npm - @oculum/scanner - Versions diffs - 1.0.0 - Mend

@oculum/scanner 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (281) hide show

package/dist/formatters/cli-terminal.d.ts +27 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -0
package/dist/formatters/cli-terminal.js +412 -0
package/dist/formatters/cli-terminal.js.map +1 -0
package/dist/formatters/github-comment.d.ts +41 -0
package/dist/formatters/github-comment.d.ts.map +1 -0
package/dist/formatters/github-comment.js +306 -0
package/dist/formatters/github-comment.js.map +1 -0
package/dist/formatters/grouping.d.ts +52 -0
package/dist/formatters/grouping.d.ts.map +1 -0
package/dist/formatters/grouping.js +152 -0
package/dist/formatters/grouping.js.map +1 -0
package/dist/formatters/index.d.ts +9 -0
package/dist/formatters/index.d.ts.map +1 -0
package/dist/formatters/index.js +35 -0
package/dist/formatters/index.js.map +1 -0
package/dist/formatters/vscode-diagnostic.d.ts +103 -0
package/dist/formatters/vscode-diagnostic.d.ts.map +1 -0
package/dist/formatters/vscode-diagnostic.js +151 -0
package/dist/formatters/vscode-diagnostic.js.map +1 -0
package/dist/index.d.ts +52 -0
package/dist/index.d.ts.map +1 -0
package/dist/index.js +648 -0
package/dist/index.js.map +1 -0
package/dist/layer1/comments.d.ts +8 -0
package/dist/layer1/comments.d.ts.map +1 -0
package/dist/layer1/comments.js +203 -0
package/dist/layer1/comments.js.map +1 -0
package/dist/layer1/config-audit.d.ts +8 -0
package/dist/layer1/config-audit.d.ts.map +1 -0
package/dist/layer1/config-audit.js +252 -0
package/dist/layer1/config-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +8 -0
package/dist/layer1/entropy.d.ts.map +1 -0
package/dist/layer1/entropy.js +500 -0
package/dist/layer1/entropy.js.map +1 -0
package/dist/layer1/file-flags.d.ts +7 -0
package/dist/layer1/file-flags.d.ts.map +1 -0
package/dist/layer1/file-flags.js +112 -0
package/dist/layer1/file-flags.js.map +1 -0
package/dist/layer1/index.d.ts +36 -0
package/dist/layer1/index.d.ts.map +1 -0
package/dist/layer1/index.js +132 -0
package/dist/layer1/index.js.map +1 -0
package/dist/layer1/patterns.d.ts +8 -0
package/dist/layer1/patterns.d.ts.map +1 -0
package/dist/layer1/patterns.js +482 -0
package/dist/layer1/patterns.js.map +1 -0
package/dist/layer1/urls.d.ts +8 -0
package/dist/layer1/urls.d.ts.map +1 -0
package/dist/layer1/urls.js +296 -0
package/dist/layer1/urls.js.map +1 -0
package/dist/layer1/weak-crypto.d.ts +7 -0
package/dist/layer1/weak-crypto.d.ts.map +1 -0
package/dist/layer1/weak-crypto.js +291 -0
package/dist/layer1/weak-crypto.js.map +1 -0
package/dist/layer2/ai-agent-tools.d.ts +19 -0
package/dist/layer2/ai-agent-tools.d.ts.map +1 -0
package/dist/layer2/ai-agent-tools.js +528 -0
package/dist/layer2/ai-agent-tools.js.map +1 -0
package/dist/layer2/ai-endpoint-protection.d.ts +36 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -0
package/dist/layer2/ai-endpoint-protection.js +332 -0
package/dist/layer2/ai-endpoint-protection.js.map +1 -0
package/dist/layer2/ai-execution-sinks.d.ts +18 -0
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -0
package/dist/layer2/ai-execution-sinks.js +496 -0
package/dist/layer2/ai-execution-sinks.js.map +1 -0
package/dist/layer2/ai-fingerprinting.d.ts +7 -0
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -0
package/dist/layer2/ai-fingerprinting.js +654 -0
package/dist/layer2/ai-fingerprinting.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +19 -0
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -0
