@oculum/scanner 1.0.0

package/src/layer1/comments.ts

@@ -0,0 +1,218 @@
+/**
+ * Layer 1: Comment Scanning for AI Patterns
+ * Detects suspicious patterns in code comments that may indicate
+ * prompt injection attempts or AI-generated security bypasses
+ */
+
+import type { Vulnerability } from '../types'
+
+// Patterns that indicate potential prompt injection or AI manipulation
+const AI_COMMENT_PATTERNS = [
+  // Prompt injection attempts
+  {
+    pattern: /ignore\s+(previous|all|above)\s+instructions?/i,
+    name: 'Prompt Injection Attempt',
+    severity: 'high' as const,
+    description: 'Comment contains prompt injection language that could manipulate AI assistants',
+  },
+  {
+    pattern: /disregard\s+(security|safety|previous|all)/i,
+    name: 'Security Disregard Instruction',
+    severity: 'high' as const,
+    description: 'Comment instructs to disregard security measures',
+  },
+  {
+    pattern: /you\s+are\s+now\s+in\s+(developer|debug|admin)\s+mode/i,
+    name: 'Mode Override Attempt',
+    severity: 'high' as const,
+    description: 'Comment attempts to override AI mode or permissions',
+  },
+  {
+    pattern: /override\s+(security|safety)\s+protocols?/i,
+    name: 'Security Override Instruction',
+    severity: 'high' as const,
+    description: 'Comment instructs to override security protocols',
+  },
+  {
+    pattern: /system:\s*ignore/i,
+    name: 'System Prompt Injection',
+    severity: 'critical' as const,
+    description: 'Comment contains system-level prompt injection',
+  },
+
+  // Developer instructions to skip security
+  {
+    pattern: /skip\s+(security|validation|sanitization|auth)/i,
+    name: 'Security Skip Instruction',
+    severity: 'medium' as const,
+    description: 'Comment instructs to skip security measures',
+  },
+  {
+    pattern: /don['']?t\s+(validate|sanitize|check|verify)/i,
+    name: 'Validation Skip Instruction',
+    severity: 'medium' as const,
+    description: 'Comment instructs to skip validation',
+  },
+  {
+    pattern: /disable\s+(auth|authentication|authorization|csrf|xss)/i,
+    name: 'Security Disable Instruction',
+    severity: 'high' as const,
+    description: 'Comment instructs to disable security features',
+  },
+
+  // Security-related TODOs - downgraded as these are often addressed or intentional
+  {
+    pattern: /TODO[:\s].*fix.*security/i,
+    name: 'Security TODO',
+    severity: 'low' as const,  // Downgraded from medium
+    description: 'Unresolved security-related TODO comment',
+  },
+  {
+    pattern: /FIXME[:\s].*vulnerab/i,
+    name: 'Vulnerability FIXME',
+    severity: 'medium' as const,  // Downgraded from high
+    description: 'Unresolved vulnerability-related FIXME comment',
+  },
+  {
+    pattern: /HACK[:\s].*bypass/i,
+    name: 'Security Bypass HACK',
+    severity: 'medium' as const,  // Downgraded from high
+    description: 'Hack comment indicating security bypass',
+  },
+  {
+    pattern: /TODO[:\s].*add\s+(auth|authentication|authorization)/i,
+    name: 'Missing Auth TODO',
+    severity: 'low' as const,  // Downgraded from high - often outdated or in test code
+    description: 'TODO indicates authentication may need implementation',
+  },
+  {
+    pattern: /TODO[:\s].*implement\s+(validation|sanitization)/i,
+    name: 'Missing Validation TODO',
+    severity: 'low' as const,  // Downgraded from medium
+    description: 'TODO indicates validation may need implementation',
+  },
+
+  // AI-generated placeholder patterns - downgraded to info (usually harmless)
+  {
+    pattern: /TODO[:\s].*add\s+proper\s+error\s+handling/i,
+    name: 'AI Placeholder: Error Handling',
+    severity: 'info' as const,  // Downgraded from low
+    description: 'AI-typical placeholder comment for error handling',
+  },
+  {
+    pattern: /TODO[:\s].*implement\s+proper/i,
+    name: 'AI Placeholder: Implementation',
+    severity: 'info' as const,  // Downgraded from low
+    description: 'AI-typical placeholder comment for implementation',
+  },
+  {
+    pattern: /add\s+your\s+(code|logic|implementation)\s+here/i,
+    name: 'AI Placeholder: Code Here',
+    severity: 'info' as const,  // Downgraded from low
+    description: 'AI-typical placeholder comment',
+  },
+
+  // Temporary security bypasses
+  {
+    pattern: /temporary\s+(bypass|workaround|fix).*security/i,
+    name: 'Temporary Security Bypass',
+    severity: 'medium' as const,  // Downgraded from high
