opensecurity 0.1.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 eliophan
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,268 @@
+# OpenSecurity
+
+OpenSecurity is an open-source CLI for scanning codebases for security risks, with first-class static analysis for JavaScript/TypeScript and optional AI scanning for broader files.
+It combines:
+
+- Static analysis with AST-based taint rules (OWASP-focused).
+- Dependency scanning with CVE lookup (local cache or API).
+- Optional AI-assisted scanning for deeper findings.
+
+## Project Status
+
+Active. This repo is maintained and intended for open-source use. Contributions are welcome.
+
+## Scope
+
+- Target languages for static analysis: JavaScript and TypeScript.
+- Dependency scanning: npm and PyPI manifests.
+- AI scanning is optional and requires an API key (defaults to scanning all text files).
+
+## Non-Goals
+
+- This tool is not a full SAST replacement or compliance scanner.
+- It does not execute or sandbox code.
+- It does not guarantee complete coverage of all vulnerabilities.
+
+## Quick Start
+
+```bash
+npm install
+npm run dev -- scan --dry-run
+```
+
+Build the CLI:
+
+```bash
+npm run build
+./dist/cli.js scan --dry-run
+```
+
+## Install
+
+From source:
+
+```bash
+npm install
+npm run build
+npm link
+opensecurity scan --dry-run
+```
+
+## Supported Platforms
+
+- Node.js 20+
+- macOS, Linux, Windows
+
+## Features
+
+- AST taint engine with configurable sources/sinks/sanitizers.
+- OWASP-aligned default rules (injection, SSRF, path traversal, XSS templates, SQLi).
+- Pattern-based detectors (hardcoded secrets, insecure crypto, unsafe deserialization).
+- Dependency scanning for npm and PyPI (`package.json`, `package-lock.json`, `requirements.txt`).
+- Text, JSON, and SARIF output.
+- Optional AI scan (API key or OAuth flow) with multiple providers.
+- Configurable include/exclude filters and scan scope.
+
+## CLI
+
+### `scan`
+
+```bash
+opensecurity scan [options]
+```
+
+Common options:
+
+- `--format <format>`: `text|json|sarif` (default: `text`)
+- `--include <pattern...>` / `--exclude <pattern...>`: override project filters
+- `--rules <path>`: rules JSON override
+- `--cve-cache <path>`: CVE cache JSON
+- `--cve-api-url <url>`: CVE lookup API endpoint
+- `--simulate`: include payload + impact for dependency findings
+- `--provider <provider>`: `openai|anthropic|google|mistral|xai|cohere`
+- `--ai-all-text`: allow AI scan on all text files (non-JS/TS) (default)
+- `--ai-js-only`: limit AI scan to JS/TS only
+- `--path <path>`: scan a specific file or directory
+- `--diff-only`: scan only files changed in git
+- `--diff-base <ref>`: git base ref for diff-only (default: HEAD)
+- `--ai-multi-agent`: split AI scan into worker batches
+- `--ai-batch-size <n>`: files per AI worker batch (default: 25)
+- `--ai-batch-depth <n>`: path depth for AI batching (default: 2)
+- `--ai-cache`: enable AI per-file cache (default)
+- `--no-ai-cache`: disable AI per-file cache
+- `--ai-cache-path <path>`: path to AI cache file
+- `--dependency-only`: only run dependency scan
+- `--no-ai`: disable AI scanning
+- `--dry-run`: list matched files without scanning
+- `--fail-on <severity>`: exit 1 if findings >= severity
+- `--fail-on-high`: exit 1 if findings >= high
+- `--sarif-output <path>`: write SARIF alongside primary output
+- `--concurrency <n>`: parallel scan workers
+- `--max-chars <n>`: max chars per chunk for AI scanning
+
+Example commands:
+
+```bash
+opensecurity scan --no-ai
+opensecurity scan --format sarif --sarif-output reports/opensecurity.sarif
+opensecurity scan --provider anthropic --model claude-sonnet-4-20250514
+opensecurity scan --dependency-only --simulate
+```
+
+### `login`
+
+```bash
+opensecurity login --mode oauth
+opensecurity login --mode api_key
+opensecurity login --mode api_key --provider anthropic
+```
+
+Stores auth config in `~/.config/opensecurity/config.json`.
+
+### `proxy`
+
+```bash
+opensecurity proxy --port 8787
+```
+
+Runs a local OAuth proxy for the OAuth flow.
