@oculum/scanner 1.0.14 → 1.0.15

package/src/detect/index.ts

@@ -11,40 +11,93 @@ import type {
   CancellationToken,
   DetectorContext,
   ProgressCallback,
-} from '../shared/types'
-import { runLayer1Scan, type Layer1Result } from './secrets'
-import { runLayer2Scan, type Layer2Result } from './structural'
-import { aggregateLocalhostFindings } from './config/urls'
-import type { MiddlewareAuthConfig } from '../model/middleware-detector'
-import type { FileAuthImports } from '../model/imported-auth-detector'
-import type { FilterPipeline } from '../postprocess/filtering/pipeline'
+} from "../shared/types";
+import { runLayer1Scan, type Layer1Result } from "./secrets";
+import { runLayer2Scan, type Layer2Result } from "./structural";
+import { aggregateLocalhostFindings } from "./config/urls";
+import type { MiddlewareAuthConfig } from "../model/middleware-detector";
+import type { FileAuthImports } from "../model/imported-auth-detector";
+import type { FilterPipeline } from "../postprocess/filtering/pipeline";
+import type { ParsedAST } from "../parse/ast";
+import { parseFiles } from "../parse/ast";
+import { runASTRulesOnFiles } from "./ast-rules";
+import type { TaintFinding } from "../taint/propagation-types";
+import {
+  setProjectFindings,
+  clearTaintFlowCache,
+} from "./ast-rules/taint-flow-ast";
+// Import AST rule modules so they self-register
+import "./ast-rules/weak-crypto-ast";
+import "./ast-rules/variables-ast";
+import "./ast-rules/risky-imports-ast";
+import "./ast-rules/secret-patterns-ast";
+import "./ast-rules/entropy-ast";
+import "./ast-rules/security-headers-ast";
+// Wave 2: Dangerous function detectors
+import "./ast-rules/dangerous-eval-ast";
+import "./ast-rules/dom-xss-ast";
+import "./ast-rules/json-parse-ast";
+import "./ast-rules/child-process-ast";
+import "./ast-rules/sql-injection-ast";
+import "./ast-rules/request-validation-ast";
+// Wave 3: Auth + framework detectors
+import "./ast-rules/auth-patterns-ast";
+import "./ast-rules/framework-checks-ast";
+import "./ast-rules/data-exposure-ast";
+import "./ast-rules/logic-gates-ast";
+// Wave 4: Taint-adjacent detectors
+import "./ast-rules/ssrf-ast";
+import "./ast-rules/xxe-ast";
+import "./ast-rules/log-injection-ast";
+import "./ast-rules/ai-fingerprinting-ast";
+// Wave 5: Python-specific detectors
+import "./ast-rules/flask-debug-ast";
+// Wave 5: AI-specific detectors
+import "./ast-rules/agent-tools-ast";
+import "./ast-rules/byok-ast";
+import "./ast-rules/endpoint-protection-ast";
+// execution-sinks-ast: removed in Phase 4, replaced by taint-engine LLM flow detection
+import "./ast-rules/mcp-security-ast";
+import "./ast-rules/model-supply-chain-ast";
+import "./ast-rules/package-hallucination-ast";
+import "./ast-rules/prompt-hygiene-ast";
+import "./ast-rules/rag-safety-ast";
+import "./ast-rules/schema-validation-ast";
+// Wave 6: Taint flow detection (v2 engine)
+import "./ast-rules/taint-flow-ast";
 
 export interface DetectorInput {
-  files: ScanFile[]
-  middlewareConfig?: MiddlewareAuthConfig
-  fileAuthImports?: Map<string, FileAuthImports>
-  detectorContext: DetectorContext
-  onProgress?: ProgressCallback
-  cancellationToken?: CancellationToken
-  filterPipeline: FilterPipeline
-  repoName: string
-  quiet: boolean
+  files: ScanFile[];
+  middlewareConfig?: MiddlewareAuthConfig;
+  fileAuthImports?: Map<string, FileAuthImports>;
+  detectorContext: DetectorContext;
+  onProgress?: ProgressCallback;
+  cancellationToken?: CancellationToken;
+  filterPipeline: FilterPipeline;
+  repoName: string;
+  quiet: boolean;
+  /** Pre-parsed ASTs from model build (avoids re-parsing + re-analyzing) */
+  precomputedASTs?: Map<string, ParsedAST>;
+  /** Pre-computed cross-file taint findings from model build */
+  precomputedTaintFindings?: TaintFinding[];
 }
 
 export interface DetectorOutput {
   /** Combined Layer 1 + Layer 2 findings (after localhost aggregation) */
-  findings: Vulnerability[]
+  findings: Vulnerability[];
   /** Phase timing */
-  phaseTiming: { layer1?: number; layer2?: number }
+  phaseTiming: { layer1?: number; layer2?: number };
 }
 
