codeprobe-scanner 1.0.10 → 1.0.12

package/README.md

@@ -1,167 +1,208 @@
 # CodeProbe
 
-Automated vulnerability scanner for Node.js projects. Scans your `package.json` dependencies against live security databases, verifies exploits in isolated sandboxes, generates AI patches, and shows you what's trending in npm security right now.
+Automated vulnerability scanner for Node.js / npm projects. Scans dependencies against OSV.dev and the GitHub Advisory Database, verifies exploits in isolated sandboxes, and optionally auto-patches vulnerable packages.
 
+## Install
+
+```sh
+npm install -g codeprobe-scanner
 ```
-npx codeprobe-scanner scan .
+
+Or run without installing:
+
+```sh
+npx codeprobe-scanner scan
 ```
 
----
+## Quick Start
 
-## What it does
+```sh
+# Scan the current directory
+codeprobe scan
 
-1. **Scans your dependencies** — reads `package.json` and checks every package against [OSV.dev](https://osv.dev) (the same database behind `npm audit`)
-2. **Verifies exploits** — spins up isolated [Daytona](https://daytona.io) sandboxes to confirm whether a CVE is actually exploitable in your version, not just theoretical
-3. **Generates patches** — uses Kimi AI to produce a version-bump diff for exploitable vulnerabilities
-4. **Shows recent threats** — pulls the latest npm security advisories from GitHub's Advisory Database so you can see what attacks are trending
+# Scan a specific project
+codeprobe scan ./my-app
 
----
+# Scan and auto-fix vulnerabilities
+codeprobe scan --fix
 
-## Install
+# Output results as JSON
+codeprobe scan --json > report.json
 
-```bash
-npm install -g codeprobe-scanner
+# Show the last scan report
+codeprobe report
 ```
 
-Or run without installing:
+## Commands
 
-```bash
-npx codeprobe-scanner scan .
-```
+### `codeprobe scan [path]`
 
-Requires [Bun](https://bun.sh) — installed automatically if not present.
+Scans a repository for known CVEs in its npm dependencies.
 
----
+| Flag | Description |
+|------|-------------|
+| `--fix` | Auto-fix: upgrades vulnerable packages, creates a git branch and commit |
+| `--json` | Print results as JSON (pipe-friendly) |
+| `--verbose` | Show detailed phase-by-phase logs |
 
-## Usage
+**What it does:**
 
-### Scan a project
+1. Parses `package.json` / `package-lock.json` / `bun.lock` for installed packages and versions
+2. Queries **OSV.dev** for CVEs matching each package+version
+3. Cross-references the **GitHub Advisory Database** for additional intelligence
+4. Runs exploit verification in an isolated **Daytona sandbox** (when configured)
+5. Saves the report to `~/.codeprobe/scans/<scan-id>.json`
+6. Displays a risk score, CVE table, and recent npm threat feed
 
-```bash
-codeprobe scan .
-codeprobe scan ./my-app
-```
+**Exit codes:**
 
-Output:
+| Code | Meaning |
+|------|---------|
+| `0` | No vulnerabilities found |
+| `1` | Vulnerabilities found |
+| `2` | Scan failed |
 
-```
-⚡ CodeProbe v1.0.0
-📦 Parsing dependencies...
-   Found 11 dependencies
-🔍 Checking OSV.dev + npm advisory database...
-   Found 3 CVEs
-🎯 Matching dependencies to CVEs...
+### `codeprobe report`
 
-SCAN COMPLETE
-Risk Score: 6.4/10 (MEDIUM)
+Displays the most recent scan results from `~/.codeprobe/scans/latest.json`.
 
-CVE Details:
-  CVE-2024-39338: axios 1.6.5 [HIGH] ~ Theoretical Risk
-  CVE-2023-45133: babel 7.22.0 [CRITICAL] ✓ CONFIRMED EXPLOITABLE
-  ...
-
-🌐 Recent npm Security Threats:
-  HIGH  esbuild: Missing binary integrity verification enables RCE
-  HIGH  Budibase: Auth bypass on webhook schema endpoint
-  ...
-```
+### `codeprobe config set <key> <value>`
 
-### Scan and auto-fix
+Saves a configuration value to `~/.codeprobe/config.json`.
 
-```bash
-codeprobe scan . --fix
+```sh
+codeprobe config set bright_data_api_key YOUR_KEY
+codeprobe config set daytona_api_key YOUR_KEY
 ```
 
-Walks you through each vulnerability interactively. For each one you approve, it:
-- Updates the version in `package.json`
-- Creates a git branch (`codeprobe-security-fixes-<timestamp>`)
-- Commits and pushes
-- Opens a pull request via GitHub CLI
+## Configuration
 
-### Other commands
+CodeProbe works out of the box with zero configuration using public APIs. Optional integrations unlock deeper exploit verification.
 
