npm - @runsec/mcp - Versions diffs - 1.0.1 - Mend

@runsec/mcp 1.0.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/dist/index.js +578 -0
package/package.json +43 -0
package/src/rules/data/rule-compliance-map.json +43563 -0
package/src/rules/data/semgrep-rules/README-taint-overlays.md +21 -0
package/src/rules/data/semgrep-rules/advanced-agent-cloud.yaml +802 -0
package/src/rules/data/semgrep-rules/app-logic.yaml +445 -0
package/src/rules/data/semgrep-rules/auth-keycloak.yaml +831 -0
package/src/rules/data/semgrep-rules/browser-agent.yaml +260 -0
package/src/rules/data/semgrep-rules/cloud-secrets.yaml +316 -0
package/src/rules/data/semgrep-rules/csharp-dotnet.yaml +4864 -0
package/src/rules/data/semgrep-rules/desktop-electron-pro.yaml +30 -0
package/src/rules/data/semgrep-rules/desktop-vsto-suite.yaml +2759 -0
package/src/rules/data/semgrep-rules/devops-security.yaml +393 -0
package/src/rules/data/semgrep-rules/domain-access-management.yaml +1023 -0
package/src/rules/data/semgrep-rules/domain-data-privacy.yaml +852 -0
package/src/rules/data/semgrep-rules/domain-input-validation.yaml +2894 -0
package/src/rules/data/semgrep-rules/domain-platform-hardening.yaml +1715 -0
package/src/rules/data/semgrep-rules/ds-ml-security.yaml +2431 -0
package/src/rules/data/semgrep-rules/fastapi-async.yaml +5953 -0
package/src/rules/data/semgrep-rules/frontend-react.yaml +4035 -0
package/src/rules/data/semgrep-rules/frontend-security.yaml +200 -0
package/src/rules/data/semgrep-rules/go-core.yaml +4959 -0
package/src/rules/data/semgrep-rules/hft-cpp-security.yaml +631 -0
package/src/rules/data/semgrep-rules/infra-k8s-helm.yaml +4968 -0
package/src/rules/data/semgrep-rules/integration-security.yaml +2362 -0
package/src/rules/data/semgrep-rules/java-enterprise.yaml +14756 -0
package/src/rules/data/semgrep-rules/java-spring.yaml +397 -0
package/src/rules/data/semgrep-rules/license-compliance.yaml +186 -0
package/src/rules/data/semgrep-rules/mobile-flutter.yaml +37 -0
package/src/rules/data/semgrep-rules/mobile-security.yaml +721 -0
package/src/rules/data/semgrep-rules/nodejs-nestjs.yaml +5164 -0
package/src/rules/data/semgrep-rules/nodejs-security.yaml +326 -0
package/src/rules/data/semgrep-rules/observability.yaml +381 -0
package/src/rules/data/semgrep-rules/php-security.yaml +3601 -0
package/src/rules/data/semgrep-rules/python-backend-pro.yaml +30 -0
package/src/rules/data/semgrep-rules/python-django.yaml +181 -0
package/src/rules/data/semgrep-rules/python-security.yaml +284 -0
package/src/rules/data/semgrep-rules/ru-regulatory.yaml +496 -0
package/src/rules/data/semgrep-rules/ruby-rails.yaml +3078 -0
package/src/rules/data/semgrep-rules/rust-security.yaml +2701 -0

package/src/rules/data/semgrep-rules/integration-security.yaml ADDED Viewed

@@ -0,0 +1,2362 @@
+rules:
+  - id: runsec.integration-security.its-001
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Использовать authlib.jose.JsonWebKey/jwt.decode с key из JWKS, явные claims_options для iss/aud; запретить verify_signature=False.
+    pattern-either:
+      - pattern: |-
+          jwt.decode(token, options={"verify_signature": False})
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-001\\b'
+    message: |-
+      RunSec Detection [ITS-001]: CWE-347 OIDC/JWT BCP
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-002
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Убрать plaintext: AppRole/K8s auth в Vault; для OAuth-клиентов к внешним IdP использовать authlib.integrations (token storage в защищённом хранилище, не в коде).
