agent-security-scanner-mcp 3.7.0 → 3.9.0

package/pattern_matcher.py

@@ -430,6 +430,7 @@ class Finding:
     end_column: int = 0
     metavariables: Dict[str, str] = field(default_factory=dict)
     metadata: Dict[str, Any] = field(default_factory=dict)
+    confidence: str = "MEDIUM"
 
 
 class RuleEngine:

package/regex_fallback.py

@@ -9,10 +9,207 @@ from typing import List, Dict, Optional
 import re
 
 
+# Severity classification by vulnerability class
+SEVERITY_MAP = {
+    # ERROR - exploitable vulnerabilities (injection, RCE, deserialization)
+    'sql-injection': 'error',
+    'sql-injection-query': 'error',
+    'sql-injection-sprintf': 'error',
+    'sql-injection-where': 'error',
+    'sql-injection-order': 'error',
+    'sql-injection-raw': 'error',
+    'sql-injection-db-cursor': 'error',
+    'sql-injection-using-sqlalchemy': 'error',
+    'sql-injection-sqlcommand': 'error',
+    'sql-injection-sqlquery': 'error',
+    'sql-injection-concat': 'error',
+    'command-injection': 'error',
+    'command-injection-exec': 'error',
+    'command-injection-system': 'error',
+    'command-injection-open': 'error',
+    'command-injection-process-start': 'error',
+    'child-process-exec': 'error',
+    'spawn-shell': 'error',
+    'dangerous-subprocess-use': 'error',
+    'dangerous-system-call': 'error',
+    'eval-detected': 'error',
+    'eval-usage': 'error',
+    'exec-detected': 'error',
+    'pickle-load': 'error',
+    'unsafe-unserialize': 'error',
+    'unsafe-yaml-load': 'error',
+    'unsafe-marshal': 'error',
+    'yaml-load': 'error',
+    'file-inclusion': 'error',
+    'path-traversal': 'error',
+    'xss-echo': 'error',
+    'xss-raw': 'error',
+    'ssrf': 'error',
+    'open-redirect': 'error',
+    'backticks-exec': 'error',
+    'preg-code-exec': 'error',
+    'assert-usage': 'error',
+    'insecure-deserialization-binaryformatter': 'error',
+    'insecure-deserialization-xmlserializer': 'error',
+    'libc-system-call': 'error',
+    'format-string-printf': 'error',
+    'format-string-syslog': 'error',
+    'xss-innerhtml': 'error',
+    'xss-response-write': 'error',
+    'path-traversal-directory-delete': 'error',
+    'path-traversal-file-delete': 'error',
+    'path-traversal-file-read': 'error',
+
+    # WARNING - risky patterns requiring attention
+    'innerHTML': 'warning',
+    'outerHTML': 'warning',
+    'document-write': 'warning',
+    'insertAdjacentHTML': 'warning',
+    'dangerouslySetInnerHTML': 'warning',
+    'function-constructor': 'warning',
+    'setTimeout-string': 'warning',
+    'strcpy-usage': 'warning',
+    'strcat-usage': 'warning',
+    'sprintf-usage': 'warning',
+    'vsprintf-usage': 'warning',
+    'gets-usage': 'warning',
+    'system-usage': 'warning',
+    'popen-usage': 'warning',
+    'hardcoded-password': 'warning',
+    'hardcoded-secret': 'warning',
+    'hardcoded-api-key': 'warning',
+    'hardcoded-connection-string': 'warning',
+    'session-secret-hardcoded': 'warning',
+    'ssl-verify-disabled': 'warning',
+    'curl-ssl-disabled': 'warning',
+    'csrf-disabled': 'warning',
+    'mass-assignment-permit-all': 'warning',
+    'constantize': 'warning',
+    'render-inline': 'warning',
+    'privileged-container': 'warning',
+    'run-as-root': 'warning',
+    'allow-privilege-escalation': 'warning',
+    'host-network': 'warning',
+    'host-pid': 'warning',
+    'host-path': 'warning',
+    'secrets-in-env': 'warning',
+    'cluster-admin-binding': 'warning',
+    'capabilities-add': 'warning',
+    'no-readonly-root': 'warning',
+    'wildcard-rbac': 'warning',
+    's3-public-read': 'warning',
+    'security-group-open-ingress': 'warning',
+    'rds-public-access': 'warning',
+    'rds-encryption-disabled': 'warning',
+    'rds-deletion-protection': 'warning',
+    'cloudtrail-disabled': 'warning',
+    'kms-key-rotation': 'warning',
+    'ebs-encryption-disabled': 'warning',
+    'ec2-imdsv1': 'warning',
+    'phpinfo-exposure': 'warning',
+    'error-display': 'warning',
