Package Vulnerability Scanner

{
  "hookConfig": {
    "hooks": {
      "postToolUse": {
        "script": "./.claude/hooks/package-vulnerability-scanner.sh",
        "matchers": [
          "write",
          "edit"
        ]
      }
    }
  },
  "scriptContent": "#!/usr/bin/env bash\n\n# Read the tool input from stdin\nINPUT=$(cat)\nTOOL_NAME=$(echo \"$INPUT\" | jq -r '.tool_name')\nFILE_PATH=$(echo \"$INPUT\" | jq -r '.tool_input.file_path // .tool_input.path // \"\"')\n\nif [ -z \"$FILE_PATH\" ]; then\n  exit 0\nfi\n\n# Check if this is a dependency or package file\nif [[ \"$FILE_PATH\" == *package.json ]] || [[ \"$FILE_PATH\" == *requirements.txt ]] || [[ \"$FILE_PATH\" == *Pipfile ]] || [[ \"$FILE_PATH\" == *Gemfile ]] || [[ \"$FILE_PATH\" == *go.mod ]] || [[ \"$FILE_PATH\" == *yarn.lock ]] || [[ \"$FILE_PATH\" == *package-lock.json ]] || [[ \"$FILE_PATH\" == *composer.json ]]; then\n  echo \"🔒 Package Vulnerability Scanner for: $(basename \"$FILE_PATH\")\" >&2\n  \n  # Initialize security counters\n  TOTAL_VULNERABILITIES=0\n  HIGH_SEVERITY=0\n  MEDIUM_SEVERITY=0\n  LOW_SEVERITY=0\n  CRITICAL_SEVERITY=0\n  FIXABLE_VULNERABILITIES=0\n  ERRORS=0\n  WARNINGS=0\n  \n  # Function to report security findings\n  report_security() {\n    local level=\"$1\"\n    local message=\"$2\"\n    \n    case \"$level\" in\n      \"CRITICAL\")\n        echo \"🚨 CRITICAL: $message\" >&2\n        ERRORS=$((ERRORS + 1))\n        ;;\n      \"ERROR\")\n        echo \"❌ ERROR: $message\" >&2\n        ERRORS=$((ERRORS + 1))\n        ;;\n      \"WARNING\")\n        echo \"⚠️ WARNING: $message\" >&2\n        WARNINGS=$((WARNINGS + 1))\n        ;;\n      \"INFO\")\n        echo \"ℹ️ INFO: $message\" >&2\n        ;;\n      \"PASS\")\n        echo \"✅ PASS: $message\" >&2\n        ;;\n    esac\n  }\n  \n  # Detect package manager and language\n  PACKAGE_MANAGER=\"\"\n  LANGUAGE=\"\"\n  SCAN_COMMAND=\"\"\n  \n  FILE_NAME=$(basename \"$FILE_PATH\")\n  FILE_DIR=$(dirname \"$FILE_PATH\")\n  \n  echo \"📊 Analyzing package file: $FILE_NAME\" >&2\n  \n  # Determine package manager and language\n  case \"$FILE_NAME\" in\n    \"package.json\")\n      PACKAGE_MANAGER=\"npm\"\n      LANGUAGE=\"Node.js\"\n      ;;\n    \"yarn.lock\")\n      PACKAGE_MANAGER=\"yarn\"\n      LANGUAGE=\"Node.js\"\n      ;;\n    \"package-lock.json\")\n      PACKAGE_MANAGER=\"npm\"\n      LANGUAGE=\"Node.js\"\n      ;;\n    \"requirements.txt\")\n      PACKAGE_MANAGER=\"pip\"\n      LANGUAGE=\"Python\"\n      ;;\n    \"Pipfile\")\n      PACKAGE_MANAGER=\"pipenv\"\n      LANGUAGE=\"Python\"\n      ;;\n    \"Gemfile\")\n      PACKAGE_MANAGER=\"bundler\"\n      LANGUAGE=\"Ruby\"\n      ;;\n    \"go.mod\")\n      PACKAGE_MANAGER=\"go\"\n      LANGUAGE=\"Go\"\n      ;;\n    \"composer.json\")\n      PACKAGE_MANAGER=\"composer\"\n      LANGUAGE=\"PHP\"\n      ;;\n    *)\n      report_security \"WARNING\" \"Unknown package file type: $FILE_NAME\"\n      exit 0\n      ;;\n  esac\n  \n  echo \"   🔧 Package Manager: $PACKAGE_MANAGER\" >&2\n  echo \"   📝 Language: $LANGUAGE\" >&2\n  \n  # 1. Node.js Security Scanning\n  if [[ \"$PACKAGE_MANAGER\" == \"npm\" ]] || [[ \"$PACKAGE_MANAGER\" == \"yarn\" ]]; then\n    echo \"📦 Node.js security scanning...