toolip 1.0.3 → 1.0.6
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +599 -0
- package/package.json +1 -1
- package/dist/src/commands/alternatives.d.ts +0 -2
- package/dist/src/commands/alternatives.js +0 -17
- package/dist/src/commands/alternatives.js.map +0 -1
- package/dist/src/commands/compare.d.ts +0 -2
- package/dist/src/commands/compare.js +0 -19
- package/dist/src/commands/compare.js.map +0 -1
- package/dist/src/commands/doctor.d.ts +0 -2
- package/dist/src/commands/doctor.js +0 -42
- package/dist/src/commands/doctor.js.map +0 -1
- package/dist/src/commands/git-audit.d.ts +0 -2
- package/dist/src/commands/git-audit.js +0 -37
- package/dist/src/commands/git-audit.js.map +0 -1
- package/dist/src/commands/hook.d.ts +0 -2
- package/dist/src/commands/hook.js +0 -16
- package/dist/src/commands/hook.js.map +0 -1
- package/dist/src/commands/inspect.d.ts +0 -2
- package/dist/src/commands/inspect.js +0 -24
- package/dist/src/commands/inspect.js.map +0 -1
- package/dist/src/commands/learn.d.ts +0 -2
- package/dist/src/commands/learn.js +0 -42
- package/dist/src/commands/learn.js.map +0 -1
- package/dist/src/commands/licenses.d.ts +0 -2
- package/dist/src/commands/licenses.js +0 -40
- package/dist/src/commands/licenses.js.map +0 -1
- package/dist/src/commands/pre-commit.d.ts +0 -2
- package/dist/src/commands/pre-commit.js +0 -37
- package/dist/src/commands/pre-commit.js.map +0 -1
- package/dist/src/commands/profile.d.ts +0 -2
- package/dist/src/commands/profile.js +0 -18
- package/dist/src/commands/profile.js.map +0 -1
- package/dist/src/commands/scan.d.ts +0 -2
- package/dist/src/commands/scan.js +0 -48
- package/dist/src/commands/scan.js.map +0 -1
- package/dist/src/commands/score.d.ts +0 -2
- package/dist/src/commands/score.js +0 -24
- package/dist/src/commands/score.js.map +0 -1
- package/dist/src/commands/self-test.d.ts +0 -2
- package/dist/src/commands/self-test.js +0 -63
- package/dist/src/commands/self-test.js.map +0 -1
- package/dist/src/commands/tree.d.ts +0 -2
- package/dist/src/commands/tree.js +0 -21
- package/dist/src/commands/tree.js.map +0 -1
- package/dist/src/commands/vault.d.ts +0 -2
- package/dist/src/commands/vault.js +0 -86
- package/dist/src/commands/vault.js.map +0 -1
- package/dist/src/config/version.d.ts +0 -6
- package/dist/src/config/version.js +0 -7
- package/dist/src/config/version.js.map +0 -1
- package/dist/src/core/alternatives.d.ts +0 -8
- package/dist/src/core/alternatives.js +0 -35
- package/dist/src/core/alternatives.js.map +0 -1
- package/dist/src/core/analyze-package.d.ts +0 -2
- package/dist/src/core/analyze-package.js +0 -49
- package/dist/src/core/analyze-package.js.map +0 -1
- package/dist/src/core/compare-packages.d.ts +0 -7
- package/dist/src/core/compare-packages.js +0 -19
- package/dist/src/core/compare-packages.js.map +0 -1
- package/dist/src/core/dependency-scan.d.ts +0 -17
- package/dist/src/core/dependency-scan.js +0 -70
- package/dist/src/core/dependency-scan.js.map +0 -1
- package/dist/src/core/dependency-tree.d.ts +0 -16
- package/dist/src/core/dependency-tree.js +0 -19
- package/dist/src/core/dependency-tree.js.map +0 -1
- package/dist/src/core/dependency-types.d.ts +0 -17
- package/dist/src/core/dependency-types.js +0 -2
- package/dist/src/core/dependency-types.js.map +0 -1
- package/dist/src/core/file-walker.d.ts +0 -6
- package/dist/src/core/file-walker.js +0 -27
- package/dist/src/core/file-walker.js.map +0 -1
- package/dist/src/core/git-audit.d.ts +0 -12
- package/dist/src/core/git-audit.js +0 -111
- package/dist/src/core/git-audit.js.map +0 -1
- package/dist/src/core/hooks.d.ts +0 -1
- package/dist/src/core/hooks.js +0 -14
- package/dist/src/core/hooks.js.map +0 -1
- package/dist/src/core/learn.d.ts +0 -11
- package/dist/src/core/learn.js +0 -163
- package/dist/src/core/learn.js.map +0 -1
- package/dist/src/core/license-analysis.d.ts +0 -18
- package/dist/src/core/license-analysis.js +0 -98
- package/dist/src/core/license-analysis.js.map +0 -1
- package/dist/src/core/load-toolip-ignore.d.ts +0 -5
- package/dist/src/core/load-toolip-ignore.js +0 -35
- package/dist/src/core/load-toolip-ignore.js.map +0 -1
- package/dist/src/core/npm-registry.d.ts +0 -3
