ship-safe 6.0.0 → 6.1.1

package/cli/utils/compliance-map.js

@@ -0,0 +1,125 @@
+/**
+ * Compliance Mapping Utility
+ * ===========================
+ *
+ * Maps CWE/OWASP findings to compliance frameworks:
+ *   - SOC 2 Type II (Trust Service Criteria)
+ *   - ISO 27001:2022 (Annex A controls)
+ *   - NIST AI Risk Management Framework (AI RMF 1.0)
+ */
+
+// =============================================================================
+// CWE → COMPLIANCE CONTROL MAPPING
+// =============================================================================
+
+const CWE_MAP = {
+  'CWE-74':  { soc2: ['CC6.1', 'CC7.1'], iso27001: ['A.8.28'], nistAiRmf: ['MAP 1.5', 'MEASURE 2.6'] },
+  'CWE-78':  { soc2: ['CC6.1', 'CC7.1'], iso27001: ['A.8.28'], nistAiRmf: ['MAP 1.5'] },
+  'CWE-79':  { soc2: ['CC6.1'], iso27001: ['A.8.28'], nistAiRmf: [] },
+  'CWE-89':  { soc2: ['CC6.1'], iso27001: ['A.8.28'], nistAiRmf: [] },
+  'CWE-94':  { soc2: ['CC6.1', 'CC7.1'], iso27001: ['A.8.28', 'A.8.9'], nistAiRmf: ['MAP 1.5'] },
+  'CWE-116': { soc2: ['CC6.1'], iso27001: ['A.8.28'], nistAiRmf: ['MEASURE 2.6'] },
+  'CWE-200': { soc2: ['CC6.5', 'CC6.1'], iso27001: ['A.8.11', 'A.5.33'], nistAiRmf: ['GOVERN 1.7', 'MAP 5.1'] },
+  'CWE-250': { soc2: ['CC6.3'], iso27001: ['A.8.2'], nistAiRmf: ['GOVERN 1.4'] },
+  'CWE-269': { soc2: ['CC6.3', 'CC6.1'], iso27001: ['A.8.2', 'A.5.15'], nistAiRmf: ['GOVERN 1.4'] },
+  'CWE-287': { soc2: ['CC6.1', 'CC6.2'], iso27001: ['A.8.5'], nistAiRmf: [] },
+  'CWE-306': { soc2: ['CC6.1', 'CC6.2'], iso27001: ['A.8.5'], nistAiRmf: ['GOVERN 1.4'] },
+  'CWE-311': { soc2: ['CC6.7'], iso27001: ['A.8.24'], nistAiRmf: [] },
+  'CWE-312': { soc2: ['CC6.7', 'CC6.1'], iso27001: ['A.8.24', 'A.5.33'], nistAiRmf: ['MAP 5.1'] },
+  'CWE-326': { soc2: ['CC6.7'], iso27001: ['A.8.24'], nistAiRmf: [] },
+  'CWE-327': { soc2: ['CC6.7'], iso27001: ['A.8.24'], nistAiRmf: [] },
+  'CWE-502': { soc2: ['CC6.1'], iso27001: ['A.8.28'], nistAiRmf: [] },
+  'CWE-522': { soc2: ['CC6.1', 'CC6.7'], iso27001: ['A.8.5', 'A.8.24'], nistAiRmf: [] },
+  'CWE-611': { soc2: ['CC6.1'], iso27001: ['A.8.28'], nistAiRmf: [] },
+  'CWE-668': { soc2: ['CC6.1', 'CC6.6'], iso27001: ['A.8.9', 'A.8.20'], nistAiRmf: ['GOVERN 1.4'] },
+  'CWE-798': { soc2: ['CC6.1', 'CC6.7'], iso27001: ['A.5.33', 'A.8.24'], nistAiRmf: [] },
+  'CWE-918': { soc2: ['CC6.1', 'CC6.6'], iso27001: ['A.8.20', 'A.8.28'], nistAiRmf: [] },
+};
+
+// OWASP Agentic → NIST AI RMF mapping (agent-specific)
