@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/env-hygiene.js

@@ -0,0 +1,125 @@
+// Environment hygiene checker.
+//
+// Vibecoders leak secrets through env files: .env committed to git,
+// NEXT_PUBLIC_ vars that expose private values, .env.example with real
+// credentials, and hardcoded fallback values that look real.
+//
+// Findings:
+//   ENV_NEXT_PUBLIC_SECRET     — NEXT_PUBLIC_ variable whose name implies it's secret
+//   ENV_EXAMPLE_REAL_VALUE     — .env.example / .env.sample with a real-looking value
+//   ENV_HARDCODED_FALLBACK     — process.env.X || "looks-real" fallback in source
+//   ENV_MISSING_GITIGNORE      — .env / .env.local present but not in .gitignore
+//   ENV_DOTENV_IN_SOURCE       — .env file content loaded via require/import in prod code
+
+const _ENV_FILE_RE = /^\.env(?:\.(?:local|development|production|test|staging))?$/i;
+const _NONPROD_RE = /(?:^|\/)(?:tests?|__tests__|spec|fixtures?|examples?|node_modules)\//i;
+
+// NEXT_PUBLIC_ variables whose name implies they are secrets
+const NEXT_PUBLIC_SENSITIVE_RE = /NEXT_PUBLIC_\w*(?:SECRET|KEY|TOKEN|PASSWORD|PASS|CREDENTIAL|API_KEY|PRIVATE|SIGNING|WEBHOOK|SALT|SEED)\w*/gi;
+
+// .env.example / .env.sample with non-placeholder values
+// A "real" value is: not empty, not "xxx...", not "your_...", not "<...>", not "changeme", not "placeholder"
+const ENV_EXAMPLE_RE = /^\.env\.(?:example|sample|template)$/i;
+const PLACEHOLDER_RE = /^(?:|xxx+|your[_-]|<[^>]+>|changeme|change[_-]?me|placeholder|todo|fixme|replace|dummy|fake|test|example|sample|n\/a|none|null|undefined|\$\{[^}]+\})$/i;
+const REAL_VALUE_RE = /^[a-zA-Z0-9+/=_\-]{8,}$/; // looks like an actual token/key
+
+// process.env.X || "fallback" where fallback looks real (not empty string, not "localhost", not "3000")
+const HARDCODED_FALLBACK_RE = /process\.env\.(\w+)\s*\|\|\s*['"`]([^'"`]{4,})['"`]/g;
+const BENIGN_FALLBACK_RE = /^(?:localhost|127\.0\.0\.1|0\.0\.0\.0|3000|8080|8000|production|development|test|info|debug|warn|error|true|false|\/|\.|\s*)$/i;
+
+// require('dotenv') / import dotenv in non-config files
+const DOTENV_IMPORT_RE = /(?:from|require)\s*\(?\s*['"`]dotenv['"`]/;
+const CONFIG_FILE_RE = /(?:^|\/)(?:config|env|\.env|setup|bootstrap|init|app)\.[cm]?[jt]s$/i;
+
+function _lineNumber(content, index) {
+  return content.slice(0, index).split('\n').length;
+}
+
+function scanEnvHygiene(file, content) {
+  if (_NONPROD_RE.test(file)) return [];
+  const findings = [];
+  const basename = file.split('/').pop();
+  const isEnvExample = ENV_EXAMPLE_RE.test(basename);
+  const isEnvFile = _ENV_FILE_RE.test(basename);
+  const isJsTs = /\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(file);
+
+  // --- NEXT_PUBLIC_ with sensitive name ---
+  if (isEnvFile || isEnvExample || isJsTs) {
+    const matches = [...content.matchAll(new RegExp(NEXT_PUBLIC_SENSITIVE_RE.source, 'gi'))];
+    for (const m of matches) {
+      const lineNum = _lineNumber(content, m.index);
+      findings.push({
+        id: `env-hygiene:ENV_NEXT_PUBLIC_SECRET:${file}:${lineNum}`,
+        title: `NEXT_PUBLIC_ variable exposes a sensitive value client-side: ${m[0]}`,
+        severity: 'critical',
+        file, line: lineNum,
+        description: `${m[0]} is prefixed with NEXT_PUBLIC_, which means Next.js will bundle its value into the client-side JavaScript. Any visitor can read it from the page source. Variables named SECRET, KEY, TOKEN, or similar should never be public.`,
