@indicated/vibeguard 1.0.0

package/src/scanner/index.ts

@@ -0,0 +1,195 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import { glob } from 'glob';
+import { Finding, ScanResult, SecurityRule, Config } from '../types';
+import { loadRules, filterRules } from './rules/loader';
+import { parseJavaScript, scanWithAST, scanWithPatterns } from './parsers/javascript';
+import { scanPythonWithPatterns } from './parsers/python';
+
+const SUPPORTED_EXTENSIONS: Record<string, string> = {
+  '.js': 'javascript',
+  '.jsx': 'javascript',
+  '.ts': 'typescript',
+  '.tsx': 'typescript',
+  '.mjs': 'javascript',
+  '.cjs': 'javascript',
+  '.py': 'python',
+};
+
+const DEFAULT_EXCLUDE = [
+  '**/node_modules/**',
+  '**/dist/**',
+  '**/build/**',
+  '**/.git/**',
+  '**/coverage/**',
+  '**/__pycache__/**',
+  '**/venv/**',
+  '**/.venv/**',
+  '**/env/**',
+  '**/*.min.js',
+  '**/*.bundle.js',
+];
+
+export class Scanner {
+  private rules: SecurityRule[] = [];
+  private config: Config;
+
+  constructor(config: Config = {}) {
+    this.config = config;
+  }
+
+  async initialize(licenseKey?: string): Promise<void> {
+    const allRules = await loadRules(licenseKey);
+    this.rules = filterRules(allRules, {
+      enabled: this.config.rules?.enabled,
+      disabled: this.config.rules?.disabled,
+    });
+  }
+
+  async scan(targets: string[]): Promise<ScanResult> {
+    const startTime = Date.now();
+    const findings: Finding[] = [];
+    const files: string[] = [];
+
+    for (const target of targets) {
+      const targetPath = path.resolve(target);
+      const stat = fs.statSync(targetPath);
+
+      if (stat.isDirectory()) {
+        const globPattern = path.join(targetPath, '**/*');
+        const exclude = [...DEFAULT_EXCLUDE, ...(this.config.exclude || [])];
+
+        const matchedFiles = await glob(globPattern, {
+          ignore: exclude,
+          nodir: true,
+        });
+
+        files.push(...matchedFiles.filter(f => this.isSupportedFile(f)));
+      } else if (stat.isFile() && this.isSupportedFile(targetPath)) {
+        files.push(targetPath);
+      }
+    }
+
+    for (const file of files) {
+      const fileFindings = await this.scanFile(file);
+      findings.push(...fileFindings);
+    }
+
+    return {
+      files: files.length,
+      findings: this.sortFindings(findings),
+      duration: Date.now() - startTime,
+    };
+  }
+
+  async scanStaged(): Promise<ScanResult> {
+    const startTime = Date.now();
+    const findings: Finding[] = [];
+
+    // Get staged files from git
+    const { execSync } = await import('child_process');
+    let stagedFiles: string[] = [];
+
+    try {
+      const output = execSync('git diff --cached --name-only --diff-filter=ACM', {
+        encoding: 'utf-8',
+      });
+      stagedFiles = output
+        .split('\n')
+        .filter(f => f.trim() && this.isSupportedFile(f))
+        .map(f => path.resolve(f));
+    } catch {
+      // Not in a git repo or git not available
+      return {
+        files: 0,
+        findings: [],
+        duration: Date.now() - startTime,
+      };
+    }
+
+    for (const file of stagedFiles) {
+      if (fs.existsSync(file)) {
+        const fileFindings = await this.scanFile(file);
+        findings.push(...fileFindings);
+      }
+    }
+
+    return {
+      files: stagedFiles.length,
+      findings: this.sortFindings(findings),
+      duration: Date.now() - startTime,
+    };
+  }
+
+  private async scanFile(filePath: string): Promise<Finding[]> {
+    const findings: Finding[] = [];
+    const ext = path.extname(filePath);
+    const language = SUPPORTED_EXTENSIONS[ext];
+
+    if (!language) return findings;
+
+    let code: string;
+    try {
+      code = fs.readFileSync(filePath, 'utf-8');
+    } catch {
+      return findings;
+    }
+
+    // Filter rules by language
+    const languageRules = this.rules.filter(rule =>
+      rule.languages.includes(language as 'javascript' | 'typescript' | 'python')
+    );
+
+    if (language === 'javascript' || language === 'typescript') {
+      // Try AST-based scanning
+      const ast = parseJavaScript(code, filePath);
+      if (ast) {
+        const astFindings = scanWithAST(ast, languageRules, {
+          code,
+          lines: code.split('\n'),
+          filePath,
+        });
+        findings.push(...astFindings);
+      }
+
+      // Also run pattern-based scanning
+      const patternFindings = scanWithPatterns(code, languageRules, filePath);
+      findings.push(...patternFindings);
+    } else if (language === 'python') {
+      const patternFindings = scanPythonWithPatterns(code, languageRules, filePath);
