@datahogo/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (153) hide show
  1. package/LICENSE +661 -0
  2. package/README.md +17 -0
  3. package/dist/engines/config.d.ts +3 -0
  4. package/dist/engines/config.d.ts.map +1 -0
  5. package/dist/engines/config.js +433 -0
  6. package/dist/engines/config.js.map +1 -0
  7. package/dist/engines/dast.d.ts +3 -0
  8. package/dist/engines/dast.d.ts.map +1 -0
  9. package/dist/engines/dast.js +167 -0
  10. package/dist/engines/dast.js.map +1 -0
  11. package/dist/engines/db-rules.d.ts +3 -0
  12. package/dist/engines/db-rules.d.ts.map +1 -0
  13. package/dist/engines/db-rules.js +166 -0
  14. package/dist/engines/db-rules.js.map +1 -0
  15. package/dist/engines/dependencies.d.ts +3 -0
  16. package/dist/engines/dependencies.d.ts.map +1 -0
  17. package/dist/engines/dependencies.js +167 -0
  18. package/dist/engines/dependencies.js.map +1 -0
  19. package/dist/engines/github-actions.d.ts +3 -0
  20. package/dist/engines/github-actions.d.ts.map +1 -0
  21. package/dist/engines/github-actions.js +215 -0
  22. package/dist/engines/github-actions.js.map +1 -0
  23. package/dist/engines/gitleaks.d.ts +3 -0
  24. package/dist/engines/gitleaks.d.ts.map +1 -0
  25. package/dist/engines/gitleaks.js +107 -0
  26. package/dist/engines/gitleaks.js.map +1 -0
  27. package/dist/engines/npm-audit.d.ts +3 -0
  28. package/dist/engines/npm-audit.d.ts.map +1 -0
  29. package/dist/engines/npm-audit.js +113 -0
  30. package/dist/engines/npm-audit.js.map +1 -0
  31. package/dist/engines/patterns.d.ts +3 -0
  32. package/dist/engines/patterns.d.ts.map +1 -0
  33. package/dist/engines/patterns.js +1330 -0
  34. package/dist/engines/patterns.js.map +1 -0
  35. package/dist/engines/secrets.d.ts +4 -0
  36. package/dist/engines/secrets.d.ts.map +1 -0
  37. package/dist/engines/secrets.js +260 -0
  38. package/dist/engines/secrets.js.map +1 -0
  39. package/dist/engines/semgrep.d.ts +3 -0
  40. package/dist/engines/semgrep.d.ts.map +1 -0
  41. package/dist/engines/semgrep.js +173 -0
  42. package/dist/engines/semgrep.js.map +1 -0
  43. package/dist/engines/types.d.ts +30 -0
  44. package/dist/engines/types.d.ts.map +1 -0
  45. package/dist/engines/types.js +3 -0
  46. package/dist/engines/types.js.map +1 -0
  47. package/dist/engines/url-scanner.d.ts +3 -0
  48. package/dist/engines/url-scanner.d.ts.map +1 -0
  49. package/dist/engines/url-scanner.js +469 -0
  50. package/dist/engines/url-scanner.js.map +1 -0
  51. package/dist/index.d.ts +8 -0
  52. package/dist/index.d.ts.map +1 -0
  53. package/dist/index.js +8 -0
  54. package/dist/index.js.map +1 -0
  55. package/dist/orchestrator.d.ts +32 -0
  56. package/dist/orchestrator.d.ts.map +1 -0
  57. package/dist/orchestrator.js +237 -0
  58. package/dist/orchestrator.js.map +1 -0
  59. package/dist/rules/.gitkeep +0 -0
  60. package/dist/rules/ai-llm-security.yaml +199 -0
  61. package/dist/rules/api-security.yaml +489 -0
  62. package/dist/rules/auth-patterns.yaml +406 -0
  63. package/dist/rules/crypto-patterns.yaml +227 -0
  64. package/dist/rules/database-cloud-security.yaml +169 -0
  65. package/dist/rules/general-security.yaml +588 -0
  66. package/dist/rules/injection-patterns.yaml +318 -0
  67. package/dist/rules/nextjs-security.yaml +532 -0
