@guardrail-ai/rules 0.1.0

package/dist/inefficient-loop.js

@@ -0,0 +1,104 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+/**
+ * Detects inefficient loop patterns:
+ *
+ *   1. Array.length accessed in loop condition (should be cached)
+ *      for (let i = 0; i < arr.length; i++)
+ *
+ *   2. await inside a loop body (should use Promise.all)
+ *      for (const item of items) { await fetch(item); }
+ */
+function checkAwaitInLoop(path, filePath, violations) {
+    path.traverse({
+        AwaitExpression(innerPath) {
+            let current = innerPath.parentPath;
+            while (current && current !== path) {
+                if (current.isFunctionDeclaration() ||
+                    current.isFunctionExpression() ||
+                    current.isArrowFunctionExpression()) {
+                    return;
+                }
+                current = current.parentPath;
+            }
+            violations.push({
+                ruleId: 'performance/inefficient-loop',
+                severity: 'warning',
+                message: 'Sequential await inside loop. Consider using Promise.all() for concurrent execution.',
+                location: {
+                    file: filePath,
+                    line: innerPath.node.loc?.start.line ?? 0,
+                    column: innerPath.node.loc?.start.column ?? 0,
+                },
+            });
+        },
+    });
+}
+const inefficientLoopRule = {
+    id: 'performance/inefficient-loop',
+    name: 'Inefficient Loop',
+    description: 'Detects performance anti-patterns in loops: uncached length, sequential awaits, expensive operations inside loops',
+    severity: 'warning',
+    category: 'performance',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            ForStatement(path) {
+                // Pattern 1: uncached arr.length
+                const test = path.node.test;
+                if (test?.type === 'BinaryExpression' &&
+                    (test.operator === '<' || test.operator === '<=') &&
+                    test.right.type === 'MemberExpression' &&
+                    test.right.property.type === 'Identifier' &&
+                    test.right.property.name === 'length') {
+                    violations.push({
+                        ruleId: 'performance/inefficient-loop',
+                        severity: 'warning',
+                        message: 'Array .length is accessed on every iteration. Cache it in a variable for better performance.',
+                        location: {
+                            file: filePath,
+                            line: test.right.loc?.start.line ?? 0,
+                            column: test.right.loc?.start.column ?? 0,
+                        },
+                        fix: {
+                            description: 'Cache array length before loop',
+                            range: {
+                                start: {
+                                    line: path.node.loc?.start.line ?? 0,
+                                    column: path.node.loc?.start.column ?? 0,
+                                },
+                                end: {
+                                    line: path.node.loc?.start.line ?? 0,
+                                    column: path.node.loc?.end.column ?? 0,
+                                },
+                            },
+                            replacement: '',
+                        },
+                    });
+                }
+                // Pattern 2: await inside this for loop
+                checkAwaitInLoop(path, filePath, violations);
+            },
+            ForOfStatement(path) {
+                checkAwaitInLoop(path, filePath, violations);
+            },
+            ForInStatement(path) {
+                checkAwaitInLoop(path, filePath, violations);
+            },
+            WhileStatement(path) {
+                checkAwaitInLoop(path, filePath, violations);
+            },
+            DoWhileStatement(path) {
+                checkAwaitInLoop(path, filePath, violations);
+            },
+        });
+        return violations;
+    },
+};
+exports.default = inefficientLoopRule;
+//# sourceMappingURL=inefficient-loop.js.map

