ferret-scan 1.0.0

package/dist/reporters/SarifReporter.js

@@ -0,0 +1,117 @@
+/**
+ * SARIF Reporter - Static Analysis Results Interchange Format
+ * Generates SARIF 2.1.0 compliant output for IDE and CI integration
+ * Spec: https://docs.oasis-open.org/sarif/sarif/v2.1.0/sarif-v2.1.0.html
+ */
+/**
+ * Convert Ferret severity to SARIF level
+ */
+function severityToLevel(severity) {
+    switch (severity) {
+        case 'CRITICAL':
+        case 'HIGH':
+            return 'error';
+        case 'MEDIUM':
+            return 'warning';
+        case 'LOW':
+            return 'note';
+        case 'INFO':
+        default:
+            return 'info';
+    }
+}
+/**
+ * Generate SARIF rules from scan results
+ */
+function generateSarifRules(result) {
+    const rulesMap = new Map();
+    for (const finding of result.findings) {
+        if (!rulesMap.has(finding.ruleId)) {
+            rulesMap.set(finding.ruleId, {
+                id: finding.ruleId,
+                name: finding.ruleName,
+                shortDescription: {
+                    text: finding.ruleName,
+                },
+                defaultConfiguration: {
+                    level: severityToLevel(finding.severity),
+                },
+                properties: {
+                    category: finding.category,
+                    tags: [finding.category, finding.severity.toLowerCase()],
+                },
+            });
+        }
+    }
+    return Array.from(rulesMap.values()).sort((a, b) => a.id.localeCompare(b.id));
+}
+/**
+ * Generate SARIF results from scan findings
+ */
+function generateSarifResults(result) {
+    return result.findings.map((finding) => {
+        const matchLine = finding.context.find(ctx => ctx.isMatch);
+        return {
+            ruleId: finding.ruleId,
+            level: severityToLevel(finding.severity),
+            message: {
+                text: `${finding.ruleName}: ${finding.match}`,
+            },
+            locations: [{
+                    physicalLocation: {
+                        artifactLocation: {
+                            uri: finding.relativePath,
+                        },
+                        region: {
+                            startLine: finding.line,
+                            ...(finding.column && { startColumn: finding.column }),
+                            ...(matchLine && { snippet: { text: matchLine.content } }),
+                        },
+                    },
+                }],
+            properties: {
+                category: finding.category,
+                riskScore: finding.riskScore,
+                remediation: finding.remediation,
+            },
+        };
+    });
+}
+/**
+ * Generate SARIF document from scan results
+ */
+export function generateSarifReport(result) {
+    const rules = generateSarifRules(result);
+    const results = generateSarifResults(result);
+    return {
+        version: '2.1.0',
+        $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+        runs: [{
+                tool: {
+                    driver: {
+                        name: 'ferret-scan',
+                        version: '1.0.0',
+                        informationUri: 'https://github.com/anthropics/ferret-scan',
+                        rules,
+                    },
+                },
+                results,
+                properties: {
+                    ferret: {
+                        scanDuration: result.duration,
+                        filesScanned: result.analyzedFiles,
+                        riskScore: result.overallRiskScore,
+                    },
+                },
+            }],
+    };
+}
+/**
+ * Format SARIF document as JSON string
+ */
+export function formatSarifReport(result) {
+    const document = generateSarifReport(result);
+    return JSON.stringify(document, null, 2);
+}
+export default { generateSarifReport, formatSarifReport };
+//# sourceMappingURL=SarifReporter.js.map

package/dist/rules/ai-specific.d.ts

@@ -0,0 +1,8 @@
+/**
+ * AI-Specific Threat Detection Rules
+ * Detects 2026 AI agent attack vectors specific to Claude and LLMs
+ */
+import type { Rule } from '../types.js';
+export declare const aiSpecificRules: Rule[];
+export default aiSpecificRules;
+//# sourceMappingURL=ai-specific.d.ts.map

