@rafter-security/cli 0.5.9 → 0.6.3

package/dist/index.js

@@ -14,12 +14,15 @@ import { createCompletionCommand } from "./commands/completion.js";
 import { createIssuesCommand } from "./commands/issues/index.js";
 import { checkForUpdate } from "./utils/update-checker.js";
 import { setAgentMode } from "./utils/formatter.js";
+import { createRequire } from "module";
 dotenv.config();
-const VERSION = "0.5.7";
+const require = createRequire(import.meta.url);
+const { version: VERSION } = require("../package.json");
 const program = new Command()
     .name("rafter")
     .description("Rafter CLI")
     .version(VERSION)
+    .enablePositionalOptions()
     .option("-a, --agent", "Plain output for AI agents (no colors/emoji)");
 // Set agent mode before any subcommand runs
 program.hook("preAction", (thisCommand) => {

package/dist/scanners/gitleaks.js

@@ -1,5 +1,6 @@
 import { execFile } from "child_process";
 import { promisify } from "util";
+import { randomBytes } from "crypto";
 import { BinaryManager } from "../utils/binary-manager.js";
 import fs from "fs";
 import os from "os";
@@ -26,7 +27,7 @@ export class GitleaksScanner {
             throw new Error("Gitleaks not available");
         }
         const gitleaksPath = this.binaryManager.getGitleaksPath();
-        const tmpReport = path.join(os.tmpdir(), `gitleaks-${Date.now()}-${Math.random().toString(36).slice(2, 8)}.json`);
+        const tmpReport = path.join(os.tmpdir(), `gitleaks-${Date.now()}-${randomBytes(6).toString("hex")}.json`);
         try {
             // Run gitleaks detect on file
             await execFileAsync(gitleaksPath, ["detect", "--no-git", "-f", "json", "-r", tmpReport, "-s", filePath], { timeout: 30000 });
@@ -86,7 +87,7 @@ export class GitleaksScanner {
             throw new Error("Gitleaks not available");
         }
         const gitleaksPath = this.binaryManager.getGitleaksPath();
-        const tmpReport = path.join(os.tmpdir(), `gitleaks-${Date.now()}-${Math.random().toString(36).slice(2, 8)}.json`);
+        const tmpReport = path.join(os.tmpdir(), `gitleaks-${Date.now()}-${randomBytes(6).toString("hex")}.json`);
         try {
             // Run gitleaks detect on directory
             await execFileAsync(gitleaksPath, ["detect", "--no-git", "-f", "json", "-r", tmpReport, "-s", dirPath], { timeout: 60000 });

package/dist/scanners/regex-scanner.js

@@ -112,6 +112,10 @@ export class RegexScanner {
         try {
             const entries = fs.readdirSync(dir, { withFileTypes: true });
             for (const entry of entries) {
+                // Skip symlinks to prevent traversal outside intended scope
+                if (entry.isSymbolicLink()) {
+                    continue;
+                }
                 const fullPath = path.join(dir, entry.name);
                 // Skip excluded directories
                 if (exclude.includes(entry.name)) {

