configsentry 0.0.25 → 0.0.27

package/README.md

@@ -15,7 +15,7 @@ npx configsentry ./docker-compose.yml
 ### GitHub Action (minimal)
 
 ```yml
-- uses: alfredMorgenstern/configsentry@v0.0.24
+- uses: alfredMorgenstern/configsentry@v0.0.25
   with:
     target: .
 ```
@@ -27,7 +27,7 @@ permissions:
   contents: read
   security-events: write
 
-- uses: alfredMorgenstern/configsentry@v0.0.24
+- uses: alfredMorgenstern/configsentry@v0.0.25
   with:
     target: .
     sarif: true
@@ -72,10 +72,16 @@ node dist/cli.js --target ./docker-compose.yml
 node dist/cli.js --target ./docker-compose.yml --format json
 ```
 
+Write JSON to a file (no shell redirection needed):
+
+```bash
+node dist/cli.js --target ./docker-compose.yml --format json --output configsentry.json
+```
+
 ### SARIF output (GitHub Code Scanning)
 
 ```bash
-node dist/cli.js --target ./docker-compose.yml --format sarif > configsentry.sarif.json
+node dist/cli.js --target ./docker-compose.yml --format sarif --output configsentry.sarif.json
 ```
 
 ## Baselines (incremental adoption)
@@ -146,7 +152,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: alfredMorgenstern/configsentry@v0.0.24
+      - uses: alfredMorgenstern/configsentry@v0.0.25
         with:
           target: .
           # optional: baseline: .configsentry-baseline.json
@@ -160,13 +166,23 @@ jobs:
 
 **Note (consumer repos):** your repo does **not** need a `package-lock.json`. The action installs/builds ConfigSentry from the action package itself.
 
-> Tip: pin to a tag (like `v0.0.18`) for reproducible builds.
+> Tip: pin to a tag (like `v0.0.25`) for reproducible builds.
 
 ## Exit codes
 - `0` no findings
 - `2` findings present
 - `1` error
 
+## CI: fail only on high severity (optional)
+
+If you want ConfigSentry to block builds only on high severity findings:
+
+```bash
+npx configsentry ./docker-compose.yml --severity-threshold high
+```
+
+This also works in GitHub Actions via `args:` (see `docs/action-usage.md`).
+
 ## Example
 
 ```bash

package/dist/cli.js

@@ -8,6 +8,9 @@ import { runRules } from './rules.js';
 import { findingsToSarif } from './sarif.js';
 import { resolveTargets } from './scan.js';
 import { applyBaseline, loadBaseline, writeBaseline } from './baseline.js';
+function severityRank(s) {
+    return s === 'low' ? 1 : s === 'medium' ? 2 : 3;
+}
 function parseArgs(argv) {
     const args = argv.slice(2);
     const help = args.includes('-h') || args.includes('--help');
@@ -29,6 +32,8 @@ function parseArgs(argv) {
     const baselinePath = baselineIdx >= 0 ? args[baselineIdx + 1] : undefined;
     const writeBaselineIdx = args.indexOf('--write-baseline');
     const writeBaselinePath = writeBaselineIdx >= 0 ? args[writeBaselineIdx + 1] : undefined;
+    const severityThresholdIdx = args.indexOf('--severity-threshold');
+    const severityThreshold = severityThresholdIdx >= 0 ? args[severityThresholdIdx + 1] : undefined;
     const outputIdx = args.indexOf('--output');
     const outputPath = outputIdx >= 0 ? args[outputIdx + 1] : undefined;
     // Prefer explicit flag (matches the GitHub Action input)
@@ -37,7 +42,7 @@ function parseArgs(argv) {
     // Back-compat: first positional arg
     const targetFromPositional = args.find((a) => !a.startsWith('-'));
     const target = targetFromFlag ?? targetFromPositional;
-    return { args, help, version, output, format, outputPath, baselinePath, writeBaselinePath, target };
+    return { args, help, version, output, format, outputPath, baselinePath, writeBaselinePath, severityThreshold, target };
 }
 function usage() {
     console.log(`ConfigSentry (MVP)
@@ -51,6 +56,8 @@ Output:
   --sarif                   SARIF 2.1.0 (for GitHub code scanning) (deprecated; use --format sarif)
   --format <pretty|json|sarif>
   --output <file>           write JSON/SARIF output to a file (use with --format)
+  --severity-threshold <low|medium|high>
+                            only report findings at/above this severity (affects exit code)
 
