Feature/intercom token detection

.github/workflows/release.yml

@@ -0,0 +1,77 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest, windows-latest]
+        goarch: [amd64, arm64]
+        goos: [linux, darwin, windows]
+        exclude:
+          - goos: windows
+            goarch: arm64
+          - goos: darwin
+            goarch: arm64
+            os: ubuntu-latest
+          - goos: linux
+            goarch: arm64
+            os: macos-latest
+          - goos: darwin
+            goarch: amd64
+            os: ubuntu-latest
+          - goos: linux
+            goarch: amd64
+            os: macos-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: 'go.mod'
+          with-cache: true
+
+      - name: Build
+        run: |
+          EXT=''
+          if [ "${{ matrix.goos }}" = "windows" ]; then
+            EXT='.exe'
+          fi
+          go build -o secure-push${EXT} ./cmd/secure-push
+
+      - name: Upload Artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: secure-push-${{ matrix.goos }}-${{ matrix.goarch }}
+          path: secure-push${{ matrix.goos === 'windows' && '.exe' || '' }}
+
+  release:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@v4
+        with:
+          path: artifacts
+
+      - name: Create Release
+        uses: softprops/action-gh-release@v2
+        with:
+          files: |
+            artifacts/secure-push-linux-amd64/secure-push
+            artifacts/secure-push-darwin-amd64/secure-push
+            artifacts/secure-push-windows-amd64/secure-push.exe
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/scanner.yml

@@ -0,0 +1,28 @@
+name: Security Scanner
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+jobs:
+  scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+
+      - name: Run Secure Push Scanner
+        uses: secure-push/secure-push-action@v1
+        with:
+          path: '.'
+          output: 'sarif'
+          sarif_file: 'results.sarif'
+
+      - name: Upload SARIF to GitHub Code Scanning
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: 'results.sarif'
+          category: 'secure-push'

.golangci.yml

@@ -64,6 +64,9 @@ linters:
     - unused
     - varcheck
     - whitespace
+    - wsl
+    - wrapcheck
+    - zerologlint
 
 issues:
   exclude-rules:

CHANGELOG.md

@@ -27,7 +27,32 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - GitHub Actions CI workflow
 - golangci-lint configuration
 - Makefile with testing and building targets
+- Slack token detector (xoxb, xoxa, xoxp, xoxr, xoxs)
+- Discord webhook URL detector
+- Telegram bot token detector
+- Azure Key Vault detector
+- Personal access token detector
+- Hardcoded password pattern detection
+- Connection string pattern detection
+- API key header pattern detection
+- Authorization header pattern detection
+- Webhook URL pattern detection
+- .envrc file detection
+- .env.sample file detection
+- SARIF output format reporter for CI/CD integration
+- Homebrew tap formula for installation
+- VS Code extension manifest
 
 ### Changed
 - Improved env.go with additional .env patterns and edge cases
 - Enhanced scanner with config integration
+- Updated main.go to support sarif output format
+- Added GitHub Actions release workflow
+
+### Fixed
+- Fixed .env.* file detection in config detector
+- Fixed duplicate test cases in env_test.go
+- Fixed integration test for multiple detectors
+
+### Security
+- Added comprehensive test coverage for all detectors

Formula/secure-push.rb

@@ -0,0 +1,41 @@
+# typed: false
+# frozen_string_literal: true
+
+class SecurePush < Formula
+  desc "Security scanner for your codebase"
+  homepage "https://github.com/secure-push/secure-push"
+  version "0.1.0"
+  license "MIT"
+
+  depends_on "go" => :build
+
+  on_macos do
+    on_intel do
+      url "https://github.com/secure-push/secure-push/releases/download/v0.1.0/secure-push_0.1.0_darwin_amd64.tar.gz"
+      sha256 "PLACEHOLDER"
+    end
+    on_arm do
+      url "https://github.com/secure-push/secure-push/releases/download/v0.1.0/secure-push_0.1.0_darwin_arm64.tar.gz"
+      sha256 "PLACEHOLDER"
+    end
+  end
+
+  on_linux do
+    on_intel do
+      url "https://github.com/secure-push/secure-push/releases/download/v0.1.0/secure-push_0.1.0_linux_amd64.tar.gz"
+      sha256 "PLACEHOLDER"
+    end
+    on_arm do
+      url "https://github.com/secure-push/secure-push/releases/download/v0.1.0/secure-push_0.1.0_linux_arm64.tar.gz"
+      sha256 "PLACEHOLDER"
+    end
+  end
+
+  def install
+    bin.install "secure-push"
+  end
+
+  test do
+    assert_match "secure-push version", shell_output("#{bin}/secure-push version")
+  end
+end

cmd/secure-push/main.go

@@ -7,11 +7,11 @@
 	"os/exec"
 	"strings"
 
 	"secure-push/internal/config"
 	"secure-push/internal/detectors"
 	"secure-push/internal/logger"
 	"secure-push/internal/reporters"
 	"secure-push/internal/scanner"
 )
 
 func main() {
@@ -53,7 +53,7 @@
 	fmt.Fprintln(os.Stderr, "  -config string")
 	fmt.Fprintln(os.Stderr, "        Path to configuration file")
 	fmt.Fprintln(os.Stderr, "  -output string")
-	fmt.Fprintln(os.Stderr, "        Output format: console, json, github (default \"console\")")
+	fmt.Fprintln(os.Stderr, "        Output format: console, json, github, sarif, csv (default \"console\")")
 	fmt.Fprintln(os.Stderr, "  -verbose")
 	fmt.Fprintln(os.Stderr, "        Enable verbose logging")
 }
@@ -63,7 +63,7 @@
 	configPath := scanFlags.String("config", "", "Path to configuration file")
 	outputFormat := scanFlags.String("output", "console", "Output format: console, json, github")
 	verbose := scanFlags.Bool("verbose", false, "Enable verbose logging")
 	scanFlags.Parse(args)
 