-```bash
-codeprobe report                  # show last scan results again
-codeprobe scan . --json           # JSON output (for CI pipelines)
-codeprobe scan . --verbose        # detailed logs
-codeprobe config get              # show stored config
-```
+### Environment Variables
 
----
+| Variable | Description |
+|----------|-------------|
+| `BRIGHT_DATA_API_KEY` | Bright Data scraping proxy (optional) |
+| `DAYTONA_API_KEY` | Daytona sandbox for exploit verification (optional) |
+| `NOSANA_API_KEY` | Nosana LLM for AI-assisted analysis (optional) |
+| `GITHUB_TOKEN` | GitHub token for higher Advisory API rate limits |
+| `PORT` | API server port (default: `3000`) |
 
-## Configuration
-
-No API keys are required for basic scanning — OSV.dev and the GitHub Advisory Database are free public APIs.
+Create a `.env` file in your project root or export variables in your shell.
 
-For exploit verification and AI patch generation, configure optional keys once:
+## How It Works
 
-```bash
-codeprobe config set daytona_api_key <key>    # sandbox exploit verification
-codeprobe config set kimi_api_key <key>       # AI patch generation
-codeprobe config set nosana_api_key <key>     # backup LLM for patches
+```
+package.json / lockfile
+        ↓
+   Dependency Parser
+        ↓
+  OSV.dev + GitHub Advisory DB  ──→  CVE list
+        ↓
+  Sandbox Exploit Verification  ──→  Confirmed / Theoretical
+        ↓
+   Risk Score + Report
 ```
 
-Keys are stored encrypted at `~/.codeprobe/config.json`. You can also pass them as environment variables:
+- **Risk score** = (confirmed exploitable × 10) + (theoretical × 3)
+- Scans are saved locally at `~/.codeprobe/scans/`
+- `latest.json` always points to the most recent scan
 
-```bash
-DAYTONA_API_KEY=xxx KIMI_API_KEY=xxx codeprobe scan .
-```
+## Auto-Fix (`--fix`)
 
-| Key | Where to get it | What it enables |
-|-----|----------------|-----------------|
-| `DAYTONA_API_KEY` | [daytona.io](https://daytona.io) | Confirms if CVEs are truly exploitable |
-| `KIMI_API_KEY` | [aimlapi.com](https://aimlapi.com) | AI-generated patch diffs |
-| `NOSANA_API_KEY` | [nosana.io](https://nosana.io) | Backup LLM for patches |
+When `--fix` is passed, CodeProbe:
 
----
+1. Identifies vulnerable packages that have a patched version available
+2. Updates `package.json` to the safe version
+3. Runs `bun install` (or `npm install`) to apply the change
+4. Creates a git commit on a new branch: `codeprobe-fix/<scan-id>`
 
-## CI / GitHub Actions
+Review the branch and open a PR — no changes are pushed automatically.
 
-```yaml
-- name: Security scan
-  run: npx codeprobe-scanner scan . --json > security-report.json
+## API Server
+
+Start the REST API server:
 
-- name: Fail on exploitable CVEs
-  run: npx codeprobe-scanner scan .
-  # exits with code 1 if exploitable CVEs found
+```sh
+bun run src/api/server.ts
 ```
 
----
+| Endpoint | Method | Description |
+|----------|--------|-------------|
+| `POST /api/scan` | POST | Trigger a scan (`{ "repoPath": "./path" }`) |
+| `GET /api/scans` | GET | List all past scans (requires auth) |
+| `GET /api/scans/:id` | GET | Get a specific scan (requires auth) |
+| `GET /api/auth/github` | GET | GitHub OAuth callback |
+| `GET /api/auth/logout` | GET | Logout |
 
-## Exit codes
+Authentication: pass a `Bearer <token>` header. In development mode any non-empty token is accepted.
 
