guardvibe 1.4.0 → 1.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/data/rules/api-security.d.ts.map +1 -1
- package/build/data/rules/api-security.js +1 -0
- package/build/data/rules/api-security.js.map +1 -1
- package/build/data/rules/deployment.d.ts.map +1 -1
- package/build/data/rules/deployment.js +6 -0
- package/build/data/rules/deployment.js.map +1 -1
- package/build/data/rules/payments.d.ts.map +1 -1
- package/build/data/rules/payments.js +3 -0
- package/build/data/rules/payments.js.map +1 -1
- package/build/data/rules/react-native.d.ts.map +1 -1
- package/build/data/rules/react-native.js +3 -0
- package/build/data/rules/react-native.js.map +1 -1
- package/build/data/rules/services.d.ts.map +1 -1
- package/build/data/rules/services.js +5 -0
- package/build/data/rules/services.js.map +1 -1
- package/build/data/rules/web-security.d.ts.map +1 -1
- package/build/data/rules/web-security.js +8 -0
- package/build/data/rules/web-security.js.map +1 -1
- package/build/index.js +50 -1
- package/build/index.js.map +1 -1
- package/build/tools/policy-check.d.ts +3 -0
- package/build/tools/policy-check.d.ts.map +1 -0
- package/build/tools/policy-check.js +208 -0
- package/build/tools/policy-check.js.map +1 -0
- package/build/tools/review-pr.d.ts +3 -0
- package/build/tools/review-pr.d.ts.map +1 -0
- package/build/tools/review-pr.js +179 -0
- package/build/tools/review-pr.js.map +1 -0
- package/build/tools/scan-secrets-history.d.ts +9 -0
- package/build/tools/scan-secrets-history.d.ts.map +1 -0
- package/build/tools/scan-secrets-history.js +142 -0
- package/build/tools/scan-secrets-history.js.map +1 -0
- package/build/tools/taint-analysis.d.ts +23 -0
- package/build/tools/taint-analysis.d.ts.map +1 -0
- package/build/tools/taint-analysis.js +183 -0
- package/build/tools/taint-analysis.js.map +1 -0
- package/build/utils/config.d.ts +14 -0
- package/build/utils/config.d.ts.map +1 -1
- package/build/utils/config.js +7 -0
- package/build/utils/config.js.map +1 -1
- package/package.json +1 -1
|
@@ -0,0 +1,208 @@
|
|
|
1
|
+
import { readdirSync, readFileSync, statSync } from "fs";
|
|
2
|
+
import { join, extname, basename, resolve } from "path";
|
|
3
|
+
import { analyzeCode } from "./check-code.js";
|
|
4
|
+
import { loadConfig } from "../utils/config.js";
|
|
5
|
+
const EXTENSION_MAP = {
|
|
6
|
+
".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
|
|
7
|
+
".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
|
|
8
|
+
".py": "python", ".go": "go", ".html": "html",
|
|
9
|
+
".sql": "sql", ".sh": "shell", ".bash": "shell",
|
|
10
|
+
".yml": "yaml", ".yaml": "yaml", ".tf": "terraform",
|
|
11
|
+
".toml": "toml", ".json": "json",
|
|
12
|
+
};
|
|
13
|
+
const CONFIG_FILE_MAP = {
|
|
14
|
+
"vercel.json": "vercel-config",
|
|
15
|
+
"next.config.js": "nextjs-config", "next.config.mjs": "nextjs-config", "next.config.ts": "nextjs-config",
|
|
16
|
+
"docker-compose.yml": "docker-compose", "docker-compose.yaml": "docker-compose",
|
|
17
|
+
};
|
|
18
|
+
const DEFAULT_EXCLUDES = new Set([
|
|
19
|
+
"node_modules", ".git", "build", "dist", "vendor", "__pycache__",
|
|
20
|
+
".next", ".nuxt", "coverage", ".turbo",
|
|
21
|
+
]);
|
|
22
|
+
function walkDir(dir, excludes, results) {
|
|
23
|
+
let entries;
|
|
24
|
+
try {
|
|
25
|
+
entries = readdirSync(dir, { withFileTypes: true });
|
|
26
|
+
}
|
|
27
|
+
catch {
|
|
28
|
+
return;
|
|
29
|
+
}
|
|
30
|
+
for (const entry of entries) {
|
|
31
|
+
if (excludes.has(entry.name))
|
|
32
|
+
continue;
|
|
33
|
+
const fullPath = join(dir, entry.name);
|
|
34
|
+
if (entry.isDirectory())
|
|
35
|
+
walkDir(fullPath, excludes, results);
|
|
36
|
+
else if (entry.isFile()) {
|
|
37
|
+
const ext = extname(entry.name).toLowerCase();
|
|
38
|
+
if (EXTENSION_MAP[ext] || entry.name.startsWith("Dockerfile") || CONFIG_FILE_MAP[entry.name]) {
|
|
39
|
+
results.push(fullPath);
|
|
40
|
+
}
|
|
41
|
+
}
|
|
42
|
+
}
|
|
43
|
+
}
|
|
44
|
+
function isExcepted(ruleId, filePath, exceptions) {
|
|
45
|
+
for (const exc of exceptions) {
|
|
46
|
+
if (exc.ruleId !== ruleId && exc.ruleId !== "*")
|
|
47
|
+
continue;
|
|
48
|
+
// Check expiration
|
|
49
|
+
if (exc.expiresAt) {
|
|
50
|
+
const expiry = new Date(exc.expiresAt);
|
|
51
|
+
if (expiry < new Date())
|
|
52
|
+
continue; // expired
|
|
53
|
+
}
|
|
54
|
+
// Check file scope
|
|
55
|
+
if (exc.files && exc.files.length > 0) {
|
|
56
|
+
const matches = exc.files.some(pattern => {
|
|
57
|
+
if (pattern.includes("*")) {
|
|
58
|
+
const regex = new RegExp(pattern.replace(/\*/g, ".*"));
|
|
59
|
+
return regex.test(filePath);
|
|
60
|
+
}
|
|
61
|
+
return filePath.includes(pattern);
|
|
62
|
+
});
|
|
63
|
+
if (!matches)
|
|
64
|
+
continue;
|
|
65
|
+
}
|
|
66
|
+
return exc;
|
|
67
|
+
}
|
|
68
|
+
return null;
|
|
69
|
+
}
|
|
70
|
+
function getControlsForRule(rule, frameworks) {
|
|
71
|
+
if (!rule.compliance)
|
|
72
|
+
return [];
|
|
73
|
+
return rule.compliance.filter(c => {
|
|
74
|
+
const prefix = c.split(":")[0].toUpperCase();
|
|
75
|
+
return frameworks.some(f => f.toUpperCase() === prefix || f.toUpperCase() === "ALL");
|
|
76
|
+
});
|
|
77
|
+
}
|
|
78
|
+
export function policyCheck(path, format = "markdown", rules) {
|
|
79
|
+
const scanRoot = resolve(path);
|
|
80
|
+
const config = loadConfig(scanRoot);
|
|
81
|
+
const policy = config.compliance;
|
|
82
|
+
if (!policy) {
|
|
83
|
+
const msg = "No compliance policy defined. Add a `compliance` section to .guardviberc.";
|
|
84
|
+
if (format === "json")
|
|
85
|
+
return JSON.stringify({ error: msg });
|
|
86
|
+
return `# GuardVibe Policy Check\n\n${msg}\n\nExample:\n\`\`\`json\n{\n "compliance": {\n "frameworks": ["SOC2", "GDPR"],\n "failOn": "high",\n "exceptions": [],\n "requiredControls": ["SOC2:CC6.1"]\n }\n}\n\`\`\``;
|
|
87
|
+
}
|
|
88
|
+
const excludes = new Set([...DEFAULT_EXCLUDES, ...config.scan.exclude]);
|
|
89
|
+
const filePaths = [];
|
|
90
|
+
walkDir(scanRoot, excludes, filePaths);
|
|
91
|
+
const policyFindings = [];
|
|
92
|
+
const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
|
|
93
|
+
const failLevel = severityOrder[policy.failOn] ?? 1;
|
|
94
|
+
for (const filePath of filePaths) {
|
|
95
|
+
try {
|
|
96
|
+
const stat = statSync(filePath);
|
|
97
|
+
if (stat.size > config.scan.maxFileSize)
|
|
98
|
+
continue;
|
|
99
|
+
const content = readFileSync(filePath, "utf-8");
|
|
100
|
+
const ext = extname(filePath).toLowerCase();
|
|
101
|
+
let language = EXTENSION_MAP[ext];
|
|
102
|
+
if (!language && basename(filePath).startsWith("Dockerfile"))
