feat: implement user-aware executor for correct command context and enhance brew and python scanning

Author: shubham-stepsecurity

internal/detector/brewscan.go

@@ -3,6 +3,7 @@ package detector
 import (
 	"context"
 	"encoding/base64"
+	"strings"
 	"time"
 
 	"github.com/step-security/dev-machine-guard/internal/executor"
@@ -23,6 +24,7 @@ func NewBrewScanner(exec executor.Executor, log *progress.Logger) *BrewScanner {
 // ScanFormulae runs `brew list --formula --versions` and returns raw base64-encoded output.
 func (s *BrewScanner) ScanFormulae(ctx context.Context) (model.BrewScanResult, bool) {
 	if _, err := s.exec.LookPath("brew"); err != nil {
+		s.log.Progress("  brew not found in PATH for formulae scan")
 		return model.BrewScanResult{}, false
 	}
 
@@ -34,8 +36,15 @@ func (s *BrewScanner) ScanFormulae(ctx context.Context) (model.BrewScanResult, b
 	errMsg := ""
 	if exitCode != 0 {
 		errMsg = "brew list --formula --versions failed"
+		s.log.Progress("  Brew formulae scan failed: exit_code=%d stderr=%s", exitCode, stderr)
 	}
 
+	lineCount := len(strings.Split(strings.TrimSpace(stdout), "\n"))
+	if strings.TrimSpace(stdout) == "" {
+		lineCount = 0
+	}
+	s.log.Progress("  Brew formulae scan complete: %d lines, exit_code=%d, duration=%dms", lineCount, exitCode, duration)
+
 	return model.BrewScanResult{
 		ScanType:        "formulae",
 		RawStdoutBase64: base64.StdEncoding.EncodeToString([]byte(stdout)),
@@ -49,6 +58,7 @@ func (s *BrewScanner) ScanFormulae(ctx context.Context) (model.BrewScanResult, b
 // ScanCasks runs `brew list --cask --versions` and returns raw base64-encoded output.
 func (s *BrewScanner) ScanCasks(ctx context.Context) (model.BrewScanResult, bool) {
 	if _, err := s.exec.LookPath("brew"); err != nil {
+		s.log.Progress("  brew not found in PATH for casks scan")
 		return model.BrewScanResult{}, false
 	}
 
@@ -60,7 +70,14 @@ func (s *BrewScanner) ScanCasks(ctx context.Context) (model.BrewScanResult, bool
 	errMsg := ""
 	if exitCode != 0 {
 		errMsg = "brew list --cask --versions failed"
+		s.log.Progress("  Brew casks scan failed: exit_code=%d stderr=%s", exitCode, stderr)
+	}
+
+	lineCount := len(strings.Split(strings.TrimSpace(stdout), "\n"))
+	if strings.TrimSpace(stdout) == "" {
+		lineCount = 0
 	}
+	s.log.Progress("  Brew casks scan complete: %d lines, exit_code=%d, duration=%dms", lineCount, exitCode, duration)
 
 	return model.BrewScanResult{
 		ScanType:        "casks",

internal/detector/pythonproject.go

@@ -111,6 +111,25 @@ func (d *PythonProjectDetector) listInDir(dir string) []model.ProjectInfo {
 				(strings.HasPrefix(name, ".") && name != ".venv") {
 				return filepath.SkipDir
 			}
+
+			// Detect directories that contain a venv even without a marker file.
+			// A venv/ or .venv/ subdirectory is itself evidence of a Python project.
+			if !seen[path] {
+				if pipPath := d.findVenvPip(path); pipPath != "" {
+					seen[path] = true
+					pm := d.detectPM(path)
+					pkgs := d.listVenvPackages(ctx, pipPath)
+					projects = append(projects, model.ProjectInfo{
+						Path:           path,
+						PackageManager: pm,
+						Packages:       pkgs,
+					})
+					if len(projects) >= maxPythonProjects {
+						return filepath.SkipAll
+					}
+				}
+			}
+
 			return nil
 		}
 		if pythonMarkerFiles[entry.Name()] {
@@ -120,20 +139,13 @@ func (d *PythonProjectDetector) listInDir(dir string) []model.ProjectInfo {
 			}
 			seen[projectDir] = true
 
-			// Only include projects that have a virtual environment
+			// Only include marker-based projects that have a virtual environment
 			pipPath := d.findVenvPip(projectDir)
 			if pipPath == "" {
 				return nil
 			}
 
-			pm := pythonPMFromMarker[entry.Name()]
-			if d.exec.FileExists(filepath.Join(projectDir, "poetry.lock")) {
-				pm = "poetry"
-			} else if d.exec.FileExists(filepath.Join(projectDir, "Pipfile.lock")) {
-				pm = "pipenv"
-			} else if d.exec.FileExists(filepath.Join(projectDir, "uv.lock")) {
-				pm = "uv"
-			}
+			pm := d.detectPM(projectDir)
 
 			pkgs := d.listVenvPackages(ctx, pipPath)
 
