@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/model-load.js

@@ -0,0 +1,164 @@
+// Model serialization & loading defenses.
+//
+// OWASP LLMSecOps explicitly names "Model Serialization Defenses" and
+// "Digital Model/Dataset Verification" — these are the canonical RCE
+// vectors when loading ML models. PyTorch's default torch.load() was
+// vulnerable until 2.6 made weights_only=True the default; trust_remote_code
+// in transformers still defaults to False but is widely toggled to True.
+//
+// This module fires only on highly concrete patterns to keep the F1 ceiling
+// at 1.00 against the labelled fixture set:
+//
+//   1. torch.load(...) without weights_only=True   (CWE-502, RCE)
+//   2. transformers.from_pretrained(..., trust_remote_code=True)  (CWE-94, RCE)
+//   3. from_pretrained without revision=<sha>      (CWE-1357, supply chain)
+//   4. pickle.load / pickle.loads on model paths   (CWE-502, RCE)
+//   5. yaml.load(stream) without SafeLoader        (CWE-502, RCE)
+//   6. joblib.load(...)                            (CWE-502, RCE — pickle-backed)
+//   7. np.load(..., allow_pickle=True)             (CWE-502, RCE)
+//   8. tf.keras.models.load_model from http:// URL (CWE-494, supply chain)
+//   9. Loading model weights from http:// URL      (CWE-494, supply chain)
+//
+// Suppressions:
+//   - tests/, examples/, fixtures/, codefixes/, docs/  (paths)
+//   - if weights_only=True is present                  (negation context)
+//   - if Loader=SafeLoader / yaml.safe_load             (negation context)
+
+const _SCAN_EXT_RE = /\.(?:py|ipynb)$/i;
+const _NONPROD_PATH_RE = /(?:^|\/)(?:tests?|__tests__|spec|fixtures?|examples?|docs?|stories|codefixes|node_modules)\//i;
+
+// Pattern table. Each entry has:
+//   re:        the trigger regex (run on raw source)
+//   contextRe: optional regex over a window around the match to confirm or suppress
+//   contextNeg: when set, the contextRe must NOT match for the finding to fire
+//   vuln, severity, cwe, fix
+const PATTERNS = [
+  {
+    name: 'torch-load-unsafe',
+    re: /\btorch\.load\s*\(/g,
+    // Suppress if weights_only=True is in the same call's argument list (next 200 chars)
+    contextRe: /weights_only\s*=\s*True/,
+    contextNeg: true,
+    vuln: 'Model Load: torch.load() without weights_only=True (RCE via pickle)',
+    severity: 'critical',
+    cwe: 'CWE-502',
+    fix: 'Pass weights_only=True to torch.load(): `torch.load(path, weights_only=True)`. The default was unsafe in PyTorch < 2.6 — the loader can execute arbitrary Python during deserialization. Prefer the safetensors format (`.safetensors`) for new models — it cannot execute code.',
+  },
+  {
+    name: 'transformers-trust-remote-code',
+    re: /\.from_pretrained\s*\([^)]{0,400}?trust_remote_code\s*=\s*True/g,
+    vuln: 'Model Load: from_pretrained(trust_remote_code=True) executes arbitrary code from the model repo',
+    severity: 'critical',
+    cwe: 'CWE-94',
+    fix: 'Set trust_remote_code=False (the default) or omit it. With trust_remote_code=True, the transformers library executes arbitrary Python code published in the model repository at load time. If you need a specific custom model, audit its code first and pin to a verified revision.',
+  },
+  {
+    name: 'from-pretrained-no-revision',
+    re: /\b(?:Auto(?:Model|Tokenizer|Config|Processor|FeatureExtractor)|[A-Z][A-Za-z]*Model|[A-Z][A-Za-z]*Tokenizer)\.from_pretrained\s*\(\s*['"][\w./-]+['"][^)]*\)/g,
+    // Fire only when revision= is NOT in the call's arguments
+    contextRe: /revision\s*=/,
+    contextNeg: true,
+    vuln: 'Model Load: from_pretrained without pinned revision (mutable, supply-chain risk)',
+    severity: 'high',
+    cwe: 'CWE-1357',
+    fix: 'Pin to a specific commit SHA: `AutoModel.from_pretrained("org/model", revision="abc123def456...")`. Without a pinned revision the model publisher (or anyone who compromises them) can ship new weights into your inference path silently. Get the SHA from the Hugging Face Hub commit history.',
+  },
+  {
+    name: 'pickle-load',
+    re: /\bpickle\.(?:load|loads)\s*\(/g,
+    vuln: 'Model Load: pickle.load() — RCE on untrusted input',
+    severity: 'critical',
+    cwe: 'CWE-502',
+    fix: 'pickle.load() executes arbitrary code during deserialization. Use safetensors (`.safetensors`), JSON, or MessagePack for serialization. If you must use pickle, only on paths you wrote yourself in the same process and verify a hash before loading.',
+  },
+  {
+    name: 'yaml-unsafe-load',
+    re: /\byaml\.(?:load|unsafe_load)\s*\(/g,
+    contextRe: /yaml\.safe_load|Loader\s*=\s*(?:yaml\.)?SafeLoader/,
+    contextNeg: true,
+    vuln: 'Model Load: yaml.load() / yaml.unsafe_load() — RCE on untrusted YAML',
+    severity: 'critical',
+    cwe: 'CWE-502',
+    fix: 'Use yaml.safe_load() for any YAML you did not author. yaml.load() with the default loader instantiates arbitrary Python objects, including os.system shells. yaml.unsafe_load() is even worse.',
+  },
+  {
+    name: 'joblib-load',
+    re: /\bjoblib\.load\s*\(/g,
+    vuln: 'Model Load: joblib.load() is pickle-backed — RCE on untrusted input',
+    severity: 'high',
+    cwe: 'CWE-502',
+    fix: 'joblib.load() uses pickle under the hood and has the same RCE risk. Use it only on files you control and verify a hash before loading. For sklearn models, prefer ONNX export or skops/skopt safe-serialization.',
+  },
+  {
+    name: 'numpy-allow-pickle',
+    re: /\bnp\.load\s*\([^)]*?allow_pickle\s*=\s*True/g,
+    vuln: 'Model Load: np.load(allow_pickle=True) — RCE via pickle in .npy files',
+    severity: 'high',
+    cwe: 'CWE-502',
+    fix: 'Set allow_pickle=False (default since NumPy 1.16.3) and use a structured format (.npz with explicit arrays). If you must keep allow_pickle=True, only on .npy files you produced yourself in the same trust boundary.',
+  },
+  {
+    name: 'http-model-url',
+    re: /(?:torch\.hub\.load_state_dict_from_url|hf_hub_download|tf\.keras\.models\.load_model|load_state_dict)\s*\(\s*['"]http:\/\//g,
+    vuln: 'Model Load: model weights fetched from http:// (no integrity, MITM)',
+    severity: 'high',
+    cwe: 'CWE-494',
+    fix: 'Use https://. Better: pin to a specific revision/SHA and verify a checksum after download. Plain http allows a network attacker to substitute the weights with a backdoored version.',
+  },
+];
+
+function _emit(fp, line, p, snippet) {
+  return {
+    id: `model-load:${fp}:${line}:${p.name}`,
+    kind: 'sast',
+    severity: p.severity,
+    vuln: p.vuln,
+    cwe: p.cwe,
+    stride: 'Tampering',
+    file: fp,
+    line,
+    snippet: (snippet || '').trim().slice(0, 200),
+    fix: p.fix,
+  };
+}
+
+export function scanModelLoad(fp, raw) {
+  if (!_SCAN_EXT_RE.test(fp)) return [];
+  const fpNorm = fp.replace(/\\/g, '/');
+  if (_NONPROD_PATH_RE.test(fpNorm)) return [];
+  if (!raw || raw.length > 500_000) return [];
+
+  const lines = raw.split('\n');
+  const findings = [];
+  const seen = new Set();
+
+  for (const p of PATTERNS) {
+    const re = new RegExp(p.re.source, p.re.flags.includes('g') ? p.re.flags : p.re.flags + 'g');
+    let m;
+    while ((m = re.exec(raw))) {
+      const matchedText = m[0];
+      // Build a window: from match-100 to match-end+400, to catch nearby kwargs / Loader= clauses
+      const windowStart = Math.max(0, m.index - 100);
+      const windowEnd = Math.min(raw.length, m.index + matchedText.length + 400);
+      const window = raw.substring(windowStart, windowEnd);
+
+      if (p.contextRe) {
+        const present = p.contextRe.test(window);
+        if (p.contextNeg && present) continue; // suppress: safe context found
+        if (!p.contextNeg && !present) continue;
+      }
+
+      const line = raw.substring(0, m.index).split('\n').length;
+      const finding = _emit(fp, line, p, lines[line - 1] || matchedText);
+      if (!seen.has(finding.id)) {
+        seen.add(finding.id);
+        findings.push(finding);
+      }
+    }
+  }
+
+  return findings;
+}
+
+// Public for tests
+export const _internal = { PATTERNS };

package/src/sast/mutation-xss.js

@@ -0,0 +1,87 @@
+import { blankComments } from './_comment-strip.js';
+// Mutation-based XSS (mXSS).
