@panguard-ai/panguard-scan 0.2.0 → 1.0.0

package/dist/scanners/sast-checker.js

@@ -0,0 +1,289 @@
+/**
+ * SAST (Static Application Security Testing) - Semgrep integration
+ * 靜態應用程式安全測試 - Semgrep 整合
+ *
+ * Runs Semgrep-based SAST analysis when semgrep is installed.
+ * If Semgrep is not available, returns an empty result with an info message.
+ * 當 semgrep 已安裝時執行基於 Semgrep 的 SAST 分析。
+ * 若 Semgrep 不可用，回傳空結果並附帶提示訊息。
+ *
+ * @module @panguard-ai/panguard-scan/scanners/sast-checker
+ */
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { createLogger } from '@panguard-ai/core';
+const logger = createLogger('panguard-scan:sast');
+const execFileAsync = promisify(execFile);
+/**
+ * Semgrep execution timeout in milliseconds (60 seconds)
+ * Semgrep 執行逾時（毫秒，60 秒）
+ */
+const SEMGREP_TIMEOUT_MS = 60_000;
+/**
+ * Check if semgrep is available on the PATH
+ * 檢查 semgrep 是否在 PATH 上可用
+ *
+ * @returns True if semgrep is available / 若 semgrep 可用則為 true
+ */
+async function isSemgrepAvailable() {
+    try {
+        await execFileAsync('which', ['semgrep'], { timeout: 5_000 });
+        return true;
+    }
+    catch {
+        try {
+            await execFileAsync('semgrep', ['--version'], { timeout: 5_000 });
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
+}
+/**
+ * Map semgrep severity string to Severity type
+ * 將 semgrep 嚴重度字串映射到 Severity 型別
+ *
+ * @param semgrepSeverity - Semgrep severity string / Semgrep 嚴重度字串
+ * @param metadataSeverity - Optional metadata severity override / 可選的元資料嚴重度覆蓋
+ * @returns Mapped severity level / 映射後的嚴重等級
+ */
+function mapSemgrepSeverity(semgrepSeverity, metadataSeverity) {
+    if (metadataSeverity) {
+        const upper = metadataSeverity.toUpperCase();
+        if (upper === 'CRITICAL')
+            return 'critical';
+        if (upper === 'HIGH')
+            return 'high';
+        if (upper === 'MEDIUM')
+            return 'medium';
+        if (upper === 'LOW')
+            return 'low';
+    }
+    switch (semgrepSeverity.toUpperCase()) {
+        case 'ERROR':
+            return 'high';
+        case 'WARNING':
+            return 'medium';
+        default:
+            return 'low';
+    }
+}
+/**
+ * Derive a remediation message from a semgrep check_id
+ * 從 semgrep check_id 推導修復建議訊息
+ *
+ * @param checkId - Semgrep rule ID / Semgrep 規則 ID
+ * @returns Remediation recommendation / 修復建議
+ */
+function deriveRemediation(checkId) {
+    const lower = checkId.toLowerCase();
+    if (lower.includes('secret') || lower.includes('password') || lower.includes('key')) {
+        return ('Move secrets to environment variables or a dedicated secrets manager. / ' +
+            '將密鑰移至環境變數或專用密鑰管理員。');
+    }
+    if (lower.includes('sql') || lower.includes('injection') || lower.includes('sqli')) {
+        return ('Use parameterized queries or prepared statements to prevent SQL injection. / ' +
+            '使用參數化查詢或預備語句以防止 SQL 注入。');
+    }
+    if (lower.includes('xss') || lower.includes('html') || lower.includes('innerhtml')) {
+        return ('Sanitize user-supplied content before rendering it as HTML. / ' +
+            '在將使用者提供的內容呈現為 HTML 之前進行清理。');
+    }
+    if (lower.includes('eval') || lower.includes('exec') || lower.includes('command')) {
+        return ('Avoid executing user-controlled input as code or system commands. / ' +
+            '避免將使用者控制的輸入作為代碼或系統命令執行。');
+    }
+    if (lower.includes('crypto') || lower.includes('hash') || lower.includes('random')) {
+        return ('Use cryptographically secure algorithms and random number generators. / ' +
+            '使用加密安全的演算法和隨機數生成器。');
+    }
+    if (lower.includes('tls') || lower.includes('ssl') || lower.includes('cert')) {
+        return ('Ensure proper TLS/SSL configuration and certificate validation. / ' +
+            '確保正確的 TLS/SSL 配置和憑證驗證。');
+    }
+    return ('Review and remediate this security finding according to your security policy. / ' +
+        '根據您的安全策略審查並修復此安全發現。');
+}
+/**
+ * Map OWASP reference string to a compliance ref
+ * 將 OWASP 參照字串映射到合規參照
+ *
+ * @param owasp - OWASP category / OWASP 類別
+ * @returns Compliance reference string or undefined / 合規參照字串或 undefined
+ */
+function mapOwaspToComplianceRef(owasp) {
+    if (!owasp)
+        return undefined;
+    const owaspStr = Array.isArray(owasp) ? owasp.join(' ') : owasp;
+    const lower = owaspStr.toLowerCase();
+    if (lower.includes('a01') || lower.includes('broken access'))
+        return '4.1';
+    if (lower.includes('a02') || lower.includes('cryptographic'))
+        return '4.4';
+    if (lower.includes('a03') || lower.includes('injection'))
+        return '4.3';
+    if (lower.includes('a07') || lower.includes('identification'))
+        return '4.5';
+    if (lower.includes('a09') || lower.includes('logging'))
