ship-safe 4.3.0 → 5.0.1

package/cli/commands/audit.js

@@ -29,6 +29,7 @@ import {
   SECURITY_PATTERNS,
   SKIP_DIRS,
   SKIP_EXTENSIONS,
+  SKIP_FILENAMES,
   MAX_FILE_SIZE,
   loadGitignorePatterns
 } from '../utils/patterns.js';
@@ -36,6 +37,7 @@ import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
 import { CacheManager } from '../utils/cache-manager.js';
 import { filterBaseline } from './baseline.js';
 import { generatePDF, generatePrintHTML, isChromeAvailable } from '../utils/pdf-generator.js';
+import { SecretsVerifier } from '../utils/secrets-verifier.js';
 
 // =============================================================================
 // CONSTANTS
@@ -131,11 +133,39 @@ export async function auditCommand(targetPath = '.', options = {}) {
           description: f.description,
           matched: f.matched,
           confidence: f.confidence,
-          fix: `Move to environment variable or secrets manager`,
+          fix: file.match(/\.env(\..*)?$/)
+            ? `Ensure .env is in .gitignore and use a secrets manager for production`
+            : `Move to environment variable or secrets manager`,
         });
       }
     }
 
+    // Downgrade .env findings if the file is gitignored (properly managed)
+    const gitignoreContent = (() => {
+      try { return fs.readFileSync(path.join(absolutePath, '.gitignore'), 'utf-8'); } catch { return ''; }
+    })();
+    const envIsGitignored = gitignoreContent.split('\n')
+      .map(l => l.trim())
+      .some(l => /^\.env(\s|$)/.test(l) || l === '*.env' || l === '.env*' || l === '.env.local' || l === '.env.production');
+
+    if (envIsGitignored) {
+      for (const f of secretFindings) {
+        if (f.file.match(/\.env(\..*)?$/) && !f.file.includes('node_modules')) {
+          f.severity = 'low';
+          f.confidence = 'low';
+          f.fix = 'Already gitignored — ensure secrets manager is used for production deploys';
+        }
+      }
+    }
+
+    // Downgrade secrets in test files (intentional test fixtures)
+    const TEST_PATH = /(?:__tests__|\.test\.|\.spec\.|\/test\/|\/tests\/|\/fixtures?\/)/i;
+    for (const f of secretFindings) {
+      if (TEST_PATH.test(f.file)) {
+        f.confidence = 'low';
+      }
+    }
+
     // Merge with cached findings for unchanged files
     secretFindings = [...secretFindings, ...cachedSecretFindings];
 
@@ -153,16 +183,22 @@ export async function auditCommand(targetPath = '.', options = {}) {
   }
 
   // ── Phase 2: Agent Scan ───────────────────────────────────────────────────
-  const agentSpinner = machineOutput ? null : ora({ text: chalk.white('[Phase 2/4] Running 12 security agents...'), color: 'cyan' }).start();
+  const orchestrator = buildOrchestrator();
+  const registeredAgentCount = orchestrator.agents?.length || 15;
+  const agentSpinner = machineOutput ? null : ora({ text: chalk.white(`[Phase 2/4] Running ${registeredAgentCount} security agents...`), color: 'cyan' }).start();
   let agentFindings = [];
   let recon = null;
   let agentResults = [];
 
   try {
-    const orchestrator = buildOrchestrator();
     // Suppress individual agent spinners by using quiet mode
     // Pass changedFiles for incremental scanning if cache is valid
     const orchestratorOpts = { quiet: true };
+    if (options.deep) orchestratorOpts.deep = true;
+    if (options.local) orchestratorOpts.local = true;
+    if (options.model) orchestratorOpts.model = options.model;
+    if (options.budget) orchestratorOpts.budget = options.budget;
+    if (options.verbose) orchestratorOpts.verbose = true;
     if (cacheDiff && cacheDiff.changedFiles.length < allFiles.length) {
       orchestratorOpts.changedFiles = cacheDiff.changedFiles;
     }
@@ -287,6 +323,32 @@ export async function auditCommand(targetPath = '.', options = {}) {
     }
   }
 
