sec-gate 0.1.0

package/README.md

@@ -0,0 +1,156 @@
+# sec-gate
+
+A pre-commit security gate that enforces **OWASP Top 10 (2021)** checks before every `git commit`.
+
+Covers:
+- **SAST** — static analysis of JS/TS/Go/React code via Semgrep (OWASP Top 10 rules + Express misconfig rules)
+- **SCA** — dependency vulnerability scanning via OSV-Scanner (pnpm) and govulncheck (Go)
+- **Misconfig** — CORS, headers, auth bypass patterns
+
+Supports **inline suppression** so developers can acknowledge known false positives with an explicit reason.
+
+---
+
+## Install — one command, everything is set up automatically
+
+```bash
+npm install -g sec-gate
+```
+
+That's it. This single command:
+
+1. Installs the `sec-gate` CLI globally
+2. Downloads the **osv-scanner** binary for your OS automatically
+3. Installs **govulncheck** via `go install` (if Go is available on your machine)
+4. **Installs the pre-commit hook** in your current git repo automatically
+
+No extra steps. No separate tool installs. Your next `git commit` is already security-checked.
+
+> **Note:** If you run `npm install -g sec-gate` from outside a git repo (e.g. your home directory), run `sec-gate install` once inside the repo afterwards.
+
+---
+
+## What happens on every `git commit`
+
+```
+git commit
+    ↓
+pre-commit hook fires automatically
+    ↓
+sec-gate scan --staged
+    ↓
+┌─────────────────────────────────────────────────────┐
+│  SAST   — Semgrep scans staged .js/.ts/.go files    │
+│           against OWASP Top 10 + Express rules      │
+├─────────────────────────────────────────────────────┤
+│  SCA    — OSV-Scanner checks pnpm-lock.yaml         │
+│           govulncheck checks go.mod                 │
+│           (only when those files are staged)        │
+└─────────────────────────────────────────────────────┘
+    ↓
+Inline suppression tags filtered out
+    ↓
+Any findings? → commit BLOCKED, findings printed
+No findings?  → commit proceeds
+```
+
+---
+
+## Commands
+
+```
+sec-gate --help
+
+  install   Installs the pre-commit hook in the current git repo
+  scan      Runs SAST/SCA checks
+              --staged   scan only staged files (used by pre-commit hook)
+              (no flag)  scan all tracked files
+```
+
+---
+
+## Inline suppression
+
+If a finding is a known false positive, add a comment **near the flagged line**:
+
+```js
+// security-scan: disable rule-id: javascript.express.security.cors-misconfiguration.cors-misconfiguration reason: internal-only API, safe
+app.use(cors({ origin: '*' }));
+```
+
+```go
+// security-scan: disable rule-id: go.lang.security.audit.dangerous-exec-command.dangerous-exec-command reason: input validated upstream
+exec.Command(cmd)
+```
+
+Use `rule-id: *` to suppress **all** findings near that line:
+
+```js
+// security-scan: disable rule-id: * reason: test fixture only
+doSomethingDangerous();
+```
+
+---
+
+## Bypass (emergency only)
+
+```bash
+SEC_GATE_SKIP=1 git commit -m "emergency fix"
+```
+
+---
+
+## Auto-setup for the whole team (optional but recommended)
+
+Add this to your **project's** `package.json` so every developer gets the hook automatically when they run `npm install`:
+
+```json
+"scripts": {
+  "prepare": "sec-gate install"
+}
+```
+
+Then the workflow for any new developer joining the team is:
+
+```bash
+npm install -g sec-gate   # global tool install (once per machine)
+npm install               # prepare script auto-installs the hook
+```
+
+---
+
+## GitHub Actions — CI gate + PR comments
+
+Copy `.github/workflows/security-gate.yml` from this repo into your project to get:
+- Full scan on every pull request
+- Automatic PR comment with findings output
+- PR check blocked if any findings remain
+
+---
+
+## OWASP Top 10 (2021) coverage
+
+| # | Category | How covered |
+|---|---|---|
+| A01 | Broken Access Control | Semgrep `owasp-top10` ruleset |
+| A02 | Cryptographic Failures | Semgrep `owasp-top10` ruleset |
+| A03 | Injection | Semgrep `owasp-top10` ruleset |
+| A04 | Insecure Design | Semgrep `owasp-top10` ruleset |
+| A05 | Security Misconfiguration | Semgrep `owasp-top10` + Express rules |
+| A06 | Vulnerable Components | OSV-Scanner (pnpm) + govulncheck (Go) |
+| A07 | Authentication Failures | Semgrep `owasp-top10` ruleset |
+| A08 | Software Integrity Failures | Semgrep `owasp-top10` ruleset |
+| A09 | Logging Failures | Semgrep `owasp-top10` ruleset |
+| A10 | Server-Side Request Forgery | Semgrep `owasp-top10` ruleset |
+
+---
+
+## Go SCA note
+
+`govulncheck` requires Go to be installed on the developer's machine. If Go is not present, Go SCA is skipped with a warning — the install never fails. To enable it:
+
+```bash
+# Install Go: https://go.dev/dl/
+# Then re-run:
+npm install -g sec-gate
+```

