ship-safe 3.1.0 → 4.0.0

package/cli/commands/red-team.js

@@ -0,0 +1,315 @@
+/**
+ * Red Team Command
+ * =================
+ *
+ * Run all security agents against the codebase.
+ * This is the main entry point for the multi-agent security audit.
+ *
+ * USAGE:
+ *   npx ship-safe red-team [path]           Full multi-agent audit
+ *   npx ship-safe red-team . --agents injection,auth  Run specific agents
+ *   npx ship-safe red-team . --json         JSON output
+ *   npx ship-safe red-team . --html report.html  Generate HTML report
+ *   npx ship-safe red-team . --sarif        SARIF output
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import ora from 'ora';
+import { buildOrchestrator } from '../agents/index.js';
+import { ScoringEngine } from '../agents/scoring-engine.js';
+import { PolicyEngine } from '../agents/policy-engine.js';
+import { HTMLReporter } from '../agents/html-reporter.js';
+import { SBOMGenerator } from '../agents/sbom-generator.js';
+import { autoDetectProvider } from '../providers/llm-provider.js';
+import { runDepsAudit } from './deps.js';
+import * as output from '../utils/output.js';
+
+export async function redTeamCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+
+  if (!fs.existsSync(absolutePath)) {
+    output.error(`Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+
+  console.log();
+  output.header('Ship Safe v4.0 — Multi-Agent Security Audit');
+  console.log();
+
+  // ── 1. Run orchestrator ─────────────────────────────────────────────────────
+  const orchestrator = buildOrchestrator();
+
+  const agentFilter = options.agents
+    ? options.agents.split(',').map(a => a.trim())
+    : null;
+
+  const results = await orchestrator.runAll(absolutePath, {
+    verbose: options.verbose,
+    agents: agentFilter,
+  });
+
+  const { recon, findings, agentResults } = results;
+
+  // ── 2. Dependency audit ─────────────────────────────────────────────────────
+  let depVulns = [];
+  if (!options.noDeps) {
+    const depSpinner = ora({ text: 'Auditing dependencies...', color: 'cyan' }).start();
+    try {
+      const depResult = await runDepsAudit(absolutePath);
+      depVulns = depResult.vulns || [];
+      depSpinner.succeed(
+        depVulns.length === 0
+          ? chalk.green('Dependencies: clean')
+          : chalk.yellow(`Dependencies: ${depVulns.length} CVE(s)`)
+      );
+    } catch {
+      depSpinner.succeed(chalk.gray('Dependencies: skipped'));
+    }
+  }
+
+  // ── 3. Apply policy ─────────────────────────────────────────────────────────
+  const policy = PolicyEngine.load(absolutePath);
+  const filteredFindings = policy.applyPolicy(findings);
+
+  // ── 4. Score ────────────────────────────────────────────────────────────────
+  const scoringEngine = new ScoringEngine();
+  const scoreResult = scoringEngine.compute(filteredFindings, depVulns);
+  scoringEngine.saveToHistory(absolutePath, scoreResult);
+
+  // ── 5. AI classification (if provider available) ────────────────────────────
+  if (options.ai !== false) {
+    const provider = autoDetectProvider(absolutePath);
+    if (provider && filteredFindings.length > 0 && filteredFindings.length <= 50) {
+      const aiSpinner = ora({ text: `Classifying ${filteredFindings.length} finding(s) with ${provider.name}...`, color: 'cyan' }).start();
+      try {
+        const classifications = await provider.classify(filteredFindings);
+        // Merge classifications back into findings
+        for (const cl of classifications) {
+          const finding = filteredFindings.find(f => `${f.file}:${f.line}` === cl.id);
+          if (finding) {
+            finding.aiClassification = cl.classification;
+            finding.aiReason = cl.reason;
+            finding.aiFix = cl.fix;
+          }
+        }
+        aiSpinner.succeed(chalk.green(`AI classification complete (${provider.name})`));
+      } catch (err) {
+        aiSpinner.fail(chalk.yellow(`AI classification failed: ${err.message}`));
+      }
+    }
+  }
+
+  // ── 6. Output ───────────────────────────────────────────────────────────────
+  if (options.json) {
+    outputJSON(scoreResult, filteredFindings, recon, agentResults);
+  } else if (options.sarif) {
+    outputSARIF(filteredFindings, absolutePath);
