guardrail-security 1.0.0

package/dist/attack-surface/analyzer.d.ts

@@ -0,0 +1,50 @@
+export interface EntryPoint {
+    type: "http" | "graphql" | "websocket" | "grpc";
+    path: string;
+    method?: string;
+    file: string;
+    line: number;
+    authentication?: string;
+    rateLimit?: string;
+    parameters: ParameterInfo[];
+}
+export interface ParameterInfo {
+    name: string;
+    type: string;
+    required: boolean;
+    validated: boolean;
+}
+export interface APISecurityFinding {
+    category: string;
+    severity: "low" | "medium" | "high" | "critical";
+    endpoint: string;
+    description: string;
+    recommendation: string;
+}
+export interface AttackPath {
+    id: string;
+    entry: string;
+    steps: string[];
+    impact: string;
+    likelihood: "low" | "medium" | "high";
+}
+export interface AttackSurfaceAnalysisResult {
+    projectId: string;
+    summary: {
+        totalEntryPoints: number;
+        byType: Record<string, number>;
+        risksByLevel: Record<string, number>;
+    };
+    entryPoints: EntryPoint[];
+    attackPaths: AttackPath[];
+    apiFindings: APISecurityFinding[];
+}
+export declare class AttackSurfaceAnalyzer {
+    analyzeProject(projectPath: string, projectId: string): Promise<AttackSurfaceAnalysisResult>;
+    private scanHTTPEndpoints;
+    private analyzeEndpoints;
+    private buildAttackPaths;
+    generateVisualization(analysis: AttackSurfaceAnalysisResult): Promise<string>;
+}
+export declare const attackSurfaceAnalyzer: AttackSurfaceAnalyzer;
+//# sourceMappingURL=analyzer.d.ts.map

package/dist/attack-surface/analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../src/attack-surface/analyzer.ts"],"names":[],"mappings":"AAEA,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,GAAG,SAAS,GAAG,WAAW,GAAG,MAAM,CAAC;IAChD,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,aAAa,EAAE,CAAC;CAC7B;AAED,MAAM,WAAW,aAAa;IAC5B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,OAAO,CAAC;IAClB,SAAS,EAAE,OAAO,CAAC;CACpB;AAED,MAAM,WAAW,kBAAkB;IACjC,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,QAAQ,EAAE,MAAM,CAAC;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;CACxB;AAED,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAC;IACX,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,CAAC;CACvC;AAED,MAAM,WAAW,2BAA2B;IAC1C,SAAS,EAAE,MAAM,CAAC;IAClB,OAAO,EAAE;QACP,gBAAgB,EAAE,MAAM,CAAC;QACzB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/B,YAAY,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KACtC,CAAC;IACF,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,WAAW,EAAE,UAAU,EAAE,CAAC;IAC1B,WAAW,EAAE,kBAAkB,EAAE,CAAC;CACnC;AAED,qBAAa,qBAAqB;IAC1B,cAAc,CAClB,WAAW,EAAE,MAAM,EACnB,SAAS,EAAE,MAAM,GAChB,OAAO,CAAC,2BAA2B,CAAC;YA0CzB,iBAAiB;YAKjB,gBAAgB;YA8BhB,gBAAgB;IAOxB,qBAAqB,CACzB,QAAQ,EAAE,2BAA2B,GACpC,OAAO,CAAC,MAAM,CAAC;CAWnB;AAED,eAAO,MAAM,qBAAqB,uBAA8B,CAAC"}