package/bin/sec-gate.js

@@ -0,0 +1,9 @@
+#!/usr/bin/env node
+
+const { run } = require('../src/cli');
+
+run().catch((err) => {
+  // eslint-disable-next-line no-console
+  console.error(err && err.stack ? err.stack : err);
+  process.exit(1);
+});

package/package.json

@@ -0,0 +1,45 @@
+{
+  "name": "sec-gate",
+  "version": "0.1.0",
+  "description": "Pre-commit security gate for OWASP Top 10 2021 — SAST, SCA and misconfig checks for Node/Express, Go and React codebases",
+  "bin": {
+    "sec-gate": "bin/sec-gate.js"
+  },
+  "type": "commonjs",
+  "license": "MIT",
+  "engines": {
+    "node": ">=18"
+  },
+  "scripts": {
+    "postinstall": "node scripts/postinstall.js"
+  },
+  "dependencies": {
+    "@pensar/semgrep-node": "^1.2.4"
+  },
+  "keywords": [
+    "security",
+    "owasp",
+    "sast",
+    "sca",
+    "pre-commit",
+    "semgrep",
+    "osv-scanner",
+    "govulncheck",
+    "cli"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/SUNDRAMBHARDWAJ/sec-gate.git"
+  },
+  "homepage": "https://github.com/SUNDRAMBHARDWAJ/sec-gate#readme",
+  "bugs": {
+    "url": "https://github.com/SUNDRAMBHARDWAJ/sec-gate/issues"
+  },
+  "files": [
+    "bin/",
+    "src/",
+    "scripts/",
+    "vendor-bin/.gitkeep",
+    "README.md"
+  ]
+}