|
|
103
|
+
language = "dockerfile";
|
|
104
|
+
if (!language)
|
|
105
|
+
language = CONFIG_FILE_MAP[basename(filePath)];
|
|
106
|
+
if (!language)
|
|
107
|
+
continue;
|
|
108
|
+
const findings = analyzeCode(content, language, undefined, filePath, scanRoot, rules);
|
|
109
|
+
for (const f of findings) {
|
|
110
|
+
const controls = getControlsForRule(f.rule, policy.frameworks);
|
|
111
|
+
if (controls.length === 0)
|
|
112
|
+
continue;
|
|
113
|
+
const exception = isExcepted(f.rule.id, filePath, policy.exceptions);
|
|
114
|
+
policyFindings.push({
|
|
115
|
+
rule: f.rule, match: f.match, line: f.line, filePath,
|
|
116
|
+
controls,
|
|
117
|
+
excepted: !!exception,
|
|
118
|
+
exceptionReason: exception?.reason,
|
|
119
|
+
});
|
|
120
|
+
}
|
|
121
|
+
}
|
|
122
|
+
catch { /* skip */ }
|
|
123
|
+
}
|
|
124
|
+
const activeFindings = policyFindings.filter(f => !f.excepted);
|
|
125
|
+
const exceptedFindings = policyFindings.filter(f => f.excepted);
|
|
126
|
+
const blockingFindings = activeFindings.filter(f => (severityOrder[f.rule.severity] ?? 4) <= failLevel);
|
|
127
|
+
// Required controls check
|
|
128
|
+
const controlStatus = {};
|
|
129
|
+
if (policy.requiredControls) {
|
|
130
|
+
for (const ctrl of policy.requiredControls) {
|
|
131
|
+
const violations = activeFindings.filter(f => f.controls.includes(ctrl));
|
|
132
|
+
controlStatus[ctrl] = violations.length === 0 ? "pass" : "fail";
|
|
133
|
+
}
|
|
134
|
+
}
|
|
135
|
+
const pass = blockingFindings.length === 0 && !Object.values(controlStatus).includes("fail");
|
|
136
|
+
const result = {
|
|
137
|
+
pass,
|
|
138
|
+
findings: activeFindings,
|
|
139
|
+
exceptions: exceptedFindings,
|
|
140
|
+
summary: {
|
|
141
|
+
total: policyFindings.length,
|
|
142
|
+
excepted: exceptedFindings.length,
|
|
143
|
+
blocking: blockingFindings.length,
|
|
144
|
+
frameworks: policy.frameworks,
|
|
145
|
+
failOn: policy.failOn,
|
|
146
|
+
requiredControlsStatus: controlStatus,
|
|
147
|
+
},
|
|
148
|
+
};
|
|
149
|
+
if (format === "json") {
|
|
150
|
+
return JSON.stringify({
|
|
151
|
+
pass: result.pass,
|
|
152
|
+
summary: result.summary,
|
|
153
|
+
findings: result.findings.map(f => ({
|
|
154
|
+
id: f.rule.id, name: f.rule.name, severity: f.rule.severity,
|
|
155
|
+
file: f.filePath, line: f.line, controls: f.controls,
|
|
156
|
+
fix: f.rule.fix,
|
|
157
|
+
})),
|
|
158
|
+
exceptions: result.exceptions.map(f => ({
|
|
159
|
+
id: f.rule.id, name: f.rule.name, severity: f.rule.severity,
|
|
160
|
+
file: f.filePath, line: f.line, reason: f.exceptionReason,
|
|
161
|
+
})),
|
|
162
|
+
});
|
|
163
|
+
}
|
|
164
|
+
// Markdown
|
|
165
|
+
const lines = [
|
|
166
|
+
`# GuardVibe Policy Check`,
|
|
167
|
+
``,
|
|
168
|
+
`**Result:** ${pass ? "PASS" : "FAIL"}`,
|
|
169
|
+
`**Frameworks:** ${policy.frameworks.join(", ")}`,
|
|
170
|
+
`**Fail threshold:** ${policy.failOn}`,
|
|
171
|
+
`**Directory:** ${scanRoot}`,
|
|
172
|
+
``,
|
|
173
|
+
`| Metric | Count |`,
|
|
174
|
+
`|--------|-------|`,
|
|
175
|
+
`| Total compliance findings | ${policyFindings.length} |`,
|
|
176
|
+
`| Excepted (accepted risk) | ${exceptedFindings.length} |`,
|
|
177
|
+
`| Blocking (above threshold) | ${blockingFindings.length} |`,
|
|
178
|
+
``,
|
|
179
|
+
];
|
|
180
|
+
// Required controls
|
|
181
|
+
if (Object.keys(controlStatus).length > 0) {
|
|
182
|
+
lines.push(`## Required Controls`, ``, `| Control | Status |`, `|---------|--------|`);
|
|
183
|
+
for (const [ctrl, status] of Object.entries(controlStatus)) {
|
|
184
|
+
lines.push(`| ${ctrl} | ${status === "pass" ? "PASS" : "**FAIL**"} |`);
|
|
185
|
+
}
|
|
186
|
+
lines.push(``);
|
|
187
|
+
}
|
|
188
|
+
// Blocking findings
|
|
189
|
+
if (blockingFindings.length > 0) {
|
|
190
|
+
lines.push(`## Blocking Findings`, ``);
|
|
191
|
+
for (const f of blockingFindings) {
|
|
192
|
+
lines.push(`- **[${f.rule.severity.toUpperCase()}]** ${f.rule.name} (${f.rule.id}) in \`${f.filePath}\`:${f.line}`, ` Controls: ${f.controls.join(", ")} | Fix: ${f.rule.fix}`, ``);
|
|
193
|
+
}
|
|
194
|
+
}
|
|
195
|
+
// Exceptions
|
|
196
|
+
if (exceptedFindings.length > 0) {
|
|
197
|
+
lines.push(`## Accepted Exceptions`, ``);
|
|
198
|
+
for (const f of exceptedFindings) {
|
|
199
|
+
lines.push(`- ~~${f.rule.name} (${f.rule.id})~~ in \`${f.filePath}\`:${f.line} — *${f.exceptionReason}*`);
|
|
200
|
+
}
|
|
201
|
+
lines.push(``);
|
|
202
|
+
}
|
|
203
|
+
if (pass && blockingFindings.length === 0) {
|
|
204
|
+
lines.push(`All compliance checks passed.`);
|
|
205
|
+
}
|
|
206
|
+
return lines.join("\n");
|
|
207
|
+
}
|
|
208
|
+
//# sourceMappingURL=policy-check.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"policy-check.js","sourceRoot":"","sources":["../../src/tools/policy-check.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACzD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACxD,OAAO,EAAE,WAAW,EAAgB,MAAM,iBAAiB,CAAC;AAC5D,OAAO,EAAE,UAAU,EAA+C,MAAM,oBAAoB,CAAC;AAG7F,MAAM,aAAa,GAA2B;IAC5C,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY;IACrF,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY;IACrF,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM;IAC7C,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO;IAC/C,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW;IACnD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CACjC,CAAC;AAEF,MAAM,eAAe,GAA2B;IAC9C,aAAa,EAAE,eAAe;IAC9B,gBAAgB,EAAE,eAAe,EAAE,iBAAiB,EAAE,eAAe,EAAE,gBAAgB,EAAE,eAAe;IACxG,oBAAoB,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,gBAAgB;CAChF,CAAC;AAEF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa;IAChE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ;CACvC,CAAC,CAAC;AA0BH,SAAS,OAAO,CAAC,GAAW,EAAE,QAAqB,EAAE,OAAiB;IACpE,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QAAC,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO;IAAC,CAAC;IAC9E,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,SAAS;QACvC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,KAAK,CAAC,WAAW,EAAE;YAAE,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;aACzD,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YACxB,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAC9C,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,eAAe,CAAC,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC;gBAC7F,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,UAAU,CAAC,MAAc,EAAE,QAAgB,EAAE,UAA6B;IACjF,KAAK,MAAM,GAAG,IAAI,UAAU,EAAE,CAAC;QAC7B,IAAI,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