@datahogo/core 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (153) hide show
  1. package/LICENSE +661 -0
  2. package/README.md +17 -0
  3. package/dist/engines/config.d.ts +3 -0
  4. package/dist/engines/config.d.ts.map +1 -0
  5. package/dist/engines/config.js +433 -0
  6. package/dist/engines/config.js.map +1 -0
  7. package/dist/engines/dast.d.ts +3 -0
  8. package/dist/engines/dast.d.ts.map +1 -0
  9. package/dist/engines/dast.js +167 -0
  10. package/dist/engines/dast.js.map +1 -0
  11. package/dist/engines/db-rules.d.ts +3 -0
  12. package/dist/engines/db-rules.d.ts.map +1 -0
  13. package/dist/engines/db-rules.js +166 -0
  14. package/dist/engines/db-rules.js.map +1 -0
  15. package/dist/engines/dependencies.d.ts +3 -0
  16. package/dist/engines/dependencies.d.ts.map +1 -0
  17. package/dist/engines/dependencies.js +167 -0
  18. package/dist/engines/dependencies.js.map +1 -0
  19. package/dist/engines/github-actions.d.ts +3 -0
  20. package/dist/engines/github-actions.d.ts.map +1 -0
  21. package/dist/engines/github-actions.js +215 -0
  22. package/dist/engines/github-actions.js.map +1 -0
  23. package/dist/engines/gitleaks.d.ts +3 -0
  24. package/dist/engines/gitleaks.d.ts.map +1 -0
  25. package/dist/engines/gitleaks.js +107 -0
  26. package/dist/engines/gitleaks.js.map +1 -0
  27. package/dist/engines/npm-audit.d.ts +3 -0
  28. package/dist/engines/npm-audit.d.ts.map +1 -0
  29. package/dist/engines/npm-audit.js +113 -0
  30. package/dist/engines/npm-audit.js.map +1 -0
  31. package/dist/engines/patterns.d.ts +3 -0
  32. package/dist/engines/patterns.d.ts.map +1 -0
  33. package/dist/engines/patterns.js +1330 -0
  34. package/dist/engines/patterns.js.map +1 -0
  35. package/dist/engines/secrets.d.ts +4 -0
  36. package/dist/engines/secrets.d.ts.map +1 -0
  37. package/dist/engines/secrets.js +260 -0
  38. package/dist/engines/secrets.js.map +1 -0
  39. package/dist/engines/semgrep.d.ts +3 -0
  40. package/dist/engines/semgrep.d.ts.map +1 -0
  41. package/dist/engines/semgrep.js +173 -0
  42. package/dist/engines/semgrep.js.map +1 -0
  43. package/dist/engines/types.d.ts +30 -0
  44. package/dist/engines/types.d.ts.map +1 -0
  45. package/dist/engines/types.js +3 -0
  46. package/dist/engines/types.js.map +1 -0
  47. package/dist/engines/url-scanner.d.ts +3 -0
  48. package/dist/engines/url-scanner.d.ts.map +1 -0
  49. package/dist/engines/url-scanner.js +469 -0
  50. package/dist/engines/url-scanner.js.map +1 -0
  51. package/dist/index.d.ts +8 -0
  52. package/dist/index.d.ts.map +1 -0
  53. package/dist/index.js +8 -0
  54. package/dist/index.js.map +1 -0
  55. package/dist/orchestrator.d.ts +32 -0
  56. package/dist/orchestrator.d.ts.map +1 -0
  57. package/dist/orchestrator.js +237 -0
  58. package/dist/orchestrator.js.map +1 -0
  59. package/dist/rules/.gitkeep +0 -0
  60. package/dist/rules/ai-llm-security.yaml +199 -0
  61. package/dist/rules/api-security.yaml +489 -0
  62. package/dist/rules/auth-patterns.yaml +406 -0
  63. package/dist/rules/crypto-patterns.yaml +227 -0
  64. package/dist/rules/database-cloud-security.yaml +169 -0
  65. package/dist/rules/general-security.yaml +588 -0
  66. package/dist/rules/injection-patterns.yaml +318 -0
  67. package/dist/rules/nextjs-security.yaml +532 -0
  68. package/dist/rules/node-security.yaml +380 -0
  69. package/dist/rules/rules/.gitkeep +0 -0
  70. package/dist/rules/rules/ai-llm-security.yaml +199 -0
  71. package/dist/rules/rules/api-security.yaml +489 -0
  72. package/dist/rules/rules/auth-patterns.yaml +406 -0
  73. package/dist/rules/rules/crypto-patterns.yaml +227 -0
  74. package/dist/rules/rules/database-cloud-security.yaml +169 -0
  75. package/dist/rules/rules/general-security.yaml +588 -0
  76. package/dist/rules/rules/injection-patterns.yaml +318 -0
  77. package/dist/rules/rules/nextjs-security.yaml +532 -0
  78. package/dist/rules/rules/node-security.yaml +380 -0
  79. package/dist/rules/rules/supabase-security.yaml +387 -0
  80. package/dist/rules/supabase-security.yaml +387 -0
  81. package/dist/scanning/agents/csharp-agent.d.ts +12 -0
  82. package/dist/scanning/agents/csharp-agent.d.ts.map +1 -0
  83. package/dist/scanning/agents/csharp-agent.js +592 -0
  84. package/dist/scanning/agents/csharp-agent.js.map +1 -0
  85. package/dist/scanning/agents/go-agent.d.ts +14 -0
  86. package/dist/scanning/agents/go-agent.d.ts.map +1 -0
  87. package/dist/scanning/agents/go-agent.js +641 -0
  88. package/dist/scanning/agents/go-agent.js.map +1 -0
  89. package/dist/scanning/agents/java-agent.d.ts +8 -0
  90. package/dist/scanning/agents/java-agent.d.ts.map +1 -0
  91. package/dist/scanning/agents/java-agent.js +807 -0
  92. package/dist/scanning/agents/java-agent.js.map +1 -0
  93. package/dist/scanning/agents/javascript-agent.d.ts +8 -0
  94. package/dist/scanning/agents/javascript-agent.d.ts.map +1 -0
  95. package/dist/scanning/agents/javascript-agent.js +77 -0
  96. package/dist/scanning/agents/javascript-agent.js.map +1 -0
  97. package/dist/scanning/agents/mobile-agent.d.ts +8 -0
  98. package/dist/scanning/agents/mobile-agent.d.ts.map +1 -0
  99. package/dist/scanning/agents/mobile-agent.js +916 -0
  100. package/dist/scanning/agents/mobile-agent.js.map +1 -0
  101. package/dist/scanning/agents/php-agent.d.ts +8 -0
  102. package/dist/scanning/agents/php-agent.d.ts.map +1 -0
  103. package/dist/scanning/agents/php-agent.js +679 -0
  104. package/dist/scanning/agents/php-agent.js.map +1 -0
  105. package/dist/scanning/agents/python-agent.d.ts +8 -0
  106. package/dist/scanning/agents/python-agent.d.ts.map +1 -0
  107. package/dist/scanning/agents/python-agent.js +701 -0
  108. package/dist/scanning/agents/python-agent.js.map +1 -0
  109. package/dist/scanning/agents/supabase-agent.d.ts +8 -0
  110. package/dist/scanning/agents/supabase-agent.d.ts.map +1 -0
  111. package/dist/scanning/agents/supabase-agent.js +484 -0
  112. package/dist/scanning/agents/supabase-agent.js.map +1 -0
  113. package/dist/scanning/orchestrator.d.ts +29 -0
  114. package/dist/scanning/orchestrator.d.ts.map +1 -0
  115. package/dist/scanning/orchestrator.js +186 -0