package/scripts/postinstall.js

@@ -0,0 +1,198 @@
+#!/usr/bin/env node
+
+/**
+ * Runs automatically after `npm install -g sec-gate`.
+ * Does three things:
+ *   1. Downloads osv-scanner binary for this platform
+ *   2. Installs govulncheck via `go install` (if Go is available)
+ *   3. Auto-installs the pre-commit hook in the current directory
+ *      if it is a git repo — so developers never need to run `sec-gate install` manually
+ */
+
+const fs   = require('fs');
+const path = require('path');
+const https = require('https');
+const { execSync, execFileSync } = require('child_process');
+
+const BIN_DIR = path.join(__dirname, '..', 'vendor-bin');
+fs.mkdirSync(BIN_DIR, { recursive: true });
+
+const platform = process.platform; // darwin, linux, win32
+const arch     = process.arch;     // x64, arm64
+
+// ─────────────────────────────────────────────────────────
+// 1. OSV-Scanner binary download
+// ─────────────────────────────────────────────────────────
+const OSV_VERSION = 'v2.3.5';
+
+function osvDownloadUrl() {
+  const os  = platform === 'darwin' ? 'darwin' : platform === 'win32' ? 'windows' : 'linux';
+  const a   = arch === 'arm64' ? 'arm64' : 'amd64';
+  const ext = platform === 'win32' ? '.exe' : '';
+  return `https://github.com/google/osv-scanner/releases/download/${OSV_VERSION}/osv-scanner_${os}_${a}${ext}`;
+}
+
+function downloadFile(url, dest) {
+  return new Promise((resolve, reject) => {
+    const file = fs.createWriteStream(dest);
+
+    function get(u) {
+      https.get(u, (res) => {
+        if (res.statusCode === 301 || res.statusCode === 302) {
+          return get(res.headers.location);
+        }
+        if (res.statusCode !== 200) {
+          return reject(new Error(`HTTP ${res.statusCode} for ${u}`));
+        }
+        res.pipe(file);
+        file.on('finish', () => file.close(resolve));
+        file.on('error', reject);
+      }).on('error', reject);
+    }
+
+    get(url);
+  });
+}
+
+async function installOsvScanner() {
+  const ext  = platform === 'win32' ? '.exe' : '';
+  const dest = path.join(BIN_DIR, `osv-scanner${ext}`);
+
+  if (fs.existsSync(dest)) {
+    console.log('sec-gate [1/3]: osv-scanner already present');
+    return;
+  }
+
+  const url = osvDownloadUrl();
+  console.log(`sec-gate [1/3]: downloading osv-scanner...`);
+
+  try {
+    await downloadFile(url, dest);
+    fs.chmodSync(dest, 0o755);
+    console.log('sec-gate [1/3]: osv-scanner ready');
+  } catch (err) {
+    console.warn(`sec-gate [1/3]: WARNING — osv-scanner download failed: ${err.message}`);
+    console.warn('                Node/pnpm SCA will be skipped until this is resolved.');
+  }
+}
+
+// ─────────────────────────────────────────────────────────
+// 2. govulncheck via `go install`
+// ─────────────────────────────────────────────────────────
+function installGovulncheck() {
+  const ext  = platform === 'win32' ? '.exe' : '';
+  const dest = path.join(BIN_DIR, `govulncheck${ext}`);
+
+  if (fs.existsSync(dest)) {
+    console.log('sec-gate [2/3]: govulncheck already present');
+    return;
+  }
+
+  try {
+    execSync('go version', { stdio: 'ignore' });
+  } catch {
+    console.warn('sec-gate [2/3]: WARNING — Go not found. Go SCA will be skipped.');
+    console.warn('                Install Go from https://go.dev/dl/ and re-run: npm i -g sec-gate');
+    return;
+  }
+
+  try {
+    console.log('sec-gate [2/3]: installing govulncheck...');
+    const gopath = execSync('go env GOPATH', { encoding: 'utf8' }).trim();
+    execSync('go install golang.org/x/vuln/cmd/govulncheck@latest', { stdio: 'inherit' });
+
+    const goSrc = path.join(gopath, 'bin', `govulncheck${ext}`);
+    if (fs.existsSync(goSrc)) {
+      fs.copyFileSync(goSrc, dest);
+      fs.chmodSync(dest, 0o755);
+      console.log('sec-gate [2/3]: govulncheck ready');
+    }
+  } catch (err) {
+    console.warn(`sec-gate [2/3]: WARNING — govulncheck install failed: ${err.message}`);
+    console.warn('                Go SCA will be skipped.');
+  }
+}
+
+// ─────────────────────────────────────────────────────────
+// 3. Auto-install pre-commit hook in the current git repo
+// ─────────────────────────────────────────────────────────
+const HOOK_MARKER = '# installed-by: sec-gate';
+
+function buildHookScript() {
+  return [
+    '#!/usr/bin/env sh',
+    HOOK_MARKER,
+    '',
+    '# Set SEC_GATE_SKIP=1 to bypass (emergency only)',
+    'if [ "$SEC_GATE_SKIP" = "1" ]; then',
+    '  echo "sec-gate: skipped (SEC_GATE_SKIP=1)"',
+    '  exit 0',
+    'fi',
+    '',
+    'ROOT_DIR=$(git rev-parse --show-toplevel) || exit 1',
+    'cd "$ROOT_DIR" || exit 1',
+    '',
+    'if command -v sec-gate >/dev/null 2>&1; then',
+    '  sec-gate scan --staged',
+    '  exit $?',
+    'else',
+    '  echo "sec-gate: not found in PATH. Run: npm install -g sec-gate"',
+    '  exit 1',
+    'fi',
+    ''
+  ].join('\n');
+}
+
+function autoInstallHook() {
+  let repoRoot;
+
+  try {
+    repoRoot = execSync('git rev-parse --show-toplevel', {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    }).trim();
+  } catch {
+    // Not inside a git repo — skip silently (e.g., CI machines, temp dirs)
+    console.log('sec-gate [3/3]: not inside a git repo, skipping hook install');
+    return;
+  }
+
+  const hookDir  = path.join(repoRoot, '.git', 'hooks');
+  const hookPath = path.join(hookDir, 'pre-commit');
+
+  fs.mkdirSync(hookDir, { recursive: true });
+
+  // Already installed by us — nothing to do
+  if (fs.existsSync(hookPath)) {
+    const existing = fs.readFileSync(hookPath, 'utf8');
+    if (existing.includes(HOOK_MARKER)) {
+      console.log('sec-gate [3/3]: pre-commit hook already installed');
+      return;
+    }
+
+    // Back up a hook that belongs to something else
+    const backup = `${hookPath}.sec-gate.bak`;
+    fs.copyFileSync(hookPath, backup);
+    console.log(`sec-gate [3/3]: backed up existing hook → ${backup}`);
+  }
+
+  fs.writeFileSync(hookPath, buildHookScript(), { encoding: 'utf8', mode: 0o755 });
+  console.log(`sec-gate [3/3]: pre-commit hook installed in ${repoRoot}`);
+}
+
+// ─────────────────────────────────────────────────────────
+// Main
+// ─────────────────────────────────────────────────────────
+async function main() {
+  console.log('\nsec-gate: setting up...\n');
+  await installOsvScanner();
+  installGovulncheck();
+  autoInstallHook();
+  console.log('\nsec-gate: ready. Your commits are now security-checked.\n');
+}
+
+main().catch((err) => {
+  // Never fail the install — degraded mode is always better than a blocked install.
+  console.warn('sec-gate postinstall warning:', err.message);
+  process.exit(0);
+});

