npm - configsentry - Versions diffs - 0.0.13 → 0.0.17 - Mend

configsentry 0.0.13 → 0.0.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

package/README.md CHANGED Viewed

@@ -99,7 +99,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: alfredMorgenstern/configsentry@v0.0.13
+      - uses: alfredMorgenstern/configsentry@v0.0.17
         with:
           target: .
           # optional: baseline: .configsentry-baseline.json
@@ -111,7 +111,7 @@ jobs:
       #   security-events: write
 ```
-> Tip: pin to a tag (like `v0.0.8`) for reproducible builds.
+> Tip: pin to a tag (like `v0.0.13`) for reproducible builds.
 ## Exit codes
 - `0` no findings
@@ -125,7 +125,7 @@ node dist/cli.js ./example.docker-compose.yml
 ```
 ## Next steps
-- publish as `configsentry` on npm
-- GitHub Action wrapper
-- SARIF output
+- GitHub Marketplace listing (Action)
+- more rules (policy packs for common stacks)
+- PR annotations/comments (optional)
 - autofix mode (`--fix`) for safe transforms

package/dist/cli.js CHANGED Viewed

File without changes

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "configsentry",
-  "version": "0.0.13",
+  "version": "0.0.17",
   "description": "Developer-first guardrails for docker-compose.yml (security + ops footguns).",
   "type": "module",
   "license": "MIT",
@@ -18,7 +18,7 @@
   },
   "files": [
     "dist/",
-    "src/",
+    "!dist/**/*.test.js",
     "README.md",
     "LICENSE"
   ],
@@ -27,7 +27,7 @@
   },
   "scripts": {
     "test": "node --test dist/**/*.test.js",
-    "build": "tsc -p tsconfig.json",
+    "build": "node -e \"require('node:fs').rmSync('dist',{recursive:true,force:true})\" && tsc -p tsconfig.json",
     "prepack": "npm run build",
     "start": "node dist/cli.js",
     "dev": "node --loader ts-node/esm src/cli.ts",

package/dist/baseline.test.js DELETED Viewed

@@ -1,12 +0,0 @@
-import test from 'node:test';
-import assert from 'node:assert/strict';
-import { fingerprintFinding, applyBaseline } from './baseline.js';
-test('baseline suppression works', () => {
-    const f1 = { id: 'r1', title: 't', severity: 'low', message: 'm', service: 'svc', path: '/tmp/x#p' };
-    const f2 = { id: 'r2', title: 't', severity: 'low', message: 'm', service: 'svc', path: '/tmp/x#p2' };
-    const set = new Set([fingerprintFinding(f1)]);
-    const { kept, suppressed } = applyBaseline([f1, f2], set);
-    assert.equal(kept.length, 1);
-    assert.equal(suppressed.length, 1);
-    assert.equal(kept[0].id, 'r2');
-});

