codeslick-cli 1.2.5 → 1.4.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +104 -11
- package/dist/packages/cli/src/scanner/local-scanner.d.ts +2 -2
- package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -1
- package/dist/packages/cli/src/scanner/local-scanner.js +10 -1
- package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -1
- package/dist/src/lib/analyzers/secrets/patterns/credentials.js +1 -1
- package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -1
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +4 -0
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -1
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +48 -4
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -1
- package/dist/src/lib/analyzers/terraform/aws-checks.d.ts +71 -0
- package/dist/src/lib/analyzers/terraform/aws-checks.d.ts.map +1 -0
- package/dist/src/lib/analyzers/terraform/aws-checks.js +538 -0
- package/dist/src/lib/analyzers/terraform/aws-checks.js.map +1 -0
- package/dist/src/lib/analyzers/terraform/parser.d.ts +14 -0
- package/dist/src/lib/analyzers/terraform/parser.d.ts.map +1 -0
- package/dist/src/lib/analyzers/terraform/parser.js +237 -0
- package/dist/src/lib/analyzers/terraform/parser.js.map +1 -0
- package/dist/src/lib/analyzers/terraform/types.d.ts +70 -0
- package/dist/src/lib/analyzers/terraform/types.d.ts.map +1 -0
- package/dist/src/lib/analyzers/terraform/types.js +9 -0
- package/dist/src/lib/analyzers/terraform/types.js.map +1 -0
- package/dist/src/lib/analyzers/terraform-analyzer.d.ts +49 -0
- package/dist/src/lib/analyzers/terraform-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/terraform-analyzer.js +140 -0
- package/dist/src/lib/analyzers/terraform-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +23 -8
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -1
- package/dist/src/lib/security/epss-service.d.ts.map +1 -1
- package/dist/src/lib/security/epss-service.js +64 -50
- package/dist/src/lib/security/epss-service.js.map +1 -1
- package/dist/src/lib/security/severity-scoring.d.ts.map +1 -1
- package/dist/src/lib/security/severity-scoring.js +116 -0
- package/dist/src/lib/security/severity-scoring.js.map +1 -1
- package/dist/src/lib/types/index.d.ts +1 -1
- package/dist/src/lib/types/index.d.ts.map +1 -1
- package/package.json +10 -7
- package/src/scanner/local-scanner.ts +13 -2
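--- a/package/README.md
+++ b/package/README.md
@@ -1,6 +1,6 @@
 # @codeslick/cli
 
-**CodeSlick CLI** - Pre-commit security scanner for JavaScript, TypeScript, Python, Java, and
+**CodeSlick CLI** - Pre-commit security scanner for JavaScript, TypeScript, Python, Java, Go, and Terraform.
 
 Catch security vulnerabilities before they enter your codebase with automated pre-commit scanning.
 
@@ -9,11 +9,12 @@ Catch security vulnerabilities before they enter your codebase with automated pr
 - **Local Security Scanning** - No API calls required, fully offline
 - **Pre-commit Hook Integration** - Automatically scans staged files before each commit
 - **Fast Analysis** - <3s for 10 files using CodeSlick's analyzer engine
-- **Multi-language Support** - JavaScript, TypeScript, Python, Java, Go
+- **Multi-language Support** - JavaScript, TypeScript, Python, Java, Go, Terraform
+- **IaC Security** - Detects AWS misconfigurations in Terraform (S3, IAM, and more)
 - **Configurable Thresholds** - Block commits on CRITICAL, HIGH, MEDIUM, or LOW severity
 - **Beautiful Terminal Output** - Color-coded results with CVSS scores and fix suggestions
 - **CI/CD Ready** - JSON output mode for automation
-- **OWASP Top 10:2025 Compliant** -
+- **OWASP Top 10:2025 Compliant** - 304 comprehensive security checks
 
 ## Prerequisites
 
@@ -155,6 +156,8 @@ codeslick scan [files...] [options]
 - `--severity, -s <level>` - Override severity threshold (critical|high|medium|low)
 - `--fix` - Auto-apply fixes where possible (experimental)
 - `--json` - Output results as JSON (for CI/CD)
+- `--verify` - **NEW**: Run security scan + tests (combined pass/fail) ⭐
+- `--test-command <cmd>` - Custom test command (e.g., "npm test", "pytest")
 
 **Default Behavior:** Scans only **staged files** for fast pre-commit feedback.
 
@@ -167,6 +170,10 @@ codeslick scan --verbose # Show all issues (including MEDIUM/LOW)
 codeslick scan src/**/*.js # Scan specific files/patterns
 codeslick scan --json # JSON output (for CI/CD)
 codeslick scan --severity high # Temporarily override threshold
+
+# NEW: Test Execution Integration (v1.3)
+codeslick scan --verify # Run security scan + tests (both must pass)
+codeslick scan --verify --test-command "pytest --cov" # Custom test command
 ```
 
 ---
@@ -246,7 +253,19 @@ The `.codeslick.json` file controls how CodeSlick scans your code.
 "**/test/**",
 "**/tests/**"
 ],
-"languages": ["javascript", "typescript", "python", "java", "go"]
+"languages": ["javascript", "typescript", "python", "java", "go", "terraform"],
+
+// NEW: Pass/Fail Thresholds (v1.3)
+"thresholdEnabled": true,
+"thresholdBlockCritical": true,
+"thresholdBlockHigh": false,
+"thresholdMaxVulnerabilities": 50,
+"thresholdMaxEpss": 70,
+"thresholdExemptPaths": ["**/__tests__/**", "vendor/**"],
+
+// NEW: Test Execution Integration (v1.3)
+"testCommand": "npm test",
+"testTimeout": 300000
 }
 ```
 
@@ -258,8 +277,18 @@ The `.codeslick.json` file controls how CodeSlick scans your code.
 | `severity` | string | `"critical"` | Severity threshold: `critical`, `high`, `medium`, `low` |
 | `autofix` | boolean | `false` | Enable auto-fix (experimental) |
 | `exclude` | string[] | See above | Glob patterns to exclude from scanning |
-| `languages` | string[] | All | Languages to scan: `javascript`, `typescript`, `python`, `java`, `go` |
+| `languages` | string[] | All | Languages to scan: `javascript`, `typescript`, `python`, `java`, `go`, `terraform` |
 | `telemetry` | boolean | `true` | Enable anonymous usage analytics |
+| **Thresholds (v1.3)** | | | |
+| `thresholdEnabled` | boolean | `true` | Enable pass/fail threshold enforcement |
+| `thresholdBlockCritical` | boolean | `true` | Block on CRITICAL vulnerabilities |
+| `thresholdBlockHigh` | boolean | `false` | Block on HIGH severity vulnerabilities |
+| `thresholdMaxVulnerabilities` | number | `50` | Max total vulnerabilities allowed |
+| `thresholdMaxEpss` | number | `70` | Max EPSS score (0-100, exploitability %) |
+| `thresholdExemptPaths` | string[] | `[]` | Glob patterns exempt from thresholds |
+| **Test Execution (v1.3)** | | | |
+| `testCommand` | string | Auto-detect | Test command to run with `--verify` flag |
+| `testTimeout` | number | `300000` | Test execution timeout (milliseconds) |
 
 ### Severity Thresholds
 
@@ -283,8 +312,9 @@ CodeSlick CLI uses the same analysis engine as the GitHub App and WebTool.
 | **Python** | 47 checks | Django/Flask security, pickle, exec(), secrets |
 | **Java** | 32 checks | Log4j, Spring Security, SQL injection, deserialization |
 | **Go** | 26 checks | SQL injection, command injection, TLS misconfig, race conditions |
+| **Terraform** | 10 checks | S3 public ACL, IAM wildcards, encryption, versioning, logging |
 
-**Total**:
+**Total**: 304 comprehensive security checks
 
 ### OWASP Top 10:2025 Compliance
 
@@ -319,7 +349,13 @@ jobs:
 - uses: actions/setup-node@v3
 with:
 node-version: 18
+
+# Option 1: Security scan only
 - run: npx codeslick-cli scan --json > results.json
+
+# Option 2: Security scan + tests (v1.3) ⭐
+- run: npx codeslick-cli scan --verify
+
 - uses: actions/upload-artifact@v3
 if: always()
 with:
@@ -525,7 +561,61 @@ MIT License - see [LICENSE](../../LICENSE) for details.
 - **Issues**: https://github.com/VitorLourenco/codeslick2/issues
 - **Email**: support@codeslick.dev
 
-## What's New in v1.
+## What's New in v1.4 🚀
+
+**Terraform IaC Security Scanning** (February 2026)
+
+- **Terraform Language Support** - Full Infrastructure as Code security analysis
+- **10 AWS Security Checks** - S3 buckets (public ACL, encryption, versioning, logging) + IAM policies (wildcard actions/resources, privilege escalation)
+- **Multiline HCL Parsing** - Correctly handles multiline `jsonencode()` and nested objects
+- **OWASP A01:2021 Compliance** - Detects Broken Access Control in cloud infrastructure
+- **Pre-commit IaC Validation** - Block insecure Terraform before deployment
+- **304 Total Security Checks** - Now supporting 6 languages
+
+**Example:**
+```bash
+cs scan infrastructure/*.tf
+# ✖ CRITICAL: S3 bucket has public ACL: "public-read"
+# ✖ CRITICAL: IAM policy allows wildcard actions (Action: "*")
+# ⚠ HIGH: S3 bucket does not have encryption enabled
+# Exit code: 1 (blocked - 3 critical issues)
+```
+
+### Detected Terraform Vulnerabilities
+
+| Check | Severity | OWASP | Description |
+|-------|----------|-------|-------------|
+| S3 Public ACL | CRITICAL | A01:2021 | Detects `acl = "public-read"` |
+| S3 Encryption | HIGH | A02:2021 | Missing server-side encryption |
+| S3 Versioning | MEDIUM | A09:2021 | No versioning enabled |
+| S3 Logging | MEDIUM | A09:2021 | No access logs |
+| IAM Wildcard Actions | CRITICAL | A01:2021 | `Action = "*"` detected |
+| IAM Wildcard Resources | HIGH | A01:2021 | `Resource = "*"` detected |
+| IAM Admin Policy | CRITICAL | A01:2021 | AdministratorAccess equivalent |
+| IAM Privilege Escalation | CRITICAL | A01:2021 | Can grant self permissions |
+
+---
+
+## What's New in v1.3 ⭐
+
+**Pass/Fail Thresholds + Test Execution Integration** (February 2026)
+
+- **`--verify` Flag** - Run security scan + tests in one command (both must pass)
+- **Granular Thresholds** - Configure exactly what blocks commits (CRITICAL only, HIGH+, max count, EPSS score)
+- **Path Exemptions** - Exclude test files, vendor code, docs from threshold enforcement
+- **Auto-Detect Test Frameworks** - Supports npm test, pytest, go test, maven, gradle
+- **Combined Pass/Fail** - Exit code 0 only if BOTH security AND tests pass
+- **CLI Default: Enabled** - Thresholds enforce by default (configurable in `.codeslick.json`)
+
+**Example:**
+```bash
+cs scan --verify # Run security scan + tests
+# ✓ Analyzed 50 files (0 CRITICAL)
+# ✓ Tests passed (127 tests, 0 failures)
+# Exit code: 0 (commit allowed)
+```
+
+### v1.2 Features
 
 - **Go Language Support** - Added comprehensive Go security analysis with 26 security checks
 - **AI-Generated Code Detection** - Detects AI hallucinations and code smells in Go code
@@ -550,10 +640,13 @@ MIT License - see [LICENSE](../../LICENSE) for details.
 
 ## Roadmap
 
-### v1.
--
--
--
+### v1.5 (Coming Q2 2026)
+- **More Terraform Providers** - Azure (azurerm_), GCP (google_) resources
+- **Expanded IaC Coverage** - EC2, RDS, Lambda, VPC security checks (15+ new)
+- **Custom Rule Configuration** - Define your own security rules via YAML/JSON
+- **IDE Integration** - VS Code extension with inline security hints
+- **Enhanced Auto-fix** - More intelligent fix suggestions for complex issues
+- **Smart Exemptions** - ML-based false positive detection
 
 ---
 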
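--- a/package/dist/packages/cli/src/scanner/local-scanner.d.ts
+++ b/package/dist/packages/cli/src/scanner/local-scanner.d.ts
@@ -8,7 +8,7 @@
 * - No API calls required (fully offline)
 * - Fast scanning (<3s for 10 files)
 * - Same analysis engine as GitHub App and WebTool
-* - Supports JavaScript, TypeScript, Python, Java, Go
+* - Supports JavaScript, TypeScript, Python, Java, Go, Terraform
 *
 * @module packages/cli/src/scanner/local-scanner
 */
@@ -16,7 +16,7 @@ import type { AnalyzerResult } from '../../../../src/lib/analyzers/types';
 /**
 * Supported programming languages
 */
-export type SupportedLanguage = 'javascript' | 'typescript' | 'python' | 'java' | 'go';
+export type SupportedLanguage = 'javascript' | 'typescript' | 'python' | 'java' | 'go' | 'terraform';
 /**
 * Result of scanning a single file
 */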
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"local-scanner.d.ts","sourceRoot":"","sources":["../../../../../src/scanner/local-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAE1E;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,YAAY,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"local-scanner.d.ts","sourceRoot":"","sources":["../../../../../src/scanner/local-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAE1E;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,YAAY,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,IAAI,GAAG,WAAW,CAAC;AAErG;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,iBAAiB,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IAC3D,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CA4BzE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAwBlF;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,cAAc;;;;;EAS1D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,QAAQ,CAC5B,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,aAAkB,GACzB,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAuFhC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,SAAS,CAC7B,SAAS,EAAE,MAAM,EAAE,EACnB,MAAM,GAAE,aAAkB,GACzB,OAAO,CAAC,cAAc,EAAE,CAAC,CAoC3B;AA0ED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,cAAc,EAAE,EACzB,SAAS,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAChD,OAAO,CAkBT"}
|
|
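--- a/package/dist/packages/cli/src/scanner/local-scanner.js
+++ b/package/dist/packages/cli/src/scanner/local-scanner.js
@@ -9,7 +9,7 @@
 * - No API calls required (fully offline)
 * - Fast scanning (<3s for 10 files)
 * - Same analysis engine as GitHub App and WebTool
-* - Supports JavaScript, TypeScript, Python, Java, Go
+* - Supports JavaScript, TypeScript, Python, Java, Go, Terraform
 *
 * @module packages/cli/src/scanner/local-scanner
 */
@@ -75,6 +75,9 @@ function detectLanguage(filePath) {
 if (ext.endsWith('.go')) {
 return 'go';
 }
+if (ext.endsWith('.tf') || ext.endsWith('.tfvars')) {
+return 'terraform';
+}
 return null;
 }
 /**
@@ -175,6 +178,12 @@ async function scanFile(filePath, config = {}) {
 result = await analyzer.analyze({ code, filename: filePath, options: analyzerOptions });
 break;
 }
+case 'terraform': {
+const { TerraformAnalyzer } = await Promise.resolve().then(() => __importStar(require('../../../../src/lib/analyzers/terraform-analyzer')));
+const analyzer = new TerraformAnalyzer();
+result = await analyzer.analyze({ code, filename: filePath, options: analyzerOptions });
+break;
+}
 default:
 return null;
 }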
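Review bot: The new `case 'terraform'` block in `scanFile`'s `switch` is the sixth copy of the same three-line load/instantiate/analyze sequence, differing only in the module path and class name; a table keyed by `SupportedLanguage` that maps each language to a loader would make the next language a one-entry change and keep `detectLanguage` and `scanFile` from drifting apart (the edit belongs in `package/src/scanner/local-scanner.ts`, listed in the diffstat but not shown here, since this file is compiled output). Separately, `detectLanguage` now routes `.tfvars` to the same `TerraformAnalyzer` as `.tf`; whether that analyzer does anything useful with a variables-only file, and whether such files should additionally pass through the secrets checks given that they commonly carry credential values, is not visible from this hunk and is worth confirming with a test fixture. `scanFile` starts and ends outside the hunk.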
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"local-scanner.js","sourceRoot":"","sources":["../../../../../src/scanner/local-scanner.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCH,
|
|
1
|
+
{"version":3,"file":"local-scanner.js","sourceRoot":"","sources":["../../../../../src/scanner/local-scanner.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCH,wCA4BC;AAMD,sCAwBC;AAKD,oDASC;AAeD,4BA0FC;AAaD,8BAuCC;AAmFD,4CAqBC;AAjXD,0CAAuC;AACvC,+BAAgC;AAgChC;;GAEG;AACH,SAAgB,cAAc,CAAC,QAAgB;IAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAEnC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACnD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,QAAgB,EAAE,eAAyB;IACvE,MAAM,YAAY,GAAG,IAAA,eAAQ,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC;IACvD,mEAAmE;IACnE,MAAM,cAAc,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAExD,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,kDAAkD;QAClD,8DAA8D;QAC9D,MAAM,YAAY,GAAG,OAAO;aACzB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAW,cAAc;aAC9C,OAAO,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAE,0BAA0B;aAC9D,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAS,8BAA8B;aAC9D,OAAO,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,kCAAkC;aACnE,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAa,wBAAwB;aACxD,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,iBAAiB;QAExF,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,YAAY,GAAG,GAAG,CAAC,CAAC;QAEnD,IAAI,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,MAAsB;IACzD,MAAM,eAAe,GAAG,MAAM,CAAC,QAAQ,EAA
E,eAAe,IAAI,EAAE,CAAC;IAE/D,OAAO;QACL,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,UAAU,CAAC,CAAC,MAAM;QAC5F,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC,MAAM;QACpF,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC,CAAC,MAAM;QACxF,GAAG,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,CAAC,MAAM;KACnF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACI,KAAK,UAAU,QAAQ,CAC5B,QAAgB,EAChB,SAAwB,EAAE;IAE1B,IAAI,CAAC;QACH,kBAAkB;QAClB,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,CAAC,wBAAwB;QACvC,CAAC;QAED,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,IAAI,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC,CAAC,2BAA2B;QAC1C,CAAC;QAED,oBAAoB;QACpB,MAAM,IAAI,GAAG,MAAM,IAAA,mBAAQ,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAE/C,gDAAgD;QAChD,wDAAwD;QACxD,MAAM,eAAe,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK,EAAE,CAAC;QACjE,IAAI,MAAsB,CAAC;QAE3B,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,MAAM,EAAE,kBAAkB,EAAE,GAAG,wDAC7B,mDAAmD,GACpD,CAAC;gBACF,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;gBAC1C,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,MAAM,EAAE,kBAAkB,EAAE,GAAG,wDAC7B,mDAAmD,GACpD,CAAC;gBACF,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;gBAC1C,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,EAAE,cAAc,EAAE,GAAG,wDAAa,+CAA+C,GAAC,CAAC;gBACzF,MAAM,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAC;gBACtC,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,6CAA6C,GAAC,CAAC;gBACrF,MAAM,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;
gBACpC,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,IAAI,CAAC,CAAC,CAAC;gBACV,MAAM,EAAE,UAAU,EAAE,GAAG,wDAAa,2CAA2C,GAAC,CAAC;gBACjF,MAAM,QAAQ,GAAG,IAAI,UAAU,EAAE,CAAC;gBAClC,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,WAAW,CAAC,CAAC,CAAC;gBACjB,MAAM,EAAE,iBAAiB,EAAE,GAAG,wDAAa,kDAAkD,GAAC,CAAC;gBAC/F,MAAM,QAAQ,GAAG,IAAI,iBAAiB,EAAE,CAAC;gBACzC,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED;gBACE,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,oCAAoC;QACpC,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAE5C,OAAO;YACL,QAAQ;YACR,YAAY,EAAE,IAAA,eAAQ,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC;YAC/C,QAAQ;YACR,MAAM;YACN,GAAG,MAAM;SACV,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,8CAA8C;QAC9C,OAAO,CAAC,KAAK,CAAC,kBAAkB,QAAQ,GAAG,EAAE,KAAK,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACI,KAAK,UAAU,SAAS,CAC7B,SAAmB,EACnB,SAAwB,EAAE;IAE1B,6DAA6D;IAC7D,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC9B,0CAA0C;YAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,EAAE,CAAC;YACpB,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,8CAA8C;IAC9C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IAChC,CAAC;SAAM,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAClD,0DAA0D;QAC1D,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;QACnF,O
AAO,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAuB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC;IAC5E,CAAC;IAED,qDAAqD;IACrD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;QACzF,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAuB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,mBAAmB,CAChC,SAAmB,EACnB,UAAyB,EAAE;IAE3B,MAAM,EAAE,QAAQ,EAAE,GAAG,wDAAa,aAAa,GAAC,CAAC;IACjD,MAAM,EAAE,QAAQ,EAAE,GAAG,wDAAa,MAAM,GAAC,CAAC;IAE1C,oCAAoC;IACpC,MAAM,EAAE,6BAA6B,EAAE,0BAA0B,EAAE,GAAG,wDACpE,uDAAuD,GACxD,CAAC;IAEF,yDAAyD;IACzD,MAAM,WAAW,GAAG,6BAA6B,CAAC,SAAS,CAAC,CAAC;IAE7D,mEAAmE;IACnE,MAAM,EAAE,kBAAkB,EAAE,GAAG,wDAC7B,mDAAmD,GACpD,CAAC;IAEF,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAE/C,4CAA4C;YAC5C,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;YAC1C,0EAA0E;YAC1E,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;YAElG,2CAA2C;YAC3C,MAAM,eAAe,GAAG,WAAW,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACpE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,MAAM,UAAU,GAAG,0BAA0B,CAAC,eAAe,CAAC,CAAC;gBAC/D,MAAM,mBAAmB,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,KAAU,EAAE,EAAE,CAAC,CAAC;oBAC1D,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,OAAO,EAAE,KAAK,CAAC,OAAO;oBACtB,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,QAAQ,EAAE,eAAe;oBACzB,SAAS,EAAE,KAAK,CAAC,SAAS;oBAC1B,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;oBAC1C,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,GAAG,EAAE,KAAK,CAAC,GAAG;iBACf,CAAC,CAAC,CAAC;gBACJ,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,CAAC;YAC/D,CAAC;YAED,wBAAwB;YACxB,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;YAE5C,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ;gBACR,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EA
AE,QAAQ,CAAC;gBAC/C,QAAQ,EAAE,YAAY;gBACtB,MAAM;gBACN,GAAG,MAAM;aACV,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,kBAAkB,QAAQ,GAAG,EAAE,KAAK,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,gBAAgB,CAC9B,OAAyB,EACzB,SAAiD;IAEjD,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IACtE,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC9D,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAE5D,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,UAAU;YACb,OAAO,aAAa,GAAG,CAAC,CAAC;QAC3B,KAAK,MAAM;YACT,OAAO,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,CAAC;QAC5C,KAAK,QAAQ;YACX,OAAO,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,IAAI,WAAW,GAAG,CAAC,CAAC;QAC/D,KAAK,KAAK;YACR,OAAO,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,IAAI,WAAW,GAAG,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC;QAC/E;YACE,OAAO,aAAa,GAAG,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC"}
|
|
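--- a/package/dist/src/lib/analyzers/secrets/patterns/credentials.js
+++ b/package/dist/src/lib/analyzers/secrets/patterns/credentials.js
@@ -30,7 +30,7 @@ exports.CREDENTIAL_PATTERNS = [
 pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"]([^'"]{8,})['"]/i,
 minEntropy: 3.0,
 description: 'Password hardcoded in source code',
-severity: '
+severity: 'critical', // OWASP 2021/2025 A07 - Hardcoded credentials are CRITICAL (CVSS 9.1)
 owaspCategory: 'A07:2021 - Identification and Authentication Failures',
 cwe: 'CWE-798',
 },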
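Review bot: The `(CVSS 9.1)` in the comment on the new `severity: 'critical'` line documents a score that this pattern object does not carry and that nothing in the hunk enforces; in the same release `SecretsAnalyzer.createVulnerability` takes both `severity` and `cvssScore` from `calculateSeverityScore(\`hardcoded-secret-${match.pattern.id}\`)` rather than from `pattern.severity`, so this field and the centralized scoring entry can silently disagree. Either drop the figure from the comment or name the entry it is meant to mirror, e.g. `severity: 'critical', // keep in sync with the hardcoded-secret-<pattern id> entry in security/severity-scoring`. Whether `pattern.severity` is still read anywhere else (filtering, confidence) is not visible here. The enclosing `CREDENTIAL_PATTERNS` array starts and ends outside the hunk.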
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/secrets/patterns/credentials.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAIU,QAAA,mBAAmB,GAAoB;IAClD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,yEAAyE;QAClF,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,UAAU;QACpB,aAAa,EAAE,uDAAuD;QACtE,GAAG,EAAE,SAAS;KACf;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,uDAAuD;QAChE,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,mCAAmC;QAChD,QAAQ,EAAE,
|
|
1
|
+
{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/secrets/patterns/credentials.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAIU,QAAA,mBAAmB,GAAoB;IAClD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,yEAAyE;QAClF,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,UAAU;QACpB,aAAa,EAAE,uDAAuD;QACtE,GAAG,EAAE,SAAS;KACf;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,uDAAuD;QAChE,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,mCAAmC;QAChD,QAAQ,EAAE,UAAU,EAAE,sEAAsE;QAC5F,aAAa,EAAE,uDAAuD;QACtE,GAAG,EAAE,SAAS;KACf;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,oEAAoE;QAC7E,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE,UAAU;QACpB,aAAa,EAAE,mCAAmC;QAClD,GAAG,EAAE,SAAS;KACf;IACD;QACE,EAAE,EAAE,4BAA4B;QAChC,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,8CAA8C;QACvD,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE,UAAU;QACpB,aAAa,EAAE,uDAAuD;QACtE,GAAG,EAAE,SAAS;KACf;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,gFAAgF;QACzF,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE,UAAU;QACpB,aAAa,EAAE,mCAAmC;QAClD,GAAG,EAAE,SAAS;KACf;CACF,CAAC"}
|
|
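--- a/package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts
+++ b/package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts
@@ -76,6 +76,10 @@ export declare class SecretsAnalyzer {
 * Get fix recommendation based on secret type and language
 */
 private getRecommendation;
+/**
+* Get code fix example based on language
+*/
+private getFixExample;
 /**
 * Calculate confidence score (0-100) based on entropy and context
 */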
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secrets-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/secrets/secrets-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;
|
|
1
|
+
{"version":3,"file":"secrets-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/secrets/secrets-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;AAUjD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,kEAAkE;IAClE,EAAE,EAAE,MAAM,CAAC;IACX,0BAA0B;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,wCAAwC;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,qEAAqE;IACrE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qCAAqC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,0BAA0B;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,qBAAqB;IACrB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,aAAa,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAkB;;IAYlC;;;;;;;OAOG;IACI,WAAW,CAChB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,YAAY,GAAG,IAAI,GAC/D,qBAAqB,EAAE;IAiC1B;;OAEG;IACH,OAAO,CAAC,WAAW;IA4BnB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAwC3B;;OAEG;IACH,OAAO,CAAC,UAAU;IASlB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAiBzB;;OAEG;IACH,OAAO,CAAC,aAAa;IAerB;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAiB5B;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,eAAe,CAEvD"}
|
|
@@ -22,6 +22,8 @@ const credentials_1 = require("./patterns/credentials");
|
|
|
22
22
|
const tokens_1 = require("./patterns/tokens");
|
|
23
23
|
const entropy_checker_1 = require("./validators/entropy-checker");
|
|
24
24
|
const context_checker_1 = require("./validators/context-checker");
|
|
25
|
+
const severity_scoring_1 = require("../../security/severity-scoring");
|
|
26
|
+
const compliance_mapping_1 = require("../../security/compliance-mapping");
|
|
25
27
|
/**
|
|
26
28
|
* Main secrets analyzer class
|
|
27
29
|
*/
|
|
@@ -95,14 +97,37 @@ class SecretsAnalyzer {
|
|
|
95
97
|
* Create a security vulnerability from a secret match
|
|
96
98
|
*/
|
|
97
99
|
createVulnerability(match, filePath, language) {
|
|
100
|
+
// Use centralized scoring system for consistent CVSS scores
|
|
101
|
+
const category = `hardcoded-secret-${match.pattern.id}`;
|
|
102
|
+
const scoring = (0, severity_scoring_1.calculateSeverityScore)(category);
|
|
103
|
+
const compliance = (0, compliance_mapping_1.getComplianceMapping)(category);
|
|
98
104
|
return {
|
|
99
|
-
severity:
|
|
105
|
+
severity: scoring.severity,
|
|
100
106
|
message: `Hardcoded secret detected: ${match.pattern.name} - ${this.maskSecret(match.value)}`,
|
|
101
107
|
line: match.line,
|
|
102
108
|
suggestion: this.getRecommendation(match.pattern, language),
|
|
103
|
-
category
|
|
104
|
-
|
|
105
|
-
|
|
109
|
+
category,
|
|
110
|
+
cvssScore: scoring.cvssScore,
|
|
111
|
+
exploitLikelihood: scoring.exploitLikelihood,
|
|
112
|
+
impact: scoring.impact,
|
|
113
|
+
owasp: compliance.owasp || match.pattern.owaspCategory,
|
|
114
|
+
cwe: compliance.cwe || match.pattern.cwe,
|
|
115
|
+
pciDss: compliance.pciDss,
|
|
116
|
+
attackVector: {
|
|
117
|
+
description: `Hardcoded ${match.pattern.name.toLowerCase()} exposed in source code. Visible to anyone with repository access.`,
|
|
118
|
+
exploitExample: `Attacker with code access can extract: ${this.maskSecret(match.value)}`,
|
|
119
|
+
realWorldImpact: [
|
|
120
|
+
'Unauthorized access to systems',
|
|
121
|
+
'Cannot rotate without code deployment',
|
|
122
|
+
'Persists in Git history forever',
|
|
123
|
+
'PCI-DSS, SOC 2, ISO 27001 violations',
|
|
124
|
+
],
|
|
125
|
+
},
|
|
126
|
+
remediation: {
|
|
127
|
+
before: match.context,
|
|
128
|
+
after: this.getFixExample(match.pattern, language),
|
|
129
|
+
explanation: this.getRecommendation(match.pattern, language),
|
|
130
|
+
},
|
|
106
131
|
};
|
|
107
132
|
}
|
|
108
133
|
/**
|
|
@@ -133,6 +158,25 @@ class SecretsAnalyzer {
|
|
|
133
158
|
`4. Add to .gitignore if stored in config file\n` +
|
|
134
159
|
`5. Rotate the exposed secret immediately`;
|
|
135
160
|
}
|
|
161
|
+
/**
|
|
162
|
+
* Get code fix example based on language
|
|
163
|
+
*/
|
|
164
|
+
getFixExample(pattern, language) {
|
|
165
|
+
const varName = pattern.id.toUpperCase().replace(/-/g, '_');
|
|
166
|
+
if (language === 'python') {
|
|
167
|
+
return `import os\n${varName} = os.environ.get("${varName}") # Store in .env file`;
|
|
168
|
+
}
|
|
169
|
+
else if (language === 'java') {
|
|
170
|
+
return `String ${varName.toLowerCase()} = System.getenv("${varName}");`;
|
|
171
|
+
}
|
|
172
|
+
else if (language === 'go') {
|
|
173
|
+
return `import "os"\n${varName.toLowerCase()} := os.Getenv("${varName}")`;
|
|
174
|
+
}
|
|
175
|
+
else {
|
|
176
|
+
// JavaScript/TypeScript
|
|
177
|
+
return `const ${varName.toLowerCase()} = process.env.${varName}; // Store in .env file`;
|
|
178
|
+
}
|
|
179
|
+
}
|
|
136
180
|
/**
|
|
137
181
|
* Calculate confidence score (0-100) based on entropy and context
|
|
138
182
|
*/
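Review bot: In createVulnerability, `before: match.context` (new line 127) stores the match context unmasked, while `message` and `exploitExample` on the same object are routed through `this.maskSecret(match.value)`; if `context` is the source line that produced the match (the name suggests so, but the hunk does not show where it is built), the full secret ends up verbatim in every report or CI log that renders the remediation block, defeating the masking done two fields above. Redact the value inside the context before storing it, e.g. `before: match.context.replace(match.value, this.maskSecret(match.value)),` (or `replaceAll` if one line can contain the same value more than once). The `owasp`/`cwe` fallbacks via `||` are fine for string fields, but it is worth a one-line comment stating that `calculateSeverityScore(category)` must handle an unknown `hardcoded-secret-<id>` category, since the hunk does not show a default. The enclosing class SecretsAnalyzer continues outside this hunk.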
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secrets-analyzer.js","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/secrets/secrets-analyzer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;
|
|
1
|
+
{"version":3,"file":"secrets-analyzer.js","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/secrets/secrets-analyzer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAgQH,sDAEC;AA/PD,kDAAuD;AACvD,0DAA+D;AAC/D,wDAA6D;AAC7D,8CAAmD;AACnD,kEAAgE;AAChE,kEAAqE;AACrE,sEAAyE;AACzE,0EAAyE;AAoCzE;;GAEG;AACH,MAAa,eAAe;IAG1B;QACE,iDAAiD;QACjD,IAAI,CAAC,QAAQ,GAAG;YACd,GAAG,2BAAgB;YACnB,GAAG,mCAAoB;YACvB,GAAG,iCAAmB;YACtB,GAAG,uBAAc;SAClB,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACI,WAAW,CAChB,IAAY,EACZ,QAAgB,EAChB,QAAgE;QAEhE,MAAM,eAAe,GAA4B,EAAE,CAAC;QACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/B,6BAA6B;QAC7B,KAAK,IAAI,SAAS,GAAG,CAAC,EAAE,SAAS,GAAG,KAAK,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,CAAC;YAC9D,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC;YAC9B,MAAM,UAAU,GAAG,SAAS,GAAG,CAAC,CAAC;YAEjC,6BAA6B;YAC7B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACpC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;gBAE5D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;oBAC5B,+BAA+B;oBAC/B,IAAI,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;wBAC7D,SAAS,CAAC,2BAA2B;oBACvC,CAAC;oBAED,4BAA4B;oBAC5B,IAAI,IAAA,uCAAqB,EAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;wBAChE,SAAS,CAAC,8BAA8B;oBAC1C,CAAC;oBAED,uBAAuB;oBACvB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;gBAC5E,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;OAEG;IACK,WAAW,CACjB,IAAY,EACZ,OAAsB,EACtB,UAAkB;QAElB,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,IAAI,KAA6B,CAAC;QAElC,sCAAsC;QACtC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAEtD,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACvB,MAAM,OAAO,GAAG,IAAA,kCAAgB,EAAC,KAAK,CAAC,CAAC;YAExC,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO;gBACP,KAAK;gBACL,IAAI,EAAE,UAAU;gBAChB,MAAM,EAAE,KAAK,CAAC,KAAK;gBACnB,OAAO;gBACP,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE;aACrB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAA
C;IAED;;OAEG;IACK,mBAAmB,CACzB,KAAkB,EAClB,QAAgB,EAChB,QAAgB;QAEhB,4DAA4D;QAC5D,MAAM,QAAQ,GAAG,oBAAoB,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QACxD,MAAM,OAAO,GAAG,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC;QACjD,MAAM,UAAU,GAAG,IAAA,yCAAoB,EAAC,QAAQ,CAAC,CAAC;QAElD,OAAO;YACL,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,OAAO,EAAE,8BAA8B,KAAK,CAAC,OAAO,CAAC,IAAI,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;YAC7F,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,UAAU,EAAE,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC;YAC3D,QAAQ;YACR,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;YAC5C,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,UAAU,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,aAAa;YACtD,GAAG,EAAE,UAAU,CAAC,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG;YACxC,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,YAAY,EAAE;gBACZ,WAAW,EAAE,aAAa,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,oEAAoE;gBAC9H,cAAc,EAAE,0CAA0C,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;gBACxF,eAAe,EAAE;oBACf,gCAAgC;oBAChC,uCAAuC;oBACvC,iCAAiC;oBACjC,sCAAsC;iBACvC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,KAAK,CAAC,OAAO;gBACrB,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC;gBAClD,WAAW,EAAE,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC;aAC7D;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,UAAU,CAAC,KAAa;QAC9B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACtB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC/C,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IAC9B,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,OAAsB,EAAE,QAAgB;QAChE,MAAM,kBAAkB,GAAG,OAAO,CAAC,WAAW,CAAC;QAE/C,MAAM,aAAa,GAAG,QAAQ,KAAK,QAAQ;YACzC,CAAC,CAAC,2BAA2B;YAC7B,CAAC,CAAC,QAAQ,KAAK,MAAM;gBACrB,CAAC,CAAC,0BAA0B;gBAC5B,CAAC,CAAC,qBAAqB,CAAC;QAE1B,OAAO,GAAG,kBAAkB,wBAAwB;YAClD,0CAA0C;YAC1C,oEAAoE;YACpE,WAAW,aAAa,IAAI;YAC5B,iDAAiD;YACjD,0CAA0C,CAAC;IAC/C,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,OAAsB,EAAE,QAAgB;QAC5D,MAAM,OAAO,GAAG,OAAO,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAE5D,IAAI,QAAQ,KAAK,QAAQ,EAA
E,CAAC;YAC1B,OAAO,cAAc,OAAO,sBAAsB,OAAO,0BAA0B,CAAC;QACtF,CAAC;aAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,OAAO,UAAU,OAAO,CAAC,WAAW,EAAE,qBAAqB,OAAO,KAAK,CAAC;QAC1E,CAAC;aAAM,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YAC7B,OAAO,gBAAgB,OAAO,CAAC,WAAW,EAAE,kBAAkB,OAAO,IAAI,CAAC;QAC5E,CAAC;aAAM,CAAC;YACN,wBAAwB;YACxB,OAAO,SAAS,OAAO,CAAC,WAAW,EAAE,kBAAkB,OAAO,0BAA0B,CAAC;QAC3F,CAAC;IACH,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,KAAkB;QAC5C,IAAI,UAAU,GAAG,EAAE,CAAC,CAAC,kBAAkB;QAEvC,qCAAqC;QACrC,IAAI,KAAK,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC;YACxB,UAAU,IAAI,EAAE,CAAC;QACnB,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC;YAC/B,UAAU,IAAI,EAAE,CAAC;QACnB,CAAC;QAED,8CAA8C;QAC9C,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5E,UAAU,IAAI,EAAE,CAAC;QACnB,CAAC;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IACnC,CAAC;CACF;AA1MD,0CA0MC;AAED;;GAEG;AACH,SAAgB,qBAAqB;IACnC,OAAO,IAAI,eAAe,EAAE,CAAC;AAC/B,CAAC"}
|
|
@@ -0,0 +1,71 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Terraform AWS Security Checks
|
|
3
|
+
*
|
|
4
|
+
* WR3 Day 1-2: AWS S3 and IAM security misconfigurations
|
|
5
|
+
*
|
|
6
|
+
* Current: 10 checks (S3: 5, IAM: 5)
|
|
7
|
+
* Future: Will expand to EC2, RDS, Lambda (25 total AWS checks)
|
|
8
|
+
*/
|
|
9
|
+
import { SecurityVulnerability } from '../types';
|
|
10
|
+
import { TerraformResource } from './types';
|
|
11
|
+
/**
|
|
12
|
+
* Check 1: S3 Bucket with Public ACL (CRITICAL)
|
|
13
|
+
* OWASP: A01:2021 - Broken Access Control
|
|
14
|
+
* CWE: CWE-732 (Incorrect Permission Assignment)
|
|
15
|
+
*/
|
|
16
|
+
export declare function checkS3PublicACL(resource: TerraformResource): SecurityVulnerability | null;
|
|
17
|
+
/**
|
|
18
|
+
* Check 2: S3 Bucket Without Encryption (HIGH)
|
|
19
|
+
* OWASP: A02:2021 - Cryptographic Failures
|
|
20
|
+
* CWE: CWE-311 (Missing Encryption of Sensitive Data)
|
|
21
|
+
*/
|
|
22
|
+
export declare function checkS3Encryption(resource: TerraformResource): SecurityVulnerability | null;
|
|
23
|
+
/**
|
|
24
|
+
* Check 3: S3 Bucket Versioning Disabled (MEDIUM)
|
|
25
|
+
* OWASP: A09:2021 - Security Logging and Monitoring Failures
|
|
26
|
+
* CWE: CWE-778 (Insufficient Logging)
|
|
27
|
+
*/
|
|
28
|
+
export declare function checkS3Versioning(resource: TerraformResource): SecurityVulnerability | null;
|
|
29
|
+
/**
|
|
30
|
+
* Check 4: S3 Bucket Logging Disabled (MEDIUM)
|
|
31
|
+
* OWASP: A09:2021 - Security Logging and Monitoring Failures
|
|
32
|
+
* CWE: CWE-778 (Insufficient Logging)
|
|
33
|
+
*/
|
|
34
|
+
export declare function checkS3Logging(resource: TerraformResource): SecurityVulnerability | null;
|
|
35
|
+
/**
|
|
36
|
+
* Check 5: S3 Bucket Public Access Block Missing (CRITICAL)
|
|
37
|
+
* OWASP: A01:2021 - Broken Access Control
|
|
38
|
+
* CWE: CWE-732 (Incorrect Permission Assignment)
|
|
39
|
+
*/
|
|
40
|
+
export declare function checkS3PublicAccessBlock(resource: TerraformResource): SecurityVulnerability | null;
|
|
41
|
+
/**
|
|
42
|
+
* Check 6: IAM Policy with Wildcard Actions (CRITICAL)
|
|
43
|
+
* OWASP: A01:2021 - Broken Access Control
|
|
44
|
+
* CWE: CWE-269 (Improper Privilege Management)
|
|
45
|
+
*/
|
|
46
|
+
export declare function checkIAMWildcardActions(resource: TerraformResource): SecurityVulnerability | null;
|
|
47
|
+
/**
|
|
48
|
+
* Check 7: IAM Policy with Wildcard Resources (HIGH)
|
|
49
|
+
* OWASP: A01:2021 - Broken Access Control
|
|
50
|
+
* CWE: CWE-269 (Improper Privilege Management)
|
|
51
|
+
*/
|
|
52
|
+
export declare function checkIAMWildcardResources(resource: TerraformResource): SecurityVulnerability | null;
|
|
53
|
+
/**
|
|
54
|
+
* Check 8: IAM Policy with Admin Permissions (HIGH)
|
|
55
|
+
* OWASP: A01:2021 - Broken Access Control
|
|
56
|
+
* CWE: CWE-269 (Improper Privilege Management)
|
|
57
|
+
*/
|
|
58
|
+
export declare function checkIAMAdminPolicy(resource: TerraformResource): SecurityVulnerability | null;
|
|
59
|
+
/**
|
|
60
|
+
* Check 9: IAM Policy Allows Privilege Escalation (CRITICAL)
|
|
61
|
+
* OWASP: A01:2021 - Broken Access Control
|
|
62
|
+
* CWE: CWE-269 (Improper Privilege Management)
|
|
63
|
+
*/
|
|
64
|
+
export declare function checkIAMPrivilegeEscalation(resource: TerraformResource): SecurityVulnerability | null;
|
|
65
|
+
/**
|
|
66
|
+
* Check 10: IAM Role with Overly Permissive Assume Role Policy (MEDIUM)
|
|
67
|
+
* OWASP: A01:2021 - Broken Access Control
|
|
68
|
+
* CWE: CWE-732 (Incorrect Permission Assignment)
|
|
69
|
+
*/
|
|
70
|
+
export declare function checkIAMAssumeRolePolicy(resource: TerraformResource): SecurityVulnerability | null;
|
|
71
|
+
//# sourceMappingURL=aws-checks.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"aws-checks.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/terraform/aws-checks.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAO5C;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAqC1F;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAoC3F;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAmC3F;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAoCxF;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CA6ClG;AAMD;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CA0DjG;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAwDnG;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAqC7F;AAED;;;;GAIG;AACH,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CA4ErG;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAwDlG"}
|