ghostpatch 1.0.0 → 1.0.1

package/.github/workflows/generator-generic-ossf-slsa3-publish.yml

@@ -0,0 +1,66 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+# This workflow lets you generate SLSA provenance file for your project.
+# The generation satisfies level 3 for the provenance requirements - see https://slsa.dev/spec/v0.1/requirements
+# The project is an initiative of the OpenSSF (openssf.org) and is developed at
+# https://github.com/slsa-framework/slsa-github-generator.
+# The provenance file can be verified using https://github.com/slsa-framework/slsa-verifier.
+# For more information about SLSA and how it improves the supply-chain, visit slsa.dev.
+
+name: SLSA generic generator
+on:
+  workflow_dispatch:
+  release:
+    types: [created]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    outputs:
+      digests: ${{ steps.hash.outputs.digests }}
+
+    steps:
+      - uses: actions/checkout@v4
+
+      # ========================================================
+      #
+      # Step 1: Build your artifacts.
+      #
+      # ========================================================
+      - name: Build artifacts
+        run: |
+            # These are some amazing artifacts.
+            echo "artifact1" > artifact1
+            echo "artifact2" > artifact2
+
+      # ========================================================
+      #
+      # Step 2: Add a step to generate the provenance subjects
+      #         as shown below. Update the sha256 sum arguments
+      #         to include all binaries that you generate
+      #         provenance for.
+      #
+      # ========================================================
+      - name: Generate subject for provenance
+        id: hash
+        run: |
+          set -euo pipefail
+
+          # List the artifacts the provenance will refer to.
+          files=$(ls artifact*)
+          # Generate the subjects (base64 encoded).
+          echo "hashes=$(sha256sum $files | base64 -w0)" >> "${GITHUB_OUTPUT}"
+
+  provenance:
+    needs: [build]
+    permissions:
+      actions: read   # To read the workflow path.
+      id-token: write # To sign the provenance.
+      contents: write # To add assets to a release.
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.4.0
+    with:
+      base64-subjects: "${{ needs.build.outputs.digests }}"
+      upload-assets: true # Optional: Upload to a new release

