@greenarmor/ges-audit-engine 0.1.0

package/src/scanners/auth-scanner.ts

@@ -0,0 +1,198 @@
+import type { Scanner, Finding, ScanContext } from "./types.js";
+
+const SCAN_EXTENSIONS = new Set([".ts", ".tsx", ".js", ".jsx", ".py", ".rb", ".go", ".java", ".php"]);
+
+export class AuthScanner implements Scanner {
+  name = "auth";
+
+  scan(ctx: ScanContext): Finding[] {
+    const findings: Finding[] = [];
+    const content = ctx.fileContents;
+
+    const hasAuthMiddleware = this.detectAuthMiddleware(content);
+    const routesWithoutAuth = this.detectRoutesWithoutAuth(content, hasAuthMiddleware);
+    const hasRateLimiting = this.detectRateLimiting(content);
+    const hasSessionConfig = this.detectSessionConfig(content);
+    const hasCORSSettings = this.detectCORSSettings(content);
+
+    if (routesWithoutAuth.length > 0) {
+      for (const route of routesWithoutAuth.slice(0, 20)) {
+        findings.push({
+          ruleId: "AUTH-001",
+          severity: "high",
+          category: "authentication",
+          title: "Route without authentication",
+          description: `Endpoint ${route.method} ${route.path} does not require authentication. All endpoints handling personal data must require auth.`,
+          file: route.file,
+          line: route.line,
+          evidence: route.evidence,
+          controlIds: ["GDPR-ART32-004", "OWASP-ASVS-003", "OWASP-ASVS-004"],
+          fix: "Add authentication middleware to this route or apply globally.",
+        });
+      }
+    }
+
+    if (!hasRateLimiting) {
+      findings.push({
+        ruleId: "AUTH-002",
+        severity: "high",
+        category: "authentication",
+        title: "No rate limiting detected",
+        description: "No rate limiting library or configuration found. Rate limiting is required on authentication endpoints and API routes.",
+        file: "project",
+        evidence: "No rate limiter (express-rate-limit, etc.) found in codebase",
+        controlIds: ["GDPR-ART32-004", "OWASP-ASVS-003"],
+        fix: "Install and configure rate limiting: npm install express-rate-limit",
+      });
+    }
+
+    if (!hasSessionConfig) {
+      findings.push({
+        ruleId: "AUTH-003",
+        severity: "medium",
+        category: "authentication",
+        title: "No session timeout configuration detected",
+        description: "No session expiration or timeout configuration found. Sessions must expire after a period of inactivity.",
+        file: "project",
+        evidence: "No session timeout configuration found",
+        controlIds: ["GDPR-ART32-005"],
+        fix: "Configure session expiration: maxAge, idle timeout, or JWT expiration.",
+      });
+    }
+
+    if (hasCORSSettings === "wildcard") {
+      findings.push({
+        ruleId: "AUTH-004",
+        severity: "high",
+        category: "security",
+        title: "CORS configured as wildcard (*)",
+        description: "CORS is set to allow all origins. This is insecure for production. Restrict to known origins.",
+        file: "project",
+        evidence: "cors({ origin: '*' }) or Access-Control-Allow-Origin: *",
+        controlIds: ["OWASP-ASVS-006"],
+        fix: "Restrict CORS to specific origins: cors({ origin: ['https://yourdomain.com'] })",
+      });
+    }
+
+    if (!this.detectMFA(content)) {
+      findings.push({
+        ruleId: "AUTH-005",
+        severity: "high",
+        category: "authentication",
+        title: "No MFA implementation detected",
+        description: "No multi-factor authentication implementation found. MFA is mandatory per GDPR Article 32.",
+        file: "project",
