itworksbut 0.3.0 → 0.4.0

package/README.md

@@ -197,7 +197,7 @@ Secret-like findings never print the full secret value. Findings report the file
 
 ## What It Detects
 
-The baseline includes 30 modular checks:
+The baseline includes 40 modular checks:
 
 - `git.gitignore-missing`
 - `git.gitignore-incomplete`
@@ -206,6 +206,7 @@ The baseline includes 30 modular checks:
 - `env.env-example-missing`
 - `env.possible-secret-in-code`
 - `env.frontend-secret-exposure`
+- `secrets.secrets-in-logs`
 - `dependencies.lockfile-missing`
 - `dependencies.multiple-lockfiles`
 - `dependencies.install-scripts-risk`
@@ -219,13 +220,22 @@ The baseline includes 30 modular checks:
 - `node.rate-limit-missing`
 - `node.helmet-missing`
 - `node.cors-wildcard`
+- `node.child-process-user-input`
 - `web.client-side-auth-only`
 - `web.dangerous-inner-html`
 - `web.missing-output-sanitization`
 - `api.missing-auth-on-routes`
 - `api.idor-risk`
+- `auth.jwt-secret-weak-or-fallback`
+- `auth.password-hashing-missing`
 - `database.raw-sql-interpolation`
 - `database.no-migrations`
+- `cookies.insecure-session-cookie`
+- `uploads.public-executable-upload`
+- `webhooks.missing-raw-body`
+- `llm.prompt-injection-risk`
+- `frontend.sourcemaps-production`
+- `config.debug-production`
 - `electron.node-integration-enabled`
 - `electron.context-isolation-disabled`
 - `tauri.dangerous-allowlist-or-capabilities`

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "itworksbut",
-    "version": "0.3.0",
+    "version": "0.4.0",
     "description": "Static CI checks for common security, repo, dependency, build, and deployment risks in JavaScript vibe coding projects.",
     "type": "module",
     "bin": {

package/src/checks/auth/jwt-secret-weak-or-fallback.js

@@ -0,0 +1,72 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile } from "../helpers.js";
+
+const WEAK_JWT_VALUES = [
+  "secret",
+  "changeme",
+  "change-me",
+  "dev-secret",
+  "development",
+  "password",
+  "123456",
+  "jwt-secret",
+  "supersecret",
+  "test",
+  "local"
+];
+
+const WEAK_VALUE_RE = `(?:${WEAK_JWT_VALUES.map(escapeRegExp).join("|")})`;
+const DIRECT_JWT_RE = new RegExp(`\\bjwt\\.(?:sign|verify)\\s*\\([^\\n;]*?,\\s*["'\`]${WEAK_VALUE_RE}["'\`]`, "i");
+const FALLBACK_RE = new RegExp(`\\bprocess\\.env\\.JWT_SECRET\\s*(?:\\|\\||\\?\\?)\\s*["'\`]${WEAK_VALUE_RE}["'\`]`, "i");
+const ASSIGNMENT_RE = new RegExp(`\\bJWT_SECRET\\b\\s*(?:=|:)\\s*["'\`]${WEAK_VALUE_RE}["'\`]`, "i");
+
+export default {
+  id: "auth.jwt-secret-weak-or-fallback",
+  title: "JWT secrets should not use weak hardcoded values or fallbacks",
+  category: "auth",
+  severity: "high",
+  tags: ["auth", "jwt", "secrets", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/\bJWT_SECRET\b|\bjwt\.(?:sign|verify)\b/i.test(content)) continue;
+
+      const lines = content.split(/\r?\n/);
+      for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index];
+
+        if (DIRECT_JWT_RE.test(line)) {
+          findings.push(jwtFinding(file, index + 1, "direct-hardcoded-jwt-secret", "critical"));
+        } else if (FALLBACK_RE.test(line)) {
+          findings.push(jwtFinding(file, index + 1, "environment-fallback", "high"));
+        } else if (ASSIGNMENT_RE.test(line)) {
+          findings.push(jwtFinding(file, index + 1, "weak-jwt-secret-assignment", "high"));
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function jwtFinding(file, line, pattern, severity) {
+  return {
+    severity,
+    message: "JWT signing or verification appears to use a weak hardcoded secret or a development fallback.",
+    file,
+    line,
+    recommendation:
+      "Require a strong JWT secret from the environment in production and fail startup if it is missing.",
+    heuristic: true,
+    metadata: {
+      pattern,
+      valueRedacted: true
+    }
+  };
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}