package/src/cli.js

@@ -0,0 +1,45 @@
+const path = require('path');
+
+function usage() {
+  // eslint-disable-next-line no-console
+  console.log(`sec-gate - OWASP Top 10 security gate\n\nUsage:\n  sec-gate install\n  sec-gate scan --staged\n\nCommands:\n  install   Installs the local git pre-commit hook for this repo\n  scan      Runs SAST/SCA checks (supports --staged)\n`);
+}
+
+function parseArgs(argv) {
+  const args = { _: [] };
+  for (const a of argv) {
+    if (a === '--staged') args.staged = true;
+    else if (a === '--help' || a === '-h') args.help = true;
+    else args._.push(a);
+  }
+  return args;
+}
+
+async function run() {
+  const argv = process.argv.slice(2);
+  const args = parseArgs(argv);
+
+  if (args.help || args._.length === 0) {
+    usage();
+    process.exit(0);
+  }
+
+  const cmd = args._[0];
+
+  if (cmd === 'install') {
+    const { installHook } = require('./commands/install');
+    await installHook();
+    return;
+  }
+
+  if (cmd === 'scan') {
+    const { scan } = require('./commands/scan');
+    await scan({ staged: !!args.staged });
+    return;
+  }
+
+  usage();
+  process.exit(1);
+}
+
+module.exports = { run };

