npm - bastion-scan - Versions diffs - 0.1.0 → 0.1.3 - Mend

bastion-scan 0.1.0 → 0.1.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/README.md CHANGED Viewed

@@ -7,7 +7,7 @@
   <img alt="Build" src="https://img.shields.io/github/actions/workflow/status/absastreon/bastion/ci.yml?branch=main&style=flat-square" />
   <img alt="Tests" src="https://img.shields.io/badge/tests-783%20passing-brightgreen?style=flat-square" />
   <img alt="License" src="https://img.shields.io/badge/license-MIT-blue?style=flat-square" />
-  <img alt="npm" src="https://img.shields.io/npm/v/@bastion/cli?style=flat-square" />
+  <img alt="npm" src="https://img.shields.io/npm/v/bastion-scan?style=flat-square" />
 </p>
 ---
@@ -26,19 +26,19 @@ Every finding comes with a prompt you can paste into Claude, ChatGPT, or Copilot
 ```bash
 # Install globally
-npm install -g @bastion/cli
+npm install -g bastion-scan
 # Scan your project
-npx bastion scan
+npx bastion-scan scan
 # Scan a live URL (headers, SSL, security.txt)
-npx bastion scan --url https://yourapp.com
+npx bastion-scan scan --url https://yourapp.com
 # JSON output for CI/CD
-npx bastion scan --format json
+npx bastion-scan scan --format json
 # Generate security configs for your stack
-npx bastion scan --generate-configs
+npx bastion-scan scan --generate-configs
 ```
 ---
@@ -48,7 +48,7 @@ npx bastion scan --generate-configs
 | Check | What it does |
 |-------|-------------|
 | `.gitignore` coverage | Makes sure `.env`, `node_modules`, and keys are excluded |
-| Hardcoded secrets | Looks for API keys from OpenAI, Stripe, AWS, and others |
+| Hardcoded secrets | API keys from OpenAI, Anthropic, GitHub, Stripe, AWS, Google, Slack, and more |
 | Dependency audit | Wraps `npm audit` and maps findings to severity levels |
 | `.env.example` | Checks that a template exists with safe placeholder values |
 | `security.txt` | Validates RFC 9116 Contact + Expires fields |
@@ -83,7 +83,7 @@ Bastion can output ready-to-paste configs for your stack:
 Interactive CLI that walks you through creating a valid RFC 9116 `security.txt`:
 ```bash
-npx bastion generate security-txt
+npx bastion-scan generate security-txt
 ```
 ---
@@ -193,7 +193,7 @@ Floor is 0. Only `fail` results deduct. `warn`, `skip`, and `pass` don't affect
 ```
 bastion/
 ├── packages/
-│   ├── cli/          # npx bastion scan, 12 checks, 3 reporters
+│   ├── cli/          # npx bastion-scan scan, 12 checks, 3 reporters
 │   ├── shared/       # Types, checklist data, OWASP data, tools
 │   └── web/          # Next.js 14 dashboard
 └── docs/playbooks/   # Stack-specific security guides

package/dist/index.js CHANGED Viewed

@@ -7,7 +7,7 @@ import { createRequire } from "module";
 import { Command, Option } from "commander";
 import chalk2 from "chalk";
 import ora from "ora";
-import { OUTPUT_FORMATS } from "@bastion/shared";
+import { OUTPUT_FORMATS } from "bastion-shared";
 // src/scanner.ts
 import { readdir, readFile as readFile9, stat } from "fs/promises";
@@ -196,40 +196,145 @@ var SCANNABLE_EXTENSIONS = /* @__PURE__ */ new Set([
 ]);
 var IGNORED_DIRS = /* @__PURE__ */ new Set(["node_modules", "dist", "build", ".git", "tests", "__tests__", "test", "fixtures"]);
 var SECRET_PATTERNS = [
+  // ── OpenAI ──────────────────────────────────────────────────────────────
   {
-    name: "OpenAI API key",
-    regex: /sk-[A-Za-z0-9]{20,}/,
-    description: "OpenAI API key detected"
+    name: "OpenAI API key (project)",
+    regex: /sk-proj-[a-zA-Z0-9_-]{20,}/,
+    description: "OpenAI project API key detected",
+    severity: "critical"
   },
+  {
+    name: "OpenAI API key (service account)",
+    regex: /sk-svcacct-[a-zA-Z0-9_-]{20,}/,
+    description: "OpenAI service account key detected",
+    severity: "critical"
+  },
+  {
+    name: "OpenAI API key (legacy)",
+    regex: /sk-[a-zA-Z0-9]{20,}/,
+    description: "OpenAI API key detected",
+    severity: "critical"
+  },
+  // ── Anthropic ───────────────────────────────────────────────────────────
+  {
+    name: "Anthropic API key",
+    regex: /sk-ant-api[0-9]{2}-[a-zA-Z0-9_-]{40,}/,
+    description: "Anthropic API key detected",
+    severity: "critical"
+  },
+  {
+    name: "Anthropic admin key",
+    regex: /sk-ant-admin[0-9]{2}-[a-zA-Z0-9_-]{40,}/,
+    description: "Anthropic admin API key detected",
+    severity: "critical"
+  },
+  // ── GitHub ──────────────────────────────────────────────────────────────
+  {
+    name: "GitHub PAT (classic)",
+    regex: /ghp_[a-zA-Z0-9]{36}/,
+    description: "GitHub personal access token (classic) detected",
+    severity: "critical"
+  },
+  {
+    name: "GitHub OAuth token",
+    regex: /gho_[a-zA-Z0-9]{36}/,
+    description: "GitHub OAuth access token detected",
+    severity: "critical"