+        remediation: 'Remove the NEXT_PUBLIC_ prefix. Access this value only in Server Components, API Routes, or Server Actions where it stays on the server.',
+        cwe: 'CWE-522',
+      });
+    }
+  }
+
+  // --- .env.example with real values ---
+  if (isEnvExample) {
+    const lines = content.split('\n');
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i].trim();
+      if (!line || line.startsWith('#')) continue;
+      const eqIdx = line.indexOf('=');
+      if (eqIdx === -1) continue;
+      const value = line.slice(eqIdx + 1).trim().replace(/^['"`]|['"`]$/g, '');
+      if (value && !PLACEHOLDER_RE.test(value) && REAL_VALUE_RE.test(value)) {
+        findings.push({
+          id: `env-hygiene:ENV_EXAMPLE_REAL_VALUE:${file}:${i + 1}`,
+          title: '.env.example contains a real-looking credential value',
+          severity: 'high',
+          file, line: i + 1,
+          description: `Line ${i + 1} in ${basename} has a value that looks like a real secret rather than a placeholder. If this is an actual credential, it is now permanently in git history.`,
+          remediation: 'Replace real values with descriptive placeholders: `API_KEY=your_api_key_here` or `DATABASE_URL=postgres://user:pass@host/db`. Rotate the leaked credential immediately.',
+          cwe: 'CWE-798',
+        });
+      }
+    }
+  }
+
+  // --- process.env.X || "real-fallback" in source ---
+  if (isJsTs) {
+    let m;
+    const re = new RegExp(HARDCODED_FALLBACK_RE.source, 'g');
+    while ((m = re.exec(content)) !== null) {
+      const [, varName, fallback] = m;
+      if (BENIGN_FALLBACK_RE.test(fallback)) continue;
+      // Skip if the variable name is obviously benign
+      if (/^(?:NODE_ENV|PORT|HOST|LOG_LEVEL|TIMEOUT|DEBUG|NEXT_PUBLIC_APP_URL|APP_URL|BASE_URL|PUBLIC_URL)\b/.test(varName)) continue;
+      const lineNum = _lineNumber(content, m.index);
+      findings.push({
+        id: `env-hygiene:ENV_HARDCODED_FALLBACK:${file}:${lineNum}`,
+        title: `Hardcoded fallback for ${varName} looks like a real credential`,
+        severity: 'high',
+        file, line: lineNum,
+        description: `process.env.${varName} falls back to "${fallback.slice(0, 20)}${fallback.length > 20 ? '...' : ''}" when the env var is unset. If this value is a real secret, it is committed to source and will be used silently when the env var is misconfigured in production.`,
+        remediation: `Remove the fallback: throw an error at startup if ${varName} is unset. Use a config validation library like zod or @t3-oss/env-nextjs to enforce required env vars.`,
+        cwe: 'CWE-798',
+      });
+    }
+  }
+
+  // --- dotenv imported outside of config/entry files ---
+  if (isJsTs && !CONFIG_FILE_RE.test(file) && DOTENV_IMPORT_RE.test(content)) {
+    const lineNum = _lineNumber(content, content.search(DOTENV_IMPORT_RE));
+    findings.push({
+      id: `env-hygiene:ENV_DOTENV_IN_SOURCE:${file}:${lineNum}`,
+      title: 'dotenv loaded in non-entry file',
+      severity: 'low',
+      file, line: lineNum,
+      description: 'dotenv.config() in a non-entry module can silently load .env files in production, overriding real environment variables set by your platform. It also makes testing harder.',
+      remediation: 'Call dotenv.config() only once, in your application entry point (server.js, index.js). Better yet, use platform-native env management (Vercel env vars, Railway variables).',
+      cwe: 'CWE-665',
+    });
+  }
+
+  return findings;
+}
+
+export { scanEnvHygiene };

package/src/sast/fastapi-hardening.js

@@ -0,0 +1,145 @@
+// FastAPI framework hardening.
