npm - @oculum/scanner - Versions diffs - 1.0.10 → 1.0.12 - Mend

@oculum/scanner 1.0.10 → 1.0.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (520) hide show

package/dist/ai-context/index.d.ts +6 -0
package/dist/ai-context/index.d.ts.map +1 -0
package/dist/ai-context/index.js +13 -0
package/dist/ai-context/index.js.map +1 -0
package/dist/ai-context/manager.d.ts +67 -0
package/dist/ai-context/manager.d.ts.map +1 -0
package/dist/ai-context/manager.js +104 -0
package/dist/ai-context/manager.js.map +1 -0
package/dist/baseline/diff.d.ts +32 -0
package/dist/baseline/diff.d.ts.map +1 -0
package/dist/baseline/diff.js +119 -0
package/dist/baseline/diff.js.map +1 -0
package/dist/baseline/index.d.ts +9 -0
package/dist/baseline/index.d.ts.map +1 -0
package/dist/baseline/index.js +19 -0
package/dist/baseline/index.js.map +1 -0
package/dist/baseline/manager.d.ts +67 -0
package/dist/baseline/manager.d.ts.map +1 -0
package/dist/baseline/manager.js +180 -0
package/dist/baseline/manager.js.map +1 -0
package/dist/baseline/types.d.ts +91 -0
package/dist/baseline/types.d.ts.map +1 -0
package/dist/baseline/types.js +12 -0
package/dist/baseline/types.js.map +1 -0
package/dist/category-filter.d.ts +125 -0
package/dist/category-filter.d.ts.map +1 -0
package/dist/category-filter.js +360 -0
package/dist/category-filter.js.map +1 -0
package/dist/filtering/context-adjustments.d.ts +23 -0
package/dist/filtering/context-adjustments.d.ts.map +1 -0
package/dist/filtering/context-adjustments.js +100 -0
package/dist/filtering/context-adjustments.js.map +1 -0
package/dist/filtering/index.d.ts +3 -0
package/dist/filtering/index.d.ts.map +1 -0
package/dist/filtering/index.js +8 -0
package/dist/filtering/index.js.map +1 -0
package/dist/filtering/pipeline.d.ts +48 -0
package/dist/filtering/pipeline.d.ts.map +1 -0
package/dist/filtering/pipeline.js +76 -0
package/dist/filtering/pipeline.js.map +1 -0
package/dist/formatters/ai-context.d.ts +23 -0
package/dist/formatters/ai-context.d.ts.map +1 -0
package/dist/formatters/ai-context.js +238 -0
package/dist/formatters/ai-context.js.map +1 -0
package/dist/formatters/cli-terminal.d.ts +38 -0
package/dist/formatters/cli-terminal.d.ts.map +1 -1
package/dist/formatters/cli-terminal.js +365 -42
package/dist/formatters/cli-terminal.js.map +1 -1
package/dist/formatters/github-comment.d.ts +2 -2
package/dist/formatters/github-comment.d.ts.map +1 -1
package/dist/formatters/github-comment.js +77 -13
package/dist/formatters/github-comment.js.map +1 -1
package/dist/formatters/ide/claude-code.d.ts +17 -0
package/dist/formatters/ide/claude-code.d.ts.map +1 -0
package/dist/formatters/ide/claude-code.js +94 -0
package/dist/formatters/ide/claude-code.js.map +1 -0
package/dist/formatters/ide/cursor.d.ts +13 -0
package/dist/formatters/ide/cursor.d.ts.map +1 -0
package/dist/formatters/ide/cursor.js +125 -0
package/dist/formatters/ide/cursor.js.map +1 -0
package/dist/formatters/ide/index.d.ts +62 -0
package/dist/formatters/ide/index.d.ts.map +1 -0
package/dist/formatters/ide/index.js +184 -0
package/dist/formatters/ide/index.js.map +1 -0
package/dist/formatters/ide/windsurf.d.ts +13 -0
package/dist/formatters/ide/windsurf.d.ts.map +1 -0
package/dist/formatters/ide/windsurf.js +117 -0
package/dist/formatters/ide/windsurf.js.map +1 -0
package/dist/formatters/index.d.ts +3 -1
package/dist/formatters/index.d.ts.map +1 -1
package/dist/formatters/index.js +20 -1
package/dist/formatters/index.js.map +1 -1
package/dist/index.d.ts +11 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +423 -56
package/dist/index.js.map +1 -1
package/dist/layer1/comments.d.ts +4 -1
package/dist/layer1/comments.d.ts.map +1 -1
package/dist/layer1/comments.js +1 -1
package/dist/layer1/comments.js.map +1 -1
package/dist/layer1/config-audit.d.ts +4 -1
package/dist/layer1/config-audit.d.ts.map +1 -1
package/dist/layer1/config-audit.js +65 -14
package/dist/layer1/config-audit.js.map +1 -1
package/dist/layer1/config-mcp-audit.d.ts +23 -0
package/dist/layer1/config-mcp-audit.d.ts.map +1 -0
package/dist/layer1/config-mcp-audit.js +239 -0
package/dist/layer1/config-mcp-audit.js.map +1 -0
package/dist/layer1/entropy.d.ts +4 -1
package/dist/layer1/entropy.d.ts.map +1 -1
package/dist/layer1/entropy.js +212 -1
package/dist/layer1/entropy.js.map +1 -1
package/dist/layer1/file-flags.d.ts +4 -1
package/dist/layer1/file-flags.d.ts.map +1 -1
package/dist/layer1/file-flags.js +12 -5
package/dist/layer1/file-flags.js.map +1 -1
package/dist/layer1/index.d.ts +1 -0
package/dist/layer1/index.d.ts.map +1 -1
package/dist/layer1/index.js +22 -19
package/dist/layer1/index.js.map +1 -1
package/dist/layer1/patterns.d.ts +4 -1
package/dist/layer1/patterns.d.ts.map +1 -1
package/dist/layer1/patterns.js +34 -4
package/dist/layer1/patterns.js.map +1 -1
package/dist/layer1/urls.d.ts +4 -1
package/dist/layer1/urls.d.ts.map +1 -1
package/dist/layer1/urls.js +162 -14
package/dist/layer1/urls.js.map +1 -1
package/dist/layer1/weak-crypto.d.ts +4 -1
package/dist/layer1/weak-crypto.d.ts.map +1 -1
package/dist/layer1/weak-crypto.js +144 -7
package/dist/layer1/weak-crypto.js.map +1 -1
package/dist/layer2/ai-agent-tools.d.ts +4 -1
package/dist/layer2/ai-agent-tools.d.ts.map +1 -1
package/dist/layer2/ai-agent-tools.js +964 -2
package/dist/layer2/ai-agent-tools.js.map +1 -1
package/dist/layer2/ai-endpoint-protection.d.ts +2 -0
package/dist/layer2/ai-endpoint-protection.d.ts.map +1 -1
package/dist/layer2/ai-endpoint-protection.js +18 -4
package/dist/layer2/ai-endpoint-protection.js.map +1 -1
package/dist/layer2/ai-execution-sinks.d.ts +4 -1
package/dist/layer2/ai-execution-sinks.d.ts.map +1 -1
