kramscan 0.1.0

package/dist/commands/scan.js

@@ -0,0 +1,125 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.registerScanCommand = registerScanCommand;
+const chalk_1 = __importDefault(require("chalk"));
+const scanner_1 = require("../core/scanner");
+const logger_1 = require("../utils/logger");
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+const os_1 = __importDefault(require("os"));
+function registerScanCommand(program) {
+    program
+        .command("scan <url>")
+        .description("Scan a target URL for vulnerabilities")
+        .option("-d, --depth <number>", "Crawl depth", "2")
+        .option("-t, --timeout <ms>", "Request timeout", "30000")
+        .option("-o, --output <file>", "Save results to file")
+        .option("--headless", "Run in headless mode", true)
+        .action(async (url, options) => {
+        console.log("");
+        console.log(chalk_1.default.bold.cyan("🔍 Starting Security Scan"));
+        console.log(chalk_1.default.gray("─".repeat(50)));
+        console.log("");
+        // Validate URL
+        try {
+            new URL(url);
+        }
+        catch (error) {
+            logger_1.logger.error(`Invalid URL: ${url}`);
+            process.exit(1);
+        }
+        const spinner = logger_1.logger.spinner("Initializing scanner...");
+        try {
+            const scanner = new scanner_1.Scanner();
+            spinner.text = `Scanning ${url}...`;
+            const result = await scanner.scan(url, {
+                depth: parseInt(options.depth),
+                timeout: parseInt(options.timeout),
+                headless: options.headless,
+            });
+            spinner.succeed("Scan complete!");
+            // Save results
+            const scanDir = path_1.default.join(os_1.default.homedir(), ".kramscan", "scans");
+            await promises_1.default.mkdir(scanDir, { recursive: true });
+            const timestamp = new Date().toISOString().replace(/[:.]/g, "-");
+            const filename = options.output || `scan-${timestamp}.json`;
+            const filepath = path_1.default.isAbsolute(filename)
+                ? filename
+                : path_1.default.join(scanDir, filename);
+            await promises_1.default.writeFile(filepath, JSON.stringify(result, null, 2));
+            // Display summary
+            console.log("");
+            console.log(chalk_1.default.bold("📊 Scan Summary"));
+            console.log(chalk_1.default.gray("─".repeat(50)));
+            console.log("");
+            console.log(chalk_1.default.white("Target:"), chalk_1.default.cyan(result.target));
+            console.log(chalk_1.default.white("Duration:"), chalk_1.default.cyan(`${(result.duration / 1000).toFixed(2)}s`));
+            console.log(chalk_1.default.white("URLs Crawled:"), chalk_1.default.cyan(result.metadata.crawledUrls));
+            console.log(chalk_1.default.white("Forms Tested:"), chalk_1.default.cyan(result.metadata.testedForms));
+            console.log(chalk_1.default.white("Requests Made:"), chalk_1.default.cyan(result.metadata.requestsMade));
+            console.log("");
+            // Vulnerability summary
+            console.log(chalk_1.default.bold("🛡️  Vulnerabilities Found"));
+            console.log(chalk_1.default.gray("─".repeat(50)));
+            console.log("");
+            const { summary } = result;
+            if (summary.total === 0) {
+                console.log(chalk_1.default.green("✓ No vulnerabilities found!"));
+            }
+            else {
+                if (summary.critical > 0)
+                    console.log(chalk_1.default.red(`  ${summary.critical} Critical`), chalk_1.default.gray("- Immediate action required"));
+                if (summary.high > 0)
+                    console.log(chalk_1.default.red(`  ${summary.high} High`), chalk_1.default.gray("- Should be fixed soon"));
+                if (summary.medium > 0)
+                    console.log(chalk_1.default.yellow(`  ${summary.medium} Medium`), chalk_1.default.gray("- Fix when possible"));
+                if (summary.low > 0)
+                    console.log(chalk_1.default.blue(`  ${summary.low} Low`), chalk_1.default.gray("- Minor issues"));
+                if (summary.info > 0)
+                    console.log(chalk_1.default.gray(`  ${summary.info} Info`), chalk_1.default.gray("- Informational"));
+            }
+            console.log("");
+            console.log(chalk_1.default.gray("Results saved to:"), chalk_1.default.white(filepath));
+            console.log("");
+            // Show top vulnerabilities
+            if (result.vulnerabilities.length > 0) {
+                console.log(chalk_1.default.bold("🔴 Top Findings"));
+                console.log(chalk_1.default.gray("─".repeat(50)));
+                console.log("");
+                const topVulns = result.vulnerabilities
+                    .sort((a, b) => {
+                    const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+                    return severityOrder[a.severity] - severityOrder[b.severity];
+                })
+                    .slice(0, 5);
+                for (const vuln of topVulns) {
+                    const severityColor = vuln.severity === "critical" || vuln.severity === "high"
+                        ? chalk_1.default.red
+                        : vuln.severity === "medium"
+                            ? chalk_1.default.yellow
+                            : chalk_1.default.blue;
+                    console.log(severityColor(`[${vuln.severity.toUpperCase()}]`), chalk_1.default.bold(vuln.title));
+                    console.log(chalk_1.default.gray(`  ${vuln.url}`));
+                    console.log(chalk_1.default.white(`  ${vuln.description}`));
+                    console.log("");
+                }
+                if (result.vulnerabilities.length > 5) {
+                    console.log(chalk_1.default.gray(`  ... and ${result.vulnerabilities.length - 5} more`));
+                    console.log("");
+                }
+            }
+            console.log(chalk_1.default.cyan("💡 Next steps:"));
+            console.log(chalk_1.default.white(`  1. Run ${chalk_1.default.cyan(`kramscan analyze ${filepath}`)} for AI-powered insights`));
+            console.log(chalk_1.default.white(`  2. Run ${chalk_1.default.cyan(`kramscan report ${filepath}`)} to generate a report`));
+            console.log("");
+        }
+        catch (error) {
+            spinner.fail("Scan failed");
+            logger_1.logger.error(error.message);
+            process.exit(1);
+        }
+    });
+}