package/dist/inefficient-loop.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"inefficient-loop.js","sourceRoot":"","sources":["../src/inefficient-loop.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC;;;;;;;;GAQG;AAEH,SAAS,gBAAgB,CACvB,IAAS,EACT,QAAgB,EAChB,UAAuB;IAEvB,IAAI,CAAC,QAAQ,CAAC;QACZ,eAAe,CAAC,SAAc;YAC5B,IAAI,OAAO,GAAG,SAAS,CAAC,UAAU,CAAC;YACnC,OAAO,OAAO,IAAI,OAAO,KAAK,IAAI,EAAE,CAAC;gBACnC,IACE,OAAO,CAAC,qBAAqB,EAAE;oBAC/B,OAAO,CAAC,oBAAoB,EAAE;oBAC9B,OAAO,CAAC,yBAAyB,EAAE,EACnC,CAAC;oBACD,OAAO;gBACT,CAAC;gBACD,OAAO,GAAG,OAAO,CAAC,UAAU,CAAC;YAC/B,CAAC;YAED,UAAU,CAAC,IAAI,CAAC;gBACd,MAAM,EAAE,8BAA8B;gBACtC,QAAQ,EAAE,SAAS;gBACnB,OAAO,EACL,sFAAsF;gBACxF,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;oBACzC,MAAM,EAAE,SAAS,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;iBAC9C;aACF,CAAC,CAAC;QACL,CAAC;KACF,CAAC,CAAC;AACL,CAAC;AAED,MAAM,mBAAmB,GAAS;IAChC,EAAE,EAAE,8BAA8B;IAClC,IAAI,EAAE,kBAAkB;IACxB,WAAW,EACT,mHAAmH;IACrH,QAAQ,EAAE,SAAS;IACnB,QAAQ,EAAE,aAAa;IAEvB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,YAAY,CAAC,IAAI;gBACf,iCAAiC;gBACjC,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC;gBAC5B,IACE,IAAI,EAAE,IAAI,KAAK,kBAAkB;oBACjC,CAAC,IAAI,CAAC,QAAQ,KAAK,GAAG,IAAI,IAAI,CAAC,QAAQ,KAAK,IAAI,CAAC;oBACjD,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,kBAAkB;oBACtC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;oBACzC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,KAAK,QAAQ,EACrC,CAAC;oBACD,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,8BAA8B;wBACtC,QAAQ,EAAE,SAAS;wBACnB,OAAO,EACL,8FAA8F;wBAChG,QAAQ,EAAE;4BACR,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;4BACrC,MAAM,EAAE,IAAI,CAAC,KAAK,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;yBAC1C;wBACD,GAAG,EAAE;4BACH,WAAW,EAAE,gCAAgC;4BAC7C,KAAK,EAAE;gCACL,KAAK,EAAE;oCACL,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;oCACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;iCACzC;gCACD,GAAG,EAAE;oCACH,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;oCACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,CAAC,MAAM,IAAI,CAAC;iCACvC;6BACF;4BACD,WAAW,EAAE,EAAE;yBAChB;qBACF,CAAC,CAAC;gBACL,CAAC;gBAED,wCAAwC;gBACxC,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC/C,CAAC;YAED,cAAc,CAAC,IAAI;gBACjB,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC/C,CAAC;YAED,cAAc,CAAC,IAAI;gBACjB,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC/C,CAAC;YAED,cAAc,CAAC,IAAI;gBACjB,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC/C,CAAC;YAED,gBAAgB,CAAC,IAAI;gBACnB,gBAAgB,CAAC,IAAI,EAAE,QAAQ,EAAE,UAAU,CAAC,CAAC;YAC/C,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,mBAAmB,CAAC"}

package/dist/insecure-cors.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const insecureCorsRule: Rule;
+export default insecureCorsRule;
+//# sourceMappingURL=insecure-cors.d.ts.map

package/dist/insecure-cors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-cors.d.ts","sourceRoot":"","sources":["../src/insecure-cors.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAEvE,QAAA,MAAM,gBAAgB,EAAE,IAgGvB,CAAC;AAEF,eAAe,gBAAgB,CAAC"}

package/dist/insecure-cors.js

@@ -0,0 +1,89 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const insecureCorsRule = {
+    id: 'security/insecure-cors',
+    name: 'Insecure CORS',
+    description: 'Detects cors({ origin: "*" }) or cors() with no restrictions',
+    severity: 'high',
+    category: 'security',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            CallExpression(path) {
+                const callee = path.node.callee;
+                // Match cors() or cors({...})
+                const isCorsCall = (callee.type === 'Identifier' && callee.name === 'cors') ||
+                    (callee.type === 'MemberExpression' &&
+                        callee.property.type === 'Identifier' &&
+                        callee.property.name === 'cors');
+                if (!isCorsCall)
+                    return;
+                const args = path.node.arguments;
+                // cors() with no arguments — allows all origins
+                if (args.length === 0) {
+                    violations.push({
+                        ruleId: 'security/insecure-cors',
+                        severity: 'high',
+                        message: 'cors() called with no arguments — allows all origins. Specify allowed origins explicitly.',
+                        location: {
+                            file: filePath,
+                            line: path.node.loc?.start.line ?? 0,
+                            column: path.node.loc?.start.column ?? 0,
+                        },
+                    });
+                    return;
+                }
+                // cors({ origin: '*' })
+                const firstArg = args[0];
+                if (firstArg.type === 'ObjectExpression') {
+                    for (const prop of firstArg.properties) {
+                        if (prop.type === 'ObjectProperty' &&
+                            prop.key.type === 'Identifier' &&
+                            prop.key.name === 'origin' &&
+                            prop.value.type === 'StringLiteral' &&
+                            prop.value.value === '*') {
+                            violations.push({
+                                ruleId: 'security/insecure-cors',
+                                severity: 'high',
+                                message: 'CORS origin set to "*" — allows all origins. Specify allowed origins explicitly.',
+                                location: {
+                                    file: filePath,
+                                    line: prop.loc?.start.line ?? 0,
+                                    column: prop.loc?.start.column ?? 0,
+                                },
+                            });
+                        }
+                    }
+                }
+            },
+            // Also check for Access-Control-Allow-Origin: * header
+            StringLiteral(path) {
+                if (path.node.value === 'Access-Control-Allow-Origin') {
+                    // Check if the next sibling/value is '*'
+                    if (path.parent.type === 'ObjectProperty' &&
+                        path.parent.value.type === 'StringLiteral' &&
+                        path.parent.value.value === '*') {
+                        violations.push({
+                            ruleId: 'security/insecure-cors',
+                            severity: 'high',
+                            message: 'Access-Control-Allow-Origin header set to "*". Restrict to specific origins.',
+                            location: {
+                                file: filePath,
+                                line: path.node.loc?.start.line ?? 0,
+                                column: path.node.loc?.start.column ?? 0,
+                            },
+                        });
+                    }
+                }
+            },
+        });
+        return violations;
+    },
+};
+exports.default = insecureCorsRule;
+//# sourceMappingURL=insecure-cors.js.map

