api-tests-coverage 1.0.23 → 1.0.24

package/dist/src/security/hub.d.ts

@@ -0,0 +1,81 @@
+import type { AnalyzerConfig } from '../config/types';
+import type { SecurityControlCoverage, SecurityCoverageReport } from '../securityCoverage';
+import { FindingSeverity, ScannerName, SecurityFinding } from './types';
+type OwnFinding = {
+    severity: FindingSeverity;
+    title: string;
+    filePath: string;
+    lineStart?: number;
+    pattern: string;
+};
+type SecurityToolSection = {
+    source: ScannerName | null;
+    toolName: string;
+    version?: string;
+    generatedAt?: string;
+    reportFile?: string;
+    fullReportLink?: string;
+    reason?: string;
+    severityBreakdown: Record<FindingSeverity, number>;
+    topFindings: SecurityFinding[];
+};
+export interface SecurityFullReport {
+    generatedAt: string;
+    authCoverage: {
+        source: 'own-scanner';
+        oauth2Detected: boolean;
+        jwtDetected: boolean;
+        endpointsWithAuth: number;
+        endpointsTotal: number;
+        endpointsMissingAuth: string[];
+        testedAuthFlows: number;
+    };
+    ownScanFindings: {
+        source: 'own-scanner';
+        hardcodedSecrets: OwnFinding[];
+        injectionRisks: OwnFinding[];
+        kafkaSecurityIssues: OwnFinding[];
+        insecurePatterns: OwnFinding[];
+    };
+    dependencyScan: SecurityToolSection & {
+        vulnerabilities: SecurityFinding[];
+    };
+    sastScan: SecurityToolSection & {
+        findings: SecurityFinding[];
+    };
+    secretScan: SecurityToolSection & {
+        secrets: SecurityFinding[];
+    };
+    dastScan: SecurityToolSection & {
+        findings: SecurityFinding[];
+    };
+    riskSummary: {
+        overallRisk: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL';
+        criticalItems: Array<{
+            source: string;
+            severity: FindingSeverity;
+            title: string;
+            file?: string;
+            line?: number;
+        }>;
+        recommendations: string[];
+    };
+}
+export interface SecurityHubOptions {
+    specPath: string;
+    testsGlob: string;
+    sourceGlob?: string;
+    reportsDir: string;
+    coverageReport: SecurityCoverageReport;
+    coverages: SecurityControlCoverage[];
+    config: AnalyzerConfig;
+    semgrepReport?: string;
+    trivyReport?: string;
+    gitleaksReport?: string;
+    zapReport?: string;
+    workspace?: string;
+}
+export declare function generateSecurityFullReport(options: SecurityHubOptions): Promise<SecurityFullReport>;
+export declare function writeSecurityFullReport(report: SecurityFullReport, reportsDir: string): string;
+export {};
+//# sourceMappingURL=hub.d.ts.map

