ship-safe 1.0.0

package/cli/utils/patterns.js

@@ -0,0 +1,265 @@
+/**
+ * Secret Detection Patterns
+ * =========================
+ *
+ * These regex patterns detect common secret formats.
+ * Each pattern includes:
+ *   - name: Human-readable identifier
+ *   - pattern: Regular expression
+ *   - severity: 'critical' | 'high' | 'medium'
+ *   - description: Why this matters
+ *
+ * MAINTENANCE NOTES:
+ * - Patterns should have low false-positive rates
+ * - Test new patterns against real codebases before adding
+ * - Order doesn't matter (all patterns are checked)
+ */
+
+export const SECRET_PATTERNS = [
+  // =========================================================================
+  // CRITICAL: These are almost always real secrets
+  // =========================================================================
+  {
+    name: 'AWS Access Key ID',
+    pattern: /AKIA[0-9A-Z]{16}/g,
+    severity: 'critical',
+    description: 'AWS Access Keys can access your entire AWS account. Rotate immediately if exposed.'
+  },
+  {
+    name: 'AWS Secret Access Key',
+    pattern: /(?:aws_secret_access_key|aws_secret_key)[\s]*[=:][\s]*["']?([A-Za-z0-9/+=]{40})["']?/gi,
+    severity: 'critical',
+    description: 'AWS Secret Keys paired with Access Keys grant full AWS access.'
+  },
+  {
+    name: 'GitHub Personal Access Token',
+    pattern: /ghp_[a-zA-Z0-9]{36}/g,
+    severity: 'critical',
+    description: 'GitHub PATs can access repositories, create commits, and manage settings.'
+  },
+  {
+    name: 'GitHub OAuth Token',
+    pattern: /gho_[a-zA-Z0-9]{36}/g,
+    severity: 'critical',
+    description: 'GitHub OAuth tokens grant authorized application access.'
+  },
+  {
+    name: 'GitHub App Token',
+    pattern: /ghu_[a-zA-Z0-9]{36}|ghs_[a-zA-Z0-9]{36}/g,
+    severity: 'critical',
+    description: 'GitHub App tokens have installation-level access to repositories.'
+  },
+  {
+    name: 'Stripe Live Secret Key',
+    pattern: /sk_live_[a-zA-Z0-9]{24,}/g,
+    severity: 'critical',
+    description: 'Stripe live keys can process real payments and access customer data.'
+  },
+  {
+    name: 'Stripe Live Publishable Key',
+    pattern: /pk_live_[a-zA-Z0-9]{24,}/g,
+    severity: 'high',
+    description: 'Stripe publishable keys are less sensitive but should not be in server code.'
+  },
+  {
+    name: 'Private Key Block',
+    pattern: /-----BEGIN\s+(RSA\s+|EC\s+|DSA\s+|OPENSSH\s+)?PRIVATE\s+KEY-----/g,
+    severity: 'critical',
+    description: 'Private keys enable impersonation and decryption. Never commit these.'
+  },
+
+  // =========================================================================
+  // HIGH: Very likely to be secrets
+  // =========================================================================
+  {
+    name: 'OpenAI API Key',
+    pattern: /sk-[a-zA-Z0-9]{20,}/g,
+    severity: 'high',
+    description: 'OpenAI keys can rack up API charges and access your usage history.'
+  },
+  {
+    name: 'Anthropic API Key',
+    pattern: /sk-ant-[a-zA-Z0-9-]{32,}/g,
+    severity: 'high',
+    description: 'Anthropic API keys grant access to Claude and your usage quota.'
+  },
+  {
+    name: 'Slack Token',
+    pattern: /xox[baprs]-[0-9]{10,13}-[0-9]{10,13}[a-zA-Z0-9-]*/g,
+    severity: 'high',
+    description: 'Slack tokens can read messages, post content, and access workspace data.'
+  },
+  {
+    name: 'Slack Webhook',
+    pattern: /https:\/\/hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/g,
+    severity: 'high',
+    description: 'Slack webhooks allow posting messages to channels.'
+  },
+  {
+    name: 'Discord Webhook',
+    pattern: /https:\/\/discord(?:app)?\.com\/api\/webhooks\/[0-9]+\/[a-zA-Z0-9_-]+/g,
+    severity: 'high',
+    description: 'Discord webhooks allow posting messages to channels.'