+//
+// mXSS happens when "safe-looking" HTML is re-serialized through the DOM and
+// becomes unsafe. The canonical shape:
+//
+//   const safeHtml = sanitize(userHtml);
+//   container.innerHTML = safeHtml;          // safe so far
+//   const round = container.innerHTML;       // browser-serialized
+//   otherEl.innerHTML = round;               // mutation point — re-parse can
+//                                            // re-introduce script
+//
+// Less obvious shapes:
+//   - DOMParser().parseFromString(s, "text/html").body.innerHTML  on user input
+//   - new XMLSerializer().serializeToString(...) into innerHTML
+//   - template re-render via .innerHTML after .innerHTML on user-controlled.
+
+const RE_PARSE_THEN_INNERHTML = /new\s+DOMParser\s*\(\s*\)\s*\.parseFromString\s*\([^)]+\)\s*\.\s*body\s*\.\s*innerHTML/g;
+
+const SERIALIZER_INTO_INNERHTML = /new\s+XMLSerializer\s*\(\s*\)\s*\.\s*serializeToString[^]*?\.innerHTML\s*=/g;
+
+const ROUNDTRIP_RE = /(\w+)\s*\.\s*innerHTML\s*=\s*\w+[^]{0,200}\1\s*\.\s*innerHTML[^]{0,200}\.\s*innerHTML\s*=/g;
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanMutationXSS(fp, raw) {
+  if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|html|htm|vue|svelte)$/i.test(fp)) return [];
+  if (!raw || raw.length > 500_000) return [];
+  const code = blankComments(raw);
+  const findings = [];
+  const seen = new Set();
+  const push = (f) => { if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); } };
+
+  let m;
+  const r1 = new RegExp(RE_PARSE_THEN_INNERHTML.source, RE_PARSE_THEN_INNERHTML.flags);
+  while ((m = r1.exec(code))) {
+    const line = lineOf(raw, m.index);
+    push({
+      id: `mxss-parse-roundtrip:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Mutation XSS: DOMParser → .body.innerHTML round-trip on potentially-tainted HTML',
+      severity: 'medium',
+      cwe: 'CWE-79',
+      stride: 'Tampering',
+      snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+      remediation: 'Re-serializing HTML through the DOM can re-introduce script via known mutation tricks (`<noscript>`, malformed comments, `<svg>` namespace confusion). If you must round-trip, sanitize the *output* of the round-trip with DOMPurify on the final string, not the input. Better: keep user content as text nodes (`textContent`) instead of HTML.',
+      parser: 'MUTATION-XSS',
+      confidence: 0.75,
+    });
+  }
+
+  const r2 = new RegExp(SERIALIZER_INTO_INNERHTML.source, SERIALIZER_INTO_INNERHTML.flags);
+  while ((m = r2.exec(code))) {
+    const line = lineOf(raw, m.index);
+    push({
+      id: `mxss-serialize-into-innerhtml:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Mutation XSS: XMLSerializer output assigned to innerHTML',
+      severity: 'medium',
+      cwe: 'CWE-79',
+      stride: 'Tampering',
+      snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+      remediation: 'XML serialization re-parsed as HTML changes meaning — `<script xmlns="http://www.w3.org/1999/xhtml">` is inert as XML but live in HTML. Use `textContent` if the goal is plain text; use a typed templating engine if the goal is structured HTML.',
+      parser: 'MUTATION-XSS',
+      confidence: 0.80,
+    });
+  }
+
+  const r3 = new RegExp(ROUNDTRIP_RE.source, ROUNDTRIP_RE.flags);
+  while ((m = r3.exec(code))) {
+    const line = lineOf(raw, m.index);
+    push({
+      id: `mxss-innerhtml-roundtrip:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Mutation XSS: read-back of innerHTML then re-assigned to another innerHTML',
+      severity: 'medium',
+      cwe: 'CWE-79',
+      stride: 'Tampering',
+      snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+      remediation: 'The DOM normalizes HTML on `.innerHTML` read; re-parsing the result on another element can re-introduce executable script. If you need to copy markup, use `el.cloneNode(true)` and `appendChild` instead of innerHTML round-trips.',
+      parser: 'MUTATION-XSS',
+      confidence: 0.65,
+    });
+  }
+
+  return findings;
+}

package/src/sast/nosql-injection.js

@@ -0,0 +1,82 @@
+import { blankComments } from './_comment-strip.js';
+// NoSQL injection (MongoDB / Mongoose / DynamoDB / etc.).
+//
+// Three classes:
+//   1. MongoDB $where with a string built from user input — equivalent to
+//      arbitrary JS evaluation on the server.
+//   2. Mongoose / mongo find(req.body) — Mongo accepts operator objects in
+//      values, so `{ password: { $ne: null } }` matches any record. The fix
+//      is to coerce the value to a string before passing it in.