+  } else if (options.html) {
+    const reporter = new HTMLReporter();
+    const htmlPath = typeof options.html === 'string' ? options.html : 'ship-safe-report.html';
+    reporter.generateToFile(scoreResult, filteredFindings, recon, absolutePath, htmlPath);
+    output.success(`HTML report saved to ${htmlPath}`);
+  } else {
+    printResults(scoreResult, filteredFindings, recon, agentResults, depVulns, absolutePath);
+  }
+
+  // ── 7. SBOM (if requested) ──────────────────────────────────────────────────
+  if (options.sbom) {
+    const sbomGen = new SBOMGenerator();
+    const sbomPath = typeof options.sbom === 'string' ? options.sbom : 'sbom.json';
+    sbomGen.generateToFile(absolutePath, sbomPath);
+    output.success(`SBOM saved to ${sbomPath}`);
+  }
+
+  // ── 8. Policy evaluation ────────────────────────────────────────────────────
+  const violations = policy.evaluate(scoreResult, filteredFindings);
+  if (violations.length > 0) {
+    console.log();
+    console.log(chalk.red.bold('  Policy Violations:'));
+    for (const v of violations.slice(0, 10)) {
+      console.log(chalk.red(`    ✗ ${v.message}`));
+    }
+    if (violations.length > 10) {
+      console.log(chalk.gray(`    ... and ${violations.length - 10} more`));
+    }
+  }
+
+  // ── 9. Trend ────────────────────────────────────────────────────────────────
+  const trend = scoringEngine.getTrend(absolutePath, scoreResult.score);
+  if (trend) {
+    const arrow = trend.diff > 0 ? chalk.green('↑') : trend.diff < 0 ? chalk.red('↓') : chalk.gray('→');
+    console.log();
+    console.log(chalk.gray(`  Trend: ${trend.previousScore} → ${trend.currentScore} ${arrow} (${trend.diff > 0 ? '+' : ''}${trend.diff})`));
+  }
+
+  console.log();
+
+  // Exit code
+  process.exit(scoreResult.score >= 75 ? 0 : 1);
+}
+
+// =============================================================================
+// OUTPUT FORMATTERS
+// =============================================================================
+
+function printResults(scoreResult, findings, recon, agentResults, depVulns, rootPath) {
+  const GRADE_COLOR = { A: chalk.green.bold, B: chalk.cyan.bold, C: chalk.yellow.bold, D: chalk.red, F: chalk.red.bold };
+  const SEV_COLOR = { critical: chalk.red.bold, high: chalk.yellow, medium: chalk.blue, low: chalk.gray };
+
+  // ── Score ───────────────────────────────────────────────────────────────────
+  console.log();
+  const gradeColor = GRADE_COLOR[scoreResult.grade.letter] || chalk.white;
+  const scoreColor = scoreResult.score >= 75 ? chalk.green.bold : scoreResult.score >= 60 ? chalk.yellow.bold : chalk.red.bold;
+
+  console.log(
+    chalk.white.bold('  Security Score: ') +
+    scoreColor(`${scoreResult.score}/100 `) +
+    gradeColor(scoreResult.grade.letter) +
+    chalk.gray(` — ${scoreResult.grade.label}`)
+  );
+  console.log(chalk.cyan('  ' + '─'.repeat(58)));
+  console.log();
+
+  // ── Category breakdown ──────────────────────────────────────────────────────
+  for (const [key, cat] of Object.entries(scoreResult.categories)) {
+    const count = Object.values(cat.counts).reduce((a, b) => a + b, 0);
+    const icon = count === 0 ? chalk.green('✔') : chalk.red('✘');
+    const status = count === 0 ? chalk.green('clean') : chalk.red(`${count} issue(s)`);
+    const deduction = cat.deduction > 0 ? chalk.red(`-${cat.deduction} pts`) : chalk.gray('+0');
+    console.log(`  ${icon}  ${chalk.white.bold(cat.label.padEnd(22))} ${status.padEnd(25)} ${deduction}`);
+  }
+
+  // Dependencies row
+  const depCount = depVulns.length;
+  const depIcon = depCount === 0 ? chalk.green('✔') : chalk.red('✘');
+  const depDeduction = scoreResult.categories.deps?.deduction || 0;
+  console.log(`  ${depIcon}  ${chalk.white.bold('Dependencies'.padEnd(22))} ${depCount === 0 ? chalk.green('clean') : chalk.red(`${depCount} CVE(s)`)}`);
+
+  // ── Top findings ────────────────────────────────────────────────────────────
+  if (findings.length > 0) {
+    console.log();
+    console.log(chalk.yellow.bold(`  Top Findings (${Math.min(findings.length, 20)} of ${findings.length})`));
+    console.log(chalk.yellow('  ' + '─'.repeat(58)));
+
+    for (const f of findings.slice(0, 20)) {
+      const relFile = path.relative(rootPath, f.file).replace(/\\/g, '/');
