@intentsolutionsio/penetration-tester 2.0.0 → 3.0.4

package/skills/detecting-exposed-secrets-files/references/PLAYBOOK.md

@@ -0,0 +1,274 @@
+# Exposed-Files Remediation Playbook
+
+## Pattern 1 — Block dot-directories at the web server
+
+### nginx (location blocks)
+
+```nginx
+# Deny all dot-files / dot-directories
+location ~ /\. {
+    deny all;
+    access_log off;
+    log_not_found off;
+}
+
+# Belt-and-suspenders for specific high-value paths
+location ~ ^/(\.git|\.svn|\.hg|\.bzr|\.env|\.aws|\.ssh) {
+    deny all;
+    return 404;
+}
+```
+
+### Apache (vhost or .htaccess)
+
+```apache
+<DirectoryMatch "^\.|/\.">
+    Require all denied
+</DirectoryMatch>
+
+<Files ~ "^\.">
+    Require all denied
+</Files>
+```
+
+### Caddy
+
+Caddy denies dot-directories by default since v2.0. To explicitly
+assert:
+
+```caddy
+example.com {
+    @dot path */.git/* */.env */.aws/* */.ssh/* */.svn/*
+    respond @dot 404
+    file_server
+}
+```
+
+### AWS ALB / WAF
+
+Add a managed-rule-group or custom rule:
+
+```json
+{
+    "Name": "BlockDotPaths",
+    "Statement": {
+        "RegexMatchStatement": {
+            "FieldToMatch": {"UriPath": {}},
+            "RegexString": "/\\.(git|env|aws|ssh|svn|hg|bzr|idea|vscode)(\\b|/)",
+            "TextTransformations": [{"Priority": 0, "Type": "LOWERCASE"}]
+        }
+    },
+    "Action": {"Block": {}}
+}
+```
+
+### Cloudflare WAF
+
+```
+http.request.uri.path matches "/\\.(git|env|aws|ssh|svn|hg|bzr)"
+```
+
+Action: Block.
+
+## Pattern 2 — Block backup / dump file extensions
+
+### nginx
+
+```nginx
+location ~* \.(sql|bak|dump|swp|swo|orig|backup|tar\.gz|tar\.bz2|zip|7z|rar)$ {
+    deny all;
+    return 404;
+}
+```
+
+### Apache
+
+```apache
+<FilesMatch "\.(sql|bak|dump|swp|swo|orig|backup|tar\.gz|tar\.bz2|zip|7z|rar)$">
+    Require all denied
+</FilesMatch>
+```
+
+### Caddy
+
+```caddy
+@backups path *.sql *.bak *.dump *.swp *.tar.gz *.zip
+respond @backups 404
+```
+
+## Pattern 3 — Block private key extensions
+
+### nginx
+
+```nginx
+location ~* \.(pem|key|p12|pfx|jks|crt|cer|csr|kdb|kbx)$ {
+    deny all;
+    return 404;
+}
+```
+
+These extensions should never be reachable via the web; if a key needs
+to be served (e.g., a JWKS for OAuth), serve it at an explicit path
+with a content-type check rather than relying on the extension.
+
+## Pattern 4 — Block development metadata
+
+### nginx
+
+```nginx
+location ~* /(phpinfo|info|test)\.php$ {
+    deny all;
+    return 404;
+}
+
+location ~* /(composer\.json|package\.json|Dockerfile|docker-compose\.yml|requirements\.txt|Gemfile|build\.gradle)$ {
+    deny all;
+    return 404;
+}
+```
+
+`phpinfo.php` should be removed from any production environment.
+Detection of an active `phpinfo.php` on prod is an audit-flag-worthy
+operational gap; the fix is removal, not access control.
+
+## Pattern 5 — Block at the build / deploy layer
+
+The cleanest fix is preventing the files from getting deployed in
+the first place.
+
+### Dockerfile — multi-stage build with explicit copies
+
+```dockerfile
+# Build stage
+FROM node:20 AS build
+WORKDIR /build
+COPY package.json package-lock.json ./
+RUN npm ci
+COPY src/ ./src/
+RUN npm run build
+
+# Runtime stage — only copy the built artifact, NOT the build context
+FROM nginx:alpine
+COPY --from=build /build/dist /usr/share/nginx/html
+```
+
+Notice: no `COPY . .` anywhere. The build stage gets only what it
+needs; the runtime stage gets only the `dist/` artifact. `.git/`,
+`.env`, `node_modules/`, etc., never reach the runtime image.
