guardvibe 0.4.0

package/build/data/rules/core.js

@@ -0,0 +1,245 @@
+// Security detection patterns - these RegExps match VULNERABLE code patterns
+// that VibeGuard flags to users. The patterns themselves are safe detectors.
+export const coreRules = [
+    {
+        id: "VG001",
+        name: "Hardcoded credentials",
+        severity: "critical",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Hardcoded passwords, API keys, or secrets detected in source code.",
+        pattern: /(?:secret_?key|api_?key|api_?secret|private_?key|access_?key|password|passwd|pwd|secret|token|auth_?token)\w*\s*[:=]\s*['"][^'"]{3,}['"]/gi,
+        languages: ["javascript", "typescript", "python", "go", "java", "php", "ruby"],
+        fix: "Use environment variables (process.env.SECRET) or a secrets manager. Never commit credentials to source code.",
+    },
+    {
+        id: "VG003",
+        name: "Cloud provider API key",
+        severity: "critical",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Cloud provider API key or token pattern detected in source code (AWS, GitHub, OpenAI, Stripe).",
+        pattern: /(?:AKIA[0-9A-Z]{16}|(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}|sk-[A-Za-z0-9]{20,}|sk_live_[A-Za-z0-9]{20,})/g,
+        languages: ["javascript", "typescript", "python", "go", "java", "php", "ruby", "html", "shell"],
+        fix: "Remove hardcoded keys immediately. Use environment variables or a secrets manager (AWS Secrets Manager, Vault). Rotate any compromised keys.",
+    },
+    {
+        id: "VG002",
+        name: "Missing authentication check",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "API route handler without authentication middleware or auth check.",
+        pattern: /(?:app|router)\.(get|post|put|delete|patch)\s*\(\s*['"][^'"]*['"]\s*,\s*(?:async\s+)?\(?(?:req|request)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Add authentication middleware before route handlers: app.get('/api/data', authMiddleware, handler). Use frameworks like Passport.js, Clerk, or Auth0.",
+    },
+    {
+        id: "VG005",
+        name: "Missing authentication check",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Python API route without authentication dependency or decorator.",
+        pattern: /@app\.(?:get|post|put|delete|patch)\s*\(\s*['"]\/(?:api|users|admin|account|dashboard|settings|login)/gi,
+        languages: ["python"],
+        fix: "Add authentication dependency: async def route(user = Depends(get_current_user)). Use FastAPI's Depends() or Flask-Login for auth checks.",
+    },
+    {
+        id: "VG010",
+        name: "SQL injection risk",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "String concatenation, template literals, or f-strings used in SQL queries. This allows SQL injection attacks.",
+        pattern: /(?:query|execute|raw|sql)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+\s*|f"[^"]*\{|f'[^']*\{|['"][^'"]*['"]\s*%\s*|['"][^'"]*['"]\s*\.format\s*\(|['"][^'"]*['"]\s*,\s*(?:req\.|request\.|params\.|body\.|args))/gi,
+        languages: ["javascript", "typescript", "python", "go", "java", "php", "ruby"],
+        fix: "Use parameterized queries: db.query('SELECT * FROM users WHERE id = $1', [userId]). Python: cursor.execute('SELECT * FROM users WHERE id = %s', (user_id,)). Never concatenate user input into SQL strings.",
+    },
+    {
+        id: "VG011",
+        name: "Command injection risk",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "User input passed to shell command functions. This allows arbitrary command execution.",
+        pattern: /(?:exec(?:Sync)?|spawn(?:Sync)?|system|popen|subprocess\.(?:call|run|Popen))\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+|f['"][^'"]*\{|.*(?:req\.|request\.|params\.|body\.|input|argv))/gi,
+        languages: ["javascript", "typescript", "python", "go", "java", "php", "ruby", "shell"],
+        fix: "Avoid shell commands with user input. Use allowlists and input validation. Prefer spawn() with array arguments. Python: use subprocess.run([...]) with list arguments, never shell=True with user input.",
+    },
+    {
+        id: "VG012",
+        name: "XSS via innerHTML",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "Setting innerHTML with dynamic content enables Cross-Site Scripting (XSS) attacks.",
+        pattern: /(?:innerHTML|outerHTML|dangerouslySetInnerHTML)\s*(?:=|:)\s*(?!['"]<)/gi,
+        languages: ["javascript", "typescript", "html"],
+        fix: "Use textContent instead of innerHTML. Sanitize with DOMPurify if HTML rendering is needed. In React, avoid dangerouslySetInnerHTML.",
+    },
+    {
+        id: "VG015",
+        name: "XSS via server response",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "User input embedded in HTML response via template literals or string concatenation enables Cross-Site Scripting.",
+        pattern: /res\.(?:send|write|end)\s*\(\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Use a template engine with auto-escaping (EJS, Handlebars), or sanitize output with the 'escape-html' package. Never embed user input directly in HTML responses.",
+    },
+    {
+        id: "VG013",
+        name: "NoSQL injection risk",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "User input passed directly to MongoDB/NoSQL query operators.",
+        pattern: /(?:find|findOne|updateOne|deleteOne|aggregate)\s*\(\s*\{[^}]*(?:req\.|request\.|body\.|params\.)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Validate and sanitize input before using in queries. Use mongoose schema validation. Reject objects where strings are expected.",
+    },
+    {
+        id: "VG014",
+        name: "Dynamic code execution",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "Dynamic code execution function detected. This can run arbitrary code and is a major security risk.",
+        pattern: /\beval\s*\(/gi,
+        languages: ["javascript", "typescript", "python", "php", "ruby"],
+        fix: "Avoid dynamic code execution. Use JSON.parse() for JSON data. Use a sandboxed environment if absolutely required.",
+    },
+    {
+        id: "VG020",
+        name: "Wildcard dependency version",
+        severity: "medium",
+        owasp: "A03:2025 Software Supply Chain Failures",
+        description: "Using '*' or overly broad version ranges in package.json allows untested dependency updates.",
+        pattern: /["']\*["']|["']>=\d/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Pin dependencies to specific versions or use caret ranges (^1.2.3). Run npm audit regularly.",
+    },
+    {
+        id: "VG030",