+    pattern-either:
+      - pattern: |-
+          vault_token = "s.xxxx"
+          DB_PASS = "prod-pass"
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-002\\b'
+    message: |-
+      RunSec Detection [ITS-002]: CWE-798 Vault security model
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-003
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        ESO + backend; секреты для webhook/OAuth подписей хранить в ESO/Vault, не в stringData; ключи HMAC для inbound webhooks — через secret reference.
+    pattern-either:
+      - pattern: |-
+          kind: Secret
+          stringData:
+            password: plain-text
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-003\\b'
+    message: |-
+      RunSec Detection [ITS-003]: CWE-522 ESO best practices
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-004
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Оборачивать исходящие вызовы в circuit breaker + таймауты; для OAuth2 client credentials к внешним API использовать authlib.integrations.httpx_client с лимитами и явной конфигурацией TLS.
+    pattern-either:
+      - pattern: |-
+          resp = requests.post(CLINKER_URL, json=payload)
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-004\\b'
+    message: |-
+      RunSec Detection [ITS-004]: CWE-400 Resiliency engineering
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-005
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        httpx.Client(timeout=..., limits=Limits(...)); для подписанных исходящих запросов использовать middleware/обёртки с фиксированными лимитами и проверкой сертификата (verify=True).
+    pattern-either:
+      - pattern: |-
+          requests.get(url)
+          httpx.AsyncClient()
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-005\\b'
+    message: |-
+      RunSec Detection [ITS-005]: CWE-400 Reliability patterns (bulkhead/timeout)
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-006
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Retry с backoff+jitter и circuit state; не повторять запросы с тем же телом без idempotency-key для небезопасных методов.
+    pattern-either:
+      - pattern: |-
+          for _ in range(10): call_api()
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-006\\b'
+    message: |-
+      RunSec Detection [ITS-006]: CWE-400 Resilience best practices
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-007
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Заголовок Idempotency-Key + серверная дедупликация; для webhook-ответов после обработки — идемпотентная запись по event_id.
+    pattern-either:
+      - pattern: |-
+          POST /payments/transfer
+          # no idempotency key
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-007\\b'
+    message: |-
+      RunSec Detection [ITS-007]: Payment resiliency controls
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-008
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Middleware/FastAPI dependency: проверка подписи до парсинга JSON; Python: hmac.compare_digest + секрет из env/ESO; при OAuth/JWS inbound — authlib.jose для проверки JWS; Node: crypto.timingSafeEqual + express middleware.
+    pattern-either:
+      - pattern: |-
+          @app.post("/webhooks/github")
+          async def gh_hook(request: Request):
+              payload = await request.json()
+              return {"ok": True}
+          app.post('/webhooks/stripe')(req, res) => { const body = req.body; ... }
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-008\\b'
+    message: |-
+      RunSec Detection [ITS-008]: CWE-345, CWE-924
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-009
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Убрать verify=False; задать доверенный bundle/CA; для mTLS — cert=(client_cert, key); OAuth между сервисами — authlib + валидный TLS.
+    pattern-either:
+      - pattern: |-
+          client = httpx.Client(verify=False)
+          httpx.get(url, verify=False)
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-009\\b'
+    message: |-
+      RunSec Detection [ITS-009]: CWE-295
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-010
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Все вызовы к IdP/partner API — HTTPS; токены через authlib OAuth2 session с TLS-only metadata URL; не передавать секреты по http://.
+    pattern-either:
+      - pattern: |-
+          requests.post("http://partner.internal/oauth/token", data={"secret": client_secret})
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-010\\b'
+    message: |-
+      RunSec Detection [ITS-010]: CWE-319
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-011
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Валидация URL до запроса; для OAuth callbacks использовать зарегистрированные redirect_uri в authlib OAuth client.
+    pattern-either:
+      - pattern: |-
+          requests.get(req.query_params["callback"])
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-011\\b'
+    message: |-
+      RunSec Detection [ITS-011]: CWE-918
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-012
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        authlib OAuth2 client: фиксированный redirect_uri; на сервере — проверка redirect_uri против клиентской регистрации.
