codeslick-cli 1.3.0 → 1.4.0
- package/README.md +50 -11
- package/dist/packages/cli/src/scanner/local-scanner.d.ts +2 -2
- package/dist/packages/cli/src/scanner/local-scanner.d.ts.map +1 -1
- package/dist/packages/cli/src/scanner/local-scanner.js +10 -1
- package/dist/packages/cli/src/scanner/local-scanner.js.map +1 -1
- package/dist/src/lib/analyzers/secrets/patterns/credentials.js +1 -1
- package/dist/src/lib/analyzers/secrets/patterns/credentials.js.map +1 -1
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts +4 -0
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.d.ts.map +1 -1
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.js +48 -4
- package/dist/src/lib/analyzers/secrets/secrets-analyzer.js.map +1 -1
- package/dist/src/lib/analyzers/terraform/aws-checks.d.ts +71 -0
- package/dist/src/lib/analyzers/terraform/aws-checks.d.ts.map +1 -0
- package/dist/src/lib/analyzers/terraform/aws-checks.js +538 -0
- package/dist/src/lib/analyzers/terraform/aws-checks.js.map +1 -0
- package/dist/src/lib/analyzers/terraform/parser.d.ts +14 -0
- package/dist/src/lib/analyzers/terraform/parser.d.ts.map +1 -0
- package/dist/src/lib/analyzers/terraform/parser.js +237 -0
- package/dist/src/lib/analyzers/terraform/parser.js.map +1 -0
- package/dist/src/lib/analyzers/terraform/types.d.ts +70 -0
- package/dist/src/lib/analyzers/terraform/types.d.ts.map +1 -0
- package/dist/src/lib/analyzers/terraform/types.js +9 -0
- package/dist/src/lib/analyzers/terraform/types.js.map +1 -0
- package/dist/src/lib/analyzers/terraform-analyzer.d.ts +49 -0
- package/dist/src/lib/analyzers/terraform-analyzer.d.ts.map +1 -0
- package/dist/src/lib/analyzers/terraform-analyzer.js +140 -0
- package/dist/src/lib/analyzers/terraform-analyzer.js.map +1 -0
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.d.ts.map +1 -1
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.js +23 -8
- package/dist/src/lib/analyzers/typescript/security-checks/type-security.js.map +1 -1
- package/dist/src/lib/security/epss-service.d.ts.map +1 -1
- package/dist/src/lib/security/epss-service.js +64 -50
- package/dist/src/lib/security/epss-service.js.map +1 -1
- package/dist/src/lib/security/severity-scoring.d.ts.map +1 -1
- package/dist/src/lib/security/severity-scoring.js +116 -0
- package/dist/src/lib/security/severity-scoring.js.map +1 -1
- package/dist/src/lib/types/index.d.ts +1 -1
- package/dist/src/lib/types/index.d.ts.map +1 -1
- package/package.json +10 -7
- package/src/scanner/local-scanner.ts +13 -2
package/README.md
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# @codeslick/cli
|
|
2
2
|
|
|
3
|
-
**CodeSlick CLI** - Pre-commit security scanner for JavaScript, TypeScript, Python, Java, and
|
|
3
|
+
**CodeSlick CLI** - Pre-commit security scanner for JavaScript, TypeScript, Python, Java, Go, and Terraform.
|
|
4
4
|
|
|
5
5
|
Catch security vulnerabilities before they enter your codebase with automated pre-commit scanning.
|
|
6
6
|
|
|
@@ -9,11 +9,12 @@ Catch security vulnerabilities before they enter your codebase with automated pr
|
|
|
9
9
|
- **Local Security Scanning** - No API calls required, fully offline
|
|
10
10
|
- **Pre-commit Hook Integration** - Automatically scans staged files before each commit
|
|
11
11
|
- **Fast Analysis** - <3s for 10 files using CodeSlick's analyzer engine
|
|
12
|
-
- **Multi-language Support** - JavaScript, TypeScript, Python, Java, Go
|
|
12
|
+
- **Multi-language Support** - JavaScript, TypeScript, Python, Java, Go, Terraform
|
|
13
|
+
- **IaC Security** - Detects AWS misconfigurations in Terraform (S3, IAM, and more)
|
|
13
14
|
- **Configurable Thresholds** - Block commits on CRITICAL, HIGH, MEDIUM, or LOW severity
|
|
14
15
|
- **Beautiful Terminal Output** - Color-coded results with CVSS scores and fix suggestions
|
|
15
16
|
- **CI/CD Ready** - JSON output mode for automation
|
|
16
|
-
- **OWASP Top 10:2025 Compliant** -
|
|
17
|
+
- **OWASP Top 10:2025 Compliant** - 304 comprehensive security checks
|
|
17
18
|
|
|
18
19
|
## Prerequisites
|
|
19
20
|
|
|
@@ -252,7 +253,7 @@ The `.codeslick.json` file controls how CodeSlick scans your code.
|
|
|
252
253
|
"**/test/**",
|
|
253
254
|
"**/tests/**"
|
|
254
255
|
],
|
|
255
|
-
"languages": ["javascript", "typescript", "python", "java", "go"],
|
|
256
|
+
"languages": ["javascript", "typescript", "python", "java", "go", "terraform"],
|
|
256
257
|
|
|
257
258
|
// NEW: Pass/Fail Thresholds (v1.3)
|
|
258
259
|
"thresholdEnabled": true,
|
|
@@ -276,7 +277,7 @@ The `.codeslick.json` file controls how CodeSlick scans your code.
|
|
|
276
277
|
| `severity` | string | `"critical"` | Severity threshold: `critical`, `high`, `medium`, `low` |
|
|
277
278
|
| `autofix` | boolean | `false` | Enable auto-fix (experimental) |
|
|
278
279
|
| `exclude` | string[] | See above | Glob patterns to exclude from scanning |
|
|
279
|
-
| `languages` | string[] | All | Languages to scan: `javascript`, `typescript`, `python`, `java`, `go` |
|
|
280
|
+
| `languages` | string[] | All | Languages to scan: `javascript`, `typescript`, `python`, `java`, `go`, `terraform` |
|
|
280
281
|
| `telemetry` | boolean | `true` | Enable anonymous usage analytics |
|
|
281
282
|
| **Thresholds (v1.3)** | | | |
|
|
282
283
|
| `thresholdEnabled` | boolean | `true` | Enable pass/fail threshold enforcement |
|
|
@@ -311,8 +312,9 @@ CodeSlick CLI uses the same analysis engine as the GitHub App and WebTool.
|
|
|
311
312
|
| **Python** | 47 checks | Django/Flask security, pickle, exec(), secrets |
|
|
312
313
|
| **Java** | 32 checks | Log4j, Spring Security, SQL injection, deserialization |
|
|
313
314
|
| **Go** | 26 checks | SQL injection, command injection, TLS misconfig, race conditions |
|
|
315
|
+
| **Terraform** | 10 checks | S3 public ACL, IAM wildcards, encryption, versioning, logging |
|
|
314
316
|
|
|
315
|
-
**Total**:
|
|
317
|
+
**Total**: 304 comprehensive security checks
|
|
316
318
|
|
|
317
319
|
### OWASP Top 10:2025 Compliance
|
|
318
320
|
|
|
@@ -559,6 +561,41 @@ MIT License - see [LICENSE](../../LICENSE) for details.
|
|
|
559
561
|
- **Issues**: https://github.com/VitorLourenco/codeslick2/issues
|
|
560
562
|
- **Email**: support@codeslick.dev
|
|
561
563
|
|
|
564
|
+
## What's New in v1.4 🚀
|
|
565
|
+
|
|
566
|
+
**Terraform IaC Security Scanning** (February 2026)
|
|
567
|
+
|
|
568
|
+
- **Terraform Language Support** - Full Infrastructure as Code security analysis
|
|
569
|
+
- **10 AWS Security Checks** - S3 buckets (public ACL, encryption, versioning, logging) + IAM policies (wildcard actions/resources, privilege escalation)
|
|
570
|
+
- **Multiline HCL Parsing** - Correctly handles multiline `jsonencode()` and nested objects
|
|
571
|
+
- **OWASP A01:2021 Compliance** - Detects Broken Access Control in cloud infrastructure
|
|
572
|
+
- **Pre-commit IaC Validation** - Block insecure Terraform before deployment
|
|
573
|
+
- **304 Total Security Checks** - Now supporting 6 languages
|
|
574
|
+
|
|
575
|
+
**Example:**
|
|
576
|
+
```bash
|
|
577
|
+
cs scan infrastructure/*.tf
|
|
578
|
+
# ✖ CRITICAL: S3 bucket has public ACL: "public-read"
|
|
579
|
+
# ✖ CRITICAL: IAM policy allows wildcard actions (Action: "*")
|
|
580
|
+
# ⚠ HIGH: S3 bucket does not have encryption enabled
|
|
581
|
+
# Exit code: 1 (blocked - 3 critical issues)
|
|
582
|
+
```
|
|
583
|
+
|
|
584
|
+
### Detected Terraform Vulnerabilities
|
|
585
|
+
|
|
586
|
+
| Check | Severity | OWASP | Description |
|
|
587
|
+
|-------|----------|-------|-------------|
|
|
588
|
+
| S3 Public ACL | CRITICAL | A01:2021 | Detects `acl = "public-read"` |
|
|
589
|
+
| S3 Encryption | HIGH | A02:2021 | Missing server-side encryption |
|
|
590
|
+
| S3 Versioning | MEDIUM | A09:2021 | No versioning enabled |
|
|
591
|
+
| S3 Logging | MEDIUM | A09:2021 | No access logs |
|
|
592
|
+
| IAM Wildcard Actions | CRITICAL | A01:2021 | `Action = "*"` detected |
|
|
593
|
+
| IAM Wildcard Resources | HIGH | A01:2021 | `Resource = "*"` detected |
|
|
594
|
+
| IAM Admin Policy | CRITICAL | A01:2021 | AdministratorAccess equivalent |
|
|
595
|
+
| IAM Privilege Escalation | CRITICAL | A01:2021 | Can grant self permissions |
|
|
596
|
+
|
|
597
|
+
---
|
|
598
|
+
|
|
562
599
|
## What's New in v1.3 ⭐
|
|
563
600
|
|
|
564
601
|
**Pass/Fail Thresholds + Test Execution Integration** (February 2026)
|
|
@@ -603,11 +640,13 @@ cs scan --verify # Run security scan + tests
|
|
|
603
640
|
|
|
604
641
|
## Roadmap
|
|
605
642
|
|
|
606
|
-
### v1.
|
|
607
|
-
-
|
|
608
|
-
-
|
|
609
|
-
-
|
|
610
|
-
-
|
|
643
|
+
### v1.5 (Coming Q2 2026)
|
|
644
|
+
- **More Terraform Providers** - Azure (azurerm_), GCP (google_) resources
|
|
645
|
+
- **Expanded IaC Coverage** - EC2, RDS, Lambda, VPC security checks (15+ new)
|
|
646
|
+
- **Custom Rule Configuration** - Define your own security rules via YAML/JSON
|
|
647
|
+
- **IDE Integration** - VS Code extension with inline security hints
|
|
648
|
+
- **Enhanced Auto-fix** - More intelligent fix suggestions for complex issues
|
|
649
|
+
- **Smart Exemptions** - ML-based false positive detection
|
|
611
650
|
|
|
612
651
|
---
|
|
613
652
|
|
|
@@ -8,7 +8,7 @@
|
|
|
8
8
|
* - No API calls required (fully offline)
|
|
9
9
|
* - Fast scanning (<3s for 10 files)
|
|
10
10
|
* - Same analysis engine as GitHub App and WebTool
|
|
11
|
-
* - Supports JavaScript, TypeScript, Python, Java, Go
|
|
11
|
+
* - Supports JavaScript, TypeScript, Python, Java, Go, Terraform
|
|
12
12
|
*
|
|
13
13
|
* @module packages/cli/src/scanner/local-scanner
|
|
14
14
|
*/
|
|
@@ -16,7 +16,7 @@ import type { AnalyzerResult } from '../../../../src/lib/analyzers/types';
|
|
|
16
16
|
/**
|
|
17
17
|
* Supported programming languages
|
|
18
18
|
*/
|
|
19
|
-
export type SupportedLanguage = 'javascript' | 'typescript' | 'python' | 'java' | 'go';
|
|
19
|
+
export type SupportedLanguage = 'javascript' | 'typescript' | 'python' | 'java' | 'go' | 'terraform';
|
|
20
20
|
/**
|
|
21
21
|
* Result of scanning a single file
|
|
22
22
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"local-scanner.d.ts","sourceRoot":"","sources":["../../../../../src/scanner/local-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAE1E;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,YAAY,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,IAAI,CAAC;
|
|
1
|
+
{"version":3,"file":"local-scanner.d.ts","sourceRoot":"","sources":["../../../../../src/scanner/local-scanner.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAIH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,qCAAqC,CAAC;AAE1E;;GAEG;AACH,MAAM,MAAM,iBAAiB,GAAG,YAAY,GAAG,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,IAAI,GAAG,WAAW,CAAC;AAErG;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,EAAE,MAAM,CAAC;IACrB,QAAQ,EAAE,iBAAiB,CAAC;IAC5B,MAAM,EAAE,cAAc,CAAC;IACvB,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,iBAAiB,CAAC,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,CAAC;IAC3D,OAAO,CAAC,EAAE,MAAM,EAAE,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,CAAC;IAClB,SAAS,CAAC,EAAE,OAAO,CAAC;CACrB;AAED;;GAEG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,MAAM,GAAG,iBAAiB,GAAG,IAAI,CA4BzE;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,EAAE,eAAe,EAAE,MAAM,EAAE,GAAG,OAAO,CAwBlF;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAAC,MAAM,EAAE,cAAc;;;;;EAS1D;AAED;;;;;;;;;;;;GAYG;AACH,wBAAsB,QAAQ,CAC5B,QAAQ,EAAE,MAAM,EAChB,MAAM,GAAE,aAAkB,GACzB,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAuFhC;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,SAAS,CAC7B,SAAS,EAAE,MAAM,EAAE,EACnB,MAAM,GAAE,aAAkB,GACzB,OAAO,CAAC,cAAc,EAAE,CAAC,CAoC3B;AA0ED;;;;;;;;GAQG;AACH,wBAAgB,gBAAgB,CAC9B,OAAO,EAAE,cAAc,EAAE,EACzB,SAAS,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAChD,OAAO,CAkBT"}
|
|
@@ -9,7 +9,7 @@
|
|
|
9
9
|
* - No API calls required (fully offline)
|
|
10
10
|
* - Fast scanning (<3s for 10 files)
|
|
11
11
|
* - Same analysis engine as GitHub App and WebTool
|
|
12
|
-
* - Supports JavaScript, TypeScript, Python, Java, Go
|
|
12
|
+
* - Supports JavaScript, TypeScript, Python, Java, Go, Terraform
|
|
13
13
|
*
|
|
14
14
|
* @module packages/cli/src/scanner/local-scanner
|
|
15
15
|
*/
|
|
@@ -75,6 +75,9 @@ function detectLanguage(filePath) {
|
|
|
75
75
|
if (ext.endsWith('.go')) {
|
|
76
76
|
return 'go';
|
|
77
77
|
}
|
|
78
|
+
if (ext.endsWith('.tf') || ext.endsWith('.tfvars')) {
|
|
79
|
+
return 'terraform';
|
|
80
|
+
}
|
|
78
81
|
return null;
|
|
79
82
|
}
|
|
80
83
|
/**
|
|
@@ -175,6 +178,12 @@ async function scanFile(filePath, config = {}) {
|
|
|
175
178
|
result = await analyzer.analyze({ code, filename: filePath, options: analyzerOptions });
|
|
176
179
|
break;
|
|
177
180
|
}
|
|
181
|
+
case 'terraform': {
|
|
182
|
+
const { TerraformAnalyzer } = await Promise.resolve().then(() => __importStar(require('../../../../src/lib/analyzers/terraform-analyzer')));
|
|
183
|
+
const analyzer = new TerraformAnalyzer();
|
|
184
|
+
result = await analyzer.analyze({ code, filename: filePath, options: analyzerOptions });
|
|
185
|
+
break;
|
|
186
|
+
}
|
|
178
187
|
default:
|
|
179
188
|
return null;
|
|
180
189
|
}
|
|
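Review bot: The added `ext.endsWith('.tf') || ext.endsWith('.tfvars')` branch in detectLanguage routes variable files to TerraformAnalyzer, but the AWS checks declared later in this diff operate on a TerraformResource, and `.tfvars` files hold no resource blocks, so they will most likely produce no findings there; since hardcoded values are exactly what those files tend to contain, it is worth confirming that a `.tfvars` file still goes through secret detection (the analyzer's source is outside this section, so this is unconfirmed). The same branch does not match Terraform's JSON syntax (`*.tf.json`), so such files return null and are skipped silently; if the new parser only handles HCL, say so next to the check, e.g. `// *.tf.json (Terraform JSON syntax) is not matched: the HCL parser does not handle it`, otherwise add the suffix. detectLanguage's head is outside the hunk.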
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"local-scanner.js","sourceRoot":"","sources":["../../../../../src/scanner/local-scanner.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCH,
|
|
1
|
+
{"version":3,"file":"local-scanner.js","sourceRoot":"","sources":["../../../../../src/scanner/local-scanner.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsCH,wCA4BC;AAMD,sCAwBC;AAKD,oDASC;AAeD,4BA0FC;AAaD,8BAuCC;AAmFD,4CAqBC;AAjXD,0CAAuC;AACvC,+BAAgC;AAgChC;;GAEG;AACH,SAAgB,cAAc,CAAC,QAAgB;IAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,WAAW,EAAE,CAAC;IAEnC,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;QAChD,OAAO,YAAY,CAAC;IACtB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1B,OAAO,MAAM,CAAC;IAChB,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,EAAE,CAAC;QACxB,OAAO,IAAI,CAAC;IACd,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,GAAG,CAAC,QAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;QACnD,OAAO,WAAW,CAAC;IACrB,CAAC;IAED,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,QAAgB,EAAE,eAAyB;IACvE,MAAM,YAAY,GAAG,IAAA,eAAQ,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC,CAAC;IACvD,mEAAmE;IACnE,MAAM,cAAc,GAAG,YAAY,CAAC,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAC;IAExD,KAAK,MAAM,OAAO,IAAI,eAAe,EAAE,CAAC;QACtC,kDAAkD;QAClD,8DAA8D;QAC9D,MAAM,YAAY,GAAG,OAAO;aACzB,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,CAAW,cAAc;aAC9C,OAAO,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAE,0BAA0B;aAC9D,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,CAAS,8BAA8B;aAC9D,OAAO,CAAC,iBAAiB,EAAE,IAAI,CAAC,CAAC,kCAAkC;aACnE,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC,CAAa,wBAAwB;aACxD,OAAO,CAAC,cAAc,EAAE,CAAC,CAAC,EAAE,EAAE,EAAE,EAAE,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC,CAAC,iBAAiB;QAExF,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,GAAG,GAAG,YAAY,GAAG,GAAG,CAAC,CAAC;QAEnD,IAAI,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;GAEG;AACH,SAAgB,oBAAoB,CAAC,MAAsB;IACzD,MAAM,eAAe,GAAG,MAAM,CAAC,QAAQ,EAA
E,eAAe,IAAI,EAAE,CAAC;IAE/D,OAAO;QACL,QAAQ,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,UAAU,CAAC,CAAC,MAAM;QAC5F,IAAI,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,MAAM,CAAC,CAAC,MAAM;QACpF,MAAM,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,QAAQ,CAAC,CAAC,MAAM;QACxF,GAAG,EAAE,eAAe,CAAC,MAAM,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,CAAC,MAAM;KACnF,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;GAYG;AACI,KAAK,UAAU,QAAQ,CAC5B,QAAgB,EAChB,SAAwB,EAAE;IAE1B,IAAI,CAAC;QACH,kBAAkB;QAClB,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,CAAC,QAAQ,EAAE,CAAC;YACd,OAAO,IAAI,CAAC,CAAC,wBAAwB;QACvC,CAAC;QAED,mBAAmB;QACnB,IAAI,MAAM,CAAC,OAAO,IAAI,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;YAC9D,OAAO,IAAI,CAAC,CAAC,2BAA2B;QAC1C,CAAC;QAED,oBAAoB;QACpB,MAAM,IAAI,GAAG,MAAM,IAAA,mBAAQ,EAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;QAE/C,gDAAgD;QAChD,wDAAwD;QACxD,MAAM,eAAe,GAAG,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,IAAI,KAAK,EAAE,CAAC;QACjE,IAAI,MAAsB,CAAC;QAE3B,QAAQ,QAAQ,EAAE,CAAC;YACjB,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,MAAM,EAAE,kBAAkB,EAAE,GAAG,wDAC7B,mDAAmD,GACpD,CAAC;gBACF,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;gBAC1C,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,YAAY,CAAC,CAAC,CAAC;gBAClB,MAAM,EAAE,kBAAkB,EAAE,GAAG,wDAC7B,mDAAmD,GACpD,CAAC;gBACF,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;gBAC1C,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,QAAQ,CAAC,CAAC,CAAC;gBACd,MAAM,EAAE,cAAc,EAAE,GAAG,wDAAa,+CAA+C,GAAC,CAAC;gBACzF,MAAM,QAAQ,GAAG,IAAI,cAAc,EAAE,CAAC;gBACtC,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,MAAM,CAAC,CAAC,CAAC;gBACZ,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,6CAA6C,GAAC,CAAC;gBACrF,MAAM,QAAQ,GAAG,IAAI,YAAY,EAAE,CAAC;
gBACpC,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,IAAI,CAAC,CAAC,CAAC;gBACV,MAAM,EAAE,UAAU,EAAE,GAAG,wDAAa,2CAA2C,GAAC,CAAC;gBACjF,MAAM,QAAQ,GAAG,IAAI,UAAU,EAAE,CAAC;gBAClC,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED,KAAK,WAAW,CAAC,CAAC,CAAC;gBACjB,MAAM,EAAE,iBAAiB,EAAE,GAAG,wDAAa,kDAAkD,GAAC,CAAC;gBAC/F,MAAM,QAAQ,GAAG,IAAI,iBAAiB,EAAE,CAAC;gBACzC,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,eAAe,EAAE,CAAC,CAAC;gBACxF,MAAM;YACR,CAAC;YAED;gBACE,OAAO,IAAI,CAAC;QAChB,CAAC;QAED,oCAAoC;QACpC,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;QAE5C,OAAO;YACL,QAAQ;YACR,YAAY,EAAE,IAAA,eAAQ,EAAC,OAAO,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC;YAC/C,QAAQ;YACR,MAAM;YACN,GAAG,MAAM;SACV,CAAC;IACJ,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,8CAA8C;QAC9C,OAAO,CAAC,KAAK,CAAC,kBAAkB,QAAQ,GAAG,EAAE,KAAK,CAAC,CAAC;QACpD,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED;;;;;;;;;;GAUG;AACI,KAAK,UAAU,SAAS,CAC7B,SAAmB,EACnB,SAAwB,EAAE;IAE1B,6DAA6D;IAC7D,MAAM,OAAO,GAAa,EAAE,CAAC;IAC7B,MAAM,UAAU,GAAa,EAAE,CAAC;IAEhC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,MAAM,QAAQ,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;QAC1C,IAAI,QAAQ,KAAK,YAAY,EAAE,CAAC;YAC9B,0CAA0C;YAC1C,IAAI,CAAC,MAAM,CAAC,OAAO,IAAI,CAAC,aAAa,CAAC,QAAQ,EAAE,MAAM,CAAC,OAAO,CAAC,EAAE,CAAC;gBAChE,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;aAAM,IAAI,QAAQ,EAAE,CAAC;YACpB,UAAU,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;IAED,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,8CAA8C;IAC9C,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,SAAS,EAAE,CAAC;QAC5C,MAAM,YAAY,GAAG,MAAM,mBAAmB,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAChE,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,CAAC;IAChC,CAAC;SAAM,IAAI,OAAO,CAAC,MAAM,GAAG,CAAC,IAAI,MAAM,CAAC,SAAS,EAAE,CAAC;QAClD,0DAA0D;QAC1D,MAAM,SAAS,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;QACnF,O
AAO,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,MAAM,CAAC,CAAC,CAAC,EAAuB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC;IAC5E,CAAC;IAED,qDAAqD;IACrD,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1B,MAAM,YAAY,GAAG,MAAM,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,QAAQ,CAAC,IAAI,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC;QACzF,OAAO,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,MAAM,CAAC,CAAC,CAAC,EAAuB,EAAE,CAAC,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC;IAC/E,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;GAGG;AACH,KAAK,UAAU,mBAAmB,CAChC,SAAmB,EACnB,UAAyB,EAAE;IAE3B,MAAM,EAAE,QAAQ,EAAE,GAAG,wDAAa,aAAa,GAAC,CAAC;IACjD,MAAM,EAAE,QAAQ,EAAE,GAAG,wDAAa,MAAM,GAAC,CAAC;IAE1C,oCAAoC;IACpC,MAAM,EAAE,6BAA6B,EAAE,0BAA0B,EAAE,GAAG,wDACpE,uDAAuD,GACxD,CAAC;IAEF,yDAAyD;IACzD,MAAM,WAAW,GAAG,6BAA6B,CAAC,SAAS,CAAC,CAAC;IAE7D,mEAAmE;IACnE,MAAM,EAAE,kBAAkB,EAAE,GAAG,wDAC7B,mDAAmD,GACpD,CAAC;IAEF,MAAM,OAAO,GAAqB,EAAE,CAAC;IAErC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,MAAM,QAAQ,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAE/C,4CAA4C;YAC5C,MAAM,QAAQ,GAAG,IAAI,kBAAkB,EAAE,CAAC;YAC1C,0EAA0E;YAC1E,MAAM,MAAM,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,SAAS,EAAE,IAAI,EAAE,EAAE,CAAC,CAAC;YAElG,2CAA2C;YAC3C,MAAM,eAAe,GAAG,WAAW,CAAC,WAAW,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;YACpE,IAAI,eAAe,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC/B,MAAM,UAAU,GAAG,0BAA0B,CAAC,eAAe,CAAC,CAAC;gBAC/D,MAAM,mBAAmB,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,KAAU,EAAE,EAAE,CAAC,CAAC;oBAC1D,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,OAAO,EAAE,KAAK,CAAC,OAAO;oBACtB,IAAI,EAAE,KAAK,CAAC,IAAI;oBAChB,UAAU,EAAE,KAAK,CAAC,UAAU;oBAC5B,QAAQ,EAAE,eAAe;oBACzB,SAAS,EAAE,KAAK,CAAC,SAAS;oBAC1B,iBAAiB,EAAE,KAAK,CAAC,iBAAiB;oBAC1C,MAAM,EAAE,KAAK,CAAC,MAAM;oBACpB,KAAK,EAAE,KAAK,CAAC,KAAK;oBAClB,GAAG,EAAE,KAAK,CAAC,GAAG;iBACf,CAAC,CAAC,CAAC;gBACJ,MAAM,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,GAAG,mBAAmB,CAAC,CAAC;YAC/D,CAAC;YAED,wBAAwB;YACxB,MAAM,MAAM,GAAG,oBAAoB,CAAC,MAAM,CAAC,CAAC;YAE5C,OAAO,CAAC,IAAI,CAAC;gBACX,QAAQ;gBACR,YAAY,EAAE,QAAQ,CAAC,OAAO,CAAC,GAAG,EAAE,EA
AE,QAAQ,CAAC;gBAC/C,QAAQ,EAAE,YAAY;gBACtB,MAAM;gBACN,GAAG,MAAM;aACV,CAAC,CAAC;QACL,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,OAAO,CAAC,KAAK,CAAC,kBAAkB,QAAQ,GAAG,EAAE,KAAK,CAAC,CAAC;QACtD,CAAC;IACH,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;;;;;;;GAQG;AACH,SAAgB,gBAAgB,CAC9B,OAAyB,EACzB,SAAiD;IAEjD,MAAM,aAAa,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;IACtE,MAAM,SAAS,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC;IAC9D,MAAM,WAAW,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;IAClE,MAAM,QAAQ,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,GAAG,EAAE,CAAC,EAAE,EAAE,CAAC,GAAG,GAAG,CAAC,CAAC,GAAG,EAAE,CAAC,CAAC,CAAC;IAE5D,QAAQ,SAAS,EAAE,CAAC;QAClB,KAAK,UAAU;YACb,OAAO,aAAa,GAAG,CAAC,CAAC;QAC3B,KAAK,MAAM;YACT,OAAO,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,CAAC;QAC5C,KAAK,QAAQ;YACX,OAAO,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,IAAI,WAAW,GAAG,CAAC,CAAC;QAC/D,KAAK,KAAK;YACR,OAAO,aAAa,GAAG,CAAC,IAAI,SAAS,GAAG,CAAC,IAAI,WAAW,GAAG,CAAC,IAAI,QAAQ,GAAG,CAAC,CAAC;QAC/E;YACE,OAAO,aAAa,GAAG,CAAC,CAAC;IAC7B,CAAC;AACH,CAAC"}
|
|
@@ -30,7 +30,7 @@ exports.CREDENTIAL_PATTERNS = [
|
|
|
30
30
|
pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"]([^'"]{8,})['"]/i,
|
|
31
31
|
minEntropy: 3.0,
|
|
32
32
|
description: 'Password hardcoded in source code',
|
|
33
|
-
severity: '
|
|
33
|
+
severity: 'critical', // OWASP 2021/2025 A07 - Hardcoded credentials are CRITICAL (CVSS 9.1)
|
|
34
34
|
owaspCategory: 'A07:2021 - Identification and Authentication Failures',
|
|
35
35
|
cwe: 'CWE-798',
|
|
36
36
|
},
|
|
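Review bot: The new `severity: 'critical'` and its "CVSS 9.1" comment may no longer be what the report shows: createVulnerability in secrets-analyzer.js, changed in the same release, now takes `severity` from `calculateSeverityScore(\`hardcoded-secret-${match.pattern.id}\`)` rather than from the pattern, so this field only matters to whatever else still reads `pattern.severity`, which this diff does not show. If the two sources disagree, the figure in the comment becomes misleading; I would either drop the CVSS number here or state the precedence: `severity: 'critical', // fallback only; reported severity comes from security/severity-scoring`. The enclosing CREDENTIAL_PATTERNS array starts and ends outside the hunk.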
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/secrets/patterns/credentials.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAIU,QAAA,mBAAmB,GAAoB;IAClD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,yEAAyE;QAClF,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,UAAU;QACpB,aAAa,EAAE,uDAAuD;QACtE,GAAG,EAAE,SAAS;KACf;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,uDAAuD;QAChE,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,mCAAmC;QAChD,QAAQ,EAAE,
|
|
1
|
+
{"version":3,"file":"credentials.js","sourceRoot":"","sources":["../../../../../../../../src/lib/analyzers/secrets/patterns/credentials.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAIU,QAAA,mBAAmB,GAAoB;IAClD;QACE,EAAE,EAAE,mBAAmB;QACvB,IAAI,EAAE,mBAAmB;QACzB,OAAO,EAAE,yEAAyE;QAClF,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,4CAA4C;QACzD,QAAQ,EAAE,UAAU;QACpB,aAAa,EAAE,uDAAuD;QACtE,GAAG,EAAE,SAAS;KACf;IACD;QACE,EAAE,EAAE,kBAAkB;QACtB,IAAI,EAAE,kBAAkB;QACxB,OAAO,EAAE,uDAAuD;QAChE,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,mCAAmC;QAChD,QAAQ,EAAE,UAAU,EAAE,sEAAsE;QAC5F,aAAa,EAAE,uDAAuD;QACtE,GAAG,EAAE,SAAS;KACf;IACD;QACE,EAAE,EAAE,YAAY;QAChB,IAAI,EAAE,YAAY;QAClB,OAAO,EAAE,oEAAoE;QAC7E,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE,UAAU;QACpB,aAAa,EAAE,mCAAmC;QAClD,GAAG,EAAE,SAAS;KACf;IACD;QACE,EAAE,EAAE,4BAA4B;QAChC,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,8CAA8C;QACvD,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,6CAA6C;QAC1D,QAAQ,EAAE,UAAU;QACpB,aAAa,EAAE,uDAAuD;QACtE,GAAG,EAAE,SAAS;KACf;IACD;QACE,EAAE,EAAE,gBAAgB;QACpB,IAAI,EAAE,gBAAgB;QACtB,OAAO,EAAE,gFAAgF;QACzF,UAAU,EAAE,GAAG;QACf,WAAW,EAAE,yCAAyC;QACtD,QAAQ,EAAE,UAAU;QACpB,aAAa,EAAE,mCAAmC;QAClD,GAAG,EAAE,SAAS;KACf;CACF,CAAC"}
|
|
@@ -76,6 +76,10 @@ export declare class SecretsAnalyzer {
|
|
|
76
76
|
* Get fix recommendation based on secret type and language
|
|
77
77
|
*/
|
|
78
78
|
private getRecommendation;
|
|
79
|
+
/**
|
|
80
|
+
* Get code fix example based on language
|
|
81
|
+
*/
|
|
82
|
+
private getFixExample;
|
|
79
83
|
/**
|
|
80
84
|
* Calculate confidence score (0-100) based on entropy and context
|
|
81
85
|
*/
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secrets-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/secrets/secrets-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;
|
|
1
|
+
{"version":3,"file":"secrets-analyzer.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/secrets/secrets-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;AAUjD;;GAEG;AACH,MAAM,WAAW,aAAa;IAC5B,kEAAkE;IAClE,EAAE,EAAE,MAAM,CAAC;IACX,0BAA0B;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,wCAAwC;IACxC,OAAO,EAAE,MAAM,CAAC;IAChB,qEAAqE;IACrE,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,qCAAqC;IACrC,WAAW,EAAE,MAAM,CAAC;IACpB,6CAA6C;IAC7C,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,0BAA0B;IAC1B,aAAa,EAAE,MAAM,CAAC;IACtB,qBAAqB;IACrB,GAAG,EAAE,MAAM,CAAC;CACb;AAED;;GAEG;AACH,MAAM,WAAW,WAAW;IAC1B,OAAO,EAAE,aAAa,CAAC;IACvB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,OAAO,EAAE,MAAM,CAAC;CACjB;AAED;;GAEG;AACH,qBAAa,eAAe;IAC1B,OAAO,CAAC,QAAQ,CAAkB;;IAYlC;;;;;;;OAOG;IACI,WAAW,CAChB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,QAAQ,EAAE,YAAY,GAAG,QAAQ,GAAG,MAAM,GAAG,YAAY,GAAG,IAAI,GAC/D,qBAAqB,EAAE;IAiC1B;;OAEG;IACH,OAAO,CAAC,WAAW;IA4BnB;;OAEG;IACH,OAAO,CAAC,mBAAmB;IAwC3B;;OAEG;IACH,OAAO,CAAC,UAAU;IASlB;;OAEG;IACH,OAAO,CAAC,iBAAiB;IAiBzB;;OAEG;IACH,OAAO,CAAC,aAAa;IAerB;;OAEG;IACH,OAAO,CAAC,mBAAmB;CAiB5B;AAED;;GAEG;AACH,wBAAgB,qBAAqB,IAAI,eAAe,CAEvD"}
|
|
@@ -22,6 +22,8 @@ const credentials_1 = require("./patterns/credentials");
|
|
|
22
22
|
const tokens_1 = require("./patterns/tokens");
|
|
23
23
|
const entropy_checker_1 = require("./validators/entropy-checker");
|
|
24
24
|
const context_checker_1 = require("./validators/context-checker");
|
|
25
|
+
const severity_scoring_1 = require("../../security/severity-scoring");
|
|
26
|
+
const compliance_mapping_1 = require("../../security/compliance-mapping");
|
|
25
27
|
/**
|
|
26
28
|
* Main secrets analyzer class
|
|
27
29
|
*/
|
|
@@ -95,14 +97,37 @@ class SecretsAnalyzer {
|
|
|
95
97
|
* Create a security vulnerability from a secret match
|
|
96
98
|
*/
|
|
97
99
|
createVulnerability(match, filePath, language) {
|
|
100
|
+
// Use centralized scoring system for consistent CVSS scores
|
|
101
|
+
const category = `hardcoded-secret-${match.pattern.id}`;
|
|
102
|
+
const scoring = (0, severity_scoring_1.calculateSeverityScore)(category);
|
|
103
|
+
const compliance = (0, compliance_mapping_1.getComplianceMapping)(category);
|
|
98
104
|
return {
|
|
99
|
-
severity:
|
|
105
|
+
severity: scoring.severity,
|
|
100
106
|
message: `Hardcoded secret detected: ${match.pattern.name} - ${this.maskSecret(match.value)}`,
|
|
101
107
|
line: match.line,
|
|
102
108
|
suggestion: this.getRecommendation(match.pattern, language),
|
|
103
|
-
category
|
|
104
|
-
|
|
105
|
-
|
|
109
|
+
category,
|
|
110
|
+
cvssScore: scoring.cvssScore,
|
|
111
|
+
exploitLikelihood: scoring.exploitLikelihood,
|
|
112
|
+
impact: scoring.impact,
|
|
113
|
+
owasp: compliance.owasp || match.pattern.owaspCategory,
|
|
114
|
+
cwe: compliance.cwe || match.pattern.cwe,
|
|
115
|
+
pciDss: compliance.pciDss,
|
|
116
|
+
attackVector: {
|
|
117
|
+
description: `Hardcoded ${match.pattern.name.toLowerCase()} exposed in source code. Visible to anyone with repository access.`,
|
|
118
|
+
exploitExample: `Attacker with code access can extract: ${this.maskSecret(match.value)}`,
|
|
119
|
+
realWorldImpact: [
|
|
120
|
+
'Unauthorized access to systems',
|
|
121
|
+
'Cannot rotate without code deployment',
|
|
122
|
+
'Persists in Git history forever',
|
|
123
|
+
'PCI-DSS, SOC 2, ISO 27001 violations',
|
|
124
|
+
],
|
|
125
|
+
},
|
|
126
|
+
remediation: {
|
|
127
|
+
before: match.context,
|
|
128
|
+
after: this.getFixExample(match.pattern, language),
|
|
129
|
+
explanation: this.getRecommendation(match.pattern, language),
|
|
130
|
+
},
|
|
106
131
|
};
|
|
107
132
|
}
|
|
108
133
|
/**
|
|
@@ -133,6 +158,25 @@ class SecretsAnalyzer {
|
|
|
133
158
|
`4. Add to .gitignore if stored in config file\n` +
|
|
134
159
|
`5. Rotate the exposed secret immediately`;
|
|
135
160
|
}
|
|
161
|
+
/**
|
|
162
|
+
* Get code fix example based on language
|
|
163
|
+
*/
|
|
164
|
+
getFixExample(pattern, language) {
|
|
165
|
+
const varName = pattern.id.toUpperCase().replace(/-/g, '_');
|
|
166
|
+
if (language === 'python') {
|
|
167
|
+
return `import os\n${varName} = os.environ.get("${varName}") # Store in .env file`;
|
|
168
|
+
}
|
|
169
|
+
else if (language === 'java') {
|
|
170
|
+
return `String ${varName.toLowerCase()} = System.getenv("${varName}");`;
|
|
171
|
+
}
|
|
172
|
+
else if (language === 'go') {
|
|
173
|
+
return `import "os"\n${varName.toLowerCase()} := os.Getenv("${varName}")`;
|
|
174
|
+
}
|
|
175
|
+
else {
|
|
176
|
+
// JavaScript/TypeScript
|
|
177
|
+
return `const ${varName.toLowerCase()} = process.env.${varName}; // Store in .env file`;
|
|
178
|
+
}
|
|
179
|
+
}
|
|
136
180
|
/**
|
|
137
181
|
* Calculate confidence score (0-100) based on entropy and context
|
|
138
182
|
*/
|
|
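Review bot: `before: match.context` in the new remediation object of createVulnerability appears to copy the unmasked source line into the vulnerability record, while `message` and `exploitExample` on the same object go through `this.maskSecret(match.value)`; if `match.context` is the matched line, as the name suggests (its construction is outside this hunk), the secret the scanner just found is echoed in full into terminal output, the JSON output mode and CI logs, which is where it should least be copied. Masking it the same way keeps the before/after example readable: `before: match.context.replace(match.value, this.maskSecret(match.value)),`. Separately, getFixExample in the third hunk falls through to the `process.env` example for any language other than python, java or go, which now includes the 'terraform' value added elsewhere in this release; a comment or a dedicated branch would make that fallback intentional. The SecretsAnalyzer class starts and ends outside these hunks.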
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secrets-analyzer.js","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/secrets/secrets-analyzer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;
|
|
1
|
+
{"version":3,"file":"secrets-analyzer.js","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/secrets/secrets-analyzer.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;;AAgQH,sDAEC;AA/PD,kDAAuD;AACvD,0DAA+D;AAC/D,wDAA6D;AAC7D,8CAAmD;AACnD,kEAAgE;AAChE,kEAAqE;AACrE,sEAAyE;AACzE,0EAAyE;AAoCzE;;GAEG;AACH,MAAa,eAAe;IAG1B;QACE,iDAAiD;QACjD,IAAI,CAAC,QAAQ,GAAG;YACd,GAAG,2BAAgB;YACnB,GAAG,mCAAoB;YACvB,GAAG,iCAAmB;YACtB,GAAG,uBAAc;SAClB,CAAC;IACJ,CAAC;IAED;;;;;;;OAOG;IACI,WAAW,CAChB,IAAY,EACZ,QAAgB,EAChB,QAAgE;QAEhE,MAAM,eAAe,GAA4B,EAAE,CAAC;QACpD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;QAE/B,6BAA6B;QAC7B,KAAK,IAAI,SAAS,GAAG,CAAC,EAAE,SAAS,GAAG,KAAK,CAAC,MAAM,EAAE,SAAS,EAAE,EAAE,CAAC;YAC9D,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC;YAC9B,MAAM,UAAU,GAAG,SAAS,GAAG,CAAC,CAAC;YAEjC,6BAA6B;YAC7B,KAAK,MAAM,OAAO,IAAI,IAAI,CAAC,QAAQ,EAAE,CAAC;gBACpC,MAAM,OAAO,GAAG,IAAI,CAAC,WAAW,CAAC,IAAI,EAAE,OAAO,EAAE,UAAU,CAAC,CAAC;gBAE5D,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;oBAC5B,+BAA+B;oBAC/B,IAAI,OAAO,CAAC,UAAU,IAAI,KAAK,CAAC,OAAO,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;wBAC7D,SAAS,CAAC,2BAA2B;oBACvC,CAAC;oBAED,4BAA4B;oBAC5B,IAAI,IAAA,uCAAqB,EAAC,KAAK,CAAC,KAAK,EAAE,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC,EAAE,CAAC;wBAChE,SAAS,CAAC,8BAA8B;oBAC1C,CAAC;oBAED,uBAAuB;oBACvB,eAAe,CAAC,IAAI,CAAC,IAAI,CAAC,mBAAmB,CAAC,KAAK,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC,CAAC;gBAC5E,CAAC;YACH,CAAC;QACH,CAAC;QAED,OAAO,eAAe,CAAC;IACzB,CAAC;IAED;;OAEG;IACK,WAAW,CACjB,IAAY,EACZ,OAAsB,EACtB,UAAkB;QAElB,MAAM,OAAO,GAAkB,EAAE,CAAC;QAClC,IAAI,KAA6B,CAAC;QAElC,sCAAsC;QACtC,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,CAAC;QAEtD,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC3C,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC;YACvB,MAAM,OAAO,GAAG,IAAA,kCAAgB,EAAC,KAAK,CAAC,CAAC;YAExC,OAAO,CAAC,IAAI,CAAC;gBACX,OAAO;gBACP,KAAK;gBACL,IAAI,EAAE,UAAU;gBAChB,MAAM,EAAE,KAAK,CAAC,KAAK;gBACnB,OAAO;gBACP,OAAO,EAAE,IAAI,CAAC,IAAI,EAAE;aACrB,CAAC,CAAC;QACL,CAAC;QAED,OAAO,OAAO,CAAC;IACjB,CAA
C;IAED;;OAEG;IACK,mBAAmB,CACzB,KAAkB,EAClB,QAAgB,EAChB,QAAgB;QAEhB,4DAA4D;QAC5D,MAAM,QAAQ,GAAG,oBAAoB,KAAK,CAAC,OAAO,CAAC,EAAE,EAAE,CAAC;QACxD,MAAM,OAAO,GAAG,IAAA,yCAAsB,EAAC,QAAQ,CAAC,CAAC;QACjD,MAAM,UAAU,GAAG,IAAA,yCAAoB,EAAC,QAAQ,CAAC,CAAC;QAElD,OAAO;YACL,QAAQ,EAAE,OAAO,CAAC,QAAQ;YAC1B,OAAO,EAAE,8BAA8B,KAAK,CAAC,OAAO,CAAC,IAAI,MAAM,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;YAC7F,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,UAAU,EAAE,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC;YAC3D,QAAQ;YACR,SAAS,EAAE,OAAO,CAAC,SAAS;YAC5B,iBAAiB,EAAE,OAAO,CAAC,iBAAiB;YAC5C,MAAM,EAAE,OAAO,CAAC,MAAM;YACtB,KAAK,EAAE,UAAU,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,aAAa;YACtD,GAAG,EAAE,UAAU,CAAC,GAAG,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG;YACxC,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,YAAY,EAAE;gBACZ,WAAW,EAAE,aAAa,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,oEAAoE;gBAC9H,cAAc,EAAE,0CAA0C,IAAI,CAAC,UAAU,CAAC,KAAK,CAAC,KAAK,CAAC,EAAE;gBACxF,eAAe,EAAE;oBACf,gCAAgC;oBAChC,uCAAuC;oBACvC,iCAAiC;oBACjC,sCAAsC;iBACvC;aACF;YACD,WAAW,EAAE;gBACX,MAAM,EAAE,KAAK,CAAC,OAAO;gBACrB,KAAK,EAAE,IAAI,CAAC,aAAa,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC;gBAClD,WAAW,EAAE,IAAI,CAAC,iBAAiB,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC;aAC7D;SACF,CAAC;IACJ,CAAC;IAED;;OAEG;IACK,UAAU,CAAC,KAAa;QAC9B,IAAI,KAAK,CAAC,MAAM,IAAI,CAAC,EAAE,CAAC;YACtB,OAAO,KAAK,CAAC;QACf,CAAC;QACD,MAAM,KAAK,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACpC,MAAM,IAAI,GAAG,KAAK,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC;QAC/C,OAAO,GAAG,KAAK,MAAM,IAAI,EAAE,CAAC;IAC9B,CAAC;IAED;;OAEG;IACK,iBAAiB,CAAC,OAAsB,EAAE,QAAgB;QAChE,MAAM,kBAAkB,GAAG,OAAO,CAAC,WAAW,CAAC;QAE/C,MAAM,aAAa,GAAG,QAAQ,KAAK,QAAQ;YACzC,CAAC,CAAC,2BAA2B;YAC7B,CAAC,CAAC,QAAQ,KAAK,MAAM;gBACrB,CAAC,CAAC,0BAA0B;gBAC5B,CAAC,CAAC,qBAAqB,CAAC;QAE1B,OAAO,GAAG,kBAAkB,wBAAwB;YAClD,0CAA0C;YAC1C,oEAAoE;YACpE,WAAW,aAAa,IAAI;YAC5B,iDAAiD;YACjD,0CAA0C,CAAC;IAC/C,CAAC;IAED;;OAEG;IACK,aAAa,CAAC,OAAsB,EAAE,QAAgB;QAC5D,MAAM,OAAO,GAAG,OAAO,CAAC,EAAE,CAAC,WAAW,EAAE,CAAC,OAAO,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;QAE5D,IAAI,QAAQ,KAAK,QAAQ,EAA
E,CAAC;YAC1B,OAAO,cAAc,OAAO,sBAAsB,OAAO,0BAA0B,CAAC;QACtF,CAAC;aAAM,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;YAC/B,OAAO,UAAU,OAAO,CAAC,WAAW,EAAE,qBAAqB,OAAO,KAAK,CAAC;QAC1E,CAAC;aAAM,IAAI,QAAQ,KAAK,IAAI,EAAE,CAAC;YAC7B,OAAO,gBAAgB,OAAO,CAAC,WAAW,EAAE,kBAAkB,OAAO,IAAI,CAAC;QAC5E,CAAC;aAAM,CAAC;YACN,wBAAwB;YACxB,OAAO,SAAS,OAAO,CAAC,WAAW,EAAE,kBAAkB,OAAO,0BAA0B,CAAC;QAC3F,CAAC;IACH,CAAC;IAED;;OAEG;IACK,mBAAmB,CAAC,KAAkB;QAC5C,IAAI,UAAU,GAAG,EAAE,CAAC,CAAC,kBAAkB;QAEvC,qCAAqC;QACrC,IAAI,KAAK,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC;YACxB,UAAU,IAAI,EAAE,CAAC;QACnB,CAAC;aAAM,IAAI,KAAK,CAAC,OAAO,GAAG,GAAG,EAAE,CAAC;YAC/B,UAAU,IAAI,EAAE,CAAC;QACnB,CAAC;QAED,8CAA8C;QAC9C,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,OAAO,CAAC,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC5E,UAAU,IAAI,EAAE,CAAC;QACnB,CAAC;QAED,OAAO,IAAI,CAAC,GAAG,CAAC,UAAU,EAAE,GAAG,CAAC,CAAC;IACnC,CAAC;CACF;AA1MD,0CA0MC;AAED;;GAEG;AACH,SAAgB,qBAAqB;IACnC,OAAO,IAAI,eAAe,EAAE,CAAC;AAC/B,CAAC"}
|
|
@@ -0,0 +1,71 @@
1
+
/**
2
+
* Terraform AWS Security Checks
3
+
*
4
+
* WR3 Day 1-2: AWS S3 and IAM security misconfigurations
5
+
*
6
+
* Current: 10 checks (S3: 5, IAM: 5)
7
+
* Future: Will expand to EC2, RDS, Lambda (25 total AWS checks)
8
+
*/
9
+
import { SecurityVulnerability } from '../types';
10
+
import { TerraformResource } from './types';
11
+
/**
12
+
* Check 1: S3 Bucket with Public ACL (CRITICAL)
13
+
* OWASP: A01:2021 - Broken Access Control
14
+
* CWE: CWE-732 (Incorrect Permission Assignment)
15
+
*/
16
+
export declare function checkS3PublicACL(resource: TerraformResource): SecurityVulnerability | null;
17
+
/**
18
+
* Check 2: S3 Bucket Without Encryption (HIGH)
19
+
* OWASP: A02:2021 - Cryptographic Failures
20
+
* CWE: CWE-311 (Missing Encryption of Sensitive Data)
21
+
*/
22
+
export declare function checkS3Encryption(resource: TerraformResource): SecurityVulnerability | null;
23
+
/**
24
+
* Check 3: S3 Bucket Versioning Disabled (MEDIUM)
25
+
* OWASP: A09:2021 - Security Logging and Monitoring Failures
26
+
* CWE: CWE-778 (Insufficient Logging)
27
+
*/
28
+
export declare function checkS3Versioning(resource: TerraformResource): SecurityVulnerability | null;
29
+
/**
30
+
* Check 4: S3 Bucket Logging Disabled (MEDIUM)
31
+
* OWASP: A09:2021 - Security Logging and Monitoring Failures
32
+
* CWE: CWE-778 (Insufficient Logging)
33
+
*/
34
+
export declare function checkS3Logging(resource: TerraformResource): SecurityVulnerability | null;
35
+
/**
36
+
* Check 5: S3 Bucket Public Access Block Missing (CRITICAL)
37
+
* OWASP: A01:2021 - Broken Access Control
38
+
* CWE: CWE-732 (Incorrect Permission Assignment)
39
+
*/
40
+
export declare function checkS3PublicAccessBlock(resource: TerraformResource): SecurityVulnerability | null;
41
+
/**
42
+
* Check 6: IAM Policy with Wildcard Actions (CRITICAL)
43
+
* OWASP: A01:2021 - Broken Access Control
44
+
* CWE: CWE-269 (Improper Privilege Management)
45
+
*/
46
+
export declare function checkIAMWildcardActions(resource: TerraformResource): SecurityVulnerability | null;
47
+
/**
48
+
* Check 7: IAM Policy with Wildcard Resources (HIGH)
49
+
* OWASP: A01:2021 - Broken Access Control
50
+
* CWE: CWE-269 (Improper Privilege Management)
51
+
*/
52
+
export declare function checkIAMWildcardResources(resource: TerraformResource): SecurityVulnerability | null;
53
+
/**
54
+
* Check 8: IAM Policy with Admin Permissions (HIGH)
55
+
* OWASP: A01:2021 - Broken Access Control
56
+
* CWE: CWE-269 (Improper Privilege Management)
57
+
*/
58
+
export declare function checkIAMAdminPolicy(resource: TerraformResource): SecurityVulnerability | null;
59
+
/**
60
+
* Check 9: IAM Policy Allows Privilege Escalation (CRITICAL)
61
+
* OWASP: A01:2021 - Broken Access Control
62
+
* CWE: CWE-269 (Improper Privilege Management)
63
+
*/
64
+
export declare function checkIAMPrivilegeEscalation(resource: TerraformResource): SecurityVulnerability | null;
65
+
/**
66
+
* Check 10: IAM Role with Overly Permissive Assume Role Policy (MEDIUM)
67
+
* OWASP: A01:2021 - Broken Access Control
68
+
* CWE: CWE-732 (Incorrect Permission Assignment)
69
+
*/
70
+
export declare function checkIAMAssumeRolePolicy(resource: TerraformResource): SecurityVulnerability | null;
71
+
//# sourceMappingURL=aws-checks.d.ts.map
@@ -0,0 +1 @@
1
+
{"version":3,"file":"aws-checks.d.ts","sourceRoot":"","sources":["../../../../../../../src/lib/analyzers/terraform/aws-checks.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAEH,OAAO,EAAE,qBAAqB,EAAE,MAAM,UAAU,CAAC;AACjD,OAAO,EAAE,iBAAiB,EAAE,MAAM,SAAS,CAAC;AAO5C;;;;GAIG;AACH,wBAAgB,gBAAgB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAqC1F;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAoC3F;AAED;;;;GAIG;AACH,wBAAgB,iBAAiB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAmC3F;AAED;;;;GAIG;AACH,wBAAgB,cAAc,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAoCxF;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CA6ClG;AAMD;;;;GAIG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CA0DjG;AAED;;;;GAIG;AACH,wBAAgB,yBAAyB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAwDnG;AAED;;;;GAIG;AACH,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAqC7F;AAED;;;;GAIG;AACH,wBAAgB,2BAA2B,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CA4ErG;AAED;;;;GAIG;AACH,wBAAgB,wBAAwB,CAAC,QAAQ,EAAE,iBAAiB,GAAG,qBAAqB,GAAG,IAAI,CAwDlG"}