shieldops-cli 1.0.0__py3-none-any.whl

shieldops_cli/__init__.py

@@ -0,0 +1,3 @@
+"""ShieldOps AI CLI — Security scanner for Docker, Kubernetes, Compose, SBOM, and more."""
+
+__version__ = "1.0.0"

shieldops_cli/api_client.py

@@ -0,0 +1,102 @@
+"""Thin wrapper around /api/ext/run and other endpoints."""
+from __future__ import annotations
+import requests
+from shieldops_cli import config
+
+_TIMEOUT = 120  # seconds
+
+
+class ApiError(Exception):
+    def __init__(self, status: int, code: str, message: str = ""):
+        self.status = status
+        self.code = code
+        self.message = message
+        super().__init__(f"[{status}] {code}: {message}")
+
+
+class ShieldOpsClient:
+    def __init__(self, api_url: str | None = None, api_key: str | None = None):
+        self.api_url = (api_url or config.get_api_url()).rstrip("/")
+        self.api_key = api_key or config.get_api_key()
+
+    @property
+    def _headers(self) -> dict:
+        h = {"Content-Type": "application/json"}
+        if self.api_key:
+            h["X-ShieldOps-Extension-Key"] = self.api_key
+        return h
+
+    # ── Core: run task ──────────────────────────────────
+    def run_task(
+        self,
+        task: str,
+        content: str,
+        filename: str = "untitled",
+        options: dict | None = None,
+    ) -> dict:
+        """POST /api/ext/run — runs any supported task."""
+        body = {
+            "task": task,
+            "content": content,
+            "filename": filename,
+        }
+        if options:
+            body["options"] = options
+
+        resp = requests.post(
+            f"{self.api_url}/api/ext/run",
+            json=body,
+            headers=self._headers,
+            timeout=_TIMEOUT,
+        )
+        is_json = resp.headers.get("content-type", "").startswith("application/json")
+        data = resp.json() if is_json else {}
+
+        if resp.status_code == 403:
+            raise ApiError(403, data.get("error", "access_denied"),
+                           "Invalid or missing API key. Run: shieldops login --key <YOUR_KEY>")
+        if resp.status_code == 429:
+            raise ApiError(429, "rate_limit",
+                           f"Daily limit reached. Upgrade at {self.api_url}/pricing")
+        if resp.status_code == 413:
+            raise ApiError(413, "content_too_large", "File too large (max 250KB).")
+        if resp.status_code >= 400:
+            if not is_json:
+                raise ApiError(resp.status_code, "server_error",
+                               f"Server error ({resp.status_code}) while generating report.")
+            raise ApiError(resp.status_code,
+                           data.get("error", "unknown"),
+                           data.get("details", resp.text[:200]))
+        return data
+
+    # ── Capabilities ────────────────────────────────────
+    def capabilities(self) -> dict:
+        """GET /api/ext/capabilities — returns plan features and limits."""
+        resp = requests.get(
+            f"{self.api_url}/api/ext/capabilities",
+            headers=self._headers,
+            timeout=30,
+        )
+        if resp.status_code != 200:
+            return {}
+        return resp.json()
+
+    # ── Account info ────────────────────────────────────
+    def whoami(self) -> dict:
+        """GET /api/ext/account — returns current user info."""
+        resp = requests.get(
+            f"{self.api_url}/api/ext/account",
+            headers=self._headers,
+            timeout=15,
+        )
+        if resp.status_code != 200:
+            return {"error": "not_authenticated"}
+        return resp.json()
+
+    # ── Health check ────────────────────────────────────
+    def ping(self) -> bool:
+        try:
+            resp = requests.get(f"{self.api_url}/api/ext/health", timeout=5)
+            return resp.status_code == 200
+        except Exception:
+            return False