+        name: "Missing rate limiting",
+        severity: "medium",
+        owasp: "A04:2025 Insecure Design",
+        description: "Authentication or API endpoints without rate limiting are vulnerable to brute force attacks.",
+        pattern: /(?:\/login|\/auth|\/api\/|\/signin|\/register|\/signup|\/forgot-password)/gi,
+        languages: ["javascript", "typescript", "python", "go", "java", "php", "ruby"],
+        fix: "Add rate limiting middleware. Express: npm install express-rate-limit. FastAPI: use slowapi. Apply stricter limits on auth endpoints (e.g. 5 requests/minute).",
+    },
+    {
+        id: "VG040",
+        name: "CORS wildcard",
+        severity: "high",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "CORS configured with wildcard (*) origin allows any website to make requests to your API.",
+        pattern: /(?:(?:cors|Access-Control-Allow-Origin)['"]?\]?\s*[:=(]\s*['"]?\s*\*|origin\s*:\s*['"]?\s*\*\s*['"]?|CORS_ORIGINS['"]?\]?\s*=\s*['"]?\s*\*)/gi,
+        languages: ["javascript", "typescript", "python", "go", "java", "php", "ruby"],
+        fix: "Set specific allowed origins: cors({ origin: ['https://myapp.com'] }). Never use wildcard with authentication.",
+    },
+    {
+        id: "VG041",
+        name: "Debug mode in production",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Debug mode or verbose error messages exposed in production.",
+        pattern: /(?:DEBUG\s*[:=]\s*['"]?(?:true|\*)|console\.log\(.*(?:password|token|secret|key))/gi,
+        languages: ["javascript", "typescript", "python"],
+        fix: "Disable debug mode in production. Never expose stack traces to users.",
+    },
+    {
+        id: "VG042",
+        name: "Missing security headers",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Express app without security headers (helmet).",
+        pattern: /(?:express\(\))|(?:createServer\s*\()/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Use helmet middleware: npm install helmet, then app.use(helmet()).",
+    },
+    {
+        id: "VG060",
+        name: "Weak password hashing",
+        severity: "critical",
+        owasp: "A07:2025 Auth Failures",
+        description: "Using MD5 or SHA-1 for password hashing. These are fast hashes, not designed for passwords.",
+        pattern: /(?:md5|sha1|sha-1|createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\))/gi,
+        languages: ["javascript", "typescript", "python", "go", "java", "php", "ruby"],
+        fix: "Use bcrypt, scrypt, or argon2 for password hashing. Use at least 12 salt rounds.",
+    },
+    {
+        id: "VG061",
+        name: "JWT without expiry",
+        severity: "high",
+        owasp: "A07:2025 Auth Failures",
+        description: "JWT token created without expiration time.",
+        pattern: /jwt\.sign\s*\([^)]*(?!\bexpiresIn\b)[^)]*\)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Always set token expiration: jwt.sign(payload, secret, { expiresIn: '15m' }).",
+    },
+    {
+        id: "VG070",
+        name: "Insecure deserialization",
+        severity: "high",
+        owasp: "A08:2025 Data Integrity Failures",
+        description: "Deserializing untrusted data can lead to remote code execution.",
+        pattern: /(?:JSON\.parse\s*\(\s*(?:req\.|request\.|body))/gi,
+        languages: ["javascript", "typescript", "python"],
+        fix: "Validate all deserialized data with a schema (zod, joi) before processing.",
+    },
+    {
+        id: "VG080",
+        name: "Sensitive data in logs",
+        severity: "medium",
+        owasp: "A09:2025 Logging Failures",
+        description: "Logging sensitive information like passwords, tokens, or personal data.",
+        pattern: /(?:console\.log|logger\.\w+|print)\s*\([^)]*(?:password|token|secret|ssn|credit.?card|api.?key)/gi,
+        languages: ["javascript", "typescript", "python", "go", "java", "php", "ruby"],
+        fix: "Never log sensitive data. Redact or mask sensitive fields before logging.",
+    },
+    {
+        id: "VG090",
+        name: "SSRF risk",
+        severity: "high",
+        owasp: "A10:2025 SSRF",
+        description: "User-supplied URLs passed to fetch/request functions can be used for SSRF attacks.",
+        pattern: /(?:fetch|axios|request|http\.get|urllib|requests\.get)\s*\(\s*(?:req\.|request\.|body\.|params\.|query\.|input|url|href)/gi,
+        languages: ["javascript", "typescript", "python", "go", "java", "php", "ruby"],
+        fix: "Validate and allowlist URLs before making requests. Block internal IP ranges.",
+    },
+    {
+        id: "VG100",
+        name: "Insecure cookie configuration",
+        severity: "medium",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Cookies set without secure, httpOnly, or sameSite flags.",
+        pattern: /(?:cookie|setCookie|set-cookie|res\.cookie)\s*\([^)]*(?!(?:.*secure|.*httpOnly|.*sameSite))/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Set all security flags: { secure: true, httpOnly: true, sameSite: 'strict' }.",
+    },
+    {
+        id: "VG101",
+        name: "Unvalidated redirect",
+        severity: "medium",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Redirect URL taken from user input without validation.",
+        pattern: /(?:redirect|location\.href|window\.location)\s*(?:=|\()\s*(?:req\.|request\.|params\.|query\.|body\.)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Validate redirect URLs against an allowlist. Use relative paths for internal redirects.",
+    },
+    {
+        id: "VG102",
+        name: "File path traversal risk",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "User input used in file paths without sanitization.",
+        pattern: /(?:readFile|readFileSync|createReadStream|open|path\.join|path\.resolve)\s*\([^)]*(?:req\.|request\.|params\.|body\.|query\.)/gi,
+        languages: ["javascript", "typescript", "python", "go", "java", "php", "ruby"],
+        fix: "Sanitize file paths: remove ../ sequences, verify the result is within the expected directory.",
+    },
+    {
+        id: "VG103",
+        name: "Prototype pollution risk",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "Deep merge or object assignment from user input can lead to prototype pollution.",
+        pattern: /(?:Object\.assign|merge|deepMerge|extend)\s*\([^)]*(?:req\.|request\.|body|params)/gi,
+        languages: ["javascript", "typescript"],
+        fix: "Use Object.create(null) for lookup objects. Validate that keys don't include __proto__, constructor, or prototype.",
+    },
+];
+//# sourceMappingURL=core.js.map