+
+### .dockerignore
+
+```
+.git
+.env*
+.aws
+.ssh
+*.pem
+*.key
+node_modules
+.DS_Store
+.idea
+.vscode
+backup.sql
+*.sql
+*.dump
+```
+
+### .gitlab-ci.yml / GitHub Actions — exclude sensitive paths from artifacts
+
+```yaml
+artifacts:
+  paths:
+    - dist/
+  exclude:
+    - "**/.git*"
+    - "**/.env*"
+    - "**/.aws/*"
+    - "**/.ssh/*"
+    - "**/*.pem"
+    - "**/*.key"
+    - "**/backup.*"
+    - "**/*.sql"
+```
+
+## Pattern 6 — Cloud Run / Lambda artifact builds
+
+Cloud Run and Lambda build the deployment artifact from your repo by
+default. To exclude:
+
+### Cloud Run via Cloud Build
+
+```yaml
+# cloudbuild.yaml
+steps:
+  - name: 'gcr.io/cloud-builders/docker'
+    args: ['build', '-t', 'gcr.io/$PROJECT_ID/app', '.']
+options:
+  ignoreFile: '.dockerignore'  # honored by Cloud Build
+```
+
+Combined with the `.dockerignore` above, this excludes the files.
+
+### Lambda via SAM / Serverless Framework
+
+```yaml
+package:
+  patterns:
+    - '!.git/**'
+    - '!.env*'
+    - '!.aws/**'
+    - '!.ssh/**'
+    - '!**/*.pem'
+    - '!**/*.key'
+    - '!backup.*'
+    - '!**/*.sql'
+```
+
+## Auditing existing deployments
+
+Run the scanner on every production endpoint:
+
+```bash
+for ENDPOINT in $(cat production-urls.txt); do
+    python3 plugins/security/penetration-tester/skills/detecting-exposed-secrets-files/scripts/probe_secrets.py \
+        "$ENDPOINT" --authorized --min-severity critical \
+        --format jsonl --output /dev/stdout
+done > exposure-audit.jsonl
+```
+
+Treat any CRITICAL finding as ship-same-hour. Document the
+remediation in the same PR as the audit (so the audit's grep target
+gets re-verified on commit).
+
+## After remediation — assume compromise
+
+If `.git/` was exposed, assume:
+
+- Every credential ever committed to the repo, including ones in past
+  commits that were later removed, is compromised. Rotate them all.
+- The full source code is in the attacker's hands. Treat any
+  authentication / authorization logic as if it had been read.
+
+If `.env` was exposed:
+
+- Rotate every credential in the file
+- Audit logs for any API call against those credentials in the
+  past window from when the deploy happened to when you rotated
+- Notify partners whose API keys you held
+
+If a backup `.sql` was exposed:
+
+- Assume the database is compromised in the state it was in when
+  the backup was taken
+- Trigger your data-breach response: regulator notification,
+  customer notification, credential rotation for anyone whose
+  data was in the dump
+
+## Verification after remediation
+
+```bash
+python3 ${CLAUDE_PLUGIN_ROOT}/skills/detecting-exposed-secrets-files/scripts/probe_secrets.py \
+    https://example.com --authorized --min-severity info
+```
+
+Expected: exit 0, zero findings of any severity.

package/skills/detecting-exposed-secrets-files/references/THEORY.md

@@ -0,0 +1,174 @@
+# Exposed-Files Theory
+
+## Why this probe class is the highest-value pentest call
+
+Most pentest findings are about chained conditions and threshold judgments.
+This one is binary: either the `.git/HEAD` is reachable or it's not. A
+single 200 response answers the question. The consequence of a true
+positive is direct: full repo history (with embedded credentials in old
+commits), live API keys (in `.env`), and direct database access (in
+`backup.sql`). No CVE chaining, no exploitation primitive needed.
+
+The reason these exposures keep happening is operational: web servers
+are designed to serve files from a directory tree, and deployment
+processes routinely deploy the whole tree, including dot-directories
+and config files the application never intended to expose. Modern
+frameworks ship "deny" defaults (Caddy, nginx with a security baseline,
+Cloud Run) but legacy stacks (LAMP on a shared host, hand-rolled
+nginx vhosts on a VM) default to "allow."
+
+## File-by-file: why each one matters
+
+### `.git/` — version control directory
+
+The `.git/` subdirectory contains the entire history of the repository.