shieldops_cli/auth.py

@@ -0,0 +1,64 @@
+"""Authentication commands."""
+import click
+from rich.console import Console
+from shieldops_cli import config as cfg
+from shieldops_cli.api_client import ShieldOpsClient
+
+console = Console()
+
+
+@click.command()
+@click.option("--key", prompt="API Key", hide_input=True,
+              help="API key from https://shieldops-ai.onrender.com/settings/api-keys")
+@click.option("--url", default=None, help="Override API base URL.")
+def login(key, url):
+    """Authenticate with your ShieldOps API key."""
+    cfg.set_key("api_key", key.strip())
+    if url:
+        cfg.set_key("api_url", url.strip().rstrip("/"))
+
+    # Verify the key
+    client = ShieldOpsClient(api_key=key.strip())
+    info = client.whoami()
+    if "error" in info:
+        console.print("[yellow]\u26a0  Key saved but could not verify. Check it at:[/yellow]")
+        console.print(f"   {cfg.get_api_url()}/settings/api-keys")
+    else:
+        plan = info.get("plan", "free").title()
+        name = info.get("name", info.get("email", "User"))
+        console.print(f"[green]\u2705 Authenticated as [bold]{name}[/bold] ({plan} plan)[/green]")
+
+
+@click.command()
+def logout():
+    """Remove stored credentials."""
+    cfg.set_key("api_key", "")
+    console.print("[green]\u2705 Logged out. API key removed.[/green]")
+
+
+@click.command()
+def whoami():
+    """Show current account info and plan."""
+    api_key = cfg.get_api_key()
+    if not api_key:
+        console.print("[yellow]Not authenticated. Run: shieldops login[/yellow]")
+        return
+
+    client = ShieldOpsClient()
+    info = client.whoami()
+    if "error" in info:
+        console.print("[red]Could not fetch account info. Check your API key.[/red]")
+        return
+
+    console.print(f"[bold]Name:[/bold]  {info.get('name', '\u2014')}")
+    console.print(f"[bold]Email:[/bold] {info.get('email', '\u2014')}")
+    console.print(f"[bold]Plan:[/bold]  {info.get('plan', 'free').title()}")
+
+    caps = client.capabilities()
+    limits = caps.get("limits", {})
+    used = limits.get("daily_ai_used", 0)
+    total = limits.get("daily_ai_requests")
+    if total:
+        console.print(f"[bold]Usage:[/bold] {used}/{total} requests today")
+    else:
+        console.print("[bold]Usage:[/bold] Unlimited")

shieldops_cli/commands/__init__.py

@@ -0,0 +1 @@
+"""ShieldOps CLI commands."""

shieldops_cli/commands/analyze.py

@@ -0,0 +1,107 @@
+"""shieldops analyze — Dockerfile analysis."""
+import sys
+import click
+from pathlib import Path
+from rich.console import Console
+
+from shieldops_cli.api_client import ShieldOpsClient, ApiError
+from shieldops_cli.formatters import format_result
+
+console = Console()
+
+SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
+
+
+@click.command()
+@click.argument("file", type=click.Path(exists=True))
+@click.option("-f", "--format", "fmt", type=click.Choice(["table", "json", "sarif", "summary"]),
+              default=None, help="Output format. Default: from config or 'table'.")
+@click.option("-o", "--output", type=click.Path(), default=None,
+              help="Write output to file instead of stdout.")
+@click.option("--open-report", is_flag=True, default=False,
+              help="Open the full report in browser after scan.")
+@click.option("--fail-on", type=click.Choice(["critical", "high", "medium", "low", "none"]),
+              default="none", help="Exit with code 1 if issues >= severity (for CI/CD).")
+def analyze(file, fmt, output, open_report, fail_on):
+    """Analyze a Dockerfile for security and best-practice issues.
+
+    \b
+    Examples:
+      shieldops analyze Dockerfile
+      shieldops analyze Dockerfile --format json --output report.json
+      shieldops analyze Dockerfile --fail-on high    # CI/CD gate
+      shieldops analyze Dockerfile --open-report
+    """
+    path = Path(file)
+    content = path.read_text(encoding="utf-8")
+    filename = path.name
+
+    client = ShieldOpsClient()
+
+    with console.status("[bold blue]Analyzing...", spinner="dots"):
+        try:
+            payload = client.run_task("analyze", content, filename)
+        except ApiError as e:
+            console.print(f"[red]Error: {e.message}[/red]")
+            sys.exit(2)
+
+    result = payload.get("result", {})
+
+    # ── Format output ──
+    formatted = format_result("analyze", result, fmt=fmt or "table")
+
+    if output:
+        Path(output).write_text(formatted, encoding="utf-8")
+        console.print(f"[green]\u2705 Report saved to {output}[/green]")
+    else:
+        console.print(formatted)
+
+    # ── Report URL (canonical: result.report_url → top-level route → scan_id fallback) ──
+    report_url = (
+        result.get("report_url")
+        or payload.get("route")
+    )
+    if not report_url:
+        scan_id = result.get("scan_id") or payload.get("scan_id") or ""
+        if scan_id:
+            report_url = f"/analyze/report_view?scan_id={scan_id}&origin=extension"
+
+    if report_url:
+        base = client.api_url
+        full_url = report_url if report_url.startswith("http") else f"{base}{report_url}"
+        print(f"\nFull report: {full_url}")
+
+        if open_report:
+            import webbrowser
+            webbrowser.open(full_url)
+    else:
+        print("\nNo report URL returned for this scan.")
+
+    # ── CI/CD exit code ──
+    if fail_on != "none":
+        if check_severity_gate(result, fail_on):
+            console.print(f"\n[red]\u274c Issues found at {fail_on.upper()} or above. Failing.[/red]")
+            sys.exit(1)
+
+
+def check_severity_gate(result: dict, threshold: str) -> bool:
+    """Return True if any finding meets or exceeds threshold severity."""
+    threshold_level = SEVERITY_ORDER.get(threshold, 3)
+
+    # Try report_contract first
+    contract = result.get("report_contract", {})
+    if contract:
+        for sev in SEVERITY_ORDER:
+            if SEVERITY_ORDER[sev] <= threshold_level:
+                count = int(contract.get(f"{sev}_count", 0) or 0)
+                if count > 0:
+                    return True
+        return False
+
+    # Fallback: check raw findings
+    findings = result.get("findings", result.get("results", []))
+    for f in findings:
+        sev = str(f.get("severity", "")).lower()
+        if SEVERITY_ORDER.get(sev, 99) <= threshold_level:
+            return True
+    return False

