supasec 1.0.3 → 1.0.5

package/dist/scanners/git/scanner.js

@@ -0,0 +1,531 @@
+"use strict";
+/**
+ * Git History Scanner
+ * Scans git history for secrets and sensitive data
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.scanGitHistory = scanGitHistory;
+const finding_js_1 = require("../../models/finding.js");
+const child_process_1 = require("child_process");
+const fs = __importStar(require("fs"));
+const path = __importStar(require("path"));
+/**
+ * Scan git history for secrets
+ */
+async function scanGitHistory(options) {
+    const findings = [];
+    let findingCounter = 1;
+    let commitsScanned = 0;
+    let branchesScanned = 0;
+    let secretsFound = 0;
+    // Check if .git directory exists
+    const gitDir = path.join(options.repoPath, '.git');
+    if (!fs.existsSync(gitDir)) {
+        return {
+            findings: [],
+            commitsScanned: 0,
+            branchesScanned: 0,
+            secretsFound: 0
+        };
+    }
+    try {
+        // Get list of commits
+        const commits = getCommits(options.repoPath, options.since, options.maxCommits);
+        commitsScanned = commits.length;
+        // Scan each commit
+        for (const commit of commits) {
+            // Check for secrets in commit message
+            const messageFindings = scanCommitMessage(commit, findingCounter);
+            findings.push(...messageFindings.findings);
+            findingCounter = messageFindings.nextCounter;
+            secretsFound += messageFindings.findings.length;
+            // Check for secrets in file changes
+            for (const file of commit.files) {
+                const fileFindings = scanFileInCommit(options.repoPath, commit.hash, file, findingCounter);
+                findings.push(...fileFindings.findings);
+                findingCounter = fileFindings.nextCounter;
+                secretsFound += fileFindings.findings.length;
+            }
+        }
+        // Scan branches if requested
+        if (options.scanBranches) {
+            const branches = getBranches(options.repoPath);
+            branchesScanned = branches.length;
+            for (const branch of branches) {
+                const branchFindings = scanBranch(options.repoPath, branch, findingCounter);
+                findings.push(...branchFindings.findings);
+                findingCounter = branchFindings.nextCounter;
+                secretsFound += branchFindings.findings.length;
+            }
+        }
+    }
+    catch (error) {
+        console.error('Error scanning git history:', error);
+    }
+    return {
+        findings,
+        commitsScanned,
+        branchesScanned,
+        secretsFound
+    };
+}
+/**
+ * Get list of commits from git log
+ */
+function getCommits(repoPath, since, maxCommits = 100) {
+    try {
+        const format = '%H|%an|%ad|%s';
+        let cmd = `git -C "${repoPath}" log --pretty=format:"${format}" --name-only`;
+        if (since) {
+            cmd += ` --since="${since}"`;
+        }
+        cmd += ` -n ${maxCommits}`;
+        const output = (0, child_process_1.execSync)(cmd, { encoding: 'utf-8' });
+        return parseGitLog(output);
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Parse git log output
+ */
+function parseGitLog(output) {
+    const commits = [];
+    const lines = output.split('\n');
+    let currentCommit = null;
+    for (const line of lines) {
+        // Check if line is a commit header
+        if (line.includes('|')) {
+            if (currentCommit) {
+                commits.push(currentCommit);
+            }
+            const parts = line.split('|');
+            currentCommit = {
+                hash: parts[0],
+                author: parts[1],
+                date: parts[2],
+                message: parts[3] || '',
+                files: []
+            };
+        }
+        else if (currentCommit && line.trim()) {
+            // This is a file path
+            currentCommit.files.push(line.trim());
+        }
+    }
+    if (currentCommit) {
+        commits.push(currentCommit);
+    }
+    return commits;
+}
+/**
+ * Get list of branches
+ */
+function getBranches(repoPath) {
+    try {