+  },
+  {
+    name: "GitHub PAT (fine-grained)",
+    regex: /github_pat_[a-zA-Z0-9_]{82}/,
+    description: "GitHub fine-grained personal access token detected",
+    severity: "critical"
+  },
+  {
+    name: "GitHub app token",
+    regex: /ghs_[a-zA-Z0-9]{36}/,
+    description: "GitHub app installation token detected",
+    severity: "critical"
+  },
+  {
+    name: "GitHub refresh token",
+    regex: /ghr_[a-zA-Z0-9]{36}/,
+    description: "GitHub refresh token detected",
+    severity: "critical"
+  },
+  // ── Stripe ──────────────────────────────────────────────────────────────
   {
     name: "Stripe secret key",
-    regex: /sk_live_[A-Za-z0-9]{20,}/,
-    description: "Stripe secret key detected"
+    regex: /sk_live_[a-zA-Z0-9]{24,}/,
+    description: "Stripe secret key detected",
+    severity: "critical"
   },
   {
     name: "Stripe publishable key",
-    regex: /pk_live_[A-Za-z0-9]{20,}/,
-    description: "Stripe publishable live key detected"
+    regex: /pk_live_[a-zA-Z0-9]{20,}/,
+    description: "Stripe publishable live key detected",
+    severity: "critical"
+  },
+  {
+    name: "Stripe restricted key",
+    regex: /rk_live_[a-zA-Z0-9]{24,}/,
+    description: "Stripe restricted API key detected",
+    severity: "critical"
   },
+  {
+    name: "Stripe test key",
+    regex: /sk_test_[a-zA-Z0-9]{24,}/,
+    description: "Stripe test secret key detected",
+    severity: "high"
+  },
+  // ── AWS ─────────────────────────────────────────────────────────────────
   {
     name: "AWS access key",
     regex: /AKIA[0-9A-Z]{16}/,
-    description: "AWS access key ID detected"
+    description: "AWS access key ID detected",
+    severity: "critical"
+  },
+  // ── Google ──────────────────────────────────────────────────────────────
+  {
+    name: "Google API key",
+    regex: /AIza[a-zA-Z0-9_-]{35}/,
+    description: "Google API key detected",
+    severity: "critical"
   },
+  // ── Slack ───────────────────────────────────────────────────────────────
+  {
+    name: "Slack bot token",
+    regex: /xoxb-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24,}/,
+    description: "Slack bot token detected",
+    severity: "critical"
+  },
+  {
+    name: "Slack user token",
+    regex: /xoxp-[0-9]{10,13}-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{32}/,
+    description: "Slack user token detected",
+    severity: "critical"
+  },
+  {
+    name: "Slack webhook URL",
+    regex: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9]{8,12}\/B[a-zA-Z0-9]{8,12}\/[a-zA-Z0-9]{24}/,
+    description: "Slack incoming webhook URL detected",
+    severity: "high"
+  },
+  // ── Generic ─────────────────────────────────────────────────────────────
   {
     name: "Generic API key assignment",
     regex: /(?:api[_-]?key|apikey|api[_-]?secret)\s*[:=]\s*['"][A-Za-z0-9_\-/.]{8,}['"]/i,
-    description: "Hardcoded API key assignment detected"
+    description: "Hardcoded API key assignment detected",
+    severity: "critical"
   },
   {
     name: "Bearer token",
     regex: /['"]Bearer\s+[A-Za-z0-9_\-/.+]{20,}['"]/,
-    description: "Hardcoded Bearer token detected"
+    description: "Hardcoded Bearer token detected",
+    severity: "critical"
   },
   {
     name: "Database connection string",
     regex: /(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis):\/\/[^:]+:[^@\s]+@/i,
-    description: "Database connection string with embedded password detected"
+    description: "Database connection string with embedded password detected",
+    severity: "critical"
   }
 ];
 var AI_PROMPT = "I found a hardcoded secret in my source code. Help me move it to an environment variable. Show me: (1) how to add it to .env, (2) how to read it with process.env or the equivalent for my framework, (3) how to add the key name to .env.example with a placeholder value, and (4) how to validate at startup that the variable is set.";
@@ -265,7 +370,7 @@ function scanContent(content, relativePath) {
           id: "secrets",
           name: `Hardcoded secret: ${pattern.name}`,
           status: "fail",
-          severity: "critical",
+          severity: pattern.severity,
           category: "Secrets",
           location: `${relativePath}:${i + 1}`,
           description: pattern.description,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "bastion-scan",
-  "version": "0.1.0",
+  "version": "0.1.3",
   "description": "Privacy-first security checker for web projects. 15 checks, zero data uploaded, actionable fixes.",
   "type": "module",
   "bin": {
@@ -37,7 +37,7 @@
     "dev": "tsup --watch"
   },
   "dependencies": {
-    "@bastion/shared": "*",
+    "bastion-shared": "^0.1.3",
     "chalk": "^5.6.2",
     "commander": "^14.0.3",
     "ora": "^9.3.0"