reposec 0.1.0

package/lib/scoring.ts

@@ -0,0 +1,58 @@
+import type { Finding, ScoreBand, Severity } from "./types";
+import { SEVERITY_WEIGHT } from "./rules";
+
+export const SCORE_START = 100;
+
+export function calculateScore(findings: Finding[]): number {
+  const total = findings.reduce(
+    (acc, f) => acc + (SEVERITY_WEIGHT[f.severity] ?? 0),
+    0,
+  );
+  return Math.max(0, Math.min(SCORE_START, SCORE_START - total));
+}
+
+export function scoreBand(score: number): ScoreBand {
+  if (score >= 90) return "excellent";
+  if (score >= 75) return "good";
+  if (score >= 55) return "fair";
+  if (score >= 30) return "weak";
+  return "critical";
+}
+
+export const BAND_LABELS: Record<ScoreBand, string> = {
+  excellent: "Excellent",
+  good: "Good",
+  fair: "Fair",
+  weak: "Weak",
+  critical: "Critical",
+};
+
+export const BAND_DESCRIPTIONS: Record<ScoreBand, string> = {
+  excellent: "Repository hygiene is strong. Keep the rules running on every PR.",
+  good: "Most hygiene rules pass. Address the high and medium items to reach excellent.",
+  fair: "Several gaps to close. Tackle the high-severity findings first.",
+  weak: "Many hygiene gaps detected. Treat the critical and high items as urgent.",
+  critical: "Hygiene is failing on several fronts. Stop new work and fix the high-risk items first.",
+};
+
+export const SEVERITY_ORDER: Severity[] = [
+  "critical",
+  "high",
+  "medium",
+  "low",
+  "info",
+];
+
+export function groupBySeverity(
+  findings: Finding[],
+): Record<Severity, Finding[]> {
+  const grouped: Record<Severity, Finding[]> = {
+    critical: [],
+    high: [],
+    medium: [],
+    low: [],
+    info: [],
+  };
+  for (const f of findings) grouped[f.severity].push(f);
+  return grouped;
+}

package/lib/types.ts

@@ -0,0 +1,133 @@
+export type Severity = "critical" | "high" | "medium" | "low" | "info";
+export type FindingConfidence = "verified" | "high" | "medium" | "low";
+
+export type FindingCategory =
+  | "environment"
+  | "documentation"
+  | "package"
+  | "github"
+  | "secret"
+  | "docker"
+  | "community"
+  | "ci"
+  | "metadata"
+  | "code"
+  | "dependencies";
+
+export interface Finding {
+  id: string;
+  title: string;
+  description: string;
+  severity: Severity;
+  category: FindingCategory;
+  confidence?: FindingConfidence;
+  fingerprint?: string;
+  verified?: boolean;
+  file?: string;
+  line?: number;
+  evidence?: string;
+  fix: string;
+  fixPrompt?: string;
+}
+
+export interface RepoFile {
+  path: string;
+  content: string;
+}
+
+export interface RepoMetadata {
+  owner: string;
+  repo: string;
+  defaultBranch: string;
+  description?: string | null;
+  stars?: number;
+  forks?: number;
+  openIssues?: number;
+  isPrivate: boolean;
+  htmlUrl: string;
+  homepageUrl?: string | null;
+  topics?: string[];
+  archived?: boolean;
+  isTemplate?: boolean;
+  language?: string | null;
+  sizeKb?: number;
+  pushedAt?: string;
+  updatedAt?: string;
+  createdAt?: string;
+  licenseSpdxId?: string | null;
+  licenseName?: string | null;
+}
+
+export interface RepoData {
+  metadata: RepoMetadata;
+  files: RepoFile[];
+  fileTree: string[];
+  workflows: string[];
+  hasDependabot: boolean;
+  hasWorkflows: boolean;
+  hasIssueTemplate: boolean;
+  hasCodeowners: boolean;
+  hasPullRequestTemplate: boolean;
+  hasDockerfile: boolean;
+  hasDockerignore: boolean;
+  hasChangelog: boolean;
+  hasContributing: boolean;
+  hasCodeOfConduct: boolean;
+  primaryLockfile: string | null;
+  extraLockfiles: string[];
+}
+
+export type CheckStatus = "pass" | "fail" | "warn" | "missing" | "info" | "skip";
+
+export interface CheckResult {
+  id: string;
+  category: FindingCategory;
+  title: string;
+  status: CheckStatus;
+  message: string;
+  file?: string;
+  line?: number;
+}
+
+export interface CategoryBreakdown {
+  total: number;
+  passed: number;
+  failed: number;
+}
+
+export interface ScanSummary {
+  totalChecks: number;
+  passed: number;
+  failed: number;
+  totalFindings: number;
+  filesChecked: number;
+  filesMissing: string[];
+  byCategory: Record<FindingCategory, CategoryBreakdown>;
+  checks: CheckResult[];
+}
+
+export interface FileGroup {
+  path: string;
+  findings: Finding[];
+  counts: Record<Severity, number>;
+}
+
+export interface ScanReport {
+  repo: RepoMetadata;
+  score: number;
+  scoreBand: ScoreBand;
+  summary: ScanSummary;
+  findings: Finding[];
+  filesChecked: string[];
+  fileGroups: FileGroup[];
+  scannedAt: string;
+  durationMs: number;
+}
+
+export type ScoreBand = "excellent" | "good" | "fair" | "weak" | "critical";
+
+export interface ParsedRepoUrl {
+  owner: string;
+  repo: string;
+  url: string;
+}