+  // ── Secrets Verification (optional, --verify flag) ─────────────────────
+  if (options.verify) {
+    const verifySpinner = machineOutput ? null : ora({ text: 'Verifying leaked secrets against provider APIs...', color: 'cyan' }).start();
+    try {
+      const verifier = new SecretsVerifier();
+      const verifyResults = await verifier.verify(filteredFindings);
+      const activeCount = verifyResults.filter(r => r.result.active === true).length;
+      const inactiveCount = verifyResults.filter(r => r.result.active === false).length;
+      if (verifySpinner) {
+        verifySpinner.succeed(chalk.green(
+          `Secrets verified: ${activeCount} active, ${inactiveCount} inactive, ${verifyResults.length - activeCount - inactiveCount} unknown`
+        ));
+      }
+      // Show active secrets warning
+      if (activeCount > 0 && !machineOutput) {
+        console.log(chalk.red.bold('  ⚠ ACTIVE SECRETS DETECTED — rotate immediately:'));
+        for (const r of verifyResults.filter(r => r.result.active === true)) {
+          const rel = path.relative(absolutePath, r.finding.file).replace(/\\/g, '/');
+          console.log(chalk.red(`    ${r.result.provider}: ${rel}:${r.finding.line} — ${r.result.info}`));
+        }
+      }
+    } catch (err) {
+      if (verifySpinner) verifySpinner.fail(chalk.yellow(`Secrets verification failed: ${err.message}`));
+    }
+  }
+
   // ── Save Cache ──────────────────────────────────────────────────────────
   if (useCache) {
     try {
@@ -383,14 +445,47 @@ function buildRemediationPlan(findings, depVulns, rootPath) {
   const plan = [];
   let priority = 1;
 
+  // Exclude low-confidence findings (test files, docs, comments) from remediation plan
+  const actionable = findings.filter(f => f.confidence !== 'low');
+
   // Priority order: secrets first, then by severity
-  const secretFindings = findings.filter(f => f.category === 'secrets' || f.category === 'secret');
-  const otherFindings = findings.filter(f => f.category !== 'secrets' && f.category !== 'secret');
+  const secretFindings = actionable.filter(f => f.category === 'secrets' || f.category === 'secret');
+  const otherFindings = actionable.filter(f => f.category !== 'secrets' && f.category !== 'secret');
 
   // Group and sort
   for (const sev of SEV_ORDER) {
-    // Secrets at this severity
-    for (const f of secretFindings.filter(s => s.severity === sev)) {
+    // Secrets at this severity — group .env findings by file
+    const sevSecrets = secretFindings.filter(s => s.severity === sev);
+    const envGroups = new Map();
+    const nonEnvSecrets = [];
+
+    for (const f of sevSecrets) {
+      const relFile = path.relative(rootPath, f.file).replace(/\\/g, '/');
+      if (f.file.match(/\.env(\..*)?$/)) {
+        if (!envGroups.has(relFile)) envGroups.set(relFile, []);
+        envGroups.get(relFile).push(f);
+      } else {
+        nonEnvSecrets.push(f);
+      }
+    }
+
+    // One plan item per .env file
+    for (const [relFile, envFindings] of envGroups) {
+      const names = envFindings.map(f => f.title || f.rule).join(', ');
+      plan.push({
+        priority: priority++,
+        severity: sev,
+        category: 'secrets',
+        categoryLabel: 'SECRETS',
+        title: `${envFindings.length} secret${envFindings.length > 1 ? 's' : ''} in ${relFile} (${names})`,
+        file: relFile,
+        action: envFindings[0].fix || 'Ensure .env is in .gitignore and use a secrets manager for production',
+        effort: 'low',
+      });
+    }
+
+    // Individual items for non-.env secrets
+    for (const f of nonEnvSecrets) {
       plan.push({
         priority: priority++,
         severity: sev,
@@ -662,6 +757,7 @@ async function findFiles(rootPath) {
   return files.filter(file => {
     const ext = path.extname(file).toLowerCase();
     if (SKIP_EXTENSIONS.has(ext)) return false;
+    if (SKIP_FILENAMES.has(path.basename(file))) return false;
     if (path.basename(file).endsWith('.min.js') || path.basename(file).endsWith('.min.css')) return false;
     try { if (fs.statSync(file).size > MAX_FILE_SIZE) return false; } catch { return false; }
     return true;

