@oculum/scanner 1.0.9 → 1.0.11

package/src/layer2/ai-rag-safety.ts

@@ -9,7 +9,7 @@
  * - Context logging risks
  */
 
-import type { Vulnerability, VulnerabilitySeverity } from '../types'
+import type { Vulnerability, VulnerabilitySeverity, VulnerabilityCategory } from '../types'
 import {
   isComment,
   isTestOrMockFile,
@@ -220,7 +220,7 @@ function getSurroundingContext(content: string, lineIndex: number, windowSize: n
 interface RAGSafetyPattern {
   name: string
   pattern: RegExp
-  riskType: 'unscoped_retrieval' | 'context_exposure' | 'context_logging'
+  riskType: 'unscoped_retrieval' | 'context_exposure' | 'context_logging' | 'corpus_poisoning' | 'pii_leakage' | 'query_injection' | 'embedding_poisoning' | 'chunk_injection'
   baseSeverity: VulnerabilitySeverity
   description: string
   suggestedFix: string
@@ -382,10 +382,298 @@ const CONTEXT_LOGGING_PATTERNS: RAGSafetyPattern[] = [
   },
 ]
 
+// ============================================================================
+// AI Detection Roadmap Phase 1: Enhanced RAG Detection
+// ============================================================================
+
+/**
+ * Corpus Poisoning Patterns
+ * Detects user uploads directly embedded without sanitization
+ */
+const CORPUS_POISONING_PATTERNS: RAGSafetyPattern[] = [
+  // User content embedded directly
+  {
+    name: 'User content embedded directly',
+    pattern: /(?:embeddings?\.create|createEmbedding|embed)\s*\([^)]*(?:document\.content|user\.content|req\.body|req\.json|upload|file\.content)/gi,
+    riskType: 'corpus_poisoning',
+    baseSeverity: 'high',
+    description: 'User-provided content embedded directly without sanitization. Malicious instructions in uploads could poison the RAG corpus.',
+    suggestedFix: 'Sanitize user content before embedding: const sanitized = sanitizeForRAG(content); await embed(sanitized)',
+  },
+  // External content fetched and embedded
+  {
+    name: 'External content embedded without validation',
+    pattern: /(?:fetch|axios\.get|httpx\.get)\s*\([^)]+\)[^;]*(?:embed|addDocument|upsert|index)/gi,
+    riskType: 'corpus_poisoning',
+    baseSeverity: 'high',
+    description: 'External content fetched and embedded without validation. External sources could contain prompt injection payloads.',
+    suggestedFix: 'Validate and sanitize external content before embedding. Check source trustworthiness.',
+  },
+  // PDF/file content indexed without scanning
+  {
+    name: 'File content indexed without sanitization',
+    pattern: /(?:pdfParser|parse|readFile)[^;]*(?:addToCorpus|embedDocument|vectorStore\.add|index\.upsert)/gi,
+    riskType: 'corpus_poisoning',
+    baseSeverity: 'medium',
+    description: 'File content indexed without sanitization. PDFs and documents may contain hidden injection instructions.',
+    suggestedFix: 'Scan file content for injection patterns before indexing. Consider content classification.',
+  },
+  // User messages embedded
+  {
+    name: 'User messages embedded to corpus',
+    pattern: /(?:messages?|msg|chat)[^;]*(?:embedDocument|addToCorpus|vectorStore\.add)/gi,
+    riskType: 'corpus_poisoning',
+    baseSeverity: 'medium',
+    description: 'User messages being embedded into corpus. Messages could contain crafted injection payloads.',
+    suggestedFix: 'Filter user messages for instruction-like patterns. Use separate namespace for user content.',
+  },
+  // Direct upsert without sanitization
+  {
+    name: 'Direct vector upsert with user data',
+    pattern: /\.upsert\s*\(\s*\[\s*\{[^}]*content\s*:\s*(?:document|user|upload|req)/gi,
+    riskType: 'corpus_poisoning',
+    baseSeverity: 'high',
+    description: 'User data upserted directly to vector store. Content should be sanitized first.',
+    suggestedFix: 'Sanitize content before upserting: { content: sanitize(document.content), ... }',
+  },
+]
+
+/**
+ * PII Leakage Patterns
+ * Detects PII fields in embedded documents or retrieval responses
+ */
+const PII_LEAKAGE_PATTERNS: RAGSafetyPattern[] = [
+  // PII fields in metadata
+  {
+    name: 'PII in document metadata',
+    pattern: /metadata\s*:\s*\{[^}]*(?:email|ssn|phone(?:Number)?|fullName|dateOfBirth|dob|address|socialSecurity)/gi,
+    riskType: 'pii_leakage',
+    baseSeverity: 'high',
+    description: 'PII fields stored in document metadata. This data will be exposed when documents are retrieved.',
+    suggestedFix: 'Remove PII from metadata. Store only non-sensitive identifiers: { userId: user.id, category: doc.type }',
+  },
+  // SSN/financial data in embedded docs
+  {
+    name: 'Sensitive financial/identity data embedded',
+    pattern: /(?:metadata|doc|document)\s*[:{][^}]*(?:ssn|socialSecurity|cardNumber|cvv|accountNum|insuranceId)/gi,
+    riskType: 'pii_leakage',
+    baseSeverity: 'critical',
+    description: 'Highly sensitive data (SSN, financial) in embedded documents. This is a compliance violation.',
+    suggestedFix: 'Never embed SSN, card numbers, or financial account data. Use tokenized references instead.',
