sec-gate 0.1.7 → 0.1.9

package/README.md

@@ -126,6 +126,40 @@ doSomethingDangerous();
 
 ---
 
+## Configuration (optional)
+
+Create a `.sec-gate.yml` file in your project root to tune the scanner:
+
+```yaml
+# .sec-gate.yml
+
+# Only block commits on high/critical findings (medium/low are reported but don't block)
+severity_threshold: high
+
+# Exclude specific high-noise rules
+exclude_rules:
+  - path-join-resolve-traversal
+  - detect-non-literal-regexp
+  - detect-non-literal-fs-filename
+
+# Skip test/mock files
+exclude_paths:
+  - "**/__tests__/**"
+  - "**/*.test.js"
+  - "**/*.spec.ts"
+  - "**/mocks/**"
+
+# Disable SCA if you use Snyk/Dependabot separately
+sca: true
+
+# Disable custom rules
+custom_rules: true
+```
+
+A full example with all options is at `sec-gate.example.yml` inside the package.
+
+---
+
 ## Bypass (emergency only)
 
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sec-gate",
-  "version": "0.1.7",
+  "version": "0.1.9",
   "description": "Pre-commit security gate for OWASP Top 10 2021 — SAST, SCA and misconfig checks for Node/Express, Go and React codebases",
   "author": {
     "name": "Sundram Bhardwaj",
@@ -50,6 +50,7 @@
     "scripts/",
     "rules/",
     "vendor-bin/.gitkeep",
-    "README.md"
+    "README.md",
+    "sec-gate.example.yml"
   ]
 }

package/sec-gate.example.yml

@@ -0,0 +1,39 @@
+# .sec-gate.yml — sec-gate configuration
+# Copy this file to your project root as .sec-gate.yml and customize.
+# All fields are optional. Defaults shown below.
+
+# Severity threshold — only block commits on findings at or above this level.
+# Options: all (default), critical, high, medium, low
+# Examples:
+#   severity_threshold: all       → block on any finding (most strict)
+#   severity_threshold: high      → block on high + critical only
+#   severity_threshold: critical  → block only on critical findings
+severity_threshold: all
+
+# Rule IDs to exclude globally (never report these, even if found).
+# The defaults below exclude the highest false-positive rules.
+# Set to [] to re-enable everything.
+exclude_rules:
+  - path-join-resolve-traversal
+  - detect-non-literal-regexp
+  - detect-non-literal-fs-filename
+
+# File paths/patterns to skip entirely (supports glob patterns).
+# Useful for test files, mocks, fixtures where dangerous patterns are intentional.
+exclude_paths:
+  - "**/__tests__/**"
+  - "**/*.test.js"
+  - "**/*.test.ts"
+  - "**/*.spec.js"
+  - "**/*.spec.ts"
+  - "**/test/**"
+  - "**/tests/**"
+  - "**/mocks/**"
+  - "**/fixtures/**"
+
+# Enable/disable dependency vulnerability scanning (SCA).
+# Disable if you manage dependencies with a separate tool (Snyk, Dependabot etc.)
+sca: true
+
+# Enable/disable custom security rules (hardcoded secrets, insecure random, etc.)
+custom_rules: true

package/src/commands/install.js

@@ -102,6 +102,11 @@ function standaloneHook() {
  * Returns the absolute path to the pre-commit hook file that git WILL execute.
  * This is the single source of truth — works regardless of which hook manager
  * set core.hooksPath.
+ *
+ * Special cases handled:
+ *  - .husky/_  → husky's internal bootstrap shim dir, read-only, never write here.
+ *                Fall back to .husky/pre-commit (the real hook file).
+ *  - .husky    → husky v6+ standard hooks dir, use .husky/pre-commit directly.
  */
 function resolveGitHookPath(repoRoot) {
   let hooksDir;
@@ -118,6 +123,15 @@ function resolveGitHookPath(repoRoot) {
       hooksDir = path.isAbsolute(configured)
         ? configured
         : path.join(repoRoot, configured);
+
+      // .husky/_ is husky's internal bootstrap shim directory — it is read-only
+      // and should never be written to. The actual user-editable hooks live in
+      // .husky/ (one level up). Redirect there.
+      const huskyShimDir = path.join(repoRoot, '.husky', '_');
+      if (hooksDir === huskyShimDir || hooksDir.startsWith(huskyShimDir + path.sep)) {
+        console.log('sec-gate: core.hooksPath points to .husky/_ (husky bootstrap shim) — redirecting to .husky/');
+        hooksDir = path.join(repoRoot, '.husky');
+      }
     }
   } catch {
     // core.hooksPath not set — use default