+    'permissive-cors': 'warning',
+    'mcrypt-deprecated': 'warning',
+    'aws-access-key-id': 'warning',
+    'aws-secret-access-key': 'warning',
+    'github-pat': 'warning',
+    'stripe-api-key': 'warning',
+    'private-key-rsa': 'warning',
+    'database-url': 'warning',
+    'jwt-token': 'warning',
+    'openai-api-key': 'warning',
+    'python.lang.security.audit.hardcoded-password': 'warning',
+    'python.lang.security.audit.hardcoded-api-key': 'warning',
+    'generic.secrets.security.hardcoded-password': 'warning',
+    'generic.secrets.security.hardcoded-api-key': 'warning',
+
+    # INFO - informational / hygiene / low-risk patterns
+    'weak-hash-md5': 'info',
+    'weak-hash-sha1': 'info',
+    'weak-hash': 'info',
+    'weak-cipher': 'info',
+    'weak-cipher-des': 'info',
+    'ecb-mode': 'info',
+    'weak-random': 'info',
+    'insecure-random': 'info',
+    'insecure-hash-md5': 'info',
+    'insecure-hash-sha1': 'info',
+    'insecure-memset': 'info',
+    'strtok-usage': 'info',
+    'insecure-tempfile': 'info',
+    'unchecked-return': 'info',
+    'unsafe-block': 'info',
+    'unwrap-usage': 'info',
+    'raw-pointer-deref': 'info',
+    'panic-usage': 'info',
+    'compile-detected': 'info',
+    'scanf-usage': 'info',
+}
+
+# Confidence classification by rule ID
+CONFIDENCE_MAP = {
+    # HIGH - very specific patterns, low false-positive rate
+    'sql-injection-db-cursor': 'HIGH',
+    'sql-injection-using-sqlalchemy': 'HIGH',
+    'sql-injection-sqlcommand': 'HIGH',
+    'sql-injection-sqlquery': 'HIGH',
+    'sql-injection-concat': 'HIGH',
+    'format-string-printf': 'HIGH',
+    'format-string-syslog': 'HIGH',
+    'pickle-load': 'HIGH',
+    'eval-detected': 'HIGH',
+    'eval-usage': 'HIGH',
+    'exec-detected': 'HIGH',
+    'child-process-exec': 'HIGH',
+    'dangerous-subprocess-use': 'HIGH',
+    'dangerous-system-call': 'HIGH',
+    'hardcoded-password': 'HIGH',
+    'hardcoded-connection-string': 'HIGH',
+    'aws-access-key-id': 'HIGH',
+    'github-pat': 'HIGH',
+    'stripe-api-key': 'HIGH',
+    'private-key-rsa': 'HIGH',
+    'openai-api-key': 'HIGH',
+    'unsafe-unserialize': 'HIGH',
+    'backticks-exec': 'HIGH',
+    'preg-code-exec': 'HIGH',
+    'file-inclusion': 'HIGH',
+    'gets-usage': 'HIGH',
+    'insecure-deserialization-binaryformatter': 'HIGH',
+    'insecure-deserialization-xmlserializer': 'HIGH',
+
+    # LOW - broad patterns with high false-positive rate
+    'compile-detected': 'LOW',
+    'unsafe-block': 'LOW',
+    'unwrap-usage': 'LOW',
+    'insecure-memset': 'LOW',
+    'strtok-usage': 'LOW',
+    'unchecked-return': 'LOW',
+    'scanf-usage': 'LOW',
+    'panic-usage': 'LOW',
+    'raw-pointer-deref': 'LOW',
+    'insecure-random': 'LOW',
+    'weak-random': 'LOW',
+    'insecure-hash-md5': 'LOW',
+    'insecure-hash-sha1': 'LOW',
+    'weak-hash-md5': 'LOW',
+    'weak-hash-sha1': 'LOW',
+    'weak-hash': 'LOW',
+    'database-url': 'LOW',
+
+    # Everything else defaults to MEDIUM
+}
+
+
 def _make_finding(rule_id: str, line_idx: int, line: str, col_start: int = 0, col_end: Optional[int] = None,
-                  message: Optional[str] = None, severity: str = "warning") -> Dict:
+                  message: Optional[str] = None, severity: Optional[str] = None,
+                  confidence: Optional[str] = None) -> Dict:
     if col_end is None:
         col_end = max(col_start + 1, len(line.rstrip("\n")))
+    if severity is None:
+        severity = SEVERITY_MAP.get(rule_id, "warning")
+    if confidence is None:
+        confidence = CONFIDENCE_MAP.get(rule_id, "MEDIUM")
     return {
         "ruleId": rule_id,
         "message": message or f"[Regex] {rule_id}",
@@ -22,6 +219,7 @@ def _make_finding(rule_id: str, line_idx: int, line: str, col_start: int = 0, co
         "endColumn": col_end,
         "length": max(0, col_end - col_start),
         "severity": severity,
+        "confidence": confidence,
         "metadata": {"source": "regex-fallback"},
         "metavariables": {},
     }

