secure-push-check 1.0.0

package/src/scanners/credentials.js

@@ -0,0 +1,207 @@
+import path from "node:path";
+import { promises as fs } from "node:fs";
+import fg from "fast-glob";
+import { parse } from "@babel/parser";
+
+const DEFAULT_IGNORES = [
+  "**/.git/**",
+  "**/node_modules/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/coverage/**"
+];
+
+const CODE_GLOBS = ["**/*.js", "**/*.jsx", "**/*.ts", "**/*.tsx", "**/*.mjs", "**/*.cjs"];
+const CREDENTIAL_VAR_PATTERN = /(password|passwd|pwd|token|secret|api[_-]?key|access[_-]?token)/i;
+
+/**
+ * @param {string} value
+ * @returns {string}
+ */
+function escapeRegex(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+/**
+ * @param {string[]} allowPatterns
+ * @returns {RegExp[]}
+ */
+function compileAllowMatchers(allowPatterns) {
+  if (!Array.isArray(allowPatterns)) {
+    return [];
+  }
+
+  const output = [];
+  for (const rawPattern of allowPatterns) {
+    if (typeof rawPattern !== "string" || rawPattern.trim() === "") {
+      continue;
+    }
+
+    const trimmed = rawPattern.trim();
+    const regexLike = trimmed.match(/^\/(.+)\/([a-z]*)$/i);
+
+    try {
+      if (regexLike) {
+        output.push(new RegExp(regexLike[1], regexLike[2].replace(/g/g, "")));
+      } else {
+        output.push(new RegExp(escapeRegex(trimmed), "i"));
+      }
+    } catch {
+      // Ignore invalid allow patterns.
+    }
+  }
+
+  return output;
+}
+
+/**
+ * @param {unknown} node
+ * @returns {string | null}
+ */
+function getStaticStringValue(node) {
+  if (!node || typeof node !== "object") {
+    return null;
+  }
+
+  if (node.type === "StringLiteral" && typeof node.value === "string") {
+    return node.value;
+  }
+
+  if (node.type === "TemplateLiteral" && Array.isArray(node.expressions) && node.expressions.length === 0) {
+    return node.quasis.map((item) => item.value.cooked || "").join("");
+  }
+
+  return null;
+}
+
+/**
+ * @param {unknown} node
+ * @param {(node: any) => void} visitor
+ * @returns {void}
+ */
+function walk(node, visitor) {
+  if (!node || typeof node !== "object") {
+    return;
+  }
+
+  visitor(node);
+
+  for (const key of Object.keys(node)) {
+    if (key === "loc" || key === "start" || key === "end") {
+      continue;
+    }
+
+    const value = node[key];
+    if (Array.isArray(value)) {
+      for (const child of value) {
+        walk(child, visitor);
+      }
+    } else if (value && typeof value === "object") {
+      walk(value, visitor);
+    }
+  }
+}
+
+/**
+ * Parse JS/TS files and detect hard-coded credentials in const declarations.
+ *
+ * @param {object} options
+ * @param {string} options.repoRoot
+ * @param {string[]} [options.ignoreGlobs]
+ * @param {string[]} [options.allowPatterns]
+ * @returns {Promise<object>}
+ */
+export async function scanHardcodedCredentials(options = {}) {
+  const { repoRoot, ignoreGlobs = [], allowPatterns = [] } = options;
+
+  if (!repoRoot) {
+    throw new Error("scanHardcodedCredentials requires a repoRoot.");
+  }
+
+  const files = await fg(CODE_GLOBS, {
+    cwd: repoRoot,
+    dot: true,
+    onlyFiles: true,
+    unique: true,
+    ignore: [...DEFAULT_IGNORES, ...ignoreGlobs]
+  });
+
+  const allowMatchers = compileAllowMatchers(allowPatterns);
+  const findings = [];
+
+  for (const relativePath of files) {
+    const fullPath = path.join(repoRoot, relativePath);
+    let source = "";
+
+    try {
+      source = await fs.readFile(fullPath, "utf8");
+    } catch (error) {
+      findings.push({
+        check: "credentials",
+        severity: "moderate",
+        message: `Unable to read source file during credential scan: ${error.message}`,
+        file: relativePath
+      });
+      continue;
+    }
+
+    let ast;
+    try {
+      ast = parse(source, {
+        sourceType: "unambiguous",
+        errorRecovery: true,
+        plugins: ["typescript", "jsx", "classProperties", "decorators-legacy"]
+      });
+    } catch (error) {
+      findings.push({
+        check: "credentials",
+        severity: "moderate",
+        message: `Unable to parse source file for AST scan: ${error.message}`,
+        file: relativePath
+      });
+      continue;
+    }
+
+    walk(ast, (node) => {
+      if (node.type !== "VariableDeclaration" || node.kind !== "const") {
+        return;
+      }
+
+      for (const declaration of node.declarations || []) {
+        const variableName = declaration?.id?.type === "Identifier" ? declaration.id.name : null;
+        if (!variableName || !CREDENTIAL_VAR_PATTERN.test(variableName)) {
+          continue;
+        }
+
+        const value = getStaticStringValue(declaration.init);
+        if (!value) {
+          continue;
+        }
+
+        const isAllowed = allowMatchers.some((matcher) => matcher.test(value));
+        if (isAllowed) {
+          continue;
+        }
+
+        findings.push({
+          check: "credentials",
+          severity: "high",
+          message: `Hardcoded credential in const '${variableName}'`,
+          file: relativePath,
+          line: declaration.loc?.start?.line,
+          column: declaration.loc?.start?.column ? declaration.loc.start.column + 1 : 1
+        });
+      }
+    });
+  }
+
+  return {
+    id: "hardcoded-credentials-scan",
+    name: "Hardcoded Credentials Scan",
+    status: findings.length > 0 ? "failed" : "passed",
+    findings,
+    stats: {
+      filesScanned: files.length
+    }
+  };
+}

