@rafter-security/cli 0.5.3 → 0.5.5

package/dist/utils/binary-manager.js

@@ -1,4 +1,5 @@
 import fs from "fs";
+import os from "os";
 import path from "path";
 import https from "https";
 import { exec, execSync } from "child_process";
@@ -6,7 +7,7 @@ import { promisify } from "util";
 import { getBinDir } from "../core/config-defaults.js";
 import * as tar from "tar";
 const execAsync = promisify(exec);
-const GITLEAKS_VERSION = "8.18.2";
+export const GITLEAKS_VERSION = "8.18.2";
 export class BinaryManager {
     constructor() {
         this.binDir = getBinDir();
@@ -145,9 +146,11 @@ export class BinaryManager {
         return lines.join("\n");
     }
     /**
-     * Download and install Gitleaks
+     * Download and install Gitleaks.
+     * @param onProgress  Optional progress callback.
+     * @param version     Gitleaks version to install (defaults to GITLEAKS_VERSION).
      */
-    async downloadGitleaks(onProgress) {
+    async downloadGitleaks(onProgress, version = GITLEAKS_VERSION) {
         const log = onProgress || (() => { });
         // Check platform support
         if (!this.isPlatformSupported()) {
@@ -159,8 +162,8 @@ export class BinaryManager {
         }
         const platform = this.getPlatformString();
         const arch = this.getArchString();
-        const url = this.getDownloadUrl(platform, arch);
-        log(`Downloading Gitleaks v${GITLEAKS_VERSION} for ${platform}/${arch}...`);
+        const url = this.getDownloadUrl(platform, arch, version);
+        log(`Downloading Gitleaks v${version} for ${platform}/${arch}...`);
         log(`  URL: ${url}`);
         const archivePath = path.join(this.binDir, platform === "windows" ? "gitleaks.zip" : "gitleaks.tar.gz");
         try {
@@ -172,8 +175,7 @@ export class BinaryManager {
             // Extract binary
             log("Extracting binary...");
             if (platform === "windows") {
-                // For Windows, we'd need unzip - for now just error
-                throw new Error("Windows support coming soon");
+                await this.extractZip(archivePath);
             }
             else {
                 await this.extractTarball(archivePath);
@@ -255,15 +257,15 @@ export class BinaryManager {
         throw new Error(`Unsupported architecture: ${arch}`);
     }
     /**
-     * Get download URL for platform/arch
+     * Get download URL for platform/arch/version
      */
-    getDownloadUrl(platform, arch) {
-        const baseUrl = `https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}`;
+    getDownloadUrl(platform, arch, version = GITLEAKS_VERSION) {
+        const baseUrl = `https://github.com/gitleaks/gitleaks/releases/download/v${version}`;
         if (platform === "windows") {
-            return `${baseUrl}/gitleaks_${GITLEAKS_VERSION}_windows_${arch}.zip`;
+            return `${baseUrl}/gitleaks_${version}_windows_${arch}.zip`;
         }
         else {
-            return `${baseUrl}/gitleaks_${GITLEAKS_VERSION}_${platform}_${arch}.tar.gz`;
+            return `${baseUrl}/gitleaks_${version}_${platform}_${arch}.tar.gz`;
         }
     }
     /**
@@ -320,13 +322,49 @@ export class BinaryManager {
         });
     }
     /**
-     * Extract tarball — binary only, strip packaging extras (LICENSE, README.md)
+     * Extract zip (Windows) — uses PowerShell's Expand-Archive, then copies
+     * only the gitleaks.exe binary to binDir. Cleans up the temp extract dir.
+     */
+    async extractZip(zipPath) {
+        const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "rafter-gitleaks-"));
+        try {
+            // PowerShell 5+ ships on all supported Windows versions
+            await execAsync(`powershell -NoProfile -Command "Expand-Archive -Force -LiteralPath '${zipPath}' -DestinationPath '${tempDir}'"`, { timeout: 30000 });
+            // Find gitleaks.exe — may be at root or inside a subdirectory
+            const findBinary = (dir) => {
+                for (const entry of fs.readdirSync(dir)) {
+                    const full = path.join(dir, entry);
+                    if (entry === "gitleaks.exe")
+                        return full;
+                    if (fs.statSync(full).isDirectory()) {
+                        const found = findBinary(full);
+                        if (found)
+                            return found;
+                    }
+                }
+                return null;
+            };
+            const found = findBinary(tempDir);
+            if (!found)
+                throw new Error("gitleaks.exe not found in archive");
+            fs.copyFileSync(found, path.join(this.binDir, "gitleaks.exe"));
+        }
+        finally {
+            fs.rmSync(tempDir, { recursive: true, force: true });
+        }
+    }
+    /**
+     * Extract tarball — binary only, strip packaging extras (LICENSE, README.md).
+     *
+     * The gitleaks release tarball has all files at the archive root (no top-level
+     * directory), so strip: 0 (the default). With strip: 1, node-tar reduces the
+     * single-component paths to empty strings; the filter never matches "gitleaks"
+     * and nothing is extracted. The filter alone is sufficient.
      */
     async extractTarball(tarballPath) {
         await tar.extract({
             file: tarballPath,
             cwd: this.binDir,
-            strip: 1,
             filter: (p) => {
                 const base = path.basename(p);
                 return base === "gitleaks" || base === "gitleaks.exe";

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rafter-security/cli",
-  "version": "0.5.3",
+  "version": "0.5.5",
   "type": "module",
   "bin": {
     "rafter": "./dist/index.js"

package/resources/pre-push-hook.sh

@@ -0,0 +1,60 @@
+#!/bin/bash
+# Rafter Security Pre-Push Hook
+# Scans commits being pushed for secrets
+
+# Colors for output
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m' # No Color
+
+# Check if rafter is installed
+if ! command -v rafter &> /dev/null; then
+    echo -e "${YELLOW}⚠️  Warning: rafter CLI not found in PATH${NC}"
+    echo "   Install: npm install -g @rafter-security/cli"
+    echo "   Skipping secret scan..."
+    exit 0
+fi
+
+ZERO_SHA="0000000000000000000000000000000000000000"
+FOUND_SECRETS=0
+
+while read local_ref local_sha remote_ref remote_sha; do
+    # Skip branch deletions
+    if [ "$local_sha" = "$ZERO_SHA" ]; then
+        continue
+    fi
+
+    if [ "$remote_sha" = "$ZERO_SHA" ]; then
+        # New branch — scan all commits on this branch not on any remote branch
+        ref_arg=$(git rev-list --max-parents=0 "$local_sha" 2>/dev/null | head -1)
+        if [ -z "$ref_arg" ]; then
+            ref_arg="$local_sha^"
+        fi
+    else
+        # Existing branch — scan only new commits
+        ref_arg="$remote_sha"
+    fi
+
+    echo "🔍 Rafter: Scanning commits being pushed ($local_ref)..."
+
+    rafter agent scan --diff "$ref_arg" --quiet
+    EXIT_CODE=$?
+
+    if [ $EXIT_CODE -ne 0 ]; then
+        FOUND_SECRETS=1
+    fi
+done
+
+if [ $FOUND_SECRETS -ne 0 ]; then
+    echo -e "${RED}❌ Push blocked: Secrets detected in commits being pushed${NC}"
+    echo ""
+    echo "   Run: rafter agent scan --diff <remote-sha>"
+    echo "   To see details and remediate."
+    echo ""
+    echo "   To bypass (NOT recommended): git push --no-verify"
+    exit 1
+fi
+
+echo -e "${GREEN}✓ No secrets detected${NC}"
+exit 0