secure-review-extension 1.0.10 → 1.0.12

package/package.json

@@ -2,7 +2,7 @@
   "name": "secure-review-extension",
   "displayName": "Secure Review",
   "description": "Run deep static and Docker-based dynamic secure code reviews directly inside VS Code.",
-  "version": "1.0.10",
+  "version": "1.0.12",
   "publisher": "Ankit-QI",
   "icon": "media/shield.png",
   "license": "MIT",
@@ -272,6 +272,16 @@
           "default": true,
           "description": "If cppcheck is installed locally, include C and C++ static analysis findings."
         },
+        "secureReview.enableShellcheck": {
+          "type": "boolean",
+          "default": true,
+          "description": "If ShellCheck is installed locally, include shell script lint and safety findings."
+        },
+        "secureReview.enableAnsibleLint": {
+          "type": "boolean",
+          "default": true,
+          "description": "If ansible-lint is installed locally, include Ansible playbook findings."
+        },
         "secureReview.enableDotnetVuln": {
           "type": "boolean",
           "default": true,

package/src/scanners/bootstrap-tools.js

@@ -2,67 +2,95 @@ const fs = require("node:fs");
 const path = require("node:path");
 const os = require("node:os");
 const { execFileSync } = require("node:child_process");
+const { SHELL_EXTENSIONS, looksLikeAnsibleContent, looksLikeAnsiblePath } = require("./scan-targets");
 
 function detectWorkspace(workspaceRoot) {
   const manifestNames = new Set(walkFiles(workspaceRoot, 4).map((file) => path.relative(workspaceRoot, file)));
   const languages = new Set();
   const frameworks = new Set();
 
-  if (exists("package.json")) {
+  const packageJsonFiles = [...manifestNames].filter((file) => path.basename(file) === "package.json");
+  if (packageJsonFiles.length) {
     languages.add("javascript");
-    const packageJson = readJson(path.join(workspaceRoot, "package.json"));
-    const dependencies = {
-      ...(packageJson.dependencies || {}),
-      ...(packageJson.devDependencies || {}),
-      ...(packageJson.peerDependencies || {})
-    };
-
-    if (dependencies.react) frameworks.add("react");
-    if (dependencies.next) frameworks.add("nextjs");
-    if (dependencies.vue) frameworks.add("vue");
-    if (dependencies["@angular/core"]) frameworks.add("angular");
-    if (dependencies.express) frameworks.add("express");
-    if (dependencies["@nestjs/core"]) frameworks.add("nestjs");
-  }
-
-  if (exists("requirements.txt") || exists("pyproject.toml") || exists("Pipfile")) {
+    for (const packageJsonPath of packageJsonFiles) {
+      const packageJson = readJson(path.join(workspaceRoot, packageJsonPath));
+      const dependencies = {
+        ...(packageJson.dependencies || {}),
+        ...(packageJson.devDependencies || {}),
+        ...(packageJson.peerDependencies || {})
+      };
+
+      if (dependencies.react) frameworks.add("react");
+      if (dependencies.next) frameworks.add("nextjs");
+      if (dependencies.vue) frameworks.add("vue");
+      if (dependencies["@angular/core"]) frameworks.add("angular");
+      if (dependencies.express) frameworks.add("express");
+      if (dependencies["@nestjs/core"]) frameworks.add("nestjs");
+      if (dependencies.svelte) frameworks.add("svelte");
+      if (dependencies.koa) frameworks.add("koa");
+      if (dependencies.fastify) frameworks.add("fastify");
+    }
+  }
+
+  const pythonManifestFiles = [...manifestNames].filter((file) => {
+    const base = path.basename(file);
+    return base === "requirements.txt" || base === "pyproject.toml" || base === "Pipfile";
+  });
+  if (pythonManifestFiles.length) {
     languages.add("python");
-    const pythonText = readTextIfExists("requirements.txt") || readTextIfExists("pyproject.toml") || "";
-    if (/django/i.test(pythonText)) frameworks.add("django");
-    if (/flask/i.test(pythonText)) frameworks.add("flask");
-    if (/fastapi/i.test(pythonText)) frameworks.add("fastapi");
+    for (const manifestPath of pythonManifestFiles) {
+      const pythonText = readTextIfExists(manifestPath);
+      if (/django/i.test(pythonText)) frameworks.add("django");
+      if (/flask/i.test(pythonText)) frameworks.add("flask");
+      if (/fastapi/i.test(pythonText)) frameworks.add("fastapi");
+    }
   }
 
-  if (exists("go.mod")) {
+  const goModFiles = [...manifestNames].filter((file) => path.basename(file) === "go.mod");
+  if (goModFiles.length) {
     languages.add("go");
-    const goMod = readTextIfExists("go.mod");
-    if (/gin-gonic\/gin/i.test(goMod)) frameworks.add("gin");
-    if (/labstack\/echo/i.test(goMod)) frameworks.add("echo");
+    for (const goModPath of goModFiles) {
+      const goMod = readTextIfExists(goModPath);
+      if (/gin-gonic\/gin/i.test(goMod)) frameworks.add("gin");
+      if (/labstack\/echo/i.test(goMod)) frameworks.add("echo");
+      if (/gofiber\/fiber/i.test(goMod)) frameworks.add("fiber");
+    }
   }
 
