supasec 1.0.4 → 1.0.5

package/dist/scanners/functions/analyzer.d.ts

@@ -0,0 +1,41 @@
+/**
+ * RPC Function Analyzer
+ * Scans for exposed RPC functions and analyzes their security
+ */
+import { Finding } from '../../models/finding.js';
+export interface RPCFunctionInfo {
+    name: string;
+    schema: string;
+    arguments: RPCArgument[];
+    returnType: string;
+    isSecurityDefiner: boolean;
+    owner: string;
+    description?: string;
+}
+export interface RPCArgument {
+    name: string;
+    type: string;
+    hasDefault: boolean;
+    defaultValue?: string;
+}
+export interface RPCScanOptions {
+    functions: RPCFunctionInfo[];
+    supabaseUrl: string;
+    anonKey?: string;
+    serviceKey?: string;
+}
+export interface RPCScanResult {
+    findings: Finding[];
+    functionsScanned: number;
+    exposedFunctions: number;
+    dangerousFunctions: number;
+}
+/**
+ * Analyze RPC functions for security issues
+ */
+export declare function analyzeRPCFunctions(options: RPCScanOptions): Promise<RPCScanResult>;
+/**
+ * Mock RPC functions for testing
+ */
+export declare function getMockRPCFunctions(): RPCFunctionInfo[];
+//# sourceMappingURL=analyzer.d.ts.map

package/dist/scanners/functions/analyzer.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.d.ts","sourceRoot":"","sources":["../../../src/scanners/functions/analyzer.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAqB,MAAM,yBAAyB,CAAC;AAErE,MAAM,WAAW,eAAe;IAC9B,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,MAAM,CAAC;IACf,SAAS,EAAE,WAAW,EAAE,CAAC;IACzB,UAAU,EAAE,MAAM,CAAC;IACnB,iBAAiB,EAAE,OAAO,CAAC;IAC3B,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,CAAC,EAAE,MAAM,CAAC;CACtB;AAED,MAAM,WAAW,WAAW;IAC1B,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,UAAU,EAAE,OAAO,CAAC;IACpB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,cAAc;IAC7B,SAAS,EAAE,eAAe,EAAE,CAAC;IAC7B,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;CACrB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,gBAAgB,EAAE,MAAM,CAAC;IACzB,gBAAgB,EAAE,MAAM,CAAC;IACzB,kBAAkB,EAAE,MAAM,CAAC;CAC5B;AAED;;GAEG;AACH,wBAAsB,mBAAmB,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC,CAsCzF;AA0TD;;GAEG;AACH,wBAAgB,mBAAmB,IAAI,eAAe,EAAE,CAgDvD"}

