@rafter-security/cli 0.5.5 → 0.6.1

package/dist/commands/issues/index.js

@@ -0,0 +1,25 @@
+/**
+ * rafter issues — GitHub Issues integration.
+ *
+ * Subcommands:
+ *   rafter issues create --from-scan <id>     Create issues from backend scan results
+ *   rafter issues create --from-local <path>   Create issues from local scan JSON
+ *   rafter issues create --from-text           Create issue from natural text (stdin/file/inline)
+ */
+import { Command } from "commander";
+import { createFromScanCommand } from "./from-scan.js";
+import { createFromTextCommand } from "./from-text.js";
+export function createIssuesCommand() {
+    const issuesGroup = new Command("issues")
+        .description("GitHub Issues integration — create issues from scan results or text");
+    const createGroup = new Command("create")
+        .description("Create GitHub issues from scan findings or natural text");
+    createGroup.addCommand(createFromScanCommand());
+    createGroup.addCommand(createFromTextCommand());
+    // Default action for `rafter issues create` with no subcommand — show help
+    createGroup.action(() => {
+        createGroup.help();
+    });
+    issuesGroup.addCommand(createGroup);
+    return issuesGroup;
+}

package/dist/commands/issues/issue-builder.js

@@ -0,0 +1,101 @@
+/**
+ * Build structured GitHub issues from scan findings.
+ *
+ * Handles both:
+ * - Backend scan vulnerabilities (SAST/policy findings)
+ * - Local scan results (secret detection)
+ */
+import { fingerprint, embedFingerprint } from "./dedup.js";
+function severityLabel(level) {
+    const map = {
+        error: "critical",
+        critical: "critical",
+        warning: "high",
+        high: "high",
+        note: "medium",
+        medium: "medium",
+        low: "low",
+    };
+    return map[level.toLowerCase()] || "medium";
+}
+function severityEmoji(level) {
+    const sev = severityLabel(level);
+    const emojis = {
+        critical: "🔴",
+        high: "🟠",
+        medium: "🟡",
+        low: "🟢",
+    };
+    return emojis[sev] || "🟡";
+}
+export function buildFromBackendVulnerability(vuln) {
+    const sev = severityLabel(vuln.level);
+    const emoji = severityEmoji(vuln.level);
+    const fp = fingerprint(vuln.file, vuln.ruleId);
+    const title = `${emoji} [${sev.toUpperCase()}] ${vuln.ruleId}: ${truncate(vuln.message, 80)}`;
+    let body = `## Security Finding\n\n`;
+    body += `**Rule:** \`${vuln.ruleId}\`\n`;
+    body += `**Severity:** ${sev}\n`;
+    body += `**File:** \`${vuln.file}\``;
+    if (vuln.line)
+        body += ` (line ${vuln.line})`;
+    body += `\n\n`;
+    body += `### Description\n\n${vuln.message}\n\n`;
+    body += `### Remediation\n\nReview and fix the finding in \`${vuln.file}\`.\n`;
+    body += `\n---\n*Created by [Rafter CLI](https://rafter.so) — security for AI builders*\n`;
+    const labels = [
+        "security",
+        `severity:${sev}`,
+        `rule:${vuln.ruleId}`,
+    ];
+    return {
+        title,
+        body: embedFingerprint(body, fp),
+        labels,
+        fingerprint: fp,
+    };
+}
+export function buildFromLocalMatch(file, match) {
+    const sev = severityLabel(match.pattern.severity);
+    const emoji = severityEmoji(match.pattern.severity);
+    const fp = fingerprint(file, match.pattern.name);
+    const title = `${emoji} [${sev.toUpperCase()}] Secret detected: ${match.pattern.name} in ${basename(file)}`;
+    let body = `## Secret Detection\n\n`;
+    body += `**Pattern:** \`${match.pattern.name}\`\n`;
+    body += `**Severity:** ${sev}\n`;
+    body += `**File:** \`${file}\``;
+    if (match.line)
+        body += ` (line ${match.line})`;
+    body += `\n`;
+    if (match.redacted) {
+        body += `**Match:** \`${match.redacted}\`\n`;
+    }
+    body += `\n`;
+    if (match.pattern.description) {
+        body += `### Description\n\n${match.pattern.description}\n\n`;
+    }
+    body += `### Remediation\n\n`;
+    body += `1. Rotate the exposed credential immediately\n`;
+    body += `2. Remove the secret from source code\n`;
+    body += `3. Use environment variables or a secrets manager instead\n`;
+    body += `\n---\n*Created by [Rafter CLI](https://rafter.so) — security for AI builders*\n`;
+    const labels = [
+        "security",
+        "secret-detected",
+        `severity:${sev}`,
+    ];
+    return {
+        title,
+        body: embedFingerprint(body, fp),
+        labels,
+        fingerprint: fp,
+    };
+}
+function truncate(s, max) {
+    if (s.length <= max)
+        return s;
+    return s.slice(0, max - 3) + "...";
+}
+function basename(filepath) {
+    return filepath.split("/").pop() || filepath;
+}