+      const sevColor = SEV_COLOR[f.severity] || chalk.white;
+      const aiTag = f.aiClassification === 'FALSE_POSITIVE'
+        ? chalk.gray(' [FP]')
+        : f.aiClassification === 'REAL' ? chalk.red(' [REAL]') : '';
+
+      console.log(`  ${sevColor(`[${f.severity.toUpperCase()}]`.padEnd(12))} ${chalk.white(`${relFile}:${f.line}`)}${aiTag}`);
+      console.log(`  ${chalk.gray('           ')} ${f.title || f.rule}`);
+      if (f.aiFix || f.fix) {
+        console.log(`  ${chalk.gray('     Fix:')} ${chalk.green((f.aiFix || f.fix).slice(0, 80))}`);
+      }
+    }
+  }
+
+  // ── Attack surface summary ──────────────────────────────────────────────────
+  if (recon) {
+    console.log();
+    console.log(chalk.cyan('  Attack Surface:'));
+    if (recon.frameworks?.length) console.log(chalk.gray(`    Frameworks:  ${recon.frameworks.join(', ')}`));
+    if (recon.databases?.length) console.log(chalk.gray(`    Databases:   ${recon.databases.join(', ')}`));
+    if (recon.authPatterns?.length) console.log(chalk.gray(`    Auth:        ${recon.authPatterns.join(', ')}`));
+    if (recon.apiRoutes?.length) console.log(chalk.gray(`    API Routes:  ${recon.apiRoutes.length} discovered`));
+  }
+
+  // ── Next steps ──────────────────────────────────────────────────────────────
+  if (findings.length > 0) {
+    console.log();
+    console.log(chalk.yellow.bold('  Next steps:'));
+    console.log(chalk.gray('    1. Review and fix findings above'));
+    console.log(chalk.gray('    2. Run again: ') + chalk.cyan('npx ship-safe red-team .'));
+    console.log(chalk.gray('    3. Generate report: ') + chalk.cyan('npx ship-safe red-team . --html report.html'));
+    console.log(chalk.gray('    4. Set policy: ') + chalk.cyan('npx ship-safe policy init'));
+  } else {
+    console.log();
+    output.success('All agents report clean — safe to ship!');
+  }
+
+  console.log(chalk.cyan('  ' + '═'.repeat(58)));
+}
+
+function outputJSON(scoreResult, findings, recon, agentResults) {
+  console.log(JSON.stringify({
+    score: scoreResult.score,
+    grade: scoreResult.grade.letter,
+    gradeLabel: scoreResult.grade.label,
+    totalFindings: findings.length,
+    categories: Object.fromEntries(
+      Object.entries(scoreResult.categories).map(([k, v]) => [k, {
+        label: v.label,
+        findingCount: Object.values(v.counts).reduce((a, b) => a + b, 0),
+        deduction: v.deduction,
+        counts: v.counts,
+      }])
+    ),
+    findings: findings.map(f => ({
+      file: f.file,
+      line: f.line,
+      severity: f.severity,
+      category: f.category,
+      rule: f.rule,
+      title: f.title,
+      description: f.description,
+      fix: f.fix,
+      aiClassification: f.aiClassification,
+      aiFix: f.aiFix,
+    })),
+    recon,
+    agents: agentResults,
+  }, null, 2));
+}
+
+function outputSARIF(findings, rootPath) {
+  const rules = {};
+  for (const f of findings) {
+    if (!rules[f.rule]) {
+      rules[f.rule] = {
+        id: f.rule,
+        name: f.title || f.rule,
+        shortDescription: { text: f.title || f.rule },
+        fullDescription: { text: f.description || '' },
+        defaultConfiguration: {
+          level: ['critical', 'high'].includes(f.severity) ? 'error' : 'warning',
+        },
+        helpUri: 'https://github.com/asamassekou10/ship-safe',
+      };
+    }
+  }
+
+  const sarif = {
+    version: '2.1.0',
+    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'ship-safe',
+          version: '4.0.0',
+          informationUri: 'https://github.com/asamassekou10/ship-safe',
+          rules: Object.values(rules),
+        }
+      },
+      results: findings.map(f => ({
+        ruleId: f.rule,
+        level: ['critical', 'high'].includes(f.severity) ? 'error' : 'warning',
+        message: { text: `${f.title}: ${f.description}` },
+        locations: [{
+          physicalLocation: {
+            artifactLocation: {
+              uri: path.relative(rootPath, f.file).replace(/\\/g, '/'),
+              uriBaseId: '%SRCROOT%',
+            },
+            region: { startLine: f.line, startColumn: f.column || 1 },
+          }
+        }],
+      })),
+    }],
+  };
+
+  console.log(JSON.stringify(sarif, null, 2));
+}

