npm - api-tests-coverage - Versions diffs - 1.0.0 - Mend

api-tests-coverage 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (288) hide show

package/README.md +703 -0
package/config.yaml.example +227 -0
package/dist/action/src/index.d.ts +2 -0
package/dist/action/src/index.d.ts.map +1 -0
package/dist/action/src/index.js +349 -0
package/dist/action/src/prComment.d.ts +34 -0
package/dist/action/src/prComment.d.ts.map +1 -0
package/dist/action/src/prComment.js +146 -0
package/dist/src/ast/astAnalysisOrchestrator.d.ts +36 -0
package/dist/src/ast/astAnalysisOrchestrator.d.ts.map +1 -0
package/dist/src/ast/astAnalysisOrchestrator.js +123 -0
package/dist/src/ast/astTypes.d.ts +105 -0
package/dist/src/ast/astTypes.d.ts.map +1 -0
package/dist/src/ast/astTypes.js +9 -0
package/dist/src/ast/languageAnalyzer.d.ts +46 -0
package/dist/src/ast/languageAnalyzer.d.ts.map +1 -0
package/dist/src/ast/languageAnalyzer.js +9 -0
package/dist/src/ast/languageCapabilities.d.ts +24 -0
package/dist/src/ast/languageCapabilities.d.ts.map +1 -0
package/dist/src/ast/languageCapabilities.js +92 -0
package/dist/src/ast/parseFile.d.ts +16 -0
package/dist/src/ast/parseFile.d.ts.map +1 -0
package/dist/src/ast/parseFile.js +65 -0
package/dist/src/ast/parserRegistry.d.ts +39 -0
package/dist/src/ast/parserRegistry.d.ts.map +1 -0
package/dist/src/ast/parserRegistry.js +66 -0
package/dist/src/buildSummary.d.ts +26 -0
package/dist/src/buildSummary.d.ts.map +1 -0
package/dist/src/buildSummary.js +193 -0
package/dist/src/businessCoverage.d.ts +68 -0
package/dist/src/businessCoverage.d.ts.map +1 -0
package/dist/src/businessCoverage.js +290 -0
package/dist/src/compatibilityCoverage.d.ts +83 -0
package/dist/src/compatibilityCoverage.d.ts.map +1 -0
package/dist/src/compatibilityCoverage.js +501 -0
package/dist/src/config/defaultConfig.d.ts +9 -0
package/dist/src/config/defaultConfig.d.ts.map +1 -0
package/dist/src/config/defaultConfig.js +97 -0
package/dist/src/config/index.d.ts +12 -0
package/dist/src/config/index.d.ts.map +1 -0
package/dist/src/config/index.js +37 -0
package/dist/src/config/loadConfig.d.ts +29 -0
package/dist/src/config/loadConfig.d.ts.map +1 -0
package/dist/src/config/loadConfig.js +135 -0
package/dist/src/config/mergeConfig.d.ts +15 -0
package/dist/src/config/mergeConfig.d.ts.map +1 -0
package/dist/src/config/mergeConfig.js +57 -0
package/dist/src/config/schema.d.ts +15 -0
package/dist/src/config/schema.d.ts.map +1 -0
package/dist/src/config/schema.js +30 -0
package/dist/src/config/types.d.ts +175 -0
package/dist/src/config/types.d.ts.map +1 -0
package/dist/src/config/types.js +9 -0
package/dist/src/config/validateConfig.d.ts +22 -0
package/dist/src/config/validateConfig.d.ts.map +1 -0
package/dist/src/config/validateConfig.js +171 -0
package/dist/src/config.d.ts +168 -0
package/dist/src/config.d.ts.map +1 -0
package/dist/src/config.js +204 -0
package/dist/src/coverage/deep-analysis/callGraph.d.ts +67 -0
package/dist/src/coverage/deep-analysis/callGraph.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/callGraph.js +275 -0
package/dist/src/coverage/deep-analysis/deepEndpointResolver.d.ts +23 -0
package/dist/src/coverage/deep-analysis/deepEndpointResolver.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/deepEndpointResolver.js +394 -0
package/dist/src/coverage/deep-analysis/index.d.ts +17 -0
package/dist/src/coverage/deep-analysis/index.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/index.js +63 -0
package/dist/src/coverage/deep-analysis/resolveAssertions.d.ts +60 -0
package/dist/src/coverage/deep-analysis/resolveAssertions.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/resolveAssertions.js +121 -0
package/dist/src/coverage/deep-analysis/resolveConstants.d.ts +36 -0