package/dist/attack-surface/analyzer.js

@@ -0,0 +1,83 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.attackSurfaceAnalyzer = exports.AttackSurfaceAnalyzer = void 0;
+const database_1 = require("@guardrail/database");
+class AttackSurfaceAnalyzer {
+    async analyzeProject(projectPath, projectId) {
+        const entryPoints = await this.scanHTTPEndpoints(projectPath);
+        const apiFindings = await this.analyzeEndpoints(entryPoints);
+        const attackPaths = await this.buildAttackPaths(entryPoints, apiFindings);
+        const byType = {};
+        const risksByLevel = {};
+        for (const ep of entryPoints) {
+            byType[ep.type] = (byType[ep.type] || 0) + 1;
+        }
+        for (const finding of apiFindings) {
+            risksByLevel[finding.severity] =
+                (risksByLevel[finding.severity] || 0) + 1;
+        }
+        const result = {
+            projectId,
+            summary: {
+                totalEntryPoints: entryPoints.length,
+                byType,
+                risksByLevel,
+            },
+            entryPoints,
+            attackPaths,
+            apiFindings,
+        };
+        await database_1.prisma.attackSurfaceAnalysis.create({
+            data: {
+                projectId,
+                summary: JSON.parse(JSON.stringify(result.summary)),
+                endpoints: JSON.parse(JSON.stringify(entryPoints)),
+                attackPaths: JSON.parse(JSON.stringify(attackPaths)),
+                apiFindings: JSON.parse(JSON.stringify(apiFindings)),
+            },
+        });
+        return result;
+    }
+    async scanHTTPEndpoints(_projectPath) {
+        // In production, would use AST parsing to find routes
+        return [];
+    }
+    async analyzeEndpoints(entryPoints) {
+        const findings = [];
+        for (const ep of entryPoints) {
+            if (!ep.authentication) {
+                findings.push({
+                    category: "Broken Authentication",
+                    severity: "high",
+                    endpoint: ep.path,
+                    description: "No authentication detected",
+                    recommendation: "Add authentication middleware",
+                });
+            }
+            if (!ep.rateLimit) {
+                findings.push({
+                    category: "Unrestricted Resource Consumption",
+                    severity: "medium",
+                    endpoint: ep.path,
+                    description: "No rate limiting detected",
+                    recommendation: "Add rate limiting middleware",
+                });
+            }
+        }
+        return findings;
+    }
+    async buildAttackPaths(_entryPoints, _findings) {
+        return [];
+    }
+    async generateVisualization(analysis) {
+        let mermaid = "graph TD\n";
+        mermaid += "  Start[External User]\n";
+        for (const ep of analysis.entryPoints) {
+            const epId = ep.path.replace(/[^a-zA-Z0-9]/g, "_");
+            mermaid += `  Start --> ${epId}[${ep.method} ${ep.path}]\n`;
+        }
+        return mermaid;
+    }
+}
+exports.AttackSurfaceAnalyzer = AttackSurfaceAnalyzer;
+exports.attackSurfaceAnalyzer = new AttackSurfaceAnalyzer();

package/dist/attack-surface/index.d.ts

@@ -0,0 +1,5 @@
+/**
+ * Attack Surface Analyzer
+ */
+export * from './analyzer';
+//# sourceMappingURL=index.d.ts.map

package/dist/attack-surface/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/attack-surface/index.ts"],"names":[],"mappings":"AAAA;;GAEG;AAEH,cAAc,YAAY,CAAC"}

package/dist/attack-surface/index.js

@@ -0,0 +1,20 @@
+"use strict";
+/**
+ * Attack Surface Analyzer
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./analyzer"), exports);

package/dist/index.d.ts

@@ -0,0 +1,15 @@
+/**
+ * Guardrail Security Package
+ *
+ * Comprehensive security layer including:
+ * - Secrets & Credential Guardian
+ * - Supply Chain Attack Detection
+ * - License Compliance Engine
+ * - Attack Surface Analyzer
+ */
+export * from './secrets';
+export * from './supply-chain';
+export * from './license';
+export * from './attack-surface';
+export { SBOMGenerator, sbomGenerator, type SBOMFormat, type SBOMGeneratorOptions, type SBOMDependency, } from './sbom';
+//# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,cAAc,WAAW,CAAC;AAC1B,cAAc,gBAAgB,CAAC;AAC/B,cAAc,WAAW,CAAC;AAC1B,cAAc,kBAAkB,CAAC;AACjC,OAAO,EACL,aAAa,EACb,aAAa,EACb,KAAK,UAAU,EACf,KAAK,oBAAoB,EACzB,KAAK,cAAc,GACpB,MAAM,QAAQ,CAAC"}

package/dist/index.js

@@ -0,0 +1,33 @@
+"use strict";
+/**
+ * Guardrail Security Package
+ *
+ * Comprehensive security layer including:
+ * - Secrets & Credential Guardian
+ * - Supply Chain Attack Detection
+ * - License Compliance Engine
+ * - Attack Surface Analyzer
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sbomGenerator = exports.SBOMGenerator = void 0;
+__exportStar(require("./secrets"), exports);
+__exportStar(require("./supply-chain"), exports);
+__exportStar(require("./license"), exports);
+__exportStar(require("./attack-surface"), exports);
+var sbom_1 = require("./sbom");
+Object.defineProperty(exports, "SBOMGenerator", { enumerable: true, get: function () { return sbom_1.SBOMGenerator; } });
+Object.defineProperty(exports, "sbomGenerator", { enumerable: true, get: function () { return sbom_1.sbomGenerator; } });