+//
+// Coverage:
+//   1. app.run(host="0.0.0.0", debug=True) or uvicorn run with debug=True
+//   2. CORSMiddleware(allow_origins=["*"]) with allow_credentials=True
+//   3. @app.<verb>("...") without Depends(security_dep) on mutating endpoints
+//   4. JWT decode without signature verification (jwt.decode(token, options={"verify_signature": False}))
+//   5. Pydantic Settings with literal API key default
+//   6. HTTPBearer used without auto_error checks
+//   7. app.add_middleware(TrustedHostMiddleware, allowed_hosts=["*"])
+
+const _PY_RE = /\.py$/i;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+function _isFastApi(raw) {
+  return /\bfrom\s+fastapi\b/.test(raw) || /\bimport\s+fastapi\b/.test(raw);
+}
+
+export function scanFastapiHardening(file, raw) {
+  if (!file || !raw || typeof raw !== 'string') return [];
+  if (!_PY_RE.test(file)) return [];
+  if (!_isFastApi(raw)) return [];
+  if (raw.length > 200_000) return [];
+
+  const findings = [];
+
+  // 1. debug=True on app run
+  for (const m of raw.matchAll(/\b(?:app\.run|uvicorn\.run)\s*\([^)]*\bdebug\s*=\s*True\b/g)) {
+    findings.push({
+      id: `fastapi:debug-true:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'FastAPI / uvicorn run with debug=True',
+      severity: 'high',
+      family: 'fastapi-debug-enabled',
+      cwe: 'CWE-489',
+      confidence: 0.95,
+      description: 'debug=True enables hot-reload and detailed tracebacks on errors. In a deployed environment this leaks stack traces with line-level file paths and the request body.',
+      remediation: 'Remove debug=True from production entry points. Use `uvicorn app:app --reload` only on local dev.',
+    });
+  }
+
+  // 2. Wildcard CORS with credentials — matches both direct instantiation
+  // `CORSMiddleware(...)` and `add_middleware(CORSMiddleware, ...)` shapes.
+  for (const m of raw.matchAll(/CORSMiddleware[^)]*\)/g)) {
+    const block = m[0];
+    const hasWildcard = /allow_origins\s*=\s*\[\s*['"]\*['"]\s*\]/.test(block);
+    const hasCreds = /allow_credentials\s*=\s*True\b/.test(block);
+    if (hasWildcard && hasCreds) {
+      findings.push({
+        id: `fastapi:cors-wildcard-credentials:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'FastAPI CORS allow_origins=["*"] combined with allow_credentials=True',
+        severity: 'critical',
+        family: 'fastapi-cors-wildcard',
+        cwe: 'CWE-942',
+        confidence: 0.95,
+        description: 'Browsers block this combination — but FastAPI still emits Access-Control-Allow-Origin: * which most reverse-proxies and SDKs interpret as "any origin can read credentialed responses." Some browsers no longer enforce; libraries and middleboxes do not.',
+        remediation: 'Use an explicit allow-list: allow_origins=["https://app.example.com"]. Never combine wildcard with credentials.',
+      });
+    } else if (hasWildcard) {
+      findings.push({
+        id: `fastapi:cors-wildcard:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'FastAPI CORS allow_origins=["*"]',
+        severity: 'medium',
+        family: 'fastapi-cors-wildcard',
+        cwe: 'CWE-942',
+        confidence: 0.85,
+        description: 'Wildcard CORS broadens the API\'s exposure to scraping and CSRF-like abuse.',
+        remediation: 'Use an explicit allow-list: allow_origins=["https://app.example.com"].',
+      });
+    }
+  }
+
+  // 3. Mutating endpoint without Depends() injecting security
+  const mutatingRouteRe = /@\s*(?:app|router)\.(?:post|put|patch|delete)\s*\(\s*['"][^'"]+['"][^)]*\)\s*(?:async\s+)?def\s+(\w+)\s*\(([^)]*)\)/g;
+  for (const m of raw.matchAll(mutatingRouteRe)) {
+    const params = m[2];
+    // Look for Security(...) or Depends(...) pointing at an auth dep, or a current_user param.