package/dist/src/security/hub.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"hub.d.ts","sourceRoot":"","sources":["../../../src/security/hub.ts"],"names":[],"mappings":"AAMA,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,iBAAiB,CAAC;AACtD,OAAO,KAAK,EAAE,uBAAuB,EAAE,sBAAsB,EAAE,MAAM,qBAAqB,CAAC;AAC3F,OAAO,EACL,eAAe,EACf,WAAW,EAEX,eAAe,EAEhB,MAAM,SAAS,CAAC;AAMjB,KAAK,UAAU,GAAG;IAChB,QAAQ,EAAE,eAAe,CAAC;IAC1B,KAAK,EAAE,MAAM,CAAC;IACd,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;CACjB,CAAC;AAOF,KAAK,mBAAmB,GAAG;IACzB,MAAM,EAAE,WAAW,GAAG,IAAI,CAAC;IAC3B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,iBAAiB,EAAE,MAAM,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;IACnD,WAAW,EAAE,eAAe,EAAE,CAAC;CAChC,CAAC;AAEF,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,YAAY,EAAE;QACZ,MAAM,EAAE,aAAa,CAAC;QACtB,cAAc,EAAE,OAAO,CAAC;QACxB,WAAW,EAAE,OAAO,CAAC;QACrB,iBAAiB,EAAE,MAAM,CAAC;QAC1B,cAAc,EAAE,MAAM,CAAC;QACvB,oBAAoB,EAAE,MAAM,EAAE,CAAC;QAC/B,eAAe,EAAE,MAAM,CAAC;KACzB,CAAC;IACF,eAAe,EAAE;QACf,MAAM,EAAE,aAAa,CAAC;QACtB,gBAAgB,EAAE,UAAU,EAAE,CAAC;QAC/B,cAAc,EAAE,UAAU,EAAE,CAAC;QAC7B,mBAAmB,EAAE,UAAU,EAAE,CAAC;QAClC,gBAAgB,EAAE,UAAU,EAAE,CAAC;KAChC,CAAC;IACF,cAAc,EAAE,mBAAmB,GAAG;QAAE,eAAe,EAAE,eAAe,EAAE,CAAA;KAAE,CAAC;IAC7E,QAAQ,EAAE,mBAAmB,GAAG;QAAE,QAAQ,EAAE,eAAe,EAAE,CAAA;KAAE,CAAC;IAChE,UAAU,EAAE,mBAAmB,GAAG;QAAE,OAAO,EAAE,eAAe,EAAE,CAAA;KAAE,CAAC;IACjE,QAAQ,EAAE,mBAAmB,GAAG;QAAE,QAAQ,EAAE,eAAe,EAAE,CAAA;KAAE,CAAC;IAChE,WAAW,EAAE;QACX,WAAW,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;QACpD,aAAa,EAAE,KAAK,CAAC;YACnB,MAAM,EAAE,MAAM,CAAC;YACf,QAAQ,EAAE,eAAe,CAAC;YAC1B,KAAK,EAAE,MAAM,CAAC;YACd,IAAI,CAAC,EAAE,MAAM,CAAC;YACd,IAAI,CAAC,EAAE,MAAM,CAAC;SACf,CAAC,CAAC;QACH,eAAe,EAAE,MAAM,EAAE,CAAC;KAC3B,CAAC;CACH;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,EAAE,sBAAsB,CAAC;IACvC,SAAS,EAAE,uBAAuB,EAAE,CAAC;IACrC,MAAM,EAAE,cAAc,CAAC;IACvB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AA8VD,wBAAsB,0BAA0B,CAAC,OAAO,EAAE,kBAAkB,GAAG,OAAO,CAAC,kBAAkB,CAAC,CAmEzG;AAED,wBAAgB,uBAAuB,CAAC,MAAM,EAAE,kBAAkB,EAAE,UAAU,EAAE,MAAM,GAAG,MAAM,CAM9F"}

