deltarq-scan 0.1.0

package/src/scanner/dbScanner.js

@@ -0,0 +1,67 @@
+/**
+ * Database Scanner — Analyzes database connection patterns for security issues
+ * No actual database connections are made — pattern matching only
+ */
+
+import path from 'path';
+import { readFileSafe, findFiles, parseEnvContent } from '../utils/fileUtils.js';
+
+/**
+ * Run database-specific security scans
+ * @param {string} targetDir - The project root directory
+ * @returns {Promise<Array<{ rule: string, severity: string, passed: boolean, detail: string }>>}
+ */
+export async function runDbScanner(targetDir) {
+  const findings = [];
+
+  // Scan all source files for database connection patterns
+  const sourceFiles = await findFiles(targetDir, [
+    '**/*.js',
+    '**/*.ts',
+    '**/*.py',
+    '**/*.rb',
+    '**/*.go',
+    '**/config/**',
+    '**/database.*',
+    '**/db.*',
+  ]);
+
+  for (const file of sourceFiles) {
+    const content = readFileSafe(file);
+    if (!content) continue;
+
+    const relPath = path.relative(targetDir, file);
+
+    // DB-002: Check for connection pool configuration in source code
+    const hasDbConnection = content.includes('createPool') ||
+                           content.includes('Pool(') ||
+                           content.includes('new Pool') ||
+                           content.includes('ConnectionPool') ||
+                           content.includes('pool') ||
+                           content.includes('create_engine') ||
+                           content.includes('Sequelize');
+
+    if (hasDbConnection) {
+      const hasPoolLimit = content.includes('max:') ||
+                          content.includes('max =') ||
+                          content.includes('pool_size') ||
+                          content.includes('maxConnections') ||
+                          content.includes('max_connections') ||
+                          content.includes('pool_max_size');
+
+      if (!hasPoolLimit) {
+        findings.push({
+          rule: 'DB-002',
+          severity: 'MEDIUM',
+          passed: false,
+          detail: `Database connection in ${relPath} may not have a pool size limit`,
+          file: relPath,
+        });
+        // Only report once
+        break;
+      }
+    }
+  }
+
+  return findings;
+}

package/src/scanner/fileScanner.js

@@ -0,0 +1,422 @@
+/**
+ * File Scanner — Scans .env, Dockerfile, docker-compose.yml for security issues
+ * This is the core scanner that checks local config files
+ */
+
+import path from 'path';
+import yaml from 'js-yaml';
+import { readFileSafe, findFiles, parseEnvContent, fileExists } from '../utils/fileUtils.js';
+
+/**
+ * Run all file-based scans on the target directory
+ * @param {string} targetDir - The project root directory
+ * @returns {Promise<Array<{ rule: string, severity: string, passed: boolean, detail: string }>>}
+ */
+export async function runFileScanner(targetDir) {
+  const findings = [];
+
+  // Scan .env files
+  const envFindings = await scanEnvFiles(targetDir);
+  findings.push(...envFindings);
+
+  // Scan Dockerfiles
+  const dockerFindings = await scanDockerfiles(targetDir);
+  findings.push(...dockerFindings);
+
+  // Scan docker-compose files
+  const composeFindings = await scanDockerCompose(targetDir);
+  findings.push(...composeFindings);
+
+  // Scan for audit logging patterns
+  const logFindings = await scanForAuditLogs(targetDir);
+  findings.push(...logFindings);
+
+  // Scan lockfiles (INFRA-003)
+  const lockFindings = await scanLockfiles(targetDir);
+  findings.push(...lockFindings);
+
+  // Scan CI pipelines (INFRA-004)
+  const ciFindings = await scanCIPipelines(targetDir);
+  findings.push(...ciFindings);
+
+  return findings;
+}
+
+/**
+ * Scan .env files for database and credential issues
+ */
+async function scanEnvFiles(targetDir) {
+  const findings = [];
+  const envFiles = await findFiles(targetDir, ['.env', '.env.*', '**/.env', '!.env.example']);
+
+  for (const envFile of envFiles) {
+    const content = readFileSafe(envFile);
+    if (!content) continue;
+
+    const parsed = parseEnvContent(content);
