@oops-catcher/core 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/config/loader.d.ts +5 -0
- package/dist/config/loader.d.ts.map +1 -0
- package/dist/config/loader.js +37 -0
- package/dist/config/loader.js.map +1 -0
- package/dist/config/schema.d.ts +117 -0
- package/dist/config/schema.d.ts.map +1 -0
- package/dist/config/schema.js +54 -0
- package/dist/config/schema.js.map +1 -0
- package/dist/engine/fingerprint.d.ts +2 -0
- package/dist/engine/fingerprint.d.ts.map +1 -0
- package/dist/engine/fingerprint.js +5 -0
- package/dist/engine/fingerprint.js.map +1 -0
- package/dist/engine/line.d.ts +2 -0
- package/dist/engine/line.d.ts.map +1 -0
- package/dist/engine/line.js +11 -0
- package/dist/engine/line.js.map +1 -0
- package/dist/engine/scan.d.ts +13 -0
- package/dist/engine/scan.d.ts.map +1 -0
- package/dist/engine/scan.js +57 -0
- package/dist/engine/scan.js.map +1 -0
- package/dist/engine/walker.d.ts +8 -0
- package/dist/engine/walker.d.ts.map +1 -0
- package/dist/engine/walker.js +42 -0
- package/dist/engine/walker.js.map +1 -0
- package/dist/index.d.ts +5 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +4 -0
- package/dist/index.js.map +1 -0
- package/dist/output/formatters.d.ts +4 -0
- package/dist/output/formatters.d.ts.map +1 -0
- package/dist/output/formatters.js +35 -0
- package/dist/output/formatters.js.map +1 -0
- package/dist/output/redact.d.ts +4 -0
- package/dist/output/redact.d.ts.map +1 -0
- package/dist/output/redact.js +14 -0
- package/dist/output/redact.js.map +1 -0
- package/dist/rules/ai_artifacts_v1.d.ts +3 -0
- package/dist/rules/ai_artifacts_v1.d.ts.map +1 -0
- package/dist/rules/ai_artifacts_v1.js +76 -0
- package/dist/rules/ai_artifacts_v1.js.map +1 -0
- package/dist/rules/containers_v1.d.ts +3 -0
- package/dist/rules/containers_v1.d.ts.map +1 -0
- package/dist/rules/containers_v1.js +392 -0
- package/dist/rules/containers_v1.js.map +1 -0
- package/dist/rules/registry.d.ts +4 -0
- package/dist/rules/registry.d.ts.map +1 -0
- package/dist/rules/registry.js +12 -0
- package/dist/rules/registry.js.map +1 -0
- package/dist/rules/secrets_v1.d.ts +9 -0
- package/dist/rules/secrets_v1.d.ts.map +1 -0
- package/dist/rules/secrets_v1.js +283 -0
- package/dist/rules/secrets_v1.js.map +1 -0
- package/dist/rules/types.d.ts +19 -0
- package/dist/rules/types.d.ts.map +1 -0
- package/dist/rules/types.js +2 -0
- package/dist/rules/types.js.map +1 -0
- package/dist/types.d.ts +41 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +2 -0
- package/dist/types.js.map +1 -0
- package/package.json +33 -0
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
import { ParsedConfig } from './schema.js';
|
|
2
|
+
export declare const DEFAULT_CONFIG_PATH = "oops.yml";
|
|
3
|
+
export declare function loadConfig(cwd: string, explicitPath?: string): ParsedConfig;
|
|
4
|
+
export declare function getDefaultConfigYaml(): string;
|
|
5
|
+
//# sourceMappingURL=loader.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"loader.d.ts","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAGA,OAAO,EAAgB,YAAY,EAAE,MAAM,aAAa,CAAC;AAEzD,eAAO,MAAM,mBAAmB,aAAa,CAAC;AAE9C,wBAAgB,UAAU,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,CAAC,EAAE,MAAM,GAAG,YAAY,CAY3E;AAED,wBAAgB,oBAAoB,IAAI,MAAM,CAmB7C"}
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
import fs from 'node:fs';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
import yaml from 'js-yaml';
|
|
4
|
+
import { ConfigSchema } from './schema.js';
|
|
5
|
+
export const DEFAULT_CONFIG_PATH = 'oops.yml';
|
|
6
|
+
export function loadConfig(cwd, explicitPath) {
|
|
7
|
+
const configPath = explicitPath
|
|
8
|
+
? path.resolve(cwd, explicitPath)
|
|
9
|
+
: path.resolve(cwd, DEFAULT_CONFIG_PATH);
|
|
10
|
+
if (!fs.existsSync(configPath)) {
|
|
11
|
+
return ConfigSchema.parse({});
|
|
12
|
+
}
|
|
13
|
+
const raw = fs.readFileSync(configPath, 'utf8');
|
|
14
|
+
const data = yaml.load(raw) ?? {};
|
|
15
|
+
return ConfigSchema.parse(data);
|
|
16
|
+
}
|
|
17
|
+
export function getDefaultConfigYaml() {
|
|
18
|
+
return `version: 1
|
|
19
|
+
include: ["**/*"]
|
|
20
|
+
exclude: [".git/**","node_modules/**","dist/**","build/**",".next/**","coverage/**"]
|
|
21
|
+
rulesets: ["secrets_v1","containers_v1","ai_artifacts_v1"]
|
|
22
|
+
rules:
|
|
23
|
+
disable: []
|
|
24
|
+
severity_overrides: {}
|
|
25
|
+
output:
|
|
26
|
+
format: text
|
|
27
|
+
failOn: critical
|
|
28
|
+
redact: { showPrefix: 4, showSuffix: 4 }
|
|
29
|
+
baseline:
|
|
30
|
+
mode: off
|
|
31
|
+
file: ".oops-baseline.json"
|
|
32
|
+
allowlist:
|
|
33
|
+
paths: []
|
|
34
|
+
rules: {}
|
|
35
|
+
`;
|
|
36
|
+
}
|
|
37
|
+