shieldops_cli/commands/autofix.py

@@ -0,0 +1,64 @@
+"""shieldops autofix — AI-powered Dockerfile auto-fix."""
+import sys
+import click
+from pathlib import Path
+from rich.console import Console
+
+from shieldops_cli.api_client import ShieldOpsClient, ApiError
+from shieldops_cli.formatters import format_result
+
+console = Console()
+
+
+@click.command()
+@click.argument("file", type=click.Path(exists=True))
+@click.option("-f", "--format", "fmt", type=click.Choice(["table", "json", "summary"]),
+              default=None, help="Output format.")
+@click.option("-o", "--output", type=click.Path(), default=None,
+              help="Write output to file.")
+@click.option("--apply", is_flag=True, default=False,
+              help="Apply the fix directly to the original file (creates .bak backup).")
+def autofix(file, fmt, output, apply):
+    """Auto-fix a Dockerfile using AI.
+
+    \b
+    Examples:
+      shieldops autofix Dockerfile
+      shieldops autofix Dockerfile --format json -o fixed.json
+      shieldops autofix Dockerfile --apply
+    """
+    path = Path(file)
+    content = path.read_text(encoding="utf-8")
+
+    client = ShieldOpsClient()
+
+    with console.status("[bold blue]Generating fix...", spinner="dots"):
+        try:
+            payload = client.run_task("autofix", content, path.name)
+        except ApiError as e:
+            console.print(f"[red]Error: {e.message}[/red]")
+            sys.exit(2)
+
+    result = payload.get("result", {})
+    fixed_content = result.get("fixed_content", "")
+
+    if apply and fixed_content:
+        # Create backup
+        backup = path.with_suffix(path.suffix + ".bak")
+        backup.write_text(content, encoding="utf-8")
+        path.write_text(fixed_content, encoding="utf-8")
+        console.print(f"[green]\u2705 Fix applied to {path}. Backup at {backup}[/green]")
+        return
+
+    formatted = format_result("autofix", result, fmt=fmt or "table")
+
+    if output:
+        Path(output).write_text(formatted, encoding="utf-8")
+        console.print(f"[green]\u2705 Report saved to {output}[/green]")
+    else:
+        console.print(formatted)
+
+    report_url = result.get("report_url")
+    if report_url:
+        full_url = report_url if report_url.startswith("http") else f"{client.api_url}{report_url}"
+        print(f"\nFull report: {full_url}")

