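#!/usr/bin/env bash
# setup.sh
# Run once after cloning on any VM where you want security scanning active.
#
# Steps, in order:
#   1. set the repo's git pull strategy to merge
#   2. prompt for Telegram credentials and write them to config.sh (mode 0600)
#   3. register the daily scan and log-cleanup cron jobs (idempotent)
#   4. source config.sh so the Telegram test further down can use it
#
# NOTE(review): in the copy reviewed here the config.sh here-document and the
# CRON_1..CRON_4 definitions were lost; they are reconstructed below from the
# schedules, script names and log paths this script itself prints. Confirm
# them against the repository before relying on them.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
readonly SCRIPT_DIR
# All scans append to dated logs here; the cleanup job prunes this directory.
LOG_DIR="$SCRIPT_DIR/logs"
readonly LOG_DIR

echo "=== Security Tools Setup ==="
echo ""

# ── Git config ────────────────────────────────────────────────────────────────
git -C "$SCRIPT_DIR" config pull.rebase false
echo "Git pull strategy set to merge."

# ── Telegram credentials ───────────────────────────────────────────────────────
if [[ -f "$SCRIPT_DIR/config.sh" ]]; then
  echo "config.sh already exists — skipping credential setup."
else
  echo "Enter your Telegram bot token:"
  # -s: the token is a secret — don't echo it to the terminal, a shared
  # screen or a session recording.
  read -rs BOT_TOKEN
  echo ""
  echo "Enter your Telegram chat ID:"
  read -r CHAT_ID
  if [[ -z "$BOT_TOKEN" || -z "$CHAT_ID" ]]; then
    echo "Error: bot token and chat ID must not be empty." >&2
    exit 1
  fi
  # Create the file owner-only *before* the secret lands in it; a chmod after
  # the write would leave a window where the token is world-readable under a
  # permissive umask. The subshell keeps the umask change local.
  (
    umask 077
    # %q shell-quotes the values so a token containing $ " ` or spaces still
    # round-trips through `source`. Variable names match what the scan scripts
    # read (TELEGRAM_BOT_TOKEN / TELEGRAM_CHAT_ID).
    printf 'TELEGRAM_BOT_TOKEN=%q\nTELEGRAM_CHAT_ID=%q\n' "$BOT_TOKEN" "$CHAT_ID" \
      > "$SCRIPT_DIR/config.sh"
  )
  echo "Credentials saved to config.sh (mode 0600)."
fi

# ── Cron jobs ──────────────────────────────────────────────────────────────────
mkdir -p "$LOG_DIR"

# '%' is a line separator in crontab lines and has to be escaped there; cron
# hands the unescaped form to sh, which then runs $(date +%Y%m%d).
DATE_EXPR='$(date +\%Y\%m\%d)'
# NOTE(review): reconstructed (see header). Paths are not quoted inside the
# cron lines, so SCRIPT_DIR must not contain whitespace — confirm or add quoting.
CRON_1="0 8 * * * bash $SCRIPT_DIR/npm-security-check.sh >> $LOG_DIR/npm-security-check-$DATE_EXPR.log 2>&1"
CRON_2="5 8 * * * bash $SCRIPT_DIR/check-nextjs-rce.sh >> $LOG_DIR/check-nextjs-rce-$DATE_EXPR.log 2>&1"
CRON_3="10 8 * * * bash $SCRIPT_DIR/check-npm-sudo-config.sh >> $LOG_DIR/check-npm-sudo-config-$DATE_EXPR.log 2>&1"
CRON_4="0 9 * * * find $LOG_DIR -name '*.log' -mtime +60 -delete"

#######################################
# True if the current user's crontab already contains the fixed string $1.
# A missing crontab (crontab -l exits non-zero) counts as "not registered".
#######################################
cron_has() {
  crontab -l 2>/dev/null | grep -qF -- "$1"
}

#######################################
# Append crontab line $1 to the current user's crontab, creating it if absent.
#######################################
cron_add() {
  local existing
  existing=$(crontab -l 2>/dev/null || true)
  {
    [[ -n "$existing" ]] && printf '%s\n' "$existing"
    printf '%s\n' "$1"
  } | crontab -
}

if cron_has "npm-security-check.sh"; then
  echo "Cron job for npm-security-check.sh already registered — skipping."
else
  cron_add "$CRON_1"
  echo "Cron job registered: npm-security-check.sh daily at 08:00."
fi

if cron_has "check-nextjs-rce.sh"; then
  echo "Cron job for check-nextjs-rce.sh already registered — skipping."
else
  cron_add "$CRON_2"
  echo "Cron job registered: check-nextjs-rce.sh daily at 08:05."
fi

if cron_has "check-npm-sudo-config.sh"; then
  echo "Cron job for check-npm-sudo-config.sh already registered — skipping."
else
  cron_add "$CRON_3"
  echo "Cron job registered: check-npm-sudo-config.sh daily at 08:10."
fi

if cron_has "logs -name '*.log'"; then
  echo "Log cleanup cron already registered — skipping."
else
  cron_add "$CRON_4"
  echo "Cron job registered: log cleanup daily at 09:00 (60 day retention)."
fi

# ── Test Telegram ──────────────────────────────────────────────────────────────
# config.sh is executed, not parsed: only source it from the checkout you own.
# shellcheck source=/dev/null
source "$SCRIPT_DIR/config.sh"
HOSTNAME=$(hostname)
echo ""
echo "Sending test Telegram message..."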
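# The bot token is part of the URL: keep `set -x` off around this call and
# never print the raw request. --data-urlencode encodes the values, so a
# hostname or chat ID containing '&', '+' or '%' cannot corrupt the form body.
# `|| RESPONSE=""` keeps a network failure on the "Warning:" path below instead
# of letting `set -e` abort setup with no message.
# NOTE(review): parse_mode=HTML is kept for compatibility, but ${HOSTNAME} is
# interpolated unescaped — a hostname containing '<' would make Telegram reject
# the message.
RESPONSE=$(curl -sS -X POST "https://api.telegram.org/bot${TELEGRAM_BOT_TOKEN}/sendMessage" \
  --data-urlencode "chat_id=${TELEGRAM_CHAT_ID}" \
  --data-urlencode "text=✅ Security Tools Active Host: ${HOSTNAME} Scripts registered and running daily at 08:00." \
  -d parse_mode="HTML") || RESPONSE=""

if grep -q '"ok":true' <<<"$RESPONSE"; then
  echo "Test message sent to Telegram."
else
  echo "Warning: Telegram message failed. Check your token and chat ID in config.sh." >&2
fi

echo ""
echo "Setup complete. Security scans will run daily at 08:00 on ${HOSTNAME}."

# ── Initial scan ───────────────────────────────────────────────────────────────
echo ""
echo "Running initial security scan..."

mkdir -p "$SCRIPT_DIR/logs"
# Evaluate the date once so every log of this run shares the same suffix even
# if the run straddles midnight.
TODAY=$(date +%Y%m%d)

#######################################
# Run one scan script and append its output to today's log for it.
# Arguments: $1 - script basename without .sh (e.g. npm-security-check)
# Outputs:   one status line on stdout
# The scan scripts exit non-zero when they find something, so that status is
# reported rather than treated as a fatal error.
#######################################
run_scan() {
  local name=$1
  if bash "$SCRIPT_DIR/$name.sh" >> "$SCRIPT_DIR/logs/$name-$TODAY.log" 2>&1; then
    echo "$name: done."
  else
    echo "$name: issues found — check Telegram."
  fi
}

run_scan npm-security-check
run_scan check-nextjs-rce

NPM_SUDO_LOG="$SCRIPT_DIR/logs/check-npm-sudo-config-$TODAY.log"
echo ""
echo "--- npm sudo config audit results ---"
# Under `set -o pipefail` a non-zero exit from the audit would otherwise abort
# setup right here, before the closing messages; report it like the other scans.
bash "$SCRIPT_DIR/check-npm-sudo-config.sh" 2>&1 | tee -a "$NPM_SUDO_LOG" \
  || echo "check-npm-sudo-config: issues found — check Telegram."
echo "-------------------------------------"

echo ""
echo "Initial scan complete. Check Telegram for any alerts."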