+        evidence: "No MFA/2FA/OTP/TOTP library found in dependencies or code",
+        controlIds: ["GDPR-ART32-004"],
+        fix: "Implement MFA using TOTP (otpauth, speakeasy) or WebAuthn.",
+      });
+    }
+
+    return findings;
+  }
+
+  private detectAuthMiddleware(content: Map<string, string>): boolean {
+    const authIndicators = [
+      /jwt\.verify|jsonwebtoken|jwtDecode/i,
+      /passport\.use|passport\.authenticate/i,
+      /authMiddleware|authGuard|requireAuth|isAuthenticated/i,
+      /session\s*\(\s*{/i,
+      /bearer\s+token/i,
+      /firebase.*auth/i,
+      /nextAuth|next-auth/i,
+      /supabase.*auth/i,
+      /clerk/i,
+      /auth0/i,
+    ];
+    return this.searchPatterns(content, authIndicators);
+  }
+
+  private detectRoutesWithoutAuth(
+    content: Map<string, string>,
+    hasGlobalAuth: boolean,
+  ): Array<{ method: string; path: string; file: string; line: number; evidence: string }> {
+    const routes: Array<{ method: string; path: string; file: string; line: number; evidence: string }> = [];
+
+    if (hasGlobalAuth) return routes;
+
+    const routePattern = /(?:app|router|route)\s*\.\s*(get|post|put|delete|patch)\s*\(\s*['"`]([^'"`]*)/gi;
+
+    for (const [filePath, fileContent] of content) {
+      const ext = filePath.substring(filePath.lastIndexOf("."));
+      if (!SCAN_EXTENSIONS.has(ext)) continue;
+
+      const lines = fileContent.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        routePattern.lastIndex = 0;
+        const match = routePattern.exec(lines[i]);
+        if (match) {
+          const path = match[2];
+          const publicPaths = ["/", "/health", "/healthz", "/status", "/ping", "/ready", "/readiness", "/version", "/public"];
+          if (!publicPaths.some(p => path === p)) {
+            routes.push({
+              method: match[1].toUpperCase(),
+              path,
+              file: filePath,
+              line: i + 1,
+              evidence: lines[i].trim(),
+            });
+          }
+        }
+      }
+    }
+
+    return routes;
+  }
+
+  private detectRateLimiting(content: Map<string, string>): boolean {
+    return this.searchPatterns(content, [
+      /rate.?limit/i,
+      /rateLimit|rate-limit/i,
+      /express-rate-limit/i,
+      /throttl/i,
+    ]);
+  }
+
+  private detectSessionConfig(content: Map<string, string>): boolean {
+    return this.searchPatterns(content, [
+      /session\s*\(\s*{[^}]*maxAge/i,
+      /maxAge\s*[:=]/i,
+      /expiresIn\s*[:=]/i,
+      /expires\s*[:=]/i,
+      /cookie\s*:\s*{[^}]*maxAge/i,
+      /idleTimeout/i,
+    ]);
+  }
+
+  private detectCORSSettings(content: Map<string, string>): "wildcard" | "configured" | "none" {
+    for (const [, fileContent] of content) {
+      if (/cors\s*\(\s*{[^}]*origin\s*:\s*['"]\*['"]/s.test(fileContent) ||
+          /Access-Control-Allow-Origin\s*:\s*\*/i.test(fileContent)) {
+        return "wildcard";
+      }
+      if (/cors\s*\(/i.test(fileContent) || /Access-Control-Allow/i.test(fileContent)) {
+        return "configured";
+      }
+    }
+    return "none";
+  }
+
+  private detectMFA(content: Map<string, string>): boolean {
+    return this.searchPatterns(content, [
+      /mfa|multi.?factor|2fa|two.?factor/i,
+      /totp|otpauth|speakeasy|otplib/i,
+      /webauthn|fido2|passkey/i,
+      /authenticator/i,
+    ]);
+  }
+
+  private searchPatterns(content: Map<string, string>, patterns: RegExp[]): boolean {
+    for (const [, fileContent] of content) {
+      for (const pattern of patterns) {
+        pattern.lastIndex = 0;
+        if (pattern.test(fileContent)) return true;
+      }
+    }
+    return false;
