secure-push-check 1.0.0

package/src/scanners/secrets.js

@@ -0,0 +1,302 @@
+import path from "node:path";
+import { promises as fs } from "node:fs";
+import fg from "fast-glob";
+
+const DEFAULT_IGNORES = [
+  "**/.git/**",
+  "**/node_modules/**",
+  "**/dist/**",
+  "**/build/**",
+  "**/coverage/**"
+];
+
+const DEFAULT_SECRET_PATTERNS = [
+  {
+    name: "AWS Access Key ID",
+    regex: "\\b(?:AKIA|ASIA)[0-9A-Z]{16}\\b",
+    flags: "g",
+    severity: "critical"
+  },
+  {
+    name: "JWT Token",
+    regex: "\\beyJ[A-Za-z0-9_-]{10,}\\.[A-Za-z0-9._-]{10,}\\.[A-Za-z0-9._-]{10,}\\b",
+    flags: "g",
+    severity: "high"
+  },
+  {
+    name: "OpenAI Key",
+    regex: "\\bsk-(?:proj|live|test)?[A-Za-z0-9_-]{20,}\\b",
+    flags: "gi",
+    severity: "critical"
+  },
+  {
+    name: "Supabase Key",
+    regex: "\\bsb_(?:secret|publishable)_[A-Za-z0-9_-]{20,}\\b",
+    flags: "gi",
+    severity: "high"
+  },
+  {
+    name: "Private Access Token",
+    regex: "\\b(?:ghp_[A-Za-z0-9_]{20,}|github_pat_[A-Za-z0-9_]{20,}|glpat-[A-Za-z0-9_-]{20,}|xox[baprs]-[A-Za-z0-9-]{10,})\\b",
+    flags: "g",
+    severity: "critical"
+  },
+  {
+    name: "Generic API Key Assignment",
+    regex: "\\b(?:api[_-]?key|token|secret)\\b\\s*[:=]\\s*['\\\"][A-Za-z0-9_\\-]{16,}['\\\"]",
+    flags: "gi",
+    severity: "high"
+  }
+];
+
+const VALID_SEVERITIES = new Set(["low", "moderate", "high", "critical"]);
+
+/**
+ * @param {string} value
+ * @returns {string}
+ */
+function normalizeSeverity(value) {
+  const normalized = String(value || "").trim().toLowerCase();
+  return VALID_SEVERITIES.has(normalized) ? normalized : "high";
+}
+
+/**
+ * @param {string} value
+ * @returns {string}
+ */
+function escapeRegex(value) {
+  return value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+}
+
+/**
+ * @param {string[]} allowPatterns
+ * @returns {RegExp[]}
+ */
+function compileAllowPatterns(allowPatterns) {
+  if (!Array.isArray(allowPatterns)) {
+    return [];
+  }
+
+  const matchers = [];
+  for (const rawPattern of allowPatterns) {
+    if (typeof rawPattern !== "string" || rawPattern.trim() === "") {
+      continue;
+    }
+
+    const trimmed = rawPattern.trim();
+    const regexLike = trimmed.match(/^\/(.+)\/([a-z]*)$/i);
+
+    try {
+      if (regexLike) {
+        matchers.push(new RegExp(regexLike[1], regexLike[2].replace(/g/g, "")));
+      } else {
+        matchers.push(new RegExp(escapeRegex(trimmed), "i"));
+      }
+    } catch {
+      // Ignore invalid allow patterns from config and continue scanning.
+    }
+  }
+
+  return matchers;
+}
+
+/**
+ * @param {Array<unknown>} customPatterns
+ * @returns {Array<{name: string, severity: string, regex: RegExp}>}
+ */
+function compileSecretPatterns(customPatterns) {
+  const output = [];
+
+  /**
+   * @param {string} name
+   * @param {string} regexText
+   * @param {string} flags
+   * @param {string} severity
+   */
+  const pushPattern = (name, regexText, flags, severity) => {
+    const normalizedFlags = flags.includes("g") ? flags : `${flags}g`;
+    try {
+      output.push({
+        name,
+        severity: normalizeSeverity(severity),
+        regex: new RegExp(regexText, normalizedFlags)
+      });
+    } catch {
+      // Ignore invalid configured patterns and keep built-in scanning active.