package/cli/commands/baseline.js

@@ -17,7 +17,7 @@ import path from 'path';
 import chalk from 'chalk';
 import ora from 'ora';
 import { buildOrchestrator } from '../agents/index.js';
-import { SECRET_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS, MAX_FILE_SIZE } from '../utils/patterns.js';
+import { SECRET_PATTERNS, SKIP_DIRS, SKIP_EXTENSIONS, SKIP_FILENAMES, MAX_FILE_SIZE } from '../utils/patterns.js';
 import { isHighEntropyMatch } from '../utils/entropy.js';
 import fg from 'fast-glob';
 
@@ -45,6 +45,7 @@ async function quickScan(rootPath) {
   const filtered = files.filter(f => {
     const ext = path.extname(f).toLowerCase();
     if (SKIP_EXTENSIONS.has(ext)) return false;
+    if (SKIP_FILENAMES.has(path.basename(f))) return false;
     try { return fs.statSync(f).size <= MAX_FILE_SIZE; } catch { return false; }
   });
 

package/cli/commands/ci.js

@@ -0,0 +1,262 @@
+/**
+ * CI Command — Optimized for CI/CD Pipelines
+ * =============================================
+ *
+ * Single command for CI pipelines with:
+ *   - Exit code 1 if score < threshold (default 75)
+ *   - SARIF output for GitHub Code Scanning upload
+ *   - JSON output for custom integrations
+ *   - Compact summary for CI logs
+ *   - --fail-on flag for severity-based gating
+ *
+ * USAGE:
+ *   npx ship-safe ci .                         Default: fail if score < 75
+ *   npx ship-safe ci . --threshold 60          Custom score threshold
+ *   npx ship-safe ci . --fail-on critical      Only fail on critical findings
+ *   npx ship-safe ci . --sarif results.sarif   SARIF for GitHub Code Scanning
+ *   npx ship-safe ci . --baseline              Only check new findings
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { buildOrchestrator } from '../agents/index.js';
+import { ScoringEngine } from '../agents/scoring-engine.js';
+import { PolicyEngine } from '../agents/policy-engine.js';
+import { runDepsAudit } from './deps.js';
+import { filterBaseline } from './baseline.js';
+import {
+  SECRET_PATTERNS,
+  SKIP_DIRS,
+  SKIP_EXTENSIONS,
+  SKIP_FILENAMES,
+  MAX_FILE_SIZE,
+  loadGitignorePatterns
+} from '../utils/patterns.js';
+import { isHighEntropyMatch, getConfidence } from '../utils/entropy.js';
+import fg from 'fast-glob';
+
+// =============================================================================
+// MAIN COMMAND
+// =============================================================================
+
+export async function ciCommand(targetPath = '.', options = {}) {
+  const absolutePath = path.resolve(targetPath);
+  const threshold = options.threshold || 75;
+  const failOn = options.failOn || null;
+  const sarifPath = options.sarif || null;
+
+  if (!fs.existsSync(absolutePath)) {
+    console.error(`[ship-safe] Path does not exist: ${absolutePath}`);
+    process.exit(1);
+  }
+
+  const startTime = Date.now();
+
+  // ── Secret Scan ──────────────────────────────────────────────────────────
+  const allFiles = await findFiles(absolutePath);
+  const secretFindings = [];
+
+  for (const file of allFiles) {
+    try {
+      const content = fs.readFileSync(file, 'utf-8');
+      const lines = content.split('\n');
+      for (let lineNum = 0; lineNum < lines.length; lineNum++) {
+        const line = lines[lineNum];
+        if (/ship-safe-ignore/i.test(line)) continue;
+        for (const pattern of SECRET_PATTERNS) {
+          pattern.pattern.lastIndex = 0;
+          let match;
+          while ((match = pattern.pattern.exec(line)) !== null) {
