xploitscan 0.4.0

package/README.md

@@ -0,0 +1,148 @@
+# xploitscan
+
+AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do.
+
+Built for solo devs and non-technical founders shipping AI-generated code via Cursor, Lovable, Bolt, Replit, and Claude Code.
+
+## Quick Start
+
+```bash
+npx xploitscan scan .
+```
+
+That's it. No config needed.
+
+## What It Catches
+
+| Rule | Vulnerability | Severity |
+|------|--------------|----------|
+| VC001 | Hardcoded API keys & secrets (AWS, Stripe, OpenAI, Supabase, DB URLs) | Critical |
+| VC002 | .env files with secrets committed to git | High |
+| VC003 | API routes missing authentication | High |
+| VC004 | Supabase service_role key in client code / RLS bypass | Critical |
+| VC005 | Stripe webhooks without signature verification | Critical |
+| VC006 | SQL injection via string interpolation | Critical |
+| VC007 | XSS (dangerouslySetInnerHTML, innerHTML, v-html) | High |
+| VC008 | Server without rate limiting | Medium |
+| VC009 | Wildcard CORS configuration | Medium |
+| VC010 | Client-side only authorization checks | High |
+
+Plus **AI-powered contextual analysis** that catches issues static rules miss.
+
+## Installation
+
+```bash
+# Run directly (no install)
+npx xploitscan scan .
+
+# Or install globally
+npm install -g xploitscan
+xploitscan scan .
+```
+
+## Usage
+
+```bash
+# Scan current directory
+xploitscan scan .
+
+# Scan a specific directory
+xploitscan scan ./my-project
+
+# Skip AI analysis (faster, no API key needed)
+xploitscan scan . --no-ai
+
+# JSON output (for CI pipelines)
+xploitscan scan . --format json
+
+# SARIF output (for GitHub Code Scanning)
+xploitscan scan . --format sarif
+
+# Verbose output (show per-scanner results)
+xploitscan scan . -v
+```
+
+## AI-Powered Analysis
+
+Set your Anthropic API key for deeper, contextual vulnerability analysis:
+
+```bash
+export ANTHROPIC_API_KEY=sk-ant-...
+xploitscan scan .
+```
+
+The AI analyzer understands your code in context and explains vulnerabilities in plain English with specific fix instructions.
+
+## CI Integration
+
+### GitHub Actions
+
+```yaml
+name: Security Scan
+on: [push, pull_request]
+
+jobs:
+  xploitscan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: xploitscan/action@v1
+        with:
+          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
+```
+
+Results appear in the GitHub Security tab.
+
+### Any CI
+
+```bash
+npx xploitscan scan . --format sarif --no-ai > results.sarif
+```
+
+Exit code is 1 when critical or high severity issues are found.
+
+## Configuration
+
+Create a `.xploitscanrc.json` in your project root:
+
+```json
+{
+  "exclude": ["tests/**", "scripts/**"],
+  "ai": true,
+  "severity": "medium",
+  "disableRules": ["VC008"]
+}
+```
+
+## Optional: Deeper Scanning
+
+Install these tools for additional detection coverage:
+
+```bash
+# Semgrep - 2000+ community security rules
+pip install semgrep
+
+# Gitleaks - advanced secret detection
+brew install gitleaks
+```
+
+XploitScan automatically uses them if available.
+
+## Auth & Pro Plan
+
+```bash
+# Log in to sync scan history
+xploitscan auth login
+
+# Check your plan
+xploitscan auth whoami
+
+# Upgrade to Pro ($29/mo) for unlimited scans
+xploitscan upgrade
+```
+
+Free plan: 3 scans/day. Pro: unlimited scans, scan history, team features.
+
+## License
+
+MIT

package/dist/api-QTNXZY4O.js

@@ -0,0 +1,24 @@
+#!/usr/bin/env node
+import {
+  checkUsage,
+  clearToken,
+  getCheckoutUrl,
+  getStoredToken,
+  incrementUsage,
+  isAuthenticated,
+  storeToken,
+  syncUser,
+  uploadScanResults
+} from "./chunk-47X3TUVR.js";
+export {
+  checkUsage,
+  clearToken,
+  getCheckoutUrl,
+  getStoredToken,
+  incrementUsage,
+  isAuthenticated,
+  storeToken,
+  syncUser,
+  uploadScanResults
+};
+//# sourceMappingURL=api-QTNXZY4O.js.map