package/dist/scanners/secret-patterns.js

@@ -90,13 +90,13 @@ export const DEFAULT_SECRET_PATTERNS = [
     // Generic patterns
     {
         name: "Generic API Key",
-        regex: "(?i)(?<![a-zA-Z0-9_])(api[_-]?key|apikey)[\\s]*[:=][\\s]*['\"](?=[0-9a-zA-Z\\-_]*[0-9])[0-9a-zA-Z\\-_]{16,}['\"]",
+        regex: "(?i)(?<![a-zA-Z0-9_])(api[_-]?key|apikey)[\\s]*[:=][\\s]*['\"](?=[0-9a-zA-Z\\-_]*[0-9])[0-9a-zA-Z\\-_]{16,256}['\"]",
         severity: "high",
         description: "Generic API key pattern detected"
     },
     {
         name: "Generic Secret",
-        regex: "(?i)(?<![a-zA-Z0-9_])(secret|password|passwd|pwd)[\\s]*[:=][\\s]*['\"](?=[^\\s'\"]*[0-9])(?=[^\\s'\"]*[a-zA-Z])[0-9a-zA-Z\\-_!@#$%^&*()]{12,}['\"]",
+        regex: "(?i)(?<![a-zA-Z0-9_])(secret|password|passwd|pwd)[\\s]*[:=][\\s]*['\"](?=[^\\s'\"]*[0-9])(?=[^\\s'\"]*[a-zA-Z])[0-9a-zA-Z\\-_!@#$%^&*()]{12,256}['\"]",
         severity: "high",
         description: "Generic secret pattern detected"
     },
@@ -108,21 +108,21 @@ export const DEFAULT_SECRET_PATTERNS = [
     },
     {
         name: "Bearer Token",
-        regex: "(?i)bearer[\\s]+(?=[a-zA-Z0-9\\-_\\.=]*[0-9])(?=[a-zA-Z0-9\\-_\\.=]*[a-zA-Z])[a-zA-Z0-9\\-_\\.=]{20,}",
+        regex: "(?i)bearer[\\s]+(?=[a-zA-Z0-9\\-_\\.=]*[0-9])(?=[a-zA-Z0-9\\-_\\.=]*[a-zA-Z])[a-zA-Z0-9\\-_\\.=]{20,512}",
         severity: "high",
         description: "Bearer token detected"
     },
     // Database connection strings
     {
         name: "Database Connection String",
-        regex: "(?i)(postgres|mysql|mongodb)://[^\\s]+:[^\\s]+@[^\\s]+",
+        regex: "(?i)(postgres|mysql|mongodb)://[^\\s:@]+:[^\\s@]+@[^\\s]+",
         severity: "critical",
         description: "Database connection string with credentials detected"
     },
     // JWT
     {
         name: "JSON Web Token",
-        regex: "eyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9_-]{10,}",
+        regex: "eyJ[A-Za-z0-9_-]{10,2048}\\.[A-Za-z0-9_-]{10,2048}\\.[A-Za-z0-9_-]{10,2048}",
         severity: "high",
         description: "JWT token detected"
     },
@@ -136,7 +136,7 @@ export const DEFAULT_SECRET_PATTERNS = [
     // PyPI token
     {
         name: "PyPI Token",
-        regex: "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\\-_]{50,}",
+        regex: "pypi-AgEIcHlwaS5vcmc[A-Za-z0-9\\-_]{50,1024}",
         severity: "critical",
         description: "PyPI API token detected"
     }

package/dist/utils/api.js

@@ -4,6 +4,24 @@ export const EXIT_SUCCESS = 0;
 export const EXIT_GENERAL_ERROR = 1;
 export const EXIT_SCAN_NOT_FOUND = 2;
 export const EXIT_QUOTA_EXHAUSTED = 3;
+export const EXIT_INSUFFICIENT_SCOPE = 4;
+/**
+ * Detect a 403 scope-enforcement error from the API and print a helpful message.
+ * Returns true if the error was a scope error (caller should exit), false otherwise.
+ */
+export function handleScopeError(e) {
+    if (!e || e.response?.status !== 403)
+        return false;
+    const body = e.response?.data;
+    const msg = typeof body === "string" ? body : body?.error ?? "";
+    if (msg.includes("scope")) {
+        console.error('Error: This API key only has read access.\nTo trigger scans, create a key with "Read & Scan" scope at https://rfrr.co/account');
+    }
+    else {
+        console.error(`Error: Forbidden (403) — ${msg || "access denied"}`);
+    }
+    return true;
+}
 export function resolveKey(cliKey) {
     if (cliKey)
         return cliKey;