@@ -150,3 +162,22 @@ func (d *PythonProjectDetector) listInDir(dir string) []model.ProjectInfo {
 	})
 	return projects
 }
+
+// detectPM determines the package manager for a project directory based on lock/marker files.
+func (d *PythonProjectDetector) detectPM(projectDir string) string {
+	if d.exec.FileExists(filepath.Join(projectDir, "poetry.lock")) {
+		return "poetry"
+	}
+	if d.exec.FileExists(filepath.Join(projectDir, "Pipfile.lock")) {
+		return "pipenv"
+	}
+	if d.exec.FileExists(filepath.Join(projectDir, "uv.lock")) {
+		return "uv"
+	}
+	for marker, pm := range pythonPMFromMarker {
+		if d.exec.FileExists(filepath.Join(projectDir, marker)) {
+			return pm
+		}
+	}
+	return "pip"
+}

internal/executor/user_aware.go

@@ -0,0 +1,86 @@
+package executor
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/user"
+	"strings"
+	"time"
+)
+
+// UserAwareExecutor wraps an Executor and delegates LookPath and RunWithTimeout
+// to the logged-in user when the process is running as root. This ensures that
+// commands like "brew list", "pip3 list", "npm --version" etc. execute in the
+// correct user context, since many tools refuse to run as root or return
+// different results for different users.
+//
+// All other Executor methods are forwarded unchanged.
+type UserAwareExecutor struct {
+	inner    Executor
+	username string // logged-in user to delegate to; empty = no delegation
+}
+
+// NewUserAwareExecutor returns a wrapped executor that delegates command execution
+// to the given user when running as root on Unix. If username is empty or the
+// process is not root, all calls pass through to the inner executor unchanged.
+func NewUserAwareExecutor(inner Executor, username string) Executor {
+	if username == "" || !inner.IsRoot() || inner.GOOS() == "windows" {
+		return inner // no wrapping needed
+	}
+	return &UserAwareExecutor{inner: inner, username: username}
+}
+
+func (e *UserAwareExecutor) Run(ctx context.Context, name string, args ...string) (string, string, int, error) {
+	cmd := name
+	for _, a := range args {
+		cmd += " " + a
+	}
+	stdout, err := e.inner.RunAsUser(ctx, e.username, cmd)
+	if err != nil {
+		return stdout, err.Error(), 1, err
+	}
+	return stdout, "", 0, nil
+}
+
+func (e *UserAwareExecutor) RunWithTimeout(ctx context.Context, timeout time.Duration, name string, args ...string) (string, string, int, error) {
+	ctx, cancel := context.WithTimeout(ctx, timeout)
+	defer cancel()
+	stdout, stderr, code, err := e.Run(ctx, name, args...)
+	if ctx.Err() == context.DeadlineExceeded {
+		return stdout, stderr, 124, fmt.Errorf("command timed out after %s", timeout)
+	}
+	return stdout, stderr, code, err
+}
+
+func (e *UserAwareExecutor) RunAsUser(ctx context.Context, username, command string) (string, error) {
+	return e.inner.RunAsUser(ctx, username, command)
+}
+
+func (e *UserAwareExecutor) LookPath(name string) (string, error) {
+	stdout, err := e.inner.RunAsUser(context.Background(), e.username, "which "+name)
+	if err != nil || strings.TrimSpace(stdout) == "" {
+		return "", fmt.Errorf("%s not found in user PATH", name)
+	}
+	return strings.TrimSpace(stdout), nil
+}
+
+// --- Pass-through methods ---
+
+func (e *UserAwareExecutor) FileExists(path string) bool         { return e.inner.FileExists(path) }
+func (e *UserAwareExecutor) DirExists(path string) bool          { return e.inner.DirExists(path) }
+func (e *UserAwareExecutor) ReadFile(path string) ([]byte, error) { return e.inner.ReadFile(path) }
+func (e *UserAwareExecutor) ReadDir(path string) ([]os.DirEntry, error) {
+	return e.inner.ReadDir(path)
+}
+func (e *UserAwareExecutor) Stat(path string) (os.FileInfo, error) { return e.inner.Stat(path) }
+func (e *UserAwareExecutor) Hostname() (string, error)             { return e.inner.Hostname() }
+func (e *UserAwareExecutor) Getenv(key string) string              { return e.inner.Getenv(key) }
+func (e *UserAwareExecutor) IsRoot() bool                          { return e.inner.IsRoot() }
+func (e *UserAwareExecutor) CurrentUser() (*user.User, error)      { return e.inner.CurrentUser() }
+func (e *UserAwareExecutor) HomeDir(username string) (string, error) {
+	return e.inner.HomeDir(username)
+}
+func (e *UserAwareExecutor) Glob(pattern string) ([]string, error) { return e.inner.Glob(pattern) }
+func (e *UserAwareExecutor) LoggedInUser() (*user.User, error)     { return e.inner.LoggedInUser() }
+func (e *UserAwareExecutor) GOOS() string                          { return e.inner.GOOS() }

internal/telemetry/telemetry.go

@@ -120,6 +120,13 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 		loggedInUsername = u.Username
 	}
 
