@kairosinternational/watchman 0.1.0

package/src/scanners/dependency-integrity/rules/hash-validation.rule.ts

@@ -0,0 +1,72 @@
+import { readFile } from 'node:fs/promises';
+import { basename } from 'node:path';
+import type { Rule, ScanContext } from '../../../types/index.js';
+
+interface PackageLockDep {
+  version?: string;
+  resolved?: string;
+  integrity?: string;
+  [key: string]: unknown;
+}
+
+export const hashValidationRule: Rule = {
+  id: 'hash-validation',
+  name: 'Lockfile Hash Validation',
+  description: 'Verifies that lockfile entries have integrity hashes and use secure algorithms',
+
+  async run(ctx: ScanContext): Promise<void> {
+    const lockfiles = ctx.files.filter((f) => basename(f) === 'package-lock.json');
+
+    for (const file of lockfiles) {
+      let content: string;
+      try {
+        content = await readFile(file, 'utf-8');
+      } catch {
+        continue;
+      }
+
+      let parsed: { packages?: Record<string, PackageLockDep> };
+      try {
+        parsed = JSON.parse(content);
+      } catch {
+        ctx.addFinding({
+          rule: 'hash-validation',
+          severity: 'high',
+          message: 'Lockfile is not valid JSON — may have been tampered with',
+          location: { file },
+        });
+        continue;
+      }
+
+      const packages = parsed.packages;
+      if (!packages) continue;
+
+      for (const [name, dep] of Object.entries(packages)) {
+        if (!name || name === '') continue; // root package
+
+        if (!dep.integrity) {
+          ctx.addFinding({
+            rule: 'hash-validation',
+            severity: 'high',
+            message: `Package "${name}" has no integrity hash in lockfile`,
+            location: { file },
+            suggestion: 'Run npm install to regenerate the lockfile with integrity hashes.',
+            metadata: { package: name, version: dep.version },
+          });
+          continue;
+        }
+
+        if (dep.integrity.startsWith('sha1-')) {
+          ctx.addFinding({
+            rule: 'hash-validation',
+            severity: 'medium',
+            message: `Package "${name}" uses weak SHA-1 integrity hash`,
+            location: { file },
+            suggestion: 'Regenerate lockfile to use SHA-512 integrity hashes.',
+            metadata: { package: name, version: dep.version },
+          });
+        }
+      }
+    }
+  },
+};

package/src/scanners/dependency-integrity/rules/transitive-drift.rule.ts

@@ -0,0 +1,71 @@
+import { readFile, access } from 'node:fs/promises';
+import { join, dirname, basename } from 'node:path';
+import type { Rule, ScanContext } from '../../../types/index.js';
+
+export const transitiveDriftRule: Rule = {
+  id: 'transitive-drift',
+  name: 'Transitive Dependency Drift',
+  description: 'Detects when package.json and lockfile are out of sync, indicating potential supply chain risk',
+
+  async run(ctx: ScanContext): Promise<void> {
+    const packageFiles = ctx.files.filter((f) => basename(f) === 'package.json');
+
+    for (const pkgFile of packageFiles) {
+      const dir = dirname(pkgFile);
+      const lockFile = join(dir, 'package-lock.json');
+
+      // Check if lockfile exists
+      try {
+        await access(lockFile);
+      } catch {
+        ctx.addFinding({
+          rule: 'transitive-drift',
+          severity: 'medium',
+          message: 'No lockfile found alongside package.json',
+          location: { file: pkgFile },
+          suggestion: 'Run npm install to generate a lockfile. Lockfiles pin transitive dependencies.',
+        });
+        continue;
+      }
+
+      let pkgContent: string;
+      let lockContent: string;
+      try {
+        pkgContent = await readFile(pkgFile, 'utf-8');
+        lockContent = await readFile(lockFile, 'utf-8');
+      } catch {
+        continue;
+      }
+
+      let pkg: { dependencies?: Record<string, string>; devDependencies?: Record<string, string> };
+      let lock: { packages?: Record<string, { version?: string }> };
+      try {
+        pkg = JSON.parse(pkgContent);
+        lock = JSON.parse(lockContent);
+      } catch {
+        continue;
+      }
+
+      if (!lock.packages) continue;
+
+      const declared = {
+        ...pkg.dependencies,
+        ...pkg.devDependencies,
+      };
+
+      for (const [name, range] of Object.entries(declared)) {
+        const lockEntry = lock.packages[`node_modules/${name}`];
+        if (!lockEntry) {
+          ctx.addFinding({
+            rule: 'transitive-drift',
+            severity: 'high',
+            message: `Package "${name}" declared in package.json but missing from lockfile`,
+            location: { file: pkgFile },
+            suggestion: 'Run npm install to sync the lockfile. Drift creates supply chain risk.',
+            metadata: { package: name, declaredRange: range },
+          });
+        }
+      }
+    }
+  },
+};

