getdoorman 1.0.9 → 1.1.1

package/src/rules/data/index.js

@@ -6,7 +6,7 @@ const rules = [
   {
     id: 'DATA-001',
     category: 'data',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Weak Password Hashing',
     check({ files }) {
@@ -162,7 +162,7 @@ const rules = [
   },
 
   // DATA-ENC-002: ECB mode for AES
-  { id: 'DATA-ENC-002', category: 'data', severity: 'critical', confidence: 'definite', title: 'AES-ECB Mode — Insecure Encryption',
+  { id: 'DATA-ENC-002', category: 'data', severity: 'high', confidence: 'definite', title: 'AES-ECB Mode — Insecure Encryption',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -180,7 +180,7 @@ const rules = [
   },
 
   // DATA-ENC-003: Hardcoded IV/nonce
-  { id: 'DATA-ENC-003', category: 'data', severity: 'critical', confidence: 'definite', title: 'Hardcoded IV or Nonce',
+  { id: 'DATA-ENC-003', category: 'data', severity: 'high', confidence: 'definite', title: 'Hardcoded IV or Nonce',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -237,7 +237,7 @@ const rules = [
   },
 
   // DATA-PII-001: SSN pattern in code
-  { id: 'DATA-PII-001', category: 'data', severity: 'critical', confidence: 'definite', title: 'Social Security Number Handling',
+  { id: 'DATA-PII-001', category: 'data', severity: 'high', confidence: 'definite', title: 'Social Security Number Handling',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -342,7 +342,7 @@ const rules = [
   },
 
   // DATA-STORE-001: S3 bucket with public read
-  { id: 'DATA-STORE-001', category: 'data', severity: 'critical', confidence: 'definite', title: 'S3 Bucket With Public Read Access',
+  { id: 'DATA-STORE-001', category: 'data', severity: 'high', confidence: 'definite', title: 'S3 Bucket With Public Read Access',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -499,7 +499,7 @@ const rules = [
   },
 
   // DATA-ENC-009: Weak password hashing (MD5/SHA1)
-  { id: 'DATA-ENC-009', category: 'data', severity: 'critical', confidence: 'definite', title: 'Weak Password Hashing Algorithm',
+  { id: 'DATA-ENC-009', category: 'data', severity: 'high', confidence: 'definite', title: 'Weak Password Hashing Algorithm',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -601,7 +601,7 @@ const rules = [
   },
 
   // DATA-PII-008: Credit card data in logs
-  { id: 'DATA-PII-008', category: 'data', severity: 'critical', confidence: 'definite', title: 'Payment Card Data in Logs',
+  { id: 'DATA-PII-008', category: 'data', severity: 'high', confidence: 'definite', title: 'Payment Card Data in Logs',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -685,7 +685,7 @@ const rules = [
   },
 
   // DATA-STORE-005: Database connection string hardcoded
-  { id: 'DATA-STORE-005', category: 'data', severity: 'critical', confidence: 'definite', title: 'Database Connection String Hardcoded',
+  { id: 'DATA-STORE-005', category: 'data', severity: 'high', confidence: 'definite', title: 'Database Connection String Hardcoded',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -729,7 +729,7 @@ const rules = [
   },
 
   // DATA-STORE-008: MongoDB without authentication
-  { id: 'DATA-STORE-008', category: 'data', severity: 'critical', confidence: 'definite', title: 'MongoDB Connection Without Authentication',
+  { id: 'DATA-STORE-008', category: 'data', severity: 'high', confidence: 'definite', title: 'MongoDB Connection Without Authentication',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -763,7 +763,7 @@ const rules = [
   },
 
   // DATA-STORE-010: Path traversal risk in file operations
-  { id: 'DATA-STORE-010', category: 'data', severity: 'critical', confidence: 'definite', title: 'Path Traversal Risk in File Operations',
+  { id: 'DATA-STORE-010', category: 'data', severity: 'high', confidence: 'definite', title: 'Path Traversal Risk in File Operations',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -979,7 +979,7 @@ const rules = [
   },
 
