ngx-security-audit 1.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 noredinebahri
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,385 @@
+# 🛡️ ngx-security-audit
+
+[![npm version](https://img.shields.io/npm/v/ngx-security-audit.svg)](https://www.npmjs.com/package/ngx-security-audit)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
+[![Node.js](https://img.shields.io/badge/node-%3E%3D14.0.0-brightgreen.svg)](https://nodejs.org/)
+[![OWASP](https://img.shields.io/badge/OWASP-Top%2010%20Aligned-orange.svg)](https://owasp.org/www-project-top-ten/)
+
+**Enterprise-grade Angular security auditing tool.** Static analysis scanner that detects XSS, CSRF, injection, sensitive data exposure, misconfigurations, and **34+ security vulnerabilities** in Angular projects. Generates detailed reports with severity levels for CI/CD pipeline integration.
+
+---
+
+## ✨ Features
+
+- 🔍 **34+ Security Rules** — Comprehensive checks across 7 security categories
+- 🎯 **Angular-Specific** — Deep understanding of Angular's security model, DomSanitizer, route guards, interceptors
+- 📊 **4 Report Formats** — Console (colored), JSON (machine), HTML (stakeholders), SARIF (GitHub/Azure DevOps)
+- 🏗️ **CI/CD Ready** — Exit codes, threshold configuration, pipeline examples for GitHub Actions, Azure DevOps, GitLab CI
+- 📈 **Security Scoring** — 0-100 score with A-F grades for easy tracking over time
+- ⚙️ **Configurable** — .ngsecurityrc.json support, rule overrides, custom include/exclude patterns
+- 🌐 **OWASP Aligned** — Every rule mapped to OWASP Top 10 2021 and CWE identifiers
+- 🚀 **Zero Config** — Works out of the box on any Angular project
+
+---
+
+## 📦 Installation
+
+```bash
+# Global installation (recommended for CLI usage)
+npm install -g ngx-security-audit
+
+# Local installation (for project integration)
+npm install --save-dev ngx-security-audit
+```
+
+---
+
+## 🚀 Quick Start
+
+```bash
+# Scan current Angular project
+ngx-security-audit scan
+
+# Scan a specific path
+ngx-security-audit scan /path/to/angular/project
+
+# Generate HTML report
+ngx-security-audit scan --format html --output report.html
+
+# Use in CI/CD with exit code
+ngx-security-audit scan --threshold high
+```
+
+---
+
+## 📋 Commands
+
+### `scan` — Run security audit
+
+```bash
+ngx-security-audit scan [path] [options]
+```
+
+| Option | Description | Default |
+|--------|-------------|---------|
+| `-f, --format <format>` | Report format: `console`, `json`, `html`, `sarif` | `console` |
+| `-o, --output <file>` | Write report to file | stdout |
+| `-t, --threshold <level>` | Fail threshold: `critical`, `high`, `medium`, `low`, `info` | `high` |
+| `-v, --verbose` | Enable verbose output | `false` |
+| `--disable-rules <rules>` | Comma-separated rule IDs to disable | none |
+| `--include <patterns>` | Comma-separated glob patterns to include | `src/**/*.ts,src/**/*.html` |
+| `--exclude <patterns>` | Comma-separated glob patterns to exclude | none |
+
+### `rules` — List available rules
+
+```bash
+# List all rules
+ngx-security-audit rules
+
+# Filter by category
+ngx-security-audit rules --category XSS
+
+# Output as JSON
+ngx-security-audit rules --json
+```
+
+### `init` — Create config file
+
+```bash
+ngx-security-audit init
+```
+
+---
+
+## 🔒 Security Rules (34 Rules)
+
+### XSS — Cross-Site Scripting (4 rules)
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `xss/bypass-security-trust` | 🔴 CRITICAL | Detects `bypassSecurityTrustHtml/Script/Style/Url/ResourceUrl` usage |
+| `xss/inner-html-binding` | 🟡 MEDIUM | Detects `[innerHTML]` bindings in templates |
+| `xss/dom-manipulation` | 🟠 HIGH | Direct DOM manipulation via `nativeElement`, `document.write` |
+| `xss/unsafe-template-concat` | 🔴 CRITICAL | Dynamic template construction enabling template injection |
+
+### Injection (4 rules)
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `injection/eval-usage` | 🔴 CRITICAL | `eval()` usage detection |
+| `injection/function-constructor` | 🔴 CRITICAL | `new Function()` constructor usage |
+| `injection/settimeout-string` | 🟠 HIGH | `setTimeout/setInterval` with string argument |
+| `injection/script-tag-in-template` | 🟠 HIGH | `<script>` tags in Angular templates |
+
+### Authentication & Authorization (4 rules)
