
feat: add ek scan #72

Merged: SiebeBaree merged 2 commits into feature/v0.4.0 from claude/romantic-pasteur-b53720 on May 20, 2026

Conversation

@SiebeBaree (Member) commented May 20, 2026

Summary by CodeRabbit

  • New Features
    • Added a new scan command to detect exposed secrets and sensitive data in your codebase.
    • Automatic management of the scanner tool: checks for presence, offers install with progress, and runs scans.
    • Rich terminal reporting: formatted scan results, masked secrets, remediation steps, and exit codes for CI use.
    • Small CLI spinner/UX improvements during install and long-running steps.
  • Chores
    • Package version bumped to 0.4.0.

@coderabbitai Bot commented May 20, 2026

Walkthrough

This PR adds a new scan CLI command that integrates the external betterleaks secret scanner. The feature bumps the package version to 0.4.0, extends the analytics initialization to conditionally skip auth lookup for the scan command, implements betterleaks binary discovery and installation, adds error catalog entries for scan failures, provides terminal UI components for progress and report display, and orchestrates the full scan workflow with analytics tracking, file targeting, and exit code management.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

  • Enkryptify/cli#68: Modifies analytics initialization and shutdown flow in src/cli.ts and src/lib/analytics.ts, overlapping with the main PR's conditional analytics changes for the scan command.
  • Enkryptify/cli#42: Introduces the PostHog/analytics integration wiring and analytics.init() flow that this PR builds upon with the skipAuthLookup parameter.
🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 52.38% which is insufficient. The required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'feat: add ek scan' clearly and concisely describes the main change: adding a new 'scan' command to the CLI, which aligns with the primary additions of src/cmd/scan.ts and related scanning infrastructure.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.

@coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/lib/betterleaks.ts`:
- Around line 80-82: Replace the two execSync(...) invocations with
execFileSync('tar', args, { stdio: "pipe" }) to avoid shell interpolation; for
the non-gzip branch use args = ['-xf', archivePath, '-C', tmpDir] and for the
gzip branch use args = ['-xzf', archivePath, '-C', tmpDir], keeping the same
stdio option and any existing error handling around those calls (referencing the
existing execSync calls and the archivePath/tmpDir variables).
- Around line 76-93: Update BETTERLEAKS_VERSION to "v1.2.0" and add checksum
verification for the downloaded archive before extracting and installing: after
building downloadUrl and saving to archivePath (symbols: downloadUrl,
archivePath) fetch or construct the expected checksum for that release (from the
release checksum file or hardcoded map for v1.2.0), compute the archive's digest
(e.g., SHA-256) and compare it to the expected value; if the checksum does not
match, throw CLIError.from("SCAN_INSTALL_FAILED") and abort; only proceed to
extract (tar commands referencing tmpDir and BINARY_NAME) and copy to
LOCAL_BINARY_PATH/INSTALL_DIR and chmod when verification passes.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 98f50ed3-6214-4b56-a41b-7c225f4250ca

📥 Commits

Reviewing files that changed from the base of the PR and between 8702826 and bc82c90.

📒 Files selected for processing (10)
  • package.json
  • src/cli.ts
  • src/cmd/index.ts
  • src/cmd/scan.ts
  • src/lib/analytics.ts
  • src/lib/betterleaks.ts
  • src/lib/config.ts
  • src/lib/errors.ts
  • src/ui/ScanReport.tsx
  • src/ui/Spinner.tsx

Comment thread: src/lib/betterleaks.ts (Outdated)

@coderabbitai Bot left a comment

♻️ Duplicate comments (1)
src/lib/betterleaks.ts (1)

76-82: ⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Verify the archive before extracting it.

This block still installs a network-fetched executable without checking its digest first. If the release asset is ever tampered with, the CLI will persist and later run that binary locally. Please fail closed on a checksum/signature mismatch before either tar invocation.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/lib/betterleaks.ts` around lines 76 - 82, Download currently writes the
asset to archivePath and extracts it with execFileSync without verifying
integrity; add a checksum/signature verification step before either tar
invocation. After receiving the response (the axios.get into response/data and
before fs.writeFileSync or immediately after), compute the archive digest (e.g.
crypto.createHash('sha256') over the Buffer from response.data or the saved
file) and compare it to the expected checksum/signature fetched from the release
metadata or a detached signature; if the check fails, delete archivePath, throw
an error and do not call execFileSync("tar", ...) — only proceed to extract (for
both the .zip and non-.zip branches) when the digest/signature verification
succeeds. Ensure error messages reference archivePath and the expected vs actual
digest for diagnostics.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 30c86150-3db7-4700-9052-d6495f3ceeee

📥 Commits

Reviewing files that changed from the base of the PR and between bc82c90 and 0b531e1.

📒 Files selected for processing (1)
  • src/lib/betterleaks.ts
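Both review comments above ask for the same two things in the betterleaks installer: run tar through execFileSync with an argument vector instead of execSync with an interpolated string, and refuse to extract a downloaded archive whose digest does not match the expected value. The following is an added example written for this review, not code from the Enkryptify CLI or from betterleaks. It assumes the expected SHA-256 is supplied by the caller (in practice taken from the release's checksum file for the pinned version); the function and variable names (stageDownload, verifyArchive, tarArgs, verifyAndExtract, ArchiveVerificationError) are the example's own.

```typescript
// Added example (not the Enkryptify CLI's own code): fail closed on a digest
// mismatch before any tar call, and invoke tar without a shell so the archive
// path and destination directory are passed as inert arguments.
import { execFileSync } from "node:child_process";
import * as crypto from "node:crypto";
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

/** Hex SHA-256 of an in-memory buffer (the downloaded response body). */
export function sha256Hex(data: Buffer): string {
  return crypto.createHash("sha256").update(data).digest("hex");
}

/** Constant-time comparison of two hex digests; false on empty or unequal length. */
export function digestsMatch(actualHex: string, expectedHex: string): boolean {
  const a = Buffer.from(actualHex, "hex");
  const b = Buffer.from(expectedHex, "hex");
  if (a.length === 0 || a.length !== b.length) return false;
  return crypto.timingSafeEqual(a, b);
}

/** Error carrying the archive path and both digests for diagnostics. */
export class ArchiveVerificationError extends Error {
  constructor(archivePath: string, expected: string, actual: string) {
    super(`Digest mismatch for ${archivePath}: expected ${expected}, got ${actual}`);
    this.name = "ArchiveVerificationError";
  }
}

/**
 * Writes downloaded bytes to a fresh scratch directory and returns the
 * archive path. Stands in for the "save response to archivePath" step;
 * the bytes are whatever the caller downloaded (or constructed for a test).
 */
export function stageDownload(bytes: Buffer, fileName: string): string {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), "ek-install-"));
  const archivePath = path.join(dir, fileName);
  fs.writeFileSync(archivePath, bytes);
  return archivePath;
}

/**
 * Verifies the archive on disk against the expected digest. On mismatch the
 * file is deleted and an error is thrown, so nothing downstream can extract it.
 * Returns the actual digest on success.
 */
export function verifyArchive(archivePath: string, expectedHex: string): string {
  const actual = sha256Hex(fs.readFileSync(archivePath));
  if (!digestsMatch(actual, expectedHex)) {
    fs.rmSync(archivePath, { force: true });
    throw new ArchiveVerificationError(archivePath, expectedHex, actual);
  }
  return actual;
}

/**
 * Argument vector for tar. Because execFileSync does not go through a shell,
 * spaces, quotes or $(...) inside archivePath/destDir are never interpreted.
 */
export function tarArgs(archivePath: string, destDir: string): string[] {
  const gzip = archivePath.endsWith(".gz") || archivePath.endsWith(".tgz");
  return [gzip ? "-xzf" : "-xf", archivePath, "-C", destDir];
}

/** Verify first, extract second; the tar call is unreachable on mismatch. */
export function verifyAndExtract(archivePath: string, destDir: string, expectedHex: string): void {
  verifyArchive(archivePath, expectedHex);
  execFileSync("tar", tarArgs(archivePath, destDir), { stdio: "pipe" });
}
```

The ordering matters: the digest check runs over the bytes actually written to disk, and the tampered file is removed before the error propagates, so a retry cannot accidentally pick up a stale, unverified archive.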

@SiebeBaree SiebeBaree merged commit e8a18ea into feature/v0.4.0 May 20, 2026
3 checks passed
@SiebeBaree SiebeBaree deleted the claude/romantic-pasteur-b53720 branch May 20, 2026 18:29
@coderabbitai coderabbitai Bot mentioned this pull request May 20, 2026