ship-safe 4.1.0 → 4.3.0

package/cli/commands/baseline.js

@@ -0,0 +1,192 @@
+/**
+ * Baseline Command
+ * =================
+ *
+ * Accept current findings as a baseline and only report new findings
+ * on subsequent scans. This is how teams adopt security scanners:
+ * baseline existing debt, focus on not making it worse.
+ *
+ * USAGE:
+ *   ship-safe baseline .          Create a new baseline from current scan
+ *   ship-safe baseline . --diff   Show what changed since baseline
+ *   ship-safe baseline . --clear  Remove the baseline
+ */
+
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import ora from 'ora';
+import { buildOrchestrator } from '../agents/index.js';
+import { SECRET_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS, MAX_FILE_SIZE } from '../utils/patterns.js';
+import { isHighEntropyMatch } from '../utils/entropy.js';
+import fg from 'fast-glob';
+
+const BASELINE_FILE = '.ship-safe/baseline.json';
+
+/**
+ * Generate a fingerprint for a finding that survives line-number shifts.
+ * Uses rule + relative file path + first 40 chars of matched text.
+ */
+function fingerprint(finding, rootPath) {
+  const relFile = path.relative(rootPath, finding.file || '').replace(/\\/g, '/');
+  const matched = (finding.matched || '').slice(0, 40);
+  return `${finding.rule}:${relFile}:${matched}`;
+}
+
+/**
+ * Quick secret scan (same as audit Phase 1) to get current findings.
+ */
+async function quickScan(rootPath) {
+  const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
+  const files = await fg('**/*', {
+    cwd: rootPath, absolute: true, onlyFiles: true, ignore: globIgnore, dot: true,
+  });
+
+  const filtered = files.filter(f => {
+    const ext = path.extname(f).toLowerCase();
+    if (SKIP_EXTENSIONS.has(ext)) return false;
+    try { return fs.statSync(f).size <= MAX_FILE_SIZE; } catch { return false; }
+  });
+
+  const findings = [];
+  for (const file of filtered) {
+    try {
+      const content = fs.readFileSync(file, 'utf-8');
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (/ship-safe-ignore/i.test(lines[i])) continue;
+        for (const p of SECRET_PATTERNS) {
+          p.pattern.lastIndex = 0;
+          let m;
+          while ((m = p.pattern.exec(lines[i])) !== null) {
+            if (p.requiresEntropyCheck && !isHighEntropyMatch(m[0])) continue;
+            findings.push({ file, line: i + 1, rule: p.name, matched: m[0], severity: p.severity });
+          }
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  return { findings, files: filtered };
+}
+
+/**
+ * Run agents and combine with secret scan findings.
+ */
+async function fullScan(rootPath) {
+  const { findings: secretFindings, files } = await quickScan(rootPath);
+
+  const orchestrator = buildOrchestrator();
+  const { findings: agentFindings } = await orchestrator.runAll(rootPath, { quiet: true });
+
+  return [...secretFindings, ...agentFindings];
+}
+
+/**
+ * Load existing baseline from disk.
+ */
+function loadBaseline(rootPath) {
+  const baselinePath = path.join(rootPath, BASELINE_FILE);
+  if (!fs.existsSync(baselinePath)) return null;
+  try {
+    return JSON.parse(fs.readFileSync(baselinePath, 'utf-8'));
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Save baseline to disk.
+ */
+function saveBaseline(rootPath, fingerprints, findingCount) {
+  const baselinePath = path.join(rootPath, BASELINE_FILE);
+  const dir = path.dirname(baselinePath);
+  if (!fs.existsSync(dir)) fs.mkdirSync(dir, { recursive: true });
+
+  const baseline = {
+    version: '4.3.0',
+    createdAt: new Date().toISOString(),
+    fingerprints,
+    findingCount,
+  };
+
+  fs.writeFileSync(baselinePath, JSON.stringify(baseline, null, 2));
+  return baseline;
+}
+
+/**
+ * Filter out baselined findings. Returns only new findings.
