npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/src/__tests__/snapshots/scan-depth.test.ts ADDED Viewed

@@ -0,0 +1,258 @@
+/**
+ * Scan Depth Snapshot Tests
+ *
+ * Tests the scanner output at different depth levels to ensure consistent results.
+ * Snapshots help detect unintended changes to scanner behavior.
+ *
+ * Run: npx jest src/__tests__/snapshots/scan-depth.test.ts
+ * Update snapshots: npx jest --updateSnapshot
+ */
+import { runLayer1Scan } from '../../layer1'
+import { runLayer2Scan } from '../../layer2'
+import type { ScanFile, Vulnerability } from '../../types'
+// Helper to normalize vulnerability output for snapshot comparison
+// Removes volatile fields like timestamps and IDs
+function normalizeVulnerabilities(vulns: Vulnerability[]): object[] {
+  return vulns
+    .map(v => ({
+      category: v.category,
+      severity: v.severity,
+      confidence: v.confidence,
+      layer: v.layer,
+      title: v.title,
+      lineNumber: v.lineNumber,
+      // Normalize line content to avoid whitespace issues
+      lineContent: v.lineContent?.trim(),
+    }))
+    .sort((a, b) => {
+      // Sort by line number, then category for consistent ordering
+      if (a.lineNumber !== b.lineNumber) return (a.lineNumber || 0) - (b.lineNumber || 0)
+      return a.category.localeCompare(b.category)
+    })
+}
+// Helper to run a cheap scan (Layer 1 only, no AI)
+async function runCheapScan(file: ScanFile): Promise<object[]> {
+  const layer1Result = await runLayer1Scan([file])
+  return normalizeVulnerabilities(layer1Result.vulnerabilities)
+}
+// Helper to run a full scan (Layer 1 + Layer 2, no AI validation)
+async function runFullScan(file: ScanFile): Promise<object[]> {
+  const [layer1Result, layer2Result] = await Promise.all([
+    runLayer1Scan([file]),
+    runLayer2Scan([file]),
+  ])
+  return normalizeVulnerabilities([...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities])
+}
+describe('Scan Depth Snapshots', () => {
+  describe('Clean File - No Findings Expected', () => {
+    const cleanFile: ScanFile = {
+      path: 'src/utils/helpers.ts',
+      content: `
+/**
+ * Safe utility functions
+ */
+export function formatDate(date: Date): string {
+  return date.toISOString()
+}
+export function capitalize(str: string): string {
+  return str.charAt(0).toUpperCase() + str.slice(1)
+}
+export function clamp(value: number, min: number, max: number): number {
+  return Math.min(Math.max(value, min), max)
+}
+`,
+      language: 'typescript',
+      size: 300,
+    }
+    it('cheap scan should produce no findings', async () => {
+      const results = await runCheapScan(cleanFile)
+      expect(results).toMatchSnapshot()
+    })
+    it('full scan should produce no findings', async () => {
+      const results = await runFullScan(cleanFile)
+      expect(results).toMatchSnapshot()
+    })
+  })
+  describe('Hardcoded Secrets - Critical Findings', () => {
+    const secretsFile: ScanFile = {
+      path: 'src/config/api-keys.ts',
+      content: `
+// API Keys - CRITICAL
+const OPENAI_API_KEY = "sk-proj-abc123def456ghi789jkl012mno345pqr678stu901vwx"
+const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+const AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+`,
+      language: 'typescript',
+      size: 250,
+    }
+    it('cheap scan should detect hardcoded secrets', async () => {
+      const results = await runCheapScan(secretsFile)
+      expect(results).toMatchSnapshot()
+    })
+    it('full scan should detect hardcoded secrets', async () => {
+      const results = await runFullScan(secretsFile)
+      expect(results).toMatchSnapshot()
+    })
+  })
+  describe('Mixed Severity - Multiple Issue Types', () => {
+    const mixedFile: ScanFile = {
+      path: 'src/api/handler.ts',
+      content: `
+import express from 'express'
+const app = express()
