@clear-capabilities/agentic-security-scanner 0.74.0

package/src/sast/springboot-hardening.js

@@ -0,0 +1,186 @@
+// Spring Boot framework hardening.
+//
+// Extends the general Java SAST with Spring-specific annotation-level
+// audits. Targets controllers, security configurations, and the
+// application.properties / application.yml that ship with Spring Boot apps.
+//
+// Coverage:
+//   1. @RestController / @Controller class with mutating endpoints
+//      (POST/PUT/PATCH/DELETE) missing @PreAuthorize / @Secured / @RolesAllowed
+//   2. SecurityFilterChain with .permitAll() on /admin/** or /api/**
+//   3. @CrossOrigin(origins = "*") (or allow-all credentials combo)
+//   4. application.properties / application.yml with literal credentials
+//   5. application.properties spring.security.user.password=
+//   6. Missing @EnableMethodSecurity / @EnableGlobalMethodSecurity
+//   7. JWT filter that skips signature verification (decodes only)
+//   8. management.endpoints.web.exposure.include=* (Actuator exposed)
+
+const _JAVA_RE = /\.java$/i;
+const _SPRING_PROPS_RE = /(?:^|[\\/])application(?:[-.][\w-]+)?\.(?:properties|ya?ml)$/i;
+
+const _SPRING_CTL_ANN_RE = /@(?:RestController|Controller)\b/;
+const _SPRING_MAPPING_RE = /@(?:Get|Post|Put|Patch|Delete|Request)Mapping\b/;
+const _MUTATING_RE = /@(?:Post|Put|Patch|Delete)Mapping\b/;
+const _AUTHZ_ANN_RE = /@(?:PreAuthorize|PostAuthorize|Secured|RolesAllowed|PermitAll)\b/;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+function _isSpringJavaFile(raw) {
+  return /\bimport\s+org\.springframework\b/.test(raw) || /\b@SpringBoot|@RestController|@Controller|@Service|@Repository\b/.test(raw);
+}
+
+export function scanSpringbootHardening(file, raw) {
+  if (!file || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 300_000) return [];
+
+  const findings = [];
+
+  // ── application.properties / .yml checks ────────────────────────────────
+  if (_SPRING_PROPS_RE.test(file)) {
+    // spring.security.user.password= literal (default in-memory user with a real password)
+    for (const m of raw.matchAll(/^\s*spring\.security\.user\.password\s*[=:]\s*(?!(?:\$\{|---|''|""|\s*$))(\S+)/gm)) {
+      findings.push({
+        id: `springboot:default-user-password:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'Spring Boot application.properties: spring.security.user.password set to a literal',
+        severity: 'critical',
+        family: 'springboot-hardcoded-credential',
+        cwe: 'CWE-798',
+        confidence: 0.9,
+        description: 'Spring Security\'s in-memory default user is enabled with a hardcoded password. Anyone who reads the property file gets admin access in dev/staging — and these files frequently ship to production by mistake.',
+        remediation: 'Use spring.security.user.password=${ADMIN_PASSWORD} pulled from env. Better: replace the default user with a real UserDetailsService backed by your identity store.',
+      });
+    }
+    // OIDC client secret literal
+    for (const m of raw.matchAll(/^\s*(?:quarkus\.oidc\.credentials\.secret|spring\.security\.oauth2\.client\.registration\.\w+\.client-secret)\s*[=:]\s*(\S{12,})/gm)) {
+      const val = m[1];
+      if (val.startsWith('${') || val === '""' || val === "''") continue;
+      findings.push({
+        id: `springboot:oidc-secret-literal:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'OIDC client secret in plaintext config',
+        severity: 'critical',
+        family: 'springboot-hardcoded-credential',
+        cwe: 'CWE-798',
+        confidence: 0.9,
+        description: 'An OIDC / OAuth2 client secret is in a config file checked into source control. Anyone with repo read can impersonate the application against the IdP.',
+        remediation: 'Replace with ${OIDC_CLIENT_SECRET} env-var reference. Rotate the leaked secret immediately at the IdP.',
+      });
+    }
+    // Actuator endpoints exposed via wildcard
+    if (/^\s*management\.endpoints\.web\.exposure\.include\s*[=:]\s*['"]?\*/.test(raw)) {
+      const m = /^\s*management\.endpoints\.web\.exposure\.include\s*[=:]\s*['"]?\*/.exec(raw);
+      findings.push({
+        id: `springboot:actuator-exposed:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'Spring Actuator endpoints exposed via wildcard (management.endpoints.web.exposure.include=*)',
+        severity: 'high',
+        family: 'springboot-actuator-exposed',
+        cwe: 'CWE-200',
+        confidence: 0.95,
+        description: 'Wildcard Actuator exposure makes /actuator/env, /heapdump, /threaddump, /loggers reachable. /env leaks process environment variables (including database passwords); /heapdump dumps the JVM heap.',
+        remediation: 'Set management.endpoints.web.exposure.include=health,info (or whatever specific ones you need). Bind Actuator to a separate port behind a private network.',
+      });
+    }
+    return findings;
+  }
+
+  // ── Java source checks ──────────────────────────────────────────────────
+  if (!_JAVA_RE.test(file)) return [];
+  if (!_isSpringJavaFile(raw)) return [];
+
+  // 1. Controllers with mutating endpoints missing authz annotation
+  if (_SPRING_CTL_ANN_RE.test(raw) && _MUTATING_RE.test(raw)) {
+    // Find each method annotated with mutating mapping; check if @PreAuthorize / @Secured / @RolesAllowed sits above it.
