preflyt-check 1.0.0

package/README.md

@@ -0,0 +1,127 @@
+# preflyt-check
+
+Pre-deployment security scanner for your deploy pipeline. Scans your live site for exposed `.env` files, open database ports, missing security headers, and other misconfigurations -- in under 30 seconds, with zero dependencies.
+
+## Quick start
+
+```bash
+npx preflyt-check https://mysite.com
+```
+
+No install needed. No signup needed. 3 free scans.
+
+## With a Pro API key
+
+```bash
+npx preflyt-check https://mysite.com --key sk_live_xxx
+```
+
+Get your Pro key at [preflyt.dev/pricing](https://preflyt.dev/pricing) for unlimited scans.
+
+## Options
+
+| Flag | Description |
+|---|---|
+| `--key`, `-k` | Pro API key for unlimited scans |
+| `--fail` | Exit code 1 if issues found (default: off) |
+| `--fail-on <level>` | Minimum severity to fail on: `high`, `medium`, `low` (default: `high`) |
+| `--quiet`, `-q` | Minimal output, just pass/fail |
+| `--json` | Output raw JSON instead of formatted text |
+| `--timeout <sec>` | Scan timeout in seconds (default: 60) |
+| `--help`, `-h` | Show usage |
+
+## Exit codes
+
+Preflyt will never block your deploy due to our own errors. Exit code 1 only occurs when you explicitly use `--fail` and real issues are confirmed.
+
+| Exit code | When |
+|---|---|
+| `0` | Scan clean, scan errored, timed out, API unreachable, limit reached, or `--fail` not set |
+| `1` | `--fail` set AND scan succeeded AND findings match `--fail-on` severity |
+
+## Examples
+
+### Bare deploy script
+
+```bash
+#!/bin/bash
+# deploy.sh
+git push production main
+npx preflyt-check https://mysite.com
+```
+
+### package.json post-deploy
+
+```json
+{
+  "scripts": {
+    "deploy": "vercel --prod",
+    "postdeploy": "npx preflyt-check https://mysite.com"
+  }
+}
+```
+
+### GitHub Actions
+
+```yaml
+- name: Deploy
+  run: npm run deploy
+
+- name: Security check
+  run: npx preflyt-check https://mysite.com --fail --fail-on high
+  env:
+    # Optional: store key in GitHub Secrets
+    PREFLYT_KEY: ${{ secrets.PREFLYT_KEY }}
+  # Only fail on high-severity issues
+```
+
+### GitHub Actions (with Pro key)
+
+```yaml
+- name: Security check
+  run: npx preflyt-check https://mysite.com --key $PREFLYT_KEY --fail
+  env:
+    PREFLYT_KEY: ${{ secrets.PREFLYT_KEY }}
+```
+
+### Docker
+
+```dockerfile
+RUN npm install -g preflyt-check
+# In your entrypoint or health check:
+CMD ["sh", "-c", "preflyt-check https://mysite.com && node server.js"]
+```
+
+## Programmatic usage
+
+```javascript
+const { scan } = require("preflyt-check");
+
+const result = await scan("https://mysite.com", {
+  apiKey: "sk_live_xxx", // optional
+  timeout: 60,           // optional, seconds
+});
+
+console.log(result.status);       // "clean" | "issues_found" | "error"
+console.log(result.total_issues); // number
+console.log(result.findings);     // array of { title, severity, category }
+```
+
+## What it checks
+
+- Exposed .env, .git, backup files, source maps, phpinfo
+- Open database ports (MySQL, PostgreSQL, MongoDB, Redis)
+- Exposed dev servers and admin tools
+- Missing security headers (HSTS, CSP, X-Frame-Options)
+- CORS misconfiguration
+- Insecure cookies
+- Server version leakage
+
+## Zero dependencies
+
+This package uses only Node.js built-in modules. No `node_modules` tree, no supply chain risk, instant install.
+
+## Links
+
+- Website: [preflyt.dev](https://preflyt.dev)
+- Pricing: [preflyt.dev/pricing](https://preflyt.dev/pricing)

