npm - ship-safe - Versions diffs - 6.1.1 → 6.2.0 - Mend

ship-safe 6.1.1 → 6.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (47) hide show

package/README.md +735 -641
package/cli/agents/api-fuzzer.js +345 -345
package/cli/agents/auth-bypass-agent.js +348 -348
package/cli/agents/base-agent.js +272 -272
package/cli/agents/cicd-scanner.js +236 -201
package/cli/agents/config-auditor.js +521 -521
package/cli/agents/deep-analyzer.js +6 -2
package/cli/agents/git-history-scanner.js +170 -170
package/cli/agents/html-reporter.js +568 -568
package/cli/agents/index.js +84 -84
package/cli/agents/injection-tester.js +500 -500
package/cli/agents/llm-redteam.js +251 -251
package/cli/agents/mobile-scanner.js +231 -231
package/cli/agents/orchestrator.js +322 -322
package/cli/agents/pii-compliance-agent.js +301 -301
package/cli/agents/scoring-engine.js +248 -248
package/cli/agents/supabase-rls-agent.js +154 -154
package/cli/agents/supply-chain-agent.js +650 -507
package/cli/bin/ship-safe.js +452 -426
package/cli/commands/agent.js +608 -608
package/cli/commands/audit.js +986 -980
package/cli/commands/baseline.js +193 -193
package/cli/commands/ci.js +342 -342
package/cli/commands/deps.js +516 -516
package/cli/commands/doctor.js +159 -159
package/cli/commands/fix.js +218 -218
package/cli/commands/hooks.js +268 -0
package/cli/commands/init.js +407 -407
package/cli/commands/mcp.js +304 -304
package/cli/commands/red-team.js +7 -1
package/cli/commands/remediate.js +798 -798
package/cli/commands/rotate.js +571 -571
package/cli/commands/scan.js +569 -569
package/cli/commands/score.js +449 -449
package/cli/commands/watch.js +281 -281
package/cli/hooks/patterns.js +313 -0
package/cli/hooks/post-tool-use.js +140 -0
package/cli/hooks/pre-tool-use.js +186 -0
package/cli/index.js +73 -69
package/cli/providers/llm-provider.js +397 -287
package/cli/utils/autofix-rules.js +74 -74
package/cli/utils/cache-manager.js +311 -311
package/cli/utils/output.js +230 -230
package/cli/utils/patterns.js +1121 -1121
package/cli/utils/pdf-generator.js +94 -94
package/package.json +69 -69
package/configs/supabase/rls-templates.sql +0 -242

