npm - @runsec/mcp - Versions diffs - 1.0.35 → 1.0.37 - Mend

@runsec/mcp 1.0.35 → 1.0.37

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/dist/data/.rag-cache.json +1 -0
package/dist/data/skills/_exploit_overrides.json +16 -0
package/dist/data/skills/advanced-agent-cloud/index.md +94 -0
package/dist/data/skills/advanced-agent-cloud/patterns.md +46 -0
package/dist/data/skills/advanced-agent-cloud/skill.json +38 -0
package/dist/data/skills/app-logic/index.md +69 -0
package/dist/data/skills/app-logic/patterns.md +23 -0
package/dist/data/skills/app-logic/skill.json +24 -0
package/dist/data/skills/auth-keycloak/index.md +69 -0
package/dist/data/skills/auth-keycloak/patterns.md +46 -0
package/dist/data/skills/auth-keycloak/skill.json +51 -0
package/dist/data/skills/browser-agent/index.md +58 -0
package/dist/data/skills/browser-agent/patterns.md +15 -0
package/dist/data/skills/browser-agent/skill.json +24 -0
package/dist/data/skills/cloud-secrets/index.md +66 -0
package/dist/data/skills/cloud-secrets/patterns.md +19 -0
package/dist/data/skills/cloud-secrets/skill.json +28 -0
package/dist/data/skills/csharp-dotnet/index.md +103 -0
package/dist/data/skills/csharp-dotnet/patterns.md +270 -0
package/dist/data/skills/csharp-dotnet/skill.json +27 -0
package/dist/data/skills/desktop-vsto-suite/index.md +202 -0
package/dist/data/skills/desktop-vsto-suite/patterns.md +154 -0
package/dist/data/skills/desktop-vsto-suite/skill.json +26 -0
package/dist/data/skills/devops-security/index.md +64 -0
package/dist/data/skills/devops-security/patterns.md +23 -0
package/dist/data/skills/devops-security/skill.json +42 -0
package/dist/data/skills/domain-access-management/index.md +123 -0
package/dist/data/skills/domain-access-management/patterns.md +58 -0
package/dist/data/skills/domain-access-management/skill.json +36 -0
package/dist/data/skills/domain-data-privacy/index.md +98 -0
package/dist/data/skills/domain-data-privacy/patterns.md +48 -0
package/dist/data/skills/domain-data-privacy/skill.json +36 -0
package/dist/data/skills/domain-input-validation/index.md +210 -0
package/dist/data/skills/domain-input-validation/patterns.md +158 -0
package/dist/data/skills/domain-input-validation/skill.json +24 -0
package/dist/data/skills/domain-platform-hardening/index.md +169 -0
package/dist/data/skills/domain-platform-hardening/patterns.md +96 -0
package/dist/data/skills/domain-platform-hardening/skill.json +27 -0
package/dist/data/skills/ds-ml-security/patterns.md +137 -0
package/dist/data/skills/fastapi-async/index.md +83 -0
package/dist/data/skills/fastapi-async/patterns.md +329 -0
package/dist/data/skills/fastapi-async/skill.json +32 -0
package/dist/data/skills/frontend-react/index.md +26 -0
package/dist/data/skills/frontend-react/patterns.md +226 -0
package/dist/data/skills/frontend-react/skill.json +24 -0
package/dist/data/skills/go-core/index.md +86 -0
package/dist/data/skills/go-core/patterns.md +272 -0
package/dist/data/skills/go-core/skill.json +22 -0
package/dist/data/skills/hft-cpp-security/patterns.md +37 -0
package/dist/data/skills/index.md +73 -0
package/dist/data/skills/infra-k8s-helm/index.md +138 -0
package/dist/data/skills/infra-k8s-helm/patterns.md +279 -0
package/dist/data/skills/infra-k8s-helm/skill.json +41 -0
package/dist/data/skills/integration-security/index.md +73 -0
package/dist/data/skills/integration-security/patterns.md +132 -0
package/dist/data/skills/integration-security/skill.json +30 -0
package/dist/data/skills/java-enterprise/index.md +31 -0
package/dist/data/skills/java-enterprise/patterns.md +816 -0
package/dist/data/skills/java-enterprise/skill.json +26 -0
package/dist/data/skills/java-spring/index.md +65 -0
package/dist/data/skills/java-spring/patterns.md +22 -0
package/dist/data/skills/java-spring/skill.json +23 -0
