coverme-scanner 1.0.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +227 -0
- package/commands/scan.md +317 -0
- package/dist/cli/index.d.ts +3 -0
- package/dist/cli/index.d.ts.map +1 -0
- package/dist/cli/index.js +39 -0
- package/dist/cli/index.js.map +1 -0
- package/dist/cli/init.d.ts +6 -0
- package/dist/cli/init.d.ts.map +1 -0
- package/dist/cli/init.js +636 -0
- package/dist/cli/init.js.map +1 -0
- package/dist/cli/scan.d.ts +11 -0
- package/dist/cli/scan.d.ts.map +1 -0
- package/dist/cli/scan.js +498 -0
- package/dist/cli/scan.js.map +1 -0
- package/dist/report/generator.d.ts +48 -0
- package/dist/report/generator.d.ts.map +1 -0
- package/dist/report/generator.js +368 -0
- package/dist/report/generator.js.map +1 -0
- package/dist/report/index.d.ts +35 -0
- package/dist/report/index.d.ts.map +1 -0
- package/dist/report/index.js +463 -0
- package/dist/report/index.js.map +1 -0
- package/dist/templates/report.html +796 -0
- package/dist/types.d.ts +94 -0
- package/dist/types.d.ts.map +1 -0
- package/dist/types.js +3 -0
- package/dist/types.js.map +1 -0
- package/package.json +48 -0
- package/src/cli/index.ts +43 -0
- package/src/cli/init.ts +611 -0
- package/src/cli/scan.ts +483 -0
- package/src/prompts/architecture-reviewer.md +171 -0
- package/src/prompts/consensus-builder.md +247 -0
- package/src/prompts/context-discovery.md +174 -0
- package/src/prompts/cross-validator.md +224 -0
- package/src/prompts/deep-dive-expert.md +224 -0
- package/src/prompts/dependency-auditor.md +190 -0
- package/src/prompts/performance-hunter.md +200 -0
- package/src/prompts/quality-analyzer.md +150 -0
- package/src/prompts/report-generator.md +285 -0
- package/src/prompts/security-scanner.md +180 -0
- package/src/report/generator.ts +382 -0
- package/src/report/index.ts +483 -0
- package/src/templates/report.html +796 -0
- package/src/types.ts +107 -0
- package/tsconfig.json +20 -0
package/dist/cli/scan.js
ADDED
|
@@ -0,0 +1,498 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
3
|
+
if (k2 === undefined) k2 = k;
|
|
4
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
5
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
6
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
7
|
+
}
|
|
8
|
+
Object.defineProperty(o, k2, desc);
|
|
9
|
+
}) : (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
o[k2] = m[k];
|
|
12
|
+
}));
|
|
13
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
14
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
15
|
+
}) : function(o, v) {
|
|
16
|
+
o["default"] = v;
|
|
17
|
+
});
|
|
18
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
19
|
+
var ownKeys = function(o) {
|
|
20
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
21
|
+
var ar = [];
|
|
22
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
23
|
+
return ar;
|
|
24
|
+
};
|
|
25
|
+
return ownKeys(o);
|
|
26
|
+
};
|
|
27
|
+
return function (mod) {
|
|
28
|
+
if (mod && mod.__esModule) return mod;
|
|
29
|
+
var result = {};
|
|
30
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
31
|
+
__setModuleDefault(result, mod);
|
|
32
|
+
return result;
|
|
33
|
+
};
|
|
34
|
+
})();
|
|
35
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
36
|
+
exports.scan = scan;
|
|
37
|
+
const fs = __importStar(require("fs"));
|
|
38
|
+
const path = __importStar(require("path"));
|
|
39
|
+
async function scan(scanPath, options) {
|
|
40
|
+
const resolvedPath = path.resolve(scanPath);
|
|
41
|
+
if (!fs.existsSync(resolvedPath)) {
|
|
42
|
+
console.error(`Error: Path does not exist: ${resolvedPath}`);
|
|
43
|
+
process.exit(1);
|
|
44
|
+
}
|
|
45
|
+
const categories = options.categories === 'all'
|
|
46
|
+
? ['security', 'quality', 'architecture', 'dependencies', 'performance']
|
|
47
|
+
: options.categories.split(',');
|
|
48
|
+
const scanOptions = {
|
|
49
|
+
path: resolvedPath,
|
|
50
|
+
output: options.output,
|
|
51
|
+
outputPath: options.outputPath,
|
|
52
|
+
categories,
|
|
53
|
+
minSeverity: options.severity,
|
|
54
|
+
verbose: options.verbose,
|
|
55
|
+
parallel: parseInt(options.parallel, 10),
|
|
56
|
+
};
|
|
57
|
+
console.log(`
|
|
58
|
+
================================================================================
|
|
59
|
+
COVERME SECURITY SCANNER
|
|
60
|
+
10-Agent Deep Analysis System
|
|
61
|
+
================================================================================
|
|
62
|
+
|
|
63
|
+
Scan Target: ${resolvedPath}
|
|
64
|
+
Categories: ${categories.join(', ')}
|
|
65
|
+
Output: ${scanOptions.output}
|
|
66
|
+
Agents: 10 scanners + 3 validators
|
|
67
|
+
|
|
68
|
+
================================================================================
|
|
69
|
+
|
|
70
|
+
This scan runs FROM WITHIN Claude Code.
