Bump setup.sh to v1.1

.gitignore

@@ -1,2 +1,3 @@
 config.sh
+whitelist.conf
 logs/

README.md

@@ -55,6 +55,33 @@ After cloning, run `setup.sh` once. It will:
 - Send a test Telegram message confirming the VM is active
 - Create a `logs/` folder — logs are kept for 60 days then auto-deleted
 
+## Whitelisting Known-Safe Findings
+
+If a script flags something you know is safe, add it to `whitelist.conf` on that VM to suppress it in future scans. This file is VM-specific and never committed to git.
+
+Add a package name:
+```bash
+echo "ua-parser-js" >> ~/security-tools/whitelist.conf
+```
+
+Add a file path:
+```bash
+echo "/tmp/my-known-script.sh" >> ~/security-tools/whitelist.conf
+```
+
+View or edit the whitelist:
+```bash
+nano ~/security-tools/whitelist.conf
+```
+
+## Checking Script Versions
+
+To see which version of a script is running on a VM:
+```bash
+head -2 ~/security-tools/npm-security-check.sh
+head -2 ~/security-tools/check-nextjs-rce.sh
+```
+
 ## Updating an Existing VM
 
 When changes are pushed to this repo, update any VM by running:

check-nextjs-rce.sh

@@ -1,4 +1,5 @@
 #!/bin/bash
+# check-nextjs-rce.sh v1.0
 # Next.js CVE-2025-66478 / CVE-2025-55182 Vulnerability Checker
 # Checks if Next.js installations are vulnerable to critical RCE
 

npm-security-check.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# npm-security-check.sh
+# npm-security-check.sh v1.0
 # Scans for NPM/Node.js malware indicators on this VM.
 
 set -euo pipefail
@@ -18,6 +18,11 @@ send_telegram() {
 HOSTNAME=$(hostname)
 DATE=$(date)
 LOGFILE="${1:-npm_security_check_${HOSTNAME}_$(date +%Y%m%d_%H%M%S).log}"
+WHITELIST="$SCRIPT_DIR/whitelist.conf"
+
+is_whitelisted() {
+    [[ -f "$WHITELIST" ]] && grep -qF "$1" "$WHITELIST" 2>/dev/null
+}
 
 RED='\033[0;31m'
 YELLOW='\033[1;33m'
@@ -85,6 +90,10 @@ else
     COUNT=$(echo "$LOCKFILES" | wc -l)
     log "Scanning $COUNT lock file(s)..."
     for pkg in "${BAD_PKGS[@]}"; do
+        if is_whitelisted "$pkg"; then
+            ok "$pkg is whitelisted — skipping"
+            continue
+        fi
         MATCHES=$(echo "$LOCKFILES" | xargs grep -l "\"$pkg\"" 2>/dev/null || true)
         if [[ -n "$MATCHES" ]]; then
             fail "Found '$pkg' in: $MATCHES"
@@ -206,12 +215,14 @@ for dir in /tmp /dev/shm /var/tmp; do
     EXEC_FILES=$(find "$dir" -type f -executable 2>/dev/null | head -20 || true)
     JS_FILES=$(find "$dir" -name "*.js" -o -name "*.mjs" 2>/dev/null | head -10 || true)
     if [[ -n "$EXEC_FILES" ]]; then
-        warn "Executable files in $dir:"
-        log "$EXEC_FILES"
+        while IFS= read -r f; do
+            is_whitelisted "$f" && ok "$f is whitelisted — skipping" || { warn "Executable file in $dir: $f"; }
+        done <<< "$EXEC_FILES"
     fi
     if [[ -n "$JS_FILES" ]]; then
-        warn "JS files in $dir:"
-        log "$JS_FILES"
+        while IFS= read -r f; do
+            is_whitelisted "$f" && ok "$f is whitelisted — skipping" || { warn "JS file in $dir: $f"; }
+        done <<< "$JS_FILES"
     fi
 done
 ok "Temp directory scan complete"

setup.sh

@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# setup.sh
+# setup.sh v1.1
 # Run once after cloning on any VM where you want security scanning active.
 
 set -euo pipefail
@@ -35,6 +35,25 @@ chmod +x "$SCRIPT_DIR/check-nextjs-rce.sh"
 # ── Create logs directory ──────────────────────────────────────────────────────
 mkdir -p "$SCRIPT_DIR/logs"
 
+# ── Create whitelist if absent ─────────────────────────────────────────────────
+if [[ ! -f "$SCRIPT_DIR/whitelist.conf" ]]; then
+    cat > "$SCRIPT_DIR/whitelist.conf" <<'EOF'
+# whitelist.conf — one entry per line, exact match against package names or file paths
+# Example:
+#   ua-parser-js
+#   /tmp/my-known-safe-script.sh
+EOF
+    echo "whitelist.conf created — add known-safe items to suppress false positives."
+fi
+
+# ── Ensure cron is available ──────────────────────────────────────────────────
+if ! command -v crontab &>/dev/null; then
+    echo "cron not found — installing..."
+    apt install cron -y
+    systemctl enable cron
+    systemctl start cron
+fi
+
 # ── Cron jobs ──────────────────────────────────────────────────────────────────
 CRON_1="0 8 * * * $SCRIPT_DIR/npm-security-check.sh >> $SCRIPT_DIR/logs/npm-security-check-\$(date +\%Y\%m\%d).log 2>&1"
 CRON_2="5 8 * * * $SCRIPT_DIR/check-nextjs-rce.sh >> $SCRIPT_DIR/logs/check-nextjs-rce-\$(date +\%Y\%m\%d).log 2>&1"