getdoorman 1.0.0

package/src/rules/security/supply-chain.js

@@ -0,0 +1,734 @@
+// Supply Chain Security Rules
+// Covers: package manager attacks, CI/CD pipeline attacks, source code integrity,
+// build system attacks, container supply chain, Git security, registry security
+
+const rules = [
+
+  // ─── PACKAGE MANAGER ──────────────────────────────────────────────────────
+
+  // SC-PKG-001: Malicious postinstall script
+  { id: 'SC-PKG-001', category: 'security', severity: 'high', title: 'postinstall Script — Supply Chain Attack Vector', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        const scripts = json.scripts || {};
+        for (const hook of ['postinstall', 'preinstall', 'install', 'prepack', 'postpack', 'prepare']) {
+          if (scripts[hook]) {
+            findings.push({ ruleId: 'SC-PKG-001', category: 'security', severity: 'high',
+              title: `package.json "${hook}" script runs automatically on install — verify it is safe`,
+              description: `The "${hook}" lifecycle script executes on every npm install. This is the primary mechanism used in supply chain attacks (event-stream, node-ipc). Audit this script carefully and consider removing it if not essential.`,
+              file: 'package.json', fix: null });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SC-PKG-002: Dependency from git URL (no integrity check)
+  { id: 'SC-PKG-002', category: 'security', severity: 'high', title: 'Dependency Installed from Git URL', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        for (const [name, version] of Object.entries({ ...json.dependencies, ...json.devDependencies })) {
+          if (typeof version === 'string' && (
+            version.startsWith('github:') || version.startsWith('git+') ||
+            version.startsWith('git://') || version.startsWith('bitbucket:') ||
+            version.startsWith('gitlab:') || /^[\w-]+\/[\w-]+/.test(version)
+          )) {
+            findings.push({ ruleId: 'SC-PKG-002', category: 'security', severity: 'high',
+              title: `Package "${name}" installed from git URL — no integrity verification, changes silently`,
+              description: 'Git URL dependencies bypass npm integrity checks. A compromised repo becomes a compromised dependency. Use published npm versions with lockfile integrity.',
+              file: 'package.json', fix: null });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SC-PKG-003: Dependency confusion — unscoped internal package names
+  { id: 'SC-PKG-003', category: 'security', severity: 'critical', title: 'Dependency Confusion Attack Risk', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        const projectScope = (json.name || '').startsWith('@') ? json.name.split('/')[0] : null;
+        for (const depName of Object.keys({ ...json.dependencies, ...json.devDependencies })) {
+          if (!depName.startsWith('@') && (
+            depName.match(/internal|private|corp|shared|common|utils|lib/) ||
+            (projectScope && json.name && depName.includes(json.name.split('/').pop()?.split('-')[0]))
+          )) {
+            findings.push({ ruleId: 'SC-PKG-003', category: 'security', severity: 'critical',
+              title: `Unscoped package "${depName}" may be vulnerable to dependency confusion attack`,
+              description: 'An attacker can publish a higher-versioned package with the same name to the public npm registry, causing npm to pull the malicious version. Use scoped packages (@your-org/package-name) for all internal dependencies.',
+              file: 'package.json', fix: null });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SC-PKG-004: No lockfile — deterministic builds impossible
+  { id: 'SC-PKG-004', category: 'security', severity: 'high', title: 'No Lockfile — Dependency Resolution Non-Deterministic', confidence: 'likely',
+    check({ files, stack }) {
+      const findings = [];
+      if (stack.runtime !== 'node') return findings;
+      if (!files.has('package.json')) return findings;
+      const hasLock = files.has('package-lock.json') ||
+        [...files.keys()].some(f => f === 'yarn.lock' || f === 'pnpm-lock.yaml' || f === 'bun.lockb');
+      if (!hasLock) {
