@oculum/scanner 1.0.12 → 1.0.13

package/dist/detect/secrets/config-audit.js

@@ -0,0 +1,315 @@
+"use strict";
+/**
+ * Layer 1: Configuration Auditing
+ * Scans configuration files for security misconfigurations
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CONFIG_RULES = void 0;
+exports.auditConfiguration = auditConfiguration;
+// Base confidence for configuration audit findings
+const BASE_CONFIDENCE = 0.50;
+// Configuration audit rules
+exports.CONFIG_RULES = [
+    // Dockerfile rules
+    {
+        name: 'Docker running as root',
+        filePatterns: ['Dockerfile', '*.dockerfile'],
+        check: (content) => {
+            const violations = [];
+            const lines = content.split('\n');
+            // Check if USER instruction exists
+            const hasUserInstruction = lines.some(line => line.trim().toUpperCase().startsWith('USER '));
+            // Check for explicit root user
+            lines.forEach((line, index) => {
+                if (line.trim().toUpperCase() === 'USER ROOT') {
+                    violations.push({
+                        line: index + 1,
+                        lineContent: line.trim(),
+                        message: 'Container explicitly runs as root user',
+                        severity: 'high',
+                    });
+                }
+            });
+            // If no USER instruction at all, flag it
+            if (!hasUserInstruction && lines.length > 5) {
+                violations.push({
+                    line: 1,
+                    lineContent: 'Dockerfile',
+                    message: 'No USER instruction found - container will run as root by default',
+                    severity: 'medium',
+                });
+            }
+            return violations;
+        },
+    },
+    {
+        name: 'Hardcoded secrets in Docker build args',
+        filePatterns: ['Dockerfile', '*.dockerfile', 'docker-compose.yml', 'docker-compose.yaml'],
+        check: (content) => {
+            const violations = [];
+            const lines = content.split('\n');
+            // Pattern: ARG/ENV VAR_NAME="value" where value is NOT empty or a variable reference
+            // Skip: empty defaults (""), variable expansion ($VAR, ${VAR}), shell variable references
+            const sensitiveArgPattern = /ARG\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*["']([^"'$]+)["']/i;
+            const sensitiveEnvPattern = /ENV\s+\w*(PASSWORD|SECRET|KEY|TOKEN|CREDENTIAL)\w*\s*=\s*["']([^"'$]+)["']/i;
+            const dockerComposePattern = /^\s*(PASSWORD|SECRET|KEY|TOKEN)\s*[:=]\s*["']?([^"'\s${\n]+)/i;
+            lines.forEach((line, index) => {
+                // Check ARG statements
+                const argMatch = line.match(sensitiveArgPattern);
+                if (argMatch) {
+                    const value = argMatch[2];
+                    // Skip if value is empty or looks like a placeholder instruction
+                    if (value && value.length > 0 && !/^(changeme|replace|your[_-]|xxx)/i.test(value)) {
+                        violations.push({
+                            line: index + 1,
+                            lineContent: line.trim(),
+                            message: 'Hardcoded sensitive value in build argument - use build-time secrets or runtime environment variables',
+                            severity: 'medium', // Downgraded from critical - these are defaults that should be overridden
+                        });
+                    }
+                    return;
+                }
+                // Skip ENV statements that just reference ARG variables (ENV VAR="$VAR")
+                if (/ENV\s+\w+\s*=\s*["']\$\w+["']/i.test(line)) {
+                    return;
+                }
+                // Check ENV statements with actual hardcoded values
+                const envMatch = line.match(sensitiveEnvPattern);
+                if (envMatch) {
+                    const value = envMatch[2];
+                    if (value && value.length > 0) {
+                        violations.push({
+                            line: index + 1,
+                            lineContent: line.trim(),
+                            message: 'Hardcoded sensitive value in environment variable',
+                            severity: 'high',
+                        });
+                    }
+                    return;
+                }
+                // Check docker-compose patterns
+                if (dockerComposePattern.test(line)) {
+                    const match = line.match(dockerComposePattern);
+                    if (match && match[2] && match[2].length > 0) {
+                        violations.push({
+                            line: index + 1,
+                            lineContent: line.trim(),
+                            message: 'Hardcoded sensitive value in docker-compose configuration',
+                            severity: 'high',
+                        });
+                    }
+                }
+            });
+            return violations;
+        },
+    },
+    // CORS configuration
+    {
+        name: 'Permissive CORS configuration',
+        filePatterns: ['*.ts', '*.js', '*.tsx', '*.jsx', 'next.config.*', 'vercel.json', '*.yaml', '*.yml'],
+        check: (content) => {
+            const violations = [];
+            const lines = content.split('\n');
+            const corsPatterns = [
+                /['"]Access-Control-Allow-Origin['"]\s*[,:]\s*['"]\*['"]/i,
+                /cors\s*\(\s*\{\s*origin\s*:\s*['"]\*['"]/i,
+                /origin\s*:\s*['"]\*['"]/i,