package/dist/layer2/ai-execution-sinks.js +688 -29
package/dist/layer2/ai-execution-sinks.js.map +1 -1
package/dist/layer2/ai-fingerprinting.d.ts +4 -1
package/dist/layer2/ai-fingerprinting.d.ts.map +1 -1
package/dist/layer2/ai-fingerprinting.js +28 -32
package/dist/layer2/ai-fingerprinting.js.map +1 -1
package/dist/layer2/ai-mcp-security.d.ts +20 -0
package/dist/layer2/ai-mcp-security.d.ts.map +1 -0
package/dist/layer2/ai-mcp-security.js +877 -0
package/dist/layer2/ai-mcp-security.js.map +1 -0
package/dist/layer2/ai-package-hallucination.d.ts +22 -0
package/dist/layer2/ai-package-hallucination.d.ts.map +1 -0
package/dist/layer2/ai-package-hallucination.js +828 -0
package/dist/layer2/ai-package-hallucination.js.map +1 -0
package/dist/layer2/ai-prompt-hygiene.d.ts +4 -1
package/dist/layer2/ai-prompt-hygiene.d.ts.map +1 -1
package/dist/layer2/ai-prompt-hygiene.js +817 -17
package/dist/layer2/ai-prompt-hygiene.js.map +1 -1
package/dist/layer2/ai-rag-safety.d.ts +4 -1
package/dist/layer2/ai-rag-safety.d.ts.map +1 -1
package/dist/layer2/ai-rag-safety.js +454 -3
package/dist/layer2/ai-rag-safety.js.map +1 -1
package/dist/layer2/ai-schema-validation.d.ts +4 -1
package/dist/layer2/ai-schema-validation.d.ts.map +1 -1
package/dist/layer2/ai-schema-validation.js +2 -2
package/dist/layer2/ai-schema-validation.js.map +1 -1
package/dist/layer2/auth-antipatterns.d.ts +2 -0
package/dist/layer2/auth-antipatterns.d.ts.map +1 -1
package/dist/layer2/auth-antipatterns.js +209 -20
package/dist/layer2/auth-antipatterns.js.map +1 -1
package/dist/layer2/byok-patterns.d.ts +4 -1
package/dist/layer2/byok-patterns.d.ts.map +1 -1
package/dist/layer2/byok-patterns.js +5 -2
package/dist/layer2/byok-patterns.js.map +1 -1
package/dist/layer2/dangerous-functions/child-process.d.ts +16 -0
package/dist/layer2/dangerous-functions/child-process.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/child-process.js +74 -0
package/dist/layer2/dangerous-functions/child-process.js.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts +34 -0
package/dist/layer2/dangerous-functions/dom-xss.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/dom-xss.js +230 -0
package/dist/layer2/dangerous-functions/dom-xss.js.map +1 -0
package/dist/layer2/dangerous-functions/index.d.ts +16 -0
package/dist/layer2/dangerous-functions/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/index.js +1152 -0
package/dist/layer2/dangerous-functions/index.js.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts +31 -0
package/dist/layer2/dangerous-functions/json-parse.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/json-parse.js +319 -0
package/dist/layer2/dangerous-functions/json-parse.js.map +1 -0
package/dist/layer2/dangerous-functions/math-random.d.ts +111 -0
package/dist/layer2/dangerous-functions/math-random.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/math-random.js +684 -0
package/dist/layer2/dangerous-functions/math-random.js.map +1 -0
package/dist/layer2/dangerous-functions/patterns.d.ts +21 -0
package/dist/layer2/dangerous-functions/patterns.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/patterns.js +163 -0
package/dist/layer2/dangerous-functions/patterns.js.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts +13 -0
package/dist/layer2/dangerous-functions/request-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/request-validation.js +119 -0
package/dist/layer2/dangerous-functions/request-validation.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts +24 -0
package/dist/layer2/dangerous-functions/utils/control-flow.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js +70 -0
package/dist/layer2/dangerous-functions/utils/control-flow.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts +31 -0
package/dist/layer2/dangerous-functions/utils/helpers.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/helpers.js +147 -0
package/dist/layer2/dangerous-functions/utils/helpers.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts +9 -0
package/dist/layer2/dangerous-functions/utils/index.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/index.js +23 -0
package/dist/layer2/dangerous-functions/utils/index.js.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts +22 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.d.ts.map +1 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js +102 -0
package/dist/layer2/dangerous-functions/utils/schema-validation.js.map +1 -0
package/dist/layer2/data-exposure.d.ts +4 -1
package/dist/layer2/data-exposure.d.ts.map +1 -1
package/dist/layer2/data-exposure.js +14 -38
package/dist/layer2/data-exposure.js.map +1 -1
package/dist/layer2/framework-checks.d.ts +4 -1
package/dist/layer2/framework-checks.d.ts.map +1 -1
package/dist/layer2/framework-checks.js +5 -2
package/dist/layer2/framework-checks.js.map +1 -1
package/dist/layer2/index.d.ts +12 -1
package/dist/layer2/index.d.ts.map +1 -1
package/dist/layer2/index.js +110 -45
package/dist/layer2/index.js.map +1 -1
package/dist/layer2/logic-gates.d.ts +4 -1
package/dist/layer2/logic-gates.d.ts.map +1 -1
package/dist/layer2/logic-gates.js +58 -20
package/dist/layer2/logic-gates.js.map +1 -1
package/dist/layer2/model-supply-chain.d.ts +23 -0
package/dist/layer2/model-supply-chain.d.ts.map +1 -0
package/dist/layer2/model-supply-chain.js +444 -0
package/dist/layer2/model-supply-chain.js.map +1 -0
package/dist/layer2/risky-imports.d.ts +4 -1
package/dist/layer2/risky-imports.d.ts.map +1 -1
package/dist/layer2/risky-imports.js +6 -2
package/dist/layer2/risky-imports.js.map +1 -1
package/dist/layer2/variables.d.ts +4 -1
package/dist/layer2/variables.d.ts.map +1 -1
package/dist/layer2/variables.js +6 -2