package/dist/core/ai-client.d.ts

@@ -0,0 +1,12 @@
+export interface AIResponse {
+    content: string;
+    usage?: {
+        promptTokens: number;
+        completionTokens: number;
+        totalTokens: number;
+    };
+}
+export interface AIClient {
+    analyze(prompt: string): Promise<AIResponse>;
+}
+export declare function createAIClient(): AIClient;

package/dist/core/ai-client.js

@@ -0,0 +1,89 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createAIClient = createAIClient;
+const openai_1 = __importDefault(require("openai"));
+const sdk_1 = __importDefault(require("@anthropic-ai/sdk"));
+const config_1 = require("./config");
+class OpenAIClient {
+    client;
+    model;
+    constructor(apiKey, model) {
+        this.client = new openai_1.default({ apiKey });
+        this.model = model;
+    }
+    async analyze(prompt) {
+        const response = await this.client.chat.completions.create({
+            model: this.model,
+            messages: [
+                {
+                    role: "system",
+                    content: "You are a security expert analyzing web application vulnerabilities. Provide detailed, actionable insights.",
+                },
+                { role: "user", content: prompt },
+            ],
+            temperature: 0.3,
+        });
+        const content = response.choices[0]?.message?.content || "";
+        return {
+            content,
+            usage: {
+                promptTokens: response.usage?.prompt_tokens || 0,
+                completionTokens: response.usage?.completion_tokens || 0,
+                totalTokens: response.usage?.total_tokens || 0,
+            },
+        };
+    }
+}
+class AnthropicClient {
+    client;
+    model;
+    constructor(apiKey, model) {
+        this.client = new sdk_1.default({ apiKey });
+        this.model = model;
+    }
+    async analyze(prompt) {
+        const response = await this.client.messages.create({
+            model: this.model,
+            max_tokens: 4096,
+            messages: [
+                {
+                    role: "user",
+                    content: prompt,
+                },
+            ],
+            system: "You are a security expert analyzing web application vulnerabilities. Provide detailed, actionable insights.",
+        });
+        const content = response.content[0]?.type === "text" ? response.content[0].text : "";
+        return {
+            content,
+            usage: {
+                promptTokens: response.usage.input_tokens,
+                completionTokens: response.usage.output_tokens,
+                totalTokens: response.usage.input_tokens + response.usage.output_tokens,
+            },
+        };
+    }
+}
+function createAIClient() {
+    const config = (0, config_1.getConfig)();
+    if (!config.ai.enabled) {
+        throw new Error("AI analysis is not enabled. Run 'kramscan onboard' first.");
+    }
+    const provider = config.ai.provider;
+    const apiKey = config.ai.apiKey;
+    const model = config.ai.defaultModel;
+    if (!apiKey) {
+        throw new Error(`No API key configured for ${provider}. Run 'kramscan onboard' to set it up.`);
+    }
+    switch (provider) {
+        case "openai":
+            return new OpenAIClient(apiKey, model);
+        case "anthropic":
+            return new AnthropicClient(apiKey, model);
+        default:
+            throw new Error(`Unsupported AI provider: ${provider}`);
+    }
+}

