pinata-security-cli 0.6.0 → 0.6.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pinata-security-cli",
-  "version": "0.6.0",
+  "version": "0.6.1",
   "description": "AI-powered test coverage analysis and generation tool. Find security blind spots before attackers do.",
   "type": "module",
   "main": "dist/index.js",
@@ -78,17 +78,21 @@
     "@stryker-mutator/core": "^9.5.1",
     "@stryker-mutator/typescript-checker": "^9.5.1",
     "@stryker-mutator/vitest-runner": "^9.5.1",
+    "@types/express": "^5.0.6",
     "@types/js-yaml": "^4.0.9",
     "@types/minimatch": "^5.1.2",
     "@types/node": "^20.14.10",
+    "@types/supertest": "^7.2.0",
     "@typescript-eslint/eslint-plugin": "^7.16.0",
     "@typescript-eslint/parser": "^7.16.0",
     "@vitest/coverage-v8": "^4.0.18",
     "eslint": "^8.57.1",
     "eslint-config-prettier": "^9.1.0",
     "eslint-plugin-import": "^2.29.1",
+    "express": "^5.2.1",
     "fast-check": "^4.5.3",
     "prettier": "^3.3.3",
+    "supertest": "^7.2.2",
     "tsup": "^8.1.0",
     "tsx": "^4.21.0",
     "typescript": "^5.5.3",

package/src/categories/definitions/data/data-race.yml

@@ -60,9 +60,13 @@ detectionPatterns:
   - id: ts-non-atomic-update
     type: regex
     language: typescript
-    pattern: "\\w+\\s*=\\s*\\w+\\s*\\+\\s*1|\\w+\\+\\+"
+    pattern: "await.*\\w+\\s*=\\s*\\w+\\s*\\+\\s*1|await.*\\w+\\+\\+|\\w+\\+\\+.*await"
     confidence: medium
-    description: Detects non-atomic increment
+    description: Detects non-atomic increment in async context (potential race condition)
+    sources:
+      - "\\basync\\b"
+      - "\\bawait\\b"
+      - "\\bPromise\\b"
 
   - id: ts-database-upsert
     type: regex

package/src/categories/definitions/input/boundary-testing.yml

@@ -35,6 +35,13 @@ detectionPatterns:
     confidence: medium
     description: Detects array indexing with user-controlled input without bounds check
 
+  - id: python-no-length-check-slice
+    type: regex
+    language: python
+    pattern: "\\w+\\[.*:\\s*\\]\\s*(?!.*(?:len|if|assert))"
+    confidence: low
+    description: Detects array slicing without prior length validation that may cause unexpected empty results
+
 testTemplates:
   - id: pytest-boundary-testing
     language: python

package/src/categories/definitions/input/injection-fuzzing.yml

@@ -59,6 +59,12 @@ detectionPatterns:
     pattern: "eval\\(|new Function\\(|setTimeout\\(.*\\+"
     confidence: high
     description: Detects dynamic code evaluation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+      - "\\breadline"
 
   - id: ts-innerhtml-input
     type: regex
@@ -66,6 +72,19 @@ detectionPatterns:
     pattern: "\\.innerHTML\\s*=|\\.outerHTML\\s*="
     confidence: high
     description: Detects innerHTML assignment
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\blocation\\.(hash|search|href)"
+      - "\\bwindow\\.location"
+      - "\\bURLSearchParams"
+    sanitizers:
+      - "DOMPurify\\.sanitize\\("
+      - "escapeHtml\\("
+      - "sanitizeHtml\\("
+      - "encodeURIComponent\\("
+      - "textContent\\s*="
 
   - id: ts-template-injection
     type: regex

package/src/categories/definitions/input/null-undefined.yml

@@ -27,6 +27,20 @@ detectionPatterns:
     confidence: high
     description: Detects non-null assertion operator (unsafe type narrowing bypass)
 
