sicario-red-team 3.0.0 → 3.1.1

package/README.md

@@ -1,63 +1,118 @@
-# 🎯 Sicario: Autonomous Red-Team Swarm
+# 🎯 Sicario: Developer-First Security Scanner
 
-**The AI Security Co-Founder for Modern Web Development.**
+**The developer-first security scanner for modern web applications.**
 
-AI coding assistants (**Cursor, v0, GitHub Copilot**) allow you to ship full-stack applications in hours. But while they write beautiful React components, they frequently hallucinate critical **Business Logic Vulnerabilities**—like allowing users to bypass paywalls, mutate cart prices, or escalate their own privileges.
+AI coding assistants (**Cursor, v0, GitHub Copilot**) allow you to ship full-stack applications in hours. But while they write beautiful code, they frequently introduce critical vulnerabilities — like hardcoded secrets, business logic bypasses, LLM injection vectors, and supply chain risks.
 
-Legacy vulnerability scanners (like Snyk or Burp Suite) are built for enterprise compliance, not rapid development. They read static code and output dense, 40-page PDFs.
+Legacy scanners (Snyk, Burp) are built for enterprise compliance, not rapid development. They output dense PDFs that nobody reads.
 
-**Sicario** is different. It is an autonomous, locally-running AI swarm that plays your application like a video game. It hunts the logic flaws your AI generated, and gives you the exact prompt to fix them.
+**Sicario** is different. It is a locally-running static analysis scanner that understands your code's semantic intent — parsing your source into an Abstract Syntax Tree to detect complex flaws that regex-based tools miss. Beautiful output. Interactive workflow. Fix with one command.
 
 ---
 
-## 🚀 Zero-Friction Quickstart
+## 🚀 Quickstart
 
-No configuration files. No heavy desktop apps. No credit card required.
+No API keys to copy. No configuration files to edit.
 
 ```bash
-# Launch a continuous background siege on your local dev server
-npx sicario-red-team@latest watch http://localhost:3000
+# Scan current directory (no install needed)
+npx sicario-red-team@latest
+
+# Or install globally
+npm install -g sicario-red-team
+
+# Link to cloud dashboard
+sicario login
+
+# Continuous scanning as you code
+sicario watch
+
+# AI fix + GitHub PR
+sicario fix --pr
 ```
 
 ---
 
-## 🔪 The Vanguard Features
+## ✨ Features
 
-### 1. Intent-Based Sieges
-Stop writing complex testing configurations. Just tell Sicario what you want it to steal in plain English, and the Swarm figures out how to execute the attack.
+- **AST-Based Scanning** — Parses TypeScript, JavaScript, Python, Go, and Rust into ASTs for deep semantic analysis
+- **Secrets Detection** — 30+ patterns including AWS keys, GitHub tokens, Stripe keys, and high-entropy strings
+- **LLM Vulnerability Detection** — Prompt injection, insecure output handling, unsafe model configurations
+- **Business Logic Analysis** — Missing auth checks, IDOR, mass assignment, rate limiting gaps
+- **Supply Chain Auditing** — OSV database queries, typosquatting detection, SBOM generation (`--sbom`)
+- **AI Auto-Fix (Scribe)** — Generates and applies code patches, or opens GitHub PRs with `sicario fix --pr`
+- **Cloud Dashboard** — Sync findings to Mission Control for team visibility and compliance reporting
+- **Beautiful Output** — Rich terminal UI with interactive post-scan menu, watch mode, and CI/CD integration
 
-```bash
-npx sicario-red-team hit --target http://localhost:3000 --intent "Try to manipulate the checkout payload to get the Pro Plan for free."
-```
+---
+
+## 🔧 Core Commands
+
+| Command | Description |
+|---|---|
+| `sicario scan [path]` | Scan a directory or file |
+| `sicario fix` | Apply AI-generated patches locally |
+| `sicario fix --pr` | Open a GitHub PR with the fix |
+| `sicario triage` | Launch the interactive TUI Mission Control |
+| `sicario login` | Authenticate with the cloud dashboard |
+| `sicario watch` | Continuous scanning as you code |
+| `sicario init` | Initialize a `.sicarioignore` config file |
+
+### Useful Flags
+
+| Flag | Description |
+|---|---|
+| `--sbom` | Generate a CycloneDX JSON Software Bill of Materials |
+| `--baseline <file>` | Suppress findings present in a saved baseline file |
+| `--fail-on <severity>` | Exit with code 1 at/above this severity (CI/CD gating) |
+| `--dry-run` | Preview what would be scanned/fixed without writing files |
+| `--incremental` | Scan only files changed since last Git commit |
+| `--format <fmt>` | Output format: `text`, `json`, `sarif`, `markdown` |
 