- package/dist/src/core/npm-registry.js +0 -5
- package/dist/src/core/npm-registry.js.map +0 -1
- package/dist/src/core/pre-commit.d.ts +0 -11
- package/dist/src/core/pre-commit.js +0 -22
- package/dist/src/core/pre-commit.js.map +0 -1
- package/dist/src/core/profile-project.d.ts +0 -23
- package/dist/src/core/profile-project.js +0 -119
- package/dist/src/core/profile-project.js.map +0 -1
- package/dist/src/core/read-dependencies.d.ts +0 -2
- package/dist/src/core/read-dependencies.js +0 -24
- package/dist/src/core/read-dependencies.js.map +0 -1
- package/dist/src/core/report-writer.d.ts +0 -5
- package/dist/src/core/report-writer.js +0 -61
- package/dist/src/core/report-writer.js.map +0 -1
- package/dist/src/core/report.d.ts +0 -34
- package/dist/src/core/report.js +0 -26
- package/dist/src/core/report.js.map +0 -1
- package/dist/src/core/risk-score.d.ts +0 -5
- package/dist/src/core/risk-score.js +0 -14
- package/dist/src/core/risk-score.js.map +0 -1
- package/dist/src/core/scanner-context.d.ts +0 -12
- package/dist/src/core/scanner-context.js +0 -27
- package/dist/src/core/scanner-context.js.map +0 -1
- package/dist/src/core/score.d.ts +0 -13
- package/dist/src/core/score.js +0 -44
- package/dist/src/core/score.js.map +0 -1
- package/dist/src/core/security-doctor.d.ts +0 -12
- package/dist/src/core/security-doctor.js +0 -106
- package/dist/src/core/security-doctor.js.map +0 -1
- package/dist/src/core/security-patterns.d.ts +0 -14
- package/dist/src/core/security-patterns.js +0 -130
- package/dist/src/core/security-patterns.js.map +0 -1
- package/dist/src/core/typosquat.d.ts +0 -6
- package/dist/src/core/typosquat.js +0 -50
- package/dist/src/core/typosquat.js.map +0 -1
- package/dist/src/core/vault.d.ts +0 -48
- package/dist/src/core/vault.js +0 -127
- package/dist/src/core/vault.js.map +0 -1
- package/dist/src/errors/toolip-error.d.ts +0 -8
- package/dist/src/errors/toolip-error.js +0 -11
- package/dist/src/errors/toolip-error.js.map +0 -1
- package/dist/src/index.d.ts +0 -2
- package/dist/src/index.js +0 -51
- package/dist/src/index.js.map +0 -1
- package/dist/src/utils/error-handler.d.ts +0 -1
- package/dist/src/utils/error-handler.js +0 -24
- package/dist/src/utils/error-handler.js.map +0 -1
- package/dist/src/utils/output.d.ts +0 -6
- package/dist/src/utils/output.js +0 -72
- package/dist/src/utils/output.js.map +0 -1
- package/dist/src/utils/package-output.d.ts +0 -4
- package/dist/src/utils/package-output.js +0 -40
- package/dist/src/utils/package-output.js.map +0 -1
package/README.md
ADDED
|
@@ -0,0 +1,599 @@
|
|
|
1
|
+
# Toolip
|
|
2
|
+
|
|
3
|
+
<p align="center">
|
|
4
|
+
<strong>Developer-First Supply Chain Security, Security Hygiene, and Secrets Management CLI</strong>
|
|
5
|
+
</p>
|
|
6
|
+
|
|
7
|
+
<p align="center">
|
|
8
|
+
Dependency Intelligence • Security Auditing • Secret Detection • Git Security • Learning Mode • Encrypted Vault
|
|
9
|
+
</p>
|
|
10
|
+
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
## Overview
|
|
14
|
+
|
|
15
|
+
Toolip is a TypeScript-powered developer security companion designed to help developers build safer software.
|
|
16
|
+
|
|
17
|
+
Modern development relies heavily on third-party packages, environment variables, cloud credentials, CI/CD pipelines, and Git workflows. While security tooling often targets enterprise security teams, developers are frequently left with tools that identify problems without explaining them.
|
|
18
|
+
|
|
19
|
+
Toolip takes a different approach.
|
|
20
|
+
|
|
21
|
+
Instead of simply reporting findings, Toolip focuses on education, remediation guidance, and practical developer workflows.
|
|
22
|
+
|
|
23
|
+
Toolip combines:
|
|
24
|
+
|
|
25
|
+
* Supply Chain Security
|
|
26
|
+
* Dependency Intelligence
|
|
27
|
+
* Developer Security Auditing
|
|
28
|
+
* Secret Detection
|
|
29
|
+
* Git Security
|
|
30
|
+
* Security Scorecards
|
|
31
|
+
* Encrypted Local Secret Storage
|
|
32
|
+
* Security Learning Resources
|
|
33
|
+
|
|
34
|
+
Everything runs locally.
|
|
35
|
+
|
|
36
|
+
No accounts.
|
|
37
|
+
|
|
38
|
+
No dashboards.
|
|
39
|
+
|
|
40
|
+
No SaaS.
|
|
41
|
+
|
|
42
|
+
No subscriptions.