+Exposing it allows an attacker to clone the repo without needing
+authentication:
+
+```
+git clone https://example.com/.git/  ./reconstructed-source
+```
+
+History reveals:
+
+- API keys in old commits (before the `.env` was added to `.gitignore`)
+- Hardcoded credentials someone removed but didn't rebase out
+- Repo URL + branch names + commit messages → understanding the
+  deployment process
+- Database schemas if migrations are checked in
+- Source code (obviously) → static analysis targets
+
+Three minimal probes that confirm exposure:
+
+- `.git/HEAD` — should be a small text file starting with `ref:` or a
+  40-char hex SHA
+- `.git/config` — `[remote "origin"]` block reveals the upstream
+- `.git/index` — binary file starting with `DIRC` magic
+
+The `.git/` exposure is so common that there are off-the-shelf tools
+(GitDumper, git-dumper) that walk the exposed directory and reconstruct
+the repo. Once exposed, assume the full history is compromised.
+
+### `.env` — dotenv credentials
+
+Most modern stacks (Node.js with dotenv, Python with python-dotenv,
+Ruby with dotenv-rails, Laravel) load environment variables from a
+`.env` file at startup. The file's contents are typically the most
+sensitive thing the application has: API keys, database connection
+strings, signing secrets, third-party credentials.
+
+A leaked `.env`:
+
+- Lets an attacker authenticate as the app to upstream services
+  (Stripe, Twilio, OpenAI, etc.)
+- Reveals database credentials if `DATABASE_URL` is present
+- Discloses signing secrets for JWT / session tokens, enabling token
+  forgery without further effort
+
+Fingerprint: `KEY=VALUE` pattern on each line, often `[A-Z_]` keys.
+
+### `.aws/credentials`, `.aws/config`
+
+AWS SDK and CLI look in `~/.aws/credentials` by default. If a deploy
+process accidentally copies the user's home directory into the web
+root, AWS credentials are reachable.
+
+`[default]\naws_access_key_id = AKIA...` is the fingerprint. Once
+leaked, the credentials grant whatever permissions the IAM principal
+had — historically that's "Administrator" on dev/test accounts
+because the principle of least privilege is not the default.
+
+### Private keys (`id_rsa`, `*.pem`, `*.key`)
+
+SSH private keys, TLS private keys, or signing keys. Exposure means:
+
+- An attacker can authenticate as the server to other systems (lateral
+  movement)
+- An attacker can MITM TLS connections by presenting the leaked cert +
+  key combination
+- An attacker can sign tokens / artifacts as the system
+
+Fingerprint: any of `-----BEGIN RSA PRIVATE KEY-----`,
+`-----BEGIN OPENSSH PRIVATE KEY-----`, `-----BEGIN PRIVATE KEY-----`,
+`-----BEGIN EC PRIVATE KEY-----`, `-----BEGIN DSA PRIVATE KEY-----`.
+
+### Backup files (`backup.sql`, `dump.sql`, `*.tar.gz`)
+
+SQL dumps contain the entire database — schema and rows. A leaked
+backup is functionally equivalent to RCE on the database server.
+Common origins:
+
+- Operator made a backup before a migration and left it in the web root
+- Deploy script copies a tarball of the previous release into the web
+  root for rollback purposes
+- Cron job dumps a backup to a path the web server happens to serve
+
+Fingerprint: SQL dumps contain `CREATE TABLE`, `INSERT INTO`. Archive
+files (binary) get a no-fingerprint check — the path being reachable
+at 200 is the finding.
+
+### `.DS_Store`
+
+macOS Finder creates a `.DS_Store` in every directory it views,
+recording metadata about how the directory is displayed. The binary
+format includes the filenames of every file in the directory.
+
+Exposure is medium severity because it doesn't directly leak credentials
+or source code, but it enumerates the directory structure, including
+hidden files that wouldn't otherwise be discoverable by URL probing.
+
+Fingerprint: binary blob with `Bud1` magic at offset 4 or 0.
+
+### `phpinfo()` output
+
+PHP's `phpinfo()` function dumps the full PHP environment — every
+configuration directive, every environment variable, every loaded
+module. Common in `phpinfo.php`, `info.php`, `test.php` files left
+behind from initial server setup.
+
+Includes:
+
+- Document root path (informs directory traversal)
+- Loaded extensions (informs exploit selection)
+- Often: `SERVER` variables including request headers and cookies
+- Sometimes: `ENV` variables including secrets
+
+Fingerprint: HTML body containing `PHP Version` heading.
