@critiq/rules 0.3.0 → 0.4.0

package/rules/typescript/ts.react.no-this-state-in-set-state.rule.yaml

@@ -0,0 +1,38 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-this-state-in-set-state
+  title: Avoid this.state inside setState()
+  summary: Reading this.state inside setState() leads to stale state references because React batches updates asynchronously.
+  rationale: setState updates are asynchronous and may be batched; reading this.state directly inside the updater bypasses the guaranteed-latest state provided by the updater function parameter.
+  aliases:
+    - JS-0435
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.this-state-in-set-state
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: high
+    confidence: 0.85
+    tags:
+      - react
+      - ui
+  message:
+    title: Use updater function parameter instead of this.state
+    summary: "${captures.issue.text} reads this.state inside a setState call, which may use stale state."
+  remediation:
+    summary: >-
+      Replace this.setState({ key: this.state.key + 1 }) with
+      this.setState(prevState => ({ key: prevState.key + 1 })) to guarantee latest state.

package/rules/typescript/ts.react.no-unnecessary-fragment.rule.yaml

@@ -0,0 +1,36 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.react.no-unnecessary-fragment
+  title: Remove unnecessary React fragments
+  summary: Fragments wrapping a single child add runtime overhead without structural benefit.
+  rationale: A fragment with one element or text child can be replaced by the child itself, reducing render tree depth and making the component simpler.
+  aliases:
+    - JS-0424
+  tags:
+    - react
+    - ui
+    - rules-catalog
+  stability: experimental
+  appliesTo: function
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: ui.react.unnecessary-fragment
+    bind: issue
+emit:
+  finding:
+    category: correctness.ui
+    severity: low
+    confidence: 0.85
+    tags:
+      - react
+      - ui
+  message:
+    title: Replace unnecessary fragment with its single child
+    summary: "${captures.issue.text} wraps exactly one child element and can be removed."
+  remediation:
+    summary: Remove the wrapping fragment and keep only the single child element.

package/rules/typescript/ts.runtime.no-process-exit.rule.yaml

@@ -14,10 +14,13 @@ metadata:
     - kind: owasp
       title: Secure Configuration Cheat Sheet
       url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  aliases:
+    - JS-0263
   tags:
     - runtime
     - node
     - rules-catalog
+    - public-directory-parity
   stability: stable
   appliesTo: block
 scope:

package/rules/typescript/ts.runtime.process-exit-control-flow.rule.yaml

@@ -0,0 +1,46 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.runtime.process-exit-control-flow
+  title: process.exit() in control flow
+  summary: "Avoid `process.exit()` in finally blocks or followed by reachable code."
+  rationale: "`process.exit()` in a finally block runs even after errors, and reachable code after exit creates dead code and logic errors."
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-16
+      title: Configuration
+    - kind: owasp
+      title: Secure Configuration Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  aliases:
+    - JS-0270
+  tags:
+    - runtime
+    - node
+    - rules-catalog
+    - public-directory-parity
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+match:
+  fact:
+    kind: runtime.process-exit-control-flow
+    bind: issue
+emit:
+  finding:
+    category: security.reliability
+    severity: high
+    confidence: 0.85
+    tags:
+      - runtime
+      - node
+  message:
+    title: Review process.exit() placement
+    summary: "`${captures.issue.text}` may terminate the process in an unexpected control flow context."
+  remediation:
+    summary: Use structured error handling (throw/try-catch) instead of process.exit() in finally blocks. Remove dead code after process.exit().