package/dist/src/coverage/deep-analysis/resolveConstants.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/resolveConstants.js +92 -0
package/dist/src/coverage/deep-analysis/resolveEnums.d.ts +55 -0
package/dist/src/coverage/deep-analysis/resolveEnums.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/resolveEnums.js +152 -0
package/dist/src/coverage/deep-analysis/resolveMethodChains.d.ts +70 -0
package/dist/src/coverage/deep-analysis/resolveMethodChains.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/resolveMethodChains.js +152 -0
package/dist/src/coverage/deep-analysis/resolvePaths.d.ts +80 -0
package/dist/src/coverage/deep-analysis/resolvePaths.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/resolvePaths.js +216 -0
package/dist/src/coverage/deep-analysis/resolveRequestWrappers.d.ts +71 -0
package/dist/src/coverage/deep-analysis/resolveRequestWrappers.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/resolveRequestWrappers.js +226 -0
package/dist/src/coverage/deep-analysis/symbolTable.d.ts +58 -0
package/dist/src/coverage/deep-analysis/symbolTable.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/symbolTable.js +230 -0
package/dist/src/coverage/deep-analysis/types.d.ts +122 -0
package/dist/src/coverage/deep-analysis/types.d.ts.map +1 -0
package/dist/src/coverage/deep-analysis/types.js +21 -0
package/dist/src/discovery/fileClassifier.d.ts +50 -0
package/dist/src/discovery/fileClassifier.d.ts.map +1 -0
package/dist/src/discovery/fileClassifier.js +238 -0
package/dist/src/discovery/projectDiscovery.d.ts +66 -0
package/dist/src/discovery/projectDiscovery.d.ts.map +1 -0
package/dist/src/discovery/projectDiscovery.js +287 -0
package/dist/src/endpointCoverage.d.ts +70 -0
package/dist/src/endpointCoverage.d.ts.map +1 -0
package/dist/src/endpointCoverage.js +381 -0
package/dist/src/errorCoverage.d.ts +93 -0
package/dist/src/errorCoverage.d.ts.map +1 -0
package/dist/src/errorCoverage.js +698 -0
package/dist/src/index.d.ts +3 -0
package/dist/src/index.d.ts.map +1 -0
package/dist/src/index.js +1441 -0
package/dist/src/inference/businessRuleInference.d.ts +63 -0
package/dist/src/inference/businessRuleInference.d.ts.map +1 -0
package/dist/src/inference/businessRuleInference.js +268 -0
package/dist/src/inference/integrationFlowInference.d.ts +56 -0
package/dist/src/inference/integrationFlowInference.d.ts.map +1 -0
package/dist/src/inference/integrationFlowInference.js +266 -0
package/dist/src/integrationCoverage.d.ts +72 -0
package/dist/src/integrationCoverage.d.ts.map +1 -0
package/dist/src/integrationCoverage.js +317 -0
package/dist/src/intelligence/index.d.ts +20 -0
package/dist/src/intelligence/index.d.ts.map +1 -0
package/dist/src/intelligence/index.js +105 -0
package/dist/src/intelligence/linkageEngine.d.ts +20 -0
package/dist/src/intelligence/linkageEngine.d.ts.map +1 -0
package/dist/src/intelligence/linkageEngine.js +522 -0
package/dist/src/intelligence/markdownReporter.d.ts +12 -0
package/dist/src/intelligence/markdownReporter.d.ts.map +1 -0
package/dist/src/intelligence/markdownReporter.js +265 -0
package/dist/src/intelligence/riskScoring.d.ts +53 -0
package/dist/src/intelligence/riskScoring.d.ts.map +1 -0
package/dist/src/intelligence/riskScoring.js +181 -0
package/dist/src/intelligence/types.d.ts +121 -0
package/dist/src/intelligence/types.d.ts.map +1 -0
package/dist/src/intelligence/types.js +8 -0
package/dist/src/languageDetection.d.ts +100 -0
package/dist/src/languageDetection.d.ts.map +1 -0
package/dist/src/languageDetection.js +349 -0
package/dist/src/languages/java/index.d.ts +16 -0
package/dist/src/languages/java/index.d.ts.map +1 -0
package/dist/src/languages/java/index.js +103 -0
package/dist/src/languages/java/parser.d.ts +7 -0
package/dist/src/languages/java/parser.d.ts.map +1 -0
package/dist/src/languages/java/parser.js +50 -0