package/dist/layer2/ai-prompt-hygiene.js +356 -0
package/dist/layer2/ai-prompt-hygiene.js.map +1 -0
package/dist/layer2/ai-rag-safety.d.ts +21 -0
package/dist/layer2/ai-rag-safety.d.ts.map +1 -0
package/dist/layer2/ai-rag-safety.js +459 -0
package/dist/layer2/ai-rag-safety.js.map +1 -0
package/dist/layer2/ai-schema-validation.d.ts +25 -0
package/dist/layer2/ai-schema-validation.d.ts.map +1 -0
package/dist/layer2/ai-schema-validation.js +375 -0
package/dist/layer2/ai-schema-validation.js.map +1 -0
package/dist/layer2/auth-antipatterns.d.ts +20 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -0
package/dist/layer2/auth-antipatterns.js +333 -0
package/dist/layer2/auth-antipatterns.js.map +1 -0
package/dist/layer2/byok-patterns.d.ts +12 -0
package/dist/layer2/byok-patterns.d.ts.map +1 -0
package/dist/layer2/byok-patterns.js +299 -0
package/dist/layer2/byok-patterns.js.map +1 -0
package/dist/layer2/dangerous-functions.d.ts +7 -0
package/dist/layer2/dangerous-functions.d.ts.map +1 -0
package/dist/layer2/dangerous-functions.js +1375 -0
package/dist/layer2/dangerous-functions.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +16 -0
package/dist/layer2/data-exposure.d.ts.map +1 -0
package/dist/layer2/data-exposure.js +279 -0
package/dist/layer2/data-exposure.js.map +1 -0
package/dist/layer2/framework-checks.d.ts +7 -0
package/dist/layer2/framework-checks.d.ts.map +1 -0
package/dist/layer2/framework-checks.js +388 -0
package/dist/layer2/framework-checks.js.map +1 -0
package/dist/layer2/index.d.ts +58 -0
package/dist/layer2/index.d.ts.map +1 -0
package/dist/layer2/index.js +380 -0
package/dist/layer2/index.js.map +1 -0
package/dist/layer2/logic-gates.d.ts +7 -0
package/dist/layer2/logic-gates.d.ts.map +1 -0
package/dist/layer2/logic-gates.js +182 -0
package/dist/layer2/logic-gates.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +7 -0
package/dist/layer2/risky-imports.d.ts.map +1 -0
package/dist/layer2/risky-imports.js +161 -0
package/dist/layer2/risky-imports.js.map +1 -0
package/dist/layer2/variables.d.ts +8 -0
package/dist/layer2/variables.d.ts.map +1 -0
package/dist/layer2/variables.js +152 -0
package/dist/layer2/variables.js.map +1 -0
package/dist/layer3/anthropic.d.ts +83 -0
package/dist/layer3/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic.js +1745 -0
package/dist/layer3/anthropic.js.map +1 -0
package/dist/layer3/index.d.ts +24 -0
package/dist/layer3/index.d.ts.map +1 -0
package/dist/layer3/index.js +119 -0
package/dist/layer3/index.js.map +1 -0
package/dist/layer3/openai.d.ts +25 -0
package/dist/layer3/openai.d.ts.map +1 -0
package/dist/layer3/openai.js +238 -0
package/dist/layer3/openai.js.map +1 -0
package/dist/layer3/package-check.d.ts +63 -0
package/dist/layer3/package-check.d.ts.map +1 -0
package/dist/layer3/package-check.js +508 -0
package/dist/layer3/package-check.js.map +1 -0
package/dist/modes/incremental.d.ts +66 -0
package/dist/modes/incremental.d.ts.map +1 -0
package/dist/modes/incremental.js +200 -0
package/dist/modes/incremental.js.map +1 -0
package/dist/tiers.d.ts +125 -0
package/dist/tiers.d.ts.map +1 -0
package/dist/tiers.js +234 -0
package/dist/tiers.js.map +1 -0
package/dist/types.d.ts +175 -0
package/dist/types.d.ts.map +1 -0
package/dist/types.js +50 -0
package/dist/types.js.map +1 -0
package/dist/utils/auth-helper-detector.d.ts +56 -0
package/dist/utils/auth-helper-detector.d.ts.map +1 -0
package/dist/utils/auth-helper-detector.js +360 -0
package/dist/utils/auth-helper-detector.js.map +1 -0