+        const output = (0, child_process_1.execSync)(`git -C "${repoPath}" branch -a`, { encoding: 'utf-8' });
+        return output
+            .split('\n')
+            .map(b => b.trim().replace(/^\*\s*/, ''))
+            .filter(b => b && !b.includes('HEAD'));
+    }
+    catch {
+        return [];
+    }
+}
+/**
+ * Scan commit message for secrets
+ */
+function scanCommitMessage(commit, startCounter) {
+    const findings = [];
+    let counter = startCounter;
+    // Patterns to check in commit messages
+    const patterns = [
+        { pattern: /password[:=]\s*(\S+)/i, type: 'password' },
+        { pattern: /api[_-]?key[:=]\s*(\S+)/i, type: 'api_key' },
+        { pattern: /secret[:=]\s*(\S+)/i, type: 'secret' },
+        { pattern: /token[:=]\s*(\S+)/i, type: 'token' },
+        { pattern: /sk-[a-zA-Z0-9]{48}/, type: 'stripe_key' },
+        { pattern: /eyJ[A-Za-z0-9-_]*\.eyJ[A-Za-z0-9-_]*\.[A-Za-z0-9-_]*/, type: 'jwt' }
+    ];
+    for (const { pattern, type } of patterns) {
+        const match = commit.message.match(pattern);
+        if (match) {
+            findings.push(createCommitSecretFinding(commit, type, match[0], counter++));
+        }
+    }
+    return { findings, nextCounter: counter };
+}
+/**
+ * Scan file content in a specific commit
+ */
+function scanFileInCommit(repoPath, commitHash, filePath, startCounter) {
+    const findings = [];
+    let counter = startCounter;
+    try {
+        // Get file content at this commit
+        const content = (0, child_process_1.execSync)(`git -C "${repoPath}" show ${commitHash}:"${filePath}"`, { encoding: 'utf-8' });
+        // Check for .env files
+        if (filePath.includes('.env') && !filePath.includes('.env.example')) {
+            findings.push(createEnvFileFinding(commitHash, filePath, counter++));
+        }
+        // Check for private keys
+        if (content.includes('-----BEGIN') && content.includes('PRIVATE KEY-----')) {
+            findings.push(createPrivateKeyFinding(commitHash, filePath, counter++));
+        }
+        // Check for common secret patterns
+        const secretPatterns = [
+            { pattern: /password[:=]\s*["']([^"']+)["']/i, type: 'password' },
+            { pattern: /api[_-]?key[:=]\s*["']([^"']+)["']/i, type: 'api_key' },
+            { pattern: /secret[:=]\s*["']([^"']+)["']/i, type: 'secret' },
+            { pattern: /sk-[a-zA-Z0-9]{48}/, type: 'stripe_key' },
+            { pattern: /AKIA[0-9A-Z]{16}/, type: 'aws_key' }
+        ];
+        for (const { pattern, type } of secretPatterns) {
+            if (pattern.test(content)) {
+                findings.push(createFileSecretFinding(commitHash, filePath, type, counter++));
+            }
+        }
+    }
+    catch {
+        // File might not exist in this commit
+    }
+    return { findings, nextCounter: counter };
+}
+/**
+ * Scan a branch for secrets
+ */
+function scanBranch(repoPath, branch, startCounter) {
+    const findings = [];
+    let counter = startCounter;
+    // Check for stashed secrets
+    try {
+        const stashList = (0, child_process_1.execSync)(`git -C "${repoPath}" stash list`, { encoding: 'utf-8' });
+        if (stashList.includes(branch)) {
+            findings.push(createStashFinding(branch, counter++));
+        }
+    }
+    catch {
+        // No stash or error
+    }
+    return { findings, nextCounter: counter };
+}
+/**
+ * Create finding for secret in commit message
+ */
+function createCommitSecretFinding(commit, type, match, counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('secrets', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'HIGH',
+        category: 'secrets',
+        subcategory: 'git_commit_secret',
+        title: `Potential ${type} in commit message`,
+        description: `A potential ${type} was found in the commit message. Secrets in commit history are visible to anyone with repository access.`,
+        location: {
+            file: `commit:${commit.hash}`,
+            line: 1
+        },
+        evidence: {
+            commit_hash: commit.hash,
+            commit_author: commit.author,
+            commit_date: commit.date,
+            commit_message: commit.message,
+            secret_type: type,
+            matched_text: match.substring(0, 20) + '...'