package/dist/commands/mcp/server.js

@@ -7,6 +7,9 @@ import { GitleaksScanner } from "../../scanners/gitleaks.js";
 import { CommandInterceptor } from "../../core/command-interceptor.js";
 import { AuditLogger } from "../../core/audit-logger.js";
 import { ConfigManager } from "../../core/config-manager.js";
+import { createRequire } from "module";
+const _require = createRequire(import.meta.url);
+const { version: CLI_VERSION } = _require("../../../package.json");
 function formatScanResults(results) {
     return results.map(r => ({
         file: r.file,
@@ -25,7 +28,7 @@ function errorResult(message) {
     return { content: [{ type: "text", text: JSON.stringify({ error: message }) }], isError: true };
 }
 function createServer() {
-    const server = new Server({ name: "rafter", version: "0.5.0" }, { capabilities: { tools: {}, resources: {} } });
+    const server = new Server({ name: "rafter", version: CLI_VERSION }, { capabilities: { tools: {}, resources: {} } });
     // ── Tools ───────────────────────────────────────────────────────────
     server.setRequestHandler(ListToolsRequestSchema, async () => ({
         tools: [

package/dist/commands/policy/export.js

@@ -54,9 +54,14 @@ function generateCodexConfig() {
     const policy = cfg.agent?.commandPolicy;
     const blocked = policy?.blockedPatterns || [];
     const approval = policy?.requireApproval || [];
-    let toml = `# Rafter security policy for OpenAI Codex
+    let toml = `# Rafter security policy for OpenAI Codex CLI
 # Generated by: rafter policy export --format codex
-# Docs: https://docs.rafter.so/cli/pretool-hooks
+#
+# Usage: Save this file to your project root as codex-policy.toml
+# then reference it in your Codex sandbox configuration.
+#
+# For full Codex integration, run: rafter agent init
+# This auto-detects Codex CLI and installs skills to ~/.agents/skills/
 
 `;
     if (blocked.length > 0) {

package/dist/commands/scan/index.js

@@ -0,0 +1,45 @@
+/**
+ * rafter scan — top-level scan command group.
+ *
+ * Default (no subcommand): remote backend scan (same as `rafter run`)
+ * rafter scan remote:       explicit alias for remote backend scan
+ * rafter scan local [path]: local secret scanner (was `rafter agent scan`)
+ */
+import { Command } from "commander";
+import { runRemoteScan } from "../backend/run.js";
+import { createScanCommand as createLocalScanCommand } from "../agent/scan.js";
+export function createScanGroupCommand() {
+    // "local" subcommand — reuses agent/scan.ts logic, renamed
+    const localCmd = createLocalScanCommand();
+    localCmd.name("local");
+    localCmd.description("Scan files or directories for secrets (local)");
+    // "remote" subcommand — same handler as `rafter run`
+    const remoteCmd = new Command("remote")
+        .description("Trigger a remote backend security scan (explicit alias for 'rafter run')")
+        .option("-r, --repo <repo>", "org/repo (default: current)")
+        .option("-b, --branch <branch>", "branch (default: current else main)")
+        .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
+        .option("-f, --format <format>", "json | md", "md")
+        .option("--skip-interactive", "do not wait for scan to complete")
+        .option("--quiet", "suppress status messages")
+        .action(async (opts) => {
+        await runRemoteScan(opts);
+    });
+    // Root scan group — default action is remote backend scan
+    const scanGroup = new Command("scan")
+        .description("Scan for security issues. Default: remote backend scan. Use 'scan local' for local secret scanning.")
+        .enablePositionalOptions()
+        .option("-r, --repo <repo>", "org/repo (default: current)")
+        .option("-b, --branch <branch>", "branch (default: current else main)")
+        .option("-k, --api-key <key>", "API key or RAFTER_API_KEY env var")
+        .option("-f, --format <format>", "json | md", "md")
+        .option("--skip-interactive", "do not wait for scan to complete")
+        .option("--quiet", "suppress status messages");
+    scanGroup.addCommand(localCmd);
+    scanGroup.addCommand(remoteCmd);
+    // When invoked with no subcommand, run remote backend scan
+    scanGroup.action(async (opts) => {
+        await runRemoteScan(opts);
+    });
+    return scanGroup;
+}