shieldops_cli/commands/compose_gen.py

@@ -0,0 +1,54 @@
+"""shieldops compose-generate — Generate Docker Compose from Dockerfile."""
+import sys
+import click
+from pathlib import Path
+from rich.console import Console
+
+from shieldops_cli.api_client import ShieldOpsClient, ApiError
+from shieldops_cli.formatters import format_result
+
+console = Console()
+
+
+@click.command("compose-generate")
+@click.argument("file", type=click.Path(exists=True))
+@click.option("-f", "--format", "fmt", type=click.Choice(["table", "json", "summary"]),
+              default=None, help="Output format.")
+@click.option("-o", "--output", type=click.Path(), default=None,
+              help="Write generated compose to file.")
+def compose_generate(file, fmt, output):
+    """Generate a Docker Compose file from a Dockerfile.
+
+    \b
+    Examples:
+      shieldops compose-generate Dockerfile
+      shieldops compose-generate Dockerfile -o docker-compose.yml
+    """
+    path = Path(file)
+    content = path.read_text(encoding="utf-8")
+
+    client = ShieldOpsClient()
+
+    with console.status("[bold blue]Generating Compose file...", spinner="dots"):
+        try:
+            payload = client.run_task("compose_generator", content, path.name)
+        except ApiError as e:
+            console.print(f"[red]Error: {e.message}[/red]")
+            sys.exit(2)
+
+    result = payload.get("result", {})
+    generated = result.get("compose_content", "")
+
+    if output and generated:
+        Path(output).write_text(generated, encoding="utf-8")
+        console.print(f"[green]\u2705 Compose file saved to {output}[/green]")
+    elif output:
+        formatted = format_result("compose_generator", result, fmt=fmt or "json")
+        Path(output).write_text(formatted, encoding="utf-8")
+        console.print(f"[green]\u2705 Output saved to {output}[/green]")
+    else:
+        if generated:
+            console.print(generated)
+        else:
+            formatted = format_result("compose_generator", result, fmt=fmt or "table")
+            console.print(formatted)

shieldops_cli/commands/compose_scan.py

@@ -0,0 +1,55 @@
+"""shieldops compose-scan — Docker Compose file scanner."""
+import sys
+import click
+from pathlib import Path
+from rich.console import Console
+
+from shieldops_cli.api_client import ShieldOpsClient, ApiError
+from shieldops_cli.formatters import format_result
+
+console = Console()
+
+
+@click.command("compose-scan")
+@click.argument("file", type=click.Path(exists=True))
+@click.option("-f", "--format", "fmt", type=click.Choice(["table", "json", "sarif", "summary"]),
+              default=None, help="Output format.")
+@click.option("-o", "--output", type=click.Path(), default=None,
+              help="Write output to file.")
+@click.option("--fail-on", type=click.Choice(["critical", "high", "medium", "low", "none"]),
+              default="none", help="Exit with code 1 if issues >= severity.")
+def compose_scan(file, fmt, output, fail_on):
+    """Scan a Docker Compose file for security and configuration issues.
+
+    \b
+    Examples:
+      shieldops compose-scan docker-compose.yml
+      shieldops compose-scan docker-compose.yml --format json
+      shieldops compose-scan docker-compose.yml --fail-on high
+    """
+    path = Path(file)
+    content = path.read_text(encoding="utf-8")
+
+    client = ShieldOpsClient()
+
+    with console.status("[bold blue]Scanning Compose file...", spinner="dots"):
+        try:
+            payload = client.run_task("compose", content, path.name)
+        except ApiError as e:
+            console.print(f"[red]Error: {e.message}[/red]")
+            sys.exit(2)
+
+    result = payload.get("result", {})
+    formatted = format_result("compose", result, fmt=fmt or "table")
+
+    if output:
+        Path(output).write_text(formatted, encoding="utf-8")
+        console.print(f"[green]\u2705 Report saved to {output}[/green]")
+    else:
+        console.print(formatted)
+
+    if fail_on != "none":
+        from shieldops_cli.commands.analyze import check_severity_gate
+        if check_severity_gate(result, fail_on):
+            console.print(f"\n[red]\u274c Issues at {fail_on.upper()} or above. Failing.[/red]")
+            sys.exit(1)

shieldops_cli/commands/config_cmd.py

@@ -0,0 +1,46 @@
+"""shieldops config — manage CLI settings."""
+import click
+from rich.console import Console
+from rich.table import Table
+from shieldops_cli import config as cfg
+
+console = Console()
+
+
+@click.group("config")
+def config_group():
+    """View or change CLI configuration."""
+    pass
+
+
+@config_group.command("list")
+def config_list():
+    """Show all configuration values."""
+    data = cfg.load()
+    table = Table(title="ShieldOps CLI Configuration")
+    table.add_column("Key", style="bold")
+    table.add_column("Value")
+    for k, v in sorted(data.items()):
+        display = "***" if k == "api_key" and v else str(v)
+        table.add_row(k, display)
+    console.print(table)
+
+
+@config_group.command("set")
+@click.argument("key")
+@click.argument("value")
+def config_set(key, value):
+    """Set a configuration value. E.g.: shieldops config set default_format json"""
+    cfg.set_key(key, value)
+    console.print(f"[green]\u2705 {key} = {value}[/green]")
+
+
+@config_group.command("get")
+@click.argument("key")
+def config_get(key):
+    """Get a configuration value."""
+    val = cfg.get(key)
+    if val is None:
+        console.print(f"[yellow]Key '{key}' not found.[/yellow]")
+    else:
+        console.print(str(val))