package/dist/src/languages/java/semanticBuilder.d.ts +21 -0
package/dist/src/languages/java/semanticBuilder.d.ts.map +1 -0
package/dist/src/languages/java/semanticBuilder.js +358 -0
package/dist/src/languages/javascript/annotationExtractor.d.ts +20 -0
package/dist/src/languages/javascript/annotationExtractor.d.ts.map +1 -0
package/dist/src/languages/javascript/annotationExtractor.js +94 -0
package/dist/src/languages/javascript/assertionResolver.d.ts +18 -0
package/dist/src/languages/javascript/assertionResolver.d.ts.map +1 -0
package/dist/src/languages/javascript/assertionResolver.js +150 -0
package/dist/src/languages/javascript/callResolver.d.ts +23 -0
package/dist/src/languages/javascript/callResolver.d.ts.map +1 -0
package/dist/src/languages/javascript/callResolver.js +236 -0
package/dist/src/languages/javascript/httpInteractionExtractor.d.ts +23 -0
package/dist/src/languages/javascript/httpInteractionExtractor.d.ts.map +1 -0
package/dist/src/languages/javascript/httpInteractionExtractor.js +205 -0
package/dist/src/languages/javascript/index.d.ts +20 -0
package/dist/src/languages/javascript/index.d.ts.map +1 -0
package/dist/src/languages/javascript/index.js +136 -0
package/dist/src/languages/javascript/parser.d.ts +14 -0
package/dist/src/languages/javascript/parser.d.ts.map +1 -0
package/dist/src/languages/javascript/parser.js +38 -0
package/dist/src/languages/javascript/symbolResolver.d.ts +31 -0
package/dist/src/languages/javascript/symbolResolver.d.ts.map +1 -0
package/dist/src/languages/javascript/symbolResolver.js +183 -0
package/dist/src/languages/kotlin/index.d.ts +16 -0
package/dist/src/languages/kotlin/index.d.ts.map +1 -0
package/dist/src/languages/kotlin/index.js +151 -0
package/dist/src/languages/kotlin/parser.d.ts +11 -0
package/dist/src/languages/kotlin/parser.d.ts.map +1 -0
package/dist/src/languages/kotlin/parser.js +74 -0
package/dist/src/languages/python/index.d.ts +15 -0
package/dist/src/languages/python/index.d.ts.map +1 -0
package/dist/src/languages/python/index.js +293 -0
package/dist/src/languages/ruby/index.d.ts +15 -0
package/dist/src/languages/ruby/index.d.ts.map +1 -0
package/dist/src/languages/ruby/index.js +274 -0
package/dist/src/languages/shared/treeSitterUtils.d.ts +43 -0
package/dist/src/languages/shared/treeSitterUtils.d.ts.map +1 -0
package/dist/src/languages/shared/treeSitterUtils.js +100 -0
package/dist/src/languages/typescript/index.d.ts +14 -0
package/dist/src/languages/typescript/index.d.ts.map +1 -0
package/dist/src/languages/typescript/index.js +25 -0
package/dist/src/lib/index.d.ts +228 -0
package/dist/src/lib/index.d.ts.map +1 -0
package/dist/src/lib/index.js +486 -0
package/dist/src/mcp/client/index.d.ts +37 -0
package/dist/src/mcp/client/index.d.ts.map +1 -0
package/dist/src/mcp/client/index.js +235 -0
package/dist/src/mcp/config.d.ts +50 -0
package/dist/src/mcp/config.d.ts.map +1 -0
package/dist/src/mcp/config.js +125 -0
package/dist/src/mcp/events.d.ts +24 -0
package/dist/src/mcp/events.d.ts.map +1 -0
package/dist/src/mcp/events.js +48 -0
package/dist/src/mcp/fallback/index.d.ts +50 -0
package/dist/src/mcp/fallback/index.d.ts.map +1 -0
package/dist/src/mcp/fallback/index.js +216 -0
package/dist/src/mcp/index.d.ts +67 -0
package/dist/src/mcp/index.d.ts.map +1 -0
package/dist/src/mcp/index.js +212 -0
package/dist/src/mcp/normalizer.d.ts +21 -0
package/dist/src/mcp/normalizer.d.ts.map +1 -0
package/dist/src/mcp/normalizer.js +99 -0
package/dist/src/mcp/prompts/index.d.ts +86 -0
package/dist/src/mcp/prompts/index.d.ts.map +1 -0
package/dist/src/mcp/prompts/index.js +304 -0
package/dist/src/mcp/templates/index.d.ts +35 -0
package/dist/src/mcp/templates/index.d.ts.map +1 -0
package/dist/src/mcp/templates/index.js +143 -0
package/dist/src/mcp/testing/mock-server/index.d.ts +47 -0