|
|
71
|
+
Run: /coverme
|
|
72
|
+
|
|
73
|
+
================================================================================
|
|
74
|
+
`);
|
|
75
|
+
// Output the orchestration prompt for Claude Code
|
|
76
|
+
console.log(generateOrchestrationPrompt(scanOptions));
|
|
77
|
+
}
|
|
78
|
+
function generateOrchestrationPrompt(options) {
|
|
79
|
+
const projectPath = options.path;
|
|
80
|
+
const dateStr = new Date().toISOString().split('T')[0];
|
|
81
|
+
return `
|
|
82
|
+
## CoverMe Multi-Agent Scan Orchestration
|
|
83
|
+
|
|
84
|
+
Execute this 10-agent security scan with cross-validation.
|
|
85
|
+
|
|
86
|
+
**CRITICAL OUTPUT FORMAT:**
|
|
87
|
+
Every finding MUST include ALL these fields for the report to work:
|
|
88
|
+
\`\`\`json
|
|
89
|
+
{
|
|
90
|
+
"id": "PREFIX-XXX",
|
|
91
|
+
"title": "Short descriptive title",
|
|
92
|
+
"severity": "critical|high|medium|low|info",
|
|
93
|
+
"category": "Category name",
|
|
94
|
+
"file": "exact/path/to/file.ts",
|
|
95
|
+
"line": 123,
|
|
96
|
+
"code": "the vulnerable/problematic code snippet",
|
|
97
|
+
"description": "What is wrong - the specific problem found",
|
|
98
|
+
"why": "Why this matters - security impact, what an attacker could do, business risk",
|
|
99
|
+
"context": "Code context - what this code is trying to do, surrounding logic, dependencies",
|
|
100
|
+
"checkBefore": "What to verify before fixing - tests to run, dependencies to check, potential breaking changes",
|
|
101
|
+
"recommendation": "Exact steps to fix this issue with code example if applicable",
|
|
102
|
+
"cwe": "CWE-XXX (if applicable)",
|
|
103
|
+
"confidence": 85
|
|
104
|
+
}
|
|
105
|
+
\`\`\`
|
|
106
|
+
|
|
107
|
+
**FIELD GUIDELINES:**
|
|
108
|
+
- **why**: Explain the real-world impact. Example: "An attacker could steal session tokens and impersonate any user"
|
|
109
|
+
- **context**: Reference specific code. Example: "This function handles user uploads and is called from the /api/upload endpoint"
|
|
110
|
+
- **checkBefore**: CRITICAL - Always check for existing solutions first! Include:
|
|
111
|
+
|
|
112
|
+
EXISTING SOLUTIONS TO CHECK:
|
|
113
|
+
- Search for: sanitize, validate, escape functions in utils/
|
|
114
|
+
- Check if library already imported (e.g., DOMPurify, validator.js)
|
|
115
|
+
- Look at how other files handle this pattern
|
|
116
|
+
|
|
117
|
+
BEFORE IMPLEMENTING:
|
|
118
|
+
1. Run existing tests
|
|
119
|
+
2. Check for duplicate fixes needed elsewhere
|
|
120
|
+
3. Verify no breaking changes
|
|
121
|
+
|
|
122
|
+
---
|
|
123
|
+
|
|
124
|
+
### PHASE 1: PARALLEL DISCOVERY (Launch ALL 10 agents simultaneously)
|
|
125
|
+
|
|
126
|
+
---
|
|
127
|
+
|
|
128
|
+
**AGENT 1: Security Core Scanner** (ID prefix: SEC)
|
|
129
|
+
\`\`\`
|
|
130
|
+
Scan ${projectPath} for OWASP Top 10 and core security vulnerabilities.