package/dist/src/security/hub.js

@@ -0,0 +1,420 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateSecurityFullReport = generateSecurityFullReport;
+exports.writeSecurityFullReport = writeSecurityFullReport;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const child_process_1 = require("child_process");
+const fast_glob_1 = __importDefault(require("fast-glob"));
+const swagger_parser_1 = __importDefault(require("@apidevtools/swagger-parser"));
+const semgrep_1 = require("./scanners/semgrep");
+const trivy_1 = require("./scanners/trivy");
+const zap_1 = require("./scanners/zap");
+const gitleaks_1 = require("./scanners/gitleaks");
+const ZERO_COUNTS = {
+    CRITICAL: 0,
+    HIGH: 0,
+    MEDIUM: 0,
+    LOW: 0,
+};
+const CONFIGURE_COMMANDS = {
+    semgrep: 'semgrep scan --json --config p/security-audit > reports/semgrep.json',
+    trivy: 'trivy fs --format json --output reports/trivy.json .',
+    gitleaks: 'gitleaks detect --report-format json > reports/gitleaks.json',
+    zap: 'zap-baseline.py -J reports/zap.json -t https://your-service.example.com',
+    other: '',
+};
+const SCANNER_ENABLEMENT_HELP = {
+    trivy: 'dependency scanning',
+    semgrep: 'SAST scanning',
+    gitleaks: 'secret scanning',
+    zap: 'DAST scanning',
+};
+// Keep the generic string threshold low enough to catch obvious hardcoded
+// tokens, but high enough to avoid flagging tiny placeholders in fixtures.
+const GENERIC_SECRET_MIN_LENGTH = 8;
+// AWS access keys use a 16-character suffix after the AKIA prefix.
+const AWS_ACCESS_KEY_LENGTH = 16;
+// GitHub PATs are much longer in practice; 20 keeps short test values out.
+const GITHUB_TOKEN_MIN_LENGTH = 20;
+const HARD_CODED_SECRET_PATTERNS = [
+    { pattern: new RegExp(`\\b(?:api[_-]?key|secret|token|password)\\b\\s*[:=]\\s*["'][^"']{${GENERIC_SECRET_MIN_LENGTH},}["']`, 'i'), title: 'Hardcoded secret-like assignment' },
+    { pattern: new RegExp(`\\bAKIA[0-9A-Z]{${AWS_ACCESS_KEY_LENGTH}}\\b`), title: 'AWS access key detected' },
+    { pattern: new RegExp(`\\bghp_[A-Za-z0-9]{${GITHUB_TOKEN_MIN_LENGTH},}\\b`), title: 'GitHub token detected' },
+];
+const INJECTION_PATTERNS = [
+    { pattern: /\b(select|insert|update|delete)\b[\s\S]{0,160}\+\s*[A-Za-z_]/i, title: 'Possible SQL string concatenation' },
+    { pattern: /\b(exec|execSync|system|Runtime\.getRuntime\(\)\.exec)\s*\(/, title: 'Command execution sink detected' },
+    { pattern: /dangerouslySetInnerHTML|innerHTML\s*=/, title: 'Potential XSS sink detected' },
+    { pattern: /DocumentBuilderFactory\.newInstance\(\)/, title: 'Potential XXE parser usage detected' },
+];
+const KAFKA_PATTERNS = [
+    { pattern: /\b(kafka|rabbitmq|amqplib|@KafkaListener|new Kafka\()/i, title: 'Message broker detected without TLS configuration' },
+];
+const INSECURE_PATTERNS = [
+    { pattern: /NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*["']?0["']?/, title: 'TLS verification disabled' },
+    { pattern: /\bverify\s*=\s*False\b/, title: 'TLS verification disabled in client call' },
+    { pattern: /http:\/\/[^\s'"]+/i, title: 'Plain HTTP endpoint detected' },
+];
+function resolveSourceFiles(sourceGlob) {
+    if (!sourceGlob)
+        return [];
+    return fast_glob_1.default.sync(sourceGlob, { onlyFiles: true, absolute: true }).map((filePath) => ({
+        filePath,
+        content: fs.readFileSync(filePath, 'utf-8'),
+    }));
+}
+function isBinaryAvailable(binary) {
+    try {
+        (0, child_process_1.execFileSync)('which', [binary], { stdio: 'ignore' });
+        return true;
+    }
+    catch {
+        return false;
+    }
+}
+function resolvePipelineReportPath(explicitPath, configuredPath, autoLoadReports) {
+    if (explicitPath)
+        return path.resolve(explicitPath);
+    if (!autoLoadReports || !configuredPath)
+        return undefined;
+    const resolved = path.resolve(configuredPath);
+    return fs.existsSync(resolved) ? resolved : undefined;
+}
+function countBySeverity(findings) {
+    const counts = { ...ZERO_COUNTS };
+    for (const finding of findings) {
+        counts[finding.severity] += 1;
+    }
+    return counts;
+}
+function lineNumber(content, index) {
+    return content.slice(0, index).split('\n').length;
+}
+function ownFindingSeverity(title) {
+    const lowered = title.toLowerCase();
+    if (lowered.includes('aws'))
+        return 'CRITICAL';
+    if (lowered.includes('github') || lowered.includes('tls'))
+        return 'HIGH';
+    return 'MEDIUM';
+}
+function severityRank(severity) {
+    return { LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 }[severity];
+}
+function scanWithPatterns(files, patterns) {
