npm - @critiq/rules - Versions diffs - 0.0.1 - Mend

@critiq/rules 0.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

package/catalog.yaml ADDED Viewed

@@ -0,0 +1,599 @@
+apiVersion: critiq.dev/v1alpha1
+kind: RuleCatalog
+rules:
+  - id: ts.logging.no-console-log
+    rulePath: ./rules/typescript/ts.logging.no-console-log.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.logging.no-console-error
+    rulePath: ./rules/typescript/ts.logging.no-console-error.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.runtime.no-debugger-statement
+    rulePath: ./rules/typescript/ts.runtime.no-debugger-statement.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.constant-condition
+    rulePath: ./rules/typescript/ts.correctness.constant-condition.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.missing-await-on-async-call
+    rulePath: ./rules/typescript/ts.correctness.missing-await-on-async-call.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.implicit-undefined-return
+    rulePath: ./rules/typescript/ts.correctness.implicit-undefined-return.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.unhandled-async-error
+    rulePath: ./rules/typescript/ts.correctness.unhandled-async-error.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.correctness.incorrect-boolean-logic
+    rulePath: ./rules/typescript/ts.correctness.incorrect-boolean-logic.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.blocking-call-in-async-flow
+    rulePath: ./rules/typescript/ts.correctness.blocking-call-in-async-flow.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.missing-default-dispatch
+    rulePath: ./rules/typescript/ts.correctness.missing-default-dispatch.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.missing-timeout-on-external-call
+    rulePath: ./rules/typescript/ts.correctness.missing-timeout-on-external-call.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.correctness.possible-null-dereference
+    rulePath: ./rules/typescript/ts.correctness.possible-null-dereference.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.nested-property-access-without-check
+    rulePath: ./rules/typescript/ts.correctness.nested-property-access-without-check.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.unchecked-map-key-access
+    rulePath: ./rules/typescript/ts.correctness.unchecked-map-key-access.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.optional-value-without-fallback
+    rulePath: ./rules/typescript/ts.correctness.optional-value-without-fallback.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.off-by-one-loop-boundary
+    rulePath: ./rules/typescript/ts.correctness.off-by-one-loop-boundary.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.correctness.shared-state-race
+    rulePath: ./rules/typescript/ts.correctness.shared-state-race.rule.yaml
+    presets:
+      - experimental
+  - id: ts.correctness.unreachable-statement
+    rulePath: ./rules/typescript/ts.correctness.unreachable-statement.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.quality.swallowed-error
+    rulePath: ./rules/typescript/ts.quality.swallowed-error.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.quality.function-too-large-or-complex
+    rulePath: ./rules/typescript/ts.quality.function-too-large-or-complex.rule.yaml
+    presets:
+      - strict
+  - id: ts.quality.duplicate-code-block
+    rulePath: ./rules/typescript/ts.quality.duplicate-code-block.rule.yaml
+    presets:
+      - strict
+  - id: ts.quality.deep-nesting
+    rulePath: ./rules/typescript/ts.quality.deep-nesting.rule.yaml
+    presets:
+      - strict
+  - id: ts.quality.missing-error-context
+    rulePath: ./rules/typescript/ts.quality.missing-error-context.rule.yaml
+    presets:
+      - strict
+  - id: ts.quality.tight-module-coupling
+    rulePath: ./rules/typescript/ts.quality.tight-module-coupling.rule.yaml
+    presets:
+      - strict
+  - id: ts.quality.hardcoded-configuration-values
+    rulePath: ./rules/typescript/ts.quality.hardcoded-configuration-values.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.quality.magic-numbers-or-strings
+    rulePath: ./rules/typescript/ts.quality.magic-numbers-or-strings.rule.yaml
+    presets:
+      - strict
+  - id: ts.quality.missing-tests-for-critical-logic
+    rulePath: ./rules/typescript/ts.quality.missing-tests-for-critical-logic.rule.yaml
+    presets:
+      - strict
+  - id: ts.quality.logic-change-without-test-updates
+    rulePath: ./rules/typescript/ts.quality.logic-change-without-test-updates.rule.yaml
+    presets:
+      - strict
+  - id: ts.config.no-process-env-outside-config
+    rulePath: ./rules/typescript/ts.config.no-process-env-outside-config.rule.yaml
+    presets:
+      - strict
+  - id: ts.random.no-math-random-in-core
+    rulePath: ./rules/typescript/ts.random.no-math-random-in-core.rule.yaml
+    presets:
+      - strict
+  - id: ts.performance.sequential-async-calls
+    rulePath: ./rules/typescript/ts.performance.sequential-async-calls.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.performance.repeated-io-in-loop
+    rulePath: ./rules/typescript/ts.performance.repeated-io-in-loop.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.performance.repeated-expensive-computation
+    rulePath: ./rules/typescript/ts.performance.repeated-expensive-computation.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.performance.inefficient-data-structure-usage
+    rulePath: ./rules/typescript/ts.performance.inefficient-data-structure-usage.rule.yaml
+    presets:
+      - recommended
+      - strict
+  - id: ts.performance.nested-loops-hot-path
+    rulePath: ./rules/typescript/ts.performance.nested-loops-hot-path.rule.yaml
+    presets:
+      - strict
+  - id: ts.performance.missing-batch-operations
+    rulePath: ./rules/typescript/ts.performance.missing-batch-operations.rule.yaml
