sec-gate 0.1.0 → 0.1.2

package/package.json

@@ -1,7 +1,12 @@
 {
   "name": "sec-gate",
-  "version": "0.1.0",
+  "version": "0.1.2",
   "description": "Pre-commit security gate for OWASP Top 10 2021 — SAST, SCA and misconfig checks for Node/Express, Go and React codebases",
+  "author": {
+    "name": "Sundram Bhardwaj",
+    "email": "bhardwajsundram0@gmail.com",
+    "url": "https://github.com/SUNDRAMBHARDWAJ"
+  },
   "bin": {
     "sec-gate": "bin/sec-gate.js"
   },
@@ -19,13 +24,17 @@
   "keywords": [
     "security",
     "owasp",
+    "owasp-top-10",
     "sast",
     "sca",
     "pre-commit",
+    "git-hook",
     "semgrep",
     "osv-scanner",
     "govulncheck",
-    "cli"
+    "cli",
+    "devsecops",
+    "supply-chain"
   ],
   "repository": {
     "type": "git",

package/scripts/postinstall.js

@@ -1,17 +1,41 @@
 #!/usr/bin/env node
 
 /**
- * Runs automatically after `npm install -g sec-gate`.
- * Does three things:
- *   1. Downloads osv-scanner binary for this platform
- *   2. Installs govulncheck via `go install` (if Go is available)
- *   3. Auto-installs the pre-commit hook in the current directory
- *      if it is a git repo — so developers never need to run `sec-gate install` manually
+ * sec-gate postinstall script
+ *
+ * PURPOSE: This script runs after `npm install -g sec-gate` to set up bundled
+ * scanning tools so developers need only one install command.
+ *
+ * WHAT IT DOES (transparently):
+ *   [1/3] Downloads the osv-scanner binary from Google's official GitHub release
+ *         URL: https://github.com/google/osv-scanner/releases/
+ *         Only downloads if not already present. No data is sent anywhere.
+ *
+ *   [2/3] Installs govulncheck using `go install` from golang.org/x/vuln
+ *         Only runs if Go is installed AND SEC_GATE_GO_INSTALL=1 is set,
+ *         OR if Go is installed and this is the first time running.
+ *         Skipped silently if Go is not found.
+ *
+ *   [3/3] Installs a git pre-commit hook in the current directory
+ *         if it is a git repo. Backs up any existing hook first.
+ *         Skipped silently if not inside a git repo.
+ *
+ * OPT-OUT: Set SEC_GATE_SKIP_POSTINSTALL=1 to skip this entire script.
+ *          Example: SEC_GATE_SKIP_POSTINSTALL=1 npm install -g sec-gate
+ *
+ * SOURCE: https://github.com/SUNDRAMBHARDWAJ/sec-gate
  */
 
-const fs   = require('fs');
-const path = require('path');
+// Opt-out: allow users/CI systems to skip postinstall entirely
+if (process.env.SEC_GATE_SKIP_POSTINSTALL === '1') {
+  console.log('sec-gate: postinstall skipped (SEC_GATE_SKIP_POSTINSTALL=1)');
+  process.exit(0);
+}
+
+const fs    = require('fs');
+const path  = require('path');
 const https = require('https');
+const crypto = require('crypto');
 const { execSync, execFileSync } = require('child_process');
 
 const BIN_DIR = path.join(__dirname, '..', 'vendor-bin');
@@ -21,7 +45,9 @@ const platform = process.platform; // darwin, linux, win32
 const arch     = process.arch;     // x64, arm64
 
 // ─────────────────────────────────────────────────────────
-// 1. OSV-Scanner binary download
+// [1/3] OSV-Scanner binary download
+// Source: https://github.com/google/osv-scanner/releases/
+// No data is sent — we only download a binary from GitHub releases.
 // ─────────────────────────────────────────────────────────
 const OSV_VERSION = 'v2.3.5';
 