+    const methodRe = /(@(?:Post|Put|Patch|Delete)Mapping\b[^\n]*\n(?:[^\n]*\n){0,4})((?:[^{}]|\{[^{}]*\})*?)public\s+\w[\w<>,\s\[\]?]*\s+(\w+)\s*\(/g;
+    let mm;
+    while ((mm = methodRe.exec(raw))) {
+      const block = mm[0];
+      const methodName = mm[3];
+      const lineIdx = _line(raw, mm.index);
+      // Search 6 lines upward for an authz annotation
+      const above = raw.slice(Math.max(0, mm.index - 400), mm.index);
+      if (_AUTHZ_ANN_RE.test(above)) continue;
+      // Skip GET-style "list" methods that might legitimately be public.
+      // (We only matched mutating verbs anyway, so this is just for safety.)
+      findings.push({
+        id: `springboot:no-authz:${file}:${lineIdx}:${methodName}`,
+        file, line: lineIdx,
+        vuln: `Mutating endpoint ${methodName}() has no @PreAuthorize / @Secured / @RolesAllowed`,
+        severity: 'high',
+        family: 'springboot-missing-authz',
+        cwe: 'CWE-862',
+        confidence: 0.75,
+        description: 'A POST/PUT/PATCH/DELETE handler is exposed without any authorization annotation. Unless the entire URL prefix is gated by SecurityFilterChain (and explicitly), this endpoint is callable by anyone who reaches it.',
+        remediation: 'Add @PreAuthorize("hasRole(\'ADMIN\')") or @Secured("ROLE_ADMIN") above the method; or rely on a SecurityFilterChain rule and prove the path is covered.',
+      });
+      void block;
+    }
+  }
+
+  // 2. SecurityFilterChain with permitAll() on /admin/** or /api/**
+  for (const m of raw.matchAll(/\.requestMatchers\s*\(\s*['"]([^'"]*\/(?:admin|api|internal)\/[^'"]*)['"][^)]*\)[^)]*\.permitAll\s*\(\s*\)/g)) {
+    findings.push({
+      id: `springboot:permitAll-admin:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: `Spring Security permitAll() on a sensitive path: ${m[1]}`,
+      severity: 'critical',
+      family: 'springboot-permitall-sensitive',
+      cwe: 'CWE-862',
+      confidence: 0.9,
+      description: 'A path matcher that looks like an administrative or API surface is being permitAll-ed in the security filter chain. Anyone reaching it bypasses auth entirely.',
+      remediation: 'Replace .permitAll() with .hasRole(\'ADMIN\') (or whatever role applies). If the path is genuinely public, narrow the matcher so it cannot match real admin URLs.',
+    });
+  }
+
+  // 3. @CrossOrigin(origins = "*")
+  for (const m of raw.matchAll(/@CrossOrigin\s*\(\s*[^)]*origins\s*=\s*['"]?\*['"]?[^)]*\)/g)) {
+    findings.push({
+      id: `springboot:cors-wildcard:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: '@CrossOrigin(origins = "*") allows any origin',
+      severity: 'high',
+      family: 'springboot-cors-wildcard',
+      cwe: 'CWE-942',
+      confidence: 0.9,
+      description: 'Wildcard CORS combined with credentialed requests means any origin can read authenticated responses. Even without credentials, it broadens the API\'s exposure to scraping and abuse.',
+      remediation: 'Replace with origins = {"https://app.example.com"}. If credentials are involved, the wildcard is rejected by browsers anyway, so be explicit.',
+    });
+  }
+
+  // 4. Missing @EnableMethodSecurity in @Configuration class that uses @PreAuthorize elsewhere
+  if (/@Configuration\b/.test(raw) && _AUTHZ_ANN_RE.test(raw) &&
+      !/@EnableMethodSecurity|@EnableGlobalMethodSecurity/.test(raw)) {
+    const m = /@Configuration\b/.exec(raw);
+    findings.push({
+      id: `springboot:method-security-disabled:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'Spring @Configuration uses @PreAuthorize but @EnableMethodSecurity is not declared',
+      severity: 'high',
+      family: 'springboot-method-security-disabled',
+      cwe: 'CWE-862',
+      confidence: 0.6,
