node-protect 1.0.0

package/README.md

@@ -0,0 +1,121 @@
+# Node-Protect 🛡️
+
+A lightweight, zero-config security scanner for Node.js applications.  
+Detects vulnerabilities from the **OWASP Top 10** without blocking your workflow.
+
+![License: ISC](https://img.shields.io/badge/License-ISC-blue.svg)
+![Values: Warning Only](https://img.shields.io/badge/Mode-Warning%20Only-yellow)
+
+## 🚀 Key Features
+
+- **Non-blocking**: Runs in the background and warns you about issues. It **never crashes your app**.
+- **Zero Config**: Works out of the box. Just install and run.
+- **Comprehensive Coverage**: Checks for issues across the OWASP Top 10 (2021).
+
+### What it Checks
+
+| Category | Description |
+| :--- | :--- |
+| **A01 Broken Access Control** | Permissive CORS, hardcoded role checks |
+| **A02 Cryptographic Failures** | Weak hashing (MD5/SHA1), hardcoded IVs |
+| **A03 Injection** | `eval()`, `innerHTML`, unsafe SQL interpolation |
+| **A04 Insecure Design** | Leaky headers (`X-Powered-By`) |
+| **A05 Misconfiguration** | Debug mode on, hardcoded ports |
+| **A06 Vulnerable Components** | Wraps `npm audit` to check dependencies |
+| **A07 Authentication Failures** | **Hardcoded Secrets** (AWS keys, API tokens, passwords) |
+| **A08 Integrity Failures** | Missing SRI, integrity checks |
+| **A09 Logging Failures** | `console.log` usage, empty catch blocks |
+| **A10 SSRF** | Unsafe data fetching in axios/fetch |
+
+---
+
+## 📦 Installation
+
+Install as a development dependency:
+
+```bash
+npm install --save-dev node-protect
+```
+
+---
+
+## 💻 Usage
+
+### 1. As a CLI Tool
+
+Great for CI/CD pipelines or local checks.
+
+```bash
+# Scan current directory
+npx protect scan .
+
+# Scan specific folder
+npx protect scan ./src
+
+# Scan only for secrets and code issues (skip dependencies)
+npx protect scan . --type=secrets,code
+```
+
+### 2. As a Library (Programmatic)
+
+Perfect for adding a security check to your server startup sequence. It runs asynchronously ("fire-and-forget").
+
+**Example: Express Server Integration**
+
+```javascript
+/* index.js */
+const http = require('http');
+const { protect } = require('node-protect');
+
+console.log('--- Server Startup ---');
+
+// 1. Run security scan in background
+// It will log warnings if found, but won't stop the server
+protect();
+
+// 2. Start your server immediately
+http.createServer((req, res) => {
+    res.writeHead(200);
+    res.end('Hello Secure World!');
+}).listen(3000, () => {
+    console.log('Server running on port 3000');
+});
+```
+
+**Custom Handling**
+
+If you want to wait for results or handle them manually:
+
+```javascript
+const { protect, printReport } = require('node-protect');
+
+// Await the results
+protect(process.cwd(), { types: ['full'], log: false }).then(results => {
+  if (results.length > 0) {
+    console.error(`🚨 Found ${results.length} vulnerabilities!`);
+    printReport(results); // Pretty print to console
+    // process.exit(1); // Optional: Exit if you want to block
+  } else {
+    console.log('✅ App is secure.');
+  }
+});
+```
+
+---
+
+## 🛠️ Configuration
+
+The `protect()` function accepts an options object:
+
+```typescript
+interface ScanOptions {
+    log?: boolean;       // Default: true (Auto-print warnings to console)
+    types?: string[];    // Default: ['full']. Options: 'secrets', 'code', 'dependencies'
+}
+```
+
+---
+
+## 📝 License
+
+ISC