package/requirements.txt

@@ -11,3 +11,4 @@ tree-sitter-cpp>=0.23.0
 tree-sitter-c-sharp>=0.23.0
 tree-sitter-typescript>=0.23.0
 PyYAML>=6.0
+pytest>=8.0.0

package/rules/prompt-injection.security.yaml

@@ -454,11 +454,13 @@ rules:
     severity: ERROR
     message: "Prompt injection detected: Instruction override attempt trying to bypass system instructions."
     patterns:
-      - "(?i)ignore\\s+(all\\s+)?(previous|prior|above|earlier)\\s+(instructions?|prompts?|rules?|guidelines?)"
+      - "(?i)ignore\\s+(all\\s+)?(previous|prior|above|earlier)\\s+(instructions?|prompts?|rules?|guidelines?|directions?)"
+      - "(?i)ignore\\s+(all\\s+)?(the\\s+)?(instructions?|rules?|guidelines?|directions?|prompts?)\\b"
       - "(?i)disregard\\s+(all\\s+)?(previous|prior|above)\\s+(instructions?|prompts?)"
       - "(?i)forget\\s+(all\\s+)?(previous|prior|earlier)\\s+(instructions?|prompts?)"
       - "(?i)do\\s+not\\s+follow\\s+(the\\s+)?(previous|above|system)\\s+(instructions?|prompts?)"
       - "(?i)override\\s+(all\\s+)?(previous|system|original)\\s+(instructions?|prompts?)"
+      - "(?i)ignore\\s+the\\s+above\\s+\\w+\\s+and\\s+instead"
       - "(?i)ignore\\s+the\\s+above\\s+and\\s+instead"
       - "(?i)ignore\\s+above.{0,20}(output|print|say|write|return)"
       - "(?i)forget\\s+everything\\s+(above|before|previously)"
@@ -775,69 +777,299 @@ rules:
       action: BLOCK
 
   # ============================================================================
-  # CATEGORY 4: ADVANCED BYPASS DETECTION (Garak & PromptFoo inspired)
+  # INDIRECT INJECTION — Hidden instructions in file content, metadata, etc.
   # ============================================================================
 