package/dist/data/skills/license-compliance/index.md +58 -0
package/dist/data/skills/license-compliance/patterns.md +12 -0
package/dist/data/skills/license-compliance/skill.json +28 -0
package/dist/data/skills/mobile-security/patterns.md +42 -0
package/dist/data/skills/nodejs-nestjs/index.md +71 -0
package/dist/data/skills/nodejs-nestjs/patterns.md +288 -0
package/dist/data/skills/nodejs-nestjs/skill.json +24 -0
package/dist/data/skills/observability/index.md +68 -0
package/dist/data/skills/observability/patterns.md +22 -0
package/dist/data/skills/observability/skill.json +26 -0
package/dist/data/skills/php-security/patterns.md +202 -0
package/dist/data/skills/ru-regulatory/index.md +72 -0
package/dist/data/skills/ru-regulatory/patterns.md +28 -0
package/dist/data/skills/ru-regulatory/skill.json +53 -0
package/dist/data/skills/ruby-rails/index.md +65 -0
package/dist/data/skills/ruby-rails/patterns.md +172 -0
package/dist/data/skills/ruby-rails/skill.json +24 -0
package/dist/data/skills/rust-security/patterns.md +152 -0
package/dist/data/trufflehog-config.yaml +407 -0
package/dist/index.js +3766 -372
package/package.json +1 -1

package/dist/data/skills/integration-security/index.md ADDED Viewed

@@ -0,0 +1,73 @@
+# Integration Security
+## Stack overview
+See [`patterns.md`](patterns.md) for Anti-Pattern / Safe-Pattern definitions for this domain.
+## Top threats
+- Map concrete rows from the pattern table to your architecture.
+## Pattern catalog
+Complete Anti-Pattern / Safe-Pattern definitions live in [`patterns.md`](patterns.md). The table below is a **table of contents** by metric ID.
+| ID | Metric | Stack |
+|---|---|---|
+| `ITS-001` | Keycloak JWT: отключена проверка подписи/issuer/audience | Использовать `authlib.jose.JsonWebKey`/`jwt.decode` с `key` из JWKS, явные `claims_options` для `iss`/`aud`; запретить `verify_signature=False`. |
+| `ITS-002` | Vault: хардкод секретов/токенов в коде и конфиге | Убрать plaintext: AppRole/K8s auth в Vault; для OAuth-клиентов к внешним IdP использовать `authlib.integrations` (token storage в защищённом хранилище, не в коде). |
+| `ITS-003` | K8s интеграции без External Secrets Operator | ESO + backend; секреты для webhook/OAuth подписей хранить в ESO/Vault, не в `stringData`; ключи HMAC для inbound webhooks — через secret reference. |
+| `ITS-004` | Circuit Breaker: голые вызовы Клинкера/API без предохранителей | Оборачивать исходящие вызовы в circuit breaker + таймауты; для OAuth2 client credentials к внешним API использовать `authlib.integrations.httpx_client` с лимитами и явной конфигурацией TLS. |
+| `ITS-005` | Bulkhead & Timeouts: HTTP-вызовы без timeout и без лимитов пула | `httpx.Client(timeout=..., limits=Limits(...))`; для подписанных исходящих запросов использовать middleware/обёртки с фиксированными лимитами и проверкой сертификата (`verify=True`). |
+| `ITS-006` | Retry Storm: без retry budget и jitter | Retry с backoff+jitter и circuit state; не повторять запросы с тем же телом без idempotency-key для небезопасных методов. |
+| `ITS-007` | Idempotency Gap: платежные API без idempotency ключей | Заголовок `Idempotency-Key` + серверная дедупликация; для webhook-ответов после обработки — идемпотентная запись по `event_id`. |
+| `ITS-008` | Webhook endpoint без проверки HMAC/подписи входящего запроса (CWE-345, CWE-924) | Middleware/FastAPI dependency: проверка подписи до парсинга JSON; Python: `hmac.compare_digest` + секрет из env/ESO; при OAuth/JWS inbound — `authlib.jose` для проверки JWS; Node: `crypto.timingSafeEqual` + express middleware. |
+| `ITS-009` | Межсервисный httpx с отключенной проверкой TLS (`verify=False`) | Убрать `verify=False`; задать доверенный bundle/CA; для mTLS — `cert=(client_cert, key)`; OAuth между сервисами — `authlib` + валидный TLS. |