+  },
+  // Patient/medical data in embeddings
+  {
+    name: 'PHI in embedded documents',
+    pattern: /(?:embed|metadata|doc)[^;]*(?:patientName|patientDob|patientSsn|medicalRecord|diagnosis)/gi,
+    riskType: 'pii_leakage',
+    baseSeverity: 'critical',
+    description: 'Protected Health Information (PHI) in embedded documents. HIPAA compliance violation.',
+    suggestedFix: 'Remove PHI before embedding. Use de-identification and tokenization for medical data.',
+  },
+  // Returning PII in search results
+  {
+    name: 'PII in retrieval response',
+    pattern: /return\s*(?:results\.map|docs\.map)[^}]*(?:email|phone|ssn|fullName|address)/gi,
+    riskType: 'pii_leakage',
+    baseSeverity: 'high',
+    description: 'PII fields returned in retrieval response. User PII may be exposed to unauthorized queries.',
+    suggestedFix: 'Filter PII from responses: return docs.map(d => ({ id: d.id, content: d.content })) // no PII',
+  },
+  // Direct metadata exposure with PII
+  {
+    name: 'Metadata with PII exposed in response',
+    pattern: /return\s*\{[^}]*metadata\.[^}]*(?:email|phone|ssn|name|address)/gi,
+    riskType: 'pii_leakage',
+    baseSeverity: 'high',
+    description: 'Document metadata containing PII exposed in response.',
+    suggestedFix: 'Filter metadata before returning. Only include non-sensitive fields.',
+  },
+]
+
+// ============================================================================
+// Phase 1 Enhancement Backlog: Advanced RAG Attack Detection
+// ============================================================================
+
+/**
+ * Query Injection Patterns
+ * Detects user queries used in retrieval without sanitization
+ */
+const QUERY_INJECTION_PATTERNS: RAGSafetyPattern[] = [
+  // User input directly in vector store query
+  {
+    name: 'User input directly in retrieval query',
+    pattern: /(?:vectorStore|retriever|index|collection)\.(?:query|invoke|search|similaritySearch)\s*\(\s*(?:req\.|user\.|input\.|body\.|params\.)/gi,
+    riskType: 'query_injection',
+    baseSeverity: 'high',
+    description: 'User input flows directly to vector store query without sanitization. Could manipulate retrieval results.',
+    suggestedFix: 'Validate and sanitize user queries: const sanitizedQuery = sanitizeQuery(userInput)',
+  },
+  // Query from request body without validation
+  {
+    name: 'Query from request body without validation',
+    pattern: /(?:const|let|var)\s*\{\s*query\s*\}.*(?:req\.body|req\.json|request\.body)[\s\S]{0,100}(?:search|query|retrieve|similaritySearch)/gi,
+    riskType: 'query_injection',
+    baseSeverity: 'medium',
+    description: 'Query destructured from request body and used in retrieval. Validate before use.',
+    suggestedFix: 'Add input validation: const { query } = validateSchema(req.body, querySchema)',
+  },
+  // Query template with user input interpolation
+  {
+    name: 'Query template with user input',
+    pattern: /(?:prompt|query|searchQuery)\s*=\s*[`'"].*\$\{.*(?:user|input|query|req).*\}.*[`'"]/gi,
+    riskType: 'query_injection',
+    baseSeverity: 'medium',
+    description: 'Query template interpolates user input. Could inject adversarial retrieval instructions.',
+    suggestedFix: 'Use parameterized queries or sanitize user input before interpolation.',
+  },
+  // Direct query passthrough in API
+  {
+    name: 'Query passthrough to vector store',
+    pattern: /app\.(?:post|get)\s*\([^)]+(?:search|query|retrieve)[^)]*\)[^{]*\{[^}]*(?:vectorStore|retriever)\.(?:query|search)\s*\(\s*(?:req|ctx)\.(?:body|query)/gi,
+    riskType: 'query_injection',
+    baseSeverity: 'high',
+    description: 'API endpoint passes request directly to vector store. No validation layer.',
+    suggestedFix: 'Add validation middleware. Sanitize and validate queries before retrieval.',
+  },
+  // No query length validation
+  {
+    name: 'Query without length validation',
+    pattern: /(?:query|search|retrieve)\s*\(\s*(?:userQuery|searchQuery|q)\s*\)(?![\s\S]{0,50}(?:\.length|\.trim\(\)|maxLength|minLength))/gi,
+    riskType: 'query_injection',
+    baseSeverity: 'low',
+    description: 'Query used without visible length validation. Consider adding bounds.',
+    suggestedFix: 'Add query length validation: if (query.length > MAX_QUERY_LENGTH) throw new Error("Query too long")',
+  },
+]
+
+/**
+ * Embedding Poisoning Patterns
+ * Detects adversarial document embedding vulnerabilities
+ */
+const EMBEDDING_POISONING_PATTERNS: RAGSafetyPattern[] = [
+  // User document embedded without validation
+  {
+    name: 'User document embedded without validation',
+    pattern: /(?:embed|embeddings?\.(?:create|embed|generate)|createEmbedding)[\s\S]{0,50}(?:user|req\.|upload|file)[\s\S]{0,80}(?:vectorStore|index)\.(?:add|upsert|insert)/gis,
+    riskType: 'embedding_poisoning',
+    baseSeverity: 'high',
+    description: 'User-provided documents embedded directly. Adversarial content could poison retrieval.',
