@vibecheckai/cli 3.5.0 → 3.5.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/bin/registry.js +214 -237
- package/bin/runners/cli-utils.js +33 -2
- package/bin/runners/context/analyzer.js +52 -1
- package/bin/runners/context/generators/cursor.js +2 -49
- package/bin/runners/context/git-context.js +3 -1
- package/bin/runners/context/team-conventions.js +33 -7
- package/bin/runners/lib/analysis-core.js +25 -5
- package/bin/runners/lib/analyzers.js +431 -481
- package/bin/runners/lib/default-config.js +127 -0
- package/bin/runners/lib/doctor/modules/security.js +3 -1
- package/bin/runners/lib/engine/ast-cache.js +210 -0
- package/bin/runners/lib/engine/auth-extractor.js +211 -0
- package/bin/runners/lib/engine/billing-extractor.js +112 -0
- package/bin/runners/lib/engine/enforcement-extractor.js +100 -0
- package/bin/runners/lib/engine/env-extractor.js +207 -0
- package/bin/runners/lib/engine/express-extractor.js +208 -0
- package/bin/runners/lib/engine/extractors.js +849 -0
- package/bin/runners/lib/engine/index.js +207 -0
- package/bin/runners/lib/engine/repo-index.js +514 -0
- package/bin/runners/lib/engine/types.js +124 -0
- package/bin/runners/lib/engines/accessibility-engine.js +18 -218
- package/bin/runners/lib/engines/api-consistency-engine.js +30 -335
- package/bin/runners/lib/engines/cross-file-analysis-engine.js +27 -292
- package/bin/runners/lib/engines/empty-catch-engine.js +17 -127
- package/bin/runners/lib/engines/mock-data-engine.js +10 -53
- package/bin/runners/lib/engines/performance-issues-engine.js +36 -176
- package/bin/runners/lib/engines/security-vulnerabilities-engine.js +54 -382
- package/bin/runners/lib/engines/type-aware-engine.js +39 -263
- package/bin/runners/lib/engines/vibecheck-engines/index.js +13 -122
- package/bin/runners/lib/engines/vibecheck-engines/lib/ast-cache.js +164 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/code-quality-engine.js +291 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/console-logs-engine.js +83 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/dead-code-engine.js +198 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/deprecated-api-engine.js +275 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/empty-catch-engine.js +167 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/file-filter.js +217 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/hardcoded-secrets-engine.js +73 -373
- package/bin/runners/lib/engines/vibecheck-engines/lib/mock-data-engine.js +140 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/parallel-processor.js +164 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/performance-issues-engine.js +234 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/type-aware-engine.js +217 -0
- package/bin/runners/lib/engines/vibecheck-engines/lib/unsafe-regex-engine.js +78 -0
- package/bin/runners/lib/entitlements-v2.js +73 -97
- package/bin/runners/lib/error-handler.js +44 -3
- package/bin/runners/lib/error-messages.js +289 -0
- package/bin/runners/lib/evidence-pack.js +7 -1
- package/bin/runners/lib/finding-id.js +69 -0
- package/bin/runners/lib/finding-sorter.js +89 -0
- package/bin/runners/lib/html-proof-report.js +700 -350
- package/bin/runners/lib/missions/plan.js +6 -46
- package/bin/runners/lib/missions/templates.js +0 -232
- package/bin/runners/lib/next-action.js +560 -0
- package/bin/runners/lib/prerequisites.js +149 -0
- package/bin/runners/lib/route-detection.js +137 -68
- package/bin/runners/lib/scan-output.js +91 -76
- package/bin/runners/lib/scan-runner.js +135 -0
- package/bin/runners/lib/schemas/ajv-validator.js +464 -0
- package/bin/runners/lib/schemas/error-envelope.schema.json +105 -0
- package/bin/runners/lib/schemas/finding-v3.schema.json +151 -0
- package/bin/runners/lib/schemas/report-artifact.schema.json +120 -0
