new gitignore functionality

Author: slowcoder360

.vibesafeignore

@@ -0,0 +1,2 @@
+# Ignore specific test files for self-scan
+test-data/config.js 

instructions.md

@@ -4,7 +4,7 @@
 
 **Problem:** Developers ship code quickly but often miss basic security checks (secrets, stale deps, known CVEs).  
 **Solution:** A zero‑config CLI that scans a repo for secrets, outdated packages, and CVEs, then generates an AI‑powered risk report.  
-**MVP Goal:** Enable any developer to run `vibesafe scan` and get a readable security summary—including file paths and line numbers—in under 60 s.
+**MVP Goal:** Enable any developer to run `vibesafe scan` and get a readable security summary—including file paths and line numbers—in under 60 s.
 
 ## 2. Personas & Use Cases
 
@@ -26,119 +26,102 @@
 - Automatic patching (`--fix`)  
 - Remote‑repo scanning  
 - Real‑time IDE plugins  
-- Telemetry collection (opt‑in only)
+- Telemetry collection (opt‑in only)  
 - TODO: Proactively check `.gitignore` for `.env` exclusion patterns
 
 ## 4. Success Metrics
 
-1. **Performance:** Full scan < 60 s on a 100 MB repo  
-2. **Coverage:** Detects ≥ 5 unique issues in standard test repos  
-3. **Adoption:** ≥ 10 installs in first week (npm/pip downloads)  
+1. **Performance:** Full scan < 60 s on a 100 MB repo  
+2. **Coverage:** Detects ≥ 5 unique issues in standard test repos  
+3. **Adoption:** ≥ 10 installs in first week (npm/pip downloads)  
 4. **Reliability:** CI exit code behavior consistent (HIGH → non-zero)
 
 ## 5. Phases & Atomic Tasks
 
-### Phase 1: Setup & CI Integration
+### Phase 1: Setup & CI Integration
 1. **Repo scaffold**  
    - [x] `mkdir vibesafe && cd vibesafe`  
    - [x] Initialize Git + add `.gitignore`, `LICENSE`, `README.md`  
-   - [x] Choose language: TypeScript (commander.js) ~~_or_ Python (argparse)~~  
+   - [x] Choose language: TypeScript (commander.js)  
    - [x] Add basic `vibesafe scan` command stub  
 2. **CI hook**  
    - [x] Write a GitHub Actions workflow that runs `vibesafe scan --high-only`  
    - [x] Ensure exit code propagates  
 
-### Phase 2: Secrets Scanner
+### Phase 2: Secrets Scanner
 1. **Regex & entropy engine**  
-   - [x] Define regex patterns for `.env`, AWS, JWT, SSH keys
-   - [x] Integrate an entropy checker (e.g., Shannon entropy > threshold)
+   - [x] Define regex patterns for `.env`, AWS, JWT, SSH keys  
+   - [x] Integrate an entropy checker (e.g., Shannon entropy > threshold)  
 2. **File traversal**  
-   - [x] Walk directory tree, skip default excludes (`node_modules`, `dist`, lockfiles, tsconfig.json, README.md)
-   - [x] Honor `.vibesafeignore` entries
+   - [x] Walk directory tree, skip default excludes (`node_modules`, `dist`, lockfiles, tsconfig.json, README.md)  
+   - [x] Honor `.vibesafeignore` entries  
 3. **Scoring & output**  
-   - [x] Assign Low/Med/High severity based on pattern + entropy
+   - [x] Assign Low/Med/High severity based on pattern + entropy  
    - [x] Emit JSON record per finding including `file`, `line`, `pattern`, and `severity`  
-   - [x] Added 'Info' severity for secrets in `.env` files (reduces noise)
+   - [x] Added 'Info' severity for secrets in `.env` files (reduces noise)  
 
-### Phase 3: Dependency & CVE Scanner
+### Phase 3: Dependency & CVE Scanner
 1. **Detect package manager**  
    - [x] Inspect files: `package.json`, `yarn.lock`, `requirements.txt`  
 2. **Parse deps**  
-   - [x] Extract name + version pairs  
+   - [x] Extract name + version pairs  
 3. **CVE lookup**  
    - [x] Call OSV.dev or NVD API with each dep  
    - [x] Capture CVE IDs, severity, published date  
 4. **Threshold filtering**  
-   - [x] Mark HIGH if any dep ≥ 7.0 severity  
+   - [x] Mark HIGH if any dep ≥ 7.0 severity  
 