,GAAG,CAAC,MAAM,KAAK,GAAG;YAAE,SAAS;QAE1D,mBAAmB;QACnB,IAAI,GAAG,CAAC,SAAS,EAAE,CAAC;YAClB,MAAM,MAAM,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;YACvC,IAAI,MAAM,GAAG,IAAI,IAAI,EAAE;gBAAE,SAAS,CAAC,UAAU;QAC/C,CAAC;QAED,mBAAmB;QACnB,IAAI,GAAG,CAAC,KAAK,IAAI,GAAG,CAAC,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACtC,MAAM,OAAO,GAAG,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;gBACvC,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;oBAC1B,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,CAAC;oBACvD,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;gBAC9B,CAAC;gBACD,OAAO,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAC;YACpC,CAAC,CAAC,CAAC;YACH,IAAI,CAAC,OAAO;gBAAE,SAAS;QACzB,CAAC;QAED,OAAO,GAAG,CAAC;IACb,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,SAAS,kBAAkB,CAAC,IAAkB,EAAE,UAAoB;IAClE,IAAI,CAAC,IAAI,CAAC,UAAU;QAAE,OAAO,EAAE,CAAC;IAChC,OAAO,IAAI,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE;QAChC,MAAM,MAAM,GAAG,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC;QAC7C,OAAO,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,WAAW,EAAE,KAAK,MAAM,IAAI,CAAC,CAAC,WAAW,EAAE,KAAK,KAAK,CAAC,CAAC;IACvF,CAAC,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,IAAY,EACZ,SAA8B,UAAU,EACxC,KAAsB;IAEtB,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,MAAM,GAAG,MAAM,CAAC,UAAU,CAAC;IAEjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,GAAG,GAAG,2EAA2E,CAAC;QACxF,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC;QAC7D,OAAO,+BAA+B,GAAG,2LAA2L,CAAC;IACvO,CAAC;IAED,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC,CAAC,GAAG,gBAAgB,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACxE,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IAEvC,MAAM,cAAc,GAAoB,EAAE,CAAC;IAC3C,MAAM,aAAa,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACnG,MAAM,SAAS,GAAG,aAAa,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC;IAEpD,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAChC,IAAI,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW;gBAAE,SAAS;YAClD,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAChD,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;YAC5C,IAAI,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC;gBAAE,QAAQ,GAAG,YAAY,CAAC;YACtF,IAAI,CAAC,QAAQ;gBAAE,QAAQ,GAAG,eAAe,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC;YAC9D,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAExB,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;YACtF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,MAAM,QAAQ,GAAG,kBAAkB,CAAC,CAAC,CAAC,IAAI,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;gBAC/D,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC;oBAAE,SAAS;gBAEpC,MAAM,SAAS,GAAG,UAAU,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC;gBACrE,cAAc,CAAC,IAAI,CAAC;oBAClB,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,QAAQ;oBACpD,QAAQ;oBACR,QAAQ,EAAE,CAAC,CAAC,SAAS;oBACrB,eAAe,EAAE,SAAS,EAAE,MAAM;iBACnC,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;IACxB,CAAC;IAED,MAAM,cAAc,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAC/D,MAAM,gBAAgB,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC;IAChE,MAAM,gBAAgB,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC;IAExG,0BAA0B;IAC1B,MAAM,aAAa,GAAoC,EAAE,CAAC;IAC1D,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;QAC5B,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,gBAAgB,EAAE,CAAC;YAC3C,MAAM,UAAU,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YACzE,aAAa,CAAC,IAAI,CAAC,GAAG,UAAU,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC;QAClE,CAAC;IACH,CAAC;IAED,MAAM,IAAI,GAAG,gBAAgB,CAAC,MAAM,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;IAE7F,MAAM,MAAM,GAAiB;QAC3B,IAAI;QACJ,QAAQ,EAAE,cAAc;QACxB,UAAU,EAAE,gBAAgB;QAC5B,OAAO,EAAE;YACP,KAAK,EAAE,cAAc,CAAC,MAAM;YAC5B,QAAQ,EAAE,gBAAgB,CAAC,MAAM;YACjC,QAAQ,EAAE,gBAAgB,CAAC,MAAM;YACjC,UAAU,EAAE,MAAM,CAAC,UAAU;YAC7B,MAAM,EAAE,MAAM,CAAC,MAAM;YACrB,sBAAsB,EAAE,aAAa;SACtC;KACF,CAAC;IAEF,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC;YACpB,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,OAAO,EAAE,MAAM,CAAC,OAAO;YACvB,QAAQ,EAAE,MAAM,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBAClC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ;gBAC3D,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ;gBACpD,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG;aAChB,CAAC,CAAC;YACH,UAAU,EAAE,MAAM,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACtC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ;gBAC3D,IAAI,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC,eAAe;aAC1D,CAAC,CAAC;SACJ,CAAC,CAAC;IACL,CAAC;IAED,WAAW;IACX,MAAM,KAAK,GAAa;QACtB,0BAA0B;QAC1B,EAAE;QACF,eAAe,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,MAAM,EAAE;QACvC,mBAAmB,MAAM,CAAC,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;QACjD,uBAAuB,MAAM,CAAC,MAAM,EAAE;QACtC,kBAAkB,QAAQ,EAAE;QAC5B,EAAE;QACF,oBAAoB;QACpB,oBAAoB;QACpB,iCAAiC,cAAc,CAAC,MAAM,IAAI;QAC1D,gCAAgC,gBAAgB,CAAC,MAAM,IAAI;QAC3D,kCAAkC,gBAAgB,CAAC,MAAM,IAAI;QAC7D,EAAE;KACH,CAAC;IAEF,oBAAoB;IACpB,IAAI,MAAM,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,EAAE,sBAAsB,EAAE,sBAAsB,CAAC,CAAC;QACvF,KAAK,MAAM,CAAC,IAAI,EAAE,MAAM,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,CAAC,EAAE,CAAC;YAC3D,KAAK,CAAC,IAAI,CAAC,KAAK,IAAI,MAAM,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,UAAU,IAAI,CAAC,CAAC;QACzE,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,oBAAoB;IACpB,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,KAAK,CAAC,IAAI,CAAC,sBAAsB,EAAE,EAAE,CAAC,CAAC;QACvC,KAAK,MAAM,CAAC,IAAI,gBAAgB,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CACR,QAAQ,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,UAAU,CAAC,CAAC,QAAQ,MAAM,CAAC,CAAC,IAAI,EAAE,EACvG,eAAe,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,EAC3D,EAAE,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,aAAa;IACb,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,KAAK,CAAC,IAAI,CAAC,wBAAwB,EAAE,EAAE,CAAC,CAAC;QACzC,KAAK,MAAM,CAAC,IAAI,gBAAgB,EAAE,CAAC;YACjC,KAAK,CAAC,IAAI,CACR,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,CAAC,QAAQ,MAAM,CAAC,CAAC,IAAI,OAAO,CAAC,CAAC,eAAe,GAAG,CAC9F,CAAC;QACJ,CAAC;QACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACjB,CAAC;IAED,IAAI,IAAI,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1C,KAAK,CAAC,IAAI,CAAC,+BAA+B,CAAC,CAAC;IAC9C,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
|
|
@@ -0,0 +1,3 @@
|
|
|
1
|
+
import type { SecurityRule } from "../data/rules/types.js";
|
|