- package/bin/runners/lib/schemas/run-request.schema.json +108 -0
- package/bin/runners/lib/schemas/validator.js +27 -0
- package/bin/runners/lib/schemas/verdict.schema.json +140 -0
- package/bin/runners/lib/ship-output-enterprise.js +23 -23
- package/bin/runners/lib/ship-output.js +75 -31
- package/bin/runners/lib/terminal-ui.js +6 -113
- package/bin/runners/lib/truth.js +351 -10
- package/bin/runners/lib/unified-cli-output.js +430 -603
- package/bin/runners/lib/unified-output.js +13 -9
- package/bin/runners/runAIAgent.js +10 -5
- package/bin/runners/runAgent.js +0 -3
- package/bin/runners/runAllowlist.js +389 -0
- package/bin/runners/runApprove.js +0 -33
- package/bin/runners/runAuth.js +73 -45
- package/bin/runners/runCheckpoint.js +51 -11
- package/bin/runners/runClassify.js +85 -21
- package/bin/runners/runContext.js +0 -3
- package/bin/runners/runDoctor.js +41 -28
- package/bin/runners/runEvidencePack.js +362 -0
- package/bin/runners/runFirewall.js +0 -3
- package/bin/runners/runFirewallHook.js +0 -3
- package/bin/runners/runFix.js +66 -76
- package/bin/runners/runGuard.js +18 -411
- package/bin/runners/runInit.js +113 -30
- package/bin/runners/runLabs.js +424 -0
- package/bin/runners/runMcp.js +19 -25
- package/bin/runners/runPolish.js +64 -240
- package/bin/runners/runPromptFirewall.js +12 -5
- package/bin/runners/runProve.js +57 -22
- package/bin/runners/runQuickstart.js +531 -0
- package/bin/runners/runReality.js +59 -68
- package/bin/runners/runReport.js +38 -33
- package/bin/runners/runRuntime.js +8 -5
- package/bin/runners/runScan.js +1413 -190
- package/bin/runners/runShip.js +113 -719
- package/bin/runners/runTruth.js +0 -3
- package/bin/runners/runValidate.js +13 -9
- package/bin/runners/runWatch.js +23 -14
- package/bin/scan.js +6 -1
- package/bin/vibecheck.js +204 -185
- package/mcp-server/deprecation-middleware.js +282 -0
- package/mcp-server/handlers/index.ts +15 -0
- package/mcp-server/handlers/tool-handler.ts +554 -0
- package/mcp-server/index-v1.js +698 -0
- package/mcp-server/index.js +210 -238
- package/mcp-server/lib/cache-wrapper.cjs +383 -0
- package/mcp-server/lib/error-envelope.js +138 -0
- package/mcp-server/lib/executor.ts +499 -0
- package/mcp-server/lib/index.ts +19 -0
- package/mcp-server/lib/rate-limiter.js +166 -0
- package/mcp-server/lib/sandbox.test.ts +519 -0
- package/mcp-server/lib/sandbox.ts +395 -0
- package/mcp-server/lib/types.ts +267 -0
- package/mcp-server/package.json +12 -3
- package/mcp-server/registry/tool-registry.js +794 -0
- package/mcp-server/registry/tools.json +605 -0
- package/mcp-server/registry.test.ts +334 -0
- package/mcp-server/tests/tier-gating.test.js +297 -0
- package/mcp-server/tier-auth.js +378 -45
- package/mcp-server/tools-v3.js +353 -442
- package/mcp-server/tsconfig.json +37 -0
- package/mcp-server/vibecheck-2.0-tools.js +14 -1
- package/package.json +1 -1
- package/bin/runners/lib/agent-firewall/learning/learning-engine.js +0 -849
- package/bin/runners/lib/audit-logger.js +0 -532
- package/bin/runners/lib/authority/authorities/architecture.js +0 -364
- package/bin/runners/lib/authority/authorities/compliance.js +0 -341
- package/bin/runners/lib/authority/authorities/human.js +0 -343
- package/bin/runners/lib/authority/authorities/quality.js +0 -420
- package/bin/runners/lib/authority/authorities/security.js +0 -228
- package/bin/runners/lib/authority/index.js +0 -293
- package/bin/runners/lib/bundle/bundle-intelligence.js +0 -846
- package/bin/runners/lib/cli-charts.js +0 -368
- package/bin/runners/lib/cli-config-display.js +0 -405
- package/bin/runners/lib/cli-demo.js +0 -275
- package/bin/runners/lib/cli-errors.js +0 -438
- package/bin/runners/lib/cli-help-formatter.js +0 -439
- package/bin/runners/lib/cli-interactive-menu.js +0 -509
