guardvibe 1.4.0 → 1.6.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/build/data/rules/api-security.d.ts.map +1 -1
- package/build/data/rules/api-security.js +1 -0
- package/build/data/rules/api-security.js.map +1 -1
- package/build/data/rules/auth.d.ts.map +1 -1
- package/build/data/rules/auth.js +1 -0
- package/build/data/rules/auth.js.map +1 -1
- package/build/data/rules/deployment.d.ts.map +1 -1
- package/build/data/rules/deployment.js +6 -0
- package/build/data/rules/deployment.js.map +1 -1
- package/build/data/rules/firebase.d.ts.map +1 -1
- package/build/data/rules/firebase.js +1 -0
- package/build/data/rules/firebase.js.map +1 -1
- package/build/data/rules/payments.d.ts.map +1 -1
- package/build/data/rules/payments.js +3 -0
- package/build/data/rules/payments.js.map +1 -1
- package/build/data/rules/react-native.d.ts.map +1 -1
- package/build/data/rules/react-native.js +3 -0
- package/build/data/rules/react-native.js.map +1 -1
- package/build/data/rules/services.d.ts.map +1 -1
- package/build/data/rules/services.js +5 -0
- package/build/data/rules/services.js.map +1 -1
- package/build/data/rules/web-security.d.ts.map +1 -1
- package/build/data/rules/web-security.js +8 -0
- package/build/data/rules/web-security.js.map +1 -1
- package/build/index.js +92 -1
- package/build/index.js.map +1 -1
- package/build/tools/check-command.d.ts +13 -0
- package/build/tools/check-command.d.ts.map +1 -0
- package/build/tools/check-command.js +227 -0
- package/build/tools/check-command.js.map +1 -0
- package/build/tools/explain-remediation.d.ts +15 -0
- package/build/tools/explain-remediation.d.ts.map +1 -0
- package/build/tools/explain-remediation.js +103 -0
- package/build/tools/explain-remediation.js.map +1 -0
- package/build/tools/fix-code.js +143 -51
- package/build/tools/fix-code.js.map +1 -1
- package/build/tools/policy-check.d.ts +3 -0
- package/build/tools/policy-check.d.ts.map +1 -0
- package/build/tools/policy-check.js +208 -0
- package/build/tools/policy-check.js.map +1 -0
- package/build/tools/repo-posture.d.ts +2 -0
- package/build/tools/repo-posture.d.ts.map +1 -0
- package/build/tools/repo-posture.js +178 -0
- package/build/tools/repo-posture.js.map +1 -0
- package/build/tools/review-pr.d.ts +3 -0
- package/build/tools/review-pr.d.ts.map +1 -0
- package/build/tools/review-pr.js +228 -0
- package/build/tools/review-pr.js.map +1 -0
- package/build/tools/scan-config-change.d.ts +12 -0
- package/build/tools/scan-config-change.d.ts.map +1 -0
- package/build/tools/scan-config-change.js +88 -0
- package/build/tools/scan-config-change.js.map +1 -0
- package/build/tools/scan-secrets-history.d.ts +9 -0
- package/build/tools/scan-secrets-history.d.ts.map +1 -0
- package/build/tools/scan-secrets-history.js +142 -0
- package/build/tools/scan-secrets-history.js.map +1 -0
- package/build/tools/taint-analysis.d.ts +23 -0
- package/build/tools/taint-analysis.d.ts.map +1 -0
- package/build/tools/taint-analysis.js +183 -0
- package/build/tools/taint-analysis.js.map +1 -0
- package/build/utils/config.d.ts +14 -0
- package/build/utils/config.d.ts.map +1 -1
- package/build/utils/config.js +7 -0
- package/build/utils/config.js.map +1 -1
- package/package.json +1 -1
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"api-security.d.ts","sourceRoot":"","sources":["../../../src/data/rules/api-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAI/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"api-security.d.ts","sourceRoot":"","sources":["../../../src/data/rules/api-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAI/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EAoK1C,CAAC"}
|
|
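--- a/package/build/data/rules/api-security.js
+++ b/package/build/data/rules/api-security.js
@@ -112,6 +112,7 @@ export const apiSecurityRules = [
 pattern: /(?:deleteAccount|deleteUser|cancelSubscription|transferFunds|refund|terminat)\w*\s*(?:=\s*async|\([\s\S]*?\)\s*(?:=>|{))(?:(?!confirm|verify|reauthenticate|twoFactor|2fa|otp|challenge)[\s\S]){10,}?(?:delete|destroy|remove|cancel)\s*\(/gi,
 languages: ["javascript", "typescript"],
 fix: "Add a confirmation step or re-authentication before destructive operations.",
+fixCode: '"use server";\nexport async function deleteAccount(confirmToken: string) {\n // Verify confirmation token (sent via email/SMS)\n const valid = await verifyConfirmationToken(confirmToken);\n if (!valid) throw new Error("Invalid confirmation");\n // Re-authenticate\n const { userId } = await auth();\n if (!userId) throw new Error("Unauthorized");\n await db.user.delete({ where: { id: userId } });\n}',
 compliance: ["SOC2:CC6.6"],
 },
 // API8:2023 — Security Misconfiguration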
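Review bot: The `// Re-authenticate` comment in the new fixCode at the `@@ -112,6 +112,7 @@` hunk is misleading: `await auth()` appears to only resolve the current session and does not challenge the user again, so the sample demonstrates a confirmation-token check plus a session check, not the re-authentication the `fix` text promises. The token is also verified before `userId` is known, so nothing in the sample binds the token to the account being deleted or consumes it after use. Suggest resolving the session first and checking the token against it, e.g. `const valid = await verifyConfirmationToken(userId, confirmToken);`, and rewording the comment to `// Resolve the caller's session; a real re-auth challenge (password/2FA) belongs here`. The enclosing rule object and the `apiSecurityRules` array continue outside the hunk.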
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"api-security.js","sourceRoot":"","sources":["../../../src/data/rules/api-security.ts"],"names":[],"mappings":"AAEA,kCAAkC;AAClC,uCAAuC;AACvC,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C,uDAAuD;IACvD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uDAAuD;QAC7D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,uLAAuL;QACzL,OAAO,EACL,+JAA+J;QACjK,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2HAA2H;QAChI,OAAO,EACL,8PAA8P;QAChQ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oDAAoD;QAC1D,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,4JAA4J;QAC9J,OAAO,EACL,2NAA2N;QAC7N,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,OAAO,EACL,oKAAoK;QACtK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IAED,oCAAoC;IACpC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,iCAAiC;QACxC,WAAW,EACT,sIAAsI;QACxI,OAAO,EACL,sQAAsQ;QACxQ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mFAAmF;QACxF,OAAO,EACL,kNAAkN;QACpN,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,2EAA2E;IAC3E;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uDAAuD;QAC7D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,8KAA8K;QAChL,OAAO,EACL,2JAA2J;QAC7J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yJAAyJ;QAC9J,OAAO,EACL,gPAAgP;QAClP,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gDAAgD;QACtD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,2IAA2I;QAC7I,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,sJAAsJ;QACxJ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gDAAgD;IAChD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,8JAA8J;QAChK,OAAO,EACL,qHAAqH;QACvH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iGAAiG;QACtG,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,wLAAwL;QAC1L
,OAAO,EACL,2NAA2N;QAC7N,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yHAAyH;QAC9H,OAAO,EACL,mYAAmY;QACrY,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,kDAAkD;IAClD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,+CAA+C;QACtD,WAAW,EACT,iKAAiK;QACnK,OAAO,EACL,+OAA+O;QACjP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EACL,oIAAoI;QACtI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,8DAA8D;IAC9D;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mDAAmD;QACzD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,2DAA2D;QAClE,WAAW,EACT,yJAAyJ;QAC3J,OAAO,EACL,8OAA8O;QAChP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6EAA6E;QAClF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EACT,sIAAsI;QACxI,OAAO,EACL,qLAAqL;QACvL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,oMAAoM;QACtM,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
1
|
+
{"version":3,"file":"api-security.js","sourceRoot":"","sources":["../../../src/data/rules/api-security.ts"],"names":[],"mappings":"AAEA,kCAAkC;AAClC,uCAAuC;AACvC,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C,uDAAuD;IACvD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uDAAuD;QAC7D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,uLAAuL;QACzL,OAAO,EACL,+JAA+J;QACjK,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2HAA2H;QAChI,OAAO,EACL,8PAA8P;QAChQ,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oDAAoD;QAC1D,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,4JAA4J;QAC9J,OAAO,EACL,2NAA2N;QAC7N,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,OAAO,EACL,oKAAoK;QACtK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IAED,oCAAoC;IACpC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,iCAAiC;QACxC,WAAW,EACT,sIAAsI;QACxI,OAAO,EACL,sQAAsQ;QACxQ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mFAAmF;QACxF,OAAO,EACL,kNAAkN;QACpN,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,2EAA2E;IAC3E;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uDAAuD;QAC7D,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,8KAA8K;QAChL,OAAO,EACL,2JAA2J;QAC7J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yJAAyJ;QAC9J,OAAO,EACL,gPAAgP;QAClP,UAAU,EAAE,CAAC,YAAY,EAAE,kBAAkB,CAAC;KAC/C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gDAAgD;QACtD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,sDAAsD;QAC7D,WAAW,EACT,2IAA2I;QAC7I,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,sJAAsJ;QACxJ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gDAAgD;IAChD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,8JAA8J;QAChK,OAAO,EACL,qHAAqH;QACvH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iGAAiG;QACtG,OAAO,EACL,uLAAuL;QACzL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,6CAA6C;QACpD,WAAW,EACT,wLAAwL;QAC1L
,OAAO,EACL,2NAA2N;QAC7N,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yHAAyH;QAC9H,OAAO,EACL,mYAAmY;QACrY,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,kDAAkD;IAClD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,+CAA+C;QACtD,WAAW,EACT,iKAAiK;QACnK,OAAO,EACL,+OAA+O;QACjP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EACL,oIAAoI;QACtI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,8DAA8D;IAC9D;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mDAAmD;QACzD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,2DAA2D;QAClE,WAAW,EACT,yJAAyJ;QAC3J,OAAO,EACL,8OAA8O;QAChP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6EAA6E;QAClF,OAAO,EACL,yZAAyZ;QAC3Z,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,qCAAqC;QAC5C,WAAW,EACT,sIAAsI;QACxI,OAAO,EACL,qLAAqL;QACvL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oFAAoF;QACzF,OAAO,EACL,oMAAoM;QACtM,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"auth.d.ts","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,SAAS,EAAE,YAAY,EA4OnC,CAAC"}
|
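--- a/package/build/data/rules/auth.js
+++ b/package/build/data/rules/auth.js
@@ -170,6 +170,7 @@ export const authRules = [
 pattern: /(?:signInWithPassword|signUp)[\s\S]{0,200}?(?:searchParams|query|req\.query|params)[\s\S]{0,100}?password/gi,
 languages: ["javascript", "typescript"],
 fix: "Always send passwords via POST request body, never in URL parameters.",
+fixCode: '// Send password in request body, not URL:\nconst { data } = await supabase.auth.signInWithPassword({\n email,\n password, // from form body, not URL params\n});',
 compliance: ["SOC2:CC6.1", "PCI-DSS:Req8"],
 },
 {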
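Review bot: The new fixCode at the `@@ -170,6 +170,7 @@` hunk only asserts in a comment that `password` comes from the form body; nothing in the sample shows where `email` and `password` are bound, so a reader can keep pulling them from `searchParams` and the remediation still looks applied. Prepend the binding so the fix is self-evident, e.g. `const { email, password } = await request.json(); // POST body, never query params` before the `signInWithPassword` call. The enclosing rule object continues outside the hunk.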
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAEA,+DAA+D;AAC/D,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,kPAAkP;QACpP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iOAAiO;QACnO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD,8EAA8E;IAC9E,mFAAmF;IACnF,uEAAuE;IACvE;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0GAA0G;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sFAAsF;QAC3F,OAAO,EACL,gIAAgI;QAClI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2GAA2G;QAC7G,OAAO,EAAE,6DAA6D;QACtE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4EAA4E;QACjF,OAAO,EACL,yHAAyH;QAC3H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,uIAAuI;QACzI,OAAO,EACL,wKAAwK;QAC1K,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gIAAgI;QAClI,OAAO,EACL,6GAA6G;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+MAA+M;QACjN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,uNAAuN;QACzN,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,8NAA8N;QAChO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,6JAA6J;QAC/J,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,
EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iDAAiD;QACtD,OAAO,EACL,gKAAgK;QAClK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,uBAAuB;IACvB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6CAA6C;QACnD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,0HAA0H;QAC5H,OAAO,EAAE,sFAAsF;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iGAAiG;QACtG,OAAO,EACL,oTAAoT;QACtT,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,+HAA+H;QACjI,OAAO,EAAE,kFAAkF;QAC3F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iPAAiP;QACnP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,+BAA+B;IAC/B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gJAAgJ;QAClJ,OAAO,EAAE,8HAA8H;QACvI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4IAA4I;QACjJ,OAAO,EACL,wMAAwM;QAC1M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8CAA8C;QACpD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gJAAgJ;QAClJ,OAAO,EAAE,6HAA6H;QACtI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8DAA8D;QACnE,OAAO,EACL,4cAA4c;QAC9c,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mDAAmD;QACzD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,6KAA6K;QAC/K,OAAO,EAAE,yJAAyJ;QAClK,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2GAA2G;QAChH,OAAO,EACL,yeAAye;QAC3e,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4CAA4C;QAClD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yLAAyL;QAC3L,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,yHAAyH;QAC3H,OAAO,EAAE,6GAA6G;QACtH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uEAAuE;QAC5E,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4CAA4C;QAC
lD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,iJAAiJ;QACnJ,OAAO,EAAE,qIAAqI;QAC9I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gHAAgH;QACrH,OAAO,EACL,sNAAsN;QACxN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,2KAA2K;QAC7K,OAAO,EAAE,qIAAqI;QAC9I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kDAAkD;QACvD,OAAO,EACL,+ZAA+Z;QACja,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
1
|
+
{"version":3,"file":"auth.js","sourceRoot":"","sources":["../../../src/data/rules/auth.ts"],"names":[],"mappings":"AAEA,+DAA+D;AAC/D,MAAM,CAAC,MAAM,SAAS,GAAmB;IACvC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,8FAA8F;QAChG,OAAO,EACL,kPAAkP;QACpP,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iOAAiO;QACnO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,EAAE,mBAAmB,CAAC;KACrE;IACD,8EAA8E;IAC9E,mFAAmF;IACnF,uEAAuE;IACvE;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0GAA0G;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sFAAsF;QAC3F,OAAO,EACL,gIAAgI;QAClI,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,2GAA2G;QAC7G,OAAO,EAAE,6DAA6D;QACtE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4EAA4E;QACjF,OAAO,EACL,yHAAyH;QAC3H,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,uIAAuI;QACzI,OAAO,EACL,wKAAwK;QAC1K,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gIAAgI;QAClI,OAAO,EACL,6GAA6G;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iEAAiE;QACtE,OAAO,EACL,+MAA+M;QACjN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,uNAAuN;QACzN,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,8NAA8N;QAChO,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,6JAA6J;QAC/J,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,
EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iDAAiD;QACtD,OAAO,EACL,gKAAgK;QAClK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,uBAAuB;IACvB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6CAA6C;QACnD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,0HAA0H;QAC5H,OAAO,EAAE,sFAAsF;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iGAAiG;QACtG,OAAO,EACL,oTAAoT;QACtT,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,+HAA+H;QACjI,OAAO,EAAE,kFAAkF;QAC3F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,iPAAiP;QACnP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,+BAA+B;IAC/B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iDAAiD;QACvD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gJAAgJ;QAClJ,OAAO,EAAE,8HAA8H;QACvI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4IAA4I;QACjJ,OAAO,EACL,wMAAwM;QAC1M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8CAA8C;QACpD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,gJAAgJ;QAClJ,OAAO,EAAE,6HAA6H;QACtI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8DAA8D;QACnE,OAAO,EACL,4cAA4c;QAC9c,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mDAAmD;QACzD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,6KAA6K;QAC/K,OAAO,EAAE,yJAAyJ;QAClK,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2GAA2G;QAChH,OAAO,EACL,yeAAye;QAC3e,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4CAA4C;QAClD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,yLAAyL;QAC3L,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,yHAAyH;QAC3H,OAAO,EAAE,6GAA6G;QACtH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uEAAuE;QAC5E,OAAO,EACL,qKAAqK;QACvK,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QA
CX,IAAI,EAAE,4CAA4C;QAClD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,iJAAiJ;QACnJ,OAAO,EAAE,qIAAqI;QAC9I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gHAAgH;QACrH,OAAO,EACL,sNAAsN;QACxN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,2KAA2K;QAC7K,OAAO,EAAE,qIAAqI;QAC9I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kDAAkD;QACvD,OAAO,EACL,+ZAA+Z;QACja,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"deployment.d.ts","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,eAAe,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"deployment.d.ts","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAG/C,eAAO,MAAM,eAAe,EAAE,YAAY,EA2OzC,CAAC"}
|
|
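--- a/package/build/data/rules/deployment.js
+++ b/package/build/data/rules/deployment.js
@@ -22,6 +22,7 @@ export const deploymentRules = [
 pattern: /["']rewrites["']\s*:\s*\[[\s\S]*?["']destination["']\s*:\s*["']https?:\/\/(?:localhost|127\.0\.0\.1|10\.|172\.(?:1[6-9]|2\d|3[01])\.|192\.168\.)/g,
 languages: ["vercel-config", "json"],
 fix: "Do not rewrite to internal network addresses. Use Vercel environment variables for service URLs.",
+fixCode: '// Use environment variable for backend URL\n{\n "rewrites": [{\n "source": "/api/:path*",\n "destination": "https://api.yourdomain.com/:path*"\n }]\n}',
 compliance: ["SOC2:CC6.6"],
 },
 {
@@ -45,6 +46,7 @@ export const deploymentRules = [
 pattern: /["']maxDuration["']\s*:\s*(?:[3-9]\d{2}|[1-9]\d{3,})/g,
 languages: ["vercel-config", "json"],
 fix: "Set maxDuration to the minimum required. Default 300s is sufficient for most use cases.",
+fixCode: '// Set reasonable maxDuration\nexport const maxDuration = 60; // seconds — adjust to actual need',
 },
 {
 id: "VG506",
@@ -55,6 +57,7 @@ export const deploymentRules = [
 pattern: /["'](?:SECRET|KEY|TOKEN|PASSWORD|CREDENTIAL)\w*["']\s*:\s*["'][A-Za-z0-9_\-]{12,}["']/gi,
 languages: ["vercel-config", "json"],
 fix: "Use Vercel environment variables (vercel env add) instead of hardcoding in config files.",
+fixCode: '# Store secrets as Vercel env vars\nvercel env add SECRET_KEY production\n\n# Reference in code\nconst key = process.env.SECRET_KEY;',
 compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
 },
 // next.config
@@ -90,6 +93,7 @@ export const deploymentRules = [
 pattern: /headers\s*\(\s*\)\s*\{[\s\S]*?Access-Control-Allow-Origin[\s\S]*?["']\*["']/g,
 languages: ["nextjs-config", "javascript", "typescript"],
 fix: "Restrict CORS to specific trusted origins.",
+fixCode: '// Restrict to specific origins\nheaders: [\n { key: "Access-Control-Allow-Origin", value: "https://yourdomain.com" }\n]',
 compliance: ["SOC2:CC6.6"],
 },
 {
@@ -175,6 +179,7 @@ export const deploymentRules = [
 pattern: /internal_port\s*=\s*(?:5432|3306|6379|27017|9200|2379)/g,
 languages: ["fly-config", "toml"],
 fix: "Don't expose database or cache ports publicly. Use internal networking.",
+fixCode: '# fly.toml — only expose your app port\n[[services]]\n internal_port = 3000 # app port only\n\n# Access database via internal Fly DNS\n# DATABASE_URL=postgres://db.internal:5432/mydb',
 compliance: ["SOC2:CC6.6"],
 },
 {
@@ -186,6 +191,7 @@ export const deploymentRules = [
 pattern: /force_https\s*=\s*false/g,
 languages: ["fly-config", "toml"],
 fix: "Enable force_https to redirect all HTTP traffic to HTTPS.",
+fixCode: '# fly.toml\n[[services]]\n [services.concurrency]\n hard_limit = 25\n [[services.ports]]\n force_https = true\n port = 80',
 compliance: ["SOC2:CC6.1", "PCI-DSS:Req4.1"],
 },
 ];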
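Review bot: The fixCode added at the `@@ -45,6 +46,7 @@` hunk does not match the rule it is attached to: the rule's `languages` are `["vercel-config", "json"]` and its pattern matches a quoted `"maxDuration"` JSON key, but the sample is a TypeScript route-segment export, `export const maxDuration = 60;`, which a user editing vercel.json cannot apply. Either show the JSON form, e.g. `"functions": { "api/**": { "maxDuration": 60 } }` (verify against the current Vercel config schema), or extend the rule's languages to cover JS/TS. The same sample/rule mismatch appears at the `@@ -22,6 +22,7 @@` hunk, where the `fix` text tells the user to use Vercel environment variables for service URLs but the sample hardcodes `https://api.yourdomain.com` and never references an environment variable; one of the two should change. The `deploymentRules` array starts outside these hunks.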
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"deployment.js","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAEA,6CAA6C;AAC7C,MAAM,CAAC,MAAM,eAAe,GAAmB;IAC7C,0BAA0B;IAC1B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wGAAwG;QAC1G,OAAO,EAAE,wDAAwD;QACjE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EACL,uKAAuK;QACzK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,sEAAsE;QACxE,OAAO,EACL,mJAAmJ;QACrJ,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,kGAAkG;QACvG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kEAAkE;QACpE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,sDAAsD;QAC3D,OAAO,EACL,qQAAqQ;QACvQ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,kGAAkG;QACpG,OAAO,EAAE,uDAAuD;QAChE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,yFAAyF;
|
|
1
|
+
{"version":3,"file":"deployment.js","sourceRoot":"","sources":["../../../src/data/rules/deployment.ts"],"names":[],"mappings":"AAEA,6CAA6C;AAC7C,MAAM,CAAC,MAAM,eAAe,GAAmB;IAC7C,0BAA0B;IAC1B;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wGAAwG;QAC1G,OAAO,EAAE,wDAAwD;QACjE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EACL,uKAAuK;QACzK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,sEAAsE;QACxE,OAAO,EACL,mJAAmJ;QACrJ,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,kGAAkG;QACvG,OAAO,EACL,iKAAiK;QACnK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yCAAyC;QAC/C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kEAAkE;QACpE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,sDAAsD;QAC3D,OAAO,EACL,qQAAqQ;QACvQ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,kGAAkG;QACpG,OAAO,EAAE,uDAAuD;QAChE,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EACL,kGAAkG;KACrG;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,yFAAyF;QAC3F,SAAS,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC;QACpC,GAAG,EAAE,0FAA0F;QAC/F,OAAO,EACL,sIAAsI;QACxI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,cAAc;IACd;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,wFAAwF;QAC1F,OAAO,EAAE,oEAAoE;QAC7E,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,wDAAwD;QAC7D,OAAO,EACL,uHAAuH;QACzH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,KAAK;QACf,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,mGAAmG;QACrG,OAAO,EAAE,6BAA6B;QACtC,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,iDAAiD;QACtD,OAAO,EAAE,oEAAoE;KAC9E;IACD;QACE
,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,4EAA4E;QAC9E,OAAO,EACL,8EAA8E;QAChF,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,4CAA4C;QACjD,OAAO,EACL,2HAA2H;QAC7H,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,6EAA6E;QAC/E,OAAO,EACL,wEAAwE;QAC1E,SAAS,EAAE,CAAC,eAAe,EAAE,YAAY,EAAE,YAAY,CAAC;QACxD,GAAG,EAAE,oCAAoC;QACzC,OAAO,EACL,gFAAgF;QAClF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,qBAAqB;IACrB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,sEAAsE;QACxE,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,0CAA0C;QAC/C,OAAO,EAAE,6DAA6D;QACtE,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0FAA0F;QAC5F,OAAO,EACL,oHAAoH;QACtH,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,oEAAoE;QACzE,OAAO,EACL,iEAAiE;QACnE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,qCAAqC;QAC3C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,0FAA0F;QAC5F,OAAO,EAAE,wBAAwB;QACjC,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,yEAAyE;QAC9E,OAAO,EACL,8GAA8G;QAChH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,2EAA2E;QAC7E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,gBAAgB,EAAE,MAAM,CAAC;QACrC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EACL,4DAA4D;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wCAAwC;IACxC;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,wFAAwF;QAC1F,OAAO,EACL,6FAA6F;QAC/F,SAAS,EAAE,CAAC,YAAY,EAAE,eAAe,EAAE,gBAAgB,EAAE,MAAM,CAAC;QACpE,GAAG,EAAE,+FAA+F;QACpG,OAAO,EACL,kHAAkH;QACpH,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAA
E,oCAAoC;QAC3C,WAAW,EACT,8DAA8D;QAChE,OAAO,EAAE,yDAAyD;QAClE,SAAS,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;QACjC,GAAG,EAAE,yEAAyE;QAC9E,OAAO,EACL,0LAA0L;QAC5L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EACT,wEAAwE;QAC1E,OAAO,EAAE,0BAA0B;QACnC,SAAS,EAAE,CAAC,YAAY,EAAE,MAAM,CAAC;QACjC,GAAG,EAAE,2DAA2D;QAChE,OAAO,EACL,sIAAsI;QACxI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;CACF,CAAC"}
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"firebase.d.ts","sourceRoot":"","sources":["../../../src/data/rules/firebase.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,aAAa,EAAE,YAAY,
|
|
1
|
+
{"version":3,"file":"firebase.d.ts","sourceRoot":"","sources":["../../../src/data/rules/firebase.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,aAAa,EAAE,YAAY,EAsFvC,CAAC"}
|
|
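--- a/package/build/data/rules/firebase.js
+++ b/package/build/data/rules/firebase.js
@@ -68,6 +68,7 @@ export const firebaseRules = [
 pattern: /NEXT_PUBLIC_\w*(?:FIREBASE_SERVICE_ACCOUNT|FIREBASE_ADMIN|FIREBASE_PRIVATE|FIREBASE_SECRET)\w*\s*=/gi,
 languages: ["javascript", "typescript", "shell"],
 fix: "Remove NEXT_PUBLIC_ prefix from Firebase admin/service account credentials. These must be server-side only.",
+fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_FIREBASE_SERVICE_ACCOUNT=...\n\n# CORRECT — server-side only\nFIREBASE_SERVICE_ACCOUNT=...\n# Use in API routes: admin.initializeApp({ credential: cert(JSON.parse(process.env.FIREBASE_SERVICE_ACCOUNT!)) })",
 compliance: ["SOC2:CC6.1"],
 },
 {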
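Review bot: The new fixCode at the `@@ -68,6 +68,7 @@` hunk keeps `# NEXT_PUBLIC_FIREBASE_SERVICE_ACCOUNT=...` as a commented-out "WRONG" example, and the rule's own pattern three lines above has no exclusion for `#`-prefixed lines, so a user who pastes the remediation into `.env.local` as written will keep triggering this very finding. Drop the WRONG block and keep only the `FIREBASE_SERVICE_ACCOUNT=...` line and the usage hint. That usage hint also relies on a non-null assertion, `process.env.FIREBASE_SERVICE_ACCOUNT!`, which turns a missing variable into an opaque `JSON.parse` error; a guard reads better in a sample meant to be copied, e.g. `const sa = process.env.FIREBASE_SERVICE_ACCOUNT; if (!sa) throw new Error("FIREBASE_SERVICE_ACCOUNT is not set");`. The enclosing rule object continues outside the hunk.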
@@ -1 +1 @@
1
-
{"version":3,"file":"firebase.js","sourceRoot":"","sources":["../../../src/data/rules/firebase.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,yGAAyG;QACtH,OAAO,EAAE,kJAAkJ;QAC3J,SAAS,EAAE,CAAC,WAAW,CAAC;QACxB,GAAG,EAAE,4EAA4E;QACjF,OAAO,EAAE,2NAA2N;QACpO,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,iJAAiJ;QAC9J,OAAO,EAAE,wIAAwI;QACjJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EAAE,0MAA0M;QACnN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4EAA4E;QACzF,OAAO,EAAE,mJAAmJ;QAC5J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,CAAC;QAC/C,GAAG,EAAE,0EAA0E;QAC/E,OAAO,EAAE,kLAAkL;QAC3L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,8FAA8F;QAC3G,OAAO,EAAE,sHAAsH;QAC/H,SAAS,EAAE,CAAC,WAAW,CAAC;QACxB,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,oSAAoS;QAC7S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,qKAAqK;QAClL,OAAO,EAAE,mHAAmH;QAC5H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EAAE,2MAA2M;QACpN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oFAAoF;QACjG,OAAO,EAAE,sGAAsG;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,6GAA6G;QAClH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,qHAAqH;QAClI,OAAO,EAAE,mHAAmH;QAC5H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2GAA2G;QAChH,OAAO,EAAE,gVAAgV;QACzV,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
1
+
{"version":3,"file":"firebase.js","sourceRoot":"","sources":["../../../src/data/rules/firebase.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,aAAa,GAAmB;IAC3C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,yGAAyG;QACtH,OAAO,EAAE,kJAAkJ;QAC3J,SAAS,EAAE,CAAC,WAAW,CAAC;QACxB,GAAG,EAAE,4EAA4E;QACjF,OAAO,EAAE,2NAA2N;QACpO,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,iJAAiJ;QAC9J,OAAO,EAAE,wIAAwI;QACjJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yFAAyF;QAC9F,OAAO,EAAE,0MAA0M;QACnN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4EAA4E;QACzF,OAAO,EAAE,mJAAmJ;QAC5J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,MAAM,CAAC;QAC/C,GAAG,EAAE,0EAA0E;QAC/E,OAAO,EAAE,kLAAkL;QAC3L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,8FAA8F;QAC3G,OAAO,EAAE,sHAAsH;QAC/H,SAAS,EAAE,CAAC,WAAW,CAAC;QACxB,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,oSAAoS;QAC7S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,2BAA2B;QACjC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,qKAAqK;QAClL,OAAO,EAAE,mHAAmH;QAC5H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EAAE,2MAA2M;QACpN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oFAAoF;QACjG,OAAO,EAAE,sGAAsG;QAC/G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,6GAA6G;QAClH,OAAO,EACL,mPAAmP;QACrP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0CAA0C;QAChD,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,qHAAqH;QAClI,OAAO,EAAE,mHAAmH;QAC5H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2GAA2G;QAChH,OAAO,EAAE,gVAAgV;QACzV,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
@@ -1 +1 @@
1
-
{"version":3,"file":"payments.d.ts","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,
1
+
{"version":3,"file":"payments.d.ts","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,EAuItC,CAAC"}
@@ -70,6 +70,7 @@ export const paymentRules = [
70
70
pattern: /["']use client["'][\s\S]{0,500}?(?:LEMONSQUEEZY_API_KEY|LEMON_SQUEEZY_API_KEY)/g,
71
71
languages: ["javascript", "typescript"],
72
72
fix: "Use LemonSqueezy API key only in server-side code.",
73
+
fixCode: '// Server-side only (API route)\nimport { lemonSqueezySetup } from "@lemonsqueezy/lemonsqueezy.js";\nlemonSqueezySetup({ apiKey: process.env.LEMONSQUEEZY_API_KEY! });',
73
74
compliance: ["SOC2:CC6.1"],
74
75
},
75
76
{
@@ -94,6 +95,7 @@ export const paymentRules = [
94
95
pattern: /["']use client["'][\s\S]{0,500}?(?:POLAR_ACCESS_TOKEN|POLAR_API_KEY|polar.*(?:access_token|api_key))/gi,
95
96
languages: ["javascript", "typescript"],
96
97
fix: "Use Polar API keys only in server-side code.",
98
+
fixCode: '// Server-side only\nimport { Polar } from "@polar-sh/sdk";\nconst polar = new Polar({ accessToken: process.env.POLAR_ACCESS_TOKEN! });',
97
99
compliance: ["SOC2:CC6.1"],
98
100
},
99
101
{
@@ -105,6 +107,7 @@ export const paymentRules = [
105
107
pattern: /(?:\/api\/webhook|\/api\/payment|\/api\/checkout)[\s\S]*?export\s+(?:async\s+)?function\s+POST\s*\([^)]*\)\s*\{(?:(?!verify|signature|constructEvent|hmac|crypto\.createHmac|webhookSecret)[\s\S])*?\}/g,
106
108
languages: ["javascript", "typescript"],
107
109
fix: "Always verify webhook signatures before processing payment events.",
110
+
fixCode: "// Verify webhook signature\nimport crypto from 'crypto';\nconst sig = request.headers.get('x-webhook-signature');\nconst expected = crypto.createHmac('sha256', process.env.WEBHOOK_SECRET!)\n .update(body).digest('hex');\nif (sig !== expected) return new Response('Unauthorized', { status: 401 });",
108
111
compliance: ["SOC2:CC6.6", "PCI-DSS:Req6.5.10"],
109
112
},
110
113
];
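Review bot: The added webhook verification sample ends with `if (sig !== expected)`, a variable-time string comparison that also lets a missing header (`sig` is `null`) flow straight into the check; since this snippet is what users will paste into a payment webhook handler, it should compare in constant time. Replace that last line with `const sigBuf = Buffer.from(sig ?? '', 'hex'); const expBuf = Buffer.from(expected, 'hex');` followed by `if (sigBuf.length !== expBuf.length || !crypto.timingSafeEqual(sigBuf, expBuf)) return new Response('Unauthorized', { status: 401 });` — the length check is needed because timingSafeEqual throws on unequal buffers. It is also worth a comment in the snippet that providers with an SDK verifier (the `constructEvent` the pattern line already recognises, for one) should use that instead of hand-rolling the HMAC. The rule object this belongs to starts before the hunk.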
@@ -1 +1 @@
1
-
{"version":3,"file":"payments.js","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,SAAS;IACT;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,4IAA4I;QAC9I,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kLAAkL;QACpL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,uGAAuG;QACzG,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6HAA6H;QAClI,OAAO,EACL,mMAAmM;QACrM,UAAU,EAAE,CAAC,kBAAkB,CAAC;KACjC;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0EAA0E;QAC5E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EAAE,4DAA4D;QACrE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,8GAA8G;QACnH,OAAO,EACL,sIAAsI;QACxI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,eAAe;IACf;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,OAAO,EACL,iFAAiF;QACnF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oDAAoD;QACzD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,iFAAiF;QACnF,OAAO,EACL,wJAAwJ;QAC1J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,OAAO,EACL,wSAAw
S;QAC1S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,WAAW;IACX;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+DAA+D;QAC5E,OAAO,EACL,wGAAwG;QAC1G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8CAA8C;QACnD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qHAAqH;QACvH,OAAO,EACL,yMAAyM;QAC3M,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oEAAoE;QACzE,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}
1
+
{"version":3,"file":"payments.js","sourceRoot":"","sources":["../../../src/data/rules/payments.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,SAAS;IACT;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,mHAAmH;QACrH,OAAO,EAAE,oDAAoD;QAC7D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uFAAuF;QAC5F,OAAO,EACL,4IAA4I;QAC9I,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+CAA+C;QACrD,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,wHAAwH;QAC1H,OAAO,EACL,kLAAkL;QACpL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,iFAAiF;QACtF,OAAO,EACL,wLAAwL;QAC1L,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,0BAA0B;QACjC,WAAW,EACT,uGAAuG;QACzG,OAAO,EACL,sHAAsH;QACxH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6HAA6H;QAClI,OAAO,EACL,mMAAmM;QACrM,UAAU,EAAE,CAAC,kBAAkB,CAAC;KACjC;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,0EAA0E;QAC5E,OAAO,EAAE,qEAAqE;QAC9E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EAAE,4DAA4D;QACrE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EACT,qGAAqG;QACvG,OAAO,EAAE,kCAAkC;QAC3C,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,8GAA8G;QACnH,OAAO,EACL,sIAAsI;QACxI,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IAED,eAAe;IACf;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,OAAO,EACL,iFAAiF;QACnF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oDAAoD;QACzD,OAAO,EACL,wKAAwK;QAC1K,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,iFAAiF;QACnF,OAAO,EACL,wJAAwJ;QAC1J,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2
E;QAChF,OAAO,EACL,wSAAwS;QAC1S,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,WAAW;IACX;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+DAA+D;QAC5E,OAAO,EACL,wGAAwG;QAC1G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8CAA8C;QACnD,OAAO,EACL,yIAAyI;QAC3I,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EACT,qHAAqH;QACvH,OAAO,EACL,yMAAyM;QAC3M,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,oEAAoE;QACzE,OAAO,EACL,4SAA4S;QAC9S,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;CACF,CAAC"}
@@ -1 +1 @@
1
-
{"version":3,"file":"react-native.d.ts","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,
1
+
{"version":3,"file":"react-native.d.ts","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EA4H1C,CAAC"}
@@ -68,6 +68,7 @@ export const reactNativeRules = [
68
68
pattern: /(?:fetch|axios|http)\s*[\.\(][\s\S]{0,200}?(?:api\.|\/api\/)[\s\S]{0,300}?(?:Authorization|Bearer|token)/gi,
69
69
languages: ["javascript", "typescript"],
70
70
fix: "Implement certificate pinning using react-native-ssl-pinning or expo-certificate-transparency.",
71
+
fixCode: '// Use react-native-ssl-pinning\nimport { fetch } from "react-native-ssl-pinning";\nconst res = await fetch("https://api.example.com/data", {\n sslPinning: { certs: ["api-cert"] },\n headers: { Authorization: `Bearer ${token}` },\n});',
71
72
compliance: ["SOC2:CC6.1", "PCI-DSS:Req4"],
72
73
},
73
74
{
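Review bot: The added fixCode imports `fetch` from react-native-ssl-pinning under the same name as the global, so a reader who pastes it into a file that also uses the built-in fetch silently swaps every call, pinned or not. Aliasing it, `import { fetch as pinnedFetch } from "react-native-ssl-pinning";` and `const res = await pinnedFetch("https://api.example.com/data", {`, makes the pinned path explicit. The `certs: ["api-cert"]` entry names a certificate that, as I read the library's convention, has to be bundled with the app; a comment such as `// "api-cert" = bundled certificate; plan rotation before it expires` would save users the first support question. The rule object starts before this hunk.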
@@ -91,6 +92,7 @@ export const reactNativeRules = [
91
92
pattern: /NSAppTransportSecurity[\s\S]{0,200}?NSAllowsArbitraryLoads[\s\S]{0,50}?(?:true|YES|<true\s*\/>)/gi,
92
93
languages: ["xml", "json", "javascript", "typescript"],
93
94
fix: "Do not disable ATS. If specific domains need HTTP, use NSExceptionDomains instead of blanket allow.",
95
+
fixCode: "<!-- Info.plist — allow HTTP only for specific domains -->\n<key>NSAppTransportSecurity</key>\n<dict>\n <key>NSExceptionDomains</key>\n <dict>\n <key>legacy-api.example.com</key>\n <dict>\n <key>NSTemporaryExceptionAllowsInsecureHTTPLoads</key>\n <true/>\n </dict>\n </dict>\n</dict>",
94
96
compliance: ["SOC2:CC6.1", "PCI-DSS:Req4"],
95
97
},
96
98
{
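Review bot: The Info.plist sample in the added fixCode uses `NSTemporaryExceptionAllowsInsecureHTTPLoads`; Apple's documented per-domain key is `NSExceptionAllowsInsecureHTTPLoads`, and the `NSTemporaryException…` spelling is, as far as I know, only honoured as a legacy alias, so the snippet should use the documented name. A short comment that the exception is scoped to one named legacy host and should be deleted once that host serves HTTPS, e.g. `<!-- remove this exception once legacy-api.example.com serves HTTPS -->`, would match the rule's fix text. The rule object starts before this hunk.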
@@ -114,6 +116,7 @@ export const reactNativeRules = [
114
116
pattern: /NativeModules\.\w+\.\w+\s*\([\s\S]{0,200}?(?:token|secret|password|key|credential|jwt|session)/gi,
115
117
languages: ["javascript", "typescript"],
116
118
fix: "Encrypt sensitive data before passing through the bridge. Use native secure storage instead.",
119
+
fixCode: '// Use secure storage instead of passing through bridge\nimport * as SecureStore from "expo-secure-store";\nawait SecureStore.setItemAsync("authToken", token);\n\n// Read securely\nconst token = await SecureStore.getItemAsync("authToken");',
117
120
compliance: ["SOC2:CC6.1"],
118
121
},
119
122
];
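Review bot: The added fixCode declares `const token = await SecureStore.getItemAsync("authToken")` after already passing `token` to `setItemAsync` three lines earlier, so pasted as one block it is a redeclaration in the same scope and the earlier use sits in the temporal dead zone. Name the read-back differently, `const storedToken = await SecureStore.getItemAsync("authToken");`, or mark the two lines as separate write and read sites. The rule object starts before this hunk.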
@@ -1 +1 @@
1
-
{"version":3,"file":"react-native.js","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kKAAkK;QAC/K,OAAO,EAAE,8IAA8I;QACvJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,wGAAwG;QACjH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,2JAA2J;QACxK,OAAO,EAAE,mIAAmI;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sGAAsG;QAC3G,OAAO,EAAE,8OAA8O;QACvP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gHAAgH;QAC7H,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sEAAsE;QAC3E,OAAO,EAAE,uMAAuM;QAChN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oGAAoG;QACjH,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,wEAAwE;QAC7E,OAAO,EAAE,kMAAkM;QAC3M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,0HAA0H;QACvI,OAAO,EAAE,4LAA4L;QACrM,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mHAAmH;QACxH,OAAO,EAAE,kPAAkP;QAC3P,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gIAAgI;QAC7I,OAAO,EAAE,4GAA4G;QACrH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iIAAiI;QAC9I,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uDAAuD;QAC5D,OAAO,EAAE,kIAAkI;QAC3I,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B
;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0FAA0F;QACvG,OAAO,EAAE,mGAAmG;QAC5G,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QACtD,GAAG,EAAE,qGAAqG;QAC1G,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gKAAgK;QAC7K,OAAO,EAAE,kLAAkL;QAC3L,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,mGAAmG;QACxG,OAAO,EAAE,qMAAqM;QAC9M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4KAA4K;QACzL,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8FAA8F;QACnG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
1
+
{"version":3,"file":"react-native.js","sourceRoot":"","sources":["../../../src/data/rules/react-native.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kKAAkK;QAC/K,OAAO,EAAE,8IAA8I;QACvJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qFAAqF;QAC1F,OAAO,EAAE,wGAAwG;QACjH,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,uBAAuB;QAC7B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,qDAAqD;QAC5D,WAAW,EAAE,2JAA2J;QACxK,OAAO,EAAE,mIAAmI;QAC5I,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sGAAsG;QAC3G,OAAO,EAAE,8OAA8O;QACvP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gHAAgH;QAC7H,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sEAAsE;QAC3E,OAAO,EAAE,uMAAuM;QAChN,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oGAAoG;QACjH,OAAO,EAAE,oHAAoH;QAC7H,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,wEAAwE;QAC7E,OAAO,EAAE,kMAAkM;QAC3M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,0HAA0H;QACvI,OAAO,EAAE,4LAA4L;QACrM,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,mHAAmH;QACxH,OAAO,EAAE,kPAAkP;QAC3P,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gIAAgI;QAC7I,OAAO,EAAE,4GAA4G;QACrH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gGAAgG;QACrG,OAAO,EACL,8OAA8O;QAChP,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mBAAmB;QACzB,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iIAAiI;QAC9I,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,uDAAuD;QAC5D,OAAO,EAAE,kIAAkI;QAC3I,UAAU,EA
AE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,0FAA0F;QACvG,OAAO,EAAE,mGAAmG;QAC5G,SAAS,EAAE,CAAC,KAAK,EAAE,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QACtD,GAAG,EAAE,qGAAqG;QAC1G,OAAO,EACL,mTAAmT;QACrT,UAAU,EAAE,CAAC,YAAY,EAAE,cAAc,CAAC;KAC3C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,gKAAgK;QAC7K,OAAO,EAAE,kLAAkL;QAC3L,SAAS,EAAE,CAAC,MAAM,EAAE,YAAY,EAAE,YAAY,CAAC;QAC/C,GAAG,EAAE,mGAAmG;QACxG,OAAO,EAAE,qMAAqM;QAC9M,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,4KAA4K;QACzL,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8FAA8F;QACnG,OAAO,EACL,iPAAiP;QACnP,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
@@ -1 +1 @@
1
-
{"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../../src/data/rules/services.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,
1
+
{"version":3,"file":"services.d.ts","sourceRoot":"","sources":["../../../src/data/rules/services.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,YAAY,EAAE,YAAY,EAmJtC,CAAC"}
@@ -58,6 +58,7 @@ export const serviceRules = [
58
58
pattern: /(?:redis|Redis|upstash)[\s\S]{0,100}?(?:url|token)\s*[:=]\s*["'](?:https?:\/\/|redis:\/\/|rediss:\/\/)[^"']{10,}["']/gi,
59
59
languages: ["javascript", "typescript"],
60
60
fix: "Use environment variables for Redis connection details.",
61
+
fixCode: '// Use environment variables\nimport { Redis } from "@upstash/redis";\nconst redis = new Redis({\n url: process.env.UPSTASH_REDIS_REST_URL!,\n token: process.env.UPSTASH_REDIS_REST_TOKEN!,\n});',
61
62
compliance: ["SOC2:CC6.1"],
62
63
},
63
64
{
@@ -69,6 +70,7 @@ export const serviceRules = [
69
70
pattern: /NEXT_PUBLIC_\w*(?:REDIS|UPSTASH|KV)\w*(?:URL|TOKEN|SECRET)\s*=/gi,
70
71
languages: ["javascript", "typescript", "shell"],
71
72
fix: "Remove NEXT_PUBLIC_ prefix from Redis credentials. Access them only server-side.",
73
+
fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_UPSTASH_REDIS_REST_URL=https://...\n\n# CORRECT — server-side only\nUPSTASH_REDIS_REST_URL=https://...\nUPSTASH_REDIS_REST_TOKEN=...",
72
74
compliance: ["SOC2:CC6.1"],
73
75
},
74
76
// Pinecone
@@ -81,6 +83,7 @@ export const serviceRules = [
81
83
pattern: /["']use client["'][\s\S]{0,500}?PINECONE_API_KEY/g,
82
84
languages: ["javascript", "typescript"],
83
85
fix: "Use Pinecone API key only in server-side code.",
86
+
fixCode: '// Server-side only\nimport { Pinecone } from "@pinecone-database/pinecone";\nconst pc = new Pinecone({ apiKey: process.env.PINECONE_API_KEY! });',
84
87
compliance: ["SOC2:CC6.1"],
85
88
},
86
89
{
@@ -92,6 +95,7 @@ export const serviceRules = [
92
95
pattern: /NEXT_PUBLIC_\w*PINECONE\w*(?:KEY|SECRET|TOKEN)\s*=/gi,
93
96
languages: ["javascript", "typescript", "shell"],
94
97
fix: "Remove NEXT_PUBLIC_ prefix. Pinecone keys must be server-side only.",
98
+
fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_PINECONE_API_KEY=pc-xxx\n\n# CORRECT\nPINECONE_API_KEY=pc-xxx",
95
99
compliance: ["SOC2:CC6.1"],
96
100
},
97
101
// PostHog
@@ -129,6 +133,7 @@ export const serviceRules = [
129
133
pattern: /(?:gtag|ga|dataLayer\.push)\s*\([\s\S]{0,300}?(?:email|user_email|phone|ssn|password)/gi,
130
134
languages: ["javascript", "typescript"],
131
135
fix: "Never send PII to Google Analytics. Use anonymous IDs.",
136
+
fixCode: "// Use anonymous IDs, never PII\ngtag('event', 'purchase', {\n user_id: hashedUserId, // hashed, not email\n value: 29.99,\n currency: 'USD',\n});",
132
137
compliance: ["SOC2:CC6.1"],
133
138
},
134
139
];
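Review bot: The added GA sample labels `user_id: hashedUserId` with `// hashed, not email`, but an unsalted hash of an email is still a stable identifier that can be reversed by a dictionary of known addresses, which is exactly what the rule's fix text ("Use anonymous IDs") is steering users away from. Change the comment to `// opaque internal id (random, not derived from email or other PII)` so "hashed" is not read as the remediation; as I understand Google's analytics policy, values traceable back to a person are disallowed regardless of hashing. The rule object starts before this hunk.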
@@ -1 +1 @@
1
-
{"version":3,"file":"services.js","sourceRoot":"","sources":["../../../src/data/rules/services.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,eAAe;IACf;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kGAAkG;QAC/G,OAAO,EAAE,yEAAyE;QAClF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6EAA6E;QAClF,OAAO,EAAE,yGAAyG;QAClH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,0CAA0C;QACvD,OAAO,EAAE,uDAAuD;QAChE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8CAA8C;QACnD,OAAO,EAAE,wDAAwD;QACjE,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,kIAAkI;QAC/I,OAAO,EAAE,0IAA0I;QACnJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,+FAA+F;QACpG,OAAO,EAAE,mLAAmL;QAC5L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,6GAA6G;QAC1H,OAAO,EAAE,wHAAwH;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6CAA6C;QAClD,OAAO,EAAE,8HAA8H;QACvI,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yDAAyD;QACtE,OAAO,EAAE,wHAAwH;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yDAAyD;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oDAAoD;QACjE,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,kFAAkF;QACvF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,WAAW;IACX;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+FAA+F;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA
0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,OAAO,EAAE,sDAAsD;QAC/D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,qEAAqE;QAC1E,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,UAAU;IACV;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,8IAA8I;QAC3J,OAAO,EAAE,oFAAoF;QAC7F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sHAAsH;QAC3H,OAAO,EAAE,wIAAwI;QACjJ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qIAAqI;QAClJ,OAAO,EAAE,sKAAsK;QAC/K,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kEAAkE;QACvE,OAAO,EAAE,iJAAiJ;QAC1J,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,wFAAwF;QACrG,OAAO,EAAE,yFAAyF;QAClG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,wDAAwD;QAC7D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
1
+
{"version":3,"file":"services.js","sourceRoot":"","sources":["../../../src/data/rules/services.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,YAAY,GAAmB;IAC1C,eAAe;IACf;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kGAAkG;QAC/G,OAAO,EAAE,yEAAyE;QAClF,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6EAA6E;QAClF,OAAO,EAAE,yGAAyG;QAClH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,0CAA0C;QACvD,OAAO,EAAE,uDAAuD;QAChE,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,8CAA8C;QACnD,OAAO,EAAE,wDAAwD;QACjE,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,yBAAyB;QAC/B,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,oBAAoB;QAC3B,WAAW,EAAE,kIAAkI;QAC/I,OAAO,EAAE,0IAA0I;QACnJ,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,+FAA+F;QACpG,OAAO,EAAE,mLAAmL;QAC5L,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,6GAA6G;QAC1H,OAAO,EAAE,wHAAwH;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,6CAA6C;QAClD,OAAO,EAAE,8HAA8H;QACvI,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,mCAAmC;QACzC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yDAAyD;QACtE,OAAO,EAAE,wHAAwH;QACjI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,yDAAyD;QAC9D,OAAO,EACL,qMAAqM;QACvM,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,oDAAoD;QACjE,OAAO,EAAE,kEAAkE;QAC3E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,kFAAkF;QACvF,OAAO,EACL,0KAA0K;QAC5K,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,WAAW;IACX;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+FAA+F;QAC5G,OAAO,EAAE,mDAAmD;QAC5D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,OAAO,EACL,mJAAmJ;QACrJ,UAAU,E
AAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,mDAAmD;QAChE,OAAO,EAAE,sDAAsD;QAC/D,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,qEAAqE;QAC1E,OAAO,EACL,mGAAmG;QACrG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,UAAU;IACV;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,iCAAiC;QACvC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,8IAA8I;QAC3J,OAAO,EAAE,oFAAoF;QAC7F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,sHAAsH;QAC3H,OAAO,EAAE,wIAAwI;QACjJ,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,6BAA6B;QACnC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qIAAqI;QAClJ,OAAO,EAAE,sKAAsK;QAC/K,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,kEAAkE;QACvE,OAAO,EAAE,iJAAiJ;QAC1J,UAAU,EAAE,CAAC,YAAY,EAAE,mBAAmB,CAAC;KAChD;IAED,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,+BAA+B;QACrC,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,wFAAwF;QACrG,OAAO,EAAE,yFAAyF;QAClG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,wDAAwD;QAC7D,OAAO,EACL,wJAAwJ;QAC1J,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
@@ -1 +1 @@
1
-
{"version":3,"file":"web-security.d.ts","sourceRoot":"","sources":["../../../src/data/rules/web-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,
1
+
{"version":3,"file":"web-security.d.ts","sourceRoot":"","sources":["../../../src/data/rules/web-security.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,YAAY,CAAC;AAE/C,eAAO,MAAM,gBAAgB,EAAE,YAAY,EA4L1C,CAAC"}
@@ -21,6 +21,7 @@ export const webSecurityRules = [
21
21
pattern: /(?:webhook_?secret|signing_?secret|whsec_)\s*[:=]\s*["'][A-Za-z0-9_\-]{12,}["']/gi,
22
22
languages: ["javascript", "typescript"],
23
23
fix: "Use environment variables for webhook secrets.",
24
+
fixCode: "// Use environment variable\nconst webhookSecret = process.env.WEBHOOK_SECRET!;\n\n// .env.local\nWEBHOOK_SECRET=whsec_your_secret_here",
24
25
compliance: ["SOC2:CC6.1"],
25
26
},
26
27
// .env Security
@@ -33,6 +34,7 @@ export const webSecurityRules = [
33
34
pattern: /NEXT_PUBLIC_\w*(?:SECRET|PRIVATE|SERVICE_ROLE|API_KEY|ACCESS_TOKEN|AUTH_TOKEN|SIGNING|WEBHOOK)\w*\s*=/gi,
34
35
languages: ["shell", "javascript", "typescript"],
35
36
fix: "Remove NEXT_PUBLIC_ prefix from sensitive credentials. Access them only in server-side code.",
37
+
fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_API_KEY=sk_live_xxx\n\n# CORRECT — server-side only\nAPI_KEY=sk_live_xxx\n# Access via process.env.API_KEY in Server Components/Actions",
36
38
compliance: ["SOC2:CC6.1", "PCI-DSS:Req2.3"],
37
39
},
38
40
{
@@ -69,6 +71,7 @@ export const webSecurityRules = [
69
71
pattern: /(?:meta.*?(?:refresh|og:url)|(?:openGraph|twitter)[\s\S]{0,200}?url)\s*[:=]\s*(?:params|searchParams|query|req\.|request\.)/gi,
70
72
languages: ["javascript", "typescript"],
71
73
fix: "Validate and sanitize URLs used in meta tags. Use allowlists for domains.",
74
+
fixCode: '// Validate URL before using in meta tags\nconst ALLOWED_HOSTS = ["example.com"];\nconst url = new URL(input, "https://example.com");\nif (!ALLOWED_HOSTS.includes(url.hostname)) url.href = "https://example.com";\n\nexport const metadata = { openGraph: { url: url.href } };',
72
75
compliance: ["SOC2:CC6.6"],
73
76
},
74
77
{
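Review bot: The allowlist check in the added fixCode tests only `url.hostname`, so an input of `http://example.com/...` passes and the og:url ends up as a plaintext URL on an allowlisted host; add the scheme to the guard, `if (url.protocol !== "https:" || !ALLOWED_HOSTS.includes(url.hostname)) url.href = "https://example.com";`. `new URL(input, "https://example.com")` also throws on unparsable input rather than falling back, so the sample should wrap the parse in try/catch (or test `URL.canParse(input, base)` first on runtimes that provide it), otherwise a malformed query parameter becomes a 500 on the page instead of the safe default. The rule object this belongs to starts before the hunk.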
@@ -80,6 +83,7 @@ export const webSecurityRules = [
80
83
pattern: /Disallow:\s*\/(?:admin|dashboard|internal|staging|debug|phpMyAdmin|\.env|backup|api\/internal)/gi,
81
84
languages: ["shell"],
82
85
fix: "Don't rely on robots.txt for security. Use authentication to protect sensitive paths. robots.txt is publicly readable.",
86
+
fixCode: "# robots.txt — keep it simple, don't list sensitive paths\nUser-agent: *\nDisallow:\n\n# Protect paths with authentication instead\n# middleware.ts → clerkMiddleware() for /admin/*",
83
87
compliance: ["SOC2:CC6.6"],
84
88
},
85
89
{
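Review bot: The added robots.txt sample closes with `# middleware.ts → clerkMiddleware() for /admin/*`, which ties a generic web-security rule's remediation to one auth vendor while the fix text above only asks for authentication. A vendor-neutral line, `# Protect /admin/* in your auth middleware (e.g. a Next.js middleware.ts that checks the session)`, keeps the sample usable outside Clerk projects. The rule object starts before this hunk.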
@@ -104,6 +108,7 @@ export const webSecurityRules = [
|
|
|
104
108
|
pattern: /(?:github_?token|gh_?token|GITHUB_TOKEN)\s*[:=]\s*["'](?:ghp_|gho_|ghu_|ghs_|ghr_|github_pat_)[A-Za-z0-9_]{10,}["']/gi,
|
|
105
109
|
languages: ["javascript", "typescript", "python", "shell"],
|
|
106
110
|
fix: "Use environment variables for GitHub tokens.",
|
|
111
|
+
fixCode: "// Use environment variable\nconst token = process.env.GITHUB_TOKEN;\n\n// .env.local\nGITHUB_TOKEN=ghp_your_token_here",
|
|
107
112
|
compliance: ["SOC2:CC6.1"],
|
|
108
113
|
},
|
|
109
114
|
// Cloudflare
|
|
@@ -116,6 +121,7 @@ export const webSecurityRules = [
|
|
|
116
121
|
pattern: /["']use client["'][\s\S]{0,500}?(?:CLOUDFLARE_API_TOKEN|CF_API_TOKEN|CLOUDFLARE_API_KEY)/g,
|
|
117
122
|
languages: ["javascript", "typescript"],
|
|
118
123
|
fix: "Use Cloudflare API tokens only in server-side code.",
|
|
124
|
+
fixCode: "// Server-side only (API route or Server Action)\nconst cf = new Cloudflare({ apiToken: process.env.CLOUDFLARE_API_TOKEN! });",
|
|
119
125
|
compliance: ["SOC2:CC6.1"],
|
|
120
126
|
},
|
|
121
127
|
{
|
|
@@ -127,6 +133,7 @@ export const webSecurityRules = [
|
|
|
127
133
|
pattern: /NEXT_PUBLIC_\w*(?:CLOUDFLARE|CF)\w*(?:API|TOKEN|KEY|SECRET)\s*=/gi,
|
|
128
134
|
languages: ["javascript", "typescript", "shell"],
|
|
129
135
|
fix: "Remove NEXT_PUBLIC_ prefix from Cloudflare credentials.",
|
|
136
|
+
fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_CF_API_TOKEN=xxx\n\n# CORRECT\nCLOUDFLARE_API_TOKEN=xxx",
|
|
130
137
|
compliance: ["SOC2:CC6.1"],
|
|
131
138
|
},
|
|
132
139
|
// OpenAI / AI Keys
|
|
@@ -151,6 +158,7 @@ export const webSecurityRules = [
|
|
|
151
158
|
pattern: /NEXT_PUBLIC_\w*(?:OPENAI|ANTHROPIC|GOOGLE_AI|GEMINI|COHERE|REPLICATE)\w*(?:KEY|TOKEN|SECRET)\s*=/gi,
|
|
152
159
|
languages: ["javascript", "typescript", "shell"],
|
|
153
160
|
fix: "Remove NEXT_PUBLIC_ prefix from AI API keys. Route AI requests through server-side API routes.",
|
|
161
|
+
fixCode: "# .env.local — WRONG\n# NEXT_PUBLIC_OPENAI_API_KEY=sk-xxx\n\n# CORRECT — server-side only\nOPENAI_API_KEY=sk-xxx\n# Use in API route: const openai = new OpenAI();",
|
|
154
162
|
compliance: ["SOC2:CC6.1"],
|
|
155
163
|
},
|
|
156
164
|
{
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"web-security.js","sourceRoot":"","sources":["../../../src/data/rules/web-security.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,uHAAuH;QACpI,OAAO,EAAE,6KAA6K;QACtL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EAAE,4SAA4S;QACrT,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kDAAkD;QAC/D,OAAO,EAAE,mFAAmF;QAC5F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yIAAyI;QACtJ,OAAO,EAAE,yGAAyG;QAClH,SAAS,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,CAAC;QAChD,GAAG,EAAE,8FAA8F;QACnG,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qGAAqG;QAClH,OAAO,EAAE,4KAA4K;QACrL,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,kEAAkE;QACvE,OAAO,EAAE,uDAAuD;QAChE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,2FAA2F;QACxG,OAAO,EAAE,8GAA8G;QACvH,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,wDAAwD;QAC7D,OAAO,EAAE,6GAA6G;QACtH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,sBAAsB;IACtB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,qGAAqG;QAClH,OAAO,EAAE,+HAA+H;QACxI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iHAAiH;QAC9H,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,wHAAwH;QAC7H,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAg
C;QACtC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iFAAiF;QAC9F,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EAAE,kFAAkF;QAC3F,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wBAAwB;IACxB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qEAAqE;QAClF,OAAO,EAAE,uHAAuH;QAChI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,CAAC;QAC1D,GAAG,EAAE,8CAA8C;QACnD,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,aAAa;IACb;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,0DAA0D;QACvE,OAAO,EAAE,2FAA2F;QACpG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qDAAqD;QAC1D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,6DAA6D;QAC1E,OAAO,EAAE,mEAAmE;QAC5E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,yDAAyD;QAC9D,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,2HAA2H;QACxI,OAAO,EAAE,sHAAsH;QAC/H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gFAAgF;QACrF,OAAO,EAAE,8HAA8H;QACvI,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,sFAAsF;QACnG,OAAO,EAAE,oGAAoG;QAC7G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,gGAAgG;QACrG,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+CAA+C;QAC5D,OAAO,EAAE,2GAA2G;QACpH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EAAE,8EAA8E;QACvF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
|
1
|
+
{"version":3,"file":"web-security.js","sourceRoot":"","sources":["../../../src/data/rules/web-security.ts"],"names":[],"mappings":"AAEA,MAAM,CAAC,MAAM,gBAAgB,GAAmB;IAC9C,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wCAAwC;QAC9C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,uHAAuH;QACpI,OAAO,EAAE,6KAA6K;QACtL,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4DAA4D;QACjE,OAAO,EAAE,4SAA4S;QACrT,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,0BAA0B;QAChC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,kDAAkD;QAC/D,OAAO,EAAE,mFAAmF;QAC5F,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gDAAgD;QACrD,OAAO,EACL,yIAAyI;QAC3I,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,gBAAgB;IAChB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,kCAAkC;QACxC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,yIAAyI;QACtJ,OAAO,EAAE,yGAAyG;QAClH,SAAS,EAAE,CAAC,OAAO,EAAE,YAAY,EAAE,YAAY,CAAC;QAChD,GAAG,EAAE,8FAA8F;QACnG,OAAO,EACL,6KAA6K;QAC/K,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,CAAC;KAC7C;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qGAAqG;QAClH,OAAO,EAAE,4KAA4K;QACrL,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,kEAAkE;QACvE,OAAO,EAAE,uDAAuD;QAChE,UAAU,EAAE,CAAC,YAAY,EAAE,gBAAgB,EAAE,mBAAmB,CAAC;KAClE;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,MAAM;QAChB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,2FAA2F;QACxG,OAAO,EAAE,8GAA8G;QACvH,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,wDAAwD;QAC7D,OAAO,EAAE,6GAA6G;QACtH,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,sBAAsB;IACtB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,gCAAgC;QACvC,WAAW,EAAE,qGAAqG;QAClH,OAAO,EAAE,+HAA+H;QACxI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,2EAA2E;QAChF,OAAO,EACL,kRAAkR;QACpR,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,8BAA8B;QACpC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iHAAiH;QAC9H,OAAO,EAAE,kGAAkG;QAC3G,SAAS,EAAE,CAAC,OAAO,CAAC;QACpB,GAAG,EAAE,wHAAwH;QAC7H,OAAO,EA
CL,sLAAsL;QACxL,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,gCAAgC;QACtC,QAAQ,EAAE,QAAQ;QAClB,KAAK,EAAE,oCAAoC;QAC3C,WAAW,EAAE,iFAAiF;QAC9F,OAAO,EAAE,yCAAyC;QAClD,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,0DAA0D;QAC/D,OAAO,EAAE,kFAAkF;QAC3F,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,wBAAwB;IACxB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,qEAAqE;QAClF,OAAO,EAAE,uHAAuH;QAChI,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,QAAQ,EAAE,OAAO,CAAC;QAC1D,GAAG,EAAE,8CAA8C;QACnD,OAAO,EACL,yHAAyH;QAC3H,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,aAAa;IACb;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sCAAsC;QAC5C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,0DAA0D;QACvE,OAAO,EAAE,2FAA2F;QACpG,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,qDAAqD;QAC1D,OAAO,EACL,+HAA+H;QACjI,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,oCAAoC;QAC1C,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,6DAA6D;QAC1E,OAAO,EAAE,mEAAmE;QAC5E,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,yDAAyD;QAC9D,OAAO,EACL,6FAA6F;QAC/F,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IAED,mBAAmB;IACnB;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,4BAA4B;QAClC,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,2HAA2H;QACxI,OAAO,EAAE,sHAAsH;QAC/H,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,gFAAgF;QACrF,OAAO,EAAE,8HAA8H;QACvI,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,wBAAwB;QAC9B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,sFAAsF;QACnG,OAAO,EAAE,oGAAoG;QAC7G,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,EAAE,OAAO,CAAC;QAChD,GAAG,EAAE,gGAAgG;QACrG,OAAO,EACL,oKAAoK;QACtK,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;IACD;QACE,EAAE,EAAE,OAAO;QACX,IAAI,EAAE,sBAAsB;QAC5B,QAAQ,EAAE,UAAU;QACpB,KAAK,EAAE,kCAAkC;QACzC,WAAW,EAAE,+CAA+C;QAC5D,OAAO,EAAE,2GAA2G;QACpH,SAAS,EAAE,CAAC,YAAY,EAAE,YAAY,CAAC;QACvC,GAAG,EAAE,4CAA4C;QACjD,OAAO,EAAE,8EAA8E;QACvF,UAAU,EAAE,CAAC,YAAY,CAAC;KAC3B;CACF,CAAC"}
|
package/build/index.js
CHANGED
|
@@ -16,12 +16,20 @@ import { checkPackageHealth } from "./tools/check-package-health.js";
|
|
|
16
16
|
import { fixCode } from "./tools/fix-code.js";
|
|
17
17
|
import { auditConfig } from "./tools/audit-config.js";
|
|
18
18
|
import { generatePolicy } from "./tools/generate-policy.js";
|
|
19
|
+
import { reviewPr } from "./tools/review-pr.js";
|
|
20
|
+
import { scanSecretsHistory } from "./tools/scan-secrets-history.js";
|
|
21
|
+
import { policyCheck } from "./tools/policy-check.js";
|
|
22
|
+
import { analyzeTaint, formatTaintFindings } from "./tools/taint-analysis.js";
|
|
23
|
+
import { checkCommand } from "./tools/check-command.js";
|
|
24
|
+
import { scanConfigChange } from "./tools/scan-config-change.js";
|
|
25
|
+
import { repoSecurityPosture } from "./tools/repo-posture.js";
|
|
26
|
+
import { explainRemediation } from "./tools/explain-remediation.js";
|
|
19
27
|
import { discoverPlugins } from "./plugins/loader.js";
|
|
20
28
|
import { builtinRules } from "./data/rules/index.js";
|
|
21
29
|
import { loadConfig } from "./utils/config.js";
|
|
22
30
|
const server = new McpServer({
|
|
23
31
|
name: "guardvibe",
|
|
24
|
-
version: "1.
|
|
32
|
+
version: "1.6.0",
|
|
25
33
|
});
|
|
26
34
|
// Tool 1: Analyze code for security vulnerabilities
|
|
27
35
|
server.tool("check_code", "Analyze code for security vulnerabilities (OWASP Top 10, XSS, SQL injection, insecure patterns). Use this when reviewing or writing code to catch security issues early.", {
|
|
@@ -193,6 +201,89 @@ server.tool("generate_policy", "Scan a project to detect its stack (Next.js, Sup
|
|
|
193
201
|
const results = generatePolicy(path, format);
|
|
194
202
|
return { content: [{ type: "text", text: results }] };
|
|
195
203
|
});
|
|
204
|
+
// Tool 15: PR Security Review — diff-only scanning with annotations
|
|
205
|
+
server.tool("review_pr", "Review a pull request for security issues. Scans only changed lines (diff-only mode) and produces output for GitHub Check Runs, PR comments, or inline annotations. Supports severity gating to block PRs.", {
|
|
206
|
+
path: z.string().default(".").describe("Repository root path"),
|
|
207
|
+
base: z.string().default("main").describe("Base branch to diff against"),
|
|
208
|
+
format: z.enum(["markdown", "json", "annotations"]).default("markdown").describe("Output: markdown (PR comment), json (structured), annotations (GitHub Check Runs)"),
|
|
209
|
+
diff_only: z.boolean().default(true).describe("Only report findings in changed lines (true) or all findings in changed files (false)"),
|
|
210
|
+
fail_on: z.enum(["critical", "high", "medium", "low", "none"]).default("high").describe("Block PR if findings at this severity or above exist"),
|
|
211
|
+
}, async ({ path, base, format, diff_only, fail_on }) => {
|
|
212
|
+
const rules = globalThis.__guardvibe_rules;
|
|
213
|
+
const results = reviewPr(path, base, format, diff_only, fail_on, rules);
|
|
214
|
+
return { content: [{ type: "text", text: results }] };
|
|
215
|
+
});
|
|
216
|
+
// Tool 16: Git History Secret Scan
|
|
217
|
+
server.tool("scan_secrets_history", "Scan git history for leaked secrets. Finds secrets that were committed in the past — even if they were later removed. Marks each finding as 'active' (still in code) or 'removed' (in git history only, needs rotation).", {
|
|
218
|
+
path: z.string().describe("Repository root path"),
|
|
219
|
+
max_commits: z.number().default(100).describe("Maximum number of commits to scan"),
|
|
220
|
+
format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
|
|
221
|
+
}, async ({ path, max_commits, format }) => {
|
|
222
|
+
const results = scanSecretsHistory(path, max_commits, format);
|
|
223
|
+
return { content: [{ type: "text", text: results }] };
|
|
224
|
+
});
|
|
225
|
+
// Tool 17: Compliance Policy Check
|
|
226
|
+
server.tool("policy_check", "Check project against compliance policies defined in .guardviberc. Supports custom frameworks, severity thresholds, required controls, and risk exceptions. Returns pass/fail with details.", {
|
|
227
|
+
path: z.string().describe("Project root directory"),
|
|
228
|
+
format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
|
|
229
|
+
}, async ({ path, format }) => {
|
|
230
|
+
const rules = globalThis.__guardvibe_rules;
|
|
231
|
+
const results = policyCheck(path, format, rules);
|
|
232
|
+
return { content: [{ type: "text", text: results }] };
|
|
233
|
+
});
|
|
234
|
+
// Tool 18: Taint/Dataflow Analysis
|
|
235
|
+
server.tool("analyze_dataflow", "Track user input (request body, URL params, form data) flowing into dangerous sinks (SQL queries, eval, file operations, redirects). Detects injection vulnerabilities that regex rules miss by following variable assignments through code.", {
|
|
236
|
+
code: z.string().describe("Code to analyze for tainted data flows"),
|
|
237
|
+
language: z.enum(["javascript", "typescript"]).describe("Language (JS/TS only)"),
|
|
238
|
+
format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
|
|
239
|
+
}, async ({ code, language, format }) => {
|
|
240
|
+
const findings = analyzeTaint(code, language);
|
|
241
|
+
if (findings.length === 0) {
|
|
242
|
+
if (format === "json")
|
|
243
|
+
return { content: [{ type: "text", text: JSON.stringify({ summary: { total: 0 }, findings: [] }) }] };
|
|
244
|
+
return { content: [{ type: "text", text: "No tainted data flows detected." }] };
|
|
245
|
+
}
|
|
246
|
+
const results = formatTaintFindings(findings, format);
|
|
247
|
+
return { content: [{ type: "text", text: results }] };
|
|
248
|
+
});
|
|
249
|
+
// Tool 19: Shell Command Risk Analyzer
|
|
250
|
+
server.tool("check_command", "Analyze a shell command for security risks before execution. Returns allow/ask/deny verdict with blast radius, safer alternatives, and context-aware risk assessment. Detects: destructive ops, git history rewrites, secret exposure, data exfiltration, deploy triggers, privilege escalation, database drops.", {
|
|
251
|
+
command: z.string().describe("Shell command to analyze"),
|
|
252
|
+
cwd: z.string().default(".").describe("Current working directory"),
|
|
253
|
+
branch: z.string().optional().describe("Current git branch (for branch-specific risk)"),
|
|
254
|
+
format: z.enum(["markdown", "json"]).default("json").describe("Output format"),
|
|
255
|
+
}, async ({ command, cwd, branch, format }) => {
|
|
256
|
+
const results = checkCommand(command, cwd, branch, format);
|
|
257
|
+
return { content: [{ type: "text", text: results }] };
|
|
258
|
+
});
|
|
259
|
+
// Tool 20: Config Change Security Analyzer
|
|
260
|
+
server.tool("scan_config_change", "Compare before/after versions of a config file to detect security downgrades: CORS relaxation, CSP weakening, HSTS removal, debug mode, cookie flag changes, TLS disabling, new hardcoded secrets, removed security headers.", {
|
|
261
|
+
before: z.string().describe("Previous config file content"),
|
|
262
|
+
after: z.string().describe("New config file content"),
|
|
263
|
+
file_path: z.string().default("config").describe("Config file path for context"),
|
|
264
|
+
format: z.enum(["markdown", "json"]).default("json").describe("Output format"),
|
|
265
|
+
}, async ({ before, after, file_path, format }) => {
|
|
266
|
+
const results = scanConfigChange(before, after, file_path, format);
|
|
267
|
+
return { content: [{ type: "text", text: results }] };
|
|
268
|
+
});
|
|
269
|
+
// Tool 21: Repository Security Posture
|
|
270
|
+
server.tool("repo_security_posture", "Analyze a repository's overall security posture. Maps sensitive areas (auth, payments, PII, admin, API, infrastructure), identifies high-risk workflows, recommends guard mode, and lists priority fixes.", {
|
|
271
|
+
path: z.string().describe("Repository root path"),
|
|
272
|
+
format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
|
|
273
|
+
}, async ({ path, format }) => {
|
|
274
|
+
const results = repoSecurityPosture(path, format);
|
|
275
|
+
return { content: [{ type: "text", text: results }] };
|
|
276
|
+
});
|
|
277
|
+
// Tool 22: Explain Remediation
|
|
278
|
+
server.tool("explain_remediation", "Deep explanation of a security finding: why it's risky, real-world impact, exploit scenario, minimum fix, secure alternative, breaking risk assessment, and test strategy. Helps agents apply fixes correctly.", {
|
|
279
|
+
rule_id: z.string().describe("GuardVibe rule ID (e.g. VG001, VG402)"),
|
|
280
|
+
code: z.string().optional().describe("Affected code snippet for context"),
|
|
281
|
+
format: z.enum(["markdown", "json"]).default("markdown").describe("Output format"),
|
|
282
|
+
}, async ({ rule_id, code, format }) => {
|
|
283
|
+
const rules = globalThis.__guardvibe_rules;
|
|
284
|
+
const results = explainRemediation(rule_id, code, format, rules);
|
|
285
|
+
return { content: [{ type: "text", text: results }] };
|
|
286
|
+
});
|
|
196
287
|
async function main() {
|
|
197
288
|
// Load plugins
|
|
198
289
|
const config = loadConfig(process.cwd());
|