+        findings.push({ ruleId: 'SC-PKG-004', category: 'security', severity: 'high',
+          title: 'No lockfile found — builds may install different versions over time',
+          description: 'Without a lockfile, npm/yarn resolves ranges on every install, potentially pulling in compromised patch versions. Commit your lockfile and use `npm ci` in CI.',
+          fix: null });
+      }
+      return findings;
+    },
+  },
+
+  // SC-PKG-005: npm install instead of npm ci in CI
+  { id: 'SC-PKG-005', category: 'security', severity: 'medium', title: 'npm install in CI Instead of npm ci', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows') && !fp.includes('.gitlab-ci') && !fp.includes('.circleci')) continue;
+        if (c.match(/\bnpm install\b/) && !c.match(/\bnpm ci\b/)) {
+          findings.push({ ruleId: 'SC-PKG-005', category: 'security', severity: 'medium',
+            title: 'CI uses "npm install" instead of "npm ci"',
+            description: '"npm ci" strictly installs from the lockfile and fails if it does not match package.json — preventing surprise version changes. "npm install" can silently update the lockfile.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-PKG-006: Wildcard version on security library
+  { id: 'SC-PKG-006', category: 'security', severity: 'high', title: 'Wildcard Version on Security-Critical Package', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        const secPkgs = ['jsonwebtoken', 'bcrypt', 'bcryptjs', 'passport', 'helmet', 'express', 'crypto-js', 'node-forge', 'argon2'];
+        for (const [name, version] of Object.entries({ ...json.dependencies, ...json.devDependencies })) {
+          if (secPkgs.includes(name) && (version === '*' || version === 'latest' || version === 'x')) {
+            findings.push({ ruleId: 'SC-PKG-006', category: 'security', severity: 'high',
+              title: `Security package "${name}" uses wildcard version "${version}" — can silently pull compromised version`,
+              description: 'Pin security-critical packages to exact semver ranges. Wildcards bypass integrity protection in your lockfile.',
+              file: 'package.json', fix: null });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SC-PKG-007: No private registry configured
+  { id: 'SC-PKG-007', category: 'security', severity: 'medium', title: 'No Private Registry — Typosquatting Risk', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      const npmrc = files.get('.npmrc') || [...files.entries()].find(([f]) => f.endsWith('.npmrc'))?.[1];
+      const hasScopedRegistry = npmrc && npmrc.match(/@[\w-]+:registry\s*=/);
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      try {
+        const json = JSON.parse(pkg);
+        const hasScoped = Object.keys({ ...json.dependencies, ...json.devDependencies }).some(d => d.startsWith('@'));
+        if (hasScoped && !hasScopedRegistry) {
+          findings.push({ ruleId: 'SC-PKG-007', category: 'security', severity: 'medium',
+            title: 'Scoped packages used but no private registry configured in .npmrc',
+            description: 'Configure your scoped packages to resolve from a private registry to prevent dependency confusion. Add @your-org:registry=https://your-registry in .npmrc.',
+            fix: null });
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SC-PKG-008: No SBOM generation
+  { id: 'SC-PKG-008', category: 'security', severity: 'low', title: 'No Software Bill of Materials (SBOM)', confidence: 'suggestion',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/sbom|cyclonedx|spdx|syft|trivy.*sbom/i)) ||
+        [...files.keys()].some(f => f.match(/sbom|cyclonedx|spdx/i));
+      if (!has) {
+        return [{ ruleId: 'SC-PKG-008', category: 'security', severity: 'low',
+          title: 'No SBOM (Software Bill of Materials) generated',
+          description: 'Generate an SBOM with Syft or CycloneDX to inventory all dependencies. Required for NTIA compliance and enterprise customers.',
+          fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // ─── CI/CD PIPELINE ────────────────────────────────────────────────────────
+
+  // SC-CI-001: Third-party GitHub Actions not pinned to SHA