- package/bin/runners/lib/cli-prompts.js +0 -441
- package/bin/runners/lib/cli-scan-cards.js +0 -362
- package/bin/runners/lib/compliance-reporter.js +0 -710
- package/bin/runners/lib/conductor/index.js +0 -671
- package/bin/runners/lib/easy/README.md +0 -123
- package/bin/runners/lib/easy/index.js +0 -140
- package/bin/runners/lib/easy/interactive-wizard.js +0 -788
- package/bin/runners/lib/easy/one-click-firewall.js +0 -564
- package/bin/runners/lib/easy/zero-config-reality.js +0 -714
- package/bin/runners/lib/engines/async-patterns-engine.js +0 -444
- package/bin/runners/lib/engines/bundle-size-engine.js +0 -433
- package/bin/runners/lib/engines/confidence-scoring.js +0 -276
- package/bin/runners/lib/engines/context-detection.js +0 -264
- package/bin/runners/lib/engines/database-patterns-engine.js +0 -429
- package/bin/runners/lib/engines/duplicate-code-engine.js +0 -354
- package/bin/runners/lib/engines/env-variables-engine.js +0 -458
- package/bin/runners/lib/engines/error-handling-engine.js +0 -437
- package/bin/runners/lib/engines/false-positive-prevention.js +0 -630
- package/bin/runners/lib/engines/framework-adapters/index.js +0 -607
- package/bin/runners/lib/engines/framework-detection.js +0 -508
- package/bin/runners/lib/engines/import-order-engine.js +0 -429
- package/bin/runners/lib/engines/naming-conventions-engine.js +0 -544
- package/bin/runners/lib/engines/noise-reduction-engine.js +0 -452
- package/bin/runners/lib/engines/orchestrator.js +0 -334
- package/bin/runners/lib/engines/react-patterns-engine.js +0 -457
- package/bin/runners/lib/engines/vibecheck-engines/lib/ai-hallucination-engine.js +0 -806
- package/bin/runners/lib/engines/vibecheck-engines/lib/smart-fix-engine.js +0 -577
- package/bin/runners/lib/engines/vibecheck-engines/lib/vibe-score-engine.js +0 -543
- package/bin/runners/lib/engines/vibecheck-engines.js +0 -514
- package/bin/runners/lib/enhanced-features/index.js +0 -305
- package/bin/runners/lib/enhanced-output.js +0 -631
- package/bin/runners/lib/enterprise.js +0 -300
- package/bin/runners/lib/firewall/command-validator.js +0 -351
- package/bin/runners/lib/firewall/config.js +0 -341
- package/bin/runners/lib/firewall/content-validator.js +0 -519
- package/bin/runners/lib/firewall/index.js +0 -101
- package/bin/runners/lib/firewall/path-validator.js +0 -256
- package/bin/runners/lib/intelligence/cross-repo-intelligence.js +0 -817
- package/bin/runners/lib/mcp-utils.js +0 -425
- package/bin/runners/lib/output/index.js +0 -1022
- package/bin/runners/lib/policy-engine.js +0 -652
- package/bin/runners/lib/polish/autofix/accessibility-fixes.js +0 -333
- package/bin/runners/lib/polish/autofix/async-handlers.js +0 -273
- package/bin/runners/lib/polish/autofix/dead-code.js +0 -280
- package/bin/runners/lib/polish/autofix/imports-optimizer.js +0 -344
- package/bin/runners/lib/polish/autofix/index.js +0 -200
- package/bin/runners/lib/polish/autofix/remove-consoles.js +0 -209
- package/bin/runners/lib/polish/autofix/strengthen-types.js +0 -245
- package/bin/runners/lib/polish/backend-checks.js +0 -148
- package/bin/runners/lib/polish/documentation-checks.js +0 -111
- package/bin/runners/lib/polish/frontend-checks.js +0 -168
- package/bin/runners/lib/polish/index.js +0 -71
- package/bin/runners/lib/polish/infrastructure-checks.js +0 -131
- package/bin/runners/lib/polish/library-detection.js +0 -175
- package/bin/runners/lib/polish/performance-checks.js +0 -100
- package/bin/runners/lib/polish/security-checks.js +0 -148
- package/bin/runners/lib/polish/utils.js +0 -203
- package/bin/runners/lib/prompt-builder.js +0 -540
- package/bin/runners/lib/proof-certificate.js +0 -634
- package/bin/runners/lib/reality/accessibility-audit.js +0 -946