|
|
131
|
+
|
|
132
|
+
CHECK FOR:
|
|
133
|
+
- SQL/NoSQL Injection (parameterized queries missing)
|
|
134
|
+
- XSS (reflected, stored, DOM-based)
|
|
135
|
+
- Command Injection (shell commands with user input)
|
|
136
|
+
- Path Traversal (../ in file operations)
|
|
137
|
+
- SSRF (user-controlled URLs in fetch/axios)
|
|
138
|
+
- XXE (XML parsing without disabling entities)
|
|
139
|
+
- Insecure Deserialization (JSON.parse on untrusted data)
|
|
140
|
+
- Hardcoded Secrets (API keys, passwords, tokens in code)
|
|
141
|
+
- Weak Cryptography (MD5, SHA1 for passwords, ECB mode)
|
|
142
|
+
- Insecure Random (Math.random for security purposes)
|
|
143
|
+
|
|
144
|
+
For EACH finding, output the FULL JSON format above.
|
|
145
|
+
\`\`\`
|
|
146
|
+
|
|
147
|
+
---
|
|
148
|
+
|
|
149
|
+
**AGENT 2: Auth & Session Scanner** (ID prefix: AUTH)
|
|
150
|
+
\`\`\`
|
|
151
|
+
Scan ${projectPath} for authentication and session vulnerabilities.
|
|
152
|
+
|
|
153
|
+
CHECK FOR:
|
|
154
|
+
- SSO/OAuth Open Redirect (return_url, redirect_uri without validation)
|
|
155
|
+
- PKCE missing in OAuth flows
|
|
156
|
+
- JWT issues (alg:none, weak secrets, missing expiry)
|
|
157
|
+
- Session fixation (session not regenerated after login)
|
|
158
|
+
- Cookie security (missing HttpOnly, Secure, SameSite)
|
|
159
|
+
- Password reset flaws (predictable tokens, no expiry)
|
|
160
|
+
- MFA bypass paths
|
|
161
|
+
- Remember-me token weaknesses
|
|
162
|
+
- Account enumeration (different responses for valid/invalid users)
|
|
163
|
+
- Brute force protection missing
|
|
164
|
+
|
|
165
|
+
For EACH finding, output the FULL JSON format.
|
|
166
|
+
\`\`\`
|
|
167
|
+
|
|
168
|
+
---
|
|
169
|
+
|
|
170
|
+
**AGENT 3: API Security Scanner** (ID prefix: API)
|
|
171
|
+
\`\`\`
|
|
172
|
+
Scan ${projectPath} for API security issues.
|
|
173
|
+
|
|
174
|
+
CHECK FOR:
|
|
175
|
+
- Missing authentication on endpoints
|
|
176
|
+
- Broken authorization (IDOR, privilege escalation)
|
|
177
|
+
- Input validation missing (Zod/Joi schemas)
|
|
178
|
+
- Rate limiting issues (non-atomic INCR+EXPIRE in Redis)
|
|
179
|
+
- CORS misconfiguration (Access-Control-Allow-Origin: *)
|
|
180
|
+
- Mass assignment (spreading req.body into DB)
|
|
181
|
+
- Webhook signature verification missing (HMAC)
|
|
182
|
+
- GraphQL introspection enabled in production
|
|
183
|
+
- API versioning issues
|
|
184
|
+
- Excessive data exposure in responses
|
|
185
|
+
|
|
186
|
+
For EACH finding, output the FULL JSON format.
|
|
187
|
+
\`\`\`
|
|
188
|
+
|
|
189
|
+
---
|
|
190
|
+
|
|
191
|
+
**AGENT 4: Infrastructure Scanner** (ID prefix: INFRA)
|
|
192
|
+
\`\`\`
|
|
193
|
+
Scan ${projectPath} for infrastructure and DevOps issues.
|
|
194
|
+
|
|
195
|
+
CHECK FOR:
|
|
196
|
+
- Secrets in git-tracked files (Helm values, K8s manifests, .env committed)
|
|
197
|
+
- Real IPs/hostnames committed to repo
|
|
198
|
+
- Docker issues (running as root, secrets in layers)
|
|
199
|
+
- K8s pod security context missing
|
|
200
|
+
- CI/CD pipeline security (missing quality gates)
|
|
201
|
+
- Missing security headers in server config
|
|
202
|
+
- TLS/SSL configuration issues
|
|
203
|
+
- Debug mode enabled in production configs
|
|
204
|
+
- Exposed internal ports
|
|
205
|
+
- Missing resource limits
|
|
206
|
+
|
|
207
|
+
For EACH finding, output the FULL JSON format.