-| Code | Meaning |
-|------|---------|
-| `0` | No vulnerabilities found |
-| `1` | Vulnerabilities found |
-| `2` | Scan error |
+## Docker
+
+```sh
+docker build -t codeprobe .
+docker run -e PORT=8080 -p 8080:8080 codeprobe
+```
 
----
+## GitHub Actions
 
-## How it works
+Add CodeProbe to your CI pipeline:
 
+```yaml
+# .github/workflows/codeprobe-scan.yml
+name: Security Scan
+on: [push, pull_request]
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - run: npx codeprobe-scanner scan --json > report.json
+      - uses: actions/upload-artifact@v3
+        with:
+          name: security-report
+          path: report.json
 ```
-package.json
-     │
-     ▼
- Parse deps          (reads your dependencies + exact versions)
-     │
-     ▼
- OSV.dev query       (exact version match — no false positives)
-     │
-     ▼
- Daytona sandbox     (runs the exploit in isolation to confirm)
-     │
-     ▼
- Kimi / Nosana       (generates a patch diff via AI)
-     │
-     ▼
- Report + PR         (shows results, optionally opens a fix PR)
+
+## Output Example
+
 ```
+╔══════════════════════════════════════════╗
+║           CodeProbe Scanner              ║
+╚══════════════════════════════════════════╝
 
-No source code is sent to any external service. Only package names and versions are used for lookups.
+SCAN COMPLETE
+Risk Score: 🔴 HIGH (43)
+Confirmed Exploitable: 2 | Theoretical Risk: 5
+Patches Available: 3
+Duration: 8.3s
 
----
+CVE Details:
+  CVE-2022-29078: ejs 3.1.6 [CRITICAL] ✓ CONFIRMED EXPLOITABLE
+    → Patch available: 3.1.7
+  CVE-2023-44487: http2-server 1.0.0 [HIGH] ✓ CONFIRMED EXPLOITABLE
+    → Patch available: 1.0.1
+
+🌐 Recent npm Security Threats (GitHub Advisory Database):
+  CRITICAL lodash - Prototype Pollution
+  HIGH     axios - SSRF via redirect
+```
+
+## Project Structure
+
+```
+src/
+├── cli/          # CLI entry point and commands (scan, report, config)
+├── engine/       # Core scanner: parser, scraper, sandbox, patcher
+├── api/          # REST API server
+├── shared/       # Types, constants, utilities
+├── integrations/ # VideoDB, Daytona, Nosana integrations
+├── bot/          # Bot server
+└── mcp/          # MCP server
+bin/
+└── codeprobe.cjs # CLI binary entry point
+```
 
 ## License
 

package/bin/codeprobe.cjs

@@ -45,7 +45,7 @@ const cmd = `${bunCmd} run ${path.join(packageRoot, 'src/cli/index.ts')} ${args.
 try {
   execSync(cmd, {
     stdio: 'inherit',
-    cwd: packageRoot
+    cwd: process.cwd()
   });
 } catch (err) {
   process.exit(err.status || 1);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "codeprobe-scanner",
-  "version": "1.0.10",
+  "version": "1.0.12",
   "description": "Automated vulnerability scanner with exploit verification and video evidence",
   "type": "module",
   "bin": {
@@ -14,7 +14,7 @@
   },
   "dependencies": {
     "@daytona/sdk": "^0.187.0",
-    "axios": "^1.6.5",
+    "axios": "^1.16.0",
     "chalk": "^5.3.0",
     "cli-table3": "^0.6.3",
     "dayjs": "^1.11.10",

package/src/cli/commands/scan-with-fix.ts

@@ -1,22 +1,16 @@
 import chalk from 'chalk';
 import { execSync } from 'child_process';
+import { readFileSync, writeFileSync } from 'fs';
+import path from 'path';
 import dayjs from 'dayjs';
 import { Report } from '../../shared/types.js';
 import { ProgressLogger } from '../progress.js';
 import { GitError, handleError } from '../errors.js';
 import { EXIT_CODES } from '../../shared/constants.js';
 
-function getGitStatus(): string {
-  try {
-    return execSync('git status --porcelain', { encoding: 'utf-8' });
-  } catch {
-    throw new GitError('Not a git repository');
-  }
-}
-
 function checkGitRepo(): boolean {
   try {
-    execSync('git rev-parse --git-dir', { encoding: 'utf-8' });
+    execSync('git rev-parse --git-dir', { encoding: 'utf-8', stdio: 'pipe' });
     return true;
   } catch {
     return false;
@@ -24,25 +18,48 @@ function checkGitRepo(): boolean {
 }
 
 function isGitDirty(): boolean {
-  const status = getGitStatus();
-  return status.trim().length > 0;
+  try {
+    const status = execSync('git status --porcelain', { encoding: 'utf-8', stdio: 'pipe' });
+    return status.trim().length > 0;
+  } catch {
+    throw new GitError('Not a git repository');
+  }
 }
 
 function createBranch(name: string): void {
   try {
-    execSync(`git checkout -b ${name}`, { encoding: 'utf-8' });
-  } catch (error) {
+    execSync(`git checkout -b ${name}`, { encoding: 'utf-8', stdio: 'pipe' });
+  } catch {
     throw new GitError(`Failed to create branch: ${name}`);
   }
 }
 