package/dist/src/mcp/testing/mock-server/index.d.ts.map +1 -0
package/dist/src/mcp/testing/mock-server/index.js +157 -0
package/dist/src/mcp/types.d.ts +127 -0
package/dist/src/mcp/types.d.ts.map +1 -0
package/dist/src/mcp/types.js +8 -0
package/dist/src/observability.d.ts +138 -0
package/dist/src/observability.d.ts.map +1 -0
package/dist/src/observability.js +519 -0
package/dist/src/parameterCoverage.d.ts +75 -0
package/dist/src/parameterCoverage.d.ts.map +1 -0
package/dist/src/parameterCoverage.js +629 -0
package/dist/src/perfResilienceCoverage.d.ts +155 -0
package/dist/src/perfResilienceCoverage.d.ts.map +1 -0
package/dist/src/perfResilienceCoverage.js +670 -0
package/dist/src/pluginLoader.d.ts +51 -0
package/dist/src/pluginLoader.d.ts.map +1 -0
package/dist/src/pluginLoader.js +72 -0
package/dist/src/publishing.d.ts +63 -0
package/dist/src/publishing.d.ts.map +1 -0
package/dist/src/publishing.js +379 -0
package/dist/src/qualityGate.d.ts +58 -0
package/dist/src/qualityGate.d.ts.map +1 -0
package/dist/src/qualityGate.js +118 -0
package/dist/src/reporting.d.ts +41 -0
package/dist/src/reporting.d.ts.map +1 -0
package/dist/src/reporting.js +278 -0
package/dist/src/screenshots.d.ts +71 -0
package/dist/src/screenshots.d.ts.map +1 -0
package/dist/src/screenshots.js +141 -0
package/dist/src/security/gate/index.d.ts +11 -0
package/dist/src/security/gate/index.d.ts.map +1 -0
package/dist/src/security/gate/index.js +65 -0
package/dist/src/security/index.d.ts +30 -0
package/dist/src/security/index.d.ts.map +1 -0
package/dist/src/security/index.js +342 -0
package/dist/src/security/normalizers/semgrep.d.ts +10 -0
package/dist/src/security/normalizers/semgrep.d.ts.map +1 -0
package/dist/src/security/normalizers/semgrep.js +104 -0
package/dist/src/security/normalizers/trivy.d.ts +10 -0
package/dist/src/security/normalizers/trivy.d.ts.map +1 -0
package/dist/src/security/normalizers/trivy.js +78 -0
package/dist/src/security/normalizers/zap.d.ts +10 -0
package/dist/src/security/normalizers/zap.d.ts.map +1 -0
package/dist/src/security/normalizers/zap.js +104 -0
package/dist/src/security/scanners/semgrep.d.ts +6 -0
package/dist/src/security/scanners/semgrep.d.ts.map +1 -0
package/dist/src/security/scanners/semgrep.js +125 -0
package/dist/src/security/scanners/trivy.d.ts +6 -0
package/dist/src/security/scanners/trivy.d.ts.map +1 -0
package/dist/src/security/scanners/trivy.js +115 -0
package/dist/src/security/scanners/zap.d.ts +6 -0
package/dist/src/security/scanners/zap.d.ts.map +1 -0
package/dist/src/security/scanners/zap.js +135 -0
package/dist/src/security/types.d.ts +146 -0
package/dist/src/security/types.d.ts.map +1 -0
package/dist/src/security/types.js +6 -0
package/dist/src/securityCoverage.d.ts +116 -0
package/dist/src/securityCoverage.d.ts.map +1 -0
package/dist/src/securityCoverage.js +725 -0
package/dist/src/summary/buildSummary.d.ts +28 -0
package/dist/src/summary/buildSummary.d.ts.map +1 -0
package/dist/src/summary/buildSummary.js +257 -0
package/dist/src/summary/evaluateMetrics.d.ts +31 -0
package/dist/src/summary/evaluateMetrics.d.ts.map +1 -0
package/dist/src/summary/evaluateMetrics.js +118 -0
package/dist/src/summary/index.d.ts +10 -0
package/dist/src/summary/index.d.ts.map +1 -0
package/dist/src/summary/index.js +22 -0
package/dist/src/summary/markdownRenderer.d.ts +139 -0
package/dist/src/summary/markdownRenderer.d.ts.map +1 -0
package/dist/src/summary/markdownRenderer.js +459 -0
package/dist/src/summary/prSummary.d.ts +24 -0
package/dist/src/summary/prSummary.d.ts.map +1 -0
package/dist/src/summary/prSummary.js +233 -0
package/dist/src/summary/summaryTypes.d.ts +35 -0
package/dist/src/summary/summaryTypes.d.ts.map +1 -0
package/dist/src/summary/summaryTypes.js +27 -0
package/package.json +84 -0