package/dist/core/audit-logger.js

@@ -1,8 +1,104 @@
+import { randomBytes } from "crypto";
+import dns from "dns/promises";
 import fs from "fs";
+import net from "net";
 import path from "path";
 import { getAuditLogPath } from "./config-defaults.js";
 import { ConfigManager } from "./config-manager.js";
 import { assessCommandRisk } from "./risk-rules.js";
+/**
+ * Validate a webhook URL to prevent SSRF attacks.
+ * Rejects non-HTTP(S) schemes and URLs that resolve to private/internal IPs.
+ */
+export async function validateWebhookUrl(rawUrl) {
+    let parsed;
+    try {
+        parsed = new URL(rawUrl);
+    }
+    catch {
+        throw new Error(`Invalid webhook URL: ${rawUrl}`);
+    }
+    if (parsed.protocol !== "https:" && parsed.protocol !== "http:") {
+        throw new Error(`Webhook URL must use http or https, got ${parsed.protocol}`);
+    }
+    // URL.hostname keeps brackets for IPv6 (e.g. "[::1]") — strip them
+    let hostname = parsed.hostname;
+    if (hostname.startsWith("[") && hostname.endsWith("]")) {
+        hostname = hostname.slice(1, -1);
+    }
+    // If the hostname is already an IP, check it directly
+    if (net.isIP(hostname)) {
+        if (isPrivateIp(hostname)) {
+            throw new Error(`Webhook URL must not point to a private/internal address: ${hostname}`);
+        }
+        return;
+    }
+    // Resolve hostname and check all resulting IPs
+    let addresses;
+    try {
+        const results = await dns.resolve(hostname);
+        addresses = results;
+    }
+    catch {
+        throw new Error(`Could not resolve webhook hostname: ${hostname}`);
+    }
+    for (const addr of addresses) {
+        if (isPrivateIp(addr)) {
+            throw new Error(`Webhook URL must not point to a private/internal address: ${hostname} resolved to ${addr}`);
+        }
+    }
+}
+/**
+ * Check if an IP address belongs to a private, loopback, link-local, or
+ * cloud-metadata range.
+ */
+function isPrivateIp(ip) {
+    // IPv4 checks
+    if (net.isIPv4(ip)) {
+        const parts = ip.split(".").map(Number);
+        const [a, b] = parts;
+        // 127.0.0.0/8 — loopback
+        if (a === 127)
+            return true;
+        // 10.0.0.0/8 — private
+        if (a === 10)
+            return true;
+        // 172.16.0.0/12 — private
+        if (a === 172 && b >= 16 && b <= 31)
+            return true;
+        // 192.168.0.0/16 — private
+        if (a === 192 && b === 168)
+            return true;
+        // 169.254.0.0/16 — link-local / cloud metadata
+        if (a === 169 && b === 254)
+            return true;
+        // 0.0.0.0
+        if (a === 0)
+            return true;
+        return false;
+    }
+    // IPv6 checks
+    const lower = ip.toLowerCase();
+    // ::1 — loopback
+    if (lower === "::1")
+        return true;
+    // :: — unspecified
+    if (lower === "::")
+        return true;
+    // fe80::/10 — link-local
+    if (lower.startsWith("fe80:"))
+        return true;
+    // fc00::/7 — unique local (ULA)
+    if (lower.startsWith("fc") || lower.startsWith("fd"))
+        return true;
+    // ::ffff:127.0.0.1 etc — IPv4-mapped IPv6
+    if (lower.startsWith("::ffff:")) {
+        const mapped = lower.slice(7);
+        if (net.isIPv4(mapped))
+            return isPrivateIp(mapped);
+    }
+    return false;
+}
 export const RISK_SEVERITY = {
     low: 0,
     medium: 1,
@@ -17,7 +113,7 @@ export class AuditLogger {
         // Ensure log directory exists
