itworksbut 0.1.1

package/src/checks/dependencies/lockfile-missing.js

@@ -0,0 +1,21 @@
+const LOCKFILES = ["package-lock.json", "pnpm-lock.yaml", "yarn.lock"];
+
+export default {
+  id: "dependencies.lockfile-missing",
+  title: "Package lockfile should be committed",
+  category: "dependencies",
+  severity: "medium",
+  tags: ["dependencies", "reproducibility", "ci"],
+  run: async (context) => {
+    if (!context.packageJson) return [];
+    if (LOCKFILES.some((file) => context.allFiles.includes(file))) return [];
+
+    return [
+      {
+        message: "package.json exists, but no package-lock.json, pnpm-lock.yaml, or yarn.lock was found.",
+        file: "package.json",
+        recommendation: "Commit exactly one lockfile so local and CI installs resolve the same dependency graph."
+      }
+    ];
+  }
+};

package/src/checks/dependencies/multiple-lockfiles.js

@@ -0,0 +1,21 @@
+const LOCKFILES = ["package-lock.json", "pnpm-lock.yaml", "yarn.lock"];
+
+export default {
+  id: "dependencies.multiple-lockfiles",
+  title: "Only one JavaScript package lockfile should be committed",
+  category: "dependencies",
+  severity: "medium",
+  tags: ["dependencies", "reproducibility", "ci"],
+  run: async (context) => {
+    const present = LOCKFILES.filter((file) => context.allFiles.includes(file));
+    if (present.length <= 1) return [];
+
+    return [
+      {
+        message: `Multiple package lockfiles were found: ${present.join(", ")}.`,
+        recommendation: "Keep the lockfile for the package manager used by the project and remove the others.",
+        metadata: { lockfiles: present }
+      }
+    ];
+  }
+};

package/src/checks/electron/context-isolation-disabled.js

@@ -0,0 +1,51 @@
+import { hasText, lineFromOffset } from "../helpers.js";
+
+const WEB_PREFERENCES_RE = /webPreferences\s*:\s*{([\s\S]{0,800}?)}\s*[,}]/g;
+
+export default {
+  id: "electron.context-isolation-disabled",
+  title: "Electron contextIsolation should be explicitly enabled",
+  category: "electron",
+  severity: "high",
+  tags: ["electron", "desktop", "xss"],
+  run: async (context) => {
+    const electronDetected = context.hasDependency("electron") || (await hasText(context, /\bfrom\s+["']electron["']|\brequire\(["']electron["']\)/g));
+    if (!electronDetected) return [];
+
+    const findings = [];
+    const disabled = await context.grep(/contextIsolation\s*:\s*false/g, {
+      include: ["*.js", "*.ts", "*.mjs", "*.cjs"],
+      maxMatches: 100
+    });
+    for (const match of disabled) {
+      findings.push({
+        message: "Electron BrowserWindow webPreferences disables contextIsolation.",
+        file: match.file,
+        line: match.line,
+        column: match.column,
+        recommendation: "Set contextIsolation: true and expose narrow, validated APIs from preload."
+      });
+    }
+
+    for (const file of context.textFiles) {
+      if (!/\.[cm]?[jt]s$/.test(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/new\s+BrowserWindow\s*\(/.test(content)) continue;
+
+      WEB_PREFERENCES_RE.lastIndex = 0;
+      let match;
+      while ((match = WEB_PREFERENCES_RE.exec(content)) !== null) {
+        if (/contextIsolation\s*:/.test(match[1])) continue;
+        findings.push({
+          message: "Electron BrowserWindow webPreferences appears to omit contextIsolation.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation: "Set contextIsolation: true explicitly and review preload exposure.",
+          heuristic: true
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};