package/dist/utils/context-helpers.d.ts +96 -0
package/dist/utils/context-helpers.d.ts.map +1 -0
package/dist/utils/context-helpers.js +493 -0
package/dist/utils/context-helpers.js.map +1 -0
package/dist/utils/diff-detector.d.ts +53 -0
package/dist/utils/diff-detector.d.ts.map +1 -0
package/dist/utils/diff-detector.js +104 -0
package/dist/utils/diff-detector.js.map +1 -0
package/dist/utils/diff-parser.d.ts +80 -0
package/dist/utils/diff-parser.d.ts.map +1 -0
package/dist/utils/diff-parser.js +202 -0
package/dist/utils/diff-parser.js.map +1 -0
package/dist/utils/imported-auth-detector.d.ts +37 -0
package/dist/utils/imported-auth-detector.d.ts.map +1 -0
package/dist/utils/imported-auth-detector.js +251 -0
package/dist/utils/imported-auth-detector.js.map +1 -0
package/dist/utils/middleware-detector.d.ts +55 -0
package/dist/utils/middleware-detector.d.ts.map +1 -0
package/dist/utils/middleware-detector.js +260 -0
package/dist/utils/middleware-detector.js.map +1 -0
package/dist/utils/oauth-flow-detector.d.ts +41 -0
package/dist/utils/oauth-flow-detector.d.ts.map +1 -0
package/dist/utils/oauth-flow-detector.js +202 -0
package/dist/utils/oauth-flow-detector.js.map +1 -0
package/dist/utils/path-exclusions.d.ts +55 -0
package/dist/utils/path-exclusions.d.ts.map +1 -0
package/dist/utils/path-exclusions.js +222 -0
package/dist/utils/path-exclusions.js.map +1 -0
package/dist/utils/project-context-builder.d.ts +119 -0
package/dist/utils/project-context-builder.d.ts.map +1 -0
package/dist/utils/project-context-builder.js +534 -0
package/dist/utils/project-context-builder.js.map +1 -0
package/dist/utils/registry-clients.d.ts +93 -0
package/dist/utils/registry-clients.d.ts.map +1 -0
package/dist/utils/registry-clients.js +273 -0
package/dist/utils/registry-clients.js.map +1 -0
package/dist/utils/trpc-analyzer.d.ts +78 -0
package/dist/utils/trpc-analyzer.d.ts.map +1 -0
package/dist/utils/trpc-analyzer.js +297 -0
package/dist/utils/trpc-analyzer.js.map +1 -0
package/package.json +45 -0
package/src/__tests__/benchmark/fixtures/false-positives.ts +227 -0
package/src/__tests__/benchmark/fixtures/index.ts +68 -0
package/src/__tests__/benchmark/fixtures/layer1/config-audit.ts +364 -0
package/src/__tests__/benchmark/fixtures/layer1/hardcoded-secrets.ts +173 -0
package/src/__tests__/benchmark/fixtures/layer1/high-entropy.ts +234 -0
package/src/__tests__/benchmark/fixtures/layer1/index.ts +31 -0
package/src/__tests__/benchmark/fixtures/layer1/sensitive-urls.ts +90 -0
package/src/__tests__/benchmark/fixtures/layer1/weak-crypto.ts +197 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-agent-tools.ts +170 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-endpoint-protection.ts +418 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +189 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-fingerprinting.ts +316 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +178 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +184 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-schema-validation.ts +434 -0
package/src/__tests__/benchmark/fixtures/layer2/auth-antipatterns.ts +159 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +112 -0
package/src/__tests__/benchmark/fixtures/layer2/dangerous-functions.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +168 -0
package/src/__tests__/benchmark/fixtures/layer2/framework-checks.ts +346 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +67 -0