- package/bin/runners/lib/reality/api-contract-validator.js +0 -1012
- package/bin/runners/lib/reality/chaos-engineering.js +0 -1084
- package/bin/runners/lib/reality/performance-tracker.js +0 -1077
- package/bin/runners/lib/reality/scenario-generator.js +0 -1404
- package/bin/runners/lib/reality/visual-regression.js +0 -852
- package/bin/runners/lib/reality-profiler.js +0 -717
- package/bin/runners/lib/replay/flight-recorder-viewer.js +0 -1160
- package/bin/runners/lib/review/ai-code-review.js +0 -832
- package/bin/runners/lib/rules/custom-rule-engine.js +0 -985
- package/bin/runners/lib/sbom-generator.js +0 -641
- package/bin/runners/lib/scan-output-enhanced.js +0 -512
- package/bin/runners/lib/security/owasp-scanner.js +0 -939
- package/bin/runners/lib/validators/contract-validator.js +0 -283
- package/bin/runners/lib/validators/dead-export-detector.js +0 -279
- package/bin/runners/lib/validators/dep-audit.js +0 -245
- package/bin/runners/lib/validators/env-validator.js +0 -319
- package/bin/runners/lib/validators/index.js +0 -120
- package/bin/runners/lib/validators/license-checker.js +0 -252
- package/bin/runners/lib/validators/route-validator.js +0 -290
- package/bin/runners/runAuthority.js +0 -528
- package/bin/runners/runConductor.js +0 -772
- package/bin/runners/runContainer.js +0 -366
- package/bin/runners/runEasy.js +0 -410
- package/bin/runners/runIaC.js +0 -372
- package/bin/runners/runVibe.js +0 -791
- package/mcp-server/tools.js +0 -495
package/bin/runners/runIaC.js
DELETED
|
@@ -1,372 +0,0 @@
|
|
|
1
|
-
/**
|
|
2
|
-
* Infrastructure as Code (IaC) Security Scanner CLI
|
|
3
|
-
*
|
|
4
|
-
* Scans Terraform and CloudFormation files for security issues
|
|
5
|
-
*/
|
|
6
|
-
|
|
7
|
-
"use strict";
|
|
8
|
-
|
|
9
|
-
const path = require("path");
|
|
10
|
-
const fs = require("fs");
|
|
11
|
-
const { parseGlobalFlags, shouldShowBanner } = require("./lib/global-flags");
|
|
12
|
-
const { EXIT } = require("./lib/exit-codes");
|
|
13
|
-
|
|
14
|
-
// Terminal UI
|
|
15
|
-
let terminalUI;
|
|
16
|
-
try {
|
|
17
|
-
terminalUI = require("./lib/terminal-ui");
|
|
18
|
-
} catch {
|
|
19
|
-
terminalUI = {
|
|
20
|
-
c: { reset: "", bold: "", dim: "", red: "", yellow: "", green: "", cyan: "" },
|
|
21
|
-
rgb: () => "",
|
|
22
|
-
icons: { check: "✓", cross: "✗", warning: "⚠", info: "ℹ" },
|
|
23
|
-
Spinner: class { start() {} succeed() {} fail() {} },
|
|
24
|
-
};
|
|
25
|
-
}
|
|
26
|
-
|
|
27
|
-
const { c, rgb, icons, Spinner } = terminalUI;
|
|
28
|
-
|
|
29
|
-
// Unified Output System
|
|
30
|
-
const { output } = require("./lib/output/index.js");
|
|
31
|
-
|
|
32
|
-
// Colors
|
|
33
|
-
const colors = {
|
|
34
|
-
critical: rgb(255, 80, 80),
|
|
35
|
-
high: rgb(255, 150, 50),
|
|
36
|
-
medium: rgb(255, 200, 0),
|
|
37
|
-
low: rgb(100, 200, 255),
|
|
38
|
-
info: rgb(150, 150, 150),
|
|
39
|
-
success: rgb(0, 255, 150),
|
|
40
|
-
accent: rgb(0, 200, 255),
|
|
41
|
-
terraform: rgb(123, 66, 255),
|
|
42
|
-
cloudformation: rgb(255, 153, 0),
|
|
43
|
-
};
|
|
44
|
-
|
|
45
|
-
const BANNER = `
|
|
46
|
-
${rgb(123, 66, 255)} ╔═══════════════════════════════════════════════════════════════╗${c.reset}
|
|
47
|
-
${rgb(123, 66, 255)} ║ ${c.bold}IAC SECURITY${c.reset}${rgb(123, 66, 255)} • Terraform / CloudFormation Scanning ║${c.reset}
|
|
48
|
-
${rgb(123, 66, 255)} ╚═══════════════════════════════════════════════════════════════╝${c.reset}
|
|
49
|
-
`;
|
|
50
|
-
|
|
51
|
-
function printBanner() {
|
|
52
|
-
console.log(BANNER);
|
|
53
|
-
}
|
|
54
|
-
|
|
55
|
-
function printHelp() {
|
|
56
|
-
console.log(`
|
|
57
|
-
${c.bold}Usage:${c.reset} vibecheck iac [options] [path]
|
|
58
|
-
|
|
59
|
-
${c.bold}Description:${c.reset}
|
|
60
|
-
Scan Infrastructure as Code files for security misconfigurations.
