@datahogo/core 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +661 -0
- package/README.md +17 -0
- package/dist/engines/config.d.ts +3 -0
- package/dist/engines/config.d.ts.map +1 -0
- package/dist/engines/config.js +433 -0
- package/dist/engines/config.js.map +1 -0
- package/dist/engines/dast.d.ts +3 -0
- package/dist/engines/dast.d.ts.map +1 -0
- package/dist/engines/dast.js +167 -0
- package/dist/engines/dast.js.map +1 -0
- package/dist/engines/db-rules.d.ts +3 -0
- package/dist/engines/db-rules.d.ts.map +1 -0
- package/dist/engines/db-rules.js +166 -0
- package/dist/engines/db-rules.js.map +1 -0
- package/dist/engines/dependencies.d.ts +3 -0
- package/dist/engines/dependencies.d.ts.map +1 -0
- package/dist/engines/dependencies.js +167 -0
- package/dist/engines/dependencies.js.map +1 -0
- package/dist/engines/github-actions.d.ts +3 -0
- package/dist/engines/github-actions.d.ts.map +1 -0
- package/dist/engines/github-actions.js +215 -0
- package/dist/engines/github-actions.js.map +1 -0
- package/dist/engines/gitleaks.d.ts +3 -0
- package/dist/engines/gitleaks.d.ts.map +1 -0
- package/dist/engines/gitleaks.js +107 -0
- package/dist/engines/gitleaks.js.map +1 -0
- package/dist/engines/npm-audit.d.ts +3 -0
- package/dist/engines/npm-audit.d.ts.map +1 -0
- package/dist/engines/npm-audit.js +113 -0
- package/dist/engines/npm-audit.js.map +1 -0
- package/dist/engines/patterns.d.ts +3 -0
- package/dist/engines/patterns.d.ts.map +1 -0
- package/dist/engines/patterns.js +1330 -0
- package/dist/engines/patterns.js.map +1 -0
- package/dist/engines/secrets.d.ts +4 -0
- package/dist/engines/secrets.d.ts.map +1 -0
- package/dist/engines/secrets.js +260 -0
- package/dist/engines/secrets.js.map +1 -0
- package/dist/engines/semgrep.d.ts +3 -0
- package/dist/engines/semgrep.d.ts.map +1 -0
- package/dist/engines/semgrep.js +173 -0
- package/dist/engines/semgrep.js.map +1 -0
- package/dist/engines/types.d.ts +30 -0
- package/dist/engines/types.d.ts.map +1 -0
- package/dist/engines/types.js +3 -0
- package/dist/engines/types.js.map +1 -0
- package/dist/engines/url-scanner.d.ts +3 -0
- package/dist/engines/url-scanner.d.ts.map +1 -0
- package/dist/engines/url-scanner.js +469 -0
- package/dist/engines/url-scanner.js.map +1 -0
- package/dist/index.d.ts +8 -0
- package/dist/index.d.ts.map +1 -0
- package/dist/index.js +8 -0
- package/dist/index.js.map +1 -0
- package/dist/orchestrator.d.ts +32 -0
- package/dist/orchestrator.d.ts.map +1 -0
- package/dist/orchestrator.js +237 -0
- package/dist/orchestrator.js.map +1 -0
- package/dist/rules/.gitkeep +0 -0
- package/dist/rules/ai-llm-security.yaml +199 -0
- package/dist/rules/api-security.yaml +489 -0
- package/dist/rules/auth-patterns.yaml +406 -0
- package/dist/rules/crypto-patterns.yaml +227 -0
- package/dist/rules/database-cloud-security.yaml +169 -0
- package/dist/rules/general-security.yaml +588 -0
- package/dist/rules/injection-patterns.yaml +318 -0
- package/dist/rules/nextjs-security.yaml +532 -0
- package/dist/rules/node-security.yaml +380 -0
- package/dist/rules/rules/.gitkeep +0 -0
- package/dist/rules/rules/ai-llm-security.yaml +199 -0
- package/dist/rules/rules/api-security.yaml +489 -0
- package/dist/rules/rules/auth-patterns.yaml +406 -0
- package/dist/rules/rules/crypto-patterns.yaml +227 -0
- package/dist/rules/rules/database-cloud-security.yaml +169 -0
- package/dist/rules/rules/general-security.yaml +588 -0
- package/dist/rules/rules/injection-patterns.yaml +318 -0
- package/dist/rules/rules/nextjs-security.yaml +532 -0
- package/dist/rules/rules/node-security.yaml +380 -0
- package/dist/rules/rules/supabase-security.yaml +387 -0
- package/dist/rules/supabase-security.yaml +387 -0
- package/dist/scanning/agents/csharp-agent.d.ts +12 -0
- package/dist/scanning/agents/csharp-agent.d.ts.map +1 -0
- package/dist/scanning/agents/csharp-agent.js +592 -0
- package/dist/scanning/agents/csharp-agent.js.map +1 -0
- package/dist/scanning/agents/go-agent.d.ts +14 -0