package/src/checks/electron/node-integration-enabled.js

@@ -0,0 +1,26 @@
+import { hasText } from "../helpers.js";
+
+export default {
+  id: "electron.node-integration-enabled",
+  title: "Electron nodeIntegration should be disabled",
+  category: "electron",
+  severity: "high",
+  tags: ["electron", "desktop", "xss"],
+  run: async (context) => {
+    const electronDetected = context.hasDependency("electron") || (await hasText(context, /\bfrom\s+["']electron["']|\brequire\(["']electron["']\)/g));
+    if (!electronDetected) return [];
+
+    const matches = await context.grep(/nodeIntegration\s*:\s*true/g, {
+      include: ["*.js", "*.ts", "*.mjs", "*.cjs"],
+      maxMatches: 100
+    });
+
+    return matches.map((match) => ({
+      message: "Electron BrowserWindow webPreferences enables nodeIntegration.",
+      file: match.file,
+      line: match.line,
+      column: match.column,
+      recommendation: "Set nodeIntegration: false, keep contextIsolation: true, and expose only minimal APIs through a strict preload script."
+    }));
+  }
+};

package/src/checks/env/env-example-missing.js

@@ -0,0 +1,28 @@
+import { isEnvFile } from "../helpers.js";
+
+export default {
+  id: "env.env-example-missing",
+  title: ".env.example should document required environment variables",
+  category: "env",
+  severity: "medium",
+  tags: ["env", "developer-experience", "deployment"],
+  run: async (context) => {
+    if (await context.fileExists(".env.example")) return [];
+
+    const envFilePresent = context.allFiles.some((file) => isEnvFile(file));
+    const envUsage = await context.grep(/\b(process\.env|import\.meta\.env|Deno\.env)\b/, {
+      include: ["*.js", "*.ts", "*.jsx", "*.tsx", "*.mjs", "*.cjs"],
+      maxMatches: 1
+    });
+
+    if (!envFilePresent && envUsage.length === 0) return [];
+
+    return [
+      {
+        message: "Environment variable usage appears to exist, but .env.example is missing.",
+        recommendation: "Add .env.example with variable names and safe placeholder values so CI and contributors know what must be configured.",
+        heuristic: true
+      }
+    ];
+  }
+};

package/src/checks/env/env-file-tracked.js

@@ -0,0 +1,20 @@
+import { isEnvExampleFile, isEnvFile } from "../helpers.js";
+
+export default {
+  id: "env.env-file-tracked",
+  title: "Environment files must not be tracked",
+  category: "env",
+  severity: "critical",
+  tags: ["secrets", "git", "node"],
+  run: async (context) => {
+    if (!context.gitAvailable) return [];
+
+    return context.gitTrackedFiles
+      .filter((file) => isEnvFile(file) && !isEnvExampleFile(file))
+      .map((file) => ({
+        message: `${file} appears to be tracked by git. Secrets may be exposed.`,
+        file,
+        recommendation: "Remove it from git with git rm --cached, rotate any exposed secrets, and commit .env.example instead."
+      }));
+  }
+};

package/src/checks/env/frontend-secret-exposure.js

@@ -0,0 +1,44 @@
+import { isCodeLikeFile, isLockfile } from "../helpers.js";
+
+const PUBLIC_SECRET_RE = /\b((?:VITE_|NEXT_PUBLIC_|PUBLIC_)[A-Z0-9_]*(?:SECRET|TOKEN|PRIVATE|KEY|SERVICE_ROLE|DATABASE_URL)[A-Z0-9_]*)\b/g;
+
+export default {
+  id: "env.frontend-secret-exposure",
+  title: "Frontend-public environment variables should not look secret",
+  category: "env",
+  severity: "high",
+  tags: ["secrets", "frontend", "env"],
+  run: async (context) => {
+    const findings = [];
+    const seen = new Set();
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      const lines = content.split(/\r?\n/);
+      for (let index = 0; index < lines.length; index += 1) {
+        PUBLIC_SECRET_RE.lastIndex = 0;
+        let match;
+        while ((match = PUBLIC_SECRET_RE.exec(lines[index])) !== null) {
+          const envName = match[1];
+          if (/_RE$|_REGEX$/.test(envName)) continue;
+          const key = `${file}:${index + 1}:${envName}`;
+          if (seen.has(key)) continue;
+          seen.add(key);
+          findings.push({
+            message: `Potential frontend-exposed secret-like environment variable ${envName} appears in client-visible code or config.`,
+            file,
+            line: index + 1,
+            recommendation: "Do not expose secrets through VITE_, NEXT_PUBLIC_, or PUBLIC_ variables. Move secret operations to server-side code.",
+            heuristic: true,
+            metadata: { envName }
+          });
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};

