npm - pinata-security-cli - Versions diffs - 0.2.3 → 0.4.1 - Mend

pinata-security-cli 0.2.3 → 0.4.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/README.md +75 -12
package/dist/cli/index.js +1403 -29
package/dist/cli/index.js.map +1 -1
package/dist/index.d.ts +1 -1
package/dist/index.js +1 -1
package/dist/index.js.map +1 -1
package/package.json +1 -1
package/src/categories/definitions/security/dependency-risks.yml +70 -0
package/src/categories/definitions/security/hardcoded-secrets.yml +43 -0
package/src/categories/definitions/security/prompt-injection.yml +384 -0
package/src/categories/definitions/security/sql-injection.yml +29 -0

package/README.md CHANGED Viewed

@@ -1,6 +1,6 @@
 # Pinata
-AI-powered security scanner that finds vulnerabilities hiding in your codebase. 45 detection categories across security, data integrity, concurrency, and performance domains.
+AI-powered security scanner that finds vulnerabilities hiding in your codebase. 47 detection categories across security, data integrity, concurrency, and performance domains.
 ## Quick Start
@@ -42,20 +42,21 @@ pinata analyze .
 ```bash
 pinata analyze .                    # Fast scan
 pinata analyze . --verify           # AI-verified scan
+pinata analyze . --execute          # Dynamic execution (requires Docker)
+pinata analyze . --execute --dry-run  # Preview tests without running
 pinata analyze . --confidence low   # Include all matches
 pinata analyze . --output json      # JSON output
 pinata analyze . --output sarif     # SARIF for GitHub
 pinata generate --gaps              # Generate tests for gaps
-pinata explain sql-injection src/db.ts:45   # AI explanation
-pinata dashboard                    # Interactive TUI
+pinata audit-deps                   # Check npm dependencies
 pinata config set anthropic-api-key sk-ant-xxx
 ```
 ## Detection Categories
-45 categories across 7 risk domains:
+47 categories across 7 risk domains:
-**Security (16)** - SQL injection, XSS, command injection, path traversal, SSRF, XXE, CSRF, deserialization, hardcoded secrets, LDAP injection, timing attacks, auth failures, file upload, data exposure, rate limiting, dependency risks
+**Security (17)** - SQL injection, XSS, command injection, path traversal, SSRF, XXE, CSRF, deserialization, hardcoded secrets, LDAP injection, timing attacks, auth failures, file upload, data exposure, rate limiting, dependency risks, prompt injection
 **Data (8)** - Data race, truncation, precision loss, validation, null handling, encoding, schema migration, bulk operations
@@ -85,9 +86,12 @@ dist/
 ```bash
 --verify              # AI verification (requires API key)
+--execute             # Dynamic test execution (requires Docker)
+--dry-run             # Preview generated tests without running
 --confidence <level>  # high (default), medium, low
 --output <format>     # terminal, json, sarif, junit, markdown
---domain <domain>     # security, data, concurrency, etc.
+--output-file <path>  # Write results to file (for SARIF upload)
+--domains <domains>   # security, data, concurrency, etc.
 --severity <level>    # critical, high, medium, low
 --exclude <dirs>      # Comma-separated directories to skip
 ```
@@ -114,23 +118,82 @@ pinata analyze . --verify
 **Performance:** ~2.5 minutes for 350 matches (batched 10/request, 3 concurrent)
+## Dynamic Execution (Layer 5)
+The `--execute` flag runs generated exploit tests in a Docker sandbox to **prove** vulnerabilities exist:
+```bash
+# Requires Docker
+pinata analyze . --execute
+# Preview tests without running
+pinata analyze . --execute --dry-run
+```
+**How it works:**
+- Generates exploit tests for each vulnerability
+- Runs tests in isolated Docker container (no network, limited resources)
+- Reports **CONFIRMED** vs **POTENTIAL** vulnerabilities
+- Evidence includes payload and actual exploit result
+**Testable vulnerability types:**
+- SQL injection (boolean blind, UNION attacks)
+- XSS (script injection, innerHTML)
+- Command injection (shell metacharacters)
+- Path traversal (../ attacks)
+**Security constraints:**
+- Network disabled (no exfiltration)
+- 1 CPU, 512MB RAM, 30s timeout
+- Read-only filesystem, unprivileged user
+- No capabilities
 ## CI/CD Integration
-**GitHub Actions**
+**GitHub Action (recommended)**
 ```yaml
 name: Security Scan
 on: [push, pull_request]
 jobs:
-  pinata:
+  security:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
     steps:
       - uses: actions/checkout@v4
-      - name: Run Pinata
-        run: npx --yes pinata-security-cli@latest analyze . --output sarif > results.sarif
-      - uses: github/codeql-action/upload-sarif@v3
+      - uses: christiancattaneo/pinata-security@v1
         with:
-          sarif_file: results.sarif
+          confidence: high
+          sarif-output: pinata.sarif
+      # Optional: AI verification
+      # with:
+      #   verify: true
+      # env:
+      #   ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
+```
+**Action inputs:**
+- `path` - Directory to scan (default: `.`)
+- `confidence` - high, medium, low (default: `high`)
+- `domains` - Comma-separated domains to scan
+- `verify` - Enable AI verification (default: `false`)
+- `fail-on-gaps` - Fail if gaps found (default: `true`)
+- `sarif-output` - Path for SARIF file (auto-uploads to GitHub Security)
+**Action outputs:**
+- `score` - Pinata score (0-100)
+- `gaps` - Number of gaps found
+- `sarif-file` - Path to SARIF file
+**Manual workflow (any CI)**
+```yaml
+- run: npx --yes pinata-security-cli@latest analyze . --output sarif --output-file results.sarif
+- uses: github/codeql-action/upload-sarif@v3
+  with:
+    sarif_file: results.sarif
 ```
 **GitLab CI**