guardrail-security 1.0.2 → 2.0.0

package/src/secrets/guardian.ts

@@ -1,468 +0,0 @@
-// Stub prisma for standalone use
-const prisma: any = null;
-
-// Local implementations of core utilities
-function calculateEntropy(str: string): number {
-  const len = str.length;
-  const charCounts: Record<string, number> = {};
-  for (const char of str) {
-    charCounts[char] = (charCounts[char] || 0) + 1;
-  }
-  let entropy = 0;
-  for (const count of Object.values(charCounts)) {
-    const p = count / len;
-    entropy -= p * Math.log2(p);
-  }
-  return entropy;
-}
-
-function maskSensitiveValue(value: string): string {
-  if (value.length <= 8) return '***';
-  return value.slice(0, 4) + '...' + value.slice(-4);
-}
-import { SECRET_PATTERNS, TEST_PATTERNS, FALSE_POSITIVE_VALUES, SecretPattern } from './patterns';
-import { readFileSync } from 'fs';
-import { glob } from 'glob';
-import { join } from 'path';
-
-// Define SecretType locally since it's not exported from database
-export enum SecretType {
-  API_KEY = 'api_key',
-  PASSWORD = 'password',
-  TOKEN = 'token',
-  CERTIFICATE = 'certificate',
-  PRIVATE_KEY = 'private_key',
-  DATABASE_URL = 'database_url',
-  JWT_SECRET = 'jwt_secret',
-  AWS_ACCESS_KEY = 'aws_access_key',
-  OTHER = 'other',
-  AWS_SECRET_KEY = 'aws_secret_key',
-  GITHUB_TOKEN = 'github_token',
-  GOOGLE_API_KEY = 'google_api_key',
-  STRIPE_KEY = 'stripe_key',
-  JWT_TOKEN = 'jwt_token',
-  SLACK_TOKEN = 'slack_token',
-  API_KEY_GENERIC = 'api_key_generic',
-  PASSWORD_GENERIC = 'password_generic'
-}
-
-/**
- * Secret detection result
- */
-export interface SecretDetection {
-  id?: string;
-  filePath: string;
-  secretType: SecretType;
-  maskedValue: string;
-  location: {
-    line: number;
-    column: number;
-    snippet: string;
-  };
-  confidence: number;
-  entropy: number;
-  isTest: boolean;
-  isRevoked: boolean;
-  recommendation: {
-    action: 'remove' | 'move_to_env' | 'use_vault' | 'revoke_and_rotate';
-    reason: string;
-    remediation: string;
-  };
-}
-
-/**
- * Scan options
- */
-export interface ScanOptions {
-  excludeTests?: boolean;
-  minConfidence?: number;
-  excludePatterns?: string[];
-}
-
-/**
- * Project scan report
- */
-export interface ProjectScanReport {
-  projectId: string;
-  totalFiles: number;
-  scannedFiles: number;
-  detections: SecretDetection[];
-  summary: {
-    totalSecrets: number;
-    byType: Record<string, number>;
-    byRisk: { high: number; medium: number; low: number };
-  };
-}
-
-/**
- * Secrets & Credential Guardian
- *
- * Detects exposed secrets and credentials in code
- */
-export class SecretsGuardian {
-  /**
-   * Scan content for secrets
-   */
-  async scanContent(
-    content: string,
-    filePath: string,
-    options: ScanOptions = {}
-  ): Promise<SecretDetection[]> {
-    const detections: SecretDetection[] = [];
-    const lines = content.split('\n');
-
-    for (const pattern of SECRET_PATTERNS) {
-      const matches = [...content.matchAll(new RegExp(pattern.pattern, 'g'))];
-
-      for (const match of matches) {
-        if (!match.index) continue;
-
-        // Extract the secret value (first capturing group)
-        const value = match[1] || match[0];
-
-        // Calculate entropy
-        const entropy = this.calculateEntropy(value);
-
-        // Check minimum entropy requirement
-        if (pattern.minEntropy && entropy < pattern.minEntropy) {
-          continue;
-        }
-
-        // Find line number and column
-        const beforeMatch = content.substring(0, match.index);
-        const lineNumber = beforeMatch.split('\n').length;
-        const lineStart = beforeMatch.lastIndexOf('\n') + 1;
