redgun-security 1.0.0

package/src/core/reporter/html.js

@@ -0,0 +1,105 @@
+import { writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+import { getFindings, getSeverityCounts } from '../findings.js';
+import { calculateScore, getGrade, getGradeColor } from '../score.js';
+
+export function exportHtml(outputDir = './scans') {
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+
+  const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+  const filepath = join(outputDir, `redgun-${timestamp}.html`);
+
+  const score = calculateScore();
+  const grade = getGrade(score);
+  const gradeColor = getGradeColor(grade);
+  const counts = getSeverityCounts();
+  const findings = getFindings();
+
+  const grouped = {};
+  for (const f of findings) {
+    if (!grouped[f.severity]) grouped[f.severity] = [];
+    grouped[f.severity].push(f);
+  }
+
+  const severityOrder = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW', 'INFO'];
+  const severityColors = {
+    CRITICAL: '#f44336',
+    HIGH: '#ff5722',
+    MEDIUM: '#ff9800',
+    LOW: '#2196f3',
+    INFO: '#9e9e9e',
+  };
+
+  let findingsHtml = '';
+  for (const sev of severityOrder) {
+    if (!grouped[sev] || grouped[sev].length === 0) continue;
+    findingsHtml += `<h3 style="color:${severityColors[sev]}">${sev} (${grouped[sev].length})</h3>`;
+    for (const f of grouped[sev]) {
+      findingsHtml += `
+        <div class="finding" style="border-left:4px solid ${severityColors[sev]}">
+          <strong>[${f.module}]</strong> ${escapeHtml(f.title)}
+          ${f.details ? `<p class="details">${escapeHtml(f.details)}</p>` : ''}
+          ${f.fix ? `<p class="fix"><strong>Fix:</strong> ${escapeHtml(f.fix)}</p>` : ''}
+        </div>`;
+    }
+  }
+
+  const html = `<!DOCTYPE html>
+<html lang="en">
+<head>
+  <meta charset="UTF-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1.0">
+  <title>RedGun Security Report</title>
+  <style>
+    * { margin: 0; padding: 0; box-sizing: border-box; }
+    body { font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: #0d1117; color: #c9d1d9; padding: 2rem; }
+    .container { max-width: 900px; margin: 0 auto; }
+    h1 { color: #ff4444; font-size: 2rem; margin-bottom: 0.5rem; }
+    h2 { color: #58a6ff; margin: 1.5rem 0 1rem; }
+    h3 { margin: 1.5rem 0 0.5rem; }
+    .score-card { background: #161b22; border-radius: 12px; padding: 2rem; margin: 1.5rem 0; text-align: center; }
+    .score { font-size: 4rem; font-weight: bold; color: ${gradeColor}; }
+    .grade { font-size: 1.5rem; color: ${gradeColor}; }
+    .counts { display: flex; justify-content: center; gap: 1.5rem; margin-top: 1rem; flex-wrap: wrap; }
+    .count-item { text-align: center; }
+    .count-num { font-size: 1.5rem; font-weight: bold; }
+    .finding { background: #161b22; border-radius: 8px; padding: 1rem; margin: 0.5rem 0; }
+    .details { color: #8b949e; margin-top: 0.5rem; font-size: 0.9rem; }
+    .fix { color: #3fb950; margin-top: 0.5rem; font-size: 0.9rem; }
+    .footer { text-align: center; margin-top: 3rem; color: #484f58; }
+  </style>
+</head>
+<body>
+  <div class="container">
+    <h1>RedGun Security Report</h1>
+    <p style="color:#8b949e">Generated: ${new Date().toLocaleString()}</p>
+    <div class="score-card">
+      <div class="score">${score}/100</div>
+      <div class="grade">Grade: ${grade}</div>
+      <div class="counts">
+        <div class="count-item"><div class="count-num" style="color:#f44336">${counts.critical}</div>Critical</div>
+        <div class="count-item"><div class="count-num" style="color:#ff5722">${counts.high}</div>High</div>
+        <div class="count-item"><div class="count-num" style="color:#ff9800">${counts.medium}</div>Medium</div>
+        <div class="count-item"><div class="count-num" style="color:#2196f3">${counts.low}</div>Low</div>
+        <div class="count-item"><div class="count-num" style="color:#9e9e9e">${counts.info}</div>Info</div>
+      </div>
+    </div>
+    <h2>Findings (${findings.length} total)</h2>
+    ${findingsHtml}
+    <div class="footer">
+      <p>RedGun Security Scanner v1.0.0 | HackTricks Enhanced</p>
+    </div>
+  </div>
+</body>
+</html>`;
+
+  writeFileSync(filepath, html);
+  return filepath;
+}
+
+function escapeHtml(str) {
+  if (!str) return '';
+  return str.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;').replace(/"/g, '&quot;');
+}

