sec-gate 0.1.1 → 0.1.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sec-gate",
-  "version": "0.1.1",
+  "version": "0.1.3",
   "description": "Pre-commit security gate for OWASP Top 10 2021 — SAST, SCA and misconfig checks for Node/Express, Go and React codebases",
   "author": {
     "name": "Sundram Bhardwaj",
@@ -48,6 +48,7 @@
     "bin/",
     "src/",
     "scripts/",
+    "rules/",
     "vendor-bin/.gitkeep",
     "README.md"
   ]

package/rules/custom-security.js

@@ -0,0 +1,199 @@
+/**
+ * sec-gate custom security rules
+ *
+ * These rules cover patterns NOT caught by @pensar/semgrep-node's owasp-top10 ruleset:
+ *   1. Hardcoded secrets (API keys, passwords, JWT secrets)
+ *   2. Insecure randomness (Math.random for tokens/sessions)
+ *   3. Prototype pollution
+ *   4. Sensitive data in localStorage
+ *   5. console.log with passwords/secrets
+ *   6. new Function() with dynamic input
+ */
+
+const fs   = require('fs');
+const path = require('path');
+
+// ─────────────────────────────────────────────────────────
+// Rule definitions
+// Each rule: { id, description, owasp, severity, test(line, lineNum, allLines) }
+// Returns a finding object or null
+// ─────────────────────────────────────────────────────────
+
+const RULES = [
+
+  // ── 1. Hardcoded secrets ──────────────────────────────
+  {
+    id: 'hardcoded-secret-assignment',
+    description: 'Hardcoded secret detected. Secrets should be loaded from environment variables, not hardcoded in source code.',
+    owasp: 'A02:2021 Cryptographic Failures',
+    severity: 'critical',
+    test(line) {
+      // Match: const/let/var API_KEY = "...", DB_PASSWORD = '...', etc.
+      return /(?:const|let|var)\s+(?:\w*(?:key|secret|password|passwd|pwd|token|api_key|jwt|auth|credential|private_key)\w*)\s*=\s*["'`][^"'`\s]{6,}/i.test(line);
+    }
+  },
+
+  {
+    id: 'hardcoded-secret-object',
+    description: 'Hardcoded secret in object literal. Use environment variables instead.',
+    owasp: 'A02:2021 Cryptographic Failures',
+    severity: 'critical',
+    test(line) {
+      // Match: { password: "...", apiKey: "...", secret: "..." }
+      return /(?:password|passwd|pwd|secret|api_key|apikey|jwt_secret|private_key|auth_token)\s*:\s*["'`][^"'`\s]{6,}/i.test(line);
+    }
+  },
+
+  // ── 2. Insecure randomness ────────────────────────────
+  {
+    id: 'insecure-random-token',
+    // security-scan: disable rule-id: insecure-random-token reason: this is a rule description string, not actual Math.random() usage
+    description: 'Math.random() is not cryptographically secure. For tokens, session IDs or passwords use crypto.randomBytes() or crypto.getRandomValues() instead.',
+    owasp: 'A02:2021 Cryptographic Failures',
+    severity: 'high',
+    test(line) {
+      return /Math\.random\(\)/.test(line) &&
+        /(?:token|session|id|key|secret|password|nonce|salt|otp|code|csrf)/i.test(line);
+    }
+  },
+
+  {
+    id: 'insecure-random-standalone',
+    // security-scan: disable rule-id: insecure-random-standalone reason: rule description string, not actual usage
+    description: 'Math.random() used in a security-sensitive context. Use crypto.randomBytes() for cryptographic purposes.',
+    owasp: 'A02:2021 Cryptographic Failures',
+    severity: 'medium',
+    test(line, lineNum, allLines) {
+      if (!(/Math\.random\(\)/.test(line))) return false;
+      // Check surrounding 3 lines for security context
+      const ctx = allLines.slice(Math.max(0, lineNum - 3), lineNum + 3).join(' ');
+      return /(?:token|session|secret|key|auth|crypto|password|nonce|salt)/i.test(ctx);
+    }
+  },
+
+  // ── 3. Prototype pollution ────────────────────────────
+  {
+    id: 'prototype-pollution',
+    description: 'Possible prototype pollution: assigning to a bracket-notation property using a variable key. Validate or whitelist keys before assignment.',
+    owasp: 'A03:2021 Injection',
+    severity: 'high',
+    test(line) {
+      // obj[userKey] = value  or  target[key] = val where key is variable
+      return /\w+\[\s*\w+\s*\]\s*=/.test(line) &&
+        !/\/\//.test(line.split('=')[0]); // not in a comment
+    }
+  },
+
+  {
+    id: 'proto-direct-access',