   // DATA-PII-009: Health data stored without consent
-  { id: 'DATA-PII-009', category: 'data', severity: 'critical', confidence: 'definite', title: 'Health Data Collected Without Explicit Consent',
+  { id: 'DATA-PII-009', category: 'data', severity: 'high', confidence: 'definite', title: 'Health Data Collected Without Explicit Consent',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1015,7 +1015,7 @@ const rules = [
   },
 
   // DATA-STORE-012: Storing secrets in database as plain text
-  { id: 'DATA-STORE-012', category: 'data', severity: 'critical', confidence: 'definite', title: 'Secrets Stored as Plain Text in Database',
+  { id: 'DATA-STORE-012', category: 'data', severity: 'high', confidence: 'definite', title: 'Secrets Stored as Plain Text in Database',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1078,7 +1078,7 @@ const rules = [
   },
 
   // DATA-ENC-012: JWT with none algorithm
-  { id: 'DATA-ENC-012', category: 'data', severity: 'critical', confidence: 'definite', title: 'JWT Algorithm Set to None',
+  { id: 'DATA-ENC-012', category: 'data', severity: 'high', confidence: 'definite', title: 'JWT Algorithm Set to None',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1095,7 +1095,7 @@ const rules = [
   },
 
   // DATA-STORE-013: Using eval() to parse untrusted JSON
-  { id: 'DATA-STORE-013', category: 'data', severity: 'critical', confidence: 'definite', title: 'eval() Used to Parse JSON',
+  { id: 'DATA-STORE-013', category: 'data', severity: 'high', confidence: 'definite', title: 'eval() Used to Parse JSON',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1233,7 +1233,7 @@ const rules = [
     },
   },
   // DATA-STORE-015: Storing passwords as password_hash with MD5/SHA1
-  { id: 'DATA-STORE-015', category: 'data', severity: 'critical', confidence: 'definite', title: 'Weak Password Hashing Algorithm',
+  { id: 'DATA-STORE-015', category: 'data', severity: 'high', confidence: 'definite', title: 'Weak Password Hashing Algorithm',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1449,7 +1449,7 @@ const rules = [
     },
   },
   // DATA-STORE-019: Using eval to deserialize data from storage
-  { id: 'DATA-STORE-019', category: 'data', severity: 'critical', confidence: 'definite', title: 'eval() Used to Deserialize Stored Data',
+  { id: 'DATA-STORE-019', category: 'data', severity: 'high', confidence: 'definite', title: 'eval() Used to Deserialize Stored Data',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1468,7 +1468,7 @@ const rules = [
     },
   },
   // DATA-ENC-017: Hardcoded initialization vector (IV)
-  { id: 'DATA-ENC-017', category: 'data', severity: 'critical', confidence: 'definite', title: 'Hardcoded IV/Nonce for Encryption',
+  { id: 'DATA-ENC-017', category: 'data', severity: 'high', confidence: 'definite', title: 'Hardcoded IV/Nonce for Encryption',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1532,7 +1532,7 @@ const rules = [
     },
   },
   // DATA-ENC-018: Using DES or 3DES encryption
-  { id: 'DATA-ENC-018', category: 'data', severity: 'critical', confidence: 'definite', title: 'DES or 3DES Encryption Algorithm Used',
+  { id: 'DATA-ENC-018', category: 'data', severity: 'high', confidence: 'definite', title: 'DES or 3DES Encryption Algorithm Used',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1608,7 +1608,7 @@ const rules = [
     },
   },
   // DATA-PII-014: SSN or date-of-birth stored in plain text
-  { id: 'DATA-PII-014', category: 'data', severity: 'critical', confidence: 'definite', title: 'SSN or Date of Birth Stored in Plain Text',
+  { id: 'DATA-PII-014', category: 'data', severity: 'high', confidence: 'definite', title: 'SSN or Date of Birth Stored in Plain Text',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1668,7 +1668,7 @@ rules.push({
 