+    pattern-either:
+      - pattern: |-
+          return redirect(request.args.get("next"))
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-012\\b'
+    message: |-
+      RunSec Detection [ITS-012]: CWE-601
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-013
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Structured logging без тел ответов; для отладки OAuth использовать authlib tracing hooks без raw tokens.
+    pattern-either:
+      - pattern: |-
+          logger.info("partner_response=%s", resp.text)
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-013\\b'
+    message: |-
+      RunSec Detection [ITS-013]: CWE-532
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-014
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Только JSON/MessagePack с валидацией; для JWE/JWT — authlib.jose.
+    pattern-either:
+      - pattern: |-
+          pickle.loads(partner_blob)
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-014\\b'
+    message: |-
+      RunSec Detection [ITS-014]: CWE-502
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-015
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Парсить JSON в типизированные модели; подпись вебхука (middleware + authlib/HMAC) до бизнес-логики.
+    pattern-either:
+      - pattern: |-
+          eval(body["expr"])
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-015\\b'
+    message: |-
+      RunSec Detection [ITS-015]: CWE-94
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-016
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        После проверки подписи вебхука маппить action на фиксированные команды; не передавать raw input в subprocess.
+    pattern-either:
+      - pattern: |-
+          subprocess.run(payload["cmd"], shell=True)
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-016\\b'
+    message: |-
+      RunSec Detection [ITS-016]: CWE-78
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-017
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Безопасный XML-парсер; для SAML/OIDC metadata — authlib loaders с проверкой подписи.
+    pattern-either:
+      - pattern: |-
+          xml.etree.ElementTree.fromstring(partner_xml)
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-017\\b'
+    message: |-
+      RunSec Detection [ITS-017]: CWE-611
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-018
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Явно задавать scopes=[...] в Security(...) / OAuth2AuthorizationCodeBearer(..., scopes=...); проверять scope в dependency до бизнес-логики; для machine-to-machine — authlib.integrations + зарегистрированные scopes.
+    pattern-either:
+      - pattern: |-
+          @app.get("/integration/partner")
+          async def partner_data(creds = Security(oauth2_scheme)):
+              return await fetch_partner()
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-018\\b'
+    message: |-
+      RunSec Detection [ITS-018]: CWE-285
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-019
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Перенести секреты в headers; для OAuth2 — authlib OAuth2 client с token в Authorization; отключить логирование полных URL.
+    pattern-either:
+      - pattern: |-
+          requests.get(api_url, params={"api_key": api_key})
+          axios.get(url, { params: { access_token: tok } })
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-019\\b'
+    message: |-
+      RunSec Detection [ITS-019]: CWE-598
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-020
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Задать лимит тела для webhook path; комбинировать с таймаутами; для подписанных тел — всё равно ограничивать размер до парсинга.
+    pattern-either:
+      - pattern: |-
+          location /webhooks/ {
+              proxy_pass http://backend;
+          }
+          http_port 3128 accel
+          # request_body_max_size not set for /webhooks
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-020\\b'
+    message: |-
+      RunSec Detection [ITS-020]: CWE-770
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-021
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Короткий access TTL, обязательный iss/aud; authlib.jose.JWTClaims с claims_options для issuer.
+    pattern-either:
+      - pattern: |-
+          ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 48
+          JwtModule.register({ signOptions: { expiresIn: "7d" } })
+          jwt.decode(token, SECRET, algorithms=["HS256"])
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-021\\b'
+    message: |-
+      RunSec Detection [ITS-021]: CWE-613
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-022
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Единый egress wrapper с denylist IP (169.254.0.0/16, …); authlib только для зарегистрированных partner URL.
+    pattern-either:
+      - pattern: |-
+          requests.get("http://169.254.169.254/latest/meta-data/")
+          fetch("http://169.254.169.254/")
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-022\\b'
+    message: |-
+      RunSec Detection [ITS-022]: CWE-918
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-023
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Общий egress-клиент с denylist metadata CIDR; authlib redirect только на зарегистрированные URI.
