@sun-asterisk/sunlint 1.3.7 → 1.3.9

package/rules/security/S054_no_default_accounts/analyzer.js

@@ -0,0 +1,792 @@
+const fs = require('fs');
+const path = require('path');
+const { CommentDetector } = require('../../utils/rule-helpers');
+
+/**
+ * S054 - Disallow Default/Built-in Accounts (admin/root/sa/...)
+ * Security Rule: Prevent use of default or shared accounts for better auditability and security
+ * 
+ * Detects:
+ * - SQL/Seeder: INSERT INTO users with blocked usernames
+ * - Code: createUser/createAccount with blocked usernames 
+ * - IaC: Terraform, Helm, Docker with default usernames
+ * - Docs: login credentials with blocked usernames
+ * - Config: Database/auth configs with default usernames
+ * - Password smells: Common weak passwords
+ */
+class S054NoDefaultAccountsAnalyzer {
+  constructor(ruleIdOrOptions = 'S054', verbose = false) {
+    // Handle both old and new constructor signatures
+    if (typeof ruleIdOrOptions === 'string') {
+      // Old format: constructor(ruleId, verbose)
+      this.ruleId = ruleIdOrOptions;
+      this.verbose = verbose;
+    } else if (typeof ruleIdOrOptions === 'object' && ruleIdOrOptions !== null) {
+      // New format: constructor(options)
+      this.ruleId = 'S054'; // Use default ruleId
+      this.verbose = ruleIdOrOptions.verbose || false;
+      this.semanticEngine = ruleIdOrOptions.semanticEngine || null;
+    } else {
+      // Fallback
+      this.ruleId = 'S054';
+      this.verbose = false;
+    }
+    
+    this.loadConfig();
+  }
+
+  loadConfig() {
+    try {
+      const configPath = path.join(__dirname, 'config.json');
+      const configContent = fs.readFileSync(configPath, 'utf8');
+      const config = JSON.parse(configContent);
+      
+      this.blockedUsernames = config.options.blockedUsernames || [];
+      this.codeCreationPatterns = config.options.codeCreationPatterns || [];
+      this.sqlInsertUserPatterns = config.options.sqlInsertUserPatterns || [];
+      this.infraPatterns = config.options.infraPatterns || {};
+      this.docPatterns = config.options.docPatterns || [];
+      this.passwordSmells = config.options.passwordSmells || [];
+      this.configFilePatterns = config.options.configFilePatterns || [];
+      this.policy = config.options.policy || {};
+      this.allowlist = config.options.allowlist || {};
+      this.thresholds = config.options.thresholds || {};
+      this.exemptions = config.options.exemptions || {};
+      
+      // Build unified regex patterns
+      this.blockedUsernamesRegex = new RegExp(`\\b(${this.blockedUsernames.join('|')})\\b`, 'gi');
+      this.passwordSmellsRegex = new RegExp(`\\b(${this.passwordSmells.join('|')})\\b`, 'gi');
+      
+      if (this.verbose) {
+        console.log(`[DEBUG] S054: Loaded config with ${this.blockedUsernames.length} blocked usernames, ${Object.keys(this.infraPatterns).length} infra patterns`);
+      }
+    } catch (error) {
+      console.warn(`[S054] Failed to load config: ${error.message}`);
+      this.initializeDefaultConfig();
+    }
+  }
+
+  initializeDefaultConfig() {
+    this.blockedUsernames = ['admin', 'root', 'sa', 'test', 'guest'];
+    this.codeCreationPatterns = [];
+    this.sqlInsertUserPatterns = [];
+    this.infraPatterns = {};
+    this.docPatterns = [];
+    this.passwordSmells = [];
+    this.configFilePatterns = [];
+    this.policy = {};
+    this.allowlist = { paths: [] };
+    this.thresholds = {};
+    this.exemptions = {};
+    this.blockedUsernamesRegex = /\\b(admin|root|sa|test|guest)\\b/gi;
+    this.passwordSmellsRegex = /\\b(password|123456|admin)\\b/gi;
+  }
+
+  analyze(files, language, options = {}) {
+    this.verbose = options.verbose || false;
+    const violations = [];
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S054 ANALYZE: Starting analysis with comment detection enabled`);
+      console.log(`[DEBUG] 🎯 S054: Language=${language}, Files=${files.length}, Options=`, options);
+    }
+
+    if (!Array.isArray(files)) {
+      files = [files];
+    }
+    
+    for (const filePath of files) {
+      if (this.verbose) {
+        console.log(`[DEBUG] 🎯 S054: Analyzing ${filePath.split('/').pop()}`);
+      }
+
+      try {
+        const content = fs.readFileSync(filePath, 'utf8');