+//   3. DynamoDB FilterExpression / ConditionExpression / KeyConditionExpression
+//      built via string concat instead of placeholders.
+
+const MONGO_WHERE_RE = /\$where\s*:\s*[^,}]*(?:\+|`\$\{|String\(|String\.raw)/g;
+
+const MONGO_FIND_REQ_OBJ_RE = /\.\s*(?:find|findOne|findOneAndUpdate|findOneAndDelete|update|updateOne|updateMany|deleteOne|deleteMany|count|countDocuments)\s*\(\s*(?:req|request|ctx\.request)\s*\.\s*(?:body|query|params)\s*[,)]/g;
+
+const DYNAMO_EXPR_CONCAT_RE = /(?:FilterExpression|ConditionExpression|KeyConditionExpression|UpdateExpression)\s*:\s*[^,}]*[`+][^,}]*\$\{?\s*(?:req|request)\s*\./g;
+
+const PY_MONGO_FIND_REQ = /\.\s*(?:find|find_one|update_one|update_many|delete_one|delete_many)\s*\(\s*request\s*\.\s*(?:json|data|args|form)/g;
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanNoSQLInjection(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  const findings = [];
+  const seen = new Set();
+  const push = (f) => { if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); } };
+
+  if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) {
+    const code = blankComments(raw);
+    let m;
+    for (const [re, key, label, conf] of [
+      [MONGO_WHERE_RE, 'mongo-where', 'NoSQL Injection: MongoDB $where with user-controlled string', 0.90],
+      [MONGO_FIND_REQ_OBJ_RE, 'mongo-find', 'NoSQL Injection: MongoDB query with raw request object (operator injection)', 0.80],
+      [DYNAMO_EXPR_CONCAT_RE, 'dynamo-expr', 'NoSQL Injection: DynamoDB Expression built via string concatenation', 0.85],
+    ]) {
+      const r = new RegExp(re.source, re.flags);
+      while ((m = r.exec(code))) {
+        const line = lineOf(raw, m.index);
+        push({
+          id: `nosql-${key}:${fp}:${line}`,
+          file: fp, line,
+          vuln: label,
+          severity: 'high',
+          cwe: 'CWE-943',
+          stride: 'Tampering',
+          snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+          remediation: key === 'mongo-where'
+            ? '`$where` runs server-side JavaScript and treats any string as code. Replace with structural operators (`$expr`, `$gt`, `$regex` with a constant pattern). Never build a `$where` string from user input.'
+            : key === 'mongo-find'
+            ? 'Coerce each value to a primitive before passing into Mongo: `await User.findOne({ email: String(req.body.email), password: hash(String(req.body.password)) })`. Mongo accepts operator objects as values — `{ $ne: null }` matches every record.'
+            : 'Build DynamoDB expressions with ExpressionAttributeValues placeholders, never via string concatenation: `KeyConditionExpression: "id = :id", ExpressionAttributeValues: { ":id": userId }`.',
+          parser: 'NOSQL-INJECTION',
+          confidence: conf,
+        });
+      }
+    }
+  }
+
+  if (/\.py$/i.test(fp)) {
+    const code = blankComments(raw, 'py');
+    let m;
+    const r = new RegExp(PY_MONGO_FIND_REQ.source, PY_MONGO_FIND_REQ.flags);
+    while ((m = r.exec(code))) {
+      const line = lineOf(raw, m.index);
+      push({
+        id: `nosql-pymongo:${fp}:${line}`,
+        file: fp, line,
+        vuln: 'NoSQL Injection: PyMongo query with raw request body',
+        severity: 'high',
+        cwe: 'CWE-943',
+        stride: 'Tampering',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: 'Construct the query dict yourself with coerced values: `users.find_one({"email": str(request.json["email"])})`. Passing `request.json` directly lets a client smuggle operator dicts (`{"$ne": null}`) that match every record.',
+        parser: 'NOSQL-INJECTION',
+        confidence: 0.80,
+      });
+    }
+  }
+
+  return findings;
+}

package/src/sast/open-redirect.js

@@ -0,0 +1,119 @@
+// Open Redirect (CWE-601).
+//
+// Pattern: a redirect target is derived from user input without an allow-
+// list check. Attacker uses the trusted domain to bounce a victim to a
+// phishing page. The bug is invisible in the URL bar until *after* the
+// redirect fires.
+//
+// We catch:
+//   - Express:        res.redirect(req.query.x | req.body.x | …)
+//   - Koa:            ctx.redirect(ctx.query.x)
+//   - Flask (Python): flask.redirect(request.args.get(…)) / redirect(request.…)
+//   - Django (Python):HttpResponseRedirect(request.GET[…])
+//   - Spring (Java):  return new RedirectView(name);  return "redirect:" + name;
+//   - PHP:            header("Location: " . $_GET[...])