+                /allowedOrigins?\s*[=:]\s*\[\s*['"]\*['"]/i,
+                /Access-Control-Allow-Origin:\s*\*/i,
+            ];
+            lines.forEach((line, index) => {
+                for (const pattern of corsPatterns) {
+                    if (pattern.test(line)) {
+                        violations.push({
+                            line: index + 1,
+                            lineContent: line.trim(),
+                            message: 'Permissive CORS policy allows requests from any origin (*)',
+                            severity: 'medium',
+                        });
+                        break;
+                    }
+                }
+            });
+            return violations;
+        },
+    },
+    // GitHub Actions secrets exposure
+    {
+        name: 'GitHub Actions security issues',
+        filePatterns: ['.github/workflows/*.yml', '.github/workflows/*.yaml'],
+        check: (content) => {
+            const violations = [];
+            const lines = content.split('\n');
+            // Check for pull_request_target with checkout
+            const hasPRTarget = content.includes('pull_request_target');
+            const hasCheckout = content.includes('actions/checkout');
+            if (hasPRTarget && hasCheckout) {
+                const checkoutLine = lines.findIndex(l => l.includes('actions/checkout'));
+                violations.push({
+                    line: checkoutLine + 1,
+                    lineContent: lines[checkoutLine]?.trim() || '',
+                    message: 'Using actions/checkout with pull_request_target can expose secrets to untrusted code',
+                    severity: 'high',
+                });
+            }
+            // Check for hardcoded secrets
+            lines.forEach((line, index) => {
+                if (/env:\s*\w+\s*=\s*['"][^$]/.test(line) &&
+                    /(SECRET|TOKEN|KEY|PASSWORD)/i.test(line)) {
+                    violations.push({
+                        line: index + 1,
+                        lineContent: line.trim(),
+                        message: 'Potential hardcoded secret in GitHub Actions workflow',
+                        severity: 'critical',
+                    });
+                }
+            });
+            return violations;
+        },
+    },
+    // Next.js security config
+    {
+        name: 'Next.js security configuration',
+        filePatterns: ['next.config.js', 'next.config.ts', 'next.config.mjs'],
+        check: (content) => {
+            const violations = [];
+            const lines = content.split('\n');
+            // Only flag if poweredByHeader is explicitly set to true (not if missing)
+            if (content.includes('poweredByHeader: true') || content.includes('poweredByHeader:true')) {
+                const lineIndex = lines.findIndex(l => l.includes('poweredByHeader'));
+                violations.push({
+                    line: lineIndex >= 0 ? lineIndex + 1 : 1,
+                    lineContent: lines[lineIndex]?.trim() || 'poweredByHeader: true',
+                    message: 'poweredByHeader is enabled - consider setting to false to hide X-Powered-By header',
+                    severity: 'low',
+                });
+            }
+            // Check for exposed source maps in production
+            lines.forEach((line, index) => {
+                if (/productionBrowserSourceMaps\s*:\s*true/.test(line)) {
+                    violations.push({
+                        line: index + 1,
+                        lineContent: line.trim(),
+                        message: 'Production source maps are enabled - this exposes your source code',
+                        severity: 'medium',
+                    });
+                }
+            });
+            return violations;
+        },
+    },
+    // Package.json security
+    {
+        name: 'Package.json security issues',
+        filePatterns: ['package.json'],
+        check: (content) => {
+            const violations = [];
+            try {
+                const pkg = JSON.parse(content);
+                // Check for postinstall scripts that could be malicious
+                if (pkg.scripts?.postinstall || pkg.scripts?.preinstall) {
+                    const lines = content.split('\n');
+                    const scriptLine = lines.findIndex(l => l.includes('"postinstall"') || l.includes('"preinstall"'));
+                    violations.push({
+                        line: scriptLine + 1,
+                        lineContent: lines[scriptLine]?.trim() || '',
+                        message: 'Pre/post install scripts can execute arbitrary code - review carefully',
+                        severity: 'low',
+                    });
+                }
+                // Check for wildcard dependencies
+                const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+                const lines = content.split('\n');
+                // Get the package's own npm scope to detect internal monorepo deps
+                const ownScope = pkg.name?.startsWith('@') ? pkg.name.split('/')[0] : null;
+                // Also detect common org scope from other dependencies (for packages without scoped names)
+                // If we see @org/foo and @org/bar in deps, @org is likely the monorepo's scope
+                const scopeCounts = {};
+                for (const depName of Object.keys(allDeps)) {
+                    if (depName.startsWith('@')) {
+                        const scope = depName.split('/')[0];
+                        scopeCounts[scope] = (scopeCounts[scope] || 0) + 1;
