devguard 0.2.0__py3-none-any.whl

devguard/scripts/auto_fix_recommendations.py

@@ -0,0 +1,145 @@
+#!/usr/bin/env python3
+"""Generate automated fix recommendations based on security analysis."""
+
+import json
+import subprocess
+from pathlib import Path
+from typing import Any
+
+
+def generate_fix_commands(
+    report_path: Path = Path("npm_security_report.json"),
+) -> list[dict[str, Any]]:
+    """Generate fix commands based on security report."""
+    if not report_path.exists():
+        print(f"Error: Report not found: {report_path}")
+        print("Run: uv run python devguard/scripts/generate_security_report.py")
+        return []
+
+    with open(report_path) as f:
+        report = json.load(f)
+
+    fixes = []
+
+    # Fix missing .npmignore
+    missing_npmignore = report["summary"]["total_findings"].get("missing_npmignore", 0)
+    if missing_npmignore > 0:
+        fixes.append(
+            {
+                "priority": "high",
+                "issue": "Missing .npmignore files",
+                "command": "uv run python devguard/scripts/generate_npmignore.py",
+                "description": f"Generate .npmignore files for {missing_npmignore} package(s)",
+            }
+        )
+
+    # Fix dependency vulnerabilities
+    dep_vulns = report["summary"]["total_findings"].get("dependency_vulnerabilities", 0)
+    if dep_vulns > 0:
+        fixes.append(
+            {
+                "priority": "high",
+                "issue": "Dependency vulnerabilities",
+                "command": "npm audit fix",
+                "description": f"Fix {dep_vulns} dependency vulnerabilities",
+                "note": "Review changes before committing",
+            }
+        )
+
+    # Review obfuscated code
+    obfuscated = report["summary"]["total_findings"].get("obfuscated_code", 0)
+    if obfuscated > 0:
+        fixes.append(
+            {
+                "priority": "medium",
+                "issue": "Obfuscated code patterns",
+                "command": "grep -r 'Function\\|atob\\|eval' --include='*.js' --include='*.mjs' --include='*.ts'",
+                "description": f"Review {obfuscated} obfuscated code patterns",
+                "manual": True,
+            }
+        )
+
+    return fixes
+
+
+def main():
+    """Main entry point."""
+    fixes = generate_fix_commands()
+
+    if not fixes:
+        print("No fixes needed or report not found.")
+        return
+
+    print("=" * 80)
+    print("AUTOMATED FIX RECOMMENDATIONS")
+    print("=" * 80)
+    print()
+
+    high_priority = [f for f in fixes if f["priority"] == "high"]
+    medium_priority = [f for f in fixes if f["priority"] == "medium"]
+    low_priority = [f for f in fixes if f["priority"] == "low"]
+
+    if high_priority:
+        print("🔴 HIGH PRIORITY FIXES:")
+        print()
+        for fix in high_priority:
+            print(f"  Issue: {fix['issue']}")
+            print(f"  Description: {fix['description']}")
+            print(f"  Command: {fix['command']}")
+            if "note" in fix:
+                print(f"  Note: {fix['note']}")
+            if fix.get("manual"):
+                print("  ⚠️  Manual review required")
+            print()
+
+    if medium_priority:
+        print("🟡 MEDIUM PRIORITY FIXES:")
+        print()
+        for fix in medium_priority:
+            print(f"  Issue: {fix['issue']}")
+            print(f"  Description: {fix['description']}")
+            if "command" in fix:
+                print(f"  Command: {fix['command']}")
+            if fix.get("manual"):
+                print("  ⚠️  Manual review required")
+            print()
+
+    if low_priority:
+        print("🟢 LOW PRIORITY FIXES:")
+        print()
+        for fix in low_priority:
+            print(f"  Issue: {fix['issue']}")
+            print(f"  Description: {fix['description']}")
+            print()
+
+    # Ask if user wants to apply fixes
+    print("=" * 80)
+    print("Apply fixes automatically? (y/n): ", end="")
+    try:
+        response = input().strip().lower()
+        if response == "y":
+            for fix in high_priority:
+                if not fix.get("manual"):
+                    print(f"\nRunning: {fix['command']}")
+                    try:
+                        result = subprocess.run(
+                            fix["command"].split(),
+                            capture_output=True,
+                            text=True,
+                            check=False,
+                        )
+                        if result.returncode == 0:
+                            print(f"✓ Success: {fix['issue']}")
+                        else:
+                            print(f"✗ Failed: {fix['issue']}")
+                            print(result.stderr)
+                    except Exception as e:
+                        print(f"✗ Error: {e}")
+        else:
+            print("Skipping automatic fixes. Run commands manually as needed.")
