deltarq-scan 0.1.0

package/README.md

@@ -0,0 +1,210 @@
+# deltarq-scan
+
+**Scan your startup's codebase and infrastructure for security gaps in 30 seconds.**
+
+[![License: MIT](https://img.shields.io/badge/License-MIT-6C5CE7.svg)](https://opensource.org/licenses/MIT)
+[![Node.js](https://img.shields.io/badge/Node.js-18%2B-339933.svg)](https://nodejs.org/)
+
+---
+
+```bash
+npx deltarq-scan
+```
+
+`deltarq-scan` is a **local-first, zero-install, read-only** CLI security audit tool. It scans your repository (configurations, environment variables, IAM policies, git history) for critical security gaps that block enterprise deals, fail SOC 2 audits, or expose you to immediate breach.
+
+---
+
+## What it checks
+
+| Rule | Severity | What it catches |
+|------|----------|----------------|
+| `IAM-001` | 🔴 CRITICAL | Wildcard IAM policies (`Action: *`, `Resource: *`) |
+| `DB-001` | 🔴 CRITICAL | Postgres with no SSL on public endpoints |
+| `INFRA-001` | 🔴 CRITICAL | Docker containers running as root |
+| `INFRA-004` | 🔴 CRITICAL | Insecure CI/CD workflow (Dangerous `pull_request_target` in GitHub Actions) |
+| `IAM-002` | 🟠 HIGH | Hardcoded Cloud/API Secrets (AWS, Stripe, Slack, GitHub keys in `.env`) |
+| `INFRA-002` | 🟠 HIGH | Database ports exposed to all interfaces |
+| `INFRA-003` | 🟠 HIGH | Missing package lockfile (Deterministic builds/SOC 2 control) |
+| `LOG-001` | 🟠 HIGH | No structured audit trail / logging |
+| `IAM-003` | 🟡 MEDIUM | No MFA on AWS root account |
+| `DB-002` | 🟡 MEDIUM | No connection pool limits |
+| `GIT-001` | 🟡 MEDIUM | Secrets leaked in git history |
+
+---
+
+## How it works
+
+1. **Runs entirely on your machine** — scans `.env`, `Dockerfile`, `docker-compose.yml`, IAM policies
+2. **Generates a security score** — 0-100 with grade (A-F) and enterprise readiness flag
+3. **Shows a rich terminal report** — color-coded findings with plain English explanations
+4. **Optionally uploads anonymous metadata** — only boolean pass/fail data, no secrets ever leave your machine
+
+```
+────────────────────────────────────────────────────────
+   DELTARQ Security Scanner v0.1.0
+   Scanning: /Users/you/my-startup
+────────────────────────────────────────────────────────
+
+   ✓ Detecting project type...           FastAPI + PostgreSQL
+   ⚠ Scanning configuration files...     3 issues found
+   ✓ Scanning IAM configuration...       1 issue found
+   ✓ Scanning database config...         No issues
+   ✓ Scanning git history...             Clean
+
+────────────────────────────────────────────────────────
+   YOUR SECURITY SCORE: 34/100   [F — Critical Exposure]
+────────────────────────────────────────────────────────
+
+   🔴 CRITICAL   IAM-001  Wildcard IAM policy detected
+                  → Any compromised service = full account takeover
+
+   🔴 CRITICAL   DB-001   Postgres unencrypted on public host
+                  → User data exposed to interception in transit
+
+   🟠 HIGH       LOG-001  No audit trail detected
+                  → You cannot detect or investigate a breach
+
+────────────────────────────────────────────────────────
+   ENTERPRISE READINESS: ✗ Not Ready
+   SOC 2 Gap Count: 3 controls failing
+────────────────────────────────────────────────────────
+```
+
+---
+
+## Usage
+
+```bash
+# Scan current directory
+npx deltarq-scan
+
+# Scan a specific project
+npx deltarq-scan ./my-project
+
+# Scan without upload prompt
+npx deltarq-scan --no-upload
+
+# Output JSON (for CI/CD pipelines)
+npx deltarq-scan --json
+
+# Verbose mode (see upload payload preview)
+npx deltarq-scan --verbose
+```
+
+---
+
+## What data is uploaded?
