agent-security-scanner-mcp 3.4.0 → 3.5.1

package/src/cli/init.js

@@ -73,12 +73,6 @@ const CLIENT_CONFIGS = {
     configKey: 'mcpServers',
     configPath: () => join(vscodeBase(), 'Code', 'User', 'globalStorage', 'sourcegraph.cody-ai', 'mcp_settings.json'),
     buildEntry: () => ({ ...MCP_SERVER_ENTRY })
-  },
-  'openclaw': {
-    name: 'OpenClaw',
-    isSkillBased: true, // OpenClaw uses skills, not MCP config
-    skillPath: () => join(homedir(), '.openclaw', 'workspace', 'skills', 'security-scanner'),
-    configPath: () => join(homedir(), '.openclaw', 'workspace', 'skills', 'security-scanner', 'SKILL.md')
   }
 };
 
@@ -156,87 +150,6 @@ function printInitUsage() {
   console.log('    npx agent-security-scanner-mcp init cline --force --name my-scanner\n');
 }
 
-// Special installer for OpenClaw (skill-based)
-async function installOpenClawSkill(client, flags) {
-  const skillDir = client.skillPath();
-  const skillFile = client.configPath();
-
-  // Find the source skill file (bundled with the package)
-  const __dirname = dirname(new URL(import.meta.url).pathname);
-  const sourceSkill = join(__dirname, '..', '..', 'skills', 'openclaw', 'SKILL.md');
-
-  console.log(`\n  Client:  ${client.name}`);
-  console.log(`  Skill:   ${skillDir}`);
-  console.log(`  OS:      ${platform()} (${process.arch})\n`);
-
-  // Check if OpenClaw workspace exists
-  const openclawDir = join(homedir(), '.openclaw');
-  if (!existsSync(openclawDir)) {
-    console.log(`  OpenClaw not found at ${openclawDir}`);
-    console.log(`  Please install OpenClaw first: https://openclaw.ai\n`);
-    process.exit(1);
-  }
-
-  // Check if source skill exists
-  if (!existsSync(sourceSkill)) {
-    console.error(`  ERROR: Skill source not found at ${sourceSkill}`);
-    console.error(`  This may be a packaging issue. Please reinstall the package.\n`);
-    process.exit(1);
-  }
-
-  // Check if skill already exists
-  if (existsSync(skillFile)) {
-    const existing = readFileSync(skillFile, 'utf-8');
-    const source = readFileSync(sourceSkill, 'utf-8');
-    if (existing === source) {
-      console.log(`  Security scanner skill is already installed (identical).`);
-      console.log(`  Nothing to do.\n`);
-      process.exit(0);
-    }
-
-    console.log(`  Security scanner skill exists but differs.`);
-    if (!flags.force) {
-      if (flags.yes) {
-        console.log(`  Skipping (use --force to overwrite).\n`);
-        process.exit(0);
-      }
-      const rl = createInterface({ input: process.stdin, output: process.stdout });
-      const answer = await new Promise((resolve) => {
-        rl.question('  Overwrite? (y/N): ', (a) => { rl.close(); resolve(a); });
-      });
-      if (answer.toLowerCase() !== 'y') {
-        console.log('  Aborted.\n');
-        process.exit(0);
-      }
-    }
-  }
-
-  // Dry-run mode
-  if (flags.dryRun) {
-    console.log(`  [dry-run] Would create directory: ${skillDir}`);
-    console.log(`  [dry-run] Would copy skill from: ${sourceSkill}`);
-    console.log(`  [dry-run] Would write to: ${skillFile}`);
-    console.log(`  No changes made.\n`);
-    process.exit(0);
-  }
-
-  // Create skill directory
-  if (!existsSync(skillDir)) {
-    mkdirSync(skillDir, { recursive: true });
-    console.log(`  Created directory: ${skillDir}`);
-  }
-
-  // Copy skill file
-  copyFileSync(sourceSkill, skillFile);
-  console.log(`  Installed skill: ${skillFile}`);
-
-  console.log(`\n  OpenClaw security scanner skill installed successfully!`);
-  console.log(`\n  Usage in OpenClaw:`);
-  console.log(`    - The skill will be auto-discovered by OpenClaw`);
-  console.log(`    - Use /security-scanner to invoke it`);
-  console.log(`    - Or ask: "scan this prompt for security issues"\n`);
-}
-
 export async function runInit(args) {
   const flags = parseInitFlags(args);
   let clientName = flags.client;
@@ -258,12 +171,6 @@ export async function runInit(args) {
     process.exit(1);
   }
 
