@oculum/scanner 1.0.11 → 1.0.13

package/src/{layer3 → detect/config}/package-check.ts

@@ -11,7 +11,7 @@
  * - Package age and popularity analysis
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import type { Vulnerability, VulnerabilitySeverity } from '../../shared/types'
 import {
   fetchNPMMetadata,
   fetchPyPIMetadata,
@@ -23,7 +23,7 @@ import {
   type NPMPackageMetadata,
   type PyPIPackageMetadata,
   type ExtractedDependency,
-} from '../utils/registry-clients'
+} from '../../shared/registry-clients'
 
 // ============================================================================
 // Configuration
@@ -580,6 +580,7 @@ export async function checkPackages(
         suggestedFix: buildRiskSuggestedFix(risk),
         confidence: risk.totalScore >= 70 ? 'high' : 'medium',
         layer: 3,
+        source: 'config' as const,
         requiresAIValidation: risk.totalScore < 70, // High-confidence issues don't need AI validation
       })
     }

package/src/{layer1 → detect/config}/urls.ts

@@ -3,7 +3,19 @@
  * Detects hardcoded sensitive URLs that may indicate security issues
  */
 
-import type { Vulnerability } from '../types'
+import type { Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+import { isTestConfigFile, isPythonFile, isInsidePythonDocstring } from '../../parse/file-classifier'
+import {
+  getEnvironmentContext,
+  isInPlaceholderAttribute,
+  isDefaultParameterValue,
+  getLocalhostSeverity,
+} from '../../shared/environment-context'
+import { getRouteProtectionContext } from '../../model/route-hierarchy'
+
+const BASE_CONFIDENCE_WEBHOOK = 0.55
+const BASE_CONFIDENCE_LOCALHOST = 0.30
 
 // Check if file is documentation/README/example
 function isDocumentationFile(filePath: string): boolean {
@@ -26,6 +38,50 @@ function isDocumentationFile(filePath: string): boolean {
   return docPatterns.some(p => p.test(filePath))
 }
 
+/**
+ * Check if file path indicates it's inside an authenticated route group
+ * Modern frameworks use route groups/layouts that handle auth at the layout level
+ *
+ * Examples:
+ * - Next.js: (authenticated)/dashboard/page.tsx, (admin)/users/page.tsx
+ * - Remix: _authenticated+/dashboard.tsx
+ * - SvelteKit: (protected)/+page.svelte
+ */
+function isInsideAuthenticatedRouteGroup(filePath: string): boolean {
+  const authRoutePatterns = [
+    // Next.js App Router - route groups with auth-related names
+    /\/\(authenticated\)\//i,
+    /\/\(protected\)\//i,
+    /\/\(auth\)\//i,
+    /\/\(admin\)\//i,
+    /\/\(dashboard\)\//i,
+    /\/\(private\)\//i,
+    /\/\(secure\)\//i,
+    /\/\(user\)\//i,
+    /\/\(account\)\//i,
+    /\/\(settings\)\//i,
+    /\/\(app\)\//i,           // Common pattern for authenticated app routes
+
+    // Remix - authenticated route conventions
+    /\/_authenticated\+\//i,
+    /\/_protected\+\//i,
+    /\/_auth\+\//i,
+    /\/__authenticated\//i,
+
+    // Generic patterns that indicate auth-protected sections
+    /\/dashboard\//i,
+    /\/admin\//i,
+    /\/account\//i,
+    /\/settings\//i,
+    /\/profile\//i,
+    /\/my-/i,                 // /my-account/, /my-orders/
+    /\/user\//i,
+    /\/users\/\[/i,           // /users/[userId]/ - user-specific routes
+  ]
+
+  return authRoutePatterns.some(p => p.test(filePath))
+}
+
 // Check if file is a config/constants file where localhost is expected
 function isDevConfigFile(filePath: string): boolean {
   const devConfigPatterns = [
@@ -44,6 +100,37 @@ function isDevConfigFile(filePath: string): boolean {
   return devConfigPatterns.some(p => p.test(filePath))
 }
 