package/dist/rules.test.js DELETED Viewed

@@ -1,53 +0,0 @@
-import test from 'node:test';
-import assert from 'node:assert/strict';
-import { runRules } from './rules.js';
-test('detects privileged container', () => {
-    const compose = { services: { app: { privileged: true } } };
-    const findings = runRules(compose, 'docker-compose.yml');
-    assert.ok(findings.some((f) => f.id === 'compose.privileged' && f.service === 'app'));
-});
-test('detects sensitive port exposed', () => {
-    const compose = { services: { db: { ports: ['5432:5432'] } } };
-    const findings = runRules(compose, 'docker-compose.yml');
-    assert.ok(findings.some((f) => f.id === 'compose.exposed-sensitive-port' && f.service === 'db'));
-});
-test('detects docker socket mount', () => {
-    const compose = { services: { runner: { volumes: ['/var/run/docker.sock:/var/run/docker.sock'] } } };
-    const findings = runRules(compose, 'docker-compose.yml');
-    assert.ok(findings.some((f) => f.id === 'compose.docker-socket' && f.service === 'runner'));
-});
-test('detects cap_add: ALL', () => {
-    const compose = { services: { app: { cap_add: ['ALL'] } } };
-    const findings = runRules(compose, 'docker-compose.yml');
-    assert.ok(findings.some((f) => f.id === 'compose.cap-add-all' && f.service === 'app'));
-});
-test('detects network_mode: host', () => {
-    const compose = { services: { app: { network_mode: 'host' } } };
-    const findings = runRules(compose, 'docker-compose.yml');
-    assert.ok(findings.some((f) => f.id === 'compose.network-host' && f.service === 'app'));
-});
-test('detects pid: host', () => {
-    const compose = { services: { app: { pid: 'host' } } };
-    const findings = runRules(compose, 'docker-compose.yml');
-    assert.ok(findings.some((f) => f.id === 'compose.pid-host' && f.service === 'app'));
-});
-test('detects ipc: host', () => {
-    const compose = { services: { app: { ipc: 'host' } } };
-    const findings = runRules(compose, 'docker-compose.yml');
-    assert.ok(findings.some((f) => f.id === 'compose.ipc-host' && f.service === 'app'));
-});
-test('detects unconfined security_opt', () => {
-    const compose = { services: { app: { security_opt: ['seccomp=unconfined'] } } };
-    const findings = runRules(compose, 'docker-compose.yml');
-    assert.ok(findings.some((f) => f.id === 'compose.security-unconfined' && f.service === 'app'));
-});
-test('detects host /dev mount', () => {
-    const compose = { services: { app: { volumes: ['/dev:/dev'] } } };
-    const findings = runRules(compose, 'docker-compose.yml');
-    assert.ok(findings.some((f) => f.id === 'compose.host-dev-mount' && f.service === 'app'));
-});
-test('detects dangerous device mapping', () => {
-    const compose = { services: { app: { devices: ['/dev/kmsg:/dev/kmsg'] } } };
-    const findings = runRules(compose, 'docker-compose.yml');
-    assert.ok(findings.some((f) => f.id === 'compose.dangerous-device' && f.service === 'app'));
-});

package/src/baseline.test.ts DELETED Viewed

@@ -1,15 +0,0 @@
-import test from 'node:test';
-import assert from 'node:assert/strict';
-import { fingerprintFinding, applyBaseline } from './baseline.js';
-test('baseline suppression works', () => {
-  const f1 = { id: 'r1', title: 't', severity: 'low', message: 'm', service: 'svc', path: '/tmp/x#p' };
-  const f2 = { id: 'r2', title: 't', severity: 'low', message: 'm', service: 'svc', path: '/tmp/x#p2' };
-  const set = new Set([fingerprintFinding(f1 as any)]);
-  const { kept, suppressed } = applyBaseline([f1 as any, f2 as any], set);
-  assert.equal(kept.length, 1);
-  assert.equal(suppressed.length, 1);
-  assert.equal(kept[0].id, 'r2');
-});

package/src/baseline.ts DELETED Viewed

@@ -1,68 +0,0 @@
-import fs from 'node:fs/promises';
-import crypto from 'node:crypto';
-import type { Finding } from './types.js';
-export type BaselineEntry = {
-  fingerprint: string;
-  id: string;
-  service?: string;
-  path?: string;
-};
-export type BaselineFile = {
-  version: 1;
-  generatedAt: string;
-  tool: string;
-  entries: BaselineEntry[];
-};
-export function fingerprintFinding(f: Finding): string {
-  const h = crypto.createHash('sha256');
-  // Keep stable + minimal; avoid messages that could change wording.
-  h.update(String(f.id));
-  h.update('\n');
-  h.update(String(f.service ?? ''));
-  h.update('\n');
-  h.update(String(f.path ?? ''));
-  return h.digest('hex');
-}
-export async function writeBaseline(path: string, findings: Finding[]) {
-  const entries: BaselineEntry[] = findings.map((f) => ({
-    fingerprint: fingerprintFinding(f),
-    id: f.id,
-    service: f.service,
-    path: f.path,
-  }));
-  const file: BaselineFile = {
-    version: 1,
-    generatedAt: new Date().toISOString(),
-    tool: 'ConfigSentry',
-    entries,
-  };
-  await fs.writeFile(path, JSON.stringify(file, null, 2) + '\n', 'utf8');
-}
-export async function loadBaseline(path: string): Promise<Set<string>> {
-  const raw = await fs.readFile(path, 'utf8');
-  const json = JSON.parse(raw);
-  const entries: any[] = Array.isArray(json?.entries) ? json.entries : [];
-  const set = new Set<string>();
-  for (const e of entries) {
-    if (typeof e?.fingerprint === 'string') set.add(e.fingerprint);
-  }
-  return set;
-}
-export function applyBaseline(findings: Finding[], baselineFingerprints: Set<string>) {
-  const kept: Finding[] = [];
-  const suppressed: Finding[] = [];
-  for (const f of findings) {
-    const fp = fingerprintFinding(f);
-    if (baselineFingerprints.has(fp)) suppressed.push(f);
-    else kept.push(f);
-  }
-  return { kept, suppressed };
-}