package/src/core/reporter/json.js

@@ -0,0 +1,66 @@
+import { writeFileSync, mkdirSync, existsSync } from 'fs';
+import { join } from 'path';
+import { getFindings, getSeverityCounts } from '../findings.js';
+import { calculateScore, getGrade } from '../score.js';
+
+export function exportJson(outputDir = './scans') {
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+
+  const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+  const filename = `redgun-${timestamp}.json`;
+  const filepath = join(outputDir, filename);
+
+  const report = {
+    tool: 'RedGun Security Scanner',
+    version: '1.0.0',
+    timestamp: new Date().toISOString(),
+    score: calculateScore(),
+    grade: getGrade(calculateScore()),
+    summary: getSeverityCounts(),
+    totalFindings: getFindings().length,
+    findings: getFindings(),
+  };
+
+  writeFileSync(filepath, JSON.stringify(report, null, 2));
+  return filepath;
+}
+
+export function exportSarif(outputDir = './scans') {
+  if (!existsSync(outputDir)) {
+    mkdirSync(outputDir, { recursive: true });
+  }
+
+  const timestamp = new Date().toISOString().replace(/[:.]/g, '-');
+  const filepath = join(outputDir, `redgun-${timestamp}.sarif`);
+
+  const sarif = {
+    $schema: 'https://raw.githubusercontent.com/oasis-tcs/sarif-spec/master/Schemata/sarif-schema-2.1.0.json',
+    version: '2.1.0',
+    runs: [{
+      tool: {
+        driver: {
+          name: 'RedGun',
+          version: '1.0.0',
+          informationUri: 'https://github.com/aloc999/redgun',
+          rules: [],
+        },
+      },
+      results: getFindings().map((f, i) => ({
+        ruleId: `REDGUN-${String(i + 1).padStart(3, '0')}`,
+        level: f.severity === 'CRITICAL' || f.severity === 'HIGH' ? 'error' : f.severity === 'MEDIUM' ? 'warning' : 'note',
+        message: { text: `[${f.module}] ${f.title}: ${f.details || ''}` },
+        locations: f.file ? [{
+          physicalLocation: {
+            artifactLocation: { uri: f.file },
+            region: f.line ? { startLine: f.line } : undefined,
+          },
+        }] : [],
+      })),
+    }],
+  };
+
+  writeFileSync(filepath, JSON.stringify(sarif, null, 2));
+  return filepath;
+}

package/src/core/score.js

@@ -0,0 +1,41 @@
+import { getFindings } from './findings.js';
+
+const SEVERITY_WEIGHTS = {
+  CRITICAL: -15,
+  HIGH: -8,
+  MEDIUM: -3,
+  LOW: -1,
+  INFO: 0,
+};
+
+export function calculateScore() {
+  const findings = getFindings();
+  let score = 100;
+
+  for (const finding of findings) {
+    score += SEVERITY_WEIGHTS[finding.severity] || 0;
+  }
+
+  return Math.max(0, Math.min(100, score));
+}
+
+export function getGrade(score) {
+  if (score >= 90) return 'A';
+  if (score >= 80) return 'B';
+  if (score >= 70) return 'C';
+  if (score >= 60) return 'D';
+  if (score >= 50) return 'E';
+  return 'F';
+}
+
+export function getGradeColor(grade) {
+  const colors = {
+    A: '#4caf50',
+    B: '#8bc34a',
+    C: '#ffeb3b',
+    D: '#ff9800',
+    E: '#ff5722',
+    F: '#f44336',
+  };
+  return colors[grade] || '#f44336';
+}