+    except (EOFError, KeyboardInterrupt):
+        print("\nSkipping automatic fixes.")
+
+
+if __name__ == "__main__":
+    main()

devguard/scripts/generate_npmignore.py

@@ -0,0 +1,175 @@
+#!/usr/bin/env python3
+"""Generate .npmignore files for npm packages based on best practices."""
+
+import json
+from pathlib import Path
+from typing import Any
+
+
+def generate_npmignore_content(
+    package_dir: Path, package_json: dict[str, Any] | None = None
+) -> str:
+    """Generate .npmignore content based on package structure and best practices."""
+    lines = [
+        "# .npmignore - Files excluded from npm package",
+        "# Generated based on npm best practices",
+        "",
+        "# Test files",
+        "test/",
+        "tests/",
+        "__tests__/",
+        "*.test.js",
+        "*.test.ts",
+        "*.test.mjs",
+        "*.spec.js",
+        "*.spec.ts",
+        "*.spec.mjs",
+        "",
+        "# Coverage reports",
+        "coverage/",
+        ".nyc_output/",
+        "*.lcov",
+        "",
+        "# Development configuration",
+        ".eslintrc*",
+        ".prettierrc*",
+        ".editorconfig",
+        ".mocharc*",
+        "jest.config.*",
+        "vitest.config.*",
+        "",
+        "# CI/CD configuration (may contain secrets)",
+        ".github/",
+        ".gitlab-ci.yml",
+        ".circleci/",
+        ".travis.yml",
+        ".drone.yml",
+        "azure-pipelines.yml",
+        "Jenkinsfile",
+        "",
+        "# Environment and secrets",
+        ".env",
+        ".env.*",
+        "*.env",
+        ".secrets",
+        "secrets.json",
+        "credentials.json",
+        "config.json",
+        "",
+        "# Lock files",
+        "package-lock.json",
+        "yarn.lock",
+        "pnpm-lock.yaml",
+        "",
+        "# Git",
+        ".git/",
+        ".gitignore",
+        ".gitattributes",
+        "",
+        "# IDE and editor files",
+        ".vscode/",
+        ".idea/",
+        "*.swp",
+        "*.swo",
+        "*~",
+        ".DS_Store",
+        "",
+        "# Build artifacts (if source is published)",
+        "dist/",
+        "build/",
+        "*.map",
+        "",
+        "# Documentation (optional - remove if you want docs in package)",
+        "# docs/",
+        "# *.md",
+        "# README.md is always included by npm",
+        "",
+        "# Temporary files",
+        "*.tmp",
+        "*.log",
+        "*.cache",
+        "",
+        "# Source files (if publishing compiled code only)",
+        "# Uncomment if you only publish compiled output:",
+        "# src/",
+        "# *.ts",
+        "# tsconfig.json",
+    ]
+
+    return "\n".join(lines) + "\n"
+
+
+def find_package_directories(base_path: Path) -> list[Path]:
+    """Find all package.json files to generate .npmignore for."""
+    packages = []
+    for pkg_json in base_path.rglob("package.json"):
+        # Skip node_modules
+        if "node_modules" in pkg_json.parts:
+            continue
+        packages.append(pkg_json.parent)
+    return packages
+
+
+def main():
+    """Main entry point."""