-  # ----------------------------------------------------------------------------
-  # Whitespace Fragmentation Attacks
-  # ----------------------------------------------------------------------------
-  - id: generic.prompt.security.whitespace-fragmentation
+  - id: generic.prompt.security.indirect-html-comment
+    languages: [generic]
+    severity: ERROR
+    message: "Indirect injection via HTML comment: Instructions hidden in <!-- --> comments that target AI agents."
+    patterns:
+      - "<!--\\s*(?:ignore|forget|disregard|override|new instruction|system prompt|you are now)"
+      - "<!--[^>]*(?:execute|run|fetch|curl|wget|eval|send|exfil)[^>]*-->"
+      - "<!--[^>]*(?:admin|root|sudo|superuser|bypass|disable)[^>]*instruction[^>]*-->"
+    metadata:
+      cwe: "CWE-94"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-content"
+      risk_score: "90"
+      action: BLOCK
+
+  - id: generic.prompt.security.indirect-markdown-hidden
+    languages: [generic]
+    severity: ERROR
+    message: "Indirect injection via hidden markdown: Instructions concealed using zero-width characters or markdown formatting tricks."
+    patterns:
+      - "\\[\\s*\\]\\([^)]*(?:ignore|forget|override|new instruction|system prompt)"
+      - "\\[\\!\\[[^\\]]*\\]\\([^)]*(?:ignore|override|execute)"
+      - "(?:\\u200b|\\u200c|\\u200d|\\ufeff).{0,5}(?:ignore|forget|override)"
+    metadata:
+      cwe: "CWE-94"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-content"
+      risk_score: "85"
+      action: BLOCK
+
+  - id: generic.prompt.security.indirect-file-content-injection
+    languages: [generic]
+    severity: ERROR
+    message: "Indirect injection via file content: Text file or document contains AI-targeting instructions."
+    patterns:
+      - "(?i)\\bAI\\s*(?:assistant|agent|model)\\s*[:;,]\\s*(?:ignore|forget|disregard|override)"
+      - "(?i)\\bnote\\s+to\\s+(?:AI|assistant|model|agent)\\s*[:;]"
+      - "(?i)\\bhidden\\s+instruction\\s*[:;]"
+      - "(?i)\\bif\\s+you\\s+are\\s+(?:an?\\s+)?(?:AI|LLM|language\\s+model|GPT|Claude|assistant)"
+    metadata:
+      cwe: "CWE-94"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-content"
+      risk_score: "85"
+      action: WARN
+
+  - id: generic.prompt.security.indirect-image-metadata
     languages: [generic]
     severity: WARNING
-    message: "Potential whitespace fragmentation attack: keywords may be letter-spaced to evade detection."
+    message: "Indirect injection via image metadata: EXIF or metadata fields containing AI-targeting instructions."
     patterns:
-      - "i\\s+g\\s+n\\s+o\\s+r\\s+e\\s+.{0,20}p\\s*r\\s*e\\s*v\\s*i\\s*o\\s*u\\s*s"
-      - "o\\s+v\\s+e\\s+r\\s+r\\s+i\\s+d\\s+e\\s+.{0,20}s\\s*a\\s*f\\s*e\\s*t\\s*y"
-      - "d\\s+i\\s+s\\s+r\\s+e\\s+g\\s+a\\s+r\\s+d\\s+.{0,20}i\\s*n\\s*s\\s*t\\s*r\\s*u\\s*c\\s*t"
+      - "(?i)(?:exif|metadata|iptc|xmp)\\s*[:=].*(?:ignore|forget|override|execute)"
+      - "(?i)(?:comment|description|title)\\s*[:=].*(?:ignore previous|new instruction|system prompt)"
+      - "(?i)alt\\s*=\\s*[\"'][^\"']*(?:ignore|forget|override|execute)[^\"']*[\"']"
     metadata:
-      cwe: "CWE-77"
+      cwe: "CWE-94"
       owasp: "LLM01 - Prompt Injection"
       confidence: MEDIUM
-      category: "obfuscation"
-      risk_score: "65"
+      category: "prompt-injection-content"
+      risk_score: "70"
       action: WARN
 