package/src/scanners/dependency-integrity/rules/typosquat-check.rule.ts

@@ -0,0 +1,100 @@
+import { readFile } from 'node:fs/promises';
+import { basename } from 'node:path';
+import type { Rule, ScanContext } from '../../../types/index.js';
+import { KNOWN_TYPOSQUATS, SUBSTITUTION_PAIRS } from '../patterns/known-typosquats.js';
+
+function normalize(name: string): string {
+  let n = name.toLowerCase();
+  for (const [from, to] of SUBSTITUTION_PAIRS) {
+    n = n.replaceAll(from, to);
+  }
+  return n;
+}
+
+function levenshtein(a: string, b: string): number {
+  const m = a.length;
+  const n = b.length;
+  const dp: number[][] = Array.from({ length: m + 1 }, (_, i) =>
+    Array.from({ length: n + 1 }, (_, j) => (i === 0 ? j : j === 0 ? i : 0)),
+  );
+  for (let i = 1; i <= m; i++) {
+    for (let j = 1; j <= n; j++) {
+      dp[i][j] = a[i - 1] === b[j - 1]
+        ? dp[i - 1][j - 1]
+        : 1 + Math.min(dp[i - 1][j], dp[i][j - 1], dp[i - 1][j - 1]);
+    }
+  }
+  return dp[m][n];
+}
+
+// Top npm packages to check typosquat distance against
+const POPULAR_PACKAGES = [
+  'react', 'express', 'lodash', 'axios', 'next', 'typescript',
+  'webpack', 'babel', 'eslint', 'prettier', 'jest', 'vitest',
+  'mongoose', 'sequelize', 'prisma', 'stripe', 'nodemailer',
+  'dotenv', 'cors', 'bcrypt', 'jsonwebtoken', 'chalk',
+];
+
+export const typosquatCheckRule: Rule = {
+  id: 'typosquat-check',
+  name: 'Typosquat Detection',
+  description: 'Checks dependencies against known typosquats and fuzzy-matches popular package names',
+
+  async run(ctx: ScanContext): Promise<void> {
+    const packageFiles = ctx.files.filter((f) => basename(f) === 'package.json');
+
+    for (const file of packageFiles) {
+      let content: string;
+      try {
+        content = await readFile(file, 'utf-8');
+      } catch {
+        continue;
+      }
+
+      let parsed: { dependencies?: Record<string, string>; devDependencies?: Record<string, string> };
+      try {
+        parsed = JSON.parse(content);
+      } catch {
+        continue;
+      }
+
+      const allDeps = [
+        ...Object.keys(parsed.dependencies ?? {}),
+        ...Object.keys(parsed.devDependencies ?? {}),
+      ];
+
+      for (const dep of allDeps) {
+        // Check known typosquats
+        const knownMatch = KNOWN_TYPOSQUATS.find((t) => t.malicious === dep);
+        if (knownMatch) {
+          ctx.addFinding({
+            rule: 'typosquat-check',
+            severity: 'critical',
+            message: `Known malicious package "${dep}" (typosquat of "${knownMatch.legitimate}")`,
+            location: { file },
+            suggestion: `Replace with the legitimate package: ${knownMatch.legitimate}`,
+            metadata: { technique: knownMatch.technique },
+          });
+          continue;
+        }
+
+        // Fuzzy match against popular packages
+        const normalized = normalize(dep);
+        for (const popular of POPULAR_PACKAGES) {
+          if (dep === popular) continue;
+          const dist = levenshtein(normalized, normalize(popular));
+          if (dist === 1) {
+            ctx.addFinding({
+              rule: 'typosquat-check',
+              severity: 'high',
+              message: `Package "${dep}" is 1 edit away from popular package "${popular}" — possible typosquat`,
+              location: { file },
+              suggestion: `Verify this is the intended package, not a typosquat of "${popular}".`,
+              metadata: { distance: dist, target: popular },
+            });
+          }
+        }
+      }
+    }
+  },
+};