package/dist/utils/binary-manager.js

@@ -1,6 +1,7 @@
 import fs from "fs";
 import os from "os";
 import path from "path";
+import crypto from "crypto";
 import https from "https";
 import { exec, execSync } from "child_process";
 import { promisify } from "util";
@@ -173,6 +174,10 @@ export class BinaryManager {
             // Log downloaded file size as basic integrity signal
             const stats = fs.statSync(archivePath);
             log(`  Downloaded: ${(stats.size / 1024).toFixed(1)} KB`);
+            // Verify SHA256 checksum against official checksums file
+            log("Verifying checksum...");
+            await this.verifyChecksum(archivePath, platform, arch, version, log);
+            log("  ✓ Checksum verified");
             // Extract binary
             log("Extracting binary...");
             if (platform === "windows") {
@@ -322,6 +327,64 @@ export class BinaryManager {
             });
         });
     }
+    /**
+     * Verify downloaded archive checksum against official gitleaks checksums file.
+     */
+    async verifyChecksum(archivePath, platform, arch, version, onProgress) {
+        const checksumsUrl = `https://github.com/gitleaks/gitleaks/releases/download/v${version}/gitleaks_${version}_checksums.txt`;
+        const checksumsPath = path.join(this.binDir, "checksums.txt");
+        try {
+            await this.downloadFile(checksumsUrl, checksumsPath, () => { });
+            const checksumsContent = fs.readFileSync(checksumsPath, "utf-8");
+            const archiveFilename = platform === "windows"
+                ? `gitleaks_${version}_windows_${arch}.zip`
+                : `gitleaks_${version}_${platform}_${arch}.tar.gz`;
+            const expectedHash = this.parseChecksumFile(checksumsContent, archiveFilename);
+            if (!expectedHash) {
+                throw new Error(`Checksum not found for ${archiveFilename} in checksums file`);
+            }
+            const actualHash = await this.computeSHA256(archivePath);
+            if (actualHash !== expectedHash) {
+                throw new Error(`Checksum mismatch for ${archiveFilename}:\n` +
+                    `  Expected: ${expectedHash}\n` +
+                    `  Actual:   ${actualHash}\n` +
+                    `The downloaded file may be corrupted or tampered with.`);
+            }
+        }
+        finally {
+            if (fs.existsSync(checksumsPath)) {
+                fs.unlinkSync(checksumsPath);
+            }
+        }
+    }
+    /**
+     * Parse a checksums.txt file and return the SHA256 hash for the given filename.
+     */
+    parseChecksumFile(content, filename) {
+        for (const line of content.split("\n")) {
+            const trimmed = line.trim();
+            if (!trimmed)
+                continue;
+            // Format: "<sha256>  <filename>" (two spaces between hash and filename)
+            const parts = trimmed.split(/\s+/);
+            if (parts.length >= 2 && parts[1] === filename) {
+                return parts[0].toLowerCase();
+            }
+        }
+        return null;
+    }
+    /**
+     * Compute SHA256 hash of a file.
+     */
+    computeSHA256(filePath) {
+        return new Promise((resolve, reject) => {
+            const hash = crypto.createHash("sha256");
+            const stream = fs.createReadStream(filePath);
+            stream.on("data", (data) => hash.update(data));
+            stream.on("end", () => resolve(hash.digest("hex")));
+            stream.on("error", reject);
+        });
+    }
     /**
      * Extract zip (Windows) — uses PowerShell's Expand-Archive, then copies
      * only the gitleaks.exe binary to binDir. Cleans up the temp extract dir.
@@ -330,7 +393,10 @@ export class BinaryManager {
         const tempDir = fs.mkdtempSync(path.join(os.tmpdir(), "rafter-gitleaks-"));
         try {
             // PowerShell 5+ ships on all supported Windows versions
-            await execAsync(`powershell -NoProfile -Command "Expand-Archive -Force -LiteralPath '${zipPath}' -DestinationPath '${tempDir}'"`, { timeout: 30000 });
+            // Escape single quotes to prevent shell injection ('' is the PS escape for ')
+            const safeZipPath = zipPath.replace(/'/g, "''");
+            const safeTempDir = tempDir.replace(/'/g, "''");
+            await execAsync(`powershell -NoProfile -Command "Expand-Archive -Force -LiteralPath '${safeZipPath}' -DestinationPath '${safeTempDir}'"`, { timeout: 30000 });
             // Find gitleaks.exe — may be at root or inside a subdirectory
             const findBinary = (dir) => {
                 for (const entry of fs.readdirSync(dir)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@rafter-security/cli",
-  "version": "0.5.9",
+  "version": "0.6.3",
   "type": "module",
   "bin": {
     "rafter": "./dist/index.js"
@@ -20,14 +20,15 @@
   "license": "MIT",
   "dependencies": {
     "@modelcontextprotocol/sdk": "^1.12.0",
-    "axios": "^1.6.8",
+    "axios": "^1.13.5",
     "chalk": "^5.3.0",
     "chokidar": "^5.0.0",
     "commander": "^11.1.0",
     "dotenv": "^16.4.5",
     "js-yaml": "^4.1.0",
+    "minimatch": "^10.2.4",
     "ora": "^7.0.1",
-    "tar": "^7.5.7"
+    "tar": "^7.5.10"
   },
   "devDependencies": {
     "@types/js-yaml": "^4.0.9",