package/src/__tests__/benchmark/fixtures/layer2/injection-vulnerabilities.ts +239 -0
package/src/__tests__/benchmark/fixtures/layer2/logic-gates.ts +246 -0
package/src/__tests__/benchmark/fixtures/layer2/risky-imports.ts +231 -0
package/src/__tests__/benchmark/fixtures/layer2/variables.ts +167 -0
package/src/__tests__/benchmark/index.ts +29 -0
package/src/__tests__/benchmark/run-benchmark.ts +144 -0
package/src/__tests__/benchmark/run-depth-validation.ts +206 -0
package/src/__tests__/benchmark/run-real-world-test.ts +243 -0
package/src/__tests__/benchmark/security-benchmark-script.ts +1737 -0
package/src/__tests__/benchmark/tier-integration-script.ts +177 -0
package/src/__tests__/benchmark/types.ts +144 -0
package/src/__tests__/benchmark/utils/test-runner.ts +475 -0
package/src/__tests__/regression/known-false-positives.test.ts +467 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +178 -0
package/src/__tests__/snapshots/scan-depth.test.ts +258 -0
package/src/__tests__/validation/analyze-results.ts +542 -0
package/src/__tests__/validation/extract-for-triage.ts +146 -0
package/src/__tests__/validation/fp-deep-analysis.ts +327 -0
package/src/__tests__/validation/run-validation.ts +364 -0
package/src/__tests__/validation/triage-template.md +132 -0
package/src/formatters/cli-terminal.ts +446 -0
package/src/formatters/github-comment.ts +382 -0
package/src/formatters/grouping.ts +190 -0
package/src/formatters/index.ts +47 -0
package/src/formatters/vscode-diagnostic.ts +243 -0
package/src/index.ts +823 -0
package/src/layer1/comments.ts +218 -0
package/src/layer1/config-audit.ts +289 -0
package/src/layer1/entropy.ts +583 -0
package/src/layer1/file-flags.ts +127 -0
package/src/layer1/index.ts +181 -0
package/src/layer1/patterns.ts +516 -0
package/src/layer1/urls.ts +334 -0
package/src/layer1/weak-crypto.ts +328 -0
package/src/layer2/ai-agent-tools.ts +601 -0
package/src/layer2/ai-endpoint-protection.ts +387 -0
package/src/layer2/ai-execution-sinks.ts +580 -0
package/src/layer2/ai-fingerprinting.ts +758 -0
package/src/layer2/ai-prompt-hygiene.ts +411 -0
package/src/layer2/ai-rag-safety.ts +511 -0
package/src/layer2/ai-schema-validation.ts +421 -0
package/src/layer2/auth-antipatterns.ts +394 -0
package/src/layer2/byok-patterns.ts +336 -0
package/src/layer2/dangerous-functions.ts +1563 -0
package/src/layer2/data-exposure.ts +315 -0
package/src/layer2/framework-checks.ts +433 -0
package/src/layer2/index.ts +473 -0
package/src/layer2/logic-gates.ts +206 -0
package/src/layer2/risky-imports.ts +186 -0
package/src/layer2/variables.ts +166 -0
package/src/layer3/anthropic.ts +2030 -0
package/src/layer3/index.ts +130 -0
package/src/layer3/package-check.ts +604 -0
package/src/modes/incremental.ts +293 -0
package/src/tiers.ts +318 -0
package/src/types.ts +284 -0
package/src/utils/auth-helper-detector.ts +443 -0
package/src/utils/context-helpers.ts +535 -0
package/src/utils/diff-detector.ts +135 -0
package/src/utils/diff-parser.ts +272 -0
package/src/utils/imported-auth-detector.ts +320 -0
package/src/utils/middleware-detector.ts +333 -0
package/src/utils/oauth-flow-detector.ts +246 -0
package/src/utils/path-exclusions.ts +266 -0
package/src/utils/project-context-builder.ts +707 -0
package/src/utils/registry-clients.ts +351 -0
package/src/utils/trpc-analyzer.ts +382 -0

package/src/layer2/framework-checks.ts ADDED Viewed

@@ -0,0 +1,433 @@
+/**
+ * Layer 2: Framework-Specific Security Checks
+ * Detects security issues specific to popular frameworks (Next.js, Express, React, etc.)
