agent-security-scanner-mcp 3.2.0 → 3.4.0

package/src/cli/init-hooks.js

@@ -0,0 +1,164 @@
+// src/cli/init-hooks.js
+// CLI command: init-hooks
+// Installs Claude Code hooks for automatic security scanning on file write/edit.
+
+import { existsSync, readFileSync, writeFileSync, copyFileSync, mkdirSync } from 'fs';
+import { join } from 'path';
+
+const SCANNER_HOOK_MARKER = 'agent-security-scanner-mcp';
+
+function buildHooksConfig(withPromptGuard) {
+  const hooks = {
+    'post-tool-use': [
+      {
+        matcher: 'Write|Edit|MultiEdit',
+        command: `npx agent-security-scanner-mcp scan-security "$TOOL_INPUT_FILE_PATH" --verbosity minimal`,
+      },
+    ],
+  };
+
+  if (withPromptGuard) {
+    hooks['pre-tool-use'] = [
+      {
+        matcher: 'Bash',
+        command: `npx agent-security-scanner-mcp scan-prompt "$TOOL_INPUT_COMMAND" --verbosity minimal`,
+      },
+    ];
+  }
+
+  return hooks;
+}
+
+function backupTimestamp() {
+  const d = new Date();
+  const pad = (n) => String(n).padStart(2, '0');
+  return `${d.getFullYear()}${pad(d.getMonth() + 1)}${pad(d.getDate())}-${pad(d.getHours())}${pad(d.getMinutes())}${pad(d.getSeconds())}`;
+}
+
+function parseFlags(args) {
+  const flags = { dryRun: false, path: null, withPromptGuard: false };
+  let i = 0;
+  while (i < args.length) {
+    const arg = args[i];
+    if (arg === '--dry-run') flags.dryRun = true;
+    else if (arg === '--path' && i + 1 < args.length) flags.path = args[++i];
+    else if (arg === '--with-prompt-guard') flags.withPromptGuard = true;
+    i++;
+  }
+  return flags;
+}
+
+function containsScannerHook(hooksObj) {
+  if (!hooksObj || typeof hooksObj !== 'object') return false;
+  for (const eventHooks of Object.values(hooksObj)) {
+    if (!Array.isArray(eventHooks)) continue;
+    if (eventHooks.some(h => h.command && h.command.includes(SCANNER_HOOK_MARKER))) {
+      return true;
+    }
+  }
+  return false;
+}
+
+function mergeHooks(existingHooks, newHooks) {
+  const merged = { ...existingHooks };
+
+  for (const [event, hooks] of Object.entries(newHooks)) {
+    if (!merged[event]) {
+      merged[event] = hooks;
+      continue;
+    }
+
+    // Filter out existing scanner hooks for this event
+    const nonScanner = merged[event].filter(h =>
+      !h.command || !h.command.includes(SCANNER_HOOK_MARKER)
+    );
+
+    merged[event] = [...nonScanner, ...hooks];
+  }
+
+  return merged;
+}
+
+export async function runInitHooks(args) {
+  const flags = parseFlags(args);
+
+  console.log('\n  Agentic Security - Claude Code Hooks Setup\n');
+
+  const settingsDir = flags.path || join(process.cwd(), '.claude');
+  const settingsPath = join(settingsDir, 'settings.json');
+
+  console.log(`  Settings: ${settingsPath}`);
+  console.log(`  Prompt guard: ${flags.withPromptGuard ? 'enabled' : 'disabled (use --with-prompt-guard to enable)'}`);
+  console.log('');
+
+  const newHooks = buildHooksConfig(flags.withPromptGuard);
+
+  // Read existing settings
+  let existing = {};
+  let fileExisted = false;
+  if (existsSync(settingsPath)) {
+    fileExisted = true;
+    try {
+      existing = JSON.parse(readFileSync(settingsPath, 'utf-8'));
+    } catch (e) {
+      console.error(`  ERROR: Invalid JSON in ${settingsPath}`);
+      console.error(`  ${e.message}\n`);
+      process.exit(1);
+    }
+  }
+
+  if (containsScannerHook(existing.hooks)) {
+    console.log('  Scanner hooks already configured. Updating...');
+  }
+
+  // Merge hooks non-destructively
+  const mergedHooks = mergeHooks(existing.hooks || {}, newHooks);
+  const merged = { ...existing, hooks: mergedHooks };
+  const output = JSON.stringify(merged, null, 2) + '\n';
+
+  if (flags.dryRun) {
+    console.log('  [dry-run] Would write:\n');
+    console.log('  ' + output.split('\n').join('\n  '));