package/dist/core/config.d.ts

@@ -0,0 +1,45 @@
+export type AiProviderName = "openai" | "anthropic";
+export type ReportFormat = "word" | "txt" | "json";
+export interface Config {
+    ai: {
+        provider: AiProviderName;
+        apiKey: string;
+        defaultModel: string;
+        enabled: boolean;
+    };
+    scan: {
+        defaultTimeout: number;
+        maxThreads: number;
+        userAgent: string;
+        followRedirects: boolean;
+        verifySSL: boolean;
+        rateLimitPerSecond: number;
+        strictScope: boolean;
+    };
+    report: {
+        defaultFormat: ReportFormat;
+        companyName: string;
+        includeScreenshots: boolean;
+        severityThreshold: "info" | "low" | "medium" | "high" | "critical";
+    };
+    skills: Record<string, {
+        enabled: boolean;
+        timeout?: number;
+    }>;
+    proxy?: string;
+}
+declare class ConfigStore {
+    private configPath;
+    private data;
+    constructor(projectName: string, defaultConfig: Config);
+    get store(): Config;
+    get(key: string): unknown;
+    set(key: string, value: unknown): void;
+    private save;
+}
+export declare function getConfigStore(): ConfigStore;
+export declare function getConfig(): Config;
+export declare function getConfigValue(key: string): unknown;
+export declare function setConfigValue(key: string, value: unknown): void;
+export declare function setConfig(config: Config): void;
+export {};

package/dist/core/config.js

@@ -0,0 +1,146 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.getConfigStore = getConfigStore;
+exports.getConfig = getConfig;
+exports.getConfigValue = getConfigValue;
+exports.setConfigValue = setConfigValue;
+exports.setConfig = setConfig;
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+const os = __importStar(require("os"));
+const defaults = {
+    ai: {
+        provider: "openai",
+        apiKey: "",
+        defaultModel: "gpt-4",
+        enabled: false,
+    },
+    scan: {
+        defaultTimeout: 60,
+        maxThreads: 5,
+        userAgent: "KramScan/0.1.0",
+        followRedirects: true,
+        verifySSL: true,
+        rateLimitPerSecond: 5,
+        strictScope: true
+    },
+    report: {
+        defaultFormat: "word",
+        companyName: "Your Company",
+        includeScreenshots: false,
+        severityThreshold: "low"
+    },
+    skills: {
+        sqli: { enabled: true, timeout: 120 },
+        xss: { enabled: true, timeout: 90 },
+        headers: { enabled: true },
+        csrf: { enabled: true },
+        idor: { enabled: true },
+        jwt: { enabled: true }
+    }
+};
+// Simple JSON-file config store (replaces ESM-only 'conf' package)
+class ConfigStore {
+    configPath;
+    data;
+    constructor(projectName, defaultConfig) {
+        const configDir = path.join(os.homedir(), `.${projectName}`);
+        if (!fs.existsSync(configDir)) {
+            fs.mkdirSync(configDir, { recursive: true });
+        }
+        this.configPath = path.join(configDir, "config.json");
+        if (fs.existsSync(this.configPath)) {
+            try {
+                const raw = fs.readFileSync(this.configPath, "utf-8");
+                this.data = { ...defaultConfig, ...JSON.parse(raw) };
+            }
+            catch {
+                this.data = { ...defaultConfig };
+            }
+        }
+        else {
+            this.data = { ...defaultConfig };
+        }
+    }
+    get store() {
+        return this.data;
+    }
+    get(key) {
+        const keys = key.split(".");
+        let current = this.data;
+        for (const k of keys) {
+            if (current && typeof current === "object" && k in current) {
+                current = current[k];
+            }
+            else {
+                return undefined;
+            }
+        }
+        return current;
+    }
+    set(key, value) {
+        const keys = key.split(".");
+        let current = this.data;
+        for (let i = 0; i < keys.length - 1; i++) {
+            if (!(keys[i] in current) || typeof current[keys[i]] !== "object") {
+                current[keys[i]] = {};
+            }
+            current = current[keys[i]];
+        }
+        current[keys[keys.length - 1]] = value;
+        this.save();
+    }
+    save() {
+        fs.writeFileSync(this.configPath, JSON.stringify(this.data, null, 2), "utf-8");
+    }
+}
+const store = new ConfigStore("kramscan", defaults);
+function getConfigStore() {
+    return store;
+}
+function getConfig() {
+    return store.store;
+}
+function getConfigValue(key) {
+    return store.get(key);
+}
+function setConfigValue(key, value) {
+    store.set(key, value);
+}
+function setConfig(config) {
+    Object.assign(store.store, config);
+    store.save();
+}