+const AGENTIC_MAP = {
+  'ASI01': { soc2: ['CC6.1', 'CC7.2'], iso27001: ['A.8.28', 'A.8.9'], nistAiRmf: ['MAP 1.5', 'MEASURE 2.6', 'MANAGE 2.2'] },
+  'ASI02': { soc2: ['CC6.1', 'CC6.3'], iso27001: ['A.8.2', 'A.8.9'], nistAiRmf: ['MAP 1.5', 'GOVERN 1.4', 'MANAGE 2.2'] },
+  'ASI03': { soc2: ['CC6.3'], iso27001: ['A.8.2', 'A.5.15'], nistAiRmf: ['GOVERN 1.4', 'MAP 3.4'] },
+  'ASI04': { soc2: ['CC6.6', 'CC7.1'], iso27001: ['A.5.19', 'A.5.21'], nistAiRmf: ['MAP 1.5', 'GOVERN 6.1'] },
+  'ASI05': { soc2: ['CC6.1', 'CC7.1'], iso27001: ['A.8.28', 'A.8.9'], nistAiRmf: ['MAP 1.5'] },
+  'ASI06': { soc2: ['CC6.1'], iso27001: ['A.8.11'], nistAiRmf: ['MEASURE 2.6', 'MANAGE 2.2'] },
+  'ASI07': { soc2: ['CC6.1', 'CC6.7'], iso27001: ['A.8.20', 'A.8.24'], nistAiRmf: ['MAP 1.5'] },
+  'ASI08': { soc2: ['CC7.4', 'CC7.5'], iso27001: ['A.5.30'], nistAiRmf: ['MANAGE 4.1'] },
+  'ASI09': { soc2: ['CC6.2'], iso27001: ['A.8.5', 'A.5.15'], nistAiRmf: ['GOVERN 1.7'] },
+  'ASI10': { soc2: ['CC7.2', 'CC7.4'], iso27001: ['A.8.9', 'A.5.30'], nistAiRmf: ['MANAGE 2.2', 'MANAGE 4.1'] },
+};
+
+// =============================================================================
+// PUBLIC API
+// =============================================================================
+
+/**
+ * Map a single finding to compliance controls.
+ * @param {object} finding - A finding with `cwe` and `owasp` fields.
+ * @returns {{ soc2: string[], iso27001: string[], nistAiRmf: string[] }}
+ */
+export function mapFindingToCompliance(finding) {
+  const result = { soc2: new Set(), iso27001: new Set(), nistAiRmf: new Set() };
+
+  // Map from CWE
+  const cwe = finding.cwe || finding.CWE;
+  if (cwe && CWE_MAP[cwe]) {
+    const m = CWE_MAP[cwe];
+    m.soc2.forEach(c => result.soc2.add(c));
+    m.iso27001.forEach(c => result.iso27001.add(c));
+    m.nistAiRmf.forEach(c => result.nistAiRmf.add(c));
+  }
+
+  // Map from OWASP Agentic
+  const owasp = finding.owasp || finding.OWASP;
+  if (owasp && AGENTIC_MAP[owasp]) {
+    const m = AGENTIC_MAP[owasp];
+    m.soc2.forEach(c => result.soc2.add(c));
+    m.iso27001.forEach(c => result.iso27001.add(c));
+    m.nistAiRmf.forEach(c => result.nistAiRmf.add(c));
+  }
+
+  return {
+    soc2: [...result.soc2].sort(),
+    iso27001: [...result.iso27001].sort(),
+    nistAiRmf: [...result.nistAiRmf].sort(),
+  };
+}
+
+/**
+ * Aggregate compliance mappings across all findings.
+ * @param {object[]} findings - Array of findings.