+    suggestedFix: 'Validate and sanitize user documents before embedding. Implement content classification.',
+  },
+  // Retrieval without similarity threshold
+  {
+    name: 'Retrieval without similarity threshold',
+    pattern: /similaritySearch\s*\(\s*[^,)]+\s*,\s*\d+\s*\)(?![\s\S]{0,50}(?:filter|threshold|score\s*>|minScore|scoreThreshold))/gi,
+    riskType: 'embedding_poisoning',
+    baseSeverity: 'medium',
+    description: 'Vector search without similarity threshold. Low-relevance adversarial content may be retrieved.',
+    suggestedFix: 'Add similarity threshold: similaritySearch(query, k, { scoreThreshold: 0.7 })',
+  },
+  // Batch embedding without deduplication
+  {
+    name: 'Batch embedding without duplicate detection',
+    pattern: /(?:for|forEach|map)\s*\([^)]+\)[\s\S]{0,100}(?:vectorStore|index)\.(?:add|upsert)(?![\s\S]{0,80}(?:exists|duplicate|similar|dedup))/gis,
+    riskType: 'embedding_poisoning',
+    baseSeverity: 'low',
+    description: 'Batch document embedding without duplicate detection. Attackers could flood corpus.',
+    suggestedFix: 'Check for duplicate or near-duplicate documents before embedding.',
+  },
+  // Dynamic embedding model selection
+  {
+    name: 'Dynamic embedding model from config',
+    pattern: /(?:embeddingModel|embeddings?)\s*=\s*(?:new\s+)?(?:config|options|params)\[?\s*['".]?(?:model|embedding)/gi,
+    riskType: 'embedding_poisoning',
+    baseSeverity: 'medium',
+    description: 'Embedding model selected from configuration. Malicious config could use compromised model.',
+    suggestedFix: 'Use hardcoded embedding model or validate against allowlist.',
+  },
+  // External URL content embedded
+  {
+    name: 'External URL content embedded directly',
+    pattern: /(?:fetch|axios\.get|httpx\.get)\s*\([^)]+\)[\s\S]{0,150}(?:embed|vectorStore\.add|index\.upsert)/gis,
+    riskType: 'embedding_poisoning',
+    baseSeverity: 'high',
+    description: 'Content from external URLs embedded without validation. Source could be compromised.',
+    suggestedFix: 'Validate URL source against allowlist. Sanitize fetched content before embedding.',
+  },
+]
+
+/**
+ * Chunk Boundary Exploitation Patterns
+ * Detects cross-chunk injection vulnerabilities
+ */
+const CHUNK_INJECTION_PATTERNS: RAGSafetyPattern[] = [
+  // User content chunked without per-chunk validation
+  {
+    name: 'User content chunked without validation',
+    pattern: /(?:splitter|textSplitter|chunker)\.(?:split|createDocuments|chunk)[\s\S]{0,50}(?:user|upload|req)[\s\S]{0,100}(?:vectorStore|index)\.(?:add|upsert)(?![\s\S]{0,50}(?:sanitize|validate|filter))/gis,
+    riskType: 'chunk_injection',
+    baseSeverity: 'medium',
+    description: 'User content split and embedded without per-chunk validation. Injection could span chunks.',
+    suggestedFix: 'Validate each chunk before embedding: chunks.map(c => sanitizeChunk(c))',
+  },
+  // Context joined without separators
+  {
+    name: 'Context chunks joined without separators',
+    pattern: /\.map\s*\([^)]*(?:pageContent|content|text)[^)]*\)\.join\s*\(\s*['"]['"]\s*\)/gi,
+    riskType: 'chunk_injection',
+    baseSeverity: 'low',
+    description: 'Retrieved chunks joined without separators. Adjacent chunk content could be misinterpreted.',
+    suggestedFix: 'Use clear separators: chunks.map(c => c.content).join("\\n---\\n")',
+  },
+  // Chunk metadata from user input
+  {
+    name: 'Chunk metadata from user input',
+    pattern: /(?:vectorStore|index)\.(?:add|upsert)[\s\S]{0,100}metadata\s*:\s*(?:user|req\.|input\.|body\.)/gi,
+    riskType: 'chunk_injection',
+    baseSeverity: 'medium',
+    description: 'Chunk metadata derived from user input. Could inject malicious metadata for filtering.',
+    suggestedFix: 'Generate metadata server-side. Validate any user-provided metadata fields.',
+  },
+  // No chunk size limits
+  {
+    name: 'Chunking without size validation',
+    pattern: /(?:splitter|textSplitter)\.(?:split|createDocuments)\s*\(\s*(?:content|text|document)(?![\s\S]{0,50}(?:maxChunkSize|chunkSize|maxLength))/gi,
+    riskType: 'chunk_injection',
+    baseSeverity: 'low',
+    description: 'Text splitting without explicit size limits. Very long inputs could cause issues.',
+    suggestedFix: 'Configure chunk size limits: new TextSplitter({ chunkSize: 1000, chunkOverlap: 200 })',
+  },
+  // Overlapping chunks with user content
+  {
+    name: 'Large chunk overlap with user content',
+    pattern: /(?:chunkOverlap|overlap)\s*[:=]\s*(?:\d{3,}|[a-zA-Z])[\s\S]{0,100}(?:user|upload)/gi,
+    riskType: 'chunk_injection',
+    baseSeverity: 'low',
+    description: 'Large chunk overlap configured. User-injected content could appear in multiple chunks.',
+    suggestedFix: 'Use reasonable overlap (10-20% of chunk size). Validate user content before chunking.',
+  },
+]
+
 // ============================================================================
 // Main Detection Function
 // ============================================================================
 