+  { id: 'SC-CI-001', category: 'security', severity: 'critical', title: 'GitHub Actions Not Pinned to Commit SHA', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          const m = lines[i].match(/uses:\s+([\w/-]+)@([\w./-]+)/);
+          if (m && !m[2].match(/^[0-9a-f]{40}$/) && !m[1].startsWith('actions/') ) {
+            findings.push({ ruleId: 'SC-CI-001', category: 'security', severity: 'critical',
+              title: `Third-party action "${m[1]}@${m[2]}" not pinned to commit SHA`,
+              description: 'Third-party GitHub Actions should be pinned to full commit SHA (uses: owner/action@sha256abc...). Tags and branches are mutable — maintainer account takeover can inject malicious code. The tj-actions/changed-files incident (2023) affected thousands of repos.',
+              file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CI-002: pull_request_target with checkout of PR branch
+  { id: 'SC-CI-002', category: 'security', severity: 'critical', title: 'pull_request_target Checks Out Untrusted Code', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        if (c.includes('pull_request_target') && c.match(/actions\/checkout/) &&
+            c.match(/ref.*github\.head_ref|ref.*github\.event\.pull_request\.head/)) {
+          findings.push({ ruleId: 'SC-CI-002', category: 'security', severity: 'critical',
+            title: 'pull_request_target workflow checks out PR branch code with write permissions',
+            description: 'This allows untrusted fork PRs to run code with repository write token access. This is a critical GitHub Actions vulnerability. Never check out PR branch code in pull_request_target context.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CI-003: Workflow injection via user-controlled input
+  { id: 'SC-CI-003', category: 'security', severity: 'critical', title: 'GitHub Actions Workflow Injection', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/\$\{\{\s*github\.event\.(pull_request\.(title|body|head\.ref)|issue\.(title|body)|comment\.body)/)) {
+            const ctx = lines.slice(Math.max(0, i - 3), i + 3).join('\n');
+            if (ctx.match(/run:|echo|bash|sh\s/)) {
+              findings.push({ ruleId: 'SC-CI-003', category: 'security', severity: 'critical',
+                title: 'User-controlled GitHub context value interpolated in run: step — command injection',
+                description: 'PR titles, issue bodies, and comments can contain shell metacharacters. Assign to an env var and use that: env: TITLE: ${{ github.event.pull_request.title }}',
+                file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CI-004: Secrets echoed in CI logs
+  { id: 'SC-CI-004', category: 'security', severity: 'critical', title: 'Secrets Echoed in CI Logs', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows') && !fp.includes('.gitlab-ci')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/echo\s+\$\{\{.*secrets\.|print\s+.*secrets\./)) {
+            findings.push({ ruleId: 'SC-CI-004', category: 'security', severity: 'critical',
+              title: 'Secret value printed in CI run step — visible in build logs',
+              description: 'Never echo secrets. If you must verify a secret is set, check its length: echo ${#SECRET} > 0',
+              file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CI-005: Self-hosted runners for public repo
+  { id: 'SC-CI-005', category: 'security', severity: 'high', title: 'Self-Hosted Runners for Public Repository', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        if (c.match(/runs-on:\s*self-hosted/) &&
+            (c.includes('pull_request:') || c.includes('pull_request_target:'))) {
+          findings.push({ ruleId: 'SC-CI-005', category: 'security', severity: 'high',
+            title: 'Self-hosted runner used for pull_request trigger in potentially public repo',
+            description: 'Anyone can fork a public repo and trigger workflows on your self-hosted runner, potentially accessing internal network and data. Use GitHub-hosted runners for untrusted code.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CI-006: No required reviewers for production deployment
+  { id: 'SC-CI-006', category: 'security', severity: 'high', title: 'Production Deployment Without Required Reviewers', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        if (c.match(/production|prod/i) && c.match(/deploy/i)) {