package/dist/rules/ai-specific.js

@@ -0,0 +1,221 @@
+/**
+ * AI-Specific Threat Detection Rules
+ * Detects 2026 AI agent attack vectors specific to Claude and LLMs
+ */
+export const aiSpecificRules = [
+    {
+        id: 'AI-001',
+        name: 'System Prompt Extraction',
+        category: 'ai-specific',
+        severity: 'HIGH',
+        description: 'Detects attempts to extract or reveal system prompts',
+        patterns: [
+            /reveal\s+(your|the)\s+system\s+prompt/gi,
+            /show\s+(me\s+)?(your|the)\s+(system\s+)?instructions/gi,
+            /what\s+(are|is)\s+your\s+(system\s+)?prompt/gi,
+            /print\s+(your|the)\s+system\s+(prompt|instructions)/gi,
+            /output\s+(your|the)\s+initial\s+instructions/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Remove prompt extraction attempts. System prompts should remain confidential.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'AI-002',
+        name: 'Agent Impersonation',
+        category: 'ai-specific',
+        severity: 'HIGH',
+        description: 'Detects attempts to make Claude impersonate other entities',
+        patterns: [
+            /pretend\s+(to\s+be|you\s+are)\s+.*(anthropic|openai|google|microsoft)/gi,
+            /you\s+are\s+(now\s+)?(an?\s+)?(anthropic|openai)\s+(employee|staff|system)/gi,
+            /impersonate\s+.*(admin|moderator|system|support)/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Remove impersonation instructions. Claude should not impersonate other entities.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'AI-003',
+        name: 'Capability Escalation',
+        category: 'ai-specific',
+        severity: 'CRITICAL',
+        description: 'Detects attempts to unlock hidden capabilities or bypass limitations',
+        patterns: [
+            /unlock\s+(hidden|secret|admin)\s+(capabilities|features|mode)/gi,
+            /enable\s+(developer|admin|root|god)\s+mode/gi,
+            /access\s+(hidden|restricted|admin)\s+functions/gi,
+            /you\s+have\s+(no\s+)?unlimited\s+(power|access|capabilities)/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Remove capability escalation attempts.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'AI-004',
+        name: 'Context Pollution',
+        category: 'ai-specific',
+        severity: 'MEDIUM',
+        description: 'Detects attempts to pollute or manipulate the context window',
+        patterns: [
+            /inject\s+into\s+(context|memory|conversation)/gi,
+            /add\s+to\s+(your|the)\s+(context|memory)/gi,
+            /remember\s+(this|that)\s+forever/gi,
+            /store\s+in\s+(your|permanent)\s+memory/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Review context manipulation instructions.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'AI-005',
+        name: 'Multi-Step Attack Setup',
+        category: 'ai-specific',
+        severity: 'HIGH',
+        description: 'Detects setup for multi-step attacks that unfold over time',
+        patterns: [
+            /on\s+the\s+next\s+(message|turn|response)\s+.*(execute|attack|inject|exfiltrate)/gi,
+            /when\s+the\s+user\s+says\s+.*(trigger|activate|execute)\s+.*(attack|payload|exploit)/gi,
+            /wait\s+for\s+(signal|trigger|command)\s+to\s+(attack|execute|inject)/gi,
+            /phase\s+\d+\s*:\s*(attack|exploit|inject|exfiltrate|payload)/gi,
+            /step\s+\d+\s*:\s*(gain|escalate|exfiltrate|compromise)/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Remove multi-step attack instructions.',
+        references: [],
+        enabled: true,
+        // Exclude documentation headers and implementation plans
+        excludePatterns: [
+            /phase\s+\d+\s*:\s*(core|implementation|setup|testing|deployment|documentation)/gi,
+            /phase\s+\d+\s*:\s*(completed|done|finished|in\s+progress)/gi,
+            /###.*phase/gi, // Markdown headers
+            /##.*phase/gi, // Markdown headers
+            /\*\*.*phase/gi, // Bold text
+            /implementation\s+(plan|phase|roadmap)/gi,
+            /development\s+phase/gi,