 // DATA-017: SSN returned in API response
 rules.push({
-  id: 'DATA-017', category: 'data', severity: 'critical', confidence: 'definite', title: 'Full SSN returned in API response — data exposure',
+  id: 'DATA-017', category: 'data', severity: 'high', confidence: 'definite', title: 'Full SSN returned in API response — data exposure',
   check({ files }) {
     const findings = [];
     const p = /(?:res\.json|res\.send|return.*json)\s*\([^)]*(?:ssn|social_security|socialSecurity)/i;
@@ -1688,7 +1688,7 @@ rules.push({
 
 // DATA-018: Full card number in API response
 rules.push({
-  id: 'DATA-018', category: 'data', severity: 'critical', confidence: 'definite', title: 'Full card number returned in API response',
+  id: 'DATA-018', category: 'data', severity: 'high', confidence: 'definite', title: 'Full card number returned in API response',
   check({ files }) {
     const findings = [];
     const p = /(?:res\.json|res\.send|return.*json)\s*\([^)]*(?:cardNumber|card_number|pan|creditCard)/i;
@@ -1897,7 +1897,7 @@ rules.push({
 
 // DATA-028: Password stored with reversible encryption
 rules.push({
-  id: 'DATA-028', category: 'data', severity: 'critical', confidence: 'definite', title: 'Password stored with reversible encryption instead of one-way hash',
+  id: 'DATA-028', category: 'data', severity: 'high', confidence: 'definite', title: 'Password stored with reversible encryption instead of one-way hash',
   check({ files }) {
     const findings = [];
     const encryptPassword = /(?:encrypt|cipher|aes|des)\s*\([^)]*password|password\s*[:=]\s*(?:encrypt|cipher)/i;
@@ -1919,7 +1919,7 @@ rules.push({
 
 // DATA-029: PII transmitted over HTTP
 rules.push({
-  id: 'DATA-029', category: 'data', severity: 'critical', confidence: 'definite', title: 'PII data transmitted over insecure HTTP',
+  id: 'DATA-029', category: 'data', severity: 'high', confidence: 'definite', title: 'PII data transmitted over insecure HTTP',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2180,7 +2180,7 @@ rules.push({
 
 // DATA-043: Unmasked PAN in API response
 rules.push({
-  id: 'DATA-043', category: 'data', severity: 'critical', confidence: 'definite', title: 'Credit card PAN returned in API response without masking',
+  id: 'DATA-043', category: 'data', severity: 'high', confidence: 'definite', title: 'Credit card PAN returned in API response without masking',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2216,7 +2216,7 @@ rules.push({
 
 // DATA-045: Passwords stored with reversible hashing
 rules.push({
-  id: 'DATA-045', category: 'data', severity: 'critical', confidence: 'definite', title: 'Password hashed with reversible algorithm (MD5/SHA1)',
+  id: 'DATA-045', category: 'data', severity: 'high', confidence: 'definite', title: 'Password hashed with reversible algorithm (MD5/SHA1)',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2453,7 +2453,7 @@ rules.push({
 
 // DATA-059: Biometric data without special category treatment
 rules.push({
-  id: 'DATA-059', category: 'data', severity: 'critical', confidence: 'definite', title: 'Biometric data processed without GDPR special category controls',
+  id: 'DATA-059', category: 'data', severity: 'high', confidence: 'definite', title: 'Biometric data processed without GDPR special category controls',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {

package/src/rules/dependencies/index.js

@@ -317,7 +317,7 @@ const rules = [
   },
 
   // DEPS-016: Package with known typosquatting name
-  { id: 'DEPS-016', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'Suspected Typosquatting Package',
+  { id: 'DEPS-016', category: 'dependencies', severity: 'high', confidence: 'definite', title: 'Suspected Typosquatting Package',
     check({ stack }) {
       const findings = [];
       const typosquats = { 'crossenv': 'cross-env', 'lodash-express': 'lodash', 'expres': 'express', 'requets': 'request', 'coloers': 'colors', 'mongoos': 'mongoose', 'exress': 'express', 'node-uuid': 'uuid', 'nodemon-alternative': 'nodemon', 'react-devtools-core2': 'react-devtools-core' };
@@ -703,7 +703,7 @@ const rules = [
   },
 
