npm - pr-checkmate - Versions diffs - 1.9.4 → 1.9.5 - Mend

pr-checkmate 1.9.4 → 1.9.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md +2 -0
package/dist/config/constants.js +1 -0
package/dist/scripts/index.js +0 -1
package/dist/scripts/security.js +94 -19
package/package.json +2 -1

package/README.md CHANGED Viewed

@@ -40,6 +40,8 @@ npx pr-checkmate <job>
 | `prettier` | Format code using Prettier |
 | `deps`     | Check project dependencies |
 | `spellcheck` | Run spellcheck via cspell |
+| `security` | Run security scan for secrets |
 <br>
 ## 📦 Example GitHub Actions Workflow

package/dist/config/constants.js CHANGED Viewed

@@ -77,5 +77,6 @@ exports.DEFAULT_COMMANDS = {
     'npx pr-checkmate lint': 'Lint code using ESLint',
     'npx pr-checkmate prettier': 'Format code using Prettier',
     'npx pr-checkmate deps': 'Check project dependencies',
+    'npx pr-checkmate security': 'Security scan',
     'npx pr-checkmate spellcheck': 'Run spellcheck via cspell',
 };

package/dist/scripts/index.js CHANGED Viewed

@@ -33,7 +33,6 @@ async function runJob(jobName) {
             case 'all':
                 await (0, lint_1.runLint)();
                 await (0, dependency_check_1.runDependencyCheck)();
-                // await runSecurityScan();
                 try {
                     await (0, prettier_autoformat_1.runPrettier)();
                 }