+    const relPath = path.relative(targetDir, envFile);
+
+    // DB-001: Check DATABASE_URL for sslmode=disable or public host
+    const dbUrl = parsed.DATABASE_URL || parsed.DB_URL || parsed.POSTGRES_URL;
+    if (dbUrl) {
+      const hasSSLDisabled = dbUrl.includes('sslmode=disable') || !dbUrl.includes('sslmode');
+      const isPublicHost = !isPrivateHost(dbUrl);
+
+      if (hasSSLDisabled && isPublicHost) {
+        findings.push({
+          rule: 'DB-001',
+          severity: 'CRITICAL',
+          passed: false,
+          detail: `Unencrypted DB connection on public host found in ${relPath}`,
+          file: relPath,
+        });
+      }
+    }
+
+    // Also check POSTGRES_HOST directly
+    const pgHost = parsed.POSTGRES_HOST || parsed.DB_HOST;
+    const pgSSL = parsed.POSTGRES_SSLMODE || parsed.DB_SSLMODE;
+    if (pgHost && !isPrivateHost(`host://${pgHost}`) && (!pgSSL || pgSSL === 'disable')) {
+      findings.push({
+        rule: 'DB-001',
+        severity: 'CRITICAL',
+        passed: false,
+        detail: `Postgres host "${pgHost}" appears publicly accessible without SSL in ${relPath}`,
+        file: relPath,
+      });
+    }
+
+    // IAM-002: Check for hardcoded Cloud/API Secrets (AWS, Stripe, Slack, GitHub)
+    const hasAccessKey = parsed.AWS_ACCESS_KEY_ID || parsed.AWS_ACCESS_KEY;
+    const hasSecretKey = parsed.AWS_SECRET_ACCESS_KEY || parsed.AWS_SECRET_KEY;
+    let foundSecret = null;
+
+    if (hasAccessKey && hasSecretKey) foundSecret = 'AWS credentials';
+
+    if (!foundSecret) {
+      // Check values against regex patterns
+      const stripePattern = /^sk_live_[a-zA-Z0-9]+$/;
+      const slackPattern = /^xox[bap]-[0-9A-Za-z\-]+$/;
+      const githubPattern = /^gh[po]_[a-zA-Z0-9]{36}$/;
+
+      for (const value of Object.values(parsed)) {
+        if (stripePattern.test(value)) { foundSecret = 'Stripe Live Secret'; break; }
+        if (slackPattern.test(value)) { foundSecret = 'Slack Token'; break; }
+        if (githubPattern.test(value)) { foundSecret = 'GitHub Token'; break; }
+      }
+    }
+
+    if (foundSecret) {
+      findings.push({
+        rule: 'IAM-002',
+        severity: 'HIGH',
+        passed: false,
+        detail: `Hardcoded ${foundSecret} found in ${relPath}`,
+        file: relPath,
+      });
+    }
+
+    // DB-002: Check for connection pool config
+    const hasPoolMax = parsed.DB_POOL_MAX || parsed.POOL_MAX || parsed.DB_POOL_SIZE;
+    if (dbUrl && !hasPoolMax) {
+      // Check if there's any pool config hint in the .env
+      const envContent = content.toLowerCase();
+      const hasPoolConfig = envContent.includes('pool_max') ||
+                           envContent.includes('pool_size') ||
+                           envContent.includes('max_connections');
+      if (!hasPoolConfig) {
+        findings.push({
+          rule: 'DB-002',
+          severity: 'MEDIUM',
+          passed: false,
+          detail: `No connection pool limit configured in ${relPath}`,
+          file: relPath,
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Scan Dockerfiles for security issues
+ */
+async function scanDockerfiles(targetDir) {
+  const findings = [];
+  const dockerfiles = await findFiles(targetDir, ['Dockerfile', 'Dockerfile.*', '**/Dockerfile']);
+
+  for (const dockerfile of dockerfiles) {
+    const content = readFileSafe(dockerfile);
+    if (!content) continue;
+
+    const relPath = path.relative(targetDir, dockerfile);
+
+    // INFRA-001: Check for USER directive
+    const lines = content.split('\n');
+    const hasUserDirective = lines.some(line => {
+      const trimmed = line.trim();
+      return trimmed.startsWith('USER ') && !trimmed.startsWith('#');
+    });
+
+    if (!hasUserDirective) {
+      findings.push({
+        rule: 'INFRA-001',
+        severity: 'CRITICAL',
+        passed: false,
+        detail: `No USER directive in ${relPath} — container runs as root`,
+        file: relPath,
+      });
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Scan docker-compose files for exposed ports
+ */
+async function scanDockerCompose(targetDir) {
