getdoorman 1.0.0

package/src/rules/security/secrets.js

@@ -0,0 +1,747 @@
+/**
+ * Doorman CLI - Secret Detection Rules
+ * SEC-SEC-001 through SEC-SEC-025
+ *
+ * Detects hardcoded secrets, API keys, tokens, and credentials
+ * across source files, configs, and CI pipelines.
+ */
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some((ext) => f.endsWith(ext));
+const isConfig = (f) =>
+  f.endsWith('.json') ||
+  f.endsWith('.yml') ||
+  f.endsWith('.yaml') ||
+  f.endsWith('.toml');
+const isTestFile = (f) =>
+  f.includes('test') ||
+  f.includes('spec') ||
+  f.includes('mock') ||
+  f.includes('fixture') ||
+  f.includes('__tests__');
+
+// Lines to skip: comments, process.env refs, os.environ refs
+function shouldSkipLine(line) {
+  const trimmed = line.trim();
+  if (
+    trimmed.startsWith('//') ||
+    trimmed.startsWith('#') ||
+    trimmed.startsWith('*') ||
+    trimmed.startsWith('/*')
+  ) {
+    return true;
+  }
+  if (/process\.env/i.test(line) || /os\.environ/i.test(line)) {
+    return true;
+  }
+  return false;
+}
+
+// Files to skip for secret scanning
+function shouldSkipFile(filePath) {
+  const base = filePath.split('/').pop();
+  if (base.startsWith('.env')) return true;
+  if (isTestFile(filePath)) return true;
+  return false;
+}
+
+function scanLines(filePath, content, regex, makeMessage, confidence) {
+  const findings = [];
+  if (shouldSkipFile(filePath)) return findings;
+  if (!content) return findings;
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (shouldSkipLine(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        file: filePath,
+        line: i + 1,
+        message: typeof makeMessage === 'function' ? makeMessage(line) : makeMessage,
+        confidence,
+        snippet: line.trim().substring(0, 120),
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-SEC-001: AWS Access Key
+  {
+    id: 'SEC-SEC-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'AWS access key detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /AKIA[0-9A-Z]{16}/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'AWS access key ID found in source code. Use environment variables or a secrets manager instead.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-002: AWS Secret Key
+  {
+    id: 'SEC-SEC-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'AWS secret key detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:aws)?_?secret_?(?:access)?_?key.*[:=]\s*['"][A-Za-z0-9/+=]{40}['"]/i;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'AWS secret access key found. Rotate this key immediately and use a secrets manager.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-003: Generic API key / high-entropy secret
+  {
+    id: 'SEC-SEC-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Generic API key or secret detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:api[_-]?key|secret|token|password|passwd|auth[_-]?key|access[_-]?key)\s*[:=]\s*['"][A-Za-z0-9/+=_\-]{16,}['"]/i;
+      for (const [filePath, content] of files) {
+        if (shouldSkipFile(filePath)) continue;
+        if (!isJS(filePath) && !isConfig(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (pattern.test(line)) {
+            // Exclude obvious placeholders
+            if (/['"](?:your[_-]|example|placeholder|changeme|xxx|TODO|REPLACE)/i.test(line)) continue;
+            findings.push({
+              file: filePath,
+              line: i + 1,
+              message: 'Potential hardcoded secret assigned to a sensitive variable name. Move to environment variables.',
+              confidence: 'likely',
+              snippet: line.trim().substring(0, 120),
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-004: Database connection string with password
+  {
+    id: 'SEC-SEC-004',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Database connection string with embedded password',
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:postgres|mysql|mongodb|redis):\/\/[^:]+:[^@]+@/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'Database connection string with embedded credentials. Use environment variables for connection strings.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-005: Private key file in repo
+  {
+    id: 'SEC-SEC-005',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Private key file detected in repository',
+    check({ files }) {
+      const findings = [];
+      const keyExtensions = ['.pem', '.key', '.p12', '.pfx', '.jks'];
+      for (const [filePath, content] of files) {
+        if (isTestFile(filePath)) continue;
+        const lower = filePath.toLowerCase();
+        if (keyExtensions.some((ext) => lower.endsWith(ext))) {
+          findings.push({
+            file: filePath,
+            line: 1,
+            message: 'Private key file detected in repository. Remove it, add to .gitignore, and rotate the key.',
+            confidence: 'definite',
+            snippet: filePath,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-006: .env file committed
+  {
+    id: 'SEC-SEC-006',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: '.env file committed to repository',
+    check({ files }) {
+      const findings = [];
+      for (const [filePath, content] of files) {