|
|
61
|
-
Supports Terraform (.tf) and CloudFormation (YAML/JSON).
|
|
62
|
-
|
|
63
|
-
${c.bold}Options:${c.reset}
|
|
64
|
-
${colors.accent}--path, -p${c.reset} Path to IaC files or directory (default: .)
|
|
65
|
-
${colors.accent}--json${c.reset} Output as JSON
|
|
66
|
-
${colors.accent}--sarif${c.reset} Output as SARIF for GitHub
|
|
67
|
-
${colors.accent}--ignore${c.reset} Ignore specific rule IDs (comma-separated)
|
|
68
|
-
${colors.accent}--min-severity${c.reset} Minimum severity to report (critical/high/medium/low)
|
|
69
|
-
${colors.accent}--provider${c.reset} Scan only specific provider (terraform/cloudformation)
|
|
70
|
-
${colors.accent}--verbose, -v${c.reset} Show detailed output
|
|
71
|
-
${colors.accent}--help, -h${c.reset} Show this help
|
|
72
|
-
|
|
73
|
-
${c.bold}Examples:${c.reset}
|
|
74
|
-
${c.dim}# Scan current directory${c.reset}
|
|
75
|
-
vibecheck iac
|
|
76
|
-
|
|
77
|
-
${c.dim}# Scan Terraform files only${c.reset}
|
|
78
|
-
vibecheck iac --provider terraform
|
|
79
|
-
|
|
80
|
-
${c.dim}# JSON output for CI${c.reset}
|
|
81
|
-
vibecheck iac --json
|
|
82
|
-
|
|
83
|
-
${c.dim}# SARIF output for GitHub Security${c.reset}
|
|
84
|
-
vibecheck iac --sarif
|
|
85
|
-
|
|
86
|
-
${c.dim}# Ignore specific rules${c.reset}
|
|
87
|
-
vibecheck iac --ignore AWS-S3-001,AWS-IAM-001
|
|
88
|
-
`);
|
|
89
|
-
}
|
|
90
|
-
|
|
91
|
-
function parseArgs(args) {
|
|
92
|
-
const { flags: globalFlags, cleanArgs } = parseGlobalFlags(args);
|
|
93
|
-
|
|
94
|
-
const opts = {
|
|
95
|
-
path: globalFlags.path || ".",
|
|
96
|
-
json: globalFlags.json || false,
|
|
97
|
-
sarif: false,
|
|
98
|
-
verbose: globalFlags.verbose || false,
|
|
99
|
-
help: globalFlags.help || false,
|
|
100
|
-
ignore: [],
|
|
101
|
-
minSeverity: null,
|
|
102
|
-
provider: null,
|
|
103
|
-
noBanner: globalFlags.noBanner || false,
|
|
104
|
-
ci: globalFlags.ci || false,
|
|
105
|
-
quiet: globalFlags.quiet || false,
|
|
106
|
-
};
|
|
107
|
-
|
|
108
|
-
for (let i = 0; i < cleanArgs.length; i++) {
|
|
109
|
-
const arg = cleanArgs[i];
|
|
110
|
-
|
|
111
|
-
if (arg === "--sarif") opts.sarif = true;
|
|
112
|
-
else if (arg === "--ignore") {
|
|
113
|
-
opts.ignore = (cleanArgs[++i] || "").split(",").filter(Boolean);
|
|
114
|
-
}
|
|
115
|
-
else if (arg.startsWith("--ignore=")) {
|
|
116
|
-
opts.ignore = arg.split("=")[1].split(",").filter(Boolean);
|
|
117
|
-
}
|
|
118
|
-
else if (arg === "--min-severity") {
|
|
119
|
-
opts.minSeverity = cleanArgs[++i];
|
|
120
|
-
}
|
|
121
|
-
else if (arg.startsWith("--min-severity=")) {
|
|
122
|
-
opts.minSeverity = arg.split("=")[1];
|
|
123
|
-
}
|
|
124
|
-
else if (arg === "--provider") {
|
|
125
|
-
opts.provider = cleanArgs[++i];
|
|
126
|
-
}
|
|
127
|
-
else if (arg.startsWith("--provider=")) {
|
|
128
|
-
opts.provider = arg.split("=")[1];
|
|
129
|
-
}
|
|
130
|
-
else if (!arg.startsWith("-")) {
|
|
131
|
-
opts.path = arg;
|
|
132
|
-
}
|
|
133
|
-
}
|
|
134
|
-
|
|
135
|
-
return opts;
|
|
136
|
-
}
|
|
137
|
-
|
|
138
|
-
function formatFinding(finding, verbose = false) {
|
