# SecureGit Plugin Registry
## Official Community Plugins
### Secret Detection
**gitleaks**
- Description: Detect hardcoded secrets, passwords, and API keys
- Language: Go
- Wraps: gitleaks (https://github.com/gitleaks/gitleaks)
- Install: `securegit plugin install gitleaks`
**trufflehog**
- Description: Find secrets using entropy analysis and pattern matching
- Language: Go
- Wraps: trufflehog (https://github.com/trufflesecurity/trufflehog)
- Install: `securegit plugin install trufflehog`
**detect-secrets**
- Description: Enterprise secret scanner with baseline support
- Language: Python
- Wraps: detect-secrets (https://github.com/Yelp/detect-secrets)
- Install: `securegit plugin install detect-secrets`
### Language-Specific SAST
**bandit**
- Description: Python security issue scanner
- Language: Python
- Wraps: bandit (https://github.com/PyCQA/bandit)
- Detects: SQL injection, XSS, hardcoded passwords, weak crypto
- Install: `securegit plugin install bandit`
**gosec**
- Description: Go security scanner
- Language: Go
- Wraps: gosec (https://github.com/securego/gosec)
- Install: `securegit plugin install gosec`
**brakeman**
- Description: Ruby on Rails security scanner
- Language: Ruby
- Wraps: brakeman (https://brakemanscanner.org/)
- Install: `securegit plugin install brakeman`
**eslint-security**
- Description: JavaScript/TypeScript security rules
- Language: Node.js
- Wraps: eslint with security plugins
- Install: `securegit plugin install eslint-security`
**findsecbugs**
- Description: Java/Android security auditing
- Language: Java
- Wraps: Find Security Bugs
- Install: `securegit plugin install findsecbugs`
**safety**
- Description: Python dependency vulnerability scanner
- Language: Python
- Wraps: safety (https://github.com/pyupio/safety)
- Install: `securegit plugin install safety`
### Malware & Binary Analysis
**clamav**
- Description: Open source antivirus engine
- Language: Bash wrapper
- Wraps: ClamAV (40+ years of virus signatures)
- Install: `securegit plugin install clamav`
**yara-rules**
- Description: YARA malware pattern matching
- Language: Bash wrapper
- Wraps: YARA with community rules
- Requires: YARA rules repository
- Install: `securegit plugin install yara-rules`
**binwalk**
- Description: Firmware and binary analysis
- Language: Python
- Wraps: binwalk
- Install: `securegit plugin install binwalk`
### Container Security
**trivy**
- Description: Container vulnerability and misconfiguration scanner
- Language: Go wrapper
- Wraps: Trivy (https://github.com/aquasecurity/trivy)
- Install: `securegit plugin install trivy`
**grype**
- Description: Vulnerability scanner for containers and filesystems
- Language: Go wrapper
- Wraps: Grype (https://github.com/anchore/grype)
- Install: `securegit plugin install grype`
**hadolint**
- Description: Dockerfile linter with security rules
- Language: Bash wrapper
- Wraps: hadolint
- Install: `securegit plugin install hadolint`
### Infrastructure as Code
**tfsec**
- Description: Terraform static analysis
- Language: Go wrapper
- Wraps: tfsec (https://github.com/aquasecurity/tfsec)
- Install: `securegit plugin install tfsec`
**checkov**
- Description: Multi-cloud IaC security scanner
- Language: Python
- Wraps: checkov (Terraform, CloudFormation, Kubernetes)
- Install: `securegit plugin install checkov`
**terrascan**
- Description: Detect compliance and security violations in IaC
- Language: Go wrapper
- Wraps: terrascan
- Install: `securegit plugin install terrascan`
### License Compliance
**licensee**
- Description: GitHub's license detection tool
- Language: Ruby
- Wraps: licensee (https://github.com/licensee/licensee)
- Install: `securegit plugin install licensee`
**scancode**
- Description: Comprehensive license and copyright scanner
- Language: Python
- Wraps: ScanCode Toolkit
- Install: `securegit plugin install scancode`
**fossology**
- Description: Open source license compliance system
- Language: Bash wrapper
- Wraps: FOSSology
- Install: `securegit plugin install fossology`
### Classic Security Tools
**flawfinder**
- Description: C/C++ security vulnerability scanner (since 2001)
- Language: Python
- Wraps: flawfinder
- Install: `securegit plugin install flawfinder`
**rats**
- Description: Rough Auditing Tool for Security (C/C++/PHP/Python)
- Language: Bash wrapper
- Wraps: RATS
- Install: `securegit plugin install rats`
**lynis**
- Description: Security auditing tool for Unix/Linux systems
- Language: Bash wrapper
- Wraps: Lynis
- Install: `securegit plugin install lynis`
### Specialized Scanners
**semgrep**
- Description: Fast, customizable static analysis
- Language: Python
- Wraps: Semgrep with security rules
- Install: `securegit plugin install semgrep`
**sqlmap**
- Description: SQL injection detection and exploitation
- Language: Python
- Wraps: sqlmap (use responsibly)
- Install: `securegit plugin install sqlmap`
**npm-audit**
- Description: Node.js dependency vulnerability scanner
- Language: Node.js
- Wraps: npm audit
- Install: `securegit plugin install npm-audit`
**bundler-audit**
- Description: Ruby gem vulnerability scanner
- Language: Ruby
- Wraps: bundler-audit
- Install: `securegit plugin install bundler-audit`
**cargo-audit**
- Description: Rust dependency security scanner
- Language: Rust
- Wraps: cargo-audit
- Install: `securegit plugin install cargo-audit`
## Plugin Categories
### By Scan Phase
- **Pre-Extract**: Scan before archive extraction (archive validation)
- **Post-Extract**: Scan file contents (most common)
- **Git-Internals**: Scan .git directory for threats
- **Pre-Commit**: Scan staged changes before commit
- **Pre-Push**: Scan commits before push
### By Threat Type
- **Secrets**: API keys, passwords, tokens
- **Vulnerabilities**: Code-level security flaws
- **Malware**: Viruses, trojans, backdoors
- **Compliance**: Licenses, policies, standards
- **Dependencies**: Known CVEs in third-party code
- **Configuration**: Misconfigurations in IaC/containers
- **Binary**: Suspicious binary files
## Installation Methods
### From Registry
```bash
securegit plugin install <plugin-name>
```
### From URL
```bash
securegit plugin install https://github.com/user/plugin-repo
```
### From Local Path
```bash
securegit plugin install ./my-plugin
```
### Manual Installation
```bash
cp plugin-script ~/.config/securegit/plugins/
chmod +x ~/.config/securegit/plugins/plugin-script
```
## Plugin Management
### List Installed
```bash
securegit plugin list
```
### Update Plugins
```bash
securegit plugin update --all
securegit plugin update <plugin-name>
```
### Enable/Disable
```bash
securegit plugin enable <plugin-name>
securegit plugin disable <plugin-name>
```
### Remove
```bash
securegit plugin remove <plugin-name>
```
### Configuration
```bash
securegit plugin config <plugin-name>
```
## Creating Custom Organizational Plugins
Example: a company-specific policy scanner. As the script shows, a plugin receives the path of the file under scan as its first argument and prints a single JSON object on stdout with a `plugin_name` and a `findings` array; each finding carries an `id`, `title`, `description`, `severity`, `file_path`, `line_start` and `evidence`.
```bash
#!/bin/bash
# ~/.config/securegit/plugins/company-policy
# Company policy: no TODO/FIXME markers in code on the main branch.
# SecureGit passes the path of the file under scan as the first argument
# and expects one JSON object on stdout: {"plugin_name": ..., "findings": [...]}.
FILE="$1"

# Only readable source files are in scope; anything else yields an empty result,
# so the output is valid JSON even when the file is missing.
if [[ -r "$FILE" && "$FILE" =~ \.(py|js|go|rs)$ ]]; then
    # grep -n prefixes each match with its line number, e.g. "12:  # TODO fix".
    # The path is handed to jq with --arg instead of being spliced into the
    # program text, so file names containing quotes cannot break the JSON.
    grep -nE "TODO|FIXME" "$FILE" | \
    jq -R -s -c --arg file "$FILE" '
        split("\n") | map(select(length > 0)) | map(
            split(":") | {
                id: "COMPANY_TODO",
                title: "TODO/FIXME found in code",
                description: "Company policy requires resolving TODOs before merge",
                severity: "low",
                file_path: $file,
                line_start: (.[0] | tonumber),
                evidence: (.[1:] | join(":"))
            }
        ) | {
            plugin_name: "company-policy",
            findings: .
        }
    '
else
    echo '{"plugin_name":"company-policy","findings":[]}'
fi
```
## Recommended Plugin Sets
### Basic Security
```bash
securegit plugin install secrets patterns entropy binary
```
### Web Application Security
```bash
securegit plugin install bandit gosec eslint-security semgrep
```
### Container & Cloud
```bash
securegit plugin install trivy tfsec checkov hadolint
```
### Comprehensive Scan
```bash
securegit plugin install gitleaks trufflehog bandit gosec \
clamav yara-rules trivy licensee semgrep
```
### Enterprise Compliance
```bash
securegit plugin install detect-secrets licensee scancode \
company-policy audit-logger
```
## Contributing Plugins
### Submission Process
1. Create the plugin following the developer guide
2. Test the plugin thoroughly
3. Create a repository with the standard structure
4. Add `plugin.json` metadata
5. Submit a PR to the securegit-plugins repository
### Plugin Requirements
- Must output valid JSON
- Must handle errors gracefully
- Must include README with usage examples
- Must specify dependencies
- Must include test cases
- Should provide remediation guidance
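The two requirements that trip up most first plugins are "must output valid JSON" and "must handle errors gracefully": a plugin that splices file names or matched lines straight into a JSON template produces unparseable output the first time a path or line contains a double quote, and one that exits non-zero on a missing file can abort the whole scan. The script below is an added example, not code from the SecureGit project or its plugin repository, written to the same contract as the company-policy example in the previous section (file path in `$1`, one JSON object on stdout). The plugin name `private-key-check`, the finding id `KEY_MATERIAL` and the severity wording are chosen for this example. It needs no jq: every string is escaped before it is placed in the output, out-of-scope and unreadable files produce an empty but valid result with the diagnostic on stderr, and the evidence field carries only the header line, never the key material itself.

```shell
#!/bin/bash
# Added example plugin (not part of SecureGit): reports PEM private-key headers.
# Contract assumed from the company-policy example: file path in $1, one JSON
# object {"plugin_name": ..., "findings": [...]} on stdout, exit status 0.

PLUGIN_NAME="private-key-check"   # name chosen for this example

# Escape a string for use inside a JSON string literal: strip control
# characters (tab is kept and escaped), then escape backslash, quote and tab.
json_escape() {
    local tab
    tab=$(printf '\t')
    printf '%s' "$1" \
        | tr -d '\000-\010\013-\037' \
        | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g' -e "s/$tab/\\\\t/g"
}

# The always-valid fallback result, used for out-of-scope files and errors.
empty_result() {
    printf '{"plugin_name":"%s","findings":[]}\n' "$PLUGIN_NAME"
}

# One finding object. Only the header line is quoted as evidence; the key
# body that follows it is deliberately not copied into the report.
finding() {
    local file="$1" lineno="$2" text="$3"
    printf '{"id":"KEY_MATERIAL","title":"Private key header found","description":"Private keys must not be committed; rotate the key and remove it from history","severity":"high","file_path":"%s","line_start":%d,"evidence":"%s"}' \
        "$(json_escape "$file")" "$lineno" "$(json_escape "$text")"
}

# Scan one file and print the plugin result. Never exits non-zero: a missing
# or unreadable file is reported on stderr and yields an empty result so the
# host scan continues.
scan_file() {
    local file="$1" findings="" sep="" lineno=0 line
    if [ -z "$file" ] || [ ! -r "$file" ]; then
        echo "$PLUGIN_NAME: cannot read '$file'" >&2
        empty_result
        return 0
    fi
    # "|| [ -n "$line" ]" also processes a final line lacking a newline.
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            *"-----BEGIN "*"PRIVATE KEY-----"*)
                # Matches RSA, EC, OPENSSH and unqualified PRIVATE KEY headers.
                findings="${findings}${sep}$(finding "$file" "$lineno" "$line")"
                sep=","
                ;;
        esac
    done < "$file"
    printf '{"plugin_name":"%s","findings":[%s]}\n' "$PLUGIN_NAME" "$findings"
}

# Entry point when run by SecureGit: scan the file named on the command line.
if [ $# -gt 0 ]; then
    scan_file "$1"
fi
```

Installed with the manual method above (`cp` into `~/.config/securegit/plugins/` and `chmod +x`), the script can be checked locally by running it against a file that contains a header line such as `-----BEGIN RSA PRIVATE KEY-----` and piping the output through `jq .`; the same check on a path that does not exist should still print a parseable object with an empty `findings` array.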
### Quality Standards
- Fast execution (< 1 second for small files)
- Low false positive rate
- Clear, actionable findings
- Proper severity classification
- Comprehensive documentation
## Support & Resources
- Plugin Development Guide: `/docs/PLUGIN_DEVELOPMENT.md`
- Example Plugins: https://github.com/armyknifelabs-tools/securegit-plugins/examples
- Issue Tracker: https://github.com/armyknifelabs-tools/securegit/issues
- Community Discussions: https://github.com/armyknifelabs-tools/securegit/discussions