omen-sec-cli 1.0.8 → 1.0.12

package/README.md

@@ -1,40 +1,117 @@
-# OMEN — AI Security Engine
+# <p align="center"> <img src="https://img.icons8.com/nolan/128/security-shield.png" width="100" /> <br> OMEN SEC-CLI </p>
 
-**OMEN** is a fully automated CLI tool designed to perform security audits and generate AI-ready outputs with minimal user interaction. It maps attack surfaces, scans endpoints, detects unsafe patterns, and prepares comprehensive reports.
+<p align="center">
+  <img src="https://img.shields.io/badge/Version-1.0.6-red?style=for-the-badge" />
+  <img src="https://img.shields.io/badge/AI--Powered-DevSecOps-000000?style=for-the-badge&logo=openai" />
+  <img src="https://img.shields.io/badge/License-MIT-green?style=for-the-badge" />
+</p>
 
-## Installation / Usage
+---
 
-Run OMEN directly without installation using `npx`:
+## 💀 O que é o OMEN?
 
+O **OMEN SEC-CLI** não é apenas um script de segurança; é um **Framework de Auditoria DevSecOps** projetado para elevar o nível de proteção das suas aplicações. Ele transforma sua IA local (Trae, Cursor, Copilot) em um **Arquiteto de Segurança de Elite**, capaz de auditar, detectar e corrigir vulnerabilidades em tempo real.
+
+Diferente de outras ferramentas, o OMEN utiliza o conceito de **Zero-Copy AI Handover**, onde a CLI "sequestra" o contexto da sua IA de desenvolvimento para realizar correções automáticas (Auto-Fix) baseadas em protocolos militares de segurança.
+
+---
+
+## ⚡ Funcionalidades Principais
+
+### 1. 🧠 AI Zero-Copy (Auto-Fix)
+Integração nativa com IAs locais. Ao rodar com a flag `--auto-fix`, o OMEN emite um protocolo de **Dual Personality (Auditor & Arquiteto)** que força sua IA a assumir o controle e corrigir o código sem que você precise copiar uma única linha.
+
+### 2. 🌐 Scan Remoto Inteligente (Spider & Fuzzer)
+Não olhamos apenas a superfície. Nosso scanner remoto possui:
+- **Spider/Crawler:** Mapeia todos os links internos para encontrar vulnerabilidades escondidas.
+- **Fuzzer de Caminhos:** Tenta localizar arquivos sensíveis (`.env`, `.git`, `/admin`, `/config`).
+- **Injection Tester:** Testes automatizados de XSS Refletido e SQL Injection.
+
+### 3. 🔍 Scan Local Profundo & CVEs Reais
+- **Integração OSV.dev (Google):** Consulta em tempo real o banco de dados de vulnerabilidades para suas dependências no `package.json`.
+- **SAST (Static Application Security Testing):** Detecta segredos hardcoded, uso de `eval()`, injeções de SQL e padrões inseguros no código fonte.
+
+### 4. 🛠️ Sistema de Plugins (Regras Customizadas)
+Crie suas próprias regras de segurança em um arquivo `omen-rules.yaml` na raiz do seu projeto. Defina padrões Regex, severidade e alertas personalizados que o OMEN deve seguir.
+
+### 5. 📊 Dashboard Local (Cyberpunk Web UI)
+Visualize seus relatórios de forma profissional. O OMEN sobe um servidor local com uma interface moderna para análise detalhada de scores e riscos.
+
+---
+
+## 🚀 Instalação e Uso
+
+Você pode instalar o OMEN globalmente ou rodar direto via `npx`:
+
+### Instalação Global
+```bash
+npm install -g omen-sec-cli
+```
+
+### Scan Remoto
 ```bash
-npx omen robotscan https://example.com
+npx omen-sec-cli robotscan https://seu-alvo.com
 ```
 
-### Options
+### Scan Local (Projeto Atual)
+```bash
+npx omen-sec-cli robotscan --local
+```
+
+### Modo de Auto-Correção com IA (Recomendado no Trae/Cursor)
+```bash
+npx omen-sec-cli robotscan --local --auto-fix
+```
 
+### Abrir Dashboard Web
 ```bash
-npx omen --help
+npx omen-sec-cli ui
 ```
 
-Available Commands:
-- `robotscan <target>`: Run full automated scan
-- `--local`: Scan local project
-- `--full`: Run all modules
-- `--ai`: Force AI output
-- `--export`: Select output format
-- `--silent`: Minimal output
-- `--version`: Show version
+---
+
+## ⚙️ Configuração de Regras Customizadas
 