+  }
+}

package/src/scanners/code-security-scanner.ts

@@ -0,0 +1,102 @@
+import type { Scanner, Finding, ScanContext } from "./types.js";
+
+const SQL_INJECTION_PATTERNS = [
+  { pattern: /(?:query|execute|raw|sql)\s*\(\s*[`"'].*\+\s*(?:req|params|query|body|input|request)/gi, desc: "SQL query with string concatenation from user input" },
+  { pattern: /(?:query|execute|raw|sql)\s*\(\s*[`"'].*\$\{(?:req|params|query|body)/gi, desc: "SQL query with template literal injection" },
+  { pattern: /SELECT\s+.*\s+FROM\s+.*\s+WHERE\s+.*\+\s*(?:req|params|query|body)/gi, desc: "SQL SELECT with concatenated user input" },
+  { pattern: /INSERT\s+INTO\s+.*VALUES\s*\(.*\+\s*(?:req|params|query|body)/gi, desc: "SQL INSERT with concatenated user input" },
+  { pattern: /DELETE\s+FROM\s+.*WHERE\s+.*\+\s*(?:req|params|query|body)/gi, desc: "SQL DELETE with concatenated user input" },
+  { pattern: /UPDATE\s+.*SET\s+.*\+\s*(?:req|params|query|body)/gi, desc: "SQL UPDATE with concatenated user input" },
+];
+
+const XSS_PATTERNS = [
+  { pattern: /innerHTML\s*=\s*(?:req|params|query|body|input)/gi, desc: "Direct innerHTML assignment from user input" },
+  { pattern: /document\.write\s*\(\s*(?:req|params|query|body)/gi, desc: "document.write with user input" },
+  { pattern: /v-html\s*=\s*(?:req|params|query|body|input)/gi, desc: "Vue v-html with user input" },
+  { pattern: /dangerouslySetInnerHTML\s*=\s*\{.*(?:req|params|query|body)/gi, desc: "React dangerouslySetInnerHTML with user input" },
+  { pattern: /\.html\s*\(\s*(?:req|params|query|body)/gi, desc: "jQuery .html() with user input" },
+];
+
+const INPUT_VALIDATION_PATTERNS = [
+  { pattern: /(?:parseInt|parseFloat|Number)\s*\(\s*req\.(?:body|params|query)/gi, desc: "Unvalidated number parsing from request" },
+  { pattern: /eval\s*\(\s*(?:req|params|query|body|input)/gi, desc: "eval() with user input - critical RCE risk" },
+  { pattern: /Function\s*\(\s*(?:req|params|query|body)/gi, desc: "Function constructor with user input" },
+  { pattern: /exec\s*\(\s*(?:req|params|query|body)/gi, desc: "Command execution with user input" },
+  { pattern: /child_process.*(?:req|params|query|body)/gi, desc: "Child process with user input" },
+];
+
+const SCAN_EXTENSIONS = new Set([".ts", ".tsx", ".js", ".jsx", ".py", ".rb", ".go", ".java", ".php"]);
+
+export class CodeSecurityScanner implements Scanner {
+  name = "code-security";
+
+  scan(ctx: ScanContext): Finding[] {
+    const findings: Finding[] = [];
+
+    for (const [filePath, content] of ctx.fileContents) {
+      const ext = filePath.substring(filePath.lastIndexOf("."));
+      if (!SCAN_EXTENSIONS.has(ext)) continue;
+
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+
+        for (const { pattern, desc } of SQL_INJECTION_PATTERNS) {
+          pattern.lastIndex = 0;
+          if (pattern.test(line)) {
+            findings.push({
+              ruleId: "INJECT-001",
+              severity: "critical",
+              category: "injection",
+              title: "SQL Injection vulnerability",
+              description: desc + ". Use parameterized queries or an ORM.",
+              file: filePath,
+              line: i + 1,
+              evidence: line.trim(),
+              controlIds: ["OWASP-ASVS-001", "GDPR-ART5-006"],
+              fix: "Use parameterized queries: db.query('SELECT * FROM users WHERE id = $1', [req.query.id])",
+            });
+          }
+        }
+
+        for (const { pattern, desc } of XSS_PATTERNS) {
+          pattern.lastIndex = 0;
+          if (pattern.test(line)) {
+            findings.push({
+              ruleId: "INJECT-002",