+ */
+import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import {
+  isComment,
+  isServerOnlyFile,
+  isEnvVarReference,
+  getServiceRoleKeyContext,
+  isTestOrMockFile,
+} from '../utils/context-helpers'
+interface FrameworkPattern {
+  name: string
+  pattern: RegExp
+  severity: VulnerabilitySeverity
+  description: string
+  suggestedFix: string
+  framework: string
+}
+const FRAMEWORK_PATTERNS: FrameworkPattern[] = [
+  // ==================== Next.js ====================
+  {
+    name: 'Next.js API route without auth',
+    pattern: /export\s+(default\s+)?(async\s+)?function\s+handler\s*\(/gi,
+    severity: 'medium',
+    description: 'Next.js API route handler - ensure authentication is implemented',
+    suggestedFix: 'Add authentication check at the start of the handler',
+    framework: 'nextjs',
+  },
+  {
+    name: 'Next.js getServerSideProps without auth',
+    pattern: /export\s+(async\s+)?function\s+getServerSideProps/gi,
+    severity: 'low',
+    description: 'Server-side props function - verify auth for protected pages',
+    suggestedFix: 'Check authentication and redirect if needed',
+    framework: 'nextjs',
+  },
+  {
+    name: 'Next.js exposed server action',
+    pattern: /['"]use server['"]\s*;?\s*\n\s*export\s+(async\s+)?function/gi,
+    severity: 'medium',
+    description: 'Server action is publicly accessible - ensure proper validation',
+    suggestedFix: 'Add authentication and input validation to server actions',
+    framework: 'nextjs',
+  },
+  {
+    name: 'Next.js revalidate with user input',
+    pattern: /revalidatePath\s*\(\s*(req|request|params|searchParams)/gi,
+    severity: 'high',
+    description: 'revalidatePath with user input could allow cache poisoning',
+    suggestedFix: 'Validate and sanitize paths before revalidation',
+    framework: 'nextjs',
+  },
+  {
+    name: 'Next.js redirect with user input',
+    pattern: /redirect\s*\(\s*(req|request|params|searchParams|url)/gi,
+    severity: 'high',
+    description: 'Redirect with user input can lead to open redirect vulnerability',
+    suggestedFix: 'Validate redirect URLs against an allowlist',
+    framework: 'nextjs',
+  },
+  {
+    name: 'Next.js unstable_cache without tags',
+    pattern: /unstable_cache\s*\([^)]*\)(?!.*tags)/gi,
+    severity: 'low',
+    description: 'unstable_cache without tags makes invalidation difficult',
+    suggestedFix: 'Add cache tags for proper cache invalidation',
+    framework: 'nextjs',
+  },
+  // ==================== Express ====================
+  {
+    name: 'Express without helmet',
+    pattern: /express\s*\(\s*\)(?![\s\S]*helmet)/gi,
+    severity: 'medium',
+    description: 'Express app may lack security headers (helmet middleware)',
+    suggestedFix: 'Add helmet middleware: app.use(helmet())',
+    framework: 'express',
+  },
+  {
+    name: 'Express CORS allow all',
+    pattern: /cors\s*\(\s*\{[^}]*origin\s*:\s*['"]\*['"]/gi,
+    severity: 'high',
+    description: 'CORS configured to allow all origins',
+    suggestedFix: 'Restrict CORS to specific trusted origins',
+    framework: 'express',
+  },
+  {
+    name: 'Express body parser limit',
+    pattern: /bodyParser\.(json|urlencoded)\s*\(\s*\)(?!.*limit)/gi,
+    severity: 'low',
+    description: 'Body parser without size limit can lead to DoS',
+    suggestedFix: 'Add limit option: bodyParser.json({ limit: "100kb" })',
+    framework: 'express',
+  },
+  {
+    name: 'Express trust proxy',
+    pattern: /app\.set\s*\(\s*['"]trust proxy['"]\s*,\s*true\s*\)/gi,
+    severity: 'medium',
+    description: 'Trust proxy enabled - ensure this is intentional',
