musubix2 0.5.34 → 0.5.36
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/.claude/.musubix-managed +1 -1
- package/dist/assets/skills-manifest.json +1 -1
- package/dist/cli.d.ts +2 -0
- package/dist/cli.d.ts.map +1 -1
- package/dist/cli.js +276 -10
- package/dist/cli.js.map +1 -1
- package/dist/index.js +275 -10
- package/package.json +1 -1
package/.claude/.musubix-managed
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"generator":"musubix2","version":"0.5.
|
|
1
|
+
{"generator":"musubix2","version":"0.5.36","timestamp":"2026-07-09T23:23:30.681Z"}
|
package/dist/cli.d.ts
CHANGED
|
@@ -105,6 +105,8 @@ export declare function cgSubcommandHelp(sub: string | undefined): string;
|
|
|
105
105
|
export declare function handleCodegraph(sub: string | undefined, args: string[]): Promise<ExitCodeValue>;
|
|
106
106
|
/** Heuristic: does this path look like test / fixture code rather than production? */
|
|
107
107
|
export declare function isTestFile(file: string): boolean;
|
|
108
|
+
/** Third-party / generated files that shouldn't be audited as the user's code. */
|
|
109
|
+
export declare function isVendorOrMinified(file: string): boolean;
|
|
108
110
|
export declare function handleSecurity(filePath: string, failOn?: string, excludeTests?: boolean): Promise<ExitCodeValue>;
|
|
109
111
|
export declare function handleWorkflow(sub: string | undefined, args: string[]): Promise<ExitCodeValue>;
|
|
110
112
|
export declare function handleStatus(): Promise<ExitCodeValue>;
|
package/dist/cli.d.ts.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAY,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAgC9D,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC;CACzC;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,UAAU,CAmDpD;AAwGD;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAuBjD;AAID,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC1E,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;CAC1E;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,UAAU,EAAE,CAAC;CACxB;AAID,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAsC;IACtD,OAAO,CAAC,MAAM,CAAY;gBAEd,MAAM,EAAE,SAAS;IAI7B,QAAQ,CAAC,OAAO,EAAE,UAAU,GAAG,IAAI;IAInC,aAAa,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,IAAI;IAM3C,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IAIhD,YAAY,IAAI,UAAU,EAAE;IAItB,QAAQ,CACZ,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GACjC,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAUhC,OAAO,IAAI,MAAM;IAajB,UAAU,IAAI,MAAM;IAIpB;;;OAGG;IACG,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,CAAC;CA4ClD;AAID,OAAO,EAGL,KAAK,QAAQ,EAKd,MAAM,2BAA2B,CAAC;AAInC;;;GAGG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,EAAE,CAmBzD;AAWD,wBAAsB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAWlF;AAED,wBAAsB,eAAe,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAc/E;AAED,wBAAsB,gBAAgB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAsBhF;AAMD,wBAAsB,UAAU,CAC9B,UAAU,GAAE,MAAY,EACxB,IAAI,CAAC,EAAE,MAAM,EACb,KAAK,CAAC,EAAE,OAAO,GACd,OAAO,CAAC,aAAa,CAAC,CAyDxB;AAOD,UAAU,aAAa;IACrB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IACpE,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAClC;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,aAAa,CAoCnF;AASD,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,EACd,KAAK,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAClC,OAAO,CAAC,aAAa,CAAC,CA8CxB;AAID,wBAAsB,iBAAiB,CACrC,KAAK,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAClC,OAAO,CAAC,aAAa,CAAC,CAuBxB;AAID,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,aAAa,CAAC,CA2CxB;AA+BD,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,GAAE,MAAM,EAAO,GAClB,OAAO,CAAC,aAAa,CAAC,CAuDxB;AAcD;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,GAAG,MAAM,EAAE,CAmB3F;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,EAAE,CAYtF;AAED,4DAA4D;AAC5D,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAKjD;AA0WD,0EAA0E;AAC1E,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAQhE;AAED,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,aAAa,CAAC,CA2wBxB;AAMD,sFAAsF;AACtF,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAQhD;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,EACf,YAAY,CAAC,EAAE,OAAO,GACrB,OAAO,CAAC,aAAa,CAAC,
|
|
1
|
+
{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../src/cli.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,EAAY,KAAK,aAAa,EAAE,MAAM,gBAAgB,CAAC;AAgC9D,MAAM,WAAW,UAAU;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,EAAE,CAAC;IACf,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,OAAO,CAAC,CAAC;CACzC;AAED;;;GAGG;AACH,wBAAgB,SAAS,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,UAAU,CAmDpD;AAwGD;;;GAGG;AACH,wBAAgB,QAAQ,CAAC,OAAO,CAAC,EAAE,MAAM,GAAG,MAAM,CAuBjD;AAID,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAC;IACb,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,KAAK,CAAC;QAAE,IAAI,EAAE,MAAM,CAAC;QAAC,WAAW,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IAC1E,MAAM,EAAE,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,KAAK,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC,CAAC;CAC1E;AAED,MAAM,WAAW,SAAS;IACxB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,QAAQ,EAAE,UAAU,EAAE,CAAC;CACxB;AAID,qBAAa,aAAa;IACxB,OAAO,CAAC,QAAQ,CAAsC;IACtD,OAAO,CAAC,MAAM,CAAY;gBAEd,MAAM,EAAE,SAAS;IAI7B,QAAQ,CAAC,OAAO,EAAE,UAAU,GAAG,IAAI;IAInC,aAAa,CAAC,QAAQ,EAAE,UAAU,EAAE,GAAG,IAAI;IAM3C,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,UAAU,GAAG,SAAS;IAIhD,YAAY,IAAI,UAAU,EAAE;IAItB,QAAQ,CACZ,WAAW,EAAE,MAAM,EACnB,IAAI,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GACjC,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;IAUhC,OAAO,IAAI,MAAM;IAajB,UAAU,IAAI,MAAM;IAIpB;;;OAGG;IACG,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,aAAa,CAAC;CA4ClD;AAID,OAAO,EAGL,KAAK,QAAQ,EAKd,MAAM,2BAA2B,CAAC;AAInC;;;GAGG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,GAAG,QAAQ,EAAE,CAmBzD;AAWD,wBAAsB,mBAAmB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAWlF;AAED,wBAAsB,eAAe,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAc/E;AAED,wBAAsB,gBAAgB,CAAC,QAAQ,CAAC,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAsBhF;AAMD,wBAAsB,UAAU,CAC9B,UAAU,GAAE,MAAY,EACxB,IAAI,CAAC,EAAE,MAAM,EACb,KAAK,CAAC,EAAE,OAAO,GACd,OAAO,CAAC,aAAa,CAAC,CAyDxB;AAOD,UAAU,aAAa;IACrB,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,OAAO,EAAE,MAAM,EAAE,CAAC;IAClB,KAAK,EAAE,KAAK,CAAC;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,OAAO,CAAA;KAAE,CAAC,CAAC;IACpE,SAAS,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,EAAE,CAAC,CAAC;CAClC;AAED;;;;GAIG;AACH,wBAAgB,kBAAkB,CAAC,SAAS,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM,GAAG,aAAa,CAoCnF;AASD,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