securegit 0.8.5

# Git-Based Plugin Update System

## Leveraging Built-in Git Client

SecureGit already includes a full Git client for repository acquisition. This same functionality can manage plugin updates efficiently without additional dependencies.

## Simple Git-Based Plugin Registry

Instead of complex package management, plugins are Git repositories:

```
~/.config/securegit/plugins/
├── gitleaks/              # Git repository
│   ├── .git/
│   ├── plugin.json
│   ├── gitleaks           # Executable wrapper
│   └── README.md
├── trivy-config/          # Git repository
│   ├── .git/
│   ├── plugin.json
│   ├── trivy-config       # Executable wrapper
│   └── README.md
└── semgrep/               # Git repository
    ├── .git/
    ├── plugin.json
    ├── semgrep-wrapper    # Executable wrapper
    └── README.md
```

## Installation as Git Clone

### Install Plugin

```bash
# Install from Git repository
securegit plugin install https://github.com/securegit-plugins/gitleaks.git

# Internally runs:
# git clone https://github.com/securegit-plugins/gitleaks.git ~/.config/securegit/plugins/gitleaks
# chmod +x ~/.config/securegit/plugins/gitleaks/gitleaks
```

**Output:**
```
Installing plugin from https://github.com/securegit-plugins/gitleaks.git

Cloning into '~/.config/securegit/plugins/gitleaks'...
remote: Enumerating objects: 15, done.
remote: Counting objects: 100% (15/15), done.
Receiving objects: 100% (15/15), 12.45 KiB | 2.49 MiB/s, done.

Reading plugin.json...
  Name: gitleaks
  Version: 8.22.0
  Description: Detect hardcoded secrets using gitleaks

Installing dependencies...
  Downloading gitleaks binary v8.22.0... ✓
  Verifying checksum... ✓

✓ Plugin 'gitleaks' installed successfully
  Location: ~/.config/securegit/plugins/gitleaks
  Version: 8.22.0
  Commit: a1b2c3d (2026-01-28)
```

## Update Checking via Git

### Check for Updates

```bash
securegit plugin check-updates
```

**Implementation:**
```rust
for plugin_dir in list_plugin_dirs() {
    // Use built-in git client
    let repo = Repository::open(plugin_dir)?;

    // Fetch from origin
    repo.fetch("origin")?;

    // Get current HEAD
    let local_commit = repo.head()?.peel_to_commit()?;

    // Get remote HEAD
    let remote_commit = repo.find_reference("refs/remotes/origin/HEAD")?
        .peel_to_commit()?;

    if local_commit.id() != remote_commit.id() {
        // Update available!
        let commits_behind = count_commits_behind(repo, local_commit, remote_commit)?;
        println!("Update available: {} commits behind", commits_behind);
    }
}
```

**Output:**
```
Checking for plugin updates...

✓ gitleaks (8.22.0) - Up to date (commit: a1b2c3d)

⚠ trivy-config (0.58.2) - Update available
  Current:  0.58.2 (commit: d4e5f6g, 15 days old)
  Latest:   0.60.0 (commit: h7i8j9k, 2 days old)
  Behind:   12 commits
  Changes:
    • Added Kubernetes 1.30 support (commit: h7i8j9k)
    • Fixed Terraform false positives (commit: g6h7i8j)
    • Performance improvements (commit: f5g6h7i)

🚨 semgrep (1.45.0) - CRITICAL UPDATE REQUIRED
  Current:  1.45.0 (commit: k9l0m1n, 45 days old)
  Latest:   1.52.0 (commit: o2p3q4r, 1 day old)
  Behind:   87 commits
  Security: CVE-2026-1234 fixed in v1.50.0
  Changes:  [Run 'securegit plugin changelog semgrep' for full details]

2 updates available (1 security-critical)
```

## Changelog from Git History

### View Changelog

```bash
# Show changelog between current and latest
securegit plugin changelog semgrep

# Show specific version range
securegit plugin changelog semgrep 1.45.0..1.52.0
```

**Implementation uses git log:**
```rust
// Get commits between versions
let range = format!("{}..{}", current_version, latest_version);
let commits = repo.log(&range)?;

// Parse commit messages
for commit in commits {
    if is_security_commit(&commit) {
        security_fixes.push(parse_commit(&commit));
    } else if is_feature_commit(&commit) {
        features.push(parse_commit(&commit));
    } else if is_fix_commit(&commit) {
        bug_fixes.push(parse_commit(&commit));
    }
}
```