   // DEPS-040: High severity npm audit findings
-  { id: 'DEPS-040', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'Known High Severity CVE in Dependency',
+  { id: 'DEPS-040', category: 'dependencies', severity: 'high', confidence: 'definite', title: 'Known High Severity CVE in Dependency',
     check({ stack }) {
       const findings = [];
       const knownVulnerable = {
@@ -740,7 +740,7 @@ const rules = [
   },
 
   // DEPS-042: Production app without lockfile
-  { id: 'DEPS-042', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'No Lockfile in Repository',
+  { id: 'DEPS-042', category: 'dependencies', severity: 'high', confidence: 'definite', title: 'No Lockfile in Repository',
     check({ files }) {
       const findings = [];
       const hasPackageJson = [...files.keys()].some(f => f.endsWith('package.json') && !f.includes('node_modules'));
@@ -1592,7 +1592,7 @@ rules.push({
 
 // DEPS-095: vm2 package (abandoned, RCE vulnerabilities)
 rules.push({
-  id: 'DEPS-095', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'vm2 package is abandoned and has multiple RCE vulnerabilities',
+  id: 'DEPS-095', category: 'dependencies', severity: 'high', confidence: 'definite', title: 'vm2 package is abandoned and has multiple RCE vulnerabilities',
   check({ files, stack }) {
     const findings = [];
     if (stack.dependencies?.['vm2']) {
@@ -1605,7 +1605,7 @@ rules.push({
 
 // DEPS-096: jsonwebtoken < 9.0.0
 rules.push({
-  id: 'DEPS-096', category: 'dependencies', severity: 'critical', confidence: 'definite', title: 'jsonwebtoken < 9.0.0 — CVE-2022-23529 vulnerability',
+  id: 'DEPS-096', category: 'dependencies', severity: 'high', confidence: 'definite', title: 'jsonwebtoken < 9.0.0 — CVE-2022-23529 vulnerability',
   check({ files, stack }) {
     const findings = [];
     const ver = stack.dependencies?.['jsonwebtoken'];

package/src/rules/deployment/index.js

@@ -152,7 +152,7 @@ const rules = [
   {
     id: 'DEPLOY-005',
     category: 'deployment',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Hardcoded Secrets in CI Config',
     check({ files }) {
@@ -420,7 +420,7 @@ const rules = [
   },
 
   // DEPLOY-SEC-002: pull_request_target with checkout
-  { id: 'DEPLOY-SEC-002', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'pull_request_target With Untrusted Code Checkout',
+  { id: 'DEPLOY-SEC-002', category: 'deployment', severity: 'high', confidence: 'definite', title: 'pull_request_target With Untrusted Code Checkout',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -436,7 +436,7 @@ const rules = [
   },
 
   // DEPLOY-SEC-003: Workflow injection via PR title/body
-  { id: 'DEPLOY-SEC-003', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'Workflow Injection via PR Title/Body',
+  { id: 'DEPLOY-SEC-003', category: 'deployment', severity: 'high', confidence: 'definite', title: 'Workflow Injection via PR Title/Body',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -453,7 +453,7 @@ const rules = [
   },
 
   // DEPLOY-SEC-004: Secrets in CI logs
-  { id: 'DEPLOY-SEC-004', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'Secrets Potentially Exposed in CI Logs',
+  { id: 'DEPLOY-SEC-004', category: 'deployment', severity: 'high', confidence: 'definite', title: 'Secrets Potentially Exposed in CI Logs',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -566,7 +566,7 @@ const rules = [
   },
 