package/dist/cli.js

@@ -0,0 +1,40 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const chalk_1 = __importDefault(require("chalk"));
+const path_1 = __importDefault(require("path"));
+const index_1 = require("./index");
+const program = new commander_1.Command();
+program
+    .name('node-protect')
+    .description('CLI to check for project security risks (OWASP Top 10)')
+    .version('1.0.0');
+program.command('scan')
+    .argument('[path]', 'Path to project to scan', '.')
+    .option('-t, --type <type>', 'Type of scan: full, secrets, dependencies, code', 'full')
+    .action(async (projectPath, options) => {
+    const resolvedPath = path_1.default.resolve(projectPath);
+    console.log(chalk_1.default.blue(`Scanning project at: ${resolvedPath}`));
+    console.log(chalk_1.default.blue(`Scan type: ${options.type}`));
+    const types = options.type.split(',').map((t) => t.trim());
+    try {
+        // CLI handles its own printing/exit logic, so we disable internal logging
+        const results = await (0, index_1.protect)(resolvedPath, { types, log: false });
+        // Use the shared printReport function
+        const { printReport } = require('./index');
+        printReport(results);
+        if (results.length > 0) {
+            console.log(chalk_1.default.yellow('\n⚠️  Security issues found. Please review the report above.'));
+            // process.exit(1); // User requested warning only mode
+        }
+    }
+    catch (error) {
+        console.error(chalk_1.default.red('Error during scan:'), error);
+        process.exit(1);
+    }
+});
+program.parse();

package/dist/index.js

@@ -0,0 +1,72 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanners = void 0;
+exports.protect = protect;
+exports.printReport = printReport;
+const dependencyAuditor_1 = require("./scanners/dependencyAuditor");
+const secretScanner_1 = require("./scanners/secretScanner");
+const codeScanner_1 = require("./scanners/codeScanner");
+exports.scanners = {
+    DependencyAuditor: dependencyAuditor_1.DependencyAuditor,
+    SecretScanner: secretScanner_1.SecretScanner,
+    CodeScanner: codeScanner_1.CodeScanner
+};
+async function protect(projectPath = process.cwd(), options = {}) {
+    const { log = true, types = ['full'] } = options;
+    try {
+        const results = [];
+        const runAll = types.includes('full');
+        if (runAll || types.includes('dependencies')) {
+            const auditor = new dependencyAuditor_1.DependencyAuditor();
+            results.push(...await auditor.scan(projectPath));
+        }
+        if (runAll || types.includes('secrets')) {
+            const secretScanner = new secretScanner_1.SecretScanner();
+            results.push(...await secretScanner.scan(projectPath));
+        }
+        if (runAll || types.includes('code')) {
+            const codeScanner = new codeScanner_1.CodeScanner();
+            results.push(...await codeScanner.scan(projectPath));
+        }
+        if (log) {
+            printReport(results);
+            if (results.length > 0) {
+                console.warn(chalk_1.default.yellow('⚠️  Vulnerabilities detected. (Warning only)'));
+            }
+        }
+        return results;
+    }
+    catch (error) {
+        if (log) {
+            console.error(chalk_1.default.red('Security scan failed:'), error);
+        }
+        // If logging is off, we rethrow so consumer can handle it. 
+        // If logging is on, we suppress it to allow app flow to continue (as per request "not call then and catche")
+        if (!log)
+            throw error;
+        return [];
+    }
+}
+const chalk_1 = __importDefault(require("chalk"));
+function printReport(results) {
+    if (results.length === 0) {
+        console.log(chalk_1.default.green('\n✅ No issues found!'));
+        return;
+    }
+    console.log(chalk_1.default.bold.red(`\n❌ Found ${results.length} issues:\n`));
+    results.forEach((result, index) => {
+        const color = result.severity === 'CRITICAL' || result.severity === 'HIGH' ? chalk_1.default.red : chalk_1.default.yellow;
+        console.log(color(`[${index + 1}] [${result.severity}] ${result.category}`));
+        console.log(`    Description: ${result.description}`);
+        if (result.file)
+            console.log(`    File: ${result.file}:${result.line || 0}`);
+        if (result.snippet)
+            console.log(`    Snippet: ${chalk_1.default.gray(result.snippet)}`);
+        if (result.remediation)
+            console.log(`    Remediation: ${chalk_1.default.cyan(result.remediation)}`);
+        console.log('');
+    });
+}