//# sourceMappingURL=loader.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"loader.js","sourceRoot":"","sources":["../../src/config/loader.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,IAAI,MAAM,SAAS,CAAC;AAC3B,OAAO,EAAE,YAAY,EAAgB,MAAM,aAAa,CAAC;AAEzD,MAAM,CAAC,MAAM,mBAAmB,GAAG,UAAU,CAAC;AAE9C,MAAM,UAAU,UAAU,CAAC,GAAW,EAAE,YAAqB;IAC3D,MAAM,UAAU,GAAG,YAAY;QAC7B,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,YAAY,CAAC;QACjC,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,mBAAmB,CAAC,CAAC;IAE3C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;QAC/B,OAAO,YAAY,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;IAChC,CAAC;IAED,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC;IAChD,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,EAAE,CAAC;IAClC,OAAO,YAAY,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;AAClC,CAAC;AAED,MAAM,UAAU,oBAAoB;IAClC,OAAO;;;;;;;;;;;;;;;;;CAiBR,CAAC;AACF,CAAC"}
|
|
@@ -0,0 +1,117 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
export declare const ConfigSchema: z.ZodObject<{
|
|
3
|
+
version: z.ZodDefault<z.ZodLiteral<1>>;
|
|
4
|
+
include: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
5
|
+
exclude: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
6
|
+
rulesets: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
7
|
+
rules: z.ZodDefault<z.ZodObject<{
|
|
8
|
+
disable: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
9
|
+
severity_overrides: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodEnum<["critical", "warning", "info"]>>>;
|
|
10
|
+
}, "strip", z.ZodTypeAny, {
|
|
11
|
+
disable: string[];
|
|
12
|
+
severity_overrides: Record<string, "critical" | "warning" | "info">;
|
|
13
|
+
}, {
|
|
14
|
+
disable?: string[] | undefined;
|
|
15
|
+
severity_overrides?: Record<string, "critical" | "warning" | "info"> | undefined;
|
|
16
|
+
}>>;
|
|
17
|
+
output: z.ZodDefault<z.ZodObject<{
|
|
18
|
+
format: z.ZodDefault<z.ZodEnum<["text", "json"]>>;
|
|
19
|
+
failOn: z.ZodDefault<z.ZodEnum<["critical", "warning", "info"]>>;
|
|
20
|
+
redact: z.ZodDefault<z.ZodObject<{
|
|
21
|
+
showPrefix: z.ZodDefault<z.ZodNumber>;
|
|
22
|
+
showSuffix: z.ZodDefault<z.ZodNumber>;
|
|
23
|
+
}, "strip", z.ZodTypeAny, {
|
|
24
|
+
showPrefix: number;
|
|
25
|
+
showSuffix: number;
|
|
26
|
+
}, {
|
|
27
|
+
showPrefix?: number | undefined;
|
|
28
|
+
showSuffix?: number | undefined;
|
|
29
|
+
}>>;
|
|
30
|
+
}, "strip", z.ZodTypeAny, {
|
|
31
|
+
format: "text" | "json";
|
|
32
|
+
failOn: "critical" | "warning" | "info";
|
|
33
|
+
redact: {
|
|
34
|
+
showPrefix: number;
|
|
35
|
+
showSuffix: number;
|
|
36
|
+
};
|
|
37
|
+
}, {
|
|
38
|
+
format?: "text" | "json" | undefined;
|
|
39
|
+
failOn?: "critical" | "warning" | "info" | undefined;
|
|
40
|
+
redact?: {
|
|
41
|
+
showPrefix?: number | undefined;
|
|
42
|
+
showSuffix?: number | undefined;
|
|
43
|
+
} | undefined;
|
|
44
|
+
}>>;
|
|
45
|
+
baseline: z.ZodDefault<z.ZodObject<{
|
|
46
|
+
mode: z.ZodDefault<z.ZodEnum<["off", "use", "update"]>>;
|
|
47
|
+
file: z.ZodDefault<z.ZodString>;
|
|
48
|
+
}, "strip", z.ZodTypeAny, {
|
|
49
|
+
mode: "off" | "use" | "update";
|
|
50
|
+
file: string;
|
|
51
|
+
}, {
|
|
52
|
+
mode?: "off" | "use" | "update" | undefined;
|
|
53
|
+
file?: string | undefined;
|
|
54
|
+
}>>;
|
|
55
|
+
allowlist: z.ZodDefault<z.ZodObject<{
|
|
56
|
+
paths: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
|
|
57
|
+
rules: z.ZodDefault<z.ZodRecord<z.ZodString, z.ZodArray<z.ZodString, "many">>>;
|
|
58
|
+
}, "strip", z.ZodTypeAny, {
|
|
59
|
+
rules: Record<string, string[]>;
|
|
60
|
+
paths: string[];
|
|
61
|
+
}, {
|
|
62
|
+
rules?: Record<string, string[]> | undefined;
|
|
63
|
+
paths?: string[] | undefined;
|
|
64
|
+
}>>;
|
|
65
|
+
}, "strip", z.ZodTypeAny, {
|
|
66
|
+
version: 1;
|
|
67
|
+
include: string[];
|
|
68
|
+
exclude: string[];
|
|
69
|
+
rulesets: string[];
|
|
70
|
+
rules: {
|
|
71
|
+
disable: string[];
|
|
72
|
+
severity_overrides: Record<string, "critical" | "warning" | "info">;
|
|
73
|
+
};
|
|
74
|
+
output: {
|
|
75
|
+
format: "text" | "json";
|
|
76
|
+
failOn: "critical" | "warning" | "info";
|
|
77
|
+
redact: {
|
|
78
|
+
showPrefix: number;
|
|
79
|
+
showSuffix: number;
|
|
80
|
+
};
|
|
81
|
+
};
|
|
82
|
+
baseline: {
|
|
83
|
+
mode: "off" | "use" | "update";
|
|
84
|
+
file: string;
|
|
85
|
+
};
|
|
86
|
+
allowlist: {
|
|
87
|
+
rules: Record<string, string[]>;
|
|
88
|
+
paths: string[];
|
|
89
|
+
};
|
|
90
|
+
}, {
|
|
91
|
+
version?: 1 | undefined;
|
|
92
|
+
include?: string[] | undefined;
|
|
93
|
+
exclude?: string[] | undefined;
|
|
94
|
+
rulesets?: string[] | undefined;
|
|
95
|
+
rules?: {
|
|
96
|
+
disable?: string[] | undefined;
|
|
97
|
+
severity_overrides?: Record<string, "critical" | "warning" | "info"> | undefined;
|
|
98
|
+
} | undefined;
|
|
99
|
+
output?: {
|
|
100
|
+
format?: "text" | "json" | undefined;
|
|
101
|
+
failOn?: "critical" | "warning" | "info" | undefined;
|
|
102
|
+
redact?: {
|
|
103
|
+
showPrefix?: number | undefined;
|
|
104
|
+
showSuffix?: number | undefined;
|
|
105
|
+
} | undefined;
|
|
106
|
+
} | undefined;
|
|
107
|
+
baseline?: {
|
|
108
|
+
mode?: "off" | "use" | "update" | undefined;
|
|
109
|
+
