ship-safe 3.1.0 → 3.2.0

package/cli/utils/output.js

@@ -101,6 +101,21 @@ export function finding(file, line, patternName, severity, matched, description,
   console.log(`  ${chalk.gray('Why:')} ${description}`);
 }
 
+/**
+ * Print a vulnerability finding (code issue — show matched code, not masked)
+ */
+export function vulnerabilityFinding(file, line, patternName, severity, matched, description) {
+  const color = severityColors[severity] || chalk.white;
+  const icon = severityIcons[severity] || '';
+  const snippet = matched.length > 80 ? matched.slice(0, 80) + '…' : matched;
+
+  console.log();
+  console.log(chalk.white.bold(`${file}:${line}`));
+  console.log(`  ${icon}${color(`[${severity.toUpperCase()}]`)} ${chalk.white(patternName)}`);
+  console.log(`  ${chalk.gray('Code:')}  ${chalk.cyan(snippet)}`);
+  console.log(`  ${chalk.gray('Why:')}  ${description}`);
+}
+
 /**
  * Mask the middle of a secret for safe display
  */
@@ -113,15 +128,27 @@ export function maskSecret(secret) {
 
 /**
  * Print a summary box
+ *
+ * stats can include:
+ *   total, critical, high, medium, filesScanned
+ *   secretsTotal (optional), vulnsTotal (optional)
  */
 export function summary(stats) {
   console.log();
   console.log(chalk.cyan('='.repeat(60)));
 
   if (stats.total === 0) {
-    console.log(chalk.green.bold('  \u2714 No secrets detected!'));
+    console.log(chalk.green.bold('  \u2714 No issues detected!'));
   } else {
-    console.log(chalk.red.bold(`  \u26a0 Found ${stats.total} potential secret(s)`));
+    const secretsTotal = stats.secretsTotal ?? stats.total;
+    const vulnsTotal = stats.vulnsTotal ?? 0;
+
+    if (secretsTotal > 0) {
+      console.log(chalk.red.bold(`  \u26a0 Found ${secretsTotal} secret(s)`));
+    }
+    if (vulnsTotal > 0) {
+      console.log(chalk.yellow.bold(`  \u26a0 Found ${vulnsTotal} code vulnerability/vulnerabilities`));
+    }
 
     if (stats.critical > 0) {
       console.log(chalk.red(`    \u2022 Critical: ${stats.critical}`));
@@ -138,6 +165,19 @@ export function summary(stats) {
   console.log(chalk.cyan('='.repeat(60)));
 }
 
+/**
+ * Print recommended actions after finding code vulnerabilities
+ */
+export function vulnRecommendations() {
+  console.log();
+  console.log(chalk.yellow.bold('Code Vulnerability Actions:'));
+  console.log();
+  console.log(chalk.white('1.') + ' Fix the flagged code patterns (see "Why" descriptions above)');
+  console.log(chalk.white('2.') + ' Use  # ship-safe-ignore  on lines that are safe (e.g. internal tools, controlled input)');
+  console.log(chalk.white('3.') + ' Run  npx ship-safe checklist  for a full launch-day security review');
+  console.log();
+}
+
 /**
  * Print recommended actions after finding secrets
  */

package/cli/utils/patterns.js

@@ -392,6 +392,52 @@ export const SECRET_PATTERNS = [
     severity: 'medium',
     description: 'Supabase anon keys. Safe for frontend but verify RLS is enabled.'
   },
+  {
+    name: 'Stytch Secret Key',
+    pattern: /secret-(?:live|test)-[a-zA-Z0-9]{30,}/g,
+    severity: 'critical',
+    description: 'Stytch secret keys grant full access to your authentication system.'
+  },
+  {
+    name: 'Okta API Token',
+    pattern: /(?:okta|OKTA)[_-]?(?:api[_-]?)?token["']?\s*[:=]\s*["']?(00[a-zA-Z0-9_-]{38})["']?/gi,
+    severity: 'high',
+    description: 'Okta API tokens can manage your identity provider and user directory.'
+  },
+
+  // =========================================================================
+  // CRITICAL: Additional Cloud/Infra
+  // =========================================================================
+  {
+    name: 'Azure Storage Connection String',
+    pattern: /DefaultEndpointsProtocol=https;AccountName=[^;]{1,50};AccountKey=[a-zA-Z0-9+/=]{44,}/g,
+    severity: 'critical',
+    description: 'Azure Storage connection strings contain account keys with full storage access.'
+  },
+  {
+    name: 'AWS Session Token',
+    pattern: /(?:aws_session_token|aws_security_token)[\s]*[=:][\s]*["']?([A-Za-z0-9/+=]{100,})["']?/gi,
+    severity: 'critical',
+    description: 'AWS session tokens are temporary credentials that still grant account access.'
+  },
+  {
+    name: 'PlanetScale Service Token',
+    pattern: /pscale_tkn_[a-zA-Z0-9_-]{32,}/g,
+    severity: 'critical',
+    description: 'PlanetScale service tokens grant programmatic database branch access.'
+  },
+  {
+    name: 'Shopify Admin API Access Token',
+    pattern: /shpat_[a-fA-F0-9]{32}/g,
+    severity: 'critical',
+    description: 'Shopify admin tokens grant full store management access including orders and customers.'
+  },
+  {
+    name: 'Shopify Custom App Access Token',
+    pattern: /shpca_[a-fA-F0-9]{32}/g,
+    severity: 'critical',
+    description: 'Shopify custom app tokens provide scoped store admin access.'
+  },
 