+    if (/\b(?:Security\s*\(|Depends\s*\(\s*(?:get_current_user|require_auth|verify_jwt|require_admin|oauth2_scheme))/.test(params)) continue;
+    if (/\b(?:current_user|user\s*:\s*User|token\s*:\s*str\s*=\s*Depends)/.test(params)) continue;
+    findings.push({
+      id: `fastapi:no-auth-dep:${file}:${_line(raw, m.index)}:${m[1]}`,
+      file, line: _line(raw, m.index),
+      vuln: `FastAPI mutating endpoint ${m[1]}() has no Security() / Depends() auth dependency`,
+      severity: 'high',
+      family: 'fastapi-missing-auth',
+      cwe: 'CWE-862',
+      confidence: 0.7,
+      description: 'A POST/PUT/PATCH/DELETE handler is declared without a Security(...) or Depends(get_current_user) parameter. Unless a global middleware enforces auth (rare), this endpoint is callable anonymously.',
+      remediation: 'Add: current_user: User = Depends(get_current_user) — or Security(oauth2_scheme, scopes=["admin"]) — as a parameter to the route handler.',
+    });
+  }
+
+  // 4. JWT decode without signature verification
+  for (const m of raw.matchAll(/\bjwt\.decode\s*\([^)]*verify_signature\s*['"]?\s*:?\s*False/g)) {
+    findings.push({
+      id: `fastapi:jwt-no-verify:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'jwt.decode called with verify_signature=False',
+      severity: 'critical',
+      family: 'fastapi-jwt-no-verify',
+      cwe: 'CWE-347',
+      confidence: 0.95,
+      description: 'jwt.decode with verify_signature=False reads claims without verifying the token. An attacker can forge any claims (including admin roles) and the token will be accepted.',
+      remediation: 'Remove verify_signature=False. Always verify against the public key / shared secret.',
+    });
+  }
+
+  // 5. Pydantic Settings with literal API-key-shaped default
+  for (const m of raw.matchAll(/\b(?:[Aa]pi_?[Kk]ey|secret_key|jwt_secret)\s*:\s*str\s*=\s*['"]([A-Za-z0-9!@#$%^&*_+\-=]{12,})['"]/g)) {
+    if (/your[-_]?key|change[-_]?me|placeholder|example|TODO/i.test(m[1])) continue;
+    findings.push({
+      id: `fastapi:hardcoded-default-secret:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'Pydantic Settings (or similar) has a hardcoded default secret',
+      severity: 'critical',
+      family: 'fastapi-hardcoded-credential',
+      cwe: 'CWE-798',
+      confidence: 0.85,
+      description: 'A real secret value is the literal default for a config field. Anyone who reads the source has the key.',
+      remediation: 'Set the field with no default (forcing env-var provision) or default to None and raise if missing at startup.',
+    });
+  }
+
+  // 6. TrustedHostMiddleware with wildcard
+  for (const m of raw.matchAll(/TrustedHostMiddleware\s*[^)]*allowed_hosts\s*=\s*\[\s*['"]\*['"]\s*\]/g)) {
+    findings.push({
+      id: `fastapi:trusted-host-wildcard:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'TrustedHostMiddleware allowed_hosts=["*"]',
+      severity: 'medium',
+      family: 'fastapi-trusted-host-wildcard',
+      cwe: 'CWE-20',
+      confidence: 0.9,
+      description: 'Disables Host header validation. Combined with downstream URL generation (password-reset emails, OAuth callbacks), attackers can route victims through their own hostnames.',
+      remediation: 'Provide an explicit allow-list of your real hostnames.',
+    });
+  }
+
+  return findings;
+}

package/src/sast/go-extended.js

@@ -0,0 +1,84 @@
+// Go SAST — extensions to the existing Go coverage in engine.js.
