@capgo/capgo-sec 1.0.4

package/src/rules/capacitor.ts

@@ -0,0 +1,435 @@
+import type { Rule, Finding } from '../types.js';
+
+export const capacitorRules: Rule[] = [
+  {
+    id: 'CAP001',
+    name: 'WebView Debug Mode Enabled',
+    description: 'Detects web debugging enabled in production Capacitor configuration',
+    severity: 'critical',
+    category: 'capacitor',
+    filePatterns: ['**/capacitor.config.ts', '**/capacitor.config.js', '**/capacitor.config.json'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      const debugPattern = /webContentsDebuggingEnabled\s*:\s*true/i;
+
+      if (debugPattern.test(content)) {
+        const match = content.match(debugPattern);
+        if (match) {
+          const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+          findings.push({
+            ruleId: 'CAP001',
+            ruleName: 'WebView Debug Mode Enabled',
+            severity: 'critical',
+            category: 'capacitor',
+            message: 'WebView debugging is enabled, allowing remote code inspection',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Set webContentsDebuggingEnabled to false for production builds.',
+            references: ['https://capacitorjs.com/docs/config']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Disable WebView debugging in production: webContentsDebuggingEnabled: false'
+  },
+  {
+    id: 'CAP002',
+    name: 'Insecure Plugin Configuration',
+    description: 'Detects insecure Capacitor plugin configurations',
+    severity: 'high',
+    category: 'capacitor',
+    filePatterns: ['**/capacitor.config.ts', '**/capacitor.config.js', '**/capacitor.config.json'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for AllowMixedContent on Android
+      if (/allowMixedContent\s*:\s*true/i.test(content)) {
+        const match = content.match(/allowMixedContent\s*:\s*true/i);
+        if (match) {
+          const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+          findings.push({
+            ruleId: 'CAP002',
+            ruleName: 'Insecure Plugin Configuration',
+            severity: 'high',
+            category: 'capacitor',
+            message: 'allowMixedContent enables loading HTTP resources over HTTPS',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Remove allowMixedContent: true. All content should be served over HTTPS.',
+            references: ['https://capacitorjs.com/docs/config/android']
+          });
+        }
+      }
+
+      // Check for capture input (keyboard capture)
+      if (/captureInput\s*:\s*true/i.test(content)) {
+        const match = content.match(/captureInput\s*:\s*true/i);
+        if (match) {
+          const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+          findings.push({
+            ruleId: 'CAP002',
+            ruleName: 'Insecure Plugin Configuration',
+            severity: 'medium',
+            category: 'capacitor',
+            message: 'captureInput is enabled, which captures all keyboard input',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Only enable captureInput if specifically required for your use case.',
+            references: ['https://capacitorjs.com/docs/config/android']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Review and secure Capacitor plugin configurations.'
+  },
+  {
+    id: 'CAP003',
+    name: 'Verbose Logging in Production',
+    description: 'Detects verbose logging configuration that may expose sensitive data',
+    severity: 'medium',
+    category: 'capacitor',
+    filePatterns: ['**/capacitor.config.ts', '**/capacitor.config.js', '**/capacitor.config.json'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      const loggingPattern = /loggingBehavior\s*:\s*['"](?:debug|verbose)['"]/i;
+
+      if (loggingPattern.test(content)) {
+        const match = content.match(loggingPattern);
+        if (match) {
+          const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+          findings.push({
+            ruleId: 'CAP003',
+            ruleName: 'Verbose Logging in Production',
+            severity: 'medium',
+            category: 'capacitor',
+            message: 'Verbose logging is enabled which may expose sensitive information',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Set loggingBehavior to "production" or "none" for production builds.',
+            references: ['https://capacitorjs.com/docs/config']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use production-appropriate logging levels.'