-function commitChanges(message: string): void {
+function commitAndPush(message: string, branchName: string): void {
+  execSync('git add package.json', { encoding: 'utf-8', stdio: 'pipe' });
+  execSync(`git -c commit.gpgsign=false commit -m "${message}"`, { encoding: 'utf-8', stdio: 'pipe' });
   try {
-    execSync('git add .', { encoding: 'utf-8' });
-    execSync(`git commit -m "${message}"`, { encoding: 'utf-8' });
-  } catch (error) {
-    throw new GitError('Failed to commit changes');
+    execSync(`git push -u origin ${branchName}`, { encoding: 'utf-8', stdio: 'pipe' });
+  } catch {
+    // Push failed — not fatal, user can push manually
+  }
+}
+
+function applyVersionBumps(
+  repoPath: string,
+  bumps: Array<{ package: string; from: string; to: string }>
+): void {
+  const pkgPath = path.join(repoPath, 'package.json');
+  const pkg = JSON.parse(readFileSync(pkgPath, 'utf-8'));
+
+  for (const bump of bumps) {
+    if (pkg.dependencies?.[bump.package]) {
+      pkg.dependencies[bump.package] = `^${bump.to}`;
+    } else if (pkg.devDependencies?.[bump.package]) {
+      pkg.devDependencies[bump.package] = `^${bump.to}`;
+    }
   }
+
+  writeFileSync(pkgPath, JSON.stringify(pkg, null, 2) + '\n');
 }
 
 export async function scanWithFixCommand(
@@ -52,72 +69,81 @@ export async function scanWithFixCommand(
 ): Promise<void> {
   console.log('');
   logger.printSeparator();
-  logger.logPhaseStart('git', 'Preparing to apply patches');
 
-  try {
-    // Check git repo exists
-    if (!checkGitRepo()) {
-      throw new GitError('Not a git repository. Run: git init');
-    }
+  const repoPath = path.resolve(args[0] || '.');
 
-    // Check git status
-    if (isGitDirty()) {
-      logger.logWarning('Git repository has uncommitted changes', 'Commit or stash first');
-      throw new GitError('Repository is dirty. Commit changes before applying patches.');
-    }
+  // Collect CVEs that have a known fixed version
+  const fixable = report.scan.cves.filter(
+    (cve) => cve.version_fixed && cve.version_fixed.trim() !== ''
+  );
 
-    // Filter for exploitable CVEs only
-    const exploitableCVEs = report.scan.cves.filter((cve) => cve.exploitable);
+  if (fixable.length === 0) {
+    console.log(chalk.yellow('⚠️  No CVEs with known fixes found.'));
+    console.log(chalk.dim('   All vulnerabilities are either unpatched or already on the latest version.'));
+    process.exit(EXIT_CODES.SUCCESS);
+  }
 
-    if (exploitableCVEs.length === 0) {
-      logger.logWarning('No exploitable CVEs found', 'Nothing to patch');
-      process.exit(EXIT_CODES.SUCCESS);
+  // Deduplicate: one bump per package (use highest fixed version)
+  const bumpMap = new Map<string, { from: string; to: string; cves: string[] }>();
+  for (const cve of fixable) {
+    const existing = bumpMap.get(cve.package);
+    if (!existing) {
+      bumpMap.set(cve.package, {
+        from: cve.version_vulnerable,
+        to: cve.version_fixed!,
+        cves: [cve.id],
+      });
+    } else {
+      existing.cves.push(cve.id);
     }
+  }
 
-    // Create feature branch
-    const timestamp = dayjs().format('YYYY-MM-DD-HHmmss');
-    const branchName = `codeprobe-fix-${timestamp}`;
+  const bumps = Array.from(bumpMap.entries()).map(([pkg, info]) => ({
+    package: pkg,
+    ...info,
+  }));
+
+  // Show what will be changed
+  console.log(chalk.bold(`\n📦 ${bumps.length} package(s) can be updated:\n`));
+  for (const b of bumps) {
+    console.log(
+      `  ${chalk.cyan(b.package)}: ${chalk.red(b.from)} → ${chalk.green(b.to)}`
+    );
+    console.log(chalk.dim(`    Fixes: ${b.cves.slice(0, 3).join(', ')}${b.cves.length > 3 ? ` +${b.cves.length - 3} more` : ''}`));
+  }
 