|
|
208
|
+
\`\`\`
|
|
209
|
+
|
|
210
|
+
---
|
|
211
|
+
|
|
212
|
+
**AGENT 5: Data & Privacy Scanner** (ID prefix: DATA)
|
|
213
|
+
\`\`\`
|
|
214
|
+
Scan ${projectPath} for data protection and privacy issues.
|
|
215
|
+
|
|
216
|
+
CHECK FOR:
|
|
217
|
+
- PII logging (emails, IPs, names in logs)
|
|
218
|
+
- GDPR deletion bugs (incomplete data removal)
|
|
219
|
+
- Encryption at rest missing for sensitive fields
|
|
220
|
+
- Data residency violations
|
|
221
|
+
- Backup encryption missing
|
|
222
|
+
- Sensitive data in URLs/query params
|
|
223
|
+
- Missing data classification
|
|
224
|
+
- Retention policy not enforced
|
|
225
|
+
- Export functionality exposing too much data
|
|
226
|
+
- Cross-tenant data leakage
|
|
227
|
+
|
|
228
|
+
For EACH finding, output the FULL JSON format.
|
|
229
|
+
\`\`\`
|
|
230
|
+
|
|
231
|
+
---
|
|
232
|
+
|
|
233
|
+
**AGENT 6: AI/LLM Security Scanner** (ID prefix: AI)
|
|
234
|
+
\`\`\`
|
|
235
|
+
Scan ${projectPath} for AI/LLM specific vulnerabilities.
|
|
236
|
+
|
|
237
|
+
CHECK FOR:
|
|
238
|
+
- Prompt injection (user input directly in prompts)
|
|
239
|
+
- Content filter fail-open (errors bypass safety)
|
|
240
|
+
- CDN imports without SRI (integrity hashes missing)
|
|
241
|
+
- Model output not sanitized before use
|
|
242
|
+
- Sensitive data sent to external AI APIs
|
|
243
|
+
- AI decision logging insufficient for audit
|
|
244
|
+
- Rate limiting on AI endpoints
|
|
245
|
+
- Cost controls missing
|
|
246
|
+
- Jailbreak prevention missing
|
|
247
|
+
- PII in training data/prompts
|
|
248
|
+
|
|
249
|
+
For EACH finding, output the FULL JSON format.
|
|
250
|
+
\`\`\`
|
|
251
|
+
|
|
252
|
+
---
|
|
253
|
+
|
|
254
|
+
**AGENT 7: Performance & DoS Scanner** (ID prefix: PERF)
|
|
255
|
+
\`\`\`
|
|
256
|
+
Scan ${projectPath} for performance and denial-of-service issues.
|
|
257
|
+
|
|
258
|
+
CHECK FOR:
|
|
259
|
+
- N+1 query patterns
|
|
260
|
+
- ReDoS (regex denial of service)
|
|
261
|
+
- Memory leaks (event listeners not removed, growing caches)
|
|
262
|
+
- Unbounded data structures
|
|
263
|
+
- Missing pagination
|
|
264
|
+
- SSE/WebSocket buffering entire streams
|
|
265
|
+
- Heavy computation blocking event loop
|
|
266
|
+
- Missing connection pooling
|
|
267
|
+
- Resource exhaustion (no limits on uploads, requests)
|
|
268
|
+
- Synchronous operations that should be async
|
|
269
|
+
|
|
270
|
+
For EACH finding, output the FULL JSON format.
|
|
271
|
+
\`\`\`
|
|
272
|
+
|
|
273
|
+
---
|
|
274
|
+
|
|
275
|
+
**AGENT 8: Business Logic Scanner** (ID prefix: BIZ)
|
|
276
|
+
\`\`\`
|
|
277
|
+
Scan ${projectPath} for business logic vulnerabilities.
|
|
278
|
+
|
|
279
|
+
CHECK FOR:
|
|
280
|
+
- Race conditions (TOCTOU, double-spend)
|
|
281
|
+
- Workflow bypass (skipping required steps)
|
|
282
|
+
- Price/quantity manipulation
|
|
283
|
+
- Negative value attacks
|
|
284
|
+
- State machine violations
|
|
285
|
+
- Time-based attacks (timing side channels)
|
|
286
|
+
- Non-constant-time comparisons for secrets
|
|
287
|
+
- Duplicate request handling (missing idempotency)
|
|
288
|
+
- Business rule bypass
|
|
289
|
+
- Inconsistent validation between client/server
|
|
290
|
+
|
|
291
|
+
For EACH finding, output the FULL JSON format.
