ship-safe 4.2.0 → 5.0.0

package/cli/commands/ci.js

@@ -0,0 +1,260 @@
+/**
+ * CI Command — Optimized for CI/CD Pipelines
+ * =============================================
+ *
+ * Single command for CI pipelines with:
+ *   - Exit code 1 if score < threshold (default 75)
+ *   - SARIF output for GitHub Code Scanning upload
+ *   - JSON output for custom integrations
+ *   - Compact summary for CI logs
+ *   - --fail-on flag for severity-based gating
+ *
+ * USAGE:
+ *   npx ship-safe ci .                         Default: fail if score < 75
+ *   npx ship-safe ci . --threshold 60          Custom score threshold
+ *   npx ship-safe ci . --fail-on critical      Only fail on critical findings
+ *   npx ship-safe ci . --sarif results.sarif   SARIF for GitHub Code Scanning
+ *   npx ship-safe ci . --baseline              Only check new findings
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { buildOrchestrator } from '../agents/index.js';
+import { ScoringEngine } from '../agents/scoring-engine.js';
+import { PolicyEngine } from '../agents/policy-engine.js';
+import { runDepsAudit } from './deps.js';
+import { filterBaseline } from './baseline.js';
+import {
+  SECRET_PATTERNS,
+  SKIP_DIRS,
+  SKIP_EXTENSIONS,
+  MAX_FILE_SIZE,
+  loadGitignorePatterns
+} from '../utils/patterns.js';
+import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
+import fg from 'fast-glob';
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function ciCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+  const threshold = options.threshold || 75;
+  const failOn = options.failOn || null;
+  const sarifPath = options.sarif || null;
+
+  if (!fs.existsSync(absolutePath)) {
+    console.error(`[ship-safe] Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+
+  const startTime = Date.now();
+
+  // ── Secret Scan ──────────────────────────────────────────────────────────
+  const allFiles = await findFiles(absolutePath);
+  const secretFindings = [];
+
+  for (const file of allFiles) {
+    try {
+      const content = fs.readFileSync(file, 'utf-8');
+      const lines = content.split('\n');
+      for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        if (/ship-safe-ignore/i.test(line)) continue;
+        for (const pattern of SECRET_PATTERNS) {
+          pattern.pattern.lastIndex = 0;
+          let match;
+          while ((match = pattern.pattern.exec(line)) !== null) {
+            if (pattern.requiresEntropyCheck && !isHighEntropyMatch(match[0])) continue;
+            secretFindings.push({
+              file, line: lineNum + 1, column: match.index + 1,
+              matched: match[0], severity: pattern.severity,
+              category: pattern.category || 'secrets',
+              rule: pattern.name, title: pattern.name.replace(/_/g, ' '),
+              description: pattern.description,
+              confidence: getConfidence(pattern, match[0]),
+              fix: 'Move to environment variable or secrets manager',
+            });
+          }
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // ── Agent Scan ───────────────────────────────────────────────────────────
+  const orchestrator = buildOrchestrator();
+  const results = await orchestrator.runAll(absolutePath, { quiet: true });
+  const agentFindings = results.findings;
+
+  // ── Dependency Audit ─────────────────────────────────────────────────────
+  let depVulns = [];
+  if (options.deps !== false) {
+    try {
+      const depResult = await runDepsAudit(absolutePath);
+      depVulns = depResult.vulns || [];
+    } catch { /* skip */ }
+  }
+
+  // ── Merge & Deduplicate ──────────────────────────────────────────────────
+  const seen = new Set();
+  let allFindings = [...secretFindings, ...agentFindings].filter(f => {
+    const key = `${f.file}:${f.line}:${f.rule}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+
+  // Apply policy
+  const policy = PolicyEngine.load(absolutePath);
+  allFindings = policy.applyPolicy(allFindings);
+
+  // Apply baseline filter
+  if (options.baseline) {
+    allFindings = filterBaseline(allFindings, absolutePath);
+  }
+
+  // ── Score ────────────────────────────────────────────────────────────────
+  const scoringEngine = new ScoringEngine();
+  const scoreResult = scoringEngine.compute(allFindings, depVulns);
+  scoringEngine.saveToHistory(absolutePath, scoreResult);
+
+  const duration = ((Date.now() - startTime) / 1000).toFixed(1);
+
+  // ── SARIF Output ─────────────────────────────────────────────────────────
+  if (sarifPath) {
+    const sarif = buildSARIF(allFindings, absolutePath);
+    fs.writeFileSync(sarifPath, JSON.stringify(sarif, null, 2));
+  }
+
+  // ── JSON Output ──────────────────────────────────────────────────────────