package/src/commands/install.js

@@ -0,0 +1,97 @@
+const fs = require('fs');
+const path = require('path');
+const { getRepoRoot } = require('../git/repo');
+
+const HOOK_MARKER = '# installed-by: sec-gate';
+
+function getHookPath(repoRoot) {
+  return path.join(repoRoot, '.git', 'hooks', 'pre-commit');
+}
+
+function buildHookScript() {
+  return [
+    '#!/usr/bin/env sh',
+    HOOK_MARKER,
+    '',
+    '# Set SEC_GATE_SKIP=1 to bypass (emergency only)',
+    'if [ "$SEC_GATE_SKIP" = "1" ]; then',
+    '  echo "sec-gate: skipped (SEC_GATE_SKIP=1)"',
+    '  exit 0',
+    'fi',
+    '',
+    'ROOT_DIR=$(git rev-parse --show-toplevel) || exit 1',
+    'cd "$ROOT_DIR" || exit 1',
+    '',
+    'if command -v sec-gate >/dev/null 2>&1; then',
+    '  sec-gate scan --staged',
+    '  exit $?',
+    'else',
+    '  echo "sec-gate: not found in PATH. Install it: npm install -g sec-gate"',
+    '  exit 1',
+    'fi',
+    ''
+  ].join('\n');
+}
+
+function isAlreadyInstalled(hookPath) {
+  if (!fs.existsSync(hookPath)) return false;
+  const content = fs.readFileSync(hookPath, 'utf8');
+  return content.includes(HOOK_MARKER);
+}
+
+function suggestPrepareScript(repoRoot) {
+  const pkgPath = path.join(repoRoot, 'package.json');
+  if (!fs.existsSync(pkgPath)) return;
+
+  let pkg;
+  try {
+    pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
+  } catch {
+    return;
+  }
+
+  const hasPrepare = pkg.scripts && pkg.scripts.prepare && pkg.scripts.prepare.includes('sec-gate install');
+
+  if (!hasPrepare) {
+    console.log('');
+    console.log('  TIP: To auto-install this hook for every developer on your team,');
+    console.log('  add this to your repo\'s package.json "scripts":');
+    console.log('');
+    console.log('    "prepare": "sec-gate install"');
+    console.log('');
+    console.log('  Then any developer who runs `npm install` in this repo');
+    console.log('  gets the pre-commit hook automatically — no manual step needed.');
+    console.log('');
+  }
+}
+
+async function installHook() {
+  const repoRoot = getRepoRoot();
+  const hookPath = getHookPath(repoRoot);
+
+  if (!fs.existsSync(path.join(repoRoot, '.git'))) {
+    throw new Error('sec-gate install: .git directory not found. Run this inside a git repository.');
+  }
+
+  fs.mkdirSync(path.dirname(hookPath), { recursive: true });
+
+  if (isAlreadyInstalled(hookPath)) {
+    console.log('sec-gate: pre-commit hook is already installed.');
+    suggestPrepareScript(repoRoot);
+    return;
+  }
+
+  // Backup any existing hook that wasn't installed by us
+  if (fs.existsSync(hookPath)) {
+    const backupPath = `${hookPath}.sec-gate.bak`;
+    fs.copyFileSync(hookPath, backupPath);
+    console.log(`sec-gate: backed up existing hook to ${backupPath}`);
+  }
+
+  fs.writeFileSync(hookPath, buildHookScript(), { encoding: 'utf8', mode: 0o755 });
+  console.log(`sec-gate: pre-commit hook installed at ${hookPath}`);
+
+  suggestPrepareScript(repoRoot);
+}
+
+module.exports = { installHook };

package/src/commands/scan.js

@@ -0,0 +1,86 @@
+const { getStagedFiles, hasStagedDependencyFiles } = require('../git/stagedFiles');
+const { listTrackedFiles } = require('../git/trackedFiles');
+const { runSemgrep } = require('../scanners/semgrep');
+const { runOsvScanner } = require('../scanners/osv');
+const { runGovulncheck } = require('../scanners/govulncheck');
+const { applyInlineSuppressions } = require('../suppressions/inlineTag');
+
+function formatFinding(f) {
+  const loc = f.line ? `${f.path}:${f.line}` : f.path;
+  return `- ${loc} [${f.checkId}] ${f.message}`;
+}
+
+function isSemgrepTargetPath(p) {
+  if (!p) return false;
+  if (p.endsWith('pnpm-lock.yaml')) return false;
+  if (p === 'go.mod' || p === 'go.sum') return false;
+
+  return (
+    p.endsWith('.js') ||
+    p.endsWith('.jsx') ||
+    p.endsWith('.mjs') ||
+    p.endsWith('.cjs') ||
+    p.endsWith('.ts') ||
+    p.endsWith('.tsx') ||
+    p.endsWith('.go')
+  );
+}
+
+async function scan({ staged }) {
+  const files = staged ? getStagedFiles() : listTrackedFiles();
+  const depChanged = staged ? hasStagedDependencyFiles(files) : true;
+
+  // eslint-disable-next-line no-console
+  console.log(`sec-gate: scan started (${staged ? 'staged files' : 'tracked files'})`);
+
+  const allFindings = [];
+
+  const semgrepTargets = (files || []).filter(isSemgrepTargetPath);
+
+  // SAST / misconfig
+  if (semgrepTargets.length > 0) {
+    const sast = await runSemgrep({ files: semgrepTargets });
+    allFindings.push(...sast);
+  } else {
+    // eslint-disable-next-line no-console
+    console.log('sec-gate: no relevant staged/tracked source files for Semgrep; skipping SAST');
+  }
+
+  // SCA (only when dependency lockfiles or go module files are staged)
+  if (staged && !depChanged) {
+    // eslint-disable-next-line no-console
+    console.log('sec-gate: dependency files not staged; skipping SCA');
+  } else {
+    const fs = require('fs');
+
+    if (fs.existsSync('pnpm-lock.yaml')) {
+      const scaOsv = await runOsvScanner({ lockfile: 'pnpm-lock.yaml' });
+      allFindings.push(...scaOsv);
+    } else {
+      // eslint-disable-next-line no-console
+      console.log('sec-gate: pnpm-lock.yaml not found; skipping OSV-Scanner');
+    }
+
+    if (fs.existsSync('go.mod')) {
+      const scaGo = await runGovulncheck({ pattern: './...' });
+      allFindings.push(...scaGo);
+    } else {
+      // eslint-disable-next-line no-console
+      console.log('sec-gate: go.mod not found; skipping govulncheck');
+    }
+  }
+
+  const filtered = applyInlineSuppressions({ findings: allFindings });
+
+  if (filtered.length > 0) {
+    // eslint-disable-next-line no-console
+    console.log('\nsec-gate: SECURITY FINDINGS (commit blocked):');
+    for (const f of filtered) console.log(formatFinding(f));
+    process.exit(1);
+  }
+
+  // eslint-disable-next-line no-console
+  console.log('sec-gate: no findings after inline suppression');
+}
+
+module.exports = { scan };

