@rafter-security/cli 0.1.0 → 0.4.0

package/dist/scanners/secret-patterns.js

@@ -0,0 +1,155 @@
+/**
+ * Default secret detection patterns
+ * Based on common secret formats and Gitleaks rules
+ */
+export const DEFAULT_SECRET_PATTERNS = [
+    // AWS
+    {
+        name: "AWS Access Key ID",
+        regex: "(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}",
+        severity: "critical",
+        description: "AWS Access Key ID detected"
+    },
+    {
+        name: "AWS Secret Access Key",
+        regex: "(?i)aws(.{0,20})?['\"][0-9a-zA-Z\\/+]{40}['\"]",
+        severity: "critical",
+        description: "AWS Secret Access Key detected"
+    },
+    // GitHub
+    {
+        name: "GitHub Personal Access Token",
+        regex: "ghp_[0-9a-zA-Z]{36}",
+        severity: "critical",
+        description: "GitHub Personal Access Token detected"
+    },
+    {
+        name: "GitHub OAuth Token",
+        regex: "gho_[0-9a-zA-Z]{36}",
+        severity: "critical",
+        description: "GitHub OAuth Token detected"
+    },
+    {
+        name: "GitHub App Token",
+        regex: "(ghu|ghs)_[0-9a-zA-Z]{36}",
+        severity: "critical",
+        description: "GitHub App Token detected"
+    },
+    {
+        name: "GitHub Refresh Token",
+        regex: "ghr_[0-9a-zA-Z]{76}",
+        severity: "critical",
+        description: "GitHub Refresh Token detected"
+    },
+    // Google
+    {
+        name: "Google API Key",
+        regex: "AIza[0-9A-Za-z\\-_]{35}",
+        severity: "critical",
+        description: "Google API Key detected"
+    },
+    {
+        name: "Google OAuth",
+        regex: "[0-9]+-[0-9A-Za-z_]{32}\\.apps\\.googleusercontent\\.com",
+        severity: "critical",
+        description: "Google OAuth Client ID detected"
+    },
+    // Slack
+    {
+        name: "Slack Token",
+        regex: "xox[baprs]-([0-9a-zA-Z]{10,48})",
+        severity: "critical",
+        description: "Slack Token detected"
+    },
+    {
+        name: "Slack Webhook",
+        regex: "https://hooks\\.slack\\.com/services/T[a-zA-Z0-9_]{8}/B[a-zA-Z0-9_]{8}/[a-zA-Z0-9_]{24}",
+        severity: "high",
+        description: "Slack Webhook URL detected"
+    },
+    // Stripe
+    {
+        name: "Stripe API Key",
+        regex: "(?i)sk_live_[0-9a-zA-Z]{24}",
+        severity: "critical",
+        description: "Stripe Live API Key detected"
+    },
+    {
+        name: "Stripe Restricted API Key",
+        regex: "(?i)rk_live_[0-9a-zA-Z]{24}",
+        severity: "critical",
+        description: "Stripe Restricted API Key detected"
+    },
+    // Twilio
+    {
+        name: "Twilio API Key",
+        regex: "SK[0-9a-fA-F]{32}",
+        severity: "critical",
+        description: "Twilio API Key detected"
+    },
+    // Generic patterns
+    {
+        name: "Generic API Key",
+        regex: "(?i)(api[_-]?key|apikey)[\\s]*[:=][\\s]*['\"]?[0-9a-zA-Z\\-_]{16,}['\"]?",
+        severity: "high",
+        description: "Generic API key pattern detected"
+    },
+    {
+        name: "Generic Secret",
+        regex: "(?i)(secret|password|passwd|pwd)[\\s]*[:=][\\s]*['\"]?[0-9a-zA-Z\\-_!@#$%^&*()]{8,}['\"]?",
+        severity: "high",
+        description: "Generic secret pattern detected"
+    },
+    {
+        name: "Private Key",
+        regex: "-----BEGIN (RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----",
+        severity: "critical",
+        description: "Private key detected"
+    },
+    {
+        name: "Bearer Token",
+        regex: "(?i)bearer[\\s]+[a-zA-Z0-9\\-_\\.=]+",
+        severity: "high",
+        description: "Bearer token detected"
+    },
+    // Database connection strings
+    {
+        name: "Database Connection String",
+        regex: "(?i)(postgres|mysql|mongodb)://[^\\s]+:[^\\s]+@[^\\s]+",
+        severity: "critical",
+        description: "Database connection string with credentials detected"
+    },
+    // JWT
+    {
+        name: "JSON Web Token",
+        regex: "eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}",
+        severity: "high",
+        description: "JWT token detected"
+    },
+    // npm token
+    {
+        name: "npm Access Token",
+        regex: "npm_[A-Za-z0-9]{36}",
+        severity: "critical",
+        description: "npm access token detected"
+    },
+    // PyPI token
+    {
+        name: "PyPI Token",
+        regex: "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\\-_]{50,}",
+        severity: "critical",
+        description: "PyPI API token detected"
+    }
+];
+/**
+ * Get patterns by severity level
+ */
+export function getPatternsBySeverity(severity) {
+    return DEFAULT_SECRET_PATTERNS.filter(p => p.severity === severity);
+}
+/**
+ * Get all critical patterns
+ */
+export function getCriticalPatterns() {
+    return getPatternsBySeverity("critical");
+}