+    var _a;
+    const findings = new Map();
+    for (const { filePath, content } of files) {
+        for (const { pattern, title } of patterns) {
+            const match = pattern.exec(content);
+            if (!match)
+                continue;
+            const finding = {
+                severity: ownFindingSeverity(title),
+                title,
+                filePath,
+                lineStart: lineNumber(content, match.index),
+                pattern: match[0].slice(0, 120),
+            };
+            const key = `${finding.filePath}:${(_a = finding.lineStart) !== null && _a !== void 0 ? _a : 0}`;
+            const existing = findings.get(key);
+            if (!existing || severityRank(finding.severity) > severityRank(existing.severity)) {
+                findings.set(key, finding);
+            }
+        }
+    }
+    return [...findings.values()];
+}
+function someFileMatches(files, pattern) {
+    for (const { content } of files) {
+        if (pattern.test(content)) {
+            return true;
+        }
+    }
+    return false;
+}
+async function loadSpec(specPath) {
+    return (await swagger_parser_1.default.validate(specPath));
+}
+function deriveZapTarget(spec) {
+    var _a, _b;
+    const serverUrl = (_b = (_a = spec.servers) === null || _a === void 0 ? void 0 : _a.find((server) => typeof server.url === 'string')) === null || _b === void 0 ? void 0 : _b.url;
+    return serverUrl && /^https?:\/\//i.test(serverUrl) ? serverUrl : undefined;
+}
+async function buildAuthCoverage(specPath, coverages, sourceFiles) {
+    var _a, _b, _c, _d;
+    const api = await loadSpec(specPath);
+    let endpointsTotal = 0;
+    let endpointsWithAuth = 0;
+    const endpointsMissingAuth = [];
+    for (const [routePath, pathItem] of Object.entries((_a = api.paths) !== null && _a !== void 0 ? _a : {})) {
+        for (const method of ['get', 'post', 'put', 'patch', 'delete', 'head', 'options']) {
+            const operation = pathItem === null || pathItem === void 0 ? void 0 : pathItem[method];
+            if (!operation)
+                continue;
+            endpointsTotal += 1;
+            const effectiveSecurity = (_b = operation.security) !== null && _b !== void 0 ? _b : api.security;
+            if (Array.isArray(effectiveSecurity) && effectiveSecurity.length > 0) {
+                endpointsWithAuth += 1;
+            }
+            else {
+                endpointsMissingAuth.push(`${method.toUpperCase()} ${routePath}`);
+            }
+        }
+    }
+    const securitySchemes = Object.values(((_d = (_c = api.components) === null || _c === void 0 ? void 0 : _c.securitySchemes) !== null && _d !== void 0 ? _d : {}));
+    const oauth2Detected = securitySchemes.some((scheme) => scheme.type === 'oauth2')
+        || someFileMatches(sourceFiles, /\boauth2\b/i);
+    const jwtDetected = securitySchemes.some((scheme) => { var _a; return scheme.type === 'http' && ((_a = scheme.scheme) === null || _a === void 0 ? void 0 : _a.toLowerCase()) === 'bearer'; }) || someFileMatches(sourceFiles, /\b(jwt|bearer|@jwt_required|@PreAuthorize|passport\.authenticate\(['"]jwt)/i);
+    const testedAuthFlows = new Set(coverages
+        .filter((coverage) => coverage.covered && ['authentication', 'authorization', 'session-management'].includes(coverage.control.category))
+        .flatMap((coverage) => coverage.matchedTests)).size;
+    return {
+        source: 'own-scanner',
+        oauth2Detected,
+        jwtDetected,
+        endpointsWithAuth,
+        endpointsTotal,
+        endpointsMissingAuth,
+        testedAuthFlows,
+    };
+}
+function buildOwnScanFindings(sourceFiles) {
+    return {
+        source: 'own-scanner',
+        hardcodedSecrets: scanWithPatterns(sourceFiles, HARD_CODED_SECRET_PATTERNS),
+        injectionRisks: scanWithPatterns(sourceFiles, INJECTION_PATTERNS),
+        kafkaSecurityIssues: scanWithPatterns(sourceFiles, KAFKA_PATTERNS),
+        insecurePatterns: scanWithPatterns(sourceFiles, INSECURE_PATTERNS),
+    };
+}
+function enabledScanners(config) {
+    var _a, _b;
+    return new Set((_b = (_a = config.scans.security) === null || _a === void 0 ? void 0 : _a.scanners) !== null && _b !== void 0 ? _b : []);
+}
+async function runOptionalScanner(scanner, options, api) {
+    var _a;
+    const enabled = enabledScanners(options.config).has(scanner);
+    const pipelineConfig = options.config.security.pipeline;
+    const autoLoad = options.config.security.autoLoadReports !== false;
+    const workspace = path.resolve((_a = options.workspace) !== null && _a !== void 0 ? _a : '.');
+    if (scanner === 'semgrep') {