+    import sys
+
+    if len(sys.argv) > 1:
+        base_path = Path(sys.argv[1])
+    else:
+        # Default to common dev locations
+        base_path = Path.home() / "Documents" / "dev"
+
+    if not base_path.exists():
+        print(f"Error: Path does not exist: {base_path}")
+        return
+
+    packages = find_package_directories(base_path)
+
+    if not packages:
+        print(f"No package.json files found in {base_path}")
+        return
+
+    print(f"Found {len(packages)} packages")
+    print()
+
+    for pkg_dir in packages:
+        npmignore_path = pkg_dir / ".npmignore"
+
+        # Check if package.json exists
+        pkg_json_path = pkg_dir / "package.json"
+        package_json = None
+        if pkg_json_path.exists():
+            try:
+                with open(pkg_json_path) as f:
+                    package_json = json.load(f)
+            except Exception:
+                pass
+
+        # Generate .npmignore
+        content = generate_npmignore_content(pkg_dir, package_json)
+
+        # Check if it already exists
+        if npmignore_path.exists():
+            existing = npmignore_path.read_text()
+            if existing.strip() == content.strip():
+                print(f"✓ {pkg_dir.name}: .npmignore already up to date")
+                continue
+            else:
+                print(f"⚠ {pkg_dir.name}: .npmignore exists but differs")
+                print("  Backup existing file? (y/n): ", end="")
+                # For automation, we'll create a backup
+                backup_path = npmignore_path.with_suffix(".npmignore.backup")
+                npmignore_path.rename(backup_path)
+                print(f"  Backed up to {backup_path.name}")
+
+        # Write new .npmignore
+        npmignore_path.write_text(content)
+        print(f"✓ {pkg_dir.name}: Created/updated .npmignore")
+
+    print()
+    print("Done! Review the generated .npmignore files and customize as needed.")
+
+
+if __name__ == "__main__":
+    main()

devguard/scripts/generate_security_report.py

@@ -0,0 +1,324 @@
+#!/usr/bin/env python3
+"""Generate a comprehensive security report from red team analysis."""
+
+import asyncio
+import json
+
+# Import the red team analysis
+import sys
+from datetime import UTC, datetime
+from pathlib import Path
+
+sys.path.insert(0, str(Path(__file__).parent.parent))
+
+from devguard.scripts.redteam_npm_packages import analyze_package
+
+
+async def generate_report(packages: list[str], versions: dict[str, str] | None = None) -> dict:
+    """Generate comprehensive security report."""
+    results = []
+
+    for package in packages:
+        try:
+            version = versions.get(package) if versions else None
+            result = await analyze_package(package, version)
+            results.append(result)
+        except Exception as e:
+            results.append(
+                {
+                    "package": package,
+                    "error": str(e),
+                }
+            )
+
+    # Calculate summary statistics
+    total_findings = {
+        "secrets": 0,
+        "sensitive_files": 0,
+        "obfuscated_code": 0,
+        "git_history": 0,
+        "lock_files": 0,
+        "ci_configs": 0,
+        "missing_npmignore": 0,
+        "suspicious_scripts": 0,
+        "placeholder_values": 0,
+        "dependency_vulnerabilities": 0,
+        "postinstall_scripts": 0,
+        "file_permissions": 0,
+        "suspicious_package_names": 0,
+    }
+
+    critical_issues = []
+    warnings = []
+    recommendations = []
+
+    for result in results:
+        if "error" in result or "findings" not in result:
+            continue
+
+        findings = result["findings"]
+
+        # Count findings
+        total_findings["secrets"] += len(findings.get("secrets", []))
+        total_findings["sensitive_files"] += len(findings.get("sensitive_files", []))
+        total_findings["obfuscated_code"] += len(findings.get("obfuscated_code", []))
+        if findings.get("git_history"):
+            total_findings["git_history"] += 1
+        total_findings["lock_files"] += len(findings.get("lock_files", []))
+        total_findings["ci_configs"] += len(findings.get("ci_configs", []))
+        if findings.get("npmignore_missing"):
+            total_findings["missing_npmignore"] += 1
+
+        pkg_issues = findings.get("package_json_issues", {})
+        total_findings["suspicious_scripts"] += len(pkg_issues.get("suspicious_scripts", []))
+        total_findings["placeholder_values"] += len(pkg_issues.get("placeholder_values", []))