package/rules/typescript/ts.security.dangerous-insert-html.rule.yaml

@@ -25,6 +25,11 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/build/**"
+      - "**/scripts/**"
+      - "**/docs/**"
 match:
   fact:
     kind: security.dangerous-insert-html

package/rules/typescript/ts.security.express-insecure-listen.rule.yaml

@@ -0,0 +1,52 @@
+apiVersion: critiq.dev/v1alpha1
+kind: Rule
+metadata:
+  id: ts.security.express-insecure-listen
+  title: Avoid insecure HTTP server bootstrap in production entrypoints
+  summary: Application servers should terminate TLS locally or document trusted edge termination before exposing plain HTTP listeners.
+  rationale: Bootstrapping Express, Fastify, Nest, or raw HTTP servers without HTTPS exposes traffic to interception and downgrade attacks when no compensating TLS layer exists.
+  detection:
+    kind: pattern
+  references:
+    - kind: cwe
+      id: CWE-319
+      title: Cleartext Transmission of Sensitive Information
+    - kind: owasp
+      title: Transport Layer Protection Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Transport_Layer_Protection_Cheat_Sheet.html
+  tags:
+    - security
+    - transport
+    - express
+    - rules-catalog
+  stability: stable
+  appliesTo: block
+scope:
+  languages:
+    - typescript
+    - javascript
+  paths:
+    exclude:
+      - "**/build/**"
+      - "**/scripts/**"
+      - "**/docs/**"
+      - "**/*.spec.*"
+      - "**/*.test.*"
+match:
+  fact:
+    kind: security.express-insecure-listen
+    bind: issue
+emit:
+  finding:
+    category: security.transport
+    severity: high
+    confidence: 0.85
+    tags:
+      - security
+      - transport
+      - express
+  message:
+    title: Protect `${captures.issue.text}` with TLS or documented edge termination
+    summary: "`${captures.issue.text}` starts a plain HTTP listener without local HTTPS bootstrap or a documented TLS termination guard."
+  remediation:
+    summary: Use `https.createServer` with valid credentials, terminate TLS at a trusted reverse proxy, or restrict the listener to explicit development-only guards.

package/rules/typescript/ts.security.express-nosql-injection.rule.yaml

@@ -2,18 +2,18 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.express-nosql-injection
-  title: Avoid request-driven model queries
-  summary: Express handlers should not pass raw request objects into NoSQL filters, query helpers, or aggregation pipelines.
-  rationale: Request-shaped filters, operators, or pipelines can expand query scope and inject unintended behavior.
+  title: Request-driven NoSQL query or aggregation pipeline
+  summary: Express handlers should not pass raw request objects into NoSQL filters, query helpers, or aggregation pipelines to prevent injection attacks.
+  rationale: Passing unvalidated request data directly into NoSQL model queries can allow attackers to manipulate query scope, bypass access controls, or extract unintended data from MongoDB and similar databases.
   detection:
     kind: pattern
   references:
     - kind: cwe
-      id: CWE-89
-      title: SQL Injection
+      id: CWE-943
+      title: Improper Neutralization of Special Elements in Data Query Logic
     - kind: owasp
-      title: SQL Injection Prevention Cheat Sheet
-      url: https://cheatsheetseries.owasp.org/cheatsheets/SQL_Injection_Prevention_Cheat_Sheet.html
+      title: NoSQL Injection Prevention Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/NoSQL_Injection_Prevention_Cheat_Sheet.html
     - kind: url
       title: Node.js security best practices
       url: https://nodejs.org/en/learn/getting-started/security-best-practices
@@ -31,6 +31,11 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/types/**/*-tests.ts"
+      - "**/types/**/*.test.*"
+      - "**/types/**/*.spec.*"
 match:
   fact:
     kind: security.express-nosql-injection
@@ -38,15 +43,15 @@ match:
 emit:
   finding:
     category: security.input-validation
-    severity: critical
+    severity: high
     confidence: 0.92
     tags:
       - security
       - injection
       - nosql
   message:
-    title: Narrow the query passed to `${captures.issue.text}`
-    summary: "`${captures.issue.text}` receives request-controlled query input without an allowlisted query or pipeline shape."
+    title: NoSQL injection via `${captures.issue.text}`
+    summary: "`${captures.issue.text}` passes unvalidated request data into a NoSQL model query, allowing attackers to manipulate query scope, bypass filters, or extract unauthorized data."
   remediation:
-    summary: Build the NoSQL query or aggregation pipeline from fixed fields or validated filter builders instead of passing request data directly.
+    summary: Restrict NoSQL queries to allowlisted field names and validated filter shapes. Use typed query builders (e.g., Mongoose `where` chaining, MongoDB aggregation pipeline validators) instead of passing raw request objects.
 