-  # NOTE: Unicode tag character detection (U+E0000-U+E007F) is handled at runtime
-  # in scan-prompt.js via TAG_CHAR_REGEX with the /u flag, since JS regex without
-  # the u flag cannot represent supplementary plane codepoints in character classes.
+  - id: generic.prompt.security.indirect-url-payload
+    languages: [generic]
+    severity: ERROR
+    message: "Indirect injection via URL content: URL containing encoded instructions targeting AI agents."
+    patterns:
+      - "(?i)(?:https?://|url\\().*(?:%69%67%6e%6f%72%65|%66%6f%72%67%65%74|%6f%76%65%72%72%69%64%65)"
+      - "(?i)(?:https?://|url\\().*(?:ignore.*instruction|new.*system.*prompt)"
+      - "(?i)fetch\\s+(?:https?://)?\\S+.*then.*(?:execute|eval|run)"
+    metadata:
+      cwe: "CWE-94"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-content"
+      risk_score: "85"
+      action: BLOCK
+
+  - id: generic.prompt.security.indirect-json-injection
+    languages: [generic]
+    severity: ERROR
+    message: "Indirect injection via JSON/data payload: Structured data containing AI-targeting instructions in string values."
+    patterns:
+      - "(?i)[\"']\\s*(?:ignore|forget|disregard)\\s+(?:all\\s+)?(?:previous|prior|above)\\s+(?:instructions|rules|guidelines)"
+      - "(?i)[\"']\\s*(?:you\\s+are\\s+now|new\\s+role|switch\\s+to|act\\s+as)\\s+[^\"']{5,}"
+      - "(?i)\\{[^}]*(?:system_prompt|instructions)\\s*:\\s*[\"'][^\"']*(?:override|bypass|ignore)"
+    metadata:
+      cwe: "CWE-94"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-content"
+      risk_score: "90"
+      action: BLOCK
+
+  # ============================================================================
+  # ADVANCED JAILBREAK & MANIPULATION PATTERNS
+  # ============================================================================
 
-  # ----------------------------------------------------------------------------
-  # Crescendo Escalation Setup (PromptFoo-inspired)
-  # ----------------------------------------------------------------------------
-  - id: generic.prompt.security.crescendo-setup
+  - id: generic.prompt.security.jailbreak-developer-mode
+    languages: [generic]
+    severity: ERROR
+    message: "Developer/debug mode jailbreak: Attempt to unlock restricted capabilities via fake mode activation."
+    patterns:
+      - "(?i)(?:enable|activate|enter|switch\\s+to)\\s+(?:developer|debug|admin|god|unrestricted|unfiltered)\\s+mode"
+      - "(?i)(?:developer|debug|admin)\\s+mode\\s+(?:enabled|activated|on)"
+      - "(?i)you\\s+(?:now\\s+)?have\\s+(?:no|zero)\\s+(?:restrictions|limitations|filters|guardrails)"
+    metadata:
+      cwe: "CWE-284"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-jailbreak"
+      risk_score: "90"
+      action: BLOCK
+
+  - id: generic.prompt.security.jailbreak-token-smuggling
+    languages: [generic]
+    severity: ERROR
+    message: "Token smuggling: Attempt to bypass filters using character splitting, homoglyphs, or Unicode tricks."
+    patterns:
+      - "(?i)s\\s*y\\s*s\\s*t\\s*e\\s*m\\s*\\.?\\s*p\\s*r\\s*o\\s*m\\s*p\\s*t"
+      - "(?i)i\\s*g\\s*n\\s*o\\s*r\\s*e\\s+p\\s*r\\s*e\\s*v\\s*i\\s*o\\s*u\\s*s"
+      - "(?i)(?:ign[o0]re|f[o0]rget|disreg[a@]rd)\\s+(?:previ[o0]us|pri[o0]r|[a@]bove)"
+      - "(?i)(?:\u0456|\u0433|\u043d|\u043e\u0440\u0435).*(?:ignore|forget)"
+    metadata:
+      cwe: "CWE-116"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-encoded"
+      risk_score: "85"
+      action: BLOCK
+
+  - id: generic.prompt.security.urgency-manipulation
     languages: [generic]
     severity: WARNING
-    message: "Crescendo attack setup: language establishing persistent behavioral rules for later exploitation."
+    message: "Urgency manipulation: Creating false time pressure to bypass safety checks."
     patterns:
-      - "(?i)for\\s+the\\s+(rest|remainder)\\s+of\\s+(this|our)\\s+conversation"
-      - "(?i)in\\s+all\\s+(future|subsequent)\\s+(messages?|responses?|replies?)"
-      - "(?i)always\\s+respond\\s+(by|with|as)\\s+.{0,30}(regardless|no\\s+matter)"
-      - "(?i)never\\s+(refuse|reject|decline)\\s+(any|a)\\s+(request|instruction)"
-      - "(?i)you\\s+(must|will|shall)\\s+always\\s+comply"
-      - "(?i)no\\s+matter\\s+what\\s+(i|anyone)\\s+(ask|say|request)"
+      - "(?i)(?:urgent|emergency|critical|immediately)\\s*[!:].{0,40}(?:skip|bypass|ignore|disable)\\s+(?:safety|security|check|verification)"
+      - "(?i)(?:no\\s+time|hurry|quick|asap).{0,30}(?:skip|bypass|ignore)\\s+(?:normal|standard|usual)\\s+(?:procedure|process|check)"
+      - "(?i)(?:lives?|people|patients?)\\s+(?:at\\s+)?(?:stake|risk|danger).{0,30}(?:override|bypass|skip)"
     metadata:
-      cwe: "CWE-77"
+      cwe: "CWE-284"
       owasp: "LLM01 - Prompt Injection"
       confidence: MEDIUM
-      category: "prompt-injection-multi-turn"
+      category: "social-engineering"
+      risk_score: "60"
+      action: WARN
+
+  - id: generic.prompt.security.authority-impersonation
+    languages: [generic]
+    severity: WARNING
+    message: "Authority impersonation: Claiming to be an admin, developer, or privileged user to gain elevated access."
+    patterns:
+      - "(?i)(?:i\\s+am|i'm|this\\s+is)\\s+(?:the|an?|your)\\s+(?:admin|administrator|developer|owner|creator|CEO|CTO)"
+      - "(?i)(?:as\\s+(?:the|an?|your)\\s+)?(?:admin|administrator|developer|owner)\\s*,?\\s+(?:i\\s+)?(?:authorize|grant|allow|permit|approve)"
+      - "(?i)(?:my|the)\\s+(?:admin|root|superuser)\\s+(?:credentials|access|privilege)"
+    metadata:
+      cwe: "CWE-284"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: MEDIUM
+      category: "social-engineering"
       risk_score: "65"
       action: WARN
 