+// Check if file is a locale/i18n file where URLs are example placeholders
+function isLocaleFile(filePath: string): boolean {
+  const localePatterns = [
+    /\/locales?\//i,           // /locale/ or /locales/
+    /\/i18n\//i,               // /i18n/
+    /\/translations?\//i,      // /translation/ or /translations/
+    /\/lang\//i,               // /lang/
+    /\/languages?\//i,         // /language/ or /languages/
+    /\.\w{2}(-\w{2})?\.json$/i, // .en.json, .zh-CN.json, etc.
+  ]
+  return localePatterns.some(p => p.test(filePath))
+}
+
+// Check if line contains URL placeholder/example text
+function isUrlPlaceholderText(line: string): boolean {
+  const placeholderPatterns = [
+    /placeholder['"]\s*:/i,      // "placeholder": "http://..."
+    /example['"]\s*:/i,          // "example": "http://..."
+    /e\.g\./i,                   // e.g. http://localhost
+    /for\s+example/i,            // for example http://...
+    /such\s+as/i,                // such as http://localhost
+    /like\s+http/i,              // like http://localhost
+    /格式.*http/i,               // Chinese: format http://...
+    /例如.*http/i,               // Chinese: for example http://...
+    /beispiel.*http/i,           // German: example http://...
+    /ejemplo.*http/i,            // Spanish: example http://...
+    /exemple.*http/i,            // French: example http://...
+  ]
+  return placeholderPatterns.some(p => p.test(line))
+}
+
 // URL patterns that may indicate security issues
 const URL_PATTERNS = [
   // Internal/staging endpoints in production code
@@ -84,18 +171,20 @@ const URL_PATTERNS = [
     description: 'Hardcoded test environment URL found',
   },
 
-  // Admin/sensitive endpoints - downgraded to info (these are often intentional)
+  // Admin/sensitive endpoints - heavily downgraded
+  // In most modern frameworks, these are protected by middleware or layout auth
+  // Flagging them creates noise when they're inside authenticated route groups
   {
     pattern: /['"`]\/admin(?:\/|['"`])/gi,
     name: 'Admin Endpoint',
     severity: 'info' as const,
-    description: 'Admin endpoint path found - verify access control',
+    description: 'Admin endpoint path found - typically protected by auth middleware',
   },
   {
     pattern: /['"`]\/api\/admin/gi,
     name: 'Admin API Endpoint',
-    severity: 'low' as const,  // Downgraded from medium
-    description: 'Admin API endpoint found - verify access control',
+    severity: 'info' as const,  // Downgraded from low - usually behind middleware
+    description: 'Admin API endpoint found - typically protected by auth middleware',
   },
 
   // API keys in URLs
@@ -178,6 +267,33 @@ function isEnvVarReference(lineContent: string): boolean {
          lineContent.includes('import.meta.env')
 }
 
+/**
+ * Check if localhost URL is used as a fallback default value
+ * This is a common safe pattern in development:
+ * - process.env.API_URL || 'http://localhost:3000'
+ * - baseUrl ?? 'http://localhost:3000'
+ * - config.url || 'http://localhost'
+ * - config?.url ?? 'http://localhost'
+ */
+function isLocalhostFallback(lineContent: string): boolean {
+  const fallbackPatterns = [
+    // Logical OR fallback: something || 'http://localhost...'
+    /\|\|\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    // Nullish coalescing fallback: something ?? 'http://localhost...'
+    /\?\?\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    // Default parameter: = 'http://localhost...'
+    /=\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)[^'"]*['"`]\s*(,|\)|$)/i,
+    // Ternary with env check: process.env.X ? ... : 'http://localhost'
+    /process\.env\.\w+\s*\?\s*[^:]+\s*:\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    // Object property default: url: process.env.X || 'http://localhost'
+    /:\s*process\.env\.\w+\s*\|\|\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    // Import.meta.env fallback
+    /import\.meta\.env\.\w+\s*\|\|\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+    /import\.meta\.env\.\w+\s*\?\?\s*['"`]https?:\/\/(localhost|127\.0\.0\.1)/i,
+  ]
+  return fallbackPatterns.some(p => p.test(lineContent))
+}
+
 // Get URL context for smarter detection
 function getURLContext(lineContent: string, filePath: string): {
   isDevOnly: boolean
@@ -240,7 +356,8 @@ export function aggregateLocalhostFindings(
 
 export function detectSensitiveURLs(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
@@ -249,9 +366,18 @@ export function detectSensitiveURLs(
     return vulnerabilities
   }
 