+    // security-scan: disable rule-id: proto-direct-access reason: description string contains __proto__ as text only, not as code
+    description: 'Direct __proto__ access detected. This can lead to prototype pollution.',
+    owasp: 'A03:2021 Injection',
+    severity: 'critical',
+    test(line) {
+      // security-scan: disable rule-id: proto-direct-access reason: __proto__ is inside a regex literal used as a detection pattern, not actual prototype access
+      return /__proto__/.test(line);
+    }
+  },
+
+  // ── 4. Sensitive data in localStorage ────────────────
+  {
+    id: 'localstorage-sensitive-data',
+    description: 'Sensitive data stored in localStorage. localStorage is accessible to any JS on the page (XSS). Use httpOnly cookies for tokens and passwords.',
+    owasp: 'A02:2021 Cryptographic Failures',
+    severity: 'high',
+    test(line) {
+      return /localStorage\.setItem\s*\(/.test(line) &&
+        /(?:password|passwd|pwd|token|secret|key|auth|jwt|session|credential)/i.test(line);
+    }
+  },
+
+  {
+    id: 'sessionstorage-sensitive-data',
+    description: 'Sensitive data stored in sessionStorage. sessionStorage is accessible to XSS attacks. Use httpOnly cookies instead.',
+    owasp: 'A02:2021 Cryptographic Failures',
+    severity: 'high',
+    test(line) {
+      return /sessionStorage\.setItem\s*\(/.test(line) &&
+        /(?:password|passwd|pwd|token|secret|key|auth|jwt|credential)/i.test(line);
+    }
+  },
+
+  // ── 5. console.log with sensitive data ───────────────
+  {
+    id: 'console-log-sensitive',
+    description: 'Possible logging of sensitive data. Passwords, tokens and secrets should never be logged as they appear in log files and monitoring tools.',
+    owasp: 'A09:2021 Security Logging and Monitoring Failures',
+    severity: 'high',
+    test(line) {
+      return /console\.\s*(?:log|info|warn|error|debug)\s*\(/.test(line) &&
+        /(?:password|passwd|pwd|secret|token|api_?key|jwt|credential|private)/i.test(line);
+    }
+  },
+
+  // ── 6. new Function() with dynamic input ─────────────
+  {
+    id: 'new-function-injection',
+    // security-scan: disable rule-id: new-function-injection reason: this is a rule description string, not actual new Function() usage
+    description: 'new Function() with dynamic input is equivalent to eval(). An attacker can execute arbitrary JavaScript. Use a safe alternative.',
+    owasp: 'A03:2021 Injection',
+    severity: 'critical',
+    test(line) {
+      // new Function(variable) or new Function("..." + variable)
+      return /new\s+Function\s*\(/.test(line) &&
+        !/new\s+Function\s*\(\s*["'`][^"'`]*["'`]\s*\)/.test(line); // not pure string literal
+    }
+  },
+
+];
+
+// ─────────────────────────────────────────────────────────
+// Scanner: run all rules against a file
+// ─────────────────────────────────────────────────────────
+function scanFileWithCustomRules(filePath) {
+  let content;
+  try {
+    // security-scan: disable rule-id: detect-non-literal-fs-filename reason: filePath comes from `git diff --cached --name-only`, not from user input
+    content = fs.readFileSync(filePath, 'utf8');
+  } catch {
+    return [];
+  }
+
+  const lines = content.split(/\r?\n/);
+  const findings = [];
+
+  for (let i = 0; i < lines.length; i++) {
+    const line     = lines[i];
+    const lineNum  = i + 1;
+    const trimmed  = line.trim();
+
+    // Skip blank lines and pure comments
+    if (!trimmed || trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
+
+    // Skip lines with suppression tag
+    if (/security-scan:\s*disable/i.test(line)) continue;
+
+    // Also check the line immediately above for suppression
+    const prevLine = i > 0 ? lines[i - 1] : '';
+    if (/security-scan:\s*disable/i.test(prevLine)) continue;
+
+    for (const rule of RULES) {
+      if (rule.test(line, i, lines)) {
+        findings.push({
+          checkId:  rule.id,
+          path:     filePath,
+          line:     lineNum,
+          message:  rule.description,
+          severity: rule.severity,
+          owasp:    rule.owasp,
+          raw:      { line: trimmed }
+        });
+        break; // one finding per line per pass — avoid duplicates
+      }
+    }
+  }
+
+  return findings;
+}
+
+module.exports = { scanFileWithCustomRules, RULES };