+                    }
+                }
+                // Find the most common scope (likely the monorepo's org scope)
+                const inferredScope = Object.entries(scopeCounts)
+                    .filter(([, count]) => count >= 2) // At least 2 deps from same scope
+                    .sort((a, b) => b[1] - a[1])[0]?.[0] || null;
+                for (const [name, version] of Object.entries(allDeps)) {
+                    if (version === '*' || version === 'latest') {
+                        // Skip internal monorepo packages:
+                        // 1. Same npm scope as the package itself
+                        // 2. Or same scope as other workspace packages (inferred from multiple deps)
+                        const depScope = name.startsWith('@') ? name.split('/')[0] : null;
+                        // Check if this is a workspace package
+                        const isWorkspacePackage = (ownScope && depScope === ownScope) ||
+                            (inferredScope && depScope === inferredScope && version === '*');
+                        if (isWorkspacePackage) {
+                            continue;
+                        }
+                        const depLine = lines.findIndex(l => l.includes(`"${name}"`));
+                        violations.push({
+                            line: depLine + 1,
+                            lineContent: lines[depLine]?.trim() || '',
+                            message: `Dependency "${name}" uses wildcard/latest version - pin to specific version`,
+                            severity: 'medium',
+                        });
+                    }
+                }
+            }
+            catch {
+                // Invalid JSON, skip
+            }
+            return violations;
+        },
+    },
+];
+// Check if file matches any of the patterns
+function matchesFilePattern(filePath, patterns) {
+    const fileName = filePath.split('/').pop() || '';
+    return patterns.some(pattern => {
+        if (pattern.includes('*')) {
+            const regex = new RegExp('^' + pattern.replace(/\*/g, '.*').replace(/\./g, '\\.') + '$', 'i');
+            return regex.test(fileName) || regex.test(filePath);
+        }
+        return fileName === pattern || filePath.endsWith(pattern);
+    });
+}
+function auditConfiguration(content, filePath, options) {
+    const vulnerabilities = [];
+    for (const rule of exports.CONFIG_RULES) {
+        if (matchesFilePattern(filePath, rule.filePatterns)) {
+            const violations = rule.check(content, filePath);
+            for (const violation of violations) {
+                vulnerabilities.push({
+                    id: `config-${filePath}-${violation.line}-${rule.name}`,
+                    filePath,
+                    lineNumber: violation.line,
+                    lineContent: violation.lineContent,
+                    severity: violation.severity,
+                    category: 'insecure_config',
+                    title: rule.name,
+                    description: violation.message,
+                    suggestedFix: getConfigFix(rule.name, violation),
+                    confidence: 'high',
+                    baseConfidence: BASE_CONFIDENCE,
+                    layer: 1,
+                    source: 'secrets',
+                });
+            }
+        }
+    }
+    return vulnerabilities;
+}
+function getConfigFix(ruleName, violation) {
+    const fixes = {
+        'Docker running as root': 'Add a USER instruction to run as a non-root user: USER node',
+        'Hardcoded secrets in Docker build args': 'Use Docker secrets or pass values at runtime via environment variables',
+        'Permissive CORS configuration': 'Specify allowed origins explicitly instead of using wildcard (*)',
+        'GitHub Actions security issues': 'Use secrets context (${{ secrets.NAME }}) for sensitive values',
+        'Next.js security configuration': 'Review Next.js security best practices and configure headers appropriately',
+        'Package.json security issues': 'Pin dependencies to specific versions and review install scripts',
+    };
+    return fixes[ruleName] || 'Review and fix the security configuration';
+}
+//# sourceMappingURL=config-audit.js.map

package/dist/detect/secrets/config-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-audit.js","sourceRoot":"","sources":["../../../src/detect/secrets/config-audit.ts"],"names":[],"mappings":";AAAA;;;GAGG;;;AA2TH,gDAgCC;AAtVD,mDAAmD;AACnD,MAAM,eAAe,GAAG,IAAI,CAAA;AAE5B,4BAA4B;AACf,QAAA,YAAY,GAAiB;IACxC,mBAAmB;IACnB;QACE,IAAI,EAAE,wBAAwB;QAC9B,YAAY,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;QAC5C,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,mCAAmC;YACnC,MAAM,kBAAkB,GAAG,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAC3C,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,CAAC,UAAU,CAAC,OAAO,CAAC,CAC9C,CAAA;YAED,+BAA+B;YAC/B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,IAAI,IAAI,CAAC,IAAI,EAAE,CAAC,WAAW,EAAE,KAAK,WAAW,EAAE,CAAC;oBAC9C,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,KAAK,GAAG,CAAC;wBACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,OAAO,EAAE,wCAAwC;wBACjD,QAAQ,EAAE,MAAM;qBACjB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,yCAAyC;YACzC,IAAI,CAAC,kBAAkB,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC5C,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,CAAC;oBACP,WAAW,EAAE,YAAY;oBACzB,OAAO,EAAE,mEAAmE;oBAC5E,QAAQ,EAAE,QAAQ;iBACnB,CAAC,CAAA;YACJ,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD;QACE,IAAI,EAAE,wCAAwC;QAC9C,YAAY,EAAE,CAAC,YAAY,EAAE,cAAc,EAAE,oBAAoB,EAAE,qBAAqB