 Baselines:
   --baseline <file>        suppress findings present in a baseline file
@@ -63,7 +70,7 @@ Exit codes:
 `);
 }
 async function main() {
-    const { args, help, version, output, format, outputPath, baselinePath, writeBaselinePath, target } = parseArgs(process.argv);
+    const { args, help, version, output, format, outputPath, baselinePath, writeBaselinePath, severityThreshold, target } = parseArgs(process.argv);
     if (version) {
         try {
             const here = path.dirname(fileURLToPath(import.meta.url));
@@ -97,6 +104,10 @@ async function main() {
         console.error('Error: --output requires machine output (use --format json or --format sarif)');
         process.exit(1);
     }
+    if (severityThreshold && severityThreshold !== 'low' && severityThreshold !== 'medium' && severityThreshold !== 'high') {
+        console.error(`Error: invalid --severity-threshold '${severityThreshold}'. Expected: low | medium | high`);
+        process.exit(1);
+    }
     if (!target) {
         usage();
         process.exit(1);
@@ -120,6 +131,14 @@ async function main() {
         findings = res.kept;
         suppressed = res.suppressed;
     }
+    // Severity threshold filtering (affects reporting + exit code)
+    if (severityThreshold) {
+        const min = severityRank(severityThreshold);
+        findings = findings.filter((f) => {
+            const sev = f.severity ?? 'low';
+            return severityRank(sev) >= min;
+        });
+    }
     // Baseline generation mode
     if (writeBaselinePath) {
         await writeBaseline(path.resolve(writeBaselinePath), allFindings);