  116. package/dist/scanning/orchestrator.js.map +1 -0
  117. package/dist/scanning/tech-detector.d.ts +12 -0
  118. package/dist/scanning/tech-detector.d.ts.map +1 -0
  119. package/dist/scanning/tech-detector.js +252 -0
  120. package/dist/scanning/tech-detector.js.map +1 -0
  121. package/dist/scanning/types.d.ts +87 -0
  122. package/dist/scanning/types.d.ts.map +1 -0
  123. package/dist/scanning/types.js +5 -0
  124. package/dist/scanning/types.js.map +1 -0
  125. package/dist/utils/child-process.d.ts +2 -0
  126. package/dist/utils/child-process.d.ts.map +1 -0
  127. package/dist/utils/child-process.js +4 -0
  128. package/dist/utils/child-process.js.map +1 -0
  129. package/dist/utils/context-classifier.d.ts +11 -0
  130. package/dist/utils/context-classifier.d.ts.map +1 -0
  131. package/dist/utils/context-classifier.js +79 -0
  132. package/dist/utils/context-classifier.js.map +1 -0
  133. package/dist/utils/exec.d.ts +18 -0
  134. package/dist/utils/exec.d.ts.map +1 -0
  135. package/dist/utils/exec.js +51 -0
  136. package/dist/utils/exec.js.map +1 -0
  137. package/dist/utils/file-filter.d.ts +4 -0
  138. package/dist/utils/file-filter.d.ts.map +1 -0
  139. package/dist/utils/file-filter.js +68 -0
  140. package/dist/utils/file-filter.js.map +1 -0
  141. package/dist/utils/fs.d.ts +2 -0
  142. package/dist/utils/fs.d.ts.map +1 -0
  143. package/dist/utils/fs.js +5 -0
  144. package/dist/utils/fs.js.map +1 -0
  145. package/dist/utils/logger.d.ts +12 -0
  146. package/dist/utils/logger.d.ts.map +1 -0
  147. package/dist/utils/logger.js +27 -0
  148. package/dist/utils/logger.js.map +1 -0
  149. package/dist/utils/post-processor.d.ts +10 -0
  150. package/dist/utils/post-processor.d.ts.map +1 -0
  151. package/dist/utils/post-processor.js +183 -0
  152. package/dist/utils/post-processor.js.map +1 -0
  153. package/package.json +44 -0
@@ -0,0 +1,469 @@
1
+ // URL scanner engine - checks deployed app for security headers, SSL, cookies
2
+ // Makes HTTP requests to the target URL and analyzes the response
3
+ const HEADER_CHECKS = [
4
+ {
5
+ id: 63,
6
+ header: "content-security-policy",
7
+ name: "Missing Content Security Policy",
8
+ severity: "medium",
9
+ expectedPresent: true,
10
+ category: "headers",
11
+ },
12
+ {
13
+ id: 64,
14
+ header: "x-frame-options",
15
+ name: "Missing X-Frame-Options",
16
+ severity: "medium",
17
+ expectedPresent: true,
18
+ category: "headers",
19
+ },
20
+ {
21
+ id: 65,
22
+ header: "x-content-type-options",
23
+ name: "Missing X-Content-Type-Options",
24
+ severity: "low",
25
+ expectedPresent: true,
26
+ category: "headers",
27
+ },
28
+ {
29
+ id: 66,
30
+ header: "strict-transport-security",
31
+ name: "Missing HSTS Header",
32
+ severity: "medium",
33
+ expectedPresent: true,
34
+ category: "headers",
35
+ },
36
+ {
37
+ id: 251,
38
+ header: "referrer-policy",
39
+ name: "Missing Referrer-Policy Header",
40
+ severity: "low",
41
+ expectedPresent: true,
42
+ category: "headers",
43
+ },
44
+ ];
45
+ export async function scanUrl(appUrl) {
46
+ const findings = [];
47
+ try {
48
+ // Fetch the URL with a timeout
49
+ const controller = new AbortController();
50
+ const timeout = setTimeout(() => controller.abort(), 10000);
51
+ const response = await fetch(appUrl, {
52
+ method: "GET",
53
+ redirect: "follow",
54
+ signal: controller.signal,
55
+ headers: {
56
+ "User-Agent": "DataHogo-Scanner/1.0",
57
+ },
58
+ });
59
+ clearTimeout(timeout);
60
+ const body = (await response.text()).substring(0, 512_000);
61
+ const finalUrl = response.url || appUrl;
62
+ // Check security headers
63
+ for (const check of HEADER_CHECKS) {
64
+ const headerValue = response.headers.get(check.header);
65
+ if (check.expectedPresent && !headerValue) {
66
+ findings.push({
67
+ vulnerability_id: check.id,
68
+ severity: check.severity,
69
+ category: check.category,
70
+ title: check.name,
71
+ description_technical: `The ${check.header} header is not set on ${appUrl}`,
72
+ code_snippet: `Response headers missing: ${check.header}`,
73
+ status: "open",
74
+ });
75
+ }
76
+ if (headerValue && check.valuePredicate && !check.valuePredicate(headerValue)) {
77
+ findings.push({
78
+ vulnerability_id: check.id,
79
+ severity: check.severity,
80
+ category: check.category,
81
+ title: check.name,
82
+ description_technical: `The ${check.header} header has a weak value: ${headerValue}`,
83
+ code_snippet: `${check.header}: ${headerValue}`,
84
+ status: "open",
85
+ });
86
+ }
87
+ }
88
+ // Deep CSP analysis (when header IS present)
89
+ const csp = response.headers.get("content-security-policy");
90
+ if (csp) {
91
+ analyzeCspPolicy(csp, findings);
92
+ }
93
+ // Server version disclosure
94
+ const serverHeader = response.headers.get("server");
95
+ if (serverHeader && /\d+\.\d+/.test(serverHeader)) {
96
+ findings.push({
97
+ vulnerability_id: 4,
98
+ severity: "low",
99
+ category: "headers",
100
+ title: "Server Version Disclosed",
101
+ description_technical: `The Server header reveals version info: ${serverHeader}`,
102
+ code_snippet: `Server: ${serverHeader}`,
103
+ owasp_ref: "A05:2021",
104
+ status: "open",
105
+ });
106
+ }
107
+ // X-Powered-By disclosure
108
+ const poweredBy = response.headers.get("x-powered-by");
109
+ if (poweredBy) {
110
+ findings.push({
111
+ vulnerability_id: 4,
112
+ severity: "low",
113
+ category: "headers",
114
+ title: "X-Powered-By Header Disclosed",
115
+ description_technical: `The X-Powered-By header reveals technology: ${poweredBy}`,
116
+ code_snippet: `X-Powered-By: ${poweredBy}`,
117
+ owasp_ref: "A05:2021",
118
+ status: "open",
119
+ });
120
+ }
121
+ // Check cookies
122
+ const setCookieHeaders = response.headers.getSetCookie?.() ?? [];
123
+ for (const cookie of setCookieHeaders) {
124
+ // Extract just the cookie name (everything before the first '=')
125
+ const cookieName = cookie.split("=")[0].trim();
126
+ // Skip cookies managed by frameworks that intentionally omit HttpOnly because
127
+ // client-side JS must read them (Supabase Auth for session refresh, next-intl
128
+ // for locale sync via <Link>). Flagging these creates noise, not actionable findings.