package/src/scanners/deps.js

@@ -0,0 +1,160 @@
+import path from "node:path";
+import { execFile } from "node:child_process";
+import { promises as fs } from "node:fs";
+import { promisify } from "node:util";
+
+const execFileAsync = promisify(execFile);
+const TARGET_SEVERITIES = ["critical", "high", "moderate"];
+
+/**
+ * @param {Record<string, unknown>} report
+ * @returns {{critical: number, high: number, moderate: number, low: number}}
+ */
+function extractVulnerabilityCounts(report) {
+  const fallback = { critical: 0, high: 0, moderate: 0, low: 0 };
+  const metadataCounts = report?.metadata?.vulnerabilities;
+  if (metadataCounts && typeof metadataCounts === "object") {
+    return {
+      critical: Number(metadataCounts.critical || 0),
+      high: Number(metadataCounts.high || 0),
+      moderate: Number(metadataCounts.moderate || 0),
+      low: Number(metadataCounts.low || 0)
+    };
+  }
+
+  const vulnerabilities = report?.vulnerabilities;
+  if (!vulnerabilities || typeof vulnerabilities !== "object") {
+    return fallback;
+  }
+
+  const counts = { ...fallback };
+  for (const value of Object.values(vulnerabilities)) {
+    if (!value || typeof value !== "object") {
+      continue;
+    }
+    const severity = String(value.severity || "").toLowerCase();
+    if (Object.prototype.hasOwnProperty.call(counts, severity)) {
+      counts[severity] += 1;
+    }
+  }
+  return counts;
+}
+
+/**
+ * Run npm audit and parse severity counts.
+ *
+ * @param {object} options
+ * @param {string} options.repoRoot
+ * @returns {Promise<object>}
+ */
+export async function scanDependencies(options = {}) {
+  const { repoRoot } = options;
+
+  if (!repoRoot) {
+    throw new Error("scanDependencies requires a repoRoot.");
+  }
+
+  const packageJsonPath = path.join(repoRoot, "package.json");
+  try {
+    await fs.access(packageJsonPath);
+  } catch {
+    return {
+      id: "dependency-vulnerability-check",
+      name: "Dependency Vulnerability Check",
+      status: "skipped",
+      findings: [],
+      meta: {
+        reason: "No package.json found in repository root."
+      }
+    };
+  }
+
+  let stdout = "";
+  let stderr = "";
+
+  try {
+    const result = await execFileAsync("npm", ["audit", "--json"], {
+      cwd: repoRoot,
+      maxBuffer: 20 * 1024 * 1024
+    });
+    stdout = result.stdout;
+    stderr = result.stderr;
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return {
+        id: "dependency-vulnerability-check",
+        name: "Dependency Vulnerability Check",
+        status: "failed",
+        findings: [
+          {
+            check: "dependencies",
+            severity: "moderate",
+            message: "npm command is not available. Unable to run npm audit.",
+            file: "package.json"
+          }
+        ]
+      };
+    }
+    stdout = typeof error.stdout === "string" ? error.stdout : "";
+    stderr = typeof error.stderr === "string" ? error.stderr : "";
+  }
+
+  if (!stdout || stdout.trim() === "") {
+    const errorSummary = stderr.split(/\r?\n/u).find((line) => line.trim() !== "") || "Unknown npm audit error.";
+    return {
+      id: "dependency-vulnerability-check",
+      name: "Dependency Vulnerability Check",
+      status: "failed",
+      findings: [
+        {
+          check: "dependencies",
+          severity: "moderate",
