sec-gate 0.1.8 → 0.2.0

package/README.md

@@ -126,6 +126,40 @@ doSomethingDangerous();
 
 ---
 
+## Configuration (optional)
+
+Create a `.sec-gate.yml` file in your project root to tune the scanner:
+
+```yaml
+# .sec-gate.yml
+
+# Only block commits on high/critical findings (medium/low are reported but don't block)
+severity_threshold: high
+
+# Exclude specific high-noise rules
+exclude_rules:
+  - path-join-resolve-traversal
+  - detect-non-literal-regexp
+  - detect-non-literal-fs-filename
+
+# Skip test/mock files
+exclude_paths:
+  - "**/__tests__/**"
+  - "**/*.test.js"
+  - "**/*.spec.ts"
+  - "**/mocks/**"
+
+# Disable SCA if you use Snyk/Dependabot separately
+sca: true
+
+# Disable custom rules
+custom_rules: true
+```
+
+A full example with all options is at `sec-gate.example.yml` inside the package.
+
+---
+
 ## Bypass (emergency only)
 
 ```bash

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sec-gate",
-  "version": "0.1.8",
+  "version": "0.2.0",
   "description": "Pre-commit security gate for OWASP Top 10 2021 — SAST, SCA and misconfig checks for Node/Express, Go and React codebases",
   "author": {
     "name": "Sundram Bhardwaj",
@@ -19,7 +19,9 @@
     "postinstall": "node scripts/postinstall.js"
   },
   "dependencies": {
-    "@pensar/semgrep-node": "^1.2.4"
+    "@pensar/semgrep-node": "^1.2.4",
+    "acorn": "^8.16.0",
+    "acorn-walk": "^8.3.5"
   },
   "keywords": [
     "security",
@@ -50,6 +52,7 @@
     "scripts/",
     "rules/",
     "vendor-bin/.gitkeep",
-    "README.md"
+    "README.md",
+    "sec-gate.example.yml"
   ]
 }

package/rules/custom-security.js

@@ -1,316 +1,479 @@
+'use strict';
+
+// security-scan: disable rule-id: detect-non-literal-fs-filename reason: filePath comes from git diff --cached, not user input
+// security-scan: disable rule-id: prototype-pollution reason: AST visitor pattern uses bracket notation on known node types, not user input
+
 /**
  * @file custom-security.js
- * @description sec-gate static analysis rule definitions.
+ * @description sec-gate custom security rules — AST-based analysis.
  *
- * This file is part of the sec-gate security scanning tool.
- * It defines DETECTION RULES used to identify insecure coding patterns
- * in source files during pre-commit scanning.
+ * Uses acorn to parse JavaScript/TypeScript into an Abstract Syntax Tree (AST)
+ * and walks the tree to detect security issues. This is fundamentally different
+ * from regex-based scanning:
  *
- * These rules are DETECTORS — they do not execute the patterns they detect.
- * Pattern strings are stored as text and compiled into RegExp at runtime.
+ * REGEX (old):  sees raw text line by line — misses multi-line patterns,
+ *               variable assignments, and code structure
  *
- * Rules cover patterns not caught by the owasp-top10 ruleset:
- *   1. Hardcoded secrets (API keys, passwords, JWT secrets)
- *   2. Insecure randomness (Math.random used for security tokens)
- *   3. Prototype pollution via bracket notation
- *   4. Sensitive data stored in Web Storage APIs
- *   5. Sensitive data exposure via console logging
- *   6. Dynamic code execution via Function constructor
+ * AST (new):    understands code structure — tracks variable assignments,
+ *               function calls, object shapes, and data flow across lines
  *
- * @module sec-gate/rules/custom-security
+ * Rules implemented:
+ *   1.  SQL injection via template literals (sequelize/knex/pg)
+ *   2.  SQL injection via string concatenation
+ *   3.  Hardcoded secrets in variable assignments
+ *   4.  Hardcoded secrets in object literals
+ *   5.  Insecure randomness (Math.random) in security context
+ *   6.  Prototype pollution via bracket notation
+ *   7.  Direct __proto__ access
+ *   8.  Sensitive data in localStorage/sessionStorage
+ *   9.  Sensitive data in console output
+ *   10. Dynamic code execution (new Function / eval)
+ *   11. Command injection (child_process.exec with template literal)
+ *   12. Path traversal (path.join/resolve with user-like variables)
  */
 
-'use strict';
-
 const fs   = require('fs');
 const path = require('path');
 
+let acorn, walk;
+try {
+  acorn = require('acorn');
+  walk  = require('acorn-walk');
+} catch {
+  // acorn not available — fall back to regex mode (degraded)
+  acorn = null;
+  walk  = null;
+}
+
 // ─────────────────────────────────────────────────────────────────────────────
-// Pattern registry
-// Patterns are stored as strings and compiled to RegExp at module load time.
-// This is intentional: storing patterns as strings makes the intent clear
-// (these are detectors, not code that uses the patterns).
+// Helpers
 // ─────────────────────────────────────────────────────────────────────────────
 
-/**
- * Each entry defines one detection rule.
