npm - guardrail-security - Versions diffs - 1.0.2 → 2.0.0 - Mend

guardrail-security 1.0.2 → 2.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (60) hide show

package/dist/sbom/generator.d.ts +42 -0
package/dist/sbom/generator.d.ts.map +1 -1
package/dist/sbom/generator.js +168 -7
package/dist/secrets/allowlist.d.ts +38 -0
package/dist/secrets/allowlist.d.ts.map +1 -0
package/dist/secrets/allowlist.js +131 -0
package/dist/secrets/config-loader.d.ts +25 -0
package/dist/secrets/config-loader.d.ts.map +1 -0
package/dist/secrets/config-loader.js +103 -0
package/dist/secrets/contextual-risk.d.ts +19 -0
package/dist/secrets/contextual-risk.d.ts.map +1 -0
package/dist/secrets/contextual-risk.js +88 -0
package/dist/secrets/git-scanner.d.ts +29 -0
package/dist/secrets/git-scanner.d.ts.map +1 -0
package/dist/secrets/git-scanner.js +109 -0
package/dist/secrets/guardian.d.ts +70 -57
package/dist/secrets/guardian.d.ts.map +1 -1
package/dist/secrets/guardian.js +531 -258
package/dist/secrets/index.d.ts +4 -0
package/dist/secrets/index.d.ts.map +1 -1
package/dist/secrets/index.js +11 -1
package/dist/secrets/patterns.d.ts +39 -10
package/dist/secrets/patterns.d.ts.map +1 -1
package/dist/secrets/patterns.js +129 -71
package/dist/secrets/pre-commit.d.ts.map +1 -1
package/dist/secrets/pre-commit.js +1 -1
package/dist/secrets/vault-integration.d.ts.map +1 -1
package/dist/secrets/vault-integration.js +1 -0
package/dist/supply-chain/vulnerability-db.d.ts +89 -16
package/dist/supply-chain/vulnerability-db.d.ts.map +1 -1
package/dist/supply-chain/vulnerability-db.js +404 -115
package/dist/utils/semver.d.ts +37 -0
package/dist/utils/semver.d.ts.map +1 -0
package/dist/utils/semver.js +109 -0
package/package.json +17 -3
package/src/__tests__/license/engine.test.ts +0 -250
package/src/__tests__/supply-chain/typosquat.test.ts +0 -191
package/src/attack-surface/analyzer.ts +0 -153
package/src/attack-surface/index.ts +0 -5
package/src/index.ts +0 -21
package/src/languages/index.ts +0 -91
package/src/languages/java-analyzer.ts +0 -490
package/src/languages/python-analyzer.ts +0 -498
package/src/license/compatibility-matrix.ts +0 -366
package/src/license/engine.ts +0 -346
package/src/license/index.ts +0 -6
package/src/sbom/generator.ts +0 -355
package/src/sbom/index.ts +0 -5
package/src/secrets/guardian.ts +0 -468
package/src/secrets/index.ts +0 -10
package/src/secrets/patterns.ts +0 -186
package/src/secrets/pre-commit.ts +0 -158
package/src/secrets/vault-integration.ts +0 -360
package/src/secrets/vault-providers.ts +0 -446
package/src/supply-chain/detector.ts +0 -253
package/src/supply-chain/index.ts +0 -11
package/src/supply-chain/malicious-db.ts +0 -103
package/src/supply-chain/script-analyzer.ts +0 -194
package/src/supply-chain/typosquat.ts +0 -302
package/src/supply-chain/vulnerability-db.ts +0 -386

package/src/secrets/pre-commit.ts DELETED Viewed

@@ -1,158 +0,0 @@
-import { secretsGuardian } from './guardian';
-import { execSync } from 'child_process';
-import { writeFileSync } from 'fs';
-import { join } from 'path';
-/**
- * Staged file info
- */
-export interface StagedFile {
-  path: string;
-  content: string;
-}
-/**
- * Pre-commit scan result
- */
-export interface PreCommitScanResult {
-  passed: boolean;
-  detections: number;
-  files: string[];
-  message: string;
-}
-/**
- * Pre-Commit Hook for Secrets Detection
- */
-export class PreCommitHook {
-  /**
-   * Generate pre-commit hook script
-   */
-  generateHookScript(): string {
-    return `#!/bin/bash
-# Guardrail Secrets Detection Pre-Commit Hook
-echo "🔍 Scanning for secrets..."