+
+### `telemetry`
+
+```bash
+opensecurity telemetry on
+opensecurity telemetry off
+```
+
+## Configuration
+
+### Precedence
+
+1. CLI flags
+2. Project config (`.opensecurity.json`)
+3. Global config (`~/.config/opensecurity/config.json`)
+4. Built-in defaults
+
+Project config: `.opensecurity.json`
+
+```json
+{
+  "include": ["**/*.ts", "**/*.tsx"],
+  "exclude": ["**/*.test.ts"],
+  "rulesPath": "rules.json",
+  "cveCachePath": "cve-cache.json",
+  "cveApiUrl": "https://example.com/osv",
+  "dataSensitivity": "medium",
+  "maxChars": 4000,
+  "concurrency": 2
+}
+```
+
+Global config: `~/.config/opensecurity/config.json`
+
+```json
+{
+  "provider": "openai",
+  "apiKey": "sk-...",
+  "baseUrl": "https://api.openai.com/v1/responses",
+  "model": "gpt-4o-mini",
+  "apiType": "responses",
+  "authMode": "api_key",
+  "authProfileId": "codex",
+  "oauthProvider": "proxy",
+  "providerApiKey": "..."
+}
+```
+
+## Rules
+
+Default rules are in `src/rules/defaultRules.ts`.
+You can override with a JSON file (`--rules` or `rulesPath`).
+
+Pattern-based detectors run alongside rules (hardcoded secrets, insecure crypto, unsafe deserialization).
+
+Rule schema (simplified):
+
+```json
+{
+  "id": "rule-id",
+  "name": "Human name",
+  "severity": "low|medium|high|critical",
+  "owasp": "A03:2021 Injection",
+  "sources": [{ "id": "src", "name": "getUserInput", "matcher": { "callee": "getUserInput" } }],
+  "sinks": [{ "id": "sink", "name": "eval", "matcher": { "callee": "eval" } }],
+  "sanitizers": [{ "id": "san", "name": "escape", "matcher": { "callee": "escape" } }]
+}
+```
+
+## Output
+
+- **Text**: grouped by severity
+- **JSON**: machine-readable, includes `schemaVersion`
+- **SARIF**: for CI and code scanning tools
+
+## Language Support
+
+- Static analysis: JavaScript and TypeScript
+- Dependency scanning: npm and PyPI manifests
+
+## Security Notes
+
+- Do not commit secrets.
+- AI scanning sends code chunks to the configured API endpoint.
+- Use `--no-ai` if you want purely local scanning.
+- This tool provides best-effort findings and should be validated in your environment.
+
+## Providers
+
+Supported providers for AI scanning:
+
+- OpenAI (Responses or Chat Completions)
+- Anthropic Messages API
+- Google Gemini API
+- Mistral Chat Completions API
+- xAI Chat Completions API
+- Cohere Chat API
+
+API keys can be stored via `opensecurity login --mode api_key --provider <provider>` or set via environment:
+
+- `OPENAI_API_KEY`
+- `ANTHROPIC_API_KEY`
+- `GEMINI_API_KEY`
+- `MISTRAL_API_KEY`
+- `XAI_API_KEY`
+- `COHERE_API_KEY`
+
+When an API key is available, the model picker will try to fetch a live model list for the provider.
+
+## Contributing
+
+- Run `npm test`, `npm run lint`, and `npm run build` before submitting changes.
+- Keep changes focused and add tests for new behavior.
+- Do not add or log real secrets.
+- For large changes, open an issue first to align on scope.
+
+See `CONTRIBUTING.md` for full guidelines.
+
+## Security
+
+If you discover a vulnerability:
+
+- Prefer opening a private **Security Advisory** on GitHub (if enabled), or
+- Open a minimal public issue without sensitive details and request private follow‑up.
+
+## Support
+
+For questions or help, open a GitHub issue with clear reproduction steps.
+
+## Development
+
+```bash
+npm install
+npm run dev -- scan --dry-run
+npm test
+```
+
+## License
+
+MIT (see `LICENSE`).