package/build/data/rules/core.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.js","sourceRoot":"","sources":["../../../src/data/rules/core.ts"],"names":[],"mappings":"AAEA,6EAA6E;AAC7E,6EAA6E;AAC7E,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,oEAAoE;QACjF,OAAO,EACL,4IAA4I;QAC9I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QAC9E,GAAG,EAAE,+GAA+G;KACrH;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gGAAgG;QAClG,OAAO,EACL,8GAA8G;QAChH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,MAAM,EAAE,OAAO,CAAC;QAC/F,GAAG,EAAE,8IAA8I;KACpJ;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,oEAAoE;QACtE,OAAO,EACL,2GAA2G;QAC7G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uJAAuJ;KAC7J;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,kEAAkE;QACpE,OAAO,EACL,yGAAyG;QAC3G,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,GAAG,EAAE,2IAA2I;KACjJ;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,iNAAiN;QACnN,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QAC9E,GAAG,EAAE,6MAA6M;KACnN;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,wFAAwF;QACrG,OAAO,EACL,yLAAyL;QAC3L,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,CAAC;QACvF,GAAG,EAAE,0MAA0M;KAChN;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,oFAAoF;QACtF,OAAO,EAAE,yEAAyE;QAClF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,CAAC;QAC/C,GAAG,EAAE,qIAAqI;KAC3I;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kHAAkH;QACpH,OAAO,EACL,qEAAqE;QACvE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mKAAmK;KACzK;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,8DAA8D;QAChE,OAAO,EACL,oGAAoG;QACtG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iIAAiI;KACvI;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE,eAAe;QACxB,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,KAAK,EAAE,MAAM,CAAC;QAChE,GAAG,EAAE,mHAAmH;KACzH;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,yCAAyC;QAChD,WAAW,EACT,8FAA8F;QAChG,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8FAA8F;KACpG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,6EAA6E;QAC/E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QAC9E,GAAG,EAAE,gKAAgK;KACtK;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,2FAA2F;QAC7F,OAAO,EACL,+IAA+I;QACjJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QAC9E,GAAG,EAAE,gHAAgH;KACtH;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,6DAA6D;QAC1E,OAAO,EACL,qFAAqF;QACvF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,GAAG,EAAE,uEAAuE;KAC7E;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,gDAAgD;QAC7D,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oEAAoE;KAC1E;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,6FAA6F;QAC/F,OAAO,EACL,kEAAkE;QACpE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QAC9E,GAAG,EAAE,kFAAkF;KACxF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,4CAA4C;QACzD,OAAO,EAAE,+CAA+C;QACxD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,+EAA+E;KACrF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,iEAAiE;QACnE,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,GAAG,EAAE,4EAA4E;KAClF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EACT,yEAAyE;QAC3E,OAAO,EACL,mGAAmG;QACrG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QAC9E,GAAG,EAAE,2EAA2E;KACjF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,eAAe;QACtB,WAAW,EACT,oFAAoF;QACtF,OAAO,EACL,4HAA4H;QAC9H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QAC9E,GAAG,EAAE,+EAA+E;KACrF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0DAA0D;QACvE,OAAO,EACL,+FAA+F;QACjG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,+EAA+E;KACrF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,wDAAwD;QACrE,OAAO,EACL,yGAAyG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;KAC/F;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,qDAAqD;QAClE,OAAO,EACL,iIAAiI;QACnI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,CAAC;QAC9E,GAAG,EAAE,gGAAgG;KACtG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kFAAkF;QACpF,OAAO,EACL,sFAAsF;QACxF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oHAAoH;KAC1H;CACF,CAAC"}

