coverme-scanner 1.0.6 → 1.0.8

package/dist/cli/index.js

@@ -5,11 +5,14 @@ const commander_1 = require("commander");
 const init_js_1 = require("./init.js");
 const scan_js_1 = require("./scan.js");
 const index_js_1 = require("../report/index.js");
+const fs_1 = require("fs");
+const path_1 = require("path");
+const pkg = JSON.parse((0, fs_1.readFileSync)((0, path_1.join)(__dirname, '..', '..', 'package.json'), 'utf-8'));
 const program = new commander_1.Command();
 program
-    .name('vibecode')
+    .name('coverme')
     .description('AI-powered code scanner with multi-agent verification for Claude Code')
-    .version('1.0.0');
+    .version(pkg.version);
 program
     .command('init')
     .description('Install vibecode slash commands into .claude/commands/')

package/dist/cli/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;;AAEA,yCAAoC;AACpC,uCAAiC;AACjC,uCAAiC;AACjC,iDAAoD;AAEpD,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,UAAU,CAAC;KAChB,WAAW,CAAC,uEAAuE,CAAC;KACpF,OAAO,CAAC,OAAO,CAAC,CAAC;AAEpB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wDAAwD,CAAC;KACrE,MAAM,CAAC,cAAc,EAAE,yCAAyC,CAAC;KACjE,MAAM,CAAC,cAAI,CAAC,CAAC;AAEhB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,gDAAgD,CAAC;KAC7D,QAAQ,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,CAAC;KACvC,MAAM,CAAC,uBAAuB,EAAE,oCAAoC,EAAE,KAAK,CAAC;KAC5E,MAAM,CAAC,0BAA0B,EAAE,kBAAkB,CAAC;KACtD,MAAM,CAAC,yBAAyB,EAAE,qDAAqD,EAAE,KAAK,CAAC;KAC/F,MAAM,CAAC,wBAAwB,EAAE,iDAAiD,EAAE,KAAK,CAAC;KAC1F,MAAM,CAAC,eAAe,EAAE,gBAAgB,CAAC;KACzC,MAAM,CAAC,sBAAsB,EAAE,2BAA2B,EAAE,GAAG,CAAC;KAChE,MAAM,CAAC,cAAI,CAAC,CAAC;AAEhB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yCAAyC,CAAC;KACtD,QAAQ,CAAC,aAAa,EAAE,gCAAgC,CAAC;KACzD,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;KACjD,MAAM,CAAC,uBAAuB,EAAE,0BAA0B,EAAE,KAAK,CAAC;KAClE,MAAM,CAAC,KAAK,EAAE,QAAgB,EAAE,OAAqD,EAAE,EAAE;IACxF,MAAM,IAAA,yBAAc,EAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC;AAC1E,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/cli/index.ts"],"names":[],"mappings":";;;AAEA,yCAAoC;AACpC,uCAAiC;AACjC,uCAAiC;AACjC,iDAAoD;AACpD,2BAAkC;AAClC,+BAA4B;AAE5B,MAAM,GAAG,GAAG,IAAI,CAAC,KAAK,CAAC,IAAA,iBAAY,EAAC,IAAA,WAAI,EAAC,SAAS,EAAE,IAAI,EAAE,IAAI,EAAE,cAAc,CAAC,EAAE,OAAO,CAAC,CAAC,CAAC;AAE3F,MAAM,OAAO,GAAG,IAAI,mBAAO,EAAE,CAAC;AAE9B,OAAO;KACJ,IAAI,CAAC,SAAS,CAAC;KACf,WAAW,CAAC,uEAAuE,CAAC;KACpF,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC;AAExB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,wDAAwD,CAAC;KACrE,MAAM,CAAC,cAAc,EAAE,yCAAyC,CAAC;KACjE,MAAM,CAAC,cAAI,CAAC,CAAC;AAEhB,OAAO;KACJ,OAAO,CAAC,MAAM,CAAC;KACf,WAAW,CAAC,gDAAgD,CAAC;KAC7D,QAAQ,CAAC,QAAQ,EAAE,cAAc,EAAE,GAAG,CAAC;KACvC,MAAM,CAAC,uBAAuB,EAAE,oCAAoC,EAAE,KAAK,CAAC;KAC5E,MAAM,CAAC,0BAA0B,EAAE,kBAAkB,CAAC;KACtD,MAAM,CAAC,yBAAyB,EAAE,qDAAqD,EAAE,KAAK,CAAC;KAC/F,MAAM,CAAC,wBAAwB,EAAE,iDAAiD,EAAE,KAAK,CAAC;KAC1F,MAAM,CAAC,eAAe,EAAE,gBAAgB,CAAC;KACzC,MAAM,CAAC,sBAAsB,EAAE,2BAA2B,EAAE,GAAG,CAAC;KAChE,MAAM,CAAC,cAAI,CAAC,CAAC;AAEhB,OAAO;KACJ,OAAO,CAAC,QAAQ,CAAC;KACjB,WAAW,CAAC,yCAAyC,CAAC;KACtD,QAAQ,CAAC,aAAa,EAAE,gCAAgC,CAAC;KACzD,MAAM,CAAC,qBAAqB,EAAE,kBAAkB,CAAC;KACjD,MAAM,CAAC,uBAAuB,EAAE,0BAA0B,EAAE,KAAK,CAAC;KAClE,MAAM,CAAC,KAAK,EAAE,QAAgB,EAAE,OAAqD,EAAE,EAAE;IACxF,MAAM,IAAA,yBAAc,EAAC,QAAQ,EAAE,OAAO,CAAC,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK,CAAC,CAAC;AAC1E,CAAC,CAAC,CAAC;AAEL,OAAO,CAAC,KAAK,EAAE,CAAC"}