package/src/cli.js

@@ -2,7 +2,16 @@ const path = require('path');
 
 function usage() {
   // eslint-disable-next-line no-console
-  console.log(`sec-gate - OWASP Top 10 security gate\n\nUsage:\n  sec-gate install\n  sec-gate scan --staged\n\nCommands:\n  install   Installs the local git pre-commit hook for this repo\n  scan      Runs SAST/SCA checks (supports --staged)\n`);
+  console.log([
+    'sec-gate - OWASP Top 10 security gate',
+    '',
+    'Usage:',
+    '  sec-gate install        Install the pre-commit hook in this repo',
+    '  sec-gate scan           Scan all tracked files',
+    '  sec-gate scan --staged  Scan only staged files (used by pre-commit hook)',
+    '  sec-gate doctor         Check all components are installed and working',
+    ''
+  ].join('\n'));
 }
 
 function parseArgs(argv) {
@@ -38,6 +47,12 @@ async function run() {
     return;
   }
 
+  if (cmd === 'doctor') {
+    const { doctor } = require('./commands/doctor');
+    await doctor();
+    return;
+  }
+
   usage();
   process.exit(1);
 }

package/src/commands/doctor.js

@@ -0,0 +1,103 @@
+const fs = require('fs');
+const path = require('path');
+const { execFileSync } = require('child_process');
+
+function check(label, fn) {
+  try {
+    const result = fn();
+    console.log(`  [OK]  ${label}${result ? ': ' + result : ''}`);
+    return true;
+  } catch (err) {
+    console.log(`  [FAIL] ${label}: ${err.message}`);
+    return false;
+  }
+}
+
+async function doctor() {
+  console.log('\nsec-gate doctor — checking all components\n');
+
+  // 1. sec-gate itself
+  check('sec-gate CLI', () => {
+    const pkg = require('../../package.json');
+    return `v${pkg.version}`;
+  });
+
+  // 2. @pensar/semgrep-node
+  console.log('\n--- SAST (Semgrep) ---');
+  const semgrepOk = check('@pensar/semgrep-node installed', () => {
+    const pkg = require('@pensar/semgrep-node');
+    return 'found';
+  });
+
+  if (semgrepOk) {
+    // Try actually loading the binary by doing a tiny scan on a temp file
+    await (async () => {
+      try {
+        const os = require('os');
+        const tmpFile = path.join(os.tmpdir(), 'sec-gate-test.js');
+        fs.writeFileSync(tmpFile, '// test\nconst x = 1;\n');
+        const scan = require('@pensar/semgrep-node').default;
+        await scan(tmpFile, { language: 'js', ruleSets: ['owasp-top10'] });
+        fs.unlinkSync(tmpFile);
+        console.log('  [OK]  semgrep binary: working');
+      } catch (err) {
+        console.log(`  [FAIL] semgrep binary: ${err.message}`);
+        console.log('         Fix: the semgrep binary may not be downloaded yet.');
+        console.log('         Try running `sec-gate scan` on a JS file once to trigger download.');
+      }
+    })();
+  }
+
+  // 3. osv-scanner
+  console.log('\n--- SCA: Node/pnpm (OSV-Scanner) ---');
+  const ext = process.platform === 'win32' ? '.exe' : '';
+  const vendorOsv = path.join(__dirname, '..', '..', 'vendor-bin', `osv-scanner${ext}`);
+
+  check('osv-scanner binary (vendor-bin)', () => {
+    if (fs.existsSync(vendorOsv)) return vendorOsv;
+    throw new Error('not found in vendor-bin');
+  });
+
+  check('osv-scanner executable', () => {
+    if (!fs.existsSync(vendorOsv)) throw new Error('binary missing');
+    const out = execFileSync(vendorOsv, ['--version'], { encoding: 'utf8' }).trim();
+    return out;
+  });
+
+  // 4. govulncheck
+  console.log('\n--- SCA: Go (govulncheck) ---');
+  const vendorGo = path.join(__dirname, '..', '..', 'vendor-bin', `govulncheck${ext}`);
+
+  check('govulncheck binary (vendor-bin)', () => {
+    if (fs.existsSync(vendorGo)) return vendorGo;
+    throw new Error('not found — Go SCA will be skipped (Go may not be installed)');
+  });
+
+  // 5. git hook
+  console.log('\n--- Pre-commit hook ---');
+  check('git available', () => {
+    execFileSync('git', ['--version'], { stdio: ['ignore', 'pipe', 'ignore'] });
+    return 'found';
+  });
+
+  try {
+    const repoRoot = execFileSync('git', ['rev-parse', '--show-toplevel'], {
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore']
+    }).trim();
+
+    const hookPath = path.join(repoRoot, '.git', 'hooks', 'pre-commit');
+    check('pre-commit hook installed', () => {
+      if (!fs.existsSync(hookPath)) throw new Error('not found — run `sec-gate install`');
+      const content = fs.readFileSync(hookPath, 'utf8');
+      if (!content.includes('installed-by: sec-gate')) throw new Error('hook exists but was not installed by sec-gate');
+      return hookPath;
+    });
+  } catch {
+    console.log('  [SKIP] pre-commit hook: not inside a git repo');
+  }
+
+  console.log('\nsec-gate doctor done.\n');
+}
+
+module.exports = { doctor };