+        const reportPath = resolvePipelineReportPath(options.semgrepReport, pipelineConfig === null || pipelineConfig === void 0 ? void 0 : pipelineConfig.semgrepReport, autoLoad);
+        if (reportPath) {
+            return (0, semgrep_1.runSemgrep)({ enabled: true, mode: 'import', reportPath, config: 'p/security-audit' }, workspace);
+        }
+        if (enabled && isBinaryAvailable('semgrep')) {
+            return (0, semgrep_1.runSemgrep)({ enabled: true, mode: 'embedded', config: 'p/security-audit' }, workspace);
+        }
+        return undefined;
+    }
+    if (scanner === 'trivy') {
+        const reportPath = resolvePipelineReportPath(options.trivyReport, pipelineConfig === null || pipelineConfig === void 0 ? void 0 : pipelineConfig.trivyReport, autoLoad);
+        if (reportPath) {
+            return (0, trivy_1.runTrivy)({ enabled: true, mode: 'import', reportPath, scanners: ['vuln', 'secret', 'misconfig'] }, workspace);
+        }
+        if (enabled && isBinaryAvailable('trivy')) {
+            return (0, trivy_1.runTrivy)({ enabled: true, mode: 'embedded', scanners: ['vuln', 'secret', 'misconfig'] }, workspace);
+        }
+        return undefined;
+    }
+    if (scanner === 'gitleaks') {
+        const reportPath = resolvePipelineReportPath(options.gitleaksReport, pipelineConfig === null || pipelineConfig === void 0 ? void 0 : pipelineConfig.gitleaksReport, autoLoad);
+        if (reportPath) {
+            return (0, gitleaks_1.runGitleaks)({ enabled: true, mode: 'import', reportPath }, workspace);
+        }
+        if (enabled && isBinaryAvailable('gitleaks')) {
+            return (0, gitleaks_1.runGitleaks)({ enabled: true, mode: 'embedded' }, workspace);
+        }
+        return undefined;
+    }
+    const reportPath = resolvePipelineReportPath(options.zapReport, pipelineConfig === null || pipelineConfig === void 0 ? void 0 : pipelineConfig.zapReport, autoLoad);
+    if (reportPath) {
+        return (0, zap_1.runZap)({ enabled: true, mode: 'import', reportPath });
+    }
+    const targetUrl = deriveZapTarget(api);
+    if (enabled && targetUrl && isBinaryAvailable('zap-baseline.py')) {
+        return (0, zap_1.runZap)({ enabled: true, mode: 'embedded', targetUrl });
+    }
+    return undefined;
+}
+function buildSectionBase(scanner, findings, result) {
+    var _a, _b, _c, _d;
+    if (!result || (!result.success && findings.length === 0)) {
+        return {
+            source: null,
+            toolName: scanner,
+            reason: scanner === 'other'
+                ? 'Scanner not configured'
+                : `Configure ${scanner} in CI to enable ${SCANNER_ENABLEMENT_HELP[scanner]}.\n${CONFIGURE_COMMANDS[scanner]}`,
+            severityBreakdown: { ...ZERO_COUNTS },
+            topFindings: [],
+        };
+    }
+    return {
+        source: scanner,
+        toolName: scanner,
+        version: typeof ((_a = result.metadata) === null || _a === void 0 ? void 0 : _a.version) === 'string' ? result.metadata.version : undefined,
+        generatedAt: typeof ((_b = result.metadata) === null || _b === void 0 ? void 0 : _b.generatedAt) === 'string' ? result.metadata.generatedAt : undefined,
+        reportFile: typeof ((_c = result.metadata) === null || _c === void 0 ? void 0 : _c.reportFile) === 'string' ? result.metadata.reportFile : undefined,
+        fullReportLink: typeof ((_d = result.metadata) === null || _d === void 0 ? void 0 : _d.reportFile) === 'string'
+            ? path.relative(process.cwd(), result.metadata.reportFile)
+            : undefined,
+        reason: result.success ? undefined : result.error,
+        severityBreakdown: countBySeverity(findings),
+        topFindings: findings.slice(0, 5),
+    };
+}
+function ownFindingsToCriticalItems(ownFindings) {
+    return [
+        ...ownFindings.hardcodedSecrets,
+        ...ownFindings.injectionRisks,
+        ...ownFindings.kafkaSecurityIssues,
+        ...ownFindings.insecurePatterns,
+    ]
+        .filter((finding) => finding.severity === 'CRITICAL' || finding.severity === 'HIGH')
+        .slice(0, 10)
+        .map((finding) => ({
+        source: 'own-scanner',
+        severity: finding.severity,
+        title: finding.title,
+        file: path.relative(process.cwd(), finding.filePath),
+        line: finding.lineStart,
+    }));
+}
+function scannerFindingsToCriticalItems(source, findings) {
+    return findings
+        .filter((finding) => finding.severity === 'CRITICAL' || finding.severity === 'HIGH')
+        .slice(0, 10)
+        .map((finding) => ({
+        source,
+        severity: finding.severity,
+        title: finding.title,