+        const fileExtension = path.extname(filePath);
+        const fileName = path.basename(filePath);
+        const fileViolations = this.analyzeFile(filePath, content, fileExtension, fileName);
+        violations.push(...fileViolations);
+      } catch (error) {
+        console.warn(`[S054] Error analyzing ${filePath}: ${error.message}`);
+      }
+    }
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S054: Found ${violations.length} default account violations`);
+    }
+
+    return violations;
+  }
+
+  // Alias method for engines that might call this
+  run(filePath, content, options = {}) {
+    this.verbose = options.verbose || false;
+    
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S054 RUN: Running comment-aware analysis on ${path.basename(filePath)}`);
+    }
+
+    const fileExtension = path.extname(filePath);
+    const fileName = path.basename(filePath);
+    return this.analyzeFile(filePath, content, fileExtension, fileName);
+  }
+
+  // Another possible entry point
+  runAnalysis(filePath, content, options = {}) {
+    return this.run(filePath, content, options);
+  }
+
+  // Entry point that engine might call
+  runEnhancedAnalysis(filePath, content, language, options = {}) {
+    this.verbose = options.verbose || false;
+    
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S054 runEnhancedAnalysis: Running comment-aware analysis on ${path.basename(filePath)}`);
+    }
+
+    const fileExtension = path.extname(filePath);
+    const fileName = path.basename(filePath);
+    return this.analyzeFile(filePath, content, fileExtension, fileName);
+  }
+
+  analyzeFile(filePath, content, fileExtension, fileName) {
+    const language = this.detectLanguage(fileExtension, fileName);
+    if (!language) {
+      return [];
+    }
+
+    // Check if file is exempted (test files, etc.)
+    const isExempted = this.isExemptedFile(filePath);
+    if (isExempted && this.verbose) {
+      console.log(`[DEBUG] 🔍 S054: Analyzing exempted file: ${fileName} (will still check for password smells)`);
+    }
+
+    return this.analyzeWithHeuristic(filePath, content, language, isExempted);
+  }
+
+  detectLanguage(fileExtension, fileName) {
+    const extensions = {
+      '.sql': 'sql',
+      '.ts': 'typescript',
+      '.tsx': 'typescript', 
+      '.js': 'javascript',
+      '.jsx': 'javascript',
+      '.mjs': 'javascript',
+      '.tf': 'terraform',
+      '.yaml': 'yaml',
+      '.yml': 'yaml',
+      '.json': 'json',
+      '.properties': 'properties',
+      '.conf': 'config',
+      '.config': 'config',
+      '.env': 'env',
+      '.md': 'markdown',
+      '.dockerfile': 'docker',
+      '.dockerignore': 'docker'
+    };
+
+    // Special file names
+    if (fileName.toLowerCase().includes('dockerfile')) return 'docker';
+    if (fileName.toLowerCase().includes('docker-compose')) return 'docker';
+    if (fileName.toLowerCase().includes('helm')) return 'helm';
+    if (fileName.toLowerCase().includes('values')) return 'helm';
+    
+    return extensions[fileExtension] || 'text';
+  }
+
+  isExemptedFile(filePath) {
+    const allowedPaths = this.allowlist.paths || [];
+    return allowedPaths.some(path => filePath.includes(path));
+  }
+
+  analyzeWithHeuristic(filePath, content, language, isExempted) {
+    const violations = [];
+    const lines = content.split('\n');
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S054: Starting analysis of ${lines.length} lines with comment detection`);
+    }
+
+    let inBlockComment = false;
+    let skippedCommentLines = 0;
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      const lineNumber = i + 1;
+
+      // Track block comments across lines
+      if (line.includes('/*')) {
+        inBlockComment = true;
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 S054: Line ${lineNumber} starts block comment`);
+        }
+      }
+      if (line.includes('*/')) {
+        inBlockComment = false;
+        skippedCommentLines++;
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 S054: Line ${lineNumber} ends block comment - skipping`);
+        }
+        continue; // Skip the closing line itself
+      }
+      if (inBlockComment) {
+        skippedCommentLines++;
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 S054: Line ${lineNumber} inside block comment - skipping`);
