secure-review-extension 1.0.0

package/CHANGELOG.md

@@ -0,0 +1,9 @@
+# Changelog
+
+## 1.0.0
+
+- Initial production-ready v1 packaging of the Secure Review extension
+- Deep static secure review workflows inside VS Code
+- Findings tree, diagnostics, quick fixes, and report webview
+- DOCX report export with structured security report formatting
+- Marketplace-ready metadata, packaging scripts, and release docs

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Your Organization
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,304 @@
+# Secure Review VS Code Extension
+
+Secure Review is a VS Code extension for internal engineering teams that runs deep static secure code reviews and Docker-based dynamic web security scans directly from VS Code.
+
+It can also run as a local terminal agent through the `secure-review` CLI.
+
+## Features
+
+- Static workspace scan with built-in review packs
+- Current-file scan command
+- Docker-based OWASP ZAP dynamic scan for local/test applications
+- Optional local external tool enrichment when available
+- Findings tree view in the VS Code activity bar
+- Inline diagnostics in the editor
+- Report webview with summary, findings, and evidence
+- DOCX security report export with project metadata prompts
+- Ignore findings for the current workspace session
+- Optional scan-on-save behavior
+
+## Installation
+
+### Visual Studio Marketplace
+
+1. Publish the extension with your real publisher identity.
+2. Search for `Secure Review` in VS Code Extensions.
+3. Click `Install`.
+
+### VSIX
+
+1. Package the extension:
+
+```bash
+npm run package
+```
+
+2. In VS Code, run `Extensions: Install from VSIX...`
+3. Select the generated `.vsix` file.
+
+### CLI Agent
+
+To use Secure Review as a terminal agent from this repo:
+
+```bash
+npm link
+```
+
+Then the `secure-review` command will be available on your machine:
+
+```bash
+secure-review help
+```
+
+To prepare the CLI package for distribution:
+
+```bash
+npm run verify
+npm run pack:cli:dry-run
+```
+
+To build the tarball you would share or publish:
+
+```bash
+npm run pack:cli
+```
+
+To publish to npm after setting the final package name and metadata:
+
+```bash
+npm run publish:npm
+```
+
+## Commands
+
+- `Secure Review: Scan Workspace`
+- `Secure Review: Scan Current File`
+- `Secure Review: Dynamic Scan Local App`
+- `Secure Review: Open Review Report`
+- `Secure Review: Export Findings Report`
+- `Secure Review: Clear Findings`
+- `Secure Review: Ignore Finding`
+
+## CLI Usage
+
+The terminal agent supports:
+
+```bash
+secure-review inspect /path/to/repo
+secure-review bootstrap /path/to/repo
+secure-review bootstrap /path/to/repo --run
+secure-review scan /path/to/repo --severity medium
+secure-review scan /path/to/repo --format html --out report.html
+secure-review scan /path/to/repo --format docx --out report.docx
+secure-review scan /path/to/repo --dynamic-url http://127.0.0.1:3001 --dynamic-mode baseline
+```
+
+Command summary:
+- `inspect`
+  Shows detected languages, frameworks, and recommended scanner tools for a workspace.
+- `bootstrap`
+  Prints the install plan for the workspace, or runs the supported install commands with `--run`.
+- `scan`
+  Runs static review, optionally adds a Docker-based ZAP dynamic scan, and can export text, JSON, HTML, Markdown, or DOCX output.
+
+## npm Publishing Notes
+
+Before publishing the CLI package for other users:
+- replace the placeholder npm package name in [package.json](/home/ankit.singh/CODE_REVIEW_TOOL/package.json) if needed
+- replace placeholder homepage, repository, and bugs URLs
+- make sure the package name is actually available on npm
+- run `npm run verify`
+- run `npm run pack:cli:dry-run`
+- run `npm run pack:cli`
+- test the generated tarball locally with `npm install -g ./<tarball>.tgz`
+- publish with `npm run publish:npm`
+
+## What The Extension Checks
+
+### Static checks
+
+- hard-coded secrets and credentials
+- weak crypto algorithms like `md5` and `sha1`
+- SQL injection style string concatenation
+- command execution sinks
+- dangerous HTML injection patterns
+- debug and verbose logging smells
+- unsafe eval-like execution
+
+### Review domains
+
+- security and vulnerability checks
+- dependency and supply-chain checks
+- code quality and maintainability
+- reliability and error handling
+- performance smells
+- outdated practices
+- testing gaps
+
+### Dynamic checks
+
+- ZAP baseline scan for passive web checks
+- ZAP full scan for active testing against local/test apps
+- missing headers
+- cookie issues
+- information disclosure
+- XSS and injection candidates surfaced by ZAP
+
+Dynamic scans are intended only for developer-controlled local or test URLs. Full scan mode is intrusive and requires explicit confirmation.
