node-protect 1.0.0 → 1.1.0

package/dist/cli.js

@@ -9,11 +9,9 @@ const chalk_1 = __importDefault(require("chalk"));
 const path_1 = __importDefault(require("path"));
 const index_1 = require("./index");
 const program = new commander_1.Command();
+program.name('node-protect').description('CLI to check for project security risks (OWASP Top 10)').version('1.0.0');
 program
-    .name('node-protect')
-    .description('CLI to check for project security risks (OWASP Top 10)')
-    .version('1.0.0');
-program.command('scan')
+    .command('scan')
     .argument('[path]', 'Path to project to scan', '.')
     .option('-t, --type <type>', 'Type of scan: full, secrets, dependencies, code', 'full')
     .action(async (projectPath, options) => {
@@ -25,8 +23,7 @@ program.command('scan')
         // CLI handles its own printing/exit logic, so we disable internal logging
         const results = await (0, index_1.protect)(resolvedPath, { types, log: false });
         // Use the shared printReport function
-        const { printReport } = require('./index');
-        printReport(results);
+        (0, index_1.printReport)(results);
         if (results.length > 0) {
             console.log(chalk_1.default.yellow('\n⚠️  Security issues found. Please review the report above.'));
             // process.exit(1); // User requested warning only mode

package/dist/config.js

@@ -0,0 +1,19 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.loadConfig = loadConfig;
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
+async function loadConfig(projectPath) {
+    const configPath = path_1.default.join(projectPath, '.protectrc');
+    try {
+        const content = await promises_1.default.readFile(configPath, 'utf-8');
+        return JSON.parse(content);
+    }
+    catch (error) {
+        // Return empty config if file doesn't exist or is invalid
+        return {};
+    }
+}

package/dist/index.js

@@ -12,24 +12,26 @@ const codeScanner_1 = require("./scanners/codeScanner");
 exports.scanners = {
     DependencyAuditor: dependencyAuditor_1.DependencyAuditor,
     SecretScanner: secretScanner_1.SecretScanner,
-    CodeScanner: codeScanner_1.CodeScanner
+    CodeScanner: codeScanner_1.CodeScanner,
 };
+const config_1 = require("./config");
 async function protect(projectPath = process.cwd(), options = {}) {
     const { log = true, types = ['full'] } = options;
     try {
+        const config = await (0, config_1.loadConfig)(projectPath);
         const results = [];
         const runAll = types.includes('full');
         if (runAll || types.includes('dependencies')) {
             const auditor = new dependencyAuditor_1.DependencyAuditor();
-            results.push(...await auditor.scan(projectPath));
+            results.push(...(await auditor.scan(projectPath)));
         }
         if (runAll || types.includes('secrets')) {
-            const secretScanner = new secretScanner_1.SecretScanner();
-            results.push(...await secretScanner.scan(projectPath));
+            const secretScanner = new secretScanner_1.SecretScanner(config);
+            results.push(...(await secretScanner.scan(projectPath)));
         }
         if (runAll || types.includes('code')) {
-            const codeScanner = new codeScanner_1.CodeScanner();
-            results.push(...await codeScanner.scan(projectPath));
+            const codeScanner = new codeScanner_1.CodeScanner(config);
+            results.push(...(await codeScanner.scan(projectPath)));
         }
         if (log) {
             printReport(results);
@@ -43,7 +45,7 @@ async function protect(projectPath = process.cwd(), options = {}) {
         if (log) {
             console.error(chalk_1.default.red('Security scan failed:'), error);
         }
-        // If logging is off, we rethrow so consumer can handle it. 
+        // If logging is off, we rethrow so consumer can handle it.
         // If logging is on, we suppress it to allow app flow to continue (as per request "not call then and catche")
         if (!log)
             throw error;