-  if (exists("Cargo.toml")) {
+  const cargoTomlFiles = [...manifestNames].filter((file) => path.basename(file) === "Cargo.toml");
+  if (cargoTomlFiles.length) {
     languages.add("rust");
-    const cargoToml = readTextIfExists("Cargo.toml");
-    if (/actix-web/i.test(cargoToml)) frameworks.add("actix-web");
-    if (/\baxum\b/i.test(cargoToml)) frameworks.add("axum");
+    for (const cargoTomlPath of cargoTomlFiles) {
+      const cargoToml = readTextIfExists(cargoTomlPath);
+      if (/actix-web/i.test(cargoToml)) frameworks.add("actix-web");
+      if (/\baxum\b/i.test(cargoToml)) frameworks.add("axum");
+      if (/rocket/i.test(cargoToml)) frameworks.add("rocket");
+    }
   }
 
-  if (exists("pom.xml") || exists("build.gradle") || exists("build.gradle.kts")) {
+  const javaManifestFiles = [...manifestNames].filter((file) => {
+    const base = path.basename(file);
+    return base === "pom.xml" || base === "build.gradle" || base === "build.gradle.kts";
+  });
+  if (javaManifestFiles.length) {
     languages.add("java");
-    const javaText = readTextIfExists("pom.xml") || readTextIfExists("build.gradle") || readTextIfExists("build.gradle.kts") || "";
-    if (/spring/i.test(javaText)) frameworks.add("spring");
+    for (const manifestPath of javaManifestFiles) {
+      const javaText = readTextIfExists(manifestPath);
+      if (/spring/i.test(javaText)) frameworks.add("spring");
+      if (/quarkus/i.test(javaText)) frameworks.add("quarkus");
+    }
   }
 
-  if (exists("CMakeLists.txt") || exists("Makefile")) {
+  if (manifestNames.has("CMakeLists.txt") || manifestNames.has("Makefile")) {
     languages.add("c");
     languages.add("cpp");
   }
 
-  if (exists("composer.json")) {
+  if ([...manifestNames].some((file) => path.basename(file) === "composer.json")) {
     languages.add("php");
   }
 
-  if (exists("Gemfile")) {
+  if ([...manifestNames].some((file) => path.basename(file) === "Gemfile")) {
     languages.add("ruby");
     frameworks.add("rails");
   }
@@ -71,6 +99,10 @@ function detectWorkspace(workspaceRoot) {
     languages.add("csharp");
   }
 
+  if ([...manifestNames].some((file) => path.basename(file) === "ansible.cfg")) {
+    frameworks.add("ansible");
+  }
+
   for (const file of manifestNames) {
     const ext = path.extname(file).toLowerCase();
     if ([".c", ".h"].includes(ext)) languages.add("c");
@@ -82,7 +114,9 @@ function detectWorkspace(workspaceRoot) {
     if (ext === ".php") languages.add("php");
     if (ext === ".rb") languages.add("ruby");
     if (ext === ".cs") languages.add("csharp");
+    if (SHELL_EXTENSIONS.has(ext)) languages.add("shell");
     if ([".js", ".jsx", ".ts", ".tsx", ".mjs", ".cjs"].includes(ext)) languages.add("javascript");
+    if ([".yml", ".yaml"].includes(ext) && looksLikeAnsibleFile(workspaceRoot, file)) frameworks.add("ansible");
   }
 
   return {
@@ -202,6 +236,24 @@ function buildInstallPlan(profile) {
     });
   }
 
+  if (hasAny(profile.languages, ["shell"])) {
+    addTool(plan, seen, {
+      tool: "ShellCheck",
+      requiredFor: ["Shell scripts"],
+      install: resolveShellcheckInstall(),
+      verify: ["shellcheck", "--version"]
+    });
+  }
+
+  if (hasAny(profile.frameworks, ["ansible"])) {
+    addTool(plan, seen, {
+      tool: "ansible-lint",
+      requiredFor: ["Ansible / playbooks"],
+      install: resolvePythonInstall("ansible-lint"),
+      verify: ["ansible-lint", "--version"]
+    });
+  }
+
   if (hasAny(profile.languages, ["csharp"])) {
     addTool(plan, seen, {
       tool: ".NET package audit",
@@ -294,6 +346,13 @@ function resolveCppcheckInstall() {
   return { kind: "manual", note: "Install cppcheck with your system package manager." };
 }
 
+function resolveShellcheckInstall() {
+  if (hasCommand("shellcheck")) return { kind: "already-installed" };
+  if (os.platform() === "linux") return { kind: "command", command: ["sudo", "apt-get", "install", "-y", "shellcheck"] };
+  if (hasCommand("brew")) return { kind: "command", command: ["brew", "install", "shellcheck"] };
+  return { kind: "manual", note: "Install shellcheck with your system package manager." };
+}
+
 function resolveSpotBugsInstall() {
   if (hasCommand("spotbugs")) return { kind: "already-installed" };
   if (hasCommand("brew")) return { kind: "command", command: ["brew", "install", "spotbugs"] };
@@ -354,6 +413,23 @@ function readJson(filePath) {
   }
 }
 
+function looksLikeAnsibleFile(workspaceRoot, relativePath) {
+  if (looksLikeAnsiblePath(relativePath)) {
+    return true;
+  }
+
+  const fullPath = path.join(workspaceRoot, relativePath);
+  if (!fs.existsSync(fullPath)) {
+    return false;
+  }
+
+  try {
+    return looksLikeAnsibleContent(fs.readFileSync(fullPath, "utf8"));
+  } catch {
+    return false;
+  }
+}
+
 module.exports = {
   detectWorkspace,
   buildInstallPlan,