+ */
+export function filterBaseline(findings, rootPath) {
+  const baseline = loadBaseline(rootPath);
+  if (!baseline) return findings;
+
+  const baseSet = new Set(baseline.fingerprints);
+  return findings.filter(f => !baseSet.has(fingerprint(f, rootPath)));
+}
+
+/**
+ * Main baseline command.
+ */
+export async function baselineCommand(targetPath = '.', options = {}) {
+  const rootPath = path.resolve(targetPath);
+
+  if (options.clear) {
+    const baselinePath = path.join(rootPath, BASELINE_FILE);
+    if (fs.existsSync(baselinePath)) {
+      fs.unlinkSync(baselinePath);
+      console.log(chalk.green('  Baseline removed.'));
+    } else {
+      console.log(chalk.gray('  No baseline found.'));
+    }
+    return;
+  }
+
+  if (options.diff) {
+    const baseline = loadBaseline(rootPath);
+    if (!baseline) {
+      console.log(chalk.yellow('  No baseline found. Run `ship-safe baseline .` first.'));
+      return;
+    }
+
+    const spinner = ora({ text: 'Scanning for comparison...', color: 'cyan' }).start();
+    const findings = await fullScan(rootPath);
+    spinner.stop();
+
+    const currentFingerprints = new Set(findings.map(f => fingerprint(f, rootPath)));
+    const baseSet = new Set(baseline.fingerprints);
+
+    const newFindings = findings.filter(f => !baseSet.has(fingerprint(f, rootPath)));
+    const resolvedCount = baseline.fingerprints.filter(fp => !currentFingerprints.has(fp)).length;
+
+    console.log(chalk.cyan.bold('\n  Baseline Comparison'));
+    console.log(chalk.gray(`  Baseline: ${baseline.findingCount} findings (${baseline.createdAt.slice(0, 10)})`));
+    console.log(chalk.gray(`  Current:  ${findings.length} findings`));
+    console.log();
+    if (newFindings.length > 0) {
+      console.log(chalk.red(`  + ${newFindings.length} new finding(s)`));
+    }
+    if (resolvedCount > 0) {
+      console.log(chalk.green(`  - ${resolvedCount} resolved finding(s)`));
+    }
+    if (newFindings.length === 0 && resolvedCount === 0) {
+      console.log(chalk.green('  No changes since baseline.'));
+    }
+    return;
+  }
+
+  // Default: create/update baseline
+  const spinner = ora({ text: 'Running full scan for baseline...', color: 'cyan' }).start();
+  const findings = await fullScan(rootPath);
+  spinner.stop();
+
+  const fingerprints = [...new Set(findings.map(f => fingerprint(f, rootPath)))];
+  const baseline = saveBaseline(rootPath, fingerprints, findings.length);
+
+  console.log(chalk.green.bold('\n  Baseline created'));
+  console.log(chalk.gray(`  Findings baselined: ${findings.length}`));
+  console.log(chalk.gray(`  Unique fingerprints: ${fingerprints.length}`));
+  console.log(chalk.gray(`  Saved to: ${BASELINE_FILE}`));
+  console.log();
+  console.log(chalk.gray('  Run `ship-safe audit . --baseline` to only see new findings.'));
+}

package/cli/commands/doctor.js

@@ -0,0 +1,149 @@
+/**
+ * Doctor Command — Environment Diagnostics
+ * ==========================================
+ *
+ * Checks Node.js version, git, npm, API keys, ignore files,
+ * cache directory, and package version.
