ghostpatch 1.0.0

package/src/core/scanner.ts

@@ -0,0 +1,201 @@
+import * as fs from 'fs';
+import * as path from 'path';
+import { glob } from 'glob';
+import micromatch from 'micromatch';
+import { Finding, ScanResult, ScanSummary, ScanOptions, Severity, meetsMinSeverity } from './severity';
+import { detectLanguage, isSupportedFile, DEFAULT_EXCLUDE, isConfigFile } from '../utils/languages';
+import { loadConfig } from '../utils/config';
+import { deduplicateFindings } from '../utils/fingerprint';
+
+import * as injectionDetector from '../detectors/injection';
+import * as authDetector from '../detectors/auth';
+import * as cryptoDetector from '../detectors/crypto';
+import * as secretsDetector from '../detectors/secrets';
+import * as ssrfDetector from '../detectors/ssrf';
+import * as pathTraversalDetector from '../detectors/pathtraversal';
+import * as prototypeDetector from '../detectors/prototype';
+import * as deserializeDetector from '../detectors/deserialize';
+import * as dependencyDetector from '../detectors/dependency';
+import * as misconfigDetector from '../detectors/misconfig';
+import * as zerodayDetector from '../detectors/zeroday';
+
+const ALL_DETECTORS = [
+  injectionDetector,
+  authDetector,
+  cryptoDetector,
+  secretsDetector,
+  ssrfDetector,
+  pathTraversalDetector,
+  prototypeDetector,
+  deserializeDetector,
+  dependencyDetector,
+  misconfigDetector,
+];
+
+export async function scan(target: string, options: ScanOptions = {}): Promise<ScanResult> {
+  const startTime = new Date();
+  const resolvedTarget = path.resolve(target || '.');
+  const config = loadConfig(options.configPath, resolvedTarget);
+  const minSeverity = options.severity || config.severity || Severity.LOW;
+  const excludePatterns = options.exclude || config.exclude || DEFAULT_EXCLUDE;
+  const maxFileSize = options.maxFileSize || config.maxFileSize || 1048576;
+
+  let files: string[] = [];
+  const stat = fs.statSync(resolvedTarget);
+
+  if (stat.isFile()) {
+    files = [resolvedTarget];
+  } else if (stat.isDirectory()) {
+    const allFiles = await glob('**/*', {
+      cwd: resolvedTarget,
+      nodir: true,
+      absolute: true,
+      ignore: excludePatterns,
+    });
+    files = allFiles.filter(f => {
+      const relative = path.relative(resolvedTarget, f);
+      return !micromatch.isMatch(relative, excludePatterns);
+    });
+  }
+
+  // Filter by supported languages and file size
+  let filesScanned = 0;
+  let filesSkipped = 0;
+  let allFindings: Finding[] = [];
+
+  const scanPromises = files.map(async (filePath) => {
+    try {
+      const fileStat = fs.statSync(filePath);
+      if (fileStat.size > maxFileSize) {
+        filesSkipped++;
+        return [];
+      }
+
+      const language = detectLanguage(filePath);
+      const isConfig = isConfigFile(filePath);
+
+      if (!language && !isConfig) {
+        filesSkipped++;
+        return [];
+      }
+
+      filesScanned++;
+      const content = fs.readFileSync(filePath, 'utf-8');
+      return scanFile(filePath, content, language || 'generic');
+    } catch {
+      filesSkipped++;
+      return [];
+    }
+  });
+
+  const results = await Promise.all(scanPromises);
+  allFindings = results.flat();
+
+  // Run zero-day suspicious pattern detection
+  if (options.ai !== false) {
+    for (const filePath of files) {
+      try {
+        const language = detectLanguage(filePath);