file?: string | undefined;
|
|
110
|
+
} | undefined;
|
|
111
|
+
allowlist?: {
|
|
112
|
+
rules?: Record<string, string[]> | undefined;
|
|
113
|
+
paths?: string[] | undefined;
|
|
114
|
+
} | undefined;
|
|
115
|
+
}>;
|
|
116
|
+
export type ParsedConfig = z.infer<typeof ConfigSchema>;
|
|
117
|
+
//# sourceMappingURL=schema.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAIxB,eAAO,MAAM,YAAY;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;EAkDvB,CAAC;AAEH,MAAM,MAAM,YAAY,GAAG,CAAC,CAAC,KAAK,CAAC,OAAO,YAAY,CAAC,CAAC"}
|
|
@@ -0,0 +1,54 @@
|
|
|
1
|
+
import { z } from 'zod';
|
|
2
|
+
const SeveritySchema = z.enum(['critical', 'warning', 'info']);
|
|
3
|
+
export const ConfigSchema = z.object({
|
|
4
|
+
version: z.literal(1).default(1),
|
|
5
|
+
include: z.array(z.string()).default(['**/*']),
|
|
6
|
+
exclude: z
|
|
7
|
+
.array(z.string())
|
|
8
|
+
.default([
|
|
9
|
+
'.git/**',
|
|
10
|
+
'node_modules/**',
|
|
11
|
+
'dist/**',
|
|
12
|
+
'build/**',
|
|
13
|
+
'.next/**',
|
|
14
|
+
'coverage/**',
|
|
15
|
+
]),
|
|
16
|
+
rulesets: z
|
|
17
|
+
.array(z.string())
|
|
18
|
+
.default(['secrets_v1', 'containers_v1', 'ai_artifacts_v1']),
|
|
19
|
+
rules: z
|
|
20
|
+
.object({
|
|
21
|
+
disable: z.array(z.string()).default([]),
|
|
22
|
+
severity_overrides: z.record(SeveritySchema).default({}),
|
|
23
|
+
})
|
|
24
|
+
.default({ disable: [], severity_overrides: {} }),
|
|
25
|
+
output: z
|
|
26
|
+
.object({
|
|
27
|
+
format: z.enum(['text', 'json']).default('text'),
|
|
28
|
+
failOn: SeveritySchema.default('critical'),
|
|
29
|
+
redact: z
|
|
30
|
+
.object({
|
|
31
|
+
showPrefix: z.number().int().min(0).default(4),
|
|
32
|
+
showSuffix: z.number().int().min(0).default(4),
|
|
33
|
+
})
|
|
34
|
+
.default({ showPrefix: 4, showSuffix: 4 }),
|
|
35
|
+
})
|
|
36
|
+
.default({
|
|
37
|
+
format: 'text',
|
|
38
|
+
failOn: 'critical',
|
|
39
|
+
redact: { showPrefix: 4, showSuffix: 4 },
|
|
40
|
+
}),
|
|
41
|
+
baseline: z
|
|
42
|
+
.object({
|
|
43
|
+
mode: z.enum(['off', 'use', 'update']).default('off'),
|
|
44
|
+
file: z.string().default('.oops-baseline.json'),
|
|
45
|
+
})
|
|
46
|
+
.default({ mode: 'off', file: '.oops-baseline.json' }),
|
|
47
|
+
allowlist: z
|
|
48
|
+
.object({
|
|
49
|
+
paths: z.array(z.string()).default([]),
|
|
50
|
+
rules: z.record(z.array(z.string())).default({}),
|
|
51
|
+
})
|
|
52
|
+
.default({ paths: [], rules: {} }),
|
|
53
|
+
});
|
|
54
|
+
//# sourceMappingURL=schema.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/config/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AAExB,MAAM,cAAc,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC,CAAC;AAE/D,MAAM,CAAC,MAAM,YAAY,GAAG,CAAC,CAAC,MAAM,CAAC;IACnC,OAAO,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;IAChC,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,CAAC;IAC9C,OAAO,EAAE,CAAC;SACP,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,OAAO,CAAC;QACP,SAAS;QACT,iBAAiB;QACjB,SAAS;QACT,UAAU;QACV,UAAU;QACV,aAAa;KACd,CAAC;IACJ,QAAQ,EAAE,CAAC;SACR,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;SACjB,OAAO,CAAC,CAAC,YAAY,EAAE,eAAe,EAAE,iBAAiB,CAAC,CAAC;IAC9D,KAAK,EAAE,CAAC;SACL,MAAM,CAAC;QACN,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;QACxC,kBAAkB,EAAE,CAAC,CAAC,MAAM,CAAC,cAAc,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;KACzD,CAAC;SACD,OAAO,CAAC,EAAE,OAAO,EAAE,EAAE,EAAE,kBAAkB,EAAE,EAAE,EAAE,CAAC;IACnD,MAAM,EAAE,CAAC;SACN,MAAM,CAAC;QACN,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC;QAChD,MAAM,EAAE,cAAc,CAAC,OAAO,CAAC,UAAU,CAAC;QAC1C,MAAM,EAAE,CAAC;aACN,MAAM,CAAC;YACN,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;YAC9C,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,GAAG,EAAE,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;SAC/C,CAAC;aACD,OAAO,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE,CAAC;KAC7C,CAAC;SACD,OAAO,CAAC;QACP,MAAM,EAAE,MAAM;QACd,MAAM,EAAE,UAAU;QAClB,MAAM,EAAE,EAAE,UAAU,EAAE,CAAC,EAAE,UAAU,EAAE,CAAC,EAAE;KACzC,CAAC;IACJ,QAAQ,EAAE,CAAC;SACR,MAAM,CAAC;QACN,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,KAAK,EAAE,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC;QACrD,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,OAAO,CAAC,qBAAqB,CAAC;KAChD,CAAC;SACD,OAAO,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,qBAAqB,EAAE,CAAC;IACxD,SAAS,EAAE,CAAC;SACT,MAAM,CAAC;QACN,KAAK,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;QACtC,KAAK,EAAE,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,EAAE,CAAC;KACjD,CAAC;SACD,OAAO,CAAC,EAAE,KAAK,EAAE,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC;CACrC,CAAC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"fingerprint.d.ts","sourceRoot":"","sources":["../../src/engine/fingerprint.ts"],"names":[],"mappings":"AAEA,wBAAgB,iBAAiB,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,CAEvD"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"fingerprint.js","sourceRoot":"","sources":["