-        const column = match.index - lineStart + 1;
-
-        // Get context
-        const snippet = lines[lineNumber - 1] || '';
-
-        // Check if it's a test value
-        const isTest = this.isTestValue(value, snippet);
-
-        // Check for false positives
-        const isFalsePositive = this.isFalsePositive(value, pattern.type, snippet);
-
-        if (isFalsePositive) {
-          continue;
-        }
-
-        // Calculate confidence
-        const confidence = this.calculateConfidence(value, pattern, entropy, isTest);
-
-        // Skip if below minimum confidence
-        if (options.minConfidence && confidence < options.minConfidence) {
-          continue;
-        }
-
-        // Skip if excluding tests
-        if (options.excludeTests && isTest) {
-          continue;
-        }
-
-        // Mask the value
-        const maskedValue = this.maskValue(value);
-
-        // Generate recommendation
-        const recommendation = this.generateRecommendation(pattern.type, isTest);
-
-        // Create detection object
-        const detection: SecretDetection = {
-          id: undefined, // Will be set when saved to database
-          filePath,
-          secretType: pattern.type,
-          maskedValue,
-          location: {
-            line: lineNumber,
-            column,
-            snippet: snippet.trim(),
-          },
-          confidence,
-          entropy,
-          isTest,
-          isRevoked: false,
-          recommendation,
-        };
-
-        detections.push(detection);
-      }
-    }
-
-    return detections;
-  }
-
-  /**
-   * Scan entire project
-   */
-  async scanProject(
-    projectPath: string,
-    projectId: string,
-    options: ScanOptions = {}
-  ): Promise<ProjectScanReport> {
-    const excludePatterns = [
-      '**/node_modules/**',
-      '**/dist/**',
-      '**/build/**',
-      '**/.git/**',
-      '**/coverage/**',
-      '**/*.min.js',
-      ...(options.excludePatterns || []),
-    ];
-
-    // Find all files to scan
-    const files = await glob('**/*', {
-      cwd: projectPath,
-      ignore: excludePatterns,
-      nodir: true,
-    });
-
-    const allDetections: SecretDetection[] = [];
-    let scannedFiles = 0;
-
-    for (const file of files) {
-      try {
-        const fullPath = join(projectPath, file);
-        const content = readFileSync(fullPath, 'utf-8');
-
-        const detections = await this.scanContent(content, file, options);
-
-        // Save to database
-        for (const detection of detections) {
-          try {
-            // @ts-ignore - secretDetection may not exist in schema yet
-      await prisma.secretDetection.create({
-              data: {
-                projectId: 'default',
-                filePath: detection.filePath
-              } as any
-            });
-          } catch (error) {
-            // Table may not exist - continue
-          }
-        }
-
-        allDetections.push(...detections);
-        scannedFiles++;
-      } catch (error) {
-        // Skip files that can't be read
-        continue;
-      }
-    }
-
-    // Generate summary
-    const byType: Record<string, number> = {};
-    const byRisk = { high: 0, medium: 0, low: 0 };
-
-    for (const detection of allDetections) {
-      byType[detection.secretType] = (byType[detection.secretType] || 0) + 1;
-
-      if (detection.confidence >= 0.8) {
-        byRisk.high++;
-      } else if (detection.confidence >= 0.5) {
-        byRisk.medium++;
-      } else {
-        byRisk.low++;
-      }
-    }
-
-    return {
-      projectId,
-      totalFiles: files.length,
-      scannedFiles,
-      detections: allDetections,