         const dir = path.dirname(this.logPath);
         if (!fs.existsSync(dir)) {
-            fs.mkdirSync(dir, { recursive: true });
+            fs.mkdirSync(dir, { recursive: true, mode: 0o700 });
         }
     }
     /**
@@ -36,7 +132,7 @@ export class AuditLogger {
         };
         // Append to log file
         const line = JSON.stringify(fullEntry) + "\n";
-        fs.appendFileSync(this.logPath, line, "utf-8");
+        fs.appendFileSync(this.logPath, line, { encoding: "utf-8", mode: 0o600 });
         // Send webhook notification if configured and risk meets threshold
         this.sendNotification(fullEntry, config);
     }
@@ -64,13 +160,16 @@ export class AuditLogger {
             content: `[rafter] ${eventRisk}-risk event: ${entry.eventType}${entry.action?.command ? ` — ${entry.action.command}` : ""}`,
         };
         // Fire-and-forget POST — never block audit logging
-        fetch(webhookUrl, {
+        // Validate URL to prevent SSRF before making the request
+        validateWebhookUrl(webhookUrl)
+            .then(() => fetch(webhookUrl, {
             method: "POST",
             headers: { "Content-Type": "application/json" },
             body: JSON.stringify(payload),
             signal: AbortSignal.timeout(5000),
-        }).catch(() => {
-            // Silently ignore webhook failures
+        }))
+            .catch(() => {
+            // Silently ignore webhook failures (including validation rejections)
         });
     }
     /**
@@ -196,13 +295,13 @@ export class AuditLogger {
         const filtered = entries.filter(e => new Date(e.timestamp) >= cutoffDate);
         // Rewrite log file with only retained entries
         const content = filtered.map(e => JSON.stringify(e)).join("\n") + "\n";
-        fs.writeFileSync(this.logPath, content, "utf-8");
+        fs.writeFileSync(this.logPath, content, { encoding: "utf-8", mode: 0o600 });
     }
     /**
      * Generate a unique session ID
      */
     generateSessionId() {
-        return `${Date.now()}-${Math.random().toString(36).substring(7)}`;
+        return `${Date.now()}-${randomBytes(8).toString("hex")}`;
     }
     /**
      * Assess risk level of a command

package/dist/core/config-defaults.js

@@ -19,6 +19,30 @@ export function getDefaultConfig() {
                 claudeCode: {
                     enabled: false,
                     mcpPath: path.join(os.homedir(), ".claude", "mcp", "rafter-security.json")
+                },
+                codex: {
+                    enabled: false,
+                    skillsDir: path.join(os.homedir(), ".agents", "skills")
+                },
+                gemini: {
+                    enabled: false,
+                    configPath: path.join(os.homedir(), ".gemini", "settings.json")
+                },
+                aider: {
+                    enabled: false,
+                    configPath: path.join(os.homedir(), ".aider.conf.yml")
+                },
+                cursor: {
+                    enabled: false,
+                    mcpPath: path.join(os.homedir(), ".cursor", "mcp.json")
+                },
+                windsurf: {
+                    enabled: false,
+                    mcpPath: path.join(os.homedir(), ".codeium", "windsurf", "mcp_config.json")
+                },
+                continueDev: {
+                    enabled: false,
+                    configPath: path.join(os.homedir(), ".continue", "config.json")
                 }
             },
             skills: {

