getdoorman 1.1.0 → 1.2.0

package/src/rules/infrastructure/index.js

@@ -183,7 +183,7 @@ const rules = [
   {
     id: 'INFRA-007',
     category: 'infrastructure',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Sensitive Host Path Mounted in Docker Compose',
     check({ files }) {
@@ -245,7 +245,7 @@ const rules = [
   {
     id: 'INFRA-009',
     category: 'infrastructure',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Privileged Mode in Docker Compose',
     check({ files }) {
@@ -296,7 +296,7 @@ const rules = [
   },
 
   // INFRA-DOCKER-001: Secrets in ENV instruction
-  { id: 'INFRA-DOCKER-001', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Secrets in Dockerfile ENV Instruction',
+  { id: 'INFRA-DOCKER-001', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Secrets in Dockerfile ENV Instruction',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -315,7 +315,7 @@ const rules = [
   },
 
   // INFRA-DOCKER-002: curl|bash pattern
-  { id: 'INFRA-DOCKER-002', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Remote Script Execution in Dockerfile',
+  { id: 'INFRA-DOCKER-002', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Remote Script Execution in Dockerfile',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -398,7 +398,7 @@ const rules = [
   },
 
   // INFRA-K8S-003: Secrets in ConfigMap
-  { id: 'INFRA-K8S-003', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Secrets in Kubernetes ConfigMap',
+  { id: 'INFRA-K8S-003', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Secrets in Kubernetes ConfigMap',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -428,7 +428,7 @@ const rules = [
   },
 
   // INFRA-CLOUD-001: SSH open to all IPs
-  { id: 'INFRA-CLOUD-001', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'SSH Port Open to Internet',
+  { id: 'INFRA-CLOUD-001', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'SSH Port Open to Internet',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -444,7 +444,7 @@ const rules = [
   },
 
   // INFRA-CLOUD-002: Database publicly accessible
-  { id: 'INFRA-CLOUD-002', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Database Publicly Accessible',
+  { id: 'INFRA-CLOUD-002', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Database Publicly Accessible',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -460,7 +460,7 @@ const rules = [
   },
 
   // INFRA-CLOUD-003: Hardcoded creds in Terraform
-  { id: 'INFRA-CLOUD-003', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Hardcoded Credentials in Terraform',
+  { id: 'INFRA-CLOUD-003', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Hardcoded Credentials in Terraform',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -493,7 +493,7 @@ const rules = [
   },
 
   // INFRA-CLOUD-005: IAM admin policy
-  { id: 'INFRA-CLOUD-005', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'IAM Policy Grants Full Admin Access',
+  { id: 'INFRA-CLOUD-005', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'IAM Policy Grants Full Admin Access',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -572,7 +572,7 @@ const rules = [
   },
 
   // INFRA-K8S-010: Privileged container
-  { id: 'INFRA-K8S-010', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes Privileged Container',
+  { id: 'INFRA-K8S-010', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes Privileged Container',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -837,7 +837,7 @@ const rules = [
   },
 
   // INFRA-CLOUD-011: RDS instance publicly accessible
-  { id: 'INFRA-CLOUD-011', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'RDS Instance Publicly Accessible',
+  { id: 'INFRA-CLOUD-011', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'RDS Instance Publicly Accessible',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1274,7 +1274,7 @@ const rules = [
     },
   },
   // INFRA-TF-009: terraform.tfvars with secrets committed
-  { id: 'INFRA-TF-009', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Terraform Variables File With Secrets',
+  { id: 'INFRA-TF-009', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Terraform Variables File With Secrets',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1290,7 +1290,7 @@ const rules = [
     },
   },
   // INFRA-NET-004: Security group ingress from 0.0.0.0 on database port
-  { id: 'INFRA-NET-004', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Database Port Open to Internet',
+  { id: 'INFRA-NET-004', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Database Port Open to Internet',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1516,7 +1516,7 @@ const rules = [
     },
   },
   // INFRA-NET-006: Security group allows unrestricted database port
-  { id: 'INFRA-NET-006', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Security Group Exposes Database Port Publicly',
+  { id: 'INFRA-NET-006', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Security Group Exposes Database Port Publicly',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1595,7 +1595,7 @@ const rules = [
     },
   },
   // INFRA-CLOUD-033: IAM role with AdministratorAccess
-  { id: 'INFRA-CLOUD-033', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'IAM Role with AdministratorAccess Policy',
+  { id: 'INFRA-CLOUD-033', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'IAM Role with AdministratorAccess Policy',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {
@@ -1758,7 +1758,7 @@ rules.push({
 
