@clear-capabilities/agentic-security-scanner 0.77.0 → 0.79.0

package/src/posture/state-dir.js

@@ -0,0 +1,124 @@
+// Project-root resolver for .agentic-security/ state.
+//
+// BUG HISTORY: Previously, state-writing code used the pattern
+//   `path.join(scanRoot || process.cwd(), '.agentic-security', ...)`
+// When `scanRoot` was null/undefined and the scanner was invoked from
+// a subdirectory (e.g., migrations/, config/), this created
+// `.agentic-security/` folders inside those subdirectories — breaking
+// the user's build (one report: DB migration system saw the folder as
+// a migration file). One user uninstalled the plugin entirely.
+//
+// FIX: All state writes go through this module. process.cwd() is NEVER
+// trusted directly. We walk upward from cwd looking for project markers
+// (.git, package.json, etc.) and write state there. A safety check
+// refuses to write if no marker is found.
+
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+
+const PROJECT_MARKERS = [
+  '.git',
+  'package.json',
+  'pyproject.toml',
+  'go.mod',
+  'Cargo.toml',
+  'pom.xml',
+  'build.gradle',
+  'composer.json',
+  'Gemfile',
+  '.agentic-security',
+];
+
+function _findProjectRoot(startDir) {
+  let dir = path.resolve(startDir);
+  const visited = new Set();
+  while (dir && !visited.has(dir)) {
+    visited.add(dir);
+    for (const m of PROJECT_MARKERS) {
+      try {
+        if (fs.existsSync(path.join(dir, m))) return dir;
+      } catch { /* ignore */ }
+    }
+    const parent = path.dirname(dir);
+    if (parent === dir) break;
+    dir = parent;
+  }
+  return null;
+}
+
+export function resolveProjectRoot(scanRoot) {
+  // Prefer caller-provided scanRoot when it points to an existing directory
+  if (scanRoot && typeof scanRoot === 'string') {
+    try {
+      const resolved = path.resolve(scanRoot);
+      if (fs.existsSync(resolved) && fs.statSync(resolved).isDirectory()) {
+        return resolved;
+      }
+    } catch { /* fall through */ }
+  }
+  // Walk upward from cwd looking for project markers
+  const fromCwd = _findProjectRoot(process.cwd());
+  if (fromCwd) return fromCwd;
+  // No project markers found — return cwd but caller should check via isSafeStateDir
+  return process.cwd();
+}
+
+export function stateDir(scanRoot) {
+  return path.join(resolveProjectRoot(scanRoot), '.agentic-security');
+}
+
+export function statePath(scanRoot, ...parts) {
+  return path.join(stateDir(scanRoot), ...parts);
+}
+
+// Safety check: refuse to create .agentic-security/ unless the parent
+// directory has at least one project marker. Prevents littering when
+// resolution falls through to a non-project directory.
+export function isSafeStateDir(dir) {
+  if (!dir) return false;
+  const parent = path.dirname(dir);
+  for (const m of PROJECT_MARKERS) {
+    if (m === '.agentic-security') continue; // would be circular
+    try {
+      if (fs.existsSync(path.join(parent, m))) return true;
+    } catch { /* ignore */ }
+  }
+  return false;
+}
+
+// Safe mkdir: only creates .agentic-security/ if the parent has a project marker.
+// Returns the dir on success, null if refused. Logs a warning when refused.
+export function ensureStateDir(scanRoot) {
+  const dir = stateDir(scanRoot);
+  if (!isSafeStateDir(dir)) {
+    if (process.env.AGENTIC_SECURITY_DEBUG === '1') {
+      process.stderr.write(`[agentic-security] refusing to create state dir at ${dir} — no project marker in parent\n`);
+    }
+    return null;
+  }
+  try {
+    fs.mkdirSync(dir, { recursive: true });
+    return dir;
+  } catch {
+    return null;
+  }
+}
+
+// Safe write: only writes if isSafeStateDir(parent) returns true.
+// Returns true on success, false if refused or errored.
+export function safeWriteState(filePath, content) {
+  const dir = path.dirname(filePath);
+  if (!isSafeStateDir(dir)) {
+    if (process.env.AGENTIC_SECURITY_DEBUG === '1') {
+      process.stderr.write(`[agentic-security] refusing to write state file at ${filePath} — no project marker in parent of ${dir}\n`);
+    }
+    return false;
+  }
+  try {
+    fs.mkdirSync(dir, { recursive: true });
+    fs.writeFileSync(filePath, content);
+    return true;
+  } catch {
+    return false;
+  }
+}