+
+**Only if you consent.** And only this:
+
+```json
+{
+  "scan_id": "uuid",
+  "score": 34,
+  "grade": "F",
+  "enterprise_ready": false,
+  "findings": [
+    { "rule": "IAM-001", "severity": "CRITICAL", "passed": false }
+  ]
+}
+```
+
+**What is NEVER uploaded:**
+- ❌ No `.env` values
+- ❌ No AWS keys or secrets  
+- ❌ No file contents
+- ❌ No IP addresses
+- ❌ No company name (unless you opt in on dashboard)
+
+---
+
+## Privacy & Security
+
+- **Open source** — read every line of code before running
+- **Read-only** — never modifies your files
+- **Local-first** — all scanning happens on your machine
+- **Consent-gated** — nothing leaves without your explicit `Y`
+- **MIT Licensed** — use it however you want
+
+---
+
+## Development & Local Testing
+
+### 1. Setup
+```bash
+# Clone the repository
+git clone https://github.com/deltarq/deltarq-scan.git
+cd deltarq-scan
+
+# Install dependencies
+npm install
+```
+
+### 2. Run Scanner Locally
+```bash
+# Scan the current directory
+node bin/deltarq-scan.js
+
+# Scan mock test fixtures (no upload prompt)
+node bin/deltarq-scan.js ./tests/fixtures --no-upload
+```
+
+### 3. Test Global CLI Command Locally (`npm link`)
+Before publishing to the npm registry, you can test the global `npx deltarq-scan` command in any directory on your computer by linking it:
+```bash
+# 1. In the deltarq-scan project root, run:
+npm link
+
+# 2. Go to any other directory/project folder and run:
+npx deltarq-scan
+# or simply:
+deltarq-scan
+```
+
+### 4. Test Full Upload Pipeline Locally
+You can spin up a local Express server and test uploader integration directly.
+
+**Terminal 1: Start Dashboard API Server**
+```bash
+npm run server
+```
+
+**Terminal 2: Run Scan & Upload to Local Server**
+* **Windows (PowerShell)**:
+  ```powershell
+  $env:DELTARQ_API_URL="http://localhost:3000/v1/scans"; $env:DELTARQ_DASHBOARD_URL="http://localhost:3000"; node bin/deltarq-scan.js ./tests/fixtures
+  ```
+* **Mac/Linux (Bash)**:
+  ```bash
+  DELTARQ_API_URL="http://localhost:3000/v1/scans" DELTARQ_DASHBOARD_URL="http://localhost:3000" node bin/deltarq-scan.js ./tests/fixtures
+  ```
+
+### 5. Run Automated Unit Tests
+```bash
+# Run Vitest test runner
+npm test
+```
+
+---
+
+## Production Deployment
+
+### 1. Database Setup (Supabase)
+Create a project on [Supabase](https://supabase.com) and copy the SQL code inside [supabase_schema.sql](supabase_schema.sql) into the **Supabase SQL Editor**, then click **Run**. This instantiates the `scans` and `leads` tables with pre-configured Row-Level Security (RLS) rules.