+        }
+        continue; // Skip lines inside block comments
+      }
+
+      // Skip lines that are entirely single-line comments
+      const trimmedLine = line.trim();
+      if (trimmedLine.startsWith('//') || trimmedLine.startsWith('#')) {
+        skippedCommentLines++;
+        if (this.verbose) {
+          console.log(`[DEBUG] 🎯 S054: Line ${lineNumber} is single-line comment - skipping`);
+        }
+        continue;
+      }
+
+      // Use CommentDetector to clean line and get comment ranges
+      const { cleanLine, commentRanges } = CommentDetector.cleanLineForMatching(line);
+
+      if (this.verbose && commentRanges.length > 0) {
+        console.log(`[DEBUG] 🎯 S054: Line ${lineNumber} has ${commentRanges.length} comment ranges:`, commentRanges);
+      }
+
+      // Helper function to check if a position is in a comment
+      const isInComment = (position) => {
+        return commentRanges.some(range => position >= range.start && position < range.end);
+      };
+
+      // Always check for password smells (even in exempted files)
+      const passwordViolations = this.checkPasswordSmellsWithComments(cleanLine, lineNumber, filePath, isInComment);
+      if (this.verbose && passwordViolations.length > 0) {
+        console.log(`[DEBUG] 🎯 S054: Line ${lineNumber} password violations:`, passwordViolations.length);
+      }
+      violations.push(...passwordViolations);
+
+      // Skip other checks for exempted files unless policy requires it
+      if (isExempted && !this.policy.requireCheckEvenInTests) {
+        continue;
+      }
+
+      // Check based on language/file type using cleaned line
+      switch (language) {
+        case 'sql':
+          const sqlViolations = this.checkSQLPatternsWithComments(cleanLine, lineNumber, filePath, isInComment);
+          if (this.verbose && sqlViolations.length > 0) {
+            console.log(`[DEBUG] 🎯 S054: Line ${lineNumber} SQL violations:`, sqlViolations.length);
+          }
+          violations.push(...sqlViolations);
+          break;
+        case 'typescript':
+        case 'javascript':
+          const codeViolations = this.checkCodePatternsWithComments(cleanLine, lineNumber, filePath, isInComment);
+          const configViolations = this.checkConfigPatternsWithComments(cleanLine, lineNumber, filePath, isInComment);
+          if (this.verbose && (codeViolations.length > 0 || configViolations.length > 0)) {
+            console.log(`[DEBUG] 🎯 S054: Line ${lineNumber} code violations: ${codeViolations.length}, config: ${configViolations.length}`);
+          }
+          violations.push(...codeViolations);
+          violations.push(...configViolations);
+          break;
+        case 'terraform':
+          violations.push(...this.checkTerraformPatternsWithComments(cleanLine, lineNumber, filePath, isInComment));
+          break;
+        case 'yaml':
+        case 'helm':
+          violations.push(...this.checkHelmYamlPatternsWithComments(cleanLine, lineNumber, filePath, isInComment));
+          violations.push(...this.checkKubernetesPatternsWithComments(cleanLine, lineNumber, filePath, isInComment));
+          break;
+        case 'docker':
+          violations.push(...this.checkDockerPatternsWithComments(cleanLine, lineNumber, filePath, isInComment));
+          break;
+        case 'json':
+        case 'properties':
+        case 'config':
+        case 'env':
+          violations.push(...this.checkConfigPatternsWithComments(cleanLine, lineNumber, filePath, isInComment));
+          break;
+        case 'markdown':
+          violations.push(...this.checkDocumentationPatternsWithComments(cleanLine, lineNumber, filePath, isInComment));
+          break;
+        default:
+          // Generic text checks
+          violations.push(...this.checkGenericPatternsWithComments(cleanLine, lineNumber, filePath, isInComment));
+      }
+    }
+
+    if (this.verbose) {
+      console.log(`[DEBUG] 🎯 S054: Skipped ${skippedCommentLines} comment lines, found ${violations.length} violations`);
+    }
+
+    return violations;
+  }
+
+  checkPasswordSmellsWithComments(cleanLine, lineNumber, filePath, isInComment) {
+    const violations = [];
+    
+    // Skip decorator lines (@Controller, @ApiTags, etc.)
