oauthlint 0.2.1 → 0.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/README.md +146 -17
  2. package/package.json +1 -1
package/README.md CHANGED
@@ -1,46 +1,155 @@
1
+ <div align="center">
2
+
3
+ <img src="https://raw.githubusercontent.com/Auspeo/oauthlint/main/docs/public/logo.svg" width="76" alt="oauthlint logo" />
4
+
1
5
  # oauthlint
2
6
 
3
- > Catch the OAuth/OIDC/JWT anti-patterns AI coding tools systematically produce.
7
+ **Catch the OAuth / OIDC / JWT anti-patterns AI coding tools systematically produce.**
4
8
 
5
- CLI wrapper around [`oauthlint-rules`](../oauthlint-rules) a Semgrep
6
- rule pack curated by an IAM engineer.
9
+ 90 Semgrep rules · JS/TS · Python · Go · Java · Rust · CLI + GitHub Action + VS Code · free & MIT
7
10
 
8
- ## Quick start
11
+ [![npm](https://img.shields.io/npm/v/oauthlint.svg)](https://www.npmjs.com/package/oauthlint)
12
+ [![npm downloads](https://img.shields.io/npm/dm/oauthlint.svg)](https://www.npmjs.com/package/oauthlint)
13
+ [![CI](https://github.com/Auspeo/oauthlint/actions/workflows/ci.yml/badge.svg)](https://github.com/Auspeo/oauthlint/actions/workflows/ci.yml)
14
+ [![license](https://img.shields.io/badge/license-MIT-blue.svg)](https://github.com/Auspeo/oauthlint/blob/main/LICENSE)
15
+ [![docs](https://img.shields.io/badge/docs-oauthlint.dev-2f6feb.svg)](https://oauthlint.dev)
16
+
17
+ </div>
9
18
 
10
19
  ```bash
11
20
  npx oauthlint scan ./src
12
21
  ```
13
22
 
14
- You need [Semgrep](https://semgrep.dev/docs/getting-started/) installed
15
- (`pipx install semgrep` or `brew install semgrep`). The CLI invokes it
16
- under the hood and normalises the output for humans and CI.
23
+ > Requires [Semgrep](https://semgrep.dev/docs/getting-started/) on the machine running the scan (`pipx install semgrep` or `brew install semgrep`). The CLI invokes it under the hood and normalises the output for humans and CI.
24
+
25
+ 📖 **Full documentation & rule catalogue [oauthlint.dev](https://oauthlint.dev)**
26
+
27
+ ---
28
+
29
+ ## The problem
30
+
31
+ LLM coding assistants — Cursor, Claude, GitHub Copilot, Gemini — ship the *same*
32
+ OAuth/JWT mistakes across every project they touch:
33
+
34
+ - a JWT verified with `alg: none` accepted
35
+ - `client_secret` hard-coded in source
36
+ - an OAuth flow with no `state` and no PKCE
37
+ - a token written to `localStorage`, readable by any XSS
38
+ - `redirect_uri` allow-listed with a `*` wildcard
39
+ - a `/login` POST with no rate limiting
40
+ - a password persisted in plaintext
41
+ - `Math.random()` used for a CSRF token
42
+
43
+ oauthlint is the layer between generic SAST and an enterprise IAM program:
44
+ **free, focused, developer-first.** Every finding names the rule, the exact
45
+ `file:line`, *why* it's dangerous, and *how* to fix it — with CWE/OWASP mappings.
46
+
47
+ <div align="center">
48
+
49
+ ![oauthlint scanning a project and flagging JWT auth issues](https://raw.githubusercontent.com/Auspeo/oauthlint/main/docs/public/demo.gif)
50
+
51
+ </div>
52
+
53
+ ## Why oauthlint, and not just Semgrep?
54
+
55
+ Honest answer: nothing stops you from writing these rules yourself. Semgrep is
56
+ open source — it's the engine we run — and a capable engineer could reproduce a
57
+ lot of this. There's no technical moat and we won't pretend otherwise. What
58
+ oauthlint gives you is the work most people never do:
59
+
60
+ - **Low false positives, validated against real auth libraries.** The rules are
61
+ run against `jose`, NextAuth, PyJWT, Authlib, `golang/oauth2`, `oauth2-rs`,
62
+ Spring Security and more. Anything that fires on mature library source goes to
63
+ a triage queue, not to you — 90 rules × ~9,400 files, **zero false positives**
64
+ on the clean auth libraries ([validation report](https://oauthlint.dev/VALIDATION)).
65
+ - **One coherent product across five languages.** Same concepts, same ID scheme,
66
+ same docs — not a patchwork of community rules with mismatched styles.
67
+ - **Every finding teaches.** All 90 rules link to a fix page with CWE and OWASP
68
+ mappings. It's a lesson, not a grep hit.
69
+ - **The angle the registry doesn't have:** oauthlint specifically targets the
70
+ auth bugs AI coding tools ship on repeat, encoded in each rule's
71
+ `llm-prevalence` metadata and measured by a [reproducible benchmark](https://github.com/Auspeo/oauthlint/tree/main/benchmark).
72
+
73
+ Use oauthlint when you'd rather not write and maintain an auth rule pack
74
+ yourself. That's the whole pitch.
75
+
76
+ ## Quick start
77
+
78
+ ```bash
79
+ # one-shot scan, no install
80
+ npx oauthlint scan ./src
81
+
82
+ # fail CI on HIGH severity and above
83
+ npx oauthlint scan ./src --fail-on HIGH
84
+
85
+ # machine-readable output
86
+ npx oauthlint scan ./src --json
87
+
88
+ # GitHub Code Scanning
89
+ npx oauthlint scan ./src --format sarif > oauthlint.sarif
90
+
91
+ # auto-apply safe fixes (e.g. cookie flags)
92
+ npx oauthlint scan ./src --fix
93
+ ```
17
94
 