package/src/commands/scan.js

@@ -4,10 +4,12 @@ const { runSemgrep } = require('../scanners/semgrep');
 const { runOsvScanner } = require('../scanners/osv');
 const { runGovulncheck } = require('../scanners/govulncheck');
 const { applyInlineSuppressions } = require('../suppressions/inlineTag');
+const { scanFileWithCustomRules } = require('../../rules/custom-security');
 
 function formatFinding(f) {
   const loc = f.line ? `${f.path}:${f.line}` : f.path;
-  return `- ${loc} [${f.checkId}] ${f.message}`;
+  const owasp = f.owasp ? ` (${f.owasp})` : '';
+  return `- ${loc} [${f.checkId}]${owasp}\n  ${f.message}`;
 }
 
 function isSemgrepTargetPath(p) {
@@ -34,16 +36,21 @@ async function scan({ staged }) {
   console.log(`sec-gate: scan started (${staged ? 'staged files' : 'tracked files'})`);
 
   const allFindings = [];
-
   const semgrepTargets = (files || []).filter(isSemgrepTargetPath);
 
-  // SAST / misconfig
   if (semgrepTargets.length > 0) {
+    // SAST — owasp-top10 via @pensar/semgrep-node
     const sast = await runSemgrep({ files: semgrepTargets });
     allFindings.push(...sast);
+
+    // Custom rules — patterns not covered by owasp-top10 ruleset
+    for (const filePath of semgrepTargets) {
+      const custom = scanFileWithCustomRules(filePath);
+      allFindings.push(...custom);
+    }
   } else {
     // eslint-disable-next-line no-console
-    console.log('sec-gate: no relevant staged/tracked source files for Semgrep; skipping SAST');
+    console.log('sec-gate: no relevant staged/tracked source files; skipping SAST');
   }
 
   // SCA (only when dependency lockfiles or go module files are staged)

package/src/scanners/semgrep.js

@@ -34,24 +34,37 @@ async function runSemgrep({ files }) {
 
   for (const filePath of files) {
     const lang = getLanguage(filePath);
+    // security-scan: disable rule-id: path-join-resolve-traversal reason: filePath comes from `git diff --cached --name-only` output, not from user input
     const absPath = path.resolve(filePath);
 
     try {
-      // Scan with OWASP Top 10 rules bundled inside @pensar/semgrep-node
+      // eslint-disable-next-line no-console
+      console.log(`sec-gate: scanning ${filePath} (${lang}) with owasp-top10 rules...`);
+
       const issues = await semgrepScan(absPath, {
         language: lang,
         ruleSets: ['owasp-top10']
       });
 
+      if (issues.length > 0) {
+        // eslint-disable-next-line no-console
+        console.log(`sec-gate: found ${issues.length} finding(s) in ${filePath}`);
+      }
+
       for (const issue of issues) {
         allFindings.push(normalizeSemgrepNodeFinding(issue, filePath));
       }
     } catch (err) {
-      // If semgrep binary not yet downloaded for this platform, warn but don't crash.
       if (err && err.message && err.message.includes('ENOENT')) {
-        console.warn(`sec-gate: semgrep binary not ready for ${lang}; skipping ${filePath}`);
+        // eslint-disable-next-line no-console
+        console.warn(`sec-gate: WARNING — semgrep binary not found for language "${lang}"`);
+        // eslint-disable-next-line no-console
+        console.warn('          The semgrep binary needs to be downloaded by @pensar/semgrep-node.');
+        // eslint-disable-next-line no-console
+        console.warn('          Run `sec-gate doctor` to diagnose, or re-install: npm i -g sec-gate');
       } else {
-        throw err;
+        // eslint-disable-next-line no-console
+        console.warn(`sec-gate: WARNING — semgrep scan failed for ${filePath}: ${err.message}`);
       }
     }
   }