+        return '4.7';
+    return undefined;
+}
+/**
+ * Convert a semgrep result to a Finding
+ * 將 semgrep 結果轉換為 Finding
+ *
+ * @param result - Semgrep result item / Semgrep 結果項目
+ * @returns Converted Finding / 轉換後的 Finding
+ */
+function semgrepResultToFinding(result) {
+    const checkId = result.check_id;
+    const lineNum = result.start.line;
+    const col = result.start.col;
+    const filePath = result.path;
+    // Build a safe ID from the check_id last segment + line number
+    // 從 check_id 最後片段和行號建立安全 ID
+    const idSuffix = (checkId.split('.').pop() ?? checkId)
+        .toUpperCase()
+        .replace(/[^A-Z0-9-_]/g, '-')
+        .slice(0, 30);
+    const id = `SAST-${idSuffix}-${lineNum}`;
+    const message = result.extra.message;
+    const title = message.length > 80 ? message.slice(0, 80) : message;
+    const description = `${message}\n\nFile: ${filePath}, Line: ${lineNum}, Col: ${col}`;
+    const severity = mapSemgrepSeverity(result.extra.severity, result.extra.metadata?.severity);
+    const remediation = deriveRemediation(checkId);
+    const cwe = result.extra.metadata?.cwe;
+    const owasp = result.extra.metadata?.owasp;
+    const complianceRef = mapOwaspToComplianceRef(owasp) ?? (cwe ? '4.3' : undefined);
+    return {
+        id,
+        title,
+        description,
+        severity,
+        category: 'code',
+        remediation,
+        complianceRef,
+        details: `${filePath}:${lineNum}:${col}`,
+    };
+}
+/**
+ * Run semgrep and parse the JSON output into findings
+ * 執行 semgrep 並將 JSON 輸出解析為發現
+ *
+ * @param targetDir - Directory to scan / 要掃描的目錄
+ * @returns Array of findings from semgrep / 來自 semgrep 的發現陣列
+ */
+async function runSemgrep(targetDir) {
+    logger.info('Running semgrep SAST scan', { targetDir });
+    try {
+        const { stdout } = await execFileAsync('semgrep', [
+            '--json',
+            '--config=p/security-audit',
+            '--config=p/secrets',
+            '--no-git-ignore',
+            '--timeout=60',
+            targetDir,
+        ], { timeout: SEMGREP_TIMEOUT_MS });
+        let parsed;
+        try {
+            parsed = JSON.parse(stdout);
+        }
+        catch (parseErr) {
+            logger.warn('Failed to parse semgrep JSON output', {
+                error: parseErr instanceof Error ? parseErr.message : String(parseErr),
+            });
+            return [];
+        }
+        const results = parsed.results ?? [];
+        logger.info(`Semgrep found ${results.length} raw result(s)`);
+        // Convert results to findings, deduplicating by check_id + path + line
+        // 將結果轉換為發現，按 check_id + 路徑 + 行號去重
+        const seen = new Set();
+        const findings = [];
+        for (const result of results) {
+            const dedupeKey = `${result.check_id}:${result.path}:${result.start.line}`;
+            if (seen.has(dedupeKey))
+                continue;
+            seen.add(dedupeKey);
+            findings.push(semgrepResultToFinding(result));
+        }
+        logger.info(`Semgrep produced ${findings.length} deduplicated finding(s)`);
+        return findings;
+    }
+    catch (err) {
+        // Exit code 1 from semgrep means findings were found (not an error)
+        // semgrep 退出碼 1 表示有發現（非錯誤）
+        if (err &&
+            typeof err === 'object' &&
+            'code' in err &&
+            err.code === 1 &&
+            'stdout' in err &&
+            typeof err.stdout === 'string') {
+            const stdout = err.stdout;
+            try {
+                const parsed = JSON.parse(stdout);
+                const results = parsed.results ?? [];
+                logger.info(`Semgrep (exit 1) found ${results.length} result(s)`);
+                const seen = new Set();
+                const findings = [];
+                for (const result of results) {
+                    const dedupeKey = `${result.check_id}:${result.path}:${result.start.line}`;
+                    if (seen.has(dedupeKey))
+                        continue;
+                    seen.add(dedupeKey);
+                    findings.push(semgrepResultToFinding(result));
+                }
+                return findings;
+            }
+            catch {
+                logger.warn('Failed to parse semgrep exit-1 output');
+                return [];
+            }
+        }
+        logger.warn('Semgrep execution failed', {
+            error: err instanceof Error ? err.message : String(err),
+        });
+        return [];
+    }
+}
+/**
+ * Scan source code for security vulnerabilities using SAST
+ * 使用 SAST 掃描原始碼的安全漏洞
+ *
+ * Runs Semgrep if available. If Semgrep is not installed, returns an empty
+ * result array. Install Semgrep for full SAST coverage.