package/dist/rules.js

@@ -1,4 +1,43 @@
 const SENSITIVE_PORTS = new Set([5432, 3306, 6379, 27017, 9200]);
+const SECRET_KEY_RE = /(pass(word)?|secret|token|api[_-]?key|private[_-]?key)/i;
+const PLACEHOLDER_VALUE_RE = /^(changeme|change-me|password|secret|token|example|example_password|yourpassword|your_password|replace_me|replace-me|TODO)$/i;
+function extractEnv(svc) {
+    const env = svc?.environment;
+    const res = [];
+    // environment:
+    //   KEY: value
+    // or
+    // environment:
+    //   - KEY=value
+    //   - KEY
+    if (env && typeof env === 'object' && !Array.isArray(env)) {
+        for (const [k, v] of Object.entries(env)) {
+            if (typeof k !== 'string')
+                continue;
+            if (v == null)
+                continue;
+            res.push({ key: k, value: String(v), raw: `${k}=${String(v)}` });
+        }
+        return res;
+    }
+    if (Array.isArray(env)) {
+        for (const item of env) {
+            if (typeof item !== 'string')
+                continue;
+            const idx = item.indexOf('=');
+            if (idx === -1) {
+                // KEY (value from environment at runtime) — not a hardcoded secret
+                continue;
+            }
+            const key = item.slice(0, idx);
+            const value = item.slice(idx + 1);
+            if (!key)
+                continue;
+            res.push({ key, value, raw: item });
+        }
+    }
+    return res;
+}
 function normalizePorts(ports) {
     if (!Array.isArray(ports))
         return [];
@@ -261,6 +300,27 @@ export function runRules(compose, targetPath) {
                 suggestion: 'Set user: "1000:1000" (or a dedicated UID/GID) and ensure the image supports running unprivileged.'
             });
         }
+        // Rule: hardcoded secrets in environment
+        for (const { key, value, raw } of extractEnv(svc)) {
+            if (!SECRET_KEY_RE.test(key))
+                continue;
+            const v = String(value).trim();
+            if (v.length === 0)
+                continue;
+            // ${VAR} / ${VAR:-default} / ${VAR?err}
+            if (v.startsWith('${') && v.endsWith('}'))
+                continue;
+            const placeholder = PLACEHOLDER_VALUE_RE.test(v) || v.toLowerCase().includes('changeme');
+            findings.push({
+                id: 'compose.hardcoded-secret',
+                title: 'Possible hardcoded secret in compose environment',
+                severity: placeholder ? 'medium' : 'high',
+                message: `Service '${serviceName}' sets '${key}' to a literal value in environment ('${raw}').`,
+                service: serviceName,
+                path: `${targetPath}#services.${serviceName}.environment`,
+                suggestion: 'Avoid committing secrets in docker-compose.yml. Prefer ${VAR} with a .env file (gitignored) or Docker secrets where supported.'
+            });
+        }
         // Rule: filesystem not read-only (hardening)
         // Low severity because many images expect write access unless explicitly designed for read-only.
         if (svc?.read_only !== true) {
@@ -274,6 +334,41 @@ export function runRules(compose, targetPath) {
                 suggestion: 'Consider setting read_only: true + add explicit writable mounts (e.g. tmpfs:/tmp or a data volume) if the app supports it.'
             });
         }
+        // Rule: floating / unpinned image tags
+        const image = svc?.image;
+        if (typeof image === 'string' && image.trim() !== '') {
+            // If pinned by digest, it's reproducible.
+            if (!image.includes('@')) {
+                const lastSlash = image.lastIndexOf('/');
+                const lastColon = image.lastIndexOf(':');
+                const hasTag = lastColon > lastSlash;
+                if (!hasTag) {
+                    findings.push({
+                        id: 'compose.image-floating-tag',
+                        title: 'Image tag not pinned',
+                        severity: 'medium',
+                        message: `Service '${serviceName}' uses an image without an explicit tag ('${image}').`,
+                        service: serviceName,
+                        path: `${targetPath}#services.${serviceName}.image`,
+                        suggestion: "Pin the image to a version tag (e.g. 'nginx:1.27') or a digest (e.g. 'nginx@sha256:...') for reproducible deployments."
+                    });
+                }
+                else {
+                    const tag = image.slice(lastColon + 1).trim();
+                    if (tag.toLowerCase() === 'latest') {
+                        findings.push({
+                            id: 'compose.image-floating-tag',
+                            title: 'Image tag not pinned',
+                            severity: 'medium',
+                            message: `Service '${serviceName}' uses a floating image tag ('${image}').`,
+                            service: serviceName,
+                            path: `${targetPath}#services.${serviceName}.image`,
+                            suggestion: "Pin the image to a version tag (e.g. 'nginx:1.27') or a digest (e.g. 'nginx@sha256:...') for reproducible deployments."
+                        });
+                    }
+                }
+            }
+        }
         // Rule: exposed sensitive ports
         const ports = normalizePorts(svc?.ports);
         for (const p of ports) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "configsentry",
-  "version": "0.0.25",
+  "version": "0.0.27",
   "description": "Developer-first guardrails for docker-compose.yml (security + ops footguns).",
   "type": "module",
   "license": "MIT",
@@ -31,7 +31,9 @@
     "prepack": "npm run build",
     "start": "node dist/cli.js",
     "dev": "node --loader ts-node/esm src/cli.ts",
-    "lint:example": "node dist/cli.js ./example.docker-compose.yml"
+    "lint:example": "node dist/cli.js ./example.docker-compose.yml",
+    "demo": "node dist/cli.js --target ./docs/demo/docker-compose.demo.yml",
+    "demo:json": "node dist/cli.js --target ./docs/demo/docker-compose.demo.yml --format json --output /tmp/configsentry-demo.json"
   },
   "keywords": [
     "docker",