package/src/commands/scan.js

@@ -6,11 +6,18 @@ const { runOsvScanner } = require('../scanners/osv');
 const { runGovulncheck } = require('../scanners/govulncheck');
 const { applyInlineSuppressions } = require('../suppressions/inlineTag');
 const { scanFileWithCustomRules } = require('../../rules/custom-security');
+const { loadConfig, meetsThreshold, isExcludedPath } = require('../config/loader');
+const { getRepoRoot } = require('../git/repo');
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Helpers
+// ─────────────────────────────────────────────────────────────────────────────
 
 function formatFinding(f) {
-  const loc = f.line ? `${f.path}:${f.line}` : f.path;
+  const loc  = f.line ? `${f.path}:${f.line}` : f.path;
   const owasp = f.owasp ? ` (${f.owasp})` : '';
-  return `- ${loc} [${f.checkId}]${owasp}\n  ${f.message}`;
+  const sev  = f.severity ? ` [${f.severity.toUpperCase()}]` : '';
+  return `- ${loc}${sev} [${f.checkId}]${owasp}\n  ${f.message}`;
 }
 
 const LOCKFILES = new Set([
@@ -22,61 +29,121 @@ const LOCKFILES = new Set([
   'go.sum'
 ]);
 
-function isSemgrepTargetPath(p) {
+function isSemgrepTargetPath(p, config) {
   if (!p) return false;
 
   const base = require('path').basename(p);
   if (LOCKFILES.has(base)) return false;
 
+  // Skip paths excluded in config
+  if (isExcludedPath(p, config.exclude_paths)) return false;
+
   return (
-    p.endsWith('.js') ||
+    p.endsWith('.js')  ||
     p.endsWith('.jsx') ||
     p.endsWith('.mjs') ||
     p.endsWith('.cjs') ||
-    p.endsWith('.ts') ||
+    p.endsWith('.ts')  ||
     p.endsWith('.tsx') ||
     p.endsWith('.go')
   );
 }
 
+// ─────────────────────────────────────────────────────────────────────────────
+// Apply config filters to findings list
+// ─────────────────────────────────────────────────────────────────────────────
+function applyConfigFilters(findings, config) {
+  const excludedRules  = new Set(config.exclude_rules || []);
+  const threshold      = config.severity_threshold || 'all';
+
+  const excluded  = [];
+  const belowThreshold = [];
+  const remaining = [];
+
+  for (const f of findings) {
+    // 1. Exclude by rule ID
+    if (excludedRules.has(f.checkId)) {
+      excluded.push(f);
+      continue;
+    }
+
+    // 2. Exclude by path
+    if (isExcludedPath(f.path || '', config.exclude_paths)) {
+      excluded.push(f);
+      continue;
+    }
+
+    // 3. Filter by severity threshold
+    if (!meetsThreshold(f.severity, threshold)) {
+      belowThreshold.push(f);
+      continue;
+    }
+
+    remaining.push(f);
+  }
+
+  return { remaining, excluded, belowThreshold };
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Main scan
+// ─────────────────────────────────────────────────────────────────────────────
 async function scan({ staged }) {
-  const files = staged ? getStagedFiles() : listTrackedFiles();
+  // Load per-repo config (.sec-gate.yml)
+  let repoRoot;
+  try { repoRoot = getRepoRoot(); } catch { repoRoot = process.cwd(); }
+  const config = loadConfig(repoRoot);
+
+  const files      = staged ? getStagedFiles() : listTrackedFiles();
   const depChanged = staged ? hasStagedDependencyFiles(files) : true;
 
   // eslint-disable-next-line no-console
   console.log(`sec-gate: scan started (${staged ? 'staged files' : 'tracked files'})`);
 
-  const allFindings = [];
-  const semgrepTargets = (files || []).filter(isSemgrepTargetPath);
+  // Print active config summary
+  if (config.severity_threshold !== 'all') {
+    // eslint-disable-next-line no-console
+    console.log(`sec-gate: severity threshold: ${config.severity_threshold} and above`);
+  }
+  if (config.exclude_rules.length > 0) {
+    // eslint-disable-next-line no-console
+    console.log(`sec-gate: excluding ${config.exclude_rules.length} high-noise rule(s)`);
+  }
 
