ship-safe 6.1.1 → 6.2.0

package/cli/utils/pdf-generator.js

@@ -1,94 +1,94 @@
-/**
- * PDF Generator
- * ==============
- *
- * Zero-dependency PDF generation via Chrome/Chromium headless mode.
- * Falls back to generating a print-optimized HTML file if Chrome is not found.
- */
-
-import fs from 'fs';
-import path from 'path';
-import { execFileSync } from 'child_process';
-
-/**
- * Well-known Chrome/Chromium paths by platform.
- */
-function findChrome() {
-  const candidates = process.platform === 'win32'
-    ? [
-        process.env.CHROME_PATH,
-        'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
-        'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
-        process.env.LOCALAPPDATA && path.join(process.env.LOCALAPPDATA, 'Google\\Chrome\\Application\\chrome.exe'),
-      ]
-    : process.platform === 'darwin'
-    ? [
-        process.env.CHROME_PATH,
-        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
-        '/Applications/Chromium.app/Contents/MacOS/Chromium',
-      ]
-    : [
-        process.env.CHROME_PATH,
-        '/usr/bin/google-chrome',
-        '/usr/bin/google-chrome-stable',
-        '/usr/bin/chromium',
-        '/usr/bin/chromium-browser',
-        '/snap/bin/chromium',
-      ];
-
-  for (const c of candidates) {
-    if (c && fs.existsSync(c)) return c;
-  }
-  return null;
-}
-
-/**
- * Check if Chrome is available.
- */
-export function isChromeAvailable() {
-  return findChrome() !== null;
-}
-
-/**
- * Generate PDF from an HTML file using Chrome headless.
- * Returns the output path, or null if Chrome is not available.
- */
-export function generatePDF(htmlPath, outputPath) {
-  const chrome = findChrome();
-  if (!chrome) return null;
-
-  try {
-    const args = [
-      '--headless',
-      '--disable-gpu',
-      '--no-sandbox',
-      `--print-to-pdf=${outputPath}`,
-      '--print-to-pdf-no-header',
-      htmlPath,
-    ];
-    execFileSync(chrome, args, { timeout: 30000, stdio: 'pipe' }); // ship-safe-ignore — execFileSync with fixed chrome binary path; no user input in command
-    return outputPath;
-  } catch {
-    return null;
-  }
-}
-
-/**
- * Generate a print-optimized HTML file as PDF fallback.
- */
-export function generatePrintHTML(htmlPath, outputPath) {
-  let html = fs.readFileSync(htmlPath, 'utf-8');
-  // Add print-optimized styles
-  const printCSS = `
-<style media="print">
-  body { background: #fff !important; color: #1e293b !important; }
-  .score-card, .stat, .summary-card, .toc { background: #f8fafc !important; border: 1px solid #e2e8f0 !important; }
-  table, th, td { border: 1px solid #e2e8f0 !important; }
-  code { background: #f1f5f9 !important; color: #0f172a !important; }
-  pre { background: #f1f5f9 !important; }
-  a { color: #0369a1 !important; }
-</style>`;
-  html = html.replace('</head>', printCSS + '\n</head>');
-  fs.writeFileSync(outputPath, html);
-  return outputPath;
-}
+/**
+ * PDF Generator
+ * ==============
+ *
+ * Zero-dependency PDF generation via Chrome/Chromium headless mode.
+ * Falls back to generating a print-optimized HTML file if Chrome is not found.
+ */
+
+import fs from 'fs';
+import path from 'path';
+import { execFileSync } from 'child_process';
+
+/**
+ * Well-known Chrome/Chromium paths by platform.
+ */
+function findChrome() {
+  const candidates = process.platform === 'win32'
+    ? [
+        process.env.CHROME_PATH,
+        'C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe',
+        'C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe',
+        process.env.LOCALAPPDATA && path.join(process.env.LOCALAPPDATA, 'Google\\Chrome\\Application\\chrome.exe'),
+      ]
+    : process.platform === 'darwin'
+    ? [
+        process.env.CHROME_PATH,
+        '/Applications/Google Chrome.app/Contents/MacOS/Google Chrome',
+        '/Applications/Chromium.app/Contents/MacOS/Chromium',
+      ]
+    : [
+        process.env.CHROME_PATH,
+        '/usr/bin/google-chrome',
+        '/usr/bin/google-chrome-stable',
+        '/usr/bin/chromium',
+        '/usr/bin/chromium-browser',
+        '/snap/bin/chromium',
+      ];
+
+  for (const c of candidates) {
+    if (c && fs.existsSync(c)) return c;
+  }
+  return null;
+}
+
+/**
+ * Check if Chrome is available.