package/cli/utils/autofix-rules.js CHANGED Viewed

@@ -1,74 +1,74 @@
-/**
- * Auto-Fix Rules
- * ================
- *
- * Pure functions that transform a source line to fix a security issue.
- * Each rule maps to a finding rule name from the agents.
- *
- * Used by `ship-safe remediate --all` to auto-fix agent-detected issues
- * beyond just secrets.
- */
-export const AUTOFIX_RULES = [
-  {
-    rule: 'TLS_REJECT_UNAUTHORIZED',
-    match: /rejectUnauthorized\s*:\s*false/g,
-    replace: (line) => line.replace(/rejectUnauthorized\s*:\s*false/, 'rejectUnauthorized: true // TODO: configure proper CA bundle'),
-    description: 'Enable TLS certificate verification',
-  },
-  {
-    rule: 'DOCKER_LATEST_TAG',
-    match: /FROM\s+(\S+):latest/gi,
-    replace: (line) => {
-      return line.replace(/FROM\s+(\S+):latest/i, (_, image) => {
-        const pinned = { node: 'node:20-alpine', python: 'python:3.12-slim', nginx: 'nginx:1.25-alpine', ruby: 'ruby:3.3-slim' };
-        return `FROM ${pinned[image] || image + ':latest'} # TODO: pin to specific version`;
-      });
-    },
-    description: 'Pin Docker base image to a specific version',
-  },
-  {
-    rule: 'DEBUG_MODE_PRODUCTION',
-    match: /(?:DEBUG|debug)\s*[:=]\s*(?:true|True|1|['"]true['"])/g,
-    replace: (line) => line
-      .replace(/DEBUG\s*=\s*True/, 'DEBUG = False')
-      .replace(/DEBUG\s*=\s*true/, 'DEBUG = false')
-      .replace(/debug\s*:\s*true/, 'debug: false')
-      .replace(/debug\s*=\s*['"]true['"]/, "debug = 'false'"),
-    description: 'Disable debug mode for production',
-  },
-  {
-    rule: 'XSS_DANGEROUS_INNER_HTML',
-    match: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}\s*\}/g, // ship-safe-ignore: autofix pattern
-    replace: (line) => {
-      return line.replace(
-        /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}\s*\}/,
-        (_, value) => `dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(${value.trim()}) }}` // ship-safe-ignore: replacement template
-      );
-    },
-    description: 'Wrap dangerouslySetInnerHTML value in DOMPurify.sanitize()',
-  },
-  {
-    rule: 'CMD_INJECTION_SHELL_TRUE',
-    match: /shell\s*:\s*true/g,
-    replace: (line) => line.replace(/shell\s*:\s*true/, 'shell: false // TODO: ensure command works without shell'),
-    description: 'Disable shell execution in spawn/exec',
-  },
-];
-/**
- * Check if a finding's rule has an autofix available.
- */
-export function hasAutofix(rule) {
-  return AUTOFIX_RULES.some(r => r.rule === rule);
-}
-/**
- * Apply an autofix rule to a line.
- * Returns the fixed line, or the original if no rule matches.
- */
-export function applyAutofix(rule, line) {
-  const fixRule = AUTOFIX_RULES.find(r => r.rule === rule);
-  if (!fixRule) return line;
-  return fixRule.replace(line);
-}
+/**
+ * Auto-Fix Rules
+ * ================
+ *
+ * Pure functions that transform a source line to fix a security issue.
+ * Each rule maps to a finding rule name from the agents.
+ *
+ * Used by `ship-safe remediate --all` to auto-fix agent-detected issues
+ * beyond just secrets.
+ */
+export const AUTOFIX_RULES = [
+  {
+    rule: 'TLS_REJECT_UNAUTHORIZED',
+    match: /rejectUnauthorized\s*:\s*false/g,
+    replace: (line) => line.replace(/rejectUnauthorized\s*:\s*false/, 'rejectUnauthorized: true // TODO: configure proper CA bundle'),
+    description: 'Enable TLS certificate verification',
+  },
+  {
+    rule: 'DOCKER_LATEST_TAG',
+    match: /FROM\s+(\S+):latest/gi,
+    replace: (line) => {
+      return line.replace(/FROM\s+(\S+):latest/i, (_, image) => {
+        const pinned = { node: 'node:20-alpine', python: 'python:3.12-slim', nginx: 'nginx:1.25-alpine', ruby: 'ruby:3.3-slim' };
+        return `FROM ${pinned[image] || image + ':latest'} # TODO: pin to specific version`;
+      });
+    },
+    description: 'Pin Docker base image to a specific version',
+  },
+  {
+    rule: 'DEBUG_MODE_PRODUCTION',
+    match: /(?:DEBUG|debug)\s*[:=]\s*(?:true|True|1|['"]true['"])/g,
+    replace: (line) => line
+      .replace(/DEBUG\s*=\s*True/, 'DEBUG = False')
+      .replace(/DEBUG\s*=\s*true/, 'DEBUG = false')
+      .replace(/debug\s*:\s*true/, 'debug: false')
+      .replace(/debug\s*=\s*['"]true['"]/, "debug = 'false'"),
+    description: 'Disable debug mode for production',
+  },
+  {
+    rule: 'XSS_DANGEROUS_INNER_HTML',
+    match: /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}\s*\}/g, // ship-safe-ignore: autofix pattern
+    replace: (line) => {
+      return line.replace(
+        /dangerouslySetInnerHTML\s*=\s*\{\s*\{\s*__html\s*:\s*([^}]+)\}\s*\}/,
+        (_, value) => `dangerouslySetInnerHTML={{ __html: DOMPurify.sanitize(${value.trim()}) }}` // ship-safe-ignore: replacement template
+      );
+    },
+    description: 'Wrap dangerouslySetInnerHTML value in DOMPurify.sanitize()',
+  },
+  {
+    rule: 'CMD_INJECTION_SHELL_TRUE',
+    match: /shell\s*:\s*true/g,
+    replace: (line) => line.replace(/shell\s*:\s*true/, 'shell: false // TODO: ensure command works without shell'),
+    description: 'Disable shell execution in spawn/exec',
+  },
+];
+/**
+ * Check if a finding's rule has an autofix available.
+ */
+export function hasAutofix(rule) {
+  return AUTOFIX_RULES.some(r => r.rule === rule);
+}
+/**
+ * Apply an autofix rule to a line.
+ * Returns the fixed line, or the original if no rule matches.
+ */
+export function applyAutofix(rule, line) {
+  const fixRule = AUTOFIX_RULES.find(r => r.rule === rule);
+  if (!fixRule) return line;
+  return fixRule.replace(line);
+}