-  const lines = content.split('\n')
+  // Get environment context for smart handling
+  const envContext = getEnvironmentContext(filePath)
+
+  // Get route protection context
+  const routeHierarchy = getRouteProtectionContext(filePath)
+
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const inTestFile = isTestFile(filePath)
   const inDevConfig = isDevConfigFile(filePath)
+  const inTestConfig = isTestConfigFile(filePath)
+  const isPython = isPythonFile(filePath)
+  const inAuthRoute = isInsideAuthenticatedRouteGroup(filePath) || routeHierarchy.isInProtectedHierarchy
 
   for (let i = 0; i < lines.length; i++) {
     const line = lines[i]
@@ -259,6 +385,11 @@ export function detectSensitiveURLs(
     // Skip comments
     if (isComment(line)) continue
 
+    // Skip Python docstrings - they often contain example URLs
+    if (isPython && isInsidePythonDocstring(lines, i)) {
+      continue
+    }
+
     // Get context for this line
     const context = getURLContext(line, filePath)
 
@@ -275,14 +406,50 @@ export function detectSensitiveURLs(
 
         // Special handling for localhost URLs
         if (/localhost|127\.0\.0\.1/i.test(url)) {
-          // Skip localhost in test files, dev-only contexts, or dev config files
-          if (context.isTestFile || context.isDevOnly || inDevConfig) {
+          // Skip localhost as fallback/default values - this is standard practice
+          // e.g., process.env.API_URL || 'http://localhost:3000'
+          if (isLocalhostFallback(line)) {
+            continue
+          }
+
+          // Use environment context for smarter handling
+          // Skip localhost in environments where it's expected (templates, tests, tooling)
+          if (envContext.allowsLocalhostDefaults) {
+            continue
+          }
+
+          // Skip localhost in test files, dev-only contexts, test config files, or dev config files
+          if (context.isTestFile || context.isDevOnly || inDevConfig || inTestConfig) {
+            continue
+          }
+
+          // Skip localhost in placeholder attributes (placeholder="https://localhost...")
+          if (isInPlaceholderAttribute(line)) {
             continue
           }
 
-          // Only flag localhost in production env files as high, otherwise info
-          const isProduction = filePath.includes('.env.production')
-          const adjustedSeverity = isProduction ? 'high' as const : 'info' as const
+          // Skip localhost when used as default parameter value
+          if (isDefaultParameterValue(line)) {
+            continue
+          }
+
+          // Skip localhost in locale/i18n files - these are example placeholders for users
+          if (isLocaleFile(filePath)) {
+            continue
+          }
+
+          // Skip localhost in placeholder/example text (e.g., "e.g. http://localhost")
+          if (isUrlPlaceholderText(line)) {
+            continue
+          }
+
+          // Use smart severity determination based on context
+          const adjustedSeverity = getLocalhostSeverity(filePath, line)
+
+          // Skip info-level findings in non-production contexts
+          if (adjustedSeverity === 'info' && !filePath.includes('.env.production')) {
+            continue
+          }
 
           vulnerabilities.push({
             id: `url-${filePath}-${i + 1}-${name}`,
@@ -292,19 +459,31 @@ export function detectSensitiveURLs(
             severity: adjustedSeverity,
             category: 'sensitive_url',
             title: name,
-            description: description + (isProduction ? ' (in production config!)' : ' (in dev/config file)'),
+            description: description + (adjustedSeverity === 'high' ? ' (in production config!)' : ' (in dev/config file)'),
             suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
-            confidence: isProduction ? 'high' : 'low',
+            confidence: adjustedSeverity === 'high' ? 'high' : 'low',
+            baseConfidence: BASE_CONFIDENCE_LOCALHOST,
             layer: 1,
+        source: 'config' as const,
           })
         } else {
           // Normal URL handling (non-localhost)
           // Lower severity for test files - downgrade more aggressively
           let adjustedSeverity = severity
+          let contextNote = ''
+
           if (inTestFile) {
             if (severity === 'critical') adjustedSeverity = 'high'
             else if (severity === 'high') adjustedSeverity = 'low'
             else adjustedSeverity = 'info'
+            contextNote = ' (in test file)'
+          }
+
+          // Downgrade admin/sensitive endpoint findings inside authenticated route groups
+          // These routes are already protected by layout/middleware auth
+          if (inAuthRoute && (name === 'Admin Endpoint' || name === 'Admin API Endpoint')) {
+            adjustedSeverity = 'info'
+            contextNote = ' (inside authenticated route group)'
           }
 