package/src/cli.ts DELETED Viewed

@@ -1,123 +0,0 @@
-#!/usr/bin/env node
-import path from 'node:path';
-import process from 'node:process';
-import fs from 'node:fs/promises';
-import { fileURLToPath } from 'node:url';
-import { loadCompose } from './compose.js';
-import { runRules } from './rules.js';
-import { findingsToSarif } from './sarif.js';
-import { resolveTargets } from './scan.js';
-import { applyBaseline, loadBaseline, writeBaseline } from './baseline.js';
-function usage() {
-  console.log(`ConfigSentry (MVP)\n\nUsage:\n  configsentry <file-or-dir> [--json|--sarif] [--baseline <file>] [--write-baseline <file>]\n\nOutput:\n  --json           machine-readable findings\n  --sarif          SARIF 2.1.0 (for GitHub code scanning)\n\nBaselines:\n  --baseline <file>        suppress findings present in a baseline file\n  --write-baseline <file>  write baseline file for current findings and exit 0\n\nExit codes:\n  0 = no findings (after baseline suppression)
-  2 = findings present
-  1 = error
-`);
-}
-async function main() {
-  const args = process.argv.slice(2);
-  if (args.includes('-v') || args.includes('--version')) {
-    try {
-      const here = path.dirname(fileURLToPath(import.meta.url));
-      const pkgPath = path.resolve(here, '../package.json');
-      const raw = await fs.readFile(pkgPath, 'utf8');
-      const pkg = JSON.parse(raw);
-      console.log(pkg.version || 'unknown');
-    } catch {
-      console.log('unknown');
-    }
-    process.exit(0);
-  }
-  if (args.length === 0 || args.includes('-h') || args.includes('--help')) {
-    usage();
-    process.exit(0);
-  }
-  const json = args.includes('--json');
-  const sarif = args.includes('--sarif');
-  if (json && sarif) {
-    console.error('Error: choose only one output mode: --json or --sarif');
-    process.exit(1);
-  }
-  const baselineIdx = args.indexOf('--baseline');
-  const baselinePath = baselineIdx >= 0 ? args[baselineIdx + 1] : undefined;
-  const writeBaselineIdx = args.indexOf('--write-baseline');
-  const writeBaselinePath = writeBaselineIdx >= 0 ? args[writeBaselineIdx + 1] : undefined;
-  const target = args.find((a) => !a.startsWith('-'));
-  if (!target) {
-    usage();
-    process.exit(1);
-  }
-  const targetPaths = await resolveTargets(target);
-  if (targetPaths.length === 0) {
-    console.error(`No compose files found in: ${target}`);
-    process.exit(1);
-  }
-  let allFindings = [] as any[];
-  for (const targetPath of targetPaths) {
-    const { compose } = await loadCompose(targetPath);
-    allFindings = allFindings.concat(runRules(compose, targetPath));
-  }
-  // Baseline suppression
-  let suppressed: any[] = [];
-  let findings = allFindings;
-  if (baselinePath) {
-    const set = await loadBaseline(path.resolve(baselinePath));
-    const res = applyBaseline(allFindings, set);
-    findings = res.kept;
-    suppressed = res.suppressed;
-  }
-  // Baseline generation mode
-  if (writeBaselinePath) {
-    await writeBaseline(path.resolve(writeBaselinePath), allFindings);
-    console.log(`Wrote baseline: ${path.resolve(writeBaselinePath)} (${allFindings.length} finding(s))`);
-    process.exit(0);
-  }
-  if (json) {
-    console.log(JSON.stringify({ targetPaths, findings, suppressedCount: suppressed.length }, null, 2));
-  } else if (sarif) {
-    console.log(JSON.stringify(findingsToSarif(findings), null, 2));
-  } else {
-    const scope = targetPaths.length === 1 ? targetPaths[0] : `${targetPaths.length} file(s)`;
-    if (findings.length === 0) {
-      console.log(`✅ No findings for ${scope}`);
-      if (suppressed.length > 0) {
-        console.log(`(suppressed by baseline: ${suppressed.length})`);
-      }
-    } else {
-      console.log(`❌ ${findings.length} finding(s) for ${scope}`);
-      if (suppressed.length > 0) {
-        console.log(`(suppressed by baseline: ${suppressed.length})`);
-      }
-      console.log('');
-      for (const f of findings) {
-        console.log(`[${f.severity.toUpperCase()}] ${f.title}`);
-        console.log(`- service: ${f.service ?? '-'}
-- rule: ${f.id}
-- where: ${f.path ?? '-'}
-- msg: ${f.message}`);
-        if (f.suggestion) console.log(`- fix: ${f.suggestion}`);
-        console.log('');
-      }
-    }
-  }
-  process.exit(findings.length === 0 ? 0 : 2);
-}
-main().catch((err) => {
-  console.error('Error:', err);
-  process.exit(1);
-});