package/dist/scanners/functions/analyzer.js

@@ -0,0 +1,378 @@
+"use strict";
+/**
+ * RPC Function Analyzer
+ * Scans for exposed RPC functions and analyzes their security
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.analyzeRPCFunctions = analyzeRPCFunctions;
+exports.getMockRPCFunctions = getMockRPCFunctions;
+const finding_js_1 = require("../../models/finding.js");
+/**
+ * Analyze RPC functions for security issues
+ */
+async function analyzeRPCFunctions(options) {
+    const findings = [];
+    let findingCounter = 1;
+    let exposedCount = 0;
+    let dangerousCount = 0;
+    for (const func of options.functions) {
+        // Check if function is exposed (in public schema)
+        if (func.schema === 'public') {
+            exposedCount++;
+            // Check for dangerous function patterns
+            const dangerousFindings = checkDangerousPatterns(func, findingCounter);
+            findings.push(...dangerousFindings.findings);
+            findingCounter = dangerousFindings.nextCounter;
+            if (dangerousFindings.findings.length > 0) {
+                dangerousCount++;
+            }
+            // Check for missing security definer
+            if (!func.isSecurityDefiner) {
+                findings.push(createNoSecurityDefinerFinding(func, findingCounter++));
+            }
+            // Check for SQL injection vulnerabilities in arguments
+            const injectionFindings = checkSQLInjectionRisk(func, findingCounter);
+            findings.push(...injectionFindings.findings);
+            findingCounter = injectionFindings.nextCounter;
+        }
+    }
+    return {
+        findings,
+        functionsScanned: options.functions.length,
+        exposedFunctions: exposedCount,
+        dangerousFunctions: dangerousCount
+    };
+}
+/**
+ * Check for dangerous function name patterns
+ */
+function checkDangerousPatterns(func, startCounter) {
+    const findings = [];
+    let counter = startCounter;
+    const dangerousPatterns = [
+        {
+            pattern: /admin|superuser|root/i,
+            severity: 'CRITICAL',
+            description: 'Function name suggests administrative privileges'
+        },
+        {
+            pattern: /delete.*all|drop.*table|truncate/i,
+            severity: 'CRITICAL',
+            description: 'Function name suggests destructive operations'
+        },
+        {
+            pattern: /exec|execute|run|system/i,
+            severity: 'HIGH',
+            description: 'Function name suggests command execution capability'
+        },
+        {
+            pattern: /raw.*sql|query.*exec|dynamic.*sql/i,
+            severity: 'HIGH',
+            description: 'Function name suggests raw SQL execution'
+        },
+        {
+            pattern: /bypass|skip.*rls|ignore.*policy/i,
+            severity: 'CRITICAL',
+            description: 'Function name suggests RLS bypass capability'
+        }
+    ];
+    for (const { pattern, severity, description } of dangerousPatterns) {
+        if (pattern.test(func.name)) {
+            findings.push(createDangerousFunctionFinding(func, severity, description, counter++));
+        }
+    }
+    return { findings, nextCounter: counter };
+}
+/**
+ * Check for SQL injection risks in function arguments
+ */
+function checkSQLInjectionRisk(func, startCounter) {
+    const findings = [];
+    let counter = startCounter;
+    // Check for text/varchar parameters that might be used in dynamic SQL
+    const textParams = func.arguments.filter(arg => arg.type.toLowerCase().includes('text') ||
+        arg.type.toLowerCase().includes('varchar') ||
+        arg.type.toLowerCase().includes('char'));
+    if (textParams.length > 0 && func.name.toLowerCase().includes('query')) {
+        findings.push(createSQLInjectionRiskFinding(func, textParams, counter++));
+    }
+    return { findings, nextCounter: counter };
+}
+/**
+ * Create finding for dangerous function
+ */
+function createDangerousFunctionFinding(func, severity, description, counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('functions', counter),
+        timestamp: new Date().toISOString(),
+        severity,
+        category: 'functions',
+        subcategory: 'dangerous_function',
+        title: `Potentially dangerous RPC function '${func.name}'`,
+        description: `The RPC function '${func.name}' has a name pattern that suggests ${description.toLowerCase()}. This could allow unauthorized access or operations.`,
+        location: {
+            table: `${func.schema}.${func.name}`
+        },
+        evidence: {
+            function_name: func.name,
+            schema: func.schema,
+            return_type: func.returnType,
+            is_security_definer: func.isSecurityDefiner,