+  },
+  {
+    id: 'CAP004',
+    name: 'Insecure allowNavigation',
+    description: 'Detects overly permissive navigation allowlist',
+    severity: 'high',
+    category: 'capacitor',
+    filePatterns: ['**/capacitor.config.ts', '**/capacitor.config.js', '**/capacitor.config.json'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for wildcard or overly broad navigation patterns
+      const patterns = [
+        { pattern: /allowNavigation.*\*\.\*/, message: 'Wildcard navigation pattern allows any domain' },
+        { pattern: /allowNavigation.*http:\/\//, message: 'HTTP URLs in allowNavigation are insecure' },
+        { pattern: /allowNavigation.*\['"\*['"]/, message: 'Wildcard * allows navigation to any URL' }
+      ];
+
+      for (const { pattern, message } of patterns) {
+        if (pattern.test(content)) {
+          const match = content.match(pattern);
+          if (match) {
+            const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+            findings.push({
+              ruleId: 'CAP004',
+              ruleName: 'Insecure allowNavigation',
+              severity: 'high',
+              category: 'capacitor',
+              message,
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Specify exact HTTPS domains in allowNavigation.',
+              references: ['https://capacitorjs.com/docs/config']
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use explicit domain allowlists for navigation.'
+  },
+  {
+    id: 'CAP005',
+    name: 'Native Bridge Exposure',
+    description: 'Detects potential exposure of native bridge to untrusted content',
+    severity: 'critical',
+    category: 'capacitor',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for exposing Capacitor to window
+      const exposurePatterns = [
+        /window\.Capacitor\s*=/,
+        /globalThis\.Capacitor\s*=/,
+        /eval\s*\([^)]*Capacitor/,
+        /Function\s*\([^)]*Capacitor/
+      ];
+
+      for (const pattern of exposurePatterns) {
+        let match;
+        const regex = new RegExp(pattern.source, 'gi');
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'CAP005',
+            ruleName: 'Native Bridge Exposure',
+            severity: 'critical',
+            category: 'capacitor',
+            message: 'Capacitor native bridge may be exposed to untrusted code',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Never expose the Capacitor bridge to dynamically loaded or untrusted content.',
+            references: ['https://capacitor-sec.dev/docs/rules/native-bridge']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Keep native bridge access restricted to trusted code only.'
+  },
+  {
+    id: 'CAP006',
+    name: 'Eval Usage with User Input',
+    description: 'Detects usage of eval() or similar functions that could execute arbitrary code',
+    severity: 'critical',
+    category: 'capacitor',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Skip node_modules
+      if (filePath.includes('node_modules')) {
+        return findings;
+      }
+
+      const evalPatterns = [
+        /\beval\s*\(/g,
+        /new\s+Function\s*\(/g,
+        /setTimeout\s*\(\s*['"`][^'"`]+['"`]/g,
+        /setInterval\s*\(\s*['"`][^'"`]+['"`]/g
+      ];
+
+      for (const pattern of evalPatterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'CAP006',
+            ruleName: 'Eval Usage with User Input',
+            severity: 'critical',
+            category: 'capacitor',
+            message: 'Usage of eval() or equivalent can lead to code injection attacks',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Avoid eval() and new Function(). Use safer alternatives like JSON.parse() for data.',
+            references: [
+              'https://owasp.org/www-community/attacks/Code_Injection',
+              'https://capacitor-sec.dev/docs/rules/eval'
+            ]
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Remove all usage of eval() and new Function(). Use JSON.parse() for data parsing.'
+  },
+  {
+    id: 'CAP007',
+    name: 'Missing Root/Jailbreak Detection',
+    description: 'No root or jailbreak detection found for sensitive operations',
+    severity: 'medium',
+    category: 'capacitor',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+
+      // Only check entry points or main files
+      if (!filePath.includes('App.') && !filePath.includes('main.') && !filePath.includes('index.')) {
+        return findings;
+      }
+
+      // Check for sensitive operations
+      const hasSensitiveOps = /(?:payment|banking|wallet|crypto|biometric|auth)/i.test(content);
+
+      // Check for root/jailbreak detection
+      const hasRootDetection = /(?:isRooted|isJailbroken|rootDetection|jailbreakDetection|freeRASP|appIntegrity)/i.test(content);
+
+      if (hasSensitiveOps && !hasRootDetection) {
+        findings.push({
+          ruleId: 'CAP007',
+          ruleName: 'Missing Root/Jailbreak Detection',
+          severity: 'medium',
+          category: 'capacitor',
+          message: 'Sensitive operations detected without root/jailbreak detection',
+          filePath,
+          line: 1,
+          remediation: 'Implement root/jailbreak detection for apps handling sensitive data. Consider using @niclas-niclas/capacitor-freerasp.',
+          references: [
+            'https://github.com/niclas-niclas/capacitor-freerasp',
+            'https://capacitor-sec.dev/docs/rules/root-detection'
+          ]
+        });
+      }
+
+      return findings;
+    },
+    remediation: 'Add root/jailbreak detection for sensitive applications.'