package/bin/preflyt-check.js

@@ -0,0 +1,354 @@
+#!/usr/bin/env node
+"use strict";
+
+// ── Zero-dependency CLI for Preflyt security scanning ────────────────────────
+// Uses only Node.js built-in modules. No node_modules required.
+
+var https = require("https");
+var http = require("http");
+var URL = require("url").URL;
+
+var API_URL = "https://api.preflyt.dev/api/scan/cli";
+var VERSION = "1.0.0";
+
+var SEVERITY_RANK = { critical: 4, high: 3, medium: 2, low: 1, info: 0 };
+
+// ── Arg parsing ──────────────────────────────────────────────────────────────
+
+function parseArgs(argv) {
+  var args = {
+    url: null,
+    key: null,
+    fail: false,
+    failOn: "high",
+    quiet: false,
+    json: false,
+    timeout: 60,
+    help: false,
+  };
+
+  var i = 2; // skip node + script
+  while (i < argv.length) {
+    var arg = argv[i];
+
+    if (arg === "--help" || arg === "-h") {
+      args.help = true;
+    } else if (arg === "--fail") {
+      args.fail = true;
+    } else if (arg === "--quiet" || arg === "-q") {
+      args.quiet = true;
+    } else if (arg === "--json") {
+      args.json = true;
+    } else if (arg === "--key" || arg === "-k") {
+      i++;
+      args.key = argv[i] || null;
+    } else if (arg === "--fail-on") {
+      i++;
+      args.failOn = argv[i] || "high";
+    } else if (arg === "--timeout") {
+      i++;
+      args.timeout = parseInt(argv[i], 10) || 60;
+    } else if (!arg.startsWith("-") && !args.url) {
+      args.url = arg;
+    }
+    i++;
+  }
+
+  return args;
+}
+
+// ── Output helpers ───────────────────────────────────────────────────────────
+
+var CATEGORY_LABELS = {
+  file_exposure: "File & Code Exposure",
+  server_network: "Server & Network Security",
+  http_hardening: "HTTP Hardening",
+};
+
+var SEVERITY_LABELS = {
+  critical: "CRIT",
+  high: "HIGH",
+  medium: "MEDIUM",
+  low: "LOW",
+  info: "INFO",
+};
+
+function padRight(str, len) {
+  while (str.length < len) str += " ";
+  return str;
+}
+
+function printHelp() {
+  console.log("");
+  console.log("  preflyt-check <url> [options]");
+  console.log("");
+  console.log("  Pre-deployment security scanner. Checks your live site for");
+  console.log("  exposed secrets, open ports, and misconfigurations.");
+  console.log("");
+  console.log("  Options:");
+  console.log("    --key, -k <key>     Pro API key for unlimited scans");
+  console.log("    --fail              Exit code 1 if issues found");
+  console.log("    --fail-on <level>   Minimum severity to fail on (high, medium, low)");
+  console.log("    --quiet, -q         Minimal output, just pass/fail");
+  console.log("    --json              Output raw JSON");
+  console.log("    --timeout <sec>     Scan timeout in seconds (default: 60)");
+  console.log("    --help, -h          Show this help");
+  console.log("");
+  console.log("  Examples:");
+  console.log("    npx preflyt-check https://mysite.com");
+  console.log("    npx preflyt-check https://mysite.com --key sk_live_xxx");
+  console.log("    npx preflyt-check https://mysite.com --fail --fail-on medium");
+  console.log("");
+  console.log("  https://preflyt.dev");
+  console.log("");
+}
+
+function printResults(data, args) {
+  // JSON mode — raw output
+  if (args.json) {
+    console.log(JSON.stringify(data, null, 2));
+    return;
+  }
+
+  var timeStr = data.scan_time_seconds ? "(" + data.scan_time_seconds + "s)" : "";
+
+  // Limit reached
+  if (data.status === "limit_reached") {
+    console.log("");
+    console.log("  \u24D8 Free scan limit reached (3/3 used).");
+    console.log("");
+    console.log("  Get unlimited CLI scans with Pro - $9.99/mo");
+    console.log("  https://preflyt.dev/pricing");
+    console.log("");
+    console.log("  Tip: Add --key YOUR_KEY for unlimited scans.");
+    console.log("");
+    console.log("  Deploy continues. No issues blocked.");
+    console.log("");
+    return;
+  }
+
+  // Error
+  if (data.status === "error") {
+    console.log("");
+    console.log("  \u26A0\uFE0F  Scan could not complete: " + (data.message || "unknown error"));
+    console.log("");
+    console.log("  Deploy continues. No issues blocked.");
+    console.log("");
+    return;
+  }
+
+  // Quiet mode
+  if (args.quiet) {
+    if (data.status === "clean") {
+      console.log("  \u2705 All clear. " + timeStr);
+    } else {
+      console.log("  \u26A0\uFE0F  " + data.total_issues + " issue" + (data.total_issues !== 1 ? "s" : "") + " found. " + timeStr);
+    }
+    return;
+  }
+
+  // Full output — category summary
+  console.log("");
+  var cats = data.categories || {};
+  var order = ["file_exposure", "server_network", "http_hardening"];
+
+  for (var c = 0; c < order.length; c++) {
+    var key = order[c];
+    var cat = cats[key];
+    var label = CATEGORY_LABELS[key] || key;
+    if (!cat || cat.status === "clean") {
+      console.log("  \u2713 " + padRight(label, 28) + " - clean");
+    } else {
+      console.log("  \u2717 " + padRight(label, 28) + " - " + cat.count + " issue" + (cat.count !== 1 ? "s" : ""));
+    }
+  }
+
+  // Clean
+  if (data.status === "clean") {