package/src/posture/streak.js

@@ -11,6 +11,7 @@
 
 import * as fs from 'node:fs';
 import * as path from 'node:path';
+import { isSafeStateDir } from './state-dir.js';
 
 function _streakPath(stateDir) {
   return path.join(stateDir, 'streak.json');
@@ -115,6 +116,7 @@ function _computeAchievements(streak, scan) {
 
 // Public — invoked by the CLI after every full scan.
 export function recordScan(stateDir, scan) {
+  if (!isSafeStateDir(stateDir)) return null;
   try { fs.mkdirSync(stateDir, { recursive: true }); } catch {}
   const prev = loadStreak(stateDir);
   const today = _todayUTC();
@@ -182,6 +184,7 @@ export function recordScan(stateDir, scan) {
 
 // Mark "launch check passed 10/10" — called from /security-launch-check
 export function markLaunchCheckPassed(stateDir) {
+  if (!isSafeStateDir(stateDir)) return null;
   const prev = loadStreak(stateDir);
   const next = { ...prev, launchCheckPassedAt: new Date().toISOString() };
   next.achievements = _computeAchievements(next, { findings: [] });

package/src/posture/suppressions.js

@@ -8,9 +8,7 @@
 import * as fs from 'node:fs';
 import * as path from 'node:path';
 import * as yaml from 'js-yaml';
-
-const VIBECODER_PATH = '.agentic-security/accepted.json';
-const PRO_PATH = '.agentic-security/suppressions.yml';
+import { statePath, safeWriteState } from './state-dir.js';
 
 const MS_PER_DAY = 86400000;
 const SOFT_TTL_DAYS = 30;
@@ -22,7 +20,7 @@ function _dateOnly(iso) {
 }
 
 export function loadSoftAccepted(scanRoot) {
-  const fp = path.join(scanRoot || process.cwd(), VIBECODER_PATH);
+  const fp = statePath(scanRoot, 'accepted.json');
   if (!fs.existsSync(fp)) return [];
   try {
     const raw = JSON.parse(fs.readFileSync(fp, 'utf8'));
@@ -31,9 +29,8 @@ export function loadSoftAccepted(scanRoot) {
 }
 
 export function saveSoftAccepted(scanRoot, items) {
-  const fp = path.join(scanRoot || process.cwd(), VIBECODER_PATH);
-  fs.mkdirSync(path.dirname(fp), { recursive: true });
-  fs.writeFileSync(fp, JSON.stringify({ accepted: items }, null, 2));
+  const fp = statePath(scanRoot, 'accepted.json');
+  safeWriteState(fp, JSON.stringify({ accepted: items }, null, 2));
 }
 
 export function addSoftAcceptance(scanRoot, finding, reason) {
@@ -53,7 +50,7 @@ export function addSoftAcceptance(scanRoot, finding, reason) {
 }
 
 export function loadProSuppressions(scanRoot) {
-  const fp = path.join(scanRoot || process.cwd(), PRO_PATH);
+  const fp = statePath(scanRoot, 'suppressions.yml');
   if (!fs.existsSync(fp)) return [];
   try {
     const parsed = yaml.load(fs.readFileSync(fp, 'utf8'));

package/src/posture/triage.js

@@ -4,13 +4,12 @@
 
 import * as fs from 'node:fs';
 import * as path from 'node:path';
-
-const STORE_PATH = '.agentic-security/triage.json';
+import { statePath, safeWriteState } from './state-dir.js';
 
 export const STATES = ['open', 'in-progress', 'fixed', 'wont-fix', 'false-positive'];
 
 function _storePath(scanRoot) {
-  return path.join(scanRoot || process.cwd(), STORE_PATH);
+  return statePath(scanRoot, 'triage.json');
 }
 
 export function loadTriage(scanRoot) {
@@ -22,8 +21,7 @@ export function loadTriage(scanRoot) {
 
 function _save(scanRoot, data) {
   const fp = _storePath(scanRoot);
-  fs.mkdirSync(path.dirname(fp), { recursive: true });
-  fs.writeFileSync(fp, JSON.stringify(data, null, 2));
+  safeWriteState(fp, JSON.stringify(data, null, 2));
 }
 