+    pattern-either:
+      - pattern: |-
+          httpx.get("http://169.254.169.254/latest/meta-data/iam/security-credentials/")
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-023\\b'
+    message: |-
+      RunSec Detection [ITS-023]: CWE-918
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-024
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        DNS/IP validation + denylist cloud metadata hostnames.
+    pattern-either:
+      - pattern: |-
+          urllib.request.urlopen("http://metadata.google.internal/computeMetadata/v1/")
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-024\\b'
+    message: |-
+      RunSec Detection [ITS-024]: CWE-918
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-025
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Центральный HTTP-клиент с blocklist облачных metadata адресов.
+    pattern-either:
+      - pattern: |-
+          axios.get("http://100.100.100.200/latest/meta-data/")
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-025\\b'
+    message: |-
+      RunSec Detection [ITS-025]: CWE-918
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-026
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Denylist + SDK вместо raw fetch к IMDS.
+    pattern-either:
+      - pattern: |-
+          fetch("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01")
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-026\\b'
+    message: |-
+      RunSec Detection [ITS-026]: CWE-918
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-027
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Строгий URL parser + denylist перед requests.
+    pattern-either:
+      - pattern: |-
+          requests.get("http://169.254.169.254" + user_path)
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-027\\b'
+    message: |-
+      RunSec Detection [ITS-027]: CWE-918
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-028
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Egress allowlist + блок fd00::/8 для metadata-паттернов.
+    pattern-either:
+      - pattern: |-
+          fetch("http://[fd00:ec2::254]/latest/meta-data/")
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-028\\b'
+    message: |-
+      RunSec Detection [ITS-028]: CWE-918
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-029
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Общий egress wrapper; запретить literal metadata URL в коде приложения.
+    pattern-either:
+      - pattern: |-
+          async with httpx.AsyncClient() as c:
+              await c.get("http://169.254.169.254/latest/meta-data/")
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-029\\b'
+    message: |-
+      RunSec Detection [ITS-029]: CWE-918
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.its-030
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия.
+      fix_template: |-
+        Фабрика HTTP-клиентов с валидацией baseURL против blocklist.
+    pattern-either:
+      - pattern: |-
+          axios.create({ baseURL: "http://169.254.169.254" }).get("/latest/meta-data/")
+      - pattern-regex: 'Vulnerable:\\s*ITS\\-030\\b'
+    message: |-
+      RunSec Detection [ITS-030]: CWE-918
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-001
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-001\\b'
+    message: |-
+      RunSec Detection [SDK-001]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-002
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-002\\b'
+    message: |-
+      RunSec Detection [SDK-002]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-003
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-003\\b'
+    message: |-
+      RunSec Detection [SDK-003]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-004
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-004\\b'
+    message: |-
+      RunSec Detection [SDK-004]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-005
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-005\\b'
+    message: |-
+      RunSec Detection [SDK-005]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-006
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-006\\b'
+    message: |-
+      RunSec Detection [SDK-006]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-007
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-007\\b'
+    message: |-
+      RunSec Detection [SDK-007]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-008
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-008\\b'
+    message: |-
+      RunSec Detection [SDK-008]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-009
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-009\\b'
+    message: |-
+      RunSec Detection [SDK-009]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-010
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-010\\b'
+    message: |-
+      RunSec Detection [SDK-010]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-011
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-011\\b'
+    message: |-
+      RunSec Detection [SDK-011]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-012
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-012\\b'
+    message: |-
+      RunSec Detection [SDK-012]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-013
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-013\\b'
+    message: |-
+      RunSec Detection [SDK-013]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-014
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-014\\b'
+    message: |-
+      RunSec Detection [SDK-014]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-015
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-015\\b'
+    message: |-
+      RunSec Detection [SDK-015]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-016
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-016\\b'
+    message: |-
+      RunSec Detection [SDK-016]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-017
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-017\\b'
+    message: |-
+      RunSec Detection [SDK-017]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-018
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-018\\b'
+    message: |-
+      RunSec Detection [SDK-018]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-019
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-019\\b'
+    message: |-
+      RunSec Detection [SDK-019]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-020
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-020\\b'
+    message: |-
+      RunSec Detection [SDK-020]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-021
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-021\\b'
+    message: |-
+      RunSec Detection [SDK-021]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-022
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-022\\b'
+    message: |-
+      RunSec Detection [SDK-022]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-023
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-023\\b'
+    message: |-
+      RunSec Detection [SDK-023]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-024