+            argument_count: func.arguments.length,
+            description
+        },
+        impact: {
+            severity_score: severity === 'CRITICAL' ? 9.5 : 7.5,
+            description: `${description}. Could lead to unauthorized data access or system compromise.`,
+            affected_resources: [`${func.schema}.${func.name}`],
+            compliance_violations: ['OWASP-A01-2021', 'SOC2-CC6.1']
+        },
+        remediation: {
+            summary: `Review and secure RPC function '${func.name}'`,
+            priority: severity === 'CRITICAL' ? 'IMMEDIATE' : 'HIGH',
+            effort: 'MEDIUM',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Review function implementation for security issues',
+                    sql: `-- Review function definition
+\df+ ${func.schema}.${func.name}`
+                },
+                {
+                    order: 2,
+                    action: 'Add proper access controls and input validation',
+                    sql: `-- Example: Add security definer and validation
+CREATE OR REPLACE FUNCTION ${func.schema}.${func.name}(${func.arguments.map(a => `${a.name} ${a.type}`).join(', ')})
+RETURNS ${func.returnType}
+SECURITY DEFINER
+SET search_path = public
+AS $$
+BEGIN
+  -- Add validation logic here
+  -- Check user permissions
+  -- Validate inputs
+  
+  -- Original function logic
+END;
+$$ LANGUAGE plpgsql;`
+                },
+                {
+                    order: 3,
+                    action: 'Restrict function to authenticated users only',
+                    sql: `-- Revoke public access
+REVOKE EXECUTE ON FUNCTION ${func.schema}.${func.name}(${func.arguments.map(a => a.type).join(', ')}) FROM PUBLIC;
+
+-- Grant to authenticated users only
+GRANT EXECUTE ON FUNCTION ${func.schema}.${func.name}(${func.arguments.map(a => a.type).join(', ')}) TO authenticated;`
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [
+            {
+                title: 'PostgreSQL Function Security',
+                url: 'https://www.postgresql.org/docs/current/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY'
+            },
+            {
+                title: 'Supabase RPC Security Best Practices',
+                url: 'https://supabase.com/docs/guides/database/functions#security'
+            }
+        ],
+        false_positive_likelihood: 'MEDIUM',
+        confidence: 0.75
+    };
+}
+/**
+ * Create finding for missing security definer
+ */
+function createNoSecurityDefinerFinding(func, counter) {
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('functions', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'MEDIUM',
+        category: 'functions',
+        subcategory: 'no_security_definer',
+        title: `RPC function '${func.name}' lacks SECURITY DEFINER`,
+        description: `The RPC function '${func.name}' does not use SECURITY DEFINER. This means it executes with the privileges of the caller, which may allow privilege escalation or unauthorized access.`,
+        location: {
+            table: `${func.schema}.${func.name}`
+        },
+        evidence: {
+            function_name: func.name,
+            schema: func.schema,
+            is_security_definer: false,
+            owner: func.owner
+        },
+        impact: {
+            severity_score: 5.0,
+            description: 'Function executes with caller privileges - potential privilege escalation',
+            affected_resources: [`${func.schema}.${func.name}`]
+        },
+        remediation: {
+            summary: `Add SECURITY DEFINER to function '${func.name}'`,
+            priority: 'MEDIUM',
+            effort: 'LOW',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Review if SECURITY DEFINER is appropriate',
+                    sql: `-- Check current function definition
+\df+ ${func.schema}.${func.name}`
+                },
+                {
+                    order: 2,
+                    action: 'Add SECURITY DEFINER if needed',
+                    sql: `-- Add security definer
+CREATE OR REPLACE FUNCTION ${func.schema}.${func.name}(${func.arguments.map(a => `${a.name} ${a.type}`).join(', ')})
+RETURNS ${func.returnType}
+SECURITY DEFINER
+SET search_path = public
+AS $$ 
+  -- Function body
+$$ LANGUAGE plpgsql;`
+                }
+            ],
+            auto_fixable: true
+        },
+        references: [
+            {
+                title: 'PostgreSQL SECURITY DEFINER',
+                url: 'https://www.postgresql.org/docs/current/sql-createfunction.html#SQL-CREATEFUNCTION-SECURITY'
+            }
+        ],
+        false_positive_likelihood: 'HIGH',
+        confidence: 0.6
+    };
+}
+/**
+ * Create finding for SQL injection risk
+ */
+function createSQLInjectionRiskFinding(func, textParams, counter) {