+              severity: "critical",
+              category: "xss",
+              title: "Cross-Site Scripting (XSS) vulnerability",
+              description: desc + ". Sanitize all user input before rendering.",
+              file: filePath,
+              line: i + 1,
+              evidence: line.trim(),
+              controlIds: ["OWASP-ASVS-002", "GDPR-ART5-006"],
+              fix: "Use textContent instead of innerHTML, or sanitize input with a library like DOMPurify.",
+            });
+          }
+        }
+
+        for (const { pattern, desc } of INPUT_VALIDATION_PATTERNS) {
+          pattern.lastIndex = 0;
+          if (pattern.test(line)) {
+            findings.push({
+              ruleId: "INJECT-003",
+              severity: "critical",
+              category: "injection",
+              title: "Code injection risk",
+              description: desc + ". Never pass user input to code execution functions.",
+              file: filePath,
+              line: i + 1,
+              evidence: line.trim(),
+              controlIds: ["OWASP-ASVS-001"],
+              fix: "Remove eval/exec usage with user input. Use safe alternatives.",
+            });
+          }
+        }
+      }
+    }
+
+    return findings;
+  }
+}

package/src/scanners/config-scanner.ts

@@ -0,0 +1,224 @@
+import type { Scanner, Finding, ScanContext } from "./types.js";
+
+export class ConfigScanner implements Scanner {
+  name = "config";
+
+  scan(ctx: ScanContext): Finding[] {
+    const findings: Finding[] = [];
+
+    this.checkPackageJson(ctx, findings);
+    this.checkEnvFiles(ctx, findings);
+    this.checkDockerConfig(ctx, findings);
+    this.checkTLSConfig(ctx, findings);
+    this.checkGitignore(ctx, findings);
+    this.checkLoggingConfig(ctx, findings);
+
+    return findings;
+  }
+
+  private checkPackageJson(ctx: ScanContext, findings: Finding[]): void {
+    const pkgContent = ctx.fileContents.get("package.json");
+    if (!pkgContent) return;
+
+    try {
+      const pkg = JSON.parse(pkgContent);
+      const deps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+      if (deps.helmet === undefined && (deps.express || deps.koa || deps.fastify)) {
+        findings.push({
+          ruleId: "CONFIG-001",
+          severity: "high",
+          category: "security",
+          title: "Missing security headers (no helmet)",
+          description: "No helmet middleware detected for HTTP framework. Security headers protect against XSS, clickjacking, and other attacks.",
+          file: "package.json",
+          evidence: "helmet not in dependencies",
+          controlIds: ["OWASP-ASVS-002", "OWASP-ASVS-006"],
+          fix: "npm install helmet && app.use(helmet())",
+        });
+      }
+
+      if (deps.cors === undefined && (deps.express || deps.fastify)) {
+        findings.push({
+          ruleId: "CONFIG-002",
+          severity: "medium",
+          category: "security",
+          title: "No CORS configuration",
+          description: "No CORS package found. Unrestricted CORS can expose your API to cross-origin attacks.",
+          file: "package.json",
+          evidence: "cors not in dependencies",
+          controlIds: ["OWASP-ASVS-006"],
+          fix: "npm install cors and configure allowed origins explicitly.",
+        });
+      }
+
+      const auditDeps = ["express", "lodash", "axios", "underscore"];
+      for (const dep of auditDeps) {
+        if (deps[dep]) {
+          findings.push({
+            ruleId: "CONFIG-003",
+            severity: "medium",
+            category: "dependencies",
+            title: `Dependency review needed: ${dep}`,