shieldops_cli/commands/k8s_scan.py

@@ -0,0 +1,68 @@
+"""shieldops k8s-scan — Kubernetes manifest scanner."""
+import sys
+import click
+from pathlib import Path
+from rich.console import Console
+
+from shieldops_cli.api_client import ShieldOpsClient, ApiError
+from shieldops_cli.formatters import format_result
+
+console = Console()
+
+
+@click.command("k8s-scan")
+@click.argument("file", type=click.Path(exists=True))
+@click.option("-f", "--format", "fmt", type=click.Choice(["table", "json", "sarif", "summary"]),
+              default=None, help="Output format.")
+@click.option("-o", "--output", type=click.Path(), default=None,
+              help="Write output to file.")
+@click.option("--open-report", is_flag=True, default=False,
+              help="Open the full report in browser.")
+@click.option("--fail-on", type=click.Choice(["critical", "high", "medium", "low", "none"]),
+              default="none", help="Exit with code 1 if issues >= severity.")
+def k8s_scan(file, fmt, output, open_report, fail_on):
+    """Scan a Kubernetes manifest (YAML) for misconfigurations.
+
+    \b
+    Examples:
+      shieldops k8s-scan deployment.yaml
+      shieldops k8s-scan k8s/ --format sarif --output k8s-report.sarif
+      shieldops k8s-scan pod.yaml --fail-on high
+    """
+    path = Path(file)
+    content = path.read_text(encoding="utf-8")
+
+    client = ShieldOpsClient()
+
+    with console.status("[bold blue]Scanning Kubernetes manifest...", spinner="dots"):
+        try:
+            payload = client.run_task("k8s", content, path.name)
+        except ApiError as e:
+            console.print(f"[red]Error: {e.message}[/red]")
+            sys.exit(2)
+
+    result = payload.get("result", {})
+    formatted = format_result("k8s", result, fmt=fmt or "table")
+
+    if output:
+        Path(output).write_text(formatted, encoding="utf-8")
+        console.print(f"[green]\u2705 Report saved to {output}[/green]")
+    else:
+        console.print(formatted)
+
+    report_url = result.get("report_url")
+    if report_url:
+        base = client.api_url
+        full_url = report_url if report_url.startswith("http") else f"{base}{report_url}"
+        print(f"\nFull report: {full_url}")
+
+    if open_report and report_url:
+        import webbrowser
+        full_url = report_url if report_url.startswith("http") else f"{client.api_url}{report_url}"
+        webbrowser.open(full_url)
+
+    if fail_on != "none":
+        from shieldops_cli.commands.analyze import check_severity_gate
+        if check_severity_gate(result, fail_on):
+            console.print(f"\n[red]\u274c Issues at {fail_on.upper()} or above. Failing.[/red]")
+            sys.exit(1)

shieldops_cli/commands/sbom.py

@@ -0,0 +1,46 @@
+"""shieldops sbom — Generate Software Bill of Materials."""
+import sys
+import click
+from pathlib import Path
+from rich.console import Console
+
+from shieldops_cli.api_client import ShieldOpsClient, ApiError
+from shieldops_cli.formatters import format_result
+
+console = Console()
+
+
+@click.command()
+@click.argument("file", type=click.Path(exists=True))
+@click.option("-f", "--format", "fmt", type=click.Choice(["table", "json", "summary"]),
+              default=None, help="Output format.")
+@click.option("-o", "--output", type=click.Path(), default=None,
+              help="Write output to file.")
+def sbom(file, fmt, output):
+    """Generate SBOM (Software Bill of Materials) from a Dockerfile or dependency file.
+
+    \b
+    Examples:
+      shieldops sbom Dockerfile
+      shieldops sbom requirements.txt -f json -o sbom.json
+    """
+    path = Path(file)
+    content = path.read_text(encoding="utf-8")
+
+    client = ShieldOpsClient()
+
+    with console.status("[bold blue]Generating SBOM...", spinner="dots"):
+        try:
+            payload = client.run_task("sbom", content, path.name)
+        except ApiError as e:
+            console.print(f"[red]Error: {e.message}[/red]")
+            sys.exit(2)
+
+    result = payload.get("result", {})
+    formatted = format_result("sbom", result, fmt=fmt or "table")
+
+    if output:
+        Path(output).write_text(formatted, encoding="utf-8")
+        console.print(f"[green]\u2705 SBOM saved to {output}[/green]")
+    else:
+        console.print(formatted)