+        file: finding.filePath,
+        line: finding.lineStart,
+    }));
+}
+function overallRisk(findings, ownFindings) {
+    const severities = [
+        ...findings.map((finding) => finding.severity),
+        ...ownFindings.hardcodedSecrets.map((finding) => finding.severity),
+        ...ownFindings.injectionRisks.map((finding) => finding.severity),
+        ...ownFindings.kafkaSecurityIssues.map((finding) => finding.severity),
+        ...ownFindings.insecurePatterns.map((finding) => finding.severity),
+    ];
+    if (severities.includes('CRITICAL'))
+        return 'CRITICAL';
+    if (severities.includes('HIGH'))
+        return 'HIGH';
+    if (severities.includes('MEDIUM'))
+        return 'MEDIUM';
+    return 'LOW';
+}
+async function generateSecurityFullReport(options) {
+    var _a, _b, _c, _d;
+    const sourceFiles = resolveSourceFiles(options.sourceGlob);
+    const ownScanFindings = buildOwnScanFindings(sourceFiles);
+    const authCoverage = await buildAuthCoverage(options.specPath, options.coverages, sourceFiles);
+    const api = await loadSpec(options.specPath);
+    const semgrepResult = await runOptionalScanner('semgrep', options, api);
+    const trivyResult = await runOptionalScanner('trivy', options, api);
+    const gitleaksResult = await runOptionalScanner('gitleaks', options, api);
+    const zapResult = await runOptionalScanner('zap', options, api);
+    const dependencyFindings = ((_a = trivyResult === null || trivyResult === void 0 ? void 0 : trivyResult.findings) !== null && _a !== void 0 ? _a : []).filter((finding) => finding.category === 'sca');
+    const sastFindings = (_b = semgrepResult === null || semgrepResult === void 0 ? void 0 : semgrepResult.findings) !== null && _b !== void 0 ? _b : [];
+    const secretFindings = (_c = gitleaksResult === null || gitleaksResult === void 0 ? void 0 : gitleaksResult.findings) !== null && _c !== void 0 ? _c : [];
+    const dastFindings = (_d = zapResult === null || zapResult === void 0 ? void 0 : zapResult.findings) !== null && _d !== void 0 ? _d : [];
+    const allScannerFindings = [
+        ...dependencyFindings,
+        ...sastFindings,
+        ...secretFindings,
+        ...dastFindings,
+    ];
+    const recommendations = [
+        authCoverage.endpointsMissingAuth.length > 0
+            ? `Add authentication/authorization coverage for: ${authCoverage.endpointsMissingAuth.slice(0, 5).join(', ')}`
+            : 'Authentication coverage looks complete for documented endpoints.',
+        !(trivyResult === null || trivyResult === void 0 ? void 0 : trivyResult.success)
+            ? `Configure trivy in CI: ${CONFIGURE_COMMANDS.trivy}`
+            : 'Review dependency findings and patch vulnerable packages first.',
+        !(gitleaksResult === null || gitleaksResult === void 0 ? void 0 : gitleaksResult.success)
+            ? `Configure gitleaks in CI: ${CONFIGURE_COMMANDS.gitleaks}`
+            : 'Rotate any discovered secrets and remove them from history.',
+    ];
+    return {
+        generatedAt: new Date().toISOString(),
+        authCoverage,
+        ownScanFindings,
+        dependencyScan: {
+            ...buildSectionBase('trivy', dependencyFindings, trivyResult),
+            vulnerabilities: dependencyFindings,
+        },
+        sastScan: {
+            ...buildSectionBase('semgrep', sastFindings, semgrepResult),
+            findings: sastFindings,
+        },
+        secretScan: {
+            ...buildSectionBase('gitleaks', secretFindings, gitleaksResult),
+            secrets: secretFindings,
+        },
+        dastScan: {
+            ...buildSectionBase('zap', dastFindings, zapResult),
+            findings: dastFindings,
+        },
+        riskSummary: {
+            overallRisk: overallRisk(allScannerFindings, ownScanFindings),
+            criticalItems: [
+                ...ownFindingsToCriticalItems(ownScanFindings),
+                ...scannerFindingsToCriticalItems('trivy', dependencyFindings),
+                ...scannerFindingsToCriticalItems('semgrep', sastFindings),
+                ...scannerFindingsToCriticalItems('gitleaks', secretFindings),
+                ...scannerFindingsToCriticalItems('zap', dastFindings),
+            ].slice(0, 10),
+            recommendations,
+        },
+    };
+}
+function writeSecurityFullReport(report, reportsDir) {
+    const resolvedDir = path.resolve(reportsDir);
+    fs.mkdirSync(resolvedDir, { recursive: true });
+    const filePath = path.join(resolvedDir, 'security-full.json');
+    fs.writeFileSync(filePath, JSON.stringify(report, null, 2), 'utf-8');
+    return filePath;
+}