package/rules/typescript/ts.security.express-static-dotfiles-allow.rule.yaml

@@ -31,6 +31,11 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/lib/**"
+      - "**/node_modules/**"
+      - "**/vendor/**"
 match:
   fact:
     kind: security.express-static-dotfiles-allow

package/rules/typescript/ts.security.iframe-missing-sandbox-attribute.rule.yaml

@@ -2,9 +2,17 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.iframe-missing-sandbox-attribute
-  title: Add a sandbox attribute to iframes
-  summary: Intrinsic iframe elements should declare a sandbox attribute to reduce blast radius.
-  rationale: Sandboxed iframes limit scripts, forms, and top-level navigation when embedded third-party content is compromised.
+  title: Iframe without sandbox attribute
+  summary: Intrinsic iframe elements embedding untrusted third-party content should declare a sandbox attribute to reduce blast radius.
+  rationale: |
+    The sandbox attribute restricts what the embedded document can do — forms,
+    scripts, navigation, and plugin access are blocked by default. Iframes
+    loading untrusted third-party content without sandbox protection expose
+    users to clickjacking, credential theft, and XSS via the embedded context.
+    However, some iframes intentionally embed trusted services (payment gateways,
+    app marketplaces, developer tools) and may not need sandboxing. If the iframe
+    has `allowFullScreen` or `allow` attributes, the developer has explicitly
+    granted permissions — these are assumed to be trusted embeds.
   detection:
     kind: pattern
   references:
@@ -25,6 +33,10 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/DefinitelyTyped/**"
+      - "**/types/**/*-tests.*"
 match:
   fact:
     kind: security.iframe-missing-sandbox-attribute
@@ -38,8 +50,8 @@ emit:
       - security
       - react
   message:
-    title: "Add sandbox to ${captures.issue.text}"
-    summary: "${captures.issue.text} is missing a sandbox attribute."
+    title: "Iframe missing sandbox attribute"
+    summary: "${captures.issue.text} loads external content without sandbox restrictions. If the content is untrusted, add sandbox to prevent clickjacking and XSS. If the iframe loads a trusted service (payment gateway, app marketplace, developer tool), add allowFullScreen or allow to signal explicit trust."
   remediation:
-    summary: Add the most restrictive sandbox token set that still allows required behavior, and combine with a strict CSP.
+    summary: Add the most restrictive sandbox token set that still allows required behavior (e.g., `sandbox="allow-scripts"` for scripts only). If the iframe embeds a trusted external service that cannot be sandboxed (payment gateway, app marketplace), add `allowFullScreen` or `allow` to signal intentional trust.
 