package/dist/insecure-cors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"insecure-cors.js","sourceRoot":"","sources":["../src/insecure-cors.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC,MAAM,gBAAgB,GAAS;IAC7B,EAAE,EAAE,wBAAwB;IAC5B,IAAI,EAAE,eAAe;IACrB,WAAW,EAAE,8DAA8D;IAC3E,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,UAAU;IAEpB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,cAAc,CAAC,IAAI;gBACjB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;gBAEhC,8BAA8B;gBAC9B,MAAM,UAAU,GACd,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY,IAAI,MAAM,CAAC,IAAI,KAAK,MAAM,CAAC;oBACxD,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB;wBACjC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;wBACrC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,MAAM,CAAC,CAAC;gBAErC,IAAI,CAAC,UAAU;oBAAE,OAAO;gBAExB,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC;gBAEjC,gDAAgD;gBAChD,IAAI,IAAI,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;oBACtB,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,wBAAwB;wBAChC,QAAQ,EAAE,MAAM;wBAChB,OAAO,EACL,2FAA2F;wBAC7F,QAAQ,EAAE;4BACR,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;4BACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;yBACzC;qBACF,CAAC,CAAC;oBACH,OAAO;gBACT,CAAC;gBAED,wBAAwB;gBACxB,MAAM,QAAQ,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC;gBACzB,IAAI,QAAQ,CAAC,IAAI,KAAK,kBAAkB,EAAE,CAAC;oBACzC,KAAK,MAAM,IAAI,IAAI,QAAQ,CAAC,UAAU,EAAE,CAAC;wBACvC,IACE,IAAI,CAAC,IAAI,KAAK,gBAAgB;4BAC9B,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,YAAY;4BAC9B,IAAI,CAAC,GAAG,CAAC,IAAI,KAAK,QAAQ;4BAC1B,IAAI,CAAC,KAAK,CAAC,IAAI,KAAK,eAAe;4BACnC,IAAI,CAAC,KAAK,CAAC,KAAK,KAAK,GAAG,EACxB,CAAC;4BACD,UAAU,CAAC,IAAI,CAAC;gCACd,MAAM,EAAE,wBAAwB;gCAChC,QAAQ,EAAE,MAAM;gCAChB,OAAO,EACL,kFAAkF;gCACpF,QAAQ,EAAE;oCACR,IAAI,EAAE,QAAQ;oCACd,IAAI,EAAE,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;oCAC/B,MAAM,EAAE,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;iCACpC;6BACF,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;YAED,uDAAuD;YACvD,aAAa,CAAC,IAAI;gBAChB,IAAI,IAAI,CAAC,IAAI,CAAC,KAAK,KAAK,6BAA6B,EAAE,CAAC;oBACtD,yCAAyC;oBACzC,IACE,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB;wBACrC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,IAAI,KAAK,eAAe;wBAC1C,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,KAAK,KAAK,GAAG,EAC/B,CAAC;wBACD,UAAU,CAAC,IAAI,CAAC;4BACd,MAAM,EAAE,wBAAwB;4BAChC,QAAQ,EAAE,MAAM;4BAChB,OAAO,EACL,8EAA8E;4BAChF,QAAQ,EAAE;gCACR,IAAI,EAAE,QAAQ;gCACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;gCACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;6BACzC;yBACF,CAAC,CAAC;oBACL,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,gBAAgB,CAAC"}

package/dist/magic-numbers.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const magicNumbersRule: Rule;
+export default magicNumbersRule;
+//# sourceMappingURL=magic-numbers.d.ts.map

package/dist/magic-numbers.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"magic-numbers.d.ts","sourceRoot":"","sources":["../src/magic-numbers.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAIvE,QAAA,MAAM,gBAAgB,EAAE,IA+CvB,CAAC;AAEF,eAAe,gBAAgB,CAAC"}