package/dist/prompts/orchestration.md

@@ -17,12 +17,38 @@ Every finding MUST include ALL these fields for the report to work:
   "code": "the vulnerable/problematic code snippet",
   "description": "What is wrong - the specific problem found",
   "impact": "Security impact - what an attacker could exploit, potential damage, real-world risk",
+  "attackChain": "Step-by-step exploitation: 1. Attacker does X, 2. System responds with Y, 3. Attacker gains Z",
   "recommendation": "Exact steps to fix this issue with code example if applicable",
   "cwe": "CWE-XXX (if applicable)",
-  "confidence": 85
+  "confidence": 85,
+  "dpiead": {
+    "damage": 8,
+    "reproducibility": 9,
+    "exploitability": 7,
+    "affectedUsers": 10,
+    "discoverability": 6,
+    "score": 8.0
+  }
 }
 ```
 
+## DREAD SCORING (for HIGH and CRITICAL findings)
+
+Calculate DREAD score (1-10 for each, average for final score):
+
+- **Damage**: How severe is the impact? (10 = full system compromise, 1 = minimal)
+- **Reproducibility**: How easy to reproduce? (10 = always works, 1 = rare conditions)
+- **Exploitability**: How easy to exploit? (10 = script kiddie, 1 = expert + physical access)
+- **Affected Users**: How many users impacted? (10 = all users, 1 = single admin)
+- **Discoverability**: How easy to find? (10 = obvious, 1 = requires source code)
+
+**Score interpretation**:
+- 9.0-10.0 = CRITICAL (exploit immediately)
+- 7.0-8.9 = HIGH (fix within days)
+- 5.0-6.9 = MEDIUM (fix within sprint)
+- 3.0-4.9 = LOW (backlog)
+- 1.0-2.9 = INFO (document only)
+
 ## FIELD GUIDELINES
 
 ### impact (REQUIRED)
@@ -57,6 +83,21 @@ CHECK FOR:
 - Weak Cryptography (MD5, SHA1 for passwords, ECB mode)
 - Insecure Random (Math.random for security purposes)
 
+**DATABASE-SPECIFIC DANGEROUS FUNCTIONS** (check for ANY database):
+- DuckDB: read_text(), read_blob(), read_csv_auto(), read_parquet(), glob(), getenv(), httpfs
+- SQLite: load_extension(), readfile(), writefile()
+- PostgreSQL: pg_read_file(), pg_ls_dir(), COPY TO/FROM
+- MySQL: LOAD_FILE(), INTO OUTFILE, INTO DUMPFILE
+- MongoDB: $where with user input, mapReduce with user functions
+- Redis: EVAL/EVALSHA with user input, CONFIG, DEBUG commands
+
+**BLOCKLIST BYPASS PATTERNS**:
+- Keyword blocklists that miss database-specific functions
+- Case sensitivity bypass (READ_TEXT vs read_text)
+- Unicode homoglyph bypass
+- Comment injection (SELECT/**/read_text)
+- Encoding bypass (hex, base64, URL encoding)
+
 For EACH finding, output the FULL JSON format above.
 
 ---
@@ -77,6 +118,24 @@ CHECK FOR:
 - Account enumeration (different responses for valid/invalid users)
 - Brute force protection missing
 
+**MEMORY SAFETY FOR SECRETS**:
+- Cryptographic keys not zeroed after use (persist in heap/memory)
+- Passwords stored in String instead of char[] (immutable, stays in memory)
+- Session tokens not cleared on logout (memory leak of credentials)
+- Private keys in JavaScript objects (V8 heap, not securely cleared)
+- Sensitive data in logs or error messages that persist
+
+Look for:
+- `delete obj.secretKey` (doesn't zero memory, just removes reference)
+- Missing explicit buffer.fill(0) before releasing crypto keys
+- Session/token caches without secure cleanup on expiry
+- Garbage collection dependency for secret cleanup (insecure)
+
+**TIMING ATTACKS**:
