UNPKG

carrot-scan

Version:

Command-line tool for detecting vulnerabilities in files and directories.

github.com/SonoTommy/carrot-scan

SonoTommy/carrot-scan

232 lines (166 loc) 7 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
# carrot-scan <p align="center"> <img src="https://raw.githubusercontent.com/SonoTommy/carrot-scan/refs/heads/main/img/logo.svg" width="200" height="179" alt=""> <br><strong>Command-line tool for detecting vulnerabilities in files and directories.</strong> <br><a href="https://github.com/SonoTommy/carrot-scan">GitHub Repository</a> </p> [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://raw.githubusercontent.com/SonoTommy/carrot-scan/refs/heads/main/LICENSE) [![GitHub issues](https://img.shields.io/github/issues/SonoTommy/carrot-scan.svg)](https://github.com/SonoTommy/carrot-scan/issues) [![GitHub stars](https://img.shields.io/github/stars/SonoTommy/carrot-scan.svg?style=social&label=Stars)](https://github.com/SonoTommy/carrot-scan/stargazers) [![Downloads](https://img.shields.io/npm/dt/carrot-scan.svg)](https://www.npmjs.com/package/carrot-scan) A **fast**, **extensible**, and **plugin-driven** code scanner for JavaScript, TypeScript, and any other file in your project. It evaluates code quality, complexity, security vulnerabilities, and more, producing a **single aggregated score** (0–100) and actionable feedback. ## Table of Contents - [Features](#features) - [Installation](#installation) - [Usage](#usage) - [Plugin Management](#plugin-management) - [API](#api) - [Plugin Development](#plugin-development) - [Configuration](#configuration) - [Contributing](#contributing) - [Support](#support) - [License](#license) ## Features - 🧠 **AI-powered scanning**: Uses a lightweight, local AI model to detect potentially malicious code. - Datenbank für Exploits **Exploit-DB-Integration**: Sucht in der OSV-Datenbank nach bekannten Schwachstellen in Ihren Abhängigkeiten. - 🛡️ **Critical patterns**: Immediately fails on destructive or remote‐execution hooks (`rm -rf`, `include()`, `eval()`, etc.). - 📏 **ESLint integration**: Runs ESLint (v9+) with recommended rules on JS/TS files. - 🔢 **Cyclomatic complexity**: Uses `typhonjs-escomplex` to penalize high-complexity code. - 🔍 **AST-based security**: Leverages `@nodesecure/js-x-ray` to detect injection patterns. - 🌐 **Multi-language rules**: Integrates Semgrep OWASP Top Ten rules for 35+ languages. - 🔎 **Heuristic scanning**: Regex-based patterns for generic vulnerabilities across all file types. - 🛠️ **Dependency audit**: Runs `npm audit` and scores known CVEs. - ⚙️ **Plugin architecture**: Easily add or remove checks by dropping in plugins under `plugins/`. - 🐳 **Dockerfile scanning**: Checks for common misconfigurations in `Dockerfile`. ## Recent Improvements - **Enhanced CLI**: Added a new `outdated` command to check for outdated dependencies. - **New Plugin**: Added a new `dockerfile` plugin to check for common misconfigurations in `Dockerfile`. - **Performance Boost**: Parallelized plugin execution and implemented file content caching to improve performance. - **CI/CD Pipeline**: Implemented a GitHub Actions workflow to automatically test and lint the code. - **Code Refactoring**: Refactored the code for better maintainability and readability. ## Installation Install globally via npm: ```bash npm install -g carrot-scan ``` During development: ```bash git clone https://github.com/SonoTommy/carrot-scan.git cd carrot-scan npm install npm link ``` ## Usage ```bash carrot-scan [options] <target> ``` - `<target>`: File or directory to scan (defaults to current folder). - `-f, --fast` : Quick scan (ESLint + heuristics only). - `-c, --complete` : Full scan (all checks). - `-j, --json` : Output machine-readable JSON. - `-v, --version` : Show the installed version of carrot-scan. - `--verbose`: Output detailed logs during scanning. ### Examples ```bash # Fast lint + heuristics on current folder carrot-scan -f # Full scan on src/ directory carrot-scan src/ -c # JSON output for CI pipelines carrot-scan . -c --json > report.json ``` ### Supply-Chain (SBOM) Generation Generate a Software Bill of Materials (SBOM) with embedded vulnerability information from the OSV public API. Supports CycloneDX XML and SARIF formats. ```bash # Generate CycloneDX SBOM for the current directory (default) carrot-scan sbom . # Generate SARIF output instead of XML carrot-scan sbom . --sarif ``` ### Doctor Command Check for potential issues with your `carrot-scan` setup. ```bash carrot-scan doctor ``` ### Outdated Command Check for outdated dependencies. ```bash carrot-scan outdated ``` ## Plugin Management `carrot-scan` provides commands to manage its plugins: - `list`: List all available plugins. - `enable <plugin-name>`: Enable a plugin. - `disable <plugin-name>`: Disable a plugin. - `create <plugin-name>`: Create a new plugin from a template. ## API ### Programmatic Usage Use `carrot-scan` programmatically in your own projects. ```js import { scan } from 'carrot-scan'; (async () => { const result = await scan('src/', { mode: 'complete' }); console.log(result); })(); ``` ### REST API The REST API allows you to run scans via HTTP. - **POST /scan**: Run a scan. - **Body**: `{ "target": "./src", "mode": "fast" }` - **GET /scan/stream**: Get real-time scan results using Server-Sent Events. - **Query Params**: `target`, `mode` For more details, see the [OpenAPI specification](.github/openapi.yaml). ## Plugin Development Plugins are the core of `carrot-scan`. To create a new plugin, run: ```bash carrot-scan plugin create my-plugin ``` This will generate a new plugin file in the `plugins/` directory. A plugin is a class that extends `Plugin` and implements two methods: - `applies(file: string)`: A static method that returns `true` if the plugin should be run on the given file. - `run(file: string, context: object)`: An async method that performs the scan and returns an array of issues. See the existing plugins for examples. ## Configuration Create a `carrot-scan.config.js` file in your project root to customize `carrot-scan`. ```js // carrot-scan.config.js export default { weights: { eslint: 1.5, xray: 10, }, thresholds: { complexity: 12, }, plugins: { semgrep: { enabled: false }, }, }; ``` ## Contributing Contributions are welcome! Please open an issue or submit a pull request. ### Development To get started with development: 1. Clone the repository: ```bash git clone https://github.com/SonoTommy/carrot-scan.git ``` 2. Install dependencies: ```bash cd carrot-scan npm install ``` 3. Link the package to use the `carrot-scan` command globally: ```bash npm link ``` ### Pull Requests When submitting a pull request, please make sure to: - Follow the existing code style. - Add tests for your changes. - Update the documentation if necessary. - Run `npm test` and `npm run lint` before submitting. ## Support If you find `carrot-scan` useful, please consider [supporting the project](https://ko-fi.com/sonotommy). ## License [MIT](LICENSE)