+  const allFindings    = [];
+  const semgrepTargets = (files || []).filter((f) => isSemgrepTargetPath(f, config));
+
+  // ── SAST ──────────────────────────────────────────────────────────────────
   if (semgrepTargets.length > 0) {
-    // SAST — owasp-top10 via @pensar/semgrep-node
     const sast = await runSemgrep({ files: semgrepTargets });
     allFindings.push(...sast);
 
-    // Custom rules — patterns not covered by owasp-top10 ruleset
-    for (const filePath of semgrepTargets) {
-      const custom = scanFileWithCustomRules(filePath);
-      allFindings.push(...custom);
+    if (config.custom_rules !== false) {
+      for (const filePath of semgrepTargets) {
+        const custom = scanFileWithCustomRules(filePath);
+        allFindings.push(...custom);
+      }
     }
   } else {
     // eslint-disable-next-line no-console
     console.log('sec-gate: no relevant staged/tracked source files; skipping SAST');
   }
 
-  // SCA (only when dependency lockfiles or go module files are staged)
-  if (staged && !depChanged) {
+  // ── SCA ───────────────────────────────────────────────────────────────────
+  if (config.sca === false) {
+    // eslint-disable-next-line no-console
+    console.log('sec-gate: SCA disabled in config; skipping');
+  } else if (staged && !depChanged) {
     // eslint-disable-next-line no-console
     console.log('sec-gate: dependency files not staged; skipping SCA');
   } else {
     const fs = require('fs');
 
-    // Detect which Node lockfile exists — support npm, pnpm and yarn
     const nodeLockfiles = [
-      'pnpm-lock.yaml',      // pnpm
-      'package-lock.json',   // npm
-      'npm-shrinkwrap.json', // npm (legacy)
-      'yarn.lock'            // yarn
+      'pnpm-lock.yaml',
+      'package-lock.json',
+      'npm-shrinkwrap.json',
+      'yarn.lock'
     ];
     const foundLockfile = nodeLockfiles.find((lf) => fs.existsSync(lf));
 
@@ -87,7 +154,7 @@ async function scan({ staged }) {
       allFindings.push(...scaOsv);
     } else {
       // eslint-disable-next-line no-console
-      console.log('sec-gate: no Node lockfile found (pnpm-lock.yaml / package-lock.json / yarn.lock); skipping OSV-Scanner');
+      console.log('sec-gate: no Node lockfile found; skipping OSV-Scanner');
     }
 
     if (fs.existsSync('go.mod')) {
@@ -99,21 +166,43 @@ async function scan({ staged }) {
     }
   }
 
-  const filtered = applyInlineSuppressions({ findings: allFindings });
+  // ── Apply inline suppressions ─────────────────────────────────────────────
+  const afterSuppressions = applyInlineSuppressions({ findings: allFindings });
+
+  // ── Apply config filters (excluded rules, paths, severity threshold) ──────
+  const { remaining, excluded, belowThreshold } = applyConfigFilters(afterSuppressions, config);
+
+  // Report what was filtered (only in verbose — summarised in one line)
+  if (excluded.length > 0) {
+    // eslint-disable-next-line no-console
+    console.log(`sec-gate: filtered ${excluded.length} finding(s) by excluded rules/paths`);
+  }
+  if (belowThreshold.length > 0) {
+    // eslint-disable-next-line no-console
+    console.log(`sec-gate: filtered ${belowThreshold.length} finding(s) below severity threshold (${config.severity_threshold})`);
+  }
 
-  if (filtered.length > 0) {
+  // ── Block or pass ─────────────────────────────────────────────────────────
+  if (remaining.length > 0) {
     // eslint-disable-next-line no-console
     console.log('\nsec-gate: SECURITY FINDINGS (commit blocked):');
-    for (const f of filtered) console.log(formatFinding(f));
+    for (const f of remaining) console.log(formatFinding(f));
+
+    // Show hint about severity threshold if there are lower-severity findings
+    if (belowThreshold.length > 0 && config.severity_threshold === 'all') {
+      // eslint-disable-next-line no-console
+      console.log('\n  TIP: Set severity_threshold in .sec-gate.yml to only block on high/critical.');
+    }
+
     process.exit(1);
   }
 