+ */
+export function isChromeAvailable() {
+  return findChrome() !== null;
+}
+
+/**
+ * Generate PDF from an HTML file using Chrome headless.
+ * Returns the output path, or null if Chrome is not available.
+ */
+export function generatePDF(htmlPath, outputPath) {
+  const chrome = findChrome();
+  if (!chrome) return null;
+
+  try {
+    const args = [
+      '--headless',
+      '--disable-gpu',
+      '--no-sandbox',
+      `--print-to-pdf=${outputPath}`,
+      '--print-to-pdf-no-header',
+      htmlPath,
+    ];
+    execFileSync(chrome, args, { timeout: 30000, stdio: 'pipe' }); // ship-safe-ignore — execFileSync with fixed chrome binary path; no user input in command
+    return outputPath;
+  } catch {
+    return null;
+  }
+}
+
+/**
+ * Generate a print-optimized HTML file as PDF fallback.
+ */
+export function generatePrintHTML(htmlPath, outputPath) {
+  let html = fs.readFileSync(htmlPath, 'utf-8');
+  // Add print-optimized styles
+  const printCSS = `
+<style media="print">
+  body { background: #fff !important; color: #1e293b !important; }
+  .score-card, .stat, .summary-card, .toc { background: #f8fafc !important; border: 1px solid #e2e8f0 !important; }
+  table, th, td { border: 1px solid #e2e8f0 !important; }
+  code { background: #f1f5f9 !important; color: #0f172a !important; }
+  pre { background: #f1f5f9 !important; }
+  a { color: #0369a1 !important; }
+</style>`;
+  html = html.replace('</head>', printCSS + '\n</head>');
+  fs.writeFileSync(outputPath, html);
+  return outputPath;
+}

package/package.json

@@ -1,69 +1,69 @@
-{
-  "name": "ship-safe",
-  "version": "6.1.1",
-  "description": "AI-powered multi-agent security platform. 18 agents scan 80+ attack classes with LLM-powered deep analysis. Red team your code before attackers do.",
-  "main": "cli/index.js",
-  "bin": {
-    "ship-safe": "cli/bin/ship-safe.js"
-  },
-  "type": "module",
-  "scripts": {
-    "test": "node --test cli/__tests__/*.test.js",
-    "lint": "eslint cli/",
-    "ship-safe": "node cli/bin/ship-safe.js"
-  },
-  "keywords": [
-    "security",
-    "secrets",
-    "scanner",
-    "sast",
-    "devsecops",
-    "red-team",
-    "penetration-testing",
-    "vulnerability-scanner",
-    "sbom",
-    "owasp",
-    "sql-injection",
-    "xss",
-    "ssrf",
-    "supply-chain",
-    "llm-security",
-    "prompt-injection",
-    "api-security",
-    "docker-security",
-    "kubernetes",
-    "cicd-security",
-    "mobile-security",
-    "jwt",
-    "cors",
-    "cli"
-  ],
-  "author": "ship-safe contributors",
-  "license": "MIT",
-  "repository": {
-    "type": "git",
-    "url": "git+https://github.com/asamassekou10/ship-safe.git"
-  },
-  "bugs": {
-    "url": "https://github.com/asamassekou10/ship-safe/issues"
-  },
-  "homepage": "https://github.com/asamassekou10/ship-safe#readme",
-  "engines": {
-    "node": ">=18.0.0"
-  },
-  "files": [
-    "cli/",
-    "!cli/__tests__/",
-    "checklists/",
-    "configs/",
-    "snippets/",
-    "ai-defense/"
-  ],
-  "dependencies": {
-    "chalk": "^5.3.0",
-    "commander": "^12.1.0",
-    "fast-glob": "^3.3.3",
-    "ora": "^8.0.1",
-    "write-file-atomic": "^7.0.0"
-  }
-}
+{
+  "name": "ship-safe",
+  "version": "6.2.0",
+  "description": "AI-powered multi-agent security platform. 18 agents scan 80+ attack classes with LLM-powered deep analysis. Red team your code before attackers do.",
+  "main": "cli/index.js",
+  "bin": {
+    "ship-safe": "cli/bin/ship-safe.js"
+  },
+  "type": "module",
+  "scripts": {
+    "test": "node --test cli/__tests__/*.test.js",
+    "lint": "eslint cli/",
+    "ship-safe": "node cli/bin/ship-safe.js"
+  },
+  "keywords": [
+    "security",
+    "secrets",
+    "scanner",
+    "sast",
+    "devsecops",
+    "red-team",
+    "penetration-testing",
+    "vulnerability-scanner",
+    "sbom",
+    "owasp",
+    "sql-injection",
+    "xss",
+    "ssrf",
+    "supply-chain",
+    "llm-security",
+    "prompt-injection",
+    "api-security",
+    "docker-security",
+    "kubernetes",
+    "cicd-security",
+    "mobile-security",
+    "jwt",
+    "cors",
+    "cli"
+  ],
+  "author": "ship-safe contributors",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/asamassekou10/ship-safe.git"
+  },
+  "bugs": {
