opstruth 0.1.3 → 0.2.0

package/src/lib/scan.js

@@ -1,10 +1,45 @@
 import path from 'node:path';
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
 import { walkFiles, readText, readJson, pathExists } from './fs.js';
 import { redact } from './redact.js';
 import { mergeIgnores } from './boundary.js';
 
+const execFileAsync = promisify(execFile);
+
 export const DEFAULT_SKIP_DIRS = mergeIgnores();
-export const RISK_PATTERNS = [/OPENAI_API_KEY/i, /SUPABASE_SERVICE_ROLE_KEY/i, /service_role/i, /access_token/i, /refresh_token/i, /client_secret/i, /private_key/i, /webhook_secret/i, /api_key/i, /bearer/i, /authorization/i];
+export const SECRET_CATEGORIES = [
+  'actionable_source_finding',
+  'documentation_reference',
+  'placeholder_or_example',
+  'local_only_file',
+  'generated_artifact',
+  'dependency_or_lockfile',
+  'ignored_binary',
+  'unknown_requires_review'
+];
+
+export const RISK_PATTERNS = [
+  { label: 'OPENAI_API_KEY', regex: /OPENAI_API_KEY/i },
+  { label: 'SUPABASE_SERVICE_ROLE_KEY', regex: /SUPABASE_SERVICE_ROLE_KEY/i },
+  { label: 'service_role', regex: /service_role/i },
+  { label: 'access_token', regex: /access_token/i },
+  { label: 'refresh_token', regex: /refresh_token/i },
+  { label: 'client_secret', regex: /client_secret/i },
+  { label: 'private_key', regex: /private_key/i },
+  { label: 'webhook_secret', regex: /webhook_secret/i },
+  { label: 'api_key', regex: /api_key/i },
+  { label: 'bearer', regex: /bearer/i },
+  { label: 'authorization', regex: /authorization/i },
+  { label: 'GH_TOKEN', regex: /GH_TOKEN/i },
+  { label: 'GITHUB_TOKEN', regex: /GITHUB_TOKEN/i },
+  { label: 'SUPABASE_ACCESS_TOKEN', regex: /SUPABASE_ACCESS_TOKEN/i },
+  { label: 'IMPORT_REDDIT_TIPS_SECRET', regex: /IMPORT_REDDIT_TIPS_SECRET/i },
+  { label: 'NPM_TOKEN', regex: /NPM_TOKEN/i },
+  { label: 'jwt_like', regex: /eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+/ },
+  { label: 'unknown_token_like', regex: /\b[A-Za-z0-9_-]{40,}\b/ }
+];
+
 const OPSTRUTH_SCANNER_FILES = new Set([
   'src/lib/redact.js',
   'src/lib/scan.js',
@@ -16,6 +51,7 @@ const OPSTRUTH_SCANNER_FILES = new Set([
   'cli/test/typescript-compatibility.test.js',
   'fixtures/risky-secret-app/src/config.js'
 ]);
+
 const FIXTURE_PACKAGE_NAMES = new Set([
   'plain-node-app',
   'vite-react-app',
@@ -30,23 +66,97 @@ const FIXTURE_PACKAGE_NAMES = new Set([
   'route-config-app'
 ]);
 
-export function isLikelyText(file) { return /\.(js|mjs|cjs|ts|tsx|jsx|json|jsonc|toml|yml|yaml|md|txt|env|sql|html|css)$/i.test(file) || !path.extname(file); }
+const LOCKFILE_NAMES = new Set(['package-lock.json', 'npm-shrinkwrap.json', 'pnpm-lock.yaml', 'yarn.lock', 'bun.lock', 'bun.lockb']);
+const GENERATED_PREFIXES = ['dist/', 'dist-ssr/', 'build/', '.next/', '.cache/', 'coverage/'];
+const DEPENDENCY_PREFIXES = ['node_modules/'];
+
+export function isLikelyText(file) {
+  return /\.(js|mjs|cjs|ts|tsx|jsx|json|jsonc|toml|yml|yaml|md|txt|env|sql|html|css)$/i.test(file) || !path.extname(file);
+}
 
 function matchesAllowlist(file, line, { allowlistPaths = [], allowlistPatterns = [] } = {}) {
   if (allowlistPaths.some((item) => file === item || file.startsWith(item.replace(/\/$/, '') + '/'))) return true;
   return allowlistPatterns.some((pattern) => {
-    try { return new RegExp(pattern).test(line) || new RegExp(pattern).test(file); } catch { return false; }
+    try {
+      return new RegExp(pattern).test(line) || new RegExp(pattern).test(file);
+    } catch {
+      return false;
+    }
   });
 }
 