package/src/git/repo.js

@@ -0,0 +1,11 @@
+const { execSync } = require('child_process');
+
+function getRepoRoot() {
+  try {
+    return execSync('git rev-parse --show-toplevel', { encoding: 'utf8' }).trim();
+  } catch {
+    throw new Error('sec-gate: run this command inside a git repository');
+  }
+}
+
+module.exports = { getRepoRoot };

package/src/git/stagedFiles.js

@@ -0,0 +1,24 @@
+const { execSync } = require('child_process');
+
+function getStagedFiles() {
+  // Includes added/copied/modified/renamed/typed.
+  const out = execSync('git diff --cached --name-only --diff-filter=ACMRTUXB', {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'ignore']
+  });
+
+  const files = out
+    .split(/\r?\n/)
+    .map((s) => s.trim())
+    .filter(Boolean);
+
+  return files;
+}
+
+function hasStagedDependencyFiles(files) {
+  if (!files || files.length === 0) return false;
+  const depNames = new Set(['pnpm-lock.yaml', 'go.mod', 'go.sum']);
+  return files.some((f) => depNames.has(f));
+}
+
+module.exports = { getStagedFiles, hasStagedDependencyFiles };

package/src/git/trackedFiles.js

@@ -0,0 +1,15 @@
+const { execSync } = require('child_process');
+
+function listTrackedFiles() {
+  const out = execSync('git ls-files', {
+    encoding: 'utf8',
+    stdio: ['ignore', 'pipe', 'ignore']
+  });
+
+  return out
+    .split(/\r?\n/)
+    .map((s) => s.trim())
+    .filter(Boolean);
+}
+
+module.exports = { listTrackedFiles };