-      summary: {
-        totalSecrets: allDetections.length,
-        byType,
-        byRisk,
-      },
-    };
-  }
-
-  /**
-   * Calculate entropy for randomness detection
-   */
-  private calculateEntropy(str: string): number {
-    return calculateEntropy(str);
-  }
-
-  /**
-   * Check if likely test/example value
-   */
-  private isTestValue(value: string, context: string): boolean {
-    const lowerValue = value.toLowerCase();
-    const lowerContext = context.toLowerCase();
-
-    // Check value itself
-    for (const pattern of TEST_PATTERNS) {
-      if (pattern.test(lowerValue)) {
-        return true;
-      }
-    }
-
-    // Check context
-    if (
-      lowerContext.includes('test') ||
-      lowerContext.includes('example') ||
-      lowerContext.includes('demo') ||
-      lowerContext.includes('fixture') ||
-      lowerContext.includes('mock')
-    ) {
-      return true;
-    }
-
-    return false;
-  }
-
-  /**
-   * Check for false positives
-   */
-  private isFalsePositive(value: string, type: SecretType, _context: string): boolean {
-    const lowerValue = value.toLowerCase();
-
-    // Check against known false positives
-    if (FALSE_POSITIVE_VALUES.has(lowerValue)) {
-      return true;
-    }
-
-    // Check for placeholder patterns
-    if (/^(x+|0+|1+|a+)$/i.test(value)) {
-      return true;
-    }
-
-    // Check for repeated characters (likely placeholder)
-    if (/(.)\1{10,}/.test(value)) {
-      return true;
-    }
-
-    // JWT-specific false positive checks
-    if (type === SecretType.JWT_TOKEN) {
-      // Very simple/short payload might be example
-      try {
-        const parts = value.split('.');
-        if (parts.length === 3 && parts[1]) {
-          const payload = Buffer.from(parts[1], 'base64').toString();
-          if (payload.length < 20) {
-            return true;
-          }
-        }
-      } catch {
-        // Invalid JWT, might be false positive
-        return true;
-      }
-    }
-
-    return false;
-  }
-
-  /**
-   * Calculate confidence score
-   */
-  private calculateConfidence(
-    value: string,
-    pattern: SecretPattern,
-    entropy: number,
-    isTest: boolean
-  ): number {
-    let confidence = 0.7; // Base confidence
-
-    // Increase confidence for high entropy
-    if (entropy > 4.5) {
-      confidence += 0.2;
-    } else if (entropy > 4.0) {
-      confidence += 0.1;
-    }
-
-    // Decrease confidence for test values
-    if (isTest) {
-      confidence -= 0.3;
-    }
-
-    // Pattern-specific adjustments
-    if (pattern.type === SecretType.AWS_ACCESS_KEY && value.startsWith('AKIA')) {
-      confidence += 0.1;
-    }
-
-    if (pattern.type === SecretType.GITHUB_TOKEN && /^gh[pos]_/.test(value)) {
-      confidence += 0.1;
-    }
-
-    return Math.max(0, Math.min(1, confidence));
-  }
-
-  /**
-   * Mask secret for safe logging
-   */
-  private maskValue(value: string): string {
-    return maskSensitiveValue(value);
-  }
-
-  /**
-   * Generate recommendation
-   */
-  private generateRecommendation(
-    type: SecretType,
-    isTest: boolean
-  ): {
-    action: 'remove' | 'move_to_env' | 'use_vault' | 'revoke_and_rotate';
-    reason: string;
-    remediation: string;
-  } {
-    if (isTest) {
-      return {
-        action: 'remove',
-        reason: 'Test credential detected in code',
-        remediation: 'Remove test credentials and use mocking instead',
-      };
-    }
-
-    // High-risk secrets require rotation
-    const highRiskTypes: SecretType[] = [
-      'AWS_SECRET_KEY' as SecretType,
-      'GITHUB_TOKEN' as SecretType,
-      'STRIPE_KEY' as SecretType,
-      'PRIVATE_KEY' as SecretType,
-    ];