   // =========================================================================
   // HIGH: Productivity & SaaS
@@ -421,6 +467,66 @@ export const SECRET_PATTERNS = [
     description: 'Figma PATs can access your design files and projects.'
   },
 
+  // =========================================================================
+  // HIGH: AI/ML Providers (2025-2026 additions)
+  // =========================================================================
+  {
+    name: 'xAI (Grok) API Key',
+    pattern: /xai-[A-Za-z0-9]{52,}/g,
+    severity: 'high',
+    description: 'xAI API keys grant access to Grok models and incur usage charges on your account.'
+  },
+  {
+    name: 'Tavily API Key',
+    pattern: /tvly-[a-zA-Z0-9]{32,}/g,
+    severity: 'high',
+    description: 'Tavily API keys grant access to their AI-powered search service.'
+  },
+  {
+    name: 'Cerebras API Key',
+    pattern: /csk-[a-zA-Z0-9]{48,}/g,
+    severity: 'high',
+    description: 'Cerebras API keys provide access to fast AI inference.'
+  },
+  {
+    name: 'Pinecone API Key',
+    pattern: /pcsk_[a-zA-Z0-9]{47}_[a-zA-Z0-9]{47}/g,
+    severity: 'high',
+    description: 'Pinecone API keys grant access to your vector database indexes.'
+  },
+  {
+    name: 'ElevenLabs API Key',
+    pattern: /(?:elevenlabs|ELEVENLABS)[_-]?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-fA-F0-9]{32})["']?/gi,
+    severity: 'high',
+    description: 'ElevenLabs API keys grant access to their voice AI cloning and synthesis service.'
+  },
+  {
+    name: 'DeepSeek API Key',
+    pattern: /(?:deepseek|DEEPSEEK)[_-]?(?:api[_-]?)?key["']?\s*[:=]\s*["']?(sk-[a-zA-Z0-9]{32,})["']?/gi,
+    severity: 'high',
+    description: 'DeepSeek API keys grant access to their language models.'
+  },
+  {
+    name: 'Voyage AI API Key',
+    pattern: /(?:voyage|VOYAGE)[_-]?(?:ai[_-]?)?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-zA-Z0-9]{32,})["']?/gi,
+    severity: 'high',
+    requiresEntropyCheck: true,
+    description: 'Voyage AI API keys provide access to their embedding and reranking models.'
+  },
+  {
+    name: 'Fireworks AI API Key',
+    pattern: /(?:fireworks|FIREWORKS)[_-]?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-zA-Z0-9]{32,})["']?/gi,
+    severity: 'high',
+    requiresEntropyCheck: true,
+    description: 'Fireworks AI API keys grant access to fast open-source model inference.'
+  },
+  {
+    name: 'Anyscale API Key',
+    pattern: /esecret_[a-zA-Z0-9]{32,}/g,
+    severity: 'high',
+    description: 'Anyscale API keys grant access to their managed Ray and LLM endpoints.'
+  },
+
   // =========================================================================
   // HIGH: Payments (Additional)
   // =========================================================================
@@ -454,6 +560,99 @@ export const SECRET_PATTERNS = [
     severity: 'high',
     description: 'Paddle API keys can manage your subscriptions and payments.'
   },
+  {
+    name: 'Stripe Restricted Key',
+    pattern: /rk_(?:live|test)_[a-zA-Z0-9]{24,}/g,
+    severity: 'high',
+    description: 'Stripe restricted keys have scoped permissions but still grant API access.'
+  },
+  {
+    name: 'Square Access Token',
+    pattern: /EAAAl[0-9a-zA-Z_-]{50,}/g,
+    severity: 'high',
+    description: 'Square access tokens can process payments and manage store data.'
