dotguard/main.go at main · mturac/dotguard · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
package main

import (
	"flag"
	"fmt"
	"os"
)

var Version = "0.1.0"

func main() {
	if len(os.Args) < 2 {
		printUsage()
		os.Exit(1)
	}

	switch os.Args[1] {
	case "scan":
		cmdScan(os.Args[2:])
	case "init":
		cmdInit()
	case "hook":
		if len(os.Args) < 3 {
			fmt.Println("Usage: dotguard hook [install|uninstall]")
			os.Exit(1)
		}
		cmdHook(os.Args[2])
	case "ci":
		cmdCI(os.Args[2:])
	case "version":
		fmt.Printf("dotguard v%s\n", Version)
	case "help", "--help", "-h":
		printUsage()
	default:
		fmt.Printf("Unknown command: %s\n\n", os.Args[1])
		printUsage()
		os.Exit(1)
	}
}

func cmdScan(args []string) {
	fs := flag.NewFlagSet("scan", flag.ExitOnError)
	configPath := fs.String("config", ".dotguard.json", "Path to config file")
	ai := fs.Bool("ai", false, "Enable AI-powered analysis")
	verbose := fs.Bool("verbose", false, "Verbose output")
	staged := fs.Bool("staged", false, "Only scan git staged files")
	fs.Parse(args)

	cfg := LoadConfig(*configPath)
	scanPath := "."
	if fs.NArg() > 0 {
		scanPath = fs.Arg(0)
	}

	scanner := NewScanner(cfg, *verbose)
	var findings []Finding

	if *staged {
		files, err := GitStagedFiles()
		if err != nil {
			fmt.Printf("%s Could not get staged files: %v\n", colorRed("✗"), err)
			os.Exit(1)
		}
		findings = scanner.ScanFiles(files)
	} else {
		findings = scanner.ScanPath(scanPath)
	}

	if *ai && len(findings) > 0 {
		findings = AnalyzeWithAI(cfg, findings)
	}

	PrintFindings(findings, *verbose)

	if len(findings) > 0 {
		fmt.Printf("\n%s Found %d potential secret(s)\n", colorRed("✗"), len(findings))
		os.Exit(1)
	}

	fmt.Printf("\n%s No secrets found\n", colorGreen("✓"))
}

func cmdInit() {
	if _, err := os.Stat(".dotguard.json"); err == nil {
		fmt.Printf("%s .dotguard.json already exists\n", colorYellow("!"))
		return
	}

	err := os.WriteFile(".dotguard.json", []byte(DefaultConfig), 0644)
	if err != nil {
		fmt.Printf("%s Failed to create config: %v\n", colorRed("✗"), err)
		os.Exit(1)
	}

	fmt.Printf("%s Created .dotguard.json\n", colorGreen("✓"))
	fmt.Println("  Edit the file to customize scan rules and allowlist.")
}

func cmdHook(action string) {
	switch action {
	case "install":
		err := InstallHook()
		if err != nil {
			fmt.Printf("%s Failed to install hook: %v\n", colorRed("✗"), err)
			os.Exit(1)
		}
		fmt.Printf("%s Pre-commit hook installed\n", colorGreen("✓"))
	case "uninstall":
		err := UninstallHook()
		if err != nil {
			fmt.Printf("%s Failed to uninstall hook: %v\n", colorRed("✗"), err)
			os.Exit(1)
		}
		fmt.Printf("%s Pre-commit hook removed\n", colorGreen("✓"))
	default:
		fmt.Printf("Unknown hook action: %s\n", action)
		fmt.Println("Usage: dotguard hook [install|uninstall]")
		os.Exit(1)
	}
}

func cmdCI(args []string) {
	fs := flag.NewFlagSet("ci", flag.ExitOnError)
	configPath := fs.String("config", ".dotguard.json", "Path to config file")
	jsonOut := fs.Bool("json", false, "Output results as JSON")
	ai := fs.Bool("ai", false, "Enable AI-powered analysis")
	notify := fs.Bool("notify", false, "Send webhook notifications on findings")
	fs.Parse(args)

	cfg := LoadConfig(*configPath)
	scanner := NewScanner(cfg, false)
	findings := scanner.ScanPath(".")

	if *ai && len(findings) > 0 {
		findings = AnalyzeWithAI(cfg, findings)
	}

	if *jsonOut {
		PrintFindingsJSON(findings)
	} else {
		PrintFindings(findings, false)
	}

	if *notify && len(findings) > 0 {
		NotifyWebhooks(cfg, findings)
	}

	if len(findings) > 0 {
		fmt.Fprintf(os.Stderr, "dotguard: found %d potential secret(s)\n", len(findings))
		os.Exit(1)
	}
}

func printUsage() {
	fmt.Printf(`dotguard v%s — Catch secrets before they leak

Usage:
  dotguard <command> [options]

Commands:
  scan [path]       Scan files for secrets (default: current directory)
  init              Create .dotguard.json config file
  hook install      Install git pre-commit hook
  hook uninstall    Remove git pre-commit hook
  ci                CI/CD mode with exit codes
  version           Print version

Scan Options:
  -config string    Path to config file (default ".dotguard.json")
  -ai               Enable AI-powered secret analysis
  -verbose          Show detailed output
  -staged           Only scan git staged files

CI Options:
  -config string    Path to config file (default ".dotguard.json")
  -json             Output results as JSON
  -ai               Enable AI-powered secret analysis
  -notify           Send webhook notifications on findings

Examples:
  dotguard scan                     Scan current directory
  dotguard scan -staged             Scan only staged files
  dotguard scan -ai ./src           Scan with AI analysis
  dotguard ci -json -notify         CI mode with JSON + webhooks
  dotguard hook install             Set up pre-commit hook

`, Version)
}