package/src/scanners/dependency-integrity/scanner.ts

@@ -0,0 +1,25 @@
+import type { Scanner, ScanContext, Rule } from '../../types/index.js';
+import { hashValidationRule } from './rules/hash-validation.rule.js';
+import { typosquatCheckRule } from './rules/typosquat-check.rule.js';
+import { transitiveDriftRule } from './rules/transitive-drift.rule.js';
+
+const rules: Rule[] = [
+  hashValidationRule,
+  typosquatCheckRule,
+  transitiveDriftRule,
+];
+
+export const dependencyIntegrityScanner: Scanner = {
+  id: 'dependency-integrity',
+  name: 'Dependency Integrity',
+  description: 'Validates dependency hashes, detects typosquatting, and flags transitive drift',
+  rules,
+
+  async scan(ctx: ScanContext): Promise<void> {
+    for (const rule of rules) {
+      const ruleConfig = ctx.scannerConfig.rules?.[rule.id];
+      if (ruleConfig?.enabled === false) continue;
+      await rule.run(ctx);
+    }
+  },
+};

package/src/scanners/runtime-monitor/index.ts

@@ -0,0 +1 @@
+export { runtimeMonitorScanner } from './scanner.js';

package/src/scanners/runtime-monitor/patterns/known-bad-destinations.ts

@@ -0,0 +1,55 @@
+export interface BadDestination {
+  pattern: RegExp;
+  label: string;
+  category: 'c2' | 'exfiltration' | 'cryptominer' | 'suspicious';
+}
+
+// Patterns for known malicious or suspicious network destinations
+export const KNOWN_BAD_DESTINATIONS: BadDestination[] = [
+  {
+    pattern: /ngrok\.io/i,
+    label: 'ngrok-tunnel',
+    category: 'suspicious',
+  },
+  {
+    pattern: /requestbin\.com|pipedream\.net|webhook\.site|hookbin\.com/i,
+    label: 'request-catcher',
+    category: 'exfiltration',
+  },
+  {
+    pattern: /pastebin\.com\/api|ghostbin\.com|hastebin\.com/i,
+    label: 'paste-service',
+    category: 'exfiltration',
+  },
+  {
+    pattern: /coinhive\.min\.js|coin-hive|cryptonight\.wasm/i,
+    label: 'cryptominer',
+    category: 'cryptominer',
+  },
+  {
+    pattern: /raw\.githubusercontent\.com\/[^/]+\/[^/]+\/[^/]+\/.*\.(sh|ps1|bat|exe)/i,
+    label: 'github-raw-script',
+    category: 'suspicious',
+  },
+  {
+    pattern: /\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{4,5}\b/,
+    label: 'raw-ip-with-port',
+    category: 'suspicious',
+  },
+  {
+    pattern: /(?:transfer\.sh|file\.io|0x0\.st)\/\w+/i,
+    label: 'ephemeral-file-host',
+    category: 'exfiltration',
+  },
+];
+
+// Suspicious outbound ports
+export const SUSPICIOUS_PORTS = new Set([
+  4444,  // Metasploit default
+  5555,  // Common reverse shell
+  6666,  // IRC / backdoor
+  8888,  // Alternative HTTP / C2
+  9001,  // Tor
+  9050,  // Tor SOCKS
+  31337, // Back Orifice
+]);

