@capgo/capgo-sec 1.0.4

package/src/rules/android.ts

@@ -0,0 +1,392 @@
+import type { Rule, Finding } from '../types.js';
+
+export const androidRules: Rule[] = [
+  {
+    id: 'AND001',
+    name: 'Android Cleartext Traffic Allowed',
+    description: 'Detects usesCleartextTraffic enabled in Android manifest',
+    severity: 'critical',
+    category: 'android',
+    filePatterns: ['**/AndroidManifest.xml', '**/network_security_config.xml'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      if (filePath.includes('AndroidManifest.xml')) {
+        const cleartextPattern = /usesCleartextTraffic\s*=\s*["']true["']/i;
+        if (cleartextPattern.test(content)) {
+          const match = content.match(cleartextPattern);
+          if (match) {
+            const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+            findings.push({
+              ruleId: 'AND001',
+              ruleName: 'Android Cleartext Traffic Allowed',
+              severity: 'critical',
+              category: 'android',
+              message: 'usesCleartextTraffic="true" allows unencrypted HTTP traffic',
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Set usesCleartextTraffic="false" and use HTTPS exclusively.',
+              references: ['https://developer.android.com/guide/topics/manifest/application-element#usesCleartextTraffic']
+            });
+          }
+        }
+      }
+
+      if (filePath.includes('network_security_config.xml')) {
+        const cleartextDomainPattern = /cleartextTrafficPermitted\s*=\s*["']true["']/i;
+        if (cleartextDomainPattern.test(content)) {
+          const match = content.match(cleartextDomainPattern);
+          if (match) {
+            const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+            findings.push({
+              ruleId: 'AND001',
+              ruleName: 'Android Cleartext Traffic Allowed',
+              severity: 'critical',
+              category: 'android',
+              message: 'Network security config allows cleartext traffic for specific domains',
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Remove cleartext traffic permissions. Use HTTPS for all domains.',
+              references: ['https://developer.android.com/training/articles/security-config']
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Disable cleartext traffic and enforce HTTPS.'
+  },
+  {
+    id: 'AND002',
+    name: 'Android Debug Mode Enabled',
+    description: 'Detects debuggable flag enabled in Android manifest',
+    severity: 'critical',
+    category: 'android',
+    filePatterns: ['**/AndroidManifest.xml', '**/build.gradle', '**/build.gradle.kts'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      if (filePath.includes('AndroidManifest.xml')) {
+        const debugPattern = /android:debuggable\s*=\s*["']true["']/i;
+        if (debugPattern.test(content)) {
+          const match = content.match(debugPattern);
+          if (match) {
+            const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+            findings.push({
+              ruleId: 'AND002',
+              ruleName: 'Android Debug Mode Enabled',
+              severity: 'critical',
+              category: 'android',
+              message: 'android:debuggable="true" allows debugging and code inspection',
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Remove android:debuggable or set to false for release builds.',
+              references: ['https://developer.android.com/guide/topics/manifest/application-element#debug']
+            });
+          }
+        }
+      }
+
+      if (filePath.includes('build.gradle')) {
+        // Check for debuggable true in release build type
+        const releaseDebugPattern = /release\s*\{[^}]*debuggable\s*(?:=\s*)?true/i;
+        if (releaseDebugPattern.test(content)) {
+          const match = content.match(releaseDebugPattern);
+          if (match) {
+            const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+            findings.push({
+              ruleId: 'AND002',
+              ruleName: 'Android Debug Mode Enabled',
+              severity: 'critical',
+              category: 'android',
+              message: 'Release build has debuggable=true enabled',
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Set debuggable false for release build type.',
+              references: ['https://developer.android.com/studio/build/build-variants']
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Disable debugging in release builds.'