- * Fields:
- *   id          — unique rule identifier
- *   description — developer-facing explanation of the risk and fix
- *   owasp       — OWASP Top 10 2021 category
- *   severity    — critical | high | medium | low
- *   patterns    — array of { source, flags } objects compiled into RegExp
- *   require     — 'any' (default) or 'all' — how multiple patterns are combined
- *   context     — optional: also check surrounding N lines for this pattern
- */
-const RULE_DEFINITIONS = [
+const SENSITIVE_NAMES = /(?:password|passwd|pwd|secret|api.?key|apikey|jwt|token|auth|credential|private.?key|access.?key|session)/i;
+const DB_QUERY_METHODS = /^(query|execute|raw|runQuery|sequelize\.query|knex\.raw|pg\.query|mysql\.query|db\.query)$/i;
+
+function nodeName(node) {
+  if (!node) return '';
+  if (node.type === 'Identifier') return node.name;
+  if (node.type === 'MemberExpression') {
+    return `${nodeName(node.object)}.${nodeName(node.property)}`;
+  }
+  return '';
+}
 
-  // ── Rule 1: Hardcoded secret in variable assignment ───────────────────────
-  {
+function isTemplateLiteralWithExpressions(node) {
+  return node && node.type === 'TemplateLiteral' && node.expressions && node.expressions.length > 0;
+}
+
+function isConcatenatedString(node) {
+  if (!node) return false;
+  if (node.type === 'BinaryExpression' && node.operator === '+') {
+    return true;
+  }
+  return false;
+}
+
+function isStringLiteral(node) {
+  return node && (node.type === 'Literal' && typeof node.value === 'string');
+}
+
+function isSensitiveName(name) {
+  return SENSITIVE_NAMES.test(name || '');
+}
+
+function getCalleeName(node) {
+  if (!node) return '';
+  if (node.type === 'CallExpression') return getCalleeName(node.callee);
+  if (node.type === 'Identifier') return node.name;
+  if (node.type === 'MemberExpression') {
+    return `${nodeName(node.object)}.${nodeName(node.property)}`;
+  }
+  return '';
+}
+
+function makeFinding({ rule, node, filePath, extraMsg }) {
+  return {
+    checkId:  rule.id,
+    path:     filePath,
+    line:     node.loc ? node.loc.start.line : undefined,
+    message:  extraMsg ? `${rule.description} ${extraMsg}` : rule.description,
+    severity: rule.severity,
+    owasp:    rule.owasp,
+    raw:      { nodeType: node.type }
+  };
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Rule definitions — pure metadata, logic is in the walker below
+// ─────────────────────────────────────────────────────────────────────────────
+
+const RULES = {
+  SQL_TEMPLATE: {
+    id: 'sql-injection-template-literal',
+    description: 'SQL query built with template literal string interpolation. Variables interpolated directly into SQL allow SQL injection. Use parameterized queries: sequelize.query(sql, { replacements: [...] })',
+    owasp: 'A03:2021 Injection',
+    severity: 'critical'
+  },
+  SQL_CONCAT: {
+    id: 'sql-injection-concatenation',
+    description: 'SQL query built with string concatenation. Use parameterized queries instead of building SQL strings manually.',
+    owasp: 'A03:2021 Injection',
+    severity: 'critical'
+  },
+  HARDCODED_SECRET_VAR: {
     id: 'hardcoded-secret-assignment',
-    description: [
-      'Hardcoded secret detected in variable assignment.',
-      'Secrets (API keys, passwords, JWT secrets) must be loaded from',
-      'environment variables (process.env.MY_SECRET), not hardcoded.',
-      'Hardcoded secrets are exposed in version control and build artifacts.'
-    ].join(' '),
+    description: 'Hardcoded secret detected in variable assignment. Load secrets from environment variables (process.env.MY_SECRET) instead.',
     owasp: 'A02:2021 Cryptographic Failures',
-    severity: 'critical',
-    patterns: [
-      {
-        source: '(?:const|let|var)\\s+(?:\\w*(?:key|secret|password|passwd|pwd|token|api_key|jwt|auth|credential|private_key)\\w*)\\s*=\\s*["\u0060\'][^"\u0060\'\\s]{6,}',
-        flags: 'i'
-      }
-    ]
+    severity: 'critical'
   },
-
-  // ── Rule 2: Hardcoded secret in object literal ────────────────────────────
-  {
+  HARDCODED_SECRET_OBJ: {
     id: 'hardcoded-secret-object',
-    description: [
-      'Hardcoded secret detected in object literal.',
-      'Use environment variables instead of hardcoding credentials in objects.'
-    ].join(' '),
+    description: 'Hardcoded secret detected in object literal. Load secrets from environment variables instead.',
     owasp: 'A02:2021 Cryptographic Failures',
-    severity: 'critical',
-    patterns: [
-      {
-        source: '(?:password|passwd|pwd|secret|api_key|apikey|jwt_secret|private_key|auth_token)\\s*:\\s*["\u0060\'][^"\u0060\'\\s]{6,}',
-        flags: 'i'
-      }
-    ]
+    severity: 'critical'
   },
-
-  // ── Rule 3: Insecure random — token context ───────────────────────────────
-  {
+  INSECURE_RANDOM: {
     id: 'insecure-random-token',
-    // security-scan: disable rule-id: insecure-random-context reason: description string documents the bad pattern, not uses it
-    description: 'Math dot random() is not cryptographically secure and must not be used to generate tokens, session IDs, nonces or passwords. Use crypto.randomBytes() (Node.js) or crypto.getRandomValues() (browser) instead.',
+    description: 'Math.random() is not cryptographically secure. Use crypto.randomBytes() (Node.js) or crypto.getRandomValues() (browser) for tokens, session IDs, and passwords.',
     owasp: 'A02:2021 Cryptographic Failures',
-    severity: 'high',
-    patterns: [
-      { source: 'Math\\.random\\(\\)', flags: '' },
-      { source: '(?:token|session|id|key|secret|password|nonce|salt|otp|code|csrf)', flags: 'i' }
-    ],
-    require: 'all'
+    severity: 'high'
   },
-
-  // ── Rule 4: Insecure random — ambient context ─────────────────────────────
-  {
-    id: 'insecure-random-context',
-    // security-scan: disable rule-id: insecure-random-context reason: description string documents the bad pattern, not uses it
-    description: 'Math dot random() detected in a security-sensitive context. Use crypto.randomBytes() for any cryptographic or security-sensitive purpose.',
-    owasp: 'A02:2021 Cryptographic Failures',
-    severity: 'medium',
-    patterns: [
-      { source: 'Math\\.random\\(\\)', flags: '' }
-    ],
-    context: {
-      lines: 3,
-      pattern: { source: '(?:token|session|secret|key|auth|crypto|password|nonce|salt)', flags: 'i' }
-    }
-  },
-
-  // ── Rule 5: Prototype pollution via bracket notation ──────────────────────
-  {
+  PROTOTYPE_POLLUTION: {
     id: 'prototype-pollution',
-    description: [
-      'Possible prototype pollution: a variable key is used in bracket-notation assignment.',
-      'If the key is user-controlled, an attacker can set properties on Object.prototype.',
-      'Validate or whitelist keys before assignment.'
-    ].join(' '),
+    description: 'Bracket notation assignment with a variable key. If the key is user-controlled, an attacker can pollute Object.prototype. Validate or whitelist keys before assignment.',
     owasp: 'A03:2021 Injection',
-    severity: 'high',
-    patterns: [
-      { source: '\\w+\\[\\s*\\w+\\s*\\]\\s*=', flags: '' }
-    ]
+    severity: 'high'
   },
-
-  // ── Rule 6: Direct prototype chain access ─────────────────────────────────
-  {
+  PROTO_ACCESS: {
     id: 'proto-direct-access',
-    description: [
-      'Direct access to the prototype chain detected.',
-      'This pattern is commonly used in prototype pollution attacks.',
-      'Avoid using prototype-chain access with user-controlled input.'