package/dist/src/security/normalizers/zap.d.ts ADDED Viewed

@@ -0,0 +1,10 @@
+/**
+ * OWASP ZAP output normalizer.
+ * Converts ZAP JSON/XML findings to the common SecurityFinding model.
+ */
+import { SecurityFinding } from '../types';
+/**
+ * Parse ZAP JSON output and return normalized SecurityFindings.
+ */
+export declare function normalizeZapOutput(raw: unknown): SecurityFinding[];
+//# sourceMappingURL=zap.d.ts.map

package/dist/src/security/normalizers/zap.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"zap.d.ts","sourceRoot":"","sources":["../../../../src/security/normalizers/zap.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EACL,eAAe,EAGhB,MAAM,UAAU,CAAC;AA2HlB;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,GAAG,EAAE,OAAO,GAAG,eAAe,EAAE,CAyBlE"}

package/dist/src/security/normalizers/zap.js ADDED Viewed

@@ -0,0 +1,104 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeZapOutput = normalizeZapOutput;
+// ─── Severity mapping ─────────────────────────────────────────────────────────
+function mapZapSeverity(riskdesc, riskcode) {
+    const desc = (riskdesc !== null && riskdesc !== void 0 ? riskdesc : '').toLowerCase();
+    const code = Number(riskcode !== null && riskcode !== void 0 ? riskcode : -1);
+    if (desc.startsWith('critical') || code === 4)
+        return 'CRITICAL';
+    if (desc.startsWith('high') || code === 3)
+        return 'HIGH';
+    if (desc.startsWith('medium') || code === 2)
+        return 'MEDIUM';
+    return 'LOW';
+}
+// ─── Category mapping ─────────────────────────────────────────────────────────
+const ZAP_CATEGORY_PATTERNS = [
+    { pattern: /authentication|csrf|anti.forgery|brute.force|session.fixation|auth.bypass/i, category: 'auth' },
+    { pattern: /authorization|access.control|privilege|insecure.direct.object/i, category: 'auth' },
+    { pattern: /ssl|tls|certificate|cipher|transport.security|https|weak.cipher|insecure.transport/i, category: 'crypto' },
+    { pattern: /information.disclosure|sensitive.data|data.exposure|stack.trace|error.message|server.banner/i, category: 'data-exposure' },
+    { pattern: /misconfiguration|security.header|csp|cors|clickjacking|x.frame|x.content.type/i, category: 'misconfig' },
+    { pattern: /session|cookie|samesite|httponly|secure.flag/i, category: 'auth' },
+    { pattern: /injection|sqli|xss|cross.site|path.traversal|parameter.tamper|directory.traversal|template.injection|command.injection/i, category: 'injection' },
+];
+function mapZapCategory(alertName) {
+    for (const { pattern, category } of ZAP_CATEGORY_PATTERNS) {
+        if (pattern.test(alertName))
+            return category;
+    }
+    return 'dast';
+}
+function parseEndpoint(uri) {
+    if (!uri)
+        return undefined;
+    try {
+        const url = new URL(uri);
+        return { path: url.pathname };
+    }
+    catch {
+        return { path: uri };
+    }
+}
+// ─── Alert extraction ─────────────────────────────────────────────────────────
+function extractAlerts(data) {
+    // Top-level alerts array
+    if (Array.isArray(data.alerts) && data.alerts.length > 0) {
+        return data.alerts;
+    }
+    // site.alerts (single or array of sites)
+    const sites = data.site
+        ? Array.isArray(data.site)
+            ? data.site
+            : [data.site]
+        : [];
+    const alerts = [];
+    for (const site of sites) {
+        if (Array.isArray(site.alerts)) {
+            alerts.push(...site.alerts);
+        }
+    }
+    // Fallback: look for top-level key that looks like alerts
+    if (alerts.length === 0) {
+        for (const value of Object.values(data)) {
+            if (Array.isArray(value) && value.length > 0 && value[0] && typeof value[0] === 'object') {
+                const first = value[0];
+                if ('alert' in first || 'name' in first || 'riskdesc' in first) {
+                    alerts.push(...value);
+                    break;
+                }
+            }
+        }
+    }
+    return alerts;
+}
+// ─── Normalizer ───────────────────────────────────────────────────────────────
+/**
+ * Parse ZAP JSON output and return normalized SecurityFindings.
+ */
+function normalizeZapOutput(raw) {
+    const data = raw;
+    const alerts = extractAlerts(data);
+    return alerts.map((alert) => {
+        var _a, _b, _c, _d, _e, _f, _g, _h, _j, _k;
+        const name = (_b = (_a = alert.alert) !== null && _a !== void 0 ? _a : alert.name) !== null && _b !== void 0 ? _b : 'Unknown ZAP finding';
+        const uri = (_d = (_c = alert.uri) !== null && _c !== void 0 ? _c : alert.url) !== null && _d !== void 0 ? _d : (_f = (_e = alert.instances) === null || _e === void 0 ? void 0 : _e[0]) === null || _f === void 0 ? void 0 : _f.uri;
+        const method = (_g = alert.method) !== null && _g !== void 0 ? _g : (_j = (_h = alert.instances) === null || _h === void 0 ? void 0 : _h[0]) === null || _j === void 0 ? void 0 : _j.method;
+        return {
+            scanner: 'zap',
+            category: mapZapCategory(name),
+            severity: mapZapSeverity(alert.riskdesc, alert.riskcode),
+            title: name,
+            description: alert.description,
+            ruleId: (_k = alert.pluginid) !== null && _k !== void 0 ? _k : alert.sourceid,
+            cwe: alert.cweid ? [`CWE-${alert.cweid}`] : undefined,
+            endpoint: uri
+                ? { ...parseEndpoint(uri), method: method === null || method === void 0 ? void 0 : method.toUpperCase() }
+                : method
+                    ? { method: method.toUpperCase() }
+                    : undefined,
+            scannerNativePayload: alert,
+        };
+    });
+}

package/dist/src/security/scanners/semgrep.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import { SemgrepScannerConfig, ScannerResult } from '../types';
+/**
+ * Run the Semgrep scanner according to the given configuration.
+ */
+export declare function runSemgrep(config: SemgrepScannerConfig, workspace?: string): Promise<ScannerResult>;
+//# sourceMappingURL=semgrep.d.ts.map

package/dist/src/security/scanners/semgrep.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"semgrep.d.ts","sourceRoot":"","sources":["../../../../src/security/scanners/semgrep.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,oBAAoB,EAAmB,aAAa,EAAE,MAAM,UAAU,CAAC;AAkEhF;;GAEG;AACH,wBAAsB,UAAU,CAC9B,MAAM,EAAE,oBAAoB,EAC5B,SAAS,GAAE,MAAY,GACtB,OAAO,CAAC,aAAa,CAAC,CAuBxB"}