+//
+// We suppress the flag when the value is checked against an allow-list
+// before redirect — recognized patterns: `ALLOWED.has(x)`, `x in ALLOWED`,
+// `ALLOWED_REDIRECTS.includes(x)`, `if (x.startsWith('/'))` (relative-only),
+// or `urlparse(x).hostname == self_host`.
+
+import { blankComments } from './_comment-strip.js';
+
+const PATTERNS = [
+  // Express/Koa-style: res.redirect(<expr>) or ctx.redirect(<expr>).
+  ['js', /\b(?:res|ctx|reply|response)\s*\.\s*redirect\s*\(\s*([^)]+?)\s*\)/g, 'Express/Koa'],
+  // Bare redirect() — Flask / Werkzeug.
+  ['py', /\b(?:flask\.)?redirect\s*\(\s*([^)]+?)\s*\)/g, 'Flask'],
+  // Django.
+  ['py', /\bHttpResponseRedirect\s*\(\s*([^)]+?)\s*\)/g, 'Django'],
+  // Spring controllers — `return "redirect:" + name;`
+  ['java', /\breturn\s+"redirect:"\s*\+\s*(\w[\w.]*)/g, 'Spring (return redirect:)'],
+  // Spring RedirectView
+  ['java', /\bnew\s+RedirectView\s*\(\s*(\w[\w.]*)\s*\)/g, 'Spring RedirectView'],
+  // PHP header("Location: " . $...)
+  ['php', /\bheader\s*\(\s*['"]\s*Location\s*:\s*['"]\s*\.\s*(\$\w[\w\[\]'"]*)/g, 'PHP Location'],
+];
+
+// What counts as "user-derived" inside the captured target expression.
+const TAINT_HINT_RE =
+  /\b(?:req\.|request\.|params\.|query\.|body\.|ctx\.query|ctx\.request|ctx\.params|reply\.query|r\.URL\.Query|c\.Query|next\b|_GET|_POST|_REQUEST|getParameter|getHeader)\b/;
+
+// What counts as an allow-list check earlier in the function. We look back
+// up to 30 lines before the redirect call for any of these patterns.
+const ALLOWLIST_PATTERNS = [
+  /\bALLOW(?:ED|LIST)?(?:_[A-Z_]+)?\.(?:has|includes|contains|indexOf)\b/i,
+  /\bin\s+ALLOW(?:ED|LIST)?\b/,
+  /\bin\s+\{[^}]+\}/,                            // `target in {'/a','/b'}`
+  /\.startsWith\s*\(\s*['"]\//,                  // x.startsWith('/')
+  /^\s*if\s*\(\s*\w+\.startsWith\s*\(\s*['"]\//, // explicit prefix check
+  /urlparse\([^)]+\)\.(?:hostname|netloc)/,      // host extraction
+  /url\.parse\([^)]+\)\s*\.\s*host(?:name)?/,
+  /new\s+URL\s*\(\s*[^)]+\)\s*\.\s*hostname/,
+  /\bvalid_redirect_url\b/,                      // common helper name
+  /allowedRedirectTargets/i,
+  /\babort\s*\(\s*4\d\d/,                        // any abort(4xx) earlier
+  /\bres\s*\.\s*status\s*\(\s*4\d\d\b/,
+];
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+function _lang(fp) {
+  if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) return 'js';
+  if (/\.py$/i.test(fp)) return 'py';
+  if (/\.java$/i.test(fp)) return 'java';
+  if (/\.php$/i.test(fp)) return 'php';
+  return null;
+}
+
+function _allowListedPrior(raw, callLine, target) {
+  const lines = raw.split('\n');
+  const lo = Math.max(0, callLine - 30);
+  const before = lines.slice(lo, callLine).join('\n');
+  // Strip the target out of `before` so the regex isn't fooled by the
+  // target literal itself appearing in an allow-list match.
+  for (const p of ALLOWLIST_PATTERNS) if (p.test(before)) return true;
+  return false;
+}
+
+export function scanOpenRedirect(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  const lang = _lang(fp);
+  if (!lang) return [];
+  const code = blankComments(raw, lang === 'py' ? 'py' : undefined);
+  if (!/\bredirect\b|RedirectView|HttpResponseRedirect|Location\s*:/i.test(code)) return [];
+  const findings = [];
+  const seen = new Set();
+  for (const [plang, pat, framework] of PATTERNS) {
+    if (plang !== lang) continue;
+    const re = new RegExp(pat.source, pat.flags);
+    let m;
+    while ((m = re.exec(code))) {
+      const target = (m[1] || '').trim();
+      if (!target) continue;
+      if (!TAINT_HINT_RE.test(target)) continue;
+      const line = _lineOf(raw, m.index);
+      // Suppress if an allow-list check appears in the preceding window.