|
|
292
|
+
\`\`\`
|
|
293
|
+
|
|
294
|
+
---
|
|
295
|
+
|
|
296
|
+
**AGENT 9: Code Quality Scanner** (ID prefix: QUAL)
|
|
297
|
+
\`\`\`
|
|
298
|
+
Scan ${projectPath} for code quality issues that affect security/reliability.
|
|
299
|
+
|
|
300
|
+
CHECK FOR:
|
|
301
|
+
- Error handling swallowing exceptions silently
|
|
302
|
+
- Missing error boundaries
|
|
303
|
+
- Inconsistent error responses
|
|
304
|
+
- Dead code with security implications
|
|
305
|
+
- DRY violations in security code
|
|
306
|
+
- Complex functions (high cyclomatic complexity)
|
|
307
|
+
- Any/unknown types masking issues
|
|
308
|
+
- Missing null checks
|
|
309
|
+
- Callback hell making auditing hard
|
|
310
|
+
- Anti-patterns (god objects, tight coupling)
|
|
311
|
+
|
|
312
|
+
For EACH finding, output the FULL JSON format.
|
|
313
|
+
\`\`\`
|
|
314
|
+
|
|
315
|
+
---
|
|
316
|
+
|
|
317
|
+
**AGENT 10: Testing & Reliability Scanner** (ID prefix: TEST)
|
|
318
|
+
\`\`\`
|
|
319
|
+
Scan ${projectPath} for testing and reliability gaps.
|
|
320
|
+
|
|
321
|
+
CHECK FOR:
|
|
322
|
+
- Missing tests for security-critical paths
|
|
323
|
+
- No CI quality gates
|
|
324
|
+
- Missing health checks
|
|
325
|
+
- No graceful shutdown handling
|
|
326
|
+
- Circuit breakers missing
|
|
327
|
+
- Retry logic without exponential backoff
|
|
328
|
+
- Missing observability (logging, metrics, tracing)
|
|
329
|
+
- Feature flags without cleanup
|
|
330
|
+
- Database migrations without rollback
|
|
331
|
+
- No chaos/failure testing evidence
|
|
332
|
+
|
|
333
|
+
For EACH finding, output the FULL JSON format.
|
|
334
|
+
\`\`\`
|
|
335
|
+
|
|
336
|
+
---
|
|
337
|
+
|
|
338
|
+
### PHASE 2: DUPLICATE & EXISTING SOLUTIONS CHECK
|
|
339
|
+
|
|
340
|
+
**AGENT 11: Duplicate & Existing Solutions Scanner** (ID prefix: DUP)
|
|
341
|
+
\`\`\`
|
|
342
|
+
CRITICAL: Before recommending ANY fix, check if a solution ALREADY EXISTS in the codebase.
|
|
343
|
+
|
|
344
|
+
For EVERY finding from Phase 1, search the codebase for:
|
|
345
|
+
|
|
346
|
+
1. **Existing utilities/helpers that solve this**:
|
|
347
|
+
- Search for similar function names (sanitize, validate, escape, hash, encrypt)
|
|
348
|
+
- Check utils/, helpers/, lib/, common/ folders
|
|
349
|
+
- Look for imported libraries that handle this
|
|
350
|
+
|
|
351
|
+
2. **Existing patterns in the codebase**:
|
|
352
|
+
- How do OTHER files handle the same issue?
|
|
353
|
+
- Is there a project-wide convention?
|
|
354
|
+
- Are there shared middleware/decorators?
|
|
355
|
+
|
|
356
|
+
3. **Configuration that already exists**:
|
|
357
|
+
- Check if there's a config for this (CSP headers, CORS, rate limits)
|
|
358
|
+
- Look in config/, .env files, infrastructure code
|
|
359
|
+
|
|
360
|
+
4. **Duplicate findings**:
|
|
361
|
+
- Is this the same issue reported multiple times?
|
|
362
|
+
- Are multiple findings actually ONE root cause?