-# Run secrets scan via API or CLI
-npx Guardrail secrets scan-staged
-if [ $? -ne 0 ]; then
-  echo "❌ Secrets detected! Commit blocked."
-  echo "Please remove secrets or add to .gitignore"
-  exit 1
-fi
-echo "✅ No secrets detected"
-exit 0
-`;
-  }
-  /**
-   * Scan staged files
-   */
-  async scanStagedFiles(gitRoot: string): Promise<PreCommitScanResult> {
-    try {
-      // Get staged files
-      const stagedFiles = this.getStagedFiles(gitRoot);
-      if (stagedFiles.length === 0) {
-        return {
-          passed: true,
-          detections: 0,
-          files: [],
-          message: 'No files to scan',
-        };
-      }
-      // Scan each staged file
-      const allDetections: string[] = [];
-      for (const file of stagedFiles) {
-        const detections = await secretsGuardian.scanContent(
-          file.content,
-          file.path,
-          {
-            excludeTests: true,
-            minConfidence: 0.7,
-          }
-        );
-        if (detections.length > 0) {
-          allDetections.push(file.path);
-        }
-      }
-      const passed = allDetections.length === 0;
-      return {
-        passed,
-        detections: allDetections.length,
-        files: allDetections,
-        message: passed
-          ? 'No secrets detected in staged files'
-          : `Secrets detected in ${allDetections.length} file(s)`,
-      };
-    } catch (error) {
-      throw new Error(`Pre-commit scan failed: ${error instanceof Error ? error.message : 'Unknown error'}`);
-    }
-  }
-  /**
-   * Get staged files from git
-   */
-  private getStagedFiles(gitRoot: string): StagedFile[] {
-    try {
-      // Get list of staged files
-      const output = execSync('git diff --cached --name-only --diff-filter=ACM', {
-        cwd: gitRoot,
-        encoding: 'utf-8',
-      });
-      const filePaths = output.trim().split('\n').filter((f) => f);
-      // Read content of each staged file
-      const stagedFiles: StagedFile[] = [];
-      for (const filePath of filePaths) {
-        try {
-          // Get staged content (not working directory)
-          const content = execSync(`git show :${filePath}`, {
-            cwd: gitRoot,
-            encoding: 'utf-8',
-          });
-          stagedFiles.push({
-            path: filePath,
-            content,
-          });
-        } catch (error) {
-          // File might be deleted or binary, skip
-          continue;
-        }
-      }
-      return stagedFiles;
-    } catch (error) {
-      throw new Error(`Failed to get staged files: ${error instanceof Error ? error.message : 'Unknown error'}`);
-    }
-  }
-  /**
-   * Install pre-commit hook
-   */
-  installHook(gitRoot: string): void {
-    const hookPath = join(gitRoot, '.git', 'hooks', 'pre-commit');
-    const hookScript = this.generateHookScript();
-    try {
-      writeFileSync(hookPath, hookScript, { mode: 0o755 });
-      console.log('✅ Pre-commit hook installed successfully');
-    } catch (error) {
-      throw new Error(`Failed to install hook: ${error instanceof Error ? error.message : 'Unknown error'}`);
-    }
-  }
-}
-// Export singleton
-export const preCommitHook = new PreCommitHook();

package/src/secrets/vault-integration.ts DELETED Viewed

@@ -1,360 +0,0 @@
-import { SecretDetection } from './guardian';
-import { SecretType } from './patterns';
-import { createVaultProvider, VaultProvider, VaultProviderConfig, LocalEnvProvider } from './vault-providers';
-/**
- * Vault configuration
- */
-export interface VaultConfig {
-  type: 'aws_secrets_manager' | 'hashicorp_vault' | 'azure_keyvault' | 'gcp_secret_manager';
-  endpoint?: string;
-  region?: string;
-  credentials?: {
-    accessKeyId?: string;
-    secretAccessKey?: string;
-    token?: string;
-  };
-}
-/**
- * Migration result
- */
-export interface VaultMigrationResult {
-  secretId: string;
-  vaultId: string;
-  envVarName: string;
-  migrated: boolean;
-  error?: string;
-}
-/**
- * Vault Integration for Secrets
- *
- * Helps migrate hardcoded secrets to secure vaults.