+//
+// Adds:
+//   - text/template misuse           imported instead of html/template for HTML
+//   - exec.Command shell-form        exec.Command("sh", "-c", <var>) vs argv-form
+//   - http.Client custom-transport   http.Get(<var>) or http.NewRequest with
+//                                    user-controlled URL and no allowlist
+//
+// These patterns are narrow and complement the existing regex-based Go rules
+// (GORM raw SQL, source patterns for net/http, Echo, Chi, Gin).
+
+import { blankComments } from './_comment-strip.js';
+
+const FINDINGS = [
+  {
+    id: 'go-text-template-html', severity: 'high', cwe: 'CWE-79', family: 'xss',
+    // import "text/template" AND ResponseWriter.Write in the same file
+    re: /\b"text\/template"/g,
+    vuln: 'XSS — text/template package used in an HTTP handler (no auto-escaping)',
+    remediation: 'For HTML output, import `"html/template"` instead. text/template does not escape HTML — any user value placed in the template renders as raw HTML. The two packages have nearly identical APIs; the switch is usually one import line.',
+    // Only fire when the file looks like an HTTP handler.
+    requiresContext: /\bhttp\.(?:ResponseWriter|HandleFunc|Handler)\b|\bw\s*\.\s*Write\b|\bgin\.|\becho\.|\bchi\./,
+    fileSafe: /\b"html\/template"/,
+  },
+  {
+    id: 'go-exec-shell-form', severity: 'critical', cwe: 'CWE-78', family: 'command-injection',
+    // exec.Command("sh", "-c", varExpr) — the explicit shell-invocation shape
+    re: /\bexec\.Command\s*\(\s*"(?:sh|bash|zsh|\/bin\/sh|\/bin\/bash)"\s*,\s*"-c"\s*,\s*(?!"[^"]*"\s*\))/g,
+    vuln: 'Command Injection — exec.Command shell-form with dynamic argument',
+    remediation: 'Replace the shell form with the argv form: `exec.Command("ls", "-l", userDir)`. The shell form (`sh -c "<cmd>"`) interprets `;`, `&&`, `|`, `$()` etc. in user input.',
+  },
+  {
+    id: 'go-http-user-url', severity: 'high', cwe: 'CWE-918', family: 'ssrf',
+    // http.Get(varExpr) or http.NewRequest(method, varExpr, body) where the URL is a variable.
+    // Already covered for fetch/axios in the engine, but the Go-specific shape
+    // gets missed because the engine's pattern doesn't include http.Get/Post.
+    re: /\bhttp\.(?:Get|Post|Head|PostForm)\s*\(\s*(?!"[^"]*"\s*\))[a-zA-Z_]\w*/g,
+    vuln: 'SSRF — http.Get/Post with variable URL',
+    remediation: 'Allowlist the destination host before any net/http call. Use `net/url.Parse(target)` then check `parsed.Host` against an explicit allowlist. Reject RFC1918 (10/8, 172.16/12, 192.168/16) and the cloud metadata addresses (169.254.169.254, fd00:ec2::254).',
+  },
+  {
+    id: 'go-newrequest-user-url', severity: 'high', cwe: 'CWE-918', family: 'ssrf',
+    re: /\bhttp\.NewRequest(?:WithContext)?\s*\(\s*[^,]+,\s*(?!"[^"]*"\s*[,)])[a-zA-Z_]\w*/g,
+    vuln: 'SSRF — http.NewRequest with variable URL',
+    remediation: 'Validate the URL before building the request. The standard pattern: `u, err := url.Parse(target); if err != nil || !allowlist[u.Host] { return forbidden }`. Reject schemes other than http/https up front.',
+  },
+];
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanGoExtended(fp, raw) {
+  if (!/\.go$/i.test(fp)) return [];
+  if (!raw || raw.length > 500_000) return [];
+  const code = blankComments(raw);
+  const out = [];
+  const seen = new Set();
+  for (const rule of FINDINGS) {
+    if (rule.fileSafe && rule.fileSafe.test(code)) continue;
+    if (rule.requiresContext && !rule.requiresContext.test(code)) continue;
+    const re = new RegExp(rule.re.source, rule.re.flags);
+    let m;
+    while ((m = re.exec(code))) {
+      const line = lineOf(raw, m.index);
+      const id = `${rule.id}:${fp}:${line}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      out.push({
+        id, file: fp, line,
+        vuln: rule.vuln,
+        severity: rule.severity,
+        cwe: rule.cwe,
+        stride: rule.family === 'xss' ? 'Tampering'
+              : rule.family === 'command-injection' ? 'Elevation of Privilege'
+              : rule.family === 'ssrf' ? 'Spoofing'
+              : 'Tampering',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: rule.remediation,
+        confidence: 0.85,
+        parser: 'GO',
+      });
+    }
+  }
+  return out;
+}

package/src/sast/host-header.js

@@ -0,0 +1,106 @@
+// Host header attack detection.