package/dist/layer2/variables.js.map +1 -1
package/dist/layer3/anthropic/auto-dismiss.d.ts +24 -0
package/dist/layer3/anthropic/auto-dismiss.d.ts.map +1 -0
package/dist/layer3/anthropic/auto-dismiss.js +199 -0
package/dist/layer3/anthropic/auto-dismiss.js.map +1 -0
package/dist/layer3/anthropic/clients.d.ts +44 -0
package/dist/layer3/anthropic/clients.d.ts.map +1 -0
package/dist/layer3/anthropic/clients.js +81 -0
package/dist/layer3/anthropic/clients.js.map +1 -0
package/dist/layer3/anthropic/index.d.ts +41 -0
package/dist/layer3/anthropic/index.d.ts.map +1 -0
package/dist/layer3/anthropic/index.js +141 -0
package/dist/layer3/anthropic/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/index.d.ts +8 -0
package/dist/layer3/anthropic/prompts/index.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/index.js +14 -0
package/dist/layer3/anthropic/prompts/index.js.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts +15 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js +169 -0
package/dist/layer3/anthropic/prompts/semantic-analysis.js.map +1 -0
package/dist/layer3/anthropic/prompts/validation.d.ts +12 -0
package/dist/layer3/anthropic/prompts/validation.d.ts.map +1 -0
package/dist/layer3/anthropic/prompts/validation.js +421 -0
package/dist/layer3/anthropic/prompts/validation.js.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts +21 -0
package/dist/layer3/anthropic/providers/anthropic.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/anthropic.js +266 -0
package/dist/layer3/anthropic/providers/anthropic.js.map +1 -0
package/dist/layer3/anthropic/providers/index.d.ts +8 -0
package/dist/layer3/anthropic/providers/index.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/index.js +15 -0
package/dist/layer3/anthropic/providers/index.js.map +1 -0
package/dist/layer3/anthropic/providers/openai.d.ts +18 -0
package/dist/layer3/anthropic/providers/openai.d.ts.map +1 -0
package/dist/layer3/anthropic/providers/openai.js +340 -0
package/dist/layer3/anthropic/providers/openai.js.map +1 -0
package/dist/layer3/anthropic/request-builder.d.ts +20 -0
package/dist/layer3/anthropic/request-builder.d.ts.map +1 -0
package/dist/layer3/anthropic/request-builder.js +134 -0
package/dist/layer3/anthropic/request-builder.js.map +1 -0
package/dist/layer3/anthropic/types.d.ts +88 -0
package/dist/layer3/anthropic/types.d.ts.map +1 -0
package/dist/layer3/anthropic/types.js +38 -0
package/dist/layer3/anthropic/types.js.map +1 -0
package/dist/layer3/anthropic/utils/index.d.ts +9 -0
package/dist/layer3/anthropic/utils/index.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/index.js +24 -0
package/dist/layer3/anthropic/utils/index.js.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts +21 -0
package/dist/layer3/anthropic/utils/path-helpers.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/path-helpers.js +69 -0
package/dist/layer3/anthropic/utils/path-helpers.js.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts +40 -0
package/dist/layer3/anthropic/utils/response-parser.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/response-parser.js +285 -0
package/dist/layer3/anthropic/utils/response-parser.js.map +1 -0
package/dist/layer3/anthropic/utils/retry.d.ts +15 -0
package/dist/layer3/anthropic/utils/retry.d.ts.map +1 -0
package/dist/layer3/anthropic/utils/retry.js +62 -0
package/dist/layer3/anthropic/utils/retry.js.map +1 -0
package/dist/layer3/index.d.ts +1 -0
package/dist/layer3/index.d.ts.map +1 -1
package/dist/layer3/index.js +16 -6
package/dist/layer3/index.js.map +1 -1
package/dist/layer3/osv-check.d.ts +75 -0
package/dist/layer3/osv-check.d.ts.map +1 -0
package/dist/layer3/osv-check.js +308 -0
package/dist/layer3/osv-check.js.map +1 -0
package/dist/modes/incremental.js +1 -1
package/dist/rules/framework-fixes.d.ts +48 -0
package/dist/rules/framework-fixes.d.ts.map +1 -0
package/dist/rules/framework-fixes.js +439 -0
package/dist/rules/framework-fixes.js.map +1 -0
package/dist/rules/index.d.ts +8 -0
package/dist/rules/index.d.ts.map +1 -0
package/dist/rules/index.js +18 -0
package/dist/rules/index.js.map +1 -0
package/dist/rules/metadata.d.ts +43 -0
package/dist/rules/metadata.d.ts.map +1 -0
package/dist/rules/metadata.js +734 -0
package/dist/rules/metadata.js.map +1 -0
package/dist/suppression/config-loader.d.ts +74 -0
package/dist/suppression/config-loader.d.ts.map +1 -0
package/dist/suppression/config-loader.js +424 -0
package/dist/suppression/config-loader.js.map +1 -0
package/dist/suppression/hash.d.ts +48 -0
package/dist/suppression/hash.d.ts.map +1 -0
package/dist/suppression/hash.js +88 -0
package/dist/suppression/hash.js.map +1 -0
package/dist/suppression/index.d.ts +11 -0
package/dist/suppression/index.d.ts.map +1 -0
package/dist/suppression/index.js +39 -0
package/dist/suppression/index.js.map +1 -0
package/dist/suppression/inline-parser.d.ts +39 -0
package/dist/suppression/inline-parser.d.ts.map +1 -0
package/dist/suppression/inline-parser.js +218 -0
package/dist/suppression/inline-parser.js.map +1 -0
package/dist/suppression/manager.d.ts +94 -0
package/dist/suppression/manager.d.ts.map +1 -0
package/dist/suppression/manager.js +292 -0
package/dist/suppression/manager.js.map +1 -0
package/dist/suppression/types.d.ts +151 -0
package/dist/suppression/types.d.ts.map +1 -0
package/dist/suppression/types.js +28 -0
package/dist/suppression/types.js.map +1 -0
package/dist/tiers.d.ts +3 -3
package/dist/tiers.d.ts.map +1 -1
package/dist/tiers.js +34 -7
package/dist/tiers.js.map +1 -1
package/dist/types.d.ts +140 -9
package/dist/types.d.ts.map +1 -1
package/dist/types.js +34 -0
package/dist/types.js.map +1 -1
