fivosense 0.1.5 → 0.2.0

package/src/rules/secrets.ts

@@ -1,5 +1,13 @@
 /**
- * Secret detection - finds hardcoded API keys, tokens, passwords
+ * FivoSense - AI Security Scanner
+ * Copyright (c) 2026 thevinsoni
+ * Licensed under the MIT License
+ * https://github.com/thevinsoni/sense
+ */
+
+/**
+ * Secret detection — finds hardcoded API keys, tokens, passwords
+ * 55+ patterns covering AI, cloud, SaaS, payments, databases, and dev tools
  */
 
 export interface SecretPattern {
@@ -9,46 +17,298 @@ export interface SecretPattern {
   severity: 'high' | 'medium';
 }
 
-/**
- * Common secret patterns
- */
 export const SECRET_PATTERNS: SecretPattern[] = [
+  // === AI / ML ===
   {
-    pattern: /['"][A-Za-z0-9_]{32,}['"]/,
-    type: 'generic_token',
-    description: 'Generic API token (32+ chars)',
+    pattern: /['"]sk-proj-[A-Za-z0-9_-]{20,}['"]/,
+    type: 'openai_project_key',
+    description: 'OpenAI Project API key',
     severity: 'high',
   },
   {
-    pattern: /['"]sk-[A-Za-z0-9]{48}['"]/,
+    pattern: /['"]sk-[A-Za-z0-9]{20,}['"]/,
     type: 'openai_key',
     description: 'OpenAI API key',
     severity: 'high',
   },
+  {
+    pattern: /['"]sk-ant-[A-Za-z0-9_-]{20,}['"]/,
+    type: 'anthropic_key',
+    description: 'Anthropic Claude API key',
+    severity: 'high',
+  },
   {
     pattern: /['"]AIza[A-Za-z0-9_-]{35}['"]/,
     type: 'google_api_key',
     description: 'Google API key',
     severity: 'high',
   },
+  {
+    pattern: /['"]ya29\.[A-Za-z0-9_-]+['"]/,
+    type: 'google_oauth_token',
+    description: 'Google OAuth access token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"][0-9]+-[A-Za-z0-9_]{32}\.apps\.googleusercontent\.com['"]/,
+    type: 'google_oauth_client_id',
+    description: 'Google OAuth client ID',
+    severity: 'high',
+  },
+
+  // === Cloud Providers ===
   {
     pattern: /['"]AKIA[A-Z0-9]{16}['"]/,
     type: 'aws_access_key',
     description: 'AWS Access Key ID',
     severity: 'high',
   },
+  {
+    pattern: /['"]ASIA[A-Z0-9]{16}['"]/,
+    type: 'aws_temp_key',
+    description: 'AWS Temporary Access Key',
+    severity: 'high',
+  },
+  {
+    pattern: /aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['"][A-Za-z0-9/+=]{40}['"]/i,
+    type: 'aws_secret_key',
+    description: 'AWS Secret Access Key',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]arn:aws:[a-z0-9-]+:[a-z0-9-]*:[0-9]+:/,
+    type: 'aws_arn',
+    description: 'AWS ARN (resource identifier)',
+    severity: 'medium',
+  },
+  {
+    pattern: /AccountKey\s*=\s*[A-Za-z0-9+/=]{80,}/i,
+    type: 'azure_storage_key',
+    description: 'Azure Storage Account Key',
+    severity: 'high',
+  },
+  {
+    pattern: /['"][a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}['"]/,
+    type: 'azure_tenant_or_client',
+    description: 'Azure Tenant/Client UUID',
+    severity: 'medium',
+  },
+  {
+    pattern: /['"](?:AAAA)[A-Za-z0-9+/=]{40,}['"]/,
+    type: 'firebase_token',
+    description: 'Firebase authentication token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]SG\.[A-Za-z0-9_-]{22}\.[A-Za-z0-9_-]{43}['"]/,
+    type: 'sendgrid_key',
+    description: 'SendGrid API key',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]service_account['"]\s*[:=]/i,
+    type: 'gcp_service_account',
+    description: 'GCP service account',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]type['"]\s*[:=]\s*['"]service_account['"]/i,
+    type: 'gcp_sa_json',
+    description: 'GCP service account JSON',
+    severity: 'high',
+  },
+
+  // === GitHub / Git ===
   {
     pattern: /['"]ghp_[A-Za-z0-9]{36}['"]/,
-    type: 'github_token',
-    description: 'GitHub Personal Access Token',
+    type: 'github_pat',
+    description: 'GitHub Personal Access Token (classic)',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]github_pat_[A-Za-z0-9_]{22,}['"]/,
+    type: 'github_fine_grained_pat',
+    description: 'GitHub Fine-Grained PAT',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]gho_[A-Za-z0-9]{36}['"]/,
+    type: 'github_oauth',
+    description: 'GitHub OAuth token',
     severity: 'high',
   },
+  {
+    pattern: /['"]ghs_[A-Za-z0-9]{36}['"]/,
+    type: 'github_app_token',
+    description: 'GitHub App installation token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]ghr_[A-Za-z0-9]{36}['"]/,
+    type: 'github_refresh',
+    description: 'GitHub refresh token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]glpat-[A-Za-z0-9_-]{20,}['"]/,
+    type: 'gitlab_pat',
+    description: 'GitLab Personal Access Token',
+    severity: 'high',
+  },
+
+  // === Communication ===
   {
     pattern: /['"]xox[baprs]-[A-Za-z0-9-]{10,}['"]/,
     type: 'slack_token',
     description: 'Slack Token',
     severity: 'high',
   },
+  {
+    pattern: /['"]https:\/\/hooks\.slack\.com\/services\/T[A-Z0-9]+\/B[A-Z0-9]+\/[A-Za-z0-9]+['"]/,