+        if (!language) continue;
+        const content = fs.readFileSync(filePath, 'utf-8');
+        const suspiciousFindings = zerodayDetector.detectSuspiciousPatterns(content, filePath, language);
+        allFindings.push(...suspiciousFindings);
+      } catch {
+        // Skip files that can't be read
+      }
+    }
+  }
+
+  // Deduplicate
+  allFindings = deduplicateFindings(allFindings);
+
+  // Filter by severity
+  allFindings = allFindings.filter(f => meetsMinSeverity(f.severity, minSeverity));
+
+  // Sort by severity (critical first)
+  const severityOrder = { critical: 0, high: 1, medium: 2, low: 3, info: 4 };
+  allFindings.sort((a, b) => severityOrder[a.severity] - severityOrder[b.severity]);
+
+  const endTime = new Date();
+
+  return {
+    target: resolvedTarget,
+    startTime,
+    endTime,
+    durationMs: endTime.getTime() - startTime.getTime(),
+    filesScanned,
+    filesSkipped,
+    findings: allFindings,
+    summary: buildSummary(allFindings),
+    aiEnabled: options.ai || false,
+  };
+}
+
+export function scanFile(filePath: string, content: string, language: string): Finding[] {
+  const findings: Finding[] = [];
+
+  for (const detector of ALL_DETECTORS) {
+    try {
+      const detectorFindings = detector.detect(content, filePath, language);
+      findings.push(...detectorFindings);
+    } catch {
+      // Skip detector errors
+    }
+  }
+
+  return findings;
+}
+
+export async function scanWithAI(
+  findings: Finding[],
+  files: Map<string, string>,
+  provider: zerodayDetector.AIProvider,
+): Promise<Finding[]> {
+  const aiFindings: Finding[] = [];
+
+  for (const [filePath, content] of files) {
+    const language = detectLanguage(filePath);
+    if (!language) continue;
+
+    try {
+      const results = await zerodayDetector.analyzeWithAI(content, filePath, language, provider);
+      aiFindings.push(...results);
+    } catch {
+      // AI analysis failed for this file
+    }
+  }
+
+  return [...findings, ...aiFindings];
+}
+
+function buildSummary(findings: Finding[]): ScanSummary {
+  const bySeverity: Record<Severity, number> = {
+    [Severity.CRITICAL]: 0,
+    [Severity.HIGH]: 0,
+    [Severity.MEDIUM]: 0,
+    [Severity.LOW]: 0,
+    [Severity.INFO]: 0,
+  };
+
+  const byCategory: Record<string, number> = {};
+  const fileCount: Record<string, number> = {};
+
+  for (const f of findings) {
+    bySeverity[f.severity]++;
+    const cat = f.owasp || 'other';
+    byCategory[cat] = (byCategory[cat] || 0) + 1;
+    fileCount[f.filePath] = (fileCount[f.filePath] || 0) + 1;
+  }
+
+  const topFiles = Object.entries(fileCount)
+    .map(([file, count]) => ({ file, count }))
+    .sort((a, b) => b.count - a.count)
+    .slice(0, 10);
+
+  return {
+    total: findings.length,
+    bySeverity,
+    byCategory,
+    topFiles,
+  };
+}

package/src/core/severity.ts

@@ -0,0 +1,140 @@
+export enum Severity {
+  CRITICAL = 'critical',
+  HIGH = 'high',
+  MEDIUM = 'medium',
+  LOW = 'low',
+  INFO = 'info',
+}
+
+export const SEVERITY_ORDER: Record<Severity, number> = {
+  [Severity.CRITICAL]: 5,
+  [Severity.HIGH]: 4,
+  [Severity.MEDIUM]: 3,
+  [Severity.LOW]: 2,
+  [Severity.INFO]: 1,
+};
+
+export const SEVERITY_COLORS: Record<Severity, string> = {
+  [Severity.CRITICAL]: '\x1b[41m\x1b[37m',
+  [Severity.HIGH]: '\x1b[31m',
+  [Severity.MEDIUM]: '\x1b[33m',
+  [Severity.LOW]: '\x1b[36m',