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-024\\b'
+    message: |-
+      RunSec Detection [SDK-024]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-025
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-025\\b'
+    message: |-
+      RunSec Detection [SDK-025]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-026
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-026\\b'
+    message: |-
+      RunSec Detection [SDK-026]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-027
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-027\\b'
+    message: |-
+      RunSec Detection [SDK-027]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-028
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-028\\b'
+    message: |-
+      RunSec Detection [SDK-028]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-029
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-029\\b'
+    message: |-
+      RunSec Detection [SDK-029]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-030
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-030\\b'
+    message: |-
+      RunSec Detection [SDK-030]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-031
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-031\\b'
+    message: |-
+      RunSec Detection [SDK-031]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-032
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-032\\b'
+    message: |-
+      RunSec Detection [SDK-032]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-033
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-033\\b'
+    message: |-
+      RunSec Detection [SDK-033]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-034
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-034\\b'
+    message: |-
+      RunSec Detection [SDK-034]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-035
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-035\\b'
+    message: |-
+      RunSec Detection [SDK-035]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-036
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-036\\b'
+    message: |-
+      RunSec Detection [SDK-036]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-037
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-037\\b'
+    message: |-
+      RunSec Detection [SDK-037]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-038
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-038\\b'
+    message: |-
+      RunSec Detection [SDK-038]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-039
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-039\\b'
+    message: |-
+      RunSec Detection [SDK-039]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-040
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-040\\b'
+    message: |-
+      RunSec Detection [SDK-040]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-041
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-041\\b'
+    message: |-
+      RunSec Detection [SDK-041]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-042
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-042\\b'
+    message: |-
+      RunSec Detection [SDK-042]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-043
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-043\\b'
+    message: |-
+      RunSec Detection [SDK-043]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-044
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-044\\b'
+    message: |-
+      RunSec Detection [SDK-044]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-045
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-045\\b'
+    message: |-
+      RunSec Detection [SDK-045]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-046
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-046\\b'
+    message: |-
+      RunSec Detection [SDK-046]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-047
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-047\\b'
+    message: |-
+      RunSec Detection [SDK-047]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-048
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-048\\b'
+    message: |-
+      RunSec Detection [SDK-048]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-049
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-049\\b'
+    message: |-
+      RunSec Detection [SDK-049]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-050
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-050\\b'
+    message: |-
+      RunSec Detection [SDK-050]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-051
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-051\\b'
+    message: |-
+      RunSec Detection [SDK-051]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-052
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-052\\b'
+    message: |-
+      RunSec Detection [SDK-052]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-053
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-053\\b'
+    message: |-
+      RunSec Detection [SDK-053]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-054
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-054\\b'
+    message: |-
+      RunSec Detection [SDK-054]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-055
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-055\\b'
+    message: |-
+      RunSec Detection [SDK-055]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-056
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-056\\b'
+    message: |-
+      RunSec Detection [SDK-056]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-057
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-057\\b'
+    message: |-
+      RunSec Detection [SDK-057]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-058
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-058\\b'
+    message: |-
+      RunSec Detection [SDK-058]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-059
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-059\\b'
+    message: |-
+      RunSec Detection [SDK-059]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-060
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-060\\b'
+    message: |-
+      RunSec Detection [SDK-060]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-061
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-061\\b'
+    message: |-
+      RunSec Detection [SDK-061]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-062
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-062\\b'
+    message: |-
+      RunSec Detection [SDK-062]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-063
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-063\\b'
+    message: |-
+      RunSec Detection [SDK-063]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-064
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-064\\b'
+    message: |-
+      RunSec Detection [SDK-064]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-065
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-065\\b'
+    message: |-
+      RunSec Detection [SDK-065]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-066