+  },
+  {
+    name: 'Discord Bot Token',
+    pattern: /[MN][A-Za-z\d]{23,}\.[\w-]{6}\.[\w-]{27}/g,
+    severity: 'high',
+    description: 'Discord bot tokens grant full control over your bot.'
+  },
+  {
+    name: 'Twilio API Key',
+    pattern: /SK[a-f0-9]{32}/g,
+    severity: 'high',
+    description: 'Twilio keys can send SMS/calls and access account data.'
+  },
+  {
+    name: 'SendGrid API Key',
+    pattern: /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/g,
+    severity: 'high',
+    description: 'SendGrid keys can send emails from your account.'
+  },
+  {
+    name: 'Mailgun API Key',
+    pattern: /key-[a-zA-Z0-9]{32}/g,
+    severity: 'high',
+    description: 'Mailgun keys can send emails and access logs.'
+  },
+  {
+    name: 'Firebase/Google Service Account',
+    pattern: /"type":\s*"service_account"/g,
+    severity: 'high',
+    description: 'Service account JSON files grant broad GCP/Firebase access.'
+  },
+  {
+    name: 'Supabase Service Role Key',
+    pattern: /eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9\.[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+/g,
+    severity: 'high',
+    description: 'Supabase service role keys bypass Row Level Security. Keep server-side only.'
+  },
+  {
+    name: 'Vercel Token',
+    pattern: /vercel_[a-zA-Z0-9]{24}/gi,
+    severity: 'high',
+    description: 'Vercel tokens can deploy and manage your projects.'
+  },
+  {
+    name: 'NPM Token',
+    pattern: /npm_[a-zA-Z0-9]{36}/g,
+    severity: 'high',
+    description: 'NPM tokens can publish packages under your account.'
+  },
+  {
+    name: 'Heroku API Key',
+    pattern: /[hH]eroku.*[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/g,
+    severity: 'high',
+    description: 'Heroku API keys can manage apps and dynos.'
+  },
+  {
+    name: 'DigitalOcean Token',
+    pattern: /dop_v1_[a-f0-9]{64}/g,
+    severity: 'high',
+    description: 'DigitalOcean tokens can manage droplets and resources.'
+  },
+
+  // =========================================================================
+  // MEDIUM: Likely secrets, but may have false positives
+  // =========================================================================
+  {
+    name: 'Generic API Key',
+    pattern: /["']?(?:api[_-]?key|apikey)["']?\s*[:=]\s*["']([a-zA-Z0-9_\-]{16,})["']/gi,
+    severity: 'medium',
+    description: 'Hardcoded API keys should be moved to environment variables.'
+  },
+  {
+    name: 'Generic Secret',
+    pattern: /["']?(?:secret|secret[_-]?key)["']?\s*[:=]\s*["']([a-zA-Z0-9_\-]{16,})["']/gi,
+    severity: 'medium',
+    description: 'Hardcoded secrets should be moved to environment variables.'
+  },
+  {
+    name: 'Password Assignment',
+    pattern: /["']?password["']?\s*[:=]\s*["']([^"']{8,})["']/gi,
+    severity: 'medium',
+    description: 'Hardcoded passwords are a critical vulnerability.'
+  },
+  {
+    name: 'Database URL with Credentials',
+    pattern: /(mongodb|postgres|postgresql|mysql|redis):\/\/[^:]+:[^@]+@[^\s"']+/gi,
+    severity: 'medium',
+    description: 'Database URLs with embedded passwords expose your database.'
+  },
+  {
+    name: 'Bearer Token',
+    pattern: /["']Bearer\s+[a-zA-Z0-9_\-\.=]{20,}["']/gi,
+    severity: 'medium',
+    description: 'Hardcoded bearer tokens should not be in source code.'
+  },
+  {
+    name: 'JWT Token',
+    pattern: /["']?jwt["']?\s*[:=]\s*["']?(eyJ[a-zA-Z0-9_-]*\.eyJ[a-zA-Z0-9_-]*\.[a-zA-Z0-9_-]*)["']?/gi,
+    severity: 'medium',
+    description: 'JWTs in source code may be test tokens, but verify they\'re not production.'