+    "url": "https://github.com/asamassekou10/ship-safe/issues"
+  },
+  "homepage": "https://github.com/asamassekou10/ship-safe#readme",
+  "engines": {
+    "node": ">=18.0.0"
+  },
+  "files": [
+    "cli/",
+    "!cli/__tests__/",
+    "checklists/",
+    "configs/",
+    "snippets/",
+    "ai-defense/"
+  ],
+  "dependencies": {
+    "chalk": "^5.3.0",
+    "commander": "^12.1.0",
+    "fast-glob": "^3.3.3",
+    "ora": "^8.0.1",
+    "write-file-atomic": "^7.0.0"
+  }
+}

package/configs/supabase/rls-templates.sql

@@ -1,242 +0,0 @@
--- =============================================================================
--- SUPABASE ROW LEVEL SECURITY (RLS) TEMPLATES
--- =============================================================================
---
--- Copy-paste these policies to secure your Supabase tables.
---
--- WHY RLS MATTERS:
--- Without RLS, anyone with your anon key can read/write ALL data.
--- 83% of exposed Supabase databases have RLS misconfigurations.
--- Source: https://byteiota.com/supabase-security-flaw-170-apps-exposed-by-missing-rls/
---
--- HOW TO USE:
--- 1. Enable RLS on your table: ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
--- 2. Copy the relevant policy below
--- 3. Replace 'your_table' with your actual table name
--- 4. Test with different user contexts
---
--- =============================================================================
-
-
--- =============================================================================
--- STEP 1: ALWAYS ENABLE RLS FIRST
--- =============================================================================
-
--- Enable RLS on a table (REQUIRED before adding policies)
-ALTER TABLE your_table ENABLE ROW LEVEL SECURITY;
-
--- Force RLS for table owners too (recommended for security)
-ALTER TABLE your_table FORCE ROW LEVEL SECURITY;
-
-
--- =============================================================================
--- PATTERN 1: USER OWNS THEIR DATA
--- =============================================================================
--- Use when: Each user should only see/edit their own records
--- Example tables: profiles, settings, user_preferences
-
--- Users can only SELECT their own rows
-CREATE POLICY "Users can view own data"
-ON your_table
-FOR SELECT
-USING (auth.uid() = user_id);
-
--- Users can only INSERT rows with their own user_id
-CREATE POLICY "Users can insert own data"
-ON your_table
-FOR INSERT
-WITH CHECK (auth.uid() = user_id);
-
--- Users can only UPDATE their own rows
-CREATE POLICY "Users can update own data"
-ON your_table
-FOR UPDATE
-USING (auth.uid() = user_id)
-WITH CHECK (auth.uid() = user_id);
-
--- Users can only DELETE their own rows
-CREATE POLICY "Users can delete own data"
-ON your_table
-FOR DELETE
-USING (auth.uid() = user_id);
-
--- COMBINED: All operations for own data (simpler but less granular)
-CREATE POLICY "Users manage own data"
-ON your_table
-FOR ALL
-USING (auth.uid() = user_id)
-WITH CHECK (auth.uid() = user_id);
-
-
--- =============================================================================
--- PATTERN 2: ORGANIZATION/TEAM BASED ACCESS
--- =============================================================================
--- Use when: Users belong to orgs and should see all org data
--- Example tables: projects, documents, team_settings
-
--- First, create a helper function to get user's org
-CREATE OR REPLACE FUNCTION get_user_org_id()
-RETURNS UUID AS $$
-  SELECT org_id FROM profiles WHERE id = auth.uid()
-$$ LANGUAGE SQL SECURITY DEFINER;
-
--- Users can view all data in their organization
-CREATE POLICY "Org members can view org data"
-ON your_table
-FOR SELECT
-USING (org_id = get_user_org_id());
-
--- Users can insert data into their organization
-CREATE POLICY "Org members can insert org data"
-ON your_table
-FOR INSERT
-WITH CHECK (org_id = get_user_org_id());
-
--- Only allow updates to org data
-CREATE POLICY "Org members can update org data"
-ON your_table
-FOR UPDATE
-USING (org_id = get_user_org_id())
-WITH CHECK (org_id = get_user_org_id());
-
-
--- =============================================================================
--- PATTERN 3: ROLE-BASED ACCESS CONTROL (RBAC)
--- =============================================================================