package/src/compose.ts DELETED Viewed

@@ -1,19 +0,0 @@
-import fs from 'node:fs/promises';
-import path from 'node:path';
-import YAML from 'yaml';
-export type ComposeFile = {
-  services?: Record<string, any>;
-};
-export async function loadCompose(filePath: string): Promise<{ compose: ComposeFile; raw: any }> {
-  const abs = path.resolve(filePath);
-  const text = await fs.readFile(abs, 'utf8');
-  // Support multi-document YAML (---). If multiple docs exist, Compose content is typically the first.
-  const docs = YAML.parseAllDocuments(text);
-  const first = docs[0];
-  const doc = first ? first.toJSON() : YAML.parse(text);
-  return { compose: doc as ComposeFile, raw: doc };
-}

package/src/rules.test.ts DELETED Viewed

@@ -1,63 +0,0 @@
-import test from 'node:test';
-import assert from 'node:assert/strict';
-import { runRules } from './rules.js';
-test('detects privileged container', () => {
-  const compose = { services: { app: { privileged: true } } };
-  const findings = runRules(compose, 'docker-compose.yml');
-  assert.ok(findings.some((f) => f.id === 'compose.privileged' && f.service === 'app'));
-});
-test('detects sensitive port exposed', () => {
-  const compose = { services: { db: { ports: ['5432:5432'] } } };
-  const findings = runRules(compose, 'docker-compose.yml');
-  assert.ok(findings.some((f) => f.id === 'compose.exposed-sensitive-port' && f.service === 'db'));
-});
-test('detects docker socket mount', () => {
-  const compose = { services: { runner: { volumes: ['/var/run/docker.sock:/var/run/docker.sock'] } } };
-  const findings = runRules(compose, 'docker-compose.yml');
-  assert.ok(findings.some((f) => f.id === 'compose.docker-socket' && f.service === 'runner'));
-});
-test('detects cap_add: ALL', () => {
-  const compose = { services: { app: { cap_add: ['ALL'] } } };
-  const findings = runRules(compose, 'docker-compose.yml');
-  assert.ok(findings.some((f) => f.id === 'compose.cap-add-all' && f.service === 'app'));
-});
-test('detects network_mode: host', () => {
-  const compose = { services: { app: { network_mode: 'host' } } };
-  const findings = runRules(compose, 'docker-compose.yml');
-  assert.ok(findings.some((f) => f.id === 'compose.network-host' && f.service === 'app'));
-});
-test('detects pid: host', () => {
-  const compose = { services: { app: { pid: 'host' } } };
-  const findings = runRules(compose, 'docker-compose.yml');
-  assert.ok(findings.some((f) => f.id === 'compose.pid-host' && f.service === 'app'));
-});
-test('detects ipc: host', () => {
-  const compose = { services: { app: { ipc: 'host' } } };
-  const findings = runRules(compose, 'docker-compose.yml');
-  assert.ok(findings.some((f) => f.id === 'compose.ipc-host' && f.service === 'app'));
-});
-test('detects unconfined security_opt', () => {
-  const compose = { services: { app: { security_opt: ['seccomp=unconfined'] } } };
-  const findings = runRules(compose, 'docker-compose.yml');
-  assert.ok(findings.some((f) => f.id === 'compose.security-unconfined' && f.service === 'app'));
-});
-test('detects host /dev mount', () => {
-  const compose = { services: { app: { volumes: ['/dev:/dev'] } } };
-  const findings = runRules(compose, 'docker-compose.yml');
-  assert.ok(findings.some((f) => f.id === 'compose.host-dev-mount' && f.service === 'app'));
-});
-test('detects dangerous device mapping', () => {
-  const compose = { services: { app: { devices: ['/dev/kmsg:/dev/kmsg'] } } };
-  const findings = runRules(compose, 'docker-compose.yml');
-  assert.ok(findings.some((f) => f.id === 'compose.dangerous-device' && f.service === 'app'));
-});