129
+ const isFrameworkCookie = cookieName.startsWith("sb-") ||
130
+ cookieName.startsWith("__supabase") ||
131
+ cookieName === "NEXT_LOCALE";
132
+ if (isFrameworkCookie)
133
+ continue;
134
+ if (!cookie.toLowerCase().includes("secure")) {
135
+ findings.push({
136
+ vulnerability_id: 67,
137
+ severity: "medium",
138
+ category: "headers",
139
+ title: "Cookie Without Secure Flag",
140
+ code_snippet: maskCookieValue(cookie),
141
+ status: "open",
142
+ });
143
+ }
144
+ if (!cookie.toLowerCase().includes("httponly")) {
145
+ findings.push({
146
+ vulnerability_id: 68,
147
+ severity: "medium",
148
+ category: "headers",
149
+ title: "Cookie Without HttpOnly Flag",
150
+ code_snippet: maskCookieValue(cookie),
151
+ status: "open",
152
+ });
153
+ }
154
+ if (!cookie.toLowerCase().includes("samesite")) {
155
+ findings.push({
156
+ vulnerability_id: 69,
157
+ severity: "medium",
158
+ category: "headers",
159
+ title: "Cookie Without SameSite Attribute",
160
+ code_snippet: maskCookieValue(cookie),
161
+ status: "open",
162
+ });
163
+ }
164
+ }
165
+ // Check if source maps are accessible
166
+ await checkSourceMaps(appUrl, findings);
167
+ // Check for exposed API docs
168
+ await checkExposedEndpoints(appUrl, findings);
169
+ // Check HTTP to HTTPS redirect
170
+ if (appUrl.startsWith("https://")) {
171
+ const httpUrl = appUrl.replace("https://", "http://");
172
+ try {
173
+ const httpResponse = await fetch(httpUrl, {
174
+ method: "HEAD",
175
+ redirect: "manual",
176
+ signal: AbortSignal.timeout(5000),
177
+ });
178
+ const location = httpResponse.headers.get("location");
179
+ if (!location || !location.startsWith("https://")) {
180
+ findings.push({
181
+ vulnerability_id: 66,
182
+ severity: "medium",
183
+ category: "headers",
184
+ title: "HTTP Does Not Redirect to HTTPS",
185
+ description_technical: `${httpUrl} does not redirect to HTTPS`,
186
+ status: "open",
187
+ });
188
+ }
189
+ }
190
+ catch {
191
+ // HTTP not accessible - that's fine
192
+ }
193
+ }
194
+ // Mixed Content (ID 252) — HTTPS page loading HTTP subresources
195
+ if (finalUrl.startsWith("https://")) {
196
+ const mixedMatches = [...body.matchAll(/(src|href|action)\s*=\s*["']http:\/\/[^"']+["']/gi)]
197
+ .filter((m) => !m[0].includes("http://www.w3.org") && !m[0].includes("http://xmlns"))
198
+ .slice(0, 3);
199
+ if (mixedMatches.length > 0) {
200
+ findings.push({
201
+ vulnerability_id: 252,
202
+ severity: "medium",
203
+ category: "headers",
204
+ title: "Mixed Content Detected",
205
+ description_technical: `HTTPS page loads subresources over HTTP, exposing them to interception`,
206
+ code_snippet: mixedMatches.map((m) => m[0]).join("\n"),
207
+ owasp_ref: "A05:2021",
208
+ status: "open",
209
+ });
210
+ }
211
+ }
212
+ // Form Action Insecure (ID 253) — forms posting over HTTP from an HTTPS page
213
+ if (finalUrl.startsWith("https://")) {
214
+ const formMatches = [...body.matchAll(/<form[^>]*action\s*=\s*["']http:\/\/[^"']+["'][^>]*>/gi)]
215
+ .slice(0, 3);
216
+ if (formMatches.length > 0) {
217
+ findings.push({
218
+ vulnerability_id: 253,
219
+ severity: "medium",
220
+ category: "headers",
221
+ title: "Form Action Uses Insecure HTTP URL",
222
+ description_technical: `One or more HTML forms post data to an HTTP URL, exposing submitted data in transit`,
223
+ code_snippet: formMatches.map((m) => m[0]).join("\n"),
224
+ status: "open",
225
+ });
226
+ }
227
+ }
228
+ // Protocol-Relative Links (ID 254)
229
+ const protoRelativeMatches = [...body.matchAll(/(src|href)\s*=\s*["']\/\/[^"']+["']/gi)]
230
+ .slice(0, 3);
231
+ if (protoRelativeMatches.length > 0) {
232
+ findings.push({
233
+ vulnerability_id: 254,
234
+ severity: "low",
235
+ category: "headers",
236
+ title: "Protocol-Relative Links Detected",
237
+ description_technical: `Page uses protocol-relative URLs (//example.com), which inherit the page protocol and can load resources over HTTP`,
238
+ code_snippet: protoRelativeMatches.map((m) => m[0]).join("\n"),
239
+ status: "open",
240
+ });
241
+ }
242
+ // Bad Content-Type (ID 255)
243
+ const contentType = response.headers.get("content-type");
244
+ const urlPath = (() => {
245
+ try {
246
+ return new URL(finalUrl).pathname;
247
+ }
248
+ catch {
249
+ return finalUrl;
250
+ }
251
+ })();
252
+ const isLikelyHtmlPage = urlPath === "/" ||
253
+ urlPath === "" ||
254
+ urlPath.endsWith(".html") ||
255
+ urlPath.endsWith(".htm") ||
256
+ !urlPath.includes(".");
257
+ if (isLikelyHtmlPage) {
258
+ if (!contentType) {
259
+ findings.push({
260
+ vulnerability_id: 255,
261
+ severity: "low",
262
+ category: "headers",
263
+ title: "Missing Content-Type Header",
264
+ description_technical: `The response does not include a Content-Type header, leaving browsers to sniff the content type`,
265
+ code_snippet: `Content-Type header absent for ${finalUrl}`,
266
+ status: "open",
267
+ });
268
+ }
269
+ else if (!contentType.includes("text/html")) {
270
+ findings.push({
271
+ vulnerability_id: 255,
272
+ severity: "low",
273
+ category: "headers",
274
+ title: "Unexpected Content-Type for Web Page",
275
+ description_technical: `Expected text/html for this URL but received: ${contentType}`,
276
+ code_snippet: `Content-Type: ${contentType}`,
277
+ status: "open",