-  // Special handling for OpenClaw (skill-based, not MCP config)
-  if (client.isSkillBased) {
-    await installOpenClawSkill(client, flags);
-    return;
-  }
-
   const configPath = flags.path || client.configPath();
   const serverName = flags.name;
   const entry = client.buildEntry();

package/src/fix-patterns.js

@@ -63,56 +63,20 @@ export const FIX_TEMPLATES = {
   // COMMAND INJECTION
   // ===========================================
   "child-process-exec": {
-    description: "Use execFile() with separate command and arguments array",
-    fix: (line) => {
-      // Match: exec("cmd " + arg) -> execFile("cmd", [arg])
-      const concatMatch = line.match(/\bexec\s*\(\s*["'](\S+)\s+["']\s*\+\s*(\w+)/);
-      if (concatMatch) {
-        return line.replace(/\bexec\s*\(\s*["'](\S+)\s+["']\s*\+\s*(\w+)\s*\)/, 'execFile("$1", [$2])');
-      }
-      // Match: exec(`cmd ${arg}`) -> execFile("cmd", [arg])
-      const templateMatch = line.match(/\bexec\s*\(\s*`(\S+)\s+\$\{(\w+)\}`/);
-      if (templateMatch) {
-        return line.replace(/\bexec\s*\(\s*`(\S+)\s+\$\{(\w+)\}`\s*\)/, 'execFile("$1", [$2])');
-      }
-      // Match: exec(variable) -> execFile with guidance
-      const varMatch = line.match(/\bexec\s*\(\s*(\w+)\s*\)/);
-      if (varMatch) {
-        return line.replace(/\bexec\s*\(\s*(\w+)\s*\)/, 'execFile($1.split(" ")[0], $1.split(" ").slice(1))');
-      }
-      // Fallback: comment with guidance
-      return '// SECURITY: Use execFile(command, [args]) instead of exec() - ' + line.trim();
-    }
+    description: "Use execFile() or spawn() with shell: false",
+    fix: (line) => line.replace(/\bexec\s*\(/, 'execFile(')
   },
   "spawn-shell": {
     description: "Use spawn with shell: false",
     fix: (line) => line.replace(/shell\s*:\s*true/i, 'shell: false')
   },
   "dangerous-subprocess": {
-    description: "Use subprocess.run with list arguments and shell=False",
-    fix: (line) => {
-      // Replace shell=True with shell=False
-      let fixed = line.replace(/shell\s*=\s*True/, 'shell=False');
-      // Replace string command with shlex.split() for safe list form
-      fixed = fixed.replace(
-        /subprocess\.(call|run|Popen)\s*\(\s*["'](.+?)["']/,
-        'subprocess.$1(shlex.split("$2")'
-      );
-      return fixed;
-    }
+    description: "Use subprocess.run with list arguments",
+    fix: (line) => line.replace(/subprocess\.(call|run|Popen)\s*\(\s*["'](.+?)["']\s*,\s*shell\s*=\s*True/, 'subprocess.$1(["$2".split()], shell=False')
   },
   "dangerous-system-call": {
     description: "Use subprocess.run instead of os.system",
-    fix: (line) => {
-      const match = line.match(/os\.system\s*\(\s*(.+?)\s*\)/);
-      if (match) {
-        return line.replace(
-          /os\.system\s*\(\s*(.+?)\s*\)/,
-          'subprocess.run(shlex.split($1), shell=False)'
-        );
-      }
-      return '# SECURITY: Replace os.system() with subprocess.run(shlex.split(cmd), shell=False)\n# ' + line.trim();
-    }
+    fix: (line) => line.replace(/os\.system\s*\(/, 'subprocess.run([')
   },
   "command-injection-exec": {
     description: "Use exec.Command with separate arguments",
@@ -233,11 +197,8 @@ export const FIX_TEMPLATES = {
   // INSECURE DESERIALIZATION
   // ===========================================
   "pickle": {
-    description: "Use JSON instead of pickle for untrusted data",
-    fix: (line) => {
-      const fixed = line.replace(/pickle\.(load|loads)\s*\(/, 'json.$1(');
-      return fixed + '  # NOTE: data must be JSON-formatted';
-    }
+    description: "Use JSON instead of pickle",
+    fix: (line) => line.replace(/pickle\.(load|loads)\s*\(/, 'json.$1(')
   },
   "yaml-load": {
     description: "Use yaml.safe_load()",
@@ -248,8 +209,8 @@ export const FIX_TEMPLATES = {
     fix: (line) => line.replace(/marshal\.(load|loads)\s*\(/, 'json.$1(')
   },
   "shelve": {
-    description: "Use JSON or SQLite instead of shelve for safe storage",
-    fix: (line) => '# SECURITY: Replace shelve with json or sqlite3 for safe storage\n# ' + line.trim()
+    description: "Use JSON or SQLite instead of shelve",
+    fix: (line) => line.replace(/shelve\.open\s*\(/, 'json.load(open(')
   },
   "node-serialize": {
     description: "Use JSON.parse instead of node-serialize",
@@ -296,12 +257,12 @@ export const FIX_TEMPLATES = {
   // PATH TRAVERSAL
   // ===========================================
   "path-traversal": {
-    description: "Resolve real path and validate prefix to prevent traversal",
+    description: "Sanitize file paths and use basename",
     fix: (line, lang) => {
-      if (lang === 'python') return line.replace(/open\s*\(\s*(\w+)/, 'open(os.path.realpath($1)  # TODO: validate path prefix');
-      if (lang === 'go') return line.replace(/os\.Open\s*\(\s*(\w+)/, 'os.Open(filepath.Clean($1)  // TODO: validate path prefix');
-      if (lang === 'java') return line.replace(/new File\s*\(\s*(\w+)/, 'new File($1).getCanonicalFile(  // TODO: validate path prefix');
-      return line.replace(/readFileSync\s*\(\s*(\w+)/, 'readFileSync(path.resolve($1)  // TODO: validate path prefix');
+      if (lang === 'python') return line.replace(/open\s*\(\s*(\w+)/, 'open(os.path.basename($1)');
+      if (lang === 'go') return line.replace(/os\.Open\s*\(\s*(\w+)/, 'os.Open(filepath.Base($1)');
+      if (lang === 'java') return line.replace(/new File\s*\(\s*(\w+)/, 'new File(new File($1).getName()');
+      return line.replace(/readFileSync\s*\(\s*(\w+)/, 'readFileSync(path.basename($1)');
     }
   },
 