+
+### IDE configs (`.idea/`, `.vscode/`)
+
+Per-project IDE settings. Low severity but information disclosure:
+
+- Run configurations (database connection strings, env vars used during dev)
+- Recent file lists (informs which files the dev was working on)
+- Inspection scope (informs which directories have application code)
+
+### Dependency manifests on production root (`package.json`, etc.)
+
+Information disclosure: exposes exact versions of every dependency,
+enabling targeted CVE lookup. Not a vulnerability in itself, but a
+recon enabler.
+
+## Why fingerprint-checking matters
+
+SPAs (Single-Page Applications) using client-side routing return the
+app's `index.html` for any unknown route — including `/.git/HEAD`.
+Without fingerprint verification, every `/.git/*` probe returns 200
+and every `/.env` probe returns 200, all of them false positives.
+
+The fingerprint check inspects the response body. If a request for
+`.git/HEAD` returns 200 with body `<!DOCTYPE html>`, it's the SPA
+catching the route, not a real `.git/HEAD`. If the body starts with
+`ref:` or matches a 40-char hex SHA, it's the real file.
+
+The skill's `--check-only` mode skips fingerprint verification for
+cases where the operator wants to know about every 200, including
+the SPA false positives, and accepts noise as the cost.
+
+## Primary sources
+
+- [OWASP WSTG-INFO-02 — Fingerprint Web Server](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/01-Information_Gathering/02-Fingerprint_Web_Server)
+- [OWASP WSTG-CONF-04 — Review Old Backup and Unreferenced Files](https://owasp.org/www-project-web-security-testing-guide/v42/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/04-Review_Old_Backup_and_Unreferenced_Files_for_Sensitive_Information)
+- [CWE-538 — File and Directory Information Exposure](https://cwe.mitre.org/data/definitions/538.html)
+- [CWE-200 — Information Exposure](https://cwe.mitre.org/data/definitions/200.html)
+- [NIST SP 800-53 SC-28 — Protection of Information at Rest](https://nvd.nist.gov/800-53/Rev5/control/SC-28)

package/skills/detecting-exposed-secrets-files/scripts/probe_secrets.py

@@ -0,0 +1,207 @@
+#!/usr/bin/env python3
+"""Probe for accidentally-served secret-bearing files in the web root.
+
+Companion to skill `detecting-exposed-secrets-files`. Sends a GET for
+each path in a curated 40+ probe set. For 200 responses, fingerprints
+the body to distinguish a real file from an SPA index page that 200s
+on any route.
+
+References:
+    OWASP WSTG v4.2 § 4.2.4 Enumerate Infrastructure / Application
+    NIST SP 800-53 SC-28 Protection of Information at Rest
+    CWE-538 File and Directory Information Exposure
+"""
+
+from __future__ import annotations
+
+import argparse
+import re
+import sys
+from pathlib import Path
+
+_PLUGIN_ROOT = Path(__file__).resolve().parents[3]
+if str(_PLUGIN_ROOT) not in sys.path:
+    sys.path.insert(0, str(_PLUGIN_ROOT))
+
+from lib.authz_check import require_authorization  # noqa: E402
+from lib.finding import Finding, Severity  # noqa: E402
+from lib.http_client import make_session, safe_get  # noqa: E402
+from lib.report import emit, exit_code  # noqa: E402
+
+SKILL_ID = "detecting-exposed-secrets-files"
+
+
+# Probe set. Each entry: (path, label, severity, body_fingerprint_regex_or_None, control)
+# fingerprint_regex applied case-insensitively against first 2 KiB of body.