+  if (options.json) {
+    console.log(JSON.stringify({
+      score: scoreResult.score,
+      grade: scoreResult.grade.letter,
+      totalFindings: allFindings.length,
+      totalDepVulns: depVulns.length,
+      critical: allFindings.filter(f => f.severity === 'critical').length,
+      high: allFindings.filter(f => f.severity === 'high').length,
+      medium: allFindings.filter(f => f.severity === 'medium').length,
+      low: allFindings.filter(f => f.severity === 'low').length,
+      threshold,
+      pass: determinePass(scoreResult, allFindings, threshold, failOn),
+      duration: `${duration}s`,
+    }, null, 2));
+  } else {
+    // ── Compact CI Summary ───────────────────────────────────────────────
+    const critical = allFindings.filter(f => f.severity === 'critical').length;
+    const high = allFindings.filter(f => f.severity === 'high').length;
+    const medium = allFindings.filter(f => f.severity === 'medium').length;
+
+    console.log(`[ship-safe] Score: ${scoreResult.score}/100 (${scoreResult.grade.letter}) | Findings: ${allFindings.length} (${critical}C ${high}H ${medium}M) | CVEs: ${depVulns.length} | ${duration}s`);
+
+    if (critical > 0) {
+      console.log(`[ship-safe] Critical findings:`);
+      for (const f of allFindings.filter(f => f.severity === 'critical').slice(0, 5)) {
+        const rel = path.relative(absolutePath, f.file).replace(/\\/g, '/');
+        console.log(`  - ${f.rule} at ${rel}:${f.line}`);
+      }
+    }
+
+    if (sarifPath) {
+      console.log(`[ship-safe] SARIF: ${sarifPath}`);
+    }
+  }
+
+  // ── Exit Code ────────────────────────────────────────────────────────────
+  const pass = determinePass(scoreResult, allFindings, threshold, failOn);
+  if (!pass) {
+    if (!options.json) {
+      if (failOn) {
+        console.log(`[ship-safe] FAIL: Found ${failOn}-severity findings`);
+      } else {
+        console.log(`[ship-safe] FAIL: Score ${scoreResult.score} < threshold ${threshold}`);
+      }
+    }
+    process.exit(1);
+  } else {
+    if (!options.json) {
+      console.log(`[ship-safe] PASS`);
+    }
+    process.exit(0);
+  }
+}
+
+// =============================================================================
+// HELPERS
+// =============================================================================
+
+function determinePass(scoreResult, findings, threshold, failOn) {
+  if (failOn) {
+    const sevOrder = ['critical', 'high', 'medium', 'low'];
+    const failIndex = sevOrder.indexOf(failOn);
+    if (failIndex === -1) return scoreResult.score >= threshold;
+    const blockingSevs = sevOrder.slice(0, failIndex + 1);
+    return !findings.some(f => blockingSevs.includes(f.severity));
+  }
+  return scoreResult.score >= threshold;
+}
+
+function buildSARIF(findings, rootPath) {
+  const rules = {};
+  for (const f of findings) {
+    if (!rules[f.rule]) {
+      rules[f.rule] = {
+        id: f.rule, name: f.title || f.rule,
+        shortDescription: { text: f.title || f.rule },
+        fullDescription: { text: f.description || '' },
+        defaultConfiguration: {
+          level: ['critical', 'high'].includes(f.severity) ? 'error' : 'warning',
+        },
+      };
+    }
+  }
+
+  return {
+    version: '2.1.0',
+    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'ship-safe', version: '5.0.0',
+          informationUri: 'https://github.com/asamassekou10/ship-safe',
+          rules: Object.values(rules),
+        },
+      },
+      results: findings.map(f => ({
+        ruleId: f.rule,
+        level: ['critical', 'high'].includes(f.severity) ? 'error' : 'warning',
+        message: { text: `${f.title}: ${f.description}` },
+        locations: [{
+          physicalLocation: {
+            artifactLocation: {
+              uri: path.relative(rootPath, f.file).replace(/\\/g, '/'),
+              uriBaseId: '%SRCROOT%',
+            },
+            region: { startLine: f.line, startColumn: f.column || 1 },
+          },
+        }],
+      })),
+    }],
+  };
+}
+
+async function findFiles(rootPath) {
+  const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
+  const gitignoreGlobs = loadGitignorePatterns(rootPath);
+  globIgnore.push(...gitignoreGlobs);
+
+  const files = await fg('**/*', {
+    cwd: rootPath, absolute: true, onlyFiles: true, ignore: globIgnore, dot: true,
+  });
+
+  return files.filter(file => {
+    const ext = path.extname(file).toLowerCase();
+    if (SKIP_EXTENSIONS.has(ext)) return false;
+    if (path.basename(file).endsWith('.min.js') || path.basename(file).endsWith('.min.css')) return false;
+    try { if (fs.statSync(file).size > MAX_FILE_SIZE) return false; } catch { return false; }
+    return true;
+  });
+}