+    type: 'slack_webhook',
+    description: 'Slack Webhook URL',
+    severity: 'high',
+  },
+  {
+    pattern: /['"][0-9]+:AA[A-Za-z0-9_-]{30,}['"]/,
+    type: 'telegram_bot_token',
+    description: 'Telegram Bot Token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]discord(app)?\.com\/api\/webhooks\/[0-9]+\/[A-Za-z0-9_-]+['"]/,
+    type: 'discord_webhook',
+    description: 'Discord Webhook URL',
+    severity: 'high',
+  },
+
+  // === Payment ===
+  {
+    pattern: /['"]sk_live_[A-Za-z0-9]{20,}['"]/,
+    type: 'stripe_secret_live',
+    description: 'Stripe Secret Key (LIVE)',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]sk_test_[A-Za-z0-9]{20,}['"]/,
+    type: 'stripe_secret_test',
+    description: 'Stripe Secret Key (test)',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]rk_live_[A-Za-z0-9]{20,}['"]/,
+    type: 'stripe_restricted_live',
+    description: 'Stripe Restricted Key (LIVE)',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]rk_test_[A-Za-z0-9]{20,}['"]/,
+    type: 'stripe_restricted_test',
+    description: 'Stripe Restricted Key (test)',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]sq0csp-[A-Za-z0-9_-]{22,}['"]/,
+    type: 'square_key',
+    description: 'Square OAuth secret',
+    severity: 'high',
+  },
+
+  // === SaaS / Dev Tools ===
+  {
+    pattern: /['"]npm_[A-Za-z0-9]{36}['"]/,
+    type: 'npm_token',
+    description: 'npm access token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]pypi-[A-Za-z0-9_-]{50,}['"]/,
+    type: 'pypi_token',
+    description: 'PyPI API token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]do_[a-zA-Z0-9]{64}['"]/,
+    type: 'digitalocean_token',
+    description: 'DigitalOcean API token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]dop_v1_[a-f0-9]{64}['"]/,
+    type: 'doppler_token',
+    description: 'Doppler service token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]NRAK-[A-Z0-9]{27}['"]/,
+    type: 'newrelic_key',
+    description: 'New Relic API key',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]shpat_[a-fA-F0-9]{32}['"]/,
+    type: 'shopify_key',
+    description: 'Shopify Private App Access Token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]shpss_[a-fA-F0-9]{32}['"]/,
+    type: 'shopify_secret',
+    description: 'Shopify Shared Secret',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]Bearer\s+[A-Za-z0-9_-]{20,}['"]/,
+    type: 'bearer_token',
+    description: 'Bearer authentication token',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]Basic\s+[A-Za-z0-9+/=]{20,}['"]/,
+    type: 'basic_auth',
+    description: 'Basic authentication header',
+    severity: 'high',
+  },
+
+  // === Database Connection Strings ===
+  {
+    pattern: /['"]mongodb(\+srv)?:\/\/[^'"]+['"]/,
+    type: 'mongodb_uri',
+    description: 'MongoDB connection string',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]postgres(ql)?:\/\/[^'"]+['"]/,
+    type: 'postgres_uri',
+    description: 'PostgreSQL connection string',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]mysql:\/\/[^'"]+['"]/,
+    type: 'mysql_uri',
+    description: 'MySQL connection string',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]redis:\/\/[^'"]+['"]/,
+    type: 'redis_uri',
+    description: 'Redis connection string',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]amqps?:\/\/[^'"]+['"]/,
+    type: 'amqp_uri',
+    description: 'AMQP connection string',
+    severity: 'high',
+  },
+  {
+    pattern: /['"]jdbc:[^'"]+['"]/,
+    type: 'jdbc_uri',
+    description: 'JDBC connection string',
+    severity: 'high',
+  },
+
+  // === Generic Hardcoded Credentials ===
   {
     pattern: /password\s*[:=]\s*['"][^'"]+['"]/i,
     type: 'password',
@@ -67,6 +327,42 @@ export const SECRET_PATTERNS: SecretPattern[] = [
     description: 'Hardcoded secret',
     severity: 'high',
   },
+  {
+    pattern: /token\s*[:=]\s*['"][^'"]{20,}['"]/i,
+    type: 'token',
+    description: 'Hardcoded token',
+    severity: 'high',
+  },
+  {
+    pattern: /private[_-]?key\s*[:=]\s*['"][^'"]+['"]/i,
+    type: 'private_key',
+    description: 'Hardcoded private key',
+    severity: 'high',
+  },
+  {
+    pattern: /access[_-]?key\s*[:=]\s*['"][^'"]+['"]/i,
+    type: 'access_key',
+    description: 'Hardcoded access key',
+    severity: 'high',
+  },
+  {
+    pattern: /auth[_-]?token\s*[:=]\s*['"][^'"]+['"]/i,
+    type: 'auth_token',
+    description: 'Hardcoded auth token',
+    severity: 'high',
+  },
+  {
+    pattern: /client[_-]?secret\s*[:=]\s*['"][^'"]+['"]/i,
+    type: 'client_secret',
+    description: 'Hardcoded client secret',
+    severity: 'high',
+  },
+  {
+    pattern: /['"][A-Za-z0-9_]{32,}['"]/,
+    type: 'generic_token',
+    description: 'Generic high-entropy token (32+ chars)',
+    severity: 'medium',
+  },
 ];
 