\" >&2\n    \n    # Check if npm is available\n    if command -v npm &> /dev/null; then\n      echo \"   🔍 Running npm audit...\" >&2\n      \n      NPM_AUDIT_OUTPUT=\"/tmp/npm_audit_$$\"\n      \n      # Run npm audit with JSON output\n      if npm audit --json > \"$NPM_AUDIT_OUTPUT\" 2>&1; then\n        # Parse npm audit results\n        if command -v jq &> /dev/null; then\n          AUDIT_SUMMARY=$(jq -r '.metadata.vulnerabilities' \"$NPM_AUDIT_OUTPUT\" 2>/dev/null || echo '{}')\n          \n          if [ \"$AUDIT_SUMMARY\" != \"{}\" ] && [ \"$AUDIT_SUMMARY\" != \"null\" ]; then\n            # Extract vulnerability counts\n            CRITICAL_COUNT=$(echo \"$AUDIT_SUMMARY\" | jq -r '.critical // 0')\n            HIGH_COUNT=$(echo \"$AUDIT_SUMMARY\" | jq -r '.high // 0')\n            MODERATE_COUNT=$(echo \"$AUDIT_SUMMARY\" | jq -r '.moderate // 0')\n            LOW_COUNT=$(echo \"$AUDIT_SUMMARY\" | jq -r '.low // 0')\n            \n            TOTAL_VULNERABILITIES=$((CRITICAL_COUNT + HIGH_COUNT + MODERATE_COUNT + LOW_COUNT))\n            CRITICAL_SEVERITY=$CRITICAL_COUNT\n            HIGH_SEVERITY=$HIGH_COUNT\n            MEDIUM_SEVERITY=$MODERATE_COUNT\n            LOW_SEVERITY=$LOW_COUNT\n            \n            echo \"   📊 Vulnerability summary:\" >&2\n            echo \"     🚨 Critical: $CRITICAL_COUNT\" >&2\n            echo \"     🔴 High: $HIGH_COUNT\" >&2\n            echo \"     🟡 Moderate: $MODERATE_COUNT\" >&2\n            echo \"     🟢 Low: $LOW_COUNT\" >&2\n            \n            if [ \"$CRITICAL_COUNT\" -gt 0 ]; then\n              report_security \"CRITICAL\" \"$CRITICAL_COUNT critical vulnerabilities found\"\n            fi\n            \n            if [ \"$HIGH_COUNT\" -gt 0 ]; then\n              report_security \"ERROR\" \"$HIGH_COUNT high severity vulnerabilities found\"\n            fi\n            \n            if [ \"$MODERATE_COUNT\" -gt 0 ]; then\n              report_security \"WARNING\" \"$MODERATE_COUNT moderate severity vulnerabilities found\"\n            fi\n            \n            # Show top vulnerabilities\n            TOP_VULNS=$(jq -r '.vulnerabilities | to_entries | .[0:3] | .[] | \"     • \" + .key + \" (\" + .value.severity + \")\"' \"$NPM_AUDIT_OUTPUT\" 2>/dev/null || echo \"\")\n            \n            if [ -n \"$TOP_VULNS\" ]; then\n              echo \"   🎯 Top vulnerabilities:\" >&2\n              echo \"$TOP_VULNS\" >&2\n            fi\n          else\n            report_security \"PASS\" \"No vulnerabilities found in npm dependencies\"\n          fi\n        else\n          report_security \"WARNING\" \"jq not available - limited vulnerability parsing\"\n        fi\n      else\n        # npm audit failed, check if it's due to vulnerabilities\n        AUDIT_EXIT_CODE=$?