+  - id: python-none-attribute-access
+    type: regex
+    language: python
+    pattern: "(?:return|=)\\s+\\w+\\.\\w+.*(?!.*(?:if|is not None|is None))"
+    confidence: medium
+    description: Detects attribute access on a variable that may be None without a prior null check
+
+  - id: python-no-default-dict-access
+    type: regex
+    language: python
+    pattern: "\\w+\\[\\s*['\"]\\w+['\"]\\s*\\](?!.*\\.get)"
+    confidence: low
+    description: Detects direct dictionary bracket access without using .get() which raises KeyError on missing keys
+
 testTemplates:
   - id: pytest-null-undefined
     language: python

package/src/categories/definitions/network/connection-failure.yml

@@ -70,9 +70,15 @@ detectionPatterns:
   - id: ts-no-econnrefused
     type: regex
     language: typescript
-    pattern: "catch\\s*\\([^)]*\\)\\s*\\{(?!.*ECONNREFUSED|.*code)"
+    pattern: "(fetch|axios|got|request|http\\.get|https\\.get).*catch\\s*\\([^)]*\\)\\s*\\{(?!.*ECONNREFUSED|.*code|.*retry)"
     confidence: medium
-    description: Detects catch block not checking error codes
+    description: Detects network request catch block not checking error codes
+    sources:
+      - "\\bfetch\\("
+      - "\\baxios\\b"
+      - "\\bgot\\("
+      - "\\bhttp\\.get\\("
+      - "\\bhttps\\.get\\("
 
   - id: ts-socket-no-error-event
     type: regex

package/src/categories/definitions/resource/memory-leak.yml

@@ -77,9 +77,14 @@ detectionPatterns:
   - id: ts-array-push-unbounded
     type: regex
     language: typescript
-    pattern: "\\.push\\(.*\\)(?!.*slice|.*splice|.*shift|.*length\\s*=)"
+    pattern: "\\bmodule\\b.*\\.push\\(|\\bglobal\\b.*\\.push\\(|\\bthis\\.\\w+\\.push\\("
     confidence: low
-    description: Detects array growth without bounds
+    description: Detects unbounded growth on module/global/instance arrays (potential leak in long-running processes)
+    sources:
+      - "\\bsetInterval\\("
+      - "\\b\\.on\\("
+      - "\\bEventEmitter\\b"
+      - "\\bserver\\b"
 
 testTemplates:
   - id: pytest-memory-leak

package/src/categories/definitions/security/auth-failures.yml

@@ -118,6 +118,14 @@ detectionPatterns:
     description: |
       [REVIEW REQUIRED] User ID taken from request parameter.
       Verify ownership check exists before accessing resources.
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "req\\.user\\.id\\s*===|req\\.user\\.id\\s*=="
+      - "ownershipCheck\\(|verifyOwnership\\("
+      - "isOwner\\("
+      - "req\\.user\\.id\\s*!==.*throw|req\\.user\\.id\\s*!=.*throw"
 
   - id: idor-direct-lookup
     type: regex

package/src/categories/definitions/security/command-injection.yml

@@ -77,6 +77,16 @@ detectionPatterns:
     pattern: "child_process\\.exec\\s*\\(|exec\\s*\\(`.*\\$\\{"
     confidence: high
     description: Detects child_process.exec with potential user input
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "\\bexecFile\\("
+      - "\\bspawnSync\\(.*\\["
+      - "\\bshellEscape\\("
+      - "\\bescapeShellArg\\("
 
   - id: ts-child-process-spawn-shell
     type: regex
@@ -84,6 +94,13 @@ detectionPatterns:
     pattern: "spawn\\s*\\(.*shell:\\s*true"
     confidence: high
     description: Detects spawn with shell option enabled
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "\\bshellEscape\\("
+      - "\\bescapeShellArg\\("
 
   - id: ts-execsync
     type: regex

package/src/categories/definitions/security/csrf.yml

@@ -64,6 +64,16 @@ detectionPatterns:
     confidence: low
     description: Detects Express state-changing routes without csrf middleware
     negativePattern: "csurf|csrf\\(|csrfProtection"
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "csurf\\("
+      - "csrfProtection"
+      - "csrf\\("
+      - "SameSite=Strict|sameSite:\\s*[\"']strict[\"']"
+      - "SameSite=Lax|sameSite:\\s*[\"']lax[\"']"
+      - "lusca\\.csrf"
 
   - id: ts-fetch-no-credentials
     type: regex
@@ -72,6 +82,15 @@ detectionPatterns:
     confidence: low
     description: Detects fetch with state-changing methods (needs CSRF token)
     negativePattern: "X-CSRF|csrf|_token"
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "X-CSRF-Token"
+      - "csrf[Tt]oken"
+      - "_csrf"
+      - "SameSite=Strict|sameSite:\\s*[\"']strict[\"']"
+      - "SameSite=Lax|sameSite:\\s*[\"']lax[\"']"
 