  68. package/dist/rules/node-security.yaml +380 -0
  69. package/dist/rules/rules/.gitkeep +0 -0
  70. package/dist/rules/rules/ai-llm-security.yaml +199 -0
  71. package/dist/rules/rules/api-security.yaml +489 -0
  72. package/dist/rules/rules/auth-patterns.yaml +406 -0
  73. package/dist/rules/rules/crypto-patterns.yaml +227 -0
  74. package/dist/rules/rules/database-cloud-security.yaml +169 -0
  75. package/dist/rules/rules/general-security.yaml +588 -0
  76. package/dist/rules/rules/injection-patterns.yaml +318 -0
  77. package/dist/rules/rules/nextjs-security.yaml +532 -0
  78. package/dist/rules/rules/node-security.yaml +380 -0
  79. package/dist/rules/rules/supabase-security.yaml +387 -0
  80. package/dist/rules/supabase-security.yaml +387 -0
  81. package/dist/scanning/agents/csharp-agent.d.ts +12 -0
  82. package/dist/scanning/agents/csharp-agent.d.ts.map +1 -0
  83. package/dist/scanning/agents/csharp-agent.js +592 -0
  84. package/dist/scanning/agents/csharp-agent.js.map +1 -0
  85. package/dist/scanning/agents/go-agent.d.ts +14 -0
  86. package/dist/scanning/agents/go-agent.d.ts.map +1 -0
  87. package/dist/scanning/agents/go-agent.js +641 -0
  88. package/dist/scanning/agents/go-agent.js.map +1 -0
  89. package/dist/scanning/agents/java-agent.d.ts +8 -0
  90. package/dist/scanning/agents/java-agent.d.ts.map +1 -0
  91. package/dist/scanning/agents/java-agent.js +807 -0
  92. package/dist/scanning/agents/java-agent.js.map +1 -0
  93. package/dist/scanning/agents/javascript-agent.d.ts +8 -0
  94. package/dist/scanning/agents/javascript-agent.d.ts.map +1 -0
  95. package/dist/scanning/agents/javascript-agent.js +77 -0
  96. package/dist/scanning/agents/javascript-agent.js.map +1 -0
  97. package/dist/scanning/agents/mobile-agent.d.ts +8 -0
  98. package/dist/scanning/agents/mobile-agent.d.ts.map +1 -0
  99. package/dist/scanning/agents/mobile-agent.js +916 -0
  100. package/dist/scanning/agents/mobile-agent.js.map +1 -0
  101. package/dist/scanning/agents/php-agent.d.ts +8 -0
  102. package/dist/scanning/agents/php-agent.d.ts.map +1 -0
  103. package/dist/scanning/agents/php-agent.js +679 -0
  104. package/dist/scanning/agents/php-agent.js.map +1 -0
  105. package/dist/scanning/agents/python-agent.d.ts +8 -0
  106. package/dist/scanning/agents/python-agent.d.ts.map +1 -0
  107. package/dist/scanning/agents/python-agent.js +701 -0
  108. package/dist/scanning/agents/python-agent.js.map +1 -0
  109. package/dist/scanning/agents/supabase-agent.d.ts +8 -0
  110. package/dist/scanning/agents/supabase-agent.d.ts.map +1 -0
  111. package/dist/scanning/agents/supabase-agent.js +484 -0
  112. package/dist/scanning/agents/supabase-agent.js.map +1 -0
  113. package/dist/scanning/orchestrator.d.ts +29 -0
  114. package/dist/scanning/orchestrator.d.ts.map +1 -0
  115. package/dist/scanning/orchestrator.js +186 -0
  116. package/dist/scanning/orchestrator.js.map +1 -0
  117. package/dist/scanning/tech-detector.d.ts +12 -0
  118. package/dist/scanning/tech-detector.d.ts.map +1 -0
  119. package/dist/scanning/tech-detector.js +252 -0
  120. package/dist/scanning/tech-detector.js.map +1 -0
  121. package/dist/scanning/types.d.ts +87 -0
  122. package/dist/scanning/types.d.ts.map +1 -0