package/src/checks/auth/password-hashing-missing.js

@@ -0,0 +1,56 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const USER_CREATE_TERMS_RE = /\b(register|signup|createUser|users|INSERT\s+INTO\s+users|prisma\.user\.create|db\.user\.create)\b/i;
+const PASSWORD_TERM_RE = /\bpassword\b/i;
+const HASHING_RE = /\b(?:bcrypt|bcryptjs|argon2|scrypt|crypto\.scrypt|pbkdf2|hashPassword|passwordHash|hashedPassword)\b/i;
+
+const RISKY_PASSWORD_STORAGE_RE =
+  /\bpassword\s*:\s*(?:password|req\.body\.password|request\.body\.password|body\.password)|\bpassword\s*=\s*(?:password|req\.body\.password|request\.body\.password|body\.password)|INSERT\s+INTO\s+users\s*\([^)]*password|prisma\.user\.create\s*\(\s*{[\s\S]{0,800}?data\s*:\s*{[\s\S]{0,500}?password\s*:|db\.user\.create\s*\(\s*{[\s\S]{0,800}?password\s*:/gi;
+
+export default {
+  id: "auth.password-hashing-missing",
+  title: "User passwords should be hashed before storage",
+  category: "auth",
+  severity: "critical",
+  tags: ["auth", "passwords", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !PASSWORD_TERM_RE.test(content) || !USER_CREATE_TERMS_RE.test(content)) continue;
+
+      RISKY_PASSWORD_STORAGE_RE.lastIndex = 0;
+      let match;
+      while ((match = RISKY_PASSWORD_STORAGE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = nearbyText(content, line, 10);
+        if (HASHING_RE.test(nearby)) continue;
+
+        findings.push({
+          message:
+            "This code appears to create users or store passwords without an obvious password hashing step.",
+          file,
+          line,
+          recommendation:
+            "Hash passwords with argon2, bcrypt, scrypt or PBKDF2 before storage. Never store raw passwords.",
+          heuristic: true,
+          metadata: {
+            pattern: "password-storage-without-nearby-hashing"
+          }
+        });
+        break;
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}

package/src/checks/config/debug-production.js

@@ -0,0 +1,65 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const DEBUG_FLAG_RE =
+  /\b(?:debug|verbose|dev|exposeErrors|stackTrace|showStack)\s*:\s*true\b|\bapp\.set\s*\(\s*["'`]env["'`]\s*,\s*["'`]development["'`]\s*\)|\bNODE_ENV\s*=\s*["'`]development["'`]|\bdevtool\s*:\s*["'`](?:eval|eval-source-map|inline-source-map|cheap-module-source-map)["'`]/gi;
+
+export default {
+  id: "config.debug-production",
+  title: "Production configuration should not enable debug behavior",
+  category: "config",
+  severity: "medium",
+  tags: ["config", "debug", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      if (!isRiskyConfigFile(file)) continue;
+
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      DEBUG_FLAG_RE.lastIndex = 0;
+      let match;
+      while ((match = DEBUG_FLAG_RE.exec(content)) !== null) {
+        const productionLike = isProductionLikeFile(file);
+        findings.push({
+          severity: productionLike ? "high" : "medium",
+          message: "Debug or development flags appear to be enabled in production-like configuration.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation:
+            "Disable verbose errors and debug flags in production. Avoid exposing stack traces, internal paths or development tooling.",
+          heuristic: true,
+          metadata: {
+            productionLike,
+            pattern: classifyDebugPattern(match[0])
+          }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function isRiskyConfigFile(file) {
+  return (
+    isProductionLikeFile(file) ||
+    /^next\.config\.[cm]?[jt]s$/.test(file) ||
+    /^vite\.config\.[cm]?[jt]s$/.test(file) ||
+    /^webpack\.config\.[cm]?[jt]s$/.test(file) ||
+    /(^|\/)(server|app)\.[cm]?[jt]s$/.test(file)
+  );
+}
+
+function isProductionLikeFile(file) {
+  return /^config\/production\./.test(file) || /\.production\./.test(file);
+}
+
+function classifyDebugPattern(value) {
+  if (/devtool/i.test(value)) return "unsafe-devtool";
+  if (/NODE_ENV|app\.set/i.test(value)) return "development-environment";
+  if (/stack|showStack|exposeErrors/i.test(value)) return "verbose-errors";
+  return "debug-flag";
+}