package/build/data/rules/go.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const goRules: SecurityRule[];
+//# sourceMappingURL=go.d.ts.map

package/build/data/rules/go.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"go.d.ts","sourceRoot":"","sources":["../../../src/data/rules/go.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,OAAO,EAAE,YAAY,EAmEjC,CAAC"}

package/build/data/rules/go.js

@@ -0,0 +1,64 @@
+// === Go-specific rules ===
+export const goRules = [
+    {
+        id: "VG110",
+        name: "Go SQL injection via fmt.Sprintf",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "Using fmt.Sprintf to build SQL queries allows SQL injection attacks.",
+        pattern: /(?:db\.(?:Query|Exec|QueryRow)|\.Query|\.Exec)\s*\(\s*fmt\.Sprintf/gi,
+        languages: ["go"],
+        fix: "Use parameterized queries: db.Query('SELECT * FROM users WHERE id = $1', id). Never use fmt.Sprintf for SQL.",
+    },
+    {
+        id: "VG111",
+        name: "Go command injection via os/exec",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "User input passed to os/exec command functions allows arbitrary command execution.",
+        pattern: /exec\.Command\s*\(\s*(?:fmt\.Sprintf|[^")\s]+\s*\+|[^")]*\+)/gi,
+        languages: ["go"],
+        fix: "Validate and sanitize all input before passing to exec.Command. Use an allowlist of permitted commands.",
+    },
+    {
+        id: "VG112",
+        name: "Go unescaped HTML template",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "Using template.HTML() bypasses Go's automatic HTML escaping, enabling XSS.",
+        pattern: /template\.HTML\s*\(/gi,
+        languages: ["go"],
+        fix: "Avoid template.HTML() with user input. Use html/template which auto-escapes by default.",
+    },
+    {
+        id: "VG113",
+        name: "Go HTTP handler without auth",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "HTTP handler registered without authentication middleware.",
+        pattern: /(?:http\.HandleFunc|mux\.HandleFunc|\.HandleFunc)\s*\(\s*['"]\/(?:api|admin|users|account|dashboard)/gi,
+        languages: ["go"],
+        fix: "Wrap handlers with authentication middleware: http.Handle('/api/', authMiddleware(handler)).",
+    },
+    {
+        id: "VG114",
+        name: "Go weak hashing",
+        severity: "critical",
+        owasp: "A07:2025 Auth Failures",
+        description: "Using md5 or sha1 for hashing. These are cryptographically broken for security purposes.",
+        pattern: /(?:md5\.New|sha1\.New|md5\.Sum|sha1\.Sum)\s*\(/gi,
+        languages: ["go"],
+        fix: "Use crypto/sha256 or golang.org/x/crypto/bcrypt for password hashing.",
+    },
+    {
+        id: "VG115",
+        name: "Go CORS wildcard",
+        severity: "high",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "CORS configured with wildcard origin allows any website to access your API.",
+        pattern: /(?:Access-Control-Allow-Origin|AllowOrigins|allowOrigins)['"]?\]?\s*[:=,]\s*['"]?\s*\*/gi,
+        languages: ["go"],
+        fix: "Set specific allowed origins instead of wildcard '*'.",
+    },
+];
+//# sourceMappingURL=go.js.map