-### 2. The Scribe (Prompt-to-Patch)
-When Sicario confirms an exploit, it doesn't just give you a stack trace. The **Scribe Node** automatically generates a natural-language "Cursor-ready" prompt. Just copy and paste the Scribe's output back into your AI IDE, and it will write the patch for you.
+---
+
+## ☁️ Cloud Dashboard
 
-### 3. Continuous Localhost Protection (The Lazy Watcher)
-Run `sicario watch` in the background. Sicario uses a zero-cost local DOM-diffing engine to monitor your app. The moment you hit "Save" on a new form or feature, the Swarm wakes up, micro-sieges the new code for logic flaws, and goes back to sleep.
+After running `sicario login`, scan results automatically sync to your Mission Control dashboard at [usesicario.xyz/dashboard](https://usesicario.xyz/dashboard).
 
-### 4. DOM Supremacy
-Modern web apps aren't static HTML pages. Sicario utilizes a headless Chromium engine to intercept asynchronous fetch requests, wait for React hydration, and pierce Web Component Shadow DOMs. It attacks your app exactly how a real human would.
+The dashboard provides:
+- Scan history and finding trends over time
+- Severity distribution and OWASP category breakdown
+- Compliance report export (OWASP, PCI-DSS, HIPAA)
+- Remote AI remediation for GitHub-connected repositories
+
+```bash
+# Authenticate once — all future scans sync automatically
+sicario login
+```
 
 ---
 
-## 🛡️ Swarm Architecture & Safety
+## 🛡️ Detection Engines
+
+Sicario runs 4 detection engines on every scan:
 
-Sicario runs locally on your machine. By default, it operates in **SHADOW TIER** (Dry-Run mode), meaning it maps your application and simulates attacks without mutating your database.
+1. **Secrets Engine** — Detects hardcoded credentials, API keys, and high-entropy strings
+2. **LLM Guard** — Identifies prompt injection, unsafe AI output handling, and insecure model configs
+3. **Business Logic Engine** — Finds auth bypasses, IDOR, mass assignment, and missing rate limits
+4. **Supply Chain Engine** — Audits dependencies against the OSV database, detects typosquatting
 
-To authorize active database mutations and live POST/PUT exploits on your local environment, pass the `--live-fire` flag.
+**Supported Languages:** TypeScript · JavaScript · Python · Go · Rust
 
 ---
 
-## 💎 Sicario Operator Tier
+## 💎 Pricing
 
-The free NPM package is powered by a rate-limited, free-tier Critic Cascade.
+| Tier | Price | Includes |
+|---|---|---|
+| **Hacker** | Free | Full AST scanning, SARIF/JSON/Markdown reports, watch mode, CI/CD integration, cloud dashboard |
+| **Pro** | Paid | Everything in Hacker + AI auto-fix, GitHub PR creation, SBOM generation, remote fix from dashboard |
+| **Enterprise** | Coming Soon | SSO, custom SLAs, dedicated support |
 
-For professional engineering teams that require:
+Upgrade at [usesicario.xyz](https://usesicario.xyz).
+
+---
 
-*   **Unlimited Tokens** & Zero Rate Limits
-*   **Enterprise Auth Vaulting** (Bypass Okta/Auth0)
-*   **Unredacted Swarm Reasoning Logs**
-*   **CI/CD Pipeline Integration**
+## 📄 License
 
-Upgrade your license at [sicario-red-team.com](https://sicario-red-team.com).
+See [LICENSE](./LICENSE) for details.