   // DEPLOY-ENV-001: Shared database between environments
-  { id: 'DEPLOY-ENV-001', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'Shared Database Between Environments',
+  { id: 'DEPLOY-ENV-001', category: 'deployment', severity: 'high', confidence: 'definite', title: 'Shared Database Between Environments',
     check({ files }) {
       const findings = [];
       const prodDbUrl = [...files.values()].some(c => c.match(/DATABASE_URL.*prod|production.*DATABASE_URL/i));
@@ -1206,7 +1206,7 @@ const rules = [
     },
   },
   // DEPLOY-PROC-033: Using curl | sh pattern in CI
-  { id: 'DEPLOY-PROC-033', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'Downloading and Executing Scripts via curl | sh',
+  { id: 'DEPLOY-PROC-033', category: 'deployment', severity: 'high', confidence: 'definite', title: 'Downloading and Executing Scripts via curl | sh',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1548,7 +1548,7 @@ rules.push({
 
 // DEPLOY-055: Environment variables hardcoded in CI config
 rules.push({
-  id: 'DEPLOY-055', category: 'deployment', severity: 'critical', confidence: 'definite', title: 'Hardcoded secret in CI/CD configuration file',
+  id: 'DEPLOY-055', category: 'deployment', severity: 'high', confidence: 'definite', title: 'Hardcoded secret in CI/CD configuration file',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {

package/src/rules/infrastructure/index.js

@@ -183,7 +183,7 @@ const rules = [
   {
     id: 'INFRA-007',
     category: 'infrastructure',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Sensitive Host Path Mounted in Docker Compose',
     check({ files }) {
@@ -245,7 +245,7 @@ const rules = [
   {
     id: 'INFRA-009',
     category: 'infrastructure',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Privileged Mode in Docker Compose',
     check({ files }) {
@@ -296,7 +296,7 @@ const rules = [
   },
 
   // INFRA-DOCKER-001: Secrets in ENV instruction
-  { id: 'INFRA-DOCKER-001', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Secrets in Dockerfile ENV Instruction',
+  { id: 'INFRA-DOCKER-001', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Secrets in Dockerfile ENV Instruction',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -315,7 +315,7 @@ const rules = [
   },
 
   // INFRA-DOCKER-002: curl|bash pattern
-  { id: 'INFRA-DOCKER-002', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Remote Script Execution in Dockerfile',
+  { id: 'INFRA-DOCKER-002', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Remote Script Execution in Dockerfile',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -398,7 +398,7 @@ const rules = [
   },
 
   // INFRA-K8S-003: Secrets in ConfigMap
-  { id: 'INFRA-K8S-003', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Secrets in Kubernetes ConfigMap',
+  { id: 'INFRA-K8S-003', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Secrets in Kubernetes ConfigMap',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -428,7 +428,7 @@ const rules = [
   },
 
   // INFRA-CLOUD-001: SSH open to all IPs
-  { id: 'INFRA-CLOUD-001', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'SSH Port Open to Internet',
+  { id: 'INFRA-CLOUD-001', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'SSH Port Open to Internet',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -444,7 +444,7 @@ const rules = [
   },
 
   // INFRA-CLOUD-002: Database publicly accessible
-  { id: 'INFRA-CLOUD-002', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Database Publicly Accessible',
+  { id: 'INFRA-CLOUD-002', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Database Publicly Accessible',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -460,7 +460,7 @@ const rules = [
   },
 
   // INFRA-CLOUD-003: Hardcoded creds in Terraform
-  { id: 'INFRA-CLOUD-003', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Hardcoded Credentials in Terraform',
+  { id: 'INFRA-CLOUD-003', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Hardcoded Credentials in Terraform',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -493,7 +493,7 @@ const rules = [
   },
 
   // INFRA-CLOUD-005: IAM admin policy
-  { id: 'INFRA-CLOUD-005', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'IAM Policy Grants Full Admin Access',
+  { id: 'INFRA-CLOUD-005', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'IAM Policy Grants Full Admin Access',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -572,7 +572,7 @@ const rules = [
   },
 