package/dist/src/security/index.d.ts

@@ -3,6 +3,7 @@ export * from './types';
 export { normalizeSemgrepOutput } from './normalizers/semgrep';
 export { normalizeTrivyOutput } from './normalizers/trivy';
 export { normalizeZapOutput } from './normalizers/zap';
+export { normalizeGitleaksOutput } from './normalizers/gitleaks';
 export { evaluateSecurityGate } from './gate/index';
 /**
  * Run all configured security scanners and collect findings.

package/dist/src/security/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/security/index.ts"],"names":[],"mappings":"AAOA,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EAKnB,aAAa,EACd,MAAM,SAAS,CAAC;AAQjB,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAIpD;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,aAAa,EAAE,CAAC,CAkB1B;AAID;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,aAAa,EAAE,EACxB,MAAM,EAAE,kBAAkB,GACzB,mBAAmB,CAoDrB;AAID;;GAEG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,mBAAmB,EAC5B,UAAU,EAAE,MAAM,GACjB,IAAI,CA2EN;AAuKD;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,kBAAkB,EAC1B,UAAU,GAAE,MAAkB,GAC7B,OAAO,CAAC,mBAAmB,CAAC,CAM9B"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/security/index.ts"],"names":[],"mappings":"AAOA,OAAO,EACL,kBAAkB,EAClB,mBAAmB,EAKnB,aAAa,EACd,MAAM,SAAS,CAAC;AASjB,cAAc,SAAS,CAAC;AACxB,OAAO,EAAE,sBAAsB,EAAE,MAAM,uBAAuB,CAAC;AAC/D,OAAO,EAAE,oBAAoB,EAAE,MAAM,qBAAqB,CAAC;AAC3D,OAAO,EAAE,kBAAkB,EAAE,MAAM,mBAAmB,CAAC;AACvD,OAAO,EAAE,uBAAuB,EAAE,MAAM,wBAAwB,CAAC;AACjE,OAAO,EAAE,oBAAoB,EAAE,MAAM,cAAc,CAAC;AAIpD;;GAEG;AACH,wBAAsB,mBAAmB,CACvC,MAAM,EAAE,kBAAkB,GACzB,OAAO,CAAC,aAAa,EAAE,CAAC,CAsB1B;AAID;;GAEG;AACH,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,aAAa,EAAE,EACxB,MAAM,EAAE,kBAAkB,GACzB,mBAAmB,CAoDrB;AAID;;GAEG;AACH,wBAAgB,2BAA2B,CACzC,OAAO,EAAE,mBAAmB,EAC5B,UAAU,EAAE,MAAM,GACjB,IAAI,CA2EN;AAuKD;;;;;;;;;GASG;AACH,wBAAsB,eAAe,CACnC,MAAM,EAAE,kBAAkB,EAC1B,UAAU,GAAE,MAAkB,GAC7B,OAAO,CAAC,mBAAmB,CAAC,CAM9B"}

package/dist/src/security/index.js

@@ -36,7 +36,7 @@ var __exportStar = (this && this.__exportStar) || function(m, exports) {
     for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.evaluateSecurityGate = exports.normalizeZapOutput = exports.normalizeTrivyOutput = exports.normalizeSemgrepOutput = void 0;
+exports.evaluateSecurityGate = exports.normalizeGitleaksOutput = exports.normalizeZapOutput = exports.normalizeTrivyOutput = exports.normalizeSemgrepOutput = void 0;
 exports.runSecurityScanners = runSecurityScanners;
 exports.buildSecurityScanSummary = buildSecurityScanSummary;
 exports.generateSecurityScanReports = generateSecurityScanReports;
@@ -51,6 +51,7 @@ const path = __importStar(require("path"));
 const semgrep_1 = require("./scanners/semgrep");
 const trivy_1 = require("./scanners/trivy");
 const zap_1 = require("./scanners/zap");
+const gitleaks_1 = require("./scanners/gitleaks");
 const index_1 = require("./gate/index");
 // ─── Re-exports ───────────────────────────────────────────────────────────────
 __exportStar(require("./types"), exports);
@@ -60,6 +61,8 @@ var trivy_2 = require("./normalizers/trivy");
 Object.defineProperty(exports, "normalizeTrivyOutput", { enumerable: true, get: function () { return trivy_2.normalizeTrivyOutput; } });
 var zap_2 = require("./normalizers/zap");
 Object.defineProperty(exports, "normalizeZapOutput", { enumerable: true, get: function () { return zap_2.normalizeZapOutput; } });
+var gitleaks_2 = require("./normalizers/gitleaks");
+Object.defineProperty(exports, "normalizeGitleaksOutput", { enumerable: true, get: function () { return gitleaks_2.normalizeGitleaksOutput; } });
 var index_2 = require("./gate/index");
 Object.defineProperty(exports, "evaluateSecurityGate", { enumerable: true, get: function () { return index_2.evaluateSecurityGate; } });
 // ─── Scanner orchestration ────────────────────────────────────────────────────
@@ -67,7 +70,7 @@ Object.defineProperty(exports, "evaluateSecurityGate", { enumerable: true, get:
  * Run all configured security scanners and collect findings.
  */
 async function runSecurityScanners(config) {
-    var _a, _b, _c, _d, _e;
+    var _a, _b, _c, _d, _e, _f;
     const workspace = path.resolve((_a = config.workspace) !== null && _a !== void 0 ? _a : '.');
     const results = [];
     const scanners = (_b = config.scanners) !== null && _b !== void 0 ? _b : {};
@@ -80,6 +83,9 @@ async function runSecurityScanners(config) {
     if ((_e = scanners.zap) === null || _e === void 0 ? void 0 : _e.enabled) {
         results.push(await (0, zap_1.runZap)(scanners.zap));
     }
+    if ((_f = scanners.gitleaks) === null || _f === void 0 ? void 0 : _f.enabled) {
+        results.push(await (0, gitleaks_1.runGitleaks)(scanners.gitleaks, workspace));
+    }
     return results;
 }
 // ─── Summary builder ──────────────────────────────────────────────────────────