package/dist/api-QTNXZY4O.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}

package/dist/chunk-47X3TUVR.js

@@ -0,0 +1,128 @@
+#!/usr/bin/env node
+var __require = /* @__PURE__ */ ((x) => typeof require !== "undefined" ? require : typeof Proxy !== "undefined" ? new Proxy(x, {
+  get: (a, b) => (typeof require !== "undefined" ? require : a)[b]
+}) : x)(function(x) {
+  if (typeof require !== "undefined") return require.apply(this, arguments);
+  throw Error('Dynamic require of "' + x + '" is not supported');
+});
+
+// src/utils/api.ts
+import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync } from "fs";
+import { join } from "path";
+import { homedir } from "os";
+var CONFIG_DIR = join(homedir(), ".xploitscan");
+var TOKEN_FILE = join(CONFIG_DIR, "token.json");
+var API_BASE = process.env.XPLOITSCAN_API_URL ?? "https://api.xploitscan.com";
+if (API_BASE.startsWith("http://") && !API_BASE.includes("localhost") && !API_BASE.includes("127.0.0.1")) {
+  console.warn("WARNING: API URL is not using HTTPS. This is insecure.");
+}
+function getStoredToken() {
+  try {
+    if (!existsSync(TOKEN_FILE)) return null;
+    const data = JSON.parse(readFileSync(TOKEN_FILE, "utf-8"));
+    if (data.expiresAt && Date.now() > data.expiresAt) {
+      unlinkSync(TOKEN_FILE);
+      return null;
+    }
+    return data;
+  } catch {
+    return null;
+  }
+}
+function storeToken(data) {
+  mkdirSync(CONFIG_DIR, { recursive: true, mode: 448 });
+  writeFileSync(TOKEN_FILE, JSON.stringify(data, null, 2), { mode: 384 });
+}
+function clearToken() {
+  try {
+    if (existsSync(TOKEN_FILE)) {
+      unlinkSync(TOKEN_FILE);
+    }
+  } catch {
+  }
+}
+function isAuthenticated() {
+  return getStoredToken() !== null;
+}
+async function apiRequest(path, options = {}) {
+  const token = getStoredToken();
+  const headers = {
+    "Content-Type": "application/json",
+    ...options.headers
+  };
+  if (token) {
+    headers.Authorization = `Bearer ${token.token}`;
+  }
+  return fetch(`${API_BASE}${path}`, {
+    ...options,
+    headers
+  });
+}
+async function checkUsage() {
+  const token = getStoredToken();
+  if (!token) {
+    return { allowed: true, plan: "anonymous", remaining: -1, limit: -1 };
+  }
+  try {
+    const res = await apiRequest("/api/usage/check");
+    if (!res.ok) {
+      return { allowed: true, plan: "unknown", remaining: -1, limit: -1 };
+    }
+    return await res.json();
+  } catch {
+    return { allowed: true, plan: "offline", remaining: -1, limit: -1 };
+  }
+}
+async function incrementUsage() {
+  const token = getStoredToken();
+  if (!token) return;
+  try {
+    await apiRequest("/api/usage/increment", { method: "POST" });
+  } catch {
+  }
+}
+async function uploadScanResults(result) {
+  const token = getStoredToken();
+  if (!token) return;
+  try {
+    await apiRequest("/api/scans", {
+      method: "POST",
+      body: JSON.stringify(result)
+    });
+  } catch {
+  }
+}
+async function syncUser() {
+  try {
+    const res = await apiRequest("/api/users/sync", { method: "POST" });
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.user;
+  } catch {
+    return null;
+  }
+}
+async function getCheckoutUrl() {
+  try {
+    const res = await apiRequest("/api/billing/checkout", { method: "POST" });
+    if (!res.ok) return null;
+    const data = await res.json();
+    return data.url;
+  } catch {
+    return null;
+  }
+}
+
+export {
+  __require,
+  getStoredToken,
+  storeToken,
+  clearToken,
+  isAuthenticated,
+  checkUsage,
+  incrementUsage,
+  uploadScanResults,
+  syncUser,
+  getCheckoutUrl
+};
+//# sourceMappingURL=chunk-47X3TUVR.js.map

