feat(scan): add vtk scan credentials for security incident response (#68)

* feat(scan): add vtk scan credentials for security incident response

Adds a credential audit command that checks for credentials present on
the machine and provides rotation instructions. Useful after any
security incident.

Checks:
- NPM: ~/.npmrc, $NPM_TOKEN, $NPM_CONFIG_TOKEN
- AWS: ~/.aws/credentials, ~/.aws/config, env vars
- GCP: ADC, $GOOGLE_APPLICATION_CREDENTIALS
- Azure: ~/.azure/, $AZURE_CLIENT_SECRET
- GitHub: ~/.config/gh/hosts.yml, $GITHUB_TOKEN, $GH_TOKEN
- SSH: Private keys in ~/.ssh/
- Docker: ~/.docker/config.json
- Kubernetes: ~/.kube/config
- Environment: Sensitive env vars

Exit codes: 0 = no credentials, 1 = credentials found

Closes: va.ghe.com/software/eert/issues/95

* fix: move constant above private to fix RuboCop warning

Author: ericboehs

README.md

@@ -100,6 +100,41 @@ $ vtk scan machine --quiet && echo "Clean" || echo "Check machine!"
 
 ---
 
+```
+$ vtk scan credentials
+```
+
+The **credentials subcommand** audits which credentials are present on your machine and provides rotation instructions for each. Run this after a suspected or confirmed security incident.
+
+**What it checks:**
+- **NPM**: `~/.npmrc`, `$NPM_TOKEN`, `$NPM_CONFIG_TOKEN`
+- **AWS**: `~/.aws/credentials`, `~/.aws/config`, `$AWS_ACCESS_KEY_ID`, `$AWS_SECRET_ACCESS_KEY`
+- **GCP**: `~/.config/gcloud/application_default_credentials.json`, `$GOOGLE_APPLICATION_CREDENTIALS`
+- **Azure**: `~/.azure/` directory, `$AZURE_CLIENT_SECRET`
+- **GitHub**: `~/.config/gh/hosts.yml`, `$GITHUB_TOKEN`, `$GH_TOKEN`, `~/.git-credentials`
+- **SSH**: Private keys in `~/.ssh/`
+- **Docker**: `~/.docker/config.json`
+- **Kubernetes**: `~/.kube/config`
+- **Environment**: Sensitive env vars (token, secret, password, etc.)
+
+**Exit codes:**
+- `0` - No credentials found
+- `1` - Credentials found (rotation recommended)
+
+**Options:**
+- `--verbose` / `-v` - Show all checks including clean ones
+- `--json` / `-j` - JSON output format
+
+Example:
+```
+$ vtk scan credentials --json | jq -r '.credentials[].service' | sort -u
+AWS
+GitHub
+SSH
+```
+
+---
+
 ### Help
 
 For helpful information about commands and subcommands run the following:

lib/vtk/commands/scan.rb

@@ -54,9 +54,22 @@ def repo(path = nil)
         end
       end
 
-      # Future subcommands:
-      # desc 'repos', 'Scan all Node.js projects in common directories'
-      # desc 'credentials', 'Inventory credentials that may need rotation'
+      desc 'credentials', 'Audit credentials that may need rotation after a security incident'
+      method_option :help, aliases: '-h', type: :boolean,
+                           desc: 'Display usage information'
+      method_option :verbose, aliases: '-v', type: :boolean,
+                              desc: 'Show all checks including clean ones'
+      method_option :json, aliases: '-j', type: :boolean,
+                           desc: 'Output results as JSON'
+      def credentials
+        if options[:help]
+          invoke :help, ['credentials']
+        else
+          require_relative 'scan/credentials'
+          exit_status = Vtk::Commands::Scan::Credentials.new(options).execute
+          exit exit_status
+        end
+      end
     end
   end
 end

lib/vtk/commands/scan/credentials.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'English'
+require_relative '../../command'
+
+module Vtk
+  module Commands
+    class Scan
+      # Audit credentials that may have been accessed by Shai-Hulud malware
+      class Credentials < Vtk::Command
+        attr_reader :options
+
+        def initialize(options)
+          @options = options
+          super()
+        end
+
+        OPTION_FLAGS = {
+          verbose: '--verbose',
+          json: '--json'
+        }.freeze
+
+        def execute(output: $stdout)
+          @output = output
+
+          script_path, gem_root = find_script
+          return script_not_found(output, gem_root) unless script_path
+
+          run_script(script_path)
+        end
+
+        private
+
+        def script_not_found(output, gem_root)
+          output.puts 'ERROR: Could not find credential-audit.sh script'
+          output.puts "Expected at: #{gem_root}/scripts/credential-audit.sh"
+          1
+        end
+
+        def run_script(script_path)
+          cmd = ['bash', script_path]
+          cmd += OPTION_FLAGS.filter_map { |key, flag| flag if options[key] }
+
+          system(*cmd)
+          $CHILD_STATUS.exitstatus
+        end
+
+        def find_script
+          gem_root = File.expand_path('../../../..', __dir__)
+          script_path = File.join(gem_root, 'scripts', 'credential-audit.sh')
+
+          return [script_path, gem_root] if File.exist?(script_path)
+
+          [nil, gem_root]
+        end
+      end
+    end
+  end
+end