2
|
+
export declare function reviewPr(cwd?: string, base?: string, format?: "markdown" | "json" | "annotations", diffOnly?: boolean, failOn?: "critical" | "high" | "medium" | "low" | "none", rules?: SecurityRule[]): string;
|
|
3
|
+
//# sourceMappingURL=review-pr.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"review-pr.d.ts","sourceRoot":"","sources":["../../src/tools/review-pr.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,wBAAwB,CAAC;AA0F3D,wBAAgB,QAAQ,CACtB,GAAG,GAAE,MAAsB,EAC3B,IAAI,GAAE,MAAe,EACrB,MAAM,GAAE,UAAU,GAAG,MAAM,GAAG,aAA0B,EACxD,QAAQ,GAAE,OAAc,EACxB,MAAM,GAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAe,EAChE,KAAK,CAAC,EAAE,YAAY,EAAE,GACrB,MAAM,CA8HR"}
|
|
@@ -0,0 +1,179 @@
|
|
|
1
|
+
import { execFileSync } from "child_process";
|
|
2
|
+
import { extname, basename } from "path";
|
|
3
|
+
import { analyzeCode } from "./check-code.js";
|
|
4
|
+
const EXTENSION_MAP = {
|
|
5
|
+
".js": "javascript", ".jsx": "javascript", ".mjs": "javascript", ".cjs": "javascript",
|
|
6
|
+
".ts": "typescript", ".tsx": "typescript", ".mts": "typescript", ".cts": "typescript",
|
|
7
|
+
".py": "python", ".go": "go", ".html": "html",
|
|
8
|
+
".sql": "sql", ".sh": "shell", ".bash": "shell",
|
|
9
|
+
".yml": "yaml", ".yaml": "yaml", ".tf": "terraform",
|
|
10
|
+
".toml": "toml", ".json": "json",
|
|
11
|
+
};
|
|
12
|
+
const CONFIG_FILE_MAP = {
|
|
13
|
+
"vercel.json": "vercel-config",
|
|
14
|
+
"next.config.js": "nextjs-config", "next.config.mjs": "nextjs-config", "next.config.ts": "nextjs-config",
|
|
15
|
+
"docker-compose.yml": "docker-compose", "docker-compose.yaml": "docker-compose",
|
|
16
|
+
};
|
|
17
|
+
function execGit(args, cwd) {
|
|
18
|
+
try {
|
|
19
|
+
return execFileSync("git", args, { cwd, encoding: "utf-8", timeout: 15000 });
|
|
20
|
+
}
|
|
21
|
+
catch {
|
|
22
|
+
return "";
|
|
23
|
+
}
|
|
24
|
+
}
|
|
25
|
+
function getChangedFiles(cwd, base) {
|
|
26
|
+
const output = execGit(["diff", "--name-only", base], cwd);
|
|
27
|
+
return output.trim().split("\n").filter(Boolean);
|
|
28
|
+
}
|
|
29
|
+
function getDiffHunks(cwd, base, file) {
|
|
30
|
+
const output = execGit(["diff", "-U0", base, "--", file], cwd);
|
|
31
|
+
const hunks = [];
|
|
32
|
+
const hunkPattern = /@@\s+-\d+(?:,\d+)?\s+\+(\d+)(?:,(\d+))?\s+@@/g;
|
|
33
|
+
let match;
|
|
34
|
+
while ((match = hunkPattern.exec(output)) !== null) {
|
|
35
|
+
const start = parseInt(match[1], 10);
|
|
36
|
+
const count = match[2] ? parseInt(match[2], 10) : 1;
|
|
37
|
+
hunks.push({ startLine: start, lineCount: count });
|
|
38
|
+
}
|
|
39
|
+
return hunks;
|
|
40
|
+
}
|
|
41
|
+
function getFileContent(cwd, file) {
|
|
42
|
+
try {
|
|
43
|
+
return execFileSync("git", ["show", `HEAD:${file}`], { cwd, encoding: "utf-8", timeout: 10000 });
|
|
44
|
+
}
|
|
45
|
+
catch {
|
|
46
|
+
return null;
|
|
47
|
+
}
|
|
48
|
+
}
|
|
49
|
+
function isLineInDiff(line, hunks) {
|
|
50
|
+
return hunks.some(h => line >= h.startLine && line < h.startLine + h.lineCount);
|
|
51
|
+
}
|
|
52
|
+
function detectLanguage(filePath) {
|
|
53
|
+
const ext = extname(filePath).toLowerCase();
|
|
54
|
+
if (EXTENSION_MAP[ext])
|
|
55
|
+
return EXTENSION_MAP[ext];
|
|
56
|
+
if (basename(filePath).startsWith("Dockerfile") || ext === ".dockerfile")
|
|
57
|
+
return "dockerfile";
|
|
58
|
+
return CONFIG_FILE_MAP[basename(filePath)] ?? null;
|
|
59
|
+
}
|
|
60
|
+
function severityToLevel(severity) {
|
|
61
|
+
if (severity === "critical" || severity === "high")
|
|
62
|
+
return "failure";
|
|
63
|
+
if (severity === "medium")
|
|
64
|
+
return "warning";
|
|
65
|
+
return "notice";
|
|
66
|
+
}
|
|
67
|
+
export function reviewPr(cwd = process.cwd(), base = "main", format = "markdown", diffOnly = true, failOn = "high", rules) {
|
|
68
|
+
const changedFiles = getChangedFiles(cwd, base);
|
|
69
|
+
if (changedFiles.length === 0) {
|
|
70
|
+
if (format === "json")
|
|
71
|
+
return JSON.stringify({ summary: { total: 0, files: 0 }, findings: [] });
|
|
72
|
+
if (format === "annotations")
|
|
73
|
+
return JSON.stringify([]);
|
|
74
|
+
return "# GuardVibe PR Review\n\nNo changed files found.";
|
|
75
|
+
}
|
|
76
|
+
const allFindings = [];
|
|
77
|
+
const scannedFiles = [];
|
|
78
|
+
for (const file of changedFiles) {
|
|
79
|
+
const language = detectLanguage(file);
|
|
80
|
+
if (!language)
|
|
81
|
+
continue;
|
|
82
|
+
const content = getFileContent(cwd, file);
|
|
83
|
+
if (!content)
|
|
84
|
+
continue;
|
|
85
|
+
scannedFiles.push(file);
|
|
86
|
+
const hunks = getDiffHunks(cwd, base, file);
|
|
87
|
+
const findings = analyzeCode(content, language, undefined, file, cwd, rules);
|
|
88
|
+
for (const f of findings) {
|
|
89
|
+
const inDiff = isLineInDiff(f.line, hunks);
|
|
90
|
+
allFindings.push({ rule: f.rule, match: f.match, line: f.line, file, inDiff });
|
|
91
|
+
}
|
|
92
|
+
}
|
|
93
|
+
const reportFindings = diffOnly ? allFindings.filter(f => f.inDiff) : allFindings;
|
|
94
|
+
const critical = reportFindings.filter(f => f.rule.severity === "critical").length;
|
|
95
|
+
const high = reportFindings.filter(f => f.rule.severity === "high").length;
|
|
96
|
+
const medium = reportFindings.filter(f => f.rule.severity === "medium").length;
|
|
97
|
+
const total = reportFindings.length;
|
|
98
|
+
const failThresholds = { critical: 0, high: 1, medium: 2, low: 3 };
|
|
99
|
+
const failLevel = failThresholds[failOn] ?? -1;
|
|
100
|
+
const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
|
|
101
|
+
const blocked = failLevel >= 0 && reportFindings.some(f => (severityOrder[f.rule.severity] ?? 4) <= failLevel);
|
|
102
|
+
// --- ANNOTATIONS FORMAT (for GitHub Check Runs) ---
|
|
103
|
+
if (format === "annotations") {
|
|
104
|
+
const annotations = reportFindings.map(f => ({
|
|
105
|
+
path: f.file,
|
|
106
|
+
start_line: f.line,
|
|
107
|
+
end_line: f.line,
|
|
108
|
+
annotation_level: severityToLevel(f.rule.severity),
|
|
109
|
+
message: `${f.rule.description}\n\nFix: ${f.rule.fix}${f.rule.fixCode ? "\n\n" + f.rule.fixCode : ""}`,
|
|
110
|
+
title: `[${f.rule.severity.toUpperCase()}] ${f.rule.name} (${f.rule.id})`,
|
|
111
|
+
}));
|
|
112
|
+
return JSON.stringify(annotations);
|
|
113
|
+
}
|
|
114
|
+
// --- JSON FORMAT ---
|
|
115
|
+
if (format === "json") {
|
|
116
|
+
return JSON.stringify({
|
|
117
|
+
summary: {
|
|
118
|
+
total, critical, high, medium,
|
|
119
|
+
files: scannedFiles.length, changedFiles: changedFiles.length,
|
|
120
|
+
diffOnly, blocked, failOn, base,
|
|
121
|
+
},
|
|
122
|
+