-    ].join(' '),
+    description: 'Direct __proto__ access detected. This is commonly used in prototype pollution attacks.',
     owasp: 'A03:2021 Injection',
-    severity: 'critical',
-    patterns: [
-      // security-scan: disable rule-id: proto-direct-access reason: this string is the detection pattern, not usage of __proto__
-      { source: '__proto__', flags: '' }
-    ]
-  },
-
-  // ── Rule 7: Sensitive data in localStorage ────────────────────────────────
-  {
-    id: 'localstorage-sensitive-data',
-    description: [
-      'Sensitive data stored in localStorage.',
-      'localStorage is accessible to any JavaScript on the page and is vulnerable',
-      'to XSS attacks. Use httpOnly cookies for tokens and authentication data.'
-    ].join(' '),
-    owasp: 'A02:2021 Cryptographic Failures',
-    severity: 'high',
-    patterns: [
-      { source: 'localStorage\\.setItem\\s*\\(', flags: '' },
-      { source: '(?:password|passwd|pwd|token|secret|key|auth|jwt|session|credential)', flags: 'i' }
-    ],
-    require: 'all'
+    severity: 'critical'
   },
-
-  // ── Rule 8: Sensitive data in sessionStorage ──────────────────────────────
-  {
-    id: 'sessionstorage-sensitive-data',
-    description: [
-      'Sensitive data stored in sessionStorage.',
-      'sessionStorage is accessible to XSS attacks.',
-      'Use httpOnly cookies for authentication tokens instead.'
-    ].join(' '),
+  STORAGE_SENSITIVE: {
+    id: 'webstorage-sensitive-data',
+    description: 'Sensitive data stored in localStorage/sessionStorage. Web storage is accessible to XSS attacks. Use httpOnly cookies for tokens and authentication data.',
     owasp: 'A02:2021 Cryptographic Failures',
-    severity: 'high',
-    patterns: [
-      { source: 'sessionStorage\\.setItem\\s*\\(', flags: '' },
-      { source: '(?:password|passwd|pwd|token|secret|key|auth|jwt|credential)', flags: 'i' }
-    ],
-    require: 'all'
+    severity: 'high'
   },
-
-  // ── Rule 9: Sensitive data in console output ──────────────────────────────
-  {
+  CONSOLE_SENSITIVE: {
     id: 'console-log-sensitive',
-    description: [
-      'Possible logging of sensitive data via console output.',
-      'Passwords, tokens and secrets logged to console appear in log files',
-      'and monitoring tools, creating an information disclosure risk.'
-    ].join(' '),
+    description: 'Possible logging of sensitive data. Passwords and tokens logged to console appear in log files and monitoring tools.',
     owasp: 'A09:2021 Security Logging and Monitoring Failures',
-    severity: 'high',
-    patterns: [
-      { source: 'console\\.(?:log|info|warn|error|debug)\\s*\\(', flags: '' },
-      { source: '(?:password|passwd|pwd|secret|token|api.?key|jwt|credential|private)', flags: 'i' }
-    ],
-    require: 'all'
+    severity: 'high'
   },
-
-  // ── Rule 10: Dynamic code execution via Function constructor ───────────────
-  {
-    id: 'dynamic-function-constructor',
-    description: [
-      'Dynamic code execution via the Function constructor detected.',
-      'Passing non-literal arguments to the Function constructor is equivalent',
-      'to eval() and allows arbitrary JavaScript execution.',
-      'Use a safe, sandboxed alternative instead.'
-    ].join(' '),
+  DYNAMIC_CODE: {
+    id: 'dynamic-code-execution',
+    description: 'Dynamic code execution via eval() or new Function() with non-literal argument. This allows arbitrary JavaScript execution.',
+    owasp: 'A03:2021 Injection',
+    severity: 'critical'
+  },
+  CMD_INJECTION: {
+    id: 'command-injection',
+    description: 'Shell command built with template literal or concatenation. If variables contain user input, this allows command injection. Use execFile() with argument arrays instead of exec() with strings.',
     owasp: 'A03:2021 Injection',
-    severity: 'critical',
-    patterns: [
-      { source: 'new\\s+Function\\s*\\(', flags: '' }
-    ],
-    // Only flag when the argument is not a pure string literal
-    exclude: [
-      { source: 'new\\s+Function\\s*\\(\\s*["\u0060\'][^"\u0060\']*["\u0060\']\\s*\\)', flags: '' }
-    ]
+    severity: 'critical'
   }
-
-];
+};
 
 // ─────────────────────────────────────────────────────────────────────────────
-// Compile patterns at module load time
+// AST walker — visits every node and applies rules
 // ─────────────────────────────────────────────────────────────────────────────
-// The RegExp() calls below are intentional: patterns are stored as strings and
-// compiled once at startup. The sources come from the hardcoded RULE_DEFINITIONS
-// array above — they are NOT derived from user input.