package/src/checks/cookies/insecure-session-cookie.js

@@ -0,0 +1,69 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, readNearby } from "../helpers.js";
+
+const COOKIE_CALL_RE =
+  /\b(?:res\.cookie|cookies\(\)\.set|response\.cookies\.set|setCookie|serialize)\s*\(\s*["'`]([^"'`]+)["'`]/g;
+const AUTH_COOKIE_NAME_RE = /\b(session|auth|token|jwt)\b/i;
+
+export default {
+  id: "cookies.insecure-session-cookie",
+  title: "Session cookies should use secure attributes",
+  category: "cookies",
+  severity: "high",
+  tags: ["cookies", "auth", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/cookie|setCookie|serialize/i.test(content)) continue;
+      const lines = content.split(/\r?\n/);
+
+      for (let index = 0; index < lines.length; index += 1) {
+        COOKIE_CALL_RE.lastIndex = 0;
+        let match;
+        while ((match = COOKIE_CALL_RE.exec(lines[index])) !== null) {
+          const cookieName = match[1] || "";
+          const nearby = await readNearby(context, file, index + 1, 6);
+          if (hasSecureCookieAttributes(nearby)) continue;
+
+          findings.push({
+            severity: AUTH_COOKIE_NAME_RE.test(cookieName) ? "high" : "medium",
+            message: "A session or auth cookie appears to be set without secure cookie attributes.",
+            file,
+            line: index + 1,
+            recommendation:
+              "Set httpOnly, secure and sameSite for session cookies. Use secure: true in production.",
+            heuristic: true,
+            metadata: {
+              cookieName: redactCookieName(cookieName),
+              missingAttributes: missingAttributes(nearby)
+            }
+          });
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function hasSecureCookieAttributes(value) {
+  return (
+    /\bhttpOnly\s*:\s*true\b/i.test(value) &&
+    /\bsecure\s*:\s*true\b/i.test(value) &&
+    /\bsameSite\s*:\s*["'`]?(?:lax|strict|none)["'`]?/i.test(value)
+  );
+}
+
+function missingAttributes(value) {
+  const missing = [];
+  if (!/\bhttpOnly\s*:\s*true\b/i.test(value)) missing.push("httpOnly");
+  if (!/\bsecure\s*:\s*true\b/i.test(value)) missing.push("secure");
+  if (!/\bsameSite\s*:\s*["'`]?(?:lax|strict|none)["'`]?/i.test(value)) missing.push("sameSite");
+  return missing;
+}
+
+function redactCookieName(cookieName) {
+  return AUTH_COOKIE_NAME_RE.test(cookieName) ? cookieName : "non-auth-cookie";
+}

package/src/checks/frontend/sourcemaps-production.js

@@ -0,0 +1,90 @@
+import fs from "node:fs/promises";
+import path from "node:path";
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+import { normalizeRelativePath } from "../../utils/path.js";
+
+const SOURCEMAP_CONFIG_RE =
+  /\b(?:sourcemap|productionBrowserSourceMaps)\s*:\s*true\b|\bGENERATE_SOURCEMAP\s*=\s*true\b|\bdevtool\s*:\s*["'`](?:source-map|inline-source-map|eval-source-map)["'`]/gi;
+const SOURCEMAP_DIRS = ["dist", "build", ".next", "out"];
+const MAX_SOURCEMAP_FILES = 100;
+
+export default {
+  id: "frontend.sourcemaps-production",
+  title: "Production source maps should not be served publicly by accident",
+  category: "frontend",
+  severity: "medium",
+  tags: ["frontend", "sourcemaps", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+
+      SOURCEMAP_CONFIG_RE.lastIndex = 0;
+      let match;
+      while ((match = SOURCEMAP_CONFIG_RE.exec(content)) !== null) {
+        findings.push(sourceMapFinding(file, lineFromOffset(content, match.index), "sourcemap-config-enabled"));
+      }
+    }
+
+    const mapFiles = await collectGeneratedSourceMaps(context.rootPath);
+    for (const file of mapFiles) {
+      findings.push(sourceMapFinding(file, undefined, "generated-map-file"));
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function sourceMapFinding(file, line, pattern) {
+  return {
+    message: "Production source maps appear to be enabled or generated.",
+    file,
+    line,
+    recommendation:
+      "Disable public production source maps unless intentionally needed. If needed, upload them privately to error tracking instead of serving them publicly.",
+    heuristic: true,
+    metadata: {
+      pattern
+    }
+  };
+}
+
+async function collectGeneratedSourceMaps(rootPath) {
+  const results = [];
+
+  for (const directory of SOURCEMAP_DIRS) {
+    await visit(path.join(rootPath, directory), rootPath, results);
+    if (results.length >= MAX_SOURCEMAP_FILES) break;
+  }
+
+  return results.slice(0, MAX_SOURCEMAP_FILES);
+}
+
+async function visit(directory, rootPath, results) {
+  if (results.length >= MAX_SOURCEMAP_FILES) return;
+
+  let entries;
+  try {
+    entries = await fs.readdir(directory, { withFileTypes: true });
+  } catch {
+    return;
+  }
+
+  for (const entry of entries) {
+    if (results.length >= MAX_SOURCEMAP_FILES) return;
+    if (entry.name === "node_modules") continue;
+
+    const absolutePath = path.join(directory, entry.name);
+    if (entry.isDirectory()) {
+      await visit(absolutePath, rootPath, results);
+      continue;
+    }
+
+    if (entry.isFile() && entry.name.endsWith(".map")) {
+      results.push(normalizeRelativePath(path.relative(rootPath, absolutePath)));
+    }
+  }
+}