package/src/scanners/govulncheck.js

@@ -0,0 +1,77 @@
+const fs = require('fs');
+const path = require('path');
+const { execFileSync } = require('child_process');
+
+// Path to the binary installed by postinstall via `go install`
+const ext = process.platform === 'win32' ? '.exe' : '';
+const VENDOR_BIN = path.join(__dirname, '..', '..', 'vendor-bin', `govulncheck${ext}`);
+
+function getGovulncheckBinary() {
+  if (fs.existsSync(VENDOR_BIN)) return VENDOR_BIN;
+
+  // Fallback: check PATH
+  try {
+    const found = execFileSync('which', ['govulncheck'], {
+      stdio: ['ignore', 'pipe', 'ignore']
+    }).toString().trim();
+    if (found) return 'govulncheck';
+  } catch {}
+
+  return null;
+}
+
+function parseGovulncheckOutput(stdout) {
+  const trimmed = (stdout || '').trim();
+  if (!trimmed) return [];
+
+  // govulncheck streams newline-delimited JSON objects.
+  const findings = [];
+
+  const lines = trimmed.split(/\n+/).map((l) => l.trim()).filter(Boolean);
+
+  for (const line of lines) {
+    let obj;
+    try { obj = JSON.parse(line); } catch { continue; }
+
+    // Each message has a `finding` key when a vulnerability is detected.
+    if (obj && obj.finding) {
+      const f = obj.finding;
+      findings.push({
+        checkId: `GOVULN:${f.osv || f.trace && f.trace[0] && f.trace[0].function || 'unknown'}`,
+        path: (f.trace && f.trace[0] && f.trace[0].position && f.trace[0].position.filename) || 'go.mod',
+        line: (f.trace && f.trace[0] && f.trace[0].position && f.trace[0].position.line) || undefined,
+        message: `${f.osv || 'vulnerability'}: ${f.trace && f.trace[0] && f.trace[0].function ? `called via ${f.trace[0].function}` : 'vulnerable module in use'}`,
+        severity: undefined,
+        raw: f
+      });
+    }
+  }
+
+  return findings;
+}
+
+async function runGovulncheck({ pattern }) {
+  const bin = getGovulncheckBinary();
+
+  if (!bin) {
+    console.warn(
+      'sec-gate: govulncheck not found. Go dependency SCA will be skipped.\n' +
+      '  Install Go and run: go install golang.org/x/vuln/cmd/govulncheck@latest'
+    );
+    return [];
+  }
+
+  try {
+    const stdout = execFileSync(bin, ['-json', pattern], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'pipe']
+    });
+    return parseGovulncheckOutput(stdout);
+  } catch (e) {
+    // exit code 3 = vulnerabilities found — parse stdout anyway
+    const stdout = e && e.stdout ? e.stdout.toString('utf8') : '';
+    return parseGovulncheckOutput(stdout);
+  }
+}
+
+module.exports = { runGovulncheck };

package/src/scanners/osv.js

@@ -0,0 +1,75 @@
+const fs = require('fs');
+const os = require('os');
+const path = require('path');
+const { execFileSync } = require('child_process');
+
+// Path to the binary downloaded by postinstall
+const ext = process.platform === 'win32' ? '.exe' : '';
+const VENDOR_BIN = path.join(__dirname, '..', '..', 'vendor-bin', `osv-scanner${ext}`);
+
+function getOsvBinary() {
+  if (fs.existsSync(VENDOR_BIN)) return VENDOR_BIN;
+
+  // Fallback: check PATH (manual installs)
+  try {
+    const found = execFileSync('which', ['osv-scanner'], {
+      stdio: ['ignore', 'pipe', 'ignore']
+    }).toString().trim();
+    if (found) return 'osv-scanner';
+  } catch {}
+
+  return null;
+}
+
+async function runOsvScanner({ lockfile }) {
+  const bin = getOsvBinary();
+
+  if (!bin) {
+    console.warn(
+      'sec-gate: osv-scanner not found. Node/pnpm dependency SCA will be skipped.\n' +
+      '  Run `npm i -g sec-gate` again, or install manually: https://google.github.io/osv-scanner/installation'
+    );
+    return [];
+  }
+
+  if (!fs.existsSync(lockfile)) {
+    return [];
+  }
+
+  const out = path.join(os.tmpdir(), `sec-gate-osv-${Date.now()}.json`);
+
+  const args = ['scan', '-L', lockfile, '--format', 'json', '--output-file', out];
+
+  try {
+    execFileSync(bin, args, { stdio: ['ignore', 'pipe', 'pipe'] });
+  } catch {
+    // exit code 1 = vulnerabilities found — expected, not an error
+  }
+
+  if (!fs.existsSync(out)) return [];
+  const text = fs.readFileSync(out, 'utf8');
+  if (!text) return [];
+
+  const parsed = JSON.parse(text);
+  const results = parsed.results || [];
+
+  const findings = [];
+  for (const result of results) {
+    for (const pkg of result.packages || []) {
+      for (const vuln of pkg.vulnerabilities || []) {
+        findings.push({
+          checkId: `OSV:${vuln.id || 'unknown'}`,
+          path: lockfile,
+          line: undefined,
+          message: `${pkg.package && pkg.package.name ? pkg.package.name : 'dependency'}: ${vuln.summary || vuln.id}`,
+          severity: undefined,
+          raw: vuln
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = { runOsvScanner };