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `auth/missing-route-guards` | 🟠 HIGH | Sensitive routes without `canActivate/canMatch/canLoad` guards |
+| `auth/missing-auth-interceptor` | 🟡 MEDIUM | Missing HTTP authentication interceptor |
+| `auth/jwt-in-localstorage` | 🟠 HIGH | JWT/auth tokens stored in localStorage |
+| `auth/hardcoded-roles` | 🟡 MEDIUM | Hardcoded role checks in templates |
+
+### Sensitive Data (4 rules)
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `sensitive/hardcoded-secrets` | 🔴 CRITICAL | Hardcoded API keys, passwords, tokens in source code |
+| `sensitive/environment-secrets` | 🟠 HIGH | Secrets in `environment.ts` files |
+| `sensitive/console-log` | 🔵 LOW | Console statements that may leak sensitive data |
+| `sensitive/local-storage-sensitive` | 🟡 MEDIUM | Sensitive data in browser storage |
+
+### HTTP Security (4 rules)
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `http/missing-xsrf-protection` | 🟠 HIGH | Missing or disabled XSRF/CSRF protection |
+| `http/insecure-url` | 🟡 MEDIUM | Insecure HTTP URLs (non-localhost) |
+| `http/cors-wildcard` | 🟡 MEDIUM | CORS wildcard `*` configuration |
+| `http/missing-error-handler` | 🔵 LOW | Missing global HTTP error handler |
+
+### Angular Configuration (7 rules)
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `config/aot-disabled` | 🟠 HIGH | AOT compilation disabled (enables template injection) |
+| `config/source-maps-prod` | 🟡 MEDIUM | Source maps enabled in production |
+| `config/strict-mode` | 🔵 LOW | TypeScript strict mode not enabled |
+| `config/outdated-angular` | 🟡 MEDIUM | Outdated Angular version without security patches |
+| `config/budget-check` | ⚪ INFO | Missing bundle budgets in production config |
+| `config/csp-meta-tag` | 🟡 MEDIUM | Missing Content Security Policy |
+| `config/allowed-hosts-ssr` | 🟠 HIGH | SSR app without `allowedHosts` (SSRF risk) |
+
+### Best Practices (7 rules)
+
+| Rule ID | Severity | Description |
+|---------|----------|-------------|
+| `best-practice/noopener-noreferrer` | 🔵 LOW | Missing `rel="noopener"` on external links |
+| `best-practice/trusted-types` | ⚪ INFO | Trusted Types not configured |
+| `best-practice/production-mode` | 🔵 LOW | Production mode not enabled |
+| `best-practice/dependency-audit` | 🟠 HIGH | Known vulnerable npm packages |
+| `best-practice/form-autocomplete` | 🔵 LOW | Sensitive fields without `autocomplete="off"` |
+| `best-practice/iframe-sandbox` | 🟡 MEDIUM | Unsandboxed iframes |
+| `best-practice/postmessage-origin` | 🟠 HIGH | `postMessage` without origin validation |
+
+---
+
+## 📊 Report Formats
+
+### Console Output
+
+Beautiful colored terminal output with code snippets and recommendations:
+
+```bash
+ngx-security-audit scan
+```
+
+### JSON Report
+
+Machine-readable format for CI/CD pipelines:
+
+```bash
+ngx-security-audit scan --format json --output report.json
+```
+
+### HTML Report
+
+Stunning dark-themed report for stakeholders with charts and code snippets:
+
+```bash
+ngx-security-audit scan --format html --output report.html
+```
+
+### SARIF Report
+
+[SARIF 2.1.0](https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html) format for GitHub Code Scanning and Azure DevOps:
+
+```bash
+ngx-security-audit scan --format sarif --output results.sarif
+```
+
+---
+
+## 🏗️ CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+name: Angular Security Audit
+on: [push, pull_request]
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+        with:
+          node-version: '20'
+      - run: npm ci
+      - run: npm install -g ngx-security-audit
+      - run: ngx-security-audit scan . --threshold high
+      - run: ngx-security-audit scan . --format sarif --output results.sarif
+        if: always()
+      - uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: results.sarif
+```
+
+### Azure DevOps
+
+```yaml
+steps:
+  - script: npm ci
+  - script: npm install -g ngx-security-audit
+  - script: ngx-security-audit scan . --threshold high
+  - script: ngx-security-audit scan . --format html --output $(Build.ArtifactStagingDirectory)/report.html
+    condition: always()
+  - task: PublishBuildArtifacts@1
+    condition: always()
+    inputs:
+      artifactName: 'SecurityReport'