package/src/rules.ts DELETED Viewed

@@ -1,242 +0,0 @@
-import type { Finding } from './types.js';
-const SENSITIVE_PORTS = new Set([5432, 3306, 6379, 27017, 9200]);
-function normalizePorts(ports: any): Array<{ hostIp?: string; hostPort?: number; containerPort?: number; raw: string }> {
-  if (!Array.isArray(ports)) return [];
-  const res: Array<{ hostIp?: string; hostPort?: number; containerPort?: number; raw: string }> = [];
-  for (const p of ports) {
-    if (typeof p === 'number') {
-      res.push({ containerPort: p, raw: String(p) });
-      continue;
-    }
-    if (typeof p !== 'string') continue;
-    // patterns:
-    // "8080:80"
-    // "127.0.0.1:8080:80"
-    // "5432:5432"
-    const parts = p.split(':');
-    if (parts.length === 2) {
-      const hostPort = Number(parts[0]);
-      const containerPort = Number(parts[1]);
-      res.push({ hostPort: Number.isFinite(hostPort) ? hostPort : undefined, containerPort: Number.isFinite(containerPort) ? containerPort : undefined, raw: p });
-    } else if (parts.length === 3) {
-      const hostIp = parts[0];
-      const hostPort = Number(parts[1]);
-      const containerPort = Number(parts[2]);
-      res.push({ hostIp, hostPort: Number.isFinite(hostPort) ? hostPort : undefined, containerPort: Number.isFinite(containerPort) ? containerPort : undefined, raw: p });
-    } else {
-      res.push({ raw: p });
-    }
-  }
-  return res;
-}
-export function runRules(compose: any, targetPath: string): Finding[] {
-  const findings: Finding[] = [];
-  const services: Record<string, any> = compose?.services ?? {};
-  for (const [serviceName, svc] of Object.entries(services)) {
-    // Rule: privileged
-    if (svc?.privileged === true) {
-      findings.push({
-        id: 'compose.privileged',
-        title: 'Privileged container',
-        severity: 'high',
-        message: `Service '${serviceName}' runs with privileged: true.`,
-        service: serviceName,
-        path: `${targetPath}#services.${serviceName}.privileged`,
-        suggestion: 'Remove privileged: true unless absolutely required; prefer adding only the needed capabilities.'
-      });
-    }
-    // Rule: cap_add: [ALL]
-    const capAdd: any[] = Array.isArray(svc?.cap_add) ? svc.cap_add : [];
-    if (capAdd.some((c) => String(c).toUpperCase() === 'ALL')) {
-      findings.push({
-        id: 'compose.cap-add-all',
-        title: 'Dangerous Linux capabilities (cap_add: ALL)',
-        severity: 'high',
-        message: `Service '${serviceName}' uses cap_add: [ALL], which is effectively privileged in many cases.`,
-        service: serviceName,
-        path: `${targetPath}#services.${serviceName}.cap_add`,
-        suggestion: 'Remove cap_add: ALL. Add only the specific capabilities required (e.g. NET_BIND_SERVICE) or redesign to avoid it.'
-      });
-    }
-    // Rule: host namespaces (network/pid/ipc)
-    if (svc?.network_mode === 'host') {
-      findings.push({
-        id: 'compose.network-host',
-        title: 'Host network namespace (network_mode: host)',
-        severity: 'high',
-        message: `Service '${serviceName}' uses network_mode: host, bypassing Docker network isolation.`,
-        service: serviceName,
-        path: `${targetPath}#services.${serviceName}.network_mode`,
-        suggestion: 'Avoid host networking. Prefer explicit port mappings or internal networks.'
-      });
-    }
-    if (svc?.pid === 'host') {
-      findings.push({
-        id: 'compose.pid-host',
-        title: 'Host PID namespace (pid: host)',
-        severity: 'high',