|
|
363
|
+
|
|
364
|
+
For EACH finding, add to the checkBefore field:
|
|
365
|
+
- "EXISTING: Found sanitizeHtml() in src/utils/security.ts - use this instead of creating new"
|
|
366
|
+
- "PATTERN: Other files use zod.string().email() for validation - follow same pattern"
|
|
367
|
+
- "DUPLICATE: This is same root cause as SEC-003, fix once in middleware"
|
|
368
|
+
- "CONFIG: Rate limiting already configured in src/middleware/rateLimit.ts line 15"
|
|
369
|
+
|
|
370
|
+
If NO existing solution found, state: "VERIFIED: No existing solution found, new implementation needed"
|
|
371
|
+
|
|
372
|
+
Output for each finding:
|
|
373
|
+
{
|
|
374
|
+
"findingId": "SEC-001",
|
|
375
|
+
"existingSolution": "Found: src/utils/sanitize.ts exports sanitizeUserInput()",
|
|
376
|
+
"duplicateOf": null | "SEC-003",
|
|
377
|
+
"suggestedApproach": "Import and use existing sanitizeUserInput() instead of creating new function",
|
|
378
|
+
"checkBefore": "1. Verify sanitizeUserInput() handles this case 2. Check if it's already imported"
|
|
379
|
+
}
|
|
380
|
+
\`\`\`
|
|
381
|
+
|
|
382
|
+
---
|
|
383
|
+
|
|
384
|
+
### PHASE 3: CROSS-VALIDATION (After Phase 2 completes)
|
|
385
|
+
|
|
386
|
+
Launch 3 validators IN PARALLEL:
|
|
387
|
+
|
|
388
|
+
**Validator A: False Positive & Duplicate Hunter**
|
|
389
|
+
\`\`\`
|
|
390
|
+
Review ALL findings from Phase 1 + Phase 2 duplicate analysis.
|
|
391
|
+
For each finding determine if it's FALSE POSITIVE or DUPLICATE:
|
|
392
|
+
- Is the code actually reachable?
|
|
393
|
+
- Are there mitigating controls elsewhere?
|
|
394
|
+
- Is the context misunderstood?
|
|
395
|
+
- Is it already handled by a framework?
|
|
396
|
+
- Is this a DUPLICATE of another finding? (same root cause)
|
|
397
|
+
- Does an EXISTING SOLUTION already exist in the codebase?
|
|
398
|
+
|
|
399
|
+
If existing solution found, mark as "use_existing" not "fix_new".
|
|
400
|
+
|
|
401
|
+
Output:
|
|
402
|
+
{
|
|
403
|
+
"confirmed": ["SEC-001", "AUTH-002", ...],
|
|
404
|
+
"useExisting": [
|
|
405
|
+
{"id": "SEC-005", "existingSolution": "src/utils/sanitize.ts", "reason": "sanitizeHtml() already exists"}
|
|
406
|
+
],
|
|
407
|
+
"duplicates": [
|
|
408
|
+
{"id": "SEC-007", "duplicateOf": "SEC-003", "reason": "Same XSS issue, fix once in shared component"}
|
|
409
|
+
],
|
|
410
|
+
"falsePositives": [
|
|
411
|
+
{"id": "API-003", "reason": "Input is validated by Zod schema at line 45"}
|
|
412
|
+
]
|
|
413
|
+
}
|
|
414
|
+
\`\`\`
|
|
415
|
+
|
|
416
|
+
**Validator B: Evidence Challenger**
|
|
417
|
+
\`\`\`
|
|
418
|
+
For every HIGH and CRITICAL finding:
|
|
419
|
+
- Read the actual code files
|
|
420
|
+
- Trace complete data flow
|
|
421
|
+
- Verify exploit scenario is realistic
|
|
422
|
+
- Check if exploitable in production context
|
|
423
|
+
|
|
424
|
+
Output same format as Validator A.
|
|
425
|
+
\`\`\`
|
|
426
|
+
|
|
427
|
+
**Validator C: Missing Issues Hunter**
|
|
428
|
+
\`\`\`
|
|
429
|
+
Look for issues Phase 1 agents MISSED:
|
|
430
|
+
- Edge cases
|
|
431
|
+
- Combination attacks
|
|
432
|
+
- Business logic flaws specific to this codebase
|
|
433
|
+
- Configuration issues
|
|
434
|
+
- Integration points
|
|
435
|
+
|
|
436
|
+
Output:
|
|
437
|
+
{
|
|
438
|
+
"missedIssues": [{full finding object}]
|
|
439
|
+
}
|
|
440
|
+
\`\`\`
|
|
441
|
+
|
|
442
|
+
---
|
|
443
|
+
|
|
444
|
+
### PHASE 3: POSITIVE OBSERVATIONS
|
|
445
|
+
|
|
446
|
+
Scan for good practices to include in the report:
|
|
447
|
+
- Security controls that work well
|
|
448
|
+
- Good patterns (input validation, parameterized queries)
|
|
449
|
+
- Proper error handling
|
|
450
|
+
- Good test coverage areas
|
|
451
|
+
- Well-implemented auth flows
|
|
452
|
+
|
|
453
|
+
Output as list of strings.