\n        \n        if [ $AUDIT_EXIT_CODE -eq 1 ]; then\n          # Exit code 1 means vulnerabilities found\n          report_security \"ERROR\" \"npm audit found vulnerabilities (exit code 1)\"\n          \n          # Try to extract basic info\n          VULN_COUNT=$(grep -o 'vulnerabilities' \"$NPM_AUDIT_OUTPUT\" 2>/dev/null | wc -l || echo \"0\")\n          if [ \"$VULN_COUNT\" -gt 0 ]; then\n            echo \"   ⚠️ Estimated vulnerabilities: $VULN_COUNT\" >&2\n          fi\n        else\n          report_security \"ERROR\" \"npm audit failed with exit code $AUDIT_EXIT_CODE\"\n        fi\n      fi\n      \n      rm -f \"$NPM_AUDIT_OUTPUT\"\n      \n      # Check for yarn if available\n      if [[ \"$PACKAGE_MANAGER\" == \"yarn\" ]] && command -v yarn &> /dev/null; then\n        echo \"   🧶 Running yarn audit...\" >&2\n        \n        YARN_AUDIT_OUTPUT=\"/tmp/yarn_audit_$$\"\n        \n        if yarn audit --json > \"$YARN_AUDIT_OUTPUT\" 2>&1; then\n          report_security \"PASS\" \"Yarn audit completed successfully\"\n        else\n          report_security \"WARNING\" \"Yarn audit found issues or failed\"\n        fi\n        \n        rm -f \"$YARN_AUDIT_OUTPUT\"\n      fi\n      \n    else\n      report_security \"WARNING\" \"npm not available - cannot perform Node.js security scan\"\n    fi\n  fi\n  \n  # 2. Python Security Scanning\n  if [[ \"$PACKAGE_MANAGER\" == \"pip\" ]] || [[ \"$PACKAGE_MANAGER\" == \"pipenv\" ]]; then\n    echo \"🐍 Python security scanning...\" >&2\n    \n    # Check for safety tool\n    if command -v safety &> /dev/null; then\n      echo \"   🔍 Running safety check...\" >&2\n      \n      SAFETY_OUTPUT=\"/tmp/safety_output_$$\"\n      \n      if safety check --json > \"$SAFETY_OUTPUT\" 2>&1; then\n        report_security \"PASS\" \"Safety check completed - no vulnerabilities found\"\n      else\n        # Safety found vulnerabilities\n        SAFETY_EXIT_CODE=$?\n        \n        if [ $SAFETY_EXIT_CODE -eq 64 ]; then\n          # Exit code 64 means vulnerabilities found\n          report_security \"ERROR\" \"Safety found vulnerabilities in Python dependencies\"\n          \n          # Try to parse vulnerabilities\n          if command -v jq &> /dev/null && [ -f \"$SAFETY_OUTPUT\" ]; then\n            VULN_COUNT=$(jq length \"$SAFETY_OUTPUT\" 2>/dev/null || echo \"0\")\n            \n            if [ \"$VULN_COUNT\" -gt 0 ]; then\n              echo \"   📊 Found $VULN_COUNT Python vulnerabilities\" >&2\n              TOTAL_VULNERABILITIES=$((TOTAL_VULNERABILITIES + VULN_COUNT))\n              \n              # Show first few vulnerabilities\n              jq -r '.[0:3] | .[] | \"     • \" + .package + \" (\" + .vulnerability_id + \")\"' \"$SAFETY_OUTPUT\" 2>/dev/null | while read line; do\n                echo \"$line\" >&2\n              done\n            fi\n          fi\n        else\n          report_security \"WARNING\" \"Safety check failed with exit code $SAFETY_EXIT_CODE\"\n        fi\n      fi\n      \n      rm -f \"$SAFETY_OUTPUT\"\n      \n    elif command -v pip &> /dev/null; then\n      echo \"   🔍 Safety not available, using pip-audit if available...