- package/dist/scanning/agents/go-agent.d.ts.map +1 -0
- package/dist/scanning/agents/go-agent.js +641 -0
- package/dist/scanning/agents/go-agent.js.map +1 -0
- package/dist/scanning/agents/java-agent.d.ts +8 -0
- package/dist/scanning/agents/java-agent.d.ts.map +1 -0
- package/dist/scanning/agents/java-agent.js +807 -0
- package/dist/scanning/agents/java-agent.js.map +1 -0
- package/dist/scanning/agents/javascript-agent.d.ts +8 -0
- package/dist/scanning/agents/javascript-agent.d.ts.map +1 -0
- package/dist/scanning/agents/javascript-agent.js +77 -0
- package/dist/scanning/agents/javascript-agent.js.map +1 -0
- package/dist/scanning/agents/mobile-agent.d.ts +8 -0
- package/dist/scanning/agents/mobile-agent.d.ts.map +1 -0
- package/dist/scanning/agents/mobile-agent.js +916 -0
- package/dist/scanning/agents/mobile-agent.js.map +1 -0
- package/dist/scanning/agents/php-agent.d.ts +8 -0
- package/dist/scanning/agents/php-agent.d.ts.map +1 -0
- package/dist/scanning/agents/php-agent.js +679 -0
- package/dist/scanning/agents/php-agent.js.map +1 -0
- package/dist/scanning/agents/python-agent.d.ts +8 -0
- package/dist/scanning/agents/python-agent.d.ts.map +1 -0
- package/dist/scanning/agents/python-agent.js +701 -0
- package/dist/scanning/agents/python-agent.js.map +1 -0
- package/dist/scanning/agents/supabase-agent.d.ts +8 -0
- package/dist/scanning/agents/supabase-agent.d.ts.map +1 -0
- package/dist/scanning/agents/supabase-agent.js +484 -0
- package/dist/scanning/agents/supabase-agent.js.map +1 -0
- package/dist/scanning/orchestrator.d.ts +29 -0
- package/dist/scanning/orchestrator.d.ts.map +1 -0
- package/dist/scanning/orchestrator.js +186 -0
- package/dist/scanning/orchestrator.js.map +1 -0
- package/dist/scanning/tech-detector.d.ts +12 -0
- package/dist/scanning/tech-detector.d.ts.map +1 -0
- package/dist/scanning/tech-detector.js +252 -0
- package/dist/scanning/tech-detector.js.map +1 -0
- package/dist/scanning/types.d.ts +87 -0
- package/dist/scanning/types.d.ts.map +1 -0
- package/dist/scanning/types.js +5 -0
- package/dist/scanning/types.js.map +1 -0
- package/dist/utils/child-process.d.ts +2 -0
- package/dist/utils/child-process.d.ts.map +1 -0
- package/dist/utils/child-process.js +4 -0
- package/dist/utils/child-process.js.map +1 -0
- package/dist/utils/context-classifier.d.ts +11 -0
- package/dist/utils/context-classifier.d.ts.map +1 -0
- package/dist/utils/context-classifier.js +79 -0
- package/dist/utils/context-classifier.js.map +1 -0
- package/dist/utils/exec.d.ts +18 -0
- package/dist/utils/exec.d.ts.map +1 -0
- package/dist/utils/exec.js +51 -0
- package/dist/utils/exec.js.map +1 -0
- package/dist/utils/file-filter.d.ts +4 -0
- package/dist/utils/file-filter.d.ts.map +1 -0
- package/dist/utils/file-filter.js +68 -0
- package/dist/utils/file-filter.js.map +1 -0
- package/dist/utils/fs.d.ts +2 -0
- package/dist/utils/fs.d.ts.map +1 -0
- package/dist/utils/fs.js +5 -0
- package/dist/utils/fs.js.map +1 -0
- package/dist/utils/logger.d.ts +12 -0
- package/dist/utils/logger.d.ts.map +1 -0
- package/dist/utils/logger.js +27 -0
- package/dist/utils/logger.js.map +1 -0
- package/dist/utils/post-processor.d.ts +10 -0
- package/dist/utils/post-processor.d.ts.map +1 -0
- package/dist/utils/post-processor.js +183 -0
- package/dist/utils/post-processor.js.map +1 -0
- package/package.json +44 -0
|
@@ -0,0 +1,169 @@
|
|
|
1
|
+
rules:
|
|
2
|
+
# =============================================
|
|
3
|
+
# Database Connection Security — Advanced
|
|
4
|
+
# =============================================
|
|
5
|
+
|
|
6
|
+
- id: datahogo-db-no-pool-limit
|
|
7
|
+
patterns:
|
|
8
|
+
- pattern: |
|
|
9
|
+
new Pool({...})
|
|
10
|
+
- pattern-not: |
|
|
11
|
+
new Pool({..., max: $N, ...})
|
|
12
|
+
message: >
|
|
13
|
+
Database connection pool created without max connection limit. This can lead to pool exhaustion
|
|
14
|
+
under load. Set max to an appropriate value (e.g., 20 for web apps).