           // Non-critical URL findings require AI validation
@@ -318,10 +497,12 @@ export function detectSensitiveURLs(
             severity: adjustedSeverity,
             category: 'sensitive_url',
             title: name,
-            description: description + (inTestFile ? ' (in test file)' : ''),
+            description: description + contextNote,
             suggestedFix: 'Move URLs to environment variables or configuration files. Use process.env.API_URL pattern.',
             confidence: inTestFile ? 'low' : 'medium',
+            baseConfidence: BASE_CONFIDENCE_WEBHOOK,
             layer: 1,
+        source: 'config' as const,
             requiresAIValidation,
           })
         }

package/src/detect/index.ts

@@ -0,0 +1,131 @@
+/**
+ * Detection Stage — Runs Layer 1 + Layer 2 detectors and handles localhost aggregation.
+ *
+ * Returns raw findings before noisy aggregation/enrichment (those are called
+ * by the orchestrator to keep stage boundaries clean).
+ */
+
+import type {
+  ScanFile,
+  Vulnerability,
+  CancellationToken,
+  DetectorContext,
+  ProgressCallback,
+} from '../shared/types'
+import { runLayer1Scan, type Layer1Result } from './secrets'
+import { runLayer2Scan, type Layer2Result } from './structural'
+import { aggregateLocalhostFindings } from './config/urls'
+import type { MiddlewareAuthConfig } from '../model/middleware-detector'
+import type { FileAuthImports } from '../model/imported-auth-detector'
+import type { FilterPipeline } from '../postprocess/filtering/pipeline'
+
+export interface DetectorInput {
+  files: ScanFile[]
+  middlewareConfig?: MiddlewareAuthConfig
+  fileAuthImports?: Map<string, FileAuthImports>
+  detectorContext: DetectorContext
+  onProgress?: ProgressCallback
+  cancellationToken?: CancellationToken
+  filterPipeline: FilterPipeline
+  repoName: string
+  quiet: boolean
+}
+
+export interface DetectorOutput {
+  /** Combined Layer 1 + Layer 2 findings (after localhost aggregation) */
+  findings: Vulnerability[]
+  /** Phase timing */
+  phaseTiming: { layer1?: number; layer2?: number }
+}
+
+const fid = (v: Pick<Vulnerability, 'filePath' | 'lineNumber' | 'category'>) =>
+  `${v.filePath}:${v.lineNumber}:${v.category}`
+
+/**
+ * Run all detectors (Layer 1 + Layer 2) and return combined raw findings.
+ */
+export async function runDetectors(input: DetectorInput): Promise<DetectorOutput> {
+  const {
+    files,
+    middlewareConfig,
+    fileAuthImports,
+    detectorContext,
+    onProgress,
+    cancellationToken,
+    filterPipeline,
+    repoName,
+    quiet,
+  } = input
+
+  const log = (message: string) => {
+    if (!quiet) console.log(message)
+  }
+
+  const reportProgress = (
+    status: 'layer1' | 'layer2',
+    message: string,
+    vulnerabilitiesFound: number = 0
+  ) => {
+    if (onProgress) {
+      onProgress({
+        status,
+        message,
+        filesProcessed: files.length,
+        totalFiles: files.length,
+        vulnerabilitiesFound,
+      })
+    }
+  }
+
+  const phaseTiming: { layer1?: number; layer2?: number } = {}
+
+  // Layer 1: Surface Scan
+  const layer1Start = Date.now()
+  reportProgress('layer1', 'Running surface scan (patterns, entropy, config)...')
+  let layer1Result = await runLayer1Scan(files, onProgress, cancellationToken)
+
+  // Aggregate repeated localhost findings
+  const layer1RawCount = layer1Result.vulnerabilities.length
+  const layer1BeforeAggregation = layer1Result.vulnerabilities
+  layer1Result = {
+    ...layer1Result,
+    vulnerabilities: aggregateLocalhostFindings(layer1Result.vulnerabilities)
+  }
+  if (filterPipeline.isEnabled) {
+    const afterIds = new Set(layer1Result.vulnerabilities.map(fid))
+    for (const v of layer1BeforeAggregation) {
+      if (!afterIds.has(fid(v))) {
+        filterPipeline.record(fid(v), { stage: 'localhost_aggregation', action: 'aggregated', reason: 'Aggregated repeated localhost finding' })
+      }
+    }
+  }
+  phaseTiming.layer1 = Date.now() - layer1Start
+  log(`[Layer1] repo=${repoName} findings_raw=${layer1RawCount} findings_deduped=${layer1Result.vulnerabilities.length} duration=${phaseTiming.layer1}ms`)
+
+  // Layer 2: Structural Scan
+  const layer2Start = Date.now()
+  reportProgress('layer2', 'Running structural scan (variables, logic gates)...', layer1Result.vulnerabilities.length)
+  const layer2Result = await runLayer2Scan(
+    files,
+    { middlewareConfig, fileAuthImports, detectorContext },
+    onProgress,
+    cancellationToken
+  )
+
+  // Format heuristic breakdown for logging
+  const heuristicBreakdown = Object.entries(layer2Result.stats.raw)
+    .filter(([, count]) => count > 0)
+    .map(([name, count]) => `${name}:${count}`)
+    .join(',')
+  phaseTiming.layer2 = Date.now() - layer2Start
+  log(`[Layer2] repo=${repoName} findings_raw=${Object.values(layer2Result.stats.raw).reduce((a, b) => a + b, 0)} findings_deduped=${layer2Result.vulnerabilities.length} duration=${phaseTiming.layer2}ms heuristic_breakdown={${heuristicBreakdown}}`)
+
+  // Combine Layer 1 and Layer 2 findings
+  const findings = [...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities]
+
+  return { findings, phaseTiming }
+}
+
+// Re-export layer results for external consumers
+export { runLayer1Scan, type Layer1Result } from './secrets'
+export { runLayer2Scan, type Layer2Result } from './structural'

