ship-safe 4.0.0 → 4.2.0

package/cli/commands/doctor.js

@@ -0,0 +1,149 @@
+/**
+ * Doctor Command — Environment Diagnostics
+ * ==========================================
+ *
+ * Checks Node.js version, git, npm, API keys, ignore files,
+ * cache directory, and package version.
+ *
+ * USAGE:
+ *   npx ship-safe doctor
+ */
+
+import { execFileSync } from 'child_process';
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const PACKAGE_VERSION = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf8')).version;
+
+export async function doctorCommand() {
+  console.log();
+  console.log(chalk.cyan.bold('  Ship Safe Doctor'));
+  console.log(chalk.gray('  ' + '─'.repeat(50)));
+  console.log();
+
+  let allGood = true;
+
+  // 1. Node.js version
+  const nodeVersion = process.version;
+  const nodeMajor = parseInt(nodeVersion.slice(1), 10);
+  if (nodeMajor >= 18) {
+    pass(`Node.js ${nodeVersion} (requires ≥18)`);
+  } else {
+    fail(`Node.js ${nodeVersion} — requires ≥18`);
+    allGood = false;
+  }
+
+  // 2. Git
+  try {
+    const gitVersion = execFileSync('git', ['--version'], { encoding: 'utf-8' }).trim();
+    pass(gitVersion.replace('git version ', 'git v'));
+  } catch {
+    fail('git not found (needed for guard, git-history-scanner)');
+    allGood = false;
+  }
+
+  // 3. Package manager
+  const managers = ['npm', 'yarn', 'pnpm'];
+  let foundPm = false;
+  for (const pm of managers) {
+    try {
+      const ver = execFileSync(pm, ['--version'], { encoding: 'utf-8', shell: true }).trim();
+      pass(`${pm} v${ver}`);
+      foundPm = true;
+      break;
+    } catch { /* try next */ }
+  }
+  if (!foundPm) {
+    fail('No package manager found (npm/yarn/pnpm)');
+    allGood = false;
+  }
+
+  // 4. API keys
+  const apiKeys = [
+    { name: 'Anthropic API key', env: 'ANTHROPIC_API_KEY', required: false },
+    { name: 'OpenAI API key', env: 'OPENAI_API_KEY', required: false },
+    { name: 'Google AI API key', env: 'GOOGLE_API_KEY', required: false },
+  ];
+  for (const key of apiKeys) {
+    if (process.env[key.env]) {
+      pass(`${key.name} configured`);
+    } else {
+      info(`${key.name} not set (optional — for AI classification)`);
+    }
+  }
+
+  // 5. .ship-safeignore
+  const cwd = process.cwd();
+  const ignorePath = path.join(cwd, '.ship-safeignore');
+  if (fs.existsSync(ignorePath)) {
+    try {
+      const patterns = fs.readFileSync(ignorePath, 'utf-8')
+        .split('\n').filter(l => l.trim() && !l.startsWith('#')).length;
+      pass(`.ship-safeignore found (${patterns} patterns)`);
+    } catch {
+      pass('.ship-safeignore found');
+    }
+  } else {
+    info('.ship-safeignore not found (run: ship-safe init)');
+  }
+
+  // 6. Cache directory
+  const cacheDir = path.join(cwd, '.ship-safe');
+  if (fs.existsSync(cacheDir)) {
+    try {
+      const testFile = path.join(cacheDir, '.doctor-test');
+      fs.writeFileSync(testFile, 'test');
+      fs.unlinkSync(testFile);
+      pass('Cache directory writable');
+    } catch {
+      fail('Cache directory not writable');
+      allGood = false;
+    }
+  } else {
+    info('Cache directory does not exist yet (created on first scan)');
+  }
+
+  // 7. Version check
+  pass(`ship-safe v${PACKAGE_VERSION}`);
+  try {
+    const latest = execFileSync('npm', ['view', 'ship-safe', 'version'], {
+      encoding: 'utf-8', timeout: 5000, shell: true,
+    }).trim();
+    if (latest && latest !== PACKAGE_VERSION) {
+      const msg = ['v', latest, ' available (current: v', PACKAGE_VERSION, ')'].join('');
+      info(msg);
+    } else if (latest) {
+      pass('Up to date');
+    }
+  } catch {
+    // Skip version check if npm view fails
+  }
+
+  console.log();
+  if (allGood) {
+    console.log(chalk.green.bold('  All checks passed!'));
+  } else {
+    console.log(chalk.yellow.bold('  Some checks failed. See above for details.'));
+  }
+  console.log();
+}
+
+function pass(msg) {
+  console.log(chalk.green('  ✔ ') + chalk.white(msg));
+}
+
+function fail(msg) {
+  console.log(chalk.red('  ✗ ') + chalk.red(msg));
+}
+
+function info(msg) {
+  console.log(chalk.gray('  ○ ') + chalk.gray(msg));
+}
+
+export default doctorCommand;