package/src/scanners/runtime-monitor/rules/filesystem-access.rule.ts

@@ -0,0 +1,74 @@
+import { readFile } from 'node:fs/promises';
+import type { Rule, ScanContext } from '../../../types/index.js';
+
+const CODE_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']);
+
+function isCodeFile(file: string): boolean {
+  const dot = file.lastIndexOf('.');
+  return dot !== -1 && CODE_EXTENSIONS.has(file.slice(dot).toLowerCase());
+}
+
+const SENSITIVE_PATH_PATTERNS = [
+  { pattern: /(?:\/etc\/passwd|\/etc\/shadow|\/etc\/hosts)/g, label: 'system-file' },
+  { pattern: /(?:\.ssh\/|\.gnupg\/|\.aws\/credentials)/g, label: 'credential-file' },
+  { pattern: /(?:\.env(?:\.local)?|\.env\.production)/g, label: 'env-file' },
+  { pattern: /(?:\/proc\/|\/sys\/)/g, label: 'proc-sys' },
+];
+
+const FS_WITH_USER_INPUT = [
+  { pattern: /(?:readFile|writeFile|readdir|unlink|rmdir)\s*\(\s*(?:req\.|params\.|query\.|body\.|args\.)/g, label: 'user-input-fs' },
+  { pattern: /(?:createReadStream|createWriteStream)\s*\(\s*(?:req\.|params\.|query\.|body\.)/g, label: 'user-input-stream' },
+  { pattern: /path\.join\s*\([^)]*(?:req\.|params\.|query\.|body\.)/g, label: 'user-input-path-join' },
+];
+
+export const filesystemAccessRule: Rule = {
+  id: 'filesystem-access',
+  name: 'Filesystem Access Detection',
+  description: 'Flags access to sensitive paths and user-controlled filesystem operations',
+
+  async run(ctx: ScanContext): Promise<void> {
+    const codeFiles = ctx.files.filter(isCodeFile);
+
+    for (const file of codeFiles) {
+      let content: string;
+      try {
+        content = await readFile(file, 'utf-8');
+      } catch {
+        continue;
+      }
+
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+
+        for (const { pattern, label } of SENSITIVE_PATH_PATTERNS) {
+          pattern.lastIndex = 0;
+          if (pattern.test(line)) {
+            ctx.addFinding({
+              rule: 'filesystem-access',
+              severity: label === 'credential-file' ? 'high' : 'medium',
+              message: `Access to sensitive path detected: ${label}`,
+              location: { file, line: i + 1 },
+              evidence: line.trim().slice(0, 200),
+              suggestion: 'Review whether this file access is necessary and properly secured.',
+            });
+          }
+        }
+
+        for (const { pattern, label } of FS_WITH_USER_INPUT) {
+          pattern.lastIndex = 0;
+          if (pattern.test(line)) {
+            ctx.addFinding({
+              rule: 'filesystem-access',
+              severity: 'critical',
+              message: `User input flows into filesystem operation: ${label}`,
+              location: { file, line: i + 1 },
+              evidence: line.trim().slice(0, 200),
+              suggestion: 'CRITICAL: Path traversal vulnerability. Validate and sanitize all user-supplied paths.',
+            });
+          }
+        }
+      }
+    }
+  },
+};