package/build/data/rules/go.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"go.js","sourceRoot":"","sources":["../../../src/data/rules/go.ts"],"names":[],"mappings":"AAEA,4BAA4B;AAC5B,MAAM,CAAC,MAAM,OAAO,GAAmB;IACrC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,sEAAsE;QACxE,OAAO,EAAE,sEAAsE;QAC/E,SAAS,EAAE,CAAC,IAAI,CAAC;QACjB,GAAG,EAAE,8GAA8G;KACpH;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,oFAAoF;QACtF,OAAO,EAAE,gEAAgE;QACzE,SAAS,EAAE,CAAC,IAAI,CAAC;QACjB,GAAG,EAAE,yGAAyG;KAC/G;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,4EAA4E;QAC9E,OAAO,EAAE,uBAAuB;QAChC,SAAS,EAAE,CAAC,IAAI,CAAC;QACjB,GAAG,EAAE,yFAAyF;KAC/F;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4DAA4D;QAC9D,OAAO,EAAE,wGAAwG;QACjH,SAAS,EAAE,CAAC,IAAI,CAAC;QACjB,GAAG,EAAE,8FAA8F;KACpG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iBAAiB;QACvB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,0FAA0F;QAC5F,OAAO,EAAE,kDAAkD;QAC3D,SAAS,EAAE,CAAC,IAAI,CAAC;QACjB,GAAG,EAAE,uEAAuE;KAC7E;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,6EAA6E;QAC/E,OAAO,EAAE,0FAA0F;QACnG,SAAS,EAAE,CAAC,IAAI,CAAC;QACjB,GAAG,EAAE,uDAAuD;KAC7D;CACF,CAAC"}

package/build/data/rules/index.d.ts

@@ -0,0 +1,3 @@
+export type { SecurityRule } from "./types.js";
+export declare const owaspRules: import("./types.js").SecurityRule[];
+//# sourceMappingURL=index.d.ts.map

package/build/data/rules/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAO/C,eAAO,MAAM,UAAU,qCAMtB,CAAC"}

package/build/data/rules/index.js

@@ -0,0 +1,13 @@
+import { coreRules } from "./core.js";
+import { goRules } from "./go.js";
+import { javaRules } from "./java.js";
+import { phpRules } from "./php.js";
+import { rubyRules } from "./ruby.js";
+export const owaspRules = [
+    ...coreRules,
+    ...goRules,
+    ...javaRules,
+    ...phpRules,
+    ...rubyRules,
+];
+//# sourceMappingURL=index.js.map

package/build/data/rules/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AACpC,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AAEtC,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,SAAS;IACZ,GAAG,QAAQ;IACX,GAAG,SAAS;CACb,CAAC"}

package/build/data/rules/java.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const javaRules: SecurityRule[];
+//# sourceMappingURL=java.d.ts.map

package/build/data/rules/java.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"java.d.ts","sourceRoot":"","sources":["../../../src/data/rules/java.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,EAmEnC,CAAC"}

