synchronizer-cli/security-scan.sh at main · multisynq/synchronizer-cli · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
#!/bin/bash

# security-scan.sh
#
# Description: Comprehensive security vulnerability scanner for the synchronizer-cli project
# Purpose: Detect potential secrets, API keys, passwords, and other sensitive data before publishing
#
# Usage: ./security-scan.sh
#
# Features:
# - Scans only files that will be published (index.js, README.md, package.json)
# - Detects multiple patterns: API keys, tokens, passwords, AWS credentials, JWT tokens
# - Whitelist mechanism for known safe patterns
# - Color-coded output for easy identification
# - Returns non-zero exit code if issues found
#
# Exit codes:
# - 0: No security issues found
# - 1: Potential sensitive data detected

echo "🔒 Running comprehensive security scan..."
echo "========================================"

# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color

# Files to scan (only the ones that will be published)
FILES_TO_SCAN="index.js README.md package.json"

# Extended patterns to search for
declare -a PATTERNS=(
    # API Keys and Tokens
    "api[_-]?key"
    "apikey"
    "access[_-]?token"
    "auth[_-]?token"
    "authentication[_-]?token"
    "private[_-]?key"
    "secret[_-]?key"

    # Credentials
    "password"
    "passwd"
    "pwd"
    "credential"
    "username.*:.*password"

    # AWS
    "aws[_-]?access[_-]?key"
    "aws[_-]?secret"
    "AKIA[0-9A-Z]{16}"

    # URLs with embedded credentials
    "https?://[^:]+:[^@]+@"

    # Private keys
    "BEGIN.*PRIVATE KEY"
    "BEGIN.*RSA.*KEY"

    # Environment variables that might contain secrets
    "process\.env\.[A-Z_]*KEY"
    "process\.env\.[A-Z_]*SECRET"
    "process\.env\.[A-Z_]*TOKEN"

    # Base64 encoded secrets (common patterns)
    "ey[A-Za-z0-9+/]{20,}={0,2}"

    # Hex encoded secrets (32+ chars)
    "[0-9a-fA-F]{32,}"

    # JWT tokens
    "eyJ[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+\.[A-Za-z0-9-_]+"
)

# Whitelist patterns (things we know are safe)
declare -a WHITELIST=(
    "crypto.randomBytes"
    "config.secret"
    "generateSyncHash"
    "sha256"
)

echo "Scanning files: $FILES_TO_SCAN"
echo ""

FOUND_ISSUES=0

for file in $FILES_TO_SCAN; do
    if [ -f "$file" ]; then
        echo "Scanning $file..."

        for pattern in "${PATTERNS[@]}"; do
            # Use grep with case-insensitive search
            matches=$(grep -inE "$pattern" "$file" 2>/dev/null || true)

            if [ ! -z "$matches" ]; then
                # Check if match is whitelisted
                is_whitelisted=false
                while IFS= read -r line; do
                    for whitelist in "${WHITELIST[@]}"; do
                        if echo "$line" | grep -q "$whitelist"; then
                            is_whitelisted=true
                            break
                        fi
                    done

                    if [ "$is_whitelisted" = false ]; then
                        echo -e "${YELLOW}  ⚠️  Potential sensitive data (pattern: $pattern):${NC}"
                        echo "     $line"
                        FOUND_ISSUES=$((FOUND_ISSUES + 1))
                    fi
                done <<< "$matches"
            fi
        done

        # Special check for long strings that might be keys
        long_strings=$(grep -E "['\"][a-zA-Z0-9+/=-]{40,}['\"]" "$file" 2>/dev/null || true)
        if [ ! -z "$long_strings" ]; then
            echo -e "${YELLOW}  ⚠️  Found long strings that might be keys:${NC}"
            echo "$long_strings" | head -5
        fi

        echo -e "${GREEN}  ✓ Completed scanning $file${NC}"
        echo ""
    fi
done

# Check for common secret files that shouldn't exist
echo "Checking for secret files that shouldn't be present..."
SECRET_FILES=(".env" ".env.local" ".env.production" "config.json" "secrets.json" "credentials.json" ".npmrc")

for secret_file in "${SECRET_FILES[@]}"; do
    if [ -f "$secret_file" ]; then
        echo -e "${RED}  ❌ Found potentially sensitive file: $secret_file${NC}"
        FOUND_ISSUES=$((FOUND_ISSUES + 1))
    fi
done

echo ""
echo "========================================"
if [ $FOUND_ISSUES -eq 0 ]; then
    echo -e "${GREEN}✅ Security scan complete. No issues found!${NC}"
else
    echo -e "${RED}❌ Security scan found $FOUND_ISSUES potential issues. Please review above.${NC}"
    exit 1
fi