-const COMPILED_RULES = RULE_DEFINITIONS.map((rule) => ({
-  ...rule,
-  // security-scan: disable rule-id: detect-non-literal-regexp reason: sources are hardcoded strings from RULE_DEFINITIONS, never user input
-  compiled: rule.patterns.map((p) => new RegExp(p.source, p.flags)), // security-scan: disable rule-id: detect-non-literal-regexp reason: hardcoded rule pattern strings only
-  compiledExclude: (rule.exclude || []).map((p) => new RegExp(p.source, p.flags)), // security-scan: disable rule-id: detect-non-literal-regexp reason: hardcoded rule pattern strings only
-  compiledContext: rule.context
-    // security-scan: disable rule-id: detect-non-literal-regexp reason: hardcoded rule pattern strings only
-    ? new RegExp(rule.context.pattern.source, rule.context.pattern.flags)
-    : null
-}));
 
-// ─────────────────────────────────────────────────────────────────────────────
-// Test a single line against a compiled rule
-// ─────────────────────────────────────────────────────────────────────────────
-function testRule(rule, line, lineIdx, allLines) {
-  const requireAll = rule.require === 'all';
+function walkAST(ast, filePath) {
+  const findings = [];
 
-  // Check exclude patterns first — if matched, skip this rule
-  for (const excl of rule.compiledExclude) {
-    if (excl.test(line)) return false;
-  }
+  // Track variable names that hold SQL-like strings (simple 1-level taint)
+  const sqlVarNames = new Set();
 
-  // Test main patterns
-  const results = rule.compiled.map((re) => re.test(line));
-  const matched = requireAll ? results.every(Boolean) : results.some(Boolean);
+  walk.simple(ast, {
 
-  if (!matched) return false;
+    // ── Rule 1 & 2: SQL injection ───────────────────────────────────────────
+    VariableDeclarator(node) {
+      if (!node.init) return;
 
-  // If a context check is required, scan surrounding lines
-  if (rule.compiledContext) {
-    const { lines: windowSize } = rule.context;
-    const start = Math.max(0, lineIdx - windowSize);
-    const end   = Math.min(allLines.length, lineIdx + windowSize + 1);
-    const surrounding = allLines.slice(start, end).join(' ');
-    if (!rule.compiledContext.test(surrounding)) return false;
-  }
+      // Track variables assigned a template literal with expressions
+      // e.g. const rawQuery = `SELECT... ${someVar}`
+      if (isTemplateLiteralWithExpressions(node.init)) {
+        const varName = nodeName(node.id);
+        // Heuristic: if the template looks like SQL
+        const quasis = node.init.quasis.map((q) => q.value.raw).join('');
+        if (/\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE|JOIN)\b/i.test(quasis)) {
+          sqlVarNames.add(varName);
+          findings.push(makeFinding({
+            rule: RULES.SQL_TEMPLATE,
+            node: node.init,
+            filePath,
+            extraMsg: `Variable: ${varName}`
+          }));
+        }
+      }
+
+      // Track string concatenation with SQL keywords
+      if (isConcatenatedString(node.init)) {
+        const varName = nodeName(node.id);
+        // Walk the concat tree to find if SQL keywords are present
+        let hasSql = false;
+        walk.simple(node.init, {
+          Literal(n) {
+            if (typeof n.value === 'string' && /\b(?:SELECT|INSERT|UPDATE|DELETE|FROM|WHERE)\b/i.test(n.value)) {
+              hasSql = true;
+            }
+          }
+        });
+        if (hasSql) {
+          sqlVarNames.add(varName);
+          findings.push(makeFinding({ rule: RULES.SQL_CONCAT, node: node.init, filePath, extraMsg: `Variable: ${varName}` }));
+        }
+      }
 
-  return true;
+      // ── Rule 3: Hardcoded secrets in variable assignment ────────────────
+      const varName = nodeName(node.id);
+      if (isSensitiveName(varName) && isStringLiteral(node.init) && node.init.value.length >= 6) {
+        // Exclude environment variable reads
+        const val = node.init.value;
+        if (!val.startsWith('process.env') && !val.includes('${') && !/^(true|false|null|undefined|test|example|placeholder|changeme|xxx+|your[-_]?)$/i.test(val)) {
+          findings.push(makeFinding({ rule: RULES.HARDCODED_SECRET_VAR, node, filePath, extraMsg: `Variable name: ${varName}` }));
+        }
+      }
+    },
+
+    // ── Rule 1 continued: SQL injection via direct db.query() call ─────────
+    CallExpression(node) {
+      const callee = getCalleeName(node);
+
+      // Check if this is a db query call
+      const isDbCall = /(?:query|raw|execute)\b/i.test(callee) &&
+                       /(?:sequelize|knex|pg|mysql|db|pool|connection)\b/i.test(callee);
+
+      const isGenericQuery = /^(?:query|execute|runQuery)$/.test(callee);
+
+      if (isDbCall || isGenericQuery) {
+        const firstArg = node.arguments[0];
+        if (firstArg) {
+          // Direct template literal in the call
+          if (isTemplateLiteralWithExpressions(firstArg)) {
+            findings.push(makeFinding({ rule: RULES.SQL_TEMPLATE, node, filePath }));
+          }
+          // Direct concatenation in the call
+          if (isConcatenatedString(firstArg)) {
+            findings.push(makeFinding({ rule: RULES.SQL_CONCAT, node, filePath }));
+          }
+          // Tainted variable passed to query
+          if (firstArg.type === 'Identifier' && sqlVarNames.has(firstArg.name)) {
+            findings.push(makeFinding({
+              rule: RULES.SQL_TEMPLATE,
+              node,
+              filePath,
+              extraMsg: `Tainted variable "${firstArg.name}" passed to query`
+            }));
+          }
+        }
+      }
+
+      // ── Rule 5: Math.random() ─────────────────────────────────────────
+      if (callee === 'Math.random') {
+        findings.push(makeFinding({ rule: RULES.INSECURE_RANDOM, node, filePath }));
+      }
+
+      // ── Rule 8: localStorage/sessionStorage.setItem ────────────────────
+      if (/^(?:localStorage|sessionStorage)\.setItem$/.test(callee)) {
+        const keyArg = node.arguments[0];
+        if (keyArg && isStringLiteral(keyArg) && isSensitiveName(keyArg.value)) {
+          findings.push(makeFinding({ rule: RULES.STORAGE_SENSITIVE, node, filePath, extraMsg: `Key: "${keyArg.value}"` }));
+        }
+      }
+
+      // ── Rule 9: console.log with sensitive variable ────────────────────
+      if (/^console\.(?:log|info|warn|error|debug)$/.test(callee)) {
+        for (const arg of node.arguments) {
+          const argName = nodeName(arg);
+          if (isSensitiveName(argName)) {
+            findings.push(makeFinding({ rule: RULES.CONSOLE_SENSITIVE, node, filePath, extraMsg: `Argument: ${argName}` }));
+            break;
+          }
+        }
+      }
+
+      // ── Rule 10: eval() ─────────────────────────────────────────────────
+      if (callee === 'eval') {
+        const arg = node.arguments[0];
+        if (arg && !isStringLiteral(arg)) {
+          findings.push(makeFinding({ rule: RULES.DYNAMIC_CODE, node, filePath }));
+        }
+      }
+
+      // ── Rule 11: Command injection via exec/execSync ────────────────────
+      if (/^(?:exec|execSync|spawn|spawnSync)$/.test(callee) ||
+          /child_process\.(?:exec|execSync)/.test(callee)) {
+        const firstArg = node.arguments[0];
+        if (firstArg) {
+          if (isTemplateLiteralWithExpressions(firstArg)) {