+      if (_allowListedPrior(raw, line, target)) continue;
+      const id = `open-redirect:${fp}:${line}:${framework}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      findings.push({
+        id,
+        file: fp, line,
+        vuln: `Open Redirect (${framework})`,
+        severity: 'medium',
+        cwe: 'CWE-601',
+        family: 'open-redirect',
+        stride: 'Spoofing',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation:
+          'Validate the redirect target against a server-side allow-list of paths or hosts before redirecting. ' +
+          'Restrict to relative paths starting with a single `/` (and rejecting `//`), or check the hostname against an explicit allow-list set. ' +
+          'Never round-trip an attacker-supplied URL through `res.redirect` / `flask.redirect` / `HttpResponseRedirect` / `Location: …` without that check.',
+        parser: 'OPEN-REDIRECT',
+        confidence: 0.8,
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/php.js

@@ -0,0 +1,91 @@
+// PHP-specific detectors. Covers the canonical PHP foot-guns:
+//
+//   - $_REQUEST / $_GET / $_POST flowing into eval / system / exec / passthru / shell_exec / `` / popen / proc_open
+//   - unserialize() on user input
+//   - include / require with user-controlled path (LFI / RFI)
+//   - mysql_query with concatenated user input
+//   - extract($_REQUEST) — direct variable injection
+//   - md5/sha1 used for password hashing
+//   - phpinfo() exposed in production code
+//   - assert with string argument
+
+const RE = {
+  dangerCall: /\b(?:eval|assert|system|exec|passthru|shell_exec|popen|proc_open|pcntl_exec)\s*\(\s*[^)]*\$(?:_(?:REQUEST|GET|POST|COOKIE|FILES|SERVER)|HTTP_)/g,
+  backtickInterp: /`[^`]*\$(?:_(?:REQUEST|GET|POST|COOKIE)|[A-Z_a-z][\w]*)[^`]*`/g,
+  unserialize: /\bunserialize\s*\(\s*\$(?:_(?:REQUEST|GET|POST|COOKIE)|HTTP_)/g,
+  includeUser: /\b(?:include|include_once|require|require_once)\s*[(\s]+\$(?:_(?:REQUEST|GET|POST|COOKIE)|HTTP_)/g,
+  mysqlConcat: /\bmysql(?:i)?_(?:query|real_query)\s*\(\s*[^)]*['"]\s*\.\s*\$(?:_(?:REQUEST|GET|POST)|HTTP_)/g,
+  extractRequest: /\bextract\s*\(\s*\$(?:_REQUEST|_GET|_POST|HTTP_GET_VARS|HTTP_POST_VARS)\s*[,)]/g,
+  passwordHashMd5: /\b(?:md5|sha1)\s*\(\s*\$(?:_(?:REQUEST|GET|POST)|password|passwd|pwd|hash_input)/gi,
+  phpinfo: /\bphpinfo\s*\(/g,
+};
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanPhp(fp, raw) {
+  if (!/\.(?:php|phtml|phar)$/i.test(fp)) return [];
+  if (!raw || raw.length > 500_000) return [];
+  const findings = [];
+  const seen = new Set();
+  const push = (f) => { if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); } };
+
+  for (const [key, re] of Object.entries(RE)) {
+    const r = new RegExp(re.source, re.flags);
+    let m;
+    while ((m = r.exec(raw))) {
+      const line = lineOf(raw, m.index);
+      const meta = {
+        dangerCall: {
+          vuln: 'Command/Code Injection: dangerous function call with user input ($_REQUEST/$_GET/$_POST)',
+          severity: 'critical', cwe: 'CWE-78',
+          remediation: 'Never pass $_REQUEST/$_GET/$_POST into eval, system, exec, passthru, shell_exec, popen, or assert with a string. Use escapeshellarg() if you absolutely must, but prefer an array-form exec via proc_open. The right answer is usually: don\'t shell out at all; call a library.',
+        },
+        backtickInterp: {
+          vuln: 'Command Injection: backtick command interpolates a PHP variable',
+          severity: 'critical', cwe: 'CWE-78',
+          remediation: 'Backticks invoke the shell. Use `proc_open` with an array form so the shell never parses your input.',
+        },
+        unserialize: {
+          vuln: 'Insecure Deserialization: unserialize() on user input',
+          severity: 'critical', cwe: 'CWE-502',
+          remediation: 'PHP unserialize() will call __destruct / __wakeup on every class in the serialized graph — a gadget chain in the codebase becomes RCE. Replace with json_decode for any input crossing a trust boundary.',
+        },
+        includeUser: {