,CAAC;QACzF,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,qFAAqF;YACrF,0FAA0F;YAC1F,MAAM,mBAAmB,GAAG,6EAA6E,CAAA;YACzG,MAAM,mBAAmB,GAAG,6EAA6E,CAAA;YACzG,MAAM,oBAAoB,GAAG,+DAA+D,CAAA;YAE5F,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,uBAAuB;gBACvB,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;gBAChD,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;oBACzB,iEAAiE;oBACjE,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,CAAC,mCAAmC,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;wBAClF,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,uGAAuG;4BAChH,QAAQ,EAAE,QAAQ,EAAG,0EAA0E;yBAChG,CAAC,CAAA;oBACJ,CAAC;oBACD,OAAM;gBACR,CAAC;gBAED,yEAAyE;gBACzE,IAAI,gCAAgC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAChD,OAAM;gBACR,CAAC;gBAED,oDAAoD;gBACpD,MAAM,QAAQ,GAAG,IAAI,CAAC,KAAK,CAAC,mBAAmB,CAAC,CAAA;gBAChD,IAAI,QAAQ,EAAE,CAAC;oBACb,MAAM,KAAK,GAAG,QAAQ,CAAC,CAAC,CAAC,CAAA;oBACzB,IAAI,KAAK,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC9B,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,mDAAmD;4BAC5D,QAAQ,EAAE,MAAM;yBACjB,CAAC,CAAA;oBACJ,CAAC;oBACD,OAAM;gBACR,CAAC;gBAED,gCAAgC;gBAChC,IAAI,oBAAoB,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACpC,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,oBAAoB,CAAC,CAAA;oBAC9C,IAAI,KAAK,IAAI,KAAK,CAAC,CAAC,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;wBAC7C,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,2DAA2D;4BACpE,QAAQ,EAAE,MAAM;yBACjB,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,qBAAqB;IACrB;QACE,IAAI,EAAE,+BAA+B;QACrC,YAAY,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,eAAe,EAAE,aAAa,EAAE,QAAQ,EAAE,OAAO,CAAC;QACnG,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,MAAM,YAAY,GAAG;gBACnB,0DAA0D;gBAC1D,2CAA2C;gBAC3C,0BAA0B;gBAC1B,2CAA2C;gBAC3C,oCAAoC;aACrC,CAAA;YAED,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,KAAK,MAAM,OAAO,IAAI,YAAY,EAAE,CAAC;oBACnC,IAAI,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;wBACvB,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,KAAK,GAAG,CAAC;4BACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;4BACxB,OAAO,EAAE,4DAA4D;4BACrE,QAAQ,EAAE,QAAQ;yBACnB,CAAC,CAAA;wBACF,MAAK;oBACP,CAAC;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,kCAAkC;IAClC;QACE,IAAI,EAAE,gCAAgC;QACtC,YAAY,EAAE,CAAC,yBAAyB,EAAE,0BAA0B,CAAC;QACrE,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,8CAA8C;YAC9C,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,qBAAqB,CAAC,CAAA;YAC3D,MAAM,WAAW,GAAG,OAAO,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAA;YAExD,IAAI,WAAW,IAAI,WAAW,EAAE,CAAC;gBAC/B,MAAM,YAAY,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,kBAAkB,CAAC,CAAC,CAAA;gBACzE,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,YAAY,GAAG,CAAC;oBACtB,WAAW,EAAE,KAAK,CAAC,YAAY,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;oBAC9C,OAAO,EAAE,sFAAsF;oBAC/F,QAAQ,EAAE,MAAM;iBACjB,CAAC,CAAA;YACJ,CAAC;YAED,8BAA8B;YAC9B,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,IAAI,2BAA2B,CAAC,IAAI,CAAC,IAAI,CAAC;oBACtC,8BAA8B,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBAC9C,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,KAAK,GAAG,CAAC;wBACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,OAAO,EAAE,uDAAuD;wBAChE,QAAQ,EAAE,UAAU;qBACrB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,0BAA0B;IAC1B;QACE,IAAI,EAAE,gCAAgC;QACtC,YAAY,EAAE,CAAC,gBAAgB,EAAE,gBAAgB,EAAE,iBAAiB,CAAC;QACrE,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YACxC,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;YAEjC,0EAA0E;YAC1E,IAAI,OAAO,CAAC,QAAQ,CAAC,uBAAuB,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,sBAAsB,CAAC,EAAE,CAAC;gBAC1F,MAAM,SAAS,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,iBAAiB,CAAC,CAAC,CAAA;gBACrE,UAAU,CAAC,IAAI,CAAC;oBACd,IAAI,EAAE,SAAS,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC;oBACxC,WAAW,EAAE,KAAK,CAAC,SAAS,CAAC,EAAE,IAAI,EAAE,IAAI,uBAAuB;oBAChE,OAAO,EAAE,oFAAoF;oBAC7F,QAAQ,EAAE,KAAK;iBAChB,CAAC,CAAA;YACJ,CAAC;YAED,8CAA8C;YAC9C,KAAK,CAAC,OAAO,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,EAAE;gBAC5B,IAAI,wCAAwC,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC;oBACxD,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,KAAK,GAAG,CAAC;wBACf,WAAW,EAAE,IAAI,CAAC,IAAI,EAAE;wBACxB,OAAO,EAAE,oEAAoE;wBAC7E,QAAQ,EAAE,QAAQ;qBACnB,CAAC,CAAA;gBACJ,CAAC;YACH,CAAC,CAAC,CAAA;YAEF,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;IACD,wBAAwB;IACxB;QACE,IAAI,EAAE,8BAA8B;QACpC,YAAY,EAAE,CAAC,cAAc,CAAC;QAC9B,KAAK,EAAE,CAAC,OAAe,EAAqB,EAAE;YAC5C,MAAM,UAAU,GAAsB,EAAE,CAAA;YAExC,IAAI,CAAC;gBACH,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAA;gBAE/B,wDAAwD;gBACxD,IAAI,GAAG,CAAC,OAAO,EAAE,WAAW,IAAI,GAAG,CAAC,OAAO,EAAE,UAAU,EAAE,CAAC;oBACxD,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;oBACjC,MAAM,UAAU,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CACrC,CAAC,CAAC,QAAQ,CAAC,eAAe,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,cAAc,CAAC,CAC1D,CAAA;oBACD,UAAU,CAAC,IAAI,CAAC;wBACd,IAAI,EAAE,UAAU,GAAG,CAAC;wBACpB,WAAW,EAAE,KAAK,CAAC,UAAU,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;wBAC5C,OAAO,EAAE,wEAAwE;wBACjF,QAAQ,EAAE,KAAK;qBAChB,CAAC,CAAA;gBACJ,CAAC;gBAED,kCAAkC;gBAClC,MAAM,OAAO,GAAG,EAAE,GAAG,GAAG,CAAC,YAAY,EAAE,GAAG,GAAG,CAAC,eAAe,EAAE,CAAA;gBAC/D,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;gBAEjC,mEAAmE;gBACnE,MAAM,QAAQ,GAAG,GAAG,CAAC,IAAI,EAAE,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;gBAE1E,2FAA2F;gBAC3F,+EAA+E;gBAC/E,MAAM,WAAW,GAA2B,EAAE,CAAA;gBAC9C,KAAK,MAAM,OAAO,IAAI,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;oBAC3C,IAAI,OAAO,