package/src/checks/index.js

@@ -5,6 +5,7 @@ import envFileTracked from "./env/env-file-tracked.js";
 import envExampleMissing from "./env/env-example-missing.js";
 import possibleSecretInCode from "./env/possible-secret-in-code.js";
 import frontendSecretExposure from "./env/frontend-secret-exposure.js";
+import secretsInLogs from "./secrets/secrets-in-logs.js";
 import lockfileMissing from "./dependencies/lockfile-missing.js";
 import multipleLockfiles from "./dependencies/multiple-lockfiles.js";
 import installScriptsRisk from "./dependencies/install-scripts-risk.js";
@@ -18,13 +19,22 @@ import expressJsonLimitMissing from "./node/express-json-limit-missing.js";
 import rateLimitMissing from "./node/rate-limit-missing.js";
 import helmetMissing from "./node/helmet-missing.js";
 import corsWildcard from "./node/cors-wildcard.js";
+import childProcessUserInput from "./node/child-process-user-input.js";
 import clientSideAuthOnly from "./web/client-side-auth-only.js";
 import dangerousInnerHtml from "./web/dangerous-inner-html.js";
 import missingOutputSanitization from "./web/missing-output-sanitization.js";
 import missingAuthOnRoutes from "./auth/missing-auth-on-routes.js";
 import idorRisk from "./auth/idor-risk.js";
+import jwtSecretWeakOrFallback from "./auth/jwt-secret-weak-or-fallback.js";
+import passwordHashingMissing from "./auth/password-hashing-missing.js";
 import rawSqlInterpolation from "./database/raw-sql-interpolation.js";
 import noMigrations from "./database/no-migrations.js";
+import insecureSessionCookie from "./cookies/insecure-session-cookie.js";
+import publicExecutableUpload from "./uploads/public-executable-upload.js";
+import missingRawBody from "./webhooks/missing-raw-body.js";
+import promptInjectionRisk from "./llm/prompt-injection-risk.js";
+import sourceMapsProduction from "./frontend/sourcemaps-production.js";
+import debugProduction from "./config/debug-production.js";
 import electronNodeIntegrationEnabled from "./electron/node-integration-enabled.js";
 import electronContextIsolationDisabled from "./electron/context-isolation-disabled.js";
 import tauriDangerousAllowlistOrCapabilities from "./tauri/dangerous-allowlist-or-capabilities.js";
@@ -37,6 +47,7 @@ export default [
   envExampleMissing,
   possibleSecretInCode,
   frontendSecretExposure,
+  secretsInLogs,
   lockfileMissing,
   multipleLockfiles,
   installScriptsRisk,
@@ -50,13 +61,22 @@ export default [
   rateLimitMissing,
   helmetMissing,
   corsWildcard,
+  childProcessUserInput,
   clientSideAuthOnly,
   dangerousInnerHtml,
   missingOutputSanitization,
   missingAuthOnRoutes,
   idorRisk,
+  jwtSecretWeakOrFallback,
+  passwordHashingMissing,
   rawSqlInterpolation,
   noMigrations,
+  insecureSessionCookie,
+  publicExecutableUpload,
+  missingRawBody,
+  promptInjectionRisk,
+  sourceMapsProduction,
+  debugProduction,
   electronNodeIntegrationEnabled,
   electronContextIsolationDisabled,
   tauriDangerousAllowlistOrCapabilities