   // INFRA-K8S-010: Privileged container
-  { id: 'INFRA-K8S-010', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes Privileged Container',
+  { id: 'INFRA-K8S-010', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes Privileged Container',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -837,7 +837,7 @@ const rules = [
   },
 
   // INFRA-CLOUD-011: RDS instance publicly accessible
-  { id: 'INFRA-CLOUD-011', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'RDS Instance Publicly Accessible',
+  { id: 'INFRA-CLOUD-011', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'RDS Instance Publicly Accessible',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1274,7 +1274,7 @@ const rules = [
     },
   },
   // INFRA-TF-009: terraform.tfvars with secrets committed
-  { id: 'INFRA-TF-009', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Terraform Variables File With Secrets',
+  { id: 'INFRA-TF-009', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Terraform Variables File With Secrets',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1290,7 +1290,7 @@ const rules = [
     },
   },
   // INFRA-NET-004: Security group ingress from 0.0.0.0 on database port
-  { id: 'INFRA-NET-004', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Database Port Open to Internet',
+  { id: 'INFRA-NET-004', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Database Port Open to Internet',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1516,7 +1516,7 @@ const rules = [
     },
   },
   // INFRA-NET-006: Security group allows unrestricted database port
-  { id: 'INFRA-NET-006', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Security Group Exposes Database Port Publicly',
+  { id: 'INFRA-NET-006', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Security Group Exposes Database Port Publicly',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1595,7 +1595,7 @@ const rules = [
     },
   },
   // INFRA-CLOUD-033: IAM role with AdministratorAccess
-  { id: 'INFRA-CLOUD-033', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'IAM Role with AdministratorAccess Policy',
+  { id: 'INFRA-CLOUD-033', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'IAM Role with AdministratorAccess Policy',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1758,7 +1758,7 @@ rules.push({
 
 // INFRA-K8S-028: Privileged container
 rules.push({
-  id: 'INFRA-K8S-028', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes container running as privileged',
+  id: 'INFRA-K8S-028', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes container running as privileged',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -1832,7 +1832,7 @@ rules.push({
 
 // INFRA-DC-027: Secrets in Docker Compose environment
 rules.push({
-  id: 'INFRA-DC-027', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Hardcoded secret in Docker Compose environment section',
+  id: 'INFRA-DC-027', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Hardcoded secret in Docker Compose environment section',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -1897,7 +1897,7 @@ rules.push({
 
 // INFRA-TF-028: Open security group (0.0.0.0/0 ingress)
 rules.push({
-  id: 'INFRA-TF-028', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Terraform security group with unrestricted ingress (0.0.0.0/0)',
+  id: 'INFRA-TF-028', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Terraform security group with unrestricted ingress (0.0.0.0/0)',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -1962,7 +1962,7 @@ rules.push({
 
 // INFRA-K8S-033: Sensitive hostPath mount
 rules.push({
-  id: 'INFRA-K8S-033', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes pod mounts sensitive host path',
+  id: 'INFRA-K8S-033', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes pod mounts sensitive host path',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2101,7 +2101,7 @@ rules.push({
 
 // INFRA-TF-036: RDS not in private subnet
 rules.push({
-  id: 'INFRA-TF-036', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'RDS instance publicly accessible',
+  id: 'INFRA-TF-036', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'RDS instance publicly accessible',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2178,7 +2178,7 @@ rules.push({
 
 // INFRA-K8S-037: ConfigMap used for secrets
 rules.push({
-  id: 'INFRA-K8S-037', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes ConfigMap storing secret values',
+  id: 'INFRA-K8S-037', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes ConfigMap storing secret values',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2212,7 +2212,7 @@ rules.push({
 
 // INFRA-TF-040: AWS account root user access key
 rules.push({
-  id: 'INFRA-TF-040', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'AWS root account access key configured',
+  id: 'INFRA-TF-040', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'AWS root account access key configured',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2307,7 +2307,7 @@ rules.push({
 