package/lib/utils.ts

@@ -0,0 +1,24 @@
+import { clsx, type ClassValue } from "clsx";
+import { twMerge } from "tailwind-merge";
+
+export function cn(...inputs: ClassValue[]) {
+  return twMerge(clsx(inputs));
+}
+
+export function formatNumber(value: number): string {
+  return new Intl.NumberFormat("en-US").format(value);
+}
+
+export function truncate(value: string, max = 80): string {
+  if (value.length <= max) return value;
+  return value.slice(0, max - 1) + "\u2026";
+}
+
+export function maskSecret(value: string): string {
+  if (!value) return "";
+  const trimmed = value.trim();
+  if (trimmed.length <= 8) return "****";
+  const start = trimmed.slice(0, 4);
+  const end = trimmed.slice(-4);
+  return `${start}${"*".repeat(Math.max(4, trimmed.length - 8))}${end}`;
+}

package/lib/verification.ts

@@ -0,0 +1,67 @@
+import type { Finding } from "./types";
+import type { SecretCandidate } from "./scanner";
+
+const VERIFY_TIMEOUT_MS = 6_000;
+
+async function fetchWithTimeout(url: string, init: RequestInit): Promise<Response> {
+  const controller = new AbortController();
+  const timeout = setTimeout(() => controller.abort(), VERIFY_TIMEOUT_MS);
+  try {
+    return await fetch(url, { ...init, signal: controller.signal });
+  } finally {
+    clearTimeout(timeout);
+  }
+}
+
+async function verifyCandidate(candidate: SecretCandidate): Promise<boolean | null> {
+  const name = candidate.patternName.toLowerCase();
+  const value = candidate.value.trim();
+
+  try {
+    if (name.includes("github token")) {
+      const res = await fetchWithTimeout("https://api.github.com/user", {
+        headers: {
+          Authorization: `Bearer ${value}`,
+          "User-Agent": "RepoSec-Secret-Verifier",
+        },
+      });
+      return res.status === 200;
+    }
+
+    if (name.includes("stripe")) {
+      const res = await fetchWithTimeout("https://api.stripe.com/v1/account", {
+        headers: { Authorization: `Bearer ${value}` },
+      });
+      return res.status === 200;
+    }
+
+    if (name.includes("huggingface")) {
+      const res = await fetchWithTimeout("https://huggingface.co/api/whoami-v2", {
+        headers: { Authorization: `Bearer ${value}` },
+      });
+      return res.status === 200;
+    }
+  } catch {
+    return null;
+  }
+
+  return null;
+}
+
+export async function verifyFindings(
+  findings: Finding[],
+  candidates: SecretCandidate[] | undefined,
+): Promise<void> {
+  if (!candidates || candidates.length === 0) return;
+  const byId = new Map(findings.map((finding) => [finding.id, finding]));
+
+  for (const candidate of candidates.slice(0, 25)) {
+    const finding = byId.get(candidate.findingId);
+    if (!finding) continue;
+    const verified = await verifyCandidate(candidate);
+    if (verified !== true) continue;
+    finding.verified = true;
+    finding.confidence = "verified";
+    finding.description = `${finding.description} The token was verified live by RepoSec's opt-in verifier.`;
+  }
+}