-
-    if (highRiskTypes.includes(type)) {
-      return {
-        action: 'revoke_and_rotate',
-        reason: 'High-risk credential exposed in code',
-        remediation: 'Immediately revoke this credential and rotate to a new one. Store in secure vault or environment variables.',
-      };
-    }
-
-    // Medium-risk can use env vars
-    return {
-      action: 'move_to_env',
-      reason: 'Credential should not be hardcoded',
-      remediation: 'Move to environment variables or secure vault (e.g., AWS Secrets Manager, HashiCorp Vault)',
-    };
-  }
-
-  /**
-   * Get project secrets report
-   */
-  async getProjectReport(projectId: string): Promise<SecretDetection[]> {
-    // @ts-ignore - secretDetection may not exist in schema yet
-    const detections = await prisma.secretDetection.findMany({
-      where: { projectId },
-      orderBy: { createdAt: 'desc' },
-    });
-
-    return detections.map((s: any) => ({
-      id: s.id,
-      filePath: s.filePath,
-      secretType: s.secretType as SecretType,
-      maskedValue: s.maskedValue,
-      location: s.location as any,
-      confidence: s.confidence,
-      entropy: s.entropy,
-      isTest: s.isTest,
-      isRevoked: s.isRevoked,
-      recommendation: s.recommendation as any,
-    }));
-  }
-}
-
-// Export singleton
-export const secretsGuardian = new SecretsGuardian();

package/src/secrets/index.ts

@@ -1,10 +0,0 @@
-/**
- * Secrets & Credential Guardian
- *
- * Detects and prevents exposure of secrets and credentials
- */
-
-export * from './patterns';
-export { secretsGuardian, SecretsGuardian } from './guardian';
-export { preCommitHook } from './pre-commit';
-export { vaultIntegration } from './vault-integration';

package/src/secrets/patterns.ts

@@ -1,186 +0,0 @@
-// Define SecretType locally since it's not exported from database
-export enum SecretType {
-  API_KEY = 'api_key',
-  PASSWORD = 'password',
-  TOKEN = 'token',
-  CERTIFICATE = 'certificate',
-  PRIVATE_KEY = 'private_key',
-  DATABASE_URL = 'database_url',
-  JWT_SECRET = 'jwt_secret',
-  AWS_ACCESS_KEY = 'aws_access_key',
-  OTHER = 'other',
-  AWS_SECRET_KEY = 'aws_secret_key',
-  GITHUB_TOKEN = 'github_token',
-  GOOGLE_API_KEY = 'google_api_key',
-  STRIPE_KEY = 'stripe_key',
-  JWT_TOKEN = 'jwt_token',
-  SLACK_TOKEN = 'slack_token',
-  API_KEY_GENERIC = 'api_key_generic',
-}
-
-/**
- * Secret detection pattern
- */
-export interface SecretPattern {
-  type: SecretType;
-  name: string;
-  pattern: RegExp;
-  minEntropy?: number;
-  description: string;
-  examples: string[];
-}
-
-/**
- * Comprehensive secret detection patterns
- */
-export const SECRET_PATTERNS: SecretPattern[] = [
-  // AWS Access Keys
-  {
-    type: 'AWS_ACCESS_KEY' as SecretType,
-    name: 'AWS Access Key ID',
-    pattern: /(AKIA[0-9A-Z]{16})/,
-    minEntropy: 3.5,
-    description: 'AWS Access Key ID (starts with AKIA)',
-    examples: ['AKIAIOSFODNN7EXAMPLE'],
-  },
-
-  // AWS Secret Keys
-  {
-    type: 'AWS_SECRET_KEY' as SecretType,
-    name: 'AWS Secret Access Key',
-    pattern: /aws[_\s]*secret[_\s]*access[_\s]*key[_\s]*[=:]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/i,
-    minEntropy: 4.5,
-    description: 'AWS Secret Access Key (40 characters)',
-    examples: ['aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY'],
-  },
-
-  // GitHub Personal Access Tokens
-  {
-    type: 'GITHUB_TOKEN' as SecretType,
-    name: 'GitHub Personal Access Token',
-    pattern: /(ghp_[a-zA-Z0-9]{36}|gho_[a-zA-Z0-9]{36}|ghu_[a-zA-Z0-9]{36}|ghs_[a-zA-Z0-9]{36}|ghr_[a-zA-Z0-9]{36})/,
-    description: 'GitHub Personal Access Token (ghp_, gho_, ghu_, ghs_, ghr_)',