package/src/scanners/semgrep.js

@@ -0,0 +1,62 @@
+const path = require('path');
+
+// Language detection for @pensar/semgrep-node
+function getLanguage(filePath) {
+  if (filePath.endsWith('.go')) return 'go';
+  if (filePath.endsWith('.py')) return 'python';
+  if (filePath.endsWith('.ts') || filePath.endsWith('.tsx')) return 'ts';
+  return 'js';
+}
+
+function normalizeSemgrepNodeFinding(issue, filePath) {
+  return {
+    checkId: issue.issueId || issue.rule || 'semgrep',
+    path: filePath,
+    line: issue.startLineNumber,
+    message: issue.message,
+    severity: issue.severity,
+    owasp: issue.owasp || [],
+    raw: issue
+  };
+}
+
+async function runSemgrep({ files }) {
+  let semgrepScan;
+  try {
+    semgrepScan = require('@pensar/semgrep-node').default;
+  } catch {
+    throw new Error(
+      'sec-gate: @pensar/semgrep-node not found. Run `npm i -g sec-gate` again to reinstall.'
+    );
+  }
+
+  const allFindings = [];
+
+  for (const filePath of files) {
+    const lang = getLanguage(filePath);
+    const absPath = path.resolve(filePath);
+
+    try {
+      // Scan with OWASP Top 10 rules bundled inside @pensar/semgrep-node
+      const issues = await semgrepScan(absPath, {
+        language: lang,
+        ruleSets: ['owasp-top10']
+      });
+
+      for (const issue of issues) {
+        allFindings.push(normalizeSemgrepNodeFinding(issue, filePath));
+      }
+    } catch (err) {
+      // If semgrep binary not yet downloaded for this platform, warn but don't crash.
+      if (err && err.message && err.message.includes('ENOENT')) {
+        console.warn(`sec-gate: semgrep binary not ready for ${lang}; skipping ${filePath}`);
+      } else {
+        throw err;
+      }
+    }
+  }
+
+  return allFindings;
+}
+
+module.exports = { runSemgrep };

package/src/suppressions/inlineTag.js

@@ -0,0 +1,78 @@
+const fs = require('fs');
+
+function parseSuppressionLine(line) {
+  // Supported tag (JS/TS/Go):
+  // // security-scan: disable rule-id: <CHECK_ID> reason: <text>
+  // Use `rule-id: *` to suppress all findings in the local window.
+  const re = /security-scan:\s*disable\s+rule-id:\s*([^\s]+)\s+reason:\s*(.+)$/i;
+  const m = line.match(re);
+  if (!m) return null;
+  return { ruleId: m[1].trim(), reason: m[2].trim() };
+}
+
+function hasInlineSuppressionNearLine({ fileText, findingLine, checkId, window = 5 }) {
+  if (!fileText || typeof findingLine !== 'number') return false;
+
+  const lines = fileText.split(/\r?\n/);
+  const start = Math.max(1, findingLine - window);
+  const end = Math.min(lines.length, findingLine + window);
+
+  for (let i = start; i <= end; i++) {
+    const s = parseSuppressionLine(lines[i - 1]);
+    if (!s) continue;
+    if (s.ruleId === '*' || s.ruleId === String(checkId)) return true;
+  }
+
+  return false;
+}
+
+function hasInlineSuppressionAnywhere({ fileText, checkId }) {
+  if (!fileText) return false;
+
+  const lines = fileText.split(/\r?\n/);
+  for (const line of lines) {
+    const s = parseSuppressionLine(line);
+    if (!s) continue;
+    if (s.ruleId === '*' || s.ruleId === String(checkId)) return true;
+  }
+
+  return false;
+}
+
+function applyInlineSuppressions({ findings }) {
+  const remaining = [];
+
+  for (const f of findings) {
+    if (!f.path) {
+      remaining.push(f);
+      continue;
+    }
+
+    try {
+      const text = fs.readFileSync(f.path, 'utf8');
+
+      let suppressed = false;
+
+      if (typeof f.line === 'number') {
+        suppressed = hasInlineSuppressionNearLine({
+          fileText: text,
+          findingLine: f.line,
+          checkId: f.checkId
+        });
+      } else {
+        // SCA findings often lack line numbers; allow suppression anywhere in the file.
+        suppressed = hasInlineSuppressionAnywhere({ fileText: text, checkId: f.checkId });
+      }
+
+      if (suppressed) continue;
+    } catch {
+      // If file can't be read, don't suppress.
+    }
+
+    remaining.push(f);
+  }
+
+  return remaining;
+}
+
+module.exports = { applyInlineSuppressions };