+    description: 'Comment indicates temporary security bypass that may have become permanent',
+  },
+  {
+    pattern: /remove\s+(before|in)\s+production/i,
+    name: 'Pre-Production Code',
+    severity: 'low' as const,  // Downgraded from medium
+    description: 'Comment indicates code should be removed before production',
+  },
+]
+
+// Extract comments from code
+function extractComments(content: string): Array<{ text: string; line: number; lineContent: string }> {
+  const comments: Array<{ text: string; line: number; lineContent: string }> = []
+  const lines = content.split('\n')
+
+  let inBlockComment = false
+  let blockCommentStart = 0
+  let blockCommentText = ''
+
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    const trimmed = line.trim()
+
+    // Handle block comments
+    if (inBlockComment) {
+      if (trimmed.includes('*/')) {
+        inBlockComment = false
+        blockCommentText += ' ' + trimmed.replace(/\*\/.*$/, '')
+        comments.push({
+          text: blockCommentText,
+          line: blockCommentStart + 1,
+          lineContent: lines[blockCommentStart].trim(),
+        })
+        blockCommentText = ''
+      } else {
+        blockCommentText += ' ' + trimmed.replace(/^\*\s*/, '')
+      }
+      continue
+    }
+
+    // Start of block comment
+    if (trimmed.includes('/*')) {
+      if (trimmed.includes('*/')) {
+        // Single-line block comment
+        const text = trimmed.replace(/\/\*|\*\//g, '')
+        comments.push({ text, line: i + 1, lineContent: trimmed })
+      } else {
+        inBlockComment = true
+        blockCommentStart = i
+        blockCommentText = trimmed.replace(/\/\*/, '')
+      }
+      continue
+    }
+
+    // Single-line comments
+    const singleLineMatch = trimmed.match(/\/\/(.*)$|#(.*)$/)
+    if (singleLineMatch) {
+      const text = singleLineMatch[1] || singleLineMatch[2] || ''
+      comments.push({ text, line: i + 1, lineContent: trimmed })
+    }
+  }
+
+  return comments
+}
+
+export function detectAICommentPatterns(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+  const comments = extractComments(content)
+
+  for (const comment of comments) {
+    for (const { pattern, name, severity, description } of AI_COMMENT_PATTERNS) {
+      if (pattern.test(comment.text)) {
+        // Most comment-based findings require AI validation to confirm relevance
+        const requiresAIValidation = severity !== 'critical'
+
+        vulnerabilities.push({
+          id: `ai-comment-${filePath}-${comment.line}`,
+          filePath,
+          lineNumber: comment.line,
+          lineContent: comment.lineContent,
+          severity,
+          category: 'ai_pattern',
+          title: name,
+          description,
+          suggestedFix: 'Review and address this comment. If it indicates a security issue, fix it. If it\'s a prompt injection attempt, remove it.',
+          confidence: severity === 'critical' || severity === 'high' ? 'high' : 'low',  // Lower default confidence
+          layer: 1,
+          requiresAIValidation,
+        })
+        break // Only report one pattern per comment
+      }
+    }
+  }
+
+  return vulnerabilities
+}

package/src/layer1/config-audit.ts

@@ -0,0 +1,289 @@
+/**
+ * Layer 1: Configuration Auditing
+ * Scans configuration files for security misconfigurations
+ */
+
+import type { ConfigRule, ConfigViolation, Vulnerability } from '../types'
+
+// Configuration audit rules
+export const CONFIG_RULES: ConfigRule[] = [
+  // Dockerfile rules
+  {
+    name: 'Docker running as root',
+    filePatterns: ['Dockerfile', '*.dockerfile'],
+    check: (content: string): ConfigViolation[] => {
+      const violations: ConfigViolation[] = []
+      const lines = content.split('\n')
+      
+      // Check if USER instruction exists
+      const hasUserInstruction = lines.some(line => 
+        line.trim().toUpperCase().startsWith('USER ')
+      )
+      
+      // Check for explicit root user
+      lines.forEach((line, index) => {
+        if (line.trim().toUpperCase() === 'USER ROOT') {
+          violations.push({
+            line: index + 1,
+            lineContent: line.trim(),
+            message: 'Container explicitly runs as root user',
+            severity: 'high',
+          })
+        }
+      })
+
+      // If no USER instruction at all, flag it
+      if (!hasUserInstruction && lines.length > 5) {
+        violations.push({
+          line: 1,