package/dist/magic-numbers.js

@@ -0,0 +1,53 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const ALLOWED_NUMBERS = new Set([0, 1, -1, 2, 10, 100, 1000, 24, 60, 1024]);
+const magicNumbersRule = {
+    id: 'ai-codegen/magic-numbers',
+    name: 'Magic Numbers',
+    description: 'Detects unnamed numeric literals in logic that should be extracted to named constants',
+    severity: 'info',
+    category: 'ai-codegen',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            NumericLiteral(path) {
+                const value = path.node.value;
+                if (ALLOWED_NUMBERS.has(value))
+                    return;
+                // Skip if it's in a variable declaration (i.e., it IS being named)
+                if (path.parent.type === 'VariableDeclarator')
+                    return;
+                // Skip array indices
+                if (path.parent.type === 'MemberExpression' && path.parent.computed)
+                    return;
+                // Skip default parameter values
+                if (path.parent.type === 'AssignmentPattern')
+                    return;
+                // Skip object property values (often config objects)
+                if (path.parent.type === 'ObjectProperty')
+                    return;
+                // Skip return statements with simple values
+                if (path.parent.type === 'ReturnStatement')
+                    return;
+                violations.push({
+                    ruleId: 'ai-codegen/magic-numbers',
+                    severity: 'info',
+                    message: `Magic number ${value} — extract to a named constant for readability.`,
+                    location: {
+                        file: filePath,
+                        line: path.node.loc?.start.line ?? 0,
+                        column: path.node.loc?.start.column ?? 0,
+                    },
+                });
+            },
+        });
+        return violations;
+    },
+};
+exports.default = magicNumbersRule;
+//# sourceMappingURL=magic-numbers.js.map

package/dist/magic-numbers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"magic-numbers.js","sourceRoot":"","sources":["../src/magic-numbers.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC,MAAM,eAAe,GAAG,IAAI,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,CAAC,CAAC;AAE5E,MAAM,gBAAgB,GAAS;IAC7B,EAAE,EAAE,0BAA0B;IAC9B,IAAI,EAAE,eAAe;IACrB,WAAW,EACT,uFAAuF;IACzF,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,YAAY;IAEtB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,cAAc,CAAC,IAAI;gBACjB,MAAM,KAAK,GAAG,IAAI,CAAC,IAAI,CAAC,KAAK,CAAC;gBAC9B,IAAI,eAAe,CAAC,GAAG,CAAC,KAAK,CAAC;oBAAE,OAAO;gBAEvC,mEAAmE;gBACnE,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,oBAAoB;oBAAE,OAAO;gBAEtD,qBAAqB;gBACrB,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,kBAAkB,IAAI,IAAI,CAAC,MAAM,CAAC,QAAQ;oBAAE,OAAO;gBAE5E,gCAAgC;gBAChC,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,mBAAmB;oBAAE,OAAO;gBAErD,qDAAqD;gBACrD,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,gBAAgB;oBAAE,OAAO;gBAElD,4CAA4C;gBAC5C,IAAI,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,iBAAiB;oBAAE,OAAO;gBAEnD,UAAU,CAAC,IAAI,CAAC;oBACd,MAAM,EAAE,0BAA0B;oBAClC,QAAQ,EAAE,MAAM;oBAChB,OAAO,EAAE,gBAAgB,KAAK,iDAAiD;oBAC/E,QAAQ,EAAE;wBACR,IAAI,EAAE,QAAQ;wBACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;wBACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;qBACzC;iBACF,CAAC,CAAC;YACL,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,gBAAgB,CAAC"}

package/dist/n-plus-one-query.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const nPlusOneQueryRule: Rule;
+export default nPlusOneQueryRule;
+//# sourceMappingURL=n-plus-one-query.d.ts.map

package/dist/n-plus-one-query.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"n-plus-one-query.d.ts","sourceRoot":"","sources":["../src/n-plus-one-query.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAyCvE,QAAA,MAAM,iBAAiB,EAAE,IAwDxB,CAAC;AAEF,eAAe,iBAAiB,CAAC"}

package/dist/n-plus-one-query.js

@@ -0,0 +1,95 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const QUERY_METHODS = new Set([
+    'query',
+    'execute',
+    'findOne',
+    'findById',
+    'findFirst',
+    'findUnique',
+    'findMany',
+    'find',
+    'get',
+    'fetch',
+    'select',
+    'delete',
+    'update',
+    'create',
+    'insert',
+    'remove',
+    'count',
+    'aggregate',
+]);
+// Objects that commonly hold DB methods
+const DB_OBJECTS = new Set([
+    'db',
+    'database',
+    'connection',
+    'conn',
+    'pool',
+    'client',
+    'prisma',
+    'knex',
+    'sequelize',
+    'mongoose',
+    'Model',
+    'collection',
+    'repository',
+    'repo',
+]);
+const nPlusOneQueryRule = {
+    id: 'performance/n-plus-one-query',
+    name: 'N+1 Query',
+    description: 'Detects database query calls inside loops, indicating potential N+1 query problems',
+    severity: 'high',
+    category: 'performance',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            'ForStatement|ForOfStatement|ForInStatement|WhileStatement|DoWhileStatement'(loopPath) {
+                loopPath.traverse({
+                    CallExpression(callPath) {
+                        const callee = callPath.node.callee;
+                        if (callee.type !== 'MemberExpression')
+                            return;
+                        if (callee.property.type !== 'Identifier')
+                            return;
+                        const method = callee.property.name;
+                        if (!QUERY_METHODS.has(method))
+                            return;
+                        // Check if the object looks like a DB object
+                        const obj = callee.object;
+                        let objName = '';
+                        if (obj.type === 'Identifier') {
+                            objName = obj.name;
+                        }
+                        else if (obj.type === 'MemberExpression' &&
+                            obj.property.type === 'Identifier') {
+                            objName = obj.property.name;
+                        }
+                        if (objName && DB_OBJECTS.has(objName.toLowerCase())) {
+                            violations.push({
+                                ruleId: 'performance/n-plus-one-query',
+                                severity: 'high',
+                                message: `Database call "${objName}.${method}()" inside a loop — potential N+1 query problem. Batch the query outside the loop.`,
+                                location: {
+                                    file: filePath,
+                                    line: callPath.node.loc?.start.line ?? 0,
+                                    column: callPath.node.loc?.start.column ?? 0,
+                                },
+                            });
+                        }
+                    },
+                });
+            },
+        });
+        return violations;
+    },
+};
+exports.default = nPlusOneQueryRule;
+//# sourceMappingURL=n-plus-one-query.js.map