package/cli/commands/remediate.js

@@ -39,7 +39,7 @@ import chalk from 'chalk';
 import ora from 'ora';
 import pkg from 'write-file-atomic';
 const { writeFile: writeFileAtomic } = pkg;
-import { glob } from 'glob';
+import fg from 'fast-glob';
 import {
   SECRET_PATTERNS,
   SKIP_DIRS,
@@ -415,7 +415,7 @@ function stageFiles(files, rootPath) {
   if (files.length === 0) return;
   try {
     const quoted = files.map(f => `"${f}"`).join(' ');
-    execSync(`git add ${quoted}`, { cwd: rootPath, stdio: 'inherit' });
+    execSync(`git add ${quoted}`, { cwd: rootPath, stdio: 'inherit' }); // ship-safe-ignore — paths come from our own file scan
     output.success(`Staged ${files.length} file(s) with git add`);
   } catch {
     output.warning('Could not stage files — run git add manually.');
@@ -428,8 +428,8 @@ function stageFiles(files, rootPath) {
 
 async function findFiles(rootPath) {
   const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
-  const files = await glob('**/*', {
-    cwd: rootPath, absolute: true, nodir: true, ignore: globIgnore, dot: true
+  const files = await fg('**/*', {
+    cwd: rootPath, absolute: true, onlyFiles: true, ignore: globIgnore, dot: true
   });
 
   const filtered = [];

