Feature/security scanner enhancements

cmd/secure-push/main.go

@@ -4,29 +4,75 @@
 	"flag"
 	"fmt"
 	"os"
+	"os/exec"
+	"strings"
 
 	"secure-push/internal/config"
 	"secure-push/internal/detectors"
 	"secure-push/internal/logger"
 	"secure-push/internal/reporters"
 	"secure-push/internal/scanner"
 )
 
 func main() {
-	configPath := flag.String("config", "", "Path to configuration file")
-	outputFormat := flag.String("output", "console", "Output format: console, json, github")
-	verbose := flag.Bool("verbose", false, "Enable verbose logging")
-	flag.Parse()
-
-	args := flag.Args()
-	if len(args) == 0 {
-		fmt.Fprintln(os.Stderr, "Usage: secure-push [options] <path>")
-		fmt.Fprintln(os.Stderr, "Options:")
-		flag.PrintDefaults()
+	if len(os.Args) < 2 {
+		printUsage()
 		os.Exit(1)
 	}
 
-	path := args[0]
+	subcommand := os.Args[1]
+
+	switch subcommand {
+	case "scan":
+		runScan(os.Args[2:])
+	case "pre-commit":
+		runPreCommit()
+	case "install":
+		runInstall()
+	case "version":
+		fmt.Println("secure-push version 0.1.0")
+	case "help", "-h", "--help":
+		printUsage()
+	default:
+		// Treat as scan with path argument
+		runScan(os.Args[1:])
+	}
+}
+
+func printUsage() {
+	fmt.Fprintln(os.Stderr, "Secure Push - Security scanner for your codebase")
+	fmt.Fprintln(os.Stderr, "")
+	fmt.Fprintln(os.Stderr, "Usage:")
+	fmt.Fprintln(os.Stderr, "  secure-push scan [options] <path>     Scan a directory for security issues")
+	fmt.Fprintln(os.Stderr, "  secure-push pre-commit              Run in pre-commit mode")
+	fmt.Fprintln(os.Stderr, "  secure-push install                 Install pre-commit hook")
+	fmt.Fprintln(os.Stderr, "  secure-push version                 Show version")
+	fmt.Fprintln(os.Stderr, "  secure-push help                    Show help")
+	fmt.Fprintln(os.Stderr, "")
+	fmt.Fprintln(os.Stderr, "Options:")
+	fmt.Fprintln(os.Stderr, "  -config string")
+	fmt.Fprintln(os.Stderr, "        Path to configuration file")
+	fmt.Fprintln(os.Stderr, "  -output string")
+	fmt.Fprintln(os.Stderr, "        Output format: console, json, github (default \"console\")")
+	fmt.Fprintln(os.Stderr, "  -verbose")
+	fmt.Fprintln(os.Stderr, "        Enable verbose logging")
+}
+
+func runScan(args []string) {
+	scanFlags := flag.NewFlagSet("scan", flag.ExitOnError)
+	configPath := scanFlags.String("config", "", "Path to configuration file")
+	outputFormat := scanFlags.String("output", "console", "Output format: console, json, github")
+	verbose := scanFlags.Bool("verbose", false, "Enable verbose logging")
+	scanFlags.Parse(args)
+
+	remainingArgs := scanFlags.Args()
+	if len(remainingArgs) == 0 {
+		fmt.Fprintln(os.Stderr, "Error: path argument required")
+		printUsage()
+		os.Exit(1)
+	}
+
+	path := remainingArgs[0]
 
 	logLevel := logger.Info
 	if *verbose {
@@ -62,6 +108,8 @@
 		reporter = &reporters.JSONReporter{}
 	case "github":
 		reporter = &reporters.GitHubReporter{}
+	case "csv":
+		reporter = reporters.NewCSVReporter("findings.csv")
 	default:
 		reporter = &reporters.ConsoleReporter{}
 	}
@@ -71,3 +119,100 @@
 		os.Exit(1)
 	}
 }
+
+func runPreCommit() {
+	log := logger.New(logger.Info)
+
+	// Get staged files from git
+	files, err := getStagedFiles()
+	if err != nil {
+		log.Error("Failed to get staged files: %v", err)
+		os.Exit(1)
+	}
+
+	if len(files) == 0 {
+		log.Info("No staged files to scan")
+		return
+	}
+
+	cfg, err := config.Load("")
+	if err != nil {
+		log.Error("Failed to load config: %v", err)
+		os.Exit(1)
+	}
+
+	detectorList := []detectors.Detector{
+		&detectors.EnvDetector{},
+		&detectors.SecretsDetector{},
+		&detectors.AuthDetector{},
+		&detectors.ConfigDetector{},
+	}
+
+	s := scanner.New(detectorList, cfg, log)
+
+	var allFindings []detectors.Finding
+	for _, file := range files {
+		findings, err := s.ScanFile(file)
+		if err != nil {
+			log.Error("Error scanning file %s: %v", file, err)
+			continue
+		}
+		allFindings = append(allFindings, findings...)
+	}
+
+	if len(allFindings) > 0 {
+		fmt.Fprintln(os.Stderr, "🚫 Commit blocked by Secure Push")
+		fmt.Fprintln(os.Stderr, "")
+		for _, f := range allFindings {
+			fmt.Fprintf(os.Stderr, "%s [%s] %s:%d\n", f.Rule, f.Severity, f.File, f.Line)
+			fmt.Fprintf(os.Stderr, "   %s\n", f.Message)
+		}
+		os.Exit(1)
+	}
+
+	fmt.Println("✓ No security issues found in staged files")
+}
+
+func runInstall() {
+	hookPath := ".git/hooks/pre-commit"
+
+	// Check if .git directory exists
+	if _, err := os.Stat(".git"); os.IsNotExist(err) {
+		fmt.Fprintln(os.Stderr, "Error: not a git repository")
+		os.Exit(1)
+	}
+
+	// Create hooks directory if it doesn't exist
+	if err := os.MkdirAll(".git/hooks", 0o755); err != nil {
+		fmt.Fprintf(os.Stderr, "Error creating hooks directory: %v\n", err)
+		os.Exit(1)
+	}
+
+	// Check if hook already exists
+	if _, err := os.Stat(hookPath); err == nil {
+		fmt.Fprintln(os.Stderr, "Warning: pre-commit hook already exists, skipping")
+		return
+	}
+
+	// Create the hook script
+	hookContent := `#!/bin/sh
+# Secure Push pre-commit hook
+secure-push pre-commit
+`
+	if err := os.WriteFile(hookPath, []byte(hookContent), 0o755); err != nil {
+		fmt.Fprintf(os.Stderr, "Error creating pre-commit hook: %v\n", err)
+		os.Exit(1)
+	}
+
+	fmt.Println("✓ Pre-commit hook installed successfully")
+}
+
+func getStagedFiles() ([]string, error) {
+	cmd := exec.Command("git", "diff", "--cached", "--name-only")
+	out, err := cmd.Output()
+	if err != nil {
+		return nil, err
+	}
+	files := strings.Fields(string(out))
+	return files, nil
+}