+          if (!c.match(/environment:|reviewers:|required_reviewers/i)) {
+            findings.push({ ruleId: 'SC-CI-006', category: 'security', severity: 'high',
+              title: 'Production deployment workflow without required reviewers/environment protection',
+              description: 'Configure a "production" environment in GitHub with required reviewers. This prevents automated or accidental production deployments.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CI-007: OIDC not used for cloud auth
+  { id: 'SC-CI-007', category: 'security', severity: 'high', title: 'Long-Lived Cloud Credentials in CI', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        if ((c.includes('AWS_ACCESS_KEY_ID') || c.includes('AWS_SECRET_ACCESS_KEY') || c.includes('GOOGLE_APPLICATION_CREDENTIALS')) &&
+            !c.match(/id-token.*write|oidc|aws-actions\/configure-aws-credentials/i)) {
+          findings.push({ ruleId: 'SC-CI-007', category: 'security', severity: 'high',
+            title: 'Long-lived AWS/GCP credentials instead of OIDC short-lived tokens',
+            description: 'Use GitHub Actions OIDC (permissions: id-token: write) with aws-actions/configure-aws-credentials. Long-lived keys in secrets are a persistent leak risk.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CI-008: No CODEOWNERS file
+  { id: 'SC-CI-008', category: 'security', severity: 'medium', title: 'No CODEOWNERS File', confidence: 'likely',
+    check({ files }) {
+      const has = [...files.keys()].some(f => f.match(/CODEOWNERS/) || f.match(/\.github\/CODEOWNERS/));
+      if (!has) {
+        return [{ ruleId: 'SC-CI-008', category: 'security', severity: 'medium',
+          title: 'No CODEOWNERS file — anyone can approve changes to any file',
+          description: 'Add a CODEOWNERS file to require specific team members to review changes to security-sensitive files (auth, payments, CI workflows).',
+          fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // ─── SOURCE CODE INTEGRITY ─────────────────────────────────────────────────
+
+  // SC-SRC-001: Unicode bidirectional control characters (Trojan Source)
+  { id: 'SC-SRC-001', category: 'security', severity: 'critical', title: 'Unicode Bidirectional Control Characters (Trojan Source)', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      // CVE-2021-42574: Bidirectional text characters can make code appear different from what it does
+      const bidiChars = /[\u202a-\u202e\u2066-\u2069\u200f\u061c]/;
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(js|ts|jsx|tsx|py|go|rs|java|c|cpp|rb|php)$/)) continue;
+        if (bidiChars.test(c)) {
+          findings.push({ ruleId: 'SC-SRC-001', category: 'security', severity: 'critical',
+            title: 'Unicode bidirectional control characters found in source code (CVE-2021-42574 — Trojan Source)',
+            description: 'Bidirectional Unicode characters can make malicious code appear as comments or benign strings. Remove all bidirectional control characters from source files.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-SRC-002: Zero-width characters in source code
+  { id: 'SC-SRC-002', category: 'security', severity: 'high', title: 'Zero-Width Characters in Source Code', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      const zeroWidth = /[\u200b\u200c\u200d\ufeff\u00ad]/;
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.(js|ts|jsx|tsx|py|go|rs)$/)) continue;
+        if (zeroWidth.test(c)) {
+          findings.push({ ruleId: 'SC-SRC-002', category: 'security', severity: 'high',
+            title: 'Zero-width Unicode characters found in source code',
+            description: 'Zero-width characters are invisible but affect string comparisons. They can be used to bypass security checks or introduce subtle bugs. Remove all zero-width characters.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-SRC-003: No commit signing configured
+  { id: 'SC-SRC-003', category: 'security', severity: 'low', title: 'No Commit Signing Policy', confidence: 'suggestion',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/commit.*sign|gpg.*sign|sigstore|gitsign|vigilant.*mode/i)) ||