@@ -446,14 +407,7 @@ export const FIX_TEMPLATES = {
   // ===========================================
   "prototype-pollution": {
     description: "Validate object keys before assignment",
-    fix: (line) => {
-      // Only fix simple single-line assignments like: obj[key] = value
-      // Reject lines with multiple bracket accesses or chained assignments
-      if (/^\s*\w+\[\w+\]\s*=\s*[^[=]+$/.test(line)) {
-        return line.replace(/(\w+)\[(\w+)\]\s*=/, 'if (!["__proto__", "constructor", "prototype"].includes($2)) $1[$2] =');
-      }
-      return '// SECURITY: Validate key is not __proto__/constructor/prototype before assignment\n// ' + line.trim();
-    }
+    fix: (line) => line.replace(/(\w+)\[(\w+)\]\s*=/, 'if (!["__proto__", "constructor", "prototype"].includes($2)) $1[$2] =')
   },
 
   // ===========================================
@@ -489,7 +443,7 @@ export const FIX_TEMPLATES = {
   // ===========================================
   "helmet-missing": {
     description: "Add helmet middleware for security headers",
-    fix: (line) => '// TODO: Add app.use(helmet()) after Express app initialization\n' + line
+    fix: (line) => 'app.use(helmet()); // Add security headers\n' + line
   },
 
   // ===========================================
@@ -541,10 +495,7 @@ export const FIX_TEMPLATES = {
   },
   "run-shell-form": {
     description: "Use exec form for RUN commands",
-    fix: (line) => line.replace(/RUN\s+(.+)$/, (_, cmd) => {
-      const escaped = cmd.replace(/"/g, '\\"');
-      return `RUN ["/bin/sh", "-c", "${escaped}"]`;
-    })
+    fix: (line) => line.replace(/RUN\s+(.+)$/, 'RUN ["/bin/sh", "-c", "$1"]')
   },
   "sudo-in-dockerfile": {
     description: "Avoid sudo in Dockerfile - use USER directive",

package/src/tools/fix-security.js

@@ -2,9 +2,6 @@
 import { z } from "zod";
 import { existsSync, readFileSync } from "fs";
 import { detectLanguage, runAnalyzer, generateFix } from '../utils.js';
-import { deduplicateFindings } from '../dedup.js';
-import { applyContextFilter, detectFrameworks, applyFrameworkAdjustments } from '../context.js';
-import { loadConfig, shouldExcludeFile, applyConfig } from '../config.js';
 
 export const fixSecuritySchema = {
   file_path: z.string().describe("Path to the file to fix"),
@@ -50,48 +47,24 @@ export async function fixSecurity({ file_path, verbosity }) {
     };
   }
 