 	remainingArgs := scanFlags.Args()
 	if len(remainingArgs) == 0 {
@@ -108,6 +108,8 @@
 		reporter = &reporters.JSONReporter{}
 	case "github":
 		reporter = &reporters.GitHubReporter{}
+	case "sarif":
+		reporter = &reporters.SARIFReporter{}
 	case "csv":
 		reporter = reporters.NewCSVReporter("findings.csv")
 	default:

docs/configuration.md

@@ -112,6 +112,19 @@ disable_detectors:
   - CONFIG_FILE
 ```
 
+### output_format
+
+Output format for scan results.
+
+- `console` - Human-readable console output (default)
+- `json` - JSON format for programmatic processing
+- `csv` - CSV format for spreadsheet import
+- `sarif` - SARIF format for CI/CD integration
+
+```yaml
+output_format: sarif
+```
+
 ## Environment Variables
 
 | Variable | Description | Default |

docs/detectors.md

@@ -18,13 +18,44 @@ type Detector interface {
 
 | Detector | Severity | Description |
 |----------|----------|-------------|
-| ENV_FILE | CRITICAL | Detects committed `.env` files |
+| ENV_FILE | CRITICAL | Detects committed `.env` files and `.envrc` files |
 | AWS_SECRET_KEY | CRITICAL | Detects AWS secret keys |
 | GENERIC_API_KEY | HIGH | Detects generic API keys |
 | HARDCODED_PASSWORD | CRITICAL | Detects hardcoded passwords |
 | AUTH_CREDENTIALS | CRITICAL | Detects various auth credentials (GitHub tokens, SSH keys, etc.) |
 | CONFIG_FILE | HIGH | Detects config files that may contain sensitive data |
 
+### Auth Credentials Detector
+
+The `AUTH_CREDENTIALS` detector identifies various authentication tokens and credentials:
+
+- **AWS Access Keys**: `AKIAIOSFODNN7EXAMPLE`
+- **GitHub Tokens**: `ghp_...`, `gho_...`, `ghu_...`, `ghs_...`, `ghr_...`
+- **GitLab Tokens**: `glpat-...`
+- **Google API Keys**: `AIza...`
+- **Slack Tokens**: `xoxb-...`, `xoxa-...`, `xoxp-...`, `xoxr-...`, `xoxs-...`
+- **Discord Webhooks**: `https://discord.com/api/webhooks/...`
+- **Telegram Bot Tokens**: `1234567890:...`
+- **Azure Key Vault**: `-----BEGIN AZURE KEY VAULT-----`
+- **Personal Access Tokens**: Various formats
+- **SSH/PGP Keys**: Private key headers
+- **JWT Tokens**: JSON Web Tokens
+- **Bearer Tokens**: Authorization headers
+- **Basic Auth**: Base64 encoded credentials
+
+### Secrets Detector
+
+The `SECRETS` detector identifies:
+
+- **Passwords**: `password = '...'`, `passwd = '...'`, `pwd = '...'`
+- **API Keys**: `api_key = '...'`, `apikey = '...'`
+- **Tokens**: `token = '...'`, `access_token = '...'`
+- **Secrets**: `secret = '...'`, `client_secret = '...'`
+- **Database URLs**: `postgres://...`, `mysql://...`, `mongodb://...`, `redis://...`, `mssql://...`, `oracle://...`
+- **Connection Strings**: `server = '...'`, `data source = '...'`
+- **High Entropy Strings**: Base64-like strings that may be secrets
+- **Webhooks**: `webhook = 'https://...'`
+
 ## Creating a Custom Detector
 
 1. Create a new file in `internal/detectors/`

docs/reporters.md

@@ -20,6 +20,7 @@ type Reporter interface {
 | JSON | Machine-readable JSON | CI/CD pipelines |
 | GitHub | GitHub Actions annotation format | GitHub Actions |
 | CSV | Comma-separated values | Data analysis, spreadsheets |
+| SARIF | Static Analysis Results Interchange Format | CI/CD, GitHub Code Scanning, IDEs |
 
 ## Creating a Custom Reporter
 
@@ -119,3 +120,57 @@ func (r *CSVReporter) Report(findings []detectors.Finding) error {
 ```csv
 Rule,Severity,File,Line,Message
 ENV_FILE,CRITICAL,.env,1,.env file should not be committed
+```
+
+### SARIF Output
+
+```json
+{
+  "version": "2.1.0",
+  "runs": [
+    {
+      "tool": {
+        "driver": {
+          "name": "Secure Push",
+          "version": "0.1.0",
+          "rules": [
+            {
+              "id": "ENV_FILE",
+              "shortDescription": {
+                "text": "ENV_FILE security issue detected"
+              },
+              "defaultConfiguration": {
+                "level": "error"
+              }
+            }
+          ]
+        }
+      },
+      "results": [
+        {
+          "ruleId": "ENV_FILE",
+          "message": {
+            "text": ".env file should not be committed"
+          },
+          "locations": [
+            {
+              "id": 1,
+              "uri": ".env",
+              "properties": {
+                "line": 1
+              }
+            }
+          ]
+        }
+      ]
+    }
+  ]
+}
+```
+
+SARIF is the industry standard format for static analysis tools. It's supported by:
+- GitHub Code Scanning
+- Azure DevOps
+- GitLab
+- VS Code
+- Many other CI/CD and IDE tools