 // INFRA-K8S-028: Privileged container
 rules.push({
-  id: 'INFRA-K8S-028', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes container running as privileged',
+  id: 'INFRA-K8S-028', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes container running as privileged',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -1832,7 +1832,7 @@ rules.push({
 
 // INFRA-DC-027: Secrets in Docker Compose environment
 rules.push({
-  id: 'INFRA-DC-027', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Hardcoded secret in Docker Compose environment section',
+  id: 'INFRA-DC-027', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Hardcoded secret in Docker Compose environment section',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -1897,7 +1897,7 @@ rules.push({
 
 // INFRA-TF-028: Open security group (0.0.0.0/0 ingress)
 rules.push({
-  id: 'INFRA-TF-028', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Terraform security group with unrestricted ingress (0.0.0.0/0)',
+  id: 'INFRA-TF-028', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Terraform security group with unrestricted ingress (0.0.0.0/0)',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -1962,7 +1962,7 @@ rules.push({
 
 // INFRA-K8S-033: Sensitive hostPath mount
 rules.push({
-  id: 'INFRA-K8S-033', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes pod mounts sensitive host path',
+  id: 'INFRA-K8S-033', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes pod mounts sensitive host path',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2101,7 +2101,7 @@ rules.push({
 
 // INFRA-TF-036: RDS not in private subnet
 rules.push({
-  id: 'INFRA-TF-036', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'RDS instance publicly accessible',
+  id: 'INFRA-TF-036', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'RDS instance publicly accessible',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2178,7 +2178,7 @@ rules.push({
 
 // INFRA-K8S-037: ConfigMap used for secrets
 rules.push({
-  id: 'INFRA-K8S-037', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes ConfigMap storing secret values',
+  id: 'INFRA-K8S-037', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes ConfigMap storing secret values',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2212,7 +2212,7 @@ rules.push({
 
 // INFRA-TF-040: AWS account root user access key
 rules.push({
-  id: 'INFRA-TF-040', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'AWS root account access key configured',
+  id: 'INFRA-TF-040', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'AWS root account access key configured',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2307,7 +2307,7 @@ rules.push({
 
 // INFRA-K8S-040: Container with all capabilities
 rules.push({
-  id: 'INFRA-K8S-040', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes container with all capabilities added',
+  id: 'INFRA-K8S-040', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes container with all capabilities added',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2474,7 +2474,7 @@ rules.push({
 
 // INFRA-K8S-044: Service account with cluster-admin role
 rules.push({
-  id: 'INFRA-K8S-044', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes service account bound to cluster-admin role',
+  id: 'INFRA-K8S-044', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes service account bound to cluster-admin role',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2576,7 +2576,7 @@ rules.push({
 
 // INFRA-057: Kubernetes container running as privileged
 rules.push({
-  id: 'INFRA-057', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Kubernetes privileged container',
+  id: 'INFRA-057', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Kubernetes privileged container',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2692,7 +2692,7 @@ rules.push({
 
 // INFRA-066: Database publicly accessible
 rules.push({
-  id: 'INFRA-066', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'RDS instance publicly accessible',
+  id: 'INFRA-066', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'RDS instance publicly accessible',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2717,7 +2717,7 @@ rules.push({
 
 // INFRA-068: Security group with 0.0.0.0/0 SSH
 rules.push({
-  id: 'INFRA-068', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'SSH open to the world',
+  id: 'INFRA-068', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'SSH open to the world',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {
@@ -2857,7 +2857,7 @@ rules.push({
 