,EACd,KAAK,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAClC,OAAO,CAAC,aAAa,CAAC,CA8CxB;AAID,wBAAsB,iBAAiB,CACrC,KAAK,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAClC,OAAO,CAAC,aAAa,CAAC,CAuBxB;AAID,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,aAAa,CAAC,CA2CxB;AA+BD,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,GAAE,MAAM,EAAO,GAClB,OAAO,CAAC,aAAa,CAAC,CAuDxB;AAcD;;;;GAIG;AACH,wBAAgB,YAAY,CAAC,MAAM,EAAE,MAAM,EAAE,SAAS,CAAC,EAAE,CAAC,GAAG,EAAE,MAAM,KAAK,OAAO,GAAG,MAAM,EAAE,CAmB3F;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAAC,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,GAAG,MAAM,EAAE,CAYtF;AAED,4DAA4D;AAC5D,wBAAgB,YAAY,CAAC,IAAI,EAAE,MAAM,GAAG,MAAM,CAKjD;AA0WD,0EAA0E;AAC1E,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,SAAS,GAAG,MAAM,CAQhE;AAED,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,aAAa,CAAC,CA2wBxB;AAMD,sFAAsF;AACtF,wBAAgB,UAAU,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAQhD;AAED,kFAAkF;AAClF,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,OAAO,CAOxD;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,EACf,YAAY,CAAC,EAAE,OAAO,GACrB,OAAO,CAAC,aAAa,CAAC,CAuExB;AAuBD,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,aAAa,CAAC,CAgDxB;AAID,wBAAsB,YAAY,IAAI,OAAO,CAAC,aAAa,CAAC,CAiB3D;AAkBD,wBAAsB,iBAAiB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAgDhF;AAED,wBAAsB,eAAe,IAAI,OAAO,CAAC,aAAa,CAAC,CAe9D;AASD,wBAAsB,kBAAkB,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,OAAO,CAAC,aAAa,CAAC,CAyG9F;AAED,wBAAsB,oBAAoB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAwBnF;AAED,wBAAsB,cAAc,CAClC,QAAQ,EAAE,MAAM,EAChB,KAAK,GAAE,MAAkB,GACxB,OAAO,CAAC,aAAa,CAAC,CA2BxB;AAED,wBAAsB,kBAAkB,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CAyBjF;AAED,wBAAsB,aAAa,CACjC,IAAI,EAAE,MAAM,EACZ,IAAI,GAAE,MAAgB,GACrB,OAAO,CAAC,aAAa,CAAC,CAcxB;AAED,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,aAAa,CAAC,CA0B5E;AAID,wBAAsB,YAAY,CAChC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,aAAa,CAAC,CA2DxB;AAID,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,EACd,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,OAAO,CAAC,aAAa,CAAC,CA4GxB;AAID,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,EACd,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAC7B,OAAO,CAAC,aAAa,CAAC,CAyFxB;AAID,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,aAAa,CAAC,CAkDxB;AAID,wBAAsB,UAAU,IAAI,OAAO,CAAC,aAAa,CAAC,CAOzD;AAID,wBAAsB,cAAc,CAClC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,aAAa,CAAC,CA0FxB;AAID,wBAAsB,aAAa,CACjC,KAAK,EAAE,MAAM,GAAG,SAAS,GACxB,OAAO,CAAC,aAAa,CAAC,CAgCxB;AAID,wBAAsB,WAAW,CAC/B,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,GACb,OAAO,CAAC,aAAa,CAAC,CAiExB;AAID,wBAAsB,eAAe,CACnC,GAAG,EAAE,MAAM,GAAG,SAAS,EACvB,IAAI,EAAE,MAAM,EAAE,EACd,KAAK,GAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAM,GAClC,OAAO,CAAC,aAAa,CAAC,CAyExB;AAID,wBAAsB,WAAW,CAC/B,OAAO,EAAE,MAAM,GAAG,SAAS,GAC1B,OAAO,CAAC,aAAa,CAAC,CAexB;AAID;;;;;;GAMG;AACH,wBAAgB,aAAa,CAAC,IAAI,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,KAAK,EAAE,MAAM,EAAE,GAAG,MAAM,GAAG,SAAS,CAUhG;AAiBD,wBAAgB,kBAAkB,IAAI,UAAU,EAAE,CAwejD;AAED,wBAAgB,mBAAmB,IAAI,aAAa,CASnD"}
|
package/dist/cli.js
CHANGED
|
@@ -8227,11 +8227,13 @@ __export(dist_exports5, {
|
|
|
8227
8227
|
SecretDetector: () => SecretDetector,
|
|
8228
8228
|