-const fid = (v: Pick<Vulnerability, 'filePath' | 'lineNumber' | 'category'>) =>
-  `${v.filePath}:${v.lineNumber}:${v.category}`
+const fid = (v: Pick<Vulnerability, "filePath" | "lineNumber" | "category">) =>
+  `${v.filePath}:${v.lineNumber}:${v.category}`;
 
 /**
  * Run all detectors (Layer 1 + Layer 2) and return combined raw findings.
  */
-export async function runDetectors(input: DetectorInput): Promise<DetectorOutput> {
+export async function runDetectors(
+  input: DetectorInput,
+): Promise<DetectorOutput> {
   const {
     files,
     middlewareConfig,
@@ -55,16 +108,16 @@ export async function runDetectors(input: DetectorInput): Promise<DetectorOutput
     filterPipeline,
     repoName,
     quiet,
-  } = input
+  } = input;
 
   const log = (message: string) => {
-    if (!quiet) console.log(message)
-  }
+    if (!quiet) console.log(message);
+  };
 
   const reportProgress = (
-    status: 'layer1' | 'layer2',
+    status: "layer1" | "layer2",
     message: string,
-    vulnerabilitiesFound: number = 0
+    vulnerabilitiesFound: number = 0,
   ) => {
     if (onProgress) {
       onProgress({
@@ -73,59 +126,100 @@ export async function runDetectors(input: DetectorInput): Promise<DetectorOutput
         filesProcessed: files.length,
         totalFiles: files.length,
         vulnerabilitiesFound,
-      })
+      });
     }
-  }
+  };
 
-  const phaseTiming: { layer1?: number; layer2?: number } = {}
+  const phaseTiming: { layer1?: number; layer2?: number } = {};
 
   // Layer 1: Surface Scan
-  const layer1Start = Date.now()
-  reportProgress('layer1', 'Running surface scan (patterns, entropy, config)...')
-  let layer1Result = await runLayer1Scan(files, onProgress, cancellationToken)
+  const layer1Start = Date.now();
+  reportProgress(
+    "layer1",
+    "Running surface scan (patterns, entropy, config)...",
+  );
+  let layer1Result = await runLayer1Scan(files, onProgress, cancellationToken);
 
   // Aggregate repeated localhost findings
-  const layer1RawCount = layer1Result.vulnerabilities.length
-  const layer1BeforeAggregation = layer1Result.vulnerabilities
+  const layer1RawCount = layer1Result.vulnerabilities.length;
+  const layer1BeforeAggregation = layer1Result.vulnerabilities;
   layer1Result = {
     ...layer1Result,
-    vulnerabilities: aggregateLocalhostFindings(layer1Result.vulnerabilities)
-  }
+    vulnerabilities: aggregateLocalhostFindings(layer1Result.vulnerabilities),
+  };
   if (filterPipeline.isEnabled) {
-    const afterIds = new Set(layer1Result.vulnerabilities.map(fid))
+    const afterIds = new Set(layer1Result.vulnerabilities.map(fid));
     for (const v of layer1BeforeAggregation) {
       if (!afterIds.has(fid(v))) {
-        filterPipeline.record(fid(v), { stage: 'localhost_aggregation', action: 'aggregated', reason: 'Aggregated repeated localhost finding' })
+        filterPipeline.record(fid(v), {
+          stage: "localhost_aggregation",
+          action: "aggregated",
+          reason: "Aggregated repeated localhost finding",
+        });
       }
     }
   }
-  phaseTiming.layer1 = Date.now() - layer1Start
-  log(`[Layer1] repo=${repoName} findings_raw=${layer1RawCount} findings_deduped=${layer1Result.vulnerabilities.length} duration=${phaseTiming.layer1}ms`)
+  phaseTiming.layer1 = Date.now() - layer1Start;
+  log(
+    `[Layer1] repo=${repoName} findings_raw=${layer1RawCount} findings_deduped=${layer1Result.vulnerabilities.length} duration=${phaseTiming.layer1}ms`,
+  );
 