+      description: 'Method-level authorization annotations (@PreAuthorize / @Secured / @RolesAllowed) are NO-OPS unless @EnableMethodSecurity (Spring Security 6+) or @EnableGlobalMethodSecurity (older) is on a @Configuration class.',
+      remediation: 'Add @EnableMethodSecurity (Spring Security 6+) on a @Configuration class.',
+    });
+  }
+
+  // 5. JWT decode without verify — JWT.decode(token) instead of JWT.require(...).build().verify(token)
+  for (const m of raw.matchAll(/\bJWT\s*\.\s*decode\s*\(/g)) {
+    findings.push({
+      id: `springboot:jwt-decode-only:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'JWT.decode() used — does NOT verify the signature',
+      severity: 'critical',
+      family: 'springboot-jwt-no-verify',
+      cwe: 'CWE-347',
+      confidence: 0.85,
+      description: 'JWT.decode() returns the decoded claims without verifying the signature. An attacker can craft a token with any claims they want — including elevated roles — and it will be accepted.',
+      remediation: 'Use JWT.require(Algorithm.HMAC256(secret)).build().verify(token), or Spring Security\'s JwtDecoder / JwtAuthenticationToken.',
+    });
+  }
+
+  return findings;
+}

package/src/sast/ssrf-cloud-metadata.js

@@ -0,0 +1,80 @@
+import { blankComments } from './_comment-strip.js';
+// SSRF cloud-metadata awareness.
+//
+// Two layers:
+//   1. Hardcoded fetches of cloud metadata endpoints (likely intentional, but
+//      flag for review — these endpoints leak instance credentials).
+//   2. User-controlled URL into an HTTP client with no allow-list — separately
+//      flagged by the general SSRF rule. This module adds a +severity bump
+//      and a specific remediation note when the codebase shows no evidence of
+//      blocking 169.254.169.254 / fd00:ec2:: / metadata.google.internal /
+//      Azure IMDS in any allow-list / proxy / fetch wrapper.
+
+const METADATA_LITERALS = [
+  /169\.254\.169\.254/,           // AWS, Azure
+  /fd00:ec2::254/i,               // AWS IPv6
+  /metadata\.google\.internal/i,  // GCP
+  /metadata\.azure\.com/i,        // Azure
+];
+
+const SSRF_CLIENT_RE = /\b(?:fetch|axios\.\w+|requests\.\w+|http\.get|http\.request|urllib\.request\.urlopen|new\s+URL\s*\(|HttpClient\.\w+)\s*\(\s*[^)]*?(req|request|ctx\.request|input|userInput|url)\s*\.\s*(?:body|query|params|url|host)/g;
+
+const METADATA_GUARD_RE = /(?:169\.254\.169\.254|169\.254\.|metadata\.google\.internal|metadata\.azure\.com|fd00:ec2|metadata\.aws\.amazon)/i;
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanSSRFCloudMetadata(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  const code = blankComments(raw);
+
+  const findings = [];
+  const seen = new Set();
+  const push = (f) => { if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); } };
+
+  // 1. Hardcoded reference to a metadata endpoint.
+  for (const re of METADATA_LITERALS) {
+    const r = new RegExp(re.source, (re.flags || '') + 'g');
+    let m;
+    while ((m = r.exec(code))) {
+      const line = lineOf(raw, m.index);
+      push({
+        id: `ssrf-meta-hardcoded:${fp}:${line}`,
+        file: fp, line,
+        vuln: 'SSRF: explicit reference to cloud instance-metadata endpoint',
+        severity: 'medium',
+        cwe: 'CWE-918',
+        stride: 'Information Disclosure',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: 'Cloud metadata endpoints (169.254.169.254 for AWS/Azure, metadata.google.internal for GCP) expose instance credentials and tokens. Calls *to* these endpoints are sometimes legitimate (the workload retrieving its own creds), but exposure *via* user-controlled requests is a primary cloud-takeover path. If this call is intentional, gate it behind a startup-only path. If not, drop it.',
+        parser: 'SSRF-METADATA',
+        confidence: 0.70,
+      });
+    }
+  }
+
+  // 2. User-controlled URL into an HTTP client, with no metadata guard nearby.