+  },
+  {
+    id: 'CAP008',
+    name: 'Insecure Plugin Import',
+    description: 'Detects import of known insecure or deprecated Capacitor plugins',
+    severity: 'medium',
+    category: 'capacitor',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx', '**/package.json'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // List of deprecated or insecure plugins
+      const insecurePlugins = [
+        { name: '@capacitor/browser', check: /webview|iframe/i, message: 'Using Browser plugin for sensitive content may be insecure' },
+        { name: 'cordova-plugin-', check: /cordova-plugin-/i, message: 'Cordova plugins may have security issues in Capacitor context' }
+      ];
+
+      for (const plugin of insecurePlugins) {
+        if (plugin.check.test(content)) {
+          const match = content.match(plugin.check);
+          if (match) {
+            const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+            findings.push({
+              ruleId: 'CAP008',
+              ruleName: 'Insecure Plugin Import',
+              severity: 'low',
+              category: 'capacitor',
+              message: plugin.message,
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Review plugin security implications. Prefer Capacitor-native plugins.',
+              references: ['https://capacitor-sec.dev/docs/rules/plugins']
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use official Capacitor plugins when available.'
+  },
+  {
+    id: 'CAP009',
+    name: 'Live Update Security',
+    description: 'Detects insecure live update configurations',
+    severity: 'high',
+    category: 'capacitor',
+    filePatterns: ['**/capacitor.config.ts', '**/capacitor.config.js', '**/capacitor.config.json', '**/*.ts', '**/*.tsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for Capgo/live update without encryption
+      const liveUpdatePattern = /(?:@capgo\/capacitor-updater|CapacitorUpdater)/i;
+
+      if (liveUpdatePattern.test(content)) {
+        // Check for encryption configuration
+        const hasEncryption = /privateKey|encryptionKey|signatureKey/i.test(content);
+
+        if (!hasEncryption) {
+          const match = content.match(liveUpdatePattern);
+          if (match) {
+            const lineNum = content.substring(0, content.indexOf(match[0])).split('\n').length;
+            findings.push({
+              ruleId: 'CAP009',
+              ruleName: 'Live Update Security',
+              severity: 'high',
+              category: 'capacitor',
+              message: 'Live update configured without encryption',
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Enable encryption for live updates to prevent tampering. Use Capgo end-to-end encryption.',
+              references: [
+                'https://capgo.app/docs/plugin/cloud-mode/hybrid-update/',
+                'https://capacitor-sec.dev/docs/rules/live-update'
+              ]
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Enable end-to-end encryption for live updates with Capgo.'
+  },
+  {
+    id: 'CAP010',
+    name: 'Insecure postMessage Handler',
+    description: 'Detects insecure postMessage handlers that could accept malicious messages',
+    severity: 'high',
+    category: 'capacitor',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for postMessage listener without origin validation
+      const postMessagePattern = /addEventListener\s*\(\s*['"]message['"]/g;
+
+      let match;
+      while ((match = postMessagePattern.exec(content)) !== null) {
+        const context = content.substring(match.index, Math.min(content.length, match.index + 500));
+        const hasOriginCheck = /event\.origin|e\.origin|origin\s*[!=]==?\s*['"]/.test(context);
+
+        if (!hasOriginCheck) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'CAP010',
+            ruleName: 'Insecure postMessage Handler',
+            severity: 'high',
+            category: 'capacitor',
+            message: 'postMessage handler without origin validation',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Always validate event.origin before processing postMessage data.',
+            references: ['https://capacitor-sec.dev/docs/rules/postmessage']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Validate message origin before processing postMessage events.'