+PROBES = [
+    # Critical - direct credential / source / data exposure
+    (
+        ".git/HEAD",
+        "Git repository .git/HEAD exposed",
+        Severity.CRITICAL,
+        r"^(ref:\s*refs/|[0-9a-f]{40})",
+        "NIST 800-53 SC-28",
+    ),
+    (
+        ".git/config",
+        "Git repository .git/config exposed (may include remote credentials)",
+        Severity.CRITICAL,
+        r"\[remote\b",
+        "NIST 800-53 SC-28",
+    ),
+    (".git/index", "Git repository .git/index exposed", Severity.CRITICAL, r"^DIRC", "NIST 800-53 SC-28"),
+    (
+        ".git/logs/HEAD",
+        "Git repository ref log exposed",
+        Severity.CRITICAL,
+        r"[0-9a-f]{40}\s+[0-9a-f]{40}",
+        "NIST 800-53 SC-28",
+    ),
+    (
+        ".env",
+        ".env file exposed (likely contains API keys, DB credentials)",
+        Severity.CRITICAL,
+        r"^[A-Z_][A-Z0-9_]*\s*=",
+        "OWASP A05:2021",
+    ),
+    (".env.production", ".env.production exposed", Severity.CRITICAL, r"^[A-Z_][A-Z0-9_]*\s*=", "OWASP A05:2021"),
+    (".env.local", ".env.local exposed", Severity.CRITICAL, r"^[A-Z_][A-Z0-9_]*\s*=", "OWASP A05:2021"),
+    (
+        ".aws/credentials",
+        "AWS credentials file exposed",
+        Severity.CRITICAL,
+        r"\[default\]|aws_access_key_id",
+        "CWE-200",
+    ),
+    (".aws/config", "AWS config file exposed", Severity.CRITICAL, r"\[default\]|region\s*=", "CWE-200"),
+    ("id_rsa", "SSH private key exposed", Severity.CRITICAL, r"BEGIN\s+(RSA|OPENSSH|EC|DSA)?\s*PRIVATE KEY", "CWE-321"),
+    ("id_ed25519", "SSH ed25519 private key exposed", Severity.CRITICAL, r"BEGIN\s+OPENSSH\s+PRIVATE KEY", "CWE-321"),
+    ("server.pem", "Server PEM key exposed", Severity.CRITICAL, r"BEGIN\s+(RSA\s+)?PRIVATE KEY", "CWE-321"),
+    ("backup.sql", "SQL backup exposed", Severity.CRITICAL, r"CREATE\s+TABLE|INSERT\s+INTO", "CWE-538"),
+    ("dump.sql", "SQL dump exposed", Severity.CRITICAL, r"CREATE\s+TABLE|INSERT\s+INTO", "CWE-538"),
+    ("database.sql", "Database SQL exposed", Severity.CRITICAL, r"CREATE\s+TABLE|INSERT\s+INTO", "CWE-538"),
+    ("backup.zip", "Archive backup.zip exposed", Severity.CRITICAL, None, "CWE-538"),
+    ("backup.tar.gz", "Archive backup.tar.gz exposed", Severity.CRITICAL, None, "CWE-538"),
+    ("dump.tar.gz", "Archive dump.tar.gz exposed", Severity.CRITICAL, None, "CWE-538"),
+    # High - VCS metadata (less direct than .git but still source-of-truth-leaking)
+    (".svn/entries", "Subversion .svn/entries exposed", Severity.HIGH, r"^\d+\s|^svn:", "NIST 800-53 SC-28"),
+    (".svn/wc.db", "Subversion working copy DB exposed", Severity.HIGH, r"^SQLite", "NIST 800-53 SC-28"),
+    (".hg/store/00manifest.i", "Mercurial repo manifest exposed", Severity.HIGH, None, "NIST 800-53 SC-28"),
+    (".bzr/branch-format", "Bazaar branch format exposed", Severity.HIGH, r"Bazaar", "NIST 800-53 SC-28"),
+    # Medium - useful enumeration for attacker
+    (
+        ".DS_Store",
+        "macOS .DS_Store exposed (reveals directory structure)",
+        Severity.MEDIUM,
+        r"^Bud1|^\x00\x00\x00\x01Bud1",
+        "CWE-538",
+    ),
+    ("Thumbs.db", "Windows Thumbs.db exposed", Severity.MEDIUM, None, "CWE-538"),
+    ("phpinfo.php", "phpinfo() output exposed", Severity.MEDIUM, r"PHP Version|phpinfo\(\)", "CWE-200"),
+    ("info.php", "PHP info exposed", Severity.MEDIUM, r"PHP Version|phpinfo\(\)", "CWE-200"),
+    ("test.php", "Test PHP file exposed", Severity.MEDIUM, r"PHP Version|phpinfo\(\)", "CWE-200"),
+    # Low - infrastructure metadata
+    (".idea/workspace.xml", "JetBrains IDE config exposed", Severity.LOW, r"<project", "CWE-200"),
+    (".vscode/settings.json", "VS Code config exposed", Severity.LOW, r"^\s*\{", "CWE-200"),
+    (".gitlab-ci.yml", "GitLab CI config exposed", Severity.LOW, r"stages:|script:", "CWE-200"),
+    (".github/workflows/", "GitHub Actions workflows dir exposed", Severity.LOW, None, "CWE-200"),
+    ("Dockerfile", "Dockerfile exposed", Severity.LOW, r"^FROM\s+", "CWE-200"),
+    ("docker-compose.yml", "docker-compose.yml exposed", Severity.LOW, r"^version:|services:", "CWE-200"),
+    ("composer.json", "PHP composer.json exposed on web root", Severity.LOW, r'"name":\s*"', "CWE-200"),
+    ("package.json", "Node package.json exposed on web root", Severity.LOW, r'"name":\s*"', "CWE-200"),
+    ("requirements.txt", "Python requirements.txt exposed", Severity.LOW, r"^[a-zA-Z][a-zA-Z0-9_.-]*[=<>]", "CWE-200"),
+    ("Gemfile", "Ruby Gemfile exposed", Severity.LOW, r"^source\s+['\"]https", "CWE-200"),
+    ("config.yml", "Generic config.yml exposed", Severity.LOW, None, "CWE-200"),
+    ("config.json", "Generic config.json exposed", Severity.LOW, r"^\s*\{", "CWE-200"),
+    ("README.md", "README.md exposed on production web root", Severity.LOW, r"^#\s+", "CWE-200"),
+]
+
+
+def _verify_fingerprint(body_text: str, fingerprint_re: str | None, content_type: str) -> bool:
+    """Return True if response body looks like the expected file type."""