-        message: `Service '${serviceName}' uses pid: host, exposing host process namespace to the container.`,
-        service: serviceName,
-        path: `${targetPath}#services.${serviceName}.pid`,
-        suggestion: 'Avoid pid: host unless you are building low-level host tooling and understand the security implications.'
-      });
-    }
-    if (svc?.ipc === 'host') {
-      findings.push({
-        id: 'compose.ipc-host',
-        title: 'Host IPC namespace (ipc: host)',
-        severity: 'high',
-        message: `Service '${serviceName}' uses ipc: host, exposing host IPC namespace to the container.`,
-        service: serviceName,
-        path: `${targetPath}#services.${serviceName}.ipc`,
-        suggestion: 'Avoid ipc: host. Prefer explicit shared volumes or redesign if IPC sharing is required.'
-      });
-    }
-    // Rule: unconfined security profiles
-    const securityOpt: any[] = Array.isArray(svc?.security_opt) ? svc.security_opt : [];
-    const sec = securityOpt.map((x) => String(x).toLowerCase());
-    const hasUnconfined = sec.some((x) => x.includes('seccomp') && x.includes('unconfined')) || sec.some((x) => x.includes('apparmor') && x.includes('unconfined')) || sec.some((x) => x.includes('label:disable'));
-    if (hasUnconfined) {
-      findings.push({
-        id: 'compose.security-unconfined',
-        title: 'Security profile disabled (unconfined)',
-        severity: 'high',
-        message: `Service '${serviceName}' disables container security profiles via security_opt (${securityOpt.join(', ')}).`,
-        service: serviceName,
-        path: `${targetPath}#services.${serviceName}.security_opt`,
-        suggestion: 'Avoid unconfined security profiles. Remove the option or use a minimal custom seccomp/apparmor profile.'
-      });
-    }
-    // Rule: docker socket mount
-    const volumes: any[] = Array.isArray(svc?.volumes) ? svc.volumes : [];
-    for (const v of volumes) {
-      if (typeof v !== 'string') continue;
-      if (v.includes('/var/run/docker.sock')) {
-        findings.push({
-          id: 'compose.docker-socket',
-          title: 'Docker socket mounted',
-          severity: 'high',
-          message: `Service '${serviceName}' mounts /var/run/docker.sock which effectively grants root-on-host.`,
-          service: serviceName,
-          path: `${targetPath}#services.${serviceName}.volumes`,
-          suggestion: 'Avoid mounting the docker socket. If you need it, isolate the runner and treat it as privileged infrastructure.'
-        });
-      }
-      if (v.startsWith('/:') || v.startsWith('/:/')) {
-        findings.push({
-          id: 'compose.host-root-mount',
-          title: 'Host root mounted',
-          severity: 'high',
-          message: `Service '${serviceName}' appears to mount the host root filesystem ('${v}').`,
-          service: serviceName,
-          path: `${targetPath}#services.${serviceName}.volumes`,
-          suggestion: 'Avoid mounting /. Mount only specific directories required by the app.'
-        });
-      }
-      if (v.startsWith('/dev:/dev') || v.startsWith('/dev/:/dev')) {
-        findings.push({
-          id: 'compose.host-dev-mount',
-          title: 'Host /dev mounted into container',
-          severity: 'high',
-          message: `Service '${serviceName}' mounts host /dev into the container ('${v}'), which can enable device access and privilege escalation.`,
-          service: serviceName,
-          path: `${targetPath}#services.${serviceName}.volumes`,
-          suggestion: 'Avoid mounting /dev. If hardware access is required, map only the specific device(s) needed via devices:.'