+  },
+  {
+    name: 'Square OAuth Token',
+    pattern: /sq0[a-z]tp-[a-zA-Z0-9_-]{22}/g,
+    severity: 'high',
+    description: 'Square OAuth tokens authorize Square API access for a merchant account.'
+  },
+  {
+    name: 'Shopify Shared Secret',
+    pattern: /shpss_[a-fA-F0-9]{32}/g,
+    severity: 'high',
+    description: 'Shopify shared secrets validate webhook payload signatures.'
+  },
+  {
+    name: 'Braintree Access Token',
+    pattern: /access_token\$(?:production|sandbox)\$[a-z0-9]{16}\$[a-f0-9]{32}/g,
+    severity: 'critical',
+    description: 'Braintree access tokens grant full payment processing access.'
+  },
+
+  // =========================================================================
+  // HIGH: Realtime & Messaging
+  // =========================================================================
+  {
+    name: 'Pusher App Secret',
+    pattern: /(?:pusher|PUSHER)[_-]?(?:app[_-]?)?secret["']?\s*[:=]\s*["']?([a-f0-9]{32})["']?/gi,
+    severity: 'high',
+    description: 'Pusher app secrets authenticate private and presence channel subscriptions.'
+  },
+  {
+    name: 'Ably API Key',
+    pattern: /(?:ably|ABLY)[_-]?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-zA-Z0-9_-]{8}\.[a-zA-Z0-9_-]{6}:[a-zA-Z0-9+/=_-]{43,})["']?/gi,
+    severity: 'high',
+    description: 'Ably API keys grant full publish and subscribe access to your realtime channels.'
+  },
+  {
+    name: 'Mapbox Access Token',
+    pattern: /pk\.eyJ1[a-zA-Z0-9._-]{40,}/g,
+    severity: 'medium',
+    description: 'Mapbox tokens can incur charges if abused. Restrict token scope and allowed URLs.'
+  },
+
+  // =========================================================================
+  // HIGH: DevOps & CI/CD
+  // =========================================================================
+  {
+    name: 'CircleCI Personal API Token',
+    pattern: /CCIPAT_[a-zA-Z0-9]{40,}/g,
+    severity: 'high',
+    description: 'CircleCI API tokens can trigger builds, read logs, and access pipeline data.'
+  },
+  {
+    name: 'Sentry Auth Token',
+    pattern: /sntrys_[a-zA-Z0-9_]{64,}/g,
+    severity: 'high',
+    description: 'Sentry auth tokens provide full API access to your error data and project settings.'
+  },
+  {
+    name: 'Terraform Cloud Token',
+    pattern: /(?:terraform|TFC)[_-]?(?:api[_-]?)?token["']?\s*[:=]\s*["']?([a-zA-Z0-9]{14}\.atlasv1\.[a-zA-Z0-9_-]{67,})["']?/gi,
+    severity: 'high',
+    description: 'Terraform Cloud tokens can read and apply infrastructure state.'
+  },
+  {
+    name: 'Cloudinary API Secret',
+    pattern: /(?:cloudinary|CLOUDINARY)[_-]?(?:api[_-]?)?secret["']?\s*[:=]\s*["']?([a-zA-Z0-9_-]{27,})["']?/gi,
+    severity: 'high',
+    requiresEntropyCheck: true,
+    description: 'Cloudinary API secrets grant access to your media library and transformations.'
+  },
+  {
+    name: 'Algolia Admin API Key',
+    pattern: /(?:algolia|ALGOLIA)[_-]?(?:admin[_-]?)?(?:api[_-]?)?key["']?\s*[:=]\s*["']?([a-f0-9]{32})["']?/gi,
+    severity: 'high',
+    description: 'Algolia admin keys can modify indices and change search configuration.'
+  },
+  {
+    name: 'LaunchDarkly SDK Key',
+    pattern: /sdk-[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}/g,
+    severity: 'high',
+    description: 'LaunchDarkly SDK keys can read all feature flags and user data.'
+  },
 