+    console.log('  No changes made.\n');
+    return;
+  }
+
+  if (!existsSync(settingsDir)) {
+    mkdirSync(settingsDir, { recursive: true });
+    console.log(`  Created directory: ${settingsDir}`);
+  }
+
+  if (fileExisted) {
+    const backupPath = `${settingsPath}.bak-${backupTimestamp()}`;
+    copyFileSync(settingsPath, backupPath);
+    console.log(`  Backup: ${backupPath}`);
+  }
+
+  writeFileSync(settingsPath, output);
+  console.log(`  Wrote: ${settingsPath}\n`);
+
+  console.log('  Hooks installed:');
+  for (const [event, hooks] of Object.entries(newHooks)) {
+    for (const hook of hooks) {
+      console.log(`    - [${event}] Matcher: ${hook.matcher}`);
+    }
+  }
+
+  console.log('\n  Security scanning is now automatic for file writes and edits.');
+  console.log('  Restart Claude Code for hooks to take effect.\n');
+
+  if (!existsSync(join(process.cwd(), '.scannerrc.yaml')) &&
+      !existsSync(join(process.cwd(), '.scannerrc.yml')) &&
+      !existsSync(join(process.cwd(), '.scannerrc.json'))) {
+    console.log('  Tip: Create a .scannerrc.yaml to customize scanning:');
+    console.log('');
+    console.log('    version: 1');
+    console.log('    suppress:');
+    console.log('      - rule: "insecure-random"');
+    console.log('    exclude:');
+    console.log('      - "node_modules/**"');
+    console.log('      - "dist/**"');
+    console.log('    severity_threshold: "warning"');
+    console.log('');
+  }
+}

package/src/cli/init.js

@@ -73,6 +73,12 @@ const CLIENT_CONFIGS = {
     configKey: 'mcpServers',
     configPath: () => join(vscodeBase(), 'Code', 'User', 'globalStorage', 'sourcegraph.cody-ai', 'mcp_settings.json'),
     buildEntry: () => ({ ...MCP_SERVER_ENTRY })
+  },
+  'openclaw': {
+    name: 'OpenClaw',
+    isSkillBased: true, // OpenClaw uses skills, not MCP config
+    skillPath: () => join(homedir(), '.openclaw', 'workspace', 'skills', 'security-scanner'),
+    configPath: () => join(homedir(), '.openclaw', 'workspace', 'skills', 'security-scanner', 'SKILL.md')
   }
 };
 
@@ -150,6 +156,87 @@ function printInitUsage() {
   console.log('    npx agent-security-scanner-mcp init cline --force --name my-scanner\n');
 }
 
+// Special installer for OpenClaw (skill-based)
+async function installOpenClawSkill(client, flags) {
+  const skillDir = client.skillPath();
+  const skillFile = client.configPath();
+
+  // Find the source skill file (bundled with the package)
+  const __dirname = dirname(new URL(import.meta.url).pathname);
+  const sourceSkill = join(__dirname, '..', '..', 'skills', 'openclaw', 'SKILL.md');
+
+  console.log(`\n  Client:  ${client.name}`);
+  console.log(`  Skill:   ${skillDir}`);
+  console.log(`  OS:      ${platform()} (${process.arch})\n`);
+
+  // Check if OpenClaw workspace exists
+  const openclawDir = join(homedir(), '.openclaw');
+  if (!existsSync(openclawDir)) {
+    console.log(`  OpenClaw not found at ${openclawDir}`);
+    console.log(`  Please install OpenClaw first: https://openclaw.ai\n`);
+    process.exit(1);
+  }
+
+  // Check if source skill exists
+  if (!existsSync(sourceSkill)) {
+    console.error(`  ERROR: Skill source not found at ${sourceSkill}`);
+    console.error(`  This may be a packaging issue. Please reinstall the package.\n`);
+    process.exit(1);
+  }
+
+  // Check if skill already exists
+  if (existsSync(skillFile)) {
+    const existing = readFileSync(skillFile, 'utf-8');
+    const source = readFileSync(sourceSkill, 'utf-8');
+    if (existing === source) {
+      console.log(`  Security scanner skill is already installed (identical).`);
+      console.log(`  Nothing to do.\n`);
+      process.exit(0);
+    }
+
+    console.log(`  Security scanner skill exists but differs.`);
+    if (!flags.force) {
+      if (flags.yes) {
+        console.log(`  Skipping (use --force to overwrite).\n`);