\" >&2\n      \n      if command -v pip-audit &> /dev/null; then\n        PIP_AUDIT_OUTPUT=\"/tmp/pip_audit_$$\"\n        \n        if pip-audit --format=json > \"$PIP_AUDIT_OUTPUT\" 2>&1; then\n          report_security \"PASS\" \"pip-audit completed - no vulnerabilities found\"\n        else\n          report_security \"ERROR\" \"pip-audit found vulnerabilities in Python dependencies\"\n        fi\n        \n        rm -f \"$PIP_AUDIT_OUTPUT\"\n      else\n        report_security \"WARNING\" \"No Python security tools available (safety, pip-audit)\"\n      fi\n    else\n      report_security \"WARNING\" \"Python/pip not available - cannot perform Python security scan\"\n    fi\n  fi\n  \n  # 3. Ruby Security Scanning\n  if [[ \"$PACKAGE_MANAGER\" == \"bundler\" ]]; then\n    echo \"💎 Ruby security scanning...\" >&2\n    \n    if command -v bundler-audit &> /dev/null; then\n      echo \"   🔍 Running bundler-audit...\" >&2\n      \n      BUNDLER_AUDIT_OUTPUT=\"/tmp/bundler_audit_$$\"\n      \n      if bundler-audit check > \"$BUNDLER_AUDIT_OUTPUT\" 2>&1; then\n        report_security \"PASS\" \"bundler-audit completed - no vulnerabilities found\"\n      else\n        report_security \"ERROR\" \"bundler-audit found vulnerabilities in Ruby dependencies\"\n        \n        # Count vulnerabilities\n        RUBY_VULNS=$(grep -c 'Vulnerability found' \"$BUNDLER_AUDIT_OUTPUT\" 2>/dev/null || echo \"0\")\n        if [ \"$RUBY_VULNS\" -gt 0 ]; then\n          echo \"   📊 Found $RUBY_VULNS Ruby vulnerabilities\" >&2\n          TOTAL_VULNERABILITIES=$((TOTAL_VULNERABILITIES + RUBY_VULNS))\n        fi\n      fi\n      \n      rm -f \"$BUNDLER_AUDIT_OUTPUT\"\n    else\n      report_security \"WARNING\" \"bundler-audit not available - install with 'gem install bundler-audit'\"\n    fi\n  fi\n  \n  # 4. Go Security Scanning\n  if [[ \"$PACKAGE_MANAGER\" == \"go\" ]]; then\n    echo \"🐹 Go security scanning...\" >&2\n    \n    if command -v govulncheck &> /dev/null; then\n      echo \"   🔍 Running govulncheck...\" >&2\n      \n      GOVULN_OUTPUT=\"/tmp/govuln_output_$$\"\n      \n      if govulncheck ./... > \"$GOVULN_OUTPUT\" 2>&1; then\n        report_security \"PASS\" \"govulncheck completed - no vulnerabilities found\"\n      else\n        report_security \"ERROR\" \"govulncheck found vulnerabilities in Go dependencies\"\n        \n        # Count vulnerabilities\n        GO_VULNS=$(grep -c 'Vulnerability' \"$GOVULN_OUTPUT\" 2>/dev/null || echo \"0\")\n        if [ \"$GO_VULNS\" -gt 0 ]; then\n          echo \"   📊 Found $GO_VULNS Go vulnerabilities\" >&2\n          TOTAL_VULNERABILITIES=$((TOTAL_VULNERABILITIES + GO_VULNS))\n        fi\n      fi\n      \n      rm -f \"$GOVULN_OUTPUT\"\n    else\n      report_security \"WARNING\" \"govulncheck not available - install with 'go install golang.org/x/vuln/cmd/govulncheck@latest'\"\n    fi\n  fi\n  \n  # 5. PHP Security Scanning\n  if [[ \"$PACKAGE_MANAGER\" == \"composer\" ]]; then\n    echo \"🐘 PHP security scanning...\" >&2\n    \n    if command -v composer &> /dev/null; then\n      echo \"   🔍 Running composer audit...\" >&2\n      \n      COMPOSER_AUDIT_OUTPUT=\"/tmp/composer_audit_$$\"\n      \n      if composer audit > \"$COMPOSER_AUDIT_OUTPUT\" 2>&1; then\n        report_security \"PASS\" \"Composer audit completed - no vulnerabilities found\"\n      else\n        report_security \"ERROR\" \"Composer audit found vulnerabilities in PHP dependencies\"\n        \n        # Count vulnerabilities\n        PHP_VULNS=$(grep -c 'vulnerability' \"$COMPOSER_AUDIT_OUTPUT\" 2>/dev/null || echo \"0\")\n        if [ \"$PHP_VULNS\" -gt 0 ]; then\n          echo \"   📊 Found $PHP_VULNS PHP vulnerabilities\" >&2\n          TOTAL_VULNERABILITIES=$((TOTAL_VULNERABILITIES + PHP_VULNS))\n        fi\n      fi\n      \n      rm -f \"$COMPOSER_AUDIT_OUTPUT\"\n    else\n      report_security \"WARNING\" \"Composer not available - cannot perform PHP security scan\"\n    fi\n  fi\n  \n  # 6. License Compliance Check\n  echo \"📋 License compliance checking...