package/build/data/rules/java.js

@@ -0,0 +1,64 @@
+// === Java-specific rules ===
+export const javaRules = [
+    {
+        id: "VG120",
+        name: "Java SQL injection via string concat",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "String concatenation in SQL queries allows SQL injection attacks.",
+        pattern: /(?:executeQuery|executeUpdate|prepareStatement|createQuery|createNativeQuery)\s*\(\s*['"][^'"]*['"]\s*\+/gi,
+        languages: ["java"],
+        fix: "Use PreparedStatement with parameter binding: stmt.setString(1, userInput). Never concatenate strings into SQL.",
+    },
+    {
+        id: "VG121",
+        name: "Java command injection",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "User input passed to Runtime.exec() allows arbitrary command execution.",
+        pattern: /Runtime\.getRuntime\(\)\.exec\s*\(\s*(?:[^")]*\+|.*(?:request|param|input|args))/gi,
+        languages: ["java"],
+        fix: "Use ProcessBuilder with a list of arguments. Validate input against an allowlist.",
+    },
+    {
+        id: "VG122",
+        name: "Java XSS via JSP",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "Unescaped output in JSP pages enables Cross-Site Scripting attacks.",
+        pattern: /<%=\s*(?:request\.getParameter|session\.getAttribute)/gi,
+        languages: ["java"],
+        fix: "Use JSTL <c:out> tag or fn:escapeXml() for output encoding. Never use <%= with user input.",
+    },
+    {
+        id: "VG123",
+        name: "Java endpoint without auth annotation",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Spring endpoint without security annotation may be publicly accessible.",
+        pattern: /@(?:RequestMapping|GetMapping|PostMapping|PutMapping|DeleteMapping)\s*\([^)]*(?:\/api|\/admin|\/users|\/account)/gi,
+        languages: ["java"],
+        fix: "Add @PreAuthorize, @Secured, or @RolesAllowed annotation to protect endpoints.",
+    },
+    {
+        id: "VG124",
+        name: "Java weak hashing",
+        severity: "critical",
+        owasp: "A07:2025 Auth Failures",
+        description: "Using MessageDigest with MD5 or SHA-1. These are cryptographically weak for passwords.",
+        pattern: /MessageDigest\.getInstance\s*\(\s*['"](?:MD5|SHA-?1)['"]\s*\)/gi,
+        languages: ["java"],
+        fix: "Use BCryptPasswordEncoder or Argon2PasswordEncoder for password hashing.",
+    },
+    {
+        id: "VG125",
+        name: "Java CORS wildcard",
+        severity: "high",
+        owasp: "A05:2025 Security Misconfiguration",
+        description: "Spring @CrossOrigin with wildcard allows any website to access your API.",
+        pattern: /@CrossOrigin\s*\(\s*(?:origins\s*=\s*)?['"]?\s*\*/gi,
+        languages: ["java"],
+        fix: "Set specific allowed origins in @CrossOrigin annotation.",
+    },
+];
+//# sourceMappingURL=java.js.map

package/build/data/rules/java.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"java.js","sourceRoot":"","sources":["../../../src/data/rules/java.ts"],"names":[],"mappings":"AAEA,8BAA8B;AAC9B,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,mEAAmE;QACrE,OAAO,EAAE,4GAA4G;QACrH,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,iHAAiH;KACvH;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,yEAAyE;QAC3E,OAAO,EAAE,oFAAoF;QAC7F,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,mFAAmF;KACzF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,qEAAqE;QACvE,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,4FAA4F;KAClG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uCAAuC;QAC7C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yEAAyE;QAC3E,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,gFAAgF;KACtF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,wFAAwF;QAC1F,OAAO,EAAE,iEAAiE;QAC1E,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,0EAA0E;KAChF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0EAA0E;QAC5E,OAAO,EAAE,qDAAqD;QAC9D,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,0DAA0D;KAChE;CACF,CAAC"}

package/build/data/rules/php.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const phpRules: SecurityRule[];
+//# sourceMappingURL=php.d.ts.map

package/build/data/rules/php.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"php.d.ts","sourceRoot":"","sources":["../../../src/data/rules/php.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,QAAQ,EAAE,YAAY,EAwDlC,CAAC"}