+  [Severity.INFO]: '\x1b[90m',
+};
+
+export const SEVERITY_ICONS: Record<Severity, string> = {
+  [Severity.CRITICAL]: '[!!!]',
+  [Severity.HIGH]: '[!!]',
+  [Severity.MEDIUM]: '[!]',
+  [Severity.LOW]: '[~]',
+  [Severity.INFO]: '[i]',
+};
+
+export function severityFromString(s: string): Severity {
+  const lower = s.toLowerCase();
+  if (lower in Severity) return lower as Severity;
+  const map: Record<string, Severity> = {
+    crit: Severity.CRITICAL,
+    error: Severity.HIGH,
+    warn: Severity.MEDIUM,
+    warning: Severity.MEDIUM,
+    note: Severity.LOW,
+    information: Severity.INFO,
+  };
+  return map[lower] ?? Severity.MEDIUM;
+}
+
+export function meetsMinSeverity(severity: Severity, minSeverity: Severity): boolean {
+  return SEVERITY_ORDER[severity] >= SEVERITY_ORDER[minSeverity];
+}
+
+export interface Finding {
+  id: string;
+  ruleId: string;
+  title: string;
+  description: string;
+  severity: Severity;
+  confidence: 'high' | 'medium' | 'low';
+  filePath: string;
+  line: number;
+  column?: number;
+  endLine?: number;
+  endColumn?: number;
+  codeSnippet: string;
+  cwe?: string;
+  owasp?: string;
+  remediation?: string;
+  aiEnhanced?: boolean;
+  fingerprint: string;
+}
+
+export interface AIFinding {
+  title: string;
+  description: string;
+  severity: Severity;
+  confidence: 'high' | 'medium' | 'low';
+  line?: number;
+  cwe?: string;
+  remediation?: string;
+}
+
+export interface ScanResult {
+  target: string;
+  startTime: Date;
+  endTime: Date;
+  durationMs: number;
+  filesScanned: number;
+  filesSkipped: number;
+  findings: Finding[];
+  summary: ScanSummary;
+  aiEnabled: boolean;
+}
+
+export interface ScanSummary {
+  total: number;
+  bySeverity: Record<Severity, number>;
+  byCategory: Record<string, number>;
+  topFiles: Array<{ file: string; count: number }>;
+}
+
+export interface Rule {
+  id: string;
+  name: string;
+  severity: Severity;
+  confidence: 'high' | 'medium' | 'low';
+  cwe?: string;
+  owasp?: string;
+  pattern: RegExp;
+  antiPattern?: RegExp;
+  languages: string[];
+  description: string;
+  remediation: string;
+}
+
+export interface ScanOptions {
+  target?: string;
+  output?: 'terminal' | 'json' | 'sarif' | 'html';
+  severity?: Severity;
+  ai?: boolean;
+  provider?: 'huggingface' | 'anthropic' | 'openai';
+  fix?: boolean;
+  quiet?: boolean;
+  exclude?: string[];
+  maxFileSize?: number;
+  configPath?: string;
+}
+
+export interface GhostPatchConfig {
+  exclude: string[];
+  severity: Severity;
+  ai: {
+    provider: string;
+    model: string;
+  };
+  rules: {
+    disabled: string[];
+    custom: Rule[];
+  };
+  maxFileSize: number;
+  languages: string | string[];
+}

package/src/detectors/auth.ts

@@ -0,0 +1,152 @@
+import { Finding, Severity } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+
+interface DetectorPattern {
+  id: string;
+  name: string;
+  severity: Severity;
+  confidence: 'high' | 'medium' | 'low';
+  cwe: string;
+  pattern: RegExp;
+  antiPattern?: RegExp;
+  languages: string[];
+  description: string;
+  remediation: string;
+}
+
+const PATTERNS: DetectorPattern[] = [
+  {
+    id: 'AUTH-BYPASS-NONE-ALG', name: 'JWT None Algorithm', severity: Severity.CRITICAL, confidence: 'high',
+    cwe: 'CWE-345', pattern: /algorithms?\s*:\s*\[?\s*['"]none['"]/i,
+    languages: ['javascript', 'typescript'],