+```
+
+### GitLab CI
+
+```yaml
+security_scan:
+  image: node:20-alpine
+  script:
+    - npm ci
+    - npm install -g ngx-security-audit
+    - ngx-security-audit scan . --threshold high
+  artifacts:
+    paths:
+      - security-report.html
+```
+
+---
+
+## ⚙️ Configuration
+
+Create a `.ngsecurityrc.json` in your project root:
+
+```json
+{
+  "threshold": "high",
+  "format": "console",
+  "include": ["src/**/*.ts", "src/**/*.html", "src/**/*.js"],
+  "exclude": ["**/*.spec.ts", "**/*.test.ts"],
+  "disabledRules": ["sensitive/console-log"],
+  "ruleOverrides": {
+    "xss/inner-html-binding": "low"
+  },
+  "verbose": false
+}
+```
+
+Or add to `package.json`:
+
+```json
+{
+  "ngxSecurityAudit": {
+    "threshold": "high",
+    "disabledRules": ["sensitive/console-log"]
+  }
+}
+```
+
+---
+
+## 📚 Programmatic API
+
+```javascript
+const { audit, generateReport, listRules } = require('ngx-security-audit');
+
+// Run audit
+const result = await audit('/path/to/angular/project', {
+  threshold: 'high',
+  format: 'console',
+});
+
+console.log(`Score: ${result.score}/100 (Grade: ${result.grade})`);
+console.log(`Total findings: ${result.summary.total}`);
+console.log(`Passed: ${result.passed}`);
+
+// Generate different report formats
+const htmlReport = generateReport(result, 'html');
+const sarifReport = generateReport(result, 'sarif');
+
+// List available rules
+const rules = listRules();
+```
+
+---
+
+## 🎯 Exit Codes
+
+| Code | Meaning |
+|------|---------|
+| `0` | Audit passed — no findings at or above threshold |
+| `1` | Audit failed — findings found at or above threshold |
+| `2` | Error — invalid project, configuration error, etc. |
+
+---
+
+## 🔥 Severity Levels
+
+| Level | Weight | Description |
+|-------|--------|-------------|
+| 🔴 **CRITICAL** | -20 pts | Immediate exploitation risk. Fix before deployment. |
+| 🟠 **HIGH** | -10 pts | Significant security risk. Fix as priority. |
+| 🟡 **MEDIUM** | -5 pts | Moderate risk. Plan to fix soon. |
+| 🔵 **LOW** | -2 pts | Minor risk. Fix when convenient. |
+| ⚪ **INFO** | 0 pts | Informational. Consider for hardening. |
+
+**Security Score:** Start at 100, deduct per finding based on severity weight. Minimum score is 0.
+
+| Grade | Score Range |
+|-------|-------------|
+| A | 90-100 |
+| B | 80-89 |
+| C | 70-79 |
+| D | 60-69 |
+| F | 0-59 |
+
+---
+
+## 🌐 OWASP Top 10 Coverage
+
+| OWASP Category | Rules |
+|----------------|-------|
+| A01: Broken Access Control | Route guards, postMessage origin, hardcoded roles |
+| A02: Cryptographic Failures | Hardcoded secrets, environment secrets, insecure HTTP, browser storage |
+| A03: Injection | XSS (bypass trust, innerHTML, DOM), eval, Function constructor, template injection |
+| A04: Insecure Design | Strict mode, noopener, form autocomplete, iframe sandbox |
+| A05: Security Misconfiguration | CSRF, AOT, source maps, CSP |
+| A06: Vulnerable Components | Outdated Angular, known vulnerable packages |
+| A07: Auth Failures | Auth interceptor, JWT in localStorage |
+| A09: Logging Failures | Console statements, error handlers |
+| A10: SSRF | SSR allowed hosts |
+
+---
+
+## 🤝 Contributing
+
+Contributions are welcome! To add a new security rule:
+
+1. Create your rule in the appropriate file under `src/rules/`
+2. Follow the existing rule structure with `id`, `name`, `description`, `category`, `severity`, `owasp`, `cwe`, and `check` function
+3. Add tests in `test/run-tests.js`
+4. Submit a PR
+
+---
+
+## 📄 License
+
+MIT © [noredinebahri](https://github.com/noredinebahri)
+
+---
+
+<p align="center">
+  <strong>Built with ❤️ for the Angular community</strong><br>
+  <em>Secure your Angular applications. Protect your users.</em>
+</p>

package/bin/ngx-security-audit.js

@@ -0,0 +1,192 @@
+#!/usr/bin/env node
+'use strict';
+
+const { Command } = require('commander');
+const path = require('path');
+const fs = require('fs');
+const { audit, generateReport, listRules } = require('../src/index');
+
+const pkg = require('../package.json');
+
+const program = new Command();
+
+program
+  .name('ngx-security-audit')
+  .description('Enterprise-grade Angular security auditing tool. Detect XSS, CSRF, injection, and 30+ vulnerabilities with OWASP-aligned severity levels.')