package/dist/n-plus-one-query.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"n-plus-one-query.js","sourceRoot":"","sources":["../src/n-plus-one-query.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,OAAO;IACP,SAAS;IACT,SAAS;IACT,UAAU;IACV,WAAW;IACX,YAAY;IACZ,UAAU;IACV,MAAM;IACN,KAAK;IACL,OAAO;IACP,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,QAAQ;IACR,OAAO;IACP,WAAW;CACZ,CAAC,CAAC;AAEH,wCAAwC;AACxC,MAAM,UAAU,GAAG,IAAI,GAAG,CAAC;IACzB,IAAI;IACJ,UAAU;IACV,YAAY;IACZ,MAAM;IACN,MAAM;IACN,QAAQ;IACR,QAAQ;IACR,MAAM;IACN,WAAW;IACX,UAAU;IACV,OAAO;IACP,YAAY;IACZ,YAAY;IACZ,MAAM;CACP,CAAC,CAAC;AAEH,MAAM,iBAAiB,GAAS;IAC9B,EAAE,EAAE,8BAA8B;IAClC,IAAI,EAAE,WAAW;IACjB,WAAW,EACT,oFAAoF;IACtF,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,aAAa;IAEvB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,4EAA4E,CAC1E,QAAQ;gBAER,QAAQ,CAAC,QAAQ,CAAC;oBAChB,cAAc,CAAC,QAAQ;wBACrB,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,CAAC,MAAM,CAAC;wBACpC,IAAI,MAAM,CAAC,IAAI,KAAK,kBAAkB;4BAAE,OAAO;wBAC/C,IAAI,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;4BAAE,OAAO;wBAElD,MAAM,MAAM,GAAG,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC;wBACpC,IAAI,CAAC,aAAa,CAAC,GAAG,CAAC,MAAM,CAAC;4BAAE,OAAO;wBAEvC,6CAA6C;wBAC7C,MAAM,GAAG,GAAG,MAAM,CAAC,MAAM,CAAC;wBAC1B,IAAI,OAAO,GAAG,EAAE,CAAC;wBACjB,IAAI,GAAG,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;4BAC9B,OAAO,GAAG,GAAG,CAAC,IAAI,CAAC;wBACrB,CAAC;6BAAM,IACL,GAAG,CAAC,IAAI,KAAK,kBAAkB;4BAC/B,GAAG,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY,EAClC,CAAC;4BACD,OAAO,GAAG,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC;wBAC9B,CAAC;wBAED,IAAI,OAAO,IAAI,UAAU,CAAC,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,EAAE,CAAC;4BACrD,UAAU,CAAC,IAAI,CAAC;gCACd,MAAM,EAAE,8BAA8B;gCACtC,QAAQ,EAAE,MAAM;gCAChB,OAAO,EAAE,kBAAkB,OAAO,IAAI,MAAM,oFAAoF;gCAChI,QAAQ,EAAE;oCACR,IAAI,EAAE,QAAQ;oCACd,IAAI,EAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;oCACxC,MAAM,EAAE,QAAQ,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;iCAC7C;6BACF,CAAC,CAAC;wBACL,CAAC;oBACH,CAAC;iBACF,CAAC,CAAC;YACL,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,iBAAiB,CAAC"}

package/dist/no-eval.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const noEvalRule: Rule;
+export default noEvalRule;
+//# sourceMappingURL=no-eval.d.ts.map

package/dist/no-eval.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-eval.d.ts","sourceRoot":"","sources":["../src/no-eval.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAIvE,QAAA,MAAM,UAAU,EAAE,IAmDjB,CAAC;AAEF,eAAe,UAAU,CAAC"}