+        total_findings["dependency_vulnerabilities"] += len(
+            findings.get("dependency_vulnerabilities", [])
+        )
+        total_findings["postinstall_scripts"] += len(findings.get("postinstall_scripts", []))
+        total_findings["file_permissions"] += len(findings.get("file_permissions", []))
+        total_findings["suspicious_package_names"] += len(
+            findings.get("suspicious_package_names", [])
+        )
+
+        # Categorize issues
+        if findings.get("secrets"):
+            critical_issues.append(
+                {
+                    "package": result["package"],
+                    "type": "secrets",
+                    "count": len(findings["secrets"]),
+                }
+            )
+
+        if findings.get("git_history"):
+            critical_issues.append(
+                {
+                    "package": result["package"],
+                    "type": "git_history",
+                    "message": ".git directory found in published package",
+                }
+            )
+
+        if findings.get("npmignore_missing"):
+            warnings.append(
+                {
+                    "package": result["package"],
+                    "type": "missing_npmignore",
+                    "message": "No .npmignore file found",
+                }
+            )
+
+        if findings.get("obfuscated_code"):
+            warnings.append(
+                {
+                    "package": result["package"],
+                    "type": "obfuscated_code",
+                    "count": len(findings["obfuscated_code"]),
+                }
+            )
+
+    # Generate recommendations
+    if total_findings["missing_npmignore"] > 0:
+        recommendations.append(
+            {
+                "priority": "high",
+                "action": "Add .npmignore files",
+                "packages_affected": total_findings["missing_npmignore"],
+                "command": "uv run python devguard/scripts/generate_npmignore.py",
+            }
+        )
+
+    if total_findings["obfuscated_code"] > 0:
+        recommendations.append(
+            {
+                "priority": "medium",
+                "action": "Review obfuscated code patterns",
+                "count": total_findings["obfuscated_code"],
+                "note": "Ensure Function(), atob(), etc. are used legitimately",
+            }
+        )
+
+    if total_findings["lock_files"] > 0:
+        recommendations.append(
+            {
+                "priority": "low",
+                "action": "Remove lock files from published packages",
+                "count": total_findings["lock_files"],
+            }
+        )
+
+    if total_findings["dependency_vulnerabilities"] > 0:
+        critical_dep_vulns = sum(
+            1
+            for r in results
+            if "findings" in r
+            for v in r["findings"].get("dependency_vulnerabilities", [])
+            if v.get("severity") in ["CRITICAL", "HIGH"]
+        )
+        priority = "high" if critical_dep_vulns > 0 else "medium"
+        recommendations.append(
+            {
+                "priority": priority,
+                "action": "Fix dependency vulnerabilities",
+                "count": total_findings["dependency_vulnerabilities"],
+                "critical_count": critical_dep_vulns,
+                "command": "npm audit fix",
+                "note": "Review changes before committing"
+                if critical_dep_vulns > 0
+                else "Update vulnerable dependencies",
+            }
+        )
+
+    if total_findings["postinstall_scripts"] > 0:
+        recommendations.append(
+            {
+                "priority": "medium",
+                "action": "Review install scripts for security risks",
+                "count": total_findings["postinstall_scripts"],
+                "note": "Install scripts can be supply chain attack vectors",
+            }
+        )
+
+    report = {
+        "generated_at": datetime.now(UTC).isoformat(),
+        "packages_analyzed": len(packages),
+        "summary": {
+            "critical_issues": len(critical_issues),
+            "warnings": len(warnings),
+            "total_findings": total_findings,
+        },
+        "critical_issues": critical_issues,
+        "warnings": warnings,
+        "recommendations": recommendations,
+        "detailed_results": results,
+    }
+
+    return report
+
+
+def generate_markdown_report(report: dict) -> str:
+    """Generate markdown report from JSON report."""