package/src/checks/llm/prompt-injection-risk.js

@@ -0,0 +1,57 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const LLM_USAGE_RE =
+  /\b(?:openai\.chat\.completions\.create|openai\.responses\.create|anthropic\.messages\.create|generateText|streamText|ollama|langchain|aiOutput|completion|modelOutput|llmResponse)\b/i;
+const LLM_OUTPUT_RE = /\b(?:aiOutput|completion|modelOutput|llmResponse|llmResult|modelResponse)\b/i;
+const DANGEROUS_USE_RE =
+  /\b(?:eval|exec|execSync|spawn|spawnSync|db\.query|JSON\.parse|fetch)\s*\(\s*([^)\n;]+)|\bnew\s+Function\s*\(\s*([^)\n;]+)|\bprisma\.\$queryRawUnsafe\s*\(\s*([^)\n;]+)|\binnerHTML\s*=\s*([^;\n]+)|dangerouslySetInnerHTML\s*=\s*{{[\s\S]{0,200}?__html\s*:\s*([^}\n]+)|\bfs\.writeFile\s*\([^,\n]+,\s*([^)\n;]+)/gi;
+
+export default {
+  id: "llm.prompt-injection-risk",
+  title: "LLM output should not flow directly into dangerous actions",
+  category: "llm",
+  severity: "high",
+  tags: ["llm", "prompt-injection", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !LLM_USAGE_RE.test(content)) continue;
+
+      DANGEROUS_USE_RE.lastIndex = 0;
+      let match;
+      while ((match = DANGEROUS_USE_RE.exec(content)) !== null) {
+        const argument = match.slice(1).find(Boolean) || "";
+        if (!LLM_OUTPUT_RE.test(argument)) continue;
+
+        findings.push({
+          message:
+            "LLM output appears to flow into code execution, shell commands, HTML injection, database queries, file writes or network requests.",
+          file,
+          line: lineFromOffset(content, match.index),
+          recommendation:
+            "Treat model output as untrusted input. Validate with schemas, use allowlists, require human approval for dangerous actions, and never execute raw model output.",
+          heuristic: true,
+          metadata: {
+            pattern: classifyDangerousUse(match[0])
+          }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function classifyDangerousUse(value) {
+  if (/\beval\b|\bFunction\b/.test(value)) return "code-execution";
+  if (/\bexec|spawn/.test(value)) return "shell-command";
+  if (/innerHTML|dangerouslySetInnerHTML/.test(value)) return "html-injection";
+  if (/query/.test(value)) return "database-query";
+  if (/writeFile/.test(value)) return "file-write";
+  if (/fetch/.test(value)) return "network-request";
+  if (/JSON\.parse/.test(value)) return "unvalidated-json-parse";
+  return "dangerous-llm-output-use";
+}

package/src/checks/node/child-process-user-input.js

@@ -0,0 +1,54 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const CHILD_PROCESS_RE = /\b(?:exec|execSync|spawn|spawnSync|fork)\s*\(([^;\n]*)/gi;
+const CHILD_PROCESS_IMPORT_RE = /\bchild_process\b|\bfrom\s+["'`]node:child_process["'`]|\brequire\s*\(\s*["'`](?:node:)?child_process["'`]\s*\)/i;
+const USER_INPUT_RE =
+  /\b(?:req\.(?:body|query|params)|request\.body|searchParams|process\.argv|formData|userInput|input|filename|branch|url)\b/i;
+const ALLOWLIST_RE = /\b(?:allowlist|allowed|whitelist|safeList|zod|schema|validate|validator|assertAllowed)\b/i;
+
+export default {
+  id: "node.child-process-user-input",
+  title: "Child process commands should not trust user input",
+  category: "node",
+  severity: "critical",
+  tags: ["node", "command-injection", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !CHILD_PROCESS_IMPORT_RE.test(content)) continue;
+
+      CHILD_PROCESS_RE.lastIndex = 0;
+      let match;
+      while ((match = CHILD_PROCESS_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        const nearby = nearbyText(content, line, 8);
+        if (!USER_INPUT_RE.test(match[1] || nearby)) continue;
+        if (ALLOWLIST_RE.test(nearby)) continue;
+
+        findings.push({
+          message: "User-controlled input appears to flow into a child process command.",
+          file,
+          line,
+          recommendation:
+            "Avoid shell execution with user input. Use spawn with fixed command and argument arrays, validate against allowlists, and never concatenate shell strings.",
+          heuristic: true,
+          metadata: {
+            pattern: "child-process-user-input"
+          }
+        });
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}