package/dist/no-eval.js

@@ -0,0 +1,53 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const DANGEROUS_GLOBALS = new Set(['eval', 'Function']);
+const noEvalRule = {
+    id: 'security/no-eval',
+    name: 'No Eval',
+    description: 'Detects usage of eval() and new Function() which can lead to code injection',
+    severity: 'critical',
+    category: 'security',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            CallExpression(path) {
+                if (path.node.callee.type === 'Identifier' &&
+                    path.node.callee.name === 'eval') {
+                    violations.push({
+                        ruleId: 'security/no-eval',
+                        severity: 'critical',
+                        message: 'eval() is dangerous and can lead to code injection. Use safer alternatives.',
+                        location: {
+                            file: filePath,
+                            line: path.node.loc?.start.line ?? 0,
+                            column: path.node.loc?.start.column ?? 0,
+                        },
+                    });
+                }
+            },
+            NewExpression(path) {
+                if (path.node.callee.type === 'Identifier' &&
+                    path.node.callee.name === 'Function') {
+                    violations.push({
+                        ruleId: 'security/no-eval',
+                        severity: 'critical',
+                        message: 'new Function() is equivalent to eval() and can lead to code injection.',
+                        location: {
+                            file: filePath,
+                            line: path.node.loc?.start.line ?? 0,
+                            column: path.node.loc?.start.column ?? 0,
+                        },
+                    });
+                }
+            },
+        });
+        return violations;
+    },
+};
+exports.default = noEvalRule;
+//# sourceMappingURL=no-eval.js.map

package/dist/no-eval.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-eval.js","sourceRoot":"","sources":["../src/no-eval.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC,MAAM,iBAAiB,GAAG,IAAI,GAAG,CAAC,CAAC,MAAM,EAAE,UAAU,CAAC,CAAC,CAAC;AAExD,MAAM,UAAU,GAAS;IACvB,EAAE,EAAE,kBAAkB;IACtB,IAAI,EAAE,SAAS;IACf,WAAW,EAAE,6EAA6E;IAC1F,QAAQ,EAAE,UAAU;IACpB,QAAQ,EAAE,UAAU;IAEpB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,cAAc,CAAC,IAAI;gBACjB,IACE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;oBACtC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,MAAM,EAChC,CAAC;oBACD,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,kBAAkB;wBAC1B,QAAQ,EAAE,UAAU;wBACpB,OAAO,EAAE,6EAA6E;wBACtF,QAAQ,EAAE;4BACR,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;4BACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;yBACzC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;YAED,aAAa,CAAC,IAAI;gBAChB,IACE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;oBACtC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,UAAU,EACpC,CAAC;oBACD,UAAU,CAAC,IAAI,CAAC;wBACd,MAAM,EAAE,kBAAkB;wBAC1B,QAAQ,EAAE,UAAU;wBACpB,OAAO,EAAE,wEAAwE;wBACjF,QAAQ,EAAE;4BACR,IAAI,EAAE,QAAQ;4BACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;4BACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;yBACzC;qBACF,CAAC,CAAC;gBACL,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,UAAU,CAAC"}

package/dist/no-rate-limiting.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const noRateLimitingRule: Rule;
+export default noRateLimitingRule;
+//# sourceMappingURL=no-rate-limiting.d.ts.map

package/dist/no-rate-limiting.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-rate-limiting.d.ts","sourceRoot":"","sources":["../src/no-rate-limiting.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAUvE,QAAA,MAAM,kBAAkB,EAAE,IAkEzB,CAAC;AAEF,eAAe,kBAAkB,CAAC"}

package/dist/no-rate-limiting.js

@@ -0,0 +1,72 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const RATE_LIMIT_PACKAGES = new Set([
+    'express-rate-limit',
+    'rate-limiter-flexible',
+    'express-slow-down',
+    'express-brute',
+    'koa-ratelimit',
+]);
+const noRateLimitingRule = {
+    id: 'security/no-rate-limiting',
+    name: 'No Rate Limiting',
+    description: 'Detects Express/HTTP server apps without rate limiting middleware',
+    severity: 'info',
+    category: 'security',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        let hasExpress = false;
+        let hasRateLimiting = false;
+        let expressLine = 0;
+        let expressColumn = 0;
+        (0, traverse_1.default)(ast, {
+            ImportDeclaration(path) {
+                const source = path.node.source.value;
+                if (source === 'express' || source === 'koa') {
+                    hasExpress = true;
+                    expressLine = path.node.loc?.start.line ?? 0;
+                    expressColumn = path.node.loc?.start.column ?? 0;
+                }
+                if (RATE_LIMIT_PACKAGES.has(source)) {
+                    hasRateLimiting = true;
+                }
+            },
+            CallExpression(path) {
+                if (path.node.callee.type === 'Identifier' &&
+                    path.node.callee.name === 'require' &&
+                    path.node.arguments.length === 1 &&
+                    path.node.arguments[0].type === 'StringLiteral') {
+                    const source = path.node.arguments[0].value;
+                    if (source === 'express' || source === 'koa') {
+                        hasExpress = true;
+                        expressLine = path.node.loc?.start.line ?? 0;
+                        expressColumn = path.node.loc?.start.column ?? 0;
+                    }
+                    if (RATE_LIMIT_PACKAGES.has(source)) {
+                        hasRateLimiting = true;
+                    }
+                }
+            },
+        });
+        if (hasExpress && !hasRateLimiting) {
+            violations.push({
+                ruleId: 'security/no-rate-limiting',
+                severity: 'info',
+                message: 'Express/HTTP server without rate limiting. Consider adding express-rate-limit or similar.',
+                location: {
+                    file: filePath,
+                    line: expressLine,
+                    column: expressColumn,
+                },
+            });
+        }
+        return violations;
+    },
+};
+exports.default = noRateLimitingRule;
+//# sourceMappingURL=no-rate-limiting.js.map