../../src/engine/fingerprint.ts"],"names":[],"mappings":"AAAA,OAAO,MAAM,MAAM,aAAa,CAAC;AAEjC,MAAM,UAAU,iBAAiB,CAAC,KAAa;IAC7C,OAAO,MAAM,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;AACjE,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"line.d.ts","sourceRoot":"","sources":["../../src/engine/line.ts"],"names":[],"mappings":"AAAA,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,MAAM,CAOnE"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"line.js","sourceRoot":"","sources":["../../src/engine/line.ts"],"names":[],"mappings":"AAAA,MAAM,UAAU,YAAY,CAAC,OAAe,EAAE,KAAa;IACzD,IAAI,KAAK,IAAI,CAAC;QAAE,OAAO,CAAC,CAAC;IACzB,IAAI,IAAI,GAAG,CAAC,CAAC;IACb,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,OAAO,CAAC,MAAM,IAAI,CAAC,GAAG,KAAK,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QACxD,IAAI,OAAO,CAAC,CAAC,CAAC,KAAK,IAAI;YAAE,IAAI,IAAI,CAAC,CAAC;IACrC,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import { OopsConfig, Finding, Severity } from '../types.js';
|
|
2
|
+
import { Rule } from '../rules/types.js';
|
|
3
|
+
export declare function applyRules(rules: Rule[], config: OopsConfig, cwd: string, pathValue: string, content: string): Finding[];
|
|
4
|
+
export type ScanResult = {
|
|
5
|
+
findings: Finding[];
|
|
6
|
+
};
|
|
7
|
+
export declare function scanRepo(cwd: string, config: OopsConfig): Promise<ScanResult>;
|
|
8
|
+
export declare function scanEntries(cwd: string, config: OopsConfig, entries: {
|
|
9
|
+
path: string;
|
|
10
|
+
content: string;
|
|
11
|
+
}[]): ScanResult;
|
|
12
|
+
export declare function hasFindingsAtOrAbove(findings: Finding[], failOn: Severity): boolean;
|
|
13
|
+
//# sourceMappingURL=scan.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scan.d.ts","sourceRoot":"","sources":["../../src/engine/scan.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,aAAa,CAAC;AAG5D,OAAO,EAAE,IAAI,EAAE,MAAM,mBAAmB,CAAC;AAoBzC,wBAAgB,UAAU,CACxB,KAAK,EAAE,IAAI,EAAE,EACb,MAAM,EAAE,UAAU,EAClB,GAAG,EAAE,MAAM,EACX,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,MAAM,GACd,OAAO,EAAE,CAaX;AAED,MAAM,MAAM,UAAU,GAAG;IACvB,QAAQ,EAAE,OAAO,EAAE,CAAC;CACrB,CAAC;AAEF,wBAAsB,QAAQ,CAAC,GAAG,EAAE,MAAM,EAAE,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CAMnF;AAED,wBAAgB,WAAW,CACzB,GAAG,EAAE,MAAM,EACX,MAAM,EAAE,UAAU,EAClB,OAAO,EAAE;IAAE,IAAI,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,EAAE,GAC3C,UAAU,CAYZ;AAED,wBAAgB,oBAAoB,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,MAAM,EAAE,QAAQ,GAAG,OAAO,CAGnF"}
|
|
@@ -0,0 +1,57 @@
|
|
|
1
|
+
import { listFiles, readFileSafely } from './walker.js';
|
|
2
|
+
import { getRulesets } from '../rules/registry.js';
|
|
3
|
+
const SEVERITY_ORDER = ['info', 'warning', 'critical'];
|
|
4
|
+
function applySeverityOverride(ruleId, severity, config) {
|
|
5
|
+
return config.rules.severity_overrides[ruleId] ?? severity;
|
|
6
|
+
}
|
|
7
|
+
function isAllowed(pathValue, ruleId, config) {
|
|
8
|
+
if (config.allowlist.paths.some((p) => pathValue.includes(p)))
|
|
9
|
+
return true;
|
|
10
|
+
const ruleAllows = config.allowlist.rules[ruleId] ?? [];
|
|
11
|
+
return ruleAllows.some((p) => pathValue.includes(p));
|
|
12
|
+
}
|
|
13
|
+
function shouldIncludeFinding(finding, config) {
|
|
14
|
+
if (config.rules.disable.includes(finding.ruleId))
|
|
15
|
+
return false;
|
|
16
|
+
if (isAllowed(finding.path, finding.ruleId, config))
|
|
17
|
+
return false;
|
|
18
|
+
return true;
|
|
19
|
+
}
|
|
20
|
+
export function applyRules(rules, config, cwd, pathValue, content) {
|
|
21
|
+
const findings = [];
|
|
22
|
+
for (const rule of rules) {
|
|
23
|
+
if (!rule.appliesTo(pathValue))
|
|
24
|
+
continue;
|
|
25
|
+
const ruleFindings = rule.run({ cwd, path: pathValue, content, config });
|
|
26
|
+
for (const f of ruleFindings) {
|
|
27
|
+
findings.push({
|
|
28
|
+
...f,
|
|
29
|
+
severity: applySeverityOverride(rule.id, f.severity, config),
|
|
30
|
+
});
|
|
31
|
+
}
|
|
32
|
+
}
|
|
33
|
+
return findings;
|
|
34
|
+
}
|
|
35
|
+
export async function scanRepo(cwd, config) {
|
|
36
|
+
const files = await listFiles(cwd, config.include, config.exclude);
|
|
37
|
+
const entries = files
|
|
38
|
+
.map((filePath) => readFileSafely(cwd, filePath))
|
|
39
|
+
.filter((entry) => Boolean(entry));
|
|
40
|
+
return scanEntries(cwd, config, entries);
|
|
41
|
+
}
|
|
42
|
+
export function scanEntries(cwd, config, entries) {
|
|
43
|
+
const rulesets = getRulesets(config.rulesets);
|
|
44
|
+
const rules = rulesets.flatMap((set) => set.rules);
|
|
45
|
+
const findings = [];
|
|
46
|
+
for (const entry of entries) {
|
|
47
|
+
const fileFindings = applyRules(rules, config, cwd, entry.path, entry.content)
|
|
48
|
+
.filter((f) => shouldIncludeFinding(f, config));
|
|
49
|
+
findings.push(...fileFindings);
|
|
50
|
+
}
|
|
51
|
+
return { findings };
|
|
52
|
+
}
|
|
53
|
+
export function hasFindingsAtOrAbove(findings, failOn) {
|
|
54
|
+
const failIndex = SEVERITY_ORDER.indexOf(failOn);
|
|
55
|
+
return findings.some((f) => SEVERITY_ORDER.indexOf(f.severity) >= failIndex);
|
|
56
|
+
}
|
|
57
|
+
//# sourceMappingURL=scan.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/engine/scan.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,cAAc,EAAE,MAAM,aAAa,CAAC;AACxD,OAAO,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAGnD,MAAM,cAAc,GAAe,CAAC,MAAM,EAAE,SAAS,EAAE,UAAU,CAAC,CAAC;AAEnE,SAAS,qBAAqB,CAAC,MAAc,EAAE,QAAkB,EAAE,MAAkB;IACnF,OAAO,MAAM,CAAC,KAAK,CAAC,kBAAkB,CAAC,MAAM,CAAC,IAAI,QAAQ,CAAC;AAC7D,CAAC;AAED,SAAS,SAAS,CAAC,SAAiB,EAAE,MAAc,EAAE,MAAkB;IACtE,IAAI,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;QAAE,OAAO,IAAI,CAAC;IAC3E,MAAM,UAAU,GAAG,MAAM,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC;IACxD,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC;AACvD,CAAC;AAED,SAAS,oBAAoB,CAAC,OAAgB,EAAE,MAAkB;IAChE,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAChE,IAAI,SAAS,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC;QAAE,OAAO,KAAK,CAAC;IAClE,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,UAAU,CACxB,KAAa,EACb,MAAkB,EAClB,GAAW,EACX,SAAiB,EACjB,OAAe;IAEf,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,SAAS,CAAC;YAAE,SAAS;QACzC,MAAM,YAAY,GAAG,IAAI,CAAC,GAAG,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,CAAC,CAAC;QACzE,KAAK,MAAM,CAAC,IAAI,YAAY,EAAE,CAAC;YAC7B,QAAQ,CAAC,IAAI,CAAC;gBACZ,GAAG,CAAC;gBACJ,QAAQ,EAAE,qBAAqB,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,CAAC,QAAQ,EAAE,MAAM,CAAC;aAC7D,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IACD,OAAO,QAAQ,CAAC;AAClB,CAAC;AAMD,MAAM,CAAC,KAAK,UAAU,QAAQ,CAAC,GAAW,EAAE,MAAkB;IAC5D,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,GAAG,EAAE,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IACnE,MAAM,OAAO,GAAG,KAAK;SAClB,GAAG,CAAC,CAAC,QAAQ,EAAE,EAAE,CAAC,cAAc,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;SAChD,MAAM,CAAC,CAAC,KAAK,EAAsC,EAAE,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC;IACzE,OAAO,WAAW,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,CAAC,CAAC;AAC3C,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,GAAW,EACX,MAAkB,EAClB,OAA4C;IAE5C,MAAM,QAAQ,GAAG,WAAW,CAAC,MAAM,CAAC,QAAQ,CAAC,CAAC;IAC9C,MAAM,KAAK,GAAG,QAAQ,CAAC,OAAO,CAAC,CAAC,GAAG,EAAE,EAAE,CAAC,GAAG,CAAC,KAAK,CAAC,CAAC;IACnD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,MAAM,YAAY,GAAG,UAAU,CAAC,KAAK,EAAE,MAAM,EAAE,GAAG,EAAE,KAAK,CAAC,IAAI,EAAE,KAAK,CAAC,OAAO,CAAC;aAC3E,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,oBAAoB,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC;QAClD,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IACjC,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,CAAC;AACtB,CAAC;AAED,MAAM,UAAU,oBAAoB,CAAC,QAAmB,EAAE,MAAgB;IACxE,MAAM,SAAS,GAAG,cAAc,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC;IACjD,OAAO,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,OAAO,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,SAAS,CAAC,CAAC;AAC/E,CAAC"}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
export type FileEntry = {
|
|
2
|
+
path: string;
|
|
3
|
+
content: string;
|
|
4
|
+
};
|
|
5
|
+
export declare function listFiles(cwd: string, include: string[], exclude: string[]): Promise<string[]>;
|
|
6
|
+
export declare function isBinary(buffer: Buffer): boolean;
|
|
7
|
+
export declare function readFileSafely(cwd: string, relativePath: string): FileEntry | null;
|
|
8
|
+
//# sourceMappingURL=walker.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"walker.d.ts","sourceRoot":"","sources":["../../src/engine/walker.ts"],"names":[],"mappings":"AAOA,MAAM,MAAM,SAAS,GAAG;IACtB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,wBAAsB,SAAS,CAAC,GAAG,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,OAAO,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,MAAM,EAAE,CAAC,CAQpG;AAED,wBAAgB,QAAQ,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAKhD;AAED,wBAAgB,cAAc,CAAC,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,SAAS,GAAG,IAAI,CAiBlF"}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
import fs from 'node:fs';
|
|
2
|
+
import path from 'node:path';
|
|
3
|
+
import fg from 'fast-glob';
|
|
4
|
+
const MAX_FILE_SIZE_BYTES = 1024 * 1024; // 1MB
|
|
5
|
+
const BINARY_SAMPLE_BYTES = 8192;
|
|
6
|
+
export async function listFiles(cwd, include, exclude) {
|
|
7
|
+
return fg(include, {
|
|
8
|
+
cwd,
|
|
9
|
+
ignore: exclude,
|
|
10
|
+
dot: true,
|
|
11
|
+
onlyFiles: true,
|
|
12
|
+
followSymbolicLinks: false,
|
|
13
|
+
});
|
|
14
|
+
}
|
|
15
|
+
export function isBinary(buffer) {
|
|
16
|
+
for (let i = 0; i < buffer.length; i += 1) {
|
|
17
|
+
if (buffer[i] === 0)
|
|
18
|
+
return true;
|
|
19
|
+
}
|
|
20
|
+
return false;
|
|
21
|
+
}
|
|
22
|
+
export function readFileSafely(cwd, relativePath) {
|
|
23
|
+
const fullPath = path.resolve(cwd, relativePath);
|
|
24
|
+
const stat = fs.statSync(fullPath, { throwIfNoEntry: false });
|
|
25
|
+
if (!stat || !stat.isFile())
|
|
26
|
+
return null;
|
|
27
|
+
if (stat.size > MAX_FILE_SIZE_BYTES)
|
|
28
|
+
return null;
|
|
29
|
+
const fd = fs.openSync(fullPath, 'r');
|
|
30
|
+
try {
|
|
31
|
+
const sample = Buffer.alloc(Math.min(BINARY_SAMPLE_BYTES, stat.size));
|
|
32
|
+
fs.readSync(fd, sample, 0, sample.length, 0);
|
|
33
|
+
if (isBinary(sample))
|
|
34
|
+
return null;
|
|
35
|
+
}
|
|
36
|
+
finally {
|
|
37
|
+
fs.closeSync(fd);
|
|
38
|
+
}
|
|
39
|
+
const content = fs.readFileSync(fullPath, 'utf8');
|
|
40
|
+
return { path: relativePath, content };
|
|
41
|
+
}
|
|
42
|
+
//# sourceMappingURL=walker.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"walker.js","sourceRoot":"","sources":["../../src/engine/walker.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,MAAM,SAAS,CAAC;AACzB,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,MAAM,WAAW,CAAC;AAE3B,MAAM,mBAAmB,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,MAAM;AAC/C,MAAM,mBAAmB,GAAG,IAAI,CAAC;AAOjC,MAAM,CAAC,KAAK,UAAU,SAAS,CAAC,GAAW,EAAE,OAAiB,EAAE,OAAiB;IAC/E,OAAO,EAAE,CAAC,OAAO,EAAE;QACjB,GAAG;QACH,MAAM,EAAE,OAAO;QACf,GAAG,EAAE,IAAI;QACT,SAAS,EAAE,IAAI;QACf,mBAAmB,EAAE,KAAK;KAC3B,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,QAAQ,CAAC,MAAc;IACrC,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,MAAM,CAAC,MAAM,EAAE,CAAC,IAAI,CAAC,EAAE,CAAC;QAC1C,IAAI,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;IACnC,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,cAAc,CAAC,GAAW,EAAE,YAAoB;IAC9D,MAAM,QAAQ,GAAG,IAAI,CAAC,OAAO,CAAC,GAAG,EAAE,YAAY,CAAC,CAAC;IACjD,MAAM,IAAI,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,EAAE,cAAc,EAAE,KAAK,EAAE,CAAC,CAAC;IAC9D,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,MAAM,EAAE;QAAE,OAAO,IAAI,CAAC;IACzC,IAAI,IAAI,CAAC,IAAI,GAAG,mBAAmB;QAAE,OAAO,IAAI,CAAC;IAEjD,MAAM,EAAE,GAAG,EAAE,CAAC,QAAQ,CAAC,QAAQ,EAAE,GAAG,CAAC,CAAC;IACtC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,mBAAmB,EAAE,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;QACtE,EAAE,CAAC,QAAQ,CAAC,EAAE,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC7C,IAAI,QAAQ,CAAC,MAAM,CAAC;YAAE,OAAO,IAAI,CAAC;IACpC,CAAC;YAAS,CAAC;QACT,EAAE,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;IACnB,CAAC;IAED,MAAM,OAAO,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAClD,OAAO,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,CAAC;AACzC,CAAC"}
|
package/dist/index.d.ts
ADDED
|
@@ -0,0 +1,5 @@
|
|
|
1
|
+
export { loadConfig, getDefaultConfigYaml } from './config/loader.js';
|
|
2
|
+
export { scanRepo, scanEntries, hasFindingsAtOrAbove, applyRules } from './engine/scan.js';
|
|
3
|
+
export { formatText, formatJson } from './output/formatters.js';
|
|
4
|
+
export type { OopsConfig, Finding, Severity } from './types.js';
|
|
5
|
+
//# sourceMappingURL=index.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC3F,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AAChE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,YAAY,CAAC"}
|
package/dist/index.js
ADDED
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAE,oBAAoB,EAAE,MAAM,oBAAoB,CAAC;AACtE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,oBAAoB,EAAE,UAAU,EAAE,MAAM,kBAAkB,CAAC;AAC3F,OAAO,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"formatters.d.ts","sourceRoot":"","sources":["../../src/output/formatters.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAY,MAAM,aAAa,CAAC;AAYhD,wBAAgB,UAAU,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,CAsBtD;AAED,wBAAgB,UAAU,CAAC,QAAQ,EAAE,OAAO,EAAE,GAAG,MAAM,CAEtD"}
|
|
@@ -0,0 +1,35 @@
|
|
|
1
|
+
const ORDER = ['critical', 'warning', 'info'];
|
|
2
|
+
function groupBySeverity(findings) {
|
|
3
|
+
return {
|
|
4
|
+
critical: findings.filter((f) => f.severity === 'critical'),
|
|
5
|
+
warning: findings.filter((f) => f.severity === 'warning'),
|
|
6
|
+
info: findings.filter((f) => f.severity === 'info'),
|
|
7
|
+
};
|
|
8
|
+
}
|
|
9
|
+
export function formatText(findings) {
|
|
10
|
+
if (findings.length === 0)
|
|
11
|
+
return 'No findings.\n';
|
|
12
|
+
const grouped = groupBySeverity(findings);
|
|
13
|
+
const lines = [];
|
|
14
|
+
for (const severity of ORDER) {
|
|
15
|
+
const bucket = grouped[severity];
|
|
16
|
+
if (bucket.length === 0)
|
|
17
|
+
continue;
|
|
18
|
+
lines.push(`${severity.toUpperCase()} (${bucket.length})`);
|
|
19
|
+
for (const f of bucket) {
|
|
20
|
+
const location = f.line ? `${f.path}:${f.line}` : f.path;
|
|
21
|
+
lines.push(`- ${f.ruleId} ${location}: ${f.message}`);
|
|
22
|
+
lines.push(` Why: ${f.why}`);
|
|
23
|
+
lines.push(` Fix: ${f.fix}`);
|
|
24
|
+
if (f.redactedExcerpt) {
|
|
25
|
+
lines.push(` Excerpt: ${f.redactedExcerpt}`);
|
|
26
|
+
}
|
|
27
|
+
}
|
|
28
|
+
lines.push('');
|
|
29
|
+
}
|
|
30
|
+
return lines.join('\n');
|
|
31
|
+
}
|
|
32
|
+
export function formatJson(findings) {
|
|
33
|
+
return JSON.stringify({ findings }, null, 2) + '\n';
|
|
34
|
+
}
|
|
35
|
+