package/src/checks/secrets/secrets-in-logs.js

@@ -0,0 +1,86 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile } from "../helpers.js";
+
+const LOG_CALL_RE = /\b(?:console\.(?:log|error|debug|info|warn)|logger\.(?:info|debug|error|warn|trace))\s*\(([^)]*)\)/g;
+const SECRET_TERMS = [
+  "SECRET",
+  "TOKEN",
+  "KEY",
+  "PASSWORD",
+  "DATABASE_URL",
+  "PRIVATE",
+  "SERVICE_ROLE",
+  "OPENAI_API_KEY",
+  "STRIPE_SECRET_KEY",
+  "JWT_SECRET",
+  "GITHUB_TOKEN",
+  "AWS_SECRET_ACCESS_KEY"
+];
+
+export default {
+  id: "secrets.secrets-in-logs",
+  title: "Logs should not include secrets or sensitive request data",
+  category: "secrets",
+  severity: "high",
+  tags: ["secrets", "logging", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content) continue;
+      const lines = content.split(/\r?\n/);
+
+      for (let index = 0; index < lines.length; index += 1) {
+        const line = lines[index];
+        LOG_CALL_RE.lastIndex = 0;
+
+        let match;
+        while ((match = LOG_CALL_RE.exec(line)) !== null) {
+          const args = match[1] || "";
+          if (!containsSensitiveLogTarget(args)) continue;
+
+          findings.push({
+            message:
+              "Logging environment variables, headers, request bodies or secret-like config values may expose sensitive data.",
+            file,
+            line: index + 1,
+            recommendation:
+              "Remove sensitive logging, mask secrets, and log only explicit non-sensitive fields.",
+            heuristic: true,
+            metadata: {
+              secretType: detectSecretType(args),
+              valueRedacted: true
+            }
+          });
+          break;
+        }
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function containsSensitiveLogTarget(value) {
+  return (
+    /\bprocess\.env(?:\.[A-Z0-9_]+)?\b/.test(value) ||
+    /\b(?:req|request)\.(?:headers|body)\b/.test(value) ||
+    /\bconfig\b/i.test(value) ||
+    SECRET_TERMS.some((term) => new RegExp(`\\b${escapeRegExp(term)}\\b`, "i").test(value))
+  );
+}
+
+function detectSecretType(value) {
+  const match = SECRET_TERMS.find((term) => new RegExp(`\\b${escapeRegExp(term)}\\b`, "i").test(value));
+  if (match) return match;
+  if (/\bprocess\.env\b/.test(value)) return "ENVIRONMENT";
+  if (/\b(?:req|request)\.headers\b/.test(value)) return "REQUEST_HEADERS";
+  if (/\b(?:req|request)\.body\b/.test(value)) return "REQUEST_BODY";
+  if (/\bconfig\b/i.test(value)) return "CONFIG";
+  return "UNKNOWN";
+}
+
+function escapeRegExp(value) {
+  return value.replace(/[|\\{}()[\]^$+?.]/g, "\\$&");
+}

package/src/checks/uploads/public-executable-upload.js

@@ -0,0 +1,63 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const PUBLIC_UPLOAD_PATH_RE = /(?:public|static|dist|build|\.next\/static)\/(?:uploads|files)/i;
+const PUBLIC_UPLOAD_PATTERNS = [
+  /multer\s*\(\s*{[\s\S]{0,500}?dest\s*:\s*["'`](?:public|static|dist|build|\.next\/static)\/(?:uploads|files)["'`]/gi,
+  /\b(?:uploadDir|uploadsDir|destination)\b\s*=\s*["'`](?:public|static|dist|build|\.next\/static)\/(?:uploads|files)["'`]/gi,
+  /path\.join\s*\([^)]*["'`](?:public|static|dist|build)["'`]\s*,\s*["'`](?:uploads|files)["'`]/gi,
+  /fs\.writeFile\s*\(\s*["'`](?:public|static|dist|build|\.next\/static)\/(?:uploads|files)\//gi,
+  /app\.use\s*\(\s*["'`]\/(?:uploads|files)["'`]\s*,\s*express\.static\s*\(/gi,
+  /express\.static\s*\(\s*["'`](?:public|static)["'`]\s*\)/gi
+];
+const VALIDATION_RE = /\b(?:fileFilter|limits\s*:\s*{[\s\S]{0,120}?fileSize|limits\.fileSize|mimetype|allowedTypes|allowedMimeTypes)\b/i;
+
+export default {
+  id: "uploads.public-executable-upload",
+  title: "Uploads should not be stored directly in public web roots",
+  category: "uploads",
+  severity: "high",
+  tags: ["uploads", "static-files", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !/(upload|multer|express\.static|writeFile|public\/|static\/)/i.test(content)) continue;
+
+      for (const regex of PUBLIC_UPLOAD_PATTERNS) {
+        regex.lastIndex = 0;
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          if (!PUBLIC_UPLOAD_PATH_RE.test(match[0]) && !/\/(?:uploads|files)/i.test(match[0])) continue;
+          const line = lineFromOffset(content, match.index);
+          const validationMissing = !VALIDATION_RE.test(nearbyText(content, line, 12));
+
+          findings.push({
+            message:
+              "Uploaded files appear to be stored in a public directory, possibly without strict file type and size validation.",
+            file,
+            line,
+            recommendation:
+              "Store uploads outside the public web root, validate MIME type and extension, enforce file size limits, and serve files through controlled routes.",
+            heuristic: true,
+            metadata: {
+              validationMissing
+            }
+          });
+          break;
+        }
+        if (findings.some((finding) => finding.file === file)) break;
+      }
+    }
+
+    return findings.slice(0, 100);
+  }
+};
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}

