PyPI - github-guardian - Versions diffs - 1.0.1__tar.gz → 1.0.3__tar.gz - Mend

github-guardian 1.0.1tar.gz → 1.0.3tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (14) hide show

{github_guardian-1.0.1 → github_guardian-1.0.3}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: github-guardian
-Version: 1.0.1
+Version: 1.0.3
 Summary: Deep Forensic Security Audit Engine & Pre-Commit Shield
 Author: GitHub Guardian Team
 Requires-Dist: typer>=0.9.0

{github_guardian-1.0.1 → github_guardian-1.0.3}/core/scanner.py RENAMED Viewed

@@ -1,17 +1,47 @@
 import os
 import re
+import math
 from rich.table import Table
-# Re-using the professional-grade patterns from the backend
+# Robust set of enterprise-grade patterns
 SECRET_PATTERNS = {
-    "AWS Access Key": r'AKIA[0-9A-Z]{16}',
-    "GitHub Token": r'ghp_[0-9a-zA-Z]{36}',
+    "AWS Access Key ID": r'AKIA[0-9A-Z]{16}',
+    "AWS Secret Key": r'(?i)aws_secret_access_key\s*[:=]\s*["\']?([A-Za-z0-9/+=]{40})["\']?',
+    "GitHub Token": r'gh[pousr]_[0-9a-zA-Z]{36}|github_pat_[0-9a-zA-Z]{82}',
     "Slack Webhook": r'https://hooks\.slack\.com/services/T[0-9A-Z]{8}/B[0-9A-Z]{8}/[0-9a-zA-Z]{24}',
-    "Stripe API Key": r'sk_live_[0-9a-zA-Z]{24}',
-    "Private Key": r'-----BEGIN (?:RSA|OPENSSH) PRIVATE KEY-----',
-    "Google API Key": r'AIza[0-9A-Za-z\-_]{35}'
+    "Slack Token": r'xox[bapr]-[0-9a-zA-Z]{10,48}',
+    "Stripe API Key": r'[rs]k_(?:live|test)_[0-9a-zA-Z]{24,32}',
+    "Google API Key": r'AIza[0-9A-Za-z\-_]{35}',
+    "OpenAI API Key": r'sk-[a-zA-Z0-9]{20,}|sk\s*-\s*[a-zA-Z0-9\-_]{40,}',
+    "Twilio Account SID": r'AC[0-9a-fA-F]{32}',
+    "Twilio Auth Token": r'(?i)twilio_auth_token\s*[:=]\s*["\']?([0-9a-fA-F]{32})["\']?',
+    "Discord Webhook": r'https://discord(?:app)?\.com/api/webhooks/[0-9]+/[0-9a-zA-Z_-]+',
+    "Discord Bot Token": r'[MN][A-Za-z0-9_]{23}\.[A-Za-z0-9_]{6}\.[A-Za-z0-9_]{27}',
+    "Telegram Bot Token": r'[0-9]{9,10}:[a-zA-Z0-9_-]{35}',
+    "Heroku API Key": r'[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}',
+    "Mailgun API Key": r'key-[0-9a-zA-Z]{32}',
+    "SendGrid API Key": r'SG\.[0-9a-zA-Z_-]{22}\.[0-9a-zA-Z_-]{43}',
+    "Facebook Access Token": r'EAACEdEose0c[0-9A-Za-z]+',
+    "Database URL": r'(?:mongodb(?:\+srv)?|postgres|postgresql|mysql|mssql|redis):\/\/[^:\s]+:[^@\s]+@[^@\s]+',
+    "Private Key": r'-----BEGIN (?:RSA|OPENSSH|DSA|EC|PGP)? PRIVATE KEY-----',
+    "JWT": r'eyJ[a-zA-Z0-9_-]+\.eyJ[a-zA-Z0-9_-]+\.[a-zA-Z0-9_-]+',
+    "NPM Token": r'npm_[0-9a-zA-Z]{36}'
 }
+GENERIC_ASSIGNMENT_PATTERN = re.compile(
+    r"(?i)\b['\"]?([a-z0-9_\-\.]*(?:key|secret|token|password|passwd|pw|auth|cred|pass|db|uri|url)[a-z0-9_\-\.]*)['\"]?\s*[:=]\s*['\"]([a-zA-Z0-9_\-\.\/\+=]{16,})['\"]"
+)
+def calculate_entropy(s: str) -> float:
+    if not s:
+        return 0.0
+    entropy = 0.0
+    for x in range(256):
+        p_x = float(s.count(chr(x))) / len(s)
+        if p_x > 0:
+            entropy += - p_x * math.log(p_x, 2)
+    return entropy
 SAST_PATTERNS = {
     "SQL Injection (Raw Query)": r"\.execute\(\".*%\s*\"",
     "Insecure Rendering (XSS)": r"dangerouslySetInnerHTML",
@@ -36,7 +66,8 @@ def run_local_scan(path: str, console, hook_mode: bool = False) -> bool:
     for root, _, files in os.walk(path):
         # Ignore common build/dependency directories
-        if any(x in root for x in [".git", "node_modules", "venv", "__pycache__"]):
+        split_dirs = root.split(os.sep)
+        if any(x in split_dirs for x in [".git", "node_modules", "venv", ".venv", "build_env", "dist", "build", "__pycache__"]):
             continue
         for file in files:
             ext = os.path.splitext(file)[1]
@@ -54,9 +85,20 @@ def run_local_scan(path: str, console, hook_mode: bool = False) -> bool:
                 for line_idx, line in enumerate(lines, 1):
                     # Check for Secrets
+                    matched_any = False
                     for name, pat in SECRET_PATTERNS.items():
                         if re.search(pat, line):
                             findings.append((filepath, line_idx, "SECRET LEAK", name))
+                            matched_any = True
+                    # If no specific patterns matched, check for generic high-entropy assignments
+                    if not matched_any:
+                        gen_match = GENERIC_ASSIGNMENT_PATTERN.search(line)
+                        if gen_match:
+                            val = gen_match.group(2)
+                            # Only alert if value has high entropy
+                            if calculate_entropy(val) >= 3.2:
+                                findings.append((filepath, line_idx, "SECRET LEAK", f"High-Entropy Secret ({gen_match.group(1)})"))
                     # Check for Semantic vulnerabilities
                     for name, pat in SAST_PATTERNS.items():

{github_guardian-1.0.1 → github_guardian-1.0.3}/github_guardian.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: github-guardian
-Version: 1.0.1
+Version: 1.0.3
 Summary: Deep Forensic Security Audit Engine & Pre-Commit Shield
 Author: GitHub Guardian Team
 Requires-Dist: typer>=0.9.0

{github_guardian-1.0.1 → github_guardian-1.0.3}/setup.py RENAMED Viewed

@@ -2,7 +2,7 @@ from setuptools import setup, find_packages
 setup(
     name="github-guardian",
-    version="1.0.1",
+    version="1.0.3",
     description="Deep Forensic Security Audit Engine & Pre-Commit Shield",
     author="GitHub Guardian Team",
     packages=find_packages(),