@vibe-validate/cli 0.17.0-rc.7 → 0.17.0-rc.9

package/dist/utils/secret-scanning.js

@@ -0,0 +1,205 @@
+/**
+ * Secret Scanning Tool Detection and Execution
+ *
+ * Handles automatic detection and execution of secret scanning tools:
+ * - gitleaks (native binary, fast)
+ * - secretlint (npm-based, containerized-friendly)
+ */
+import { execSync } from 'node:child_process';
+import { existsSync } from 'node:fs';
+import { resolve } from 'node:path';
+import chalk from 'chalk';
+/**
+ * Check if gitleaks command is available
+ */
+export function isGitleaksAvailable() {
+    try {
+        execSync('gitleaks --version', { stdio: 'ignore' });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+/**
+ * Check if gitleaks config files exist
+ */
+export function hasGitleaksConfig(cwd = process.cwd()) {
+    return (existsSync(resolve(cwd, '.gitleaks.toml')) ||
+        existsSync(resolve(cwd, '.gitleaksignore')));
+}
+/**
+ * Check if secretlint config exists
+ */
+export function hasSecretlintConfig(cwd = process.cwd()) {
+    return existsSync(resolve(cwd, '.secretlintrc.json'));
+}
+/**
+ * Detect available secret scanning tools and their configurations
+ */
+export function detectSecretScanningTools(cwd = process.cwd()) {
+    const gitleaksAvailable = isGitleaksAvailable();
+    const gitleaksConfigured = hasGitleaksConfig(cwd);
+    const secretlintConfigured = hasSecretlintConfig(cwd);
+    return [
+        {
+            tool: 'gitleaks',
+            available: gitleaksAvailable,
+            hasConfig: gitleaksConfigured,
+            defaultCommand: 'gitleaks protect --staged --verbose',
+        },
+        {
+            tool: 'secretlint',
+            available: true, // Always available via npx
+            hasConfig: secretlintConfigured,
+            defaultCommand: 'npx secretlint "**/*"',
+        },
+    ];
+}
+/**
+ * Determine which tools to run based on configuration and availability
+ */
+export function selectToolsToRun(scanCommand, cwd = process.cwd()) {
+    // If explicit scanCommand provided (not "autodetect"), use it
+    if (scanCommand && scanCommand !== 'autodetect') {
+        // Detect which tool the command is for
+        const tool = scanCommand.includes('gitleaks') ? 'gitleaks' : 'secretlint';
+        return [{ tool, command: scanCommand }];
+    }
+    // Autodetect mode
+    const tools = detectSecretScanningTools(cwd);
+    const toRun = [];
+    // Check gitleaks
+    const gitleaks = tools.find(t => t.tool === 'gitleaks');
+    if (gitleaks?.hasConfig) {
+        // Config exists - add to run list (will warn during execution if unavailable)
+        toRun.push({ tool: 'gitleaks', command: gitleaks.defaultCommand });
+    }
+    // Check secretlint
+    const secretlint = tools.find(t => t.tool === 'secretlint');
+    if (secretlint?.hasConfig) {
+        toRun.push({ tool: 'secretlint', command: secretlint.defaultCommand });
+    }
+    // Fallback if no config files present
+    if (toRun.length === 0) {
+        if (gitleaks?.available) {
+            toRun.push({ tool: 'gitleaks', command: gitleaks.defaultCommand });
+        }
+        else if (secretlint) {
+            // Always fallback to secretlint via npx
+            toRun.push({ tool: 'secretlint', command: secretlint.defaultCommand });
+        }
+    }
+    return toRun;
+}
+/**
+ * Run a secret scanning command
+ */
+export function runSecretScan(tool, command, verbose = false) {
+    const startTime = Date.now();
+    // Special handling for gitleaks - check availability first
+    if (tool === 'gitleaks' && !isGitleaksAvailable()) {
+        return {
+            tool,