+  .version(pkg.version);
+
+program
+  .command('scan')
+  .alias('s')
+  .description('Scan an Angular project for security vulnerabilities')
+  .argument('[path]', 'Path to Angular project root', '.')
+  .option('-f, --format <format>', 'Report format: console, json, html, sarif', 'console')
+  .option('-o, --output <file>', 'Write report to file')
+  .option('-t, --threshold <level>', 'Fail threshold: critical, high, medium, low, info', 'high')
+  .option('--no-color', 'Disable colored output')
+  .option('-v, --verbose', 'Enable verbose output')
+  .option('--disable-rules <rules>', 'Comma-separated list of rule IDs to disable')
+  .option('--include <patterns>', 'Comma-separated glob patterns to include')
+  .option('--exclude <patterns>', 'Comma-separated glob patterns to exclude')
+  .action(async (projectPath, options) => {
+    try {
+      const resolvedPath = path.resolve(projectPath);
+
+      // Build config from CLI options
+      const config = {
+        threshold: options.threshold,
+        format: options.format,
+        verbose: options.verbose || false,
+      };
+
+      if (options.disableRules) {
+        config.disabledRules = options.disableRules.split(',').map((r) => r.trim());
+      }
+
+      if (options.include) {
+        config.include = options.include.split(',').map((p) => p.trim());
+      }
+
+      if (options.exclude) {
+        config.exclude = options.exclude.split(',').map((p) => p.trim());
+      }
+
+      // Show spinner for console output
+      let spinner;
+      if (options.format === 'console') {
+        try {
+          const ora = require('ora');
+          spinner = ora({
+            text: 'Scanning Angular project for security vulnerabilities...',
+            spinner: 'dots12',
+          }).start();
+        } catch {
+          console.log('Scanning Angular project for security vulnerabilities...');
+        }
+      }
+
+      const result = await audit(resolvedPath, config);
+
+      if (spinner) spinner.stop();
+
+      if (!result.success) {
+        console.error(`Error: ${result.error}`);
+        process.exit(2);
+      }
+
+      // Generate report
+      const report = generateReport(result, options.format);
+
+      // Output
+      if (options.output) {
+        const outputPath = path.resolve(options.output);
+        fs.mkdirSync(path.dirname(outputPath), { recursive: true });
+        fs.writeFileSync(outputPath, report, 'utf-8');
+        if (options.format === 'console') {
+          console.log(report);
+        }
+        console.log(`\nReport saved to: ${outputPath}`);
+      } else {
+        console.log(report);
+      }
+
+      // Exit code based on threshold
+      process.exit(result.passed ? 0 : 1);
+    } catch (error) {
+      console.error(`Fatal error: ${error.message}`);
+      if (options.verbose) {
+        console.error(error.stack);
+      }
+      process.exit(2);
+    }
+  });
+
+program
+  .command('rules')
+  .description('List all available security rules')
+  .option('--json', 'Output as JSON')
+  .option('-c, --category <category>', 'Filter by category')
+  .action((options) => {
+    let rules = listRules();
+
+    if (options.category) {
+      rules = rules.filter((r) => r.category.toLowerCase().includes(options.category.toLowerCase()));
+    }
+
+    if (options.json) {
+      console.log(JSON.stringify(rules, null, 2));
+      return;
+    }
+
+    const chalk = require('chalk');
+    console.log('');
+    console.log(chalk.bold.cyan('  NGX Security Audit - Available Rules'));
+    console.log(chalk.bold.cyan('  ════════════════════════════════════════'));
+    console.log('');
+
+    const categories = [...new Set(rules.map((r) => r.category))];
+    for (const category of categories) {