+| `ITS-010` | Интеграционный вызов по HTTP без TLS (утечка токена/секрета по сети) | Все вызовы к IdP/partner API — HTTPS; токены через `authlib` OAuth2 session с TLS-only `metadata` URL; не передавать секреты по `http://`. |
+| `ITS-011` | Исходящий HTTP-запрос на URL из пользовательского ввода (SSRF в интеграции) | Валидация URL до запроса; для OAuth callbacks использовать зарегистрированные redirect_uri в `authlib` OAuth client. |
+| `ITS-012` | OAuth/OIDC `redirect_uri` / `return_to` без строгого allowlist | `authlib` OAuth2 client: фиксированный `redirect_uri`; на сервере — проверка `redirect_uri` против клиентской регистрации. |
+| `ITS-013` | Логирование сырого ответа внешнего API с токенами/PII | Structured logging без тел ответов; для отладки OAuth использовать `authlib` tracing hooks без raw tokens. |
+| `ITS-014` | Десериализация недоверенного payload от партнёра (pickle) | Только JSON/MessagePack с валидацией; для JWE/JWT — `authlib.jose`. |
+| `ITS-015` | Динамический `eval`/`exec` над данными интеграционного вебхука | Парсить JSON в типизированные модели; подпись вебхука (middleware + `authlib`/HMAC) до бизнес-логики. |
+| `ITS-016` | `subprocess` с аргументами из payload партнёра/вебхука | После проверки подписи вебхука маппить `action` на фиксированные команды; не передавать raw input в `subprocess`. |
+| `ITS-017` | Парсинг XML от партнёра без `defusedxml`/безопасных настроек | Безопасный XML-парсер; для SAML/OIDC metadata — `authlib` loaders с проверкой подписи. |
+| `ITS-018` | FastAPI: `Security(oauth2_scheme)` без `scopes` на интеграционном эндпоинте (CWE-285) | Явно задавать `scopes=[...]` в `Security(...)` / `OAuth2AuthorizationCodeBearer(..., scopes=...)`; проверять scope в dependency до бизнес-логики; для machine-to-machine — `authlib.integrations` + зарегистрированные scopes. |
+| `ITS-019` | Токен/API-ключ в query/`params` вместо заголовков (CWE-598) | Перенести секреты в headers; для OAuth2 — `authlib` OAuth2 client с token в Authorization; отключить логирование полных URL. |
+| `ITS-020` | Nginx/Squid: webhook location без лимита размера тела (CWE-770) | Задать лимит тела для webhook path; комбинировать с таймаутами; для подписанных тел — всё равно ограничивать размер до парсинга. |
+| `ITS-021` | JWT/OAuth: время жизни access token > 24h или декод без проверки `iss` (CWE-613) | Короткий access TTL, обязательный `iss`/`aud`; `authlib.jose.JWTClaims` с `claims_options` для issuer. |
+| `ITS-022` | SSRF: исходящий запрос к metadata IP `169.254.169.254` (CWE-918) | Единый egress wrapper с denylist IP (169.254.0.0/16, …); `authlib` только для зарегистрированных partner URL. |
+| `ITS-023` | SSRF Python: `httpx` к AWS metadata (CWE-918) | Общий egress-клиент с denylist metadata CIDR; `authlib` redirect только на зарегистрированные URI. |
+| `ITS-024` | SSRF Python: `urllib` к GCP metadata host (CWE-918) | DNS/IP validation + denylist cloud metadata hostnames. |
+| `ITS-025` | SSRF Node: `axios` к Alibaba metadata (CWE-918) | Центральный HTTP-клиент с blocklist облачных metadata адресов. |
+| `ITS-026` | SSRF Node: `fetch` к Azure IMDS (CWE-918) | Denylist + SDK вместо raw fetch к IMDS. |
+| `ITS-027` | SSRF Python: конкатенация URL с пользовательским путём к metadata (CWE-918) | Строгий URL parser + denylist перед `requests`. |
+| `ITS-028` | SSRF JS: IPv6 link-local metadata (CWE-918) | Egress allowlist + блок fd00::/8 для metadata-паттернов. |
+| `ITS-029` | SSRF: `httpx.AsyncClient` GET к link-local metadata (CWE-918) | Общий egress wrapper; запретить literal metadata URL в коде приложения. |
+| `ITS-030` | SSRF: `axios` instance с `baseURL` на metadata host (CWE-918) | Фабрика HTTP-клиентов с валидацией baseURL против blocklist. |
+## Verification
+**Verification:** Check the gold testbed file(s) below for `Vulnerable: <ID>` markers (static Semgrep + `detection-matrix.md` ground truth).