-  // ── Success summary ────────────────────────────────────────────────────────
+  // ── Success summary ───────────────────────────────────────────────────────
   const checks = [];
   if (semgrepTargets.length > 0) {
     checks.push(`SAST (${semgrepTargets.length} file${semgrepTargets.length > 1 ? 's' : ''})`);
   }
-  if (depChanged || !staged) {
+  if (config.sca !== false && (depChanged || !staged)) {
     const fs = require('fs');
     const nodeLockfilesCheck = ['pnpm-lock.yaml', 'package-lock.json', 'npm-shrinkwrap.json', 'yarn.lock'];
     const foundLock = nodeLockfilesCheck.find((lf) => fs.existsSync(lf));

package/src/config/loader.js

@@ -0,0 +1,214 @@
+'use strict';
+
+// security-scan: disable rule-id: path-join-resolve-traversal reason: repoRoot comes from git rev-parse, not user input
+// security-scan: disable rule-id: detect-non-literal-fs-filename reason: repoRoot comes from git rev-parse, not user input
+// security-scan: disable rule-id: detect-non-literal-regexp reason: patterns come from the config file written by the developer, not from end users
+// security-scan: disable rule-id: prototype-pollution reason: result[key] assignment is parsing a config file where keys are validated against a known whitelist of fields
+
+/**
+ * sec-gate config loader
+ *
+ * Reads .sec-gate.yml (or .sec-gate.yaml / sec-gate.config.js) from the
+ * repo root and merges it with built-in defaults.
+ *
+ * Config file example (.sec-gate.yml):
+ * ─────────────────────────────────────
+ * severity_threshold: high       # block only on: critical, high, medium, low, all (default: all)
+ * exclude_rules:                 # rule IDs to never report
+ *   - path-join-resolve-traversal
+ *   - detect-non-literal-regexp
+ * exclude_paths:                 # glob patterns to skip
+ *   - "**\/__tests__\/**"
+ *   - "**\/mocks\/**"
+ *   - "**\/fixtures\/**"
+ * sca: true                      # enable/disable SCA (default: true)
+ * custom_rules: true             # enable/disable custom rules (default: true)
+ */
+
+const fs   = require('fs');
+const path = require('path');
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Severity ordering — higher index = more severe
+// ─────────────────────────────────────────────────────────────────────────────
+const SEVERITY_ORDER = ['low', 'medium', 'high', 'critical'];
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Built-in defaults
+// ─────────────────────────────────────────────────────────────────────────────
+const DEFAULTS = {
+  // Block commit on any finding regardless of severity
+  severity_threshold: 'all',
+
+  // Rules excluded by default — these have very high false positive rates
+  // and rarely indicate real vulnerabilities in typical codebases.
+  // Developers can re-enable them by setting exclude_rules: [] in their config.
+  exclude_rules: [
+    'path-join-resolve-traversal',       // flags ANY variable in path.join — ~75% FP rate
+    'detect-non-literal-regexp',         // flags RegExp(var) even with hardcoded sources
+    'detect-non-literal-fs-filename'     // flags ANY variable in fs calls — ~70% FP rate
+  ],
+
+  // Paths excluded from scanning by default
+  exclude_paths: [
+    '**/__tests__/**',
+    '**/*.test.js',
+    '**/*.test.ts',
+    '**/*.spec.js',
+    '**/*.spec.ts',
+    '**/test/**',
+    '**/tests/**',
+    '**/mocks/**',
+    '**/fixtures/**',
+    '**/vendor/**',
+    '**/node_modules/**'
+  ],
+
+  sca: true,
+  custom_rules: true
+};
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Simple YAML parser (only handles the subset we need — no external dep)
+// Supports: string values, boolean values, string arrays
+// ─────────────────────────────────────────────────────────────────────────────
+function parseYaml(text) {
+  const result = {};
+  let currentKey = null;
+  let currentArray = null;
+
+  for (const raw of text.split('\n')) {
+    const line = raw.replace(/#.*$/, '').trimEnd(); // strip comments
+    if (!line.trim()) continue;
+
+    // Array item: "  - value"
+    if (/^\s+-\s+/.test(line) && currentKey && currentArray !== null) {
+      const val = line.replace(/^\s+-\s+/, '').replace(/^['"]|['"]$/g, '').trim();