278
+ });
279
+ }
280
+ }
281
+ }
282
+ catch (error) {
283
+ // URL unreachable - not a finding, just means we can't scan
284
+ // The caller should handle this gracefully
285
+ }
286
+ return findings;
287
+ }
288
+ async function checkSourceMaps(baseUrl, findings) {
289
+ const mapPaths = [
290
+ "/_next/static/chunks/main.js.map",
291
+ "/static/js/main.js.map",
292
+ "/bundle.js.map",
293
+ ];
294
+ for (const path of mapPaths) {
295
+ try {
296
+ const response = await fetch(`${baseUrl}${path}`, {
297
+ method: "HEAD",
298
+ signal: AbortSignal.timeout(5000),
299
+ });
300
+ if (response.ok) {
301
+ findings.push({
302
+ vulnerability_id: 49,
303
+ severity: "medium",
304
+ category: "react-nextjs",
305
+ title: "Source Maps Accessible in Production",
306
+ description_technical: `Source map file accessible at ${path}`,
307
+ code_snippet: `GET ${path} → ${response.status}`,
308
+ status: "open",
309
+ });
310
+ break; // One finding is enough
311
+ }
312
+ }
313
+ catch {
314
+ // Not accessible - good
315
+ }
316
+ }
317
+ }
318
+ async function checkExposedEndpoints(baseUrl, findings) {
319
+ const endpoints = [
320
+ { path: "/swagger", id: 94, severity: "low" },
321
+ { path: "/api-docs", id: 94, severity: "low" },
322
+ { path: "/swagger-ui.html", id: 94, severity: "low" },
323
+ { path: "/graphql", id: 95, severity: "low" },
324
+ { path: "/debug", id: 116, severity: "medium" },
325
+ { path: "/_debug", id: 116, severity: "medium" },
326
+ { path: "/.env", id: 62, severity: "critical" },
327
+ { path: "/.git/HEAD", id: 62, severity: "critical" },
328
+ { path: "/.git/config", id: 62, severity: "critical" },
329
+ { path: "/server-status", id: 116, severity: "medium" },
330
+ { path: "/server-info", id: 116, severity: "medium" },
331
+ { path: "/actuator", id: 116, severity: "medium" },
332
+ { path: "/actuator/health", id: 116, severity: "low" },
333
+ { path: "/phpinfo.php", id: 116, severity: "medium" },
334
+ { path: "/wp-admin", id: 116, severity: "low" },
335
+ { path: "/wp-login.php", id: 116, severity: "low" },
336
+ { path: "/.DS_Store", id: 99, severity: "low" },
337
+ { path: "/robots.txt", id: 99, severity: "info" },
338
+ ];
339
+ for (const endpoint of endpoints) {
340
+ try {
341
+ const response = await fetch(`${baseUrl}${endpoint.path}`, {
342
+ method: "GET",
343
+ signal: AbortSignal.timeout(5000),
344
+ headers: { "User-Agent": "DataHogo-Scanner/1.0" },
345
+ });
346
+ if (response.ok) {
347
+ findings.push({
348
+ vulnerability_id: endpoint.id,
349
+ severity: endpoint.severity,
350
+ category: endpoint.id === 62 ? "vibecoding" : endpoint.id === 95 ? "api" : "config",
351
+ title: `Exposed Endpoint: ${endpoint.path}`,
352
+ description_technical: `${endpoint.path} is publicly accessible and returned HTTP ${response.status}`,
353
+ code_snippet: `GET ${endpoint.path} → ${response.status} OK`,
354
+ owasp_ref: endpoint.id === 62 ? "A07:2021" : "A05:2021",
355
+ status: "open",
356
+ });
357
+ }
358
+ }
359
+ catch {
360
+ // Not accessible - fine
361
+ }
362
+ }
363
+ // CORS preflight test — check if server reflects arbitrary origins
364
+ await checkCorsPreflight(baseUrl, findings);
365
+ }
366
+ function maskCookieValue(cookie) {
367
+ // Mask the cookie value, keep the name and attributes
368
+ return cookie.replace(/=([^;]{10,})/, "=***REDACTED***");
369
+ }
370
+ function analyzeCspPolicy(csp, findings) {
371
+ const directives = csp.split(";").map((d) => d.trim().toLowerCase());
372
+ for (const directive of directives) {
373
+ // Check for unsafe-inline in script-src
374
+ if (directive.startsWith("script-src") && directive.includes("'unsafe-inline'")) {
375
+ findings.push({
376
+ vulnerability_id: 63,
377
+ severity: "medium",
378
+ category: "headers",
379
+ title: "CSP Allows unsafe-inline Scripts",
380
+ description_technical: "Content-Security-Policy script-src includes 'unsafe-inline', enabling inline script execution",
381
+ code_snippet: directive,
382
+ owasp_ref: "A05:2021",
383
+ status: "open",
384
+ });
385
+ }
386
+ // Check for unsafe-eval in script-src
387
+ if (directive.startsWith("script-src") && directive.includes("'unsafe-eval'")) {
388
+ findings.push({
389
+ vulnerability_id: 63,
390
+ severity: "high",
391
+ category: "headers",
392
+ title: "CSP Allows unsafe-eval Scripts",
393
+ description_technical: "Content-Security-Policy script-src includes 'unsafe-eval', enabling eval() execution",
394
+ code_snippet: directive,
395
+ owasp_ref: "A05:2021",
396
+ status: "open",
397
+ });
398
+ }
399
+ // Check for wildcard in any source directive
400
+ if (directive.includes(" *") && !directive.includes("*.")) {
401
+ findings.push({
402
+ vulnerability_id: 63,
403
+ severity: "medium",
404
+ category: "headers",
405
+ title: "CSP Contains Wildcard Source",
406
+ description_technical: "Content-Security-Policy contains a wildcard (*) source, allowing resources from any origin",
407
+ code_snippet: directive,
408
+ owasp_ref: "A05:2021",
409
+ status: "open",
410
+ });
411
+ }
412
+ }
413
+ // Check for missing frame-ancestors (clickjacking protection)
414
+ const hasFrameAncestors = directives.some((d) => d.startsWith("frame-ancestors"));
415
+ if (!hasFrameAncestors) {
416
+ findings.push({
417