+ * 若 Semgrep 可用則執行。若 Semgrep 未安裝，回傳空結果陣列。
+ * 安裝 Semgrep 以取得完整 SAST 覆蓋。
+ *
+ * @param targetDir - Source code directory to scan / 要掃描的原始碼目錄
+ * @returns Array of security findings / 安全發現陣列
+ */
+export async function checkSourceCode(targetDir) {
+    // Validate targetDir exists
+    // 驗證 targetDir 存在
+    try {
+        const stat = await fs.stat(targetDir);
+        if (!stat.isDirectory()) {
+            logger.warn(`Target path is not a directory: ${targetDir}`);
+            return [];
+        }
+    }
+    catch (err) {
+        logger.warn(`Target directory does not exist or is not accessible: ${targetDir}`, {
+            error: err instanceof Error ? err.message : String(err),
+        });
+        return [];
+    }
+    const resolvedDir = path.resolve(targetDir);
+    const semgrepAvailable = await isSemgrepAvailable();
+    if (semgrepAvailable) {
+        logger.info('Semgrep is available, running SAST scan', { targetDir: resolvedDir });
+        return runSemgrep(resolvedDir);
+    }
+    logger.info('Semgrep is not installed. Install Semgrep for SAST scanning: https://semgrep.dev');
+    return [];
+}
+//# sourceMappingURL=sast-checker.js.map

package/dist/scanners/sast-checker.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"sast-checker.js","sourceRoot":"","sources":["../../src/scanners/sast-checker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,QAAQ,IAAI,EAAE,EAAE,MAAM,SAAS,CAAC;AACzC,OAAO,IAAI,MAAM,WAAW,CAAC;AAC7B,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AAIjD,MAAM,MAAM,GAAG,YAAY,CAAC,oBAAoB,CAAC,CAAC;AAClD,MAAM,aAAa,GAAG,SAAS,CAAC,QAAQ,CAAC,CAAC;AAE1C;;;GAGG;AACH,MAAM,kBAAkB,GAAG,MAAM,CAAC;AAgClC;;;;;GAKG;AACH,KAAK,UAAU,kBAAkB;IAC/B,IAAI,CAAC;QACH,MAAM,aAAa,CAAC,OAAO,EAAE,CAAC,SAAS,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;QAC9D,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,IAAI,CAAC;YACH,MAAM,aAAa,CAAC,SAAS,EAAE,CAAC,WAAW,CAAC,EAAE,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;YAClE,OAAO,IAAI,CAAC;QACd,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,KAAK,CAAC;QACf,CAAC;IACH,CAAC;AACH,CAAC;AAED;;;;;;;GAOG;AACH,SAAS,kBAAkB,CAAC,eAAuB,EAAE,gBAAyB;IAC5E,IAAI,gBAAgB,EAAE,CAAC;QACrB,MAAM,KAAK,GAAG,gBAAgB,CAAC,WAAW,EAAE,CAAC;QAC7C,IAAI,KAAK,KAAK,UAAU;YAAE,OAAO,UAAU,CAAC;QAC5C,IAAI,KAAK,KAAK,MAAM;YAAE,OAAO,MAAM,CAAC;QACpC,IAAI,KAAK,KAAK,QAAQ;YAAE,OAAO,QAAQ,CAAC;QACxC,IAAI,KAAK,KAAK,KAAK;YAAE,OAAO,KAAK,CAAC;IACpC,CAAC;IAED,QAAQ,eAAe,CAAC,WAAW,EAAE,EAAE,CAAC;QACtC,KAAK,OAAO;YACV,OAAO,MAAM,CAAC;QAChB,KAAK,SAAS;YACZ,OAAO,QAAQ,CAAC;QAClB;YACE,OAAO,KAAK,CAAC;IACjB,CAAC;AACH,CAAC;AAED;;;;;;GAMG;AACH,SAAS,iBAAiB,CAAC,OAAe;IACxC,MAAM,KAAK,GAAG,OAAO,CAAC,WAAW,EAAE,CAAC;IAEpC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,UAAU,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACpF,OAAO,CACL,0EAA0E;YAC1E,oBAAoB,CACrB,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QACnF,OAAO,CACL,+EAA+E;YAC/E,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;QACnF,OAAO,CACL,gEAAgE;YAChE,4BAA4B,CAC7B,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QAClF,OAAO,CACL,sEAAsE;YACtE,yBAAyB,CAC1B,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;QACnF,OAAO,CACL,0EAA0E;YAC1E,oBAAoB,CACrB,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAC7E,OAAO,CACL,oEAAoE;YACpE,wBAAwB,CACzB,CAAC;IACJ,CAAC;IAED,OAAO,CACL,kFAAkF;QAClF,qBAAqB,CACtB,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,SAAS,uBAAuB,CAAC,KAAyB;IACxD,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAE7B,MAAM,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;IAChE,MAAM,KAAK,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAErC,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3E,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,eAAe,CAAC;QAAE,OAAO,KAAK,CAAC;IAC3E,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,WAAW,CAAC;QAAE,OAAO,KAAK,CAAC;IACvE,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,gBAAgB,CAAC;QAAE,OAAO,KAAK,CAAC;IAC5E,IAAI,KAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,SAAS,CAAC;QAAE,OAAO,KAAK,CAAC;IAErE,OAAO,SAAS,CAAC;AACnB,CAAC;AAED;;;;;;GAMG;AACH,SAAS,sBAAsB,CAAC,MAAqB;IACnD,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,CAAC;IAChC,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC;IAClC,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC;IAC7B,MAAM,QAAQ,GAAG,MAAM,CAAC,IAAI,CAAC;IAE7B,+DAA+D;IAC/D,4BAA4B;IAC5B,MAAM,QAAQ,GAAG,CAAC,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,OAAO,CAAC;SACnD,WAAW,EAAE;SACb,OAAO,CAAC,cAAc,EAAE,GAAG,CAAC;SAC5B,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;IAChB,MAAM,EAAE,GAAG,QAAQ,QAAQ,IAAI,OAAO,EAAE,CAAC;IAEzC,MAAM,OAAO,GAAG,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC;IACrC,MAAM,KAAK,GAAG,OAAO,CAAC,MAAM,GAAG,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC;IACnE,MAAM,WAAW,GAAG,GAAG,OAAO,aAAa,QAAQ,WAAW,OAAO,UAAU,GAAG,EAAE,CAAC;IAErF,MAAM,QAAQ,GAAG,kBAAkB,CAAC,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,QAAQ,CAAC,CAAC;IAE5F,MAAM,WAAW,GAAG,iBAAiB,CAAC,OAAO,CAAC,CAAC;IAE/C,MAAM,GAAG,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,GAAG,CAAC;IACvC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,EAAE,KAAK,CAAC;IAC3C,MAAM,aAAa,GAAG,uBAAuB,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC;IAElF,OAAO;QACL,EAAE;QACF,KAAK;QACL,WAAW;QACX,QAAQ;QACR,QAAQ,EAAE,MAAM;QAChB,WAAW;QACX,aAAa;QACb,OAAO,EAAE,GAAG,QAAQ,IAAI,OAAO,IAAI,GAAG,EAAE;KACzC,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACH,KAAK,UAAU,UAAU,CAAC,SAAiB;IACzC,MAAM,CAAC,IAAI,CAAC,2BAA2B,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC;IAExD,IAAI,CAAC;QACH,MAAM,EAAE,MAAM,EAAE,GAAG,MAAM,aAAa,CACpC,SAAS,EACT;YACE,QAAQ;YACR,2BAA2B;YAC3B,oBAAoB;YACpB,iBAAiB;YACjB,cAAc;YACd,SAAS;SACV,EACD,EAAE,OAAO,EAAE,kBAAkB,EAAE,CAChC,CAAC;QAEF,IAAI,MAAqB,CAAC;QAC1B,IAAI,CAAC;YACH,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAkB,CAAC;QAC/C,CAAC;QAAC,OAAO,QAAQ,EAAE,CAAC;YAClB,MAAM,CAAC,IAAI,CAAC,qCAAqC,EAAE;gBACjD,KAAK,EAAE,QAAQ,YAAY,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,QAAQ,CAAC;aACvE,CAAC,CAAC;YACH,OAAO,EAAE,CAAC;QACZ,CAAC;QAED,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;QACrC,MAAM,CAAC,IAAI,CAAC,iBAAiB,OAAO,CAAC,MAAM,gBAAgB,CAAC,CAAC;QAE7D,uEAAuE;QACvE,kCAAkC;QAClC,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;QAC/B,MAAM,QAAQ,GAAc,EAAE,CAAC;QAE/B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,MAAM,SAAS,GAAG,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;YAC3E,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;gBAAE,SAAS;YAClC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACpB,QAAQ,CAAC,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC,CAAC;QAChD,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,oBAAoB,QAAQ,CAAC,MAAM,0BAA0B,CAAC,CAAC;QAC3E,OAAO,QAAQ,CAAC;IAClB,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,oEAAoE;QACpE,2BAA2B;QAC3B,IACE,GAAG;YACH,OAAO,GAAG,KAAK,QAAQ;YACvB,MAAM,IAAI,GAAG;YACb,GAAG,CAAC,IAAI,KAAK,CAAC;YACd,QAAQ,IAAI,GAAG;YACf,OAAQ,GAA2B,CAAC,MAAM,KAAK,QAAQ,EACvD,CAAC;YACD,MAAM,MAAM,GAAI,GAA0B,CAAC,MAAM,CAAC;YAClD,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,MAAM,CAAkB,CAAC;gBACnD,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,IAAI,EAAE,CAAC;gBACrC,MAAM,CAAC,IAAI,CAAC,0BAA0B,OAAO,CAAC,MAAM,YAAY,CAAC,CAAC;gBAElE,MAAM,IAAI,GAAG,IAAI,GAAG,EAAU,CAAC;gBAC/B,MAAM,QAAQ,GAAc,EAAE,CAAC;gBAE/B,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;oBAC7B,MAAM,SAAS,GAAG,GAAG,MAAM,CAAC,QAAQ,IAAI,MAAM,CAAC,IAAI,IAAI,MAAM,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC;oBAC3E,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC;wBAAE,SAAS;oBAClC,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;oBACpB,QAAQ,CAAC,IAAI,CAAC,sBAAsB,CAAC,MAAM,CAAC,CAAC,CAAC;gBAChD,CAAC;gBAED,OAAO,QAAQ,CAAC;YAClB,CAAC;YAAC,MAAM,CAAC;gBACP,MAAM,CAAC,IAAI,CAAC,uCAAuC,CAAC,CAAC;gBACrD,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;QAED,MAAM,CAAC,IAAI,CAAC,0BAA0B,EAAE;YACtC,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC,CAAC;QACH,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;;;;;;;;;;GAWG;AACH,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,SAAiB;IACrD,4BAA4B;IAC5B,kBAAkB;IAClB,IAAI,CAAC;QACH,MAAM,IAAI,GAAG,MAAM,EAAE,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,MAAM,CAAC,IAAI,CAAC,mCAAmC,SAAS,EAAE,CAAC,CAAC;YAC5D,OAAO,EAAE,CAAC;QACZ,CAAC;IACH,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,CAAC,IAAI,CAAC,yDAAyD,SAAS,EAAE,EAAE;YAChF,KAAK,EAAE,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC;SACxD,CAAC,CAAC;QACH,OAAO,EAAE,CAAC;IACZ,CAAC;IAED,MAAM,WAAW,GAAG,IAAI,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAE5C,MAAM,gBAAgB,GAAG,MAAM,kBAAkB,EAAE,CAAC;IAEpD,IAAI,gBAAgB,EAAE,CAAC;QACrB,MAAM,CAAC,IAAI,CAAC,yCAAyC,EAAE,EAAE,SAAS,EAAE,WAAW,EAAE,CAAC,CAAC;QACnF,OAAO,UAAU,CAAC,WAAW,CAAC,CAAC;IACjC,CAAC;IAED,MAAM,CAAC,IAAI,CAAC,kFAAkF,CAAC,CAAC;IAChG,OAAO,EAAE,CAAC;AACZ,CAAC"}

package/dist/scanners/secrets-checker.d.ts

@@ -0,0 +1,41 @@
+/**
+ * Hardcoded secrets scanner
+ * 硬編碼密鑰掃描器
+ *
+ * Scans source files for hardcoded secrets such as API keys, tokens, credentials,
+ * and private keys. Works independently of semgrep.
+ * 掃描原始碼檔案中的硬編碼密鑰，如 API 金鑰、令牌、憑證和私鑰。
+ * 獨立於 semgrep 運作。
+ *
+ * @module @panguard-ai/panguard-scan/scanners/secrets-checker
+ */
+import type { Finding } from './types.js';
+/**
+ * Scan source code directory for hardcoded secrets
+ * 掃描原始碼目錄中的硬編碼密鑰
+ *
+ * Detects common secret patterns including:
+ * - AWS Access Key IDs
+ * - GitHub tokens (ghp_, gho_, ghs_, ghr_ prefixes)
+ * - Slack tokens (xox[pboa]-)
+ * - Stripe live keys (sk_live_, pk_live_)
+ * - Bearer tokens in hardcoded strings
+ * - Private key headers (RSA, EC, etc.)
+ * - Database connection strings with credentials
+ * - Generic API keys in environment files
+ *
+ * 偵測常見的密鑰模式包括：
+ * - AWS 存取金鑰 ID
+ * - GitHub 令牌（ghp_、gho_、ghs_、ghr_ 前綴）
+ * - Slack 令牌（xox[pboa]-）
+ * - Stripe 正式金鑰（sk_live_、pk_live_）
+ * - 硬編碼字串中的 Bearer 令牌
+ * - 私鑰標頭（RSA、EC 等）
+ * - 含憑證的資料庫連線字串
+ * - 環境檔案中的通用 API 金鑰
+ *
+ * @param targetDir - Source code directory to scan / 要掃描的原始碼目錄
+ * @returns Array of secret findings / 密鑰發現陣列
+ */
+export declare function checkHardcodedSecrets(targetDir: string): Promise<Finding[]>;
+//# sourceMappingURL=secrets-checker.d.ts.map

package/dist/scanners/secrets-checker.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secrets-checker.d.ts","sourceRoot":"","sources":["../../src/scanners/secrets-checker.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAKH,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,YAAY,CAAC;AAmS1C;;;;;;;;;;;;;;;;;;;;;;;;;;GA0BG;AACH,wBAAsB,qBAAqB,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAyCjF"}

package/dist/scanners/secrets-checker.js

@@ -0,0 +1,332 @@
+/**
+ * Hardcoded secrets scanner
+ * 硬編碼密鑰掃描器
+ *
+ * Scans source files for hardcoded secrets such as API keys, tokens, credentials,
+ * and private keys. Works independently of semgrep.