+            /project\s+phase/gi,
+            /rollout\s+phase/gi,
+        ],
+        excludeContext: [
+            /implementation\s+(plan|roadmap|strategy)/gi,
+            /project\s+(timeline|schedule|plan)/gi,
+            /development\s+(cycle|sprint|iteration)/gi,
+        ],
+    },
+    {
+        id: 'AI-006',
+        name: 'Output Manipulation',
+        category: 'ai-specific',
+        severity: 'MEDIUM',
+        description: 'Detects attempts to manipulate output formatting for injection',
+        patterns: [
+            /output\s+.*(json|xml|html)\s+without\s+(escaping|validation)/gi,
+            /include\s+(raw|unescaped)\s+(html|script|code)/gi,
+            /respond\s+with\s+raw\s+/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Review output format manipulation instructions.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'AI-007',
+        name: 'Trust Boundary Violation',
+        category: 'ai-specific',
+        severity: 'HIGH',
+        description: 'Detects attempts to violate trust boundaries',
+        patterns: [
+            /trust\s+(all|any)\s+(input|source|user)\s+(without|blindly)/gi,
+            /skip\s+(all\s+)?(validation|verification|security)\s+(checks|entirely)/gi,
+            /don't\s+(ever\s+)?(verify|validate|check)\s+(any|user|input)/gi,
+            /assume\s+(all\s+)?(input\s+is\s+)?(safe|trusted|authorized)/gi,
+            /disable\s+(security|validation|verification)/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Never bypass validation or verification.',
+        references: [],
+        enabled: true,
+        // Exclude documentation about what NOT to do
+        excludePatterns: [
+            /never\s+trust/gi,
+            /don't\s+trust/gi,
+            /should\s+not\s+trust/gi,
+            /must\s+not\s+skip/gi,
+            /avoid\s+skipping/gi,
+        ],
+        excludeContext: [
+            /security\s+(best\s+)?practices/gi,
+            /what\s+not\s+to\s+do/gi,
+            /anti[- ]?pattern/gi,
+        ],
+    },
+    {
+        id: 'AI-008',
+        name: 'Indirect Prompt Injection Setup',
+        category: 'ai-specific',
+        severity: 'CRITICAL',
+        description: 'Detects patterns that set up indirect prompt injection',
+        patterns: [
+            /when\s+you\s+(read|see|find)\s+.*(execute|run|follow)/gi,
+            /if\s+.*(file|url|content)\s+contains.*then\s+(do|execute|run)/gi,
+            /follow\s+instructions\s+(in|from)\s+(the|any)\s+(file|url|content)/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Remove indirect prompt injection setup instructions.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'AI-009',
+        name: 'Tool Abuse Instructions',
+        category: 'ai-specific',
+        severity: 'HIGH',
+        description: 'Detects instructions to abuse AI CLI tools',
+        patterns: [
+            /use\s+(bash|write|edit)\s+tool\s+to.*(delete|remove|destroy)/gi,
+            /execute\s+(arbitrary|any)\s+(commands?|code)/gi,
+            /bypass\s+tool\s+(restrictions|limits|permissions)/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Remove tool abuse instructions.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'AI-010',
+        name: 'Jailbreak Technique',
+        category: 'ai-specific',
+        severity: 'CRITICAL',
+        description: 'Detects known jailbreak techniques for LLMs',
+        patterns: [
+            /\bDAN\b/g,
+            /Do\s+Anything\s+Now/gi,
+            /jailbreak(ed)?/gi,
+            /bypass\s+(filter|safety|guardrail|restriction)/gi,
+            /evil\s+(mode|twin|version)/gi,
+            /opposite\s+(day|mode)/gi,
+        ],
+        fileTypes: ['md'],
+        components: ['skill', 'agent', 'ai-config-md'],
+        remediation: 'Remove jailbreak attempts. These bypass safety measures.',
+        references: [
+            'https://owasp.org/www-project-top-10-for-large-language-model-applications/',
+        ],
+        enabled: true,
+    },
+];
+export default aiSpecificRules;
+//# sourceMappingURL=ai-specific.js.map