package/cli/commands/rotate.js

@@ -24,7 +24,7 @@ import path from 'path';
 import { execSync } from 'child_process';
 import chalk from 'chalk';
 import ora from 'ora';
-import { glob } from 'glob';
+import fg from 'fast-glob';
 import {
   SECRET_PATTERNS,
   SKIP_DIRS,
@@ -390,9 +390,9 @@ async function revokeGitHubToken(token) {
 function openBrowser(url) {
   try {
     const platform = process.platform;
-    if (platform === 'win32') execSync(`start "" "${url}"`, { stdio: 'ignore' });
-    else if (platform === 'darwin') execSync(`open "${url}"`, { stdio: 'ignore' });
-    else execSync(`xdg-open "${url}"`, { stdio: 'ignore' });
+    if (platform === 'win32') execSync(`start "" "${url}"`, { stdio: 'ignore' }); // ship-safe-ignore — url is hardcoded provider dashboard URL
+    else if (platform === 'darwin') execSync(`open "${url}"`, { stdio: 'ignore' }); // ship-safe-ignore
+    else execSync(`xdg-open "${url}"`, { stdio: 'ignore' }); // ship-safe-ignore
     return true;
   } catch {
     return false;
@@ -405,8 +405,8 @@ function openBrowser(url) {
 
 async function findFiles(rootPath) {
   const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
-  const files = await glob('**/*', {
-    cwd: rootPath, absolute: true, nodir: true, ignore: globIgnore, dot: true
+  const files = await fg('**/*', {
+    cwd: rootPath, absolute: true, onlyFiles: true, ignore: globIgnore, dot: true
   });
   const filtered = [];
   for (const file of files) {

package/cli/commands/scan.js

@@ -21,11 +21,12 @@
 
 import fs from 'fs';
 import path from 'path';
-import { glob } from 'glob';
+import fg from 'fast-glob';
 import ora from 'ora';
 import chalk from 'chalk';
 import {
   SECRET_PATTERNS,
+  SECURITY_PATTERNS,
   SKIP_DIRS,
   SKIP_EXTENSIONS,
   TEST_FILE_PATTERNS,
@@ -94,7 +95,7 @@ export async function scanCommand(targetPath = '.', options = {}) {
 
   // Load custom patterns from .ship-safe.json
   const customPatterns = loadCustomPatterns(absolutePath);
-  const allPatterns = [...SECRET_PATTERNS, ...customPatterns];
+  const allPatterns = [...SECRET_PATTERNS, ...SECURITY_PATTERNS, ...customPatterns];
 
   if (customPatterns.length > 0 && options.verbose) {
     output.info(`Loaded ${customPatterns.length} custom pattern(s) from .ship-safe.json`);
@@ -102,7 +103,7 @@ export async function scanCommand(targetPath = '.', options = {}) {
 
   // Start spinner
   const spinner = ora({
-    text: 'Scanning for secrets...',
+    text: 'Scanning for secrets and vulnerabilities...',
     color: 'cyan'
   }).start();
 
@@ -204,10 +205,10 @@ async function findFiles(rootPath, ignorePatterns, options = {}) {
   const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
 
   // Find all files
-  const files = await glob('**/*', {
+  const files = await fg('**/*', {
     cwd: rootPath,
     absolute: true,
-    nodir: true,
+    onlyFiles: true,
     ignore: globIgnore,
     dot: true
   });
@@ -284,7 +285,8 @@ async function scanFile(filePath, patterns = SECRET_PATTERNS) {
             patternName: pattern.name,
             severity: pattern.severity,
             confidence,
-            description: pattern.description
+            description: pattern.description,
+            category: pattern.category || 'secret'
           });
         }
       }
@@ -293,7 +295,17 @@ async function scanFile(filePath, patterns = SECRET_PATTERNS) {
     // Skip files that can't be read (binary, permissions, etc.)
   }
 
-  return findings;
+  // Deduplicate: multiple patterns can match the same secret on the same line
+  // (e.g. Stripe and Clerk both match sk_live_...). Keep one finding per
+  // unique (line, matched-text) pair — first match wins (patterns are ordered
+  // by severity: critical → high → medium).
+  const seen = new Set();
+  return findings.filter(f => {
+    const key = `${f.line}:${f.matched}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
 }
 
