ship-safe 1.0.1 → 3.0.0

package/cli/commands/fix.js

@@ -0,0 +1,216 @@
+/**
+ * Fix Command
+ * ===========
+ *
+ * Scans for secrets and generates a .env.example file with placeholder values.
+ * Also shows a summary of what to move to environment variables.
+ *
+ * USAGE:
+ *   ship-safe fix             Scan and generate .env.example
+ *   ship-safe fix --dry-run   Preview what would be generated (don't write file)
+ */
+
+import fs from 'fs';
+import path from 'path';
+import ora from 'ora';
+import chalk from 'chalk';
+import {
+  SECRET_PATTERNS,
+  SKIP_DIRS,
+  SKIP_EXTENSIONS,
+  TEST_FILE_PATTERNS,
+  MAX_FILE_SIZE
+} from '../utils/patterns.js';
+import { isHighEntropyMatch } from '../utils/entropy.js';
+import { glob } from 'glob';
+import * as output from '../utils/output.js';
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function fixCommand(options = {}) {
+  const cwd = process.cwd();
+
+  const spinner = ora({ text: 'Scanning for secrets...', color: 'cyan' }).start();
+
+  try {
+    const files = await findFiles(cwd);
+    const results = [];
+
+    for (const file of files) {
+      const findings = await scanFile(file);
+      if (findings.length > 0) {
+        results.push({ file, findings });
+      }
+    }
+
+    spinner.stop();
+
+    if (results.length === 0) {
+      output.success('No secrets found — nothing to fix!');
+      console.log(chalk.gray('\nYour codebase looks clean. Keep it that way with:'));
+      console.log(chalk.gray('  npx ship-safe guard   # Block pushes if secrets are found'));
+      return;
+    }
+
+    // Build env var suggestions from findings
+    const envVars = buildEnvVarSuggestions(results);
+
+    output.header('Fix Report');
+    printFindings(results, cwd);
+    printEnvExample(envVars, options.dryRun);
+
+  } catch (err) {
+    spinner.fail('Fix scan failed');
+    output.error(err.message);
+    process.exit(1);
+  }
+}
+
+// =============================================================================
+// SCAN (same logic as scan command, reused here)
+// =============================================================================
+
+async function findFiles(rootPath) {
+  const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
+  const files = await glob('**/*', {
+    cwd: rootPath, absolute: true, nodir: true, ignore: globIgnore, dot: true
+  });
+
+  const filtered = [];
+  for (const file of files) {
+    const ext = path.extname(file).toLowerCase();
+    if (SKIP_EXTENSIONS.has(ext)) continue;
+    const basename = path.basename(file);
+    if (basename.endsWith('.min.js') || basename.endsWith('.min.css')) continue;
+    if (TEST_FILE_PATTERNS.some(p => p.test(file))) continue;
+    if (basename === '.env.example') continue; // Don't scan example files
+    try {
+      const stats = fs.statSync(file);
+      if (stats.size > MAX_FILE_SIZE) continue;
+    } catch { continue; }
+    filtered.push(file);
+  }
+  return filtered;
+}
+
+async function scanFile(filePath) {
+  const findings = [];
+  try {
+    const content = fs.readFileSync(filePath, 'utf-8');
+    const lines = content.split('\n');
+
+    for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+      const line = lines[lineNum];
+      if (/ship-safe-ignore/i.test(line)) continue;
+
+      for (const pattern of SECRET_PATTERNS) {
+        pattern.pattern.lastIndex = 0;
+        let match;
+        while ((match = pattern.pattern.exec(line)) !== null) {
+          if (pattern.requiresEntropyCheck && !isHighEntropyMatch(match[0])) continue;
+          findings.push({
+            line: lineNum + 1,
+            matched: match[0],
+            patternName: pattern.name,
+            severity: pattern.severity,
+          });
+        }
+      }
+    }
+  } catch {}
+  return findings;
+}
+
+// =============================================================================
+// ENV VAR GENERATION
+// =============================================================================
+
+function buildEnvVarSuggestions(results) {
+  const seen = new Set();
+  const vars = [];
+
+  for (const { findings } of results) {
+    for (const f of findings) {
+      const varName = patternToEnvVar(f.patternName);
+      if (!seen.has(varName)) {
+        seen.add(varName);
+        vars.push({ name: varName, comment: f.patternName });
+      }
+    }
+  }
+
+  return vars;
+}
+
+/**
+ * Convert a pattern name to a sensible env var name.