package/src/local/auth.js

@@ -0,0 +1,121 @@
+import { readFileSync, existsSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.rb', '.php'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '.next'];
+
+export async function auditAuth(projectPath, spinner) {
+  spinner.text = 'Checking auth & middleware configuration...';
+  const files = getFiles(projectPath);
+  let hasRateLimit = false;
+  let hasCors = false;
+  let hasCsrf = false;
+  let hasHelmet = false;
+
+  const packagePath = join(projectPath, 'package.json');
+  if (existsSync(packagePath)) {
+    try {
+      const pkg = JSON.parse(readFileSync(packagePath, 'utf-8'));
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+      hasRateLimit = !!allDeps['express-rate-limit'] || !!allDeps['rate-limiter-flexible'];
+      hasCors = !!allDeps['cors'];
+      hasCsrf = !!allDeps['csurf'] || !!allDeps['csrf'] || !!allDeps['lusca'];
+      hasHelmet = !!allDeps['helmet'];
+    } catch {}
+  }
+
+  if (!hasRateLimit) {
+    addFinding(
+      'HIGH',
+      'Auth & Middleware',
+      'No rate limiting detected',
+      'No rate-limit package found in dependencies',
+      'Install express-rate-limit or rate-limiter-flexible to prevent brute-force attacks'
+    );
+  }
+
+  if (!hasCsrf) {
+    addFinding(
+      'MEDIUM',
+      'Auth & Middleware',
+      'No CSRF protection detected',
+      'No CSRF package found in dependencies',
+      'Implement CSRF tokens using csurf or lusca middleware'
+    );
+  }
+
+  if (!hasHelmet) {
+    addFinding(
+      'MEDIUM',
+      'Auth & Middleware',
+      'No helmet (security headers) detected',
+      'Helmet package not found in dependencies',
+      'Install helmet to set secure HTTP headers automatically'
+    );
+  }
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+
+      if (/cors\(\s*\{\s*origin\s*:\s*['"`]\*['"`]/gi.test(content) || /cors\(\s*\)/g.test(content)) {
+        addFinding(
+          'MEDIUM',
+          'Auth & Middleware',
+          'CORS wildcard origin detected',
+          `File: ${relativePath}`,
+          'Restrict CORS origin to specific trusted domains instead of using wildcard *'
+        );
+      }
+
+      if (/session\s*\(\s*\{[^}]*secret\s*:\s*['"][^'"]{1,8}['"]/gi.test(content)) {
+        addFinding(
+          'HIGH',
+          'Auth & Middleware',
+          'Weak session secret',
+          `File: ${relativePath}`,
+          'Use a strong, random session secret (at least 32 characters) from environment variables'
+        );
+      }
+
+      if (/(?:expiresIn|exp)\s*:\s*['"]?\d{5,}['"]?/gi.test(content)) {
+        addFinding(
+          'LOW',
+          'Auth & Middleware',
+          'Long JWT/session expiration',
+          `File: ${relativePath}`,
+          'Consider shorter token expiration with refresh token rotation'
+        );
+      }
+
+      const hardcodedPwdPattern = /(?:password|passwd)\s*(?:===?|!==?)\s*['"][^'"]+['"]/gi;
+      if (hardcodedPwdPattern.test(content)) {
+        addFinding(
+          'CRITICAL',
+          'Auth & Middleware',
+          'Hardcoded password comparison',
+          `File: ${relativePath}`,
+          'Never hardcode passwords. Use bcrypt/argon2 hash comparison against stored hashes.'
+        );
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/code-vulnerabilities.js