+  const findings = [];
+  const composeFiles = await findFiles(targetDir, [
+    'docker-compose.yml',
+    'docker-compose.yaml',
+    'docker-compose.*.yml',
+    'docker-compose.*.yaml',
+    'compose.yml',
+    'compose.yaml',
+  ]);
+
+  for (const composeFile of composeFiles) {
+    const content = readFileSafe(composeFile);
+    if (!content) continue;
+
+    const relPath = path.relative(targetDir, composeFile);
+
+    try {
+      const compose = yaml.load(content);
+      if (!compose || !compose.services) continue;
+
+      for (const [serviceName, service] of Object.entries(compose.services)) {
+        if (!service.ports) continue;
+
+        for (const portMapping of service.ports) {
+          const portStr = String(portMapping);
+
+          // INFRA-002: Check if DB ports are exposed to all interfaces
+          const dbPorts = ['5432', '3306', '27017', '6379', '1433'];
+          const isDBPort = dbPorts.some(p => portStr.includes(p));
+          const isBoundToAll = !portStr.startsWith('127.0.0.1:') &&
+                               !portStr.startsWith('localhost:');
+
+          if (isDBPort && isBoundToAll) {
+            findings.push({
+              rule: 'INFRA-002',
+              severity: 'HIGH',
+              passed: false,
+              detail: `Service "${serviceName}" exposes port ${portStr} to all interfaces in ${relPath}`,
+              file: relPath,
+            });
+          }
+        }
+      }
+    } catch {
+      // YAML parse error — skip this file
+    }
+  }
+
+  return findings;
+}
+
+/**
+ * Scan source files for audit logging patterns
+ */
+async function scanForAuditLogs(targetDir) {
+  const findings = [];
+
+  // Look for common logging config files/patterns
+  const sourceFiles = await findFiles(targetDir, [
+    '**/*.js',
+    '**/*.ts',
+    '**/*.py',
+    '**/logging.conf',
+    '**/logger.*',
+  ]);
+
+  // Only run the audit trail checks if the project actually contains source code or manifest files
+  const hasCodeFiles = sourceFiles.length > 0 ||
+                       fileExists(path.join(targetDir, 'package.json')) ||
+                       fileExists(path.join(targetDir, 'requirements.txt')) ||
+                       fileExists(path.join(targetDir, 'pyproject.toml')) ||
+                       fileExists(path.join(targetDir, 'go.mod')) ||
+                       fileExists(path.join(targetDir, 'Gemfile')) ||
+                       fileExists(path.join(targetDir, 'Dockerfile'));
+
+  if (!hasCodeFiles) {
+    return findings;
+  }
+
+  // Known audit/logging library patterns
+  const auditPatterns = [
+    'winston',
+    'morgan',
+    'pino',
+    'bunyan',
+    'log4js',
+    'audit',
+    'access.log',
+    'structlog',
+    'loguru',
+    'logging.config',
+    'AuditLog',
+    'auditLog',
+    'audit_log',
+  ];
+
+  let foundAuditLog = false;
+
+  for (const file of sourceFiles) {
+    const content = readFileSafe(file);
+    if (!content) continue;
+
+    for (const pattern of auditPatterns) {
+      if (content.includes(pattern)) {
+        foundAuditLog = true;
+        break;
+      }
+    }
+    if (foundAuditLog) break;
+  }
+
+  // Also check package.json for logging dependencies
+  if (!foundAuditLog) {
+    const pkgJson = readFileSafe(path.join(targetDir, 'package.json'));
+    if (pkgJson) {
+      try {
+        const pkg = JSON.parse(pkgJson);
+        const allDeps = {
+          ...pkg.dependencies,
+          ...pkg.devDependencies,
+        };
+        for (const pattern of auditPatterns) {
+          if (allDeps[pattern]) {
+            foundAuditLog = true;
+            break;
+          }
+        }
+      } catch {
+        // JSON parse error
+      }
+    }
+  }
+
+  // Check requirements.txt for Python projects
+  if (!foundAuditLog) {
+    const reqTxt = readFileSafe(path.join(targetDir, 'requirements.txt'));
+    if (reqTxt) {
+      for (const pattern of auditPatterns) {
+        if (reqTxt.toLowerCase().includes(pattern)) {
+          foundAuditLog = true;
+          break;
+        }
+      }
+    }
+  }
+
+  if (!foundAuditLog) {