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;wBAC5B,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAA;wBACnC,WAAW,CAAC,KAAK,CAAC,GAAG,CAAC,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAA;oBACpD,CAAC;gBACH,CAAC;gBACD,+DAA+D;gBAC/D,MAAM,aAAa,GAAG,MAAM,CAAC,OAAO,CAAC,WAAW,CAAC;qBAC9C,MAAM,CAAC,CAAC,CAAC,EAAE,KAAK,CAAC,EAAE,EAAE,CAAC,KAAK,IAAI,CAAC,CAAC,CAAC,kCAAkC;qBACpE,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,IAAI,CAAA;gBAE9C,KAAK,MAAM,CAAC,IAAI,EAAE,OAAO,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC;oBACtD,IAAI,OAAO,KAAK,GAAG,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;wBAC5C,mCAAmC;wBACnC,0CAA0C;wBAC1C,6EAA6E;wBAC7E,MAAM,QAAQ,GAAG,IAAI,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAA;wBAEjE,uCAAuC;wBACvC,MAAM,kBAAkB,GACtB,CAAC,QAAQ,IAAI,QAAQ,KAAK,QAAQ,CAAC;4BACnC,CAAC,aAAa,IAAI,QAAQ,KAAK,aAAa,IAAI,OAAO,KAAK,GAAG,CAAC,CAAA;wBAElE,IAAI,kBAAkB,EAAE,CAAC;4BACvB,SAAQ;wBACV,CAAC;wBAED,MAAM,OAAO,GAAG,KAAK,CAAC,SAAS,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,CAAC,IAAI,IAAI,GAAG,CAAC,CAAC,CAAA;wBAC7D,UAAU,CAAC,IAAI,CAAC;4BACd,IAAI,EAAE,OAAO,GAAG,CAAC;4BACjB,WAAW,EAAE,KAAK,CAAC,OAAO,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE;4BACzC,OAAO,EAAE,eAAe,IAAI,0DAA0D;4BACtF,QAAQ,EAAE,QAAQ;yBACnB,CAAC,CAAA;oBACJ,CAAC;gBACH,CAAC;YACH,CAAC;YAAC,MAAM,CAAC;gBACP,qBAAqB;YACvB,CAAC;YAED,OAAO,UAAU,CAAA;QACnB,CAAC;KACF;CACF,CAAA;AAED,4CAA4C;AAC5C,SAAS,kBAAkB,CAAC,QAAgB,EAAE,QAAkB;IAC9D,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,EAAE,IAAI,EAAE,CAAA;IAEhD,OAAO,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE;QAC7B,IAAI,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YAC1B,MAAM,KAAK,GAAG,IAAI,MAAM,CACtB,GAAG,GAAG,OAAO,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAC,OAAO,CAAC,KAAK,EAAE,KAAK,CAAC,GAAG,GAAG,EAC9D,GAAG,CACJ,CAAA;YACD,OAAO,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAA;QACrD,CAAC;QACD,OAAO,QAAQ,KAAK,OAAO,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;IAC3D,CAAC,CAAC,CAAA;AACJ,CAAC;AAED,SAAgB,kBAAkB,CAChC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,KAAK,MAAM,IAAI,IAAI,oBAAY,EAAE,CAAC;QAChC,IAAI,kBAAkB,CAAC,QAAQ,EAAE,IAAI,CAAC,YAAY,CAAC,EAAE,CAAC;YACpD,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAA;YAEhD,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE,CAAC;gBACnC,eAAe,CAAC,IAAI,CAAC;oBACnB,EAAE,EAAE,UAAU,QAAQ,IAAI,SAAS,CAAC,IAAI,IAAI,IAAI,CAAC,IAAI,EAAE;oBACvD,QAAQ;oBACR,UAAU,EAAE,SAAS,CAAC,IAAI;oBAC1B,WAAW,EAAE,SAAS,CAAC,WAAW;oBAClC,QAAQ,EAAE,SAAS,CAAC,QAAQ;oBAC5B,QAAQ,EAAE,iBAAiB;oBAC3B,KAAK,EAAE,IAAI,CAAC,IAAI;oBAChB,WAAW,EAAE,SAAS,CAAC,OAAO;oBAC9B,YAAY,EAAE,YAAY,CAAC,IAAI,CAAC,IAAI,EAAE,SAAS,CAAC;oBAChD,UAAU,EAAE,MAAM;oBAClB,cAAc,EAAE,eAAe;oBAC/B,KAAK,EAAE,CAAC;oBACV,MAAM,EAAE,SAAkB;iBACzB,CAAC,CAAA;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC;AAED,SAAS,YAAY,CAAC,QAAgB,EAAE,SAA0B;IAChE,MAAM,KAAK,GAA2B;QACpC,wBAAwB,EAAE,6DAA6D;QACvF,wCAAwC,EAAE,wEAAwE;QAClH,+BAA+B,EAAE,kEAAkE;QACnG,gCAAgC,EAAE,gEAAgE;QAClG,gCAAgC,EAAE,4EAA4E;QAC9G,8BAA8B,EAAE,kEAAkE;KACnG,CAAA;IAED,OAAO,KAAK,CAAC,QAAQ,CAAC,IAAI,2CAA2C,CAAA;AACvE,CAAC"}

package/dist/detect/secrets/config-mcp-audit.d.ts

@@ -0,0 +1,23 @@
+/**
+ * Layer 1: MCP Configuration Audit
+ * Detects security issues in MCP configuration files
+ *
+ * Scans:
+ * - mcp.json, *.mcp.json
+ * - .mcp/config.json
+ * - mcpServers in package.json
+ *
+ * Detects:
+ * - Secrets in MCP config (API keys, tokens in args)
+ * - Overpermissive settings (disabled approval, infinite timeouts)
+ * - Insecure transport (http:// instead of https://)
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+/**
+ * Main detection function for MCP configuration audit
+ */
+export declare function detectMCPConfigIssues(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
+//# sourceMappingURL=config-mcp-audit.d.ts.map

package/dist/detect/secrets/config-mcp-audit.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-mcp-audit.d.ts","sourceRoot":"","sources":["../../../src/detect/secrets/config-mcp-audit.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAgD,MAAM,oBAAoB,CAAA;AACrG,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AA+K1D;;GAEG;AACH,wBAAgB,qBAAqB,CACnC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAoFjB"}

package/dist/detect/secrets/config-mcp-audit.js

@@ -0,0 +1,243 @@
+"use strict";
+/**
+ * Layer 1: MCP Configuration Audit
+ * Detects security issues in MCP configuration files
+ *
+ * Scans:
+ * - mcp.json, *.mcp.json
+ * - .mcp/config.json
+ * - mcpServers in package.json
+ *
+ * Detects:
+ * - Secrets in MCP config (API keys, tokens in args)
+ * - Overpermissive settings (disabled approval, infinite timeouts)
+ * - Insecure transport (http:// instead of https://)
+ */
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.detectMCPConfigIssues = detectMCPConfigIssues;
+const file_classifier_1 = require("../../parse/file-classifier");
+// Base confidence for MCP configuration audit findings
+const BASE_CONFIDENCE = 0.50;
+// ============================================================================
+// Configuration File Detection
+// ============================================================================
+/**
+ * Check if file is an MCP configuration file
+ */
+function isMCPConfigFile(filePath) {
+    const mcpConfigPatterns = [
+        /mcp\.json$/i,
+        /\.mcp\.json$/i,
+        /\.mcp\/config\.json$/i,
+        /mcp[-_]?config\.json$/i,
+        /claude[-_]?desktop[-_]?config\.json$/i,
+    ];
+    return mcpConfigPatterns.some(p => p.test(filePath));
+}
+/**
+ * Check if file might contain mcpServers configuration (package.json, etc.)