- * Supports AWS Secrets Manager, HashiCorp Vault, Azure Key Vault, and GCP Secret Manager.
- */
-export class VaultIntegration {
-  private providerCache: Map<string, VaultProvider> = new Map();
-  /**
-   * Get or create a vault provider
-   */
-  private getProvider(vaultConfig: VaultConfig): VaultProvider {
-    const cacheKey = `${vaultConfig.type}_${vaultConfig.endpoint || 'default'}`;
-    if (!this.providerCache.has(cacheKey)) {
-      const providerConfig: VaultProviderConfig = {
-        type: vaultConfig.type,
-        region: vaultConfig.region,
-        endpoint: vaultConfig.endpoint,
-        credentials: vaultConfig.credentials,
-      };
-      try {
-        const provider = createVaultProvider(providerConfig);
-        this.providerCache.set(cacheKey, provider);
-      } catch (error) {
-        console.warn(`Failed to create vault provider, falling back to local: ${error}`);
-        this.providerCache.set(cacheKey, new LocalEnvProvider());
-      }
-    }
-    return this.providerCache.get(cacheKey)!;
-  }
-  /**
-   * Test vault connection
-   */
-  async testConnection(vaultConfig: VaultConfig): Promise<{ connected: boolean; error?: string }> {
-    try {
-      const provider = this.getProvider(vaultConfig);
-      const connected = await provider.testConnection();
-      return { connected };
-    } catch (error) {
-      return {
-        connected: false,
-        error: error instanceof Error ? error.message : 'Unknown error'
-      };
-    }
-  }
-  /**
-   * Migrate secrets to vault
-   * Now uses real vault providers instead of simulation
-   */
-  async migrateToVault(
-    detections: SecretDetection[],
-    vaultConfig: VaultConfig
-  ): Promise<VaultMigrationResult[]> {
-    const results: VaultMigrationResult[] = [];
-    const provider = this.getProvider(vaultConfig);
-    // Test connection first
-    const connectionTest = await this.testConnection(vaultConfig);
-    if (!connectionTest.connected) {
-      return detections.map(detection => ({
-        secretId: detection.id || '',
-        vaultId: '',
-        envVarName: this.generateEnvVarName(detection),
-        migrated: false,
-        error: `Vault connection failed: ${connectionTest.error}`,
-      }));
-    }
-    for (const detection of detections) {
-      try {
-        const envVarName = this.generateEnvVarName(detection);
-        // Extract the actual secret value from detection
-        // Note: For security, the actual value should be extracted during scan
-        // maskedValue contains the masked version, snippet contains context
-        const secretValue = (detection as any).rawValue || detection.location.snippet || '';
-        if (!secretValue) {
-          results.push({
-            secretId: detection.id || '',
-            vaultId: '',
-            envVarName,
-            migrated: false,
-            error: 'No secret value found in detection',
-          });
-          continue;
-        }
-        // Upload to real vault
-        const vaultId = await provider.createSecret(envVarName, secretValue);
-        results.push({
-          secretId: detection.id || '',
-          vaultId,
-          envVarName,
-          migrated: true,
-        });
-      } catch (error) {
-        results.push({
-          secretId: detection.id || '',
-          vaultId: '',
-          envVarName: this.generateEnvVarName(detection),