package/dist/src/security/scanners/semgrep.js ADDED Viewed

@@ -0,0 +1,125 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runSemgrep = runSemgrep;
+/**
+ * Semgrep scanner integration.
+ * Supports embedded (binary) and import (pre-generated JSON) modes.
+ */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const child_process_1 = require("child_process");
+const util_1 = require("util");
+const semgrep_1 = require("../normalizers/semgrep");
+const execFileAsync = (0, util_1.promisify)(child_process_1.execFile);
+/**
+ * Run Semgrep in embedded mode.
+ * Invokes the `semgrep` binary and parses its JSON output.
+ */
+async function runEmbedded(config, workspace) {
+    var _a, _b, _c;
+    const binary = (_a = config.binaryPath) !== null && _a !== void 0 ? _a : 'semgrep';
+    const semgrepConfig = (_b = config.config) !== null && _b !== void 0 ? _b : 'p/default';
+    const timeout = ((_c = config.timeout) !== null && _c !== void 0 ? _c : 120) * 1000;
+    const args = [
+        'scan',
+        '--json',
+        '--config', semgrepConfig,
+    ];
+    if (config.include && config.include.length > 0) {
+        for (const inc of config.include) {
+            args.push('--include', inc);
+        }
+    }
+    if (config.exclude && config.exclude.length > 0) {
+        for (const exc of config.exclude) {
+            args.push('--exclude', exc);
+        }
+    }
+    args.push(workspace);
+    const { stdout } = await execFileAsync(binary, args, { timeout, maxBuffer: 50 * 1024 * 1024 });
+    let raw;
+    try {
+        raw = JSON.parse(stdout);
+    }
+    catch {
+        throw new Error(`Failed to parse Semgrep JSON output: ${stdout.slice(0, 500)}`);
+    }
+    return (0, semgrep_1.normalizeSemgrepOutput)(raw);
+}
+/**
+ * Import Semgrep findings from a pre-generated JSON report.
+ */
+function importFromFile(reportPath) {
+    const resolved = path.resolve(reportPath);
+    if (!fs.existsSync(resolved)) {
+        throw new Error(`Semgrep report file not found: ${resolved}`);
+    }
+    const content = fs.readFileSync(resolved, 'utf-8');
+    let raw;
+    try {
+        raw = JSON.parse(content);
+    }
+    catch {
+        throw new Error(`Failed to parse Semgrep report file: ${resolved}`);
+    }
+    return (0, semgrep_1.normalizeSemgrepOutput)(raw);
+}
+/**
+ * Run the Semgrep scanner according to the given configuration.
+ */
+async function runSemgrep(config, workspace = '.') {
+    if (!config.enabled || config.mode === 'disabled') {
+        return { scanner: 'semgrep', findings: [], success: true };
+    }
+    try {
+        let findings;
+        if (config.mode === 'import') {
+            if (!config.reportPath) {
+                throw new Error('Semgrep import mode requires reportPath to be set');
+            }
+            findings = importFromFile(config.reportPath);
+        }
+        else {
+            // embedded or hybrid: run the binary
+            findings = await runEmbedded(config, workspace);
+        }
+        return { scanner: 'semgrep', findings, success: true };
+    }
+    catch (err) {
+        const error = err instanceof Error ? err.message : String(err);
+        return { scanner: 'semgrep', findings: [], success: false, error };
+    }
+}

package/dist/src/security/scanners/trivy.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import { TrivyScannerConfig, ScannerResult } from '../types';
+/**
+ * Run the Trivy scanner according to the given configuration.
+ */
+export declare function runTrivy(config: TrivyScannerConfig, workspace?: string): Promise<ScannerResult>;
+//# sourceMappingURL=trivy.d.ts.map

package/dist/src/security/scanners/trivy.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"trivy.d.ts","sourceRoot":"","sources":["../../../../src/security/scanners/trivy.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,kBAAkB,EAAmB,aAAa,EAAE,MAAM,UAAU,CAAC;AAuD9E;;GAEG;AACH,wBAAsB,QAAQ,CAC5B,MAAM,EAAE,kBAAkB,EAC1B,SAAS,GAAE,MAAY,GACtB,OAAO,CAAC,aAAa,CAAC,CAsBxB"}

package/dist/src/security/scanners/trivy.js ADDED Viewed

@@ -0,0 +1,115 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runTrivy = runTrivy;
+/**
+ * Trivy scanner integration.
+ * Supports embedded (binary) and import (pre-generated JSON) modes.
+ */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const child_process_1 = require("child_process");
+const util_1 = require("util");
+const trivy_1 = require("../normalizers/trivy");
+const execFileAsync = (0, util_1.promisify)(child_process_1.execFile);
+/**
+ * Run Trivy in embedded mode.
+ * Invokes the `trivy` binary and parses its JSON output.
+ */
+async function runEmbedded(config, workspace) {
+    var _a, _b, _c, _d;
+    const binary = (_a = config.binaryPath) !== null && _a !== void 0 ? _a : 'trivy';
+    const scanMode = (_b = config.scanMode) !== null && _b !== void 0 ? _b : 'fs';
+    const scanners = (_c = config.scanners) !== null && _c !== void 0 ? _c : ['vuln', 'secret'];
+    const timeout = ((_d = config.timeout) !== null && _d !== void 0 ? _d : 120) * 1000;
+    const args = [
+        scanMode,
+        '--format', 'json',
+        '--scanners', scanners.join(','),
+        workspace,
+    ];
+    const { stdout } = await execFileAsync(binary, args, { timeout, maxBuffer: 50 * 1024 * 1024 });
+    let raw;
+    try {
+        raw = JSON.parse(stdout);
+    }
+    catch {
+        throw new Error(`Failed to parse Trivy JSON output: ${stdout.slice(0, 500)}`);
+    }
+    return (0, trivy_1.normalizeTrivyOutput)(raw);
+}
+/**
+ * Import Trivy findings from a pre-generated JSON report.
+ */
+function importFromFile(reportPath) {
+    const resolved = path.resolve(reportPath);
+    if (!fs.existsSync(resolved)) {
+        throw new Error(`Trivy report file not found: ${resolved}`);
+    }
+    const content = fs.readFileSync(resolved, 'utf-8');
+    let raw;
+    try {
+        raw = JSON.parse(content);
+    }
+    catch {
+        throw new Error(`Failed to parse Trivy report file: ${resolved}`);
+    }
+    return (0, trivy_1.normalizeTrivyOutput)(raw);
+}
+/**
+ * Run the Trivy scanner according to the given configuration.
+ */
+async function runTrivy(config, workspace = '.') {
+    if (!config.enabled || config.mode === 'disabled') {
+        return { scanner: 'trivy', findings: [], success: true };
+    }
+    try {
+        let findings;
+        if (config.mode === 'import') {
+            if (!config.reportPath) {
+                throw new Error('Trivy import mode requires reportPath to be set');
+            }
+            findings = importFromFile(config.reportPath);
+        }
+        else {
+            findings = await runEmbedded(config, workspace);
+        }
+        return { scanner: 'trivy', findings, success: true };
+    }
+    catch (err) {
+        const error = err instanceof Error ? err.message : String(err);
+        return { scanner: 'trivy', findings: [], success: false, error };
+    }
+}