+    const paramNames = textParams.map(p => p.name).join(', ');
+    return {
+        finding_id: (0, finding_js_1.generateFindingId)('functions', counter),
+        timestamp: new Date().toISOString(),
+        severity: 'HIGH',
+        category: 'functions',
+        subcategory: 'sql_injection_risk',
+        title: `Potential SQL injection in RPC function '${func.name}'`,
+        description: `The RPC function '${func.name}' accepts text parameters (${paramNames}) and has a name suggesting query execution. This may be vulnerable to SQL injection if inputs are not properly sanitized.`,
+        location: {
+            table: `${func.schema}.${func.name}`
+        },
+        evidence: {
+            function_name: func.name,
+            schema: func.schema,
+            text_parameters: textParams.map(p => ({ name: p.name, type: p.type })),
+            argument_count: func.arguments.length
+        },
+        impact: {
+            severity_score: 8.0,
+            description: 'SQL injection vulnerability could allow arbitrary SQL execution',
+            affected_resources: [`${func.schema}.${func.name}`],
+            compliance_violations: ['OWASP-A03-2021', 'PCI-DSS-6.5.1']
+        },
+        remediation: {
+            summary: `Secure function '${func.name}' against SQL injection`,
+            priority: 'HIGH',
+            effort: 'MEDIUM',
+            steps: [
+                {
+                    order: 1,
+                    action: 'Review function implementation for dynamic SQL',
+                    sql: `-- Check function source code
+SELECT prosrc FROM pg_proc WHERE proname = '${func.name}';`
+                },
+                {
+                    order: 2,
+                    action: 'Use parameterized queries or proper escaping',
+                    sql: `-- Example: Use format() with proper escaping
+CREATE OR REPLACE FUNCTION ${func.schema}.${func.name}(query_text text)
+RETURNS TABLE (...) AS $$
+BEGIN
+  -- Use format() with %I for identifiers, %L for literals
+  RETURN QUERY EXECUTE format('SELECT * FROM %I WHERE id = %L', 
+    'my_table', 
+    query_text
+  );
+END;
+$$ LANGUAGE plpgsql SECURITY DEFINER;`
+                },
+                {
+                    order: 3,
+                    action: 'Add input validation',
+                    code: `-- Validate inputs before using in dynamic SQL
+IF query_text !~ '^[a-zA-Z0-9_]+$' THEN
+  RAISE EXCEPTION 'Invalid input format';
+END IF;`
+                }
+            ],
+            auto_fixable: false
+        },
+        references: [
+            {
+                title: 'OWASP SQL Injection Prevention',
+                url: 'https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html'
+            },
+            {
+                title: 'PostgreSQL Dynamic SQL',
+                url: 'https://www.postgresql.org/docs/current/plpgsql-statements.html#PLPGSQL-STATEMENTS-EXECUTING-DYN'
+            }
+        ],
+        false_positive_likelihood: 'MEDIUM',
+        confidence: 0.7
+    };
+}
+/**
+ * Mock RPC functions for testing
+ */
+function getMockRPCFunctions() {
+    return [
+        {
+            name: 'get_user_profile',
+            schema: 'public',
+            arguments: [
+                { name: 'user_id', type: 'uuid', hasDefault: false }
+            ],
+            returnType: 'json',
+            isSecurityDefiner: true,
+            owner: 'postgres',
+            description: 'Get user profile information'
+        },
+        {
+            name: 'admin_delete_user',
+            schema: 'public',
+            arguments: [
+                { name: 'target_user_id', type: 'uuid', hasDefault: false }
+            ],
+            returnType: 'boolean',
+            isSecurityDefiner: false,
+            owner: 'postgres',
+            description: 'Admin function to delete users'
+        },
+        {
+            name: 'execute_raw_query',
+            schema: 'public',
+            arguments: [
+                { name: 'sql_query', type: 'text', hasDefault: false }
+            ],
+            returnType: 'json',
+            isSecurityDefiner: true,
+            owner: 'postgres',
+            description: 'Execute arbitrary SQL query'
+        },
+        {
+            name: 'search_posts',
+            schema: 'public',
+            arguments: [
+                { name: 'search_term', type: 'text', hasDefault: false },
+                { name: 'limit_count', type: 'integer', hasDefault: true, defaultValue: '10' }
+            ],
+            returnType: 'json',
+            isSecurityDefiner: false,
+            owner: 'postgres',
+            description: 'Search posts by term'
+        }
+    ];
+}
+//# sourceMappingURL=analyzer.js.map