 // Sync the triage store with the latest scan: new findings become 'open',
@@ -144,3 +142,16 @@ export function trend(scanRoot, sinceDays = 30) {
     totalOpen: findings.filter(f => f.state === 'open' || f.state === 'in-progress').length,
   };
 }
+
+export function exportTriageMetrics(scanRoot) {
+  const triage = loadTriage(scanRoot);
+  const findings = Object.values(triage.findings || {});
+  const families = {};
+  for (const f of findings) {
+    const fam = f.family || 'unknown';
+    if (!families[fam]) families[fam] = { tp: 0, fp: 0 };
+    if (f.state === 'fixed' || f.state === 'open' || f.state === 'in-progress') families[fam].tp++;
+    else if (f.state === 'false-positive') families[fam].fp++;
+  }
+  return { families };
+}

package/src/posture/validator-metrics.js

@@ -24,11 +24,11 @@
 
 import * as fs from 'node:fs';
 import * as path from 'node:path';
+import { statePath, safeWriteState } from './state-dir.js';
 
-const FILE = '.agentic-security/validator-metrics.json';
 const HISTORY_CAP = 100;
 
-function _filePath(scanRoot) { return path.join(scanRoot || process.cwd(), FILE); }
+function _filePath(scanRoot) { return statePath(scanRoot, 'validator-metrics.json'); }
 
 function _read(scanRoot) {
   const fp = _filePath(scanRoot);
@@ -39,10 +39,7 @@ function _read(scanRoot) {
 
 function _write(scanRoot, data) {
   const fp = _filePath(scanRoot);
-  try {
-    fs.mkdirSync(path.dirname(fp), { recursive: true });
-    fs.writeFileSync(fp, JSON.stringify(data, null, 2));
-  } catch { /* swallow — telemetry is best-effort */ }
+  safeWriteState(fp, JSON.stringify(data, null, 2));
 }
 
 function _round(n) { return Math.round(n * 10000) / 10000; }

package/src/report/index.js

@@ -322,6 +322,7 @@ export function toJSON(scan, meta={}, opts={}){
     // threw and were skipped. The findings still ship; downstream consumers
     // see the gap.
     annotatorErrors: Array.isArray(scan.annotatorErrors) ? scan.annotatorErrors : [],
+    _scanMeta: scan._scanMeta || null,
   };
   if (opts.includeSuppressed) out.suppressed = scan.suppressions||[];
   return out;
@@ -560,11 +561,31 @@ export function toSARIF(scan, meta={}){
           ...(scan && scan._rulesetVersionMismatch ? { rulesetVersionMismatch: scan._rulesetVersionMismatch } : {}),
         },
       }],
-      results: findings.map(f => ({
+      results: findings.map(f => {
+        const chain = Array.isArray(f.chain) ? f.chain : [];
+        const codeFlows = chain.length >= 2 ? [{
+          threadFlows: [{
+            locations: chain.map((hop, idx) => ({
+              location: {
+                physicalLocation: {
+                  artifactLocation: { uri: hop.file || f.file },
+                  region: { startLine: Math.max(1, hop.line || 1) },
+                },
+                message: { text: hop.label || (idx === 0 ? 'source' : idx === chain.length - 1 ? 'sink' : 'propagation') },
+              },
+            })),
+          }],
+        }] : undefined;
+        const fixes = f.remediation ? [{
+          description: { text: f.remediation.slice(0, 500) },
+        }] : undefined;
+        return {
         ruleId: f.vuln ? f.vuln.replace(/[^a-zA-Z0-9]/g, '_') : 'unknown',
         level: SEV_TO_SARIF[f.severity] || 'warning',
         message: { text: f.fix?.description || f.vuln || 'Security finding' },
         locations: [{ physicalLocation: { artifactLocation: { uri: f.file }, region: { startLine: Math.max(1, f.line||1) } } }],
+        ...(codeFlows ? { codeFlows } : {}),
+        ...(fixes ? { fixes } : {}),
         // Phase-1 (Sentinel-parity) fingerprint: stableId persists across
         // refactors. Keep partialFingerprints intact for tools that key on
         // the line-hash; add a 'stableId' fingerprint for tools that respect
@@ -595,7 +616,7 @@ export function toSARIF(scan, meta={}){
           ...(f._unsigned ? { unsigned: true } : {}),
           ...(f._passThroughSigning ? { passThroughSigning: true } : {}),
         },
-      })),
+      };}),
     }],
   };
 }