package/cli/commands/red-team.js

@@ -45,10 +45,16 @@ export async function redTeamCommand(targetPath = '.', options = {}) {
     ? options.agents.split(',').map(a => a.trim())
     : null;
 
-  const results = await orchestrator.runAll(absolutePath, {
+  const orchestratorOpts = {
     verbose: options.verbose,
     agents: agentFilter,
-  });
+  };
+  if (options.deep) orchestratorOpts.deep = true;
+  if (options.local) orchestratorOpts.local = true;
+  if (options.model) orchestratorOpts.model = options.model;
+  if (options.budget) orchestratorOpts.budget = options.budget;
+
+  const results = await orchestrator.runAll(absolutePath, orchestratorOpts);
 
   const { recon, findings, agentResults } = results;
 

package/cli/index.js

@@ -22,6 +22,9 @@ export { watchCommand } from './commands/watch.js';
 // ── v4.2 Commands ─────────────────────────────────────────────────────────────
 export { doctorCommand } from './commands/doctor.js';
 
+// ── v4.3 Commands ─────────────────────────────────────────────────────────────
+export { baselineCommand } from './commands/baseline.js';
+
 // ── Patterns ──────────────────────────────────────────────────────────────────
 export { SECRET_PATTERNS, SECURITY_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS } from './utils/patterns.js';
 
@@ -42,6 +45,7 @@ export { MobileScanner } from './agents/mobile-scanner.js';
 export { GitHistoryScanner } from './agents/git-history-scanner.js';
 export { CICDScanner } from './agents/cicd-scanner.js';
 export { APIFuzzer } from './agents/api-fuzzer.js';
+export { SupabaseRLSAgent } from './agents/supabase-rls-agent.js';
 
 // ── Supporting Modules ────────────────────────────────────────────────────────
 export { ScoringEngine, GRADES, CATEGORIES } from './agents/scoring-engine.js';

package/cli/utils/autofix-rules.js

@@ -0,0 +1,74 @@
+/**
+ * Auto-Fix Rules
+ * ================
+ *
+ * Pure functions that transform a source line to fix a security issue.
+ * Each rule maps to a finding rule name from the agents.
+ *
+ * Used by `ship-safe remediate --all` to auto-fix agent-detected issues
+ * beyond just secrets.
+ */
+
+export const AUTOFIX_RULES = [
+  {
+    rule: 'TLS_REJECT_UNAUTHORIZED',
+    match: /rejectUnauthorized\s*:\s*false/g,
+    replace: (line) => line.replace(/rejectUnauthorized\s*:\s*false/, 'rejectUnauthorized: true // TODO: configure proper CA bundle'),
+    description: 'Enable TLS certificate verification',
+  },
+  {
+    rule: 'DOCKER_LATEST_TAG',
+    match: /FROM\s+(\S+):latest/gi,
+    replace: (line) => {
+      return line.replace(/FROM\s+(\S+):latest/i, (_, image) => {
+        const pinned = { node: 'node:20-alpine', python: 'python:3.12-slim', nginx: 'nginx:1.25-alpine', ruby: 'ruby:3.3-slim' };
+        return `FROM ${pinned[image] || image + ':latest'} # TODO: pin to specific version`;
+      });
+    },
+    description: 'Pin Docker base image to a specific version',
+  },
+  {
+    rule: 'DEBUG_MODE_PRODUCTION',
+    match: /(?:DEBUG|debug)\s*[:=]\s*(?:true|True|1|['"]true['"])/g,
+    replace: (line) => line
+      .replace(/DEBUG\s*=\s*True/, 'DEBUG = False')
+      .replace(/DEBUG\s*=\s*true/, 'DEBUG = false')
+      .replace(/debug\s*:\s*true/, 'debug: false')
+      .replace(/debug\s*=\s*['"]true['"]/, "debug = 'false'"),
+    description: 'Disable debug mode for production',
+  },
+  {
+    rule: 'XSS_DANGEROUS_INNER_HTML',
+    match: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}\s*\}/g, // ship-safe-ignore: autofix pattern
+    replace: (line) => {
+      return line.replace(
+        /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}\s*\}/,
+        (_, value) => `dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(${value.trim()}) }}` // ship-safe-ignore: replacement template
+      );
+    },
+    description: 'Wrap dangerouslySetInnerHTML value in DOMPurify.sanitize()',
+  },
+  {
+    rule: 'CMD_INJECTION_SHELL_TRUE',
+    match: /shell\s*:\s*true/g,
+    replace: (line) => line.replace(/shell\s*:\s*true/, 'shell: false // TODO: ensure command works without shell'),
+    description: 'Disable shell execution in spawn/exec',
+  },
+];
+
+/**
+ * Check if a finding's rule has an autofix available.
+ */
+export function hasAutofix(rule) {
+  return AUTOFIX_RULES.some(r => r.rule === rule);
+}
+
+/**
+ * Apply an autofix rule to a line.
+ * Returns the fixed line, or the original if no rule matches.
+ */
+export function applyAutofix(rule, line) {
+  const fixRule = AUTOFIX_RULES.find(r => r.rule === rule);
+  if (!fixRule) return line;
+  return fixRule.replace(line);
+}