  123. package/dist/scanning/types.js +5 -0
  124. package/dist/scanning/types.js.map +1 -0
  125. package/dist/utils/child-process.d.ts +2 -0
  126. package/dist/utils/child-process.d.ts.map +1 -0
  127. package/dist/utils/child-process.js +4 -0
  128. package/dist/utils/child-process.js.map +1 -0
  129. package/dist/utils/context-classifier.d.ts +11 -0
  130. package/dist/utils/context-classifier.d.ts.map +1 -0
  131. package/dist/utils/context-classifier.js +79 -0
  132. package/dist/utils/context-classifier.js.map +1 -0
  133. package/dist/utils/exec.d.ts +18 -0
  134. package/dist/utils/exec.d.ts.map +1 -0
  135. package/dist/utils/exec.js +51 -0
  136. package/dist/utils/exec.js.map +1 -0
  137. package/dist/utils/file-filter.d.ts +4 -0
  138. package/dist/utils/file-filter.d.ts.map +1 -0
  139. package/dist/utils/file-filter.js +68 -0
  140. package/dist/utils/file-filter.js.map +1 -0
  141. package/dist/utils/fs.d.ts +2 -0
  142. package/dist/utils/fs.d.ts.map +1 -0
  143. package/dist/utils/fs.js +5 -0
  144. package/dist/utils/fs.js.map +1 -0
  145. package/dist/utils/logger.d.ts +12 -0
  146. package/dist/utils/logger.d.ts.map +1 -0
  147. package/dist/utils/logger.js +27 -0
  148. package/dist/utils/logger.js.map +1 -0
  149. package/dist/utils/post-processor.d.ts +10 -0
  150. package/dist/utils/post-processor.d.ts.map +1 -0
  151. package/dist/utils/post-processor.js +183 -0
  152. package/dist/utils/post-processor.js.map +1 -0
  153. package/package.json +44 -0
@@ -0,0 +1,169 @@
1
+ rules:
2
+ # =============================================
3
+ # Database Connection Security — Advanced
4
+ # =============================================
5
+
6
+ - id: datahogo-db-no-pool-limit
7
+ patterns:
8
+ - pattern: |
9
+ new Pool({...})
10
+ - pattern-not: |
11
+ new Pool({..., max: $N, ...})
12
+ message: >
13
+ Database connection pool created without max connection limit. This can lead to pool exhaustion
14
+ under load. Set max to an appropriate value (e.g., 20 for web apps).
15
+ severity: INFO
16
+ languages: [typescript, javascript]
17
+ metadata:
18
+ datahogo_id: 216
19
+ category: database-connection
20
+
21
+ - id: datahogo-db-no-timeout
22
+ patterns:
23
+ - pattern-either:
24
+ - patterns:
25
+ - pattern: |
26
+ new Pool({...})
27
+ - pattern-not: |
28
+ new Pool({..., connectionTimeoutMillis: $N, ...})
29
+ - patterns:
30
+ - pattern: |
31
+ new Client({...})
32
+ - pattern-not: |
33
+ new Client({..., connectionTimeoutMillis: $N, ...})
34
+ message: >
35
+ Database connection created without timeout. Queries or connections that hang indefinitely
36
+ can exhaust resources. Set connectionTimeoutMillis and statement_timeout.
37
+ severity: INFO
38
+ languages: [typescript, javascript]
39
+ metadata:
40
+ datahogo_id: 217
41
+ category: database-connection
42
+
43
+ - id: datahogo-mongodb-no-auth
44
+ patterns:
45
+ - pattern-regex: "mongodb://[^:@]+(?::\\d+)?/"
46
+ - pattern-not-regex: "mongodb://[^:]+:[^@]+@"
47
+ - pattern-not-regex: "mongodb://localhost"
48
+ - pattern-not-regex: "mongodb://127\\.0\\.0\\.1"
49
+ message: >
50
+ MongoDB connection string does not include authentication credentials and connects to a
51
+ non-localhost host. Ensure MongoDB requires authentication in production.