+- Non-constant-time string comparison for tokens/secrets
+- Early return on auth failure leaking valid usernames
+- Different response times for valid vs invalid credentials
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -97,6 +156,27 @@ CHECK FOR:
 - API versioning issues
 - Excessive data exposure in responses
 
+**FAIL-OPEN vs FAIL-CLOSED PATTERNS** (CRITICAL):
+- IP whitelist empty/missing = allow all (should deny all)
+- Auth middleware errors = request passes through (should block)
+- Rate limiter Redis down = no limiting (should block or use fallback)
+- Config missing = insecure defaults (should fail startup)
+- Feature flag missing = feature enabled (should be disabled)
+- RBAC role not found = access granted (should deny)
+
+Look for patterns like:
+```
+if (whitelist.length > 0) { check() }  // FAIL-OPEN: empty whitelist bypasses
+if (!config.AUTH_REQUIRED) { next() }  // FAIL-OPEN: missing config = no auth
+catch(e) { next() }                     // FAIL-OPEN: error = proceed
+```
+
+**ADMIN/INTERNAL API EXPOSURE**:
+- Admin APIs bound to 0.0.0.0 instead of 127.0.0.1
+- Internal ports exposed without auth
+- Debug endpoints in production
+- Metrics/health endpoints exposing sensitive data
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -117,6 +197,27 @@ CHECK FOR:
 - Exposed internal ports
 - Missing resource limits
 
+**SECRETS IN CONFIGURATION FILES** (check ALL config formats):
+- Helm values.yaml / values-*.yaml with hardcoded secrets
+- Kubernetes secrets not using external secrets manager
+- Docker Compose with hardcoded passwords
+- Terraform tfvars with credentials
+- Ansible vault passwords in plaintext
+- CI/CD pipeline secrets in yaml files (.github/workflows, .gitlab-ci.yml)
+
+**PRIVILEGE ESCALATION RISKS**:
+- Containers/processes running as root
+- Missing securityContext in K8s (runAsNonRoot, readOnlyRootFilesystem)
+- Privileged containers
+- Host path mounts to sensitive directories
+- Missing capability drops (drop: ALL)
+- Service accounts with excessive permissions
+
+**CONFIGURATION THAT SHOULD FAIL AT STARTUP**:
+- Required environment variables not validated at startup
+- Missing config = silent fallback to insecure defaults
+- No validation of secret strength/format at startup
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -157,6 +258,25 @@ CHECK FOR:
 - Jailbreak prevention missing
 - PII in training data/prompts
 
+**LLM OUTPUT → CODE EXECUTION CHAINS**:
+- LLM generates SQL that gets executed (SQL injection via prompt injection)
+- LLM generates code that gets eval'd
+- LLM generates shell commands that get executed
+- LLM generates file paths that get accessed
+- LLM output used in template rendering (SSTI)
+
+**VALIDATION OF LLM OUTPUT**:
+- Is there ANY validation between LLM output and dangerous operations?
+- Are blocklists/allowlists applied to LLM-generated content?
+- Can the blocklist be bypassed? (check for completeness)
+- Is validation case-insensitive?
+- Does validation handle encoded input?
+
+**PROMPT SANITIZATION WEAKNESSES**:
+- Regex-based filtering (easily bypassed with synonyms, encoding, whitespace)
+- Literal string matching (bypass with Unicode homoglyphs)
+- Missing: base64 encoded payloads, ROT13, leetspeak variations
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -177,6 +297,20 @@ CHECK FOR:
 - Resource exhaustion (no limits on uploads, requests)