|
|
15
|
+
severity: INFO
|
|
16
|
+
languages: [typescript, javascript]
|
|
17
|
+
metadata:
|
|
18
|
+
datahogo_id: 216
|
|
19
|
+
category: database-connection
|
|
20
|
+
|
|
21
|
+
- id: datahogo-db-no-timeout
|
|
22
|
+
patterns:
|
|
23
|
+
- pattern-either:
|
|
24
|
+
- patterns:
|
|
25
|
+
- pattern: |
|
|
26
|
+
new Pool({...})
|
|
27
|
+
- pattern-not: |
|
|
28
|
+
new Pool({..., connectionTimeoutMillis: $N, ...})
|
|
29
|
+
- patterns:
|
|
30
|
+
- pattern: |
|
|
31
|
+
new Client({...})
|
|
32
|
+
- pattern-not: |
|
|
33
|
+
new Client({..., connectionTimeoutMillis: $N, ...})
|
|
34
|
+
message: >
|
|
35
|
+
Database connection created without timeout. Queries or connections that hang indefinitely
|
|
36
|
+
can exhaust resources. Set connectionTimeoutMillis and statement_timeout.
|
|
37
|
+
severity: INFO
|
|
38
|
+
languages: [typescript, javascript]
|
|
39
|
+
metadata:
|
|
40
|
+
datahogo_id: 217
|
|
41
|
+
category: database-connection
|
|
42
|
+
|
|
43
|
+
- id: datahogo-mongodb-no-auth
|
|
44
|
+
patterns:
|
|
45
|
+
- pattern-regex: "mongodb://[^:@]+(?::\\d+)?/"
|
|
46
|
+
- pattern-not-regex: "mongodb://[^:]+:[^@]+@"
|
|
47
|
+
- pattern-not-regex: "mongodb://localhost"
|
|
48
|
+
- pattern-not-regex: "mongodb://127\\.0\\.0\\.1"
|
|
49
|
+
message: >
|
|
50
|
+
MongoDB connection string does not include authentication credentials and connects to a
|
|
51
|
+
non-localhost host. Ensure MongoDB requires authentication in production.
|
|
52
|
+
severity: ERROR
|
|
53
|
+
languages: [typescript, javascript]
|
|
54
|
+
metadata:
|
|
55
|
+
datahogo_id: 213
|
|
56
|
+
category: database-connection
|
|
57
|
+
|
|
58
|
+
- id: datahogo-redis-no-auth
|
|
59
|
+
patterns:
|
|
60
|
+
- pattern-either:
|
|
61
|
+
- patterns:
|
|
62
|
+
- pattern: |
|
|
63
|
+
new Redis({...})
|
|
64
|
+
- pattern-not: |
|
|
65
|
+
new Redis({..., password: $P, ...})
|
|
66
|
+
- patterns:
|
|
67
|
+
- pattern: |
|
|
68
|
+
createClient({...})
|
|
69
|
+
- pattern-not: |
|
|
70
|
+
createClient({..., password: $P, ...})
|
|
71
|
+
message: >
|
|
72
|
+
Redis client created without password authentication. Redis should always require a password,
|
|
73
|
+
especially when accessible over a network.