+
+## Report Export
+
+- Exported reports are generated as `.docx`
+- The export flow prompts for:
+  - project name
+  - report date
+  - scan type
+  - optional notes
+- Reports include:
+  - executive summary
+  - severity summary
+  - findings by category
+  - findings by review domain
+  - overview grouped by severity
+  - detailed findings with evidence, why-it-matters, remediation, and suggestions
+  - recommendations summary
+  - methodology, limitations, and scan configuration
+
+## Test In This Workspace
+
+1. Open this folder in VS Code.
+2. Press `Fn + F5` or use `Run and Debug` to launch the Extension Development Host.
+3. In the new VS Code window, open any code project.
+4. Run `Secure Review: Scan Workspace` from the Command Palette.
+5. Open the `Secure Review` activity bar icon to inspect findings.
+6. Run `Secure Review: Open Review Report` to see the webview report.
+7. Run `Secure Review: Export Findings Report` to create the Word report.
+
+This repo already includes a vulnerable sample in [sample-workspace/demo-app.js](/home/ankit.singh/CODE_REVIEW_TOOL/sample-workspace/demo-app.js), so scanning this workspace should immediately produce findings.
+
+## Test The CLI Agent
+
+1. From this repo, run:
+
+```bash
+npm link
+```
+
+2. Inspect a target workspace:
+
+```bash
+secure-review inspect /home/ankit.singh/netbox-history-platform
+```
+
+3. See which scanners should be installed:
+
+```bash
+secure-review bootstrap /home/ankit.singh/netbox-history-platform
+```
+
+4. Run the code review:
+
+```bash
+secure-review scan /home/ankit.singh/netbox-history-platform --severity low
+```
+
+5. Export a report if needed:
+
+```bash
+secure-review scan /home/ankit.singh/netbox-history-platform --format docx --out /home/ankit.singh/netbox-history-platform/review.docx
+```
+
+## Dynamic Scan Setup
+
+1. Install Docker and ensure it is running.
+2. Start a local test app or the included sample:
+
+```bash
+PORT=3001 node sample-workspace/dev-server.js
+```
+
+3. Set `Secure Review > Dynamic Base Url` to match the port you used, for example `http://127.0.0.1:3001`.
+4. Run `Secure Review: Dynamic Scan Local App`.
+5. Use `baseline` mode first; switch to `full` mode only for applications you control.
+
+## Bootstrap Scanner Tools
+
+If you want the workspace to prepare the matching external static-analysis tools before scanning, run:
+
+```bash
+npm run bootstrap:tools
+```
+
+That command inspects the current workspace and prints the install plan for tools such as:
+- `semgrep`
+- `eslint`
+- `bandit`
+- `pip-audit`
+- `spotbugs`
+- `gosec`
+- `govulncheck`
+- `cargo-audit`
+- `clippy`
+- `cppcheck`
+
+To actually execute the supported install commands:
+
+```bash
+npm run bootstrap:tools:run
+```
+
+The bootstrap is best-effort:
+- it detects the languages and frameworks present in the workspace
+- it chooses the matching scanner tools
+- it only auto-runs commands when there is a reasonable local install path
+- some tools, such as `SpotBugs`, may still need a manual install depending on your OS and package manager setup
+
+## Packaging And Release
+
+### Precheck
+
+```bash
+npm run verify
+```
+
+### Package
+
+```bash
+npm run package
+```
+
+### Marketplace publish
+
+```bash
+npm run publish:marketplace
+```
+
+Before publishing:
+- replace `your-publisher-id` in [package.json](/home/ankit.singh/CODE_REVIEW_TOOL/package.json)
+- replace placeholder repository, homepage, and bugs URLs
+- sign in to `vsce` with the publisher PAT for your Azure DevOps publisher
+
+## Security And Privacy Notes
+
+- This extension is self-contained and does not require external scanner binaries.
