', () => {
+      const rules = getRulesBySeverity('invalid');
+      expect(rules).toEqual([]);
+    });
+  });
+
+  describe('specific rules exist', () => {
+    const expectedRules = [
+      // Critical
+      'hardcoded-secret',
+      'sql-injection',
+      'eval-usage',
+      'command-injection',
+      'insecure-deserialization',
+      'django-debug-true',
+      'django-secret-key-exposed',
+      'django-raw-sql',
+      // High
+      'missing-auth-route',
+      'xss-innerhtml',
+      'secrets-localstorage',
+      'supabase-no-rls',
+      'firebase-no-rules',
+      'idor-vulnerability',
+      'path-traversal',
+      'ssrf-vulnerability',
+      'open-redirect',
+      'insecure-cookie',
+      'missing-csrf',
+      // Medium
+      'permissive-cors',
+      'http-not-https',
+      'weak-password',
+      'hardcoded-ip',
+      'xxe-vulnerability',
+      'jwt-none-algorithm',
+      // Low
+      'verbose-errors',
+      'missing-rate-limit',
+      'console-log-sensitive',
+      'debug-mode-enabled',
+      'prototype-pollution',
+    ];
+
+    for (const ruleId of expectedRules) {
+      it(`should have rule: ${ruleId}`, () => {
+        expect(getRuleById(ruleId)).toBeDefined();
+      });
+    }
+  });
+});