+  const fileHasMetadataGuard = METADATA_GUARD_RE.test(code);
+  const r = new RegExp(SSRF_CLIENT_RE.source, SSRF_CLIENT_RE.flags);
+  let m;
+  while ((m = r.exec(code))) {
+    const line = lineOf(raw, m.index);
+    // Skip if a guard appears in ±10 lines.
+    const lines = raw.split('\n');
+    const window = lines.slice(Math.max(0, line - 11), line + 10).join(' ');
+    if (METADATA_GUARD_RE.test(window) || fileHasMetadataGuard) continue;
+    push({
+      id: `ssrf-meta-usercontrolled:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'SSRF (metadata-aware): user-controlled URL into HTTP client without metadata allow-deny',
+      severity: 'high',
+      cwe: 'CWE-918',
+      stride: 'Information Disclosure',
+      snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+      remediation: 'Reject hostnames that resolve into RFC1918 ranges (`10.0.0.0/8`, `172.16.0.0/12`, `192.168.0.0/16`), loopback (`127.0.0.1`, `::1`), link-local (`169.254.0.0/16`), and cloud-metadata DNS names (`metadata.google.internal`, `metadata.azure.com`). Resolve DNS yourself and re-check after the resolution — DNS rebinding will swap a public IP for `169.254.169.254` between resolution and connect. Use a vetted SSRF guard like `ssrf-req-filter` or a per-call HTTP proxy that enforces the allow-list.',
+      parser: 'SSRF-METADATA',
+      confidence: 0.75,
+    });
+  }
+
+  return findings;
+}

package/src/sast/ssti.js

@@ -0,0 +1,116 @@
+// Server-Side Template Injection (CWE-94 / OWASP A03).
+//
+// Pattern: user-controlled string fed to a template-engine compile or
+// from_string. The attacker controls the template body, so they can
+// invoke the language's expression-evaluation surface (often equivalent
+// to code execution via Jinja2's `__class__.__bases__` / Handlebars's
+// helpers / EJS's `<% %>`).
+//
+// We catch the high-confidence shapes — when the template body is built
+// from a user-derived source (req.body, request.args, params.<x>, …) or
+// the body has obvious concatenation/interpolation. We do NOT flag the
+// pattern with a constant string body — that's the secure form.
+//
+// Engines covered (v1):
+//   - Jinja2 (Python):       Environment.from_string(x), Template(x)
+//   - Handlebars (JS):       Handlebars.compile(x)
+//   - EJS (JS):              ejs.compile(x), ejs.render(x)
+//   - Mustache (JS):         Mustache.render(x, …)  when x is non-literal
+//   - Twig (PHP):            $twig->createTemplate($x)
+//   - Pug (JS, no AST):      pug.compile(x)
+//   - Velocity (Java):       Velocity.evaluate(ctx, w, log, x) when x is non-literal
+//
+// Severity: critical (template-injection → RCE in most engines).
+
+import { blankComments } from './_comment-strip.js';
+
+const TAINT_HINT_RE =
+  /\b(?:req\.|request\.|params\.|query\.|body\.|ctx\.query|ctx\.request|c\.Query|r\.URL\.Query|_GET|_POST|_REQUEST|process\.argv|getenv|environ)\b|`[^`]*\$\{|"[^"]*"\s*\+\s*\w|'[^']*'\s*\+\s*\w|\bf['"]/;
+
+// PATTERNS: [lang, regex, engine]. Each captures the call's first arg
+// region in group 1 so we can test for taint hints.
+const PATTERNS = [
+  // Jinja2 from_string — most common SSTI shape. Accept any `<ident>.from_string`
+  // because the Environment is often stored in a local (e.g. `env = Environment()`).
+  ['py',  /\b(?:[A-Za-z_][\w]*|\w+\([^)]*\))\s*\.\s*from_string\s*\(\s*([^)]*?)\s*\)/g, 'Jinja2'],
+  // Plain `Template(x)` import — risky enough to flag with a taint hint.
+  ['py',  /\bTemplate\s*\(\s*((?:request|params|body|query|f["']|[a-z_][\w]*\s*\+)[^)]*)\)/g, 'Jinja2/Template'],
+  // Handlebars.compile (Node).
+  ['js',  /\bHandlebars\s*\.\s*compile\s*\(\s*([^)]*?)\s*\)/g, 'Handlebars'],
+  // EJS compile/render.
+  ['js',  /\bejs\s*\.\s*(?:compile|render)\s*\(\s*([^)]*?)\s*\)/g, 'EJS'],
+  // Mustache render — only when first arg is dynamic.