+ * e.g. "OpenAI API Key" → "OPENAI_API_KEY"
+ */
+function patternToEnvVar(patternName) {
+  return patternName
+    .toUpperCase()
+    .replace(/[^A-Z0-9\s]/g, '')
+    .trim()
+    .replace(/\s+/g, '_');
+}
+
+// =============================================================================
+// OUTPUT
+// =============================================================================
+
+function printFindings(results, rootPath) {
+  const total = results.reduce((sum, r) => sum + r.findings.length, 0);
+  console.log(chalk.red.bold(`\n  Found ${total} secret(s) across ${results.length} file(s)\n`));
+
+  for (const { file, findings } of results) {
+    const relPath = path.relative(rootPath, file);
+    console.log(chalk.white.bold(`  ${relPath}`));
+    for (const f of findings) {
+      console.log(chalk.gray(`    Line ${f.line}: `) + chalk.yellow(f.patternName));
+    }
+  }
+}
+
+function printEnvExample(envVars, dryRun) {
+  const lines = [
+    '# .env.example',
+    '# Generated by ship-safe — replace placeholder values with your actual secrets.',
+    '# Copy this file to .env and fill in the values.',
+    '# NEVER commit .env — only commit .env.example',
+    '',
+  ];
+
+  for (const { name, comment } of envVars) {
+    lines.push(`# ${comment}`);
+    lines.push(`${name}=your_${name.toLowerCase()}_here`);
+    lines.push('');
+  }
+
+  const content = lines.join('\n');
+
+  output.header(dryRun ? '.env.example Preview (dry run)' : 'Generated .env.example');
+  console.log();
+  console.log(chalk.gray(content));
+
+  if (!dryRun) {
+    const envExamplePath = path.join(process.cwd(), '.env.example');
+
+    if (fs.existsSync(envExamplePath)) {
+      output.warning('.env.example already exists — skipping. Use --force to overwrite.');
+    } else {
+      fs.writeFileSync(envExamplePath, content);
+      output.success('Created .env.example');
+    }
+
+    console.log();
+    console.log(chalk.cyan.bold('Next steps:'));
+    console.log(chalk.white('1.') + chalk.gray(' Copy .env.example to .env'));
+    console.log(chalk.white('2.') + chalk.gray(' Replace placeholder values with your real secrets'));
+    console.log(chalk.white('3.') + chalk.gray(' Remove the hardcoded values from your source code'));
+    console.log(chalk.white('4.') + chalk.gray(' Verify .env is in your .gitignore'));
+    console.log(chalk.white('5.') + chalk.gray(' Run npx ship-safe scan . to confirm clean'));
+    console.log();
+  }
+}

package/cli/commands/guard.js

@@ -0,0 +1,297 @@
+/**
+ * Guard Command
+ * =============
+ *
+ * Installs a git pre-push hook that runs ship-safe scan before every push.
+ * If secrets are found, the push is blocked.
+ *
+ * USAGE:
+ *   ship-safe guard                    Install pre-push hook
+ *   ship-safe guard --pre-commit       Install pre-commit hook instead
+ *   ship-safe guard remove             Remove installed hooks
+ *
+ * HUSKY SUPPORT:
+ *   If a .husky/ directory is detected, the hook is added there instead.
+ *   Otherwise it goes directly into .git/hooks/.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import * as output from '../utils/output.js';
+
+// =============================================================================
+// HOOK SCRIPTS
+// =============================================================================
+
+const PRE_PUSH_HOOK = `#!/bin/sh
+# ship-safe pre-push hook
+# Scans for leaked secrets before every git push.
+# Remove this hook with: npx ship-safe guard remove
+
+echo ""
+echo "🔍 ship-safe: Scanning for secrets before push..."
+
+npx --yes ship-safe scan . --json > /tmp/ship-safe-scan.json 2>/dev/null
+
+if [ $? -ne 0 ]; then
+  echo ""
+  echo "❌ ship-safe: Secrets detected! Push blocked."
+  echo ""
+  echo "Run 'npx ship-safe scan .' to see details."
+  echo "Fix the issues, then push again."
+  echo ""
+  echo "To skip this check (not recommended):"
+  echo "  git push --no-verify"
+  echo ""
+  rm -f /tmp/ship-safe-scan.json
+  exit 1
+fi
+
+echo "✅ ship-safe: No secrets detected. Pushing..."