package/dist/scanners/codeScanner.js

@@ -0,0 +1,75 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CodeScanner = void 0;
+const promises_1 = __importDefault(require("fs/promises"));
+const glob_1 = require("glob");
+const path_1 = __importDefault(require("path"));
+class CodeScanner {
+    patterns = [
+        // A01:2021-Broken Access Control
+        { name: 'Permissive CORS', regex: /Access-Control-Allow-Origin\s*:\s*\*/i, category: 'A01:2021-Broken Access Control', severity: 'HIGH', remediation: 'Restrict CORS origin to specific domains.' },
+        { name: 'Hardcoded Role Check', regex: /if\s*\(\s*user\.role\s*===\s*['"]admin['"]\s*\)/, category: 'A01:2021-Broken Access Control', severity: 'MEDIUM', remediation: 'Use a centralized permission system (RBAC/ABAC).' },
+        // A02:2021-Cryptographic Failures
+        { name: 'Weak Hash (MD5)', regex: /createHash\(['"]md5['"]\)/, category: 'A02:2021-Cryptographic Failures', severity: 'MEDIUM', remediation: 'Use SHA-256 or stronger.' },
+        { name: 'Weak Hash (SHA1)', regex: /createHash\(['"]sha1['"]\)/, category: 'A02:2021-Cryptographic Failures', severity: 'MEDIUM', remediation: 'Use SHA-256 or stronger.' },
+        { name: 'Hardcoded IV', regex: /createDecipheriv\([^,]+,\s*[^,]+,\s*['"]\w+['"]\)/, category: 'A02:2021-Cryptographic Failures', severity: 'HIGH', remediation: 'Use a random IV.' },
+        // A03:2021-Injection
+        { name: 'Eval Usage', regex: /eval\s*\(/, category: 'A03:2021-Injection', severity: 'HIGH', remediation: 'Avoid using eval().' },
+        { name: 'InnerHTML Usage', regex: /\.innerHTML\s*=/, category: 'A03:2021-Injection', severity: 'MEDIUM', remediation: 'Use textContent or a sanitizer library.' },
+        { name: 'Unsafe SQL Interpolation', regex: /query\s*\(\s*['"]select.*?\$\{/i, category: 'A03:2021-Injection', severity: 'HIGH', remediation: 'Use parameterized queries.' },
+        // A04:2021-Insecure Design
+        { name: 'X-Powered-By Header', regex: /res\.setHeader\(['"]X-Powered-By['"]/, category: 'A04:2021-Insecure Design', severity: 'LOW', remediation: 'Disable X-Powered-By header to avoid leaking stack details.' },
+        { name: 'Disable X-Powered-By (Missing)', regex: /app\.disable\(['"]x-powered-by['"]\)/, category: 'A04:2021-Insecure Design', severity: 'INFO', remediation: 'Ensure you disable x-powered-by in Express.' },
+        // A05:2021-Security Misconfiguration
+        { name: 'Debug Mode Enabled', regex: /DEBUG\s*=\s*true/i, category: 'A05:2021-Security Misconfiguration', severity: 'MEDIUM', remediation: 'Ensure debug mode is disabled in production.' },
+        { name: 'Hardcoded Port 80', regex: /\.listen\(\s*80\s*\)/, category: 'A05:2021-Security Misconfiguration', severity: 'LOW', remediation: 'Use environment variables for ports and avoid privileged ports.' },
+        // A08:2021-Software and Data Integrity Failures
+        // This is hard to regex in code, usually checks for lockfiles usage or SRI in HTML
+        { name: 'Missing SRI', regex: /<script\s+src=['"]https?:\/\/[^'"]+['"](?!.*integrity)/, category: 'A08:2021-Software and Data Integrity Failures', severity: 'MEDIUM', remediation: 'Use Subresource Integrity (SRI) for external scripts.' },
+        // A09:2021-Security Logging and Monitoring Failures
+        { name: 'Console Log Usage', regex: /console\.log\s*\(/, category: 'A09:2021-Security Logging and Monitoring Failures', severity: 'LOW', remediation: 'Use a structured logger (like winston/pino) to ensure logs are centralized.' },
+        { name: 'Empty Catch Block', regex: /catch\s*\(\s*\w+\s*\)\s*\{\s*\}/, category: 'A09:2021-Security Logging and Monitoring Failures', severity: 'MEDIUM', remediation: 'Log all errors.' },
+        // A10:2021-Server-Side Request Forgery (SSRF)
+        { name: 'Unsafe Fetch with Request Data', regex: /fetch\s*\(\s*req\.(query|body|params)/, category: 'A10:2021-SSRF', severity: 'HIGH', remediation: 'Validate user input before using it in fetch/axios URLs.' },
+        { name: 'Unsafe Axios with Request Data', regex: /axios\.(get|post|put)\s*\(\s*req\.(query|body|params)/, category: 'A10:2021-SSRF', severity: 'HIGH', remediation: 'Validate user input before using it in fetch/axios URLs.' },
+    ];
+    async scan(projectPath) {
+        const results = [];
+        const files = await (0, glob_1.glob)('**/*.{ts,js}', {
+            cwd: projectPath,
+            ignore: ['node_modules/**', 'dist/**', '.git/**', '**/*.test.ts', '**/*.spec.ts'],
+            nodir: true
+        });
+        for (const file of files) {
+            const fullPath = path_1.default.join(projectPath, file);
+            try {
+                const content = await promises_1.default.readFile(fullPath, 'utf-8');
+                const lines = content.split('\n');
+                for (let i = 0; i < lines.length; i++) {
+                    const line = lines[i];
+                    for (const pattern of this.patterns) {
+                        if (pattern.regex.test(line)) {
+                            results.push({
+                                category: pattern.category,
+                                severity: pattern.severity,
+                                description: `Potential Security Issue: ${pattern.name}`,
+                                file: file,
+                                line: i + 1,
+                                snippet: line.trim(),
+                                remediation: pattern.remediation
+                            });
+                        }
+                    }
+                }
+            }
+            catch (err) {
+                // Ignore read errors
+            }
+        }
+        return results;
+    }
+}
+exports.CodeScanner = CodeScanner;