package/dist/OWASP_black_logo.svg

@@ -0,0 +1,97 @@
+<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 20010904//EN"
+ "http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd">
+<svg version="1.0" xmlns="http://www.w3.org/2000/svg"
+ width="1736.000000pt" height="514.000000pt" viewBox="0 0 1736.000000 514.000000"
+ preserveAspectRatio="xMidYMid meet">
+<metadata>
+Created by potrace 1.16, written by Peter Selinger 2001-2019
+</metadata>
+<g transform="translate(0.000000,514.000000) scale(0.100000,-0.100000)"
+fill="#000000" stroke="none">
+<path d="M2280 5129 c-382 -43 -780 -184 -1089 -385 -549 -359 -913 -844
+-1091 -1459 -117 -403 -131 -859 -40 -1279 152 -698 622 -1328 1256 -1683 262
+-147 597 -258 904 -300 182 -24 568 -25 718 0 365 59 649 159 928 324 811 482
+1274 1296 1274 2239 0 505 -143 982 -418 1394 -116 174 -201 278 -337 416
+-395 397 -921 654 -1484 724 -175 21 -473 26 -621 9z m572 -405 c976 -125
+1749 -903 1873 -1884 32 -250 13 -557 -50 -807 -151 -598 -566 -1114 -1123
+-1397 -864 -437 -1882 -260 -2555 444 -333 347 -535 789 -588 1285 -16 148 -6
+417 20 565 89 500 326 927 700 1263 318 286 726 473 1157 531 140 20 416 19
+566 0z"/>
+<path d="M3495 4140 c-3 -9 10 -46 30 -84 28 -53 35 -79 35 -122 0 -53 -33
+-154 -50 -154 -4 0 -12 11 -18 25 -27 59 -133 71 -169 19 -20 -29 -30 -38 -90
+-90 -63 -53 -75 -120 -48 -251 l7 -31 -43 10 c-24 5 -72 7 -105 4 l-61 -6 -52
+79 -53 80 12 115 c19 185 -6 202 -34 23 -21 -131 -20 -163 9 -241 14 -37 25
+-69 25 -71 0 -8 -82 35 -102 52 -9 9 -35 70 -58 137 -43 128 -55 155 -66 144
+-11 -12 54 -287 76 -318 l20 -29 -28 9 c-51 14 -73 30 -160 119 -88 90 -117
+97 -61 14 77 -112 146 -170 251 -212 61 -25 87 -46 72 -61 -5 -4 -154 17 -344
+50 -584 102 -818 124 -1255 123 -298 -2 -462 -13 -495 -33 -25 -15 5 -56 82
+-113 130 -95 266 -177 391 -237 232 -111 370 -145 587 -145 162 0 132 -9 341
+102 67 35 67 35 369 65 167 16 306 26 311 21 4 -4 20 -34 34 -66 l25 -58 -22
+8 c-13 4 -57 8 -98 8 -100 0 -167 -33 -320 -158 -262 -213 -437 -421 -622
+-737 -90 -153 -278 -536 -278 -566 0 -16 48 5 300 130 424 210 685 397 918
+659 238 268 286 374 238 524 l-7 22 58 -25 c32 -14 62 -29 67 -34 4 -4 1 -81
+-8 -172 -9 -89 -20 -216 -26 -281 -12 -137 -35 -213 -91 -303 -54 -85 -69
+-139 -69 -249 0 -98 34 -297 73 -420 50 -163 283 -568 367 -638 42 -36 57 -34
+70 10 18 62 32 385 26 583 -13 378 -38 604 -122 1110 -30 179 -54 337 -54 353
+0 53 25 26 74 -78 48 -104 49 -104 145 -180 53 -41 99 -75 104 -75 22 0 -2 33
+-74 102 -61 58 -85 88 -100 128 l-20 52 31 -22 c33 -24 304 -89 317 -77 12 12
+-13 24 -149 69 l-127 42 -27 49 c-14 26 -24 51 -21 54 3 3 40 -6 81 -20 81
+-27 103 -27 274 4 110 20 84 31 -65 27 l-139 -3 -71 49 -71 48 1 105 c0 101 1
+104 21 98 12 -3 51 -9 88 -12 85 -7 146 19 186 81 15 22 31 43 37 45 5 2 22
+17 37 32 45 45 32 128 -26 159 -14 7 -26 16 -26 19 0 9 141 61 163 61 9 0 53
+-18 97 -40 44 -22 86 -40 95 -40 42 0 -7 43 -97 85 -73 34 -131 33 -221 -6
+l-72 -30 -25 33 c-30 40 -84 95 -127 128 l-32 25 29 70 c38 92 38 147 1 228
+-36 79 -67 119 -76 97z"/>
+<path d="M6261 3774 c-57 -8 -144 -28 -193 -44 -191 -64 -286 -163 -323 -336
+-21 -101 -22 -1386 0 -1487 54 -254 218 -358 630 -398 132 -13 425 -7 565 11
+236 30 402 117 473 248 62 115 62 109 62 872 0 746 -1 759 -52 868 -35 74
+-109 145 -196 186 -148 71 -316 96 -637 95 -133 -1 -268 -7 -329 -15z m619