package/dist/no-rate-limiting.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-rate-limiting.js","sourceRoot":"","sources":["../src/no-rate-limiting.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC,MAAM,mBAAmB,GAAG,IAAI,GAAG,CAAC;IAClC,oBAAoB;IACpB,uBAAuB;IACvB,mBAAmB;IACnB,eAAe;IACf,eAAe;CAChB,CAAC,CAAC;AAEH,MAAM,kBAAkB,GAAS;IAC/B,EAAE,EAAE,2BAA2B;IAC/B,IAAI,EAAE,kBAAkB;IACxB,WAAW,EACT,mEAAmE;IACrE,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,UAAU;IAEpB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAI,UAAU,GAAG,KAAK,CAAC;QACvB,IAAI,eAAe,GAAG,KAAK,CAAC;QAC5B,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,IAAI,aAAa,GAAG,CAAC,CAAC;QAEtB,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,iBAAiB,CAAC,IAAI;gBACpB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC;gBACtC,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;oBAC7C,UAAU,GAAG,IAAI,CAAC;oBAClB,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;oBAC7C,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC;gBACnD,CAAC;gBACD,IAAI,mBAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBACpC,eAAe,GAAG,IAAI,CAAC;gBACzB,CAAC;YACH,CAAC;YAED,cAAc,CAAC,IAAI;gBACjB,IACE,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;oBACtC,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS;oBACnC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,MAAM,KAAK,CAAC;oBAChC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,eAAe,EAC/C,CAAC;oBACD,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC;oBAC5C,IAAI,MAAM,KAAK,SAAS,IAAI,MAAM,KAAK,KAAK,EAAE,CAAC;wBAC7C,UAAU,GAAG,IAAI,CAAC;wBAClB,WAAW,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,CAAC;wBAC7C,aAAa,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC,CAAC;oBACnD,CAAC;oBACD,IAAI,mBAAmB,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;wBACpC,eAAe,GAAG,IAAI,CAAC;oBACzB,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,IAAI,UAAU,IAAI,CAAC,eAAe,EAAE,CAAC;YACnC,UAAU,CAAC,IAAI,CAAC;gBACd,MAAM,EAAE,2BAA2B;gBACnC,QAAQ,EAAE,MAAM;gBAChB,OAAO,EACL,2FAA2F;gBAC7F,QAAQ,EAAE;oBACR,IAAI,EAAE,QAAQ;oBACd,IAAI,EAAE,WAAW;oBACjB,MAAM,EAAE,aAAa;iBACtB;aACF,CAAC,CAAC;QACL,CAAC;QAED,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,kBAAe,kBAAkB,CAAC"}

package/dist/no-secrets-in-logs.d.ts

@@ -0,0 +1,4 @@
+import type { Rule } from '@guardrail-ai/core';
+declare const noSecretsInLogsRule: Rule;
+export default noSecretsInLogsRule;
+//# sourceMappingURL=no-secrets-in-logs.d.ts.map

package/dist/no-secrets-in-logs.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-secrets-in-logs.d.ts","sourceRoot":"","sources":["../src/no-secrets-in-logs.ts"],"names":[],"mappings":"AACA,OAAO,KAAK,EAAE,IAAI,EAA0B,MAAM,oBAAoB,CAAC;AAKvE,QAAA,MAAM,mBAAmB,EAAE,IAgD1B,CAAC;AAmBF,eAAe,mBAAmB,CAAC"}

package/dist/no-secrets-in-logs.js

@@ -0,0 +1,71 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const traverse_1 = __importDefault(require("@babel/traverse"));
+const SENSITIVE_PATTERNS = /(?:password|secret|token|key|auth|credential|private|ssn|credit.?card)/i;
+const LOG_METHODS = new Set(['log', 'info', 'debug', 'warn', 'error', 'trace']);
+const noSecretsInLogsRule = {
+    id: 'security/no-secrets-in-logs',
+    name: 'No Secrets in Logs',
+    description: 'Detects potentially sensitive variable names being passed to logging functions',
+    severity: 'high',
+    category: 'security',
+    detect(context) {
+        const violations = [];
+        const { ast, filePath } = context;
+        (0, traverse_1.default)(ast, {
+            CallExpression(path) {
+                const callee = path.node.callee;
+                if (callee.type !== 'MemberExpression' ||
+                    callee.object.type !== 'Identifier' ||
+                    callee.object.name !== 'console' ||
+                    callee.property.type !== 'Identifier' ||
+                    !LOG_METHODS.has(callee.property.name)) {
+                    return;
+                }
+                for (const arg of path.node.arguments) {
+                    if (arg.type === 'SpreadElement')
+                        continue;
+                    const names = extractIdentifierNames(arg);
+                    for (const name of names) {
+                        if (SENSITIVE_PATTERNS.test(name)) {
+                            violations.push({
+                                ruleId: 'security/no-secrets-in-logs',
+                                severity: 'high',
+                                message: `Variable "${name}" may contain sensitive data and is being logged. Redact before logging.`,
+                                location: {
+                                    file: filePath,
+                                    line: path.node.loc?.start.line ?? 0,
+                                    column: path.node.loc?.start.column ?? 0,
+                                },
+                            });
+                            break;
+                        }
+                    }
+                }
+            },
+        });
+        return violations;
+    },
+};
+function extractIdentifierNames(node) {
+    const names = [];
+    if (!node)
+        return names;
+    if (node.type === 'Identifier') {
+        names.push(node.name);
+    }
+    else if (node.type === 'MemberExpression' && node.property?.type === 'Identifier') {
+        names.push(node.property.name);
+    }
+    else if (node.type === 'TemplateLiteral') {
+        for (const expr of node.expressions || []) {
+            names.push(...extractIdentifierNames(expr));
+        }
+    }
+    return names;
+}
+exports.default = noSecretsInLogsRule;
+//# sourceMappingURL=no-secrets-in-logs.js.map