-  // Load project configuration
-  const config = loadConfig(file_path);
+  const issues = runAnalyzer(file_path);
 
-  // Check file exclusion
-  if (shouldExcludeFile(file_path, config)) {
-    return {
-      content: [{ type: "text", text: JSON.stringify({ file: file_path, message: "File excluded by configuration", fixes_applied: 0 }) }]
-    };
-  }
-
-  const rawIssues = runAnalyzer(file_path);
-
-  if (rawIssues.error || !Array.isArray(rawIssues) || rawIssues.length === 0) {
+  if (issues.error || !Array.isArray(issues) || issues.length === 0) {
     return {
       content: [{
         type: "text",
         text: JSON.stringify({
-          message: rawIssues.error ? "Error scanning file" : "No security issues found",
-          details: rawIssues
+          message: issues.error ? "Error scanning file" : "No security issues found",
+          details: issues
         })
       }]
     };
   }
 
-  // Cross-engine deduplication
-  const dedupedIssues = deduplicateFindings(rawIssues);
-
   // Read and fix the file
   const content = readFileSync(file_path, 'utf-8');
   const lines = content.split('\n');
   const language = detectLanguage(file_path);
-
-  // Context-aware filtering (suppress known module imports)
-  const contextFiltered = applyContextFilter(dedupedIssues, file_path, language);
-
-  // Framework-aware severity adjustment
-  const frameworks = detectFrameworks(file_path, language);
-  const frameworkAdjusted = applyFrameworkAdjustments(contextFiltered, frameworks);
-
-  // Apply .scannerrc configuration (rule suppression, severity/confidence thresholds)
-  const issues = applyConfig(frameworkAdjusted, file_path, config);
-
   const fixes = [];
 
   // Apply fixes (process in reverse order to preserve line numbers)

package/src/tools/scan-prompt.js

@@ -39,12 +39,6 @@ const CATEGORY_WEIGHTS = {
   "prompt-injection-privilege": 0.85,
   "prompt-injection-multi-turn": 0.7,
   "prompt-injection-output": 0.9,
-  // OpenClaw-specific categories
-  "data_exfiltration": 1.0,
-  "messaging_abuse": 0.95,
-  "credential_theft": 1.0,
-  "autonomous_harm": 0.9,
-  "service_attack": 0.95,
   "unknown": 0.5
 };
 
@@ -195,69 +189,6 @@ function loadPromptInjectionRules() {
   }
 }
 
-// Load OpenClaw-specific rules
-function loadOpenClawRules() {
-  try {
-    const rulesPath = join(__dirname, '..', '..', 'rules', 'openclaw.security.yaml');
-    if (!existsSync(rulesPath)) {
-      return [];
-    }
-
-    const yaml = readFileSync(rulesPath, 'utf-8');
-    const rules = [];
-
-    const ruleBlocks = yaml.split(/^  - id:/m).slice(1);
-
-    for (const block of ruleBlocks) {
-      const lines = ('  - id:' + block).split('\n');
-      const rule = {
-        id: '',
-        severity: 'WARNING',
-        message: '',
-        patterns: [],
-        metadata: {}
-      };
-
-      let inPatterns = false;
-
-      for (const line of lines) {
-        if (line.match(/^\s+- id:\s*/)) {
-          rule.id = line.replace(/^\s+- id:\s*/, '').trim();
-        } else if (line.match(/^\s+severity:\s*/)) {
-          rule.severity = line.replace(/^\s+severity:\s*/, '').trim();
-        } else if (line.match(/^\s+category:\s*/)) {
-          rule.metadata.category = line.replace(/^\s+category:\s*/, '').trim();
-        } else if (line.match(/^\s+action:\s*/)) {
-          rule.metadata.action = line.replace(/^\s+action:\s*/, '').trim();
-        } else if (line.match(/^\s+message:\s*/)) {
-          rule.message = line.replace(/^\s+message:\s*["']?/, '').replace(/["']$/, '').trim();
-        } else if (line.match(/^\s+patterns:\s*$/)) {
-          inPatterns = true;
-        } else if (inPatterns && line.match(/^\s+- /)) {
-          let pattern = line.replace(/^\s+- /, '').trim();
-          pattern = pattern.replace(/^["']|["']$/g, '');
-          pattern = pattern.replace(/\\\\/g, '\\');
-          if (pattern) rule.patterns.push(pattern);
-        } else if (line.match(/^\s+\w+:/) && !line.match(/^\s+- /)) {
-          inPatterns = false;
-        }
-      }
-
-      if (rule.id && rule.patterns.length > 0) {
-        // Set confidence and risk score based on severity
-        rule.metadata.confidence = rule.severity === 'CRITICAL' ? 'HIGH' : 'MEDIUM';
-        rule.metadata.risk_score = rule.severity === 'CRITICAL' ? '90' : '70';
-        rules.push(rule);
-      }
-    }
-
-    return rules;
-  } catch (error) {
-    console.error("Error loading OpenClaw rules:", error.message);
-    return [];
-  }
-}
-
 // Calculate risk score from findings
 function calculateRiskScore(findings, context) {
   if (findings.length === 0) return 0;
@@ -446,8 +377,7 @@ export async function scanAgentPrompt({ prompt_text, context, verbosity }) {
   // Load rules
   const agentRules = loadAgentAttackRules();
   const promptRules = loadPromptInjectionRules();
-  const openclawRules = loadOpenClawRules();
-  const allRules = [...agentRules, ...promptRules, ...openclawRules];
+  const allRules = [...agentRules, ...promptRules];
 