+ *
+ * USAGE:
+ *   npx ship-safe doctor
+ */
+
+import { execFileSync } from 'child_process';
+import fs from 'fs';
+import path from 'path';
+import chalk from 'chalk';
+import { readFileSync } from 'fs';
+import { fileURLToPath } from 'url';
+import { dirname, join } from 'path';
+
+const __filename = fileURLToPath(import.meta.url);
+const __dirname = dirname(__filename);
+const PACKAGE_VERSION = JSON.parse(readFileSync(join(__dirname, '../../package.json'), 'utf8')).version;
+
+export async function doctorCommand() {
+  console.log();
+  console.log(chalk.cyan.bold('  Ship Safe Doctor'));
+  console.log(chalk.gray('  ' + '─'.repeat(50)));
+  console.log();
+
+  let allGood = true;
+
+  // 1. Node.js version
+  const nodeVersion = process.version;
+  const nodeMajor = parseInt(nodeVersion.slice(1), 10);
+  if (nodeMajor >= 18) {
+    pass(`Node.js ${nodeVersion} (requires ≥18)`);
+  } else {
+    fail(`Node.js ${nodeVersion} — requires ≥18`);
+    allGood = false;
+  }
+
+  // 2. Git
+  try {
+    const gitVersion = execFileSync('git', ['--version'], { encoding: 'utf-8' }).trim();
+    pass(gitVersion.replace('git version ', 'git v'));
+  } catch {
+    fail('git not found (needed for guard, git-history-scanner)');
+    allGood = false;
+  }
+
+  // 3. Package manager
+  const managers = ['npm', 'yarn', 'pnpm'];
+  let foundPm = false;
+  for (const pm of managers) {
+    try {
+      const ver = execFileSync(pm, ['--version'], { encoding: 'utf-8', shell: true }).trim();
+      pass(`${pm} v${ver}`);
+      foundPm = true;
+      break;
+    } catch { /* try next */ }
+  }
+  if (!foundPm) {
+    fail('No package manager found (npm/yarn/pnpm)');
+    allGood = false;
+  }
+
+  // 4. API keys
+  const apiKeys = [
+    { name: 'Anthropic API key', env: 'ANTHROPIC_API_KEY', required: false },
+    { name: 'OpenAI API key', env: 'OPENAI_API_KEY', required: false },
+    { name: 'Google AI API key', env: 'GOOGLE_API_KEY', required: false },
+  ];
+  for (const key of apiKeys) {
+    if (process.env[key.env]) {
+      pass(`${key.name} configured`);
+    } else {
+      info(`${key.name} not set (optional — for AI classification)`);
+    }
+  }
+
+  // 5. .ship-safeignore
+  const cwd = process.cwd();
+  const ignorePath = path.join(cwd, '.ship-safeignore');
+  if (fs.existsSync(ignorePath)) {
+    try {
+      const patterns = fs.readFileSync(ignorePath, 'utf-8')
+        .split('\n').filter(l => l.trim() && !l.startsWith('#')).length;
+      pass(`.ship-safeignore found (${patterns} patterns)`);
+    } catch {
+      pass('.ship-safeignore found');
+    }
+  } else {
+    info('.ship-safeignore not found (run: ship-safe init)');
+  }
+
+  // 6. Cache directory
+  const cacheDir = path.join(cwd, '.ship-safe');
+  if (fs.existsSync(cacheDir)) {
+    try {
+      const testFile = path.join(cacheDir, '.doctor-test');
+      fs.writeFileSync(testFile, 'test');
+      fs.unlinkSync(testFile);
+      pass('Cache directory writable');
+    } catch {
+      fail('Cache directory not writable');
+      allGood = false;
+    }
+  } else {
+    info('Cache directory does not exist yet (created on first scan)');
+  }
+
+  // 7. Version check
+  pass(`ship-safe v${PACKAGE_VERSION}`);
+  try {
+    const latest = execFileSync('npm', ['view', 'ship-safe', 'version'], {
+      encoding: 'utf-8', timeout: 5000, shell: true,
+    }).trim();
+    if (latest && latest !== PACKAGE_VERSION) {
+      const msg = ['v', latest, ' available (current: v', PACKAGE_VERSION, ')'].join('');
+      info(msg);
+    } else if (latest) {
+      pass('Up to date');
+    }
+  } catch {
+    // Skip version check if npm view fails
+  }
+
+  console.log();
+  if (allGood) {
+    console.log(chalk.green.bold('  All checks passed!'));
+  } else {
+    console.log(chalk.yellow.bold('  Some checks failed. See above for details.'));
+  }
+  console.log();
+}
+
+function pass(msg) {
+  console.log(chalk.green('  ✔ ') + chalk.white(msg));
+}
+
+function fail(msg) {
+  console.log(chalk.red('  ✗ ') + chalk.red(msg));
+}
+
+function info(msg) {
+  console.log(chalk.gray('  ○ ') + chalk.gray(msg));
+}
+
+export default doctorCommand;

package/cli/commands/remediate.js

@@ -34,7 +34,7 @@ import fs from 'fs';
 import path from 'path';
 import os from 'os';