+        process.exit(0);
+      }
+      const rl = createInterface({ input: process.stdin, output: process.stdout });
+      const answer = await new Promise((resolve) => {
+        rl.question('  Overwrite? (y/N): ', (a) => { rl.close(); resolve(a); });
+      });
+      if (answer.toLowerCase() !== 'y') {
+        console.log('  Aborted.\n');
+        process.exit(0);
+      }
+    }
+  }
+
+  // Dry-run mode
+  if (flags.dryRun) {
+    console.log(`  [dry-run] Would create directory: ${skillDir}`);
+    console.log(`  [dry-run] Would copy skill from: ${sourceSkill}`);
+    console.log(`  [dry-run] Would write to: ${skillFile}`);
+    console.log(`  No changes made.\n`);
+    process.exit(0);
+  }
+
+  // Create skill directory
+  if (!existsSync(skillDir)) {
+    mkdirSync(skillDir, { recursive: true });
+    console.log(`  Created directory: ${skillDir}`);
+  }
+
+  // Copy skill file
+  copyFileSync(sourceSkill, skillFile);
+  console.log(`  Installed skill: ${skillFile}`);
+
+  console.log(`\n  OpenClaw security scanner skill installed successfully!`);
+  console.log(`\n  Usage in OpenClaw:`);
+  console.log(`    - The skill will be auto-discovered by OpenClaw`);
+  console.log(`    - Use /security-scanner to invoke it`);
+  console.log(`    - Or ask: "scan this prompt for security issues"\n`);
+}
+
 export async function runInit(args) {
   const flags = parseInitFlags(args);
   let clientName = flags.client;
@@ -171,6 +258,12 @@ export async function runInit(args) {
     process.exit(1);
   }
 
+  // Special handling for OpenClaw (skill-based, not MCP config)
+  if (client.isSkillBased) {
+    await installOpenClawSkill(client, flags);
+    return;
+  }
+
   const configPath = flags.path || client.configPath();
   const serverName = flags.name;
   const entry = client.buildEntry();

package/src/config.js

@@ -0,0 +1,181 @@
+// .scannerrc configuration loading and filtering.
+// Supports YAML (.scannerrc.yaml/.yml) and JSON (.scannerrc.json) project configs.
+
+import { existsSync, readFileSync } from 'fs';
+import { dirname, join, resolve, sep } from 'path';
+import { execFileSync } from 'child_process';
+
+const DEFAULT_CONFIG = {
+  version: 1,
+  suppress: [],
+  exclude: ['node_modules/**', 'vendor/**', 'dist/**', '**/*.min.js'],
+  severity_threshold: 'info',
+  confidence_threshold: 'LOW',
+};
+
+const SEVERITY_ORDER = { info: 0, warning: 1, error: 2 };
+const CONFIDENCE_ORDER = { LOW: 0, MEDIUM: 1, HIGH: 2 };
+
+// Simple glob-to-regex converter (no external dependency)
+function globToRegex(pattern) {
+  let regex = '';
+  let i = 0;
+  while (i < pattern.length) {
+    const c = pattern[i];
+    if (c === '*') {
+      if (pattern[i + 1] === '*') {
+        if (pattern[i + 2] === '/') {
+          regex += '(?:.+/)?';
+          i += 3;
+          continue;
+        }
+        regex += '.*';
+        i += 2;
+        continue;
+      }
+      regex += '[^/]*';
+    } else if (c === '?') {
+      regex += '[^/]';
+    } else if (c === '{') {
+      regex += '(?:';
+    } else if (c === '}') {
+      regex += ')';
+    } else if (c === ',') {
+      regex += '|';
+    } else if ('.+^$|()[]\\'.includes(c)) {
+      regex += '\\' + c;
+    } else {
+      regex += c;
+    }
+    i++;
+  }
+  return new RegExp('^' + regex + '$');
+}
+
+export function matchGlob(filePath, pattern) {
+  // Normalize path separators
+  const normalized = filePath.replace(/\\/g, '/');
+  const re = globToRegex(pattern);
+  // Test against both full path and basename
+  return re.test(normalized) || re.test(normalized.split('/').pop());
+}
+
+// Walk up from filePath to find config file
+function findConfigFile(startPath) {
+  const names = ['.scannerrc.yaml', '.scannerrc.yml', '.scannerrc.json'];
+  let dir = resolve(dirname(startPath));
