@panguard-ai/panguard-scan 0.1.0

package/dist/scanners/ssl-checker.d.ts

@@ -0,0 +1,27 @@
+/**
+ * SSL/TLS certificate checker
+ * SSL/TLS 憑證檢查器
+ *
+ * Checks SSL/TLS certificates on HTTPS-capable ports for expiration and
+ * validity issues. Connects to localhost on identified ports to inspect
+ * the presented certificate.
+ * 檢查具有 HTTPS 功能的埠上的 SSL/TLS 憑證是否有到期和有效性問題。
+ * 連線到 localhost 上已識別的埠以檢查呈現的憑證。
+ *
+ * @module @panguard-ai/panguard-scan/scanners/ssl-checker
+ */
+import { type PortInfo } from '@panguard-ai/core';
+import type { Finding } from './types.js';
+/**
+ * Check SSL/TLS certificates on all HTTPS-capable ports
+ * 檢查所有具有 HTTPS 功能的埠上的 SSL/TLS 憑證
+ *
+ * Iterates through the provided port list, identifies ports that are likely
+ * serving HTTPS, and checks each certificate for expiration.
+ * 遍歷提供的埠列表，識別可能提供 HTTPS 服務的埠，並檢查每個憑證的到期情況。
+ *
+ * @param ports - Array of open port info from discovery / 來自偵察的開放埠資訊陣列
+ * @returns Array of certificate-related findings / 與憑證相關的發現陣列
+ */
+export declare function checkSslCertificates(ports: PortInfo[]): Promise<Finding[]>;
+//# sourceMappingURL=ssl-checker.d.ts.map

package/dist/scanners/ssl-checker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssl-checker.d.ts","sourceRoot":"","sources":["../../src/scanners/ssl-checker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAGH,OAAO,EAAgB,KAAK,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAChE,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AA8K1C;;;;;;;;;;GAUG;AACH,wBAAsB,oBAAoB,CAAC,KAAK,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CA2BhF"}