package/dist/core/executor.d.ts

@@ -0,0 +1,2 @@
+import { ScanOptions, ScanResult } from "./types";
+export declare function executeScan(targetUrl: string, options: ScanOptions): Promise<ScanResult>;

package/dist/core/executor.js

@@ -0,0 +1,74 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.executeScan = executeScan;
+const scanner_1 = require("./scanner");
+const builtin_1 = require("../skills/builtin");
+const registry_1 = require("./registry");
+const logger_1 = require("./logger");
+async function executeScan(targetUrl, options) {
+    const logger = (0, logger_1.createLogger)();
+    const startedAt = new Date().toISOString();
+    const skills = (0, registry_1.listSkills)();
+    const selectedSkills = skills
+        .map((skill) => skill.id)
+        .filter((skillId) => {
+        if (options.skills && options.skills.length > 0) {
+            return options.skills.includes(skillId);
+        }
+        return true;
+    })
+        .filter((skillId) => {
+        if (options.excludeSkills && options.excludeSkills.length > 0) {
+            return !options.excludeSkills.includes(skillId);
+        }
+        return true;
+    });
+    const scanner = await (0, scanner_1.createScannerClient)({
+        userAgent: "OpenScan/0.1.0",
+        timeoutSeconds: options.timeoutSeconds,
+        proxy: options.proxy,
+        verifySSL: true,
+        followRedirects: true,
+        enableBrowser: options.deep
+    });
+    const findings = [];
+    for (const skillId of selectedSkills) {
+        const runner = builtin_1.builtinSkillRunners[skillId];
+        if (!runner) {
+            logger.warn(`No runner available for skill ${skillId}.`);
+            continue;
+        }
+        try {
+            const result = await runner({
+                targetUrl,
+                timeoutSeconds: options.timeoutSeconds,
+                logger,
+                http: {
+                    get: async (url) => {
+                        const response = await scanner.http.get(url);
+                        return {
+                            data: response.data,
+                            headers: response.headers
+                        };
+                    }
+                }
+            });
+            findings.push(...result.findings);
+        }
+        catch (error) {
+            logger.error(`Skill ${skillId} failed: ${error.message}`);
+        }
+    }
+    await scanner.close();
+    const finishedAt = new Date().toISOString();
+    const result = {
+        id: `scan-${Date.now()}`,
+        startedAt,
+        finishedAt,
+        target: { url: targetUrl },
+        options,
+        skillsRun: selectedSkills,
+        findings
+    };
+    return result;
+}