findings: reportFindings.map(f => ({
|
|
123
|
+
id: f.rule.id, name: f.rule.name, severity: f.rule.severity,
|
|
124
|
+
owasp: f.rule.owasp, file: f.file, line: f.line, match: f.match,
|
|
125
|
+
inDiff: f.inDiff, fix: f.rule.fix, fixCode: f.rule.fixCode,
|
|
126
|
+
compliance: f.rule.compliance,
|
|
127
|
+
})),
|
|
128
|
+
});
|
|
129
|
+
}
|
|
130
|
+
// --- MARKDOWN FORMAT (for PR comment) ---
|
|
131
|
+
const existingFindings = diffOnly ? allFindings.filter(f => !f.inDiff) : [];
|
|
132
|
+
const lines = [
|
|
133
|
+
`## GuardVibe PR Security Review`,
|
|
134
|
+
``,
|
|
135
|
+
`**Base:** ${base} | **Files changed:** ${changedFiles.length} | **Scanned:** ${scannedFiles.length}`,
|
|
136
|
+
`**Mode:** ${diffOnly ? "diff-only (new code)" : "full file"}`,
|
|
137
|
+
``,
|
|
138
|
+
];
|
|
139
|
+
if (blocked) {
|
|
140
|
+
lines.push(`> **BLOCKED** — ${failOn}-severity or above findings detected.`, ``);
|
|
141
|
+
}
|
|
142
|
+
if (total === 0) {
|
|
143
|
+
lines.push(`**No security issues in ${diffOnly ? "changed lines" : "changed files"}.** All clear!`);
|
|
144
|
+
if (existingFindings.length > 0) {
|
|
145
|
+
lines.push(``, `*Note: ${existingFindings.length} pre-existing issue(s) in unchanged code.*`);
|
|
146
|
+
}
|
|
147
|
+
return lines.join("\n");
|
|
148
|
+
}
|
|
149
|
+
lines.push(`| Severity | Count |`, `|----------|-------|`);
|
|
150
|
+
if (critical > 0)
|
|
151
|
+
lines.push(`| Critical | ${critical} |`);
|
|
152
|
+
if (high > 0)
|
|
153
|
+
lines.push(`| High | ${high} |`);
|
|
154
|
+
if (medium > 0)
|
|
155
|
+
lines.push(`| Medium | ${medium} |`);
|
|
156
|
+
lines.push(``);
|
|
157
|
+
const byFile = new Map();
|
|
158
|
+
for (const f of reportFindings) {
|
|
159
|
+
const existing = byFile.get(f.file) ?? [];
|
|
160
|
+
existing.push(f);
|
|
161
|
+
byFile.set(f.file, existing);
|
|
162
|
+
}
|
|
163
|
+
for (const [file, findings] of byFile) {
|
|
164
|
+
lines.push(`### \`${file}\``, ``);
|
|
165
|
+
for (const f of findings) {
|
|
166
|
+
const badge = f.rule.severity.toUpperCase();
|
|
167
|
+
lines.push(`- **[${badge}]** ${f.rule.name} (${f.rule.id}) — line ${f.line}`, ` ${f.rule.fix}`);
|
|
168
|
+
if (f.rule.fixCode) {
|
|
169
|
+
lines.push(` \`\`\``, ` ${f.rule.fixCode.split("\n")[0]}`, ` \`\`\``);
|
|
170
|
+
}
|
|
171
|
+
lines.push(``);
|
|
172
|
+
}
|
|
173
|
+
}
|
|
174
|
+
if (existingFindings.length > 0) {
|
|
175
|
+
lines.push(`---`, ``, `*${existingFindings.length} pre-existing issue(s) in unchanged code (not shown).*`);
|
|
176
|
+
}
|
|
177
|
+
return lines.join("\n");
|
|
178
|
+
}
|
|
179
|
+
//# sourceMappingURL=review-pr.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"review-pr.js","sourceRoot":"","sources":["../../src/tools/review-pr.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,QAAQ,EAAE,MAAM,MAAM,CAAC;AACzC,OAAO,EAAE,WAAW,EAAgB,MAAM,iBAAiB,CAAC;AAG5D,MAAM,aAAa,GAA2B;IAC5C,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY;IACrF,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY;IACrF,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM;IAC7C,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO;IAC/C,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW;IACnD,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM;CACjC,CAAC;AAEF,MAAM,eAAe,GAA2B;IAC9C,aAAa,EAAE,eAAe;IAC9B,gBAAgB,EAAE,eAAe,EAAE,iBAAiB,EAAE,eAAe,EAAE,gBAAgB,EAAE,eAAe;IACxG,oBAAoB,EAAE,gBAAgB,EAAE,qBAAqB,EAAE,gBAAgB;CAChF,CAAC;AAwBF,SAAS,OAAO,CAAC,IAAc,EAAE,GAAW;IAC1C,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,eAAe,CAAC,GAAW,EAAE,IAAY;IAChD,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,MAAM,EAAE,aAAa,EAAE,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;IAC3D,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;AACnD,CAAC;AAED,SAAS,YAAY,CAAC,GAAW,EAAE,IAAY,EAAE,IAAY;IAC3D,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,IAAI,CAAC,EAAE,GAAG,CAAC,CAAC;IAC/D,MAAM,KAAK,GAAe,EAAE,CAAC;IAC7B,MAAM,WAAW,GAAG,+CAA+C,CAAC;IACpE,IAAI,KAAK,CAAC;IACV,OAAO,CAAC,KAAK,GAAG,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;QACnD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrC,MAAM,KAAK,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACpD,KAAK,CAAC,IAAI,CAAC,EAAE,SAAS,EAAE,KAAK,EAAE,SAAS,EAAE,KAAK,EAAE,CAAC,CAAC;IACrD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,cAAc,CAAC,GAAW,EAAE,IAAY;IAC/C,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,QAAQ,IAAI,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IACnG,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,YAAY,CAAC,IAAY,EAAE,KAAiB;IACnD,OAAO,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,IAAI,IAAI,CAAC,CAAC,SAAS,IAAI,IAAI,GAAG,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,SAAS,CAAC,CAAC;AAClF,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5C,IAAI,aAAa,CAAC,GAAG,CAAC;QAAE,OAAO,aAAa,CAAC,GAAG,CAAC,CAAC;IAClD,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,GAAG,KAAK,aAAa;QAAE,OAAO,YAAY,CAAC;IAC9F,OAAO,eAAe,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,IAAI,IAAI,CAAC;AACrD,CAAC;AAED,SAAS,eAAe,CAAC,QAAgB;IACvC,IAAI,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,SAAS,CAAC;IACrE,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAC5C,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,QAAQ,CACtB,MAAc,OAAO,CAAC,GAAG,EAAE,EAC3B,OAAe,MAAM,EACrB,SAA8C,UAAU,EACxD,WAAoB,IAAI,EACxB,SAA0D,MAAM,EAChE,KAAsB;IAEtB,MAAM,YAAY,GAAG,eAAe,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;IAChD,IAAI,YAAY,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC9B,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,KAAK,EAAE,CAAC,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;QAChG,IAAI,MAAM,KAAK,aAAa;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC;QACxD,OAAO,kDAAkD,CAAC;IAC5D,CAAC;IAED,MAAM,WAAW,GAAgB,EAAE,CAAC;IACpC,MAAM,YAAY,GAAa,EAAE,CAAC;IAElC,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;QAChC,MAAM,QAAQ,GAAG,cAAc,CAAC,IAAI,CAAC,CAAC;QACtC,IAAI,CAAC,QAAQ;YAAE,SAAS;QAExB,MAAM,OAAO,GAAG,cAAc,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;QAC1C,IAAI,CAAC,OAAO;YAAE,SAAS;QAEvB,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxB,MAAM,KAAK,GAAG,YAAY,CAAC,GAAG,EAAE,IAAI,EAAE,IAAI,CAAC,CAAC;QAC5C,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,EAAE,KAAK,CAAC,CAAC;QAE7E,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,MAAM,GAAG,YAAY,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;YAC3C,WAAW,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;QACjF,CAAC;IACH,CAAC;IAED,MAAM,cAAc,GAAG,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