-  # ----------------------------------------------------------------------------
-  # Leetspeak/Character Substitution (Garak encoding probes inspired)
-  # ----------------------------------------------------------------------------
-  - id: generic.prompt.security.leetspeak-injection
+  - id: generic.prompt.security.output-manipulation
+    languages: [generic]
+    severity: ERROR
+    message: "Output manipulation: Attempting to control AI output format to embed malicious content in responses."
+    patterns:
+      - "(?i)(?:start|begin)\\s+(?:your|every|all)\\s+(?:response|reply|output|answer)\\s+with\\b"
+      - "(?i)(?:always|must|shall)\\s+(?:include|prepend|append|add)\\s+.{0,30}(?:to\\s+)?(?:your|every|all)\\s+(?:response|reply|output)"
+      - "(?i)(?:format|structure)\\s+(?:your|the)\\s+(?:response|output)\\s+(?:as|to\\s+include|with).{0,30}(?:script|iframe|img|src=)"
+    metadata:
+      cwe: "CWE-94"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-output"
+      risk_score: "80"
+      action: WARN
+
+  - id: generic.prompt.security.recursive-prompt
     languages: [generic]
     severity: WARNING
-    message: "Potential leetspeak/character-substitution obfuscation of injection keywords."
+    message: "Recursive/self-referential prompt: Attempt to make the AI modify its own instructions or behavior recursively."
     patterns:
-      - "(?i)[i1!|][g9][n][0o][r][e3]\\s+.{0,20}[p][r][e3][v][i1!|][0o][u][s5]"
-      - "(?i)[s5][y][s5][t7][e3][m]\\s*[:\\-]\\s*[0o][v][e3][r][r][i1][d][e3]"
-      - "(?i)[d][!1i][s5][r][e3][g9][a@][r][d]\\s+.{0,20}[i1!][n][s5][t7][r][u][c][t7]"
+      - "(?i)(?:update|modify|change|rewrite|edit)\\s+(?:your|the)\\s+(?:system\\s+)?(?:prompt|instructions|rules|guidelines)"
+      - "(?i)(?:add|append|insert)\\s+.{0,30}(?:to|into)\\s+(?:your|the)\\s+(?:system\\s+)?(?:prompt|instructions|rules)"
+      - "(?i)(?:from\\s+now\\s+on|going\\s+forward|permanently)\\s*,?\\s+(?:ignore|forget|override|replace)"
     metadata:
-      cwe: "CWE-77"
+      cwe: "CWE-284"
       owasp: "LLM01 - Prompt Injection"
-      confidence: LOW
+      confidence: MEDIUM
+      category: "prompt-injection-context"
+      risk_score: "75"
+      action: WARN
+
+  - id: generic.prompt.security.multi-language-obfuscation
+    languages: [generic]
+    severity: WARNING
+    message: "Multi-language obfuscation: Switching languages mid-prompt to evade detection filters."
+    patterns:
+      - "(?i)(?:traduce|traduire|traduzca|bersetze)\\s*.{0,30}(?:ignore|forget|override|system)"
+      - "(?i)(?:en\\s+espa.ol|auf\\s+deutsch|en\\s+fran.ais)\\s*[:;,].{0,30}(?:ignore|forget|bypass)"
+      - "(?i)(?:respond|reply|answer)\\s+(?:in|using)\\s+(?:a\\s+)?(?:different|another|new)\\s+language.{0,30}(?:to\\s+)?(?:avoid|bypass|evade)"
+    metadata:
+      cwe: "CWE-116"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: MEDIUM
       category: "obfuscation"
-      risk_score: "55"
-      action: LOG
+      risk_score: "65"
+      action: WARN
+
+  - id: generic.prompt.security.nostalgia-manipulation
+    languages: [generic]
+    severity: WARNING
+    message: "Nostalgia manipulation: Using emotional narratives about deceased relatives or nostalgic scenarios to extract restricted information."
+    patterns:
+      - "(?i)(?:act|pretend|roleplay)\\s+(?:as|like)\\s+(?:my|a)\\s+(?:deceased|dead|late)\\s+(?:grandmother|grandma|grandfather|grandpa|mother|father|relative|uncle|aunt)"