package/cli/commands/remediate.js

@@ -34,7 +34,7 @@ import fs from 'fs';
 import path from 'path';
 import os from 'os';
 import { createInterface } from 'readline';
-import { execSync } from 'child_process';
+import { execSync, execFileSync } from 'child_process';
 import chalk from 'chalk';
 import ora from 'ora';
 import pkg from 'write-file-atomic';
@@ -270,6 +270,11 @@ function createBackupDir(rootPath) {
 function backupFile(filePath, backupDir, rootPath) {
   const rel = path.relative(rootPath, filePath);
   const dest = path.join(backupDir, rel);
+  const resolvedDest = path.resolve(dest);
+  const resolvedBackupDir = path.resolve(backupDir);
+  if (!resolvedDest.startsWith(resolvedBackupDir + path.sep) && resolvedDest !== resolvedBackupDir) {
+    throw new Error(`Path traversal detected: ${rel} escapes backup directory`);
+  }
   fs.mkdirSync(path.dirname(dest), { recursive: true });
   fs.copyFileSync(filePath, dest);
 }
@@ -414,8 +419,7 @@ function checkPublicRepo(rootPath) {
 function stageFiles(files, rootPath) {
   if (files.length === 0) return;
   try {
-    const quoted = files.map(f => `"${f}"`).join(' ');
-    execSync(`git add ${quoted}`, { cwd: rootPath, stdio: 'inherit' }); // ship-safe-ignore — paths come from our own file scan
+    execFileSync('git', ['add', ...files], { cwd: rootPath, stdio: 'inherit' });
     output.success(`Staged ${files.length} file(s) with git add`);
   } catch {
     output.warning('Could not stage files — run git add manually.');

package/cli/commands/scan.js

@@ -30,10 +30,12 @@ import {
   SKIP_DIRS,
   SKIP_EXTENSIONS,
   TEST_FILE_PATTERNS,
-  MAX_FILE_SIZE
+  MAX_FILE_SIZE,
+  loadGitignorePatterns
 } from '../utils/patterns.js';
 import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
 import * as output from '../utils/output.js';
+import { CacheManager } from '../utils/cache-manager.js';
 
 // =============================================================================
 // CUSTOM PATTERNS (.ship-safe.json)
@@ -110,13 +112,49 @@ export async function scanCommand(targetPath = '.', options = {}) {
   try {
     // Find all files
     const files = await findFiles(absolutePath, ignorePatterns, options);
-    spinner.text = `Scanning ${files.length} files...`;
+
+    // Cache: determine which files changed
+    const useCache = options.cache !== false;
+    const cache = new CacheManager(absolutePath);
+    const cacheData = useCache ? cache.load() : null;
+    let filesToScan = files;
+    let cacheDiff = null;
+    const cachedResults = [];
+
+    if (cacheData) {
+      cacheDiff = cache.diff(files);
+      filesToScan = cacheDiff.changedFiles;
+
+      // Group cached findings by file
+      const cachedByFile = {};
+      for (const f of cacheDiff.cachedFindings) {
+        if (!cachedByFile[f.file]) cachedByFile[f.file] = [];
+        cachedByFile[f.file].push({
+          line: f.line,
+          column: f.column,
+          matched: f.matched,
+          patternName: f.rule || f.title,
+          severity: f.severity,
+          confidence: f.confidence,
+          description: f.description,
+          category: f.category,
+        });
+      }
+      for (const [file, findings] of Object.entries(cachedByFile)) {
+        cachedResults.push({ file, findings });
+      }
+    }
+
+    const cacheNote = cacheDiff && filesToScan.length < files.length
+      ? ` (${filesToScan.length} changed, ${cacheDiff.unchangedCount} cached)`
+      : '';
+    spinner.text = `Scanning ${filesToScan.length} files${cacheNote}...`;
 
