feat(llm-security-copilot): port llm-security v5.1.0 to GitHub Copilot CLI
Full port of llm-security plugin for internal use on Windows with GitHub Copilot CLI. Protocol translation layer (copilot-hook-runner.mjs) normalizes Copilot camelCase I/O to Claude Code snake_case format — all original hook scripts run unmodified. - 8 hooks with protocol translation (stdin/stdout/exit code) - 18 SKILL.md skills (Agent Skills Open Standard) - 6 .agent.md agent definitions - 20 scanners + 14 scanner lib modules (unchanged) - 14 knowledge files (unchanged) - 39 test files including copilot-port-verify.mjs (17 tests) - Windows-ready: node:path, os.tmpdir(), process.execPath, no bash Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
901bf0ae12
commit
f418a8fe08
169 changed files with 37631 additions and 0 deletions
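--- a/plugins/llm-security-copilot/tests/scanners/entropy.test.mjs
+++ b/plugins/llm-security-copilot/tests/scanners/entropy.test.mjs
@@ -0,0 +1,98 @@
+// entropy.test.mjs — Integration tests for the entropy-scanner
+// Tests against the evil-project-health fixture which contains:
+// - ENCODED_CONFIG: base64 blob in SKILL.fixture.md
+// - auth_credential: high-entropy hardcoded credential in telemetry.mjs
+
+import { describe, it, beforeEach } from 'node:test';
+import assert from 'node:assert/strict';
+import { resolve } from 'node:path';
+import { fileURLToPath } from 'node:url';
+import { resetCounter } from '../../scanners/lib/output.mjs';
+import { discoverFiles } from '../../scanners/lib/file-discovery.mjs';
+import { scan } from '../../scanners/entropy-scanner.mjs';
+
+const __dirname = fileURLToPath(new URL('.', import.meta.url));
+const FIXTURE = resolve(__dirname, '../../examples/malicious-skill-demo/evil-project-health');
+
+describe('entropy-scanner integration', () => {
+let discovery;
+
+beforeEach(async () => {
+resetCounter();
+discovery = await discoverFiles(FIXTURE);
+});
+
+it('returns status ok', async () => {
+const result = await scan(FIXTURE, discovery);
+assert.equal(result.status, 'ok', `Expected status 'ok', got '${result.status}'`);
+});
+
+it('scans at least one file', async () => {
+const result = await scan(FIXTURE, discovery);
+assert.ok(result.files_scanned >= 1, `Expected files_scanned >= 1, got ${result.files_scanned}`);
+});
+
+it('detects at least 1 high-entropy string (base64 payload in telemetry.mjs)', async () => {
+// The scanner suppresses fixture/ and test/ paths, so only telemetry.mjs is live-scanned.
+// The base64 ENCODED_CONFIG (len=84, H≈5.18) triggers a HIGH finding.
+// The auth_credential (len=32) is below the 40-char MEDIUM minimum length threshold.
+const result = await scan(FIXTURE, discovery);
+assert.ok(
+result.findings.length >= 1,
+`Expected >= 1 high-entropy finding, got ${result.findings.length}. ` +
+`Findings: ${result.findings.map(f => `${f.file}:${f.line} ${f.evidence}`).join('; ')}`
+);
+});
+
+it('reports findings with HIGH or CRITICAL severity', async () => {
+const result = await scan(FIXTURE, discovery);
+const highOrCritical = result.findings.filter(
+f => f.severity === 'high' || f.severity === 'critical'
+);
+assert.ok(
+highOrCritical.length >= 1,
+`Expected at least 1 HIGH or CRITICAL entropy finding, got ${highOrCritical.length}`
+);
+});
+
+it('assigns correct scanner prefix ENT to all findings', async () => {
+const result = await scan(FIXTURE, discovery);
+const wrongPrefix = result.findings.filter(f => !f.id.startsWith('DS-ENT-'));
+assert.equal(
+wrongPrefix.length, 0,
+`All findings should have DS-ENT- prefix. Wrong: ${wrongPrefix.map(f => f.id).join(', ')}`
+);
+});
+
+it('finding IDs are sequential starting from DS-ENT-001 after reset', async () => {
+const result = await scan(FIXTURE, discovery);
+if (result.findings.length === 0) return;
+assert.equal(result.findings[0].id, 'DS-ENT-001');
+});
+
+it('all findings include entropy value in evidence', async () => {
+const result = await scan(FIXTURE, discovery);
+for (const f of result.findings) {
+assert.ok(
+f.evidence && f.evidence.includes('H='),
+`Finding ${f.id} evidence should include H= entropy value, got: ${f.evidence}`
+);
+}
+});
+
+it('all findings map to LLM01 or LLM03 owasp category', async () => {
+const result = await scan(FIXTURE, discovery);
+for (const f of result.findings) {
+assert.ok(
+f.owasp === 'LLM01' || f.owasp === 'LLM03',
+`Finding ${f.id} owasp should be LLM01 or LLM03, got: ${f.owasp}`
+);
+}
+});
+
+it('duration_ms is a non-negative number', async () => {
+const result = await scan(FIXTURE, discovery);
+assert.ok(typeof result.duration_ms === 'number', 'duration_ms should be a number');
+assert.ok(result.duration_ms >= 0, 'duration_ms should be >= 0');
+});
+});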
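Review bot: The detection test (`it('detects at least 1 high-entropy string ...')`) only asserts a finding count, so it cannot distinguish the intended ENCODED_CONFIG hit from any incidental high-entropy token, and the comment that the 32-char `auth_credential` falls under the 40-char minimum is never asserted — a 32-character hardcoded secret (a very common key length) slipping past the entropy scanner is a real detection gap that this test silently accepts. Pin the finding to its source and make the gap visible, e.g. `assert.ok(result.findings.some(f => String(f.file).endsWith('telemetry.mjs')), 'ENCODED_CONFIG finding should come from telemetry.mjs');` followed by an explicit assertion (or a TODO) that no finding covers the credential, so the test fails the day the threshold is lowered and the expectation must be revisited. The file header says ENCODED_CONFIG lives in `SKILL.fixture.md` while the test title and inline comment place it in `telemetry.mjs`; if the scanner really suppresses fixture/ paths as the comment claims, one of the two statements is wrong and the header comment should be corrected to match whichever file the finding actually comes from. The `finding IDs are sequential` test returns early on zero findings, which makes it pass vacuously if detection regresses; since the suite already requires at least one finding, replace the early return with `assert.ok(result.findings.length > 0, 'expected at least one finding to check ID sequencing');` to keep the regression visible.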