-function classifySecretLine(line) {
-  if (/[=:]\s*["']?[^"'\s;]+/.test(line)) return 'secret-like value';
+function isDocumentationFile(file) {
+  return file === 'README.md' || file.endsWith('/README.md') || file.startsWith('docs/') || file.startsWith('cli/docs/') || /\.md$/i.test(file);
+}
+
+function isGeneratedPath(file) {
+  return GENERATED_PREFIXES.some((prefix) => file.startsWith(prefix));
+}
+
+function isDependencyPath(file) {
+  return DEPENDENCY_PREFIXES.some((prefix) => file.startsWith(prefix));
+}
+
+function isLockfile(file) {
+  return LOCKFILE_NAMES.has(path.basename(file));
+}
+
+function isEnvFile(file) {
+  return path.basename(file).startsWith('.env');
+}
+
+const SECRET_ASSIGNMENT_RE = /\b(?:const\s+|let\s+|var\s+|export\s+)?(?:OPENAI_API_KEY|SUPABASE_SERVICE_ROLE_KEY|GH_TOKEN|GITHUB_TOKEN|SUPABASE_ACCESS_TOKEN|IMPORT_REDDIT_TIPS_SECRET|NPM_TOKEN|service_role|access_token|refresh_token|client_secret|private_key|webhook_secret|api_key|authorization|bearer)\b\s*[:=]\s*["']?([^"'\s;]+)/i;
+
+function hasAssignment(line) {
+  return SECRET_ASSIGNMENT_RE.test(line);
+}
+
+function assignedValue(line) {
+  const match = line.match(SECRET_ASSIGNMENT_RE);
+  return match?.[1] || '';
+}
+
+function isPlaceholderValue(line) {
+  const value = assignedValue(line).trim();
+  return /^(YOUR_[A-Z0-9_]+_HERE|__REDACTED_VALUE__|<[^>]*secret[^>]*>|example-only|\[REDACTED\]|REDACTED|\*{3,}|xxx+|placeholder)$/i.test(value);
+}
+
+function classifyKind(line) {
+  if (hasAssignment(line)) return 'secret-like value';
   return 'secret reference';
 }
 
+export function classifySecretReference({ file, line = '', pattern = '', tracked = false, rootContext = 'source file' } = {}) {
+  if (!isLikelyText(file)) {
+    return { category: 'ignored_binary', severity: 'skipped', status: 'skipped', kind: 'ignored binary', context: 'binary file' };
+  }
+  if (isDependencyPath(file) || isLockfile(file)) {
+    return { category: 'dependency_or_lockfile', severity: 'skipped', status: 'skipped', kind: 'ignored dependency/lockfile', context: 'dependency or lockfile' };
+  }
+  if (isGeneratedPath(file)) {
+    return { category: 'generated_artifact', severity: 'skipped', status: 'skipped', kind: 'ignored generated artifact', context: 'generated artifact' };
+  }
+  if (isEnvFile(file) && !tracked) {
+    return { category: 'local_only_file', severity: 'skipped', status: 'skipped', kind: 'local-only env file', context: 'local-only file' };
+  }
+  if (isPlaceholderValue(line)) {
+    return { category: 'placeholder_or_example', severity: 'info', status: 'info', kind: 'placeholder/example', context: classifySourceContext(file, rootContext) };
+  }
+  if (pattern === 'unknown_token_like') {
+    return { category: 'unknown_requires_review', severity: 'review', status: 'warn', kind: 'unknown token-like content', context: classifySourceContext(file, rootContext) };
+  }
+  if (isDocumentationFile(file) && !hasAssignment(line)) {
+    return { category: 'documentation_reference', severity: 'info', status: 'info', kind: 'documentation reference', context: 'documentation reference' };
+  }
+  if (isEnvFile(file) && tracked) {
+    return { category: 'actionable_source_finding', severity: 'review', status: 'warn', kind: classifyKind(line), context: 'tracked env file' };
+  }
+  return { category: 'actionable_source_finding', severity: 'review', status: 'warn', kind: classifyKind(line), context: classifySourceContext(file, rootContext) };
+}
+
 function classifySourceContext(file, rootContext = 'source file') {
   if (file.startsWith('fixtures/') || file.startsWith('cli/fixtures/')) return 'fixture/demo file';
-  if (file.startsWith('docs/') || file.startsWith('cli/docs/')) return 'documentation reference';
+  if (isDocumentationFile(file)) return 'documentation reference';
   return rootContext;
 }
 