 // INFRA-079: Docker socket mounted
 rules.push({
-  id: 'INFRA-079', category: 'infrastructure', severity: 'critical', confidence: 'definite', title: 'Docker socket mounted in container',
+  id: 'INFRA-079', category: 'infrastructure', severity: 'high', confidence: 'definite', title: 'Docker socket mounted in container',
   check({ files }) {
     const findings = [];
     for (const [fp, c] of files) {

package/src/rules/performance/index.js

@@ -2350,7 +2350,7 @@ const rules = [
     },
   },
   // PERF-CACHE-010: Redis KEYS command in production
-  { id: 'PERF-CACHE-010', category: 'performance', severity: 'critical', confidence: 'definite', title: 'Redis KEYS Command Used in Production',
+  { id: 'PERF-CACHE-010', category: 'performance', severity: 'high', confidence: 'definite', title: 'Redis KEYS Command Used in Production',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {

package/src/rules/reliability/index.js

@@ -683,7 +683,7 @@ const rules = [
   {
     id: 'REL-RES-001',
     category: 'reliability',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Payment API Call Without Idempotency Key',
     check({ files }) {

package/src/rules/security/ai-api.js

@@ -329,6 +329,7 @@ const rules = [
       for (const [path, content] of files) {
         if (SKIP_PATH.test(path)) continue;
         if (!path.endsWith('.env') && !path.match(/\.env\.\w+$/)) continue;
+        if (/\.env\.(example|sample|template|defaults|dev\.example)$/i.test(path)) continue;
         findings.push(...scanLines(content, envKeyPattern, path, this));
       }
       return findings;

package/src/rules/security/auth.js

@@ -309,7 +309,7 @@ const rules = [
   {
     id: 'SEC-AUTH-007',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'suggestion',
     title: 'API route missing authentication middleware',
     check({ files }) {
@@ -366,7 +366,7 @@ const rules = [
   {
     id: 'SEC-AUTH-008',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'suggestion',
     title: 'Admin route missing role/permission check',
     check({ files }) {

package/src/rules/security/cors.js

@@ -32,7 +32,7 @@ const rules = [
 
   // SEC-CORS-002
   {
-    id: 'SEC-CORS-002', category: 'security', severity: 'critical', confidence: 'definite',
+    id: 'SEC-CORS-002', category: 'security', severity: 'high', confidence: 'definite',
     title: 'CORS reflects Origin header',
     check({ files }) {
       const findings = [];
@@ -56,7 +56,7 @@ const rules = [
 
   // SEC-CORS-003
   {
-    id: 'SEC-CORS-003', category: 'security', severity: 'critical', confidence: 'definite',
+    id: 'SEC-CORS-003', category: 'security', severity: 'high', confidence: 'definite',
     title: 'CORS allows credentials with wildcard origin',
     check({ files }) {
       const findings = [];

package/src/rules/security/crypto.js

@@ -259,7 +259,7 @@ export default rules;
 
 // SEC-CRY-011: Hardcoded encryption key
 rules.push({
-  id: 'SEC-CRY-011', category: 'security', severity: 'critical', confidence: 'definite',
+  id: 'SEC-CRY-011', category: 'security', severity: 'high', confidence: 'definite',
   title: 'Hardcoded encryption key or IV',
   check({ files }) {
     const findings = [];
@@ -467,7 +467,7 @@ rules.push({
 
 // SEC-CRY-021: Hardcoded salt
 rules.push({
-  id: 'SEC-CRY-021', category: 'security', severity: 'critical', confidence: 'definite',
+  id: 'SEC-CRY-021', category: 'security', severity: 'high', confidence: 'definite',
   title: 'Hardcoded salt for password hashing',
   check({ files }) {
     const findings = [];

package/src/rules/security/csharp.js

@@ -132,7 +132,7 @@ const rules = [
   {
     id: 'SEC-CS-006',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Insecure Deserialization: BinaryFormatter',
     description: 'BinaryFormatter is inherently insecure and can execute arbitrary code during deserialization.',
@@ -603,7 +603,7 @@ const rules = [
   {
     id: 'SEC-CS-035',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'CORS: Credentials with Any Origin',
     description: 'AllowCredentials with AllowAnyOrigin is a severe misconfiguration.',
@@ -731,7 +731,7 @@ const rules = [
   {
     id: 'SEC-CS-043',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'TLS Certificate Validation Disabled',
     description: 'Disabling certificate validation allows man-in-the-middle attacks.',