+  const root = resolve('/');
+
+  for (let i = 0; i < 50; i++) {
+    for (const name of names) {
+      const candidate = join(dir, name);
+      if (existsSync(candidate)) return candidate;
+    }
+    const parent = dirname(dir);
+    if (parent === dir || dir === root) break;
+    dir = parent;
+  }
+  return null;
+}
+
+function parseYaml(filePath) {
+  try {
+    const result = execFileSync('python3', [
+      '-c',
+      'import yaml,json,sys; print(json.dumps(yaml.safe_load(open(sys.argv[1]))))',
+      filePath,
+    ], { encoding: 'utf-8', timeout: 5000 });
+    return JSON.parse(result.trim());
+  } catch {
+    // Fallback: try simple key-value parsing for basic configs
+    return null;
+  }
+}
+
+export function loadConfig(filePath) {
+  const configFile = findConfigFile(filePath);
+  if (!configFile) return { ...DEFAULT_CONFIG };
+
+  try {
+    let parsed;
+    if (configFile.endsWith('.json')) {
+      parsed = JSON.parse(readFileSync(configFile, 'utf-8'));
+    } else {
+      parsed = parseYaml(configFile);
+    }
+
+    if (!parsed || typeof parsed !== 'object') return { ...DEFAULT_CONFIG };
+
+    return {
+      version: parsed.version || DEFAULT_CONFIG.version,
+      suppress: Array.isArray(parsed.suppress) ? parsed.suppress : DEFAULT_CONFIG.suppress,
+      exclude: Array.isArray(parsed.exclude) ? parsed.exclude : DEFAULT_CONFIG.exclude,
+      severity_threshold: parsed.severity_threshold || DEFAULT_CONFIG.severity_threshold,
+      confidence_threshold: parsed.confidence_threshold || DEFAULT_CONFIG.confidence_threshold,
+    };
+  } catch {
+    return { ...DEFAULT_CONFIG };
+  }
+}
+
+export function shouldExcludeFile(filePath, config) {
+  if (!config.exclude || config.exclude.length === 0) return false;
+  const normalized = filePath.replace(/\\/g, '/');
+  return config.exclude.some(pattern => matchGlob(normalized, pattern));
+}
+
+export function shouldSuppressRule(ruleId, filePath, config) {
+  if (!config.suppress || config.suppress.length === 0) return false;
+
+  for (const entry of config.suppress) {
+    const rule = typeof entry === 'string' ? entry : entry.rule;
+    if (!rule) continue;
+
+    // Check if rule pattern matches
+    const ruleMatches = matchGlob(ruleId, rule);
+    if (!ruleMatches) continue;
+
+    // Check path restriction if present
+    if (entry.paths && Array.isArray(entry.paths)) {
+      const normalized = filePath.replace(/\\/g, '/');
+      const pathMatches = entry.paths.some(p => matchGlob(normalized, p));
+      if (!pathMatches) continue;
+    }
+
+    return true;
+  }
+
+  return false;
+}
+
+export function meetsSeverityThreshold(severity, config) {
+  const threshold = config.severity_threshold || 'info';
+  const severityLevel = SEVERITY_ORDER[severity] ?? 0;
+  const thresholdLevel = SEVERITY_ORDER[threshold] ?? 0;
+  return severityLevel >= thresholdLevel;
+}
+
+export function meetsConfidenceThreshold(confidence, config) {
+  const threshold = config.confidence_threshold || 'LOW';
+  const confidenceLevel = CONFIDENCE_ORDER[confidence] ?? 0;
+  const thresholdLevel = CONFIDENCE_ORDER[threshold] ?? 0;
+  return confidenceLevel >= thresholdLevel;
+}
+
+export function applyConfig(findings, filePath, config) {
+  if (!Array.isArray(findings)) return findings;
+  if (!config) return findings;
+
+  return findings.filter(finding => {
+    // Check rule suppression
+    if (shouldSuppressRule(finding.ruleId, filePath, config)) return false;
+
+    // Check severity threshold
+    if (!meetsSeverityThreshold(finding.severity, config)) return false;
+
+    // Check confidence threshold
+    if (!meetsConfidenceThreshold(finding.confidence || 'MEDIUM', config)) return false;
+
+    return true;
+  });
+}

package/src/context.js

@@ -0,0 +1,228 @@
+// Context-aware filtering to reduce false positives.