@@ -0,0 +1,94 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+import { XSS_PATTERNS, SQLI_PATTERNS } from '../utils/patterns.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.vue', '.svelte', '.php', '.py', '.rb'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '.next', '.nuxt', '__pycache__', 'vendor', 'coverage'];
+
+export async function auditCodeVulnerabilities(projectPath, spinner) {
+  spinner.text = 'Scanning for code vulnerabilities (SQLi, XSS, eval)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      for (const pattern of SQLI_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            'CRITICAL',
+            'Code Vulnerabilities',
+            'SQL Injection - user input in query',
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 100)}`,
+            'Use parameterized queries or prepared statements. Never concatenate user input into SQL.'
+          );
+        }
+      }
+
+      for (const pattern of XSS_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            'HIGH',
+            'Code Vulnerabilities',
+            'XSS - unsafe HTML rendering',
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 100)}`,
+            'Sanitize user input before rendering as HTML. Use DOMPurify or framework-native sanitization.'
+          );
+        }
+      }
+
+      const evalPattern = /\beval\s*\(\s*(?!['"`])/g;
+      let evalMatch;
+      while ((evalMatch = evalPattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, evalMatch.index).split('\n').length;
+        addFinding(
+          'HIGH',
+          'Code Vulnerabilities',
+          'Dangerous eval() with dynamic input',
+          `File: ${relativePath}:${lineNum}`,
+          'Avoid eval(). Use JSON.parse() for data, or Function constructor with strict validation.'
+        );
+      }
+
+      const regexDosPattern = /new\s+RegExp\s*\(\s*(?:req|params|query|body|user)/gi;
+      let regexMatch;
+      while ((regexMatch = regexDosPattern.exec(content)) !== null) {
+        const lineNum = content.substring(0, regexMatch.index).split('\n').length;
+        addFinding(
+          'MEDIUM',
+          'Code Vulnerabilities',
+          'ReDoS - user input in RegExp constructor',
+          `File: ${relativePath}:${lineNum}`,
+          'Never create regex from user input. If needed, use a safe-regex library to validate patterns.'
+        );
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) {
+          files.push(fullPath);
+        }
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/command-injection.js

@@ -0,0 +1,74 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+import { COMMAND_INJECTION_PATTERNS } from '../utils/patterns.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.rb', '.php', '.go', '.java'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditCommandInjection(projectPath, spinner) {
+  spinner.text = 'Scanning for Command Injection (HackTricks)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      for (const pattern of COMMAND_INJECTION_PATTERNS) {
+        const regex = new RegExp(pattern.source, pattern.flags);
+        let match;
+        while ((match = regex.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            'CRITICAL',
+            'Command Injection (HackTricks)',
+            'OS Command Injection - user input in system command',
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Never pass user input to shell commands. Use execFile/spawn with argument arrays instead of exec with string interpolation. Implement strict input validation with allowlists. Consider using libraries that don\'t invoke a shell.'
+          );
+        }
+      }
+
+      const shellPatterns = [
+        /os\.system\s*\(\s*f?['"].*\{/gi,
+        /subprocess\.(?:call|run|Popen)\s*\(\s*f?['"].*\{/gi,
+        /subprocess\.(?:call|run|Popen)\s*\(\s*(?:request|input)/gi,
+        /Runtime\.getRuntime\(\)\.exec\s*\(\s*(?:request|input)/gi,
+        /Process\.Start\s*\(\s*(?:request|input)/gi,
+        /\`[^`]*\$\{.*(?:req|params|query|body|user).*\}[^`]*\`/gi,
+      ];
+
+      for (const pattern of shellPatterns) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          addFinding(
+            'CRITICAL',
+            'Command Injection (HackTricks)',
+            'Shell command with user-controlled input',
+            `File: ${relativePath}:${lineNum}\nCode: ${lines[lineNum - 1]?.trim().substring(0, 120)}`,
+            'Use parameterized command execution. In Node.js: use execFile() with argument array. In Python: use subprocess with shell=False and list args.'
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/crypto.js