-### Phase 4: AI Risk Report
+### Phase 4: AI Risk Report
 1. **Markdown skeleton**  
-   - [x] Build template:
-     ```md
-     # VibeSafe Report
-
-     ## Summary
-     - Total Issues: 5 (2 High, 2 Medium, 1 Low)
-
-     ## Details
-     | File               | Location   | Issue            | Severity | CVE/Pattern   |
-     | ------------------ | ---------- | ---------------- | -------- | ------------- |
-     | `.env`             | line 10    | AWS Key exposed  | High     | —             |
-     | `config/app.js`    | line 45    | JWT secret       | Medium   | —             |
-     | `package.json`     | line 23    | lodash 4.17      | Medium   | CVE-2024-123  |
-     | `requirements.txt` | line 12    | Django 2.2       | High     | CVE-2023-456  |
-     | `src/utils.ts`     | line 80    | Hardcoded token  | Low      | —             |
-
-     ## Fix Suggestions
-     1. Remove AWS keys from code; use environment variables and a secrets vault.  
-     2. Rotate JWT secret and move to env vars.  
-     3. Upgrade `lodash` to ≥ 4.17.21.  
-     4. Update Django to ≥ 3.2.  
-     5. Replace hardcoded tokens with secure storage.
-     ```
+   - [x] Build template  
 2. **LLM integration**  
-   - [x] Send JSON findings + skeleton to GPT‑4o-mini  
+   - [x] Send JSON findings + skeleton to GPT‑4o‑mini  
    - [x] Parse human‑readable summary & per‑issue suggestions  
    - [x] Merge into final MD  
 
-### Phase 5: CLI UX & Packaging
+### Phase 5: CLI UX & Packaging
 1. **Terminal polish**  
-   - [x] Colorize severities (e.g., red for High)
-   - [x] Add progress spinner during scans
+   - [x] Colorize severities (e.g., red for High)  
+   - [x] Add progress spinner during scans  
 2. **Flags & outputs**  
-   - [x] `--output <file.json>`
-   - [x] `--report <file.md>`
-   - [x] `--high-only` filter
+   - [x] `--output <file.json>`  
+   - [x] `--report <file.md>`  
+   - [x] `--high-only` filter  
 3. **Distribution**  
-   - [x] Set up npm `bin` entry_point
-   - [x] Test on macOS
-
-## 6. Timeline & Ownership
-
-| Week   | Focus                          | Owner        |
-| ------ | ------------------------------ | ------------ |
-| Week 1 | Phase 1 scaffold + CI          | @you         |
-| Week 2 | Phase 2 secrets scanner        | @security    |
-| Week 3 | Phase 3 dep & CVE scanner      | @sec‑lead    |
-| Week 4 | Phase 4 AI report & polish     | @AI‑engineer |
-| Week 5 | Phase 5 packaging & QA         | @release     |
-
-## 7. Risks & Mitigations
+   - [x] Set up npm `bin` entry_point  
+   - [x] Test on macOS  
+
+### Phase 6: Additional Common Checks
+1. **Insecure Default Configurations**  
+   - [ ] Scan config files (JSON/YAML) for flags like `DEBUG=true`, `devMode`, or permissive CORS (`*` origins)  
+2. **Unvalidated File Uploads**  
+   - [ ] Detect code handling file uploads (e.g., multer, busboy) without size/type restrictions  
+3. **Exposed Debug/Admin Endpoints**  
+   - [ ] Search for routes named `/debug`, `/admin`, `/console`  
+   - [ ] Flag those without authentication or middleware checks  
+4. **Lack of Rate‑Limiting**  
+   - [ ] Identify HTTP handlers or clients missing rate‑limiter middleware (e.g., express-rate-limit)  
+   - [ ] Flag missing throttle/retry settings in HTTP client code  
+5. **Insufficient Logging & Error Sanitization**  
+   - [ ] Find logging of full error objects or stack traces (e.g., `console.error(err)`)  
+   - [ ] Detect logging of PII or sensitive data in plain text  
+
+## 6. Risks & Mitigations
 
 - **API rate limits (OSV/NVD):** cache results locally; implement exponential back‑off  
 - **False positives (secrets):** tune regex & entropy thresholds; allow exclusions  
 - **LLM costs:** only call on `--report` mode; support a dry‑run without AI  
 
-## 8. In Cursor
+## 7. In Cursor
 
 - **Check progress:**  
-  > “What is the current status of Phase 2: Secrets Scanner?”  
+  > “What is the current status of Phase 6: Additional Common Checks?”  
 - **Mark tasks done:**  
-  > “Mark Phase 3.3 (CVE lookup) as complete.”  
+  > “Mark Insecure Default Configurations check as complete.”  
 