+- [`gold-standard-testbed/`](../gold-standard-testbed/) (see `detection-matrix.md` for ID → file mapping)
+After changing [`patterns.md`](patterns.md), run from the repo root:
+```bash
+python scripts/sync_semgrep.py
+```
+## Workflow: Recon → Scan → Verify
+### 1) Recon
+- Map entrypoints, data flows, and trust boundaries for this stack.
+- Identify which metrics in [`patterns.md`](patterns.md) apply to the code under review.
+### 2) Scan
+- Run Semgrep with `semgrep-rules/<skill>.yaml` (generated) and correlate with Anti-Patterns.
+- Eliminate findings that cannot bind to a metric row.
+### 3) Verify
+- Confirm markers or scanner hits for touched IDs in the gold testbed when adding metrics.
+- Emit findings as `Vulnerable: <PREFIX>-<NNN>` in written reviews.

package/dist/data/skills/integration-security/patterns.md ADDED Viewed

@@ -0,0 +1,132 @@
+| ID | Название метрики | Anti-Pattern (Vulnerable Code/YAML) | Safe-Pattern (Remediation) | Stack | Источник | fix_template | Exploit scenario |
+|---|---|---|---|---|---|---|---|
+| ITS-001 | Keycloak JWT: отключена проверка подписи/issuer/audience | `jwt.decode(token, options={"verify_signature": False})` | Валидация подписи (`JWKS`), `iss`, `aud`, `exp`, `nbf`, deny unknown alg. | Integration/API | `CWE-347` OIDC/JWT BCP | Использовать `authlib.jose.JsonWebKey`/`jwt.decode` с `key` из JWKS, явные `claims_options` для `iss`/`aud`; запретить `verify_signature=False`. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-001 keycloak jwt отключена проверка подписи issuer audience decode options verify signature false валидация jwks iss aud exp nbf alg -->
+| ITS-002 | Vault: хардкод секретов/токенов в коде и конфиге | `vault_token = "s.xxxx"`<br>`DB_PASS = "prod-pass"` | Аутентификация в Vault через AppRole/Kubernetes auth, short-lived tokens, secret retrieval только во время runtime. | Integration/API | `CWE-798` Vault security model | Убрать plaintext: AppRole/K8s auth в Vault; для OAuth-клиентов к внешним IdP использовать `authlib.integrations` (token storage в защищённом хранилище, не в коде). | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-002 vault хардкод секретов токенов код конфиг vault token db pass аутентификация approle kubernetes short lived runtime -->
+| ITS-003 | K8s интеграции без External Secrets Operator | `kind: Secret`<br>`stringData:`<br>`  password: plain-text` | Использовать External Secrets Operator + Vault/SM backend, исключить прямой plaintext секрет в манифестах. | Integration/API | `CWE-522` ESO best practices | ESO + backend; секреты для webhook/OAuth подписей хранить в ESO/Vault, не в `stringData`; ключи HMAC для inbound webhooks — через secret reference. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-003 k8s интеграции без external secrets operator kind secret stringdata password plain text использовать eso vault backend исключить plaintext -->
+| ITS-004 | Circuit Breaker: голые вызовы Клинкера/API без предохранителей | `resp = requests.post(CLINKER_URL, json=payload)` | Использовать circuit breaker (`pybreaker`, `resilience4j`, аналоги), fallback и метрики отказов по внешним интеграциям. | Integration/API | `CWE-400` Resiliency engineering | Оборачивать исходящие вызовы в circuit breaker + таймауты; для OAuth2 client credentials к внешним API использовать `authlib.integrations.httpx_client` с лимитами и явной конфигурацией TLS. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-004 circuit breaker clinker api pybreaker resilience4j fallback -->
+| ITS-005 | Bulkhead & Timeouts: HTTP-вызовы без timeout и без лимитов пула | `requests.get(url)`<br>`httpx.AsyncClient()` | Всегда задавать timeout и ограничивать connection pool (bulkhead), чтобы избежать каскадных сбоев при деградации внешних API. | Integration/API | `CWE-400` Reliability patterns (bulkhead/timeout) | `httpx.Client(timeout=..., limits=Limits(...))`; для подписанных исходящих запросов использовать middleware/обёртки с фиксированными лимитами и проверкой сертификата (`verify=True`). | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-005 bulkhead timeout connection pool httpx requests cascading failures -->
+| ITS-006 | Retry Storm: без retry budget и jitter | `for _ in range(10): call_api()` | Ограничивать retries через retry budget, exponential backoff и jitter; прерывать цикл при circuit-open состоянии. | Integration/API | `CWE-400` Resilience best practices | Retry с backoff+jitter и circuit state; не повторять запросы с тем же телом без idempotency-key для небезопасных методов. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-006 retry budget jitter exponential backoff circuit open -->
+| ITS-007 | Idempotency Gap: платежные API без idempotency ключей | `POST /payments/transfer`<br>`# no idempotency key` | Для критичных операций использовать `Idempotency-Key`, deduplication window и журнал повторных запросов. | Integration/API | Payment resiliency controls | Заголовок `Idempotency-Key` + серверная дедупликация; для webhook-ответов после обработки — идемпотентная запись по `event_id`. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-007 idempotency key payments transfer deduplication window -->