+    suggestedFix: 'Only enable trust proxy behind a known reverse proxy',
+    framework: 'express',
+  },
+  {
+    name: 'Express error handler exposes stack',
+    pattern: /res\.(json|send)\s*\(\s*\{[^}]*stack|err\.stack/gi,
+    severity: 'high',
+    description: 'Error stack trace may be exposed to clients',
+    suggestedFix: 'Only expose stack traces in development mode',
+    framework: 'express',
+  },
+  // ==================== React ====================
+  {
+    name: 'React useEffect with async',
+    pattern: /useEffect\s*\(\s*async\s*\(/gi,
+    severity: 'low',
+    description: 'useEffect with async function can cause memory leaks',
+    suggestedFix: 'Define async function inside useEffect and call it',
+    framework: 'react',
+  },
+  {
+    name: 'React state with sensitive data',
+    pattern: /useState\s*\(\s*['"]?(password|secret|token|apiKey|api_key)/gi,
+    severity: 'medium',
+    description: 'Sensitive data in React state may be exposed in dev tools',
+    suggestedFix: 'Avoid storing sensitive data in client-side state',
+    framework: 'react',
+  },
+  {
+    name: 'React href javascript:',
+    pattern: /href\s*=\s*[{'"]*javascript:/gi,
+    severity: 'high',
+    description: 'javascript: URLs can lead to XSS vulnerabilities',
+    suggestedFix: 'Use onClick handlers instead of javascript: URLs',
+    framework: 'react',
+  },
+  {
+    name: 'React uncontrolled input with defaultValue',
+    pattern: /defaultValue\s*=\s*\{[^}]*(password|secret|token)/gi,
+    severity: 'medium',
+    description: 'Sensitive data in defaultValue may persist in DOM',
+    suggestedFix: 'Use controlled inputs for sensitive data',
+    framework: 'react',
+  },
+  // ==================== Vue ====================
+  {
+    name: 'Vue v-html directive',
+    pattern: /v-html\s*=\s*['"]/gi,
+    severity: 'high',
+    description: 'v-html can lead to XSS if content is not sanitized',
+    suggestedFix: 'Sanitize HTML content or use v-text for plain text',
+    framework: 'vue',
+  },
+  {
+    name: 'Vue computed with side effects',
+    pattern: /computed\s*:\s*\{[^}]*\b(fetch|axios|http|api)\b/gi,
+    severity: 'low',
+    description: 'Computed properties with side effects can cause issues',
+    suggestedFix: 'Move API calls to methods or lifecycle hooks',
+    framework: 'vue',
+  },
+  // ==================== Django ====================
+  {
+    name: 'Django DEBUG in production',
+    pattern: /DEBUG\s*=\s*True/gi,
+    severity: 'critical',
+    description: 'Django DEBUG mode should be disabled in production',
+    suggestedFix: 'Set DEBUG = False in production settings',
+    framework: 'django',
+  },
+  {
+    name: 'Django ALLOWED_HOSTS wildcard',
+    pattern: /ALLOWED_HOSTS\s*=\s*\[\s*['"]\*['"]/gi,
+    severity: 'high',
+    description: 'ALLOWED_HOSTS with wildcard allows any host',
+    suggestedFix: 'Specify exact allowed hostnames',
+    framework: 'django',
+  },
+  {
+    name: 'Django SECRET_KEY hardcoded',
+    pattern: /SECRET_KEY\s*=\s*['"][^'"]+['"]/gi,
+    severity: 'critical',
+    description: 'Django SECRET_KEY should not be hardcoded',
+    suggestedFix: 'Load SECRET_KEY from environment variable',
+    framework: 'django',
+  },
+  // ==================== Flask ====================
+  {
+    name: 'Flask debug mode',
+    pattern: /app\.run\s*\([^)]*debug\s*=\s*True/gi,
+    severity: 'critical',
+    description: 'Flask debug mode should be disabled in production',
+    suggestedFix: 'Set debug=False in production',
+    framework: 'flask',
+  },
+  {
+    name: 'Flask secret key hardcoded',
+    pattern: /app\.secret_key\s*=\s*['"][^'"]+['"]/gi,
+    severity: 'critical',
