getdoorman 1.0.0

package/src/rules/security/ssrf.js

@@ -0,0 +1,298 @@
+/**
+ * Server-Side Request Forgery (SSRF) Detection Rules (SEC-SSRF-001 through SEC-SSRF-010)
+ *
+ * Detects patterns where user-controlled input is used to construct
+ * URLs for server-side HTTP requests, potentially allowing access
+ * to internal services, cloud metadata, or localhost.
+ */
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+
+const SKIP_PATH = /[/\\](test|tests|__tests__|__mocks__|mocks|fixtures|__fixtures__|spec|node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|#|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-SSRF-001: fetch/axios/http.get with user-controlled URL
+  {
+    id: 'SEC-SSRF-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'likely',
+    title: 'HTTP Request with User-Controlled URL (SSRF)',
+    description:
+      'Server-side HTTP request (fetch/axios/http) using user-controlled URL allows SSRF attacks to access internal services, cloud metadata endpoints, or localhost.',
+    fix: { suggestion: 'Validate URLs against an allowlist of domains. Block private IP ranges and metadata endpoints (169.254.169.254).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:fetch|axios\.get|axios\.post|axios\.put|axios\.delete|axios\.request|axios\(|http\.get|http\.request|https\.get|https\.request|got\(|got\.get|request\(|needle\(|superagent\.get)\s*\(\s*(?:req\.body|req\.query|req\.params|userUrl|url|targetUrl|input)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SSRF-002: URL construction with template literal from user input
+  {
+    id: 'SEC-SSRF-002',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'URL Constructed from User Input via Template Literal',
+    description:
+      'Building request URLs with template literals containing user input enables SSRF. Attackers can inject full URLs or path traversal to reach internal endpoints.',
+    fix: { suggestion: 'Use URL constructor to parse and validate the resulting URL. Block private and reserved IP ranges.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:fetch|axios|http\.get|https\.get|got|request|needle)\s*\(\s*`[^`]*\$\{(?:req\.(?:body|query|params)|input|url|host|domain|target)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SSRF-003: Cloud metadata endpoint access not blocked
+  {
+    id: 'SEC-SSRF-003',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Cloud Metadata Endpoint URL in Code',
+    description:
+      'Reference to cloud metadata endpoint (169.254.169.254) found. Ensure SSRF protections block access to this endpoint to prevent credential theft.',
+    fix: { suggestion: 'Block requests to 169.254.169.254 and fd00:ec2::254. Use IMDSv2 on AWS (requires token header).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /169\.254\.169\.254|metadata\.google\.internal|metadata\.azure\.com/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SSRF-004: URL string concatenation with user input
+  {
+    id: 'SEC-SSRF-004',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'URL Built via String Concatenation with User Input',
+    description:
+      'HTTP request URL built by concatenating user input allows SSRF. An attacker can override the protocol, host, or path.',
+    fix: { suggestion: 'Use the URL constructor to safely build URLs and validate the resulting hostname against an allowlist.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:fetch|axios|http\.get|https\.get|got|request)\s*\(\s*(?:['"][^'"]*['"]\s*\+\s*(?:req\.|input|url|host|target)|(?:req\.|input|url|host|target)\w*\s*\+)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SSRF-005: No URL validation before HTTP request
+  {
+    id: 'SEC-SSRF-005',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'HTTP Request with Dynamic URL Without Validation',
+    description:
+      'A variable URL is passed to an HTTP client without visible URL validation or allowlist check, creating SSRF risk.',
+    fix: { suggestion: 'Parse the URL with new URL(), validate the protocol (https only), and check the hostname against an allowlist.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:fetch|axios|got|request|needle|superagent)\s*\(\s*(?:redirectUrl|callbackUrl|webhookUrl|proxyUrl|imageUrl|fileUrl|downloadUrl)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SSRF-006: DNS rebinding vulnerability (no IP validation after DNS resolution)
+  {
+    id: 'SEC-SSRF-006',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'DNS Lookup Without IP Validation (DNS Rebinding Risk)',
+    description:
+      'Using dns.lookup or dns.resolve without validating the resolved IP against blocked ranges enables DNS rebinding attacks to bypass SSRF protections.',
