gnezim/clawsec
1
0
Fork 0
mirror of https://github.com/prompt-security/clawsec.git synced 2026-06-13 05:28:02 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
14623d8ed1e98ee2ebf90f7afa56a24a4e9062d0
clawsec/scripts/prepare-to-push.sh
T
davida-ps 073e771b73 Exploitability Context for CVE Advisories (#89) 
* feat(advisories): add exploitability context for CVE advisories

* fix(ci): align exploitability workflow with signing model

* docs(skills): add patch release changelog entries

* chore(clawsec-feed): bump version to 0.0.5

* chore(clawsec-suite): bump version to 0.1.4

* fix(clawsec-nanoclaw): align exploitability handling and nanoclaw integration

* chore(clawsec-nanoclaw): bump version to 0.0.2

* refactor(scripts): share feed path and mirror sync helpers

* refactor(utils): unify cvss vector parsing flow

* refactor(clawsec-nanoclaw): centralize advisory risk evaluation

* docs(exploitability): refresh release metadata dates

* fix(review): align feed signing and advisory dedupe

* chore(clawsec-feed): bump version to 0.0.6

* chore(clawsec-nanoclaw): bump version to 0.0.3

* fix(backfill): limit signing to target feed only

* fix(review): keep skill runtime verify-only and dedupe matching

* chore(clawsec-nanoclaw): bump version to 0.0.4

* chore(skills): align versions with published tags

* feat(feed): enrich local population with exploitability analysis

* docs(exploitability): mark backfill as historical flow
2026-03-01 18:43:24 +02:00