SecurityScanner: () => SecurityScanner,
|
|
8229
8229
|
TaintAnalyzer: () => TaintAnalyzer,
|
|
8230
|
+
blankNonCode: () => blankNonCode,
|
|
8230
8231
|
createComplianceChecker: () => createComplianceChecker,
|
|
8231
8232
|
createSecretDetector: () => createSecretDetector,
|
|
8232
8233
|
createSecurityScanner: () => createSecurityScanner,
|
|
8233
8234
|
isLikelySecret: () => isLikelySecret,
|
|
8234
|
-
isNotFormatMarker: () => isNotFormatMarker
|
|
8235
|
+
isNotFormatMarker: () => isNotFormatMarker,
|
|
8236
|
+
isNotUrlPlaceholder: () => isNotUrlPlaceholder
|
|
8235
8237
|
});
|
|
8236
8238
|
function getLineNumber(code, index) {
|
|
8237
8239
|
return code.substring(0, index).split("\n").length;
|
|
@@ -8253,10 +8255,29 @@ function shannonEntropy(s) {
|
|
|
8253
8255
|
}
|
|
8254
8256
|
return h;
|
|
8255
8257
|
}
|
|
8258
|
+
function hasSequentialRun(s, len = 6) {
|
|
8259
|
+
let run = 1;
|
|
8260
|
+
for (let i = 1; i < s.length; i++) {
|
|
8261
|
+
if (s.charCodeAt(i) === s.charCodeAt(i - 1) + 1) {
|
|
8262
|
+
if (++run >= len)
|
|
8263
|
+
return true;
|
|
8264
|
+
} else {
|
|
8265
|
+
run = 1;
|
|
8266
|
+
}
|
|
8267
|
+
}
|
|
8268
|
+
return false;
|
|
8269
|
+
}
|
|
8256
8270
|
function isLikelySecret(raw) {
|
|
8257
8271
|
const s = raw.replace(/^['"]|['"]$/g, "");
|
|
8258
|
-
|
|
8259
|
-
|
|
8272
|
+
if (!/[0-9]/.test(s) || !/[a-zA-Z]/.test(s))
|
|
8273
|
+
return false;
|
|
8274
|
+
if (shannonEntropy(s) < 3)
|
|
8275
|
+
return false;
|
|
8276
|
+
if (hasSequentialRun(s))
|
|
8277
|
+
return false;
|
|
8278
|
+
if (/^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$|^[0-9a-f]{128}$/.test(s))
|
|
8279
|
+
return false;
|
|
8280
|
+
return true;
|
|
8260
8281
|
}
|
|
8261
8282
|
function isNotFormatMarker(matchText) {
|
|
8262
8283
|
const lit = matchText.match(/['"]([^'"]*)['"]\s*$/)?.[1] ?? "";
|
|
@@ -8264,9 +8285,76 @@ function isNotFormatMarker(matchText) {
|
|
|
8264
8285
|
return false;
|
|
8265
8286
|
if (lit.trim().length < 3)
|
|
8266
8287
|
return false;
|
|
8288
|
+
if (/%\(?\w*\)?[sd]|%[sd]|\$\{[^}]*\}|#\{[^}]*\}|\{\d*\}|:\w+\b/.test(lit))
|
|
8289
|
+
return false;
|
|
8290
|
+
if (/^--?[\w-]+=?$/.test(lit.trim()))
|
|
8291
|
+
return false;
|
|
8292
|
+
if (/\$\w|\.\$/.test(lit))
|
|
8293
|
+
return false;
|
|
8267
8294
|
return true;
|
|
8268
8295
|
}
|
|
8269
|
-
function
|
|
8296
|
+
function isNotUrlPlaceholder(matchText) {
|
|
8297
|
+
const pass = matchText.match(/:\/\/[^:@/]+:([^:@/]+)@/)?.[1] ?? "";
|
|
8298
|
+
if (/^(pass(word)?|secret|changeme|example|xxx+|\*+|test)$/i.test(pass))
|
|
8299
|
+
return false;
|
|
8300
|
+
if (/[$#]\{|<|%s|:\w+$/.test(pass))
|
|
8301
|
+
return false;
|
|
8302
|
+
return true;
|
|
8303
|
+
}
|
|
8304
|
+
function blankNonCode(code, hashComments) {
|
|
8305
|
+
const out = code.split("");
|
|
8306
|
+
const n = code.length;
|
|
8307
|
+
const blank = (from, to) => {
|
|
8308
|
+
for (let k = from; k < to && k < n; k++)
|
|
8309
|
+
if (out[k] !== "\n")
|
|
8310
|
+
out[k] = " ";
|
|
8311
|
+
};
|
|
8312
|
+
let i = 0;
|
|
8313
|
+
while (i < n) {
|
|
8314
|
+
const c = code[i];
|
|
8315
|
+
const next = i + 1 < n ? code[i + 1] : "";
|
|
8316
|
+
if (c === "/" && next === "/") {
|
|
8317
|
+
let j = i;
|
|
8318
|
+
while (j < n && code[j] !== "\n")
|
|
8319
|
+
j++;
|
|
8320
|
+
blank(i, j);
|
|
8321
|
+
i = j;
|
|
8322
|
+
continue;
|
|
8323
|
+
}
|