package/dist/core/config-manager.js

@@ -2,6 +2,101 @@ import fs from "fs";
 import path from "path";
 import { getDefaultConfig, getConfigPath, getRafterDir, CONFIG_VERSION } from "./config-defaults.js";
 import { loadPolicy } from "./policy-loader.js";
+const VALID_RISK_LEVELS = new Set(["minimal", "moderate", "aggressive"]);
+const VALID_COMMAND_MODES = new Set(["allow-all", "approve-dangerous", "deny-list"]);
+const VALID_LOG_LEVELS = new Set(["debug", "info", "warn", "error"]);
+/**
+ * Validate a parsed config JSON object, warning and falling back to defaults for invalid fields.
+ */
+function validateConfig(raw) {
+    if (!raw || typeof raw !== "object") {
+        console.error("Warning: config file is not a JSON object — using defaults.");
+        return getDefaultConfig();
+    }
+    const defaults = getDefaultConfig();
+    // Top-level scalars
+    if (raw.version !== undefined && typeof raw.version !== "string") {
+        console.error('Warning: config "version" must be a string — using default.');
+        raw.version = defaults.version;
+    }
+    if (raw.initialized !== undefined && typeof raw.initialized !== "string") {
+        console.error('Warning: config "initialized" must be a string — using default.');
+        raw.initialized = defaults.initialized;
+    }
+    const agent = raw.agent;
+    if (agent && typeof agent === "object") {
+        // riskLevel
+        if (agent.riskLevel !== undefined && !VALID_RISK_LEVELS.has(agent.riskLevel)) {
+            console.error(`Warning: config "agent.riskLevel" must be one of: minimal, moderate, aggressive — using default.`);
+            agent.riskLevel = defaults.agent.riskLevel;
+        }
+        // commandPolicy
+        const cp = agent.commandPolicy;
+        if (cp && typeof cp === "object") {
+            if (cp.mode !== undefined && !VALID_COMMAND_MODES.has(cp.mode)) {
+                console.error(`Warning: config "agent.commandPolicy.mode" must be one of: allow-all, approve-dangerous, deny-list — using default.`);
+                cp.mode = defaults.agent.commandPolicy.mode;
+            }
+            if (cp.blockedPatterns !== undefined && (!Array.isArray(cp.blockedPatterns) || !cp.blockedPatterns.every((v) => typeof v === "string"))) {
+                console.error('Warning: config "agent.commandPolicy.blockedPatterns" must be an array of strings — using default.');
+                cp.blockedPatterns = [...defaults.agent.commandPolicy.blockedPatterns];
+            }
+            if (cp.requireApproval !== undefined && (!Array.isArray(cp.requireApproval) || !cp.requireApproval.every((v) => typeof v === "string"))) {
+                console.error('Warning: config "agent.commandPolicy.requireApproval" must be an array of strings — using default.');
+                cp.requireApproval = [...defaults.agent.commandPolicy.requireApproval];
+            }
+        }
+        // audit
+        const audit = agent.audit;
+        if (audit && typeof audit === "object") {
+            if (audit.retentionDays !== undefined && (typeof audit.retentionDays !== "number" || isNaN(audit.retentionDays))) {
+                console.error('Warning: config "agent.audit.retentionDays" must be a number — using default.');
+                audit.retentionDays = defaults.agent.audit.retentionDays;
+            }
+            if (audit.logLevel !== undefined && !VALID_LOG_LEVELS.has(audit.logLevel)) {
+                console.error(`Warning: config "agent.audit.logLevel" must be one of: debug, info, warn, error — using default.`);
+                audit.logLevel = defaults.agent.audit.logLevel;
+            }
+        }
+        // outputFiltering
+        const of = agent.outputFiltering;
+        if (of && typeof of === "object") {