+//
+// req.headers.host / req.host is attacker-controlled (HTTP/1.1 lets clients
+// set whatever Host they want; even with allowlisted hostnames, reverse
+// proxies often forward whatever they receive). When used to build:
+//   - password-reset / email-verification URLs   → Account-takeover via
+//                                                    poisoned reset link
+//   - server-side redirects (Location header)    → Open redirect / phishing
+//   - cache keys                                  → Cache poisoning
+// the attacker controls the URL embedded in security-sensitive emails or in
+// downstream caches.
+//
+// Patterns:
+//   `https://${req.headers.host}/reset?token=...`
+//   `'http://' + req.headers.host + '/verify?token=...'`
+//   res.redirect(req.headers.host + ...)
+//
+// Safe shapes (file-level suppression of a finding):
+//   - An ALLOWED_HOSTS/TRUSTED_HOSTS array compared against the header
+
+const HOST_SOURCE_RE = /\b(?:req|request|ctx)\s*\.\s*(?:headers\s*(?:\.|\[\s*['"])\s*host\s*['"]?\s*\]?|host(?![A-Za-z_]))/g;
+const HOST_X_FORWARDED_RE = /\b(?:req|request|ctx)\s*\.\s*(?:headers\s*(?:\.|\[\s*['"])\s*x-forwarded-host\s*['"]?\s*\]?)/g;
+
+// Reset / verify URL pattern: hostSource concatenated/interpolated with reset/verify path.
+const RESET_URL_TEMPLATE_RE = /`[^`]*\$\{[^}]*\b(?:req|request|ctx)\s*\.\s*(?:headers\s*(?:\.|\[\s*['"])\s*(?:host|x-forwarded-host)\s*['"]?\s*\]?|host(?![A-Za-z_]))[^}]*\}[^`]*(?:reset|verify|confirm|invite|onboard|password|token|auth|magic)[^`]*`/gi;
+const RESET_URL_CONCAT_RE = /['"][^'"]*(?:https?:\/\/|^\/|^)['"][^;]{0,80}?(?:req|request|ctx)\s*\.\s*(?:headers\.host|host|headers\[['"]host['"]\])[^;]{0,200}?(?:reset|verify|confirm|invite|password|token|auth|magic)/gi;
+
+// Direct redirect using host header
+const HOST_IN_REDIRECT_RE = /\b(?:res|response)\s*\.\s*(?:redirect|location)\s*\([^)]*\b(?:req|request|ctx)\s*\.\s*(?:headers\.host|host|headers\[['"]host['"]\])/g;
+
+const TRUSTED_HOSTS_RE = /\b(?:ALLOWED_HOSTS|TRUSTED_HOSTS|allowedHosts|trustedHosts|hostAllowlist|hostnameAllowlist|validHosts)\b/;
+
+import { blankComments } from './_comment-strip.js';
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanHostHeader(fp, raw) {
+  if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py)$/i.test(fp)) return [];
+  if (!raw || raw.length > 500_000) return [];
+  // Blank out comments while preserving character indices.