**Output:**
```
Changelog: semgrep 1.45.0 → 1.52.0 (87 commits)

🚨 SECURITY FIXES (2):
  v1.50.0 (2026-01-25) - CVE-2026-1234: Fixed code execution via malicious rules
    Commit: abc1234
    Author: Security Team

  v1.48.0 (2026-01-20) - CVE-2026-1235: Fixed path traversal in rule loading
    Commit: def5678
    Author: Security Team

✨ NEW FEATURES (8):
  v1.52.0 - Added 60 new JavaScript security rules
  v1.51.0 - Introduced parallel scanning (60% faster)
  v1.49.0 - Added Python 3.12 support
  v1.47.0 - New Java Spring Boot rules
  [...]

🐛 BUG FIXES (15):
  v1.52.0 - Fixed false positives in React hooks
  v1.51.0 - Corrected regex matching edge cases
  v1.50.0 - Fixed crash on binary files
  [...]

⚡ PERFORMANCE (3):
  v1.51.0 - 60% faster on large codebases
  v1.49.0 - 35% reduction in memory usage
  v1.46.0 - Optimized rule matching algorithm

Full git log:
  git -C ~/.config/securegit/plugins/semgrep log v1.45.0..v1.52.0
```

## Update via Git Pull

### Update Plugin

```bash
# Update single plugin
securegit plugin update semgrep

# Update all plugins
securegit plugin update --all
```

**Implementation:**
```rust
fn update_plugin(plugin_name: &str) -> Result<()> {
    let plugin_path = get_plugin_path(plugin_name);
    let repo = Repository::open(&plugin_path)?;

    // Read current version from plugin.json
    let current_version = read_plugin_manifest(&plugin_path)?.version;

    // Fetch latest changes
    repo.fetch("origin")?;

    // Check if update needed
    if !has_updates(&repo)? {
        println!("Already up to date");
        return Ok(());
    }

    // Show what will change
    show_changelog(&repo, &current_version)?;

    // Confirm with user
    if !confirm_update()? {
        return Ok(());
    }

    // Pull changes
    repo.pull("origin", "main")?;

    // Re-read plugin.json for new version
    let new_version = read_plugin_manifest(&plugin_path)?.version;

    // Run post-update script if exists
    if plugin_path.join("install.sh").exists() {
        run_install_script(&plugin_path)?;
    }

    println!("✓ Updated {} from {} to {}", plugin_name, current_version, new_version);

    Ok(())
}
```

**Output:**
```
Updating semgrep...

Changes to be applied (87 commits):
  🚨 Security fix: CVE-2026-1234
  ✨ 60 new JavaScript rules
  ⚡ 60% performance improvement

Current: 1.45.0 → Latest: 1.52.0

Proceed with update? [Y/n]: y

Fetching from origin...
Pulling changes...
Running post-update script...
  Downloading semgrep binary v1.52.0... ✓
  Updating rule database... ✓

✓ Successfully updated semgrep to 1.52.0

Test the update:
  securegit scan --plugin semgrep /path/to/test/file
```

## Security Advisory Detection via Git

### Detect Security Commits

Parse commit messages for security keywords:

```rust
fn is_security_commit(commit: &Commit) -> bool {
    let message = commit.message().to_lowercase();

    SECURITY_KEYWORDS.iter().any(|keyword| message.contains(keyword))
}

const SECURITY_KEYWORDS: &[&str] = &[
    "cve-",
    "security",
    "vulnerability",
    "exploit",
    "xss",
    "sql injection",
    "code execution",
    "privilege escalation",
    "dos",
    "denial of service",
];
```

### Parse CVE from Commits

```rust
fn extract_cves(commit: &Commit) -> Vec<String> {
    let message = commit.message();
    let cve_regex = Regex::new(r"CVE-\d{4}-\d{4,}").unwrap();

    cve_regex.find_iter(message)
        .map(|m| m.as_str().to_string())
        .collect()
}
```

**Detection Example:**
```
Commit: abc1234
Author: Security Team <security@semgrep.com>
Date:   2026-01-25

    SECURITY: Fix CVE-2026-1234 code execution vulnerability

    Malicious rule files could execute arbitrary code during parsing.
    This fixes the vulnerability by sandboxing rule evaluation.

    Severity: HIGH
    CVSS: 8.1
    CWE: CWE-94 (Improper Control of Generation of Code)

    All users should upgrade immediately.

🚨 SECURITY ALERT TRIGGERED
  CVE-2026-1234 detected in commit abc1234
  Plugin: semgrep
  Fixed in: v1.50.0
  You are running: v1.45.0 (vulnerable)

  ACTION REQUIRED: Update immediately
```