//# sourceMappingURL=formatters.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"formatters.js","sourceRoot":"","sources":["../../src/output/formatters.ts"],"names":[],"mappings":"AAEA,MAAM,KAAK,GAAe,CAAC,UAAU,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;AAE1D,SAAS,eAAe,CAAC,QAAmB;IAC1C,OAAO;QACL,QAAQ,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC;QAC3D,OAAO,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,SAAS,CAAC;QACzD,IAAI,EAAE,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC;KACpD,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,QAAmB;IAC5C,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,gBAAgB,CAAC;IACnD,MAAM,OAAO,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;IAC1C,MAAM,KAAK,GAAa,EAAE,CAAC;IAE3B,KAAK,MAAM,QAAQ,IAAI,KAAK,EAAE,CAAC;QAC7B,MAAM,MAAM,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC;QACjC,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;YAAE,SAAS;QAClC,KAAK,CAAC,IAAI,CAAC,GAAG,QAAQ,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,MAAM,GAAG,CAAC,CAAC;QAC3D,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;YACvB,MAAM,QAAQ,GAAG,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;YACzD,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,MAAM,IAAI,QAAQ,KAAK,CAAC,CAAC,OAAO,EAAE,CAAC,CAAC;YACtD,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;YAC9B,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC;YAC9B,IAAI,CAAC,CAAC,eAAe,EAAE,CAAC;gBACtB,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;YAChD,CAAC;QACH,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,QAAmB;IAC5C,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CAAC;AACtD,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"redact.d.ts","sourceRoot":"","sources":["../../src/output/redact.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAC;AAE3C,wBAAgB,MAAM,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,GAAG,MAAM,CAQlE;AAED,wBAAgB,aAAa,CAAC,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,SAAM,GAAG,MAAM,CAGvF"}
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
export function redact(value, config) {
|
|
2
|
+
const { showPrefix, showSuffix } = config;
|
|
3
|
+
if (value.length <= showPrefix + showSuffix) {
|
|
4
|
+
return `${value.slice(0, showPrefix)}…${value.slice(-showSuffix)}`;
|
|
5
|
+
}
|
|
6
|
+
const prefix = value.slice(0, showPrefix);
|
|
7
|
+
const suffix = value.slice(-showSuffix);
|
|
8
|
+
return `${prefix}…${suffix}`;
|
|
9
|
+
}
|
|
10
|
+
export function redactExcerpt(value, config, maxLen = 120) {
|
|
11
|
+
const clipped = value.length > maxLen ? value.slice(0, maxLen) : value;
|
|
12
|
+
return redact(clipped, config);
|
|
13
|
+
}
|
|
14
|
+
//# sourceMappingURL=redact.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"redact.js","sourceRoot":"","sources":["../../src/output/redact.ts"],"names":[],"mappings":"AAEA,MAAM,UAAU,MAAM,CAAC,KAAa,EAAE,MAAoB;IACxD,MAAM,EAAE,UAAU,EAAE,UAAU,EAAE,GAAG,MAAM,CAAC;IAC1C,IAAI,KAAK,CAAC,MAAM,IAAI,UAAU,GAAG,UAAU,EAAE,CAAC;QAC5C,OAAO,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC,UAAU,CAAC,EAAE,CAAC;IACrE,CAAC;IACD,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,UAAU,CAAC,CAAC;IAC1C,MAAM,MAAM,GAAG,KAAK,CAAC,KAAK,CAAC,CAAC,UAAU,CAAC,CAAC;IACxC,OAAO,GAAG,MAAM,IAAI,MAAM,EAAE,CAAC;AAC/B,CAAC;AAED,MAAM,UAAU,aAAa,CAAC,KAAa,EAAE,MAAoB,EAAE,MAAM,GAAG,GAAG;IAC7E,MAAM,OAAO,GAAG,KAAK,CAAC,MAAM,GAAG,MAAM,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IACvE,OAAO,MAAM,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;AACjC,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ai_artifacts_v1.d.ts","sourceRoot":"","sources":["../../src/rules/ai_artifacts_v1.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AAwClC,eAAO,MAAM,kBAAkB,EAAE,IAAI,EAqDpC,CAAC"}
|
|
@@ -0,0 +1,76 @@
|
|
|
1
|
+
import { lineForIndex } from '../engine/line.js';
|
|
2
|
+
import { redactExcerpt } from '../output/redact.js';
|
|
3
|
+
import { stableFingerprint } from '../engine/fingerprint.js';
|
|
4
|
+
import { PRIVATE_KEY_BLOCK, GITHUB_TOKEN, AWS_ACCESS_KEY, STRIPE_LIVE_KEY, SLACK_TOKEN, } from './secrets_v1.js';
|
|
5
|
+
const AI_ARTIFACT_PATTERNS = [
|
|
6
|
+
/\bchat\b/i,
|
|
7
|
+
/\bprompt\b/i,
|
|
8
|
+
/\btranscript\b/i,
|
|
9
|
+
/\.prompt_history$/,
|
|
10
|
+
/\bgpt\b/i,
|
|
11
|
+
/\bclaude\b/i,
|
|
12
|
+
/\bllm[-_]?output\b/i,
|
|
13
|
+
];
|
|
14
|
+
function isAiArtifact(filePath) {
|
|
15
|
+
const base = filePath.split('/').pop() ?? filePath;
|
|
16
|
+
return AI_ARTIFACT_PATTERNS.some((p) => p.test(base));
|
|
17
|
+
}
|
|
18
|
+
const SECRET_PATTERNS = [
|
|
19
|
+
{ regex: PRIVATE_KEY_BLOCK, label: 'Private key block' },
|
|
20
|
+
{ regex: GITHUB_TOKEN, label: 'GitHub token' },
|
|
21
|
+
{ regex: AWS_ACCESS_KEY, label: 'AWS access key' },
|
|
22
|
+
{ regex: STRIPE_LIVE_KEY, label: 'Stripe live key' },
|
|
23
|
+
{ regex: SLACK_TOKEN, label: 'Slack token' },
|
|
24
|
+
];
|
|
25
|
+
export const aiArtifactsV1Rules = [
|
|
26
|
+