+            description: `${dep} is a commonly exploited dependency. Ensure you are running the latest version with no known vulnerabilities.`,
+            file: "package.json",
+            evidence: `${dep}: ${deps[dep]}`,
+            controlIds: ["CIS-004", "OWASP-ASVS-005"],
+            fix: "Run npm audit regularly. Update to latest version. Consider automated dependency scanning.",
+          });
+        }
+      }
+    } catch {
+      // not valid JSON
+    }
+  }
+
+  private checkEnvFiles(ctx: ScanContext, findings: Finding[]): void {
+    for (const [filePath, content] of ctx.fileContents) {
+      if (filePath !== ".env" && !filePath.endsWith("/.env") && !filePath.startsWith(".env.")) continue;
+      if (filePath.includes("example") || filePath.includes("template")) continue;
+
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i].trim();
+        if (!line || line.startsWith("#")) continue;
+
+        if (/\b(PASSWORD|SECRET|KEY|TOKEN|PRIVATE)\b.*=\s*[^\s]/i.test(line) &&
+            !line.includes("your_") && !line.includes("changeme") && !line.includes("xxx")) {
+          findings.push({
+            ruleId: "CONFIG-004",
+            severity: "critical",
+            category: "secrets",
+            title: "Secret with value in .env file",
+            description: "A .env file contains actual secret values. Ensure .env files are in .gitignore and never committed.",
+            file: filePath,
+            line: i + 1,
+            evidence: line.split("=")[0] + "=***",
+            controlIds: ["OWASP-ASVS-005", "GDPR-ART32-002"],
+            fix: "Ensure .env is in .gitignore. Use a secrets management solution for production.",
+          });
+        }
+      }
+    }
+  }
+
+  private checkDockerConfig(ctx: ScanContext, findings: Finding[]): void {
+    const dockerfile = ctx.fileContents.get("Dockerfile");
+    if (dockerfile) {
+      if (/USER\s+root/i.test(dockerfile) || (!/USER\s+/i.test(dockerfile))) {
+        findings.push({
+          ruleId: "CONFIG-005",
+          severity: "medium",
+          category: "infrastructure",
+          title: "Docker running as root",
+          description: "Container may be running as root. Use a non-root user for security.",
+          file: "Dockerfile",
+          evidence: "No non-root USER directive found",
+          controlIds: ["CIS-003"],
+          fix: "Add: USER node (or other non-root user) to your Dockerfile.",
+        });
+      }
+
+      if (/\bENV\b.*(?:PASSWORD|SECRET|KEY|TOKEN)\s*=\s*\S+/i.test(dockerfile)) {
+        findings.push({
+          ruleId: "CONFIG-006",
+          severity: "critical",
+          category: "secrets",
+          title: "Secret in Dockerfile ENV",
+          description: "Secrets must not be baked into Docker images.",
+          file: "Dockerfile",
+          evidence: "ENV with secret value",
+          controlIds: ["OWASP-ASVS-005"],
+          fix: "Use Docker secrets or environment variables at runtime instead.",
+        });
+      }
+    }
+  }
+
+  private checkTLSConfig(ctx: ScanContext, findings: Finding[]): void {
+    for (const [filePath, content] of ctx.fileContents) {
+      if (!filePath.includes(".env") && !filePath.includes("config")) continue;
+
+      if (/\bNODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]?0['"]?/i.test(content)) {
+        findings.push({
+          ruleId: "CONFIG-007",
+          severity: "critical",
+          category: "encryption",
+          title: "TLS verification disabled",
+          description: "NODE_TLS_REJECT_UNAUTHORIZED=0 disables TLS certificate verification, enabling MITM attacks.",