+      console.log(chalk.bold.white(`  📋 ${category}`));
+      const catRules = rules.filter((r) => r.category === category);
+      for (const rule of catRules) {
+        const severityColor = {
+          critical: 'red',
+          high: 'redBright',
+          medium: 'yellow',
+          low: 'cyan',
+          info: 'gray',
+        }[rule.severity] || 'white';
+
+        console.log(
+          `    ${chalk[severityColor](`[${rule.severity.toUpperCase()}]`.padEnd(12))}` +
+          `${chalk.white(rule.id.padEnd(35))}` +
+          `${chalk.gray(rule.name)}`
+        );
+      }
+      console.log('');
+    }
+
+    console.log(chalk.gray(`  Total: ${rules.length} rules`));
+    console.log('');
+  });
+
+program
+  .command('init')
+  .description('Create a .ngsecurityrc.json configuration file')
+  .action(() => {
+    const configPath = path.resolve('.ngsecurityrc.json');
+    if (fs.existsSync(configPath)) {
+      console.log('Configuration file already exists: .ngsecurityrc.json');
+      return;
+    }
+
+    const defaultConfig = {
+      threshold: 'high',
+      format: 'console',
+      include: ['src/**/*.ts', 'src/**/*.html', 'src/**/*.js'],
+      exclude: [],
+      disabledRules: [],
+      ruleOverrides: {},
+      verbose: false,
+    };
+
+    fs.writeFileSync(configPath, JSON.stringify(defaultConfig, null, 2), 'utf-8');
+    console.log('Created .ngsecurityrc.json with default configuration.');
+  });
+
+// Default command - scan current directory
+program
+  .argument('[path]', 'Path to Angular project (shorthand for "scan" command)')
+  .option('-f, --format <format>', 'Report format', 'console')
+  .option('-o, --output <file>', 'Write report to file')
+  .option('-t, --threshold <level>', 'Fail threshold', 'high')
+  .option('-v, --verbose', 'Verbose output')
+  .action(async (projectPath, options) => {
+    // If no subcommand, run scan
+    if (projectPath && !['scan', 'rules', 'init'].includes(projectPath)) {
+      await program.commands.find((c) => c.name() === 'scan')
+        .parseAsync([process.argv[0], process.argv[1], 'scan', projectPath, ...process.argv.slice(3)]);
+    }
+  });
+
+program.parse();

package/package.json

@@ -0,0 +1,63 @@
+{
+  "name": "ngx-security-audit",
+  "version": "1.0.0",
+  "description": "Enterprise-grade Angular security auditing tool. Static analysis scanner that detects XSS, CSRF, injection, sensitive data exposure, misconfigurations and 40+ security vulnerabilities in Angular projects. Generates detailed reports with severity levels for CI/CD pipeline integration.",
+  "main": "src/index.js",
+  "bin": {
+    "ngx-security-audit": "bin/ngx-security-audit.js"
+  },
+  "scripts": {
+    "test": "node test/run-tests.js",
+    "lint": "node bin/ngx-security-audit.js .",
+    "prepublishOnly": "node test/run-tests.js"
+  },
+  "keywords": [
+    "angular",
+    "security",
+    "audit",
+    "scanner",
+    "xss",
+    "csrf",
+    "owasp",
+    "vulnerability",
+    "static-analysis",
+    "devops",
+    "ci-cd",
+    "pipeline",
+    "security-report",
+    "angular-security",
+    "ngx",
+    "sast",
+    "code-analysis",
+    "devsecops",
+    "appsec",
+    "penetration-testing"
+  ],
+  "author": "noredinebahri",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/noredinebahri/ngx-security-audit.git"
+  },
+  "bugs": {
+    "url": "https://github.com/noredinebahri/ngx-security-audit/issues"
+  },
+  "homepage": "https://noredinebahri.github.io/ngx-security-audit",
+  "engines": {
+    "node": ">=14.0.0"
+  },
+  "dependencies": {
+    "chalk": "^4.1.2",
+    "commander": "^11.1.0",
+    "glob": "^10.3.10",
+    "ora": "^5.4.1"
+  },
+  "devDependencies": {},
+  "files": [
+    "bin/",
+    "src/",
+    "templates/",
+    "README.md",
+    "LICENSE"
+  ]
+}