guardvibe 0.9.5 → 0.11.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/data/rules/ai-security.d.ts +3 -0
- package/build/data/rules/ai-security.d.ts.map +1 -0
- package/build/data/rules/ai-security.js +52 -0
- package/build/data/rules/ai-security.js.map +1 -0
- package/build/data/rules/auth.d.ts.map +1 -1
- package/build/data/rules/auth.js +25 -0
- package/build/data/rules/auth.js.map +1 -1
- package/build/data/rules/core.js +5 -5
- package/build/data/rules/core.js.map +1 -1
- package/build/data/rules/database.d.ts.map +1 -1
- package/build/data/rules/database.js +12 -0
- package/build/data/rules/database.js.map +1 -1
- package/build/data/rules/firebase.d.ts +3 -0
- package/build/data/rules/firebase.d.ts.map +1 -0
- package/build/data/rules/firebase.js +86 -0
- package/build/data/rules/firebase.js.map +1 -0
- package/build/data/rules/index.d.ts.map +1 -1
- package/build/data/rules/index.js +14 -0
- package/build/data/rules/index.js.map +1 -1
- package/build/data/rules/nextjs.d.ts.map +1 -1
- package/build/data/rules/nextjs.js +15 -3
- package/build/data/rules/nextjs.js.map +1 -1
- package/build/data/rules/other-services.d.ts +3 -0
- package/build/data/rules/other-services.d.ts.map +1 -0
- package/build/data/rules/other-services.js +63 -0
- package/build/data/rules/other-services.js.map +1 -0
- package/build/data/rules/react-native.d.ts +3 -0
- package/build/data/rules/react-native.d.ts.map +1 -0
- package/build/data/rules/react-native.js +120 -0
- package/build/data/rules/react-native.js.map +1 -0
- package/build/data/rules/shell.d.ts +3 -0
- package/build/data/rules/shell.d.ts.map +1 -0
- package/build/data/rules/shell.js +63 -0
- package/build/data/rules/shell.js.map +1 -0
- package/build/data/rules/sql.d.ts +3 -0
- package/build/data/rules/sql.d.ts.map +1 -0
- package/build/data/rules/sql.js +51 -0
- package/build/data/rules/sql.js.map +1 -0
- package/build/data/rules/supply-chain.d.ts +3 -0
- package/build/data/rules/supply-chain.d.ts.map +1 -0
- package/build/data/rules/supply-chain.js +28 -0
- package/build/data/rules/supply-chain.js.map +1 -0
- package/build/data/secret-patterns.js +1 -1
- package/build/data/secret-patterns.js.map +1 -1
- package/build/index.js +2 -2
- package/build/index.js.map +1 -1
- package/build/tools/check-code.d.ts.map +1 -1
- package/build/tools/check-code.js +4 -3
- package/build/tools/check-code.js.map +1 -1
- package/build/tools/export-sarif.js +1 -1
- package/build/tools/export-sarif.js.map +1 -1
- package/package.json +2 -2
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ai-security.d.ts","sourceRoot":"","sources":["../../../src/data/rules/ai-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,eAAe,EAAE,YAAY,EA6DzC,CAAC"}
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
// Security rules for AI/LLM applications (Vercel AI SDK, OpenAI, Anthropic)
|
|
2
|
+
export const aiSecurityRules = [
|
|
3
|
+
{
|
|
4
|
+
id: "VG850",
|
|
5
|
+
name: "AI Prompt Injection via User Input",
|
|
6
|
+
severity: "critical",
|
|
7
|
+
owasp: "A02:2025 Injection",
|
|
8
|
+
description: "User input interpolated directly into LLM system prompt. Attackers can manipulate AI behavior via prompt injection.",
|
|
9
|
+
pattern: /(?:system|systemPrompt|system_prompt|systemMessage)\s*[:=]\s*(?:`[^`]*\$\{|['"][^'"]*['"]\s*\+)/gi,
|
|
10
|
+
languages: ["javascript", "typescript"],
|
|
11
|
+
fix: "Never interpolate user input into system prompts. Pass user input as a separate user message.",
|
|
12
|
+
fixCode: '// WRONG: system: `You are a helper. Context: ${userInput}`\n// CORRECT: separate user input from system prompt\nconst result = await generateText({\n model,\n system: "You are a helpful assistant.",\n prompt: userInput, // user input in user message, not system\n});',
|
|
13
|
+
compliance: ["SOC2:CC7.1"],
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
id: "VG851",
|
|
17
|
+
name: "AI System Prompt Leaked in Error Response",
|
|
18
|
+
severity: "high",
|
|
19
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
20
|
+
description: "System prompt or AI configuration returned in error responses. This leaks proprietary instructions to users.",
|
|
21
|
+
pattern: /catch\s*\([^)]*\)\s*\{[\s\S]{0,500}?(?:Response\.json|res\.json|res\.send|return[\s\S]{0,30}?json)\s*\([\s\S]{0,200}?(?:system_?[Pp]rompt|SYSTEM_PROMPT|systemMessage)/g,
|
|
22
|
+
languages: ["javascript", "typescript"],
|
|
23
|
+
fix: "Never include system prompts in error responses. Return generic error messages.",
|
|
24
|
+
fixCode: 'catch (error) {\n console.error("AI error:", error);\n return Response.json({ error: "An error occurred" }, { status: 500 });\n}',
|
|
25
|
+
compliance: ["SOC2:CC6.1"],
|
|
26
|
+
},
|
|
27
|
+
{
|
|
28
|
+
id: "VG852",
|
|
29
|
+
name: "LLM Output Rendered as Unescaped HTML",
|
|
30
|
+
severity: "high",
|
|
31
|
+
owasp: "A02:2025 Injection",
|
|
32
|
+
description: "AI-generated content rendered via innerHTML without sanitization. LLMs can be tricked into generating malicious HTML/JavaScript. This is a security rule detector.",
|
|
33
|
+
pattern: /(?:useChat|useCompletion|message|completion|response|result)[\s\S]{0,300}?(?:dangerouslySetInnerHTML|\.innerHTML)\s*(?:=|:)/g,
|
|
34
|
+
languages: ["javascript", "typescript"],
|
|
35
|
+
fix: "Never render LLM output as raw HTML. Use a markdown renderer with XSS protection or sanitize with DOMPurify.",
|
|
36
|
+
fixCode: "// Use a safe markdown renderer\nimport ReactMarkdown from 'react-markdown';\n<ReactMarkdown>{message.content}</ReactMarkdown>",
|
|
37
|
+
compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.7"],
|
|
38
|
+
},
|
|
39
|
+
{
|
|
40
|
+
id: "VG853",
|
|
41
|
+
name: "AI Tool Execute With Unsanitized Input",
|
|
42
|
+
severity: "critical",
|
|
43
|
+
owasp: "A02:2025 Injection",
|
|
44
|
+
description: "AI SDK tool execute function uses LLM-generated parameters in raw SQL queries or shell commands. The LLM controls these values, making injection attacks possible.",
|
|
45
|
+
pattern: /execute\s*:\s*(?:async\s*)?\(\s*\{[^}]*\}\s*\)\s*=>[\s\S]{0,300}?(?:query\s*\(\s*`[^`]*\$\{|exec\s*\(|os\.system|subprocess)/g,
|
|
46
|
+
languages: ["javascript", "typescript"],
|
|
47
|
+
fix: "Always use parameterized queries and validated inputs inside AI tool execute functions.",
|
|
48
|
+
fixCode: 'const tools = {\n getUser: tool({\n parameters: z.object({ id: z.string().uuid() }),\n execute: async ({ id }) => {\n return db.query("SELECT name FROM users WHERE id = $1", [id]);\n },\n }),\n};',
|
|
49
|
+
compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
|
|
50
|
+
},
|
|
51
|
+
];
|
|
52
|
+
//# sourceMappingURL=ai-security.js.map
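Review bot: VG853's pattern (hunk line 45) treats any `exec(` as a shell call, so `re.exec(input)` or a `child_process.exec` with a constant command inside a tool's `execute` is reported as critical, while the `os\.system|subprocess` alternatives can never fire because `languages` is javascript/typescript only. Requiring an interpolated template literal, as the SQL branch already does, keeps the rule to what the description claims: ``pattern: /execute\s*:\s*(?:async\s*)?\(\s*\{[^}]*\}\s*\)\s*=>[\s\S]{0,300}?(?:query\s*\(\s*`[^`]*\$\{|\b(?:exec|execSync)\s*\(\s*`[^`]*\$\{)/g,``. VG850 has no word boundary before its alternation, so with `/i` an assignment such as `ecosystem = ` followed by a template literal containing `${...}` also matches; `\b(?:system|systemPrompt|system_prompt|systemMessage)` fixes that. VG852's description ends with `This is a security rule detector.`, which reads as an editing leftover in a user-facing string and should be dropped. VG851's `[\s\S]{0,200}?` after the `json(` call is not bounded by the closing parenthesis, so a `systemPrompt` reference in the statement following a generic `Response.json({ error: ... })` within 200 characters is still attributed to the response.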
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"ai-security.js","sourceRoot":"","sources":["../../../src/data/rules/ai-security.ts"],"names":[],"mappings":"AAEA,4EAA4E;AAC5E,MAAM,CAAC,MAAM,eAAe,GAAmB;IAC7C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,qHAAqH;QACvH,OAAO,EACL,mGAAmG;QACrG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,+FAA+F;QACpG,OAAO,EACL,gRAAgR;QAClR,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2CAA2C;QACjD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,8GAA8G;QAChH,OAAO,EACL,yKAAyK;QAC3K,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,oIAAoI;QACtI,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uCAAuC;QAC7C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,oKAAoK;QACtK,OAAO,EACL,8HAA8H;QAChI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8GAA8G;QACnH,OAAO,EACL,gIAAgI;QAClI,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,oKAAoK;QACtK,OAAO,EACL,+HAA+H;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EACL,qNAAqN;QACvN,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,EA0OnC,CAAC"}
|
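--- a/package/build/data/rules/auth.js
+++ b/package/build/data/rules/auth.js
@@ -87,6 +87,31 @@ export const authRules = [
 fixCode: '// CORRECT: validates with Auth server\nconst { data: { user }, error } = await supabase.auth.getUser();\nif (error || !user) throw new Error("Unauthorized");',
 compliance: ["SOC2:CC6.6"],
 },
+// Clerk-specific rules
+{
+id: "VG428",
+name: "Clerk unsafeMetadata Used for Authorization",
+severity: "high",
+owasp: "A01:2025 Broken Access Control",
+description: "unsafeMetadata is client-writable. Using it for role or permission checks allows users to escalate their own privileges.",
+pattern: /unsafeMetadata\s*[\.\[]\s*["']?(?:role|admin|permission|isAdmin|access|level|tier)/gi,
+languages: ["javascript", "typescript"],
+fix: "Use publicMetadata (server-writable only) or Clerk Organizations for role-based access control.",
+fixCode: '// WRONG: user.unsafeMetadata.role (client can modify!)\n// CORRECT: use publicMetadata (set server-side only)\nconst { user } = await currentUser();\nif (user.publicMetadata.role === "admin") { ... }\n\n// Or use Clerk Organizations\nconst { orgRole } = await auth();\nif (orgRole === "org:admin") { ... }',
+compliance: ["SOC2:CC6.6"],
+},
+{
+id: "VG429",
+name: "Full Clerk User Object Passed to Client",
+severity: "high",
+owasp: "A07:2025 Sensitive Data Exposure",
+description: "Full currentUser() object passed as prop to client component. This leaks privateMetadata and sensitive fields to the browser.",
+pattern: /(?:await\s+)?currentUser\s*\(\s*\)[\s\S]{0,200}?<\w+[\s\S]{0,100}?user\s*=\s*\{/g,
+languages: ["javascript", "typescript"],
+fix: "Only pass specific safe fields to client components, never the full user object.",
+fixCode: '// WRONG: <ClientComponent user={user} /> (leaks privateMetadata)\n// CORRECT: pick only needed fields\nconst user = await currentUser();\nconst safeUser = { id: user.id, name: user.firstName };\nreturn <ClientComponent user={safeUser} />;',
+compliance: ["SOC2:CC6.1"],
+},
 // Supabase Auth specific rules
 {
 id: "VG440",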
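Review bot: VG429's pattern flags its own recommended fix: in the fixCode sample, `const user = await currentUser();` is followed within 200 characters by `<ClientComponent user={safeUser} />`, which satisfies `currentUser\s*\(\s*\)[\s\S]{0,200}?<\w+[\s\S]{0,100}?user\s*=\s*\{` because the final `user\s*=\s*\{` accepts any prop value, not only the full object. Tightening the tail to `user\s*=\s*\{\s*user\s*\}` limits the match to the case the description names, at the cost of missing a renamed variable. VG428's alternation has no trailing boundary, so `unsafeMetadata.levelOfDetail` or `unsafeMetadata.accessibility` also fire; `(?:role|admin|permission|isAdmin|access|level|tier)s?\b` keeps the intended keys. The two fixCode samples also disagree on the return shape of `currentUser()` — VG428 destructures `const { user } = await currentUser();` while VG429 writes `const user = await currentUser();` — and if Clerk returns the user object directly, as I believe it does, the VG428 sample should follow VG429.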
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAEA,+DAA+D;AAC/D,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,kPAAkP;QACpP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iOAAiO;QACnO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD,8EAA8E;IAC9E,mFAAmF;IACnF,uEAAuE;IACvE;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0GAA0G;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sFAAsF;QAC3F,OAAO,EACL,gIAAgI;QAClI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2GAA2G;QAC7G,OAAO,EAAE,6DAA6D;QACtE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4EAA4E;QACjF,OAAO,EACL,yHAAyH;QAC3H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,8IAA8I;QAChJ,OAAO,EACL,4FAA4F;QAC9F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gIAAgI;QAClI,OAAO,EACL,6GAA6G;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+MAA+M;QACjN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,uNAAuN;QACzN,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,8NAA8N;QAChO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,6JAA6J;QAC/J,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,
EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iDAAiD;QACtD,OAAO,EACL,gKAAgK;QAClK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,+BAA+B;IAC/B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gJAAgJ;QAClJ,OAAO,EAAE,8HAA8H;QACvI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4IAA4I;QACjJ,OAAO,EACL,wMAAwM;QAC1M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8CAA8C;QACpD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gJAAgJ;QAClJ,OAAO,EAAE,6HAA6H;QACtI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8DAA8D;QACnE,OAAO,EACL,4cAA4c;QAC9c,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mDAAmD;QACzD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,6KAA6K;QAC/K,OAAO,EAAE,yJAAyJ;QAClK,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2GAA2G;QAChH,OAAO,EACL,yeAAye;QAC3e,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4CAA4C;QAClD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yLAAyL;QAC3L,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,yHAAyH;QAC3H,OAAO,EAAE,6GAA6G;QACtH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uEAAuE;QAC5E,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4CAA4C;QAClD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,iJAAiJ;QACnJ,OAAO,EAAE,qIAAqI;QAC9I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gHAAgH;QACrH,OAAO,EACL,sNAAsN;QACxN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,2KAA2K;QAC7K,OAAO,EAAE,sJAAsJ;QAC/J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kDAAkD;QACvD,OAAO,EACL,+ZAA+Z;QACja,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAEA,+DAA+D;AAC/D,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,kPAAkP;QACpP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iOAAiO;QACnO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD,8EAA8E;IAC9E,mFAAmF;IACnF,uEAAuE;IACvE;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0GAA0G;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sFAAsF;QAC3F,OAAO,EACL,gIAAgI;QAClI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2GAA2G;QAC7G,OAAO,EAAE,6DAA6D;QACtE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4EAA4E;QACjF,OAAO,EACL,yHAAyH;QAC3H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,8IAA8I;QAChJ,OAAO,EACL,4FAA4F;QAC9F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gIAAgI;QAClI,OAAO,EACL,6GAA6G;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+MAA+M;QACjN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,uNAAuN;QACzN,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,8NAA8N;QAChO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,6JAA6J;QAC/J,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,
EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iDAAiD;QACtD,OAAO,EACL,gKAAgK;QAClK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,uBAAuB;IACvB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6CAA6C;QACnD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,0HAA0H;QAC5H,OAAO,EAAE,sFAAsF;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iGAAiG;QACtG,OAAO,EACL,oTAAoT;QACtT,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,+HAA+H;QACjI,OAAO,EAAE,kFAAkF;QAC3F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iPAAiP;QACnP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,+BAA+B;IAC/B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gJAAgJ;QAClJ,OAAO,EAAE,8HAA8H;QACvI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4IAA4I;QACjJ,OAAO,EACL,wMAAwM;QAC1M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8CAA8C;QACpD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gJAAgJ;QAClJ,OAAO,EAAE,6HAA6H;QACtI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8DAA8D;QACnE,OAAO,EACL,4cAA4c;QAC9c,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mDAAmD;QACzD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,6KAA6K;QAC/K,OAAO,EAAE,yJAAyJ;QAClK,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2GAA2G;QAChH,OAAO,EACL,yeAAye;QAC3e,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4CAA4C;QAClD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yLAAyL;QAC3L,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,yHAAyH;QAC3H,OAAO,EAAE,6GAA6G;QACtH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uEAAuE;QAC5E,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4CAA4C;QAC
lD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,iJAAiJ;QACnJ,OAAO,EAAE,qIAAqI;QAC9I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gHAAgH;QACrH,OAAO,EACL,sNAAsN;QACxN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,2KAA2K;QAC7K,OAAO,EAAE,sJAAsJ;QAC/J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kDAAkD;QACvD,OAAO,EACL,+ZAA+Z;QACja,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
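--- a/package/build/data/rules/core.js
+++ b/package/build/data/rules/core.js
@@ -7,7 +7,7 @@ export const coreRules = [
 severity: "critical",
 owasp: "A01:2025 Broken Access Control",
 description: "Hardcoded passwords, API keys, or secrets detected in source code.",
-pattern: /(?:secret_?key|api_?key|api_?secret|private_?key|access_?key|password|passwd|pwd|auth_?token)\w*\s*[:=]\s*['"][^'"]{3,}['"]/gi,
+pattern: /(?:secret_?key|api_?key|api_?secret|private_?key|access_?key|password|passwd|pwd|auth_?token|jwt_?secret|app_?secret|master_?key|signing_?key|encryption_?key)\w*\s*[:=]\s*['"][^'"]{3,}['"]/gi,
 languages: ["javascript", "typescript", "python", "go"],
 fix: "Use environment variables (process.env.SECRET) or a secrets manager. Never commit credentials to source code.",
 fixCode: "// Use environment variables instead\nconst password = process.env.DB_PASSWORD;\nconst apiKey = process.env.API_KEY;",
@@ -19,7 +19,7 @@ export const coreRules = [
 severity: "critical",
 owasp: "A01:2025 Broken Access Control",
 description: "Cloud provider API key or token pattern detected in source code (AWS, GitHub, OpenAI, Stripe).",
-pattern: /(?:AKIA[0-9A-Z]{16}|(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}|sk-[A-Za-z0-9]{20,}|sk_live_[A-Za-z0-9]{
+pattern: /(?:AKIA[0-9A-Z]{16}|(?:ghp|gho|ghu|ghs|ghr)_[A-Za-z0-9_]{36,}|sk-[A-Za-z0-9]{20,}|sk_live_[A-Za-z0-9]{5,}|rk_live_[A-Za-z0-9]{5,})/g,
 languages: ["javascript", "typescript", "python", "go", "html", "shell"],
 fix: "Remove hardcoded keys immediately. Use environment variables or a secrets manager (AWS Secrets Manager, Vault). Rotate any compromised keys.",
 fixCode: "// Store keys in environment variables\nconst awsKey = process.env.AWS_ACCESS_KEY_ID;\nconst githubToken = process.env.GITHUB_TOKEN;",
@@ -116,7 +116,7 @@ export const coreRules = [
 severity: "critical",
 owasp: "A02:2025 Injection",
 description: "Dynamic code execution function detected. This can run arbitrary code and is a major security risk.",
-pattern:
+pattern: /(?:\beval\s*\(|new\s+Function\s*\()/gi,
 languages: ["javascript", "typescript", "python"],
 fix: "Avoid dynamic code execution. Use JSON.parse() for JSON data. Use a sandboxed environment if absolutely required.",
 fixCode: "// Use JSON.parse for data\nconst data = JSON.parse(input);\n// Alternatives: use a proper parser for your data format\n// const fn = new " + "Function('x', 'return x * 2'); // only if absolutely needed",
@@ -184,7 +184,7 @@ export const coreRules = [
 severity: "critical",
 owasp: "A07:2025 Auth Failures",
 description: "Using MD5 or SHA-1 for password hashing. These are fast hashes, not designed for passwords.",
-pattern: /(?:createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)|(?:md5|sha1)\s*\.\s*(?:new|update|digest|hexdigest|Sum|New)\s*\(|import\s+(?:md5|sha1)|require\s*\(\s*['"](?:md5|sha1)['"]\s*\))/gi,
+pattern: /(?:createHash\s*\(\s*['"](?:md5|sha1)['"]\s*\)|(?:md5|sha1)\s*\.\s*(?:new|update|digest|hexdigest|Sum|New)\s*\(|import\s+(?:md5|sha1)|require\s*\(\s*['"](?:md5|sha1)['"]\s*\)|hashlib\.(?:md5|sha1)\s*\()/gi,
 languages: ["javascript", "typescript", "python", "go"],
 fix: "Use bcrypt, scrypt, or argon2 for password hashing. Use at least 12 salt rounds.",
 fixCode: "// Use bcrypt for password hashing\nimport bcrypt from 'bcrypt';\nconst hash = await bcrypt.hash(password, 12);\nconst valid = await bcrypt.compare(input, hash);",
@@ -208,7 +208,7 @@ export const coreRules = [
 severity: "high",
 owasp: "A08:2025 Data Integrity Failures",
 description: "Deserializing untrusted data can lead to remote code execution.",
-pattern: /(?:JSON\.parse\s*\(\s*(?:req\.|request\.|body))/gi,
+pattern: /(?:JSON\.parse\s*\(\s*(?:req\.|request\.|body)|pickle\.loads?\s*\(|yaml\.(?:load|unsafe_load)\s*\()/gi,
 languages: ["javascript", "typescript", "python"],
 fix: "Validate all deserialized data with a schema (zod, joi) before processing.",
 fixCode: "// Validate with schema after parsing\nimport { z } from 'zod';\nconst schema = z.object({ name: z.string() });\nconst data = schema.parse(JSON.parse(req.body));",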
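Review bot: The deserialization hunk (`@@ -208,7 +208,7 @@`) adds `pickle\.loads?` and `yaml\.(?:load|unsafe_load)` to the pattern but leaves `fix` and `fixCode` describing only zod/joi validation of parsed JSON, which is not a remediation for a pickle finding; the Python case needs its own guidance, e.g. `fix: "Never unpickle untrusted data; prefer JSON or another schema-validated format. For YAML use yaml.safe_load. Validate parsed data with a schema (zod, joi, pydantic) before processing."`. The new `yaml\.load\s*\(` branch also fires on the safe form `yaml.load(f, Loader=yaml.SafeLoader)`; a lookahead such as `yaml\.load\s*\((?![^)]*SafeLoader)` would skip it. The hash hunk (`@@ -184,7 +184,7 @@`) has the same shape of problem: `hashlib\.(?:md5|sha1)\s*\(` matches `hashlib.md5(data, usedforsecurity=False)`, the explicit non-password use that the description says this critical rule is not about, and `(?![^)]*usedforsecurity\s*=\s*False)` would exclude it. In the key hunk (`@@ -19,7 +19,7 @@`), `sk-[A-Za-z0-9]{20,}` requires twenty alphanumerics immediately after `sk-`, so prefixed keys of the form `sk-proj-…` are not matched; if that shape is meant to be in scope the branch needs to admit an inner `-` segment.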
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"core.js","sourceRoot":"","sources":["../../../src/data/rules/core.ts"],"names":[],"mappings":"AAEA,6EAA6E;AAC7E,6EAA6E;AAC7E,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,oEAAoE;QACjF,OAAO,EACL
|
|
1
|
+
{"version":3,"file":"core.js","sourceRoot":"","sources":["../../../src/data/rules/core.ts"],"names":[],"mappings":"AAEA,6EAA6E;AAC7E,6EAA6E;AAC7E,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,oEAAoE;QACjF,OAAO,EACL,gMAAgM;QAClM,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,+GAA+G;QACpH,OAAO,EAAE,sHAAsH;QAC/H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,cAAc,EAAE,mBAAmB,CAAC;KAClF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gGAAgG;QAClG,OAAO,EACL,qIAAqI;QACvI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,OAAO,CAAC;QACxE,GAAG,EAAE,8IAA8I;QACnJ,OAAO,EAAE,sIAAsI;QAC/I,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,oEAAoE;QACtE,OAAO,EACL,2GAA2G;QAC7G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uJAAuJ;QAC5J,OAAO,EAAE,2HAA2H;QACpI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,kEAAkE;QACpE,OAAO,EACL,yGAAyG;QAC3G,SAAS,EAAE,CAAC,QAAQ,CAAC;QACrB,GAAG,EAAE,2IAA2I;QAChJ,OAAO,EAAE,4GAA4G;QACrH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,gQAAgQ;QAClQ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,6MAA6M;QAClN,OAAO,EAAE,oKAAoK;QAC7K,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,EAAE,mBAAmB,CAAC;KACpE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,wFAAwF;QACrG,OAAO,EACL,wRAAwR;QAC1R,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,OAAO,CAAC;QAChE,GAAG,EAAE,0MAA0M;QAC/M,OAAO,EAAE,wHAAwH;QACjI,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE
,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,oFAAoF;QACtF,OAAO,EAAE,yEAAyE;QAClF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,CAAC;QAC/C,GAAG,EAAE,qIAAqI;QAC1I,6FAA6F;QAC7F,OAAO,EAAE,qJAAqJ,GAAG,+CAA+C;QAChN,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kHAAkH;QACpH,OAAO,EACL,qEAAqE;QACvE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mKAAmK;QACxK,OAAO,EAAE,sHAAsH;QAC/H,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,8DAA8D;QAChE,OAAO,EACL,oGAAoG;QACtG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iIAAiI;QACtI,OAAO,EAAE,+JAA+J;QACxK,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE,uCAAuC;QAChD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,GAAG,EAAE,mHAAmH;QACxH,OAAO,EAAE,4IAA4I,GAAG,6DAA6D;QACrN,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,yCAAyC;QAChD,WAAW,EACT,8FAA8F;QAChG,OAAO,EAAE,2DAA2D;QACpE,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,8FAA8F;QACnG,OAAO,EAAE,sGAAsG;KAChH;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,qIAAqI;QACvI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,gKAAgK;QACrK,OAAO,EAAE,6IAA6I;KACvJ;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,eAAe;QACrB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,2FAA2F;QAC7F,OAAO,EACL,+IAA+I;QACjJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,gHAAgH;QACrH,OAAO,EAAE,yGAAyG;QAClH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,6D
AA6D;QAC1E,OAAO,EACL,kHAAkH;QACpH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,GAAG,EAAE,uEAAuE;QAC5E,OAAO,EAAE,uFAAuF;KACjG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,gDAAgD;QAC7D,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oEAAoE;QACzE,OAAO,EAAE,sFAAsF;KAChG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,6FAA6F;QAC/F,OAAO,EACL,8MAA8M;QAChN,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,kFAAkF;QACvF,OAAO,EAAE,mKAAmK;QAC5K,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,kBAAkB,EAAE,mBAAmB,CAAC;KACtF;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oBAAoB;QAC1B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EAAE,4CAA4C;QACzD,OAAO,EAAE,+CAA+C;QACxD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,+EAA+E;QACpF,OAAO,EAAE,0FAA0F;QACnG,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,iEAAiE;QACnE,OAAO,EAAE,uGAAuG;QAChH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,CAAC;QACjD,GAAG,EAAE,4EAA4E;QACjF,OAAO,EAAE,mKAAmK;QAC5K,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,2BAA2B;QAClC,WAAW,EACT,yEAAyE;QAC3E,OAAO,EACL,mGAAmG;QACrG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,2EAA2E;QAChF,OAAO,EAAE,oHAAoH;QAC7H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,WAAW;QACjB,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,eAAe;QACtB,WAAW,EACT,oFAAoF;QACtF,OAAO,EACL,6JAA6J;QAC/J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,+EAA+E;QACpF,OAAO,EAAE,qLAAqL;QAC9L,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0DAA0D;QACvE,OAAO,EACL,+FAA+F;QACjG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,C
AAC;QACvC,GAAG,EAAE,+EAA+E;QACpF,OAAO,EAAE,mHAAmH;QAC5H,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,wDAAwD;QACrE,OAAO,EACL,yGAAyG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EAAE,wLAAwL;QACjM,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,qDAAqD;QAClE,OAAO,EACL,iIAAiI;QACnI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,CAAC;QACvD,GAAG,EAAE,gGAAgG;QACrG,OAAO,EAAE,yJAAyJ;QAClK,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kFAAkF;QACpF,OAAO,EACL,sFAAsF;QACxF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oHAAoH;QACzH,OAAO,EAAE,2NAA2N;QACpO,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,aAAa,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,aAAa,EAAE,YAAY,EAqHvC,CAAC"}
|
|
@@ -87,5 +87,17 @@ export const databaseRules = [
|
|
|
87
87
|
fixCode: '// Server-side only\n"use server";\nconst adminClient = createClient(url, process.env.SUPABASE_SERVICE_ROLE_KEY!);',
|
|
88
88
|
compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
|
|
89
89
|
},
|
|
90
|
+
{
|
|
91
|
+
id: "VG438",
|
|
92
|
+
name: "Supabase Public Storage Bucket",
|
|
93
|
+
severity: "high",
|
|
94
|
+
owasp: "A01:2025 Broken Access Control",
|
|
95
|
+
description: "Supabase storage bucket created with public: true. Without proper RLS policies, all files are accessible to anyone.",
|
|
96
|
+
pattern: /createBucket\s*\(\s*['"][^'"]+['"]\s*,\s*\{[\s\S]{0,200}?public\s*:\s*true/g,
|
|
97
|
+
languages: ["javascript", "typescript"],
|
|
98
|
+
fix: "Add storage RLS policies in Supabase Dashboard. Limit file types and sizes.",
|
|
99
|
+
fixCode: '// Create bucket with auth requirement\nconst { data } = await supabase.storage.createBucket("avatars", {\n public: false, // require auth\n fileSizeLimit: 5 * 1024 * 1024, // 5MB\n allowedMimeTypes: ["image/png", "image/jpeg"],\n});',
|
|
100
|
+
compliance: ["SOC2:CC6.1"],
|
|
101
|
+
},
|
|
90
102
|
];
|
|
91
103
|
//# sourceMappingURL=database.js.map
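Review bot: VG438's pattern anchors only on `createBucket`, so `supabase.storage.updateBucket("avatars", { public: true })` — which flips an existing bucket to public with exactly the same exposure — is never reported; widening the anchor is a one-token change: `pattern: /(?:createBucket|updateBucket)\s*\(\s*['"][^'"]+['"]\s*,\s*\{[\s\S]{0,200}?public\s*:\s*true/g`. The description also understates the risk: if I remember the Supabase storage model correctly, objects in a public bucket are served through unauthenticated public URLs regardless of storage RLS (policies still gate upload, list and delete), so "Without proper RLS policies" should read along the lines of `description: "Supabase storage bucket created or updated with public: true. Objects in a public bucket are downloadable by anyone via their public URL; storage RLS policies only govern upload, list and delete."`. The added rule object is complete within the hunk.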
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"database.js","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAEA,uDAAuD;AACvD,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4GAA4G;QAC9G,OAAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4FAA4F;QACjG,OAAO,EACL,kJAAkJ;QACpJ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD,2EAA2E;IAC3E,uFAAuF;IACvF,iFAAiF;IACjF;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,gIAAgI;QAClI,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,gJAAgJ;QAClJ,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,2HAA2H;QAC7H,OAAO,EAAE,+CAA+C;QACxD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EACL,oGAAoG;QACtG,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kHAAkH;QACpH,OAAO,EAAE,+DAA+D;QACxE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8DAA8D;QACnE,OAAO,EACL,+JAA+J;QACjK,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0HAA0H;QAC5H,OAAO,EAAE,4EAA4E;QACrF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,qLAAqL;QACvL,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,+EAA+E;QACjF,OAAO,EACL,mFAAmF;QACrF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,qEAAqE;QAC1E,OAAO,EACL,uIAAuI;QACzI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,O
AAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,OAAO,EACL,oHAAoH;QACtH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}
|
|
1
|
+
{"version":3,"file":"database.js","sourceRoot":"","sources":["../../../src/data/rules/database.ts"],"names":[],"mappings":"AAEA,uDAAuD;AACvD,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4GAA4G;QAC9G,OAAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4FAA4F;QACjG,OAAO,EACL,kJAAkJ;QACpJ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD,2EAA2E;IAC3E,uFAAuF;IACvF,iFAAiF;IACjF;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,gIAAgI;QAClI,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,gJAAgJ;QAClJ,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,2HAA2H;QAC7H,OAAO,EAAE,+CAA+C;QACxD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EACL,oGAAoG;QACtG,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kHAAkH;QACpH,OAAO,EAAE,+DAA+D;QACxE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8DAA8D;QACnE,OAAO,EACL,+JAA+J;QACjK,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0HAA0H;QAC5H,OAAO,EAAE,4EAA4E;QACrF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,qLAAqL;QACvL,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,+EAA+E;QACjF,OAAO,EACL,mFAAmF;QACrF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,qEAAqE;QAC1E,OAAO,EACL,uIAAuI;QACzI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,O
AAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,OAAO,EACL,oHAAoH;QACtH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qHAAqH;QACvH,OAAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6EAA6E;QAClF,OAAO,EACL,8OAA8O;QAChP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"firebase.d.ts","sourceRoot":"","sources":["../../../src/data/rules/firebase.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,aAAa,EAAE,YAAY,EAoFvC,CAAC"}
|
|
@@ -0,0 +1,86 @@
|
|
|
1
|
+
export const firebaseRules = [
|
|
2
|
+
{
|
|
3
|
+
id: "VG750",
|
|
4
|
+
name: "Insecure Firestore Rules",
|
|
5
|
+
severity: "critical",
|
|
6
|
+
owasp: "A01:2025 Broken Access Control",
|
|
7
|
+
description: "Firestore security rules allow unrestricted read/write. Anyone can read or modify your entire database.",
|
|
8
|
+
pattern: /(?:allow\s+(?:read|write|get|list|create|update|delete)\s*:\s*if\s+true|match\s+\/\{document=\*\*\}\s*\{[\s\S]{0,100}?allow\s+read\s*,\s*write)/g,
|
|
9
|
+
languages: ["firestore"],
|
|
10
|
+
fix: "Always restrict Firestore rules. Require authentication and validate data.",
|
|
11
|
+
fixCode: 'rules_version = \'2\';\nservice cloud.firestore {\n match /databases/{database}/documents {\n match /users/{userId} {\n allow read, write: if request.auth != null && request.auth.uid == userId;\n }\n }\n}',
|
|
12
|
+
compliance: ["SOC2:CC6.1"],
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
id: "VG751",
|
|
16
|
+
name: "Firebase Admin SDK Client Exposure",
|
|
17
|
+
severity: "critical",
|
|
18
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
19
|
+
description: "Firebase Admin SDK or service account credentials exposed in client-side code. Admin SDK has full unrestricted access to all Firebase services.",
|
|
20
|
+
pattern: /["']use client["'][\s\S]{0,500}?(?:firebase-admin|@google-cloud\/firestore|serviceAccountKey|FIREBASE_SERVICE_ACCOUNT|FIREBASE_ADMIN)/g,
|
|
21
|
+
languages: ["javascript", "typescript"],
|
|
22
|
+
fix: "Firebase Admin SDK must only be used server-side. Never import it in client components.",
|
|
23
|
+
fixCode: '// Server-side only (API route or Server Action)\nimport { initializeApp, cert } from "firebase-admin/app";\ninitializeApp({ credential: cert(JSON.parse(process.env.FIREBASE_SERVICE_ACCOUNT_KEY!)) });',
|
|
24
|
+
compliance: ["SOC2:CC6.1"],
|
|
25
|
+
},
|
|
26
|
+
{
|
|
27
|
+
id: "VG752",
|
|
28
|
+
name: "Firebase Service Account Key Hardcoded",
|
|
29
|
+
severity: "critical",
|
|
30
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
31
|
+
description: "Firebase service account key or credentials JSON hardcoded in source code.",
|
|
32
|
+
pattern: /(?:service_account|serviceAccount|credential|cert)\s*[\(=:]\s*\{[\s\S]{0,500}?(?:"type"\s*:\s*"service_account"|"private_key"\s*:\s*"-----BEGIN)/g,
|
|
33
|
+
languages: ["javascript", "typescript", "json"],
|
|
34
|
+
fix: "Store service account JSON in environment variable and parse at runtime.",
|
|
35
|
+
fixCode: '// Store as env var (base64 or JSON string)\nconst serviceAccount = JSON.parse(process.env.FIREBASE_SERVICE_ACCOUNT_KEY!);\ninitializeApp({ credential: cert(serviceAccount) });',
|
|
36
|
+
compliance: ["SOC2:CC6.1"],
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
id: "VG753",
|
|
40
|
+
name: "Insecure Firebase Storage Rules",
|
|
41
|
+
severity: "critical",
|
|
42
|
+
owasp: "A01:2025 Broken Access Control",
|
|
43
|
+
description: "Firebase Storage rules allow unrestricted public access. Anyone can read/write/delete files.",
|
|
44
|
+
pattern: /(?:allow\s+read\s*,\s*write\s*:\s*if\s+true|match\s+\/\{allPaths=\*\*\}\s*\{[\s\S]{0,100}?allow\s+read\s*,\s*write)/g,
|
|
45
|
+
languages: ["firestore"],
|
|
46
|
+
fix: "Restrict Firebase Storage rules. Require authentication and limit file types/sizes.",
|
|
47
|
+
fixCode: 'service firebase.storage {\n match /b/{bucket}/o {\n match /users/{userId}/{allPaths=**} {\n allow read: if request.auth != null;\n allow write: if request.auth != null \n && request.auth.uid == userId\n && request.resource.size < 5 * 1024 * 1024;\n }\n }\n}',
|
|
48
|
+
compliance: ["SOC2:CC6.1"],
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
id: "VG754",
|
|
52
|
+
name: "Firebase Config Hardcoded",
|
|
53
|
+
severity: "medium",
|
|
54
|
+
owasp: "A05:2025 Security Misconfiguration",
|
|
55
|
+
description: "Firebase config object hardcoded with all values inline. While Firebase API keys are designed to be public, hardcoding makes it hard to manage across environments.",
|
|
56
|
+
pattern: /(?:firebaseConfig|firebase\.initializeApp)\s*[\(=]\s*\{[\s\S]{0,500}?apiKey\s*:\s*["']AIza[A-Za-z0-9_-]{30,}["']/g,
|
|
57
|
+
languages: ["javascript", "typescript"],
|
|
58
|
+
fix: "Use environment variables for Firebase config to manage different environments.",
|
|
59
|
+
fixCode: 'const firebaseConfig = {\n apiKey: process.env.NEXT_PUBLIC_FIREBASE_API_KEY,\n authDomain: process.env.NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN,\n projectId: process.env.NEXT_PUBLIC_FIREBASE_PROJECT_ID,\n};',
|
|
60
|
+
compliance: ["SOC2:CC6.1"],
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
id: "VG755",
|
|
64
|
+
name: "NEXT_PUBLIC Firebase Service Account",
|
|
65
|
+
severity: "critical",
|
|
66
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
67
|
+
description: "Firebase service account key or admin credentials exposed via NEXT_PUBLIC_ prefix.",
|
|
68
|
+
pattern: /NEXT_PUBLIC_\w*(?:FIREBASE_SERVICE_ACCOUNT|FIREBASE_ADMIN|FIREBASE_PRIVATE|FIREBASE_SECRET)\w*\s*=/gi,
|
|
69
|
+
languages: ["javascript", "typescript", "shell"],
|
|
70
|
+
fix: "Remove NEXT_PUBLIC_ prefix from Firebase admin/service account credentials. These must be server-side only.",
|
|
71
|
+
compliance: ["SOC2:CC6.1"],
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
id: "VG756",
|
|
75
|
+
name: "signInWithCustomToken Without Validation",
|
|
76
|
+
severity: "high",
|
|
77
|
+
owasp: "A07:2025 Identification and Authentication Failures",
|
|
78
|
+
description: "signInWithCustomToken used with unvalidated token source. Custom tokens must be generated and verified server-side.",
|
|
79
|
+
pattern: /signInWithCustomToken\s*\(\s*\w*\s*,\s*(?:req\.body|request\.body|params\.|searchParams|query\.|formData|url\.)/gi,
|
|
80
|
+
languages: ["javascript", "typescript"],
|
|
81
|
+
fix: "Generate custom tokens server-side with Firebase Admin SDK. Never accept custom tokens from client input.",
|
|
82
|
+
fixCode: '// Server-side: generate custom token\nimport { getAuth } from "firebase-admin/auth";\nconst customToken = await getAuth().createCustomToken(uid);\n\n// Client-side: only use tokens from your own server\nconst res = await fetch("/api/auth/custom-token");\nconst { token } = await res.json();\nawait signInWithCustomToken(auth, token);',
|
|
83
|
+
compliance: ["SOC2:CC6.1"],
|
|
84
|
+
},
|
|
85
|
+
];
|
|
86
|
+
//# sourceMappingURL=firebase.js.map
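Review bot: VG750's second alternative (`match /{document=**} { … allow read, write`) matches regardless of the condition, so the Firebase locked-mode default `allow read, write: if false;` is reported as critical, while the first alternative accepts only a single permission and therefore misses the real open-rules form `allow read, write: if true;` under any other match block. A single pattern that takes a comma-separated permission list and requires the `if true` body fixes both directions: `pattern: /allow\s+(?:read|write|get|list|create|update|delete)(?:\s*,\s*(?:read|write|get|list|create|update|delete))*\s*:\s*if\s+true\b/g`. VG753 has the same structure and the same false positive on a locked `match /{allPaths=**}` block, and the same replacement pattern works there. Separately, VG752 requires an identifier before the opening `{`, so a committed `service-account.json` (which begins with `{`) never matches despite `json` being listed — a bare `"type"\s*:\s*"service_account"` alternative would cover that file. The `owasp` labels are also inconsistent within this file: A07:2025 is named "Sensitive Data Exposure" on VG751/VG752/VG755 and "Identification and Authentication Failures" on VG756.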
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"firebase.js","sourceRoot":"","sources":["../../../src/data/rules/firebase.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,yGAAyG;QACtH,OAAO,EAAE,kJAAkJ;QAC3J,SAAS,EAAE,CAAC,WAAW,CAAC;QACxB,GAAG,EAAE,4EAA4E;QACjF,OAAO,EAAE,2NAA2N;QACpO,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,iJAAiJ;QAC9J,OAAO,EAAE,wIAAwI;QACjJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EAAE,0MAA0M;QACnN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4EAA4E;QACzF,OAAO,EAAE,mJAAmJ;QAC5J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,CAAC;QAC/C,GAAG,EAAE,0EAA0E;QAC/E,OAAO,EAAE,kLAAkL;QAC3L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,8FAA8F;QAC3G,OAAO,EAAE,sHAAsH;QAC/H,SAAS,EAAE,CAAC,WAAW,CAAC;QACxB,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,oSAAoS;QAC7S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,qKAAqK;QAClL,OAAO,EAAE,mHAAmH;QAC5H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EAAE,2MAA2M;QACpN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oFAAoF;QACjG,OAAO,EAAE,sGAAsG;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,6GAA6G;QAClH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,qHAAqH;QAClI,OAAO,EAAE,mHAAmH;QAC5H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2GAA2G;QAChH,OAAO,EAAE,gVAAgV;QACzV,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;
|
|
1
|
+
{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AAAA,YAAY,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAqB/C,eAAO,MAAM,UAAU,qCAoBtB,CAAC;AAGF,eAAO,MAAM,YAAY,qCAAa,CAAC"}
|
|
@@ -10,6 +10,13 @@ import { deploymentRules } from "./deployment.js";
|
|
|
10
10
|
import { paymentRules } from "./payments.js";
|
|
11
11
|
import { serviceRules } from "./services.js";
|
|
12
12
|
import { webSecurityRules } from "./web-security.js";
|
|
13
|
+
import { reactNativeRules } from "./react-native.js";
|
|
14
|
+
import { firebaseRules } from "./firebase.js";
|
|
15
|
+
import { otherServiceRules } from "./other-services.js";
|
|
16
|
+
import { shellRules } from "./shell.js";
|
|
17
|
+
import { sqlRules } from "./sql.js";
|
|
18
|
+
import { aiSecurityRules } from "./ai-security.js";
|
|
19
|
+
import { supplyChainRules } from "./supply-chain.js";
|
|
13
20
|
export const owaspRules = [
|
|
14
21
|
...coreRules,
|
|
15
22
|
...goRules,
|
|
@@ -23,6 +30,13 @@ export const owaspRules = [
|
|
|
23
30
|
...paymentRules,
|
|
24
31
|
...serviceRules,
|
|
25
32
|
...webSecurityRules,
|
|
33
|
+
...reactNativeRules,
|
|
34
|
+
...firebaseRules,
|
|
35
|
+
...otherServiceRules,
|
|
36
|
+
...shellRules,
|
|
37
|
+
...sqlRules,
|
|
38
|
+
...aiSecurityRules,
|
|
39
|
+
...supplyChainRules,
|
|
26
40
|
];
|
|
27
41
|
// Alias for clarity — these are the built-in rules without plugins
|
|
28
42
|
export const builtinRules = owaspRules;
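Review bot: The seven new spreads after `...webSecurityRules` bring in rule ids that are hand-numbered per module (VG4xx, VG7xx, VG8xx), and nothing visible here rejects a duplicate id, so a collision between two modules would be reported twice or, depending on how consumers key by id, silently shadowed. A one-time uniqueness check after the array is built (a throw at load, or the equivalent unit test) catches that the moment a module is added. `builtinRules` aliases the same array, so it is covered by the same check.
```javascript
export const owaspRules = [
  // … unchanged: spreads of the per-module rule sets …
];

// Fail fast on a duplicate id: ids are hand-assigned per module.
const seenIds = new Set();
for (const rule of owaspRules) {
  if (seenIds.has(rule.id)) throw new Error(`Duplicate rule id: ${rule.id}`);
  seenIds.add(rule.id);
}
```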
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;IAClB,GAAG,YAAY;IACf,GAAG,YAAY;IACf,GAAG,gBAAgB;CACpB,CAAC;AAEF,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC"}
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../../../src/data/rules/index.ts"],"names":[],"mappings":"AACA,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,OAAO,EAAE,MAAM,SAAS,CAAC;AAClC,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,cAAc,EAAE,MAAM,gBAAgB,CAAC;AAChD,OAAO,EAAE,WAAW,EAAE,MAAM,aAAa,CAAC;AAC1C,OAAO,EAAE,SAAS,EAAE,MAAM,WAAW,CAAC;AACtC,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,eAAe,EAAE,MAAM,iBAAiB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,YAAY,EAAE,MAAM,eAAe,CAAC;AAC7C,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AACrD,OAAO,EAAE,aAAa,EAAE,MAAM,eAAe,CAAC;AAC9C,OAAO,EAAE,iBAAiB,EAAE,MAAM,qBAAqB,CAAC;AACxD,OAAO,EAAE,UAAU,EAAE,MAAM,YAAY,CAAC;AACxC,OAAO,EAAE,QAAQ,EAAE,MAAM,UAAU,CAAC;AACpC,OAAO,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AACnD,OAAO,EAAE,gBAAgB,EAAE,MAAM,mBAAmB,CAAC;AAErD,MAAM,CAAC,MAAM,UAAU,GAAG;IACxB,GAAG,SAAS;IACZ,GAAG,OAAO;IACV,GAAG,eAAe;IAClB,GAAG,SAAS;IACZ,GAAG,cAAc;IACjB,GAAG,WAAW;IACd,GAAG,SAAS;IACZ,GAAG,aAAa;IAChB,GAAG,eAAe;IAClB,GAAG,YAAY;IACf,GAAG,YAAY;IACf,GAAG,gBAAgB;IACnB,GAAG,gBAAgB;IACnB,GAAG,aAAa;IAChB,GAAG,iBAAiB;IACpB,GAAG,UAAU;IACb,GAAG,QAAQ;IACX,GAAG,eAAe;IAClB,GAAG,gBAAgB;CACpB,CAAC;AAEF,mEAAmE;AACnE,MAAM,CAAC,MAAM,YAAY,GAAG,UAAU,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"nextjs.d.ts","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,WAAW,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"nextjs.d.ts","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,WAAW,EAAE,YAAY,EAiMrC,CAAC"}
|
|
@@ -18,7 +18,7 @@ export const nextjsRules = [
|
|
|
18
18
|
severity: "high",
|
|
19
19
|
owasp: "A03:2025 Injection",
|
|
20
20
|
description: "Server Action processes form data without schema validation. Unvalidated input can lead to injection attacks.",
|
|
21
|
-
pattern: /["']use server["'][\s\S]{0,500}?formData\.get\s*\(/g,
|
|
21
|
+
pattern: /["']use server["'](?![\s\S]{0,500}?(?:z\.object|schema\.parse|\.safeParse|yup\.object|valibot\.|\.validate\s*\())[\s\S]{0,500}?formData\.get\s*\(/g,
|
|
22
22
|
languages: ["javascript", "typescript"],
|
|
23
23
|
fix: "Validate all inputs with a schema library (zod, yup, valibot) before processing.",
|
|
24
24
|
fixCode: '"use server";\nimport { z } from "zod";\n\nconst schema = z.object({ name: z.string().min(1), email: z.string().email() });\n\nexport async function createUser(formData: FormData) {\n const data = schema.parse(Object.fromEntries(formData));\n}',
|
|
@@ -30,7 +30,7 @@ export const nextjsRules = [
|
|
|
30
30
|
severity: "critical",
|
|
31
31
|
owasp: "A01:2025 Broken Access Control",
|
|
32
32
|
description: "Server Action performs data mutations without verifying user authentication. Anyone can invoke Server Actions directly via POST request.",
|
|
33
|
-
pattern: /["']use server["'][\s\S]{0,
|
|
33
|
+
pattern: /["']use server["'][\s\S]{0,500}?export\s+async\s+function\s+\w+\s*\([^)]*\)\s*\{(?![\s\S]{0,800}?(?:auth\s*\(|getServerSession|currentUser|getUser|requireAuth|clerkClient))/g,
|
|
34
34
|
languages: ["javascript", "typescript"],
|
|
35
35
|
fix: "Always verify authentication at the start of every Server Action.",
|
|
36
36
|
fixCode: '"use server";\nimport { auth } from "@clerk/nextjs/server";\n\nexport async function deleteItem(id: string) {\n const { userId } = await auth();\n if (!userId) throw new Error("Unauthorized");\n}',
|
|
@@ -138,11 +138,23 @@ export const nextjsRules = [
|
|
|
138
138
|
severity: "critical",
|
|
139
139
|
owasp: "A07:2025 Sensitive Data Exposure",
|
|
140
140
|
description: "Environment variable prefixed with NEXT_PUBLIC_ contains a secret keyword (SECRET, KEY, PASSWORD, TOKEN). NEXT_PUBLIC_ variables are embedded in the client bundle and visible to anyone.",
|
|
141
|
-
pattern: /NEXT_PUBLIC_\w*(?:SECRET|_KEY|PASSWORD|TOKEN|PRIVATE|CREDENTIAL)\w*\s*=/gi,
|
|
141
|
+
pattern: /NEXT_PUBLIC_(?!\w*PUBLISHABLE)\w*(?:SECRET|_KEY|PASSWORD|TOKEN|PRIVATE|CREDENTIAL)\w*\s*=/gi,
|
|
142
142
|
languages: ["javascript", "typescript", "shell"],
|
|
143
143
|
fix: "Remove NEXT_PUBLIC_ prefix from secret variables. Access them only server-side.",
|
|
144
144
|
fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_SECRET_KEY=sk_live_xxx\n\n# .env.local — CORRECT\nSECRET_KEY=sk_live_xxx\n# Access server-side only: process.env.SECRET_KEY",
|
|
145
145
|
compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3", "HIPAA:§164.312(a)"],
|
|
146
146
|
},
|
|
147
|
+
{
|
|
148
|
+
id: "VG412",
|
|
149
|
+
name: "Server Action Returns Full Database Object",
|
|
150
|
+
severity: "high",
|
|
151
|
+
owasp: "A01:2025 Broken Access Control",
|
|
152
|
+
description: "Server Action returns a full database query result without field selection. Sensitive fields (passwordHash, internalNotes) get serialized to the client.",
|
|
153
|
+
pattern: /["']use server["'][\s\S]{0,800}?(?:findUnique|findFirst|findMany)\s*\([^)]*\)\s*;?\s*\n\s*return/g,
|
|
154
|
+
languages: ["javascript", "typescript"],
|
|
155
|
+
fix: "Always use select to return only needed fields from Server Actions.",
|
|
156
|
+
fixCode: '"use server";\nexport async function getUser(id: string) {\n return prisma.user.findUnique({\n where: { id },\n select: { id: true, name: true, email: true },\n });\n}',
|
|
157
|
+
compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
|
|
158
|
+
},
|
|
147
159
|
];
|
|
148
160
|
//# sourceMappingURL=nextjs.js.map
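Review bot: VG412's pattern (the `findUnique|findFirst|findMany … return` line) never looks inside the query argument for a field projection, so a call that already uses `select:` (or Prisma `omit:`), assigned to a local and returned on the next line, is still reported as high severity even though it does what the rule's `fix` asks for. Gating the match on the absence of a projection removes that false positive: `pattern: /["']use server["'][\s\S]{0,800}?(?:findUnique|findFirst|findMany)\s*\((?![^)]*\b(?:select|omit)\s*:)[^)]*\)\s*;?\s*\n\s*return/g`. Note that `[^)]*` stops at the first `)`, so any nested call such as `Number(id)` inside the argument makes the rule skip the query entirely; that is a limit of the regex approach worth a comment next to the pattern. The `fixCode` example escapes the current pattern only because its `return` precedes the call.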
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAEA,iDAAiD;AACjD,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4KAA4K;QAC9K,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sIAAsI;QAC3I,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,
|
|
1
|
+
{"version":3,"file":"nextjs.js","sourceRoot":"","sources":["../../../src/data/rules/nextjs.ts"],"names":[],"mappings":"AAEA,iDAAiD;AACjD,MAAM,CAAC,MAAM,WAAW,GAAmB;IACzC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4KAA4K;QAC9K,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sIAAsI;QAC3I,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,oJAAoJ;QACtJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,sPAAsP;QACxP,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,0IAA0I;QAC5I,OAAO,EACL,+KAA+K;QACjL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mEAAmE;QACxE,OAAO,EACL,uMAAuM;QACzM,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,uHAAuH;QACzH,OAAO,EACL,4GAA4G;QAC9G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gEAAgE;QACrE,OAAO,EACL,kLAAkL;QACpL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yGAAyG;QAC3G,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,4GAA4G;QAC9G,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0HAA0H;QAC5H,OAAO,EACL,6EAA6E;QAC/E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EACL,mTAAmT;QACrT,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,yHAAyH;QAC3H,OAAO,EACL,4JAA4J;QAC9J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAA
O,EACL,+RAA+R;QACjS,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,+GAA+G;QACjH,OAAO,EACL,2FAA2F;QAC7F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,yNAAyN;QAC3N,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,uLAAuL;QACzL,OAAO,EAAE,qDAAqD;QAC9D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,oOAAoO;QACtO,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qIAAqI;QACvI,OAAO,EACL,qFAAqF;QACvF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+RAA+R;QACjS,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yIAAyI;QAC3I,OAAO,EACL,0IAA0I;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uEAAuE;QAC5E,OAAO,EACL,oRAAoR;QACtR,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2LAA2L;QAC7L,OAAO,EACL,6FAA6F;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4CAA4C;QAClD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,0JAA0J;QAC5J,OAAO,EACL,mGAAmG;QACrG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qEAAqE;QAC1E,OAAO,EACL,iLAAiL;QACnL,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"other-services.d.ts","sourceRoot":"","sources":["../../../src/data/rules/other-services.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,iBAAiB,EAAE,YAAY,EA6D3C,CAAC"}
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
export const otherServiceRules = [
|
|
2
|
+
{
|
|
3
|
+
id: "VG800",
|
|
4
|
+
name: "Sentry Auth Token Exposure",
|
|
5
|
+
severity: "critical",
|
|
6
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
7
|
+
description: "Sentry auth token exposed in client-side code or committed to source. Auth tokens grant full org access. Note: Sentry DSN is safe to expose publicly.",
|
|
8
|
+
pattern: /(?:SENTRY_AUTH_TOKEN\s*[:=]\s*["']?\w{10,}|["']sntrys_[A-Za-z0-9]{20,}["'])/g,
|
|
9
|
+
languages: ["javascript", "typescript", "shell"],
|
|
10
|
+
fix: "Use SENTRY_AUTH_TOKEN only in CI/CD environment. DSN is safe to be public.",
|
|
11
|
+
fixCode: '# .env.local (server only, for source maps upload)\nSENTRY_AUTH_TOKEN=sntrys_xxx\n\n# Safe to expose (DSN)\nNEXT_PUBLIC_SENTRY_DSN=https://abc@sentry.io/123',
|
|
12
|
+
compliance: ["SOC2:CC6.1"],
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
id: "VG801",
|
|
16
|
+
name: "Twilio Auth Token Exposure",
|
|
17
|
+
severity: "critical",
|
|
18
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
19
|
+
description: "Twilio auth token or API key hardcoded or exposed in client-side code. This allows sending SMS/calls from your account.",
|
|
20
|
+
pattern: /(?:["']use client["'][\s\S]{0,500}?(?:TWILIO_AUTH_TOKEN|TWILIO_API_SECRET)|(?:authToken|apiSecret)\s*[:=]\s*["'][a-f0-9]{32}["'])/g,
|
|
21
|
+
languages: ["javascript", "typescript"],
|
|
22
|
+
fix: "Use Twilio credentials server-side only. Validate phone numbers to prevent SMS injection.",
|
|
23
|
+
fixCode: '// Server-side only\nimport twilio from "twilio";\nconst client = twilio(process.env.TWILIO_ACCOUNT_SID, process.env.TWILIO_AUTH_TOKEN);\n\n// Validate phone number before sending\nconst phoneRegex = /^\\+[1-9]\\d{1,14}$/;\nif (!phoneRegex.test(to)) throw new Error("Invalid phone");',
|
|
24
|
+
compliance: ["SOC2:CC6.1"],
|
|
25
|
+
},
|
|
26
|
+
{
|
|
27
|
+
id: "VG802",
|
|
28
|
+
name: "Neon/Postgres Connection String Exposure",
|
|
29
|
+
severity: "critical",
|
|
30
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
31
|
+
description: "Neon or PostgreSQL connection string hardcoded in source code. Contains hostname, credentials, and database name.",
|
|
32
|
+
pattern: /(?:DATABASE_URL|connectionString|connection_string|pgConnectionString)\s*[:=]\s*["']postgres(?:ql)?:\/\/[^"'\s]{10,}["']/gi,
|
|
33
|
+
languages: ["javascript", "typescript"],
|
|
34
|
+
fix: "Use DATABASE_URL environment variable. Never hardcode connection strings.",
|
|
35
|
+
fixCode: 'import { neon } from "@neondatabase/serverless";\nconst sql = neon(process.env.DATABASE_URL!);',
|
|
36
|
+
compliance: ["SOC2:CC6.1"],
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
id: "VG803",
|
|
40
|
+
name: "Convex Deploy Key Exposure",
|
|
41
|
+
severity: "critical",
|
|
42
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
43
|
+
description: "Convex deploy key or admin key hardcoded or exposed in client-side code. Deploy keys grant write access to your Convex backend.",
|
|
44
|
+
pattern: /(?:CONVEX_DEPLOY_KEY|["']use client["'][\s\S]{0,500}?CONVEX_ADMIN_KEY|(?:deployKey|adminKey)\s*[:=]\s*["'](?:prod|dev):[\w]+:[\w]+["'])/g,
|
|
45
|
+
languages: ["javascript", "typescript", "shell"],
|
|
46
|
+
fix: "Use CONVEX_DEPLOY_KEY only in CI/CD. Client-side should only use the public CONVEX_URL.",
|
|
47
|
+
fixCode: '# Client-safe\nNEXT_PUBLIC_CONVEX_URL=https://xxx.convex.cloud\n\n# Server/CI only\nCONVEX_DEPLOY_KEY=prod:xxx:yyy',
|
|
48
|
+
compliance: ["SOC2:CC6.1"],
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
id: "VG804",
|
|
52
|
+
name: "MongoDB Connection String Exposure",
|
|
53
|
+
severity: "critical",
|
|
54
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
55
|
+
description: "MongoDB connection string hardcoded in source code. Contains credentials and cluster information.",
|
|
56
|
+
pattern: /(?:MONGODB_URI|MONGO_URL|mongoUri|mongoUrl|connectionString)\s*[:=]\s*["']mongodb(?:\+srv)?:\/\/[^"'\s]{10,}["']/gi,
|
|
57
|
+
languages: ["javascript", "typescript"],
|
|
58
|
+
fix: "Use MONGODB_URI environment variable. Never hardcode connection strings.",
|
|
59
|
+
fixCode: 'import { MongoClient } from "mongodb";\nconst client = new MongoClient(process.env.MONGODB_URI!);',
|
|
60
|
+
compliance: ["SOC2:CC6.1"],
|
|
61
|
+
},
|
|
62
|
+
];
|
|
63
|
+
//# sourceMappingURL=other-services.js.map
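Review bot: VG802 and VG804 demand the URL be wrapped in quotes and are not enabled for `shell`, so the most common leak — an unquoted `DATABASE_URL=postgresql://user:pass@host/db` or `MONGODB_URI=mongodb+srv://…` line in a committed `.env` file — is never reported, while VG800 and VG803 in this same file do scan shell. Making the quotes optional, requiring an embedded `user:password@` so a plain `postgres://localhost/dev` URL is not flagged, and adding `shell` closes the gap; for VG802: `pattern: /(?:DATABASE_URL|connectionString|connection_string|pgConnectionString)\s*[:=]\s*["']?postgres(?:ql)?:\/\/[^"'\s@$]+:[^"'\s@$]+@[^"'\s]+/gi` with `languages: ["javascript", "typescript", "shell"]`, and the same shape with `mongodb(?:\+srv)?` for VG804. Separately, VG803's first alternative is the bare token `CONVEX_DEPLOY_KEY`, so `process.env.CONVEX_DEPLOY_KEY` in a deploy script and the rule's own `fixCode` line are both flagged critical; require an assigned literal there, e.g. `CONVEX_DEPLOY_KEY\s*[:=]\s*["']?(?:prod|dev):`.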
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"other-services.js","sourceRoot":"","sources":["../../../src/data/rules/other-services.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,iBAAiB,GAAmB;IAC/C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,uJAAuJ;QACpK,OAAO,EAAE,8EAA8E;QACvF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,4EAA4E;QACjF,OAAO,EAAE,8JAA8J;QACvK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yHAAyH;QACtI,OAAO,EAAE,oIAAoI;QAC7I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2FAA2F;QAChG,OAAO,EAAE,6RAA6R;QACtS,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mHAAmH;QAChI,OAAO,EAAE,4HAA4H;QACrI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,OAAO,EAAE,gGAAgG;QACzG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,iIAAiI;QAC9I,OAAO,EAAE,0IAA0I;QACnJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EAAE,oHAAoH;QAC7H,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mGAAmG;QAChH,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0EAA0E;QAC/E,OAAO,EAAE,mGAAmG;QAC5G,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"react-native.d.ts","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EAsH1C,CAAC"}
|
|
@@ -0,0 +1,120 @@
|
|
|
1
|
+
export const reactNativeRules = [
|
|
2
|
+
{
|
|
3
|
+
id: "VG700",
|
|
4
|
+
name: "AsyncStorage Sensitive Data",
|
|
5
|
+
severity: "critical",
|
|
6
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
7
|
+
description: "Storing secrets, tokens, or passwords in AsyncStorage. AsyncStorage is unencrypted plain text on device. Use expo-secure-store or react-native-keychain instead.",
|
|
8
|
+
pattern: /AsyncStorage\s*\.\s*(?:setItem|multiSet)\s*\(\s*["'][^"']*(?:token|secret|password|jwt|session|auth|apiKey|api_key|credential|refresh)["']/gi,
|
|
9
|
+
languages: ["javascript", "typescript"],
|
|
10
|
+
fix: "Use expo-secure-store (Expo) or react-native-keychain (bare RN) for sensitive data.",
|
|
11
|
+
fixCode: 'import * as SecureStore from "expo-secure-store";\nawait SecureStore.setItemAsync("authToken", token);',
|
|
12
|
+
compliance: ["SOC2:CC6.1", "HIPAA:§164.312(a)"],
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
id: "VG701",
|
|
16
|
+
name: "Deep Link Auth Bypass",
|
|
17
|
+
severity: "high",
|
|
18
|
+
owasp: "A07:2025 Identification and Authentication Failures",
|
|
19
|
+
description: "Deep link handler processes authentication parameters (token, code, session) without validation. Attackers can craft malicious deep links to bypass auth.",
|
|
20
|
+
pattern: /(?:Linking\.addEventListener|useURL|createURL|expo-linking)[\s\S]{0,500}?(?:url|event)[\s\S]{0,300}?(?:token|code|session|auth)/gi,
|
|
21
|
+
languages: ["javascript", "typescript"],
|
|
22
|
+
fix: "Validate deep link origin, verify tokens server-side, and never trust URL parameters for auth state.",
|
|
23
|
+
fixCode: '// Validate token from deep link server-side\nconst { token } = parseURL(url);\nconst res = await fetch("/api/verify-token", { method: "POST", body: JSON.stringify({ token }) });\nif (!res.ok) throw new Error("Invalid deep link token");',
|
|
24
|
+
compliance: ["SOC2:CC6.1"],
|
|
25
|
+
},
|
|
26
|
+
{
|
|
27
|
+
id: "VG702",
|
|
28
|
+
name: "Expo Push Token Exposure",
|
|
29
|
+
severity: "high",
|
|
30
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
31
|
+
description: "Expo push token logged or sent to client-side analytics. Push tokens can be abused to send spam notifications.",
|
|
32
|
+
pattern: /(?:console\.\w+|analytics|posthog|capture|track)\s*[\.\(][\s\S]{0,200}?(?:ExpoPushToken|expoPushToken|pushToken)/gi,
|
|
33
|
+
languages: ["javascript", "typescript"],
|
|
34
|
+
fix: "Never log push tokens. Send them only to your own server over HTTPS.",
|
|
35
|
+
fixCode: '// Send push token securely to your server\nawait fetch("/api/register-push", {\n method: "POST",\n headers: { Authorization: `Bearer ${authToken}` },\n body: JSON.stringify({ pushToken }),\n});',
|
|
36
|
+
compliance: ["SOC2:CC6.1"],
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
id: "VG703",
|
|
40
|
+
name: "Hardcoded Secrets in EAS Config",
|
|
41
|
+
severity: "critical",
|
|
42
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
43
|
+
description: "Hardcoded secrets, API keys, or tokens in eas.json or eas.config. These end up in version control.",
|
|
44
|
+
pattern: /(?:"env"|env\s*:\s*\{)[\s\S]{0,300}?(?:SECRET|TOKEN|API_KEY|PASSWORD|PRIVATE)\s*["']?\s*[:=]\s*["'][^"']{8,}["']/gi,
|
|
45
|
+
languages: ["json", "javascript", "typescript"],
|
|
46
|
+
fix: "Use EAS Secrets (eas secret:create) instead of hardcoding in eas.json.",
|
|
47
|
+
fixCode: '# Set secrets via EAS CLI\neas secret:create --name API_KEY --value "your-key" --scope project\n\n# Reference in eas.json\n{ "build": { "production": { "env": { "API_KEY": "eas-secret" } } } }',
|
|
48
|
+
compliance: ["SOC2:CC6.1"],
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
id: "VG704",
|
|
52
|
+
name: "WebView JavaScript Injection",
|
|
53
|
+
severity: "critical",
|
|
54
|
+
owasp: "A03:2025 Injection",
|
|
55
|
+
description: "WebView loading untrusted URLs or injecting unvalidated JavaScript. This allows XSS and data theft from the app context.",
|
|
56
|
+
pattern: /(?:WebView|webview)\s*[\s\S]{0,300}?(?:injectedJavaScript|source\s*=\s*\{\s*\{\s*uri\s*:\s*(?:user|params|route|input|req|data|body)[\s\S]{0,100}?\}|javaScriptEnabled\s*=\s*\{?\s*true)/gi,
|
|
57
|
+
languages: ["javascript", "typescript"],
|
|
58
|
+
fix: "Validate WebView URLs against an allowlist. Avoid injecting dynamic JavaScript. Disable JavaScript if not needed.",
|
|
59
|
+
fixCode: 'const ALLOWED_HOSTS = ["example.com", "docs.example.com"];\nconst url = new URL(inputUrl);\nif (!ALLOWED_HOSTS.includes(url.hostname)) throw new Error("Blocked URL");\n\n<WebView source={{ uri: url.toString() }} javaScriptEnabled={false} />',
|
|
60
|
+
compliance: ["SOC2:CC7.1"],
|
|
61
|
+
},
|
|
62
|
+
{
|
|
63
|
+
id: "VG705",
|
|
64
|
+
name: "Missing Certificate Pinning",
|
|
65
|
+
severity: "medium",
|
|
66
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
67
|
+
description: "Network requests to API without certificate pinning. On mobile, this allows man-in-the-middle attacks on compromised networks.",
|
|
68
|
+
pattern: /(?:fetch|axios|http)\s*[\.\(][\s\S]{0,200}?(?:api\.|\/api\/)[\s\S]{0,300}?(?:Authorization|Bearer|token)/gi,
|
|
69
|
+
languages: ["javascript", "typescript"],
|
|
70
|
+
fix: "Implement certificate pinning using react-native-ssl-pinning or expo-certificate-transparency.",
|
|
71
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req4"],
|
|
72
|
+
},
|
|
73
|
+
{
|
|
74
|
+
id: "VG706",
|
|
75
|
+
name: "Hardcoded API URL",
|
|
76
|
+
severity: "medium",
|
|
77
|
+
owasp: "A05:2025 Security Misconfiguration",
|
|
78
|
+
description: "API base URL hardcoded directly in source. This makes it hard to switch environments and may expose staging/internal endpoints.",
|
|
79
|
+
pattern: /(?:baseURL|apiUrl|API_URL|apiBase|BASE_URL)\s*[:=]\s*["']https?:\/\/(?!localhost)[^"']{5,}["']/gi,
|
|
80
|
+
languages: ["javascript", "typescript"],
|
|
81
|
+
fix: "Use environment variables or app config for API URLs.",
|
|
82
|
+
fixCode: 'import Constants from "expo-constants";\nconst API_URL = Constants.expoConfig?.extra?.apiUrl ?? process.env.EXPO_PUBLIC_API_URL;',
|
|
83
|
+
compliance: ["SOC2:CC6.1"],
|
|
84
|
+
},
|
|
85
|
+
{
|
|
86
|
+
id: "VG707",
|
|
87
|
+
name: "Disabled App Transport Security",
|
|
88
|
+
severity: "high",
|
|
89
|
+
owasp: "A05:2025 Security Misconfiguration",
|
|
90
|
+
description: "App Transport Security (ATS) disabled in iOS config, allowing insecure HTTP connections.",
|
|
91
|
+
pattern: /NSAppTransportSecurity[\s\S]{0,200}?NSAllowsArbitraryLoads[\s\S]{0,50}?(?:true|YES|<true\s*\/>)/gi,
|
|
92
|
+
languages: ["xml", "json", "javascript", "typescript"],
|
|
93
|
+
fix: "Do not disable ATS. If specific domains need HTTP, use NSExceptionDomains instead of blanket allow.",
|
|
94
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req4"],
|
|
95
|
+
},
|
|
96
|
+
{
|
|
97
|
+
id: "VG708",
|
|
98
|
+
name: "Sensitive Data in Expo Config",
|
|
99
|
+
severity: "critical",
|
|
100
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
101
|
+
description: "Secrets or API keys hardcoded in app.json, app.config.js, or app.config.ts. These are embedded in the app bundle and visible to anyone who decompiles the app.",
|
|
102
|
+
pattern: /(?:app\.json|app\.config\.[jt]s)[\s\S]{0,50}|(?:"extra"|extra\s*:\s*\{)[\s\S]{0,500}?(?:SECRET|PRIVATE_KEY|API_SECRET|DATABASE_URL|SERVICE_ACCOUNT)\s*[:=]\s*["'][^"']{8,}["']/gi,
|
|
103
|
+
languages: ["json", "javascript", "typescript"],
|
|
104
|
+
fix: "Use EXPO_PUBLIC_ prefix only for truly public values. Keep secrets server-side or in EAS Secrets.",
|
|
105
|
+
fixCode: '// app.config.ts — only public values in extra\nexport default {\n extra: {\n apiUrl: process.env.EXPO_PUBLIC_API_URL, // OK: public\n // NEVER: apiSecret: process.env.API_SECRET\n },\n};',
|
|
106
|
+
compliance: ["SOC2:CC6.1"],
|
|
107
|
+
},
|
|
108
|
+
{
|
|
109
|
+
id: "VG709",
|
|
110
|
+
name: "React Native Bridge Sensitive Data",
|
|
111
|
+
severity: "high",
|
|
112
|
+
owasp: "A07:2025 Sensitive Data Exposure",
|
|
113
|
+
description: "Sensitive data (tokens, keys, passwords) passed through React Native bridge/NativeModules without encryption. Bridge data can be intercepted on rooted/jailbroken devices.",
|
|
114
|
+
pattern: /NativeModules\.\w+\.\w+\s*\([\s\S]{0,200}?(?:token|secret|password|key|credential|jwt|session)/gi,
|
|
115
|
+
languages: ["javascript", "typescript"],
|
|
116
|
+
fix: "Encrypt sensitive data before passing through the bridge. Use native secure storage instead.",
|
|
117
|
+
compliance: ["SOC2:CC6.1"],
|
|
118
|
+
},
|
|
119
|
+
];
|
|
120
|
+
//# sourceMappingURL=react-native.js.map
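Review bot: The top-level `|` in VG708's pattern makes the `(?:app\.json|app\.config\.[jt]s)[\s\S]{0,50}` alternative a complete match on its own, so any file that merely mentions `app.json` — an import path, a comment, a README snippet — is reported as a critical secret exposure with no secret present; dropping that alternative so the rule reads `/(?:"extra"|extra\s*:\s*\{)[\s\S]{0,500}?(?:SECRET|PRIVATE_KEY|API_SECRET|DATABASE_URL|SERVICE_ACCOUNT)\s*[:=]\s*["'][^"']{8,}["']/gi` keeps the intended detection. VG705 does not look for pinning at all — it fires on every authenticated `fetch`/`axios` call to an `api.` host or `/api/` path, so the finding cannot be cleared by applying its own fix, and I could not tie the `expo-certificate-transparency` package named in that fix to a published module, so it is worth verifying. VG709 has a similar precision problem: with the `i` flag the bare `key` alternative matches `Keychain`, so a call into the react-native-keychain module that VG700's fix recommends is itself flagged as bridge leakage. The `owasp` strings also disagree across this release — `A07:2025` is labelled three different ways in this file and `A03:2025` is "Injection" here but "Software Supply Chain Failures" in supply-chain.js; as far as I know the published 2025 list has A03 as supply chain and A05 as Injection, so these should be aligned before they appear in reports.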
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"react-native.js","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kKAAkK;QAC/K,OAAO,EAAE,8IAA8I;QACvJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,wGAAwG;QACjH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,2JAA2J;QACxK,OAAO,EAAE,mIAAmI;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sGAAsG;QAC3G,OAAO,EAAE,8OAA8O;QACvP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gHAAgH;QAC7H,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sEAAsE;QAC3E,OAAO,EAAE,uMAAuM;QAChN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oGAAoG;QACjH,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,wEAAwE;QAC7E,OAAO,EAAE,kMAAkM;QAC3M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,0HAA0H;QACvI,OAAO,EAAE,4LAA4L;QACrM,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mHAAmH;QACxH,OAAO,EAAE,kPAAkP;QAC3P,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gIAAgI;QAC7I,OAAO,EAAE,4GAA4G;QACrH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iIAAiI;QAC9I,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uDAAuD;QAC5D,OAAO,EAAE,kIAAkI;QAC3I,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B
;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0FAA0F;QACvG,OAAO,EAAE,mGAAmG;QAC5G,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QACtD,GAAG,EAAE,qGAAqG;QAC1G,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gKAAgK;QAC7K,OAAO,EAAE,kLAAkL;QAC3L,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,mGAAmG;QACxG,OAAO,EAAE,qMAAqM;QAC9M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4KAA4K;QACzL,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8FAA8F;QACnG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"shell.d.ts","sourceRoot":"","sources":["../../../src/data/rules/shell.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,UAAU,EAAE,YAAY,EAuEpC,CAAC"}
|
|
@@ -0,0 +1,63 @@
|
|
|
1
|
+
export const shellRules = [
|
|
2
|
+
{
|
|
3
|
+
id: "VG500",
|
|
4
|
+
name: "Pipe to shell execution",
|
|
5
|
+
severity: "critical",
|
|
6
|
+
owasp: "A02:2025 Injection",
|
|
7
|
+
description: "Piping downloaded content directly to a shell interpreter (curl|bash, wget|sh) executes arbitrary remote code without inspection.",
|
|
8
|
+
pattern: /(?:curl|wget)\s+[^|]*\|\s*(?:bash|sh|zsh|ksh|dash|source\s+\/dev\/stdin)|base64\s+(?:-d|--decode)\s+[^|]*\|\s*(?:bash|sh)/gi,
|
|
9
|
+
languages: ["shell"],
|
|
10
|
+
fix: "Download the script first, inspect it, then execute: curl -o script.sh URL && chmod +x script.sh && ./script.sh",
|
|
11
|
+
fixCode: "# Download first, inspect, then run\ncurl -fsSL https://example.com/install.sh -o install.sh\ncat install.sh # inspect it\nchmod +x install.sh\n./install.sh",
|
|
12
|
+
compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
id: "VG501",
|
|
16
|
+
name: "Dangerous file permissions",
|
|
17
|
+
severity: "high",
|
|
18
|
+
owasp: "A01:2025 Broken Access Control",
|
|
19
|
+
description: "chmod 777 or overly permissive permissions (o+w) make files world-writable, creating a security risk.",
|
|
20
|
+
pattern: /chmod\s+(?:777|666|a\+w|o\+w)\s+/gi,
|
|
21
|
+
languages: ["shell"],
|
|
22
|
+
fix: "Use least-privilege permissions. Typical: 755 for executables, 644 for files, 700 for private dirs.",
|
|
23
|
+
fixCode: "# Use restrictive permissions\nchmod 755 script.sh # owner rwx, others rx\nchmod 644 config.txt # owner rw, others r\nchmod 700 ~/.ssh # owner only",
|
|
24
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req7"],
|
|
25
|
+
},
|
|
26
|
+
{
|
|
27
|
+
id: "VG502",
|
|
28
|
+
name: "Destructive rm command",
|
|
29
|
+
severity: "critical",
|
|
30
|
+
owasp: "A05:2025 Security Misconfiguration",
|
|
31
|
+
description: "rm -rf on root or system directories can destroy the entire filesystem.",
|
|
32
|
+
pattern: /rm\s+-[a-zA-Z]*r[a-zA-Z]*f[a-zA-Z]*\s+(?:\/\s|\/\*|\/etc|\/usr|\/var|\/home|\/boot|\/sys|\/proc|\$\{?\w*\}?\s*\/)/gi,
|
|
33
|
+
languages: ["shell"],
|
|
34
|
+
fix: "Never rm -rf system directories. Use safeguards: check variables are non-empty before deletion.",
|
|
35
|
+
fixCode: '# Always guard rm -rf with variable checks\nif [ -n "$DIR" ] && [ "$DIR" != "/" ]; then\n rm -rf "$DIR"\nfi\n\n# Or use safe-rm: apt install safe-rm',
|
|
36
|
+
compliance: ["SOC2:CC7.1"],
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
id: "VG503",
|
|
40
|
+
name: "Password in command line",
|
|
41
|
+
severity: "critical",
|
|
42
|
+
owasp: "A07:2025 Auth Failures",
|
|
43
|
+
description: "Passing passwords via echo/pipe to sudo or as command-line arguments exposes them in process lists and shell history.",
|
|
44
|
+
pattern: /(?:echo\s+['"]?[^'"|\n]+['"]?\s*\|\s*sudo\s+-[Ss]|(?:mysql|psql|mongosh?)\s+.*-p\s*['"]?\w+['"]?)/gi,
|
|
45
|
+
languages: ["shell"],
|
|
46
|
+
fix: "Use SSH keys, sudo NOPASSWD for CI, or credential files instead of inline passwords.",
|
|
47
|
+
fixCode: "# Use sudoers NOPASSWD for CI\n# visudo: user ALL=(ALL) NOPASSWD: /usr/bin/apt\n\n# Use .pgpass for PostgreSQL\necho 'host:5432:db:user:pass' > ~/.pgpass\nchmod 600 ~/.pgpass\n\n# Use mysql_config_editor for MySQL\nmysql_config_editor set --login-path=local --password",
|
|
48
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req8", "HIPAA:§164.312(a)"],
|
|
49
|
+
},
|
|
50
|
+
{
|
|
51
|
+
id: "VG504",
|
|
52
|
+
name: "Unsafe eval/exec in shell",
|
|
53
|
+
severity: "high",
|
|
54
|
+
owasp: "A02:2025 Injection",
|
|
55
|
+
description: "Using eval with variables in shell scripts can lead to code injection if the variable contains malicious input.",
|
|
56
|
+
pattern: /\beval\s+['"]?\$[\{(]?\w+/gi,
|
|
57
|
+
languages: ["shell"],
|
|
58
|
+
fix: "Avoid eval with variables. Use arrays or direct execution instead.",
|
|
59
|
+
fixCode: '# Instead of: eval "$cmd"\n# Use arrays:\ncmd=(ls -la /tmp)\n"${cmd[@]}"\n\n# Or case-based dispatch:\ncase "$action" in\n start) start_service ;;\n stop) stop_service ;;\nesac',
|
|
60
|
+
compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
|
|
61
|
+
},
|
|
62
|
+
];
|
|
63
|
+
//# sourceMappingURL=shell.js.map
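Review bot: VG503's `-p\s*['"]?\w+` alternative cannot tell a password attached to `-p` from the argument that follows a bare `-p` prompt, so `mysql -u root -p mydb` and `psql -p 5432` (where `-p` is the port) are both reported as a critical password-on-command-line finding. Dropping `\s*` and removing `psql` from that alternative — `(?:mysql|mongosh?)\s+.*-p['"]?\w+['"]?` — limits it to the `-pSECRET` form that actually leaks; psql reads its password from `PGPASSWORD` or `.pgpass`, never from `-p`. VG500's `\|\s*(?:bash|sh|zsh|ksh|dash|...)` has no trailing boundary, so `curl ... | sha256sum -c` matches on the `sh` prefix; `(?:bash|sh|zsh|ksh|dash)\b` closes that. In VG503's fixCode the `.pgpass` file is written with `echo` before `chmod 600`, so under a default umask it is briefly readable by others and, if typed interactively, the password lands in shell history; creating it first with `install -m 600 /dev/null ~/.pgpass` and then writing to it avoids the window.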
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"shell.js","sourceRoot":"","sources":["../../../src/data/rules/shell.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,UAAU,GAAmB;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,mIAAmI;QACrI,OAAO,EAAE,6HAA6H;QACtI,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,iHAAiH;QACtH,OAAO,EACL,+JAA+J;QACjK,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,uGAAuG;QACzG,OAAO,EAAE,oCAAoC;QAC7C,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,qGAAqG;QAC1G,OAAO,EACL,gKAAgK;QAClK,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,yEAAyE;QAC3E,OAAO,EAAE,qHAAqH;QAC9H,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,iGAAiG;QACtG,OAAO,EACL,uJAAuJ;QACzJ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,wBAAwB;QAC/B,WAAW,EACT,uHAAuH;QACzH,OAAO,EAAE,qGAAqG;QAC9G,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,sFAAsF;QAC3F,OAAO,EACL,8QAA8Q;QAChR,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,EAAE,mBAAmB,CAAC;KAChE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,iHAAiH;QACnH,OAAO,EAAE,6BAA6B;QACtC,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,oEAAoE;QACzE,OAAO,EACL,oLAAoL;QACtL,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sql.d.ts","sourceRoot":"","sources":["../../../src/data/rules/sql.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,QAAQ,EAAE,YAAY,EAyDlC,CAAC"}
|
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
export const sqlRules = [
|
|
2
|
+
{
|
|
3
|
+
id: "VG510",
|
|
4
|
+
name: "Destructive DDL statement",
|
|
5
|
+
severity: "critical",
|
|
6
|
+
owasp: "A01:2025 Broken Access Control",
|
|
7
|
+
description: "DROP TABLE/DATABASE in SQL can permanently destroy data. Ensure this is intentional and authorized.",
|
|
8
|
+
pattern: /\b(?:DROP\s+(?:TABLE|DATABASE|SCHEMA|INDEX|VIEW)\s+(?:IF\s+EXISTS\s+)?)/gi,
|
|
9
|
+
languages: ["sql"],
|
|
10
|
+
fix: "Use migrations for schema changes. Restrict DROP privileges to admin roles only. Always backup before destructive DDL.",
|
|
11
|
+
fixCode: "-- Use migrations instead of raw DROP\n-- In a migration file:\nALTER TABLE users RENAME TO users_backup;\n\n-- Restrict privileges\nREVOKE DROP ON SCHEMA public FROM app_user;",
|
|
12
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req7"],
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
id: "VG511",
|
|
16
|
+
name: "Dangerous GRANT statement",
|
|
17
|
+
severity: "critical",
|
|
18
|
+
owasp: "A01:2025 Broken Access Control",
|
|
19
|
+
description: "GRANT ALL PRIVILEGES or GRANT with wildcard grants excessive permissions. Follow the principle of least privilege.",
|
|
20
|
+
pattern: /\bGRANT\s+ALL\s+(?:PRIVILEGES\s+)?ON\s+/gi,
|
|
21
|
+
languages: ["sql"],
|
|
22
|
+
fix: "Grant only the specific privileges needed: GRANT SELECT, INSERT ON table TO role.",
|
|
23
|
+
fixCode: "-- Least privilege: grant only what's needed\nGRANT SELECT, INSERT ON users TO app_role;\n\n-- Never: GRANT ALL PRIVILEGES ON *.* TO 'user'@'%';",
|
|
24
|
+
compliance: ["SOC2:CC6.1", "PCI-DSS:Req7", "HIPAA:§164.312(a)"],
|
|
25
|
+
},
|
|
26
|
+
{
|
|
27
|
+
id: "VG512",
|
|
28
|
+
name: "DELETE/UPDATE without WHERE",
|
|
29
|
+
severity: "high",
|
|
30
|
+
owasp: "A01:2025 Broken Access Control",
|
|
31
|
+
description: "DELETE or UPDATE without a WHERE clause affects all rows in the table, which is almost always unintentional.",
|
|
32
|
+
pattern: /\b(?:DELETE\s+FROM\s+\w+\s*;|UPDATE\s+\w+\s+SET\s+(?:(?!WHERE)[^;])*;)/gi,
|
|
33
|
+
languages: ["sql"],
|
|
34
|
+
fix: "Always include a WHERE clause. For bulk operations, use explicit WHERE 1=1 to show intent.",
|
|
35
|
+
fixCode: "-- Always include WHERE\nDELETE FROM sessions WHERE expired_at < NOW();\n\n-- If you really want all rows, be explicit\nDELETE FROM temp_data WHERE 1=1; -- explicit intent",
|
|
36
|
+
compliance: ["SOC2:CC7.1"],
|
|
37
|
+
},
|
|
38
|
+
{
|
|
39
|
+
id: "VG513",
|
|
40
|
+
name: "SQL comment injection / stacked queries",
|
|
41
|
+
severity: "high",
|
|
42
|
+
owasp: "A02:2025 Injection",
|
|
43
|
+
description: "SQL comment markers (--) or stacked queries (;) combined with suspicious keywords suggest SQL injection payload.",
|
|
44
|
+
pattern: /;\s*(?:DROP|DELETE|INSERT|UPDATE|ALTER|GRANT|REVOKE|EXEC|EXECUTE|UNION)\b/gi,
|
|
45
|
+
languages: ["sql"],
|
|
46
|
+
fix: "Use parameterized queries. Never concatenate user input into SQL. Use an ORM where possible.",
|
|
47
|
+
fixCode: "-- Use parameterized queries in application code\n-- Node.js: db.query('SELECT * FROM users WHERE id = $1', [id])\n-- Python: cursor.execute('SELECT * FROM users WHERE id = %s', (id,))",
|
|
48
|
+
compliance: ["SOC2:CC7.1", "PCI-DSS:Req6.5.1"],
|
|
49
|
+
},
|
|
50
|
+
];
|
|
51
|
+
//# sourceMappingURL=sql.js.map
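Review bot: VG513 is scoped to the `sql` language, where stacked statements are the normal shape of a file, so its `;\s*(?:DROP|DELETE|INSERT|UPDATE|...)` pattern reports every migration or seed script with two statements — `CREATE TABLE ...; INSERT INTO ...;` — as a high-severity injection payload, and the `--` comment marker the description names is not in the pattern at all. The signal this rule describes only exists in application code that builds SQL from input, so either restrict `languages` to those languages and require the `;` to sit inside a string literal, or drop the rule in favour of VG510/VG512, which already cover the destructive statements. VG510's fixCode `REVOKE DROP ON SCHEMA public FROM app_user;` does not run on PostgreSQL, which has no DROP privilege (dropping is an owner right), and `ON SCHEMA` is not the MySQL form either, so as far as I can tell the snippet is valid in neither dialect; `REVOKE ALL ON SCHEMA public FROM app_user;` plus keeping `app_user` off table ownership is the PostgreSQL equivalent. VG512 only fires when the statement ends in `;`, so an unterminated `DELETE FROM users` in a snippet is missed; `DELETE\s+FROM\s+\w+\s*(?:;|$)` for that branch closes the gap.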
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"sql.js","sourceRoot":"","sources":["../../../src/data/rules/sql.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,QAAQ,GAAmB;IACtC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE,2EAA2E;QACpF,SAAS,EAAE,CAAC,KAAK,CAAC;QAClB,GAAG,EAAE,wHAAwH;QAC7H,OAAO,EACL,kLAAkL;QACpL,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,oHAAoH;QACtH,OAAO,EAAE,2CAA2C;QACpD,SAAS,EAAE,CAAC,KAAK,CAAC;QAClB,GAAG,EAAE,mFAAmF;QACxF,OAAO,EACL,kJAAkJ;QACpJ,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,EAAE,mBAAmB,CAAC;KAChE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,8GAA8G;QAChH,OAAO,EAAE,0EAA0E;QACnF,SAAS,EAAE,CAAC,KAAK,CAAC;QAClB,GAAG,EAAE,4FAA4F;QACjG,OAAO,EACL,8KAA8K;QAChL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EACT,kHAAkH;QACpH,OAAO,EAAE,6EAA6E;QACtF,SAAS,EAAE,CAAC,KAAK,CAAC;QAClB,GAAG,EAAE,8FAA8F;QACnG,OAAO,EACL,0LAA0L;QAC5L,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;CACF,CAAC"}
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"supply-chain.d.ts","sourceRoot":"","sources":["../../../src/data/rules/supply-chain.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EA+B1C,CAAC"}
|
|
@@ -0,0 +1,28 @@
|
|
|
1
|
+
// Supply chain and package security rules
|
|
2
|
+
export const supplyChainRules = [
|
|
3
|
+
{
|
|
4
|
+
id: "VG860",
|
|
5
|
+
name: "Malicious postinstall Script",
|
|
6
|
+
severity: "critical",
|
|
7
|
+
owasp: "A03:2025 Software Supply Chain Failures",
|
|
8
|
+
description: "postinstall or preinstall script contains network requests, eval, or exec. This is the #1 npm supply chain attack vector.",
|
|
9
|
+
pattern: /["'](?:post|pre)install["']\s*:\s*["'][^"']*(?:curl|wget|http|https|eval|exec|node\s+-e|sh\s+-c|bash\s+-c)/gi,
|
|
10
|
+
languages: ["json"],
|
|
11
|
+
fix: "Review postinstall scripts carefully. Remove or replace packages with suspicious install scripts.",
|
|
12
|
+
fixCode: '// Safe: no network/exec in install scripts\n"scripts": {\n "postinstall": "prisma generate"\n}\n\n// DANGEROUS: network calls in install\n// "postinstall": "node -e \\"require(\'https\').get(...)\\""',
|
|
13
|
+
compliance: ["SOC2:CC7.1"],
|
|
14
|
+
},
|
|
15
|
+
{
|
|
16
|
+
id: "VG861",
|
|
17
|
+
name: "GitHub Actions persist-credentials Not Disabled",
|
|
18
|
+
severity: "medium",
|
|
19
|
+
owasp: "A01:2025 Broken Access Control",
|
|
20
|
+
description: "actions/checkout with persist-credentials enabled (default: true) leaves Git credentials on the runner. Third-party actions in later steps can push to your repository.",
|
|
21
|
+
pattern: /uses:\s*actions\/checkout@[\s\S]{0,200}?uses:\s*(?!actions\/)[^\s]+@/g,
|
|
22
|
+
languages: ["yaml"],
|
|
23
|
+
fix: "Add persist-credentials: false to actions/checkout when using third-party actions.",
|
|
24
|
+
fixCode: "- uses: actions/checkout@v4\n with:\n persist-credentials: false",
|
|
25
|
+
compliance: ["SOC2:CC6.1"],
|
|
26
|
+
},
|
|
27
|
+
];
|
|
28
|
+
//# sourceMappingURL=supply-chain.js.map
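Review bot: VG861's pattern never looks for `persist-credentials: false`, so a workflow that already applies the recommended fix — `actions/checkout@v4` with `persist-credentials: false` followed by a third-party action — is still reported, and the fixCode cannot make the finding go away. A tempered scan between the two `uses:` lines handles it: `/uses:\s*actions\/checkout@(?:(?!persist-credentials:\s*false)[\s\S]){0,200}?uses:\s*(?!actions\/)\S+@/g`. The `(?!actions\/)` exclusion also treats every first-party action as safe, but `actions/github-script` runs repository-supplied code with the same token access, so the exclusion is broader than the threat the description states. VG860 matches on bare substrings — `exec` hits `execa` or `executable`, `http` hits `http-server` — while the common shape `"postinstall": "node scripts/setup.js"` is not matched at all because the payload lives in the file; `\b(?:curl|wget|https?|eval|exec)\b` reduces the noise, and the description's "#1 attack vector" claim has nothing in the rule to back it and could be dropped.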
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"supply-chain.js","sourceRoot":"","sources":["../../../src/data/rules/supply-chain.ts"],"names":[],"mappings":"AAEA,0CAA0C;AAC1C,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,yCAAyC;QAChD,WAAW,EACT,2HAA2H;QAC7H,OAAO,EACL,8GAA8G;QAChH,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,mGAAmG;QACxG,OAAO,EACL,2MAA2M;QAC7M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yKAAyK;QAC3K,OAAO,EACL,uEAAuE;QACzE,SAAS,EAAE,CAAC,MAAM,CAAC;QACnB,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,sEAAsE;QACxE,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -67,7 +67,7 @@ export const secretPatterns = [
|
|
|
67
67
|
},
|
|
68
68
|
{
|
|
69
69
|
provider: "NEXT_PUBLIC_ Secret Exposure",
|
|
70
|
-
pattern: /NEXT_PUBLIC_[A-Z_]*(?:SECRET|
|
|
70
|
+
pattern: /NEXT_PUBLIC_[A-Z_]*(?:SECRET|PRIVATE_KEY|SERVICE_ROLE|PASSWORD|CREDENTIAL)[A-Z_]*\s*=/gi,
|
|
71
71
|
severity: "high",
|
|
72
72
|
fix: "Remove NEXT_PUBLIC_ prefix — it exposes the value to the browser. Use server-side environment variables instead.",
|
|
73
73
|
},
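Review bot: The widened NEXT_PUBLIC_ pattern still omits `TOKEN`, so `NEXT_PUBLIC_GITHUB_TOKEN=` or `NEXT_PUBLIC_ACCESS_TOKEN=` in a `.env` file passes while the EAS rule VG703 added in this same release treats TOKEN as a secret indicator; adding it — `(?:SECRET|PRIVATE_KEY|SERVICE_ROLE|PASSWORD|CREDENTIAL|TOKEN)` — keeps the two rules consistent. The `i` flag also lets `[A-Z_]*` accept lowercase, so `NEXT_PUBLIC_secretary=` matches; if the intent is upper-case env names only, drop `i` or guard the suffix with `(?![a-z])`. Because every pattern here carries `g`, a scanner that reuses the same RegExp with `.test()` or `.exec()` across inputs inherits a stale `lastIndex` and silently skips alternate matches; the scanner is not in this hunk, so that is a point to confirm rather than a confirmed defect.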
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"secret-patterns.js","sourceRoot":"","sources":["../../src/data/secret-patterns.ts"],"names":[],"mappings":"AAOA,MAAM,CAAC,MAAM,cAAc,GAAoB;IAC7C;QACE,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,wGAAwG;KAC9G;IACD;QACE,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,+EAA+E;QACxF,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,wEAAwE;KAC9E;IACD;QACE,QAAQ,EAAE,cAAc;QACxB,OAAO,EAAE,4CAA4C;QACrD,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,4EAA4E;KAClF;IACD;QACE,QAAQ,EAAE,iBAAiB;QAC3B,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,yEAAyE;KAC/E;IACD;QACE,QAAQ,EAAE,6BAA6B;QACvC,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;QAClB,GAAG,EAAE,mFAAmF;KACzF;IACD;QACE,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,sEAAsE;KAC5E;IACD;QACE,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,0EAA0E;KAChF;IACD;QACE,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,oBAAoB;QAC7B,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,uCAAuC;KAC7C;IACD;QACE,QAAQ,EAAE,kBAAkB;QAC5B,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,gDAAgD;QACzD,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,wEAAwE;KAC9E;IACD;QACE,QAAQ,EAAE,8BAA8B;QACxC,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"secret-patterns.js","sourceRoot":"","sources":["../../src/data/secret-patterns.ts"],"names":[],"mappings":"AAOA,MAAM,CAAC,MAAM,cAAc,GAAoB;IAC7C;QACE,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,mBAAmB;QAC5B,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,wGAAwG;KAC9G;IACD;QACE,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,+EAA+E;QACxF,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,wEAAwE;KAC9E;IACD;QACE,QAAQ,EAAE,cAAc;QACxB,OAAO,EAAE,4CAA4C;QACrD,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,0FAA0F;KAChG;IACD;QACE,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,sBAAsB;QAC/B,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,4EAA4E;KAClF;IACD;QACE,QAAQ,EAAE,iBAAiB;QAC3B,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,yEAAyE;KAC/E;IACD;QACE,QAAQ,EAAE,6BAA6B;QACvC,OAAO,EAAE,2BAA2B;QACpC,QAAQ,EAAE,QAAQ;QAClB,GAAG,EAAE,mFAAmF;KACzF;IACD;QACE,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,wBAAwB;QACjC,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,sEAAsE;KAC5E;IACD;QACE,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,+BAA+B;QACxC,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,0EAA0E;KAChF;IACD;QACE,QAAQ,EAAE,gBAAgB;QAC1B,OAAO,EAAE,oBAAoB;QAC7B,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,uCAAuC;KAC7C;IACD;QACE,QAAQ,EAAE,kBAAkB;QAC5B,OAAO,EAAE,2CAA2C;QACpD,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,mDAAmD;KACzD;IACD;QACE,QAAQ,EAAE,aAAa;QACvB,OAAO,EAAE,gDAAgD;QACzD,QAAQ,EAAE,UAAU;QACpB,GAAG,EAAE,wEAAwE;KAC9E;IACD;QACE,QAAQ,EAAE,8BAA8B;QACxC,OAAO,EAAE,yFAAyF;QAClG,QAAQ,EAAE,MAAM;QAChB,GAAG,EAAE,kHAAkH;KACxH;CACF,CAAC;AAEF,MAAM,UAAU,gBAAgB,CAAC,GAAW;IAC1C,MAAM,IAAI,GAAG,IAAI,GAAG,EAAkB,CAAC;IACvC,KAAK,MAAM,EAAE,IAAI,GAAG,EAAE,CAAC;QACrB,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC;IACxC,CAAC;IACD,IAAI,OAAO,GAAG,CAAC,CAAC;IAChB,KAAK,MAAM,KAAK,IAAI,IAAI,CAAC,MAAM,EAAE,EAAE,CAAC;QAClC,MAAM,CAAC,GAAG,KAAK,GAAG,GAAG,CAAC,MAAM,CAAC;QAC7B,OAAO,IAAI,CAAC,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;IAC9B,CAAC;IACD,OAAO,OAAO,CAAC;AACjB,CAAC"}
|
package/build/index.js
CHANGED
|
@@ -18,13 +18,13 @@ import { builtinRules } from "./data/rules/index.js";
|
|
|
18
18
|
import { loadConfig } from "./utils/config.js";
|
|
19
19
|
const server = new McpServer({
|
|
20
20
|
name: "guardvibe",
|
|
21
|
-
version: "0.
|
|
21
|
+
version: "0.11.0",
|
|
22
22
|
});
|
|
23
23
|
// Tool 1: Analyze code for security vulnerabilities
|
|
24
24
|
server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
|
|
25
25
|
code: z.string().describe("The code snippet to analyze"),
|
|
26
26
|
language: z
|
|
27
|
-
.enum(["javascript", "typescript", "python", "go", "dockerfile", "html", "sql", "shell", "yaml", "terraform"])
|
|
27
|
+
.enum(["javascript", "typescript", "python", "go", "dockerfile", "html", "sql", "shell", "yaml", "terraform", "firestore"])
|
|
28
28
|
.describe("Programming language of the code"),
|
|
29
29
|
framework: z
|
|
30
30
|
.string()
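Review bot: The `language` enum gains `firestore` but not `json` or `xml`, while the rules added in this release declare those languages (VG703, VG708 and VG860 list `json`, VG707 lists `xml`), so a caller of `check_code` has no way to request them; whether the analyzer filters rules by this value or runs them regardless is outside the hunk, so this is either a set of unreachable rules or a schema that understates what the tool accepts. Either add `"json", "xml"` to the enum or document in the `.describe(...)` text how those rules are reached.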
|
package/build/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,
|
|
1
|
+
{"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":";AAEA,OAAO,EAAE,SAAS,EAAE,MAAM,yCAAyC,CAAC;AACpE,OAAO,EAAE,oBAAoB,EAAE,MAAM,2CAA2C,CAAC;AACjF,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,SAAS,EAAE,MAAM,uBAAuB,CAAC;AAClD,OAAO,EAAE,YAAY,EAAE,MAAM,0BAA0B,CAAC;AACxD,OAAO,EAAE,eAAe,EAAE,MAAM,8BAA8B,CAAC;AAC/D,OAAO,EAAE,iBAAiB,EAAE,MAAM,uBAAuB,CAAC;AAC1D,OAAO,EAAE,aAAa,EAAE,MAAM,2BAA2B,CAAC;AAC1D,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,gBAAgB,EAAE,MAAM,8BAA8B,CAAC;AAChE,OAAO,EAAE,WAAW,EAAE,MAAM,yBAAyB,CAAC;AACtD,OAAO,EAAE,kBAAkB,EAAE,MAAM,iCAAiC,CAAC;AACrE,OAAO,EAAE,eAAe,EAAE,MAAM,qBAAqB,CAAC;AACtD,OAAO,EAAE,YAAY,EAAE,MAAM,uBAAuB,CAAC;AAErD,OAAO,EAAE,UAAU,EAAE,MAAM,mBAAmB,CAAC;AAE/C,MAAM,MAAM,GAAG,IAAI,SAAS,CAAC;IAC3B,IAAI,EAAE,WAAW;IACjB,OAAO,EAAE,QAAQ;CAClB,CAAC,CAAC;AAEH,oDAAoD;AACpD,MAAM,CAAC,IAAI,CACT,YAAY,EACZ,0KAA0K,EAC1K;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,6BAA6B,CAAC;IACxD,QAAQ,EAAE,CAAC;SACR,IAAI,CAAC,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,IAAI,EAAE,YAAY,EAAE,MAAM,EAAE,KAAK,EAAE,OAAO,EAAE,MAAM,EAAE,WAAW,EAAE,WAAW,CAAC,CAAC;SAC1H,QAAQ,CAAC,kCAAkC,CAAC;IAC/C,SAAS,EAAE,CAAC;SACT,MAAM,EAAE;SACR,QAAQ,EAAE;SACV,QAAQ,CAAC,kEAAkE,CAAC;IAC/E,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IAC9C,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,SAAS,CAAC,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IAC1F,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,2DAA2D;AAC3D,MAAM,CAAC,IAAI,CACT,eAAe,EACf,iKAAiK,EACjK;IACE,KAAK,EAAE,CAAC;SACL,KAAK,CACJ,CAAC,CAAC,MAAM,CAAC;QACP,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,sCAAsC,CAAC;QACjE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CA
AC,kBAAkB,CAAC;KACjD,CAAC,CACH;SACA,QAAQ,CAAC,0CAA0C,CAAC;IACvD,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,EAAE,EAAE;IAC1B,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,YAAY,CAAC,KAAK,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACnD,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,iFAAiF;AACjF,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,8IAA8I,EAC9I;IACE,KAAK,EAAE,CAAC;SACL,MAAM,EAAE;SACR,QAAQ,CACP,mIAAmI,CACpI;CACJ,EACD,KAAK,EAAE,EAAE,KAAK,EAAE,EAAE,EAAE;IAClB,MAAM,IAAI,GAAG,eAAe,CAAC,KAAK,CAAC,CAAC;IACpC,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,IAAI,EAAE,CAAC;KACxC,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,uDAAuD;AACvD,MAAM,aAAa,GAAG,CAAC,CAAC,MAAM,CAAC;IAC7B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,6CAA6C,CAAC;IACxE,OAAO,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gCAAgC,CAAC;IAC9D,SAAS,EAAE,CAAC;SACT,IAAI,CAAC,CAAC,KAAK,EAAE,MAAM,EAAE,IAAI,CAAC,CAAC;SAC3B,OAAO,CAAC,KAAK,CAAC;SACd,QAAQ,CAAC,mBAAmB,CAAC;CACjC,CAAC,CAAC;AAEH,MAAM,CAAC,IAAI,CACT,oBAAoB,EACpB,sKAAsK,EACtK;IACE,QAAQ,EAAE,CAAC,CAAC,UAAU,CACpB,CAAC,GAAG,EAAE,EAAE;QACN,IAAI,OAAO,GAAG,KAAK,QAAQ,EAAE,CAAC;YAC5B,IAAI,CAAC;gBACH,OAAO,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;YACzB,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,GAAG,CAAC;YACb,CAAC;QACH,CAAC;QACD,OAAO,GAAG,CAAC;IACb,CAAC,EACD,CAAC,CAAC,KAAK,CAAC,aAAa,CAAC,CACvB,CAAC,QAAQ,CAAC,yDAAyD,CAAC;CACtE,EACD,KAAK,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;IACrB,MAAM,OAAO,GAAG,MAAM,iBAAiB,CAAC,QAAQ,CAAC,CAAC;IAClD,OAAO;QACL,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC;KAC3C,CAAC;AACJ,CAAC,CACF,CAAC;AAEF,0EAA0E;AAC1E,MAAM,CAAC,IAAI,CACT,gBAAgB,EAChB,gMAAgM,EAChM;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,4CAA4C,CAAC;IACvE,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC;IAC/E,OAAO,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,EAAE,CA
AC,OAAO,CAAC,EAAE,CAAC,CAAC,QAAQ,CAAC,mCAAmC,CAAC;IACjG,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE;IAC7C,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,aAAa,CAAC,IAAI,EAAE,SAAS,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACvE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,gEAAgE;AAChE,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,mLAAmL,EACnL;IACE,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,2EAA2E,CAAC;IAC/G,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,aAAa,EAAE,MAAM,EAAE,EAAE,EAAE;IAClC,MAAM,OAAO,GAAG,MAAM,gBAAgB,CAAC,aAAa,EAAE,MAAM,CAAC,CAAC;IAC9D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,6DAA6D;AAC7D,MAAM,CAAC,IAAI,CACT,cAAc,EACd,mKAAmK,EACnK;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,gCAAgC,CAAC;IAC3D,SAAS,EAAE,CAAC,CAAC,OAAO,EAAE,CAAC,QAAQ,EAAE,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,QAAQ,CAAC,qBAAqB,CAAC;IAC/E,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IACpC,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,CAAC,CAAC;IACrD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,kDAAkD;AAClD,MAAM,CAAC,IAAI,CACT,aAAa,EACb,+KAA+K,EAC/K;IACE,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE;IACnB,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACzD,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,
CACF,CAAC;AAEF,sDAAsD;AACtD,MAAM,CAAC,IAAI,CACT,mBAAmB,EACnB,wJAAwJ,EACxJ;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC;IAC9C,SAAS,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,MAAM,EAAE,SAAS,EAAE,OAAO,EAAE,KAAK,CAAC,CAAC,CAAC,QAAQ,CAAC,sBAAsB,CAAC;IACvF,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,EAAE,EAAE;IACpC,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,gBAAgB,CAAC,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,KAAK,CAAC,CAAC;IACjE,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,sDAAsD;AACtD,MAAM,CAAC,IAAI,CACT,cAAc,EACd,uIAAuI,EACvI;IACE,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,mBAAmB,CAAC;CAC/C,EACD,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE;IACjB,MAAM,KAAK,GAAI,UAAkB,CAAC,iBAA+C,CAAC;IAClF,MAAM,OAAO,GAAG,WAAW,CAAC,IAAI,EAAE,KAAK,CAAC,CAAC;IACzC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,mDAAmD;AACnD,MAAM,CAAC,IAAI,CACT,sBAAsB,EACtB,8KAA8K,EAC9K;IACE,QAAQ,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC,CAAC,QAAQ,CAAC,2EAA2E,CAAC;IACnH,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,QAAQ,CAAC,uEAAuE,CAAC;CAC3I,EACD,KAAK,EAAE,EAAE,QAAQ,EAAE,MAAM,EAAE,EAAE,EAAE;IAC7B,MAAM,OAAO,GAAG,MAAM,kBAAkB,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC3D,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,CAAC,EAAE,CAAC;AACxD,CAAC,CACF,CAAC;AAEF,KAAK,UAAU,IAAI;IACjB,eAAe;IACf,MAAM,MAAM,GAAG,UAAU,CAAC,OAAO,CAAC,GAAG,EAAE,CAAC,CAAC;IACzC,MAAM,OAAO,GAAG,MAAM,eAAe,CAAC,OAAO,CAAC,GAAG,EAAE,EAAE,MAAM,CAAC,OAAO,CAAC,CAAC;IAErE,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QAC9B,OAAO,CAAC,KAAK,CAAC,sBAAsB,OAAO,CAAC,MAAM,CAAC,MAAM,eAAe,OAAO,CAAC,MAAM,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IACvG,CAAC;IACD,KAAK,MAAM,GAAG,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;QACjC,OAAO,CAAC,KAAK,CAAC,+BAA+B,GAAG,EA
AE,CAAC,CAAC;IACtD,CAAC;IAED,gCAAgC;IAChC,MAAM,QAAQ,GAAmB,CAAC,GAAG,YAAY,EAAE,GAAG,OAAO,CAAC,KAAK,CAAC,CAAC;IAErE,wBAAwB;IACxB,KAAK,MAAM,IAAI,IAAI,OAAO,CAAC,KAAK,EAAE,CAAC;QACjC,MAAM,CAAC,IAAI,CACT,IAAI,CAAC,IAAI,EACT,IAAI,CAAC,WAAW,EAChB,IAAI,CAAC,MAAa,EAClB,KAAK,EAAE,KAAU,EAAE,EAAE;YACnB,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,KAAK,CAAC,CAAC;YACzC,OAAO,EAAE,OAAO,EAAE,CAAC,EAAE,IAAI,EAAE,MAAe,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC;QAChE,CAAC,CACF,CAAC;IACJ,CAAC;IAED,uCAAuC;IACtC,UAAkB,CAAC,iBAAiB,GAAG,QAAQ,CAAC;IAEjD,MAAM,SAAS,GAAG,IAAI,oBAAoB,EAAE,CAAC;IAC7C,MAAM,MAAM,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC;IAChC,OAAO,CAAC,KAAK,CAAC,gDAAgD,CAAC,CAAC;AAClE,CAAC;AAED,IAAI,EAAE,CAAC,KAAK,CAAC,CAAC,KAAK,EAAE,EAAE;IACrB,OAAO,CAAC,KAAK,CAAC,cAAc,EAAE,KAAK,CAAC,CAAC;IACrC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC;AAClB,CAAC,CAAC,CAAC"}
@@ -1 +1 @@
1
-
{"version":3,"file":"check-code.d.ts","sourceRoot":"","sources":["../../src/tools/check-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAGvE,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,YAAY,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd;AAgCD,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,MAAM,EACjB,SAAS,CAAC,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,YAAY,EAAE,GACrB,OAAO,EAAE,
1
+
{"version":3,"file":"check-code.d.ts","sourceRoot":"","sources":["../../src/tools/check-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAc,KAAK,YAAY,EAAE,MAAM,wBAAwB,CAAC;AAGvE,MAAM,WAAW,OAAO;IACtB,IAAI,EAAE,YAAY,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,IAAI,EAAE,MAAM,CAAC;CACd;AAgCD,wBAAgB,WAAW,CACzB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,MAAM,EACjB,SAAS,CAAC,EAAE,MAAM,EAClB,KAAK,CAAC,EAAE,YAAY,EAAE,GACrB,OAAO,EAAE,CAyCX;AAED,wBAAgB,kBAAkB,CAAC,QAAQ,EAAE,OAAO,EAAE,EAAE,KAAK,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,MAAM,CAkB/F;AAED,wBAAgB,SAAS,CACvB,IAAI,EAAE,MAAM,EACZ,QAAQ,EAAE,MAAM,EAChB,SAAS,CAAC,EAAE,MAAM,EAClB,QAAQ,CAAC,EAAE,MAAM,EACjB,SAAS,CAAC,EAAE,MAAM,EAClB,MAAM,GAAE,UAAU,GAAG,MAAmB,EACxC,KAAK,CAAC,EAAE,YAAY,EAAE,GACrB,MAAM,CAYR"}
@@ -33,11 +33,12 @@ export function analyzeCode(code, language, framework, filePath, configDir, rule
33
33
// Config: skip disabled rules
34
34
if (config.rules.disable.includes(rule.id))
35
35
continue;
36
-
// Skip CI/CD rules
36
+
// Skip CI/CD rules: when filePath is given, require .github/workflows path.
37
+
// When no filePath (MCP call), allow if language is yaml.
37
38
if (rule.id.startsWith("VG21") && filePath && !filePath.includes(".github/workflows"))
38
39
continue;
39
-
if (rule.id.startsWith("VG21") && !filePath)
40
-
continue;
40
+
if (rule.id.startsWith("VG21") && !filePath && language !== "yaml")
41
+
continue;
41
42
rule.pattern.lastIndex = 0;
42
43
// Apply severity override from config
43
44
const effectiveRule = config.rules.severity[rule.id]
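Review bot: The new guard `filePath && !filePath.includes(".github/workflows")` is a raw substring test, so a path written with backslashes (`.github\workflows\ci.yml`, as a Windows caller could supply) never matches and the VG21 CI/CD rules are silently skipped for exactly the files they target; normalize separators before testing, e.g. `const normalizedPath = filePath?.replace(/\\/g, "/");` and then `!normalizedPath.includes(".github/workflows/")`. Both added `if` lines repeat `rule.id.startsWith("VG21")`; hoisting it into `const isCiRule = rule.id.startsWith("VG21");` at the top of the loop body would make the two branches read as one rule rather than two unrelated checks. The fallback `language !== "yaml"` assumes callers spell the language exactly `yaml`; if the MCP input schema also admits `yml` (not visible in this hunk), the gate should accept both. analyzeCode begins before this hunk and its body continues after it.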
@@ -1 +1 @@
1
-
{"version":3,"file":"check-code.js","sourceRoot":"","sources":["../../src/tools/check-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAqB,MAAM,wBAAwB,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAahD,SAAS,yBAAyB,CAAC,KAAe;IAChD,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,0EAA0E,CAAC;IAE3F,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QAChC,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;QAEnE,IAAI,UAAU,EAAE,CAAC;YACf,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,wBAAwB;QACtE,CAAC;aAAM,CAAC;YACN,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,wBAAwB;QACtE,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,gBAAgB,CAAC,YAA2B,EAAE,IAAY,EAAE,MAAc;IACjF,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC;AAC/F,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,IAAY,EACZ,QAAgB,EAChB,SAAkB,EAClB,QAAiB,EACjB,SAAkB,EAClB,KAAsB;IAEtB,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,YAAY,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;IAEtD,MAAM,cAAc,GAAG,KAAK,IAAI,UAAU,CAAC;IAE3C,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,SAAS;QAEjD,8BAA8B;QAC9B,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAAE,SAAS;QAErD,
1
+
{"version":3,"file":"check-code.js","sourceRoot":"","sources":["../../src/tools/check-code.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,UAAU,EAAqB,MAAM,wBAAwB,CAAC;AACvE,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAahD,SAAS,yBAAyB,CAAC,KAAe;IAChD,MAAM,YAAY,GAAkB,EAAE,CAAC;IACvC,MAAM,OAAO,GAAG,0EAA0E,CAAC;IAE3F,KAAK,IAAI,CAAC,GAAG,CAAC,EAAE,CAAC,GAAG,KAAK,CAAC,MAAM,EAAE,CAAC,EAAE,EAAE,CAAC;QACtC,MAAM,KAAK,GAAG,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;QACrC,IAAI,CAAC,KAAK;YAAE,SAAS;QAErB,MAAM,MAAM,GAAG,KAAK,CAAC,CAAC,CAAC,IAAI,IAAI,CAAC;QAChC,MAAM,UAAU,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,4BAA4B,CAAC,CAAC;QAEnE,IAAI,UAAU,EAAE,CAAC;YACf,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,wBAAwB;QACtE,CAAC;aAAM,CAAC;YACN,YAAY,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,GAAG,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC,CAAC,wBAAwB;QACtE,CAAC;IACH,CAAC;IAED,OAAO,YAAY,CAAC;AACtB,CAAC;AAED,SAAS,gBAAgB,CAAC,YAA2B,EAAE,IAAY,EAAE,MAAc;IACjF,OAAO,YAAY,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,KAAK,IAAI,IAAI,CAAC,CAAC,CAAC,MAAM,KAAK,IAAI,IAAI,CAAC,CAAC,MAAM,KAAK,MAAM,CAAC,CAAC,CAAC;AAC/F,CAAC;AAED,MAAM,UAAU,WAAW,CACzB,IAAY,EACZ,QAAgB,EAChB,SAAkB,EAClB,QAAiB,EACjB,SAAkB,EAClB,KAAsB;IAEtB,MAAM,MAAM,GAAG,UAAU,CAAC,SAAS,CAAC,CAAC;IACrC,MAAM,QAAQ,GAAc,EAAE,CAAC;IAC/B,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,YAAY,GAAG,yBAAyB,CAAC,KAAK,CAAC,CAAC;IAEtD,MAAM,cAAc,GAAG,KAAK,IAAI,UAAU,CAAC;IAE3C,KAAK,MAAM,IAAI,IAAI,cAAc,EAAE,CAAC;QAClC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,QAAQ,CAAC,QAAQ,CAAC;YAAE,SAAS;QAEjD,8BAA8B;QAC9B,IAAI,MAAM,CAAC,KAAK,CAAC,OAAO,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAAE,SAAS;QAErD,4EAA4E;QAC5E,0DAA0D;QAC1D,IAAI,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,QAAQ,IAAI,CAAC,QAAQ,CAAC,QAAQ,CAAC,mBAAmB,CAAC;YAAE,SAAS;QAChG,IAAI,IAAI,CAAC,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,IAAI,CAAC,QAAQ,IAAI,QAAQ,KAAK,MAAM;YAAE,SAAS;QAC7E,IAAI,CAAC,OAAO,CAAC,SAAS,GAAG,CAAC,CAAC;QAE3B,sCAAsC;QACtC,MAAM,aAAa,GAAG,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAC;YAClD,CAA
C,CAAC,EAAE,GAAG,IAAI,EAAE,QAAQ,EAAE,MAAM,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,EAAE,CAAQ,EAAE;YAC9D,CAAC,CAAC,IAAI,CAAC;QAET,IAAI,KAA6B,CAAC;QAClC,OAAO,CAAC,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC,KAAK,IAAI,EAAE,CAAC;YAClD,MAAM,WAAW,GAAG,IAAI,CAAC,SAAS,CAAC,CAAC,EAAE,KAAK,CAAC,KAAK,CAAC,CAAC;YACnD,MAAM,UAAU,GAAG,WAAW,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,MAAM,CAAC;YAElD,IAAI,gBAAgB,CAAC,YAAY,EAAE,UAAU,EAAE,IAAI,CAAC,EAAE,CAAC;gBAAE,SAAS;YAElE,QAAQ,CAAC,IAAI,CAAC;gBACZ,IAAI,EAAE,aAAa;gBACnB,KAAK,EAAE,KAAK,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,EAAE,EAAE,CAAC;gBAChC,IAAI,EAAE,UAAU;aACjB,CAAC,CAAC;QACL,CAAC;IACH,CAAC;IAED,OAAO,QAAQ,CAAC;AAClB,CAAC;AAED,MAAM,UAAU,kBAAkB,CAAC,QAAmB,EAAE,KAA+B;IACrF,MAAM,QAAQ,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IAC7E,MAAM,IAAI,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IACrE,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IACzE,MAAM,GAAG,GAAG,QAAQ,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,KAAK,CAAC,CAAC,MAAM,CAAC;IAEnE,OAAO,IAAI,CAAC,SAAS,CAAC;QACpB,OAAO,EAAE;YACP,KAAK,EAAE,QAAQ,CAAC,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,GAAG;YACnD,OAAO,EAAE,QAAQ,GAAG,CAAC,IAAI,IAAI,GAAG,CAAC;YACjC,GAAG,KAAK;SACT;QACD,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;YAC3B,EAAE,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,EAAE,QAAQ,EAAE,CAAC,CAAC,IAAI,CAAC,QAAQ;YAC3D,KAAK,EAAE,CAAC,CAAC,IAAI,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK;YACjD,GAAG,EAAE,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,OAAO,EAAE,UAAU,EAAE,CAAC,CAAC,IAAI,CAAC,UAAU;SACxE,CAAC,CAAC;KACJ,CAAC,CAAC;AACL,CAAC;AAED,MAAM,UAAU,SAAS,CACvB,IAAY,EACZ,QAAgB,EAChB,SAAkB,EAClB,QAAiB,EACjB,SAAkB,EAClB,SAA8B,UAAU,EACxC,KAAsB;IAEtB,MAAM,QAAQ,GAAG,WAAW,CAAC,IAAI,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC,CAAC;IA
EpF,IAAI,MAAM,KAAK,MAAM,EAAE,CAAC;QACtB,OAAO,kBAAkB,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAED,IAAI,QAAQ,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC1B,OAAO,iBAAiB,CAAC,QAAQ,EAAE,SAAS,CAAC,CAAC;IAChD,CAAC;IAED,OAAO,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;AACrD,CAAC;AAED,SAAS,iBAAiB,CAAC,QAAgB,EAAE,SAAkB;IAC7D,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,KAAK,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAC/C,OAAO;QACL,6BAA6B;QAC7B,EAAE;QACF,iBAAiB,QAAQ,GAAG,GAAG,EAAE;QACjC,yCAAyC;QACzC,EAAE;QACF,mDAAmD;QACnD,6CAA6C;QAC7C,mDAAmD;QACnD,yCAAyC;QACzC,sCAAsC;KACvC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AACf,CAAC;AAED,SAAS,YAAY,CACnB,QAAmB,EACnB,QAAgB,EAChB,SAAkB;IAElB,MAAM,GAAG,GAAG,SAAS,CAAC,CAAC,CAAC,KAAK,SAAS,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC;IAE/C,oBAAoB;IACpB,MAAM,aAAa,GAAG,EAAE,QAAQ,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,GAAG,EAAE,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,CAAC;IAE3E,4BAA4B;IAC5B,MAAM,OAAO,GAAG,IAAI,GAAG,EAAqB,CAAC;IAC7C,KAAK,MAAM,OAAO,IAAI,QAAQ,EAAE,CAAC;QAC/B,MAAM,QAAQ,GAAG,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;QAC9C,IAAI,QAAQ,EAAE,CAAC;YACb,QAAQ,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QACzB,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,OAAO,CAAC,CAAC,CAAC;QAC1C,CAAC;IACH,CAAC;IAED,2CAA2C;IAC3C,MAAM,YAAY,GAAG,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,SAAS,CAAC,EAAE,CAAC,EAAE,SAAS,CAAC,EAAE,EAAE;QACvF,OAAO,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,GAAG,aAAa,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IAC/F,CAAC,CAAC,CAAC;IAEH,+EAA+E;IAC/E,MAAM,WAAW,GAAG,QAAQ,CAAC;IAC7B,MAAM,aAAa,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,UAAU,CAAC,CAAC,MAAM,CAAC;IACvF,MAAM,SAAS,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,CAAC,CAAC,MAAM,CAAC;IAC/E,MAAM,WAAW,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,MAAM,CAAC;IAEnF,MAAM,KAAK,GAAG;QACZ,6BAA6B;QAC7B,EAAE;QACF,iBAAiB,QAAQ,GAAG,GAAG,EAAE;QACj
C,qBAAqB,WAAW,CAAC,MAAM,EAAE;QACzC,kBAAkB,aAAa,cAAc,SAAS,UAAU,WAAW,SAAS;QACpF,EAAE;QACF,KAAK;QACL,EAAE;KACH,CAAC;IAEF,KAAK,MAAM,CAAC,EAAE,aAAa,CAAC,IAAI,YAAY,EAAE,CAAC;QAC7C,MAAM,KAAK,GAAG,aAAa,CAAC,CAAC,CAAC,CAAC;QAC/B,MAAM,IAAI,GACR,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,UAAU;YAChC,CAAC,CAAC,UAAU;YACZ,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM;gBAC9B,CAAC,CAAC,MAAM;gBACR,CAAC,CAAC,KAAK,CAAC,IAAI,CAAC,QAAQ,KAAK,QAAQ;oBAChC,CAAC,CAAC,QAAQ;oBACV,CAAC,CAAC,KAAK,CAAC;QAEhB,IAAI,aAAa,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAC7B,8BAA8B;YAC9B,MAAM,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnE,KAAK,CAAC,IAAI,CACR,OAAO,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,IAAI,KAAK,KAAK,CAAC,IAAI,CAAC,EAAE,GAAG,EACpD,EAAE,EACF,cAAc,KAAK,CAAC,IAAI,CAAC,KAAK,EAAE,EAChC,oBAAoB,aAAa,CAAC,MAAM,YAAY,QAAQ,GAAG,EAC/D,wBAAwB,KAAK,CAAC,KAAK,IAAI,EACvC,EAAE,EACF,KAAK,CAAC,IAAI,CAAC,WAAW,EACtB,EAAE,EACF,YAAY,KAAK,CAAC,IAAI,CAAC,GAAG,EAAE,EAC5B,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,kBAAkB,EAAE,QAAQ,EAAE,KAAK,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,EAC/F,EAAE,EACF,KAAK,EACL,EAAE,CACH,CAAC;QACJ,CAAC;aAAM,CAAC;YACN,oCAAoC;YACpC,KAAK,MAAM,OAAO,IAAI,aAAa,EAAE,CAAC;gBACpC,KAAK,CAAC,IAAI,CACR,OAAO,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,EAAE,GAAG,EACxD,EAAE,EACF,cAAc,OAAO,CAAC,IAAI,CAAC,KAAK,EAAE,EAClC,cAAc,OAAO,CAAC,IAAI,EAAE,EAC5B,gBAAgB,OAAO,CAAC,KAAK,IAAI,EACjC,EAAE,EACF,OAAO,CAAC,IAAI,CAAC,WAAW,EACxB,EAAE,EACF,YAAY,OAAO,CAAC,IAAI,CAAC,GAAG,EAAE,EAC9B,GAAG,CAAC,OAAO,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,EAAE,EAAE,kBAAkB,EAAE,QAAQ,EAAE,OAAO,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC,EACnG,EAAE,EACF,KAAK,EACL,EAAE,CACH,CAAC;YACJ,CAAC;QACH,CAAC;IACH,CAAC;IAED,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;AAC1B,CAAC"}
@@ -1 +1 @@
1
-
{"version":3,"file":"export-sarif.js","sourceRoot":"","sources":["../../src/tools/export-sarif.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACzD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACxD,OAAO,EAAE,WAAW,EAAgB,MAAM,iBAAiB,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGhD,MAAM,aAAa,GAA2B;IAC5C,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY;IACrF,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY;IACrF,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM;IAC7C,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO;IAC/C,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW;CACpD,CAAC;AAEF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa;IAChE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ;CACvC,CAAC,CAAC;AAEH,SAAS,OAAO,CAAC,GAAW,EAAE,QAAqB,EAAE,OAAiB;IACpE,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QAAC,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO;IAAC,CAAC;IAC9E,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,SAAS;QACvC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QACvC,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAC9C,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC9D,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAcD,SAAS,eAAe,CAAC,QAAgB;IACvC,IAAI,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACnE,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAC5C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,KAAsB;IAC9D,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,GAAG,
CAAC,CAAC,GAAG,gBAAgB,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACxE,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IAEvC,MAAM,UAAU,GAAkB,EAAE,CAAC;IAErC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAChC,IAAI,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW;gBAAE,SAAS;YAClD,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAChD,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;YAC5C,IAAI,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC;gBAAE,QAAQ,GAAG,YAAY,CAAC;YACtF,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAExB,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;YAEtF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,UAAU,CAAC,IAAI,CAAC;oBACd,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE;oBACjB,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC;oBACvC,OAAO,EAAE;wBACP,IAAI,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,WAAW,SAAS,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;qBACjE;oBACD,SAAS,EAAE,CAAC;4BACV,gBAAgB,EAAE;gCAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE;gCACnC,MAAM,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,IAAI,EAAE;6BAC9B;yBACF,CAAC;iBACH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;IACxB,CAAC;IAED,qEAAqE;IACrE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,UAAU;SAC1B,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;SACnC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACT,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,gBAAgB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;QAClC,eAAe,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE;QACxC,OAAO,EAAE,uBAAuB;QAChC,UAAU,EAAE;YACV,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;YACf,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD;KACF,CAAC,CAAC,CAAC;IAEN,MAAM,KAAK,GAAG;QACZ,OAAO,EAAE,sGAAsG;QAC/G,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE,CAA
C;gBACL,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,WAAW;wBACjB,OAAO,EAAE,
1
+
{"version":3,"file":"export-sarif.js","sourceRoot":"","sources":["../../src/tools/export-sarif.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,WAAW,EAAE,YAAY,EAAE,QAAQ,EAAE,MAAM,IAAI,CAAC;AACzD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,OAAO,EAAE,MAAM,MAAM,CAAC;AACxD,OAAO,EAAE,WAAW,EAAgB,MAAM,iBAAiB,CAAC;AAC5D,OAAO,EAAE,UAAU,EAAE,MAAM,wBAAwB,CAAC;AACpD,OAAO,EAAE,UAAU,EAAE,MAAM,oBAAoB,CAAC;AAGhD,MAAM,aAAa,GAA2B;IAC5C,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY;IACrF,KAAK,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,YAAY;IACrF,KAAK,EAAE,QAAQ,EAAE,KAAK,EAAE,IAAI,EAAE,OAAO,EAAE,MAAM;IAC7C,MAAM,EAAE,KAAK,EAAE,KAAK,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO;IAC/C,MAAM,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW;CACpD,CAAC;AAEF,MAAM,gBAAgB,GAAG,IAAI,GAAG,CAAC;IAC/B,cAAc,EAAE,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,QAAQ,EAAE,aAAa;IAChE,OAAO,EAAE,OAAO,EAAE,UAAU,EAAE,QAAQ;CACvC,CAAC,CAAC;AAEH,SAAS,OAAO,CAAC,GAAW,EAAE,QAAqB,EAAE,OAAiB;IACpE,IAAI,OAAO,CAAC;IACZ,IAAI,CAAC;QAAC,OAAO,GAAG,WAAW,CAAC,GAAG,EAAE,EAAE,aAAa,EAAE,IAAI,EAAE,CAAC,CAAC;IAAC,CAAC;IAAC,MAAM,CAAC;QAAC,OAAO;IAAC,CAAC;IAC9E,KAAK,MAAM,KAAK,IAAI,OAAO,EAAE,CAAC;QAC5B,IAAI,QAAQ,CAAC,GAAG,CAAC,KAAK,CAAC,IAAI,CAAC;YAAE,SAAS;QACvC,MAAM,QAAQ,GAAG,IAAI,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,CAAC,CAAC;QACvC,IAAI,KAAK,CAAC,WAAW,EAAE,EAAE,CAAC;YACxB,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,CAAC,CAAC;QACvC,CAAC;aAAM,IAAI,KAAK,CAAC,MAAM,EAAE,EAAE,CAAC;YAC1B,MAAM,GAAG,GAAG,OAAO,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;YAC9C,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,KAAK,CAAC,IAAI,CAAC,UAAU,CAAC,YAAY,CAAC,EAAE,CAAC;gBAC9D,OAAO,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;YACzB,CAAC;QACH,CAAC;IACH,CAAC;AACH,CAAC;AAcD,SAAS,eAAe,CAAC,QAAgB;IACvC,IAAI,QAAQ,KAAK,UAAU,IAAI,QAAQ,KAAK,MAAM;QAAE,OAAO,OAAO,CAAC;IACnE,IAAI,QAAQ,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAC5C,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,MAAM,UAAU,WAAW,CAAC,IAAY,EAAE,KAAsB;IAC9D,MAAM,QAAQ,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAC/B,MAAM,MAAM,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IACpC,MAAM,QAAQ,GAAG,IAAI,GAAG,
CAAC,CAAC,GAAG,gBAAgB,EAAE,GAAG,MAAM,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC;IACxE,MAAM,SAAS,GAAa,EAAE,CAAC;IAC/B,OAAO,CAAC,QAAQ,EAAE,QAAQ,EAAE,SAAS,CAAC,CAAC;IAEvC,MAAM,UAAU,GAAkB,EAAE,CAAC;IAErC,KAAK,MAAM,QAAQ,IAAI,SAAS,EAAE,CAAC;QACjC,IAAI,CAAC;YACH,MAAM,IAAI,GAAG,QAAQ,CAAC,QAAQ,CAAC,CAAC;YAChC,IAAI,IAAI,CAAC,IAAI,GAAG,MAAM,CAAC,IAAI,CAAC,WAAW;gBAAE,SAAS;YAClD,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,EAAE,OAAO,CAAC,CAAC;YAChD,MAAM,GAAG,GAAG,OAAO,CAAC,QAAQ,CAAC,CAAC,WAAW,EAAE,CAAC;YAC5C,IAAI,QAAQ,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,CAAC,QAAQ,IAAI,QAAQ,CAAC,QAAQ,CAAC,CAAC,UAAU,CAAC,YAAY,CAAC;gBAAE,QAAQ,GAAG,YAAY,CAAC;YACtF,IAAI,CAAC,QAAQ;gBAAE,SAAS;YAExB,MAAM,QAAQ,GAAG,WAAW,CAAC,OAAO,EAAE,QAAQ,EAAE,SAAS,EAAE,QAAQ,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;YAEtF,KAAK,MAAM,CAAC,IAAI,QAAQ,EAAE,CAAC;gBACzB,UAAU,CAAC,IAAI,CAAC;oBACd,MAAM,EAAE,CAAC,CAAC,IAAI,CAAC,EAAE;oBACjB,KAAK,EAAE,eAAe,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC;oBACvC,OAAO,EAAE;wBACP,IAAI,EAAE,GAAG,CAAC,CAAC,IAAI,CAAC,IAAI,KAAK,CAAC,CAAC,IAAI,CAAC,WAAW,SAAS,CAAC,CAAC,IAAI,CAAC,GAAG,EAAE;qBACjE;oBACD,SAAS,EAAE,CAAC;4BACV,gBAAgB,EAAE;gCAChB,gBAAgB,EAAE,EAAE,GAAG,EAAE,QAAQ,EAAE;gCACnC,MAAM,EAAE,EAAE,SAAS,EAAE,CAAC,CAAC,IAAI,EAAE;6BAC9B;yBACF,CAAC;iBACH,CAAC,CAAC;YACL,CAAC;QACH,CAAC;QAAC,MAAM,CAAC,CAAC,UAAU,CAAC,CAAC;IACxB,CAAC;IAED,qEAAqE;IACrE,MAAM,YAAY,GAAG,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC;IAC5D,MAAM,UAAU,GAAG,UAAU;SAC1B,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;SACnC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;QACT,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,IAAI,EAAE,CAAC,CAAC,IAAI;QACZ,gBAAgB,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,IAAI,EAAE;QAClC,eAAe,EAAE,EAAE,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE;QACxC,OAAO,EAAE,uBAAuB;QAChC,UAAU,EAAE;YACV,IAAI,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC;YACf,GAAG,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,EAAE,UAAU,EAAE,CAAC,CAAC,UAAU,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;SACtD;KACF,CAAC,CAAC,CAAC;IAEN,MAAM,KAAK,GAAG;QACZ,OAAO,EAAE,sGAAsG;QAC/G,OAAO,EAAE,OAAO;QAChB,IAAI,EAAE,CAA
C;gBACL,IAAI,EAAE;oBACJ,MAAM,EAAE;wBACN,IAAI,EAAE,WAAW;wBACjB,OAAO,EAAE,QAAQ;wBACjB,cAAc,EAAE,uBAAuB;wBACvC,KAAK,EAAE,UAAU;qBAClB;iBACF;gBACD,OAAO,EAAE,UAAU;aACpB,CAAC;KACH,CAAC;IAEF,OAAO,IAAI,CAAC,SAAS,CAAC,KAAK,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;AACxC,CAAC"}
package/package.json
CHANGED
@@ -1,7 +1,7 @@
1
1
{
2
2
"name": "guardvibe",
3
-
"version": "0.
4
-
"description": "Security MCP for vibe coding.
3
+
"version": "0.11.0",
4
+
"description": "Security MCP for vibe coding. 170+ rules for Next.js, React Native, Expo, Firebase, Supabase, Stripe, Clerk, Prisma, Vercel, and the full AI-generated web + mobile stack.",
5
5
"type": "module",
6
6
"bin": {
7
7
"guardvibe": "build/index.js",