+    description: 'JWT accepts "none" algorithm, allowing signature bypass.',
+    remediation: 'Explicitly set allowed algorithms: algorithms: ["HS256"] or ["RS256"].',
+  },
+  {
+    id: 'AUTH-HARDCODED-JWT', name: 'Hardcoded JWT Secret', severity: Severity.CRITICAL, confidence: 'high',
+    cwe: 'CWE-798', pattern: /(?:jwt|jsonwebtoken)\.(?:sign|verify)\s*\([^)]*,\s*['"][^'"]{4,}['"]/i,
+    languages: ['javascript', 'typescript'],
+    description: 'JWT signing secret hardcoded in source code.',
+    remediation: 'Use environment variables for JWT secrets.',
+  },
+  {
+    id: 'AUTH-NO-EXPIRY', name: 'JWT Without Expiration', severity: Severity.MEDIUM, confidence: 'medium',
+    cwe: 'CWE-613', pattern: /jwt\.sign\s*\(\s*\{[^}]*\}\s*,/,
+    antiPattern: /(?:expiresIn|exp\s*:|maxAge)/i,
+    languages: ['javascript', 'typescript'],
+    description: 'JWT created without expiration time.',
+    remediation: 'Set token expiration: jwt.sign(payload, secret, { expiresIn: "1h" }).',
+  },
+  {
+    id: 'AUTH-WEAK-PASSWORD', name: 'Weak Password Policy', severity: Severity.MEDIUM, confidence: 'medium',
+    cwe: 'CWE-521', pattern: /(?:password|passwd).*(?:min|length|minLength)\s*[:=<]\s*[1-7]\b/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'php', 'ruby', 'csharp', 'go'],
+    description: 'Password minimum length is too short.',
+    remediation: 'Enforce minimum 8-character passwords, ideally 12+.',
+  },
+  {
+    id: 'AUTH-PLAINTEXT-PASS', name: 'Password Stored Without Hashing', severity: Severity.CRITICAL, confidence: 'medium',
+    cwe: 'CWE-256', pattern: /(?:user|account).*(?:password|passwd)\s*[:=]\s*(?:req\.|request\.|input\.|body\.)/i,
+    antiPattern: /(?:hash|bcrypt|scrypt|argon|pbkdf|encrypt|crypt)/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'php', 'ruby'],
+    description: 'Password from user input may be stored without hashing.',
+    remediation: 'Hash passwords with bcrypt, scrypt, or argon2 before storage.',
+  },
+  {
+    id: 'AUTH-SESSION-FIXATION', name: 'Session Fixation', severity: Severity.HIGH, confidence: 'low',
+    cwe: 'CWE-384', pattern: /(?:login|authenticate|signIn)\s*(?:=|:|\().*(?:session|cookie)/i,
+    antiPattern: /(?:regenerate|destroy|invalidate|new.*session)/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'php'],
+    description: 'Login handler may not regenerate session ID.',
+    remediation: 'Regenerate session ID after successful authentication.',
+  },
+  {
+    id: 'AUTH-DEFAULT-CREDS', name: 'Default Credentials', severity: Severity.CRITICAL, confidence: 'high',
+    cwe: 'CWE-798', pattern: /(?:password|passwd|pwd)\s*[:=]\s*['"](?:admin|password|123456|root|default|test|guest|letmein|welcome|12345678|qwerty|abc123)['"]/i,
+    antiPattern: /(?:test|spec|mock|example|placeholder)/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'php', 'ruby', 'go', 'csharp'],
+    description: 'Default or commonly guessed password found in code.',
+    remediation: 'Remove hardcoded credentials. Use environment variables or secret management.',
+  },
+  {
+    id: 'AUTH-NO-LOCKOUT', name: 'Missing Account Lockout', severity: Severity.MEDIUM, confidence: 'low',
+    cwe: 'CWE-307', pattern: /(?:login|authenticate|signIn)\s*(?:=|:|\().*(?:password|credential)/i,
+    antiPattern: /(?:lockout|maxAttempts|failedAttempts|brute|throttle|rateLimit|delay)/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'php'],