package/dist/rules.js

@@ -0,0 +1,162 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.SECRET_RULES = exports.CODE_RULES = void 0;
+exports.CODE_RULES = [
+    // A01:2021-Broken Access Control
+    {
+        name: 'Permissive CORS',
+        regex: /Access-Control-Allow-Origin\s*:\s*\*/i,
+        category: 'A01:2021-Broken Access Control',
+        severity: 'HIGH',
+        remediation: 'Restrict CORS origin to specific domains.',
+    },
+    {
+        name: 'Hardcoded Role Check',
+        regex: /if\s*\(\s*user\.role\s*===\s*['"]admin['"]\s*\)/,
+        category: 'A01:2021-Broken Access Control',
+        severity: 'MEDIUM',
+        remediation: 'Use a centralized permission system (RBAC/ABAC).',
+    },
+    // A02:2021-Cryptographic Failures
+    {
+        name: 'Weak Hash (MD5)',
+        regex: /createHash\(['"]md5['"]\)/,
+        category: 'A02:2021-Cryptographic Failures',
+        severity: 'MEDIUM',
+        remediation: 'Use SHA-256 or stronger.',
+    },
+    {
+        name: 'Weak Hash (SHA1)',
+        regex: /createHash\(['"]sha1['"]\)/,
+        category: 'A02:2021-Cryptographic Failures',
+        severity: 'MEDIUM',
+        remediation: 'Use SHA-256 or stronger.',
+    },
+    {
+        name: 'Hardcoded IV',
+        regex: /createDecipheriv\([^,]+,\s*[^,]+,\s*['"]\w+['"]\)/,
+        category: 'A02:2021-Cryptographic Failures',
+        severity: 'HIGH',
+        remediation: 'Use a random IV.',
+    },
+    // A03:2021-Injection
+    {
+        name: 'Eval Usage',
+        regex: /eval\s*\(/,
+        category: 'A03:2021-Injection',
+        severity: 'HIGH',
+        remediation: 'Avoid using eval().',
+    },
+    {
+        name: 'InnerHTML Usage',
+        regex: /\.innerHTML\s*=/,
+        category: 'A03:2021-Injection',
+        severity: 'MEDIUM',
+        remediation: 'Use textContent or a sanitizer library.',
+    },
+    {
+        name: 'Unsafe SQL Interpolation',
+        regex: /query\s*\(\s*['"]select.*?\$\{/i,
+        category: 'A03:2021-Injection',
+        severity: 'HIGH',
+        remediation: 'Use parameterized queries.',
+    },
+    // A04:2021-Insecure Design
+    {
+        name: 'X-Powered-By Header',
+        regex: /res\.setHeader\(['"]X-Powered-By['"]/,
+        category: 'A04:2021-Insecure Design',
+        severity: 'LOW',
+        remediation: 'Disable X-Powered-By header to avoid leaking stack details.',
+    },
+    {
+        name: 'Disable X-Powered-By (Missing)',
+        regex: /app\.disable\(['"]x-powered-by['"]\)/,
+        category: 'A04:2021-Insecure Design',
+        severity: 'INFO',
+        remediation: 'Ensure you disable x-powered-by in Express.',
+    },
+    // A05:2021-Security Misconfiguration
+    {
+        name: 'Debug Mode Enabled',
+        regex: /DEBUG\s*=\s*true/i,
+        category: 'A05:2021-Security Misconfiguration',
+        severity: 'MEDIUM',
+        remediation: 'Ensure debug mode is disabled in production.',
+    },
+    {
+        name: 'Hardcoded Port 80',