+  }
+];

package/src/rules/cryptography.ts

@@ -0,0 +1,190 @@
+import type { Rule, Finding } from '../types.js';
+
+export const cryptographyRules: Rule[] = [
+  {
+    id: 'CRY001',
+    name: 'Weak Cryptographic Algorithm',
+    description: 'Detects usage of weak or deprecated cryptographic algorithms',
+    severity: 'high',
+    category: 'cryptography',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      const weakAlgorithms = [
+        { pattern: /md5|['"]MD5['"]/gi, name: 'MD5', message: 'MD5 is cryptographically broken' },
+        { pattern: /sha1|['"]SHA-?1['"]/gi, name: 'SHA-1', message: 'SHA-1 is deprecated and vulnerable to collision attacks' },
+        { pattern: /des|['"]DES['"]/gi, name: 'DES', message: 'DES uses 56-bit keys, too weak for modern security' },
+        { pattern: /rc4|['"]RC4['"]/gi, name: 'RC4', message: 'RC4 has known biases and should not be used' },
+        { pattern: /blowfish/gi, name: 'Blowfish', message: 'Blowfish has a small block size, prefer AES' },
+        { pattern: /ECB/g, name: 'ECB mode', message: 'ECB mode does not hide data patterns' }
+      ];
+
+      for (const { pattern, name, message } of weakAlgorithms) {
+        let match;
+        const regex = new RegExp(pattern.source, pattern.flags);
+        while ((match = regex.exec(content)) !== null) {
+          // Skip if it's in a comment
+          const lineStart = content.lastIndexOf('\n', match.index) + 1;
+          const lineContent = content.substring(lineStart, match.index);
+          if (/\/\/|\/\*|\*/.test(lineContent)) continue;
+
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'CRY001',
+            ruleName: 'Weak Cryptographic Algorithm',
+            severity: 'high',
+            category: 'cryptography',
+            message: `${name}: ${message}`,
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Use AES-256-GCM for encryption, SHA-256 or SHA-3 for hashing, and Argon2 for password hashing.',
+            references: [
+              'https://capacitor-sec.dev/docs/rules/weak-crypto',
+              'https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/09-Testing_for_Weak_Cryptography'
+            ]
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use modern algorithms: AES-256-GCM, SHA-256/SHA-3, Argon2.'
+  },
+  {
+    id: 'CRY002',
+    name: 'Hardcoded Encryption Key',
+    description: 'Detects hardcoded encryption keys or IVs in source code',
+    severity: 'critical',
+    category: 'cryptography',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Skip test files
+      if (filePath.includes('.test.') || filePath.includes('.spec.')) {
+        return findings;
+      }
+
+      const keyPatterns = [
+        /(?:encrypt(?:ion)?Key|aesKey|secretKey|privateKey)\s*[:=]\s*['"][A-Za-z0-9+/=]{16,}['"]/gi,
+        /(?:iv|initVector|initialVector)\s*[:=]\s*['"][A-Za-z0-9+/=]{12,}['"]/gi,
+        /Buffer\.from\s*\(\s*['"][A-Fa-f0-9]{32,}['"]/g
+      ];
+
+      for (const pattern of keyPatterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'CRY002',
+            ruleName: 'Hardcoded Encryption Key',
+            severity: 'critical',
+            category: 'cryptography',
+            message: 'Hardcoded encryption key or IV detected',
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim().replace(/['"][A-Za-z0-9+/=]{8,}['"]/g, '"***KEY***"'),
+            remediation: 'Generate keys securely at runtime. Store keys in secure storage (Keychain/Keystore).',
+            references: ['https://capacitor-sec.dev/docs/rules/hardcoded-keys']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Never hardcode encryption keys. Use secure key derivation and storage.'
+  },
+  {
+    id: 'CRY003',
+    name: 'Insecure Random IV Generation',
+    description: 'Detects non-random or predictable IV generation',
+    severity: 'high',
+    category: 'cryptography',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for static or predictable IVs
+      const staticIvPatterns = [
+        { pattern: /iv\s*[:=]\s*(?:new\s+Uint8Array\s*\(\s*\d+\s*\)|Buffer\.alloc\s*\()/, message: 'IV initialized with zeros - must be random' },
+        { pattern: /iv\s*[:=]\s*['"][0-9a-fA-F]+['"]/, message: 'Static IV detected - IV must be unique per encryption' }
+      ];
+
+      for (const { pattern, message } of staticIvPatterns) {
+        let match;
+        const regex = new RegExp(pattern.source, 'gi');
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          findings.push({
+            ruleId: 'CRY003',
+            ruleName: 'Insecure Random IV Generation',
+            severity: 'high',
+            category: 'cryptography',
+            message,
+            filePath,
+            line: lineNum,
+            codeSnippet: lines[lineNum - 1]?.trim(),
+            remediation: 'Use crypto.getRandomValues() to generate a unique IV for each encryption operation.',
+            references: ['https://capacitor-sec.dev/docs/rules/iv-generation']
+          });
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Generate unique random IVs using crypto.getRandomValues().'