+            if (pattern.requiresEntropyCheck && !isHighEntropyMatch(match[0])) continue;
+            secretFindings.push({
+              file, line: lineNum + 1, column: match.index + 1,
+              matched: match[0], severity: pattern.severity,
+              category: pattern.category || 'secrets',
+              rule: pattern.name, title: pattern.name.replace(/_/g, ' '),
+              description: pattern.description,
+              confidence: getConfidence(pattern, match[0]),
+              fix: 'Move to environment variable or secrets manager',
+            });
+          }
+        }
+      }
+    } catch { /* skip */ }
+  }
+
+  // ── Agent Scan ───────────────────────────────────────────────────────────
+  const orchestrator = buildOrchestrator();
+  const results = await orchestrator.runAll(absolutePath, { quiet: true });
+  const agentFindings = results.findings;
+
+  // ── Dependency Audit ─────────────────────────────────────────────────────
+  let depVulns = [];
+  if (options.deps !== false) {
+    try {
+      const depResult = await runDepsAudit(absolutePath);
+      depVulns = depResult.vulns || [];
+    } catch { /* skip */ }
+  }
+
+  // ── Merge & Deduplicate ──────────────────────────────────────────────────
+  const seen = new Set();
+  let allFindings = [...secretFindings, ...agentFindings].filter(f => {
+    const key = `${f.file}:${f.line}:${f.rule}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+
+  // Apply policy
+  const policy = PolicyEngine.load(absolutePath);
+  allFindings = policy.applyPolicy(allFindings);
+
+  // Apply baseline filter
+  if (options.baseline) {
+    allFindings = filterBaseline(allFindings, absolutePath);
+  }
+
+  // ── Score ────────────────────────────────────────────────────────────────
+  const scoringEngine = new ScoringEngine();
+  const scoreResult = scoringEngine.compute(allFindings, depVulns);
+  scoringEngine.saveToHistory(absolutePath, scoreResult);
+
+  const duration = ((Date.now() - startTime) / 1000).toFixed(1);
+
+  // ── SARIF Output ─────────────────────────────────────────────────────────
+  if (sarifPath) {
+    const sarif = buildSARIF(allFindings, absolutePath);
+    fs.writeFileSync(sarifPath, JSON.stringify(sarif, null, 2));
+  }
+
+  // ── JSON Output ──────────────────────────────────────────────────────────
+  if (options.json) {
+    console.log(JSON.stringify({
+      score: scoreResult.score,
+      grade: scoreResult.grade.letter,
+      totalFindings: allFindings.length,
+      totalDepVulns: depVulns.length,
+      critical: allFindings.filter(f => f.severity === 'critical').length,
+      high: allFindings.filter(f => f.severity === 'high').length,
+      medium: allFindings.filter(f => f.severity === 'medium').length,
+      low: allFindings.filter(f => f.severity === 'low').length,
+      threshold,
+      pass: determinePass(scoreResult, allFindings, threshold, failOn),
+      duration: `${duration}s`,
+    }, null, 2));
+  } else {
+    // ── Compact CI Summary ───────────────────────────────────────────────
+    const critical = allFindings.filter(f => f.severity === 'critical').length;
+    const high = allFindings.filter(f => f.severity === 'high').length;
+    const medium = allFindings.filter(f => f.severity === 'medium').length;
+
+    console.log(`[ship-safe] Score: ${scoreResult.score}/100 (${scoreResult.grade.letter}) | Findings: ${allFindings.length} (${critical}C ${high}H ${medium}M) | CVEs: ${depVulns.length} | ${duration}s`);
+
+    if (critical > 0) {
+      console.log(`[ship-safe] Critical findings:`);