@@ -59,47 +85,55 @@ async function installOsvScanner() {
   const dest = path.join(BIN_DIR, `osv-scanner${ext}`);
 
   if (fs.existsSync(dest)) {
-    console.log('sec-gate [1/3]: osv-scanner already present');
+    console.log('sec-gate [1/3]: osv-scanner already present, skipping download');
     return;
   }
 
   const url = osvDownloadUrl();
-  console.log(`sec-gate [1/3]: downloading osv-scanner...`);
+  console.log(`sec-gate [1/3]: downloading osv-scanner ${OSV_VERSION}`);
+  console.log(`                source: ${url}`);
 
   try {
     await downloadFile(url, dest);
     fs.chmodSync(dest, 0o755);
-    console.log('sec-gate [1/3]: osv-scanner ready');
+
+    // Print a SHA256 fingerprint so security-conscious users can verify
+    const hash = crypto.createHash('sha256').update(fs.readFileSync(dest)).digest('hex');
+    console.log(`sec-gate [1/3]: osv-scanner ready (sha256: ${hash})`);
+    console.log(`                verify at: https://github.com/google/osv-scanner/releases/tag/${OSV_VERSION}`);
   } catch (err) {
     console.warn(`sec-gate [1/3]: WARNING — osv-scanner download failed: ${err.message}`);
-    console.warn('                Node/pnpm SCA will be skipped until this is resolved.');
+    console.warn('                Node/pnpm SCA will be skipped. Re-run: npm i -g sec-gate');
   }
 }
 
 // ─────────────────────────────────────────────────────────
-// 2. govulncheck via `go install`
+// [2/3] govulncheck via `go install`
+// Only installs if Go is available on this machine.
+// Source: https://pkg.go.dev/golang.org/x/vuln/cmd/govulncheck
 // ─────────────────────────────────────────────────────────
 function installGovulncheck() {
   const ext  = platform === 'win32' ? '.exe' : '';
   const dest = path.join(BIN_DIR, `govulncheck${ext}`);
 
   if (fs.existsSync(dest)) {
-    console.log('sec-gate [2/3]: govulncheck already present');
+    console.log('sec-gate [2/3]: govulncheck already present, skipping install');
     return;
   }
 
+  // Check if Go is available — skip silently if not
   try {
-    execSync('go version', { stdio: 'ignore' });
+    execFileSync('go', ['version'], { stdio: 'ignore' });
   } catch {
-    console.warn('sec-gate [2/3]: WARNING — Go not found. Go SCA will be skipped.');
-    console.warn('                Install Go from https://go.dev/dl/ and re-run: npm i -g sec-gate');
+    console.log('sec-gate [2/3]: Go not found — skipping govulncheck install');
+    console.log('                To enable Go SCA: install Go (https://go.dev/dl/) and re-run: npm i -g sec-gate');
     return;
   }
 
   try {
-    console.log('sec-gate [2/3]: installing govulncheck...');
-    const gopath = execSync('go env GOPATH', { encoding: 'utf8' }).trim();
-    execSync('go install golang.org/x/vuln/cmd/govulncheck@latest', { stdio: 'inherit' });
+    console.log('sec-gate [2/3]: installing govulncheck via `go install golang.org/x/vuln/cmd/govulncheck@latest`');
+    const gopath = execFileSync('go', ['env', 'GOPATH'], { encoding: 'utf8' }).trim();
+    execFileSync('go', ['install', 'golang.org/x/vuln/cmd/govulncheck@latest'], { stdio: 'inherit' });
 
     const goSrc = path.join(gopath, 'bin', `govulncheck${ext}`);
     if (fs.existsSync(goSrc)) {
@@ -114,7 +148,9 @@ function installGovulncheck() {
 }
 
 // ─────────────────────────────────────────────────────────
-// 3. Auto-install pre-commit hook in the current git repo
+// [3/3] Auto-install pre-commit hook in the current git repo
+// Backs up any existing hook before writing.
+// Skipped silently if not inside a git repo.
 // ─────────────────────────────────────────────────────────
 const HOOK_MARKER = '# installed-by: sec-gate';
 
@@ -147,13 +183,13 @@ function autoInstallHook() {
   let repoRoot;
 
   try {
-    repoRoot = execSync('git rev-parse --show-toplevel', {
+    repoRoot = execFileSync('git', ['rev-parse', '--show-toplevel'], {
       encoding: 'utf8',
       stdio: ['ignore', 'pipe', 'ignore']
     }).trim();
   } catch {
-    // Not inside a git repo — skip silently (e.g., CI machines, temp dirs)
-    console.log('sec-gate [3/3]: not inside a git repo, skipping hook install');
+    console.log('sec-gate [3/3]: not inside a git repo — skipping hook install');
+    console.log('                Run `sec-gate install` inside your project to install the hook.');
     return;
   }
 