+  },
+  {
+    name: 'Basic Auth Header',
+    pattern: /["']Basic\s+[A-Za-z0-9+/=]{10,}["']/gi,
+    severity: 'medium',
+    description: 'Basic auth headers contain base64-encoded credentials.'
+  }
+];
+
+// =============================================================================
+// FILES AND DIRECTORIES TO SKIP
+// =============================================================================
+
+export const SKIP_DIRS = new Set([
+  'node_modules',
+  '.git',
+  'venv',
+  'env',
+  '.venv',
+  '__pycache__',
+  '.next',
+  '.nuxt',
+  'dist',
+  'build',
+  'out',
+  '.output',
+  'coverage',
+  '.nyc_output',
+  'vendor',
+  '.bundle',
+  '.cache',
+  '.parcel-cache',
+  '.turbo',
+  'bower_components',
+  'jspm_packages',
+  '.vercel',
+  '.netlify',
+  '.serverless'
+]);
+
+export const SKIP_EXTENSIONS = new Set([
+  // Images
+  '.png', '.jpg', '.jpeg', '.gif', '.svg', '.ico', '.webp', '.bmp', '.tiff',
+  // Fonts
+  '.woff', '.woff2', '.ttf', '.eot', '.otf',
+  // Media
+  '.mp3', '.mp4', '.wav', '.avi', '.mov', '.webm', '.ogg',
+  // Archives
+  '.zip', '.tar', '.gz', '.rar', '.7z', '.bz2',
+  // Documents
+  '.pdf', '.doc', '.docx', '.xls', '.xlsx', '.ppt', '.pptx',
+  // Lock files (usually very large and auto-generated)
+  '.lock',
+  // Minified files
+  '.min.js', '.min.css',
+  // Binaries
+  '.exe', '.dll', '.so', '.dylib', '.bin', '.o', '.a',
+  // Maps
+  '.map'
+]);
+
+// Maximum file size to scan (1MB)
+export const MAX_FILE_SIZE = 1_000_000;

package/configs/nextjs-security-headers.js

@@ -0,0 +1,220 @@
+/**
+ * Ship Safe - Next.js Security Headers Configuration
+ * ===================================================
+ *
+ * Drop this into your next.config.js to add essential security headers.
+ *
+ * WHY THESE HEADERS MATTER:
+ * Without security headers, your app is vulnerable to:
+ * - Clickjacking (your site loaded in malicious iframes)
+ * - XSS attacks (malicious scripts injected into your pages)
+ * - MIME sniffing (browsers misinterpreting file types)
+ * - Protocol downgrade attacks (HTTPS -> HTTP)
+ *
+ * HOW TO USE:
+ * 1. Copy this file to your Next.js project root
+ * 2. Import and spread into your next.config.js (see example at bottom)
+ *
+ * TEST YOUR HEADERS:
+ * After deploying, check your score at: https://securityheaders.com
+ */
+
+const securityHeaders = [
+  // ==========================================================================
+  // CLICKJACKING PROTECTION
+  // ==========================================================================
+  {
+    key: 'X-Frame-Options',
+    value: 'DENY'
+    // WHAT: Prevents your site from being embedded in iframes
+    // WHY: Attackers could overlay invisible buttons on your site (clickjacking)
+    // OPTIONS:
+    //   'DENY' - Never allow framing (most secure)
+    //   'SAMEORIGIN' - Only allow framing by your own site
+    // NOTE: Use 'SAMEORIGIN' if you need iframes for your own features
+  },
+
+  // ==========================================================================
+  // XSS PROTECTION
+  // ==========================================================================
+  {
+    key: 'X-XSS-Protection',
+    value: '1; mode=block'
+    // WHAT: Enables browser's built-in XSS filter
+    // WHY: Adds a layer of defense against reflected XSS attacks
+    // NOTE: Modern browsers use CSP instead, but this helps older browsers
+  },
+  {
+    key: 'X-Content-Type-Options',
+    value: 'nosniff'
+    // WHAT: Prevents browsers from MIME-sniffing (guessing file types)
+    // WHY: Attackers could trick browsers into executing malicious content
+    //      by serving scripts with incorrect MIME types
+  },
+
+  // ==========================================================================
+  // HTTPS ENFORCEMENT
+  // ==========================================================================
+  {
+    key: 'Strict-Transport-Security',
+    value: 'max-age=31536000; includeSubDomains; preload'
+    // WHAT: Forces browsers to always use HTTPS for your site
+    // WHY: Prevents protocol downgrade attacks and cookie hijacking
+    // BREAKDOWN:
+    //   max-age=31536000 - Remember for 1 year (in seconds)
+    //   includeSubDomains - Apply to all subdomains too
+    //   preload - Allow inclusion in browser's HSTS preload list
+    // WARNING: Only enable 'preload' if you're CERTAIN all subdomains support HTTPS
+  },
+
+  // ==========================================================================
+  // REFERRER POLICY
+  // ==========================================================================
+  {
+    key: 'Referrer-Policy',
+    value: 'strict-origin-when-cross-origin'
+    // WHAT: Controls how much referrer info is sent to other sites
+    // WHY: Prevents leaking sensitive URLs (with tokens, user IDs, etc.)
