ship-safe 1.0.0

package/cli/commands/scan.js

@@ -0,0 +1,261 @@
+/**
+ * Scan Command
+ * ============
+ *
+ * Scans a directory for leaked secrets using pattern matching.
+ *
+ * USAGE:
+ *   ship-safe scan [path]     Scan specified path (default: current directory)
+ *   ship-safe scan . -v       Verbose mode (show files being scanned)
+ *   ship-safe scan . --json   Output as JSON (for CI integration)
+ *
+ * EXIT CODES:
+ *   0 - No secrets found
+ *   1 - Secrets found (or error)
+ *
+ * This allows CI pipelines to fail builds when secrets are detected.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { glob } from 'glob';
+import ora from 'ora';
+import chalk from 'chalk';
+import {
+  SECRET_PATTERNS,
+  SKIP_DIRS,
+  SKIP_EXTENSIONS,
+  MAX_FILE_SIZE
+} from '../utils/patterns.js';
+import * as output from '../utils/output.js';
+
+// =============================================================================
+// MAIN SCAN FUNCTION
+// =============================================================================
+
+export async function scanCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+
+  // Validate path exists
+  if (!fs.existsSync(absolutePath)) {
+    output.error(`Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+
+  // Start spinner
+  const spinner = ora({
+    text: 'Scanning for secrets...',
+    color: 'cyan'
+  }).start();
+
+  try {
+    // Find all files
+    const files = await findFiles(absolutePath, options.verbose);
+    spinner.text = `Scanning ${files.length} files...`;
+
+    // Scan each file
+    const results = [];
+    let scannedCount = 0;
+
+    for (const file of files) {
+      const findings = await scanFile(file);
+      if (findings.length > 0) {
+        results.push({ file, findings });
+      }
+
+      scannedCount++;
+      if (options.verbose) {
+        spinner.text = `Scanned ${scannedCount}/${files.length}: ${path.relative(absolutePath, file)}`;
+      }
+    }
+
+    spinner.stop();
+
+    // Output results
+    if (options.json) {
+      outputJSON(results, files.length);
+    } else {
+      outputPretty(results, files.length, absolutePath);
+    }
+
+    // Exit with appropriate code
+    const hasFindings = results.length > 0;
+    process.exit(hasFindings ? 1 : 0);
+
+  } catch (err) {
+    spinner.fail('Scan failed');
+    output.error(err.message);
+    process.exit(1);
+  }
+}
+
+// =============================================================================
+// FILE DISCOVERY
+// =============================================================================
+
+async function findFiles(rootPath, verbose = false) {
+  // Build ignore patterns from SKIP_DIRS
+  const ignorePatterns = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
+
+  // Find all files
+  const files = await glob('**/*', {
+    cwd: rootPath,
+    absolute: true,
+    nodir: true,
+    ignore: ignorePatterns,
+    dot: true  // Include dotfiles (but not .git which is ignored)
+  });
+
+  // Filter by extension and size
+  const filtered = [];
+
+  for (const file of files) {
+    // Skip by extension
+    const ext = path.extname(file).toLowerCase();
+    if (SKIP_EXTENSIONS.has(ext)) {
+      continue;
+    }
+
+    // Handle compound extensions like .min.js
+    const basename = path.basename(file);
+    if (basename.endsWith('.min.js') || basename.endsWith('.min.css')) {
+      continue;
+    }
+
+    // Skip by size
+    try {