+      findings.push(...patternFindings);
+    }
+
+    // Deduplicate findings
+    return this.deduplicateFindings(findings);
+  }
+
+  private isSupportedFile(filePath: string): boolean {
+    const ext = path.extname(filePath);
+    return ext in SUPPORTED_EXTENSIONS;
+  }
+
+  private sortFindings(findings: Finding[]): Finding[] {
+    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3 };
+    return findings.sort((a, b) => {
+      const severityDiff =
+        severityOrder[a.rule.severity] - severityOrder[b.rule.severity];
+      if (severityDiff !== 0) return severityDiff;
+      return a.file.localeCompare(b.file) || a.line - b.line;
+    });
+  }
+
+  private deduplicateFindings(findings: Finding[]): Finding[] {
+    const seen = new Set<string>();
+    return findings.filter(f => {
+      const key = `${f.rule.id}:${f.file}:${f.line}`;
+      if (seen.has(key)) return false;
+      seen.add(key);
+      return true;
+    });
+  }
+
+  getRules(): SecurityRule[] {
+    return this.rules;
+  }
+}

package/src/scanner/parsers/javascript.ts

@@ -0,0 +1,285 @@
+import * as parser from '@babel/parser';
+import traverse, { NodePath } from '@babel/traverse';
+import * as t from '@babel/types';
+import { Finding, SecurityRule } from '../../types';
+
+interface ASTContext {
+  code: string;
+  lines: string[];
+  filePath: string;
+}
+
+export function parseJavaScript(code: string, filePath: string): t.File | null {
+  try {
+    return parser.parse(code, {
+      sourceType: 'module',
+      plugins: [
+        'jsx',
+        'typescript',
+        'decorators-legacy',
+        'classProperties',
+        'optionalChaining',
+        'nullishCoalescingOperator',
+      ],
+    });
+  } catch {
+    // If parsing fails, return null and rely on regex patterns only
+    return null;
+  }
+}
+
+export function scanWithAST(
+  ast: t.File,
+  rules: SecurityRule[],
+  context: ASTContext
+): Finding[] {
+  const findings: Finding[] = [];
+
+  const astMatchers: Record<string, (path: NodePath) => Finding | null> = {
+    'eval-usage': (path: NodePath) => {
+      if (
+        path.isCallExpression() &&
+        t.isIdentifier(path.node.callee) &&
+        path.node.callee.name === 'eval'
+      ) {
+        const rule = rules.find(r => r.id === 'eval-usage');
+        if (rule) {
+          const loc = path.node.loc;
+          return {
+            rule,
+            file: context.filePath,
+            line: loc?.start.line || 0,
+            column: loc?.start.column || 0,
+            code: context.lines[(loc?.start.line || 1) - 1] || '',
+            message: rule.description,
+          };
+        }
+      }
+      return null;
+    },
+
+    'sql-injection': (path: NodePath) => {
+      if (path.isTemplateLiteral() || path.isBinaryExpression()) {
+        const parent = path.parentPath;
+        if (
+          parent?.isCallExpression() &&
+          t.isMemberExpression(parent.node.callee)
+        ) {
+          const callee = parent.node.callee;
+          const methodName = t.isIdentifier(callee.property) ? callee.property.name : '';
+
+          if (['query', 'exec', 'execute', 'raw'].includes(methodName)) {
+            // Check if there's string concatenation or template literal with expressions
+            if (
+              path.isTemplateLiteral() &&
+              path.node.expressions.length > 0
+            ) {
+              const codeSnippet = context.code.substring(
+                path.node.start || 0,
+                path.node.end || 0
+              ).toLowerCase();
+
+              if (
+                codeSnippet.includes('select') ||
+                codeSnippet.includes('insert') ||
+                codeSnippet.includes('update') ||
+                codeSnippet.includes('delete') ||
+                codeSnippet.includes('where')
+              ) {
+                const rule = rules.find(r => r.id === 'sql-injection');
+                if (rule) {
+                  const loc = path.node.loc;
+                  return {
+                    rule,
+                    file: context.filePath,
+                    line: loc?.start.line || 0,
+                    column: loc?.start.column || 0,
+                    code: context.lines[(loc?.start.line || 1) - 1] || '',
+                    message: rule.description,
+                  };
+                }
+              }
+            }
+          }
+        }
+      }
+      return null;
+    },
+
+    'xss-innerhtml': (path: NodePath) => {
+      if (path.isAssignmentExpression()) {
+        const left = path.node.left;
+        if (
+          t.isMemberExpression(left) &&
+          t.isIdentifier(left.property) &&