+            findings.push(makeFinding({ rule: RULES.CMD_INJECTION, node, filePath }));
+          }
+          if (isConcatenatedString(firstArg)) {
+            findings.push(makeFinding({ rule: RULES.CMD_INJECTION, node, filePath }));
+          }
+        }
+      }
+    },
+
+    // ── Rule 10: new Function() ─────────────────────────────────────────────
+    NewExpression(node) {
+      if (nodeName(node.callee) === 'Function') {
+        const lastArg = node.arguments[node.arguments.length - 1];
+        if (lastArg && !isStringLiteral(lastArg)) {
+          findings.push(makeFinding({ rule: RULES.DYNAMIC_CODE, node, filePath }));
+        }
+      }
+    },
+
+    // ── Rule 4: Hardcoded secrets in object literals ────────────────────────
+    Property(node) {
+      const keyName = nodeName(node.key) || (node.key.type === 'Literal' ? node.key.value : '');
+      if (isSensitiveName(keyName) && isStringLiteral(node.value) && node.value.value.length >= 6) {
+        const val = node.value.value;
+        if (!/^(process\.env|true|false|null|test|example|placeholder|changeme|xxx+|your[-_]?)$/i.test(val)) {
+          findings.push(makeFinding({ rule: RULES.HARDCODED_SECRET_OBJ, node, filePath, extraMsg: `Key: "${keyName}"` }));
+        }
+      }
+    },
+
+    // ── Rule 6: Prototype pollution via bracket notation ───────────────────
+    AssignmentExpression(node) {
+      // obj[variable] = value  →  node.left is MemberExpression with computed=true
+      if (node.left &&
+          node.left.type === 'MemberExpression' &&
+          node.left.computed === true &&
+          node.left.property.type === 'Identifier') {
+        findings.push(makeFinding({ rule: RULES.PROTOTYPE_POLLUTION, node, filePath }));
+      }
+    },
+
+    // ── Rule 7: __proto__ access ────────────────────────────────────────────
+    MemberExpression(node) {
+      const prop = node.property;
+      if (prop && prop.type === 'Identifier' && prop.name === '__proto__') {
+        findings.push(makeFinding({ rule: RULES.PROTO_ACCESS, node, filePath }));
+      }
+      if (prop && prop.type === 'Literal' && prop.value === '__proto__') {
+        findings.push(makeFinding({ rule: RULES.PROTO_ACCESS, node, filePath }));
+      }
+    }
+
+  });
+
+  return findings;
 }
 
 // ─────────────────────────────────────────────────────────────────────────────
-// Suppression check
+// Suppression check (reuses same format as inlineTag.js)
 // ─────────────────────────────────────────────────────────────────────────────
-const SUPPRESS_RE = /security-scan:\s*disable/i;
+const SUPPRESS_RE = /security-scan:\s*disable\s+rule-id:\s*(\S+)/i;
+
+function isSuppressed(lines, lineIdx, ruleId) {
+  const window = 3;
+  const start  = Math.max(0, lineIdx - window);
+  const end    = Math.min(lines.length - 1, lineIdx + window);
 
-function isSuppressed(lines, lineIdx) {
-  const current  = lines[lineIdx]  || '';
-  const previous = lines[lineIdx - 1] || '';
-  return SUPPRESS_RE.test(current) || SUPPRESS_RE.test(previous);
+  for (let i = start; i <= end; i++) {
+    const m = lines[i].match(SUPPRESS_RE);
+    if (m && (m[1] === '*' || m[1] === ruleId)) return true;
+  }
+  return false;
 }
 
 // ─────────────────────────────────────────────────────────────────────────────
-// Main scanner
+// Regex fallback — used when acorn is not available
+// ─────────────────────────────────────────────────────────────────────────────
+function regexFallbackScan(content, filePath) {
+  const lines   = content.split(/\r?\n/);
+  const findings = [];
+
+  const PATTERNS = [
+    { re: /(?:const|let|var)\s+\w*(?:password|secret|key|token|jwt)\w*\s*=\s*['"`][^'"`\s]{6,}/, rule: RULES.HARDCODED_SECRET_VAR },
+    { re: /Math\.random\(\)/, rule: RULES.INSECURE_RANDOM },
+    { re: /__proto__/, rule: RULES.PROTO_ACCESS },
+    { re: /localStorage\.setItem\s*\(.*(?:token|password|secret)/i, rule: RULES.STORAGE_SENSITIVE },
+    { re: /console\.(?:log|info|warn)\s*\(.*(?:password|secret|token)/i, rule: RULES.CONSOLE_SENSITIVE }
+  ];
+
+  lines.forEach((line, i) => {
+    const trimmed = line.trim();
+    if (!trimmed || trimmed.startsWith('//') || trimmed.startsWith('*')) return;
+    if (isSuppressed(lines, i, '*')) return;
+
+    for (const { re, rule } of PATTERNS) {
+      if (re.test(line)) {
+        findings.push({
+          checkId: rule.id,
+          path: filePath,
+          line: i + 1,
+          message: rule.description,
+          severity: rule.severity,
+          owasp: rule.owasp,
+          raw: { line: trimmed }
+        });
+        break;
+      }
+    }
+  });
+
+  return findings;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Main export
 // ─────────────────────────────────────────────────────────────────────────────
 function scanFileWithCustomRules(filePath) {
+  // Only scan JS/TS files — Go is handled by govulncheck
+  if (filePath.endsWith('.go')) return [];
+
   let content;
   try {
-    // security-scan: disable rule-id: detect-non-literal-fs-filename reason: filePath comes from `git diff --cached --name-only`, not user input
     content = fs.readFileSync(filePath, 'utf8');
   } catch {
     return [];
   }
 
-  const lines    = content.split(/\r?\n/);
-  const findings = [];
-
-  for (let i = 0; i < lines.length; i++) {
-    const line    = lines[i];
-    const trimmed = line.trim();
-
-    if (!trimmed || trimmed.startsWith('//') || trimmed.startsWith('*')) continue;
-    if (isSuppressed(lines, i)) continue;
+  // If acorn is not available, fall back to regex mode
+  if (!acorn || !walk) {
+    console.warn('sec-gate: acorn not available — using regex fallback for custom rules');
+    return regexFallbackScan(content, filePath);
+  }
 
-    for (const rule of COMPILED_RULES) {
-      if (testRule(rule, line, i, lines)) {
-        findings.push({
-          checkId:  rule.id,
-          path:     filePath,
-          line:     i + 1,
-          message:  rule.description,
-          severity: rule.severity,
-          owasp:    rule.owasp,
-          raw:      { line: trimmed }
-        });
-        break; // one finding per line
-      }
+  let ast;
+  try {
+    ast = acorn.parse(content, {
+      ecmaVersion: 'latest',
+      sourceType: 'module',
+      locations: true,   // gives us line numbers
+      allowHashBang: true,
+      allowAwaitOutsideFunction: true,
+      allowImportExportEverywhere: true
+    });
+  } catch {
+    // Parse failed (e.g. TypeScript syntax, JSX) — fall back to regex
+    try {
+      ast = acorn.parse(content, {
+        ecmaVersion: 'latest',
+        sourceType: 'script',
+        locations: true,
+        allowHashBang: true
+      });
+    } catch {
+      return regexFallbackScan(content, filePath);
     }
   }
 
-  return findings;
+  const rawFindings = walkAST(ast, filePath);
+
+  // Apply inline suppressions
+  const lines = content.split(/\r?\n/);
+  return rawFindings.filter((f) => {
+    if (!f.line) return true;
+    return !isSuppressed(lines, f.line - 1, f.checkId);
+  });
 }
 
-module.exports = { scanFileWithCustomRules, RULE_DEFINITIONS };
+module.exports = { scanFileWithCustomRules, RULES };

package/sec-gate.example.yml

@@ -0,0 +1,39 @@
+# .sec-gate.yml — sec-gate configuration
+# Copy this file to your project root as .sec-gate.yml and customize.