package/dist/analysis/ast.js

@@ -0,0 +1,20 @@
+import { parse } from "@babel/parser";
+export function parseSource(code, filePath, options = {}) {
+    const ast = parse(code, {
+        sourceType: options.sourceType ?? "module",
+        sourceFilename: filePath,
+        allowReturnOutsideFunction: true,
+        errorRecovery: true,
+        plugins: [
+            "typescript",
+            "jsx",
+            "classProperties",
+            "classPrivateProperties",
+            "decorators-legacy",
+            "dynamicImport",
+            "importMeta",
+            "topLevelAwait"
+        ]
+    });
+    return { filePath, code, ast };
+}

package/dist/analysis/graphs.js

@@ -0,0 +1,295 @@
+import traverseImport from "@babel/traverse";
+import * as t from "@babel/types";
+export function buildImportGraph(ast, filePath) {
+    const traverse = normalizeTraverse(traverseImport);
+    const graph = new Map();
+    graph.set(filePath, new Set());
+    traverse(ast, {
+        ImportDeclaration(path) {
+            const source = path.node.source.value;
+            graph.get(filePath)?.add(source);
+        },
+        CallExpression(path) {
+            const callee = path.node.callee;
+            if (!t.isIdentifier(callee) || callee.name !== "require")
+                return;
+            const arg = path.node.arguments[0];
+            if (!t.isStringLiteral(arg))
+                return;
+            graph.get(filePath)?.add(arg.value);
+        }
+    });
+    return graph;
+}
+export function buildFunctionMap(ast, filePath) {
+    const traverse = normalizeTraverse(traverseImport);
+    const map = new Map();
+    const registerFunction = (name, node, kind) => {
+        const loc = node.loc?.start ? { line: node.loc.start.line, column: node.loc.start.column } : undefined;
+        const params = node.params.map((param) => (t.isIdentifier(param) ? param.name : "<pattern>"));
+        const id = `${filePath}:${name}:${loc?.line ?? 0}`;
+        map.set(id, {
+            id,
+            name,
+            file: filePath,
+            loc,
+            params,
+            isAsync: Boolean(node.async),
+            kind
+        });
+    };
+    const moduleId = `${filePath}:<module>:0`;
+    map.set(moduleId, {
+        id: moduleId,
+        name: "<module>",
+        file: filePath,
+        loc: { line: 0, column: 0 },
+        params: [],
+        isAsync: false,
+        kind: "module"
+    });
+    traverse(ast, {
+        FunctionDeclaration(path) {
+            const name = path.node.id?.name ?? "<anonymous>";
+            registerFunction(name, path.node, "function");
+        },
+        FunctionExpression(path) {
+            const name = inferFunctionName(path) ?? "<anonymous>";
+            registerFunction(name, path.node, "function");
+        },
+        ArrowFunctionExpression(path) {
+            const name = inferFunctionName(path) ?? "<anonymous>";
+            registerFunction(name, path.node, "arrow");
+        },
+        ObjectMethod(path) {
+            const name = getPropertyName(path.node.key) ?? "<anonymous>";
+            registerFunction(name, path.node, "method");
+        },
+        ClassMethod(path) {
+            const name = getPropertyName(path.node.key) ?? "<anonymous>";
+            registerFunction(name, path.node, "method");
+        }
+    });
+    return map;
+}
+export function buildCallGraph(ast, filePath, functions) {
+    const traverse = normalizeTraverse(traverseImport);
+    const graph = new Map();
+    const fnStack = [];
+    const ensure = (id) => {
+        if (!graph.has(id))
+            graph.set(id, new Set());
+    };
+    const moduleId = [...functions.values()].find((f) => f.kind === "module" && f.file === filePath)?.id;
+    const rootId = moduleId ?? `${filePath}:<module>:0`;
+    const pushFn = (id) => {
+        fnStack.push(id);
+        ensure(id);
+    };
+    const popFn = () => {
+        fnStack.pop();
+    };
+    const currentFn = () => fnStack[fnStack.length - 1] ?? rootId;
+    traverse(ast, {
+        Program: {
+            enter() {
+                pushFn(rootId);
+            },
+            exit() {
+                popFn();
+            }
+        },
+        FunctionDeclaration: {
+            enter(path) {
+                const name = path.node.id?.name ?? "<anonymous>";
+                const id = findFunctionId(functions, filePath, name, path.node.loc?.start.line);
+                pushFn(id ?? `${filePath}:${name}:${path.node.loc?.start.line ?? 0}`);
+            },
+            exit() {
+                popFn();
+            }
+        },
+        FunctionExpression: {
+            enter(path) {
+                const name = inferFunctionName(path) ?? "<anonymous>";
+                const id = findFunctionId(functions, filePath, name, path.node.loc?.start.line);
+                pushFn(id ?? `${filePath}:${name}:${path.node.loc?.start.line ?? 0}`);
+            },
+            exit() {
+                popFn();
+            }
+        },
+        ArrowFunctionExpression: {
+            enter(path) {
+                const name = inferFunctionName(path) ?? "<anonymous>";
+                const id = findFunctionId(functions, filePath, name, path.node.loc?.start.line);
+                pushFn(id ?? `${filePath}:${name}:${path.node.loc?.start.line ?? 0}`);
+            },