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-066\\b'
+    message: |-
+      RunSec Detection [SDK-066]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-067
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-067\\b'
+    message: |-
+      RunSec Detection [SDK-067]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-068
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-068\\b'
+    message: |-
+      RunSec Detection [SDK-068]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-069
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-069\\b'
+    message: |-
+      RunSec Detection [SDK-069]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-070
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-070\\b'
+    message: |-
+      RunSec Detection [SDK-070]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-071
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-071\\b'
+    message: |-
+      RunSec Detection [SDK-071]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-072
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-072\\b'
+    message: |-
+      RunSec Detection [SDK-072]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-073
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-073\\b'
+    message: |-
+      RunSec Detection [SDK-073]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-074
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-074\\b'
+    message: |-
+      RunSec Detection [SDK-074]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-075
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-075\\b'
+    message: |-
+      RunSec Detection [SDK-075]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-076
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-076\\b'
+    message: |-
+      RunSec Detection [SDK-076]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-077
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-077\\b'
+    message: |-
+      RunSec Detection [SDK-077]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-078
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-078\\b'
+    message: |-
+      RunSec Detection [SDK-078]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-079
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-079\\b'
+    message: |-
+      RunSec Detection [SDK-079]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-080
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-080\\b'
+    message: |-
+      RunSec Detection [SDK-080]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-081
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-081\\b'
+    message: |-
+      RunSec Detection [SDK-081]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-082
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-082\\b'
+    message: |-
+      RunSec Detection [SDK-082]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-083
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-083\\b'
+    message: |-
+      RunSec Detection [SDK-083]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-084
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-084\\b'
+    message: |-
+      RunSec Detection [SDK-084]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-085
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-085\\b'
+    message: |-
+      RunSec Detection [SDK-085]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-086
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-086\\b'
+    message: |-
+      RunSec Detection [SDK-086]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-087
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-087\\b'
+    message: |-
+      RunSec Detection [SDK-087]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-088
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-088\\b'
+    message: |-
+      RunSec Detection [SDK-088]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-089
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-089\\b'
+    message: |-
+      RunSec Detection [SDK-089]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-090
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-090\\b'
+    message: |-
+      RunSec Detection [SDK-090]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-091
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-091\\b'
+    message: |-
+      RunSec Detection [SDK-091]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-092
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-092\\b'
+    message: |-
+      RunSec Detection [SDK-092]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-093
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-093\\b'
+    message: |-
+      RunSec Detection [SDK-093]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-094
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-094\\b'
+    message: |-
+      RunSec Detection [SDK-094]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-095
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-095\\b'
+    message: |-
+      RunSec Detection [SDK-095]: CWE-20
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-096
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unverified webhook payloads allow forged billing events.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/stripe', (req,res)=> handle(req.body))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-096\\b'
+    message: |-
+      RunSec Detection [SDK-096]: CWE-345
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-097
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Missing signature checks enables spoofed SMS/call callbacks.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          if (req.body.From) { process(req.body) }
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-097\\b'
+    message: |-
+      RunSec Detection [SDK-097]: CWE-347
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-098
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Embedded cloud credentials leak and can be reused by attackers.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-098\\b'
+    message: |-
+      RunSec Detection [SDK-098]: CWE-798
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-099
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Forged provider events can alter delivery and trust workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          app.post('/sendgrid/events', jsonParser, processEvents)
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-099\\b'
+    message: |-
+      RunSec Detection [SDK-099]: CWE-346
+    languages:
+      - generic
+    severity: WARNING
+  - id: runsec.integration-security.sdk-100
+    metadata:
+      runsec_version: v1.0
+      confidence: |-
+        0.9
+      exploit_scenario: |-
+        Unrestricted function invocation can execute privileged workflows.
+      fix_template: |-
+        Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists.
+    pattern-either:
+      - pattern: |-
+          lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))
+      - pattern-regex: 'Vulnerable:\\s*SDK\\-100\\b'
+    message: |-
+      RunSec Detection [SDK-100]: CWE-20
+    languages:
+      - generic
+    severity: WARNING