-          migrated: false,
-          error: error instanceof Error ? error.message : 'Unknown error',
-        });
-      }
-    }
-    return results;
-  }
-  /**
-   * Retrieve a secret from vault
-   */
-  async getSecret(vaultConfig: VaultConfig, secretName: string): Promise<string | null> {
-    const provider = this.getProvider(vaultConfig);
-    return provider.getSecret(secretName);
-  }
-  /**
-   * List all secrets in vault
-   */
-  async listSecrets(vaultConfig: VaultConfig): Promise<string[]> {
-    const provider = this.getProvider(vaultConfig);
-    return provider.listSecrets();
-  }
-  /**
-   * Delete a secret from vault
-   */
-  async deleteSecret(vaultConfig: VaultConfig, secretName: string): Promise<boolean> {
-    const provider = this.getProvider(vaultConfig);
-    return provider.deleteSecret(secretName);
-  }
-  /**
-   * Generate environment variable name
-   */
-  generateEnvVarName(detection: SecretDetection): string {
-    const typeMap: Record<SecretType, string> = {
-      [SecretType.AWS_ACCESS_KEY]: 'AWS_ACCESS_KEY_ID',
-      [SecretType.AWS_SECRET_KEY]: 'AWS_SECRET_ACCESS_KEY',
-      [SecretType.GITHUB_TOKEN]: 'GITHUB_TOKEN',
-      [SecretType.GOOGLE_API_KEY]: 'GOOGLE_API_KEY',
-      [SecretType.STRIPE_KEY]: 'STRIPE_SECRET_KEY',
-      [SecretType.JWT_TOKEN]: 'JWT_SECRET',
-      [SecretType.PRIVATE_KEY]: 'PRIVATE_KEY',
-      [SecretType.DATABASE_URL]: 'DATABASE_URL',
-      [SecretType.SLACK_TOKEN]: 'SLACK_TOKEN',
-      [SecretType.API_KEY_GENERIC]: 'API_KEY',
-      [SecretType.API_KEY]: 'API_KEY',
-      [SecretType.TOKEN]: 'TOKEN',
-      [SecretType.CERTIFICATE]: 'CERTIFICATE',
-      [SecretType.JWT_SECRET]: 'JWT_SECRET',
-      [SecretType.PASSWORD]: 'PASSWORD',
-      [SecretType.OTHER]: 'SECRET'
-    };
-    const baseName = typeMap[detection.secretType as SecretType] || 'SECRET';
-    // Add file-based suffix if multiple of same type
-    const fileName = detection.filePath.split('/').pop()?.replace(/[^a-zA-Z0-9]/g, '_').toUpperCase();
-    return `${baseName}_${fileName}`;
-  }
-  /**
-   * Generate code snippet for accessing secret from vault
-   */
-  generateCodeSnippet(vaultConfig: VaultConfig, envVarName: string): string {
-    switch (vaultConfig.type) {
-      case 'aws_secrets_manager':
-        return `
-// AWS Secrets Manager
-import { SecretsManagerClient, GetSecretValueCommand } from "@aws-sdk/client-secrets-manager";
-const client = new SecretsManagerClient({ region: "${vaultConfig.region || 'us-east-1'}" });
-const response = await client.send(
-  new GetSecretValueCommand({ SecretId: "${envVarName}" })
-);
-const secret = response.SecretString;
-`;
-      case 'hashicorp_vault':
-        return `
-// HashiCorp Vault
-import vault from "node-vault";
-const vaultClient = vault({
-  endpoint: "${vaultConfig.endpoint || 'http://127.0.0.1:8200'}",
-  token: process.env.VAULT_TOKEN
-});
-const { data } = await vaultClient.read("secret/data/${envVarName}");
-const secret = data.data.value;
-`;
-      case 'azure_keyvault':
-        return `
-// Azure Key Vault
-import { SecretClient } from "@azure/keyvault-secrets";
-import { DefaultAzureCredential } from "@azure/identity";
-const credential = new DefaultAzureCredential();
-const client = new SecretClient("${vaultConfig.endpoint}", credential);
-const secret = await client.getSecret("${envVarName}");