+    const trimmedLine = cleanLine.trim();
+    if (trimmedLine.startsWith('@')) {
+      return violations;
+    }
+    
+    // Skip class/interface declarations
+    if (trimmedLine.match(/^(class|interface|export class|export interface)\s+\w*admin\w*/i)) {
+      return violations;
+    }
+    
+    // Skip import statements
+    if (trimmedLine.startsWith('import ') || trimmedLine.includes('from ')) {
+      return violations;
+    }
+    
+    this.passwordSmells.forEach(smell => {
+      // More specific pattern for password detection - must be in password context
+      const pattern = new RegExp(`password\\s*[=:]\\s*['"]${smell}['"]|['"]${smell}['"]\\s*[=:].*password`, 'gi');
+      const matches = [...cleanLine.matchAll(pattern)];
+      
+      // For "secret" - only flag if it's actually a hardcoded secret, not OTP/auth variables
+      if (smell === 'secret') {
+        // Skip if it's OTP/authentication related
+        if (cleanLine.match(/(generateSecret|hotp|totp|authenticator|otp)/i)) {
+          return;
+        }
+        // Skip if it's variable assignment (const secret = ...)
+        if (cleanLine.match(/(const|let|var)\s+secret\s*=/) || cleanLine.match(/\.secret\s*=/) || cleanLine.match(/\{\s*secret\s*\}/)) {
+          return;
+        }
+      }
+      
+      matches.forEach(match => {
+        // Skip if this match is within a comment
+        if (isInComment(match.index)) {
+          return;
+        }
+
+        // Skip if it's just a service/method name (e.g., adminService)
+        if (smell === 'admin' && cleanLine.match(/\w*Service\.\w+/)) {
+          return;
+        }
+
+        violations.push({
+          ruleId: this.ruleId,
+          message: `Password smell detected: "${smell}" - use strong, unique passwords`,
+          severity: 'error',
+          line: lineNumber,
+          column: match.index + 1,
+          filePath: filePath,
+          context: {
+            violationType: 'password_smell',
+            evidence: match[0],
+            recommendation: 'Use strong, randomly generated passwords and store securely'
+          }
+        });
+      });
+    });
+    
+    return violations;
+  }
+
+  checkCodePatternsWithComments(cleanLine, lineNumber, filePath, isInComment) {
+    const violations = [];
+    
+    // Skip decorator lines (@Controller, @ApiTags, etc.)