|
|
43
|
+
|
|
44
|
+
---
|
|
45
|
+
|
|
46
|
+
## Why Toolip?
|
|
47
|
+
|
|
48
|
+
Most tools stop at:
|
|
49
|
+
|
|
50
|
+
```text
|
|
51
|
+
Security issue found.
|
|
52
|
+
```
|
|
53
|
+
|
|
54
|
+
Toolip goes further:
|
|
55
|
+
|
|
56
|
+
* What is wrong?
|
|
57
|
+
* Why does it matter?
|
|
58
|
+
* How risky is it?
|
|
59
|
+
* How do you fix it?
|
|
60
|
+
* What alternatives exist?
|
|
61
|
+
* How can you prevent it in future?
|
|
62
|
+
|
|
63
|
+
The goal is to help developers understand security while improving security posture.
|
|
64
|
+
|
|
65
|
+
---
|
|
66
|
+
|
|
67
|
+
## Installation
|
|
68
|
+
|
|
69
|
+
### npm
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
npm install -g toolip
|
|
73
|
+
```
|
|
74
|
+
|
|
75
|
+
Verify installation:
|
|
76
|
+
|
|
77
|
+
```bash
|
|
78
|
+
toolip --version
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
---
|
|
82
|
+
|
|
83
|
+
## Quick Start
|
|
84
|
+
|
|
85
|
+
Analyze a project:
|
|
86
|
+
|
|
87
|
+
```bash
|
|
88
|
+
toolip profile
|
|
89
|
+
|
|
90
|
+
toolip scan
|
|
91
|
+
|
|
92
|
+
toolip doctor
|
|
93
|
+
|
|
94
|
+
toolip score
|
|
95
|
+
```
|
|
96
|
+
|
|
97
|
+
Review Git hygiene:
|
|
98
|
+
|
|
99
|
+
```bash
|
|
100
|
+
toolip git-audit
|
|
101
|
+
|
|
102
|
+
toolip pre-commit
|
|
103
|
+
```
|
|
104
|
+
|
|
105
|
+
Inspect packages:
|
|
106
|
+
|
|
107
|
+
```bash
|
|
108
|
+
toolip inspect express
|
|
109
|
+
|
|
110
|
+
toolip compare axios got
|
|
111
|
+
|
|
112
|
+
toolip alternatives request
|
|
113
|
+
```
|
|
114
|
+
|
|
115
|
+
Manage secrets:
|
|
116
|
+
|
|
117
|
+
```bash
|
|
118
|
+
toolip vault init
|
|
119
|
+
|
|
120
|
+
toolip vault set DATABASE_URL
|
|
121
|
+
|
|
122
|
+
toolip vault get DATABASE_URL
|
|
123
|
+
```
|
|
124
|
+
|
|
125
|
+
---
|
|
126
|
+
|
|
127
|
+
# Features
|
|
128
|
+
|
|
129
|
+
---
|
|
130
|
+
|
|
131
|
+
## Project Fingerprinting
|
|
132
|
+
|
|
133
|
+
```bash
|
|
134
|
+
toolip profile
|
|
135
|
+
```
|
|
136
|
+
|
|
137
|
+
Detects technologies used within a project.
|
|
138
|
+
|
|
139
|
+
Examples:
|
|
140
|
+
|
|
141
|
+
* Node.js
|
|
142
|
+
* TypeScript
|
|
143
|
+
* Fastify
|
|
144
|
+
* Express
|
|
145
|
+
* React
|
|
146
|
+
* PostgreSQL
|
|
147
|
+
* MongoDB
|
|
148
|
+
* Redis
|
|
149
|
+
|
|
150
|
+
Provides technology-aware recommendations.
|
|
151
|
+
|
|
152
|
+
---
|
|
153
|
+
|
|
154
|
+
## Dependency Scanning
|
|
155
|
+
|
|
156
|
+
```bash
|
|
157
|
+
toolip scan
|
|
158
|
+
```
|
|
159
|
+
|
|
160
|
+
Analyzes project dependencies.
|
|
161
|
+
|
|
162
|
+
Detects:
|
|
163
|
+
|
|
164
|
+
* Deprecated packages
|
|
165
|
+
* Outdated packages
|
|
166
|
+
* High-risk packages
|
|
167
|
+
* Dependency bloat
|
|
168
|
+
* Supply chain concerns
|
|
169
|
+
|
|
170
|
+
Provides actionable recommendations.
|
|
171
|
+
|
|
172
|
+
---
|
|
173
|
+
|
|
174
|
+
## Package Inspection
|
|
175
|
+
|
|
176
|
+
```bash
|
|
177
|
+
toolip inspect express
|
|
178
|
+
```
|
|
179
|
+
|
|
180
|
+
Displays:
|
|
181
|
+
|
|
182
|
+
* Latest version
|
|
183
|
+
* Maintainer information
|
|
184
|
+
* Deprecation status
|
|
185
|
+
* Package metadata
|
|
186
|
+
* Risk score
|
|
187
|
+
|
|
188
|
+
Useful when evaluating new dependencies.