-## Output Files
+Crie um arquivo `omen-rules.yaml` para estender o poder do OMEN:
+
+```yaml
+rules:
+  - pattern: "senha_banco"
+    type: "Sensitive Keyword"
+    severity: "Critical"
+    description: "Palavra proibida detectada no código!"
+    cwe: "CWE-798"
+  - pattern: "localStorage\\.set"
+    type: "Insecure Storage"
+    severity: "Medium"
+    description: "Evite salvar dados sensíveis no localStorage."
+```
 
-After a scan is completed, OMEN generates the following files in your current directory:
-- `omen-report.json`: Structured security data.
-- `omen-report.txt`: Human-readable summary of the security audit.
-- `omen-ai.txt`: A pre-formatted AI prompt designed for AI engineers to immediately address the vulnerabilities.
+---
 
-## Open Source Project
+## 📂 Estrutura de Relatórios
+
+Após cada scan, o OMEN gera uma pasta `omen-reports/` com:
+- `omen-report.json`: Dados brutos para integração.
+- `omen-report.txt`: Resumo legível para humanos.
+- `omen-ai.txt`: Super Prompt pronto para qualquer IA externa.
+
+---
+
+## 🛡️ Protocolo OMEN PRIME
+
+Quando o OMEN detecta uma IA ativa, ele ativa o protocolo **OMEN PRIME**, dividindo a inteligência em:
+1. **O AUDITOR:** Analisa falhas caractere por caractere.
+2. **O ARQUITETO:** Implementa correções prontas para produção.
+
+---
+
+## 🤝 Comunidade e Suporte
 
-Support the project:
 - **Donate**: [GitHub Sponsors](https://github.com/sponsors/omen)
-- **Community**: [Discord](https://discord.gg/omen-security)
-- **Contact**: [GitHub](https://github.com/omen)
+- **Discord**: [Join our Community](https://discord.gg/omen-security)
+- **GitHub**: [Report a Bug](https://github.com/omen)
+
+<p align="center">
+  <i>Desenvolvido para desenvolvedores que levam a segurança a sério.</i>
+</p>

package/core/local-scanner.js

@@ -121,12 +121,34 @@ export async function scanLocalProject() {
           vulnerabilities.push({
             id: `LOC-VULN-${Date.now()}-5`,
             type: 'SQL Injection',
-            severity: 'High',
-            description: `Potential SQL Injection (raw string concatenation) in ${path.basename(file)} at line ${index + 1}`,
+            severity: 'Critical',
+            description: `Critical SQL Injection vulnerability (raw string concatenation) in ${path.basename(file)} at line ${index + 1}. Attacker can bypass authentication or dump the entire database.`,
             cwe: 'CWE-89'
           });
         }
 
+        // Regra 6: Local File Inclusion (LFI) via require/import dinâmico
+        if (/(require|import)\s*\(['"]?.*(\+|`|\${)/i.test(line)) {
+          vulnerabilities.push({
+            id: `LOC-VULN-${Date.now()}-6`,
+            type: 'Local File Inclusion',
+            severity: 'High',
+            description: `Potential LFI detected in ${path.basename(file)} at line ${index + 1}. Dynamic loading of files based on user input can lead to sensitive data exposure.`,
+            cwe: 'CWE-22'
+          });
+        }
+
+        // Regra 7: Insecure Prototype Extension
+        if (/\.prototype\.[a-zA-Z0-9_]+\s*=\s*/.test(line)) {
+          vulnerabilities.push({
+            id: `LOC-VULN-${Date.now()}-7`,
+            type: 'Prototype Pollution Risk',
+            severity: 'Medium',
+            description: `Direct prototype modification in ${path.basename(file)} at line ${index + 1}. This can lead to Prototype Pollution if user input reaches this assignment.`,
+            cwe: 'CWE-1321'
+          });
+        }
+
         // --- Custom Rules Integration ---
         customRules.forEach((rule, ruleIndex) => {
           try {

package/core/remote-scanner.js

@@ -6,42 +6,53 @@ export async function scanRemoteTarget(targetUrl) {
   const headers_analysis = {};
   let serverStatus = 'Unknown';
   let discoveredLinks = new Set();
+  let discoveredForms = [];
+  let discoveredParams = new Set();
+  let techStack = [];
 
   try {
     // 1. Initial GET to analyze headers and page content
     const response = await axios.get(targetUrl, {
-      timeout: 10000,
-      validateStatus: () => true
+      timeout: 15000,
+      validateStatus: () => true,
+      headers: { 'User-Agent': 'OMEN-SEC-CLI/1.0.6 (Security Audit)' }
     });
 
     serverStatus = response.status;
     const headers = response.headers;
     const html = response.data;
 