package/src/sast/cache-poisoning.js

@@ -0,0 +1,77 @@
+// Cache poisoning via tainted response headers.
+//
+// Detects reflected request headers in responses that CDNs/proxies key on.
+// X-Forwarded-Host, X-Forwarded-Proto, X-Original-URL reflected into
+// response headers or HTML body enables web cache poisoning attacks.
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+const CACHE_KEY_HEADERS = /x-forwarded-host|x-forwarded-proto|x-original-url|x-rewrite-url|x-forwarded-for|x-host/i;
+const TAINT_SOURCES = /req\.headers|request\.headers|request\.META|getHeader|get_header|\$_SERVER/;
+
+export function scanCachePoisoning(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+  if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|go|rb|php|phtml)$/i.test(fp)) return [];
+
+  const findings = [];
+
+  // Pattern 1: Reflected cache-key header in response
+  // res.setHeader('X-Forwarded-Host', req.headers['x-forwarded-host'])
+  const headerReflectRe = /(?:setHeader|set|header|add_header|Header\.Set|Header\.Add)\s*\(\s*['"]([^'"]+)['"]\s*,\s*[^)]*(?:req\.headers|request\.headers|request\.META|\$_SERVER)/g;
+  for (const m of raw.matchAll(headerReflectRe)) {
+    const headerName = m[1];
+    if (!CACHE_KEY_HEADERS.test(headerName)) continue;
+    const line = _line(raw, m.index);
+    findings.push({
+      id: `cache-poison-reflect:${fp}:${line}`,
+      file: fp, line,
+      vuln: `Cache Poisoning — ${headerName} reflected from request to response`,
+      severity: 'high',
+      family: 'cache-poisoning',
+      cwe: 'CWE-349',
+      parser: 'CACHE-POISON',
+      confidence: 0.75,
+      description: `The ${headerName} request header is reflected in the response. If a CDN or reverse proxy caches this response, an attacker can poison the cache for all users by sending a crafted ${headerName} value.`,
+      remediation: `Don't reflect ${headerName} into the response. If you need the value for redirects, validate it against an allow-list of trusted hosts.`,
+    });
+  }
+
+  // Pattern 2: Cache-Control or Vary set from user input
+  const cacheControlTaintRe = /(?:Cache-Control|Vary)\s*['"]\s*,\s*[^)]*(?:req\.|request\.|params|query|body|\$_GET|\$_REQUEST)/g;
+  for (const m of raw.matchAll(cacheControlTaintRe)) {
+    const line = _line(raw, m.index);
+    findings.push({
+      id: `cache-poison-control:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Cache Poisoning — Cache-Control or Vary header set from user input',
+      severity: 'high',
+      family: 'cache-poisoning',
+      cwe: 'CWE-349',
+      parser: 'CACHE-POISON',
+      confidence: 0.65,
+      description: 'Cache-Control or Vary response header is derived from user input. An attacker can manipulate caching behavior to serve stale or poisoned content.',
+      remediation: 'Set Cache-Control and Vary headers from server-side constants, never from user input.',
+    });
+  }
+
+  // Pattern 3: Host header used in URL generation (redirect/link)
+  const hostRedirectRe = /(?:req\.headers\.host|request\.get_host|request\.host|request\.META\s*\[\s*['"]HTTP_HOST['"])\s*[^;\n]*(?:redirect|location|href|url|link)/gi;
+  for (const m of raw.matchAll(hostRedirectRe)) {
+    const line = _line(raw, m.index);
+    findings.push({
+      id: `cache-poison-host:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Cache Poisoning — Host header used in URL/redirect generation',
+      severity: 'medium',
+      family: 'cache-poisoning',
+      cwe: 'CWE-644',
+      parser: 'CACHE-POISON',
+      confidence: 0.60,
+      description: 'The Host request header is used to generate URLs or redirects. Combined with caching, an attacker can redirect all cached users to a malicious host.',
+      remediation: 'Use a server-configured base URL instead of the Host header. Validate Host against an allow-list.',
+    });
+  }
+
+  return findings;
+}