+    fix: { suggestion: 'After DNS resolution, verify the IP is not in private ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8, 169.254.0.0/16).' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /dns\.(?:lookup|resolve|resolve4|resolve6)\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        if (pattern.test(content)) {
+          // Check if there is IP validation after DNS resolution
+          if (!/(?:isPrivate|isInternal|isReserved|blockList|ipRangeCheck|private.*ip|127\.|10\.|172\.16|192\.168)/.test(content)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: this.title,
+              description: this.description,
+              confidence: this.confidence,
+              file: path,
+              fix: this.fix || null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SSRF-007: HTTP redirect following enabled
+  {
+    id: 'SEC-SSRF-007',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'HTTP Client Follows Redirects (SSRF Bypass)',
+    description:
+      'HTTP clients that follow redirects can be tricked into accessing internal resources via an open redirect. An attacker-controlled server can redirect to 127.0.0.1.',
+    fix: { suggestion: 'Disable automatic redirect following (redirect: "manual" for fetch, maxRedirects: 0 for axios) and validate redirect targets.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:follow|maxRedirects|followRedirect)\s*:\s*(?:true|[1-9]\d*)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        // Only flag if user-controlled URL is present in the same file
+        if (/(?:req\.body|req\.query|req\.params|userUrl|targetUrl|webhookUrl|callbackUrl)/.test(content)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SSRF-008: Internal IP address in allowlist or bypass
+  {
+    id: 'SEC-SSRF-008',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Localhost or Internal IP Allowed in URL Validation',
+    description:
+      'URL validation allows localhost, 127.0.0.1, or 0.0.0.0 which can be used for SSRF to access internal services.',
+    fix: { suggestion: 'Block all private and loopback addresses in URL validation: 127.0.0.0/8, 0.0.0.0, ::1, 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:allowedHosts|whitelist|allowlist|trustedHosts|validHosts).*(?:localhost|127\.0\.0\.1|0\.0\.0\.0|::1)/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SSRF-009: Image/file proxy without URL validation
+  {
+    id: 'SEC-SSRF-009',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Image/File Proxy Endpoint Without URL Validation',
+    description:
+      'Proxy endpoints that fetch remote images or files based on user-provided URLs are common SSRF vectors.',
+    fix: { suggestion: 'Validate and restrict proxy target URLs to allowed domains and public IP ranges only.' },
+    check({ files }) {
+      const findings = [];
+      const routePattern = /(?:app|router)\.(?:get|post)\s*\(\s*['"].*(?:proxy|image|fetch|download|thumbnail|preview)/;
+      const fetchPattern = /(?:fetch|axios|got|request|http\.get|https\.get)\s*\(/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (!isJS(path)) continue;
+        if (routePattern.test(content) && fetchPattern.test(content)) {
+          if (!/(?:allowlist|whitelist|allowedDomains|validateUrl|isAllowed|blockPrivate)/.test(content)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: this.title,
+              description: this.description,
+              confidence: this.confidence,
+              file: path,
+              fix: this.fix || null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SSRF-010: Webhook URL not validated
+  {
+    id: 'SEC-SSRF-010',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Webhook URL Sent Without Validation',
+    description:
+      'Webhook endpoints that accept user-provided callback URLs and make server-side requests to them are SSRF vectors.',
+    fix: { suggestion: 'Validate webhook URLs: require HTTPS, check against domain allowlist, block private IPs, and resolve DNS before making the request.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:webhook|callback)(?:Url|URL|_url|Uri)\s*=\s*(?:req\.body|req\.query|req\.params)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;

package/src/rules/security/supply-chain-advanced.js

@@ -0,0 +1,393 @@
+/**
+ * Advanced Supply Chain Security Rules (SEC-SCA-001 through SEC-SCA-010)
+ *
+ * Detects additional supply chain attack vectors including postinstall
+ * binary execution, dependency confusion, install hook abuse, and
+ * suspicious package patterns.