+# All fields are optional. Defaults shown below.
+
+# Severity threshold — only block commits on findings at or above this level.
+# Options: all (default), critical, high, medium, low
+# Examples:
+#   severity_threshold: all       → block on any finding (most strict)
+#   severity_threshold: high      → block on high + critical only
+#   severity_threshold: critical  → block only on critical findings
+severity_threshold: all
+
+# Rule IDs to exclude globally (never report these, even if found).
+# The defaults below exclude the highest false-positive rules.
+# Set to [] to re-enable everything.
+exclude_rules:
+  - path-join-resolve-traversal
+  - detect-non-literal-regexp
+  - detect-non-literal-fs-filename
+
+# File paths/patterns to skip entirely (supports glob patterns).
+# Useful for test files, mocks, fixtures where dangerous patterns are intentional.
+exclude_paths:
+  - "**/__tests__/**"
+  - "**/*.test.js"
+  - "**/*.test.ts"
+  - "**/*.spec.js"
+  - "**/*.spec.ts"
+  - "**/test/**"
+  - "**/tests/**"
+  - "**/mocks/**"
+  - "**/fixtures/**"
+
+# Enable/disable dependency vulnerability scanning (SCA).
+# Disable if you manage dependencies with a separate tool (Snyk, Dependabot etc.)
+sca: true
+
+# Enable/disable custom security rules (hardcoded secrets, insecure random, etc.)
+custom_rules: true

package/src/commands/scan.js

@@ -6,11 +6,18 @@ const { runOsvScanner } = require('../scanners/osv');
 const { runGovulncheck } = require('../scanners/govulncheck');
 const { applyInlineSuppressions } = require('../suppressions/inlineTag');
 const { scanFileWithCustomRules } = require('../../rules/custom-security');
+const { loadConfig, meetsThreshold, isExcludedPath } = require('../config/loader');
+const { getRepoRoot } = require('../git/repo');
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Helpers
+// ─────────────────────────────────────────────────────────────────────────────
 
 function formatFinding(f) {
-  const loc = f.line ? `${f.path}:${f.line}` : f.path;
+  const loc  = f.line ? `${f.path}:${f.line}` : f.path;
   const owasp = f.owasp ? ` (${f.owasp})` : '';
-  return `- ${loc} [${f.checkId}]${owasp}\n  ${f.message}`;
+  const sev  = f.severity ? ` [${f.severity.toUpperCase()}]` : '';
+  return `- ${loc}${sev} [${f.checkId}]${owasp}\n  ${f.message}`;
 }
 
 const LOCKFILES = new Set([
@@ -22,61 +29,121 @@ const LOCKFILES = new Set([
   'go.sum'
 ]);
 
-function isSemgrepTargetPath(p) {
+function isSemgrepTargetPath(p, config) {
   if (!p) return false;
 
   const base = require('path').basename(p);
   if (LOCKFILES.has(base)) return false;
 
+  // Skip paths excluded in config
+  if (isExcludedPath(p, config.exclude_paths)) return false;
+
   return (
-    p.endsWith('.js') ||
+    p.endsWith('.js')  ||
     p.endsWith('.jsx') ||
     p.endsWith('.mjs') ||
     p.endsWith('.cjs') ||
-    p.endsWith('.ts') ||
+    p.endsWith('.ts')  ||
     p.endsWith('.tsx') ||
     p.endsWith('.go')
   );
 }
 
+// ─────────────────────────────────────────────────────────────────────────────
+// Apply config filters to findings list
+// ─────────────────────────────────────────────────────────────────────────────
+function applyConfigFilters(findings, config) {
+  const excludedRules  = new Set(config.exclude_rules || []);
+  const threshold      = config.severity_threshold || 'all';
+
+  const excluded  = [];
+  const belowThreshold = [];
+  const remaining = [];
+
+  for (const f of findings) {
+    // 1. Exclude by rule ID
+    if (excludedRules.has(f.checkId)) {
+      excluded.push(f);
+      continue;
+    }
+
+    // 2. Exclude by path
+    if (isExcludedPath(f.path || '', config.exclude_paths)) {
+      excluded.push(f);
+      continue;
+    }
+
+    // 3. Filter by severity threshold
+    if (!meetsThreshold(f.severity, threshold)) {
+      belowThreshold.push(f);
+      continue;
+    }
+
+    remaining.push(f);
+  }
+
+  return { remaining, excluded, belowThreshold };
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Main scan
+// ─────────────────────────────────────────────────────────────────────────────
 async function scan({ staged }) {
-  const files = staged ? getStagedFiles() : listTrackedFiles();
+  // Load per-repo config (.sec-gate.yml)
+  let repoRoot;
+  try { repoRoot = getRepoRoot(); } catch { repoRoot = process.cwd(); }
+  const config = loadConfig(repoRoot);
+
+  const files      = staged ? getStagedFiles() : listTrackedFiles();
   const depChanged = staged ? hasStagedDependencyFiles(files) : true;
 
   // eslint-disable-next-line no-console
   console.log(`sec-gate: scan started (${staged ? 'staged files' : 'tracked files'})`);
 
-  const allFindings = [];
-  const semgrepTargets = (files || []).filter(isSemgrepTargetPath);
+  // Print active config summary
+  if (config.severity_threshold !== 'all') {
+    // eslint-disable-next-line no-console
+    console.log(`sec-gate: severity threshold: ${config.severity_threshold} and above`);
+  }
+  if (config.exclude_rules.length > 0) {
+    // eslint-disable-next-line no-console
+    console.log(`sec-gate: excluding ${config.exclude_rules.length} high-noise rule(s)`);
+  }
 
+  const allFindings    = [];
+  const semgrepTargets = (files || []).filter((f) => isSemgrepTargetPath(f, config));
+
+  // ── SAST ──────────────────────────────────────────────────────────────────
   if (semgrepTargets.length > 0) {
-    // SAST — owasp-top10 via @pensar/semgrep-node
     const sast = await runSemgrep({ files: semgrepTargets });
     allFindings.push(...sast);
 
-    // Custom rules — patterns not covered by owasp-top10 ruleset
-    for (const filePath of semgrepTargets) {
-      const custom = scanFileWithCustomRules(filePath);
-      allFindings.push(...custom);
+    if (config.custom_rules !== false) {
+      for (const filePath of semgrepTargets) {
+        const custom = scanFileWithCustomRules(filePath);
+        allFindings.push(...custom);
+      }
     }