package/src/checks/env/possible-secret-in-code.js

@@ -0,0 +1,72 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile } from "../helpers.js";
+
+const SECRET_NAMES = [
+  "OPENAI_API_KEY",
+  "STRIPE_SECRET_KEY",
+  "GITHUB_TOKEN",
+  "JWT_SECRET",
+  "PRIVATE_KEY",
+  "DATABASE_URL",
+  "SUPABASE_SERVICE_ROLE_KEY",
+  "AWS_SECRET_ACCESS_KEY"
+];
+
+const PLACEHOLDER_RE = /^(your_|example|changeme|change_me|todo|test|dummy|xxx|placeholder|<|""|''|null|undefined)/i;
+
+export default {
+  id: "env.possible-secret-in-code",
+  title: "Possible hardcoded secrets should not appear in source",
+  category: "env",
+  severity: "critical",
+  tags: ["secrets", "static-analysis"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+      const lines = content.split(/\r?\n/);
+
+      for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index];
+
+        if (/-----BEGIN [A-Z ]*PRIVATE KEY-----/.test(line)) {
+          findings.push(secretFinding(file, index + 1, "PRIVATE_KEY"));
+          continue;
+        }
+
+        for (const secretName of SECRET_NAMES) {
+          const regex = new RegExp(`(?:^|[\\s{,;])["']?(${escapeRegExp(secretName)})["']?\\s*(?:=|:)\\s*["']?([^"'\\s,;]+)`, "i");
+          const match = line.match(regex);
+          if (!match) continue;
+
+          const possibleValue = match[2] || "";
+          if (PLACEHOLDER_RE.test(possibleValue) || /process\.env|import\.meta\.env/i.test(possibleValue)) continue;
+          findings.push(secretFinding(file, index + 1, secretName));
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function secretFinding(file, line, secretType) {
+  return {
+    message: `A possible ${secretType} value appears to be hardcoded. The value was not printed.`,
+    file,
+    line,
+    recommendation: "Move the secret to a secure runtime secret store or CI secret, rotate it if it was committed, and keep only safe placeholders in examples.",
+    heuristic: true,
+    metadata: {
+      secretType,
+      valueRedacted: true
+    }
+  };
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}

package/src/checks/git/gitignore-incomplete.js

@@ -0,0 +1,47 @@
+const REQUIRED_ENTRIES = [
+  "node_modules/",
+  ".env",
+  ".env.*",
+  "dist/",
+  "build/",
+  ".next/",
+  "coverage/",
+  "*.log",
+  "*.sqlite",
+  "*.db",
+  ".DS_Store"
+];
+
+export default {
+  id: "git.gitignore-incomplete",
+  title: ".gitignore should cover common generated and secret files",
+  category: "git",
+  severity: "medium",
+  tags: ["git", "repo-hygiene", "secrets"],
+  run: async (context) => {
+    const content = await context.readFileSafe(".gitignore");
+    if (!content) return [];
+
+    const lines = content
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter((line) => line && !line.startsWith("#") && !line.startsWith("!"));
+
+    const missing = REQUIRED_ENTRIES.filter((entry) => !hasEquivalentEntry(lines, entry));
+    if (missing.length === 0) return [];
+
+    return [
+      {
+        message: `.gitignore appears to be missing common entries: ${missing.join(", ")}.`,
+        file: ".gitignore",
+        recommendation: "Add the missing ignore patterns so local secrets, dependencies, logs, databases, and build output are not committed.",
+        metadata: { missing }
+      }
+    ];
+  }
+};
+
+function hasEquivalentEntry(lines, entry) {
+  const variants = new Set([entry, entry.replace(/\/$/, ""), entry.endsWith("/") ? `${entry}**` : entry]);
+  return lines.some((line) => variants.has(line));
+}

package/src/checks/git/gitignore-missing.js

@@ -0,0 +1,16 @@
+export default {
+  id: "git.gitignore-missing",
+  title: ".gitignore should exist",
+  category: "git",
+  severity: "medium",
+  tags: ["git", "repo-hygiene"],
+  run: async (context) => {
+    if (await context.fileExists(".gitignore")) return [];
+    return [
+      {
+        message: "The repository appears to be missing a .gitignore file.",
+        recommendation: "Add a .gitignore that excludes dependencies, build output, local env files, logs, and local databases."
+      }
+    ];
+  }
+};