+ */
+
+const JS_EXT = ['.js', '.jsx', '.ts', '.tsx', '.mjs', '.cjs'];
+const isJS = (f) => JS_EXT.some(ext => f.endsWith(ext));
+
+const SKIP_PATH = /[/\\](node_modules|vendor|dist|build)[/\\]/i;
+const COMMENT_LINE = /^\s*(\/\/|#|\/\*|\*)/;
+
+function scanLines(content, regex, file, rule) {
+  const findings = [];
+  const lines = content.split('\n');
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i];
+    if (COMMENT_LINE.test(line)) continue;
+    if (regex.test(line)) {
+      findings.push({
+        ruleId: rule.id,
+        category: rule.category,
+        severity: rule.severity,
+        title: rule.title,
+        description: rule.description,
+        confidence: rule.confidence,
+        file,
+        line: i + 1,
+        fix: rule.fix || null,
+      });
+    }
+  }
+  return findings;
+}
+
+const rules = [
+  // SEC-SCA-001: postinstall script executes binary/shell
+  {
+    id: 'SEC-SCA-001',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Postinstall Script Executes Binary or Shell Command',
+    description:
+      'A postinstall script that runs a binary, shell script, or node command is the primary attack vector in supply chain attacks (event-stream, node-ipc). Audit carefully.',
+    fix: { suggestion: 'Remove postinstall scripts that execute binaries. Use prepare for build steps and document manual setup steps.' },
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        const scripts = json.scripts || {};
+        for (const hook of ['postinstall', 'preinstall', 'install']) {
+          const cmd = scripts[hook];
+          if (cmd && /(?:node\s|sh\s|bash\s|\.\/|\.exe|chmod|curl|wget|python|ruby)/.test(cmd)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: `"${hook}" script runs binary/shell: "${cmd.substring(0, 80)}"`,
+              description: this.description,
+              confidence: this.confidence,
+              file: 'package.json',
+              fix: this.fix || null,
+            });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SEC-SCA-002: Install script downloads and executes remote code
+  {
+    id: 'SEC-SCA-002',
+    category: 'security',
+    severity: 'critical',
+    confidence: 'definite',
+    title: 'Install Hook Downloads and Executes Remote Code',
+    description:
+      'An install lifecycle script that downloads and executes code from the internet is a critical supply chain risk.',
+    fix: { suggestion: 'Remove remote code execution from install hooks. Bundle required binaries or use optional dependencies.' },
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        const scripts = json.scripts || {};
+        for (const hook of ['postinstall', 'preinstall', 'install', 'prepare']) {
+          const cmd = scripts[hook];
+          if (cmd && /(?:curl|wget|fetch|http).*(?:\|\s*(?:bash|sh|node)|>\s*\w+\.(?:js|sh))/.test(cmd)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: `"${hook}" script downloads and executes remote code`,
+              description: this.description,
+              confidence: this.confidence,
+              file: 'package.json',
+              fix: this.fix || null,
+            });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SEC-SCA-003: Dependency version uses dist-tag instead of semver
+  {
+    id: 'SEC-SCA-003',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Dependency Uses Dist-Tag Instead of Semver Range',
+    description:
+      'Using dist-tags like "latest", "next", or "canary" means the resolved version can change at any time, including to a compromised version.',
+    fix: { suggestion: 'Pin dependencies to specific semver ranges and use a lockfile for reproducible installs.' },
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        const allDeps = { ...json.dependencies, ...json.devDependencies };
+        for (const [name, version] of Object.entries(allDeps)) {
+          if (typeof version === 'string' && /^(latest|next|canary|beta|alpha|rc|dev|nightly|experimental|\*)$/.test(version)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: `Package "${name}" pinned to dist-tag "${version}" — version can change unpredictably`,
+              description: this.description,
+              confidence: this.confidence,
+              file: 'package.json',
+              fix: this.fix || null,
+            });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SEC-SCA-004: Dependency with HTTP (non-HTTPS) registry URL
+  {
+    id: 'SEC-SCA-004',
+    category: 'security',
+    severity: 'high',
+    confidence: 'definite',
+    title: 'Dependency from HTTP (Non-HTTPS) Registry',
+    description:
+      'Using HTTP instead of HTTPS for package registries allows man-in-the-middle attacks to inject malicious packages.',
+    fix: { suggestion: 'Always use HTTPS URLs for package registries in .npmrc and package.json.' },
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('.npmrc') && !fp.endsWith('package.json') && !fp.endsWith('.yarnrc') && !fp.endsWith('.yarnrc.yml')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (/registry\s*=?\s*['"]?http:\/\//.test(lines[i])) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: 'Package registry configured with HTTP instead of HTTPS',
+              description: this.description,
+              confidence: this.confidence,
+              file: fp,
+              line: i + 1,
+              fix: this.fix || null,
+            });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SCA-005: exec/spawn in postinstall-referenced script
+  {
+    id: 'SEC-SCA-005',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'child_process Usage in Install Script File',
+    description:
+      'A file referenced by install hooks that uses child_process (exec, spawn, execSync) can execute arbitrary system commands during npm install.',
+    fix: { suggestion: 'Audit all files executed during install hooks. Avoid child_process in install-time scripts.' },
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        const scripts = json.scripts || {};
+        const installScripts = ['postinstall', 'preinstall', 'install', 'prepare']
+          .map(h => scripts[h])
+          .filter(Boolean);