package/dist/languages/index.d.ts

@@ -0,0 +1,21 @@
+/**
+ * Multi-Language Security Analysis
+ *
+ * Provides security analysis for multiple programming languages
+ */
+export * from "./python-analyzer";
+export * from "./java-analyzer";
+export type SupportedLanguage = "javascript" | "typescript" | "python" | "java" | "go" | "rust";
+export interface LanguageDetectionResult {
+    primaryLanguage: SupportedLanguage;
+    languages: {
+        language: SupportedLanguage;
+        percentage: number;
+    }[];
+    buildTools: string[];
+}
+/**
+ * Detect project languages
+ */
+export declare function detectProjectLanguages(projectPath: string): LanguageDetectionResult;
+//# sourceMappingURL=index.d.ts.map

package/dist/languages/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/languages/index.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,cAAc,mBAAmB,CAAC;AAClC,cAAc,iBAAiB,CAAC;AAEhC,MAAM,MAAM,iBAAiB,GACzB,YAAY,GACZ,YAAY,GACZ,QAAQ,GACR,MAAM,GACN,IAAI,GACJ,MAAM,CAAC;AAEX,MAAM,WAAW,uBAAuB;IACtC,eAAe,EAAE,iBAAiB,CAAC;IACnC,SAAS,EAAE;QAAE,QAAQ,EAAE,iBAAiB,CAAC;QAAC,UAAU,EAAE,MAAM,CAAA;KAAE,EAAE,CAAC;IACjE,UAAU,EAAE,MAAM,EAAE,CAAC;CACtB;AAED;;GAEG;AACH,wBAAgB,sBAAsB,CACpC,WAAW,EAAE,MAAM,GAClB,uBAAuB,CA8DzB"}

package/dist/languages/index.js

@@ -0,0 +1,78 @@
+"use strict";
+/**
+ * Multi-Language Security Analysis
+ *
+ * Provides security analysis for multiple programming languages
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectProjectLanguages = detectProjectLanguages;
+__exportStar(require("./python-analyzer"), exports);
+__exportStar(require("./java-analyzer"), exports);
+/**
+ * Detect project languages
+ */
+function detectProjectLanguages(projectPath) {
+    const { existsSync } = require("fs");
+    const { join } = require("path");
+    const languages = [];
+    const buildTools = [];
+    // Check for JavaScript/TypeScript
+    if (existsSync(join(projectPath, "package.json"))) {
+        if (existsSync(join(projectPath, "tsconfig.json"))) {
+            languages.push({ language: "typescript", percentage: 0 });
+            buildTools.push("npm/yarn/pnpm");
+        }
+        else {
+            languages.push({ language: "javascript", percentage: 0 });
+            buildTools.push("npm/yarn/pnpm");
+        }
+    }
+    // Check for Python
+    if (existsSync(join(projectPath, "requirements.txt")) ||
+        existsSync(join(projectPath, "pyproject.toml")) ||
+        existsSync(join(projectPath, "Pipfile"))) {
+        languages.push({ language: "python", percentage: 0 });
+        buildTools.push("pip/poetry/pipenv");
+    }
+    // Check for Java
+    if (existsSync(join(projectPath, "pom.xml"))) {
+        languages.push({ language: "java", percentage: 0 });
+        buildTools.push("maven");
+    }
+    if (existsSync(join(projectPath, "build.gradle")) ||
+        existsSync(join(projectPath, "build.gradle.kts"))) {
+        languages.push({ language: "java", percentage: 0 });
+        buildTools.push("gradle");
+    }
+    // Check for Go
+    if (existsSync(join(projectPath, "go.mod"))) {
+        languages.push({ language: "go", percentage: 0 });
+        buildTools.push("go");
+    }
+    // Check for Rust
+    if (existsSync(join(projectPath, "Cargo.toml"))) {
+        languages.push({ language: "rust", percentage: 0 });
+        buildTools.push("cargo");
+    }
+    // Determine primary language (first detected)
+    const primaryLanguage = languages.length > 0 && languages[0] ? languages[0].language : "javascript";
+    return {
+        primaryLanguage,
+        languages,
+        buildTools: [...new Set(buildTools)],
+    };
+}

