npm - sec-gate - Versions diffs - 0.1.1 → 0.1.2 - Mend

sec-gate 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "sec-gate",
-  "version": "0.1.1",
+  "version": "0.1.2",
   "description": "Pre-commit security gate for OWASP Top 10 2021 — SAST, SCA and misconfig checks for Node/Express, Go and React codebases",
   "author": {
     "name": "Sundram Bhardwaj",

package/src/cli.js CHANGED Viewed

@@ -2,7 +2,16 @@ const path = require('path');
 function usage() {
   // eslint-disable-next-line no-console
-  console.log(`sec-gate - OWASP Top 10 security gate\n\nUsage:\n  sec-gate install\n  sec-gate scan --staged\n\nCommands:\n  install   Installs the local git pre-commit hook for this repo\n  scan      Runs SAST/SCA checks (supports --staged)\n`);
+  console.log([
+    'sec-gate - OWASP Top 10 security gate',
+    '',
+    'Usage:',
+    '  sec-gate install        Install the pre-commit hook in this repo',
+    '  sec-gate scan           Scan all tracked files',
+    '  sec-gate scan --staged  Scan only staged files (used by pre-commit hook)',
+    '  sec-gate doctor         Check all components are installed and working',
+    ''
+  ].join('\n'));
 }
 function parseArgs(argv) {
@@ -38,6 +47,12 @@ async function run() {
     return;
   }
+  if (cmd === 'doctor') {
+    const { doctor } = require('./commands/doctor');
+    await doctor();
+    return;
+  }
   usage();
   process.exit(1);
 }

package/src/commands/doctor.js ADDED Viewed

@@ -0,0 +1,103 @@
+const fs = require('fs');
+const path = require('path');
+const { execFileSync } = require('child_process');
+function check(label, fn) {
+  try {
+    const result = fn();
+    console.log(`  [OK]  ${label}${result ? ': ' + result : ''}`);
+    return true;
+  } catch (err) {
+    console.log(`  [FAIL] ${label}: ${err.message}`);
+    return false;
+  }
+}
+async function doctor() {
+  console.log('\nsec-gate doctor — checking all components\n');
+  // 1. sec-gate itself
+  check('sec-gate CLI', () => {
+    const pkg = require('../../package.json');
+    return `v${pkg.version}`;
+  });
+  // 2. @pensar/semgrep-node
+  console.log('\n--- SAST (Semgrep) ---');
+  const semgrepOk = check('@pensar/semgrep-node installed', () => {
+    const pkg = require('@pensar/semgrep-node');
+    return 'found';
+  });
+  if (semgrepOk) {
+    // Try actually loading the binary by doing a tiny scan on a temp file
+    await (async () => {
+      try {
+        const os = require('os');
+        const tmpFile = path.join(os.tmpdir(), 'sec-gate-test.js');
+        fs.writeFileSync(tmpFile, '// test\nconst x = 1;\n');
+        const scan = require('@pensar/semgrep-node').default;
+        await scan(tmpFile, { language: 'js', ruleSets: ['owasp-top10'] });
+        fs.unlinkSync(tmpFile);
+        console.log('  [OK]  semgrep binary: working');
+      } catch (err) {
+        console.log(`  [FAIL] semgrep binary: ${err.message}`);
+        console.log('         Fix: the semgrep binary may not be downloaded yet.');
+        console.log('         Try running `sec-gate scan` on a JS file once to trigger download.');
+      }
+    })();
+  }
+  // 3. osv-scanner
+  console.log('\n--- SCA: Node/pnpm (OSV-Scanner) ---');
+  const ext = process.platform === 'win32' ? '.exe' : '';
+  const vendorOsv = path.join(__dirname, '..', '..', 'vendor-bin', `osv-scanner${ext}`);
+  check('osv-scanner binary (vendor-bin)', () => {
+    if (fs.existsSync(vendorOsv)) return vendorOsv;
+    throw new Error('not found in vendor-bin');
+  });
+  check('osv-scanner executable', () => {
+    if (!fs.existsSync(vendorOsv)) throw new Error('binary missing');
+    const out = execFileSync(vendorOsv, ['--version'], { encoding: 'utf8' }).trim();
+    return out;
+  });
+  // 4. govulncheck
+  console.log('\n--- SCA: Go (govulncheck) ---');
+  const vendorGo = path.join(__dirname, '..', '..', 'vendor-bin', `govulncheck${ext}`);
+  check('govulncheck binary (vendor-bin)', () => {
+    if (fs.existsSync(vendorGo)) return vendorGo;
+    throw new Error('not found — Go SCA will be skipped (Go may not be installed)');
+  });
+  // 5. git hook
+  console.log('\n--- Pre-commit hook ---');
+  check('git available', () => {
+    execFileSync('git', ['--version'], { stdio: ['ignore', 'pipe', 'ignore'] });
+    return 'found';
+  });
+  try {
+    const repoRoot = execFileSync('git', ['rev-parse', '--show-toplevel'], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    }).trim();
+    const hookPath = path.join(repoRoot, '.git', 'hooks', 'pre-commit');
+    check('pre-commit hook installed', () => {
+      if (!fs.existsSync(hookPath)) throw new Error('not found — run `sec-gate install`');
+      const content = fs.readFileSync(hookPath, 'utf8');
+      if (!content.includes('installed-by: sec-gate')) throw new Error('hook exists but was not installed by sec-gate');
+      return hookPath;
+    });
+  } catch {
+    console.log('  [SKIP] pre-commit hook: not inside a git repo');
+  }
+  console.log('\nsec-gate doctor done.\n');
+}
+module.exports = { doctor };

package/src/scanners/semgrep.js CHANGED Viewed

@@ -34,24 +34,37 @@ async function runSemgrep({ files }) {
   for (const filePath of files) {
     const lang = getLanguage(filePath);
+    // security-scan: disable rule-id: path-join-resolve-traversal reason: filePath comes from `git diff --cached --name-only` output, not from user input
     const absPath = path.resolve(filePath);
     try {
-      // Scan with OWASP Top 10 rules bundled inside @pensar/semgrep-node
+      // eslint-disable-next-line no-console
+      console.log(`sec-gate: scanning ${filePath} (${lang}) with owasp-top10 rules...`);
       const issues = await semgrepScan(absPath, {
         language: lang,
         ruleSets: ['owasp-top10']
       });
+      if (issues.length > 0) {
+        // eslint-disable-next-line no-console
+        console.log(`sec-gate: found ${issues.length} finding(s) in ${filePath}`);
+      }
       for (const issue of issues) {
         allFindings.push(normalizeSemgrepNodeFinding(issue, filePath));
       }
     } catch (err) {
-      // If semgrep binary not yet downloaded for this platform, warn but don't crash.
       if (err && err.message && err.message.includes('ENOENT')) {
-        console.warn(`sec-gate: semgrep binary not ready for ${lang}; skipping ${filePath}`);
+        // eslint-disable-next-line no-console
+        console.warn(`sec-gate: WARNING — semgrep binary not found for language "${lang}"`);
+        // eslint-disable-next-line no-console
+        console.warn('          The semgrep binary needs to be downloaded by @pensar/semgrep-node.');
+        // eslint-disable-next-line no-console
+        console.warn('          Run `sec-gate doctor` to diagnose, or re-install: npm i -g sec-gate');
       } else {
-        throw err;
+        // eslint-disable-next-line no-console
+        console.warn(`sec-gate: WARNING — semgrep scan failed for ${filePath}: ${err.message}`);
       }
     }
   }