package/dist/utils/api.js

@@ -0,0 +1,20 @@
+export const API = "https://rafter.so/api/";
+// Exit codes
+export const EXIT_SUCCESS = 0;
+export const EXIT_GENERAL_ERROR = 1;
+export const EXIT_SCAN_NOT_FOUND = 2;
+export const EXIT_QUOTA_EXHAUSTED = 3;
+export function resolveKey(cliKey) {
+    if (cliKey)
+        return cliKey;
+    if (process.env.RAFTER_API_KEY)
+        return process.env.RAFTER_API_KEY;
+    console.error("No API key provided. Use --api-key or set RAFTER_API_KEY");
+    process.exit(EXIT_GENERAL_ERROR);
+}
+export function writePayload(data, fmt, quiet) {
+    const payload = fmt === "md" && data.markdown ? data.markdown : JSON.stringify(data, null, quiet ? 0 : 2);
+    // Stream to stdout for pipelines
+    process.stdout.write(payload);
+    return EXIT_SUCCESS;
+}

package/dist/utils/binary-manager.js

@@ -0,0 +1,243 @@
+import fs from "fs";
+import path from "path";
+import https from "https";
+import { exec } from "child_process";
+import { promisify } from "util";
+import { getBinDir } from "../core/config-defaults.js";
+import * as tar from "tar";
+const execAsync = promisify(exec);
+const GITLEAKS_VERSION = "8.18.2";
+export class BinaryManager {
+    constructor() {
+        this.binDir = getBinDir();
+    }
+    /**
+     * Check if current platform is supported
+     */
+    isPlatformSupported() {
+        const platform = process.platform;
+        const arch = process.arch;
+        // Supported platforms
+        const supported = [
+            "darwin-x64",
+            "darwin-arm64",
+            "linux-x64",
+            "linux-arm64",
+            "win32-x64"
+        ];
+        return supported.includes(`${platform}-${arch}`);
+    }
+    /**
+     * Get platform info for display
+     */
+    getPlatformInfo() {
+        return {
+            platform: process.platform,
+            arch: process.arch,
+            supported: this.isPlatformSupported()
+        };
+    }
+    /**
+     * Get Gitleaks binary path
+     */
+    getGitleaksPath() {
+        const platform = process.platform;
+        const ext = platform === "win32" ? ".exe" : "";
+        return path.join(this.binDir, `gitleaks${ext}`);
+    }
+    /**
+     * Check if Gitleaks is installed
+     */
+    isGitleaksInstalled() {
+        const gitleaksPath = this.getGitleaksPath();
+        return fs.existsSync(gitleaksPath);
+    }
+    /**
+     * Verify Gitleaks binary works
+     */
+    async verifyGitleaks() {
+        if (!this.isGitleaksInstalled()) {
+            return false;
+        }
+        try {
+            const { stdout } = await execAsync(`"${this.getGitleaksPath()}" version`, {
+                timeout: 5000
+            });
+            return stdout.includes("gitleaks version");
+        }
+        catch {
+            return false;
+        }
+    }
+    /**
+     * Download and install Gitleaks
+     */
+    async downloadGitleaks(onProgress) {
+        const log = onProgress || (() => { });
+        // Check platform support
+        if (!this.isPlatformSupported()) {
+            throw new Error(`Gitleaks not available for ${process.platform}/${process.arch}`);
+        }
+        // Ensure bin directory exists
+        if (!fs.existsSync(this.binDir)) {
+            fs.mkdirSync(this.binDir, { recursive: true });
+        }
+        const platform = this.getPlatformString();
+        const arch = this.getArchString();
+        const url = this.getDownloadUrl(platform, arch);
+        log(`Downloading Gitleaks v${GITLEAKS_VERSION} for ${platform}/${arch}...`);
+        const archivePath = path.join(this.binDir, platform === "windows" ? "gitleaks.zip" : "gitleaks.tar.gz");
+        try {
+            // Download archive
+            await this.downloadFile(url, archivePath, log);
+            // Extract binary
+            log("Extracting binary...");
+            if (platform === "windows") {
+                // For Windows, we'd need unzip - for now just error
+                throw new Error("Windows support coming soon");
+            }
+            else {
+                await this.extractTarball(archivePath);
+            }
+            // Make executable (Unix systems)
+            if (process.platform !== "win32") {
+                await execAsync(`chmod +x "${this.getGitleaksPath()}"`);
+            }
+            // Verify it works
+            const works = await this.verifyGitleaks();
+            if (!works) {
+                throw new Error("Downloaded binary doesn't execute correctly");
+            }