+          file: filePath,
+          evidence: "NODE_TLS_REJECT_UNAUTHORIZED=0",
+          controlIds: ["GDPR-ART32-003", "OWASP-ASVS-006"],
+          fix: "Remove NODE_TLS_REJECT_UNAUTHORIZED=0. Fix the certificate issue instead.",
+        });
+      }
+    }
+  }
+
+  private checkGitignore(ctx: ScanContext, findings: Finding[]): void {
+    const gitignore = ctx.fileContents.get(".gitignore");
+    if (!gitignore) {
+      findings.push({
+        ruleId: "CONFIG-008",
+        severity: "high",
+        category: "security",
+        title: "No .gitignore file",
+        description: "No .gitignore found. Secrets and build artifacts may be committed accidentally.",
+        file: ".gitignore",
+        evidence: "File not found",
+        controlIds: ["OWASP-ASVS-005"],
+        fix: "Create .gitignore with node_modules/, .env, dist/, *.key, etc.",
+      });
+      return;
+    }
+
+    const required = [".env", "node_modules"];
+    for (const pattern of required) {
+      if (!gitignore.includes(pattern)) {
+        findings.push({
+          ruleId: "CONFIG-009",
+          severity: "high",
+          category: "security",
+          title: `.gitignore missing ${pattern}`,
+          description: `${pattern} should be in .gitignore to prevent accidental commits.`,
+          file: ".gitignore",
+          evidence: `${pattern} not found in .gitignore`,
+          controlIds: ["OWASP-ASVS-005"],
+          fix: `Add ${pattern} to .gitignore.`,
+        });
+      }
+    }
+  }
+
+  private checkLoggingConfig(ctx: ScanContext, findings: Finding[]): void {
+    const hasLogging = this.searchContent(ctx, [
+      /winston|pino|bunyan|morgan|helmet/i,
+      /logging|logger/i,
+      /auditLog|audit_log/i,
+    ]);
+
+    if (!hasLogging) {
+      findings.push({
+        ruleId: "CONFIG-010",
+        severity: "high",
+        category: "audit",
+        title: "No logging framework detected",
+        description: "No logging library or audit logging found. Audit logging is mandatory for GDPR compliance.",
+        file: "project",
+        evidence: "No logging library (winston, pino, etc.) found",
+        controlIds: ["GDPR-ART32-006", "OWASP-ASVS-004"],
+        fix: "Install a logging library (winston or pino) and implement structured audit logging.",
+      });
+    }
+  }
+
+  private searchContent(ctx: ScanContext, patterns: RegExp[]): boolean {
+    for (const [, content] of ctx.fileContents) {
+      for (const pattern of patterns) {
+        pattern.lastIndex = 0;
+        if (pattern.test(content)) return true;
+      }
+    }
+    return false;
+  }
+}

package/src/scanners/crypto-scanner.ts

@@ -0,0 +1,103 @@
+import type { Scanner, Finding, ScanContext } from "./types.js";
+
+const WEAK_HASH_PATTERNS = [
+  { pattern: /\bmd5\s*\(/gi, algo: "MD5" },
+  { pattern: /\bsha1\s*\(/gi, algo: "SHA1" },
+  { pattern: /\bcreateHash\s*\(\s*['"]md5['"]\s*\)/gi, algo: "MD5 (Node.js crypto)" },
+  { pattern: /\bcreateHash\s*\(\s*['"]sha1['"]\s*\)/gi, algo: "SHA1 (Node.js crypto)" },
+  { pattern: /\.digest\s*\(\s*['"]md5['"]\s*\)/gi, algo: "MD5 digest" },
+  { pattern: /hashlib\.md5\(/gi, algo: "MD5 (Python)" },
+  { pattern: /hashlib\.sha1\(/gi, algo: "SHA1 (Python)" },
+];
+
+const WEAK_CRYPTO_PATTERNS = [
+  { pattern: /\bDES\b|\b3DES\b|\bBlowfish\b/g, algo: "Weak encryption algorithm" },
+  { pattern: /\bcreateCipheriv\s*\(\s*['"]aes-128/gi, algo: "AES-128 (use AES-256)" },
+  { pattern: /\bcreateCipher\b\s*\(/g, algo: "Deprecated createCipher (use createCipheriv)" },
+  { pattern: /\btc_aes_encrypt\b/gi, algo: "AES-128 (use AES-256)" },