-    examples: ['ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'],
-  },
-
-  // Google API Keys
-  {
-    type: 'GOOGLE_API_KEY' as SecretType,
-    name: 'Google API Key',
-    pattern: /(AIza[0-9A-Za-z\-_]{35})/,
-    description: 'Google API Key (starts with AIza)',
-    examples: ['AIzaSyDaGmWKa4JsXZ-HjGw7ISLn_3namBGewQe'],
-  },
-
-  // Stripe API Keys
-  {
-    type: 'STRIPE_KEY' as SecretType,
-    name: 'Stripe API Key',
-    pattern: /(sk_live_[0-9a-zA-Z]{24,}|pk_live_[0-9a-zA-Z]{24,}|rk_live_[0-9a-zA-Z]{24,})/,
-    description: 'Stripe Live API Key',
-    examples: ['sk_live_1234567890abcdefghijklmn'],
-  },
-
-  // JWT Tokens
-  {
-    type: 'JWT_TOKEN' as SecretType,
-    name: 'JWT Token',
-    pattern: /(eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]+)/,
-    minEntropy: 4.0,
-    description: 'JSON Web Token (JWT)',
-    examples: ['eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U'],
-  },
-
-  // Private Keys
-  {
-    type: 'PRIVATE_KEY' as SecretType,
-    name: 'Private Key',
-    pattern: /(-----BEGIN (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----[\s\S]*?-----END (RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----)/,
-    description: 'Private Key (RSA, EC, OpenSSH, DSA)',
-    examples: ['-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgk...\\n-----END PRIVATE KEY-----'],
-  },
-
-  // Database URLs with credentials
-  {
-    type: 'DATABASE_URL' as SecretType,
-    name: 'Database URL with Password',
-    pattern: /(postgres|mysql|mongodb|redis):\/\/[a-zA-Z0-9_-]+:([a-zA-Z0-9!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?]+)@[a-zA-Z0-9.-]+:[0-9]+/,
-    minEntropy: 3.0,
-    description: 'Database connection string with embedded password',
-    examples: ['postgresql://user:password123@localhost:5432/dbname'],
-  },
-
-  // Slack Tokens
-  {
-    type: 'SLACK_TOKEN' as SecretType,
-    name: 'Slack Token',
-    pattern: /(xox[pboa]-[0-9]{10,13}-[0-9]{10,13}-[0-9]{10,13}-[a-z0-9]{32})/,
-    description: 'Slack Bot/User/App Token',
-    examples: ['xoxb-0000000000-0000000000-0000000000-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'],
-  },
-
-  // Generic API Keys (high entropy)
-  {
-    type: 'API_KEY_GENERIC' as SecretType,
-    name: 'Generic API Key',
-    pattern: /(?:api[_\s-]?key|apikey|access[_\s-]?token|auth[_\s-]?token|secret[_\s-]?key)[_\s]*[=:]\s*['"]?([a-zA-Z0-9_\-]{32,})['"]?/i,
-    minEntropy: 4.0,
-    description: 'Generic API key or access token (high entropy)',
-    examples: ['api_key = abcdef1234567890abcdef1234567890'],
-  },
-
-  // Generic Passwords
-  {
-    type: 'PASSWORD_GENERIC' as SecretType,
-    name: 'Generic Password',
-    pattern: /(?:password|passwd|pwd)[_\s]*[=:]\s*['"]([^'"]{8,})['"]|(?:password|passwd|pwd)[_\s]*[=:]\s*([^\s]{8,})/i,
-    minEntropy: 3.0,
-    description: 'Generic password in configuration',
-    examples: ['password = "MySecretP@ssw0rd"'],
-  },
-];
-
-/**
- * Test/example value patterns (to exclude false positives)
- */
-export const TEST_PATTERNS = [
-  /test/i,
-  /example/i,
-  /sample/i,
-  /demo/i,
-  /fake/i,
-  /dummy/i,
-  /placeholder/i,
-  /\*{3,}/,
-  /x{3,}/i,
-  /0{5,}/,
-  /1{5,}/,
-  /abc{3,}/i,
-  /qwerty/i,
-  /password123/i,
-  /changeme/i,
-  /your[_-]?key/i,
-  /your[_-]?secret/i,
-];
-
-/**
- * Common false positive values
- */
-export const FALSE_POSITIVE_VALUES = new Set([
-  'example',
-  'test',
-  'sample',
-  'demo',
-  'placeholder',
-  'your_key_here',
-  'your_secret_here',
-  'xxx',
-  'yyy',
-  'zzz',
-  '***',
-  '000000000000',
-  '111111111111',
-  'abcdefghijklmnopqrstuvwxyz',
-  'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
-  '1234567890',
-]);