+    description: 'Login function without brute force protection.',
+    remediation: 'Implement account lockout after N failed attempts.',
+  },
+  {
+    id: 'AUTH-PASS-IN-URL', name: 'Password in URL', severity: Severity.HIGH, confidence: 'high',
+    cwe: 'CWE-598', pattern: /(?:url|href|redirect|link|location).*[?&](?:password|passwd|pwd|secret|token)=/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'php', 'ruby', 'go', 'csharp'],
+    description: 'Sensitive credential sent in URL query parameter.',
+    remediation: 'Send credentials in request body or headers.',
+  },
+  {
+    id: 'AUTH-MISSING-MIDDLEWARE', name: 'Route Without Auth Middleware', severity: Severity.HIGH, confidence: 'medium',
+    cwe: 'CWE-862', pattern: /(?:app|router)\.(get|post|put|delete|patch)\s*\(\s*['"]\/(?:admin|api\/admin|dashboard|settings|users?\/\w|account)/i,
+    antiPattern: /(?:auth|protect|guard|session|verify|middleware|isAuthenticated|requireAuth|passport)/i,
+    languages: ['javascript', 'typescript'],
+    description: 'Sensitive route may lack authentication middleware.',
+    remediation: 'Add authentication middleware before the route handler.',
+  },
+  {
+    id: 'AUTH-PRIVILEGE-ESCALATION', name: 'Privilege Escalation Risk', severity: Severity.CRITICAL, confidence: 'medium',
+    cwe: 'CWE-269', pattern: /(?:role|isAdmin|is_admin|permission|privilege)\s*=\s*(?:req\.|request\.|params|body|query|input)/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'php'],
+    description: 'User role or admin status set from user-controlled input.',
+    remediation: 'Derive roles from server-side session data, never from user input.',
+  },
+];
+
+export function detect(content: string, filePath: string, language: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (const pat of PATTERNS) {
+    if (!pat.languages.includes(language)) continue;
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (pat.pattern.test(line)) {
+        if (pat.antiPattern) {
+          const contextStart = Math.max(0, i - 5);
+          const contextEnd = Math.min(lines.length, i + 6);
+          const context = lines.slice(contextStart, contextEnd).join('\n');
+          if (pat.antiPattern.test(context)) continue;
+        }
+
+        findings.push({
+          id: `${pat.id}-${filePath}:${i + 1}`,
+          ruleId: pat.id,
+          title: pat.name,
+          description: pat.description,
+          severity: pat.severity,
+          confidence: pat.confidence,
+          filePath,
+          line: i + 1,
+          codeSnippet: getSnippet(lines, i),
+          cwe: pat.cwe,
+          owasp: 'A07',
+          remediation: pat.remediation,
+          fingerprint: generateFingerprint(pat.id, filePath, line.trim()),
+        });
+      }
+    }
+  }
+
+  return findings;
+}
+
+function getSnippet(lines: string[], index: number, context: number = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end)
+    .map((l, i) => {
+      const lineNum = start + i + 1;
+      const marker = (start + i === index) ? '>' : ' ';
+      return `${marker} ${lineNum} | ${l}`;
+    })
+    .join('\n');
+}

package/src/detectors/crypto.ts

@@ -0,0 +1,128 @@
+import { Finding, Severity } from '../core/severity';
+import { generateFingerprint } from '../utils/fingerprint';
+
+const PATTERNS = [
+  {
+    id: 'CRYPTO-MD5', name: 'Weak Hash (MD5)', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-328', pattern: /(?:md5|MD5)\s*[\(.<]/,