package/src/sast/comparison-safety.js

@@ -0,0 +1,73 @@
+// Timing-safe comparison and type-coercion safety detector.
+//
+// Flags:
+//   1. Direct === / == on HMAC/signature/token/OTP values (timing attack)
+//   2. Loose == in authorization checks (type coercion)
+//   3. Missing timingSafeEqual / hmac.compare_digest in verification functions
+
+const TIMING_SENSITIVE = /\b(hmac|signature|digest|hash|mac|checksum|token|otp|apiKey|api_key|secret_key|webhook_secret|signing_key)\b/i;
+const AUTH_CONTEXT = /\b(role|permission|isAdmin|is_admin|accessLevel|access_level|privilege|authorization|auth_level)\b/i;
+
+function _line(raw, idx) { return raw.slice(0, idx).split('\n').length; }
+
+export function scanComparisonSafety(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+  if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|go)$/i.test(fp)) return [];
+
+  const findings = [];
+
+  // 1. Timing-unsafe comparison: x === y where x or y is named like a secret
+  for (const m of raw.matchAll(/(\w+)\s*===?\s*(\w+)/g)) {
+    const left = m[1], right = m[2];
+    if (!TIMING_SENSITIVE.test(left) && !TIMING_SENSITIVE.test(right)) continue;
+    const line = _line(raw, m.index);
+    const lineStart = raw.lastIndexOf('\n', m.index) + 1;
+    const lineText = raw.slice(lineStart, raw.indexOf('\n', m.index));
+    // Skip if timingSafeEqual or compare_digest is nearby
+    const context = raw.slice(Math.max(0, m.index - 200), m.index + 200);
+    if (/timingSafeEqual|compare_digest|ConstantTimeCompare|constant_time_compare/i.test(context)) continue;
+    // Skip if inside a comment
+    if (/^\s*\/\/|^\s*#|^\s*\*/.test(lineText)) continue;
+    findings.push({
+      id: `timing-unsafe:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Timing-Unsafe Comparison — secret/HMAC compared with === instead of timingSafeEqual',
+      severity: 'medium',
+      family: 'timing-attack',
+      cwe: 'CWE-208',
+      parser: 'COMPARISON',
+      confidence: 0.70,
+      description: `String === comparison on "${TIMING_SENSITIVE.exec(left + ' ' + right)?.[1] || 'secret'}" leaks timing information. An attacker can measure response times to guess the value byte-by-byte.`,
+      remediation: 'Use crypto.timingSafeEqual(Buffer.from(a), Buffer.from(b)) in Node.js, hmac.compare_digest(a, b) in Python, or subtle.ConstantTimeCompare(a, b) in Go.',
+      snippet: lineText.trim().slice(0, 100),
+    });
+  }
+
+  // 2. Loose equality == in auth context
+  for (const m of raw.matchAll(/(\w+)\s*==\s*(?!=)(\w+|['"][^'"]+['"])/g)) {
+    const left = m[1], right = m[2];
+    if (!AUTH_CONTEXT.test(left) && !AUTH_CONTEXT.test(right)) continue;
+    const line = _line(raw, m.index);
+    const lineStart = raw.lastIndexOf('\n', m.index) + 1;
+    const lineText = raw.slice(lineStart, raw.indexOf('\n', m.index));
+    if (/^\s*\/\/|^\s*#|^\s*\*/.test(lineText)) continue;
+    // Only flag JS/TS (Python and Go use == for equality, not coercion)
+    if (!/\.(?:js|jsx|ts|tsx|mjs|cjs)$/i.test(fp)) continue;
+    findings.push({
+      id: `loose-equality-auth:${fp}:${line}`,
+      file: fp, line,
+      vuln: 'Loose Equality in Auth Check — == allows type coercion bypass',
+      severity: 'high',
+      family: 'type-coercion',
+      cwe: 'CWE-697',
+      parser: 'COMPARISON',
+      confidence: 0.65,
+      description: `Loose equality (==) on "${AUTH_CONTEXT.exec(left + ' ' + right)?.[1] || 'auth field'}" allows type coercion. "1" == 1 is true; an attacker may bypass checks by sending a different type.`,
+      remediation: 'Use strict equality (===) for all authorization checks.',
+      snippet: lineText.trim().slice(0, 100),
+    });
+  }
+
+  return findings;
+}