|
|
74
|
+
severity: WARNING
|
|
75
|
+
languages: [typescript, javascript]
|
|
76
|
+
metadata:
|
|
77
|
+
datahogo_id: 214
|
|
78
|
+
category: database-connection
|
|
79
|
+
|
|
80
|
+
# =============================================
|
|
81
|
+
# Cloud Storage & Services
|
|
82
|
+
# =============================================
|
|
83
|
+
|
|
84
|
+
- id: datahogo-s3-no-encryption
|
|
85
|
+
patterns:
|
|
86
|
+
- pattern-either:
|
|
87
|
+
- patterns:
|
|
88
|
+
- pattern: |
|
|
89
|
+
new s3.Bucket({...})
|
|
90
|
+
- pattern-not: |
|
|
91
|
+
new s3.Bucket({..., encryption: $E, ...})
|
|
92
|
+
- pattern: |
|
|
93
|
+
ServerSideEncryptionConfiguration: []
|
|
94
|
+
message: >
|
|
95
|
+
S3 bucket created without server-side encryption. Enable AES-256 or KMS encryption
|
|
96
|
+
to protect data at rest.
|
|
97
|
+
severity: INFO
|
|
98
|
+
languages: [typescript, javascript]
|
|
99
|
+
metadata:
|
|
100
|
+
datahogo_id: 227
|
|
101
|
+
category: cloud
|
|
102
|
+
|
|
103
|
+
- id: datahogo-cloud-function-no-auth
|
|
104
|
+
patterns:
|
|
105
|
+
- pattern-either:
|
|
106
|
+
- pattern: |
|
|
107
|
+
--allow-unauthenticated
|
|
108
|
+
- pattern: |
|
|
109
|
+
authorizationType: "NONE"
|
|
110
|
+
- pattern: |
|
|
111
|
+
FunctionUrlAuthType.NONE
|
|
112
|
+
message: >
|
|
113
|
+
Cloud function configured without authentication. This exposes the function publicly.
|
|
114
|
+
Use IAM authentication or API Gateway with auth for production functions.
|
|
115
|
+
severity: WARNING
|
|
116
|
+
languages: [typescript, javascript]
|
|
117
|
+
metadata:
|
|
118
|
+
datahogo_id: 226
|
|
119
|
+
category: cloud
|
|
120
|
+
|
|
121
|
+
# =============================================
|
|
122
|
+
# CI/CD Pipeline Security
|
|
123
|
+
# =============================================
|
|
124
|
+
|
|
125
|
+
- id: datahogo-gha-unpinned-action
|
|
126
|
+
pattern-regex: "uses:\\s+[\\w-]+/[\\w-]+@(?:main|master|latest|v\\d+)\\s*$"
|
|
127
|
+
message: >
|
|
128
|
+
GitHub Action uses an unpinned version (branch name or major version tag).
|
|
129
|
+
Pin to a full SHA to prevent supply chain attacks.
|
|
130
|
+
severity: WARNING
|
|
131
|
+
languages: [generic]
|
|
132
|
+
paths:
|
|
133
|
+
include:
|
|
134
|
+
- ".github/workflows/*.yml"
|
|
135
|
+
- ".github/workflows/*.yaml"
|
|
136
|
+
metadata:
|
|
137
|
+
datahogo_id: 241
|
|
138
|
+
category: cicd
|
|
139
|
+
|
|
140
|
+
- id: datahogo-gha-script-injection
|
|
141
|
+
pattern-regex: "run:.*\\$\\{\\{\\s*github\\.event\\.(?:issue|pull_request|comment|review|discussion)\\.(?:title|body|head\\.ref)"
|
|
142
|
+
message: >
|
|
143
|
+
GitHub Actions workflow injects untrusted event data directly into a shell command.
|
|
144
|
+
This enables arbitrary code execution. Use an intermediate environment variable instead.
|
|
145
|
+
severity: ERROR
|
|
146
|
+
languages: [generic]
|
|
147
|
+
paths:
|
|
148
|
+
include:
|
|
149
|
+
- ".github/workflows/*.yml"
|
|
150
|
+
- ".github/workflows/*.yaml"
|
|
151
|
+
metadata:
|
|
152
|
+
datahogo_id: 242
|
|
153
|
+
owasp: "A03:2021"
|
|
154
|
+
category: cicd
|
|
155
|
+
|
|
156
|
+
- id: datahogo-gha-permissions-too-broad
|
|
157
|
+
pattern-regex: "permissions:\\s*write-all"
|
|
158
|
+
message: >
|
|
159
|
+
Workflow uses write-all permissions. Follow least-privilege — specify only needed permissions
|
|
160
|
+
(e.g., contents: read, pull-requests: write).
|
|
161
|
+
severity: WARNING
|
|
162
|
+
languages: [generic]
|
|
163
|
+
paths:
|
|
164
|
+
include:
|
|
165
|
+
- ".github/workflows/*.yml"
|
|
166
|
+
- ".github/workflows/*.yaml"
|
|
167
|
+
metadata:
|
|
168
|
+
datahogo_id: 245
|
|
169
|
+
category: cicd
|