+        regex: /\.listen\(\s*80\s*\)/,
+        category: 'A05:2021-Security Misconfiguration',
+        severity: 'LOW',
+        remediation: 'Use environment variables for ports and avoid privileged ports.',
+    },
+    // A08:2021-Software and Data Integrity Failures
+    {
+        name: 'Missing SRI',
+        regex: /<script\s+src=['"]https?:\/\/[^'"]+['"](?!.*integrity)/,
+        category: 'A08:2021-Software and Data Integrity Failures',
+        severity: 'MEDIUM',
+        remediation: 'Use Subresource Integrity (SRI) for external scripts.',
+    },
+    // A09:2021-Security Logging and Monitoring Failures
+    {
+        name: 'Console Log Usage',
+        regex: /console\.log\s*\(/,
+        category: 'A09:2021-Security Logging and Monitoring Failures',
+        severity: 'LOW',
+        remediation: 'Use a structured logger (like winston/pino) to ensure logs are centralized.',
+    },
+    {
+        name: 'Empty Catch Block',
+        regex: /catch\s*\(\s*\w+\s*\)\s*\{\s*\}/,
+        category: 'A09:2021-Security Logging and Monitoring Failures',
+        severity: 'MEDIUM',
+        remediation: 'Log all errors.',
+    },
+    // A10:2021-Server-Side Request Forgery (SSRF)
+    {
+        name: 'Unsafe Fetch with Request Data',
+        regex: /fetch\s*\(\s*req\.(query|body|params)/,
+        category: 'A10:2021-SSRF',
+        severity: 'HIGH',
+        remediation: 'Validate user input before using it in fetch/axios URLs.',
+    },
+    {
+        name: 'Unsafe Axios with Request Data',
+        regex: /axios\.(get|post|put)\s*\(\s*req\.(query|body|params)/,
+        category: 'A10:2021-SSRF',
+        severity: 'HIGH',
+        remediation: 'Validate user input before using it in fetch/axios URLs.',
+    },
+];
+exports.SECRET_RULES = [
+    {
+        name: 'AWS Access Key',
+        regex: /AKIA[0-9A-Z]{16}/,
+        category: 'A07:2021-Identification and Authentication Failures',
+        severity: 'HIGH',
+        remediation: 'Store secrets in environment variables or a secure vault. Do not commit them to repo.',
+    },
+    {
+        name: 'Private Key',
+        regex: /-----BEGIN PRIVATE KEY-----/,
+        category: 'A07:2021-Identification and Authentication Failures',
+        severity: 'CRITICAL',
+        remediation: 'Store secrets in environment variables or a secure vault. Do not commit them to repo.',
+    },
+    {
+        name: 'Generic API Key',
+        regex: /api_key\s*[:=]\s*['"][a-zA-Z0-9_-]{20,}['"]/,
+        category: 'A07:2021-Identification and Authentication Failures',
+        severity: 'HIGH',
+        remediation: 'Store secrets in environment variables or a secure vault. Do not commit them to repo.',
+    },
+    {
+        name: 'Generic Password',
+        regex: /password\s*[:=]\s*['"][a-zA-Z0-9_\-!@#$%^&*]{6,}['"]/,
+        category: 'A07:2021-Identification and Authentication Failures',
+        severity: 'MEDIUM',
+        remediation: 'Store secrets in environment variables or a secure vault. Do not commit them to repo.',
+    },
+];