|
139
|
-
const severityColors = {
|
|
140
|
-
critical: colors.critical,
|
|
141
|
-
high: colors.high,
|
|
142
|
-
medium: colors.medium,
|
|
143
|
-
low: colors.low,
|
|
144
|
-
info: colors.info,
|
|
145
|
-
};
|
|
146
|
-
|
|
147
|
-
const severityIcons = {
|
|
148
|
-
critical: "🔴",
|
|
149
|
-
high: "🟠",
|
|
150
|
-
medium: "🟡",
|
|
151
|
-
low: "🔵",
|
|
152
|
-
info: "⚪",
|
|
153
|
-
};
|
|
154
|
-
|
|
155
|
-
const color = severityColors[finding.severity] || colors.info;
|
|
156
|
-
const icon = severityIcons[finding.severity] || "⚪";
|
|
157
|
-
|
|
158
|
-
let output = ` ${icon} ${color}${finding.severity.toUpperCase()}${c.reset} ${finding.title}\n`;
|
|
159
|
-
output += ` ${c.dim}${finding.id}${c.reset}`;
|
|
160
|
-
|
|
161
|
-
if (finding.resource) {
|
|
162
|
-
output += ` ${c.dim}• ${finding.resource}${c.reset}`;
|
|
163
|
-
}
|
|
164
|
-
|
|
165
|
-
if (finding.line) {
|
|
166
|
-
output += ` ${c.dim}(line ${finding.line})${c.reset}`;
|
|
167
|
-
}
|
|
168
|
-
|
|
169
|
-
output += "\n";
|
|
170
|
-
|
|
171
|
-
if (verbose) {
|
|
172
|
-
output += ` ${c.dim}${finding.description}${c.reset}\n`;
|
|
173
|
-
output += ` ${colors.accent}Fix:${c.reset} ${finding.recommendation}\n`;
|
|
174
|
-
if (finding.cwe) {
|
|
175
|
-
output += ` ${c.dim}CWE: ${finding.cwe}${c.reset}\n`;
|
|
176
|
-
}
|
|
177
|
-
}
|
|
178
|
-
|
|
179
|
-
return output;
|
|
180
|
-
}
|
|
181
|
-
|
|
182
|
-
async function runIaC(args) {
|
|
183
|
-
const opts = parseArgs(args);
|
|
184
|
-
|
|
185
|
-
if (opts.help) {
|
|
186
|
-
printHelp();
|
|
187
|
-
return EXIT.SUCCESS;
|
|
188
|
-
}
|
|
189
|
-
|
|
190
|
-
if (shouldShowBanner(opts)) {
|
|
191
|
-
printBanner();
|
|
192
|
-
}
|
|
193
|
-
|
|
194
|
-
const spinner = new Spinner();
|
|
195
|
-
spinner.start("Scanning for IaC files...");
|
|
196
|
-
|
|
197
|
-
try {
|
|
198
|
-
// Dynamic import of the security package
|
|
199
|
-
let iacScanner;
|
|
200
|
-
try {
|
|
201
|
-
iacScanner = require("@vibecheck/security").scanIaC ||
|
|
202
|
-
require("@vibecheck/security").iac?.scanIaC;
|
|
203
|
-
|
|
204
|
-
if (!iacScanner) {
|
|
205
|
-
// Try direct import
|
|
206
|
-
const security = require("../../packages/security/src/iac/scanner");
|
|
207
|
-
iacScanner = security.scanIaC;
|
|
208
|
-
}
|
|
209
|
-
} catch (e) {
|
|
210
|
-
// Fallback: try relative path
|
|
211
|
-
try {
|
|
212
|
-
const security = require("../../packages/security/src/iac/scanner");
|
|
213
|
-
iacScanner = security.scanIaC;
|
|
214
|
-
} catch {
|
|
215
|
-
spinner.fail("IaC scanning module not available");
|
|
216
|
-
console.error(`\n ${colors.critical}${icons.cross}${c.reset} IaC scanning requires @vibecheck/security package\n`);
|
|
217
|
-
return EXIT.INTERNAL_ERROR;
|
|
218
|
-
}
|
|
219
|
-
}
|
|
220
|
-
|
|
221
|
-
const targetPath = path.resolve(opts.path);
|
|
222
|
-
|
|
223
|
-
// Determine providers to scan
|
|
224
|
-
const providers = opts.provider
|
|
225
|
-
? [opts.provider]
|
|
226
|
-
: ["terraform", "cloudformation"];
|
|
227
|
-
|
|
228
|
-
const results = await iacScanner({
|
|
229
|
-
paths: [targetPath],