package/src/sast/db-taint.js

@@ -76,6 +76,30 @@ function _lang(fp) {
  * Walk the file once collecting WRITE pairs (model, field, line) where the
  * written value is a user source.
  */
+function _buildModelTableMap(code, lang) {
+  const map = new Map();
+  if (lang === 'js') {
+    for (const m of code.matchAll(/(?:sequelize\.define|\.init)\s*\(\s*['"](\w+)['"][\s\S]*?tableName\s*:\s*['"](\w+)['"]/g))
+      map.set(m[1], m[2]);
+    for (const m of code.matchAll(/class\s+(\w+)\s+extends\s+Model[\s\S]*?tableName\s*:\s*['"](\w+)['"]/g))
+      map.set(m[1], m[2]);
+    for (const m of code.matchAll(/@@map\s*\(\s*['"](\w+)['"]\s*\)/g))
+      map.set('_prisma_', m[1]);
+  } else if (lang === 'py') {
+    for (const m of code.matchAll(/class\s+(\w+)[\s\S]*?class\s+Meta[\s\S]*?db_table\s*=\s*['"](\w+)['"]/g))
+      map.set(m[1], m[2]);
+    for (const m of code.matchAll(/__tablename__\s*=\s*['"](\w+)['"]/g))
+      map.set('_sqla_', m[1]);
+  }
+  return map;
+}
+
+function _resolveTableName(model, tableMap) {
+  if (!model) return model;
+  if (tableMap.has(model)) return tableMap.get(model);
+  return model.toLowerCase() + 's';
+}
+
 function _findTaintedWrites(code, lang) {
   const writes = [];
   const patterns = lang === 'js' ? WRITE_PATTERNS_JS : WRITE_PATTERNS_PY;
@@ -213,3 +237,57 @@ export function scanDbTaint(fp, raw) {
   }
   return findings;
 }
+
+// ── Cross-file stored injection ────────────────────────────────────────────
+//
+// Extends the same-file detector to work across all files in the project.
+// Collects ORM writes and render-of-reads across all files, then matches
+// by field name to find stored XSS / stored injection paths.
+
+export function scanDbTaintCrossFile(fileContents) {
+  if (!fileContents || typeof fileContents !== 'object') return [];
+  const allWrites = [];
+  const allReads = [];
+  for (const [fp, raw] of Object.entries(fileContents)) {
+    if (!raw || typeof raw !== 'string' || raw.length > 500_000) continue;
+    const lang = _lang(fp);
+    if (!lang) continue;
+    const code = blankComments(raw, lang === 'py' ? 'py' : undefined);
+    const writes = _findTaintedWrites(code, lang);
+    for (const w of writes) allWrites.push({ ...w, file: fp });
+    const reads = _findRendersOfReads(code, lang);
+    for (const r of reads) allReads.push({ ...r, file: fp });
+  }
+  const findings = [];
+  const seen = new Set();
+  for (const w of allWrites) {
+    for (const r of allReads) {
+      if (w.file === r.file) continue;
+      if (w.field !== r.field) continue;
+      const id = `db-taint-xfile:${w.file}:${w.line}->${r.file}:${r.line}:${w.field}`;
+      if (seen.has(id)) continue;
+      seen.add(id);
+      findings.push({
+        id,
+        file: r.file, line: r.line,
+        vuln: `Stored XSS via DB round-trip — cross-file (${w.model || '?'}.${w.field})`,
+        severity: 'high',
+        cwe: 'CWE-79',
+        family: 'stored-xss',
+        stride: 'Tampering',
+        remediation:
+          `User content written to ${w.model || '?'}.${w.field} at ${w.file}:${w.line} is later read at ${r.file}:${r.line} and rendered. ` +
+          'Sanitize at write time (HTML-escape), escape at render time, and use CSP to block inline scripts.',
+        parser: 'DB-TAINT-XFILE',
+        confidence: 0.60,
+        source: { file: w.file, line: w.line, label: `${w.model || '?'}.${w.field} write` },
+        sink: { file: r.file, line: r.line, label: `${w.field} render` },
+        trace: [
+          { file: w.file, line: w.line, kind: 'db-write', sourceLabel: `${w.model || '?'}.${w.field} ← user input` },
+          { file: r.file, line: r.line, kind: 'db-read',  sourceLabel: `${w.field} → render sink` },
+        ],
+      });
+    }
+  }
+  return findings;
+}