+            // Clean up archive
+            if (fs.existsSync(archivePath)) {
+                fs.unlinkSync(archivePath);
+            }
+            log("✓ Gitleaks installed successfully");
+        }
+        catch (e) {
+            // Clean up on failure
+            if (fs.existsSync(archivePath)) {
+                fs.unlinkSync(archivePath);
+            }
+            const gitleaksPath = this.getGitleaksPath();
+            if (fs.existsSync(gitleaksPath)) {
+                fs.unlinkSync(gitleaksPath);
+            }
+            throw e;
+        }
+    }
+    /**
+     * Get Gitleaks version
+     */
+    async getGitleaksVersion() {
+        if (!this.isGitleaksInstalled()) {
+            return "not installed";
+        }
+        try {
+            const { stdout } = await execAsync(`"${this.getGitleaksPath()}" version`);
+            return stdout.trim();
+        }
+        catch {
+            return "unknown";
+        }
+    }
+    /**
+     * Get platform string for download URL
+     */
+    getPlatformString() {
+        const platform = process.platform;
+        if (platform === "darwin")
+            return "darwin";
+        if (platform === "win32")
+            return "windows";
+        if (platform === "linux")
+            return "linux";
+        throw new Error(`Unsupported platform: ${platform}`);
+    }
+    /**
+     * Get architecture string for download URL
+     */
+    getArchString() {
+        const arch = process.arch;
+        if (arch === "x64")
+            return "x64";
+        if (arch === "arm64")
+            return "arm64";
+        throw new Error(`Unsupported architecture: ${arch}`);
+    }
+    /**
+     * Get download URL for platform/arch
+     */
+    getDownloadUrl(platform, arch) {
+        const baseUrl = `https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}`;
+        if (platform === "windows") {
+            return `${baseUrl}/gitleaks_${GITLEAKS_VERSION}_windows_${arch}.zip`;
+        }
+        else {
+            return `${baseUrl}/gitleaks_${GITLEAKS_VERSION}_${platform}_${arch}.tar.gz`;
+        }
+    }
+    /**
+     * Download file from URL
+     */
+    downloadFile(url, dest, onProgress) {
+        return new Promise((resolve, reject) => {
+            const file = fs.createWriteStream(dest);
+            https.get(url, (response) => {
+                // Follow redirects
+                if (response.statusCode === 302 || response.statusCode === 301) {
+                    const redirectUrl = response.headers.location;
+                    if (!redirectUrl) {
+                        reject(new Error("Redirect without location"));
+                        return;
+                    }
+                    file.close();
+                    fs.unlinkSync(dest);
+                    this.downloadFile(redirectUrl, dest, onProgress).then(resolve).catch(reject);
+                    return;
+                }
+                if (response.statusCode !== 200) {
+                    reject(new Error(`Download failed: ${response.statusCode}`));
+                    return;
+                }
+                const totalBytes = parseInt(response.headers["content-length"] || "0", 10);
+                let downloadedBytes = 0;
+                let lastPercent = 0;
+                response.on("data", (chunk) => {
+                    downloadedBytes += chunk.length;
+                    if (totalBytes > 0) {
+                        const percent = Math.round((downloadedBytes / totalBytes) * 100);
+                        if (percent > lastPercent && percent % 10 === 0) {
+                            onProgress(`Downloading... ${percent}%`);
+                            lastPercent = percent;
+                        }
+                    }
+                });
+                response.pipe(file);
+                file.on("finish", () => {
+                    file.close();
+                    resolve();
+                });
+                file.on("error", (err) => {
+                    fs.unlinkSync(dest);
+                    reject(err);
+                });
+            }).on("error", (err) => {
+                if (fs.existsSync(dest)) {
+                    fs.unlinkSync(dest);
+                }
+                reject(err);
+            });
+        });
+    }
+    /**
+     * Extract tarball
+     */
+    async extractTarball(tarballPath) {
+        await tar.extract({
+            file: tarballPath,
+            cwd: this.binDir,
+            strip: 0
+        });
+    }
+}