|
|
230
|
-
providers,
|
|
231
|
-
ignoreRules: opts.ignore,
|
|
232
|
-
minSeverity: opts.minSeverity,
|
|
233
|
-
includeInfo: opts.verbose,
|
|
234
|
-
});
|
|
235
|
-
|
|
236
|
-
spinner.succeed(`Found ${results.length} provider(s) with IaC files`);
|
|
237
|
-
|
|
238
|
-
if (results.length === 0) {
|
|
239
|
-
console.log(`\n ${c.dim}No IaC files found in ${targetPath}${c.reset}\n`);
|
|
240
|
-
return EXIT.SUCCESS;
|
|
241
|
-
}
|
|
242
|
-
|
|
243
|
-
// Aggregate findings
|
|
244
|
-
const totalFindings = results.flatMap(r => r.findings);
|
|
245
|
-
const totalScore = results.length > 0
|
|
246
|
-
? Math.round(results.reduce((sum, r) => sum + r.score, 0) / results.length)
|
|
247
|
-
: 100;
|
|
248
|
-
|
|
249
|
-
// JSON output
|
|
250
|
-
if (opts.json) {
|
|
251
|
-
console.log(JSON.stringify({
|
|
252
|
-
success: true,
|
|
253
|
-
results,
|
|
254
|
-
summary: {
|
|
255
|
-
providersScanned: results.length,
|
|
256
|
-
filesScanned: results.reduce((sum, r) => sum + r.files.length, 0),
|
|
257
|
-
resourcesScanned: results.reduce((sum, r) => sum + r.resourceCount, 0),
|
|
258
|
-
totalFindings: totalFindings.length,
|
|
259
|
-
score: totalScore,
|
|
260
|
-
critical: totalFindings.filter(f => f.severity === "critical").length,
|
|
261
|
-
high: totalFindings.filter(f => f.severity === "high").length,
|
|
262
|
-
medium: totalFindings.filter(f => f.severity === "medium").length,
|
|
263
|
-
low: totalFindings.filter(f => f.severity === "low").length,
|
|
264
|
-
},
|
|
265
|
-
}, null, 2));
|
|
266
|
-
|
|
267
|
-
return totalFindings.some(f => f.severity === "critical" || f.severity === "high")
|
|
268
|
-
? EXIT.BLOCKING
|
|
269
|
-
: totalFindings.length > 0 ? EXIT.WARNINGS : EXIT.SUCCESS;
|
|
270
|
-
}
|
|
271
|
-
|
|
272
|
-
// SARIF output
|
|
273
|
-
if (opts.sarif) {
|
|
274
|
-
let formatAsSARIF;
|
|
275
|
-
try {
|
|
276
|
-
formatAsSARIF = require("@vibecheck/security").formatAsSARIF ||
|
|
277
|
-
require("../../packages/security/src/iac/scanner").formatAsSARIF;
|
|
278
|
-
} catch {
|
|
279
|
-
// Manual SARIF format
|
|
280
|
-
formatAsSARIF = (results) => ({
|
|
281
|
-
$schema: "https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json",
|
|
282
|
-
version: "2.1.0",
|
|
283
|
-
runs: results.map(result => ({
|
|
284
|
-
tool: {
|
|
285
|
-
driver: {
|
|
286
|
-
name: `vibecheck-${result.provider}`,
|
|
287
|
-
version: "1.0.0",
|
|
288
|
-
informationUri: "https://vibecheckai.dev",
|
|
289
|
-
},
|
|
290
|
-
},
|
|
291
|
-
results: result.findings.map(f => ({
|
|
292
|
-
ruleId: f.id,
|
|
293
|
-
level: f.severity === "critical" || f.severity === "high" ? "error" : "warning",
|
|
294
|
-
message: { text: f.description },
|
|
295
|
-
locations: [{
|
|
296
|
-
physicalLocation: {
|
|
297
|
-
artifactLocation: { uri: f.file },
|
|
298
|
-
region: f.line ? { startLine: f.line } : undefined,
|
|
299
|
-
},
|
|
300
|
-
}],
|
|
301
|
-
})),
|
|
302
|
-
})),
|
|
303
|
-
});
|
|
304
|
-
}
|
|
305
|
-
|
|
306
|
-
console.log(JSON.stringify(formatAsSARIF(results), null, 2));
|
|
307
|
-
return EXIT.SUCCESS;
|
|
308