-        });
-      }
-    }
-    // Rule: dangerous device mappings
-    const devices: any[] = Array.isArray(svc?.devices) ? svc.devices : [];
-    for (const d of devices) {
-      if (typeof d !== 'string') continue;
-      const lower = d.toLowerCase();
-      if (lower.includes('/dev/mem') || lower.includes('/dev/kmem') || lower.includes('/dev/kmsg')) {
-        findings.push({
-          id: 'compose.dangerous-device',
-          title: 'Dangerous device mapped into container',
-          severity: 'high',
-          message: `Service '${serviceName}' maps a sensitive device into the container ('${d}').`,
-          service: serviceName,
-          path: `${targetPath}#services.${serviceName}.devices`,
-          suggestion: 'Avoid mapping kernel/memory/log devices into containers. If absolutely required, isolate the host and restrict container privileges.'
-        });
-      }
-    }
-    // Rule: restart policy
-    if (svc?.restart == null) {
-      findings.push({
-        id: 'compose.missing-restart',
-        title: 'Missing restart policy',
-        severity: 'medium',
-        message: `Service '${serviceName}' has no restart policy.`,
-        service: serviceName,
-        path: `${targetPath}#services.${serviceName}.restart`,
-        suggestion: "Set restart: unless-stopped (or on-failure) to improve resilience."
-      });
-    }
-    // Rule: healthcheck
-    if (svc?.healthcheck == null) {
-      findings.push({
-        id: 'compose.missing-healthcheck',
-        title: 'Missing healthcheck',
-        severity: 'medium',
-        message: `Service '${serviceName}' has no healthcheck.`,
-        service: serviceName,
-        path: `${targetPath}#services.${serviceName}.healthcheck`,
-        suggestion: 'Add a healthcheck so orchestrators can detect broken containers (and dependent services can wait on healthy state).'
-      });
-    }
-    // Rule: runs as root
-    const user = svc?.user;
-    if (user == null || user === '0' || user === 0 || user === 'root') {
-      findings.push({
-        id: 'compose.runs-as-root',
-        title: 'Container likely runs as root',
-        severity: 'high',
-        message: `Service '${serviceName}' does not specify a non-root user (user:).`,
-        service: serviceName,
-        path: `${targetPath}#services.${serviceName}.user`,
-        suggestion: 'Set user: "1000:1000" (or a dedicated UID/GID) and ensure the image supports running unprivileged.'
-      });
-    }
-    // Rule: exposed sensitive ports
-    const ports = normalizePorts(svc?.ports);
-    for (const p of ports) {
-      const hostIp = p.hostIp;
-      const hostPort = p.hostPort;
-      const containerPort = p.containerPort;
-      const checkPort = containerPort ?? hostPort;
-      if (checkPort == null) continue;
-      if (!SENSITIVE_PORTS.has(checkPort)) continue;
-      const bindsAll = hostIp == null || hostIp === '0.0.0.0' || hostIp === '';
-      if (bindsAll) {
-        findings.push({
-          id: 'compose.exposed-sensitive-port',
-          title: 'Sensitive port exposed publicly',
-          severity: 'high',
-          message: `Service '${serviceName}' exposes a commonly sensitive port (${checkPort}) on all interfaces (ports: '${p.raw}').`,
-          service: serviceName,
-          path: `${targetPath}#services.${serviceName}.ports`,
-          suggestion: `Bind to 127.0.0.1 (e.g. '127.0.0.1:${hostPort ?? checkPort}:${containerPort ?? checkPort}') or remove the port and use an internal network.`
-        });
-      }
-    }
-  }
-  return findings;
-}