+// Suppresses findings on import-only lines for known standard/popular modules.
+
+import { existsSync, readFileSync } from 'fs';
+import { dirname, join } from 'path';
+
+// Known safe standard library and popular modules per language
+const KNOWN_MODULES = {
+  javascript: new Set([
+    // Node.js builtins
+    'assert', 'buffer', 'child_process', 'cluster', 'crypto', 'dgram',
+    'dns', 'events', 'fs', 'http', 'http2', 'https', 'net', 'os',
+    'path', 'perf_hooks', 'process', 'querystring', 'readline', 'stream',
+    'string_decoder', 'timers', 'tls', 'tty', 'url', 'util', 'v8',
+    'vm', 'worker_threads', 'zlib',
+    // Popular frameworks/libraries
+    'express', 'koa', 'fastify', 'hapi', 'next', 'nuxt',
+    'react', 'react-dom', 'vue', 'angular', 'svelte',
+    'lodash', 'underscore', 'ramda',
+    'axios', 'node-fetch', 'got', 'superagent',
+    'moment', 'dayjs', 'date-fns', 'luxon',
+    'winston', 'morgan', 'pino', 'bunyan',
+    'helmet', 'cors', 'body-parser', 'cookie-parser', 'compression',
+    'passport', 'jsonwebtoken', 'bcrypt', 'bcryptjs',
+    'jest', 'mocha', 'chai', 'vitest', 'sinon', 'tape',
+    'typescript', 'webpack', 'vite', 'esbuild', 'rollup', 'parcel',
+    'mysql', 'mysql2', 'pg', 'mongodb', 'mongoose', 'redis', 'ioredis',
+    'sequelize', 'knex', 'prisma', 'typeorm', 'drizzle-orm',
+    'zod', 'joi', 'yup', 'ajv',
+    'dotenv', 'config', 'commander', 'yargs',
+    'chalk', 'debug', 'uuid', 'nanoid',
+    'socket.io', 'ws',
+  ]),
+  typescript: new Set([
+    // Same as JavaScript - TS shares the same ecosystem
+    'assert', 'buffer', 'child_process', 'cluster', 'crypto', 'dgram',
+    'dns', 'events', 'fs', 'http', 'http2', 'https', 'net', 'os',
+    'path', 'process', 'querystring', 'readline', 'stream', 'tls',
+    'url', 'util', 'worker_threads', 'zlib',
+    'express', 'koa', 'fastify', 'next', 'nuxt',
+    'react', 'react-dom', 'vue', 'angular', 'svelte',
+    'lodash', 'axios', 'node-fetch',
+    'helmet', 'cors', 'body-parser',
+    'jest', 'mocha', 'vitest',
+    'typescript', 'webpack', 'vite', 'esbuild',
+    'mysql', 'mysql2', 'pg', 'mongodb', 'mongoose', 'redis',
+    'sequelize', 'knex', 'prisma', 'typeorm',
+    'zod', 'joi',
+  ]),
+  python: new Set([
+    // Standard library
+    'os', 'sys', 'json', 'math', 'datetime', 'collections', 're',
+    'pathlib', 'typing', 'abc', 'io', 'subprocess', 'shutil',
+    'hashlib', 'hmac', 'secrets', 'sqlite3', 'csv', 'xml',
+    'urllib', 'http', 'socket', 'ssl', 'email', 'logging',
+    'unittest', 'argparse', 'configparser', 'functools', 'itertools',
+    'contextlib', 'dataclasses', 'enum', 'struct', 'copy', 'pprint',
+    'textwrap', 'string', 'codecs', 'base64', 'binascii',
+    'threading', 'multiprocessing', 'asyncio', 'concurrent',
+    'pickle', 'shelve', 'marshal', 'dbm',
+    'tempfile', 'glob', 'fnmatch', 'stat',
+    'time', 'calendar', 'locale', 'gettext',
+    'random', 'statistics',
+    // Popular packages