     // Scan each file
     const results = [];
     let scannedCount = 0;
 
-    for (const file of files) {
+    for (const file of filesToScan) {
       const findings = await scanFile(file, allPatterns);
       if (findings.length > 0) {
         results.push({ file, findings });
@@ -124,7 +162,36 @@ export async function scanCommand(targetPath = '.', options = {}) {
 
       scannedCount++;
       if (options.verbose) {
-        spinner.text = `Scanned ${scannedCount}/${files.length}: ${path.relative(absolutePath, file)}`;
+        spinner.text = `Scanned ${scannedCount}/${filesToScan.length}: ${path.relative(absolutePath, file)}`;
+      }
+    }
+
+    // Merge with cached results
+    const allResults = [...results, ...cachedResults];
+
+    // Save cache
+    if (useCache) {
+      try {
+        const allFindings = [];
+        for (const { file, findings } of allResults) {
+          for (const f of findings) {
+            allFindings.push({
+              file,
+              line: f.line,
+              column: f.column,
+              severity: f.severity,
+              category: f.category || 'secrets',
+              rule: f.patternName,
+              title: f.patternName,
+              description: f.description,
+              matched: f.matched,
+              confidence: f.confidence,
+            });
+          }
+        }
+        cache.save(files, allFindings, null, null);
+      } catch {
+        // Silent
       }
     }
 
@@ -132,15 +199,15 @@ export async function scanCommand(targetPath = '.', options = {}) {
 
     // Output results
     if (options.sarif) {
-      outputSARIF(results, absolutePath);
+      outputSARIF(allResults, absolutePath);
     } else if (options.json) {
-      outputJSON(results, files.length);
+      outputJSON(allResults, files.length);
     } else {
-      outputPretty(results, files.length, absolutePath);
+      outputPretty(allResults, files.length, absolutePath);
     }
 
     // Exit with appropriate code
-    const hasFindings = results.length > 0;
+    const hasFindings = allResults.length > 0;
     process.exit(hasFindings ? 1 : 0);
 
   } catch (err) {
@@ -204,6 +271,10 @@ async function findFiles(rootPath, ignorePatterns, options = {}) {
   // Build ignore patterns from SKIP_DIRS
   const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
 
+  // Respect .gitignore patterns
+  const gitignoreGlobs = loadGitignorePatterns(rootPath);
+  globIgnore.push(...gitignoreGlobs);
+
   // Find all files
   const files = await fg('**/*', {
     cwd: rootPath,