|
|
454
|
+
|
|
455
|
+
---
|
|
456
|
+
|
|
457
|
+
### PHASE 4: BUILD CONSENSUS & GENERATE OUTPUT
|
|
458
|
+
|
|
459
|
+
1. Calculate confidence: (confirmations / total_validators) * 100
|
|
460
|
+
2. Remove findings with confidence < 50%
|
|
461
|
+
3. Add missed issues from Validator C
|
|
462
|
+
4. Sort: severity DESC, confidence DESC
|
|
463
|
+
|
|
464
|
+
**SAVE OUTPUT AS JSON:**
|
|
465
|
+
\`\`\`json
|
|
466
|
+
{
|
|
467
|
+
"projectName": "project-name",
|
|
468
|
+
"scanDate": "${new Date().toISOString()}",
|
|
469
|
+
"summary": {
|
|
470
|
+
"total": X,
|
|
471
|
+
"critical": X,
|
|
472
|
+
"high": X,
|
|
473
|
+
"medium": X,
|
|
474
|
+
"low": X,
|
|
475
|
+
"info": X
|
|
476
|
+
},
|
|
477
|
+
"findings": [
|
|
478
|
+
{all findings with full fields}
|
|
479
|
+
],
|
|
480
|
+
"positiveObservations": [
|
|
481
|
+
"Good pattern 1",
|
|
482
|
+
"Good pattern 2"
|
|
483
|
+
],
|
|
484
|
+
"falsePositives": [
|
|
485
|
+
{"id": "...", "reason": "..."}
|
|
486
|
+
],
|
|
487
|
+
"agentsUsed": ["Security Core", "Auth & Session", ...],
|
|
488
|
+
"scanDuration": X
|
|
489
|
+
}
|
|
490
|
+
\`\`\`
|
|
491
|
+
|
|
492
|
+
Save as: coverme-scan.json
|
|
493
|
+
|
|
494
|
+
Then generate HTML report:
|
|
495
|
+
\`coverme report coverme-scan.json -f html -o coverme-report.html\`
|
|
496
|
+
`;
|
|
497
|
+
}
|
|
498
|
+
//# sourceMappingURL=scan.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scan.js","sourceRoot":"","sources":["../../src/cli/scan.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAaA,oBA+CC;AA5DD,uCAAyB;AACzB,2CAA6B;AAYtB,KAAK,UAAU,IAAI,CACxB,QAAgB,EAChB,OAA2B;IAE3B,MAAM,YAAY,GAAG,IAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE5C,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,+BAA+B,YAAY,EAAE,CAAC,CAAC;QAC7D,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,UAAU,GACd,OAAO,CAAC,UAAU,KAAK,KAAK;QAC1B,CAAC,CAAC,CAAC,UAAU,EAAE,SAAS,EAAE,cAAc,EAAE,cAAc,EAAE,aAAa,CAAC;QACxE,CAAC,CAAE,OAAO,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAgB,CAAC;IAEpD,MAAM,WAAW,GAAgB;QAC/B,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,OAAO,CAAC,MAAwC;QACxD,UAAU,EAAE,OAAO,CAAC,UAAU;QAC9B,UAAU;QACV,WAAW,EAAE,OAAO,CAAC,QAAoB;QACzC,OAAO,EAAE,OAAO,CAAC,OAAO;QACxB,QAAQ,EAAE,QAAQ,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC;KACzC,CAAC;IAEF,OAAO,CAAC,GAAG,CAAC;;;;;;gBAME,YAAY;gBACZ,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC;gBACrB,WAAW,CAAC,MAAM;;;;;;;;;CASjC,CAAC,CAAC;IAED,kDAAkD;IAClD,OAAO,CAAC,GAAG,CAAC,2BAA2B,CAAC,WAAW,CAAC,CAAC,CAAC;AACxD,CAAC;AAED,SAAS,2BAA2B,CAAC,OAAoB;IACvD,MAAM,WAAW,GAAG,OAAO,CAAC,IAAI,CAAC;IACjC,MAAM,OAAO,GAAG,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;IAEvD,OAAO;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;OAiDF,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;OAqBX,WAAW;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;iBAqJD,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;;;;;;;;;;;;;;;;;;;;;;;;;;;;CA4BxC,CAAC;AACF,CAAC"}
|
|
@@ -0,0 +1,48 @@
|
|
|
1
|
+
import type { ScanResult, ConsensusFinding } from '../types.js';
|
|
2
|
+
interface ReportData {
|
|
3
|
+
projectName: string;
|
|
4
|
+