package/dist/chunk-47X3TUVR.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/utils/api.ts"],"sourcesContent":["import { readFileSync, writeFileSync, mkdirSync, existsSync, unlinkSync } from \"node:fs\";\nimport { join } from \"node:path\";\nimport { homedir } from \"node:os\";\n\nconst CONFIG_DIR = join(homedir(), \".xploitscan\");\nconst TOKEN_FILE = join(CONFIG_DIR, \"token.json\");\n\nconst API_BASE = process.env.XPLOITSCAN_API_URL ?? \"https://api.xploitscan.com\";\n\nif (API_BASE.startsWith(\"http://\") && !API_BASE.includes(\"localhost\") && !API_BASE.includes(\"127.0.0.1\")) {\n  console.warn(\"WARNING: API URL is not using HTTPS. This is insecure.\");\n}\n\ninterface TokenData {\n  token: string;\n  userId: string;\n  email: string;\n  expiresAt?: number;\n}\n\nexport function getStoredToken(): TokenData | null {\n  try {\n    if (!existsSync(TOKEN_FILE)) return null;\n    const data = JSON.parse(readFileSync(TOKEN_FILE, \"utf-8\"));\n    if (data.expiresAt && Date.now() > data.expiresAt) {\n      // Token expired\n      unlinkSync(TOKEN_FILE);\n      return null;\n    }\n    return data;\n  } catch {\n    return null;\n  }\n}\n\nexport function storeToken(data: TokenData): void {\n  mkdirSync(CONFIG_DIR, { recursive: true, mode: 0o700 });\n  writeFileSync(TOKEN_FILE, JSON.stringify(data, null, 2), { mode: 0o600 });\n}\n\nexport function clearToken(): void {\n  try {\n    if (existsSync(TOKEN_FILE)) {\n      unlinkSync(TOKEN_FILE);\n    }\n  } catch {\n    // ignore\n  }\n}\n\nexport function isAuthenticated(): boolean {\n  return getStoredToken() !== null;\n}\n\nasync function apiRequest(\n  path: string,\n  options: RequestInit = {},\n): Promise<Response> {\n  const token = getStoredToken();\n  const headers: Record<string, string> = {\n    \"Content-Type\": \"application/json\",\n    ...(options.headers as Record<string, string>),\n  };\n\n  if (token) {\n    headers.Authorization = `Bearer ${token.token}`;\n  }\n\n  return fetch(`${API_BASE}${path}`, {\n    ...options,\n    headers,\n  });\n}\n\nexport async function checkUsage(): Promise<{\n  allowed: boolean;\n  plan: string;\n  remaining: number;\n  limit: number;\n}> {\n  const token = getStoredToken();\n  if (!token) {\n    // Unauthenticated users get limited local scans\n    return { allowed: true, plan: \"anonymous\", remaining: -1, limit: -1 };\n  }\n\n  try {\n    const res = await apiRequest(\"/api/usage/check\");\n    if (!res.ok) {\n      // API error — allow scan to proceed locally\n      return { allowed: true, plan: \"unknown\", remaining: -1, limit: -1 };\n    }\n    return await res.json();\n  } catch {\n    // Network error — allow local scan\n    return { allowed: true, plan: \"offline\", remaining: -1, limit: -1 };\n  }\n}\n\nexport async function incrementUsage(): Promise<void> {\n  const token = getStoredToken();\n  if (!token) return;\n\n  try {\n    await apiRequest(\"/api/usage/increment\", { method: \"POST\" });\n  } catch {\n    // Silent fail — don't block scan\n  }\n}\n\nexport async function uploadScanResults(result: {\n  directory: string;\n  filesScanned: number;\n  findings: unknown[];\n  duration: number;\n}): Promise<void> {\n  const token = getStoredToken();\n  if (!token) return;\n\n  try {\n    await apiRequest(\"/api/scans\", {\n      method: \"POST\",\n      body: JSON.stringify(result),\n    });\n  } catch {\n    // Silent fail\n  }\n}\n\nexport async function syncUser(): Promise<{ plan: string; email: string } | null> {\n  try {\n    const res = await apiRequest(\"/api/users/sync\", { method: \"POST\" });\n    if (!res.ok) return null;\n    const data = await res.json();\n    return data.user;\n  } catch {\n    return null;\n  }\n}\n\nexport async function getCheckoutUrl(): Promise<string | null> {\n  try {\n    const res = await apiRequest(\"/api/billing/checkout\", { method: \"POST\" });\n    if (!res.ok) return null;\n    const data = await res.json();\n    return data.url;\n  } catch {\n    return null;\n  }\n}\n"],"mappings":";;;;;;;;;AAAA,SAAS,cAAc,eAAe,WAAW,YAAY,kBAAkB;AAC/E,SAAS,YAAY;AACrB,SAAS,eAAe;AAExB,IAAM,aAAa,KAAK,QAAQ,GAAG,aAAa;AAChD,IAAM,aAAa,KAAK,YAAY,YAAY;AAEhD,IAAM,WAAW,QAAQ,IAAI,sBAAsB;AAEnD,IAAI,SAAS,WAAW,SAAS,KAAK,CAAC,SAAS,SAAS,WAAW,KAAK,CAAC,SAAS,SAAS,WAAW,GAAG;AACxG,UAAQ,KAAK,wDAAwD;AACvE;AASO,SAAS,iBAAmC;AACjD,MAAI;AACF,QAAI,CAAC,WAAW,UAAU,EAAG,QAAO;AACpC,UAAM,OAAO,KAAK,MAAM,aAAa,YAAY,OAAO,CAAC;AACzD,QAAI,KAAK,aAAa,KAAK,IAAI,IAAI,KAAK,WAAW;AAEjD,iBAAW,UAAU;AACrB,aAAO;AAAA,IACT;AACA,WAAO;AAAA,EACT,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEO,SAAS,WAAW,MAAuB;AAChD,YAAU,YAAY,EAAE,WAAW,MAAM,MAAM,IAAM,CAAC;AACtD,gBAAc,YAAY,KAAK,UAAU,MAAM,MAAM,CAAC,GAAG,EAAE,MAAM,IAAM,CAAC;AAC1E;AAEO,SAAS,aAAmB;AACjC,MAAI;AACF,QAAI,WAAW,UAAU,GAAG;AAC1B,iBAAW,UAAU;AAAA,IACvB;AAAA,EACF,QAAQ;AAAA,EAER;AACF;AAEO,SAAS,kBAA2B;AACzC,SAAO,eAAe,MAAM;AAC9B;AAEA,eAAe,WACb,MACA,UAAuB,CAAC,GACL;AACnB,QAAM,QAAQ,eAAe;AAC7B,QAAM,UAAkC;AAAA,IACtC,gBAAgB;AAAA,IAChB,GAAI,QAAQ;AAAA,EACd;AAEA,MAAI,OAAO;AACT,YAAQ,gBAAgB,UAAU,MAAM,KAAK;AAAA,EAC/C;AAEA,SAAO,MAAM,GAAG,QAAQ,GAAG,IAAI,IAAI;AAAA,IACjC,GAAG;AAAA,IACH;AAAA,EACF,CAAC;AACH;AAEA,eAAsB,aAKnB;AACD,QAAM,QAAQ,eAAe;AAC7B,MAAI,CAAC,OAAO;AAEV,WAAO,EAAE,SAAS,MAAM,MAAM,aAAa,WAAW,IAAI,OAAO,GAAG;AAAA,EACtE;AAEA,MAAI;AACF,UAAM,MAAM,MAAM,WAAW,kBAAkB;AAC/C,QAAI,CAAC,IAAI,IAAI;AAEX,aAAO,EAAE,SAAS,MAAM,MAAM,WAAW,WAAW,IAAI,OAAO,GAAG;AAAA,IACpE;AACA,WAAO,MAAM,IAAI,KAAK;AAAA,EACxB,QAAQ;AAEN,WAAO,EAAE,SAAS,MAAM,MAAM,WAAW,WAAW,IAAI,OAAO,GAAG;AAAA,EACpE;AACF;AAEA,eAAsB,iBAAgC;AACpD,QAAM,QAAQ,eAAe;AAC7B,MAAI,CAAC,MAAO;AAEZ,MAAI;AACF,UAAM,WAAW,wBAAwB,EAAE,QAAQ,OAAO,CAAC;AAAA,EAC7D,QAAQ;AAAA,EAER;AACF;AAEA,eAAsB,kBAAkB,QAKtB;AAChB,QAAM,QAAQ,eAAe;AAC7B,MAAI,CAAC,MAAO;AAEZ,MAAI;AACF,UAAM,WAAW,cAAc;AAAA,MAC7B,QAAQ;AAAA,MACR,MAAM,KAAK,UAAU,MAAM;AAAA,IAC7B,CAAC;AAAA,EACH,QAAQ;AAAA,EAER;AACF;AAEA,eAAsB,WAA4D;AAChF,MAAI;AACF,UAAM,MAAM,MAAM,WAAW,mBAAmB,EAAE,QAAQ,OAAO,CAAC;AAClE,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK;AAAA,EACd,QAAQ;AACN,WAAO;AAAA,EACT;AACF;AAEA,eAAsB,iBAAyC;AAC7D,MAAI;AACF,UAAM,MAAM,MAAM,WAAW,yBAAyB,EAAE,QAAQ,OAAO,CAAC;AACxE,QAAI,CAAC,IAAI,GAAI,QAAO;AACpB,UAAM,OAAO,MAAM,IAAI,KAAK;AAC5B,WAAO,KAAK;AAAA,EACd,QAAQ;AACN,WAAO;AAAA,EACT;AACF;","names":[]}