package/dist/scanners/codeScanner.js

@@ -7,41 +7,22 @@ exports.CodeScanner = void 0;
 const promises_1 = __importDefault(require("fs/promises"));
 const glob_1 = require("glob");
 const path_1 = __importDefault(require("path"));
+const rules_1 = require("../rules");
 class CodeScanner {
-    patterns = [
-        // A01:2021-Broken Access Control
-        { name: 'Permissive CORS', regex: /Access-Control-Allow-Origin\s*:\s*\*/i, category: 'A01:2021-Broken Access Control', severity: 'HIGH', remediation: 'Restrict CORS origin to specific domains.' },
-        { name: 'Hardcoded Role Check', regex: /if\s*\(\s*user\.role\s*===\s*['"]admin['"]\s*\)/, category: 'A01:2021-Broken Access Control', severity: 'MEDIUM', remediation: 'Use a centralized permission system (RBAC/ABAC).' },
-        // A02:2021-Cryptographic Failures
-        { name: 'Weak Hash (MD5)', regex: /createHash\(['"]md5['"]\)/, category: 'A02:2021-Cryptographic Failures', severity: 'MEDIUM', remediation: 'Use SHA-256 or stronger.' },
-        { name: 'Weak Hash (SHA1)', regex: /createHash\(['"]sha1['"]\)/, category: 'A02:2021-Cryptographic Failures', severity: 'MEDIUM', remediation: 'Use SHA-256 or stronger.' },
-        { name: 'Hardcoded IV', regex: /createDecipheriv\([^,]+,\s*[^,]+,\s*['"]\w+['"]\)/, category: 'A02:2021-Cryptographic Failures', severity: 'HIGH', remediation: 'Use a random IV.' },
-        // A03:2021-Injection
-        { name: 'Eval Usage', regex: /eval\s*\(/, category: 'A03:2021-Injection', severity: 'HIGH', remediation: 'Avoid using eval().' },
-        { name: 'InnerHTML Usage', regex: /\.innerHTML\s*=/, category: 'A03:2021-Injection', severity: 'MEDIUM', remediation: 'Use textContent or a sanitizer library.' },
-        { name: 'Unsafe SQL Interpolation', regex: /query\s*\(\s*['"]select.*?\$\{/i, category: 'A03:2021-Injection', severity: 'HIGH', remediation: 'Use parameterized queries.' },
-        // A04:2021-Insecure Design
-        { name: 'X-Powered-By Header', regex: /res\.setHeader\(['"]X-Powered-By['"]/, category: 'A04:2021-Insecure Design', severity: 'LOW', remediation: 'Disable X-Powered-By header to avoid leaking stack details.' },
-        { name: 'Disable X-Powered-By (Missing)', regex: /app\.disable\(['"]x-powered-by['"]\)/, category: 'A04:2021-Insecure Design', severity: 'INFO', remediation: 'Ensure you disable x-powered-by in Express.' },
-        // A05:2021-Security Misconfiguration
-        { name: 'Debug Mode Enabled', regex: /DEBUG\s*=\s*true/i, category: 'A05:2021-Security Misconfiguration', severity: 'MEDIUM', remediation: 'Ensure debug mode is disabled in production.' },
-        { name: 'Hardcoded Port 80', regex: /\.listen\(\s*80\s*\)/, category: 'A05:2021-Security Misconfiguration', severity: 'LOW', remediation: 'Use environment variables for ports and avoid privileged ports.' },
-        // A08:2021-Software and Data Integrity Failures
-        // This is hard to regex in code, usually checks for lockfiles usage or SRI in HTML
-        { name: 'Missing SRI', regex: /<script\s+src=['"]https?:\/\/[^'"]+['"](?!.*integrity)/, category: 'A08:2021-Software and Data Integrity Failures', severity: 'MEDIUM', remediation: 'Use Subresource Integrity (SRI) for external scripts.' },
-        // A09:2021-Security Logging and Monitoring Failures
-        { name: 'Console Log Usage', regex: /console\.log\s*\(/, category: 'A09:2021-Security Logging and Monitoring Failures', severity: 'LOW', remediation: 'Use a structured logger (like winston/pino) to ensure logs are centralized.' },
-        { name: 'Empty Catch Block', regex: /catch\s*\(\s*\w+\s*\)\s*\{\s*\}/, category: 'A09:2021-Security Logging and Monitoring Failures', severity: 'MEDIUM', remediation: 'Log all errors.' },
-        // A10:2021-Server-Side Request Forgery (SSRF)
-        { name: 'Unsafe Fetch with Request Data', regex: /fetch\s*\(\s*req\.(query|body|params)/, category: 'A10:2021-SSRF', severity: 'HIGH', remediation: 'Validate user input before using it in fetch/axios URLs.' },
-        { name: 'Unsafe Axios with Request Data', regex: /axios\.(get|post|put)\s*\(\s*req\.(query|body|params)/, category: 'A10:2021-SSRF', severity: 'HIGH', remediation: 'Validate user input before using it in fetch/axios URLs.' },
-    ];
+    config;
+    constructor(config) {
+        this.config = config;
+    }
     async scan(projectPath) {
         const results = [];
+        const ignorePatterns = ['node_modules/**', 'dist/**', '.git/**', '**/*.test.ts', '**/*.spec.ts'];
+        if (this.config?.ignore) {
+            ignorePatterns.push(...this.config.ignore);
+        }
         const files = await (0, glob_1.glob)('**/*.{ts,js}', {
             cwd: projectPath,
-            ignore: ['node_modules/**', 'dist/**', '.git/**', '**/*.test.ts', '**/*.spec.ts'],
-            nodir: true
+            ignore: ignorePatterns,
+            nodir: true,
         });
         for (const file of files) {
             const fullPath = path_1.default.join(projectPath, file);
@@ -50,22 +31,22 @@ class CodeScanner {
                 const lines = content.split('\n');
                 for (let i = 0; i < lines.length; i++) {
                     const line = lines[i];
-                    for (const pattern of this.patterns) {
-                        if (pattern.regex.test(line)) {
+                    for (const rule of rules_1.CODE_RULES) {
+                        if (rule.regex.test(line)) {
                             results.push({
-                                category: pattern.category,
-                                severity: pattern.severity,
-                                description: `Potential Security Issue: ${pattern.name}`,
+                                category: rule.category,
+                                severity: rule.severity,
+                                description: `Potential Security Issue: ${rule.name}`,
                                 file: file,
                                 line: i + 1,
                                 snippet: line.trim(),
-                                remediation: pattern.remediation
+                                remediation: rule.remediation || '',
                             });
                         }
                     }
                 }
             }
-            catch (err) {
+            catch (_err) {
                 // Ignore read errors
             }
         }