package/src/checks/git/ignored-files-tracked.js

@@ -0,0 +1,38 @@
+import { matchesAnyGlob } from "../../utils/path.js";
+import { isEnvExampleFile } from "../helpers.js";
+
+const RISKY_TRACKED_PATTERNS = [
+  ".env",
+  ".env.*",
+  "node_modules/**",
+  "dist/**",
+  "build/**",
+  ".next/**",
+  "coverage/**",
+  "*.sqlite",
+  "*.db",
+  "*.log"
+];
+
+export default {
+  id: "git.ignored-files-tracked",
+  title: "Ignored files should not be tracked by git",
+  category: "git",
+  severity: "high",
+  tags: ["git", "repo-hygiene", "secrets"],
+  run: async (context) => {
+    if (!context.gitAvailable) return [];
+
+    const candidates = new Set(context.gitIgnoredTrackedFiles || []);
+    for (const file of context.gitTrackedFiles) {
+      if (isEnvExampleFile(file)) continue;
+      if (matchesAnyGlob(file, RISKY_TRACKED_PATTERNS)) candidates.add(file);
+    }
+
+    return [...candidates].slice(0, 50).map((file) => ({
+      message: `${file} appears to be tracked even though it matches an ignore or high-risk generated-file pattern.`,
+      file,
+      recommendation: "Remove generated or local-only files from git with git rm --cached, then commit the corrected .gitignore."
+    }));
+  }
+};

package/src/checks/helpers.js

@@ -0,0 +1,122 @@
+import path from "node:path";
+import { matchesGlob } from "../utils/path.js";
+
+export const CODE_FILE_EXTENSIONS = new Set([
+  ".js",
+  ".jsx",
+  ".mjs",
+  ".cjs",
+  ".ts",
+  ".tsx",
+  ".vue",
+  ".svelte",
+  ".astro",
+  ".html",
+  ".css",
+  ".json",
+  ".yml",
+  ".yaml",
+  ".env"
+]);
+
+export function isCodeLikeFile(file) {
+  if (isLockfile(file)) return false;
+  const extension = path.extname(file);
+  return CODE_FILE_EXTENSIONS.has(extension) || file.includes(".env");
+}
+
+export function isLockfile(file) {
+  return ["package-lock.json", "pnpm-lock.yaml", "yarn.lock"].includes(file);
+}
+
+export function isEnvFile(file) {
+  const base = path.basename(file);
+  return base === ".env" || (base.startsWith(".env.") && !isEnvExampleFile(file));
+}
+
+export function isEnvExampleFile(file) {
+  const base = path.basename(file);
+  return [".env.example", ".env.sample", ".env.template", ".env.defaults"].includes(base);
+}
+
+export function isExpressProject(context) {
+  return context.hasDependency("express") || context.textFiles.some((file) => file.endsWith(".js") || file.endsWith(".ts"));
+}
+
+export async function hasText(context, regex, options = {}) {
+  const files = options.files || context.textFiles;
+  for (const file of files) {
+    const content = await context.readFileSafe(file);
+    if (content && regex.test(content)) {
+      regex.lastIndex = 0;
+      return true;
+    }
+    regex.lastIndex = 0;
+  }
+  return false;
+}
+
+export async function collectCiFiles(context) {
+  return context.textFiles.filter((file) => {
+    return (
+      matchesGlob(file, ".github/workflows/*.yml") ||
+      matchesGlob(file, ".github/workflows/*.yaml") ||
+      file === ".gitlab-ci.yml" ||
+      file === ".circleci/config.yml" ||
+      file === "Jenkinsfile" ||
+      file.startsWith("ci/") ||
+      file.startsWith(".buildkite/")
+    );
+  });
+}
+
+export async function readNearby(context, file, line, radius = 6) {
+  const content = await context.readFileSafe(file);
+  if (!content) return "";
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}
+
+export function hasAuthKeyword(text) {
+  return /\b(auth|authenticate|authenticated|authorization|authorize|requireAuth|requireUser|session|passport|jwt|bearer|getServerSession|clerk|supabase\.auth|currentUser|isAuthenticated)\b/i.test(
+    text
+  );
+}
+
+export function hasOwnerKeyword(text) {
+  return /\b(userId|ownerId|accountId|tenantId|orgId|organizationId|workspaceId|teamId|createdBy|authorId)\b/i.test(text);
+}
+
+export function lineFromOffset(content, offset) {
+  return content.slice(0, offset).split(/\r?\n/).length;
+}
+
+export function isFrontendFile(file) {
+  return /\.(jsx|tsx|vue|svelte|astro)$/.test(file) || file.startsWith("src/components/") || file.startsWith("src/pages/");
+}
+
+export function isServerOrApiFile(file) {
+  return (
+    file.includes("/api/") ||
+    file.includes("/routes/") ||
+    file.includes("/server/") ||
+    file.includes("/middleware") ||
+    file.startsWith("pages/api/") ||
+    file.startsWith("app/api/") ||
+    /server\.[cm]?[jt]s$/.test(file) ||
+    /app\.[cm]?[jt]s$/.test(file)
+  );
+}
+
+export function parseJsonWithComments(content) {
+  try {
+    return JSON.parse(content);
+  } catch {
+    const withoutComments = content
+      .replace(/\/\*[\s\S]*?\*\//g, "")
+      .replace(/(^|\s)\/\/.*$/gm, "$1");
+    return JSON.parse(withoutComments);
+  }
+}