package/dist/scanners/ssl-checker.js

@@ -0,0 +1,197 @@
+/**
+ * SSL/TLS certificate checker
+ * SSL/TLS 憑證檢查器
+ *
+ * Checks SSL/TLS certificates on HTTPS-capable ports for expiration and
+ * validity issues. Connects to localhost on identified ports to inspect
+ * the presented certificate.
+ * 檢查具有 HTTPS 功能的埠上的 SSL/TLS 憑證是否有到期和有效性問題。
+ * 連線到 localhost 上已識別的埠以檢查呈現的憑證。
+ *
+ * @module @panguard-ai/panguard-scan/scanners/ssl-checker
+ */
+import tls from 'node:tls';
+import { createLogger } from '@panguard-ai/core';
+const logger = createLogger('panguard-scan:ssl-checker');
+/**
+ * Well-known HTTPS port numbers
+ * 已知的 HTTPS 埠號
+ */
+const HTTPS_PORTS = new Set([443, 8443]);
+/**
+ * Number of days before expiration to trigger a warning
+ * 到期前觸發警告的天數
+ */
+const EXPIRY_WARNING_DAYS = 30;
+/**
+ * Connection timeout in milliseconds
+ * 連線逾時（毫秒）
+ */
+const CONNECT_TIMEOUT_MS = 5_000;
+/**
+ * Determine whether a port is likely serving HTTPS
+ * 判斷埠是否可能提供 HTTPS 服務
+ *
+ * @param portInfo - Port information to evaluate / 要評估的埠資訊
+ * @returns True if the port likely serves HTTPS / 如果埠可能提供 HTTPS 服務則為 true
+ */
+function isHttpsPort(portInfo) {
+    if (HTTPS_PORTS.has(portInfo.port))
+        return true;
+    if (portInfo.service && portInfo.service.toLowerCase().includes('https'))
+        return true;
+    return false;
+}
+/**
+ * Check the SSL certificate on a single port
+ * 檢查單一埠上的 SSL 憑證
+ *
+ * Establishes a TLS connection to localhost on the specified port and
+ * inspects the certificate's validity period.
+ * 在指定埠上建立到 localhost 的 TLS 連線，並檢查憑證的有效期間。
+ *
+ * @param port - Port number to check / 要檢查的埠號
+ * @returns A Finding if the certificate is expired or expiring soon, or null / 如果憑證已過期或即將到期則回傳 Finding，否則為 null
+ */
+async function checkCertOnPort(port) {
+    return new Promise((resolve) => {
+        const socket = tls.connect({
+            host: 'localhost',
+            port,
+            rejectUnauthorized: false,
+            timeout: CONNECT_TIMEOUT_MS,
+        }, () => {
+            try {
+                const cert = socket.getPeerCertificate();
+                if (!cert || !cert.valid_to) {
+                    logger.debug(`No certificate found on port ${port}`);
+                    socket.destroy();
+                    resolve(null);
+                    return;
+                }
+                const validTo = new Date(cert.valid_to);
+                const validFrom = new Date(cert.valid_from);
+                const now = new Date();
+                const daysUntilExpiry = Math.floor((validTo.getTime() - now.getTime()) / (1000 * 60 * 60 * 24));
+                const subject = cert.subject?.CN || 'unknown';
+                if (now > validTo) {
+                    // Certificate has expired
+                    // 憑證已過期
+                    logger.info(`Expired certificate on port ${port}: expired ${Math.abs(daysUntilExpiry)} days ago`);
+                    socket.destroy();
+                    resolve({
+                        id: `SCAN-SSL-${port}`,
+                        title: `Expired SSL certificate on port ${port} / ` + `埠 ${port} 上的 SSL 憑證已過期`,
+                        description: `The SSL/TLS certificate on port ${port} (subject: ${subject}) ` +
+                            `expired on ${validTo.toISOString().split('T')[0]}. ` +
+                            `It has been expired for ${Math.abs(daysUntilExpiry)} day(s). / ` +
+                            `埠 ${port} 上的 SSL/TLS 憑證（主體：${subject}）` +
+                            `已於 ${validTo.toISOString().split('T')[0]} 過期。` +
+                            `已過期 ${Math.abs(daysUntilExpiry)} 天。`,
+                        severity: 'high',
+                        category: 'certificate',
+                        remediation: `Renew the SSL/TLS certificate for port ${port} immediately. ` +
+                            "Consider using automated certificate management (e.g., Let's Encrypt). / " +
+                            `立即續期埠 ${port} 的 SSL/TLS 憑證。` +
+                            "考慮使用自動憑證管理（例如 Let's Encrypt）。",
+                        complianceRef: '4.4',
+                        details: `Subject: ${subject}, Valid from: ${validFrom.toISOString()}, ` +