+  },
+  {
+    id: 'AND003',
+    name: 'Insecure Android Permissions',
+    description: 'Detects dangerous or unnecessary Android permissions',
+    severity: 'high',
+    category: 'android',
+    filePatterns: ['**/AndroidManifest.xml'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      const dangerousPermissions = [
+        { name: 'READ_CONTACTS', severity: 'medium' as const },
+        { name: 'WRITE_CONTACTS', severity: 'medium' as const },
+        { name: 'READ_CALL_LOG', severity: 'high' as const },
+        { name: 'WRITE_CALL_LOG', severity: 'high' as const },
+        { name: 'READ_SMS', severity: 'high' as const },
+        { name: 'SEND_SMS', severity: 'high' as const },
+        { name: 'RECEIVE_SMS', severity: 'high' as const },
+        { name: 'RECORD_AUDIO', severity: 'high' as const },
+        { name: 'READ_EXTERNAL_STORAGE', severity: 'medium' as const },
+        { name: 'WRITE_EXTERNAL_STORAGE', severity: 'medium' as const },
+        { name: 'ACCESS_FINE_LOCATION', severity: 'medium' as const },
+        { name: 'ACCESS_BACKGROUND_LOCATION', severity: 'high' as const },
+        { name: 'CAMERA', severity: 'medium' as const },
+        { name: 'SYSTEM_ALERT_WINDOW', severity: 'high' as const },
+        { name: 'REQUEST_INSTALL_PACKAGES', severity: 'critical' as const },
+        { name: 'BIND_ACCESSIBILITY_SERVICE', severity: 'critical' as const }
+      ];
+
+      for (const perm of dangerousPermissions) {
+        const pattern = new RegExp(`uses-permission[^>]*android.permission.${perm.name}`, 'i');
+        if (pattern.test(content)) {
+          const match = content.match(pattern);
+          if (match) {
+            const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+            findings.push({
+              ruleId: 'AND003',
+              ruleName: 'Insecure Android Permissions',
+              severity: perm.severity,
+              category: 'android',
+              message: `Dangerous permission ${perm.name} declared`,
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Only request permissions that are strictly necessary. Review if this permission is required.',
+              references: ['https://developer.android.com/guide/topics/permissions/overview']
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Review and minimize permission requests to only what is necessary.'
+  },
+  {
+    id: 'AND004',
+    name: 'Android Backup Allowed',
+    description: 'Detects when Android auto-backup is enabled for app data',
+    severity: 'medium',
+    category: 'android',
+    filePatterns: ['**/AndroidManifest.xml'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check if allowBackup is explicitly set to true or not set (defaults to true)
+      const allowBackupTrue = /android:allowBackup\s*=\s*["']true["']/i;
+      const allowBackupSet = /android:allowBackup\s*=\s*["'](?:true|false)["']/i;
+
+      if (allowBackupTrue.test(content)) {
+        const match = content.match(allowBackupTrue);
+        if (match) {
+          const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+          findings.push({
+            ruleId: 'AND004',
+            ruleName: 'Android Backup Allowed',
+            severity: 'medium',
+            category: 'android',
+            message: 'android:allowBackup="true" allows backup of app data including sensitive information',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Set android:allowBackup="false" or configure backup_rules to exclude sensitive data.',
+            references: ['https://developer.android.com/guide/topics/data/autobackup']
+          });
+        }
+      } else if (!allowBackupSet.test(content) && content.includes('<application')) {
+        // Not set at all - defaults to true
+        findings.push({
+          ruleId: 'AND004',
+          ruleName: 'Android Backup Allowed',
+          severity: 'medium',
+          category: 'android',
+          message: 'android:allowBackup not set (defaults to true), allowing backup of app data',
+          filePath,
+          line: 1,
+          remediation: 'Explicitly set android:allowBackup="false" or configure backup rules.',
+          references: ['https://developer.android.com/guide/topics/data/autobackup']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Disable auto-backup or configure backup rules to exclude sensitive data.'