+/**
+ * Map risk type to vulnerability category
+ */
+function mapRiskTypeToCategory(riskType: RAGSafetyPattern['riskType']): VulnerabilityCategory {
+  switch (riskType) {
+    case 'corpus_poisoning':
+      return 'ai_rag_corpus_poisoning'
+    case 'pii_leakage':
+      return 'ai_rag_pii_leakage'
+    case 'query_injection':
+      return 'ai_rag_query_injection'
+    case 'embedding_poisoning':
+      return 'ai_rag_embedding_poisoning'
+    case 'chunk_injection':
+      return 'ai_rag_chunk_injection'
+    default:
+      return 'ai_rag_exfiltration'
+  }
+}
+
 /**
  * Main detection function for RAG data safety issues
  */
@@ -415,6 +703,13 @@ export function detectRAGSafetyIssues(
     ...UNSCOPED_RETRIEVAL_PATTERNS,
     ...CONTEXT_EXPOSURE_PATTERNS,
     ...CONTEXT_LOGGING_PATTERNS,
+    // AI Detection Roadmap Phase 1
+    ...CORPUS_POISONING_PATTERNS,
+    ...PII_LEAKAGE_PATTERNS,
+    // Phase 1 Enhancement Backlog
+    ...QUERY_INJECTION_PATTERNS,
+    ...EMBEDDING_POISONING_PATTERNS,
+    ...CHUNK_INJECTION_PATTERNS,
   ]
 