--- Use when: Different users have different permission levels
--- Example: admin, editor, viewer roles
-
--- Helper function to check user role
-CREATE OR REPLACE FUNCTION get_user_role()
-RETURNS TEXT AS $$
-  SELECT role FROM profiles WHERE id = auth.uid()
-$$ LANGUAGE SQL SECURITY DEFINER;
-
--- Anyone authenticated can view (public within app)
-CREATE POLICY "Authenticated users can view"
-ON your_table
-FOR SELECT
-USING (auth.role() = 'authenticated');
-
--- Only admins and editors can insert
-CREATE POLICY "Admins and editors can insert"
-ON your_table
-FOR INSERT
-WITH CHECK (get_user_role() IN ('admin', 'editor'));
-
--- Only admins can delete
-CREATE POLICY "Only admins can delete"
-ON your_table
-FOR DELETE
-USING (get_user_role() = 'admin');
-
-
--- =============================================================================
--- PATTERN 4: PUBLIC READ, AUTHENTICATED WRITE
--- =============================================================================
--- Use when: Content is public but only logged-in users can contribute
--- Example tables: blog_posts, comments, public_profiles
-
--- Anyone can read (including anonymous)
-CREATE POLICY "Public read access"
-ON your_table
-FOR SELECT
-USING (true);
-
--- Only authenticated users can insert
-CREATE POLICY "Authenticated users can insert"
-ON your_table
-FOR INSERT
-WITH CHECK (auth.role() = 'authenticated');
-
--- Users can only update their own posts
-CREATE POLICY "Users can update own posts"
-ON your_table
-FOR UPDATE
-USING (auth.uid() = author_id)
-WITH CHECK (auth.uid() = author_id);
-
-
--- =============================================================================
--- PATTERN 5: PRIVATE BY DEFAULT (Explicit sharing)
--- =============================================================================
--- Use when: Data is private unless explicitly shared
--- Example tables: documents, files with sharing
-
--- Owner can always access
-CREATE POLICY "Owner full access"
-ON documents
-FOR ALL
-USING (auth.uid() = owner_id)
-WITH CHECK (auth.uid() = owner_id);
-
--- Shared users can view (requires a shares table)
-CREATE POLICY "Shared users can view"
-ON documents
-FOR SELECT
-USING (
-  auth.uid() = owner_id
-  OR
-  EXISTS (
-    SELECT 1 FROM document_shares
-    WHERE document_shares.document_id = documents.id
-    AND document_shares.user_id = auth.uid()
-  )
-);
-
-
--- =============================================================================
--- PATTERN 6: TIME-BASED ACCESS
--- =============================================================================
--- Use when: Content has publish dates or expiration
--- Example tables: scheduled_posts, limited_offers
-
--- Only show published content
-CREATE POLICY "Show only published content"
-ON posts
-FOR SELECT
-USING (
-  published_at IS NOT NULL
-  AND published_at <= NOW()
-  AND (expires_at IS NULL OR expires_at > NOW())
-);
-
--- Authors can always see their drafts
-CREATE POLICY "Authors see own drafts"
-ON posts
-FOR SELECT
-USING (auth.uid() = author_id);
-
-
--- =============================================================================
--- ANTI-PATTERNS: DON'T DO THIS
--- =============================================================================
-
--- BAD: Allows anyone to read everything
--- CREATE POLICY "bad_policy" ON users FOR SELECT USING (true);
-
--- BAD: No WITH CHECK means users could insert data for other users
--- CREATE POLICY "bad_insert" ON posts FOR INSERT WITH CHECK (true);
-
--- BAD: Missing USING clause on UPDATE allows updating any row
--- CREATE POLICY "bad_update" ON posts FOR UPDATE WITH CHECK (auth.uid() = user_id);
-
-
--- =============================================================================
--- TESTING YOUR POLICIES
--- =============================================================================
-
--- Test as a specific user (in SQL editor)
--- SET request.jwt.claim.sub = 'user-uuid-here';
--- SELECT * FROM your_table;
-
--- Check existing policies on a table
-SELECT * FROM pg_policies WHERE tablename = 'your_table';
-
--- List all tables without RLS enabled (DANGER!)
-SELECT schemaname, tablename
-FROM pg_tables
-WHERE schemaname = 'public'
-AND tablename NOT IN (
-  SELECT tablename FROM pg_policies
-);