package/dist/no-secrets-in-logs.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"no-secrets-in-logs.js","sourceRoot":"","sources":["../src/no-secrets-in-logs.ts"],"names":[],"mappings":";;;;;AAAA,+DAAuC;AAGvC,MAAM,kBAAkB,GAAG,yEAAyE,CAAC;AACrG,MAAM,WAAW,GAAG,IAAI,GAAG,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,CAAC,CAAC,CAAC;AAEhF,MAAM,mBAAmB,GAAS;IAChC,EAAE,EAAE,6BAA6B;IACjC,IAAI,EAAE,oBAAoB;IAC1B,WAAW,EAAE,gFAAgF;IAC7F,QAAQ,EAAE,MAAM;IAChB,QAAQ,EAAE,UAAU;IAEpB,MAAM,CAAC,OAAoB;QACzB,MAAM,UAAU,GAAgB,EAAE,CAAC;QACnC,MAAM,EAAE,GAAG,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC;QAElC,IAAA,kBAAQ,EAAC,GAAG,EAAE;YACZ,cAAc,CAAC,IAAI;gBACjB,MAAM,MAAM,GAAG,IAAI,CAAC,IAAI,CAAC,MAAM,CAAC;gBAChC,IACE,MAAM,CAAC,IAAI,KAAK,kBAAkB;oBAClC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,YAAY;oBACnC,MAAM,CAAC,MAAM,CAAC,IAAI,KAAK,SAAS;oBAChC,MAAM,CAAC,QAAQ,CAAC,IAAI,KAAK,YAAY;oBACrC,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,EACtC,CAAC;oBACD,OAAO;gBACT,CAAC;gBAED,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;oBACtC,IAAI,GAAG,CAAC,IAAI,KAAK,eAAe;wBAAE,SAAS;oBAC3C,MAAM,KAAK,GAAG,sBAAsB,CAAC,GAAG,CAAC,CAAC;oBAC1C,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;wBACzB,IAAI,kBAAkB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;4BAClC,UAAU,CAAC,IAAI,CAAC;gCACd,MAAM,EAAE,6BAA6B;gCACrC,QAAQ,EAAE,MAAM;gCAChB,OAAO,EAAE,aAAa,IAAI,0EAA0E;gCACpG,QAAQ,EAAE;oCACR,IAAI,EAAE,QAAQ;oCACd,IAAI,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC;oCACpC,MAAM,EAAE,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,MAAM,IAAI,CAAC;iCACzC;6BACF,CAAC,CAAC;4BACH,MAAM;wBACR,CAAC;oBACH,CAAC;gBACH,CAAC;YACH,CAAC;SACF,CAAC,CAAC;QAEH,OAAO,UAAU,CAAC;IACpB,CAAC;CACF,CAAC;AAEF,SAAS,sBAAsB,CAAC,IAAS;IACvC,MAAM,KAAK,GAAa,EAAE,CAAC;IAC3B,IAAI,CAAC,IAAI;QAAE,OAAO,KAAK,CAAC;IAExB,IAAI,IAAI,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;QAC/B,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxB,CAAC;SAAM,IAAI,IAAI,CAAC,IAAI,KAAK,kBAAkB,IAAI,IAAI,CAAC,QAAQ,EAAE,IAAI,KAAK,YAAY,EAAE,CAAC;QACpF,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC;IACjC,CAAC;SAAM,IAAI,IAAI,CAAC,IAAI,KAAK,iBAAiB,EAAE,CAAC;QAC3C,KAAK,MAAM,IAAI,IAAI,IAAI,CAAC,WAAW,IAAI,EAAE,EAAE,CAAC;YAC1C,KAAK,CAAC,IAAI,CAAC,GAAG,sBAAsB,CAAC,IAAI,CAAC,CAAC,CAAC;QAC9C,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,kBAAe,mBAAmB,CAAC"}