package/dist/languages/java-analyzer.d.ts

@@ -0,0 +1,72 @@
+/**
+ * Java Language Analyzer
+ *
+ * Security analysis for Java projects including:
+ * - Maven pom.xml / Gradle build.gradle parsing
+ * - Import analysis for detecting dangerous classes
+ * - Secret detection patterns specific to Java
+ * - Common vulnerability patterns (SQL injection, XXE, deserialization, etc.)
+ */
+export interface JavaDependency {
+    groupId: string;
+    artifactId: string;
+    version: string;
+    scope?: string;
+    source: "maven" | "gradle";
+}
+export interface JavaSecurityIssue {
+    type: "vulnerability" | "secret" | "dangerous_import" | "code_pattern";
+    severity: "low" | "medium" | "high" | "critical";
+    file: string;
+    line?: number;
+    message: string;
+    recommendation: string;
+    cwe?: string;
+}
+export interface JavaAnalysisResult {
+    projectPath: string;
+    javaVersion?: string;
+    buildTool: "maven" | "gradle" | "unknown";
+    dependencies: JavaDependency[];
+    securityIssues: JavaSecurityIssue[];
+    summary: {
+        totalDependencies: number;
+        issuesBySeverity: Record<string, number>;
+    };
+}
+export declare class JavaAnalyzer {
+    /**
+     * Analyze a Java project
+     */
+    analyze(projectPath: string): Promise<JavaAnalysisResult>;
+    /**
+     * Detect build tool
+     */
+    private detectBuildTool;
+    /**
+     * Extract dependencies
+     */
+    private extractDependencies;
+    /**
+     * Parse Maven pom.xml
+     */
+    private parseMavenPom;
+    /**
+     * Parse Gradle build file
+     */
+    private parseGradleBuild;
+    /**
+     * Find all Java files
+     */
+    private findJavaFiles;
+    /**
+     * Scan a Java file for security issues
+     */
+    private scanFile;
+    /**
+     * Detect Java version
+     */
+    private detectJavaVersion;
+}
+export declare const javaAnalyzer: JavaAnalyzer;
+//# sourceMappingURL=java-analyzer.d.ts.map

package/dist/languages/java-analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"java-analyzer.d.ts","sourceRoot":"","sources":["../../src/languages/java-analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,MAAM,WAAW,cAAc;IAC7B,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,OAAO,GAAG,QAAQ,CAAC;CAC5B;AAED,MAAM,WAAW,iBAAiB;IAChC,IAAI,EAAE,eAAe,GAAG,QAAQ,GAAG,kBAAkB,GAAG,cAAc,CAAC;IACvE,QAAQ,EAAE,KAAK,GAAG,QAAQ,GAAG,MAAM,GAAG,UAAU,CAAC;IACjD,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,OAAO,EAAE,MAAM,CAAC;IAChB,cAAc,EAAE,MAAM,CAAC;IACvB,GAAG,CAAC,EAAE,MAAM,CAAC;CACd;AAED,MAAM,WAAW,kBAAkB;IACjC,WAAW,EAAE,MAAM,CAAC;IACpB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,SAAS,EAAE,OAAO,GAAG,QAAQ,GAAG,SAAS,CAAC;IAC1C,YAAY,EAAE,cAAc,EAAE,CAAC;IAC/B,cAAc,EAAE,iBAAiB,EAAE,CAAC;IACpC,OAAO,EAAE;QACP,iBAAiB,EAAE,MAAM,CAAC;QAC1B,gBAAgB,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;KAC1C,CAAC;CACH;AA4ID,qBAAa,YAAY;IACvB;;OAEG;IACG,OAAO,CAAC,WAAW,EAAE,MAAM,GAAG,OAAO,CAAC,kBAAkB,CAAC;IA0C/D;;OAEG;IACH,OAAO,CAAC,eAAe;IAavB;;OAEG;YACW,mBAAmB;IAajC;;OAEG;IACH,OAAO,CAAC,aAAa;IA+BrB;;OAEG;IACH,OAAO,CAAC,gBAAgB;IAsCxB;;OAEG;IACH,OAAO,CAAC,aAAa;IA4CrB;;OAEG;IACH,OAAO,CAAC,QAAQ;IAsEhB;;OAEG;IACH,OAAO,CAAC,iBAAiB;CA6B1B;AAGD,eAAO,MAAM,YAAY,cAAqB,CAAC"}