+    const trimmedLine = cleanLine.trim();
+    if (trimmedLine.startsWith('@')) {
+      return violations;
+    }
+    
+    // Skip import statements
+    if (trimmedLine.startsWith('import ') || trimmedLine.includes('from ')) {
+      return violations;
+    }
+    
+    this.codeCreationPatterns.forEach(pattern => {
+      const regex = new RegExp(pattern, 'gi');
+      const match = cleanLine.match(regex);
+      
+      if (match) {
+        // Check if the line contains blocked usernames in actual user creation context
+        const usernameMatches = [...cleanLine.matchAll(this.blockedUsernamesRegex)];
+        usernameMatches.forEach(userMatch => {
+          // Skip if this match is within a comment
+          if (isInComment(userMatch.index)) {
+            return;
+          }
+
+          const matchedTerm = userMatch[1].toLowerCase();
+          
+          // Skip TypeScript/JavaScript type annotations (e.g., ): User => {, : User, <User>)
+          if (cleanLine.match(/:\s*User\s*(=>|\s*[,\)\{\}]|$)/) && matchedTerm === 'user') {
+            return;
+          }
+          
+          // Skip function parameters with types (e.g., (user: User))
+          if (cleanLine.match(/\(\s*\w*\s*:\s*User\s*\)/) && matchedTerm === 'user') {
+            return;
+          }
+          
+          // Skip variable declarations with types (e.g., const user: User)
+          if (cleanLine.match(/(const|let|var)\s+\w+\s*:\s*User/) && matchedTerm === 'user') {
+            return;
+          }
+          
+          // Skip generic type usage (e.g., Array<User>, Promise<User>)
+          if (cleanLine.match(/<\s*User\s*>/) && matchedTerm === 'user') {
+            return;
+          }
+          
+          // Skip API documentation examples (e.g., example: 'admin', example: 'example')
+          if (cleanLine.match(/example\s*:\s*['"]/)) {
+            return;
+          }
+          
+          // Skip schema/swagger documentation
+          if (cleanLine.match(/(type|format|nullable|properties)\s*:/)) {
+            return;
+          }
+
+          // Skip if it's destructuring from request object (e.g., { user })
+          if (cleanLine.match(/[{,]\s*user\s*[,}]/) && matchedTerm === 'user') {
+            return;
+          }
+
+          // Skip if it's object property access (e.g., user.userName, user.property, admin.userName)
+          if (cleanLine.match(/\b(user|admin|root|guest|test)\.[a-zA-Z_$][a-zA-Z0-9_$]*/) && ['user', 'admin', 'root', 'guest', 'test'].includes(matchedTerm)) {
+            return;
+          }
+
+          // Skip if it's property assignment from object (e.g., userName: user.userName)
+          if (cleanLine.match(/\w+\s*:\s*(user|admin|root|guest|test)\.[a-zA-Z_$][a-zA-Z0-9_$]*/) && ['user', 'admin', 'root', 'guest', 'test'].includes(matchedTerm)) {
+            return;
+          }
+
+          // Skip if it's variable assignment from object (e.g., const userName = user.userName)
+          if (cleanLine.match(/(const|let|var)\s+\w+\s*=\s*(user|admin|root|guest|test)\.[a-zA-Z_$][a-zA-Z0-9_$]*/) && ['user', 'admin', 'root', 'guest', 'test'].includes(matchedTerm)) {
+            return;
+          }
+          
+          // Skip property assignment inside object literal (e.g., { userName: userData.uniqueUsername })
+          if (cleanLine.match(/\{\s*\w+\s*:\s*\w+\.\w+/) && matchedTerm === 'user') {
+            return;
+          }
+          
+          // Skip return statement with object literal
+          if (cleanLine.match(/return\s*\{[\s\w:,\.]*\}/) && matchedTerm === 'user') {
+            return;
+          }
+          
+          // Skip method visibility modifiers
+          if (cleanLine.match(/\b(public|private|protected)\s/) && matchedTerm === 'public') {
+            return;
+          }
+
+          // Skip if it's a service method call (e.g., adminService.method)
+          if (cleanLine.match(/\w*Service\.\w+/) && ['admin', 'user'].includes(matchedTerm)) {
+            return;
+          }
+
+          // Skip if it's in route path or controller name
+          if (trimmedLine.includes('@Controller') || trimmedLine.includes('@ApiTags')) {
+            return;
+          }
+          
+          // Skip interface/class definitions
+          if (cleanLine.match(/(interface|class|type)\s+\w*User\w*/) && matchedTerm === 'user') {
+            return;
+          }
+
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Default account "${userMatch[1]}" found in user creation code - use named accounts`,
+            severity: 'error',
+            line: lineNumber,