|
|
189
|
+
|
|
190
|
+
---
|
|
191
|
+
|
|
192
|
+
## Package Comparison
|
|
193
|
+
|
|
194
|
+
```bash
|
|
195
|
+
toolip compare axios got
|
|
196
|
+
```
|
|
197
|
+
|
|
198
|
+
Compare multiple packages based on:
|
|
199
|
+
|
|
200
|
+
* Dependency count
|
|
201
|
+
* Risk indicators
|
|
202
|
+
* Maintenance activity
|
|
203
|
+
* General package health
|
|
204
|
+
|
|
205
|
+
Useful when choosing between alternatives.
|
|
206
|
+
|
|
207
|
+
---
|
|
208
|
+
|
|
209
|
+
## Package Alternatives
|
|
210
|
+
|
|
211
|
+
```bash
|
|
212
|
+
toolip alternatives request
|
|
213
|
+
```
|
|
214
|
+
|
|
215
|
+
Suggests safer or more modern replacements for packages that are:
|
|
216
|
+
|
|
217
|
+
* Deprecated
|
|
218
|
+
* Legacy
|
|
219
|
+
* Poorly maintained
|
|
220
|
+
|
|
221
|
+
---
|
|
222
|
+
|
|
223
|
+
## Dependency Tree Analysis
|
|
224
|
+
|
|
225
|
+
```bash
|
|
226
|
+
toolip tree
|
|
227
|
+
```
|
|
228
|
+
|
|
229
|
+
Provides visibility into dependency structure.
|
|
230
|
+
|
|
231
|
+
Displays:
|
|
232
|
+
|
|
233
|
+
* Dependency hierarchy
|
|
234
|
+
* Dependency depth
|
|
235
|
+
* Transitive relationships
|
|
236
|
+
|
|
237
|
+
Useful when investigating package risk.
|
|
238
|
+
|
|
239
|
+
---
|
|
240
|
+
|
|
241
|
+
## License Analysis
|
|
242
|
+
|
|
243
|
+
```bash
|
|
244
|
+
toolip licenses
|
|
245
|
+
```
|
|
246
|
+
|
|
247
|
+
Analyzes project licensing.
|
|
248
|
+
|
|
249
|
+
Provides:
|
|
250
|
+
|
|
251
|
+
* License inventory
|
|
252
|
+
* License distribution
|
|
253
|
+
* Restrictive license warnings
|
|
254
|
+
|
|
255
|
+
---
|
|
256
|
+
|
|
257
|
+
# Security Doctor
|
|
258
|
+
|
|
259
|
+
```bash
|
|
260
|
+
toolip doctor
|
|
261
|
+
```
|
|
262
|
+
|
|
263
|
+
Runs a comprehensive project security audit.
|
|
264
|
+
|
|
265
|
+
Checks for:
|
|
266
|
+
|
|
267
|
+
### Secret Exposure
|
|
268
|
+
|
|
269
|
+
Detects:
|
|
270
|
+
|
|
271
|
+
* GitHub tokens
|
|
272
|
+
* API keys
|
|
273
|
+
* JWT secrets
|
|
274
|
+
* AWS credentials
|
|
275
|
+
* Private keys
|
|
276
|
+
* Hardcoded passwords
|
|
277
|
+
|
|
278
|
+
### Dangerous Code Patterns
|
|
279
|
+
|
|
280
|
+
Detects:
|
|
281
|
+
|
|
282
|
+
* eval()
|
|
283
|
+
* Function constructor usage
|
|
284
|
+
* Unsafe shell execution
|
|
285
|
+
* Dangerous runtime patterns
|
|
286
|
+
|
|
287
|
+
### Configuration Risks
|
|
288
|
+
|
|
289
|
+
Checks for:
|
|
290
|
+
|
|
291
|
+
* Open CORS policies
|
|
292
|
+
* Insecure configuration patterns
|
|
293
|
+
* Weak environment practices
|
|
294
|
+
|
|
295
|
+
### Security Headers
|
|
296
|
+
|
|
297
|
+
Identifies missing:
|
|
298
|
+
|
|
299
|
+
* Content-Security-Policy
|
|
300
|
+
* X-Frame-Options
|
|
301
|
+
* X-Content-Type-Options
|
|
302
|
+
* Strict-Transport-Security
|
|
303
|
+
|
|
304
|
+
---
|
|
305
|
+
|
|
306
|
+
# Git Security
|
|
307
|
+
|
|
308
|
+
---
|
|
309
|
+
|
|
310
|
+
## Git Audit
|
|
311
|
+
|
|
312
|
+
```bash
|
|
313
|
+
toolip git-audit
|
|
314
|
+
```
|
|
315
|
+
|
|
316
|
+
Analyzes Git hygiene.
|
|
317
|
+
|
|
318
|
+
Checks for:
|
|
319
|
+
|
|
320
|
+
* Sensitive files
|
|
321
|
+
* Weak ignore rules
|
|
322
|
+
* Dangerous artifacts
|
|
323
|
+
* Common security mistakes
|
|
324
|
+
|
|
325
|
+
---
|
|
326
|
+
|
|
327
|
+
## Pre-Commit Checks
|
|
328
|
+
|
|
329
|
+
```bash
|
|
330
|
+
toolip pre-commit
|
|
331
|
+
```
|
|
332
|
+
|
|
333
|
+
Runs blocking security checks before commits.
