xploitscan 0.7.0 → 0.8.0

package/README.md

@@ -1,8 +1,11 @@
-# xploitscan
+# XploitScan
 
-AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do.
+[![npm version](https://img.shields.io/npm/v/xploitscan.svg)](https://www.npmjs.com/package/xploitscan)
+[![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
-Built for solo devs and non-technical founders shipping AI-generated code via Cursor, Lovable, Bolt, Replit, and Claude Code.
+**Security scanner for AI-generated code.** Find vulnerabilities before attackers do.
+
+Built for developers shipping code via Cursor, Lovable, Bolt, Replit, and Claude Code. 131 security rules. Plain-English results. Copy-paste fixes.
 
 ## Quick Start
 
@@ -10,29 +13,29 @@ Built for solo devs and non-technical founders shipping AI-generated code via Cu
 npx xploitscan scan .
 ```
 
-That's it. No config needed.
+No install, no config, no account required. Your code stays 100% local.
 
 ## What It Catches
 
-| Rule | Vulnerability | Severity |
-|------|--------------|----------|
-| VC001 | Hardcoded API keys & secrets (AWS, Stripe, OpenAI, Supabase, DB URLs) | Critical |
-| VC002 | .env files with secrets committed to git | High |
-| VC003 | API routes missing authentication | High |
-| VC004 | Supabase service_role key in client code / RLS bypass | Critical |
-| VC005 | Stripe webhooks without signature verification | Critical |
-| VC006 | SQL injection via string interpolation | Critical |
-| VC007 | XSS (dangerouslySetInnerHTML, innerHTML, v-html) | High |
-| VC008 | Server without rate limiting | Medium |
-| VC009 | Wildcard CORS configuration | Medium |
-| VC010 | Client-side only authorization checks | High |
-
-Plus **AI-powered contextual analysis** that catches issues static rules miss.
+131 rules across 15+ categories:
+
+| Category | Examples | Rules |
+|----------|---------|-------|
+| **Secrets** | Hardcoded API keys, .env files, OAuth secrets, Terraform state | 15+ |
+| **Injection** | SQL, XSS, SSRF, command injection, path traversal, XXE, SSTI | 20+ |
+| **Authentication** | Missing auth, weak JWT, insecure password reset, OAuth flaws | 15+ |
+| **Cryptography** | Weak RSA, deprecated TLS, ECB mode, hardcoded IVs | 10+ |
+| **Infrastructure** | Dockerfile, Kubernetes, Terraform, AWS IAM misconfigs | 10+ |
+| **Supply Chain** | Unpinned GitHub Actions, vulnerable dependencies | 5+ |
+| **Information Leakage** | PII in logs, unencrypted DB fields, exposed admin routes | 10+ |
+| **Code Quality** | Console.log in production, empty catch blocks, TODO/FIXME | 10+ |
+
+Every finding includes OWASP Top 10 and CWE compliance mappings.
 
 ## Installation
 
 ```bash
-# Run directly (no install)
+# Run directly (recommended — always latest version)
 npx xploitscan scan .
 
 # Or install globally
@@ -44,105 +47,102 @@ xploitscan scan .
 
 ```bash
 # Scan current directory
-xploitscan scan .
+npx xploitscan scan .
 
-# Scan a specific directory
-xploitscan scan ./my-project
+# Scan a specific folder
+npx xploitscan scan ./src
 
-# Skip AI analysis (faster, no API key needed)
-xploitscan scan . --no-ai
+# JSON output (for scripting/CI)
+npx xploitscan scan . --format json
 
-# JSON output (for CI pipelines)
-xploitscan scan . --format json
+# SARIF output (for GitHub Security tab)
+npx xploitscan scan . --format sarif
 
-# SARIF output (for GitHub Code Scanning)
-xploitscan scan . --format sarif
+# Scan only changed files vs main branch
+npx xploitscan scan . --diff
 
-# Verbose output (show per-scanner results)
-xploitscan scan . -v
+# Watch mode — re-scan on file changes
+npx xploitscan scan . --watch
 ```
 
-## AI-Powered Analysis
+## Output Formats
 
-Set your Anthropic API key for deeper, contextual vulnerability analysis:
+| Format | Use Case |
+|--------|----------|
+| `text` | Human-readable terminal output (default) |
+| `json` | Machine-readable JSON with all findings |
+| `sarif` | GitHub Security tab integration |
 
-```bash
-export ANTHROPIC_API_KEY=sk-ant-...
-xploitscan scan .
-```
-
-The AI analyzer understands your code in context and explains vulnerabilities in plain English with specific fix instructions.
+## GitHub Action
 
-## CI Integration
-
-### GitHub Actions
+Add automated scanning to every PR:
 
 ```yaml
 name: Security Scan
 on: [push, pull_request]
 
 jobs:
-  xploitscan:
+  security:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v4
-      - uses: xploitscan/action@v1
-        with:
-          anthropic-api-key: ${{ secrets.ANTHROPIC_API_KEY }}
-```
-
-Results appear in the GitHub Security tab.
 
-### Any CI
+      - name: Run XploitScan
+        uses: bgage72590/xploitscan@main
+        with:
+          path: '.'
+          format: 'sarif'
+          fail-on: 'critical'
 
-```bash
-npx xploitscan scan . --format sarif --no-ai > results.sarif
+      - name: Upload SARIF
+        if: always()
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: xploitscan-results.sarif
 ```
 
-Exit code is 1 when critical or high severity issues are found.
+Findings appear in the GitHub Security tab as code scanning alerts.
 