   // Layer 2: Structural Scan
-  const layer2Start = Date.now()
-  reportProgress('layer2', 'Running structural scan (variables, logic gates)...', layer1Result.vulnerabilities.length)
+  const layer2Start = Date.now();
+  reportProgress(
+    "layer2",
+    "Running structural scan (variables, logic gates)...",
+    layer1Result.vulnerabilities.length,
+  );
   const layer2Result = await runLayer2Scan(
     files,
     { middlewareConfig, fileAuthImports, detectorContext },
     onProgress,
-    cancellationToken
-  )
+    cancellationToken,
+  );
 
   // Format heuristic breakdown for logging
   const heuristicBreakdown = Object.entries(layer2Result.stats.raw)
     .filter(([, count]) => count > 0)
     .map(([name, count]) => `${name}:${count}`)
-    .join(',')
-  phaseTiming.layer2 = Date.now() - layer2Start
-  log(`[Layer2] repo=${repoName} findings_raw=${Object.values(layer2Result.stats.raw).reduce((a, b) => a + b, 0)} findings_deduped=${layer2Result.vulnerabilities.length} duration=${phaseTiming.layer2}ms heuristic_breakdown={${heuristicBreakdown}}`)
+    .join(",");
+  phaseTiming.layer2 = Date.now() - layer2Start;
+  log(
+    `[Layer2] repo=${repoName} findings_raw=${Object.values(layer2Result.stats.raw).reduce((a, b) => a + b, 0)} findings_deduped=${layer2Result.vulnerabilities.length} duration=${phaseTiming.layer2}ms heuristic_breakdown={${heuristicBreakdown}}`,
+  );
+
+  // AST-based detection — reuse pre-computed ASTs + taint findings from model build
+  const astStart = Date.now();
+  const asts =
+    input.precomputedASTs ??
+    parseFiles(files.map((f) => ({ path: f.path, content: f.content })));
+
+  // Populate taint flow cache for AST rules
+  clearTaintFlowCache();
+  const projectFindings = input.precomputedTaintFindings ?? [];
+  setProjectFindings(projectFindings);
+
+  const astFindings = runASTRulesOnFiles(
+    asts,
+    files.map((f) => ({ path: f.path, content: f.content })),
+  );
+  const astDuration = Date.now() - astStart;
+  if (astFindings.length > 0 || asts.size > 0) {
+    log(
+      `[AST] repo=${repoName} parsed=${asts.size}/${files.length} ast_findings=${astFindings.length} cross_file_taint=${projectFindings.length} duration=${astDuration}ms`,
+    );
+  }
 
-  // Combine Layer 1 and Layer 2 findings
-  const findings = [...layer1Result.vulnerabilities, ...layer2Result.vulnerabilities]
+  // Combine Layer 1 + Layer 2 + AST findings
+  const findings = [
+    ...layer1Result.vulnerabilities,
+    ...layer2Result.vulnerabilities,
+    ...astFindings,
+  ];
 
-  return { findings, phaseTiming }
+  return { findings, phaseTiming };
 }
 
 // Re-export layer results for external consumers
-export { runLayer1Scan, type Layer1Result } from './secrets'
-export { runLayer2Scan, type Layer2Result } from './structural'
+export { runLayer1Scan, type Layer1Result } from "./secrets";
+export { runLayer2Scan, type Layer2Result } from "./structural";

package/src/detect/secrets/config-audit.ts

@@ -52,7 +52,7 @@ export const CONFIG_RULES: ConfigRule[] = [
   },
   {
     name: 'Hardcoded secrets in Docker build args',
-    filePatterns: ['Dockerfile', '*.dockerfile', 'docker-compose.yml', 'docker-compose.yaml'],
+    filePatterns: ['Dockerfile', '*.dockerfile', '*docker-compose*.yml', '*docker-compose*.yaml'],
     check: (content: string): ConfigViolation[] => {
       const violations: ConfigViolation[] = []
       const lines = content.split('\n')
@@ -296,6 +296,40 @@ export const CONFIG_RULES: ConfigRule[] = [
         // Invalid JSON, skip
       }
 