package/src/checks/index.js

@@ -0,0 +1,63 @@
+import gitignoreMissing from "./git/gitignore-missing.js";
+import gitignoreIncomplete from "./git/gitignore-incomplete.js";
+import ignoredFilesTracked from "./git/ignored-files-tracked.js";
+import envFileTracked from "./env/env-file-tracked.js";
+import envExampleMissing from "./env/env-example-missing.js";
+import possibleSecretInCode from "./env/possible-secret-in-code.js";
+import frontendSecretExposure from "./env/frontend-secret-exposure.js";
+import lockfileMissing from "./dependencies/lockfile-missing.js";
+import multipleLockfiles from "./dependencies/multiple-lockfiles.js";
+import installScriptsRisk from "./dependencies/install-scripts-risk.js";
+import auditScriptMissing from "./dependencies/audit-script-missing.js";
+import packageScriptsMissing from "./package/scripts-missing.js";
+import noCiConfig from "./ci/no-ci-config.js";
+import npmInstallInsteadOfNpmCi from "./ci/npm-install-instead-of-npm-ci.js";
+import noBuildStep from "./ci/no-build-step.js";
+import noTestStep from "./ci/no-test-step.js";
+import expressJsonLimitMissing from "./node/express-json-limit-missing.js";
+import rateLimitMissing from "./node/rate-limit-missing.js";
+import helmetMissing from "./node/helmet-missing.js";
+import corsWildcard from "./node/cors-wildcard.js";
+import clientSideAuthOnly from "./web/client-side-auth-only.js";
+import dangerousInnerHtml from "./web/dangerous-inner-html.js";
+import missingOutputSanitization from "./web/missing-output-sanitization.js";
+import missingAuthOnRoutes from "./auth/missing-auth-on-routes.js";
+import idorRisk from "./auth/idor-risk.js";
+import rawSqlInterpolation from "./database/raw-sql-interpolation.js";
+import noMigrations from "./database/no-migrations.js";
+import electronNodeIntegrationEnabled from "./electron/node-integration-enabled.js";
+import electronContextIsolationDisabled from "./electron/context-isolation-disabled.js";
+import tauriDangerousAllowlistOrCapabilities from "./tauri/dangerous-allowlist-or-capabilities.js";
+
+export default [
+  gitignoreMissing,
+  gitignoreIncomplete,
+  ignoredFilesTracked,
+  envFileTracked,
+  envExampleMissing,
+  possibleSecretInCode,
+  frontendSecretExposure,
+  lockfileMissing,
+  multipleLockfiles,
+  installScriptsRisk,
+  auditScriptMissing,
+  packageScriptsMissing,
+  noCiConfig,
+  npmInstallInsteadOfNpmCi,
+  noBuildStep,
+  noTestStep,
+  expressJsonLimitMissing,
+  rateLimitMissing,
+  helmetMissing,
+  corsWildcard,
+  clientSideAuthOnly,
+  dangerousInnerHtml,
+  missingOutputSanitization,
+  missingAuthOnRoutes,
+  idorRisk,
+  rawSqlInterpolation,
+  noMigrations,
+  electronNodeIntegrationEnabled,
+  electronContextIsolationDisabled,
+  tauriDangerousAllowlistOrCapabilities
+];