+    description: 'Flask secret_key should not be hardcoded',
+    suggestedFix: 'Load secret_key from environment variable',
+    framework: 'flask',
+  },
+  // ==================== Supabase ====================
+  {
+    name: 'Supabase service role key exposed',
+    pattern: /supabaseServiceRole|service_role|SUPABASE_SERVICE_ROLE/gi,
+    severity: 'critical',
+    description: 'Supabase service role key should never be exposed to client',
+    suggestedFix: 'Only use service role key in server-side code',
+    framework: 'supabase',
+  },
+  {
+    name: 'Supabase RLS bypass',
+    pattern: /\.rpc\s*\(\s*['"][^'"]+['"]\s*,\s*\{[^}]*\}\s*,\s*\{[^}]*count/gi,
+    severity: 'medium',
+    description: 'RPC call may bypass Row Level Security',
+    suggestedFix: 'Ensure RPC functions have proper security checks',
+    framework: 'supabase',
+  },
+]
+// Detect framework from file content and path
+function detectFramework(content: string, filePath: string): string[] {
+  const frameworks: string[] = []
+  // Next.js
+  if (content.includes('next/') || content.includes('from "next"') ||
+      filePath.includes('/app/') || filePath.includes('/pages/')) {
+    frameworks.push('nextjs')
+  }
+  // Express
+  if (content.includes('express()') || content.includes('from "express"') ||
+      content.includes("require('express')")) {
+    frameworks.push('express')
+  }
+  // React
+  if (content.includes('from "react"') || content.includes("from 'react'") ||
+      content.includes('useState') || content.includes('useEffect')) {
+    frameworks.push('react')
+  }
+  // Vue
+  if (content.includes('from "vue"') || content.includes('Vue.component') ||
+      filePath.endsWith('.vue')) {
+    frameworks.push('vue')
+  }
+  // Django
+  if (content.includes('from django') || content.includes('import django') ||
+      filePath.includes('settings.py')) {
+    frameworks.push('django')
+  }
+  // Flask
+  if (content.includes('from flask') || content.includes('Flask(__name__)')) {
+    frameworks.push('flask')
+  }
+  // Supabase
+  if (content.includes('supabase') || content.includes('@supabase/')) {
+    frameworks.push('supabase')
+  }
+  return frameworks
+}
+export function detectFrameworkIssues(
+  content: string,
+  filePath: string
+): Vulnerability[] {
+  const vulnerabilities: Vulnerability[] = []
+  const lines = content.split('\n')
+  const detectedFrameworks = detectFramework(content, filePath)
+  const isTestFile = isTestOrMockFile(filePath)
+  lines.forEach((line, index) => {
+    // Skip comment lines
+    if (isComment(line)) return
+    for (const pattern of FRAMEWORK_PATTERNS) {
+      // Only check patterns for detected frameworks (or check all if none detected)
+      if (detectedFrameworks.length > 0 && !detectedFrameworks.includes(pattern.framework)) {
+        continue
+      }
+      const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags)
+      if (regex.test(line)) {
+        // Special handling for Supabase service role key
+        if (pattern.name === 'Supabase service role key exposed') {
+          // Check if this is a proper Supabase client setup pattern
+          // Expected safe pattern:
+          // - Variable named supabaseServiceRoleKey (or similar)
+          // - Loaded from process.env.SUPABASE_SERVICE_ROLE_KEY
+          // - Used in server-only file (lib/supabase/server.ts, /api/, etc.)
+          const isServerFile = isServerOnlyFile(filePath)
+          const usesEnvVar = isEnvVarReference(line)
+          // Check if this line is just a variable declaration from env var
+          // e.g., const supabaseServiceRoleKey = process.env.SUPABASE_SERVICE_ROLE_KEY!