+  ['js',  /\bMustache\s*\.\s*render\s*\(\s*((?:req\.|request\.|params\.|query\.|body\.|ctx\.|`[^`]*\$\{)[^,)]*)/g, 'Mustache'],
+  // Pug compile.
+  ['js',  /\bpug\s*\.\s*compile\s*\(\s*([^)]*?)\s*\)/g, 'Pug'],
+  // Twig dynamic template.
+  ['php', /->\s*createTemplate\s*\(\s*([^)]*?)\s*\)/g, 'Twig'],
+  // Velocity dynamic template evaluation.
+  ['java', /\bVelocity\s*\.\s*evaluate\s*\([^,]+,[^,]+,[^,]+,\s*([^)]+)\s*\)/g, 'Velocity'],
+];
+
+function _lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+function _lang(fp) {
+  if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) return 'js';
+  if (/\.py$/i.test(fp)) return 'py';
+  if (/\.php$/i.test(fp)) return 'php';
+  if (/\.java$/i.test(fp)) return 'java';
+  return null;
+}
+
+export function scanSSTI(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  const lang = _lang(fp);
+  if (!lang) return [];
+  const code = blankComments(raw, lang === 'py' ? 'py' : undefined);
+  // Cheap pre-filter so we don't pay regex cost on files that don't
+  // mention any template engine.
+  if (!/\b(?:Jinja|jinja|Template|Handlebars|ejs|Mustache|pug|Twig|Velocity|createTemplate|from_string)\b/.test(code)) return [];
+  const findings = [];
+  const seen = new Set();
+  const rawLines = raw.split('\n');
+  for (const [plang, pat, engine] of PATTERNS) {
+    if (plang !== lang) continue;
+    const re = new RegExp(pat.source, pat.flags);
+    let m;
+    while ((m = re.exec(code))) {
+      const firstArg = (m[1] || '').trim();
+      const literalConst = /^\s*(['"`])(?:[^'"`\\]|\\.)*\1\s*$/.test(firstArg);
+      if (literalConst) continue;        // const template body is safe
+      const line = _lineOf(raw, m.index);
+      // Direct taint hint inline? Or a hint in the preceding 10 lines that
+      // assigns to the same identifier name we're about to feed the engine?
+      let tainted = TAINT_HINT_RE.test(firstArg);
+      if (!tainted && /^[a-z_][\w]*$/i.test(firstArg)) {
+        const lo = Math.max(0, line - 11);
+        const before = rawLines.slice(lo, line - 1).join('\n');
+        const assignRe = new RegExp(`\\b${firstArg}\\s*=\\s*[^;\\n]*(?:${TAINT_HINT_RE.source})`);
+        if (assignRe.test(before)) tainted = true;
+      }
+      if (!tainted) continue;
+      const id = `ssti:${fp}:${line}:${engine}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      findings.push({
+        id,
+        file: fp, line,
+        vuln: `Server-Side Template Injection (${engine})`,
+        severity: 'critical',
+        cwe: 'CWE-94',
+        family: 'ssti',
+        stride: 'Elevation of Privilege',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation:
+          'Never compile a template from user input. Pre-register templates and pass user values as variables. ' +
+          'Jinja2: load templates with `jinja2.FileSystemLoader` + `env.get_template("name.html")`, then `.render(name=user_value)`. ' +
+          'Handlebars: pre-compile the template; pass user values via the context object. ' +
+          'EJS: same — `ejs.render(template_string_from_disk, { name: user_value })`. ' +
+          'Mustache: never pass user input as the template body argument.',
+        parser: 'SSTI',
+        confidence: 0.85,
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/swift.js

@@ -0,0 +1,162 @@
+// Swift / iOS application security audit.
+//
+// Covers the canonical Swift/iOS bugs from the rules/swift/security.md
+// guidance:
+//   1. UserDefaults used for secret storage (should be Keychain)
+//   2. App Transport Security (ATS) disabled — looking for the code-side
+//      `URLSession` patterns; the Info.plist bypass is caught by
+//      mobile-manifest.js.
+//   3. Force-unwrap on URL(string:) / URL.init(string:) → crash + bypass
+//   4. WKWebView with JavaScript enabled and no navigation delegate
+//   5. Deep-link handling without scheme / host / path allow-list
+//   6. Cleartext HTTP in URLRequest URL string
+//   7. Hardcoded API key / token literal
+
+const _SWIFT_RE = /\.swift$/i;
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+const _CRED_RE = [
+  { re: /\bsk-ant-[A-Za-z0-9_-]{20,}\b/, label: 'Anthropic API key' },
+  { re: /\bsk-[A-Za-z0-9]{32,}\b/, label: 'OpenAI-style key' },
+  { re: /\bghp_[A-Za-z0-9]{36}\b/, label: 'GitHub PAT' },
+  { re: /\bAKIA[0-9A-Z]{16}\b/, label: 'AWS access key' },
+  { re: /\bxox[abprs]-[A-Za-z0-9-]{10,}\b/, label: 'Slack token' },
+];
+
+export function scanSwift(file, raw) {
+  if (!file || !raw || typeof raw !== 'string') return [];
+  if (!_SWIFT_RE.test(file)) return [];
+  if (raw.length > 200_000) return [];
+
+  const findings = [];
+
+  // 1. UserDefaults for secrets — the variable name on the LHS is the clue.
+  const udSecretRe = /\bUserDefaults(?:\.standard)?\.(?:set|setValue|setObject)\s*\([^)]*?\b(?:[tT]oken|[pP]assword|[aA]pi[kK]ey|apiKey|api_key|jwt|bearer|secret|credential|session[kK]ey)\b/g;
+  for (const m of raw.matchAll(udSecretRe)) {
+    findings.push({
+      id: `swift:userdefaults-secret:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'UserDefaults used to store a secret (token / password / key)',
+      severity: 'high',
+      family: 'swift-insecure-storage',
+      cwe: 'CWE-922',
+      confidence: 0.8,
+      description: 'UserDefaults stores values in plist files in the app sandbox; they\'re trivially extracted by anyone with the device or a backup. Keychain Services is the correct vault on iOS — encrypted-at-rest with hardware-backed access control on modern devices.',
+      remediation: 'Use Keychain Services (Security.framework) — e.g., KeychainAccess library or the SecItemAdd/SecItemCopyMatching APIs directly. Set kSecAttrAccessible to kSecAttrAccessibleWhenUnlockedThisDeviceOnly for tokens.',
+      snippet: m[0].slice(0, 80),
+    });
+  }
+
+  // 2. URL force-unwrap — URL(string: ...)! pattern
+  for (const m of raw.matchAll(/\bURL\s*\(\s*string\s*:\s*[^)]+\)\s*!/g)) {
+    findings.push({
+      id: `swift:url-force-unwrap:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'URL force-unwrap (URL(string:)! ) — crash or attacker-controlled URL',
+      severity: 'medium',
+      family: 'swift-force-unwrap',
+      cwe: 'CWE-755',
+      confidence: 0.75,
+      description: 'Force-unwrapping URL(string:) crashes the app on a malformed URL. If the input comes from a deep link, the attacker can either crash the app or — paired with downstream logic — supply a URL the developer assumed would be validated.',
+      remediation: 'Use guard let url = URL(string: input), url.scheme == "https" else { return } with explicit scheme/host validation.',
+      snippet: m[0],
+    });
+  }
+
+  // 3. WKWebView with JS enabled, no navigationDelegate visible
+  if (/\bWKWebView\b/.test(raw) || /\bWKWebViewConfiguration\b/.test(raw)) {
+    // Detect explicit `configuration.preferences.javaScriptEnabled = true` or
+    // `defaultWebpagePreferences.allowsContentJavaScript = true` without
+    // a corresponding navigationDelegate assignment in the file.
+    const jsEnabledRe = /\b(?:javaScriptEnabled\s*=\s*true|allowsContentJavaScript\s*=\s*true)\b/;
+    const hasNavDelegate = /\b(?:webView\.navigationDelegate\s*=|navigationDelegate\s*:\s*)/.test(raw);
+    if (jsEnabledRe.test(raw) && !hasNavDelegate) {
+      const m = jsEnabledRe.exec(raw);
+      findings.push({
+        id: `swift:webview-js-no-delegate:${file}:${_line(raw, m.index)}`,
+        file, line: _line(raw, m.index),
+        vuln: 'WKWebView with JavaScript enabled and no navigationDelegate to validate URLs',
+        severity: 'high',
+        family: 'swift-webview-unsafe',
+        cwe: 'CWE-829',
+        confidence: 0.7,
+        description: 'WKWebView with JS enabled and no navigationDelegate accepts navigation to any URL. Deep-link or message-passing attacks can pivot the WebView to attacker pages and execute JS that bridges back to native via WKScriptMessageHandler.',
+        remediation: 'Assign a navigationDelegate that vets webView(_:decidePolicyFor:decisionHandler:); allow-list the host and reject everything else with .cancel.',
+      });
+    }
+  }
+
+  // 4. Deep-link / universal-link handler without allow-list
+  // Look for application(_:open:options:) or scene(_:openURLContexts:) that doesn't validate
+  for (const m of raw.matchAll(/func\s+(?:application\s*\([^)]*open[^)]*\)|scene\s*\([^)]*openURLContexts[^)]*\))[^{]*\{([\s\S]{0,800}?)(?=\n\s*func\s|\}\n)/g)) {
+    const body = m[1];
+    if (!body) continue;
+    // Skip if body validates host/scheme/path against allow-list constants.