+            passed: true, // Don't fail, just skip
+            duration: Date.now() - startTime,
+            skipped: true,
+            skipReason: 'gitleaks command not available',
+        };
+    }
+    try {
+        const result = execSync(command, {
+            encoding: 'utf8',
+            stdio: 'pipe',
+        });
+        const duration = Date.now() - startTime;
+        return {
+            tool,
+            passed: true,
+            duration,
+            output: verbose ? result : undefined,
+        };
+    }
+    catch (error) {
+        const duration = Date.now() - startTime;
+        if (error && typeof error === 'object' && 'stderr' in error && 'stdout' in error) {
+            // Safely convert stderr/stdout to strings (may be Buffer or string from child_process)
+            // Handle potential undefined/null values before stringification to avoid [object Object]
+            const stderrValue = error.stderr;
+            const stdoutValue = error.stdout;
+            let stderr = '';
+            if (typeof stderrValue === 'string') {
+                stderr = stderrValue;
+            }
+            else if (stderrValue) {
+                stderr = String(stderrValue);
+            }
+            let stdout = '';
+            if (typeof stdoutValue === 'string') {
+                stdout = stdoutValue;
+            }
+            else if (stdoutValue) {
+                stdout = String(stdoutValue);
+            }
+            return {
+                tool,
+                passed: false,
+                duration,
+                output: stdout,
+                error: stderr,
+            };
+        }
+        return {
+            tool,
+            passed: false,
+            duration,
+            error: String(error),
+        };
+    }
+}
+/**
+ * Format tool name for display
+ */
+export function formatToolName(tool) {
+    return tool === 'gitleaks' ? 'gitleaks' : 'secretlint';
+}
+/**
+ * Show performance warning if scan was slow
+ */
+export function showPerformanceWarning(tool, duration, threshold) {
+    if (duration <= threshold) {
+        return;
+    }
+    const seconds = (duration / 1000).toFixed(1);
+    console.warn(chalk.yellow(`\n⚠️  Secret scanning took ${seconds}s (${formatToolName(tool)})`));
+    if (tool === 'secretlint') {
+        console.warn(chalk.gray('   Consider installing gitleaks for faster scanning:'));
+        console.warn(chalk.gray('   • macOS: brew install gitleaks'));
+        console.warn(chalk.gray('   • Linux: See https://github.com/gitleaks/gitleaks#installation'));
+        console.warn(chalk.gray('   • Or add explicit scanCommand in config\n'));
+    }
+}
+/**
+ * Show error message when secrets are detected
+ */
+export function showSecretsDetectedError(results) {
+    console.error(chalk.red('\n❌ Secret scanning detected potential secrets in staged files\n'));
+    for (const result of results) {
+        if (!result.passed) {
+            console.error(chalk.yellow(`Tool: ${formatToolName(result.tool)}`));
+            if (result.output) {
+                console.error(result.output);
+            }
+            if (result.error) {
+                console.error(result.error);
+            }
+            console.error('');
+        }
+    }
+    console.error(chalk.blue('💡 Fix options:'));
+    console.error(chalk.gray('   1. Remove secrets from staged files'));
+    console.error(chalk.gray('   2. Use .gitleaksignore to mark false positives (if using gitleaks)'));
+    console.error(chalk.gray('   3. Use .secretlintignore to mark false positives (if using secretlint)'));