+- If local tools like `semgrep`, `npm audit`, or `pip-audit` are available, the extension can enrich static review results with them.
+- Static scans operate only on files in the open workspace.
+- Dynamic scans use OWASP ZAP via Docker and should only target developer-controlled local or test applications.
+- The extension does not send findings to remote services.
+- The rule engine is intentionally local and portable so it can be tested immediately in this workspace.
+
+## Troubleshooting
+
+- `F5 changes brightness`
+  - Use `Fn + F5` or `Run and Debug`.
+- `No findings appear`
+  - Lower `Secure Review > Minimum Severity` and confirm excluded globs are not hiding your files.
+  - Check whether built-in rules or external-tool integrations are disabled in settings.
+- `Dynamic scan failed`
+  - Confirm Docker is installed and running.
+  - Confirm the target host is listed in `Secure Review > Dynamic Allow Hosts`.
+  - For localhost targets, confirm the app is reachable from Docker.
+- `DOCX export opens incorrectly`
+  - Re-export after a fresh scan and test in Word or LibreOffice.
+- `Marketplace package fails`
+  - Confirm your publisher ID, PAT, and repository metadata are set correctly.

package/bin/secure-review.js

@@ -0,0 +1,269 @@
+#!/usr/bin/env node
+
+const path = require("node:path");
+const { spawnSync } = require("node:child_process");
+const { detectWorkspace, buildInstallPlan, formatInstallPlan } = require("../src/scanners/bootstrap-tools");
+const { scanWorkspaceAtPath } = require("../src/scanners/static-scan");
+const { runDockerZapScanWithOptions } = require("../src/scanners/dynamic-scan");
+const { buildReportModel, renderReportHtml, renderMarkdown, exportDocx } = require("../src/report");
+
+const severityRank = {
+  low: 0,
+  medium: 1,
+  high: 2,
+  critical: 3
+};
+
+main().catch((error) => {
+  console.error(`secure-review failed: ${error.message}`);
+  process.exitCode = 1;
+});
+
+async function main() {
+  const { command, workspaceArg, flags } = parseArguments(process.argv.slice(2));
+  const workspaceRoot = path.resolve(workspaceArg || process.cwd());
+
+  switch (command) {
+    case "inspect":
+      inspectWorkspace(workspaceRoot);
+      return;
+    case "bootstrap":
+      bootstrapWorkspace(workspaceRoot, flags.run);
+      return;
+    case "scan":
+      await scanWorkspace(workspaceRoot, flags);
+      return;
+    case "help":
+    default:
+      printHelp();
+  }
+}
+
+function parseArguments(argv) {
+  const command = argv[0] || "help";
+  const flags = {};
+  let workspaceArg;
+
+  for (let index = 1; index < argv.length; index += 1) {
+    const token = argv[index];
+    if (!token.startsWith("--")) {
+      workspaceArg = workspaceArg || token;
+      continue;
+    }
+
+    const key = token.slice(2);
+    const next = argv[index + 1];
+    if (!next || next.startsWith("--")) {
+      flags[key] = true;
+      continue;
+    }
+
+    flags[key] = next;
+    index += 1;
+  }
+
+  return { command, workspaceArg, flags };
+}
+
+function inspectWorkspace(workspaceRoot) {
+  const profile = detectWorkspace(workspaceRoot);
+  const plan = buildInstallPlan(profile);
+  console.log(formatInstallPlan(profile, plan));
+}
+
+function bootstrapWorkspace(workspaceRoot, shouldRun) {
+  const profile = detectWorkspace(workspaceRoot);
+  const plan = buildInstallPlan(profile);
+  console.log(formatInstallPlan(profile, plan));
+
+  if (!shouldRun) {
+    console.log("");
+    console.log("Dry run only. Re-run with `--run` to execute supported install commands.");