   // 2.7: Extract content from code blocks and append to scan text
   let expandedText = prompt_text;

package/src/tools/scan-security.js

@@ -2,15 +2,11 @@
 import { z } from "zod";
 import { existsSync, readFileSync } from "fs";
 import { detectLanguage, runAnalyzer, generateFix, toSarif } from '../utils.js';
-import { deduplicateFindings } from '../dedup.js';
-import { applyContextFilter, detectFrameworks, applyFrameworkAdjustments } from '../context.js';
-import { loadConfig, shouldExcludeFile, applyConfig } from '../config.js';
 
 export const scanSecuritySchema = {
   file_path: z.string().describe("Path to the file to scan"),
   output_format: z.enum(['json', 'sarif']).optional().describe("Output format: 'json' (default) or 'sarif' for GitHub/GitLab integration"),
-  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level: 'minimal' (counts only), 'compact' (default, actionable info), 'full' (complete metadata)"),
-  engine: z.enum(['auto', 'ast', 'regex']).optional().describe("Analysis engine: 'auto' (default, AST with regex fallback), 'ast' (tree-sitter only), 'regex' (regex only)")
+  verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level: 'minimal' (counts only), 'compact' (default, actionable info), 'full' (complete metadata)")
 };
 
 // Verbosity formatters
@@ -39,7 +35,6 @@ function formatCompact(file_path, language, issues) {
       line: i.line + 1,
       ruleId: i.ruleId,
       severity: i.severity,
-      confidence: i.confidence || 'MEDIUM',
       message: i.message,
       fix: i.suggested_fix?.fixed ? i.suggested_fix.fixed.trim() : null
     }))
@@ -55,49 +50,26 @@ function formatFull(file_path, language, issues) {
   };
 }
 
-export async function scanSecurity({ file_path, output_format, verbosity, engine }) {
+export async function scanSecurity({ file_path, output_format, verbosity }) {
   if (!existsSync(file_path)) {
     return {
       content: [{ type: "text", text: JSON.stringify({ error: "File not found" }) }]
     };
   }
 
-  // Load project configuration
-  const config = loadConfig(file_path);
+  const issues = runAnalyzer(file_path);
 
-  // Check file exclusion
-  if (shouldExcludeFile(file_path, config)) {
+  if (issues.error) {
     return {
-      content: [{ type: "text", text: JSON.stringify({ file: file_path, message: "File excluded by configuration", issues_count: 0 }) }]
+      content: [{ type: "text", text: JSON.stringify(issues) }]
     };
   }
 
-  const rawIssues = runAnalyzer(file_path, engine || 'auto');
-
-  if (rawIssues.error) {
-    return {
-      content: [{ type: "text", text: JSON.stringify(rawIssues) }]
-    };
-  }
-
-  // Cross-engine deduplication
-  const dedupedIssues = deduplicateFindings(rawIssues);
-
   // Read file content for fix suggestions
   const content = readFileSync(file_path, 'utf-8');
   const lines = content.split('\n');
   const language = detectLanguage(file_path);
 