package/cli/utils/pdf-generator.js

@@ -0,0 +1,94 @@
+/**
+ * PDF Generator
+ * ==============
+ *
+ * Zero-dependency PDF generation via Chrome/Chromium headless mode.
+ * Falls back to generating a print-optimized HTML file if Chrome is not found.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { execFileSync } from 'child_process';
+
+/**
+ * Well-known Chrome/Chromium paths by platform.
+ */
+function findChrome() {
+  const candidates = process.platform === 'win32'
+    ? [
+        process.env.CHROME_PATH,
+        'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
+        'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
+        process.env.LOCALAPPDATA && path.join(process.env.LOCALAPPDATA, 'Google\\Chrome\\Application\\chrome.exe'),
+      ]
+    : process.platform === 'darwin'
+    ? [
+        process.env.CHROME_PATH,
+        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
+        '/Applications/Chromium.app/Contents/MacOS/Chromium',
+      ]
+    : [
+        process.env.CHROME_PATH,
+        '/usr/bin/google-chrome',
+        '/usr/bin/google-chrome-stable',
+        '/usr/bin/chromium',
+        '/usr/bin/chromium-browser',
+        '/snap/bin/chromium',
+      ];
+
+  for (const c of candidates) {
+    if (c && fs.existsSync(c)) return c;
+  }
+  return null;
+}
+
+/**
+ * Check if Chrome is available.
+ */
+export function isChromeAvailable() {
+  return findChrome() !== null;
+}
+
+/**
+ * Generate PDF from an HTML file using Chrome headless.
+ * Returns the output path, or null if Chrome is not available.
+ */
+export function generatePDF(htmlPath, outputPath) {
+  const chrome = findChrome();
+  if (!chrome) return null;
+
+  try {
+    const args = [
+      '--headless',
+      '--disable-gpu',
+      '--no-sandbox',
+      `--print-to-pdf=${outputPath}`,
+      '--print-to-pdf-no-header',
+      htmlPath,
+    ];
+    execFileSync(chrome, args, { timeout: 30000, stdio: 'pipe' });
+    return outputPath;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Generate a print-optimized HTML file as PDF fallback.
+ */
+export function generatePrintHTML(htmlPath, outputPath) {
+  let html = fs.readFileSync(htmlPath, 'utf-8');
+  // Add print-optimized styles
+  const printCSS = `
+<style media="print">
+  body { background: #fff !important; color: #1e293b !important; }
+  .score-card, .stat, .summary-card, .toc { background: #f8fafc !important; border: 1px solid #e2e8f0 !important; }
+  table, th, td { border: 1px solid #e2e8f0 !important; }
+  code { background: #f1f5f9 !important; color: #0f172a !important; }
+  pre { background: #f1f5f9 !important; }
+  a { color: #0369a1 !important; }
+</style>`;
+  html = html.replace('</head>', printCSS + '\n</head>');
+  fs.writeFileSync(outputPath, html);
+  return outputPath;
+}