+ * 掃描原始碼檔案中的硬編碼密鑰，如 API 金鑰、令牌、憑證和私鑰。
+ * 獨立於 semgrep 運作。
+ *
+ * @module @panguard-ai/panguard-scan/scanners/secrets-checker
+ */
+import { promises as fs } from 'node:fs';
+import path from 'node:path';
+import { createLogger } from '@panguard-ai/core';
+const logger = createLogger('panguard-scan:secrets-checker');
+/**
+ * Maximum file size in bytes to scan (500 KB)
+ * 最大掃描檔案大小（500 KB）
+ */
+const MAX_FILE_SIZE_BYTES = 500 * 1024;
+/**
+ * Directories to skip when walking the source tree
+ * 遍歷原始碼樹時要跳過的目錄
+ */
+const SKIP_DIRS = new Set([
+    'node_modules',
+    '.git',
+    'dist',
+    'build',
+    'coverage',
+    'vendor',
+    '.next',
+    '__pycache__',
+]);
+/**
+ * Source file extensions to scan for secrets
+ * 要掃描密鑰的原始碼檔案副檔名
+ */
+const SCANNABLE_EXTENSIONS = new Set([
+    '.ts',
+    '.tsx',
+    '.js',
+    '.jsx',
+    '.mjs',
+    '.cjs',
+    '.py',
+    '.go',
+    '.java',
+    '.php',
+    '.rb',
+    '.cs',
+    '.rs',
+    '.cpp',
+    '.c',
+    '.h',
+    '.env',
+    '.env.local',
+    '.env.production',
+    '.env.staging',
+    '.env.development',
+    '.env.test',
+    '.yaml',
+    '.yml',
+    '.json',
+    '.toml',
+    '.ini',
+    '.cfg',
+    '.conf',
+    '.properties',
+    '.xml',
+    '.pem',
+    '.key',
+    '.crt',
+    '.cert',
+]);
+/**
+ * Secret detection patterns
+ * 密鑰偵測模式
+ */
+const SECRET_PATTERNS = [
+    {
+        id: 'SECRETS-AWS-KEY',
+        pattern: /\bAKIA[0-9A-Z]{16}\b/g,
+        title: 'AWS Access Key ID detected / 偵測到 AWS 存取金鑰 ID',
+        description: 'An AWS Access Key ID (starting with AKIA) was found hardcoded in source code. ' +
+            'This credential can be used to access AWS services. / ' +
+            '在原始碼中發現硬編碼的 AWS 存取金鑰 ID（以 AKIA 開頭）。此憑證可用於存取 AWS 服務。',
+    },
+    {
+        id: 'SECRETS-GITHUB-TOKEN',
+        pattern: /\b(ghp|gho|ghs|ghr)_[A-Za-z0-9]{36,}\b/g,
+        title: 'GitHub token detected / 偵測到 GitHub 令牌',
+        description: 'A GitHub personal access token or OAuth token was found hardcoded in source code. ' +
+            'This token can be used to access GitHub repositories and APIs. / ' +
+            '在原始碼中發現硬編碼的 GitHub 個人存取令牌或 OAuth 令牌。此令牌可用於存取 GitHub 儲存庫和 API。',
+    },
+    {
+        id: 'SECRETS-SLACK-TOKEN',
+        pattern: /\bxox[pboa]-[0-9A-Za-z-]{10,}\b/g,
+        title: 'Slack token detected / 偵測到 Slack 令牌',
+        description: 'A Slack API token was found hardcoded in source code. ' +
+            'This token can be used to access Slack workspaces and data. / ' +
+            '在原始碼中發現硬編碼的 Slack API 令牌。此令牌可用於存取 Slack 工作區和資料。',
+    },
+    {
+        id: 'SECRETS-STRIPE-LIVE-KEY',
+        pattern: /\b(sk_live_|pk_live_)[0-9A-Za-z]{24,}\b/g,
+        title: 'Stripe live key detected / 偵測到 Stripe 正式金鑰',
+        description: 'A Stripe live API key was found hardcoded in source code. ' +
+            'This key can be used to process real financial transactions. / ' +
+            '在原始碼中發現硬編碼的 Stripe 正式 API 金鑰。此金鑰可用於處理真實的金融交易。',
+    },
+    {
+        id: 'SECRETS-BEARER-TOKEN',
+        pattern: /["']Bearer\s+[A-Za-z0-9\-._~+/]{20,}={0,2}["']/g,
+        title: 'Hardcoded Bearer token detected / 偵測到硬編碼 Bearer 令牌',
+        description: 'A hardcoded Bearer token was found in source code. ' +
+            'Bearer tokens grant access to protected APIs and should not be stored in code. / ' +
+            '在原始碼中發現硬編碼的 Bearer 令牌。Bearer 令牌授予對受保護 API 的存取權限，不應儲存在代碼中。',
+    },
+    {
+        id: 'SECRETS-RSA-PRIVATE-KEY',
+        pattern: /-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----/g,
+        title: 'Private key material detected / 偵測到私鑰材料',
+        description: 'A private key header was found in source code or a committed file. ' +
+            'Private keys should never be stored in source code repositories. / ' +
+            '在原始碼或已提交的檔案中發現私鑰標頭。私鑰絕不應儲存在原始碼儲存庫中。',
+    },
+    {
+        id: 'SECRETS-DB-CONNECTION-STRING',