 // =============================================================================
@@ -301,11 +313,24 @@ async function scanFile(filePath, patterns = SECRET_PATTERNS) {
 // =============================================================================
 
 function outputPretty(results, filesScanned, rootPath) {
+  // Separate findings into secrets and code vulnerabilities
+  const secretResults = [];
+  const vulnResults = [];
+
+  for (const { file, findings } of results) {
+    const secrets = findings.filter(f => f.category !== 'vulnerability');
+    const vulns = findings.filter(f => f.category === 'vulnerability');
+    if (secrets.length > 0) secretResults.push({ file, findings: secrets });
+    if (vulns.length > 0) vulnResults.push({ file, findings: vulns });
+  }
+
   const stats = {
     total: 0,
     critical: 0,
     high: 0,
     medium: 0,
+    secretsTotal: 0,
+    vulnsTotal: 0,
     filesScanned
   };
 
@@ -313,31 +338,45 @@ function outputPretty(results, filesScanned, rootPath) {
     for (const f of findings) {
       stats.total++;
       stats[f.severity] = (stats[f.severity] || 0) + 1;
+      if (f.category === 'vulnerability') stats.vulnsTotal++;
+      else stats.secretsTotal++;
     }
   }
 
   output.header('Scan Results');
 
   if (results.length === 0) {
-    output.success('No secrets detected in your codebase!');
+    output.success('No secrets or vulnerabilities detected in your codebase!');
     console.log();
     console.log(chalk.gray('Note: Uses pattern matching + entropy scoring. Test files excluded by default.'));
     console.log(chalk.gray('Tip:  Run with --include-tests to also scan test files.'));
     console.log(chalk.gray('Tip:  Add a .ship-safeignore file to exclude paths.'));
   } else {
-    for (const { file, findings } of results) {
-      const relPath = path.relative(rootPath, file);
-
-      for (const f of findings) {
-        output.finding(
-          relPath,
-          f.line,
-          f.patternName,
-          f.severity,
-          f.matched,
-          f.description,
-          f.confidence
-        );
+    // ── Secrets section ────────────────────────────────────────────────────
+    if (secretResults.length > 0) {
+      console.log();
+      console.log(chalk.red.bold(`  Secrets (${stats.secretsTotal})`));
+      console.log(chalk.red('  ' + '─'.repeat(58)));
+
+      for (const { file, findings } of secretResults) {
+        const relPath = path.relative(rootPath, file);
+        for (const f of findings) {
+          output.finding(relPath, f.line, f.patternName, f.severity, f.matched, f.description, f.confidence);
+        }
+      }
+    }
+
+    // ── Code Vulnerabilities section ───────────────────────────────────────
+    if (vulnResults.length > 0) {
+      console.log();
+      console.log(chalk.yellow.bold(`  Code Vulnerabilities (${stats.vulnsTotal})`));
+      console.log(chalk.yellow('  ' + '─'.repeat(58)));
+
+      for (const { file, findings } of vulnResults) {
+        const relPath = path.relative(rootPath, file);
+        for (const f of findings) {
+          output.vulnerabilityFinding(relPath, f.line, f.patternName, f.severity, f.matched, f.description);
+        }
       }
     }
 
@@ -346,7 +385,8 @@ function outputPretty(results, filesScanned, rootPath) {
     console.log(chalk.gray('Suppress a finding: add  # ship-safe-ignore  as a comment on that line'));
     console.log(chalk.gray('Exclude a path:     add it to .ship-safeignore'));
 
-    output.recommendations();
+    if (secretResults.length > 0) output.recommendations();
+    if (vulnResults.length > 0) output.vulnRecommendations();
   }
 
   output.summary(stats);
@@ -367,10 +407,11 @@ function outputJSON(results, filesScanned) {
         file,
         line: f.line,
         column: f.column,
+        category: f.category || 'secret',
         severity: f.severity,
         confidence: f.confidence,
         type: f.patternName,
-        matched: output.maskSecret(f.matched),
+        matched: f.category === 'vulnerability' ? f.matched : output.maskSecret(f.matched),
         description: f.description
       });
     }