 export interface SecretMatch {
@@ -77,15 +373,11 @@ export interface SecretMatch {
   match: string;
 }
 
-/**
- * Detect secrets in code
- */
 export function detectSecrets(code: string): SecretMatch[] {
   const lines = code.split('\n');
   const matches: SecretMatch[] = [];
 
   lines.forEach((line, index) => {
-    // Skip comments
     if (line.trim().startsWith('//') || line.trim().startsWith('*')) {
       return;
     }
@@ -107,9 +399,6 @@ export function detectSecrets(code: string): SecretMatch[] {
   return matches;
 }
 
-/**
- * Check if specific line contains a secret
- */
 export function isSecretLine(line: string): SecretPattern | null {
   for (const pattern of SECRET_PATTERNS) {
     if (pattern.pattern.test(line)) {

package/vscode-extension/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [0.1.1] - 2026-06-27
+
+### Fixed
+- Fixed vulnerability reporting structure (location.line instead of line)
+- Fixed secret detection output
+- Fixed destructive command reporting
+- Updated to fivosense v0.1.6
+
+### Changed
+- Separate handling for vulnerabilities, secrets, and destructive commands
+- Improved taint-trace proof display
+- Better error messages
+
 ## [0.1.0] - 2026-06-26
 
 ### Added
@@ -15,7 +28,6 @@
 - Configurable severity levels
 
 ### Features
-- Neuro-symbolic taint analysis
-- Research-backed accuracy (F1 0.91-0.95)
+- AST-based taint analysis
 - Zero false negatives for critical vulnerabilities
 - Detailed evidence with data-flow traces

package/vscode-extension/LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2026 Fivo Sense Contributors
+Copyright (c) 2026 FivoSense / thevinsoni
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

package/vscode-extension/README.md

@@ -13,15 +13,18 @@ Real-time security vulnerability detection for JavaScript and TypeScript with AI
 
 ## Installation
 
-### From Marketplace
-1. Open VS Code
-2. Go to Extensions (Ctrl+Shift+X)
-3. Search for "FivoSense"
-4. Click Install
-
 ### From .vsix
 ```bash
-code --install-extension fivosense-vscode-0.1.0.vsix
+code --install-extension fivosense-vscode-0.1.1.vsix
+```
+
+### From Source
+```bash
+git clone https://github.com/thevinsoni/sense.git
+cd sense/vscode-extension
+npm install
+npm run package
+code --install-extension fivosense-vscode-0.1.1.vsix
 ```
 