+        },
+        impact: {
+            severity_score: 7.5,
+            description: 'Secret exposed in git history - requires history rewrite to remove',
+            affected_resources: [`git:commit:${commit.hash}`],
+            compliance_violations: ['OWASP-A05-2021']
+        },
+        remediation: {
+            summary: 'Remove secret from git history',
+            priority: 'HIGH',
+            effort: 'HIGH',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Rotate the exposed secret immediately',
+                    code: 'Change the password/API key in your service provider dashboard'
+                },
+                {
+                    order: 2,
+                    action: 'Remove from git history using git-filter-repo or BFG',
+                    code: `# Using git-filter-repo
+pip install git-filter-repo
+git filter-repo --replace-text <(echo '${match}==>REMOVED')`
+                },
+                {
+                    order: 3,
+                    action: 'Force push to remote (coordinate with team)',
+                    code: 'git push --force-with-lease origin main'
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [
+            {
+                title: 'Removing sensitive data from GitHub',
+                url: 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository'
+            }
+        ],
+        false_positive_likelihood: 'MEDIUM',
+        confidence: 0.75
+    };
+}
+/**
+ * Create finding for .env file committed
+ */
+function createEnvFileFinding(commitHash, filePath, counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('secrets', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'CRITICAL',
+        category: 'secrets',
+        subcategory: 'env_file_committed',
+        title: `.env file committed to repository`,
+        description: `A .env file (${filePath}) was committed to the repository. These files typically contain sensitive configuration and secrets.`,
+        location: {
+            file: filePath,
+            line: 1
+        },
+        evidence: {
+            commit_hash: commitHash,
+            file_path: filePath
+        },
+        impact: {
+            severity_score: 9.0,
+            description: 'Environment file with secrets committed to version control',
+            affected_resources: [`git:${filePath}`],
+            compliance_violations: ['OWASP-A05-2021', 'GDPR-Article-32']
+        },
+        remediation: {
+            summary: 'Remove .env file from repository and add to .gitignore',
+            priority: 'IMMEDIATE',
+            effort: 'MEDIUM',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Add .env to .gitignore',
+                    code: 'echo ".env" >> .gitignore'
+                },
+                {
+                    order: 2,
+                    action: 'Remove from git history',
+                    code: `git rm --cached ${filePath}
+git commit -m "Remove .env file from repository"`
+                },
+                {
+                    order: 3,
+                    action: 'Rotate all secrets in the .env file',
+                    code: 'Change all passwords, API keys, and tokens that were in the file'
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [
+            {
+                title: 'GitHub - Removing sensitive data',
+                url: 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository'
+            }
+        ],
+        false_positive_likelihood: 'VERY_LOW',
+        confidence: 0.95
+    };
+}
+/**
+ * Create finding for private key committed
+ */
+function createPrivateKeyFinding(commitHash, filePath, counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('secrets', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'CRITICAL',
+        category: 'secrets',
+        subcategory: 'private_key_committed',