   // =========================================================================
   // HIGH: Analytics & Monitoring
@@ -566,7 +765,24 @@ export const SKIP_DIRS = new Set([
   'jspm_packages',
   '.vercel',
   '.netlify',
-  '.serverless'
+  '.serverless',
+  // Additional build/tooling output
+  '.yarn',
+  'storybook-static',
+  'playwright-report',
+  '.playwright',
+  '.gradle',
+  'target',           // Maven/Gradle build output
+  '.pytest_cache',
+  '.mypy_cache',
+  '.ruff_cache',
+  '.tox',
+  'site-packages',
+  '.pnpm',
+  'jspm_packages',
+  '.expo',
+  '.docusaurus',
+  '.storybook',
 ]);
 
 export const SKIP_EXTENSIONS = new Set([
@@ -593,6 +809,182 @@ export const SKIP_EXTENSIONS = new Set([
 // Maximum file size to scan (1MB)
 export const MAX_FILE_SIZE = 1_000_000;
 
+// =============================================================================
+// SECURITY VULNERABILITY PATTERNS
+// =============================================================================
+//
+// These patterns detect insecure code patterns (OWASP Top 10, misconfigs, etc.)
+// They are distinct from SECRET_PATTERNS:
+//   - Secrets    → move to env vars, rotate if exposed
+//   - Vulns      → fix the code pattern, can't just rotate
+//
+// Each pattern includes category: 'vulnerability' to separate output sections.
+
+export const SECURITY_PATTERNS = [
+
+  // =========================================================================
+  // XSS — Cross-Site Scripting
+  // =========================================================================
+  {
+    name: 'XSS: dangerouslySetInnerHTML',
+    pattern: /dangerouslySetInnerHTML\s*=\s*\{\s*\{/g,
+    severity: 'high',
+    category: 'vulnerability',
+    description: 'dangerouslySetInnerHTML can introduce XSS if the value contains user input. Sanitize with DOMPurify or restructure to avoid it.'
+  },
+  {
+    name: 'XSS: innerHTML Assignment',
+    pattern: /\.innerHTML\s*=/g,
+    severity: 'medium',
+    category: 'vulnerability',
+    description: 'innerHTML set to user-controlled data leads to XSS. Use textContent for plain text or DOMPurify to sanitize HTML.'
+  },
+  {
+    name: 'XSS: document.write',
+    pattern: /\bdocument\.write\s*\(/g,
+    severity: 'medium',
+    category: 'vulnerability',
+    description: 'document.write() is deprecated and can introduce XSS. Use DOM manipulation (createElement, appendChild) instead.'
+  },
+
+  // =========================================================================
+  // Code Injection
+  // =========================================================================
+  {
+    name: 'Code Injection: eval()',
+    pattern: /\beval\s*\(/g,
+    severity: 'high',
+    category: 'vulnerability',
+    description: 'eval() executes arbitrary JavaScript and is a serious attack vector. Replace with JSON.parse(), Function calls, or safer alternatives.'
+  },
+  {
+    name: 'Code Injection: new Function()',
+    pattern: /\bnew\s+Function\s*\(/g,
+    severity: 'high',
+    category: 'vulnerability',
+    description: 'new Function() is functionally equivalent to eval() and can execute arbitrary code. Avoid dynamic code generation.'
+  },
+
+  // =========================================================================
+  // SQL Injection
+  // =========================================================================
+  {
+    name: 'SQL Injection: Template Literal Query',
+    pattern: /`(?:SELECT|INSERT|UPDATE|DELETE|DROP\s+TABLE|ALTER\s+TABLE)[^`]*\$\{/gi,
+    severity: 'critical',
+    category: 'vulnerability',
+    description: 'SQL queries with interpolated template variables are vulnerable to injection. Use parameterized queries or a query builder.'
+  },
+  {
+    name: 'SQL Injection: String Concatenation Query',
+    pattern: /["'](?:SELECT|INSERT|UPDATE|DELETE)\s+[^"']{4,}["']\s*\+/gi,
+    severity: 'high',
+    category: 'vulnerability',
+    description: 'Building SQL with string concatenation is vulnerable to SQL injection. Use parameterized queries (?, $1) or an ORM.'
+  },
+
+  // =========================================================================
+  // Command Injection
+  // =========================================================================
+  {
+    name: 'Command Injection: exec with Template Literal',
+    pattern: /\bexec(?:Sync)?\s*\(\s*`[^`]*\$\{/g,
+    severity: 'critical',
+    category: 'vulnerability',
+    description: 'Running shell commands with interpolated values can lead to command injection. Validate all inputs or use execFile() with argument arrays.'
+  },
+  {
+    name: 'Command Injection: shell: true',
+    pattern: /\bspawn(?:Sync)?\s*\([^)]*\bshell\s*:\s*true/g,