-  // Context-aware filtering (suppress known module imports)
-  const contextFiltered = applyContextFilter(dedupedIssues, file_path, language);
-
-  // Framework-aware severity adjustment
-  const frameworks = detectFrameworks(file_path, language);
-  const frameworkAdjusted = applyFrameworkAdjustments(contextFiltered, frameworks);
-
-  // Apply .scannerrc configuration (rule suppression, severity/confidence thresholds)
-  const issues = applyConfig(frameworkAdjusted, file_path, config);
-
   // Enhance issues with fix suggestions
   const enhancedIssues = issues.map(issue => {
     const line = lines[issue.line] || '';

package/src/utils.js

@@ -36,14 +36,10 @@ export function detectLanguage(filePath) {
 }
 
 // Run the Python analyzer
-export function runAnalyzer(filePath, engine = 'auto') {
+export function runAnalyzer(filePath) {
   try {
     const analyzerPath = join(__dirname, '..', 'analyzer.py');
-    const args = [analyzerPath, filePath];
-    if (engine !== 'auto') {
-      args.push('--engine', engine);
-    }
-    const result = execFileSync('python3', args, {
+    const result = execFileSync('python3', [analyzerPath, filePath], {
       encoding: 'utf-8',
       timeout: 30000
     });
@@ -53,62 +49,17 @@ export function runAnalyzer(filePath, engine = 'auto') {
   }
 }
 
-// Validate that a fix produces syntactically reasonable output
-export function validateFix(original, fixed) {
-  if (!fixed || fixed === original) return false;
-
-  // Strip escaped quotes for bracket/quote counting
-  const unescaped = fixed.replace(/\\["'`]/g, '');
-
-  // Check balanced quotes (single pass)
-  const singleQ = (unescaped.match(/'/g) || []).length;
-  const doubleQ = (unescaped.match(/"/g) || []).length;
-  const backtickQ = (unescaped.match(/`/g) || []).length;
-  if (singleQ % 2 !== 0 || doubleQ % 2 !== 0 || backtickQ % 2 !== 0) return false;
-
-  // Check balanced brackets
-  const brackets = { '(': 0, '[': 0, '{': 0 };
-  const closers = { ')': '(', ']': '[', '}': '{' };
-  for (const char of unescaped) {
-    if (brackets[char] !== undefined) brackets[char]++;
-    if (closers[char]) {
-      brackets[closers[char]]--;
-      if (brackets[closers[char]] < 0) return false;
-    }
-  }
-  if (Object.values(brackets).some(v => v !== 0)) return false;
-
-  return true;
-}
-
 // Generate fix suggestion for an issue
 export function generateFix(issue, line, language) {
   const ruleId = issue.ruleId.toLowerCase();
 
   for (const [pattern, template] of Object.entries(FIX_TEMPLATES)) {
     if (ruleId.includes(pattern)) {
-      try {
-        const fixed = template.fix(line, language);
-        // Validate the fix produces reasonable output
-        if (fixed && !validateFix(line, fixed)) {
-          return {
-            description: template.description + " (manual fix required)",
-            original: line,
-            fixed: null
-          };
-        }
-        return {
-          description: template.description,
-          original: line,
-          fixed: fixed
-        };
-      } catch {
-        return {
-          description: template.description + " (manual fix required)",
-          original: line,
-          fixed: null
-        };
-      }
+      return {
+        description: template.description,
+        original: line,
+        fixed: template.fix(line, language)
+      };
     }
   }
 
@@ -119,26 +70,6 @@ export function generateFix(issue, line, language) {
   };
 }
 
-// Run cross-file taint analysis
-export function runCrossFileAnalyzer(filePaths) {
-  try {
-    const analyzerPath = join(__dirname, '..', 'cross_file_analyzer.py');
-    if (!existsSync(analyzerPath)) return [];
-    const result = execFileSync('python3', [analyzerPath, ...filePaths], {
-      encoding: 'utf-8',
-      timeout: 120000,
-      maxBuffer: 10 * 1024 * 1024
-    });
-    const parsed = JSON.parse(result);
-    // Return only cross-file warnings (per-file findings are handled by scanSecurity)
-    return Array.isArray(parsed)
-      ? parsed.filter(f => f.ruleId === 'cross-file-taint-warning')
-      : [];
-  } catch {
-    return [];
-  }
-}
-
 // Convert issues to SARIF 2.1.0 format
 export function toSarif(file_path, language, issues) {
   const severityToLevel = {