package/cli/index.js

@@ -1,50 +1,56 @@
-/**
- * Ship Safe CLI - Module Entry Point
- * ===================================
- *
- * This file exports the CLI commands and agents for programmatic use.
- * For normal CLI usage, run: npx ship-safe
- */
-
-// ── Core Commands ─────────────────────────────────────────────────────────────
-export { scanCommand } from './commands/scan.js';
-export { checklistCommand } from './commands/checklist.js';
-export { initCommand } from './commands/init.js';
-export { agentCommand } from './commands/agent.js';
-export { depsCommand, runDepsAudit } from './commands/deps.js';
-export { scoreCommand } from './commands/score.js';
-
-// ── v4.0 Commands ─────────────────────────────────────────────────────────────
-export { auditCommand } from './commands/audit.js';
-export { redTeamCommand } from './commands/red-team.js';
-export { watchCommand } from './commands/watch.js';
-
-// ── Patterns ──────────────────────────────────────────────────────────────────
-export { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';
-
-// ── Agent Framework ───────────────────────────────────────────────────────────
-export { BaseAgent, createFinding } from './agents/base-agent.js';
-export { Orchestrator } from './agents/orchestrator.js';
-export { buildOrchestrator } from './agents/index.js';
-
-// ── Individual Agents ─────────────────────────────────────────────────────────
-export { ReconAgent } from './agents/recon-agent.js';
-export { InjectionTester } from './agents/injection-tester.js';
-export { AuthBypassAgent } from './agents/auth-bypass-agent.js';
-export { SSRFProber } from './agents/ssrf-prober.js';
-export { SupplyChainAudit } from './agents/supply-chain-agent.js';
-export { ConfigAuditor } from './agents/config-auditor.js';
-export { LLMRedTeam } from './agents/llm-redteam.js';
-export { MobileScanner } from './agents/mobile-scanner.js';
-export { GitHistoryScanner } from './agents/git-history-scanner.js';
-export { CICDScanner } from './agents/cicd-scanner.js';
-export { APIFuzzer } from './agents/api-fuzzer.js';
-
-// ── Supporting Modules ────────────────────────────────────────────────────────
-export { ScoringEngine, GRADES, CATEGORIES } from './agents/scoring-engine.js';
-export { SBOMGenerator } from './agents/sbom-generator.js';
-export { PolicyEngine } from './agents/policy-engine.js';
-export { HTMLReporter } from './agents/html-reporter.js';
-
-// ── LLM Providers ─────────────────────────────────────────────────────────────
-export { createProvider, autoDetectProvider } from './providers/llm-provider.js';
+/**
+ * Ship Safe CLI - Module Entry Point
+ * ===================================
+ *
+ * This file exports the CLI commands and agents for programmatic use.
+ * For normal CLI usage, run: npx ship-safe
+ */
+
+// ── Core Commands ─────────────────────────────────────────────────────────────
+export { scanCommand } from './commands/scan.js';
+export { checklistCommand } from './commands/checklist.js';
+export { initCommand } from './commands/init.js';
+export { agentCommand } from './commands/agent.js';
+export { depsCommand, runDepsAudit } from './commands/deps.js';
+export { scoreCommand } from './commands/score.js';
+
+// ── v4.0 Commands ─────────────────────────────────────────────────────────────
+export { auditCommand } from './commands/audit.js';
+export { redTeamCommand } from './commands/red-team.js';
+export { watchCommand } from './commands/watch.js';
+
+// ── v4.2 Commands ─────────────────────────────────────────────────────────────
+export { doctorCommand } from './commands/doctor.js';
+
+// ── Patterns ──────────────────────────────────────────────────────────────────
+export { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';
+
+// ── Agent Framework ───────────────────────────────────────────────────────────
+export { BaseAgent, createFinding } from './agents/base-agent.js';
+export { Orchestrator } from './agents/orchestrator.js';
+export { buildOrchestrator } from './agents/index.js';
+
+// ── Individual Agents ─────────────────────────────────────────────────────────
+export { ReconAgent } from './agents/recon-agent.js';
+export { InjectionTester } from './agents/injection-tester.js';
+export { AuthBypassAgent } from './agents/auth-bypass-agent.js';
+export { SSRFProber } from './agents/ssrf-prober.js';
+export { SupplyChainAudit } from './agents/supply-chain-agent.js';
+export { ConfigAuditor } from './agents/config-auditor.js';
+export { LLMRedTeam } from './agents/llm-redteam.js';
+export { MobileScanner } from './agents/mobile-scanner.js';
+export { GitHistoryScanner } from './agents/git-history-scanner.js';
+export { CICDScanner } from './agents/cicd-scanner.js';
+export { APIFuzzer } from './agents/api-fuzzer.js';
+
+// ── Supporting Modules ────────────────────────────────────────────────────────
+export { ScoringEngine, GRADES, CATEGORIES } from './agents/scoring-engine.js';
+export { SBOMGenerator } from './agents/sbom-generator.js';
+export { PolicyEngine } from './agents/policy-engine.js';
+export { HTMLReporter } from './agents/html-reporter.js';
+
+// ── Caching ──────────────────────────────────────────────────────────────────
+export { CacheManager } from './utils/cache-manager.js';
+
+// ── LLM Providers ─────────────────────────────────────────────────────────────
+export { createProvider, autoDetectProvider } from './providers/llm-provider.js';