package/src/{layer1 → detect/secrets}/config-audit.ts

@@ -3,7 +3,11 @@
  * Scans configuration files for security misconfigurations
  */
 
-import type { ConfigRule, ConfigViolation, Vulnerability } from '../types'
+import type { ConfigRule, ConfigViolation, Vulnerability } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
+
+// Base confidence for configuration audit findings
+const BASE_CONFIDENCE = 0.50
 
 // Configuration audit rules
 export const CONFIG_RULES: ConfigRule[] = [
@@ -52,22 +56,59 @@ export const CONFIG_RULES: ConfigRule[] = [
       const violations: ConfigViolation[] = []
       const lines = content.split('\n')
 
-      const sensitivePatterns = [
-        /ARG\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*[^\s$]/i,
-        /ENV\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*[^\s$]/i,
-        /environment:[\s\S]*?(PASSWORD|SECRET|KEY|TOKEN)\s*[:=]\s*[^\s${\n]/i,
-      ]
+      // Pattern: ARG/ENV VAR_NAME="value" where value is NOT empty or a variable reference
+      // Skip: empty defaults (""), variable expansion ($VAR, ${VAR}), shell variable references
+      const sensitiveArgPattern = /ARG\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*["']([^"'$]+)["']/i
+      const sensitiveEnvPattern = /ENV\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*["']([^"'$]+)["']/i
+      const dockerComposePattern = /^\s*(PASSWORD|SECRET|KEY|TOKEN)\s*[:=]\s*["']?([^"'\s${\n]+)/i
 