+        [...files.keys()].some(f => f.includes('.gitconfig') || f.includes('branch-protection'));
+      if (!has) {
+        return [{ ruleId: 'SC-SRC-003', category: 'security', severity: 'low',
+          title: 'No commit signing policy detected',
+          description: 'Enable signed commits (GPG or SSH signing) to verify commit authorship. Without signing, commit authorship can be spoofed trivially.',
+          fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // ─── BUILD SYSTEM ──────────────────────────────────────────────────────────
+
+  // SC-BUILD-001: curl|bash in scripts
+  { id: 'SC-BUILD-001', category: 'security', severity: 'critical', title: 'Remote Script Execution Without Integrity Check', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/curl.*\|\s*(?:bash|sh)|wget.*\|\s*(?:bash|sh)/)) {
+            findings.push({ ruleId: 'SC-BUILD-001', category: 'security', severity: 'critical',
+              title: 'Remote script piped directly to shell — no integrity verification',
+              description: 'curl|bash allows a compromised server or MITM to execute arbitrary code. Download the script, verify its SHA256 checksum, then execute.',
+              file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-BUILD-002: Build script downloads from internet without checksum
+  { id: 'SC-BUILD-002', category: 'security', severity: 'high', title: 'Downloaded Tool Without Checksum Verification', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/Makefile|\.sh$|Dockerfile|\.yml$|\.yaml$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/curl.*-[oOL]|wget\s+/) && !lines[i].match(/sha256|sha512|checksum|gpg.*verify/)) {
+            const ctx = lines.slice(i, Math.min(i + 5, lines.length)).join('\n');
+            if (!ctx.match(/sha256|sha512|md5sum|gpg/)) {
+              findings.push({ ruleId: 'SC-BUILD-002', category: 'security', severity: 'high',
+                title: 'File downloaded in build script without checksum verification',
+                description: 'Verify SHA256 checksums for all downloaded tools and binaries in build scripts to prevent tampered downloads.',
+                file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-BUILD-003: Build artifact not signed
+  { id: 'SC-BUILD-003', category: 'security', severity: 'medium', title: 'Build Artifacts Not Signed', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        if (c.match(/npm publish|docker.*push|release.*assets/i)) {
+          if (!c.match(/sigstore|cosign|gpg.*sign|slsa|attest|provenance/i)) {
+            findings.push({ ruleId: 'SC-BUILD-003', category: 'security', severity: 'medium',
+              title: 'Published artifacts not signed or attested',
+              description: 'Sign published npm packages or container images with Sigstore/Cosign to provide verifiable provenance. SLSA Level 2+ requires signed provenance.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ─── CONTAINER SUPPLY CHAIN ────────────────────────────────────────────────
+
+  // SC-CONT-001: Base image from Docker Hub without digest
+  { id: 'SC-CONT-001', category: 'security', severity: 'high', title: 'Docker Base Image Not Pinned to Digest', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\.\w+$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          if (lines[i].match(/^\s*FROM\s+/) && !lines[i].match(/@sha256:/) && !lines[i].match(/scratch/)) {
+            findings.push({ ruleId: 'SC-CONT-001', category: 'security', severity: 'high',
+              title: 'Docker base image not pinned to SHA256 digest — tag can be replaced',
+              description: 'Pin base images to their digest: FROM node:20@sha256:abc123... Tags are mutable and can be silently replaced with malicious images.',
+              file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CONT-002: No image vulnerability scanning
+  { id: 'SC-CONT-002', category: 'security', severity: 'high', title: 'Container Images Not Scanned for Vulnerabilities', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows') && !fp.includes('.gitlab-ci')) continue;
+        if (c.match(/docker.*build|build.*docker/i)) {
+          if (!c.match(/trivy|grype|snyk.*container|docker.*scan|anchore|clair|scout/i)) {