+    // THIS SETTING: Send origin only (not full URL) for cross-origin requests
+    // OPTIONS:
+    //   'no-referrer' - Never send referrer (most private, may break analytics)
+    //   'strict-origin' - Only send origin, never on HTTP downgrade
+    //   'strict-origin-when-cross-origin' - Full URL same-site, origin cross-site
+  },
+
+  // ==========================================================================
+  // PERMISSIONS POLICY (formerly Feature-Policy)
+  // ==========================================================================
+  {
+    key: 'Permissions-Policy',
+    value: 'camera=(), microphone=(), geolocation=(), interest-cohort=()'
+    // WHAT: Disables browser features you don't need
+    // WHY: Reduces attack surface; malicious scripts can't access these APIs
+    // THIS SETTING: Disables camera, mic, location, and FLoC tracking
+    // CUSTOMIZE: If you need camera/mic (e.g., for video chat), update this:
+    //   camera=(self) - Allow camera only from your own origin
+    //   microphone=(self "https://trusted-site.com") - Allow from specific origins
+  },
+
+  // ==========================================================================
+  // CONTENT SECURITY POLICY (CSP)
+  // ==========================================================================
+  // CSP is your most powerful defense against XSS attacks.
+  // It tells the browser exactly which resources are allowed to load.
+  //
+  // WARNING: CSP can break your site if misconfigured!
+  // Start with 'Content-Security-Policy-Report-Only' to test without blocking.
+  {
+    key: 'Content-Security-Policy',
+    value: [
+      // DEFAULT: Block everything not explicitly allowed
+      "default-src 'self'",
+
+      // SCRIPTS: Only from your domain + inline scripts (needed for Next.js)
+      // NOTE: 'unsafe-inline' is needed for Next.js. For maximum security,
+      // use nonces instead (requires custom server setup)
+      "script-src 'self' 'unsafe-inline' 'unsafe-eval'",
+
+      // STYLES: Your domain + inline styles (needed for most CSS-in-JS)
+      "style-src 'self' 'unsafe-inline'",
+
+      // IMAGES: Your domain + data URIs + common CDNs
+      // ADD your image CDN here if needed (e.g., images.unsplash.com)
+      "img-src 'self' data: blob: https:",
+
+      // FONTS: Your domain + Google Fonts
+      "font-src 'self' https://fonts.gstatic.com",
+
+      // CONNECTIONS (fetch, WebSocket, etc.): Your domain + your API
+      // ADD your API domains here
+      "connect-src 'self' https://api.openai.com https://api.anthropic.com",
+
+      // FRAMES: Block all iframes by default
+      // Change to 'self' if you need iframes from your own domain
+      "frame-src 'none'",
+
+      // PREVENT your site from being framed
+      "frame-ancestors 'none'",
+
+      // FORMS: Only submit to your own domain
+      "form-action 'self'",
+
+      // BASE URI: Prevent base tag injection
+      "base-uri 'self'",
+
+      // UPGRADE insecure requests to HTTPS
+      "upgrade-insecure-requests",
+    ].join('; ')
+    //
+    // DEBUGGING CSP:
+    // 1. Open browser DevTools > Console
+    // 2. Look for "Refused to load..." errors
+    // 3. Add the blocked domain to the appropriate directive
+    //
+    // COMMON ADDITIONS:
+    // - Google Analytics: Add to script-src and connect-src
+    //   script-src: https://www.googletagmanager.com
+    //   connect-src: https://www.google-analytics.com
+    // - Stripe:
+    //   script-src: https://js.stripe.com
+    //   frame-src: https://js.stripe.com
+  },
+];
+
+/**
+ * Export the headers configuration for next.config.js
+ *
+ * USAGE IN next.config.js:
+ *
+ * const { securityHeadersConfig } = require('./nextjs-security-headers');
+ *
+ * module.exports = {
+ *   ...securityHeadersConfig,
+ *   // your other config options...