package/rules/typescript/ts.security.import-using-user-input.rule.yaml

@@ -2,18 +2,18 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.import-using-user-input
-  title: Constrain module-loading trust boundaries
+  title: Constrain module-loading to trusted allowlists
   summary: "`require()` and dynamic `import()` should not resolve modules from untrusted input."
-  rationale: Untrusted module paths let attackers steer module-loading boundaries toward unintended files, packages, or plugins.
+  rationale: Untrusted module paths let attackers steer module-loading boundaries toward unintended files, packages, or plugins. Only flag when the module path is derived from request or event data — static string literals and allowlist-validated paths are intentionally excluded. Test, bundled, and tutorial files are excluded because they contain static or intentionally simplified imports.
   detection:
     kind: pattern
   references:
     - kind: cwe
-      id: CWE-78
-      title: OS Command Injection
+      id: CWE-73
+      title: External Control of File Name or Path
     - kind: owasp
-      title: OS Command Injection Defense Cheat Sheet
-      url: https://cheatsheetseries.owasp.org/cheatsheets/OS_Command_Injection_Defense_Cheat_Sheet.html
+      title: Input Validation Cheat Sheet
+      url: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
   tags:
     - security
     - execution
@@ -25,6 +25,24 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/__tests__/**"
+      - "**/__mocks__/**"
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/e2e/**"
+      - "**/integration-tests/**"
+      - "**/.yarn/releases/**"
+      - "**/*-bundle.*"
+      - "**/*.min.*"
+      - "**/tutorials/**"
+      - "**/content/tutorials/**"
+      - "**/types/**/*-tests.*"
+      - "**/types/**/*.test.*"
+      - "**/types/**/*.spec.*"
 match:
   fact:
     kind: security.import-using-user-input
@@ -32,15 +50,49 @@ match:
 emit:
   finding:
     category: security.execution
-    severity: high
+    severity: medium
     confidence: 0.92
     tags:
       - security
       - execution
       - module-loading
   message:
-    title: Resolve `${captures.issue.text}` from a trusted module map
-    summary: "`${captures.issue.text}` crosses a module-loading trust boundary with untrusted input."
+    title: Resolve modules from a trusted allowlist instead of `${captures.issue.text}`
+    summary: "`${captures.issue.text}` resolves a module using request- or event-derived input. Untrusted module paths can load arbitrary files or packages, bypassing intended security boundaries."
   remediation:
-    summary: Resolve modules from a fixed allowlist or explicit dispatcher instead of untrusted request or event data.
+    summary: |-
+      Replace dynamic module paths with a fixed allowlist or validated dispatcher:
+
+      ### Unsafe — dynamic path from request input
+      ```typescript
+      const plugin = require(req.query.plugin);
+      await import(req.body.moduleName);
+      ```
+
+      ### Safe — allowlist dispatch
+      ```typescript
+      const ALLOWED_PLUGINS: Record<string, string> = {
+        analytics: './plugins/analytics',
+        auth: './plugins/auth',
+      };
+      const pluginPath = ALLOWED_PLUGINS[req.query.plugin];
+      if (pluginPath) {
+        const plugin = require(pluginPath);
+      }
+      ```
+
+      ### Safe — validation before import
+      ```typescript
+      function isValidModule(modName: string): boolean {
+        return /^[a-z-]+$/u.test(modName);
+      }
+      const moduleName = req.query.module;
+      if (isValidModule(moduleName)) {
+        const mod = require('./modules/' + moduleName);
+      }
+      ```
+
+      ### References
+      - CWE-73: External Control of File Name or Path
+      - OWASP Input Validation Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Input_Validation_Cheat_Sheet.html
 

package/rules/typescript/ts.security.insecure-auth-cookie-flags.rule.yaml

@@ -25,6 +25,14 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/__tests__/**"
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/types/**/*-tests.*"
 match:
   fact:
     kind: ts.security.insecure-auth-cookie-flags
@@ -32,16 +40,16 @@ match:
 emit:
   finding:
     category: security.authentication
-    severity: high
+    severity: medium
     confidence: 0.9
     tags:
       - security
       - authentication
       - cookies
   message:
-    title: Harden `${captures.issue.text}` for auth cookies
-    summary: "`${captures.issue.text}` sets an auth-bearing cookie without the expected protections."
+    title: Auth cookie `${captures.issue.text}` missing security flags
+    summary: "`${captures.issue.text}` sets a cookie with an auth-signaling name without HttpOnly, Secure, or SameSite protections. Missing these flags makes the cookie vulnerable to session theft via XSS, MITM, or CSRF."
   remediation:
-    summary: Add `HttpOnly`, `Secure`, and an explicit `SameSite` policy before the cookie is used for session or auth state.
+    summary: "Add `HttpOnly`, `Secure`, and an explicit `SameSite` policy (preferably `Lax` or `Strict`) before the cookie is used for session or auth state. For example: `{ httpOnly: true, secure: true, sameSite: 'lax' }`."
 