+ vulnerability_id: 64,
418
+ severity: "low",
419
+ category: "headers",
420
+ title: "CSP Missing frame-ancestors Directive",
421
+ description_technical: "Content-Security-Policy does not include frame-ancestors, relying on X-Frame-Options for clickjacking protection",
422
+ code_snippet: `CSP: ${csp.substring(0, 200)}${csp.length > 200 ? "..." : ""}`,
423
+ status: "open",
424
+ });
425
+ }
426
+ }
427
+ async function checkCorsPreflight(baseUrl, findings) {
428
+ try {
429
+ const response = await fetch(baseUrl, {
430
+ method: "OPTIONS",
431
+ signal: AbortSignal.timeout(5000),
432
+ headers: {
433
+ "User-Agent": "DataHogo-Scanner/1.0",
434
+ Origin: "https://evil-attacker.com",
435
+ "Access-Control-Request-Method": "GET",
436
+ },
437
+ });
438
+ const allowOrigin = response.headers.get("access-control-allow-origin");
439
+ if (allowOrigin === "*" || allowOrigin === "https://evil-attacker.com") {
440
+ findings.push({
441
+ vulnerability_id: 4,
442
+ severity: "medium",
443
+ category: "headers",
444
+ title: "CORS Reflects Arbitrary Origins",
445
+ description_technical: `Server reflects arbitrary Origin in Access-Control-Allow-Origin: ${allowOrigin}`,
446
+ code_snippet: `OPTIONS ${baseUrl}\nOrigin: https://evil-attacker.com\n→ Access-Control-Allow-Origin: ${allowOrigin}`,
447
+ owasp_ref: "A05:2021",
448
+ status: "open",
449
+ });
450
+ }
451
+ const allowCredentials = response.headers.get("access-control-allow-credentials");
452
+ if (allowCredentials === "true" && (allowOrigin === "*" || allowOrigin === "https://evil-attacker.com")) {
453
+ findings.push({
454
+ vulnerability_id: 4,
455
+ severity: "high",
456
+ category: "headers",
457
+ title: "CORS Allows Credentials from Any Origin",
458
+ description_technical: "Server allows credentials (cookies) from arbitrary origins — critical cross-origin data theft risk",
459
+ code_snippet: `Access-Control-Allow-Origin: ${allowOrigin}\nAccess-Control-Allow-Credentials: true`,
460
+ owasp_ref: "A05:2021",
461
+ status: "open",
462
+ });
463
+ }
464
+ }
465
+ catch {
466
+ // CORS preflight not supported or request failed — fine
467
+ }
468
+ }
469
+ //# sourceMappingURL=url-scanner.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"url-scanner.js","sourceRoot":"","sources":["../../src/engines/url-scanner.ts"],"names":[],"mappings":"AAAA,8EAA8E;AAC9E,kEAAkE;AAclE,MAAM,aAAa,GAAkB;IACnC;QACE,EAAE,EAAE,EAAE;QACN,MAAM,EAAE,yBAAyB;QACjC,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,QAAQ;QAClB,eAAe,EAAE,IAAI;QACrB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,EAAE,EAAE,EAAE;QACN,MAAM,EAAE,iBAAiB;QACzB,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,QAAQ;QAClB,eAAe,EAAE,IAAI;QACrB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,EAAE,EAAE,EAAE;QACN,MAAM,EAAE,wBAAwB;QAChC,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,KAAK;QACf,eAAe,EAAE,IAAI;QACrB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,EAAE,EAAE,EAAE;QACN,MAAM,EAAE,2BAA2B;QACnC,IAAI,EAAE,qBAAqB;QAC3B,QAAQ,EAAE,QAAQ;QAClB,eAAe,EAAE,IAAI;QACrB,QAAQ,EAAE,SAAS;KACpB;IACD;QACE,EAAE,EAAE,GAAG;QACP,MAAM,EAAE,iBAAiB;QACzB,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,KAAK;QACf,eAAe,EAAE,IAAI;QACrB,QAAQ,EAAE,SAAS;KACpB;CACF,CAAC;AAEF,MAAM,CAAC,KAAK,UAAU,OAAO,CAAC,MAAc;IAC1C,MAAM,QAAQ,GAAkB,EAAE,CAAC;IAEnC,IAAI,CAAC;QACH,+BAA+B;QAC/B,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;QACzC,MAAM,OAAO,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,KAAK,CAAC,CAAC;QAE5D,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,MAAM,EAAE;YACnC,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,QAAQ;YAClB,MAAM,EAAE,UAAU,CAAC,MAAM;YACzB,OAAO,EAAE;gBACP,YAAY,EAAE,sBAAsB;aACrC;SACF,CAAC,CAAC;QAEH,YAAY,CAAC,OAAO,CAAC,CAAC;QAEtB,MAAM,IAAI,GAAG,CAAC,MAAM,QAAQ,CAAC,IAAI,EAAE,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,OAAO,CAAC,CAAC;QAC3D,MAAM,QAAQ,GAAG,QAAQ,CAAC,GAAG,IAAI,MAAM,CAAC;QAExC,yBAAyB;QACzB,KAAK,MAAM,KAAK,IAAI,aAAa,EAAE,CAAC;YAClC,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC;YAEvD,IAAI,KAAK,CAAC,eAAe,IAAI,CAAC,WAAW,EAAE,CAAC;gBAC1C,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,KAAK,CAAC,EAAE;oBAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,KAAK,EAAE,KAAK,CAAC,IAAI;oBACjB,qBAAqB,EAAE,OAAO,KAAK,CAAC,MAAM,yBAAyB,MAAM,EAAE;oBAC3E,YAAY,EAAE,6BAA6B,KAAK,CAAC,MAAM,EAAE;oBACzD,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;YAED,IAAI,WAAW,IAAI,KAAK,CAAC,cAAc,IAAI,CAAC,KAAK,CAAC,cAAc,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC9E,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,KAAK,CAAC,EAAE;oBAC1B,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,QAAQ,EAAE,KAAK,CAAC,QAAQ;oBACxB,KAAK,EAAE,KAAK,CAAC,IAAI;oBACjB,qBAAqB,EAAE,OAAO,KAAK,CAAC,MAAM,6BAA6B,WAAW,EAAE;oBACpF,YAAY,EAAE,GAAG,KAAK,CAAC,MAAM,KAAK,WAAW,EAAE;oBAC/C,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,6CAA6C;QAC7C,MAAM,GAAG,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,yBAAyB,CAAC,CAAC;QAC5D,IAAI,GAAG,EAAE,CAAC;YACR,gBAAgB,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QAClC,CAAC;QAED,4BAA4B;QAC5B,MAAM,YAAY,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;QACpD,IAAI,YAAY,IAAI,UAAU,CAAC,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YAClD,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