+          vuln: 'Local/Remote File Inclusion: include/require with user-controlled path',
+          severity: 'critical', cwe: 'CWE-98',
+          remediation: 'Never include() / require() a user-controlled path. If you need a dispatch table, build it as `$pages = ["home" => "home.php", ...]; include $pages[$_GET["page"]] ?? "404.php";` with an explicit whitelist.',
+        },
+        mysqlConcat: {
+          vuln: 'SQL Injection: mysql(i)_query with concatenated $_REQUEST/$_GET/$_POST',
+          severity: 'critical', cwe: 'CWE-89',
+          remediation: 'Use prepared statements: `$stmt = $mysqli->prepare("SELECT ... WHERE id = ?"); $stmt->bind_param("i", $id);`. The mysql_* family was deprecated in PHP 5.5 and removed in 7.0 — migrate to mysqli or PDO.',
+        },
+        extractRequest: {
+          vuln: 'Variable Injection: extract($_REQUEST) creates arbitrary local variables from request',
+          severity: 'critical', cwe: 'CWE-915',
+          remediation: 'Never call `extract()` on a user-controlled array — it overwrites local variables, including `$is_admin`, `$auth_user`, etc. Read the specific fields you want explicitly.',
+        },
+        passwordHashMd5: {
+          vuln: 'Weak password hashing — md5/sha1 are not password-hashing functions',
+          severity: 'high', cwe: 'CWE-916',
+          remediation: 'Use password_hash($pwd, PASSWORD_ARGON2ID) and password_verify(). md5 and sha1 are too fast for password storage — modern GPUs crack the full keyspace of an 8-char alphanumeric in hours.',
+        },
+        phpinfo: {
+          vuln: 'phpinfo() exposes environment, headers, paths, and INI settings',
+          severity: 'high', cwe: 'CWE-200',
+          remediation: 'Delete phpinfo() before deploy. It leaks the PHP version, loaded extensions, environment variables, document root, and request headers — a one-shot recon page for an attacker.',
+        },
+      }[key];
+      push({
+        id: `php-${key}:${fp}:${line}`,
+        file: fp, line,
+        vuln: meta.vuln, severity: meta.severity, cwe: meta.cwe,
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: meta.remediation,
+        parser: 'PHP',
+        confidence: 0.85,
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/pipeline.js

@@ -0,0 +1,122 @@
+// 0.7.0 Feat-9: Pipeline / GitHub Actions integrity detector with PBOM emitter.
+//
+// Catches the canonical CI/CD security mistakes:
+//   - Floating action tags (uses: foo/bar@main)        — supply-chain hijack vector
+//   - Third-party action without SHA pinning           — same threat
+//   - Excessive permissions (write-all)                — token-blast-radius
+//   - Secret echoed in run: step                       — leakage
+//   - OIDC id-token: write without aud restriction     — token theft / re-use
+//   - script-injection in github.event.<...>           — RCE in workflow
+//
+// Same finding shape as scanIaC; produced separately so the rule set is small and tunable.
+
+const _GH_WORKFLOW_RE = /(?:^|\/)\.github\/workflows\/.*\.ya?ml$/i;
+const _NONPROD_RE = /(?:^|\/)(?:tests?|examples?|fixtures?)\//i;
+
+const PIPELINE_PATTERNS = [
+  {
+    re: /\buses\s*:\s*[\w-]+\/[\w-]+@(?:main|master|latest)\b/g,
+    vuln: 'Pipeline: GitHub Action pinned to floating tag',
+    sev: 'medium', cwe: 'CWE-1357',
+    fix: 'Pin third-party actions to a 40-char commit SHA. The tag can be re-pointed by the publisher (or an attacker who compromises them) without your knowledge.',
+  },
+  {
+    re: /\buses\s*:\s*(?!actions\/)[\w-]+\/[\w-]+@v?\d+(?!\.\d+\.\d+)\b/g,
+    vuln: 'Pipeline: Third-party action pinned to major-version tag (mutable)',
+    sev: 'medium', cwe: 'CWE-1357',
+    fix: 'Tag like @v3 is mutable. For first-party `actions/*` it is generally safe. For any third-party action, pin to a full SHA.',
+  },
+  {
+    re: /\bpermissions\s*:\s*write-all\b/g,
+    vuln: 'Pipeline: permissions set to write-all (excessive scope)',
+    sev: 'high', cwe: 'CWE-272',
+    fix: 'Replace `permissions: write-all` with the minimum required permissions block, e.g. `contents: read` + the specific scopes the workflow needs.',