package/dist/utils/code-analysis.d.ts +39 -0
package/dist/utils/code-analysis.d.ts.map +1 -0
package/dist/utils/code-analysis.js +159 -0
package/dist/utils/code-analysis.js.map +1 -0
package/dist/utils/comment-analyzer.d.ts +38 -0
package/dist/utils/comment-analyzer.d.ts.map +1 -0
package/dist/utils/comment-analyzer.js +218 -0
package/dist/utils/comment-analyzer.js.map +1 -0
package/dist/utils/context-helpers.d.ts +112 -1
package/dist/utils/context-helpers.d.ts.map +1 -1
package/dist/utils/context-helpers.js +364 -11
package/dist/utils/context-helpers.js.map +1 -1
package/dist/utils/environment-context.d.ts +76 -0
package/dist/utils/environment-context.d.ts.map +1 -0
package/dist/utils/environment-context.js +271 -0
package/dist/utils/environment-context.js.map +1 -0
package/dist/utils/intent-detector.d.ts +66 -0
package/dist/utils/intent-detector.d.ts.map +1 -0
package/dist/utils/intent-detector.js +282 -0
package/dist/utils/intent-detector.js.map +1 -0
package/dist/utils/parsed-file.d.ts +51 -0
package/dist/utils/parsed-file.d.ts.map +1 -0
package/dist/utils/parsed-file.js +95 -0
package/dist/utils/parsed-file.js.map +1 -0
package/dist/utils/route-hierarchy.d.ts +50 -0
package/dist/utils/route-hierarchy.d.ts.map +1 -0
package/dist/utils/route-hierarchy.js +226 -0
package/dist/utils/route-hierarchy.js.map +1 -0
package/dist/utils/schema-semantics.d.ts +45 -0
package/dist/utils/schema-semantics.d.ts.map +1 -0
package/dist/utils/schema-semantics.js +193 -0
package/dist/utils/schema-semantics.js.map +1 -0
package/package.json +4 -2
package/src/__tests__/benchmark/fixtures/layer1/mcp-config-audit.json +31 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-execution-sinks.ts +1489 -82
package/src/__tests__/benchmark/fixtures/layer2/ai-mcp-security.ts +495 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-package-hallucination.ts +255 -0
package/src/__tests__/benchmark/fixtures/layer2/ai-prompt-hygiene.ts +300 -1
package/src/__tests__/benchmark/fixtures/layer2/ai-rag-safety.ts +139 -0
package/src/__tests__/benchmark/fixtures/layer2/byok-patterns.ts +7 -0
package/src/__tests__/benchmark/fixtures/layer2/data-exposure.ts +63 -0
package/src/__tests__/benchmark/fixtures/layer2/excessive-agency.ts +221 -0
package/src/__tests__/benchmark/fixtures/layer2/index.ts +30 -0
package/src/__tests__/benchmark/fixtures/layer2/model-supply-chain.ts +204 -0
package/src/__tests__/benchmark/fixtures/layer2/phase1-enhancements.ts +157 -0
package/src/__tests__/benchmark/fixtures/layer2/phase5-excessive-agency.ts +580 -0
package/src/__tests__/benchmark/fixtures/layer2/sprint6-ai-enhancements.ts +515 -0
package/src/__tests__/benchmark/run-depth-validation.ts +9 -9
package/src/__tests__/category-filter.test.ts +478 -0
package/src/__tests__/regression/known-false-positives.test.ts +490 -0
package/src/__tests__/snapshots/__snapshots__/anthropic-validation-refactor.test.ts.snap +762 -0
package/src/__tests__/snapshots/__snapshots__/dangerous-functions-refactor.test.ts.snap +503 -0
package/src/__tests__/snapshots/__snapshots__/scan-depth.test.ts.snap +0 -9
package/src/__tests__/snapshots/anthropic-validation-refactor.test.ts +321 -0
package/src/__tests__/snapshots/dangerous-functions-refactor.test.ts +439 -0
package/src/__tests__/validation/run-validation.ts +7 -7
package/src/ai-context/__tests__/manager.test.ts +193 -0
package/src/ai-context/index.ts +15 -0
package/src/ai-context/manager.ts +145 -0
package/src/baseline/__tests__/diff.test.ts +261 -0
package/src/baseline/__tests__/manager.test.ts +225 -0
package/src/baseline/diff.ts +135 -0
package/src/baseline/index.ts +29 -0
package/src/baseline/manager.ts +230 -0
package/src/baseline/types.ts +97 -0
package/src/category-filter.ts +400 -0
package/src/filtering/__tests__/pipeline.test.ts +134 -0
package/src/filtering/context-adjustments.ts +111 -0
package/src/filtering/index.ts +10 -0
package/src/filtering/pipeline.ts +130 -0
package/src/formatters/__tests__/ai-context.test.ts +254 -0
package/src/formatters/ai-context.ts +302 -0
package/src/formatters/cli-terminal.ts +444 -41
package/src/formatters/github-comment.ts +82 -14
package/src/formatters/ide/__tests__/ide.test.ts +319 -0
package/src/formatters/ide/claude-code.ts +110 -0
package/src/formatters/ide/cursor.ts +147 -0
package/src/formatters/ide/index.ts +216 -0
package/src/formatters/ide/windsurf.ts +135 -0
package/src/formatters/index.ts +28 -0
package/src/index.ts +506 -45
package/src/layer1/comments.ts +3 -1
package/src/layer1/config-audit.ts +74 -14
package/src/layer1/config-mcp-audit.ts +278 -0
package/src/layer1/entropy.ts +234 -1
package/src/layer1/file-flags.ts +17 -6
package/src/layer1/index.ts +29 -23
package/src/layer1/patterns.ts +42 -4
package/src/layer1/urls.ts +188 -14
package/src/layer1/weak-crypto.ts +168 -16
package/src/layer2/ai-agent-tools.ts +1043 -2
package/src/layer2/ai-endpoint-protection.ts +19 -4
package/src/layer2/ai-execution-sinks.ts +755 -29
package/src/layer2/ai-fingerprinting.ts +33 -33
package/src/layer2/ai-mcp-security.ts +933 -0
package/src/layer2/ai-package-hallucination.ts +940 -0
package/src/layer2/ai-prompt-hygiene.ts +898 -17
package/src/layer2/ai-rag-safety.ts +467 -5
package/src/layer2/ai-schema-validation.ts +4 -2
package/src/layer2/auth-antipatterns.ts +235 -20
package/src/layer2/byok-patterns.ts +9 -3
package/src/layer2/dangerous-functions/child-process.ts +98 -0
package/src/layer2/dangerous-functions/dom-xss.ts +292 -0
package/src/layer2/dangerous-functions/index.ts +1533 -0
package/src/layer2/dangerous-functions/json-parse.ts +385 -0
package/src/layer2/dangerous-functions/math-random.ts +789 -0
package/src/layer2/dangerous-functions/patterns.ts +176 -0