+    languages: ['javascript', 'typescript', 'python', 'java', 'go', 'php', 'ruby', 'csharp', 'c', 'cpp'],
+    description: 'MD5 is cryptographically broken.', remediation: 'Use SHA-256+ for integrity, bcrypt/argon2 for passwords.',
+  },
+  {
+    id: 'CRYPTO-SHA1', name: 'Weak Hash (SHA-1)', severity: Severity.MEDIUM, confidence: 'high' as const,
+    cwe: 'CWE-328', pattern: /(?:sha-?1|SHA-?1)\s*[\(.<'"]/,
+    languages: ['javascript', 'typescript', 'python', 'java', 'go', 'php', 'ruby', 'csharp'],
+    description: 'SHA-1 is deprecated for security use.', remediation: 'Use SHA-256 or stronger.',
+  },
+  {
+    id: 'CRYPTO-WEAK-CIPHER', name: 'Weak Cipher Algorithm', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-327', pattern: /(?:createCipher(?:iv)?\s*\(\s*['"](?:des|rc4|rc2|blowfish)|DES(?:ede)?|RC4|Blowfish)\b/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'go', 'csharp'],
+    description: 'Weak or broken cipher algorithm.', remediation: 'Use AES-256-GCM or ChaCha20-Poly1305.',
+  },
+  {
+    id: 'CRYPTO-ECB', name: 'ECB Mode', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-327', pattern: /(?:aes.*ecb|ECB|\.ECB|mode.*ecb|ecb.*mode)/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'go', 'csharp'],
+    description: 'ECB mode does not provide semantic security.', remediation: 'Use GCM or CBC with HMAC.',
+  },
+  {
+    id: 'CRYPTO-MATH-RANDOM', name: 'Insecure Random (Math.random)', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-330', pattern: /Math\.random\s*\(\)/,
+    antiPattern: /(?:test|mock|sample|example|demo|shuffle|color|animation|ui|css|game|placeholder)/i,
+    languages: ['javascript', 'typescript'],
+    description: 'Math.random() is not cryptographically secure.', remediation: 'Use crypto.randomBytes() or crypto.getRandomValues().',
+  },
+  {
+    id: 'CRYPTO-HARDCODED-KEY', name: 'Hardcoded Encryption Key', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-321', pattern: /(?:(?:encryption|encrypt|cipher|aes|secret)[-_]?key)\s*[:=]\s*['"][^'"]{8,}['"]/i,
+    antiPattern: /(?:process\.env|os\.environ|config\.|env\[|example|placeholder|your_)/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'go', 'php', 'ruby', 'csharp'],
+    description: 'Hardcoded encryption key in source code.', remediation: 'Use environment variables or key management service.',
+  },
+  {
+    id: 'CRYPTO-HARDCODED-IV', name: 'Hardcoded IV/Nonce', severity: Severity.HIGH, confidence: 'medium' as const,
+    cwe: 'CWE-329', pattern: /(?:iv|nonce|IV|NONCE)\s*[:=]\s*(?:['"][^'"]{8,}['"]|Buffer\.from\s*\(\s*['"])/,
+    languages: ['javascript', 'typescript', 'python', 'java', 'go'],
+    description: 'Hardcoded initialization vector.', remediation: 'Generate unique random IV per encryption operation.',
+  },
+  {
+    id: 'CRYPTO-TLS-DISABLED', name: 'TLS Verification Disabled', severity: Severity.CRITICAL, confidence: 'high' as const,
+    cwe: 'CWE-295', pattern: /(?:rejectUnauthorized\s*:\s*false|verify\s*=\s*False|InsecureSkipVerify\s*:\s*true|SSL_VERIFY_NONE|check_hostname\s*=\s*False)/,
+    languages: ['javascript', 'typescript', 'python', 'java', 'go', 'ruby'],
+    description: 'TLS certificate verification disabled.', remediation: 'Always verify TLS certificates in production.',
+  },
+  {
+    id: 'CRYPTO-WEAK-PASS-HASH', name: 'Plain Hash for Password', severity: Severity.HIGH, confidence: 'high' as const,