+    presets:
+      - strict
+  - id: ts.performance.large-payload-without-streaming
+    rulePath: ./rules/typescript/ts.performance.large-payload-without-streaming.rule.yaml
+    presets:
+      - strict
+  - id: ts.performance.unbounded-growth-memory-leak
+    rulePath: ./rules/typescript/ts.performance.unbounded-growth-memory-leak.rule.yaml
+    presets:
+      - strict
+  - id: ts.performance.retained-large-object
+    rulePath: ./rules/typescript/ts.performance.retained-large-object.rule.yaml
+    presets:
+      - experimental
+  - id: ts.performance.unnecessary-rerenders-from-state-misuse
+    rulePath: ./rules/typescript/ts.performance.unnecessary-rerenders-from-state-misuse.rule.yaml
+    presets:
+      - experimental
+  - id: ts.react.no-cascaded-effect-fetches
+    rulePath: ./rules/typescript/ts.react.no-cascaded-effect-fetches.rule.yaml
+    presets:
+      - strict
+  - id: ts.next.no-server-client-boundary-leaks
+    rulePath: ./rules/typescript/ts.next.no-server-client-boundary-leaks.rule.yaml
+    presets:
+      - strict
+  - id: security.no-sql-interpolation
+    rulePath: ./rules/shared/security.no-sql-interpolation.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.no-dynamic-execution
+    rulePath: ./rules/typescript/ts.security.no-dynamic-execution.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: security.no-request-path-file-read
+    rulePath: ./rules/shared/security.no-request-path-file-read.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: security.no-command-execution-with-request-input
+    rulePath: ./rules/shared/security.no-command-execution-with-request-input.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.dangerous-insert-html
+    rulePath: ./rules/typescript/ts.security.dangerous-insert-html.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.dangerously-set-inner-html
+    rulePath: ./rules/typescript/ts.security.dangerously-set-inner-html.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.no-innerhtml-assignment
+    rulePath: ./rules/typescript/ts.security.no-innerhtml-assignment.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: security.no-hardcoded-credentials
+    rulePath: ./rules/shared/security.no-hardcoded-credentials.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.missing-authorization-before-sensitive-action
+    rulePath: ./rules/typescript/ts.security.missing-authorization-before-sensitive-action.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.missing-ownership-validation
+    rulePath: ./rules/typescript/ts.security.missing-ownership-validation.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.frontend-only-authorization
+    rulePath: ./rules/typescript/ts.security.frontend-only-authorization.rule.yaml
+    presets:
+      - experimental
+  - id: ts.security.token-or-session-not-validated
+    rulePath: ./rules/typescript/ts.security.token-or-session-not-validated.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.insecure-auth-cookie-flags
+    rulePath: ./rules/typescript/ts.security.insecure-auth-cookie-flags.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.jwt-sensitive-claims
+    rulePath: ./rules/typescript/ts.security.jwt-sensitive-claims.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.browser-token-storage
+    rulePath: ./rules/typescript/ts.security.browser-token-storage.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: security.tls-verification-disabled
+    rulePath: ./rules/shared/security.tls-verification-disabled.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: security.insecure-http-transport
+    rulePath: ./rules/shared/security.insecure-http-transport.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.weak-tls-version
+    rulePath: ./rules/typescript/ts.security.weak-tls-version.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.open-redirect
+    rulePath: ./rules/typescript/ts.security.open-redirect.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.sensitive-data-egress
+    rulePath: ./rules/typescript/ts.security.sensitive-data-egress.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: security.no-sensitive-data-in-logs-and-telemetry
+    rulePath: ./rules/shared/security.no-sensitive-data-in-logs-and-telemetry.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.ssrf
+    rulePath: ./rules/typescript/ts.security.ssrf.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.bind-to-all-interfaces
+    rulePath: ./rules/typescript/ts.security.bind-to-all-interfaces.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: security.weak-hash-algorithm
+    rulePath: ./rules/shared/security.weak-hash-algorithm.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.weak-cipher-or-mode
+    rulePath: ./rules/typescript/ts.security.weak-cipher-or-mode.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.predictable-token-generation
+    rulePath: ./rules/typescript/ts.security.predictable-token-generation.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.insufficiently-random-values
+    rulePath: ./rules/typescript/ts.security.insufficiently-random-values.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.weak-key-strength
+    rulePath: ./rules/typescript/ts.security.weak-key-strength.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.missing-integrity-check
+    rulePath: ./rules/typescript/ts.security.missing-integrity-check.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.unvalidated-external-input
+    rulePath: ./rules/typescript/ts.security.unvalidated-external-input.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: security.unsafe-deserialization
+    rulePath: ./rules/shared/security.unsafe-deserialization.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.missing-request-timeout-or-retry
+    rulePath: ./rules/typescript/ts.security.missing-request-timeout-or-retry.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.datadog-browser-track-user-interactions