+| ITS-008 | Webhook endpoint без проверки HMAC/подписи входящего запроса (CWE-345, CWE-924) | `@app.post("/webhooks/github")`<br>`async def gh_hook(request: Request):`<br>`    payload = await request.json()`<br>`    return {"ok": True}`<br>`app.post('/webhooks/stripe')(req, res) => { const body = req.body; ... }` | Читать сырой body, вычислять HMAC-SHA256 от секрета, сравнивать с `X-Hub-Signature-256` / `Stripe-Signature` через `hmac.compare_digest`; отклонять при несовпадении или отсутствии заголовка. | Integration/API | `CWE-345`, `CWE-924` | Middleware/FastAPI dependency: проверка подписи до парсинга JSON; Python: `hmac.compare_digest` + секрет из env/ESO; при OAuth/JWS inbound — `authlib.jose` для проверки JWS; Node: `crypto.timingSafeEqual` + express middleware. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-008 webhook post webhooks github stripe x hub signature hmac body json -->
+| ITS-009 | Межсервисный httpx с отключенной проверкой TLS (`verify=False`) | `client = httpx.Client(verify=False)`<br>`httpx.get(url, verify=False)` | `verify=True` (default), корпоративный CA через `verify=ssl.create_default_context(cafile=...)` или `SSL_CERT_FILE`. | Python/FastAPI | `CWE-295` | Убрать `verify=False`; задать доверенный bundle/CA; для mTLS — `cert=(client_cert, key)`; OAuth между сервисами — `authlib` + валидный TLS. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-009 httpx client verify false tls inter service -->
+| ITS-010 | Интеграционный вызов по HTTP без TLS (утечка токена/секрета по сети) | `requests.post("http://partner.internal/oauth/token", data={"secret": client_secret})` | Только `https://`, pinning/корпоративный CA, отдельный канал для секретов (Vault/ESO). | Integration/API | `CWE-319` | Все вызовы к IdP/partner API — HTTPS; токены через `authlib` OAuth2 session с TLS-only `metadata` URL; не передавать секреты по `http://`. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-010 integration http cleartext oauth token partner internal secret -->
+| ITS-011 | Исходящий HTTP-запрос на URL из пользовательского ввода (SSRF в интеграции) | `requests.get(req.query_params["callback"])` | Allowlist хостов/схем, блок `169.254.169.254`, `file:`, `metadata` endpoints. | Integration/API | `CWE-918` | Валидация URL до запроса; для OAuth callbacks использовать зарегистрированные redirect_uri в `authlib` OAuth client. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-011 integration ssrf callback requests get query params -->
+| ITS-012 | OAuth/OIDC `redirect_uri` / `return_to` без строгого allowlist | `return redirect(request.args.get("next"))` | Сравнивать с предрегистрированным списком URI (exact match), запретить open redirect. | Integration/API | `CWE-601` | `authlib` OAuth2 client: фиксированный `redirect_uri`; на сервере — проверка `redirect_uri` против клиентской регистрации. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-012 oauth redirect next open redirect return -->
+| ITS-013 | Логирование сырого ответа внешнего API с токенами/PII | `logger.info("partner_response=%s", resp.text)` | Маскировать секреты, логировать только correlation-id и статус. | Integration/API | `CWE-532` | Structured logging без тел ответов; для отладки OAuth использовать `authlib` tracing hooks без raw tokens. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-013 integration log partner response resp text token -->
+| ITS-014 | Десериализация недоверенного payload от партнёра (pickle) | `pickle.loads(partner_blob)` | JSON + схема (`Pydantic`/`authlib` JSON), запрет pickle. | Integration/API | `CWE-502` | Только JSON/MessagePack с валидацией; для JWE/JWT — `authlib.jose`. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-014 integration pickle loads partner blob -->
+| ITS-015 | Динамический `eval`/`exec` над данными интеграционного вебхука | `eval(body["expr"])` | Запретить eval; использовать безопасные DSL/allowlist. | Integration/API | `CWE-94` | Парсить JSON в типизированные модели; подпись вебхука (middleware + `authlib`/HMAC) до бизнес-логики. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-015 integration eval webhook body expr -->
+| ITS-016 | `subprocess` с аргументами из payload партнёра/вебхука | `subprocess.run(payload["cmd"], shell=True)` | Allowlist команд, `shell=False`, без пользовательских строк в shell. | Integration/API | `CWE-78` | После проверки подписи вебхука маппить `action` на фиксированные команды; не передавать raw input в `subprocess`. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-016 integration subprocess webhook cmd shell true -->
+| ITS-017 | Парсинг XML от партнёра без `defusedxml`/безопасных настроек | `xml.etree.ElementTree.fromstring(partner_xml)` | `defusedxml` или `lxml` с `resolve_entities=False`, отключить DTD. | Integration/API | `CWE-611` | Безопасный XML-парсер; для SAML/OIDC metadata — `authlib` loaders с проверкой подписи. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-017 integration xml etree fromstring partner xml -->
