sertivibed 0.1.0

package/README.md

@@ -0,0 +1,209 @@
+# Sertivibed
+
+**Evidence-first security scanner for Supabase/React apps.**
+
+Sertivibed scans your codebase for common security issues and generates detailed reports with code evidence. No AI guessing — every finding is backed by actual code snippets.
+
+## Quick Start
+
+```bash
+# Scan current directory
+npx sertivibed scan .
+
+# Scan a specific project
+npx sertivibed scan ./my-app
+
+# Show detailed progress
+npx sertivibed scan . --verbose
+
+# Fail CI if HIGH+ issues found
+npx sertivibed scan . --fail-on high
+```
+
+## Installation
+
+```bash
+# Use with npx (no install needed)
+npx sertivibed scan .
+
+# Or install globally
+npm install -g sertivibed
+sertivibed scan .
+```
+
+## CLI Options
+
+| Flag | Description |
+|------|-------------|
+| `--verbose`, `-v` | Show detailed progress |
+| `--out <dir>` | Custom output directory (default: scanned project) |
+| `--fail-on <severity>` | Exit code 1 if issues >= threshold (`critical`, `high`, `medium`, `low`) |
+| `--json-only` | Only output JSON, skip markdown report |
+| `--quiet` | Minimal terminal output |
+| `--output <file>`, `-o` | Markdown report filename (default: `sertivibed-report.md`) |
+| `--json <file>`, `-j` | JSON output filename (default: `sertivibed-results.json`) |
+
+## Security Rules (12)
+
+### RLS (Row Level Security)
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| RLS001 | CRITICAL | RLS not enabled on table |
+| RLS002 | MEDIUM | Missing DELETE policy when `.delete()` is used |
+| RLS003 | HIGH | Policy missing ownership check (`auth.uid() = user_id`) |
+
+### Authentication & Authorization
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| AUTH001 | CRITICAL | Service role key in client code |
+
+### Privacy
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| PRIV001 | MEDIUM | Auth token in localStorage |
+| PRIV002 | MEDIUM | PII in console.log |
+
+### Secrets
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| SEC001 | HIGH | Hardcoded API key |
+
+### XSS (Cross-Site Scripting)
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| XSS001 | HIGH | `dangerouslySetInnerHTML` usage |
+| XSS002 | HIGH | Direct `innerHTML` assignment |
+
+### Storage
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| STOR001 | MEDIUM | File upload without validation |
+| STOR002 | MEDIUM | Public storage URL without signing |
+
+### Configuration
+
+| Rule | Severity | Description |
+|------|----------|-------------|
+| CONF001 | LOW | Missing Content Security Policy |
+
+## Output
+
+Sertivibed generates two files:
+
+- **`sertivibed-report.md`** — Human-readable report with code evidence
+- **`sertivibed-results.json`** — Machine-readable for CI/CD integration
+
+### Example Report
+
+```
+SERTIVIBED SIKKERHETSRAPPORT
+my-app
+10.1.2026
+
+Totalvurdering: BESTATT
+
+## Coverage
+
+Regler kjort:
+RLS001, RLS002, RLS003, AUTH001, PRIV001, PRIV002, SEC001, XSS001, XSS002
+
+## Sammendrag
+
+| Severity  | Antall |
+|-----------|--------|
+| CRITICAL  |  0 |
+| HIGH      |  0 |
+| MEDIUM    |  0 |
+| LOW       |  1 |
+```
+
+## CI/CD Integration
+
+### GitHub Actions
+
+```yaml
+name: Security Scan
+
+on: [push, pull_request]
+
+jobs:
+  security:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Sertivibed
+        run: npx sertivibed scan . --fail-on high --quiet
+
+      - name: Upload Report
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: security-report
+          path: sertivibed-report.md
+```
+
+### GitLab CI
+
+```yaml
+security-scan:
+  image: node:20
+  script:
+    - npx sertivibed scan . --fail-on high
+  artifacts:
+    paths:
+      - sertivibed-report.md
+    when: always
+```
+
+## Philosophy
+
+Sertivibed follows an **evidence-first** approach:
+
+1. **Every finding has code evidence** — No vague warnings. You see the exact file and line.
+2. **Verification steps included** — Each finding tells you how to manually verify it's real.
+3. **Smart detection** — Skips RLS checks for Prisma projects (they use different auth patterns).
+4. **No false confidence** — We only check what we can verify. Unknown stacks get honest "N/A".
+
+## Supported Stacks
+
+| Stack | Detection | RLS Rules |
+|-------|-----------|-----------|
+| Supabase | Auto-detected | Full support |
+| Prisma | Auto-detected | Skipped (check API routes instead) |
+| Next.js | Auto-detected | Full support |
+| Vite/React | Auto-detected | Full support |
+
+## Requirements
+
+- Node.js >= 18
+- ripgrep (rg) recommended for performance, falls back to grep
+
+### Install ripgrep
+
+```bash
+# macOS
+brew install ripgrep
+
+# Ubuntu/Debian
+sudo apt install ripgrep
+
+# Windows
+choco install ripgrep
+# or
+winget install BurntSushi.ripgrep.MSVC
+```
+
+## Contributing
+
+Issues and PRs welcome at [github.com/sertivibed/sertivibed-cli](https://github.com/sertivibed/sertivibed-cli).
+
+## License
+
+MIT - Hakon Haugen