package/src/sast/graphql.js

@@ -0,0 +1,127 @@
+// GraphQL security detector.
+//
+// Coverage:
+//   1. Query injection — string-concat/template building GraphQL queries from user input
+//   2. Depth/complexity DoS — ApolloServer/express-graphql without depth limiting
+//   3. Introspection in production — introspection enabled or not explicitly disabled
+//   4. Batching DoS — missing batch-size limits
+//   5. Field suggestions — error messages leaking field names
+
+function _line(raw, idx) {
+  return raw.slice(0, idx).split('\n').length;
+}
+
+export function scanGraphQL(fp, raw) {
+  if (!fp || !raw || typeof raw !== 'string') return [];
+  if (raw.length > 500_000) return [];
+  if (!/\.(?:js|jsx|ts|tsx|mjs|cjs|py|go|rb)$/i.test(fp)) return [];
+
+  const findings = [];
+
+  // 1. Query injection: string concat/template into GraphQL query strings
+  const queryConcat = /(?:query|mutation)\s*[:=]\s*(?:`[^`]*\$\{[^}]*\}|["'][^"']*["']\s*\+\s*\w)/g;
+  for (const m of raw.matchAll(queryConcat)) {
+    const ln = _line(raw, m.index);
+    const after = raw.slice(m.index, m.index + 300);
+    if (/\b(?:gql|graphql|\.query|\.mutate)\b/i.test(after) || /\b(?:query|mutation)\s*\{/.test(after)) {
+      findings.push({
+        id: `graphql-injection:${fp}:${ln}`,
+        file: fp, line: ln,
+        vuln: 'GraphQL Query Injection — user input concatenated into query string',
+        severity: 'high',
+        family: 'graphql-injection',
+        cwe: 'CWE-943',
+        parser: 'GRAPHQL',
+        confidence: 0.75,
+        description: 'GraphQL query is built via string concatenation or template interpolation with variables that may contain user input. An attacker can inject additional fields, aliases, or mutations.',
+        remediation: 'Use parameterized GraphQL queries with variables: `query GetUser($id: ID!) { user(id: $id) { name } }` and pass variables separately.',
+      });
+    }
+  }
+
+  // 2. Depth/complexity DoS: ApolloServer/createYoga/express-graphql without depth limit
+  if (/\b(?:ApolloServer|createYoga|graphqlHTTP|makeExecutableSchema)\b/.test(raw)) {
+    if (!/\b(?:depthLimit|graphql-depth-limit|graphql-validation-complexity|costAnalysis|maxDepth|queryDepthLimit)\b/.test(raw)) {
+      const m = raw.match(/\b(ApolloServer|createYoga|graphqlHTTP)\b/);
+      if (m) {
+        findings.push({
+          id: `graphql-depth-dos:${fp}:${_line(raw, m.index)}`,
+          file: fp, line: _line(raw, m.index),
+          vuln: 'GraphQL Depth/Complexity DoS — no depth limiting configured',
+          severity: 'medium',
+          family: 'graphql-dos',
+          cwe: 'CWE-400',
+          parser: 'GRAPHQL',
+          confidence: 0.70,
+          description: 'GraphQL server is configured without query depth or complexity limits. An attacker can send deeply nested queries that exhaust server resources.',
+          remediation: 'Add graphql-depth-limit or graphql-query-complexity to validationRules: new ApolloServer({ validationRules: [depthLimit(10)] }).',