+          lineContent: 'Dockerfile',
+          message: 'No USER instruction found - container will run as root by default',
+          severity: 'medium',
+        })
+      }
+
+      return violations
+    },
+  },
+  {
+    name: 'Hardcoded secrets in Docker build args',
+    filePatterns: ['Dockerfile', '*.dockerfile', 'docker-compose.yml', 'docker-compose.yaml'],
+    check: (content: string): ConfigViolation[] => {
+      const violations: ConfigViolation[] = []
+      const lines = content.split('\n')
+
+      const sensitivePatterns = [
+        /ARG\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*[^\s$]/i,
+        /ENV\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*[^\s$]/i,
+        /environment:[\s\S]*?(PASSWORD|SECRET|KEY|TOKEN)\s*[:=]\s*[^\s${\n]/i,
+      ]
+
+      lines.forEach((line, index) => {
+        for (const pattern of sensitivePatterns) {
+          if (pattern.test(line)) {
+            violations.push({
+              line: index + 1,
+              lineContent: line.trim(),
+              message: 'Hardcoded sensitive value in build argument or environment variable',
+              severity: 'critical',
+            })
+            break
+          }
+        }
+      })
+
+      return violations
+    },
+  },
+  // CORS configuration
+  {
+    name: 'Permissive CORS configuration',
+    filePatterns: ['*.ts', '*.js', '*.tsx', '*.jsx', 'next.config.*', 'vercel.json', '*.yaml', '*.yml'],
+    check: (content: string): ConfigViolation[] => {
+      const violations: ConfigViolation[] = []
+      const lines = content.split('\n')
+
+      const corsPatterns = [
+        /['"]Access-Control-Allow-Origin['"]\s*[,:]\s*['"]\*['"]/i,
+        /cors\s*\(\s*\{\s*origin\s*:\s*['"]\*['"]/i,
+        /origin\s*:\s*['"]\*['"]/i,
+        /allowedOrigins?\s*[=:]\s*\[\s*['"]\*['"]/i,
+        /Access-Control-Allow-Origin:\s*\*/i,
+      ]
+
+      lines.forEach((line, index) => {
+        for (const pattern of corsPatterns) {
+          if (pattern.test(line)) {
+            violations.push({
+              line: index + 1,
+              lineContent: line.trim(),
+              message: 'Permissive CORS policy allows requests from any origin (*)',
+              severity: 'medium',
+            })
+            break
+          }
+        }
+      })
+
+      return violations
+    },
+  },
+  // GitHub Actions secrets exposure
+  {
+    name: 'GitHub Actions security issues',
+    filePatterns: ['.github/workflows/*.yml', '.github/workflows/*.yaml'],
+    check: (content: string): ConfigViolation[] => {
+      const violations: ConfigViolation[] = []
+      const lines = content.split('\n')
+
+      // Check for pull_request_target with checkout
+      const hasPRTarget = content.includes('pull_request_target')
+      const hasCheckout = content.includes('actions/checkout')
+      
+      if (hasPRTarget && hasCheckout) {
+        const checkoutLine = lines.findIndex(l => l.includes('actions/checkout'))
+        violations.push({
+          line: checkoutLine + 1,
+          lineContent: lines[checkoutLine]?.trim() || '',
+          message: 'Using actions/checkout with pull_request_target can expose secrets to untrusted code',
+          severity: 'high',
+        })
+      }
+
+      // Check for hardcoded secrets
+      lines.forEach((line, index) => {
+        if (/env:\s*\w+\s*=\s*['"][^$]/.test(line) && 
+            /(SECRET|TOKEN|KEY|PASSWORD)/i.test(line)) {
+          violations.push({
+            line: index + 1,
+            lineContent: line.trim(),
+            message: 'Potential hardcoded secret in GitHub Actions workflow',
+            severity: 'critical',
+          })
+        }
+      })
+
+      return violations
+    },
+  },
+  // Next.js security config
+  {
+    name: 'Next.js security configuration',
+    filePatterns: ['next.config.js', 'next.config.ts', 'next.config.mjs'],
+    check: (content: string): ConfigViolation[] => {
+      const violations: ConfigViolation[] = []
+      const lines = content.split('\n')
+
+      // Only flag if poweredByHeader is explicitly set to true (not if missing)
+      if (content.includes('poweredByHeader: true') || content.includes('poweredByHeader:true')) {
+        const lineIndex = lines.findIndex(l => l.includes('poweredByHeader'))
+        violations.push({
+          line: lineIndex >= 0 ? lineIndex + 1 : 1,
+          lineContent: lines[lineIndex]?.trim() || 'poweredByHeader: true',