+
+### 2. Host Backend & Dashboard (Vercel)
+Deploy the unified Express server and static dashboard using the Vercel CLI from the root folder:
+```bash
+vercel --prod
+```
+Be sure to set the following **Environment Variables** on your Vercel Dashboard:
+- `DATA_LAYER_ENDPOINT` = your-supabase-project-url
+- `DATA_LAYER_ANON_KEY` = your-supabase-public-anon-key (or `DATA_LAYER_SERVICE_ROLE_KEY` for higher privilege)
+- `DELTARQ_DASHBOARD_URL` = your-deployed-vercel-domain (e.g. `https://deltarq-scan.vercel.app`)
+
+---
+
+## License
+
+MIT — [DELTARQ](https://deltarq.io)

package/bin/deltarq-scan.js

@@ -0,0 +1,198 @@
+#!/usr/bin/env node
+
+/**
+ * DELTARQ Security Scanner — CLI Entry Point
+ * 
+ * Usage:
+ *   npx deltarq-scan [target-dir] [options]
+ * 
+ * Options:
+ *   --no-upload    Skip the dashboard upload prompt
+ *   --json         Output raw JSON instead of terminal report
+ *   --verbose      Show detailed output including upload payload preview
+ *   --help         Show this help message
+ */
+
+import { resolveTargetDir } from '../src/utils/fileUtils.js';
+import { detectProjectType } from '../src/utils/detect.js';
+import { runFileScanner } from '../src/scanner/fileScanner.js';
+import { runGitScanner } from '../src/scanner/gitScanner.js';
+import { runDbScanner } from '../src/scanner/dbScanner.js';
+import { runAwsScanner } from '../src/scanner/awsScanner.js';
+import { calculateScore } from '../src/engine/aggregator.js';
+import { anonymizeScanResults } from '../src/engine/anonymizer.js';
+import { printBanner, printScanPhase, printReport } from '../src/output/terminal.js';
+import { uploadWithConsent } from '../src/output/uploader.js';
+import chalk from 'chalk';
+import ora from 'ora';
+import fs from 'fs';
+
+// Parse CLI arguments
+const args = process.argv.slice(2);
+const flags = {
+  noUpload: args.includes('--no-upload'),
+  json: args.includes('--json'),
+  verbose: args.includes('--verbose'),
+  help: args.includes('--help') || args.includes('-h'),
+};
+const targetArg = args.find(a => !a.startsWith('--') && !a.startsWith('-'));
+
+// Help message
+if (flags.help) {
+  console.log(`
+  ${chalk.hex('#6C5CE7').bold('DELTARQ Security Scanner')} ${chalk.dim('v0.1.0')}
+  
+  ${chalk.white('Local-first CLI security audit tool for startups.')}
+  ${chalk.white('Scans your infrastructure for SOC 2 readiness gaps.')}
+
+  ${chalk.white.bold('Usage:')}
+    npx deltarq-scan [target-dir] [options]
+
+  ${chalk.white.bold('Options:')}
+    ${chalk.green('--no-upload')}    Skip the dashboard upload prompt
+    ${chalk.green('--json')}         Output raw JSON instead of terminal report
+    ${chalk.green('--verbose')}      Show detailed output and upload payload preview
+    ${chalk.green('--help, -h')}     Show this help message
+
+  ${chalk.white.bold('Examples:')}
+    ${chalk.dim('npx deltarq-scan')}                  ${chalk.dim('# Scan current directory')}
+    ${chalk.dim('npx deltarq-scan ./my-project')}      ${chalk.dim('# Scan specific directory')}
+    ${chalk.dim('npx deltarq-scan --no-upload')}       ${chalk.dim('# Scan without upload prompt')}
+    ${chalk.dim('npx deltarq-scan --json')}            ${chalk.dim('# Output JSON report')}
+
+  ${chalk.dim('Learn more: https://github.com/deltarq/deltarq-scan')}
+`);
+  process.exit(0);
+}
+
+// Main scan flow
+async function main() {
+  const targetDir = resolveTargetDir(targetArg);
+  
+  if (!fs.existsSync(targetDir) || !fs.statSync(targetDir).isDirectory()) {