 import { createInterface } from 'readline';
-import { execSync } from 'child_process';
+import { execSync, execFileSync } from 'child_process';
 import chalk from 'chalk';
 import ora from 'ora';
 import pkg from 'write-file-atomic';
@@ -270,6 +270,11 @@ function createBackupDir(rootPath) {
 function backupFile(filePath, backupDir, rootPath) {
   const rel = path.relative(rootPath, filePath);
   const dest = path.join(backupDir, rel);
+  const resolvedDest = path.resolve(dest);
+  const resolvedBackupDir = path.resolve(backupDir);
+  if (!resolvedDest.startsWith(resolvedBackupDir + path.sep) && resolvedDest !== resolvedBackupDir) {
+    throw new Error(`Path traversal detected: ${rel} escapes backup directory`);
+  }
   fs.mkdirSync(path.dirname(dest), { recursive: true });
   fs.copyFileSync(filePath, dest);
 }
@@ -414,8 +419,7 @@ function checkPublicRepo(rootPath) {
 function stageFiles(files, rootPath) {
   if (files.length === 0) return;
   try {
-    const quoted = files.map(f => `"${f}"`).join(' ');
-    execSync(`git add ${quoted}`, { cwd: rootPath, stdio: 'inherit' }); // ship-safe-ignore — paths come from our own file scan
+    execFileSync('git', ['add', ...files], { cwd: rootPath, stdio: 'inherit' });
     output.success(`Staged ${files.length} file(s) with git add`);
   } catch {
     output.warning('Could not stage files — run git add manually.');

package/cli/index.js

@@ -1,53 +1,60 @@
-/**
- * Ship Safe CLI - Module Entry Point
- * ===================================
- *
- * This file exports the CLI commands and agents for programmatic use.
- * For normal CLI usage, run: npx ship-safe
- */
-
-// ── Core Commands ─────────────────────────────────────────────────────────────
-export { scanCommand } from './commands/scan.js';
-export { checklistCommand } from './commands/checklist.js';
-export { initCommand } from './commands/init.js';
-export { agentCommand } from './commands/agent.js';
-export { depsCommand, runDepsAudit } from './commands/deps.js';
-export { scoreCommand } from './commands/score.js';
-
-// ── v4.0 Commands ─────────────────────────────────────────────────────────────
-export { auditCommand } from './commands/audit.js';
-export { redTeamCommand } from './commands/red-team.js';
-export { watchCommand } from './commands/watch.js';
-
-// ── Patterns ──────────────────────────────────────────────────────────────────
-export { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';
-
-// ── Agent Framework ───────────────────────────────────────────────────────────
-export { BaseAgent, createFinding } from './agents/base-agent.js';
-export { Orchestrator } from './agents/orchestrator.js';
-export { buildOrchestrator } from './agents/index.js';
-
-// ── Individual Agents ─────────────────────────────────────────────────────────
-export { ReconAgent } from './agents/recon-agent.js';
-export { InjectionTester } from './agents/injection-tester.js';
-export { AuthBypassAgent } from './agents/auth-bypass-agent.js';
-export { SSRFProber } from './agents/ssrf-prober.js';
-export { SupplyChainAudit } from './agents/supply-chain-agent.js';
-export { ConfigAuditor } from './agents/config-auditor.js';
-export { LLMRedTeam } from './agents/llm-redteam.js';
-export { MobileScanner } from './agents/mobile-scanner.js';
-export { GitHistoryScanner } from './agents/git-history-scanner.js';
-export { CICDScanner } from './agents/cicd-scanner.js';
-export { APIFuzzer } from './agents/api-fuzzer.js';
-
-// ── Supporting Modules ────────────────────────────────────────────────────────
-export { ScoringEngine, GRADES, CATEGORIES } from './agents/scoring-engine.js';
-export { SBOMGenerator } from './agents/sbom-generator.js';
-export { PolicyEngine } from './agents/policy-engine.js';
-export { HTMLReporter } from './agents/html-reporter.js';
-
-// ── Caching ──────────────────────────────────────────────────────────────────
-export { CacheManager } from './utils/cache-manager.js';
-
-// ── LLM Providers ─────────────────────────────────────────────────────────────
-export { createProvider, autoDetectProvider } from './providers/llm-provider.js';
+/**
+ * Ship Safe CLI - Module Entry Point
+ * ===================================
+ *
+ * This file exports the CLI commands and agents for programmatic use.