package/resources/skills/rafter/SKILL.md

@@ -0,0 +1,119 @@
+---
+name: rafter
+description: "Trigger Rafter backend security scans on GitHub repositories. Use when the user asks about SAST, code security analysis, vulnerability scanning, or wants to scan a repo for security issues before merging or deploying. Also use when starting new features or reviewing pull requests."
+version: 0.6.3
+allowed-tools: [Bash]
+---
+
+# Rafter Security Scanning
+
+Rafter provides automated security scanning for GitHub repositories via backend API.
+
+## Core Commands
+
+### Trigger a Security Scan
+
+```bash
+rafter run [--repo org/repo] [--branch branch-name]
+# or
+rafter scan [--repo org/repo] [--branch branch-name]
+```
+
+Triggers a comprehensive security scan on a repository. Auto-detects current repo and branch if in a git directory. (`scan` is an alias for `run`)
+
+**When to use:**
+- User asks: "Can you scan this code for security issues?"
+- Starting work on a new feature
+- Before merging a PR
+- After dependency updates
+- User mentions: security audit, vulnerability scan, SAST, code analysis
+
+**Example:**
+```bash
+# In a git repo
+rafter scan
+
+# Specific repo
+rafter scan --repo myorg/myrepo --branch main
+```
+
+### Get Scan Results
+
+```bash
+rafter get <scan-id>
+```
+
+Retrieves results from a completed or in-progress scan.
+
+**When to use:**
+- After triggering a scan with `rafter run`
+- User asks: "What were the results?" or "Did the scan finish?"
+- Checking on a scan's progress
+
+**Example:**
+```bash
+rafter get scan_abc123xyz
+```
+
+### Check API Usage
+
+```bash
+rafter usage
+```
+
+View your API quota and usage statistics.
+
+**When to use:**
+- User asks about remaining scans
+- Before triggering a scan to confirm quota
+- User mentions: quota, usage, limits, remaining scans
+
+## Configuration
+
+Rafter requires an API key. Set via:
+```bash
+export RAFTER_API_KEY="your-api-key-here"
+```
+
+Or create `.env` file:
+```bash
+echo "RAFTER_API_KEY=your-api-key-here" >> .env
+```
+
+## Common Workflows
+
+**Workflow 1: Quick Security Check**
+1. Trigger scan: `rafter run`
+2. Get results: `rafter get <scan-id>`
+3. Review findings and suggest fixes
+
+**Workflow 2: Pre-PR Review**
+1. Check quota: `rafter usage`
+2. Trigger scan on feature branch: `rafter run --branch feature-branch`
+3. Review results before creating PR
+
+**Workflow 3: Dependency Update Check**
+1. User updates dependencies
+2. Trigger scan: `rafter run`
+3. Check for new vulnerabilities
+
+## Output Format
+
+Scans return:
+- **Code security findings** - SAST issues, security anti-patterns, hardcoded credentials
+- **Configuration issues** - Insecure settings, exposed secrets
+- **Severity levels** - Each finding rated by risk impact
+
+## Best Practices
+
+1. **Proactive scanning** - Suggest scans when user is working on security-sensitive code
+2. **Quota awareness** - Check usage before triggering multiple scans
+3. **Context interpretation** - Explain findings in context of user's code
+4. **Actionable recommendations** - Provide specific fixes for each finding
+
+## Integration Tips
+
+- Auto-detect git repo for convenient `rafter run` with no arguments
+- Wait for scan completion or show scan ID for later retrieval
+- Parse JSON output for structured analysis
+- Link findings to specific files and lines when available