 ---
 
 **Next Steps:**  
-1. Review personas & success metrics.  
-2. Assign owners & adjust timeline as needed.  
-3. Kick off Week 1!  
+1. Tackle Phase 6 atomic tasks in order.  
+2. Validate each check against representative repos.  
+3. Prepare to expand into “Most Dangerous” vulnerability scans once Phase 6 is done.  

src/index.ts

@@ -6,7 +6,7 @@ import 'dotenv/config';
 import { Command } from 'commander';
 import { scanFileForSecrets, SecretFinding } from './scanners/secrets';
 import { detectPackageManagers, parseDependencies, lookupCves, DependencyInfo, DependencyFinding, FindingSeverity } from './scanners/dependencies';
-import { getFilesToScan } from './utils/fileTraversal';
+import { getFilesToScan, checkGitignoreStatus, GitignoreWarning } from './utils/fileTraversal';
 import { generateMarkdownReport } from './reporting/markdown';
 import path from 'path';
 import fs from 'fs';
@@ -52,6 +52,10 @@ program.command('scan')
         console.log(`Markdown report will be written to: ${options.report}`);
     }
 
+    // --- Moved: Check .gitignore Status --- 
+    // We will call checkGitignoreStatus later, just declare the variable here
+    let gitignoreWarnings: GitignoreWarning[] = [];
+
     // --- Findings Aggregation ---
     let allSecretFindings: SecretFinding[] = [];
     let allDependencyFindings: DependencyFinding[] = [];
@@ -102,6 +106,9 @@ program.command('scan')
       ? allDependencyFindings.filter(dep => (dep.maxSeverity === 'High' || dep.maxSeverity === 'Critical')) // Exclude errors when highOnly
       : allDependencyFindings.filter(dep => dep.vulnerabilities.length > 0 || dep.error);
 
+    // --- NOW Check Gitignore Status --- 
+    gitignoreWarnings = checkGitignoreStatus(rootDir);
+
     // --- Output Generation ---
     const reportData = { 
         secretFindings: reportSecretFindings, // Report only standard secrets
@@ -137,6 +144,16 @@ program.command('scan')
 
     // Print to console ONLY if neither JSON nor Markdown output was specified
     if (!options.output && !options.report) {
+        
+        // Print Configuration Warnings FIRST (after scans, before results)
+        if (gitignoreWarnings.length > 0) {
+            console.log(chalk.yellow.bold('\n⚠️ Configuration Warnings:')); // Added emoji
+            gitignoreWarnings.forEach(warning => {
+                const emoji = warning.type === 'MISSING' ? '❓' : '❗'; // Different emojis
+                console.log(chalk.yellow(`  ${emoji} ${warning.message}`));
+            });
+        }
+
         // Handle Info findings first
         if (infoSecretFindings.length > 0) {
             console.log(chalk.blue.bold('\nInfo:'));
@@ -147,34 +164,43 @@ program.command('scan')
             });
         }
 
-        // Print standard secrets to console
-        if (reportSecretFindings.length > 0) {
-            console.log(chalk.bold('\nPotential Secrets Found:'));
-            reportSecretFindings.forEach(finding => {
-                console.log(`  - [${colorSeverity(finding.severity)}] ${finding.type} in ${chalk.cyan(finding.file)}:${chalk.yellow(String(finding.line))}`);
-            });
-        } else if (allSecretFindings.length === 0) {
-            // Only print "no secrets" if no standard *or* info secrets were found
-            console.log('No potential secrets found in scanned files.');
-        }
+        // Check if any standard findings exist
+        const hasStandardSecrets = reportSecretFindings.length > 0;
+        const hasDependencyIssues = reportDependencyFindings.length > 0;
+
+        if (hasStandardSecrets || hasDependencyIssues) {
+            // Print standard secrets to console if found
+            if (hasStandardSecrets) {
+                console.log(chalk.bold('\nPotential Secrets Found:'));
+                reportSecretFindings.forEach(finding => {
+                    console.log(`  - [${colorSeverity(finding.severity)}] ${finding.type} in ${chalk.cyan(finding.file)}:${chalk.yellow(String(finding.line))}`);
+                });
+            }
 