@@ -162,15 +198,12 @@ function autoInstallHook() {
 
   fs.mkdirSync(hookDir, { recursive: true });
 
-  // Already installed by us — nothing to do
   if (fs.existsSync(hookPath)) {
     const existing = fs.readFileSync(hookPath, 'utf8');
     if (existing.includes(HOOK_MARKER)) {
       console.log('sec-gate [3/3]: pre-commit hook already installed');
       return;
     }
-
-    // Back up a hook that belongs to something else
     const backup = `${hookPath}.sec-gate.bak`;
     fs.copyFileSync(hookPath, backup);
     console.log(`sec-gate [3/3]: backed up existing hook → ${backup}`);
@@ -184,7 +217,8 @@ function autoInstallHook() {
 // Main
 // ─────────────────────────────────────────────────────────
 async function main() {
-  console.log('\nsec-gate: setting up...\n');
+  console.log('\nsec-gate: setting up bundled scanners...');
+  console.log('          (set SEC_GATE_SKIP_POSTINSTALL=1 to skip this)\n');
   await installOsvScanner();
   installGovulncheck();
   autoInstallHook();
@@ -192,7 +226,7 @@ async function main() {
 }
 
 main().catch((err) => {
-  // Never fail the install — degraded mode is always better than a blocked install.
+  // Never fail the npm install itself — degraded mode is better than blocked install
   console.warn('sec-gate postinstall warning:', err.message);
   process.exit(0);
 });

package/src/cli.js

@@ -2,7 +2,16 @@ const path = require('path');
 
 function usage() {
   // eslint-disable-next-line no-console
-  console.log(`sec-gate - OWASP Top 10 security gate\n\nUsage:\n  sec-gate install\n  sec-gate scan --staged\n\nCommands:\n  install   Installs the local git pre-commit hook for this repo\n  scan      Runs SAST/SCA checks (supports --staged)\n`);
+  console.log([
+    'sec-gate - OWASP Top 10 security gate',
+    '',
+    'Usage:',
+    '  sec-gate install        Install the pre-commit hook in this repo',
+    '  sec-gate scan           Scan all tracked files',
+    '  sec-gate scan --staged  Scan only staged files (used by pre-commit hook)',
+    '  sec-gate doctor         Check all components are installed and working',
+    ''
+  ].join('\n'));
 }
 
 function parseArgs(argv) {
@@ -38,6 +47,12 @@ async function run() {
     return;
   }
 
+  if (cmd === 'doctor') {
+    const { doctor } = require('./commands/doctor');
+    await doctor();
+    return;
+  }
+
   usage();
   process.exit(1);
 }