package/dist/scanners/dependencyAuditor.js

@@ -6,19 +6,25 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.DependencyAuditor = void 0;
 const child_process_1 = require("child_process");
 const util_1 = __importDefault(require("util"));
+const promises_1 = __importDefault(require("fs/promises"));
+const path_1 = __importDefault(require("path"));
 const execPromise = util_1.default.promisify(child_process_1.exec);
 class DependencyAuditor {
     async scan(projectPath) {
+        let command = 'npm audit --json';
         try {
-            // npm audit usually returns non-zero exit code if vulnerabilities are found
-            // so we catch the error to process the output
-            await execPromise('npm audit --json', { cwd: projectPath });
-            return []; // No vulnerabilities found
+            const hasPnpmLock = await this.fileExists(projectPath, 'pnpm-lock.yaml');
+            const hasPackageLock = await this.fileExists(projectPath, 'package-lock.json');
+            if (hasPnpmLock && !hasPackageLock) {
+                command = 'pnpm audit --json';
+            }
+            await execPromise(command, { cwd: projectPath });
+            return [];
         }
         catch (error) {
-            // If it's a real error (not just vulnerabilities found), rethrow
             if (!error.stdout) {
-                console.error("Error running npm audit:", error);
+                // If checking lockfiles failed, default to npm and swallow errors if it fails early
+                // console.error(`Error running ${command}:`, error);
                 return [];
             }
             try {
@@ -26,11 +32,20 @@ class DependencyAuditor {
                 return this.parseAuditReport(auditReport);
             }
             catch (parseError) {
-                console.error("Failed to parse npm audit output", parseError);
+                // console.error(`Failed to parse ${command} output`, parseError);
                 return [];
             }
         }
     }
+    async fileExists(dir, file) {
+        try {
+            await promises_1.default.access(path_1.default.join(dir, file));
+            return true;
+        }
+        catch {
+            return false;
+        }
+    }
     parseAuditReport(report) {
         const results = [];
         // Check for errors in report (npm audit sometimes returns error structure)
@@ -42,11 +57,11 @@ class DependencyAuditor {
                 const vulnerability = detail;
                 if (vulnerability.severity) {
                     results.push({
-                        category: "A06:2021-Vulnerable and Outdated Components",
+                        category: 'A06:2021-Vulnerable and Outdated Components',
                         severity: vulnerability.severity.toUpperCase(),
                         description: `Package '${name}' has a ${vulnerability.severity} vulnerability.`,
                         file: 'package.json',
-                        remediation: vulnerability.fixAvailable ? "Run 'npm audit fix'" : "Update dependency manually"
+                        remediation: vulnerability.fixAvailable ? "Run 'npm audit fix'" : 'Update dependency manually',
                     });
                 }
             }