package/src/layer2/dangerous-functions/request-validation.ts +145 -0
package/src/layer2/dangerous-functions/utils/control-flow.ts +35 -0
package/src/layer2/dangerous-functions/utils/helpers.ts +170 -0
package/src/layer2/dangerous-functions/utils/index.ts +25 -0
package/src/layer2/dangerous-functions/utils/schema-validation.ts +106 -0
package/src/layer2/data-exposure.ts +18 -39
package/src/layer2/framework-checks.ts +9 -2
package/src/layer2/index.ts +124 -43
package/src/layer2/logic-gates.ts +64 -22
package/src/layer2/model-supply-chain.ts +531 -0
package/src/layer2/risky-imports.ts +9 -2
package/src/layer2/variables.ts +9 -2
package/src/layer3/__tests__/osv-check.test.ts +384 -0
package/src/layer3/anthropic/auto-dismiss.ts +223 -0
package/src/layer3/anthropic/clients.ts +84 -0
package/src/layer3/anthropic/index.ts +170 -0
package/src/layer3/anthropic/prompts/index.ts +14 -0
package/src/layer3/anthropic/prompts/semantic-analysis.ts +173 -0
package/src/layer3/anthropic/prompts/validation.ts +419 -0
package/src/layer3/anthropic/providers/anthropic.ts +310 -0
package/src/layer3/anthropic/providers/index.ts +8 -0
package/src/layer3/anthropic/providers/openai.ts +384 -0
package/src/layer3/anthropic/request-builder.ts +150 -0
package/src/layer3/anthropic/types.ts +148 -0
package/src/layer3/anthropic/utils/index.ts +26 -0
package/src/layer3/anthropic/utils/path-helpers.ts +68 -0
package/src/layer3/anthropic/utils/response-parser.ts +322 -0
package/src/layer3/anthropic/utils/retry.ts +75 -0
package/src/layer3/index.ts +18 -5
package/src/layer3/osv-check.ts +420 -0
package/src/modes/incremental.ts +1 -1
package/src/rules/__tests__/framework-fixes.test.ts +689 -0
package/src/rules/__tests__/metadata.test.ts +218 -0
package/src/rules/framework-fixes.ts +470 -0
package/src/rules/index.ts +21 -0
package/src/rules/metadata.ts +831 -0
package/src/suppression/__tests__/config-loader.test.ts +382 -0
package/src/suppression/__tests__/hash.test.ts +166 -0
package/src/suppression/__tests__/inline-parser.test.ts +212 -0
package/src/suppression/__tests__/manager.test.ts +415 -0
package/src/suppression/config-loader.ts +462 -0
package/src/suppression/hash.ts +95 -0
package/src/suppression/index.ts +51 -0
package/src/suppression/inline-parser.ts +273 -0
package/src/suppression/manager.ts +379 -0
package/src/suppression/types.ts +174 -0
package/src/tiers.ts +45 -9
package/src/types.ts +212 -8
package/src/utils/__tests__/code-analysis.test.ts +165 -0
package/src/utils/__tests__/parsed-file.test.ts +124 -0
package/src/utils/code-analysis.ts +179 -0
package/src/utils/comment-analyzer.ts +249 -0
package/src/utils/context-helpers.ts +421 -11
package/src/utils/environment-context.ts +304 -0
package/src/utils/intent-detector.ts +318 -0
package/src/utils/parsed-file.ts +103 -0
package/src/utils/route-hierarchy.ts +250 -0
package/src/utils/schema-semantics.ts +233 -0
package/dist/layer2/dangerous-functions.d.ts +0 -7
package/dist/layer2/dangerous-functions.d.ts.map +0 -1
package/dist/layer2/dangerous-functions.js +0 -1701
package/dist/layer2/dangerous-functions.js.map +0 -1
package/dist/layer3/anthropic.d.ts +0 -87
package/dist/layer3/anthropic.d.ts.map +0 -1
package/dist/layer3/anthropic.js +0 -1948
package/dist/layer3/anthropic.js.map +0 -1
package/dist/layer3/openai.d.ts +0 -25
package/dist/layer3/openai.d.ts.map +0 -1
package/dist/layer3/openai.js +0 -238
package/dist/layer3/openai.js.map +0 -1
package/src/layer2/dangerous-functions.ts +0 -1940
package/src/layer3/anthropic.ts +0 -2257

package/src/layer2/auth-antipatterns.ts CHANGED Viewed

@@ -9,11 +9,16 @@
  */
 import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import type { ParsedFile } from '../utils/parsed-file'
 import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
 import { isRouteProtectedByMiddleware, getRoutePathFromFile } from '../utils/middleware-detector'
 import type { AuthHelper, AuthHelperContext } from '../utils/auth-helper-detector'
 import { hasAuthHelperCallBefore, isUserIdAlreadyValidated } from '../utils/auth-helper-detector'
 import type { FileAuthImports } from '../utils/imported-auth-detector'
+import { isScannerOrFixtureFile } from '../utils/context-helpers'
+import { getRouteProtectionContext, isAuthenticatedOnlyComponent } from '../utils/route-hierarchy'
+import { is2FAOrValidation } from '../utils/schema-semantics'
+import { isPasswordErrorCode, hasPasswordValueInError } from '../utils/intent-detector'
 interface AuthAntiPattern {
   name: string
@@ -78,13 +83,10 @@ const AUTH_ANTIPATTERNS: AuthAntiPattern[] = [
     description: 'Session configuration may lack secure flag',
     suggestedFix: 'Set secure: true for cookies in production',
   },
-  {
-    name: 'Cookie without httpOnly',
-    pattern: /cookie\s*\(\s*['"][^'"]+['"]\s*,[^)]*(?!httpOnly)[^)]*\)|setCookie\s*\([^)]*(?!httpOnly)/gi,
-    severity: 'medium',
-    description: 'Cookie set without httpOnly flag',
-    suggestedFix: 'Add httpOnly: true to prevent XSS access to cookies',
-  },
+  // NOTE: Cookie httpOnly detection removed - causes false positives
+  // Client-side code (document.cookie) cannot set httpOnly - it's a server-only flag
+  // Server-side cookie libraries have proper defaults
+  // The pattern was triggering on client-side cookie access which is conceptually wrong
   // Authorization issues
   // NOTE: We intentionally do NOT flag "if (!user)" or "if (!userId)" patterns as issues
@@ -122,12 +124,17 @@ const AUTH_ANTIPATTERNS: AuthAntiPattern[] = [
   },
   // OAuth/Social auth issues
+  // NOTE: OAuth detection narrowed significantly to reduce false positives.