 ## Usage
@@ -80,14 +83,13 @@ const apiKey = process.env.OPENAI_API_KEY;
 
 ## How It Works
 
-FivoSense uses **neuro-symbolic taint analysis**:
-
-1. **Graph Builder**: Parses code into data-flow graph
-2. **Taint Tracker**: Traces untrusted input to dangerous sinks
-3. **AI Judge**: Determines if paths are exploitable (coming soon)
-4. **Proof Generator**: Creates exact evidence of vulnerability
+FivoSense uses **AST-based taint analysis**:
 
-Research-backed accuracy: F1 0.91-0.95
+1. **Graph Builder**: Parses code into data-flow graph using Babel parser
+2. **Taint Tracker**: Traces untrusted input from source to dangerous sink
+3. **Sanitization Check**: Detects if input is already sanitized (parseInt, execFile, etc.)
+4. **AI Judge**: Verifies exploitability using OpenAI/Claude/Ollama (optional)
+5. **Proof Generator**: Creates exact evidence with line numbers and CWE references
 
 ## Requirements
 
@@ -106,13 +108,14 @@ Configure in VS Code settings (File > Preferences > Settings):
 }
 ```
 
-## Known Issues
-
-- Real-time scanning may have slight delay on large files
-- Python support coming soon
-
 ## Release Notes
 
+### 0.1.1
+- Fixed vulnerability reporting structure
+- Improved secret detection
+- Added proper taint-trace proofs
+- Updated to fivosense v0.1.6
+
 ### 0.1.0
 - Initial release
 - Real-time scanning for JS/TS
@@ -122,16 +125,18 @@ Configure in VS Code settings (File > Preferences > Settings):
 
 ## Contributing
 
-See [CONTRIBUTING.md](https://github.com/itsvinsoni/sense/blob/main/CONTRIBUTING.md)
+See [CONTRIBUTING.md](https://github.com/thevinsoni/sense/blob/main/CONTRIBUTING.md)
 
 ## License
 
-MIT - See [LICENSE](https://github.com/itsvinsoni/sense/blob/main/LICENSE)
+MIT License - Copyright © 2026 thevinsoni
+
+See [LICENSE](https://github.com/thevinsoni/sense/blob/main/LICENSE)
 
 ## Support
 
-- Issues: https://github.com/itsvinsoni/sense/issues
-- Discussions: https://github.com/itsvinsoni/sense/discussions
+- Issues: https://github.com/thevinsoni/sense/issues
+- Discussions: https://github.com/thevinsoni/sense/discussions
 
 ---
 

package/vscode-extension/package-lock.json

@@ -1,15 +1,15 @@
 {
   "name": "fivosense-vscode",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
       "name": "fivosense-vscode",
-      "version": "0.1.0",
+      "version": "0.1.1",
       "license": "MIT",
       "dependencies": {
-        "fivosense": "^0.1.3"
+        "fivosense": "^0.1.6"
       },
       "devDependencies": {
         "@types/node": "^20.11.0",
@@ -1224,9 +1224,9 @@
       }
     },
     "node_modules/fivosense": {
-      "version": "0.1.3",
-      "resolved": "https://registry.npmjs.org/fivosense/-/fivosense-0.1.3.tgz",
-      "integrity": "sha512-qAQ8h16jL5L1zSSYTl3iHvq614Yd5Vk6PZZ01rGj2ibaS1KNkmr8UOrjX7wAduZIS0ygPY0IOCyy7a9GdMTtmQ==",
+      "version": "0.1.6",
+      "resolved": "https://registry.npmjs.org/fivosense/-/fivosense-0.1.6.tgz",
+      "integrity": "sha512-i5LAYS8c4adMRPXlN/lFbBZr4JwUJonECu//Uc8tEWQ3RZJbzI1IkApaly+ABqmUlblNSpQCMVMFh63pAr8zDw==",
       "license": "MIT",
       "dependencies": {
         "@babel/parser": "^7.23.0",

package/vscode-extension/package.json

@@ -2,8 +2,8 @@
   "name": "fivosense-vscode",
   "displayName": "FivoSense Security Scanner",
   "description": "Real-time security vulnerability detection with AI-powered taint analysis",
-  "version": "0.1.0",
-  "publisher": "fivosense",
+  "version": "0.1.1",
+  "publisher": "thevinsoni",
   "engines": {
     "vscode": "^1.80.0"
   },
@@ -81,14 +81,16 @@
     "typescript": "^5.3.3"
   },
   "dependencies": {
-    "fivosense": "^0.1.3"
+    "fivosense": "^0.1.6"
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/itsvinsoni/sense.git"