package/src/sarif.ts DELETED Viewed

@@ -1,74 +0,0 @@
-import type { Finding } from './types.js';
-// Minimal SARIF 2.1.0 generator for GitHub code scanning.
-// Docs: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
-function level(sev: string): 'error' | 'warning' | 'note' {
-  const s = String(sev || '').toLowerCase();
-  if (s === 'high' || s === 'critical' || s === 'error') return 'error';
-  if (s === 'medium' || s === 'warn' || s === 'warning') return 'warning';
-  return 'note';
-}
-export function findingsToSarif(findings: Finding[], opts: { toolName?: string; repoRoot?: string } = {}) {
-  const toolName = opts.toolName || 'ConfigSentry';
-  const rulesById = new Map<string, any>();
-  for (const f of findings) {
-    if (!rulesById.has(f.id)) {
-      rulesById.set(f.id, {
-        id: f.id,
-        name: f.id,
-        shortDescription: { text: f.title },
-        fullDescription: { text: f.message },
-        help: { text: f.suggestion ? `${f.message}\n\nFix: ${f.suggestion}` : f.message },
-        defaultConfiguration: { level: level(f.severity) },
-      });
-    }
-  }
-  const results = findings.map((f) => {
-    const res: any = {
-      ruleId: f.id,
-      level: level(f.severity),
-      message: { text: f.suggestion ? `${f.message} Fix: ${f.suggestion}` : f.message },
-      properties: {
-        severity: f.severity,
-        service: f.service ?? undefined,
-      },
-    };
-    // Best-effort location: we store a pseudo "where" path today.
-    // If it contains "file#pointer", split it; else treat it as a file uri.
-    if (f.path) {
-      const [file, fragment] = String(f.path).split('#');
-      res.locations = [
-        {
-          physicalLocation: {
-            artifactLocation: { uri: file },
-            region: fragment ? { snippet: { text: fragment } } : undefined,
-          },
-        },
-      ];
-    }
-    return res;
-  });
-  return {
-    version: '2.1.0',
-    $schema: 'https://json.schemastore.org/sarif-2.1.0.json',
-    runs: [
-      {
-        tool: {
-          driver: {
-            name: toolName,
-            informationUri: 'https://github.com/alfredMorgenstern/configsentry',
-            rules: Array.from(rulesById.values()),
-          },
-        },
-        results,
-      },
-    ],
-  };
-}

package/src/scan.ts DELETED Viewed

@@ -1,47 +0,0 @@
-import fs from 'node:fs/promises';
-import path from 'node:path';
-const COMPOSE_FILENAMES = new Set([
-  'docker-compose.yml',
-  'docker-compose.yaml',
-  'compose.yml',
-  'compose.yaml',
-]);
-async function isFile(p: string) {
-  try {
-    return (await fs.stat(p)).isFile();
-  } catch {
-    return false;
-  }
-}
-async function isDir(p: string) {
-  try {
-    return (await fs.stat(p)).isDirectory();
-  } catch {
-    return false;
-  }
-}
-export async function resolveTargets(input: string): Promise<string[]> {
-  const abs = path.resolve(input);
-  if (await isFile(abs)) return [abs];
-  if (await isDir(abs)) {
-    const entries = await fs.readdir(abs);
-    const hits: string[] = [];
-    for (const e of entries) {
-      if (COMPOSE_FILENAMES.has(e)) hits.push(path.join(abs, e));
-      // Common pattern: docker-compose.prod.yml etc.
-      if (/^docker-compose\..+\.ya?ml$/i.test(e)) hits.push(path.join(abs, e));
-      if (/^compose\..+\.ya?ml$/i.test(e)) hits.push(path.join(abs, e));
-    }
-    // de-dupe
-    return Array.from(new Set(hits)).sort();
-  }
-  // Not a file/dir: treat as a path anyway (will fail later with a nice error)
-  return [abs];
-}

package/src/types.ts DELETED Viewed

@@ -1,16 +0,0 @@
-export type Severity = 'low' | 'medium' | 'high';
-export type Finding = {
-  id: string;
-  title: string;
-  severity: Severity;
-  message: string;
-  service?: string;
-  path?: string;
-  suggestion?: string;
-};
-export type Report = {
-  targetPath: string;
-  findings: Finding[];
-};