+    return;
+  }
+
+  console.log("");
+  for (const item of plan) {
+    if (item.install.kind === "already-installed") {
+      console.log(`Skipping ${item.tool}: already available.`);
+      continue;
+    }
+    if (item.install.kind !== "command") {
+      console.log(`Skipping ${item.tool}: ${item.install.note}`);
+      continue;
+    }
+
+    console.log(`Running ${item.install.command.join(" ")}`);
+    const result = spawnSync(item.install.command[0], item.install.command.slice(1), {
+      cwd: workspaceRoot,
+      stdio: "inherit"
+    });
+
+    if (result.status !== 0) {
+      console.log(`Install failed for ${item.tool}.`);
+    }
+  }
+}
+
+async function scanWorkspace(workspaceRoot, flags) {
+  const findings = await scanWorkspaceAtPath(workspaceRoot, buildStaticConfig(flags));
+
+  if (flags["dynamic-url"]) {
+    const dynamicFindings = await runDockerZapScanWithOptions({
+      workspaceRoot,
+      target: flags["dynamic-url"],
+      scanMode: flags["dynamic-mode"] || "baseline",
+      allowHosts: splitCsv(flags["dynamic-allow-hosts"]) || ["127.0.0.1", "localhost"],
+      spiderMinutes: Number(flags["dynamic-spider-minutes"] || 1),
+      useAjaxSpider: Boolean(flags["dynamic-ajax"]),
+      dockerImage: flags["zap-image"] || "ghcr.io/zaproxy/zaproxy:stable"
+    });
+    findings.push(...dynamicFindings);
+  }
+
+  const filtered = filterBySeverity(findings, flags.severity || "low");
+
+  if (flags.format === "json" && !flags.out) {
+    console.log(JSON.stringify(filtered, null, 2));
+    return;
+  }
+
+  if (flags.format && flags.format !== "text") {
+    await writeReport(filtered, workspaceRoot, flags);
+    return;
+  }
+
+  printScanSummary(filtered, workspaceRoot);
+}
+
+function buildStaticConfig(flags) {
+  return {
+    excludeGlobs: [],
+    maxFiles: Number(flags["max-files"] || 400),
+    enableBuiltInRules: !isFalse(flags["built-in-rules"]),
+    enableSemgrep: !isFalse(flags.semgrep),
+    enableEslint: !isFalse(flags.eslint),
+    enableNpmAudit: !isFalse(flags["npm-audit"]),
+    enableBandit: !isFalse(flags.bandit),
+    enablePipAudit: !isFalse(flags["pip-audit"]),
+    enableSpotBugs: !isFalse(flags.spotbugs),
+    enableGosec: !isFalse(flags.gosec),
+    enableGovulncheck: !isFalse(flags.govulncheck),
+    enableCargoAudit: !isFalse(flags["cargo-audit"]),
+    enableClippy: !isFalse(flags.clippy),
+    enableCppcheck: !isFalse(flags.cppcheck)
+  };
+}
+
+function filterBySeverity(findings, minimumSeverity) {
+  const threshold = severityRank[minimumSeverity] ?? severityRank.low;
+  return findings.filter((finding) => (severityRank[finding.severity] ?? 0) >= threshold);
+}
+
+async function writeReport(findings, workspaceRoot, flags) {
+  const format = flags.format || "html";
+  const projectName = flags.project || path.basename(workspaceRoot);
+  const scanType = flags["dynamic-url"] ? "Static + Dynamic Analysis" : "Static Analysis";
+  const reportModel = buildReportModel(findings, {
+    projectName,
+    reportDate: flags.date || new Date(),
+    scanType,
+    notes: flags.notes || "",
+    scanConfiguration: buildScanConfiguration(flags)
+  });
+
+  const extension = format === "docx" ? "docx" : format === "md" ? "md" : format === "json" ? "json" : "html";
+  const outPath = path.resolve(flags.out || path.join(workspaceRoot, `${slugify(projectName)}-secure-review-report.${extension}`));
+
+  if (format === "docx") {
+    await exportDocx(reportModel, outPath);
+  } else if (format === "md") {
+    await require("node:fs/promises").writeFile(outPath, renderMarkdown(reportModel), "utf8");