+            findings.push({ ruleId: 'SC-CONT-002', category: 'security', severity: 'high',
+              title: 'Container image built without vulnerability scanning',
+              description: 'Add Trivy or Grype to scan images in CI. Container vulnerabilities (Log4Shell in base images, etc.) are a major attack surface.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CONT-003: No image signing
+  { id: 'SC-CONT-003', category: 'security', severity: 'medium', title: 'Container Images Not Signed', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.includes('.github/workflows')) continue;
+        if (c.match(/docker.*push|ecr.*push/i) && !c.match(/cosign|notary|sigstore|docker.*trust/i)) {
+          findings.push({ ruleId: 'SC-CONT-003', category: 'security', severity: 'medium',
+            title: 'Container images pushed without signing (Cosign/Notary)',
+            description: 'Sign container images with Cosign so consumers can verify they were built by your CI and not tampered with in the registry.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CONT-004: Using Docker Hub for private images
+  { id: 'SC-CONT-004', category: 'security', severity: 'medium', title: 'Using Docker Hub for Private Images', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('Dockerfile') && !fp.match(/Dockerfile\.\w+$/) && !fp.match(/\.(yaml|yml)$/)) continue;
+        if (c.match(/^\s*FROM\s+(?!node:|python:|alpine:|ubuntu:|debian:|scratch)[\w]+\/[\w]+/m)) {
+          if (!c.match(/ecr\.|gcr\.io|ghcr\.io|azurecr\.io|registry\./)) {
+            findings.push({ ruleId: 'SC-CONT-004', category: 'security', severity: 'medium',
+              title: 'Image pulled from Docker Hub — consider using a private or mirrored registry',
+              description: 'Docker Hub images can be deleted, tampered with, or subject to rate limiting. Use ECR, GHCR, or a private registry for production workloads.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // ─── GIT SECURITY ──────────────────────────────────────────────────────────
+
+  // SC-GIT-001: Git submodules from untrusted sources
+  { id: 'SC-GIT-001', category: 'security', severity: 'high', title: 'Git Submodules from Untrusted Sources', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      const gitmodules = files.get('.gitmodules');
+      if (!gitmodules) return findings;
+      const lines = gitmodules.split('\n');
+      for (let i = 0; i < lines.length; i++) {
+        if (lines[i].match(/url\s*=/) && !lines[i].match(/github\.com\/(?:your-org)|gitlab\.com\/(?:your-org)/)) {
+          if (lines[i].match(/https?:\/\/|git@/)) {
+            findings.push({ ruleId: 'SC-GIT-001', category: 'security', severity: 'high',
+              title: 'Git submodule pointing to external repository',
+              description: 'Submodules from external repos can change without your knowledge. Pin submodules to specific commits and audit the submodule code.',
+              file: '.gitmodules', line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-GIT-002: Git hooks in repository (can execute on clone)
+  { id: 'SC-GIT-002', category: 'security', severity: 'medium', title: 'Git Hooks Committed to Repository', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp] of files) {
+        if (fp.includes('.git/hooks/') && !fp.includes('.git/hooks/.')) {
+          const hookName = fp.split('/').pop();
+          if (!hookName?.startsWith('.')) {
+            findings.push({ ruleId: 'SC-GIT-002', category: 'security', severity: 'medium',
+              title: `Git hook "${hookName}" committed to repository — auditors cannot easily inspect`,
+              description: 'Git hooks committed to .git/hooks execute automatically. Prefer husky/lefthook for hooks that are versioned, visible, and auditable.',
+              file: fp, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-GIT-003: No branch protection documented
+  { id: 'SC-GIT-003', category: 'security', severity: 'medium', title: 'No Branch Protection Rules', confidence: 'likely',
+    check({ files }) {
+      const has = [...files.values()].some(c => c.match(/branch.*protection|protected.*branch|require.*review|status.*check.*required/i)) ||