+    findings.push({
+      rule: 'LOG-001',
+      severity: 'HIGH',
+      passed: false,
+      detail: 'No structured audit trail or logging library detected in project',
+      file: null,
+    });
+  }
+
+  return findings;
+}
+
+/**
+ * Scan for missing lockfiles (Supply Chain Security)
+ */
+async function scanLockfiles(targetDir) {
+  const findings = [];
+  const hasPkgJson = fileExists(path.join(targetDir, 'package.json'));
+
+  if (hasPkgJson) {
+    const hasNpmLock = fileExists(path.join(targetDir, 'package-lock.json'));
+    const hasYarnLock = fileExists(path.join(targetDir, 'yarn.lock'));
+    const hasPnpmLock = fileExists(path.join(targetDir, 'pnpm-lock.yaml'));
+
+    if (!hasNpmLock && !hasYarnLock && !hasPnpmLock) {
+      findings.push({
+        rule: 'INFRA-003',
+        severity: 'HIGH',
+        passed: false,
+        detail: 'package.json exists but no lockfile found — builds are non-deterministic',
+        file: 'package.json',
+      });
+    }
+  }
+  return findings;
+}
+
+/**
+ * Scan CI/CD pipelines for dangerous triggers
+ */
+async function scanCIPipelines(targetDir) {
+  const findings = [];
+  const workflows = await findFiles(targetDir, ['.github/workflows/*.yml', '.github/workflows/*.yaml']);
+
+  for (const workflow of workflows) {
+    const content = readFileSafe(workflow);
+    if (!content) continue;
+
+    const relPath = path.relative(targetDir, workflow);
+    if (content.includes('pull_request_target:')) {
+      findings.push({
+        rule: 'INFRA-004',
+        severity: 'CRITICAL',
+        passed: false,
+        detail: `Dangerous "pull_request_target" trigger used in ${relPath}`,
+        file: relPath,
+      });
+    }
+  }
+  return findings;
+}
+
+/**
+ * Check if a host in a connection URL is private (localhost, 127.0.0.1, etc.)
+ */
+function isPrivateHost(url) {
+  const privatePatterns = [
+    '127.0.0.1',
+    'localhost',
+    '0.0.0.0',
+    '10.',
+    '172.16.',
+    '172.17.',
+    '172.18.',
+    '172.19.',
+    '172.20.',
+    '172.21.',
+    '172.22.',
+    '172.23.',
+    '172.24.',
+    '172.25.',
+    '172.26.',
+    '172.27.',
+    '172.28.',
+    '172.29.',
+    '172.30.',
+    '172.31.',
+    '192.168.',
+    '.internal',
+    '.local',
+    'rds.amazonaws.com',  // RDS endpoints are private within VPC
+  ];
+
+  const urlLower = url.toLowerCase();
+  return privatePatterns.some(p => urlLower.includes(p));
+}

package/src/scanner/gitScanner.js

@@ -0,0 +1,115 @@
+/**
+ * Git Scanner — Checks .gitignore config and git history for secret leaks
+ * All operations are local-only, read-only
+ */
+
+import path from 'path';
+import { execSync } from 'child_process';
+import { readFileSafe, fileExists } from '../utils/fileUtils.js';
+
+/**
+ * Run git-related security scans
+ * @param {string} targetDir - The project root directory
+ * @returns {Promise<Array<{ rule: string, severity: string, passed: boolean, detail: string }>>}
+ */
+export async function runGitScanner(targetDir) {
+  const findings = [];
+
+  // Check if this is a git repo
+  const isGitRepo = fileExists(path.join(targetDir, '.git'));
+  if (!isGitRepo) {
+    return findings; // Not a git repo, skip git checks
+  }
+
+  // GIT-001: Check .gitignore for .env exclusion
+  const gitignoreFinding = checkGitignore(targetDir);
+  if (gitignoreFinding) findings.push(gitignoreFinding);
+
+  // GIT-001 extension: Check if .env was ever committed
+  const historyFinding = checkGitHistory(targetDir);
+  if (historyFinding) findings.push(historyFinding);
+
+  return findings;
+}
+
+/**
+ * Check if .gitignore properly excludes sensitive files
+ */
+function checkGitignore(targetDir) {
+  const gitignorePath = path.join(targetDir, '.gitignore');
+  const content = readFileSafe(gitignorePath);
+
+  if (!content) {
+    // No .gitignore at all
+    return {
+      rule: 'GIT-001',
+      severity: 'MEDIUM',
+      passed: false,
+      detail: 'No .gitignore file found — .env and secrets may be tracked by git',
+      file: null,
+    };
+  }
+
+  const lines = content.split('\n').map(l => l.trim());