package/dist/scanners/dependencyAuditor.js

@@ -0,0 +1,57 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DependencyAuditor = void 0;
+const child_process_1 = require("child_process");
+const util_1 = __importDefault(require("util"));
+const execPromise = util_1.default.promisify(child_process_1.exec);
+class DependencyAuditor {
+    async scan(projectPath) {
+        try {
+            // npm audit usually returns non-zero exit code if vulnerabilities are found
+            // so we catch the error to process the output
+            await execPromise('npm audit --json', { cwd: projectPath });
+            return []; // No vulnerabilities found
+        }
+        catch (error) {
+            // If it's a real error (not just vulnerabilities found), rethrow
+            if (!error.stdout) {
+                console.error("Error running npm audit:", error);
+                return [];
+            }
+            try {
+                const auditReport = JSON.parse(error.stdout);
+                return this.parseAuditReport(auditReport);
+            }
+            catch (parseError) {
+                console.error("Failed to parse npm audit output", parseError);
+                return [];
+            }
+        }
+    }
+    parseAuditReport(report) {
+        const results = [];
+        // Check for errors in report (npm audit sometimes returns error structure)
+        if (report.error) {
+            return [];
+        }
+        if (report.vulnerabilities) {
+            for (const [name, detail] of Object.entries(report.vulnerabilities)) {
+                const vulnerability = detail;
+                if (vulnerability.severity) {
+                    results.push({
+                        category: "A06:2021-Vulnerable and Outdated Components",
+                        severity: vulnerability.severity.toUpperCase(),
+                        description: `Package '${name}' has a ${vulnerability.severity} vulnerability.`,
+                        file: 'package.json',
+                        remediation: vulnerability.fixAvailable ? "Run 'npm audit fix'" : "Update dependency manually"
+                    });
+                }
+            }
+        }
+        return results;
+    }
+}
+exports.DependencyAuditor = DependencyAuditor;