@@ -0,0 +1,97 @@
+import { readFileSync, readdirSync, statSync } from 'fs';
+import { join, extname } from 'path';
+import { addFinding } from '../core/findings.js';
+
+const SCAN_EXTENSIONS = ['.js', '.ts', '.jsx', '.tsx', '.mjs', '.py', '.rb', '.php', '.go', '.java', '.cs'];
+const IGNORE_DIRS = ['node_modules', '.git', 'dist', 'build', '__pycache__', 'vendor'];
+
+export async function auditCrypto(projectPath, spinner) {
+  spinner.text = 'Scanning for weak cryptography (HackTricks)...';
+  const files = getFiles(projectPath);
+
+  for (const file of files) {
+    try {
+      const content = readFileSync(file, 'utf-8');
+      const relativePath = file.replace(projectPath, '.');
+      const lines = content.split('\n');
+
+      const weakAlgorithms = [
+        { pattern: /createHash\s*\(\s*['"]md5['"]\)/gi, algo: 'MD5', severity: 'HIGH' },
+        { pattern: /createHash\s*\(\s*['"]sha1['"]\)/gi, algo: 'SHA1', severity: 'MEDIUM' },
+        { pattern: /hashlib\.md5/gi, algo: 'MD5', severity: 'HIGH' },
+        { pattern: /hashlib\.sha1/gi, algo: 'SHA1', severity: 'MEDIUM' },
+        { pattern: /MessageDigest\.getInstance\s*\(\s*['"]MD5['"]\)/gi, algo: 'MD5', severity: 'HIGH' },
+        { pattern: /MessageDigest\.getInstance\s*\(\s*['"]SHA-?1['"]\)/gi, algo: 'SHA1', severity: 'MEDIUM' },
+        { pattern: /DES|3DES|RC4|RC2|Blowfish/gi, algo: 'Weak cipher', severity: 'HIGH' },
+        { pattern: /createCipheriv\s*\(\s*['"](?:des|rc4|aes-128-ecb)['"]/gi, algo: 'Weak cipher mode', severity: 'HIGH' },
+        { pattern: /ECB/g, algo: 'ECB mode', severity: 'HIGH' },
+        { pattern: /Math\.random\s*\(\s*\)/g, algo: 'Math.random() for crypto', severity: 'MEDIUM' },
+        { pattern: /random\.random\s*\(\s*\)/g, algo: 'random.random() for crypto', severity: 'MEDIUM' },
+      ];
+
+      for (const { pattern, algo, severity } of weakAlgorithms) {
+        let match;
+        while ((match = pattern.exec(content)) !== null) {
+          const lineNum = content.substring(0, match.index).split('\n').length;
+          const line = lines[lineNum - 1]?.trim() || '';
+
+          if (isComment(line)) continue;
+
+          addFinding(
+            severity,
+            'Weak Cryptography (HackTricks)',
+            `Weak cryptographic algorithm: ${algo}`,
+            `File: ${relativePath}:${lineNum}\nCode: ${line.substring(0, 100)}`,
+            `Replace ${algo} with strong alternatives: SHA-256/SHA-3 for hashing, AES-256-GCM for encryption, crypto.randomBytes()/secrets module for random generation.`
+          );
+        }
+      }
+
+      const hardcodedIv = /(?:iv|nonce)\s*[:=]\s*(?:Buffer\.from|new Uint8Array)\s*\(\s*['"][^'"]+['"]\)/gi;
+      let ivMatch;
+      while ((ivMatch = hardcodedIv.exec(content)) !== null) {
+        const lineNum = content.substring(0, ivMatch.index).split('\n').length;
+        addFinding(
+          'HIGH',
+          'Weak Cryptography (HackTricks)',
+          'Hardcoded IV/nonce detected',
+          `File: ${relativePath}:${lineNum}`,
+          'Never hardcode IVs/nonces. Generate a new random IV for each encryption operation using crypto.randomBytes().'
+        );
+      }
+
+      const hardcodedKey = /(?:encryption|cipher|crypto).*key\s*[:=]\s*['"][A-Za-z0-9+/=]{16,}['"]/gi;
+      let keyMatch;
+      while ((keyMatch = hardcodedKey.exec(content)) !== null) {
+        const lineNum = content.substring(0, keyMatch.index).split('\n').length;
+        addFinding(
+          'CRITICAL',
+          'Weak Cryptography (HackTricks)',
+          'Hardcoded encryption key',
+          `File: ${relativePath}:${lineNum}`,
+          'Store encryption keys in a key management system (KMS) or environment variables. Never hardcode cryptographic keys.'
+        );
+      }
+    } catch {}
+  }
+}
+
+function isComment(line) {
+  return line.startsWith('//') || line.startsWith('#') || line.startsWith('*');
+}
+
+function getFiles(dir, files = []) {
+  try {
+    const entries = readdirSync(dir);
+    for (const entry of entries) {
+      if (IGNORE_DIRS.includes(entry) || entry.startsWith('.')) continue;
+      const fullPath = join(dir, entry);
+      try {
+        const stat = statSync(fullPath);
+        if (stat.isDirectory()) getFiles(fullPath, files);
+        else if (SCAN_EXTENSIONS.includes(extname(entry).toLowerCase()) && stat.size < 512 * 1024) files.push(fullPath);
+      } catch {}
+    }
+  } catch {}
+  return files;
+}