+    console.log("");
+    console.log("  \u2705 All clear. Ship it.  " + timeStr);
+    console.log("");
+    return;
+  }
+
+  // Issues
+  console.log("");
+  console.log("  \u26A0\uFE0F  " + data.total_issues + " issue" + (data.total_issues !== 1 ? "s" : "") + " found:");
+  console.log("");
+
+  var findings = data.findings || [];
+  // Sort by severity descending
+  findings.sort(function (a, b) {
+    return (SEVERITY_RANK[b.severity] || 0) - (SEVERITY_RANK[a.severity] || 0);
+  });
+
+  for (var f = 0; f < findings.length; f++) {
+    var finding = findings[f];
+    var sevLabel = SEVERITY_LABELS[finding.severity] || finding.severity.toUpperCase();
+    console.log("  " + padRight(sevLabel, 8) + finding.title);
+  }
+
+  console.log("");
+  console.log("  Details: https://preflyt.dev  " + timeStr);
+  console.log("");
+}
+
+// ── HTTP request ─────────────────────────────────────────────────────────────
+
+function doScan(url, apiKey, timeoutSec) {
+  return new Promise(function (resolve, reject) {
+    var payload = JSON.stringify({
+      url: url,
+      api_key: apiKey || null,
+    });
+
+    var parsed = new URL(API_URL);
+    var reqModule = parsed.protocol === "https:" ? https : http;
+
+    var reqOpts = {
+      hostname: parsed.hostname,
+      port: parsed.port || (parsed.protocol === "https:" ? 443 : 80),
+      path: parsed.pathname,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+        "User-Agent": "preflyt-check/" + VERSION,
+      },
+    };
+
+    var timeoutMs = timeoutSec * 1000;
+
+    var timer = setTimeout(function () {
+      req.destroy();
+      reject(new Error("timeout"));
+    }, timeoutMs);
+
+    var req = reqModule.request(reqOpts, function (res) {
+      var chunks = [];
+      res.on("data", function (chunk) {
+        chunks.push(chunk);
+      });
+      res.on("end", function () {
+        clearTimeout(timer);
+        var body = Buffer.concat(chunks).toString();
+        if (res.statusCode !== 200) {
+          try {
+            var errData = JSON.parse(body);
+            reject(new Error(errData.detail || errData.message || "HTTP " + res.statusCode));
+          } catch (_e) {
+            reject(new Error("HTTP " + res.statusCode));
+          }
+          return;
+        }
+        try {
+          resolve(JSON.parse(body));
+        } catch (_e) {
+          reject(new Error("Invalid JSON response"));
+        }
+      });
+    });
+
+    req.on("error", function (err) {
+      clearTimeout(timer);
+      reject(err);
+    });
+
+    req.write(payload);
+    req.end();
+  });
+}
+
+// ── Exit code logic ──────────────────────────────────────────────────────────
+
+function shouldFail(data, args) {
+  // Exit 1 ONLY when ALL conditions are true:
+  // 1. --fail flag explicitly set
+  // 2. Scan completed successfully (status is clean or issues_found)
+  // 3. At least one finding meets or exceeds --fail-on severity
+  if (!args.fail) return false;
+  if (data.status !== "issues_found") return false;
+
+  var threshold = SEVERITY_RANK[args.failOn] || SEVERITY_RANK.high;
+  var findings = data.findings || [];
+
+  for (var i = 0; i < findings.length; i++) {
+    var rank = SEVERITY_RANK[findings[i].severity] || 0;
+    if (rank >= threshold) return true;
+  }
+
+  return false;
+}
+
+// ── Main ─────────────────────────────────────────────────────────────────────
+
+async function main() {
+  var args = parseArgs(process.argv);
+
+  if (args.help) {
+    printHelp();
+    process.exit(0);
+  }
+
+  if (!args.url) {
+    printHelp();
+    process.exit(0);
+  }
+
+  // Basic URL validation
+  try {
+    var parsed = new URL(args.url);
+    if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
+      console.log("");
+      console.log("  URL must start with http:// or https://");
+      console.log("");
+      process.exit(0);
+    }
+  } catch (_e) {
+    console.log("");
+    console.log("  Invalid URL: " + args.url);
+    console.log("  URL must start with http:// or https://");
+    console.log("");
+    process.exit(0);
+  }
+
+  if (!args.json) {
+    console.log("");
+    console.log("\uD83D\uDD0D Preflyt scanning " + args.url + "...");
+  }
+
+  try {
+    var data = await doScan(args.url, args.key, args.timeout);
+    printResults(data, args);
+
+    if (shouldFail(data, args)) {
+      process.exit(1);
+    }
+    process.exit(0);
+  } catch (err) {
+    if (!args.json) {
+      console.log("");
+      console.log("  \u26A0\uFE0F  Scan could not complete: " + err.message);
+      console.log("");
+      console.log("  Deploy continues. No issues blocked.");
+      console.log("");
+    } else {
+      console.log(JSON.stringify({
+        status: "error",
+        url: args.url,
+        message: err.message,
+      }));
+    }
+    // Always exit 0 on errors — never block a deploy due to our own failures
+    process.exit(0);
+  }
+}
+
+// Wrap everything — any uncaught exception exits 0
+try {
+  main();
+} catch (err) {
+  console.error("  Preflyt encountered an unexpected error: " + err.message);
+  console.error("  Deploy continues. No issues blocked.");
+  process.exit(0);
+}