package/package.json

@@ -0,0 +1,66 @@
+{
+  "name": "reposec",
+  "version": "0.1.0",
+  "description": "Read-only security hygiene scanner for public GitHub repositories and local source trees.",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/zanesense/reposec.git"
+  },
+  "bugs": {
+    "url": "https://github.com/zanesense/reposec/issues"
+  },
+  "homepage": "https://reposec.zanesense.dev",
+  "bin": {
+    "reposec": "bin/reposec.mjs"
+  },
+  "files": [
+    "bin/",
+    "lib/",
+    "scripts/reposec-cli.mts",
+    "README.md",
+    "LICENSE",
+    "SECURITY.md"
+  ],
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "dev": "next dev",
+    "build": "next build",
+    "start": "next start",
+    "lint": "eslint",
+    "typecheck": "tsc --noEmit",
+    "clean": "node -e \"const fs=require('fs');for (const p of ['.next','tsconfig.tsbuildinfo']) { try { fs.rmSync(p,{recursive:true,force:true}); } catch {} } console.log('cleaned')\"",
+    "screenshots": "node scripts/capture-screenshots.mjs",
+    "test:scanner": "tsx scripts/test-scanner.mts && tsx scripts/test-client-bundle.mts",
+    "scan:local": "tsx scripts/reposec-cli.mts"
+  },
+  "dependencies": {
+    "@radix-ui/react-slot": "^1.2.4",
+    "class-variance-authority": "^0.7.1",
+    "clsx": "^2.1.1",
+    "lucide-react": "^0.490.0",
+    "next": "16.2.7",
+    "react": "19.2.4",
+    "react-dom": "19.2.4",
+    "sonner": "^2.0.7",
+    "tailwind-merge": "^3.6.0",
+    "tw-animate-css": "^1.4.0",
+    "tsx": "^4.22.4"
+  },
+  "devDependencies": {
+    "@tailwindcss/postcss": "^4",
+    "@types/node": "^20",
+    "@types/react": "^19",
+    "@types/react-dom": "^19",
+    "eslint": "^9",
+    "eslint-config-next": "16.2.7",
+    "playwright": "^1.60.0",
+    "tailwindcss": "^4",
+    "typescript": "^5"
+  },
+  "overrides": {
+    "csstype": "3.2.2"
+  }
+}