+        title: `Private key committed to repository`,
+        description: `A private key file was committed to the repository at ${filePath}. Private keys should never be committed to version control.`,
+        location: {
+            file: filePath,
+            line: 1
+        },
+        evidence: {
+            commit_hash: commitHash,
+            file_path: filePath
+        },
+        impact: {
+            severity_score: 9.5,
+            description: 'Private key exposed - complete security compromise possible',
+            affected_resources: [`git:${filePath}`],
+            compliance_violations: ['OWASP-A05-2021', 'GDPR-Article-32']
+        },
+        remediation: {
+            summary: 'Remove private key and generate new one',
+            priority: 'IMMEDIATE',
+            effort: 'HIGH',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Generate new private key',
+                    code: 'ssh-keygen -t rsa -b 4096 -f new_key'
+                },
+                {
+                    order: 2,
+                    action: 'Remove old key from git history',
+                    code: `git filter-repo --path ${filePath} --invert-paths`
+                },
+                {
+                    order: 3,
+                    action: 'Add key files to .gitignore',
+                    code: `echo "*.pem" >> .gitignore
+echo "*.key" >> .gitignore`
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [
+            {
+                title: 'GitHub - Removing sensitive data',
+                url: 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository'
+            }
+        ],
+        false_positive_likelihood: 'VERY_LOW',
+        confidence: 0.98
+    };
+}
+/**
+ * Create finding for secret in file
+ */
+function createFileSecretFinding(commitHash, filePath, type, counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('secrets', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'HIGH',
+        category: 'secrets',
+        subcategory: 'file_secret',
+        title: `Potential ${type} in ${path.basename(filePath)}`,
+        description: `A potential ${type} was found in ${filePath} at commit ${commitHash.substring(0, 7)}.`,
+        location: {
+            file: filePath,
+            line: 1
+        },
+        evidence: {
+            commit_hash: commitHash,
+            file_path: filePath,
+            secret_type: type
+        },
+        impact: {
+            severity_score: 7.5,
+            description: 'Secret committed to version control',
+            affected_resources: [`git:${filePath}`]
+        },
+        remediation: {
+            summary: 'Remove secret from file and history',
+            priority: 'HIGH',
+            effort: 'HIGH',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Rotate the exposed secret'
+                },
+                {
+                    order: 2,
+                    action: 'Remove from git history',
+                    code: 'git filter-repo --replace-text <(echo "OLD_SECRET==>NEW_SECRET")'
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [
+            {
+                title: 'Removing sensitive data from GitHub',
+                url: 'https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository'
+            }
+        ],
+        false_positive_likelihood: 'MEDIUM',
+        confidence: 0.75
+    };
+}
+/**
+ * Create finding for secrets in stash
+ */
+function createStashFinding(branch, counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('secrets', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'MEDIUM',
+        category: 'secrets',
+        subcategory: 'stash_secret',
+        title: `Potential secrets in git stash on ${branch}`,
+        description: `There are stashed changes on branch ${branch}. Stashes may contain uncommitted secrets.`,
+        location: {