+            column: userMatch.index + 1,
+            filePath: filePath,
+            context: {
+              violationType: 'code_default_account',
+              evidence: cleanLine.trim(),
+              recommendation: 'Implement proper user registration with unique usernames'
+            }
+          });
+        });
+      }
+    });
+    
+    return violations;
+  }
+
+  checkSQLPatternsWithComments(cleanLine, lineNumber, filePath, isInComment) {
+    const violations = [];
+    
+    this.sqlInsertUserPatterns.forEach(pattern => {
+      const regex = new RegExp(pattern, 'gi');
+      const match = cleanLine.match(regex);
+      
+      if (match) {
+        // Check if the line contains blocked usernames
+        const usernameMatches = [...cleanLine.matchAll(this.blockedUsernamesRegex)];
+        usernameMatches.forEach(userMatch => {
+          // Skip if this match is within a comment
+          if (isInComment(userMatch.index)) {
+            return;
+          }
+
+          violations.push({
+            ruleId: this.ruleId,
+            message: `Default account "${userMatch[1]}" found in SQL statement - use named user accounts`,
+            severity: 'error',
+            line: lineNumber,
+            column: userMatch.index + 1,
+            filePath: filePath,
+            context: {
+              violationType: 'sql_default_account',
+              evidence: cleanLine.trim(),
+              recommendation: 'Create individual user accounts with appropriate permissions'
+          
+            }
+          });
+        });
+      }
+    });
+    
+    return violations;
+  }
+
+  checkTerraformPatternsWithComments(cleanLine, lineNumber, filePath, isInComment) {
+    const violations = [];
+    
+    (this.infraPatterns.terraform || []).forEach(pattern => {
+      const regex = new RegExp(pattern, 'gi');
+      const matches = [...cleanLine.matchAll(regex)];
+      
+      matches.forEach(match => {
+        // Skip if this match is within a comment
+        if (isInComment(match.index)) {
+          return;
+        }
+
+        violations.push({
+            ruleId: this.ruleId,
+            message: `Default account "${match[1] || 'detected'}" found in Terraform config - use named accounts`,
+            severity: 'error',
+            line: lineNumber,
+            column: match.index + 1,
+            filePath: filePath,
+            context: {
+              violationType: 'terraform_default_account',
+              evidence: cleanLine.trim(),
+              recommendation: 'Use variables or data sources for user account names'
+        
+            }
+          });
+      });
+    });
+    
+    return violations;
+  }
+
+  checkHelmYamlPatternsWithComments(cleanLine, lineNumber, filePath, isInComment) {
+    const violations = [];
+    
+    (this.infraPatterns.helmValues || []).forEach(pattern => {
+      const regex = new RegExp(pattern, 'gi');
+      const matches = [...cleanLine.matchAll(regex)];
+      
+      matches.forEach(match => {
+        // Skip if this match is within a comment
+        if (isInComment(match.index)) {
+          return;
+        }
+
+        violations.push({
+            ruleId: this.ruleId,
+            message: `Default account configuration "${match[0]}" found in Helm values - use configurable accounts`,
+            severity: 'error',
+            line: lineNumber,
+            column: match.index + 1,
+            filePath: filePath,
+            context: {
+              violationType: 'helm_default_account',
+              evidence: cleanLine.trim(),
+              recommendation: 'Make user accounts configurable through values.yaml'
+        
+            }
+          });
+      });
+    });
+    
+    return violations;
+  }
+
+  checkKubernetesPatternsWithComments(cleanLine, lineNumber, filePath, isInComment) {
+    const violations = [];
+    
+    (this.infraPatterns.kubernetes || []).forEach(pattern => {
+      const regex = new RegExp(pattern, 'gi');
+      const matches = [...cleanLine.matchAll(regex)];
+      
+      matches.forEach(match => {
+        // Skip if this match is within a comment
+        if (isInComment(match.index)) {
+          return;
+        }
+
+        violations.push({
+            ruleId: this.ruleId,
+            message: `Default Kubernetes account configuration found - avoid using default accounts`,
+            severity: 'error',
+            line: lineNumber,
+            column: match.index + 1,
+            filePath: filePath,
+            context: {
+              violationType: 'kubernetes_default_account',