+    if (/\b(?:host\s*==|scheme\s*==|allowedHosts|allowedSchemes|allowedPaths)\b/.test(body)) continue;
+    findings.push({
+      id: `swift:deeplink-no-validate:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'Deep-link / universal-link handler does not validate URL scheme / host / path',
+      severity: 'high',
+      family: 'swift-deeplink-unsafe',
+      cwe: 'CWE-20',
+      confidence: 0.65,
+      description: 'An openURL handler accepts the incoming URL without checking scheme / host / path against an allow-list. Attackers can route the app to internal screens, trigger sensitive flows, or chain into XSS via WebView.',
+      remediation: 'Add guard let host = url.host, allowedHosts.contains(host), let path = ..., allowedPaths.contains(path) else { return false } at the top of the handler.',
+    });
+  }
+
+  // 5. Cleartext HTTP URL literal
+  for (const m of raw.matchAll(/\bURL\s*\(\s*string\s*:\s*['"]http:\/\/(?!localhost|127\.0\.0\.1)[^'"]+['"]/g)) {
+    findings.push({
+      id: `swift:cleartext-http:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'Cleartext HTTP URL literal in Swift source',
+      severity: 'medium',
+      family: 'swift-cleartext-http',
+      cwe: 'CWE-319',
+      confidence: 0.85,
+      description: 'A hard-coded http:// URL ships cleartext on the wire. Even if ATS is enabled, this is an explicit bypass.',
+      remediation: 'Use https://. If the endpoint genuinely lacks TLS, set up your own TLS-terminating proxy.',
+      snippet: m[0].slice(0, 80),
+    });
+  }
+
+  // 6. Hardcoded API keys
+  for (const { re, label } of _CRED_RE) {
+    const m = re.exec(raw);
+    if (!m) continue;
+    findings.push({
+      id: `swift:hardcoded-${label.toLowerCase().replace(/\s+/g, '-')}:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: `Hardcoded ${label} in Swift source`,
+      severity: 'critical',
+      family: 'swift-hardcoded-credential',
+      cwe: 'CWE-798',
+      confidence: 0.95,
+      description: 'Decompiling a Swift binary is trivial — `strings`, `class-dump`, Ghidra all extract literal credentials in seconds. Hardcoded keys in mobile apps are routinely scraped at scale.',
+      remediation: 'Read from ProcessInfo.processInfo.environment["API_KEY"] (with .xcconfig for build-time config). For runtime secrets, fetch from a backend service authenticated by the user\'s session.',
+      snippet: m[0].slice(0, 8) + '...' + m[0].slice(-4),
+    });
+  }
+
+  // 7. NSAllowsArbitraryLoads = true in code (Info.plist is handled in mobile-manifest)
+  for (const m of raw.matchAll(/NSAllowsArbitraryLoads\s*[:=]\s*true\b/g)) {
+    findings.push({
+      id: `swift:ats-bypass-code:${file}:${_line(raw, m.index)}`,
+      file, line: _line(raw, m.index),
+      vuln: 'NSAllowsArbitraryLoads = true — App Transport Security bypassed in code',
+      severity: 'high',
+      family: 'swift-ats-disabled',
+      cwe: 'CWE-319',
+      confidence: 0.95,
+      description: 'NSAllowsArbitraryLoads=true disables ATS, allowing the app to make plaintext HTTP calls to arbitrary hosts.',
+      remediation: 'Remove the bypass. If a specific domain needs HTTP, scope it via NSExceptionDomains in Info.plist; never use NSAllowsArbitraryLoads globally.',
+    });
+  }
+
+  return findings;
+}

package/src/sast/toctou.js

@@ -0,0 +1,95 @@
+import { blankComments } from './_comment-strip.js';
+// TOCTOU — time-of-check / time-of-use races.
+//
+// Two dominant shapes:
+//   1. Filesystem race:  fs.access(p) → fs.open(p)
+//                        os.access(p) → open(p)
+//                        os.path.exists(p) → open(p)
+//      The classic CWE-367. Whatever the check learned about `p` may not hold
+//      by the time the use happens; an attacker who can swap symlinks wins.
+//
+//   2. Auth race:        if (!user.isAdmin) return; doSensitiveThing(user)
+//                        if user.role != 'admin': return; do_sensitive(user)
+//      Less concrete — these are gated on the check happening *first* — but
+//      when the check value can be mutated by a concurrent request, we flag
+//      it. Heuristic: between the guard and the use, the code awaits
+//      something. The await is the race window.