\" >&2\n  \n  # Basic license check for Node.js projects\n  if [[ \"$PACKAGE_MANAGER\" == \"npm\" ]] && command -v npx &> /dev/null; then\n    if npx license-checker --summary >/dev/null 2>&1; then\n      LICENSE_SUMMARY=$(npx license-checker --summary 2>/dev/null | head -10)\n      echo \"   📄 License summary available\" >&2\n    else\n      report_security \"INFO\" \"license-checker not available for license compliance\"\n    fi\n  fi\n  \n  # 7. Generate Security Report\n  echo \"\" >&2\n  echo \"📋 Security Scan Summary:\" >&2\n  echo \"=========================\" >&2\n  echo \"   📄 File: $FILE_NAME\" >&2\n  echo \"   🔧 Package Manager: $PACKAGE_MANAGER\" >&2\n  echo \"   📝 Language: $LANGUAGE\" >&2\n  echo \"   🔒 Total Vulnerabilities: $TOTAL_VULNERABILITIES\" >&2\n  \n  if [ \"$CRITICAL_SEVERITY\" -gt 0 ]; then\n    echo \"   🚨 Critical: $CRITICAL_SEVERITY\" >&2\n  fi\n  \n  if [ \"$HIGH_SEVERITY\" -gt 0 ]; then\n    echo \"   🔴 High: $HIGH_SEVERITY\" >&2\n  fi\n  \n  if [ \"$MEDIUM_SEVERITY\" -gt 0 ]; then\n    echo \"   🟡 Medium: $MEDIUM_SEVERITY\" >&2\n  fi\n  \n  if [ \"$LOW_SEVERITY\" -gt 0 ]; then\n    echo \"   🟢 Low: $LOW_SEVERITY\" >&2\n  fi\n  \n  echo \"   ⚠️ Warnings: $WARNINGS\" >&2\n  echo \"   ❌ Errors: $ERRORS\" >&2\n  \n  # Security status assessment\n  if [ \"$CRITICAL_SEVERITY\" -gt 0 ]; then\n    echo \"   🚨 Status: CRITICAL - Immediate action required\" >&2\n  elif [ \"$HIGH_SEVERITY\" -gt 0 ]; then\n    echo \"   🔴 Status: HIGH RISK - Update dependencies soon\" >&2\n  elif [ \"$MEDIUM_SEVERITY\" -gt 0 ]; then\n    echo \"   🟡 Status: MODERATE RISK - Plan updates\" >&2\n  elif [ \"$LOW_SEVERITY\" -gt 0 ]; then\n    echo \"   🟢 Status: LOW RISK - Monitor and update when convenient\" >&2\n  elif [ \"$TOTAL_VULNERABILITIES\" -eq 0 ] && [ \"$ERRORS\" -eq 0 ]; then\n    echo \"   ✅ Status: SECURE - No known vulnerabilities\" >&2\n  else\n    echo \"   ⚠️ Status: UNKNOWN - Scan completed with issues\" >&2\n  fi\n  \n  echo \"\" >&2\n  echo \"💡 Security Best Practices:\" >&2\n  echo \"   • Run security scans regularly (weekly/monthly)\" >&2\n  echo \"   • Keep dependencies up to date\" >&2\n  echo \"   • Use dependency pinning for critical applications\" >&2\n  echo \"   • Review security advisories for your dependencies\" >&2\n  echo \"   • Consider using automated dependency update tools\" >&2\n  echo \"   • Implement security scanning in CI/CD pipelines\" >&2\n  \n  # Exit with error if critical or high severity vulnerabilities found\n  if [ \"$CRITICAL_SEVERITY\" -gt 0 ] || [ \"$HIGH_SEVERITY\" -gt 0 ]; then\n    echo \"⚠️ Security scan completed with high-priority vulnerabilities\" >&2\n    exit 1\n  fi\n  \nelse\n  # Not a package file, exit silently\n  exit 0\nfi\n\nexit 0"
}