package/src/scanners/runtime-monitor/rules/outbound-network.rule.ts

@@ -0,0 +1,67 @@
+import { readFile } from 'node:fs/promises';
+import type { Rule, ScanContext } from '../../../types/index.js';
+import { KNOWN_BAD_DESTINATIONS, SUSPICIOUS_PORTS } from '../patterns/known-bad-destinations.js';
+
+const CODE_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']);
+
+function isCodeFile(file: string): boolean {
+  const dot = file.lastIndexOf('.');
+  return dot !== -1 && CODE_EXTENSIONS.has(file.slice(dot).toLowerCase());
+}
+
+const PORT_PATTERN = /:\s*(\d{4,5})\b/g;
+
+export const outboundNetworkRule: Rule = {
+  id: 'outbound-network',
+  name: 'Outbound Network Detection',
+  description: 'Flags connections to known malicious destinations and suspicious ports',
+
+  async run(ctx: ScanContext): Promise<void> {
+    const codeFiles = ctx.files.filter(isCodeFile);
+
+    for (const file of codeFiles) {
+      let content: string;
+      try {
+        content = await readFile(file, 'utf-8');
+      } catch {
+        continue;
+      }
+
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+
+        // Check known bad destinations
+        for (const dest of KNOWN_BAD_DESTINATIONS) {
+          if (dest.pattern.test(line)) {
+            ctx.addFinding({
+              rule: 'outbound-network',
+              severity: dest.category === 'c2' ? 'critical' : dest.category === 'exfiltration' ? 'high' : 'medium',
+              message: `Connection to suspicious destination: ${dest.label} (${dest.category})`,
+              location: { file, line: i + 1 },
+              evidence: line.trim().slice(0, 200),
+              suggestion: 'Review this network destination. It matches a known suspicious pattern.',
+            });
+          }
+        }
+
+        // Check suspicious ports
+        PORT_PATTERN.lastIndex = 0;
+        let portMatch: RegExpExecArray | null;
+        while ((portMatch = PORT_PATTERN.exec(line)) !== null) {
+          const port = parseInt(portMatch[1], 10);
+          if (SUSPICIOUS_PORTS.has(port)) {
+            ctx.addFinding({
+              rule: 'outbound-network',
+              severity: 'high',
+              message: `Connection to suspicious port ${port} — commonly used for ${port === 9001 || port === 9050 ? 'Tor' : 'reverse shells/C2'}`,
+              location: { file, line: i + 1 },
+              evidence: line.trim().slice(0, 200),
+              suggestion: 'This port is associated with malicious tools. Verify this is legitimate.',
+            });
+          }
+        }
+      }
+    }
+  },
+};

package/src/scanners/runtime-monitor/rules/process-spawn.rule.ts

@@ -0,0 +1,58 @@
+import { readFile } from 'node:fs/promises';
+import type { Rule, ScanContext } from '../../../types/index.js';
+
+const CODE_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']);
+
+function isCodeFile(file: string): boolean {
+  const dot = file.lastIndexOf('.');
+  return dot !== -1 && CODE_EXTENSIONS.has(file.slice(dot).toLowerCase());
+}
+
+const SPAWN_PATTERNS = [
+  { pattern: /child_process.*(?:exec|execSync|spawn|spawnSync|fork)\s*\(/g, label: 'child_process' },
+  { pattern: /\bexec\s*\(\s*['"`]/g, label: 'exec-string' },
+  { pattern: /\beval\s*\(\s*[^)]/g, label: 'eval' },
+  { pattern: /new\s+Function\s*\(/g, label: 'Function-constructor' },
+  { pattern: /child_process.*\bexec\s*\(\s*(?:req\.|params\.|query\.|body\.)/g, label: 'user-input-exec' },
+  { pattern: /\.exec\s*\(\s*`[^`]*\$\{/g, label: 'template-exec' },
+];
+
+export const processSpawnRule: Rule = {
+  id: 'process-spawn',
+  name: 'Process Spawn Detection',
+  description: 'Flags shell command execution and dynamic code evaluation patterns',
+
+  async run(ctx: ScanContext): Promise<void> {
+    const codeFiles = ctx.files.filter(isCodeFile);
+
+    for (const file of codeFiles) {
+      let content: string;
+      try {
+        content = await readFile(file, 'utf-8');
+      } catch {
+        continue;
+      }
+
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const { pattern, label } of SPAWN_PATTERNS) {
+          pattern.lastIndex = 0;
+          if (pattern.test(line)) {
+            const isUserInput = label === 'user-input-exec' || label === 'template-exec';
+            ctx.addFinding({
+              rule: 'process-spawn',
+              severity: isUserInput ? 'critical' : 'medium',
+              message: `Process spawn/eval detected: ${label}`,
+              location: { file, line: i + 1 },
+              evidence: line.trim().slice(0, 200),
+              suggestion: isUserInput
+                ? 'CRITICAL: User input flows into shell execution. This is a command injection vulnerability.'
+                : 'Review whether this shell execution is necessary. Prefer native Node.js APIs.',
+            });
+          }
+        }
+      }
+    }
+  },
+};