+      return violations
+    },
+  },
+  // .env file hardcoded secrets
+  {
+    name: 'Hardcoded secrets in .env file',
+    filePatterns: ['.env', '.env.*'],
+    check: (content: string): ConfigViolation[] => {
+      const violations: ConfigViolation[] = []
+      const lines = content.split('\n')
+      const sensitiveKeys = /^(PASSWORD|SECRET|TOKEN|CREDENTIAL|API_KEY|PRIVATE_KEY|AUTH|DB_PASSWORD|SECRET_KEY|ACCESS_KEY)/i
+
+      lines.forEach((line, index) => {
+        const trimmed = line.trim()
+        if (trimmed.startsWith('#') || !trimmed.includes('=')) return
+
+        const eqIndex = trimmed.indexOf('=')
+        const key = trimmed.slice(0, eqIndex).trim()
+        const value = trimmed.slice(eqIndex + 1).trim().replace(/^["']|["']$/g, '')
+
+        if (!sensitiveKeys.test(key)) return
+        // Skip empty, variable references, placeholders
+        if (!value || /^\$/.test(value) || /^<.*>$/.test(value)) return
+        if (/^(changeme|replace|your[-_]?\w*[-_]?here|TODO|FIXME|xxx+)$/i.test(value)) return
+
+        violations.push({
+          line: index + 1,
+          lineContent: trimmed,
+          message: `Hardcoded ${key} value in .env file — use environment-specific injection instead`,
+          severity: 'high',
+          category: 'hardcoded_secret',
+        })
+      })
+
       return violations
     },
   },
@@ -308,7 +342,7 @@ function matchesFilePattern(filePath: string, patterns: string[]): boolean {
   return patterns.some(pattern => {
     if (pattern.includes('*')) {
       const regex = new RegExp(
-        '^' + pattern.replace(/\*/g, '.*').replace(/\./g, '\\.') + '$',
+        '^' + pattern.replace(/\./g, '\\.').replace(/\*/g, '.*') + '$',
         'i'
       )
       return regex.test(fileName) || regex.test(filePath)
@@ -335,7 +369,7 @@ export function auditConfiguration(
           lineNumber: violation.line,
           lineContent: violation.lineContent,
           severity: violation.severity,
-          category: 'insecure_config',
+          category: violation.category ?? 'insecure_config',
           title: rule.name,
           description: violation.message,
           suggestedFix: getConfigFix(rule.name, violation),

package/src/detect/secrets/entropy.ts

@@ -69,6 +69,11 @@ function extractStringLiterals(content: string): Array<{ value: string; line: nu
   return strings
 }
 
+// Check if line is a package.json metadata field (author, description, etc.) — not secrets
+function isPackageJsonMetadataField(lineContent: string): boolean {
+  return /^\s*"(author|description|license|homepage|keywords|repository|bugs|funding|contributors|maintainers|engines|os|cpu)"/.test(lineContent)
+}
+
 // Check if string looks like a known safe pattern (URLs, paths, etc.)
 function isSafePattern(str: string): boolean {
   const safePatterns = [
@@ -420,6 +425,121 @@ function isSQLQuery(value: string, lineContent: string): boolean {
   )
 }
 