+ * @returns {{ soc2: object, iso27001: object, nistAiRmf: object, summary: object }}
+ */
+export function getComplianceSummary(findings) {
+  const soc2 = {};
+  const iso27001 = {};
+  const nistAiRmf = {};
+
+  for (const f of findings) {
+    const mapped = mapFindingToCompliance(f);
+
+    for (const ctrl of mapped.soc2) {
+      soc2[ctrl] = (soc2[ctrl] || 0) + 1;
+    }
+    for (const ctrl of mapped.iso27001) {
+      iso27001[ctrl] = (iso27001[ctrl] || 0) + 1;
+    }
+    for (const ctrl of mapped.nistAiRmf) {
+      nistAiRmf[ctrl] = (nistAiRmf[ctrl] || 0) + 1;
+    }
+  }
+
+  return {
+    soc2,
+    iso27001,
+    nistAiRmf,
+    summary: {
+      soc2Controls: Object.keys(soc2).length,
+      iso27001Controls: Object.keys(iso27001).length,
+      nistAiRmfControls: Object.keys(nistAiRmf).length,
+      totalFindings: findings.length,
+    },
+  };
+}

package/cli/utils/output.js

@@ -1,229 +1,230 @@
-/**
- * Output Utilities
- * ================
- *
- * Consistent, pretty terminal output for the CLI.
- * Uses chalk for colors and provides helper functions
- * for common output patterns.
- */
-
-import chalk from 'chalk';
-
-// =============================================================================
-// SEVERITY COLORS
-// =============================================================================
-
-export const severityColors = {
-  critical: chalk.bgRed.white.bold,
-  high: chalk.red.bold,
-  medium: chalk.yellow,
-  low: chalk.blue
-};
-
-export const severityIcons = {
-  critical: '\u2620\ufe0f ',  // skull
-  high: '\u26a0\ufe0f ',      // warning
-  medium: '\u26a1',           // lightning
-  low: '\u2139\ufe0f '        // info
-};
-
-// =============================================================================
-// OUTPUT HELPERS
-// =============================================================================
-
-/**
- * Print a section header
- */
-export function header(text) {
-  console.log();
-  console.log(chalk.cyan.bold('='.repeat(60)));
-  console.log(chalk.cyan.bold(`  ${text}`));
-  console.log(chalk.cyan.bold('='.repeat(60)));
-}
-
-/**
- * Print a subheader
- */
-export function subheader(text) {
-  console.log();
-  console.log(chalk.white.bold(text));
-  console.log(chalk.gray('-'.repeat(text.length)));
-}
-
-/**
- * Print a success message
- */
-export function success(text) {
-  console.log(chalk.green('\u2714 ') + text);
-}
-
-/**
- * Print a warning message
- */
-export function warning(text) {
-  console.log(chalk.yellow('\u26a0 ') + text);
-}
-
-/**
- * Print an error message
- */
-export function error(text) {
-  console.log(chalk.red('\u2718 ') + text);
-}
-
-/**
- * Print an info message
- */
-export function info(text) {
-  console.log(chalk.blue('\u2139 ') + text);
-}
-
-const confidenceColors = {
-  high:   chalk.red,
-  medium: chalk.yellow,
-  low:    chalk.gray,
-};
-
-/**
- * Print a finding (secret detected)
- */
-export function finding(file, line, patternName, severity, matched, description, confidence) {
-  const color = severityColors[severity] || chalk.white;
-  const icon = severityIcons[severity] || '';
-  const confColor = confidenceColors[confidence] || chalk.gray;
-  const confLabel = confidence ? `  ${chalk.gray('Confidence:')} ${confColor(confidence)}` : '';
-
-  console.log();
-  console.log(chalk.white.bold(`${file}:${line}`));
-  console.log(`  ${icon}${color(`[${severity.toUpperCase()}]`)} ${chalk.white(patternName)}`);
-  console.log(`  ${chalk.gray('Found:')} ${chalk.yellow(maskSecret(matched))}`);
-  if (confLabel) console.log(confLabel);
-  console.log(`  ${chalk.gray('Why:')} ${description}`);
-}
-
-/**
- * Print a vulnerability finding (code issue — show matched code, not masked)
- */
-export function vulnerabilityFinding(file, line, patternName, severity, matched, description) {
-  const color = severityColors[severity] || chalk.white;
-  const icon = severityIcons[severity] || '';
-  const snippet = matched.length > 80 ? matched.slice(0, 80) + '…' : matched;
-
-  console.log();