+    console.error(chalk.red.bold(`\n  ✗ Error: Target path "${targetDir}" is not a valid directory.\n`));
+    process.exit(1);
+  }
+
+  const allFindings = [];
+
+  // Print banner (unless JSON mode)
+  if (!flags.json) {
+    printBanner(targetDir);
+  }
+
+  // Phase 1: Detect project type
+  const spinner = !flags.json ? ora({ text: 'Detecting project type...', indent: 3 }).start() : null;
+  const projectInfo = detectProjectType(targetDir);
+
+  if (!flags.json) {
+    spinner.stop();
+    printScanPhase('Detecting project type...', projectInfo.label, 'ok');
+  }
+
+  // Phase 2: File Scanner (IAM, DB, Docker, Logging)
+  if (!flags.json) {
+    const fileSpinner = ora({ text: 'Scanning configuration files...', indent: 3 }).start();
+    var fileFindings = await runFileScanner(targetDir);
+    fileSpinner.stop();
+
+    const fileIssues = fileFindings.filter(f => !f.passed).length;
+    printScanPhase(
+      'Scanning configuration files...',
+      fileIssues > 0 ? `${fileIssues} issue${fileIssues > 1 ? 's' : ''} found` : 'No issues',
+      fileIssues > 0 ? 'warning' : 'ok'
+    );
+  } else {
+    var fileFindings = await runFileScanner(targetDir);
+  }
+  allFindings.push(...fileFindings);
+
+  // Phase 3: AWS Scanner
+  if (!flags.json) {
+    const awsSpinner = ora({ text: 'Scanning IAM configuration...', indent: 3 }).start();
+    var { findings: awsFindings, awsConfigured } = await runAwsScanner(targetDir);
+    awsSpinner.stop();
+
+    if (!awsConfigured && awsFindings.length === 0) {
+      printScanPhase('Scanning IAM configuration...', 'AWS not configured — skipped cloud checks', 'skip');
+    } else {
+      const awsIssues = awsFindings.filter(f => !f.passed).length;
+      printScanPhase(
+        'Scanning IAM configuration...',
+        awsIssues > 0 ? `${awsIssues} issue${awsIssues > 1 ? 's' : ''} found` : 'No issues',
+        awsIssues > 0 ? 'warning' : 'ok'
+      );
+    }
+  } else {
+    var { findings: awsFindings } = await runAwsScanner(targetDir);
+  }
+  allFindings.push(...awsFindings);
+
+  // Phase 4: Database Scanner
+  if (!flags.json) {
+    const dbSpinner = ora({ text: 'Scanning database config...', indent: 3 }).start();
+    var dbFindings = await runDbScanner(targetDir);
+    dbSpinner.stop();
+
+    const dbIssues = dbFindings.filter(f => !f.passed).length;
+    printScanPhase(
+      'Scanning database config...',
+      dbIssues > 0 ? `${dbIssues} issue${dbIssues > 1 ? 's' : ''} found` : 'No issues',
+      dbIssues > 0 ? 'warning' : 'ok'
+    );
+  } else {
+    var dbFindings = await runDbScanner(targetDir);
+  }
+  allFindings.push(...dbFindings);
+
+  // Phase 5: Git Scanner
+  if (!flags.json) {
+    const gitSpinner = ora({ text: 'Scanning git repository...', indent: 3 }).start();
+    var gitFindings = await runGitScanner(targetDir);
+    gitSpinner.stop();
+
+    const gitIssues = gitFindings.filter(f => !f.passed).length;
+    printScanPhase(
+      'Scanning git repository...',
+      gitIssues > 0 ? 'Warning detected' : 'Clean',
+      gitIssues > 0 ? 'warning' : 'ok'
+    );
+  } else {
+    var gitFindings = await runGitScanner(targetDir);
+  }
+  allFindings.push(...gitFindings);
+
+  // Phase 6: Calculate score
+  const scoreResult = calculateScore(allFindings);
+
+  // JSON output mode
+  if (flags.json) {
+    const anonymous = anonymizeScanResults(allFindings, scoreResult, projectInfo);
+    console.log(JSON.stringify(anonymous, null, 2));
+    process.exit(scoreResult.score < 40 ? 1 : 0);
+    return;