+        const base = filePath.split('/').pop();
+        if (base === '.env') {
+          findings.push({
+            file: filePath,
+            line: 1,
+            message: '.env file is committed to the repository. Remove it from version control and add .env to .gitignore.',
+            confidence: 'definite',
+            autofix: 'echo ".env" >> .gitignore && git rm --cached .env',
+            snippet: filePath,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-007: .env not in .gitignore
+  {
+    id: 'SEC-SEC-007',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: '.env not listed in .gitignore',
+    check({ files }) {
+      const findings = [];
+      let gitignorePath = null;
+      let gitignoreContent = null;
+      for (const [filePath, content] of files) {
+        if (filePath.endsWith('.gitignore') && !filePath.includes('node_modules')) {
+          gitignorePath = filePath;
+          gitignoreContent = content;
+          break;
+        }
+      }
+      if (!gitignorePath || !gitignoreContent) {
+        findings.push({
+          file: '.gitignore',
+          line: 1,
+          message: 'No .gitignore found or .env is not listed. Ensure .env is in .gitignore to prevent accidental commits.',
+          confidence: 'suggestion',
+          snippet: '.gitignore missing or empty',
+        });
+        return findings;
+      }
+      const lines = gitignoreContent.split('\n').map((l) => l.trim());
+      const hasEnv = lines.some(
+        (l) => l === '.env' || l === '.env*' || l === '.env.*' || l === '*.env'
+      );
+      if (!hasEnv) {
+        findings.push({
+          file: gitignorePath,
+          line: 1,
+          message: '.env is not listed in .gitignore. Add .env to prevent accidental commits of secrets.',
+          confidence: 'suggestion',
+          snippet: 'Missing .env entry in .gitignore',
+        });
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-008: Stripe secret key
+  {
+    id: 'SEC-SEC-008',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Stripe secret key detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /sk_(?:live|test)_[a-zA-Z0-9]{20,}/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'Stripe secret key found. Rotate this key and use environment variables.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-009: GitHub token
+  {
+    id: 'SEC-SEC-009',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'GitHub personal access token detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:ghp|github_pat)_[a-zA-Z0-9]{20,}/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'GitHub token found in source code. Revoke and regenerate, then store in a secrets manager.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-010: Google API key
+  {
+    id: 'SEC-SEC-010',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Google API key detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /AIza[0-9A-Za-z_-]{35}/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'Google API key found. Restrict the key in Google Cloud Console and move to environment variables.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-011: Slack webhook URL
+  {
+    id: 'SEC-SEC-011',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Slack webhook URL detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /hooks\.slack\.com\/services\/T[a-zA-Z0-9_]+\/B[a-zA-Z0-9_]+\/[a-zA-Z0-9_]+/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'Slack webhook URL found. Store webhook URLs in environment variables to prevent abuse.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-012: SendGrid / Mailgun key
+  {
+    id: 'SEC-SEC-012',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'SendGrid or Mailgun API key detected',
+    check({ files }) {
+      const findings = [];
+      const sendgridPattern = /SG\.[a-zA-Z0-9_-]{22}\.[a-zA-Z0-9_-]{43}/;
+      const mailgunPattern = /key-[a-f0-9]{32}/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, sendgridPattern, 'SendGrid API key found. Rotate and move to environment variables.', 'definite')
+        );
+        findings.push(
+          ...scanLines(filePath, content, mailgunPattern, 'Mailgun API key found. Rotate and move to environment variables.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-013: Firebase config without security rules
+  {
+    id: 'SEC-SEC-013',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Firebase config without security rules file',
+    check({ files }) {
+      const findings = [];
+      let hasFirebaseConfig = false;
+      let firebaseConfigPath = 'unknown';
+      let hasRulesFile = false;
+      for (const [filePath, content] of files) {
+        if (content && /firebaseConfig\s*=/.test(content) && /apiKey/.test(content)) {
+          hasFirebaseConfig = true;
+          firebaseConfigPath = filePath;
+        }
+        if (
+          filePath.includes('firestore.rules') ||
+          filePath.includes('database.rules') ||
+          filePath.includes('storage.rules') ||
+          filePath.endsWith('.rules')
+        ) {
+          hasRulesFile = true;
+        }
+      }
+      if (!hasFirebaseConfig) return findings;
+      if (!hasRulesFile) {
+        findings.push({