+          message: `npm audit did not return JSON output: ${errorSummary}`,
+          file: "package.json"
+        }
+      ]
+    };
+  }
+
+  let report;
+  try {
+    report = JSON.parse(stdout);
+  } catch (error) {
+    return {
+      id: "dependency-vulnerability-check",
+      name: "Dependency Vulnerability Check",
+      status: "failed",
+      findings: [
+        {
+          check: "dependencies",
+          severity: "moderate",
+          message: `Unable to parse npm audit JSON: ${error.message}`,
+          file: "package.json"
+        }
+      ]
+    };
+  }
+
+  const counts = extractVulnerabilityCounts(report);
+  const findings = [];
+
+  for (const severity of TARGET_SEVERITIES) {
+    const count = counts[severity];
+    if (count > 0) {
+      findings.push({
+        check: "dependencies",
+        severity,
+        message: `npm audit found ${count} ${severity} vulnerabilit${count === 1 ? "y" : "ies"}.`,
+        file: "package-lock.json"
+      });
+    }
+  }
+
+  return {
+    id: "dependency-vulnerability-check",
+    name: "Dependency Vulnerability Check",
+    status: findings.length > 0 ? "failed" : "passed",
+    findings,
+    stats: counts
+  };
+}

package/src/scanners/files.js

@@ -0,0 +1,88 @@
+import { execFile } from "node:child_process";
+import { promisify } from "node:util";
+import fg from "fast-glob";
+
+const execFileAsync = promisify(execFile);
+
+const DEFAULT_IGNORES = [
+  "**/.git/**",
+  "**/node_modules/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/coverage/**"
+];
+
+const SENSITIVE_FILE_GLOBS = [
+  "**/.env",
+  "**/.env.local",
+  "**/id_rsa",
+  "**/*.pem",
+  "**/config.prod.json",
+  "**/secrets.json"
+];
+
+/**
+ * @param {string} repoRoot
+ * @param {string} relativePath
+ * @returns {Promise<boolean>}
+ */
+async function isIgnoredByGit(repoRoot, relativePath) {
+  try {
+    await execFileAsync("git", ["check-ignore", relativePath], { cwd: repoRoot });
+    return true;
+  } catch (error) {
+    if (error && typeof error.code === "number" && error.code === 1) {
+      return false;
+    }
+    return false;
+  }
+}
+
+/**
+ * Detect sensitive files that exist locally and are not ignored by Git.
+ *
+ * @param {object} options
+ * @param {string} options.repoRoot
+ * @param {string[]} [options.ignoreGlobs]
+ * @returns {Promise<object>}
+ */
+export async function scanSensitiveFiles(options = {}) {
+  const { repoRoot, ignoreGlobs = [] } = options;
+
+  if (!repoRoot) {
+    throw new Error("scanSensitiveFiles requires a repoRoot.");
+  }
+
+  const matches = await fg(SENSITIVE_FILE_GLOBS, {
+    cwd: repoRoot,
+    dot: true,
+    onlyFiles: true,
+    unique: true,
+    ignore: [...DEFAULT_IGNORES, ...ignoreGlobs]
+  });
+
+  const findings = [];
+  for (const file of matches) {
+    const ignored = await isIgnoredByGit(repoRoot, file);
+    if (!ignored) {
+      findings.push({
+        check: "sensitive-files",
+        severity: "critical",
+        message: "Sensitive file exists and is not ignored by Git",
+        file
+      });
+    }
+  }
+
+  return {
+    id: "sensitive-files-detection",
+    name: "Sensitive Files Detection",
+    status: findings.length > 0 ? "failed" : "passed",
+    findings,
+    stats: {
+      filesFound: matches.length
+    }
+  };
+}
+
+export { SENSITIVE_FILE_GLOBS };