+  },
+  {
+    id: 'AND005',
+    name: 'Exported Components Without Permission',
+    description: 'Detects exported activities/services/receivers without proper permission protection',
+    severity: 'high',
+    category: 'android',
+    filePatterns: ['**/AndroidManifest.xml'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for exported components without permission
+      const componentTypes = ['activity', 'service', 'receiver', 'provider'];
+
+      for (const type of componentTypes) {
+        const exportedPattern = new RegExp(`<${type}[^>]*android:exported\\s*=\\s*["']true["'][^>]*>`, 'gi');
+        let match;
+
+        while ((match = exportedPattern.exec(content)) !== null) {
+          const component = match[0];
+          const hasPermission = /android:permission\s*=/.test(component);
+
+          if (!hasPermission) {
+            const lineNum = content.substring(0, match.index).split('\n').length;
+            findings.push({
+              ruleId: 'AND005',
+              ruleName: 'Exported Components Without Permission',
+              severity: 'high',
+              category: 'android',
+              message: `Exported ${type} without permission protection`,
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: `Add android:permission to protect the exported ${type} or set exported="false" if external access is not needed.`,
+              references: ['https://developer.android.com/guide/components/intents-filters']
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Protect exported components with appropriate permissions.'
+  },
+  {
+    id: 'AND006',
+    name: 'WebView JavaScript Enabled Without Safeguards',
+    description: 'Detects WebView with JavaScript enabled but without proper security measures',
+    severity: 'high',
+    category: 'android',
+    filePatterns: ['**/*.java', '**/*.kt'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      const jsEnabledPattern = /setJavaScriptEnabled\s*\(\s*true\s*\)/g;
+
+      let match;
+      while ((match = jsEnabledPattern.exec(content)) !== null) {
+        const context = content.substring(Math.max(0, match.index - 500), match.index + 500);
+
+        // Check for security measures
+        const hasFileAccess = /setAllowFileAccess\s*\(\s*false\s*\)/.test(context);
+        const hasContentAccess = /setAllowContentAccess\s*\(\s*false\s*\)/.test(context);
+
+        if (!hasFileAccess || !hasContentAccess) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'AND006',
+            ruleName: 'WebView JavaScript Enabled Without Safeguards',
+            severity: 'high',
+            category: 'android',
+            message: 'WebView has JavaScript enabled without disabling file/content access',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Disable setAllowFileAccess(false) and setAllowContentAccess(false) when JavaScript is enabled.',
+            references: ['https://developer.android.com/reference/android/webkit/WebSettings']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Disable file and content access in WebView when JavaScript is enabled.'
+  },
+  {
+    id: 'AND007',
+    name: 'Insecure WebView addJavascriptInterface',
+    description: 'Detects addJavascriptInterface usage which can be exploited on older Android versions',
+    severity: 'high',
+    category: 'android',
+    filePatterns: ['**/*.java', '**/*.kt'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      const jsInterfacePattern = /addJavascriptInterface\s*\(/g;
+
+      let match;
+      while ((match = jsInterfacePattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, match.index).split('\n').length;
+        findings.push({
+          ruleId: 'AND007',
+          ruleName: 'Insecure WebView addJavascriptInterface',
+          severity: 'high',
+          category: 'android',
+          message: 'addJavascriptInterface can be exploited for code injection on Android < 4.2',
+          filePath,
+          line: lineNum,
+          codeSnippet: lines[lineNum - 1]?.trim(),
+          remediation: 'Ensure minSdkVersion is >= 17 (Android 4.2) or use @JavascriptInterface annotation.',
+          references: ['https://developer.android.com/reference/android/webkit/WebView#addJavascriptInterface']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Use @JavascriptInterface annotation and ensure minSdkVersion >= 17.'