+          file: firebaseConfigPath,
+          line: 1,
+          message: 'Firebase config found but no security rules file detected. Add Firestore/Realtime Database security rules.',
+          confidence: 'suggestion',
+          snippet: 'firebaseConfig present without .rules file',
+        });
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-014: OpenAI API key
+  {
+    id: 'SEC-SEC-014',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'OpenAI API key detected',
+    check({ files }) {
+      const findings = [];
+      // Match sk- followed by 20+ alphanumeric, but exclude sk_live/sk_test (Stripe) and sk-ant- (Anthropic)
+      const pattern = /sk-(?!ant-|live_|test_)[a-zA-Z0-9]{20,}/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'OpenAI API key found. Rotate this key and store in environment variables.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-015: Twilio credentials
+  {
+    id: 'SEC-SEC-015',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Twilio credentials detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:AC|SK)[a-f0-9]{32}/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'Twilio Account SID or API key found. Use environment variables for Twilio credentials.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-016: SSH private key
+  {
+    id: 'SEC-SEC-016',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'SSH private key detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /-----BEGIN (?:RSA |DSA |EC |OPENSSH )?PRIVATE KEY-----/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'SSH private key found in source code. Remove immediately, revoke the key, and generate a new one.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-017: Hardcoded encryption key
+  {
+    id: 'SEC-SEC-017',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Hardcoded encryption key detected',
+    check({ files }) {
+      const findings = [];
+      const cipherPattern = /crypto\.(?:createCipher|createCipheriv)\s*\(/;
+      for (const [filePath, content] of files) {
+        if (shouldSkipFile(filePath)) continue;
+        if (!isJS(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (cipherPattern.test(line)) {
+            // Check if the key argument is a string literal rather than a variable from env
+            if (/createCipher(?:iv)?\s*\(\s*['"][^'"]+['"]\s*,\s*['"]/.test(line)) {
+              findings.push({
+                file: filePath,
+                line: i + 1,
+                message: 'Encryption key is hardcoded as a string literal. Derive keys from a KMS or environment variable.',
+                confidence: 'definite',
+                snippet: line.trim().substring(0, 120),
+              });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-018: .env.local / .env.production committed
+  {
+    id: 'SEC-SEC-018',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Environment-specific .env file committed',
+    check({ files }) {
+      const findings = [];
+      const envFiles = ['.env.local', '.env.production', '.env.staging', '.env.development'];
+      for (const [filePath, content] of files) {
+        const base = filePath.split('/').pop();
+        if (envFiles.includes(base)) {
+          findings.push({
+            file: filePath,
+            line: 1,
+            message: `${base} is committed to the repository. Remove from version control and add to .gitignore.`,
+            confidence: 'definite',
+            snippet: filePath,
+          });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-019: Secrets in CI config
+  {
+    id: 'SEC-SEC-019',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Hardcoded secrets in CI/CD configuration',
+    check({ files }) {
+      const findings = [];
+      const sensitiveVarPattern = /(?:password|secret|token|api_key|auth|credentials)\s*[:=]\s*(?!.*\$\{\{\s*secrets\.)/i;
+      for (const [filePath, content] of files) {
+        if (
+          !filePath.includes('.github/workflows/') ||
+          (!filePath.endsWith('.yml') && !filePath.endsWith('.yaml'))
+        ) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (sensitiveVarPattern.test(line)) {
+            if (/\$\{\{\s*secrets\./.test(line)) continue;
+            if (/[:=]\s*['"]?\s*['"]?\s*$/.test(line)) continue;
+            findings.push({
+              file: filePath,
+              line: i + 1,
+              message: 'Potential hardcoded secret in CI config. Use GitHub Actions secrets (${{ secrets.NAME }}) instead.',
+              confidence: 'likely',
+              snippet: line.trim().substring(0, 120),
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-020: Sensitive data in error messages
+  {
+    id: 'SEC-SEC-020',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Sensitive error data exposed in response',
+    check({ files }) {
+      const findings = [];
+      const responsePattern = /res\.(?:json|send|status\(\d+\)\.(?:json|send))\s*\(/;
+      // err.stack leaks internals (file paths, line numbers); err.message is often intentionally surfaced
+      const sensitivePattern = /err(?:or)?\.stack\b/;
+      for (const [filePath, content] of files) {
+        if (shouldSkipFile(filePath)) continue;