+                            `Valid to: ${validTo.toISOString()}, Days expired: ${Math.abs(daysUntilExpiry)}`,
+                    });
+                    return;
+                }
+                if (daysUntilExpiry <= EXPIRY_WARNING_DAYS) {
+                    // Certificate expiring soon
+                    // 憑證即將到期
+                    logger.info(`Certificate on port ${port} expiring in ${daysUntilExpiry} days`);
+                    socket.destroy();
+                    resolve({
+                        id: `SCAN-SSL-${port}`,
+                        title: `SSL certificate expiring soon on port ${port} / ` +
+                            `埠 ${port} 上的 SSL 憑證即將到期`,
+                        description: `The SSL/TLS certificate on port ${port} (subject: ${subject}) ` +
+                            `will expire on ${validTo.toISOString().split('T')[0]} ` +
+                            `(${daysUntilExpiry} day(s) remaining). / ` +
+                            `埠 ${port} 上的 SSL/TLS 憑證（主體：${subject}）` +
+                            `將於 ${validTo.toISOString().split('T')[0]} 到期` +
+                            `（剩餘 ${daysUntilExpiry} 天）。`,
+                        severity: 'medium',
+                        category: 'certificate',
+                        remediation: `Renew the SSL/TLS certificate for port ${port} before it expires. ` +
+                            'Set up automated renewal to prevent future expirations. / ' +
+                            `在到期前續期埠 ${port} 的 SSL/TLS 憑證。` +
+                            '設定自動續期以防止未來過期。',
+                        complianceRef: '4.4',
+                        details: `Subject: ${subject}, Valid from: ${validFrom.toISOString()}, ` +
+                            `Valid to: ${validTo.toISOString()}, Days remaining: ${daysUntilExpiry}`,
+                    });
+                    return;
+                }
+                // Certificate is valid and not expiring soon
+                // 憑證有效且不會很快到期
+                logger.debug(`Certificate on port ${port} is valid (expires in ${daysUntilExpiry} days)`);
+                socket.destroy();
+                resolve(null);
+            }
+            catch (err) {
+                logger.debug(`Error reading certificate on port ${port}`, {
+                    error: err instanceof Error ? err.message : String(err),
+                });
+                socket.destroy();
+                resolve(null);
+            }
+        });
+        // Handle connection errors
+        // 處理連線錯誤
+        socket.on('error', (err) => {
+            logger.debug(`TLS connection error on port ${port}`, {
+                error: err.message,
+            });
+            socket.destroy();
+            resolve(null);
+        });
+        // Handle timeout
+        // 處理逾時
+        socket.on('timeout', () => {
+            logger.debug(`TLS connection timeout on port ${port}`);
+            socket.destroy();
+            resolve(null);
+        });
+    });
+}
+/**
+ * Check SSL/TLS certificates on all HTTPS-capable ports
+ * 檢查所有具有 HTTPS 功能的埠上的 SSL/TLS 憑證
+ *
+ * Iterates through the provided port list, identifies ports that are likely
+ * serving HTTPS, and checks each certificate for expiration.
+ * 遍歷提供的埠列表，識別可能提供 HTTPS 服務的埠，並檢查每個憑證的到期情況。
+ *
+ * @param ports - Array of open port info from discovery / 來自偵察的開放埠資訊陣列
+ * @returns Array of certificate-related findings / 與憑證相關的發現陣列
+ */
+export async function checkSslCertificates(ports) {
+    const findings = [];
+    const httpsPorts = ports.filter(isHttpsPort);
+    if (httpsPorts.length === 0) {
+        logger.info('No HTTPS-capable ports found to check');
+        return findings;
+    }
+    logger.info(`Checking SSL certificates on ${httpsPorts.length} HTTPS-capable port(s)`);
+    for (const portInfo of httpsPorts) {
+        try {
+            const finding = await checkCertOnPort(portInfo.port);
+            if (finding) {
+                findings.push(finding);
+            }
+        }
+        catch (err) {
+            logger.debug(`Failed to check SSL on port ${portInfo.port}`, {
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+    }
+    logger.info(`SSL certificate check complete: ${findings.length} finding(s)`);
+    return findings;
+}
+//# sourceMappingURL=ssl-checker.js.map