,WAAW,CAAC;IAElF,MAAM,QAAQ,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IACnF,MAAM,IAAI,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAC3E,MAAM,MAAM,GAAG,cAAc,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IAC/E,MAAM,KAAK,GAAG,cAAc,CAAC,MAAM,CAAC;IAEpC,MAAM,cAAc,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,CAAC;IAC3F,MAAM,SAAS,GAAG,cAAc,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC;IAC/C,MAAM,aAAa,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IACnG,MAAM,OAAO,GAAG,SAAS,IAAI,CAAC,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,aAAa,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC;IAE/G,qDAAqD;IACrD,IAAI,MAAM,KAAK,aAAa,EAAE,CAAC;QAC7B,MAAM,WAAW,GAAuB,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC/D,IAAI,EAAE,CAAC,CAAC,IAAI;YACZ,UAAU,EAAE,CAAC,CAAC,IAAI;YAClB,QAAQ,EAAE,CAAC,CAAC,IAAI;YAChB,gBAAgB,EAAE,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC;YAClD,OAAO,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,WAAW,YAAY,CAAC,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,EAAE,EAAE;YACtG,KAAK,EAAE,IAAI,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,GAAG;SAC1E,CAAC,CAAC,CAAC;QACJ,OAAO,IAAI,CAAC,SAAS,CAAC,WAAW,CAAC,CAAC;IACrC,CAAC;IAED,sBAAsB;IACtB,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC;YACpB,OAAO,EAAE;gBACP,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM;gBAC7B,KAAK,EAAE,YAAY,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC,MAAM;gBAC7D,QAAQ,EAAE,OAAO,EAAE,MAAM,EAAE,IAAI;aAChC;YACD,QAAQ,EAAE,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBACjC,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ;gBAC3D,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK;gBAC/D,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO;gBAC1D,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU;aAC9B,CAAC,CAAC;SACJ,CAAC,CAAC;IACL,CAAC;IAED,2CAA2C;IAC3C,MAAM,gBAAgB,GAAG,QAAQ,CAAC,CAAC,CAAC,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAE5E,MAAM,KAAK,GAAa;QACtB,iCAAiC;QACjC,EAAE;QACF,aAAa,IAAI,yBAAyB,YAAY,CAAC,MAAM,mBAAmB,YAAY,CAAC,MAAM,EAAE;QACrG,aAAa,QAAQ,CAAC,CAAC,CAAC,sBAAsB,CAAC,CAAC,CAAC,WAAW,EAAE;QAC9D,EAAE;KACH,CAAC;IAEF,IAAI,OAAO,EAAE,CAAC;QACZ,KAAK,CAAC,IAAI,CAAC,mBAAmB,MAAM,uCAAuC,EAAE,EAAE,CAAC,CAAC;IACnF,CAAC;IAED,IAAI,KAAK,KAAK,CAAC,EAAE,CAAC;QAChB,KAAK,CAAC,IAAI,CAAC,2BAA2B,QAAQ,CAAC,CAAC,CAAC,eAAe,CAAC,CAAC,CAAC,eAAe,gBAAgB,CAAC,CAAC;QACpG,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAChC,KAAK,CAAC,IAAI,CAAC,EAAE,EAAE,UAAU,gBAAgB,CAAC,MAAM,4CAA4C,CAAC,CAAC;QAChG,CAAC;QACD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,KAAK,CAAC,IAAI,CAAC,sBAAsB,EAAE,sBAAsB,CAAC,CAAC;IAC3D,IAAI,QAAQ,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,gBAAgB,QAAQ,IAAI,CAAC,CAAC;IAC3D,IAAI,IAAI,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,YAAY,IAAI,IAAI,CAAC,CAAC;IAC/C,IAAI,MAAM,GAAG,CAAC;QAAE,KAAK,CAAC,IAAI,CAAC,cAAc,MAAM,IAAI,CAAC,CAAC;IACrD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAEf,MAAM,MAAM,GAAG,IAAI,GAAG,EAAuB,CAAC;IAC9C,KAAK,MAAM,CAAC,IAAI,cAAc,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC;QAC1C,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,MAAM,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,QAAQ,CAAC,CAAC;IAC/B,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,EAAE,QAAQ,CAAC,IAAI,MAAM,EAAE,CAAC;QACtC,KAAK,CAAC,IAAI,CAAC,SAAS,IAAI,IAAI,EAAE,EAAE,CAAC,CAAC;QAClC,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;YACzB,MAAM,KAAK,GAAG,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;YAC5C,KAAK,CAAC,IAAI,CACR,QAAQ,KAAK,OAAO,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,EAAE,YAAY,CAAC,CAAC,IAAI,EAAE,EACjE,KAAK,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,CAClB,CAAC;YACF,IAAI,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,CAAC;gBACnB,KAAK,CAAC,IAAI,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC;YAC3E,CAAC;YACD,KAAK,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,IAAI,gBAAgB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAChC,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,EAAE,EAAE,IAAI,gBAAgB,CAAC,MAAM,wDAAwD,CAAC,CAAC;IAC7G,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
import { type SecretFinding } from "./scan-secrets.js";
|
|
2
|
+
export interface HistorySecretFinding extends SecretFinding {
|
|
3
|
+
commit: string;
|
|
4
|
+
commitDate: string;
|
|
5
|
+
author: string;
|
|
6
|
+
status: "active" | "removed";
|
|
7
|
+
}
|
|
8
|
+
export declare function scanSecretsHistory(path: string, maxCommits?: number, format?: "markdown" | "json"): string;
|
|
9
|
+
//# sourceMappingURL=scan-secrets-history.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scan-secrets-history.d.ts","sourceRoot":"","sources":["../../src/tools/scan-secrets-history.ts"],"names":[],"mappings":"AAEA,OAAO,EAAe,KAAK,aAAa,EAAE,MAAM,mBAAmB,CAAC;AAEpE,MAAM,WAAW,oBAAqB,SAAQ,aAAa;IACzD,MAAM,EAAE,MAAM,CAAC;IACf,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,QAAQ,GAAG,SAAS,CAAC;CAC9B;AAsDD,wBAAgB,kBAAkB,CAChC,IAAI,EAAE,MAAM,EACZ,UAAU,GAAE,MAAY,EACxB,MAAM,GAAE,UAAU,GAAG,MAAmB,GACvC,MAAM,CAoHR"}
|
|
@@ -0,0 +1,142 @@
|
|
|
1
|
+
import { execFileSync } from "child_process";
|
|
2
|
+
import { resolve } from "path";
|
|
3
|
+
import { scanContent } from "./scan-secrets.js";
|
|
4
|
+
function execGit(args, cwd) {
|
|
5
|
+
try {
|
|
6
|
+
return execFileSync("git", args, { cwd, encoding: "utf-8", timeout: 30000 });
|
|
7
|
+
}
|
|
8
|
+
catch {
|
|
9
|
+
return "";
|
|
10
|
+
}
|
|
11
|
+
}
|
|
12
|
+
function getCommitList(cwd, maxCommits) {
|
|
13
|
+
const output = execGit(["log", `--max-count=${maxCommits}`, "--format=%H|||%aI|||%an", "--all"], cwd);
|
|
14
|
+
return output.trim().split("\n").filter(Boolean).map(line => {
|
|
15
|
+
const [hash, date, author] = line.split("|||");
|
|
16
|
+
return { hash, date, author };
|
|
17
|
+
});
|
|
18
|
+
}
|
|
19
|
+
function getCommitDiff(cwd, commitHash) {
|
|
20
|
+
return execGit(["diff-tree", "--no-commit-id", "-r", "--diff-filter=ACMR", "--name-only", commitHash], cwd);
|
|
21
|
+
}
|
|
22
|
+
function getFileAtCommit(cwd, commitHash, filePath) {
|
|
23
|
+
try {
|
|
24
|
+
return execFileSync("git", ["show", `${commitHash}:${filePath}`], {
|
|
25
|
+
cwd, encoding: "utf-8", timeout: 10000,
|
|
26
|
+
});
|
|
27
|
+
}
|
|
28
|
+
catch {
|
|
29
|
+
return null;
|
|
30
|
+
}
|
|
31
|
+
}
|
|
32
|
+
function fileExistsAtHead(cwd, filePath) {
|
|
33
|
+
const result = execGit(["cat-file", "-e", `HEAD:${filePath}`], cwd);
|
|
34
|
+