-        // Print dependency findings to console
-        if (reportDependencyFindings.length > 0) {
-            console.log(chalk.bold('\nDependencies with Issues Found:'));
-            reportDependencyFindings.sort((a, b) => severityToSortOrder(b.maxSeverity) - severityToSortOrder(a.maxSeverity));
-
-            reportDependencyFindings.forEach(dep => {
-                if (dep.error) {
-                    console.log(`  - [${chalk.red.bold('ERROR')}] ${chalk.magenta(dep.name)}@${chalk.gray(dep.version)}: (${dep.error})`);
-                } else if (dep.vulnerabilities.length > 0) {
-                    const cveIds = dep.vulnerabilities.map(v => v.id).slice(0,3).join(', ');
-                    const moreCvEs = dep.vulnerabilities.length > 3 ? '...' : '';
-                    // Apply color to severity and dependency name/version
-                    console.log(`  - [${colorSeverity(dep.maxSeverity)}] ${chalk.magenta(dep.name)}@${chalk.gray(dep.version)}: ${dep.vulnerabilities.length} vulnerabilities (${chalk.dim(cveIds)}${moreCvEs})`);
-                }
-            });
-        } else if (dependencyInfoList.length > 0 && !options.highOnly) {
-             console.log('\nNo vulnerabilities found matching criteria in scanned dependencies.');
+            // Print dependency findings to console if found
+            if (hasDependencyIssues) {
+                console.log(chalk.bold('\nDependencies with Issues Found:'));
+                reportDependencyFindings.sort((a, b) => severityToSortOrder(b.maxSeverity) - severityToSortOrder(a.maxSeverity));
+                reportDependencyFindings.forEach(dep => {
+                    if (dep.error) {
+                        console.log(`  - [${chalk.red.bold('ERROR')}] ${chalk.magenta(dep.name)}@${chalk.gray(dep.version)}: (${dep.error})`);
+                    } else if (dep.vulnerabilities.length > 0) {
+                        const cveIds = dep.vulnerabilities.map(v => v.id).slice(0,3).join(', ');
+                        const moreCvEs = dep.vulnerabilities.length > 3 ? '...' : '';
+                        // Apply color to severity and dependency name/version
+                        console.log(`  - [${colorSeverity(dep.maxSeverity)}] ${chalk.magenta(dep.name)}@${chalk.gray(dep.version)}: ${dep.vulnerabilities.length} vulnerabilities (${chalk.dim(cveIds)}${moreCvEs})`);
+                    }
+                });
+            }
+        } else {
+            // All Clear! Print positive message.
+            // Check if we actually scanned for dependencies before saying no vulns found
+            const scannedDeps = dependencyInfoList.length > 0;
+            console.log(chalk.green.bold('\n✅ No issues found! Keep up the good vibes! 😎'));
+            // Optionally add context:
+            if (!scannedDeps) {
+                 console.log(chalk.gray('  (Dependency vulnerability scan skipped as no supported package manager was detected)'));
+            }
         }
     }
 

src/utils/fileTraversal.ts

@@ -24,6 +24,67 @@ const DEFAULT_IGNORE_PATTERNS = [
 
 const VIBESAFE_IGNORE_FILE = '.vibesafeignore';
 
+// --- .gitignore Check --- 
+
+// Patterns we want to ensure are typically ignored by users
+const SENSITIVE_PATTERNS_TO_CHECK = [
+    '.env',
+    '.env.*',       // Catch .env.local, .env.development etc.
+    '*.env',       // Catch other potential env files
+    // Add other common sensitive file patterns here if needed later
+    // e.g., '*.pem', '*.key'?
+];
+
+export interface GitignoreWarning {
+    type: 'MISSING' | 'PATTERN_NOT_IGNORED';
+    message: string;
+    pattern?: string; // The pattern that wasn't ignored
+}
+
+/**
+ * Checks if .gitignore exists and if it ignores common sensitive patterns.
+ * @param rootDir The root directory of the project.
+ * @returns An array of warning objects.
+ */
+export function checkGitignoreStatus(rootDir: string): GitignoreWarning[] {
+    const warnings: GitignoreWarning[] = [];
+    const gitignorePath = path.join(rootDir, '.gitignore');
+
+    if (!fs.existsSync(gitignorePath)) {
+        warnings.push({
+            type: 'MISSING',
+            message: '.gitignore file not found. Recommend creating one and adding sensitive files (like .env*, *.log) to prevent accidental commits.'
+        });
+        return warnings; // No point checking patterns if the file doesn't exist
+    }
+
+    try {
+        const gitignoreContent = fs.readFileSync(gitignorePath, 'utf-8');
+        const ig = ignore().add(gitignoreContent);
+
+        SENSITIVE_PATTERNS_TO_CHECK.forEach(pattern => {
+            // Use a common example filename that matches the pattern
+            // Note: This check isn't perfect, complex patterns could behave differently,
+            // but it covers common cases like direct filenames or *.ext.
+            const testFileName = pattern.includes('*') ? pattern.replace('*.', 'example.') : pattern;
+            
+            if (!ig.ignores(testFileName)) {
+                warnings.push({
+                    type: 'PATTERN_NOT_IGNORED',
+                    message: `Pattern "${pattern}" is not covered by .gitignore. Consider adding it to prevent committing sensitive files.`, 
+                    pattern: pattern
+                });
+            }
+        });
+
+    } catch (error: any) {
+        console.warn(`Error reading or parsing .gitignore: ${error.message}`);
+        // Don't block the scan, just warn about the check failure
+    }
+
+    return warnings;
+}
+
 /**
  * Reads ignore patterns from .vibesafeignore file if it exists.
  * @param rootDir The root directory of the project.