 

package/rules/typescript/ts.security.missing-request-timeout-or-retry.rule.yaml

@@ -2,9 +2,9 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.missing-request-timeout-or-retry
-  title: Missing request timeout or retry protection
-  summary: External calls should define timeout, cancellation, or retry behavior before they enter security-sensitive flows.
-  rationale: Authentication and dependency calls that have neither timeout nor retry protection fail unpredictably under network stress.
+  title: "[DEPRECATED] Use ts.correctness.missing-timeout-on-external-call instead"
+  summary: "DEPRECATED: This rule is consolidated into ts.correctness.missing-timeout-on-external-call. External calls should define timeout, cancellation, or retry behavior."
+  rationale: "DEPRECATED: Consolidated with the correctness variant. See ts.correctness.missing-timeout-on-external-call for the current rule."
   detection:
     kind: pattern
   references:
@@ -19,6 +19,7 @@ metadata:
     - resilience
     - rules-catalog
     - crq-sec-030
+    - deprecated
   stability: stable
   appliesTo: block
 scope:
@@ -37,9 +38,10 @@ emit:
     tags:
       - security
       - resilience
+      - deprecated
   message:
-    title: Add timeout or retry protection to external calls
-    summary: "`${captures.issue.text}` performs an external call without timeout, cancellation, or retry handling."
+    title: "[DEPRECATED] Add timeout or retry protection to external calls"
+    summary: "DEPRECATED — Consolidated into ts.correctness.missing-timeout-on-external-call. `${captures.issue.text}` performs an external call without timeout, cancellation, or retry handling."
   remediation:
-    summary: Add explicit timeout or cancellation support, wrap the call in retry handling, or do both when the dependency is critical.
+    summary: "This rule is deprecated. Use ts.correctness.missing-timeout-on-external-call instead. Add explicit timeout or cancellation support, wrap the call in retry handling, or do both when the dependency is critical."
 

package/rules/typescript/ts.security.no-assign-mutable-export.rule.yaml

@@ -14,6 +14,8 @@ metadata:
     - kind: owasp
       title: Secure Configuration Cheat Sheet
       url: https://cheatsheetseries.owasp.org/cheatsheets/Secure_Configuration_Cheat_Sheet.html
+  aliases:
+    - JS-E1009
   tags:
     - security
     - express

package/rules/typescript/ts.security.no-dynamic-execution.rule.yaml

@@ -4,7 +4,7 @@ metadata:
   id: ts.security.no-dynamic-execution
   title: Eval or dynamic code execution
   summary: Eval-like helpers, `vm` execution APIs, and string-evaluated timers should not execute dynamic code.
-  rationale: Dynamic execution turns data into code, widens the attack surface, and bypasses normal control flow.
+  rationale: Dynamic execution turns data into code and widens the attack surface. Without taint tracking, this rule fires on legitimate library and template code patterns where the input is fully controlled.
   detection:
     kind: pattern
   references:
@@ -31,8 +31,8 @@ match:
 emit:
   finding:
     category: security.execution
-    severity: high
-    confidence: 0.95
+    severity: low
+    confidence: 0.55
     tags:
       - security
       - execution