52
+ severity: ERROR
53
+ languages: [typescript, javascript]
54
+ metadata:
55
+ datahogo_id: 213
56
+ category: database-connection
57
+
58
+ - id: datahogo-redis-no-auth
59
+ patterns:
60
+ - pattern-either:
61
+ - patterns:
62
+ - pattern: |
63
+ new Redis({...})
64
+ - pattern-not: |
65
+ new Redis({..., password: $P, ...})
66
+ - patterns:
67
+ - pattern: |
68
+ createClient({...})
69
+ - pattern-not: |
70
+ createClient({..., password: $P, ...})
71
+ message: >
72
+ Redis client created without password authentication. Redis should always require a password,
73
+ especially when accessible over a network.
74
+ severity: WARNING
75
+ languages: [typescript, javascript]
76
+ metadata:
77
+ datahogo_id: 214
78
+ category: database-connection
79
+
80
+ # =============================================
81
+ # Cloud Storage & Services
82
+ # =============================================
83
+
84
+ - id: datahogo-s3-no-encryption
85
+ patterns:
86
+ - pattern-either:
87
+ - patterns:
88
+ - pattern: |
89
+ new s3.Bucket({...})
90
+ - pattern-not: |
91
+ new s3.Bucket({..., encryption: $E, ...})
92
+ - pattern: |
93
+ ServerSideEncryptionConfiguration: []
94
+ message: >
95
+ S3 bucket created without server-side encryption. Enable AES-256 or KMS encryption
96
+ to protect data at rest.
97
+ severity: INFO
98
+ languages: [typescript, javascript]
99
+ metadata:
100
+ datahogo_id: 227
101
+ category: cloud
102
+
103
+ - id: datahogo-cloud-function-no-auth
104
+ patterns:
105
+ - pattern-either:
106
+ - pattern: |
107
+ --allow-unauthenticated
108
+ - pattern: |
109
+ authorizationType: "NONE"
110
+ - pattern: |
111
+ FunctionUrlAuthType.NONE
112
+ message: >
113
+ Cloud function configured without authentication. This exposes the function publicly.
114
+ Use IAM authentication or API Gateway with auth for production functions.
115
+ severity: WARNING
116
+ languages: [typescript, javascript]
117
+ metadata:
118
+ datahogo_id: 226
119
+ category: cloud
120
+
121
+ # =============================================
122
+ # CI/CD Pipeline Security
123
+ # =============================================
124
+
125
+ - id: datahogo-gha-unpinned-action
126
+ pattern-regex: "uses:\\s+[\\w-]+/[\\w-]+@(?:main|master|latest|v\\d+)\\s*$"
127
+ message: >
128
+ GitHub Action uses an unpinned version (branch name or major version tag).
129
+ Pin to a full SHA to prevent supply chain attacks.
130
+ severity: WARNING
131
+ languages: [generic]
132
+ paths:
133
+ include:
134
+ - ".github/workflows/*.yml"
135
+ - ".github/workflows/*.yaml"
136
+ metadata:
137
+ datahogo_id: 241
138
+ category: cicd
139
+
140
+ - id: datahogo-gha-script-injection
141
+ pattern-regex: "run:.*\\$\\{\\{\\s*github\\.event\\.(?:issue|pull_request|comment|review|discussion)\\.(?:title|body|head\\.ref)"
142
+ message: >
143
+ GitHub Actions workflow injects untrusted event data directly into a shell command.
144
+ This enables arbitrary code execution. Use an intermediate environment variable instead.
145
+ severity: ERROR
146
+ languages: [generic]
147
+ paths:
148
+ include:
149
+ - ".github/workflows/*.yml"
150
+ - ".github/workflows/*.yaml"
151
+ metadata:
152
+ datahogo_id: 242
153
+ owasp: "A03:2021"
154
+ category: cicd
155
+
156
+ - id: datahogo-gha-permissions-too-broad
157
+ pattern-regex: "permissions:\\s*write-all"
158
+ message: >
159
+ Workflow uses write-all permissions. Follow least-privilege — specify only needed permissions
160
+ (e.g., contents: read, pull-requests: write).
161
+ severity: WARNING
162
+ languages: [generic]
163
+ paths:
164
+ include:
165
+ - ".github/workflows/*.yml"
166
+ - ".github/workflows/*.yaml"
167
+ metadata:
168
+ datahogo_id: 245
169
+ category: cicd