18
95
  ## Commands
19
96
 
20
97
  ```
21
98
  oauthlint scan [path] Scan a directory (default: current dir)
22
99
  oauthlint scan --json Emit machine-readable JSON
100
+ oauthlint scan --format sarif Emit SARIF for GitHub Code Scanning
23
101
  oauthlint scan --severity HIGH Only show findings ≥ HIGH
24
102
  oauthlint scan --fail-on off Never fail the build (CI dry-run)
103
+ oauthlint scan --fix Auto-apply safe fixes
25
104
  oauthlint list List every shipped rule
26
105
  oauthlint list --json Same, as JSON
27
106
  oauthlint init Generate .oauthlintrc.yml at cwd
28
107
  oauthlint init --force Overwrite an existing config
108
+ oauthlint doctor Check your setup (Semgrep, config, …)
29
109
  ```
30
110
 
31
- ## Exit codes
111
+ ## Use it in CI
32
112
 
33
- | Code | When |
34
- |------|------|
35
- | 0 | No findings ≥ `failOn` threshold |
36
- | 1 | At least one HIGH finding |
37
- | 2 | At least one CRITICAL finding |
38
- | 127 | Semgrep is not installed |
113
+ Run the CLI in a workflow and upload SARIF to **GitHub Code Scanning** so
114
+ findings appear inline on the PR:
115
+
116
+ ```yaml
117
+ # .github/workflows/oauthlint.yml
118
+ jobs:
119
+ oauthlint:
120
+ runs-on: ubuntu-latest
121
+ steps:
122
+ - uses: actions/checkout@v4
123
+ - run: pipx install semgrep # the engine oauthlint runs
124
+ - run: npx oauthlint scan ./src --format sarif > oauthlint.sarif
125
+ - uses: github/codeql-action/upload-sarif@v3
126
+ with:
127
+ sarif_file: oauthlint.sarif
128
+ ```
129
+
130
+ Or just fail the build on HIGH findings: `npx oauthlint scan ./src --fail-on HIGH`.
131
+
132
+ > A dedicated **GitHub Action** and a **VS Code extension** (inline diagnostics +
133
+ > Quick Fix suppressions) are on the way — follow the [repo](https://github.com/Auspeo/oauthlint) for releases.
134
+
135
+ ## What it catches
136
+
137
+ 90 rules across OAuth 2.0, OIDC, JWT, cookies, CORS, secrets and session
138
+ hygiene — each mapped to CWE & OWASP, each with a documentation page.
139
+
140
+ | Language | Rules |
141
+ |----------|:-----:|
142
+ | JavaScript / TypeScript | 42 |
143
+ | Python (PyJWT, requests, Flask, Django) | 12 |
144
+ | Java (Spring Security, jjwt, nimbus-jose-jwt) | 12 |
145
+ | Go (golang-jwt, crypto/tls, net/http) | 12 |
146
+ | Rust (jsonwebtoken, reqwest, actix/tower) | 12 |
147
+
148
+ 👉 **Browse the full catalogue at [oauthlint.dev/rules](https://oauthlint.dev/rules/).**
39
149
 
40
150
  ## Configuration
41
151
 
42
- Create a `.oauthlintrc.yml` at your repo root with `oauthlint init`. The
43
- file follows the schema in [`src/core/config.ts`](./src/core/config.ts).
152
+ Generate a `.oauthlintrc.yml` at your repo root with `oauthlint init`:
44
153
 
45
154
  ```yaml
46
155
  version: 1
@@ -54,6 +163,26 @@ rules:
54
163
  failOn: HIGH
55
164
  ```
56
165
 
166
+ ### Inline suppression
167
+
168
+ ```ts
169
+ // oauthlint-disable-next-line auth.jwt.alg-none -- legacy code, replaced in Q2
170
+ return jwt.verify(token, key, { algorithms: ['RS256', 'none'] });
171
+ ```
172
+
173
+ Wholesale silencing (`oauthlint-disable-file *`) is intentionally unsupported —
174
+ the next reviewer needs to see exactly which lines opted out, and why.
175
+
176
+ ## Exit codes
177
+
178
+ | Code | When |
179
+ |:----:|------|
180
+ | `0` | No finding at or above the `--fail-on` threshold |
181
+ | `1` | At least one **HIGH** finding |
182
+ | `2` | At least one **CRITICAL** finding, or a scan whose output could not be parsed (it never silently exits clean) |
183
+ | `127` | Semgrep is not installed |
184
+
57
185
  ## License
58
186
 
59
- MIT — see [LICENSE](../../LICENSE).
187
+ MIT — see [LICENSE](https://github.com/Auspeo/oauthlint/blob/main/LICENSE). Built
188
+ by [Maurice Anney](https://github.com/Mauriceanney), an IAM engineer.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "oauthlint",
3
- "version": "0.2.1",
3
+ "version": "0.2.2",
4
4
  "description": "Catch the OAuth/OIDC/JWT anti-patterns AI coding tools systematically produce. CLI wrapper around the oauthlint-rules Semgrep rule pack.",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",