+  // Previously matched any line containing "oauth" which flagged variable names, imports, etc.
+  // Now only matches actual OAuth authorization URL construction.
   {
     name: 'OAuth state parameter missing',
-    pattern: /oauth|authorize\?.*(?!state=)/gi,
+    // Only match actual OAuth authorization URL construction without state parameter
+    // Must have: authorize endpoint + client_id/redirect_uri but missing state
+    pattern: /['"`]https?:\/\/[^'"]*\/(?:oauth|authorize|auth)[^'"]*client_id=[^'"]*(?!.*state=)/gi,
     severity: 'medium',
-    description: 'OAuth flow may lack state parameter for CSRF protection',
-    suggestedFix: 'Include a random state parameter in OAuth requests',
+    description: 'OAuth authorization URL may lack state parameter for CSRF protection',
+    suggestedFix: 'Include a random state parameter in OAuth authorization requests',
   },
   // Password handling issues
@@ -138,13 +145,10 @@ const AUTH_ANTIPATTERNS: AuthAntiPattern[] = [
     description: 'Password may be logged to console',
     suggestedFix: 'Never log passwords or sensitive credentials',
   },
-  {
-    name: 'Password in error message',
-    pattern: /throw\s+new\s+Error\s*\([^)]*password|Error\s*\([^)]*password/gi,
-    severity: 'high',
-    description: 'Password may be included in error message',
-    suggestedFix: 'Never include passwords in error messages',
-  },
+  // NOTE: 'Password in error message' pattern now uses smart intent detection
+  // Error CODES like 'SAME_PASSWORD' are not flagged (they're codes, not values)
+  // Only actual password values concatenated into errors are flagged
+  // This is handled specially in detectAuthAntipatterns() below
   // Rate limiting
   {
@@ -183,6 +187,37 @@ function isAuthRelatedFile(filePath: string): boolean {
   return authKeywords.some(keyword => lowerPath.includes(keyword))
 }
+/**
+ * Check if file is an auth implementation/library file
+ * These files ARE the auth system - flagging them for "missing auth" is wrong
+ *
+ * Examples:
+ * - packages/auth/src/handlers.ts
+ * - lib/auth/middleware.ts
+ * - services/authentication/index.ts
+ */
+function isAuthImplementationFile(filePath: string): boolean {
+  const authImplPatterns = [
+    /\/packages\/auth\//i,
+    /\/lib\/auth\//i,
+    /\/utils\/auth\//i,
+    /\/services\/auth/i,
+    /\/authentication\//i,
+    /\/auth-provider/i,
+    /\/auth-helpers/i,
+    /\/auth-utils/i,
+    /\/passport-/i,              // Passport.js strategy files
+    /\/next-auth\//i,            // NextAuth config
+    /\/lucia\//i,                // Lucia auth
+    /\/better-auth\//i,          // Better Auth
+    /\/supabase\/auth/i,         // Supabase auth
+    /\/clerk\//i,                // Clerk auth
+    /\/auth0\//i,                // Auth0
+    /\/keycloak\//i,             // Keycloak
+  ]
+  return authImplPatterns.some(p => p.test(filePath))
+}
 // Check if endpoint is a known public endpoint (health checks, webhooks, cron)
 function isKnownPublicEndpoint(lineContent: string, filePath: string): boolean {
   const PUBLIC_ENDPOINTS = [
@@ -193,20 +228,60 @@ function isKnownPublicEndpoint(lineContent: string, filePath: string): boolean {
     /\/live\b/i,
     /\/ping\b/i,
     /\/status\b/i,
+    /\/_health/i,
     // Webhooks (receive external calls)
     /\/webhook\b/i,
     /\/webhooks\//i,
     /\/callback\b/i,
+    /\/stripe\/webhook/i,
+    /\/clerk\/webhook/i,
+    /\/svix\//i,
     // Cron/scheduled tasks
     /\/cron\//i,
     /\/scheduled\//i,
     /\/tasks\//i,
+    /\/jobs?\//i,
-    // Public APIs
+    // Public APIs - intentionally unauthenticated
     /\/public\//i,
+    /\/openpage/i,        // OpenPage API pattern (intentionally public)
+    /\/open-api\//i,
+    /\/api\/public\//i,
+    /\/api\/v\d+\/public\//i,
     /\bGET\b.*\/api\/\w+\/\[id\]/i,  // Public resource reads with ID param
+    // Auth endpoints (must be public for users to authenticate)
+    /\/api\/auth\//i,
+    /\/auth\//i,
+    /\/login\b/i,
+    /\/signup\b/i,
+    /\/register\b/i,
+    /\/forgot-password/i,
+    /\/reset-password/i,
+    /\/verify-email/i,
+    /\/magic-link/i,
+    /\/oauth\//i,
+    // RSS/Atom feeds (typically public)
+    /\/feed\b/i,
+    /\/rss\b/i,
+    /\/atom\b/i,
+    // Sitemap/robots (always public)
+    /\/sitemap/i,
+    /\/robots/i,
+    // OpenGraph/meta endpoints
+    /\/og\//i,
+    /\/opengraph/i,
+    /\/meta\//i,
+    // Share/embed endpoints
+    /\/share\//i,
+    /\/embed\//i,
+    /\/widget\//i,
   ]
   return PUBLIC_ENDPOINTS.some(pattern =>
@@ -243,6 +318,47 @@ function hasAuthCheckNearby(lines: string[], lineIndex: number): boolean {
     /userApiKey|user_api_key|clientApiKey/i,
     /req\.body\.(?:apiKey|api_key|openaiKey|anthropicKey)/i,
     /headers\[['"`]x-(?:openai|api|anthropic)-key['"`]\]/i,
+    // Next.js / React auth patterns (expanded)
+    /const\s+session\s*=\s*await\s+auth\s*\(\)/,          // const session = await auth()
+    /const\s+\{\s*session\s*\}\s*=\s*await\s+auth\s*\(\)/, // const { session } = await auth()
+    /if\s*\(\s*!session\?\.user/,                          // if (!session?.user)
+    /if\s*\(\s*!session\s*\)/,                             // if (!session)
+    /session\s*\?\.\s*user/,                               // session?.user
+    /getServerSession\s*\(\s*authOptions/,                 // getServerSession(authOptions)
+    /getServerSession\s*\(\s*req\s*,\s*res/,              // getServerSession(req, res, ...)