package/rules/typescript/ts.security.no-javascript-url.rule.yaml

@@ -2,9 +2,9 @@ apiVersion: critiq.dev/v1alpha1
 kind: Rule
 metadata:
   id: ts.security.no-javascript-url
-  title: Avoid `javascript:` URLs
-  summary: Do not use `javascript:` URLs in string literals, template literals, or JSX link attributes.
-  rationale: "`javascript:` URLs execute attacker-controlled code when used as navigation targets."
+  title: "Avoid `javascript:` URLs in href, src, or navigation attributes"
+  summary: "`javascript:` URLs can execute arbitrary script when used as navigation targets in href, src, or action attributes."
+  rationale: "`javascript:` URLs execute attacker-controlled code when used as navigation targets. Only flag when the URL appears in contexts that could reach a browser — test assertions, sanitizer inputs, and type-test files are intentionally excluded."
   detection:
     kind: pattern
   references:
@@ -14,6 +14,8 @@ metadata:
     - kind: owasp
       title: Cross Site Scripting Prevention Cheat Sheet
       url: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
+  aliases:
+    - JS-0421
   tags:
     - security
     - xss
@@ -24,6 +26,16 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/__tests__/**"
+      - "**/__mocks__/**"
+      - "**/tests/**"
+      - "**/test/**"
+      - "**/.github/actions/**"
+      - "**/types/**/*-tests.*"
 match:
   fact:
     kind: security.javascript-url
@@ -31,14 +43,36 @@ match:
 emit:
   finding:
     category: security.output-encoding
-    severity: high
-    confidence: 0.94
+    severity: medium
+    confidence: 0.85
     tags:
       - security
       - xss
   message:
-    title: "Avoid `javascript:` URLs"
-    summary: "`${captures.issue.text}` uses a `javascript:` URL that can execute arbitrary script."
+    title: "Avoid `javascript:` URLs in link attributes"
+    summary: "${captures.issue.text} uses a `javascript:` URL. When assigned to `href`, `src`, or `action` attributes, `javascript:` URLs execute arbitrary code in the user's browser and enable XSS attacks."
   remediation:
-    summary: "Use safe HTTPS links, in-app handlers, or explicit event callbacks instead of `javascript:` URLs."
+    summary: |-
+      Replace `javascript:` URLs with safe alternatives:
+      - Use `https://` links for external navigation
+      - Use in-app route handlers for internal navigation (e.g., React Router, Next.js `Link`)
+      - Use explicit event handlers (`onClick`, `onSubmit`) instead of `javascript:` in href
+
+      ### Unsafe example
+
+      ```html
+      <a href="javascript:doSomething()">click</a>
+      ```
+
+      ### Safe alternatives
+
+      ```tsx
+      <a href="https://example.com">External link</a>
+      <button onClick={() => doSomething()}>Click me</button>
+      <Link to="/path">Internal link</Link>
+      ```
+
+      ### References
+      - CWE-79: Cross-site Scripting (XSS)
+      - OWASP XSS Prevention Cheat Sheet: https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
 

package/rules/typescript/ts.security.no-native-prototype-extension.rule.yaml

@@ -24,6 +24,18 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/__tests__/**"
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/e2e/**"
+      - "**/zone.js/**"
+      - "**/polyfill*/**"
+      - "**/shim*/**"
+      - "**/types/**/*-tests.ts"
 match:
   fact:
     kind: security.native-prototype-extension
@@ -31,7 +43,7 @@ match:
 emit:
   finding:
     category: security.language
-    severity: high
+    severity: low
     confidence: 0.96
     tags:
       - security

package/rules/typescript/ts.security.non-literal-fs-filename.rule.yaml

@@ -25,6 +25,18 @@ scope:
   languages:
     - typescript
     - javascript
+  paths:
+    exclude:
+      - "**/sandbox/**"
+      - "**/tests/setup/**"
+      - "**/tests/smoke/**"
+      - "**/e2e/**"
+      - "**/*.test.*"
+      - "**/*.spec.*"
+      - "**/__tests__/**"
+      - "**/test/**"
+      - "**/tests/**"
+      - "**/spec/**"
 match:
   fact:
     kind: security.non-literal-fs-filename
@@ -32,7 +44,7 @@ match:
 emit:
   finding:
     category: security.filesystem
-    severity: high
+    severity: medium
     confidence: 0.9
     tags:
       - security