package/dist/cli.d.ts

@@ -0,0 +1,13 @@
+#!/usr/bin/env node
+/**
+ * Sertivibed CLI
+ *
+ * Evidence-first security screening for Supabase/React apps.
+ *
+ * Usage:
+ *   npx sertivibed scan              # Scan current directory
+ *   npx sertivibed scan ./my-app     # Scan specific directory
+ *   npx sertivibed scan --verbose    # Show progress
+ *   npx sertivibed scan --fail-on=high  # Exit 1 if HIGH+ found
+ */
+export {};

package/dist/cli.js

@@ -0,0 +1,167 @@
+#!/usr/bin/env node
+"use strict";
+/**
+ * Sertivibed CLI
+ *
+ * Evidence-first security screening for Supabase/React apps.
+ *
+ * Usage:
+ *   npx sertivibed scan              # Scan current directory
+ *   npx sertivibed scan ./my-app     # Scan specific directory
+ *   npx sertivibed scan --verbose    # Show progress
+ *   npx sertivibed scan --fail-on=high  # Exit 1 if HIGH+ found
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+const commander_1 = require("commander");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const scan_1 = require("./scan");
+const md_1 = require("./reporters/md");
+const json_1 = require("./reporters/json");
+const types_1 = require("./types");
+// ============================================
+// CLI SETUP
+// ============================================
+const program = new commander_1.Command();
+program
+    .name("sertivibed")
+    .description("Evidence-first security screening for Supabase/React apps")
+    .version("0.1.0");
+// ============================================
+// SCAN COMMAND
+// ============================================
+program
+    .command("scan")
+    .description("Scan a project for security issues")
+    .argument("[path]", "Path to project (default: current directory)", ".")
+    .option("-v, --verbose", "Show detailed progress")
+    .option("-o, --output <file>", "Output markdown report to file", "sertivibed-report.md")
+    .option("-j, --json <file>", "Output JSON results to file", "sertivibed-results.json")
+    .option("--out <dir>", "Custom output directory (default: scanned project dir)")
+    .option("--fail-on <severity>", "Exit with code 1 if severity >= threshold (critical|high|medium|low)")
+    .option("--json-only", "Only output JSON, skip markdown report")
+    .option("--quiet", "Minimal terminal output")
+    .option("--no-report", "Skip generating markdown report")
+    .option("--no-json", "Skip generating JSON output")
+    .action(async (path, options) => {
+    const targetPath = (0, path_1.resolve)(path);
+    const quiet = options.quiet || false;
+    // Validate path exists
+    if (!(0, fs_1.existsSync)(targetPath)) {
+        console.error(`❌ Path not found: ${targetPath}`);
+        process.exit(1);
+    }
+    // Determine output directory
+    const outputDir = options.out ? (0, path_1.resolve)(options.out) : targetPath;
+    if (options.out && !(0, fs_1.existsSync)(outputDir)) {
+        (0, fs_1.mkdirSync)(outputDir, { recursive: true });
+    }
+    if (!quiet) {
+        console.log(`
+╔═══════════════════════════════════════════════════════════════╗
+║                    SERTIVIBED SCANNER v0.1                    ║
+║           Evidence-first Security Screening                   ║
+╚═══════════════════════════════════════════════════════════════╝
+`);
+    }
+    // Determine what to output
+    const skipMarkdown = options.jsonOnly || !options.report;
+    const skipJson = !options.json;
+    const config = {
+        targetPath,
+        verbose: options.verbose && !quiet,
+        outputMd: skipMarkdown ? undefined : options.output,
+        outputJson: skipJson ? undefined : options.json,
+        failOn: options.failOn?.toUpperCase(),
+        quiet,
+    };
+    try {
+        // Run scan
+        if (!quiet) {
+            console.log(`📁 Scanning: ${targetPath}`);
+            console.log("");
+        }
+        const result = await (0, scan_1.scan)(config);
+        // Display summary
+        if (!quiet) {
+            console.log("═══════════════════════════════════════════════════════════════");
+            console.log("                         SUMMARY                                ");
+            console.log("═══════════════════════════════════════════════════════════════");
+            console.log("");
+            console.log(`  🔴 Critical:  ${result.summary.bySeverity.CRITICAL}`);
+            console.log(`  🟠 High:      ${result.summary.bySeverity.HIGH}`);
+            console.log(`  🟡 Medium:    ${result.summary.bySeverity.MEDIUM}`);
+            console.log(`  🟢 Low:       ${result.summary.bySeverity.LOW}`);
+            console.log(`  ⚪ Info:      ${result.summary.bySeverity.INFO}`);
+            console.log("");
+            console.log(`  Total issues: ${result.summary.total}`);
+            console.log(`  Rules checked: ${result.rulesChecked.length}`);
+            console.log(`  Scan time: ${result.meta.scanDurationMs}ms`);
+            console.log("");
+        }
+        // Generate outputs
+        if (config.outputJson) {
+            const jsonPath = (0, path_1.join)(outputDir, config.outputJson);
+            (0, fs_1.writeFileSync)(jsonPath, (0, json_1.generateJsonReport)(result));
+            if (!quiet)
+                console.log(`📄 JSON saved: ${config.outputJson}`);
+        }
+        if (config.outputMd) {
+            const mdPath = (0, path_1.join)(outputDir, config.outputMd);
+            (0, fs_1.writeFileSync)(mdPath, (0, md_1.generateMarkdownReport)(result));
+            if (!quiet)
+                console.log(`📋 Report saved: ${config.outputMd}`);
+        }
+        if (!quiet)
+            console.log("");
+        // Check fail threshold
+        if (config.failOn) {
+            const threshold = types_1.SEVERITY_ORDER[config.failOn];
+            const hasFailure = result.claims.some(c => types_1.SEVERITY_ORDER[c.severity] >= threshold);
+            if (hasFailure) {
+                if (!quiet)
+                    console.log(`❌ Found issues at or above ${config.failOn} severity`);
+                process.exit(1);
+            }
+        }
+        // Final verdict
+        if (!quiet) {
+            const hasCritical = result.summary.bySeverity.CRITICAL > 0;
+            const hasHigh = result.summary.bySeverity.HIGH > 0;
+            if (hasCritical || hasHigh) {
+                console.log("⚠️  Issues found that should be addressed before production.");
+            }
+            else if (result.summary.total > 0) {
+                console.log("ℹ️  Some issues found. Review the report for details.");
+            }
+            else {
+                console.log("✅ No security issues found!");
+            }
+        }
+    }
+    catch (error) {
+        console.error(`❌ Scan failed: ${error}`);
+        process.exit(1);
+    }
+});
+// ============================================
+// LIST RULES COMMAND
+// ============================================
+program
+    .command("rules")
+    .description("List all security rules")
+    .action(() => {
+    const { RULES } = require("./rules/index");
+    console.log("\nSertivibed Security Rules v0.1\n");
+    console.log("═══════════════════════════════════════════════════════════════\n");
+    for (const rule of RULES) {
+        console.log(`${rule.id}: ${rule.title}`);
+        console.log(`  Category: ${rule.category} | Severity: ${rule.severity}`);
+        console.log(`  ${rule.rationale}`);
+        console.log("");
+    }
+});
+// ============================================
+// RUN
+// ============================================
+program.parse();