package/dist/scanners/ssl-checker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ssl-checker.js","sourceRoot":"","sources":["../../src/scanners/ssl-checker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAEH,OAAO,GAAG,MAAM,UAAU,CAAC;AAC3B,OAAO,EAAE,YAAY,EAAiB,MAAM,mBAAmB,CAAC;AAGhE,MAAM,MAAM,GAAG,YAAY,CAAC,2BAA2B,CAAC,CAAC;AAEzD;;;GAGG;AACH,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC,CAAC;AAEzC;;;GAGG;AACH,MAAM,mBAAmB,GAAG,EAAE,CAAC;AAE/B;;;GAGG;AACH,MAAM,kBAAkB,GAAG,KAAK,CAAC;AAEjC;;;;;;GAMG;AACH,SAAS,WAAW,CAAC,QAAkB;IACrC,IAAI,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;QAAE,OAAO,IAAI,CAAC;IAChD,IAAI,QAAQ,CAAC,OAAO,IAAI,QAAQ,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC;QAAE,OAAO,IAAI,CAAC;IACtF,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;;;;;;;GAUG;AACH,KAAK,UAAU,eAAe,CAAC,IAAY;IACzC,OAAO,IAAI,OAAO,CAAiB,CAAC,OAAO,EAAE,EAAE;QAC7C,MAAM,MAAM,GAAG,GAAG,CAAC,OAAO,CACxB;YACE,IAAI,EAAE,WAAW;YACjB,IAAI;YACJ,kBAAkB,EAAE,KAAK;YACzB,OAAO,EAAE,kBAAkB;SAC5B,EACD,GAAG,EAAE;YACH,IAAI,CAAC;gBACH,MAAM,IAAI,GAAG,MAAM,CAAC,kBAAkB,EAAE,CAAC;gBACzC,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC;oBAC5B,MAAM,CAAC,KAAK,CAAC,gCAAgC,IAAI,EAAE,CAAC,CAAC;oBACrD,MAAM,CAAC,OAAO,EAAE,CAAC;oBACjB,OAAO,CAAC,IAAI,CAAC,CAAC;oBACd,OAAO;gBACT,CAAC;gBAED,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBACxC,MAAM,SAAS,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;gBAC5C,MAAM,GAAG,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,eAAe,GAAG,IAAI,CAAC,KAAK,CAChC,CAAC,OAAO,CAAC,OAAO,EAAE,GAAG,GAAG,CAAC,OAAO,EAAE,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAC5D,CAAC;gBAEF,MAAM,OAAO,GAAG,IAAI,CAAC,OAAO,EAAE,EAAE,IAAI,SAAS,CAAC;gBAE9C,IAAI,GAAG,GAAG,OAAO,EAAE,CAAC;oBAClB,0BAA0B;oBAC1B,QAAQ;oBACR,MAAM,CAAC,IAAI,CACT,+BAA+B,IAAI,aAAa,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,WAAW,CACrF,CAAC;oBACF,MAAM,CAAC,OAAO,EAAE,CAAC;oBACjB,OAAO,CAAC;wBACN,EAAE,EAAE,YAAY,IAAI,EAAE;wBACtB,KAAK,EACH,mCAAmC,IAAI,KAAK,GAAG,KAAK,IAAI,eAAe;wBACzE,WAAW,EACT,mCAAmC,IAAI,cAAc,OAAO,IAAI;4BAChE,cAAc,OAAO,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI;4BACrD,2BAA2B,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,aAAa;4BACjE,KAAK,IAAI,qBAAqB,OAAO,GAAG;4BACxC,MAAM,OAAO,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM;4BAC/C,OAAO,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,KAAK;wBACvC,QAAQ,EAAE,MAAM;wBAChB,QAAQ,EAAE,aAAa;wBACvB,WAAW,EACT,0CAA0C,IAAI,gBAAgB;4BAC9D,2EAA2E;4BAC3E,SAAS,IAAI,gBAAgB;4BAC7B,+BAA+B;wBACjC,aAAa,EAAE,KAAK;wBACpB,OAAO,EACL,YAAY,OAAO,iBAAiB,SAAS,CAAC,WAAW,EAAE,IAAI;4BAC/D,aAAa,OAAO,CAAC,WAAW,EAAE,mBAAmB,IAAI,CAAC,GAAG,CAAC,eAAe,CAAC,EAAE;qBACnF