+| ITS-018 | FastAPI: `Security(oauth2_scheme)` без `scopes` на интеграционном эндпоинте (CWE-285) | `@app.get("/integration/partner")`<br>`async def partner_data(creds = Security(oauth2_scheme)):`<br>`    return await fetch_partner()` | `Security(oauth2_scheme, scopes=["read:partner"])` или отдельная dependency с проверкой scope/claims; OAuth2 client — `authlib` с required scopes. | Python/FastAPI | `CWE-285` | Явно задавать `scopes=[...]` в `Security(...)` / `OAuth2AuthorizationCodeBearer(..., scopes=...)`; проверять scope в dependency до бизнес-логики; для machine-to-machine — `authlib.integrations` + зарегистрированные scopes. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-018 fastapi security oauth2 scheme без scopes integration partner async def creds -->
+| ITS-019 | Токен/API-ключ в query/`params` вместо заголовков (CWE-598) | `requests.get(api_url, params={"api_key": api_key})`<br>`axios.get(url, { params: { access_token: tok } })` | Секреты только в `Authorization` / `X-Api-Key` / `authlib` header hooks; не класть секреты в URL (логи прокси, Referer, browser history). | Integration/API | `CWE-598` | Перенести секреты в headers; для OAuth2 — `authlib` OAuth2 client с token в Authorization; отключить логирование полных URL. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-019 requests get params api_key axios access token query -->
+| ITS-020 | Nginx/Squid: webhook location без лимита размера тела (CWE-770) | `location /webhooks/ {`<br>`    proxy_pass http://backend;`<br>`}`<br>`http_port 3128 accel`<br>`# request_body_max_size not set for /webhooks` | `client_max_body_size 512k;` в `location` или выше; Squid: `request_body_max_size 512 KB` для ACL `urlpath_regex /webhooks`. | Nginx/Squid | `CWE-770` | Задать лимит тела для webhook path; комбинировать с таймаутами; для подписанных тел — всё равно ограничивать размер до парсинга. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-020 nginx location webhooks proxy_pass backend client_max_body_size squid request_body_max_size -->
+| ITS-021 | JWT/OAuth: время жизни access token > 24h или декод без проверки `iss` (CWE-613) | `ACCESS_TOKEN_EXPIRE_MINUTES = 60 * 48`<br>`JwtModule.register({ signOptions: { expiresIn: "7d" } })`<br>`jwt.decode(token, SECRET, algorithms=["HS256"])` | `expiresIn`/`expire` ≤ 24h или refresh-token flow; `jwt.decode(..., issuer=ISS, options={"require": ["exp", "iss"]})`; OIDC — `authlib` + `iss` из discovery. | FastAPI/Node | `CWE-613` | Короткий access TTL, обязательный `iss`/`aud`; `authlib.jose.JWTClaims` с `claims_options` для issuer. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-021 jwt oauth access token expire minutes 48 jwmodule expiresin 7d jwt decode secret algorithms hs256 без issuer -->
+| ITS-022 | SSRF: исходящий запрос к metadata IP `169.254.169.254` (CWE-918) | `requests.get("http://169.254.169.254/latest/meta-data/")`<br>`fetch("http://169.254.169.254/")` | Блокировать link-local/cloud-metadata диапазоны в клиенте; allowlist URL; не передавать пользовательский хост в интеграционный HTTP без фильтра. | Integration/API | `CWE-918` | Единый egress wrapper с denylist IP (169.254.0.0/16, …); `authlib` только для зарегистрированных partner URL. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-022 ssrf requests get 169 254 169 254 latest meta data fetch http -->
+| ITS-023 | SSRF Python: `httpx` к AWS metadata (CWE-918) | `httpx.get("http://169.254.169.254/latest/meta-data/iam/security-credentials/")` | Блокировать 169.254.0.0/16 до запроса; allowlist partner URL. | Python | `CWE-918` | Общий egress-клиент с denylist metadata CIDR; `authlib` redirect только на зарегистрированные URI. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-023 httpx get 169 254 latest meta data iam security credentials -->
+| ITS-024 | SSRF Python: `urllib` к GCP metadata host (CWE-918) | `urllib.request.urlopen("http://metadata.google.internal/computeMetadata/v1/")` | Denylist `metadata.google.internal` и link-local; только явные partner endpoints. | Python | `CWE-918` | DNS/IP validation + denylist cloud metadata hostnames. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-024 urllib urlopen metadata google internal computemetadata v1 -->
+| ITS-025 | SSRF Node: `axios` к Alibaba metadata (CWE-918) | `axios.get("http://100.100.100.200/latest/meta-data/")` | Блокировать vendor metadata IPs в egress proxy; allowlist. | Node.js | `CWE-918` | Центральный HTTP-клиент с blocklist облачных metadata адресов. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-025 axios get 100 100 100 200 latest meta data -->
+| ITS-026 | SSRF Node: `fetch` к Azure IMDS (CWE-918) | `fetch("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01")` | Запретить прямые вызовы IMDS из app-кода; MSI только через managed identity SDK в контролируемом слое. | Node.js | `CWE-918` | Denylist + SDK вместо raw fetch к IMDS. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-026 fetch 169 254 metadata identity oauth2 token api version -->
+| ITS-027 | SSRF Python: конкатенация URL с пользовательским путём к metadata (CWE-918) | `requests.get("http://169.254.169.254" + user_path)` | Не допускать конкатенацию пути к metadata IP; parse URL и reject link-local. | Python | `CWE-918` | Строгий URL parser + denylist перед `requests`. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-027 requests get 169 254 user path concat -->