+        [...files.keys()].some(f => f.match(/branch-protection|repo-settings/i));
+      if (!has) {
+        return [{ ruleId: 'SC-GIT-003', category: 'security', severity: 'medium',
+          title: 'No branch protection rules documented',
+          description: 'Enable branch protection on main/master: require PR reviews, require status checks, disallow force push. This prevents accidental or malicious direct pushes.',
+          fix: null }];
+      }
+      return [];
+    },
+  },
+
+  // ─── REGISTRY SECURITY ─────────────────────────────────────────────────────
+
+  // SC-REG-001: npm publish without 2FA
+  { id: 'SC-REG-001', category: 'security', severity: 'high', title: 'npm Package Published Without 2FA Requirement', confidence: 'likely',
+    check({ files }) {
+      const pkg = files.get('package.json');
+      if (!pkg) return [];
+      try {
+        const json = JSON.parse(pkg);
+        if (json.publishConfig && !json.publishConfig['2fa'] && !json.private) {
+          return [{ ruleId: 'SC-REG-001', category: 'security', severity: 'high',
+            title: 'npm package published without 2FA enforcement',
+            description: 'Enable 2FA for npm publishing (npm profile enable-2fa auth-and-publish). Account takeover without 2FA allows immediate publication of malicious versions.',
+            fix: null }];
+        }
+      } catch {}
+      return [];
+    },
+  },
+
+  // SC-REG-002: Package.json missing private field
+  { id: 'SC-REG-002', category: 'security', severity: 'high', title: 'Internal Package Missing "private: true"', confidence: 'likely',
+    check({ files }) {
+      const pkg = files.get('package.json');
+      if (!pkg) return [];
+      try {
+        const json = JSON.parse(pkg);
+        if (!json.private && !json.publishConfig && (json.name || '').match(/internal|private|corp/i)) {
+          return [{ ruleId: 'SC-REG-002', category: 'security', severity: 'high',
+            title: 'Internal package without "private": true — may be accidentally published to npm',
+            description: 'Add "private": true to package.json for internal packages to prevent accidental npm publish and potential secret leakage.',
+            fix: null }];
+        }
+      } catch {}
+      return [];
+    },
+  },
+  // SC-PKG-009: Known malicious/compromised packages
+  { id: 'SC-PKG-009', category: 'security', severity: 'critical', title: 'Known Compromised or Malicious Package in Dependencies', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      const pkg = files.get('package.json');
+      if (!pkg) return findings;
+      // Packages with confirmed supply chain attacks or deliberate sabotage
+      const COMPROMISED = {
+        'event-stream': 'Malicious code injected in 2018 targeting bitcoin wallet (flatmap-stream incident)',
+        'node-ipc': 'Deliberate sabotage in 2022 (v10.1.1/10.1.2) that overwrote files on Russian/Belarusian IPs',
+        'colors': 'Deliberate sabotage in 2022 (v1.4.44-liberty-2) that printed infinite garbage output',
+        'faker': 'Deliberate sabotage in 2022 (v6.6.6) by same author as colors',
+        'ua-parser-js': 'Hijacked in 2021 (v0.7.29/0.8.0/1.0.0) to install crypto-miners and trojans',
+        'coa': 'Hijacked in 2021 (v2.0.3/2.0.4/3.1.3/3.1.4) same campaign as ua-parser-js',
+        'rc': 'Hijacked in 2021 (v1.2.9) same campaign as ua-parser-js',
+        'node-netmask': 'SSRF/RCE vulnerability used as supply chain vector (CVE-2021-28918)',
+        'crossenv': 'Typosquatting attack against cross-env (2017) — installs coin miner',
+        'cross-env.js': 'Typosquatting attack against cross-env',
+        'd3.js': 'Typosquatting attack against d3',
+        'jquery.js': 'Typosquatting attack against jquery',
+        'socket.io.js': 'Typosquatting attack against socket.io',
+        'lodash.js': 'Typosquatting attack against lodash',
+      };
+      try {
+        const json = JSON.parse(pkg);
+        const allDeps = { ...json.dependencies, ...json.devDependencies, ...json.peerDependencies };
+        for (const [name] of Object.entries(allDeps)) {
+          if (COMPROMISED[name]) {
+            findings.push({ ruleId: 'SC-PKG-009', category: 'security', severity: 'critical',
+              title: `Compromised package "${name}" in dependencies`,