package/dist/scanners/functions/analyzer.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"analyzer.js","sourceRoot":"","sources":["../../../src/scanners/functions/analyzer.ts"],"names":[],"mappings":";AAAA;;;GAGG;;AAsCH,kDAsCC;AA6TD,kDAgDC;AAvbD,wDAAqE;AAiCrE;;GAEG;AACI,KAAK,UAAU,mBAAmB,CAAC,OAAuB;IAC/D,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,cAAc,GAAG,CAAC,CAAC;IACvB,IAAI,YAAY,GAAG,CAAC,CAAC;IACrB,IAAI,cAAc,GAAG,CAAC,CAAC;IAEvB,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;QACrC,kDAAkD;QAClD,IAAI,IAAI,CAAC,MAAM,KAAK,QAAQ,EAAE,CAAC;YAC7B,YAAY,EAAE,CAAC;YAEf,wCAAwC;YACxC,MAAM,iBAAiB,GAAG,sBAAsB,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;YACvE,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YAC7C,cAAc,GAAG,iBAAiB,CAAC,WAAW,CAAC;YAE/C,IAAI,iBAAiB,CAAC,QAAQ,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC1C,cAAc,EAAE,CAAC;YACnB,CAAC;YAED,qCAAqC;YACrC,IAAI,CAAC,IAAI,CAAC,iBAAiB,EAAE,CAAC;gBAC5B,QAAQ,CAAC,IAAI,CAAC,8BAA8B,CAAC,IAAI,EAAE,cAAc,EAAE,CAAC,CAAC,CAAC;YACxE,CAAC;YAED,uDAAuD;YACvD,MAAM,iBAAiB,GAAG,qBAAqB,CAAC,IAAI,EAAE,cAAc,CAAC,CAAC;YACtE,QAAQ,CAAC,IAAI,CAAC,GAAG,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YAC7C,cAAc,GAAG,iBAAiB,CAAC,WAAW,CAAC;QACjD,CAAC;IACH,CAAC;IAED,OAAO;QACL,QAAQ;QACR,gBAAgB,EAAE,OAAO,CAAC,SAAS,CAAC,MAAM;QAC1C,gBAAgB,EAAE,YAAY;QAC9B,kBAAkB,EAAE,cAAc;KACnC,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,sBAAsB,CAC7B,IAAqB,EACrB,YAAoB;IAEpB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,YAAY,CAAC;IAE3B,MAAM,iBAAiB,GAAG;QACxB;YACE,OAAO,EAAE,uBAAuB;YAChC,QAAQ,EAAE,UAAmB;YAC7B,WAAW,EAAE,kDAAkD;SAChE;QACD;YACE,OAAO,EAAE,mCAAmC;YAC5C,QAAQ,EAAE,UAAmB;YAC7B,WAAW,EAAE,+CAA+C;SAC7D;QACD;YACE,OAAO,EAAE,0BAA0B;YACnC,QAAQ,EAAE,MAAe;YACzB,WAAW,EAAE,qDAAqD;SACnE;QACD;YACE,OAAO,EAAE,oCAAoC;YAC7C,QAAQ,EAAE,MAAe;YACzB,WAAW,EAAE,0CAA0C;SACxD;QACD;YACE,OAAO,EAAE,kCAAkC;YAC3C,QAAQ,EAAE,UAAmB;YAC7B,WAAW,EAAE,8CAA8C;SAC5D;KACF,CAAC;IAEF,KAAK,MAAM,EAAE,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,IAAI,iBAAiB,EAAE,CAAC;QACnE,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;YAC5B,QAAQ,CAAC,IAAI,CAAC,8BAA8B,CAAC,IAAI,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;QACxF,CAAC;IACH,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAC5B,IAAqB,EACrB,YAAoB;IAEpB,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,IAAI,OAAO,GAAG,YAAY,CAAC;IAE3B,sEAAsE;IACtE,MAAM,UAAU,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAC,GAAG,CAAC,EAAE,CAC7C,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC;QACvC,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,SAAS,CAAC;QAC1C,GAAG,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,MAAM,CAAC,CACxC,CAAC;IAEF,IAAI,UAAU,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QACvE,QAAQ,CAAC,IAAI,CAAC,6BAA6B,CAAC,IAAI,EAAE,UAAU,EAAE,OAAO,EAAE,CAAC,CAAC,CAAC;IAC5E,CAAC;IAED,OAAO,EAAE,QAAQ,EAAE,WAAW,EAAE,OAAO,EAAE,CAAC;AAC5C,CAAC;AAED;;GAEG;AACH,SAAS,8BAA8B,CACrC,IAAqB,EACrB,QAA6B,EAC7B,WAAmB,EACnB,OAAe;IAEf,OAAO;QACL,UAAU,EAAE,IAAA,8BAAiB,EAAC,WAAW,EAAE,OAAO,CAAC;QACnD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ;QACR,QAAQ,EAAE,WAAW;QACrB,WAAW,EAAE,oBAAoB;QACjC,KAAK,EAAE,uCAAuC,IAAI,CAAC,IAAI,GAAG;QAC1D,WAAW,EAAE,qBAAqB,IAAI,CAAC,IAAI,sCAAsC,WAAW,CAAC,WAAW,EAAE,uDAAuD;QACjK,QAAQ,EAAE;YACR,KAAK,EAAE,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,EAAE;SACrC;QACD,QAAQ,EAAE;YACR,aAAa,EAAE,IAAI,CAAC,IAAI;YACxB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,WAAW,EAAE,IAAI,CAAC,UAAU;YAC5B,mBAAmB,EAAE,IAAI,CAAC,iBAAiB;YAC3C,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM;YACrC,WAAW;SACZ;QACD,MAAM,EAAE;YACN,cAAc,EAAE,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,GAAG;YACnD,WAAW,EAAE,GAAG,WAAW,gEAAgE;YAC3F,kBAAkB,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACnD,qBAAqB,EAAE,CAAC,gBAAgB,EAAE,YAAY,CAAC;SACxD;QACD,WAAW,EAAE;YACX,OAAO,EAAE,mCAAmC,IAAI,CAAC,IAAI,GAAG;YACxD,QAAQ,EAAE,QAAQ,KAAK,UAAU,CAAC,CAAC,CAAC,WAAW,CAAC,CAAC,CAAC,MAAM;YACxD,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE;gBACL;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,oDAAoD;oBAC5D,GAAG,EAAE;OACR,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,EAAE;iBACxB;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,iDAAiD;oBACzD,GAAG,EAAE;6BACc,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;UACxG,IAAI,CAAC,UAAU;;;;;;;;;;;qBAWJ;iBACZ;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,+CAA+C;oBACvD,GAAG,EAAE;6BACc,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;;;4BAGvE,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,qBAAqB;iBAC9G;aACF;YACD,YAAY,EAAE,KAAK;SACpB;QACD,UAAU,EAAE;YACV;gBACE,KAAK,EAAE,8BAA8B;gBACrC,GAAG,EAAE,6FAA6F;aACnG;YACD;gBACE,KAAK,EAAE,sCAAsC;gBAC7C,GAAG,EAAE,8DAA8D;aACpE;SACF;QACD,yBAAyB,EAAE,QAAQ;QACnC,UAAU,EAAE,IAAI;KACjB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,8BAA8B,CACrC,IAAqB,EACrB,OAAe;IAEf,OAAO;QACL,UAAU,EAAE,IAAA,8BAAiB,EAAC,WAAW,EAAE,OAAO,CAAC;QACnD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,QAAQ;QAClB,QAAQ,EAAE,WAAW;QACrB,WAAW,EAAE,qBAAqB;QAClC,KAAK,EAAE,iBAAiB,IAAI,CAAC,IAAI,0BAA0B;QAC3D,WAAW,EAAE,qBAAqB,IAAI,CAAC,IAAI,yJAAyJ;QACpM,QAAQ,EAAE;YACR,KAAK,EAAE,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,EAAE;SACrC;QACD,QAAQ,EAAE;YACR,aAAa,EAAE,IAAI,CAAC,IAAI;YACxB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,mBAAmB,EAAE,KAAK;YAC1B,KAAK,EAAE,IAAI,CAAC,KAAK;SAClB;QACD,MAAM,EAAE;YACN,cAAc,EAAE,GAAG;YACnB,WAAW,EAAE,2EAA2E;YACxF,kBAAkB,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;SACpD;QACD,WAAW,EAAE;YACX,OAAO,EAAE,qCAAqC,IAAI,CAAC,IAAI,GAAG;YAC1D,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,KAAK;YACb,KAAK,EAAE;gBACL;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,2CAA2C;oBACnD,GAAG,EAAE;OACR,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,EAAE;iBACxB;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,gCAAgC;oBACxC,GAAG,EAAE;6BACc,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,GAAG,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;UACxG,IAAI,CAAC,UAAU;;;;;qBAKJ;iBACZ;aACF;YACD,YAAY,EAAE,IAAI;SACnB;QACD,UAAU,EAAE;YACV;gBACE,KAAK,EAAE,6BAA6B;gBACpC,GAAG,EAAE,6FAA6F;aACnG;SACF;QACD,yBAAyB,EAAE,MAAM;QACjC,UAAU,EAAE,GAAG;KAChB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAS,6BAA6B,CACpC,IAAqB,EACrB,UAAyB,EACzB,OAAe;IAEf,MAAM,UAAU,GAAG,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAE1D,OAAO;QACL,UAAU,EAAE,IAAA,8BAAiB,EAAC,WAAW,EAAE,OAAO,CAAC;QACnD,SAAS,EAAE,IAAI,IAAI,EAAE,CAAC,WAAW,EAAE;QACnC,QAAQ,EAAE,MAAM;QAChB,QAAQ,EAAE,WAAW;QACrB,WAAW,EAAE,oBAAoB;QACjC,KAAK,EAAE,4CAA4C,IAAI,CAAC,IAAI,GAAG;QAC/D,WAAW,EAAE,qBAAqB,IAAI,CAAC,IAAI,8BAA8B,UAAU,4HAA4H;QAC/M,QAAQ,EAAE;YACR,KAAK,EAAE,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,EAAE;SACrC;QACD,QAAQ,EAAE;YACR,aAAa,EAAE,IAAI,CAAC,IAAI;YACxB,MAAM,EAAE,IAAI,CAAC,MAAM;YACnB,eAAe,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC;YACtE,cAAc,EAAE,IAAI,CAAC,SAAS,CAAC,MAAM;SACtC;QACD,MAAM,EAAE;YACN,cAAc,EAAE,GAAG;YACnB,WAAW,EAAE,iEAAiE;YAC9E,kBAAkB,EAAE,CAAC,GAAG,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC;YACnD,qBAAqB,EAAE,CAAC,gBAAgB,EAAE,eAAe,CAAC;SAC3D;QACD,WAAW,EAAE;YACX,OAAO,EAAE,oBAAoB,IAAI,CAAC,IAAI,yBAAyB;YAC/D,QAAQ,EAAE,MAAM;YAChB,MAAM,EAAE,QAAQ;YAChB,KAAK,EAAE;gBACL;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,gDAAgD;oBACxD,GAAG,EAAE;8CAC+B,IAAI,CAAC,IAAI,IAAI;iBAClD;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,8CAA8C;oBACtD,GAAG,EAAE;6BACc,IAAI,CAAC,MAAM,IAAI,IAAI,CAAC,IAAI;;;;;;;;;sCASf;iBAC7B;gBACD;oBACE,KAAK,EAAE,CAAC;oBACR,MAAM,EAAE,sBAAsB;oBAC9B,IAAI,EAAE;;;QAGR;iBACC;aACF;YACD,YAAY,EAAE,KAAK;SACpB;QACD,UAAU,EAAE;YACV;gBACE,KAAK,EAAE,gCAAgC;gBACvC,GAAG,EAAE,0FAA0F;aAChG;YACD;gBACE,KAAK,EAAE,wBAAwB;gBAC/B,GAAG,EAAE,kGAAkG;aACxG;SACF;QACD,yBAAyB,EAAE,QAAQ;QACnC,UAAU,EAAE,GAAG;KAChB,CAAC;AACJ,CAAC;AAED;;GAEG;AACH,SAAgB,mBAAmB;IACjC,OAAO;QACL;YACE,IAAI,EAAE,kBAAkB;YACxB,MAAM,EAAE,QAAQ;YAChB,SAAS,EAAE;gBACT,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE;aACrD;YACD,UAAU,EAAE,MAAM;YAClB,iBAAiB,EAAE,IAAI;YACvB,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,8BAA8B;SAC5C;QACD;YACE,IAAI,EAAE,mBAAmB;YACzB,MAAM,EAAE,QAAQ;YAChB,SAAS,EAAE;gBACT,EAAE,IAAI,EAAE,gBAAgB,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE;aAC5D;YACD,UAAU,EAAE,SAAS;YACrB,iBAAiB,EAAE,KAAK;YACxB,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,gCAAgC;SAC9C;QACD;YACE,IAAI,EAAE,mBAAmB;YACzB,MAAM,EAAE,QAAQ;YAChB,SAAS,EAAE;gBACT,EAAE,IAAI,EAAE,WAAW,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE;aACvD;YACD,UAAU,EAAE,MAAM;YAClB,iBAAiB,EAAE,IAAI;YACvB,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,6BAA6B;SAC3C;QACD;YACE,IAAI,EAAE,cAAc;YACpB,MAAM,EAAE,QAAQ;YAChB,SAAS,EAAE;gBACT,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,MAAM,EAAE,UAAU,EAAE,KAAK,EAAE;gBACxD,EAAE,IAAI,EAAE,aAAa,EAAE,IAAI,EAAE,SAAS,EAAE,UAAU,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE;aAC/E;YACD,UAAU,EAAE,MAAM;YAClB,iBAAiB,EAAE,KAAK;YACxB,KAAK,EAAE,UAAU;YACjB,WAAW,EAAE,sBAAsB;SACpC;KACF,CAAC;AACJ,CAAC"}