|
8324
|
+
if (hashComments && c === "#") {
|
|
8325
|
+
let j = i;
|
|
8326
|
+
while (j < n && code[j] !== "\n")
|
|
8327
|
+
j++;
|
|
8328
|
+
blank(i, j);
|
|
8329
|
+
i = j;
|
|
8330
|
+
continue;
|
|
8331
|
+
}
|
|
8332
|
+
if (c === "/" && next === "*") {
|
|
8333
|
+
let j = i + 2;
|
|
8334
|
+
while (j < n && !(code[j] === "*" && code[j + 1] === "/"))
|
|
8335
|
+
j++;
|
|
8336
|
+
j = Math.min(j + 2, n);
|
|
8337
|
+
blank(i, j);
|
|
8338
|
+
i = j;
|
|
8339
|
+
continue;
|
|
8340
|
+
}
|
|
8341
|
+
if (c === '"' || c === "'" || c === "`") {
|
|
8342
|
+
const q = c;
|
|
8343
|
+
let j = i + 1;
|
|
8344
|
+
while (j < n && code[j] !== q) {
|
|
8345
|
+
if (code[j] === "\\")
|
|
8346
|
+
j++;
|
|
8347
|
+
j++;
|
|
8348
|
+
}
|
|
8349
|
+
blank(i + 1, j);
|
|
8350
|
+
i = j + 1;
|
|
8351
|
+
continue;
|
|
8352
|
+
}
|
|
8353
|
+
i++;
|
|
8354
|
+
}
|
|
8355
|
+
return out.join("");
|
|
8356
|
+
}
|
|
8357
|
+
function runPatterns(patterns, code, filePath, snippetSource = code) {
|
|
8270
8358
|
const findings = [];
|
|
8271
8359
|
for (const p of patterns) {
|
|
8272
8360
|
const regex = new RegExp(p.regex.source, p.regex.flags);
|
|
@@ -8281,7 +8369,7 @@ function runPatterns(patterns, code, filePath) {
|
|
|
8281
8369
|
location: {
|
|
8282
8370
|
file: filePath,
|
|
8283
8371
|
line,
|
|
8284
|
-
snippet: getSnippet(
|
|
8372
|
+
snippet: getSnippet(snippetSource, line)
|
|
8285
8373
|
},
|
|
8286
8374
|
description: p.description,
|
|
8287
8375
|
suggestion: p.suggestion,
|
|
@@ -8347,6 +8435,57 @@ var init_dist5 = __esm({
|
|
|
8347
8435
|
cweId: "CWE-798",
|
|
8348
8436
|
confidence: 0.85
|
|
8349
8437
|
},
|
|
8438
|
+
{
|
|
8439
|
+
// GitHub personal access / OAuth / server / refresh tokens.
|
|
8440
|
+
regex: /\bgh[pousr]_[A-Za-z0-9]{36,}\b/g,
|
|
8441
|
+
severity: "critical",
|
|
8442
|
+
type: "secret-leak",
|
|
8443
|
+
description: "GitHub token detected",
|
|
8444
|
+
suggestion: "Revoke the token and load it from a secrets manager",
|
|
8445
|
+
cweId: "CWE-798",
|
|
8446
|
+
confidence: 0.95
|
|
8447
|
+
},
|
|
8448
|
+
{
|
|
8449
|
+
// Slack tokens (bot/user/app/refresh/legacy).
|
|
8450
|
+
regex: /\bxox[baprs]-[A-Za-z0-9-]{10,}\b/g,
|
|
8451
|
+
severity: "critical",
|
|
8452
|
+
type: "secret-leak",
|
|
8453
|
+
description: "Slack token detected",
|
|
8454
|
+
suggestion: "Revoke the token and load it from a secrets manager",
|
|
8455
|
+
cweId: "CWE-798",
|
|
8456
|
+
confidence: 0.9
|
|
8457
|
+
},
|
|
8458
|
+
{
|
|
8459
|
+
// Stripe / similar `sk_live_` / `rk_live_` secret keys.
|
|
8460
|
+
regex: /\b[sr]k_live_[A-Za-z0-9]{16,}\b/g,
|
|
8461
|
+
severity: "critical",
|
|
8462
|
+
type: "secret-leak",
|
|
8463
|
+
description: "Stripe live secret key detected",
|
|
8464
|
+
suggestion: "Revoke the key and load it from a secrets manager",
|
|
8465
|
+
cweId: "CWE-798",
|
|
8466
|
+
confidence: 0.95
|
|
8467
|
+
},
|
|
8468
|
+
{
|
|
8469
|
+
// Google API key.
|
|
8470
|
+
regex: /\bAIza[A-Za-z0-9_\-]{35}\b/g,
|
|
8471
|
+
severity: "high",
|
|
8472
|
+
type: "secret-leak",
|
|
8473
|
+
description: "Google API key detected",
|
|
8474
|
+
suggestion: "Restrict/revoke the key and load it from a secrets manager",
|
|
8475
|
+
cweId: "CWE-798",
|
|
8476
|
+
confidence: 0.9
|
|
8477
|
+
},
|
|
8478
|
+
{
|
|
8479
|
+
// Credentials embedded in a connection URL: scheme://user:pass@host.