package/src/checks/webhooks/missing-raw-body.js

@@ -0,0 +1,82 @@
+import { isCodeLikeFile, isEnvExampleFile, isLockfile, lineFromOffset } from "../helpers.js";
+
+const PROVIDER_RE =
+  /\b(?:stripe\.webhooks\.constructEvent|github webhook signature|x-hub-signature|svix|clerk|lemon\s*squeezy|lemonsqueezy|polar|paddle|webhook signature)\b/i;
+const PARSED_BODY_SIGNATURE_RE = /\b(?:stripe\.webhooks\.)?constructEvent\s*\(\s*req\.body\b/gi;
+const RAW_BODY_RE = /\b(?:express\.raw\s*\(|bodyParser\.raw\s*\(|rawBody|req\.rawBody|buffer)\b/i;
+const GLOBAL_JSON_RE = /\bapp\.use\s*\(\s*express\.json\s*\(/i;
+const WEBHOOK_ROUTE_RE = /\bapp\.(?:post|put|patch)\s*\(\s*["'`][^"'`]*webhook/i;
+
+export default {
+  id: "webhooks.missing-raw-body",
+  title: "Signed webhooks should verify the exact raw body",
+  category: "webhooks",
+  severity: "high",
+  tags: ["webhooks", "signatures", "heuristic"],
+  run: async (context) => {
+    const findings = [];
+
+    for (const file of context.textFiles) {
+      if (isLockfile(file) || isEnvExampleFile(file) || !isCodeLikeFile(file)) continue;
+      const content = await context.readFileSafe(file);
+      if (!content || !PROVIDER_RE.test(content)) continue;
+
+      PARSED_BODY_SIGNATURE_RE.lastIndex = 0;
+      let match;
+      while ((match = PARSED_BODY_SIGNATURE_RE.exec(content)) !== null) {
+        const line = lineFromOffset(content, match.index);
+        if (RAW_BODY_RE.test(nearbyText(content, line, 12))) continue;
+        findings.push(webhookFinding(file, line, "parsed-body-signature-check"));
+      }
+
+      const jsonLine = firstLineMatching(content, GLOBAL_JSON_RE);
+      const routeLine = firstLineMatching(content, WEBHOOK_ROUTE_RE);
+      if (jsonLine && routeLine && jsonLine < routeLine && !RAW_BODY_RE.test(content)) {
+        findings.push(webhookFinding(file, jsonLine, "json-parser-before-webhook-route"));
+      }
+    }
+
+    return dedupe(findings).slice(0, 100);
+  }
+};
+
+function webhookFinding(file, line, pattern) {
+  return {
+    message:
+      "Webhook signature verification appears to use a parsed request body. Some providers require the exact raw body.",
+    file,
+    line,
+    recommendation:
+      "Use a raw body parser for signed webhook routes and register it before JSON parsing middleware.",
+    heuristic: true,
+    metadata: {
+      pattern
+    }
+  };
+}
+
+function firstLineMatching(content, regex) {
+  const lines = content.split(/\r?\n/);
+  for (let index = 0; index < lines.length; index += 1) {
+    regex.lastIndex = 0;
+    if (regex.test(lines[index])) return index + 1;
+  }
+  return null;
+}
+
+function nearbyText(content, line, radius) {
+  const lines = content.split(/\r?\n/);
+  const start = Math.max(0, line - radius - 1);
+  const end = Math.min(lines.length, line + radius);
+  return lines.slice(start, end).join("\n");
+}
+
+function dedupe(findings) {
+  const seen = new Set();
+  return findings.filter((finding) => {
+    const key = `${finding.file}:${finding.line}:${finding.metadata.pattern}`;
+    if (seen.has(key)) return false;
+    seen.add(key);
+    return true;
+  });
+}