246 lines
6.7 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
#
# prepare-to-push.sh - Run all checks before pushing to ensure CI will pass
#
# Usage: ./scripts/prepare-to-push.sh [--fix]
#
# Options:
# --fix Attempt to auto-fix issues where possible
#
set -euo pipefail
# Ensure Homebrew tools are in PATH (macOS)
if [[ -d "/opt/homebrew/bin" ]]; then
export PATH="/opt/homebrew/bin:$PATH"
fi
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Track failures
FAILURES=0
# Parse arguments
FIX_MODE=false
if [[ "${1:-}" == "--fix" ]]; then
FIX_MODE=true
echo -e "${BLUE}🔧 Running in fix mode - will attempt to auto-fix issues${NC}\n"
fi
# Helper functions
print_header() {
echo -e "\n${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo -e "${BLUE}$1${NC}"
echo -e "${BLUE}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
}
check_pass() {
echo -e "${GREEN}$1${NC}"
}
check_fail() {
echo -e "${RED}$1${NC}"
FAILURES=$((FAILURES + 1))
}
check_warn() {
echo -e "${YELLOW}$1${NC}"
}
check_skip() {
echo -e "${YELLOW}$1 (skipped - tool not installed)${NC}"
}
# Change to repo root
cd "$(dirname "$0")/.."
REPO_ROOT=$(pwd)
echo -e "${BLUE}📁 Repository: ${REPO_ROOT}${NC}"
# ============================================================================
# TypeScript / React Checks
# ============================================================================
print_header "TypeScript / React"
# Check if node_modules exists
if [ ! -d "node_modules" ]; then
echo "Installing npm dependencies..."
npm ci
fi
# ESLint
echo -e "\n${YELLOW}Running ESLint...${NC}"
if $FIX_MODE; then
if npx eslint . --ext .ts,.tsx,.js,.jsx,.mjs --ignore-pattern '.auto-claude/**' --fix; then
check_pass "ESLint (with auto-fix)"
else
check_fail "ESLint found unfixable issues"
fi
else
if npx eslint . --ext .ts,.tsx,.js,.jsx,.mjs --ignore-pattern '.auto-claude/**' --max-warnings 0; then
check_pass "ESLint"
else
check_fail "ESLint found issues (run with --fix to auto-fix)"
fi
fi
# TypeScript
echo -e "\n${YELLOW}Running TypeScript type check...${NC}"
if npx tsc --noEmit; then
check_pass "TypeScript type check"
else
check_fail "TypeScript type errors found"
fi
# Build
echo -e "\n${YELLOW}Running build...${NC}"
if npm run build; then
check_pass "Vite build"
else
check_fail "Build failed"
fi
# ============================================================================
# Python Checks
# ============================================================================
print_header "Python"
# Check for Python files
if [ -d "utils" ] && ls utils/*.py 1> /dev/null 2>&1; then
# Ruff
if command -v ruff &> /dev/null; then
echo -e "\n${YELLOW}Running Ruff...${NC}"
if $FIX_MODE; then
if ruff check utils/ --fix; then
check_pass "Ruff (with auto-fix)"
else
check_fail "Ruff found unfixable issues"
fi
else
if ruff check utils/; then
check_pass "Ruff"
else
check_fail "Ruff found issues (run with --fix to auto-fix)"
fi
fi
else
check_skip "Ruff"
echo " Install with: pip install ruff"
fi
# Bandit
if command -v bandit &> /dev/null; then
echo -e "\n${YELLOW}Running Bandit security scan...${NC}"
if bandit -r utils/ -ll; then
check_pass "Bandit security scan"
else
check_fail "Bandit found security issues"
fi
else
check_skip "Bandit"
echo " Install with: pip install bandit"
fi
else
check_warn "No Python files found in utils/"
fi
# ============================================================================
# Shell Script Checks
# ============================================================================
print_header "Shell Scripts"
if command -v shellcheck &> /dev/null; then
echo -e "\n${YELLOW}Running ShellCheck...${NC}"
SHELL_ERRORS=0
for script in scripts/*.sh; do
if [ -f "$script" ]; then
if shellcheck -S warning "$script"; then
echo -e " ${GREEN}${NC} $script"
else
echo -e " ${RED}${NC} $script"
SHELL_ERRORS=$((SHELL_ERRORS + 1))
fi
fi
done
if [ $SHELL_ERRORS -eq 0 ]; then
check_pass "ShellCheck"
else
check_fail "ShellCheck found issues in $SHELL_ERRORS file(s)"
fi
else
check_skip "ShellCheck"
echo " Install with: brew install shellcheck"
fi
# ============================================================================
# Security Scans
# ============================================================================
print_header "Security"
# Trivy FS Scan
if command -v trivy &> /dev/null; then
echo -e "\n${YELLOW}Running Trivy filesystem scan...${NC}"
if trivy fs . --severity CRITICAL,HIGH --exit-code 1 --ignore-unfixed --skip-dirs .auto-claude --skip-files clawsec-signing-private.pem; then
check_pass "Trivy filesystem scan"
else
check_fail "Trivy found CRITICAL/HIGH vulnerabilities"
fi
echo -e "\n${YELLOW}Running Trivy config scan...${NC}"
# Suppress info/warnings about missing config files (expected for non-IaC projects)
if trivy config . --severity CRITICAL,HIGH --exit-code 1 --quiet 2>&1 | grep -v "Supported files for scanner(s) not found"; then
check_pass "Trivy config scan"
else
check_fail "Trivy found CRITICAL/HIGH config issues"
fi
else
check_skip "Trivy"
echo " Install with: brew install trivy"
fi
# Gitleaks (scans git history to match CI)
if command -v gitleaks &> /dev/null; then
echo -e "\n${YELLOW}Running Gitleaks secrets scan...${NC}"
if gitleaks detect --source . --verbose; then
check_pass "Gitleaks secrets scan"
else
check_fail "Gitleaks found potential secrets"
fi
else
check_skip "Gitleaks"
echo " Install with: brew install gitleaks"
fi
# npm audit (use public registry since private registries like CodeArtifact don't support audit)
echo -e "\n${YELLOW}Running npm audit...${NC}"
if npm audit --audit-level=high --registry=https://registry.npmjs.org; then
check_pass "npm audit"
else
check_warn "npm audit found vulnerabilities (run 'npm audit fix')"
fi
# ============================================================================
# Summary
# ============================================================================
print_header "Summary"
if [ $FAILURES -eq 0 ]; then
echo -e "\n${GREEN}🎉 All checks passed! Ready to push.${NC}\n"
exit 0
else
echo -e "\n${RED}$FAILURES check(s) failed. Please fix before pushing.${NC}"
echo -e "${YELLOW}💡 Tip: Run with --fix to auto-fix some issues${NC}\n"
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink