@clear-capabilities/agentic-security-scanner 0.76.1 → 0.78.0

package/src/sast/.agentic-security/scan-history.json

@@ -1,386 +1,6 @@
 [
   {
-    "timestamp": "2026-05-19T14:14:43.272Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:15:45.304Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:16:41.598Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:17:46.030Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:18:37.970Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:19:36.932Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:20:31.950Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:21:03.047Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:21:45.837Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:24:44.477Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:24:50.750Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T14:53:08.606Z",
-    "label": "scan",
-    "total": 10,
-    "critical": 0,
-    "high": 9,
-    "medium": 1,
-    "low": 0,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-19T21:18:42.442Z",
-    "label": "scan",
-    "total": 17,
-    "critical": 0,
-    "high": 0,
-    "medium": 2,
-    "low": 15,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "spec-drift:rate-limit-impl:rate-limit.js:34",
-      "spec-drift:rate-limit-impl:rate-limit.js:77",
-      "ssrf-meta-hardcoded:go-extended.js:39",
-      "ssrf-meta-hardcoded:python-sinks.js:186",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T12:47:36.689Z",
-    "label": "scan",
-    "total": 17,
-    "critical": 0,
-    "high": 0,
-    "medium": 2,
-    "low": 15,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "spec-drift:rate-limit-impl:rate-limit.js:34",
-      "spec-drift:rate-limit-impl:rate-limit.js:77",
-      "ssrf-meta-hardcoded:go-extended.js:39",
-      "ssrf-meta-hardcoded:python-sinks.js:186",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T12:48:13.459Z",
-    "label": "scan",
-    "total": 17,
-    "critical": 0,
-    "high": 0,
-    "medium": 2,
-    "low": 15,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "spec-drift:rate-limit-impl:rate-limit.js:34",
-      "spec-drift:rate-limit-impl:rate-limit.js:77",
-      "ssrf-meta-hardcoded:go-extended.js:39",
-      "ssrf-meta-hardcoded:python-sinks.js:186",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T12:49:02.792Z",
-    "label": "scan",
-    "total": 17,
-    "critical": 0,
-    "high": 0,
-    "medium": 2,
-    "low": 15,
-    "kev": 0,
-    "ids": [
-      "authz:authz.js:33:AuthZ__jwt_verify_called_without_algorithms_allow_list",
-      "client-side:CLIENT_EVAL:client-side.js:135",
-      "client-side:CLIENT_EVAL:client-side.js:139",
-      "client-side:CLIENT_EVAL:client-side.js:140",
-      "llm-owasp:llm-owasp.js:180:llm01-dynamic-system:concat",
-      "llm-owasp:llm-owasp.js:181:llm01-dynamic-system:fstring",
-      "llm-owasp:llm-owasp.js:182:llm01-dynamic-system:template",
-      "llm-owasp:llm-owasp.js:183:llm10-no-token-budget",
-      "prompt-tpl:llm-owasp.js:125:Prompt_Template__user_input_interpolated_into_prompt_string_",
-      "spec-drift:rate-limit-impl:rate-limit.js:34",
-      "spec-drift:rate-limit-impl:rate-limit.js:77",
-      "ssrf-meta-hardcoded:go-extended.js:39",
-      "ssrf-meta-hardcoded:python-sinks.js:186",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:15",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:48",
-      "ssrf-meta-hardcoded:ssrf-cloud-metadata.js:73",
-      "zip-slip:zip-slip.js:192:node-entry"
-    ]
-  },
-  {
-    "timestamp": "2026-05-20T12:49:42.738Z",
+    "timestamp": "2026-05-26T16:30:07.351Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -409,7 +29,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T12:51:21.872Z",
+    "timestamp": "2026-05-26T16:34:28.797Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -438,7 +58,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T12:51:36.006Z",
+    "timestamp": "2026-05-27T01:10:20.082Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -467,7 +87,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T12:52:34.978Z",
+    "timestamp": "2026-05-27T03:05:16.971Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -496,7 +116,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T12:52:49.358Z",
+    "timestamp": "2026-05-27T03:18:22.550Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -525,7 +145,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T12:54:08.915Z",
+    "timestamp": "2026-05-27T09:09:50.637Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -554,7 +174,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T15:30:14.990Z",
+    "timestamp": "2026-05-27T09:10:10.121Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -583,7 +203,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T15:30:55.692Z",
+    "timestamp": "2026-05-27T09:12:25.348Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -612,7 +232,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T15:31:40.849Z",
+    "timestamp": "2026-05-27T09:17:13.165Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -641,7 +261,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T15:33:07.999Z",
+    "timestamp": "2026-05-27T09:21:04.965Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -670,7 +290,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T17:05:28.913Z",
+    "timestamp": "2026-05-27T09:21:46.189Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -699,7 +319,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T17:06:53.366Z",
+    "timestamp": "2026-05-27T09:24:34.687Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -728,7 +348,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T17:07:18.341Z",
+    "timestamp": "2026-05-27T09:43:08.807Z",
     "label": "scan",
     "total": 17,
     "critical": 0,
@@ -757,7 +377,7 @@
     ]
   },
   {
-    "timestamp": "2026-05-20T17:07:59.605Z",
+    "timestamp": "2026-05-27T09:43:30.205Z",
     "label": "scan",
     "total": 17,
     "critical": 0,

package/src/sast/.agentic-security/streak.json

@@ -1,23 +1,20 @@
 {
-  "firstScanDate": "2026-05-13T13:02:38.907Z",
-  "lastScanDate": "2026-05-20T17:07:59.655Z",
-  "totalScans": 203,
-  "daysCleanCritical": 4,
-  "lastCleanDate": "2026-05-20",
+  "firstScanDate": "2026-05-26T16:30:07.386Z",
+  "lastScanDate": "2026-05-27T09:43:30.233Z",
+  "totalScans": 14,
+  "daysCleanCritical": 2,
+  "lastCleanDate": "2026-05-27",
   "lastCriticalDate": null,
   "hasEverHadCritical": false,
-  "bestDaysCleanCritical": 4,
-  "totalFindingsAtFirstScan": 11,
-  "totalFindingsAtLastScan": 27,
-  "totalFixesInferred": 1,
+  "bestDaysCleanCritical": 2,
+  "totalFindingsAtFirstScan": 27,
+  "totalFindingsAtLastScan": 28,
+  "totalFixesInferred": 0,
   "lastGrade": "A-",
   "bestGrade": "A-",
   "launchCheckPassedAt": null,
   "achievements": [
-    "first-fix",
-    "first-scan",
-    "scan-veteran-100",
-    "scan-veteran-25"
+    "first-scan"
   ],
   "previousGrade": "A-"
 }

package/src/sast/cache-poisoning.js

@@ -0,0 +1,77 @@
+// Cache poisoning via tainted response headers.
+//
+// Detects reflected request headers in responses that CDNs/proxies key on.
+// X-Forwarded-Host, X-Forwarded-Proto, X-Original-URL reflected into
+// response headers or HTML body enables web cache poisoning attacks.
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+const CACHE_KEY_HEADERS = /x-forwarded-host|x-forwarded-proto|x-original-url|x-rewrite-url|x-forwarded-for|x-host/i;
+const TAINT_SOURCES = /req\.headers|request\.headers|request\.META|getHeader|get_header|\$_SERVER/;
+
+export function scanCachePoisoning(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+  if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|go|rb|php|phtml)$/i.test(fp)) return [];
+
+  const findings = [];
+
+  // Pattern 1: Reflected cache-key header in response
+  // res.setHeader('X-Forwarded-Host', req.headers['x-forwarded-host'])
+  const headerReflectRe = /(?:setHeader|set|header|add_header|Header\.Set|Header\.Add)\s*\(\s*['"]([^'"]+)['"]\s*,\s*[^)]*(?:req\.headers|request\.headers|request\.META|\$_SERVER)/g;
+  for (const m of raw.matchAll(headerReflectRe)) {
+    const headerName = m[1];
+    if (!CACHE_KEY_HEADERS.test(headerName)) continue;
+    const line = _line(raw, m.index);
+    findings.push({
+      id: `cache-poison-reflect:${fp}:${line}`,
+      file: fp, line,
+      vuln: `Cache Poisoning — ${headerName} reflected from request to response`,
+      severity: 'high',
+      family: 'cache-poisoning',
+      cwe: 'CWE-349',
+      parser: 'CACHE-POISON',
+      confidence: 0.75,
+      description: `The ${headerName} request header is reflected in the response. If a CDN or reverse proxy caches this response, an attacker can poison the cache for all users by sending a crafted ${headerName} value.`,
+      remediation: `Don't reflect ${headerName} into the response. If you need the value for redirects, validate it against an allow-list of trusted hosts.`,
+    });
+  }
+
+  // Pattern 2: Cache-Control or Vary set from user input
+  const cacheControlTaintRe = /(?:Cache-Control|Vary)\s*['"]\s*,\s*[^)]*(?:req\.|request\.|params|query|body|\$_GET|\$_REQUEST)/g;
+  for (const m of raw.matchAll(cacheControlTaintRe)) {
+    const line = _line(raw, m.index);
+    findings.push({
+      id: `cache-poison-control:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Cache Poisoning — Cache-Control or Vary header set from user input',
+      severity: 'high',
+      family: 'cache-poisoning',
+      cwe: 'CWE-349',
+      parser: 'CACHE-POISON',
+      confidence: 0.65,
+      description: 'Cache-Control or Vary response header is derived from user input. An attacker can manipulate caching behavior to serve stale or poisoned content.',
+      remediation: 'Set Cache-Control and Vary headers from server-side constants, never from user input.',
+    });
+  }
+
+  // Pattern 3: Host header used in URL generation (redirect/link)
+  const hostRedirectRe = /(?:req\.headers\.host|request\.get_host|request\.host|request\.META\s*\[\s*['"]HTTP_HOST['"])\s*[^;\n]*(?:redirect|location|href|url|link)/gi;
+  for (const m of raw.matchAll(hostRedirectRe)) {
+    const line = _line(raw, m.index);
+    findings.push({
+      id: `cache-poison-host:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Cache Poisoning — Host header used in URL/redirect generation',
+      severity: 'medium',
+      family: 'cache-poisoning',
+      cwe: 'CWE-644',
+      parser: 'CACHE-POISON',
+      confidence: 0.60,
+      description: 'The Host request header is used to generate URLs or redirects. Combined with caching, an attacker can redirect all cached users to a malicious host.',
+      remediation: 'Use a server-configured base URL instead of the Host header. Validate Host against an allow-list.',
+    });
+  }
+
+  return findings;
+}