,CAAC;gBACnB,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,0BAA0B;gBACjC,qBAAqB,EAAE,2CAA2C,YAAY,EAAE;gBAChF,YAAY,EAAE,WAAW,YAAY,EAAE;gBACvC,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;QAED,0BAA0B;QAC1B,MAAM,SAAS,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACvD,IAAI,SAAS,EAAE,CAAC;YACd,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,CAAC;gBACnB,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,+BAA+B;gBACtC,qBAAqB,EAAE,+CAA+C,SAAS,EAAE;gBACjF,YAAY,EAAE,iBAAiB,SAAS,EAAE;gBAC1C,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;QAED,gBAAgB;QAChB,MAAM,gBAAgB,GAAG,QAAQ,CAAC,OAAO,CAAC,YAAY,EAAE,EAAE,IAAI,EAAE,CAAC;QACjE,KAAK,MAAM,MAAM,IAAI,gBAAgB,EAAE,CAAC;YACtC,iEAAiE;YACjE,MAAM,UAAU,GAAG,MAAM,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAE/C,8EAA8E;YAC9E,8EAA8E;YAC9E,sFAAsF;YACtF,MAAM,iBAAiB,GACrB,UAAU,CAAC,UAAU,CAAC,KAAK,CAAC;gBAC5B,UAAU,CAAC,UAAU,CAAC,YAAY,CAAC;gBACnC,UAAU,KAAK,aAAa,CAAC;YAE/B,IAAI,iBAAiB;gBAAE,SAAS;YAEhC,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;gBAC7C,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,EAAE;oBACpB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,4BAA4B;oBACnC,YAAY,EAAE,eAAe,CAAC,MAAM,CAAC;oBACrC,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;YAED,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC/C,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,EAAE;oBACpB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,8BAA8B;oBACrC,YAAY,EAAE,eAAe,CAAC,MAAM,CAAC;oBACrC,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;YACD,IAAI,CAAC,MAAM,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBAC/C,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,EAAE;oBACpB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,mCAAmC;oBAC1C,YAAY,EAAE,eAAe,CAAC,MAAM,CAAC;oBACrC,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,sCAAsC;QACtC,MAAM,eAAe,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAExC,6BAA6B;QAC7B,MAAM,qBAAqB,CAAC,MAAM,EAAE,QAAQ,CAAC,CAAC;QAE9C,+BAA+B;QAC/B,IAAI,MAAM,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,MAAM,CAAC,OAAO,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC;YACtD,IAAI,CAAC;gBACH,MAAM,YAAY,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;oBACxC,MAAM,EAAE,MAAM;oBACd,QAAQ,EAAE,QAAQ;oBAClB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;iBAClC,CAAC,CAAC;gBACH,MAAM,QAAQ,GAAG,YAAY,CAAC,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,CAAC;gBACtD,IAAI,CAAC,QAAQ,IAAI,CAAC,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;oBAClD,QAAQ,CAAC,IAAI,CAAC;wBACZ,gBAAgB,EAAE,EAAE;wBACpB,QAAQ,EAAE,QAAQ;wBAClB,QAAQ,EAAE,SAAS;wBACnB,KAAK,EAAE,iCAAiC;wBACxC,qBAAqB,EAAE,GAAG,OAAO,6BAA6B;wBAC9D,MAAM,EAAE,MAAM;qBACf,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,oCAAoC;YACtC,CAAC;QACH,CAAC;QAED,gEAAgE;QAChE,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,MAAM,YAAY,GAAG,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,mDAAmD,CAAC,CAAC;iBACzF,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,mBAAmB,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CAAC;iBACpF,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACf,IAAI,YAAY,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5B,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,GAAG;oBACrB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,wBAAwB;oBAC/B,qBAAqB,EAAE,wEAAwE;oBAC/F,YAAY,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtD,SAAS,EAAE,UAAU;oBACrB,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,6EAA6E;QAC7E,IAAI,QAAQ,CAAC,UAAU,CAAC,UAAU,CAAC,EAAE,CAAC;YACpC,MAAM,WAAW,GAAG,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,wDAAwD,CAAC,CAAC;iBAC7F,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;YACf,IAAI,WAAW,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC3B,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,GAAG;oBACrB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,oCAAoC;oBAC3C,qBAAqB,EAAE,qFAAqF;oBAC5G,YAAY,EAAE,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;oBACrD,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAED,mCAAmC;QACnC,MAAM,oBAAoB,GAAG,CAAC,GAAG,IAAI,CAAC,QAAQ,CAAC,uCAAuC,CAAC,CAAC;aACrF,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;QACf,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACpC,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,GAAG;gBACrB,QAAQ,EAAE,KAAK;gBACf,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,kCAAkC;gBACzC,qBAAqB,EAAE,oHAAoH;gBAC3I,YAAY,EAAE,oBAAoB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC9D,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;QAED,4BAA4B;QAC5B,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,CAAC;QACzD,MAAM,OAAO,GAAG,CAAC,GAAG,EAAE;YACpB,IAAI,CAAC;gBACH,OAAO,IAAI,GAAG,CAAC,QAAQ,CAAC,CAAC,QAAQ,CAAC;YACpC,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,QAAQ,CAAC;YAClB,CAAC;QACH,CAAC,CAAC,EAAE,CAAC;QACL,MAAM,gBAAgB,GACpB,OAAO,KAAK,GAAG;YACf,OAAO,KAAK,EAAE;YACd,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC;YACzB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAC;YACxB,CAAC,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC;QACzB,IAAI,gBAAgB,EAAE,CAAC;YACrB,IAAI,CAAC,WAAW,EAAE,CAAC;gBACjB,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,GAAG;oBACrB,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,6BAA6B;oBACpC,qBAAqB,EAAE,iGAAiG;oBACxH,YAAY,EAAE,kCAAkC,QAAQ,EAAE;oBAC1D,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;iBAAM,IAAI,CAAC,WAAW,CAAC,QAAQ,CAAC,WAAW,CAAC,EAAE,CAAC;gBAC9C,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,GAAG;oBACrB,QAAQ,EAAE,KAAK;oBACf,QAAQ,EAAE,SAAS;oBACnB,KAAK,EAAE,sCAAsC;oBAC7C,qBAAqB,EAAE,iDAAiD,WAAW,EAAE;oBACrF,YAAY,EAAE,iBAAiB,WAAW,EAAE;oBAC5C,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;IAEH,CAAC;IAAC,OAAO,KAAK,EAAE,CAAC;QACf,4DAA4D;QAC5D,2CAA2C;IAC7C,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,OAAe,EAAE,QAAuB;IACrE,MAAM,QAAQ,GAAG;QACf,kCAAkC;QAClC,wBAAwB;QACxB,gBAAgB;KACjB,CAAC;IAEF,KAAK,MAAM,IAAI,IAAI,QAAQ,EAAE,CAAC;QAC5B,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,GAAG,IAAI,EAAE,EAAE;gBAChD,MAAM,EAAE,MAAM;gBACd,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;aAClC,CAAC,CAAC;YACH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,EAAE;oBACpB,QAAQ,EAAE,QAAQ;oBAClB,QAAQ,EAAE,cAAc;oBACxB,KAAK,EAAE,sCAAsC;oBAC7C,qBAAqB,EAAE,iCAAiC,IAAI,EAAE;oBAC9D,YAAY,EAAE,OAAO,IAAI,MAAM,QAAQ,CAAC,MAAM,EAAE;oBAChD,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;gBACH,MAAM,CAAC,wBAAwB;YACjC,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;AACH,CAAC;AAED,KAAK,UAAU,qBAAqB,CAAC,OAAe,EAAE,QAAuB;IAC3E,MAAM,SAAS,GAAG;QAChB,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAc,EAAE;QACtD,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAc,EAAE;QACvD,EAAE,IAAI,EAAE,kBAAkB,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAc,EAAE;QAC9D,EAAE,IAAI,EAAE,UAAU,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAc,EAAE;QACtD,EAAE,IAAI,EAAE,QAAQ,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAiB,EAAE;QACxD,EAAE,IAAI,EAAE,SAAS,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAiB,EAAE;QACzD,EAAE,IAAI,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,UAAmB,EAAE;QACxD,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,UAAmB,EAAE;QAC7D,EAAE,IAAI,EAAE,cAAc,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,UAAmB,EAAE;QAC/D,EAAE,IAAI,EAAE,gBAAgB,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAiB,EAAE;QAChE,EAAE,IAAI,EAAE,cAAc,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAiB,EAAE;QAC9D,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAiB,EAAE;QAC3D,EAAE,IAAI,EAAE,kBAAkB,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAc,EAAE;QAC/D,EAAE,IAAI,EAAE,cAAc,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,QAAiB,EAAE;QAC9D,EAAE,IAAI,EAAE,WAAW,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAc,EAAE;QACxD,EAAE,IAAI,EAAE,eAAe,EAAE,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE,KAAc,EAAE;QAC5D,EAAE,IAAI,EAAE,YAAY,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,KAAc,EAAE;QACxD,EAAE,IAAI,EAAE,aAAa,EAAE,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE,MAAe,EAAE;KAC3D,CAAC;IAEF,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,GAAG,QAAQ,CAAC,IAAI,EAAE,EAAE;gBACzD,MAAM,EAAE,KAAK;gBACb,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;gBACjC,OAAO,EAAE,EAAE,YAAY,EAAE,sBAAsB,EAAE;aAClD,CAAC,CAAC;YACH,IAAI,QAAQ,CAAC,EAAE,EAAE,CAAC;gBAChB,QAAQ,CAAC,IAAI,CAAC;oBACZ,gBAAgB,EAAE,QAAQ,CAAC,EAAE;oBAC7B,QAAQ,EAAE,QAAQ,CAAC,QAAQ;oBAC3B,QAAQ,EAAE,QAAQ,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,YAAY,CAAC,CAAC,CAAC,QAAQ,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,QAAQ;oBACnF,KAAK,EAAE,qBAAqB,QAAQ,CAAC,IAAI,EAAE;oBAC3C,qBAAqB,EAAE,GAAG,QAAQ,CAAC,IAAI,6CAA6C,QAAQ,CAAC,MAAM,EAAE;oBACrG,YAAY,EAAE,OAAO,QAAQ,CAAC,IAAI,MAAM,QAAQ,CAAC,MAAM,KAAK;oBAC5D,SAAS,EAAE,QAAQ,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU;oBACvD,MAAM,EAAE,MAAM;iBACf,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;YACP,wBAAwB;QAC1B,CAAC;IACH,CAAC;IAED,mEAAmE;IACnE,MAAM,kBAAkB,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC;AAC9C,CAAC;AAED,SAAS,eAAe,CAAC,MAAc;IACrC,sDAAsD;IACtD,OAAO,MAAM,CAAC,OAAO,CAAC,cAAc,EAAE,iBAAiB,CAAC,CAAC;AAC3D,CAAC;AAED,SAAS,gBAAgB,CAAC,GAAW,EAAE,QAAuB;IAC5D,MAAM,UAAU,GAAG,GAAG,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,CAAC;IAErE,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;QACnC,wCAAwC;QACxC,IAAI,SAAS,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,iBAAiB,CAAC,EAAE,CAAC;YAChF,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,kCAAkC;gBACzC,qBAAqB,EAAE,+FAA+F;gBACtH,YAAY,EAAE,SAAS;gBACvB,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;QAED,sCAAsC;QACtC,IAAI,SAAS,CAAC,UAAU,CAAC,YAAY,CAAC,IAAI,SAAS,CAAC,QAAQ,CAAC,eAAe,CAAC,EAAE,CAAC;YAC9E,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,gCAAgC;gBACvC,qBAAqB,EAAE,sFAAsF;gBAC7G,YAAY,EAAE,SAAS;gBACvB,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;QAED,6CAA6C;QAC7C,IAAI,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAC1D,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,EAAE;gBACpB,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,8BAA8B;gBACrC,qBAAqB,EAAE,4FAA4F;gBACnH,YAAY,EAAE,SAAS;gBACvB,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,8DAA8D;IAC9D,MAAM,iBAAiB,GAAG,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,UAAU,CAAC,iBAAiB,CAAC,CAAC,CAAC;IAClF,IAAI,CAAC,iBAAiB,EAAE,CAAC;QACvB,QAAQ,CAAC,IAAI,CAAC;YACZ,gBAAgB,EAAE,EAAE;YACpB,QAAQ,EAAE,KAAK;YACf,QAAQ,EAAE,SAAS;YACnB,KAAK,EAAE,uCAAuC;YAC9C,qBAAqB,EAAE,kHAAkH;YACzI,YAAY,EAAE,QAAQ,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,GAAG,CAAC,GAAG,GAAG,CAAC,MAAM,GAAG,GAAG,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE;YAC7E,MAAM,EAAE,MAAM;SACf,CAAC,CAAC;IACL,CAAC;AACH,CAAC;AAED,KAAK,UAAU,kBAAkB,CAAC,OAAe,EAAE,QAAuB;IACxE,IAAI,CAAC;QACH,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,OAAO,EAAE;YACpC,MAAM,EAAE,SAAS;YACjB,MAAM,EAAE,WAAW,CAAC,OAAO,CAAC,IAAI,CAAC;YACjC,OAAO,EAAE;gBACP,YAAY,EAAE,sBAAsB;gBACpC,MAAM,EAAE,2BAA2B;gBACnC,+BAA+B,EAAE,KAAK;aACvC;SACF,CAAC,CAAC;QAEH,MAAM,WAAW,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,6BAA6B,CAAC,CAAC;QACxE,IAAI,WAAW,KAAK,GAAG,IAAI,WAAW,KAAK,2BAA2B,EAAE,CAAC;YACvE,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,CAAC;gBACnB,QAAQ,EAAE,QAAQ;gBAClB,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,iCAAiC;gBACxC,qBAAqB,EAAE,oEAAoE,WAAW,EAAE;gBACxG,YAAY,EAAE,WAAW,OAAO,uEAAuE,WAAW,EAAE;gBACpH,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;QAED,MAAM,gBAAgB,GAAG,QAAQ,CAAC,OAAO,CAAC,GAAG,CAAC,kCAAkC,CAAC,CAAC;QAClF,IAAI,gBAAgB,KAAK,MAAM,IAAI,CAAC,WAAW,KAAK,GAAG,IAAI,WAAW,KAAK,2BAA2B,CAAC,EAAE,CAAC;YACxG,QAAQ,CAAC,IAAI,CAAC;gBACZ,gBAAgB,EAAE,CAAC;gBACnB,QAAQ,EAAE,MAAM;gBAChB,QAAQ,EAAE,SAAS;gBACnB,KAAK,EAAE,yCAAyC;gBAChD,qBAAqB,EAAE,oGAAoG;gBAC3H,YAAY,EAAE,gCAAgC,WAAW,0CAA0C;gBACnG,SAAS,EAAE,UAAU;gBACrB,MAAM,EAAE,MAAM;aACf,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,wDAAwD;IAC1D,CAAC;AACH,CAAC"}
@@ -0,0 +1,8 @@
1
+ export { runScan } from "./orchestrator.js";
2
+ export type { ScanParams, ScanResult } from "./orchestrator.js";
3
+ export type { Severity, FindingContext, FindingConfidence, FindingData, EngineResult, } from "./engines/types.js";
4
+ export { isRelevantFile, filterFiles } from "./utils/file-filter.js";
5
+ export { detectTechnologies } from "./scanning/tech-detector.js";
6
+ export type { TechDetectionResult } from "./scanning/tech-detector.js";
7
+ export type { Technology, ScanLog } from "./scanning/types.js";
8
+ //# sourceMappingURL=index.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAKA,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAC5C,YAAY,EAAE,UAAU,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAEhE,YAAY,EACV,QAAQ,EACR,cAAc,EACd,iBAAiB,EACjB,WAAW,EACX,YAAY,GACb,MAAM,oBAAoB,CAAC;AAE5B,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC;AACjE,YAAY,EAAE,mBAAmB,EAAE,MAAM,6BAA6B,CAAC;AACvE,YAAY,EAAE,UAAU,EAAE,OAAO,EAAE,MAAM,qBAAqB,CAAC"}
package/dist/index.js ADDED
@@ -0,0 +1,8 @@
1
+ // @datahogo/core — public API.
2
+ // The scan engine takes a map of file paths to contents (plus an optional
3
+ // directory on disk to enable the external-binary engines) and returns
4
+ // findings, a security score, and per-engine results.
5
+ export { runScan } from "./orchestrator.js";
6
+ export { isRelevantFile, filterFiles } from "./utils/file-filter.js";
7
+ export { detectTechnologies } from "./scanning/tech-detector.js";
8
+ //# sourceMappingURL=index.js.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,+BAA+B;AAC/B,0EAA0E;AAC1E,uEAAuE;AACvE,sDAAsD;AAEtD,OAAO,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAW5C,OAAO,EAAE,cAAc,EAAE,WAAW,EAAE,MAAM,wBAAwB,CAAC;AACrE,OAAO,EAAE,kBAAkB,EAAE,MAAM,6BAA6B,CAAC"}
@@ -0,0 +1,32 @@
1
+ import type { FindingData, EngineResult } from "./engines/types.js";
2
+ import type { ScanLog } from "./scanning/types.js";
3
+ export interface ScanParams {
4
+ files: Map<string, string>;
5
+ repoDir?: string;
6
+ appUrl?: string;
7
+ dbRulesInput?: string;
8
+ }
9
+ export interface ScanResult {
10
+ findings: FindingData[];
11
+ engineResults: EngineResult[];
12
+ score: number;
13
+ summary: {
14
+ total: number;
15
+ critical: number;
16
+ high: number;
17
+ medium: number;
18
+ low: number;
19
+ info: number;
20
+ allFindings: number;
21
+ production: number;
22
+ nonProduction: number;
23
+ byContext: Record<string, number>;
24
+ actionable: number;
25
+ informational: number;
26
+ };
27
+ failedEngines: string[];
28
+ durationMs: number;
29
+ scanLog?: ScanLog;
30
+ }
31
+ export declare function runScan(params: ScanParams): Promise<ScanResult>;
32
+ //# sourceMappingURL=orchestrator.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"orchestrator.d.ts","sourceRoot":"","sources":["../src/orchestrator.ts"],"names":[],"mappings":"AAaA,OAAO,KAAK,EAAE,WAAW,EAAqC,YAAY,EAAY,MAAM,oBAAoB,CAAC;AACjH,OAAO,KAAK,EAAE,OAAO,EAAiC,MAAM,qBAAqB,CAAC;AAMlF,MAAM,WAAW,UAAU;IACzB,KAAK,EAAE,GAAG,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAC3B,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB;AAED,MAAM,WAAW,UAAU;IACzB,QAAQ,EAAE,WAAW,EAAE,CAAC;IACxB,aAAa,EAAE,YAAY,EAAE,CAAC;IAC9B,KAAK,EAAE,MAAM,CAAC;IACd,OAAO,EAAE;QAEP,KAAK,EAAE,MAAM,CAAC;QACd,QAAQ,EAAE,MAAM,CAAC;QACjB,IAAI,EAAE,MAAM,CAAC;QACb,MAAM,EAAE,MAAM,CAAC;QACf,GAAG,EAAE,MAAM,CAAC;QACZ,IAAI,EAAE,MAAM,CAAC;QAEb,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,MAAM,CAAC;QACtB,SAAS,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAElC,UAAU,EAAE,MAAM,CAAC;QACnB,aAAa,EAAE,MAAM,CAAC;KACvB,CAAC;IACF,aAAa,EAAE,MAAM,EAAE,CAAC;IACxB,UAAU,EAAE,MAAM,CAAC;IACnB,OAAO,CAAC,EAAE,OAAO,CAAC;CACnB;AAED,wBAAsB,OAAO,CAAC,MAAM,EAAE,UAAU,GAAG,OAAO,CAAC,UAAU,CAAC,CA2FrE"}