+  } else if (format === "json") {
+    await require("node:fs/promises").writeFile(outPath, JSON.stringify({ findings, report: reportModel }, null, 2), "utf8");
+  } else {
+    await require("node:fs/promises").writeFile(outPath, renderReportHtml(reportModel), "utf8");
+  }
+
+  console.log(`Report written to ${outPath}`);
+}
+
+function buildScanConfiguration(flags) {
+  return [
+    `Minimum Severity: ${flags.severity || "low"}`,
+    `Built-In Rules: ${isFalse(flags["built-in-rules"]) ? "Disabled" : "Enabled"}`,
+    `Semgrep: ${isFalse(flags.semgrep) ? "Disabled" : "Enabled"}`,
+    `ESLint: ${isFalse(flags.eslint) ? "Disabled" : "Enabled"}`,
+    `Bandit: ${isFalse(flags.bandit) ? "Disabled" : "Enabled"}`,
+    `npm audit: ${isFalse(flags["npm-audit"]) ? "Disabled" : "Enabled"}`,
+    `pip-audit: ${isFalse(flags["pip-audit"]) ? "Disabled" : "Enabled"}`,
+    `SpotBugs: ${isFalse(flags.spotbugs) ? "Disabled" : "Enabled"}`,
+    `gosec: ${isFalse(flags.gosec) ? "Disabled" : "Enabled"}`,
+    `govulncheck: ${isFalse(flags.govulncheck) ? "Disabled" : "Enabled"}`,
+    `cargo-audit: ${isFalse(flags["cargo-audit"]) ? "Disabled" : "Enabled"}`,
+    `Clippy: ${isFalse(flags.clippy) ? "Disabled" : "Enabled"}`,
+    `cppcheck: ${isFalse(flags.cppcheck) ? "Disabled" : "Enabled"}`,
+    flags["dynamic-url"] ? `Dynamic URL: ${flags["dynamic-url"]}` : null,
+    flags["dynamic-mode"] ? `Dynamic Mode: ${flags["dynamic-mode"]}` : null
+  ].filter(Boolean).join("; ");
+}
+
+function printScanSummary(findings, workspaceRoot) {
+  console.log(`Secure Review scan completed for ${workspaceRoot}`);
+  console.log(`Total findings: ${findings.length}`);
+
+  const counts = ["critical", "high", "medium", "low"]
+    .map((severity) => `${severity}: ${findings.filter((item) => item.severity === severity).length}`)
+    .join(" | ");
+  console.log(`Severity summary: ${counts}`);
+  console.log("");
+
+  for (const finding of findings.slice(0, 25)) {
+    const location = finding.relativePath
+      ? `${finding.relativePath}:${finding.line || 1}`
+      : finding.targetUrl || "unknown-location";
+    console.log(`[${String(finding.severity || "low").toUpperCase()}] ${finding.title} :: ${location}`);
+  }
+
+  if (findings.length > 25) {
+    console.log("");
+    console.log(`Showing first 25 findings. Re-run with --format json or --format html --out <path> for full output.`);
+  }
+}
+
+function splitCsv(value) {
+  if (!value) {
+    return null;
+  }
+  return String(value).split(",").map((item) => item.trim()).filter(Boolean);
+}
+
+function isFalse(value) {
+  return value === "false" || value === false;
+}
+
+function slugify(value) {
+  return String(value || "secure-review")
+    .toLowerCase()
+    .replace(/[^a-z0-9]+/g, "-")
+    .replace(/^-+|-+$/g, "")
+    || "secure-review";
+}
+
+function printHelp() {
+  console.log(`secure-review
+
+Commands:
+  secure-review inspect [workspace]
+  secure-review bootstrap [workspace] [--run]
+  secure-review scan [workspace] [--severity low|medium|high|critical] [--format text|json|html|md|docx] [--out <path>]
+  secure-review scan [workspace] --dynamic-url <url> [--dynamic-mode baseline|full]
+
+Examples:
+  secure-review inspect /path/to/repo
+  secure-review bootstrap /path/to/repo --run
+  secure-review scan /path/to/repo --severity medium
+  secure-review scan /path/to/repo --format docx --out review.docx
+  secure-review scan /path/to/repo --dynamic-url http://127.0.0.1:3001 --format html --out report.html
+`);
+}