-const value = secret.value;
-`;
-      case 'gcp_secret_manager':
-        return `
-// GCP Secret Manager
-import { SecretManagerServiceClient } from '@google-cloud/secret-manager';
-const client = new SecretManagerServiceClient();
-const [version] = await client.accessSecretVersion({
-  name: 'projects/PROJECT_ID/secrets/${envVarName}/versions/latest',
-});
-const secret = version.payload?.data?.toString();
-`;
-      default:
-        return `// Use environment variable: process.env.${envVarName}`;
-    }
-  }
-  /**
-   * Generate migration guide
-   */
-  generateMigrationGuide(results: VaultMigrationResult[]): string {
-    let guide = '# Secrets Migration Guide\n\n';
-    guide += '## Detected Secrets\n\n';
-    for (const result of results) {
-      guide += `### ${result.envVarName}\n`;
-      guide += `- Vault ID: ${result.vaultId}\n`;
-      guide += `- Status: ${result.migrated ? '✅ Migrated' : '❌ Failed'}\n`;
-      if (result.error) {
-        guide += `- Error: ${result.error}\n`;
-      }
-      guide += '\n';
-    }
-    guide += '## Next Steps\n\n';
-    guide += '1. Update your code to fetch secrets from vault\n';
-    guide += '2. Remove hardcoded secrets from source code\n';
-    guide += '3. Update CI/CD pipelines to use vault credentials\n';
-    guide += '4. Test the integration\n';
-    guide += '5. Commit and push changes\n';
-    return guide;
-  }
-  /**
-   * Verify a secret exists in vault
-   */
-  async verifySecret(vaultConfig: VaultConfig, secretName: string): Promise<boolean> {
-    const secret = await this.getSecret(vaultConfig, secretName);
-    return secret !== null;
-  }
-  /**
-   * Batch migrate with progress callback
-   */
-  async migrateWithProgress(
-    detections: SecretDetection[],
-    vaultConfig: VaultConfig,
-    onProgress?: (completed: number, total: number, current: string) => void
-  ): Promise<VaultMigrationResult[]> {
-    const results: VaultMigrationResult[] = [];
-    const provider = this.getProvider(vaultConfig);
-    const total = detections.length;
-    for (let i = 0; i < detections.length; i++) {
-      const detection = detections[i];
-      if (!detection) continue;
-      const envVarName = this.generateEnvVarName(detection);
-      if (onProgress) {
-        onProgress(i, total, envVarName);
-      }
-      try {
-        const secretValue = (detection as any).rawValue || detection.location.snippet || '';
-        if (!secretValue) {
-          results.push({
-            secretId: detection.id || '',
-            vaultId: '',
-            envVarName,
-            migrated: false,
-            error: 'No secret value found',
-          });
-          continue;
-        }
-        const vaultId = await provider.createSecret(envVarName, secretValue);
-        results.push({
-          secretId: detection.id || '',
-          vaultId,
-          envVarName,
-          migrated: true,
-        });
-      } catch (error) {
-        results.push({
-          secretId: detection.id || '',
-          vaultId: '',
-          envVarName,
-          migrated: false,
-          error: error instanceof Error ? error.message : 'Unknown error',
-        });
-      }
-    }
-    if (onProgress) {
-      onProgress(total, total, 'Complete');
-    }
-    return results;
-  }
-}
-// Export singleton
-export const vaultIntegration = new VaultIntegration();