-    logger.logPhaseStart('git', `Creating branch: ${branchName}`);
-    createBranch(branchName);
-    logger.logPhaseComplete('git', `Branch created: ${branchName}`);
+  // Check git repo
+  if (!checkGitRepo()) {
+    console.log(chalk.yellow('\n⚠️  Not a git repository — applying fixes without committing.'));
+    applyVersionBumps(repoPath, bumps);
+    console.log(chalk.green('\n✓ package.json updated. Run your package manager to install.'));
+    process.exit(EXIT_CODES.SUCCESS);
+  }
 
-    // Apply patches
-    for (const cve of exploitableCVEs) {
-      if (!cve.patch_diff) continue;
+  if (isGitDirty()) {
+    console.log(chalk.yellow('\n⚠️  Uncommitted changes detected — applying fixes without committing.'));
+    applyVersionBumps(repoPath, bumps);
+    console.log(chalk.green('\n✓ package.json updated. Commit when ready.'));
+    process.exit(EXIT_CODES.SUCCESS);
+  }
 
-      logger.logPhaseStart('patch', `Applying patch for ${cve.id}`);
+  // Create branch and apply fixes
+  const branchName = `codeprobe-fix-${dayjs().format('YYYY-MM-DD-HHmmss')}`;
+  console.log(chalk.dim(`\nCreating branch: ${branchName}`));
+  createBranch(branchName);
 
-      // Mock: just log the patch
-      console.log(chalk.gray(`  Patch preview:\n${cve.patch_diff.split('\n').slice(0, 5).join('\n')}`));
+  applyVersionBumps(repoPath, bumps);
+  console.log(chalk.green('\n✓ package.json updated'));
 
-      // In production: apply patch using git apply or manual file updates
-      // For now: mock success
-      logger.logPhaseComplete('patch', `Patched ${cve.package}: ${cve.version_vulnerable} → ${cve.patch_version}`);
-    }
+  const commitMsg = `security: bump ${bumps.length} vulnerable package(s) via codeprobe\\n\\n${bumps.map(b => `- ${b.package}: ${b.from} -> ${b.to}`).join('\\n')}`;
+  commitAndPush(commitMsg, branchName);
 
-    // Commit with detailed message
-    const commitMsg =
-      `[CodeProbe] Fix ${exploitableCVEs.length} exploitable CVE(s)\n\n` +
-      exploitableCVEs
-        .map((cve) => `- ${cve.id} (${cve.package} ${cve.version_vulnerable} → ${cve.patch_version})`)
-        .join('\n');
-
-    logger.logPhaseStart('git', 'Committing patches');
-    commitChanges(commitMsg);
-    logger.logPhaseComplete('git', 'Changes committed');
-
-    // Show what to do next
-    console.log('');
-    console.log(chalk.green('✓ Patches applied successfully!'));
-    console.log(chalk.cyan(`\nNext steps:`));
-    console.log(chalk.cyan(`  1. Review changes: git diff main`));
-    console.log(chalk.cyan(`  2. Push branch: git push -u origin ${branchName}`));
-    console.log(chalk.cyan(`  3. Create PR on GitHub`));
-
-    logger.printSeparator();
-    process.exit(EXIT_CODES.SUCCESS);
-  } catch (error) {
-    handleError(error, logger, true);
-  }
+  console.log(chalk.bold.green(`\n✨ Done! Branch '${branchName}' created and pushed.\n`));
+  console.log(chalk.cyan('Next steps:'));
+  console.log(`  1. Run your package manager: ${chalk.white('bun install')} or ${chalk.white('npm install')}`);
+  console.log(`  2. Open a PR from branch: ${chalk.white(branchName)}`);
+  console.log('');
+
+  logger.printSeparator();
+  process.exit(EXIT_CODES.SUCCESS);
 }

package/src/engine/index.ts

@@ -61,10 +61,13 @@ export class CodeProbeEngine {
         }
       }
 
-      // Step 7: Generate patches (Nosana)
+      // Step 7: Generate patches for exploitable CVEs + any HIGH/CRITICAL with a known fix version
       console.log("\x1b[33m[Nosana]\x1b[0m 🔧 Generating patches with LLM...");
       await this.patcher.loadPrebakedPatches();
-      const patches = await this.patcher.generateAllPatches(matchedCves.filter((c) => c.exploitable));
+      const patchCandidates = matchedCves.filter((c) =>
+        c.exploitable || ((c.severity === "CRITICAL" || c.severity === "HIGH") && c.version_fixed)
+      );
+      const patches = await this.patcher.generateAllPatches(patchCandidates);
       for (const cve of matchedCves) {
         if (patches.has(cve.id)) {
           cve.patch_diff = patches.get(cve.id);