+  },
+  {
+    id: 'AND008',
+    name: 'Hardcoded Signing Key',
+    description: 'Detects hardcoded signing key passwords or keystores in build files',
+    severity: 'critical',
+    category: 'android',
+    filePatterns: ['**/build.gradle', '**/build.gradle.kts'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for hardcoded signing config
+      const patterns = [
+        /storePassword\s*(?:=|:)\s*['"][^'"]+['"]/i,
+        /keyPassword\s*(?:=|:)\s*['"][^'"]+['"]/i,
+        /storeFile\s*(?:=|:)\s*file\s*\(['"][^'"]+\.jks['"]\)/i
+      ];
+
+      for (const pattern of patterns) {
+        const matches = content.match(pattern);
+        if (matches) {
+          const match = matches[0];
+          const lineNum = content.substring(0, content.indexOf(match)).split('\n').length;
+          findings.push({
+            ruleId: 'AND008',
+            ruleName: 'Hardcoded Signing Key',
+            severity: 'critical',
+            category: 'android',
+            message: 'Signing key credentials appear to be hardcoded in build file',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim().replace(/['"][^'"]{5,}['"]/g, '"***REDACTED***"'),
+            remediation: 'Use environment variables or keystore.properties file excluded from version control.',
+            references: ['https://developer.android.com/studio/publish/app-signing']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Move signing credentials to environment variables or excluded properties files.'
+  }
+];

package/src/rules/authentication.ts

@@ -0,0 +1,261 @@
+import type { Rule, Finding } from '../types.js';
+
+export const authenticationRules: Rule[] = [
+  {
+    id: 'AUTH001',
+    name: 'Weak JWT Validation',
+    description: 'Detects JWT handling without proper validation',
+    severity: 'high',
+    category: 'authentication',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for JWT decode without verify
+      const jwtDecodePattern = /jwt\.decode\s*\(|jwtDecode\s*\(|atob\s*\([^)]*\.split\s*\(['"]\.['"]|JSON\.parse.*base64/gi;
+
+      let match;
+      while ((match = jwtDecodePattern.exec(content)) !== null) {
+        const context = content.substring(match.index, Math.min(content.length, match.index + 300));
+        const hasVerify = /verify|validate|check.*signature/i.test(context);
+
+        if (!hasVerify) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'AUTH001',
+            ruleName: 'Weak JWT Validation',
+            severity: 'high',
+            category: 'authentication',
+            message: 'JWT decoded without signature verification',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Always verify JWT signature before trusting claims. Use jwt.verify() instead of jwt.decode().',
+            references: [
+              'https://capacitor-sec.dev/docs/rules/jwt',
+              'https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/06-Session_Management_Testing/10-Testing_JSON_Web_Tokens'
+            ]
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Verify JWT signature on the backend. Never trust client-side JWT validation alone.'
+  },
+  {
+    id: 'AUTH002',
+    name: 'Insecure Biometric Implementation',
+    description: 'Detects weak biometric authentication implementation',
+    severity: 'high',
+    category: 'authentication',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for biometric without proper cryptographic backing
+      const biometricPattern = /(?:NativeBiometric|BiometricAuth|FingerprintAIO)\.(?:verifyIdentity|authenticate)/gi;
+
+      let match;
+      while ((match = biometricPattern.exec(content)) !== null) {
+        const context = content.substring(match.index, Math.min(content.length, match.index + 500));
+
+        // Check for cryptographic operations after biometric
+        const hasCryptoOp = /getCredentials|decrypt|sign|keychain|keystore/i.test(context);
+
+        if (!hasCryptoOp) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'AUTH002',
+            ruleName: 'Insecure Biometric Implementation',
+            severity: 'high',
+            category: 'authentication',
+            message: 'Biometric auth not backed by cryptographic operation',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Back biometric authentication with cryptographic keys stored in secure enclave.',
+            references: ['https://capacitor-sec.dev/docs/rules/biometric']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use cryptographically-backed biometric authentication.'
+  },
+  {
+    id: 'AUTH003',
+    name: 'Weak Random Number Generation',
+    description: 'Detects use of Math.random() for security-sensitive operations',
+    severity: 'high',
+    category: 'authentication',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Skip test files
+      if (filePath.includes('.test.') || filePath.includes('.spec.')) {
+        return findings;
+      }
+
+      // Check for Math.random in security context
+      const randomPattern = /Math\.random\s*\(\)/g;
+
+      let match;
+      while ((match = randomPattern.exec(content)) !== null) {
+        const context = content.substring(Math.max(0, match.index - 200), match.index + 200);
+        const securityContext = /(?:token|key|secret|nonce|salt|iv|session|auth|password|otp|code)/i.test(context);
+
+        if (securityContext) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'AUTH003',
+            ruleName: 'Weak Random Number Generation',
+            severity: 'high',
+            category: 'authentication',
+            message: 'Math.random() used in security context - not cryptographically secure',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Use crypto.getRandomValues() or crypto.randomUUID() for security-sensitive operations.',
+            references: ['https://developer.mozilla.org/en-US/docs/Web/API/Crypto/getRandomValues']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use crypto.getRandomValues() for secure random number generation.'