-  console.log(chalk.white.bold(`${file}:${line}`));
-  console.log(`  ${icon}${color(`[${severity.toUpperCase()}]`)} ${chalk.white(patternName)}`);
-  console.log(`  ${chalk.gray('Code:')}  ${chalk.cyan(snippet)}`);
-  console.log(`  ${chalk.gray('Why:')}  ${description}`);
-}
-
-/**
- * Mask the middle of a secret for safe display
- */
-export function maskSecret(secret) {
-  if (secret.length <= 6) {
-    return '***';
-  }
-  if (secret.length <= 12) {
-    return secret.substring(0, 3) + '***';
-  }
-  return secret.substring(0, 4) + '***' + secret.substring(secret.length - 4);
-}
-
-/**
- * Print a summary box
- *
- * stats can include:
- *   total, critical, high, medium, filesScanned
- *   secretsTotal (optional), vulnsTotal (optional)
- */
-export function summary(stats) {
-  console.log();
-  console.log(chalk.cyan('='.repeat(60)));
-
-  if (stats.total === 0) {
-    console.log(chalk.green.bold('  \u2714 No issues detected!'));
-  } else {
-    const secretsTotal = stats.secretsTotal ?? stats.total;
-    const vulnsTotal = stats.vulnsTotal ?? 0;
-
-    if (secretsTotal > 0) {
-      console.log(chalk.red.bold(`  \u26a0 Found ${secretsTotal} secret(s)`));
-    }
-    if (vulnsTotal > 0) {
-      console.log(chalk.yellow.bold(`  \u26a0 Found ${vulnsTotal} code vulnerability/vulnerabilities`));
-    }
-
-    if (stats.critical > 0) {
-      console.log(chalk.red(`    \u2022 Critical: ${stats.critical}`));
-    }
-    if (stats.high > 0) {
-      console.log(chalk.red(`    \u2022 High: ${stats.high}`));
-    }
-    if (stats.medium > 0) {
-      console.log(chalk.yellow(`    \u2022 Medium: ${stats.medium}`));
-    }
-  }
-
-  console.log(chalk.gray(`  Files scanned: ${stats.filesScanned}`));
-  console.log(chalk.cyan('='.repeat(60)));
-}
-
-/**
- * Print recommended actions after finding code vulnerabilities
- */
-export function vulnRecommendations() {
-  console.log();
-  console.log(chalk.yellow.bold('Code Vulnerability Actions:'));
-  console.log();
-  console.log(chalk.white('1.') + ' Fix the flagged code patterns (see "Why" descriptions above)');
-  console.log(chalk.white('2.') + ' Use  # ship-safe-ignore  on lines that are safe (e.g. internal tools, controlled input)');
-  console.log(chalk.white('3.') + ' Run  npx ship-safe checklist  for a full launch-day security review');
-  console.log();
-}
-
-/**
- * Print recommended actions after finding secrets
- */
-export function recommendations() {
-  console.log();
-  console.log(chalk.cyan.bold('Recommended Actions:'));
-  console.log();
-  console.log(chalk.white('1.') + ' Move secrets to environment variables (.env file)');
-  console.log(chalk.white('2.') + ' Add .env to your .gitignore');
-  console.log(chalk.white('3.') + chalk.yellow(' If already committed:'));
-  console.log(chalk.gray('   \u2022 Rotate the compromised credentials immediately'));
-  console.log(chalk.gray('   \u2022 Use git-filter-repo or BFG Repo-Cleaner to remove from history'));
-  console.log(chalk.gray('   \u2022 Remember: deleting doesn\'t remove git history!'));
-  console.log();
-  console.log(chalk.white('4.') + ' Set up pre-commit hooks to catch this automatically:');
-  console.log(chalk.gray('   npm install --save-dev husky'));
-  console.log(chalk.gray('   npx husky add .husky/pre-commit "npx ship-safe scan ."'));
-  console.log();
-}
-
-/**
- * Print a checklist item
- */
-export function checklistItem(number, title, checked = null) {
-  const checkbox = checked === null
-    ? chalk.gray('[ ]')
-    : checked
-      ? chalk.green('[\u2714]')
-      : chalk.red('[\u2718]');
-
-  console.log(`${checkbox} ${chalk.white.bold(`${number}.`)} ${title}`);
-}
-
-/**
- * Print progress (for verbose mode)
- */
-export function progress(text) {
-  process.stdout.write(chalk.gray(`\r${text}`));
-}
-
-/**
- * Clear the current line
- */
-export function clearLine() {
-  process.stdout.write('\r' + ' '.repeat(80) + '\r');
-}
+/**
+ * Output Utilities
+ * ================
+ *
+ * Consistent, pretty terminal output for the CLI.