|
|
334
|
+
|
|
335
|
+
Detects:
|
|
336
|
+
|
|
337
|
+
* Secrets
|
|
338
|
+
* Credentials
|
|
339
|
+
* Security violations
|
|
340
|
+
* Dangerous files
|
|
341
|
+
|
|
342
|
+
Designed to stop mistakes before they reach Git history.
|
|
343
|
+
|
|
344
|
+
---
|
|
345
|
+
|
|
346
|
+
## Git Hook Installation
|
|
347
|
+
|
|
348
|
+
```bash
|
|
349
|
+
toolip hook install
|
|
350
|
+
```
|
|
351
|
+
|
|
352
|
+
Installs Toolip-powered Git hooks.
|
|
353
|
+
|
|
354
|
+
Allows security checks to run automatically before commits.
|
|
355
|
+
|
|
356
|
+
---
|
|
357
|
+
|
|
358
|
+
# Security Scorecards
|
|
359
|
+
|
|
360
|
+
```bash
|
|
361
|
+
toolip score
|
|
362
|
+
```
|
|
363
|
+
|
|
364
|
+
Calculates a security score based on:
|
|
365
|
+
|
|
366
|
+
* Dependency Health
|
|
367
|
+
* Secret Hygiene
|
|
368
|
+
* Configuration Security
|
|
369
|
+
* Git Safety
|
|
370
|
+
|
|
371
|
+
Example:
|
|
372
|
+
|
|
373
|
+
```text
|
|
374
|
+
Dependency Health .... 91
|
|
375
|
+
Secret Hygiene ....... 84
|
|
376
|
+
Configuration ........ 88
|
|
377
|
+
Git Safety ........... 95
|
|
378
|
+
|
|
379
|
+
Overall Score ........ 89
|
|
380
|
+
Grade ................ A
|
|
381
|
+
```
|
|
382
|
+
|
|
383
|
+
---
|
|
384
|
+
|
|
385
|
+
# Learning Mode
|
|
386
|
+
|
|
387
|
+
One of Toolip's signature features.
|
|
388
|
+
|
|
389
|
+
```bash
|
|
390
|
+
toolip learn cors
|
|
391
|
+
```
|
|
392
|
+
|
|
393
|
+
Toolip teaches while it scans.
|
|
394
|
+
|
|
395
|
+
Available topics include:
|
|
396
|
+
|
|
397
|
+
* CORS
|
|
398
|
+
* JWT
|
|
399
|
+
* XSS
|
|
400
|
+
* CSRF
|
|
401
|
+
* Authentication
|
|
402
|
+
* Authorization
|
|
403
|
+
* Secrets Management
|
|
404
|
+
* Dependency Security
|
|
405
|
+
|
|
406
|
+
Each lesson includes:
|
|
407
|
+
|
|
408
|
+
* Explanation
|
|
409
|
+
* Risks
|
|
410
|
+
* Common mistakes
|
|
411
|
+
* Secure examples
|
|
412
|
+
* Best practices
|
|
413
|
+
|
|
414
|
+
Designed for developers learning secure software engineering.
|
|
415
|
+
|
|
416
|
+
---
|
|
417
|
+
|
|
418
|
+
# Toolip Vault
|
|
419
|
+
|
|
420
|
+
Toolip includes a lightweight encrypted local secrets manager.
|
|
421
|
+
|
|
422
|
+
---
|
|
423
|
+
|
|
424
|
+
## Initialize Vault
|
|
425
|
+
|
|
426
|
+
```bash
|
|
427
|
+
toolip vault init
|
|
428
|
+
```
|
|
429
|
+
|
|
430
|
+
Creates an encrypted local vault.
|
|
431
|
+
|
|
432
|
+
---
|
|
433
|
+
|
|
434
|
+
## Store Secrets
|
|
435
|
+
|
|
436
|
+
```bash
|
|
437
|
+
toolip vault set DATABASE_URL
|
|
438
|
+
```
|
|
439
|
+
|
|
440
|
+
Stores secrets securely.
|
|
441
|
+
|
|
442
|
+
---
|
|
443
|
+
|
|
444
|
+
## Retrieve Secrets
|
|
445
|
+
|
|
446
|
+
```bash
|
|
447
|
+
toolip vault get DATABASE_URL
|
|
448
|
+
```
|
|
449
|
+
|
|
450
|
+
Returns decrypted values after authentication.
|
|
451
|
+
|
|
452
|
+
---
|
|
453
|
+
|
|
454
|
+
## List Secrets
|
|
455
|
+
|
|
456
|
+
```bash
|
|
457
|
+
toolip vault list
|
|
458
|
+
```
|
|
459
|
+
|
|
460
|
+
Displays secret names without revealing values.
|
|
461
|
+
|
|
462
|
+
---
|
|
463
|
+
|
|
464
|
+
## Delete Secrets
|
|
465
|
+
|
|
466
|
+
```bash
|
|
467
|
+
toolip vault delete DATABASE_URL
|
|
468
|
+
```
|
|
469
|
+
|
|
470
|
+
Removes stored secrets.