+    console.error(chalk.gray('   4. Disable scanning: set hooks.preCommit.secretScanning.enabled=false'));
+}
+//# sourceMappingURL=secret-scanning.js.map

package/dist/utils/secret-scanning.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-scanning.js","sourceRoot":"","sources":["../../src/utils/secret-scanning.ts"],"names":[],"mappings":"AAAA;;;;;;GAMG;AAEH,OAAO,EAAE,QAAQ,EAAE,MAAM,oBAAoB,CAAC;AAC9C,OAAO,EAAE,UAAU,EAAE,MAAM,SAAS,CAAC;AACrC,OAAO,EAAE,OAAO,EAAE,MAAM,WAAW,CAAC;AACpC,OAAO,KAAK,MAAM,OAAO,CAAC;AAiB1B;;GAEG;AACH,MAAM,UAAU,mBAAmB;IACjC,IAAI,CAAC;QACH,QAAQ,CAAC,oBAAoB,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,KAAK,CAAC;IACf,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,iBAAiB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC3D,OAAO,CACL,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,gBAAgB,CAAC,CAAC;QAC1C,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,iBAAiB,CAAC,CAAC,CAC5C,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,mBAAmB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IAC7D,OAAO,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,oBAAoB,CAAC,CAAC,CAAC;AACxD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,yBAAyB,CAAC,MAAc,OAAO,CAAC,GAAG,EAAE;IACnE,MAAM,iBAAiB,GAAG,mBAAmB,EAAE,CAAC;IAChD,MAAM,kBAAkB,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC;IAClD,MAAM,oBAAoB,GAAG,mBAAmB,CAAC,GAAG,CAAC,CAAC;IAEtD,OAAO;QACL;YACE,IAAI,EAAE,UAAU;YAChB,SAAS,EAAE,iBAAiB;YAC5B,SAAS,EAAE,kBAAkB;YAC7B,cAAc,EAAE,qCAAqC;SACtD;QACD;YACE,IAAI,EAAE,YAAY;YAClB,SAAS,EAAE,IAAI,EAAE,2BAA2B;YAC5C,SAAS,EAAE,oBAAoB;YAC/B,cAAc,EAAE,uBAAuB;SACxC;KACF,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,gBAAgB,CAC9B,WAA+B,EAC/B,MAAc,OAAO,CAAC,GAAG,EAAE;IAE3B,8DAA8D;IAC9D,IAAI,WAAW,IAAI,WAAW,KAAK,YAAY,EAAE,CAAC;QAChD,uCAAuC;QACvC,MAAM,IAAI,GAAG,WAAW,CAAC,QAAQ,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,YAAY,CAAC;QAC1E,OAAO,CAAC,EAAE,IAAI,EAAE,OAAO,EAAE,WAAW,EAAE,CAAC,CAAC;IAC1C,CAAC;IAED,kBAAkB;IAClB,MAAM,KAAK,GAAG,yBAAyB,CAAC,GAAG,CAAC,CAAC;IAC7C,MAAM,KAAK,GAAoD,EAAE,CAAC;IAElE,iBAAiB;IACjB,MAAM,QAAQ,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC;IACxD,IAAI,QAAQ,EAAE,SAAS,EAAE,CAAC;QACxB,8EAA8E;QAC9E,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;IACrE,CAAC;IAED,mBAAmB;IACnB,MAAM,UAAU,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,YAAY,CAAC,CAAC;IAC5D,IAAI,UAAU,EAAE,SAAS,EAAE,CAAC;QAC1B,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,UAAU,CAAC,cAAc,EAAE,CAAC,CAAC;IACzE,CAAC;IAED,sCAAsC;IACtC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,IAAI,QAAQ,EAAE,SAAS,EAAE,CAAC;YACxB,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,QAAQ,CAAC,cAAc,EAAE,CAAC,CAAC;QACrE,CAAC;aAAM,IAAI,UAAU,EAAE,CAAC;YACtB,wCAAwC;YACxC,KAAK,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,YAAY,EAAE,OAAO,EAAE,UAAU,CAAC,cAAc,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAeD;;GAEG;AACH,MAAM,UAAU,aAAa,CAC3B,IAAwB,EACxB,OAAe,EACf,UAAmB,KAAK;IAExB,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE7B,2DAA2D;IAC3D,IAAI,IAAI,KAAK,UAAU,IAAI,CAAC,mBAAmB,EAAE,EAAE,CAAC;QAClD,OAAO;YACL,IAAI;YACJ,MAAM,EAAE,IAAI,EAAE,wBAAwB;YACtC,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;YAChC,OAAO,EAAE,IAAI;YACb,UAAU,EAAE,gCAAgC;SAC7C,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,QAAQ,CAAC,OAAO,EAAE;YAC/B,QAAQ,EAAE,MAAM;YAChB,KAAK,EAAE,MAAM;SACd,CAAC,CAAC;QAEH,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,OAAO;YACL,IAAI;YACJ,MAAM,EAAE,IAAI;YACZ,QAAQ;YACR,MAAM,EAAE,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,SAAS;SACrC,CAAC;IACJ,CAAC;IAAC,OAAO,KAAc,EAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS,CAAC;QAExC,IAAI,KAAK,IAAI,OAAO,KAAK,KAAK,QAAQ,IAAI,QAAQ,IAAI,KAAK,IAAI,QAAQ,IAAI,KAAK,EAAE,CAAC;YACjF,uFAAuF;YACvF,yFAAyF;YACzF,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC;YACjC,MAAM,WAAW,GAAG,KAAK,CAAC,MAAM,CAAC;YAEjC,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;gBACpC,MAAM,GAAG,WAAW,CAAC;YACvB,CAAC;iBAAM,IAAI,WAAW,EAAE,CAAC;gBACvB,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC;YAC/B,CAAC;YAED,IAAI,MAAM,GAAG,EAAE,CAAC;YAChB,IAAI,OAAO,WAAW,KAAK,QAAQ,EAAE,CAAC;gBACpC,MAAM,GAAG,WAAW,CAAC;YACvB,CAAC;iBAAM,IAAI,WAAW,EAAE,CAAC;gBACvB,MAAM,GAAG,MAAM,CAAC,WAAW,CAAC,CAAC;YAC/B,CAAC;YAED,OAAO;gBACL,IAAI;gBACJ,MAAM,EAAE,KAAK;gBACb,QAAQ;gBACR,MAAM,EAAE,MAAM;gBACd,KAAK,EAAE,MAAM;aACd,CAAC;QACJ,CAAC;QAED,OAAO;YACL,IAAI;YACJ,MAAM,EAAE,KAAK;YACb,QAAQ;YACR,KAAK,EAAE,MAAM,CAAC,KAAK,CAAC;SACrB,CAAC;IACJ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,cAAc,CAAC,IAAwB;IACrD,OAAO,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,YAAY,CAAC;AACzD,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,sBAAsB,CACpC,IAAwB,EACxB,QAAgB,EAChB,SAAiB;IAEjB,IAAI,QAAQ,IAAI,SAAS,EAAE,CAAC;QAC1B,OAAO;IACT,CAAC;IAED,MAAM,OAAO,GAAG,CAAC,QAAQ,GAAG,IAAI,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC;IAE7C,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,MAAM,CAAC,8BAA8B,OAAO,MAAM,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;IAE/F,IAAI,IAAI,KAAK,YAAY,EAAE,CAAC;QAC1B,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,sDAAsD,CAAC,CAAC,CAAC;QACjF,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,mCAAmC,CAAC,CAAC,CAAC;QAC9D,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,mEAAmE,CAAC,CAAC,CAAC;QAC9F,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,8CAA8C,CAAC,CAAC,CAAC;IAC3E,CAAC;AACH,CAAC;AAED;;GAEG;AACH,MAAM,UAAU,wBAAwB,CAAC,OAAqB;IAC5D,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,kEAAkE,CAAC,CAAC,CAAC;IAE7F,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;YACnB,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,MAAM,CAAC,SAAS,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC;YAEpE,IAAI,MAAM,CAAC,MAAM,EAAE,CAAC;gBAClB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC;YAC/B,CAAC;YACD,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBACjB,OAAO,CAAC,KAAK,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC;YAC9B,CAAC;YACD,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC;QACpB,CAAC;IACH,CAAC;IAED,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAC7C,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,wCAAwC,CAAC,CAAC,CAAC;IACpE,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,uEAAuE,CAAC,CAAC,CAAC;IACnG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,2EAA2E,CAAC,CAAC,CAAC;IACvG,OAAO,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,0EAA0E,CAAC,CAAC,CAAC;AACxG,CAAC"}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vibe-validate/cli",
-  "version": "0.17.0-rc.7",
+  "version": "0.17.0-rc.9",
   "description": "Command-line interface for vibe-validate validation framework",
   "type": "module",
   "main": "./dist/index.js",
@@ -62,11 +62,11 @@
     "yaml": "^2.6.1",
     "zod": "^3.24.1",
     "zod-to-json-schema": "^3.24.6",
-    "@vibe-validate/core": "0.17.0-rc.7",
-    "@vibe-validate/config": "0.17.0-rc.7",
-    "@vibe-validate/extractors": "0.17.0-rc.7",
-    "@vibe-validate/git": "0.17.0-rc.7",
-    "@vibe-validate/history": "0.17.0-rc.7"
+    "@vibe-validate/extractors": "0.17.0-rc.9",
+    "@vibe-validate/git": "0.17.0-rc.9",
+    "@vibe-validate/config": "0.17.0-rc.9",
+    "@vibe-validate/core": "0.17.0-rc.9",
+    "@vibe-validate/history": "0.17.0-rc.9"
   },
   "devDependencies": {
     "@types/node": "^20.14.8",