+              evidence: cleanLine.trim(),
+              recommendation: 'Create dedicated service accounts with minimal required permissions'
+        
+            }
+          });
+      });
+    });
+    
+    return violations;
+  }
+
+  checkDockerPatternsWithComments(cleanLine, lineNumber, filePath, isInComment) {
+    const violations = [];
+    
+    (this.infraPatterns.docker || []).forEach(pattern => {
+      const regex = new RegExp(pattern, 'gi');
+      const matches = [...cleanLine.matchAll(regex)];
+      
+      matches.forEach(match => {
+        // Skip if this match is within a comment
+        if (isInComment(match.index)) {
+          return;
+        }
+
+        violations.push({
+            ruleId: this.ruleId,
+            message: `Default account in Docker configuration - use named accounts`,
+            severity: 'error',
+            line: lineNumber,
+            column: match.index + 1,
+            filePath: filePath,
+            context: {
+              violationType: 'docker_default_account',
+              evidence: cleanLine.trim(),
+              recommendation: 'Use environment variables for database credentials'
+        
+            }
+          });
+      });
+    });
+    
+    return violations;
+  }
+
+  checkConfigPatternsWithComments(cleanLine, lineNumber, filePath, isInComment) {
+    const violations = [];
+    
+    this.configFilePatterns.forEach(pattern => {
+      const regex = new RegExp(pattern, 'gi');
+      const matches = [...cleanLine.matchAll(regex)];
+      
+      matches.forEach(match => {
+        // Skip if this match is within a comment
+        if (isInComment(match.index)) {
+          return;
+        }
+
+        violations.push({
+            ruleId: this.ruleId,
+            message: `Default account in configuration file - use named accounts`,
+            severity: 'error',
+            line: lineNumber,
+            column: match.index + 1,
+            filePath: filePath,
+            context: {
+              violationType: 'config_default_account',
+              evidence: cleanLine.trim(),
+              recommendation: 'Use environment variables or secure configuration management'
+        
+            }
+          });
+      });
+    });
+    
+    return violations;
+  }
+
+  checkDocumentationPatternsWithComments(cleanLine, lineNumber, filePath, isInComment) {
+    const violations = [];
+    
+    this.docPatterns.forEach(pattern => {
+      const regex = new RegExp(pattern, 'gi');
+      const matches = [...cleanLine.matchAll(regex)];
+      
+      matches.forEach(match => {
+        // Skip if this match is within a comment
+        if (isInComment(match.index)) {
+          return;
+        }
+
+        violations.push({
+            ruleId: this.ruleId,
+            message: `Default credentials in documentation - avoid exposing default accounts`,
+            severity: 'warning',
+            line: lineNumber,
+            column: match.index + 1,
+            filePath: filePath,
+            context: {
+              violationType: 'doc_default_account',
+              evidence: cleanLine.trim(),
+              recommendation: 'Use placeholder examples like "your-username" or "example-user"'
+        
+            }
+          });
+      });
+    });
+    
+    return violations;
+  }
+
+  checkGenericPatternsWithComments(cleanLine, lineNumber, filePath, isInComment) {
+    const violations = [];
+    
+    // Generic check for blocked usernames in any context
+    const usernameMatches = [...cleanLine.matchAll(this.blockedUsernamesRegex)];
+    usernameMatches.forEach(match => {
+      // Skip if this match is within a comment
+      if (isInComment(match.index)) {
+        return;
+      }
+
+      // Skip if it's just a comment or documentation
+      if (cleanLine.trim().startsWith('//') || cleanLine.trim().startsWith('#') || cleanLine.trim().startsWith('*')) {
+        return;
+      }
+      
+      violations.push({
+            ruleId: this.ruleId,
+            message: `Potential default account "${match[1]}" detected - verify this is intentional`,
+            severity: 'warning',
+            line: lineNumber,
+            column: match.index + 1,
+            filePath: filePath,
+            context: {
+              violationType: 'generic_default_account',
+              evidence: cleanLine.trim(),
+              recommendation: 'Use named user accounts or verify this usage is appropriate'
+      
+            }
+          });
+    });
+    
+    return violations;
+  }
+}
+
+module.exports = S054NoDefaultAccountsAnalyzer;