+    severity: 'high',
+    category: 'vulnerability',
+    description: 'shell: true in spawn/spawnSync enables shell expansion and can lead to command injection. Remove shell: true and pass arguments as an array.'
+  },
+
+  // =========================================================================
+  // Weak Cryptography
+  // =========================================================================
+  {
+    name: 'Weak Crypto: MD5',
+    pattern: /createHash\s*\(\s*['"]md5['"]\s*\)/gi,
+    severity: 'medium',
+    category: 'vulnerability',
+    description: 'MD5 is cryptographically broken and must not be used for security purposes. Use SHA-256 (createHash("sha256")) or SHA-3.'
+  },
+  {
+    name: 'Weak Crypto: SHA-1',
+    pattern: /createHash\s*\(\s*['"]sha1['"]\s*\)/gi,
+    severity: 'medium',
+    category: 'vulnerability',
+    description: 'SHA-1 is cryptographically weak and collision-prone. Use SHA-256 (createHash("sha256")) or SHA-3 instead.'
+  },
+
+  // =========================================================================
+  // TLS / SSL Bypass
+  // =========================================================================
+  {
+    name: 'TLS Bypass: NODE_TLS_REJECT_UNAUTHORIZED=0',
+    pattern: /NODE_TLS_REJECT_UNAUTHORIZED\s*[=:]\s*['"]?0['"]?/g,
+    severity: 'critical',
+    category: 'vulnerability',
+    description: 'Setting NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate validation and exposes your app to MITM attacks. Never use in production.'
+  },
+  {
+    name: 'TLS Bypass: rejectUnauthorized false',
+    pattern: /\brejectUnauthorized\s*:\s*false\b/g,
+    severity: 'high',
+    category: 'vulnerability',
+    description: 'rejectUnauthorized: false disables TLS certificate checking and enables man-in-the-middle attacks. Remove it or use a proper CA bundle.'
+  },
+  {
+    name: 'TLS Bypass: verify=False (Python)',
+    pattern: /\brequests\.\w+\s*\([^)]*\bverify\s*=\s*False\b/g,
+    severity: 'high',
+    category: 'vulnerability',
+    description: 'verify=False in Python requests disables SSL certificate verification. Remove this or pass verify="/path/to/ca-bundle.crt".'
+  },
+
+  // =========================================================================
+  // Unsafe Deserialization
+  // =========================================================================
+  {
+    name: 'Unsafe Deserialization: pickle.loads',
+    pattern: /\bpickle\.loads?\s*\(/g,
+    severity: 'high',
+    category: 'vulnerability',
+    description: 'pickle.loads() on untrusted data can execute arbitrary Python code (RCE). Use JSON or another safe format for data from untrusted sources.'
+  },
+  {
+    name: 'Unsafe Deserialization: yaml.load',
+    pattern: /\byaml\.load\s*\(/g,
+    severity: 'medium',
+    category: 'vulnerability',
+    description: 'yaml.load() can execute arbitrary code with certain YAML tags. Use yaml.safe_load() for untrusted input.'
+  },
+
+  // =========================================================================
+  // Security Misconfigurations
+  // =========================================================================
+  {
+    name: 'Security Config: CORS Wildcard',
+    pattern: /\borigin\s*:\s*['"]?\*['"]?/g,
+    severity: 'medium',
+    category: 'vulnerability',
+    description: 'CORS wildcard (*) allows any origin to make credentialed requests to your API. Use a specific allowlist of trusted origins.'
+  },
+
+  // =========================================================================
+  // Deprecated / Insecure Node.js APIs
+  // =========================================================================
+  {
+    name: 'Deprecated API: new Buffer()',
+    pattern: /\bnew\s+Buffer\s*\(/g,
+    severity: 'medium',
+    category: 'vulnerability',
+    description: 'new Buffer() is deprecated since Node.js 6 and has security implications. Use Buffer.from(), Buffer.alloc(), or Buffer.allocUnsafe().'
+  },
+];
+
 // =============================================================================
 // TEST FILE PATTERNS (skipped by default, override with --include-tests)
 // =============================================================================

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ship-safe",
-  "version": "3.1.0",
+  "version": "3.2.0",
   "description": "Security toolkit for vibe coders and indie hackers. Secure your MVP in 5 minutes.",
   "main": "cli/index.js",
   "bin": {
@@ -57,7 +57,7 @@
   "dependencies": {
     "chalk": "^5.3.0",
     "commander": "^12.1.0",
-    "glob": "^10.3.10",
+    "fast-glob": "^3.3.3",
     "ora": "^8.0.1",
     "write-file-atomic": "^7.0.0"
   }