 - Synchronous operations that should be async
 
+**DANGEROUS DATABASE OPERATIONS IN HOT PATHS**:
+- Redis KEYS command (blocks entire server, O(n) scan)
+- MongoDB find() without limit
+- SQL SELECT without LIMIT on large tables
+- Full table scans in request handlers
+- Aggregations without indexes
+
+**BLOCKING OPERATIONS**:
+- Synchronous file I/O in request handlers
+- crypto.pbkdf2Sync / crypto.scryptSync in hot paths
+- JSON.parse on unbounded input
+- Regex on user input without timeout
+- DNS lookups without caching
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -217,6 +351,25 @@ CHECK FOR:
 - Callback hell making auditing hard
 - Anti-patterns (god objects, tight coupling)
 
+**DEAD CODE WITH SECURITY IMPLICATIONS** (CRITICAL):
+- Old/commented code that has BETTER security than current code
+- Deprecated functions with security controls not ported to replacement
+- Legacy validation code that was more thorough
+- Backup implementations with different (better) security model
+- TODO/FIXME comments about security issues never addressed
+
+Look for patterns:
+- `// OLD: validated input here` followed by code that doesn't
+- Functions named `*_secure`, `*_safe`, `*_v2` that are unused
+- Commented-out security checks with no explanation
+- Multiple implementations where one is more secure but unused
+
+**SECURITY-CRITICAL CODE WITHOUT TESTS**:
+- Authentication/authorization code with 0% test coverage
+- Input validation functions without unit tests
+- Cryptographic operations without test vectors
+- Rate limiting logic without integration tests
+
 For EACH finding, output the FULL JSON format.
 
 ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "coverme-scanner",
-  "version": "1.0.6",
+  "version": "1.0.8",
   "description": "AI-powered code scanner with multi-agent verification for Claude Code. One command scans everything.",
   "main": "dist/index.js",
   "bin": {

package/src/cli/index.ts

@@ -4,13 +4,17 @@ import { Command } from 'commander';
 import { init } from './init.js';
 import { scan } from './scan.js';
 import { generateReport } from '../report/index.js';
+import { readFileSync } from 'fs';
+import { join } from 'path';
+
+const pkg = JSON.parse(readFileSync(join(__dirname, '..', '..', 'package.json'), 'utf-8'));
 
 const program = new Command();
 
 program
-  .name('vibecode')
+  .name('coverme')
   .description('AI-powered code scanner with multi-agent verification for Claude Code')
-  .version('1.0.0');
+  .version(pkg.version);
 
 program
   .command('init')

package/src/prompts/orchestration.md

@@ -17,12 +17,38 @@ Every finding MUST include ALL these fields for the report to work:
   "code": "the vulnerable/problematic code snippet",
   "description": "What is wrong - the specific problem found",
   "impact": "Security impact - what an attacker could exploit, potential damage, real-world risk",
+  "attackChain": "Step-by-step exploitation: 1. Attacker does X, 2. System responds with Y, 3. Attacker gains Z",
   "recommendation": "Exact steps to fix this issue with code example if applicable",
   "cwe": "CWE-XXX (if applicable)",
-  "confidence": 85
+  "confidence": 85,
+  "dpiead": {
+    "damage": 8,
+    "reproducibility": 9,
+    "exploitability": 7,
+    "affectedUsers": 10,
+    "discoverability": 6,
+    "score": 8.0
+  }
 }
 ```
 