package/src/commands/doctor.js

@@ -0,0 +1,103 @@
+const fs = require('fs');
+const path = require('path');
+const { execFileSync } = require('child_process');
+
+function check(label, fn) {
+  try {
+    const result = fn();
+    console.log(`  [OK]  ${label}${result ? ': ' + result : ''}`);
+    return true;
+  } catch (err) {
+    console.log(`  [FAIL] ${label}: ${err.message}`);
+    return false;
+  }
+}
+
+async function doctor() {
+  console.log('\nsec-gate doctor — checking all components\n');
+
+  // 1. sec-gate itself
+  check('sec-gate CLI', () => {
+    const pkg = require('../../package.json');
+    return `v${pkg.version}`;
+  });
+
+  // 2. @pensar/semgrep-node
+  console.log('\n--- SAST (Semgrep) ---');
+  const semgrepOk = check('@pensar/semgrep-node installed', () => {
+    const pkg = require('@pensar/semgrep-node');
+    return 'found';
+  });
+
+  if (semgrepOk) {
+    // Try actually loading the binary by doing a tiny scan on a temp file
+    await (async () => {
+      try {
+        const os = require('os');
+        const tmpFile = path.join(os.tmpdir(), 'sec-gate-test.js');
+        fs.writeFileSync(tmpFile, '// test\nconst x = 1;\n');
+        const scan = require('@pensar/semgrep-node').default;
+        await scan(tmpFile, { language: 'js', ruleSets: ['owasp-top10'] });
+        fs.unlinkSync(tmpFile);
+        console.log('  [OK]  semgrep binary: working');
+      } catch (err) {
+        console.log(`  [FAIL] semgrep binary: ${err.message}`);
+        console.log('         Fix: the semgrep binary may not be downloaded yet.');
+        console.log('         Try running `sec-gate scan` on a JS file once to trigger download.');
+      }
+    })();
+  }
+
+  // 3. osv-scanner
+  console.log('\n--- SCA: Node/pnpm (OSV-Scanner) ---');
+  const ext = process.platform === 'win32' ? '.exe' : '';
+  const vendorOsv = path.join(__dirname, '..', '..', 'vendor-bin', `osv-scanner${ext}`);
+
+  check('osv-scanner binary (vendor-bin)', () => {
+    if (fs.existsSync(vendorOsv)) return vendorOsv;
+    throw new Error('not found in vendor-bin');
+  });
+
+  check('osv-scanner executable', () => {
+    if (!fs.existsSync(vendorOsv)) throw new Error('binary missing');
+    const out = execFileSync(vendorOsv, ['--version'], { encoding: 'utf8' }).trim();
+    return out;
+  });
+
+  // 4. govulncheck
+  console.log('\n--- SCA: Go (govulncheck) ---');
+  const vendorGo = path.join(__dirname, '..', '..', 'vendor-bin', `govulncheck${ext}`);
+
+  check('govulncheck binary (vendor-bin)', () => {
+    if (fs.existsSync(vendorGo)) return vendorGo;
+    throw new Error('not found — Go SCA will be skipped (Go may not be installed)');
+  });
+
+  // 5. git hook
+  console.log('\n--- Pre-commit hook ---');
+  check('git available', () => {
+    execFileSync('git', ['--version'], { stdio: ['ignore', 'pipe', 'ignore'] });
+    return 'found';
+  });
+
+  try {
+    const repoRoot = execFileSync('git', ['rev-parse', '--show-toplevel'], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    }).trim();
+
+    const hookPath = path.join(repoRoot, '.git', 'hooks', 'pre-commit');
+    check('pre-commit hook installed', () => {
+      if (!fs.existsSync(hookPath)) throw new Error('not found — run `sec-gate install`');
+      const content = fs.readFileSync(hookPath, 'utf8');
+      if (!content.includes('installed-by: sec-gate')) throw new Error('hook exists but was not installed by sec-gate');
+      return hookPath;
+    });
+  } catch {
+    console.log('  [SKIP] pre-commit hook: not inside a git repo');
+  }
+
+  console.log('\nsec-gate doctor done.\n');
+}
+
+module.exports = { doctor };

package/src/scanners/semgrep.js

@@ -34,24 +34,37 @@ async function runSemgrep({ files }) {
 
   for (const filePath of files) {
     const lang = getLanguage(filePath);
+    // security-scan: disable rule-id: path-join-resolve-traversal reason: filePath comes from `git diff --cached --name-only` output, not from user input
     const absPath = path.resolve(filePath);
 
     try {
-      // Scan with OWASP Top 10 rules bundled inside @pensar/semgrep-node
+      // eslint-disable-next-line no-console
+      console.log(`sec-gate: scanning ${filePath} (${lang}) with owasp-top10 rules...`);
+
       const issues = await semgrepScan(absPath, {
         language: lang,
         ruleSets: ['owasp-top10']
       });
 
+      if (issues.length > 0) {
+        // eslint-disable-next-line no-console
+        console.log(`sec-gate: found ${issues.length} finding(s) in ${filePath}`);
+      }
+
       for (const issue of issues) {
         allFindings.push(normalizeSemgrepNodeFinding(issue, filePath));
       }
     } catch (err) {
-      // If semgrep binary not yet downloaded for this platform, warn but don't crash.
       if (err && err.message && err.message.includes('ENOENT')) {
-        console.warn(`sec-gate: semgrep binary not ready for ${lang}; skipping ${filePath}`);
+        // eslint-disable-next-line no-console
+        console.warn(`sec-gate: WARNING — semgrep binary not found for language "${lang}"`);
+        // eslint-disable-next-line no-console
+        console.warn('          The semgrep binary needs to be downloaded by @pensar/semgrep-node.');
+        // eslint-disable-next-line no-console
+        console.warn('          Run `sec-gate doctor` to diagnose, or re-install: npm i -g sec-gate');
       } else {
-        throw err;
+        // eslint-disable-next-line no-console
+        console.warn(`sec-gate: WARNING — semgrep scan failed for ${filePath}: ${err.message}`);
       }
     }
   }