+            if (of.redactSecrets !== undefined && typeof of.redactSecrets !== "boolean") {
+                console.error('Warning: config "agent.outputFiltering.redactSecrets" must be a boolean — using default.');
+                of.redactSecrets = defaults.agent.outputFiltering.redactSecrets;
+            }
+            if (of.blockPatterns !== undefined && typeof of.blockPatterns !== "boolean") {
+                console.error('Warning: config "agent.outputFiltering.blockPatterns" must be a boolean — using default.');
+                of.blockPatterns = defaults.agent.outputFiltering.blockPatterns;
+            }
+        }
+        // scan.customPatterns — validate regex compilation
+        const scan = agent.scan;
+        if (scan && typeof scan === "object") {
+            if (scan.excludePaths !== undefined && (!Array.isArray(scan.excludePaths) || !scan.excludePaths.every((v) => typeof v === "string"))) {
+                console.error('Warning: config "agent.scan.excludePaths" must be an array of strings — using default.');
+                delete scan.excludePaths;
+            }
+            if (Array.isArray(scan.customPatterns)) {
+                scan.customPatterns = scan.customPatterns.filter((p) => {
+                    if (!p || typeof p !== "object" || typeof p.name !== "string" || !p.name || typeof p.regex !== "string" || !p.regex) {
+                        console.error(`Warning: skipping malformed scan.customPatterns entry — must have name and regex.`);
+                        return false;
+                    }
+                    try {
+                        new RegExp(p.regex);
+                    }
+                    catch {
+                        console.error(`Warning: skipping custom pattern "${p.name}" — invalid regex.`);
+                        return false;
+                    }
+                    return true;
+                });
+            }
+        }
+    }
+    return raw;
+}
 export class ConfigManager {
     constructor(configPath) {
         this.configPath = configPath || getConfigPath();
@@ -15,7 +110,8 @@ export class ConfigManager {
         }
         try {
             const content = fs.readFileSync(this.configPath, "utf-8");
-            const config = JSON.parse(content);
+            const parsed = JSON.parse(content);
+            const config = validateConfig(parsed);
             // Migrate config if needed
             return this.migrate(config);
         }
@@ -179,10 +275,27 @@ export class ConfigManager {
      * Migrate config to latest version
      */
     migrate(config) {
-        // For now, just ensure version is current
-        // In future, handle version-specific migrations
+        let dirty = false;
         if (config.version !== CONFIG_VERSION) {
             config.version = CONFIG_VERSION;
+            dirty = true;
+        }
+        // Fix overly broad curl/wget pipe-to-shell patterns.
+        // Old pattern: "curl.*\|.*sh" — matches any command containing "sh" after a pipe
+        // (e.g. `grep "curl\|sh"` or `git push`). Replace with word-bounded shell names.
+        const badToGood = {
+            "curl.*\\|.*sh": "curl.*\\|\\s*(bash|sh|zsh|dash)\\b",
+            "wget.*\\|.*sh": "wget.*\\|\\s*(bash|sh|zsh|dash)\\b",
+        };
+        const approval = config.agent?.commandPolicy?.requireApproval;
+        if (Array.isArray(approval)) {
+            const fixed = approval.map(p => badToGood[p] ?? p);
+            if (fixed.some((p, i) => p !== approval[i])) {
+                config.agent.commandPolicy.requireApproval = fixed;
+                dirty = true;
+            }
+        }
+        if (dirty) {
             this.save(config);
         }
         return config;