+          const isEnvVarDeclaration = /(?:const|let|var)\s+\w*(?:service.*role|supabase.*key)\w*\s*=\s*process\.env\./i.test(line)
+          // Check if this is a createClient call with variable reference (not hardcoded)
+          // e.g., createClient(supabaseUrl, supabaseServiceRoleKey, {...})
+          const isCreateClientWithVar = /createClient\s*\(\s*\w+\s*,\s*\w*(?:service.*role|key)\w*\s*[,)]/i.test(line)
+          // If server file + env var pattern OR server file + createClient with variable reference, it's safe
+          if (isServerFile) {
+            if (isEnvVarDeclaration || usesEnvVar) {
+              // Safe: declaring/loading from env var in server file
+              continue
+            }
+            if (isCreateClientWithVar && !/"[a-zA-Z0-9._-]{20,}"/.test(line)) {
+              // Safe: using variable (not hardcoded string) in createClient
+              // Check surrounding content for env var loading
+              const fileHasEnvVarLoading = content.includes('process.env.SUPABASE_SERVICE_ROLE_KEY')
+              if (fileHasEnvVarLoading) {
+                continue
+              }
+            }
+          }
+          const serviceRoleContext = getServiceRoleKeyContext(line, filePath)
+          // Double-check: Server-only file using env var = safe, skip entirely
+          if (serviceRoleContext === 'safe_server') {
+            continue
+          }
+          // Determine severity and whether AI validation is needed
+          let adjustedSeverity = pattern.severity
+          let adjustedDescription = pattern.description
+          let requiresAIValidation = false
+          let adjustedConfidence: 'high' | 'medium' | 'low' = 'medium'
+          if (serviceRoleContext === 'client_exposure') {
+            // Client exposure = critical
+            adjustedSeverity = 'critical'
+            adjustedDescription = 'Supabase service role key may be exposed to client - this bypasses RLS'
+            requiresAIValidation = true
+            adjustedConfidence = 'high'
+          } else {
+            // needs_review
+            if (isEnvVarReference(line)) {
+              // Using env var in non-server file - needs review
+              adjustedSeverity = 'medium'
+              adjustedDescription = 'Supabase service role key usage - verify this is server-only code'
+              requiresAIValidation = true
+            } else if (isServerOnlyFile(filePath)) {
+              // Hardcoded in server file - bad practice but not critical
+              adjustedSeverity = 'high'
+              adjustedDescription = 'Supabase service role key should use environment variable'
+              requiresAIValidation = true
+            } else {
+              // Unknown context - flag for review
+              adjustedSeverity = 'high'
+              requiresAIValidation = true
+            }
+          }
+          // Downgrade test file severity
+          if (isTestFile) {
+            adjustedSeverity = 'low'
+            adjustedConfidence = 'low'
+            adjustedDescription = `${adjustedDescription} (in test file)`
+          }
+          vulnerabilities.push({
+            id: `framework-${filePath}-${index + 1}-${pattern.name}`,
+            filePath,
+            lineNumber: index + 1,
+            lineContent: line.trim(),
+            severity: adjustedSeverity,
+            category: 'insecure_config',
+            title: `[${pattern.framework}] ${pattern.name}`,
+            description: adjustedDescription,
+            suggestedFix: pattern.suggestedFix,
+            confidence: adjustedConfidence,
+            layer: 2,
+            requiresAIValidation,
+          })
+          break
+        }
+        // Standard handling for other patterns
+        let severity = pattern.severity
+        let confidence: 'high' | 'medium' | 'low' = 'medium'
+        // Downgrade test file severity
+        if (isTestFile) {
+          if (severity === 'critical') {
+            severity = 'medium'
+          } else if (severity === 'high') {
+            severity = 'low'
+          } else {
+            severity = 'info'
+          }
+          confidence = 'low'
+        }
+        vulnerabilities.push({
+          id: `framework-${filePath}-${index + 1}-${pattern.name}`,
+          filePath,
+          lineNumber: index + 1,
+          lineContent: line.trim(),
+          severity,
+          category: 'insecure_config',
+          title: `[${pattern.framework}] ${pattern.name}`,
+          description: isTestFile ? `${pattern.description} (in test file)` : pattern.description,
+          suggestedFix: pattern.suggestedFix,
+          confidence,
+          layer: 2,
+        })
+        break // Only report once per line
+      }
+    }
+  })
+  return vulnerabilities
+}