+-220 c166 -26 248 -75 293 -172 22 -47 22 -48 22 -737 0 -770 4 -721 -71 -805
+-104 -114 -526 -160 -843 -91 -149 33 -211 77 -254 181 l-22 55 0 655 c0 590
+2 660 17 710 43 138 149 194 418 220 108 11 325 3 440 -16z"/>
+<path d="M11590 3784 c-216 -26 -329 -56 -416 -112 -98 -63 -157 -152 -184
+-272 -17 -79 -26 -1845 -9 -1866 16 -20 241 -20 258 -1 7 10 12 139 13 413 l3
+399 585 0 585 0 3 -399 c1 -274 6 -403 13 -413 17 -19 242 -19 258 1 9 11 11
+237 8 918 -4 1012 -2 980 -76 1095 -74 115 -193 180 -401 219 -61 12 -158 17
+-345 19 -143 2 -276 1 -295 -1z m510 -225 c160 -21 247 -70 295 -163 l30 -60
+0 -370 0 -371 -565 -3 c-311 -1 -575 0 -588 3 l-23 6 3 367 c3 347 4 369 24
+412 54 118 157 167 390 189 106 10 327 5 434 -10z"/>
+<path d="M13790 3783 c-338 -32 -485 -90 -581 -230 -61 -88 -72 -138 -77 -357
+-5 -230 5 -288 68 -384 43 -67 90 -109 169 -150 84 -43 139 -56 581 -127 223
+-36 427 -73 454 -83 65 -23 129 -80 154 -140 28 -65 37 -178 23 -287 -26 -190
+-77 -238 -301 -286 -192 -41 -494 -29 -688 27 -60 17 -124 69 -152 124 -27 53
+-40 140 -40 271 0 68 -4 119 -10 121 -5 2 -66 2 -135 0 l-125 -3 0 -152 c0
+-170 8 -235 40 -319 26 -71 102 -156 173 -197 66 -37 189 -76 297 -93 117 -18
+595 -18 710 1 313 51 465 178 500 419 15 104 12 347 -5 420 -37 157 -139 261
+-311 317 -45 15 -254 54 -503 95 -234 39 -448 77 -474 86 -71 23 -121 76 -142
+148 -14 48 -16 84 -12 190 3 72 11 149 19 171 19 58 92 128 158 153 247 91
+759 68 901 -41 66 -50 90 -108 101 -246 5 -64 12 -119 17 -124 4 -4 64 -6 132
+-5 l124 3 3 94 c4 117 -18 236 -58 317 -76 154 -251 236 -565 263 -111 10
+-363 12 -445 4z"/>
+<path d="M7914 3758 c-5 -7 -7 -416 -6 -908 4 -967 4 -974 58 -1083 34 -71
+107 -144 179 -181 121 -61 321 -92 530 -83 225 10 355 58 478 178 l68 66 67
+-67 c78 -78 173 -128 297 -157 63 -14 119 -18 260 -17 205 0 331 21 442 74 75
+35 151 108 188 180 54 107 54 110 55 1088 1 496 -2 907 -5 912 -9 15 -238 13
+-253 -2 -9 -9 -12 -214 -12 -863 0 -537 -4 -873 -10 -914 -25 -151 -94 -211
+-285 -246 -146 -28 -358 -8 -460 42 -50 25 -94 74 -118 132 l-22 56 -3 889
+c-2 624 -6 894 -14 903 -15 19 -241 18 -257 0 -7 -10 -11 -278 -13 -908 l-3
+-894 -24 -53 c-30 -66 -94 -123 -163 -146 -92 -30 -235 -41 -356 -28 -148 15
+-206 36 -264 93 -87 87 -82 30 -88 1049 l-5 895 -127 3 c-94 2 -128 -1 -134
+-10z"/>
+<path d="M15297 3763 c-4 -3 -7 -507 -7 -1119 l0 -1114 23 -5 c12 -3 72 -5
+132 -3 l110 3 3 309 c1 208 6 314 13 323 9 10 92 13 423 13 408 0 517 6 632
+35 196 50 333 189 376 380 19 85 18 685 -1 770 -22 98 -59 164 -130 235 -103
+102 -219 149 -412 170 -104 11 -1152 14 -1162 3z m1146 -227 c161 -31 258
+-117 286 -256 7 -30 15 -136 18 -235 6 -205 -7 -368 -38 -450 -23 -61 -80
+-125 -138 -155 -96 -48 -132 -52 -562 -57 -296 -4 -412 -2 -427 6 l-22 12 0
+568 c0 312 3 571 7 574 3 4 185 7 404 7 304 0 415 -3 472 -14z"/>
+<path d="M16750 1840 c0 -17 6 -20 50 -20 l50 0 0 -150 c0 -143 1 -150 20
+-150 19 0 20 7 20 150 l0 150 56 0 c47 0 55 3 52 18 -3 15 -18 17 -126 20
+-117 2 -122 2 -122 -18z"/>
+<path d="M17040 1690 c0 -163 1 -170 20 -170 19 0 20 7 21 143 l0 142 48 -135
+c42 -121 50 -135 71 -135 20 0 27 14 69 135 l46 135 3 -142 c2 -135 4 -143 22
+-143 19 0 20 7 20 170 l0 170 -34 0 -35 0 -43 -130 c-23 -71 -45 -130 -48
+-130 -3 0 -25 59 -48 130 l-43 130 -35 0 -34 0 0 -170z"/>
+</g>
+</svg>