   - id: ts-axios-no-csrf
     type: regex

package/src/categories/definitions/security/data-exposure.yml

@@ -51,6 +51,13 @@ detectionPatterns:
       [REVIEW REQUIRED] API returns full user/account object.
       Verify sensitive fields (password, SSN, etc.) are excluded.
     negativePattern: "\\.omit\\(|\\.pick\\(|\\.select\\(|exclude|sanitize"
+    sanitizers:
+      - "\\.select\\("
+      - "\\.omit\\("
+      - "\\bpick\\("
+      - "\\bomit\\("
+      - "\\.exclude\\("
+      - "\\bsanitize(User|Response)\\("
 
   - id: returning-full-object-py
     type: regex
@@ -79,6 +86,11 @@ detectionPatterns:
     description: |
       [REVIEW REQUIRED] SELECT * query on user table.
       Select only required fields to prevent data leakage.
+    sanitizers:
+      - "\\.select\\("
+      - "SELECT\\s+(id|name|email|username)"
+      - "\\.omit\\("
+      - "\\bpick\\("
 
   # ORM without field selection
   - id: prisma-findmany-no-select
@@ -89,6 +101,11 @@ detectionPatterns:
     description: |
       [REVIEW REQUIRED] Prisma query without select clause.
       Returns all fields by default.
+    sanitizers:
+      - "select:"
+      - "\\.omit\\("
+      - "\\bpick\\("
+      - "exclude:"
 
   - id: sequelize-findall-no-attributes
     type: regex
@@ -134,6 +151,13 @@ detectionPatterns:
     description: |
       [REVIEW REQUIRED] Spreading user object in response.
       May include sensitive fields unintentionally.
+    sanitizers:
+      - "\\.select\\("
+      - "\\.omit\\("
+      - "\\bpick\\("
+      - "\\bomit\\("
+      - "\\bexclude\\("
+      - "const\\s*\\{\\s*password.*\\}\\s*=.*user"
 
 testTemplates:
   - id: pytest-data-exposure-review

package/src/categories/definitions/security/dependency-risks.yml

@@ -88,16 +88,16 @@ detectionPatterns:
   - id: lodash-typosquat
     type: regex
     language: typescript
-    pattern: "(l0dash|lodahs|1odash|lodassh|lodsh)(?![a-z])"
+    pattern: "(import|require).*[\"'](l0dash|lodahs|1odash|lodassh|lodsh)[\"']"
     confidence: high
-    description: Potential lodash typosquat detected
+    description: Potential lodash typosquat in import/require statement
 
   - id: express-typosquat
     type: regex
     language: typescript
-    pattern: "(expres(?!s)|expresss|3xpress)(?![a-z])"
+    pattern: "(import|require).*[\"'](expres|expresss|3xpress)[\"']"
     confidence: high
-    description: Potential express typosquat detected
+    description: Potential express typosquat in import/require statement
 
   - id: requests-typosquat
     type: regex
@@ -130,7 +130,7 @@ detectionPatterns:
   - id: shai-hulud-packages
     type: regex
     language: typescript
-    pattern: "[\"'`](ngx-bootstrap|ng2-file-upload|@ctrl/tinycolor|valor-software/ngx-bootstrap)[\"'`]"
+    pattern: "(import|require|from).*[\"'`](ngx-bootstrap|ng2-file-upload|@ctrl/tinycolor)[\"'`]"
     confidence: high
     description: |
       CRITICAL: Package affected by Shai-Hulud supply chain attack (Sep 2025).
@@ -139,7 +139,7 @@ detectionPatterns:
   - id: compromised-packages-wave2
     type: regex
     language: typescript
-    pattern: "[\"'`](@acitons/artifact|huggingface-cli|react-dom-utils-helper)[\"'`]"
+    pattern: "(import|require|from).*[\"'`](@acitons/artifact|huggingface-cli|react-dom-utils-helper)[\"'`]"
     confidence: high
     description: |
       CRITICAL: Known malicious/typosquatted package.

package/src/categories/definitions/security/deserialization.yml

@@ -84,6 +84,18 @@ detectionPatterns:
     pattern: "serialize-javascript|js-yaml\\.load\\("
     confidence: medium
     description: Detects serialization libraries that may allow code execution
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "JSON\\.parse\\("
+      - "\\bz\\.(object|string|number|array)\\("
+      - "zod\\."
+      - "joi\\.validate\\("
+      - "Joi\\.(object|string)\\("
+      - "yaml\\.load\\(.*schema:\\s*yaml\\.JSON_SCHEMA"
 