+    /useSession\s*\(\)/,                                   // useSession()
+    /signIn\s*\(/,                                         // signIn()
+    /signOut\s*\(/,                                        // signOut()
+    // Clerk auth patterns
+    /currentUser\s*\(\)/,                                  // currentUser()
+    /auth\s*\(\)\s*\.\s*protect/,                         // auth().protect
+    /auth\s*\(\)\s*\.\s*userId/,                          // auth().userId
+    /clerkClient/i,
+    /getAuth\s*\(/,
+    /ClerkProvider/,
+    // Supabase auth patterns
+    /supabase\s*\.\s*auth\s*\.\s*getUser/,               // supabase.auth.getUser()
+    /supabase\s*\.\s*auth\s*\.\s*getSession/,            // supabase.auth.getSession()
+    /createServerClient/,                                  // Supabase server client
+    /createRouteHandlerClient/,
+    // Lucia auth patterns
+    /lucia\s*\.\s*validateSession/,
+    /validateRequest/,
+    // Better Auth patterns
+    /betterAuth/,
+    /auth\.api\./,
+    // Throwing auth helpers (if these are called, route is authenticated)
+    /throw\s+new\s+Error\s*\(\s*['"]unauthorized/i,
+    /throw\s+new\s+Error\s*\(\s*['"]unauthenticated/i,
+    /ChatSDKError\s*\(\s*['"]unauthorized/i,
+    /return\s+new\s+Response\s*\(\s*.*401/,
+    /return\s+NextResponse\s*\.\s*json\s*\(\s*.*401/,
   ]
   return searchWindow.some(line =>
@@ -254,6 +370,7 @@ export interface AuthAntipatternOptions {
   middlewareConfig?: MiddlewareAuthConfig
   authHelpers?: AuthHelperContext
   fileAuthImports?: Map<string, FileAuthImports>
+  parsed?: ParsedFile
 }
 export function detectAuthAntipatterns(
@@ -261,10 +378,18 @@ export function detectAuthAntipatterns(
   filePath: string,
   options: AuthAntipatternOptions = {}
 ): Vulnerability[] {
-  const { middlewareConfig, authHelpers, fileAuthImports } = options
+  const { middlewareConfig, authHelpers, fileAuthImports, parsed } = options
   const vulnerabilities: Vulnerability[] = []
-  const lines = content.split('\n')
+  // Skip scanner/fixture files to avoid self-detection
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+  const lines = parsed?.lines ?? content.split('\n')
   const isAuthFile = isAuthRelatedFile(filePath)
+  const isAuthImpl = isAuthImplementationFile(filePath)
+  // Check framework route hierarchy protection (Remix, Next.js route groups)
+  const routeHierarchy = getRouteProtectionContext(filePath)
   // Check if this route is protected by global middleware
   const routePath = getRoutePathFromFile(filePath)
@@ -279,6 +404,9 @@ export function detectAuthAntipatterns(
   // Check if file uses throwing auth helpers
   const helpersList = authHelpers?.helpers || []
+  // Check if this is a component only used in authenticated contexts
+  const isAuthOnlyComponent = isAuthenticatedOnlyComponent(filePath)
   lines.forEach((line, index) => {
     // Skip comment lines
     if (isComment(line)) return
@@ -291,6 +419,12 @@ export function detectAuthAntipatterns(
         if (pattern.name === 'Unprotected API route' ||
             pattern.name === 'Express route without auth middleware') {
+          // PRIORITY -1: Skip auth implementation files entirely
+          // These files ARE the auth system - flagging them for "missing auth" is conceptually wrong
+          if (isAuthImpl) {
+            break // Skip this pattern
+          }
           // PRIORITY 0: Check if this is actually a route file
           // In Next.js, routes must be in `route.ts/js` files. Files like `handlers.ts`,
           // `safe-handlers.ts`, `utils.ts` etc. are NOT actual API routes even if they
@@ -308,6 +442,32 @@ export function detectAuthAntipatterns(
             break
           }
+          // PRIORITY 0.5: Check if route is in a protected route hierarchy
+          // Framework route conventions (Remix _authenticated+, Next.js route groups)
+          if (routeHierarchy.isInProtectedHierarchy) {
+            // Route is in a protected hierarchy - cap severity at info
+            vulnerabilities.push({
+              id: `auth-antipattern-${filePath}-${index + 1}-${pattern.name}`,
+              filePath,
+              lineNumber: index + 1,
+              lineContent: line.trim(),
+              severity: 'info',
+              category: 'missing_auth',
+              title: pattern.name + ' (in protected route hierarchy)',
+              description: `This route is within a protected route hierarchy (${routeHierarchy.protectionSource.join(', ')}). Authentication is likely handled by parent layout/middleware.`,
+              suggestedFix: 'Verify parent layout enforces authentication. If not, add auth check here.',
+              confidence: 'low',
+              layer: 2,
+            })
+            break // Only report once per line
+          }
+          // PRIORITY 0.75: Check if this is a component only used in authenticated contexts
+          if (isAuthOnlyComponent) {
+            // Component is in admin/dashboard/etc - skip entirely
+            break
+          }
           // PRIORITY 1: Check if route is protected by global middleware
           // This is the STRONGEST signal - if middleware protects the route, suppress entirely
           if (middlewareProtection.isProtected) {
@@ -390,5 +550,60 @@ export function detectAuthAntipatterns(
     }
   })
+  // Special handling: Password in error message with smart intent detection
+  // Only flag actual password VALUES, not error CODES like 'SAME_PASSWORD'
+  const passwordErrorPattern = /throw\s+new\s+Error\s*\([^)]*password|Error\s*\([^)]*password/gi
+  lines.forEach((line, index) => {
+    if (isComment(line)) return
+    if (passwordErrorPattern.test(line)) {
+      // Reset regex state
+      passwordErrorPattern.lastIndex = 0
+      // Skip if this is an error CODE, not a VALUE
+      if (isPasswordErrorCode(line)) {
+        return // This is fine - 'SAME_PASSWORD' is a code, not a value
+      }
+      // Only flag if actual password value is in the error
+      if (hasPasswordValueInError(line)) {
+        vulnerabilities.push({
+          id: `auth-antipattern-${filePath}-${index + 1}-password-in-error`,
+          filePath,