+        if (!isJS(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (responsePattern.test(line) && sensitivePattern.test(line)) {
+            findings.push({
+              file: filePath,
+              line: i + 1,
+              message: 'Error details (stack trace or message) sent in HTTP response. Use generic error messages in production.',
+              confidence: 'likely',
+              snippet: line.trim().substring(0, 120),
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-021: Sensitive data logged
+  {
+    id: 'SEC-SEC-021',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Sensitive data written to logs',
+    check({ files }) {
+      const findings = [];
+      const logPattern = /(?:console\.(?:log|info|warn|error|debug)|logger\.(?:log|info|warn|error|debug))\s*\(/;
+      const sensitivePattern = /(?:password|passwd|token|secret|creditcard|credit_card|ssn|social_security)/i;
+      for (const [filePath, content] of files) {
+        if (shouldSkipFile(filePath)) continue;
+        if (!isJS(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (logPattern.test(line) && sensitivePattern.test(line)) {
+            findings.push({
+              file: filePath,
+              line: i + 1,
+              message: 'Sensitive data (password/token/secret/creditcard) is being logged. Remove or redact before logging.',
+              confidence: 'likely',
+              snippet: line.trim().substring(0, 120),
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-022: Docker build with secrets in ARG
+  {
+    id: 'SEC-SEC-022',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Secrets passed via Docker ARG instruction',
+    check({ files }) {
+      const findings = [];
+      const argPattern = /^\s*ARG\s+(\w*(?:password|secret|token|key|api_key|credentials|auth)\w*)/i;
+      for (const [filePath, content] of files) {
+        if (!filePath.endsWith('Dockerfile') && !filePath.includes('Dockerfile.')) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          const match = argPattern.exec(line);
+          if (match) {
+            findings.push({
+              file: filePath,
+              line: i + 1,
+              message: `Docker ARG "${match[1]}" appears to contain a secret. ARG values are visible in image history. Use --secret flag or multi-stage builds.`,
+              confidence: 'likely',
+              snippet: line.trim().substring(0, 120),
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-023: Anthropic API key
+  {
+    id: 'SEC-SEC-023',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Anthropic API key detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /sk-ant-[a-zA-Z0-9_-]{20,}/;
+      for (const [filePath, content] of files) {
+        findings.push(
+          ...scanLines(filePath, content, pattern, 'Anthropic API key found. Rotate this key and store in environment variables.', 'definite')
+        );
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-024: Supabase service_role key in client-side code
+  {
+    id: 'SEC-SEC-024',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Supabase service_role key in non-server file',
+    check({ files }) {
+      const findings = [];
+      const serviceKeyPattern = /(?:service_role|service_key|serviceRole|serviceKey)\s*[:=]/i;
+      const serverPaths = ['/server/', '/api/', '/backend/', '/lib/server/', '/pages/api/', '/app/api/'];
+      for (const [filePath, content] of files) {
+        if (shouldSkipFile(filePath)) continue;
+        if (!isJS(filePath)) continue;
+        if (!content) continue;
+        // Only flag if NOT in a server-side path
+        const isServerFile = serverPaths.some((p) => filePath.includes(p));
+        if (isServerFile) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (serviceKeyPattern.test(line)) {
+            findings.push({
+              file: filePath,
+              line: i + 1,
+              message: 'Supabase service_role key referenced in a non-server file. This key bypasses RLS and must only be used server-side.',
+              confidence: 'likely',
+              snippet: line.trim().substring(0, 120),
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SEC-025: Hardcoded private/internal IPs
+  {
+    id: 'SEC-SEC-025',
+    category: 'security',
+    severity: 'low',
+    confidence: 'suggestion',
+    title: 'Hardcoded internal IP address detected',
+    check({ files }) {
+      const findings = [];
+      const pattern = /\b(?:10|172\.(?:1[6-9]|2\d|3[01])|192\.168)\.\d{1,3}\.\d{1,3}\b/;
+      for (const [filePath, content] of files) {
+        if (shouldSkipFile(filePath)) continue;
+        if (!isJS(filePath) && !isConfig(filePath)) continue;
+        if (!content) continue;
+        const lines = content.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const line = lines[i];
+          if (shouldSkipLine(line)) continue;
+          if (pattern.test(line)) {
+            findings.push({
+              file: filePath,
+              line: i + 1,
+              message: 'Hardcoded internal IP address found. Use configuration or DNS-based service discovery instead.',
+              confidence: 'likely',
+              snippet: line.trim().substring(0, 120),
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;