+// Hardcoded secret - CRITICAL
+const API_KEY = "sk-live-1234567890abcdef"
+// CORS wildcard - MEDIUM
+app.use(cors({ origin: '*' }))
+// Weak crypto - HIGH
+const hash = crypto.createHash('md5')
+// innerHTML with user input - HIGH
+element.innerHTML = userInput
+// Debug logging - LOW
+console.log('Debug:', sensitiveData)
+`,
+      language: 'typescript',
+      size: 400,
+    }
+    it('cheap scan should detect Layer 1 issues', async () => {
+      const results = await runCheapScan(mixedFile)
+      expect(results).toMatchSnapshot()
+    })
+    it('full scan should detect all issues', async () => {
+      const results = await runFullScan(mixedFile)
+      expect(results).toMatchSnapshot()
+    })
+  })
+  describe('AI-Era Patterns - Modern Security Issues', () => {
+    const aiEraFile: ScanFile = {
+      path: 'src/ai/chat-handler.ts',
+      content: `
+import OpenAI from 'openai'
+// User API key in request - transient BYOK
+export async function handleChat(req: Request) {
+  const openai = new OpenAI({ apiKey: req.body.userApiKey })
+  // User input directly in prompt - prompt injection risk
+  const response = await openai.chat.completions.create({
+    model: 'gpt-4',
+    messages: [{ role: 'user', content: req.body.message }],
+  })
+  return response.choices[0].message
+}
+`,
+      language: 'typescript',
+      size: 400,
+    }
+    it('cheap scan should detect Layer 1 patterns', async () => {
+      const results = await runCheapScan(aiEraFile)
+      expect(results).toMatchSnapshot()
+    })
+    it('full scan should detect AI-era security patterns', async () => {
+      const results = await runFullScan(aiEraFile)
+      expect(results).toMatchSnapshot()
+    })
+  })
+  describe('Auth Patterns - Missing Authentication', () => {
+    const authFile: ScanFile = {
+      path: 'src/app/api/users/route.ts',
+      content: `
+import { NextResponse } from 'next/server'
+import { db } from '@/lib/db'
+// API route without auth check
+export async function GET(request: Request) {
+  const users = await db.user.findMany()
+  return NextResponse.json(users)
+}
+export async function DELETE(request: Request) {
+  const { id } = await request.json()
+  await db.user.delete({ where: { id } })
+  return NextResponse.json({ success: true })
+}
+`,
+      language: 'typescript',
+      size: 350,
+    }
+    it('cheap scan should detect basic patterns', async () => {
+      const results = await runCheapScan(authFile)
+      expect(results).toMatchSnapshot()
+    })
+    it('full scan should detect missing auth patterns', async () => {
+      const results = await runFullScan(authFile)
+      expect(results).toMatchSnapshot()
+    })
+  })
+  describe('Safe File - No False Positives', () => {
+    const safeFile: ScanFile = {
+      path: 'src/components/Dashboard.tsx',
+      content: `
+import { useState, useEffect } from 'react'
+// CSS classes - should NOT be flagged as high entropy
+const styles = 'flex items-center justify-between p-4 bg-gray-100'
+// Environment variable reference - should NOT be flagged
+const apiUrl = process.env.API_URL
+// UUID - should NOT be flagged as secret
+const sessionId = 'a1b2c3d4-e5f6-7890-abcd-ef1234567890'
+export function Dashboard() {
+  const [data, setData] = useState(null)
+  useEffect(() => {
+    fetch(apiUrl + '/data')
+      .then(res => res.json())
+      .then(setData)
+  }, [])
+  return <div className={styles}>{data}</div>
+}
+`,
+      language: 'typescript',
+      size: 500,
+    }
+    it('cheap scan should produce minimal findings', async () => {
+      const results = await runCheapScan(safeFile)
+      expect(results).toMatchSnapshot()
+    })
+    it('full scan should produce minimal findings', async () => {
+      const results = await runFullScan(safeFile)
+      expect(results).toMatchSnapshot()
+    })
+  })
+})