+ */
+function mightContainMCPConfig(filePath, content) {
+    if (filePath.endsWith('package.json')) {
+        return content.includes('mcpServers') || content.includes('mcp');
+    }
+    if (filePath.endsWith('.json')) {
+        return content.includes('mcpServers') || content.includes('"command"') ||
+            content.includes('"args"') || content.includes('"url"');
+    }
+    return false;
+}
+/**
+ * MCP Configuration Security Patterns
+ */
+const MCP_CONFIG_PATTERNS = [
+    // Secrets in args array
+    {
+        name: 'API key in MCP server args',
+        pattern: /"args"\s*:\s*\[[^\]]*(?:api[_-]?key|API[_-]?KEY|apiKey)[=:]["'][^"']+["'][^\]]*\]/gi,
+        category: 'ai_mcp_config_secrets',
+        baseSeverity: 'critical',
+        description: 'API key found in MCP server arguments. Secrets should not be stored in configuration files.',
+        suggestedFix: 'Use environment variables for secrets: ["--api-key", "${ANTHROPIC_API_KEY}"] or use a secrets manager.',
+    },
+    // Secret/token in args
+    {
+        name: 'Secret token in MCP server args',
+        pattern: /"args"\s*:\s*\[[^\]]*(?:secret|token|password|credential|auth)[=:]["'][^"']+["'][^\]]*\]/gi,
+        category: 'ai_mcp_config_secrets',
+        baseSeverity: 'critical',
+        description: 'Secret or token found in MCP server arguments. This could be exposed in logs or version control.',
+        suggestedFix: 'Move secrets to environment variables or a secrets manager.',
+    },
+    // Hardcoded bearer token
+    {
+        name: 'Bearer token in MCP config',
+        pattern: /"(?:auth|authorization|header)"\s*:\s*["'][Bb]earer\s+[A-Za-z0-9_-]+["']/gi,
+        category: 'ai_mcp_config_secrets',
+        baseSeverity: 'critical',
+        description: 'Bearer token hardcoded in MCP configuration. This is a security risk.',
+        suggestedFix: 'Use environment variable reference: "Bearer ${MCP_TOKEN}"',
+    },
+    // Environment variable with actual value (not reference)
+    {
+        name: 'Environment variable with hardcoded value',
+        pattern: /"env"\s*:\s*\{[^}]*(?:KEY|TOKEN|SECRET|PASSWORD)\s*"\s*:\s*"(?!\$\{)[^"]+"/gi,
+        category: 'ai_mcp_config_secrets',
+        baseSeverity: 'high',
+        description: 'Environment variable set to hardcoded secret value in MCP config.',
+        suggestedFix: 'Set environment variables outside the config file or use a secrets manager.',
+    },
+    // Disabled approval requirement
+    {
+        name: 'Tool approval disabled',
+        pattern: /"requireApproval"\s*:\s*false/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'medium',
+        description: 'Tool approval is disabled. AI can execute tools without user confirmation.',
+        suggestedFix: 'Enable tool approval for sensitive operations: "requireApproval": true',
+    },
+    // Auto-approve all
+    {
+        name: 'Auto-approve all tools',
+        pattern: /"autoApprove"\s*:\s*(?:true|"\*"|"all"|\["\*"\])/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'high',
+        description: 'All tools are auto-approved. This bypasses user confirmation for all operations.',
+        suggestedFix: 'Limit auto-approval to specific safe tools: "autoApprove": ["read_file", "list_files"]',
+    },
+    // Infinite or very long timeout
+    {
+        name: 'Unlimited tool timeout',
+        pattern: /"(?:toolTimeout|timeout)"\s*:\s*(?:0|null|"infinite"|999999+)/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'medium',
+        description: 'Tool timeout is disabled or very long. Tools could run indefinitely.',
+        suggestedFix: 'Set a reasonable timeout: "toolTimeout": 30000 (30 seconds)',
+    },
+    // HTTP URL (not HTTPS)
+    {
+        name: 'Insecure HTTP transport',
+        pattern: /"(?:url|endpoint|server)"\s*:\s*"http:\/\/(?!localhost|127\.0\.0\.1)[^"]+"/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'medium',
+        description: 'MCP server uses insecure HTTP transport. Data could be intercepted.',
+        suggestedFix: 'Use HTTPS for MCP server URLs: "url": "https://..."',
+    },
+    // Wildcard allowed tools
+    {
+        name: 'Wildcard tool permissions',
+        pattern: /"(?:allowedTools|tools|permissions)"\s*:\s*(?:\["\*"\]|"\*"|"all")/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'medium',
+        description: 'All tools are allowed without restriction. Consider limiting to specific tools.',
+        suggestedFix: 'Explicitly list allowed tools: "allowedTools": ["search", "read_file"]',
+    },
+    // Privileged mode enabled
+    {
+        name: 'Privileged mode enabled',
+        pattern: /"(?:privileged|sudo|admin|root)"\s*:\s*true/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'high',
+        description: 'MCP server running in privileged mode. This grants elevated permissions.',
+        suggestedFix: 'Disable privileged mode unless absolutely necessary. Apply principle of least privilege.',
+    },
+    // Disabled security features
+    {
+        name: 'Security feature disabled',
+        pattern: /"(?:secure|tls|verify|validation|sandbox)"\s*:\s*false/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'medium',
+        description: 'Security feature is explicitly disabled in MCP configuration.',
+        suggestedFix: 'Enable security features: "secure": true, "validation": true',
+    },
+    // Command injection risk in args
+    {
+        name: 'Shell command in MCP args',