@@ -78,37 +188,93 @@ async function isOpstruthRoot(root) {
   return false;
 }
 
-export async function scanRiskyReferences(root, { skipDirs = DEFAULT_SKIP_DIRS, allowlistPaths = [], allowlistPatterns = [] } = {}) {
+async function trackedFiles(root) {
+  try {
+    const { stdout } = await execFileAsync('git', ['ls-files'], { cwd: root });
+    return new Set(stdout.split(/\r?\n/).filter(Boolean).map((file) => file.replaceAll('\\', '/')));
+  } catch {
+    return new Set();
+  }
+}
+
+function emptySummary() {
+  return Object.fromEntries(SECRET_CATEGORIES.map((category) => [category, 0]));
+}
+
+function summaryText(summary) {
+  return [
+    `Actionable findings: ${summary.actionable_source_finding || 0}`,
+    `Documentation references: ${summary.documentation_reference || 0}`,
+    `Placeholders/examples: ${summary.placeholder_or_example || 0}`,
+    `Local-only files: ${summary.local_only_file || 0}`,
+    `Generated artifacts: ${summary.generated_artifact || 0}`,
+    `Dependency/lockfile paths: ${summary.dependency_or_lockfile || 0}`,
+    `Ignored binaries: ${summary.ignored_binary || 0}`,
+    `Unknown requiring review: ${summary.unknown_requires_review || 0}`
+  ].join('; ');
+}
+
+export function formatSecretSummary(summary = emptySummary()) {
+  return summaryText(summary);
+}
+
+export async function scanRiskyReferencesDetailed(root, { skipDirs = DEFAULT_SKIP_DIRS, allowlistPaths = [], allowlistPatterns = [] } = {}) {
   const files = await walkFiles(root, { skipDirs: mergeIgnores(skipDirs) });
+  const records = [];
   const findings = [];
+  const summary = emptySummary();
   const suppressInternalScannerDefinitions = await isOpstruthRoot(root);
   const rootContext = await classifyRootContext(root);
+  const tracked = await trackedFiles(root);
+
+  function record(item) {
+    summary[item.category] = (summary[item.category] || 0) + 1;
+    records.push(item);
+    if (item.status === 'warn' || item.status === 'fail') findings.push(item);
+  }
+
   for (const file of files) {
     if (suppressInternalScannerDefinitions && OPSTRUTH_SCANNER_FILES.has(file.rel)) continue;
+    const isTracked = tracked.has(file.rel);
+    const pathOnly = classifySecretReference({ file: file.rel, line: '', tracked: isTracked, rootContext });
+    if (pathOnly.category === 'ignored_binary' || pathOnly.category === 'dependency_or_lockfile' || pathOnly.category === 'generated_artifact') {
+      record({ file: file.rel, line: null, pattern: 'path', match: 'path', preview: '', excerpt: '', ...pathOnly });
+      continue;
+    }
+    if (pathOnly.category === 'local_only_file') {
+      record({ file: file.rel, line: null, pattern: 'env_file', match: 'env_file', preview: '', excerpt: '', ...pathOnly });
+      continue;
+    }
     if (!isLikelyText(file.rel)) continue;
-    if (path.basename(file.rel).startsWith('.env')) continue;
     let text = '';
-    try { text = await readText(file.full); } catch { continue; }
+    try {
+      text = await readText(file.full);
+    } catch {
+      continue;
+    }
     const lines = text.split(/\r?\n/);
     lines.forEach((line, index) => {
       if (matchesAllowlist(file.rel, line, { allowlistPaths, allowlistPatterns })) return;
-      for (const pattern of RISK_PATTERNS) {
-        if (pattern.test(line)) {
-          findings.push({
+      for (const matcher of RISK_PATTERNS) {
+        if (matcher.regex.test(line)) {
+          const classification = classifySecretReference({ file: file.rel, line, pattern: matcher.label, tracked: isTracked, rootContext });
+          record({
             file: file.rel,
             line: index + 1,
-            pattern: pattern.source.replaceAll('\\', ''),
-            match: pattern.source.replaceAll('\\', ''),
-            kind: classifySecretLine(line),
-            context: classifySourceContext(file.rel, rootContext),
+            pattern: matcher.label,
+            match: matcher.label,
             preview: redact(line.trim()).slice(0, 160),
             excerpt: redact(line.trim()).slice(0, 160),
-            severity: 'review'
+            ...classification
           });
           break;
         }
       }
     });
   }
-  return findings;
+  return { findings, records, summary, summaryText: summaryText(summary) };
+}
+
+export async function scanRiskyReferences(root, options = {}) {
+  return (await scanRiskyReferencesDetailed(root, options)).findings;
 }