   } else {
     // eslint-disable-next-line no-console
     console.log('sec-gate: no relevant staged/tracked source files; skipping SAST');
   }
 
-  // SCA (only when dependency lockfiles or go module files are staged)
-  if (staged && !depChanged) {
+  // ── SCA ───────────────────────────────────────────────────────────────────
+  if (config.sca === false) {
+    // eslint-disable-next-line no-console
+    console.log('sec-gate: SCA disabled in config; skipping');
+  } else if (staged && !depChanged) {
     // eslint-disable-next-line no-console
     console.log('sec-gate: dependency files not staged; skipping SCA');
   } else {
     const fs = require('fs');
 
-    // Detect which Node lockfile exists — support npm, pnpm and yarn
     const nodeLockfiles = [
-      'pnpm-lock.yaml',      // pnpm
-      'package-lock.json',   // npm
-      'npm-shrinkwrap.json', // npm (legacy)
-      'yarn.lock'            // yarn
+      'pnpm-lock.yaml',
+      'package-lock.json',
+      'npm-shrinkwrap.json',
+      'yarn.lock'
     ];
     const foundLockfile = nodeLockfiles.find((lf) => fs.existsSync(lf));
 
@@ -87,7 +154,7 @@ async function scan({ staged }) {
       allFindings.push(...scaOsv);
     } else {
       // eslint-disable-next-line no-console
-      console.log('sec-gate: no Node lockfile found (pnpm-lock.yaml / package-lock.json / yarn.lock); skipping OSV-Scanner');
+      console.log('sec-gate: no Node lockfile found; skipping OSV-Scanner');
     }
 
     if (fs.existsSync('go.mod')) {
@@ -99,21 +166,43 @@ async function scan({ staged }) {
     }
   }
 
-  const filtered = applyInlineSuppressions({ findings: allFindings });
+  // ── Apply inline suppressions ─────────────────────────────────────────────
+  const afterSuppressions = applyInlineSuppressions({ findings: allFindings });
+
+  // ── Apply config filters (excluded rules, paths, severity threshold) ──────
+  const { remaining, excluded, belowThreshold } = applyConfigFilters(afterSuppressions, config);
+
+  // Report what was filtered (only in verbose — summarised in one line)
+  if (excluded.length > 0) {
+    // eslint-disable-next-line no-console
+    console.log(`sec-gate: filtered ${excluded.length} finding(s) by excluded rules/paths`);
+  }
+  if (belowThreshold.length > 0) {
+    // eslint-disable-next-line no-console
+    console.log(`sec-gate: filtered ${belowThreshold.length} finding(s) below severity threshold (${config.severity_threshold})`);
+  }
 
-  if (filtered.length > 0) {
+  // ── Block or pass ─────────────────────────────────────────────────────────
+  if (remaining.length > 0) {
     // eslint-disable-next-line no-console
     console.log('\nsec-gate: SECURITY FINDINGS (commit blocked):');
-    for (const f of filtered) console.log(formatFinding(f));
+    for (const f of remaining) console.log(formatFinding(f));
+
+    // Show hint about severity threshold if there are lower-severity findings
+    if (belowThreshold.length > 0 && config.severity_threshold === 'all') {
+      // eslint-disable-next-line no-console
+      console.log('\n  TIP: Set severity_threshold in .sec-gate.yml to only block on high/critical.');
+    }
+
     process.exit(1);
   }
 
-  // ── Success summary ────────────────────────────────────────────────────────
+  // ── Success summary ───────────────────────────────────────────────────────
   const checks = [];
   if (semgrepTargets.length > 0) {
     checks.push(`SAST (${semgrepTargets.length} file${semgrepTargets.length > 1 ? 's' : ''})`);
   }
-  if (depChanged || !staged) {
+  if (config.sca !== false && (depChanged || !staged)) {
     const fs = require('fs');
     const nodeLockfilesCheck = ['pnpm-lock.yaml', 'package-lock.json', 'npm-shrinkwrap.json', 'yarn.lock'];
     const foundLock = nodeLockfilesCheck.find((lf) => fs.existsSync(lf));

package/src/config/loader.js

@@ -0,0 +1,214 @@
+'use strict';
+
+// security-scan: disable rule-id: path-join-resolve-traversal reason: repoRoot comes from git rev-parse, not user input
+// security-scan: disable rule-id: detect-non-literal-fs-filename reason: repoRoot comes from git rev-parse, not user input
+// security-scan: disable rule-id: detect-non-literal-regexp reason: patterns come from the config file written by the developer, not from end users
+// security-scan: disable rule-id: prototype-pollution reason: result[key] assignment is parsing a config file where keys are validated against a known whitelist of fields
+
+/**
+ * sec-gate config loader
+ *
+ * Reads .sec-gate.yml (or .sec-gate.yaml / sec-gate.config.js) from the
+ * repo root and merges it with built-in defaults.
+ *
+ * Config file example (.sec-gate.yml):
+ * ─────────────────────────────────────
+ * severity_threshold: high       # block only on: critical, high, medium, low, all (default: all)
+ * exclude_rules:                 # rule IDs to never report
+ *   - path-join-resolve-traversal
+ *   - detect-non-literal-regexp
+ * exclude_paths:                 # glob patterns to skip
+ *   - "**\/__tests__\/**"
+ *   - "**\/mocks\/**"
+ *   - "**\/fixtures\/**"
+ * sca: true                      # enable/disable SCA (default: true)
+ * custom_rules: true             # enable/disable custom rules (default: true)
+ */
+
+const fs   = require('fs');
+const path = require('path');
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Severity ordering — higher index = more severe
+// ─────────────────────────────────────────────────────────────────────────────
+const SEVERITY_ORDER = ['low', 'medium', 'high', 'critical'];
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Built-in defaults
+// ─────────────────────────────────────────────────────────────────────────────
+const DEFAULTS = {
+  // Block commit on any finding regardless of severity
+  severity_threshold: 'all',
+
+  // Rules excluded by default — these have very high false positive rates
+  // and rarely indicate real vulnerabilities in typical codebases.