   for (const pattern of allPatterns) {
@@ -464,6 +759,90 @@ export function detectRAGSafetyIssues(
         }
       }
 
+      // Corpus poisoning - check for sanitization
+      if (pattern.riskType === 'corpus_poisoning') {
+        // Check for content sanitization in context
+        if (/sanitize|validate|filter|clean|strip/i.test(context)) {
+          severity = 'info'
+          notes.push('Content sanitization detected nearby')
+        }
+        // Check for content classification/scanning
+        if (/classify|scan|detect|check.*injection/i.test(context)) {
+          severity = 'info'
+          notes.push('Content scanning detected')
+        }
+      }
+
+      // PII leakage - critical data types remain high severity
+      if (pattern.riskType === 'pii_leakage') {
+        // Check for PII redaction/masking
+        if (/redact|mask|anonymize|deidentify|tokenize/i.test(context)) {
+          severity = 'info'
+          notes.push('PII redaction detected')
+        }
+        // SSN, CVV, and PHI patterns remain critical regardless of context
+        if (/ssn|cvv|patient/i.test(pattern.name.toLowerCase())) {
+          // Keep severity high/critical for these
+        }
+      }
+
+      // Query injection - check for input validation
+      if (pattern.riskType === 'query_injection') {
+        // Check for input validation/sanitization
+        if (/sanitize|validate|clean|escape|zod|schema\.parse|safeParse/i.test(context)) {
+          severity = 'low'
+          notes.push('Input validation detected nearby')
+        }
+        // Check for query length/bounds validation
+        if (/maxLength|minLength|\.length\s*[<>]|slice\s*\(\s*0/i.test(context)) {
+          if (severity === 'high') severity = 'medium'
+          notes.push('Length validation detected')
+        }
+        // Check for rate limiting
+        if (/rateLimit|throttle|limiter/i.test(context)) {
+          if (severity === 'high') severity = 'medium'
+          notes.push('Rate limiting detected')
+        }
+      }
+
+      // Embedding poisoning - check for content validation
+      if (pattern.riskType === 'embedding_poisoning') {
+        // Check for content sanitization
+        if (/sanitize|validate|filter|clean|strip|scan/i.test(context)) {
+          severity = 'low'
+          notes.push('Content validation detected nearby')
+        }
+        // Check for content classification
+        if (/classify|moderation|detect.*injection|contentFilter/i.test(context)) {
+          severity = 'info'
+          notes.push('Content classification detected')
+        }
+        // Check for similarity threshold
+        if (/threshold|scoreThreshold|minScore|score\s*>/i.test(context)) {
+          if (severity === 'medium') severity = 'low'
+          notes.push('Similarity threshold configured')
+        }
+      }
+
+      // Chunk injection - check for chunk validation
+      if (pattern.riskType === 'chunk_injection') {
+        // Check for per-chunk validation
+        if (/chunks?\.map\s*\([^)]*sanitize|validate.*chunk|chunk.*validate/i.test(context)) {
+          severity = 'info'
+          notes.push('Chunk validation detected')
+        }
+        // Check for separator usage
+        if (/separator|delimiter|join\s*\(\s*['"][^'"]{2,}['"]\s*\)/i.test(context)) {
+          if (severity === 'low') severity = 'info'
+          notes.push('Chunk separators detected')
+        }
+        // Check for metadata sanitization
+        if (/metadata\s*[:=]\s*\{[^}]*(?:id|type|source)[^}]*\}/i.test(context)) {
+          if (severity === 'medium') severity = 'low'
+          notes.push('Server-generated metadata pattern')
+        }
+      }
+
       // Downgrade test files
       if (isTestFile) {
         severity = 'info'
@@ -493,7 +872,7 @@ export function detectRAGSafetyIssues(
         lineNumber,
         lineContent,
         severity,
-        category: 'ai_rag_exfiltration',
+        category: mapRiskTypeToCategory(pattern.riskType),
         title: pattern.name,
         description,
         suggestedFix: pattern.suggestedFix,