+      currentArray.push(val);
+      continue;
+    }
+
+    // Key-value: "key: value" or "key:" (start of array)
+    const kvMatch = line.match(/^(\w+):\s*(.*)?$/);
+    if (kvMatch) {
+      if (currentKey && currentArray !== null) {
+        result[currentKey] = currentArray;
+      }
+      currentKey = kvMatch[1].trim();
+      const rawVal = (kvMatch[2] || '').trim().replace(/^['"]|['"]$/g, '');
+
+      if (rawVal === '') {
+        // Start of array block
+        currentArray = [];
+      } else if (rawVal === 'true') {
+        result[currentKey] = true;
+        currentKey = null;
+        currentArray = null;
+      } else if (rawVal === 'false') {
+        result[currentKey] = false;
+        currentKey = null;
+        currentArray = null;
+      } else {
+        result[currentKey] = rawVal;
+        currentKey = null;
+        currentArray = null;
+      }
+      continue;
+    }
+  }
+
+  // Flush last array
+  if (currentKey && currentArray !== null) {
+    result[currentKey] = currentArray;
+  }
+
+  return result;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Load and merge config
+// ─────────────────────────────────────────────────────────────────────────────
+function loadConfig(repoRoot) {
+  const candidates = [
+    path.join(repoRoot, '.sec-gate.yml'),
+    path.join(repoRoot, '.sec-gate.yaml'),
+    path.join(repoRoot, 'sec-gate.config.yml')
+  ];
+
+  let userConfig = {};
+
+  for (const candidate of candidates) {
+    if (fs.existsSync(candidate)) {
+      try {
+        const text = fs.readFileSync(candidate, 'utf8');
+        userConfig = parseYaml(text);
+        // eslint-disable-next-line no-console
+        console.log(`sec-gate: loaded config from ${path.basename(candidate)}`);
+        break;
+      } catch (err) {
+        // eslint-disable-next-line no-console
+        console.warn(`sec-gate: warning — could not parse ${candidate}: ${err.message}`);
+      }
+    }
+  }
+
+  // Merge: user config overrides defaults
+  // For arrays, user config REPLACES defaults (not merges), so teams have full control
+  const merged = {
+    severity_threshold: userConfig.severity_threshold || DEFAULTS.severity_threshold,
+    exclude_rules: Array.isArray(userConfig.exclude_rules)
+      ? userConfig.exclude_rules
+      : DEFAULTS.exclude_rules,
+    exclude_paths: Array.isArray(userConfig.exclude_paths)
+      ? userConfig.exclude_paths
+      : DEFAULTS.exclude_paths,
+    sca: userConfig.sca !== undefined ? userConfig.sca : DEFAULTS.sca,
+    custom_rules: userConfig.custom_rules !== undefined
+      ? userConfig.custom_rules
+      : DEFAULTS.custom_rules
+  };
+
+  return merged;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Severity check — should this finding be blocked given the threshold?
+// ─────────────────────────────────────────────────────────────────────────────
+function meetsThreshold(findingSeverity, threshold) {
+  if (threshold === 'all') return true;
+
+  const findingLevel = SEVERITY_ORDER.indexOf((findingSeverity || 'low').toLowerCase());
+  const thresholdLevel = SEVERITY_ORDER.indexOf((threshold || 'all').toLowerCase());
+
+  if (thresholdLevel === -1) return true; // unknown threshold → block everything
+  if (findingLevel === -1) return true;   // unknown severity → be safe, block it
+
+  return findingLevel >= thresholdLevel;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Path exclusion check
+// ─────────────────────────────────────────────────────────────────────────────
+function isExcludedPath(filePath, excludePatterns) {
+  if (!excludePatterns || excludePatterns.length === 0) return false;
+
+  const normalized = filePath.replace(/\\/g, '/');
+
+  for (const pattern of excludePatterns) {
+    // Convert glob to simple regex:
+    // **/ matches any directory depth
+    // * matches anything except /
+    const regexStr = pattern
+      .replace(/\\/g, '/')
+      .replace(/\./g, '\\.')
+      .replace(/\*\*\//g, '(?:.+/)?')
+      .replace(/\*/g, '[^/]*');
+
+    const re = new RegExp(`(^|/)${regexStr}(/|$)`);
+    if (re.test(normalized)) return true;
+  }
+
+  return false;
+}
+
+module.exports = { loadConfig, meetsThreshold, isExcludedPath, SEVERITY_ORDER };