+      for (const f of allFindings.filter(f => f.severity === 'critical').slice(0, 5)) {
+        const rel = path.relative(absolutePath, f.file).replace(/\\/g, '/');
+        console.log(`  - ${f.rule} at ${rel}:${f.line}`);
+      }
+    }
+
+    if (sarifPath) {
+      console.log(`[ship-safe] SARIF: ${sarifPath}`);
+    }
+  }
+
+  // ── Exit Code ────────────────────────────────────────────────────────────
+  const pass = determinePass(scoreResult, allFindings, threshold, failOn);
+  if (!pass) {
+    if (!options.json) {
+      if (failOn) {
+        console.log(`[ship-safe] FAIL: Found ${failOn}-severity findings`);
+      } else {
+        console.log(`[ship-safe] FAIL: Score ${scoreResult.score} < threshold ${threshold}`);
+      }
+    }
+    process.exit(1);
+  } else {
+    if (!options.json) {
+      console.log(`[ship-safe] PASS`);
+    }
+    process.exit(0);
+  }
+}
+
+// =============================================================================
+// HELPERS
+// =============================================================================
+
+function determinePass(scoreResult, findings, threshold, failOn) {
+  if (failOn) {
+    const sevOrder = ['critical', 'high', 'medium', 'low'];
+    const failIndex = sevOrder.indexOf(failOn);
+    if (failIndex === -1) return scoreResult.score >= threshold;
+    const blockingSevs = sevOrder.slice(0, failIndex + 1);
+    return !findings.some(f => blockingSevs.includes(f.severity));
+  }
+  return scoreResult.score >= threshold;
+}
+
+function buildSARIF(findings, rootPath) {
+  const rules = {};
+  for (const f of findings) {
+    if (!rules[f.rule]) {
+      rules[f.rule] = {
+        id: f.rule, name: f.title || f.rule,
+        shortDescription: { text: f.title || f.rule },
+        fullDescription: { text: f.description || '' },
+        defaultConfiguration: {
+          level: ['critical', 'high'].includes(f.severity) ? 'error' : 'warning',
+        },
+      };
+    }
+  }
+
+  return {
+    version: '2.1.0',
+    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'ship-safe', version: '5.0.0',
+          informationUri: 'https://github.com/asamassekou10/ship-safe',
+          rules: Object.values(rules),
+        },
+      },
+      results: findings.map(f => ({
+        ruleId: f.rule,
+        level: ['critical', 'high'].includes(f.severity) ? 'error' : 'warning',
+        message: { text: `${f.title}: ${f.description}` },
+        locations: [{
+          physicalLocation: {
+            artifactLocation: {
+              uri: path.relative(rootPath, f.file).replace(/\\/g, '/'),
+              uriBaseId: '%SRCROOT%',
+            },
+            region: { startLine: f.line, startColumn: f.column || 1 },
+          },
+        }],
+      })),
+    }],
+  };
+}
+
+async function findFiles(rootPath) {
+  const globIgnore = Array.from(SKIP_DIRS).map(dir => `**/${dir}/**`);
+  const gitignoreGlobs = loadGitignorePatterns(rootPath);
+  globIgnore.push(...gitignoreGlobs);
+
+  const files = await fg('**/*', {
+    cwd: rootPath, absolute: true, onlyFiles: true, ignore: globIgnore, dot: true,
+  });
+
+  return files.filter(file => {
+    const ext = path.extname(file).toLowerCase();
+    if (SKIP_EXTENSIONS.has(ext)) return false;
+    if (SKIP_FILENAMES.has(path.basename(file))) return false;
+    if (path.basename(file).endsWith('.min.js') || path.basename(file).endsWith('.min.css')) return false;
+    try { if (fs.statSync(file).size > MAX_FILE_SIZE) return false; } catch { return false; }
+    return true;
+  });
+}