+
+const FS_CHECK_THEN_OPEN_JS = /\bfs\s*\.\s*(?:access|exists|stat|statSync|existsSync)\s*\(\s*([^,)]+?)\s*[,)][^]*?\bfs\s*\.\s*(?:open|openSync|readFile|readFileSync|writeFile|writeFileSync|createReadStream|createWriteStream)\s*\(\s*\1/g;
+
+const FS_CHECK_THEN_OPEN_PY = /\b(?:os\.access|os\.path\.exists|os\.path\.isfile|os\.stat)\s*\(\s*([^,)]+?)\s*\)[^]*?\b(?:open|os\.open|shutil\.copy|shutil\.move)\s*\(\s*\1/g;
+
+const AUTH_CHECK_AWAIT_USE_JS = /\bif\s*\(\s*!?\s*\w+\s*(?:\.|->)\s*(?:isAdmin|isOwner|hasRole|role)\b[^)]*\)\s*[^]*?\bawait\b[^]*?\b(?:save|update|create|destroy|delete|withdraw|transfer|approve|grant)\s*\(/g;
+
+function lineOf(raw, idx) { return raw.substring(0, idx).split('\n').length; }
+
+export function scanTOCTOU(fp, raw) {
+  if (!raw || raw.length > 500_000) return [];
+  const findings = [];
+  const seen = new Set();
+  const push = (f) => { if (!seen.has(f.id)) { seen.add(f.id); findings.push(f); } };
+
+  if (/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) {
+    const code = blankComments(raw);
+    let m;
+    const r = new RegExp(FS_CHECK_THEN_OPEN_JS.source, FS_CHECK_THEN_OPEN_JS.flags);
+    while ((m = r.exec(code))) {
+      const line = lineOf(raw, m.index);
+      push({
+        id: `toctou-fs:${fp}:${line}`,
+        file: fp, line,
+        vuln: 'TOCTOU: file existence/permission check before open',
+        severity: 'medium',
+        cwe: 'CWE-367',
+        stride: 'Tampering',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: 'Drop the existence/permission check and rely on `open()` to fail atomically — handle the resulting error. The check-then-open pattern is a TOCTOU race: an attacker who can swap symlinks between the check and the open wins. If you need a permission test, do it on the `open()` result\'s `fstat`, not on the path before opening.',
+        parser: 'TOCTOU',
+        confidence: 0.70,
+      });
+    }
+    const ar = new RegExp(AUTH_CHECK_AWAIT_USE_JS.source, AUTH_CHECK_AWAIT_USE_JS.flags);
+    while ((m = ar.exec(code))) {
+      const block = m[0];
+      // Heuristic: only flag if the guard variable is potentially re-read after await.
+      // Approximation: guard uses `await` *between* check and side effect.
+      if (!/await/.test(block)) continue;
+      const line = lineOf(raw, m.index);
+      push({
+        id: `toctou-auth:${fp}:${line}`,
+        file: fp, line,
+        vuln: 'TOCTOU: auth check then await then sensitive action',
+        severity: 'medium',
+        cwe: 'CWE-367',
+        stride: 'Elevation of Privilege',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: 'Re-fetch and re-check the authorization right before the sensitive action, ideally inside the same transaction. If the user\'s role can be revoked or downgraded mid-request, the check at the top of the handler is not load-bearing. Pattern: `BEGIN TX → SELECT FOR UPDATE → check role → side effect → COMMIT`.',
+        parser: 'TOCTOU',
+        confidence: 0.55,
+      });
+    }
+  }
+
+  if (/\.py$/i.test(fp)) {
+    const code = blankComments(raw, 'py');
+    let m;
+    const r = new RegExp(FS_CHECK_THEN_OPEN_PY.source, FS_CHECK_THEN_OPEN_PY.flags);
+    while ((m = r.exec(code))) {
+      const line = lineOf(raw, m.index);
+      push({
+        id: `toctou-fs:${fp}:${line}`,
+        file: fp, line,
+        vuln: 'TOCTOU: file existence/permission check before open',
+        severity: 'medium',
+        cwe: 'CWE-367',
+        stride: 'Tampering',
+        snippet: (raw.split('\n')[line - 1] || '').trim().slice(0, 200),
+        remediation: 'Use `try: open(...) except OSError` instead of the `if os.path.exists(...)` pre-check. The pre-check creates a TOCTOU window an attacker who can swap symlinks can exploit. For permission tests, use `os.open(path, os.O_RDONLY | os.O_NOFOLLOW)` then `os.fstat()`.',
+        parser: 'TOCTOU',
+        confidence: 0.70,
+      });
+    }
+  }
+
+  return findings;
+}