+            exit() {
+                popFn();
+            }
+        },
+        ObjectMethod: {
+            enter(path) {
+                const name = getPropertyName(path.node.key) ?? "<anonymous>";
+                const id = findFunctionId(functions, filePath, name, path.node.loc?.start.line);
+                pushFn(id ?? `${filePath}:${name}:${path.node.loc?.start.line ?? 0}`);
+            },
+            exit() {
+                popFn();
+            }
+        },
+        ClassMethod: {
+            enter(path) {
+                const name = getPropertyName(path.node.key) ?? "<anonymous>";
+                const id = findFunctionId(functions, filePath, name, path.node.loc?.start.line);
+                pushFn(id ?? `${filePath}:${name}:${path.node.loc?.start.line ?? 0}`);
+            },
+            exit() {
+                popFn();
+            }
+        },
+        CallExpression(path) {
+            const caller = currentFn();
+            const callee = getCalleeName(path.node);
+            if (!callee)
+                return;
+            ensure(caller);
+            graph.get(caller)?.add(callee);
+        }
+    });
+    return graph;
+}
+export function buildDataFlowGraph(ast, filePath) {
+    const traverse = normalizeTraverse(traverseImport);
+    const nodes = [];
+    const edges = [];
+    const scopes = [];
+    const pushScope = () => scopes.push(new Map());
+    const popScope = () => scopes.pop();
+    const currentScope = () => scopes[scopes.length - 1];
+    const recordDef = (name, node) => {
+        const loc = node.loc?.start ? { line: node.loc.start.line, column: node.loc.start.column } : undefined;
+        const dataNode = {
+            id: `${filePath}:${name}:${loc?.line ?? 0}:${loc?.column ?? 0}`,
+            name,
+            file: filePath,
+            loc
+        };
+        nodes.push(dataNode);
+        currentScope()?.set(name, dataNode);
+    };
+    const recordUse = (name, node) => {
+        const loc = node.loc?.start ? { line: node.loc.start.line, column: node.loc.start.column } : undefined;
+        const useNode = {
+            id: `${filePath}:${name}:${loc?.line ?? 0}:${loc?.column ?? 0}:use`,
+            name,
+            file: filePath,
+            loc
+        };
+        nodes.push(useNode);
+        const defNode = currentScope()?.get(name);
+        if (defNode) {
+            edges.push({ from: defNode, to: useNode, kind: "data" });
+        }
+    };
+    traverse(ast, {
+        Program: {
+            enter() {
+                pushScope();
+            },
+            exit() {
+                popScope();
+            }
+        },
+        Function: {
+            enter() {
+                pushScope();
+            },
+            exit() {
+                popScope();
+            }
+        },
+        VariableDeclarator(path) {
+            const id = path.node.id;
+            if (t.isIdentifier(id)) {
+                recordDef(id.name, id);
+            }
+        },
+        AssignmentExpression(path) {
+            const left = path.node.left;
+            if (t.isIdentifier(left)) {
+                recordDef(left.name, left);
+            }
+        },
+        UpdateExpression(path) {
+            const arg = path.node.argument;
+            if (t.isIdentifier(arg)) {
+                recordUse(arg.name, arg);
+                recordDef(arg.name, arg);
+            }
+        },
+        Identifier(path) {
+            if (!path.isReferencedIdentifier())
+                return;
+            recordUse(path.node.name, path.node);
+        }
+    });
+    return { nodes, edges };
+}
+function getCalleeName(node) {
+    const callee = node.callee;
+    if (t.isIdentifier(callee))
+        return callee.name;
+    if (t.isMemberExpression(callee))
+        return memberExpressionToString(callee);
+    return null;
+}
+function memberExpressionToString(node) {
+    if (node.computed)
+        return null;
+    const object = node.object;
+    const property = node.property;
+    const objectName = t.isIdentifier(object)
+        ? object.name
+        : t.isMemberExpression(object)
+            ? memberExpressionToString(object)
+            : null;
+    if (!objectName)
+        return null;
+    if (!t.isIdentifier(property))
+        return null;
+    return `${objectName}.${property.name}`;
+}
+function inferFunctionName(path) {
+    const parent = path.parentPath;
+    if (parent?.isVariableDeclarator() && t.isIdentifier(parent.node.id))
+        return parent.node.id.name;
+    if (parent?.isAssignmentExpression() && t.isIdentifier(parent.node.left))
+        return parent.node.left.name;
+    if (parent?.isObjectProperty())
+        return getPropertyName(parent.node.key);
+    return null;
+}
+function getPropertyName(key) {
+    if (t.isIdentifier(key))
+        return key.name;
+    if (t.isStringLiteral(key))
+        return key.value;
+    return null;
+}
+function findFunctionId(functions, filePath, name, line) {
+    for (const info of functions.values()) {
+        if (info.file !== filePath)
+            continue;
+        if (info.name !== name)
+            continue;
+        if (line && info.loc?.line !== line)
+            continue;
+        return info.id;
+    }
+    return null;
+}
+function normalizeTraverse(value) {
+    return value.default ?? value;
+}