package/src/orchestrator.js

@@ -1,4 +1,3 @@
-import path from 'node:path';
 import { runRepo } from './commands/repo.js';
 import { runSecrets } from './commands/secrets.js';
 import { runQuality } from './commands/quality.js';
@@ -6,11 +5,11 @@ import { runSupabase } from './commands/supabase.js';
 import { runCloudflare } from './commands/cloudflare.js';
 import { runRoutes } from './commands/routes.js';
 import { runLocal } from './commands/local.js';
+import { runGitHubCi } from './commands/github-ci.js';
 import { runEvidence } from './commands/evidence.js';
 import { createResult, finalizeStatus, worstStatus } from './lib/result.js';
 import { detectStack, hasSupabase, hasCloudflare } from './lib/detect.js';
-import { findDefaultRoutesConfig } from './lib/config.js';
-import { pathExists } from './lib/fs.js';
+import { findDefaultRoutesConfig, loadOpstruthConfig } from './lib/config.js';
 import { resolveProjectBoundary } from './lib/boundary.js';
 import { selectProbes } from './lib/probes.js';
 
@@ -48,12 +47,19 @@ function probeJson(probe) {
   };
 }
 
+function hasConfigLocalInputs(loadedConfig) {
+  if (loadedConfig.warning) return true;
+  const configLocal = loadedConfig.config?.local || {};
+  return Array.isArray(configLocal.ports) && configLocal.ports.length > 0;
+}
+
 export async function runOrchestrator(options = {}) {
   const startCwd = options.cwd || process.cwd();
   const boundary = await resolveProjectBoundary(startCwd);
   const cwd = boundary.root;
   const stack = await detectStack(cwd);
   const probeSelection = await selectProbes({ root: cwd, stack, boundary, options });
+  const loadedConfig = await loadOpstruthConfig(cwd);
   options = { ...options, cwd };
   const skip = new Set(options.skip || []);
   const childResults = [];
@@ -68,11 +74,14 @@ export async function runOrchestrator(options = {}) {
   else childResults.push(skippedResult('supabase', 'Supabase checks skipped because no supabase directory was detected.', 'Supabase database exposure was not checked'));
   if (await hasCloudflare(cwd)) await maybe('cloudflare', () => runCloudflare(options));
   else childResults.push(skippedResult('cloudflare', 'Cloudflare checks skipped because no Wrangler config was detected.', 'Cloudflare deployment configuration was not checked'));
+  const githubCiConfig = loadedConfig.config?.github?.ci || {};
+  if (options.githubCi || githubCiConfig.enabled === true) {
+    await maybe('github-ci', () => runGitHubCi({ ...options, workflow: options.workflow || githubCiConfig.workflow }));
+  }
   const routeConfig = await findDefaultRoutesConfig(cwd);
   if (options.baseUrl || options.routesFile || routeConfig) await maybe('routes', () => runRoutes(options));
   else childResults.push(skippedResult('routes', 'Route checks skipped because no base URL or routes config was provided.', 'Production/public route availability was not checked'));
-  const hasLocalConfig = await pathExists(path.join(cwd, 'opstruth.local.json'));
-  if (options.port?.length || options.healthProvided || options.process || options.service || hasLocalConfig) await maybe('local', () => runLocal(options));
+  if (options.port?.length || options.healthProvided || options.process || options.service || hasConfigLocalInputs(loadedConfig)) await maybe('local', () => runLocal(options));
   else childResults.push(skippedResult('local', 'Local runtime checks skipped because no port, health path, process, or service was provided.', 'Local runtime liveness was not checked'));
   const aggregate = createResult('opstruth', worstStatus(childResults.map((item) => item.status)), {
     summary: 'One-command read-only proof run completed.',