+          lineNumber: index + 1,
+          lineContent: line.trim(),
+          severity: 'high',
+          category: 'missing_auth',
+          title: 'Password value in error message',
+          description: 'Actual password value may be included in error message, exposing sensitive data.',
+          suggestedFix: 'Never include actual password values in error messages. Use error codes instead.',
+          confidence: 'high',
+          layer: 2,
+        })
+      }
+    }
+  })
+  // Special handling: 2FA optional fields with OR validation
+  // Don't flag .optional() on 2FA fields if there's .refine() enforcing OR logic
+  const twoFAOptionalPattern = /\.(totp|otp|backupCode|recoveryCode|twoFactor|2fa|mfa).*\.optional\s*\(\)/gi
+  lines.forEach((line, index) => {
+    if (isComment(line)) return
+    if (twoFAOptionalPattern.test(line)) {
+      // Reset regex state
+      twoFAOptionalPattern.lastIndex = 0
+      // Check if this is legitimate OR validation (either TOTP or backup code required)
+      if (is2FAOrValidation(content, index)) {
+        // This is legitimate OR validation - skip or report as info
+        return
+      }
+      // Only flag if this truly allows bypassing 2FA
+      // Most cases with .refine() are fine - this is handled by schema-semantics.ts
+    }
+  })
   return vulnerabilities
 }

package/src/layer2/byok-patterns.ts CHANGED Viewed

@@ -5,8 +5,9 @@
  */
 import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import type { ParsedFile } from '../utils/parsed-file'
 import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
-import { isComment, isTestOrMockFile, isExampleFile, isPlaceholderValue } from '../utils/context-helpers'
+import { isComment, isTestOrMockFile, isExampleFile, isPlaceholderValue, isScannerOrFixtureFile } from '../utils/context-helpers'
 import { isRouteProtectedByMiddleware, getRoutePathFromFile, detectUserScopingPatterns } from '../utils/middleware-detector'
 /**
@@ -221,10 +222,15 @@ function isKeyLogged(content: string, lineNumber: number): boolean {
 export function detectBYOKPatterns(
   content: string,
   filePath: string,
-  middlewareConfig?: MiddlewareAuthConfig
+  middlewareConfig?: MiddlewareAuthConfig,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
-  const lines = content.split('\n')
+  // Skip scanner/fixture files to avoid self-detection
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const isTestFile = isTestOrMockFile(filePath)
   // Skip example/demo files entirely - they contain placeholder credentials by design

package/src/layer2/dangerous-functions/child-process.ts ADDED Viewed

@@ -0,0 +1,98 @@
+/**
+ * Child Process Detection
+ *
+ * Detection logic for child_process functions (exec, spawn, execFile, etc.)
+ * that can lead to command injection vulnerabilities.
+ */
+/**
+ * Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
+ * Returns true if this is a child_process exec call that should be flagged
+ */
+export function isChildProcessExec(content: string, lineContent: string): boolean {
+  // Check for child_process import
+  const hasChildProcessImport =
+    /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
+    /from\s+['"]child_process['"]/.test(content) ||
+    /import\s+.*child_process/.test(content) ||
+    /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
+    /from\s+['"]node:child_process['"]/.test(content)
+  // If no child_process import, this is likely RegExp.exec or similar
+  if (!hasChildProcessImport) {
+    return false
+  }
+  // Check if this specific line is RegExp.exec pattern
+  // RegExp.exec is called as: regex.exec(string) or /pattern/.exec(string)
+  const isRegExpExec =
+    /\.\s*exec\s*\(/.test(lineContent) && // Method call on an object
+    !/\bexec\s*\(/.test(lineContent.replace(/\.\s*exec\s*\(/, '')) // Not a standalone exec()
+  // Also check for common RegExp patterns
+  const isRegExpPattern =
+    /\/[^/]+\/[gimsuy]*\.exec\s*\(/.test(lineContent) || // /pattern/.exec()
+    /new\s+RegExp\s*\([^)]+\)\.exec\s*\(/.test(lineContent) || // new RegExp().exec()
+    /regex\.exec\s*\(/i.test(lineContent) || // regex.exec()
+    /pattern\.exec\s*\(/i.test(lineContent) || // pattern.exec()
+    /match\.exec\s*\(/i.test(lineContent) || // match.exec()
+    /re\.exec\s*\(/i.test(lineContent) // re.exec()
+  if (isRegExpExec || isRegExpPattern) {
+    return false
+  }
+  // Check if exec is imported/destructured from child_process
+  const execImported =
+    /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]child_process['"]/.test(
+      content
+    ) ||
+    /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]node:child_process['"]/.test(
+      content
+    ) ||
+    /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]child_process['"]/.test(
+      content
+    ) ||
+    /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]node:child_process['"]/.test(
+      content
+    )
+  // If exec is directly imported from child_process, standalone exec() is dangerous
+  if (execImported && /\bexec\s*\(/.test(lineContent)) {
+    return true
+  }
+  // Check for child_process.exec() pattern
+  if (
+    /child_process\.exec\s*\(/.test(lineContent) ||
+    /cp\.exec\s*\(/.test(lineContent) ||
+    /childProcess\.exec\s*\(/.test(lineContent)
+  ) {
+    return true
+  }
+  // If we have child_process import but can't determine usage, be conservative
+  // Only flag if it looks like a standalone exec() call
+  return /\bexec\s*\(/.test(lineContent) && !/\.\s*exec\s*\(/.test(lineContent)
+}
+/**
+ * Check if spawn/execFile/execSync is from child_process
+ */
+export function isChildProcessSpawn(content: string, lineContent: string): boolean {
+  // Check for child_process import
+  const hasChildProcessImport =
+    /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
+    /from\s+['"]child_process['"]/.test(content) ||
+    /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
+    /from\s+['"]node:child_process['"]/.test(content)
+  if (!hasChildProcessImport) {
+    return false
+  }
+  // These functions are always from child_process when that module is imported
+  return /\b(spawn|spawnSync|execSync|execFile|execFileSync)\s*\(/.test(
+    lineContent
+  )
+}