+      const stats = fs.statSync(file);
+      if (stats.size > MAX_FILE_SIZE) {
+        if (verbose) {
+          console.log(chalk.gray(`  Skipping (too large): ${file}`));
+        }
+        continue;
+      }
+    } catch {
+      continue;
+    }
+
+    filtered.push(file);
+  }
+
+  return filtered;
+}
+
+// =============================================================================
+// FILE SCANNING
+// =============================================================================
+
+async function scanFile(filePath) {
+  const findings = [];
+
+  try {
+    const content = fs.readFileSync(filePath, 'utf-8');
+    const lines = content.split('\n');
+
+    // Check each pattern against each line
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+      const line = lines[lineNum];
+
+      for (const pattern of SECRET_PATTERNS) {
+        // Reset regex state (important for global regexes)
+        pattern.pattern.lastIndex = 0;
+
+        let match;
+        while ((match = pattern.pattern.exec(line)) !== null) {
+          findings.push({
+            line: lineNum + 1,
+            column: match.index + 1,
+            matched: match[0],
+            patternName: pattern.name,
+            severity: pattern.severity,
+            description: pattern.description
+          });
+        }
+      }
+    }
+  } catch (err) {
+    // Skip files that can't be read (binary, permissions, etc.)
+  }
+
+  return findings;
+}
+
+// =============================================================================
+// OUTPUT FORMATTING
+// =============================================================================
+
+function outputPretty(results, filesScanned, rootPath) {
+  // Calculate stats
+  const stats = {
+    total: 0,
+    critical: 0,
+    high: 0,
+    medium: 0,
+    filesScanned
+  };
+
+  for (const { findings } of results) {
+    for (const f of findings) {
+      stats.total++;
+      stats[f.severity]++;
+    }
+  }
+
+  // Print header
+  output.header('Scan Results');
+
+  if (results.length === 0) {
+    output.success('No secrets detected in your codebase!');
+    console.log();
+    console.log(chalk.gray('Note: This scanner uses pattern matching and may miss some secrets.'));
+    console.log(chalk.gray('Consider also using: gitleaks, trufflehog, or detect-secrets'));
+  } else {
+    // Print findings grouped by file
+    for (const { file, findings } of results) {
+      const relPath = path.relative(rootPath, file);
+
+      for (const f of findings) {
+        output.finding(
+          relPath,
+          f.line,
+          f.patternName,
+          f.severity,
+          f.matched,
+          f.description
+        );
+      }
+    }
+
+    // Print recommendations
+    output.recommendations();
+  }
+
+  // Print summary
+  output.summary(stats);
+}
+
+function outputJSON(results, filesScanned) {
+  const jsonOutput = {
+    success: results.length === 0,
+    filesScanned,
+    totalFindings: 0,
+    findings: []
+  };
+
+  for (const { file, findings } of results) {
+    for (const f of findings) {
+      jsonOutput.totalFindings++;
+      jsonOutput.findings.push({
+        file,
+        line: f.line,
+        column: f.column,
+        severity: f.severity,
+        type: f.patternName,
+        matched: output.maskSecret(f.matched),
+        description: f.description
+      });
+    }
+  }
+
+  console.log(JSON.stringify(jsonOutput, null, 2));
+}