|
|
471
|
+
|
|
472
|
+
---
|
|
473
|
+
|
|
474
|
+
## Export Environment Variables
|
|
475
|
+
|
|
476
|
+
```bash
|
|
477
|
+
toolip vault export --env development
|
|
478
|
+
```
|
|
479
|
+
|
|
480
|
+
Supports:
|
|
481
|
+
|
|
482
|
+
* development
|
|
483
|
+
* staging
|
|
484
|
+
* production
|
|
485
|
+
|
|
486
|
+
---
|
|
487
|
+
|
|
488
|
+
## Vault Security Features
|
|
489
|
+
|
|
490
|
+
* AES-256 Encryption
|
|
491
|
+
* Password Protection
|
|
492
|
+
* Local Storage Only
|
|
493
|
+
* Offline Operation
|
|
494
|
+
|
|
495
|
+
No cloud storage.
|
|
496
|
+
|
|
497
|
+
No synchronization.
|
|
498
|
+
|
|
499
|
+
No accounts.
|
|
500
|
+
|
|
501
|
+
No remote services.
|
|
502
|
+
|
|
503
|
+
---
|
|
504
|
+
|
|
505
|
+
# Command Reference
|
|
506
|
+
|
|
507
|
+
| Command | Description |
|
|
508
|
+
| ------------------- | ---------------------------------- |
|
|
509
|
+
| toolip profile | Fingerprint project technologies |
|
|
510
|
+
| toolip scan | Analyze dependencies |
|
|
511
|
+
| toolip doctor | Perform security audit |
|
|
512
|
+
| toolip score | Generate security scorecard |
|
|
513
|
+
| toolip inspect | Inspect package metadata |
|
|
514
|
+
| toolip compare | Compare packages |
|
|
515
|
+
| toolip alternatives | Suggest replacements |
|
|
516
|
+
| toolip licenses | Analyze licenses |
|
|
517
|
+
| toolip tree | Analyze dependency hierarchy |
|
|
518
|
+
| toolip git-audit | Audit Git hygiene |
|
|
519
|
+
| toolip pre-commit | Run pre-commit security checks |
|
|
520
|
+
| toolip hook install | Install Git hooks |
|
|
521
|
+
| toolip learn | Security education mode |
|
|
522
|
+
| toolip vault | Encrypted local secrets management |
|
|
523
|
+
|
|
524
|
+
---
|
|
525
|
+
|
|
526
|
+
# Design Principles
|
|
527
|
+
|
|
528
|
+
Toolip follows several guiding principles:
|
|
529
|
+
|
|
530
|
+
* Developer First
|
|
531
|
+
* CLI First
|
|
532
|
+
* Security Education
|
|
533
|
+
* Local Development Friendly
|
|
534
|
+
* CI/CD Friendly
|
|
535
|
+
* Framework Agnostic
|
|
536
|
+
* Actionable Guidance
|
|
537
|
+
* Secure by Default
|
|
538
|
+
|
|
539
|
+
---
|
|
540
|
+
|
|
541
|
+
# Technology Stack
|
|
542
|
+
|
|
543
|
+
Built with:
|
|
544
|
+
|
|
545
|
+
* TypeScript
|
|
546
|
+
* Node.js
|
|
547
|
+
* Commander.js
|
|
548
|
+
* Vitest
|
|
549
|
+
* Chalk
|
|
550
|
+
* Ora
|
|
551
|
+
* Zod
|
|
552
|
+
* npm Registry APIs
|
|
553
|
+
* Git Integration
|
|
554
|
+
* Node Crypto APIs
|
|
555
|
+
|
|
556
|
+
---
|
|
557
|
+
|
|
558
|
+
# Use Cases
|
|
559
|
+
|
|
560
|
+
Toolip is useful for:
|
|
561
|
+
|
|
562
|
+
* Backend Engineers
|
|
563
|
+
* Platform Engineers
|
|
564
|
+
* DevOps Engineers
|
|
565
|
+
* Open Source Maintainers
|
|
566
|
+
* Startup Teams
|
|
567
|
+
* Full Stack Developers
|
|
568
|
+
* Students Learning Security
|
|
569
|
+
|
|
570
|
+
---
|
|
571
|
+
|
|
572
|
+
# Portfolio Positioning
|
|
573
|
+
|
|
574
|
+
Toolip demonstrates experience with:
|
|
575
|
+
|
|
576
|
+
* TypeScript Engineering
|
|
577
|
+
* CLI Development
|
|
578
|
+
* Security Engineering Concepts
|
|
579
|
+
* Supply Chain Security
|
|
580
|
+
* Secret Management
|
|
581
|
+
* Static Analysis
|
|
582
|
+
* Git Integration
|
|
583
|
+
* Risk Scoring Systems
|
|
584
|
+
* Developer Experience Design
|
|
585
|
+
* Secure Development Workflows
|
|
586
|
+
|
|
587
|
+
---
|
|
588
|
+
|
|
589
|
+
# Author
|
|
590
|
+
|
|
591
|
+
**Ashibuogwu Williams (wbizmo)**
|
|
592
|
+
|
|
593
|
+
GitHub: https://github.com/wbizmo
|
|
594
|
+
|
|
595
|
+
---
|
|
596
|
+
|
|
597
|
+
# License
|
|
598
|
+
|
|
599
|
+
MIT License
|
package/package.json
CHANGED
|
@@ -1,17 +0,0 @@
|
|
|
1
|
-
import chalk from 'chalk';
|
|
2
|
-
import { findAlternatives } from '../core/alternatives.js';
|
|
3
|
-
export function registerAlternativesCommand(program) {
|
|
4
|
-
program
|
|
5
|
-
.command('alternatives <package>')
|
|
6
|
-
.description('Suggest safer or better-maintained package alternatives.')