+  },
+  {
+    re: /run\s*:\s*[\s\S]*?echo\s+[^\n]*\$\{?\s*\{?\s*secrets\.[A-Z0-9_]+/g,
+    vuln: 'Pipeline: secret echoed to logs',
+    sev: 'high', cwe: 'CWE-532',
+    fix: 'Never echo a `${{ secrets.* }}` value to step output. Use `::add-mask::` if you must reference it, and prefer reading the secret directly into a tool that doesn\'t print it.',
+  },
+  {
+    re: /\$\{\{\s*github\.event\.(?:issue\.title|issue\.body|pull_request\.title|pull_request\.body|comment\.body|head_commit\.message|inputs\.[A-Za-z_][\w]*)\s*\}\}/g,
+    vuln: 'Pipeline: untrusted github.event input interpolated into shell context',
+    sev: 'critical', cwe: 'CWE-78',
+    fix: 'Pipe untrusted github.event values through an environment variable instead of interpolating into the shell, e.g. `env: TITLE: ${{ github.event.issue.title }}` then use `"$TITLE"` in the run script.',
+  },
+  {
+    re: /\bid-token\s*:\s*write\b/g,
+    vuln: 'Pipeline: OIDC id-token: write without explicit aud restriction',
+    sev: 'medium', cwe: 'CWE-1188',
+    fix: 'When granting `id-token: write`, configure the cloud-side trust policy to require a specific `aud` claim and `sub` pattern. Otherwise any workflow on the repo can mint a token usable against this trust policy.',
+    contextRe: /\b(?:aud|audience)\s*:/, contextNeg: true, // fire only if NO aud/audience configured
+  },
+];
+
+export function scanPipeline(fp, raw) {
+  if (!_GH_WORKFLOW_RE.test(fp.replace(/\\/g, '/'))) return [];
+  if (_NONPROD_RE.test(fp.replace(/\\/g, '/'))) return [];
+  if (!raw || raw.length > 200_000) return [];
+  const lines = raw.split('\n');
+  const findings = [];
+  const seen = new Set();
+  for (const p of PIPELINE_PATTERNS) {
+    if (p.contextRe) {
+      const present = p.contextRe.test(raw);
+      if (p.contextNeg && present) continue; // suppress: required context exists
+      if (!p.contextNeg && !present) continue;
+    }
+    const re = new RegExp(p.re.source, p.re.flags.includes('g') ? p.re.flags : p.re.flags + 'g');
+    let m;
+    while ((m = re.exec(raw))) {
+      const line = raw.substring(0, m.index).split('\n').length;
+      const id = `pipeline:${fp}:${line}:${p.vuln.replace(/\s/g, '_').slice(0, 48)}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      findings.push({
+        id, kind: 'iac', severity: p.sev, vuln: p.vuln,
+        cwe: p.cwe, stride: 'Tampering',
+        file: fp, line, snippet: (lines[line - 1] || '').trim(),
+        fix: p.fix,
+      });
+    }
+  }
+  return findings;
+}
+
+// PBOM emitter: a Pipeline Bill of Materials. Lists every workflow file, every
+// `uses:` step with its pin (SHA or tag), every secret reference, every
+// permissions block. The PBOM is meant to be stored alongside the SBOM and
+// produced from the same scan.
+export function toPBOM(fileContents, meta = {}) {
+  const workflows = [];
+  for (const [fp, raw] of Object.entries(fileContents || {})) {
+    if (!_GH_WORKFLOW_RE.test(fp.replace(/\\/g, '/'))) continue;
+    const usesArr = [];
+    const usesRe = /\buses\s*:\s*([\w-]+\/[\w-]+)@([^\s]+)/g;
+    let m;
+    while ((m = usesRe.exec(raw))) {
+      usesArr.push({
+        action: m[1],
+        pin: m[2],
+        pinned: /^[a-f0-9]{40}$/.test(m[2]),
+      });
+    }
+    const secretRefs = Array.from(new Set([...(raw.match(/\bsecrets\.[A-Z0-9_]+/g) || [])]));
+    const permsBlock = (raw.match(/\bpermissions\s*:[^\n]*(?:\n\s+[^\n]*)*/g) || []).map(s => s.trim());
+    const idToken = /\bid-token\s*:\s*write\b/.test(raw);
+    workflows.push({ file: fp, uses: usesArr, secretsReferenced: secretRefs, permissions: permsBlock, oidcEnabled: idToken });
+  }
+  return {
+    pbomFormat: 'agentic-security PBOM',
+    version: '1',
+    generatedAt: meta.startedAt || new Date().toISOString(),
+    workflows,
+    summary: {
+      totalWorkflows: workflows.length,
+      totalActions: workflows.reduce((n, w) => n + w.uses.length, 0),
+      pinnedActions: workflows.reduce((n, w) => n + w.uses.filter(u => u.pinned).length, 0),
+      oidcWorkflows: workflows.filter(w => w.oidcEnabled).length,
+    },
+  };
+}