package/src/layer2/auth-antipatterns.ts

@@ -14,6 +14,7 @@ import { isRouteProtectedByMiddleware, getRoutePathFromFile } from '../utils/mid
 import type { AuthHelper, AuthHelperContext } from '../utils/auth-helper-detector'
 import { hasAuthHelperCallBefore, isUserIdAlreadyValidated } from '../utils/auth-helper-detector'
 import type { FileAuthImports } from '../utils/imported-auth-detector'
+import { isScannerOrFixtureFile } from '../utils/context-helpers'
 
 interface AuthAntiPattern {
   name: string
@@ -263,6 +264,10 @@ export function detectAuthAntipatterns(
 ): Vulnerability[] {
   const { middlewareConfig, authHelpers, fileAuthImports } = options
   const vulnerabilities: Vulnerability[] = []
+
+  // Skip scanner/fixture files to avoid self-detection
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+
   const lines = content.split('\n')
   const isAuthFile = isAuthRelatedFile(filePath)
 

package/src/layer2/byok-patterns.ts

@@ -6,7 +6,7 @@
 
 import type { Vulnerability, VulnerabilitySeverity } from '../types'
 import type { MiddlewareAuthConfig } from '../utils/middleware-detector'
-import { isComment, isTestOrMockFile, isExampleFile, isPlaceholderValue } from '../utils/context-helpers'
+import { isComment, isTestOrMockFile, isExampleFile, isPlaceholderValue, isScannerOrFixtureFile } from '../utils/context-helpers'
 import { isRouteProtectedByMiddleware, getRoutePathFromFile, detectUserScopingPatterns } from '../utils/middleware-detector'
 