package/cli/index.js

@@ -0,0 +1,12 @@
+/**
+ * Ship Safe CLI - Module Entry Point
+ * ===================================
+ *
+ * This file exports the CLI commands for programmatic use.
+ * For normal CLI usage, run: npx ship-safe
+ */
+
+export { scanCommand } from './commands/scan.js';
+export { checklistCommand } from './commands/checklist.js';
+export { initCommand } from './commands/init.js';
+export { SECRET_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';

package/cli/utils/output.js

@@ -0,0 +1,177 @@
+/**
+ * Output Utilities
+ * ================
+ *
+ * Consistent, pretty terminal output for the CLI.
+ * Uses chalk for colors and provides helper functions
+ * for common output patterns.
+ */
+
+import chalk from 'chalk';
+
+// =============================================================================
+// SEVERITY COLORS
+// =============================================================================
+
+export const severityColors = {
+  critical: chalk.bgRed.white.bold,
+  high: chalk.red.bold,
+  medium: chalk.yellow,
+  low: chalk.blue
+};
+
+export const severityIcons = {
+  critical: '\u2620\ufe0f ',  // skull
+  high: '\u26a0\ufe0f ',      // warning
+  medium: '\u26a1',           // lightning
+  low: '\u2139\ufe0f '        // info
+};
+
+// =============================================================================
+// OUTPUT HELPERS
+// =============================================================================
+
+/**
+ * Print a section header
+ */
+export function header(text) {
+  console.log();
+  console.log(chalk.cyan.bold('='.repeat(60)));
+  console.log(chalk.cyan.bold(`  ${text}`));
+  console.log(chalk.cyan.bold('='.repeat(60)));
+}
+
+/**
+ * Print a subheader
+ */
+export function subheader(text) {
+  console.log();
+  console.log(chalk.white.bold(text));
+  console.log(chalk.gray('-'.repeat(text.length)));
+}
+
+/**
+ * Print a success message
+ */
+export function success(text) {
+  console.log(chalk.green('\u2714 ') + text);
+}
+
+/**
+ * Print a warning message
+ */
+export function warning(text) {
+  console.log(chalk.yellow('\u26a0 ') + text);
+}
+
+/**
+ * Print an error message
+ */
+export function error(text) {
+  console.log(chalk.red('\u2718 ') + text);
+}
+
+/**
+ * Print an info message
+ */
+export function info(text) {
+  console.log(chalk.blue('\u2139 ') + text);
+}
+
+/**
+ * Print a finding (secret detected)
+ */
+export function finding(file, line, patternName, severity, matched, description) {
+  const color = severityColors[severity] || chalk.white;
+  const icon = severityIcons[severity] || '';
+
+  console.log();
+  console.log(chalk.white.bold(`${file}:${line}`));
+  console.log(`  ${icon}${color(`[${severity.toUpperCase()}]`)} ${chalk.white(patternName)}`);
+  console.log(`  ${chalk.gray('Found:')} ${chalk.yellow(maskSecret(matched))}`);
+  console.log(`  ${chalk.gray('Why:')} ${description}`);
+}
+
+/**
+ * Mask the middle of a secret for safe display
+ */
+export function maskSecret(secret) {
+  if (secret.length <= 10) {
+    return secret.substring(0, 3) + '***';
+  }
+  return secret.substring(0, 6) + '***' + secret.substring(secret.length - 4);
+}
+
+/**
+ * Print a summary box
+ */
+export function summary(stats) {
+  console.log();
+  console.log(chalk.cyan('='.repeat(60)));
+
+  if (stats.total === 0) {
+    console.log(chalk.green.bold('  \u2714 No secrets detected!'));
+  } else {
+    console.log(chalk.red.bold(`  \u26a0 Found ${stats.total} potential secret(s)`));
+
+    if (stats.critical > 0) {
+      console.log(chalk.red(`    \u2022 Critical: ${stats.critical}`));
+    }
+    if (stats.high > 0) {
+      console.log(chalk.red(`    \u2022 High: ${stats.high}`));
+    }
+    if (stats.medium > 0) {
+      console.log(chalk.yellow(`    \u2022 Medium: ${stats.medium}`));
+    }
+  }
+
+  console.log(chalk.gray(`  Files scanned: ${stats.filesScanned}`));
+  console.log(chalk.cyan('='.repeat(60)));
+}
+
+/**
+ * Print recommended actions after finding secrets
+ */
+export function recommendations() {
+  console.log();
+  console.log(chalk.cyan.bold('Recommended Actions:'));
+  console.log();
+  console.log(chalk.white('1.') + ' Move secrets to environment variables (.env file)');
+  console.log(chalk.white('2.') + ' Add .env to your .gitignore');
+  console.log(chalk.white('3.') + chalk.yellow(' If already committed:'));
+  console.log(chalk.gray('   \u2022 Rotate the compromised credentials immediately'));
+  console.log(chalk.gray('   \u2022 Use git-filter-repo or BFG Repo-Cleaner to remove from history'));
+  console.log(chalk.gray('   \u2022 Remember: deleting doesn\'t remove git history!'));
+  console.log();
+  console.log(chalk.white('4.') + ' Set up pre-commit hooks to catch this automatically:');
+  console.log(chalk.gray('   npm install --save-dev husky'));
+  console.log(chalk.gray('   npx husky add .husky/pre-commit "npx ship-safe scan ."'));
+  console.log();
+}
+
+/**
+ * Print a checklist item
+ */
+export function checklistItem(number, title, checked = null) {
+  const checkbox = checked === null
+    ? chalk.gray('[ ]')
+    : checked
+      ? chalk.green('[\u2714]')
+      : chalk.red('[\u2718]');
+
+  console.log(`${checkbox} ${chalk.white.bold(`${number}.`)} ${title}`);
+}
+
+/**
+ * Print progress (for verbose mode)
+ */
+export function progress(text) {
+  process.stdout.write(chalk.gray(`\r${text}`));
+}
+
+/**
+ * Clear the current line
+ */
+export function clearLine() {
+  process.stdout.write('\r' + ' '.repeat(80) + '\r');
+}