+  },
+  {
+    id: 'CRY004',
+    name: 'Weak Password Hashing',
+    description: 'Detects weak password hashing schemes',
+    severity: 'critical',
+    category: 'cryptography',
+    filePatterns: ['**/*.ts', '**/*.tsx', '**/*.js', '**/*.jsx'],
+    check: (content: string, filePath: string): Finding[] => {
+      const findings: Finding[] = [];
+      const lines = content.split('\n');
+
+      // Check for password with weak hashing
+      const passwordContext = /password/i.test(content);
+
+      if (passwordContext) {
+        const weakPatterns = [
+          { pattern: /(?:sha256|sha512|createHash).*password/gi, message: 'Using raw SHA for password hashing - use bcrypt/argon2' },
+          { pattern: /password.*(?:sha256|sha512|createHash)/gi, message: 'Using raw SHA for password hashing - use bcrypt/argon2' },
+          { pattern: /md5.*password|password.*md5/gi, message: 'MD5 is completely unsuitable for password hashing' }
+        ];
+
+        for (const { pattern, message } of weakPatterns) {
+          let match;
+          while ((match = pattern.exec(content)) !== null) {
+            const lineNum = content.substring(0, match.index).split('\n').length;
+            findings.push({
+              ruleId: 'CRY004',
+              ruleName: 'Weak Password Hashing',
+              severity: 'critical',
+              category: 'cryptography',
+              message,
+              filePath,
+              line: lineNum,
+              codeSnippet: lines[lineNum - 1]?.trim(),
+              remediation: 'Use Argon2, bcrypt, or scrypt for password hashing with appropriate work factors.',
+              references: [
+                'https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html',
+                'https://capacitor-sec.dev/docs/rules/password-hashing'
+              ]
+            });
+          }
+        }
+      }
+
+      return findings;
+    },
+    remediation: 'Use Argon2id, bcrypt, or scrypt for password hashing.'
+  }
+];

package/src/rules/index.ts

@@ -0,0 +1,56 @@
+import type { Rule } from '../types.js';
+
+import { secretsRules } from './secrets.js';
+import { storageRules } from './storage.js';
+import { networkRules } from './network.js';
+import { capacitorRules } from './capacitor.js';
+import { androidRules } from './android.js';
+import { iosRules } from './ios.js';
+import { authenticationRules } from './authentication.js';
+import { webviewRules } from './webview.js';
+import { loggingRules, debugRules } from './logging.js';
+import { cryptographyRules } from './cryptography.js';
+
+export const allRules: Rule[] = [
+  ...secretsRules,
+  ...storageRules,
+  ...networkRules,
+  ...capacitorRules,
+  ...androidRules,
+  ...iosRules,
+  ...authenticationRules,
+  ...webviewRules,
+  ...loggingRules,
+  ...debugRules,
+  ...cryptographyRules
+];
+
+export const rulesByCategory = {
+  secrets: secretsRules,
+  storage: storageRules,
+  network: networkRules,
+  capacitor: capacitorRules,
+  android: androidRules,
+  ios: iosRules,
+  authentication: authenticationRules,
+  webview: webviewRules,
+  logging: loggingRules,
+  debug: debugRules,
+  cryptography: cryptographyRules
+};
+
+export const ruleCount = allRules.length;
+
+export {
+  secretsRules,
+  storageRules,
+  networkRules,
+  capacitorRules,
+  androidRules,
+  iosRules,
+  authenticationRules,
+  webviewRules,
+  loggingRules,
+  debugRules,
+  cryptographyRules
+};