+          left.property.name === 'innerHTML'
+        ) {
+          const rule = rules.find(r => r.id === 'xss-innerhtml');
+          if (rule) {
+            const loc = path.node.loc;
+            return {
+              rule,
+              file: context.filePath,
+              line: loc?.start.line || 0,
+              column: loc?.start.column || 0,
+              code: context.lines[(loc?.start.line || 1) - 1] || '',
+              message: rule.description,
+            };
+          }
+        }
+      }
+
+      // Check for dangerouslySetInnerHTML in JSX
+      if (path.isJSXAttribute()) {
+        const name = path.node.name;
+        if (t.isJSXIdentifier(name) && name.name === 'dangerouslySetInnerHTML') {
+          const rule = rules.find(r => r.id === 'xss-innerhtml');
+          if (rule) {
+            const loc = path.node.loc;
+            return {
+              rule,
+              file: context.filePath,
+              line: loc?.start.line || 0,
+              column: loc?.start.column || 0,
+              code: context.lines[(loc?.start.line || 1) - 1] || '',
+              message: rule.description,
+            };
+          }
+        }
+      }
+
+      return null;
+    },
+
+    'missing-auth': (path: NodePath) => {
+      // Detect Express/Next.js API routes without auth checks
+      if (path.isCallExpression()) {
+        const callee = path.node.callee;
+        if (
+          t.isMemberExpression(callee) &&
+          t.isIdentifier(callee.property) &&
+          ['get', 'post', 'put', 'delete', 'patch'].includes(callee.property.name)
+        ) {
+          const args = path.node.arguments;
+          if (args.length >= 2) {
+            // Get the full call expression code to check for middleware
+            const callCode = context.code.substring(
+              path.node.start || 0,
+              path.node.end || 0
+            ).toLowerCase();
+
+            // Check if any argument mentions auth-related terms (middleware)
+            const hasAuthMiddleware =
+              callCode.includes('auth') ||
+              callCode.includes('session') ||
+              callCode.includes('token') ||
+              callCode.includes('jwt') ||
+              callCode.includes('middleware') ||
+              callCode.includes('isauthenticated') ||
+              callCode.includes('requireauth') ||
+              callCode.includes('protect') ||
+              callCode.includes('verify');
+
+            if (!hasAuthMiddleware) {
+              // Check route path for sensitive endpoints
+              const routePath = args[0];
+              if (t.isStringLiteral(routePath)) {
+                const pathValue = routePath.value.toLowerCase();
+                if (
+                  pathValue.includes('/api/') ||
+                  pathValue.includes('/user') ||
+                  pathValue.includes('/admin') ||
+                  pathValue.includes('/account') ||
+                  pathValue.includes('/profile')
+                ) {
+                  const rule = rules.find(r => r.id === 'missing-auth-route');
+                  if (rule) {
+                    const loc = path.node.loc;
+                    return {
+                      rule,
+                      file: context.filePath,
+                      line: loc?.start.line || 0,
+                      column: loc?.start.column || 0,
+                      code: context.lines[(loc?.start.line || 1) - 1] || '',
+                      message: `API route ${routePath.value} may be missing authentication`,
+                    };
+                  }
+                }
+              }
+            }
+          }
+        }
+      }
+      return null;
+    },
+  };
+
+  traverse(ast, {
+    enter(path) {
+      for (const matcherKey of Object.keys(astMatchers)) {
+        const finding = astMatchers[matcherKey](path);
+        if (finding) {
+          // Avoid duplicates
+          const isDuplicate = findings.some(
+            f =>
+              f.rule.id === finding.rule.id &&
+              f.line === finding.line &&
+              f.file === finding.file
+          );
+          if (!isDuplicate) {
+            findings.push(finding);
+          }
+        }
+      }
+    },
+  });
+
+  return findings;
+}
+
+export function scanWithPatterns(
+  code: string,
+  rules: SecurityRule[],
+  filePath: string
+): Finding[] {
+  const findings: Finding[] = [];
+  const lines = code.split('\n');
+
+  for (const rule of rules) {
+    if (!rule.patterns) continue;
+
+    for (const pattern of rule.patterns) {
+      let match;
+      const regex = new RegExp(pattern.source, pattern.flags + (pattern.flags.includes('g') ? '' : 'g'));