,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,IAAI,eAAe,IAAI,mBAAmB,EAAE,CAAC;oBAC3C,4BAA4B;oBAC5B,SAAS;oBACT,MAAM,CAAC,IAAI,CAAC,uBAAuB,IAAI,gBAAgB,eAAe,OAAO,CAAC,CAAC;oBAC/E,MAAM,CAAC,OAAO,EAAE,CAAC;oBACjB,OAAO,CAAC;wBACN,EAAE,EAAE,YAAY,IAAI,EAAE;wBACtB,KAAK,EACH,yCAAyC,IAAI,KAAK;4BAClD,KAAK,IAAI,gBAAgB;wBAC3B,WAAW,EACT,mCAAmC,IAAI,cAAc,OAAO,IAAI;4BAChE,kBAAkB,OAAO,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG;4BACxD,IAAI,eAAe,wBAAwB;4BAC3C,KAAK,IAAI,qBAAqB,OAAO,GAAG;4BACxC,MAAM,OAAO,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK;4BAC9C,OAAO,eAAe,MAAM;wBAC9B,QAAQ,EAAE,QAAQ;wBAClB,QAAQ,EAAE,aAAa;wBACvB,WAAW,EACT,0CAA0C,IAAI,sBAAsB;4BACpE,4DAA4D;4BAC5D,WAAW,IAAI,gBAAgB;4BAC/B,gBAAgB;wBAClB,aAAa,EAAE,KAAK;wBACpB,OAAO,EACL,YAAY,OAAO,iBAAiB,SAAS,CAAC,WAAW,EAAE,IAAI;4BAC/D,aAAa,OAAO,CAAC,WAAW,EAAE,qBAAqB,eAAe,EAAE;qBAC3E,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,6CAA6C;gBAC7C,cAAc;gBACd,MAAM,CAAC,KAAK,CAAC,uBAAuB,IAAI,yBAAyB,eAAe,QAAQ,CAAC,CAAC;gBAC1F,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjB,OAAO,CAAC,IAAI,CAAC,CAAC;YAChB,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,MAAM,CAAC,KAAK,CAAC,qCAAqC,IAAI,EAAE,EAAE;oBACxD,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;iBACxD,CAAC,CAAC;gBACH,MAAM,CAAC,OAAO,EAAE,CAAC;gBACjB,OAAO,CAAC,IAAI,CAAC,CAAC;YAChB,CAAC;QACH,CAAC,CACF,CAAC;QAEF,2BAA2B;QAC3B,SAAS;QACT,MAAM,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACzB,MAAM,CAAC,KAAK,CAAC,gCAAgC,IAAI,EAAE,EAAE;gBACnD,KAAK,EAAE,GAAG,CAAC,OAAO;aACnB,CAAC,CAAC;YACH,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC,CAAC,CAAC;QAEH,iBAAiB;QACjB,OAAO;QACP,MAAM,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACxB,MAAM,CAAC,KAAK,CAAC,kCAAkC,IAAI,EAAE,CAAC,CAAC;YACvD,MAAM,CAAC,OAAO,EAAE,CAAC;YACjB,OAAO,CAAC,IAAI,CAAC,CAAC;QAChB,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,CAAC,KAAK,UAAU,oBAAoB,CAAC,KAAiB;IAC1D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAE/B,MAAM,UAAU,GAAG,KAAK,CAAC,MAAM,CAAC,WAAW,CAAC,CAAC;IAE7C,IAAI,UAAU,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC5B,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;QACrD,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,gCAAgC,UAAU,CAAC,MAAM,wBAAwB,CAAC,CAAC;IAEvF,KAAK,MAAM,QAAQ,IAAI,UAAU,EAAE,CAAC;QAClC,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;YACrD,IAAI,OAAO,EAAE,CAAC;gBACZ,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,CAAC,KAAK,CAAC,+BAA+B,QAAQ,CAAC,IAAI,EAAE,EAAE;gBAC3D,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;aACxD,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,mCAAmC,QAAQ,CAAC,MAAM,aAAa,CAAC,CAAC;IAC7E,OAAO,QAAQ,CAAC;AAClB,CAAC"}