+ * Uses chalk for colors and provides helper functions
+ * for common output patterns.
+ */
+
+import chalk from 'chalk';
+
+// =============================================================================
+// SEVERITY COLORS
+// =============================================================================
+
+export const severityColors = {
+  critical: chalk.bgRed.white.bold,
+  high: chalk.red.bold,
+  medium: chalk.yellow,
+  low: chalk.blue
+};
+
+export const severityIcons = {
+  critical: '\u2620\ufe0f ',  // skull
+  high: '\u26a0\ufe0f ',      // warning
+  medium: '\u26a1',           // lightning
+  low: '\u2139\ufe0f '        // info
+};
+
+// =============================================================================
+// OUTPUT HELPERS
+// =============================================================================
+
+/**
+ * Print a section header
+ */
+export function header(text) {
+  console.log();
+  console.log(chalk.cyan.bold('='.repeat(60)));
+  console.log(chalk.cyan.bold(`  ${text}`));
+  console.log(chalk.cyan.bold('='.repeat(60)));
+}
+
+/**
+ * Print a subheader
+ */
+export function subheader(text) {
+  console.log();
+  console.log(chalk.white.bold(text));
+  console.log(chalk.gray('-'.repeat(text.length)));
+}
+
+/**
+ * Print a success message
+ */
+export function success(text) {
+  console.log(chalk.green('\u2714 ') + text);
+}
+
+/**
+ * Print a warning message
+ */
+export function warning(text) {
+  console.log(chalk.yellow('\u26a0 ') + text);
+}
+
+/**
+ * Print an error message
+ */
+export function error(text) {
+  console.log(chalk.red('\u2718 ') + text);
+}
+
+/**
+ * Print an info message
+ */
+export function info(text) {
+  console.log(chalk.blue('\u2139 ') + text);
+}
+
+const confidenceColors = {
+  high:   chalk.red,
+  medium: chalk.yellow,
+  low:    chalk.gray,
+};
+
+/**
+ * Print a finding (secret detected)
+ */
+export function finding(file, line, patternName, severity, matched, description, confidence) {
+  const color = severityColors[severity] || chalk.white;
+  const icon = severityIcons[severity] || '';
+  const confColor = confidenceColors[confidence] || chalk.gray;
+  const confLabel = confidence ? `  ${chalk.gray('Confidence:')} ${confColor(confidence)}` : '';
+
+  console.log();
+  console.log(chalk.white.bold(`${file}:${line}`));
+  console.log(`  ${icon}${color(`[${severity.toUpperCase()}]`)} ${chalk.white(patternName)}`);
+  console.log(`  ${chalk.gray('Found:')} ${chalk.yellow(maskSecret(matched))}`);
+  if (confLabel) console.log(confLabel);
+  console.log(`  ${chalk.gray('Why:')} ${description}`);
+}
+
+/**
+ * Print a vulnerability finding (code issue — show matched code, not masked)
+ */
+export function vulnerabilityFinding(file, line, patternName, severity, matched, description) {
+  const color = severityColors[severity] || chalk.white;
+  const icon = severityIcons[severity] || '';
+  const snippet = matched.length > 80 ? matched.slice(0, 80) + '…' : matched;
+
+  console.log();
+  console.log(chalk.white.bold(`${file}:${line}`));
+  console.log(`  ${icon}${color(`[${severity.toUpperCase()}]`)} ${chalk.white(patternName)}`);
+  console.log(`  ${chalk.gray('Code:')}  ${chalk.cyan(snippet)}`);
+  console.log(`  ${chalk.gray('Why:')}  ${description}`);
+}
+
+/**
+ * Mask the middle of a secret for safe display
+ */
+export function maskSecret(secret) {
+  if (secret.length <= 6) {
+    return '***';
+  }
+  if (secret.length <= 12) {
+    return secret.substring(0, 3) + '***';
+  }