package/build/data/rules/php.js

@@ -0,0 +1,54 @@
+// === PHP-specific rules ===
+export const phpRules = [
+    {
+        id: "VG130",
+        name: "PHP SQL injection via user input",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "User input ($_GET, $_POST, $_REQUEST) directly used in SQL queries enables SQL injection.",
+        pattern: /(?:mysql_query|mysqli_query|->query|->exec)\s*\([^)]*(?:\$_GET|\$_POST|\$_REQUEST|\$_COOKIE)/gi,
+        languages: ["php"],
+        fix: "Use prepared statements: $stmt = $pdo->prepare('SELECT * FROM users WHERE id = ?'); $stmt->execute([$id]);",
+    },
+    {
+        id: "VG131",
+        name: "PHP command injection",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "User input passed to shell execution functions allows arbitrary command execution.",
+        pattern: /(?:shell_exec|passthru|popen|proc_open)\s*\([^)]*(?:\$_GET|\$_POST|\$_REQUEST|\$_COOKIE|\$(?:input|cmd|command))/gi,
+        languages: ["php"],
+        fix: "Use escapeshellarg() and escapeshellcmd() for any shell input. Prefer built-in PHP functions over shell commands.",
+    },
+    {
+        id: "VG132",
+        name: "PHP XSS via echo",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "Echoing user input without escaping enables Cross-Site Scripting.",
+        pattern: /(?:echo|print)\s+(?:\$_GET|\$_POST|\$_REQUEST|\$_COOKIE)/gi,
+        languages: ["php"],
+        fix: "Use htmlspecialchars($input, ENT_QUOTES, 'UTF-8') before outputting user data.",
+    },
+    {
+        id: "VG133",
+        name: "PHP weak hashing",
+        severity: "critical",
+        owasp: "A07:2025 Auth Failures",
+        description: "Using md5() or sha1() for password hashing. These are not secure for passwords.",
+        pattern: /(?:md5|sha1)\s*\(\s*\$/gi,
+        languages: ["php"],
+        fix: "Use password_hash($password, PASSWORD_BCRYPT) and password_verify() for passwords.",
+    },
+    {
+        id: "VG134",
+        name: "PHP dynamic code execution",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "eval() with user input allows arbitrary code execution.",
+        pattern: /eval\s*\([^)]*(?:\$_GET|\$_POST|\$_REQUEST|\$_COOKIE|\$(?:input|data|code))/gi,
+        languages: ["php"],
+        fix: "Never use eval() with user input. Refactor to use safe alternatives.",
+    },
+];
+//# sourceMappingURL=php.js.map

package/build/data/rules/php.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"php.js","sourceRoot":"","sources":["../../../src/data/rules/php.ts"],"names":[],"mappings":"AAEA,6BAA6B;AAC7B,MAAM,CAAC,MAAM,QAAQ,GAAmB;IACtC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,2FAA2F;QAC7F,OAAO,EAAE,gGAAgG;QACzG,SAAS,EAAE,CAAC,KAAK,CAAC;QAClB,GAAG,EAAE,4GAA4G;KAClH;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,oFAAoF;QACtF,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,KAAK,CAAC;QAClB,GAAG,EAAE,mHAAmH;KACzH;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,mEAAmE;QACrE,OAAO,EAAE,4DAA4D;QACrE,SAAS,EAAE,CAAC,KAAK,CAAC;QAClB,GAAG,EAAE,gFAAgF;KACtF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kBAAkB;QACxB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,iFAAiF;QACnF,OAAO,EAAE,0BAA0B;QACnC,SAAS,EAAE,CAAC,KAAK,CAAC;QAClB,GAAG,EAAE,oFAAoF;KAC1F;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,yDAAyD;QAC3D,OAAO,EAAE,+EAA+E;QACxF,SAAS,EAAE,CAAC,KAAK,CAAC;QAClB,GAAG,EAAE,sEAAsE;KAC5E;CACF,CAAC"}

package/build/data/rules/ruby.d.ts

@@ -0,0 +1,3 @@
+import type { SecurityRule } from "./types.js";
+export declare const rubyRules: SecurityRule[];
+//# sourceMappingURL=ruby.d.ts.map

package/build/data/rules/ruby.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"ruby.d.ts","sourceRoot":"","sources":["../../../src/data/rules/ruby.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,EAwDnC,CAAC"}