+  }
+
+  // Phase 7: Print the report
+  printReport(allFindings, scoreResult, projectInfo);
+
+  // Phase 8: Upload prompt
+  const anonymousPayload = anonymizeScanResults(allFindings, scoreResult, projectInfo);
+  await uploadWithConsent(anonymousPayload, {
+    noUpload: flags.noUpload,
+    verbose: flags.verbose,
+  });
+
+  // Exit with non-zero if critical exposure
+  process.exit(scoreResult.score < 40 ? 1 : 0);
+}
+
+// Run
+main().catch((err) => {
+  console.error(chalk.red.bold('\n  ✗ Scanner encountered an error:\n'));
+  console.error(chalk.red(`    ${err.message}`));
+  if (flags.verbose) {
+    console.error(chalk.dim(`\n    ${err.stack}`));
+  }
+  process.exit(2);
+});

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "deltarq-scan",
+  "version": "0.1.0",
+  "description": "Local-first CLI security audit tool for startups — scan your infrastructure for SOC 2 readiness gaps",
+  "type": "module",
+  "bin": {
+    "deltarq-scan": "bin/deltarq-scan.js"
+  },
+  "main": "bin/deltarq-scan.js",
+  "scripts": {
+    "scan": "node bin/deltarq-scan.js",
+    "test": "vitest run",
+    "server": "node server.js"
+  },
+  "keywords": [
+    "security",
+    "audit",
+    "soc2",
+    "compliance",
+    "scanner",
+    "cli",
+    "devops",
+    "infrastructure"
+  ],
+  "author": "DELTARQ",
+  "license": "MIT",
+  "dependencies": {
+    "@supabase/supabase-js": "^2.108.2",
+    "chalk": "^5.3.0",
+    "cli-table3": "^0.6.5",
+    "clsx": "^2.1.1",
+    "cors": "^2.8.6",
+    "dotenv": "^17.4.2",
+    "express": "^5.2.1",
+    "framer-motion": "^12.40.0",
+    "glob": "^10.4.5",
+    "js-yaml": "^4.1.0",
+    "lucide-react": "^1.21.0",
+    "ora": "^8.1.1",
+    "recharts": "^3.8.1",
+    "tailwind-merge": "^3.6.0",
+    "uuid": "^10.0.0"
+  },
+  "devDependencies": {
+    "vitest": "^2.1.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

package/src/engine/aggregator.js

@@ -0,0 +1,96 @@
+/**
+ * Scoring Engine — Aggregates scan findings into a security score
+ * Weighted scoring: CRITICAL=40, HIGH=20, MEDIUM=10, DRIFT=5
+ */
+
+const SEVERITY_WEIGHTS = {
+  CRITICAL: 40,
+  HIGH: 20,
+  MEDIUM: 10,
+  DRIFT: 5,
+};
+
+/**
+ * Calculate the overall security score from findings
+ * @param {Array<{ rule: string, severity: string, passed: boolean }>} findings
+ * @returns {{ score: number, grade: string, label: string, enterpriseReady: boolean, breakdown: Object }}
+ */
+export function calculateScore(findings) {
+  const failedFindings = findings.filter(f => !f.passed);
+
+  let deductions = 0;
+  const breakdown = {
+    CRITICAL: 0,
+    HIGH: 0,
+    MEDIUM: 0,
+    DRIFT: 0,
+  };
+
+  // Deduplicate by rule ID — only count each rule once
+  const seenRules = new Set();
+  for (const f of failedFindings) {
+    if (seenRules.has(f.rule)) continue;
+    seenRules.add(f.rule);
+
+    const weight = SEVERITY_WEIGHTS[f.severity] || 0;
+    deductions += weight;
+    breakdown[f.severity] = (breakdown[f.severity] || 0) + 1;
+  }
+
+  const score = Math.max(0, 100 - deductions);
+
+  let grade, label;
+  if (score >= 90) {
+    grade = 'A';
+    label = 'Excellent';
+  } else if (score >= 80) {
+    grade = 'B';
+    label = 'Acceptable';
+  } else if (score >= 60) {
+    grade = 'C';
+    label = 'At Risk';
+  } else if (score >= 40) {
+    grade = 'D';
+    label = 'Vulnerable';
+  } else {
+    grade = 'F';
+    label = 'Critical Exposure';
+  }
+
+  const criticalCount = breakdown.CRITICAL || 0;
+  const enterpriseReady = score >= 85 && criticalCount === 0;