package/scripts/reposec-cli.mts

@@ -0,0 +1,195 @@
+#!/usr/bin/env node
+import { writeFile } from "node:fs/promises";
+import path from "node:path";
+import { loadLocalRepo } from "../lib/local-repo.ts";
+import { runScan } from "../lib/scanner.ts";
+import { calculateScore, scoreBand } from "../lib/scoring.ts";
+import {
+  generateJsonReport,
+  generateMarkdownReport,
+  generateSarifReport,
+} from "../lib/exporters.ts";
+import type { ScanReport } from "../lib/types.ts";
+import { verifyFindings } from "../lib/verification.ts";
+
+type ColorName = "red" | "yellow" | "blue" | "cyan" | "green" | "gray" | "bold";
+
+const ANSI: Record<ColorName | "reset", string> = {
+  reset: "\x1b[0m",
+  bold: "\x1b[1m",
+  red: "\x1b[31m",
+  yellow: "\x1b[33m",
+  blue: "\x1b[34m",
+  cyan: "\x1b[36m",
+  green: "\x1b[32m",
+  gray: "\x1b[90m",
+};
+
+function color(text: string, name: ColorName, enabled: boolean): string {
+  return enabled ? `${ANSI[name]}${text}${ANSI.reset}` : text;
+}
+
+function scoreColor(score: number): ColorName {
+  if (score >= 85) return "green";
+  if (score >= 70) return "cyan";
+  if (score >= 50) return "yellow";
+  return "red";
+}
+
+function severityColor(severity: string): ColorName {
+  switch (severity.toLowerCase()) {
+    case "critical":
+    case "high":
+      return "red";
+    case "medium":
+      return "yellow";
+    case "low":
+      return "blue";
+    default:
+      return "gray";
+  }
+}
+
+function colorizeMarkdownReport(output: string, report: ScanReport, enabled: boolean): string {
+  if (!enabled) return output;
+
+  const lines = output.split("\n");
+  return lines
+    .map((line, index) => {
+      if (line.startsWith("# ")) return color(line, "bold", true);
+      if (/^-{3,}$/.test(line)) return color(line, "gray", true);
+      if (
+        /^[A-Za-z].*$/.test(line) &&
+        /^-+$/.test(lines[index + 1] ?? "") &&
+        !line.startsWith("-") &&
+        !line.includes(":")
+      ) {
+        return color(line, "cyan", true);
+      }
+      if (line.startsWith("**Score:**")) {
+        return line.replace(
+          `${report.score} / 100`,
+          color(`${report.score} / 100`, scoreColor(report.score), true),
+        );
+      }
+      return line
+        .replace(
+          /^- (Critical|High|Medium|Low|Info):/i,
+          (match, severity: string) => `- ${color(`${severity}:`, severityColor(severity), true)}`,
+        )
+        .replace(
+          /\((Critical|High|Medium|Low|Info)([,)]?)/g,
+          (_match, severity: string, suffix: string) =>
+            `(${color(severity, severityColor(severity), true)}${suffix}`,
+        )
+        .replace(/\b(pass|passed)\b/gi, (match) => color(match, "green", true))
+        .replace(/\b(fail|failed)\b/gi, (match) => color(match, "red", true))
+        .replace(/\b(warn|warning)\b/gi, (match) => color(match, "yellow", true))
+        .replace(/\b(info)\b/gi, (match) => color(match, "blue", true));
+    })
+    .join("\n");
+}
+
+function usage(useColor = shouldUseColor("auto", "markdown", null)): never {
+  console.log(`${color("RepoSec CLI", "bold", useColor)}
+
+Usage:
+  reposec [path] [--history] [--format markdown|json|sarif] [--out file] [--verify]
+
+Options:
+  --history          Include recent git history blobs in the scan.
+  --format <kind>    Output format. Defaults to markdown.
+  --out <file>       Write output to a file instead of stdout.
+  --verify           Opt in to safe provider verification where supported.
+  --color            Force colored terminal output for markdown reports.
+  --no-color         Disable colored terminal output.
+`);
+  process.exit(1);
+}
+
+function shouldUseColor(
+  colorMode: "auto" | "always" | "never",
+  format: "markdown" | "json" | "sarif",
+  outFile: string | null,
+): boolean {
+  if (format !== "markdown" || outFile) return false;
+  if (colorMode === "always") return true;
+  if (colorMode === "never" || process.env.NO_COLOR) return false;
+  return Boolean(process.stdout.isTTY || process.env.FORCE_COLOR);
+}
+
+const args = process.argv.slice(2);
+let root = ".";
+let includeHistory = false;
+let format: "markdown" | "json" | "sarif" = "markdown";
+let outFile: string | null = null;
+let verify = false;
+let colorMode: "auto" | "always" | "never" = "auto";
+
+for (let i = 0; i < args.length; i++) {
+  const arg = args[i];
+  if (arg === "--help" || arg === "-h") usage(shouldUseColor(colorMode, "markdown", null));
+  if (arg === "--history") {
+    includeHistory = true;
+    continue;
+  }
+  if (arg === "--verify") {
+    verify = true;
+    continue;
+  }
+  if (arg === "--color") {
+    colorMode = "always";
+    continue;
+  }
+  if (arg === "--no-color") {
+    colorMode = "never";
+    continue;
+  }
+  if (arg === "--format") {
+    const next = args[++i];
+    if (next !== "markdown" && next !== "json" && next !== "sarif") {
+      usage(shouldUseColor(colorMode, "markdown", null));
+    }
+    format = next;
+    continue;
+  }
+  if (arg === "--out") {
+    outFile = args[++i] ?? null;
+    if (!outFile) usage(shouldUseColor(colorMode, format, outFile));
+    continue;
+  }
+  if (arg.startsWith("--")) usage(shouldUseColor(colorMode, format, outFile));
+  root = arg;
+}
+
+const started = Date.now();
+const repo = await loadLocalRepo(root, { includeHistory });
+const result = runScan(repo, { collectSecretCandidates: verify });
+if (verify) {
+  await verifyFindings(result.findings, result.secretCandidates);
+}
+const score = calculateScore(result.findings);
+const report: ScanReport = {
+  repo: repo.metadata,
+  score,
+  scoreBand: scoreBand(score),
+  summary: result.summary,
+  findings: result.findings,
+  filesChecked: result.filesChecked,
+  fileGroups: result.fileGroups,
+  scannedAt: new Date().toISOString(),
+  durationMs: Date.now() - started,
+};
+
+const output =
+  format === "json"
+    ? generateJsonReport(report)
+    : format === "sarif"
+      ? generateSarifReport(report)
+      : generateMarkdownReport(report);
+
+if (outFile) {
+  await writeFile(path.resolve(outFile), output, "utf8");
+} else {
+  console.log(colorizeMarkdownReport(output, report, shouldUseColor(colorMode, format, outFile)));
+}