+              description: COMPROMISED[name] + '. Remove or replace this package immediately.',
+              file: 'package.json', fix: null });
+          }
+        }
+      } catch {}
+      return findings;
+    },
+  },
+
+  // SC-PKG-010: .npmrc with hardcoded auth token
+  { id: 'SC-PKG-010', category: 'security', severity: 'critical', title: 'Hardcoded npm Auth Token in .npmrc', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.endsWith('.npmrc')) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // Match _authToken=<literal value> (not env var reference)
+          if (lines[i].match(/_authToken\s*=\s*(?!\$\{)[^\s$]/) || lines[i].match(/\/\/.*:_auth\s*=\s*(?!\$\{)[^\s$]/)) {
+            findings.push({ ruleId: 'SC-PKG-010', category: 'security', severity: 'critical',
+              title: 'Hardcoded npm auth token in .npmrc',
+              description: 'Use environment variable reference instead: //registry.npmjs.org/:_authToken=${NPM_TOKEN}. Committed tokens grant publish access to your packages.',
+              file: fp, line: i + 1, fix: null });
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-CI-009: ACTIONS_ALLOW_UNSECURE_COMMANDS enables legacy injection vector
+  { id: 'SC-CI-009', category: 'security', severity: 'critical', title: 'ACTIONS_ALLOW_UNSECURE_COMMANDS Enables Legacy Command Injection', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.github\/workflows\/.*\.ya?ml$/)) continue;
+        if (c.match(/ACTIONS_ALLOW_UNSECURE_COMMANDS\s*:\s*true/)) {
+          findings.push({ ruleId: 'SC-CI-009', category: 'security', severity: 'critical',
+            title: 'ACTIONS_ALLOW_UNSECURE_COMMANDS=true re-enables deprecated injection vector',
+            description: 'The set-env and add-path workflow commands were disabled in Nov 2020 due to environment injection vulnerabilities. Setting ACTIONS_ALLOW_UNSECURE_COMMANDS=true re-enables them, allowing any step to poison the environment for subsequent steps.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-BUILD-004: Build artifact uploaded to untrusted registry
+  { id: 'SC-BUILD-004', category: 'security', severity: 'high', title: 'Docker Image Pushed to Unauthenticated or Public Registry', confidence: 'likely',
+    check({ files }) {
+      const findings = [];
+      for (const [fp, c] of files) {
+        if (!fp.match(/\.github\/workflows\/.*\.ya?ml$/)) continue;
+        const lines = c.split('\n');
+        for (let i = 0; i < lines.length; i++) {
+          // docker push to docker.io without explicit auth step
+          if (lines[i].match(/docker\s+push\s+[^\s]+/) && !lines[i].match(/\$\{\{/)) {
+            // Check there's a docker login in the surrounding workflow
+            if (!c.match(/docker\s+login|docker\/login-action/)) {
+              findings.push({ ruleId: 'SC-BUILD-004', category: 'security', severity: 'high',
+                title: 'Docker push without explicit registry authentication step',
+                description: 'Authenticate to the registry before pushing (docker/login-action or docker login with secrets). Unauthenticated pushes may silently succeed with ambient credentials or fail insecurely.',
+                file: fp, line: i + 1, fix: null });
+            }
+          }
+        }
+      }
+      return findings;
+    },
+  },
+
+  // SC-SRC-004: .env file accidentally committed
+  { id: 'SC-SRC-004', category: 'security', severity: 'critical', title: '.env File Committed to Repository', confidence: 'definite',
+    check({ files }) {
+      const findings = [];
+      for (const [fp] of files) {
+        if (fp.match(/(^|\/)\.(env|env\.(local|dev|prod|staging|test|development|production))$/) && !fp.includes('node_modules')) {
+          findings.push({ ruleId: 'SC-SRC-004', category: 'security', severity: 'critical',
+            title: `.env file committed to repository: ${fp}`,
+            description: '.env files often contain API keys, database passwords, and tokens. Add .env to .gitignore and rotate any secrets present. Use a secrets manager or CI environment variables instead.',
+            file: fp, fix: null });
+        }
+      }
+      return findings;
+    },
+  },
+];
+
+export default rules;