package/dist/scanners/secretScanner.js

@@ -7,19 +7,22 @@ exports.SecretScanner = void 0;
 const promises_1 = __importDefault(require("fs/promises"));
 const glob_1 = require("glob");
 const path_1 = __importDefault(require("path"));
+const rules_1 = require("../rules");
 class SecretScanner {
-    patterns = [
-        { name: 'AWS Access Key', regex: /AKIA[0-9A-Z]{16}/, severity: 'HIGH' },
-        { name: 'Private Key', regex: /-----BEGIN PRIVATE KEY-----/, severity: 'CRITICAL' },
-        { name: 'Generic API Key', regex: /api_key\s*[:=]\s*['"][a-zA-Z0-9_\-]{20,}['"]/, severity: 'HIGH' },
-        { name: 'Generic Password', regex: /password\s*[:=]\s*['"][a-zA-Z0-9_\-!@#$%^&*]{6,}['"]/, severity: 'MEDIUM' },
-    ];
+    config;
+    constructor(config) {
+        this.config = config;
+    }
     async scan(projectPath) {
         const results = [];
+        const ignorePatterns = ['node_modules/**', 'dist/**', '.git/**'];
+        if (this.config?.ignore) {
+            ignorePatterns.push(...this.config.ignore);
+        }
         const files = await (0, glob_1.glob)('**/*.{ts,js,json,env,txt,yml,yaml}', {
             cwd: projectPath,
-            ignore: ['node_modules/**', 'dist/**', '.git/**'],
-            nodir: true
+            ignore: ignorePatterns,
+            nodir: true,
         });
         for (const file of files) {
             const fullPath = path_1.default.join(projectPath, file);
@@ -28,22 +31,22 @@ class SecretScanner {
                 const lines = content.split('\n');
                 for (let i = 0; i < lines.length; i++) {
                     const line = lines[i];
-                    for (const pattern of this.patterns) {
-                        if (pattern.regex.test(line)) {
+                    for (const rule of rules_1.SECRET_RULES) {
+                        if (rule.regex.test(line)) {
                             results.push({
-                                category: "A07:2021-Identification and Authentication Failures",
-                                severity: pattern.severity,
-                                description: `Potential ${pattern.name} found`,
+                                category: rule.category,
+                                severity: rule.severity,
+                                description: `Potential ${rule.name} found`,
                                 file: file,
                                 line: i + 1,
                                 snippet: line.trim().substring(0, 100), // Truncate lengthy lines
-                                remediation: "Store secrets in environment variables or a secure vault. Do not commit them to repo."
+                                remediation: rule.remediation || '',
                             });
                         }
                     }
                 }
             }
-            catch (err) {
+            catch (_err) {
                 // Ignore read errors
             }
         }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "node-protect",
-  "version": "1.0.0",
+  "version": "1.1.0",
   "description": "Security scanner for Node.js projects checking for OWASP Top 10 risks",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -13,7 +13,9 @@
   "scripts": {
     "build": "tsc",
     "prepublishOnly": "npm run build",
-    "test": "jest"
+    "test": "jest",
+    "lint": "eslint 'src/**/*.ts' 'tests/**/*.ts'",
+    "format": "prettier --write 'src/**/*.ts' 'tests/**/*.ts'"
   },
   "keywords": [
     "security",
@@ -30,11 +32,19 @@
     "glob": "^13.0.0"
   },
   "devDependencies": {
+    "@eslint/js": "^9.39.2",
     "@types/jest": "^30.0.0",
     "@types/node": "^25.0.10",
+    "@typescript-eslint/eslint-plugin": "^8.54.0",
+    "@typescript-eslint/parser": "^8.54.0",
+    "eslint": "^9.39.2",
+    "eslint-config-prettier": "^10.1.8",
+    "eslint-plugin-prettier": "^5.5.5",
     "jest": "^30.2.0",
-    "listr2": "^10.1.0",
+    "prettier": "^3.8.1",
+    "ts-jest": "^29.4.6",
     "ts-node": "^10.9.2",
-    "typescript": "^5.9.3"
+    "typescript": "^5.9.3",
+    "typescript-eslint": "^8.54.0"
   }
-}
+}