 // INFRA-K8S-040: Container with all capabilities
 rules.push({
-  id: 'INFRA-K8S-040', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes container with all capabilities added',
+  id: 'INFRA-K8S-040', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes container with all capabilities added',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2474,7 +2474,7 @@ rules.push({
 
 // INFRA-K8S-044: Service account with cluster-admin role
 rules.push({
-  id: 'INFRA-K8S-044', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes service account bound to cluster-admin role',
+  id: 'INFRA-K8S-044', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes service account bound to cluster-admin role',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2576,7 +2576,7 @@ rules.push({
 
 // INFRA-057: Kubernetes container running as privileged
 rules.push({
-  id: 'INFRA-057', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes privileged container',
+  id: 'INFRA-057', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes privileged container',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2692,7 +2692,7 @@ rules.push({
 
 // INFRA-066: Database publicly accessible
 rules.push({
-  id: 'INFRA-066', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'RDS instance publicly accessible',
+  id: 'INFRA-066', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'RDS instance publicly accessible',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2717,7 +2717,7 @@ rules.push({
 
 // INFRA-068: Security group with 0.0.0.0/0 SSH
 rules.push({
-  id: 'INFRA-068', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'SSH open to the world',
+  id: 'INFRA-068', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'SSH open to the world',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2857,7 +2857,7 @@ rules.push({
 
 // INFRA-079: Docker socket mounted
 rules.push({
-  id: 'INFRA-079', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Docker socket mounted in container',
+  id: 'INFRA-079', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Docker socket mounted in container',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {

package/src/rules/performance/index.js

@@ -2350,7 +2350,7 @@ const rules = [
     },
   },
   // PERF-CACHE-010: Redis KEYS command in production
-  { id: 'PERF-CACHE-010', category: 'performance', severity: 'critical', confidence: 'definite', title: 'Redis KEYS Command Used in Production',
+  { id: 'PERF-CACHE-010', category: 'performance', severity: 'high', confidence: 'definite', title: 'Redis KEYS Command Used in Production',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {

package/src/rules/reliability/index.js

@@ -683,7 +683,7 @@ const rules = [
   {
     id: 'REL-RES-001',
     category: 'reliability',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Payment API Call Without Idempotency Key',
     check({ files }) {

package/src/rules/security/ai-api.js

@@ -329,6 +329,7 @@ const rules = [
       for (const [path, content] of files) {
         if (SKIP_PATH.test(path)) continue;
         if (!path.endsWith('.env') && !path.match(/\.env\.\w+$/)) continue;
+        if (/\.env\.(example|sample|template|defaults|dev\.example)$/i.test(path)) continue;
         findings.push(...scanLines(content, envKeyPattern, path, this));
       }
       return findings;

package/src/rules/security/auth.js

@@ -309,7 +309,7 @@ const rules = [
   {
     id: 'SEC-AUTH-007',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'suggestion',
     title: 'API route missing authentication middleware',
     check({ files }) {
@@ -366,7 +366,7 @@ const rules = [
   {
     id: 'SEC-AUTH-008',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'suggestion',
     title: 'Admin route missing role/permission check',
     check({ files }) {

package/src/rules/security/cors.js

@@ -32,7 +32,7 @@ const rules = [
 
   // SEC-CORS-002
   {
-    id: 'SEC-CORS-002', category: 'security', severity: 'critical', confidence: 'definite',
+    id: 'SEC-CORS-002', category: 'security', severity: 'high', confidence: 'definite',
     title: 'CORS reflects Origin header',
     check({ files }) {
       const findings = [];
@@ -56,7 +56,7 @@ const rules = [
 
   // SEC-CORS-003
   {
-    id: 'SEC-CORS-003', category: 'security', severity: 'critical', confidence: 'definite',
+    id: 'SEC-CORS-003', category: 'security', severity: 'high', confidence: 'definite',
     title: 'CORS allows credentials with wildcard origin',
     check({ files }) {
       const findings = [];