+    'pytest', 'mock', 'coverage',
+    'flask', 'django', 'fastapi', 'starlette', 'uvicorn', 'gunicorn',
+    'requests', 'httpx', 'aiohttp', 'urllib3',
+    'sqlalchemy', 'alembic', 'psycopg2', 'pymongo',
+    'celery', 'redis', 'boto3', 'botocore',
+    'numpy', 'pandas', 'scipy', 'matplotlib',
+    'pydantic', 'marshmallow', 'attrs',
+    'click', 'typer', 'rich',
+    'yaml', 'toml', 'dotenv',
+  ]),
+  ruby: new Set([
+    'rails', 'sinatra', 'rack', 'puma', 'unicorn',
+    'bundler', 'rake', 'rspec', 'minitest',
+    'activerecord', 'activesupport', 'actionpack',
+    'devise', 'pundit', 'cancancan',
+    'json', 'yaml', 'csv', 'net/http', 'uri', 'openssl',
+    'fileutils', 'pathname', 'tempfile', 'logger',
+  ]),
+  go: new Set([
+    'fmt', 'os', 'io', 'net', 'net/http', 'encoding/json',
+    'encoding/xml', 'crypto', 'crypto/tls', 'database/sql',
+    'sync', 'context', 'errors', 'strings', 'strconv',
+    'path', 'path/filepath', 'log', 'testing', 'time',
+    'math', 'sort', 'regexp', 'reflect', 'bufio',
+  ]),
+};
+
+// Patterns that identify import-only lines (no actual code execution)
+const IMPORT_ONLY_PATTERNS = [
+  // JS/TS require
+  /^\s*(const|let|var)\s+\w+\s*=\s*require\s*\(\s*['"][^'"]+['"]\s*\)\s*;?\s*$/,
+  /^\s*(const|let|var)\s+\{[^}]+\}\s*=\s*require\s*\(\s*['"][^'"]+['"]\s*\)\s*;?\s*$/,
+  // JS/TS import
+  /^\s*import\s+.*\s+from\s+['"][^'"]+['"]\s*;?\s*$/,
+  /^\s*import\s+['"][^'"]+['"]\s*;?\s*$/,
+  /^\s*import\s+\w+\s*$/,
+  // Python import
+  /^\s*import\s+[a-zA-Z_][\w.]*\s*(,\s*[a-zA-Z_][\w.]*)*\s*$/,
+  /^\s*from\s+[a-zA-Z_][\w.]*\s+import\s+/,
+  // Ruby require
+  /^\s*require\s+['"][^'"]+['"]\s*$/,
+  /^\s*require_relative\s+['"][^'"]+['"]\s*$/,
+  // Go import (single line)
+  /^\s*"[a-zA-Z_][\w/.]*"\s*$/,
+];
+
+export function isImportOnly(line) {
+  let trimmed = line.trim();
+  if (!trimmed) return false;
+  // Strip trailing single-line comments (JS/Python/Ruby)
+  trimmed = trimmed.replace(/\s*\/\/.*$/, '').replace(/\s*#(?!!).*$/, '').trim();
+  if (!trimmed) return false;
+  return IMPORT_ONLY_PATTERNS.some(p => p.test(trimmed));
+}
+
+export function isKnownModule(moduleName, language) {
+  const modules = KNOWN_MODULES[language];
+  if (!modules) return false;
+  // Handle scoped packages (@org/pkg -> check full name)
+  // Handle subpath imports (child_process -> child_process)
+  const baseName = moduleName.split('/')[0];
+  return modules.has(moduleName) || modules.has(baseName);
+}
+
+// Extract module name from a line of code
+function extractModuleName(line) {
+  // JS/TS: require("module") or require('module')
+  const requireMatch = line.match(/require\s*\(\s*['"]([^'"]+)['"]\s*\)/);
+  if (requireMatch) return requireMatch[1];
+
+  // JS/TS: import ... from "module"
+  const importFromMatch = line.match(/from\s+['"]([^'"]+)['"]/);
+  if (importFromMatch) return importFromMatch[1];
+
+  // Python: import module or from module import ...