+        });
+      }
+    }
+  }
+
+  // 3. Introspection in production
+  if (/\bintrospection\s*:\s*true\b/.test(raw)) {
+    const m = raw.match(/\bintrospection\s*:\s*true\b/);
+    if (m) {
+      findings.push({
+        id: `graphql-introspection:${fp}:${_line(raw, m.index)}`,
+        file: fp, line: _line(raw, m.index),
+        vuln: 'GraphQL Introspection Enabled — schema exposed to clients',
+        severity: 'medium',
+        family: 'graphql-introspection',
+        cwe: 'CWE-200',
+        parser: 'GRAPHQL',
+        confidence: 0.80,
+        description: 'Introspection is explicitly enabled. Attackers can query __schema to discover all types, fields, and mutations — accelerating further attacks.',
+        remediation: 'Disable introspection in production: new ApolloServer({ introspection: process.env.NODE_ENV !== "production" }).',
+      });
+    }
+  }
+
+  // 4. Batching DoS: missing batch limits
+  if (/\b(?:ApolloServer|ApolloGateway)\b/.test(raw)) {
+    if (!/\b(?:allowBatchedHttpRequests\s*:\s*false|maxBatchSize|batching\s*:\s*false)\b/.test(raw)) {
+      const m = raw.match(/\b(ApolloServer|ApolloGateway)\b/);
+      if (m) {
+        const after = raw.slice(m.index, m.index + 500);
+        if (/allowBatchedHttpRequests\s*:\s*true/.test(after) && !/maxBatchSize/.test(after)) {
+          findings.push({
+            id: `graphql-batch-dos:${fp}:${_line(raw, m.index)}`,
+            file: fp, line: _line(raw, m.index),
+            vuln: 'GraphQL Batch DoS — batching enabled without size limit',
+            severity: 'medium',
+            family: 'graphql-dos',
+            cwe: 'CWE-400',
+            parser: 'GRAPHQL',
+            confidence: 0.65,
+            description: 'Batched HTTP requests are enabled without a maxBatchSize limit. Attackers can send thousands of operations in a single HTTP request.',
+            remediation: 'Set allowBatchedHttpRequests: false, or add maxBatchSize: 10 to limit batch size.',
+          });
+        }
+      }
+    }
+  }
+
+  // 5. Field suggestions leaking schema info
+  if (/\b(?:includeStacktraceInErrorResponses|formatError|debug\s*:\s*true)\b/.test(raw)) {
+    if (/\b(?:ApolloServer|graphqlHTTP)\b/.test(raw)) {
+      for (const m of raw.matchAll(/\bdebug\s*:\s*true\b/g)) {
+        findings.push({
+          id: `graphql-debug:${fp}:${_line(raw, m.index)}`,
+          file: fp, line: _line(raw, m.index),
+          vuln: 'GraphQL Debug Mode — error details exposed to clients',
+          severity: 'low',
+          family: 'graphql-introspection',
+          cwe: 'CWE-209',
+          parser: 'GRAPHQL',
+          confidence: 0.70,
+          description: 'Debug mode exposes stack traces and field suggestion in error responses, leaking internal schema structure.',
+          remediation: 'Set debug: false or includeStacktraceInErrorResponses: false in production.',
+        });
+      }
+    }
+  }
+
+  return findings;
+}