       lines.forEach((line, index) => {
-        for (const pattern of sensitivePatterns) {
-          if (pattern.test(line)) {
+        // Check ARG statements
+        const argMatch = line.match(sensitiveArgPattern)
+        if (argMatch) {
+          const value = argMatch[2]
+          // Skip if value is empty or looks like a placeholder instruction
+          if (value && value.length > 0 && !/^(changeme|replace|your[_-]|xxx)/i.test(value)) {
             violations.push({
               line: index + 1,
               lineContent: line.trim(),
-              message: 'Hardcoded sensitive value in build argument or environment variable',
-              severity: 'critical',
+              message: 'Hardcoded sensitive value in build argument - use build-time secrets or runtime environment variables',
+              severity: 'medium',  // Downgraded from critical - these are defaults that should be overridden
+            })
+          }
+          return
+        }
+
+        // Skip ENV statements that just reference ARG variables (ENV VAR="$VAR")
+        if (/ENV\s+\w+\s*=\s*["']\$\w+["']/i.test(line)) {
+          return
+        }
+
+        // Check ENV statements with actual hardcoded values
+        const envMatch = line.match(sensitiveEnvPattern)
+        if (envMatch) {
+          const value = envMatch[2]
+          if (value && value.length > 0) {
+            violations.push({
+              line: index + 1,
+              lineContent: line.trim(),
+              message: 'Hardcoded sensitive value in environment variable',
+              severity: 'high',
+            })
+          }
+          return
+        }
+
+        // Check docker-compose patterns
+        if (dockerComposePattern.test(line)) {
+          const match = line.match(dockerComposePattern)
+          if (match && match[2] && match[2].length > 0) {
+            violations.push({
+              line: index + 1,
+              lineContent: line.trim(),
+              message: 'Hardcoded sensitive value in docker-compose configuration',
+              severity: 'high',
             })
-            break
           }
         }
       })
@@ -277,7 +318,8 @@ function matchesFilePattern(filePath: string, patterns: string[]): boolean {
 
 export function auditConfiguration(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
@@ -297,7 +339,9 @@ export function auditConfiguration(
           description: violation.message,
           suggestedFix: getConfigFix(rule.name, violation),
           confidence: 'high',
+          baseConfidence: BASE_CONFIDENCE,
           layer: 1,
+        source: 'secrets' as const,
         })
       }
     }

package/src/{layer1 → detect/secrets}/config-mcp-audit.ts

@@ -13,14 +13,18 @@
  * - Insecure transport (http:// instead of https://)
  */
 
-import type { Vulnerability, VulnerabilitySeverity, VulnerabilityCategory } from '../types'
+import type { Vulnerability, VulnerabilitySeverity, VulnerabilityCategory } from '../../shared/types'
+import type { ParsedFile } from '../../shared/parsed-file'
 import {
   isComment,
   isTestOrMockFile,
   isDocumentationFile,
   isScannerOrFixtureFile,
   isExampleDirectory,
-} from '../utils/context-helpers'
+} from '../../parse/file-classifier'
+
+// Base confidence for MCP configuration audit findings
+const BASE_CONFIDENCE = 0.50
 
 // ============================================================================
 // Configuration File Detection
@@ -190,7 +194,8 @@ const MCP_CONFIG_PATTERNS: MCPConfigPattern[] = [
  */
 export function detectMCPConfigIssues(
   content: string,
-  filePath: string
+  filePath: string,
+  options?: { parsed?: ParsedFile }
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
 
@@ -203,7 +208,7 @@ export function detectMCPConfigIssues(
     return vulnerabilities
   }
 
-  const lines = content.split('\n')
+  const lines = options?.parsed?.lines ?? content.split('\n')
   const isTestFile = isTestOrMockFile(filePath)
   const isExample = isExampleDirectory(filePath)
 
@@ -266,7 +271,9 @@ export function detectMCPConfigIssues(
         description,
         suggestedFix: pattern.suggestedFix,
         confidence: pattern.category === 'ai_mcp_config_secrets' ? 'high' : 'medium',
+        baseConfidence: BASE_CONFIDENCE,
         layer: 1,
+        source: 'secrets' as const,
         requiresAIValidation: severity !== 'info' && severity !== 'low',
       })
     }