package/README.md

@@ -208,6 +208,67 @@ Professional standalone report with severity charts, finding details, and remedi
     sarif_file: results.sarif
 ```
 
+## Contributing
+
+We welcome contributions! Here's how to get involved:
+
+### Reporting Issues
+
+Found a bug or have a feature request? [Open an issue](https://github.com/NeuralRays/ghostpatch/issues/new) with:
+- A clear description of the problem or suggestion
+- Steps to reproduce (for bugs)
+- Expected vs actual behavior
+- Your environment (OS, Node.js version)
+
+### Submitting Pull Requests
+
+1. **Fork** the repository
+2. **Create** a feature branch: `git checkout -b feature/my-feature`
+3. **Make** your changes and add tests
+4. **Run** tests: `npm test`
+5. **Build** to verify: `npm run build`
+6. **Commit** your changes: `git commit -m "Add my feature"`
+7. **Push** to your fork: `git push origin feature/my-feature`
+8. **Open** a [Pull Request](https://github.com/NeuralRays/ghostpatch/pulls) against `master`
+
+### Development Setup
+
+```bash
+git clone https://github.com/NeuralRays/ghostpatch.git
+cd ghostpatch
+npm install
+npm run build
+npm test
+```
+
+### What We're Looking For
+
+- New security detection rules and patterns
+- Support for additional programming languages
+- Improved AI prompt engineering for better analysis
+- Bug fixes and false positive reductions
+- Documentation improvements
+- CI/CD integration examples
+
+### Code of Conduct
+
+Please be respectful and constructive in all interactions. We are committed to providing a welcoming and inclusive experience for everyone.
+
+## Security
+
+If you discover a security vulnerability within GhostPatch, please report it responsibly by emailing **neuralsoft@injectedsecurity.pro** instead of opening a public issue.
+
+## Creator & Maintainer
+
+**NeuralRays** — [GitHub](https://github.com/NeuralRays) | [neuralsoft@injectedsecurity.pro](mailto:neuralsoft@injectedsecurity.pro)
+
 ## License
 
-MIT
+MIT License — see [LICENSE](LICENSE) for details.
+
+---
+
+<p align="center">
+  <strong>GhostPatch</strong> — Scan. Detect. Secure.<br>
+  <sub>Built with TypeScript. Powered by AI.</sub>
+</p>

package/package.json

@@ -1,53 +1,61 @@
-{
-  "name": "ghostpatch",
-  "version": "1.0.0",
-  "description": "AI-powered security vulnerability scanner — like SonarQube but runs locally via npm with zero infrastructure. Uses free HuggingFace models by default.",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
-  "bin": {
-    "ghostpatch": "dist/cli/index.js",
-    "gp": "dist/cli/index.js"
-  },
-  "scripts": {
-    "build": "tsc",
-    "dev": "tsc --watch",
-    "test": "vitest run",
-    "test:watch": "vitest",
-    "start": "node dist/cli/index.js",
-    "scan": "node dist/cli/index.js scan",
-    "serve": "node dist/cli/index.js serve",
-    "prepublishOnly": "npm run build"
-  },
-  "keywords": [
-    "security",
-    "scanner",
-    "vulnerability",
-    "sast",
-    "ai",
-    "sonarqube",
-    "owasp",
-    "mcp",
-    "static-analysis"
-  ],
-  "author": "",
-  "license": "MIT",
-  "engines": {
-    "node": ">=18.0.0"
-  },
-  "dependencies": {
-    "commander": "^14.0.3",
-    "glob": "^13.0.1",
-    "micromatch": "^4.0.8",
-    "chokidar": "^4.0.3"
-  },
-  "optionalDependencies": {
-    "@anthropic-ai/sdk": "^0.39.0",
-    "openai": "^4.80.0"
-  },
-  "devDependencies": {
-    "@types/micromatch": "^4.0.9",
-    "@types/node": "^22.12.0",
-    "typescript": "^5.7.3",
-    "vitest": "^3.2.4"
-  }
-}
+{
+  "name": "ghostpatch",
+  "version": "1.0.1",
+  "description": "AI-powered security vulnerability scanner that runs locally via npm with zero infrastructure. Uses free HuggingFace models by default.",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "ghostpatch": "dist/cli/index.js",
+    "gp": "dist/cli/index.js"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "test:watch": "vitest",
+    "start": "node dist/cli/index.js",
+    "scan": "node dist/cli/index.js scan",
+    "serve": "node dist/cli/index.js serve",
+    "prepublishOnly": "npm run build"
+  },
+  "keywords": [
+    "security",
+    "scanner",
+    "vulnerability",
+    "sast",
+    "ai",
+    "sonarqube",
+    "owasp",
+    "mcp",
+    "static-analysis"
+  ],
+  "author": "NeuralRays <neuralsoft@injectedsecurity.pro>",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/NeuralRays/ghostpatch.git"
+  },
+  "homepage": "https://github.com/NeuralRays/ghostpatch",
+  "bugs": {
+    "url": "https://github.com/NeuralRays/ghostpatch/issues"
+  },
+  "license": "MIT",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "dependencies": {
+    "commander": "^14.0.3",
+    "glob": "^13.0.1",
+    "micromatch": "^4.0.8",
+    "chokidar": "^4.0.3"
+  },
+  "optionalDependencies": {
+    "@anthropic-ai/sdk": "^0.74.0",
+    "openai": "^6.18.0"
+  },
+  "devDependencies": {
+    "@types/micromatch": "^4.0.9",
+    "@types/node": "^22.12.0",
+    "typescript": "^5.7.3",
+    "vitest": "^3.2.4"
+  }
+}