package/src/reporters/consoleStyle.js

@@ -7,6 +7,7 @@ const EDGY_TITLES = {
     'env.env-file-tracked': 'It works, but your .env is tracked.',
     'env.possible-secret-in-code': 'It works, but your repo may be leaking secrets.',
     'env.frontend-secret-exposure': 'It works, but your frontend env variable smells like a backend secret.',
+    'secrets.secrets-in-logs': 'It works, but your logs may be leaking secrets.',
     'git.gitignore-missing': 'It works, but your repo forgot what not to commit.',
     'git.gitignore-incomplete': 'It works, but your .gitignore has holes.',
     'git.ignored-files-tracked': 'It works, but Git is already tracking files you meant to ignore.',
@@ -19,11 +20,20 @@ const EDGY_TITLES = {
     'node.rate-limit-missing': 'It works, but your endpoints have no brakes.',
     'node.helmet-missing': 'It works, but your HTTP headers are underdressed.',
     'node.cors-wildcard': 'It works, but CORS is holding the door open.',
+    'node.child-process-user-input': 'It works, but your shell command trusts the internet.',
     'web.dangerous-inner-html': 'It works, but your frontend is injecting HTML with sharp edges.',
     'api.missing-auth-on-routes': 'It works, but this API route appears to trust strangers.',
     'api.idor-risk': 'It works, but this ID lookup may belong to someone else.',
+    'auth.jwt-secret-weak-or-fallback': 'It works, but your JWT secret has a fallback key.',
+    'auth.password-hashing-missing': 'It works, but your passwords may be stored too honestly.',
     'database.raw-sql-interpolation': 'It works, but your SQL query is one template string away from pain.',
     'database.no-migrations': 'It works, but your database schema has no paper trail.',
+    'cookies.insecure-session-cookie': 'It works, but your session cookie is dressed for localhost.',
+    'uploads.public-executable-upload': 'It works, but your uploads are sitting in the front window.',
+    'webhooks.missing-raw-body': 'It works, but your webhook signature check may be checking the wrong body.',
+    'llm.prompt-injection-risk': 'It works, but your AI output has admin energy.',
+    'frontend.sourcemaps-production': 'It works, but your source code may be shipping with the app.',
+    'config.debug-production': 'It works, but production still thinks it is a dev server.',
     'electron.node-integration-enabled': 'It works, but Electron is holding the Node.js door open.',
     'electron.context-isolation-disabled': 'It works, but your renderer and backend are sharing a room.',
     'tauri.dangerous-allowlist-or-capabilities': 'It works, but your Tauri permissions look too generous.',
@@ -44,6 +54,8 @@ const FIX_PROMPT_ACTIONS = {
         'Move hardcoded secret material into a runtime secret store or CI secret, replace committed values with placeholders, and avoid printing secret values anywhere.',
     'env.frontend-secret-exposure':
         'Move secret-like frontend environment variables to server-side code and keep only intentionally public values behind public prefixes.',
+    'secrets.secrets-in-logs':
+        'Remove sensitive logging, mask secrets, and log only explicit non-sensitive fields.',
     'git.gitignore-missing':
         'Add a project-appropriate .gitignore for dependencies, local env files, build output, logs, databases, OS files, and coverage artifacts.',
     'git.gitignore-incomplete':
@@ -73,6 +85,8 @@ const FIX_PROMPT_ACTIONS = {
         'Install and apply Helmet or equivalent security headers early in the Express middleware stack.',
     'node.cors-wildcard':
         'Restrict CORS origins to trusted application origins and avoid wildcard or credentials-unsafe configurations.',
+    'node.child-process-user-input':
+        'Avoid shell execution with user input. Use spawn with fixed command and argument arrays, validate against allowlists, and never concatenate shell strings.',
     'web.client-side-auth-only':
         'Move authorization enforcement to server-side API or route handlers and keep frontend checks as UI-only hints.',
     'web.dangerous-inner-html':
@@ -82,9 +96,25 @@ const FIX_PROMPT_ACTIONS = {
         'Add explicit authentication and authorization to the route, or document why the route is intentionally public.',
     'api.idor-risk':
         'Scope object access by authenticated user, owner, tenant, account, or organization in addition to object id.',
+    'auth.jwt-secret-weak-or-fallback':
+        'Require a strong JWT secret from the environment in production and fail startup if it is missing.',
+    'auth.password-hashing-missing':
+        'Hash passwords with argon2, bcrypt, scrypt or PBKDF2 before storage. Never store raw passwords.',
     'database.raw-sql-interpolation':
         'Replace SQL string interpolation or concatenation with parameterized queries, prepared statements, or a safe ORM query builder.',
     'database.no-migrations': 'Add versioned database migrations that match the detected ORM or database stack.',
+    'cookies.insecure-session-cookie':
+        'Set httpOnly, secure and sameSite for session cookies. Use secure: true in production.',
+    'uploads.public-executable-upload':
+        'Store uploads outside the public web root, validate MIME type and extension, enforce file size limits, and serve files through controlled routes.',
+    'webhooks.missing-raw-body':
+        'Use a raw body parser for signed webhook routes and register it before JSON parsing middleware.',
+    'llm.prompt-injection-risk':
+        'Treat model output as untrusted input. Validate with schemas, use allowlists, require human approval for dangerous actions, and never execute raw model output.',
+    'frontend.sourcemaps-production':
+        'Disable public production source maps unless intentionally needed. If needed, upload them privately to error tracking instead of serving them publicly.',
+    'config.debug-production':
+        'Disable verbose errors and debug flags in production. Avoid exposing stack traces, internal paths or development tooling.',
     'electron.node-integration-enabled':
         'Set nodeIntegration to false and expose only narrowly scoped APIs through preload.',
     'electron.context-isolation-disabled':