+    rulePath: ./rules/typescript/ts.security.datadog-browser-track-user-interactions.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.dynamodb-query-injection
+    rulePath: ./rules/typescript/ts.security.dynamodb-query-injection.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.hardcoded-auth-secret
+    rulePath: ./rules/typescript/ts.security.hardcoded-auth-secret.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.import-using-user-input
+    rulePath: ./rules/typescript/ts.security.import-using-user-input.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.insecure-allow-origin
+    rulePath: ./rules/typescript/ts.security.insecure-allow-origin.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.permissive-allow-origin
+    rulePath: ./rules/typescript/ts.security.permissive-allow-origin.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.express-insecure-cookie
+    rulePath: ./rules/typescript/ts.security.express-insecure-cookie.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.express-cookie-missing-http-only
+    rulePath: ./rules/typescript/ts.security.express-cookie-missing-http-only.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.insecure-password-hash-configuration
+    rulePath: ./rules/typescript/ts.security.insecure-password-hash-configuration.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.insecure-websocket-transport
+    rulePath: ./rules/typescript/ts.security.insecure-websocket-transport.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.jwt-not-revoked
+    rulePath: ./rules/typescript/ts.security.jwt-not-revoked.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.handlebars-no-escape
+    rulePath: ./rules/typescript/ts.security.handlebars-no-escape.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.manual-html-sanitization
+    rulePath: ./rules/typescript/ts.security.manual-html-sanitization.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.missing-message-origin-check
+    rulePath: ./rules/typescript/ts.security.missing-message-origin-check.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.express-nosql-injection
+    rulePath: ./rules/typescript/ts.security.express-nosql-injection.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.observable-timing-discrepancy
+    rulePath: ./rules/typescript/ts.security.observable-timing-discrepancy.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.external-file-upload
+    rulePath: ./rules/typescript/ts.security.external-file-upload.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.file-generation
+    rulePath: ./rules/typescript/ts.security.file-generation.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.non-literal-fs-filename
+    rulePath: ./rules/typescript/ts.security.non-literal-fs-filename.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.permissive-file-permissions
+    rulePath: ./rules/typescript/ts.security.permissive-file-permissions.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.postmessage-wildcard-origin
+    rulePath: ./rules/typescript/ts.security.postmessage-wildcard-origin.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.raw-html-using-user-input
+    rulePath: ./rules/typescript/ts.security.raw-html-using-user-input.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.sensitive-data-in-exception
+    rulePath: ./rules/typescript/ts.security.sensitive-data-in-exception.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.sensitive-data-written-to-file
+    rulePath: ./rules/typescript/ts.security.sensitive-data-written-to-file.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.information-leakage
+    rulePath: ./rules/typescript/ts.security.information-leakage.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.ui-redress
+    rulePath: ./rules/typescript/ts.security.ui-redress.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.format-string-using-user-input
+    rulePath: ./rules/typescript/ts.security.format-string-using-user-input.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.user-controlled-sendfile
+    rulePath: ./rules/typescript/ts.security.user-controlled-sendfile.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.user-controlled-view-render
+    rulePath: ./rules/typescript/ts.security.user-controlled-view-render.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.exposed-directory-listing
+    rulePath: ./rules/typescript/ts.security.exposed-directory-listing.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.express-default-session-config
+    rulePath: ./rules/typescript/ts.security.express-default-session-config.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.express-default-cookie-config
+    rulePath: ./rules/typescript/ts.security.express-default-cookie-config.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.express-permissive-cookie-config
+    rulePath: ./rules/typescript/ts.security.express-permissive-cookie-config.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.express-static-assets-after-session
+    rulePath: ./rules/typescript/ts.security.express-static-assets-after-session.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.express-missing-helmet
+    rulePath: ./rules/typescript/ts.security.express-missing-helmet.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.express-reduce-fingerprint
+    rulePath: ./rules/typescript/ts.security.express-reduce-fingerprint.rule.yaml
+    presets:
+      - strict
+      - security
+  - id: ts.security.debug-mode-enabled
+    rulePath: ./rules/typescript/ts.security.debug-mode-enabled.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security
+  - id: ts.security.unsanitized-http-response
+    rulePath: ./rules/typescript/ts.security.unsanitized-http-response.rule.yaml
+    presets:
+      - recommended
+      - strict
+      - security