+  const pyImportMatch = line.match(/^\s*import\s+([a-zA-Z_][\w]*)/);
+  if (pyImportMatch) return pyImportMatch[1];
+
+  const pyFromMatch = line.match(/^\s*from\s+([a-zA-Z_][\w]*)/);
+  if (pyFromMatch) return pyFromMatch[1];
+
+  return null;
+}
+
+// Filter findings based on context awareness
+export function applyContextFilter(findings, filePath, language) {
+  if (!Array.isArray(findings) || findings.length === 0) return findings;
+
+  let lines = [];
+  try {
+    if (existsSync(filePath)) {
+      lines = readFileSync(filePath, 'utf-8').split('\n');
+    }
+  } catch {
+    return findings;
+  }
+
+  return findings.filter(finding => {
+    const line = lines[finding.line] || '';
+
+    // Only filter import-only lines
+    if (!isImportOnly(line)) return true;
+
+    // Check if the module is known/safe
+    const moduleName = extractModuleName(line);
+    if (moduleName && isKnownModule(moduleName, language)) {
+      return false; // Suppress finding on known module import
+    }
+
+    return true;
+  });
+}
+
+// Framework/middleware detection patterns
+const FRAMEWORK_PATTERNS = {
+  helmet: { pattern: /require\s*\(\s*['"]helmet['"]\s*\)|from\s+['"]helmet['"]|import\s+.*helmet/, languages: ['javascript', 'typescript'] },
+  dompurify: { pattern: /require\s*\(\s*['"](?:dompurify|isomorphic-dompurify)['"]\s*\)|from\s+['"](?:dompurify|isomorphic-dompurify)['"]|import\s+.*(?:dompurify|DOMPurify)/, languages: ['javascript', 'typescript'] },
+  csurf: { pattern: /require\s*\(\s*['"]csurf['"]\s*\)|from\s+['"]csurf['"]/, languages: ['javascript', 'typescript'] },
+  cors: { pattern: /require\s*\(\s*['"]cors['"]\s*\)|from\s+['"]cors['"]/, languages: ['javascript', 'typescript'] },
+  prisma: { pattern: /from\s+prisma|import\s+prisma|@prisma\/client/, languages: ['javascript', 'typescript', 'python'] },
+  bcrypt: { pattern: /import\s+bcrypt|from\s+bcrypt|require\s*\(\s*['"]bcryptjs?['"]\s*\)/, languages: ['javascript', 'typescript', 'python'] },
+};
+
+// Maps framework -> which rule categories it mitigates -> downgraded severity
+const SEVERITY_DOWNGRADE = {
+  helmet: { mitigates: ['xss', 'innerhtml', 'outerhtml', 'document-write', 'cors-wildcard'], to: 'warning' },
+  dompurify: { mitigates: ['xss', 'innerhtml', 'outerhtml', 'dangerouslysetinnerhtml', 'insertadjacenthtml', 'document-write'], to: 'warning' },
+  csurf: { mitigates: ['csrf'], to: 'warning' },
+  cors: { mitigates: ['cors-wildcard'], to: 'info' },
+  prisma: { mitigates: ['sql-injection', 'nosql-injection', 'raw-query'], to: 'warning' },
+  bcrypt: { mitigates: ['md5', 'sha1', 'weak-hash', 'weak-cipher'], to: 'info' },
+};
+
+export function detectFrameworks(filePath, language) {
+  const detected = [];
+  try {
+    if (!existsSync(filePath)) return detected;
+    const content = readFileSync(filePath, 'utf-8');
+    for (const [name, config] of Object.entries(FRAMEWORK_PATTERNS)) {
+      if (config.languages.includes(language) && config.pattern.test(content)) {
+        detected.push(name);
+      }
+    }
+  } catch {
+    // Ignore read errors
+  }
+  return detected;
+}
+
+export function applyFrameworkAdjustments(findings, frameworks) {
+  if (!Array.isArray(findings) || findings.length === 0 || frameworks.length === 0) return findings;
+
+  return findings.map(finding => {
+    const ruleId = finding.ruleId?.toLowerCase() || '';
+    for (const fw of frameworks) {
+      const downgrade = SEVERITY_DOWNGRADE[fw];
+      if (!downgrade) continue;
+      if (downgrade.mitigates.some(m => ruleId.includes(m))) {
+        return { ...finding, severity: downgrade.to, frameworkMitigated: fw };
+      }
+    }
+    return finding;
+  });
+}