|
|
8480
|
+
regex: /\b[a-z][a-z0-9+.-]*:\/\/[^\s:'"@/]+:[^\s:'"@/]+@[^\s'"/]+/g,
|
|
8481
|
+
severity: "high",
|
|
8482
|
+
type: "hardcoded-credential",
|
|
8483
|
+
description: "Credentials in a connection string / URL detected",
|
|
8484
|
+
suggestion: "Move the username/password out of the URL into a secrets manager",
|
|
8485
|
+
cweId: "CWE-798",
|
|
8486
|
+
confidence: 0.75,
|
|
8487
|
+
validate: isNotUrlPlaceholder
|
|
8488
|
+
},
|
|
8350
8489
|
{
|
|
8351
8490
|
regex: /['"][A-Za-z0-9]{32,}['"]/g,
|
|
8352
8491
|
severity: "medium",
|
|
@@ -8367,7 +8506,10 @@ var init_dist5 = __esm({
|
|
|
8367
8506
|
TaintAnalyzer = class {
|
|
8368
8507
|
patterns = [
|
|
8369
8508
|
{
|
|
8370
|
-
|
|
8509
|
+
// Bare builtin eval( only — not member access `x.eval` / `x->eval` /
|
|
8510
|
+
// `X::eval` (method calls, e.g. Redis `->eval`), nor `def`/`function`
|
|
8511
|
+
// definitions of one's own eval.
|
|
8512
|
+
regex: /(?<![.\w>:])(?<!\bdef\s)(?<!\bfunction\s)(?<!\bfn\s)eval\s*\(/g,
|
|
8371
8513
|
severity: "critical",
|
|
8372
8514
|
type: "injection",
|
|
8373
8515
|
description: "Use of eval() detected \u2014 potential code injection",
|
|
@@ -8376,7 +8518,9 @@ var init_dist5 = __esm({
|
|
|
8376
8518
|
confidence: 0.9
|
|
8377
8519
|
},
|
|
8378
8520
|
{
|
|
8379
|
-
|
|
8521
|
+
// Flag dynamic assignments only — `innerHTML = "static"` / `= ''` (clearing
|
|
8522
|
+
// or a constant) is not an XSS sink; a variable/expression RHS is.
|
|
8523
|
+
regex: /\.innerHTML\s*=\s*[^\s'"=]/g,
|
|
8380
8524
|
severity: "high",
|
|
8381
8525
|
type: "xss",
|
|
8382
8526
|
description: "Direct innerHTML assignment \u2014 potential XSS vulnerability",
|
|
@@ -8394,7 +8538,9 @@ var init_dist5 = __esm({
|
|
|
8394
8538
|
confidence: 0.85
|
|
8395
8539
|
},
|
|
8396
8540
|
{
|
|
8397
|
-
|
|
8541
|
+
// Bare exec( only — not member access `re.exec` / `$schedule->exec` /
|
|
8542
|
+
// `X::exec` (method calls) nor `def exec(...)` definitions.
|
|
8543
|
+
regex: /(?<![.\w>:])(?<!\bdef\s)(?<!\bfunction\s)(?<!\bfn\s)exec\s*\(/g,
|
|
8398
8544
|
severity: "critical",
|
|
8399
8545
|
type: "injection",
|
|
8400
8546
|
description: "Use of exec() detected \u2014 potential command injection",
|
|
@@ -8428,10 +8574,125 @@ var init_dist5 = __esm({
|
|
|
8428
8574
|
suggestion: "Use parameterized queries instead of template literals",
|
|
8429
8575
|
cweId: "CWE-89",
|
|
8430
8576
|
confidence: 0.75
|
|
8577
|
+
},
|
|
8578
|
+
// --- Command injection ---------------------------------------------------
|
|
8579
|
+
{
|
|
8580
|
+
regex: /\bos\.system\s*\(/g,
|
|
8581
|
+
severity: "critical",
|
|
8582
|
+
type: "injection",
|
|
8583
|
+
description: "Use of os.system() \u2014 potential command injection",
|
|
8584
|
+
suggestion: "Use subprocess with an argument list and shell=False",
|
|
8585
|
+
cweId: "CWE-78",
|
|
8586
|
+
confidence: 0.85
|
|
8587
|
+
},
|
|
8588
|
+
{
|
|
8589
|
+
regex: /\bsubprocess\.\w+\([^)]*shell\s*=\s*True/g,
|
|
8590
|
+
severity: "high",
|
|
8591
|
+
type: "injection",
|
|
8592
|
+
description: "subprocess call with shell=True \u2014 potential command injection",
|
|
8593
|
+
suggestion: "Pass an argument list and use shell=False",
|
|
8594
|
+
cweId: "CWE-78",
|
|
8595
|
+
confidence: 0.8
|
|
8596