+        pattern: /"args"\s*:\s*\[[^\]]*(?:sh\s+-c|bash\s+-c|cmd\s+\/c|powershell)[^\]]*\]/gi,
+        category: 'ai_mcp_config_permissions',
+        baseSeverity: 'high',
+        description: 'MCP server args contain shell command execution. This is a command injection risk.',
+        suggestedFix: 'Avoid shell command execution in MCP args. Use direct command invocation.',
+    },
+];
+// ============================================================================
+// Main Detection Function
+// ============================================================================
+/**
+ * Main detection function for MCP configuration audit
+ */
+function detectMCPConfigIssues(content, filePath, options) {
+    const vulnerabilities = [];
+    // Skip non-applicable files
+    if ((0, file_classifier_1.isScannerOrFixtureFile)(filePath))
+        return vulnerabilities;
+    if ((0, file_classifier_1.isDocumentationFile)(filePath))
+        return vulnerabilities;
+    // Only scan MCP config files or files that might contain MCP config
+    if (!isMCPConfigFile(filePath) && !mightContainMCPConfig(filePath, content)) {
+        return vulnerabilities;
+    }
+    const lines = options?.parsed?.lines ?? content.split('\n');
+    const isTestFile = (0, file_classifier_1.isTestOrMockFile)(filePath);
+    const isExample = (0, file_classifier_1.isExampleDirectory)(filePath);
+    // Track findings to avoid duplicates
+    const seenFindings = new Set();
+    for (const pattern of MCP_CONFIG_PATTERNS) {
+        const regex = new RegExp(pattern.pattern.source, pattern.pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+            const lineNumber = content.substring(0, match.index).split('\n').length;
+            const lineContent = lines[lineNumber - 1]?.trim() || '';
+            // Skip comments
+            if ((0, file_classifier_1.isComment)(lineContent))
+                continue;
+            // Create dedup key
+            const dedupKey = `${filePath}:${lineNumber}:${pattern.category}`;
+            if (seenFindings.has(dedupKey))
+                continue;
+            seenFindings.add(dedupKey);
+            let severity = pattern.baseSeverity;
+            let description = pattern.description;
+            const notes = [];
+            // Check if value is an environment variable reference (safer)
+            if (/\$\{[A-Z_]+\}|\$[A-Z_]+/.test(lineContent)) {
+                if (pattern.category === 'ai_mcp_config_secrets') {
+                    severity = 'low';
+                    notes.push('Uses environment variable reference (safer pattern)');
+                }
+            }
+            // Downgrade test files
+            if (isTestFile) {
+                severity = 'info';
+                notes.push('in test file');
+            }
+            // Downgrade example/demo directories
+            if (isExample && severity !== 'info') {
+                severity = 'info';
+                notes.push('in example/demo directory');
+            }
+            // Build final description
+            if (notes.length > 0) {
+                description += ` (${notes.join('; ')})`;
+            }
+            vulnerabilities.push({
+                id: `mcp-config-${filePath}-${lineNumber}-${pattern.name.replace(/\s+/g, '-')}`,
+                filePath,
+                lineNumber,
+                lineContent,
+                severity,
+                category: pattern.category,
+                title: pattern.name,
+                description,
+                suggestedFix: pattern.suggestedFix,
+                confidence: pattern.category === 'ai_mcp_config_secrets' ? 'high' : 'medium',
+                baseConfidence: BASE_CONFIDENCE,
+                layer: 1,
+                source: 'secrets',
+                requiresAIValidation: severity !== 'info' && severity !== 'low',
+            });
+        }
+    }
+    return vulnerabilities;
+}
+//# sourceMappingURL=config-mcp-audit.js.map

package/dist/detect/secrets/config-mcp-audit.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"config-mcp-audit.js","sourceRoot":"","sources":["../../../src/detect/secrets/config-mcp-audit.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;GAaG;;AAqLH,sDAwFC;AAzQD,iEAMoC;AAEpC,uDAAuD;AACvD,MAAM,eAAe,GAAG,IAAI,CAAA;AAE5B,+EAA+E;AAC/E,+BAA+B;AAC/B,+EAA+E;AAE/E;;GAEG;AACH,SAAS,eAAe,CAAC,QAAgB;IACvC,MAAM,iBAAiB,GAAG;QACxB,aAAa;QACb,eAAe;QACf,uBAAuB;QACvB,wBAAwB;QACxB,uCAAuC;KACxC,CAAA;IACD,OAAO,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAA;AACtD,CAAC;AAED;;GAEG;AACH,SAAS,qBAAqB,CAAC,QAAgB,EAAE,OAAe;IAC9D,IAAI,QAAQ,CAAC,QAAQ,CAAC,cAAc,CAAC,EAAE,CAAC;QACtC,OAAO,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,KAAK,CAAC,CAAA;IAClE,CAAC;IACD,IAAI,QAAQ,CAAC,QAAQ,CAAC,OAAO,CAAC,EAAE,CAAC;QAC/B,OAAO,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAC;YAC/D,OAAO,CAAC,QAAQ,CAAC,QAAQ,CAAC,IAAI,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAC,CAAA;IAChE,CAAC;IACD,OAAO,KAAK,CAAA;AACd,CAAC;AAeD;;GAEG;AACH,MAAM,mBAAmB,GAAuB;IAC9C,wBAAwB;IACxB;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,qFAAqF;QAC9F,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,6FAA6F;QAC1G,YAAY,EAAE,wGAAwG;KACvH;IACD,uBAAuB;IACvB;QACE,IAAI,EAAE,iCAAiC;QACvC,OAAO,EAAE,4FAA4F;QACrG,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,kGAAkG;QAC/G,YAAY,EAAE,6DAA6D;KAC5E;IACD,yBAAyB;IACzB;QACE,IAAI,EAAE,4BAA4B;QAClC,OAAO,EAAE,4EAA4E;QACrF,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