+    if fingerprint_re is None:
+        # No fingerprint check requested (e.g. binary archives) — trust the 200
+        return True
+    # Inspect first 2 KiB
+    sample = body_text[:2048]
+    if re.search(fingerprint_re, sample, re.MULTILINE | re.IGNORECASE):
+        return True
+    # If server claimed it's HTML / SPA, treat as false positive
+    if "text/html" in content_type.lower():
+        return False
+    return False
+
+
+def main(argv: list[str] | None = None) -> int:
+    parser = argparse.ArgumentParser(description="Probe for exposed secrets files")
+    parser.add_argument("url")
+    parser.add_argument("--authorized", action="store_true")
+    parser.add_argument("--output", default=None)
+    parser.add_argument("--format", choices=("json", "jsonl", "markdown"), default="markdown")
+    parser.add_argument("--min-severity", choices=("critical", "high", "medium", "low", "info"), default="info")
+    parser.add_argument("--timeout", type=float, default=10.0)
+    parser.add_argument("--paths-file", default=None, help="Custom probe set (one path per line); replaces default")
+    parser.add_argument(
+        "--check-only", action="store_true", help="Skip body fingerprint check (treat any 200 as a finding)"
+    )
+    args = parser.parse_args(argv)
+
+    require_authorization(args.url, args.authorized)
+
+    base = args.url.rstrip("/") + "/"
+    sess = make_session(timeout=args.timeout)
+    findings: list[Finding] = []
+
+    if args.paths_file:
+        paths = Path(args.paths_file).read_text().splitlines()
+        probe_set = [
+            (p.strip(), f"Custom path exposed: {p.strip()}", Severity.MEDIUM, None, "custom")
+            for p in paths
+            if p.strip()
+        ]
+    else:
+        probe_set = PROBES
+
+    for path, title, sev, fingerprint, control in probe_set:
+        url = base + path.lstrip("/")
+        resp = safe_get(sess, url, timeout=args.timeout, allow_redirects=False)
+        if resp is None or resp.status_code != 200:
+            continue
+        body = resp.text or ""
+        ctype = resp.headers.get("Content-Type", "")
+        if not args.check_only and not _verify_fingerprint(body, fingerprint, ctype):
+            continue
+        evidence = (("status_code", 200), ("content_length", len(resp.content or b"")), ("content_type", ctype))
+        findings.append(
+            Finding(
+                skill_id=SKILL_ID,
+                title=title,
+                severity=sev,
+                target=url,
+                detail=(
+                    f"GET {url} returned 200 with content matching the expected "
+                    f"signature of {path!r}. The file is publicly reachable "
+                    "and likely contains sensitive data."
+                ),
+                remediation=(
+                    f"Configure the web server to deny requests to {path!r} and "
+                    "the directory it lives in. See references/PLAYBOOK.md for "
+                    "nginx / Apache / Caddy / ALB snippets per category."
+                ),
+                cwe_id=None,
+                affected_control=control,
+                evidence=evidence,
+            )
+        )
+
+    # Severity floor
+    floor = Severity(args.min_severity)
+    findings = [f for f in findings if f.severity.numeric >= floor.numeric]
+
+    target_display = args.url
+    emit(findings, args.output, args.format, target_display)
+    return exit_code(findings)
+
+
+if __name__ == "__main__":
+    sys.exit(main())