+        pattern: /(?:mongodb(?:\+srv)?|postgresql|postgres|mysql|redis|amqp|rabbitmq):\/\/[^:/@\s]+:[^:/@\s]+@[^\s"'`]+/gi,
+        title: 'Database connection string with credentials / 含憑證的資料庫連線字串',
+        description: 'A database connection string with embedded credentials was found in source code. ' +
+            'Database credentials should be managed via environment variables or secrets management. / ' +
+            '在原始碼中發現含嵌入憑證的資料庫連線字串。資料庫憑證應透過環境變數或密鑰管理進行管理。',
+    },
+    {
+        id: 'SECRETS-GENERIC-API-KEY-ENV',
+        pattern: /^(?:API_KEY|API_SECRET|SECRET_KEY|PRIVATE_KEY|ACCESS_TOKEN|AUTH_TOKEN|OAUTH_TOKEN|APP_SECRET)\s*=\s*[^\s#]{8,}/gm,
+        title: 'Generic API key or secret in environment file / 環境檔案中的通用 API 金鑰或密鑰',
+        description: 'A generic API key, secret, or token was found hardcoded in a configuration or environment file. ' +
+            'These values should be injected at runtime, not stored in files. / ' +
+            '在設定或環境檔案中發現硬編碼的通用 API 金鑰、密鑰或令牌。這些值應在執行時注入，而非儲存在檔案中。',
+    },
+];
+/**
+ * Remediation message for all secret findings (shared)
+ * 所有密鑰發現的修復建議（共用）
+ */
+const SECRETS_REMEDIATION = 'Remove the secret from source code immediately. Rotate the compromised credential. ' +
+    'Store secrets in environment variables or a secrets manager (e.g., AWS Secrets Manager, HashiCorp Vault). ' +
+    'Add the file to .gitignore if it contains environment configuration. / ' +
+    '立即從原始碼中移除密鑰。輪換已洩露的憑證。' +
+    '將密鑰儲存在環境變數或密鑰管理員中（如 AWS Secrets Manager、HashiCorp Vault）。' +
+    '如果檔案包含環境設定，請將其加入 .gitignore。';
+/**
+ * Determine if a file should be scanned based on its name and extension
+ * 根據檔案名稱和副檔名決定是否應掃描
+ *
+ * @param fileName - File name to check / 要檢查的檔案名稱
+ * @returns True if the file should be scanned / 若應掃描則為 true
+ */
+function shouldScanFile(fileName) {
+    // Always scan .env files and variants
+    // 始終掃描 .env 檔案及其變體
+    if (/^\.env(\.|$)/.test(fileName))
+        return true;
+    const ext = path.extname(fileName).toLowerCase();
+    return SCANNABLE_EXTENSIONS.has(ext);
+}
+/**
+ * Recursively collect all files that should be scanned for secrets
+ * 遞迴收集所有應掃描密鑰的檔案
+ *
+ * @param dir - Directory to walk / 要遍歷的目錄
+ * @returns Array of absolute file paths / 絕對檔案路徑陣列
+ */
+async function collectFilesForSecretScan(dir) {
+    const files = [];
+    async function walk(current) {
+        let entries;
+        try {
+            entries = await fs.readdir(current, { withFileTypes: true, encoding: 'utf-8' });
+        }
+        catch (err) {
+            logger.debug(`Cannot read directory: ${current}`, {
+                error: err instanceof Error ? err.message : String(err),
+            });
+            return;
+        }
+        for (const entry of entries) {
+            const fullPath = path.join(current, entry.name);
+            if (entry.isDirectory()) {
+                if (SKIP_DIRS.has(entry.name)) {
+                    logger.debug(`Skipping directory: ${fullPath}`);
+                    continue;
+                }
+                await walk(fullPath);
+            }
+            else if (entry.isFile()) {
+                if (!shouldScanFile(entry.name))
+                    continue;
+                try {
+                    const stat = await fs.stat(fullPath);
+                    if (stat.size > MAX_FILE_SIZE_BYTES) {
+                        logger.debug(`Skipping large file (${stat.size} bytes): ${fullPath}`);
+                        continue;
+                    }
+                    files.push(fullPath);
+                }
+                catch {
+                    logger.debug(`Cannot stat file: ${fullPath}`);
+                }
+            }
+        }
+    }
+    await walk(dir);
+    return files;
+}
+/**
+ * Scan a single file for hardcoded secrets
+ * 掃描單個檔案中的硬編碼密鑰
+ *
+ * @param filePath - Absolute path to the file / 檔案的絕對路徑
+ * @param content - File content / 檔案內容
+ * @returns Array of secret findings / 密鑰發現陣列
+ */
+function scanFileForSecrets(filePath, content) {