 /**
@@ -224,6 +224,10 @@ export function detectBYOKPatterns(
   middlewareConfig?: MiddlewareAuthConfig
 ): Vulnerability[] {
   const vulnerabilities: Vulnerability[] = []
+
+  // Skip scanner/fixture files to avoid self-detection
+  if (isScannerOrFixtureFile(filePath)) return vulnerabilities
+
   const lines = content.split('\n')
   const isTestFile = isTestOrMockFile(filePath)
 

package/src/layer2/dangerous-functions/child-process.ts

@@ -0,0 +1,98 @@
+/**
+ * Child Process Detection
+ *
+ * Detection logic for child_process functions (exec, spawn, execFile, etc.)
+ * that can lead to command injection vulnerabilities.
+ */
+
+/**
+ * Check if exec() call is from child_process (dangerous) vs RegExp.exec (safe)
+ * Returns true if this is a child_process exec call that should be flagged
+ */
+export function isChildProcessExec(content: string, lineContent: string): boolean {
+  // Check for child_process import
+  const hasChildProcessImport =
+    /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
+    /from\s+['"]child_process['"]/.test(content) ||
+    /import\s+.*child_process/.test(content) ||
+    /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
+    /from\s+['"]node:child_process['"]/.test(content)
+
+  // If no child_process import, this is likely RegExp.exec or similar
+  if (!hasChildProcessImport) {
+    return false
+  }
+
+  // Check if this specific line is RegExp.exec pattern
+  // RegExp.exec is called as: regex.exec(string) or /pattern/.exec(string)
+  const isRegExpExec =
+    /\.\s*exec\s*\(/.test(lineContent) && // Method call on an object
+    !/\bexec\s*\(/.test(lineContent.replace(/\.\s*exec\s*\(/, '')) // Not a standalone exec()
+
+  // Also check for common RegExp patterns
+  const isRegExpPattern =
+    /\/[^/]+\/[gimsuy]*\.exec\s*\(/.test(lineContent) || // /pattern/.exec()
+    /new\s+RegExp\s*\([^)]+\)\.exec\s*\(/.test(lineContent) || // new RegExp().exec()
+    /regex\.exec\s*\(/i.test(lineContent) || // regex.exec()
+    /pattern\.exec\s*\(/i.test(lineContent) || // pattern.exec()
+    /match\.exec\s*\(/i.test(lineContent) || // match.exec()
+    /re\.exec\s*\(/i.test(lineContent) // re.exec()
+
+  if (isRegExpExec || isRegExpPattern) {
+    return false
+  }
+
+  // Check if exec is imported/destructured from child_process
+  const execImported =
+    /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]child_process['"]/.test(
+      content
+    ) ||
+    /\{\s*[^}]*\bexec\b[^}]*\}\s*=\s*require\s*\(\s*['"]node:child_process['"]/.test(
+      content
+    ) ||
+    /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]child_process['"]/.test(
+      content
+    ) ||
+    /import\s+\{\s*[^}]*\bexec\b[^}]*\}\s+from\s+['"]node:child_process['"]/.test(
+      content
+    )
+
+  // If exec is directly imported from child_process, standalone exec() is dangerous
+  if (execImported && /\bexec\s*\(/.test(lineContent)) {
+    return true
+  }
+
+  // Check for child_process.exec() pattern
+  if (
+    /child_process\.exec\s*\(/.test(lineContent) ||
+    /cp\.exec\s*\(/.test(lineContent) ||
+    /childProcess\.exec\s*\(/.test(lineContent)
+  ) {
+    return true
+  }
+
+  // If we have child_process import but can't determine usage, be conservative
+  // Only flag if it looks like a standalone exec() call
+  return /\bexec\s*\(/.test(lineContent) && !/\.\s*exec\s*\(/.test(lineContent)
+}
+
+/**
+ * Check if spawn/execFile/execSync is from child_process
+ */
+export function isChildProcessSpawn(content: string, lineContent: string): boolean {
+  // Check for child_process import
+  const hasChildProcessImport =
+    /require\s*\(\s*['"]child_process['"]\s*\)/.test(content) ||
+    /from\s+['"]child_process['"]/.test(content) ||
+    /require\s*\(\s*['"]node:child_process['"]\s*\)/.test(content) ||
+    /from\s+['"]node:child_process['"]/.test(content)
+
+  if (!hasChildProcessImport) {
+    return false
+  }
+
+  // These functions are always from child_process when that module is imported
+  return /\b(spawn|spawnSync|execSync|execFile|execFileSync)\s*\(/.test(
+    lineContent
+  )
+}