package/dist/reporters/json.d.ts

@@ -0,0 +1,12 @@
+/**
+ * JSON Reporter
+ *
+ * Eksporterer scan-resultat som JSON for maskinlesing
+ * eller videre prosessering (f.eks. LLM enrichment).
+ */
+import { ScanResult } from "../types";
+export declare function generateJsonReport(result: ScanResult): string;
+/**
+ * Kompakt versjon for API-kall / LLM
+ */
+export declare function generateCompactJson(result: ScanResult): string;

package/dist/reporters/json.js

@@ -0,0 +1,39 @@
+"use strict";
+/**
+ * JSON Reporter
+ *
+ * Eksporterer scan-resultat som JSON for maskinlesing
+ * eller videre prosessering (f.eks. LLM enrichment).
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generateJsonReport = generateJsonReport;
+exports.generateCompactJson = generateCompactJson;
+function generateJsonReport(result) {
+    return JSON.stringify(result, null, 2);
+}
+/**
+ * Kompakt versjon for API-kall / LLM
+ */
+function generateCompactJson(result) {
+    const compact = {
+        project: result.meta.projectName,
+        stack: result.meta.stack,
+        summary: {
+            total: result.summary.total,
+            critical: result.summary.bySeverity.CRITICAL,
+            high: result.summary.bySeverity.HIGH,
+            medium: result.summary.bySeverity.MEDIUM,
+            low: result.summary.bySeverity.LOW,
+        },
+        findings: result.claims.map(c => ({
+            id: c.ruleId,
+            title: c.title,
+            severity: c.severity,
+            impact: c.impactType,
+            statement: c.statement,
+            files: c.evidence.map(e => e.path),
+            fix: c.fixHint,
+        })),
+    };
+    return JSON.stringify(compact, null, 2);
+}

package/dist/reporters/md.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Markdown Reporter
+ *
+ * Genererer profesjonell rapport UTEN LLM.
+ * Alt er deterministisk og basert på claims + evidence.
+ */
+import { ScanResult } from "../types";
+export declare function generateMarkdownReport(result: ScanResult): string;