+            file: `stash:${branch}`
+        },
+        evidence: {
+            branch
+        },
+        impact: {
+            severity_score: 5.0,
+            description: 'Stashed changes may contain secrets',
+            affected_resources: [`git:stash:${branch}`]
+        },
+        remediation: {
+            summary: 'Review and clear git stash',
+            priority: 'MEDIUM',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Review stash contents',
+                    code: 'git stash show -p'
+                },
+                {
+                    order: 2,
+                    action: 'Clear stash if not needed',
+                    code: 'git stash clear'
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [],
+        false_positive_likelihood: 'HIGH',
+        confidence: 0.5
+    };
+}
+//# sourceMappingURL=scanner.js.map

package/dist/scanners/git/scanner.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.js","sourceRoot":"","sources":["../../../src/scanners/git/scanner.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgCH,wCA+DC;AA7FD,wDAAqE;AACrE,iDAAyC;AACzC,uCAAyB;AACzB,2CAA6B;AAwB7B;;GAEG;AACI,KAAK,UAAU,cAAc,CAAC,OAAuB;IAC1D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,eAAe,GAAG,CAAC,CAAC;IACxB,IAAI,YAAY,GAAG,CAAC,CAAC;IAErB,iCAAiC;IACjC,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IACnD,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,EAAE,CAAC;QAC3B,OAAO;YACL,QAAQ,EAAE,EAAE;YACZ,cAAc,EAAE,CAAC;YACjB,eAAe,EAAE,CAAC;YAClB,YAAY,EAAE,CAAC;SAChB,CAAC;IACJ,CAAC;IAED,IAAI,CAAC;QACH,sBAAsB;QACtB,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,OAAO,CAAC,KAAK,EAAE,OAAO,CAAC,UAAU,CAAC,CAAC;QAChF,cAAc,GAAG,OAAO,CAAC,MAAM,CAAC;QAEhC,mBAAmB;QACnB,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,sCAAsC;YACtC,MAAM,eAAe,GAAG,iBAAiB,CAAC,MAAM,EAAE,cAAc,CAAC,CAAC;YAClE,QAAQ,CAAC,IAAI,CAAC,GAAG,eAAe,CAAC,QAAQ,CAAC,CAAC;YAC3C,cAAc,GAAG,eAAe,CAAC,WAAW,CAAC;YAC7C,YAAY,IAAI,eAAe,CAAC,QAAQ,CAAC,MAAM,CAAC;YAEhD,oCAAoC;YACpC,KAAK,MAAM,IAAI,IAAI,MAAM,CAAC,KAAK,EAAE,CAAC;gBAChC,MAAM,YAAY,GAAG,gBAAgB,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,CAAC;gBAC3F,QAAQ,CAAC,IAAI,CAAC,GAAG,YAAY,CAAC,QAAQ,CAAC,CAAC;gBACxC,cAAc,GAAG,YAAY,CAAC,WAAW,CAAC;gBAC1C,YAAY,IAAI,YAAY,CAAC,QAAQ,CAAC,MAAM,CAAC;YAC/C,CAAC;QACH,CAAC;QAED,6BAA6B;QAC7B,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC;YACzB,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;YAC/C,eAAe,GAAG,QAAQ,CAAC,MAAM,CAAC;YAElC,KAAK,MAAM,MAAM,IAAI,QAAQ,EAAE,CAAC;gBAC9B,MAAM,cAAc,GAAG,UAAU,CAAC,OAAO,CAAC,QAAQ,EAAE,MAAM,EAAE,cAAc,CAAC,CAAC;gBAC5E,QAAQ,CAAC,IAAI,CAAC,GAAG,cAAc,CAAC,QAAQ,CAAC,CAAC;gBAC1C,cAAc,GAAG,cAAc,CAAC,WAAW,CAAC;gBAC5C,YAAY,IAAI,cAAc,CAAC,QAAQ,CAAC,MAAM,CAAC;YACjD,CAAC;QACH,CAAC;IAEH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,OAAO,CAAC,KAAK,CAAC,6BAA6B,EAAE,KAAK,CAAC,CAAC;IACtD,CAAC;IAED,OAAO;QACL,QAAQ;QACR,cAAc;QACd,eAAe;QACf,YAAY;KACb,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CAAC,QAAgB,EAAE,KAAc,EAAE,aAAqB,GAAG;IAC5E,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,eAAe,CAAC;QAC/B,IAAI,GAAG,GAAG,WAAW,QAAQ,0BAA0B,MAAM,eAAe,CAAC;QAE7E,IAAI,KAAK,EAAE,CAAC;YACV,GAAG,IAAI,aAAa,KAAK,GAAG,CAAC;QAC/B,CAAC;QAED,GAAG,IAAI,OAAO,UAAU,EAAE,CAAC;QAE3B,MAAM,MAAM,GAAG,IAAA,wBAAQ,EAAC,GAAG,EAAE,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC;QACpD,OAAO,WAAW,CAAC,MAAM,CAAC,CAAC;IAC7B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,MAAc;IACjC,MAAM,OAAO,GAAiB,EAAE,CAAC;IACjC,MAAM,KAAK,GAAG,MAAM,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAEjC,IAAI,aAAa,GAAsB,IAAI,CAAC;IAE5C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,mCAAmC;QACnC,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,aAAa,EAAE,CAAC;gBAClB,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;YAC9B,CAAC;YAED,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