package/dist/scanners/functions/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Functions Scanner Module
+ * Export all RPC function analysis functionality
+ */
+export * from './analyzer.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/functions/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/functions/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,eAAe,CAAC"}

package/dist/scanners/functions/index.js

@@ -0,0 +1,22 @@
+"use strict";
+/**
+ * Functions Scanner Module
+ * Export all RPC function analysis functionality
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./analyzer.js"), exports);
+//# sourceMappingURL=index.js.map

package/dist/scanners/functions/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/functions/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;AAEH,gDAA8B"}

package/dist/scanners/git/index.d.ts

@@ -0,0 +1,6 @@
+/**
+ * Git Scanner Module
+ * Export all git history scanning functionality
+ */
+export * from './scanner.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/scanners/git/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/scanners/git/index.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,cAAc,cAAc,CAAC"}

package/dist/scanners/git/index.js

@@ -0,0 +1,22 @@
+"use strict";
+/**
+ * Git Scanner Module
+ * Export all git history scanning functionality
+ */
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __exportStar = (this && this.__exportStar) || function(m, exports) {
+    for (var p in m) if (p !== "default" && !Object.prototype.hasOwnProperty.call(exports, p)) __createBinding(exports, m, p);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+__exportStar(require("./scanner.js"), exports);
+//# sourceMappingURL=index.js.map

package/dist/scanners/git/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/scanners/git/index.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;;;;;;;;;;;;;;AAEH,+CAA6B"}

package/dist/scanners/git/scanner.d.ts

@@ -0,0 +1,22 @@
+/**
+ * Git History Scanner
+ * Scans git history for secrets and sensitive data
+ */
+import { Finding } from '../../models/finding.js';
+export interface GitScanOptions {
+    repoPath: string;
+    since?: string;
+    maxCommits?: number;
+    scanBranches?: boolean;
+}
+export interface GitScanResult {
+    findings: Finding[];
+    commitsScanned: number;
+    branchesScanned: number;
+    secretsFound: number;
+}
+/**
+ * Scan git history for secrets
+ */
+export declare function scanGitHistory(options: GitScanOptions): Promise<GitScanResult>;
+//# sourceMappingURL=scanner.d.ts.map

package/dist/scanners/git/scanner.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"scanner.d.ts","sourceRoot":"","sources":["../../../src/scanners/git/scanner.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,EAAE,OAAO,EAAqB,MAAM,yBAAyB,CAAC;AAKrE,MAAM,WAAW,cAAc;IAC7B,QAAQ,EAAE,MAAM,CAAC;IACjB,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,YAAY,CAAC,EAAE,OAAO,CAAC;CACxB;AAED,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,OAAO,EAAE,CAAC;IACpB,cAAc,EAAE,MAAM,CAAC;IACvB,eAAe,EAAE,MAAM,CAAC;IACxB,YAAY,EAAE,MAAM,CAAC;CACtB;AAUD;;GAEG;AACH,wBAAsB,cAAc,CAAC,OAAO,EAAE,cAAc,GAAG,OAAO,CAAC,aAAa,CAAC,CA+DpF"}