package/dist/scripts/security.js CHANGED Viewed

@@ -1,35 +1,110 @@
 "use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.runSecurityScan = runSecurityScan;
 const execa_1 = require("execa");
 const utils_1 = require("../utils");
-const fs_1 = require("fs");
-const child_process_1 = require("child_process");
+const node_fs_1 = require("node:fs");
+const node_child_process_1 = require("node:child_process");
+const node_path_1 = __importDefault(require("node:path"));
+/**
+ * Get HEAD SHA from git
+ */
+function getHeadSha() {
+    try {
+        return (0, node_child_process_1.execSync)('git rev-parse HEAD', { encoding: 'utf-8' }).trim();
+    }
+    catch (err) {
+        utils_1.logger.warn(`⚠️ Could not determine HEAD SHA from git\n${err}`);
+        return null;
+    }
+}
+/**
+ * Get BASE SHA (for PR) or parent commit (for push)
+ */
+function getBaseSha() {
+    const eventName = process.env.GITHUB_EVENT_NAME;
+    const eventPath = process.env.GITHUB_EVENT_PATH;
+    try {
+        if (eventName === 'pull_request' && eventPath && (0, node_fs_1.existsSync)(eventPath)) {
+            // For PR: use pull_request.base.sha from GitHub event
+            const fs = require('node:fs');
+            const event = JSON.parse(fs.readFileSync(eventPath, 'utf-8'));
+            const baseSha = event?.pull_request?.base?.sha;
+            if (baseSha) {
+                utils_1.logger.info(`[getBaseSha]: ℹ️ Using PR base SHA: ${baseSha}`);
+                return baseSha;
+            }
+        }
+    }
+    catch (err) {
+        utils_1.logger.warn(`[getBaseSha]: ⚠️ Could not read GitHub event, trying git parent commit
+      ${err}`);
+    }
+    // For push: use parent commit
+    try {
+        return (0, node_child_process_1.execSync)('git rev-parse HEAD^', { encoding: 'utf-8' }).trim();
+    }
+    catch (err) {
+        utils_1.logger.warn(`⚠️ Could not determine BASE SHA (might be first commit)\n${err}`);
+        return null;
+    }
+}
+/**
+ * Check if gitleaks-secret-scanner is installed locally
+ */
+function getGitleaksCommand() {
+    const localPath = node_path_1.default.join(process.cwd(), 'node_modules', '.bin', 'gitleaks-secret-scanner');
+    if ((0, node_fs_1.existsSync)(localPath)) {
+        utils_1.logger.info('[getGitleaksCommand]: 📦 Using local gitleaks-secret-scanner');
+        return localPath;
+    }
+    utils_1.logger.info('[getGitleaksCommand]: 📥 Using npx gitleaks-secret-scanner');
+    return 'npx';
+}
+/**
+ * Run security scan for secrets
+ */
 async function runSecurityScan() {
-    utils_1.logger.info('🔐 Running secret scan with gitleaks-secret-scanner...');
+    utils_1.logger.info('🔐 Running security scan with gitleaks-secret-scanner...');
     try {
-        let headSha = process.env.HEAD_SHA;
+        // Set up environment variables
+        const headSha = getHeadSha();
         if (!headSha) {
-            try {
-                headSha = (0, child_process_1.execSync)('git rev-parse HEAD').toString().trim();
-                process.env.HEAD_SHA = headSha;
-                utils_1.logger.info(`ℹ️ Detected HEAD_SHA=${headSha}`);
-            }
-            catch {
-                utils_1.logger.warn('⚠️ Could not determine HEAD SHA, skipping diff-mode ci');
-            }
+            utils_1.logger.warn('⚠️ Could not determine HEAD SHA, security scan may not work properly');
         }
-        const cmd = (0, fs_1.existsSync)('node_modules/.bin/gitleaks-secret-scanner')
-            ? './node_modules/.bin/gitleaks-secret-scanner'
-            : 'npx gitleaks-secret-scanner';
-        await (0, execa_1.execa)(cmd, ['--diff-mode', 'ci', '--html-report', 'gitleaks-report.html'], {
+        const baseSha = getBaseSha();
+        if (!baseSha) {
+            utils_1.logger.warn('⚠️ Could not determine BASE SHA, will scan all commits');
+        }
+        // Prepare environment
+        const env = {
+            ...process.env,
+            ...(headSha && { HEAD_SHA: headSha }),
+            ...(baseSha && { BASE_SHA: baseSha }),
+        };
+        // Get gitleaks command
+        const cmd = getGitleaksCommand();
+        const args = cmd === 'npx' ? ['gitleaks-secret-scanner', '--diff-mode', 'ci'] : ['--diff-mode', 'ci'];
+        utils_1.logger.info(`Running: ${cmd} ${args.join(' ')}`);
+        utils_1.logger.info(`HEAD_SHA=${env.HEAD_SHA || 'auto-detect'}, BASE_SHA=${env.BASE_SHA || 'auto-detect'}`);
+        await (0, execa_1.execa)(cmd, args, {
             stdio: 'inherit',
-            env: process.env,
+            env,
         });
-        utils_1.logger.info('✅ Secret scan completed');
+        utils_1.logger.info('✅ Security scan completed successfully');
     }
     catch (err) {
-        utils_1.logger.error('❌ Secrets found or scan failed');
+        // gitleaks returns exit code 1 if secrets are found
+        // This is expected behavior, we should inform but not necessarily crash
+        if (err instanceof Error && 'exitCode' in err && err.exitCode === 1) {
+            utils_1.logger.warn('⚠️ gitleaks found potential secrets - please review gitleaks-report.html');
+            utils_1.logger.warn('💡 If this is a false positive, add it to .gitleaksignore');
+            throw err; // Still throw to fail the CI
+        }
+        utils_1.logger.error('[runSecurityScan]: ❌ Security scan failed');
         throw err;
     }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
     "name": "pr-checkmate",
-    "version": "1.9.4",
+    "version": "1.9.5",
     "description": "Automated PR quality checks: linting, formatting, dependency analysis, and spellcheck",
     "keywords": [
         "github-actions",
@@ -37,6 +37,7 @@
         "spellcheck": "cspell '**/*.{ts,tsx,js,jsx,md,json}' --no-progress",
         "scan:secrets": "gitleaks-secret-scanner --diff-mode ci --html-report gitleaks-report.html",
         "test": "echo 'Tests coming soon'",
+        "security-scan": "npx pr-checkmate security",
         "clean": "rm -rf dist",
         "release": "standard-version"
     },