package/dist/src/security/scanners/zap.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+import { ZapScannerConfig, ScannerResult } from '../types';
+/**
+ * Run the ZAP scanner according to the given configuration.
+ */
+export declare function runZap(config: ZapScannerConfig): Promise<ScannerResult>;
+//# sourceMappingURL=zap.d.ts.map

package/dist/src/security/scanners/zap.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"zap.d.ts","sourceRoot":"","sources":["../../../../src/security/scanners/zap.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,gBAAgB,EAAmB,aAAa,EAAE,MAAM,UAAU,CAAC;AA+E5E;;GAEG;AACH,wBAAsB,MAAM,CAAC,MAAM,EAAE,gBAAgB,GAAG,OAAO,CAAC,aAAa,CAAC,CAsB7E"}

package/dist/src/security/scanners/zap.js ADDED Viewed

@@ -0,0 +1,135 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.runZap = runZap;
+/**
+ * OWASP ZAP scanner integration.
+ * Supports import (pre-generated JSON) and embedded (binary) modes.
+ */
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const child_process_1 = require("child_process");
+const util_1 = require("util");
+const zap_1 = require("../normalizers/zap");
+const execFileAsync = (0, util_1.promisify)(child_process_1.execFile);
+/**
+ * Run ZAP in embedded mode using the baseline scan script.
+ */
+async function runEmbedded(config) {
+    var _a;
+    if (!config.targetUrl) {
+        throw new Error('ZAP embedded mode requires targetUrl to be set');
+    }
+    const timeout = ((_a = config.timeout) !== null && _a !== void 0 ? _a : 300) * 1000;
+    const reportFile = path.join(process.cwd(), 'reports', 'zap-raw.json');
+    // Ensure reports directory exists
+    const reportsDir = path.dirname(reportFile);
+    if (!fs.existsSync(reportsDir)) {
+        fs.mkdirSync(reportsDir, { recursive: true });
+    }
+    // Run zap-baseline.py with parameterized arguments (no shell interpolation)
+    let ranSuccessfully = false;
+    try {
+        await execFileAsync('zap-baseline.py', ['-t', config.targetUrl, '-J', reportFile], { timeout, maxBuffer: 10 * 1024 * 1024 });
+        ranSuccessfully = true;
+    }
+    catch {
+        // zap-baseline.py may exit with non-zero even on success; check the output file
+        ranSuccessfully = fs.existsSync(reportFile);
+    }
+    if (!ranSuccessfully) {
+        // Try zap.sh as fallback (also parameterized, no shell interpolation)
+        try {
+            await execFileAsync('zap.sh', ['-cmd', '-quickurl', config.targetUrl, '-quickout', reportFile, '-quickprogress'], { timeout, maxBuffer: 10 * 1024 * 1024 });
+        }
+        catch (e) {
+            if (!fs.existsSync(reportFile)) {
+                throw new Error(`ZAP embedded scan failed: ${e instanceof Error ? e.message : String(e)}`);
+            }
+        }
+    }
+    const content = fs.readFileSync(reportFile, 'utf-8');
+    let raw;
+    try {
+        raw = JSON.parse(content);
+    }
+    catch {
+        throw new Error(`Failed to parse ZAP JSON output from ${reportFile}`);
+    }
+    return (0, zap_1.normalizeZapOutput)(raw);
+}
+/**
+ * Import ZAP findings from a pre-generated JSON report.
+ */
+function importFromFile(reportPath) {
+    const resolved = path.resolve(reportPath);
+    if (!fs.existsSync(resolved)) {
+        throw new Error(`ZAP report file not found: ${resolved}`);
+    }
+    const content = fs.readFileSync(resolved, 'utf-8');
+    let raw;
+    try {
+        raw = JSON.parse(content);
+    }
+    catch {
+        throw new Error(`Failed to parse ZAP report file: ${resolved}`);
+    }
+    return (0, zap_1.normalizeZapOutput)(raw);
+}
+/**
+ * Run the ZAP scanner according to the given configuration.
+ */
+async function runZap(config) {
+    if (!config.enabled || config.mode === 'disabled') {
+        return { scanner: 'zap', findings: [], success: true };
+    }
+    try {
+        let findings;
+        if (config.mode === 'import') {
+            if (!config.reportPath) {
+                throw new Error('ZAP import mode requires reportPath to be set');
+            }
+            findings = importFromFile(config.reportPath);
+        }
+        else {
+            findings = await runEmbedded(config);
+        }
+        return { scanner: 'zap', findings, success: true };
+    }
+    catch (err) {
+        const error = err instanceof Error ? err.message : String(err);
+        return { scanner: 'zap', findings: [], success: false, error };
+    }
+}