-    // --- Header Analysis (Existing) ---
-    // ... (rest of header analysis will be kept below)
+    // --- TECHNOLOGY FINGERPRINTING ---
+    if (headers['x-powered-by']) techStack.push(headers['x-powered-by']);
+    if (headers['server']) techStack.push(headers['server']);
+    if (html.includes('next-head')) techStack.push('Next.js');
+    if (html.includes('_next/static')) techStack.push('Next.js');
+    if (html.includes('react-root') || html.includes('data-react')) techStack.push('React');
+    if (html.includes('wp-content')) techStack.push('WordPress');
+    if (html.includes('nuxt')) techStack.push('Nuxt.js');
+
+    // --- Header Analysis (Existing - Refined Descriptions) ---
     if (!headers['strict-transport-security']) {
       headers_analysis["Strict-Transport-Security"] = "Missing";
       vulnerabilities.push({
         id: `REM-VULN-${Date.now()}-1`,
         type: 'Security Misconfiguration',
         severity: 'Medium',
-        description: `Missing HSTS Header. Site is vulnerable to SSL Stripping.`,
+        description: `HSTS Header is missing. This lacks forced HTTPS enforcement for browsers that have already visited the site.`,
         cwe: 'CWE-319'
       });
     } else {
       headers_analysis["Strict-Transport-Security"] = headers['strict-transport-security'];
     }
 
-    // 2. Analisar Content-Security-Policy (CSP)
     if (!headers['content-security-policy']) {
       headers_analysis["Content-Security-Policy"] = "Missing";
       vulnerabilities.push({
         id: `REM-VULN-${Date.now()}-2`,
         type: 'Security Misconfiguration',
-        severity: 'Medium',
-        description: `Missing Content-Security-Policy header. Increases risk of XSS.`,
-        cwe: 'CWE-16'
+        severity: 'High',
+        description: `CSP header is missing. Without a strict Content-Security-Policy, the application is highly vulnerable to Cross-Site Scripting (XSS) and data injection attacks.`,
+        cwe: 'CWE-1022'
       });
     } else {
       headers_analysis["Content-Security-Policy"] = headers['content-security-policy'];
@@ -95,9 +106,11 @@ export async function scanRemoteTarget(targetUrl) {
       });
     }
 
-    // --- SPIDER / CRAWLER ---
+    // --- SPIDER / CRAWLER (DEEP) ---
     if (typeof html === 'string') {
       const $ = cheerio.load(html);
+      
+      // Discover Links & Params
       $('a').each((i, link) => {
         const href = $(link).attr('href');
         if (href && !href.startsWith('#') && !href.startsWith('mailto:')) {
@@ -105,85 +118,105 @@ export async function scanRemoteTarget(targetUrl) {
             const absoluteUrl = new URL(href, targetUrl).href;
             if (absoluteUrl.startsWith(targetUrl)) {
               discoveredLinks.add(absoluteUrl);
+              
+              // Extract query parameters
+              const urlObj = new URL(absoluteUrl);
+              urlObj.searchParams.forEach((value, name) => discoveredParams.add(name));
             }
-          } catch (e) {
-            // Invalid URL
-          }
+          } catch (e) {}
         }
       });
+
+      // Discover Forms
+      $('form').each((i, form) => {
+        const action = $(form).attr('action') || '';
+        const method = ($(form).attr('method') || 'GET').toUpperCase();
+        const inputs = [];
+        $(form).find('input, textarea, select').each((j, input) => {
+          const name = $(input).attr('name');
+          if (name) inputs.push(name);
+        });
+        discoveredForms.push({ action, method, inputs });
+      });
     }
 
-    // --- FUZZER (Path Discovery) ---
-    const commonPaths = [
-      '/.env',
-      '/.git/config',
-      '/admin',
-      '/wp-admin',
-      '/config.php',
-      '/.vscode/settings.json',
-      '/phpinfo.php',
-      '/api/v1/users',
-      '/robots.txt'
+    // --- FUZZER (Path Discovery - Aggressive) ---
+    const aggressivePaths = [
+      '/.env', '/.git/config', '/admin', '/wp-admin', '/config.php', '/.vscode/settings.json', 
+      '/phpinfo.php', '/api/v1/users', '/robots.txt', '/.env.local', '/.env.production',
+      '/server-status', '/_next/static/chunks/pages/index.js', '/package.json',
+      '/api/auth/session', '/api/graphql', '/actuator/health', '/.ssh/id_rsa'
     ];
 