+  const code = /\.py$/i.test(fp) ? blankComments(raw, 'py') : blankComments(raw);
+  const findings = [];
+  const seen = new Set();
+  const push = (f) => { if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); } };
+  const hasAllowlist = TRUSTED_HOSTS_RE.test(code);
+
+  // 1. Template literal with host + reset/verify keyword
+  const tre = new RegExp(RESET_URL_TEMPLATE_RE.source, RESET_URL_TEMPLATE_RE.flags);
+  let m;
+  while ((m = tre.exec(code))) {
+    if (hasAllowlist) continue;
+    const line = _lineOf(raw, m.index);
+    push({
+      id: `host-header:${fp}:${line}:reset-tpl`,
+      file: fp, line,
+      vuln: 'Host Header Attack: password-reset / verify URL built from req.headers.host',
+      severity: 'high',
+      cwe: 'CWE-20',
+      stride: 'Spoofing',
+      snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+      remediation: 'An attacker can set the Host header to a domain they control; if your reset email then embeds that host, the recipient clicks a link pointing at attacker-controlled infrastructure that captures the token. Use a server-side constant (process.env.PUBLIC_HOST) for any URL that lands in an email, or validate req.headers.host against an explicit allowlist of canonical hostnames.',
+      confidence: 0.85,
+      parser: 'HOST-HEADER',
+    });
+  }
+
+  // 2. String concatenation form (looser shape)
+  const cre = new RegExp(RESET_URL_CONCAT_RE.source, RESET_URL_CONCAT_RE.flags);
+  while ((m = cre.exec(code))) {
+    if (hasAllowlist) continue;
+    const line = _lineOf(raw, m.index);
+    push({
+      id: `host-header:${fp}:${line}:reset-concat`,
+      file: fp, line,
+      vuln: 'Host Header Attack: reset/verify URL concatenates req.headers.host',
+      severity: 'high',
+      cwe: 'CWE-20',
+      stride: 'Spoofing',
+      snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+      remediation: 'Replace req.headers.host with process.env.PUBLIC_HOST (or equivalent server-side constant). For multi-tenant apps that legitimately need request-derived hosts, validate against a per-tenant allowlist.',
+      confidence: 0.7,
+      parser: 'HOST-HEADER',
+    });
+  }
+
+  // 3. Redirect using host header
+  const rre = new RegExp(HOST_IN_REDIRECT_RE.source, HOST_IN_REDIRECT_RE.flags);
+  while ((m = rre.exec(code))) {
+    if (hasAllowlist) continue;
+    const line = _lineOf(raw, m.index);
+    push({
+      id: `host-header:${fp}:${line}:redirect`,
+      file: fp, line,
+      vuln: 'Host Header Attack: redirect target uses req.headers.host',
+      severity: 'high',
+      cwe: 'CWE-601',
+      stride: 'Spoofing',
+      snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+      remediation: 'A server-side redirect to req.headers.host lets the attacker pick the destination. Use a fixed canonical URL or an explicit per-tenant allowlist.',
+      confidence: 0.85,
+      parser: 'HOST-HEADER',
+    });
+  }
+
+  return findings;
+}

package/src/sast/index.js

@@ -0,0 +1,17 @@
+// SAST submodule view of the engine — file-level static analysis.
+export {
+  performAnalysis, performASTAnalysis, performRegexAnalysis,
+  scanRoutes, scanLogicVulns, scanStructuralVulns, scanExtraStructural,
+  scanReDoS, scanCiphers, scanGraphQL,
+  buildImportGraph, crossFileTaint, buildStoredTaintRegistry, crossStoredTaint,
+  crossSessionTaint, buildCallGraph, annotateReachability, detectGuardsForFinding,
+  inferSanitizers, applyLearnedSanitizers, applySanitizerEffectiveness,
+  crossFindingChain, classifyOrphans, classifyField, classifyEndpoint,
+  scoreTriage, dedupeFindingsWithEvidence,
+  SOURCE_PATTERNS, SINK_PATTERNS, SANITIZER_PATTERNS, ROUTE_PATTERNS,
+  LOGIC_PATTERNS, STRUCTURAL_VULN_PATTERNS, EXTRA_STRUCTURAL_PATTERNS,
+  CHAIN_RULES, GRAPHQL_VULN_PATTERNS, GUARD_PATTERNS,
+  SANITIZER_EFFECTIVENESS, SEVERITY_SCORE,
+  CIPHER_REST_PATTERNS, CIPHER_TRANSIT_PATTERNS,
+  DATA_CLASSES,
+} from '../engine.js';