YAC9B,aAAa,GAAG;gBACd,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;gBACd,MAAM,EAAE,KAAK,CAAC,CAAC,CAAC;gBAChB,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC;gBACd,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,IAAI,EAAE;gBACvB,KAAK,EAAE,EAAE;aACV,CAAC;QACJ,CAAC;aAAM,IAAI,aAAa,IAAI,IAAI,CAAC,IAAI,EAAE,EAAE,CAAC;YACxC,sBAAsB;YACtB,aAAa,CAAC,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,EAAE,CAAC,CAAC;QACxC,CAAC;IACH,CAAC;IAED,IAAI,aAAa,EAAE,CAAC;QAClB,OAAO,CAAC,IAAI,CAAC,aAAa,CAAC,CAAC;IAC9B,CAAC;IAED,OAAO,OAAO,CAAC;AACjB,CAAC;AAED;;GAEG;AACH,SAAS,WAAW,CAAC,QAAgB;IACnC,IAAI,CAAC;QACH,MAAM,MAAM,GAAG,IAAA,wBAAQ,EACrB,WAAW,QAAQ,aAAa,EAChC,EAAE,QAAQ,EAAE,OAAO,EAAE,CACtB,CAAC;QACF,OAAO,MAAM;aACV,KAAK,CAAC,IAAI,CAAC;aACX,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC;aACxC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC;IAC3C,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,CAAC;IACZ,CAAC;AACH,CAAC;AAED;;GAEG;AACH,SAAS,iBAAiB,CACxB,MAAkB,EAClB,YAAoB;IAEpB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,YAAY,CAAC;IAE3B,uCAAuC;IACvC,MAAM,QAAQ,GAAG;QACf,EAAE,OAAO,EAAE,uBAAuB,EAAE,IAAI,EAAE,UAAU,EAAE;QACtD,EAAE,OAAO,EAAE,0BAA0B,EAAE,IAAI,EAAE,SAAS,EAAE;QACxD,EAAE,OAAO,EAAE,qBAAqB,EAAE,IAAI,EAAE,QAAQ,EAAE;QAClD,EAAE,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,OAAO,EAAE;QAChD,EAAE,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE;QACrD,EAAE,OAAO,EAAE,sDAAsD,EAAE,IAAI,EAAE,KAAK,EAAE;KACjF,CAAC;IAEF,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,QAAQ,EAAE,CAAC;QACzC,MAAM,KAAK,GAAG,MAAM,CAAC,OAAO,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAC5C,IAAI,KAAK,EAAE,CAAC;YACV,QAAQ,CAAC,IAAI,CAAC,yBAAyB,CAAC,MAAM,EAAE,IAAI,EAAE,KAAK,CAAC,CAAC,CAAC,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QAC9E,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAS,gBAAgB,CACvB,QAAgB,EAChB,UAAkB,EAClB,QAAgB,EAChB,YAAoB;IAEpB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,YAAY,CAAC;IAE3B,IAAI,CAAC;QACH,kCAAkC;QAClC,MAAM,OAAO,GAAG,IAAA,wBAAQ,EACtB,WAAW,QAAQ,UAAU,UAAU,KAAK,QAAQ,GAAG,EACvD,EAAE,QAAQ,EAAE,OAAO,EAAE,CACtB,CAAC;QAEF,uBAAuB;QACvB,IAAI,QAAQ,CAAC,QAAQ,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;YACpE,QAAQ,CAAC,IAAI,CAAC,oBAAoB,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QACvE,CAAC;QAED,yBAAyB;QACzB,IAAI,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,EAAE,CAAC;YAC3E,QAAQ,CAAC,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,QAAQ,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QAC1E,CAAC;QAED,mCAAmC;QACnC,MAAM,cAAc,GAAG;YACrB,EAAE,OAAO,EAAE,kCAAkC,EAAE,IAAI,EAAE,UAAU,EAAE;YACjE,EAAE,OAAO,EAAE,qCAAqC,EAAE,IAAI,EAAE,SAAS,EAAE;YACnE,EAAE,OAAO,EAAE,gCAAgC,EAAE,IAAI,EAAE,QAAQ,EAAE;YAC7D,EAAE,OAAO,EAAE,oBAAoB,EAAE,IAAI,EAAE,YAAY,EAAE;YACrD,EAAE,OAAO,EAAE,kBAAkB,EAAE,IAAI,EAAE,SAAS,EAAE;SACjD,CAAC;QAEF,KAAK,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,IAAI,cAAc,EAAE,CAAC;YAC/C,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;gBAC1B,QAAQ,CAAC,IAAI,CAAC,uBAAuB,CAAC,UAAU,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;YAChF,CAAC;QACH,CAAC;IAEH,CAAC;IAAC,MAAM,CAAC;QACP,sCAAsC;IACxC,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAS,UAAU,CACjB,QAAgB,EAChB,MAAc,EACd,YAAoB;IAEpB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,YAAY,CAAC;IAE3B,4BAA4B;IAC5B,IAAI,CAAC;QACH,MAAM,SAAS,GAAG,IAAA,wBAAQ,EACxB,WAAW,QAAQ,cAAc,EACjC,EAAE,QAAQ,EAAE,OAAO,EAAE,CACtB,CAAC;QAEF,IAAI,SAAS,CAAC,QAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAC/B,QAAQ,CAAC,IAAI,CAAC,kBAAkB,CAAC,MAAM,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,oBAAoB;IACtB,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAS,yBAAyB,CAChC,MAAkB,EAClB,IAAY,EACZ,KAAa,EACb,OAAe;IAEf,OAAO;QACL,UAAU,EAAE,IAAA,8BAAiB,EAAC,SAAS,EAAE,OAAO,CAAC;QACjD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,mBAAmB;QAChC,KAAK,EAAE,aAAa,IAAI,oBAAoB;QAC5C,WAAW,EAAE,eAAe,IAAI,2GAA2G;QAC3I,QAAQ,EAAE;YACR,IAAI,EAAE,UAAU,MAAM,CAAC,IAAI,EAAE;YAC7B,IAAI,EAAE,CAAC;SACR;QACD,QAAQ,EAAE;YACR,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,aAAa,EAAE,MAAM,CAAC,MAAM;YAC5B,WAAW,EAAE,MAAM,CAAC,IAAI;YACxB,cAAc,EAAE,MAAM,CAAC,OAAO;YAC9B,WAAW,EAAE,IAAI;YACjB,YAAY,EAAE,KAAK,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,KAAK;SAC7C;QACD,MAAM,EAAE;YACN,cAAc,EAAE,GAAG;YACnB,WAAW,EAAE,oEAAoE;YACjF,kBAAkB,EAAE,CAAC,cAAc,MAAM,CAAC,IAAI,EAAE,CAAC;YACjD,qBAAqB,EAAE,CAAC,gBAAgB,CAAC;SAC1C;QACD,WAAW,EAAE;YACX,OAAO,EAAE,gCAAgC;YACzC,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,KAAK,EAAE;gBACL;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,uCAAuC;oBAC/C,IAAI,EAAE,gEAAgE;iBACvE;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,sDAAsD;oBAC9D,IAAI,EAAE;;yCAEyB,KAAK,cAAc;iBACnD;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,6CAA6C;oBACrD,IAAI,EAAE,yCAAyC;iBAChD;aACF;YACD,YAAY,EAAE,KAAK;SACpB;QACD,UAAU,EAAE;YACV;gBACE,KAAK,EAAE,qCAAqC;gBAC5C,GAAG,EAAE,0HAA0H;aAChI;SACF;QACD,yBAAyB,EAAE,QAAQ;QACnC,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,oBAAoB,CAC3B,UAAkB,EAClB,QAAgB,EAChB,OAAe;IAEf,OAAO;QACL,UAAU,EAAE,IAAA,8BAAiB,EAAC,SAAS,EAAE,OAAO,CAAC;QACjD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,oBAAoB;QACjC,KAAK,EAAE,mCAAmC;QAC1C,WAAW,EAAE,gBAAgB,QAAQ,uGAAuG;QAC5I,QAAQ,EAAE;YACR,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC;SACR;QACD,QAAQ,EAAE;YACR,WAAW,EAAE,UAAU;YACvB,SAAS,EAAE,QAAQ;SACpB;QACD,MAAM,EAAE;YACN,cAAc,EAAE,GAAG;YACnB,WAAW,EAAE,4DAA4D;YACzE,kBAAkB,EAAE,CAAC,OAAO,QAAQ,EAAE,CAAC;YACvC,qBAAqB,EAAE,CAAC,gBAAgB,EAAE,iBAAiB,CAAC;SAC7D;QACD,WAAW,EAAE;YACX,OAAO,EAAE,wDAAwD;YACjE,QAAQ,EAAE,WAAW;YACrB,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE;gBACL;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,wBAAwB;oBAChC,IAAI,EAAE,2BAA2B;iBAClC;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,yBAAyB;oBACjC,IAAI,EAAE,mBAAmB,QAAQ;iDACM;iBACxC;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,qCAAqC;oBAC7C,IAAI,EAAE,kEAAkE;iBACzE;aACF;YACD,YAAY,EAAE,KAAK;SACpB;QACD,UAAU,EAAE;YACV;gBACE,KAAK,EAAE,kCAAkC;gBACzC,GAAG,EAAE,0HAA0H;aAChI;SACF;QACD,yBAAyB,EAAE,UAAU;QACrC,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAC9B,UAAkB,EAClB,QAAgB,EAChB,OAAe;IAEf,OAAO;QACL,UAAU,EAAE,IAAA,8BAAiB,EAAC,SAAS,EAAE,OAAO,CAAC;QACjD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,UAAU;QACpB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,uBAAuB;QACpC,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EAAE,yDAAyD,QAAQ,8DAA8D;QAC5I,QAAQ,EAAE;YACR,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC;SACR;QACD,QAAQ,EAAE;YACR,WAAW,EAAE,UAAU;YACvB,SAAS,EAAE,QAAQ;SACpB;QACD,MAAM,EAAE;YACN,cAAc,EAAE,GAAG;YACnB,WAAW,EAAE,6DAA6D;YAC1E,kBAAkB,EAAE,CAAC,OAAO,QAAQ,EAAE,CAAC;YACvC,qBAAqB,EAAE,CAAC,gBAAgB,EAAE,iBAAiB,CAAC;SAC7D;QACD,WAAW,EAAE;YACX,OAAO,EAAE,yCAAyC;YAClD,QAAQ,EAAE,WAAW;YACrB,MAAM,EAAE,MAAM;YACd,KAAK,EAAE;gBACL;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,0BAA0B;oBAClC,IAAI,EAAE,sCAAsC;iBAC7C;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,iCAAiC;oBACzC,IAAI,EAAE,0BAA0B,QAAQ,iBAAiB;iBAC1D;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,6BAA6B;oBACrC,IAAI,EAAE;2BACW;iBAClB;aACF;YACD,YAAY,EAAE,KAAK;SACpB;QACD,UAAU,EAAE;YACV;gBACE,KAAK,EAAE,kCAAkC;gBACzC,GAAG,EAAE,0HAA0H;aAChI;SACF;QACD,yBAAyB,EAAE,UAAU;QACrC,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,uBAAuB,CAC9B,UAAkB,EAClB,QAAgB,EAChB,IAAY,EACZ,OAAe;IAEf,OAAO;QACL,UAAU,EAAE,IAAA,8BAAiB,EAAC,SAAS,EAAE,OAAO,CAAC;QACjD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,aAAa;QAC1B,KAAK,EAAE,aAAa,IAAI,OAAO,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE;QACxD,WAAW,EAAE,eAAe,IAAI,iBAAiB,QAAQ,cAAc,UAAU,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG;QACpG,QAAQ,EAAE;YACR,IAAI,EAAE,QAAQ;YACd,IAAI,EAAE,CAAC;SACR;QACD,QAAQ,EAAE;YACR,WAAW,EAAE,UAAU;YACvB,SAAS,EAAE,QAAQ;YACnB,WAAW,EAAE,IAAI;SAClB;QACD,MAAM,EAAE;YACN,cAAc,EAAE,GAAG;YACnB,WAAW,EAAE,qCAAqC;YAClD,kBAAkB,EAAE,CAAC,OAAO,QAAQ,EAAE,CAAC;SACxC;QACD,WAAW,EAAE;YACX,OAAO,EAAE,qCAAqC;YAC9C,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,MAAM;YACd,KAAK,EAAE;gBACL;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,2BAA2B;iBACpC;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,yBAAyB;oBACjC,IAAI,EAAE,kEAAkE;iBACzE;aACF;YACD,YAAY,EAAE,KAAK;SACpB;QACD,UAAU,EAAE;YACV;gBACE,KAAK,EAAE,qCAAqC;gBAC5C,GAAG,EAAE,0HAA0H;aAChI;SACF;QACD,yBAAyB,EAAE,QAAQ;QACnC,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,kBAAkB,CACzB,MAAc,EACd,OAAe;IAEf,OAAO;QACL,UAAU,EAAE,IAAA,8BAAiB,EAAC,SAAS,EAAE,OAAO,CAAC;QACjD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,SAAS;QACnB,WAAW,EAAE,cAAc;QAC3B,KAAK,EAAE,qCAAqC,MAAM,EAAE;QACpD,WAAW,EAAE,uCAAuC,MAAM,4CAA4C;QACtG,QAAQ,EAAE;YACR,IAAI,EAAE,SAAS,MAAM,EAAE;SACxB;QACD,QAAQ,EAAE;YACR,MAAM;SACP;QACD,MAAM,EAAE;YACN,cAAc,EAAE,GAAG;YACnB,WAAW,EAAE,qCAAqC;YAClD,kBAAkB,EAAE,CAAC,aAAa,MAAM,EAAE,CAAC;SAC5C;QACD,WAAW,EAAE;YACX,OAAO,EAAE,4BAA4B;YACrC,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,KAAK;YACb,KAAK,EAAE;gBACL;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,uBAAuB;oBAC/B,IAAI,EAAE,mBAAmB;iBAC1B;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,2BAA2B;oBACnC,IAAI,EAAE,iBAAiB;iBACxB;aACF;YACD,YAAY,EAAE,KAAK;SACpB;QACD,UAAU,EAAE,EAAE;QACd,yBAAyB,EAAE,MAAM;QACjC,UAAU,EAAE,GAAG;KAChB,CAAC;AACJ,CAAC"}

package/dist/scanners/https/analyzer.d.ts

@@ -0,0 +1,42 @@
+/**
+ * HTTPS/TLS Security Analyzer
+ *
+ * Performs real HTTPS enforcement checks:
+ * - Verifies HTTPS is actually used
+ * - Checks TLS version and cipher suites
+ * - Tests for HSTS headers
+ * - Detects mixed content
+ * - Checks certificate details
+ */
+import { Finding, Category } from '../../models/finding.js';
+export interface PassedCheck {
+    check_id: string;
+    category: Category;
+    title: string;
+    description: string;
+}
+export interface HTTPSCheckResult {
+    httpsEnabled: boolean;
+    tlsVersion: string | null;
+    hstsEnabled: boolean;
+    hstsMaxAge: number | null;
+    mixedContent: boolean;
+    certificateValid: boolean;
+    certificateExpiry: Date | null;
+    cipherSuites: string[];
+    vulnerabilities: string[];
+}
+/**
+ * Analyze HTTPS/TLS configuration for a target URL
+ */
+export declare function analyzeHTTPS(targetUrl: string): Promise<{
+    findings: Finding[];
+    passedChecks: PassedCheck[];
+    httpsInfo: HTTPSCheckResult;
+}>;
+/**
+ * Check for mixed content on the page
+ */
+export declare function checkMixedContent(htmlContent: string, baseUrl: string): Promise<Finding[]>;
+export default analyzeHTTPS;
+//# sourceMappingURL=analyzer.d.ts.map

package/dist/scanners/https/analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../../src/scanners/https/analyzer.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAGH,OAAO,EAAE,OAAO,EAAY,QAAQ,EAAsD,MAAM,yBAAyB,CAAC;AAE1H,MAAM,WAAW,WAAW;IAC1B,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,gBAAgB;IAC/B,YAAY,EAAE,OAAO,CAAC;IACtB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,WAAW,EAAE,OAAO,CAAC;IACrB,UAAU,EAAE,MAAM,GAAG,IAAI,CAAC;IAC1B,YAAY,EAAE,OAAO,CAAC;IACtB,gBAAgB,EAAE,OAAO,CAAC;IAC1B,iBAAiB,EAAE,IAAI,GAAG,IAAI,CAAC;IAC/B,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,eAAe,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED;;GAEG;AAEH,wBAAsB,YAAY,CAAC,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC;IAC7D,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,YAAY,EAAE,WAAW,EAAE,CAAC;IAC5B,SAAS,EAAE,gBAAgB,CAAC;CAC7B,CAAC,CA+SD;AAsJD;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,WAAW,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,CAqChG;AAED,eAAe,YAAY,CAAC"}