+/**
+ * Check if string is a DynamoDB/NoSQL expression (not a secret)
+ * DynamoDB expressions have high entropy due to placeholder syntax and mixed-case keywords
+ */
+function isNoSQLExpression(value: string, lineContent: string): boolean {
+  // DynamoDB expression keywords
+  const dynamoKeywords = [
+    /\bKeyConditionExpression\b/,
+    /\bFilterExpression\b/,
+    /\bProjectionExpression\b/,
+    /\bConditionExpression\b/,
+    /\bUpdateExpression\b/,
+    /\bExpressionAttributeNames\b/,
+    /\bExpressionAttributeValues\b/,
+  ]
+
+  // DynamoDB expression syntax patterns
+  const dynamoSyntax = [
+    /:[a-zA-Z_]\w*/,              // :placeholder patterns
+    /#[a-zA-Z_]\w*/,              // #attribute patterns
+    /\bbegins_with\s*\(/i,
+    /\battribute_exists\s*\(/i,
+    /\battribute_not_exists\s*\(/i,
+    /\bcontains\s*\(/i,
+  ]
+
+  // DynamoDB key construction patterns (PK/SK/GSI with interpolation)
+  const keyConstructionPatterns = [
+    /\b(PK|SK|GSI)\b.*\$\{/,
+    /\$\{.*\b(PK|SK|GSI)\b/,
+    /['"`].*\b(PK|SK|GSI)[#|_].*['"`]/,
+  ]
+
+  // Repository/Data-access file context
+  const dataAccessFilePatterns = [
+    /Repository\.(cs|ts|js)$/i,
+    /Repository\./i,
+    /DynamoDB/i,
+    /dynamo/i,
+  ]
+
+  const combined = value + ' ' + lineContent
+
+  // Check for DynamoDB keywords in the line context
+  if (dynamoKeywords.some(p => p.test(lineContent))) return true
+
+  // Check for DynamoDB expression syntax in the value
+  const syntaxMatches = dynamoSyntax.filter(p => p.test(value)).length
+  if (syntaxMatches >= 2) return true
+
+  // Check for key construction patterns
+  if (keyConstructionPatterns.some(p => p.test(combined))) return true
+
+  // Single syntax match in a data-access file context
+  if (syntaxMatches >= 1 && dataAccessFilePatterns.some(p => p.test(lineContent))) return true
+
+  return false
+}
+
+/**
+ * Check if string is a DateTime format or format string (not a secret)
+ * Date/time format strings and .NET/Python format placeholders have high entropy
+ */
+function isDateTimeOrFormatString(value: string, lineContent: string): boolean {
+  // ISO date format patterns
+  const dateFormatPatterns = [
+    /yyyy[-/]MM[-/]dd/,
+    /MM[-/]dd[-/]yyyy/,
+    /dd[-/]MM[-/]yyyy/,
+    /HH:mm:ss/,
+    /hh:mm:ss/,
+    /\.ToString\s*\(\s*["']/i,
+  ]
+
+  // C# DateTime formatting
+  const csharpDateTimePatterns = [
+    /\{0:yyyy/,
+    /\{0:dd/,
+    /\{0:MM/,
+    /\{0:HH/,
+    /\bDateTime\.Parse\b/,
+    /\bDateTime\.TryParse\b/,
+    /\bDateTimeOffset\b/,
+    /\bDateTime\.Now\b/,
+    /\bDateTime\.UtcNow\b/,
+  ]
+
+  // Python format strings
+  const pythonFormatPatterns = [
+    /\.strftime\s*\(/,
+    /\.strptime\s*\(/,
+    /%Y[-%]%m[-%]%d/,
+    /%H:%M:%S/,
+    /%d\/%m\/%Y/,
+  ]
+
+  // .NET format placeholders: {0}, {1}, {2}
+  const formatPlaceholderPattern = /\{\d+\}/g
+  const placeholderMatches = value.match(formatPlaceholderPattern)
+  if (placeholderMatches && placeholderMatches.length >= 3) return true
+
+  // General format specifiers: %s, %d, %f mixed in
+  const generalFormatPattern = /%[sdifFeEgGxXocrpn%]/g
+  const generalMatches = value.match(generalFormatPattern)
+  if (generalMatches && generalMatches.length >= 3) return true
+
+  const combined = value + ' ' + lineContent
+
+  return (
+    dateFormatPatterns.some(p => p.test(combined)) ||
+    csharpDateTimePatterns.some(p => p.test(combined)) ||
+    pythonFormatPatterns.some(p => p.test(combined))
+  )
+}
+
 /**
  * Check if string is an i18n/translation string (not a secret)
  * Internationalization strings can have high entropy
@@ -694,6 +814,52 @@ function isMinifiedFile(filePath: string): boolean {
   return minifiedPatterns.some(p => p.test(filePath))
 }
 