package/src/checks/node/cors-wildcard.js

@@ -0,0 +1,35 @@
+export default {
+  id: "node.cors-wildcard",
+  title: "CORS should not be broadly open by default",
+  category: "node",
+  severity: "high",
+  tags: ["node", "cors", "api"],
+  run: async (context) => {
+    const findings = [];
+    const patterns = [
+      { regex: /origin\s*:\s*["']\*["']/g, label: "origin: \"*\"" },
+      { regex: /Access-Control-Allow-Origin["']?\s*,\s*["']\*["']/g, label: "Access-Control-Allow-Origin: *" },
+      { regex: /\bcors\s*\(\s*\)/g, label: "cors() with default open origin" },
+      { regex: /origin\s*:\s*true/g, label: "origin: true" }
+    ];
+
+    for (const pattern of patterns) {
+      const matches = await context.grep(pattern.regex, {
+        include: ["*.js", "*.ts", "*.mjs", "*.cjs"],
+        maxMatches: 100
+      });
+      for (const match of matches) {
+        findings.push({
+          message: `CORS configuration appears broadly open (${pattern.label}).`,
+          file: match.file,
+          line: match.line,
+          column: match.column,
+          recommendation: "Restrict CORS origins to the exact trusted application origins and handle credentials carefully.",
+          heuristic: true
+        });
+      }
+    }
+
+    return findings;
+  }
+};

package/src/checks/node/express-json-limit-missing.js

@@ -0,0 +1,30 @@
+import { hasText } from "../helpers.js";
+
+export default {
+  id: "node.express-json-limit-missing",
+  title: "express.json should set a body size limit",
+  category: "node",
+  severity: "medium",
+  tags: ["node", "express", "availability"],
+  run: async (context) => {
+    const expressDetected = context.hasDependency("express") || (await hasText(context, /\bfrom\s+["']express["']|\brequire\(["']express["']\)/g));
+    if (!expressDetected) return [];
+
+    const findings = [];
+    for (const match of await context.grep(/express\.json\s*\(([^)]*)\)/g, {
+      include: ["*.js", "*.ts", "*.mjs", "*.cjs"],
+      maxMatches: 100
+    })) {
+      const args = match.match[1] || "";
+      if (/\blimit\s*:/.test(args)) continue;
+      findings.push({
+        message: "express.json() appears to be used without an explicit request body size limit.",
+        file: match.file,
+        line: match.line,
+        column: match.column,
+        recommendation: "Set a conservative limit, for example express.json({ limit: '100kb' }), and tune it per route when needed."
+      });
+    }
+    return findings;
+  }
+};

package/src/checks/node/helmet-missing.js

@@ -0,0 +1,22 @@
+import { hasText } from "../helpers.js";
+
+export default {
+  id: "node.helmet-missing",
+  title: "Express apps should use Helmet or equivalent security headers",
+  category: "node",
+  severity: "medium",
+  tags: ["node", "express", "headers"],
+  run: async (context) => {
+    const expressDetected = context.hasDependency("express") || (await hasText(context, /\bfrom\s+["']express["']|\brequire\(["']express["']\)/g));
+    if (!expressDetected) return [];
+    if (context.hasDependency("helmet") || context.hasDevDependency("helmet")) return [];
+    if (await hasText(context, /\bhelmet\s*\(/g)) return [];
+
+    return [
+      {
+        message: "Express appears to be used, but Helmet was not detected.",
+        recommendation: "Install and use helmet() early in the middleware stack, or document equivalent security header handling."
+      }
+    ];
+  }
+};