docs/configuration.md

@@ -25,6 +25,12 @@ allowlist:
 custom_rules:
   - path: rules/custom-secrets.yaml
     severity: CRITICAL
+
+max_file_size: 10485760
+
+enable_detectors:
+  - ENV_FILE
+  - SECRETS
 ```
 
 ## Configuration Options
@@ -79,6 +85,33 @@ custom_rules:
     severity: CRITICAL
 ```
 
+### max_file_size
+
+Maximum file size in bytes to scan. Files larger than this are skipped.
+
+```yaml
+max_file_size: 10485760  # 10MB
+```
+
+### enable_detectors
+
+List of specific detectors to enable. If set, only these detectors will run.
+
+```yaml
+enable_detectors:
+  - ENV_FILE
+  - SECRETS
+```
+
+### disable_detectors
+
+List of specific detectors to disable.
+
+```yaml
+disable_detectors:
+  - CONFIG_FILE
+```
+
 ## Environment Variables
 
 | Variable | Description | Default |
@@ -93,3 +126,32 @@ custom_rules:
 2. Environment variables
 3. `.secure-push.yaml` config file
 4. Default values
+
+## Common Configuration Patterns
+
+### Minimal Configuration
+
+```yaml
+severity_threshold: HIGH
+ignore_paths:
+  - vendor/
+  - node_modules/
+```
+
+### Development Environment
+
+```yaml
+severity_threshold: MEDIUM
+ignore_rules:
+  - GENERIC_API_KEY
+allowlist:
+  - testdata/
+```
+
+### CI/CD Configuration
+
+```yaml
+severity_threshold: CRITICAL
+ignore_paths:
+  - "**/*.min.js"
+  - "**/*.map"

docs/detectors.md

@@ -22,6 +22,8 @@ type Detector interface {
 | AWS_SECRET_KEY | CRITICAL | Detects AWS secret keys |
 | GENERIC_API_KEY | HIGH | Detects generic API keys |
 | HARDCODED_PASSWORD | CRITICAL | Detects hardcoded passwords |
+| AUTH_CREDENTIALS | CRITICAL | Detects various auth credentials (GitHub tokens, SSH keys, etc.) |
+| CONFIG_FILE | HIGH | Detects config files that may contain sensitive data |
 
 ## Creating a Custom Detector
 
@@ -109,3 +111,10 @@ func TestGenericAPIKeyDetector(t *testing.T) {
     }
 }
 ```
+
+## Detector Best Practices
+
+- Keep patterns specific to reduce false positives
+- Test with real-world code samples
+- Document the patterns used in comments
+- Consider performance for large files

docs/reporters.md

@@ -19,6 +19,7 @@ type Reporter interface {
 | Console | Human-readable terminal output | Local development |
 | JSON | Machine-readable JSON | CI/CD pipelines |
 | GitHub | GitHub Actions annotation format | GitHub Actions |
+| CSV | Comma-separated values | Data analysis, spreadsheets |
 
 ## Creating a Custom Reporter
 
@@ -77,3 +78,44 @@ func (r *CSVReporter) Report(findings []detectors.Finding) error {
     return nil
 }
 ```
+
+## Reporter Output Examples
+
+### Console Output
+
+```
+✗ Found 2 potential security issues:
+
+1. 🔴 [CRITICAL] .env:1
+   Rule: ENV_FILE
+   .env file should not be committed
+```
+
+### JSON Output
+
+```json
+{
+  "total": 2,
+  "findings": [
+    {
+      "severity": "CRITICAL",
+      "rule": "ENV_FILE",
+      "file": ".env",
+      "line": 1,
+      "message": ".env file should not be committed"
+    }
+  ]
+}
+```
+
+### GitHub Output
+
+```
+::error file=.env,line=1,title=ENV_FILE [CRITICAL]::.env file should not be committed
+```
+
+### CSV Output
+
+```csv
+Rule,Severity,File,Line,Message
+ENV_FILE,CRITICAL,.env,1,.env file should not be committed

go.mod

@@ -1,8 +1,5 @@
-module github.com/stephenjarso/secure-push
+module secure-push
 
 go 1.21
 
-require (
-	golang.org/x/sync v0.20.0
-	gopkg.in/yaml.v3 v3.0.1
-)
+require gopkg.in/yaml.v3 v3.0.1

go.sum

@@ -1,5 +1,3 @@
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=