   - id: ts-eval-json
     type: regex
@@ -91,6 +103,16 @@ detectionPatterns:
     pattern: "eval\\s*\\(.*JSON|Function\\s*\\([\"']return[\"']\\s*\\+"
     confidence: high
     description: Detects eval-based JSON parsing which allows code execution
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "JSON\\.parse\\("
+      - "\\bz\\.(object|string|number|array)\\("
+      - "zod\\."
+      - "joi\\.validate\\("
+      - "Joi\\.(object|string)\\("
 
   - id: ts-node-serialize
     type: regex
@@ -98,6 +120,16 @@ detectionPatterns:
     pattern: "node-serialize|serialize-to-js"
     confidence: high
     description: Detects node-serialize which is vulnerable to RCE
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "JSON\\.parse\\("
+      - "\\bz\\.(object|string|number|array)\\("
+      - "zod\\."
+      - "joi\\.validate\\("
+      - "Joi\\.(object|string)\\("
 
   - id: ts-vm-runinnewcontext
     type: regex
@@ -105,6 +137,18 @@ detectionPatterns:
     pattern: "vm\\.runInNewContext\\s*\\(|vm\\.runInThisContext\\s*\\("
     confidence: high
     description: Detects Node.js vm module with potential untrusted code
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bprocess\\.argv"
+    sanitizers:
+      - "JSON\\.parse\\("
+      - "\\bz\\.(object|string|number|array)\\("
+      - "zod\\."
+      - "joi\\.validate\\("
+      - "Joi\\.(object|string)\\("
+      - "vm2|isolated-vm"
 
   - id: ts-unserialize
     type: regex

package/src/categories/definitions/security/file-upload.yml

@@ -46,6 +46,16 @@ detectionPatterns:
     pattern: "multer\\s*\\(\\s*\\{(?!.*fileFilter)"
     confidence: high
     description: Multer configured without fileFilter - accepts any file type
+    sources:
+      - "req\\.file"
+      - "req\\.files"
+      - "req\\.(body|params|query)"
+    sanitizers:
+      - "fileFilter"
+      - "mimetype"
+      - "file\\.mimetype"
+      - "path\\.extname\\("
+      - "path\\.basename\\("
 
   - id: multer-no-limits
     type: regex
@@ -122,6 +132,16 @@ detectionPatterns:
     description: |
       [REVIEW] File processed without extension validation.
       Verify allowed file types are checked.
+    sources:
+      - "req\\.file"
+      - "req\\.files"
+    sanitizers:
+      - "path\\.extname\\("
+      - "\\.endsWith\\("
+      - "\\.match\\("
+      - "fileFilter"
+      - "allowedExtensions"
+      - "path\\.basename\\("
 
   - id: no-mimetype-check
     type: regex
@@ -131,6 +151,16 @@ detectionPatterns:
     description: |
       [REVIEW] File processed without MIME type check.
       Content-type can be spoofed, combine with magic number check.
+    sources:
+      - "req\\.file"
+      - "req\\.files"
+    sanitizers:
+      - "mimetype"
+      - "content-type"
+      - "file-type"
+      - "magic-bytes"
+      - "fileFilter"
+      - "path\\.basename\\("
 
   # Path traversal in filename
   - id: path-traversal-filename
@@ -141,6 +171,15 @@ detectionPatterns:
     description: |
       Filename from request used in path.join without sanitization.
       Path traversal attack possible (../../etc/passwd).
+    sources:
+      - "req\\.file\\.originalname"
+      - "req\\.file\\.filename"
+      - "req\\.(body|params|query)"
+    sanitizers:
+      - "path\\.basename\\("
+      - "sanitizeFilename\\("
+      - "secure_filename\\("
+      - "\\.\\..*reject|\\.\\..*throw"
 
 testTemplates:
   - id: pytest-file-upload

package/src/categories/definitions/security/ldap-injection.yml

@@ -77,6 +77,14 @@ detectionPatterns:
     pattern: "ldap.*client\\.search\\(.*\\+|ldapClient\\.search.*`.*\\$\\{"
     confidence: high
     description: Detects ldapjs search with string interpolation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "ldap\\.escape\\("
+      - "escapeLdap\\("
+      - "sanitizeFilter\\("
 
   - id: ts-ldap-filter-template
     type: regex
@@ -84,6 +92,12 @@ detectionPatterns:
     pattern: "ldap.*filter.*=.*`.*\\$\\{|ldapFilter.*\\$\\{"
     confidence: high
     description: Detects LDAP filter with template literal interpolation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "ldap\\.escape\\("
+      - "escapeLdap\\("
 
