verifyos-cli 0.13.1

AI agent-friendly Rust CLI for scanning iOS app bundles for App Store rejection risks before submission.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

use crate::rules::core::{
    AppStoreRule, ArtifactContext, RuleCategory, RuleError, RuleReport, RuleStatus, Severity,
};
use std::path::Path;

pub struct BundleResourceLeakageRule;

impl AppStoreRule for BundleResourceLeakageRule {
    fn id(&self) -> &'static str {
        "RULE_BUNDLE_RESOURCE_LEAKAGE"
    }

    fn name(&self) -> &'static str {
        "Sensitive Files in Bundle"
    }

    fn category(&self) -> RuleCategory {
        RuleCategory::Bundling
    }

    fn severity(&self) -> Severity {
        Severity::Error
    }

    fn recommendation(&self) -> &'static str {
        "Remove certificates, provisioning profiles, or env files from the app bundle before submission."
    }

    fn evaluate(&self, artifact: &ArtifactContext) -> Result<RuleReport, RuleError> {
        let offenders = scan_bundle_for_sensitive_files(artifact, 80);

        if offenders.is_empty() {
            return Ok(RuleReport {
                status: RuleStatus::Pass,
                message: Some("No sensitive files found in bundle".to_string()),
                evidence: None,
            });
        }

        Ok(RuleReport {
            status: RuleStatus::Fail,
            message: Some("Sensitive files found in bundle".to_string()),
            evidence: Some(offenders.join(" | ")),
        })
    }
}

fn scan_bundle_for_sensitive_files(artifact: &ArtifactContext, limit: usize) -> Vec<String> {
    let mut hits = Vec::new();

    for path in artifact.bundle_file_paths() {
        if is_sensitive_path(&path) {
            let display = match path.strip_prefix(artifact.app_bundle_path) {
                Ok(rel) => rel.display().to_string(),
                Err(_) => path.display().to_string(),
            };
            hits.push(display);
            if hits.len() >= limit {
                return hits;
            }
        }
    }

    hits
}

fn is_sensitive_path(path: &Path) -> bool {
    let name = path
        .file_name()
        .and_then(|n| n.to_str())
        .unwrap_or("")
        .to_ascii_lowercase();

    if name == ".env" || name.ends_with(".env") {
        return true;
    }

    if matches!(
        path.extension().and_then(|e| e.to_str()).map(|s| s.to_ascii_lowercase()),
        Some(ext) if ext == "p12" || ext == "pfx" || ext == "pem" || ext == "key"
    ) {
        return true;
    }

    if name == "embedded.mobileprovision" {
        return true;
    }

    if name.ends_with(".mobileprovision") {
        return true;
    }

    if name.contains("secret") || name.contains("apikey") || name.contains("api_key") {
        return true;
    }

    false
}