+    }
+  };
+
+  for (const pattern of DEFAULT_SECRET_PATTERNS) {
+    pushPattern(pattern.name, pattern.regex, pattern.flags, pattern.severity);
+  }
+
+  if (!Array.isArray(customPatterns)) {
+    return output;
+  }
+
+  for (const pattern of customPatterns) {
+    if (typeof pattern === "string" && pattern.trim() !== "") {
+      pushPattern("Custom Secret Pattern", pattern, "gi", "high");
+      continue;
+    }
+
+    if (typeof pattern === "object" && pattern !== null) {
+      const name = typeof pattern.name === "string" ? pattern.name : "Custom Secret Pattern";
+      const regexText = typeof pattern.regex === "string" ? pattern.regex : "";
+      const flags = typeof pattern.flags === "string" ? pattern.flags : "gi";
+      const severity = typeof pattern.severity === "string" ? pattern.severity : "high";
+      if (regexText.trim() !== "") {
+        pushPattern(name, regexText, flags, severity);
+      }
+    }
+  }
+
+  return output;
+}
+
+/**
+ * @param {Buffer} buffer
+ * @returns {boolean}
+ */
+function isProbablyBinary(buffer) {
+  const sample = buffer.subarray(0, Math.min(buffer.length, 8000));
+  let suspicious = 0;
+
+  for (const byte of sample) {
+    if (byte === 0) {
+      return true;
+    }
+
+    const isControl = byte < 7 || (byte > 13 && byte < 32);
+    if (isControl) {
+      suspicious += 1;
+    }
+  }
+
+  return sample.length > 0 && suspicious / sample.length > 0.3;
+}
+
+/**
+ * @param {string} value
+ * @returns {string}
+ */
+function redactMatch(value) {
+  if (value.length <= 8) {
+    return "***";
+  }
+  return `${value.slice(0, 4)}...${value.slice(-4)}`;
+}
+
+/**
+ * @param {string} line
+ * @param {string} matchedText
+ * @param {RegExp[]} allowMatchers
+ * @returns {boolean}
+ */
+function isAllowed(line, matchedText, allowMatchers) {
+  for (const matcher of allowMatchers) {
+    if (matcher.test(line) || matcher.test(matchedText)) {
+      return true;
+    }
+  }
+  return false;
+}
+
+/**
+ * Scan all text files for hard-coded secret patterns.
+ *
+ * @param {object} options
+ * @param {string} options.repoRoot
+ * @param {string[]} [options.ignoreGlobs]
+ * @param {string[]} [options.allowPatterns]
+ * @param {Array<unknown>} [options.secretPatterns]
+ * @returns {Promise<object>}
+ */
+export async function scanSecrets(options = {}) {
+  const { repoRoot, ignoreGlobs = [], allowPatterns = [], secretPatterns = [] } = options;
+
+  if (!repoRoot) {
+    throw new Error("scanSecrets requires a repoRoot.");
+  }
+
+  const findings = [];
+  const files = await fg(["**/*"], {
+    cwd: repoRoot,
+    dot: true,
+    onlyFiles: true,
+    unique: true,
+    ignore: [...DEFAULT_IGNORES, ...ignoreGlobs]
+  });
+
+  const allowMatchers = compileAllowPatterns(allowPatterns);
+  const patterns = compileSecretPatterns(secretPatterns);
+
+  for (const relativePath of files) {
+    const fullPath = path.join(repoRoot, relativePath);
+    let buffer;
+    try {
+      buffer = await fs.readFile(fullPath);
+    } catch (error) {
+      findings.push({
+        check: "secrets",
+        severity: "moderate",
+        message: `Unable to read file during secret scan: ${error.message}`,
+        file: relativePath
+      });
+      continue;
+    }
+
+    if (isProbablyBinary(buffer)) {
+      continue;
+    }
+
+    const content = buffer.toString("utf8");
+    const lines = content.split(/\r?\n/u);
+
+    for (let index = 0; index < lines.length; index += 1) {
+      const line = lines[index];
+      for (const pattern of patterns) {
+        pattern.regex.lastIndex = 0;
+
+        let match;
+        while ((match = pattern.regex.exec(line)) !== null) {
+          const matchedText = match[0];
+
+          if (isAllowed(line, matchedText, allowMatchers)) {
+            if (pattern.regex.lastIndex === match.index) {
+              pattern.regex.lastIndex += 1;
+            }
+            continue;
+          }
+
+          findings.push({
+            check: "secrets",
+            rule: pattern.name,
+            severity: pattern.severity,
+            message: `Potential ${pattern.name} detected`,
+            file: relativePath,
+            line: index + 1,
+            column: match.index + 1,
+            excerpt: redactMatch(matchedText)
+          });
+
+          if (pattern.regex.lastIndex === match.index) {
+            pattern.regex.lastIndex += 1;
+          }
+        }
+      }
+    }
+  }
+
+  return {
+    id: "secrets-detection",
+    name: "Secrets Detection",
+    status: findings.length > 0 ? "failed" : "passed",
+    findings,
+    stats: {
+      filesScanned: files.length
+    }
+  };
+}
+
+export { DEFAULT_SECRET_PATTERNS };