+    const findings = [];
+    const seen = new Set();
+    for (const secretPattern of SECRET_PATTERNS) {
+        // Reset lastIndex for global regexes
+        // 重置全域正規表示式的 lastIndex
+        secretPattern.pattern.lastIndex = 0;
+        let match;
+        while ((match = secretPattern.pattern.exec(content)) !== null) {
+            const lineNum = content.slice(0, match.index).split('\n').length;
+            const matchedSnippet = match[0].slice(0, 40);
+            const dedupeKey = `${secretPattern.id}:${filePath}:${lineNum}`;
+            if (seen.has(dedupeKey))
+                continue;
+            seen.add(dedupeKey);
+            findings.push({
+                id: `${secretPattern.id}-${lineNum}`,
+                title: secretPattern.title,
+                description: `${secretPattern.description}\n\n` +
+                    `File: ${filePath}, Line: ${lineNum}\n` +
+                    `Found: ${matchedSnippet}${match[0].length > 40 ? '...' : ''}`,
+                severity: 'critical',
+                category: 'secrets',
+                remediation: SECRETS_REMEDIATION,
+                complianceRef: '4.5',
+                details: `${filePath}:${lineNum}`,
+            });
+            // For non-global patterns, break after first match per file
+            // 對於非全域模式，每個檔案匹配到第一個後中斷
+            if (!secretPattern.pattern.flags.includes('g'))
+                break;
+        }
+        // Reset lastIndex after each file
+        // 每個檔案後重置 lastIndex
+        secretPattern.pattern.lastIndex = 0;
+    }
+    return findings;
+}
+/**
+ * Scan source code directory for hardcoded secrets
+ * 掃描原始碼目錄中的硬編碼密鑰
+ *
+ * Detects common secret patterns including:
+ * - AWS Access Key IDs
+ * - GitHub tokens (ghp_, gho_, ghs_, ghr_ prefixes)
+ * - Slack tokens (xox[pboa]-)
+ * - Stripe live keys (sk_live_, pk_live_)
+ * - Bearer tokens in hardcoded strings
+ * - Private key headers (RSA, EC, etc.)
+ * - Database connection strings with credentials
+ * - Generic API keys in environment files
+ *
+ * 偵測常見的密鑰模式包括：
+ * - AWS 存取金鑰 ID
+ * - GitHub 令牌（ghp_、gho_、ghs_、ghr_ 前綴）
+ * - Slack 令牌（xox[pboa]-）
+ * - Stripe 正式金鑰（sk_live_、pk_live_）
+ * - 硬編碼字串中的 Bearer 令牌
+ * - 私鑰標頭（RSA、EC 等）
+ * - 含憑證的資料庫連線字串
+ * - 環境檔案中的通用 API 金鑰
+ *
+ * @param targetDir - Source code directory to scan / 要掃描的原始碼目錄
+ * @returns Array of secret findings / 密鑰發現陣列
+ */
+export async function checkHardcodedSecrets(targetDir) {
+    // Validate targetDir exists
+    // 驗證 targetDir 存在
+    try {
+        const stat = await fs.stat(targetDir);
+        if (!stat.isDirectory()) {
+            logger.warn(`Target path is not a directory: ${targetDir}`);
+            return [];
+        }
+    }
+    catch (err) {
+        logger.warn(`Target directory does not exist or is not accessible: ${targetDir}`, {
+            error: err instanceof Error ? err.message : String(err),
+        });
+        return [];
+    }
+    const resolvedDir = path.resolve(targetDir);
+    logger.info('Starting hardcoded secrets scan', { targetDir: resolvedDir });
+    const files = await collectFilesForSecretScan(resolvedDir);
+    logger.info(`Secrets scanner: found ${files.length} file(s) to scan`);
+    const allFindings = [];
+    for (const filePath of files) {
+        try {
+            const content = await fs.readFile(filePath, 'utf-8');
+            const findings = scanFileForSecrets(filePath, content);
+            if (findings.length > 0) {
+                logger.info(`Found ${findings.length} secret(s) in: ${filePath}`);
+                allFindings.push(...findings);
+            }
+        }
+        catch (err) {
+            logger.debug(`Cannot read file: ${filePath}`, {
+                error: err instanceof Error ? err.message : String(err),
+            });
+        }
+    }
+    logger.info(`Secrets scan complete: ${allFindings.length} finding(s)`);
+    return allFindings;
+}
+//# sourceMappingURL=secrets-checker.js.map