ship-safe 9.2.3 → 9.3.0

@@ -691,14 +691,14 @@ export const SECRET_PATTERNS = [
691
691
  // =========================================================================
692
692
  {
693
693
  name: 'Generic API Key Assignment',
694
- pattern: /["']?(?:api[_-]?key|apikey)["']?\s*[:=]\s*["']([a-zA-Z0-9_\-]{20,})["']/gi,
694
+ pattern: /["']?(?:api[_-]?key|apikey)["']?\s*[:=]\s*["']([a-zA-Z0-9_-]{20,})["']/gi,
695
695
  severity: 'medium',
696
696
  requiresEntropyCheck: true,
697
697
  description: 'Hardcoded API keys should be moved to environment variables.'
698
698
  },
699
699
  {
700
700
  name: 'Generic Secret Assignment',
701
- pattern: /["']?(?:secret|secret[_-]?key)["']?\s*[:=]\s*["']([a-zA-Z0-9_\-]{20,})["']/gi,
701
+ pattern: /["']?(?:secret|secret[_-]?key)["']?\s*[:=]\s*["']([a-zA-Z0-9_-]{20,})["']/gi,
702
702
  severity: 'medium',
703
703
  requiresEntropyCheck: true,
704
704
  description: 'Hardcoded secrets should be moved to environment variables.'
@@ -719,7 +719,7 @@ export const SECRET_PATTERNS = [
719
719
  },
720
720
  {
721
721
  name: 'Bearer Token in Code',
722
- pattern: /["']Bearer\s+[a-zA-Z0-9_\-\.=]{20,}["']/gi,
722
+ pattern: /["']Bearer\s+[a-zA-Z0-9_\-.=]{20,}["']/gi,
723
723
  severity: 'medium',
724
724
  requiresEntropyCheck: true,
725
725
  description: 'Hardcoded bearer tokens should not be in source code.'
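Review bot: The value class `[a-zA-Z0-9_-]{20,}` in 'Generic API Key Assignment' and 'Generic Secret Assignment' must be followed immediately by the closing quote, so a quoted key containing `+`, `/`, `=` or `.` (standard base64, dotted tokens) is not matched at all; the escape cleanup leaves that gap as it was. 'Bearer Token in Code' has the same shape: its class omits `+`, `/` and `~`, and the opening `["']` has to sit directly before `Bearer`, so a literal like `'Authorization: Bearer …'` is not flagged. All three entries set `requiresEntropyCheck: true`, so widening the assignment class to `[a-zA-Z0-9_+/=.-]{20,}` and adding `~+/` to the bearer class would probably add coverage with little extra noise; a test case per added character would pin it. The SECRET_PATTERNS array starts and ends outside these hunks.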
@@ -238,7 +238,7 @@ export class SecretsVerifier {
238
238
  if (assigned) return assigned[1];
239
239
 
240
240
  // If the match itself looks like a token, use it
241
- if (/^[a-zA-Z0-9_\-]{20,}$/.test(matched)) return matched;
241
+ if (/^[a-zA-Z0-9_-]{20,}$/.test(matched)) return matched;
242
242
 
243
243
  return null;
244
244
  }
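Review bot: The fallback `/^[a-zA-Z0-9_-]{20,}$/.test(matched)` accepts only a bare token, so a match from the 'Bearer Token in Code' rule, which carries the surrounding quotes, the `Bearer ` prefix and possibly `.` or `=`, cannot pass it and falls through to `return null` unless the earlier `assigned` branch extracts the value. That branch and the start of the method are outside the hunk, so this may already be handled; if it is not, such findings presumably never reach verification. A comment on the line would make the contract explicit, for example `// bare token only; quoted or prefixed matches must be extracted by the assignment branch above`.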
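--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "ship-safe",
- "version": "9.2.3",
+ "version": "9.3.0",
  "description": "AI-powered multi-agent security platform. 23 agents scan 80+ attack classes including AI integration supply chain (Vercel-class attacks), Hermes Agent deployments (ASI-01–ASI-10), tool registry poisoning, function-call injection, skill permission drift, and agent attestation. Ship Safe × Hermes Agent.",
  "main": "cli/index.js",
  "bin": {
@@ -10,6 +10,7 @@
  "scripts": {
  "test": "node --test cli/__tests__/*.test.js",
  "lint": "eslint cli/",
+ "lint:fix": "eslint cli/ --fix",
  "ship-safe": "node cli/bin/ship-safe.js"
  },
  "keywords": [
@@ -65,5 +66,10 @@
  "fast-glob": "^3.3.3",
  "ora": "^8.0.1",
  "write-file-atomic": "^7.0.0"
+ },
+ "devDependencies": {
+ "@eslint/js": "^10.0.1",
+ "eslint": "^10.3.0",
+ "globals": "^17.6.0"
  }
  }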