+    "url": "https://github.com/thevinsoni/sense.git"
   },
   "bugs": {
-    "url": "https://github.com/itsvinsoni/sense/issues"
+    "url": "https://github.com/thevinsoni/sense/issues"
   },
+  "homepage": "https://github.com/thevinsoni/sense#readme",
+  "author": "thevinsoni",
   "license": "MIT"
 }

package/vscode-extension/src/extension.ts

@@ -90,30 +90,35 @@ async function scanDocument(document: vscode.TextDocument) {
     const result = await auditFile(document.uri.fsPath);
     const diagnostics: vscode.Diagnostic[] = [];
 
-    // Convert findings to VS Code diagnostics
-    const allFindings = [...result.vulnerabilities, ...result.secrets, ...result.destructive];
-    for (const finding of allFindings) {
-      const severity = getSeverity(finding.severity);
+    // Convert vulnerabilities to VS Code diagnostics
+    for (const vuln of result.vulnerabilities) {
+      const severity = getSeverity(vuln.severity);
+      const line = vuln.location?.line || 1;
       const range = new vscode.Range(
-        finding.line - 1, 0,
-        finding.line - 1, 1000
+        line - 1, 0,
+        line - 1, 1000
       );
 
+      const evidenceText = vuln.evidence
+        ?.filter((e: any) => e.line)
+        .map((e: any) => `${e.type} at line ${e.line}`)
+        .join(', ') || 'No evidence';
+
       const diagnostic = new vscode.Diagnostic(
         range,
-        `[${finding.type}] ${finding.message}\n${finding.evidence}`,
+        `[${vuln.category}] ${vuln.finding}\n${evidenceText}`,
         severity
       );
 
-      diagnostic.code = finding.cwe;
+      diagnostic.code = vuln.cwe;
       diagnostic.source = 'FivoSense';
       
-      // Add fix as code action
-      if (finding.fix) {
+      // Add taint path as related info
+      if (vuln.path && vuln.path.length > 0) {
         diagnostic.relatedInformation = [
           new vscode.DiagnosticRelatedInformation(
             new vscode.Location(document.uri, range),
-            `Fix: ${finding.fix}`
+            `Taint path: ${vuln.path.join(' → ')}`
           )
         ];
       }
@@ -121,6 +126,55 @@ async function scanDocument(document: vscode.TextDocument) {
       diagnostics.push(diagnostic);
     }
 
+    // Convert secrets to VS Code diagnostics
+    for (const secret of result.secrets) {
+      const range = new vscode.Range(
+        secret.line - 1, 0,
+        secret.line - 1, 1000
+      );
+
+      const diagnostic = new vscode.Diagnostic(
+        range,
+        `[Secret] ${secret.type} detected: ${secret.match}`,
+        vscode.DiagnosticSeverity.Warning
+      );
+
+      diagnostic.code = 'CWE-798';
+      diagnostic.source = 'FivoSense';
+      diagnostic.relatedInformation = [
+        new vscode.DiagnosticRelatedInformation(
+          new vscode.Location(document.uri, range),
+          'Fix: Use environment variables instead of hardcoded secrets'
+        )
+      ];
+
+      diagnostics.push(diagnostic);
+    }
+
+    // Convert destructive commands to VS Code diagnostics
+    for (const cmd of result.destructive) {
+      const range = new vscode.Range(
+        cmd.line - 1, 0,
+        cmd.line - 1, 1000
+      );
+
+      const diagnostic = new vscode.Diagnostic(
+        range,
+        `[Destructive] ${cmd.command} - ${cmd.reason}`,
+        vscode.DiagnosticSeverity.Error
+      );
+
+      diagnostic.source = 'FivoSense';
+      diagnostic.relatedInformation = [
+        new vscode.DiagnosticRelatedInformation(
+          new vscode.Location(document.uri, range),
+          `Suggestion: ${cmd.suggestion}`
+        )
+      ];
+
+      diagnostics.push(diagnostic);
+    }
+
     diagnosticCollection.set(document.uri, diagnostics);
 
     // Update status bar