+  },
+  {
+    id: 'AUTH004',
+    name: 'Missing Session Timeout',
+    description: 'Detects authentication without session timeout handling',
+    severity: 'medium',
+    category: 'authentication',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+
+      // Only check auth-related files
+      if (!/auth|login|session/i.test(filePath) && !/auth|login|session/i.test(content)) {
+        return findings;
+      }
+
+      const hasLogin = /(?:login|signIn|authenticate)\s*\(/i.test(content);
+      const hasTimeout = /(?:timeout|expire|ttl|maxAge|expiresIn|expiresAt)/i.test(content);
+
+      if (hasLogin && !hasTimeout) {
+        findings.push({
+          ruleId: 'AUTH004',
+          ruleName: 'Missing Session Timeout',
+          severity: 'medium',
+          category: 'authentication',
+          message: 'Authentication flow without apparent session timeout',
+          filePath,
+          line: 1,
+          remediation: 'Implement session timeouts with automatic logout for inactive sessions.',
+          references: ['https://capacitor-sec.dev/docs/rules/session-timeout']
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Implement session timeout and automatic logout.'
+  },
+  {
+    id: 'AUTH005',
+    name: 'OAuth State Parameter Missing',
+    description: 'Detects OAuth flows without state parameter for CSRF protection',
+    severity: 'high',
+    category: 'authentication',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for OAuth URLs without state parameter
+      const oauthPattern = /(?:authorize|oauth|auth).*(?:client_id|response_type)/gi;
+
+      let match;
+      while ((match = oauthPattern.exec(content)) !== null) {
+        const context = content.substring(match.index, Math.min(content.length, match.index + 300));
+        const hasState = /state\s*[:=]/.test(context);
+
+        if (!hasState) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'AUTH005',
+            ruleName: 'OAuth State Parameter Missing',
+            severity: 'high',
+            category: 'authentication',
+            message: 'OAuth flow without state parameter for CSRF protection',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Always include a unique state parameter in OAuth flows and validate it on callback.',
+            references: ['https://tools.ietf.org/html/rfc6749#section-10.12']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Add state parameter to OAuth flows for CSRF protection.'
+  },
+  {
+    id: 'AUTH006',
+    name: 'Hardcoded Credentials in Auth',
+    description: 'Detects hardcoded credentials in authentication code',
+    severity: 'critical',
+    category: 'authentication',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Skip test files
+      if (filePath.includes('.test.') || filePath.includes('.spec.') || filePath.includes('__mocks__')) {
+        return findings;
+      }
+
+      // Check for hardcoded auth credentials
+      const patterns = [
+        /password\s*[:=]\s*['"][^'"]{4,}['"]/gi,
+        /username\s*[:=]\s*['"][^'"@]+['"]/gi,
+        /clientSecret\s*[:=]\s*['"][^'"]{8,}['"]/gi
+      ];
+
+      for (const pattern of patterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          // Skip obvious examples/placeholders
+          if (/example|placeholder|your|xxx|changeme/i.test(match[0])) {
+            continue;
+          }
+
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'AUTH006',
+            ruleName: 'Hardcoded Credentials in Auth',
+            severity: 'critical',
+            category: 'authentication',
+            message: 'Hardcoded credentials detected in authentication code',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim().replace(/['"][^'"]+['"]/g, '"***REDACTED***"'),
+            remediation: 'Remove hardcoded credentials. Use secure configuration or environment variables.',
+            references: ['https://capacitor-sec.dev/docs/rules/hardcoded-creds']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Remove hardcoded credentials and use secure configuration.'
+  }
+];