package/dist/src/security/types.d.ts ADDED Viewed

@@ -0,0 +1,146 @@
+/**
+ * Normalized security finding model.
+ * All scanner outputs (Semgrep, Trivy, ZAP, etc.) are mapped to this common schema.
+ */
+export type ScannerName = 'semgrep' | 'trivy' | 'zap' | 'gitleaks' | 'other';
+export type FindingCategory = 'sast' | 'sca' | 'secret' | 'misconfig' | 'dast' | 'auth' | 'injection' | 'data-exposure' | 'crypto' | 'unknown';
+export type FindingSeverity = 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+export interface SecurityFinding {
+    scanner: ScannerName;
+    category: FindingCategory;
+    severity: FindingSeverity;
+    title: string;
+    description?: string;
+    ruleId?: string;
+    cwe?: string[];
+    cve?: string[];
+    owasp?: string[];
+    filePath?: string;
+    lineStart?: number;
+    lineEnd?: number;
+    endpoint?: {
+        method?: string;
+        path?: string;
+    };
+    packageName?: string;
+    installedVersion?: string;
+    fixedVersion?: string;
+    secretType?: string;
+    scannerNativePayload?: unknown;
+}
+export type ScannerMode = 'embedded' | 'import' | 'disabled';
+export interface SemgrepScannerConfig {
+    enabled: boolean;
+    mode: ScannerMode;
+    /** Semgrep config (e.g. "p/default", "p/security-audit", or path to custom rules) */
+    config?: string;
+    /** Binary path override */
+    binaryPath?: string;
+    /** Include globs */
+    include?: string[];
+    /** Exclude globs */
+    exclude?: string[];
+    /** Timeout in seconds */
+    timeout?: number;
+    /** Path to pre-generated Semgrep JSON report (import mode) */
+    reportPath?: string;
+}
+export interface TrivyScannerConfig {
+    enabled: boolean;
+    mode: ScannerMode;
+    /** Scan mode: 'fs' (filesystem) or 'repo' */
+    scanMode?: 'fs' | 'repo';
+    /** What to scan: combinations of 'vuln', 'misconfig', 'secret' */
+    scanners?: Array<'vuln' | 'misconfig' | 'secret'>;
+    /** Binary path override */
+    binaryPath?: string;
+    /** Timeout in seconds */
+    timeout?: number;
+    /** Path to pre-generated Trivy JSON report (import mode) */
+    reportPath?: string;
+}
+export interface ZapScannerConfig {
+    enabled: boolean;
+    mode: ScannerMode;
+    /** Base URL for dynamic scanning */
+    targetUrl?: string;
+    /** Scan profile */
+    profile?: 'baseline' | 'full';
+    /** Authentication configuration */
+    auth?: {
+        loginUrl?: string;
+        username?: string;
+        password?: string;
+        tokenHeader?: string;
+        tokenValue?: string;
+    };
+    /** Timeout in seconds */
+    timeout?: number;
+    /** Path to pre-generated ZAP JSON/XML report (import mode) */
+    reportPath?: string;
+}
+export interface SecurityScannerConfigs {
+    semgrep?: SemgrepScannerConfig;
+    trivy?: TrivyScannerConfig;
+    zap?: ZapScannerConfig;
+}
+export interface SecurityGateConfig {
+    /** Fail if any CRITICAL finding exists */
+    failOnCritical?: boolean;
+    /** Fail if any HIGH finding exists */
+    failOnHigh?: boolean;
+    /** Maximum allowed MEDIUM findings */
+    maxMedium?: number;
+    /** Maximum allowed LOW findings */
+    maxLow?: number;
+    /** Maximum allowed secrets (any severity) */
+    maxSecrets?: number;
+    /** Maximum allowed HIGH misconfigurations */
+    maxMisconfigHigh?: number;
+    /** Maximum allowed CRITICAL vulnerabilities */
+    maxCriticalVulns?: number;
+    /** Maximum allowed HIGH vulnerabilities */
+    maxHighVulns?: number;
+}
+export interface SecurityScanConfig {
+    enabled: boolean;
+    /** Workspace directory to scan. Default: '.' */
+    workspace?: string;
+    scanners?: SecurityScannerConfigs;
+    gate?: SecurityGateConfig;
+}
+export interface ScannerResult {
+    scanner: ScannerName;
+    findings: SecurityFinding[];
+    /** Whether the scanner ran successfully */
+    success: boolean;
+    /** Error message if the scanner failed */
+    error?: string;
+    /** Raw output or metadata from the scanner */
+    metadata?: Record<string, unknown>;
+}
+export interface SecurityScanSummary {
+    scannersRun: ScannerName[];
+    totalFindings: number;
+    bySeverity: Record<FindingSeverity, number>;
+    byCategory: Record<FindingCategory, number>;
+    byScanner: Record<ScannerName, number>;
+    findings: SecurityFinding[];
+    gateResult?: SecurityGateResult;
+}
+export interface SecurityGateResult {
+    passed: boolean;
+    reasons: string[];
+    thresholds: SecurityGateConfig;
+    counts: {
+        critical: number;
+        high: number;
+        medium: number;
+        low: number;
+        secrets: number;
+        misconfigHigh: number;
+        criticalVulns: number;
+        highVulns: number;
+    };
+}
+//# sourceMappingURL=types.d.ts.map