+  const sensitivePatterns = ['.env', '.env.*', '*.pem', '*.key'];
+  const envExcluded = lines.some(line =>
+    line === '.env' || line === '.env*' || line === '.env.*' || line === '*.env'
+  );
+
+  if (!envExcluded) {
+    return {
+      rule: 'GIT-001',
+      severity: 'MEDIUM',
+      passed: false,
+      detail: '.env is not excluded in .gitignore — secrets may be in your repository',
+      file: '.gitignore',
+    };
+  }
+
+  return null;
+}
+
+/**
+ * Check git history for leaked secrets (local git log only)
+ */
+function checkGitHistory(targetDir) {
+  const secretPatterns = [
+    'AWS_SECRET_ACCESS_KEY',
+    'AWS_ACCESS_KEY_ID',
+    'PRIVATE_KEY',
+    'DATABASE_URL',
+    'DB_PASSWORD',
+    'SECRET_KEY',
+    'API_KEY',
+    'STRIPE_SECRET',
+  ];
+
+  try {
+    for (const pattern of secretPatterns) {
+      const result = execSync(
+        `git log --oneline --all --grep="${pattern}" -n 1`,
+        {
+          cwd: targetDir,
+          encoding: 'utf-8',
+          timeout: 5000,
+          stdio: ['pipe', 'pipe', 'pipe'],
+        }
+      ).trim();
+
+      if (result.length > 0) {
+        return {
+          rule: 'GIT-001',
+          severity: 'MEDIUM',
+          passed: false,
+          detail: `Secret pattern "${pattern}" found in git commit history — even deleted files are recoverable`,
+          file: null,
+        };
+      }
+    }
+  } catch {
+    // Git command failed — might not have git installed or not a repo
+    // Silently skip
+  }
+
+  return null;
+}

package/src/utils/detect.js

@@ -0,0 +1,90 @@
+import { fileExists } from './fileUtils.js';
+import path from 'path';
+
+/**
+ * Auto-detect the project type based on marker files
+ * @param {string} targetDir - The project root directory
+ * @returns {{ type: string, label: string, markers: string[] }}
+ */
+export function detectProjectType(targetDir) {
+  const checks = [
+    {
+      type: 'fastapi',
+      label: 'FastAPI (Python)',
+      markers: ['requirements.txt', 'pyproject.toml', 'main.py', 'app/main.py'],
+      keywords: ['fastapi', 'uvicorn'],
+    },
+    {
+      type: 'django',
+      label: 'Django (Python)',
+      markers: ['manage.py', 'settings.py'],
+      keywords: ['django'],
+    },
+    {
+      type: 'express',
+      label: 'Express / Node.js',
+      markers: ['package.json', 'server.js', 'app.js', 'index.js'],
+      keywords: ['express'],
+    },
+    {
+      type: 'nextjs',
+      label: 'Next.js',
+      markers: ['next.config.js', 'next.config.mjs', 'next.config.ts'],
+      keywords: ['next'],
+    },
+    {
+      type: 'golang',
+      label: 'Go',
+      markers: ['go.mod', 'go.sum'],
+      keywords: [],
+    },
+    {
+      type: 'ruby',
+      label: 'Ruby on Rails',
+      markers: ['Gemfile', 'config/routes.rb'],
+      keywords: ['rails'],
+    },
+    {
+      type: 'dotnet',
+      label: '.NET',
+      markers: ['*.csproj', '*.sln', 'Program.cs'],
+      keywords: [],
+    },
+  ];
+
+  const foundMarkers = [];
+
+  for (const check of checks) {
+    for (const marker of check.markers) {
+      const fullPath = path.join(targetDir, marker);
+      if (fileExists(fullPath)) {
+        foundMarkers.push(marker);
+        // Check for keyword matches in package.json or requirements.txt for more accuracy
+        return {
+          type: check.type,
+          label: check.label,
+          markers: [marker],
+        };
+      }
+    }
+  }
+
+  // Check for Docker/infrastructure
+  const hasDocker = fileExists(path.join(targetDir, 'Dockerfile')) ||
+                    fileExists(path.join(targetDir, 'docker-compose.yml')) ||
+                    fileExists(path.join(targetDir, 'docker-compose.yaml'));
+
+  const hasPostgres = fileExists(path.join(targetDir, '.env'));
+
+  let label = 'Unknown Project';
+  const detectedParts = [];
+  if (hasDocker) detectedParts.push('Docker');
+  if (hasPostgres) detectedParts.push('PostgreSQL (likely)');
+  if (detectedParts.length > 0) label = detectedParts.join(' + ');
+
+  return {
+    type: 'unknown',
+    label,
+    markers: foundMarkers,
+  };
+}