+  // Developers can re-enable them by setting exclude_rules: [] in their config.
+  exclude_rules: [
+    'path-join-resolve-traversal',       // flags ANY variable in path.join — ~75% FP rate
+    'detect-non-literal-regexp',         // flags RegExp(var) even with hardcoded sources
+    'detect-non-literal-fs-filename'     // flags ANY variable in fs calls — ~70% FP rate
+  ],
+
+  // Paths excluded from scanning by default
+  exclude_paths: [
+    '**/__tests__/**',
+    '**/*.test.js',
+    '**/*.test.ts',
+    '**/*.spec.js',
+    '**/*.spec.ts',
+    '**/test/**',
+    '**/tests/**',
+    '**/mocks/**',
+    '**/fixtures/**',
+    '**/vendor/**',
+    '**/node_modules/**'
+  ],
+
+  sca: true,
+  custom_rules: true
+};
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Simple YAML parser (only handles the subset we need — no external dep)
+// Supports: string values, boolean values, string arrays
+// ─────────────────────────────────────────────────────────────────────────────
+function parseYaml(text) {
+  const result = {};
+  let currentKey = null;
+  let currentArray = null;
+
+  for (const raw of text.split('\n')) {
+    const line = raw.replace(/#.*$/, '').trimEnd(); // strip comments
+    if (!line.trim()) continue;
+
+    // Array item: "  - value"
+    if (/^\s+-\s+/.test(line) && currentKey && currentArray !== null) {
+      const val = line.replace(/^\s+-\s+/, '').replace(/^['"]|['"]$/g, '').trim();
+      currentArray.push(val);
+      continue;
+    }
+
+    // Key-value: "key: value" or "key:" (start of array)
+    const kvMatch = line.match(/^(\w+):\s*(.*)?$/);
+    if (kvMatch) {
+      if (currentKey && currentArray !== null) {
+        result[currentKey] = currentArray;
+      }
+      currentKey = kvMatch[1].trim();
+      const rawVal = (kvMatch[2] || '').trim().replace(/^['"]|['"]$/g, '');
+
+      if (rawVal === '') {
+        // Start of array block
+        currentArray = [];
+      } else if (rawVal === 'true') {
+        result[currentKey] = true;
+        currentKey = null;
+        currentArray = null;
+      } else if (rawVal === 'false') {
+        result[currentKey] = false;
+        currentKey = null;
+        currentArray = null;
+      } else {
+        result[currentKey] = rawVal;
+        currentKey = null;
+        currentArray = null;
+      }
+      continue;
+    }
+  }
+
+  // Flush last array
+  if (currentKey && currentArray !== null) {
+    result[currentKey] = currentArray;
+  }
+
+  return result;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Load and merge config
+// ─────────────────────────────────────────────────────────────────────────────
+function loadConfig(repoRoot) {
+  const candidates = [
+    path.join(repoRoot, '.sec-gate.yml'),
+    path.join(repoRoot, '.sec-gate.yaml'),
+    path.join(repoRoot, 'sec-gate.config.yml')
+  ];
+
+  let userConfig = {};
+
+  for (const candidate of candidates) {
+    if (fs.existsSync(candidate)) {
+      try {
+        const text = fs.readFileSync(candidate, 'utf8');
+        userConfig = parseYaml(text);
+        // eslint-disable-next-line no-console
+        console.log(`sec-gate: loaded config from ${path.basename(candidate)}`);
+        break;
+      } catch (err) {
+        // eslint-disable-next-line no-console
+        console.warn(`sec-gate: warning — could not parse ${candidate}: ${err.message}`);
+      }
+    }
+  }
+
+  // Merge: user config overrides defaults
+  // For arrays, user config REPLACES defaults (not merges), so teams have full control
+  const merged = {
+    severity_threshold: userConfig.severity_threshold || DEFAULTS.severity_threshold,
+    exclude_rules: Array.isArray(userConfig.exclude_rules)
+      ? userConfig.exclude_rules
+      : DEFAULTS.exclude_rules,
+    exclude_paths: Array.isArray(userConfig.exclude_paths)
+      ? userConfig.exclude_paths
+      : DEFAULTS.exclude_paths,
+    sca: userConfig.sca !== undefined ? userConfig.sca : DEFAULTS.sca,
+    custom_rules: userConfig.custom_rules !== undefined
+      ? userConfig.custom_rules
+      : DEFAULTS.custom_rules
+  };
+
+  return merged;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Severity check — should this finding be blocked given the threshold?
+// ─────────────────────────────────────────────────────────────────────────────
+function meetsThreshold(findingSeverity, threshold) {
+  if (threshold === 'all') return true;
+
+  const findingLevel = SEVERITY_ORDER.indexOf((findingSeverity || 'low').toLowerCase());
+  const thresholdLevel = SEVERITY_ORDER.indexOf((threshold || 'all').toLowerCase());
+
+  if (thresholdLevel === -1) return true; // unknown threshold → block everything
+  if (findingLevel === -1) return true;   // unknown severity → be safe, block it
+
+  return findingLevel >= thresholdLevel;
+}
+
+// ─────────────────────────────────────────────────────────────────────────────
+// Path exclusion check
+// ─────────────────────────────────────────────────────────────────────────────
+function isExcludedPath(filePath, excludePatterns) {
+  if (!excludePatterns || excludePatterns.length === 0) return false;
+
+  const normalized = filePath.replace(/\\/g, '/');
+
+  for (const pattern of excludePatterns) {
+    // Convert glob to simple regex:
+    // **/ matches any directory depth
+    // * matches anything except /
+    const regexStr = pattern
+      .replace(/\\/g, '/')
+      .replace(/\./g, '\\.')
+      .replace(/\*\*\//g, '(?:.+/)?')
+      .replace(/\*/g, '[^/]*');
+
+    const re = new RegExp(`(^|/)${regexStr}(/|$)`);
+    if (re.test(normalized)) return true;
+  }
+
+  return false;
+}
+
+module.exports = { loadConfig, meetsThreshold, isExcludedPath, SEVERITY_ORDER };