-    for (const path of commonPaths) {
+    for (const path of aggressivePaths) {
       try {
         const fuzzUrl = new URL(path, targetUrl).href;
         const fuzzRes = await axios.get(fuzzUrl, {
           timeout: 5000,
-          validateStatus: (status) => status === 200
+          validateStatus: (status) => status === 200 || status === 403
         });
 
         if (fuzzRes.status === 200) {
           vulnerabilities.push({
             id: `REM-FUZZ-${Date.now()}-${path.replace(/\//g, '-')}`,
             type: 'Sensitive Path Exposed',
-            severity: path.includes('.env') || path.includes('.git') ? 'Critical' : 'Medium',
-            description: `Exposed sensitive path discovered via fuzzing: ${fuzzUrl}`,
+            severity: path.includes('.env') || path.includes('.git') || path.includes('.ssh') ? 'Critical' : 'High',
+            description: `Exposed sensitive path discovered: ${fuzzUrl}. This path reveals internal configurations or credentials.`,
             cwe: 'CWE-200'
           });
+        } else if (fuzzRes.status === 403) {
+          vulnerabilities.push({
+            id: `REM-FUZZ-${Date.now()}-${path.replace(/\//g, '-')}`,
+            type: 'Potential Sensitive Path',
+            severity: 'Low',
+            description: `Path discovered but access forbidden (403): ${fuzzUrl}. Might indicate internal structure exposure.`,
+            cwe: 'CWE-204'
+          });
         }
-      } catch (e) {
-        // Path not found or error, skip
-      }
+      } catch (e) {}
     }
 
-    // --- BASIC INJECTION FUZZING (on discovered links) ---
+    // --- OFFENSIVE PARAMETER FUZZING ---
     const injectionPayloads = [
-      { type: 'SQLi', param: "?id=1' OR '1'='1", severity: 'High' },
-      { type: 'XSS', param: "?q=<script>alert('OMEN')</script>", severity: 'High' }
+      { type: 'SQLi', param: "' OR 1=1--", severity: 'Critical' },
+      { type: 'XSS', param: "<script>alert('OMEN')</script>", severity: 'High' },
+      { type: 'LFI', param: "/etc/passwd", severity: 'Critical' }
     ];
 
-    const linksToTest = Array.from(discoveredLinks).slice(0, 3); // Test first 3 links to keep it fast
-    for (const link of linksToTest) {
+    // Combine params from links and forms
+    const allParams = Array.from(discoveredParams);
+    discoveredForms.forEach(f => f.inputs.forEach(i => allParams.push(i)));
+    
+    const uniqueParams = [...new Set(allParams)].slice(0, 5); // Fuzz top 5 params
+
+    for (const param of uniqueParams) {
       for (const payload of injectionPayloads) {
         try {
-          const testUrl = link.includes('?') ? `${link}&${payload.param.slice(1)}` : `${link}${payload.param}`;
-          const res = await axios.get(testUrl, { timeout: 5000, validateStatus: () => true });
+          const testUrl = new URL(targetUrl);
+          testUrl.searchParams.append(param, payload.param);
           
-          // Simple heuristic: if payload is reflected in response, potential XSS
-          if (payload.type === 'XSS' && typeof res.data === 'string' && res.data.includes("<script>alert('OMEN')</script>")) {
+          const res = await axios.get(testUrl.href, { timeout: 5000, validateStatus: () => true });
+          
+          if (payload.type === 'XSS' && typeof res.data === 'string' && res.data.includes(payload.param)) {
             vulnerabilities.push({
               id: `REM-INJ-${Date.now()}-XSS`,
               type: 'Reflected XSS',
-              severity: payload.severity,
-              description: `Potential XSS vulnerability detected at ${link}. Payload was reflected in response.`,
+              severity: 'High',
+              description: `Confirmed XSS at ${targetUrl} via parameter '${param}'. Payload was reflected in HTML.`,
               cwe: 'CWE-79'
             });
           }
-          // Simple heuristic: 500 error on SQLi payload might indicate vulnerability
-          if (payload.type === 'SQLi' && res.status === 500) {
+          
+          if (payload.type === 'SQLi' && (res.status === 500 || (typeof res.data === 'string' && /SQL|database|syntax/i.test(res.data)))) {
             vulnerabilities.push({
               id: `REM-INJ-${Date.now()}-SQLI`,
-              type: 'Potential SQL Injection',
-              severity: payload.severity,
-              description: `Potential SQLi detected at ${link}. Server returned 500 Error when testing payload.`,
+              type: 'SQL Injection',
+              severity: 'Critical',
+              description: `Potential SQLi detected via parameter '${param}'. Server showed error patterns on payload.`,
               cwe: 'CWE-89'
             });
           }
-        } catch (e) {
-          // Skip
-        }
+        } catch (e) {}
       }
     }
 