+	// Create a user-aware executor that delegates commands to the logged-in user
+	// when running as root. This ensures tools like brew, pip3, npm etc. execute
+	// in the correct user context (many refuse to run as root or return different
+	// results). File-based detectors (IDE, extensions, MCP) use the original exec
+	// since file operations don't need user delegation.
+	userExec := executor.NewUserAwareExecutor(exec, loggedInUsername)
+
 	// Resolve search dirs
 	searchDirs := resolveSearchDirs(exec, cfg.SearchDirs)
 	fmt.Fprintln(os.Stderr)
@@ -148,7 +155,7 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 	fmt.Fprintln(os.Stderr)
 
 	log.Progress("Detecting AI CLI tools...")
-	cliTools := detector.NewAICLIDetector(exec).Detect(ctx)
+	cliTools := detector.NewAICLIDetector(userExec).Detect(ctx)
 	for _, t := range cliTools {
 		log.Progress("  Found: %s (%s) v%s at %s", t.Name, t.Vendor, t.Version, t.BinaryPath)
 	}
@@ -158,7 +165,7 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 	fmt.Fprintln(os.Stderr)
 
 	log.Progress("Detecting general-purpose AI agents...")
-	agents := detector.NewAgentDetector(exec).Detect(ctx, searchDirs)
+	agents := detector.NewAgentDetector(userExec).Detect(ctx, searchDirs)
 	for _, a := range agents {
 		log.Progress("  Found: %s (%s) at %s", a.Name, a.Vendor, a.InstallPath)
 	}
@@ -168,7 +175,7 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 	fmt.Fprintln(os.Stderr)
 
 	log.Progress("Detecting AI frameworks and runtimes...")
-	frameworks := detector.NewFrameworkDetector(exec).Detect(ctx)
+	frameworks := detector.NewFrameworkDetector(userExec).Detect(ctx)
 	for _, f := range frameworks {
 		running := "false"
 		if f.IsRunning != nil && *f.IsRunning {
@@ -206,17 +213,24 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 
 	if brewEnabled {
 		log.Progress("Detecting Homebrew...")
-		brewDetector := detector.NewBrewDetector(exec)
+		brewDetector := detector.NewBrewDetector(userExec)
 		brewPkgMgr = brewDetector.DetectBrew(ctx)
 		if brewPkgMgr != nil {
 			log.Progress("  Found: Homebrew v%s at %s", brewPkgMgr.Version, brewPkgMgr.Path)
-			brewScanner := detector.NewBrewScanner(exec, log)
+			brewScanner := detector.NewBrewScanner(userExec, log)
 			if r, ok := brewScanner.ScanFormulae(ctx); ok {
 				brewScans = append(brewScans, r)
+				log.Progress("  Formulae scan: exit_code=%d, error=%q, raw_len=%d", r.ExitCode, r.Error, len(r.RawStdoutBase64))
+			} else {
+				log.Progress("  Formulae scan: skipped (brew not in PATH)")
 			}
 			if r, ok := brewScanner.ScanCasks(ctx); ok {
 				brewScans = append(brewScans, r)
+				log.Progress("  Casks scan: exit_code=%d, error=%q, raw_len=%d", r.ExitCode, r.Error, len(r.RawStdoutBase64))
+			} else {
+				log.Progress("  Casks scan: skipped (brew not in PATH)")
 			}
+			log.Progress("  Total brew scans: %d", len(brewScans))
 		} else {
 			log.Progress("  Homebrew not found")
 		}
@@ -238,7 +252,7 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 
 	if pythonEnabled {
 		log.Progress("Detecting Python package managers...")
-		pyDetector := detector.NewPythonPMDetector(exec)
+		pyDetector := detector.NewPythonPMDetector(userExec)
 		pythonPkgManagers = pyDetector.DetectManagers(ctx)
 		for _, pm := range pythonPkgManagers {
 			log.Progress("  Found: %s v%s at %s", pm.Name, pm.Version, pm.Path)
@@ -248,7 +262,7 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 		}
 
 		log.Progress("Scanning Python global packages...")
-		pyScanner := detector.NewPythonScanner(exec, log)
+		pyScanner := detector.NewPythonScanner(userExec, log)
 		pythonGlobalPkgs = pyScanner.ScanGlobalPackages(ctx)
 		log.Progress("  Found %d Python global package source(s)", len(pythonGlobalPkgs))
 
@@ -277,7 +291,7 @@ func Run(exec executor.Executor, log *progress.Logger, cfg *cli.Config) error {
 		log.Progress("Node.js package scanning is ENABLED")
 
 		log.Progress("Detecting Node.js package managers...")
-		npmDetector := detector.NewNodePMDetector(exec)
+		npmDetector := detector.NewNodePMDetector(userExec)
 		pkgManagers = npmDetector.DetectManagers(ctx)
 		for _, pm := range pkgManagers {
 			log.Progress("  Found: %s v%s at %s", pm.Name, pm.Version, pm.Path)