|
+
},
|
|
8597
|
+
{
|
|
8598
|
+
regex: /(?<![.\w>:])(?:shell_exec|passthru|proc_open|popen)\s*\(/g,
|
|
8599
|
+
severity: "critical",
|
|
8600
|
+
type: "injection",
|
|
8601
|
+
description: "Use of a shell-execution function \u2014 potential command injection",
|
|
8602
|
+
suggestion: "Avoid shell execution of untrusted input; use safe APIs with argument arrays",
|
|
8603
|
+
cweId: "CWE-78",
|
|
8604
|
+
confidence: 0.8
|
|
8605
|
+
},
|
|
8606
|
+
{
|
|
8607
|
+
regex: /(?<![.\w>:])(?<!\bdef\s)(?<!\bfunction\s)system\s*\(/g,
|
|
8608
|
+
severity: "high",
|
|
8609
|
+
type: "injection",
|
|
8610
|
+
description: "Use of system() \u2014 potential command injection",
|
|
8611
|
+
suggestion: "Avoid passing untrusted input to system(); use safe execution APIs",
|
|
8612
|
+
cweId: "CWE-78",
|
|
8613
|
+
confidence: 0.65
|
|
8614
|
+
},
|
|
8615
|
+
{
|
|
8616
|
+
regex: /Runtime\.getRuntime\(\)\s*\.\s*exec\s*\(/g,
|
|
8617
|
+
severity: "critical",
|
|
8618
|
+
type: "injection",
|
|
8619
|
+
description: "Runtime.exec() \u2014 potential command injection",
|
|
8620
|
+
suggestion: "Use ProcessBuilder with an argument list and validate inputs",
|
|
8621
|
+
cweId: "CWE-78",
|
|
8622
|
+
confidence: 0.8
|
|
8623
|
+
},
|
|
8624
|
+
// --- SQL injection (formatting/concatenation in DB calls) ----------------
|
|
8625
|
+
{
|
|
8626
|
+
regex: /\b(?:execute|query|raw|prepare|executemany)\s*\(\s*f['"]/g,
|
|
8627
|
+
severity: "high",
|
|
8628
|
+
type: "injection",
|
|
8629
|
+
description: "Potential SQL injection \u2014 f-string in a database call",
|
|
8630
|
+
suggestion: "Use parameterized queries; never build SQL with f-strings",
|
|
8631
|
+
cweId: "CWE-89",
|
|
8632
|
+
confidence: 0.75
|
|
8633
|
+
},
|
|
8634
|
+
{
|
|
8635
|
+
regex: /\b(?:execute|query|raw|prepare)\s*\([^)]*\.format\s*\(/g,
|
|
8636
|
+
severity: "high",
|
|
8637
|
+
type: "injection",
|
|
8638
|
+
description: "Potential SQL injection \u2014 .format() building a query",
|
|
8639
|
+
suggestion: "Use parameterized queries instead of str.format()",
|
|
8640
|
+
cweId: "CWE-89",
|
|
8641
|
+
confidence: 0.7
|
|
8642
|
+
},
|
|
8643
|
+
{
|
|
8644
|
+
regex: /\b(?:execute|query|raw)\s*\([^)]*\+/g,
|
|
8645
|
+
severity: "high",
|
|
8646
|
+
type: "injection",
|
|
8647
|
+
description: "Potential SQL injection \u2014 string concatenation in a query call",
|
|
8648
|
+
suggestion: "Use parameterized queries instead of string concatenation",
|
|
8649
|
+
cweId: "CWE-89",
|
|
8650
|
+
confidence: 0.7
|
|
8651
|
+
},
|
|
8652
|
+
// --- Insecure deserialization -------------------------------------------
|
|
8653
|
+
// --- Insecure deserialization (low severity: real but commonly intentional
|
|
8654
|
+
// in framework internals; triage with --fail-on) ------------------------
|
|
8655
|
+
{
|
|
8656
|
+
regex: /\bpickle\.loads?\s*\(/g,
|
|
8657
|
+
severity: "low",
|
|
8658
|
+
type: "injection",
|
|
8659
|
+
description: "Insecure deserialization \u2014 pickle.load(s) (unsafe on untrusted data)",
|
|
8660
|
+
suggestion: "Never unpickle untrusted data; use a safe format such as JSON",
|
|
8661
|
+
cweId: "CWE-502",
|
|
8662
|
+
confidence: 0.6
|
|
8663
|
+
},
|
|
8664
|
+
{
|
|
8665
|
+
regex: /\byaml\.load\s*\(/g,
|
|
8666
|
+
severity: "low",