package/dist/scanners/types.d.ts

@@ -0,0 +1,140 @@
+/**
+ * PanguardScan scanner type definitions
+ * PanguardScan 掃描器型別定義
+ *
+ * @module @panguard-ai/panguard-scan/scanners/types
+ */
+import type { DiscoveryResult, Severity, Language } from '@panguard-ai/core';
+/**
+ * Scan configuration options
+ * 掃描配置選項
+ */
+export interface ScanConfig {
+    /**
+     * Scan depth - 'quick' (~30s) or 'full' (~60s)
+     * 掃描深度 - 'quick'（約 30 秒）或 'full'（約 60 秒）
+     */
+    depth: 'quick' | 'full';
+    /**
+     * Output language
+     * 輸出語言
+     */
+    lang: Language;
+    /**
+     * Output PDF file path
+     * 輸出 PDF 檔案路徑
+     */
+    output?: string;
+    /**
+     * Enable verbose output
+     * 啟用詳細輸出
+     */
+    verbose?: boolean;
+}
+/**
+ * Individual security finding from a scanner
+ * 掃描器的個別安全發現
+ */
+export interface Finding {
+    /**
+     * Unique finding identifier
+     * 唯一發現識別碼
+     */
+    id: string;
+    /**
+     * Finding title (human-readable)
+     * 發現標題（人類可讀）
+     */
+    title: string;
+    /**
+     * Detailed description
+     * 詳細描述
+     */
+    description: string;
+    /**
+     * Severity level
+     * 嚴重等級
+     */
+    severity: Severity;
+    /**
+     * Finding category (e.g. 'password', 'network', 'system')
+     * 發現分類（如 'password'、'network'、'system'）
+     */
+    category: string;
+    /**
+     * Remediation recommendation
+     * 修復建議
+     */
+    remediation: string;
+    /**
+     * Taiwan ISMS compliance reference (e.g. "4.1.2")
+     * 台灣資通安全管理法條目參照（如 "4.1.2"）
+     */
+    complianceRef?: string;
+    /**
+     * Additional technical details
+     * 額外技術詳情
+     */
+    details?: string;
+    /**
+     * Manual fix commands for free-tier users
+     * 免費版用戶的手動修復指令
+     */
+    manualFix?: string[];
+}
+/**
+ * Complete scan result
+ * 完整掃描結果
+ */
+export interface ScanResult {
+    /**
+     * Environment discovery result from core
+     * 來自 core 的環境偵察結果
+     */
+    discovery: DiscoveryResult;
+    /**
+     * All security findings (sorted by severity)
+     * 所有安全發現（按嚴重度排序）
+     */
+    findings: Finding[];
+    /**
+     * Overall risk score (0-100)
+     * 總體風險評分（0-100）
+     */
+    riskScore: number;
+    /**
+     * Risk level label
+     * 風險等級標籤
+     */
+    riskLevel: Severity;
+    /**
+     * Scan duration in milliseconds
+     * 掃描持續時間（毫秒）
+     */
+    scanDuration: number;
+    /**
+     * Scan timestamp (ISO 8601)
+     * 掃描時間戳（ISO 8601）
+     */
+    scannedAt: string;
+    /**
+     * Scan configuration used
+     * 使用的掃描配置
+     */
+    config: ScanConfig;
+}
+/**
+ * Severity sort order (lower = more severe)
+ * 嚴重度排序（越低越嚴重）
+ */
+export declare const SEVERITY_ORDER: Record<string, number>;
+/**
+ * Sort findings by severity (most severe first)
+ * 按嚴重度排序發現（最嚴重的在前）
+ *
+ * @param a - First finding / 第一個發現
+ * @param b - Second finding / 第二個發現
+ * @returns Sort comparison value / 排序比較值
+ */
+export declare function sortBySeverity(a: Finding, b: Finding): number;
+//# sourceMappingURL=types.d.ts.map