scanDate: string;
|
|
5
|
+
scoreGrade: string;
|
|
6
|
+
scoreValue: number;
|
|
7
|
+
criticalCount: number;
|
|
8
|
+
highCount: number;
|
|
9
|
+
mediumCount: number;
|
|
10
|
+
lowCount: number;
|
|
11
|
+
infoCount: number;
|
|
12
|
+
executiveSummary: string;
|
|
13
|
+
criticalFindings: ConsensusFinding[];
|
|
14
|
+
highFindings: ConsensusFinding[];
|
|
15
|
+
mediumFindings: ConsensusFinding[];
|
|
16
|
+
lowFindings: ConsensusFinding[];
|
|
17
|
+
falsePositives: Array<{
|
|
18
|
+
id: string;
|
|
19
|
+
title: string;
|
|
20
|
+
file?: string;
|
|
21
|
+
rejectionReason: string;
|
|
22
|
+
}>;
|
|
23
|
+
falsePositiveCount: number;
|
|
24
|
+
lowInfoCount: number;
|
|
25
|
+
positiveObservations: string[];
|
|
26
|
+
scanDuration: string;
|
|
27
|
+
agentCount: number;
|
|
28
|
+
}
|
|
29
|
+
export declare function calculateScore(result: ScanResult): {
|
|
30
|
+
grade: string;
|
|
31
|
+
value: number;
|
|
32
|
+
};
|
|
33
|
+
export declare function generateExecutiveSummary(result: ScanResult): string;
|
|
34
|
+
export declare function renderTemplate(templateHtml: string, data: ReportData): string;
|
|
35
|
+
export declare function generatePdfReport(result: ScanResult, outputPath: string, falsePositives?: Array<{
|
|
36
|
+
id: string;
|
|
37
|
+
title: string;
|
|
38
|
+
file?: string;
|
|
39
|
+
rejectionReason: string;
|
|
40
|
+
}>): Promise<void>;
|
|
41
|
+
export declare function generateHtmlReport(result: ScanResult, outputPath: string, falsePositives?: Array<{
|
|
42
|
+
id: string;
|
|
43
|
+
title: string;
|
|
44
|
+
file?: string;
|
|
45
|
+
rejectionReason: string;
|
|
46
|
+
}>): Promise<void>;
|
|
47
|
+
export {};
|
|
48
|
+
//# sourceMappingURL=generator.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"generator.d.ts","sourceRoot":"","sources":["../../src/report/generator.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,UAAU,EAAE,gBAAgB,EAAY,MAAM,aAAa,CAAC;AAE1E,UAAU,UAAU;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,MAAM,CAAC;IACjB,SAAS,EAAE,MAAM,CAAC;IAClB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,gBAAgB,EAAE,CAAC;IACrC,YAAY,EAAE,gBAAgB,EAAE,CAAC;IACjC,cAAc,EAAE,gBAAgB,EAAE,CAAC;IACnC,WAAW,EAAE,gBAAgB,EAAE,CAAC;IAChC,cAAc,EAAE,KAAK,CAAC;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAC;QAAC,eAAe,EAAE,MAAM,CAAA;KAAE,CAAC,CAAC;IAC7F,kBAAkB,EAAE,MAAM,CAAC;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,oBAAoB,EAAE,MAAM,EAAE,CAAC;IAC/B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB;AAED,wBAAgB,cAAc,CAAC,MAAM,EAAE,UAAU,GAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,CAwBnF;AAED,wBAAgB,wBAAwB,CAAC,MAAM,EAAE,UAAU,GAAG,MAAM,CAkBnE;AAqDD,wBAAgB,cAAc,CAAC,YAAY,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,GAAG,MAAM,CA8I7E;AAED,wBAAsB,iBAAiB,CACrC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,cAAc,GAAE,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,CAAM,GAChG,OAAO,CAAC,IAAI,CAAC,CA4Df;AAED,wBAAsB,kBAAkB,CACtC,MAAM,EAAE,UAAU,EAClB,UAAU,EAAE,MAAM,EAClB,cAAc,GAAE,KAAK,CAAC;IAAE,EAAE,EAAE,MAAM,CAAC;IAAC,KAAK,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,eAAe,EAAE,MAAM,CAAA;CAAE,CAAM,GAChG,OAAO,CAAC,IAAI,CAAC,CA0Cf"}
|