package/dist/rules/backdoors.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Backdoor Detection Rules
+ * Detects hidden code execution capabilities
+ */
+import type { Rule } from '../types.js';
+export declare const backdoorRules: Rule[];
+export default backdoorRules;
+//# sourceMappingURL=backdoors.d.ts.map

package/dist/rules/backdoors.js

@@ -0,0 +1,134 @@
+/**
+ * Backdoor Detection Rules
+ * Detects hidden code execution capabilities
+ */
+export const backdoorRules = [
+    {
+        id: 'BACK-001',
+        name: 'Shell Execution via eval',
+        category: 'backdoors',
+        severity: 'CRITICAL',
+        description: 'Detects eval usage which can execute arbitrary code',
+        patterns: [
+            /eval\s*\(/gi,
+            /eval\s+"\$\(/gi,
+            /eval\s+['"`]/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Remove eval statements. Eval can execute arbitrary code and is a security risk.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'BACK-002',
+        name: 'Reverse Shell Pattern',
+        category: 'backdoors',
+        severity: 'CRITICAL',
+        description: 'Detects patterns commonly used to establish reverse shells',
+        patterns: [
+            /\/bin\/(ba)?sh\s+-i/gi,
+            /bash\s+-i\s+>&/gi,
+            /nc\s+.*-e\s+\/bin/gi,
+            /python.*socket.*connect/gi,
+            /perl.*socket.*INET/gi,
+            /ruby.*TCPSocket/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Remove reverse shell patterns. These are used to establish remote access.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'BACK-003',
+        name: 'Remote Code Execution',
+        category: 'backdoors',
+        severity: 'CRITICAL',
+        description: 'Detects patterns that download and execute remote code',
+        patterns: [
+            /curl\s+.*\|\s*(ba)?sh/gi,
+            /wget\s+.*\|\s*(ba)?sh/gi,
+            /curl\s+.*\|\s*python/gi,
+            /wget\s+.*-O\s*-\s*\|\s*(ba)?sh/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Never pipe downloaded content directly to a shell. This enables remote code execution.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'BACK-004',
+        name: 'Arbitrary File Write',
+        category: 'backdoors',
+        severity: 'HIGH',
+        description: 'Detects patterns that write to sensitive system locations',
+        patterns: [
+            />\s*\/etc\//gi,
+            />\s*~\/\.(bash|zsh|profile)/gi,
+            /tee\s+\/etc\//gi,
+            /echo.*>>\s*~\/\.(bash|zsh)/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Avoid writing to sensitive system files or shell configuration files.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'BACK-005',
+        name: 'Process Spawning',
+        category: 'backdoors',
+        severity: 'HIGH',
+        description: 'Detects Node.js process spawning which can execute arbitrary commands',
+        patterns: [
+            /child_process/gi,
+            /require\s*\(\s*['"]child_process['"]\s*\)/gi,
+            /spawn\s*\(/gi,
+            /execFile\s*\(/gi,
+        ],
+        fileTypes: ['md', 'json'],
+        components: ['skill', 'agent', 'ai-config-md', 'mcp', 'plugin'],
+        remediation: 'Review process spawning code carefully. This can be used to execute arbitrary commands.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'BACK-006',
+        name: 'Background Process Creation',
+        category: 'backdoors',
+        severity: 'MEDIUM',
+        description: 'Detects creation of background processes or daemons',
+        patterns: [
+            /nohup\s+.*&/gi,
+            /disown/gi,
+            /setsid/gi,
+            /&\s*$/gm,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh'],
+        components: ['hook', 'plugin'],
+        remediation: 'Review background process creation. Ensure processes are intentional and monitored.',
+        references: [],
+        enabled: true,
+    },
+    {
+        id: 'BACK-007',
+        name: 'Encoded Command Execution',
+        category: 'backdoors',
+        severity: 'CRITICAL',
+        description: 'Detects execution of base64 or otherwise encoded commands',
+        patterns: [
+            /echo\s+.*\|\s*base64\s+-d\s*\|\s*(ba)?sh/gi,
+            /base64\s+-d.*\|\s*(ba)?sh/gi,
+            /python\s+-c\s+['"]import\s+base64/gi,
+        ],
+        fileTypes: ['sh', 'bash', 'zsh', 'md'],
+        components: ['hook', 'skill', 'agent', 'ai-config-md', 'plugin'],
+        remediation: 'Never execute decoded content. This pattern is used to hide malicious commands.',
+        references: [],
+        enabled: true,
+    },
+];
+export default backdoorRules;
+//# sourceMappingURL=backdoors.js.map

package/dist/rules/correlationRules.d.ts

@@ -0,0 +1,8 @@
+/**
+ * Correlation Security Rules - Multi-file attack pattern detection
+ * These rules detect sophisticated attacks that span multiple configuration files
+ */
+import type { Rule } from '../types.js';
+export declare const correlationRules: Rule[];
+export default correlationRules;
+//# sourceMappingURL=correlationRules.d.ts.map