+          message: 'poweredByHeader is enabled - consider setting to false to hide X-Powered-By header',
+          severity: 'low',
+        })
+      }
+
+      // Check for exposed source maps in production
+      lines.forEach((line, index) => {
+        if (/productionBrowserSourceMaps\s*:\s*true/.test(line)) {
+          violations.push({
+            line: index + 1,
+            lineContent: line.trim(),
+            message: 'Production source maps are enabled - this exposes your source code',
+            severity: 'medium',
+          })
+        }
+      })
+
+      return violations
+    },
+  },
+  // Package.json security
+  {
+    name: 'Package.json security issues',
+    filePatterns: ['package.json'],
+    check: (content: string): ConfigViolation[] => {
+      const violations: ConfigViolation[] = []
+      
+      try {
+        const pkg = JSON.parse(content)
+        
+        // Check for postinstall scripts that could be malicious
+        if (pkg.scripts?.postinstall || pkg.scripts?.preinstall) {
+          const lines = content.split('\n')
+          const scriptLine = lines.findIndex(l => 
+            l.includes('"postinstall"') || l.includes('"preinstall"')
+          )
+          violations.push({
+            line: scriptLine + 1,
+            lineContent: lines[scriptLine]?.trim() || '',
+            message: 'Pre/post install scripts can execute arbitrary code - review carefully',
+            severity: 'low',
+          })
+        }
+
+        // Check for wildcard dependencies
+        const allDeps = { ...pkg.dependencies, ...pkg.devDependencies }
+        const lines = content.split('\n')
+        
+        for (const [name, version] of Object.entries(allDeps)) {
+          if (version === '*' || version === 'latest') {
+            const depLine = lines.findIndex(l => l.includes(`"${name}"`))
+            violations.push({
+              line: depLine + 1,
+              lineContent: lines[depLine]?.trim() || '',
+              message: `Dependency "${name}" uses wildcard/latest version - pin to specific version`,
+              severity: 'medium',
+            })
+          }
+        }
+      } catch {
+        // Invalid JSON, skip
+      }
+
+      return violations
+    },
+  },
+]
+
+// Check if file matches any of the patterns
+function matchesFilePattern(filePath: string, patterns: string[]): boolean {
+  const fileName = filePath.split('/').pop() || ''
+  
+  return patterns.some(pattern => {
+    if (pattern.includes('*')) {
+      const regex = new RegExp(
+        '^' + pattern.replace(/\*/g, '.*').replace(/\./g, '\\.') + '$',
+        'i'
+      )
+      return regex.test(fileName) || regex.test(filePath)
+    }
+    return fileName === pattern || filePath.endsWith(pattern)
+  })
+}
+
+export function auditConfiguration(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+
+  for (const rule of CONFIG_RULES) {
+    if (matchesFilePattern(filePath, rule.filePatterns)) {
+      const violations = rule.check(content, filePath)
+      
+      for (const violation of violations) {
+        vulnerabilities.push({
+          id: `config-${filePath}-${violation.line}-${rule.name}`,
+          filePath,
+          lineNumber: violation.line,
+          lineContent: violation.lineContent,
+          severity: violation.severity,
+          category: 'insecure_config',
+          title: rule.name,
+          description: violation.message,
+          suggestedFix: getConfigFix(rule.name, violation),
+          confidence: 'high',
+          layer: 1,
+        })
+      }
+    }
+  }
+
+  return vulnerabilities
+}
+
+function getConfigFix(ruleName: string, violation: ConfigViolation): string {
+  const fixes: Record<string, string> = {
+    'Docker running as root': 'Add a USER instruction to run as a non-root user: USER node',
+    'Hardcoded secrets in Docker build args': 'Use Docker secrets or pass values at runtime via environment variables',
+    'Permissive CORS configuration': 'Specify allowed origins explicitly instead of using wildcard (*)',
+    'GitHub Actions security issues': 'Use secrets context (${{ secrets.NAME }}) for sensitive values',
+    'Next.js security configuration': 'Review Next.js security best practices and configure headers appropriately',
+    'Package.json security issues': 'Pin dependencies to specific versions and review install scripts',
+  }
+
+  return fixes[ruleName] || 'Review and fix the security configuration'
+}