+rm -f /tmp/ship-safe-scan.json
+exit 0
+`;
+
+const PRE_COMMIT_HOOK = `#!/bin/sh
+# ship-safe pre-commit hook
+# Scans staged files for leaked secrets before every commit.
+# Remove this hook with: npx ship-safe guard remove
+
+echo ""
+echo "🔍 ship-safe: Scanning for secrets before commit..."
+
+npx --yes ship-safe scan . --json > /tmp/ship-safe-scan.json 2>/dev/null
+
+if [ $? -ne 0 ]; then
+  echo ""
+  echo "❌ ship-safe: Secrets detected! Commit blocked."
+  echo ""
+  echo "Run 'npx ship-safe scan .' to see details."
+  echo "Fix the issues, then commit again."
+  echo ""
+  echo "To skip this check (not recommended):"
+  echo "  git commit --no-verify"
+  echo ""
+  rm -f /tmp/ship-safe-scan.json
+  exit 1
+fi
+
+echo "✅ ship-safe: No secrets detected. Committing..."
+rm -f /tmp/ship-safe-scan.json
+exit 0
+`;
+
+const HUSKY_PRE_PUSH = `#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+echo ""
+echo "🔍 ship-safe: Scanning for secrets before push..."
+
+npx ship-safe scan . --json > /tmp/ship-safe-scan.json 2>/dev/null
+
+if [ $? -ne 0 ]; then
+  echo ""
+  echo "❌ ship-safe: Secrets detected! Push blocked."
+  echo "Run 'npx ship-safe scan .' to see details."
+  rm -f /tmp/ship-safe-scan.json
+  exit 1
+fi
+
+echo "✅ ship-safe: No secrets detected."
+rm -f /tmp/ship-safe-scan.json
+`;
+
+const HUSKY_PRE_COMMIT = `#!/usr/bin/env sh
+. "$(dirname -- "$0")/_/husky.sh"
+
+echo ""
+echo "🔍 ship-safe: Scanning for secrets before commit..."
+
+npx ship-safe scan . --json > /tmp/ship-safe-scan.json 2>/dev/null
+
+if [ $? -ne 0 ]; then
+  echo ""
+  echo "❌ ship-safe: Secrets detected! Commit blocked."
+  echo "Run 'npx ship-safe scan .' to see details."
+  rm -f /tmp/ship-safe-scan.json
+  exit 1
+fi
+
+echo "✅ ship-safe: No secrets detected."
+rm -f /tmp/ship-safe-scan.json
+`;
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function guardCommand(action, options = {}) {
+  const cwd = process.cwd();
+
+  // Verify this is a git repo
+  const gitDir = findGitDir(cwd);
+  if (!gitDir) {
+    output.error('Not a git repository. Run this from your project root.');
+    process.exit(1);
+  }
+
+  if (action === 'remove') {
+    return removeHooks(gitDir, cwd);
+  }
+
+  return installHook(gitDir, cwd, options);
+}
+
+// =============================================================================
+// INSTALL
+// =============================================================================
+
+function installHook(gitDir, cwd, options) {
+  const hookType = options.preCommit ? 'pre-commit' : 'pre-push';
+  const hookScript = options.preCommit ? PRE_COMMIT_HOOK : PRE_PUSH_HOOK;
+  const huskyScript = options.preCommit ? HUSKY_PRE_COMMIT : HUSKY_PRE_PUSH;
+
+  output.header('Installing ship-safe Guard');
+
+  // Check for Husky
+  const huskyDir = path.join(cwd, '.husky');
+  const useHusky = fs.existsSync(huskyDir);
+
+  if (useHusky) {
+    installHuskyHook(huskyDir, hookType, huskyScript);
+  } else {
+    installGitHook(gitDir, hookType, hookScript);
+  }
+
+  console.log();
+  console.log(chalk.gray('What happens now:'));
+  console.log(chalk.gray(`  Every git ${hookType === 'pre-push' ? 'push' : 'commit'} will run ship-safe scan`));
+  console.log(chalk.gray('  If secrets are found, the operation is blocked'));
+  console.log(chalk.gray('  Use --no-verify to skip (not recommended)'));
+  console.log();
+  console.log(chalk.gray('To remove: npx ship-safe guard remove'));
+}
+
+function installGitHook(gitDir, hookType, script) {
+  const hooksDir = path.join(gitDir, 'hooks');
+  const hookPath = path.join(hooksDir, hookType);
+
+  // Ensure hooks directory exists
+  if (!fs.existsSync(hooksDir)) {
+    fs.mkdirSync(hooksDir, { recursive: true });
+  }
+