package/package.json

@@ -0,0 +1,17 @@
+{
+  "name": "preflyt-check",
+  "version": "1.0.0",
+  "description": "Pre-deployment security scanner. Checks your live site for exposed secrets, open ports, and misconfigurations.",
+  "bin": {
+    "preflyt-check": "./bin/preflyt-check.js"
+  },
+  "main": "src/index.js",
+  "keywords": ["security", "deployment", "scanner", "preflyt", "env", "exposed", "ports"],
+  "author": "Preflyt",
+  "license": "MIT",
+  "homepage": "https://preflyt.dev",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/doureios39/preflyt-check"
+  }
+}

package/src/index.js

@@ -0,0 +1,83 @@
+"use strict";
+
+const https = require("https");
+const http = require("http");
+const { URL } = require("url");
+
+const API_URL = "https://api.preflyt.dev/api/scan/cli";
+
+/**
+ * Run a Preflyt scan programmatically.
+ *
+ * @param {string} url - The URL to scan.
+ * @param {object} [opts] - Options.
+ * @param {string} [opts.apiKey] - Pro API key for unlimited scans.
+ * @param {number} [opts.timeout] - Timeout in seconds (default 60).
+ * @returns {Promise<object>} The scan result.
+ */
+function scan(url, opts) {
+  opts = opts || {};
+  var timeout = (opts.timeout || 60) * 1000;
+
+  return new Promise(function (resolve, reject) {
+    var payload = JSON.stringify({
+      url: url,
+      api_key: opts.apiKey || null,
+    });
+
+    var parsed = new URL(API_URL);
+    var reqModule = parsed.protocol === "https:" ? https : http;
+
+    var reqOpts = {
+      hostname: parsed.hostname,
+      port: parsed.port || (parsed.protocol === "https:" ? 443 : 80),
+      path: parsed.pathname,
+      method: "POST",
+      headers: {
+        "Content-Type": "application/json",
+        "Content-Length": Buffer.byteLength(payload),
+        "User-Agent": "preflyt-check/1.0.0",
+      },
+    };
+
+    var timer = setTimeout(function () {
+      req.destroy();
+      reject(new Error("timeout"));
+    }, timeout);
+
+    var req = reqModule.request(reqOpts, function (res) {
+      var chunks = [];
+      res.on("data", function (chunk) {
+        chunks.push(chunk);
+      });
+      res.on("end", function () {
+        clearTimeout(timer);
+        var body = Buffer.concat(chunks).toString();
+        if (res.statusCode !== 200) {
+          try {
+            var errData = JSON.parse(body);
+            reject(new Error(errData.detail || errData.message || "HTTP " + res.statusCode));
+          } catch (_e) {
+            reject(new Error("HTTP " + res.statusCode));
+          }
+          return;
+        }
+        try {
+          resolve(JSON.parse(body));
+        } catch (_e) {
+          reject(new Error("Invalid JSON response"));
+        }
+      });
+    });
+
+    req.on("error", function (err) {
+      clearTimeout(timer);
+      reject(err);
+    });
+
+    req.write(payload);
+    req.end();
+  });
+}
+
+module.exports = { scan: scan };