package/package.json ADDED Viewed

@@ -0,0 +1,21 @@
+{
+  "name": "@critiq/rules",
+  "version": "0.0.1",
+  "private": false,
+  "description": "Public OSS Critiq rule catalog with catalog metadata, shipped rule YAML files, and preset membership.",
+  "type": "commonjs",
+  "main": "./src/index.js",
+  "types": "./src/index.d.ts",
+  "exports": {
+    ".": {
+      "types": "./src/index.d.ts",
+      "default": "./src/index.js"
+    }
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "dependencies": {
+    "tslib": "^2.3.0"
+  }
+}

package/rules/shared/security.insecure-http-transport.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.insecure-http-transport
+  title: Insecure HTTP transport
+  summary: Outbound transport should not use plain HTTP for sensitive requests.
+  rationale: Plain HTTP exposes traffic to interception and tampering.
+  tags:
+    - security
+    - transport
+    - network
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+    - go
+    - python
+    - java
+    - php
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.insecure-http-transport
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.9
+    tags:
+      - security
+      - transport
+      - network
+  message:
+    title: Avoid plain HTTP transport in `${captures.issue.text}`
+    summary: "`${captures.issue.text}` sends an outbound request over plain HTTP."
+  remediation:
+    summary: Use HTTPS or a trusted local-development exception for non-production endpoints.

package/rules/shared/security.no-command-execution-with-request-input.rule.yaml ADDED Viewed

@@ -0,0 +1,42 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: security.no-command-execution-with-request-input
+  title: Command execution using untrusted input
+  summary: Process execution helpers must not receive request-controlled executables or shell-interpreted arguments.
+  rationale: Request-controlled process execution can become remote code execution when attackers choose the binary or influence shell parsing.
+  tags:
+    - security
+    - injection
+    - command-execution
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+    - go
+    - python
+    - java
+    - php
+    - ruby
+    - rust
+match:
+  fact:
+    kind: security.command-execution-with-request-input
+    bind: execCall
+emit:
+  finding:
+    category: security.injection
+    severity: critical
+    confidence: 0.9
+    tags:
+      - security
+      - injection
+      - command-execution
+  message:
+    title: Avoid request-controlled command execution in `${captures.execCall.text}`
+    summary: "`${captures.execCall.text}` executes a process using request-controlled command data."
+  remediation:
+    summary: Dispatch only allowlisted binaries, keep shell mode disabled, and validate or constrain subcommands before execution.