package/dist/src/security/normalizers/gitleaks.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Gitleaks output normalizer.
+ * Converts Gitleaks JSON findings to the common SecurityFinding model.
+ */
+import { SecurityFinding } from '../types';
+export declare function normalizeGitleaksOutput(raw: unknown): SecurityFinding[];
+//# sourceMappingURL=gitleaks.d.ts.map

package/dist/src/security/normalizers/gitleaks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gitleaks.d.ts","sourceRoot":"","sources":["../../../../src/security/normalizers/gitleaks.ts"],"names":[],"mappings":"AAAA;;;GAGG;AACH,OAAO,EAAE,eAAe,EAAmB,MAAM,UAAU,CAAC;AA4B5D,wBAAgB,uBAAuB,CAAC,GAAG,EAAE,OAAO,GAAG,eAAe,EAAE,CAgBvE"}

package/dist/src/security/normalizers/gitleaks.js

@@ -0,0 +1,32 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.normalizeGitleaksOutput = normalizeGitleaksOutput;
+const GITLEAKS_CRITICAL_MARKERS = ['private-key', 'rsa'];
+const GITLEAKS_HIGH_MARKERS = ['token', 'aws', 'github'];
+function mapGitleaksSeverity(tags, ruleId) {
+    const values = [...(tags !== null && tags !== void 0 ? tags : []), ruleId !== null && ruleId !== void 0 ? ruleId : ''].map((value) => value.toLowerCase());
+    if (values.some((value) => GITLEAKS_CRITICAL_MARKERS.some((marker) => value.includes(marker))))
+        return 'CRITICAL';
+    if (values.some((value) => GITLEAKS_HIGH_MARKERS.some((marker) => value.includes(marker))))
+        return 'HIGH';
+    return 'MEDIUM';
+}
+function normalizeGitleaksOutput(raw) {
+    const findings = Array.isArray(raw) ? raw : [];
+    return findings.map((finding) => {
+        var _a, _b, _c, _d;
+        return ({
+            scanner: 'gitleaks',
+            category: 'secret',
+            severity: mapGitleaksSeverity(finding.Tags, finding.RuleID),
+            title: (_b = (_a = finding.Description) !== null && _a !== void 0 ? _a : finding.RuleID) !== null && _b !== void 0 ? _b : 'Secret detected',
+            description: (_c = finding.Match) !== null && _c !== void 0 ? _c : finding.Secret,
+            ruleId: finding.RuleID,
+            filePath: (_d = finding.File) !== null && _d !== void 0 ? _d : finding.SymlinkFile,
+            lineStart: finding.StartLine,
+            lineEnd: finding.EndLine,
+            secretType: finding.RuleID,
+            scannerNativePayload: finding,
+        });
+    });
+}

package/dist/src/security/scanners/gitleaks.d.ts

@@ -0,0 +1,3 @@
+import { GitleaksScannerConfig, ScannerResult } from '../types';
+export declare function runGitleaks(config: GitleaksScannerConfig, workspace?: string): Promise<ScannerResult>;
+//# sourceMappingURL=gitleaks.d.ts.map

package/dist/src/security/scanners/gitleaks.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"gitleaks.d.ts","sourceRoot":"","sources":["../../../../src/security/scanners/gitleaks.ts"],"names":[],"mappings":"AAQA,OAAO,EAAE,qBAAqB,EAAmB,aAAa,EAAE,MAAM,UAAU,CAAC;AAuCjF,wBAAsB,WAAW,CAC/B,MAAM,EAAE,qBAAqB,EAC7B,SAAS,GAAE,MAAY,GACtB,OAAO,CAAC,aAAa,CAAC,CAuCxB"}