// cat-file -e returns empty on success, error message on failure
|
|
35
|
+
return result === "";
|
|
36
|
+
}
|
|
37
|
+
function getFileAtHead(cwd, filePath) {
|
|
38
|
+
try {
|
|
39
|
+
return execFileSync("git", ["show", `HEAD:${filePath}`], {
|
|
40
|
+
cwd, encoding: "utf-8", timeout: 10000,
|
|
41
|
+
});
|
|
42
|
+
}
|
|
43
|
+
catch {
|
|
44
|
+
return null;
|
|
45
|
+
}
|
|
46
|
+
}
|
|
47
|
+
export function scanSecretsHistory(path, maxCommits = 100, format = "markdown") {
|
|
48
|
+
const cwd = resolve(path);
|
|
49
|
+
const commits = getCommitList(cwd, maxCommits);
|
|
50
|
+
if (commits.length === 0) {
|
|
51
|
+
if (format === "json")
|
|
52
|
+
return JSON.stringify({ summary: { total: 0, commits: 0 }, findings: [] });
|
|
53
|
+
return "# GuardVibe Git History Secret Scan\n\nNo git history found.";
|
|
54
|
+
}
|
|
55
|
+
const allFindings = [];
|
|
56
|
+
const seenKeys = new Set();
|
|
57
|
+
// Scan secrets introduced in each commit's changed files
|
|
58
|
+
for (const commit of commits) {
|
|
59
|
+
const changedFiles = getCommitDiff(cwd, commit.hash).trim().split("\n").filter(Boolean);
|
|
60
|
+
for (const file of changedFiles) {
|
|
61
|
+
// Only scan files likely to contain secrets
|
|
62
|
+
if (/\.(png|jpg|gif|ico|woff|ttf|eot|svg|mp4|webm|zip|tar|gz|lock)$/i.test(file))
|
|
63
|
+
continue;
|
|
64
|
+
const content = getFileAtCommit(cwd, commit.hash, file);
|
|
65
|
+
if (!content || content.length > 500_000)
|
|
66
|
+
continue;
|
|
67
|
+
const findings = scanContent(content, file);
|
|
68
|
+
for (const f of findings) {
|
|
69
|
+
const key = `${f.provider}:${file}:${f.match}`;
|
|
70
|
+
if (seenKeys.has(key))
|
|
71
|
+
continue;
|
|
72
|
+
seenKeys.add(key);
|
|
73
|
+
// Check if this secret still exists at HEAD
|
|
74
|
+
const headContent = getFileAtHead(cwd, file);
|
|
75
|
+
const stillPresent = headContent ? headContent.includes(f.match.replace("...", "")) : false;
|
|
76
|
+
allFindings.push({
|
|
77
|
+
...f,
|
|
78
|
+
commit: commit.hash.substring(0, 8),
|
|
79
|
+
commitDate: commit.date,
|
|
80
|
+
author: commit.author,
|
|
81
|
+
status: stillPresent ? "active" : "removed",
|
|
82
|
+
});
|
|
83
|
+
}
|
|
84
|
+
}
|
|
85
|
+
}
|
|
86
|
+
// Sort: active first, then by severity
|
|
87
|
+
const severityOrder = { critical: 0, high: 1, medium: 2 };
|
|
88
|
+
allFindings.sort((a, b) => {
|
|
89
|
+
if (a.status !== b.status)
|
|
90
|
+
return a.status === "active" ? -1 : 1;
|
|
91
|
+
return (severityOrder[a.severity] ?? 3) - (severityOrder[b.severity] ?? 3);
|
|
92
|
+
});
|
|
93
|
+
const activeCount = allFindings.filter(f => f.status === "active").length;
|
|
94
|
+
const removedCount = allFindings.filter(f => f.status === "removed").length;
|
|
95
|
+
if (format === "json") {
|
|
96
|
+
return JSON.stringify({
|
|
97
|
+
summary: {
|
|
98
|
+
total: allFindings.length,
|
|
99
|
+
active: activeCount,
|
|
100
|
+
removed: removedCount,
|
|
101
|
+
commitsScanned: commits.length,
|
|
102
|
+
critical: allFindings.filter(f => f.severity === "critical").length,
|
|
103
|
+
high: allFindings.filter(f => f.severity === "high").length,
|
|
104
|
+
},
|
|
105
|
+
findings: allFindings.map(f => ({
|
|
106
|
+
provider: f.provider, severity: f.severity, file: f.file,
|
|
107
|
+
line: f.line, match: f.match, fix: f.fix,
|
|
108
|
+
commit: f.commit, commitDate: f.commitDate, author: f.author,
|
|
109
|
+
status: f.status,
|
|
110
|
+
})),
|
|
111
|
+
});
|
|
112
|
+
}
|
|
113
|
+
const lines = [
|
|
114
|
+
`# GuardVibe Git History Secret Scan`,
|
|
115
|
+
``,
|
|
116
|
+
`Commits scanned: ${commits.length}`,
|
|
117
|
+
`Secrets found: ${allFindings.length}`,
|
|
118
|
+
`Active (still in code): ${activeCount}`,
|
|
119
|
+
`Removed (in git history only): ${removedCount}`,
|
|
120
|
+
``,
|
|
121
|
+
];
|
|
122
|
+
if (allFindings.length === 0) {
|
|
123
|
+
lines.push(`No secrets found in git history. Clean!`);
|
|
124
|
+
return lines.join("\n");
|
|
125
|
+
}
|
|
126
|
+
if (activeCount > 0) {
|
|
127
|
+
lines.push(`## Active Secrets (URGENT — still in codebase)`, ``);
|
|
128
|
+
for (const f of allFindings.filter(f => f.status === "active")) {
|
|
129
|
+
lines.push(`### [${f.severity.toUpperCase()}] ${f.provider}`, `**File:** ${f.file}:${f.line}`, `**Match:** \`${f.match}\``, `**Introduced:** ${f.commit} (${f.commitDate.split("T")[0]}) by ${f.author}`, `**Fix:** ${f.fix}`, ``);
|
|
130
|
+
}
|
|
131
|
+
}
|
|
132
|
+
if (removedCount > 0) {
|
|
133
|
+
lines.push(`## Removed Secrets (still in git history — rotate these!)`, ``);
|
|
134
|
+
lines.push(`> These secrets were removed from the codebase but remain in git history.`);
|
|
135
|
+
lines.push(`> Anyone with repo access can find them. **Rotate all of these immediately.**`, ``);
|
|
136
|
+
for (const f of allFindings.filter(f => f.status === "removed")) {
|
|
137
|
+
lines.push(`- **[${f.severity.toUpperCase()}] ${f.provider}** in \`${f.file}\` — commit ${f.commit} (${f.commitDate.split("T")[0]})`, ` Match: \`${f.match}\` | Fix: ${f.fix}`, ``);
|
|
138
|
+
}
|
|
139
|
+
}
|
|
140
|
+
return lines.join("\n");
|
|
141
|
+
}
|
|
142
|
+
//# sourceMappingURL=scan-secrets-history.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"scan-secrets-history.js","sourceRoot":"","sources":["../../src/tools/scan-secrets-history.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AAC/B,OAAO,EAAE,WAAW,EAAsB,MAAM,mBAAmB,CAAC;AAepE,SAAS,OAAO,CAAC,IAAc,EAAE,GAAW;IAC1C,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,KAAK,EAAE,IAAI,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,CAAC,CAAC;IAC/E,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED,SAAS,aAAa,CAAC,GAAW,EAAE,UAAkB;IACpD,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,KAAK,EAAE,eAAe,UAAU,EAAE,EAAE,yBAAyB,EAAE,OAAO,CAAC,EAAE,GAAG,CAAC,CAAC;IACtG,OAAO,MAAM,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE;QAC1D,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,MAAM,CAAC,GAAG,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;QAC/C,OAAO,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;IAChC,CAAC,CAAC,CAAC;AACL,CAAC;AAED,SAAS,aAAa,CAAC,GAAW,EAAE,UAAkB;IACpD,OAAO,OAAO,CAAC,CAAC,WAAW,EAAE,gBAAgB,EAAE,IAAI,EAAE,oBAAoB,EAAE,aAAa,EAAE,UAAU,CAAC,EAAE,GAAG,CAAC,CAAC;AAC9G,CAAC;AAED,SAAS,eAAe,CAAC,GAAW,EAAE,UAAkB,EAAE,QAAgB;IACxE,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,GAAG,UAAU,IAAI,QAAQ,EAAE,CAAC,EAAE;YAChE,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK;SACvC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW,EAAE,QAAgB;IACrD,MAAM,MAAM,GAAG,OAAO,CAAC,CAAC,UAAU,EAAE,IAAI,EAAE,QAAQ,QAAQ,EAAE,CAAC,EAAE,GAAG,CAAC,CAAC;IACpE,iEAAiE;IACjE,OAAO,MAAM,KAAK,EAAE,CAAC;AACvB,CAAC;AAED,SAAS,aAAa,CAAC,GAAW,EAAE,QAAgB;IAClD,IAAI,CAAC;QACH,OAAO,YAAY,CAAC,KAAK,EAAE,CAAC,MAAM,EAAE,QAAQ,QAAQ,EAAE,CAAC,EAAE;YACvD,GAAG,EAAE,QAAQ,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK;SACvC,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC;IACd,CAAC;AACH,CAAC;AAED,MAAM,UAAU,kBAAkB,CAChC,IAAY,EACZ,aAAqB,GAAG,EACxB,SAA8B,UAAU;IAExC,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC1B,MAAM,OAAO,GAAG,aAAa,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IAE/C,IAAI,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzB,IAAI,MAAM,KAAK,MAAM;YAAE,OAAO,IAAI,CAAC,SAAS,CAAC,EAAE,OAAO,EAAE,EAAE,KAAK,EAAE,CAAC,EAAE,OAAO,EAAE,CAAC,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,CAAC,CAAC;QAClG,OAAO,8DAA8D,CAAC;IACxE,CAAC;IAED,MAAM,WAAW,GAA2B,EAAE,CAAC;IAC/C,MAAM,QAAQ,GAAG,IAAI,GAAG,EAAU,CAAC;IAEnC,yDAAyD;IACzD,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;QAC7B,MAAM,YAAY,GAAG,aAAa,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAExF,KAAK,MAAM,IAAI,IAAI,YAAY,EAAE,CAAC;YAChC,4CAA4C;YAC5C,IAAI,iEAAiE,CAAC,IAAI,CAAC,IAAI,CAAC;gBAAE,SAAS;YAE3F,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,CAAC,CAAC;YACxD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,GAAG,OAAO;gBAAE,SAAS;YAEnD,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,IAAI,CAAC,CAAC;YAC5C,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,MAAM,GAAG,GAAG,GAAG,CAAC,CAAC,QAAQ,IAAI,IAAI,IAAI,CAAC,CAAC,KAAK,EAAE,CAAC;gBAC/C,IAAI,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC;oBAAE,SAAS;gBAChC,QAAQ,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;gBAElB,4CAA4C;gBAC5C,MAAM,WAAW,GAAG,aAAa,CAAC,GAAG,EAAE,IAAI,CAAC,CAAC;gBAC7C,MAAM,YAAY,GAAG,WAAW,CAAC,CAAC,CAAC,WAAW,CAAC,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;gBAE5F,WAAW,CAAC,IAAI,CAAC;oBACf,GAAG,CAAC;oBACJ,MAAM,EAAE,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC;oBACnC,UAAU,EAAE,MAAM,CAAC,IAAI;oBACvB,MAAM,EAAE,MAAM,CAAC,MAAM;oBACrB,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;iBAC5C,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IACH,CAAC;IAED,uCAAuC;IACvC,MAAM,aAAa,GAA2B,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;IAClF,WAAW,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE;QACxB,IAAI,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,MAAM;YAAE,OAAO,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QACjE,OAAO,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,aAAa,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;IAC7E,CAAC,CAAC,CAAC;IAEH,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IAC1E,MAAM,YAAY,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,CAAC,MAAM,CAAC;IAE5E,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,IAAI,CAAC,SAAS,CAAC;YACpB,OAAO,EAAE;gBACP,KAAK,EAAE,WAAW,CAAC,MAAM;gBACzB,MAAM,EAAE,WAAW;gBACnB,OAAO,EAAE,YAAY;gBACrB,cAAc,EAAE,OAAO,CAAC,MAAM;gBAC9B,QAAQ,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM;gBACnE,IAAI,EAAE,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM;aAC5D;YACD,QAAQ,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;gBAC9B,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,QAAQ,EAAE,CAAC,CAAC,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI;gBACxD,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,CAAC,CAAC,GAAG;gBACxC,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE,UAAU,EAAE,CAAC,CAAC,UAAU,EAAE,MAAM,EAAE,CAAC,CAAC,MAAM;gBAC5D,MAAM,EAAE,CAAC,CAAC,MAAM;aACjB,CAAC,CAAC;SACJ,CAAC,CAAC;IACL,CAAC;IAED,MAAM,KAAK,GAAa;QACtB,qCAAqC;QACrC,EAAE;QACF,oBAAoB,OAAO,CAAC,MAAM,EAAE;QACpC,kBAAkB,WAAW,CAAC,MAAM,EAAE;QACtC,2BAA2B,WAAW,EAAE;QACxC,kCAAkC,YAAY,EAAE;QAChD,EAAE;KACH,CAAC;IAEF,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,KAAK,CAAC,IAAI,CAAC,yCAAyC,CAAC,CAAC;QACtD,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAED,IAAI,WAAW,GAAG,CAAC,EAAE,CAAC;QACpB,KAAK,CAAC,IAAI,CAAC,gDAAgD,EAAE,EAAE,CAAC,CAAC;QACjE,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,QAAQ,CAAC,EAAE,CAAC;YAC/D,KAAK,CAAC,IAAI,CACR,QAAQ,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,QAAQ,EAAE,EACjD,aAAa,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,EAC/B,gBAAgB,CAAC,CAAC,KAAK,IAAI,EAC3B,mBAAmB,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,MAAM,EAAE,EAC5E,YAAY,CAAC,CAAC,GAAG,EAAE,EACnB,EAAE,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;QACrB,KAAK,CAAC,IAAI,CAAC,2DAA2D,EAAE,EAAE,CAAC,CAAC;QAC5E,KAAK,CAAC,IAAI,CAAC,2EAA2E,CAAC,CAAC;QACxF,KAAK,CAAC,IAAI,CAAC,+EAA+E,EAAE,EAAE,CAAC,CAAC;QAChG,KAAK,MAAM,CAAC,IAAI,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,SAAS,CAAC,EAAE,CAAC;YAChE,KAAK,CAAC,IAAI,CACR,QAAQ,CAAC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,CAAC,CAAC,QAAQ,WAAW,CAAC,CAAC,IAAI,eAAe,CAAC,CAAC,MAAM,KAAK,CAAC,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,EACzH,cAAc,CAAC,CAAC,KAAK,aAAa,CAAC,CAAC,GAAG,EAAE,EACzC,EAAE,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Basic taint analysis — tracks user input flowing into dangerous sinks.
|
|
3
|
+
* Not a full AST/CFG analysis, but follows variable assignments through lines.
|
|
4
|
+
*/
|
|
5
|
+
export interface TaintFinding {
|
|
6
|
+
source: {
|
|
7
|
+
type: string;
|
|
8
|
+
line: number;
|
|
9
|
+
variable: string;
|
|
10
|
+
};
|
|
11
|
+
sink: {
|
|
12
|
+
type: string;
|
|
13
|
+
line: number;
|
|
14
|
+
code: string;
|
|
15
|
+
};
|
|
16
|
+
chain: string[];
|
|
17
|
+
severity: "critical" | "high" | "medium";
|
|
18
|
+
description: string;
|
|
19
|
+
fix: string;
|
|
20
|
+
}
|
|
21
|
+
export declare function analyzeTaint(code: string, language: string): TaintFinding[];
|
|
22
|
+
export declare function formatTaintFindings(findings: TaintFinding[], format: "markdown" | "json"): string;
|
|
23
|
+
//# sourceMappingURL=taint-analysis.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"taint-analysis.d.ts","sourceRoot":"","sources":["../../src/tools/taint-analysis.ts"],"names":[],"mappings":"AACA;;;GAGG;AAEH,MAAM,WAAW,YAAY;IAC3B,MAAM,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE,CAAC;IACzD,IAAI,EAAE;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC;IACnD,KAAK,EAAE,MAAM,EAAE,CAAC;IAChB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,WAAW,EAAE,MAAM,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;CACb;AAqGD,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,EAAE,QAAQ,EAAE,MAAM,GAAG,YAAY,EAAE,CAsE3E;AAED,wBAAgB,mBAAmB,CAAC,QAAQ,EAAE,YAAY,EAAE,EAAE,MAAM,EAAE,UAAU,GAAG,MAAM,GAAG,MAAM,CAyCjG"}
|