## Git Tags as Version Markers

### Semantic Versioning via Tags

```bash
# List available versions
securegit plugin versions semgrep
```

**Implementation:**
```rust
fn list_versions(plugin_name: &str) -> Result<Vec<Version>> {
    let repo = open_plugin_repo(plugin_name)?;

    // Get all tags
    let tags = repo.tag_names(None)?;

    // Parse semantic versions
    let mut versions: Vec<Version> = tags
        .iter()
        .filter_map(|tag| tag.and_then(parse_semver))
        .collect();

    // Sort by version
    versions.sort();
    versions.reverse();

    Ok(versions)
}
```

**Output:**
```
Available versions for semgrep:

  v1.52.0 (latest)  2026-01-28  commit: o2p3q4r
  v1.51.0           2026-01-24  commit: n1o2p3q
  v1.50.0           2026-01-25  commit: m0n1o2p  [SECURITY FIX]
  v1.49.0           2026-01-22  commit: l9m0n1o
  v1.48.0           2026-01-20  commit: k8l9m0n  [SECURITY FIX]
  v1.47.0           2026-01-18  commit: j7k8l9m
  v1.46.0           2026-01-15  commit: i6j7k8l
  v1.45.0 (current) 2026-01-14  commit: h5i6j7k
  [...]

Your version (1.45.0) is 7 releases behind.
2 security fixes available in newer versions.
```

### Checkout Specific Version

```bash
# Install/update to specific version
securegit plugin install semgrep --version 1.52.0

# Rollback to previous version
securegit plugin rollback semgrep --to 1.50.0
```

**Implementation:**
```rust
fn checkout_version(plugin_name: &str, version: &str) -> Result<()> {
    let repo = open_plugin_repo(plugin_name)?;

    // Find tag for version
    let tag = format!("v{}", version);
    let reference = repo.find_reference(&format!("refs/tags/{}", tag))?;
    let commit = reference.peel_to_commit()?;

    // Checkout tag
    repo.set_head_detached(commit.id())?;
    repo.checkout_head(Some(CheckoutBuilder::new().force()))?;

    // Update working directory
    repo.reset(commit.as_object(), ResetType::Hard, None)?;

    println!("✓ Checked out {} version {}", plugin_name, version);

    Ok(())
}
```

## Automatic Update Checks

### Git Fetch on Startup

```rust
async fn check_plugin_updates_background() {
    tokio::spawn(async {
        let plugin_dirs = list_plugin_dirs().await?;

        for dir in plugin_dirs {
            if let Ok(repo) = Repository::open(&dir) {
                // Non-blocking git fetch
                let _ = repo.fetch("origin").await;

                // Check if behind
                if let Ok(behind) = commits_behind(&repo).await {
                    if behind > 0 {
                        // Store in update registry
                        mark_update_available(&dir, behind).await;
                    }
                }
            }
        }
    });
}
```

**On startup:**
```
SecureGit v0.1.0

Checking for plugin updates in background...

[After 2 seconds]
ℹ 1 plugin update available (semgrep: 87 commits behind)
  Run 'securegit plugin check-updates' for details
```

## Git-Based Update Notification

### Commit Hook for Notifications

Plugin repositories can include a `.securegit/update-message.txt`:

```
v1.52.0 Release - IMPORTANT UPDATE

🚨 This release includes a critical security fix for CVE-2026-1234

What's New:
• Security: Fixed code execution vulnerability
• Performance: 60% faster scanning
• Features: 60 new JavaScript security rules

Breaking Changes: None

Please update as soon as possible:
  securegit plugin update semgrep

For full changelog:
  https://github.com/semgrep/semgrep/releases/tag/v1.52.0
```

When update detected:
```
⚠ semgrep has an important update available

v1.52.0 Release - IMPORTANT UPDATE

🚨 This release includes a critical security fix for CVE-2026-1234
[...]

Update now: securegit plugin update semgrep
```

## Git Submodules for Dependencies

Plugins can use git submodules for tool binaries:

```
~/.config/securegit/plugins/gitleaks/
├── .git/
├── .gitmodules          # Submodule configuration
├── plugin.json
├── gitleaks             # Wrapper script
├── bin/                 # Git submodule → gitleaks binary repo
│   └── gitleaks
└── README.md
```

**Update pulls submodule automatically:**
```bash
securegit plugin update gitleaks
# Internally runs:
# git pull
# git submodule update --init --recursive
```