+    lines = [
+        "# NPM Package Security Report",
+        "",
+        f"**Generated:** {report['generated_at']}",
+        f"**Packages Analyzed:** {report['packages_analyzed']}",
+        "",
+        "## Summary",
+        "",
+        f"- **Critical Issues:** {report['summary']['critical_issues']}",
+        f"- **Warnings:** {report['summary']['warnings']}",
+        "",
+        "### Findings",
+        "",
+    ]
+
+    for key, value in report["summary"]["total_findings"].items():
+        if value > 0:
+            lines.append(f"- **{key.replace('_', ' ').title()}:** {value}")
+
+    if report["critical_issues"]:
+        lines.extend(
+            [
+                "",
+                "## Critical Issues",
+                "",
+            ]
+        )
+        for issue in report["critical_issues"]:
+            lines.append(f"### {issue['package']}")
+            lines.append(f"- **Type:** {issue['type']}")
+            if "count" in issue:
+                lines.append(f"- **Count:** {issue['count']}")
+            if "message" in issue:
+                lines.append(f"- **Message:** {issue['message']}")
+            lines.append("")
+
+    if report["warnings"]:
+        lines.extend(
+            [
+                "## Warnings",
+                "",
+            ]
+        )
+        for warning in report["warnings"]:
+            lines.append(f"- **{warning['package']}:** {warning.get('message', warning['type'])}")
+        lines.append("")
+
+    if report["recommendations"]:
+        lines.extend(
+            [
+                "## Recommendations",
+                "",
+            ]
+        )
+        for rec in report["recommendations"]:
+            priority_emoji = {"high": "🔴", "medium": "🟡", "low": "🟢"}.get(rec["priority"], "•")
+            lines.append(f"{priority_emoji} **[{rec['priority'].upper()}]** {rec['action']}")
+            if "packages_affected" in rec:
+                lines.append(f"  - Affects {rec['packages_affected']} package(s)")
+            if "count" in rec:
+                lines.append(f"  - Count: {rec['count']}")
+            if "command" in rec:
+                lines.append(f"  - Command: `{rec['command']}`")
+            if "note" in rec:
+                lines.append(f"  - Note: {rec['note']}")
+            lines.append("")
+
+    return "\n".join(lines)
+
+
+async def main():
+    """Main entry point."""
+
+    # Replace with your own packages to audit
+    packages = [
+        "example-package",
+    ]
+
+    versions = {
+        "example-package": "1.0.0",
+    }
+
+    print("Generating comprehensive security report...")
+    report = await generate_report(packages, versions)
+
+    # Save JSON report
+    json_path = Path("npm_security_report.json")
+    with open(json_path, "w") as f:
+        json.dump(report, f, indent=2)
+
+    print(f"\n✓ JSON report saved to {json_path}")
+
+    # Generate and save markdown report
+    markdown = generate_markdown_report(report)
+    md_path = Path("npm_security_report.md")
+    md_path.write_text(markdown)
+
+    print(f"✓ Markdown report saved to {md_path}")
+
+    # Print summary
+    print("\n" + "=" * 80)
+    print("SECURITY REPORT SUMMARY")
+    print("=" * 80)
+    print(f"Packages analyzed: {report['packages_analyzed']}")
+    print(f"Critical issues: {report['summary']['critical_issues']}")
+    print(f"Warnings: {report['summary']['warnings']}")
+    print("\nFindings:")
+    for key, value in report["summary"]["total_findings"].items():
+        if value > 0:
+            print(f"  • {key}: {value}")
+
+    if report["recommendations"]:
+        print("\nRecommendations:")
+        for rec in report["recommendations"]:
+            print(f"  [{rec['priority'].upper()}] {rec['action']}")
+            if "packages_affected" in rec:
+                print(f"    Affects {rec['packages_affected']} package(s)")
+            if "command" in rec:
+                print(f"    Run: {rec['command']}")
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

devguard/scripts/prepublish_check.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+# Pre-publish security check hook for npm packages
+# Add to package.json: "prepublishOnly": "./devguard/scripts/prepublish_check.sh"
+
+set -e
+
+echo "🔍 Running pre-publish security checks..."
+
+# Check if devguard scripts are available
+if ! command -v python3 &> /dev/null; then
+    echo "⚠️  Python3 not found, skipping security checks"
+    exit 0
+fi
+
+# Run red team analysis
+if [ -f "devguard/scripts/redteam_npm_packages.py" ]; then
+    echo "Running security analysis..."
+    python3 devguard/scripts/redteam_npm_packages.py || {
+        echo "❌ Security checks failed!"
+        echo "Review the findings above before publishing."
+        exit 1
+    }
+else
+    echo "⚠️  Security scripts not found, skipping checks"
+fi
+
+echo "✅ Pre-publish checks passed!"
+
+