,UAAU;QACxB,WAAW,EAAE,uEAAuE;QACpF,YAAY,EAAE,2DAA2D;KAC1E;IACD,yDAAyD;IACzD;QACE,IAAI,EAAE,2CAA2C;QACjD,OAAO,EAAE,8EAA8E;QACvF,QAAQ,EAAE,uBAAuB;QACjC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,mEAAmE;QAChF,YAAY,EAAE,6EAA6E;KAC5F;IACD,gCAAgC;IAChC;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,iCAAiC;QAC1C,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,4EAA4E;QACzF,YAAY,EAAE,wEAAwE;KACvF;IACD,mBAAmB;IACnB;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,oDAAoD;QAC7D,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,kFAAkF;QAC/F,YAAY,EAAE,wFAAwF;KACvG;IACD,gCAAgC;IAChC;QACE,IAAI,EAAE,wBAAwB;QAC9B,OAAO,EAAE,iEAAiE;QAC1E,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,sEAAsE;QACnF,YAAY,EAAE,6DAA6D;KAC5E;IACD,uBAAuB;IACvB;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,8EAA8E;QACvF,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,qEAAqE;QAClF,YAAY,EAAE,qDAAqD;KACpE;IACD,yBAAyB;IACzB;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,sEAAsE;QAC/E,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,iFAAiF;QAC9F,YAAY,EAAE,wEAAwE;KACvF;IACD,0BAA0B;IAC1B;QACE,IAAI,EAAE,yBAAyB;QAC/B,OAAO,EAAE,+CAA+C;QACxD,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,0EAA0E;QACvF,YAAY,EAAE,0FAA0F;KACzG;IACD,6BAA6B;IAC7B;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,0DAA0D;QACnE,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,QAAQ;QACtB,WAAW,EAAE,+DAA+D;QAC5E,YAAY,EAAE,8DAA8D;KAC7E;IACD,iCAAiC;IACjC;QACE,IAAI,EAAE,2BAA2B;QACjC,OAAO,EAAE,2EAA2E;QACpF,QAAQ,EAAE,2BAA2B;QACrC,YAAY,EAAE,MAAM;QACpB,WAAW,EAAE,oFAAoF;QACjG,YAAY,EAAE,2EAA2E;KAC1F;CACF,CAAA;AAED,+EAA+E;AAC/E,0BAA0B;AAC1B,+EAA+E;AAE/E;;GAEG;AACH,SAAgB,qBAAqB,CACnC,OAAe,EACf,QAAgB,EAChB,OAAiC;IAEjC,MAAM,eAAe,GAAoB,EAAE,CAAA;IAE3C,4BAA4B;IAC5B,IAAI,IAAA,wCAAsB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAC5D,IAAI,IAAA,qCAAmB,EAAC,QAAQ,CAAC;QAAE,OAAO,eAAe,CAAA;IAEzD,oEAAoE;IACpE,IAAI,CAAC,eAAe,CAAC,QAAQ,CAAC,IAAI,CAAC,qBAAqB,CAAC,QAAQ,EAAE,OAAO,CAAC,EAAE,CAAC;QAC5E,OAAO,eAAe,CAAA;IACxB,CAAC;IAED,MAAM,KAAK,GAAG,OAAO,EAAE,MAAM,EAAE,KAAK,IAAI,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAA;IAC3D,MAAM,UAAU,GAAG,IAAA,kCAAgB,EAAC,QAAQ,CAAC,CAAA;IAC7C,MAAM,SAAS,GAAG,IAAA,oCAAkB,EAAC,QAAQ,CAAC,CAAA;IAE9C,qCAAqC;IACrC,MAAM,YAAY,GAAG,IAAI,GAAG,EAAU,CAAA;IAEtC,KAAK,MAAM,OAAO,IAAI,mBAAmB,EAAE,CAAC;QAC1C,MAAM,KAAK,GAAG,IAAI,MAAM,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,OAAO,CAAC,KAAK,CAAC,CAAA;QACvE,IAAI,KAAK,CAAA;QAET,OAAO,CAAC,KAAK,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAC9C,MAAM,UAAU,GAAG,OAAO,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAA;YACvE,MAAM,WAAW,GAAG,KAAK,CAAC,UAAU,GAAG,CAAC,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,CAAA;YAEvD,gBAAgB;YAChB,IAAI,IAAA,2BAAS,EAAC,WAAW,CAAC;gBAAE,SAAQ;YAEpC,mBAAmB;YACnB,MAAM,QAAQ,GAAG,GAAG,QAAQ,IAAI,UAAU,IAAI,OAAO,CAAC,QAAQ,EAAE,CAAA;YAChE,IAAI,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC;gBAAE,SAAQ;YACxC,YAAY,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;YAE1B,IAAI,QAAQ,GAAG,OAAO,CAAC,YAAY,CAAA;YACnC,IAAI,WAAW,GAAG,OAAO,CAAC,WAAW,CAAA;YACrC,MAAM,KAAK,GAAa,EAAE,CAAA;YAE1B,8DAA8D;YAC9D,IAAI,yBAAyB,CAAC,IAAI,CAAC,WAAW,CAAC,EAAE,CAAC;gBAChD,IAAI,OAAO,CAAC,QAAQ,KAAK,uBAAuB,EAAE,CAAC;oBACjD,QAAQ,GAAG,KAAK,CAAA;oBAChB,KAAK,CAAC,IAAI,CAAC,qDAAqD,CAAC,CAAA;gBACnE,CAAC;YACH,CAAC;YAED,uBAAuB;YACvB,IAAI,UAAU,EAAE,CAAC;gBACf,QAAQ,GAAG,MAAM,CAAA;gBACjB,KAAK,CAAC,IAAI,CAAC,cAAc,CAAC,CAAA;YAC5B,CAAC;YAED,qCAAqC;YACrC,IAAI,SAAS,IAAI,QAAQ,KAAK,MAAM,EAAE,CAAC;gBACrC,QAAQ,GAAG,MAAM,CAAA;gBACjB,KAAK,CAAC,IAAI,CAAC,2BAA2B,CAAC,CAAA;YACzC,CAAC;YAED,0BAA0B;YAC1B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBACrB,WAAW,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,GAAG,CAAA;YACzC,CAAC;YAED,eAAe,CAAC,IAAI,CAAC;gBACnB,EAAE,EAAE,cAAc,QAAQ,IAAI,UAAU,IAAI,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,GAAG,CAAC,EAAE;gBAC/E,QAAQ;gBACR,UAAU;gBACV,WAAW;gBACX,QAAQ;gBACR,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,KAAK,EAAE,OAAO,CAAC,IAAI;gBACnB,WAAW;gBACX,YAAY,EAAE,OAAO,CAAC,YAAY;gBAClC,UAAU,EAAE,OAAO,CAAC,QAAQ,KAAK,uBAAuB,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,QAAQ;gBAC5E,cAAc,EAAE,eAAe;gBAC/B,KAAK,EAAE,CAAC;gBACR,MAAM,EAAE,SAAkB;gBAC1B,oBAAoB,EAAE,QAAQ,KAAK,MAAM,IAAI,QAAQ,KAAK,KAAK;aAChE,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,OAAO,eAAe,CAAA;AACxB,CAAC"}

package/dist/detect/secrets/entropy.d.ts

@@ -0,0 +1,11 @@
+/**
+ * Layer 1: High-Entropy String Detection
+ * Uses Shannon entropy to detect potential secrets that don't match known patterns
+ */
+import type { Vulnerability } from '../../shared/types';
+import type { ParsedFile } from '../../shared/parsed-file';
+export declare function calculateEntropy(str: string): number;
+export declare function detectHighEntropyStrings(content: string, filePath: string, options?: {
+    parsed?: ParsedFile;
+}): Vulnerability[];
+//# sourceMappingURL=entropy.d.ts.map

package/dist/detect/secrets/entropy.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"entropy.d.ts","sourceRoot":"","sources":["../../../src/detect/secrets/entropy.ts"],"names":[],"mappings":"AAAA;;;GAGG;AAEH,OAAO,KAAK,EAAE,aAAa,EAAE,MAAM,oBAAoB,CAAA;AACvD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAA;AAc1D,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAgBpD;AAopBD,wBAAgB,wBAAwB,CACtC,OAAO,EAAE,MAAM,EACf,QAAQ,EAAE,MAAM,EAChB,OAAO,CAAC,EAAE;IAAE,MAAM,CAAC,EAAE,UAAU,CAAA;CAAE,GAChC,aAAa,EAAE,CAmKjB"}