+        // Find referenced JS files
+        const referencedFiles = [];
+        for (const cmd of installScripts) {
+          const match = cmd.match(/node\s+(\S+\.js)/);
+          if (match) referencedFiles.push(match[1]);
+        }
+        for (const [fp, c] of files) {
+          if (!referencedFiles.some(ref => fp.endsWith(ref))) continue;
+          if (/(?:child_process|execSync|spawnSync|exec\s*\(|spawn\s*\()/.test(c)) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: `Install script "${fp}" uses child_process — can execute system commands`,
+              description: this.description,
+              confidence: this.confidence,
+              file: fp,
+              fix: this.fix || null,
+            });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SEC-SCA-006: Dependency confusion — publishConfig missing scope registry
+  {
+    id: 'SEC-SCA-006',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Scoped Package Without publishConfig Registry',
+    description:
+      'A scoped package without publishConfig.registry may accidentally publish to the public npm registry, leaking private code.',
+    fix: { suggestion: 'Add publishConfig.registry pointing to your private registry, or set "private": true.' },
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        if (json.name && json.name.startsWith('@') && !json.private) {
+          if (!json.publishConfig || !json.publishConfig.registry) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: `Scoped package "${json.name}" without publishConfig.registry`,
+              description: this.description,
+              confidence: this.confidence,
+              file: 'package.json',
+              fix: this.fix || null,
+            });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SEC-SCA-007: Package with too many transitive dependencies
+  {
+    id: 'SEC-SCA-007',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Excessive Dependency Count Increases Attack Surface',
+    description:
+      'Projects with a very large number of direct dependencies have a larger supply chain attack surface. Each dependency is a potential compromise vector.',
+    fix: { suggestion: 'Audit and reduce dependencies. Replace large utility packages with native implementations where possible.' },
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        const depCount = Object.keys(json.dependencies || {}).length;
+        if (depCount > 50) {
+          findings.push({
+            ruleId: this.id,
+            category: this.category,
+            severity: this.severity,
+            title: `${depCount} direct dependencies — large attack surface`,
+            description: this.description,
+            confidence: this.confidence,
+            file: 'package.json',
+            fix: this.fix || null,
+          });
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SEC-SCA-008: Dynamic require/import with variable
+  {
+    id: 'SEC-SCA-008',
+    category: 'security',
+    severity: 'high',
+    confidence: 'likely',
+    title: 'Dynamic require/import with Variable Path',
+    description:
+      'Dynamic require() or import() with a variable path can load arbitrary modules, enabling code injection if the path is user-controlled.',
+    fix: { suggestion: 'Use a static allowlist of module names and map user input to the allowlist.' },
+    check({ files }) {
+      const findings = [];
+      const pattern = /(?:require|import)\s*\(\s*(?:req\.body|req\.query|req\.params|moduleName|pluginName|input|userModule)\b/;
+      for (const [path, content] of files) {
+        if (SKIP_PATH.test(path)) continue;
+        if (isJS(path)) {
+          findings.push(...scanLines(content, pattern, path, this));
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SEC-SCA-009: Overridden package resolution (resolutions/overrides)
+  {
+    id: 'SEC-SCA-009',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Package Resolution Override May Mask Vulnerabilities',
+    description:
+      'Using npm overrides or yarn resolutions to force package versions can mask known vulnerabilities or introduce incompatible versions.',
+    fix: { suggestion: 'Document why each override exists and periodically review if they are still needed.' },
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        if (json.overrides || json.resolutions) {
+          const overrideCount = Object.keys(json.overrides || json.resolutions || {}).length;
+          if (overrideCount > 0) {
+            findings.push({
+              ruleId: this.id,
+              category: this.category,
+              severity: this.severity,
+              title: `${overrideCount} package resolution override(s) found — may mask vulnerabilities`,
+              description: this.description,
+              confidence: this.confidence,
+              file: 'package.json',
+              fix: this.fix || null,
+            });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SEC-SCA-010: Bundled dependencies with no integrity check
+  {
+    id: 'SEC-SCA-010',
+    category: 'security',
+    severity: 'medium',
+    confidence: 'likely',
+    title: 'Bundled Dependencies Without Integrity Verification',
+    description:
+      'bundledDependencies or bundleDependencies include packages in the published tarball. These bypass registry integrity checks and can be tampered with.',
+    fix: { suggestion: 'Prefer normal dependencies over bundled ones. If bundled, verify their integrity in CI.' },
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        const bundled = json.bundledDependencies || json.bundleDependencies;
+        if (bundled && Array.isArray(bundled) && bundled.length > 0) {
+          findings.push({
+            ruleId: this.id,
+            category: this.category,
+            severity: this.severity,
+            title: `${bundled.length} bundled dependencies bypass registry integrity checks`,
+            description: this.description,
+            confidence: this.confidence,
+            file: 'package.json',
+            fix: this.fix || null,
+          });
+        }
+      } catch {}
+      return findings;
+    },
+  },
+];
+
+export default rules;