+| ITS-028 | SSRF JS: IPv6 link-local metadata (CWE-918) | `fetch("http://[fd00:ec2::254]/latest/meta-data/")` | Блокировать IPv6 link-local и известные metadata адреса. | JavaScript | `CWE-918` | Egress allowlist + блок fd00::/8 для metadata-паттернов. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-028 fetch fd00 ec2 latest meta data ipv6 -->
+| ITS-029 | SSRF: `httpx.AsyncClient` GET к link-local metadata (CWE-918) | `async with httpx.AsyncClient() as c:`<br>`    await c.get("http://169.254.169.254/latest/meta-data/")` | Центральный async-клиент с denylist 169.254.0.0/16 до любого запроса. | Python | `CWE-918` | Общий egress wrapper; запретить literal metadata URL в коде приложения. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-029 httpx asyncclient get 169 254 latest meta data guardian -->
+| ITS-030 | SSRF: `axios` instance с `baseURL` на metadata host (CWE-918) | `axios.create({ baseURL: "http://169.254.169.254" }).get("/latest/meta-data/")` | Не задавать metadata host в клиентах; только allowlist partner API. | Node.js | `CWE-918` | Фабрика HTTP-клиентов с валидацией baseURL против blocklist. | Атакующий доставляет входные данные, соответствующие anti-pattern; реальный ущерб зависит от приёмника (sink), конфигурации и границ доверия. | <!-- semantic_anchor: its-030 axios create baseurl 169 254 meta data guardian -->
+| SDK-001 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-002 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-003 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-004 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-005 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-006 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-007 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-008 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-009 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-010 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-011 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-012 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-013 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-014 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-015 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-016 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-017 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-018 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-019 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-020 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-021 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-022 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-023 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-024 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-025 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-026 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-027 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-028 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-029 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-030 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-031 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-032 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-033 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-034 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-035 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-036 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-037 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-038 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-039 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-040 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-041 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-042 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-043 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-044 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-045 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-046 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-047 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-048 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-049 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-050 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-051 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-052 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-053 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-054 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-055 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-056 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-057 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-058 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-059 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-060 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-061 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-062 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-063 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-064 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-065 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-066 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-067 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-068 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-069 