+  // Check if hook already exists (not from ship-safe)
+  if (fs.existsSync(hookPath)) {
+    const existing = fs.readFileSync(hookPath, 'utf-8');
+    if (!existing.includes('ship-safe')) {
+      output.warning(`Existing ${hookType} hook found. Appending ship-safe check.`);
+      fs.appendFileSync(hookPath, '\n' + script);
+      output.success(`Appended to .git/hooks/${hookType}`);
+      return;
+    }
+    output.warning(`ship-safe guard already installed in .git/hooks/${hookType}`);
+    return;
+  }
+
+  fs.writeFileSync(hookPath, script);
+  // Make executable (chmod +x)
+  try {
+    fs.chmodSync(hookPath, '755');
+  } catch {
+    // Windows doesn't support chmod, but hooks still run via git
+  }
+
+  output.success(`Hook installed at .git/hooks/${hookType}`);
+}
+
+function installHuskyHook(huskyDir, hookType, script) {
+  const hookPath = path.join(huskyDir, hookType);
+
+  if (fs.existsSync(hookPath)) {
+    const existing = fs.readFileSync(hookPath, 'utf-8');
+    if (!existing.includes('ship-safe')) {
+      output.warning(`Existing Husky ${hookType} found. Appending ship-safe check.`);
+      fs.appendFileSync(hookPath, '\n# ship-safe\n' + script.split('\n').slice(3).join('\n'));
+      output.success(`Appended to .husky/${hookType}`);
+      return;
+    }
+    output.warning(`ship-safe guard already installed in .husky/${hookType}`);
+    return;
+  }
+
+  fs.writeFileSync(hookPath, script);
+  try {
+    fs.chmodSync(hookPath, '755');
+  } catch {}
+
+  output.success(`Hook installed at .husky/${hookType} (Husky detected)`);
+}
+
+// =============================================================================
+// REMOVE
+// =============================================================================
+
+function removeHooks(gitDir, cwd) {
+  output.header('Removing ship-safe Guard');
+
+  let removed = 0;
+
+  // Check .git/hooks
+  const hookTypes = ['pre-push', 'pre-commit'];
+  for (const hookType of hookTypes) {
+    const hookPath = path.join(gitDir, 'hooks', hookType);
+    if (fs.existsSync(hookPath)) {
+      const content = fs.readFileSync(hookPath, 'utf-8');
+      if (content.includes('ship-safe')) {
+        if (content.trim() === PRE_PUSH_HOOK.trim() || content.trim() === PRE_COMMIT_HOOK.trim()) {
+          // Ship-safe is the only hook — delete the file
+          fs.unlinkSync(hookPath);
+          output.success(`Removed .git/hooks/${hookType}`);
+        } else {
+          // Other hooks exist — only remove ship-safe lines
+          const cleaned = content
+            .replace(/# ship-safe[\s\S]*?exit 0\n/g, '')
+            .trimEnd() + '\n';
+          fs.writeFileSync(hookPath, cleaned);
+          output.success(`Removed ship-safe from .git/hooks/${hookType}`);
+        }
+        removed++;
+      }
+    }
+
+    // Check .husky
+    const huskyHookPath = path.join(cwd, '.husky', hookType);
+    if (fs.existsSync(huskyHookPath)) {
+      const content = fs.readFileSync(huskyHookPath, 'utf-8');
+      if (content.includes('ship-safe')) {
+        fs.unlinkSync(huskyHookPath);
+        output.success(`Removed .husky/${hookType}`);
+        removed++;
+      }
+    }
+  }
+
+  if (removed === 0) {
+    output.warning('No ship-safe hooks found.');
+  }
+}
+
+// =============================================================================
+// UTILITIES
+// =============================================================================
+
+function findGitDir(startPath) {
+  let current = startPath;
+
+  while (true) {
+    const gitPath = path.join(current, '.git');
+    if (fs.existsSync(gitPath)) {
+      return gitPath;
+    }
+    const parent = path.dirname(current);
+    if (parent === current) return null; // Reached filesystem root
+    current = parent;
+  }
+}