+      - "(?i)(?:my|a)\\s+(?:deceased|dead|late)\\s+(?:grandmother|grandma|grandfather|grandpa|mother|father|relative).{0,80}(?:used\\s+to|would)\\s+(?:tell|show|teach|explain|describe|read)"
+      - "(?i)(?:grandm(?:a|other)|grandpa|grandf(?:ather)).{0,60}(?:recipe|steps|instructions?|process|procedure|formula).{0,40}(?:fall\\s+asleep|bedtime|sleep|lullaby)"
+      - "(?i)(?:grandm(?:a|other)|grandf(?:ather)|mother|father).{0,40}(?:worked|engineer|scientist|chemist|expert).{0,60}(?:napalm|explosive|weapon|drug|poison|chemical)"
+    metadata:
+      cwe: "CWE-284"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: MEDIUM
+      category: "prompt-injection-jailbreak"
+      risk_score: "75"
+      action: WARN
+
+  - id: generic.prompt.security.fictional-framing
+    languages: [generic]
+    severity: WARNING
+    message: "Fictional framing: Using storytelling or fictional scenarios to extract restricted information."
+    patterns:
+      - "(?i)(?:write|tell|create)\\s+(?:a|me\\s+a)\\s+(?:story|fiction|tale|novel|screenplay).{0,40}(?:hack|exploit|bypass|attack|credential|password)"
+      - "(?i)(?:imagine|pretend|suppose|let's\\s+say)\\s+(?:you\\s+are|you're|there's)\\s+(?:a|an)\\s+(?:hacker|attacker|criminal|villain)"
+      - "(?i)(?:in\\s+(?:this|a)\\s+(?:fictional|hypothetical)\\s+(?:world|scenario|story)).{0,40}(?:there\\s+are\\s+no|without\\s+any)\\s+(?:rules|restrictions|limits)"
+    metadata:
+      cwe: "CWE-284"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: MEDIUM
+      category: "prompt-injection-jailbreak"
+      risk_score: "60"
+      action: WARN
+
+  - id: generic.prompt.security.tool-abuse-instruction
+    languages: [generic]
+    severity: ERROR
+    message: "Tool abuse instruction: Directing the AI to misuse its tools (file access, code execution, network) for malicious purposes."
+    patterns:
+      - "(?i)(?:use|call|invoke|execute)\\s+(?:the|your)\\s+(?:tool|function|command|bash|terminal).{0,30}(?:to\\s+)?(?:delete|destroy|remove|wipe|format|encrypt)"
+      - "(?i)(?:use|call)\\s+(?:the|your)\\s+(?:file|write|edit)\\s+(?:tool|access|capability).{0,30}(?:to\\s+)?(?:modify|overwrite|inject|backdoor)"
+      - "(?i)(?:use|call)\\s+(?:the|your)\\s+(?:network|http|fetch|curl)\\s+(?:tool|access).{0,30}(?:to\\s+)?(?:send|upload|post|exfiltrate)"
+    metadata:
+      cwe: "CWE-78"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: HIGH
+      category: "prompt-injection-privilege"
+      risk_score: "90"
+      action: BLOCK
+
+  - id: generic.prompt.security.hex-encoded-injection
+    languages: [generic]
+    severity: WARNING
+    message: "Hex-encoded injection: Instructions potentially encoded in hexadecimal to evade detection."
+    patterns:
+      - "(?:\\\\x[0-9a-fA-F]{2}){8,}"
+      - "(?:0x[0-9a-fA-F]{2}\\s*,?\\s*){8,}"
+      - "(?i)\\bdecode\\s+(?:this|the\\s+following)\\s+hex"
+    metadata:
+      cwe: "CWE-116"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: MEDIUM
+      category: "prompt-injection-encoded"
+      risk_score: "70"
+      action: WARN
+
+  - id: generic.prompt.security.rot13-encoded-injection
+    languages: [generic]
+    severity: WARNING
+    message: "ROT13/Caesar cipher injection: Instructions potentially encoded using simple substitution ciphers."
+    patterns:
+      - "(?i)(?:decode|decipher|decrypt|apply)\\s+(?:this\\s+)?(?:rot13|rot-13|caesar|caesar\\s+cipher)"
+      - "(?i)(?:rot13|caesar)\\s*[:=]"
+    metadata:
+      cwe: "CWE-116"
+      owasp: "LLM01 - Prompt Injection"
+      confidence: MEDIUM
+      category: "prompt-injection-encoded"
+      risk_score: "65"
+      action: WARN