package/dist/core/logger.d.ts

@@ -0,0 +1,12 @@
+export interface Logger {
+    info(message: string): void;
+    warn(message: string): void;
+    error(message: string): void;
+    success(message: string): void;
+    spinner(message: string): {
+        stop: () => void;
+        succeed: (msg?: string) => void;
+        fail: (msg?: string) => void;
+    };
+}
+export declare function createLogger(): Logger;

package/dist/core/logger.js

@@ -0,0 +1,51 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.createLogger = createLogger;
+// ANSI color helpers (replaces ESM-only chalk)
+const c = {
+    reset: "\x1b[0m",
+    cyan: "\x1b[36m",
+    yellow: "\x1b[33m",
+    red: "\x1b[31m",
+    green: "\x1b[32m",
+    gray: "\x1b[90m",
+    bold: "\x1b[1m",
+};
+function createLogger() {
+    return {
+        info(message) {
+            console.log(`${c.cyan}ℹ ${message}${c.reset}`);
+        },
+        warn(message) {
+            console.log(`${c.yellow}⚠ ${message}${c.reset}`);
+        },
+        error(message) {
+            console.error(`${c.red}✖ ${message}${c.reset}`);
+        },
+        success(message) {
+            console.log(`${c.green}✔ ${message}${c.reset}`);
+        },
+        spinner(message) {
+            const frames = ["⠋", "⠙", "⠹", "⠸", "⠼", "⠴", "⠦", "⠧", "⠇", "⠏"];
+            let i = 0;
+            const id = setInterval(() => {
+                process.stdout.write(`\r${c.cyan}${frames[i % frames.length]}${c.reset} ${message}`);
+                i++;
+            }, 80);
+            return {
+                stop() {
+                    clearInterval(id);
+                    process.stdout.write("\r\x1b[K"); // Clear line
+                },
+                succeed(msg) {
+                    clearInterval(id);
+                    console.log(`\r${c.green}✔${c.reset} ${msg || message}`);
+                },
+                fail(msg) {
+                    clearInterval(id);
+                    console.log(`\r${c.red}✖${c.reset} ${msg || message}`);
+                },
+            };
+        },
+    };
+}

package/dist/core/registry.d.ts

@@ -0,0 +1,3 @@
+import { SkillMetadata } from "../skills/types";
+export declare function listSkills(): SkillMetadata[];
+export declare function getSkillMetadata(skillId: string): SkillMetadata | undefined;

package/dist/core/registry.js

@@ -0,0 +1,35 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.listSkills = listSkills;
+exports.getSkillMetadata = getSkillMetadata;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const loader_1 = require("../skills/loader");
+function getSkillsRoot() {
+    return path_1.default.resolve(process.cwd(), "skills");
+}
+function listSkills() {
+    const skillsRoot = getSkillsRoot();
+    if (!fs_1.default.existsSync(skillsRoot)) {
+        return [];
+    }
+    const entries = fs_1.default.readdirSync(skillsRoot, { withFileTypes: true });
+    const skills = [];
+    for (const entry of entries) {
+        if (!entry.isDirectory()) {
+            continue;
+        }
+        const skillDir = path_1.default.join(skillsRoot, entry.name);
+        const meta = (0, loader_1.loadSkillMetadata)(skillDir);
+        if (meta) {
+            skills.push(meta);
+        }
+    }
+    return skills;
+}
+function getSkillMetadata(skillId) {
+    return listSkills().find((skill) => skill.id === skillId);
+}

package/dist/core/scanner.d.ts

@@ -0,0 +1,24 @@
+import { ScanResult } from "./vulnerability-detector";
+export interface ScanOptions {
+    depth?: number;
+    timeout?: number;
+    headless?: boolean;
+}
+export declare class Scanner {
+    private browser;
+    private detector;
+    private visitedUrls;
+    private crawledUrls;
+    private testedForms;
+    private requestsMade;
+    constructor();
+    initialize(options?: ScanOptions): Promise<void>;
+    scan(targetUrl: string, options?: ScanOptions): Promise<ScanResult>;
+    private crawl;
+    private testForms;
+    private testXSS;
+    private testSQLi;
+    private buildTestUrl;
+    private extractLinks;
+    close(): Promise<void>;
+}