|
|
7
|
-
.action((packageName) => {
|
|
8
|
-
const result = findAlternatives(packageName);
|
|
9
|
-
console.log(chalk.bold(`Alternatives for ${result.package}`));
|
|
10
|
-
console.log('');
|
|
11
|
-
for (const alternative of result.alternatives) {
|
|
12
|
-
console.log(`${chalk.green('✓')} ${chalk.bold(alternative.name)}`);
|
|
13
|
-
console.log(` ${alternative.reason}`);
|
|
14
|
-
}
|
|
15
|
-
});
|
|
16
|
-
}
|
|
17
|
-
//# sourceMappingURL=alternatives.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"alternatives.js","sourceRoot":"","sources":["../../../src/commands/alternatives.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,gBAAgB,EAAE,MAAM,yBAAyB,CAAC;AAE3D,MAAM,UAAU,2BAA2B,CAAC,OAAgB;IAC1D,OAAO;SACJ,OAAO,CAAC,wBAAwB,CAAC;SACjC,WAAW,CAAC,0DAA0D,CAAC;SACvE,MAAM,CAAC,CAAC,WAAmB,EAAE,EAAE;QAC9B,MAAM,MAAM,GAAG,gBAAgB,CAAC,WAAW,CAAC,CAAC;QAE7C,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,oBAAoB,MAAM,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QAC9D,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,KAAK,MAAM,WAAW,IAAI,MAAM,CAAC,YAAY,EAAE,CAAC;YAC9C,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,WAAW,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;YACnE,OAAO,CAAC,GAAG,CAAC,KAAK,WAAW,CAAC,MAAM,EAAE,CAAC,CAAC;QACzC,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -1,19 +0,0 @@
|
|
|
1
|
-
import { comparePackages } from '../core/compare-packages.js';
|
|
2
|
-
import { printPackageComparison } from '../utils/package-output.js';
|
|
3
|
-
import { ToolipError } from '../errors/toolip-error.js';
|
|
4
|
-
export function registerCompareCommand(program) {
|
|
5
|
-
program
|
|
6
|
-
.command('compare <packages...>')
|
|
7
|
-
.description('Compare npm packages by maintenance and risk signals.')
|
|
8
|
-
.action(async (packageNames) => {
|
|
9
|
-
if (packageNames.length < 2) {
|
|
10
|
-
throw new ToolipError('Please provide at least two packages to compare.', {
|
|
11
|
-
code: 'COMPARE_REQUIRES_TWO_PACKAGES',
|
|
12
|
-
exitCode: 1
|
|
13
|
-
});
|
|
14
|
-
}
|
|
15
|
-
const comparison = await comparePackages(packageNames);
|
|
16
|
-
printPackageComparison(comparison);
|
|
17
|
-
});
|
|
18
|
-
}
|
|
19
|
-
//# sourceMappingURL=compare.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"compare.js","sourceRoot":"","sources":["../../../src/commands/compare.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,eAAe,EAAE,MAAM,6BAA6B,CAAC;AAC9D,OAAO,EAAE,sBAAsB,EAAE,MAAM,4BAA4B,CAAC;AACpE,OAAO,EAAE,WAAW,EAAE,MAAM,2BAA2B,CAAC;AAExD,MAAM,UAAU,sBAAsB,CAAC,OAAgB;IACrD,OAAO;SACJ,OAAO,CAAC,uBAAuB,CAAC;SAChC,WAAW,CAAC,uDAAuD,CAAC;SACpE,MAAM,CAAC,KAAK,EAAE,YAAsB,EAAE,EAAE;QACvC,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC5B,MAAM,IAAI,WAAW,CAAC,kDAAkD,EAAE;gBACxE,IAAI,EAAE,+BAA+B;gBACrC,QAAQ,EAAE,CAAC;aACZ,CAAC,CAAC;QACL,CAAC;QAED,MAAM,UAAU,GAAG,MAAM,eAAe,CAAC,YAAY,CAAC,CAAC;QACvD,sBAAsB,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC,CAAC,CAAC;AACP,CAAC"}
|
|
@@ -1,42 +0,0 @@
|
|
|
1
|
-
import chalk from 'chalk';
|
|
2
|
-
import { createScannerContext } from '../core/scanner-context.js';
|
|
3
|
-
import { createReport } from '../core/report.js';
|
|
4
|
-
import { writeReport } from '../core/report-writer.js';
|
|
5
|
-
import { runSecurityDoctor } from '../core/security-doctor.js';
|
|
6
|
-
import { TOOLIP_VERSION } from '../config/version.js';
|
|
7
|
-
import { printReportSummary, printScannerContext } from '../utils/output.js';
|
|
8
|
-
export function registerDoctorCommand(program) {
|
|
9
|
-
program
|
|
10
|
-
.command('doctor')
|
|
11
|
-
.description('Run a full project security hygiene audit.')