package/build/data/rules/ruby.js

@@ -0,0 +1,54 @@
+// === Ruby-specific rules ===
+export const rubyRules = [
+    {
+        id: "VG140",
+        name: "Ruby SQL injection via interpolation",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "String interpolation in SQL queries allows SQL injection attacks.",
+        pattern: /(?:where|find_by_sql|execute|select|order)\s*\(\s*["'][^"']*#\{/gi,
+        languages: ["ruby"],
+        fix: "Use parameterized queries: User.where('name = ?', user_input) or User.where(name: user_input).",
+    },
+    {
+        id: "VG141",
+        name: "Ruby command injection",
+        severity: "critical",
+        owasp: "A02:2025 Injection",
+        description: "User input in system/backtick commands allows arbitrary command execution.",
+        pattern: /(?:`[^`]*#\{|%x\{[^}]*#\{|IO\.popen|Open3)/gi,
+        languages: ["ruby"],
+        fix: "Use array form of system(): system('cmd', arg1, arg2). Validate input against an allowlist.",
+    },
+    {
+        id: "VG142",
+        name: "Ruby XSS via html_safe/raw",
+        severity: "high",
+        owasp: "A02:2025 Injection",
+        description: "Using .html_safe or raw() with user input bypasses Rails' auto-escaping.",
+        pattern: /(?:\.html_safe|raw\s*\()\s*/gi,
+        languages: ["ruby"],
+        fix: "Avoid .html_safe and raw() with user data. Use sanitize() helper for HTML content.",
+    },
+    {
+        id: "VG143",
+        name: "Ruby route without auth",
+        severity: "high",
+        owasp: "A01:2025 Broken Access Control",
+        description: "Rails route without before_action authentication filter.",
+        pattern: /(?:get|post|put|patch|delete)\s+['"]\/(?:api|admin|users|account|dashboard)/gi,
+        languages: ["ruby"],
+        fix: "Add before_action :authenticate_user! to controllers handling sensitive routes.",
+    },
+    {
+        id: "VG144",
+        name: "Ruby weak hashing",
+        severity: "critical",
+        owasp: "A07:2025 Auth Failures",
+        description: "Using Digest::MD5 or Digest::SHA1 for hashing. These are not suitable for passwords.",
+        pattern: /Digest::(?:MD5|SHA1)\.(?:hexdigest|digest|base64digest)/gi,
+        languages: ["ruby"],
+        fix: "Use BCrypt::Password.create(password) from the bcrypt gem for password hashing.",
+    },
+];
+//# sourceMappingURL=ruby.js.map

package/build/data/rules/ruby.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"ruby.js","sourceRoot":"","sources":["../../../src/data/rules/ruby.ts"],"names":[],"mappings":"AAEA,8BAA8B;AAC9B,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,mEAAmE;QACrE,OAAO,EAAE,mEAAmE;QAC5E,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,gGAAgG;KACtG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,4EAA4E;QAC9E,OAAO,EAAE,8CAA8C;QACvD,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,6FAA6F;KACnG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,0EAA0E;QAC5E,OAAO,EAAE,+BAA+B;QACxC,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,oFAAoF;KAC1F;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,0DAA0D;QAC5D,OAAO,EAAE,+EAA+E;QACxF,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,iFAAiF;KACvF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,sFAAsF;QACxF,OAAO,EAAE,2DAA2D;QACpE,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,iFAAiF;KACvF;CACF,CAAC"}

package/build/data/rules/types.d.ts

@@ -0,0 +1,11 @@
+export interface SecurityRule {
+    id: string;
+    name: string;
+    severity: "critical" | "high" | "medium" | "low" | "info";
+    owasp: string;
+    description: string;
+    pattern: RegExp;
+    languages: string[];
+    fix: string;
+}
+//# sourceMappingURL=types.d.ts.map

package/build/data/rules/types.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/data/rules/types.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,YAAY;IAC3B,EAAE,EAAE,MAAM,CAAC;IACX,IAAI,EAAE,MAAM,CAAC;IACb,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,GAAG,KAAK,GAAG,MAAM,CAAC;IAC1D,KAAK,EAAE,MAAM,CAAC;IACd,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,EAAE,CAAC;IACpB,GAAG,EAAE,MAAM,CAAC;CACb"}

package/build/data/rules/types.js

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=types.js.map

package/build/data/rules/types.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"types.js","sourceRoot":"","sources":["../../../src/data/rules/types.ts"],"names":[],"mappings":""}

package/build/data/secret-patterns.d.ts

@@ -0,0 +1,9 @@
+export interface SecretPattern {
+    provider: string;
+    pattern: RegExp;
+    severity: "critical" | "high" | "medium";
+    fix: string;
+}
+export declare const secretPatterns: SecretPattern[];
+export declare function calculateEntropy(str: string): number;
+//# sourceMappingURL=secret-patterns.d.ts.map

package/build/data/secret-patterns.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"secret-patterns.d.ts","sourceRoot":"","sources":["../../src/data/secret-patterns.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,aAAa;IAC5B,QAAQ,EAAE,MAAM,CAAC;IACjB,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,UAAU,GAAG,MAAM,GAAG,QAAQ,CAAC;IACzC,GAAG,EAAE,MAAM,CAAC;CACb;AAED,eAAO,MAAM,cAAc,EAAE,aAAa,EAyEzC,CAAC;AAEF,wBAAgB,gBAAgB,CAAC,GAAG,EAAE,MAAM,GAAG,MAAM,CAWpD"}