package/src/sast/comparison-safety.js

@@ -0,0 +1,73 @@
+// Timing-safe comparison and type-coercion safety detector.
+//
+// Flags:
+//   1. Direct === / == on HMAC/signature/token/OTP values (timing attack)
+//   2. Loose == in authorization checks (type coercion)
+//   3. Missing timingSafeEqual / hmac.compare_digest in verification functions
+
+const TIMING_SENSITIVE = /\b(hmac|signature|digest|hash|mac|checksum|token|otp|apiKey|api_key|secret_key|webhook_secret|signing_key)\b/i;
+const AUTH_CONTEXT = /\b(role|permission|isAdmin|is_admin|accessLevel|access_level|privilege|authorization|auth_level)\b/i;
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+export function scanComparisonSafety(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+  if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|go)$/i.test(fp)) return [];
+
+  const findings = [];
+
+  // 1. Timing-unsafe comparison: x === y where x or y is named like a secret
+  for (const m of raw.matchAll(/(\w+)\s*===?\s*(\w+)/g)) {
+    const left = m[1], right = m[2];
+    if (!TIMING_SENSITIVE.test(left) && !TIMING_SENSITIVE.test(right)) continue;
+    const line = _line(raw, m.index);
+    const lineStart = raw.lastIndexOf('\n', m.index) + 1;
+    const lineText = raw.slice(lineStart, raw.indexOf('\n', m.index));
+    // Skip if timingSafeEqual or compare_digest is nearby
+    const context = raw.slice(Math.max(0, m.index - 200), m.index + 200);
+    if (/timingSafeEqual|compare_digest|ConstantTimeCompare|constant_time_compare/i.test(context)) continue;
+    // Skip if inside a comment
+    if (/^\s*\/\/|^\s*#|^\s*\*/.test(lineText)) continue;
+    findings.push({
+      id: `timing-unsafe:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Timing-Unsafe Comparison — secret/HMAC compared with === instead of timingSafeEqual',
+      severity: 'medium',
+      family: 'timing-attack',
+      cwe: 'CWE-208',
+      parser: 'COMPARISON',
+      confidence: 0.70,
+      description: `String === comparison on "${TIMING_SENSITIVE.exec(left + ' ' + right)?.[1] || 'secret'}" leaks timing information. An attacker can measure response times to guess the value byte-by-byte.`,
+      remediation: 'Use crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b)) in Node.js, hmac.compare_digest(a, b) in Python, or subtle.ConstantTimeCompare(a, b) in Go.',
+      snippet: lineText.trim().slice(0, 100),
+    });
+  }
+
+  // 2. Loose equality == in auth context
+  for (const m of raw.matchAll(/(\w+)\s*==\s*(?!=)(\w+|['"][^'"]+['"])/g)) {
+    const left = m[1], right = m[2];
+    if (!AUTH_CONTEXT.test(left) && !AUTH_CONTEXT.test(right)) continue;
+    const line = _line(raw, m.index);
+    const lineStart = raw.lastIndexOf('\n', m.index) + 1;
+    const lineText = raw.slice(lineStart, raw.indexOf('\n', m.index));
+    if (/^\s*\/\/|^\s*#|^\s*\*/.test(lineText)) continue;
+    // Only flag JS/TS (Python and Go use == for equality, not coercion)
+    if (!/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) continue;
+    findings.push({
+      id: `loose-equality-auth:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Loose Equality in Auth Check — == allows type coercion bypass',
+      severity: 'high',
+      family: 'type-coercion',
+      cwe: 'CWE-697',
+      parser: 'COMPARISON',
+      confidence: 0.65,
+      description: `Loose equality (==) on "${AUTH_CONTEXT.exec(left + ' ' + right)?.[1] || 'auth field'}" allows type coercion. "1" == 1 is true; an attacker may bypass checks by sending a different type.`,
+      remediation: 'Use strict equality (===) for all authorization checks.',
+      snippet: lineText.trim().slice(0, 100),
+    });
+  }
+
+  return findings;
+}