|
-
}
|
|
309
|
-
|
|
310
|
-
// Human-readable output
|
|
311
|
-
console.log("");
|
|
312
|
-
|
|
313
|
-
for (const result of results) {
|
|
314
|
-
const providerColor = result.provider === "terraform" ? colors.terraform : colors.cloudformation;
|
|
315
|
-
const providerIcon = result.provider === "terraform" ? "🏗️" : "☁️";
|
|
316
|
-
|
|
317
|
-
console.log(`${providerIcon} ${c.bold}${providerColor}${result.provider.toUpperCase()}${c.reset}`);
|
|
318
|
-
console.log(` Files: ${result.files.length} • Resources: ${result.resourceCount} • Score: ${result.score >= 80 ? colors.success : result.score >= 60 ? colors.medium : colors.critical}${result.score}/100${c.reset}`);
|
|
319
|
-
console.log("");
|
|
320
|
-
|
|
321
|
-
if (result.findings.length === 0) {
|
|
322
|
-
console.log(` ${colors.success}${icons.check}${c.reset} No issues found\n`);
|
|
323
|
-
} else {
|
|
324
|
-
// Group by severity
|
|
325
|
-
const bySeverity = {
|
|
326
|
-
critical: result.findings.filter(f => f.severity === "critical"),
|
|
327
|
-
high: result.findings.filter(f => f.severity === "high"),
|
|
328
|
-
medium: result.findings.filter(f => f.severity === "medium"),
|
|
329
|
-
low: result.findings.filter(f => f.severity === "low"),
|
|
330
|
-
};
|
|
331
|
-
|
|
332
|
-
for (const [severity, findings] of Object.entries(bySeverity)) {
|
|
333
|
-
if (findings.length > 0) {
|
|
334
|
-
for (const finding of findings) {
|
|
335
|
-
console.log(formatFinding(finding, opts.verbose));
|
|
336
|
-
}
|
|
337
|
-
}
|
|
338
|
-
}
|
|
339
|
-
}
|
|
340
|
-
|
|
341
|
-
// Show scanned files
|
|
342
|
-
if (opts.verbose && result.files.length > 0) {
|
|
343
|
-
console.log(` ${c.dim}Files scanned:${c.reset}`);
|
|
344
|
-
for (const file of result.files.slice(0, 10)) {
|
|
345
|
-
console.log(` ${c.dim}• ${path.relative(process.cwd(), file)}${c.reset}`);
|
|
346
|
-
}
|
|
347
|
-
if (result.files.length > 10) {
|
|
348
|
-
console.log(` ${c.dim}... and ${result.files.length - 10} more${c.reset}`);
|
|
349
|
-
}
|
|
350
|
-
console.log("");
|
|
351
|
-
}
|
|
352
|
-
}
|
|
353
|
-
|
|
354
|
-
// Summary
|
|
355
|
-
console.log(`${c.dim}─────────────────────────────────────────────────────────────${c.reset}`);
|
|
356
|
-
const totalFiles = results.reduce((sum, r) => sum + r.files.length, 0);
|
|
357
|
-
const totalResources = results.reduce((sum, r) => sum + r.resourceCount, 0);
|
|
358
|
-
console.log(`${c.bold}Summary:${c.reset} ${totalFiles} file(s), ${totalResources} resource(s), ${totalFindings.length} finding(s), Score: ${totalScore}/100`);
|
|
359
|
-
console.log("");
|
|
360
|
-
|
|
361
|
-
return totalFindings.some(f => f.severity === "critical" || f.severity === "high")
|
|
362
|
-
? EXIT.BLOCKING
|
|
363
|
-
: totalFindings.length > 0 ? EXIT.WARNINGS : EXIT.SUCCESS;
|
|
364
|
-
|
|
365
|
-
} catch (error) {
|
|
366
|
-
spinner.fail("Scan failed");
|
|
367
|
-
console.error(`\n ${colors.critical}${icons.cross}${c.reset} ${error.message}\n`);
|
|
368
|
-
return EXIT.INTERNAL_ERROR;
|
|
369
|
-
}
|
|
370
|
-
}
|
|
371
|
-
|
|
372
|
-
module.exports = { runIaC };
|