package/scripts/postinstall.js

@@ -0,0 +1,60 @@
+#!/usr/bin/env node
+/**
+ * postinstall.js - Attempt to install Python dependencies for tree-sitter AST engine.
+ * If installation fails, the scanner gracefully falls back to regex-only mode.
+ */
+import { execFileSync } from "child_process";
+import { join, dirname } from "path";
+import { fileURLToPath } from "url";
+
+const __dirname = dirname(fileURLToPath(import.meta.url));
+const requirementsPath = join(__dirname, "..", "requirements.txt");
+
+// Check if Python 3 is available
+function findPython() {
+  for (const cmd of ["python3", "python"]) {
+    try {
+      const ver = execFileSync(cmd, ["--version"], { encoding: "utf-8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"] }).trim();
+      if (ver.includes("3.")) return cmd;
+    } catch { /* not found */ }
+  }
+  return null;
+}
+
+// Check if tree-sitter is already installed
+function isTreeSitterInstalled(pythonCmd) {
+  try {
+    execFileSync(pythonCmd, ["-c", "import tree_sitter; print(tree_sitter.__version__)"], {
+      encoding: "utf-8", timeout: 5000, stdio: ["pipe", "pipe", "pipe"]
+    });
+    return true;
+  } catch {
+    return false;
+  }
+}
+
+const pythonCmd = findPython();
+
+if (!pythonCmd) {
+  console.log(
+    "[postinstall] Python 3 not found. The scanner will run in regex-only mode.\n" +
+    "             Install Python 3 and run: pip install -r requirements.txt"
+  );
+} else if (isTreeSitterInstalled(pythonCmd)) {
+  console.log("[postinstall] tree-sitter already installed — AST engine enabled.");
+} else {
+  try {
+    execFileSync(pythonCmd, ["-m", "pip", "install", "-r", requirementsPath, "--user", "--quiet"], {
+      timeout: 120000,
+      stdio: "inherit",
+    });
+    console.log("[postinstall] Python dependencies installed — AST engine enabled.");
+  } catch {
+    console.log(
+      "[postinstall] Could not install Python dependencies (tree-sitter).\n" +
+      "             The scanner will run in regex-only mode, which still catches common vulnerabilities.\n" +
+      "             To enable AST analysis later, run: python3 -m pip install -r requirements.txt\n" +
+      "             Or run: npx agent-security-scanner-mcp doctor --fix"
+    );
+  }
+}