+  { pattern: /\bAES.*ECB\b/gi, algo: "AES ECB mode (use GCM or CBC)" },
+  { pattern: /Cipher\s*\(\s*['"]des/gi, algo: "DES cipher (deprecated)" },
+  { pattern: /\btls\.connect\s*\([^)]*rejectUnauthorized\s*:\s*false/gi, algo: "TLS with certificate verification disabled" },
+  { pattern: /process\.env\.NODE_TLS_REJECT_UNAUTHORIZED\s*=\s*['"]0['"]/gi, algo: "TLS verification globally disabled" },
+];
+
+const INSECURE_PASSWORD_PATTERNS = [
+  { pattern: /\.compare\s*\(.*,\s*.*\)|bcrypt\.compare|argon2\.verify/gi, check: false, desc: "Secure password comparison" },
+  { pattern: /password\s*===?\s*|password\s*!==?\s*|\.equals\s*\(\s*password/gi, check: true, desc: "Plaintext password comparison (use Argon2id/bcrypt)" },
+];
+
+const SCAN_EXTENSIONS = new Set([".ts", ".tsx", ".js", ".jsx", ".py", ".rb", ".go", ".java", ".php", ".cs"]);
+
+export class CryptoScanner implements Scanner {
+  name = "crypto";
+
+  scan(ctx: ScanContext): Finding[] {
+    const findings: Finding[] = [];
+
+    for (const [filePath, content] of ctx.fileContents) {
+      const ext = filePath.substring(filePath.lastIndexOf("."));
+      if (!SCAN_EXTENSIONS.has(ext)) continue;
+
+      const lines = content.split("\n");
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+
+        for (const { pattern, algo } of WEAK_HASH_PATTERNS) {
+          pattern.lastIndex = 0;
+          if (pattern.test(line)) {
+            findings.push({
+              ruleId: "CRYPTO-001",
+              severity: "critical",
+              category: "authentication",
+              title: `Weak hashing algorithm: ${algo}`,
+              description: `${algo} is cryptographically broken and must not be used for passwords or security-sensitive operations. Use Argon2id for passwords, SHA-256+ for general hashing.`,
+              file: filePath,
+              line: i + 1,
+              evidence: line.trim(),
+              controlIds: ["GDPR-ART32-004", "OWASP-ASVS-003"],
+              fix: `Replace ${algo} with Argon2id (passwords) or SHA-256+ (general hashing).`,
+            });
+          }
+        }
+
+        for (const { pattern, algo } of WEAK_CRYPTO_PATTERNS) {
+          pattern.lastIndex = 0;
+          if (pattern.test(line)) {
+            findings.push({
+              ruleId: "CRYPTO-002",
+              severity: "high",
+              category: "encryption",
+              title: `Insecure encryption: ${algo}`,
+              description: `${algo} is not approved for use. Use AES-256-GCM or ChaCha20-Poly1305.`,
+              file: filePath,
+              line: i + 1,
+              evidence: line.trim(),
+              controlIds: ["GDPR-ART32-002", "GDPR-ART32-003"],
+              fix: "Replace with AES-256-GCM or ChaCha20-Poly1305 for data at rest, TLS 1.3 for data in transit.",
+            });
+          }
+        }
+
+        for (const { pattern, check, desc } of INSECURE_PASSWORD_PATTERNS) {
+          pattern.lastIndex = 0;
+          if (check && pattern.test(line)) {
+            findings.push({
+              ruleId: "CRYPTO-003",
+              severity: "critical",
+              category: "authentication",
+              title: desc,
+              description: "Passwords must be hashed using Argon2id before comparison. Never compare plaintext passwords.",
+              file: filePath,
+              line: i + 1,
+              evidence: line.trim(),
+              controlIds: ["GDPR-ART32-004", "OWASP-ASVS-003"],
+              fix: "Use argon2.verify(hashedPassword, inputPassword) for password comparison.",
+            });
+          }
+        }
+      }
+    }
+
+    return findings;
+  }
+}