package/dist/scanners/secretScanner.js

@@ -0,0 +1,53 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SecretScanner = void 0;
+const promises_1 = __importDefault(require("fs/promises"));
+const glob_1 = require("glob");
+const path_1 = __importDefault(require("path"));
+class SecretScanner {
+    patterns = [
+        { name: 'AWS Access Key', regex: /AKIA[0-9A-Z]{16}/, severity: 'HIGH' },
+        { name: 'Private Key', regex: /-----BEGIN PRIVATE KEY-----/, severity: 'CRITICAL' },
+        { name: 'Generic API Key', regex: /api_key\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/, severity: 'HIGH' },
+        { name: 'Generic Password', regex: /password\s*[:=]\s*['"][a-zA-Z0-9_\-!@#$%^&*]{6,}['"]/, severity: 'MEDIUM' },
+    ];
+    async scan(projectPath) {
+        const results = [];
+        const files = await (0, glob_1.glob)('**/*.{ts,js,json,env,txt,yml,yaml}', {
+            cwd: projectPath,
+            ignore: ['node_modules/**', 'dist/**', '.git/**'],
+            nodir: true
+        });
+        for (const file of files) {
+            const fullPath = path_1.default.join(projectPath, file);
+            try {
+                const content = await promises_1.default.readFile(fullPath, 'utf-8');
+                const lines = content.split('\n');
+                for (let i = 0; i < lines.length; i++) {
+                    const line = lines[i];
+                    for (const pattern of this.patterns) {
+                        if (pattern.regex.test(line)) {
+                            results.push({
+                                category: "A07:2021-Identification and Authentication Failures",
+                                severity: pattern.severity,
+                                description: `Potential ${pattern.name} found`,
+                                file: file,
+                                line: i + 1,
+                                snippet: line.trim().substring(0, 100), // Truncate lengthy lines
+                                remediation: "Store secrets in environment variables or a secure vault. Do not commit them to repo."
+                            });
+                        }
+                    }
+                }
+            }
+            catch (err) {
+                // Ignore read errors
+            }
+        }
+        return results;
+    }
+}
+exports.SecretScanner = SecretScanner;

package/dist/types.js

@@ -0,0 +1,2 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });

package/package.json

@@ -0,0 +1,40 @@
+{
+  "name": "node-protect",
+  "version": "1.0.0",
+  "description": "Security scanner for Node.js projects checking for OWASP Top 10 risks",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "protect": "./dist/cli.js"
+  },
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc",
+    "prepublishOnly": "npm run build",
+    "test": "jest"
+  },
+  "keywords": [
+    "security",
+    "owasp",
+    "scanner",
+    "audit",
+    "sast"
+  ],
+  "author": "",
+  "license": "ISC",
+  "dependencies": {
+    "chalk": "^5.6.2",
+    "commander": "^14.0.2",
+    "glob": "^13.0.0"
+  },
+  "devDependencies": {
+    "@types/jest": "^30.0.0",
+    "@types/node": "^25.0.10",
+    "jest": "^30.2.0",
+    "listr2": "^10.1.0",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.9.3"
+  }
+}