+## DREAD SCORING (for HIGH and CRITICAL findings)
+
+Calculate DREAD score (1-10 for each, average for final score):
+
+- **Damage**: How severe is the impact? (10 = full system compromise, 1 = minimal)
+- **Reproducibility**: How easy to reproduce? (10 = always works, 1 = rare conditions)
+- **Exploitability**: How easy to exploit? (10 = script kiddie, 1 = expert + physical access)
+- **Affected Users**: How many users impacted? (10 = all users, 1 = single admin)
+- **Discoverability**: How easy to find? (10 = obvious, 1 = requires source code)
+
+**Score interpretation**:
+- 9.0-10.0 = CRITICAL (exploit immediately)
+- 7.0-8.9 = HIGH (fix within days)
+- 5.0-6.9 = MEDIUM (fix within sprint)
+- 3.0-4.9 = LOW (backlog)
+- 1.0-2.9 = INFO (document only)
+
 ## FIELD GUIDELINES
 
 ### impact (REQUIRED)
@@ -57,6 +83,21 @@ CHECK FOR:
 - Weak Cryptography (MD5, SHA1 for passwords, ECB mode)
 - Insecure Random (Math.random for security purposes)
 
+**DATABASE-SPECIFIC DANGEROUS FUNCTIONS** (check for ANY database):
+- DuckDB: read_text(), read_blob(), read_csv_auto(), read_parquet(), glob(), getenv(), httpfs
+- SQLite: load_extension(), readfile(), writefile()
+- PostgreSQL: pg_read_file(), pg_ls_dir(), COPY TO/FROM
+- MySQL: LOAD_FILE(), INTO OUTFILE, INTO DUMPFILE
+- MongoDB: $where with user input, mapReduce with user functions
+- Redis: EVAL/EVALSHA with user input, CONFIG, DEBUG commands
+
+**BLOCKLIST BYPASS PATTERNS**:
+- Keyword blocklists that miss database-specific functions
+- Case sensitivity bypass (READ_TEXT vs read_text)
+- Unicode homoglyph bypass
+- Comment injection (SELECT/**/read_text)
+- Encoding bypass (hex, base64, URL encoding)
+
 For EACH finding, output the FULL JSON format above.
 
 ---
@@ -77,6 +118,24 @@ CHECK FOR:
 - Account enumeration (different responses for valid/invalid users)
 - Brute force protection missing
 
+**MEMORY SAFETY FOR SECRETS**:
+- Cryptographic keys not zeroed after use (persist in heap/memory)
+- Passwords stored in String instead of char[] (immutable, stays in memory)
+- Session tokens not cleared on logout (memory leak of credentials)
+- Private keys in JavaScript objects (V8 heap, not securely cleared)
+- Sensitive data in logs or error messages that persist
+
+Look for:
+- `delete obj.secretKey` (doesn't zero memory, just removes reference)
+- Missing explicit buffer.fill(0) before releasing crypto keys
+- Session/token caches without secure cleanup on expiry
+- Garbage collection dependency for secret cleanup (insecure)
+
+**TIMING ATTACKS**:
+- Non-constant-time string comparison for tokens/secrets
+- Early return on auth failure leaking valid usernames
+- Different response times for valid vs invalid credentials
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -97,6 +156,27 @@ CHECK FOR:
 - API versioning issues
 - Excessive data exposure in responses
 
+**FAIL-OPEN vs FAIL-CLOSED PATTERNS** (CRITICAL):
+- IP whitelist empty/missing = allow all (should deny all)
+- Auth middleware errors = request passes through (should block)
+- Rate limiter Redis down = no limiting (should block or use fallback)
+- Config missing = insecure defaults (should fail startup)
+- Feature flag missing = feature enabled (should be disabled)
+- RBAC role not found = access granted (should deny)
+
+Look for patterns like:
+```
+if (whitelist.length > 0) { check() }  // FAIL-OPEN: empty whitelist bypasses
+if (!config.AUTH_REQUIRED) { next() }  // FAIL-OPEN: missing config = no auth
+catch(e) { next() }                     // FAIL-OPEN: error = proceed
+```
+
+**ADMIN/INTERNAL API EXPOSURE**:
+- Admin APIs bound to 0.0.0.0 instead of 127.0.0.1
+- Internal ports exposed without auth
+- Debug endpoints in production
+- Metrics/health endpoints exposing sensitive data
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -117,6 +197,27 @@ CHECK FOR:
 - Exposed internal ports
 - Missing resource limits
 