+
+  return {
+    score,
+    grade,
+    label,
+    enterpriseReady,
+    breakdown,
+    totalFindings: failedFindings.length,
+    uniqueRules: seenRules.size,
+    deductions,
+  };
+}
+
+/**
+ * Get the SOC 2 compliance gap count
+ * Each failed unique rule = 1 control gap
+ */
+export function getComplianceGapCount(findings) {
+  const failedRules = new Set(
+    findings.filter(f => !f.passed).map(f => f.rule)
+  );
+  return failedRules.size;
+}
+
+/**
+ * Estimate remediation effort based on findings
+ */
+export function estimateRemediationEffort(findings) {
+  const gaps = getComplianceGapCount(findings);
+  if (gaps === 0) return 'None needed';
+  if (gaps <= 2) return '1–2 days';
+  if (gaps <= 5) return '3–5 days without guidance';
+  if (gaps <= 8) return '1–2 weeks without guidance';
+  return '2+ weeks — consider professional audit';
+}

package/src/engine/anonymizer.js

@@ -0,0 +1,79 @@
+/**
+ * Anonymizer — Strips all sensitive data from scan findings
+ * Outputs only boolean pass/fail metadata + scores
+ * NEVER includes raw values, secrets, file contents, or IPs
+ */
+
+import { v4 as uuidv4 } from 'uuid';
+
+/**
+ * Create an anonymous scan report from raw findings
+ * @param {Array} findings - Raw scan findings
+ * @param {{ score: number, grade: string, enterpriseReady: boolean }} scoreResult - Score calculation
+ * @param {{ type: string }} projectInfo - Detected project type
+ * @returns {Object} Anonymous JSON safe for upload
+ */
+export function anonymizeScanResults(findings, scoreResult, projectInfo) {
+  // Deduplicate findings by rule ID (keep first occurrence)
+  const seenRules = new Set();
+  const uniqueFindings = [];
+  for (const f of findings) {
+    if (!seenRules.has(f.rule)) {
+      seenRules.add(f.rule);
+      uniqueFindings.push(f);
+    }
+  }
+
+  return {
+    scan_id: uuidv4(),
+    timestamp: new Date().toISOString(),
+    scanner_version: '0.1.0',
+    project_type: projectInfo.type || 'unknown',
+
+    // Score metadata only
+    score: scoreResult.score,
+    grade: scoreResult.grade,
+    enterprise_ready: scoreResult.enterpriseReady,
+
+    // Findings — ONLY rule ID, severity, and pass/fail boolean
+    // NO file paths, NO secret values, NO detail strings
+    findings: uniqueFindings.map(f => ({
+      rule: f.rule,
+      severity: f.severity,
+      passed: f.passed,
+    })),
+
+    // Aggregate stats
+    drift_detected: uniqueFindings.some(f => f.severity === 'DRIFT' && !f.passed),
+    compliance_gap_count: uniqueFindings.filter(f => !f.passed).length,
+  };
+}
+
+/**
+ * Validate that the anonymous payload contains no secrets
+ * Extra safety check before upload
+ */
+export function validateNoSecrets(payload) {
+  const json = JSON.stringify(payload);
+
+  // Pattern checks — these should NEVER appear in upload payload
+  const forbiddenPatterns = [
+    /AKIA[0-9A-Z]{16}/,           // AWS Access Key ID
+    /[0-9a-zA-Z/+]{40}/,          // AWS Secret Key (40 char base64)
+    /-----BEGIN.*PRIVATE KEY-----/, // PEM private keys
+    /postgres:\/\//,               // DB connection strings
+    /mysql:\/\//,
+    /mongodb:\/\//,
+    /password\s*[:=]\s*\S+/i,     // Password patterns
+  ];
+
+  for (const pattern of forbiddenPatterns) {
+    if (pattern.test(json)) {
+      throw new Error(
+        `SAFETY CHECK FAILED: Upload payload may contain sensitive data matching pattern: ${pattern.source}. Upload aborted.`
+      );
+    }
+  }
+
+  return true;
+}