package/src/rules/security/csrf.js

@@ -34,7 +34,7 @@ const rules = [
 
   // SEC-CSRF-002
   {
-    id: 'SEC-CSRF-002', category: 'security', severity: 'critical', confidence: 'definite',
+    id: 'SEC-CSRF-002', category: 'security', severity: 'high', confidence: 'definite',
     title: 'CSRF token not validated on server',
     check({ files }) {
       const findings = [];

package/src/rules/security/file-upload.js

@@ -95,7 +95,7 @@ const rules = [
 
   // SEC-UPL-005
   {
-    id: 'SEC-UPL-005', category: 'security', severity: 'critical', confidence: 'definite',
+    id: 'SEC-UPL-005', category: 'security', severity: 'high', confidence: 'definite',
     title: 'Executable file upload allowed',
     check({ files }) {
       const findings = [];

package/src/rules/security/go.js

@@ -258,7 +258,7 @@ const rules = [
   {
     id: 'SEC-GO-014',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Insecure TLS: Certificate Verification Disabled',
     description: 'Setting InsecureSkipVerify to true disables TLS certificate validation, enabling MITM attacks.',
@@ -450,7 +450,7 @@ const rules = [
   {
     id: 'SEC-GO-026',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'CORS Allow Credentials with Wildcard Origin',
     description: 'Allowing credentials with wildcard origin is a severe misconfiguration enabling credential theft.',
@@ -482,7 +482,7 @@ const rules = [
   {
     id: 'SEC-GO-028',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'JWT None Algorithm Accepted',
     description: 'Not validating the JWT signing method allows attackers to use the "none" algorithm to forge tokens.',

package/src/rules/security/misconfiguration.js

@@ -59,7 +59,7 @@ const rules = [
   {
     id: 'SEC-MISC-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Public S3 bucket configuration detected',
     check({ files }) {
@@ -82,7 +82,7 @@ const rules = [
   {
     id: 'SEC-MISC-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Database bound to all network interfaces',
     check({ files }) {
@@ -268,7 +268,7 @@ const rules = [
   {
     id: 'SEC-MISC-007',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Permissive database security rules',
     check({ files }) {
@@ -592,7 +592,7 @@ const rules = [
   {
     id: 'SEC-MISC-015',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Overly permissive IAM policy detected',
     check({ files }) {

package/src/rules/security/oauth-jwt.js

@@ -39,7 +39,7 @@ const rules = [
   {
     id: 'SEC-JWT-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'JWT Algorithm "none" Allowed',
     description:
@@ -108,7 +108,7 @@ const rules = [
   {
     id: 'SEC-JWT-004',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Weak JWT Signing Secret',
     description:
@@ -241,10 +241,13 @@ const rules = [
       const findings = [];
       const callbackPattern = /(?:\/callback|\/oauth\/callback|\/auth\/callback)/;
       const tokenExchange = /(?:getToken|requestToken|exchangeCode|code.*token|grant_type.*authorization_code)/;
+      // Check if ANY file in the project validates OAuth state (cross-file check)
+      const projectHasStateValidation = [...files.values()].some(c => /(?:state|csrf|nonce).*(?:verify|validate|check|compare|match|===)/i.test(c));
       for (const [path, content] of files) {
         if (SKIP_PATH.test(path)) continue;
         if (!isJS(path)) continue;
         if (callbackPattern.test(content) && tokenExchange.test(content)) {
+          if (projectHasStateValidation) continue; // State is validated somewhere in the project
           if (!/(?:state|csrf|nonce)/.test(content)) {
             findings.push({
               ruleId: this.id,

package/src/rules/security/prototype-pollution.js

@@ -39,7 +39,7 @@ const rules = [
   {
     id: 'SEC-PP-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Direct __proto__ Property Access',
     description:
@@ -108,7 +108,7 @@ const rules = [
   {
     id: 'SEC-PP-004',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Constructor Prototype Access Pattern',
     description:

package/src/rules/security/rate-limiting.js

@@ -30,7 +30,7 @@ const rules = [
 
   // SEC-RL-002
   {
-    id: 'SEC-RL-002', category: 'security', severity: 'critical', confidence: 'definite',
+    id: 'SEC-RL-002', category: 'security', severity: 'high', confidence: 'definite',
     title: 'No rate limiting on login endpoint',
     check({ files, stack }) {
       const findings = [];

package/src/rules/security/rust.js

@@ -274,7 +274,7 @@ const rules = [
   {
     id: 'SEC-RS-015',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'TLS Certificate Validation Disabled',
     description: 'Disabling TLS certificate validation allows man-in-the-middle attacks.',
@@ -290,7 +290,7 @@ const rules = [
   {
     id: 'SEC-RS-016',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'TLS Hostname Validation Disabled',
     description: 'Disabling hostname validation in TLS allows certificate substitution attacks.',
@@ -549,7 +549,7 @@ const rules = [
   {
     id: 'SEC-RS-032',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Hardcoded Private Key',
     description: 'Private keys embedded in source code can be extracted and used to impersonate the service.',

package/src/rules/security/ssrf.js

@@ -96,7 +96,7 @@ const rules = [
   {
     id: 'SEC-SSRF-003',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Cloud Metadata Endpoint URL in Code',
     description:
@@ -105,14 +105,18 @@ const rules = [
     check({ files }) {
       const findings = [];
       const pattern = /169\.254\.169\.254|metadata\.google\.internal|metadata\.azure\.com/;
-      const blocklistContext = /block|deny|forbidden|not.?allowed|invalid|reject|blacklist|safelist|denylist|disallow|banned|BLOCKED/i;
+      const safeContext = /block|deny|forbidden|not.?allowed|invalid|reject|blacklist|safelist|denylist|disallow|banned|BLOCKED|isAllowed|validate|security|guard|check|filter|protect/i;
       for (const [path, content] of files) {
         if (SKIP_PATH.test(path)) continue;
         if (isJS(path)) {
           const lines = content.split('\n');
           for (let i = 0; i < lines.length; i++) {
-            if (pattern.test(lines[i]) && !blocklistContext.test(lines[i])) {
-              findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, confidence: this.confidence, file: path, line: i + 1, fix: this.fix });
+            if (pattern.test(lines[i])) {
+              // Check ±5 lines for security/validation context
+              const ctx = lines.slice(Math.max(0, i - 5), i + 5).join(' ');
+              if (!safeContext.test(ctx)) {
+                findings.push({ ruleId: this.id, category: this.category, severity: this.severity, title: this.title, description: this.description, confidence: this.confidence, file: path, line: i + 1, fix: this.fix });
+              }
             }
           }
         }

package/src/rules/security/supply-chain-advanced.js

@@ -40,7 +40,7 @@ const rules = [
   {
     id: 'SEC-SCA-001',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Postinstall Script Executes Binary or Shell Command',
     description:
@@ -77,7 +77,7 @@ const rules = [
   {
     id: 'SEC-SCA-002',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'Install Hook Downloads and Executes Remote Code',
     description:

package/src/rules/security/xss.js

@@ -230,7 +230,7 @@ const rules = [
   {
     id: 'SEC-XSS-007',
     category: 'security',
-    severity: 'critical',
+    severity: 'high',
     confidence: 'definite',
     title: 'javascript: protocol in href/src attributes',
     check({ files }) {
@@ -498,7 +498,7 @@ const rules = [
     },
   },
   // SEC-XSS-013: Server-side reflected XSS via res.send/res.write
-  { id: 'SEC-XSS-013', category: 'security', severity: 'critical', confidence: 'definite', title: 'Server-Side Reflected XSS via res.send()',
+  { id: 'SEC-XSS-013', category: 'security', severity: 'high', confidence: 'definite', title: 'Server-Side Reflected XSS via res.send()',
     check({ files }) {
       const findings = [];
       for (const [fp, c] of files) {