+**SECRETS IN CONFIGURATION FILES** (check ALL config formats):
+- Helm values.yaml / values-*.yaml with hardcoded secrets
+- Kubernetes secrets not using external secrets manager
+- Docker Compose with hardcoded passwords
+- Terraform tfvars with credentials
+- Ansible vault passwords in plaintext
+- CI/CD pipeline secrets in yaml files (.github/workflows, .gitlab-ci.yml)
+
+**PRIVILEGE ESCALATION RISKS**:
+- Containers/processes running as root
+- Missing securityContext in K8s (runAsNonRoot, readOnlyRootFilesystem)
+- Privileged containers
+- Host path mounts to sensitive directories
+- Missing capability drops (drop: ALL)
+- Service accounts with excessive permissions
+
+**CONFIGURATION THAT SHOULD FAIL AT STARTUP**:
+- Required environment variables not validated at startup
+- Missing config = silent fallback to insecure defaults
+- No validation of secret strength/format at startup
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -157,6 +258,25 @@ CHECK FOR:
 - Jailbreak prevention missing
 - PII in training data/prompts
 
+**LLM OUTPUT → CODE EXECUTION CHAINS**:
+- LLM generates SQL that gets executed (SQL injection via prompt injection)
+- LLM generates code that gets eval'd
+- LLM generates shell commands that get executed
+- LLM generates file paths that get accessed
+- LLM output used in template rendering (SSTI)
+
+**VALIDATION OF LLM OUTPUT**:
+- Is there ANY validation between LLM output and dangerous operations?
+- Are blocklists/allowlists applied to LLM-generated content?
+- Can the blocklist be bypassed? (check for completeness)
+- Is validation case-insensitive?
+- Does validation handle encoded input?
+
+**PROMPT SANITIZATION WEAKNESSES**:
+- Regex-based filtering (easily bypassed with synonyms, encoding, whitespace)
+- Literal string matching (bypass with Unicode homoglyphs)
+- Missing: base64 encoded payloads, ROT13, leetspeak variations
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -177,6 +297,20 @@ CHECK FOR:
 - Resource exhaustion (no limits on uploads, requests)
 - Synchronous operations that should be async
 
+**DANGEROUS DATABASE OPERATIONS IN HOT PATHS**:
+- Redis KEYS command (blocks entire server, O(n) scan)
+- MongoDB find() without limit
+- SQL SELECT without LIMIT on large tables
+- Full table scans in request handlers
+- Aggregations without indexes
+
+**BLOCKING OPERATIONS**:
+- Synchronous file I/O in request handlers
+- crypto.pbkdf2Sync / crypto.scryptSync in hot paths
+- JSON.parse on unbounded input
+- Regex on user input without timeout
+- DNS lookups without caching
+
 For EACH finding, output the FULL JSON format.
 
 ---
@@ -217,6 +351,25 @@ CHECK FOR:
 - Callback hell making auditing hard
 - Anti-patterns (god objects, tight coupling)
 
+**DEAD CODE WITH SECURITY IMPLICATIONS** (CRITICAL):
+- Old/commented code that has BETTER security than current code
+- Deprecated functions with security controls not ported to replacement
+- Legacy validation code that was more thorough
+- Backup implementations with different (better) security model
+- TODO/FIXME comments about security issues never addressed
+
+Look for patterns:
+- `// OLD: validated input here` followed by code that doesn't
+- Functions named `*_secure`, `*_safe`, `*_v2` that are unused
+- Commented-out security checks with no explanation
+- Multiple implementations where one is more secure but unused
+
+**SECURITY-CRITICAL CODE WITHOUT TESTS**:
+- Authentication/authorization code with 0% test coverage
+- Input validation functions without unit tests
+- Cryptographic operations without test vectors
+- Rate limiting logic without integration tests
+
 For EACH finding, output the FULL JSON format.
 
 ---