|
|
8667
|
+
type: "injection",
|
|
8668
|
+
description: "Insecure deserialization \u2014 yaml.load() without SafeLoader",
|
|
8669
|
+
suggestion: "Use yaml.safe_load() instead of yaml.load()",
|
|
8670
|
+
cweId: "CWE-502",
|
|
8671
|
+
confidence: 0.6
|
|
8672
|
+
},
|
|
8673
|
+
{
|
|
8674
|
+
regex: /(?<![.\w>:])unserialize\s*\(/g,
|
|
8675
|
+
severity: "low",
|
|
8676
|
+
type: "injection",
|
|
8677
|
+
description: "Insecure deserialization \u2014 unserialize() (unsafe on untrusted data)",
|
|
8678
|
+
suggestion: "Avoid unserialize() on untrusted input; use JSON",
|
|
8679
|
+
cweId: "CWE-502",
|
|
8680
|
+
confidence: 0.6
|
|
8681
|
+
},
|
|
8682
|
+
// --- Weak cryptography (low: often used for non-security checksums) -------
|
|
8683
|
+
{
|
|
8684
|
+
regex: /\bhashlib\.(?:md5|sha1)\s*\(|createHash\s*\(\s*['"](?:md5|sha1)['"]/g,
|
|
8685
|
+
severity: "low",
|
|
8686
|
+
type: "injection",
|
|
8687
|
+
description: "Weak cryptographic hash (MD5/SHA-1) detected",
|
|
8688
|
+
suggestion: "Use SHA-256+ (or bcrypt/argon2 for passwords) instead of MD5/SHA-1",
|
|
8689
|
+
cweId: "CWE-327",
|
|
8690
|
+
confidence: 0.5
|
|
8431
8691
|
}
|
|
8432
8692
|
];
|
|
8433
8693
|
analyze(code, filePath) {
|
|
8434
|
-
|
|
8694
|
+
const hashComments = /\.(py|rb|sh|php|pl|yaml|yml|r)$/i.test(filePath);
|
|
8695
|
+
return runPatterns(this.patterns, blankNonCode(code, hashComments), filePath, code);
|
|
8435
8696
|
}
|
|
8436
8697
|
};
|
|
8437
8698
|
DependencyScanner = class {
|
|
@@ -17683,6 +17944,10 @@ function isTestFile(file) {
|
|
|
17683
17944
|
const p = file.replace(/\\/g, "/").toLowerCase();
|
|
17684
17945
|
return /(^|\/)(tests?|__tests__|spec|specs|fixtures?|phpunit|behat)(\/|$)/.test(p) || /(\.|_)(test|spec)\.[a-z]+$/.test(p) || /(^|\/)[a-z0-9_-]*_test\.[a-z]+$/.test(p) || /(^|\/)test[a-z0-9_-]*\.[a-z]+$/.test(p);
|
|
17685
17946
|
}
|
|
17947
|
+
function isVendorOrMinified(file) {
|
|
17948
|
+
const p = file.replace(/\\/g, "/").toLowerCase();
|
|
17949
|
+
return /\.min\.(js|css|mjs)$/.test(p) || /\.bundle\.(js|css)$/.test(p) || /(^|\/)(node_modules|vendor|third_party|third-party|bower_components|dist|build)(\/)/.test(p);
|
|
17950
|
+
}
|
|
17686
17951
|
async function handleSecurity(filePath, failOn, excludeTests) {
|
|
17687
17952
|
try {
|
|
17688
17953
|
if (!existsSync11(filePath)) {
|
|
@@ -17692,7 +17957,7 @@ async function handleSecurity(filePath, failOn, excludeTests) {
|
|
|
17692
17957
|
const secrets = createSecretDetector();
|
|
17693
17958
|
const taint = new TaintAnalyzer();
|
|
17694
17959
|
const deps = new DependencyScanner();
|
|
17695
|
-
const allFiles = collectFiles(filePath, (ext) => ext in EXT_TO_LANG);
|
|
17960
|
+
const allFiles = collectFiles(filePath, (ext) => ext in EXT_TO_LANG).filter((f) => !isVendorOrMinified(f));
|
|
17696
17961
|
const files = excludeTests ? allFiles.filter((f) => !isTestFile(f)) : allFiles;
|
|
17697
17962
|
const skipped = allFiles.length - files.length;
|
|
17698
17963
|
const findings = [];
|
|
@@ -19250,6 +19515,7 @@ export {
|
|
|
19250
19515
|
handleWatch,
|
|
19251
19516
|
handleWorkflow,
|
|
19252
19517
|
isTestFile,
|
|
19518
|
+
isVendorOrMinified,
|
|
19253
19519
|
parseArgs,
|
|
19254
19520
|
parseTaskFile,
|
|
19255
19521
|
resolveTarget,
|