@@ -192,7 +225,7 @@ export async function scanRemoteTarget(targetUrl) {
       id: `REM-ERR-${Date.now()}`,
       type: 'Availability',
       severity: 'Info',
-      description: `Failed to reach target ${targetUrl}. Error: ${err.message}`,
+      description: `Target ${targetUrl} connection error: ${err.message}`,
       cwe: 'N/A'
     });
   }
@@ -200,6 +233,10 @@ export async function scanRemoteTarget(targetUrl) {
   return {
     serverStatus,
     headers_analysis,
+    techStack,
+    discoveredLinks: Array.from(discoveredLinks),
+    discoveredForms,
+    discoveredParams: Array.from(discoveredParams),
     vulnerabilities
   };
 }

package/core/scanner.js

@@ -32,7 +32,10 @@ export async function runScannerSteps(target, flags) {
       const remoteData = await scanRemoteTarget(target);
       headers_analysis = remoteData.headers_analysis;
       allVulnerabilities.push(...remoteData.vulnerabilities);
-      attack_surface.endpoints_discovered += 1; // Base endpoint
+      attack_surface.endpoints_discovered = remoteData.discoveredLinks.length;
+      attack_surface.parameters_extracted = remoteData.discoveredParams.length;
+      attack_surface.forms_detected = remoteData.discoveredForms.length;
+      attack_surface.tech_stack = remoteData.techStack;
     }
 
     if (step.text === 'Scanning endpoints...' && flags.local) {

package/core/ui-server.js

@@ -40,7 +40,7 @@ export async function startUIServer() {
                   </div>
               </header>
 
-              <div class="grid grid-cols-1 md:grid-cols-3 gap-6 mb-8">
+              <div class="grid grid-cols-1 md:grid-cols-4 gap-6 mb-8">
                   <div class="card p-6 rounded-lg shadow-xl">
                       <h3 class="text-gray-400 mb-2">Security Score</h3>
                       <p class="text-5xl font-bold ${report.score < 50 ? 'critical' : report.score < 75 ? 'high' : 'low'}">${report.score}/100</p>
@@ -53,6 +53,12 @@ export async function startUIServer() {
                       <h3 class="text-gray-400 mb-2">Vulnerabilities</h3>
                       <p class="text-5xl font-bold text-white">${report.vulnerabilities.length}</p>
                   </div>
+                  <div class="card p-6 rounded-lg shadow-xl">
+                      <h3 class="text-gray-400 mb-2">Attack Surface</h3>
+                      <p class="text-sm text-gray-400">Endpoints: ${report.attack_surface.endpoints_discovered}</p>
+                      <p class="text-sm text-gray-400">Forms: ${report.attack_surface.forms_detected}</p>
+                      <p class="text-sm text-gray-400">Tech: ${(report.attack_surface.tech_stack || []).join(', ')}</p>
+                  </div>
               </div>
 
               <div class="card p-6 rounded-lg shadow-xl mb-8">

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "omen-sec-cli",
-  "version": "1.0.8",
+  "version": "1.0.12",
   "description": "OMEN — AI Security Engine",
   "main": "bin/index.js",
   "type": "module",

package/utils/args.js

@@ -25,6 +25,8 @@ export function parseArgs(argv) {
     if (args[1] && !args[1].startsWith('--')) {
       result.target = args[1];
     }
+  } else if (args[0] === 'ui') {
+    result.command = 'ui';
   } else if (args[0] === '--help' || args[0] === '-h') {
     result.flags.help = true;
   } else if (args[0] === '--version' || args[0] === '-v') {
@@ -36,6 +38,7 @@ export function parseArgs(argv) {
     if (arg === '--local') result.flags.local = true;
     if (arg === '--full') result.flags.full = true;
     if (arg === '--ai') result.flags.ai = true;
+    if (arg === '--auto-fix') result.flags['auto-fix'] = true;
     if (arg === '--export') result.flags.export = true;
     if (arg === '--silent') result.flags.silent = true;
     if (arg === '--help') result.flags.help = true;