   - id: ts-activedirectory
     type: regex
@@ -91,6 +105,12 @@ detectionPatterns:
     pattern: "activedirectory.*find.*\\+|ad\\.find.*`.*\\$\\{"
     confidence: medium
     description: Detects ActiveDirectory library with user input
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "ldap\\.escape\\("
+      - "escapeLdap\\("
 
   - id: ts-ldap-escape-missing
     type: regex
@@ -99,6 +119,9 @@ detectionPatterns:
     confidence: medium
     description: Detects LDAP search operations
     negativePattern: "ldap\\.escape|escape.*filter|sanitize"
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
 
 testTemplates:
   - id: pytest-ldap-injection

package/src/categories/definitions/security/path-traversal.yml

@@ -80,12 +80,25 @@ detectionPatterns:
     pattern: "fs\\.(readFile|readFileSync|createReadStream)\\s*\\(.*\\+|fs\\.(readFile|readFileSync)\\s*\\(`.*\\$\\{"
     confidence: high
     description: Detects fs.readFile with string concatenation or template literal
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "path\\.resolve\\(.*path\\.normalize"
+      - "\\.startsWith\\("
+      - "path\\.relative\\(.*\\.startsWith"
+      - "\\brealpath"
 
   - id: ts-path-join-req
     type: regex
     language: typescript
     pattern: "path\\.join\\s*\\(.*req\\.(params|query|body)"
     confidence: medium
+    sanitizers:
+      - "\\.startsWith\\("
+      - "path\\.relative\\(.*\\.startsWith"
+      - "\\brealpath"
     description: Detects path.join with request parameters
     negativePattern: "path\\.resolve.*includes\\(|\\.\\.\\/'"
 

package/src/categories/definitions/security/prompt-injection.yml

@@ -44,6 +44,14 @@ detectionPatterns:
     description: |
       CRITICAL: User input concatenated into AI prompt.
       Attacker can inject instructions to manipulate AI behavior.
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "sanitizePrompt\\("
+      - "stripInstructions\\("
+      - "encodeForPrompt\\("
 
   - id: prompt-user-input-template
     type: regex
@@ -53,6 +61,12 @@ detectionPatterns:
     description: |
       CRITICAL: User input interpolated into prompt template.
       Use parameterized prompts or sanitize input.
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+    sanitizers:
+      - "sanitizePrompt\\("
+      - "stripInstructions\\("
 
   - id: python-prompt-fstring
     type: regex

package/src/categories/definitions/security/sql-injection.yml

@@ -88,6 +88,16 @@ detectionPatterns:
     pattern: "(query|execute|run)\\s*\\(\\s*`.*\\$\\{"
     confidence: high
     description: Detects database query with template literal interpolation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+      - "\\bargs\\b"
+    sanitizers:
+      - "\\$queryRaw\\s*`"
+      - "\\bescapeSql\\("
+      - "\\bsqlstring\\.escape\\("
+      - "\\bpg\\.escapeLiteral\\("
 
   - id: ts-concat-query
     type: regex
@@ -95,6 +105,16 @@ detectionPatterns:
     pattern: "(query|execute|run)\\s*\\(.*\\s*\\+\\s*"
     confidence: medium
     description: Detects database query with string concatenation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "\\bescapeSql\\("
+      - "\\bsqlstring\\.escape\\("
+      - "\\bpg\\.escapeLiteral\\("
+      - "parseInt\\("
+      - "Number\\("
 
   - id: ts-prisma-raw-unsafe
     type: regex
@@ -102,6 +122,13 @@ detectionPatterns:
     pattern: "\\$queryRawUnsafe\\s*\\(|\\$executeRawUnsafe\\s*\\("
     confidence: high
     description: Detects Prisma unsafe raw query methods
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
+      - "searchParams\\.get\\("
+    sanitizers:
+      - "\\$queryRaw\\s*`"
+      - "\\$executeRaw\\s*`"
 
   - id: ts-sequelize-literal
     type: regex
@@ -109,6 +136,9 @@ detectionPatterns:
     pattern: "sequelize\\.literal\\s*\\(\\s*`.*\\$\\{"
     confidence: high
     description: Detects Sequelize literal with interpolation
+    sources:
+      - "req\\.(body|params|query|headers)"
+      - "\\buser[Ii]nput\\b"
 
   # Generic template literal SQL patterns
   - id: ts-template-sql-select