circle-ir-ai 2.7.17 → 2.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +171 -0
- package/dist/secret-scan/history-patterns.d.ts +30 -0
- package/dist/secret-scan/history-patterns.d.ts.map +1 -0
- package/dist/secret-scan/history-patterns.js +162 -0
- package/dist/secret-scan/history-patterns.js.map +1 -0
- package/dist/secret-scan/index.d.ts +14 -7
- package/dist/secret-scan/index.d.ts.map +1 -1
- package/dist/secret-scan/index.js +15 -8
- package/dist/secret-scan/index.js.map +1 -1
- package/dist/secret-scan/patterns.d.ts +14 -1
- package/dist/secret-scan/patterns.d.ts.map +1 -1
- package/dist/secret-scan/patterns.js +14 -1
- package/dist/secret-scan/patterns.js.map +1 -1
- package/dist/secret-scan/scanner.d.ts +29 -39
- package/dist/secret-scan/scanner.d.ts.map +1 -1
- package/dist/secret-scan/scanner.js +233 -189
- package/dist/secret-scan/scanner.js.map +1 -1
- package/dist/security-scan/scanner.d.ts.map +1 -1
- package/dist/security-scan/scanner.js +13 -5
- package/dist/security-scan/scanner.js.map +1 -1
- package/dist/trust/passes/hardcoded-secrets.d.ts +11 -1
- package/dist/trust/passes/hardcoded-secrets.d.ts.map +1 -1
- package/dist/trust/passes/hardcoded-secrets.js +19 -5
- package/dist/trust/passes/hardcoded-secrets.js.map +1 -1
- package/package.json +2 -2
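--- a/package/dist/secret-scan/scanner.d.ts
+++ b/package/dist/secret-scan/scanner.d.ts
@@ -1,15 +1,18 @@
 /**
- * Secret Scanner Module
+ * Secret Scanner Module (Refactored)
  *
- *
+ * Architecture:
+ * - SAST detection: Delegates to circle-ir's ScanSecretsPass (no regex duplication)
+ * - Git history: Scans commits for secrets introduced historically (circle-ir-ai domain)
+ * - LLM verification: Reduces false positives via context-aware analysis
+ *
+ * This module consumes CircleIR findings rather than reimplementing SAST logic.
  */
-
+export type SecretSeverity = 'critical' | 'high' | 'medium' | 'low';
 /**
  * Options for secret scanning
  */
 export interface SecretScanOptions {
-    /** Patterns to use (defaults to all) */
-    patterns?: SecretPattern[];
     /** Categories to include (defaults to all) */
     includeCategories?: string[];
     /** Categories to exclude */
@@ -24,6 +27,8 @@ export interface SecretScanOptions {
     includeFiles?: string[];
     /** File patterns to exclude (glob) */
     excludeFiles?: string[];
+    /** Enable LLM verification to reduce false positives */
+    llmVerify?: boolean;
     /** Progress callback */
     onProgress?: (progress: ScanProgress) => void;
 }
@@ -31,7 +36,7 @@ export interface SecretScanOptions {
  * Scan progress information
  */
 export interface ScanProgress {
-    phase: 'indexing' | 'scanning-files' | 'scanning-history' | 'complete';
+    phase: 'indexing' | 'scanning-files' | 'scanning-history' | 'verifying' | 'complete';
     currentFile?: string;
     filesScanned: number;
     totalFiles: number;
@@ -69,6 +74,10 @@ export interface DetectedSecret {
     commitDate?: string;
     /** Whether secret is still present in HEAD */
     presentInHead: boolean;
+    /** LLM verification result */
+    llmVerified?: boolean;
+    /** LLM confidence score */
+    llmConfidence?: number;
 }
 /**
  * Scan result summary
@@ -99,51 +108,40 @@ export interface SecretScanResult {
  * Secret Scanner class
  */
 export declare class SecretScanner {
-    private patterns;
     private options;
     constructor(options?: SecretScanOptions);
-    /**
-     * Select patterns based on options
-     */
-    private selectPatterns;
     /**
      * Scan a directory for secrets
      */
     scan(directory: string): Promise<SecretScanResult>;
     /**
-     * Scan a single file
+     * Scan a single file using circle-ir's ScanSecretsPass
      */
-
+    private scanFileWithCircleIR;
     /**
-     * Scan
+     * Scan git history for secrets
+     * Uses minimal patterns since we can't run circle-ir on diffs
      */
-    private
+    private scanGitHistory;
     /**
-     *
-     * Looks for unescaped `/` delimiters surrounding the match range.
+     * Scan a git diff for secrets using minimal history patterns
      */
-    private
+    private scanDiff;
     /**
-     * Scan
+     * Scan a single line using minimal history patterns
+     * This is only used for git history scanning where we can't use circle-ir
      */
-    private
+    private scanLineWithPatterns;
     /**
-     *
+     * LLM verification to reduce false positives
      */
-    private
+    private llmVerifySecrets;
     /**
-     * Built-in path-skip
-     * (`getFiles`) and the git-history diff path (`scanDiff`). #60: previously
-     * only the working-tree walk applied these — git-history scans walked
-     * every diff including `Cargo.lock`, `*.lock`, binary blobs, etc.,
-     * producing noisy "Status: Historical" findings on paths the user had
-     * already excluded from their working-tree scan.
+     * Built-in path-skip patterns
      */
     private static readonly BUILTIN_EXCLUDE_PATTERNS;
     /**
-     *
-     * regex excludes + user-supplied include/exclude minimatch globs.
-     * Used by both the working-tree walk and the git-history diff parser.
+     * Check if path should be excluded
      */
     private isPathExcluded;
     /**
@@ -154,14 +152,6 @@ export declare class SecretScanner {
      * Check if directory is a git repo
      */
     private isGitRepo;
-    /**
-     * Redact a secret for safe display
-     */
-    private redactSecret;
-    /**
-     * Truncate long lines
-     */
-    private truncateLine;
     /**
      * Generate .gitignore recommendations
      */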
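Review bot: The new `llmVerify?: boolean` on `SecretScanOptions` (second hunk) is documented only as "Enable LLM verification to reduce false positives", while the same change drops the private `redactSecret` and `truncateLine` declarations from `SecretScanner` (last hunk) and adds `llmVerifySecrets`, so a caller turning this on cannot tell from the public declaration whether raw secret values and their surrounding lines are sent to an external model endpoint. Findings from a secret scanner are the most sensitive data in a repository, and shipping them unredacted to a third-party LLM is an exfiltration path; whether scanner.js still redacts before the call is not visible in this view, but the declaration should state the contract either way, e.g. `/** Enable LLM verification to reduce false positives. When set, finding context is sent to the configured LLM — see scanner.js for what is redacted before the call; do not enable against a provider you would not trust with the secrets themselves. */`. Likewise `llmConfidence?: number` should document its range (for example `/** LLM confidence score in [0, 1] */`, if that is what scanner.js produces), since consumers will threshold on it. The terse replacement doc for `BUILTIN_EXCLUDE_PATTERNS` also loses the old note that these excludes must apply to the git-history path as well as the working-tree walk; a one-line `* Applied to both the working-tree walk and git-history diffs` would keep that invariant visible to the next maintainer.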
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/secret-scan/scanner.ts"],"names":[],"mappings":"AAAA
|
|
1
|
+
{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../src/secret-scan/scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAaH,MAAM,MAAM,cAAc,GAAG,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;AAEpE;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,8CAA8C;IAC9C,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,4BAA4B;IAC5B,iBAAiB,CAAC,EAAE,MAAM,EAAE,CAAC;IAC7B,iCAAiC;IACjC,WAAW,CAAC,EAAE,cAAc,CAAC;IAC7B,kCAAkC;IAClC,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,mDAAmD;IACnD,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,sCAAsC;IACtC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,sCAAsC;IACtC,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;IACxB,wDAAwD;IACxD,SAAS,CAAC,EAAE,OAAO,CAAC;IACpB,wBAAwB;IACxB,UAAU,CAAC,EAAE,CAAC,QAAQ,EAAE,YAAY,KAAK,IAAI,CAAC;CAC/C;AAED;;GAEG;AACH,MAAM,WAAW,YAAY;IAC3B,KAAK,EAAE,UAAU,GAAG,gBAAgB,GAAG,kBAAkB,GAAG,WAAW,GAAG,UAAU,CAAC;IACrF,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,YAAY,EAAE,MAAM,CAAC;CACtB;AAED;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,8BAA8B;IAC9B,SAAS,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,WAAW,EAAE,MAAM,CAAC;IACpB,uCAAuC;IACvC,IAAI,EAAE,MAAM,CAAC;IACb,kBAAkB;IAClB,IAAI,EAAE,MAAM,CAAC;IACb,sBAAsB;IACtB,MAAM,EAAE,MAAM,CAAC;IACf,8CAA8C;IAC9C,KAAK,EAAE,MAAM,CAAC;IACd,sCAAsC;IACtC,WAAW,EAAE,MAAM,CAAC;IACpB,qBAAqB;IACrB,QAAQ,EAAE,cAAc,CAAC;IACzB,eAAe;IACf,QAAQ,EAAE,MAAM,CAAC;IACjB,4CAA4C;IAC5C,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,uCAAuC;IACvC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,4CAA4C;IAC5C,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,8CAA8C;IAC9C,aAAa,EAAE,OAAO,CAAC;IACvB,8BAA8B;IAC9B,WAAW,CAAC,EAAE,OAAO,CAAC;IACtB,2BAA2B;IAC3B,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B,iCAAiC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,0BAA0B;IAC1B,YAAY,EAAE,MAAM,CAAC;IACrB,gDAAgD;IAChD,cAAc,EAAE,MAAM,CAAC;IACvB,2BAA2B;IAC3B,OAAO,EAAE,cAAc,EAAE,CAAC;IAC1B,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC,cAAc,EAAE,MAAM,CAAC,CAAC;IAC3C,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACnC,mDAAmD;IACnD,aAAa,EAAE,MAAM,CAAC;IACtB,8BAA8B;IAC9B,iBAAiB,EAAE,M
AAM,CAAC;IAC1B,0BAA0B;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,iCAAiC;IACjC,wBAAwB,EAAE,MAAM,EAAE,CAAC;CACpC;AA4DD;;GAEG;AACH,qBAAa,aAAa;IACxB,OAAO,CAAC,OAAO,CAAoB;gBAEvB,OAAO,GAAE,iBAAsB;IAI3C;;OAEG;IACG,IAAI,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,gBAAgB,CAAC;IAgIxD;;OAEG;YACW,oBAAoB;IA8BlC;;;OAGG;YACW,cAAc;IAmD5B;;OAEG;IACH,OAAO,CAAC,QAAQ;IAmDhB;;;OAGG;IACH,OAAO,CAAC,oBAAoB;IAkD5B;;OAEG;YACW,gBAAgB;IAgD9B;;OAEG;IACH,OAAO,CAAC,MAAM,CAAC,QAAQ,CAAC,wBAAwB,CA4B9C;IAEF;;OAEG;IACH,OAAO,CAAC,cAAc;IAetB;;OAEG;IACH,OAAO,CAAC,QAAQ;IAuChB;;OAEG;IACH,OAAO,CAAC,SAAS;IAYjB;;OAEG;IACH,OAAO,CAAC,gCAAgC;CAmDzC;AAyBD;;GAEG;AACH,wBAAsB,cAAc,CAClC,SAAS,EAAE,MAAM,EACjB,OAAO,GAAE,iBAAsB,GAC9B,OAAO,CAAC,gBAAgB,CAAC,CAG3B;AAED;;GAEG;AACH,wBAAsB,eAAe,CACnC,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,gBAAgB,CAAC,CAK3B;AAED;;GAEG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,gBAAgB,GAAG,MAAM,CAiFnE"}
|