package/src/scanners/runtime-monitor/rules/resource-anomaly.rule.ts

@@ -0,0 +1,79 @@
+import { readFile } from 'node:fs/promises';
+import type { Rule, ScanContext } from '../../../types/index.js';
+
+const CODE_EXTENSIONS = new Set(['.ts', '.tsx', '.js', '.jsx', '.mjs', '.cjs']);
+
+function isCodeFile(file: string): boolean {
+  const dot = file.lastIndexOf('.');
+  return dot !== -1 && CODE_EXTENSIONS.has(file.slice(dot).toLowerCase());
+}
+
+const ANOMALY_PATTERNS = [
+  {
+    pattern: /while\s*\(\s*true\s*\)/g,
+    label: 'infinite-loop',
+    severity: 'medium' as const,
+    message: 'Infinite loop detected — potential denial of service',
+  },
+  {
+    pattern: /setInterval\s*\([^,]+,\s*\d{1,3}\s*\)/g,
+    label: 'tight-interval',
+    severity: 'medium' as const,
+    message: 'Very short setInterval (< 1s) — potential resource exhaustion',
+  },
+  {
+    pattern: /Buffer\.alloc(?:Unsafe)?\s*\(\s*(?:\d{8,}|[a-zA-Z_$][\w$]*\s*\*\s*[a-zA-Z_$][\w$]*)\s*\)/g,
+    label: 'large-buffer',
+    severity: 'medium' as const,
+    message: 'Large buffer allocation — potential memory exhaustion attack',
+  },
+  {
+    pattern: /new\s+RegExp\s*\(\s*(?:req\.|params\.|query\.|body\.|args\.)/g,
+    label: 'user-regex',
+    severity: 'high' as const,
+    message: 'User input used in RegExp constructor — ReDoS vulnerability',
+  },
+  {
+    pattern: /crypto\.(?:pbkdf2|scrypt).*(?:iterations|cost)\s*[:=]\s*(?:req\.|params\.|query\.|body\.)/g,
+    label: 'user-controlled-crypto',
+    severity: 'high' as const,
+    message: 'User input controls crypto parameters — potential algorithmic complexity attack',
+  },
+];
+
+export const resourceAnomalyRule: Rule = {
+  id: 'resource-anomaly',
+  name: 'Resource Anomaly Detection',
+  description: 'Detects patterns that could cause resource exhaustion or denial of service',
+
+  async run(ctx: ScanContext): Promise<void> {
+    const codeFiles = ctx.files.filter(isCodeFile);
+
+    for (const file of codeFiles) {
+      let content: string;
+      try {
+        content = await readFile(file, 'utf-8');
+      } catch {
+        continue;
+      }
+
+      const lines = content.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        const line = lines[i];
+        for (const anomaly of ANOMALY_PATTERNS) {
+          anomaly.pattern.lastIndex = 0;
+          if (anomaly.pattern.test(line)) {
+            ctx.addFinding({
+              rule: 'resource-anomaly',
+              severity: anomaly.severity,
+              message: anomaly.message,
+              location: { file, line: i + 1 },
+              evidence: line.trim().slice(0, 200),
+              suggestion: 'Review this pattern for potential resource exhaustion.',
+            });
+          }
+        }
+      }
+    }
+  },
+};

package/src/scanners/runtime-monitor/scanner.ts

@@ -0,0 +1,27 @@
+import type { Scanner, ScanContext, Rule } from '../../types/index.js';
+import { processSpawnRule } from './rules/process-spawn.rule.js';
+import { filesystemAccessRule } from './rules/filesystem-access.rule.js';
+import { outboundNetworkRule } from './rules/outbound-network.rule.js';
+import { resourceAnomalyRule } from './rules/resource-anomaly.rule.js';
+
+const rules: Rule[] = [
+  processSpawnRule,
+  filesystemAccessRule,
+  outboundNetworkRule,
+  resourceAnomalyRule,
+];
+
+export const runtimeMonitorScanner: Scanner = {
+  id: 'runtime-monitor',
+  name: 'Runtime Monitor',
+  description: 'Detects suspicious runtime behavior: process spawning, filesystem access, network calls, resource anomalies',
+  rules,
+
+  async scan(ctx: ScanContext): Promise<void> {
+    for (const rule of rules) {
+      const ruleConfig = ctx.scannerConfig.rules?.[rule.id];
+      if (ruleConfig?.enabled === false) continue;
+      await rule.run(ctx);
+    }
+  },
+};

package/src/scanners/secrets-exposure/index.ts

@@ -0,0 +1 @@
+export { secretsExposureScanner } from './scanner.js';