// AI001 — AI transcript/prompt artifacts tracked
|
|
27
|
+
{
|
|
28
|
+
id: 'AI001',
|
|
29
|
+
title: 'AI artifact file tracked',
|
|
30
|
+
defaultSeverity: 'info',
|
|
31
|
+
appliesTo: (path) => isAiArtifact(path),
|
|
32
|
+
run: (ctx) => [
|
|
33
|
+
{
|
|
34
|
+
ruleId: 'AI001',
|
|
35
|
+
severity: 'info',
|
|
36
|
+
path: ctx.path,
|
|
37
|
+
message: `AI artifact file tracked in repository: ${ctx.path.split('/').pop()}`,
|
|
38
|
+
why: 'AI transcripts and prompt logs may contain sensitive context or secrets.',
|
|
39
|
+
fix: 'Remove the file or add it to .gitignore.',
|
|
40
|
+
fingerprint: stableFingerprint(`AI001:${ctx.path}`),
|
|
41
|
+
},
|
|
42
|
+
],
|
|
43
|
+
},
|
|
44
|
+
// AI002 — Secrets in AI artifacts
|
|
45
|
+
{
|
|
46
|
+
id: 'AI002',
|
|
47
|
+
title: 'Secret detected in AI artifact',
|
|
48
|
+
defaultSeverity: 'critical',
|
|
49
|
+
appliesTo: (path) => isAiArtifact(path),
|
|
50
|
+
run: (ctx) => {
|
|
51
|
+
const findings = [];
|
|
52
|
+
for (const { regex, label } of SECRET_PATTERNS) {
|
|
53
|
+
// Reset lastIndex since these are exported compiled regexes
|
|
54
|
+
const re = new RegExp(regex.source, regex.flags);
|
|
55
|
+
for (const match of ctx.content.matchAll(re)) {
|
|
56
|
+
const index = match.index ?? 0;
|
|
57
|
+
const line = lineForIndex(ctx.content, index);
|
|
58
|
+
const matched = match[0];
|
|
59
|
+
findings.push({
|
|
60
|
+
ruleId: 'AI002',
|
|
61
|
+
severity: 'critical',
|
|
62
|
+
path: ctx.path,
|
|
63
|
+
line,
|
|
64
|
+
message: `${label} found in AI artifact`,
|
|
65
|
+
why: 'Secrets in AI artifacts should be removed and rotated immediately.',
|
|
66
|
+
fix: 'Remove the file, rotate the secret, and add the file to .gitignore.',
|
|
67
|
+
redactedExcerpt: redactExcerpt(matched, ctx.config.output.redact),
|
|
68
|
+
fingerprint: stableFingerprint(`AI002:${ctx.path}:${line}:${matched.slice(0, 8)}`),
|
|
69
|
+
});
|
|
70
|
+
}
|
|
71
|
+
}
|
|
72
|
+
return findings;
|
|
73
|
+
},
|
|
74
|
+
},
|
|
75
|
+
];
|
|
76
|
+
//# sourceMappingURL=ai_artifacts_v1.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ai_artifacts_v1.js","sourceRoot":"","sources":["../../src/rules/ai_artifacts_v1.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,aAAa,EAAE,MAAM,qBAAqB,CAAC;AACpD,OAAO,EAAE,iBAAiB,EAAE,MAAM,0BAA0B,CAAC;AAC7D,OAAO,EACL,iBAAiB,EACjB,YAAY,EACZ,cAAc,EACd,eAAe,EACf,WAAW,GACZ,MAAM,iBAAiB,CAAC;AAEzB,MAAM,oBAAoB,GAAG;IAC3B,WAAW;IACX,aAAa;IACb,iBAAiB;IACjB,mBAAmB;IACnB,UAAU;IACV,aAAa;IACb,qBAAqB;CACtB,CAAC;AAEF,SAAS,YAAY,CAAC,QAAgB;IACpC,MAAM,IAAI,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,QAAQ,CAAC;IACnD,OAAO,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC;AACxD,CAAC;AAOD,MAAM,eAAe,GAAoB;IACvC,EAAE,KAAK,EAAE,iBAAiB,EAAE,KAAK,EAAE,mBAAmB,EAAE;IACxD,EAAE,KAAK,EAAE,YAAY,EAAE,KAAK,EAAE,cAAc,EAAE;IAC9C,EAAE,KAAK,EAAE,cAAc,EAAE,KAAK,EAAE,gBAAgB,EAAE;IAClD,EAAE,KAAK,EAAE,eAAe,EAAE,KAAK,EAAE,iBAAiB,EAAE;IACpD,EAAE,KAAK,EAAE,WAAW,EAAE,KAAK,EAAE,aAAa,EAAE;CAC7C,CAAC;AAEF,MAAM,CAAC,MAAM,kBAAkB,GAAW;IACxC,iDAAiD;IACjD;QACE,EAAE,EAAE,OAAO;QACX,KAAK,EAAE,0BAA0B;QACjC,eAAe,EAAE,MAAM;QACvB,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC;QACvC,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE,CAAC;YACZ;gBACE,MAAM,EAAE,OAAO;gBACf,QAAQ,EAAE,MAAM;gBAChB,IAAI,EAAE,GAAG,CAAC,IAAI;gBACd,OAAO,EAAE,2CAA2C,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,EAAE;gBAC/E,GAAG,EAAE,0EAA0E;gBAC/E,GAAG,EAAE,0CAA0C;gBAC/C,WAAW,EAAE,iBAAiB,CAAC,SAAS,GAAG,CAAC,IAAI,EAAE,CAAC;aACpD;SACF;KACF;IAED,kCAAkC;IAClC;QACE,EAAE,EAAE,OAAO;QACX,KAAK,EAAE,gCAAgC;QACvC,eAAe,EAAE,UAAU;QAC3B,SAAS,EAAE,CAAC,IAAI,EAAE,EAAE,CAAC,YAAY,CAAC,IAAI,CAAC;QACvC,GAAG,EAAE,CAAC,GAAG,EAAE,EAAE;YACX,MAAM,QAAQ,GAAc,EAAE,CAAC;YAE/B,KAAK,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,IAAI,eAAe,EAAE,CAAC;gBAC/C,4DAA4D;gBAC5D,MAAM,EAAE,GAAG,IAAI,MAAM,CAAC,KAAK,CAAC,MAAM,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;gBACjD,KAAK,MAAM,KAAK,IAAI,GAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,EAAE,CAAC;oBAC7C,MAAM,KAAK,GAAG,KAAK,CAAC,KAAK,IAAI,CAAC,CAAC;oBAC/B,MAAM,IAAI,GAAG,YAAY,CAAC,GAAG,CAAC,OAAO,EAAE,KAAK,CAAC,CAAC;oBAC9C,MAAM,OAAO,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;oBACzB,QAAQ,CAAC,IAAI,CAAC;wBACZ,MAAM,EAAE,OAAO;wBACf,QAAQ,EAAE,UAAU;wBACpB,IAAI,EAAE,GAAG,CAAC,IAAI;wBACd,IAAI;wBACJ,OAAO,EAAE,GAAG,KAAK,uBAAuB;wBACxC,GAAG,EAAE,oEAAoE;wBACzE,GAAG,EAAE,qEAAqE;wBAC1E,eAAe,EAAE,aAAa,CAAC,OAAO,EAAE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC;wBACjE,WAAW,EAAE,iBAAiB,CAAC,SAAS,GAAG,CAAC,IAAI,IAAI,IAAI,IAAI,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC;qBACnF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,OAAO,QAAQ,CAAC;QAClB,CAAC;KACF;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"containers_v1.d.ts","sourceRoot":"","sources":["../../src/rules/containers_v1.ts"],"names":[],"mappings":"AAEA,OAAO,EAAE,IAAI,EAAE,MAAM,YAAY,CAAC;AA8FlC,eAAO,MAAM,iBAAiB,EAAE,IAAI,EAkTnC,CAAC"}
|