|
|
12
|
-
.option('-p, --path <path>', 'Project path to audit.', process.cwd())
|
|
13
|
-
.option('-o, --output <file>', 'Write doctor report to JSON or Markdown.')
|
|
14
|
-
.action(async (options) => {
|
|
15
|
-
console.log(chalk.bold('Toolip Doctor'));
|
|
16
|
-
console.log('');
|
|
17
|
-
const context = await createScannerContext(options.path);
|
|
18
|
-
printScannerContext(context);
|
|
19
|
-
const doctor = await runSecurityDoctor(context.root);
|
|
20
|
-
const report = createReport({
|
|
21
|
-
version: TOOLIP_VERSION,
|
|
22
|
-
command: 'doctor',
|
|
23
|
-
root: context.root,
|
|
24
|
-
findings: doctor.findings
|
|
25
|
-
});
|
|
26
|
-
console.log('');
|
|
27
|
-
console.log(chalk.bold('Security Hygiene'));
|
|
28
|
-
console.log(`${chalk.dim('Files Scanned:')} ${doctor.summary.filesScanned}`);
|
|
29
|
-
console.log(`${chalk.dim('Secrets:')} ${doctor.summary.secrets}`);
|
|
30
|
-
console.log(`${chalk.dim('Dangerous Code:')} ${doctor.summary.dangerousCode}`);
|
|
31
|
-
console.log(`${chalk.dim('Configuration:')} ${doctor.summary.configuration}`);
|
|
32
|
-
console.log(`${chalk.dim('Security Headers:')} ${doctor.summary.headers}`);
|
|
33
|
-
console.log('');
|
|
34
|
-
printReportSummary(report);
|
|
35
|
-
if (options.output) {
|
|
36
|
-
await writeReport(options.output, report);
|
|
37
|
-
console.log('');
|
|
38
|
-
console.log(`${chalk.green('✓')} Report written to ${options.output}`);
|
|
39
|
-
}
|
|
40
|
-
});
|
|
41
|
-
}
|
|
42
|
-
//# sourceMappingURL=doctor.js.map
|
|
@@ -1 +0,0 @@
|
|
|
1
|
-
{"version":3,"file":"doctor.js","sourceRoot":"","sources":["../../../src/commands/doctor.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,MAAM,OAAO,CAAC;AAC1B,OAAO,EAAE,oBAAoB,EAAE,MAAM,4BAA4B,CAAC;AAClE,OAAO,EAAE,YAAY,EAAE,MAAM,mBAAmB,CAAC;AACjD,OAAO,EAAE,WAAW,EAAE,MAAM,0BAA0B,CAAC;AACvD,OAAO,EAAE,iBAAiB,EAAE,MAAM,4BAA4B,CAAC;AAC/D,OAAO,EAAE,cAAc,EAAE,MAAM,sBAAsB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,mBAAmB,EAAE,MAAM,oBAAoB,CAAC;AAE7E,MAAM,UAAU,qBAAqB,CAAC,OAAgB;IACpD,OAAO;SACJ,OAAO,CAAC,QAAQ,CAAC;SACjB,WAAW,CAAC,4CAA4C,CAAC;SACzD,MAAM,CAAC,mBAAmB,EAAE,wBAAwB,EAAE,OAAO,CAAC,GAAG,EAAE,CAAC;SACpE,MAAM,CAAC,qBAAqB,EAAE,0CAA0C,CAAC;SACzE,MAAM,CAAC,KAAK,EAAE,OAA0C,EAAE,EAAE;QAC3D,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC,CAAC;QACzC,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAEhB,MAAM,OAAO,GAAG,MAAM,oBAAoB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QACzD,mBAAmB,CAAC,OAAO,CAAC,CAAC;QAE7B,MAAM,MAAM,GAAG,MAAM,iBAAiB,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAErD,MAAM,MAAM,GAAG,YAAY,CAAC;YAC1B,OAAO,EAAE,cAAc;YACvB,OAAO,EAAE,QAAQ;YACjB,IAAI,EAAE,OAAO,CAAC,IAAI;YAClB,QAAQ,EAAE,MAAM,CAAC,QAAQ;SAC1B,CAAC,CAAC;QAEH,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,kBAAkB,CAAC,CAAC,CAAC;QAC5C,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,YAAY,EAAE,CAAC,CAAC;QAC7E,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;QAClE,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,iBAAiB,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;QAC/E,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,aAAa,EAAE,CAAC,CAAC;QAC9E,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,GAAG,CAAC,mBAAmB,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC;QAE3E,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAChB,kBAAkB,CAAC,MAAM,CAAC,CAAC;QAE3B,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;YACnB,MAAM,WAAW,CAAC,OAAO,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;YAC1C,OAAO,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;YAChB,OAAO,CAAC,GAAG,CAAC,GAAG,KAAK,CAAC,KAAK,CAAC,GAAG,CAAC,sBAAsB,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;QACzE,CAAC;IACH,CAAC,CAAC,CAAC;AACP,CAAC"}
|