 ## Configuration
 
-Create a `.xploitscanrc.json` in your project root:
+Create a `.xploitscanrc` file in your project root:
 
 ```json
 {
-  "exclude": ["tests/**", "scripts/**"],
-  "ai": true,
-  "severity": "medium",
-  "disableRules": ["VC008"]
+  "rules": {
+    "include": ["VC001-VC131"],
+    "exclude": ["VC042"]
+  },
+  "format": "json",
+  "fail-on": "high",
+  "ignore": ["node_modules", "dist", ".git"]
 }
 ```
 
-## Optional: Deeper Scanning
+## Web Dashboard
 
-Install these tools for additional detection coverage:
+Scan via the web at [xploitscan.com](https://xploitscan.com):
 
-```bash
-# Semgrep - 2000+ community security rules
-pip install semgrep
+- Drag-and-drop file/ZIP upload
+- GitHub URL scanning
+- Scan history and score trends
+- PDF security reports
+- SOC2/ISO27001 compliance mapping
+- Slack and Discord webhook notifications
 
-# Gitleaks - advanced secret detection
-brew install gitleaks
-```
-
-XploitScan automatically uses them if available.
+**Free**: 5 scans/day, 30 core rules. **Pro** ($29/mo): unlimited scans, all 131 rules, and all dashboard features.
 
-## Auth & Pro Plan
+## Supported Languages
 
-```bash
-# Log in to sync scan history
-xploitscan auth login
+JavaScript, TypeScript, Python, Ruby, Go, Rust, Java, PHP, Swift, Kotlin, C#, Dart, C/C++, and configuration files (Dockerfile, Terraform, Kubernetes, GitHub Actions, .env).
 
-# Check your plan
-xploitscan auth whoami
-
-# Upgrade to Pro ($29/mo) for unlimited scans
-xploitscan upgrade
-```
+## Links
 
-Free plan: 3 scans/day. Pro: unlimited scans, scan history, team features.
+- **Website**: [xploitscan.com](https://xploitscan.com)
+- **Documentation**: [xploitscan.com/docs](https://xploitscan.com/docs)
+- **Changelog**: [xploitscan.com/changelog](https://xploitscan.com/changelog)
+- **Email**: admin@xploitscan.com
 
 ## License
 
-MIT
+MIT -- [Cipherline LLC](https://xploitscan.com)

package/dist/index.js

@@ -6011,10 +6011,16 @@ async function scanCommand(directory, options) {
   const config = await loadConfig(dir);
   const useAI = (options.aiAnalysis ?? config.ai ?? true) && !!process.env.ANTHROPIC_API_KEY;
   const isSilent = format !== "terminal";
+  let tier = "free";
+  let userPlan = "anonymous";
   if (isAuthenticated()) {
     const usage = await checkUsage();
+    userPlan = usage.plan;
+    if (usage.plan === "pro") {
+      tier = "pro";
+    }
     if (!usage.allowed) {
-      console.log(chalk2.red("\nDaily scan limit reached (3/3 scans used)."));
+      console.log(chalk2.red("\nDaily scan limit reached."));
       console.log(chalk2.yellow("Upgrade to Pro for unlimited scans: ") + chalk2.bold("xploitscan upgrade"));
       console.log(chalk2.gray(`Resets tomorrow. Plan: ${usage.plan}
 `));
@@ -6065,7 +6071,7 @@ async function scanCommand(directory, options) {
     fileContentsForAnalysis.push({ path: filePath, content });
     const astCtx = buildASTContext(content, filePath);
     if (astCtx.isScannerFile) continue;
-    const findings = runCustomRules(content, filePath, config.disableRules);
+    const findings = runCustomRules(content, filePath, config.disableRules, tier);
     for (const f of findings) {
       if (astCtx.isTestFile) {
         f.confidence = "low";
@@ -6205,6 +6211,15 @@ async function scanCommand(directory, options) {
       renderTerminalReport(result, fileContentsForAnalysis);
       break;
   }
+  if (tier === "free" && !isSilent) {
+    console.log("");
+    if (userPlan === "anonymous") {
+      console.log(chalk2.gray("  Scanned with 30 free rules.") + chalk2.cyan(" Log in to unlock all 131 rules \u2192") + chalk2.bold(" xploitscan auth login"));
+    } else {
+      console.log(chalk2.gray("  Scanned with 30 rules.") + chalk2.cyan(" Upgrade to Pro for all 131 rules \u2192") + chalk2.bold(" xploitscan upgrade"));
+    }
+    console.log("");
+  }
   if (isAuthenticated()) {
     await Promise.allSettled([
       incrementUsage(),
@@ -6417,7 +6432,7 @@ Open this URL in your browser to log in:`));
 var program = new Command();
 program.name("xploitscan").description(
   "AI security scanner for vibe-coded apps. Find vulnerabilities before attackers do."
-).version("0.7.0");
+).version("0.8.0");
 program.command("scan").description("Scan a directory for security vulnerabilities").argument("[directory]", "Directory to scan", ".").option("--no-ai", "Skip AI-powered analysis").option("-f, --format <format>", "Output format: terminal, json, sarif", "terminal").option("-v, --verbose", "Show detailed output", false).option("--diff [base]", "Scan only files changed vs base branch (default: main)").option("-w, --watch", "Watch for file changes and re-scan automatically", false).action(async (directory, opts) => {
   await scanCommand(directory, {
     directory,