+/**
+ * Check if file is in a static asset directory (images, fonts, etc.)
+ * These files contain resource hashes/names, not secrets
+ */
+function isStaticAssetDirectory(filePath: string): boolean {
+  return /\/(assets|public|static|resources|images|img|fonts|icons|media)\//i.test(filePath)
+}
+
+/**
+ * Check if file is in an educational/challenge directory
+ * CTF challenges and hacking tutorials contain intentional secrets
+ */
+function isEducationalOrChallengeDirectory(filePath: string): boolean {
+  return /\/(challenges?|hacking[-_]?instructor|ctf|capture-the-flag|vulnerable-apps?|attack[-_]lab)\//i.test(filePath)
+}
+
+/**
+ * Check if value is an alphabet/charset constant (sequential chars used for encoding)
+ */
+function isAlphabetOrCharsetConstant(value: string, lineContent: string): boolean {
+  // Variable name contains alphabet/chars/charset etc.
+  if (/\b(alphabet|chars|charset|charSet|characters|base64[_-]?chars|allowed[_-]?chars|valid[_-]?chars|char[_-]?set|char[_-]?pool|key[_-]?space|hex[_-]?chars|alphanum)\b/i.test(lineContent)) return true
+  // Value contains sequential alpha/digit runs (ABCDEFGHIJKLMNOPQRSTUVWXYZabc... or 0123456789)
+  if (/abcdefghij|ABCDEFGHIJ|0123456789/.test(value) && /^[A-Za-z0-9+/=_-]+$/.test(value)) return true
+  return false
+}
+
+/**
+ * Check if value is a public OAuth client ID (not a secret)
+ * Google OAuth client IDs (*.apps.googleusercontent.com) are public identifiers
+ */
+function isPublicOAuthClientID(value: string): boolean {
+  return /\.apps\.googleusercontent\.com$/.test(value)
+}
+
+/**
+ * Check if value is an SPDX license expression or license text (not a secret)
+ */
+function isLicenseOrSPDX(value: string, lineContent: string): boolean {
+  if (/\bSPDX-License-Identifier\b/i.test(lineContent)) return true
+  if (/^(MIT|Apache-2\.0|GPL-[23]\.0|BSD-[23]-Clause|ISC|MPL-2\.0|LGPL|AGPL|Unlicense)(\s+(OR|AND|WITH)\s+\w+)*$/i.test(value)) return true
+  if (/\b(Permission is hereby granted|THE SOFTWARE IS PROVIDED|WITHOUT WARRANTY|all rights reserved)\b/i.test(value)) return true
+  if (/["'](license|licence|spdx)["']\s*:/i.test(lineContent)) return true
+  return false
+}
+
 export function detectHighEntropyStrings(
   content: string,
   filePath: string,
@@ -706,6 +872,16 @@ export function detectHighEntropyStrings(
     return vulnerabilities
   }
 
+  // Skip static asset directories (images, fonts, etc.)
+  if (isStaticAssetDirectory(filePath)) {
+    return vulnerabilities
+  }
+
+  // Skip educational/challenge directories (intentional secrets)
+  if (isEducationalOrChallengeDirectory(filePath)) {
+    return vulnerabilities
+  }
+
   // Skip scanner/fixture files to avoid self-detection
   if (isScannerOrFixtureFile(filePath)) {
     return vulnerabilities
@@ -731,9 +907,13 @@ export function detectHighEntropyStrings(
     return vulnerabilities
   }
 
+  const isPackageJson = filePath.endsWith('package.json')
   const strings = extractStringLiterals(content)
 
   for (const { value, line, lineContent } of strings) {
+    // Skip package.json metadata fields (author, description, etc.)
+    if (isPackageJson && isPackageJsonMetadataField(lineContent)) continue
+
     // Skip comments
     if (isComment(lineContent)) continue
 
@@ -776,6 +956,12 @@ export function detectHighEntropyStrings(
     // Skip SQL queries (SELECT, INSERT, etc. have high entropy but aren't secrets)
     if (isSQLQuery(value, lineContent)) continue
 
+    // Skip DynamoDB/NoSQL expressions (placeholder syntax creates high entropy)
+    if (isNoSQLExpression(value, lineContent)) continue
+
+    // Skip DateTime format strings and .NET/Python format placeholders
+    if (isDateTimeOrFormatString(value, lineContent)) continue
+
     // Skip i18n/translation strings
     if (isI18nString(value, lineContent)) continue
 
@@ -809,6 +995,15 @@ export function detectHighEntropyStrings(
     // Skip natural language strings (high ratio of common English words)
     if (isNaturalLanguage(value)) continue
 
+    // Skip alphabet/charset constants (sequential chars for encoding)
+    if (isAlphabetOrCharsetConstant(value, lineContent)) continue
+
+    // Skip public OAuth client IDs (not secrets)
+    if (isPublicOAuthClientID(value)) continue
+
+    // Skip SPDX license expressions and license text
+    if (isLicenseOrSPDX(value, lineContent)) continue
+
     // Calculate entropy
     const entropy = calculateEntropy(value)