+  return secret.substring(0, 4) + '***' + secret.substring(secret.length - 4);
+}
+
+/**
+ * Print a summary box
+ *
+ * stats can include:
+ *   total, critical, high, medium, filesScanned
+ *   secretsTotal (optional), vulnsTotal (optional)
+ */
+export function summary(stats) {
+  console.log();
+  console.log(chalk.cyan('='.repeat(60)));
+
+  if (stats.total === 0) {
+    console.log(chalk.green.bold('  \u2714 No issues detected!'));
+  } else {
+    const secretsTotal = stats.secretsTotal ?? stats.total;
+    const vulnsTotal = stats.vulnsTotal ?? 0;
+
+    if (secretsTotal > 0) {
+      console.log(chalk.red.bold(`  \u26a0 Found ${secretsTotal} secret(s)`));
+    }
+    if (vulnsTotal > 0) {
+      console.log(chalk.yellow.bold(`  \u26a0 Found ${vulnsTotal} code vulnerability/vulnerabilities`));
+    }
+
+    if (stats.critical > 0) {
+      console.log(chalk.red(`    \u2022 Critical: ${stats.critical}`));
+    }
+    if (stats.high > 0) {
+      console.log(chalk.red(`    \u2022 High: ${stats.high}`));
+    }
+    if (stats.medium > 0) {
+      console.log(chalk.yellow(`    \u2022 Medium: ${stats.medium}`));
+    }
+  }
+
+  console.log(chalk.gray(`  Files scanned: ${stats.filesScanned}`));
+  console.log(chalk.cyan('='.repeat(60)));
+  console.log(chalk.gray(`  Cloud dashboard & team scanning: `) + chalk.cyan('https://shipsafecli.com'));
+}
+
+/**
+ * Print recommended actions after finding code vulnerabilities
+ */
+export function vulnRecommendations() {
+  console.log();
+  console.log(chalk.yellow.bold('Code Vulnerability Actions:'));
+  console.log();
+  console.log(chalk.white('1.') + ' Fix the flagged code patterns (see "Why" descriptions above)');
+  console.log(chalk.white('2.') + ' Use  # ship-safe-ignore  on lines that are safe (e.g. internal tools, controlled input)');
+  console.log(chalk.white('3.') + ' Run  npx ship-safe checklist  for a full launch-day security review');
+  console.log();
+}
+
+/**
+ * Print recommended actions after finding secrets
+ */
+export function recommendations() {
+  console.log();
+  console.log(chalk.cyan.bold('Recommended Actions:'));
+  console.log();
+  console.log(chalk.white('1.') + ' Move secrets to environment variables (.env file)');
+  console.log(chalk.white('2.') + ' Add .env to your .gitignore');
+  console.log(chalk.white('3.') + chalk.yellow(' If already committed:'));
+  console.log(chalk.gray('   \u2022 Rotate the compromised credentials immediately'));
+  console.log(chalk.gray('   \u2022 Use git-filter-repo or BFG Repo-Cleaner to remove from history'));
+  console.log(chalk.gray('   \u2022 Remember: deleting doesn\'t remove git history!'));
+  console.log();
+  console.log(chalk.white('4.') + ' Set up pre-commit hooks to catch this automatically:');
+  console.log(chalk.gray('   npm install --save-dev husky'));
+  console.log(chalk.gray('   npx husky add .husky/pre-commit "npx ship-safe scan ."'));
+  console.log();
+}
+
+/**
+ * Print a checklist item
+ */
+export function checklistItem(number, title, checked = null) {
+  const checkbox = checked === null
+    ? chalk.gray('[ ]')
+    : checked
+      ? chalk.green('[\u2714]')
+      : chalk.red('[\u2718]');
+
+  console.log(`${checkbox} ${chalk.white.bold(`${number}.`)} ${title}`);
+}
+
+/**
+ * Print progress (for verbose mode)
+ */
+export function progress(text) {
+  process.stdout.write(chalk.gray(`\r${text}`));
+}
+
+/**
+ * Clear the current line
+ */
+export function clearLine() {
+  process.stdout.write('\r' + ' '.repeat(80) + '\r');
+}