package/dist/core/custom-patterns.js

@@ -4,6 +4,7 @@
  */
 import fs from "fs";
 import path from "path";
+import { minimatch } from "minimatch";
 import { getRafterDir } from "./config-defaults.js";
 // ---------------------------------------------------------------------------
 // Custom pattern loading
@@ -69,12 +70,24 @@ function loadJsonPatterns(file) {
             return [];
         const patterns = [];
         for (const entry of data) {
-            if (typeof entry.pattern !== "string")
+            if (typeof entry.pattern !== "string" || !entry.pattern)
                 continue;
+            try {
+                new RegExp(entry.pattern);
+            }
+            catch {
+                console.error(`Warning: skipping custom pattern in ${path.basename(file)} — invalid regex: ${entry.pattern}`);
+                continue;
+            }
+            const severity = entry.severity ?? "high";
+            if (!["low", "medium", "high", "critical"].includes(severity)) {
+                console.error(`Warning: skipping custom pattern in ${path.basename(file)} — invalid severity: ${severity}`);
+                continue;
+            }
             patterns.push({
                 name: entry.name ?? `Custom (${path.basename(file, ".json")})`,
                 regex: entry.pattern,
-                severity: entry.severity ?? "high",
+                severity: severity,
                 description: entry.description,
             });
         }
@@ -135,23 +148,13 @@ export function isSuppressed(filePath, patternName, suppressions) {
     return false;
 }
 /**
- * Minimal glob matcher: supports * (within segment) and ** (cross-segment).
- * Not full micromatch — covers the 90% case for .rafterignore.
+ * Match a file path against a glob pattern using minimatch.
+ *
+ * Uses `matchBase` so bare patterns like "*.env" match against the basename
+ * (e.g. "config/.env"), and `dot` so dotfiles are included.
  */
 function matchGlob(glob, filePath) {
-    // Normalise separators
     const g = glob.replace(/\\/g, "/");
     const f = filePath.replace(/\\/g, "/");
-    // Escape regex special chars except * which we handle specially
-    const escaped = g
-        .replace(/[.+^${}()|[\]\\]/g, "\\$&")
-        .replace(/\*\*/g, "\x00") // placeholder for **
-        .replace(/\*/g, "[^/]*") // * = anything within one segment
-        .replace(/\x00/g, ".*"); // ** = anything including /
-    try {
-        return new RegExp(`(^|/)${escaped}(/|$)`).test(f);
-    }
-    catch {
-        return false;
-    }
+    return minimatch(f, g, { dot: true, matchBase: true });
 }

package/dist/core/pattern-engine.js

@@ -1,3 +1,7 @@
+const GENERIC_PATTERN_NAMES = new Set(["Generic API Key", "Generic Secret"]);
+const VARIABLE_NAME_RE = /^[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)+$/;
+const LOWERCASE_IDENT_RE = /^[a-z][a-z0-9]*(?:_[a-z0-9]+)+$/;
+const QUOTED_VALUE_RE = /['"]([^'"]+)['"]/;
 export class PatternEngine {
     constructor(patterns) {
         this.patterns = patterns;
@@ -11,6 +15,8 @@ export class PatternEngine {
             const regex = this.createRegex(pattern.regex);
             let match;
             while ((match = regex.exec(text)) !== null) {
+                if (this.isFalsePositive(pattern, match[0]))
+                    continue;
                 matches.push({
                     pattern,
                     match: match[0],
@@ -32,6 +38,8 @@ export class PatternEngine {
                 const regex = this.createRegex(pattern.regex);
                 let match;
                 while ((match = regex.exec(line)) !== null) {
+                    if (this.isFalsePositive(pattern, match[0]))
+                        continue;
                     matches.push({
                         pattern,
                         match: match[0],
@@ -51,7 +59,7 @@ export class PatternEngine {
         let redacted = text;
         for (const pattern of this.patterns) {
             const regex = this.createRegex(pattern.regex);
-            redacted = redacted.replace(regex, (match) => this.redact(match));
+            redacted = redacted.replace(regex, (match) => this.isFalsePositive(pattern, match) ? match : this.redact(match));
         }
         return redacted;
     }
@@ -67,6 +75,23 @@ export class PatternEngine {
     getPatternsBySeverity(severity) {
         return this.patterns.filter(p => p.severity === severity);
     }
+    /**
+     * Check if a match from a generic pattern looks like a variable name
+     * rather than an actual secret value.
+     */
+    isFalsePositive(pattern, matchText) {
+        if (!GENERIC_PATTERN_NAMES.has(pattern.name))
+            return false;
+        const m = QUOTED_VALUE_RE.exec(matchText);
+        if (!m)
+            return false;
+        const value = m[1];
+        if (VARIABLE_NAME_RE.test(value))
+            return true;
+        if (LOWERCASE_IDENT_RE.test(value))
+            return true;
+        return false;
+    }
     /**
      * Create RegExp from pattern string, extracting inline flags
      */