## Lightweight Plugin Registry

Central registry is just a Git repository:

```
https://github.com/securegit-plugins/registry
├── plugins/
│   ├── gitleaks.json
│   ├── semgrep.json
│   ├── trivy.json
│   └── [...]
└── README.md
```

**Plugin metadata (gitleaks.json):**
```json
{
  "name": "gitleaks",
  "description": "Detect hardcoded secrets",
  "repository": "https://github.com/securegit-plugins/gitleaks.git",
  "author": "SecureGit Community",
  "tags": ["secrets", "credentials"],
  "verified": true,
  "downloads": 15420,
  "rating": 4.8,
  "latest_version": "8.22.0",
  "security_advisories": []
}
```

**Search registry:**
```bash
securegit plugin search secrets

# Internally:
# git clone https://github.com/securegit-plugins/registry /tmp/registry
# grep -r "secrets" /tmp/registry/plugins/*.json
```

## Benefits of Git-Based Approach

### Advantages

1. **No Additional Dependencies**
   - Reuse existing Git client code
   - No package manager infrastructure needed

2. **Distributed and Resilient**
   - Any Git hosting works (GitHub, GitLab, self-hosted)
   - No central server required
   - Works offline with local clones

3. **Full Version History**
   - Complete changelog via git log
   - Easy rollback to any version
   - Audit trail of all changes

4. **Developer Familiar**
   - Standard Git workflow
   - Known tooling (branches, tags, PRs)
   - Easy contribution model

5. **Security Built-in**
   - Git commit signing
   - Repository verification
   - Cryptographic integrity

6. **Bandwidth Efficient**
   - Delta compression
   - Shallow clones for large repos
   - Incremental fetches

### Implementation Complexity

**Simple Git-based approach:**
- Clone: `git clone <repo> <path>`
- Update check: `git fetch && git status`
- Update: `git pull`
- Changelog: `git log v1..v2`
- Rollback: `git checkout <tag>`

**vs Complex package manager:**
- Dependency resolution
- Package signing infrastructure
- Central registry servers
- Custom download protocols
- Database of package metadata

## Git Hooks for Plugin Lifecycle

Plugins can include git hooks:

```
~/.config/securegit/plugins/semgrep/
├── .git/
│   └── hooks/
│       ├── post-merge       # Run after update
│       └── post-checkout    # Run after version change
├── plugin.json
└── semgrep-wrapper
```

**post-merge hook:**
```bash
#!/bin/bash
# Auto-run after git pull

echo "Post-update tasks for semgrep..."

# Download new binary if version changed
if version_changed; then
    ./install.sh
fi

# Update rule database
./update-rules.sh

echo "✓ semgrep updated successfully"
```

## Complete Update Workflow Example

```bash
# User runs update check
securegit plugin check-updates

# Internal flow:
# 1. For each plugin directory
cd ~/.config/securegit/plugins/semgrep

# 2. Fetch from origin
git fetch origin

# 3. Compare local vs remote
LOCAL=$(git rev-parse HEAD)
REMOTE=$(git rev-parse origin/HEAD)

if [ "$LOCAL" != "$REMOTE" ]; then
    # 4. Count commits behind
    BEHIND=$(git rev-list --count HEAD..origin/HEAD)

    # 5. Check for security commits
    SECURITY=$(git log HEAD..origin/HEAD --grep="CVE-\|security" --oneline)

    # 6. Get latest tag/version
    LATEST=$(git describe --tags origin/HEAD)

    # 7. Display to user
    echo "Update available: $BEHIND commits behind"
    echo "Latest version: $LATEST"
    if [ -n "$SECURITY" ]; then
        echo "🚨 SECURITY UPDATE AVAILABLE"
    fi
fi
```

**User updates:**
```bash
securegit plugin update semgrep

# Internal flow:
# 1. Show changes
git log HEAD..origin/HEAD --oneline

# 2. User confirms
read -p "Proceed? [Y/n] " confirm

# 3. Pull changes
git pull origin main

# 4. Post-merge hook runs automatically
# (downloads new binary, updates rules)

# 5. Verify
./semgrep-wrapper --version
```

## Conclusion

Leveraging SecureGit's existing Git client for plugin management provides a simple, robust, and familiar update system. Developers already understand Git workflows, and the implementation complexity is minimal compared to custom package management.

The Git-based approach enables:
- Easy updates (`git pull`)
- Version history (`git log`)
- Rollbacks (`git checkout`)
- Security advisories (commit messages)
- Distributed hosting (any Git server)

This is developer-friendly, maintenance-friendly, and leverages battle-tested Git infrastructure.