package/src/local/dependencies.js

@@ -0,0 +1,83 @@
+import { execSync } from 'child_process';
+import { existsSync, readFileSync } from 'fs';
+import { join } from 'path';
+import { addFinding } from '../core/findings.js';
+
+export async function auditDependencies(projectPath, spinner) {
+  spinner.text = 'Auditing dependencies for CVEs...';
+
+  const packageJsonPath = join(projectPath, 'package.json');
+  const packageLockPath = join(projectPath, 'package-lock.json');
+
+  if (!existsSync(packageJsonPath)) return;
+
+  try {
+    const result = execSync('npm audit --json 2>/dev/null', {
+      cwd: projectPath,
+      encoding: 'utf-8',
+      timeout: 30000,
+    });
+
+    const audit = JSON.parse(result);
+    const vulnerabilities = audit.vulnerabilities || {};
+
+    for (const [pkg, info] of Object.entries(vulnerabilities)) {
+      const severity = mapSeverity(info.severity);
+      addFinding(
+        severity,
+        'Dependencies',
+        `${pkg} has known vulnerability`,
+        `Severity: ${info.severity} | Via: ${info.via?.map(v => typeof v === 'string' ? v : v.title).join(', ') || 'unknown'}`,
+        `Run: npm audit fix, or upgrade ${pkg} to a patched version`
+      );
+    }
+  } catch (err) {
+    try {
+      const result = execSync('npm audit 2>&1', {
+        cwd: projectPath,
+        encoding: 'utf-8',
+        timeout: 30000,
+      });
+      if (result.includes('found 0 vulnerabilities')) return;
+
+      const critMatch = result.match(/(\d+)\s+critical/);
+      const highMatch = result.match(/(\d+)\s+high/);
+      const modMatch = result.match(/(\d+)\s+moderate/);
+
+      if (critMatch) {
+        addFinding('CRITICAL', 'Dependencies', `${critMatch[1]} critical vulnerabilities in dependencies`, 'Run npm audit for details', 'Run: npm audit fix --force');
+      }
+      if (highMatch) {
+        addFinding('HIGH', 'Dependencies', `${highMatch[1]} high severity vulnerabilities in dependencies`, 'Run npm audit for details', 'Run: npm audit fix');
+      }
+      if (modMatch) {
+        addFinding('MEDIUM', 'Dependencies', `${modMatch[1]} moderate vulnerabilities in dependencies`, 'Run npm audit for details', 'Run: npm audit fix');
+      }
+    } catch {}
+  }
+
+  if (existsSync(packageJsonPath)) {
+    try {
+      const pkg = JSON.parse(readFileSync(packageJsonPath, 'utf-8'));
+      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
+
+      const dangerousPkgs = ['event-stream', 'flatmap-stream', 'ua-parser-js', 'coa', 'rc'];
+      for (const dangerous of dangerousPkgs) {
+        if (allDeps[dangerous]) {
+          addFinding(
+            'HIGH',
+            'Dependencies',
+            `Potentially compromised package: ${dangerous}`,
+            'This package has been involved in supply-chain attacks',
+            `Review if ${dangerous} is necessary and check its version for known compromised versions`
+          );
+        }
+      }
+    } catch {}
+  }
+}
+
+function mapSeverity(npmSeverity) {
+  const map = { critical: 'CRITICAL', high: 'HIGH', moderate: 'MEDIUM', low: 'LOW', info: 'INFO' };
+  return map[npmSeverity] || 'MEDIUM';
+}