package/dist/scanners/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../src/scanners/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAEH,OAAO,KAAK,EAAE,eAAe,EAAE,QAAQ,EAAE,QAAQ,EAAE,MAAM,mBAAmB,CAAC;AAE7E;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,KAAK,EAAE,OAAO,GAAG,MAAM,CAAC;IAExB;;;OAGG;IACH,IAAI,EAAE,QAAQ,CAAC;IAEf;;;OAGG;IACH,MAAM,CAAC,EAAE,MAAM,CAAC;IAEhB;;;OAGG;IACH,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED;;;GAGG;AACH,MAAM,WAAW,OAAO;IACtB;;;OAGG;IACH,EAAE,EAAE,MAAM,CAAC;IAEX;;;OAGG;IACH,KAAK,EAAE,MAAM,CAAC;IAEd;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,QAAQ,EAAE,QAAQ,CAAC;IAEnB;;;OAGG;IACH,QAAQ,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,WAAW,EAAE,MAAM,CAAC;IAEpB;;;OAGG;IACH,aAAa,CAAC,EAAE,MAAM,CAAC;IAEvB;;;OAGG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;OAGG;IACH,SAAS,CAAC,EAAE,MAAM,EAAE,CAAC;CACtB;AAED;;;GAGG;AACH,MAAM,WAAW,UAAU;IACzB;;;OAGG;IACH,SAAS,EAAE,eAAe,CAAC;IAE3B;;;OAGG;IACH,QAAQ,EAAE,OAAO,EAAE,CAAC;IAEpB;;;OAGG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,SAAS,EAAE,QAAQ,CAAC;IAEpB;;;OAGG;IACH,YAAY,EAAE,MAAM,CAAC;IAErB;;;OAGG;IACH,SAAS,EAAE,MAAM,CAAC;IAElB;;;OAGG;IACH,MAAM,EAAE,UAAU,CAAC;CACpB;AAED;;;GAGG;AACH,eAAO,MAAM,cAAc,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAMjD,CAAC;AAEF;;;;;;;GAOG;AACH,wBAAgB,cAAc,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,OAAO,GAAG,MAAM,CAI7D"}

package/dist/scanners/types.js

@@ -0,0 +1,31 @@
+/**
+ * PanguardScan scanner type definitions
+ * PanguardScan 掃描器型別定義
+ *
+ * @module @panguard-ai/panguard-scan/scanners/types
+ */
+/**
+ * Severity sort order (lower = more severe)
+ * 嚴重度排序（越低越嚴重）
+ */
+export const SEVERITY_ORDER = {
+    critical: 0,
+    high: 1,
+    medium: 2,
+    low: 3,
+    info: 4,
+};
+/**
+ * Sort findings by severity (most severe first)
+ * 按嚴重度排序發現（最嚴重的在前）
+ *
+ * @param a - First finding / 第一個發現
+ * @param b - Second finding / 第二個發現
+ * @returns Sort comparison value / 排序比較值
+ */
+export function sortBySeverity(a, b) {
+    const aOrder = SEVERITY_ORDER[a.severity] ?? 5;
+    const bOrder = SEVERITY_ORDER[b.severity] ?? 5;
+    return aOrder - bOrder;
+}
+//# sourceMappingURL=types.js.map

package/dist/scanners/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../src/scanners/types.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AA8IH;;;GAGG;AACH,MAAM,CAAC,MAAM,cAAc,GAA2B;IACpD,QAAQ,EAAE,CAAC;IACX,IAAI,EAAE,CAAC;IACP,MAAM,EAAE,CAAC;IACT,GAAG,EAAE,CAAC;IACN,IAAI,EAAE,CAAC;CACR,CAAC;AAEF;;;;;;;GAOG;AACH,MAAM,UAAU,cAAc,CAAC,CAAU,EAAE,CAAU;IACnD,MAAM,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,cAAc,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IAC/C,OAAO,MAAM,GAAG,MAAM,CAAC;AACzB,CAAC"}

package/package.json

@@ -0,0 +1,38 @@
+{
+  "name": "@panguard-ai/panguard-scan",
+  "version": "0.1.0",
+  "type": "module",
+  "description": "60-second security scanning CLI tool / 60 秒資安健檢工具",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "bin": {
+    "panguard-scan": "./dist/cli/index.js"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "files": [
+    "dist",
+    "package.json",
+    "README.md"
+  ],
+  "scripts": {
+    "build": "tsc --build",
+    "clean": "rm -rf dist tsconfig.tsbuildinfo",
+    "typecheck": "tsc --noEmit",
+    "test": "vitest run",
+    "dev": "tsc --build --watch",
+    "prepublishOnly": "pnpm run build"
+  },
+  "dependencies": {
+    "@panguard-ai/core": "workspace:*",
+    "@panguard-ai/security-hardening": "workspace:*",
+    "commander": "^12.0.0",
+    "pdfkit": "^0.15.0"
+  },
+  "devDependencies": {
+    "@types/node": "^22.14.0",
+    "@types/pdfkit": "^0.13.0",
+    "typescript": "~5.7.3"
+  }
+}