+ * };
+ *
+ * OR for ES modules (next.config.mjs):
+ *
+ * import { securityHeadersConfig } from './nextjs-security-headers.js';
+ *
+ * export default {
+ *   ...securityHeadersConfig,
+ *   // your other config options...
+ * };
+ */
+const securityHeadersConfig = {
+  async headers() {
+    return [
+      {
+        // Apply to all routes
+        source: '/:path*',
+        headers: securityHeaders,
+      },
+    ];
+  },
+};
+
+// =============================================================================
+// COMPLETE EXAMPLE: next.config.js
+// =============================================================================
+/*
+// next.config.js (CommonJS)
+const { securityHeadersConfig } = require('./nextjs-security-headers');
+
+module.exports = {
+  ...securityHeadersConfig,
+  reactStrictMode: true,
+  // ... your other config
+};
+
+// OR next.config.mjs (ES Modules)
+import { securityHeadersConfig } from './nextjs-security-headers.js';
+
+export default {
+  ...securityHeadersConfig,
+  reactStrictMode: true,
+  // ... your other config
+};
+*/
+
+module.exports = { securityHeaders, securityHeadersConfig };

package/package.json

@@ -0,0 +1,54 @@
+{
+  "name": "ship-safe",
+  "version": "1.0.0",
+  "description": "Security toolkit for vibe coders and indie hackers. Secure your MVP in 5 minutes.",
+  "main": "cli/index.js",
+  "bin": {
+    "ship-safe": "cli/bin/ship-safe.js"
+  },
+  "type": "module",
+  "scripts": {
+    "test": "node --test",
+    "lint": "eslint cli/",
+    "ship-safe": "node cli/bin/ship-safe.js"
+  },
+  "keywords": [
+    "security",
+    "secrets",
+    "scanner",
+    "devops",
+    "devsecops",
+    "api-keys",
+    "gitignore",
+    "indie-hacker",
+    "vibe-coding",
+    "mvp",
+    "cli"
+  ],
+  "author": "",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/asamassekou10/ship-safe.git"
+  },
+  "bugs": {
+    "url": "https://github.com/asamassekou10/ship-safe/issues"
+  },
+  "homepage": "https://github.com/asamassekou10/ship-safe#readme",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "files": [
+    "cli/",
+    "checklists/",
+    "configs/",
+    "snippets/",
+    "ai-defense/"
+  ],
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "glob": "^10.3.10",
+    "ora": "^8.0.1"
+  }
+}

package/snippets/README.md

@@ -0,0 +1,58 @@
+# Security Snippets
+
+**Copy-paste code blocks for common security patterns.**
+
+This folder contains drop-in code snippets for securing your application. Each snippet is heavily commented to explain *why* it works.
+
+---
+
+## Coming Soon
+
+- **Rate Limiting**
+  - Express.js middleware
+  - Next.js API route wrapper
+  - Upstash Redis implementation
+
+- **Authentication**
+  - Secure session configuration
+  - JWT validation middleware
+  - OAuth state parameter handling
+
+- **Input Validation**
+  - Zod schemas for common patterns
+  - SQL injection prevention
+  - XSS sanitization
+
+- **API Security**
+  - CORS configuration
+  - API key validation
+  - Webhook signature verification (Stripe, GitHub)
+
+---
+
+## Contributing
+
+Have a security snippet that saved your app? Add it here!
+
+1. Create a new file: `snippets/your-snippet-name.{js,ts,py}`
+2. Add extensive comments explaining:
+   - What attack this prevents
+   - How to integrate it
+   - Common gotchas
+3. Open a PR
+
+---
+
+## Usage Pattern
+
+Each snippet follows this format:
+
+```
+// =============================================================================
+// WHAT: Brief description
+// WHY: What attack/vulnerability this prevents
+// HOW: Integration instructions
+// =============================================================================
+
+[actual code with inline comments]
+```