package/src/scanners/gitignore.js

@@ -0,0 +1,112 @@
+import path from "node:path";
+import { promises as fs } from "node:fs";
+
+const REQUIRED_PATTERNS = [
+  ".env",
+  ".env.local",
+  "id_rsa",
+  "*.pem",
+  "config.prod.json",
+  "secrets.json"
+];
+
+/**
+ * @param {string} value
+ * @returns {string}
+ */
+function normalizeEntry(value) {
+  return value.trim().replace(/\\/g, "/").replace(/^\.\/+/, "").replace(/^\/+/, "");
+}
+
+/**
+ * @param {string} required
+ * @param {Set<string>} entries
+ * @returns {boolean}
+ */
+function isPatternCovered(required, entries) {
+  if (entries.has(required) || entries.has(`**/${required}`)) {
+    return true;
+  }
+
+  if (required === ".env") {
+    return entries.has(".env*") || entries.has("*.env");
+  }
+
+  if (required === ".env.local") {
+    return entries.has(".env*") || entries.has("*.env.local") || entries.has("*.env*");
+  }
+
+  if (required === "id_rsa") {
+    return entries.has("*id_rsa*");
+  }
+
+  if (required === "*.pem") {
+    return entries.has("**/*.pem") || entries.has("*.pem*");
+  }
+
+  return false;
+}
+
+/**
+ * Validate whether .gitignore protects sensitive file patterns.
+ *
+ * @param {object} options
+ * @param {string} options.repoRoot
+ * @returns {Promise<object>}
+ */
+export async function validateGitignore(options = {}) {
+  const { repoRoot } = options;
+
+  if (!repoRoot) {
+    throw new Error("validateGitignore requires a repoRoot.");
+  }
+
+  const gitignorePath = path.join(repoRoot, ".gitignore");
+  let content = "";
+
+  try {
+    content = await fs.readFile(gitignorePath, "utf8");
+  } catch (error) {
+    if (error.code === "ENOENT") {
+      return {
+        id: "gitignore-validation",
+        name: "Gitignore Validation",
+        status: "failed",
+        findings: [
+          {
+            check: "gitignore",
+            severity: "high",
+            message: ".gitignore file is missing",
+            file: ".gitignore"
+          }
+        ]
+      };
+    }
+    throw error;
+  }
+
+  const entries = new Set(
+    content
+      .split(/\r?\n/u)
+      .map((line) => line.trim())
+      .filter((line) => line !== "" && !line.startsWith("#"))
+      .map((line) => normalizeEntry(line))
+  );
+
+  const missing = REQUIRED_PATTERNS.filter((pattern) => !isPatternCovered(pattern, entries));
+  const findings = missing.map((pattern) => ({
+    check: "gitignore",
+    severity: "high",
+    message: `Missing sensitive ignore pattern: ${pattern}`,
+    file: ".gitignore"
+  }));
+
+  return {
+    id: "gitignore-validation",
+    name: "Gitignore Validation",
+    status: findings.length > 0 ? "failed" : "passed",
+    findings
+  };
+}
+
+export { REQUIRED_PATTERNS };