+ * For normal CLI usage, run: npx ship-safe
+ */
+
+// ── Core Commands ─────────────────────────────────────────────────────────────
+export { scanCommand } from './commands/scan.js';
+export { checklistCommand } from './commands/checklist.js';
+export { initCommand } from './commands/init.js';
+export { agentCommand } from './commands/agent.js';
+export { depsCommand, runDepsAudit } from './commands/deps.js';
+export { scoreCommand } from './commands/score.js';
+
+// ── v4.0 Commands ─────────────────────────────────────────────────────────────
+export { auditCommand } from './commands/audit.js';
+export { redTeamCommand } from './commands/red-team.js';
+export { watchCommand } from './commands/watch.js';
+
+// ── v4.2 Commands ─────────────────────────────────────────────────────────────
+export { doctorCommand } from './commands/doctor.js';
+
+// ── v4.3 Commands ─────────────────────────────────────────────────────────────
+export { baselineCommand } from './commands/baseline.js';
+
+// ── Patterns ──────────────────────────────────────────────────────────────────
+export { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';
+
+// ── Agent Framework ───────────────────────────────────────────────────────────
+export { BaseAgent, createFinding } from './agents/base-agent.js';
+export { Orchestrator } from './agents/orchestrator.js';
+export { buildOrchestrator } from './agents/index.js';
+
+// ── Individual Agents ─────────────────────────────────────────────────────────
+export { ReconAgent } from './agents/recon-agent.js';
+export { InjectionTester } from './agents/injection-tester.js';
+export { AuthBypassAgent } from './agents/auth-bypass-agent.js';
+export { SSRFProber } from './agents/ssrf-prober.js';
+export { SupplyChainAudit } from './agents/supply-chain-agent.js';
+export { ConfigAuditor } from './agents/config-auditor.js';
+export { LLMRedTeam } from './agents/llm-redteam.js';
+export { MobileScanner } from './agents/mobile-scanner.js';
+export { GitHistoryScanner } from './agents/git-history-scanner.js';
+export { CICDScanner } from './agents/cicd-scanner.js';
+export { APIFuzzer } from './agents/api-fuzzer.js';
+export { SupabaseRLSAgent } from './agents/supabase-rls-agent.js';
+
+// ── Supporting Modules ────────────────────────────────────────────────────────
+export { ScoringEngine, GRADES, CATEGORIES } from './agents/scoring-engine.js';
+export { SBOMGenerator } from './agents/sbom-generator.js';
+export { PolicyEngine } from './agents/policy-engine.js';
+export { HTMLReporter } from './agents/html-reporter.js';
+
+// ── Caching ──────────────────────────────────────────────────────────────────
+export { CacheManager } from './utils/cache-manager.js';
+
+// ── LLM Providers ─────────────────────────────────────────────────────────────
+export { createProvider, autoDetectProvider } from './providers/llm-provider.js';