package/dist/utils/git.js

@@ -0,0 +1,52 @@
+import { execSync } from "child_process";
+export function git(cmd) {
+    return execSync(`git ${cmd}`, { stdio: ["ignore", "pipe", "ignore"] })
+        .toString()
+        .trim();
+}
+export function safeBranch(gitFn) {
+    try {
+        return gitFn("symbolic-ref --quiet --short HEAD");
+    }
+    catch {
+        return gitFn("rev-parse --short HEAD");
+    }
+}
+export function parseRemote(url) {
+    url = url.replace(/^(https?:\/\/|git@)/, "").replace(":", "/");
+    if (url.endsWith(".git"))
+        url = url.slice(0, -4);
+    const parts = url.split("/");
+    return parts.slice(-2).join("/"); // owner/repo
+}
+export function detectRepo(opts) {
+    if (opts.repo && opts.branch)
+        return opts;
+    const repoEnv = process.env.GITHUB_REPOSITORY || process.env.CI_REPOSITORY;
+    const branchEnv = process.env.GITHUB_REF_NAME || process.env.CI_COMMIT_BRANCH || process.env.CI_BRANCH;
+    let repoSlug = opts.repo || repoEnv;
+    let branch = opts.branch || branchEnv;
+    try {
+        if (!repoSlug || !branch) {
+            if (git("rev-parse --is-inside-work-tree") !== "true")
+                throw new Error("not a repo");
+            if (!repoSlug)
+                repoSlug = parseRemote(git("remote get-url origin"));
+            if (!branch) {
+                try {
+                    branch = safeBranch(git);
+                }
+                catch {
+                    branch = "main";
+                }
+            }
+        }
+        if ((!opts.repo || !opts.branch) && !opts.quiet) {
+            console.error(`Repo auto-detected: ${repoSlug} @ ${branch} (note: scanning remote)`);
+        }
+        return { repo: repoSlug, branch };
+    }
+    catch {
+        throw new Error("Could not auto-detect Git repository. Please pass --repo and --branch explicitly.");
+    }
+}