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-070 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-071 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-072 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-073 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-074 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-075 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-076 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-077 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-078 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-079 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-080 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-081 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-082 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-083 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-084 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-085 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-086 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-087 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-088 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-089 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-090 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-091 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-092 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-093 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-094 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-095 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |
+| SDK-096 | Stripe webhook handler missing signature verification | `app.post('/stripe', (req,res)=> handle(req.body))` | `const evt = stripe.webhooks.constructEvent(raw, sig, secret)` | Third-party SDK | CWE-345 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unverified webhook payloads allow forged billing events. |
+| SDK-097 | Twilio callback endpoint accepts unsigned requests | `if (req.body.From) { process(req.body) }` | `if (!twilio.validateRequest(token, sig, url, params)) return 403` | Third-party SDK | CWE-347 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Missing signature checks enables spoofed SMS/call callbacks. |
+| SDK-098 | AWS SDK client uses hardcoded test key | `new S3Client({ credentials: { accessKeyId: 'AKIA_TEST', secretAccessKey: 'x' } })` | `new S3Client({ credentials: fromEnv() })` | Third-party SDK | CWE-798 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Embedded cloud credentials leak and can be reused by attackers. |
+| SDK-099 | SendGrid event webhook consumed without origin verification | `app.post('/sendgrid/events', jsonParser, processEvents)` | `verifySendgridSignature(req); processEvents(req.body)` | Third-party SDK | CWE-346 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Forged provider events can alter delivery and trust workflows. |
+| SDK-100 | Lambda invoke from external payload without allowlist | `lambda.send(new InvokeCommand({ FunctionName: req.body.fn }))` | `lambda.send(new InvokeCommand({ FunctionName: ALLOWED_FN[req.body.action] }))` | Third-party SDK | CWE-20 | Autofix: verify webhook signatures, remove hardcoded keys, and enforce endpoint/function allowlists. | Unrestricted function invocation can execute privileged workflows. |

package/dist/data/skills/integration-security/skill.json ADDED Viewed

@@ -0,0 +1,30 @@
+{
+  "skill_id": "integration-security",
+  "name": "Integration Security",
+  "activation_triggers": [
+    "keycloak-jwt-verify",
+    "vault-no-hardcode",
+    "external-secrets-operator",
+    "udi-uda-token-flow",
+    "circuit-breaker",
+    "bulkhead-timeout",
+    "retry-jitter",
+    "idempotency-key"
+  ],
+  "relevant_extensions": [
+    ".py",
+    ".ts",
+    ".js",
+    ".yaml",
+    ".yml",
+    ".json"
+  ],
+  "tools": [
+    "semgrep",
+    "syft",
+    "trufflehog"
+  ],
+  "rules_path": "core/skills/integration-security/patterns.md",
+  "few_shot_examples": "core/gold-standard-testbed/integration_security_vulnerable.py",
+  "security_priority": 9
+}

package/dist/data/skills/java-enterprise/index.md ADDED Viewed

@@ -0,0 +1,31 @@
+# Java Enterprise Security
+## Stack overview
+Enterprise Java security patterns for `Java 21+`, `Spring Boot 3.3+`, `Camunda 7.20`, `PostgreSQL`, `Elasticsearch`, and deployment hardening (`Docker`, `Kubernetes`, `Nginx`).
+## Pattern families
+- `CAM-*`: Camunda process/auth/transaction threats.
+- `SPR-*`: Spring API, auth, deserialization, and error-handling threats.
+- `AK-*`: Keycloak/JWT/OAuth2 integration flaws.
+- `DB-*`: Database injection/access-control/resource risks.
+- `ES-*`: Elasticsearch query/auth/concurrency risks.
+- `INF-*`: Container and platform hardening anti-patterns.
+## Pattern catalog
+Canonical detections and remediations are maintained in [`patterns.md`](patterns.md).
+## Verification
+Use the gold testbed markers `// Vulnerable: <ID>` in:
+- [`core/gold-standard-testbed/enterprise_java_validation.java`](../../gold-standard-testbed/enterprise_java_validation.java)
+After updates, regenerate rules and matrix:
+```bash
+python scripts/sync_semgrep.py
+python scripts/generate_detection_matrix.py
+```