+
+      while ((match = regex.exec(code)) !== null) {
+        // Calculate line number from match index
+        const beforeMatch = code.substring(0, match.index);
+        const lineNumber = (beforeMatch.match(/\n/g) || []).length + 1;
+        const lineStart = beforeMatch.lastIndexOf('\n') + 1;
+        const column = match.index - lineStart;
+
+        // Avoid duplicates
+        const isDuplicate = findings.some(
+          f =>
+            f.rule.id === rule.id &&
+            f.line === lineNumber &&
+            f.file === filePath
+        );
+
+        if (!isDuplicate) {
+          findings.push({
+            rule,
+            file: filePath,
+            line: lineNumber,
+            column,
+            code: lines[lineNumber - 1] || '',
+            message: rule.description,
+          });
+        }
+      }
+    }
+  }
+
+  return findings;
+}

package/src/scanner/parsers/python.ts

@@ -0,0 +1,126 @@
+import { Finding, SecurityRule } from '../../types';
+
+// Python-specific patterns in addition to shared patterns
+const pythonPatterns: { ruleId: string; pattern: RegExp }[] = [
+  // SQL injection patterns
+  {
+    ruleId: 'sql-injection',
+    pattern: /cursor\.execute\s*\(\s*f?['"`](?:SELECT|INSERT|UPDATE|DELETE)[^'"`]*\{[^}]+\}/i,
+  },
+  {
+    ruleId: 'sql-injection',
+    pattern: /\.execute\s*\(\s*['"`](?:SELECT|INSERT|UPDATE|DELETE)[^'"`]*['"]\s*%\s*/i,
+  },
+  {
+    ruleId: 'sql-injection',
+    pattern: /\.execute\s*\(\s*['"`](?:SELECT|INSERT|UPDATE|DELETE)[^'"`]*['"`]\s*\+/i,
+  },
+  // Eval usage
+  {
+    ruleId: 'eval-usage',
+    pattern: /\beval\s*\([^)]*(?:input|request|data|params|args)/i,
+  },
+  {
+    ruleId: 'eval-usage',
+    pattern: /\bexec\s*\([^)]*(?:input|request|data|params|args)/i,
+  },
+  // Hardcoded secrets
+  {
+    ruleId: 'hardcoded-secret',
+    pattern: /(?:api[_-]?key|secret[_-]?key|password|token)\s*=\s*['"][^'"]{8,}['"]/i,
+  },
+  // Flask/Django without CSRF
+  {
+    ruleId: 'permissive-cors',
+    pattern: /CORS\s*\(\s*app\s*(?:,\s*resources\s*=\s*\{[^}]*\*[^}]*\})?/,
+  },
+  // Debug mode in production
+  {
+    ruleId: 'verbose-errors',
+    pattern: /app\.run\s*\([^)]*debug\s*=\s*True/i,
+  },
+  {
+    ruleId: 'verbose-errors',
+    pattern: /DEBUG\s*=\s*True/,
+  },
+];
+
+export function scanPythonWithPatterns(
+  code: string,
+  rules: SecurityRule[],
+  filePath: string
+): Finding[] {
+  const findings: Finding[] = [];
+  const lines = code.split('\n');
+
+  // First, scan with rule-defined patterns
+  for (const rule of rules) {
+    if (!rule.patterns || !rule.languages.includes('python')) continue;
+
+    for (const pattern of rule.patterns) {
+      let match;
+      const regex = new RegExp(pattern.source, pattern.flags + (pattern.flags.includes('g') ? '' : 'g'));
+
+      while ((match = regex.exec(code)) !== null) {
+        const beforeMatch = code.substring(0, match.index);
+        const lineNumber = (beforeMatch.match(/\n/g) || []).length + 1;
+        const lineStart = beforeMatch.lastIndexOf('\n') + 1;
+        const column = match.index - lineStart;
+
+        const isDuplicate = findings.some(
+          f =>
+            f.rule.id === rule.id &&
+            f.line === lineNumber &&
+            f.file === filePath
+        );
+
+        if (!isDuplicate) {
+          findings.push({
+            rule,
+            file: filePath,
+            line: lineNumber,
+            column,
+            code: lines[lineNumber - 1] || '',
+            message: rule.description,
+          });
+        }
+      }
+    }
+  }
+
+  // Then scan with Python-specific patterns
+  for (const { ruleId, pattern } of pythonPatterns) {
+    const rule = rules.find(r => r.id === ruleId);
+    if (!rule) continue;
+
+    let match;
+    const regex = new RegExp(pattern.source, pattern.flags + (pattern.flags.includes('g') ? '' : 'g'));
+
+    while ((match = regex.exec(code)) !== null) {
+      const beforeMatch = code.substring(0, match.index);
+      const lineNumber = (beforeMatch.match(/\n/g) || []).length + 1;
+      const lineStart = beforeMatch.lastIndexOf('\n') + 1;
+      const column = match.index - lineStart;
+
+      const isDuplicate = findings.some(
+        f =>
+          f.rule.id === ruleId &&
+          f.line === lineNumber &&
+          f.file === filePath
+      );
+
+      if (!isDuplicate) {
+        findings.push({
+          rule,
+          file: filePath,
+          line: lineNumber,
+          column,
+          code: lines[lineNumber - 1] || '',
+          message: rule.description,
+        });
+      }
+    }
+  }
+
+  return findings;
+}