+    cwe: 'CWE-916', pattern: /(?:createHash\s*\(\s*['"](?:md5|sha1|sha256)['"]|hashlib\.(?:md5|sha1|sha256))\s*[(.]/,
+    antiPattern: /(?:hmac|pbkdf2|checksum|file.*hash|integrity|verify)/i,
+    languages: ['javascript', 'typescript', 'python'],
+    description: 'Plain hash used for password storage.', remediation: 'Use bcrypt, scrypt, or argon2 for password hashing.',
+  },
+  {
+    id: 'CRYPTO-SMALL-KEY', name: 'Insufficient Key Length', severity: Severity.MEDIUM, confidence: 'medium' as const,
+    cwe: 'CWE-326', pattern: /(?:generateKeyPair|RSA|keySize|modulusLength)\s*[:(]\s*(?:512|768|1024)\b/,
+    languages: ['javascript', 'typescript', 'python', 'java', 'go', 'csharp'],
+    description: 'RSA key length below 2048 bits.', remediation: 'Use at least 2048-bit RSA keys.',
+  },
+  {
+    id: 'CRYPTO-HTTP', name: 'Unencrypted HTTP', severity: Severity.MEDIUM, confidence: 'medium' as const,
+    cwe: 'CWE-319', pattern: /['"]http:\/\/(?!localhost|127\.0\.0\.1|0\.0\.0\.0|::1|example\.com)[^'"]+['"]/,
+    languages: ['javascript', 'typescript', 'python', 'java', 'go', 'php', 'ruby', 'csharp'],
+    description: 'Unencrypted HTTP URL for non-local endpoint.', remediation: 'Use HTTPS for all external communications.',
+  },
+  {
+    id: 'CRYPTO-TIMING', name: 'Timing Attack Vulnerable Comparison', severity: Severity.MEDIUM, confidence: 'low' as const,
+    cwe: 'CWE-208', pattern: /(?:===?\s*(?:password|token|secret|apiKey|hash)|(?:password|token|secret|apiKey|hash)\s*===?)/i,
+    antiPattern: /(?:timingSafe|constantTime|hmac\.compare|secrets\.compare_digest)/i,
+    languages: ['javascript', 'typescript', 'python', 'java', 'go'],
+    description: 'String comparison for secrets vulnerable to timing attacks.', remediation: 'Use crypto.timingSafeEqual() for secret comparison.',
+  },
+];
+
+export function detect(content: string, filePath: string, language: string): Finding[] {
+  const findings: Finding[] = [];
+  const lines = content.split('\n');
+
+  for (const pat of PATTERNS) {
+    if (!pat.languages.includes(language)) continue;
+
+    for (let i = 0; i < lines.length; i++) {
+      const line = lines[i];
+      if (pat.pattern.test(line)) {
+        if (pat.antiPattern) {
+          const cs = Math.max(0, i - 3);
+          const ce = Math.min(lines.length, i + 4);
+          const ctx = lines.slice(cs, ce).join('\n');
+          if (pat.antiPattern.test(ctx)) continue;
+        }
+
+        findings.push({
+          id: `${pat.id}-${filePath}:${i + 1}`,
+          ruleId: pat.id,
+          title: pat.name,
+          description: pat.description,
+          severity: pat.severity,
+          confidence: pat.confidence,
+          filePath, line: i + 1,
+          codeSnippet: getSnippet(lines, i),
+          cwe: pat.cwe, owasp: 'A02',
+          remediation: pat.remediation,
+          fingerprint: generateFingerprint(pat.id, filePath, line.trim()),
+        });
+      }
+    }
+  }
+  return findings;
+}
+
+function getSnippet(lines: string[], index: number, context = 2): string {
+  const start = Math.max(0, index - context);
+  const end = Math.min(lines.length, index + context + 1);
+  return lines.slice(start, end)
+    .map((l, i) => {
+      const lineNum = start + i + 1;
+      const marker = (start + i === index) ? '>' : ' ';
+      return `${marker} ${lineNum} | ${l}`;
+    }).join('\n');
+}